# ClamAV — Open Source Antivirus Engine for Servers and Mail Gateways

> ClamAV is a free, open-source antivirus engine maintained by Cisco Talos. It provides command-line scanning, a daemon for on-access and batch scanning, and automatic signature updates for detecting malware.

## Quick Use

```bash
# Install on Debian/Ubuntu
sudo apt install clamav clamav-daemon

# Update virus definitions (clamd will not start without a signature database)
sudo freshclam

# Scan a directory recursively
clamscan -r /path/to/scan

# Start the clamd daemon (clients and the clamonacc on-access scanner talk to it)
sudo systemctl start clamav-daemon
```

## Introduction

ClamAV is a free, open-source antivirus toolkit designed primarily for mail gateway scanning and server-side file inspection. Maintained by Cisco Talos, it provides reliable malware detection with regularly updated signature databases and is widely deployed on Linux servers and email infrastructure.

## What ClamAV Does

- Scans files and directories for malware using signature-based detection
- Runs as a daemon (clamd) for high-throughput scanning via a Unix socket or TCP
- Updates virus definitions automatically through the freshclam updater
- Supports scanning of archives, email attachments, PDF, and Office documents
- Integrates with mail transfer agents such as Postfix, Exim, and Sendmail

## Architecture Overview

ClamAV consists of three main components: clamscan (standalone scanner), clamd (multi-threaded daemon), and freshclam (signature updater). The scanning engine uses a combination of signature matching, heuristic analysis, and bytecode signatures. clamd keeps the signature databases loaded in memory for fast repeated scans and communicates with clients over a Unix socket or a TCP port.
## Self-Hosting & Configuration

- Install from your distribution's package manager or compile from source
- Run `freshclam` immediately after install to download the latest signature database
- Configure clamd via `/etc/clamav/clamd.conf` for the socket path, scan limits, and logging
- Set up freshclam as a systemd timer or cron job for automatic daily updates
- Integrate with Postfix using clamav-milter or amavisd-new for email scanning

## Key Features

- Ships millions of malware signatures with daily database updates from Cisco Talos
- Multi-threaded daemon mode handles high scan volumes with low latency
- Supports on-access scanning via the clamonacc module on Linux
- Scans inside archives (zip, tar, gzip, rar) and compound document formats
- Provides a C API (libclamav) for embedding scanning into custom applications

## Comparison with Similar Tools

- **Sophos** — commercial AV with broader endpoint protection but requires licensing
- **ESET** — advanced heuristics and low resource usage but proprietary and paid
- **rkhunter** — rootkit-focused scanner but not a general-purpose antivirus
- **chkrootkit** — lightweight rootkit checker but limited malware signature coverage
- **VirusTotal** — cloud-based multi-engine scanning but not suitable for offline or bulk use

## FAQ

**Q: Is ClamAV effective as a desktop antivirus?**

A: ClamAV is designed for server and mail gateway use. It lacks the real-time GUI protection features that desktop users expect from consumer antivirus products.

**Q: How often are virus signatures updated?**

A: Cisco Talos publishes signature updates multiple times per day. freshclam checks for updates at a configurable interval, typically every few hours.

**Q: Can ClamAV scan files on upload in a web application?**

A: Yes. Use clamd with a socket connection from your application code or a reverse proxy module to scan uploaded files before they reach storage.
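The upload-scanning answer above in working form, as an added example that is not part of the original page or of the ClamAV project: a minimal client for clamd's INSTREAM command over the Unix socket, with the framing and reply parsing separated from the socket I/O so they can be checked without a running daemon. The socket path is the Debian/Ubuntu default and is an assumption; the sample reply strings in the comments are constructed.

```python
from __future__ import annotations
import socket
import struct

CLAMD_SOCKET = "/var/run/clamav/clamd.ctl"   # assumption: Debian/Ubuntu default path
CHUNK_SIZE = 8192


def build_instream_request(data: bytes, chunk_size: int = CHUNK_SIZE) -> bytes:
    """Frame `data` as a clamd INSTREAM session.

    clamd expects the NUL-terminated command ("z" prefix), then chunks of
    4-byte big-endian length + payload, ended by a zero-length chunk.
    """
    frames = [b"zINSTREAM\0"]
    for off in range(0, len(data), chunk_size):
        chunk = data[off:off + chunk_size]
        frames.append(struct.pack(">I", len(chunk)) + chunk)
    frames.append(struct.pack(">I", 0))
    return b"".join(frames)


def parse_scan_response(raw: bytes) -> tuple[str, str | None]:
    """Map a clamd reply to (status, detail).

    b"stream: OK\\0"                          -> ("OK", None)
    b"stream: Eicar-Test-Signature FOUND\\0"  -> ("FOUND", "Eicar-Test-Signature")
    anything else (e.g. StreamMaxLength hit)  -> ("ERROR", full reply text)
    """
    text = raw.rstrip(b"\0\n").decode("utf-8", "replace")
    head, sep, tail = text.partition(": ")
    verdict = tail if sep else head
    if verdict == "OK":
        return "OK", None
    if verdict.endswith(" FOUND"):
        return "FOUND", verdict[:-len(" FOUND")]
    return "ERROR", verdict


def scan_bytes(data: bytes, sock_path: str = CLAMD_SOCKET, timeout: float = 30.0):
    """Stream an upload's bytes to clamd and return the parsed verdict."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(sock_path)
        s.sendall(build_instream_request(data))
        reply = b""
        while not reply.endswith(b"\0"):   # clamd NUL-terminates replies to "z" commands
            part = s.recv(4096)
            if not part:
                break
            reply += part
    return parse_scan_response(reply)
```

Reject the upload on anything other than `("OK", None)`: an `ERROR` reply (for example when the stream exceeds `StreamMaxLength` in clamd.conf) means the file was not fully scanned, so failing closed is the safe default.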
**Q: Does ClamAV detect zero-day threats?**

A: ClamAV primarily uses signature-based detection. It includes heuristic and bytecode signatures for some unknown threats, but it is not a behavioral analysis engine.

## Sources

- https://github.com/Cisco-Talos/clamav
- https://docs.clamav.net/

---

Source: https://tokrepo.com/en/workflows/asset-68ab0576

Author: AI Open Source