Installation on Redhat and CentOS Linux Distributions
Installation on Redhat and CentOS Linux Distributions
Below are the steps for installing ClamAV from source on Redhat and CentOS Linux.
Install prerequisites
- Install ClamAV dependencies
- Install the developer tools
sudo yum groupinstall "Development Tools"
- Install library dependencies
sudo yum install openssl openssl-devel libcurl-devel zlib-devel libpng-devel libxml2-devel json-c-devel bzip2-devel pcre2-devel ncurses-devel
- (very optional) Those wishing to use clamav-milter may wish to install the following
sudo yum install sendmail sendmail-devel
- Install the unit testing dependencies
sudo yum valgrind check
Note: LLVM is also an optional dependency. LLVM will not provide any additional features, but is an alternative method for executing bytecode signatures versus using the built-in bytecode interpreter. Limited performance testing between LLVM and the bytecode interpreter did not yield conclusive evidence that one is “better” than the other. For the sake of simplicity, it is not recommended to install LLVM.
Download the latest stable release
- Open a browser and navigate to the ClamAV downloads page
- Click
clamav-<version>.tar.gzlink to download the latest stable release.
Extract the source archive
cd ~/Downloads
tar xzf clamav-[ver].tar.gz
cd clamav-[ver].tar.gz
Configure the build
ClamAV’s configure script should detect each of the above dependencies automatically.
Typical ./configure usage
./configure --enable-check
Once ./configure completes, it will print a summary. Verify that the packages you installed are in fact being detected.
Example configure summary output:
configure: Summary of detected features follows
OS : linux-gnu
pthreads : yes (-lpthread)
configure: Summary of miscellaneous features
check : -lcheck_pic -pthread -lrt -lm -lsubunit
fanotify : yes
fdpassing : 1
IPv6 : yes
configure: Summary of optional tools
clamdtop : -lncurses (auto)
milter : yes (disabled)
clamsubmit : yes (libjson-c-dev found at /usr), libcurl-devel found at /usr)
configure: Summary of engine performance features
release mode: yes
llvm : no (disabled)
mempool : yes
configure: Summary of engine detection features
bzip2 : ok
zlib : /usr
unrar : yes
preclass : yes (libjson-c-dev found at /usr)
pcre : /usr
libmspack : yes (Internal)
libxml2 : yes, from /usr
yara : yes
fts : yes (libc)
Additional popular ./configure options
--with-systemdsystemunitdir- Do not installsystemdsocket files. This option disables systemd support, but will allow you tomake installto a user-owned directory without requiringsudo/root privileges:./configure --with-systemdsystemunitdir=no
--sysconfdir- Install the configuration files to/etcinstead of/usr/local/etc:./configure -–sysconfdir=/etc
--prefix- Install ClamAV to a directory other than/usr/local/:- Example 1: Install to a local
./installdirectory../configure --prefix=`pwd`/install
- Example 2: Install ClamAV locally on an unprivileged shell account.
./configure --prefix=$HOME/clamav --disable-clamav --with-systemdsystemunitdir=no
- Example 1: Install to a local
--disable-clamav- Don’t drop super-user priveleges to runfreshclamorclamdas theclamav* user../configure --disable-clamav
*Tip: Using this
--disable-clamavmeans thatfreshclamandclamdwill run with root privleges if invoked usingsudo. Runningclamdorclamscanas root is not recommended. Instead of using this option, you can configurefreshclamorclamdto drop to any other user by:- setting the
DatabaseOwneroption infreshclam.confand - setting the
Useroption inclamd.conf.
- setting the
Please see the ./configure --help for additional options.
Compile ClamAV
Compile ClamAV with:
make -j2
Run ClamAV Unit Tests (Optional)
For peace of mind, it can be helpful to run a small suite of unit and system tests.
Run:
make check
All tests should pass.* Output will look something like this:
...
PASS: check_clamav
PASS: check_freshclam.sh
PASS: check_sigtool.sh
PASS: check_unit_vg.sh
PASS: check1_clamscan.sh
PASS: check2_clamd.sh
PASS: check3_clamd.sh
PASS: check4_clamd.sh
PASS: check5_clamd_vg.sh
PASS: check6_clamd_vg.sh
SKIP: check7_clamd_hg.sh
PASS: check8_clamd_hg.sh
PASS: check9_clamscan_vg.sh
...
============================================================================
Testsuite summary for ClamAV 0.100.2
============================================================================
# TOTAL: 13
# PASS: 12
# SKIP: 1
# XFAIL: 0
# FAIL: 0
# XPASS: 0
# ERROR: 0
Notes:
- The
*.vg.shtests will be skipped unless you runmake check VG=1. - The
check7_clamd.hg.sh(helgrind) is presently disabled and will be skipped.- For details, see: the Git commit
If you have a failure or an error in the unit tests, it could be that you are missing one or more of the prerequisites.
If you are investigating a failure, please do the following:
cd unit_tests
Use less to read the log for the failed test. Example:
less check4_clamd.sh.log`
To submit a bug report regarding unit text failures, please follow these bug reporting steps.
Install ClamAV
Install ClamAV with:
make install
Tip: If installing to the default or other system-owned directory, you may need to use sudo.
First time set-up
Note: The following instructions assume you used the default install paths (i.e. /usr/local). If you modified the install locations using --prefix or --sysconfdir options, replace /usr/local with your chosen install path.
freshclam config
Before you can use freshclam to download updates, you need to create a freshclam config. A sample config is provided for you.
- Copy the sample config. You may need to use
sudo:cp /usr/local/etc/freshclam.conf.sample /usr/local/etc/freshclam.conf
- Modify the config file using your favourite text editor. Again, you may need to use
sudo.- At a minimum, remove the
Exampleline sofreshclamcan use the config.
Take the time to look through the options. You can enable the sample options by deleting the
#comment characters.Some popular options to enable include:
LogTimeLogRotateNotifyClamdDatabaseOwner
- At a minimum, remove the
- Create the database directory. *Tip: You may need to use
sudo.mkdir /usr/local/share/clamav
clamd config (optional)
You can run clamscan without setting the config options for clamd. However, the clamd scanning daemon allows you to use clamdscan to perform faster a-la-carte scans, allows you to run multi-threaded scans, and allows you to use clamav-milter if you want to use ClamAV as a mail filter if you host an email server.
Additionally, if you are a running modern versions of Linux where the FANOTIFY kernel feature is enabled, clamd has a feature run with On-Access Scanning. *When properly configured, On-Access Scanning can scan files as they are accessed and optionally block access to the file in the event that a signature alerted.
Note: At this time, for On-Access Scanning to work, clamd must run with sudo/root privileges. For more details, please see our documentation on On-Access Scanning.
- Copy the sample config. You may need to use
sudo:cp /usr/local/etc/clamd.conf.sample /usr/local/etc/clamd.conf
- Modify the config file using your favourite text editor. Again, you may need to use
sudo.- At a minimum, remove the
Exampleline sofreshclamcan use the config. - You also need to select a Socket option for
clamdsoclamdscanand other utilities can communicate withclamd. You must enable one of the following.LocalSocketTCPSocket
Take the time to look through the options. You can enable the sample options by deleting the
#comment characters.Some popular options to enable include:
LogTimeLogCleanLogRotateUserScanOnAccessOnAccessIncludePathOnAccessExcludePathOnAccessPrevention
- At a minimum, remove the
Configure SELinux for ClamAV
Certain distributions (notably RedHat variants) when operating with SELinux enabled use the non-standard antivirus_can_scan_system SELinux option instead of clamd_can_scan_system.
At this time, libclamav only sets the clamd_can_scan_system option, so you may need to manually enable antivirus_can_scan_system. If you don’t perform this step, freshclam will log something like this when it tests the newly downloaded signature databases:
During database load : LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Permission denied
To allow ClamAV to operate under SELinux, run the following:
setsebool -P antivirus_can_scan_system 1
Download / Update the signature database
Before you can run a scan, you’ll need to download the signature databases. Once again, you may need to run with sudo/root privileges.
If you installed to a location in your system PATH:
freshclam
If you installed to another location:
/{path}/{to}/{clamav}/bin/freshclam
Users and on user privileges
If you are running freshclam and clamd as root or with sudo, and you did not explicitely configure with --disable-clamav, you will want to ensure that the DatabaseOwner user specified in freshclam.conf owns the database directory so it can download signature udpates.
The user that clamd, clamdscan, and clamscan run as may be the same user, but if it isn’t – it merely needs read access to the database directory.
If you choose to use the default clamav user to run freshclam and clamd, you’ll need to create the clamav group and the clamav user account the first time you install ClamAV.
groupadd clamav
useradd -g clamav -s /bin/false -c "Clam Antivirus" clamav
Finally, you will want to set user ownership of the database directory. For example:
sudo chown -R clamav:clamav /usr/local/share/clamav
Usage
You should be all set up to run scans.
Take a look at our usage documentation to learn about how to use ClamAV each of the utilities.