
A Guide to ClamAV Open-Source Anti-Malware for AIX

Chris Gibson explains how to install, configure and use the signature-based software

Malware is a short term for malicious software. It refers to any intrusive software developed by cybercriminals to steal data and damage or destroy computers and computer systems. Malware is an umbrella term that describes any malicious program or code that is harmful to systems. Examples of common malware include viruses, worms, Trojan viruses, spyware, adware and ransomware.

Fortunately, malware on IBM AIX servers is rare due to its robust security, but there still exists the potential for targeted attacks that could occur on unpatched, misconfigured or mismanaged systems. Keeping systems up to date and monitoring for suspicious activity is key.

For instance, critical flaws (like CVE-2024-56346 and CVE-2024-56347) in AIX’s network installation manager could allow remote command execution, highlighting the need for prompt patching. Similarly, Chinese state-sponsored spies compromised an AIX server at a U.S. aerospace firm using default credentials, lingering for four months due to poor monitoring and unmanaged legacy systems. These incidents underscore the importance of updating systems, securing credentials and monitoring AIX environments to prevent targeted attacks.

AIX administrators have several tools and features to monitor and manage malware, though the platform’s niche nature means fewer third-party options compared to Windows or Linux. AIX admins can use Trusted Execution (TE) for file integrity, RBAC to secure access, AIX Auditing/AIXPert for activity monitoring, PowerSC for trusted boot and real-time compliance, and ClamAV for real-time malware scanning and quarantine. These tools help mitigate risks.

This article describes the basic steps for installing, configuring and using ClamAV on AIX. ClamAV is an open-source, cross-platform antivirus toolkit. Its primary purpose is to detect many kinds of malicious software: viruses, worms, trojans, rootkits and other threats to your system. ClamAV is signature-based anti-malware software that focuses on looking at broken or unknown headers and classes. It is designed to provide flexible scanning for malicious programs. The core of the package is an anti-virus engine available in the form of a shared library. The ClamAV virus definitions are updated daily to ensure a complete database build for any suspicious program.

ClamAV Installation and Configuration on AIX

The recommended method for installing ClamAV on AIX is to use the AIX open source Toolbox. This allows for easy installation using DNF (as shown below). If you’re new to the AIX Toolbox, check out the self-paced course Open Source Software on IBM AIX. Note that all steps in this article were performed on AIX 7.3 TL2 SP1 (7300-02-01-2346).

# dnf -y install *clam*
...
Installed:
clamav-1:1.0.7-3.ppc
clamav-devel-1:1.0.7-3.ppc
libtool-ltdl-2.4.7-1.ppc

Complete!

Verify that the ClamAV software is installed.

# rpm -qa | grep -i clam
clamav-1.0.7-3.ppc
clamav-devel-1.0.7-3.ppc

Ensure that root’s PATH variable includes /opt/freeware/bin and /opt/freeware/sbin.

# echo $PATH
/usr/bin:/etc:/usr/sbin:/usr/ucb:/usr/bin/X11:/sbin:/usr/java8_64/jre/bin:/usr/java8_64/bin:/opt/freeware/bin:/opt/freeware/sbin

Create the necessary directories and symbolic links to the binaries.

# mkdir -p /var/log/clamav
# mkdir -p /var/lib/clamav
# ln -s /opt/freeware/bin/freshclam /usr/bin/freshclam
# ln -s /opt/freeware/bin/clamscan /usr/bin/clamscan
# ln -s /opt/freeware/bin/sigtool /usr/bin/sigtool

Create the required configuration file for ClamAV.

# cp /opt/freeware/etc/clamav/freshclam.conf.sample /opt/freeware/etc/clamav/freshclam.conf

# ln -s /opt/freeware/etc/clamav/freshclam.conf /etc/freshclam.conf

Edit the ClamAV configuration file. Comment out the line that starts with Example; that is, change it from Example to #Example. Add a new entry DatabaseOwner root to the file.

# vi /etc/freshclam.conf
...
# Comment or remove the line below.
#Example

# By default when started freshclam drops privileges and switches to the
# "clamav" user. This directive allows you to change the database owner.
# Default: clamav (may depend on installation options)
#DatabaseOwner clamav
DatabaseOwner root

Test and update the ClamAV database definition with the freshclam command.

# freshclam
ClamAV update process started at Fri Mar 21 00:39:26 2025
daily database available for download (remote version: 27583)
Time:    1.1s, ETA:    0.0s [========================>]   61.61MiB/61.61MiB
Testing database: '/var/lib/clamav/tmp.c33af9fb75/clamav-16010a4089c669bd1b1dd9896ca6b33d.tmp-daily.cvd' ...
Database test passed.
daily.cvd updated (version: 27583, sigs: 2074188, f-level: 90, builder: raynman)
main database available for download (remote version: 62)
Time:    3.0s, ETA:    0.0s [========================>]  162.58MiB/162.58MiB
Testing database: '/var/lib/clamav/tmp.c33af9fb75/clamav-2b46d34a50d00f94cf481839b765f3f1.tmp-main.cvd' ...
Database test passed.
main.cvd updated (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
bytecode database available for download (remote version: 335)
Time:    0.0s, ETA:    0.0s [========================>]  282.94KiB/282.94KiB
Testing database: '/var/lib/clamav/tmp.c33af9fb75/clamav-b238b094544e9302ee34d84491a4b805.tmp-bytecode.cvd' ...
Database test passed.
bytecode.cvd updated (version: 335, sigs: 86, f-level: 90, builder: raynman)

Create the quarantine directory /var/lib/clamav/quarantine.

# mkdir -p /var/lib/clamav/quarantine

That’s it. ClamAV is now installed on your AIX system.

Scanning for Malware

Now we can perform a scan for malware. In this example, for testing purposes, we’ve placed a malware file in a directory named /test_dir. We’ll scan this directory with ClamAV and view the results.

To scan the /test_dir directory, use the clamscan command, as shown below.

# clamscan /test_dir/
Loading:    25s, ETA:   0s [========================>]    8.71M/8.71M sigs
Compiling:   6s, ETA:   0s [========================>]       41/41 tasks
/test_dir/trinity.zip: Win.Test.EICAR_HDB-1 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8706576
Engine version: 1.0.7
Scanned directories: 1
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 32.520 sec (0 m 32 s)
Start Date: 2025:05:05 23:48:00
End Date:   2025:05:05 23:48:33

The results from clamscan show that one infected (malware) file was found (Infected files: 1). The name of the malware file is trinity.zip. Note that the file signature is Win.Test.EICAR_HDB-1, which is a signature used by ClamAV to identify the EICAR test file, a harmless, standardized file designed to test the functionality of antivirus software. Refer to the European Institute for Computer Anti-Virus Research (EICAR) website for more information.

We can run the same scan again, but this time we can instruct clamscan to move (--move) any discovered malware files to the quarantine directory (/var/lib/clamav/quarantine). Note that along with the --move option, we also specify the -v option for more verbose output while testing.

# clamscan -v --move /var/lib/clamav/quarantine /test_dir
Loading:    25s, ETA:   0s [========================>]    8.71M/8.71M sigs
Compiling:   6s, ETA:   0s [========================>]       41/41 tasks
Scanning /test_dir/trinity.zip
/test_dir/trinity.zip: Win.Test.EICAR_HDB-1 FOUND
traverse_to: Handle opened for 'test_dir' directory.
...
/test_dir/trinity.zip: moved to '/var/lib/clamav/quarantine/trinity.zip'

----------- SCAN SUMMARY -----------
Known viruses: 8706576
Engine version: 1.0.7
Scanned directories: 1
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 32.218 sec (0 m 32 s)
Start Date: 2025:05:05 23:52:39
End Date:   2025:05:05 23:53:11

Examining the output you’ll observe that the file trinity.zip was moved to the /var/lib/clamav/quarantine directory. We can confirm this by listing the contents of the /test_dir directory (which is now empty) and the /var/lib/clamav/quarantine directory (where the trinity.zip file now resides).

# ls -ltr /test_dir/
total 0

# ls -ltr /var/lib/clamav/quarantine
total 8
-rw-------    1 root     system      684 May 05 23:53 trinity.zip

It’s generally recommended to configure ClamAV to move potential malware files to a quarantine directory rather than deleting them immediately. This approach allows for further analysis, reduces the risk of false positives causing data loss and provides an opportunity to recover files if needed.
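A cron-driven wrapper for the clamscan --move scan shown above, as an added example that is not part of the article: it quarantines detections, logs the run, and mails a report only when something was found or the scan failed. It assumes clamscan is on PATH, the quarantine directory created earlier, and mail(1); MAILTO, SCAN_DIRS and SAMPLE_OUTPUT are constructed placeholders, the last being clamscan output in the format the article shows so the parsing functions can be exercised without a scan.

```shell
#!/usr/bin/sh
# Scheduled clamscan wrapper for AIX (added example, not from the article).
# Assumes clamscan on PATH (/opt/freeware/bin), the quarantine directory from
# the article, and mail(1). MAILTO and SAMPLE_OUTPUT are constructed placeholders.
SCAN_DIRS="${SCAN_DIRS:-/home /tmp}"
QUARANTINE=/var/lib/clamav/quarantine
LOG=/var/log/clamav/clamscan.log
MAILTO="${MAILTO:-security-alerts@example.com}"

# Number of infected files from a clamscan SCAN SUMMARY; 0 if the line is absent.
infected_count() {
    awk -F': *' '/^Infected files:/ { n = $2 } END { print n + 0 }'
}

# One "path<TAB>signature" line per clamscan "path: signature FOUND" line.
# The signature is always the last field, so paths containing ": " are handled.
found_lines() {
    awk '/ FOUND$/ {
        sub(/ FOUND$/, "")
        sig = $NF
        print substr($0, 1, length($0) - length(sig) - 2) "\t" sig
    }'
}

# Run the scan, quarantine hits, and mail a report when something was found or
# the scan failed. clamscan exits 0 = clean, 1 = infections, 2 = error, so the
# script must not wrap it in set -e.
run_scan() {
    out=$(clamscan -r --move "$QUARANTINE" --log "$LOG" $SCAN_DIRS 2>&1)
    rc=$?
    host=$(hostname)
    case $rc in
        1) n=$(printf '%s\n' "$out" | infected_count)
           printf '%s\n' "$out" | found_lines |
               mail -s "ClamAV: $n infected file(s) quarantined on $host" "$MAILTO" ;;
        2) printf '%s\n' "$out" | tail -20 |
               mail -s "ClamAV: scan error (rc=$rc) on $host" "$MAILTO" ;;
    esac
    return $rc
}

# Constructed clamscan output in the format shown in the article, used to
# exercise the parsers without running a scan.
SAMPLE_OUTPUT='/test_dir/trinity.zip: Win.Test.EICAR_HDB-1 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8706576
Scanned files: 1
Infected files: 1
Time: 32.520 sec (0 m 32 s)'

# Scan only when invoked under this name (e.g. from cron), not when sourced.
if [ "${0##*/}" = "clamscan-cron.sh" ]; then
    run_scan
fi
```

Install it as /usr/local/bin/clamscan-cron.sh and add a root crontab entry such as `0 2 * * * /usr/local/bin/clamscan-cron.sh` to scan nightly.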

Keeping Up to Date

Running freshclam regularly (as shown below) is important because it updates the ClamAV virus database with the latest virus definitions, ensuring the antivirus engine can detect and protect against new and evolving malware threats.

# freshclam
ClamAV update process started at Tue May  6 18:46:16 2025
Tue May  6 18:46:16 2025 -> daily database available for update (local version: 27629, remote version: 27630)
Current database is 1 version behind.
Downloading database patch # 27630...
Time:    0.1s, ETA:    0.0s [========================>]    1.08KiB/1.08KiB
Testing database: '/var/lib/clamav/tmp.13503b497d/clamav-2acb2c19dd3bd040896acd63c764387a.tmp-daily.cld' ...
Database test passed.
Tue May  6 18:46:28 2025 -> daily.cld updated (version: 27630, sigs: 2074811, f-level: 90, builder: raynman)
Tue May  6 18:46:28 2025 -> main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
Tue May  6 18:46:28 2025 -> bytecode.cvd database is up-to-date (version: 336, sigs: 83, f-level: 90, builder: nrandolp)
Clamd successfully notified about the update.

The freshclam tool requires internet access to function properly in most cases. It connects to ClamAV’s database servers (typically over HTTP or HTTPS) to download the latest virus definition updates. Without an internet connection, freshclam cannot retrieve these updates, and ClamAV will rely on the existing, potentially outdated database.

You’ll need to allow outgoing connections from your server to the ClamAV repository servers. The ClamAV database servers, primarily accessed via database.clamav.net, use a content delivery network (CDN) powered by Cloudflare, which employs Anycast addresses. These IP addresses can vary based on your geographic location and the CDN’s load balancing. There is no fixed or “typical” list of IP addresses, as they are dynamically assigned and can change over time. To find current IPs from your location, use the dig command (as shown below).

# dig +short database.clamav.net
database.clamav.net.cdn.cloudflare.net.
104.18.203.90
104.17.196.15

You’ll need firewall rules to allow outbound traffic from your AIX host to these IP addresses.

Another way to monitor which IP addresses are being used in your location is to run freshclam in one session and then, in another session, run the iftop command to capture IP traffic activity (the iftop tool can be installed from the AIX Toolbox, with dnf -y install iftop).

Start by capturing IP traffic (see example below). The iftop command will continue to run until you terminate it.

# iftop -t > /tmp/iflog.txt

In another session, run freshclam to update the ClamAV signatures on your system.

# freshclam
ClamAV update process started at Thu Mar 27 00:06:24 2025
daily database available for update (local version: 27586, remote version: 27589)
Current database is 3 versions behind.
Downloading database patch # 27587...
Time:    0.1s, ETA:    0.0s [========================>]    2.11KiB/2.11KiB
...etc...

Once freshclam is finished running, return to the iftop session and terminate it with Ctrl+C. Review the log file (/tmp/iflog.txt).

# vi /tmp/iflog.txt
...
# grep 104 /tmp/iflog.txt
104.17.196.15        <=     62.8Kb     20.9Kb     20.9Kb     15.7KB
104.18.203.90        <=     24.8Kb     8.28Kb     8.28Kb     6.21KB
104.17.196.15        <=         0b     15.7Kb     15.7Kb     15.7KB
104.18.203.90        <=     21.2Kb     11.5Kb     11.5Kb     11.5KB
104.17.196.15        <=         0b     12.6Kb     12.6Kb     15.7KB
104.18.203.90        <=         0b     9.20Kb     9.20Kb     11.5KB

It’s possible to use a local ClamAV mirror server instead. If you’re using a local mirror or manually providing update files (e.g., in an air-gapped environment), internet access might not be needed, but this requires specific configuration. For standard usage, an active internet connection is essential. If you’re interested in configuring a ClamAV local mirror, take a look at the ClamAV documentation and review the steps for setting up a web server, configuring freshclam to download updates, and pointing clients to the local mirror.
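For hosts that do have DNS access, a signature-freshness check to run from cron alongside freshclam, as an added example that is not part of the article: it reads the daily and main versions from the local database headers with sigtool (installed with the clamav package) and compares them with the versions ClamAV publishes in the TXT record of current.cvd.clamav.net, the record freshclam itself consults. It assumes that record's layout (field 2 is the main.cvd version, field 3 the daily version); SAMPLE_TXT is a constructed record carrying the remote versions from the freshclam run above.

```shell
#!/usr/bin/sh
# ClamAV signature-freshness check for AIX (added example, not from the article).
# Assumes sigtool and dig on PATH and the database directory from the article.
# The TXT record layout (field 2 = main version, field 3 = daily version) is
# the layout freshclam reads; SAMPLE_TXT is a constructed record for testing.
DBDIR=/var/lib/clamav

# Path of a database: freshclam leaves a .cld once it has applied a patch.
db_file() { [ -f "$DBDIR/$1.cld" ] && echo "$DBDIR/$1.cld" || echo "$DBDIR/$1.cvd"; }

# Version number from a .cvd/.cld header, e.g. "27630" (empty if unreadable).
local_version() {                       # $1 = database file
    sigtool --info "$1" 2>/dev/null | awk -F': *' '$1 == "Version" { print $2; exit }'
}

# Field N of the TXT record, with the quotes dig prints around it removed.
txt_field() {                           # $1 = record text, $2 = field number
    printf '%s\n' "$1" | tr -d '"' | cut -d: -f"$2"
}

# Compare local versions with the record. Prints one line per database:
#   <db> local <l> remote <r> behind <n>
# Returns 0 when both are current, 1 when at least one is behind.
# $1 = TXT record text, $2 = local main version, $3 = local daily version
versions_behind() {
    rc=0
    for db in main daily; do
        if [ "$db" = main ]; then lv=$2; rv=$(txt_field "$1" 2)
        else lv=$3; rv=$(txt_field "$1" 3); fi
        behind=$(( rv - lv ))
        [ "$behind" -gt 0 ] && rc=1
        [ "$behind" -lt 0 ] && behind=0
        printf '%s local %s remote %s behind %s\n' "$db" "$lv" "$rv" "$behind"
    done
    return $rc
}

# Live check: exit 2 when the record or the local headers cannot be read.
check_freshness() {
    txt=$(dig +short txt current.cvd.clamav.net)
    [ -n "$txt" ] || { echo "no TXT record for current.cvd.clamav.net" >&2; return 2; }
    lm=$(local_version "$(db_file main)"); ld=$(local_version "$(db_file daily)")
    [ -n "$lm" ] && [ -n "$ld" ] || { echo "cannot read database headers in $DBDIR" >&2; return 2; }
    versions_behind "$txt" "$lm" "$ld"
}

# Constructed record: remote main 62, daily 27589 (the remote versions in the
# article's freshclam run, where the host was 3 daily versions behind).
SAMPLE_TXT='"0.103.12:62:27589:1743033600:1:90:49192:336"'

if [ "${0##*/}" = "clamav-freshness.sh" ]; then
    check_freshness
fi
```

A non-zero exit from check_freshness is what to alert on from cron: 1 means freshclam has fallen behind, 2 means the check itself could not run.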

Be Alert!

You should also consider configuring alerts with ClamAV so that you can detect threats in real-time. This will help you respond quickly to incidents and ensure you’re monitoring your system’s overall integrity and health, not to mention helping you meet your compliance and auditing requirements.

To send email alerts whenever a malware file is detected, you can employ the clamdscan tool. First you must configure the /etc/clamd.conf file. Add a line under the “Execute a command when virus is found” section.

# Execute a command when virus is found.

VirusEvent /usr/local/bin/clamalert.sh

In this example the VirusEvent /usr/local/bin/clamalert.sh entry instructs clamdscan to run the /usr/local/bin/clamalert.sh script whenever a malware file is found. The script contains the following contents:

#!/usr/bin/ksh
# Run by clamd for each detection. clamd passes the signature name and the
# path of the file in the CLAM_VIRUSEVENT_VIRUSNAME and CLAM_VIRUSEVENT_FILENAME
# environment variables.
PATH=/usr/bin
ALERT="Signature detected by clamav: $CLAM_VIRUSEVENT_VIRUSNAME in $CLAM_VIRUSEVENT_FILENAME"
echo "Virus found!" "$ALERT" | mail -s "Virus found!" myemail@au99.ibm.com

I also configured a few other options for logging (shown below for your reference).

# grep -v ^# /etc/clamd.conf
LogFile /var/log/clamd.log
...
LogFileMaxSize 2M
...
LogTime yes
...
LogSyslog yes
...
LogFacility LOG_MAIL
...
LogVerbose yes
...
LogRotate yes
...
ExtendedDetectionInfo yes
...
PidFile /var/run/clamd.pid
...
LocalSocket /tmp/clamd.socket
...
VirusEvent /usr/local/bin/clamalert.sh
...

Once you’ve configured clamd.conf, you must then start the clamd daemon (as shown below). This will download the latest ClamAV signature database and load it into memory. The clamdscan command will connect to the clamd daemon to perform the scan.

# clamd
# ps -ef |grep clam
    root 10486194        1   0   Apr 15      -  0:35 clamd

Note that it can take a minute for the clamd daemon to start, so be patient. If you try to run clamdscan before the clamd daemon has finished loading, you’ll see the following error message:

# clamdscan /test_dir/
ERROR: Could not connect to clamd on LocalSocket /tmp/clamd.socket: No such file or directory
...

If a potential malware file is discovered, the script sends an email to the nominated email address. Here’s an example of what happens when we run clamdscan and a malware file is detected.

# clamdscan /test_dir/
/test_dir/trinity.zip: Win.Test.EICAR_HDB-1 FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.464 sec (0 m 0 s)
Start Date: 2025:05:06 00:52:41
End Date:   2025:05:06 00:52:41

If I check my email inbox now, I see an email from root on my AIX host with information about the discovered malware file.

I also suggest that you configure logging for freshclam as well. Here are some of the log settings I would recommend configuring in the /etc/freshclam.conf file.

# grep Log /etc/freshclam.conf | grep -v ^#
UpdateLogFile /var/log/freshclam.log
LogFileMaxSize 2M
LogTime yes
LogSyslog yes
LogFacility LOG_MAIL
LogRotate yes

Don’t forget to create the /var/log/freshclam.log file after configuring the freshclam.conf file.

# touch /var/log/freshclam.log

ClamAV Daemon

In my testing I did observe that ClamAV uses quite a bit of RAM to load the signature databases into memory. Make sure you have plenty of memory available, and don’t try to run it on an LPAR that has only 2G of memory assigned.

Configuring and running the clamd daemon on the system will load the complete ClamAV database of virus definitions into memory, instead of pulling it down from the internet every time you perform a scan. This provides very quick access to the database and makes the scanning processes run much faster; however, it requires memory for loading and caching. I noticed on my system that the clamd process consumed 1.37GB of memory. I was able to determine this using the clamdtop command (as shown below, 1370M).

# clamdtop

Scans are faster when clamd is active; note the short duration (Time) of a scan with clamdscan compared to clamscan.

# clamdscan /test_dir/ | grep Time
Time: 0.007 sec (0 m 0 s)

# clamscan /test_dir/ | grep Time
Time: 32.520 sec (0 m 32 s)

While both clamscan and the ClamAV scan daemon tool (clamdscan) are part of the ClamAV suite, the main reason to use clamdscan instead of clamscan is real-time scanning and multi-threaded processing, which make it more efficient and suitable for servers and systems requiring continuous protection. I recommend you refer to the ClamAV documentation to determine which approach is best for you.

PowerSC and ClamAV

The IBM PowerSC product supports integration with ClamAV. PowerSC calls ClamAV to scan and move any detected malware to a quarantine directory on the PowerSC uiAgent. It also adds a time-stamped prefix and nullifies the file permissions to stop it from being opened or used.

ClamAV is not included with PowerSC. You must first install it on uiAgents (as we’ve described in this article) before you can use it with the PowerSC UI. Using PowerSC to manage the integration and management of ClamAV is very appealing in situations where you have a large fleet of AIX servers to monitor; the single-pane-of-glass approach with PowerSC lets administrators scan and report on all their AIX servers from a central point of control (as shown in the screenshots below).

Figure 4: PowerSC UI malware scan report.

If you’re interested in learning more about this integration, or PowerSC in general, I highly recommend you attend the IBM PowerSC Workshop.

This article gave you a quick rundown on setting up and using ClamAV on AIX, and we hope it’s a helpful starting point—dive into the resources for more details!

Resources

ClamAV Documentation

ClamAV Scanning

Installing anti-malware on AIX

ClamAV Setup and Configuration Tutorial

PowerSC Configuring Anti-Malware

IBM PowerSC Workshop
