Antivirus, Antimalware, Antiphishing on CentOS or Cloudlinux with ClamAV

Este post também está disponível em: Português (Portuguese (Brazil))

ClamAV AntiVirus is widely used on linux servers. It has an efficient antivirus engine to detect trojans, viruses, malware, phishing and other threats. By default, ClamAV provides some antivirus signatures that are updated through its standard repository, however, mainly on Web Servers, with PHP, Python etc… where all kinds of applications are installed, including WordPress, Joomla… or MailServers that receive phishing, viruses , trojans, in the most diverse files and formats, additional signatures are necessary for ClamAV.

On the Web there are several projects and sites that offer free or paid subscriptions to ClamAV, however it is very important to identify the quality of these subscriptions, it is quite common to find subscriptions that will generate what we call a “false positive”.

eXtremeSHOK through GitHub created a project named ClamAV-unofficial-sigs that gathers several trusted signatures, available on the web for ClamAV, keeping everything always up to date.

In addition to the signatures available through the project, we are going to add part of the trusted signatures that we use with our Linux Server Management clients.

Let’s go through the step-by-step guide for the correct installation and configuration of ClamAV-unofficial-sigs on CentOS and CloudLinux servers.

Install the epel-release repository

yum -y update
yum -y install epel-release
yum -y update

Check your firewall and open the ports if necessary:

rsync: TCP porta 873
wget/curl : TCP porta 443

Install ClamAV and components:

yum -y install clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd

Configure SELinux to allow Clamav (If Selinux is enabled)
** Make sure Selinux is enabled. If it is disabled skip this step .


If the result is enable, proceed (if disable, skip to ClamAV user):

setsebool -P antivirus_can_scan_system 1
setsebool -P clamd_use_jit 1

Create the group and user for ClamAV

groupadd clamav
useradd -g clamav -s /bin/false -c "Clam AntiVirus" clamav

Create directory, change group and user to ClamAV

mkdir /var/clamav
chown clamav.clamav /var/clamav

Removing Example

sed -i '/^Example$/d' /etc/clamd.d/scan.conf

Edit the scan.conf file

nano /etc/clamd.d/scan.conf

Find LocalSocket and replace with:

LocalSocket /var/run/clamd.scan/clamd.sock/g

Then in the linux shell paste the block below:

cat << EOF > /etc/tmpfiles.d/clamav.conf
/var/run/clamd.scan 0755 clam clam
mv /usr/lib/systemd/system/clamd\@scan.service /usr/lib/systemd/system/clamd\@scan.old
cat << EOF > /usr/lib/systemd/system/clamd\@scan.service
# Run the clamd scanner
Description = clamd scanner (%i) daemon
After =
Type = simple
ExecStart = /usr/sbin/clamd --foreground=yes
Restart = on-failure
IOSchedulingPriority = 7
CPUSchedulingPolicy = 5
Nice = 19
PrivateTmp = true
WantedBy =
systemctl daemon-reload

Configuring FreshClam, paste the block below:

sed -i '/^Example$/d' /etc/freshclam.conf
sed -i '/REMOVE ME/d' /etc/sysconfig/freshclam
cat << EOF > /usr/lib/systemd/system/clam-freshclam.service
# Run the freshclam as daemon
Description = freshclam scanner
After =

Type = forking
ExecStart = /usr/bin/freshclam -d
Restart = on-failure
IOSchedulingPriority = 7
CPUSchedulingPolicy = 5
Nice = 19
PrivateTmp = true
WantedBy =
systemctl daemon-reload
systemctl enable clam-freshclam.service
systemctl start clam-freshclam.service

Enable, Start and check if everything is ok with status:

systemctl enable clamd@scan
systemctl start clamd@scan
systemctl status clamd@scan

Installing Dependencies:

yum -y install bind-utils rsync	

Installing clamav-unofficial-sigs :

mkdir -p /usr/local/sbin/
wget -O /usr/local/sbin/; chmod 755 /usr/local/sbin/
mkdir -p /etc/clamav-unofficial-sigs/
wget -O /etc/clamav-unofficial-sigs/master.conf
wget -O /etc/clamav-unofficial-sigs/user.conf

If your linux distribution is CentOS 7 or CloudLinux 7 copy and paste the instructions below:

wget "${os_conf}" -O /etc/clamav-unofficial-sigs/os.conf

**Note: for other Linux distributions, access the link below, and under “Operating System Specific Install”, select the best option for your Linux. clamav-unofficial-sigs

Before moving on to the next step, sign up for two sites that offer excellent subscriptions to ClamAV.

1 – MalwarePatrol Free
Create your free account at:
Your browser will display “Password/Receipt:”
Save this information, we will need it in the next step.

2 – SecuriteInfo Free

Create your free account at:
You will receive an email with a link to activate your account, after activation, you will receive another email with your username and password to login to the site.
Log in and go to:
Click on Setup tab, you will see a URL in front of DatabaseCustomURL
We need to find your individual identifier which is made up of a string of 128 characters.
In the url in front of DatabaseCustomURL copy the sequence after
until “/”

Save this information, we will use it in the next step.

The other repositories used by clamav-unofficial-sigs do not require registration, just for knowledge, I will quote them below:

Yara Rules:
Linux Malware Detect Subscriptions:

** There are many free signatures for ClamAV on the web, unfortunately many generate false positives in the detection of Virus/Malware. It is very important to verify in the community and other means the trust of these new signatures.

Let’s add two new additional signatures repositories for ClamAV in the configuration file that we will cover next.


Signature configuration for Clamav:

Edit the user.conf file:

nano /etc/clamav-unofficial-sigs/user.conf

Locate and remove the # from the following lines:


Replace YOUR-SIGNATURE-NUMBER with the 128-character code you saved by following the steps above in SecuriteInfo Free

Next we’ll add a few more signatures.

find and remove the # from the lines:

declare -a additional_dbs=(

delete the bold (gray) lines above and paste the content below:

Run the Script below to download all signatures for the first time and finalize some settings. This process may take a while, wait until the end.

/usr/local/sbin/ --force

The following Script will install instructions to keep the system and signatures up to date:

/usr/local/sbin/ --install-cron

The following script will install instructions for logrotate for clamav-unofficial-sigs:

/usr/local/sbin/ --install-logrotate
/usr/local/sbin/ --install-man

Final Note: Server Management HelpSysAdmin customers have these and many other trusted signatures for ClamAV.