,

How to Install & Configure ClamAV Scanner in WHM

Configure ClamAV Scanner

This guide helps you set up and manage the ClamAV® virus scanner in WHM to protect your server from malicious files. You'll learn how to install it, choose scan targets, set user options, and automate scans via cron jobs.

Install or Uninstall ClamAV Scanner

To install or remove the ClamAV Scanner plugin, go to:

WHM → cPanel → Manage Plugins

Note: This plugin requires at least 3 GB RAM on your server to function properly.

Configure Scan Settings

Select what you want ClamAV to scan using checkboxes:

  • Mail
  • Home Directory
  • Public FTP Space
  • Public Web Space

Click Save to apply the settings.

Note: Incoming mail is scanned automatically. To scan outgoing mail, see the Exim configuration section below.

User Configuration

This section lets you configure scan settings for individual cPanel users and set default options for new accounts.

For each user, you can enable or disable scanning of:

  • Mail
  • Home Directory
  • Public FTP Space
  • Public Web Space

Exim Configuration

To scan outgoing mail, enable these options in WHM:

  1. Navigate to: WHM → Service Configuration → Exim Configuration Manager → Basic Editor → Security
  2. Enable:
    • Scan messages for malware from authenticated senders (exiscan)
    • Scan outgoing messages for malware
  3. Click Save

Use from the Command Line

ClamAV command-line tools are located at:

/usr/local/cpanel/3rdparty/bin/

Tools included:

  • clamscan - command-line scanner
  • clamdscan - faster scanner using clamd
  • freshclam - updates the virus definitions

You can add these tools to your system PATH using symbolic links.

mbox Format and Compatibility

If you're using the mbox format for mailboxes, ClamAV may not detect infections properly. It's recommended to use maildir instead, which is the default format for cPanel.

If mbox is required, use doveadm to manage or remove flagged messages manually.

Set Up Cron Jobs for Scheduled Scanning

To automate scans, create a daily cron job. Here’s an example that scans all user directories and logs infected files:

while read domain user; do
  /usr/local/cpanel/3rdparty/bin/clamscan -i -r /home/"$user" 2>&1
done </etc/trueuserdomains >>/root/infections.txt
  • Run this as root.
  • Set the cron to run during low server activity hours.
case studies

See More Case Studies