Does Linux Mint Really Need Antivirus?
Linux Mint is one of the most secure desktop operating systems available, but "more secure than Windows" does not mean immune to threats. In 2026, real risks for Linux Mint users include malicious scripts downloaded from the web, infected files shared with Windows users, email attachments carrying cross-platform malware, and rogue packages from untrusted PPAs. ClamAV — the world's leading open-source antivirus engine — gives you a reliable, lightweight scanner that keeps your system and the files you share with others clean.
This guide walks you through installing ClamAV, keeping its virus database current with FreshClam, running manual and scheduled scans, using the ClamTK graphical interface, and setting up real-time on-access scanning — all on Linux Mint 21 / 22 (Cinnamon, XFCE, or MATE).
Step 1 — Install ClamAV and FreshClam
Open a terminal (Ctrl + Alt + T) and run the following commands to update your package list and install both the ClamAV scanner and its automatic virus-database updater:
sudo apt update
sudo apt install clamav clamav-freshclam -y
This installs two key components:
- clamscan — the command-line scanner you run manually or via cron
- freshclam — a background service that pulls the latest virus signatures from ClamAV's mirror network several times a day
After installation, verify that both are present:
clamscan --version
freshclam --version
You should see output similar to ClamAV 1.x.x. If the command is not found, run sudo apt install --reinstall clamav and try again.
Step 2 — Update the Virus Signature Database
ClamAV will refuse to scan until it has a valid signature database. The freshclam service normally handles this automatically, but right after a fresh install the database may not exist yet. Update it manually before your first scan:
sudo systemctl stop clamav-freshclam
sudo freshclam
sudo systemctl start clamav-freshclam
You will see freshclam downloading the main, daily, and bytecode databases. This takes one to three minutes depending on your connection speed. Once complete, enable the service so it runs on every boot:
sudo systemctl enable clamav-freshclam
sudo systemctl status clamav-freshclam
The status output should show active (running). FreshClam checks for new definitions every hour by default, so your database will stay current without any manual effort.
Step 3 — Run Your First Scan
With an up-to-date database, you are ready to scan. The most common command scans your entire home directory, reports infected files, and skips files it cannot read:
clamscan -r --bell -i /home/$USER
- -r — recursive (scan subdirectories)
- --bell — sound an alert when a threat is found
- -i — print only infected files (keeps output clean)
To scan a specific folder such as your Downloads directory:
clamscan -r -i ~/Downloads
To scan an external USB drive mounted at /media/yourname/USBDRIVE:
clamscan -r -i /media/$USER/USBDRIVE
For a full system scan (this can take 30–60 minutes on a typical drive):
sudo clamscan -r --bell -i / --exclude-dir="^/sys" --exclude-dir="^/proc" --exclude-dir="^/dev"
The --exclude-dir flags skip virtual kernel filesystems that contain no real files and would otherwise produce thousands of spurious errors.
If ClamAV detects an infected file, you will see a line like:
/home/user/Downloads/suspicious.pdf: Eicar-Signature FOUND
To automatically move infected files to a quarantine directory instead of just reporting them (clamscan does not create the directory, so it must already exist):
clamscan -r -i --move=/home/$USER/quarantine ~/Downloads
Or to delete them immediately (use with caution):
clamscan -r -i --remove ~/Downloads
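The quarantine step above as a small wrapper. This is an added example, not part of the original guide: the function name quarantine_scan and the CLAMSCAN and QUARANTINE variables are hypothetical, and the exit-status meanings (0 clean, 1 detections, 2 error) are the ones documented in the clamscan manual page.

```bash
#!/usr/bin/env bash
# Added example: scan a folder, move detections to a private quarantine,
# and report according to clamscan's documented exit status.
CLAMSCAN="${CLAMSCAN:-clamscan}"              # overridable (assumption: on PATH)
QUARANTINE="${QUARANTINE:-$HOME/quarantine}"  # path used in the guide

quarantine_scan() {
    local target="$1" rc
    # clamscan does not create the --move directory; make it owner-only.
    mkdir -p "$QUARANTINE" && chmod 700 "$QUARANTINE" || return 2
    # Exclude the quarantine so later scans of $HOME do not re-flag its contents.
    # Note: --exclude-dir takes a regex, so unusual characters in the path
    # would need escaping.
    "$CLAMSCAN" -r -i --move="$QUARANTINE" \
        --exclude-dir="^$QUARANTINE" "$target"
    rc=$?
    case "$rc" in
        0) echo "clean: $target" ;;
        1) echo "detections moved to $QUARANTINE; review before deleting" ;;
        *) echo "scan error (exit $rc); results are incomplete" >&2 ;;
    esac
    return "$rc"
}

# Usage: quarantine_scan ~/Downloads
```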
Step 4 — Install ClamTK (Graphical Interface)
If you prefer a point-and-click interface, ClamTK provides a clean GTK front-end for ClamAV that integrates with the Nemo file manager right-click menu:
sudo apt install clamtk -y
After installation, find ClamTK in your application menu under System Tools. The interface lets you:
- Scan a file or folder with a single click
- Review scan history and quarantine
- Schedule automatic scans (daily, weekly)
- Manage proxy settings for signature updates
To add a right-click "Scan with ClamAV" option in Nemo:
sudo apt install clamtk-nautilus -y
Then restart Nemo:
nemo -q && nemo &
You can now right-click any file or folder in the file manager and choose Scan for threats.
Step 5 — Schedule Automatic Scans with Cron
Manual scans are useful but easy to forget. Set up a weekly automated scan of your home directory using cron. Open your crontab:
crontab -e
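Add the following line to run a scan every Sunday at 2:00 AM and save the results to a log file. Cron is only guaranteed to set HOME, LOGNAME, and SHELL, not USER, so the entry uses $HOME:
0 2 * * 0 clamscan -r -i "$HOME" >> "$HOME/clamav-scan.log" 2>&1
To also receive a desktop notification when the scan finishes, use this extended version. The commands are joined with ; rather than && because clamscan exits with status 1 when it finds an infected file, which would suppress the notification exactly when it matters. notify-send also needs the address of your session bus when started from cron; on a systemd session it is at /run/user/<uid>/bus:
0 2 * * 0 clamscan -r -i "$HOME" >> "$HOME/clamav-scan.log" 2>&1; DBUS_SESSION_BUS_ADDRESS="unix:path=/run/user/$(id -u)/bus" notify-send "ClamAV" "Weekly scan complete. Check ~/clamav-scan.log for results."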
Review the log any time with:
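tail -n 50 ~/clamav-scan.log
If the summary at the bottom of the log shows Infected files: 0, the most recent scan found nothing. Because the log is appended to every week, FOUND lines further up belong to earlier runs.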
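Since the cron entry appends every weekly run to the same file, a plain search for FOUND mixes old and new results. The following added example (not part of the original guide) reports only the latest completed run; the function names and the trimmed sample log are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: report only the most recent completed run from a clamscan
# log that cron appends to every week.

# Constructed sample: week 1 has a detection, week 2 is clean.
sample_log() {
    cat <<'EOF'
/home/user/Downloads/suspicious.pdf: Eicar-Signature FOUND

----------- SCAN SUMMARY -----------
Scanned files: 3120
Infected files: 1
Time: 412.118 sec (6 m 52 s)

----------- SCAN SUMMARY -----------
Scanned files: 3144
Infected files: 0
Time: 398.502 sec (6 m 38 s)
EOF
}

# last_scan_report LOG  ->  0 = clean, 1 = detections, 2 = no finished scan
last_scan_report() {
    awk '
        / FOUND$/ { hits[n++] = $0 }        # "path: Signature FOUND"
        /^Infected files: / {               # summary line closes one run
            count = $3; seen = 1; m = n
            for (i = 0; i < n; i++) last[i] = hits[i]
            n = 0
        }
        END {
            if (!seen) { print "no completed scan in log"; exit 2 }
            printf "infected=%d\n", count
            for (i = 0; i < m; i++) print last[i]
            exit (count > 0 ? 1 : 0)
        }' "$1"
}

# A plain `grep FOUND` would still show the week-1 hit; this reports week 2.
sample_log | last_scan_report - || echo "exit status: $?"
```

Run it against the real log with last_scan_report ~/clamav-scan.log; a return status of 2 means the last scan never wrote its summary, for example because the machine was powered off at 2:00 AM.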
Bonus: Enable On-Access Real-Time Scanning (Advanced)
ClamAV supports on-access scanning via the clamonacc daemon, which monitors directories in real time and alerts you the moment a suspicious file appears. This feature requires the ClamAV daemon (clamd) to be running:
sudo apt install clamav-daemon -y
sudo systemctl enable clamav-daemon
sudo systemctl start clamav-daemon
Edit the ClamAV daemon configuration to enable on-access scanning:
sudo nano /etc/clamav/clamd.conf
Find and set (or add) the following lines:
OnAccessIncludePath /home
OnAccessPrevention yes
OnAccessExcludeUname clamav
Save the file (Ctrl + O, then Ctrl + X) and restart the daemon:
sudo systemctl restart clamav-daemon
Then start clamonacc in the background:
sudo clamonacc --log=/var/log/clamonacc.log --fdpass &
On-access scanning adds a small CPU overhead but gives you the closest equivalent to traditional real-time antivirus protection on Linux Mint. For most desktop users, scheduled weekly scans combined with FreshClam auto-updates provide more than adequate protection without the performance impact.
Frequently Asked Questions
Does Linux Mint need antivirus software?
Linux Mint is significantly more secure than Windows out of the box, but antivirus software is still useful if you regularly share files with Windows users, download files from unknown sources, or handle sensitive data. ClamAV is free, open-source, and has minimal impact on system performance, making it a sensible addition to any Linux Mint setup.
Why does clamscan say "No such file or directory" for the database?
This usually means freshclam has not yet downloaded the virus signature database. Run sudo systemctl stop clamav-freshclam && sudo freshclam && sudo systemctl start clamav-freshclam to force an immediate update. If freshclam fails with a network error, check your DNS settings and ensure port 443 is not blocked by a firewall.
How often should I run a full system scan?
For typical desktop use, a weekly scheduled scan of your home directory is sufficient. If you frequently download files or receive email attachments, run a manual scan of your Downloads folder after each session. A full system scan once a month is a good practice for users who want comprehensive coverage.
Can ClamAV remove malware automatically?
Yes — use the --remove flag with clamscan to delete infected files automatically, or --move=/path/to/quarantine to isolate them safely. Use --remove with caution: if ClamAV produces a false positive, the file will be permanently deleted. The quarantine approach is safer for review before deletion.
Will ClamAV slow down my Linux Mint system?
The clamscan command-line tool only uses CPU while actively scanning, so it will not slow your system during normal use. The clamav-freshclam service uses a small amount of network bandwidth a few times per day for database updates. On-access scanning via clamonacc adds a slight overhead but is barely noticeable on modern hardware. Scheduled scans during off-hours (such as 2:00 AM via cron) eliminate any impact on daily work.