ClamAV is a free antivirus, nowadays owned by Cisco and developed under the umbrella of the Talos Intelligence group. Don't be fooled by the word free: this is serious business. It supports a wide variety of operating systems, from Windows to Linux-based ones as well as FreeBSD. Many companies use other antivirus products, and for a long time those had one clear advantage over ClamAV: real-time protection. However, since release 0.99, back in 2015, ClamAV has incorporated an On-Access scanning feature, which makes it a far more interesting and appealing tool. In this how to install the ClamAV antivirus on CentOS 8 guide I'll demonstrate how to install the tool and enable the On-Access scanning capability.
Step 0. Enable the EPEL repository
As happens with some other tools on CentOS, one first needs to enable the EPEL repository. You can read about repository configuration in this other article, but for enabling EPEL now you can just use this command:
$ sudo dnf --enablerepo=extras install epel-release
Once the repository has been installed, refresh the package metadata and bring the system up to date. Note that this command upgrades every installed package, not only the repository information, so run it at a time when a full update is acceptable.
$ sudo dnf update -y
Now that the EPEL repository has been enabled and the system is up to date, I can install the ClamAV antivirus on CentOS 8.
Step 1. Install Clamav
$ sudo dnf install clamav clamav-update clamd -y
The command above installs three packages: clamav (the clamscan command-line scanner), clamav-update (the freshclam signature updater, which only updates automatically once its systemd service is enabled in Step 5) and clamd (the scanning daemon, which the on-access scanner in Step 6 talks to).
Step 2. Adjust SELinux
Now that ClamAV is installed, SELinux must be adjusted; otherwise freshclam will fail to update the databases and clamd will be blocked when it tries to read files outside its own directories. Setting the antivirus_can_scan_system boolean grants the antivirus domain that access, and the -P flag makes the change persistent across reboots.
$ sudo setsebool -P antivirus_can_scan_system 1
Use the command above and do not disable SELinux completely unless you have a good reason for that and know what you're doing. If a scan is still denied later, check the audit log (ausearch -m avc -ts recent) before loosening anything further.
Step 3. Get the antivirus signatures
To get the latest signatures, run freshclam once by hand before enabling its service.
$ sudo freshclam
freshclam downloads the databases (main, daily and bytecode) into /var/lib/clamav. clamd refuses to start without them, so make sure this step finishes without errors before moving on.
Step 4. Configure clamd
In order to make use of ClamAV a few configuration bits must be changed. First locate the 'LocalSocket' parameter in the /etc/clamd.d/scan.conf file and enable it. This is the UNIX socket clamd listens on, and the one clamdscan and clamonacc connect to.
The next command uncomments that line.
$ sudo sed -i 's/#LocalSocket \/run/LocalSocket \/run/g' /etc/clamd.d/scan.conf
Check the result: the LocalSocket line must now appear without the leading '#'. If grep shows it still commented, the stock line in your scan.conf differs from the pattern and sed silently changed nothing, so edit it by hand.
[albert@CentOS ~]$ grep -n 'LocalSocket' /etc/clamd.d/scan.conf
One note on the systemd unit before enabling it. /usr/lib/systemd/system/clamd@.service is a template unit: the '%i' in its description and in its ExecStart line (-c /etc/clamd.d/%i.conf) is replaced by the instance name, so the instance clamd@scan already reads /etc/clamd.d/scan.conf and nothing needs to be edited. If you do want to change the unit, do it with an override in /etc/systemd/system (sudo systemctl edit clamd@scan) rather than editing the file under /usr/lib/systemd, which the next package update will overwrite.
Step 5. Enable and start up the services for clamd and freshclam.
First we will enable the freshclam service with systemd.
$ sudo systemctl enable freshclam.service
After that we will start it up.
$ sudo systemctl start freshclam.service
To check how it’s running type this next one.
$ sudo systemctl status freshclam.service
If systemd reports that no such unit exists, check the name the package shipped with (systemctl list-unit-files | grep freshclam); some builds of clamav-update call it clamav-freshclam.service. With freshclam enabled and running, it is time to do the same with clamd.
To enable the clamd service type:
$ sudo systemctl enable clamd@scan.service
The part after the '@' is the instance name; 'scan' is what makes the unit load /etc/clamd.d/scan.conf, the file configured above.
Now I’ll start it up.
$ sudo systemctl start clamd@scan
To check the clamd service is up and running use the next command.
$ sudo systemctl status clamd@scan
We can now make use of the ClamAV antivirus and run scans at will. The developers' own documentation covers clamscan in detail; here are some simple examples.
$ sudo clamscan filename
Instead of files one can scan directories.
$ sudo clamscan -r directoryname
Flags can be used so ClamAV does not only scan for viruses but also takes specific actions on what it finds. clamscan's exit code tells you the outcome as well: 0 means nothing was found, 1 means at least one file was flagged and 2 means an error occurred, which is what to check in a cron job or script.
To remove found threats on the manual scan:
$ sudo clamscan --remove filename
$ sudo clamscan -r --remove directoryname
Other flags can be used to log the results:
$ sudo clamscan -r --log=/path/to/the/log
Or move the suspicious files to a quarantine directory:
$ sudo clamscan -r --move=/path/to/the/quarantine/directory
Prefer --move over --remove: a false positive on a deleted file is gone for good, while a quarantined one can be inspected and restored. The quarantine directory should be root-owned and not itself be under a scanned path, or the next scan will find the same files again. These actions are for the manual scanner; clamd itself never deletes or moves anything. For the on-access scanner the equivalent --move and --remove options are passed to clamonacc, as shown in the optional step below.
Now, this could be all on a regular how to install the Clamav antivirus on CentOS 8 guide. However as an extra, a very convenient one, I’m going to enable the On-Access module.
Step 6. Enable On-Access (Optional)
As already described above, ClamAV incorporates the On-Access scan feature, and this is interesting because with OnAccessPrevention enabled the tool blocks the open of an infected file, so it can be neither read nor written. Be aware of the cost: every open in a monitored path is held until clamd returns a verdict, so keep the include paths narrow and leave OnAccessMaxFileSize (5 MB by default) at a sensible value. The official instructions are in this link, but I'll post them here and explain a few extra bits.
First I will stop the clamav service.
$ sudo systemctl stop clamd@scan
Then I will enable the on-access module.
$ sudo sed -i 's/#OnAccessPrevention yes/OnAccessPrevention yes/g' /etc/clamd.d/scan.conf
The next configuration change is to set what has to be scanned. There are two entries already in the file, but they are commented out. Each path one wants monitored and scanned has to be declared on its own OnAccessIncludePath line.
If I want to scan my /home directory I will do this:
$ sudo sed -i 's/#OnAccessIncludePath \/home/OnAccessIncludePath \/home/g' /etc/clamd.d/scan.conf
But if I also want to scan my website folder, I will add an entry in the 'OnAccessInclude' section. To find the line one needs to edit, use the following command:
$ grep -n 'OnAccessInclude' /etc/clamd.d/scan.conf
Once you see where the section starts, edit the file and add a new line of the form OnAccessIncludePath followed by the directory of your website.
This will scan all the files and directories under that path.
Last but not least, I will exclude clamd's own user from on-access events so the daemon is not blocked by itself: clamd reads every file it scans, and without this exclusion each of those reads would generate yet another event. The stock line names the user 'clamav', but on CentOS 8 the daemon runs as 'clamscan' (the ps output at the end of the guide shows this), so the value is changed at the same time it is uncommented.
$ sudo sed -i 's/#OnAccessExcludeUname clamav/OnAccessExcludeUname clamscan/g' /etc/clamd.d/scan.conf
Now the On-Access scan has been minimally configured I can add a systemd entry so it starts up automatically after reboots.
First I create an empty file.
$ sudo touch /usr/lib/systemd/system/clamonacc.service
Now I add the following configuration block. The unit needs its [Unit], [Service] and [Install] sections to be complete, and the dependency must point at clamd@scan.service: on CentOS 8 there is no plain clamd.service, so an After=clamd.service line orders nothing.
[Unit]
Description=ClamAV On Access Scanner
Requires=clamd@scan.service
After=clamd@scan.service syslog.target network-online.target

[Service]
Type=simple
ExecStart=/usr/bin/clamonacc -F --log=/var/log/clamonacc --move=/tmp/clamav-quarantine
Restart=on-failure

[Install]
WantedBy=multi-user.target
clamonacc runs as root but hands the scanning to clamd, which runs as the unprivileged clamscan user. If the journal shows clamd failing to open files in your monitored directories, add --fdpass to the ExecStart line so clamonacc passes an already open descriptor instead of a path; and if clamonacc cannot find the daemon's configuration, point it at it with --config-file=/etc/clamd.d/scan.conf.
After this block has been placed the log file and the quarantine directory must be created.
For the log file I’ll use the following command:
$ sudo touch /var/log/clamonacc
For the quarantine directory (keep it outside every OnAccessIncludePath, otherwise the moved files will be scanned again):
$ sudo mkdir /tmp/clamav-quarantine
Note that /tmp is world-writable and CentOS 8 cleans old entries out of it with systemd-tmpfiles, so for anything beyond a test a root-owned directory with mode 0700 under /var, for example /var/lib/clamav/quarantine, is the better choice; if you change it here, change the --move path in the unit to match.
Before enabling this recently created entry on systemd let’s reload the tool.
$ sudo systemctl daemon-reload
Now I can enable the clamonacc.service so the On-Access scan capacity is systemd-aware. Or better said, systemd knows this exists and what to do with it.
$ sudo systemctl enable clamonacc.service
Because clamonacc depends on clamd and I stopped it before making these changes, I need to start it up again.
$ sudo systemctl start clamd@scan
Time to start the clamonacc.service service.
$ sudo systemctl start clamonacc.service
To check that all the Clamav antivirus services are up and running I will use this next command:
[albert@CentOS ~]$ ps -ef | grep clam
clamupd+ 1498 1 0 17:10 ? 00:00:00 /usr/bin/freshclam -d --foreground=true
clamscan 1526 1 0 17:11 ? 00:00:00 /usr/sbin/clamd -c /etc/clamd.d/scan.conf
root 1530 1 0 17:11 ? 00:00:00 /usr/bin/clamonacc -F --log=/var/log/clamonacc --move=/tmp/clamav-quarantine
clamscan 1578 1 99 17:13 ? 00:00:02 /usr/sbin/clamd -c /etc/clamd.d/scan.conf
albert 1608 1581 0 17:13 pts/0 00:00:00 grep --color=auto clam
ClamAV and its On-Access module are now installed and enabled. Expect one freshclam, one clamonacc and a single clamd process in that listing; if two clamd processes show up with the same -c /etc/clamd.d/scan.conf, two instances of the template unit were started (typically by mistyping the instance name), so stop the extra one and check systemctl status clamd@scan.
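Beyond looking at process listings, the test a practitioner wants is that something actually gets detected. The following is an added example, not code from the original guide or from the ClamAV project, that uses the EICAR test file: first through clamscan --move as in the manual scan examples earlier, then by dropping the file into an OnAccessIncludePath directory and checking that the on-access scanner either denies the read (OnAccessPrevention) or moves the file away (the --move option given to clamonacc). The directories are passed in by the caller and are assumed examples; the clamscan exit codes used (0 clean, 1 infected, 2 error) are those documented in clamscan(1), and 3 is this script's own code for "clamscan not installed".

```shell
#!/usr/bin/env bash
# Added example: end-to-end detection checks with the EICAR test file.
# Not code from the original guide or from the ClamAV project.
set -u

# The EICAR string is assembled from two halves so this script is not itself
# flagged when it sits on a scanned disk.
eicar_string() {
    printf '%s%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR' '-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
}

# manual_scan_check WORKDIR QUARANTINE: drop the test file into WORKDIR, run a
# recursive clamscan that moves hits to QUARANTINE, and turn the exit code into
# a verdict. Returns clamscan's exit code, or 3 (ours) if clamscan is missing.
manual_scan_check() {
    local work="$1" quarantine="$2" rc
    command -v clamscan >/dev/null 2>&1 || { echo "clamscan is not installed"; return 3; }
    mkdir -p "$work" "$quarantine" && chmod 700 "$quarantine"
    eicar_string > "$work/eicar.txt"
    clamscan -r --infected --move="$quarantine" "$work"
    rc=$?
    case $rc in
        0) echo "VERDICT: nothing detected; is the signature database present (freshclam)?" ;;
        1) echo "VERDICT: detected and moved to $quarantine:"; ls -l "$quarantine" ;;
        *) echo "VERDICT: clamscan failed with exit code $rc" ;;
    esac
    return "$rc"
}

# onaccess_check DIR: write the test file into a directory listed under
# OnAccessIncludePath and try to read it back. With OnAccessPrevention the open
# is denied (EPERM); with --move on clamonacc the file disappears instead.
# Returns 0 when either happened, 1 when the file was readable (not protected).
onaccess_check() {
    local dir="$1" f="$1/eicar-onaccess.txt"
    eicar_string > "$f"
    sleep 2                       # give clamonacc time to act on the new file
    if [ ! -e "$f" ]; then
        echo "on-access: file was moved to quarantine"; return 0
    elif ! cat "$f" >/dev/null 2>&1; then
        echo "on-access: read denied by OnAccessPrevention"; rm -f "$f"; return 0
    fi
    echo "on-access: file readable, $dir is NOT protected"; rm -f "$f"; return 1
}

# Usage: eicar-check.sh scan WORKDIR QUARANTINE   |   eicar-check.sh onaccess DIR
case "${1:-}" in
    scan)     manual_scan_check "$2" "$3" ;;
    onaccess) onaccess_check "$2" ;;
esac
```

Run the manual check as root with a scratch directory and a quarantine directory outside every monitored path (sudo ./eicar-check.sh scan /root/clamtest /var/lib/clamav/quarantine, paths being your own choice), and the on-access check as an ordinary user inside a monitored directory (./eicar-check.sh onaccess /home/albert). Both checks leave nothing behind except the quarantined copy, which you delete once you have seen it.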
To conclude this how to install the ClamAV antivirus on CentOS 8 guide, you are very welcome to test this same configuration using the script on my GitHub, or to tune it to best fit your needs.