What's Actually Happening

ClamAV antivirus scanner fails to detect known malware. Known malicious files are not being flagged during scans.

The Error You'll See

```bash
$ clamscan -r /home/user

----------- SCAN SUMMARY -----------
Known viruses: 0
Engine version: 0.103.0
Scanned directories: 100
Scanned files: 1000
Infected files: 0
```

Outdated definitions:

```bash
LibClamAV Warning: **************************************************
LibClamAV Warning: ***  The virus database is older than 7 days!  ***
LibClamAV Warning: ***   Please update it immediately!            ***
LibClamAV Warning: **************************************************
```

Database error:

```bash
LibClamAV Error: cl_load(): Can't open/parse file /var/lib/clamav/main.cvd
```

No signatures:

```bash
LibClamAV Warning: No virus database files found
```
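The summary above is the key symptom: "Known viruses: 0" means the engine ran with no signatures loaded, so every file looks clean. The following is an added example, not code from the original article, that turns that symptom and clamscan's documented exit codes (0 clean, 1 infected file found, 2 error) into checks you can run over captured output or in a scheduled job. The SCAN SUMMARY text it consumes is the one shown above; nothing else is assumed.

```shell
#!/bin/sh
# Added example (not from the original article): interpret a clamscan run.
# Both functions work on text and exit codes you already have, so they can
# be run against stored scan output without touching the scanner.

# known_viruses: read a SCAN SUMMARY on stdin and print the "Known viruses"
# count; prints -1 when no such line is present (scan aborted before summary).
known_viruses() {
  awk -F': *' '/^Known viruses:/ {print $2; found=1} END {if (!found) print "-1"}'
}

# summary_check: read a SCAN SUMMARY on stdin; exit 0 if signatures were
# loaded, 1 if the engine scanned with zero signatures (the article's symptom).
summary_check() {
  n=$(known_viruses)
  if [ "$n" -le 0 ]; then
    echo "no signatures loaded (Known viruses: $n): run freshclam and check DatabaseDirectory" >&2
    return 1
  fi
  echo "signatures loaded: $n"
}

# clamscan_status <exit code>: clamscan exits 0 when clean, 1 when at least
# one infected file was found, 2 on an error such as an unreadable database.
clamscan_status() {
  case "$1" in
    0) echo clean ;;
    1) echo infected ;;
    2) echo error ;;
    *) echo unknown ;;
  esac
}

# Usage against a live scan (wrapped so the script runs stand-alone without clamav):
# out=$(clamscan -r /home/user 2>&1); rc=$?
# printf '%s\n' "$out" | summary_check; echo "scan result: $(clamscan_status "$rc")"
```

A scan that exits 0 while "Known viruses" is 0 is the case to alert on: the exit code alone reports "clean", and only the summary shows that nothing could have been detected.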

Why This Happens

  1. Outdated definitions - Virus database not updated
  2. No database files - Missing or corrupted definition files
  3. Scan exclusions - Files excluded from scan
  4. Configuration issues - Wrong scan settings
  5. File size limits - Files too large to scan
  6. Archive limits - Archives not fully scanned
  7. Database path - Wrong database directory

Step 1: Check ClamAV Status

```bash
# Check ClamAV installation:
clamscan --version

# Check freshclam:
freshclam --version

# Check services:
systemctl status clamav-daemon
systemctl status clamav-freshclam

# Check process:
ps aux | grep clam

# Check logs:
journalctl -u clamav-daemon -f
journalctl -u clamav-freshclam -f

# Check database files:
ls -la /var/lib/clamav/

# Expected files:
# main.cvd or main.cld
# daily.cvd or daily.cld
# bytecode.cvd

# Check configuration:
cat /etc/clamav/clamd.conf
cat /etc/clamav/freshclam.conf

# Test scan:
clamscan -r /tmp/test
```

Step 2: Update Virus Definitions

```bash
# Manual update:
freshclam

# Check update status:
freshclam --show-progress

# Verbose update:
freshclam -v

# Force update:
freshclam --force-update

# Check database files after update:
ls -la /var/lib/clamav/

# Check database version:
sigtool --info /var/lib/clamav/main.cvd | grep "Version:"
sigtool --info /var/lib/clamav/daily.cld | grep "Version:"

# Check last update:
stat /var/lib/clamav/daily.cld

# Configure automatic updates:
# In /etc/clamav/freshclam.conf:
UpdateLogFile /var/log/clamav/freshclam.log
LogTime yes
LogVerbose yes
DatabaseOwner clamav
# Check 24 times per day:
Checks 24

# Database mirrors:
DatabaseMirror db.local.clamav.net
DatabaseMirror database.clamav.net

# Restart freshclam:
systemctl restart clamav-freshclam

# Test with known EICAR test file:
echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > /tmp/eicar.com
clamscan /tmp/eicar.com
rm /tmp/eicar.com
```
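The two database conditions the warnings in this article describe, a missing main/daily/bytecode file and a definition set older than the 7 days LibClamAV warns about, are easy to check from a script before a scan is trusted. The example below is added here and is not part of the original article; it assumes the default /var/lib/clamav directory from the article (any other directory can be passed as the first argument) and uses only POSIX sh and find. Only daily is checked for age, because main.cvd is rebuilt rarely and its modification time says nothing about freshness.

```shell
#!/bin/sh
# Added example (not from the original article): report missing or stale
# ClamAV databases. Assumes /var/lib/clamav as the default directory.

# present_database <dir> <name>: print the .cld or .cvd file for <name>,
# whichever exists (freshclam leaves either form), and fail if neither does
present_database() {
  for f in "$1/$2.cld" "$1/$2.cvd"; do
    [ -f "$f" ] && { echo "$f"; return 0; }
  done
  return 1
}

# missing_databases [dir]: list expected databases that exist in neither form
missing_databases() {
  dir=${1:-/var/lib/clamav}
  for name in main daily bytecode; do
    present_database "$dir" "$name" >/dev/null || echo "$name"
  done
}

# stale_databases [dir] [days]: print the daily database if it has not been
# modified in <days> (7 by default, the threshold in the LibClamAV warning).
# find -mtime +N is POSIX, so this works without GNU stat or date.
stale_databases() {
  dir=${1:-/var/lib/clamav}
  days=${2:-7}
  f=$(present_database "$dir" daily) || return 0
  find "$f" -mtime +"$days"
}

# Usage as a pre-scan gate (uncomment on a host with ClamAV installed):
# m=$(missing_databases); s=$(stale_databases)
# [ -z "$m$s" ] || { echo "missing: $m stale: $s" >&2; exit 2; }
```

A missing entry is the "No virus database files found" case; a stale daily file with freshclam's log showing no recent update usually points at the mirror or the DatabaseOwner permissions from Step 3.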

Step 3: Fix Database Issues

```bash
# Check database directory:
ls -la /var/lib/clamav/

# Check database path in config:
grep DatabaseDirectory /etc/clamav/clamd.conf

# Common path:
DatabaseDirectory /var/lib/clamav

# Fix permissions:
chown -R clamav:clamav /var/lib/clamav/
chmod 755 /var/lib/clamav/

# Remove corrupted database:
systemctl stop clamav-daemon
rm -f /var/lib/clamav/*.cvd
rm -f /var/lib/clamav/*.cld

# Re-download database:
freshclam

# Verify database:
clamscan --database=/var/lib/clamav --test-file=/tmp/eicar.com

# Check database integrity:
sigtool --md5 /var/lib/clamav/main.cvd

# Use alternative database location:
# In clamd.conf:
DatabaseDirectory /usr/share/clamav

# Private mirrors:
# In freshclam.conf:
PrivateMirror mirror1.example.com
PrivateMirror mirror2.example.com
```

Step 4: Check Scan Configuration

```bash
# Check clamd.conf:
cat /etc/clamav/clamd.conf

# Key settings in /etc/clamav/clamd.conf:
LogFile /var/log/clamav/clamd.log
LogTime yes
LogVerbose yes
PidFile /run/clamav/clamd.pid
DatabaseDirectory /var/lib/clamav
LocalSocket /run/clamav/clamd.ctl
User clamav

# Scan settings, with every file-type scanner enabled:
ScanPE yes
ScanELF yes
ScanOLE2 yes
ScanPDF yes
ScanSWF yes
ScanHTML yes
ScanMail yes
ScanArchive yes

# Check for disabled scanners:
grep -E "^Scan.*no" /etc/clamav/clamd.conf

# Enable disabled scanners:
sed -i 's/^ScanPE no/ScanPE yes/' /etc/clamav/clamd.conf

# Restart clamd:
systemctl restart clamav-daemon
```

Step 5: Fix File Size and Archive Limits

```bash
# Check file size limits:
grep MaxFileSize /etc/clamav/clamd.conf

# Default limits may skip large files:
MaxFileSize 25M
MaxScanSize 100M
MaxFiles 10000

# Increase limits:
MaxFileSize 100M
MaxScanSize 500M
MaxFiles 50000

# Archive limits:
MaxRecursion 16
MaxCompressionRatio 250

# Increase for deep scanning:
MaxRecursion 30

# Check for limits blocking scan:
clamscan -v --max-filesize=100M --max-scansize=500M /path/to/scan

# Command line overrides:
clamscan --max-filesize=500M --max-scansize=1000M -r /path

# Disable limits (careful):
clamscan --max-filesize=0 --max-scansize=0 -r /path

# What the limits do:
# Files larger than MaxFileSize are skipped without being scanned,
# and scanning of an archive stops once MaxScanSize of data has been read.

# Adjust in clamd.conf:
StreamMaxLength 100M
```
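Because a file over MaxFileSize is skipped silently, it is worth knowing which files on a host fall over the limit before reading a clean result. The example below is added here and is not from the original article: it reads MaxFileSize from clamd.conf (falling back to the 25M default the article names), converts the K/M/G suffix to bytes, and lists the files that clamd would skip. The config path is the article's; the size-suffix handling and the functions are assumptions of this example. It is POSIX sh, so it runs on a host without ClamAV installed.

```shell
#!/bin/sh
# Added example (not from the original article): find files that clamd would
# skip because they exceed MaxFileSize. Assumes /etc/clamav/clamd.conf.

# parse_size <value>: convert a ClamAV size such as 25M or 512K to bytes.
# A bare number is taken as bytes.
parse_size() {
  v=$1
  case "$v" in
    *[Kk]) echo $(( ${v%[Kk]} * 1024 )) ;;
    *[Mm]) echo $(( ${v%[Mm]} * 1024 * 1024 )) ;;
    *[Gg]) echo $(( ${v%[Gg]} * 1024 * 1024 * 1024 )) ;;
    *)     echo "$v" ;;
  esac
}

# max_file_size_bytes [conf]: effective MaxFileSize in bytes. The last
# uncommented directive wins; 25M is ClamAV's default when it is absent.
max_file_size_bytes() {
  conf=${1:-/etc/clamav/clamd.conf}
  val=$(grep -E '^MaxFileSize[[:space:]]' "$conf" 2>/dev/null | awk '{print $2}' | tail -1)
  [ -n "$val" ] || val=25M
  parse_size "$val"
}

# files_over_limit <dir> [bytes]: list regular files larger than the limit.
# A limit of 0 means "no limit" in ClamAV, so nothing is skipped.
files_over_limit() {
  dir=$1
  limit=${2:-$(max_file_size_bytes)}
  [ "$limit" -eq 0 ] && return 0
  find "$dir" -type f -size +"${limit}"c
}

# Usage on a real host: files_over_limit /home/user
```

Run it over the same tree you scan; anything it prints was never inspected, which is the practical argument for raising MaxFileSize (and MaxScanSize for archives) rather than trusting the "Infected files: 0" line.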

Step 6: Check Scan Exclusions

```bash
# Check for exclusion patterns:
grep ExcludePath /etc/clamav/clamd.conf

# Remove exclusions if needed by commenting them out:
# ExcludePath ^/proc/
# ExcludePath ^/sys/

# Check for temporary exclusion:
# ClamAV may skip certain file types

# Scan specific paths:
clamscan -r /home/user

# Exclude specific patterns:
clamscan --exclude-dir="^/sys" --exclude-dir="^/proc" -r /

# Include specific file types:
clamscan --include="\.exe$" --include="\.dll$" -r /path

# Exclude specific file types:
clamscan --exclude="\.log$" --exclude="\.txt$" -r /path

# Check clamdscan exclusions (different from clamscan, they live in clamd.conf):
grep -E "ExcludePath|Exclude" /etc/clamav/clamd.conf

# Test specific file:
clamscan /path/to/suspicious.exe
```

Step 7: Test Detection

```bash
# Create EICAR test file:
echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > /tmp/eicar.com

# Test detection:
clamscan /tmp/eicar.com

# Expected output:
# /tmp/eicar.com: Eicar-Signature FOUND

# Test with clamdscan:
clamdscan /tmp/eicar.com

# Test archives:
zip /tmp/test.zip /tmp/eicar.com
clamscan /tmp/test.zip

# Test nested archives:
tar czf /tmp/test.tar.gz /tmp/test.zip
clamscan /tmp/test.tar.gz

# Clean up:
rm /tmp/eicar.com /tmp/test.zip /tmp/test.tar.gz

# Check detection statistics:
clamscan --infected --bell -r /path 2>&1 | tail -20

# List found viruses:
clamscan --infected -r /path | grep FOUND

# Remove infected files:
clamscan --remove -r /path

# Move infected files:
clamscan --move=/quarantine -r /path
```

Step 8: Check Daemon Mode

```bash
# Check if clamd running:
systemctl status clamav-daemon

# Test socket:
ls -la /run/clamav/clamd.ctl

# Test with clamdscan:
clamdscan /tmp/eicar.com

# Check daemon stats:
clamdscan --stats

# Ping daemon:
clamdscan --ping

# Check if listening:
netstat -tlnp | grep clamd

# TCP socket:
grep TCPSocket /etc/clamav/clamd.conf

# Enable TCP (in clamd.conf):
TCPSocket 3310
TCPAddr 127.0.0.1

# Test TCP:
clamdscan --host 127.0.0.1:3310 /tmp/eicar.com

# Reload database without restart:
clamdscan --reload

# Check multi-threaded scanning:
grep MaxThreads /etc/clamav/clamd.conf

# Increase threads (in clamd.conf):
MaxThreads 20

# Queue limits:
grep -E "MaxQueue|MaxConnectionQueueLength" /etc/clamav/clamd.conf
```

Step 9: Use Additional Databases

```bash
# Check current databases:
ls -la /var/lib/clamav/

# Add additional signatures:

# 1. MalwarePatrol (requires subscription):
# In freshclam.conf:
MalwarePatrolSubscriptionKey YOUR_KEY
MalwarePatrolDB MP-2018

# 2. SecuriteInfo databases:
# In freshclam.conf:
DatabaseCustomURL https://www.securiteinfo.com/get/signatures/...

# 3. Linux Malware Detect:
# Download LMD signatures:
wget -O /var/lib/clamav/rfxn.hdb https://www.rfxn.com/downloads/rfxn.hdb

# 4. Yara rules:
# Download and add to database directory:
wget -O /var/lib/clamav/yara.yar https://...

# Reload databases:
clamdscan --reload

# Verify additional databases:
sigtool --list-sigs /var/lib/clamav/rfxn.hdb

# Check that the databases load and detect:
clamscan --database=/var/lib/clamav --test-file=/tmp/eicar.com
```

Step 10: ClamAV Verification Script

```bash
# Create verification script:
cat << 'EOF' > /usr/local/bin/check-clamav.sh
#!/bin/bash

echo "=== ClamAV Version ==="
clamscan --version 2>/dev/null || echo "ClamAV not installed"

echo ""
echo "=== Services ==="
# is-active returns non-zero when a unit is down; "status | head" would hide that
systemctl is-active --quiet clamav-daemon && echo "clamd running" || echo "clamd not running"
systemctl is-active --quiet clamav-freshclam && echo "freshclam running" || echo "freshclam not running"

echo ""
echo "=== Database Files ==="
ls -la /var/lib/clamav/ 2>/dev/null || echo "No database directory"

echo ""
echo "=== Database Version ==="
for db in /var/lib/clamav/*.cvd /var/lib/clamav/*.cld; do
  if [ -f "$db" ]; then
    echo "$db:"
    sigtool --info "$db" 2>/dev/null | grep -E "Version|Build time" | head -2
  fi
done

echo ""
echo "=== Last Database Update ==="
stat /var/lib/clamav/daily.cld 2>/dev/null | grep Modify \
  || stat /var/lib/clamav/daily.cvd 2>/dev/null | grep Modify \
  || echo "No daily database"

echo ""
echo "=== Test EICAR Detection ==="
echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > /tmp/eicar-test.com
clamscan /tmp/eicar-test.com 2>&1
rm -f /tmp/eicar-test.com

echo ""
echo "=== Scan Settings ==="
grep -E "^MaxFileSize|^MaxScanSize|^ScanArchive|^ScanPE" /etc/clamav/clamd.conf 2>/dev/null || echo "Cannot read config"

echo ""
echo "=== Exclusions ==="
grep ExcludePath /etc/clamav/clamd.conf 2>/dev/null || echo "No exclusions configured"

echo ""
echo "=== Recent Detections ==="
# grep's exit status is lost behind the pipe to tail, so test for matches first
if grep -q "FOUND" /var/log/clamav/clamd.log 2>/dev/null; then
  grep "FOUND" /var/log/clamav/clamd.log | tail -10
else
  echo "No detections logged"
fi

echo ""
echo "=== Update Log ==="
tail -5 /var/log/clamav/freshclam.log 2>/dev/null || echo "No freshclam log"

echo ""
echo "=== Recommendations ==="
echo "1. Update virus definitions with freshclam"
echo "2. Ensure all scanners enabled in clamd.conf"
echo "3. Check file size limits for large files"
echo "4. Verify database directory permissions"
echo "5. Test with EICAR test file"
echo "6. Consider additional signature databases"
echo "7. Enable verbose logging for troubleshooting"
EOF

chmod +x /usr/local/bin/check-clamav.sh

# Usage:
/usr/local/bin/check-clamav.sh
```

ClamAV Detection Checklist

| Check | Expected |
|---|---|
| Service running | clamd process active |
| Database updated | Recent daily.cld/cvd |
| Test detection | EICAR detected |
| Scanners enabled | All Scan options yes |
| Limits adequate | MaxFileSize/MaxScanSize |
| Database files | main, daily, bytecode |
| Permissions | clamav owns database |

Verify the Fix

```bash
# After fixing ClamAV detection

# 1. Update definitions
freshclam                          # Database updated

# 2. Check version
clamscan --version                 # Shows database version

# 3. Test EICAR
clamscan /tmp/eicar.com            # Eicar-Signature FOUND

# 4. Check database
ls -la /var/lib/clamav/            # main.cvd, daily.cld present

# 5. Test scan
clamscan -r /home/user             # Scans and detects

# 6. Monitor logs
tail -f /var/log/clamav/clamd.log  # No errors
```

  • [Fix Fail2ban Not Blocking IPs](/articles/fix-fail2ban-not-blocking-ips)
  • [Fix SELinux Blocking Service](/articles/fix-selinux-blocking-service)
  • [Fix iptables Rules Not Persisting](/articles/fix-iptables-rules-not-persisting)