ManagedCloud Servers

High performance handled and monitored by us 24/7/365. A complete solution to provide you with our in house expertise 24/7 tailored to your specific needs. We'll setup a bespoke server for your site using the latest tehnologies so you can get the most out of your hardware and get your website loading quickly and reliably. Find out more..

cPanelCloud Servers

Recommended - High performance cloud servers with no technical knowledge required. If you're hosting multiple websites already and you're looking to consolidate, or if you're looking to isolate yourself from the shared hosting environment but you don't have the time or knoweldge to manage a server, then the Managed cPanel Servers are for you. Find out more..

UnmanagedCloud Servers

Our unmanaged range gives you complete control at rock bottom prices and our cloud platform boasts super fast multipath 40Gb/s network, the latest Intel Xeon V3 CPUs and enterprise grade redundant SSDs. If you're a sysadmin look no further, we offer some of the best specification to price ratio servers available. Find out more..

Want your very own server? Get our 1GB memory, Xeon V4, 20GB SSD VPS for £10.00 / month.

View Plans

How to Install ClamAV on CentOS 7

ClamAV or Clam Antivirus is an open source antivirus tool for UNIX. It was built specially for scanning emails at mail gateways but these days it is used for securing various types of systems and applications. ClamAV provides a number of utilities including a flexible multi-threaded daemon, a command line scanner and advanced tool for automatic database updates. ClamAV is used widely for securing Linux servers, mail gateways. It is also used along with CPanel to secure the file system.

A few notable features of ClamAV are:

  • It is opensource, POSIX compliant, portable software licensed under GNU general public licence.
  • It provides fast scanning and supports on access scanning of a file.
  • It claims to detect over 1 million viruses, worms and Trojans, including Microsoft Office macro viruses, mobile malware, and other threats.
  • Capable of scanning within various types of archives and compressed files.
  • Supports Portable Executable files, ELF and Mach-O files as well.
  • Supports almost all mail formats and special files and formats.
  • Advanced database updater with support for scripted updates, digital signatures and DNS based database version queries.

Requirements

ClamAV does not require any special hardware, you will only need a server with CentOS 7.x installed. You will need root or sudo access to your system. If you are logged in as non root user, you can either execute sudo -i to switch to root account or you can use sudo command at the start of all the administrative command.

Installing ClamAV

Before installing any package, it is recommended to update the system and packages using the following command.

    yum -y update

After updating the system we will need to add the EPEL repository into our system as ClamAV is not available in the default repository of CentOS 7. To add EPEL repository run the following command.

    yum -y install epel-release
    yum -y update
    yum clean all

Now run the following command to install ClamAV antivirus.

    yum -y install clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd

Before running Clam antivirus you will need to configure few things.

As we are working on CentOS, it comes comes with SELinux. SELinux may deny access to few files, which will generate errors and warning. You can either disable SELinux or modify it's configuration so that ClamAV can access all the files on the disk.

To disable SELinux run the following command.

    setenforce 0

To modify its configuration to allow ClamAV, run the following command.

    setsebool -P antivirus_can_scan_system 1
    setsebool -P clamd_use_jit 1

To check the status of SELinux configuration for antivirus, run the following command.

    getsebool -a | grep antivirus

You will get following output.

    [root@ip-172-31-16-226 ~]# getsebool -a | grep antivirus
    antivirus_can_scan_system --> on
    antivirus_use_jit --> off

Once we have adjusted SELinux, we will now need to modify the scanner configuration files of ClamAV. By default a configuration file is created at /etc/clamd.d/scan.conf, hence you will only need to modify the configuration. Before we can use the configuration, we must need to remove or comment out the Example word from the configuration. You can run the following command to remove the example word directly.

    cp /etc/clamd.d/scan.conf /etc/clamd.d/scan.conf.backup
    sed -i -e "s/^Example/#Example/" /etc/clamd.d/scan.conf

If the above command results in an error then open the file in your favourite editor and remove the text Example from the file.

You also have the option of which user will run ClamAV. You can either run ClamAV with the root user or any other user like clamscan etc. By default ClamAV creates a user in your system which we can use to run the scanner service. To find the user, you can run the following command.

    cat /etc/passwd | grep clam

You will likely see the following output.

    [root@ip-172-31-7-222 ~]# cat /etc/passwd | grep clam
    clamupdate:x:995:992:Clamav database update user:/var/lib/clamav:/sbin/nologin
    clamscan:x:994:991:Clamav scanner user:/:/sbin/nologin

We can use the above clamscan user to run the ClamAV scanner. Open the scanner configuration file in your favourite editor. In this tutorial we will be using nano editor, if you don't have nano installed, you can run yum -y install nano command to install nano editor in your computer.

    nano /etc/clamd.d/scan.conf

Scroll down to find the following lines.

    # Run as another user (clamd must be started by root for this option to work)
    # Default: don't drop privileges
    User clamscan

If you are using the ClamAV user, then you will need to start the daemon as root. As we are logged in as root, we can keep using this user. If you want you can also switch to root user here.

Next you will need to define the server type in the configuration, scroll down to find the following lines.

    # The daemon can work in local mode, network mode or both.
    # Due to security reasons we recommend the local mode.

# Path to a local socket file the daemon will listen on. # Default: disabled (must be specified by a user) #LocalSocket /var/run/clamd.scan/clamd.sock

Uncomment the line #LocalSocket /var/run/clamd.scan/clamd.sock to

    LocalSocket /var/run/clamd.scan/clamd.sock

Save and exit from editor. But before we can run the scanner service, we will need to configure and run Freshclam.

Freshclam is used to update the database of virus definitions into the server. Freshclam configuration file is located at /etc/freshclam.conf. We will take a backup of the file and then we will comment out the Example line from the file.

    cp /etc/freshclam.conf /etc/freshclam.conf.bakup
    sed -i -e "s/^Example/#Example/" /etc/freshclam.conf

We can now run Freshclam using the following command.

    freshclam

You will get following output.

    [root@ip-172-31-7-222 ~]# freshclam
    ClamAV update process started at Tue Nov  1 08:44:10 2016
    main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)
    Trying host database.clamav.net (27.96.54.66)...
    Downloading daily.cvd [100%]
    daily.cvd updated (version: 22463, sigs: 804704, f-level: 63, builder: neo)
    Downloading bytecode-279.cdiff [100%]
    Downloading bytecode-280.cdiff [100%]
    Downloading bytecode-281.cdiff [100%]
    Downloading bytecode-282.cdiff [100%]
    Downloading bytecode-283.cdiff [100%]
    bytecode.cld updated (version: 283, sigs: 53, f-level: 63, builder: neo)
    Database updated (5023547 signatures) from database.clamav.net (IP: 27.96.54.66)

To check if the database is up to date or not, run the same command freshclam again, if any update is available, it will update it or it will show you that everything is up to date.

    [root@ip-172-31-7-222 ~]# freshclam
    ClamAV update process started at Tue Nov  1 08:51:46 2016
    main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)
    daily.cvd is up to date (version: 22463, sigs: 804704, f-level: 63, builder: neo)
    bytecode.cld is up to date (version: 283, sigs: 53, f-level: 63, builder: neo)

As freshclam updates the virus database, it is recommended to run it frequently to download the latest malware signatures. To run it automatically, you either create a cron job or you can create a systemd service file.

To create a cron job run the following command.

    crontab -e

This will open the cron job file in VI text editor, go to insert mode by pressing i and then enter the following line into the file.

     00 01,13 * * *  /usr/bin/freshclam --quiet

Now press Esc and then in command mode type :wq to save and exit from editor. The above cron job will execute the the freshclam command, twice a day, once at 1AM and then again at 1PM.

You can also create a systemd service if you do not want to use cron jobs. Create a new text file using your favourite editor.

    nano /usr/lib/systemd/system/freshclam.service

Now add the following lines into the file.

    [Unit]
    Description = freshclam scanner
    After = network.target

[Service] Type = forking ExecStart = /usr/bin/freshclam -d -c 2 Restart = on-failure PrivateTmp = true

[Install] WantedBy=multi-user.target

Now save and exit from the editor. To start the service and enable it to automatically start at boot time, run the following command.

    systemctl start freshclam
    systemctl enable freshclam

Now the systemd service will run freshclam twice a day to update the database. You can also check the status of our newly created freshclam service using the following command.

    systemctl status freshclam

You should see following output.

    [root@ip-172-31-7-222 ~]# systemctl status freshclam
    ● freshclam.service - freshclam scanner
       Loaded: loaded (/usr/lib/systemd/system/freshclam.service; enabled; vendor preset: disabled)
       Active: active (running) since Tue 2016-11-01 09:07:06 UTC; 1min 7s ago
     Main PID: 4488 (freshclam)
       CGroup: /system.slice/freshclam.service
               └─4488 /usr/bin/freshclam -d -c 2

Nov 01 09:07:06 ip-172-31-7-222 systemd[1]: Starting freshclam scanner... Nov 01 09:07:06 ip-172-31-7-222 systemd[1]: Started freshclam scanner. Nov 01 09:07:06 ip-172-31-7-222 freshclam[4488]: freshclam daemon 0.99.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64) Nov 01 09:07:06 ip-172-31-7-222 freshclam[4488]: ClamAV update process started at Tue Nov 1 09:07:06 2016 Nov 01 09:07:06 ip-172-31-7-222 freshclam[4488]: main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer) Nov 01 09:07:06 ip-172-31-7-222 freshclam[4488]: daily.cvd is up to date (version: 22463, sigs: 804704, f-level: 63, builder: neo) Nov 01 09:07:06 ip-172-31-7-222 freshclam[4488]: bytecode.cld is up to date (version: 283, sigs: 53, f-level: 63, builder: neo) Nov 01 09:07:06 ip-172-31-7-222 freshclam[4488]: -------------------------------------- Hint: Some lines were ellipsized, use -l to show in full.

Now as we have our virus definitions updated, we can proceed further to run the scanner service of ClamAV. To start the scanner service run the following command.

    systemctl start clamd@scan

To automatically start the service at boot time, run the following command.

    systemctl enable clamd@scan

To check the status of scanner service, run the following command.

    systemctl status clamd@scan

It should produce the following output when running normally.

    [root@ip-172-31-7-222 ~]# systemctl status clamd@scan
    ● clamd@scan.service - Generic clamav scanner daemon
       Loaded: loaded (/usr/lib/systemd/system/clamd@scan.service; disabled; vendor preset: disabled)
       Active: active (running) since Tue 2016-11-01 11:20:36 UTC; 12s ago
     Main PID: 4956 (clamd)
       CGroup: /system.slice/system-clamd.slice/clamd@scan.service
               └─4956 /usr/sbin/clamd -c /etc/clamd.d/scan.conf --foreground=yes

Nov 01 11:20:45 ip-172-31-7-222 clamd[4956]: HTML support enabled. Nov 01 11:20:45 ip-172-31-7-222 clamd[4956]: XMLDOCS support enabled. Nov 01 11:20:45 ip-172-31-7-222 clamd[4956]: HWP3 support enabled. Nov 01 11:20:45 ip-172-31-7-222 clamd[4956]: Self checking every 600 seconds. Nov 01 11:20:45 ip-172-31-7-222 clamd[4956]: PDF support enabled. Nov 01 11:20:45 ip-172-31-7-222 clamd[4956]: SWF support enabled. Nov 01 11:20:45 ip-172-31-7-222 clamd[4956]: HTML support enabled. Nov 01 11:20:45 ip-172-31-7-222 clamd[4956]: XMLDOCS support enabled. Nov 01 11:20:45 ip-172-31-7-222 clamd[4956]: HWP3 support enabled. Nov 01 11:20:45 ip-172-31-7-222 clamd[4956]: Self checking every 600 seconds.

You can also use clamconf utility to check the configuration files. This utility will display the configuration of config file clam.conf and freshclam.conf. It will display information about software settings, database, platform, and build information. To use this utility run the following command.

    clamconf

The sample output of the command is:

    [root@ip-172-31-7-222 ~]# clamconf
    Checking configuration files in /etc

Config file: clamd.conf ERROR: Please edit the example config file /etc/clamav/clamd.conf

Config file: freshclam.conf --------------------------- StatsHostID disabled StatsEnabled disabled StatsTimeout disabled LogFileMaxSize = "1048576" LogTime disabled LogSyslog = "yes" LogFacility = "LOG_LOCAL6" LogVerbose disabled LogRotate disabled PidFile disabled DatabaseDirectory = "/var/lib/clamav" Foreground disabled Debug disabled AllowSupplementaryGroups disabled UpdateLogFile disabled DatabaseOwner = "clamupdate" Checks = "12" DNSDatabaseInfo = "current.cvd.clamav.net" DatabaseMirror = "database.clamav.net" PrivateMirror disabled MaxAttempts = "3" ScriptedUpdates = "yes" TestDatabases = "yes" CompressLocalDatabase disabled ExtraDatabase disabled DatabaseCustomURL disabled HTTPProxyServer disabled HTTPProxyPort disabled HTTPProxyUsername disabled HTTPProxyPassword disabled HTTPUserAgent disabled NotifyClamd = "/etc/clamd.conf" OnUpdateExecute disabled OnErrorExecute disabled OnOutdatedExecute disabled LocalIPAddress disabled ConnectTimeout = "30" ReceiveTimeout = "30" SubmitDetectionStats disabled DetectionStatsCountry disabled DetectionStatsHostID disabled SafeBrowsing disabled Bytecode = "yes"

clamav-milter.conf not found

Software settings ----------------- Version: 0.99.2 Optional features supported: MEMPOOL IPv6 AUTOIT_EA06 BZIP2 LIBXML2 PCRE ICONV JIT

Database information -------------------- Database directory: /var/lib/clamav main.cvd: version 57, sigs: 4218790, built on Wed Mar 16 23:17:06 2016 bytecode.cld: version 283, sigs: 53, built on Thu Jun 23 15:01:37 2016 daily.cld: version 22464, sigs: 804704, built on Tue Nov 1 10:03:49 2016 Total number of signatures: 5023547

Platform information -------------------- uname: Linux 3.10.0-327.10.1.el7.x86_64 #1 SMP Tue Feb 16 17:03:50 UTC 2016 x86_64 OS: linux-gnu, ARCH: x86_64, CPU: x86_64 zlib version: 1.2.7 (1.2.7), compile flags: a9 Triple: x86_64-redhat-linux-gnu CPU: i686, Little-endian platform id: 0x0a2152520804080503040805

Build information ----------------- GNU C: 4.8.5 20150623 (Red Hat 4.8.5-4) (4.8.5) GNU C++: 4.8.5 20150623 (Red Hat 4.8.5-4) (4.8.5) CPPFLAGS: CFLAGS: -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -Wall -W -Wmissing-prototypes -Wmissing-declarations -std=gnu99 -fno-strict-aliasing -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE CXXFLAGS: -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -std=gnu++98 LDFLAGS: -Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,--as-needed sizeof(void*) = 8 Engine flevel: 82, dconf: 82

To scan the files in a directory, you can use clamscan utility. Clamscan is the command line scanner utility in antivirus. To scan your home directory run the following command.

    clamscan --infected --remove --recursive /home /root

The above command will scan the directory /home and /root. --infected option will print the list of infected files, --remove options will remove the virus detected and --recursive option will enable clamscan to scan all the sub-directories and files. You will find the following output.

    [root@ip-172-31-7-222 ~]# clamscan --infected --remove --recursive /home /root

----------- SCAN SUMMARY ----------- Known viruses: 5018129 Engine version: 0.99.2 Scanned directories: 7 Scanned files: 12 Infected files: 0 Data scanned: 0.00 MB Data read: 0.00 MB (ratio 0.00:1) Time: 10.117 sec (0 m 10 s)

To verify that ClamAV is working correctly, you can use the EICAR Standard Anti-Virus Test File. It is simply a signature of a virus but not an actual virus. Download the file using following command.

    wget http://www.eicar.org/download/eicar_com.zip

Now scan the current directory using the following command.

    clamscan --infected --remove --recursive .

You should get following output.

    [root@ip-172-31-7-222 ~]# clamscan --infected --remove --recursive .
    ./eicar_com.zip: Eicar-Test-Signature FOUND
    ./eicar_com.zip: Removed.

----------- SCAN SUMMARY ----------- Known viruses: 5018129 Engine version: 0.99.2 Scanned directories: 4 Scanned files: 8 Infected files: 1 Data scanned: 0.00 MB Data read: 0.00 MB (ratio 0.00:1) Time: 10.758 sec (0 m 10 s)

To scan the whole system, you can run the following command.

    clamscan --infected --recursive --exclude-dir="^/sys" /

The above command will scan the whole server but excluding the /sys directory. /sys directory contains few unreachable files, hence scanning them will print unnecessary warnings.

The above commands can be used to scan the system, although be careful with --remove option, you can simply run the command without this option and then check for the files containing virus. Once you are sure of the files are containing virus, you can remove them manually or simply run the command again with --remove option.

Conclusion

In this tutorial we have learnt how to install Clam antivirus in CentOS 7 servers. We have learned to scan the system when required. You can now successfully install the software to scan and secure your system against viruses, malware and rootkits.

Want your very own server? Get our 1GB memory, Xeon V4, 20GB SSD VPS for £10.00 / month.

View Plans