How to Install ClamAV on Fedora Linux

Last updated Saturday, February 28, 2026 3:03 pm

ClamAV makes sense on Fedora when you want a second look at downloads, mail attachments, or files moving between Linux and Windows systems. To install ClamAV on Fedora, you can stay inside Fedora’s default repositories, keep signatures current with clamav-freshclam, and add the optional clamd daemon later if repeat scans start feeling slow.

Most people only need the base scanner and current signatures. The guide starts there, then moves into the scan commands that matter day to day, scheduled quarantine jobs, clamd/clamdscan for faster repeat work, and ClamTk if you would rather use a desktop GUI than live in the terminal.

Install ClamAV on Fedora

Start with the scanner and the signature updater. You can add the daemon later if you want faster repeat scans through clamdscan.

Update Fedora before installing ClamAV

Refresh package metadata and install pending updates first so the ClamAV packages come from a current Fedora repository state.

sudo dnf upgrade --refresh

This guide uses sudo for system-wide package and service changes. If your account is not in the sudoers file yet, follow the guide on how to add a user to sudoers on Fedora.

Install the ClamAV scanner and updater

For a base setup, install the scanner plus Fedora’s background signature updater:

sudo dnf install clamav clamav-freshclam

Expected output:

Package                  Arch    Version         Repository   Size
Installing:
 clamav                  x86_64  1.4.3-3.fc43   updates      19.3 MiB
 clamav-freshclam        x86_64  1.4.3-3.fc43   updates      233.8 MiB
Installing dependencies:
 clamav-filesystem       noarch  1.4.3-3.fc43   updates      28.0 KiB
 clamav-lib              x86_64  1.4.3-3.fc43   updates      10.9 MiB

Transaction Summary:
 Installing: 4 packages

Complete!

Verify that the scanner is available in your shell:

clamscan --version

Expected output:

ClamAV 1.4.3

Update ClamAV signatures on Fedora

Run an initial manual update so the first scan uses current signatures instead of waiting for the background updater to catch up.

sudo freshclam

Expected output:

ClamAV update process started at Sat Feb 28 14:34:51 2026
daily.cvd updated (version: 27925, sigs: 355142, f-level: 90, builder: svc.clamav-publisher)
main.cvd updated (version: 63, sigs: 3287027, f-level: 90, builder: tomjudge)
bytecode.cvd updated (version: 339, sigs: 80, f-level: 90, builder: nrandolp)

Later runs switch from "updated" to "is up-to-date" once the databases are current. Any time you want a manual refresh later, run sudo freshclam again.

After the first manual update, enable the background updater so Fedora keeps checking for newer signatures automatically:

sudo systemctl enable --now clamav-freshclam

Confirm that the updater service is active:

sudo systemctl status clamav-freshclam --no-pager

Expected output:

● clamav-freshclam.service - ClamAV virus database updater
     Loaded: loaded (/usr/lib/systemd/system/clamav-freshclam.service; enabled; preset: disabled)
     Active: active (running) since Sat 2026-02-28 14:34:51 AWST

Compare ClamAV, clamd, and ClamTk on Fedora

Fedora splits the scanner, daemon, and GUI into separate packages, so it helps to know which part you actually need before adding more services.

| Component | Package | Best for | What to know |
|-----------|---------|----------|--------------|
| clamscan | clamav | Occasional on-demand scans | Simplest setup, but it reloads signatures every time you start a scan. |
| clamdscan | clamd | Frequent repeat scans | Faster after setup because the daemon keeps signatures loaded in memory. |
| ClamTk | clamtk | Desktop GUI workflows | GTK front end for ClamAV; good if you prefer a graphical launcher in Activities. |

Most users should start with clamscan and clamav-freshclam. Add clamd when scan speed matters, and install ClamTk only if you want a GUI on a Fedora desktop session.

Scan Files and Directories with ClamAV on Fedora

Once the signatures are current, you can use clamscan for direct file checks, directory sweeps, and quarantine runs.

Test ClamAV with the EICAR file

The EICAR test file is a harmless string that antivirus tools treat as malware. It is the quickest way to prove the scanner and signatures are working together.

curl -fsSL https://secure.eicar.org/eicar.com -o /tmp/eicar.com
clamscan /tmp/eicar.com

Expected output:

/tmp/eicar.com: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 3627556
Engine version: 1.4.3
Scanned files: 1
Infected files: 1

Remove the test file after the check finishes:

rm -f /tmp/eicar.com

Common ClamAV scan commands on Fedora

Scan a single file

clamscan ~/Downloads/example.iso

Scan a directory recursively

clamscan -r ~/Downloads

Show only infected results

clamscan -r -i ~/Downloads

Ring the terminal bell when ClamAV finds malware

If you are running a scan in an interactive terminal and want a simple alert, the --bell flag rings the terminal bell when ClamAV detects something.

clamscan -r -i --bell ~/Downloads

Move infected files into quarantine

Create a quarantine directory first so ClamAV has a safe place to move infected files:

mkdir -p ~/clamav-quarantine
clamscan -r -i --move="$HOME/clamav-quarantine" "$HOME/Downloads"

Use quarantine before you use --remove. Deleting infected files is permanent, and false positives are much easier to review and restore from a separate quarantine directory than from a wiped download folder.

Useful clamscan flags on Fedora

| Flag | Meaning |
|------|---------|
| -r | Scan subdirectories recursively. |
| -i | Print only infected files instead of every clean result. |
| -o | Skip printing clean OK results. |
| --no-summary | Skip the summary block at the end of the scan. |
| --log=FILE | Write the scan report to a log file. |
| --move=DIRECTORY | Move infected files into a quarantine directory. |
| --remove | Delete infected files permanently. |

Schedule ClamAV Scans on Fedora

A daily cron job works well for home directories, shared download folders, and upload areas that do not need the extra complexity of on-access scanning.

Install cron support for ClamAV scheduled scans

Fedora Workstation often already has cronie. If crontab -e is missing, install it first:

sudo dnf install cronie

On Fedora Workstation, crond is usually already enabled. If you install cronie on a minimal system, start the scheduler with sudo systemctl enable --now crond before you rely on user crontabs.

Add a daily ClamAV cron job on Fedora

Open your user crontab:

crontab -e

If this is your first personal crontab, Fedora may ask which editor you want to use before it opens the file.

Add a daily scan that checks $HOME/Downloads, moves infected files into quarantine, and logs the result to $HOME/clamav-scan.log:

0 2 * * * /usr/bin/clamscan -r -i --move="$HOME/clamav-quarantine" --log="$HOME/clamav-scan.log" "$HOME/Downloads"

List your crontab afterward to confirm the entry was saved correctly:

crontab -l

Expected output:

0 2 * * * /usr/bin/clamscan -r -i --move="$HOME/clamav-quarantine" --log="$HOME/clamav-scan.log" "$HOME/Downloads"

Change $HOME/Downloads to another directory if you want to scan mail spools, shared folders, or a web upload path instead.
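
The cron line above records detections only in the log file, so a detection and a failed scan look the same unless someone reads that log. The wrapper below is an added example, not part of the original guide: the script and function names are hypothetical, and it maps clamscan's documented exit codes (0 clean, 1 detection, 2 error) to a status while keeping the quarantine directory owner-only.

```shell
#!/bin/sh
# Added example: cron wrapper for clamscan. Script and function names are
# hypothetical; the paths mirror the ones used in this guide.
CLAMSCAN="${CLAMSCAN:-/usr/bin/clamscan}"   # overridable, e.g. by a test stub

# Map clamscan's documented exit codes to a status word.
classify_status() {
    case "$1" in
        0) echo clean ;;      # no detections
        1) echo infected ;;   # at least one detection
        *) echo error ;;      # 2 or anything else: the scan itself failed
    esac
}

# Print detection lines ("<path>: <signature> FOUND") from one scan report.
list_detections() {
    grep -E ': .+ FOUND$' "$1" 2>/dev/null || true
}

# run_scan TARGET QUARANTINE REPORT: prints a status word, returns clamscan's code.
run_scan() {
    # Owner-only quarantine so moved samples are not readable by other users.
    mkdir -p "$2" && chmod 700 "$2" || { echo error; return 2; }
    rc=0
    "$CLAMSCAN" -r -i --move="$2" --log="$3" "$1" >/dev/null 2>&1 || rc=$?
    classify_status "$rc"
    return "$rc"
}

# main TARGET: scan, append the report to the persistent log, and print only
# what needs attention (detections on stdout, failures on stderr).
main() {
    report=$(mktemp) || return 2
    result=$(run_scan "$1" "$HOME/clamav-quarantine" "$report") || true
    cat "$report" >> "$HOME/clamav-scan.log"
    case "$result" in
        infected) echo "ClamAV detections under $1:"; list_detections "$report" ;;
        error)    echo "ClamAV scan of $1 failed, see $HOME/clamav-scan.log" >&2 ;;
    esac
    rm -f "$report"
    [ "$result" != error ]
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Saved under a path of your choice and made executable, the script takes the directory to scan as its only argument and can replace the clamscan command in the crontab entry.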

Configure clamd and clamdscan on Fedora

The clamd daemon keeps the signature database in memory, so repeat scans finish much faster than repeated clamscan runs. On Fedora, though, the daemon does not start cleanly until you define a local socket in /etc/clamd.d/scan.conf.

Enable the clamd local socket in scan.conf

Open the daemon configuration file:

sudo nano /etc/clamd.d/scan.conf

Uncomment or add these lines so clamd listens on the local Unix socket that Fedora expects:

LocalSocket /run/clamd.scan/clamd.sock
LocalSocketGroup virusgroup
LocalSocketMode 660

If those settings stay commented out, clamd@scan fails with the journal error "Please define server type (local and/or TCP)."

Stick with the local socket unless you specifically need a remote ClamAV service. If you later expose clamd over TCP, lock it down with firewalld on Fedora instead of leaving it open on the network.
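
To check the settings above before starting the daemon, the following added example (not from the original guide) audits a clamd configuration file for a missing listener, a socket mode that lets every local user connect, and a TCP listener that is not bound to loopback. The function names and finding labels are hypothetical; LocalSocket, LocalSocketMode, TCPSocket and TCPAddr are standard clamd.conf directives.

```shell
#!/bin/sh
# Added example: audit of a clamd config file. Function names and finding
# labels are hypothetical; the directives are standard clamd.conf options.

# get_directive FILE NAME: print the value of the last uncommented NAME line.
get_directive() {
    awk -v key="$2" '$1 == key { val = $2 } END { if (val != "") print val }' "$1"
}

# audit_clamd_conf FILE: print "ok" or a space-separated list of findings;
# returns non-zero when there is at least one finding.
audit_clamd_conf() {
    [ -r "$1" ] || { echo unreadable; return 2; }
    conf=$1 findings=""
    sock=$(get_directive "$conf" LocalSocket)
    tcp=$(get_directive "$conf" TCPSocket)
    mode=$(get_directive "$conf" LocalSocketMode)

    # Neither listener defined: the "Please define server type" failure.
    if [ -z "$sock" ] && [ -z "$tcp" ]; then findings="$findings no-server-type"; fi

    if [ -n "$sock" ]; then
        case "$mode" in
            # Upstream default when unset leaves the socket world accessible.
            "")     findings="$findings socket-mode-unset" ;;
            # A non-zero last digit (e.g. 666) grants access to all local users.
            *[1-7]) findings="$findings socket-world-accessible" ;;
        esac
    fi

    if [ -n "$tcp" ]; then
        # With no TCPAddr, clamd binds the TCP port on every interface.
        addrs=$(awk '$1 == "TCPAddr" { print $2 }' "$conf")
        [ -n "$addrs" ] || findings="$findings tcp-all-interfaces"
        for a in $addrs; do
            case "$a" in
                localhost|127.0.0.1|::1) ;;
                *) findings="$findings tcp-non-loopback:$a" ;;
            esac
        done
    fi

    findings=${findings# }
    echo "${findings:-ok}"
    [ -z "$findings" ]
}

# Usage: sh audit-clamd.sh /etc/clamd.d/scan.conf
if [ "$#" -gt 0 ]; then audit_clamd_conf "$1"; fi
```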

Start clamd and allow clamdscan access

sudo systemctl enable --now clamd@scan
sudo gpasswd -a "$USER" virusgroup

Group membership changes apply to new login sessions. Log out and back in before you use plain clamdscan, or use the one-time sg command shown below to test the socket immediately in your current shell.

Check that the daemon is running:

sudo systemctl status clamd@scan --no-pager

Expected output:

● clamd@scan.service - clamd scanner (scan) daemon
     Loaded: loaded (/usr/lib/systemd/system/clamd@.service; enabled; preset: disabled)
     Active: active (running) since Sat 2026-02-28 14:35:48 AWST
     CGroup: /system.slice/system-clamd.slice/clamd@scan.service
             └─14158 /usr/sbin/clamd -c /etc/clamd.d/scan.conf

Test clamdscan from your current shell

This one-time command launches clamdscan with your new virusgroup membership so you do not have to log out just to confirm the socket works. In plain terms, sg starts a temporary shell with the extra group applied.

sg virusgroup -c 'clamdscan /etc/hosts'

Expected output:

/etc/hosts: OK

----------- SCAN SUMMARY -----------
Infected files: 0
Time: 0.007 sec (0 m 0 s)

If you later scan private directories with clamdscan, remember that the daemon still needs read access to those paths. Use normal file permissions, ACLs, or fall back to clamscan when a quick one-off sudo scan is easier.

Install ClamTk on Fedora

ClamTk adds a simple GTK front end for ClamAV, which is useful if you would rather launch scans from the desktop than type every command yourself.

sudo dnf install clamtk

Verify that Fedora installed the package:

rpm -q clamtk

Expected output:

clamtk-6.18-4.fc43.noarch

On a Fedora desktop, search for ClamTk in Activities and open it there. If you prefer, you can also launch it from a local terminal:

clamtk

Over SSH without a graphical desktop session, clamtk fails with a display error instead of opening its window. Launch it from the Fedora desktop itself when you want the GUI.

New ClamTk setups store per-user data in ~/.config/clamtk, including quarantine history and preferences. If you already have an older ~/.clamtk directory, ClamTk keeps using that instead of creating a second profile tree.

ClamTk is maintained upstream on GitHub if you want to review its changelog or project notes.

Troubleshoot ClamAV on Fedora

These are the Fedora-specific problems most likely to trip you up: the daemon failing before its socket is configured, regular users getting blocked from the daemon socket, and permission errors when a scan reaches protected paths.

clamd@scan fails with “Please define server type”

If the service exits immediately after installation, check the journal first:

sudo journalctl -u clamd@scan.service --no-pager -n 20

A typical failure looks like this:

Received 0 file descriptor(s) from systemd.
Please define server type (local and/or TCP).
ERROR: Please define server type (local and/or TCP).

This happens because Fedora’s default scan.conf leaves both the local socket and TCP listener commented out. Uncomment the socket settings, then restart the service:

LocalSocket /run/clamd.scan/clamd.sock
LocalSocketGroup virusgroup
LocalSocketMode 660

sudo systemctl restart clamd@scan

clamdscan says “Permission denied” on the local socket

When your user is not in virusgroup, clamdscan cannot open the daemon socket:

ERROR: Could not connect to clamd on LocalSocket /run/clamd.scan/clamd.sock: Permission denied

Add your user to the correct group, then start a new login session or use sg for an immediate one-time test:

sudo gpasswd -a "$USER" virusgroup
sg virusgroup -c 'clamdscan /etc/hosts'

clamscan reports permission denied on system directories

Directories such as /root, /var, and parts of /proc need elevated access. Without it, ClamAV skips them and reports errors like these:

/var/log/journal: Permission denied. ERROR
/root/.cache: Permission denied. ERROR

For a one-off system scan, run the command with sudo:

sudo clamscan -r /var

Remove ClamAV from Fedora

If you no longer need ClamAV, stop any background services first, then remove the packages you installed.

If you enabled the updater or daemon, stop them before package removal:

sudo systemctl disable --now clamav-freshclam
sudo systemctl disable --now clamd@scan

Remove the core ClamAV packages:

sudo dnf remove clamav clamav-freshclam

If you installed the optional daemon or GUI, remove them separately:

sudo dnf remove clamd
sudo dnf remove clamtk

DNF removes the packages, but Fedora leaves local signature files and custom daemon configuration behind. The next commands permanently delete downloaded databases, custom clamd settings, and any ClamTk preferences or quarantine history stored in your home directory.

sudo rm -rf /var/lib/clamav
sudo rm -rf /etc/clamd.d
rm -rf ~/.config/clamtk ~/.clamtk

Verify that the core packages are gone:

rpm -q clamav clamav-freshclam

Expected output:

package clamav is not installed
package clamav-freshclam is not installed

Frequently Asked Questions

Does Fedora need an antivirus scanner?

Fedora is less exposed to common desktop malware than Windows, but ClamAV is still useful when you exchange files with Windows systems, scan email attachments, or check upload directories on a Fedora server.

How do you update ClamAV signatures on Fedora?

Run sudo freshclam for a manual signature refresh. After you enable clamav-freshclam, Fedora also checks for newer signatures in the background, so the manual command is mainly for the first update or for troubleshooting.

Is there a GUI for ClamAV on Fedora?

Yes. The clamtk package adds a GTK front end you can launch from Activities on a Fedora desktop. It still uses the same ClamAV engine and signature database underneath, so GUI scans and command-line scans stay in sync.

Does ClamAV provide real-time protection on Fedora?

Yes. Fedora ships the clamonacc client, but it is an advanced setup that depends on a working clamd socket plus readable monitored paths. Start with scheduled scans first, then test on a non-critical directory before you rely on on-access prevention.

Why does ClamTk say the antivirus signatures are outdated?

Usually either the signatures have not been refreshed yet or ClamTk is seeing more than one signature directory. Run sudo freshclam first, then check whether daily.cvd or daily.cld exists in more than one location under /var.

Why does freshclam get a 403 or 429 error on Fedora?

A 429 usually means the ClamAV CDN is rate-limiting repeated downloads, and a 403 can happen when the updater is being used the wrong way or from a restricted network. Stick with Fedora’s clamav-freshclam service, avoid hammering the CDN with scripted curl or wget downloads, and wait for the cooldown window before retrying.

Conclusion

ClamAV is now in place on Fedora with current signatures and a scan routine that fits real use, whether that means a quick clamscan check, a nightly cron job, or the faster clamd path. If this machine is exposed to the network, tighten it further with Fail2Ban with firewalld on Fedora or keep routine updates hands-off with dnf-automatic on Fedora.

8 thoughts on “How to Install ClamAV on Fedora Linux”

  1. I miss the access prevention in case a virus was detected and also a notification. Otherwise you would hardly find out you got a virus on your system. Nobody reads/scans the logs on a daily basis.

    • Thanks for raising this important concern, Herbert. You are absolutely right that the article previously did not make clear how users know when ClamAV detects threats or how to prevent access to infected files.

      ClamAV does provide access prevention through the on-access scanner with OnAccessPrevention yes configured in /etc/clamd.d/scan.conf. When enabled, this uses Linux fanotify to block file access at the kernel level with “Operation not permitted” errors when infected files are accessed. The article has been updated with detailed configuration steps and a test procedure to verify the blocking works correctly.

      For notifications, you are correct that ClamAV by default only logs detections without actively alerting users. The article now includes a complete “Monitor for Detected Threats” section with scripts for desktop notifications and email alerts that check ClamAV logs and notify you immediately when malware is detected. These notification systems address exactly the concern you raised about nobody reading logs on a daily basis.

      Without these configurations, you are right that infected files remain accessible and users would not know about detections until manually checking logs. The updated guide now covers both real-time blocking and active notification systems.

    • Thanks for the question, Eric. Scanning the entire filesystem with sudo clamscan -r / works, but expect it to take significantly longer and use more resources. The scan will traverse system directories, mounted drives, and virtual filesystems like /proc and /sys, which can cause false positives or errors.

      For a full system scan, consider excluding problematic paths:

      sudo clamscan --bell -i -r / --exclude-dir="^/proc" --exclude-dir="^/sys" --exclude-dir="^/dev" --exclude-dir="^/run"

      This skips virtual filesystems that contain no actual files. Running nice to lower CPU priority is also recommended for full system scans to avoid impacting system performance.
