ClamAV Ansible Role

An Ansible role to install, configure, and manage ClamAV antivirus on Debian-based systems.

Features

  • Installation and uninstallation of ClamAV and ClamAV daemon
  • Configuration of ClamAV daemon (clamd)
  • Configuration of virus database updater (freshclam)
  • Automated daily database updates via systemd timer
  • Service management (enable/disable/start/stop)
  • Support for both local socket and TCP connections
  • On-access scanning (real-time file system watcher) for monitoring specific directories

Installation

First, add the following lines to your requirements.yml file:

roles:
  - name: clamav
    src: https://gitlab.com/niclas-zone/tools/ansible/roles/clamav.git
    version: main
    scm: git

After that, we can install the role by executing the following command:

ansible-galaxy install -r requirements.yml --force

Role Variables

Core Configuration

| Variable | Default Value | Type | Description |
| --- | --- | --- | --- |
| clamav_state | present | string | State of ClamAV installation (present or absent) |
| clamav_daemon_enabled | true | boolean | Enable ClamAV daemon service |
| clamav_freshclam_enabled | true | boolean | Enable freshclam service |
| clamav_freshclam_daily_update | true | boolean | Configure daily freshclam database updates via systemd timer |
| ansible_managed_warning | "This file is managed by Ansible..." | string | Warning on managed files |
| ansible_role_repository | https://gitlab.com/niclas-zone/tools/ansible/roles/clamav | string | Repository URL |

ClamAV Daemon Configuration

| Variable | Default Value | Type | Description |
| --- | --- | --- | --- |
| clamav_daemon_user | clamav | string | User to run ClamAV daemon as |
| clamav_daemon_local_socket | /var/run/clamav/clamd.ctl | string | Path to local socket for clamd |
| clamav_daemon_local_socket_mode | 666 | string | Socket file permissions |
| clamav_daemon_tcp_socket | false | boolean | Enable TCP socket for clamd |
| clamav_daemon_tcp_addr | 127.0.0.1 | string | TCP address for clamd |
| clamav_daemon_tcp_port | 3310 | integer | TCP port for clamd |
| clamav_daemon_max_threads | 12 | integer | Maximum number of threads for clamd |
| clamav_daemon_max_queue | 100 | integer | Maximum number of queued items for clamd |
| clamav_daemon_read_timeout | 180 | integer | Socket read timeout in seconds |
| clamav_daemon_command_read_timeout | 5 | integer | Command read timeout in seconds |
| clamav_daemon_send_buf_timeout | 200 | integer | Send buffer timeout in milliseconds |
| clamav_daemon_max_stream_length | 25M | string | Maximum stream length |
| clamav_daemon_stream_max_length | 25M | string | Maximum stream buffer size |
| clamav_daemon_foreground | yes | string | Run daemon in foreground |
| clamav_daemon_self_check | 3600 | integer | Database self-check interval in seconds |
| clamav_daemon_exit_on_oom | yes | string | Exit on out-of-memory condition |
| clamav_daemon_fix_stale_socket | no | string | Automatically remove stale socket files |
| clamav_daemon_debug | no | string | Enable debug messages in libclamav |

Logging Configuration

| Variable | Default Value | Type | Description |
| --- | --- | --- | --- |
| clamav_daemon_log_syslog | true | boolean | Use syslog for daemon logging |
| clamav_daemon_log_facility | LOG_LOCAL6 | string | Syslog facility for daemon |
| clamav_daemon_log_clean | no | string | Log clean files |
| clamav_daemon_log_verbose | no | string | Enable verbose logging for daemon |

Detection and Scanning Configuration

| Variable | Default Value | Type | Description |
| --- | --- | --- | --- |
| clamav_daemon_extended_detection_info | yes | string | Log additional info about infected files |
| clamav_daemon_detect_pua | yes | string | Detect potentially unwanted applications |
| clamav_daemon_exclude_pua | [NetTool, PWTool] | list | PUA categories to exclude |
| clamav_daemon_include_pua | [Spy, Scanner, RAT] | list | PUA categories to include |
| clamav_daemon_heuristic_alerts | yes | string | Enable heuristic alerts |
| clamav_daemon_heuristic_scan_precedence | yes | string | Enable heuristic scan precedence |
| clamav_daemon_alert_broken_executables | yes | string | Alert on broken executables |
| clamav_daemon_alert_encrypted | no | string | Alert on encrypted archives |
| clamav_daemon_alert_ole2_macros | yes | string | Alert on OLE2 macros |
| clamav_daemon_alert_exceeds_max | 100M | string | Alert on files larger than specified size |
| clamav_daemon_force_to_disk | no | string | Force memory/nested scans to dump to disk |
| clamav_daemon_disable_cert_check | no | string | Disable caching feature of the engine |
| clamav_daemon_virus_event | /usr/local/bin/send_sms... | string | Command to execute when virus is found |
| clamav_daemon_scan_archive | yes | string | Scan archives |
| clamav_daemon_scan_pe | yes | string | Scan PE files |
| clamav_daemon_scan_elf | yes | string | Scan ELF files |
| clamav_daemon_scan_ole2 | yes | string | Scan OLE2 files |
| clamav_daemon_scan_pdf | yes | string | Scan PDF files |
| clamav_daemon_scan_swf | yes | string | Scan SWF files |
| clamav_daemon_scan_xml_docs | yes | string | Scan XML documents |
| clamav_daemon_scan_hwp3 | yes | string | Scan HWP3 files |

File System Configuration

| Variable | Default Value | Type | Description |
| --- | --- | --- | --- |
| clamav_daemon_follow_directory_symlinks | no | string | Follow directory symlinks |
| clamav_daemon_follow_file_symlinks | no | string | Follow file symlinks |
| clamav_daemon_cross_filesystems | yes | string | Scan across filesystems |

Bytecode Configuration

| Variable | Default Value | Type | Description |
| --- | --- | --- | --- |
| clamav_daemon_bytecode | yes | string | Enable bytecode execution |
| clamav_daemon_bytecode_security | TrustSigned | string | Bytecode security level |
| clamav_daemon_bytecode_timeout | 60000 | integer | Bytecode timeout in milliseconds |

Freshclam Configuration

| Variable | Default Value | Type | Description |
| --- | --- | --- | --- |
| clamav_freshclam_update_time | daily | string | Update time (systemd OnCalendar format) |
| clamav_freshclam_database_directory | /var/lib/clamav | string | Database directory path |
| clamav_freshclam_database_owner | clamav | string | Database directory owner |
| clamav_freshclam_database_mirror | database.clamav.net | string | Database mirror URL |
| clamav_freshclam_checks | 24 | integer | Database checks per day |
| clamav_freshclam_log_syslog | true | boolean | Use syslog for freshclam logging |
| clamav_freshclam_log_facility | LOG_LOCAL6 | string | Syslog facility for freshclam |
| clamav_freshclam_log_file_max_size | 2M | string | Maximum log file size |
| clamav_freshclam_log_time | yes | string | Include timestamps in logs |
| clamav_freshclam_log_verbose | no | string | Enable verbose logging |
| clamav_freshclam_log_rotate | no | string | Rotate log files |
| clamav_freshclam_connect_timeout | 30 | integer | Connection timeout in seconds |
| clamav_freshclam_receive_timeout | 30 | integer | Receive timeout in seconds |
| clamav_freshclam_dns_database_info | current.cvd.clamav.net | string | DNS for database version check |
| clamav_freshclam_foreground | yes | string | Run in foreground |
| clamav_freshclam_scripted_updates | yes | string | Enable scripted updates |
| clamav_freshclam_debug | no | string | Enable debug logging |
| clamav_freshclam_compress_local_database | no | string | Compress local database |
| clamav_freshclam_pid_file | "" | string | Path to PID file (empty = disabled) |
| clamav_freshclam_notify_clamd | "" | string | Path to clamd.conf for notifications |
| clamav_freshclam_on_update_execute | "" | string | Command to run after successful update |
| clamav_freshclam_on_error_execute | "" | string | Command to run on update error |
| clamav_freshclam_on_outdated_execute | "" | string | Command to run when database is outdated |
| clamav_freshclam_http_proxy_server | "" | string | HTTP proxy server address |
| clamav_freshclam_http_proxy_port | "" | string | HTTP proxy port |
| clamav_freshclam_http_proxy_username | "" | string | HTTP proxy username |
| clamav_freshclam_http_proxy_password | "" | string | HTTP proxy password |

Systemd Timer Configuration

| Variable | Default Value | Type | Description |
| --- | --- | --- | --- |
| clamav_freshclam_timer_persistent | true | boolean | Timer persists across reboots |
| clamav_freshclam_timer_randomized_delay | 1h | string | Randomized delay for timer |

Systemd Service Configuration

| Variable | Default Value | Type | Description |
| --- | --- | --- | --- |
| clamav_freshclam_service_type | oneshot | string | Service type |
| clamav_freshclam_service_user | clamav | string | Service user |
| clamav_freshclam_service_group | clamav | string | Service group |
| clamav_freshclam_service_exec_start | /usr/bin/freshclam --quiet | string | Command to execute |
| clamav_freshclam_service_success_exit_status | 0 1 | string | Success exit codes |
| clamav_freshclam_service_private_tmp | yes | string | Use private /tmp |
| clamav_freshclam_service_no_new_privileges | yes | string | Prevent privilege escalation |
| clamav_freshclam_service_protect_system | strict | string | System protection level |
| clamav_freshclam_service_protect_home | yes | string | Protect home directories |
| clamav_freshclam_service_read_write_paths | /var/lib/clamav /var/log/clamav | string | Writable paths |

On-Access Scanning Configuration

| Variable | Default Value | Type | Description |
| --- | --- | --- | --- |
| clamav_onaccess_scanning_enabled | no | string | Enable on-access scanning (file system watcher) |
| clamav_onaccess_watch_paths | [/home, /var/www] | list | Paths to watch for on-access scanning |
| clamav_onaccess_exclude_paths | [/home/user/.cache, /var/www/tmp] | list | Paths to exclude from on-access scanning |
| clamav_onaccess_max_threads | 5 | integer | Maximum threads for on-access scanning |
| clamav_onaccess_prevention | no | string | Block access to infected files (requires kernel support) |
| clamav_onaccess_extra_scanning | yes | string | Enable extra scanning (scan on open, close, move) |
| clamav_onaccess_exclude_root_uid | yes | string | Exclude root user from scanning |
| clamav_onaccess_exclude_uids | [1000, 1001] | list | Additional UIDs to exclude from scanning |

Example Playbooks

Basic Installation

---
- hosts: linux-servers
  become: true
  roles:
    - role: clamav

Install with Custom Configuration

---
- hosts: linux-servers
  become: true
  roles:
    - role: clamav
      vars:
        clamav_daemon_enabled: true
        clamav_freshclam_enabled: true
        clamav_freshclam_daily_update: true
        clamav_freshclam_update_time: "02:00"
        clamav_daemon_tcp_socket: true
        clamav_daemon_tcp_port: 3310

Uninstall ClamAV

---
- hosts: linux-servers
  become: true
  roles:
    - role: clamav
      vars:
        clamav_state: absent

Disable Services Without Uninstalling

---
- hosts: linux-servers
  become: true
  roles:
    - role: clamav
      vars:
        clamav_daemon_enabled: false
        clamav_freshclam_enabled: false
        clamav_freshclam_daily_update: false

Enable On-Access Scanning (File System Watcher)

---
- hosts: linux-servers
  become: true
  roles:
    - role: clamav
      vars:
        clamav_onaccess_scanning_enabled: true
        clamav_onaccess_watch_paths:
          - /home
          - /var/www
        clamav_onaccess_exclude_paths:
          - /home/user/.cache
          - /var/www/tmp
        clamav_onaccess_max_threads: 5
        clamav_onaccess_prevention: false
        clamav_onaccess_extra_scanning: true

On-Access Scanning

On-access scanning allows ClamAV to monitor specific directories in real time and scan files as they are accessed, created, or modified. This feature requires ClamAV to be running with appropriate permissions.

Key features:

  • Real-time file system monitoring
  • Configurable watch paths (directories to monitor)
  • Configurable exclusion paths (directories to skip)
  • Optional prevention mode (blocks access to infected files - requires kernel support)
  • Extra scanning options (scan on open, close, and move operations)

Note: On-access scanning may impact system performance, especially on high-traffic directories. It's recommended to:

  • Use specific watch paths rather than monitoring the entire filesystem
  • Exclude cache directories, temporary directories, and system paths
  • Start with prevention disabled and enable it only after testing
  • Adjust the number of threads based on system resources
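
The recommendations above can be checked mechanically before the role is applied. The lint below is an added example, not part of the role: lint_onaccess, the BROAD_PATHS list and the NOISY_NAMES list are assumptions made for illustration, and it accepts both the yes/no strings from the variable table and the booleans used in the playbooks.

```python
from pathlib import PurePosixPath

# Assumed lists for illustration; tune them to your own hosts.
BROAD_PATHS = {"/", "/usr", "/var", "/etc", "/proc", "/sys", "/dev"}
NOISY_NAMES = {".cache", "cache", "tmp", "temp"}


def truthy(value):
    """The role documents yes/no strings, the playbooks pass booleans: accept both."""
    return str(value).strip().lower() in {"yes", "true", "1", "on"}


def is_under(path, parent):
    """True when path equals parent or lies below it, compared per component."""
    p, q = PurePosixPath(path), PurePosixPath(parent)
    return p == q or q in p.parents


def lint_onaccess(role_vars):
    """Return a list of findings for one host's clamav_onaccess_* variables."""
    if not truthy(role_vars.get("clamav_onaccess_scanning_enabled", "no")):
        return []
    watch = role_vars.get("clamav_onaccess_watch_paths", [])
    exclude = role_vars.get("clamav_onaccess_exclude_paths", [])
    findings = []
    for w in watch:
        if str(PurePosixPath(w)) in BROAD_PATHS:
            findings.append(f"{w}: watch path is too broad, list specific directories")
        if not any(is_under(e, w) and PurePosixPath(e).name in NOISY_NAMES
                   for e in exclude):
            findings.append(f"{w}: no cache or temp directory excluded below it")
    for e in exclude:
        if not any(is_under(e, w) for w in watch):
            findings.append(f"{e}: exclusion is outside every watch path")
    if truthy(role_vars.get("clamav_onaccess_prevention", "no")):
        findings.append("prevention is on: confirm it was tested with it off first")
    return findings


if __name__ == "__main__":
    # Constructed sample: the values from the on-access playbook on this page.
    sample = {
        "clamav_onaccess_scanning_enabled": True,
        "clamav_onaccess_watch_paths": ["/home", "/var/www"],
        "clamav_onaccess_exclude_paths": ["/home/user/.cache", "/var/www/tmp"],
        "clamav_onaccess_prevention": False,
    }
    print(lint_onaccess(sample) or "no findings")
```

An exclusion that sits outside every watch path is reported because it has no effect and usually points to a typo in one of the two lists.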

Daily Database Updates

This role creates a systemd timer (clamav-freshclam-daily.timer) that automatically updates the ClamAV virus database daily. The timer:

  • Runs at the time specified by clamav_freshclam_update_time (default: daily)
  • Has a randomized delay of up to 1 hour to prevent all servers from updating at the same time
  • Is persistent across reboots
  • Can be disabled by setting clamav_freshclam_daily_update: false

You can check the timer status with:

systemctl status clamav-freshclam-daily.timer

View timer logs with:

journalctl -u clamav-freshclam-daily.service
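
A timer that fires does not by itself show that the signatures were refreshed. The probe below is an added example, not part of the role: it reports the age of the newest signature file in the database directory (the role's default /var/lib/clamav); the function names and the 3-day threshold are assumptions.

```python
import time
from pathlib import Path

# ClamAV signature databases end in .cvd (as downloaded) or .cld (rebuilt
# locally after incremental updates); other files in the directory are ignored.
DB_SUFFIXES = {".cvd", ".cld"}


def newest_signature_age_days(db_dir, now=None):
    """Age in days of the most recently written signature file, or None if none exist."""
    now = time.time() if now is None else now
    mtimes = [p.stat().st_mtime for p in Path(db_dir).iterdir()
              if p.is_file() and p.suffix in DB_SUFFIXES]
    if not mtimes:
        return None
    return max(0.0, now - max(mtimes)) / 86400


def check_freshness(db_dir="/var/lib/clamav", max_age_days=3, now=None):
    """Return (ok, message) for use in a cron job or monitoring probe."""
    try:
        age = newest_signature_age_days(db_dir, now)
    except OSError as exc:
        return False, f"cannot read {db_dir}: {exc}"
    if age is None:
        return False, f"no signature databases in {db_dir}"
    if age > max_age_days:
        return False, f"signatures are {age:.1f} days old (limit {max_age_days})"
    return True, f"signatures are {age:.1f} days old"


if __name__ == "__main__":
    ok, message = check_freshness()
    print(("OK: " if ok else "STALE: ") + message)
    raise SystemExit(0 if ok else 1)
```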