I. Introduction
ClamAV is a powerful, reliable and free open-source antivirus engine.
II. Installation
Installation environment:
CentOS 7, x86_64, 4 cores / 8 GB RAM
Installation options:
- Install via yum install epel-release: the ClamAV 0.xx build in the EPEL repository is relatively old, and updating the virus database after installation ran into problems that were not resolved, so this route was abandoned.
- Download a newer Linux rpm from the official ClamAV site and install it.
Official ClamAV download page: https://www.clamav.net/downloads
Installation steps:
Installing clamav-1.5.1 (and clamav-1.0.9) failed
Upload the downloaded rpm to the /yuanben/soft directory
yum install /yuanben/soft/clamav-1.5.1.linux.x86_64.rpm
# Check the version
clamscan --version
Error: a compatibility problem. The installed ClamAV 1.5.1 requires a newer GLIBC (GNU C library) than the version shipped with CentOS 7.
clamscan: /lib64/libm.so.6: version `GLIBC_2.27' not found (required by /usr/local/lib64/libclamav.so.11)
clamscan: /lib64/libc.so.6: version `GLIBC_2.28' not found (required by /usr/local/lib64/libclamav.so.11)
clamscan: /lib64/libc.so.6: version `GLIBC_2.27' not found (required by /usr/local/lib64/libclamav.so.11)
clamscan: /lib64/libc.so.6: version `GLIBC_2.18' not found (required by /usr/local/lib64/libclamav.so.11)
clamscan: /lib64/libc.so.6: version `GLIBC_2.25' not found (required by /usr/local/lib64/libclamav.so.11)
Uninstall
yum remove clamav
Install clamav-1.0.0
yum install clamav-1.0.0.linux.x86_64.rpm
clamscan --version
# The version number is printed, which means the installation succeeded
ClamAV 1.0.0
Create the directories ClamAV needs at runtime
mkdir -p /var/lib/clamav
mkdir -p /var/log/clamav
mkdir -p /var/run/clamav
Go to the configuration directory
cd /usr/local/etc
# List the configuration files
ll
Copy the sample configuration files
cp freshclam.conf.sample freshclam.conf
cp clamd.conf.sample clamd.conf
Edit the configuration file (virus database updates)
vi /usr/local/etc/freshclam.conf
1. Delete the word Example, delete Example, delete Example (important things are said three times: remove the line consisting of this word near the top of the file; freshclam refuses to run while it is present)
2. Uncomment and set the database directory
DatabaseDirectory /var/lib/clamav
3. Uncomment and set the log file
UpdateLogFile /var/log/clamav/freshclam.log
4. Process configuration (PID file)
PidFile /var/run/clamav/freshclam.pid
5. Virus database mirror address
DatabaseMirror db.cn.clamav.net
6. Uncomment the log file size limit
LogFileMaxSize 2M
7. Uncomment log timestamps
LogTime yes
8. Run as the current root user (very important, very important, very important)
DatabaseOwner root
Edit the configuration file (virus scanning)
vi /usr/local/etc/clamd.conf
Delete the word Example, delete Example, delete Example (important things are said three times: remove the line consisting of this word near the top of the file; clamd refuses to start while it is present)
Set the log file
LogFile /var/log/clamav/clamd.log
Log file size limit
LogFileMaxSize 2M
Log timestamps
LogTime yes
Set the PID file
PidFile /var/run/clamav/clamd.pid
Set the virus database directory
DatabaseDirectory /var/lib/clamav
clamd daemon socket (very important, very important, very important)
LocalSocket /var/run/clamav/clamd.socket
Limit the maximum number of threads (default 10; 1-2x the number of CPU cores is recommended)
MaxThreads 3
Pending queue
MaxQueue 60
Limit the connection queue length
MaxConnectionQueueLength 30
Maximum amount of data accepted for stream scanning
StreamMaxLength 25M
Limit the maximum size of a file to scan
MaxFileSize 25M
Limit the total amount of data scanned per input file (archive contents included)
MaxScanSize 50M
Reduce the recursion depth
MaxRecursion 8
Reduce the number of files scanned inside an archive
MaxFiles 3000
Exclude virtual filesystems and other directories that do not need scanning
ExcludePath ^/proc/
ExcludePath ^/sys/
ExcludePath ^/dev/
ExcludePath ^/var/cache
Interval between clamd's self-checks
SelfCheck 3600
Test the freshclam configuration; the virus database directory is /var/lib/clamav
freshclam --config-file=/usr/local/etc/freshclam.conf --datadir=/var/lib/clamav
Log output:
Thu Oct 30 12:23:54 2025 -> ClamAV update process started at Thu Oct 30 12:23:54 2025
WARNING: Thu Oct 30 12:23:54 2025 -> Your ClamAV installation is OUTDATED!
WARNING: Thu Oct 30 12:23:54 2025 -> Local version: 1.0.0 Recommended version: 1.0.9
Thu Oct 30 12:23:54 2025 -> DON'T PANIC! Read https://docs.clamav.net/manual/Installing.html
Thu Oct 30 12:23:54 2025 -> daily database available for download (remote version: 27807)
Time: 32.5s, ETA: 0.0s [========================>] 61.74MiB/61.74MiB
Thu Oct 30 12:24:29 2025 -> Testing database: '/var/lib/clamav/tmp.d3469ff898/clamav-aea081a4fd8c191302f5d26844bb3f94.tmp-daily.cvd' ...
Thu Oct 30 12:24:44 2025 -> Database test passed.
Thu Oct 30 12:24:44 2025 -> daily.cvd updated (version: 27807, sigs: 2077009, f-level: 90, builder: svc.clamav-publisher)
Thu Oct 30 12:24:44 2025 -> main database available for download (remote version: 62)
Time: 38.7s, ETA: 0.0s [========================>] 162.58MiB/162.58MiB
Thu Oct 30 12:25:29 2025 -> Testing database: '/var/lib/clamav/tmp.d3469ff898/clamav-69f8ae95446b3ed14f94e9734f69a267.tmp-main.cvd' ...
Thu Oct 30 12:25:44 2025 -> Database test passed.
Thu Oct 30 12:25:44 2025 -> main.cvd updated (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
Thu Oct 30 12:25:44 2025 -> bytecode database available for download (remote version: 339)
Time: 1.1s, ETA: 0.0s [========================>] 275.10KiB/275.10KiB
Thu Oct 30 12:25:45 2025 -> Testing database: '/var/lib/clamav/tmp.d3469ff898/clamav-66b80604a00ce13ecfc7dd656ed46c96.tmp-bytecode.cvd' ...
Thu Oct 30 12:25:45 2025 -> Database test passed.
Thu Oct 30 12:25:45 2025 -> bytecode.cvd updated (version: 339, sigs: 80, f-level: 90, builder: nrandolp)
[root@master1 etc]# freshclam -v
Thu Oct 30 12:32:48 2025 -> Current working dir is /var/lib/clamav/
Thu Oct 30 12:32:48 2025 -> Loaded freshclam.dat:
Thu Oct 30 12:32:48 2025 -> version: 1
Thu Oct 30 12:32:48 2025 -> uuid: 6e9dcdff-d593-44e2-816e-4d647bb2d72f
Thu Oct 30 12:32:48 2025 -> ClamAV update process started at Thu Oct 30 12:32:48 2025
Thu Oct 30 12:32:48 2025 -> Current working dir is /var/lib/clamav/
Thu Oct 30 12:32:48 2025 -> Querying current.cvd.clamav.net
Thu Oct 30 12:32:48 2025 -> TTL: 1454
Thu Oct 30 12:32:48 2025 -> fc_dns_query_update_info: Software version from DNS: 1.0.9
WARNING: Thu Oct 30 12:32:48 2025 -> Your ClamAV installation is OUTDATED!
WARNING: Thu Oct 30 12:32:48 2025 -> Local version: 1.0.0 Recommended version: 1.0.9
Thu Oct 30 12:32:48 2025 -> DON'T PANIC! Read https://docs.clamav.net/manual/Installing.html
Thu Oct 30 12:32:48 2025 -> Current working dir is /var/lib/clamav/
Thu Oct 30 12:32:48 2025 -> check_for_new_database_version: Local copy of daily found: daily.cvd.
Thu Oct 30 12:32:48 2025 -> query_remote_database_version: daily.cvd version from DNS: 27807
Thu Oct 30 12:32:48 2025 -> daily.cvd database is up-to-date (version: 27807, sigs: 2077009, f-level: 90, builder: svc.clamav-publisher)
Thu Oct 30 12:32:48 2025 -> fc_update_database: daily.cvd already up-to-date.
Thu Oct 30 12:32:48 2025 -> Current working dir is /var/lib/clamav/
Thu Oct 30 12:32:48 2025 -> check_for_new_database_version: Local copy of main found: main.cvd.
Thu Oct 30 12:32:48 2025 -> query_remote_database_version: main.cvd version from DNS: 62
Thu Oct 30 12:32:48 2025 -> main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
Thu Oct 30 12:32:48 2025 -> fc_update_database: main.cvd already up-to-date.
Thu Oct 30 12:32:48 2025 -> Current working dir is /var/lib/clamav/
Thu Oct 30 12:32:48 2025 -> check_for_new_database_version: Local copy of bytecode found: bytecode.cvd.
Thu Oct 30 12:32:48 2025 -> query_remote_database_version: bytecode.cvd version from DNS: 339
Thu Oct 30 12:32:48 2025 -> bytecode.cvd database is up-to-date (version: 339, sigs: 80, f-level: 90, builder: nrandolp)
Thu Oct 30 12:32:48 2025 -> fc_update_database: bytecode.cvd already up-to-date.
Update
freshclam
Check the version (-v runs the update in verbose mode; -V prints the version)
freshclam -v
freshclam -V
ClamAV 1.0.0/27807/Wed Oct 29 17:50:39 2025
Check the virus database files
ls -la /var/lib/clamav/
-rw-r--r-- 1 root root 281702 Oct 30 12:25 bytecode.cvd
-rw-r--r-- 1 root root 64738149 Oct 30 12:24 daily.cvd
-rw-r--r-- 1 root root 170479789 Oct 30 12:25 main.cvd
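The listing above only shows that the files exist. As an added example (mine, not from the original post), a POSIX sh check that the three databases are present and that daily has been refreshed within the last few days, so a freshclam that has silently stopped updating is noticed; it assumes the DatabaseDirectory configured above, and it looks for .cld files first because freshclam writes daily.cld in place of daily.cvd once it starts applying incremental updates.

```shell
# Added example (not from the original post): are the signature databases present and recent?
# Looks for NAME.cld first, because freshclam writes daily.cld instead of daily.cvd once it
# starts applying incremental (cdiff) updates; falls back to NAME.cvd. POSIX sh and find only.
DB_DIR="${DB_DIR:-/var/lib/clamav}"   # DatabaseDirectory from freshclam.conf
MAX_AGE_DAYS="${MAX_AGE_DAYS:-3}"     # daily is published every day, so 3 days means updates stopped

# db_file DIR NAME -> path of NAME.cld if it exists, else NAME.cvd
db_file() {
    if [ -f "$1/$2.cld" ]; then echo "$1/$2.cld"; else echo "$1/$2.cvd"; fi
}

# db_status FILE MAX_AGE_DAYS -> prints one of: missing, stale, fresh
db_status() {
    [ -f "$1" ] || { echo missing; return 0; }
    # find prints the path only when the mtime is more than MAX_AGE_DAYS full days ago
    if [ -n "$(find "$1" -mtime +"$2")" ]; then echo stale; else echo fresh; fi
}

# check_databases DIR MAX_AGE_DAYS -> 0 when main, daily and bytecode are all present and
# daily is fresh; otherwise prints each problem and returns 1 (usable as a cron/monitoring check)
check_databases() {
    rc=0
    for name in main daily bytecode; do
        f=$(db_file "$1" "$name")
        if [ "$name" = daily ]; then
            s=$(db_status "$f" "$2")   # daily is the one that must change every day
        elif [ -f "$f" ]; then
            s=fresh                    # main and bytecode change rarely; presence is enough
        else
            s=missing
        fi
        [ "$s" = fresh ] || { echo "$name: $s ($f)"; rc=1; }
    done
    return "$rc"
}

# Stand-alone use: sh clamav-db-check.sh --run  (exits non-zero when something is wrong)
if [ "${1:-}" = "--run" ]; then
    check_databases "$DB_DIR" "$MAX_AGE_DAYS"
fi
```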
III. clamscan and the clamd process
1. clamscan
Test the clamscan command: create an EICAR test file
echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > /tmp/eicar-test.txt
Test: scan the test file
clamscan /tmp/eicar-test.txt
Loading: 31s, ETA: 0s [========================>] 8.71M/8.71M sigs
Compiling: 6s, ETA: 0s [========================>] 41/41 tasks
/tmp/eicar-test.txt: Eicar-Signature FOUND
/tmp/eicar-test.txt: moved to '/tmp/quarantine/eicar-test.txt'
----------- SCAN SUMMARY -----------
Known viruses: 8708723
Engine version: 1.0.0
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 40.381 sec (0 m 40 s)
Start Date: 2025:10:30 13:40:24
End Date: 2025:10:30 13:41:04
Test: create a quarantine directory, then scan and move infected files
Create the quarantine directory
mkdir -p /tmp/quarantine
Recursively scan /home and move infected files
clamscan -r --move=/tmp/quarantine /home
----------- SCAN SUMMARY -----------
Known viruses: 8708723 # known signatures
Engine version: 1.0.0 # engine version
Scanned directories: 29592 # directories scanned
Scanned files: 156510 # files scanned
Infected files: 0 # infected files
Data scanned: 3403.06 MB # data scanned
Data read: 2706.88 MB (ratio 1.26:1) # data read
Time: 3012.283 sec (50 m 12 s) # scan time
Start Date: 2025:10:30 12:45:06
End Date: 2025:10:30 13:35:19
clamscan options
-r recursive scan
-i show only infected files
-l or --log write a log file
--move move infected files
--remove delete infected files
-i shows only infected lines, -l sets the log file path
clamscan -r -i -l /var/log/clamav/infected-$(date +%Y%m%d).log /home
Scan and delete infected files (use with caution!)
clamscan -r --remove /home
Scan a single file
clamscan /path/to/file
Recursively scan an entire directory
clamscan -r /home
Scan several directories
clamscan -r /var /etc
Scan all files in the current directory (without recursing into subdirectories)
clamscan ./*
2. The clamd daemon
Key setting
LocalSocket /var/run/clamav/clamd.socket
Start the scanning daemon
clamd --config-file=/usr/local/etc/clamd.conf
Check the process
ps -ef | grep clamd
Check that the socket file was created
ls -la /var/run/clamav/clamd.socket
View the log
tail -f /var/log/clamav/clamd.log
Locate the clamd binary
which clamd
/usr/local/sbin/clamd
Create the systemd service file
cat > /etc/systemd/system/clamd.service << 'EOF'
[Unit]
Description=clamd-service
After=syslog.target network.target
[Service]
Type=forking
# PIDFile matches PidFile in clamd.conf so that $MAINPID is the daemon's real PID
PIDFile=/var/run/clamav/clamd.pid
ExecStart=/usr/local/sbin/clamd -c /usr/local/etc/clamd.conf
# SIGTERM tells clamd to exit cleanly; SIGUSR2 only makes it reload the database
ExecStop=/bin/kill -TERM $MAINPID
ExecReload=/bin/kill -USR2 $MAINPID
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
Check the process and stop the manually started clamd so that systemd can take over
ps -ef | grep clamd
kill -9 <pid>
Reload systemd
systemctl daemon-reload
Start the service
systemctl start clamd
Enable it at boot
systemctl enable clamd
Check the status
systemctl status clamd
Test the clamd service with the clamdscan client; it scans recursively by default, so -r is dropped
clamdscan /tmp
/tmp/eicar-test.txt: Eicar-Signature FOUND
----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.015 sec (0 m 0 s)
Start Date: 2025:10:31 16:11:04
End Date: 2025:10:31 16:11:04
Notes
1. clamd's behaviour is controlled by clamd.conf (thread count, file size limits, scan depth and so on).
2. Once a scan has started, monitor performance with top to verify the effect of the tuning.
IV. Differences between clamscan and clamd
clamscan and the clamd process are ClamAV's two modes of operation; they differ significantly in architecture, performance and resource usage.
- Architectural differences
clamscan (stand-alone scanner)
user command → clamscan process → load virus database → scan → exit
One-shot process: every run starts a new process
Stand-alone: does not depend on any other service
Self-contained: loads every resource it needs itself
clamd (daemon mode)
user command → clamdscan client → clamd daemon (resident) → return result
                                        ↑
                               virus database resident in memory
Client-server architecture: clamdscan is the client, clamd is the server
Resident process: clamd keeps running in the background
Shared resources: many scans share one daemon
- Performance comparison
Feature            clamscan                                  clamd
Start-up speed     slow (loads the database on every run)    fast (database resident in memory)
Memory use         high (loaded separately on every run)     low (shared)
CPU use            higher                                    lower
Scan speed         slower                                    faster
Concurrent scans   not supported                             supported
- Resource usage comparison
Memory usage example
# clamscan memory use (about 100-200 MB per run)
clamscan /path → load virus database (150 MB) → scan → free memory
# clamd memory use (about 150 MB resident)
clamd start → load virus database (150 MB) → stays resident in memory
clamdscan /path → uses the shared daemon → almost no extra memory
Start-up time comparison
# measure clamscan start-up time
time clamscan --version
# real 0.5-2 s (includes loading the virus database)
# measure clamdscan response time
time clamdscan --version
# real 0.01-0.1 s (connects directly to the running service)
Use cases
Where clamscan fits: occasional one-off scans
Where clamd fits: frequent scans (for example scheduled jobs)
Configuration complexity
clamscan (simple)
# basic use, no configuration needed
clamscan -r /path
clamd (needs configuration)
# 1. configure clamd.conf
# 2. start the daemon
clamd --config-file=/usr/local/etc/clamd.conf
# 3. scan with the client
clamdscan /path
- Feature comparison
Feature               clamscan         clamd
Recursive scan        -r option        recursive by default
Multithreading        limited          better
Real-time monitoring  not supported    supported (OnAccessScan)
In-memory scanning    not supported    supported
Network scanning      not supported    supported
Summary
clamscan = "temp worker": comes when called, leaves when the job is done, and has to get its tools ready every time
clamd = "full-time employee": always on duty, tools at hand, answers requests at any moment
V. Scheduled tasks (optional: update the virus database and run scans on a schedule as your situation requires)
Check the freshclam install path
which freshclam
/usr/local/bin/freshclam
Check the clamscan install path
which clamscan
/usr/local/bin/clamscan
Locate clamdscan
which clamdscan
/usr/local/bin/clamdscan
Edit the crontab
crontab -e
# update every day at 02:00
0 2 * * * /usr/local/bin/freshclam --quiet --datadir=/var/lib/clamav
# scan the system every Sunday at 03:00 and write a report
0 3 * * 0 /usr/local/bin/clamscan -r -i -l /var/log/clamav/weekly-scan-$(date +\%Y\%m\%d).log /etc /bin /usr /var
# or use the clamdscan client (same weekly schedule)
0 3 * * 0 /usr/local/bin/clamdscan -l /var/log/clamav/weekly-scan-$(date +\%Y\%m\%d).log /etc /bin /usr /var
List the current user's cron jobs
crontab -l
Check the cron service status
systemctl status crond
Check the cron log (if something goes wrong)
tail -f /var/log/cron
Check the log to verify updates
tail -f /var/log/clamav/freshclam.log
Check the scan logs
ls -la /var/log/clamav/
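As an added example (mine, not part of the original post), a wrapper for the weekly clamdscan job above: it refuses to scan when clamd does not answer on the LocalSocket, and reduces the -l log to one OK/ALERT line that cron mail or a log shipper can act on, parsing the same "<path>: <signature> FOUND" and "Infected files:" lines shown in the clamscan section. It assumes nmap-ncat's nc -U as shipped with CentOS 7, the socket and log paths configured above, and a constructed sample log for the offline check.

```shell
# Added example (not from the original post): wrapper for the weekly clamdscan cron job.
# clamdscan exit codes: 0 clean, 1 infected, 2 error. Assumes nmap-ncat's nc -U (CentOS 7).
SOCKET="${SOCKET:-/var/run/clamav/clamd.socket}"   # LocalSocket from clamd.conf
LOG_DIR="${LOG_DIR:-/var/log/clamav}"

# clamd_alive SOCKET -> 0 when clamd answers PONG to a newline-terminated PING command
clamd_alive() {
    [ -S "$1" ] || return 1
    [ "$(printf 'PING\n' | nc -U "$1" 2>/dev/null)" = "PONG" ]
}

# infected_count LOG -> the number on the "Infected files:" summary line, 0 if absent
infected_count() {
    awk -F': ' '/^Infected files:/ { n = $2 } END { print n + 0 }' "$1"
}

# found_paths LOG -> one detected path per line, taken from "<path>: <signature> FOUND"
found_paths() {
    sed -n 's/^\(.*\): [^:]* FOUND$/\1/p' "$1"
}

# report LOG -> prints one OK/ALERT line for cron mail or a log shipper; returns 1 on detections
report() {
    n=$(infected_count "$1")
    if [ "$n" -gt 0 ]; then
        printf 'ALERT host=%s infected=%s paths="%s"\n' "$(uname -n)" "$n" \
            "$(found_paths "$1" | tr '\n' ';')"
        return 1
    fi
    printf 'OK host=%s infected=0\n' "$(uname -n)"
}

# scan_and_report PATH... -> the scheduled scan; returns 2 if clamd is down or the scan errors
scan_and_report() {
    log="$LOG_DIR/weekly-scan-$(date +%Y%m%d).log"
    clamd_alive "$SOCKET" || { echo "ERROR: clamd not answering on $SOCKET"; return 2; }
    /usr/local/bin/clamdscan -l "$log" "$@" >/dev/null 2>&1
    rc=$?
    [ "$rc" -eq 2 ] && { echo "ERROR: clamdscan failed, see $log"; return 2; }
    report "$log"
}

# Constructed sample log in the format clamscan/clamdscan -l writes (compare the EICAR run above)
SAMPLE_LOG="${TMPDIR:-/tmp}/clamav-sample-$$.log"
cat > "$SAMPLE_LOG" << 'EOF'
/tmp/eicar-test.txt: Eicar-Signature FOUND
/home/app/uploads/x.bin: Win.Test.EICAR_HDB-1 FOUND
----------- SCAN SUMMARY -----------
Infected files: 2
EOF
```

In the crontab, replace the clamdscan line with a call such as `scan_and_report /etc /bin /usr /var` from this script; cron then mails the OK/ALERT line and the exit code distinguishes detections (1) from a scanner that did not run (2).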
VI. Command summary
mkdir -p /yuanben/soft
Upload clamav-1.0.0.linux.x86_64.rpm
cd /yuanben/soft
yum install clamav-1.0.0.linux.x86_64.rpm
clamscan --version
# Create the directories ClamAV needs at runtime
mkdir -p /var/lib/clamav
mkdir -p /var/log/clamav
mkdir -p /var/run/clamav
# The configuration files freshclam.conf and clamd.conf live in /usr/local/etc
cat > /usr/local/etc/clamd.conf << 'EOF'
LogFile /var/log/clamav/clamd.log
LogFileMaxSize 2M
LogTime yes
PidFile /var/run/clamav/clamd.pid
DatabaseDirectory /var/lib/clamav
LocalSocket /var/run/clamav/clamd.socket
MaxConnectionQueueLength 30
StreamMaxLength 25M
MaxThreads 3
MaxQueue 60
ExcludePath ^/proc/
ExcludePath ^/sys/
ExcludePath ^/dev/
ExcludePath ^/var/cache
ExcludePath \.(iso|tar\.gz|tar\.bz2|vmdk|vhd|ova)$
SelfCheck 3600
MaxScanSize 50M
MaxFileSize 25M
MaxRecursion 8
MaxFiles 3000
EOF
cat > /usr/local/etc/freshclam.conf << 'EOF'
DatabaseDirectory /var/lib/clamav
UpdateLogFile /var/log/clamav/freshclam.log
LogFileMaxSize 2M
LogTime yes
PidFile /var/run/freshclam.pid
DatabaseOwner root
DatabaseMirror db.cn.clamav.net
EOF
# Edit with vi or another editor if needed
vi /usr/local/etc/freshclam.conf
vi /usr/local/etc/clamd.conf
# Test the freshclam configuration
freshclam --config-file=/usr/local/etc/freshclam.conf --datadir=/var/lib/clamav
# Update
freshclam
# Check the version
freshclam -V
# Check the virus database files
ls -la /var/lib/clamav/
# Start the scanning daemon
clamd --config-file=/usr/local/etc/clamd.conf
# Check the process
ps -ef | grep clamd
# Check that the socket file was created
ls -la /var/run/clamav/clamd.socket
# View the log
tail -f /var/log/clamav/clamd.log
# Locate the clamd binary
which clamd
/usr/local/sbin/clamd
# Check the process and stop the manually started clamd before systemd takes over
ps -ef | grep clamd
kill -9 <pid>
# Create the systemd service file clamd.service
Upload it to /etc/systemd/system/ (or write it with the heredoc below)
cat > /etc/systemd/system/clamd.service << 'EOF'
[Unit]
Description=clamd-service
After=syslog.target network.target
[Service]
Type=forking
# PIDFile matches PidFile in clamd.conf so that $MAINPID is the daemon's real PID
PIDFile=/var/run/clamav/clamd.pid
ExecStart=/usr/local/sbin/clamd -c /usr/local/etc/clamd.conf
# SIGTERM tells clamd to exit cleanly; SIGUSR2 only makes it reload the database
ExecStop=/bin/kill -TERM $MAINPID
ExecReload=/bin/kill -USR2 $MAINPID
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
ll /etc/systemd/system/
# Reload systemd
systemctl daemon-reload
# Start the service
systemctl start clamd
# Check the status
systemctl status clamd
# Enable at boot
systemctl enable clamd
Test
# Create the EICAR test file
echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > /tmp/eicar-test.txt
clamdscan -l /var/log/clamav/daily-scan-111.log /tmp
/usr/local/bin/clamdscan -l /var/log/clamav/daily-scan-111.log /tmp
rm -rf /tmp/eicar-test.txt
# Edit the crontab
crontab -e
# update every day at 02:00
0 2 * * * /usr/local/bin/freshclam --quiet --datadir=/var/lib/clamav
# scan the system every Sunday at 03:00 and write a report
0 3 * * 0 /usr/local/bin/clamdscan -l /var/log/clamav/weekly-scan-$(date +\%Y\%m\%d).log /etc /bin /usr /var
# List the current user's cron jobs
crontab -l
# Check the cron service status
systemctl status crond
# Check the cron log (if something goes wrong)
tail -f /var/log/cron
# Check the log to verify updates
tail -f /var/log/clamav/freshclam.log
# Check the scan logs
ls -la /var/log/clamav/
Run a test right away
clamdscan -l /var/log/clamav/ceshi.log /etc /bin /usr /var
/usr/local/bin/clamdscan -l /var/log/clamav/ceshi.log /etc /bin /usr /var