
ClamAV: open-source antivirus for mail servers and upload scanning

ClamAV is the GPL-2 antivirus classic for mail server gateways and file upload scanning, with a signature update hub fed by the ClamSubmit community.

As of: 2026-05

What is ClamAV?

ClamAV is an open-source antivirus engine under the GPL-2 license, developed since 2001 and maintained today by the Cisco Talos team (originally written by Tomasz Kojm; Sourcefire acquired the project in 2007 and Cisco acquired Sourcefire in 2013). As of May 2026 the stable ClamAV release is 1.4, and it is the standard antivirus engine for mail servers and file upload scanning on Linux systems.

The software is clearly focused: as of May 2026, ClamAV is not the right antivirus for employee workstations -- there Windows Defender or professional XDR solutions like CrowdStrike, SentinelOne, Sophos Intercept-X are used. ClamAV belongs on mail gateway servers, in file upload endpoints of web applications, in file storage systems (Nextcloud, Samba), and in container image scanning pipelines.

The architecture consists of three components. (1) clamd -- the antivirus daemon that holds the virus database in memory (around 1 GB RAM in May 2026) and answers scan requests via a socket. (2) clamscan -- the CLI scanner for one-off scans (slow, because the database is loaded on every call). (3) freshclam -- the auto-updater that fetches the virus signature database from db.local.clamav.net daily.

The virus signature database is fed in May 2026 from four sources: (a) Cisco Talos -- Cisco's commercial threat intelligence team; (b) ClamSubmit -- community submissions of malware samples; (c) external feeds like SaneSecurity (free plus paid tier with Foxhole feed); (d) custom signatures via clamav-unofficial-sigs. The database holds around 8 million active signatures in May 2026.

Detection methods: ClamAV combines classic signature detection (MD5/SHA1 hashes), pattern matching with regular expressions (ndb signatures), heuristic detection (a bytecode engine with its own language), and, since 2024, a lightweight ML model for unknown malware families (clamav-ml). The latter is still experimental in May 2026 but a notable added value against polymorphic malware.

Integrations: Postfix via clamsmtpd or amavisd-new, Nextcloud via files_antivirus app, Samba via vfs_virusfilter, web apps via clamd socket calls, Docker image scanning via Trivy plugin. Performance: clamd can scan 100-500 mails per minute on a typical 4-vCPU Hetzner server.

Why it matters for Swiss SME mail servers

ClamAV solves three concrete problems around mail servers and file uploads for Swiss SMEs.

Mail gateway protection: a fiduciary with Postfix mail server (or via Brevo/Postmark for outbound but own inbound server) receives 100-500 phishing and malware mails daily. Cloudflare filters and SpamAssassin filter the bulk, but ClamAV is the layer recognising binary malware in attachments: EXE, DLL, JS loader, Office documents with VBA macros, PDFs with exploit payloads. Without ClamAV these mails reach employee inboxes -- and one click on the wrong attachment icon can lead to ransomware infection.

File upload scanning in client portals: a law firm with client portal (Nextcloud, Outline, own web app) into which clients upload documents. Every upload must be scanned -- an infected Word document from a client would otherwise lead to distribution in the employee team. ClamAV integration in the upload workflow (scan via clamd socket before storage) prevents that.

Professional secrecy and duty of care: Art. 321 SCC requires that client data is protected. A ransomware infection encrypting client files is a professional-secrecy violation plus data breach with 72-hour notification duty under revFADP Art. 24. Cyber insurance (Helvetia, Mobiliar, AXA, Zurich) has required antivirus on all mail gateways and file upload endpoints since 2025 as condition for policy and claim settlement.

Regulatory link: ISO 27001 Annex A.12.2 (Protection from Malware) is covered with ClamAV on mail gateway plus workstation Defender. Even without ISO duty, ClamAV is listed in the FDPIC guideline as technical minimum measure for mail servers.

Container image scanning: in May 2026 with widespread use of Docker Compose setups at Swiss SMEs, container scanning is an important use case. Trivy plus ClamAV engine scans Docker images before deployment for known malware -- especially important for third-party images pulled from Docker Hub without inspection. Supply-chain attacks via compromised Docker images are a growing vector in 2026.

Setup and examples

We show a productive ClamAV setup for a Swiss SME mail server with Postfix and a Nextcloud client portal.

Docker Compose with clamd:

```yaml
version: "3.8"
services:
  clamav:
    image: clamav/clamav:1.4
    container_name: clamav
    restart: unless-stopped
    environment:
      - CLAMAV_NO_FRESHCLAMD=false
      - CLAMAV_NO_CLAMD=false
      - CLAMD_STARTUP_TIMEOUT=1800
    ports:
      - "127.0.0.1:3310:3310"
    volumes:
      - ./clamav-data:/var/lib/clamav
      - ./clamav-logs:/var/log/clamav
```

First start takes 10-20 minutes because freshclam downloads the complete virus database (around 350 MB compressed). After that daily increments suffice.

Postfix integration via amavisd-new (apt install amavisd-new on Debian/Ubuntu):

```perl
# /etc/amavis/conf.d/15-content_filter_mode
@bypass_virus_checks_maps = (
   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
```

In /etc/postfix/master.cf:

```
smtp-amavis unix -       -       n       -       2       smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
```

Nextcloud integration: in the Nextcloud admin area install app "Antivirus for Files", then Settings: Mode "Daemon", Host "clamav", Port "3310". Every upload is scanned via clamd socket; detection behaviour "Quarantine" or "Reject" configurable.

Custom web app integration (Node.js example):

```javascript
const NodeClam = require('clamscan');

async function scanUpload(path) {
  // Talk to the clamd container over TCP (no Unix socket), as in the Compose setup above
  const clamscan = await new NodeClam().init({
    clamdscan: { socket: false, host: 'clamav', port: 3310 },
  });
  const { isInfected, viruses } = await clamscan.scanFile(path);
  if (isInfected) {
    console.log(`Malware detected: ${viruses.join(', ')}`);
    // Reject file, audit log, alert
  }
  return isInfected;
}

scanUpload('/tmp/upload.docx');
```

freshclam maintenance: set "Checks 24" in /etc/clamav/freshclam.conf (one check per hour); the daily updates usually land around 3 a.m. As of May 2026, increments of around 30-50 MB per day are normal. Include the SaneSecurity feed for extended phishing detection via clamav-unofficial-sigs.

Trivy container image scanning (May 2026 standard for Swiss SMEs):

```bash
trivy image --scanners vuln,secret,misconfig nginx:1.27
trivy image --severity HIGH,CRITICAL --exit-code 1 myapp:latest
```

Integrate this as a build step in GitLab CI or GitHub Actions. ClamAV can be added as a further layer-7 scan engine via the Trivy plugin (experimental in May 2026).

Wazuh integration: ship /var/log/clamav/clamav.log via the Wazuh agent to the Wazuh Manager. Wazuh raises alerts on virus finds and documents them in the compliance dashboard.
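The monitoring step above, as an added example that is not part of the article: a parser for clamd's log lines (LogTime format) that produces the monthly detection and false-positive summary the setup checklist asks for. The log lines, paths and signature names are constructed; the set of signatures triaged as false positives is an assumed list the admin maintains.

```javascript
'use strict';

// Constructed sample of /var/log/clamav/clamav.log (LogTime enabled); paths and
// signature names are illustrative, not real detections.
const SAMPLE_LOG = [
  'Mon May  4 03:10:12 2026 -> SelfCheck: Database status OK.',
  'Mon May  4 09:41:03 2026 -> /srv/nextcloud/data/client-a/files/offer.docx: Doc.Dropper.Agent-9999999-0 FOUND',
  'Mon May  4 09:41:03 2026 -> /srv/nextcloud/data/client-a/files/invoice.pdf: OK',
  'Tue May  5 14:02:55 2026 -> /var/spool/amavis/tmp/part-001/eicar.com: Win.Test.EICAR_HDB-1 FOUND',
  'Tue May  5 14:03:10 2026 -> /srv/uploads/newsletter.html: Sanesecurity.Phishing.Example.UNOFFICIAL FOUND',
  'Wed May  6 03:10:14 2026 -> Database correctly reloaded (8000000 signatures)',
].join('\n');

// clamd writes "<ctime> -> <path>: <signature> FOUND" for hits, "<path>: OK" for clean
// files when LogClean is on, and "<path>: <reason> ERROR" when a file could not be scanned.
const FOUND_RE = /^(.+? \d{4}) -> (.+): (\S+) FOUND$/;
const OK_RE = /^(.+? \d{4}) -> (.+): OK$/;
const ERROR_RE = /^(.+? \d{4}) -> (.+?): (.+) ERROR$/;

// One log line -> scan event, or null for daemon chatter (SelfCheck, reloads, etc.).
function parseClamdLine(line) {
  let m;
  if ((m = FOUND_RE.exec(line))) return { time: m[1], path: m[2], verdict: 'FOUND', signature: m[3] };
  if ((m = OK_RE.exec(line))) return { time: m[1], path: m[2], verdict: 'OK', signature: null };
  if ((m = ERROR_RE.exec(line))) return { time: m[1], path: m[2], verdict: 'ERROR', signature: null };
  return null;
}

// Monthly report: files scanned, confirmed detections per signature, and hits on
// signatures the admin has triaged as false positives (typically from an unofficial
// feed), kept apart so the detection count reflects confirmed malware only.
function summarize(logText, knownFalsePositives = new Set()) {
  const report = { scanned: 0, found: 0, falsePositives: 0, errors: 0, bySignature: {} };
  for (const line of logText.split('\n')) {
    const ev = parseClamdLine(line.trim());
    if (!ev) continue;
    if (ev.verdict === 'ERROR') { report.errors += 1; continue; }
    report.scanned += 1;
    if (ev.verdict !== 'FOUND') continue;
    if (knownFalsePositives.has(ev.signature)) { report.falsePositives += 1; continue; }
    report.found += 1;
    report.bySignature[ev.signature] = (report.bySignature[ev.signature] || 0) + 1;
  }
  return report;
}

module.exports = { parseClamdLine, summarize, SAMPLE_LOG };
```

Unscannable files (ERROR lines, e.g. encrypted archives or permission problems) are reported separately; a rising error count means files are reaching storage without a verdict.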

ClamAV setup in 5 steps

  1. Installation: deploy the clamav/clamav:1.4 Docker container or apt install clamav clamav-daemon; run freshclam once for the initial DB download.
  2. Bind the clamd socket only to localhost (127.0.0.1:3310); set the freshclam schedule to 24x per day; add the SaneSecurity feed via clamav-unofficial-sigs.
  3. Mail server integration: Postfix via amavisd-new or clamsmtpd; set the X-Virus-Scanned mail header; a virus find moves the mail to quarantine.
  4. File upload integration: Nextcloud "Antivirus for Files" app, own web app via clamd socket call; quarantine directory with restricted rights.
  5. Monitoring and audit: ClamAV logs to Loki/Wazuh; Telegram alert on virus find; monthly report on detection rate and false positives; Trivy image scan in the CI/CD pipeline.

When to deploy ClamAV

ClamAV is a mandatory layer in four concrete scenarios for Swiss SMEs in May 2026.

Own inbound mail server (Postfix, Exim): every mail server accepting mail from the internet needs ClamAV plus SpamAssassin plus DKIM/SPF/DMARC verification. Without ClamAV binary malware attachments reach employees -- one click suffices for ransomware infection. Setup effort 2-4 hours, maintenance 1-2 hours per month.

Client portal with file upload: law firm, fiduciary, architecture office with client portal (Nextcloud, Outline, own web app). Every upload must be scanned before storage. ClamAV integration via clamd socket in the upload workflow. On virus find: reject, audit log, alert to admin.

File storage systems (Samba, NFS): shared file shares with client data on which multiple employees write. Periodic ClamAV full scan (weekly, via cron job) detects injected malware. Important for compliance audit: document scan reports in Loki/Wazuh.

Container image scanning in CI/CD: every Docker image deployed to production should be scanned for malware before deployment. Trivy is the standard tool in May 2026, with ClamAV plugin as additional layer-7 engine. Especially important for third-party images from Docker Hub.

Brevo/Postmark outbound mail: here ClamAV is not needed because Brevo/Postmark have their own antivirus layer. For purely outbound mail setups ClamAV is superfluous.

For workstations and notebooks, ClamAV is not sufficient in May 2026. Windows Defender (built-in, free) is the right layer for employee PCs. On compliance duty (ISO 27001, banking/pharma clients) deploy paid XDR like CrowdStrike, SentinelOne, Sophos Intercept-X -- they also deliver EDR functionality ClamAV does not offer.

When ClamAV is not enough

Three cases where ClamAV is insufficient in May 2026.

Workstation protection for employee PCs: ClamAV has no real-time file watching (no filesystem hook on Windows), no web browser integration, no EDR functionality. On workstations in 2026, Windows Defender (free, built-in) is the absolute minimum. On compliance duty an XDR solution with real-time behavioural detection: CrowdStrike Falcon, SentinelOne Singularity, Sophos Intercept-X -- all from CHF 50 per endpoint per year.

Zero-day protection and polymorphic malware: ClamAV is primarily signature-based. On brand-new malware (zero-day) or polymorphic families with frequent mutation, detection rate can fall below 50 percent. Modern EDR solutions with ML-based behavioural detection deliver significantly better protection here. ClamAV's experimental ML module (clamav-ml) is not yet production-ready in May 2026.

High-risk industries with targeted attacks: law firms with high-risk mandates (money laundering proceedings, industrial espionage, M&A consulting) face targeted attacks with custom malware. ClamAV's signature database does not contain such unknown samples. An EDR solution plus a SOC service (24/7 monitoring by security analysts) is mandatory here.

General pitfalls in ClamAV deployments: (a) freshclam updates not configured -- the database goes stale and the detection rate drops drastically. (b) Opening the clamd socket on 0.0.0.0:3310 instead of 127.0.0.1 -- attackers can send scan requests and exfiltrate data. (c) No quarantine configured -- a virus find is simply deleted, leaving no audit trail for compliance. (d) ClamAV logs not mirrored to the SIEM -- at a compliance audit the proof is missing. (e) Using the wrong container image tag -- clamav/clamav:latest can bring breaking changes; pin to 1.4 instead.

Performance note: clamd occupies around 1 GB RAM for the database. On a mini VPS with 1 GB RAM this is not practicable -- plan at least 2 GB total RAM.

Trade-offs

STRENGTHS

  • GPL-2 OSS since 2001, included in all Linux repos
  • Cisco Talos update hub with 8 million signatures, multiple updates per day
  • Native integration with Postfix, Nextcloud, Samba
  • Container image scanning via Trivy plugin in CI/CD

WEAKNESSES

  • Detection rate 80 percent -- significantly below EDR/XDR (95-99 percent)
  • Insufficient on workstations -- Defender or XDR mandatory
  • 1 GB RAM need for clamd -- not for mini VPS under 2 GB total
  • ML module (clamav-ml) still experimental in May 2026, not production-ready

FAQ

Is ClamAV sufficient as sole antivirus solution?

Only for mail servers and upload endpoints. Workstations additionally need Windows Defender (free) or XDR (CrowdStrike, SentinelOne, Sophos). ClamAV detection rate in May 2026 is around 80 percent for known malware, significantly below EDR solutions (95-99 percent). Defense in depth is mandatory: mail gateway layer with ClamAV plus workstation layer with Defender/XDR.

How high is the false-positive rate?

Very low with the Cisco Talos standard database: below 0.1 percent. The SaneSecurity feed raises the rate to 0.5-1 percent (more phishing patterns, more false positives). Recommendation: first put the standard database into production; after 4 weeks of observation, activate SaneSecurity in "quarantine" mode instead of "reject", with a review routine.

Is Trivy plus ClamAV worth it for container scanning?

In May 2026 yes. Trivy alone detects CVEs in installed packages (apt, npm, pip) but no injected malware in custom layers. ClamAV plugin scans every file in the image against the virus database. Build step in CI/CD: trivy image --exit-code 1 plus clamscan over the extracted layer. Prevents supply-chain attacks via compromised Docker Hub images.

How current is the virus database?

Cisco Talos pushes several updates per day in May 2026. With Checks 24 in freshclam.conf the database is updated hourly. New malware families typically appear in the database in May 2026 within 2-6 hours of first sighting. Compared to commercial AV solutions (update every 5-15 minutes) this is somewhat slower, but sufficient for the mail gateway use case.


