🛡️ ClamAV & Real-Time Protection on Arch Linux
- Peter Kriel
- 4 days ago
- 2 min read
Arch Linux provides the latest ClamAV binaries, but unlike Debian/Ubuntu, it doesn't always pre-configure the background services for you. Here is the step-by-step guide.
Phase 1: Installation & Automatic Updates
On Arch, we use pacman to grab the core suite.
Install the package:
Bash
sudo pacman -Syu clamav
Configure Automatic Signature Updates: The update tool is freshclam. We need to enable its systemd service so your virus definitions stay current.
Start & Enable:
sudo systemctl enable --now clamav-freshclam.service
Verify:
sudo systemctl status clamav-freshclam.service
Initial Database Download: Arch sometimes requires a manual first run to create the database files.
Bash
sudo freshclam
Phase 2: Configure the ClamAV Daemon (clamd)
For clamonacc (the real-time engine) to work, it must communicate with the clamd service. We need to edit the configuration to enable "On-Access" features.
Edit the configuration file:
Bash
sudo nano /etc/clamav/clamd.conf
Uncomment and set these values: Search for these lines and ensure they are not preceded by a #.
Plaintext
# Required for clamonacc to talk to clamd
LocalSocket /run/clamav/clamd.ctl
# Enable On-Access Scanning
OnAccessIncludePath /home
OnAccessIncludePath /var/www
# Block access to infected files
OnAccessPrevention yes
# Exclude the ClamAV user to prevent loops
OnAccessExcludeUname clamav
Start the Daemon:
Bash
sudo systemctl enable --now clamav-daemon.service
Phase 3: Setting up clamonacc for Boot
On Arch, the clamonacc binary is included, but there is no default systemd service file for it. We have to create one manually.
Create the systemd unit:
Bash
sudo nano /etc/systemd/system/clamonacc.service
Paste the following:
Note: We use ExecStartPre to ensure the socket file exists before the real-time scanner tries to connect, preventing a "Socket not found" crash on boot.
INI
[Unit]
Description=ClamAV On-Access Scanner
Requires=clamav-daemon.service
After=clamav-daemon.service network.target

[Service]
Type=simple
User=root
# Check for the socket file before starting
ExecStartPre=/usr/bin/bash -c "while [ ! -S /run/clamav/clamd.ctl ]; do sleep 1; done"
# Recreate the quarantine directory: /tmp is a tmpfs on Arch and is emptied at every boot
ExecStartPre=/usr/bin/mkdir -p /tmp/quarantine
# -F runs in foreground for systemd, --move sends threats to quarantine
ExecStart=/usr/bin/clamonacc -F --log=/var/log/clamav/clamonacc.log --move=/tmp/quarantine
Restart=on-failure

[Install]
WantedBy=multi-user.target
Set up the Quarantine & Start:
Bash
sudo mkdir -p /tmp/quarantine
sudo systemctl daemon-reload
sudo systemctl enable --now clamonacc.service
Phase 4: Verification
To confirm everything is linked correctly:
Check the logs:
Bash
tail -f /var/log/clamav/clamonacc.log
Test Detection: In a new terminal, curl the EICAR test file into a directory under /home (one of the OnAccessIncludePath entries):
Bash
curl -O https://secure.eicar.org/eicar.com.txt
If successful, clamonacc should intercept the file, move it to /tmp/quarantine, and log the event.
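A small check script, added here as an example rather than taken from the guide or from ClamAV: it lints a clamd.conf for the Phase 2 directives (flagging any that are missing or still commented out) and bounds the socket wait that the unit's ExecStartPre loops on, so a clamd that never starts fails fast instead of hanging. The embedded sample config is constructed; the config path defaults to that sample and can be overridden with the real file as the first argument.

```shell
#!/bin/sh
# Added example, not from the original guide: lints clamd.conf for the Phase 2
# directives and bounds the ExecStartPre socket wait. Pass a conf path as $1.

# Directives that must be present and uncommented for clamonacc to work.
REQUIRED_DIRECTIVES="LocalSocket OnAccessIncludePath OnAccessPrevention OnAccessExcludeUname"

# check_clamd_conf FILE: print each required directive that is missing or
# still commented out. Returns 1 if any are, 0 if all are active.
check_clamd_conf() {
    rc=0
    for d in $REQUIRED_DIRECTIVES; do
        # An active directive starts the line and is followed by a value;
        # a leading '#' means it is still commented out.
        if ! grep -Eq "^[[:space:]]*$d[[:space:]]+" "$1"; then
            echo "MISSING or commented: $d"
            rc=1
        fi
    done
    return $rc
}

# active_value FILE DIRECTIVE: print the first active value of DIRECTIVE.
active_value() {
    grep -E "^[[:space:]]*$2[[:space:]]+" "$1" | head -n1 | awk '{print $2}'
}

# wait_for_socket PATH SECONDS: the ExecStartPre loop, but with a timeout so
# a clamd that never comes up fails the check instead of hanging. 0 = found.
wait_for_socket() {
    i=0
    while [ ! -S "$1" ]; do
        i=$((i + 1))
        if [ "$i" -ge "$2" ]; then return 1; fi
        sleep 1
    done
    return 0
}
# Constructed sample config: the guide's directives, with OnAccessPrevention
# still commented out, so the check should flag exactly that one.
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
LocalSocket /run/clamav/clamd.ctl
OnAccessIncludePath /home
OnAccessIncludePath /var/www
#OnAccessPrevention yes
OnAccessExcludeUname clamav
EOF
check_clamd_conf "${1:-$SAMPLE_CONF}" || echo "clamonacc will not work until these are fixed"
```

Run it as `sh check-clamd.sh /etc/clamav/clamd.conf` after Phase 2 to confirm the directives took effect before creating the unit.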