When installing ClamAV from EPEL to CentOS/Red Hat 7 becomes a nightmare…

The installation of ClamAV from EPEL 7 to CentOS/Red Hat 7 is a little bit more challenging than the simple setup used in CentOS 6/Red Hat 6. The problem isn’t really the installation itself, but the way how things are documented and what it’s really needed to do to use ClamAV.

You can find a lot of bad information on the Internet who only complicate things (perhaps this post will add more incorrect information…). But when you know how to install it, it can be done quickly, smoothly and without difficulties. The complication came with the proliferation of packages that need to be installed, and as always with EPEL, the missing/lost documentation on how the packages were made.

This post is trying to suggest a working solution that can be used to start from scratch with a new installation.

A part of the answer can be found in the lost manual:

more /usr/share/doc/clamav-server-*/README

1 – Install EPEL 7

After you’ve successfully installed your operating system and applied all the updates. You can install the EPEL 7 repository by running this command:

yum install epel-release

2 – Install and configure the ClamAV packages

yum install clamav clamav-scanner-systemd

Yes, it’s enough. When installing these packages all needed packages will be installed by dependency.

Create a symbolic link to the default file path and link it to the clamd@scan file (read comments for more information):

ln -s /etc/clamd.d/scan.conf /etc/clamd.conf

Edit the configuration installed by the clamd-scanner package:

vi /etc/clamd.d/scan.conf

Comment the example line:

#Example

Uncomment the LocalSocket config line to enable it:

LocalSocket /var/run/clamd.scan/clamd.sock

Save and quit the text editor.

3 – Turn on the SELinux boolean for antivirus

setsebool -P antivirus_can_scan_system 1

4 – Start the service and enable it at boot

systemctl start clamd@scan
systemctl enable clamd@scan

5 – Install and configure the ClamAV updater

To automatically get the latest virus updates, you need to install the binary used for this task:

yum install clamav-update

Edit the configuration file:

vi /etc/freshclam.conf

Comment the example line:

#Example

Edit the second configuration file (in sysconfig):

vi /etc/sysconfig/freshclam

Comment this line to allow you to use crontab (updates are disabled by default):

#FRESHCLAM_DELAY=disabled-warn

Save files and quit the text editor and run the command “freshclam” to update the virus database. If needed you can add a crontab to execute it regularly.

6 – Test your installation

clamdscan --fdpass /var/log/*

Always use the –fdpass to give the correct permission to scan the files with clamdscan binary. In some case the first check mays fail after the installation, a simple reboot can solve this issue.

32 Replies to “When installing ClamAV from EPEL to CentOS/Red Hat 7 becomes a nightmare…”

  1. Thank you for this. After a few days of banging my head against a wall with other guides, this was simple, clear and did exactly what I needed.

  2. Doesn’t clamav-update drop a clamav-update file into /etc/cron.d?
    ## Adjust this line…
    MAILTO=root

    ## It is ok to execute it as root; freshclam drops privileges and becomes
    ## user ‘clamupdate’ as soon as possible
    0 */3 * * * root /usr/share/clamav/freshclam-sleep

    • From another post …
      Create a new file /usr/lib/systemd/system/clam-freshclam.service
      # Run the freshclam as daemon
      [Unit]
      Description = freshclam scanner
      After = network.target
      [Service]
      Type = forking
      ExecStart = /usr/bin/freshclam -d -c 4
      Restart = on-failure
      PrivateTmp = true
      [Install]
      WantedBy=multi-user.target

      Now enable and start the service.

      systemctl enable clam-freshclam.service
      systemctl start clam-freshclam.service

      Seems like I should do one or the other (cron or daemon) but not both.

  3. I have installed many Linux boxes from FC3 – right to FC10 from 200-users mail serves, firewalls, proxy servers, samba, MailScanners working with CLAMAV and SpamAssassin and they are all still working today appart from the old upgrading of hardware and server OS…

    WHAT THE HELL DID THESE PEOPLE DO TO PERFECTLY WORKING Linux Mail servers???!? I cant even install Squirrelmail or CLAMAV without seeing important things commented out which never use to be the case, and why by Zues’s beard to they have the word “EXAMPLE” in the middle of a config file not commented out?
    I could have installed these things with my eyes closed and now I have to open them with a simple Postfix, Mailscanner, ClamAV and Spamassassin installation. I chucked Squirrelmail out the windows that sh!t just aint working anymore. This new Epel thing screwed everything up.

    What a waste of my time.

  4. You can have multiple daemons, that’s why there is no /etc/clamd.conf

    There is one daemon by default: clamd@scan (it uses the /etc/clamd.d/scan.conf file)

    Example:
    If you wanted to have the clamd@amavisd service/daemon, you need to do this:

    cp -a “/usr/lib/systemd/system/clamd@scan.service” “/usr/lib/systemd/system/clamd@amavisd.service”;
    systemctl daemon-reload;
    systemctl status clamd@amavisd;

    Now you have a clamd@amavisd daemon which will use the /etc/clamd.d/amavisd.conf file

  5. This was the ONLY piece of documentation that helped me get ClamAV installed. Thank you so much for providing ACCURATE AND HELPFUL info!!!!
    No idea how to do anything with clamav to ensure its functionality but needed to install AV on the system.

    Periodically, I DO try getting into Linux and would love nothing more than to get rid of all Windows systems, but crap installations, along with worthless installation instructions, like ClamAV provides makes me glad I’m too stupid for Linux.

    Why can’t the installation take care of basic configuration in the first place?

  6. Super post!
    I’ve finally got clamav installed and working, but could not have done it without this post.

  7. I have no clue what I just did editing those files.
    But thank you very much because clamscan is updated now! Yay!

    You = Angel!

    Thank YOU!

  8. I followed this exactly but I get the following error

    ERROR: Please edit the example config file /etc/clamd.conf
    ERROR: Can’t parse clamd configuration file /etc/clamd.con

  9. [root@server516 ~]# setsebool -P antivirus_can_scan_system 1
    setsebool: SELinux is disabled.

    in this comand i get :SELinux is disabled., i use plesk ant default not have enebled the SELinux , so i load the extension SELinux in the extension of plesk bat i have agen the same erorr SELinux is disabled.

    can you help me? is the SELinux recuirment for clamav?

    a very very thanks for yur clear tutorial

    • Hi, if SELinux is disabled you can forget this command. SELinux is not mandatory but enabled by default on CentOS/Red Hat Enterprise Linux, so in your case you can ignore this.

  10. Thanks for saving me many hours of trying to resolve conflicting documents and making false starts. I appreciate you taking the time to share your knowledge and simplify the install process for others!

  11. Sorry for what may be a silly question, but by uncommenting the Checks parameter in /etc/freshclam.conf, wouldn’t freshclam perform a database automatically, without the need for a separate crontab? Is the use of a crontab preferred? Also, when i attempt to run sudo clamdscan /, I receive a lot of error messages regarding insufficient access permissions for various files. I would have assumed that by running clamdscan as root, i wouldn’t have these permissions errors.

    • By default, the freshclam update is disabled to avoid network access (based on official documentation). Removing this line allow freshclam to access Internet without error, so next you can create a crontab.

  12. Thanks for this article. It was straightforward and works fine with one minor hiccup caused by my own security configuration.

    Freshclam writes its files as the user clamupdate. Clamd@scan runs as the user clamscan. I am asked to run systems with a restrictive 027 umask, so when freshclam creates the database files in /var/lib/clamav/ it makes them owned by clamupdate.clamupdate with 640 permissions instead of 644. As a result clamscan can’t read them. I added the clamscan user account into the clamupdate group, and it fixed the issue without requiring me to change my umask. If clamscan can’t read the database files it just restarts the clamd@scan service over and over and uses an impressive amount of CPU doing it.

    Just posting this comment here so that others may find it if they search

  13. Hi,
    I am using CentOS 7 and Plesk Onyx.
    What settings do we need to make in order to use ClamAV as antivirus for email attachments (postfix) and on-access scanning (to protect against malicious files upload using php scripts)?

Leave a Reply

Your email address will not be published. Required fields are marked *

*