Malware infections on Linux web servers don't announce themselves — compromised PHP files, backdoors injected into WordPress themes, and cryptomining scripts running as nobody quietly drain resources and get your server's IP blacklisted by Google, Spamhaus, or your upstream provider. ClamAV is the most widely deployed open-source antivirus engine for Linux servers, and when combined with automated scheduling and email alerts, it gives Webmin administrators a reliable early-warning system for malware infections. This guide covers the complete setup: installing ClamAV and FreshClam, configuring the daemon, scheduling automated scans, setting up quarantine, and optionally integrating with the Webmin control panel.
Step 1: Install ClamAV on Your Webmin Server
ClamAV consists of three components: clamav (the scanner binary), clamav-daemon (the background scanning daemon clamd), and clamav-freshclam (the virus definition updater).
On Debian/Ubuntu-based systems:
apt update
apt install clamav clamav-daemon -y
On RHEL/CentOS/AlmaLinux/Rocky Linux (EPEL required):
dnf install epel-release -y
dnf install clamav clamd clamav-update -y
FreshClam needs to run once before clamd starts; otherwise clamd fails to start because no signature databases are present:
systemctl stop clamav-freshclam 2>/dev/null
systemctl stop clamav-daemon 2>/dev/null
freshclam
This downloads the latest virus definition databases (main.cvd, daily.cvd, bytecode.cvd) from ClamAV's servers. The initial download can take 1-5 minutes depending on bandwidth. You should see output confirming each database was updated.
systemctl enable clamav-freshclam --now
systemctl enable clamav-daemon --now
On RHEL-based systems, the service names may be clamd@scan and clamav-freshclam.
systemctl status clamav-daemon
clamdscan --version
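In clamd.conf (/etc/clamav/clamd.conf on Debian/Ubuntu, /etc/clamd.d/scan.conf on RHEL-based systems), set:
# Log settings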
LogFile /var/log/clamav/clamav.log
LogTime yes
LogSyslog yes
# Performance limits
MaxThreads 4
MaxDirectoryRecursion 20
MaxFileSize 25M
MaxScanSize 100M
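# Quarantine directory
# clamd.conf has no MoveInfected option, and clamd refuses to start on an unknown option.
# Quarantine at scan time instead, with clamscan or clamdscan --move=/var/quarantine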
# Scan settings
ScanPE yes
ScanELF yes
ScanOLE2 yes
ScanHTML yes
ScanArchive yes
DetectPUA yes
mkdir -p /var/quarantine
chmod 700 /var/quarantine
chown clamav:clamav /var/quarantine
Add exclusions for system directories and large data directories that don't contain web-accessible files:
ExcludePath ^/proc
ExcludePath ^/sys
ExcludePath ^/dev
ExcludePath ^/run
ExcludePath ^/var/lib/mysql
systemctl restart clamav-daemon
clamscan -r --infected --remove=no /home/username/public_html/
-r scans recursively. --infected prints only infected files. --remove=no reports but does not delete (recommended for the first scan — review findings before enabling auto-removal).
clamscan -r --infected --remove=no /home/ 2>/dev/null | tee /tmp/clamav-scan-$(date +%Y%m%d).log
The results are saved to a dated log file in /tmp/.
When clamd is running, clamdscan (with the d) submits scan jobs to the daemon instead of loading the virus database into memory per invocation — significantly faster for large directories:
clamdscan --multiscan --fdpass /home/ 2>/dev/null | tee /tmp/clamdscan-$(date +%Y%m%d).log
cat > /usr/local/bin/clamav-scan.sh << 'SCANEOF'
#!/bin/bash
LOGFILE="/var/log/clamav/scan-$(date +%Y%m%d).log"
EMAIL="admin@yourdomain.com"
SCAN_DIR="/home"
echo "ClamAV Scan Report - $(date)" > "$LOGFILE"
echo "=============================" >> "$LOGFILE"
clamdscan --multiscan --fdpass "$SCAN_DIR" >> "$LOGFILE" 2>&1
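# grep -c prints 0 and exits non-zero when nothing matches, so the fallback
# is set outside the substitution to keep INFECTED a single integer.
INFECTED=$(grep -c " FOUND$" "$LOGFILE" 2>/dev/null) || INFECTED=0
if [ "$INFECTED" -gt 0 ]; then
    mail -s "[ALERT] ClamAV found $INFECTED infected file(s) on $(hostname)" "$EMAIL" < "$LOGFILE"
else
    mail -s "[OK] ClamAV scan clean on $(hostname)" "$EMAIL" < "$LOGFILE"
fi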
SCANEOF
chmod +x /usr/local/bin/clamav-scan.sh
echo "0 2 * * * root /usr/local/bin/clamav-scan.sh" > /etc/cron.d/clamav-scan
/usr/local/bin/clamav-scan.sh
cat /var/log/clamav/scan-$(date +%Y%m%d).log
Go to wbmclamav.esaracco.fr and download the latest release as a .wbm.gz file.
Log in to Webmin → Webmin → Webmin Configuration → Webmin Modules → Install Module → upload the .wbm.gz file → click Install Module.
After installation, ClamAV appears under Webmin → System → ClamAV Antivirus. You can configure update schedules, trigger manual scans, view the quarantine directory, and search the virus database — all without SSH.
grep "FOUND" /var/log/clamav/scan-$(date +%Y%m%d).log
Note the paths. If multiple files in the same directory are infected, or if the same signature appears in multiple accounts, the server may have been compromised at the system level rather than just a single user's files.
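The triage described above can be scripted. The following is an added example, not part of the original guide: it groups FOUND lines by signature and flags any signature that appears in more than one account. The function names, the sample log lines and the signature names are constructed, and it assumes accounts live under /home/<account>/.

```shell
#!/bin/bash
# Added example (not from the original guide). Log lines below are constructed.

# Emit a constructed clamdscan-style log for the demo.
sample_log() {
  cat <<'EOF'
/home/alice/public_html/wp-content/themes/x/footer.php: Example.Php.Webshell-1 FOUND
/home/alice/public_html/cache/a: b.php: Example.Php.Webshell-1 FOUND
/home/bob/public_html/index.php: Example.Php.Webshell-1 FOUND
/home/bob/.cache/kworker: Example.Coinminer-2 FOUND
/home/carol/public_html/readme.html: OK
----------- SCAN SUMMARY -----------
Infected files: 4
EOF
}

# triage_found [LOGFILE]: one line per signature with file and account counts.
triage_found() {
  awk '
    / FOUND$/ {
      line = $0
      sub(/ FOUND$/, "", line)
      # Split on the LAST ": " because file names may contain ": " themselves.
      idx = 0
      while ((p = index(substr(line, idx + 1), ": ")) > 0) idx += p
      if (idx == 0) next
      path = substr(line, 1, idx - 1)
      sig = substr(line, idx + 2)
      files[sig]++
      # Assumption: accounts live under /home/<account>/ as in the guide.
      if (match(path, "^/home/[^/]+")) {
        acct = substr(path, 7, RLENGTH - 6)
        if (!((sig, acct) in seen)) { seen[sig, acct] = 1; accts[sig]++ }
      }
    }
    END {
      for (s in files)
        printf "%s files=%d accounts=%d%s\n", s, files[s], accts[s],
               (accts[s] > 1 ? " MULTI-ACCOUNT" : "")
    }
  ' "$@" | sort
}

sample_log | triage_found
```

Against a real scan, pass the log path instead of the sample, for example triage_found /var/log/clamav/scan-$(date +%Y%m%d).log.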
clamscan -r --move=/var/quarantine /path/to/infected/directory/
Moving preserves the evidence if you need to determine how the infection occurred. Always review quarantined files before permanently deleting them.
Check FTP logs (/var/log/vsftpd.log), SSH logs (/var/log/auth.log), and web access logs for unusual activity around the time of infection.
# Search PHP files for common backdoor patterns: eval(base64... and system($_...
find /home -name "*.php" -exec grep -l "eval(base64" {} \;
find /home -name "*.php" -exec grep -l "system(\$_" {} \;
For Webmin-managed servers where malware detection and incident response need to be part of a broader managed security posture, CloudHouse's managed server service includes scheduled ClamAV scanning, malware alerting, and incident response support.
Conclusion
Setting up ClamAV on a Webmin server takes about 20-30 minutes from installation to automated nightly scanning with email alerts. The key steps are: install ClamAV and run freshclam for the initial signature database, configure clamd.conf with appropriate file size limits and quarantine settings, run a first manual scan to establish a baseline, then set up a cron-scheduled scan script that emails you the results every morning. The optional Webmin module (wbmclamav) adds a browser-based management interface for administrators who prefer not to work in SSH. For production servers where malware detection needs to be part of a managed security programme with rapid incident response, CloudHouse's managed server team handles ClamAV deployment, scheduled scanning, and malware remediation.
