This is a detailed description of how to deploy ClamAV on Linux and set it up to work seamlessly with other security systems. The goal is to create a secure, resource-efficient environment with effective automatic malware scanning capabilities.
1. System Preparation and Resource Requirements
Before starting, you should evaluate your current RAM and CPU capacity. ClamAV needs at least 2GB of RAM to run comfortably, but with proper configuration, it can still run on 1GB of RAM. For servers with less than 2GB of RAM, you should restrict continuous full system scans and only scan important directories such as website folders, uploads, and email directories.
ModSecurity and CSF do not consume much RAM on their own, so adding ClamAV will not put much pressure on a server with 2 CPUs and 2GB of RAM or more. With stable resources, the three security systems run smoothly side by side.
2. Installing ClamAV from the Official Repository
On AlmaLinux, Rocky Linux, or CentOS Stream—the operating systems most commonly used for CyberPanel—ClamAV is available in the EPEL repository. You just need to enable EPEL and install it.
Open your terminal and execute:
Bash
dnf install epel-release -y
dnf install clamav clamav-update -y
After installation, you need to update the virus database so ClamAV can identify the latest malware samples:
Bash
freshclam
On some servers, freshclam runs as a daemon. If you see a message indicating it’s running in the background, you just need to restart it:
Bash
systemctl restart clamav-freshclam
Once the database is successfully updated, ClamAV is ready to operate.
3. Integrating ClamAV into Web Directories Managed by CyberPanel
For example, on CyberPanel, websites are stored at /home/USERNAME/public_html. To make sure ClamAV scans the right target, point it at the directory that holds the site's source code.
Example:
Bash
clamscan -r /home --bell -i
This command will scan all running sites in the system. However, if you own many large websites, scanning the entire /home directory can take a long time. In that case, you can divide the scan by individual websites:
Bash
clamscan -r /home/domain1.com/public_html
For optimal performance, you should schedule the scan to run nightly to avoid impacting the CPU during the day when the server is busy handling traffic.
4. Creating an Automatic Malware Scan Schedule using Cron
Cron helps ClamAV operate more efficiently by running during off-peak hours. For example, you can set it to scan at 2 AM—the time with the least user traffic.
Add a schedule:
Bash
crontab -e
Enter the content:
Bash
0 2 * * * clamscan -ri /home --log=/var/log/clamav/scan.log
Thanks to this, ClamAV will automatically scan and save the report, allowing you to check periodically without having to run it manually.
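The cron entry above can also call a small wrapper that scans each site's public_html separately at low CPU priority and reports clamscan's exit status per site. This is an added example, not part of the original article; the variable names SCANNER, SITES_ROOT and SCAN_LOG and the script path in the comment are assumptions.

```shell
#!/bin/sh
# Added example: per-site nightly scan wrapper for cron.
# Assumptions: sites live in /home/<domain>/public_html; SCANNER,
# SITES_ROOT and SCAN_LOG are names made up for this sketch.
SCANNER=${SCANNER:-clamscan}
SITES_ROOT=${SITES_ROOT:-/home}
SCAN_LOG=${SCAN_LOG:-/var/log/clamav/scan.log}

# clamscan exit status: 0 = no virus found, 1 = virus found, 2 = error.
classify_exit() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# Scan one docroot at the lowest CPU priority and print "<status> <path>".
scan_site() {
    nice -n 19 "$SCANNER" -ri --log="$SCAN_LOG" "$1" >/dev/null 2>&1
    status=$?
    echo "$(classify_exit "$status") $1"
}

# Scan every site under SITES_ROOT; return 1 if any site is not clean.
scan_all_sites() {
    rc=0
    for docroot in "$SITES_ROOT"/*/public_html; do
        [ -d "$docroot" ] || continue
        result=$(scan_site "$docroot")
        echo "$result"
        case "$result" in
            clean*) ;;
            *) rc=1 ;;
        esac
    done
    return $rc
}

# Run only when called with "run", e.g. from cron (hypothetical path):
#   0 2 * * * /usr/local/sbin/nightly-scan.sh run
if [ "${1:-}" = "run" ]; then
    scan_all_sites
fi
```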
5. Checking Compatibility with ModSecurity
ModSecurity operates completely independently of ClamAV. It analyzes the HTTP request before OpenLiteSpeed processes it. Meanwhile, ClamAV only reads files after the request is finished or when the user uploads a file. There is no overlap between these two components.
The only thing you need to avoid is letting ModSecurity block the upload of legitimate files that ClamAV needs to check. This can happen if the website uploads large zip files. In such a situation, you only need to adjust the ModSecurity rules appropriately, but this is unrelated to ClamAV.
In practice, across hundreds of CyberPanel systems deployed, ModSecurity and ClamAV have never caused direct conflicts.
6. Compatibility with CSF and Stable Firewall Configuration
CSF acts as the system firewall, monitoring ports and limiting connection speed. It does not monitor or interfere with internal file scanning activity. Therefore, ClamAV does not require opening any special ports and does not affect CSF’s packet filtering process.
On some servers, CSF might log high CPU activity when ClamAV is scanning. This is not a conflict but just a notification. If you want to limit warnings, you can change the warning level in CSF or reconfigure ClamAV’s scan cycle to a time when the CPU is less active.
Crucially, ClamAV does not cause IP blocking, does not open ports, and does not log connections, so it is completely separate from CSF. This combination further enhances the security level of CyberPanel.
7. Enabling Email Scanning if Using MailServer on CyberPanel
If you use the email system included with CyberPanel (Postfix + Dovecot), you can integrate ClamAV to scan incoming emails. This prevents malware from spreading through the internal email system.
First, install the ClamAV daemon, which EPEL packages as clamd, and enable the clamd@scan service:
Bash
dnf install clamd -y
systemctl enable --now clamd@scan
Then, configure Postfix to use ClamAV via the socket /var/run/clamd.scan/clamd.sock. This is an advanced configuration for large email systems, but for most regular web-running VPSs, this feature does not need to be enabled.
8. Handling Infected Files and Checking Logs
To avoid the risk of removing legitimate files, ClamAV does not delete anything automatically. When it detects malware, it records the file path in the scan log, which you can open with:
Bash
cat /var/log/clamav/scan.log
Once confirmed as malware, you can delete it:
Bash
rm -f /path/to/infected/file
If it is a website system file, you should restore it from a CyberPanel backup or re-upload a clean source code.
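To review detections before deleting anything, the log can be reduced to the infected paths and a per-site count. This is an added example, not part of the original article; it assumes clamscan's `<path>: <signature> FOUND` line format and the /home/<domain>/public_html layout, and the sample log and script name are constructed.

```shell
#!/bin/sh
# Added example: triage clamscan detections from the nightly log.
# Assumes clamscan's "<path>: <signature> FOUND" line format and the
# /home/<domain>/public_html layout used in this article.

# Constructed sample log (not real scan output) for trying the functions.
sample_log() {
    cat <<'EOF'
/home/domain1.com/public_html/wp-content/uploads/img.php: Php.Webshell.Constructed-1 FOUND
/home/domain1.com/public_html/wp-includes/class cache.php: Php.Malware.Constructed-2 FOUND
/home/domain2.com/public_html/tmp/eicar.com: Win.Test.EICAR_HDB-1 FOUND

----------- SCAN SUMMARY -----------
Infected files: 3
EOF
}

# Print "<path><TAB><signature>" per detection; reads the files given as
# arguments, or stdin when there are none. Paths may contain spaces.
list_detections() {
    awk '/ FOUND$/ {
        sig = $(NF - 1)
        path = substr($0, 1, length($0) - length(sig) - 8)  # strip ": <sig> FOUND"
        print path "\t" sig
    }' "$@"
}

# Print "<count> <domain>" per site, most detections first.
detections_per_site() {
    list_detections "$@" | awk -F'\t' '{
        split($1, p, "/")      # "", "home", "<domain>", ...
        n[p[3]]++
    } END { for (s in n) print n[s], s }' | sort -k1,1nr -k2,2
}

# Usage (hypothetical script name): ./scan-triage.sh /var/log/clamav/scan.log
if [ $# -gt 0 ]; then
    detections_per_site "$@"
    list_detections "$@"
fi
```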
9. Optimizing Resources When Using ClamAV on Small VPS
Many worry that ClamAV consumes too much RAM. This is true if you run continuous scans during peak hours or on a 1GB RAM VPS. However, you can limit the load by:
- Limiting the scan frequency to once per night.
- Only scanning web directories, not the entire server.
- Disabling the clamd daemon if not using email scanning.
After these adjustments, ClamAV runs quite lightly, making it suitable even for a 1GB RAM VPS.

