ClamAV logo against dark skies

How to set up ClamAV to periodically scan for badware on Fedora Linux

ClamAV requires a bit of configuration, and as a Fedora user you must work around some issues with the packages. This tutorial should also apply to other Linux distributions, although some of the tools and package names may be different.

Every command must be executed as the root system user.

Installation

ClamAV is found in the default Fedora package repository, and installing the package requires just a single command:

dnf install clamav-scanner clamav-scanner-systemd clamav-update

This will get you the SystemD configuration files and the virus definition update agent as well as the ClamAV engine and daemon.

Because of a bug in the Fedora distribution of the clamav-scanner package (since at least Fedora 17 up through 25), you will also need to create a symbolic link from Fedora’s installation path to a hard-coded path expected by ClamAV:

ln -s /etc/clamd.d/scan.conf /etc/clamd.conf

Before proceeding you should also make sure to set the SELinux boolean for giving the ClamAV engine unrestricted access to the system:

setsebool -P antivirus_can_scan_system 1

At this point you should have installed ClamAV properly and can move on to configuring it for your system.

Configuring virus definition auto-update

Open up the file /etc/freshclam.conf for editing, and apply the following changes:

  • Comply with the request to “Comment or remove the line below“ near the top of the file.
  • Near the bottom of the file, uncomment the “SafeBrowsing yes” and “Bytecode yes” options.

Save the changes and then run the freshclam command once to verify that it is working. You may see some warnings, but you should see virus definitions being downloaded and a success reported.

By using the Google Safe Browsing definition set, you may discover security threats that Google will frown upon and delist your website for before the search giant notices it. This is a very powerful tool if your business depends on a website’s availability.

The virus definition update should be a few times per day. Rather than doing it manually, we’re going to create an update task in cron to run automatically every eight hours:

  1. Run EDITOR=nano crontab -e to modify your crontab using the nano editor.
  2. Insert the below task:
    0 */8  *  *  0  nice -n 16  systemd-cat --identifier="clamav-update" /usr/bin/freshclam

I’ll get back to the use of the systemd-cat utility near the end of the tutorial.

Configuring the ClamAV daemon

Open up the file /etc/clamd.conf for editing, and apply the following changes:

  • Comply with the request to “Comment or remove the line below“ near the top of the file.
  • Uncomment the line with the “LocalSocket” option. The default value is okay.
  • Uncomment the line with the “ExitOnOOM” option. The default value is okay.

That is it for the essential configuration. You may skip ahead to the next section, or read on if you’re running on a lower end machine or a server.

Now, to keep ClamAV’s impact on the systems resources low, we’re also going to add some custom options to lower the task’s priority in the system. We’ll acheive this through SystemD.

Copy the default SystemD service configuration file into your local configuration folder so you can edit it without loosing changes on future updates.

cp /usr/lib/systemd/system/clamd@.service /etc/systemd/system/clamd@.service

Open up the file /etc/systemd/system/clamd@.service for editing, and apply the following changes at the bottom of the “[Service]” section:

Nice=18
IOSchedulingClass=idle
CPUSchedulingPolicy=idle

Have SysetmD reload all configuration files to inform it of your changes. Proceed to test-start the clamd@scan service and check up on its status:

systemctl daemon-reload
systemctl start clamd@scan
systemctl status clamd@scan

You should review your logs and configuration files if the service failed to start.

Assuming that the service is marked as running, you can go on and enable the service by default on system boot:

systemctl enable clamd@scan

Setting up periodic scans

Please be aware that virus scanning requires 700+ MB of memory of your system and growing every year. It also requires a significant chunk of CPU and I/O disk operations. The modifications to the service file will reduce the effects of CPU and I/O load on your system at the expense of scans taking more time. There isn’t much that can be done with the memory consumption. The virus scanner requires knowledge of all the world’s viruses, the virus definitions, while scanning your files. As you can’t decide what viruses and malware that will appear on your system, you have no reasonable expectation of lowering the memory consumption.

Set your scan schedule to times when your PC or server doesn’t have to perform other tasks to minimize impact.

We’ll once again rely on crontab to run our reoccurring periodic tasks on a a schedule:

  1. Run EDITOR=nano crontab -e to modify your crontab using the nano editor.
  2. Insert the below task:
     0 5 * * 0 nice -n 16  systemd-cat --identifier="clamav-scan" clamdscan --quiet --fdpass /var/www
    30 5 * * 7 nice -n 18  systemd-cat --identifier="clamav-scan" clamdscan --quiet --fdpass /

These are slightly more complex tasks than we set up before. This will scan your /var/www/ directory every day at 05:00, and your entire file system / on the first Sunday of every month at 05:30 in the morning. One day per month, you’ll have a duplicate scan of your /var/www/ directory but we can live with that. Adjust the example scan targets and schedule to fit your needs.

Review your virus scan logs!

Detecting the presence of malware, viruses, and other badware is only half the battle. You’ll have to act on the detection threat information manually.

Thought the use of systemd-cat, every log message from virus definition updates to virus scanning have been passed on to the SystemD journal. Definition updates are logged in the clamav-update page, and virus scans are logged in the clamav-scan page.

To learn how to select specific pages of the journal, see my short introduction to systemd-cat and dealing with journal pages. This will quickly get you up to speed on the relevant commands.

Set up reoccurring calendar reminder on your phone or calendar program to remind yourself to periodically review your PC or servers virus scan logs.

I hope you’ll never see a virus or badware on any of your systems, but with ClamAV you should at least be able to detect it if the unspeakable were to happen!

3 thoughts on “How to set up ClamAV to periodically scan for badware on Fedora Linux”

  1. Thanks for a great tutorial!
    I think you forgot the “&&” operator in your crontab command.
    30 5 * * 7 [ $(date +%d) -le 07 ] nice -n 18 …
    Should be:
    30 5 * * 7 [ $(date +%d) -le 07 ] && nice -n 18 …

    1. Thank you for pointing out that there was a problem. However, the problem was the number 7 in front there. Its used to calculate the first Sunday of the month, but I’d left in a number 7 in it’s place. I’ve fixed the example in the article now. Thanks again!

      1. I’m afraid, I still believe you should keep the number seven and add the “&&” operator for the monthly command to work. Besides, your contab won’t pass syntax check if you use “crontab -e” to edit the file.

        Cheers!

Leave a Reply

Your email address will not be published. Be courteous and on-topic. Comments are moderated prior to publication.