How to Install ClamAV on CentOS 7

ClamAV is an open source antivirus tool. Its basic usage is for detecting viruses, malware, and malicious software on Linux-based machines.

ClamAV is an open source antivirus tool. Its basic usage is for detecting viruses, malware, and malicious software on Linux-based machines. The threat from viruses, Trojans, and other forms of malware is real. They have grown exponentially in both quantity and in sophistication, and antivirus software have had to adopt sophisticated detection methods.

While there’s no guarantee that your system will not fall victim to these unwanted bits of code, remaining mindful when using the Internet and sharing files, implementing common-sense security policies, and using an up-to-date antivirus program can go a long way in protecting you.

This article will show you how to install and configure ClamAV on CentOS / RHEL 7.

Install ClamAV

To install ClamAV on CentOS / RHEL 7, we need to install the EPEL repository:

# yum install epel-release

You can follow clamav official website to get the details of installing ClamAV on other distributions

Then we can install ClamAV with all its useful tools:

Now, we can install ClamAv on CentOS 7 by running the following command

yum -y install clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd

Congratulations,  you’ve successfully installed antivirus software on your server. We can move on the next step.

SELinux settings

SELinux is a security measure to protect some of the applied changes. If you want to use ClamAV with SELinux kernel module enabled you will need to change the following settings otherwise you will not be able to read some of your ClamAv files.

To do that, all you need to do is run the following commands:

setsebool -P antivirus_can_scan_system 1

setsebool -P clamd_use_jit 1

Run this delegation to confirm the changes:

getsebool -a | grep antivirus

You should have obtained the following result:

antivirus_can_scan_system – & gt; front

antivirus_use_jit – & gt; off

That’s it, ClamAV with SELinux is ready for use.

Configure ClamAV (AntiVirus)

To configure ClamAV first of all we need to remove the example configuration, so we can make our own configuration:

# sed -i '/^Example/d' /etc/clamd.d/scan.conf

After removing the example lines, we need to do some modifications to define the TCP server type and to define the user root to execute the antivirus:

# vim /etc/clamd.d/scan.conf

The value given with LocalSocket is the socket file used by the scanner daemon for communicating with outside processes.. We uncomment the following line:

LocalSocket /var/run/clamd.scan/clamd.sock

We add those two lines at the end of the file and save:

User root
LocalSocket /var/run/clamd.<SERVICE>/clamd.sock

To keep the ClamAV database up to date, we need to enable a tool called Freshclam. Therefore, we need to create a backup file from its configuration file:

# cp /etc/freshclam.conf /etc/freshclam.conf.bak

Freshclam reads its configuration from /etc/freshclam.conf. The file contains a line with the word Example to prevent users from using the defaults blindly and we must remove it or comment it out before we can use freshclam. The defaults settings are fine for our purposes and this is more of an annoyance than anything else, but it does force us to look at the file and see what behavior can be tweaked. Each directive is commented with an explanation and what the default behavior is.

# sed -i '/^Example/d' /etc/freshclam.conf

We need to run Freshclam to update the database manually and to check whether the configuration is successfully set:

# freshclam
ClamAV update process started at Tue Nov 6 15:51:59 2018
WARNING: Can't query
WARNING: Invalid DNS reply. Falling back to HTTP mode.
Reading CVD header (main.cvd): OK (IMS)
main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Reading CVD header (daily.cvd): OK
Downloading daily-25006.cdiff [100%]
Downloading daily-25092.cdiff [100%]
Downloading daily-25093.cdiff [100%]
Downloading daily-25094.cdiff [100%]
Downloading daily-25095.cdiff [100%]
daily.cld updated (version: 25095, sigs: 2143057, f-level: 63, builder: neo)
Reading CVD header (bytecode.cvd): OK
bytecode.cvd is up to date (version: 327, sigs: 91, f-level: 63, builder: neo)
Database updated (6709397 signatures) from (IP:

We can run freshclam any time we want to make sure the definition databases are up to date, but it would be inconvenient to have to always run it manually. When launched with the -d argument, freshclam will run in the daemon mode and periodically check for updates throughout the day (every two hours by default).

To keep things clean, we created a service file to run freshclam and registered it with systemd:

# vim /usr/lib/systemd/system/clam-freshclam.service

Then we put the following code inside the file and save it:

Description = freshclam scanner
After =

Type = forking
ExecStart = /usr/bin/freshclam -d -c 4
Restart = on-failure
PrivateTmp = true
RestartSec = 20sec


The [Unit] section defines the basic attributes of the service, such as its description and that it relies on a network connection. The [Service] section defines the service itself, ExecStart will run freshclam with the -d argument, Type lets systemd know that the process will fork and run in the background as a daemon, and Restart will have systemd monitor the service and restart it automatically if it crashes. The [Install] section defines how it will be linked when we run systemctl enable.

Reload the systemd daemon to refresh the changes

# systemctl daemon-reload

Next start and enable the freshclam service

 systemctl start clam-freshclam.service

# systemctl status clam-freshclam.service
● clam-freshclam.service - freshclam scanner
Loaded: loaded (/usr/lib/systemd/system/clam-freshclam.service; disabled; vendor preset: disabled)
Active: active (running) since Tue 2018-11-06 15:56:53 IST; 3s ago
Process: 7926 ExecStart=/usr/bin/freshclam -d -c 4 (code=exited, status=0/SUCCESS)
Main PID: 7927 (freshclam)
CGroup: /system.slice/clam-freshclam.service
└─7927 /usr/bin/freshclam -d -c 4

Nov 06 15:56:53 systemd[1]: Starting freshclam scanner...
Nov 06 15:56:53 systemd[1]: Started freshclam scanner.
Nov 06 15:56:53 freshclam[7927]: freshclam daemon 0.100.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Nov 06 15:56:53 freshclam[7927]: ClamAV update process started at Tue Nov 6 15:56:53 2018

If everything is running fine and there is no problem, we add it to the system startup service:

# systemctl enable clam-freshclam.service
Created symlink from /etc/systemd/system/ to /usr/lib/systemd/system/clam-freshclam.service.

Now again to configure ClamAV we need to create the ClamAV service file. We have an example service file that we need to copy into the system services folder. We need to change its name to something understandable. Then, we need to make some minor modifications to it:

# mv /usr/lib/systemd/system/[email protected] /usr/lib/systemd/system/clamd.service

Since we have changed the name, we need to change it at the file that uses this service as well:

# vim /usr/lib/systemd/system/[email protected]

We change the first line by removing @ to look like this:

.include /lib/systemd/system/clamd.service

At the same location, we need to change the Clamd service file:

# vim /usr/lib/systemd/system/clamd.service

We add the following lines at the end:


And we remove %i from both the Description and ExecStart options. Then we change them to look like the following:

Description = clamd scanner daemon
ExecStart = /usr/sbin/clamd -c /etc/clamd.d/scan.conf
Restart = on-failure

Next start the clamv service

# systemctl start clamd.service

# systemctl status clamd.service
● clamd.service - clamd scanner daemon
Loaded: loaded (/usr/lib/systemd/system/clamd.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2018-11-06 19:48:17 IST; 16s ago
Docs: man:clamd(8)
Process: 1460 ExecStart=/usr/sbin/clamd -c /etc/clamd.d/scan.conf (code=exited, status=0/SUCCESS)
Main PID: 1461 (clamd)
CGroup: /system.slice/clamd.service
└─1461 /usr/sbin/clamd -c /etc/clamd.d/scan.conf

Nov 06 19:48:15 clamd[1461]: ELF support enabled.
Nov 06 19:48:15 clamd[1461]: Mail files support enabled.
Nov 06 19:48:15 clamd[1461]: OLE2 support enabled.
Nov 06 19:48:15 clamd[1461]: PDF support enabled.
Nov 06 19:48:15 clamd[1461]: SWF support enabled.
Nov 06 19:48:15 clamd[1461]: HTML support enabled.
Nov 06 19:48:15 clamd[1461]: XMLDOCS support enabled.
Nov 06 19:48:15 clamd[1461]: HWP3 support enabled.
Nov 06 19:48:15 clamd[1461]: Self checking every 600 seconds.
Nov 06 19:48:17 systemd[1]: Started clamd scanner daemon.

If everything is fine then enable the clamd service


# systemctl enable clamd.service
Created symlink from /etc/systemd/system/ to /usr/lib/systemd/system/clamd.service.

For a test scan of the current folder, we run the following command:

# clamscan --infected --remove --recursive ./

----------- SCAN SUMMARY -----------
Known viruses: 6702413
Engine version: 0.100.2
Scanned directories: 7
Scanned files: 9
Infected files: 0
Data scanned: 0.01 MB
Data read: 0.00 MB (ratio 2.00:1)
Time: 25.439 sec (0 m 25 s)


Lastly I hope the steps from the article to configure ClamAV on RHEL / CentOS 7 Linux was helpful. So, let me know your suggestions and feedback using the comment section.


Subscribe to our newsletter
Sign up here to get the latest news, updates and special offers delivered directly to your inbox.
You can unsubscribe at any time

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Accept Read More