Hardening Linux
Real-Time Antivirus with ClamAV & Auto-Quarantine

If you’ve ever tried to set up ClamAV for real-access scanning on a modern, hardened distro like Ubuntu 24, Fedora 43 or any other Linux distro, you know it’s not as simple as "install and run." Between Systemd sandboxing, SELinux policies, and recent security updates to the ClamAV engine, there are several "boss fights" you have to win.
This guide walks through setting up ClamOnAcc to monitor your ~/Downloads folder and automatically move threats to a quarantine folder the moment they touch your disk.
ClamAV is packaged by most Linux distributions. This guide covers Fedora (dnf) and Ubuntu (apt); for another distro, swap in its package manager and that distro's package, config and service names, and the remaining steps are the same. Now, let's dive in!
The Challenge
Standard ClamAV is an on-demand scanner: you run clamscan or clamdscan by hand. To make it "live" we need clamonacc, the on-access daemon that uses the kernel's fanotify interface to check files as they are opened and written. However, the default sandboxing on a modern distro (systemd hardening, SELinux) will initially block the antivirus from touching or moving files in your home directory. We're going to fix that.
Step 1: Install and Configure the Engine
First, install the packages. The names below are Fedora's; on Debian/Ubuntu the daemon is packaged as clamav-daemon (config in /etc/clamav/clamd.conf, service clamav-daemon, running as the clamav user), so substitute those names in the later steps.
apt for Ubuntu/Debian, dnf for Fedora:
sudo apt install clamav clamav-daemon clamav-freshclam
sudo dnf install clamav clamav-update clamd
Then fetch signatures once with sudo freshclam (or enable the clamav-freshclam service so they stay current): clamd will not start with an empty database directory.
Next, edit your scan configuration:
sudo nano /etc/clamd.d/scan.conf
Ensure these lines are active (uncommented):
LogFile /var/log/clamd.scan
LocalSocket /run/clamd.scan/clamd.sock
OnAccessPrevention yes
OnAccessExcludeRootUID yes
OnAccessPrevention makes clamonacc block each open() until clamd returns a verdict, denying it if the file is infected; OnAccessExcludeRootUID keeps root's own file accesses, including the daemon's and the quarantine hook's, from being rescanned in a loop.
Add these lines:
User root
VirusEvent /usr/local/bin/clamav-quarantine.sh
User root is required for the kernel-level file monitoring and so that scanning and the VirusEvent hook have enough rights to read and move files in any home directory; VirusEvent names the script that runs on every detection.
Add as many folders as you like with OnAccessIncludePath, even an entire tree such as /home; these directories will be watched for threats. Replace YOUR_USER with your user name and add the line:
OnAccessIncludePath /home/YOUR_USER/Downloads
If you watch a parent directory such as /home, exclude the quarantine folder, otherwise every file the hook moves into it is scanned (and flagged) again. Add the line:
OnAccessExcludePath /home/YOUR_USER/Quarantine
Step 2: Create the Secure Quarantine Script
Recent ClamAV releases no longer substitute the %f (file name) placeholder into the VirusEvent command: the name would have gone straight into a shell command line, so an attacker-chosen file name could have injected extra commands. The hook must instead read the file path and signature name from the environment variables ClamAV sets, CLAM_VIRUSEVENT_FILENAME and CLAM_VIRUSEVENT_VIRUSNAME.
Create the quarantine folder as your normal user, so it is owned by you, and keep it private so other accounts cannot read what lands in it:
mkdir -m 700 ~/Quarantine
Create the script:
sudo nano /usr/local/bin/clamav-quarantine.sh
Paste the following:
#!/bin/bash
# Quarantine hook run on every detection. ClamAV exports the path of the
# infected file and the signature name in these two variables (no %f substitution).
FILE_TO_MOVE="$CLAM_VIRUSEVENT_FILENAME"
VIRUS_NAME="$CLAM_VIRUSEVENT_VIRUSNAME"
DESTINATION="/home/YOUR_USER/Quarantine/"
LOG="/var/log/clamav_mover.log"
TIMESTAMP=$(date "+%Y-%m-%d %H:%M:%S")

# Nothing to do if ClamAV did not hand us a path.
if [ -z "$FILE_TO_MOVE" ]; then exit 1; fi

# Attempt to move the file. "--" stops a file name beginning with "-" from being
# read as an option; -f overwrites a same-named file already in quarantine.
if /usr/bin/mv -f -- "$FILE_TO_MOVE" "$DESTINATION" 2>> "$LOG"; then
    echo "[$TIMESTAMP] SUCCESS: $FILE_TO_MOVE ($VIRUS_NAME) moved." >> "$LOG"
else
    # Fallback: if the move fails (quarantine folder missing or not writable),
    # delete the file rather than leave the threat in place.
    /usr/bin/rm -f -- "$FILE_TO_MOVE"
    echo "[$TIMESTAMP] MOVE FAILED: File $FILE_TO_MOVE deleted instead." >> "$LOG"
fi
Make it executable:
sudo chmod +x /usr/local/bin/clamav-quarantine.sh
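As an added example (not the post's own script), here is a variant of the hook with the same contract: it reads CLAM_VIRUSEVENT_FILENAME and CLAM_VIRUSEVENT_VIRUSNAME, but refuses symlinks, never overwrites an earlier sample, strips all permission bits from what it quarantines, and ships with a self-test that exercises it in a temporary tree with a constructed harmless file, so you can check the hook before a real detection. QUARANTINE_DIR and QUARANTINE_LOG are hypothetical environment overrides of my own, not ClamAV settings; the default destination still uses the YOUR_USER placeholder from above.

```shell
#!/bin/sh
# Added example, not the post's own script: the same VirusEvent contract
# (CLAM_VIRUSEVENT_FILENAME / CLAM_VIRUSEVENT_VIRUSNAME) with collision-safe
# names, an anti-symlink check, and a self-test that needs no real detection.
# QUARANTINE_DIR and QUARANTINE_LOG are hypothetical overrides, not ClamAV settings.

# quarantine_file SRC VIRUS DEST LOG
# Moves SRC into DEST as "<timestamp>-<pid>-<name>", strips every permission
# bit so the sample cannot be run by accident, logs the event and prints the
# final path. Returns 1 (deleting nothing) if the move is unsafe or fails.
quarantine_file() {
    src=$1; virus=$2; dest=$3; log=$4
    [ -n "$src" ] || return 1
    # fanotify reports a real path, but refuse symlinks and non-regular files anyway
    [ -f "$src" ] && [ ! -L "$src" ] || return 1
    [ -d "$dest" ] || return 1
    stamp=$(date "+%Y%m%d-%H%M%S")
    target="$dest/$stamp-$$-$(basename -- "$src")"
    n=0
    while [ -e "$target" ]; do          # never overwrite an earlier sample
        n=$((n + 1))
        target="$dest/$stamp-$$-$n-$(basename -- "$src")"
    done
    if mv -- "$src" "$target" 2>>"$log"; then
        chmod 000 "$target"
        printf '[%s] QUARANTINED %s (%s) -> %s\n' "$stamp" "$src" "$virus" "$target" >>"$log"
        printf '%s\n' "$target"
        return 0
    fi
    printf '[%s] MOVE FAILED %s (%s)\n' "$stamp" "$src" "$virus" >>"$log"
    return 1
}

# hook_main: the entry point ClamAV invokes; it only sees the two exported variables.
hook_main() {
    quarantine_file "${CLAM_VIRUSEVENT_FILENAME:-}" "${CLAM_VIRUSEVENT_VIRUSNAME:-}" \
        "${QUARANTINE_DIR:-/home/YOUR_USER/Quarantine}" \
        "${QUARANTINE_LOG:-/var/log/clamav_mover.log}"
}

# selftest: exercise the hook in a temp tree with a constructed, harmless file
# and the environment clamd would provide. Returns 0 when the file has left
# "Downloads", sits in quarantine with mode 000, the log has the entry, and a
# symlink planted in Downloads is refused rather than moved.
selftest() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/Downloads" "$tmp/Quarantine"
    printf 'constructed sample, not malware\n' >"$tmp/Downloads/sample.sh"
    chmod 755 "$tmp/Downloads/sample.sh"
    out=$(CLAM_VIRUSEVENT_FILENAME="$tmp/Downloads/sample.sh" \
          CLAM_VIRUSEVENT_VIRUSNAME="Constructed.Test.Signature" \
          QUARANTINE_DIR="$tmp/Quarantine" QUARANTINE_LOG="$tmp/mover.log" hook_main) || return 1
    [ ! -e "$tmp/Downloads/sample.sh" ] || return 1
    [ -f "$out" ] && [ ! -x "$out" ] || return 1
    grep -q 'QUARANTINED .*Constructed.Test.Signature' "$tmp/mover.log" || return 1
    ln -s /etc/passwd "$tmp/Downloads/link"
    ! quarantine_file "$tmp/Downloads/link" "x" "$tmp/Quarantine" "$tmp/mover.log" || return 1
    [ -L "$tmp/Downloads/link" ] || return 1
    rm -f "$tmp/Downloads/link"
    chmod -R u+rwx "$tmp" && rm -rf "$tmp"
}

if [ "${1:-}" = selftest ]; then
    selftest && echo "selftest passed"
elif [ -n "${CLAM_VIRUSEVENT_FILENAME:-}" ]; then
    hook_main
fi
```

Run it once as sh /usr/local/bin/clamav-quarantine.sh selftest (or whatever path you save it under) before pointing VirusEvent at it. Two deliberate differences from the script above: a failed move leaves the file where it is and returns non-zero instead of deleting it, because a root-run hook that deletes on any error is a destruction primitive, and clamonacc keeps denying opens on the flagged file anyway while OnAccessPrevention is on; and quarantined samples get mode 000 so nobody double-clicks one by mistake (use sudo to inspect them).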
Step 3: Escaping the Systemd Sandbox
Fedora's systemd unit for clamd is sandboxed: ProtectHome hides /home from it, so the quarantine hook it runs cannot move anything there, and the other hardening directives get in the way of the mover script. We need an override. Each line below switches off one protection, so drop only what you need: ProtectHome=false is the one the quarantine step cannot do without, PrivateTmp=false only matters if you also watch /tmp, and ProtectSystem only makes /usr, /boot and (with full) /etc read-only, which neither clamd nor the hook needs to write, so try keeping it before setting it to false.
Run:
sudo systemctl edit clamd@scan
An editor opens on a new drop-in file; paste this block above the comment saying that the lines below it are discarded:
[Service]
User=root
Group=root
ProtectHome=false
ProtectSystem=false
PrivateTmp=false
NoNewPrivileges=no
Step 4: Defeating the Final Boss (SELinux)
Even as root, SELinux confines the daemon in the antivirus_t domain, which is not allowed to move or delete files in home directories. To fix this without disabling SELinux entirely, make just that domain permissive: its denials are still logged to the audit log but no longer enforced, while every other domain stays enforcing. A tighter alternative once things work is to leave the domain enforcing, collect the denials with ausearch -m AVC -c clamd, and compile only those into a custom module with audit2allow (also in policycoreutils-python-utils).
# Install tools if missing
sudo dnf install policycoreutils-python-utils
# Set antivirus to permissive mode
sudo semanage permissive -a antivirus_t
# Allow general antivirus system scanning
sudo setsebool -P antivirus_can_scan_system 1
Step 5: Automating the Monitor
We will create a clamonacc service that starts watching our folders at boot.
- Create the service:
sudo nano /etc/systemd/system/clamonacc.service
- Paste this:
[Unit]
Description=ClamAV On-Access Scanner
Requires=clamd@scan.service
After=clamd@scan.service network.target
[Service]
Type=simple
User=root
ExecStart=/usr/bin/clamonacc --config-file=/etc/clamd.d/scan.conf --foreground
Restart=on-failure
[Install]
WantedBy=multi-user.target
Step 6: Start and Test
Reload systemd and start everything:
sudo systemctl daemon-reload
sudo systemctl enable --now clamd@scan
sudo systemctl enable --now clamonacc
The Moment of Truth:
Create a harmless test file containing the EICAR test string in your Downloads (keep the single quotes: the $ signs are part of the string, not shell variables):
echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > ~/Downloads/test.txt
Within a second or two the file should vanish from ~/Downloads and appear in ~/Quarantine, with a SUCCESS line in /var/log/clamav_mover.log. If it doesn't, check journalctl -u clamonacc -u clamd@scan for errors and work back through each step for anything you missed.
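As an added check, not part of the original post: rather than watching the folder by hand, this script confirms both services are up, drops an EICAR file in the watched directory, polls for the hook to move it with a timeout, and prints the log tail or the journal when it does not. It assumes the tutorial's paths and service names (clamd@scan, clamonacc, the /run/clamd.scan/clamd.sock socket, ~/Downloads, ~/Quarantine, /var/log/clamav_mover.log); the sample file name eicar-check-<pid>.txt is my own.

```shell
#!/bin/sh
# Added example, not from the original post: an end-to-end check of the
# on-access pipeline with a timeout and diagnostics. Paths and unit names
# follow the tutorial; override them with the three optional arguments.

# eicar_string: the 68-byte EICAR test string, printed without a trailing
# newline. Single quotes matter: the "$" characters are part of the string.
eicar_string() {
    printf '%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
}

# wait_until_gone FILE SECONDS: poll until FILE no longer exists (the hook
# moved it) or the timeout expires. Returns 0 if it disappeared, 1 on timeout.
wait_until_gone() {
    file=$1; deadline=$(( $(date +%s) + $2 ))
    while [ -e "$file" ]; do
        [ "$(date +%s)" -lt "$deadline" ] || return 1
        sleep 0.2
    done
    return 0
}

# preflight: both units running and the clamd socket present, otherwise the
# test file would just sit there and tell us nothing.
preflight() {
    systemctl is-active --quiet clamd@scan || { echo "clamd@scan is not running"; return 1; }
    systemctl is-active --quiet clamonacc || { echo "clamonacc is not running"; return 1; }
    [ -S /run/clamd.scan/clamd.sock ] || { echo "clamd socket missing"; return 1; }
}

# run_check [WATCHED] [QUARANTINE] [LOG]: write the EICAR file into the watched
# folder, give the hook up to 10 s, then show where it went (or why it did not).
run_check() {
    watched="${1:-$HOME/Downloads}"; quarantine="${2:-$HOME/Quarantine}"
    log="${3:-/var/log/clamav_mover.log}"
    sample="$watched/eicar-check-$$.txt"
    eicar_string >"$sample"               # close-after-write triggers the scan
    if wait_until_gone "$sample" 10; then
        echo "OK: $sample was removed from $watched"
        ls -l "$quarantine" | grep -- "eicar-check-$$" \
            || echo "WARN: not found in $quarantine (deleted by the fallback branch?)"
        sudo tail -n 3 "$log"
        return 0
    fi
    echo "FAIL: $sample still present after 10s"
    sudo journalctl -u clamonacc -u clamd@scan --no-pager -n 20
    rm -f -- "$sample"                    # clean up our own test file
    return 1
}

if [ "${1:-}" = run ]; then
    shift
    preflight && run_check "$@"
fi
```

Invoke it as sh check-onaccess.sh run (the file name is my own) from your normal user account; sudo is only used for reading the root-owned log and journal. A timeout, rather than a fixed sleep, keeps the check honest: a pass means the file really was moved, and a fail points you at the service logs instead of at the folder.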
If you found this post useful, please share it with your network. Thank you!


