Clamav
ClamAV is an antivirus engine for detecting malicious threats, run as a self-hosted solution.
The GPL-licensed virus scanner that Cisco maintains and basically every self-hosted mail stack ships by default — honestly reviewed.
TL;DR
- What it is: Open-source (GPL-2.0) antivirus engine for detecting trojans, viruses, malware, and phishing — designed primarily as a mail gateway scanner, not a desktop endpoint product [README].
- Who it’s for: Sysadmins running self-hosted mail servers, shared hosting providers, and DevOps teams who need a free, scriptable malware scanner they can plug into Postfix, Dovecot, or any Linux pipeline [1][3].
- Cost: Zero. No tiers, no usage caps, no per-scan pricing. You pay only for the VPS or server it runs on [README].
- Key strength: The de-facto standard for open-source mail gateway scanning. Ships embedded in mailcow, Mailu, docker-mailserver, and every serious self-hosted email stack [4]. Backed by Cisco Talos, which means signature updates are real and timely [README].
- Key weakness: It is not a replacement for a modern endpoint antivirus. Detection rates for novel malware lag behind commercial engines. The daemon (clamd) is memory-hungry — expect 1–1.5 GB RAM at baseline, spiking near 1.8 GB during signature reloads [3].
What is ClamAV
ClamAV is an open-source antivirus engine that detects trojans, viruses, malware, and phishing. The project has been around since 2004, was acquired by Sourcefire in 2013, and is now maintained by Cisco Talos — one of the more credible threat intelligence teams in the industry [README][website]. The current stable release is 1.5.2.
What ClamAV actually is, once you get past the homepage marketing, is a signature-based file scanner with a daemon mode. The core toolchain has three pieces: clamd, the persistent daemon that holds virus definitions in memory and scans on demand via a socket; clamscan, the one-shot command-line scanner you run manually or in scripts; and freshclam, the background updater that pulls signature database changes from Cisco’s mirrors multiple times per day [about page].
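The socket interface clamd exposes is simple enough to drive without a client library. The following is an added example, not code from the ClamAV project: a minimal Python client for clamd's INSTREAM command, which streams file contents in length-prefixed chunks and parses the `stream: ...` verdict. The socket path is an assumption (Debian's packaged default); check `LocalSocket` in clamd.conf on your host.

```python
"""Minimal clamd INSTREAM client (added example, not ClamAV project code).

Framing clamd expects on its socket: a 'z'-prefixed, NUL-terminated command,
then data chunks each prefixed with a 4-byte big-endian length, ended by a
zero-length chunk. The reply is 'stream: <verdict>' terminated by NUL.
"""
import socket
import struct
from typing import Iterator, Tuple

CHUNK = 8192
DEFAULT_SOCKET = "/var/run/clamav/clamd.ctl"  # assumption: Debian default path

def instream_frames(data: bytes, chunk: int = CHUNK) -> Iterator[bytes]:
    """Yield the wire frames for one INSTREAM scan of `data`."""
    yield b"zINSTREAM\0"
    for off in range(0, len(data), chunk):
        piece = data[off:off + chunk]
        yield struct.pack("!I", len(piece)) + piece
    yield struct.pack("!I", 0)  # a zero-length chunk terminates the stream

def parse_reply(reply: bytes) -> Tuple[str, str]:
    """Map clamd's reply to (status, detail).

    status is 'clean', 'infected' or 'error'. Anything unrecognised is an
    error, so a truncated or garbled answer is never treated as clean.
    A stream above clamd's StreamMaxLength setting comes back as
    'stream: INSTREAM size limit exceeded. ERROR'.
    """
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    body = text[len("stream: "):] if text.startswith("stream: ") else text
    if body == "OK":
        return "clean", ""
    if body.endswith(" FOUND"):
        return "infected", body[:-len(" FOUND")]
    if body.endswith(" ERROR"):
        return "error", body[:-len(" ERROR")]
    return "error", f"unexpected reply: {text!r}"

def scan_bytes(data: bytes, sock_path: str = DEFAULT_SOCKET, timeout: float = 30.0) -> Tuple[str, str]:
    """Stream `data` to a running clamd over its Unix socket and return the parsed verdict."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(sock_path)
        try:
            for frame in instream_frames(data):
                s.sendall(frame)
        except BrokenPipeError:
            pass  # clamd closed early (e.g. size limit hit); still read its reply
        reply = b""
        while not reply.endswith(b"\0"):
            part = s.recv(4096)
            if not part:
                break
            reply += part
    return parse_reply(reply)

if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        status, detail = scan_bytes(f.read())
    print(status, detail)
```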
The reason ClamAV dominates the self-hosted mail server world is its milter interface — it can plug directly into Postfix or Sendmail as a content filter, inspecting every inbound and outbound message for malicious attachments without the mail server needing to know how scanning works [about page][3]. When you spin up a mailcow, Mailu, or docker-mailserver instance, ClamAV is almost always the bundled scanner [4]. It’s not glamorous, but it’s reliable enough that the open-source mail community stopped looking for alternatives a decade ago.
The project sits at 6,378 GitHub stars and is actively developed under GPL-2.0. Cisco releases both source and pre-built packages for Debian, RPM-based Linux, macOS, and Windows [README].
Why people choose it
The articles we synthesized tell a consistent story: people don’t exactly choose ClamAV the way they evaluate SaaS tools. They choose to run a self-hosted mail server, and ClamAV is the scanner that everything integrates with. That said, the reasons it stays chosen — rather than being swapped out — come down to four things.
It’s free and doesn’t impose resource constraints on scanning volume. You can run clamscan on a 100 GB /home directory overnight and the only cost is CPU time [1]. One system administrator describes running it monthly on shared hosting servers to catch phishing pages, spammer scripts, and uploaded exploits — zero license cost, zero per-scan fee, just a scheduled job [1].
It integrates with everything. StackShare lists Windows, Ubuntu, Debian, CentOS, Linux, and macOS as platforms; the milter interface means any MTA can use it [7]. The full Docker mail stacks (mailcow, Mailu, docker-mailserver) all ship ClamAV as their default antivirus layer precisely because the integration is well-documented and stable [4].
Cisco Talos keeps the signatures current. The database updates multiple times per day [about page]. For a mail scanner, signature freshness matters more than heuristics — most malicious email attachments are known-malware variants, not zero-days, so a regularly updated signature database is genuinely useful.
It’s scriptable and headless. There’s no GUI required. You pipe files through it, parse the output, and automate responses. The 2011 pc-freak.net case study [1] demonstrates exactly this: clamscan scanning /home on a shared hosting server, logging to /var/log/clamscan.log, with phishing email and SSL-spoof detections written as plain text for grep-able reporting. The admin can attach a screen session, let it run, and read the log later.
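The grep-able log the article describes can be turned into a structured report with a few lines of parsing. This is an added example, not code from the pc-freak.net article or from ClamAV: it parses the line formats clamscan writes (`<path>: <signature> FOUND`, `<path>: <reason> ERROR`, `LibClamAV Warning:` lines and the trailing SCAN SUMMARY block), groups hits by signature family and checks the summary against what was actually parsed. The log text inside is constructed sample data, not a real scan.

```python
"""Report builder for clamscan output (added example, not ClamAV project code)."""
import re
from collections import Counter
from typing import Dict, List, Tuple

VERDICT = re.compile(r"^(?P<path>.+?): (?P<detail>.*?) (?P<verdict>FOUND|ERROR)$")
SUMMARY_KV = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<value>.+)$")
EXIT_CODES = {0: "no virus found", 1: "virus(es) found", 2: "error occurred"}  # clamscan man page

def parse_clamscan_log(text: str) -> Dict[str, object]:
    """Group detections, collect errors/warnings and summary counters from clamscan output."""
    infected: List[Tuple[str, str]] = []
    errors: List[Tuple[str, str]] = []
    warnings: List[str] = []
    summary: Dict[str, str] = {}
    in_summary = False
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if "SCAN SUMMARY" in line:
            in_summary = True
            continue
        if in_summary:
            m = SUMMARY_KV.match(line)
            if m:
                summary[m["key"]] = m["value"]
            continue
        if line.startswith("LibClamAV Warning:"):
            warnings.append(line)
            continue
        m = VERDICT.match(line)
        if m and m["verdict"] == "FOUND":
            infected.append((m["path"], m["detail"]))
        elif m:
            errors.append((m["path"], m["detail"]))
        # '<path>: OK' lines carry nothing actionable and are skipped.
    # Signature names follow Platform.Category.Name-Id; count by the first two parts
    # so the report reads "2x Html.Phishing" instead of one line per file.
    families = Counter(".".join(sig.split(".")[:2]) for _, sig in infected)
    declared = int(summary.get("Infected files", "-1"))
    return {"infected": infected, "errors": errors, "warnings": warnings,
            "summary": summary, "families": dict(families),
            "consistent": declared == len(infected)}  # False hints at a truncated log

def exit_code_meaning(code: int) -> str:
    return EXIT_CODES.get(code, f"unknown exit code {code}")

SAMPLE_LOG = """\
/home/site1/public_html/login.php: Html.Phishing.Bank-1 FOUND
/home/site1/public_html/index.php: OK
/home/site2/public_html/up/x.php: PHP.Shell.Generic-1 FOUND
/home/site3/mail/cur/1234.eml: Html.Phishing.Pay-2 FOUND
/home/site4/tmp/locked: Can't open file ERROR
LibClamAV Warning: cli_scanrar: RAR module failure
----------- SCAN SUMMARY -----------
Known viruses: 8670345
Engine version: 1.5.2
Scanned directories: 4
Scanned files: 5
Infected files: 3
Time: 0.512 sec (0 m 0 s)
"""  # constructed sample, not output of a real scan

if __name__ == "__main__":
    report = parse_clamscan_log(SAMPLE_LOG)
    for fam, n in sorted(report["families"].items()):
        print(f"{n}x {fam}")
    print("errors:", len(report["errors"]), "consistent:", report["consistent"])
```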
What people don’t choose ClamAV for — and this is worth saying plainly — is desktop endpoint protection. It lacks real-time file system monitoring, behavioral analysis, and the detection rates against novel malware that commercial endpoint products offer. If someone asks “should I run ClamAV on my developer laptop instead of paying for Malwarebytes,” the honest answer is probably no.
Features
From the official documentation and first-hand sources:
Core scanner:
- clamd: daemon with multi-threaded scanning and socket interface for high-throughput use cases [about page]
- clamscan: one-shot command-line scanner — slower but requires no persistent process [1]
- freshclam: automatic signature updater; pulls incremental diffs or full .cvd databases from Cisco mirrors [1][README]
- Milter interface for Postfix and Sendmail integration — scans attachments at the MTA level [about page][3]
File format support:
- Standard mail file formats (EML, MIME) [about page]
- Archives: ZIP, RAR, DMG, TAR, GZIP, BZIP2, Cabinet, CHM, BinHex, SIS [about page]
- Executables: ELF, PE files, including packers (UPX, FSG, Petite, NsPack) and obfuscation tools (Y0da Cryptor) [about page]
- Documents: MS Office, MacOffice, HTML, Flash, RTF, PDF [about page]
Detection capabilities:
- Signature-based virus and malware detection
- Heuristic phishing detection (email spoofed domains, SSL-spoof, phishing URLs) [1]
- Phishing URL scanning with --phishing-scan-urls [1]
- YARA rule support (Apache 2.0-licensed YARA engine bundled) [README]
- Scripted and digitally signed database updates to prevent tampering [about page]
- Optional unofficial signature packs (third-party databases can add 18M+ additional definitions) [3]
Deployment options:
- Docker image on Docker Hub (clamav/clamav) [README][4]
- Package manager installation on all major Linux distributions [README]
- MSI installer for Windows, PKG installer for macOS [README]
- Build from source (CMake-based) [README]
What’s not included:
- No GUI of any kind
- No real-time filesystem monitoring (no equivalent of an on-access scanner on Linux without third-party tools)
- No behavioral analysis or sandboxing
- No centralized management console
- No endpoint detection and response (EDR) capabilities
Pricing: SaaS vs self-hosted math
ClamAV has no paid tier, no cloud subscription, no per-scan pricing. The software is GPL-2.0, signature updates are free, and the Docker image is public [README].
The relevant cost comparison is commercial mail security scanning services vs. self-hosted ClamAV. Specific commercial pricing for mail gateway security (Proofpoint, Mimecast, Barracuda, FortiMail) wasn’t available in the sources reviewed — these vendors don’t publish list prices publicly. What can be said from general availability: purpose-built commercial mail security platforms targeting SMBs typically run in the $3–10/user/month range, and for a 20-person company that’s $720–$2,400/year before you factor in overage fees and annual contract commitments. Pricing data not independently verified against current vendor pages.
What self-hosting ClamAV costs in practice:
- ClamAV license: $0
- VPS to run a mail server that includes ClamAV: $5–20/month depending on RAM needs
- The clamd daemon needs 1–1.5 GB RAM at baseline (more during signature reloads) [3], so account for that in VPS sizing — a 2 GB VPS is the realistic floor
The math for a founder running their own mail server: if you’re already self-hosting Postfix + Dovecot, adding ClamAV costs approximately $0 in licensing and requires upgrading your VPS by maybe $5/month to cover the RAM increase. That’s a reasonable trade against any per-user mail security subscription.
Deployment reality check
Getting ClamAV running isn’t hard, but there are real operational considerations that the marketing page glosses over.
The daemon vs. the scanner choice matters. Running clamd (daemon mode) is the right choice for mail servers — it holds the signature database in memory and responds to scan requests in milliseconds [1][3]. Running clamscan directly is simpler to set up but slow; one sysadmin notes preferring clamscan without the daemon for infrequent whole-directory scans because “having a permanently running clamd on the servers sometimes creates problems or hangs” [1]. For a mail server processing dozens of messages per minute, clamd is non-negotiable. For a monthly audit of uploaded user files, clamscan in a screen session works fine [1].
Memory is the main resource concern. ClamAV is RAM-hungry relative to what you’d expect from a scanner. Baseline usage is 1–1.5 GB; during signature database reloads it can spike to 1.8 GB [3]. On a VPS shared with Postfix, Dovecot, Rspamd, and a database, this adds up. One deployment guide recommends ensuring “sufficient free host memory to absorb ClamAV reload spikes” and suggests resource limiting via systemd to prevent OOM kills from taking down mail delivery [3].
Integration with Rspamd is well-documented. The modern self-hosted mail server pattern is Rspamd for spam filtering + ClamAV for virus scanning, with ClamAV operating as an Rspamd plugin [3]. This combination gives you virus scanning of all attachments with a real-time signature update feed, phishing URL checking, and the full Rspamd spam filtering stack. The integration is Part 5 in at least one production Debian mail server guide — the guide flags it as “optional but recommended” for anyone handling sensitive data or sophisticated spam [3].
Signature update failures happen. The pc-freak.net example [1] shows the freshclam output including warnings about missing incremental .cdiff patch files on specific mirrors, falling back to downloading the full daily.cvd database. This is normal behavior but worth knowing — if you’re on a metered connection or have strict firewall egress rules, the fallback to downloading a full signature database (several hundred MB) will surprise you.
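Whether freshclam took the incremental or the full-download path, what matters operationally is that the local database is current. The following is an added example (not ClamAV project code) that reads the 512-byte header every .cvd/.cld file starts with and reports how old the database is, which is the check a monitoring job should run. The header in the code is constructed sample data with placeholder checksum and signature fields, and the default path is an assumption matching common Linux packaging.

```python
"""Signature database freshness check (added example, not ClamAV project code).

The header is 512 bytes, colon-separated: magic, build time, version,
signature count, functionality level, MD5, digital signature, builder,
build time in seconds since the epoch.
"""
from datetime import datetime, timezone
from typing import Dict, Optional, Union

HEADER_LEN = 512
DEFAULT_DB = "/var/lib/clamav/daily.cvd"  # assumption: common packaged location

def parse_cvd_header(raw: bytes) -> Dict[str, object]:
    """Split a CVD/CLD header into named fields; ValueError if it is not one."""
    fields = raw[:HEADER_LEN].decode("ascii", "replace").rstrip(" \0").split(":")
    if len(fields) < 9 or fields[0] != "ClamAV-VDB":
        raise ValueError("not a ClamAV CVD header")
    # Build time looks like '14 Jan 2026 09-12 -0500' (hours-minutes joined by a dash).
    built = datetime.strptime(fields[1], "%d %b %Y %H-%M %z")
    return {"built": built, "version": int(fields[2]), "signatures": int(fields[3]),
            "flevel": int(fields[4]), "builder": fields[7]}

def db_age_hours(raw: bytes, now: Optional[Union[datetime, str]] = None) -> float:
    """Hours since the database was built; `now` may be a datetime or ISO 8601 string."""
    built = parse_cvd_header(raw)["built"]
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    now = now or datetime.now(timezone.utc)
    return (now - built).total_seconds() / 3600.0

def freshness_verdict(age_hours: float, max_hours: float = 24.0) -> str:
    """'fresh' or 'stale'; a stale daily database usually means freshclam is failing."""
    return "fresh" if age_hours <= max_hours else "stale"

def check_file(path: str, max_hours: float = 24.0) -> str:
    with open(path, "rb") as f:
        raw = f.read(HEADER_LEN)
    return freshness_verdict(db_age_hours(raw), max_hours)

# Constructed sample header: placeholder MD5/dsig, fictitious builder name.
SAMPLE_HEADER = (b"ClamAV-VDB:14 Jan 2026 09-12 -0500:27500:8670345:90:"
                 b"PLACEHOLDER_MD5:PLACEHOLDER_DSIG:example-builder:1768399920"
                 ).ljust(HEADER_LEN, b" ")

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_DB
    try:
        print(target, check_file(target))
    except (OSError, ValueError) as exc:
        print(f"{target}: {exc}")
```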
Plesk integration can break across Ubuntu upgrades. At least one forum thread [2] documents ClamAV working on Ubuntu 18.x LTS + Plesk Obsidian, then failing to integrate cleanly after upgrading to Ubuntu 20.x LTS. The specific issue is whether ClamAV shows up correctly in the Plesk Email Security integration with amavis. Not a ClamAV bug per se — it’s a packaging/path change issue — but worth knowing if you’re on Plesk-managed hosting.
Realistic setup time for a sysadmin who’s run Linux servers before: 20–40 minutes to install, configure, and integrate with a mail server on a fresh VPS. For a non-technical founder: this is not a non-technical tool. ClamAV has no setup wizard, no web interface, no guided configuration. Budget a full day or hire someone.
Pros and cons
Pros
- Actually free. No license cost, no scan limits, no usage tiers. GPL-2.0 means you can embed it in your product, deploy it in client infrastructure, and redistribute it without commercial agreements [README].
- Cisco Talos signatures. The signature database is maintained by one of the larger dedicated threat intelligence operations. Updates ship multiple times per day [about page].
- Milter integration is solid. Plugging into Postfix or Sendmail at the MTA layer is well-understood, well-documented, and battle-tested across thousands of deployments [3][4].
- Ships in every major self-hosted mail stack. mailcow, Mailu, docker-mailserver all bundle it [4]. You’re not choosing an obscure tool — you’re using what the community converged on.
- Wide format coverage. Scans executables, documents, archives, and email formats. The list of supported packers and obfuscation tools is surprisingly deep for a free tool [about page].
- Docker image maintained. Official Docker Hub image with documented configuration [README][4].
- Unofficial signature extensions available. Third-party signature packs can extend detection to 18M+ additional definitions [3].
- YARA support. Security teams can write custom YARA rules and load them into ClamAV for targeted detection of specific threats [README].
Cons
- RAM footprint is heavy. 1–1.5 GB baseline, 1.8 GB during reloads [3]. On a shared VPS, this is a real constraint.
- Detection rate lags commercial engines. This is the honest truth about ClamAV: it’s excellent for known malware via signatures and not designed for behavioral or heuristic detection of novel threats. It’s a mail gateway filter, not an EDR.
- No real-time on-access scanning. There’s no Linux equivalent of Windows Defender’s file system filter driver. On-access scanning requires third-party wrappers (ClamFanotify, Dazuko) with their own complexity.
- No GUI, no dashboard. Results come from log files and exit codes. This is fine for sysadmins; it’s not acceptable for non-technical operators.
- Daemon stability complaints exist. At least one production operator notes clamd occasionally “creates problems or hangs” in long-running shared hosting deployments, preferring the stateless clamscan for infrequent audits [1].
- Plesk/panel integration can break across OS upgrades [2]. If your mail environment is control-panel-managed rather than hand-configured, verify compatibility before upgrading the underlying OS.
- Not a desktop security product. If you install it on a developer workstation expecting Malwarebytes-equivalent protection, you’ll be disappointed.
Who should use this / who shouldn’t
Use ClamAV if:
- You’re running a self-hosted mail server and need a free virus scanner for attachments.
- You’re a shared hosting provider who wants to audit /home for phishing pages, uploaded shells, and spam scripts [1].
- You’re building a self-hosted mail stack with Docker and want the standard, well-integrated antivirus layer [4].
- You need YARA rule support for custom threat detection in a file scanning pipeline.
- You have a sysadmin who can configure and maintain it — this is not a self-service tool.
Skip it (or add it alongside something else) if:
- You need endpoint protection on developer laptops or workstations — ClamAV is not designed for this use case.
- You need behavioral analysis, memory scanning, or sandboxing — signature-based scanning only.
- You’re a non-technical founder without a technical person on call — you need a managed mail security service, not a C daemon with a config file.
- You need a web-based management interface for a non-sysadmin team.
Consider a managed option if:
- Your compliance requirements specify a named commercial AV vendor (some certifications require this explicitly).
- Your team can’t absorb the operational overhead of monitoring signature update health and daemon restarts.
Alternatives worth considering
- Rspamd — Not a direct alternative (it’s a spam filter, not a virus scanner), but modern production setups run both together. Rspamd handles spam scoring, ClamAV handles malware [3][4]. They complement rather than replace each other.
- Linux Malware Detect (LMD/Maldet) — Focused on detecting web-server-context malware (PHP shells, uploaded exploits) rather than email attachments. Often paired with ClamAV on shared hosting for broader coverage.
- ESET NOD32 for Linux — Commercial endpoint antivirus for Linux servers. Better detection rates, commercial support, license cost.
- Sophos Antivirus for Linux — Previously had a free Linux home version; commercial editions for servers. Better heuristics than ClamAV.
- F-Secure / WithSecure Linux Security — Commercial, enterprise-grade, supports on-access scanning properly.
- VirusTotal API — If you need multi-engine scanning for individual suspicious files, submitting to VirusTotal hits 70+ engines. Not a mail gateway solution, but useful for incident response.
For a self-hosted mail server, the realistic answer is: run ClamAV for virus scanning and Rspamd for spam filtering. That combination is what the community has standardized on [3][4].
Bottom line
ClamAV is the right tool for exactly one job, and it does that job well: scanning email attachments and uploaded files for known malware on a Linux server. It’s free, it’s maintained by a serious threat intelligence team, and it integrates with every major self-hosted mail stack. The tradeoffs are real — the RAM footprint is heavier than you’d expect, detection against novel threats is limited, and there’s no UI of any kind. But for a sysadmin running their own mail server, ClamAV isn’t really a choice you make. It’s the scanner the ecosystem converged on, it works, and swapping it out for something else would require re-validating integrations that already work. If you’re not running a mail server and you want antivirus protection on a Linux workstation or endpoint, look elsewhere. If you are running a mail server, ClamAV is already in your docker-compose file whether you put it there or not.
Sources
- PC-Freak.net — “Scanning shared hosting servers to catch abusers, unwanted files, phishers, spammers and script kiddies with clamav” (Aug 12, 2011). https://www.pc-freak.net/blog/scanning-shared-hosting-servers-to-catch-abusers-unwanted-files-phishers-spammers-and-script-kiddies-with-clamav/
- Plesk Community Forum — “Resolved - Clamav” (Ubuntu 20.x + amavis integration thread). https://talk.plesk.com/threads/clamav.362544/
- Pieter Bakker — “ClamAV & Rspamd Advanced Filtering — Building a Modern Mail Server on Debian 13, Part 5”. https://pieterbakker.com/clamav-rspamd-advanced-filtering/
- portalZINE.DE — “Day 44: SPAM, SPAM or NO SPAM – 7 Days of Docker” (Feb 27, 2026). https://portalzine.de/day-44-spam-spam-or-no-spam-7-days-of-docker/
- StackShare — “ClamAV” (integrations and categorization). https://stackshare.io/clamav
Primary sources:
- GitHub repository and README: https://github.com/cisco-talos/clamav (6,378 stars, GPL-2.0)
- Official website: https://www.clamav.net
- About page: https://www.clamav.net/about
- Documentation: https://docs.clamav.net