freshclam
Update ClamAV virus definition database
TLDR
Update virus definitions
SYNOPSIS
freshclam [options]
PARAMETERS
-h, --help
Show help message and exit.
-V, --version
Print version number and exit.
-v, --verbose
Be verbose while updating.
-d, --daemon
Run freshclam as a daemon. It will check for updates periodically.
-c N, --checks=N
In daemon mode, check for N updates (default: 12). After N checks, daemon exits.
-l FILE, --log=FILE
Log to specified FILE.
-L, --syslog
Log to syslog.
-u USER, --user=USER
Run as specified user. Required when started as root.
--config-file=FILE
Read configuration from FILE (default: freshclam.conf).
--no-warnings
Do not print warnings.
--foreground
Run in foreground when daemonizing (useful for systemd).
--datadir=DIR
Specify the database directory where definitions are stored.
--quiet
Do not output any messages except errors (overrides -v).
DESCRIPTION
freshclam is the command-line utility for updating the ClamAV virus signature database. It connects to the official ClamAV mirror network to download the latest virus definition files, including main.cvd, daily.cvd, and bytecode.cvd.
Keeping the virus database up to date is crucial for ClamAV's effectiveness in detecting new and emerging malware threats. freshclam can be run manually, scheduled via a cron job, or run in daemon mode for continuous monitoring and updating. It reads its configuration from freshclam.conf, which lets users specify parameters such as proxy settings, update frequency, and database location.
CAVEATS
freshclam requires internet access to download updates. Firewall rules might need adjustment. It also needs write permissions to the database directory (typically /var/lib/clamav or /usr/local/share/clamav) to save the new definition files. Running it with insufficient permissions will cause updates to fail silently or with errors. Frequent updates can consume bandwidth, so consider your network capacity and scheduling when configuring daemon mode or cron jobs.
CONFIGURATION FILE
The primary configuration for freshclam is handled via freshclam.conf (often located in /etc/clamav/). This file allows specifying critical settings like proxy server details, desired update frequency, location of the virus database directory, and preferred mirror servers. Users should consult this file to tailor freshclam behavior to their specific environment.
RUNNING AS A DAEMON
When run with the --daemon option, freshclam operates in the background, periodically checking for and downloading updates. This is particularly useful for systems where ClamAV is actively used, such as email servers running clamd, ensuring that scanning always uses the latest definitions without manual intervention or separate scheduling.
PERMISSIONS
It is critical that freshclam has appropriate write permissions to its database directory. Often, freshclam is configured to run as a dedicated, unprivileged user (e.g., clamav or _clamav) for security reasons. This user must own or have write access to the directory where the .cvd files are stored to successfully download and update the virus definitions.
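Added example (not part of the original page and not ClamAV code): a shell health check for the failure modes described in CAVEATS and PERMISSIONS. It reports a database directory the current user cannot write to, a missing main, daily or bytecode database, and a daily database older than a threshold. The function names, the two arguments and the output wording are assumptions made here; besides .cvd it accepts the .cld files freshclam writes after incremental updates.

```shell
#!/bin/sh
# Added example, not ClamAV code. Run it as the account freshclam runs as,
# e.g. from cron:  check_clamav_db /var/lib/clamav 2

# Print the path of NAME.cvd or NAME.cld in DIR, or return 1 if neither exists.
db_file() {
    for ext in cvd cld; do
        if [ -f "$1/$2.$ext" ]; then
            printf '%s\n' "$1/$2.$ext"
            return 0
        fi
    done
    return 1
}

# check_clamav_db DIR MAX_AGE_DAYS (hypothetical helper)
# Prints one line per finding; returns 0 when healthy, 1 otherwise.
check_clamav_db() {
    dir=$1; max_age=$2; rc=0
    if [ ! -d "$dir" ]; then
        echo "CRIT: $dir is not a directory"
        return 1
    fi
    # freshclam has to create and replace files in this directory.
    if [ ! -w "$dir" ] || [ ! -x "$dir" ]; then
        echo "CRIT: $dir is not writable by $(id -un)"
        rc=1
    fi
    for name in main daily bytecode; do
        if ! f=$(db_file "$dir" "$name"); then
            echo "CRIT: $name database missing in $dir"
            rc=1
            continue
        fi
        # main and bytecode change rarely, so only daily is checked for age.
        if [ "$name" = daily ] && [ -z "$(find "$f" -mtime "-$max_age")" ]; then
            echo "WARN: $f is older than $max_age day(s)"
            rc=1
        fi
    done
    if [ "$rc" -eq 0 ]; then echo "OK: $dir"; fi
    return "$rc"
}
```

A non-zero return with a WARN line on the daily database is the signal that updates have been failing quietly, for example after a permissions change on the directory.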
HISTORY
freshclam is an integral part of the ClamAV antivirus engine, which was originally developed by Tomasz Kojm in 2002. Since its inception, ClamAV has been a popular open-source solution for email gateway scanning and general-purpose malware detection. freshclam was designed from the beginning as the dedicated tool to ensure that the ClamAV scanning engine always operates with the most current threat intelligence, reflecting the rapidly evolving nature of malware. Its development has focused on robustness, efficient bandwidth usage, and flexible configuration to support a wide range of deployment scenarios.
SEE ALSO
clamscan(1), clamd(8), freshclam.conf(5), sigtool(1)