ClamAV is an open-source antivirus engine widely used on Linux servers to scan for malware in email attachments, uploaded files, and shared storage directories. Although Linux malware is less common than its Windows counterpart, RHEL 8 servers often act as intermediaries that receive and redistribute files to mixed-OS environments, making antivirus scanning an important layer in a defense-in-depth strategy. This guide covers installing ClamAV from EPEL, updating signature databases with freshclam, configuring the clamd daemon for socket-based scanning, running manual and automated scans, and setting up email alerts. On-access scanning using fanotify is also introduced for real-time file interception.
Prerequisites
- RHEL 8 server with a non-root sudo user
- EPEL 8 repository enabled. On RHEL itself the epel-release package is not in the base repositories, so install it from the Fedora project and enable the CodeReady Builder repository that EPEL packages depend on:
  sudo subscription-manager repos --enable codeready-builder-for-rhel-8-$(arch)-rpms
  sudo dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
  (On CentOS Stream 8 and the RHEL 8 rebuilds, dnf install -y epel-release is enough.)
- An MTA or mail relay configured for sending alert emails (e.g. postfix), plus the mailx package, which provides the mail command used by the alert script
- Sufficient disk space: the signature databases are roughly 300 MB
- SELinux in enforcing mode. Scanning with clamscan needs no policy changes; if the clamd daemon itself has to read files under paths such as /home or /var/www/html, enable the antivirus_can_scan_system boolean (sudo setsebool -P antivirus_can_scan_system 1)
Step 1 — Install ClamAV Packages
Install the scanner, the update utility and the daemon. The clamav package provides clamscan and clamdscan, clamav-update provides freshclam together with its clamav-freshclam service, and clamd provides the daemon and the clamd@.service template used in Step 3.
sudo dnf install -y clamav clamav-update clamd
# Verify installation
clamscan --version
Step 2 — Update Signature Databases with freshclam
ClamAV cannot scan anything until it has signature databases, so update them before the first scan. Run freshclam once by hand for the initial download, then enable the clamav-freshclam service: it keeps freshclam running as a daemon that checks for updates at the interval set by the Checks directive in /etc/freshclam.conf (12 checks per day by default), so there is no separate timer to enable. If freshclam refuses to run because /etc/freshclam.conf is still the unedited example, comment out its Example line the same way as for scan.conf in Step 3.
# Perform initial database update
sudo freshclam
# Verify databases were downloaded
ls -lh /var/lib/clamav/
# Enable periodic updates via the freshclam daemon service
sudo systemctl enable --now clamav-freshclam
# Check the service status and the most recent update messages
sudo systemctl status clamav-freshclam
Step 3 — Configure the clamd Daemon
The clamd daemon keeps the signature databases loaded in memory, so scans submitted to it with clamdscan skip the multi-second database load that every clamscan run pays. Edit the scan configuration to enable a local Unix socket and set the runtime user (clamscan, created by the package). With LocalSocketMode 660 only root and members of the clamscan group can submit scans over the socket.
sudo cp /etc/clamd.d/scan.conf /etc/clamd.d/scan.conf.bak
sudo vi /etc/clamd.d/scan.conf
Uncomment or set the following directives:
# Remove or comment the "Example" line at the top of the file
# Example <-- comment this out
LocalSocket /run/clamd.scan/clamd.sock
LocalSocketMode 660
User clamscan
# Log infected files to syslog
LogSyslog yes
LogFacility LOG_MAIL
# Scan archives
ScanArchive yes
MaxScanSize 100M
MaxFileSize 25M
sudo systemctl enable --now clamd@scan
sudo systemctl status clamd@scan
Step 4 — Run a Manual Scan
Use clamscan for ad-hoc scanning; each run loads the full database, so expect a start-up delay of several seconds. The -r flag scans recursively, --infected prints only infected files, and --remove deletes detected threats (use with caution: there is no undo, and a false positive on a system file is destructive). clamscan exits 0 when nothing was found, 1 when at least one infected file was found, and 2 when an error occurred.
# Scan the /home directory, print only infected files
sudo clamscan -r --infected /home
# Scan a specific directory and log results (the log directory must exist)
sudo mkdir -p /var/log/clamav
sudo clamscan -r --infected --log=/var/log/clamav/manual_scan.log /var/www/html
# Scan and move infected files to quarantine (safer than --remove)
sudo mkdir -p /var/quarantine
sudo clamscan -r --infected --move=/var/quarantine /home
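The systemctl status output in Step 3 only shows that clamd is running, not that it answers on its socket or detects anything. The script below is an added example for this guide, not ClamAV's own code and not part of the original page: it writes the EICAR test file into a temporary directory, submits it to the daemon with clamdscan --fdpass over the socket configured in Step 3 (/etc/clamd.d/scan.conf, /run/clamd.scan/clamd.sock, both assumed from that step), and interprets the exit status using the documented clamscan/clamdscan convention (0 clean, 1 infected, 2 error).

```shell
#!/usr/bin/env bash
# check_clamd.sh: prove that the clamd@scan daemon from Step 3 is answering
# on its socket and actually detects malware, using the EICAR test string.
# Added example for this guide, not ClamAV's own code. Assumes the socket
# and config paths set in Step 3. Run it with sudo: the socket mode is 660,
# so only root and the clamscan group may connect.
set -uo pipefail

CLAMD_CONF=/etc/clamd.d/scan.conf
CLAMD_SOCK=/run/clamd.scan/clamd.sock

# The 68-byte EICAR test string: a harmless DOS program that every AV
# engine recognises by design. It is assembled from two parts so that this
# script file is not itself flagged by a signature scan.
eicar_string() {
    printf '%s%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE' '!$H+H*'
}

# Map a clamscan/clamdscan exit status to a verdict. Both tools use the
# same convention: 0 = nothing found, 1 = infected file(s) found,
# 2 = an error occurred (unreadable path, missing database, daemon down).
verdict() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# Scan one path through the daemon. --fdpass sends clamd an open file
# descriptor instead of a path, so the file is readable to the scan even
# when the clamscan user could not open it itself.
scan_with_daemon() {
    clamdscan --config-file="$CLAMD_CONF" --fdpass --no-summary "$1"
}

main() {
    if [ ! -S "$CLAMD_SOCK" ]; then
        echo "no socket at $CLAMD_SOCK: is clamd@scan running?" >&2
        return 2
    fi
    local dir rc
    dir=$(mktemp -d /tmp/clamcheck.XXXXXX)
    eicar_string > "$dir/eicar.com"

    scan_with_daemon "$dir/eicar.com"
    rc=$?
    echo "daemon verdict: $(verdict "$rc") (exit status $rc)"
    rm -rf "$dir"
    # The check passes only if the daemon flagged the test file.
    [ "$rc" -eq 1 ]
}

# Run the live check only where the daemon tooling is installed.
if command -v clamdscan >/dev/null 2>&1; then
    main
fi
```

Run it as sudo ./check_clamd.sh. A healthy setup prints a FOUND line from clamdscan followed by daemon verdict: infected (exit status 1). A clean verdict on the test file means the databases are missing or stale (re-run freshclam); an error verdict with the socket present points at the daemon itself, so check journalctl -u clamd@scan.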
Step 5 — Automate Daily Scans with cron
Create a scan script and schedule it with cron to run nightly. The script scans the user and web directories, quarantines anything it finds, logs the output, and mails an alert either when infections are found or when the scan itself fails (exit status 2, for example a missing or corrupt database), which a plain grep for FOUND would silently miss.
sudo tee /usr/local/bin/daily_clamscan.sh > /dev/null <<'EOF'
#!/bin/bash
# Nightly ClamAV scan of user and web directories with quarantine and alerting.
SCAN_DIRS="/home /var/www/html"
QUARANTINE=/var/quarantine
LOGDIR=/var/log/clamav
LOGFILE="$LOGDIR/daily_scan_$(date +%F).log"
ALERT_EMAIL="root"   # placeholder: local root mailbox; change to your alert address

mkdir -p "$QUARANTINE" "$LOGDIR"
clamscan -r --infected --move="$QUARANTINE" $SCAN_DIRS 2>&1 | tee "$LOGFILE"
# clamscan exits 0 when clean, 1 when something was found, 2 on error.
# PIPESTATUS[0] is clamscan's status rather than tee's.
rc=${PIPESTATUS[0]}

# Send an alert if infections were found, and a different one if the scan failed
if [ "$rc" -eq 1 ]; then
    mail -s "ClamAV: Infections detected on $(hostname)" "$ALERT_EMAIL" < "$LOGFILE"
elif [ "$rc" -ne 0 ]; then
    mail -s "ClamAV: scan FAILED on $(hostname) (exit status $rc)" "$ALERT_EMAIL" < "$LOGFILE"
fi
EOF
sudo chmod +x /usr/local/bin/daily_clamscan.sh
# Schedule at 02:30 every night
echo "30 2 * * * root /usr/local/bin/daily_clamscan.sh" | sudo tee /etc/cron.d/clamav-daily
Step 6 — On-Access Scanning Overview
ClamAV supports real-time on-access scanning using the Linux fanotify interface. Since ClamAV 0.102 this is not done by clamd itself but by a separate daemon, clamonacc, which reads the OnAccess* directives from the same /etc/clamd.d/scan.conf, intercepts file opens in the configured paths, and hands each file to clamd over the socket from Step 3 for scanning. Add the directives below, restart clamd so it rereads its configuration, then start the clamonacc unit shipped by the clamd package. Caveats: on-access scanning requires fanotify support in the kernel (present in RHEL 8); with OnAccessPrevention every open in a watched path waits for the scan to finish, which adds I/O latency; files larger than OnAccessMaxFileSize (5 MB by default) are not scanned on access, so the nightly scan still matters; and if watched files are never flagged, check for SELinux denials with ausearch -m avc -ts recent.
# Add to /etc/clamd.d/scan.conf
OnAccessIncludePath /home
OnAccessIncludePath /var/www/html
# Do not intercept root's own file access (e.g. the nightly cron scan)
OnAccessExcludeRootUID yes
# Do not intercept the scanner's own reads as the clamd user
OnAccessExcludeUname clamscan
# Deny access to an infected file instead of only logging it
OnAccessPrevention yes
# Restart clamd so it rereads scan.conf, then start the on-access daemon
sudo systemctl restart clamd@scan
sudo systemctl enable --now clamav-clamonacc
# Verify the on-access daemon started and check its recent log lines
sudo systemctl status clamav-clamonacc
sudo journalctl -u clamav-clamonacc -n 20
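The journal only shows that the on-access daemon started. The script below, an added example that is not part of the original guide or of ClamAV, confirms prevention end to end: it writes the EICAR test file into the caller's home directory (under /home, one of the OnAccessIncludePath entries above), then tries to read it back and treats the check as passed only if the kernel refused the open with EPERM ("Operation not permitted"), which is how a fanotify permission event denies access. Run it as the normal sudo user rather than as root, because OnAccessExcludeRootUID yes means root's reads are never intercepted. The file name and the one-second settle delay are the example's own choices.

```shell
#!/usr/bin/env bash
# verify_onaccess.sh: confirm that OnAccessPrevention blocks reads of an
# infected file in a watched path. Added example for this guide, not part
# of ClamAV. Must run as a non-root user whose home is under /home, since
# OnAccessExcludeRootUID yes exempts root from interception.
set -uo pipefail

# EICAR test string, assembled from two parts so this script is not itself flagged.
eicar_string() {
    printf '%s%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE' '!$H+H*'
}

# Try to read a file. Return 0 only if the open was refused with EPERM
# ("Operation not permitted"), which is how a fanotify permission event
# denies access. A readable file returns 1; so does a missing file (ENOENT)
# or an ordinary permission problem (EACCES), which must not be mistaken
# for a working on-access block.
read_blocked() {
    local err
    if err=$(cat "$1" 2>&1 >/dev/null); then
        return 1    # readable: not blocked
    fi
    case "$err" in
        *"Operation not permitted"*) return 0 ;;
        *) return 1 ;;
    esac
}

main() {
    local target="${1:-$HOME/eicar-onaccess-test.com}"
    local rc
    if [ "$(id -u)" -eq 0 ]; then
        echo "run this as a non-root user: root is excluded from on-access scanning" >&2
        return 2
    fi
    # Creating the file is permitted (it is empty when opened for writing);
    # it is the subsequent read that prevention should refuse.
    eicar_string > "$target"
    sleep 1    # let clamonacc process the close-after-write event
    if read_blocked "$target"; then
        echo "PASS: read of $target denied by on-access prevention"
        rc=0
    else
        echo "FAIL: $target was readable; check 'systemctl status clamav-clamonacc' and the journal" >&2
        rc=1
    fi
    rm -f "$target"    # unlink does not open the file, so it is not intercepted
    return "$rc"
}

# Only run the live check where the on-access daemon is actually active.
if systemctl is-active --quiet clamav-clamonacc 2>/dev/null; then
    main "$@"
fi
```

A FAIL with the daemon active usually means the path is not covered (compare the OnAccessIncludePath entries with the real location of the home directory), the file exceeded OnAccessMaxFileSize, or clamonacc could not reach clamd; the clamav-clamonacc journal shows which.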
Conclusion
ClamAV is now installed on your RHEL 8 server with automatic daily signature updates, a running clamd daemon for efficient scanning, scheduled nightly scans of user and web directories, automated quarantine of infected files, and email alerting. Combining scheduled scanning with on-access prevention provides both reactive and proactive malware defense for files passing through the server.
Next steps: How to Configure SELinux on RHEL 8, How to Harden SSH on RHEL 8, and How to Set Up Auditd on RHEL 8.