Installing and configuring ClamAV in Debian 9 and 10

ClamAV is a free, open-source antivirus program that, among other things, detects trojans, viruses, and malware on your VPS. In this tutorial, we show you how to install ClamAV in Debian 9 and Debian 10, make sure that ClamAV starts automatically, and have your VPS scanned daily.

Follow the steps in this article as a root user or user with root rights and connect to your VPS via SSH or the VPS console before continuing.


Installing ClamAV

 

The installation of ClamAV in Debian is straightforward and is done with the command:

apt -y install clamav

Do you want ClamAV to scan your VPS automatically and protect it against viruses in real time? Then also install the ClamAV daemon with the command below.

The daemon uses a fair amount of RAM (easily around 600 MB), so it is advisable to use at least an X4-VPS when you install the daemon. Alternatively, use only the basic version together with a cron job; see the cron job instructions later in this article.

apt install -y clamav-daemon

Updating the virus database

 

ClamAV comes with a tool called Freshclam to update the virus database of ClamAV. Freshclam automatically checks for virus database updates 24 times a day.

Freshclam runs automatically as a systemd service. Its current state can be checked with:

systemctl status clamav-freshclam

In Debian 9, Freshclam is not started automatically after the installation of ClamAV. You start Freshclam with the command:

systemctl start clamav-freshclam

 

Updating manually 

 

If you stop freshclam (with systemctl stop clamav-freshclam) and only want to update manually, use the command:

freshclam

If you use the above command while the freshclam service is still running, you will get the following error:

ERROR: /var/log/clamav/freshclam.log is locked by another process
ERROR: Problem with internal logger (UpdateLogFile = /var/log/clamav/freshclam.log).

Scanning your VPS automatically 

 

Automatic scanning with the ClamAV daemon

If you use the daemon version of ClamAV, the ClamAV daemon (ClamD) automatically runs as a service and will automatically start after a restart of your VPS.

ClamD does not protect your VPS in real time by itself. For that, it uses the additional On-Access Scanning feature. To enable it, first make some adjustments to the ClamD configuration:

 

Step 1

Open the ClamD configuration

nano /etc/clamav/clamd.conf

 

Step 2 

Add the following content at the bottom of the file (see the explanation below):

ScanOnAccess yes
OnAccessIncludePath /home
OnAccessIncludePath /etc
OnAccessIncludePath /var
OnAccessPrevention yes

  • ScanOnAccess yes: enables On-Access scanning.
  • OnAccessIncludePath: the folders defined here (/home, /etc and /var) are scanned recursively.
  • OnAccessPrevention yes: blocks access to infected files. If you use 'no', only a notification is logged and no action is taken.

There are other options, such as excluding folders with OnAccessExcludePath. More information on all available options and some use cases can be found in the ClamAV documentation.


 

Step 3

The changes only take effect once the clamav-daemon service has been stopped. So, stop it as follows:

systemctl stop clamav-daemon

Are you using Debian 10? If so, run the following two commands before proceeding. ClamAV executes the command in step 4 as the user 'clamav'. This user has no rights to the /var/run/ folder (which is a symbolic link to the /run folder) and therefore cannot create the folder or the socket file. The commands below solve this.

mkdir /run/clamav/
chmod 777 -R /run/clamav/

 

Step 4

Start ClamD first and then the associated service:

clamd
systemctl start clamav-daemon

It takes a moment for clamd to finish starting.

Debian 10: once these commands have run, the ownership of the files created in step 3 is set correctly. Revert the permission change from step 3 with:

chmod 755 -R /run/clamav/

 

Additional tips:

  • You can check the status of the ClamAV daemon with the command:
    systemctl status clamav-daemon
  • The log files can be found in:
    nano /var/log/clamav/clamav.log
  • Clamd has a resource monitor similar to top/htop. You use this with the command:
    clamdtop
  • If you get a message that inotify has exhausted the maximum number of watchpoints, you can raise the limit with:
    echo 524288 | sudo tee -a /proc/sys/fs/inotify/max_user_watches

 

Automatically scan your VPS with a cron job

At the beginning of this article, we indicated that the ClamAV daemon uses quite a bit of RAM. Alternatively, you can choose not to install the ClamAV daemon and instead create a cron job that automatically carries out the manual ClamAV scan (with a cron job, you create a task on your VPS that performs one or more commands at fixed times). This works as follows:

 

Step 1

Create a cronjob with the command:

crontab -e

 

Step 2

For example, give your cron job the following content:

SHELL=/bin/bash
HOME=/
0 */1 * * * date >> /var/log/clamav_log
0 */1 * * * clamscan --exclude-dir=/proc/* --exclude-dir=/sys/* -i -r / >> /var/log/clamav_log

In summary, the above does the following:

  • The cron job is executed every hour, on the hour (defined by 0 */1 * * *; the first field is the minute, so a * there would run the scan every minute). Do you prefer to scan daily at a specific time? For example, to scan at 18:00 every day you use 0 18 * * *. At https://crontab.guru/, you can see how to specify times in a cron job.
  • date >> /var/log/clamav_log: this part ensures that every time the cron job is executed, the date and time of the scan are written on a new line at the end of /var/log/clamav_log.
  • The clamscan command is explained in more detail under 'Manual scanning with ClamAV'. The addition >> /var/log/clamav_log causes the output to be written to /var/log/clamav_log (below the date and time). This way you can always look back at the scan results using cat /var/log/clamav_log | less.

Running the clamscan command will cause increased use of your hardware as long as the scan is running. Keep this in mind when determining the times at which you have the scan done.

If desired, you can remove the cronjob as follows (removing all crontabs):

crontab -r

or you can of course edit the existing cronjob with:

crontab -e

You can check your cronjob itself (without adjusting it) with:

crontab -l

Please note: if you use a custom log file directory rather than /var/log as above, do not forget to create it first (e.g. mkdir /var/log/siteupdates).
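As an added example (not part of the original article), the cron job above can be wrapped in a small script that creates the log directory, timestamps each run, records clamscan's exit status and lets you list what was found; the script name, log paths and the CLAMSCAN variable are assumptions.

```shell
#!/bin/sh
# Added example: wrapper for the clamscan cron job. Install it as, for instance,
# /usr/local/sbin/clamscan-cron.sh (assumed name) and call it from crontab as:
#   0 18 * * * /usr/local/sbin/clamscan-cron.sh --run /
set -u

LOG_DIR="${LOG_DIR:-/var/log/clamav}"              # assumed log directory
LOG_FILE="${LOG_FILE:-$LOG_DIR/clamscan_cron.log}"  # assumed log file
CLAMSCAN="${CLAMSCAN:-clamscan}"                    # scanner binary; overridable for tests

# clamscan exit codes (see clamscan(1)): 0 = no virus found, 1 = virus found, 2 = error
interpret_status() {
    case "$1" in
        0) echo "CLEAN" ;;
        1) echo "INFECTED" ;;
        2) echo "ERROR" ;;
        *) echo "UNKNOWN($1)" ;;
    esac
}

# Run the same scan as the article's cron line against $1 (default /), appending a
# start line, clamscan's own output and a result line to the log file.
run_scan() {
    target="${1:-/}"
    mkdir -p "$LOG_DIR"   # the article warns that a custom log directory must exist
    {
        echo "=== $(date '+%Y-%m-%d %H:%M:%S') scan of $target started"
        "$CLAMSCAN" --exclude-dir='/proc/*' --exclude-dir='/sys/*' -i -r "$target" \
            && status=0 || status=$?
        echo "=== $(date '+%Y-%m-%d %H:%M:%S') result: $(interpret_status "$status") (exit $status)"
    } >> "$LOG_FILE" 2>&1
    return "$status"
}

# Print every detection recorded in the log; clamscan reports "<path>: <signature> FOUND".
list_findings() {
    grep ' FOUND$' "$LOG_FILE" || true
}

if [ "${1:-}" = "--run" ]; then
    run_scan "${2:-/}"
fi
```

The result line makes a failed scan (exit 2, e.g. a missing database) distinguishable from a clean one in the log, which the bare cron line above does not.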


Scanning your VPS manually

 

Manual scanning with ClamAV

ClamAV only scans files that the executing user is allowed to read. Therefore, always scan as the root user, or use sudo.

For the manual version you use the command:

clamscan --exclude-dir=/proc/* --exclude-dir=/sys/* -i -r /

  • With the additions --exclude-dir=/proc/* and --exclude-dir=/sys/*, you make sure that ClamAV does not scan these folders. The /proc/ and /sys/ folders are virtual filesystems which, among other things, provide communication between the hardware and processes of your VPS and your OS.
  • -i (infected) ensures that only infected files are shown.
  • -r (recursive) ensures that all underlying folders are scanned.
  • / indicates that all folders of your VPS are scanned. You can also replace this with a specific folder, e.g. /etc/.

 

Manual scanning with ClamD 

You can also scan your OS manually with the ClamAV daemon, but it has fewer scan options than clamscan and is mainly intended to scan specific folders, not your entire OS at once. The syntax that you can use for this is:

clamdscan --fdpass -i /etc

  • --fdpass: the ClamAV daemon runs as the user clamav and has limited rights to folders. With --fdpass, clamdscan opens the files itself and passes the file descriptors to the daemon, so the scan can read everything the user running clamdscan can read. If you execute this command as the root user, clamdscan can thus scan all folders to which root has access.
  • -i (infected) ensures that only infected files are shown.
  • /etc indicates which folder you want to scan (recursively).

Scanning with ClamD uses the configuration in clamd.conf. You can edit this file to adjust the scanning to your own wishes:

nano /etc/clamav/clamd.conf

 

 

This concludes our tutorial on installing and using ClamAV in Debian 9 and 10. Should you have any questions left regarding this article, do not hesitate to contact our support department. You can reach them via the 'Contact Us' button at the bottom of this page.

If you want to discuss this article with other users, please leave a message under 'Comments'.
