ClamAV: Rock-Solid Scheduled Scanning for Your Linux System

Welcome back to Orion's Guard!

This guide provides a clean, stable method for installing ClamAV and setting up reliable daily scheduled scanning on Arch Linux, using official Systemd units to avoid complex configuration errors.

A Note on Security: Running ClamAV is a great project for monitoring your local files, but for hardened, production-level security on Linux, we recommend specialized solutions like Sandfly. Your security priority should always be keeping your system software and kernel up-to-date!

1. Installation and Initial Setup

We begin by installing the necessary packages and getting the virus definitions up to date.

Install ClamAV and tools:

sudo pacman -S clamav wget --noconfirm

Enable automatic database updates: This uses the official service unit to keep your definitions fresh continuously.

sudo systemctl enable --now clamav-freshclam.service

Run an initial manual database update: This ensures your definitions are current immediately.

sudo freshclam

2. Setting Up the Daily Scan

We will use a dedicated Systemd Service and Timer pair—the most stable method for scheduling recurring tasks on Arch Linux.

A. Create Quarantine Directory

The scan requires a secure location to move infected files.

sudo mkdir -p /var/log/clamav/infected

B. Create the Scan Service (.service)

This file defines what to run (the scan command).

Open the service file:

sudo nano /etc/systemd/system/clamscan.service

Paste the configuration: (This runs a recursive scan, excludes system directories, and moves threats to the quarantine folder).

[Unit]
Description=Daily ClamAV Scan

[Service]
Type=oneshot
Nice=10
ExecStart=/usr/bin/clamscan -r --exclude-dir=^/sys --exclude-dir=^/proc --exclude-dir=^/dev --move=/var/log/clamav/infected /home /var/www/html

C. Create the Scan Timer (.timer)

This file defines when to run the scan (daily at 3:00 AM local time).

Open the timer file:

sudo nano /etc/systemd/system/clamscan.timer

Paste the configuration:

[Unit]
Description=Schedule Daily ClamAV Scan

[Timer]
# Set the desired time (e.g., 03:00 local time). Use a single OnCalendar= line:
# systemd treats each additional OnCalendar= line as another trigger, so keeping
# OnCalendar=daily alongside this line would also fire the scan at 00:00.
OnCalendar=*-*-* 03:00:00
AccuracySec=1h
Persistent=true

[Install]
WantedBy=timers.target
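A point worth checking on any timer you write by hand: systemd does not replace an earlier OnCalendar= value with a later one. Every non-empty OnCalendar= line in the [Timer] section adds a trigger, and only an empty OnCalendar= clears the list, so a unit that lists both daily and an explicit time fires at 00:00 and again at 03:00. The script below is an added example (not from the original post) that extracts the effective OnCalendar= values from a timer unit and fails when more than one trigger is active. The two unit texts embedded in it are constructed samples; run check_timer_file against /etc/systemd/system/clamscan.timer to check the real unit.

```shell
#!/bin/sh
# Added example (not from the original post): list the effective OnCalendar=
# triggers of a systemd timer unit and warn when more than one is active.

# Constructed sample units for the demo (not real files on your system).
TIMER_TWO_TRIGGERS='[Unit]
Description=Schedule Daily ClamAV Scan

[Timer]
OnCalendar=daily
AccuracySec=1h
Persistent=true
OnCalendar=*-*-* 03:00:00

[Install]
WantedBy=timers.target'

TIMER_ONE_TRIGGER='[Timer]
OnCalendar=*-*-* 03:00:00
Persistent=true'

# Print the effective OnCalendar= values of the unit text read from stdin.
# An empty "OnCalendar=" resets the list, exactly as systemd treats it.
effective_oncalendar() {
  awk '
    /^[[:space:]]*\[/ { section = $0; sub(/^[[:space:]]*/, "", section) }
    section == "[Timer]" && /^[[:space:]]*OnCalendar[[:space:]]*=/ {
      sub(/^[^=]*=[[:space:]]*/, "")
      sub(/[[:space:]]+$/, "")
      if ($0 == "") n = 0          # empty assignment clears earlier triggers
      else vals[n++] = $0
    }
    END { for (i = 0; i < n; i++) print vals[i] }
  '
}

# Number of active triggers in the unit text read from stdin.
oncalendar_count() {
  effective_oncalendar | wc -l | tr -d ' '
}

# Report the triggers of a timer unit file; return 1 when more than one is
# active, which is what "OnCalendar=daily" plus an explicit time produces.
check_timer_file() {
  n=$(oncalendar_count < "$1")
  effective_oncalendar < "$1" | sed 's/^/  trigger: /'
  if [ "$n" -gt 1 ]; then
    echo "$1: $n OnCalendar= triggers active; the timer fires on each of them" >&2
    return 1
  fi
  return 0
}

# Demo on the constructed sample: sh thisscript.sh demo
if [ "${1-}" = demo ]; then
  printf '%s\n' "$TIMER_TWO_TRIGGERS" | effective_oncalendar
fi
```

For the real unit, run check_timer_file /etc/systemd/system/clamscan.timer after editing it, and use systemd-analyze calendar '*-*-* 03:00:00' to confirm when systemd will next elapse that expression.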

D. Enable the Scheduled Timer

Enable the Timer: This starts the automated schedule.

sudo systemctl enable --now clamscan.timer

Reload Systemd: This loads the new .service and .timer files.

sudo systemctl daemon-reload

3. Verification and False Positive Management

A. Check Schedule and Status

Check Next Scan Time: Confirm the timer is scheduled for the next 03:00 run.

sudo systemctl list-timers | grep -i clamscan

Check Timer Status: Confirm the timer is active.

systemctl status clamscan.timer

B. Proof of Quarantine

Download the test file (using the stable EICAR URL):

wget https://secure.eicar.org/eicar.com.txt -O ~/eicar_test.txt

If you do not have wget installed, install it with 'sudo pacman -S wget'.

Sometimes the file name changes. If the download fails, go to eicar.org and copy the current URL.

Force the scan immediately:

sudo systemctl start clamscan.service

Verify Quarantine: Check that the file was moved. The scan may take a while depending on how many files you have and their sizes; let it complete first.

sudo ls /var/log/clamav/infected/

C. Management: Creating an Exclusion List (False Positives)

If the scan flags legitimate files (e.g., development components), create a whitelist to ignore them.

Open the exclusion file:

sudo nano /etc/clamav/local.ign2

Add the exact file names of the false positives (one per line):

# Example format:
# ms-python.debugpy-2025.14.1-linux-x64
# ms-python.vscode-python-envs-1.10.0-universal

Reload the Database: This forces ClamAV to load the new whitelist.

sudo freshclam
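Two caveats a practitioner will want here. First, ClamAV's .ign2 format lists signature names, one per line: the name clamscan prints before FOUND (for example "/path/file: Some.Signature.Name FOUND"), so the entry to whitelist is that signature name rather than the flagged file's name, and ignoring a signature suppresses it for every file it matches. Second, ClamAV reads .ign2 files that sit in its database directory (/var/lib/clamav by default on Arch) together with the signatures. The script below is an added example (not from the original post) that derives the signature list from saved clamscan output, shows which files each signature hit so you can judge the false positive before ignoring it, and lints the resulting file. The scan output embedded in it is constructed; the paths and signature names are made up.

```shell
#!/bin/sh
# Added example (not from the original post): build and lint a ClamAV .ign2
# exclusion file from clamscan output. .ign2 entries are signature names.

# Constructed clamscan output; paths and signature names are made up.
SAMPLE_SCAN='/home/user/.vscode/extensions/example-ext/bin/helper: PUA.Example.Constructed-1 FOUND
/home/user/Documents/report.pdf: OK
/home/user/.vscode/extensions/example-ext/lib/helper2: PUA.Example.Constructed-1 FOUND
/home/user/Downloads/sample.txt: Example.Test.Constructed-2 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 1000000
Infected files: 3'

# Print each distinct signature name that clamscan reported as FOUND.
# Signature names contain no spaces, so they are the second-to-last field.
sig_names_from_scan() {
  awk '/ FOUND$/ { print $(NF-1) }' | sort -u
}

# Print the files a given signature hit, so the false positive can be
# reviewed before the signature is ignored system-wide.
files_for_sig() {
  awk -v sig="$1" '/ FOUND$/ && $(NF-1) == sig { sub(/: [^:]* FOUND$/, ""); print }'
}

# Lint an .ign2 file: one bare signature name per line, no paths, no blanks.
# Lines starting with '#' are skipped, matching the comment style in the post.
ign2_lint() {
  status=0
  lineno=0
  while IFS= read -r line || [ -n "$line" ]; do
    lineno=$((lineno + 1))
    case $line in
      '#'*) ;;
      '')   echo "$1:$lineno: empty line" >&2; status=1 ;;
      */*)  echo "$1:$lineno: looks like a path, not a signature name" >&2; status=1 ;;
      *[[:space:]]*) echo "$1:$lineno: whitespace in signature name" >&2; status=1 ;;
    esac
  done < "$1"
  return $status
}

# Demo on the constructed sample: sh thisscript.sh demo
if [ "${1-}" = demo ]; then
  printf '%s\n' "$SAMPLE_SCAN" | sig_names_from_scan
  printf '%s\n' "$SAMPLE_SCAN" | files_for_sig PUA.Example.Constructed-1
fi
```

In practice, save a scan run with clamscan -r /home > scan.log, review files_for_sig output for each name, and only then write the approved names into the .ign2 file and lint it before copying it into the database directory.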

4. Manage Quarantined Files

Action: Delete
Command (example): sudo rm /var/log/clamav/infected/filename
Description: Recommended. Permanently deletes the infected file.

Action: Restore
Command (example): sudo mv /var/log/clamav/infected/filename /home/user/safe_location/
Description: Move the file back only if you are absolutely certain it is a false positive and you need it.
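The quarantine check in section 3B and the delete/restore commands above can be wrapped in a small helper so that the routine steps are done the same way every time. The script below is an added example (not from the original post): it lists quarantined files with their SHA-256 hash and size, which lets you look a file up on a threat-intelligence service without opening it, and restores a file only to an existing directory, never overwriting anything and clearing execute bits so a restored false positive cannot be run by accident. The quarantine path is an assumption taken from the --move target used in the service unit; override it with QUARANTINE_DIR.

```shell
#!/bin/sh
# Added example (not from the original post): inspect and restore files in
# the ClamAV quarantine directory used by the scan service.
QUARANTINE_DIR=${QUARANTINE_DIR:-/var/log/clamav/infected}

# List quarantined files as: <sha256>  <size-bytes>  <name>
quarantine_list() {
  dir=${1:-$QUARANTINE_DIR}
  [ -d "$dir" ] || { echo "no quarantine dir: $dir" >&2; return 1; }
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    sum=$(sha256sum "$f" | cut -d' ' -f1)
    size=$(wc -c < "$f" | tr -d ' ')
    printf '%s  %s  %s\n' "$sum" "$size" "${f##*/}"
  done
}

# Number of quarantined files (0 means the EICAR proof in section 3B failed).
quarantine_count() {
  quarantine_list "$@" | wc -l | tr -d ' '
}

# Restore one file by name into an existing destination directory.
# Rejects names with path components, refuses to overwrite, and strips
# execute bits so the restored file has to be inspected before it can run.
quarantine_restore() {
  name=$1; dest=$2; dir=${3:-$QUARANTINE_DIR}
  case $name in ''|*/*|.|..) echo "bad name: $name" >&2; return 1 ;; esac
  [ -f "$dir/$name" ] || { echo "not in quarantine: $name" >&2; return 1; }
  [ -d "$dest" ] || { echo "destination is not a directory: $dest" >&2; return 1; }
  [ -e "$dest/$name" ] && { echo "refusing to overwrite $dest/$name" >&2; return 1; }
  mv -- "$dir/$name" "$dest/$name" && chmod a-x "$dest/$name"
}

# Permanently delete one quarantined file by name (the recommended action).
quarantine_delete() {
  name=$1; dir=${2:-$QUARANTINE_DIR}
  case $name in ''|*/*|.|..) echo "bad name: $name" >&2; return 1 ;; esac
  [ -f "$dir/$name" ] || { echo "not in quarantine: $name" >&2; return 1; }
  rm -- "$dir/$name"
}

# Usage on the real directory (needs root, as the directory is root-owned):
#   sudo sh thisscript.sh list
if [ "${1-}" = list ]; then
  quarantine_list
fi
```

After the forced scan in section 3B, quarantine_count should be at least 1 and the listing should show eicar_test.txt; a count of 0 means either the scan has not finished yet or the test file was not detected.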
