Installing ClamAV on CentOS 7 and Using Freshclam

Install and Configure ClamAV on CentOS 7

Including the usage of Freshclam

 

To install ClamAV on CentOS, we have to use the EPEL repository (Extra Packages for Enterprise Linux). Fortunately, the Fedora project makes this easy to install. Unfortunately, the default configuration does not work properly. In this post we collect some of the issues and the required changes.

Let’s start with installing the EPEL support.

yum install epel-release

Next step is installing all ClamAV components.

yum install clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd

The output should be similar to:

[Screenshot: installing ClamAV on CentOS 7 with help of the EPEL repository]

Configure SELinux for ClamAV

If you are using ClamAV on CentOS together with SELinux, it needs some extra configuration. This way ClamAV can access all files on disk and update its data definition files.

Enable antivirus_can_scan_system:

setsebool -P antivirus_can_scan_system 1

[Screenshot: configuring SELinux for ClamAV]

If you don’t perform this step, Freshclam will log something like:

During database load : LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Permission denied

Configuration of Clam daemon

Copy the clamd.conf template, in case you don’t have a configuration file yet.

cp /usr/share/clamav/template/clamd.conf /etc/clamd.d/clamd.conf
sed -i '/^Example/d' /etc/clamd.d/clamd.conf

Edit the /etc/clamd.d/clamd.conf file and define whether you want to run the scanner as root or as a specific user. Check your /etc/passwd file for the related Clam user.

Change the following two options:

User clamscan
LocalSocket /var/run/clamd.<SERVICE>/clamd.sock
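
A pre-flight check for the settings above, as an added example that is not part of the original article: it lints a clamd.conf for a leftover Example line, a missing or root User, a missing listener, and an unfilled LocalSocket placeholder. The helper names are hypothetical and the sample config is constructed.

```shell
#!/bin/sh
# Added example: lint a clamd.conf for the mistakes discussed on this page.
# conf_value and check_clamd_conf are hypothetical helpers, not ClamAV tools.

# Print the value of the last active (uncommented) occurrence of a directive.
conf_value() {
    awk -v key="$1" '$1 == key { val = $2 } END { if (val != "") print val }' "$2"
}

# Print one FAIL line per problem, set PROBLEMS to the count,
# and return 0 only when the file is clean.
check_clamd_conf() {
    conf=$1
    PROBLEMS=0

    # The template's "Example" line must be gone. A sed command pasted with
    # typographic quotes fails and leaves it in place.
    if grep -q '^Example' "$conf"; then
        echo "FAIL: 'Example' line is still present"
        PROBLEMS=$((PROBLEMS + 1))
    fi

    # The daemon should run as a dedicated non-privileged account.
    user=$(conf_value User "$conf")
    if [ -z "$user" ] || [ "$user" = "root" ]; then
        echo "FAIL: User is '${user:-unset}', expected an account such as clamscan"
        PROBLEMS=$((PROBLEMS + 1))
    fi

    # clamd needs at least one listener (LocalSocket and/or TCPSocket).
    sock=$(conf_value LocalSocket "$conf")
    tcp=$(conf_value TCPSocket "$conf")
    if [ -z "$sock" ] && [ -z "$tcp" ]; then
        echo "FAIL: neither LocalSocket nor TCPSocket is defined"
        PROBLEMS=$((PROBLEMS + 1))
    fi

    # The template path carries a placeholder that has to be filled in.
    case $sock in
        *'<SERVICE>'*|*/clamd./*)
            echo "FAIL: LocalSocket still holds the template placeholder: $sock"
            PROBLEMS=$((PROBLEMS + 1)) ;;
    esac

    [ "$PROBLEMS" -eq 0 ]
}

# Constructed sample: the template state before any of the edits above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Comment or remove the line below.
Example
#LocalSocket /var/run/clamd.<SERVICE>/clamd.sock
#User <USER>
EOF
check_clamd_conf "$sample" || echo "$PROBLEMS problem(s) found in sample"
rm -f "$sample"
```

On a real host, call `check_clamd_conf /etc/clamd.d/clamd.conf` before starting the service.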

Enable Freshclam

Freshclam helps with keeping the database of ClamAV up-to-date. First delete the related “Example” line from /etc/freshclam.conf.

cp /etc/freshclam.conf /etc/freshclam.conf.bak
sed -i '/^Example/d' /etc/freshclam.conf

Check the other options in the file and change them to your preferred settings.

Missing systemd service file

We didn’t get a systemd service file, so we create a quick one here. The process should fork itself and start freshclam in daemon mode. In this case we configure it to check 4 times a day for new files.

Create a new file /usr/lib/systemd/system/clam-freshclam.service

# Run the freshclam as daemon
[Unit]
Description = freshclam scanner
After = network.target

[Service]
Type = forking
ExecStart = /usr/bin/freshclam -d -c 4
Restart = on-failure
PrivateTmp = true

[Install]
WantedBy=multi-user.target

Now enable and start the service.

systemctl enable clam-freshclam.service
systemctl start clam-freshclam.service

Check the status.

[root@centos7 system]# systemctl status clam-freshclam.service
clam-freshclam.service - freshclam scanner
Loaded: loaded (/usr/lib/systemd/system/clam-freshclam.service; enabled)
Active: active (running) since Thu 2015-06-11 11:09:24 CEST; 1s ago
Process: 3158 ExecStart=/usr/bin/freshclam -d -c 4 (code=exited, status=0/SUCCESS)
Main PID: 3159 (freshclam)
CGroup: /system.slice/clam-freshclam.service
└─3159 /usr/bin/freshclam -d -c 4

Change service files

By default, the service files seem to be messy and not working.

These are the files bundled:

[root@centos7 system]# ls -l /usr/lib/systemd/system/clam*
-rw-r--r--. 1 root root 136 Apr 29 20:38 /usr/lib/systemd/system/clamd@scan.service
-rw-r--r--. 1 root root 231 Apr 29 20:38 /usr/lib/systemd/system/clamd@.service

When enabling the clamd service, we would see something like this:

[root@centos7 system]# systemctl enable /usr/lib/systemd/system/clamd@.service
 Failed to issue method call: Unit /usr/lib/systemd/system/clamd@.service does not exist.

So let’s fix it. First rename the /usr/lib/systemd/system/clamd@.service file.

mv /usr/lib/systemd/system/clamd@.service /usr/lib/systemd/system/clamd.service

Now we have to change the clamd@scan service as well, as it refers to a non-existing file now. Change this line in /usr/lib/systemd/system/clamd@scan.service and remove the @ sign.

.include /lib/systemd/system/clamd@.service

Next step is changing the clamd service file /usr/lib/systemd/system/clamd.service

[Unit]
Description = clamd scanner daemon
After = syslog.target nss-lookup.target network.target

[Service]
Type = simple
ExecStart = /usr/sbin/clamd -c /etc/clamd.d/clamd.conf --foreground=yes
Restart = on-failure
PrivateTmp = true

[Install]
WantedBy=multi-user.target

Move into the directory.

cd /usr/lib/systemd/system

Start all services.

[root@centos7 system]# systemctl enable clamd.service
[root@centos7 system]# systemctl enable clamd@scan.service
[root@centos7 system]# systemctl start clamd.service
[root@centos7 system]# systemctl start clamd@scan.service

Checking the status

With all these changes, ClamAV on CentOS 7 should be running now. The easiest way to check is to use the ps command and see if freshclam and clamd are running.

Useful resources for debugging are the systemctl status command, followed by the service name. Then there is the logging in /var/log/messages, which usually reveals when and why something is (not) running.
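
The two checks described above, as an added example that is not part of the original article: one function counts clamd and freshclam processes per config file from ps output, the other counts the failure messages quoted on this page in a syslog file. Function names and cause labels are hypothetical, and the sample input is constructed.

```shell
#!/bin/sh
# Added example, not from the original article; function names are hypothetical.
# Both functions read text on stdin. On a live host feed them
# `ps -eo user,pid,args` and /var/log/messages.

# Count daemons per binary and, for clamd, per config file given with -c.
# A count above 1 for one config means two instances compete for one socket.
count_daemons() {
    awk '
        $3 ~ /\/(clamd|freshclam)$/ {
            conf = "-"
            if ($3 ~ /clamd$/) {
                for (i = 4; i < NF; i++)
                    if ($i == "-c") conf = $(i + 1)
            }
            n[$3 " " conf]++
        }
        END { for (k in n) print k, n[k] }
    ' | LC_ALL=C sort
}

# Count the failure messages quoted on this page, grouped by cause.
triage_log() {
    awk '
        /RWX mapping denied/                    { c["selinux-rwx-denied"]++ }
        /could not be bound: Permission denied/ { c["socket-dir-permission"]++ }
        /is in use by another process/          { c["socket-held-by-other-clamd"]++ }
        /Please define server type/             { c["no-listener-configured"]++ }
        /start request repeated too quickly/    { c["systemd-start-limit"]++ }
        END { for (k in c) print k, c[k] }
    ' | LC_ALL=C sort
}

# Constructed samples, modelled on the output formats shown on this page.
ps_sample=$(cat <<'EOF'
clamscan 4507 /usr/sbin/clamd -c /etc/clamd.d/clamd.conf --foreground=yes
clamscan 4522 /usr/sbin/clamd -c /etc/clamd.d/clamd.conf --foreground=yes
root 4555 grep --color=auto clam
clamupdate 7213 /usr/bin/freshclam -d -c 4
EOF
)
log_sample=$(cat <<'EOF'
Feb  1 14:24:16 host1 clamd[4906]: LOCAL: Socket file /var/run/clamd.scan/clamd.sock could not be bound: Permission denied
Feb  1 14:24:16 host1 clamd: ERROR: LOCAL: Socket file /var/run/clamd.scan/clamd.sock could not be bound: Permission denied
May 23 13:47:06 host1 clamd[21844]: LOCAL: Socket file /var/run/clamd.scan/clamd.sock is in use by another process.
Jul 28 09:13:10 host1 freshclam[12408]: During database load : LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Permission denied
Feb 14 21:52:10 host1 systemd[1]: start request repeated too quickly for clamd.service
May 23 13:47:06 host1 clamd[21871]: Reading databases from /var/lib/clamav
EOF
)

printf '%s\n' "$ps_sample" | count_daemons
printf '%s\n' "$log_sample" | triage_log
```

A clamd count of 2 for one config file together with socket-held-by-other-clamd matches what commenters on this page report after starting both clamd.service and clamd@scan.service.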

More tips? Leave them in the comments!

 


52 comments

  • Thx a lot for this article! I searched a lot to get clamd to work on CentOS 7!
    Nice greetings from Vienna!

    Reply
  • Azzinar

    Hi Mic,

    Thank you very much for your posting. I have done that sequence but I get an error

    “Jul 28 09:13:10 localhost.localdomain freshclam[12408]: During database load : LibClamAV Warning: RWX mapping denied: Can’t allocate RWX Memory: Permission denied”

    The error disappears after typing the command “setsebool -P clamd_use_jit on”

    Best regards / Azzinar

    Reply
  • Hi

    Every time I use this line sed -i ‘/^Example/d’ /etc/freshclam.conf the ‘ gets changed to . and it fails and if I use the correct character I get the same error

    Any idea?

    Reply
    • Copy the line manually in a text browser and replace the quotes with single ones. It might be due to WordPress.

      Reply
    • Emiliano A.

      You can use vim editor and remove this line with dd command

      Reply
  • Felipe

    Hi there!

    Very good tutorial! I’m a beginner in Linux but I could follow this almost complete…
    My doubts are:
    1. You said to change this to any user I want, but which should be better for security matters, root or clamscan?
    2. sed -i ‘/^Example/d’ /etc/clamd.d/clamd.conf (What should happen after using that command?)
    3. You said to change this: LocalSocket /var/run/clamd./clamd.sock. The point I did not understand is, change what and for what value in there?

    Thank you!

    Reply
    • Best is using a non-privileged user, to reduce the chance of attacks succeeding and having full permissions. The sed command will remove the “Example” line.
      The socket file should point to the right directory, which is determined by the service name in the related example.

      Did that help?

      Reply
      • Felipe

        Hi, thanks for the reply!

        To be honest, no XD

        Let me clarify…
        2. sed -i ‘/^Example/d’ /etc/clamd.d/clamd.conf (What should happen after using that command?)
        This command didn’t delete the Example (I think…)

        When I get to this point “LocalSocket /var/run/clamd./clamd.sock”, the problem is that I didn’t understand what should be changed there and under /var/run the only folder about clam is clamd.scan which there is nothing inside. It means that that socket file doesn’t exist.

        Until now that are my problems! :/

        As you can see I’m a newbie… trying to learn XD

        Reply
  • Robert Nadon

    As per above, just add this line:
    LocalSocket /var/run/clamd.scan/clamd.sock

    It will create your clamd.sock

    Reply
  • Amy Tebbe

    Thanks for the directions. I was able to get it working, however, I end up with 2 clamd processes running:

    # ps -ef|grep clam
    clamupd+ 11639 1 0 Nov23 ? 00:00:10 /usr/bin/freshclam -d -c 4
    clamscan 25171 1 1 09:42 ? 00:00:17 /usr/sbin/clamd -c /etc/clamd.dclamd.conf --nofork=yes
    clamscan 26210 1 99 10:02 ? 00:00:04 /usr/sbin/clamd -c /etc/clamd.dclamd.conf --nofork=yes

    stopping clamd.service will kill one and I can manually kill -9 the other process, but it always restarts another process.

    Any idea why I’m getting 2 clamd processes? Thanks.

    Reply
  • mailpop3

    Hi All,
    Thanks to Michael Boelen for this training

    Reply to friends about the following problem:
    #LocalSocket /var/run/clamd./clamd.sock

    1) Please first run the command:
    # ls -la /var/run/

    2) Now find the following folder clamd.???
    drwx--x---. 2 clamscan clamscan 80 Feb 01 10:27 clamd.scan

    3) Open the file /etc/clamd.d/clamd.conf

    4) Find the line: #LocalSocket /var/run/clamd./clamd.sock
    5) Now change to: LocalSocket /var/run/clamd.scan/clamd.sock

    Thanks.

    Reply
  • Amy Tsui

    I am not sure why you would need to change the name of /usr/lib/systemd/system/clamd@.service
    I assume this is a subprocess that is called when /usr/lib/systemd/system/clamd@scan.service is started

    You would run into no error if you enable and start /usr/lib/systemd/system/clamd@scan.service without renaming clamd@.service

    Thank you for your article. It was helpful.

    Reply
  • Amy Tsui

    if you do:

    systemctl list-unit-files --type=service

    you will see:

    ….
    clamd@.service static
    clamd@scan.service enabled
    …..

    In particular, “static” means “enabled because something else wants it”. Think by analogy to pacman’s package install reasons:
    enabled :: explicitly installed
    static :: installed as dependency
    disabled :: not installed

    So you should not need to change or enable the clamd@.service

    The dependency will just work if you enable and start clamd@scan.service

    Reply
  • Theo

    Nice work. Got me up and running. I wouldn’t mind a little more at the end with a few basic commands or to know if we are all set on a reboot to auto-start, how I will know if a virus is detected and such. But I can break out the manual. Their install instructions were all kinds of wrong so glad your post was here.

    Reply
    • Great to be of help here and good feedback. Let’s help others: can you share the commands you used (after you got things set up)? Then I will add them to the article!

      Reply
  • Chad Vondra

    I am dealing with a constant error when the service starts. I have touched clamd.sock then chown’d the directory and the socket to clamupdate:clamupdate. Immediately after I do that it loads properly. However, upon reboot when it fixes the stale socket the service fails to start again until I re-touch and chown. Any suggestions would be great!

    Feb 1 14:24:01 mail clamd[4906]: Log file size limited to 1048576 bytes.
    Feb 1 14:24:01 mail clamd[4906]: Reading databases from /var/lib/clamav
    Feb 1 14:24:01 mail clamd[4906]: Not loading PUA signatures.
    Feb 1 14:24:01 mail clamd[4906]: Bytecode: Security mode set to “TrustSigned”.
    Feb 1 14:24:14 mail clamd[4906]: Loaded 4244905 signatures.
    Feb 1 14:24:16 mail clamd[4906]: LOCAL: Socket file /var/run/clamd.scan/clamd.sock could not be bound: Permission denied
    Feb 1 14:24:16 mail clamd: ERROR: LOCAL: Socket file /var/run/clamd.scan/clamd.sock could not be bound: Permission denied
    Feb 1 14:24:16 mail systemd: clamd.service: main process exited, code=exited, status=1/FAILURE
    Feb 1 14:24:16 mail systemd: Unit clamd.service entered failed state.

    Reply
    • Check if your temporary directory is properly created via a file in /etc/tmpfiles.d/.

      You could try to force it in your service file:
      ExecStartPre=/bin/mkdir -p /var/run/clamd.scan
      ExecStartPre=/bin/chown -R clamuser:clamgroup /var/run/clamd.scan

      Reply
      • Karbas

        Have the same problem. Unfortunately forcing directory creation and owner change with ExecStartPre didn’t change much. Have noticed, when I manually launch /usr/sbin/clamd -c /etc/clamd.d/clamd.conf --nofork=yes – clamd starts without any errors and socket file is created.

        /etc/clamd.d/clamd.conf has the following options active:
        LogSyslog yes
        LocalSocket /var/run/clamd/clamd.sock
        User clamscan
        AllowSupplementaryGroups yes

        ls -la /var/run/clamd
        total 0
        drwxr-xr-x. 2 clamscan clamscan 40 Apr 13 11:30 .
        drwxr-xr-x. 28 root root 800 Apr 11 16:18 ..

        Any ideas?

        Reply
        • Laura

          I have the same problem. It is annoying. Did you manage to fix this? Thanks.

          Reply
  • Temir

    Hi, when I change line #LocalSocket /var/run/clamd./clamd.sock to:
    LocalSocket /var/run/clamd.scan/clamd.sock
    I get this error “clamd: ERROR: LOCAL: Socket file /var/run/clamd.scan/clamd.sock is in use by another process.”

    Can you tell me where I could have made a mistake?

    Reply
    • Easiest step to validate this is using the lsof utility and see what process keeps it open. Let us know when you found it, so it might help others as well.

      Reply
    • ExtraCheesePls

      If it helps… I just fixed this with killall clamd, then systemctl restart clamd.

      Reply
      • Randall Sindlinger

        It seems the `killall` followed by `systemctl restart clamd` fixes things because there were 2 instances of clamd trying to run. The second one is the one that keeps failing and trying to start.
        After I did the initial `systemctl start` commands as suggested in the main article, ps showed two running clamd’s:
        # ps -aef | grep clam
        clamscan 4507 1 88 10:31 ? 00:00:22 /usr/sbin/clamd -c /etc/clamd.d/clamd.conf --foreground=yes
        clamscan 4522 1 98 10:32 ? 00:00:18 /usr/sbin/clamd -c /etc/clamd.d/clamd.conf --foreground=yes
        root 4555 7049 0 10:32 pts/10 00:00:00 grep --color=auto clam
        clamupd+ 7213 1 0 May22 ? 00:00:09 /usr/bin/freshclam -d -c 4

        Later, when I did the `killall`, `tail /var/log/messages` showed:
        May 23 13:47:06 gs619-g001189 clamd[21844]: LOCAL: Socket file /var/run/clamd.scan/clamd.sock is in use by another process.
        May 23 13:47:06 gs619-g001189 clamd: ERROR: LOCAL: Socket file /var/run/clamd.scan/clamd.sock is in use by another process.
        May 23 13:47:06 gs619-g001189 systemd: clamd@scan.service: main process exited, code=exited, status=1/FAILURE
        May 23 13:47:06 gs619-g001189 systemd: Unit clamd@scan.service entered failed state.
        May 23 13:47:06 gs619-g001189 systemd: clamd@scan.service failed.
        May 23 13:47:06 gs619-g001189 systemd: clamd@scan.service holdoff time over, scheduling restart.
        May 23 13:47:06 gs619-g001189 systemd: Stopped Generic clamav scanner daemon.
        May 23 13:47:06 gs619-g001189 systemd: Started Generic clamav scanner daemon.
        May 23 13:47:06 gs619-g001189 clamd[21871]: Received 0 file descriptor(s) from systemd.
        May 23 13:47:06 gs619-g001189 clamd[21871]: clamd daemon 0.101.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
        May 23 13:47:06 gs619-g001189 clamd[21871]: Running as user clamscan (UID 982, GID 973)
        May 23 13:47:06 gs619-g001189 clamd[21871]: Log file size limited to 1048576 bytes.
        May 23 13:47:06 gs619-g001189 clamd[21871]: Reading databases from /var/lib/clamav
        May 23 13:47:06 gs619-g001189 clamd[21871]: Not loading PUA signatures.
        May 23 13:47:06 gs619-g001189 clamd[21871]: Bytecode: Security mode set to “TrustSigned”.
        May 23 13:47:14 gs619-g001189 clamd: --- Stopped at Thu May 23 13:47:14 2019
        May 23 13:47:14 gs619-g001189 clamd: Socket file removed.
        May 23 13:47:14 gs619-g001189 clamd[4507]: --- Stopped at Thu May 23 13:47:14 2019
        May 23 13:47:14 gs619-g001189 clamd[4507]: Socket file removed.

        In particular, note that last PID of 4507 – it’s the same PID that had been running since the first `ps`. The other PID kept changing (most recently 21871) as it kept failing on the socket file and restarting (under a new PID)

        I suspect the problem is rooted in doing both starts as directed in the article:
        [root@centos7 system]# systemctl start clamd.service
        [root@centos7 system]# systemctl start clamd@scan.service
        If so, that makes the explicit `start` of the `clamd@scan.service` superfluous.

        Reply
  • Hi, thank you so much for this great article! I have the following question:

    How would I configure clamav to automatically kick off a weekly virus scan of the entire hard drive?

    Thanks in advance!

    Reply
  • Hello ~ thank you for this great article.

    Now that I have all 3 services up and running, is it possible for me to create an automated weekly scan of the full hard drive (or at least the important areas of the drive)?

    Thank you!

    Reply
    • Hi Jason. Sure, you could run the clamscan utility to do a full system scan. Add it to your cronjobs (or timers).

      Reply
  • Robert

    The freshclam works fine, but when I follow the instructions above here for clamd, it won’t start. When I call the status with: systemctl status clamd.service I see the following:

    |root@centos72.testdomain.com > /usr/lib/systemd/system |->systemctl status clamd.service
    ● clamd.service - clamd scanner daemon
    Loaded: loaded (/usr/lib/systemd/system/clamd.service; enabled; vendor preset: disabled)
    Active: failed (Result: start-limit) since Sun 2016-02-14 21:52:10 CET; 6min ago
    Process: 16999 ExecStart=/usr/sbin/clamd -c /etc/clamd.d/clamd.conf --nofork=yes (code=exited, status=1/FAILURE)
    Main PID: 16999 (code=exited, status=1/FAILURE)

    Feb 14 21:52:10 centos72.testdomain.com systemd[1]: Unit clamd.service entered failed state.
    Feb 14 21:52:10 centos72.testdomain.com systemd[1]: clamd.service failed.
    Feb 14 21:52:10 centos72.testdomain.com systemd[1]: clamd.service holdoff time over, scheduling restart.
    Feb 14 21:52:10 centos72.testdomain.com systemd[1]: start request repeated too quickly for clamd.service
    Feb 14 21:52:10 centos72.rope-parkstad.nl systemd[1]: Failed to start clamd scanner daemon.
    Feb 14 21:52:10 centos72.rope-parkstad.nl systemd[1]: Unit clamd.service entered failed state.
    Feb 14 21:52:10 centos72.rope-parkstad.nl systemd[1]: clamd.service failed.

    Can someone tell me what is going wrong here? I get the same error when I want to start clamd@scan

    Reply
    • Edwin

      Hi Robert, was the problem fixed? any experience to share?

      Reply
    • Creed

      Was there a fix to this?

      Reply
    • MooD

      Please notice that you don’t have any extra char in:
      /etc/clamd.d/clamd.conf
      I had a “/” at the start; after I removed it and ran systemctl restart clamd.service it worked

      Reply
    • Will Long

      Robert,

      Try running the command alone…
      $ /usr/sbin/clamd -c /etc/clamd.d/clamd.conf --nofork=yes

      In my case, the response was “ERROR: Please define server type (local and/or TCP).”

      So I enabled/uncommented “TCPSocket 3310” in /etc/clamd.d/clamd.conf and it now works.

      Will

      Reply
  • James Daniel

    Hi Michael. This post includes a big error, the service is not missing and didn’t need to be created. Take a look here, it’s solved my problems:
    https://www.adminsys.ch/2015/08/21/installing-clamav-epel-centosred-hat-7-nightmare/

    Reply
    • Thanks, that might be helpful for others. Not everyone will do their installation the same way, so keeping things up for readers to consider what option they prefer.

      Reply
      • Denis

        Update your blog post, no need to remove or change; clamd@.service is the service template file, it means you can run a few different config files. That’s why it has “%i” inside. You name the config and you start the service. For example 1 – /etc/clam.d/monitor.conf -> service clamd@monitor start
        example 2 – /etc/clam.d/mailscan.conf -> service clamd@mailscan start

        The first one will monitor folders with the on-access feature, and run as root user; the second will be used together with a milter socket to scan incoming e-mails, running as clamscan user. And so on…

        Thanks

        p.s. http://blog.clamav.net/2016/03/configuring-on-access-scanning-in-clamav.html

        Reply
  • Kenny

    Why exactly are you creating a freshclam daemon?

    The default clamav package creates a CRON file (namely “/etc/cron.d/clamav-update”) that calls “/usr/share/clamav/freshclam-sleep” every three hours. Creating an additional freshclam daemon by hand seems to be a bit redundant to me.

    Reply
  • Erhan

    replace “–nofork=yes” with “–foreground=yes”.

    https://bugzilla.redhat.com/show_bug.cgi?id=1364253

    Reply
  • brock

    The blog converted your double dashes to long dashes / single em dashes.

    I understand that you meant to say replace the “dash dash nofork=yes” with “dash dash foreground=yes”

    That automatic conversion of your typed characters by the CMS caught me for a second… :-)

    That fixed my problem. Thanks for the note…

    Reply
  • Sven Croon

    Hi,

    Thx for the great article! It really helped me get everything up&running.
    One thing though. there are no databasemirrors in my country apparently, so, as advised by the Clamav tutorial (http://www.clamav.net/documents/mirrors), I added
    DatabaseMirror db.be.clamav.net
    DatabaseMirror db.local.clamav.net

    This is different from what the default contents of the freshclam file says
    cfr.
    # database.clamav.net is a round-robin record which points to our most
    # reliable mirrors. It’s used as a fall back in case db.XY.clamav.net is
    # not working. DO NOT TOUCH the following line unless you know what you
    # are doing.
    DatabaseMirror database.clamav.net

    I guess they updated the round-robin record, but failed to update the freshclam.conf default ?

    Best Regards,
    Sven

    Reply
  • Dan

    That’s a great guide there but it needs to be updated. After a recent update for clamav it no longer supports the flag
    ‘--nofork=yes’. It was replaced by ‘--foreground=yes’. This will need to be done like this: navigate to /usr/lib/systemd/system/clamd.service : in there replace ‘/usr/sbin/clamd -c /etc/clamd.d/clamd.conf --nofork=yes’ with ‘/usr/sbin/clamd -c /etc/clamd.d/clamd.conf --foreground=yes’ . Then run ‘systemctl daemon-reload’ and start clamd

    Reply
  • Michael T. Babcock

    freshclam shouldn’t be run as a ‘service’ in systemd but as a timer. By default it comes with a cron job that will run it automatically as well. rpm -ql clamav-update for details.

    Reply
  • I’m getting this error now:
    systemd[1]: /usr/lib/systemd/system/clamd@scan.service:1: .include directives are deprecated, and support for them will be removed in a future version of systemd. Please use drop-in files instead.

    Reply
  • Tony Esposito

    Why are you doing this

    cp /usr/share/clamav/template/clamd.conf /etc/clamd.d/clamd.conf
    sed -i '/^Example/d' /etc/clamd.d/clamd.conf

    but starting the service with another config file (scan.conf)

    systemctl start clamd@scan.service

    Reply
  • Sebastian Garzón

    Thanks a lot for this tutorial. This solved my problem of clamd not starting.

    Reply
    • Mohan Thavarajah

      Hey Sebastian, did you get it to work by disabling clamd.service?
      systemctl enable clamd@scan.service
      systemctl disable clamd.service

      Reply
