This macOS clamAV repo is now part of MacPorts. The details below this notice are deprecated.
To install:
sudo port install clamav-server
sudo port load clamav-server
A simple macOS clamAV configuration with scheduled volume scans and on-access scans of user Downloads and Desktop directories.
This configures clamAV for macOS with regular on-demand scans and on-access scanning of user Downloads and Desktop directories.
This uses MacPorts. It is also easy to use Homebrew.
To install and configure:
sudo port install clamav clamav-server fswatch pcre
sudo install -m 644 -b -B .orig ./clamd.conf /opt/local/etc
sudo install -m 644 -b -B .orig ./freshclam.conf /opt/local/etc
sudo install -m 644 ./org.macports.clamdscan.plist /Library/LaunchDaemons
sudo mkdir -p /opt/local/etc/LaunchDaemons/org.macports.ClamdScanOnAccess
sudo install -m 755 ./ClamdScanOnAccess.wrapper /opt/local/etc/LaunchDaemons/org.macports.ClamdScanOnAccess
sudo install -m 644 ./org.macports.ClamdScanOnAccess.plist /opt/local/etc/LaunchDaemons/org.macports.ClamdScanOnAccess
sudo install -m 644 ./org.macports.ClamdScanOnAccess.plist /Library/LaunchDaemons
sudo mkdir /opt/local/share/clamav
sudo chown -R clamav:clamav /opt/local/share/clamav
sudo mkdir /opt/Quarantine
sudo -u clamav freshclam
sudo launchctl load -w /Library/LaunchDaemons/org.macports.clamd.plist
sudo launchctl load -w /Library/LaunchDaemons/org.macports.freshclam.plist
sudo launchctl load -w /Library/LaunchDaemons/org.macports.clamdscan.plist
sudo launchctl load -w /Library/LaunchDaemons/org.macports.ClamdScanOnAccess.plist
To update the clamav engine and database:
sudo port selfupdate
sudo port -puN upgrade clamav clamav-server
sudo -u clamav freshclam
On-Demand scanning is controlled with the launchd daemon org.macports.clamdscan.plist.
On-Access scanning via fswatch is controlled with the MacPorts daemon script ClamdScanOnAccess.wrapper, itself invoked using the launchd daemon org.macports.ClamdScanOnAccess.plist. The Downloads and Desktop directories of all active users are watched by default.
macOS 10.14 Mojave includes new privacy protections under System Preferences>Security & Privacy>Privacy>Full Disk Access
("TCC"). Scanning files protected by TCC requires granting access to these binaries:
/opt/local/sbin/clamd
/opt/local/bin/clamdscan
/opt/local/bin/clamscan
and possibly /Applications/Utilities/Terminal.app for command line scan calls. Dragging and dropping these files from the Finder app into the pane System Preferences>Security & Privacy>Privacy>Full Disk Access will grant access.
Excluded files are set in clamd.conf, including macOS SIP protected directories. Change this to scan all directories. The default scanned directory is /, scanned every week early Sunday morning. To change this behavior, edit the bash command in org.macports.clamdscan.plist, then unload and load this plist. For example, change the shell array variable SCAN_TARGETS to scan these volumes (using XML compliant quoted special characters to quote spaces in directory or file names):
SCAN_TARGETS=(/ "/Volumes/Server HD")
Note that macOS sets the default volume name /Volumes/Macintosh HD as a symbolic link to /, and therefore this link name will not be scanned unless FollowDirectorySymlinks is set in clamd.conf, i.e., use / specifically to scan the boot system.
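The script below is an added example, not part of this repository: a POSIX sh preflight for the SCAN_TARGETS entries described above. It drops targets that are symbolic links (such as /Volumes/Macintosh HD) or that do not exist, and prints the assignment with XML-escaped quotes for org.macports.clamdscan.plist. The function names are hypothetical, and paths are assumed to contain no double quote, dollar sign, backtick or backslash.

```sh
#!/bin/sh
# Added example, not part of this repository: preflight for SCAN_TARGETS entries.
# Assumption: paths contain no double quote, dollar sign, backtick or backslash.

# Classify one scan target:
#   symlink  a symbolic link such as "/Volumes/Macintosh HD"; per the note
#            above it is not scanned unless FollowDirectorySymlinks is set
#   missing  nothing at that path (for example, the volume is not mounted)
#   ok       a real directory or file that is scanned as listed
classify_target() {
    if [ -L "$1" ]; then
        echo symlink
    elif [ -e "$1" ]; then
        echo ok
    else
        echo missing
    fi
}

# Escape the characters that are special in XML so the bash command can be
# pasted into a <string> element of the plist.
xml_escape() {
    printf '%s' "$1" |
        sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' -e 's/"/\&quot;/g'
}

# Print a plist-ready SCAN_TARGETS assignment that keeps only the usable
# targets; every dropped target is reported on stderr with the reason.
scan_targets_line() {
    line='SCAN_TARGETS=('
    sep=''
    for t in "$@"; do
        kind=$(classify_target "$t")
        case $kind in
            ok)      line="$line$sep\"$t\""; sep=' ' ;;
            symlink) echo "dropped $t: symbolic link to $(readlink "$t"), list the destination instead" >&2 ;;
            missing) echo "dropped $t: no such file or directory" >&2 ;;
        esac
    done
    line="$line)"
    printf '%s\n' "$(xml_escape "$line")"
}

# Usage: sh check_scan_targets.sh / "/Volumes/Server HD" "/Volumes/Macintosh HD"
if [ "$#" -gt 0 ]; then
    scan_targets_line "$@"
fi
```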