The guide walks through installing ClamAV on Ubuntu 22.04 LTS, first recommending the optional ubuntu-security/clamav-updates PPA so you get newer virus signatures than the distro’s default package. It then shows how to install the clamav and clamav-daemon packages, manually run freshclam after stopping its service, and restart it so the daemon uses the updated database. Optional steps include enabling the on‑access scanner by starting the clamav-daemon socket (opening TCP port 3310) and using example clamscan commands to recursively scan a home directory with logging or to scan only newly added files. Finally, it advises adding a nightly cron job for automatic freshclam updates and lowering scan priority with nice to keep system performance responsive during large scans.



How to Install ClamAV on Ubuntu 22.04 LTS

If you’ve ever wondered whether a Linux box needs an antivirus at all, the short answer is “maybe.” I ran into a nasty ransomware dropper that tried to encrypt a couple of backup folders on my home server last year – it was caught by ClamAV’s real‑time scanner before any damage was done. Below is the no‑fluff way to get ClamAV up and running on Ubuntu 22.04 LTS, plus a few handy scan commands.

Add the official repository (optional but recommended)

Ubuntu ships with an older ClamAV package in its default repos. The newer version from the official PPA has better signatures and faster updates.

sudo add-apt-repository ppa:ubuntu-security/clamav-updates

Running add-apt-repository registers the PPA so your system knows where to pull fresh virus definitions. Skipping this step isn’t fatal, but you’ll be chasing older patterns.

Install the core packages

sudo apt update
sudo apt install clamav clamav-daemon

clamav gives you the command‑line scanner (clamscan, clamdscan). The clamav-daemon package installs the background service that lets other programs query it without launching a full scan each time.

Pull the latest virus database

ClamAV ships with a tiny stub DB; you need to fetch the real thing before any scans will be useful.

sudo systemctl stop clamav-freshclam.service
sudo freshclam
sudo systemctl start clamav-freshclam.service

Stopping freshclam prevents it from fighting with your manual update. After freshclam finishes, restart the service so the daemon can use the new signatures.

Enable the on‑access scanner (optional)

If you want files checked as soon as they land on disk, enable the clamav-daemon socket and configure clamd.conf.

sudo systemctl enable clamav-daemon
sudo systemctl start clamav-daemon

Edit /etc/clamav/clamd.conf and uncomment (or add) TCPSocket 3310. That opens a local TCP port the daemon listens on, which tools like amavis or mod_security can talk to.
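
TCPSocket on its own makes clamd listen on every interface, and the daemon's protocol has no authentication, so the setting is usually paired with the clamd.conf option TCPAddr. The added example below (not part of the original guide) checks a config file for that pairing; the function names and the two sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): check clamd.conf for a TCP
# listener that is reachable beyond loopback.

# Print every value set for OPTION in FILE, skipping commented-out lines.
conf_values() {  # usage: conf_values OPTION FILE
    awk -v key="$1" '/^[ \t]*#/ { next } $1 == key { print $2 }' "$2"
}

# Return 0 when no TCP listener is configured or it is loopback-only, else 1.
audit_clamd_tcp() {  # usage: audit_clamd_tcp FILE
    port=$(conf_values TCPSocket "$1" | tail -n 1)
    if [ -z "$port" ]; then
        echo "OK: no TCPSocket set"
        return 0
    fi
    # TCPAddr may appear several times; every address must be loopback.
    addrs=$(conf_values TCPAddr "$1")
    if [ -z "$addrs" ]; then
        echo "WARN: TCPSocket $port without TCPAddr: clamd binds every interface"
        return 1
    fi
    for addr in $addrs; do
        case "$addr" in
            127.*|::1|localhost) ;;   # loopback forms
            *) echo "WARN: TCPSocket $port bound to non-loopback $addr"; return 1 ;;
        esac
    done
    echo "OK: TCPSocket $port bound to loopback only"
    return 0
}

# Constructed sample configs: the guide's setting alone, then the hardened pair.
demo_dir=$(mktemp -d)
printf 'LocalSocket /var/run/clamav/clamd.ctl\nTCPSocket 3310\n' \
    > "$demo_dir/weak.conf"
printf 'LocalSocket /var/run/clamav/clamd.ctl\nTCPSocket 3310\nTCPAddr 127.0.0.1\n' \
    > "$demo_dir/hardened.conf"

audit_clamd_tcp "$demo_dir/weak.conf" || true   # reports the exposed listener
audit_clamd_tcp "$demo_dir/hardened.conf"       # passes
rm -rf "$demo_dir"
```

The file only shows the intended configuration; `ss -ltn` on the host shows which address port 3310 is actually bound to.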

Basic scan examples

Quick home directory scan

clamscan -r --bell --log=/tmp/clamav.log "$HOME"

  • -r tells ClamAV to recurse into subfolders.
  • --bell rings the terminal bell when a threat is found – handy if you’re running it in the background.
  • --log writes results to a file so you can review later.

Scanning only newly added files

If you keep an “incoming” drop folder for uploads, limit the scan to that path:

clamscan -i /srv/uploads

The -i flag suppresses clean‑file messages, giving you a concise list of infected items.

Automate daily updates

Even with the PPA, it’s easy to miss a definition refresh if you never reboot. Add a cron entry:

0 2 * * * /usr/bin/freshclam --quiet

Running at 2 am avoids peak usage times and keeps your DB current without manual intervention.

A word on performance

ClamAV isn’t the fastest scanner, especially on older CPUs. If you see noticeable I/O lag during large scans, lower the CPU priority:

nice -n 10 clamscan -r /var/www

The nice command tells Linux to run the scan with a lower scheduling weight, so your web server stays responsive.

That’s it – ClamAV is now ready to sniff out anything that slips past the usual Linux safety net. Give it a whirl on a test folder before you point it at critical data; once you see it catching junk, you’ll wonder how you ever lived without it.