    Setting Up ClamAV Antivirus on RamNode VPS

    ClamAV is an open-source antivirus engine designed for detecting trojans, viruses, malware, and other malicious threats. While Linux systems are generally more secure, ClamAV provides essential protection for servers hosting websites, email services, or file storage on your RamNode VPS.

    Applies to: Ubuntu/Debian and RHEL/CentOS/AlmaLinux
    ⏱️ Estimated time: 15-20 minutes

    What ClamAV Provides

    Open-source antivirus engine
    Trojan, virus, and malware detection
    Automatic virus definition updates
    On-demand and scheduled scanning
    Email and file upload scanning integration
    Quarantine and removal capabilities
    Multi-threaded daemon for fast scanning
    Cross-platform compatibility

    Prerequisites

    Before starting, ensure you have:

    System Requirements

    • RAM: At least 2GB (ClamAV is memory-intensive)
    • Disk: 500MB+ for virus definitions
    • Root or sudo access

    Supported Operating Systems

    • Ubuntu 20.04/22.04/24.04
    • Debian 11/12
    • CentOS 7/8
    • AlmaLinux 8/9, Rocky Linux 8/9

    Installation (Ubuntu/Debian)

    Update your package repository and install ClamAV:

    Install ClamAV on Ubuntu/Debian
    sudo apt update
    sudo apt install clamav clamav-daemon clamav-freshclam -y

    Stop the freshclam service temporarily to update the virus definitions:

    Update Virus Definitions
    sudo systemctl stop clamav-freshclam
    sudo freshclam
    sudo systemctl start clamav-freshclam

    Installation (RHEL/CentOS/AlmaLinux)

    Install the EPEL repository if not already present:

    Install EPEL Repository
    # For RHEL 8/9, AlmaLinux, Rocky Linux
    sudo dnf install epel-release -y
    
    # For CentOS 7
    sudo yum install epel-release -y

    Install ClamAV on RHEL-based Systems
    # RHEL 8/9 based
    sudo dnf install clamav clamd clamav-update -y
    
    # CentOS 7
    sudo yum install clamav clamav-scanner clamav-scanner-systemd clamav-server clamav-update -y

    Update Virus Definitions
    sudo freshclam

    Configure ClamAV Daemon

    The ClamAV daemon (clamd) runs as a service and provides faster scanning by keeping the virus database in memory.

    Edit Daemon Configuration
    # For Ubuntu
    sudo nano /etc/clamav/clamd.conf
    
    # For RHEL-based systems
    sudo nano /etc/clamd.d/scan.conf

    Key Configuration Options
    # Remove or comment out the Example line
    # Example
    
    # Set the log file location
    LogFile /var/log/clamav/clamd.log
    LogTime yes
    LogFileMaxSize 100M
    LogRotate yes
    
    # Socket configuration
    # Mode 666 lets every local user submit files to clamd. If only root and one
    # service (web server, MTA) need it, use 660 and add that service's account
    # to the group named by LocalSocketGroup.
    LocalSocket /var/run/clamav/clamd.sock
    LocalSocketMode 666
    
    # Performance tuning
    MaxThreads 20
    MaxConnectionQueueLength 30
    StreamMaxLength 100M

    Configure Freshclam (Auto-Updates)

    Freshclam automatically updates virus definitions:

    Edit Freshclam Configuration
    # For Ubuntu
    sudo nano /etc/clamav/freshclam.conf
    
    # For RHEL-based systems
    sudo nano /etc/freshclam.conf

    Important Settings
    # Remove or comment out the Example line
    # Example
    
    # Database directory
    DatabaseDirectory /var/lib/clamav
    
    # Update log file
    UpdateLogFile /var/log/clamav/freshclam.log
    
    # How many times per day to check for updates (default: 24)
    Checks 24

    Start and Enable Services

    Ubuntu/Debian

    Enable and Start Services (Ubuntu)
    sudo systemctl enable clamav-daemon
    sudo systemctl enable clamav-freshclam
    sudo systemctl start clamav-daemon
    sudo systemctl start clamav-freshclam
    
    # Verify services are running
    sudo systemctl status clamav-daemon
    sudo systemctl status clamav-freshclam

    RHEL-Based Systems

    Enable and Start Services (RHEL)
    sudo systemctl enable clamd@scan
    sudo systemctl start clamd@scan
    sudo systemctl enable clamav-freshclam
    sudo systemctl start clamav-freshclam
    
    # Verify status
    sudo systemctl status clamd@scan
    sudo systemctl status clamav-freshclam

    Basic Scanning Operations

    Manual Scanning with clamscan

    Manual Scan Commands
    # Scan a specific directory
    sudo clamscan -r /home
    
    # Scan with detailed output
    sudo clamscan -r -v /path/to/directory
    
    # Scan and move infected files to quarantine
    sudo clamscan -r --move=/var/quarantine /path/to/scan
    
    # Scan and remove infected files (use with caution)
    sudo clamscan -r --remove /path/to/scan

    Using clamd for Faster Scanning

    The clamdscan command uses the clamd daemon and is significantly faster:

    Daemon-Based Scanning
    sudo clamdscan -m -v /path/to/directory

    clamdscan Options

    • -m, --multiscan - Multi-threaded scanning (clamd scans the tree in parallel)
    • -v, --verbose - Verbose output
    • -i, --infected - Only print infected files
    • --fdpass - Pass open file descriptors to clamd, so files the clamav user cannot read are still scanned (requires a local socket)

    Automated Scanning with Cron

    Create a daily scan script:

    Create Scan Script
    sudo nano /usr/local/bin/clamav-scan.sh
    Scan Script Contents
    #!/bin/bash
    # ClamAV scanning script with logging and notifications
    
    SCAN_DIR="/home /var/www"          # space-separated list of directories to scan
    LOG_FILE="/var/log/clamav/daily-scan.log"
    QUARANTINE_DIR="/var/quarantine"
    
    # Timestamp helper, evaluated at each call so every log line carries the real time
    now() { date '+%Y-%m-%d %H:%M:%S'; }
    
    # Create quarantine and log directories if they don't exist
    mkdir -p "$QUARANTINE_DIR"
    mkdir -p /var/log/clamav
    
    echo "[$(now)] Starting ClamAV scan of $SCAN_DIR" >> "$LOG_FILE"
    
    # Perform the scan through clamd. $SCAN_DIR is intentionally unquoted so it
    # expands to one argument per directory.
    clamdscan --multiscan --fdpass --move="$QUARANTINE_DIR" $SCAN_DIR >> "$LOG_FILE" 2>&1
    RC=$?
    
    # clamdscan exit codes: 0 = clean, 1 = infected files found, 2 = an error occurred
    if [ "$RC" -eq 1 ]; then
        echo "[$(now)] ALERT: Infections found! Check $LOG_FILE" >> "$LOG_FILE"
    elif [ "$RC" -ge 2 ]; then
        echo "[$(now)] ERROR: clamdscan exited with code $RC (is clamd running?)" >> "$LOG_FILE"
    fi
    
    echo "[$(now)] Scan completed" >> "$LOG_FILE"
    echo "----------------------------------------" >> "$LOG_FILE"
    Make Executable and Schedule
    sudo chmod +x /usr/local/bin/clamav-scan.sh
    
    # Create a cron job for daily scanning
    sudo crontab -e
    
    # Add a line to run the scan daily at 2 AM:
    0 2 * * * /usr/local/bin/clamav-scan.sh

    Performance Optimization

    ClamAV can be resource-intensive. Here are optimization tips:

    Memory Management

    For systems with limited RAM, configure clamd to use resources more efficiently:

    Memory Optimization in clamd.conf
    MaxThreads 12
    MaxConnectionQueueLength 15
    StreamMaxLength 50M

    Exclude Directories

    Exclude directories that don't need scanning:

    Exclude Directories
    # clamscan: add to the scan command (the argument is a regular expression)
    --exclude-dir="^/proc"
    --exclude-dir="^/sys"
    --exclude-dir="^/dev"
    
    # clamdscan has no --exclude-dir; set the equivalent in clamd.conf instead
    ExcludePath ^/proc/
    ExcludePath ^/sys/
    ExcludePath ^/dev/

    Schedule Scans During Off-Peak Hours

    Off-Peak Scheduling
    # Run at 3 AM on Sundays
    0 3 * * 0 /usr/local/bin/clamav-scan.sh

    Monitoring and Logs

    Log Locations

    Ubuntu/Debian
    • Daemon: /var/log/clamav/clamav.log (package default; /var/log/clamav/clamd.log if you set LogFile as in the daemon configuration above)
    • Freshclam: /var/log/clamav/freshclam.log
    RHEL-based
    • Daemon: /var/log/clamd.scan

    Monitoring Commands

    Monitoring Commands
    # Check virus database version (freshclam may have replaced main.cvd with main.cld)
    sigtool --info=/var/lib/clamav/main.cvd
    # or, for engine and database version in one line
    clamscan --version
    
    # View recent scan results
    sudo tail -f /var/log/clamav/clamd.log
    
    # Check for errors
    sudo grep -i error /var/log/clamav/*.log
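    Reviewing scan logs for recurring threats, as an added example that is not part of the original guide: a small Python summarizer for the daily-scan.log written by the cron script above (clamdscan's `path: Signature FOUND`, `path: moved to '...'` and `... ERROR` lines). The sample log, paths and signature names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/clamav/daily-scan.log as written by the cron script;
# paths and signature names are made up for illustration.
SAMPLE_LOG = """\
[2024-05-01 02:00:01] Starting ClamAV scan
/home/alice/Downloads/invoice.exe: Win.Trojan.Example-1 FOUND
/home/alice/Downloads/invoice.exe: moved to '/var/quarantine/invoice.exe'
/var/www/uploads/photo.jpg.php: Php.Trojan.Example-2 FOUND
/var/www/uploads/photo.jpg.php: moved to '/var/quarantine/photo.jpg.php'
/home/bob/private: lstat() failed: Permission denied. ERROR
[2024-05-01 02:03:12] ALERT: Infections found! Check /var/log/clamav/daily-scan.log
[2024-05-01 02:03:12] Scan completed
----------------------------------------
"""

RUN_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] Starting ClamAV scan")
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")
MOVED_RE = re.compile(r"^(?P<path>.+?): moved to '(?P<dest>.+)'$")

def summarize_scan_log(text: str) -> dict:
    """Aggregate one or more scan runs: detections grouped by signature,
    files moved to quarantine, and scanner errors (lines ending in ERROR)."""
    by_signature = defaultdict(list)
    runs, moved, errors = [], [], []
    for line in text.splitlines():
        line = line.rstrip()
        if m := RUN_RE.match(line):
            runs.append(m["ts"])
        elif m := FOUND_RE.match(line):
            by_signature[m["sig"]].append(m["path"])
        elif m := MOVED_RE.match(line):
            moved.append(m["dest"])
        elif line.endswith(" ERROR"):
            errors.append(line)
    return {
        "runs": runs,
        "infected": sum(len(p) for p in by_signature.values()),
        "by_signature": dict(by_signature),
        "moved": moved,
        "errors": errors,
    }

def recurring_signatures(summary: dict, min_hits: int = 2) -> dict:
    """Signatures seen at least min_hits times: the recurring threats worth a closer look."""
    return {sig: paths for sig, paths in summary["by_signature"].items() if len(paths) >= min_hits}
```

Run it over the real file with `summarize_scan_log(open("/var/log/clamav/daily-scan.log").read())`; a non-empty "errors" list usually means clamd was down or a directory was unreadable rather than clean.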

    Troubleshooting


    Security Best Practices

    • Regular Updates: Ensure freshclam runs multiple times daily to stay current with new threats
    • Quarantine Rather Than Delete: Use --move instead of --remove to preserve infected files for analysis
    • Monitor Logs: Regularly review scan logs for patterns or recurring threats
    • Scan User Uploads: Integrate ClamAV with upload handling in web applications
    • Email Scanning: Consider integrating ClamAV with your mail server (Postfix/Exim)
    • Backup Before Removal: Always maintain backups before running scans with automatic removal
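    For the "Scan User Uploads" practice, an added example that is not part of the original guide: a web application handing an upload to clamd over the LocalSocket configured in clamd.conf above, using clamd's INSTREAM command. The socket path and the 64 KiB chunk size are assumptions; the verdict parser also handles the ERROR reply clamd returns when StreamMaxLength is exceeded.

```python
import socket
import struct

CLAMD_SOCKET = "/var/run/clamav/clamd.sock"  # LocalSocket path from the clamd.conf above (assumed)
CHUNK_SIZE = 64 * 1024                        # assumed chunk size; any size below StreamMaxLength works

def build_instream(data: bytes, chunk_size: int = CHUNK_SIZE) -> bytes:
    """Frame data as an INSTREAM request: 'zINSTREAM\\0', then records of
    <4-byte big-endian length><bytes>, terminated by a zero-length record."""
    frames = [b"zINSTREAM\0"]
    for i in range(0, len(data), chunk_size):
        chunk = data[i:i + chunk_size]
        frames.append(struct.pack(">I", len(chunk)) + chunk)
    frames.append(struct.pack(">I", 0))
    return b"".join(frames)

def parse_reply(reply: bytes) -> tuple:
    """Map clamd's NUL-terminated reply to (verdict, detail):
    'stream: OK' -> ('clean', None), 'stream: <sig> FOUND' -> ('infected', sig),
    anything else, e.g. 'INSTREAM size limit exceeded. ERROR', -> ('error', text)."""
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    _, _, body = text.partition(": ")  # drop the 'stream: ' label clamd prepends
    if body == "OK":
        return ("clean", None)
    if body.endswith(" FOUND"):
        return ("infected", body[: -len(" FOUND")])
    return ("error", text)

def scan_bytes(data: bytes, socket_path: str = CLAMD_SOCKET, timeout: float = 60.0) -> tuple:
    """Send data to clamd and return parse_reply's verdict. Uploads larger than
    StreamMaxLength (100M in the clamd.conf above) are refused with an ERROR reply."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        sock.connect(socket_path)
        try:
            sock.sendall(build_instream(data))
        except (BrokenPipeError, ConnectionResetError):
            pass  # clamd hangs up early on oversized streams; its ERROR reply may still be readable
        reply = b""
        while not reply.endswith(b"\0"):
            part = sock.recv(4096)
            if not part:
                break
            reply += part
    return parse_reply(reply)

def upload_is_safe(data: bytes) -> bool:
    """Fail closed: only an explicit OK from clamd lets an upload through; errors reject it."""
    return scan_bytes(data)[0] == "clean"
```

The socket user (the web server's account) must be able to connect to the socket, which is what LocalSocketMode and LocalSocketGroup control.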

    Testing ClamAV Installation

    Download the EICAR test file to verify ClamAV is working:

    Test ClamAV
    cd /tmp
    wget https://secure.eicar.org/eicar.com.txt
    clamscan eicar.com.txt

    ✓ You should see output indicating the test virus was detected: a line for eicar.com.txt ending in FOUND, and "Infected files: 1" in the scan summary. This confirms ClamAV is functioning correctly.

    Clean Up Test File
    rm eicar.com.txt

    ClamAV Successfully Deployed!

    ClamAV provides robust, open-source antivirus protection for your VPS. While Linux systems face fewer threats than other platforms, ClamAV adds valuable security particularly for servers handling file uploads, email, or content from untrusted sources.

    For production environments, consider implementing real-time scanning with ClamAV's on-access scanning feature (clamonacc) and integrating alerts with your monitoring infrastructure.