Configure Clamav for daily system scans and email notification on Debian

Today we take a look at the ClamAV antivirus software and how to use it to protect your server or desktop. I will show you how to configure ClamAV to scan all system, website and email files daily and notify you by email in case that a virus gets detected. For those that don't know ClamAV, ClamAV is an open-source antivirus software solution that is available on all Linux distributions. One of the requirements of this guide is that your server has already a working mail service.

This tutorial is working fine on Debian systems, but should be compatible with Ubuntu systems as well.

Installation and configuration

First of all we execute the command to install Clamav and a tool to send email notifications.

apt-get update && apt-get install clamav clamav-freshclam heirloom-mailx

Be sure that the virus definition will be updated with the command:

service ClamAV-freshclam start

By default, ClamAV will do a check for new virus definitions every hour, if you want to change this parameter you can edit the file /etc/clamav/freshclam.conf.

nano /etc/clamav/freshclam.conf

And change the following line:

# Check for new database 24 times a day
Checks 24


# Check for new database 1 times a day
Checks 1

in this case the check will be done, only once a day. I suggest you to leave 24 times a day.

To do a manual update of the virus definitions, you can execute:

freshclam -v

Enable notify and schedule the scan

In the following script, modify the variable DIRTOSCAN to specify the directories that you want to scan.

We create the file /root/

nano /root/

and we paste the following code:

LOGFILE="/var/log/clamav/clamav-$(date +'%Y-%m-%d').log";
EMAIL_MSG="Please see the log file attached.";
EMAIL_FROM="[email protected]";
EMAIL_TO="[email protected]";
DIRTOSCAN="/var/www /var/vmail";

for S in ${DIRTOSCAN}; do
 DIRSIZE=$(du -sh "$S" 2>/dev/null | cut -f1);

 echo "Starting a daily scan of "$S" directory.
 Amount of data to be scanned is "$DIRSIZE".";

 clamscan -ri "$S" >> "$LOGFILE";

 # get the value of "Infected lines"
 MALWARE=$(tail "$LOGFILE"|grep Infected|cut -d" " -f3);

 # if the value is not equal to zero, send an email with the log file attached
 if [ "$MALWARE" -ne "0" ];then
 # using heirloom-mailx below
 echo "$EMAIL_MSG"|mail -a "$LOGFILE" -s "Malware Found" -r "$EMAIL_FROM" "$EMAIL_TO";

exit 0

You can change the two variables EMAIL_FROM and EMAIL_TO to reflect your desired email addresses, and change the list of directories to scan in the variable DIRTOSCAN.

Save the file with ( ctrl+o ), and change the permission as follows:

chmod 0755 /root/

Now enable the daily execution of the script by creating a symlink in the /etc/cron.daily/ directory:

ln /root/ /etc/cron.daily/clamscan_daily

Now you should be able to receive the email notification once a day for virus or malware in your mail files or websites. ClamAV also scans the content of PHP files for the presence of malware or other potentially malicious content.

Test the script

In this configuration, ClamAV won't do any actions on the found viruses, it will only report them. So don't worry, nothing will be deleted or altered. To test the script, just run:


After the command has finished, there will be two possible states:

- Clamav has found some virus: in this case you'll receive an email in your inbox with the attached log.

- Clamav has found nothing, or something goes wrong. In this case, you'll need to check what log says. To check the logs you should check in /var/log/clamav/

I'll attach a little log example to know what you should read:

Starting a daily scan of /var/www directory. Amount of data to be scanned is 36G.
Mon Jun 15 13:17:14 CEST 2015

----------- SCAN SUMMARY -----------
Known viruses: 3841819
Engine version: 0.98.4
Scanned directories: 47944
Scanned files: 316827
Infected files: 0
Data scanned: 17386.77 MB
Data read: 34921.59 MB (ratio 0.50:1)
Time: 1432.747 sec (23 m 52 s)
Mon Jun 15 13:41:06 CEST 2015
Starting a daily scan of /var/vmail directory. Amount of data to be scanned is 7.0G.
Mon Jun 15 13:41:27 CEST 2015
/var/vmail/domain.tld/info/Maildir/.Cestino/cur/1386677288.M361286P15524.domain.tld,W=2675,S=2627:2,S: Heuristics.Phishing.Email.SpoofedDomain FOUND
/var/vmail/domain.tld/info/Maildir/.Cestino/cur/1371451873.M697795P19793.domain.tld,W=5421,S=5353:2,S: Heuristics.Phishing.Email.SpoofedDomain FOUND
/var/vmail/domain.tld/info/Maildir/.Cestino/cur/1390203133.M981287P17350.domain.tld,W=3223,S=3157:2,S: Heuristics.Phishing.Email.SpoofedDomain FOUND
/var/vmail/domain.tld/info/Maildir/.Cestino/cur/1386677288.M361285P15524.domain.tld,W=2270,S=2227:2,S: Heuristics.Phishing.Email.SpoofedDomain FOUND

In this case, ClamAV has Found some phishing email at [email protected], so in this case, you'll receive also the email.

That's all!

Share this page:

9 Comment(s)

Add comment


From: Chris hawkins

Great Article!

Having a problem with the /root/ script!

Error is:

"root@-office:~# /root/

Starting a daily scan of /var/www directory.

 Amount of data to be scanned is 20K.

/root/ line 13: : No such file or directory

tail: cannot open ‘’ for reading: No such file or directory"

/root/ line 19: [: : integer expression expected"

Any idea what's wrong?

Thanks again for the article




From: ethan

Hey, did you ever get this resolved?

From: Adam

The variable $LOGFILE is used in the script, but is never defined.  Add the following line to the script and you should be good to go.

To the end of the variable declaration section at the top, add:


and you should be all set.  

Be sure that the path you set exists!

From: diablo666

Mmmm just retested but no error to me.

Can you please paste the code of your /root/ ?

From: swedala

Thanks for a good simple tutorial.

I have good knowledge about linux and had been able to develop it as well, but I'm lazy so I searched if someone else have done the job for me ;-)

Found this tutorial and when I checked the script and it was promising.

As I mentioned above, I'm lazy so I want to avoid attachments, guess I will change the script.

echo "$LOGFILE" | mail -s "Malware Found" -r "$EMAIL_FROM" "$EMAIL_TO"

From: diablo666

Hi swedala, the idea of the script is that, if there's no error, no mail will be sent. So when it will be sent, i want to check fast what is the problem, so i've decide to attach the log.

But as you said, may be someone don't want the attachment, and your suggestion is welcome to us! :)

From: Rex


How can we set ClamAV scan & remove virus itself daily?



From: Antony Rappai

I am glad I stumbled upon this, I stumbled across this articles, I will be using bits and pieces for an article that will be writing on cloud server security.

I shall mention this link in the credits  :)

From: Davide Cester

Hi, very useful script, thank you!

I would like to suggest a couple of improvements:

- truncate $LOGFILE just before the loop, to improve readability when testing the log:


- replace echo commands with cat "..." >> $LOGFILE to have everything in the log file:

  echo "  ===== Scanning $S        Total size: "$DIRSIZE"." >> $LOGFILE;

The additional newline before ===== is because clamscan output has a blank line at the beginning, and the "Scanning..." header appears to belong to the previous block, reducing readability.

Bye :)