How to Install ClamAV on Fedora

ClamAV detects viruses, trojans, and malware on Fedora Linux systems through on-demand scanning and automated monitoring. Use it to scan email attachments before opening them, verify downloaded files from untrusted sources, or audit server directories for compromised scripts. By the end of this guide, you’ll have automated daily virus definition updates, scheduled system scans that quarantine infected files, real-time file access blocking through on-access prevention, and notification systems that alert you when threats are detected. The setup includes CPU throttling to prevent scan operations from overwhelming system resources and an optional graphical interface for users who prefer point-and-click operation over terminal commands.

Choose Your ClamAV Installation Method

ClamAV offers multiple installation approaches depending on your workflow. The base package provides command-line scanning with clamscan, while the clamd daemon enables faster multi-threaded scans through clamdscan. Additionally, desktop users who prefer graphical interfaces can install ClamTk for point-and-click operation. Most users should start with the base installation and add the daemon or GUI later if needed.

| Method | Interface | Performance | Best For |
|---|---|---|---|
| Base Installation (clamscan) | Command-line | Single-threaded, reloads database each scan | Occasional scans, cron jobs, simple setups |
| clamd Daemon (clamdscan) | Command-line client | Multi-threaded, database kept in memory | Frequent scans, server environments, performance-critical workflows |
| ClamTk GUI | Graphical desktop app | Uses clamscan backend | Desktop users who prefer graphical tools over terminal commands |

This guide covers the base installation first, then explains how to enable the clamd daemon for faster scanning and install the ClamTk GUI for desktop workflows. All three methods use the same virus definition database and scanning engine, differing only in interface and performance characteristics.

Update System Packages

Before installing ClamAV, update your system packages to ensure you have the latest versions and avoid potential conflicts during installation.

sudo dnf upgrade --refresh

Install ClamAV

ClamAV is available in Fedora’s default repositories, so install it directly with the following command:

sudo dnf install clamav clamd clamav-update

Expected output:

Last metadata expiration check: 0:01:23 ago on Thu 28 Nov 2024 10:45:12 AM EST.
Dependencies resolved.
================================================================================
 Package                   Arch      Version           Repository      Size
================================================================================
Installing:
 clamav                   x86_64    1.4.1-1.fc41      updates         520 k
 clamd                    x86_64    1.4.1-1.fc41      updates         125 k
 clamav-update            x86_64    1.4.1-1.fc41      updates          90 k

Transaction Summary
================================================================================
Install  3 Packages

Complete!

Once installation completes, verify the installation by checking the version:

clamscan --version

Expected output:

ClamAV 1.x.x/27450/Thu Nov 28 10:00:00 2024

With ClamAV installed and verified, proceed to update the virus database.

Update the ClamAV Virus Database

Before updating the virus database, ensure your system has internet connectivity. First, stop the clamav-freshclam service to avoid conflicts:

sudo systemctl stop clamav-freshclam

Next, update your virus definition database using the freshclam command:

sudo freshclam

Expected output:

ClamAV update process started at Thu Nov 28 10:50:15 2024
daily.cvd database is up-to-date (version: 27419, sigs: 2055771)
main.cvd database is up-to-date (version: 62, sigs: 6647427)
bytecode.cvd database is up-to-date (version: 334, sigs: 91)
Database updated and loaded.

After the database update completes, start the clamav-freshclam service and enable it to run automatically on system boot:

sudo systemctl enable clamav-freshclam --now

Expected output:

Created symlink /etc/systemd/system/multi-user.target.wants/clamav-freshclam.service → /usr/lib/systemd/system/clamav-freshclam.service.

Next, verify the service is running correctly:

sudo systemctl status clamav-freshclam

Expected output:

โ— clamav-freshclam.service - ClamAV virus database updater
   Loaded: loaded (/usr/lib/systemd/system/clamav-freshclam.service; enabled; preset: disabled)
   Active: active (running) since Thu 2024-11-28 10:51:20 EST; 2min ago

Additionally, to view the ClamAV database directory and file timestamps:

ls -l /var/lib/clamav/

Expected output:

total 178M
-rw-r--r-- 1 clamupdate clamupdate  450K Nov 28 10:50 bytecode.cvd
-rw-r--r-- 1 clamupdate clamupdate   68M Nov 28 10:50 daily.cvd
-rw-r--r-- 1 clamupdate clamupdate  110M Nov 28 10:50 main.cvd

Scan Directories with ClamAV

With ClamAV installed and updated, you can now run scans to check for malware. The clamscan command handles all scanning operations.

Basic Clamscan Command Syntax

The basic syntax for the clamscan command is straightforward:

sudo clamscan [options] [file/directory/-]

clamscan vs clamdscan: Which to Use

ClamAV provides two scanning tools: clamscan for on-demand scanning and clamdscan for daemon-based scanning. Understanding the differences helps you choose the right tool for your workflow:

clamscan is the standalone scanner that:

  • Runs with user permissions (can be elevated with sudo)
  • Uses an unconfined SELinux context
  • Loads the virus database each time it starts
  • Performs single-threaded scanning

clamdscan is a client that connects to the clamd daemon:

  • Runs with service permissions (configurable)
  • Uses a confined SELinux context
  • Keeps the virus database in memory for faster scans
  • Allows multi-threaded scanning

For quick, occasional scans, clamscan is simpler. However, for frequent scans or integration with other services, clamdscan offers better performance since it doesn’t reload the database each time.

Test ClamAV with EICAR Test File

Before scanning real files, verify that ClamAV detects malware correctly using the standard EICAR test file. This harmless test signature is recognized by all antivirus software:

wget -P ~ https://secure.eicar.org/eicar.com
clamscan ~/eicar.com

Expected output:

/home/user/eicar.com: Eicar-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8702198
Engine version: 1.4.1
Scanned files: 1
Infected files: 1
Time: 0.015 sec (0 m 0 s)

Once testing is complete, remove the test file:

rm ~/eicar.com

If ClamAV detects the EICAR signature, your installation is working correctly.

Common Clamscan Commands

Now that you’ve verified ClamAV works, here are the most common clamscan commands to get you started:

Print ClamAV Help

To view ClamAV’s help section, use:

sudo clamscan -h

Scan a file with ClamAV

To scan a specific file, use:

sudo clamscan /home/script.sh

Scan a directory with ClamAV

To scan a specific directory, use:

sudo clamscan /home/

Expected output:

/home/user/Documents/report.pdf: OK
/home/user/Downloads/archive.zip: OK
/home/user/Pictures/photo.jpg: OK

----------- SCAN SUMMARY -----------
Known viruses: 8702198
Engine version: 1.4.1
Scanned directories: 42
Scanned files: 156
Infected files: 0
Data scanned: 89.14 MB
Data read: 112.45 MB (ratio 0.79:1)
Time: 12.543 sec (0 m 12 s)
Start Date: 2024:11:28 11:05:22
End Date:   2024:11:28 11:05:35

Show infected files only

To display only infected files, use the -i flag:

sudo clamscan -i /home/

Hide OK files from output

To exclude files marked ‘OK’ from the scan results, use:

sudo clamscan -o /home/

Suppress scan summary

To suppress the scan summary, use:

sudo clamscan --no-summary /home/

Enable bell notification on detection

For an audible alert when malware is detected, use:

sudo clamscan --bell -i /home

Scan directories recursively

To scan directories recursively with subdirectories, use:

sudo clamscan --bell -i -r /home

Save scan report to file

To save the scan report to a specific file, run:

sudo clamscan --bell -i -r /home -l output.txt

Scan files from list

To scan files listed line-by-line in a specified file, use:

sudo clamscan -i -f /tmp/scan

In this case, the /tmp/scan file should contain one file path per line, such as /home/user/file1.pdf on the first line and /home/user/file2.zip on the second.

Automatically remove infected files

To automatically delete infected files during scanning, use:

sudo clamscan -r --remove /home/USER

This permanently deletes the file from your system. If it’s a false positive, you won’t be able to retrieve the file.

Move infected files to quarantine

Instead of deleting, you can move all files requiring quarantine into a specified location:

sudo clamscan -r -i --move=/home/USER/infected /home/

Replace USER with your actual username. Before running the scan, create the quarantine directory first with mkdir -p /home/USER/infected.

Limit ClamAV CPU Usage

ClamAV can be CPU-intensive during scanning, which may be problematic for systems with limited or older hardware. To limit CPU usage during scans, use the nice command before each ClamAV command.

To reduce ClamAV CPU usage, run:

sudo nice -n 15 clamscan --bell -i -r /home

With this setting, ClamAV maximizes CPU usage when nothing else uses the CPU. If another process with a higher priority requires CPU, clamscan scales down to allow that process to take priority.

ClamAV focuses on file-based malware detection. For comprehensive protection, complement it with chkrootkit to detect rootkit modifications and Fail2ban with firewalld to block brute-force attacks. Combined with SSH hardening, these tools provide layered security for your Fedora system.

Schedule Automatic Scans with Cron

To set up automatic scheduled scans on Fedora Linux, use a task scheduler such as GNOME Schedule or Cron. These tools regularly scan your system for malware, eliminating the need for manual scans. Set up scheduled scans with Cron as follows:

First, open the terminal and run the command below to access the crontab configuration file for the current user:

crontab -e

If the command does not work, install the cronie package first:

sudo dnf install cronie

Add a new line to schedule a daily scan with email notification when infections are found:

0 1 * * * /usr/bin/clamscan -r -i --move=/home/USER/infected /home/ | grep -i "FOUND" && echo "ClamAV found infected files. Check /home/USER/infected" | mail -s "ClamAV Alert" admin@example.com

This command schedules a daily scan at 1 AM, scanning the /home/ directory recursively, moving infected files to the quarantine directory, and sending an email alert only when infections are found. Replace USER with your actual username and admin@example.com with your email address.

Alternatively, for desktop systems with notification support, use desktop notifications instead of email:

0 1 * * * export DISPLAY=:0 && /usr/bin/clamscan -r -i --move=/home/USER/infected /home/ | grep -i "FOUND" && notify-send -u critical "ClamAV Alert" "Infected files quarantined to /home/USER/infected"

Save the file and exit the editor. The new scheduled task will take effect immediately. To verify the cron job was added correctly:

crontab -l

Expected output:

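0 1 * * * /usr/bin/clamscan -r -i --move=/home/USER/infected /home/ | grep -i "FOUND" && echo "ClamAV found infected files. Check /home/USER/infected" | mail -s "ClamAV Alert" admin@example.com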
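
A wrapper script for the scheduled scan above, added here as an example and not part of the original guide. It uses clamscan's exit status (0 clean, 1 infected, anything else an error) so that a failed scan is reported instead of looking like a clean one, and it keeps the quarantine directory out of the scan. The script path, the variable names and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original guide. SCAN_ROOT, QUARANTINE, ALERT_TO
# and the function names are assumptions made for illustration.
SCAN_ROOT="/home"
QUARANTINE="/home/USER/infected"   # replace USER, as in the guide
ALERT_TO="admin@example.com"

# Map clamscan's exit status to a word: 0 = no virus found,
# 1 = virus(es) found, anything else = the scan did not complete cleanly.
scan_status() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# Read clamscan output on stdin; print "signature|path" for each detection.
# Only lines ending in " FOUND" count, so a path that merely contains
# "found" (which grep -i "FOUND" also matches) is ignored. The greedy first
# group splits on the last ": ", so a path containing ": " stays intact.
found_lines() {
    sed -n 's/^\(.*\): \([^ ]*\) FOUND$/\2|\1/p'
}

# Constructed sample of clamscan output for trying found_lines offline.
SAMPLE_OUTPUT=$(cat <<'EOF'
/home/user/lost+found/notes.txt: OK
/home/user/Downloads/eicar.com: Eicar-Signature FOUND
/home/user/mail/Re: invoice.zip: Eicar-Signature FOUND
/home/user/Found-items.pdf: OK
EOF
)

nightly_scan() {
    mkdir -p "$QUARANTINE" && chmod 700 "$QUARANTINE" || return 2
    # The quarantine lives under SCAN_ROOT, so exclude it; otherwise each run
    # rescans earlier detections and alerts on them again.
    out=$(nice -n 15 /usr/bin/clamscan -r -i --no-summary \
            --exclude-dir="^$QUARANTINE" --move="$QUARANTINE" "$SCAN_ROOT" 2>&1)
    status=$(scan_status "$?")
    case "$status" in
        infected)
            printf '%s\n' "$out" | found_lines |
                mail -s "ClamAV Alert: files quarantined on $(hostname)" "$ALERT_TO" ;;
        error)
            printf '%s\n' "$out" |
                mail -s "ClamAV scan failed on $(hostname)" "$ALERT_TO" ;;
    esac
    [ "$status" = clean ]
}

# Hypothetical cron entry: 0 1 * * * /usr/local/bin/clamav-nightly.sh run
if [ "${1:-}" = "run" ]; then
    nightly_scan
fi
```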

Enable On-Access Scanning (Optional)

For real-time protection that blocks infected files at the kernel level, ClamAV provides on-access scanning through the clamonacc service. Unlike scheduled scans that only detect infections after the fact, on-access scanning with prevention enabled intercepts file access attempts and blocks operations on infected files before they execute. This uses Linuxโ€™s fanotify API to enforce access control at the kernel level, providing more effective protection than detection-only approaches.

On-access scanning can impact system performance, particularly on systems with heavy disk I/O or when building software projects. Test thoroughly before enabling in production environments. The prevention feature requires careful configuration to avoid blocking legitimate system operations.

Enable On-Access Prevention (File Blocking)

Before enabling the service, configure /etc/clamd.d/scan.conf to specify which directories to monitor and whether to block infected files:

sudo nano /etc/clamd.d/scan.conf

Add or uncomment the following options:

# Enable on-access scanning
ScanOnAccess yes

# Monitor this directory recursively
OnAccessIncludePath /home

# CRITICAL: Enable prevention to block infected files
# Without this, detection only logs to files
OnAccessPrevention yes

# Exclude the account clamd runs as to prevent recursion
# (must match the User setting in this file; clamscan on Fedora)
OnAccessExcludeUname clamscan

# Exclude high-activity directories to prevent performance issues
OnAccessExcludePath /home/user/projects
OnAccessExcludePath /tmp
OnAccessExcludePath /var/tmp

The OnAccessPrevention yes option is what actually blocks file access. When a process attempts to open an infected file, the kernel returns “Operation not permitted” and prevents the file from being read or executed. Without this option, on-access scanning only logs detections without blocking access.

After configuration, ensure the clamd@scan service runs (see the “Configure clamd Daemon for clamdscan” section below), then enable the on-access scanning service:

sudo systemctl enable clamav-clamonacc --now

Verify the service is running:

sudo systemctl status clamav-clamonacc

Expected output:

โ— clamav-clamonacc.service - ClamAV On-Access Scanner
     Loaded: loaded (/usr/lib/systemd/system/clamav-clamonacc.service; enabled; preset: disabled)
     Active: active (running) since Tue 2026-01-07 10:00:00 EST; 5s ago

Test On-Access Prevention

To verify that on-access prevention actually blocks infected files, download the EICAR test file to a monitored directory and attempt to read it:

cd ~
wget https://secure.eicar.org/eicar.com
cat eicar.com

Expected output:

cat: eicar.com: Operation not permitted

This “Operation not permitted” error confirms that fanotify blocked access at the kernel level. The detection will also be logged to /var/log/clamav/clamonacc.log. If you see the EICAR file contents instead of the error, on-access prevention is not enabled correctly. Remove the test file after verification:

sudo rm ~/eicar.com
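
When the EICAR test prints the file instead of failing, the first thing to check is the configuration file. The checker below is an added example, not part of the original guide or of ClamAV; it reads a clamd config and reports which of the settings this section relies on are missing. The function names and the sample config are constructed, and comparing OnAccessExcludeUname against the User directive is an assumption based on the exclusion's stated purpose.

```shell
#!/bin/sh
# Added example, not from the guide or the ClamAV project. conf_values and
# check_onaccess are hypothetical helper names.

# Print every value given for directive $2 in config file $1.
# Commented-out lines never match because their first field starts with "#".
conf_values() {
    awk -v key="$2" '$1 == key && NF >= 2 { print $2 }' "$1"
}

# Print one line per problem and return 1, or print nothing and return 0.
check_onaccess() {
    conf=$1
    problems=0
    # The last occurrence of the directive is the one checked here.
    case "$(conf_values "$conf" OnAccessPrevention | tail -n 1 | tr 'A-Z' 'a-z')" in
        yes|true|1) ;;
        *) echo "OnAccessPrevention is not enabled: detections are logged, not blocked"
           problems=1 ;;
    esac
    if [ -z "$(conf_values "$conf" OnAccessIncludePath)" ]; then
        echo "no OnAccessIncludePath: no directory is watched"
        problems=1
    fi
    # Assumption: the excluded name should be the account in the User
    # directive, so clamd's own reads of a file are not intercepted again.
    daemon_user=$(conf_values "$conf" User | tail -n 1)
    if [ -n "$daemon_user" ] &&
       ! conf_values "$conf" OnAccessExcludeUname | grep -qxF "$daemon_user"; then
        echo "OnAccessExcludeUname does not name '$daemon_user', the User clamd runs as"
        problems=1
    fi
    return "$problems"
}

# Constructed sample: prevention left commented out, wrong account excluded.
SAMPLE_CONF=$(cat <<'EOF'
User clamscan
OnAccessIncludePath /home
#OnAccessPrevention yes
OnAccessExcludeUname clamav
OnAccessExcludePath /tmp
EOF
)

# Usage (hypothetical file name): sh check-onaccess.sh /etc/clamd.d/scan.conf
if [ -n "${1:-}" ]; then
    check_onaccess "$1"
fi
```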

Monitor for Detected Threats

By default, ClamAV logs detection events but does not actively notify users when it finds malware. For systems without on-access prevention enabled, infected files remain accessible until manually quarantined. This section explains how to monitor ClamAV logs and configure notifications so you know immediately when threats are detected rather than discovering infections weeks later.

Check ClamAV Log Files

ClamAV writes detection events to log files in /var/log/clamav/. Check these logs regularly to see if any threats were detected:

sudo tail -f /var/log/clamav/clamd.log

For on-access scanning logs:

sudo tail -f /var/log/clamav/clamonacc.log

To search for infected file detections across all ClamAV logs:

sudo grep -i "FOUND" /var/log/clamav/*.log

Configure Desktop Notifications

For desktop systems, configure notifications when ClamAV detects threats. Create a simple monitoring script that checks logs and sends desktop notifications:

sudo nano /usr/local/bin/clamav-notify.sh

Add the following content:

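#!/bin/bash
# Monitor ClamAV logs and send desktop notifications for threats

LOGFILE="/var/log/clamav/clamd.log"
# Holds the byte offset of the log that has already been checked
LASTCHECK="/var/tmp/clamav-notify-lastcheck"

# Current log size in bytes; stop quietly if the log does not exist
SIZE=$(stat -c %s "$LOGFILE" 2>/dev/null) || exit 0

# Create lastcheck file if it doesn't exist, starting at the current end of the log
if [ ! -f "$LASTCHECK" ]; then
    echo "$SIZE" > "$LASTCHECK"
fi

# Read the saved offset; start over if it is invalid or the log was rotated
OFFSET=$(cat "$LASTCHECK")
case "$OFFSET" in
    ''|*[!0-9]*) OFFSET=0 ;;
esac
if [ "$OFFSET" -gt "$SIZE" ]; then
    OFFSET=0
fi

# Find new FOUND entries since last check (only the bytes written after OFFSET)
NEW_THREATS=$(tail -c "+$((OFFSET + 1))" "$LOGFILE" | head -c "$((SIZE - OFFSET))" | grep -i "FOUND")

if [ -n "$NEW_THREATS" ]; then
    # Send desktop notification
    DISPLAY=:0 notify-send -u critical "ClamAV Alert" "Malware detected! Check /var/log/clamav/clamd.log for details."

    # Optional: Play alert sound
    # paplay /usr/share/sounds/freedesktop/stereo/alarm-clock-elapsed.oga
fi

# Update lastcheck offset so these entries are not reported again
echo "$SIZE" > "$LASTCHECK"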

Make the script executable:

sudo chmod +x /usr/local/bin/clamav-notify.sh

Run the notification script every 5 minutes by adding it to your user crontab:

crontab -e

Add this line:

*/5 * * * * /usr/local/bin/clamav-notify.sh

Configure Email Alerts

For servers or systems where desktop notifications are not practical, configure email alerts when threats are detected. First, ensure the mail command is available:

sudo dnf install mailx postfix

Create an email notification script:

sudo nano /usr/local/bin/clamav-email-notify.sh

Add the following content, replacing admin@example.com with your email address:

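#!/bin/bash
# Email notification for ClamAV threat detections

EMAIL="admin@example.com"
LOGFILE="/var/log/clamav/clamd.log"
# Holds the byte offset of the log that has already been checked
LASTCHECK="/var/tmp/clamav-email-lastcheck"

# Current log size in bytes; stop quietly if the log does not exist
SIZE=$(stat -c %s "$LOGFILE" 2>/dev/null) || exit 0

# Create lastcheck file if it doesn't exist, starting at the current end of the log
if [ ! -f "$LASTCHECK" ]; then
    echo "$SIZE" > "$LASTCHECK"
fi

# Read the saved offset; start over if it is invalid or the log was rotated
OFFSET=$(cat "$LASTCHECK")
case "$OFFSET" in
    ''|*[!0-9]*) OFFSET=0 ;;
esac
if [ "$OFFSET" -gt "$SIZE" ]; then
    OFFSET=0
fi

# Find new FOUND entries since last check (only the bytes written after OFFSET)
NEW_THREATS=$(tail -c "+$((OFFSET + 1))" "$LOGFILE" | head -c "$((SIZE - OFFSET))" | grep -i "FOUND")

if [ -n "$NEW_THREATS" ]; then
    echo "$NEW_THREATS" | mail -s "ClamAV Alert: Malware Detected on $(hostname)" "$EMAIL"
fi

# Update lastcheck offset so these entries are not reported again
echo "$SIZE" > "$LASTCHECK"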

Make the script executable and add it to the system crontab:

sudo chmod +x /usr/local/bin/clamav-email-notify.sh
sudo crontab -e

Add this line to run checks every 10 minutes:

*/10 * * * * /usr/local/bin/clamav-email-notify.sh

These monitoring solutions ensure you are notified when ClamAV detects threats, addressing the core limitation that log files alone provide no active alerting.

Customizing ClamAV Settings

To customize ClamAV settings, such as adjusting scanner sensitivity or specifying file type filters, edit the configuration file. On Fedora, the clamd configuration is located at /etc/clamd.d/scan.conf. Open it with your preferred editor:

sudo nano /etc/clamd.d/scan.conf

Once opened, here are some common settings to customize:

  • MaxFileSize: Maximum file size ClamAV will scan (default: 25M)
  • MaxScanSize: Maximum data size scanned within archives (default: 100M)
  • HeuristicScanPrecedence: Enable heuristic scanning to detect unknown malware (yes/no)

After making changes, restart the clamd service if you’re using the daemon mode:

sudo systemctl restart clamd@scan

For a complete list of configuration options, consult the official ClamAV documentation or review the comments within the configuration file itself.

Troubleshoot Common ClamAV Issues

These troubleshooting steps were verified on Fedora 40 and 41 with ClamAV 1.4.1. Generally, most solutions apply to all Fedora versions with SELinux enabled and systemd-managed services.

If you encounter issues during installation or while using ClamAV, refer to these troubleshooting steps that address common error messages with diagnostic commands and verified fixes.

freshclam Fails with Connection Error

If freshclam reports connection failures, the clamav-freshclam service may be holding a lock on the database:

ERROR: Connection with database.clamav.net failed.
Can't connect to database server
ERROR: Update failed.

To resolve this, stop the service before running manual updates:

sudo systemctl stop clamav-freshclam
sudo freshclam
sudo systemctl start clamav-freshclam

Afterward, verify the service is running correctly:

sudo systemctl status clamav-freshclam

Permission Denied When Scanning System Directories

Scanning directories like /root or /var requires root privileges. As a result, without sudo, clamscan skips restricted paths:

/var/log/journal: Permission denied. ERROR
/root/.cache: Permission denied. ERROR

To resolve this issue, simply run scans with sudo to access system directories:

sudo clamscan -r /var

Database Version Mismatch Warnings

If you see warnings about database versions, you need to update both the ClamAV package and virus definitions:

WARNING: Current functionality level = 1, required = 2
WARNING: Some databases require updated version.

In this case, update ClamAV and refresh the database:

sudo dnf upgrade --refresh clamav clamd clamav-update
sudo systemctl stop clamav-freshclam
sudo freshclam
sudo systemctl start clamav-freshclam

SELinux Blocking ClamAV Operations

Fedora enables SELinux by default, which may prevent ClamAV from scanning certain directories. If scans fail with access denied errors despite using sudo, check the SELinux audit log:

sudo ausearch -m avc -ts recent | grep clam

If SELinux is blocking access, you can temporarily set it to permissive mode for testing:

sudo setenforce 0

Permissive mode stops SELinux from enforcing policy for the whole system, so switch back to enforcing mode once the test is done. For a permanent solution, create a custom SELinux policy module or adjust file contexts for the directories you need to scan.

clamd@scan Service Fails to Start

If the clamd@scan service fails with permission errors, check the journal for specific messages:

journalctl --no-pager -u clamd@scan.service -S -5m

Common causes include a stale log file with incorrect ownership. To fix this:

sudo mv /var/log/clamd.scan /var/log/clamd.scan.bak
sudo systemctl restart clamd@scan

Never start clamd manually with sudo clamd while the systemd service runs. This creates conflicts and permission issues. Always use systemctl to manage the daemon.

Maintain ClamAV Installation

Regular maintenance keeps ClamAV effective at protecting your system. Update the ClamAV binary periodically using:

sudo dnf upgrade --refresh

Additionally, optimize DNF performance to reduce update times by configuring parallel downloads and faster mirrors in your DNF settings.

Beyond updates, maintain ClamAV effectiveness by:

  • Regularly monitor ClamAV log files located in /var/log/clamav for any issues or potential threats.
  • Check the ClamAV mailing lists and forums for updates, news, or known issues.
  • Periodically review and update your ClamAV settings to match your system’s needs and requirements.
  • Configure automatic updates with dnf-automatic to keep ClamAV and all system packages current without manual intervention.

For comprehensive protection, combine scheduled ClamAV scans with proper firewall configuration and regular system updates to establish layered security for your Fedora system.

Install ClamTk GUI (ClamAV GUI)

For users who prefer graphical tools, ClamTk provides a graphical user interface for ClamAV as an alternative to the command line. To install ClamTk, run the following command:

sudo dnf install clamtk

After installation, you can launch ClamTk from your application menu or directly from the terminal:

clamtk

The ClamTk interface allows you to scan files and folders, update the virus database, and view scan history through a graphical point-and-click interface. Look for the main window with tabs for Scanning, Settings, and History.

Configure clamd Daemon for clamdscan

For faster, multi-threaded scanning, enable the clamd daemon service to use clamdscan. First, add your user to the virusgroup to allow socket access:

sudo gpasswd -a ${USER} virusgroup

Expected output:

Adding user username to group virusgroup

Next, set the appropriate file permissions for directories you want to scan:

sudo setfacl -R -m u:clamscan:r-X,d:u:clamscan:r-X /home

Afterward, enable and start the clamd@scan service:

sudo systemctl enable clamd@scan --now

Then, verify the service is running:

sudo systemctl status clamd@scan

Expected output:

โ— clamd@scan.service - clamd scanner (scan) daemon
     Loaded: loaded (/usr/lib/systemd/system/clamd@.service; enabled; preset: disabled)
     Active: active (running) since Thu 2024-11-28 11:30:00 EST; 5s ago

After the daemon starts, use clamdscan instead of clamscan:

clamdscan /home/

Log out and log back in after adding yourself to virusgroup for the group membership to take effect. Alternatively, reboot your system to ensure all changes are properly applied.

Remove ClamAV

If you no longer need ClamAV, first disable the service before removing the packages:

sudo systemctl disable clamav-freshclam --now

Next, remove the ClamAV packages:

sudo dnf remove clamav clamd clamav-update

For ClamTk GUI users:

sudo dnf remove clamtk

These commands remove the software but preserve virus databases and configuration files. To completely remove all ClamAV data including virus definitions and logs, delete the following directories. This action is permanent and cannot be undone.

sudo rm -rf /var/lib/clamav
sudo rm -rf /var/log/clamav
sudo rm -rf /etc/clamd.d

For ClamTk users, also remove the user configuration:

rm -rf ~/.clamtk

Conclusion

ClamAV now protects your Fedora system with automated virus definition updates, scheduled scans with quarantine, and optional real-time file blocking through on-access prevention. The monitoring and notification scripts alert you immediately when threats are detected rather than requiring manual log reviews. For comprehensive protection, layer ClamAV with firewall rules, SSH hardening, rootkit detection, and automatic system updates. Desktop users preferring graphical tools can use ClamTk GUI for point-and-click scanning.

8 thoughts on “How to Install ClamAV on Fedora”

  1. I miss the access prevention in case a virus was detected and also a notification. Otherwise you would hardly find out you got a virus on your system. Nobody reads/scans the logs on a daily basis.

    • Thanks for raising this important concern, Herbert. You are absolutely right that the article previously did not make clear how users know when ClamAV detects threats or how to prevent access to infected files.

      ClamAV does provide access prevention through the on-access scanner with OnAccessPrevention yes configured in /etc/clamd.d/scan.conf. When enabled, this uses Linux fanotify to block file access at the kernel level with “Operation not permitted” errors when infected files are accessed. The article has been updated with detailed configuration steps and a test procedure to verify the blocking works correctly.

      For notifications, you are correct that ClamAV by default only logs detections without actively alerting users. The article now includes a complete “Monitor for Detected Threats” section with scripts for desktop notifications and email alerts that check ClamAV logs and notify you immediately when malware is detected. These notification systems address exactly the concern you raised about nobody reading logs on a daily basis.

      Without these configurations, you are right that infected files remain accessible and users would not know about detections until manually checking logs. The updated guide now covers both real-time blocking and active notification systems.

    • Thanks for the question, Eric. Scanning the entire filesystem with sudo clamscan -r / works, but expect it to take significantly longer and use more resources. The scan will traverse system directories, mounted drives, and virtual filesystems like /proc and /sys, which can cause false positives or errors.

      For a full system scan, consider excluding problematic paths:

      sudo clamscan --bell -i -r / --exclude-dir="^/proc" --exclude-dir="^/sys" --exclude-dir="^/dev" --exclude-dir="^/run"

      This skips virtual filesystems that contain no actual files. Running nice to lower CPU priority is also recommended for full system scans to avoid impacting system performance.
