Set up ClamAV Antivirus on Debian 12

In this tutorial, we want to teach you to Set up ClamAV Antivirus and Install ClamTK which is the graphical user interface for ClamAV on Debian 12.

ClamAV is a free and open-source command-line Antivirus. It can detect viruses, trojans, and malware.

ClamAV components Include:

  • clamd (ClamAV-daemon) – This daemon is mainly responsible for loading the virus database to memory when scanning starts.
  • freshclam (clamav-freshclam) – This daemon is used to update, download, and install the Virus signature database.
  • clamdscan – Tool to scan files and directories for viruses.
  • clamonacc – This daemon provides on-access scanner functionality for ClamAV.

Steps To Set up ClamAV Antivirus on Debian 12

To complete this guide, you must log in to your server as a non-root user with sudo privileges. To do this, you can follow our guide on Initial Server Setup with Debian 12 Bookworm.

Now follow the steps below to complete the ClamAV installation on Debian 12.

Step 1 – Install ClamAV Antivirus on Debian 12

ClamAV is available in the default Debian 12 repository. First, run the system update with the command below:

sudo apt update

Then, use the following command to install ClamAV packages on your server:

sudo apt install clamav clamav-daemon -y

Next, you can verify your ClamAV installation by checking its version:

clamscan -V
Output
ClamAV 1.0.1/26949/Sat Jun 24 03:28:32 2023

Step 2 – Check ClamAV Status on Debian 12

By default, clamav-freshclam service will be enabled and running. At this point, you can verify it by checking its status with the following command:

sudo systemctl status clamav-freshclam
Output
● clamav-freshclam.service - ClamAV virus database updater
     Loaded: loaded (/lib/systemd/system/clamav-freshclam.service; enabled; pre>
     Active: active (running) since Sun 2023-06-25 02:47:52 EDT; 3min 20s ago
       Docs: man:freshclam(1)
             man:freshclam.conf(5)
             https://docs.clamav.net/
   Main PID: 1411 (freshclam)
      Tasks: 1 (limit: 4653)
     Memory: 238.9M
        CPU: 33.994s
     CGroup: /system.slice/clamav-freshclam.service
...

Note: If the service is not started, run the following command to start the clamav-freshclam:

sudo systemctl start clamav-freshclam

Step 3 – Update ClamAV Signature Database for Viruses

At this point, you need to update the ClamAV Signature Database for Viruses. freshclam command is used to download and update ClamAV’s official virus signature databases.

First, stop the clamav-freshclam service by using the command below:

sudo systemctl stop clamav-freshclam

Then, download and update the database manually using the following command:

sudo freshclam

If you get the following output, then the database is updated:

Output
Sun Jun 25 02:54:18 2023 -> ClamAV update process started at Sun Jun 25 02:54:18 2023
Sun Jun 25 02:54:18 2023 -> daily.cvd database is up-to-date (version: 26949, sigs: 2037580, f-level: 90, builder: raynman)
Sun Jun 25 02:54:18 2023 -> main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
Sun Jun 25 02:54:18 2023 -> bytecode.cvd database is up-to-date (version: 334, sigs: 91, f-level: 90, builder: anvilleg)

At this point, you need to start your freshclam service again:

sudo systemctl start clamav-freshclam

Next, you need to start the clamav-daemon service to load database definitions to memory:

sudo systemctl start clamav-daemon

Finally, you can check the ClamAV logs in /var/log/clamav/clamav.log on Debian 12:

tail /var/log/clamav/clamav.log

Step 4 – How To Test ClamAV Antivirus Service?

At this point, we want to test the ClamAV service by downloading a test virus to /tmp directory and scanning by using the clamscan tool. To do this, run the following commands:

# cd /tmp
# wget http://www.eicar.org/download/eicar.com
# clamscan --infected --remove eicar.com
Output
/tmp/eicar.com: Win.Test.EICAR_HDB-1 FOUND
/tmp/eicar.com: Removed.

----------- SCAN SUMMARY -----------
Known viruses: 8669478
Engine version: 1.0.1
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 36.186 sec (0 m 36 s)
Start Date: 2023:06:25 02:58:39
End Date:   2023:06:25 02:59:15

Step 5 – How To Use ClamAV Antivirus from the Command Line?

ClamAV comes with many inbuilt tools, among which clamscan is the most important tool. Clamscan is a clamd client used to scan files.

Let’s see some examples of using ClamAV antivirus on Debian 12.

From your current directory, you can scan all the files by using the command below:

clamscan -r /

You can scan the files but only show the infected files. To do this, you can use the command below:

clamscan -r -i /[path-to-folder]

Also, you can scan infected files in a specific directory recursively and then remove them by using the command below:

clamscan --infected --remove --recursive /home/debian/Desktop/

The options used in the commands mean:

  • –infected: prints only infected files
  • –remove: removes infected files
  • –recursive: all directories and subdirectories in that path will be scanned

To scan your web server and everything in the standard Apache document root, you scan any suspicious files and unwanted applications with the following command:

sudo clamscan --infected --detect-pua=yes --recursive /var/www/html/

pua: Potential Unwanted Application.

You can scan files and send the results of infected files to a new results file by using the command below:

clamscan -r /[path-to-folder] | grep FOUND >> /[path-folder]/[file].txt

Also, you can scan and move infected files to a different directory path by running the command below:

clamscan -r --move=/[path-to-folder] /[path-to-quarantine-folder]

To get more help about ClamAV, you can use the command below:

clamscan -h

Or, you can visit the ClamAV Documentation page.

Step 6 – Where are ClamAV Configuration File and Log Files?

The ClamAV configuration file is located at /etc/clamav/clamd.conf. The configuration file allows us to set scanning behavior, user name for clamd daemon (by default daemon is run by ClamAV), exclude directories from scanning, and much more.

ClamAV logs are stored in /var/log/clamav/, which contains information about each virus scan.

Step 7 – Install ClamTK (ClamAV GUI) on Debian 12

If you are interested in using GUI instead of the command line, you can install ClamTK. ClamTK is a Graphical User Interface for a ClamAV software program.

To install ClamTK, you can use the following command:

sudo apt install clamtk -y

If you already have ClamAV installed on your system and need to upgrade it, use the command below:

sudo apt --only-upgrade install clamav clamav-daemon

After installing clamTK, open it and you will get a nice GUI with all options including Configuration, History, Updates, and Analysis.

ClamTK dashbaord

Conclusion

At this point, you have learned to Set up ClamAV Antivirus and Install ClamTK which is the graphical user interface for ClamAV on Debian 12. Also, you have learned to use ClamAV from the command line interface.

Hope you enjoy it. You may like these articles on the Orcacore website:

Configure Firewall with UFW on Debian 12 Bookworm

Install Nessus Scanner on Centos 7

Newsletter Updates

Enter your email address below and subscribe to our newsletter

Leave a Reply

Stay informed and not overwhelmed, subscribe now!