Clam AntiVirus is an open-source (GPL) antivirus toolkit tailored for UNIX systems, with a specific focus on e-mail scanning functionality for mail gateways. This toolkit is designed to provide robust protection against malware and threats, ensuring the security of email communications passing through mail gateways on UNIX platforms.
Clam AntiVirus is an open source (GPL) anti-virus toolkit for UNIX, designed especially for e-mail scanning on mail gateways.
ClamAV
ClamAV is an open source (GPLv2) anti-virus toolkit, de
on mail gateways. It provides a number of utilities inclu
threaded daemon, a command line scanner and advan
updates. The core of the package is an anti-virus engin
Tip: ClamAV is not a traditional anti-virus or endpoin
modern endpoint security suite, check out Cisco Secu
products", below, for more details.
ClamAV is brought to you by Cisco Systems, Inc.
Community Projects
ClamAV has a diverse ecosystem of community project
either depend on ClamAV to provide malware detectio
with new features such as improved support for 3rd pa
user interfaces (GUI), and more.
Features
ClamAV is designed to scan files quickly.
Real time protection (Linux only). The ClamOnAcc
daemon provides on-access scanning on modern
optional capability to block file access until a file h
prevention).
ClamAV detects millions of viruses, worms, trojan
Microsoft Office macro viruses, mobile malware,
ClamAV's bytecode signature runtime, powered b
bytecode interpreter, allows the ClamAV signatur
complex detection routines and remotely enhanc
Signed signature databases ensure that ClamAV w
definitions.
ClamAV scans within archives and compressed fil
bombs. Built-in archive extraction capabilities inc
Zip (including SFX, excluding some newer or
RAR (including SFX, most versions)
7Zip
ARJ (including SFX)
Tar
CPIO
Gzip
Bzip2
DMG
IMG
ISO 9660
PKG
HFS+ partition
HFSX partition
APM disk image
GPT disk image
MBR disk image
XAR
XZ
Microsoft OLE2 (Office documents)
Microsoft OOXML (Office documents)
Microsoft Cabinet Files (including SFX)
Microsoft CHM (Compiled HTML)
Microsoft SZDD compression format
HWP (Hangul Word Processor documents)
BinHex
SIS (SymbianOS packages)
AutoIt
InstallShield
ESTsoft EGG
Supports Windows executable file parsing, also k
both 32/64-bit, including PE files that are compre
AsPack
UPX
FSG
Petite
PeSpin
NsPack
wwpack32
MEW
Upack
Y0da Cryptor
Supports ELF and Mach-O files (both 32 and 64-b
Supports almost all mail file formats
Support for other special files/formats includes:
HTML
RTF
PDF
Files encrypted with CryptFF and ScrEnc
uuencode
TNEF (winmail.dat)
Advanced database updater with support for scri
DNS based database version queries
Disclaimer: Many of the above file formats continue
obfuscation tools in particular are constantly changi
can unpack or extract every version or variant of the
License
ClamAV is licensed under the GNU General Public Licen
Supported platforms
Clam AntiVirus is highly cross-platform. The developme
have chosen to test ClamAV using the two most recent
each of the most popular desktop operating systems. O
systems include:
GNU/Linux
Alpine
3.17 (x86_64)
Ubuntu
18.04 (x86_64, i386)
20.04 (x86_64)
Debian
10 (x86_64, i386)
11 (x86_64, i386)
CentOS
7 (x86_64, i386)
Fedora
31 (x86_64)
33 (x86_64)
openSUSE
15 Leap (x86_64)
UNIX
FreeBSD
12 (x86_64)
13 (x86_64)
macOS
10.13 High Sierra (Intel x86_64)
10.15 Catalina (Intel x86_64)
11.5 Big Sur (Intel x86_64, arm64 Apple
Windows
7 (x86_64, i386)
10 (x86_64, i386)
Disclaimer: Platforms and operating systems other t
tested by the ClamAV development team. In particu
such as HP-UX and Solaris, and uncommon processo
armhf, ppc64le, etc. are not supported.
You are welcome to report bugs and contribute bug
We may be unable to verify that a platform-specific
provided that a contributed fix appears technically s
issues, we will be happy to merge it.
Recommended System Requireme
The following minimum recommended system require
ClamD applications with the standard ClamAV signatur
Minimum recommended RAM for ClamAV:
FreeBSD and Linux server edition: 3 GiB+
Linux non-server edition: 3 GiB+
Windows 7 & 10 32-bit: 3 GiB+
Windows 7 & 10 64-bit: 3 GiB+
macOS: 3 GiB+
Tip: Server environments, like Docker, as well as and
are often resource constrained. We recommend at 3
with less if you're willing to accept some limitations.
here.
Minimum recommended CPU for ClamAV:
1 CPU at 2.0 GHz+
Minimum available hard disk space required:
For the ClamAV application we recommend having 5 G
recommendation is in addition to the recommended d
Note: The tests to determine these minimum require
systems that were not running other applications. If
on the system, additional resources will be required
minimums.
Mailing Lists and Chat
Mailing Lists
If you have trouble installing or using ClamAV try ask
lists available:
clamav-announce (at) lists.clamav.net
info about new versions, moderated.
Subscribers are not allowed to post to this m
clamav-users (at) lists.clamav.net
user questions
clamav-devel (at) lists.clamav.net
technical discussions
clamav-virusdb (at) lists.clamav.net
database update announcements, moderat
You can subscribe and search the mailing list archives
To unsubscribe: Use the same form page that you use
bottom for "unsubscribe".
IMPORTANT: When you subscribe or unsubscribe, you w
link that you must click on or else no action will occur.
email, check your spam folder.
Chat
You can join the community on our ClamAV Discord ch
Submitting New or Otherwise Und
If you've got a virus which is not detected by the curren
signature databases, please submit the sample for rev
https://www.clamav.net/reports/malware
Likewise, if you have a benign file that is flagging as a v
Positive, please submit the sample for review at our we
https://www.clamav.net/reports/fp
If you have questions about the submission process, p
Positive Report FAQ
How long does it take for a signature change after sub
false positive report?
In most cases, it takes at least 48 hours from initial s
be published in the official ClamAV signature databa
Who analyzes malware and false positive file uploads?
Given the volume of submissions, the vast majority
Who has access to the uploaded files?
All engineers and analysts within Cisco's Talos organ
Are malware or false positive file uploads shared with o
No. Files that are submitted for review through the C
web forms (or the clamsubmit tool), are not shared
sharing is fair game if we've already received the sam
(VirusTotal, Cisco SMA, various feeds, etc.).
Are the files deleted after the analysis?
No. Uploaded files are kept indefinitely.
Is the file accessible using a public URL at any point in t
No. Uploaded files are not accessible using a public
and kept internal to Cisco Talos.
Related Products
Cisco Secure Endpoint (formerly AMP for Endpoints) is
commercial and enterprise customers. Secure Endpoin
macOS and provides superior malware detection capa
dynamic file analysis, endpoint isolation, analytics, and
sports a modern administrative web interface (dashbo
Immunet is a cloud-based antivirus application for Win
use. Immunet offers great malware detection efficacy b
Immunet does not have the same features or the quality
offers. There is an Immunet user forum but Cisco offer
Installing ClamAV
Installing ClamAV
Installing with a Package Manager
Installing with an Installer
Linux (.deb, .rpm)
RPM packages (for CentOS, Redh
DEB packages (for Debian, Ubunt
macOS
Windows
Official ClamAV Docker Images
Installing from Source
What now?
Installing with a Package Manager
ClamAV is widely available from third party package m
This is often the quickest way to install ClamAV. It will m
Check out the Packages page to find installation instru
Installing with an Installer
Pre-compiled packages provided on the clamav.net do
dependencies statically compiled in.
These installers likely differ from packages provided by
need to create and configure the freshclam.conf and
to add a clamav service user account and adjust the p
We hope to round out these sharp corners in the futur
convenient, but for now be advised that setup from on
work than you may be used to.
If you're interested in learning how these packages we
development instructions.
Note: In the event that a vulnerability is found in one
impact ClamAV, we will publish new packages with u
we're able.
Linux (.deb, .rpm)
Beginning with ClamAV 0.104, we offer Debian and RPM
i686 (32bit) architectures. This will make it easier to get
package for your distribution is not readily available an
ClamAV from source.
Note: These packages do not presently include clam
add clamav-milter to the packages by developing
libmilter.a static library and contributing it to our Mu
RPM packages (for CentOS, Redhat, Fedora, SUSE, e
These are compiled on CentOS 7. They should be comp
distributions running glibc version 2.17 or newer.
To install, download the package for your system use
example:
    sudo dnf install ~/Downloads/clamav-0.104.0-rc2
You can verify that the package was installed using:
    dnf info clamav
This package installs to /usr/local .
Unlike packages provided by Debian or other distribut
include a preconfigured freshclam.conf , clamd.conf
accounts for FreshClam and ClamD. You can follow the
FreshClam and ClamD. You can follow these instruction
for running FreshClam and ClamD services.
And uninstall the package with:
    sudo dnf remove ~/Downloads/clamav-0.104.0-rc2.
DEB packages (for Debian, Ubuntu, Mint, etc.)
These are compiled on Ubuntu 18.04, and have all exte
compiled in. They should be compatible with all Debian
glibc version 2.27 or newer.
    sudo apt install ~/Downloads/clamav-0.104.0-rc2
You can verify that the package was installed using:
    apt info clamav
This package installs to /usr/local .
Unlike packages provided by Debian or other distribut
include a preconfigured freshclam.conf , clamd.conf
accounts for FreshClam and ClamD. You can follow the
FreshClam and ClamD. You can follow these instruction
for running FreshClam and ClamD services.
And uninstall the package with:
    sudo apt remove clamav
macOS
Beginning with ClamAV 0.104, we offer a PKG installer f
binaries built for Intel x86_64 and Apple M1 arm64 pro
To install, download the macOS .pkg installer. Double
directions.
This package installs to /usr/local/clamav . This is no
environment variable. You may wish to add /usr/loca
/usr/local/clamav/sbin to your PATH so you can run
entering the full path. To do this add this line to ~/.zs
    export PATH=/usr/local/clamav/bin:/usr/local/cl
Then run source ~/.zshrc or open a new terminal.
Unlike packages provided by Homebrew, this package
preconfigured freshclam.conf , clamd.conf , or datab
instructions to configure FreshClam and ClamD.
macOS package installers do not provide a mechanism
package. In the future, we hope to add a script to aid w
make it easier to remove, our macOS installer installs t
all you need to do is run:
    sudo rm -rf /usr/local/clamav
Windows
The ClamAV team provides official ClamAV builds for W
page. You can choose between a traditional executable
package.
To use the executable installer, double-click the installe
To install from a ZIP package, unzip the portable instal
Official ClamAV Docker Images
There are now official ClamAV images on Docker Hub.
Hub under clamav .
At present we offer images with builds of the latest dev
"unstable". ClamAV 0.104 will be the first stable release
Once published 0.104.0+ will be available using a Dock
number, or using "stable" to get the latest stable releas
Check out the Docker page to learn how to install and
Installing from Source
If you need, you can also compile and install ClamAV fr
Unix/Linux/Mac Instructions
Windows Instructions
What now?
Now that ClamAV is installed, you will want to customiz
up some scanning automation and alerting mechanism
Continue on to "Configuration"...
ClamAV Packages
Many Linux and Unix distributions offer one or more C
you to install ClamAV.
These packages are usually well maintained but if you
consider helping the volunteers that maintain the pack
Disclaimer: ClamAV packages may vary somewhat fr
examples:
The database and application config paths may
A default from-source install will go in /u
applications in /usr/local/bin
daemons in /usr/local/sbin
libraries in /usr/local/lib
headers in /usr/local/include
configs in /usr/local/etc/
databases in /usr/local/share/cla
A Linux package install will probably go in
applications in /usr/bin
daemons in /usr/sbin
libraries in /usr/lib
headers in /usr/include
configs in /etc/clamav
databases in /var/lib/clamav
As of 0.103.x, a from-source install requires the
FreshClam, ClamD, and ClamAV-Milter in order
install, however, is likely to come pre-configure
configs as needed.
Package installs sometimes carry extra patche
distribution, for issues the ClamAV developers
unaware of, and for security issues when distr
longer maintained by the ClamAV developers.
Some distributions parcel up ClamAV compone
don't necessarily need all of the packages. If th
you may need to review the applications descr
understand which features you will need.
Acknowledgments: Thank you to all of the volunteers
appreciate your help!
The Packages
Debian
Debian splits up ClamAV into a selection of different pa
Realistically, you probably only need to apt install c
clamav-daemon . If you require support for scanning co
enable the "non-free" archive. *
The full list of packages includes:
clamav - command-line interface
clamav-base - base package
clamav-daemon - scanner daemon
clamav-docs - documentation
clamav-freshclam - virus database update utility
clamav-milter - sendmail integration
clamav-testfiles - test files
libclamav-dev - development files
libclamav9 - library
libclamunrar9 - unrar support
* RAR Support: ClamAV's RAR support comes from U
not entirely free in so far as its license restricts user
create RAR archives. For this reason, it is bundled se
Enable it by adding "non-free" to /etc/apt/sources
deb http://http.us.debian.org/debian stable ma
Then you can install the RAR-plugin using: apt inst
There are a variety of other ClamAV related projects as
a larger list.
To test the installation, you can try to scan the test files
Note: Debian packages are maintained by Debian's C
The package maintainers can be reached at clamav-
info at tracker.debian.org/pkg/clamav.
Patches: https://salsa.debian.org/clamav-team/clam
Ubuntu
Ubuntu's ClamAV packages are derived from the Debia
instructions for installation details.
RAR Support: As with Debian, RAR support is not incl
that desire RAR support will have to install libclamu
Debian, there is no need to enable "non-free" packa
Note: Ubuntu packages are curated by Ubuntu Deve
https://packages.ubuntu.com/source/clamav
openSUSE
openSUSE provides two packages:
clamav - The clamav package
clamav-devel - The clamav package plus header
RPM download
Find these packages at under http://download.opensu
http://download.opensuse.org/repositories/secur
mav-0.103.1-lp153.234.4.x86_64.rpm.mirrorlist
http://download.opensuse.org/repositories/secur
mav-devel-0.103.1-lp153.234.4.x86_64.rpm.mirro
Use the update variant for openSUSE, add it to your ins
YaST or zypper and give it a higher priority (lower num
the official updates.
Tip: RPMs of new ClamAV versions for existing SUSE
respective online update channels. As these package
takes some time for a new ClamAV source release to
those who want the newest version, packages are av
the openSUSE Build Service.
Zypper
Install ClamAV with zypper :
    zypper install -y clamav
Note: openSUSE packages are maintained by Reinha
EPEL: Fedora, RHEL, and CentOS
EPEL creates ClamAV packages for Fedora (as well as E
more information on EPEL, visit their wiki.
To enable EPEL for CentOS:
    dnf install -y epel-release
EPEL offers a selection of packages to install ClamAV:
clamd - The Clam AntiVirus Daemon
clamav - End-user tools for the Clam Antivirus sc
clamav-data - Virus signature data for the Clam
clamav-devel - Header files and libraries for the
clamav-lib - Dynamic libraries for the Clam Anti
clamav-milter - Milter module for the Clam Anti
clamav-update - Auto-updater for the Clam Antiv
Most users will only need to run:
    dnf install -y clamav clamd clamav-update
Tips
CentOS: On Community Enterprise Operating System
requires the Extra Packages for Enterprise Linux (EP
RHEL: On RedHat Enterprise Linux (RHEL) the EPEL r
either manually or through RHN.
Fedora: Fedora packages can be found at https://src
Fedora's packaging is more customized than most. P
troubleshooting your Fedora package configuration
Gentoo
ClamAV is available in portage under /usr/portage/ap
To install, run:
    emerge clamav
For more details, see the package entry on Portage.
FreeBSD, OpenBSD, NetBSD
Although all these systems offer the possibility to use p
pre-built package:
FreeBSD
FreeBSD offers two ClamAV ports (packages):
clamav
clamav-lts
To install, run:
    pkg install clamav
and
    pkg install clamav-lts
respectively.
Note: For more details, see:
https://www.freshports.org/security/clamav
https://www.freshports.org/security/clamav-lts
OpenBSD
To install, run:
    pkg_add clamav
NetBSD
To install, run:
    pkgin install clamav
Solaris
OpenCSW is a community software project for Solaris 8
more than 2000 popular open source titles and they ca
dependency handling via pkgutil which is modeled afte
Note: The package can be found on OpenCSW thoug
date.
Disclaimer: ClamAV is also no longer supported on S
proprietary, less commonly used, and difficult to wo
will depend on components written in the Rust prog
does not support building directly on Solaris. It is lik
on Solaris in the future.
    pkgutil -i clamav
Slackware
You can download ClamAV builds for Slackware from
https://slackbuilds.org/repository/14.2/system/clamav/
Download the package, and as root, install it like so (su
    installpkg clamav.tar.gz
macOS
ClamAV can be easily installed on macOS using one of
Homebrew: ClamAV formula
MacPorts: ClamAV port
Homebrew
Install Homebrew if you don't already have it. Then run
    brew install clamav
Homebrew installs versioned packages to /usr/local/
symlinks in /usr/local/opt/<package> to the current
executables will be placed in /usr/local/bin to add t
files will be placed in /usr/local/etc/clamav .
As with most other installation methods, you may need
before you can run freshclam , clamscan , or use clam
1. Create /usr/local/etc/clamav/freshclam.conf
/usr/local/etc/clamav/freshclam.conf.sample
2. Remove or comment-out the Example line from
3. Run freshclam to download the latest malware d
If you wish to run clamd you'll also need to create /us
from /usr/local/etc/clamav/clamd.conf.sample , an
Local/Unix socket settings (preferred), or TCP socket se
MacPorts
Install MacPorts if you don't already have it. Then run:
    sudo port install clamav
MacPorts installs versioned packages to /opt/local/ .
/opt/local/etc .
As with most other installation methods, you may need
before you can run freshclam , clamscan , or use clam
1. Create /opt/local/etc/freshclam.conf from
/opt/local/etc/freshclam.conf.sample .
2. Remove or comment-out the Example line from
3. Run freshclam to download the latest malware d
If you wish to run clamd you'll also need to create /op
/opt/local/etc/clamd.conf.sample , and configure c
settings (preferred), or TCP socket settings.
ClamAV in Docker
ClamAV can be run within a Docker container. This pro
by running it in a containerized environment. If new or
cgroups see docker.com.
Memory (RAM) Requirements
Whether you're using the official ClamAV docker image
ClamAV, you will need to ensure that you have enough
Recommended RAM for ClamAV (As of 2020/09/20):
Minimum: 3 GiB
Preferred: 4 GiB
Why is this much RAM required?
ClamAV uses upwards of 1.2 GiB of RAM simply to load
matching structures in the construct we call an "engine
RAM required to process the files during the scanning
ClamAV uses upwards of 2.4 GiB of RAM for a short pe
signature definitions. When the clamd process reload
default behavior is for ClamAV to build a new engine b
Once loaded and once all scans that use the old engine
unloaded. This process is called "concurrent reloading"
during the reload. As a consequence, clamd will use tw
period. During the reload.
The freshclam process may also consume a sizeable c
newly downloaded databases. It won't use quite as mu
may still be enough to cause issues on some systems.
If your container does not have enough RAM you can e
your clamd process. Within Docker, this may cause yo
If you're observing issues with ClamAV failing or becom
likely that your system does not have enough RAM to r
What can I do to minimize RAM usage?
clamd reload memory usage
You can minimize clamd RAM usage by setting Concur
clamd.conf .
The downside is that clamd will block any new scans u
freshclam memory usage
You can disable freshclam database load testing to m
TestDatabases no in freshclam.conf .
The downside here is a risk that a download may fail in
freshclam will unknowingly keep the broken database
the broken file.
The official images on Docker Hub
ClamAV image tags on Docker Hub follow these namin
All images come in two forms:
clamav/clamav:<version> : A release preloaded w
Using this container will save the ClamAV project
keep the image around so that you don't downloa
you start a new container. Updating with FreshCla
not use much data.
clamav/clamav:<version>_base : A release with n
Use this container only if you mount a volume in
/var/lib/clamav to persist your signature datab
best option because it will reduce data costs for C
but it does require advanced familiarity with Linu
Caution: Using this image without mounting an
cause FreshClam to download the entire datab
container.
There are a selection of tags to help you get the versio
clamav/clamav:<MAJOR.MINOR.PATCH>_base and
<MAJOR.MINOR.PATCH> : This is a tag for a specific i
"base" version of this image will never change, an
be updated to have newer signature databases.
If we need to publish a new image to resolve CVE
then another image will be created with a build-n
For example: 0.104.2-2_base is a new image to
busybox in the 0.104.2_base image.
clamav/clamav:<MAJOR.MINOR>_base and clamav
for the latest patch version of ClamAV 0.104. Whe
is created, this tag will be updated so that it alway
ClamAV 0.104.
clamav/clamav:stable_base and clamav/clamav
latest stable patch version image. We use the wor
do not track the latest commit in GitHub. As of 20
to 0.104 and 0.104_base . When 0.105 is release
0.105 and 0.105_base .
clamav/clamav:latest_base and clamav/clamav
clamav/clamav:stable_base and clamav/clamav
users expect all images to have a "latest".
clamav/clamav:unstable_base and clamav/clam
latest commit in the main branch on github.com/
something doesn't go wrong, these are updated e
in the ClamAV Git repository.
Image Selection Recommendations
Instead of choosing the specific image for a patch relea
release, such as clamav/clamav:0.104 or clamav/clam
Only select a "latest" or "stable" tags if you're comforta
updating to a new feature release right away without e
Choose the _base tag and set up a volume to persist y
save us and you bandwidth. You may choose to set up
daemon enabled, and have multiple others that do not
images will occasionally check to see if there are newe
and will reload the databases as needed.
ClamAV uses quite a bit of RAM to load the signature d
insufficient. Configure your containers to have 4GB of
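An added example (not part of the ClamAV documentation): a small linter that parses image tags according to the naming rules above and flags the choices the recommendations warn about. The finding names and the `lint` interface are invented for this example; `mount_targets` is assumed to be the list of in-container mount paths of the container being checked.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Tag grammar taken from the naming rules above: a version
# (<MAJOR.MINOR> or <MAJOR.MINOR.PATCH>, the latter optionally with a
# -<build> suffix) or a floating name, optionally followed by "_base".
TAG_RE = re.compile(
    r"^(?:(?P<major>\d+)\.(?P<minor>\d+)"
    r"(?:\.(?P<patch>\d+)(?:-(?P<build>\d+))?)?"
    r"|(?P<floating>stable|latest|unstable))"
    r"(?P<base>_base)?$"
)

DB_DIR = "/var/lib/clamav"  # signature database path inside the container


class ClamavTag(NamedTuple):
    kind: str                           # "patch", "feature" or "floating"
    version: Optional[Tuple[int, ...]]  # None for floating tags
    build: Optional[int]                # rebuild number, e.g. 2 in 0.104.2-2
    floating: Optional[str]             # "stable", "latest" or "unstable"
    base: bool                          # True for the image without databases


def parse_tag(image_ref: str) -> ClamavTag:
    """Split an image reference and classify its tag."""
    _, sep, tag = image_ref.rpartition(":")
    if not sep or "/" in tag:   # no tag given, or the colon was a registry port
        tag = "latest"          # Docker's default when the tag is omitted
    m = TAG_RE.match(tag)
    if m is None:
        raise ValueError(f"not a ClamAV image tag: {tag!r}")
    base = m.group("base") is not None
    if m.group("floating"):
        return ClamavTag("floating", None, None, m.group("floating"), base)
    nums = [int(m.group("major")), int(m.group("minor"))]
    if m.group("patch") is None:
        return ClamavTag("feature", tuple(nums), None, None, base)
    nums.append(int(m.group("patch")))
    build = int(m.group("build")) if m.group("build") else None
    return ClamavTag("patch", tuple(nums), build, None, base)


def lint(image_ref: str, mount_targets: List[str]) -> List[str]:
    """Return findings for one container; an empty list follows the advice above."""
    tag = parse_tag(image_ref)
    findings = []
    if tag.kind == "floating" and tag.floating == "unstable":
        # "unstable" follows the latest commit in the main branch.
        findings.append("tracks-main-branch")
    elif tag.kind == "floating":
        # "stable"/"latest" move to a new feature release as soon as it ships.
        findings.append("auto-upgrades-feature-release")
    elif tag.kind == "patch":
        # The advice is to pick the feature release tag (e.g. 0.104) instead.
        findings.append("pinned-to-patch-release")
    has_db_volume = any(t.rstrip("/") == DB_DIR for t in mount_targets)
    if tag.base and not has_db_volume:
        # Without a volume, FreshClam fetches the whole database on every start.
        findings.append("base-image-without-db-volume")
    return findings


if __name__ == "__main__":
    for ref, mounts in [("clamav/clamav:0.104_base", [DB_DIR]),
                        ("clamav/clamav:unstable_base", ["/scandir"])]:
        print(ref, lint(ref, mounts))
```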
End of Life
The ClamAV Docker images are subject to ClamAV's En
given feature release, those images will no longer be u
download signature updates.
Building the ClamAV image
While it is recommended to pull the image from our Do
build the image locally instead.
To do this, you will need to get the Dockerfile and th
from the clamav-docker Git repository. Be sure to selec
release.
Tip: For unreleased ClamAV versions, such as when
you should select the files from the clamav-docker/
directory.
Place the Dockerfile and scripts/ directory in the C
can build the image. For example, run:
    docker build --tag "clamav:TICKET-123" .
in the current directory. This will build the ClamAV ima
"clamav:TICKET-123". Any name can generally be used
referred to later when running the image.
Running ClamD
To run clamd in a Docker container, first, an image eit
Docker registry.
Running ClamD using the official ClamAV im
To pull the ClamAV "unstable" image from Docker Hub
    docker pull clamav/clamav:unstable
Tip: Substitute unstable with a different version as
To pull and run the official ClamAV images from the Do
command:
    docker run \
        --interactive \
        --tty \
        --rm \
        --name "clam_container_01" \
        clamav/clamav:unstable
The above creates an interactive container with the cu
optional but useful when getting started as it allows on
the case of clamd , send ctrl-c to close the container
container is cleaned up again after it exits and the --n
so it can be referenced through other (Docker) comma
same image can be started without conflicts.
Note: Pulling is not always required. docker run wil
found locally. docker run --pull always will alway
most up-to-date container is being used. Do not use
ClamAV images.
Tip: It's common to see -it instead of --interacti
Tip: It's common to also publish (forward) the ClamA
the TCP socket using --publish 3310:3310 in the d
Running ClamD using a Locally Built Image
You can run a container using an image built locally (se
run:
    docker run -it --rm \
        --name "clam_container_01" \
        clamav:TICKET-123
Persisting the virus database (volume)
The virus database in /var/lib/clamav is by default u
normally not shared. For simple setups this is fine, whe
expected to run in a dockerized environment. Howeve
efficiently share the database or at least persist it acro
To do so, you have two options:
1. Create a Docker volume using the docker volume
managed by Docker and are the best choice for c
For example, create a "clam_db" volume:
    docker volume create clam_db
Then start one or more containers using this volu
database volume will download the full database
the existing databases and may update them as n
    docker run -it --rm
        --name "clam_container_01"
        --mount source=clam_db,target=/var/lib
        clamav/clamav:unstable_base
2. Create a Bind Mount that maps a file system dire
Bind Mounts depend on the directory structure, p
the Docker host machine.
Run the container with these arguments to moun
environment as a volume in the container.
    --mount type=bind,source=/path/to/data
When doing this, it's best to use the <version>_b
bandwidth. E.g.:
    docker run -it --rm
        --name "clam_container_01"
        --mount type=bind,source=/path/to/data
        clamav/clamav:unstable_base
Disclaimer: When using a Bind Mount, the cont
ownership of this directory to its "clamav" user
ClamD with the required permissions to read a
these changes will also affect those files on the
If you're thinking about running multiple containers th
here are some notes on how this might work.
Running Clam(D)Scan
Scanning files using clamscan or clamdscan is possib
section briefly describes them, but the other sections o
hand to better understand some of the concepts.
One important aspect is however to realize that Docke
any of the hosts files. And so to scan these within Dock
bind mount to be made accessible.
For example, running the container with these argume
    --mount type=bind,source=/path/to/scan,targ
    --mount type=bind,source=/path/to/scan,targ
... would make the hosts file/directory /path/to/scan
/scandir and thus invoking clamscan would thus be
Note that while technically possible to run either scann
described as it is unlikely the container has access to th
ClamScan
Using clamscan outside of the Docker container is how
make use of the available shared dockerized resources
virus database and share that for example. E.g. it could
container with only the freshclam daemon running, a
/var/lib/clamav . This could be useful for file servers
installed on the host, and freshclam is managed in a
Note: Running the freshclam daemon separated fro
unless the clamd socket is shared with freshclam
inform clamd of database updates.
Dockerized ClamScan
To run clamscan in a Docker container, the Docker co
    docker run -it --rm
        --mount type=bind,source=/path/to/scan,targ
        clamav/clamav:unstable
        clamscan /scandir
However, this will use whatever signatures are found in
of date. If using clamscan in this way, it would be best
to-date so that you scan with the latest signatures. E.g.
    docker run -it --rm
        --mount type=bind,source=/path/to/scan,targ
        --mount type=bind,source=/path/to/databases
        clamav/clamav:unstable_base
        clamscan /scandir
ClamDScan
As with clamscan , clamdscan can also be run when in
the dockerized clamd . This can be done by either poin
TCP/UDP port or unix socket.
Dockerized ClamDScan
Running both clamd and clamdscan is also easily pos
shared socket between the two containers. The only ca
1. mount the files to be scanned in the container th
2. mount the files to be scanned in the container th
clamdscan --stream . The --stream option will b
from a different machine on a network.
For example:
    docker run -it --rm
        --mount type=bind,source=/path/to/scan,targ
        --mount type=bind,source=/var/lib/docker/data/clamav/so
        clamav/clamav:unstable

    docker run -it --rm
        --mount type=bind,source=/path/to/scan,targ
        --mount type=bind,source=/var/lib/docker/data/clamav/so
        clamav/clamav:unstable_base
        clamdscan /scandir
Controlling the container
The ClamAV container actually runs both freshclam a
Optionally available to the container is ClamAV's milter
the services started within the container, the following
run command with the --env ( -e ) parameter.
CLAMAV_NO_CLAMD [true|false] Do not start cl
started)
CLAMAV_NO_FRESHCLAMD [true|false] Do not st
freshclam daemon is started)
CLAMAV_NO_MILTERD [true|false] Do not start t
clamav-milter daemon is not started)
CLAMD_STARTUP_TIMEOUT [integer] Seconds to
FRESHCLAM_CHECKS [integer] freshclam daily u
day)
So to additionally also enable clamav-milter , the follo
    --env 'CLAMAV_NO_MILTERD=false'
Furthermore, all of the configuration files that live in /
doing a volume-mount to the specific file. The following
purpose. The example uses the entire configuration di
multiple times if individual files deem to be replaced.
    --mount type=bind,source=/full/path/to/clam
Note: Even when disabling the freshclam daemon,
once during container startup if there is no virus dat
the virus database location itself /var/lib/clamav/
volume. This however is slightly more advanced and
Connecting to the container
Executing commands within a running cont
To connect to a running ClamAV container, docker exe
an already running container. To do so, the name need
ps or supplied during container start via the --name p
command in this case can be clamdtop .
    docker exec --interactive --tty "clamav_contain
Alternatively, a shell can be started to inspect and run
well.
    docker exec --interactive --tty "clamav_contain
Unix sockets
The default socket for clamd is located inside the cont
be connected to when exposed via a Docker volume m
the container can freely create and remove the socket,
volume-mounted, to expose it for others on the same
be used for this purpose. Do ensure that the directory
inside the container has permission to access it. Cautio
permissions, as incorrect permission could open clamd
Note: If you override the LocalSocket option with a
then you may find the clamd.sock file in a different
    --mount type=bind,source=/var/lib/docker/da
With the socket exposed to the host, any other service
example clamdtop where installed on the local host, c
    clamdtop "/var/lib/docker/data/clamav/sockets/c
should work just fine. Likewise, running clamdtop in a
socket will equally work. While clamdtop works well as
important to realize, this can also be used to connect a
TCP
ClamAV in the official Docker images is configured to li
ports:
clamd : 3310
clamav-milter : 7357
While clamd and clamav-milter will listen on the abo
expose these by default to the host. Only within contai
expose, or "publish", these ports to the host, and thus
the --publish (or --publish-all ) flag to docker run
advanced/secure mappings can be done as per docum
publish [<host_port>:]<container_port> to make th
    --publish 13310:3310
    --publish 7357
The above would thus publish:
clamd port 3310 as 13310 on the host
milter port 7357 as a random to the host. The r
docker ps .
But if you're just running one ClamAV container, you p
default port numbers, which are the same port numbe
clamd.conf.sample file provided with ClamAV:
    --publish 3310:3310
    --publish 7357:7357
Warning: Extreme caution is to be taken when using
protections on that level. All traffic is un-encrypted.
using TCP communications.
Container ClamD health-check
Docker has the ability to run simple ping checks on se
clamd is running inside the container, Docker will on o
the default port and wait for the pong from clamd . If
treat this as an error. The healthcheck results can be v
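The ping/pong exchange behind this health-check, as an added example (not the code the official image runs): a probe that sends clamd's PING command over a Unix socket or TCP and accepts only a PONG reply. `clamd_ping` and `start_stub_clamd` are assumed names, and the stub is a constructed stand-in for clamd so the block runs without a real daemon.

```python
import socket
import threading


def _connect(address, timeout):
    """Open a stream connection to a Unix socket path or a (host, port) tuple."""
    if isinstance(address, str):
        sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        try:
            sock.settimeout(timeout)
            sock.connect(address)
        except OSError:
            sock.close()
            raise
        return sock
    return socket.create_connection(address, timeout=timeout)


def clamd_ping(address, timeout=5.0):
    """Return True only if clamd at `address` answers PING with PONG."""
    try:
        with _connect(address, timeout) as sock:
            # The 'z' prefix asks clamd for a NUL-delimited command and reply.
            sock.sendall(b"zPING\0")
            reply = b""
            while not reply.endswith(b"\0") and len(reply) < 64:
                chunk = sock.recv(64)
                if not chunk:  # peer closed before finishing the reply
                    break
                reply += chunk
    except OSError:  # refused connection, missing socket, timeout
        return False
    return reply == b"PONG\0"


def start_stub_clamd(reply=b"PONG\0"):
    """Constructed stand-in for clamd on 127.0.0.1; returns (host, port).

    Serves exactly one connection and sends `reply` when it receives zPING.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            if conn.recv(64) == b"zPING\0":
                conn.sendall(reply)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


if __name__ == "__main__":
    print("healthy stub:", clamd_ping(start_stub_clamd()))
    print("silent stub: ", clamd_ping(start_stub_clamd(reply=b""), timeout=1.0))
```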
Performance
The performance impact of running clamd in Docker i
a wrapper around Linux's cgroups and cgroups can be
jail . All code is executed on the host without any tra
some isolation (through cgroups) to isolate the various
Of course, nothing in life is free, and so there is some o
prominent one. The Docker container might have som
between the host and the container. Furthermore, als
each instance, as there is no RAM-deduplication. Both
however. A filesystem that supports disk-deduplication
RAM-deduplication.
The base container image in itself is already quite sma
(compressed/uncompressed) at the time of this writing
advantages are very much worth the cost in general.
The container including the virus database is about 300
(compressed/uncompressed) at the time of this writing
Bandwidth
Please, be kind when using 'free' bandwidth, both for t
Docker registry. Try not to download the entire databa
images on a regular basis.
Advanced container configuration
Multiple containers sharing the same moun
You can run multiple containers that share the same d
the FreshClam daemons on each would compete to up
would update the databases and trigger its ClamD to lo
others would be oblivious to the new databases and w
until the next ClamD self-check.
This is fine, honestly. It won't take that long before the
ClamD's self-check and the databases are reloaded aut
To reload the databases on all ClamD containers imme
disable the FreshClam daemon when you start the con
perform an update and again as needed to have ClamD
Note: This really isn't necessary but you could do thi
Exactly how you orchestrate this will depend on your e
along these lines:
1. Create a "clam_db" volume, if you don't already h
2. Start your containers:
Wait for the first one to download the databases
start more:
docker volume create clam_db
docker run -it --rm
--name "clam_container_01"
--mount source=clam_db,target=/var/lib
--env 'CLAMAV_NO_FRESHCLAMD=true'
clamav/clamav:0.104_base
docker run -it --rm
--name "clam_container_02"
--mount source=clam_db,target=/var/lib
--env 'CLAMAV_NO_FRESHCLAMD=true'
clamav/clamav:0.104_base
3. Check for updates, as needed:
docker exec -it clam_container_01 freshclam
if [ $? == 1 ]; then
docker exec -it clam_container_01 clamd
docker exec -it clam_container_02 clamd
fi
Building ClamAV with CM
newer)
The following are instructions to build ClamAV version 0
Tip: If you wish to build ClamAV version 0.103 or olde
instructions to build ClamAV using Autotools.
Building ClamAV with CMake (v0.104 and newer)
Install prerequisites
Alpine
Redhat / Centos / Fedora
SUSE / openSUSE
Ubuntu / Debian
macOS
FreeBSD
Install Rust toolchain
Adding new system user and group
Download the source code
Build ClamAV
The Default Build
A Linux Distribution-style Build
A Build for Development
About the tests
Un-install
What now?
Note: Some of the dependencies are optional if you
command line applications, or elect to only build the
libcurl: required for libfreshclam, freshclam, clam
ncurses: required for clamdtop
For more information about customized builds and
skipped, please see the INSTALL.md document acco
Install prerequisites
Note: Some of the instructions below rely on Python
CMake. This is because some distributions do not pr
CMake required to build ClamAV.
Tip: The Python 3 pytest package is recommended
the unit tests fail so that the test output is easy to re
However, if you have Python 2's pytest installed bu
may fail to run.
Alpine
As root or with sudo , run:
Version 0.105+: install the Rust toolchain. The best opt
using rustup your Rust toolchain. Alpine users on the la
adequate Rust toolchain with:
Redhat / Centos / Fedora
For RHEL 8 or Centos Stream, you will probably need to r
As root or with sudo , run:
As root or with sudo , run:
apk update && apk add
`# install tools`
g++ gcc gdb make cmake py3-pytest python3 val
`# install clamav dependencies`
bzip2-dev check-dev curl-dev json-c-dev libmi
linux-headers ncurses-dev openssl-dev pcre2-d
apk add cargo rust
dnf install -y epel-release
dnf install -y dnf-plugins-core
dnf install -y https://dl.fedoraproject.org/pub
8.noarch.rpm
dnf config-manager --set-enabled PowerTools |
dnf config-manager --set-enabled powertools |
Note: If you get dnf: command not found , use yum
As a regular user, run:
Tip: If you don't have a user account, e.g. in a Docke
Version 0.105+: install the Rust toolchain. The best opt
using rustup your Rust toolchain. Centos and RHEL use
Rust toolchain through the distribution's package man
unwilling to use rustup may have luck with:
SUSE / openSUSE
As root or with sudo , run:
Tip: If you're on an older release and if the cmak
old, then you may need to remove cmake , install py
like this:
dnf install -y
`# install tools`
gcc gcc-c++ make python3 python3-pip valgrind
`# install clamav dependencies`
bzip2-devel check-devel json-c-devel libcurl-
ncurses-devel openssl-devel pcre2-devel sendm
python3 -m pip install --user cmake pytest
python3 -m pip install cmake pytest
dnf install -y cargo rust
zypper install -y
`# install tools`
gcc gcc-c++ make python3 valgrind cmake pytho
`# install clamav dependencies`
libbz2-devel check-devel libjson-c-devel libc
ncurses-devel libopenssl-devel pcre2-devel se
python3 -m pip install --user cmake
Version 0.105+: install the Rust toolchain. The best opt
using rustup your Rust toolchain. openSUSE users that
rustup may have luck with:
Ubuntu / Debian
As root or with sudo , run:
Tip: If you're on an older release and if the cmak
old, then you may need to remove cmake , install py
like this:
Version 0.105+: install the Rust toolchain. The best opt
using rustup your Rust toolchain. Debian users are unl
toolchain through the distribution's package manager.
the time of writing, even Ubuntu 18.04 appears to have
(1.57.0, where the latest security patch for rustc is ve
users may install the Rust toolchain with:
Note: Debian and Ubuntu chose to call it rustc and
users may instead install rust-all for a few additio
you would normally install through rustup . The ru
to exist for Debian 11 (bullseye).
zypper install -y cargo rust
apt-get update && apt-get install -y
`# install tools`
gcc make pkg-config python3 python3-pip pytho
`# install clamav dependencies`
check libbz2-dev libcurl4-openssl-dev libjson
libncurses5-dev libpcre2-dev libssl-dev libxm
python3 -m pip install --user cmake
apt-get install -y cargo rustc
macOS
The following instructions require you to install HomeB
dependencies.
Note: You may also need to install pkg-config if no
You can use Homebrew to do this with: brew insta
Version 0.105+: install the Rust toolchain. The best opt
using rustup your Rust toolchain.
FreeBSD
As root or with sudo , run:
Now as a regular user, run:
Tip: If you don't have a user account, e.g. in a Docke
brew update
packages=(
# install tools
python3 cmake
# install clamav dependencies
bzip2 check curl-openssl json-c libxml2 ncurs
)
for item in "${packages[@]}"; do
brew install $item || true; brew upgrade $ite
done
python3 -m pip install --user cmake pytest
pkg install -y
`# install tools`
gmake cmake pkgconf py38-pip python38
`# install clamav dependencies`
bzip2 check curl json-c libmilter libxml2 ncu
python3.8 -m pip install --user pytest
python3 -m pip install pytest
Version 0.105+: install the Rust toolchain. The best opt
using rustup . FreeBSD users may find an adequate ve
install the Rust toolchain, depending on their release. F
toolchain with:
Install Rust toolchain
Starting with ClamAV v0.105, a Rust toolchain is require
You can install the appropriate toolchain for your deve
the instructions on the rustup website. This ensures th
compiler available at the time of installation; keep your
and bug/security fixes by periodically executing: rustu
Building ClamAV requires, at a minimum, Rust compile
introduced in the Rust 2021 Edition.
Depending on your target environment, compilers may
downloading and executing the rustup script. Some p
packages that are recent-enough to build ClamAV. How
as CentOS, provide no package, or toolchains that are t
unable or unwilling to utilize rustup , you may downlo
binaries directly from rust-lang.org.
Adding new system user and grou
If installing to the system, and if you intend to run fre
should create a service account before compiling and i
Follow these steps to create a service account.
Download the source code
Download the source from the clamav.net downloads
Extract the archive:
pkg install -y rust
tar xzf clamav-[ver].tar.gz
cd clamav-[ver]
Build ClamAV
First, make a "build" subdirectory. This will enable you
something goes wrong and you need to re-configure a
Next, select the build options you desire. For a full list o
"Custom CMake options" section in the INSTALL.md fil
To help you get started, here are some popular build c
The Default Build
The default build type is RelWithDebInfo , that is "Rele
It will install to /usr/local .
Tip: If building for macOS, you may need to override
the OpenSSL you installed using Homebrew. For exa
A Linux Distribution-style Build
This build type mimics the layout you may be familiar w
Debian, Ubuntu, Alpine, and some other distributions:
mkdir build && cd build
cmake ..
cmake --build .
ctest
sudo cmake --build . --target install
cmake ..
-D CMAKE_INSTALL_PREFIX=/usr/local/clamav
-D OPTIMIZE=OFF
-D OPENSSL_ROOT_DIR=/usr/local/opt/openssl@
-D
OPENSSL_CRYPTO_LIBRARY=/usr/local/opt/openssl
-D OPENSSL_SSL_LIBRARY=/usr/local/opt/opens
make
sudo make install
Using the above example:
CMAKE_INSTALL_PREFIX - The install "prefix" will b
CMAKE_INSTALL_LIBDIR - The library directory wil
This may be the default anyways, but you may wa
to lib64 and if lib64 is not desired.
APP_CONFIG_DIRECTORY - The config directory wil
Note: This absolute path is non-portable.
DATABASE_DIRECTORY - The database directory wi
Note: This absolute path is non-portable.
Tip: Setting ENABLE_JSON_SHARED=OFF is preferred, b
or newer unless you build json-c yourself with custo
available to you, you may omit the option and just u
warned that downstream applications which use li
use a different JSON library.
Some other popular configuration options include:
CMAKE_INSTALL_DOCDIR - Specify exact document
install prefix. The default may vary depending on
CMake.
E.g., -D CMAKE_INSTALL_DOCDIR=share/doc/packa
CMAKE_SKIP_RPATH - If enabled, no RPATH is built
when building packages for some Linux distributi
detail about CMake's RPATH handling.
E.g., -D CMAKE_SKIP_RPATH=ON
cmake .. \
    -D CMAKE_INSTALL_PREFIX=/usr \
    -D CMAKE_INSTALL_LIBDIR=lib \
    -D APP_CONFIG_DIRECTORY=/etc/clamav \
    -D DATABASE_DIRECTORY=/var/lib/clamav \
    -D ENABLE_JSON_SHARED=OFF
cmake --build .
ctest
sudo cmake --build . --target install
Please see the CMake documentation for more instruc
paths.
A Build for Development
This suggested development configuration generates a
the default Makefile-based build system. Ninja is faster
install "ninja" (or "ninja-build"). With the following com
Debug mode with optimizations disabled. It will install
SystemD integration is disabled so that sudo is not req
files are not installed to the system. This build also ena
library as well as building the example applications.
You can find additional instructions in our Developmen
About the tests
ClamAV's public test suite is run using ctest . On Linux
if you have Valgrind. If installed, each test will run a sec
leaks.
If a test fails, please report the issue on GitHub. You wi
in the build/unit_tests directory. The output from c
information, but if not it could be helpful to zip up the
ticket.
Un-install
CMake doesn't provide a simple command to uninstall
install_manifest.txt file when you do the install. Yo
installed files.
cmake .. -G Ninja \
    -D CMAKE_BUILD_TYPE=Debug \
    -D OPTIMIZE=OFF \
    -D CMAKE_INSTALL_PREFIX=`pwd`/install \
    -D ENABLE_EXAMPLES=ON \
    -D ENABLE_STATIC_LIB=ON \
    -D ENABLE_SYSTEMD=OFF
cmake --build .
ctest --verbose
cmake --build . --target install
You will find the manifest in the directory where you co
recommendations (above), then you will find it at <cla
directory>/build/install_manifest.txt .
Feel free to inspect the file so you're comfortable know
Open a terminal and cd to that <clamav source dire
This will leave behind the directories, and will leave beh
including the signature databases and any config files.
files yourself.
Tip: You may need to use sudo , depending on wher
What now?
Now that ClamAV is installed, you will want to customiz
up some scanning automation and alerting mechanism
Continue on to "Configuration"...
xargs rm < install_manifest.txt
Building ClamAV with Aut
and older)
The following are instructions to build ClamAV version 0
Building ClamAV with Autotools (v0.103 and older
Install prerequisites
Alpine
Redhat / Centos / Fedora
Ubuntu / Debian
macOS
FreeBSD
Adding new system user and group
Download the source code
Build ClamAV
The Default Build
A Linux Distribution-style Build
A Build for Development
About the tests
Un-install
What now?
Note: Some of the dependencies are optional if you
command line applications, or elect to only build the
libcurl: required for libfreshclam, freshclam, clam
json-c: required for clamsubmit, optional for libc
ncurses: required for clamdtop
Install prerequisites
Alpine
As root or with sudo , run:
Redhat / Centos / Fedora
For Centos 8, you will probably need to run this to enab
sudo , run:
As root or with sudo , run:
Note: If you get dnf: command not found , use yum
Tip: You need to run autogen.sh if you're not buildi
clamav.net. If so, visit the developer section to find o
run autogen.sh
Ubuntu / Debian
As root or with sudo , run:
apk update && apk add
`# install tools`
g++ gcc gdb make valgrind
`# install clamav dependencies`
bzip2-dev check-dev curl-dev json-c-dev libmi
linux-headers ncurses-dev openssl-dev pcre2-d
dnf install -y epel-release
dnf install -y dnf-plugins-core
dnf install -y https://dl.fedoraproject.org/pub
8.noarch.rpm
dnf config-manager --set-enabled PowerTools |
dnf config-manager --set-enabled powertools |
dnf install -y
`# install tools`
gcc gcc-c++ make valgrind
`# install clamav dependencies`
bzip2-devel check-devel json-c-devel libcurl-
ncurses-devel openssl-devel pcre2-devel sendm
Tip: You need to run autogen.sh if you're not buildi
clamav.net. If so, visit the developer section to find o
run autogen.sh
macOS
The following instructions require you to install HomeB
dependencies.
FreeBSD
As root or with sudo , run:
apt-get update && apt-get install -y
`# install tools`
gcc make pkg-config valgrind
`# install clamav dependencies`
check libbz2-dev libcurl4-openssl-dev libjson
libncurses5-dev libpcre2-dev libssl-dev libxm
# Install XCode's Command Line Tools
xcode-select --install
brew update
packages=(
# install tools
autoconf automake m4
# install clamav dependencies
bzip2 check curl-openssl json-c libxml2 ncurs
)
for item in "${packages[@]}"; do
brew install $item || true; brew upgrade $ite
done
pkg install -y
`# install tools`
gmake pkgconf
`# install clamav dependencies`
bzip2 check curl json-c libmilter libxml2 ncu
Adding new system user and grou
If installing to the system, and if you intend to run fre
should create a service account before compiling and i
Follow these steps to create a service account.
Download the source code
Download the source from the clamav.net downloads
Extract the archive:
Build ClamAV
First, make a "build" subdirectory. This will enable you
something goes wrong and you need to re-configure a
Note: The instructions in this page assume you're bu
[ver].tar.gz file. If you aren't, you may need to in
automake, m4, libtool, and pkg-config/pkgconfig/pkg
Next, select the build options you desire. For a full list o
To help you get started, here are some popular build c
tar xzf clamav-[ver].tar.gz
cd clamav-[ver]
mkdir build && cd build
../autogen.sh
../configure --help
The Default Build
The default build type is "RelWithDebInfo", that is "Rele
It will install to /usr/local .
A Linux Distribution-style Build
This build type mimics the layout you may be familiar w
Debian, Ubuntu, Alpine, and some other distributions.
debugging symbols, optimizations enabled) and will ins
be /etc/clamav and the database directory will be /v
Note: Setting ENABLE_JSON_SHARED=OFF is preferred,
0.15 or newer. If json-c 0.15+ is not available to you,
use the json-c shared library. But be warned that do
libclamav.so may crash if they also use a different
A Build for Development
With the following commands, ClamAV will be compile
optimizations disabled. It will install to an "install" subd
disabled so that sudo is not required for the install an
to the system.
../configure
make
make check VG=1
sudo make install
../configure \
    --prefix=/usr \
    --sysconfdir=/etc/clamav \
    --with-dbdir=/var/lib/clamav \
    --with-libjson-static=/path/to/libjson-c.a \
    --enable-milter
make
make check VG=1
sudo make install
About the tests
ClamAV's public test suite is run using make check . On
will enable extra tests that use Valgrind to check for lea
If a test fails, please report the issue on GitHub. You wi
tests in the build/unit_tests directory. The output fr
enough information, but if not it could be helpful to zip
the ticket.
Un-install
Run make uninstall to remove the installed files.
This will leave behind the directories, and will leave beh
including the signature databases and any config files.
files yourself.
Tip: You may need to use sudo , depending on wher
What now?
Now that ClamAV is installed, you will want to customiz
up some scanning automation and alerting mechanism
Continue on to "Configuration"...
CFLAGS="-Wall -Wextra -ggdb -O0" CXXFLAGS="-Wal
../configure
--prefix=`pwd`/install
--with-systemdsystemunitdir=no
make -j12
make check VG=1
sudo make install
Installing ClamAV on Wind
The following are instructions to build ClamAV version 0
Tip: If you wish to build ClamAV from source in Clam
have to use the Visual Studio solution, please see th
located in our source release materials on ClamAV.n
Installing ClamAV on Windows from Source
Install prerequisites
Building the library dependencies
Install Rust toolchain
Download the source code
Build ClamAV
Building with Mussels
Building the library dependencies
Building ClamAV
Building with vcpkg
Build the Installer
What now?
Note: Some of the dependencies are optional if you
command line applications, or elect to only build the
libcurl: required for libfreshclam, freshclam, clam
ncurses: required for clamdtop
For more information about customized builds and
skipped, please see the INSTALL.md document acco
Install prerequisites
The following commands for building on Windows a
At a minimum you will need:
Visual Studio 2015 or newer
CMake
The Rust programming language toolchain (for Cl
If you want to build the installer, you'll also need WiX T
If you're using Chocolatey, you can install CMake and W
If you're using Mussels to build the library dependenci
need to install Netwide Assembler (NASM) and ActiveP
using Chocolatey:
Then open a new terminal so that CMake and WiX will
Building the library dependencies
There are two options for building and supplying the li
Mussels and vcpkg.
Mussels is an open source project developed in-house
flexibility for defining your own collections (cookbooks
of solely relying on a centralized repository of ports. An
implement CMake build tooling for projects that don't
whatever build system is provided by the project. This
require installing additional tools, like NMake and Activ
CMake. The advantage is that you'll be building those p
developers intended, and that Mussels recipes are gen
some sharp edges because it's a newer and much sma
Vcpkg is an open source project developed by Microso
CMake projects. Vcpkg offers a very large collection of
may need to build. It is very easy to get started with vc
Mussels is the preferred tool to supply the library depe
the vcpkg Debug-build libclamav unit test heap-corrup
Details for how to use Mussels and vcpkg will be provi
(below), as the instructions differ significantly depend
Tip: Installing the Python 3 pytest package is also r
fail so that the test output is easy to read. You're wel
have Python 2's pytest installed but not Python 3's
You can install pytest by running:
choco install cmake wixtoolset
choco install nasm activeperl
Install Rust toolchain
Starting with ClamAV version 0.105, the Rust toolchain
can install the appropriate toolchain for your developm
instructions on the rustup website. This ensures that y
available at the time of installation; keep your toolchai
bug/security fixes by periodically executing: rustup up
Building ClamAV requires, at a minimum, Rust compile
introduced in the Rust 2021 Edition.
Download the source code
Download the source from the clamav.net downloads
Extract the archive. You should be able to right click on
that folder, do the same for the clamav-[ver].tar file
The rest of the instructions will assume you've opened
directory.
Build ClamAV
First, make a "build" subdirectory. This will enable you
something goes wrong and you need to re-configure a
Building with Mussels
Building the library dependencies with Mussels
Much like vcpkg , Mussels can be used to automaticall
dependencies. Unlike vcpkg , Mussels does not provid
automatically detect the library paths.
python3 -m pip install --user pytest
mkdir build && cd build
To build the library dependencies with Mussels, use Py
install Mussels:
Important: Always run mussels or msl in a small su
recursively search your current directory for YAML r
such as your home directory, this may take a long ti
Update the Mussels cookbooks to get the latest build r
to be trusted:
Use msl list if you wish to see the recipes provided b
To build with Mussels, you may need to install a few ex
the libraries. These include NASM and ActivePerl. See i
Build the clamav_deps recipe to compile ClamAV's libr
Mussels will install them to ~\.mussels\install\<targ
If this worked, you should be ready to build ClamAV.
Tip: You can also build for 32-bit systems, using msl
Building ClamAV
To configure the project, run the following, substituting "
Visual Studio version:
python3 -m pip install mussels
msl update
msl cookbook trust clamav
msl build clamav_deps
Tip: You have to drop the -A x64 arguments if you'
A win32 ) and substitute x64 with x86 in the library
Now, go ahead and build the project:
Tip: If you're having include-path issues when buildin
verbosity so you can verify that the paths are correc
You can run the test suite with ctest :
And you can install to the install (set above) like this
cmake .. -G "Visual Studio 16 2019" -A x64 `
-D JSONC_INCLUDE_DIR="$home\.mussels\install
-D JSONC_LIBRARY="$home\.mussels\install\x64
-D ENABLE_JSON_SHARED=OFF `
-D BZIP2_INCLUDE_DIR="$home\.mussels\install
-D BZIP2_LIBRARY_RELEASE="$home\.mussels\inst
-D CURL_INCLUDE_DIR="$home\.mussels\install\x
-D CURL_LIBRARY="$home\.mussels\install\x64\l
-D OPENSSL_ROOT_DIR="$home\.mussels\install\x
-D OPENSSL_INCLUDE_DIR="$home\.mussels\instal
-D OPENSSL_CRYPTO_LIBRARY="$home\.mussels\ins
-D OPENSSL_SSL_LIBRARY="$home\.mussels\instal
-D ZLIB_LIBRARY="$home\.mussels\install\x64\l
-D LIBXML2_INCLUDE_DIR="$home\.mussels\instal
-D LIBXML2_LIBRARY="$home\.mussels\install\x6
-D PCRE2_INCLUDE_DIR="$home\.mussels\install
-D PCRE2_LIBRARY="$home\.mussels\install\x64
-D CURSES_INCLUDE_DIR="$home\.mussels\install
-D CURSES_LIBRARY="$home\.mussels\install\x64
-D PThreadW32_INCLUDE_DIR="$home\.mussels\ins
-D PThreadW32_LIBRARY="$home\.mussels\install
-D ZLIB_INCLUDE_DIR="$home\.mussels\install\x
-D ZLIB_LIBRARY="$home\.mussels\install\x64\l
-D LIBCHECK_INCLUDE_DIR="$home\.mussels\insta
-D LIBCHECK_LIBRARY="$home\.mussels\install\x
-D CMAKE_INSTALL_PREFIX="install"
cmake --build . --config RelWithDebInfo
cmake --build . --config RelWithDebInfo -- /ver
ctest -C RelWithDebInfo
cmake --build . --config RelWithDebInfo --targe
Tip: For a full list of configuration options, see the "C
section of the INSTALL.md file included with the sou
Building with vcpkg
vcpkg can be used to build the ClamAV library depend
vcpkg integrates really well with CMake, enabling CMa
automatically, so you don't have to specify the include
when using Mussels.
DISCLAIMER: There is a known issue with the unit tes
Debug mode. When you run the libclamav unit tests
crash and a popup will claim there was heap corrup
kill the check_clamav.exe process, the rest of the te
not occur when using Mussels to supply the library d
the following lines in readdb.c resolves the heap co
check_clamav , but of course introduces a memory
If anyone has time to figure out the real cause of the
check_clamav , it would be greatly appreciated.
You'll need to install vcpkg. See the vcpkg README for
Once installed, set the variable $VCPKG_PATH to the loc
By default, CMake and vcpkg build for 32-bit. If you wa
VCPKG_DEFAULT_TRIPLET environment variable:
Next, use vcpkg to build the required library depende
if (engine->stats_data)
free(engine->stats_data);
$VCPKG_PATH="..." # Path to your vcpkg installa
$env:VCPKG_DEFAULT_TRIPLET="x64-windows"
& "$VCPKG_PATH\vcpkg" install 'curl[openssl]' '
'pthreads' 'zlib' 'pdcurses' 'bzip2' 'check'
Now configure the ClamAV build using the CMAKE_TOOL
enable CMake to automatically find the libraries we bu
Now, go ahead and build the project:
You can run the test suite with ctest :
And you can install to the install directory (set above
Build the Installer
To build the installer, you must have WIX Toolset instal
can install it simply with choco install wixtoolset a
WIX will be in your PATH.
What now?
Now that ClamAV is installed, you will want to customiz
up some scanning automation and alerting mechanism
Continue on to "Configuration"...
cmake .. -A x64 `
-D CMAKE_TOOLCHAIN_FILE="$VCPKG_PATH\scripts
-D CMAKE_INSTALL_PREFIX="install"
cmake --build . --config RelWithDebInfo
ctest -C RelWithDebInfo
cmake --build . --config RelWithDebInfo --targe
cpack -C RelWithDebInfo
Community Projects
Disclaimer: The software listed in this section is auth
the ClamAV Team. Compatibility may vary.
Signatures
The ClamAV Team provides FreshClam for ClamAV age
databases and provides CVD-Update for Private Mirror
content.
Both FreshClam and CVD-Update have some limited fe
third-party sources but community tools exist that are
provide a more complete experience for users that wa
WARNING: While there are no known vulnerabilities
and hash-based ClamAV signatures, bytecode signat
signatures are effectively cross-platform executable
(WASM) but with less sandboxing.
ClamScan and ClamD will not run unsigned bytecod
Talos' signing certificate is the only certificate truste
signatures.
Both ClamD and ClamScan have options to run unsi
should NEVER enable unsigned bytecode signatures
signatures from third-party sources or a malicious b
gain control of your systems.
ClamBC is a tool installed with ClamAV for testing by
NEVER be used to run signatures from an unknown
Fangfrisch
Fangfrisch (German for "freshly caught") is a sibling of
It allows downloading virus definition files that are not
Sanesecurity, URLhaus and others. Fangfrisch was des
by an unprivileged user only.
Detailed documentation is available online.
Get Fangfrisch
Mail Filters
ClamAV is popular for filtering mail. The ClamAV Team
filter for the Sendmail mail transfer agent and the Clam
variety of other tools to use ClamAV with different mai
Generic Mail Transfer Agents
amavisd-new | clamd, clamscan
amavisd-new is a high-performance interface between
virus scanners, and/or SpamAssassin. It is written in Pe
a significant price for speed. It talks to MTA via (E)SMTP
programs. Best with Postfix, fine with dual-sendmail se
sendmail/milter, or with any MTA as a SMTP relay. For
there is a patch in the distributed package.
amavisd-new is a rewritten version of Amavis and is m
ClamScan is enabled automatically if clamscan binary
ClamD is activated by uncommenting its entry in the @
/etc/amavisd.conf .
Get amavisd-new
Sendmail
MIMEDefang | clamscan, clamd
MIMEDefang is an efficient mail scanner for Sendmail/
Get MIMEDefang
Postfix
ClamSMTP | clamd
ClamSMTP is an SMTP filter for Postfix and other mail s
the ClamAV anti-virus software. It aims to be lightweigh
have a myriad of options. Written in C without major d
Get ClamSMTP
Clapf | libclamav
Clapf is a clamav based virus scanning and anti-spam c
Get clapf
Exim
Starting with release 4.50, Exim natively supports Clam
Get exim
Others
Mail Avenger | clamscan
Mail Avenger is a highly-configurable SMTP server. It al
transactions, before spooling messages in your local m
default policies for filtering mail, but individual users ca
creating avenger scripts in their home directories.
Get Mail Avenger
MailScanner | clamscan
MailScanner scans all e-mail for viruses, spam and atta
is not tied to any particular virus scanner, but can be u
different virus scanners, allowing sites to choose the b
Get Mail Scanner
Sagator | clamscan, clamd, libclamav
Sagator is an email antivirus/antispam gateway. Its mo
combination of antivirus/spamchecker according to co
Get Sagator
Courier-MTA | libclamav, clamavd
Courier MTA includes four filters.
courier-pythonfilter by Gordon Messner. Included in a
(libclamav with python)
Courier::Filter::Module::ClamAVd by Julian Mehnle. A Pe
using clamavd.
ClamCour by Tony Di Monaco. A C++ (with Boost) mult
avfilter by Alessandro Vesely. A C forking filter using lib
Get Courier-MTA
Haraka | clamd
Haraka is a robust MTA written in node.js, with a modu
control nearly every aspect of the SMTP conversation.
plugins, including a clamav plugin (docs, source) that fi
Haraka is attractive to two audiences:
1. Anyone managing mail systems with thousands o
incoming SMTP connections (like Craigslist) and w
servers.
2. Developers who need more control over mail rou
can be easily or efficiently handled with traditiona
Get Haraka
Web & FTP Tools
Clammit | clamd
Clammit is a proxy that will perform virus scans of files
multipart/form-data. If a virus exists, it will reject the re
the request is then forwarded to the application and it
direction.
As the name implies, Clammit offloads the virus detect
server (clamd).
Get Clammit
Clara
Serverless, real-time, ClamAV+Yara scanning for your S
Get Clara
bucket-antivirus-function
Scan new objects added to any s3 bucket using AWS La
Get bucket-antivirus-function
cdk-serverless-clamscan
An aws-cdk construct that uses ClamAV® to scan objec
construct provides a flexible interface for a system to a
virus scan.
Get cdk-serverless-clamscan
Antivirus for Amazon S3
A CloudFormation template to create an EC2 scanner c
Get Antivirus for Amazon S3
HAVP | libclamav
HAVP is a proxy with an antivirus filter. It does not cach
complete traffic is scanned. A reason for that is the cha
filetypes e.g. HTML (JavaScript) or Jpeg.
Get HAVP
mod_clamav | libclamav, clamd
mod_clamav is an Apache virus scanning filter. It was w
Andreas Müller. The project is very well documented a
Get mod_clamav
phpMussel | clamav
phpMussel is a PHP-based script based upon ClamAV s
viruses, malware and other threats within files uploade
is hooked. Written by Maikuolan
Get phpMussel
SpamAssassin - ClamAVPlugin | clamd
A ClamAV plugin for SpamAssassin 3.X
Get ClamAVPlugin
clamav-rest
Simple ClamAV REST proxy. Builds on top of clamav-jav
ClamAV.
Get clamav-rest
Filesystem & On-Access Scanning
Clam Sentinel
Clam Sentinel is a program that detects file system cha
added or modified using ClamWin. Require the installa
Windows 98/98SE/Me/2000/XP/Vista, Windows 7 and W
Get Clam Sentinel
ClamFS | clamd
ClamFS is a FUSE-based user-space file system for Linu
file scanning through clamd daemon (a file scanning se
Features:
Scans files using ClamAV
User-space file system (no kernel patches, modul
Based on libFUSE version 3 (until version 1.1.0 on
Implements all clamd scan modes: fname, fdpass
Supports remote clamd instances in stream mod
Caches scan results in a LRU cache with time-bas
Configuration stored in XML files
Supports ulockmgr
Sends mails to administrator when detects virus
Get ClamFS
Avfs | ClamAV
Avfs, a true on-access anti-virus file system that increm
infected data from being committed to disk. Avfs is a st
add virus detection to any other file system: Ext3, NFS,
that can prevent a virus from reaching the disk or auto
potentially infected files to allow safe recovery. Avfs ca
disk and isolate them from user processes.
Avfs uses a matching algorithm that is derived from Cla
scan time for larger signature sets. Though this project
used elsewhere, the research was really good work and
in the future.
More about Avfs
Mail User Agents
Claws Mail
Claws Mail is a user-friendly, lightweight, and fast emai
plugin for scanning received messages using ClamAV.
Get Claws Mail
Kmail | clamscan
Kmail is a fully-featured email client that fits nicely into t
supports attachment scanning with clamscan.
Get Kmail
Open Webmail modules | clamscan
Open WebMail by default can use ClamAV as the exter
messages fetched from pop3 servers or all incoming m
attachments is found to have virus, Open WebMail will
the VIRUS folder automatically.
Get Open Webmail
ClamAV Bindings
Rust
clamav-rs | libclamav
A safe Rust binding for libclamav. clamav-rs uses cla
Get clamav-rs
clamav-sys | libclamav
clamav-sys is a minimal Rust interface around libclama
used stand-alone, but only through its safe wrapper, cl
Get clamav-sys
rust-clamav | libclamav
Like clamav-rs, rust-clamav is a safe library for intera
low-level C API is wrapped in idiomatic and safe Rust co
Get rust-clamav
clamav-tcp | clamd
A simple to use TCP client for scanning files with ClamA
Rust crate for interacting with ClamD.
Get clamav-tcp
Perl
File::Scan::ClamAV | clamd
A Perl module for interacting with ClamD. File::Scan::Cl
Anti-Virus clamd service and send commands.
Get File::Scan::ClamAV
Ruby
Clamby | clamscan + freshclam
Ruby binding for scanning file uploads using ClamScan
and you do not scan the files for viruses then you not o
also the users of the software and their files. This gem'
file.
Get Clamby
ClamAV::Client | clamd
ClamAV::Client is a client library that can talk to the cla
Get ClamAV::Client
PHP
PHP ClamAV | clamd
PHP Client to connect to ClamAV daemon over TCP or
line and scan your storage files for viruses.
Get PHP ClamAV
PHP ClamAV Scan | clamd
A simple PHP class for scanning files using a LOCAL Cla
file or network socket (windows). Can either be used o
Codeigniter app as a library. The main reason this was
clamav module is not compatible with PHP 7 and all ot
drop in compatible with CodeIgniter or were designed
Get PHP ClamAV
Python
clamd | clamd
clamd is a portable Python module to use the ClamAV
MacOSX and other platforms. It requires a running inst
This is a fork of pyClamd v0.2.0 created by Philippe Lag
http://www.decalage.info/en/python/pyclamd which in
pyClamd v0.1.1 created by Alexandre Norman and pub
http://xael.org/norman/python/pyclamd/
Get clamd
Python ClamAV | libclamav
Python wrapper for libclamav using ctypes . Python C
project.
Get Python ClamAV
pyClamd | clamd
Add virus detection capabilities to your python softwar
Get pyClamd
Java
clamav-java
Simple ClamAV Java client. See also ClamAV REST servic
Get clamav-java
Miscellaneous Tools
IPCop | ClamAV
IPCop Linux is a complete Linux Distribution whose sol
it is installed on. ClamAV is included.
Get IPCop
Endian Firewall | ClamAV
Endian Firewall Community (EFW) is a turn-key Linux se
any bare-metal appliance into a full-featured Unified T
designed to be the easiest security product to install, c
Get Endian Firewall
ClamTK | ClamAV
ClamTk is a GUI front-end for ClamAV using gtk2-perl. I
demand scanner for Linux systems. ClamTk has been p
openSUSE, ALT Linux, Ubuntu, CentOS, Gentoo, Archlin
and others.
Get ClamTK
ClamAV-GUI | ClamAV
ClamAV-GUI is a GUI front-end for ClamAV using Qt. Th
corner where files and folders can be dragged and dro
brought to you by Joerg Zopes.
Get ClamAV-GUI
ClamWin | ClamAV
ClamWin is a Free Antivirus program for Microsoft Win
/ 98 and Windows Server 2012, 2008 and 2003.
Get ClamWin
Hydra Dragon Antivirus
Hydra Dragon Antivirus is a Python-based GUI program
Hydra Dragon Antivirus provides a very large (multi-gig
signatures and Yara rules. See the project readme to fi
set.
Get Hydra Dragon Antivirus
Add a service user accoun
If you're planning to run freshclam or clamd as a ser
should create a service account. The following instruct
account named "clamav" for both services, although yo
name for each if you wish.
Note: These instructions are mostly just for folks buildin
installed a package from your Linux/Unix distributio
account(s) for you.
Create a service user account (and
Linux / Unix
As root or with sudo, run:
    groupadd clamav
    useradd -g clamav -s /bin/false -c "Clam Antivi
If your operating system does not have the groupadd
system manual. Don’t forget to lock access to the ac
macOS
Prep by identifying an unused group id (gid), and an un
This command will display all current group PrimaryGr
    dscl . list /Groups PrimaryGroupID | tr -s ' '
This command will display all current user UniqueIDs:
    dscl . list /Users UniqueID | tr -s ' ' | sort
Then, these commands can be used to create the clam
    sudo dscl . create /Groups/clamav
    sudo dscl . create /Groups/clamav RealName "Cla
    sudo dscl . create /Groups/clamav gid 799
    sudo dscl . create /Users/clamav
    sudo dscl . create /Users/clamav RealName "Clam
    sudo dscl . create /Users/clamav UserShell /bin
    sudo dscl . create /Users/clamav UniqueID 599
    sudo dscl . create /Users/clamav PrimaryGroupID
About how the service accounts a
At present, the behavior differs slightly between clamd
freshclam will always switch to run as the "Data
account name is "clamav", or may be customized
setting in freshclam.conf.
clamd will only switch to run as the "User" user a
specified in clamd.conf. If you do not specify a "
continue to run as the root user! We may change
prevent clamd from being run as root.
Caution: We do not recommend running clamd as r
ClamAV scans untrusted files that may be malware. A
in clamd.conf if you plan to run clamd as a service
On Unix/Linux systems, freshclam and clamd will sw
start them as the root user, or using sudo. By default,
The purpose is t
If you are running freshclam and clamd as root or wi
configure with --disable-clamav, you will want to ens
specified in freshclam.conf owns the database direct
updates.
The user that clamd, clamdscan, and clamscan run a
- it merely needs read access to the database directory
If you choose to use the default clamav user to run fr
create the clamav group and the clamav user account t
After installation: Make the service
database directory
After you've installed ClamAV, you will want to make it
owned by the same service account as you're using for
As root or with sudo, run:
    sudo chown -R clamav:clamav /usr/local/share/cl
Or (if you customized the database path):
    chown -R clamav:clamav /var/lib/clamav/
Usage
Table Of Contents
Usage
Purpose
Daemon
Scanner
Signature Testing and Management
Configuration
Purpose
This user guide presents an overview of the various wa
the tools provided by ClamAV. To learn more about ho
that interests you, please follow the links provided.
Daemon
The ClamAV Daemon, or clamd , is a multi-threaded da
for viruses. ClamAV provides a number of tools which i
as follows:
clamdscan - a simple scanning client
on-access scanning - provides real-time protect
clamdtop - a resource monitoring interface for c
Scanner
ClamAV also provides a command-line tool for simple s
clamscan . Unlike the daemon, clamscan is not a pers
use cases where one-time scanning with minimal setup
Signature Testing and Managemen
A number of tools allow for testing and management o
following:
clambc - specifically for testing bytecode
sigtool - for general signature testing and analy
freshclam - used to update signature database s
Configuration
The more complex tools ClamAV provides each require
ClamAV supplies two example configuration files:
clamd.conf - for configuring the behavior of the
associated tools
freshclam.conf - for configuring the behavior o
freshclam
ClamAV also provides a mail filtering tool called clamav
clamd instance for mail scanning purposes.
Additionally, a tool called clamconf allows users to che
other tool, pulling information from the configuration fi
relevant information.
Configuration
Table Of Contents
Configuration
First Time Set-Up
Unix
Windows
Additional notes about the config
freshclam.conf
Other freshclam.conf settings
clamd.conf
Other clamd.conf settings
On-Access Scanning
clamav-milter.conf
Users and on user privileges
Configure SELinux for ClamAV
ClamConf
Next Steps
First Time Set-Up
Depending on your install method and your operating
may have been pre-configured. For example a clamav
will place configs in /etc/clamav .
However, it is likely that you will need to create new co
with custom settings that make the most sense for you
require you to create a freshclam.conf before you ca
before you can use ClamD, and a clamav-milter.conf
A default install from source will place the example con
Unix/Linux systems and in the install directory under c
examples demonstrate each of the options and may he
ClamAV to suit your needs. But again the location of th
how you installed ClamAV. To continue with the Ubunt
FreshClam config from an apt install in /usr/share
So if you're unsure where the example configs are on y
ClamConf to generate them.
Here are some quick steps to get you started.
Unix
Run these to generate example configs, if needed:
    clamconf -g freshclam.conf > freshclam.conf
    clamconf -g clamd.conf > clamd.conf
    clamconf -g clamav-milter.conf > clamav-milter.
Or if you have the examples already, copy them to dro
    cp freshclam.conf.example freshclam.conf
    cp clamd.conf.example clamd.conf
    cp clamav-milter.conf.example clamav-milter.con
Next up, edit the configs you need. There are tips below
clamd.conf, and clamav-milter.
Windows
In a PowerShell terminal in the install directory, perfor
Run:
    copy .\conf_examples\freshclam.conf.sample .\fr
    copy .\conf_examples\clamd.conf.sample .\clamd.
Run:
    write.exe .\freshclam.conf
WordPad will pop up. Delete the line that says "Examp
additional options to enable features or alter default b
Save the file and close WordPad.
Run:
    write.exe .\clamd.conf
WordPad will pop up. Delete the line that says "Examp
additional options to enable features or alter default b
Save the file and close WordPad.
Additional notes about the config files and databas
The install directory is but one of a few locations ClamA
signature databases.
Config files path search order:
1. The content of the registry key: "HKEY_LOCAL_MA
2. The directory where libclamav.dll is located: "C:\P
3. "C:\ClamAV"
Database files path search order:
1. The content of the registry key: "HKEY_LOCAL_MA
2. The directory "database" inside the directory whe
"C:\Program Files\ClamAV\database"
3. "C:\ClamAV\db"
freshclam.conf
freshclam is the automatic database update tool for C
work in two modes:
interactive - on demand from command line
daemon - silently in the background
freshclam is an advanced tool: it supports scripted up
whole CVD file at each update it only transfers the diffe
current database via a special script), database version
(with authentication), digital signatures and various err
Quick test: run freshclam (as superuser) with no pa
    freshclam
Tip: Depending on how you installed Freshclam and
ClamAV you're running, you may encounter errors t
See the Freshclam section of our FAQ for help!
If everything is OK you may create the log file in /var/lo
either by clamav or whichever user freshclam will be
    touch /var/log/freshclam.log
    chmod 600 /var/log/freshclam.log
    chown clamav /var/log/freshclam.log
Now you should edit the configuration file freshclam.c
directive to the log file. Finally, to run freshclam in the
    freshclam -d
The other way is to use the cron daemon. You have to
of root or clamav user:
    N * * * * /usr/local/bin/freshclam --quiet
to check for a new database every hour. N should be a
choice. Please don’t choose any multiple of 10, beca
clients using those time slots. Proxy settings are only
file and freshclam will require strict permission settin
HTTPProxyPassword is turned on.
    HTTPProxyServer myproxyserver.com
    HTTPProxyPort 1234
    HTTPProxyUsername myusername
    HTTPProxyPassword mypass
Other freshclam.conf settings
If your freshclam.conf was derived from the freshcl
many other options that are simply commented out. If
freshclam.conf.sample file, or on Linux/Unix systems
Take the time to look through the options. You can ena
the # comment characters.
Some popular options to enable include:
LogTime
LogRotate
NotifyClamd
DatabaseOwner
clamd.conf
Currently, ClamAV requires users to edit their clamd.c
the daemon. At a bare minimum, users will need to co
"Example", else clamd will consider the configuration
    # Comment or remove the line below.
    #Example
You will also need to rename clamd.conf.example to
    mv ./clamd.conf.example ./clamd.conf
If you are setting up a simple, local clamd instance the
of interest to you will be as follows:
    # Path to a local socket file the daemon will l
    # Default: disabled (must be specified by a use
    LocalSocket /tmp/clamd.socket
    ...
    # Sets the permissions on the unix socket to th
    # Default: disabled (socket is world accessible
    LocalSocketMode 660
Beyond that, clamd.conf is well commented and confi
If needed, you can find out even more about the forma
clamd.conf with the command:
    man clamd.conf
Other clamd.conf settings
If your clamd.conf was derived from the clamd.conf.
options that are simply commented out. If not, seek ou
Linux/Unix systems run man clamd.conf.
Take the time to look through the options. You can ena
the # comment characters.
Some popular options to enable include:
LogTime
LogClean
LogRotate
User
ScanOnAccess
OnAccessIncludePath
OnAccessExcludePath
OnAccessPrevention
On-Access Scanning
You can configure On-Access Scanning through clamd
Scanning starts in the second half of clamd.conf.samp
Settings". All options are grouped according to use and
those groupings. Please carefully read the explanation
use to you.
Also read the on-access section of the Usage manual fo
Scanning.
clamav-milter.conf
ClamAV includes a mail filtering tool called clamav-mil
clamd , and thus requires a working clamd instance to
configuration and log files are separate from that of cl
Ensuring ClamAV compiles with clamav-milter must b
command:
    ./configure [options] --enable-milter
This requires having the milter library installed on your
./configure will exit with this error message:
    checking for mi_stop in -lmilter... no
    configure: error: Cannot find libmilter
While not necessarily complicated, setting up the clama
Thus, we recommend consulting your MTA’s manual o
the clamav-milter.
Users and on user privileges
If you are running freshclam and clamd as root or wi
configure with --disable-clamav, you will want to ens
specified in freshclam.conf owns the database direct
updates.
The user that clamd, clamdscan, and clamscan run a
- it merely needs read access to the database directory
If you choose to use the default clamav user to run fr
create the clamav group and the clamav user account t
    groupadd clamav
    useradd -g clamav -s /bin/false -c "Clam Antivi
Finally, you will want to set user ownership of the data
    sudo chown -R clamav:clamav /usr/local/share/cl
Configure SELinux for ClamAV
Certain distributions (notably RedHat variants) when o
non-standard antivirus_can_scan_system SELinux op
clamd_can_scan_system.
At this time, libclamav only sets the clamd_can_scan_s
manually enable antivirus_can_scan_system. If you d
will log something like this when it tests the newly dow
    During database load : LibClamAV Warning: RWX m
    RWX Memory: Permission denied
To allow ClamAV to operate under SELinux, run the fol
    setsebool -P antivirus_can_scan_system 1
ClamConf
clamconf is a tool ClamAV provides for checking your
relates to your ClamAV installation. When run, it displa
ClamAV at compilation time, important OS details, the
clamd.conf and freshclam.conf, along with other im
and build information.
It can also generate example configuration files for cl
To use clamconf, and see all the information it provid
command:
    clamconf
For more detailed information on clamconf, run:
    clamconf --help
or on Unix systems:
    man clamconf
Next Steps
Now that you have the config file basics, it's time to lea
how to keep yours up-to-date.
Signature Testing and Ma
Table Of Contents
Signature Testing and Management
FreshClam
SigTool
ClamBC
Next Steps
Create your own signatures
Tip: The commands on Windows are generally the sa
.exe extension to run the ClamAV applications.
FreshClam
Before you can start the ClamAV scanning engine (usin
must first have ClamAV Virus Database (.cvd) file(s) inst
your system.
The tool freshclam is used to download and update C
databases. While easy to use in its base configuration,
freshclam.conf configuration file to run (the location
command line if the default search location does not fi
Once you have a valid configuration file, you can invok
command:
    freshclam
By default, freshclam will then attempt to connect to
distribution network. If no databases exist in the direct
fresh download of the requested databases. Otherwise
existing databases, pairing them against downloaded c
corrupted, it is not updated and instead replaced with
Of course, all this behavior--and more--can be changed
freshclam.conf and/or using various command line o
You can find more information about FreshClam with t
Unix/Linux:
    freshclam --help
Or (Unix/Linux only):
    man freshclam
Tip: Newer versions of FreshClam will create your da
already exist. Older versions won't, and may fail unl
Important: It is common on Ubuntu after a fresh inst
first time you use ClamAV:
    freshclam
    freshclam: error while loading shared librari
    open shared object file: No such file or di
You can fix this error by using ldconfig to rebuild t
    sudo ldconfig
If you are having issues updating the signature databa
the freshclam FAQ.
SigTool
ClamAV provides sigtool as a command-line testing t
creating and working with virus signatures. While sigto
signatures--of particular note, is sigtool's ability to help
a file detected by libclamav's virus signatures is a false
This can be accomplished by using the command:
    sigtool --unpack=FILE
Where FILE points to your virus signature databases. T
unpacking the database into the directory from which
search for the offending signature name (provided eith
clamd logs). As an example:
    grep "Win.Test.EICAR" ./*
Or, do all that in one step with:
    sigtool --find="Win.Test.EICAR"
This should give you the offending signature(s) in ques
part of your false positive report.
To learn more in depth information on how sigtool c
signatures and work with malicious (and non-malicious
online tutorials on the topic.
Otherwise, information on available sigtool functions c
    sigtool --help
Or (Unix/Linux only):
    man sigtool
ClamBC
clambc is Clam Anti-Virus’ bytecode signature testing t
crafted bytecode signatures or to help verify existing b
as expected.
For more detailed help, please use:
    clambc --help
Or (Unix/Linux only):
    man clambc
Next Steps
Now that you know more about FreshClam and tools t
it's time to run your first scan.
Create your own signatures
There is a whole community of malware researchers a
learn how to craft your own signatures, you can!
Scanning
Table Of Contents
Scanning
Daemon
ClamD
ClamDScan
ClamDTop
On-Access Scanning
ClamOnAcc (v0.102+)
ClamD (v0.101)
One-Time Scanning
ClamScan
Some basic scans
Process Memory Scanning
Disclaimers
Windows-specific Issues
Globbing
File paths
Socket and libclamav API Input
Tip: The commands on Windows are generally the sa
.exe extension to run the ClamAV applications.
Daemon
ClamD
clamd is a multi-threaded daemon that uses libclamav
behavior can be fully configured to fit most needs by m
As clamd requires a virus signature database to run, w
official signatures before running clamd using freshc
The daemon works by listening for commands on the s
Listening is supported over both unix local sockets and
IMPORTANT: clamd does not currently protect or aut
socket, meaning it will accept any and all of the followi
Thus, we strongly recommend following best networki
clamd instance. I.e. don't expose your TCP socket to th
Here is a quick list of the commands accepted by clam
PING
VERSION
RELOAD
SHUTDOWN
SCAN file/directory
RAWSCAN file/directory
CONTSCAN file/directory
MULTISCAN file/directory
ALLMATCHSCAN file/directory
INSTREAM
FILDES
STATS
IDSESSION, END
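What a client such as clamdscan puts on the socket for two of the commands listed above (PING and INSTREAM), as an added example that is not ClamAV's own code. The null-terminated `z` command form and the INSTREAM chunk framing follow the clamd manual page; the socket path is the LocalSocket value from this guide's sample configuration, and the function names and the sample reply are constructed for illustration.

```python
import socket
import struct

CLAMD_SOCKET = "/tmp/clamd.socket"  # LocalSocket value from the sample clamd.conf
CHUNK_SIZE = 8192                   # arbitrary; the total is capped by StreamMaxLength


def frame_instream(data, chunk_size=CHUNK_SIZE):
    """Return the bytes of one complete INSTREAM request for `data`.

    Wire format: the null-terminated command, then chunks of
    <4-byte big-endian length><payload>, closed by a zero-length chunk.
    """
    parts = [b"zINSTREAM\0"]
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        parts.append(struct.pack("!I", len(chunk)) + chunk)
    parts.append(struct.pack("!I", 0))
    return b"".join(parts)


def parse_reply(raw):
    """Map a clamd scan reply to (verdict, detail).

    Anything that is not an explicit OK or FOUND is reported as an error,
    so a caller never treats a failed scan as a clean file.
    """
    text = raw.rstrip(b"\0\n").decode("utf-8", "replace")
    result = text.split(": ", 1)[-1]  # drop the "stream: " prefix
    if result == "OK":
        return ("clean", None)
    if result.endswith(" FOUND"):
        return ("infected", result[:-len(" FOUND")])
    if result.endswith(" ERROR"):
        return ("error", result[:-len(" ERROR")])
    return ("error", text or "empty reply")


def read_reply(sock):
    """Read until the null terminator that ends the reply to a 'z' command."""
    buf = b""
    while not buf.endswith(b"\0"):
        part = sock.recv(4096)
        if not part:  # peer closed before finishing the reply
            break
        buf += part
    return buf


def scan_bytes(sock, data):
    """Stream `data` to clamd over a connected socket and return the verdict."""
    sock.sendall(frame_instream(data))
    return parse_reply(read_reply(sock))


def ping(sock):
    """Liveness check; outside an IDSESSION clamd closes the connection afterwards."""
    sock.sendall(b"zPING\0")
    return read_reply(sock) == b"PONG\0"


def connect_local(path=CLAMD_SOCKET, timeout=30.0):
    """Connect to clamd's unix socket (one connection per command)."""
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    sock.connect(path)
    return sock


if __name__ == "__main__":
    # Offline demo: a socketpair stands in for clamd, with a constructed reply.
    client, fake_clamd = socket.socketpair()
    fake_clamd.sendall(b"stream: Win.Test.EICAR FOUND\0")
    print(scan_bytes(client, b"constructed sample payload"))
    print(fake_clamd.recv(4096))  # the framed request as clamd would receive it
```

Against a real daemon, `scan_bytes(connect_local(), data)` issues the same request; the caller needs permission on the socket file, which is what LocalSocketMode controls.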
As with most ClamAV tools, you can find out more abo
    man clamd
The daemon also handles the following signals as so:
SIGTERM - perform a clean exit
SIGHUP - reopen the log file
SIGUSR2 - reload the database
It should be noted that clamd should not be started u
external tools which would start it as a background pro
which will load the database and then daemonize itself
in clamd.conf ). After that, clamd is ready to accept co
Once you have set up your configuration to your liking
sending commands to the daemon, running clamd its
command:
    clamd
ClamDScan
clamdscan is a clamd client, which greatly simplifies t
It sends commands to the clamd daemon across the s
generates a scan report after all requested scanning ha
Thus, to run clamdscan, you must have an instance
Please keep in mind, that as a simple scanning client, c
and engine configurations. These are tied to the clamd
set up in clamd.conf. Therefore, while clamdscan wil
as its sister tool clamscan, it will simply ignore most of
exists to make ClamAV engine configuration changes o
Again, running clamdscan, once you have a working c
    clamdscan [*options*] [*file/directory/-*]
ClamDTop
clamdtop is a tool to monitor one or multiple instance
interface, which shows each job queued, memory usag
signature database for the connected clamd instance(
connect to the local clamd as defined in clamd.conf.
clamd instances at the command line.
To learn more, use the commands
    man clamdtop
or
    clamdtop --help
On-Access Scanning
The ClamOnAcc application provides On-Access Scann
Scanning is a form of real-time protection that uses Cla
accessed.
ClamOnAcc (v0.102+)
ClamAV's On-Access Scanning ( clamonacc ) is a client th
alongside, but separately from the clamd instance. Th
preventing access to/from any malicious files it discove
from clamd --but by default it is configured to run in no
simply alert the user if a malicious file is detected, then
user may have specified at the command line, but it wi
reading or writing to that file.
Disclaimer: Enabling Prevention mode will seriously
commonly accessed directories.
Tip: You can run ClamOnAcc multiple times simultan
config. If you want to enable Prevention-mode for o
notify-only mode for any other monitored directorie
On-Access Scanning is primarily set up through clamd.
about all the configuration and command line options
Access Scanning User Guide.
Once you have set up the On-Access Scanner (and cla
to run clamd before you can start it. If your clamd ins
clamd as a user that is excluded (via OnAccessExcludeU
On-Access scanning events (e.g.) to prevent clamonacc
sends scan requests to clamd:
    su - clamav -c "/usr/local/bin/clamd
After the daemon is running, you can start the On-Acce
as root in order to utilize its kernel event detection and
    sudo clamonacc
It will run a number of startup checks to test for a sane
connect to clamd, and if everything checks out clamon
background and begin monitoring your system for eve
ClamD (v0.101)
In older versions, ClamAV's On-Access Scanner is a thre
instance. The On-Access Scanner is capable of blocking
discovers--based on the verdict it finds using the engin
it is configured to run in notify-only mode, which me
malicious file is detected, but it will not actively preven
that file.
On-Access Scanning is primarily set up through clamd.
about all the configuration and command line options
Access Scanning User Guide.
Once you have set up the On-Access Scanner to your li
elevated permissions to start it.
    sudo clamd
One-Time Scanning
ClamScan
clamscan is a command line tool which uses libclamav
viruses. Unlike clamdscan, clamscan does not require
function. Instead, clamscan will create a new engine a
time it is run. It will then scan the files and/or directorie
create a scan report, and exit.
By default, when loading databases, clamscan will che
installed the virus database signatures. This behavior,
and engine controls, can be modified by providing flag
line.
There are too many options to list all of them here. So
more interesting ones:
--log=FILE - save scan report to FILE
--database=FILE/DIR - load virus database from
from DIR
--official-db-only[=yes/no(*)] - only load offi
--max-filesize=#n - files larger than this will be
--max-scansize=#n - the maximum amount of d
--leave-temps[=yes/no(*)] - do not remove tem
--file-list=FILE - scan files from FILE
--quiet - only output error messages
--bell - sound bell on virus detection
--cross-fs[=yes(*)/no] - scan files and directo
--move=DIRECTORY - move infected files into DIRE
--copy=DIRECTORY - copy infected files into DIREC
--bytecode-timeout=N - set bytecode timeout (in
--heuristic-alerts[=yes(*)/no] - toggles heur
--alert-encrypted[=yes/no(*)] - alert on encry
--nocerts - disable authenticode certificate chai
--disable-cache - disable caching and cache ch
To learn more about the options available when using
    man clamscan
and
    clamscan --help
Otherwise, the general usage of clamscan is:
    clamscan [options] [file/directory/-]
Some basic scans
Run this to scan the files in the current directory:
    clamscan .
This will scan the current directory. At the end of the sc
notice in the clamscan output, it only scanned somethi
more files in subdirectories. By default, clamscan will o
Run this to scan all the files in the current directory:
    clamscan --recursive .
Run this to scan ALL the files on your system, it will tak
can cancel it at any time by pressing Ctrl-C:
Linux/Unix:
    clamscan --recursive /
Windows:
    clamscan.exe --recursive C:\
Process Memory Scanning
Note: This feature requires Windows and ClamAV ve
also be running ClamAV as Administrator.
clamscan and clamdscan are able to scan the virtual
processes. To do so, use the --memory option:
    clamscan --memory
The --kill and --unload options allow for killing/un
Disclaimers
Disclaimer: ClamAV doesn't have a "quick scan" mo
toolkit, not an endpoint security suite. It's up to you
system scan is going to take a long time with ClamAV
Disclaimer 2: ClamScan, ClamOnAcc, and ClamDSca
for deleting any file which alerts during a scan. This
you're monitoring an upload/downloads directory. F
want to have the wrong file accidentally deleted. Ins
perhaps just --copy and set up script with the Clam
you when something has been detected.
Windows-specific Issues
Globbing
Since the Windows command prompt doesn't take car
emulation of unix glob() is performed internally. It supp
File paths
Please always use the backslash as the path separator
are supported.
Socket and libclamav API Input
The Windows version of ClamAV requires all the input
This affects:
The API, notably the cl_scanfile() function
ClamD socket input, e.g. the commands SCAN , CO
ClamD socket output, i.e replies to the above que
For legacy reasons ANSI (i.e. CP_ACP ) input will still be
but with two important remarks:
1. Socket replies to ANSI queries will still be UTF-8 e
2. ANSI sequences which are also valid UTF-8 seque
As a side note, console output (stdin and stderr) will alw
redirected to a file.
On-Access Scanning
Purpose
This guide is for users interested in leveraging and und
Scanning feature. It will walk through how to set up an
through some common issues and their solutions.
Requirements
On-Access is only available on Linux systems. On Linux
version >= 3.8 . This is because it leverages a kernel a
from attempting to access malicious files. This prevent
offers stronger protection than a purely user-space so
For Versions >= 0.102.0
It also requires Curl version >= 7.45 to ensure sup
clamonacc. Users on Linux operating systems that pac
number of options:
1. Wait for your package maintainer to provide a ne
2. Install a newer version of libcurl from source.
3. Disable installation of clamonacc and On-Access
./configure flag --disable-clamonacc .
General Use
To use ClamAV's On-Access Scanner, operation will var
For Versions >= 0.102.0
You will need to run the clamd and clamonacc applica
to configure and run clamd . For instructions on how to
guide. One important thing to note while configuring c
the clamonacc application will connect to clamd using
LocalSocket or TCPAddr / TCPSocket . Another import
clamd.conf that specifies a LocalSocket, then clamd
the right permissions to scan the files you plan on inclu
Next, you will need to configure clamonacc. For a very
steps:
    1. Open `clamd.conf` for editing
    2. Specify the path(s) you would like to recurs
    `OnAccessIncludePath` option
    3. Set `OnAccessPrevention` to `yes`
    4. Check what username `clamd` is running under
    5. Set `OnAccessExcludeUname` to `clamd`'s unam
    6. Save your work and close `clamd.conf`
For slightly more nuanced configurations, which may b
please check out the recipe guide below.
Then, run clamonacc with elevated permissions:
    sudo clamonacc
If all went well, the On-Access scanner will fork to the b
protecting the path(s) specified with OnAccessIncludeP
eicar file into the specified path, and attempting to rea
will result in an "Operation not permitted" message, tr
access attempt at the kernel level.
Finally, you will have to restart both clamd and clamon
performance is not to your liking, and your system has
recommend increasing the values for the following cla
increase performance:
MaxQueue
MaxThreads
OnAccessMaxThreads
For Versions <= 0.101.x
You will only need to run the clamd application in olde
configure clamd for your environment. For instruction
configuration guide.
Next, you will need to configure On Access Scanning us
simple configuration follow these steps:
    1. Open `clamd.conf` for editing
    2. Set the `ScanOnAccess` option to `yes`
    3. Specify the path(s) you would like to recurs
    `OnAccessIncludePath` option
    4. Set `OnAccessPrevention` to `yes`
    5. Save your work and close `clamd.conf`
For slightly more nuanced configurations, which may b
please check out the recipe guide below.
Then, run clamd with elevated permissions:
    sudo clamd
If all went well, the On-Access scanner will fork to the b
protecting the path(s) specified with OnAccessIncludeP
eicar file into the specified path, and attempting to rea
will result in an "Operation not permitted" message, tr
access attempt at the kernel level.
Troubleshooting
Some OS distributors have disabled fanotify, despite ke
fanotify support on your kernel by running the comma
    cat /boot/config-<kernel_version> | grep FANOTI
You should see the following:
    CONFIG_FANOTIFY=y
    CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y
If you see this...
    CONFIG_FANOTIFY_ACCESS_PERMISSIONS is not set
... then ClamAV's On-Access Scanner will still function, s
normally in real time. However, it will be unable to bloc
We call this notify-only mode.
ClamAV's On-Access Scanning system uses a scheme c
Determination (DDD for short) which is a shorthand wa
every directory specified with OnAccessIncludePath d
time. It does this by leveraging inotify which by defa
points available for use by a process at any given time.
directory hierarchies, ClamAV may warn you that it has
watch-points (8192 by default). To increase the numbe
for use by ClamAV (to 524288), run the following comm
    echo 524288 | sudo tee -a /proc/sys/fs/inotify/
The OnAccessIncludePath option will not accept / as
works by blocking a process' access to a file until an acce
determination has been made by the original fanotify c
fanotify watch-points on the entire filesystem, key syst
blocked to key processes at the kernel level, which will
This restriction was made to prevent users from "shoo
clever users will find it's possible to circumvent this res
OnAccessIncludePath options to recursively protect m
better still, simply the paths they truly care about.
The OnAccessMountPath option uses a different fanoti
incompatible with OnAccessIncludePath and the DDD
point limitations will not be a concern when using this
means that the following options cannot be used in co
OnAccessExtraScanning - is built around catchin
OnAccessExcludePath - is built upon the DDD Sys
OnAccessPrevention - would lock up the system
OnAccessMountPath . If you need OnAccessPreven
OnAccessIncludePath instead of OnAccessMount
Configuration and Recipes
More nuanced behavior can be coerced from ClamAV's
modification to clamd.conf. Each option related to On
by looking for the OnAccess prefix pre-pended to each
contains descriptions of each option, along with any do
features.
Below are examples of common use cases, recipes for
and the expected behavioral result.
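The clamd.conf notes earlier in this guide (the Example line, the User setting, LocalSocketMode, the unauthenticated socket) and the on-access restrictions in Troubleshooting above (no `/` in OnAccessIncludePath, the options that cannot be combined with OnAccessMountPath) can be checked mechanically before clamd is started. The following is an added example, not one of the project's recipes or its code; the function names and both sample configurations are constructed, and the TCPSocket/TCPAddr check relies on clamd binding to all addresses when TCPAddr is unset.

```python
def parse_conf(text):
    """Return {option: [values]} for active lines; '#' lines and blanks are skipped."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        value = fields[1].strip().strip('"') if len(fields) > 1 else ""
        opts.setdefault(fields[0], []).append(value)
    return opts


def enabled(opts, name):
    """True when a boolean option is switched on (clamd accepts yes/true/1)."""
    return any(v.lower() in ("yes", "true", "1") for v in opts.get(name, []))


def audit_clamd_conf(text):
    """Return a list of (option, message) findings for one clamd.conf."""
    opts = parse_conf(text)
    findings = []

    def flag(option, message):
        findings.append((option, message))

    # Settings from the clamd.conf and service-account sections.
    if "Example" in opts:
        flag("Example", "line is still active; comment it out or clamd rejects the file")
    users = opts.get("User", [])
    if not users:
        flag("User", "not set: clamd started as root keeps running as root")
    elif users[-1] == "root":
        flag("User", "set to root: untrusted files would be parsed as root")
    if "LocalSocket" in opts and "LocalSocketMode" not in opts:
        flag("LocalSocketMode", "not set: the unix socket is world accessible")
    if "TCPSocket" in opts and "TCPAddr" not in opts:
        flag("TCPAddr", "not set: TCPSocket listens on every interface and "
                        "clamd does not authenticate commands")

    # Restrictions from the on-access Troubleshooting section.
    if any(p and p.rstrip("/") == "" for p in opts.get("OnAccessIncludePath", [])):
        flag("OnAccessIncludePath", "'/' is not accepted; list the paths you care about")
    if "OnAccessMountPath" in opts:
        clashes = [n for n in ("OnAccessExtraScanning", "OnAccessPrevention")
                   if enabled(opts, n)]
        if "OnAccessExcludePath" in opts:
            clashes.append("OnAccessExcludePath")
        if clashes:
            flag("OnAccessMountPath", "cannot be combined with " + ", ".join(clashes))
    if enabled(opts, "OnAccessPrevention"):
        excluded = opts.get("OnAccessExcludeUname", [])
        if not excluded:
            flag("OnAccessExcludeUname", "not set: exclude the user clamd runs as")
        elif users and users[-1] not in excluded:
            flag("OnAccessExcludeUname", "does not name the User clamd runs as")
    return findings


# Constructed sample configurations (not taken from a real system).
WEAK_CONF = """\
Example
LocalSocket /tmp/clamd.socket
TCPSocket 3310
OnAccessIncludePath /
OnAccessMountPath /home
OnAccessPrevention yes
"""

FIXED_CONF = """\
#Example
User clamav
LocalSocket /tmp/clamd.socket
LocalSocketMode 660
OnAccessIncludePath /home
OnAccessPrevention yes
OnAccessExcludeUname clamav
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(label)
        for option, message in audit_clamd_conf(conf) or [("-", "no findings")]:
            print("  %s: %s" % (option, message))
```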