Learn how to install and configure ClamAV on Ubuntu 24.04 server for fast on-demand malware scanning with real examples and advanced security tips.
Keeping our systems secure is more important than ever, especially with the rise of sophisticated malware and targeted cyber threats. On-demand malware scanning provides a proactive way to detect and eliminate threats manually, whenever needed.
In this guide, we’ll walk through how to install and configure ClamAV on Ubuntu 24.04 for on-demand malware scanning. Whether we’re managing a development server, a desktop workstation, or a web server, ClamAV gives us a reliable open-source antivirus solution that’s actively maintained by the community.
What is ClamAV?
ClamAV (Clam AntiVirus) is an open-source antivirus engine designed for detecting Trojans, viruses, malware, and other malicious threats. It’s widely used on Linux-based systems, especially for scanning emails, web files, and user directories.
Unlike real-time scanners that continuously monitor system activity, ClamAV excels in on-demand scanning — giving us full control over when and where to look for threats.
Prerequisites
Before we begin, let’s ensure our environment meets the following requirements:
- A dedicated server or KVM VPS running Ubuntu 24.04.
- A non-root user with sudo privileges.
- Basic knowledge of using the terminal.
How to Install and Configure ClamAV on Ubuntu 24.04 for Fast and Accurate On-Demand Malware Scanning
1: Update Ubuntu 24.04 Packages
Before installing anything new, it's good practice to update the system. This ensures that our package sources are fresh and all software dependencies are current.
sudo apt update && sudo apt upgrade -y
This helps avoid conflicts during installation.
2: Install ClamAV and ClamDaemon
ClamAV consists of two main components: the clamav package (the scanner), and the optional clamav-daemon, which runs a background service. For on-demand scanning, installing the daemon isn't strictly necessary, but it's still recommended for faster scan operations.
sudo apt install clamav clamav-daemon -y
After installation, both the scanner and its daemon will be available to us.
3: Stop the Freshclam Service Temporarily
ClamAV uses a service called Freshclam to update its virus definitions. By default, it starts updating automatically after installation. Before we manually update the virus database, we need to stop this service to avoid conflicts.
sudo systemctl stop clamav-freshclam
4: Manually Update the Virus Definitions
Once the Freshclam service is stopped, we can manually pull the latest virus signatures. This ensures our ClamAV engine has the most up-to-date definitions for effective scanning.
sudo freshclam
After a successful update, we’ll see confirmation messages showing the latest versions fetched.
5: Start the Freshclam Service Again
Now that the initial update is complete, we should restart the Freshclam service so it can continue to update automatically in the background.
sudo systemctl start clamav-freshclam
This keeps our system protected with regular updates, without manual intervention.
6: Run an On-Demand Malware Scan
We can now scan any directory or file on our system using the clamscan command.
Here are a few useful examples:
Scan a Specific Directory:
clamscan -r /home/username/
Scan and Remove Infected Files Automatically:
clamscan -r --remove /home/username/
Warning: Use the --remove flag with caution, as it will delete any files identified as infected.
Scan the Entire File System (May Take Time):
sudo clamscan -r --bell -i /
- -r: Recursively scan all subdirectories.
- --bell: Alerts us with a sound (if supported).
- -i: Displays only infected files (saves screen clutter).
7: Automate On-Demand Scanning with Cron (Optional)
If we want to automate scanning (e.g., nightly scans), we can use cron.
To schedule a daily scan of /home/username/ and log the results:
sudo crontab -e
Add the following line:
0 2 * * * clamscan -r /home/username/ >> /var/log/clamav/daily_scan.log 2>&1
This runs every day at 2:00 AM and appends the results, including any error messages, to a log file. We can change the path and time as needed.
8: Check Logs and Scan Reports
ClamAV logs provide detailed insights into scanning activity and detected threats.
To view the clamd daemon log (written when scanning with clamdscan):
cat /var/log/clamav/clamav.log
If using custom scan commands with clamscan, including the cron job above, make sure to direct output to a file using >> or tee.
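A scheduled scan is only useful if something acts on its result. The script below is an added example, not part of the original guide: it wraps clamscan, maps its exit status (0 clean, 1 detection, 2 error) to a label, and pulls the detection lines out of the output. The function names and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage clamscan output. The sample log is constructed data.

# Map clamscan's exit status (0 = clean, 1 = virus found, 2 = error) to a label.
scan_status() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# Print "path<TAB>signature" for each "<path>: <signature> FOUND" line.
# The greedy first group keeps paths that themselves contain ": " intact.
list_detections() {
    tab=$(printf '\t')
    sed -n "s/^\(.*\): \(.*\) FOUND\$/\1${tab}\2/p" "$1"
}

# Number of detection lines in a log (prints 0 when there are none).
count_detections() {
    list_detections "$1" | wc -l | tr -d ' '
}

# Scan DIR recursively, append the raw output to LOG, print a one-line verdict
# plus the detections, and return clamscan's own exit status.
scan_and_report() {
    out=$(mktemp) || return 2
    rc=0
    clamscan -r -i "$1" >"$out" 2>&1 || rc=$?
    cat "$out" >>"$2"
    echo "status=$(scan_status "$rc") detections=$(count_detections "$out")"
    list_detections "$out"
    rm -f "$out"
    return "$rc"
}

# Constructed sample of "clamscan -r -i" output for trying the parser offline.
write_sample_log() {
    cat >"$1" <<'EOF'
/home/username/downloads/eicar.com: Win.Test.EICAR_HDB-1 FOUND
/home/username/notes: draft.txt: Custom.Test.Signature.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Infected files: 2
EOF
}

# Cron usage: script.sh /home/username /var/log/clamav/daily_scan.log
if [ "$#" -eq 2 ]; then scan_and_report "$1" "$2"; fi
```

Because the script returns clamscan's exit status, a cron wrapper or monitoring check can alert on any non-zero result instead of relying on someone reading the log.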
9: Use clamd and clamdscan for Faster Scanning
By default, clamscan loads virus definitions into memory every time it runs — which slows down large scans. To boost speed, we can use the clamd daemon with clamdscan.
Enable and start the ClamAV daemon:
sudo systemctl enable clamav-daemon
sudo systemctl start clamav-daemon
Then scan using clamdscan:
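clamdscan --fdpass /home/username/
Benefit: Faster scanning since clamd keeps definitions in memory. The --fdpass option hands each opened file to clamd, which runs as the clamav user and otherwise cannot read files in private home directories.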
10: Configure clamd.conf for Performance and Accuracy
We can edit the clamd.conf file to fine-tune behavior.
sudo nano /etc/clamav/clamd.conf
Recommended tweaks:
- MaxThreads 4: Adjust based on CPU cores for parallel scanning.
- LogTime yes: Adds timestamps to logs.
- ScanArchive yes: Ensures .zip, .rar, and tar.gz files are scanned.
- ExcludePath ^/proc: Avoid scanning virtual system paths.
After changes, restart the daemon:
sudo systemctl restart clamav-daemon
11: Add Custom Signatures for Enhanced Detection
ClamAV supports user-defined signatures to detect threats not yet included in the official database.
Create a custom signature file:
sudo nano /var/lib/clamav/custom.ndb
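Example signature format (simplified). The fields are MalwareName:TargetType:Offset:HexSignature; here target type 0 means any file type, offset * means any position in the file, and the hex body 4D414C57415245 is the ASCII string MALWARE:
Custom.Test.Signature:0:*:4D414C57415245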
Then reload:
sudo systemctl restart clamav-daemon
We can also download curated community signatures like SaneSecurity.
12: Integrate with Email and Web Uploads (Optional)
If our system handles email or file uploads (e.g., in a web app), we can integrate ClamAV with tools like:
- Amavis + Postfix for scanning incoming emails.
- ClamAV + inotify + scripts for scanning uploaded files in real time (or in batches).
This allows us to apply on-demand scanning logic automatically based on events.
13: Use --gen-json for Machine-Readable Reports
If we want to process scan results using scripts or APIs:
clamscan --infected --recursive --gen-json /home/username > scan_report.json
This generates structured JSON output we can parse with tools or dashboards.
14: Add Scheduled Notifications
Combine scan logs with tools like mail or sendmail to email results:
0 3 * * * clamscan -r /home | mail -s "ClamAV Daily Report" admin@example.com
This adds visibility and reduces manual monitoring.
15: Scan Files Upon Upload Using inotify
To trigger a scan when a file is created or moved into a directory:
sudo apt install inotify-tools
Create a watcher script (e.g., /usr/local/bin/watch_uploads.sh):
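#!/bin/bash
# Scan each file in /uploads once it is fully written or moved into the directory.
inotifywait -m -e close_write -e moved_to --format '%w%f' /uploads | while IFS= read -r file
do
    # --fdpass lets clamd, which runs as the clamav user, read the file.
    clamdscan --fdpass --move=/quarantine/ "$file"
done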
Make it executable and run in the background or as a systemd service.
16: Monitor ClamAV with System Health Tools
We can integrate ClamAV health into monitoring dashboards like:
- Prometheus + Node Exporter + Custom Script
- Zabbix agents
- Nagios plugins
This helps ensure Freshclam is updating and clamd is running correctly.
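One way to write the "custom script" for the Prometheus option, as an added example that is not part of the original guide: it reports how long ago the signature database last changed and whether both services are active, in the text format read by Node Exporter's textfile collector. The metric names, the two-day staleness threshold and the --emit switch are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: ClamAV health metrics for node_exporter's textfile collector.
# Metric names and the 2-day threshold are assumptions, not ClamAV defaults.

DB_DIR=${DB_DIR:-/var/lib/clamav}
MAX_AGE=${MAX_AGE:-172800}   # seconds; an older database counts as stale

# Age in seconds of the newest signature database (*.cvd / *.cld) in a
# directory. Prints -1 when no database file exists.
newest_db_age() {
    newest=$(find "$1" -maxdepth 1 -type f \( -name '*.cvd' -o -name '*.cld' \) \
             -exec stat -c %Y {} + 2>/dev/null | sort -n | tail -n 1)
    [ -n "$newest" ] || { echo -1; return 0; }
    echo $(( $(date +%s) - newest ))
}

# Prints 1 when a database exists and is within the age limit, else 0.
db_is_fresh() {
    if [ "$1" -ge 0 ] && [ "$1" -le "$2" ]; then echo 1; else echo 0; fi
}

# Prints 1 when the systemd unit is active, else 0 (also 0 without systemctl).
unit_is_active() {
    if systemctl is-active --quiet "$1" 2>/dev/null; then echo 1; else echo 0; fi
}

# Write all metrics to stdout; redirect into the collector's *.prom file.
emit_metrics() {
    age=$(newest_db_age "$DB_DIR")
    printf 'clamav_db_age_seconds %s\n' "$age"
    printf 'clamav_db_fresh %s\n' "$(db_is_fresh "$age" "$MAX_AGE")"
    printf 'clamav_unit_active{unit="clamav-daemon"} %s\n' \
        "$(unit_is_active clamav-daemon)"
    printf 'clamav_unit_active{unit="clamav-freshclam"} %s\n' \
        "$(unit_is_active clamav-freshclam)"
}

# Run as: script.sh --emit > <textfile collector directory>/clamav.prom
if [ "${1:-}" = "--emit" ]; then emit_metrics; fi
```

The database age is a proxy based on file modification time, so an alert on clamav_db_fresh being 0 catches a Freshclam service that is running but no longer able to download updates.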
Tips for Best Security Practice
- Schedule regular virus database updates using Freshclam (already set up).
- Avoid scanning system folders unnecessarily to reduce false positives.
- Regularly check logs to ensure scans are running and threats are handled.
- Avoid mixing ClamAV with real-time AV tools on the same server — they may conflict.
Final Thoughts
ClamAV remains a trusted tool in the Linux world for reliable, manual virus scanning. With its open-source nature, regular updates, and support for on-demand scans, it fits perfectly into our security toolkit — especially when we want lightweight and customizable protection.
By following this guide, we now have ClamAV fully installed and ready for use on Ubuntu 24.04. We’ve configured everything for safe, flexible scanning — and we’re in full control of when and where we scan.
Let’s keep our Linux environments clean, secure, and malware-free — one scan at a time.