Clamav and Centos 6: Part 1

I’m going to explain how to install the open source anti-virus software clamv on CentOS 6 systems. It will take two parts. In the first I will try to describe its subsystems, in the second I will provide an Ansible role to automate it.

Why clamav?

Well mostly because there isn’t much choice. I tried AVG’s product but it didn’t work. Plus it has even worse primary documentation than clamav–i.e., none! I wanted to try Bitdefender’s Linux version but they haven’t responded to the license request. If they ever do I’ll give it a try. That leaves clamav.

Even though it may not be necessary and at best only marginally effective, I want to install clamav as part of a layered approach to security. All my systems will have A/V as well as SELinux, auditd, iptables, and OSSEC (more articles on those coming soon). Plus, the automated CM tools will run regularly to reset any unwanted changes and I’ll throw in frequent scanning with Nessus and log mining with the Logstash/Elasticsearch/Kibana.

clamav Components

It is astonishingly hard to discover what the main components of clamav actually do. Their manual doesn’t say and Google links to a multitude of frequently wrong answers. I hope this will not be one of them. I have tried hard to get this right.

There are a bunch of clamav related packages in the EPEL repository. The key ones are:

  • clamd
  • clamav
  • clamav-db


clamd is the demon installed by the package of the same name. It is a service that runs constantly in the background, doing, I am pretty sure, absolutely nothing. You use another component called clamdscan to actually scan for viruses. clamdscan is not a demon which means you have to run it using cron. Apparently it sends files to clamd for actual testing.

I had a lot of trouble with this clamd/clamdscan duo so I don’t use them. I understand that for email scanning they may be a more efficient method. I use a commercial security appliance for this purpose so I didn’t test it.


freshclam is the application that updates your virus signature database. It can run as a normal application or as a demon. It has its own configuration file at /etc/freshclam.conf . Both the demon and non-demon version use this config file. I run freshclam through cron. I found the cron method easier to manage. One update per day is enough.


clamscan is the program that actually scans your drive for viruses. It is non-demonic so just right for cron. clamscan does not need clamd. It checks files against the database updated by freshclam.  To use it simply schedule it at a time when system use is low. Be sure to nice it in the cron file. clamscan has no configuration file so you must set all its parameters in the run command.

Minimal Install

A minimal install require:

  1. Install the clamav and clamav-db packages
  2. Configure the freshclam configuration file
  3. Add freshclam and clamscan to cron

That’s really all you need.

In part 2 I’ll show my Ansible script and tell you whether or not I could get the unofficial-sigs database working.

Categories: Security, Software

Tags: ,

Share Your Ideas

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: