This How-To describes how you can drastically improve the detection rates of clamAV. Mainly written for integration into your existing mail server setup, but clamAV works system-wide.

In my opinion, virus scanners are snake oil that adds another attack vector to a system where none needs to exist. Virus scanners can, by their nature, only detect known threats.
Unfortunately, virus scanners are treated like a religion of their own, and as soon as a computer is infected, the question about the virus scanner is never far behind. If you still want to use a virus scanner – for known threats – the choice of open source software is very limited. The most widespread virus scanner is probably the one with the worst detection rate of all known scanners in the world. This is largely because clamAV ships with comparatively few virus signatures. Thanks to the work of eXtremeSHOK, it is particularly convenient to add several signature sets for detection and thus drastically improve the detection rates.

At the beginning we need a working mail server setup with rspamd, as described by Thomas Leistner. I haven’t seen a better how-to for setting up a mail server yet. My How-To refers to Debian Linux, but should also work on other platforms like CentOS or Ubuntu.

install clamAV:

apt install clamav clamav-daemon

Create /etc/rspamd/local.d/antivirus.conf:

cat > /etc/rspamd/local.d/antivirus.conf <<'EOF'
first {
  attachments_only = false;
  symbol = "CLAM_VIRUS";
  type = "clamav";
  action = "reject";
  log_clean = true;
  servers = "/var/run/clamav/clamd.ctl";
}
EOF

Clone with git or wget a release from https://github.com/extremeshok/clamav-unofficial-sigs/releases:

git clone https://github.com/extremeshok/clamav-unofficial-sigs.git

Copy the script to /usr/local/sbin and chmod it to 775

cp clamav-unofficial-sigs.sh /usr/local/sbin/clamav-unofficial-sigs.sh
chmod 775 /usr/local/sbin/clamav-unofficial-sigs.sh

Create a config directory and copy the example config matching your OS

mkdir /etc/clamav-unofficial-sigs/
cp config/YOUR_OS.conf /etc/clamav-unofficial-sigs/os.conf

Copy the two remaining config files

cp config/{master.conf,user.conf} /etc/clamav-unofficial-sigs/

Enable clamav-unofficial-sigs script

sed -i 's/#user_configuration_complete="yes"/user_configuration_complete="yes"/g' /etc/clamav-unofficial-sigs/user.conf

Install logrotate script, man pages and systemd files

clamav-unofficial-sigs.sh --install-logrotate
clamav-unofficial-sigs.sh --install-man
cp systemd/* /etc/systemd/system/

Run clamav-unofficial-sigs.sh the first time and get new virus signatures

clamav-unofficial-sigs.sh

Restart and enable services

systemctl enable clamav-daemon.service
systemctl restart clamav-daemon.service
systemctl enable clamav-freshclam.service
systemctl restart clamav-freshclam.service
systemctl restart rspamd.service

That’s it!

We can test our setup with a signature test by sending an e-mail with the EICAR test file as an attachment.

wget -O virus.test https://secure.eicar.org/eicar.com
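Before sending anything through the mail server, it helps to confirm that clamd itself flags the EICAR file, so a failure can be pinned on either the scanner or the rspamd integration. The script below is an added example and is not part of the original how-to or of the clamav-unofficial-sigs project. It streams the test file to clamd over the Debian default socket /var/run/clamav/clamd.ctl using the INSTREAM command (the same mechanism the rspamd clamav module uses), parses the verdict, and builds the test e-mail with the file attached. The sender and recipient addresses are constructed placeholders.

```python
"""Added example: check clamd directly, then build the EICAR test e-mail.

Assumptions (adjust to your host): clamd listens on the Debian default unix
socket /var/run/clamav/clamd.ctl, as configured in antivirus.conf above.
"""
import socket
import struct
from email.message import EmailMessage
from typing import Optional, Tuple

CLAMD_SOCKET = "/var/run/clamav/clamd.ctl"  # Debian default, matches antivirus.conf

# Standard EICAR test string: the content of the eicar.com file the how-to downloads.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def instream_chunks(data: bytes, chunk_size: int = 4096) -> bytes:
    """Encode data as a clamd INSTREAM request: 'zINSTREAM\\0' followed by
    frames of 4-byte big-endian length + payload, ending with a zero-length frame."""
    out = bytearray(b"zINSTREAM\0")
    for i in range(0, len(data), chunk_size):
        chunk = data[i:i + chunk_size]
        out += struct.pack(">I", len(chunk)) + chunk
    out += struct.pack(">I", 0)  # zero-length frame terminates the stream
    return bytes(out)


def parse_clamd_reply(reply: bytes) -> Tuple[Optional[str], bool]:
    """Parse a null-terminated clamd reply such as b'stream: Eicar-Test-Signature FOUND\\0'
    or b'stream: OK\\0'. Returns (signature name or None, infected flag)."""
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    _, _, verdict = text.partition(": ")
    if verdict.endswith(" FOUND"):
        return verdict[: -len(" FOUND")], True
    if verdict == "OK":
        return None, False
    raise RuntimeError(f"unexpected clamd reply: {text!r}")


def scan_with_clamd(data: bytes, socket_path: str = CLAMD_SOCKET) -> Tuple[Optional[str], bool]:
    """Stream data to clamd over its unix socket and return the parsed verdict."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(30)
        s.connect(socket_path)
        s.sendall(instream_chunks(data))
        reply = b""
        while not reply.endswith(b"\0"):  # 'z' commands get a null-terminated reply
            part = s.recv(4096)
            if not part:
                break
            reply += part
    return parse_clamd_reply(reply)


def build_test_mail(sender: str, recipient: str, payload: bytes = EICAR) -> EmailMessage:
    """Build the signature-test e-mail: a plain text body with the EICAR file
    attached as virus.test, ready to hand to sendmail or an SMTP client."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "clamav-unofficial-sigs signature test"
    msg.set_content("Signature test for the rspamd/clamAV integration.")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename="virus.test")
    return msg


if __name__ == "__main__":
    # Constructed placeholder addresses; replace with real mailboxes on your server.
    name, infected = scan_with_clamd(EICAR)
    print("clamd verdict:", name if infected else "clean")
    print(build_test_mail("test@example.invalid", "postmaster@example.invalid").as_string())
```

If clamd reports the EICAR signature here but the e-mail still arrives without the CLAM_VIRUS symbol, the problem lies in the rspamd side (socket path or permissions in antivirus.conf), not in the signatures.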