Install ClamAV on Ubuntu 24.04/Ubuntu 22.04

Last Updated:

In this tutorial, we are going to learn how to install ClamAV on Ubuntu 24.04/Ubuntu 22.04. ClamAV is an open source antivirus engine for detecting trojans, viruses, malware, adwares, rootkits and other malicious threats.

Features of ClamAV

Some of the features of ClamAV include;

  • built-in support for various archive formats, including Zip, Tar, Gzip, Bzip2, OLE2, Cabinet, CHM, BinHex, SIS and others.
  • built-in support for almost all mail file formats
  • built-in support for ELF executables and Portable Executable files compressed with UPX, FSG, Petite, NsPack, wwpack32, MEW, Upack and obfuscated with SUE, Y0da Cryptor and others;
  • built-in support for popular document formats including Microsoft Office and Mac Office files, HTML, RTF and PDF.
  • support multiple signature languages such as hash-based signature matching, wildcards, boolean logic and any custom rules written in Bytecode language.

ClamAV includes a multi-threaded scanner daemon, command line utilities for on demand file scanning and automatic signature updates. One of its main uses is on mail servers as a server-side email virus scanner.

Install ClamAV on Ubuntu

The default Ubuntu 24.04/Ubuntu 22.04 repositories contains the latest stable release version of ClamAV. You can simply install it and its utilities by running the command below;

sudo apt update
sudo apt install clamav clamav-daemon -y

Update the ClamAV Signature Database

For scanning to work, you need am updated virus database. There are two options for updating ClamAV database:

  • clamav-freshclam: updates the database from Internet. This is recommended with Internet access.
  • Offline update (clamav-data) for systems with no direct internet access.

Update Signature Database with clamav-freshclam

If you have internet access, you can use clamav-freshclam to update the ClamAV virus signature database.

To use this method, stop the clamav-freshclam service (if it is running) and execute freshclam, the virus database update tool.

sudo systemctl stop clamav-freshclam

Then update the virus database;

sudo freshclam

Sample database update output;

ClamAV update process started at Wed Feb 21 18:35:04 2024
Wed Feb 21 18:35:04 2024 -> daily.cvd database is up-to-date (version: 27192, sigs: 2053940, f-level: 90, builder: raynman)
Wed Feb 21 18:35:04 2024 -> main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
Wed Feb 21 18:35:04 2024 -> bytecode.cvd database is up-to-date (version: 334, sigs: 91, f-level: 90, builder: anvilleg)

Next, start the clamav-freshclam service so it keeps updating the signature database in the background whenever.

sudo systemctl start clamav-freshclam

Ensure the service is enabled to run on system boot;

sudo systemctl enable clamav-freshclam

freshclam downloads the ClamAV databases, CVDs, and place them on under, /var/lib/clamav/.

ls -alh1 /var/lib/clamav/
total 223M
drwxr-xr-x  2 clamav clamav 4.0K Feb 21 18:35 .
drwxr-xr-x 75 root   root   4.0K Feb 21 18:34 ..
-rw-r--r--  1 clamav clamav 286K Feb 21 18:34 bytecode.cvd
-rw-r--r--  1 clamav clamav  60M Feb 21 18:34 daily.cvd
-rw-r--r--  1 clamav clamav   69 Feb 21 18:34 freshclam.dat
-rw-r--r--  1 clamav clamav 163M Feb 21 18:34 main.cvd

Also restart the Clam AntiVirus userspace daemon;

sudo systemctl restart clamav-daemon

Offline Database Update

If your system do not have internet access, you can consider setting up a private local mirror using the cvdupdate tool.

Clamscan CLI Options and Example Usage

Clamscan is used to scan files and directories for viruses. From the man pages, the clamscan command syntax is:

clamscan [options] [file/directory/-]

Some of the clamscan command options and their example usage is illustrated below;

Print help information using -h or --help option.

clamscan -h

Note: Options marked with [=yes/no(*)] can be optionally followed by =yes or =no. If they get called without the boolean argument the scanner will assume ‘yes’. The asterisk marks the default internal setting for a given option.

Scan specific directory using ClamAV;

clamscan /home/

Scan specific file using ClamAV;

clamscan /home/filename.docx

Do not display summary at the end of scanning.

clamscan --no-summary /home/

Print infected files only (-i--infected);

clamscan -i /

Skip printing OK files (-o--suppress-ok-results);

clamscan -o /home/

Sound a bell on virus detection (--bell);

clamscan --bell -i /home

Scan directories recursively (-r--recursive).

clamscan --bell -i -r /home

Save scan report to FILE (-l FILE--log=FILE);

clamscan --bell -i -r /home -l home-scan.txt

Scan files listed line by line in FILE (-f FILE, --file-list=FILE).

clamscan -i -f /tmp/scan

Remove infected files (--remove[=yes/no(*)]). Be careful as this removes file completely.

 clamscan -r --remove /home/USER

Move infected files into DIRECTORY (--move=DIRECTORY). Directory must be writable for the user or unprivileged user running clamscan.

clamscan -r -i --move=/home/USER/infected /home/

Copy infected files into DIRECTORY (–copy=DIRECTORY). Directory must be writable for the user or unprivileged user running clamscan.

clamscan -r -i --copy=/home/USER/infected /home/

There is quite long list of options for various usage of clamscan. Consult man clamscan for more details.

How to Test ClamAV

You can test the efficiency of ClamAV to detect malicious threats by downloading anti-malware EICAR test file to your specific system directory.

wget -P /tmp

Next, scan the /tmp directory;

clamscan -ir /tmp/

Sample scan output;

/tmp/ Win.Test.EICAR_HDB-1 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8685808
Engine version: 1.0.5
Scanned directories: 7
Scanned files: 2
Infected files: 1
Total errors: 12
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 13.121 sec (0 m 13 s)
Start Date: 2024:02:21 18:37:20
End Date:   2024:02:21 18:37:33

ClamAV Return Codes

The following are the exit return codes for ClamAV.

  • 0 : No virus found.
  • 1 : Virus(es) found.
  • 2 : Some error(s) occurred.

Limiting Clamscan CPU Usage

clamscan can be CPU intensive especially if it scanning a large directory.

To limit the clamscan CPU time to certain levels, you can use two tools;

  • nice: lowers the priority of clamscan (limits relative cpu time).
  • cpulimit: limits absolute cpu time.

To use nice command,

nice -n 15 clamscan && clamscan -ir /

As long as no other process requires cputime, clamscan will maximize it. But as soon as another process with a higher priority needs cputime, clamscan will lost it.

Using cpulimit;

cpulimit -z -e clamscan -l 15 & clamscan -ir /

Limits clamscan cpu time to 15% when scanning the entire root directory.

Visualize ClamAV Results on ELK Stack

Follow the guide below to learn how to visualize ClamAV results on ELK Stack.

Visualize ClamAV Scan Logs on ELK Stack Kibana

Further Reading

ClamAV User Manual

Other Tutorials

Install Nikto Web Scanner on Rocky Linux 8

Install and Setup Nessus Scanner on Ubuntu 20.04


We're passionate about sharing our knowledge and experiences with you through our blog. If you appreciate our efforts, consider buying us a virtual coffee. Your support keeps us motivated and enables us to continually improve, ensuring that we can provide you with the best content possible. Thank you for being a coffee-fueled champion of our work!

Photo of author
I am the Co-founder of, Linux and the whole FOSS enthusiast, Linux System Admin and a Blue Teamer who loves to share technological tips and hacks with others as a way of sharing knowledge as: "In vain have you acquired knowledge if you have not imparted it to others".

Leave a Comment