How to Install ClamAV on Fedora 44

ClamAV earns its place on Fedora when files move between Linux, Windows, mailboxes, shared folders, or upload directories and you want a second malware check before those files go any farther. To install ClamAV on Fedora, start with Fedora’s repository packages for the scanner and signature updater, then add the daemon, on-access testing, or ClamTk only when those workflows match the system you are protecting.

The base setup gives you clamscan for on-demand checks and freshclam for signature updates. clamd and clamdscan help with repeat scanning, clamonacc can test on-access blocking for selected paths, and ClamTk adds a desktop interface for graphical Fedora sessions.

Install ClamAV on Fedora

Begin with the scanner and updater packages. Add the daemon, GUI, or on-access scanner later so each extra component has a clear purpose.

Update Fedora before installing ClamAV

Refresh package metadata and review pending system updates before installing security software.

sudo dnf upgrade --refresh

Package and service changes need administrative privileges. If your account cannot use sudo yet, configure sudo access with the guide on how to add a user to sudoers on Fedora.

Install the ClamAV scanner and signature updater

Install the command-line scanner and Fedora’s FreshClam updater package:

sudo dnf install clamav clamav-freshclam

Verify the scanner binary afterward:

clamscan --version

Fedora 44 currently reports this ClamAV branch:

ClamAV 1.4.4

Update ClamAV signatures on Fedora

Run one manual signature update before the first scan. FreshClam’s database versions, signature counts, and timestamps change constantly, so treat successful database update or up-to-date messages as the important signal.

sudo freshclam --stdout

After the manual refresh, start Fedora’s updater service so signatures stay current automatically:

sudo systemctl enable --now clamav-freshclam

Check the service with short state commands instead of a long status dump:

systemctl is-active clamav-freshclam
systemctl is-enabled clamav-freshclam

The expected states are:

active
enabled

Compare ClamAV Components on Fedora

Fedora splits ClamAV into small packages. Keep the base scanner for occasional checks, then install only the extra components that change your workflow.

Component	Fedora Package	Use Case	Update or Service Owner
clamscan	clamav	On-demand terminal scans for files and directories.	Updated by normal DNF package updates.
freshclam	clamav-freshclam	Downloads and refreshes malware signature databases.	clamav-freshclam.service after you enable it.
clamdscan	clamd plus clamav	Faster repeat scans through the clamd daemon.	clamd@scan.service after socket configuration.
clamonacc	clamav	Advanced on-access testing for selected paths.	Manual foreground test first; service use needs path-specific validation.
ClamTk	clamtk	Graphical ClamAV front end for Fedora desktop sessions.	Updated by DNF; uses the same ClamAV signatures.

For most Fedora desktops, clamav and clamav-freshclam are enough. Add clamd for frequent scans, test clamonacc only on a narrow path first, and install ClamTk only when a GUI is useful.

Scan Files and Directories with ClamAV on Fedora

Once signatures are current, use clamscan for direct file checks, directory sweeps, quarantine jobs, and quick malware detection tests.

Test ClamAV with the EICAR file

The EICAR test file is a harmless antivirus test string. Download it with curl, then scan it with ClamAV; the Linux curl command guide explains the download flags if you want the command details.

curl -fsSL https://secure.eicar.org/eicar.com -o /tmp/eicar.com
clamscan /tmp/eicar.com

Relevant output includes the detection line and an infected-file count:

/tmp/eicar.com: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Scanned files: 1
Infected files: 1

Remove the test file after the scan:

rm -f /tmp/eicar.com

Run common ClamAV scan commands on Fedora

Use a single-file scan when you only need to check one download:

clamscan ~/Downloads/example.iso

Scan a directory recursively when you want ClamAV to walk through subdirectories:

clamscan -r ~/Downloads

Limit output to infected results when clean-file output becomes noisy:

clamscan -r -i ~/Downloads

Ring the terminal bell when an interactive scan detects malware:

clamscan -r -i --bell ~/Downloads

Move infected files into quarantine with ClamAV

Create a quarantine directory before using --move so ClamAV has a safe destination for detected files:

mkdir -p ~/clamav-quarantine

Scan your downloads and move infected files into that directory:

clamscan -r -i --move="$HOME/clamav-quarantine" "$HOME/Downloads"

Use quarantine before you use --remove. Deleting infected files is permanent, and false positives are easier to review from a quarantine directory than from a wiped download folder.

Review useful clamscan flags on Fedora

Flag	What It Does
-r	Scans subdirectories recursively.
-i	Prints infected files instead of every clean result.
-o	Skips clean OK lines.
--no-summary	Suppresses the scan summary.
--log=FILE	Writes the scan report to a log file.
--move=DIRECTORY	Moves infected files into a quarantine directory.
--remove	Deletes infected files permanently.

Schedule ClamAV Scans on Fedora

A user cron job is a practical middle ground for home directories, shared download folders, and upload areas that do not need on-access scanning. It also creates a log you can review after unattended scans.

Install cron support for ClamAV scheduled scans

Fedora Workstation commonly has cronie already. Install it if crontab is missing, then enable the scheduler on minimal systems:

sudo dnf install cronie
sudo systemctl enable --now crond

Add a daily ClamAV cron job on Fedora

Create the quarantine directory first so the scheduled scan does not fail when it finds a detection:

mkdir -p ~/clamav-quarantine

Open your user crontab:

crontab -e

Add a daily scan that checks $HOME/Downloads, moves infected files into quarantine, and writes the result to $HOME/clamav-scan.log:

0 2 * * * /usr/bin/clamscan -r -i --move="$HOME/clamav-quarantine" --log="$HOME/clamav-scan.log" "$HOME/Downloads"

List the crontab afterward to confirm the entry was saved correctly:

crontab -l

The saved entry should match the scan schedule:

0 2 * * * /usr/bin/clamscan -r -i --move="$HOME/clamav-quarantine" --log="$HOME/clamav-scan.log" "$HOME/Downloads"

Review detections or scan errors from the log instead of relying on the cron job to interrupt you. The Linux grep command guide can help you expand the pattern for additional scan terms.

grep -E "FOUND|ERROR" "$HOME/clamav-scan.log"

Configure clamd and clamdscan on Fedora

The clamd daemon keeps signatures loaded in memory, which makes repeated scans faster than starting a new clamscan process each time. Fedora installs the daemon separately and expects you to enable a local socket before starting clamd@scan.

Install the clamd daemon package

sudo dnf install clamd

Enable the clamd local socket on Fedora

Open Fedora’s scan profile:

sudo nano /etc/clamd.d/scan.conf

Set the local socket values so clamdscan can talk to the daemon through /run/clamd.scan/clamd.sock:

LocalSocket /run/clamd.scan/clamd.sock
LocalSocketGroup virusgroup
LocalSocketMode 660

If the socket stays commented out, clamd@scan can fail with Please define server type (local and/or TCP).

Use the local socket unless you have a specific remote-scanning design. A TCP clamd listener needs tight firewall rules; start with firewalld on Fedora before exposing any scan service beyond localhost.

Start clamd and allow clamdscan access

sudo systemctl enable --now clamd@scan
sudo gpasswd -a "$USER" virusgroup

Group membership changes apply to new login sessions. Log out and back in before using plain clamdscan, or use sg for a one-time test in your current shell.

Check the daemon state:

systemctl is-active clamd@scan
systemctl is-enabled clamd@scan

Successful service states look like this:

active
enabled

Test clamdscan immediately with temporary virusgroup membership:

sg virusgroup -c 'clamdscan /etc/hosts'

Relevant output includes a clean file result:

/etc/hosts: OK

----------- SCAN SUMMARY -----------
Infected files: 0

For private directories, the daemon still needs read access to the files. Use normal permissions or ACLs, or fall back to clamscan when a one-off scan with sudo is simpler.

Test ClamAV On-Access Scanning on Fedora

ClamAV can watch selected paths through clamonacc, but on-access scanning is more fragile than scheduled scans. Test one directory first, confirm that EICAR access is actually blocked, and only expand the path list after you understand the permission and SELinux behavior for your workload.

Create a test directory that your account can write to and the clamscan service user can read:

sudo install -d -m 0755 -o "$USER" -g "$USER" /srv/clamav-watch

Add a narrow on-access test policy to /etc/clamd.d/scan.conf after the local socket settings:

OnAccessIncludePath /srv/clamav-watch
OnAccessPrevention yes
OnAccessExcludeUname clamscan
OnAccessDisableDDD yes

OnAccessDisableDDD yes keeps this first test non-recursive. Remove that line only after you deliberately plan a recursive watch path and have checked inotify and fanotify limits for the system.

Restart clamd and confirm the daemon can scan through its socket:

sudo systemctl restart clamd@scan
sudo clamdscan /etc/hosts

Download the EICAR test file into the watched directory before starting the foreground monitor:

curl -fsSL https://secure.eicar.org/eicar.com -o /srv/clamav-watch/eicar.com
chmod 644 /srv/clamav-watch/eicar.com

Start clamonacc in the foreground. Fedora’s clamd profile runs scans as the clamscan user, so --fdpass is important for files that the daemon otherwise cannot open directly.

sudo clamonacc --foreground --fdpass --config-file=/etc/clamd.d/scan.conf

In a second terminal, try to read the EICAR file:

cat /srv/clamav-watch/eicar.com

A working prevention test blocks access:

cat: /srv/clamav-watch/eicar.com: Operation not permitted

The foreground clamonacc terminal should also report the EICAR detection:

/srv/clamav-watch/eicar.com: Eicar-Test-Signature FOUND

Do not rely on on-access protection until the exact path you plan to monitor passes this EICAR test. If access still succeeds, check the troubleshooting section for Access denied and no reply from clamd journal messages.

Install ClamTk on Fedora

ClamTk adds a GTK interface for desktop scans. It still uses the ClamAV engine and signature databases underneath, so keep clamav-freshclam enabled even if you prefer the GUI.

sudo dnf install clamtk

Verify the package:

rpm -q clamtk

Fedora 44 currently reports:

clamtk-6.18-6.fc44.noarch

On a Fedora desktop, search for ClamTk in Activities and open it there. A local graphical session is required; terminal-only servers should stay with clamscan, clamdscan, or scheduled scans.

clamtk

New ClamTk profiles use ~/.config/clamtk. Older profiles can still use ~/.clamtk, so check both paths before deleting GUI preferences during cleanup.

The ClamTk GitHub repository tracks releases and project history.

Troubleshoot ClamAV on Fedora

Most Fedora ClamAV problems come from a missing daemon socket, stale signatures, socket permissions, path permissions, or expecting ClamAV to show active notifications when only logs were configured.

Fix clamd@scan “Please define server type” errors

If clamd@scan exits immediately, inspect recent unit logs:

sudo journalctl -u clamd@scan.service --no-pager -n 20

The failure usually includes these lines:

Please define server type (local and/or TCP).
ERROR: Please define server type (local and/or TCP).

Uncomment or add the local socket settings, then restart the daemon:

LocalSocket /run/clamd.scan/clamd.sock
LocalSocketGroup virusgroup
LocalSocketMode 660

sudo systemctl restart clamd@scan

Fix clamdscan permission denied on the local socket

If your user is not in virusgroup, clamdscan cannot open the local socket:

ERROR: Could not connect to clamd on LocalSocket /run/clamd.scan/clamd.sock: Permission denied

Add your user to the socket group, then start a new login session or run a one-time sg test:

sudo gpasswd -a "$USER" virusgroup
sg virusgroup -c 'clamdscan /etc/hosts'

Fix freshclam 403 or 429 errors on Fedora

FreshClam 429 errors usually mean the ClamAV CDN is rate-limiting repeated database requests. A 403 can happen on restricted networks or when old manual download habits bypass FreshClam’s normal update flow. Stop repeated retries, wait for the cooldown window, then run one manual refresh with the service stopped so only one updater touches the database.

sudo systemctl stop clamav-freshclam
sudo freshclam --stdout
sudo systemctl start clamav-freshclam

If the error returns immediately, check the official ClamAV documentation and avoid scripted database downloads with generic tools. FreshClam is the supported updater for ClamAV signature databases.

Fix ClamTk outdated signature warnings on Fedora

ClamTk can report outdated signatures when FreshClam has not completed its first update yet. Refresh the databases, then confirm signature files exist under /var/lib/clamav:

sudo freshclam --stdout
sudo ls -l /var/lib/clamav/daily.* /var/lib/clamav/main.* /var/lib/clamav/bytecode.*

Fix clamonacc Access denied or no reply from clamd messages

On-access scanning fails closed only when clamonacc, clamd, and the watched path all work together. If access to an infected test file still succeeds, read the foreground clamonacc terminal first. If you are testing the packaged background service, inspect its unit logs too:

sudo journalctl -u clamav-clamonacc --no-pager -n 30

Access denied or no reply from clamd messages usually mean the daemon could not scan the file quickly or with the needed permissions. Re-test in the foreground with --fdpass, confirm the watched path is readable by the clamscan service user, and keep OnAccessIncludePath limited to one tested directory until the EICAR access test returns Operation not permitted.

grep -E "FANOTIFY|FANOTIFY_ACCESS_PERMISSIONS" "/boot/config-$(uname -r)"
sudo -u clamscan test -r /srv/clamav-watch/eicar.com

Fix ClamAV permission denied errors on system directories

Directories such as /root, /var/log/journal, and virtual filesystems can produce permission errors during broad scans:

/var/log/journal: Permission denied. ERROR
/root/.cache: Permission denied. ERROR

For a one-off system scan, use sudo and avoid virtual filesystems that do not contain normal files:

sudo clamscan --bell -i -r / --exclude-dir="^/proc" --exclude-dir="^/sys" --exclude-dir="^/dev" --exclude-dir="^/run"

Remove ClamAV from Fedora

Stop the services you enabled before removing packages. If a service was never enabled, systemctl reports it as inactive and moves on.

sudo systemctl disable --now clamav-clamonacc
sudo systemctl disable --now clamd@scan
sudo systemctl disable --now clamav-freshclam

Remove the base ClamAV packages:

sudo dnf remove clamav clamav-freshclam

Remove optional packages only if you installed them:

sudo dnf remove clamd
sudo dnf remove clamtk

The cleanup commands permanently remove local signatures, custom daemon configuration, the on-access test directory, quarantine files, and ClamTk preferences. Review each path before deleting it on a system with production scan logs or quarantined evidence.

sudo rm -rf /var/lib/clamav
sudo rm -rf /etc/clamd.d
sudo rm -rf /srv/clamav-watch
rm -rf ~/clamav-quarantine ~/.config/clamtk ~/.clamtk

Verify that the core packages are gone:

rpm -q clamav clamav-freshclam

Removed packages report as not installed:

package clamav is not installed
package clamav-freshclam is not installed

Conclusion

ClamAV is ready on Fedora with current signatures, on-demand scanning, and a clear path to scheduled scans, clamd, foreground on-access testing, or ClamTk when those pieces fit the system. Network-facing machines still need layered hardening, so pair malware scanning with Fail2Ban with firewalld on Fedora and routine package maintenance through dnf-automatic on Fedora.