How to Install ClamAV on Debian 9 and Scan for Vulnerabilities

In this tutorial, we’ll be explaining how to install ClamAV on your Debian 9 VPS, as well as how to use it to check for and remove any malware or security vulnerabilities.

First, let’s go over some of the most important features provided by ClamAV:

  • Powerful command-line based scanner
  • On-Access Scanning capabilities
  • Configurable background scanning behavior
  • Provides milter interface for Sendmail service
  • A robust, consistent, and reliable method of updating the virus definition database
  • Ability to scan various archive file-formats including Zip, Rar, Tar, Gzip, Bzip, and others
  • Ability to scan different mail file formats

Step 1: Checking for Updates and Dependencies

To begin with, log in to your Linux server via SSH using your preferred terminal:

ssh [username]@[server public IP address]

Modify the [username] variable with the account name of a root-privileged user found on the server (or the root user itself), and replace [server public IP address] variable with the IP address of your server.

If your server does not use the default port number, you can add -p [port number] to the end of your command, and replace [port number] with your VPS’s port number. It is recommended to use the root account for this.

After logging in, it is best to update Debian with the latest packages available for bug fix and improvements.

apt-get -y update
apt-get -y upgrade

It is also best to install basic Debian libraries and dependencies to avoid any missing library issues during the installation.

apt-get install software-properties-common build-essential curl -y

Step 2: Installing ClamAV 

Installing the main package of ClamAV is very easy. To proceed, supply the following command:

apt-get install clamav clamav-daemon

The clamav package is the command-line based virus scanner, while the clamav-daemon package is the on-access scanner, which runs in the background.

After installation, an update of the virus definition database will automatically start. Basically, a freshclam command has been activated. You can watch the logs using:

tail -f /var/log/clamav/freshclam.log

You should be able to see the following message as the update is in progress:

Fri Aug 2 21:22:05 2019 -> --------------------------------------
Fri Aug 2 21:22:05 2019 -> freshclam daemon 0.100.3 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Fri Aug 2 21:22:05 2019 -> ClamAV update process started at Fri Aug 2 21:22:05 2019
Fri Aug 2 21:22:05 2019 -> WARNING: Your ClamAV installation is OUTDATED!
Fri Aug 2 21:22:05 2019 -> WARNING: Local version: 0.100.3 Recommended version: 0.101.2
Fri Aug 2 21:22:05 2019 -> DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav
Fri Aug 2 21:22:07 2019 -> Downloading main.cvd [100%]
Fri Aug 2 21:22:20 2019 -> main.cvd updated (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Can't query main.58.93.1.0.6810DB54.ping.clamav.net
Fri Aug 2 21:22:58 2019 -> Downloading daily.cvd [100%]
Fri Aug 2 21:23:27 2019 -> daily.cvd updated (version: 25529, sigs: 1694663, f-level: 63, builder: raynman)
Can't query daily.25529.93.1.0.6810DB54.ping.clamav.net
Fri Aug 2 21:24:04 2019 -> Downloading bytecode.cvd [100%]
Fri Aug 2 21:24:05 2019 -> bytecode.cvd updated (version: 330, sigs: 94, f-level: 63, builder: neo)
Can't query bytecode.330.93.1.0.6810DB54.ping.clamav.net
Fri Aug 2 21:24:45 2019 -> Database updated (6261006 signatures) from db.local.clamav.net (IP: 104.16.219.84)

The last line indicates that we are now using the latest virus definition database of ClamAV. The database files are saved in:
/var/lib/clamav/daily.cvd (daily update file for ClamAV virus databases)
/var/lib/clamav/main.cvd (main ClamAV virus database file)
/var/lib/clamav/bytecode.cvd (signatures to detect bytecode in files)

Verify that the main ClamAV-freshclam service is running to make sure the virus definition database is always up-to-date:

systemctl status clamav-freshclam

Almost the same output should appear:

● clamav-freshclam.service - ClamAV virus database updater
Loaded: loaded (/lib/systemd/system/clamav-freshclam.service; enabled; vendor
Active: active (running) since Fri 2019-08-02 21:22:05 EDT; 44min ago

Finally, run the main ClamAV on-access scanner service and verify its status.

systemctl start clamav-daemon
systemctl status clamav-daemon
● clamav-daemon.service - Clam AntiVirus userspace daemon
Loaded: loaded (/lib/systemd/system/clamav-daemon.service; enabled; vendor pr
Drop-In: /etc/systemd/system/clamav-daemon.service.d
└─extend.conf
Active: active (running) since Fri 2019-08-02 22:09:56 EDT; 18min ago

Step 3: Configuring ClamAV 

By default, ClamAV’s configuration is already optimized for general use. If you want to adjust some settings for the on-access scanner service, you can check the file:

nano /etc/clamav/clamd.conf

Do not forget to restart the service after saving the modified file:

systemctl restart clamav-daemon

Testing ClamAV 

To test and verify our ClamAV installation, we can try to scan the EICAR test file (a harmless signature with no virus code). To start the sample scan, supply the following command:

curl https://www.eicar.org/download/eicar.com.txt | clamscan -

The scan time will take some time and this is a normal behavior of ClamAV as it will need to read a number of signatures. The output should show:

stdin: Eicar-Test-Signature FOUND
----------- SCAN SUMMARY -----------
Known viruses: 6251170
Engine version: 0.100.3
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 49.993 sec (0 m 49 s

Once it is detected, we can now confirm that our ClamAV installation is working.

Starting a scan with ClamAV 

There are many scan options available for a one-time scan which is handled by clamscan. To remove the infected file automatically, add to the option --remove. To move the file to a quarantine folder, use the --move=/dir option. ClamAV also supports logging of the scan which you can enable by using the -l /path/to/file option.

To scan a file:

clamscan /opt/testfile.zip

To scan a directory:

clamscan --recursive --infected /mydir

To scan larger files (ClamAV will not scan files larger than 20MB by default):

clamscan --max-filesize=2000M --max-scansize=2000M --recursive=yes --infected /mydir

To learn more about the available options, check out ClamAV’s official OneTime scanning documentation.

That’s it! – you now have an active anti-virus in the background and an on-demand scanner for your Debian 9 server.


Of course, you don’t have to install ClamAV on Debian 9 if you have a managed Debian VPS hosting plan with us. You can simply ask our support team to help out, after which they will install, set up, and do an initial scan for you, as well as perform other threat preventions if needed. They are available 24/7 and will be able to help you with anything that you might need.

PS. If you enjoyed reading this blog post on how to install and scan vulnerabilities with ClamAV on Debian 9, feel free to share it on social networks using the shortcuts below, or simply leave a comment in the comments section. Thanks.

Leave a Comment

To prove you are human please solve the following *