How To Install ClamAV on Ubuntu 26.04 LTS

Malware on Linux servers is more common than most people admit. If you run a file server, a mail relay, or a shared hosting box, you are often the last line of defense before infected files reach someone else’s Windows machine. That is exactly why you need to install ClamAV on Ubuntu 26.04 before you go live with any production workload.

ClamAV is a free, open source antivirus engine built specifically for scanning files on Linux and Unix systems. It was originally designed for mail gateways, but today it protects web servers, backup systems, and shared storage across thousands of organizations. Unlike commercial antivirus tools, ClamAV runs entirely from the command line, which makes it a natural fit for headless Ubuntu servers.

This guide walks through the full ClamAV setup process on Ubuntu 26.04 from a working sysadmin’s point of view. You will learn not just the commands to type, but the reasoning behind each one. By the end, you will know how to install, update, scan, automate, and troubleshoot ClamAV like someone who has done this on real production servers, not just copied a command list.

We will cover installation, database updates, manual scanning, real time protection, automated cron jobs, and the most common errors you will hit along the way. If you are new to Linux server administration, do not worry. Every step includes plain English explanations of what is happening under the hood.

Why Ubuntu Needs Antivirus Protection Too

A lot of Linux users repeat the myth that Linux cannot get viruses. That is misleading. Linux malware exists, but the bigger risk on a Linux server is acting as a carrier.

Think about a shared file server running Samba or NFS. Someone uploads an infected Word document. Your Ubuntu box never executes that file, so it looks harmless from the Linux side. But the moment a Windows user downloads it, they get infected, and the trail leads back to your server.

This is the real reason system administrators configure ClamAV on Ubuntu 26.04 for mail servers, FTP servers, and shared storage. It is not about protecting Ubuntu itself. It is about stopping your server from becoming a delivery pipeline for malware headed to other machines.

Hosting providers and companies handling payment data also have compliance reasons to run antivirus scanning. Standards like PCI DSS often require some form of malware detection on servers that touch sensitive data. Installing ClamAV checks that box without any licensing fees.

Prerequisites

Before you install ClamAV on Ubuntu 26.04, make sure you have the following ready.

  • Ubuntu 26.04 LTS installed and updated, either on a physical machine, VPS, or cloud instance
  • Root or sudo access, since package installation and service management both need elevated permissions
  • At least 3GB of free disk space, because ClamAV’s signature databases grow over time and can reach several gigabytes
  • A stable internet connection, needed for the initial signature database download and daily updates
  • Basic terminal familiarity, enough to run commands and edit a config file with a text editor like nano

If you are managing a remote server, connect over SSH before starting. Everything in this guide runs from the terminal, so a desktop environment is not required.

Step 1: Update Your System

Before installing anything new, refresh your package index. This is a habit every experienced sysadmin builds early, and skipping it is one of the most common reasons installs go wrong.

sudo apt update

What this does: It contacts Ubuntu’s repositories and pulls the latest list of available packages and their versions. It does not install or upgrade anything yet.

Why it matters: Without this step, apt might try to install ClamAV using outdated package information cached from weeks or months ago. That can lead to missing dependencies or version mismatches that break the install halfway through.

You should see output listing repositories being fetched, ending with something like:

Reading package lists... Done
Building dependency tree... Done

Step 2: Install ClamAV And ClamAV Daemon

Now install the two core packages: the scanner itself and the background daemon.

sudo apt install clamav clamav-daemon -y

What this does: This pulls in three components. The clamav package gives you clamscan, the command line tool for manual scans. The clamav-daemon package installs clamd, a background process that keeps virus signatures loaded in memory. Apt will also automatically install clamav-freshclam, the tool responsible for downloading signature updates.

Why install both together: You could technically install just clamav and run clamscan manually every time. But clamscan reloads the entire signature database from disk on every single run, which is slow once your database grows to hundreds of megabytes. The daemon keeps everything loaded in RAM, so scans through clamdscan run much faster on a busy server.

Why ClamAV Splits Scanning And Updating

ClamAV deliberately separates its update logic from its scanning logic. Freshclam handles downloading new virus signatures. Clamd handles the actual scanning work. This separation means a bad or interrupted update never crashes your active scanning service, and you can restart one component without touching the other.

Step 3: Update Virus Signature Databases

A fresh ClamAV install ships with little to no signature data. Scanning right now would be almost pointless, since the engine has nothing to compare files against.

First, stop the freshclam service so it does not conflict with a manual update:

sudo systemctl stop clamav-freshclam

Now run freshclam manually to pull the latest databases:

sudo freshclam

What this does: Freshclam connects to ClamAV’s official update servers and downloads the latest main.cvd, daily.cvd, and bytecode.cvd files into /var/lib/clamav. These files contain the actual virus signatures the engine uses to detect malware.

Why stop the service first: If the freshclam daemon is already running in the background, it can lock the same files your manual command is trying to write to. Running both at once often produces a “lock file” error, which we will cover in the troubleshooting section.

Once the download finishes, restart and enable the service so updates happen automatically going forward:

sudo systemctl start clamav-freshclam
sudo systemctl enable clamav-freshclam

Why enabling matters: New malware signatures get published multiple times a day. If freshclam only runs once, your protection goes stale within days. Enabling the service on boot and as a persistent daemon means your database stays current without you having to remember to run anything manually.

Expected output during a successful update looks like this:

daily.cvd updated (version: 27500, sigs: 2050000, ...)
main.cvd is up to date
Database updated

Step 4: Start And Configure The ClamAV Daemon

With signatures in place, bring the scanning daemon online.

sudo systemctl start clamav-daemon
sudo systemctl enable clamav-daemon
sudo systemctl status clamav-daemon

What this does: The first command starts clamd. The second ensures it launches automatically after every reboot. The third confirms it is actually running and healthy.

Why enabling on boot matters: Servers restart during maintenance, kernel updates, or unexpected crashes. If clamd is not enabled, your server could sit unprotected for hours after a reboot without anyone noticing until it is too late.

Reviewing The Main Config File

Open the daemon config file to review its defaults:

sudo nano /etc/clamav/clamd.conf

Two settings worth checking early are MaxScanSize and LogFile. If MaxScanSize is too small, large files get skipped silently instead of scanned, which defeats the purpose of having antivirus protection in the first place.

Step 5: Run Your First Manual Scan

Time to test that everything actually works. Start with a scan of your home directory.

sudo clamscan -r -i /home

What this does: The -r flag scans recursively through subfolders. The -i flag tells ClamAV to only print infected files instead of listing every single clean file, which keeps the output readable.

For a full system scan, exclude virtual filesystems that do not contain real files:

sudo clamscan -r -i --exclude-dir="^/sys" --exclude-dir="^/proc" --exclude-dir="^/dev" /

Why exclude those directories: /sys, /proc, and /dev are kernel generated pseudo files, not actual data. Scanning them wastes time and can occasionally cause the scanner to hang or throw errors, since these paths behave differently from normal storage.

Testing Detection With The EICAR File

A scan that runs without errors is not proof that detection actually works. The industry standard test is the EICAR test file, a harmless string recognized by every antivirus engine as a test signature.

curl -Lo /tmp/eicar.txt https://secure.eicar.org/eicar.com.txt
clamscan /tmp/eicar.txt

You should see output flagging the file as infected:

/tmp/eicar.txt: Win.Test.EICAR_HDB-1 FOUND

This confirms your scanner is reading signatures correctly, not just running without crashing.

Step 6: Enable Real Time Scanning

On demand scans only catch problems when you run them. A file uploaded five minutes after your last scan sits unprotected until the next one. Real time, or on access, scanning closes that gap.

Open the config file again:

sudo nano /etc/clamav/clamd.conf

Add or update the following lines:

ScanOnAccess yes
OnAccessMountPath /home
OnAccessIncludePath /home
OnAccessExcludeUname clamav

What this does: ScanOnAccess turns on real time monitoring. OnAccessIncludePath tells clamd which directories to watch continuously. OnAccessExcludeUname prevents the daemon from scanning its own file operations, which avoids unnecessary overhead.

Why this matters for busy servers: If you run a web server where users upload files, or a Samba share used by multiple people, malware can land on disk at any time. Real time scanning checks files the moment they are written, rather than waiting for a scheduled job hours later.

Restart the daemon to apply changes:

sudo systemctl restart clamav-daemon

Note that on access scanning depends on kernel support for fanotify, which Ubuntu 26.04 provides by default.
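
A pre-flight lint for the on-access settings above, added here as an example (not from the original guide or the ClamAV project). It assumes ClamAV 0.102 or later, where the separate clamonacc client performs on-access scanning, ScanOnAccess is a deprecated option, and OnAccessMountPath takes precedence over OnAccessIncludePath. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: lint the OnAccess* settings in a clamd.conf-style file.
# Assumes ClamAV >= 0.102, where the clamonacc client does on-access scanning.

# Print every value of one directive; comment lines never match.
conf_values() {  # usage: conf_values <directive> <file>
    awk -v key="$1" '$1 == key { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print }' "$2"
}

# Record one finding on stdout.
note() { echo "$1"; findings=$((findings + 1)); }

# Prints one finding per line; returns non-zero if there is any finding.
lint_onaccess() {  # usage: lint_onaccess <clamd.conf>
    conf=$1 findings=0

    [ -n "$(conf_values ScanOnAccess "$conf")" ] &&
        note "ScanOnAccess is deprecated: on-access scanning needs clamonacc running"
    inc=$(conf_values OnAccessIncludePath "$conf")
    mnt=$(conf_values OnAccessMountPath "$conf")
    [ -z "$inc$mnt" ] && note "no OnAccessIncludePath or OnAccessMountPath set"
    [ -n "$inc" ] && [ -n "$mnt" ] &&
        note "OnAccessMountPath is set, so OnAccessIncludePath is ignored"
    # A watched path that does not exist never produces events.
    # (Paths containing spaces are not handled in this example.)
    for p in $inc $mnt; do
        [ -d "$p" ] || note "watched path does not exist: $p"
    done
    # Without an exclusion for the scanner's own user, clamd's reads of a
    # file can trigger further on-access events for that same file.
    [ -z "$(conf_values OnAccessExcludeUname "$conf")" ] &&
        [ -z "$(conf_values OnAccessExcludeUID "$conf")" ] &&
        note "no OnAccessExcludeUname or OnAccessExcludeUID set"
    [ "$findings" -eq 0 ]
}

# True when the on-access client process is running.
clamonacc_running() { pgrep -x clamonacc >/dev/null 2>&1; }

# Example: lint_onaccess /etc/clamav/clamd.conf && clamonacc_running
```
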

Step 7: Automate Scans With Cron

Manual scans do not scale. People forget, get busy, or move on to other tasks. A cron job removes that risk entirely.

Open the root crontab:

sudo crontab -e

Add a line to run a scan every night at 2 AM and log the results:

0 2 * * * clamdscan --multiscan --fdpass -r /home >> /var/log/clamav/nightly-scan.log 2>&1

What this does: This schedules clamdscan to run daily at 2 AM against /home, saving all output to a log file for later review.

Why use clamdscan instead of clamscan here: clamdscan talks to the already running daemon instead of reloading the entire signature database from disk. On a server with a large database, this can cut scan time significantly, especially for recurring jobs.

Why logging matters: If something goes wrong at 2 AM, you want a written record. Logs also create an audit trail, which matters if you ever need to prove compliance with a security policy after an incident.
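
Because the cron line appends every night's output to one file, a review has to separate the latest run from older ones. The following is an added example (not from the original guide) that reports only the detections and errors of the most recent completed run; the function name is hypothetical, and it assumes clamdscan's usual "FOUND", "ERROR" and "SCAN SUMMARY" output lines.

```shell
#!/bin/sh
# Added example: triage the most recent run in an append-mode scan log.
# Assumes clamdscan's usual output: "<path>: <signature> FOUND",
# "<path>: <message> ERROR", and a "SCAN SUMMARY" banner closing each run.

# Prints the FOUND and ERROR lines of the last completed run.
# returns 0 clean, 1 detections, 2 errors only, 3 no completed run in the log
triage_last_scan() {  # usage: triage_last_scan <logfile>
    [ -r "$1" ] || return 3
    awk '
        / FOUND$/      { buf = buf $0 "\n"; found++ }
        / ERROR$/      { buf = buf $0 "\n"; errs++ }
        /SCAN SUMMARY/ { last = buf; lf = found; le = errs; runs++
                         buf = ""; found = 0; errs = 0 }
        END {
            # Lines after the final banner belong to an unfinished run
            # and are deliberately not reported.
            if (!runs) exit 3
            printf "%s", last
            if (lf) exit 1
            if (le) exit 2
        }
    ' "$1"
}

# Example: triage_last_scan /var/log/clamav/nightly-scan.log
```

A return value of 3 deserves the same attention as a detection, since it means the log holds no completed scan at all.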

Step 8: Review Your Logs Regularly

Set a reminder to check your logs weekly, at minimum.

tail -n 50 /var/log/clamav/freshclam.log
tail -n 50 /var/log/clamav/nightly-scan.log

Why this is not optional: Silent failures are the most dangerous kind. If freshclam loses internet access for a week, your database goes stale, but nothing crashes and no alert fires. The only way you catch that is by actually reading the logs from time to time.
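
One way to catch the stale-database case without relying on someone reading logs, as an added example (not part of the original guide): read the build timestamp from the 512-byte header of the daily signature file and fail when it is too old. The function names and the 3-day threshold are hypothetical, and the code assumes the header's ninth colon-separated field is a Unix build time; `sigtool --info` prints the same header on a live system.

```shell
#!/bin/sh
# Added example: alert when ClamAV signature files stop updating.
# Assumes the CVD/CLD header layout: 512 bytes, colon-separated, with the
# build time as a Unix timestamp in field 9.

# Print the age of one signature file in whole days.
# usage: sig_age_days <file> [now_epoch]; returns 2 if the header is unusable
sig_age_days() {
    now=${2:-$(date +%s)}
    magic=$(head -c 512 "$1" 2>/dev/null | cut -d: -f1)
    built=$(head -c 512 "$1" 2>/dev/null | cut -d: -f9 | tr -cd '0-9')
    [ "$magic" = "ClamAV-VDB" ] && [ -n "$built" ] || return 2
    echo $(( (now - built) / 86400 ))
}

# Check daily.cld or daily.cvd (whichever exists) against a maximum age.
# usage: check_sig_freshness <db_dir> <max_days> [now_epoch]
# returns 0 fresh, 1 stale, 2 missing or unreadable
check_sig_freshness() {
    for f in "$1/daily.cld" "$1/daily.cvd"; do
        [ -f "$f" ] || continue
        age=$(sig_age_days "$f" "$3") || return 2
        [ "$age" -le "$2" ] && return 0
        echo "STALE: $f is $age days old (limit $2)" >&2
        return 1
    done
    echo "MISSING: no daily.cvd or daily.cld in $1" >&2
    return 2
}

# Cron-friendly use with the guide's database path; logs to syslog on failure:
# check_sig_freshness /var/lib/clamav 3 ||
#     logger -p auth.warning -t clamav-check "signatures stale or missing"
```
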

Troubleshooting Common ClamAV Errors

Even a clean install hits a few common snags. Here are the ones you are most likely to run into.

Error: “ERROR: /var/log/clamav/freshclam.log is locked by another process”
This happens when two freshclam processes try to write to the same log at once, usually because the daemon is running while you also run freshclam manually. Fix it by stopping the service first with sudo systemctl stop clamav-freshclam, then run sudo freshclam again before restarting the service.

Error: “Can’t open/parse the config file /etc/clamav/freshclam.conf”
This usually means the config file has a syntax error, often from a leftover “Example” line that ClamAV requires you to delete before the file becomes valid. Open the file and remove any line that literally says Example near the top.

Error: Daemon fails to start with a socket error
This typically means an old socket file still exists at /var/run/clamav/clamd.ctl from a previous crash. Delete the stale socket file and restart the service with sudo systemctl restart clamav-daemon.

Error: Permission denied during a scan
ClamAV often runs as a dedicated clamav user that does not have read access to every directory. Either run the scan with sudo, or adjust folder permissions if the daemon needs ongoing access to a specific path.

Error: On access scanning does not trigger
This usually points to fanotify not being properly supported or the OnAccessIncludePath pointing to a path that does not exist. Double check the path spelling and confirm your kernel has fanotify enabled, which is standard on Ubuntu 26.04.

r00t is a Linux Systems Administrator and open-source advocate with over ten years of hands-on experience in server infrastructure, system hardening, and performance tuning. Having worked across distributions such as Debian, Arch, RHEL, and Ubuntu, he brings real-world depth to every article published on this blog. r00t writes to bridge the gap between complex sysadmin concepts and practical, everyday application — whether you are configuring your first server or optimizing a production environment. Based in New York, US, he is a firm believer that knowledge, like open-source software, is best when shared freely.
