ClamAV Installation Guide on CentOS Stream 9: Complete Server Malware Protection

CentOS tutorial - IT technology blog

Why does Linux still need virus scanning?

Many administrators believe that Linux is immune to malware. In reality, I have handled many servers infected with XMRig coin-mining scripts or ransomware after SSH credentials were leaked. An outdated WordPress plugin is enough for a hacker to turn your server into a spam distribution hub. In these situations, ClamAV is the most powerful open-source tool for cleaning the system.

ClamAV doesn’t just scan system files. It is extremely effective if you operate a Mail Server or a File Server like Nextcloud. Currently, the ClamAV database has exceeded 8.5 million malware signatures. This article will guide you through deploying ClamAV on CentOS Stream 9 following real-world standards.

Three Core Components to Remember

To avoid confusion during configuration, you need to distinguish between these three concepts:

  • clamscan: A manual scanning tool. Each time it runs, it reloads the entire virus database into RAM, which is quite time-consuming.
  • freshclam: An automatic update service that downloads the latest virus signatures from Cisco’s servers.
  • clamd (Daemon): A background service. It keeps the virus database loaded in RAM so each scan starts instantly, which saves CPU when scanning a large number of files.

If your server has spare RAM (over 2GB), I recommend using clamd for the best performance.

Detailed Installation Steps

Step 1: Enable the EPEL Repository

ClamAV is not available in the default CentOS Stream 9 repositories. You need to install EPEL (Extra Packages for Enterprise Linux) before starting.

sudo dnf install epel-release -y
sudo dnf update -y

Step 2: Install ClamAV Packages

We will simultaneously install the scanning engine, the daemon service, and the data updater:

sudo dnf install clamav clamd clamav-update -y

Step 3: Configure SELinux (Important)

This is the main reason why ClamAV often reports Permission Denied even when running as root: SELinux confines the scanner independently of Unix privileges, and on CentOS Stream 9 it is enforced strictly. Run the following two commands to grant the scanner the access it needs:

sudo setsebool -P antivirus_can_scan_system 1
sudo setsebool -P clamd_use_jit 1

You can verify this with the command: getsebool -a | grep antivirus.

Step 4: Initial Virus Database Update

Before scanning, the system needs the latest data. The default configuration file at /etc/freshclam.conf is usually ready to use.

Trigger the update with the command:

sudo freshclam

If you encounter a 403 error, your IP might be rate-limited. Wait about 15 minutes and try again.

Step 5: Configure Clam Daemon (clamd)

For clamd to function, we need to edit the /etc/clamd.d/scan.conf file. Open the file with vi or nano and make two changes:

  • Remove the # from the line LocalSocket /run/clamd.scan/clamd.sock.
  • Ensure the Example line is commented out (add a # in front).

Enable the service at boot and start it immediately:

sudo systemctl enable clamd@scan --now

Practical Malware Scanning Techniques

Using clamscan for Web Directories

Suppose you suspect malware is located in the /var/www/html directory. Use the following command to perform a deep scan and only display problematic files:

clamscan -r -i /var/www/html

Parameter explanation:

  • -r: Scans recursively through subdirectories.
  • -i: Only prints infected files, making it easier to track.

Automation with Cronjob

Manual scanning is time-consuming. I usually set up a scan script to run at 2 AM every day. Create the file /etc/cron.daily/clamav_scan with the following content:

#!/bin/bash
# Directories to scan (space-separated) and the log file for this run.
SCAN_DIR="/home /var/www/html"
LOG_FILE="/var/log/clamav/daily_scan.log"
mkdir -p "$(dirname "$LOG_FILE")"   # make sure the log directory exists
# $SCAN_DIR is left unquoted on purpose so each directory becomes its own argument.
/usr/bin/clamscan -r -i $SCAN_DIR > "$LOG_FILE"

Remember to grant execution permissions: chmod +x /etc/cron.daily/clamav_scan.
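A fuller version of the daily job, as an added example that is not part of the original post; it covers both the clamscan usage above and the cron script. It prefers clamdscan when clamd@scan is running (the daemon already holds the signatures in RAM, as set up in Step 5) and falls back to clamscan -r -i, keeps one dated log per run, and turns the scanner's exit status into a verdict: both clamscan and clamdscan exit 0 when clean, 1 when something was found and 2 on error. SCAN_DIRS and LOG_DIR are this example's own variables, with defaults matching the post; the job starts only when the file is installed as /etc/cron.daily/clamav_scan, so the functions can be tested elsewhere.

```shell
#!/bin/sh
# Added example (not from the original post): daily ClamAV job with
# scanner selection, dated logs and exit-status handling.
set -u

SCAN_DIRS="${SCAN_DIRS:-/home /var/www/html}"   # space-separated, example's own default
LOG_DIR="${LOG_DIR:-/var/log/clamav}"            # example's own default

# Map a clamscan/clamdscan exit status to a one-word verdict.
scan_verdict() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# Count detections in scanner output read from stdin. With -i the scanners
# print one line per hit in the form "/path/file: Signature.Name FOUND".
count_found() {
    grep -c ': .* FOUND$' || true   # grep -c exits 1 when the count is 0
}

# Pick the scanner. clamdscan recurses into directories on its own, and
# --fdpass hands open file descriptors to clamd over the Unix socket from
# Step 5, so the daemon's own user does not need read access to the files.
pick_scanner() {
    if command -v clamdscan >/dev/null 2>&1 && systemctl is-active --quiet clamd@scan 2>/dev/null; then
        echo "clamdscan --fdpass -i"
    else
        echo "clamscan -r -i"
    fi
}

run_scan() {
    mkdir -p "$LOG_DIR"
    log="$LOG_DIR/scan-$(date +%F).log"
    scanner=$(pick_scanner)
    status=0
    # $scanner and $SCAN_DIRS are unquoted on purpose so each word is its own argument.
    $scanner $SCAN_DIRS > "$log" 2>&1 || status=$?
    verdict=$(scan_verdict "$status")
    found=$(count_found < "$log")
    logger -t clamav_scan "verdict=$verdict found=$found log=$log"
    # Output from a cron.daily job is mailed to root when cron/anacron mail is
    # configured, so stay silent on a clean run and speak up otherwise.
    [ "$verdict" = clean ] || echo "ClamAV daily scan: $verdict, $found file(s) flagged, details in $log" >&2
    return "$status"
}

case "${0##*/}" in
    clamav_scan) run_scan ;;
esac
```

The syslog line gives a detection system a single structured event per run (verdict, count, log path) to alert on, while the per-day log keeps the full list of flagged paths for follow-up; a non-zero exit status also lets whatever invokes the job distinguish "found something" from "the scanner itself failed".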

Notes on Performance and RAM

ClamAV is known to be a “RAM killer.” When loading the database, the clamd service can occupy between 1.2GB and 1.5GB of RAM. If your server only has 2GB of RAM, the system can easily hang due to OOM (Out Of Memory) errors.

My experience for low-spec servers:

  1. Do not run clamd in the background; only use clamscan when necessary.
  2. Always create a Swap file of at least 2GB to support virtual memory.
  3. Only scan critical directories instead of scanning the entire / drive.

Additionally, on CentOS Stream 9, the service name is clamd@scan. If you are copying scripts from old tutorials for CentOS 7, remember to update this name.

Conclusion

ClamAV is an extremely reliable layer of protection for Linux servers. While it cannot prevent 100% of sophisticated attacks, it remains the most effective malware filtering tool available today. Combine ClamAV with a solid Firewall to keep your system safe.
