In this tutorial, we are going to learn how to install and use ClamAV on Ubuntu 20.04. ClamAV is an open source antivirus engine for detecting trojans, viruses, malware, adwares, rootkits and other malicious threats.
Some of the features of ClamAV include;
- built-in support for various archive formats, including Zip, Tar, Gzip, Bzip2, OLE2, Cabinet, CHM, BinHex, SIS and others.
- built-in support for almost all mail file formats
- built-in support for ELF executables and Portable Executable files compressed with UPX, FSG, Petite, NsPack, wwpack32, MEW, Upack and obfuscated with SUE, Y0da Cryptor and others;
- built-in support for popular document formats including Microsoft Office and Mac Office files, HTML, RTF and PDF.
- support multiple signature languages such as hash-based signature matching, wildcards, boolean logic and any custom rules written in Bytecode language.
ClamAV includes a multi-threaded scanner daemon, command line utilities for on demand file scanning and automatic signature updates. One of its main uses is on mail servers as a server-side email virus scanner.
Install and use ClamAV on Ubuntu 20.04
Update System Package Cache
To begin with, update system package cache.
Install ClamAV on Ubuntu 20.04
The default Ubuntu 20.04 repositories contains the latest stable release version of ClamAV. You can simply install it and its utilities by running the command below;
apt install clamav clamav-daemon -y
Update the ClamAV Signature Database
For scanning to work, you need am updated virus database. There are two options for updating ClamAV database:
clamav-freshclam: updates the database from Internet. This is recommended with Internet access.
Offline updatefor systems with no direct internet access.
Update Signature Database with
If you have internet access, you can use
clamav-freshclam to update the ClamAV virus signature database.
To use this method, stop the
clamav-freshclam service (if it is running) and execute
freshclam, the virus database update tool.
systemctl stop clamav-freshclam
Then update the virus database;
If the database is up-to-date, then you might get an output similar to below (Otherwise, the command will pull database updates)
Wed May 6 05:58:42 2020 -> ClamAV update process started at Wed May 6 05:58:42 2020 Wed May 6 05:58:42 2020 -> daily.cvd database is up to date (version: 25803, sigs: 2358438, f-level: 63, builder: raynman) Wed May 6 05:58:42 2020 -> main.cvd database is up to date (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr) Wed May 6 05:58:42 2020 -> bytecode.cvd database is up to date (version: 331, sigs: 94, f-level: 63, builder: anvilleg)
Next, start the
clamav-freshclam service so it keeps updating the signature database in the background whenever.
systemctl start clamav-freshclam
Ensure the service is enabled to run on system boot;
systemctl is-enabled clamav-freshclam enabled
freshclam downloads the ClamAV databases, CVDs, and place them on under,
bytecode.cvd daily.cvd main.cvd
Offline Database Update
Once the downloaded CVDs are placed on the ClamAV database, be sure to change the ownership and permissions accordingly;
chown clamav:clamav /var/lib/clamav/*.cvd
chmod 644 /var/lib/clamav/*.cvd
Restart ClamAV daemon;
systemctl restart clamav-daemon
To update the database via a private local mirror, check how to on documentation page.
Clamscan CLI Options and Example Usage
Clamscan is used to scan files and directories for viruses. From the man pages, the clamscan command syntax is:
clamscan [options] [file/directory/-]
Some of the clamscan command options and their example usage is illustrated below;
Print help information using
Note: Options marked with [=yes/no(*)] can be optionally followed by =yes or =no. If they get called without the boolean argument the scanner will assume ‘yes’. The asterisk marks the default internal setting for a given option.
Scan specific directory or file;
Do not display summary at the end of scanning.
clamscan --no-summary /home/
Print infected files only (
clamscan -i /
Skip printing OK files (
clamscan -o /home/
Sound a bell on virus detection (
clamscan --bell -i /home
Scan directories recursively (
clamscan --bell -i -r /home
Save scan report to FILE (
clamscan --bell -i -r /home -l home-scan.txt
Scan files listed line by line in FILE (
clamscan -i -f /tmp/scan
Remove infected files (
--remove[=yes/no(*)]). Be careful as this removes file completely.
clamscan -r --remove /home/USER
Move infected files into DIRECTORY
(--move=DIRECTORY). Directory must be writable for the user or unprivileged user running clamscan.
clamscan -r -i --move=/home/USER/infected /home/
Copy infected files into DIRECTORY (–copy=DIRECTORY). Directory must be writable for the user or unprivileged user running clamscan.
clamscan -r -i --copy=/home/USER/infected /home/
There is quite long list of options for various usage of clamscan. Consult
man clamscan for more details.
ClamAV Return Codes
The following are the exit return codes for ClamAV.
- 0 : No virus found.
- 1 : Virus(es) found.
- 2 : Some error(s) occurred.
Limiting Clamscan CPU Usage
clamscan can be CPU intensive especially if it scanning a large directory.
To limit the clamscan CPU time to certain levels, you can use two tools;
nice: lowers the priority of clamscan (limits relative cpu time).
cpulimit: limits absolute cpu time.
To use nice command,
nice -n 15 clamscan && clamscan -ir /
As long as no other process requires cputime, clamscan will maximize it. But as soon as another process with a higher priority needs cputime, clamscan will lost it.
cpulimit -z -e clamscan -l 20 & clamscan -ir /
Limits clamscan cpu time to 15% when scanning the entire root directory.