NovaCloud-Hosting Docs


Scan a Server with ClamAV

ClamAV is a free antivirus and malware scanner for Linux. You can use it to scan a VPS or root server for suspicious files, for example after a website compromise, suspicious uploads, or unusual processes.

If a server is clearly compromised, a ClamAV scan does not replace a clean reinstall. In that case, use the scan mainly for analysis and for checking data before restoring it.

Requirements

  • SSH access to the server
  • Root privileges or a user with sudo
  • Debian- or Ubuntu-based system
  • Enough free disk space for signatures, logs, and possible quarantine files

Create a backup or snapshot before making larger changes if the server contains important data.

1. Update the system

Update the package index and installed packages first:

sudo apt update
sudo apt upgrade -y

2. Install ClamAV

Install ClamAV and the optional daemon:

sudo apt install clamav clamav-daemon -y

Check that clamscan is available:

clamscan --version

3. Update virus signatures

Enable the Freshclam service so signatures are updated automatically:

sudo systemctl enable --now clamav-freshclam

Then start a manual update:

sudo freshclam

If you get a message that the database is locked by the Freshclam service, stop the service briefly, update the signatures, and start it again:

sudo systemctl stop clamav-freshclam
sudo freshclam
sudo systemctl start clamav-freshclam

4. Prepare the scan

Create directories for logs and quarantine:

sudo mkdir -p /root/clamav-logs /root/clamav-quarantine
sudo chmod 700 /root/clamav-logs /root/clamav-quarantine

Quarantine is safer than deleting files immediately because ClamAV can report false positives.

5. Scan important directories

For a first scan, check common data and web directories:

sudo clamscan -r -i --bell --log=/root/clamav-logs/quick-scan.log /var/www /home

The options mean:

  • -r: scan directories recursively
  • -i: only print infected or suspicious files
  • --bell: ring the terminal bell when a file is found
  • --log: also write the result to a log file

If your web server uses different paths, adjust /var/www accordingly.

6. Scan the whole server

For a broader check, scan the root filesystem. The virtual system directories are excluded, and --cross-fs=no keeps the scan on the filesystem that / is on, so separately mounted partitions (for example a separate /home or /var) need their own scan:

sudo clamscan -r -i --cross-fs=no \
  --exclude-dir="^/proc" \
  --exclude-dir="^/sys" \
  --exclude-dir="^/dev" \
  --exclude-dir="^/run" \
  --log=/root/clamav-logs/full-scan.log /

A full scan can take a long time and generate high CPU and I/O load depending on the amount of data and server performance. Run it outside production peak times if possible.

7. Move findings to quarantine

If you do not want to delete found files directly, move them to quarantine:

sudo clamscan -r -i \
  --move=/root/clamav-quarantine \
  --log=/root/clamav-logs/quarantine-scan.log \
  /var/www /home

Check which files were moved:

sudo ls -lah /root/clamav-quarantine
sudo less /root/clamav-logs/quarantine-scan.log

Moved files can break applications if they were actively used. After a quarantine scan, check your websites, services, and cron jobs.

8. Speed up scans with the ClamAV daemon

For larger datasets, clamdscan can be faster because the daemon keeps the signatures loaded in memory instead of loading them again for every run:

sudo systemctl enable --now clamav-daemon
sudo clamdscan --multiscan --fdpass /var/www /home

If the daemon does not start immediately after installation, wait a few minutes or check whether the signature database has already loaded:

sudo systemctl status clamav-daemon
sudo journalctl -u clamav-daemon --no-pager -n 50

9. Review the results

Open the log file for the scan you ran:

sudo less /root/clamav-logs/quick-scan.log

Pay particular attention to:

  • The "Infected files:" line in the scan summary: the number of detected files
  • Paths below /var/www, /home, or temporary upload directories
  • Findings that reappear after cleanup

If ClamAV finds malware, also check:

  • Which application created or changed the file
  • Whether suspicious users, SSH keys, or cron jobs exist
  • Whether web applications, plugins, or CMS versions are outdated
  • Whether passwords, API keys, or database credentials need to be changed
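The review in this step can be scripted. The following helpers are an added example and not part of the NovaCloud-Hosting page: they read a log written with --log, list the FOUND entries, compare them with the "Infected files:" summary line, pick out findings under the directories named above, and translate clamscan's exit status (0 no findings, 1 findings, 2 error). The log format assumed is clamscan's own ("<path>: <signature> FOUND" per finding, followed by a SCAN SUMMARY block); the sample log written by write_sample_log is constructed for trying the helpers and is not real scan output.

```shell
#!/bin/sh
# Added example (not the page's own script): helpers for reviewing a clamscan
# log as described in step 9. Assumed log format: one "<path>: <signature> FOUND"
# line per finding and a "----------- SCAN SUMMARY -----------" block at the end.

# Paths of all FOUND entries in log $1, one per line.
found_paths() {
  grep ' FOUND$' "$1" | sed 's/: [^:]* FOUND$//'
}

# Number of FOUND entries in log $1.
found_count() {
  found_paths "$1" | wc -l | tr -d ' '
}

# The number on the "Infected files:" line of the summary in log $1.
infected_from_summary() {
  awk -F': ' '/^Infected files:/ { print $2 }' "$1"
}

# Succeeds when the FOUND entries and the summary agree. A mismatch usually
# means two scans were appended to one log or the scan was interrupted.
log_consistent() {
  [ "$(found_count "$1")" = "$(infected_from_summary "$1")" ]
}

# FOUND paths in log $1 that lie under any of the directories given after it,
# e.g. the web root or an upload directory. No match is not an error.
found_under() {
  log=$1
  shift
  for prefix in "$@"; do
    found_paths "$log" | grep "^$prefix/" || :
  done
}

# Map clamscan's exit status ($1) to a word: 0 = no findings, 1 = findings,
# 2 = error (for example unreadable paths or missing signatures).
scan_verdict() {
  case "$1" in
    0) echo clean ;;
    1) echo findings ;;
    2) echo error ;;
    *) echo unknown ;;
  esac
}

# Write a constructed sample log (not real scan output) to $1.
write_sample_log() {
  cat > "$1" <<'EOF'
/var/www/html/uploads/shell.php: Example.Webshell-1 FOUND
/home/deploy/.cache/sample.bin: Example.Test-1 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8000000
Engine version: 1.0.3
Scanned directories: 12
Scanned files: 345
Infected files: 2
Data scanned: 12.34 MB
Data read: 10.00 MB (ratio 1.23:1)
Time: 5.123 sec (0 m 5 s)
EOF
}

# Run with --demo to exercise the helpers on the constructed sample log.
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp)
  write_sample_log "$tmp"
  echo "FOUND entries: $(found_count "$tmp"), summary says: $(infected_from_summary "$tmp")"
  found_under "$tmp" /var/www /home
  rm -f "$tmp"
fi
```

Save the file as, for example, /root/clamav-review.sh, load it with `. /root/clamav-review.sh`, and run `found_under /root/clamav-logs/quick-scan.log /var/www /home` against a real log. scan_verdict is meant to be called with `$?` directly after a clamscan command, so a cron job can tell "nothing found" apart from "scan failed" instead of treating both as silence.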

10. After cleanup

Restart affected services and check their logs. Only run the commands for services you actually use:

sudo systemctl restart nginx
sudo systemctl restart apache2
sudo systemctl restart php8.2-fpm
sudo journalctl -p warning --since "1 hour ago"

Run another scan afterwards. If findings reappear or you are not sure how the files got onto the server, a clean reinstall with restored and verified data is the safest solution.

Last updated: 2026-06-10
