diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index 0216ea9d9bd5..d6f08cbe5bce 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -345,6 +345,7 @@ in
 cinnamon = runTest ./cinnamon.nix;
 cinnamon-wayland = runTest ./cinnamon-wayland.nix;
 cjdns = runTest ./cjdns.nix;
+ clamav = runTest ./clamav.nix;
 clatd = runTest ./clatd.nix;
 clickhouse = import ./clickhouse {
 inherit runTest;
diff --git a/nixos/tests/clamav.nix b/nixos/tests/clamav.nix
new file mode 100644
index 000000000000..b84a195747e7
--- /dev/null
+++ b/nixos/tests/clamav.nix
@@ -0,0 +1,45 @@
+# Test ClamAV.
+
+{ lib, pkgs, ... }:
+{
+ name = "clamav";
+ nodes = {
+ machine = {
+ services.clamav = {
+ daemon.enable = true;
+ clamonacc.enable = true;
+
+ daemon.settings = {
+ OnAccessPrevention = true;
+ OnAccessIncludePath = "/opt";
+ };
+ };
+
+ # Add the definition for our test file.
+ # We cannot download definitions from Internet using freshclam in sandboxed test.
+ systemd.tmpfiles.settings."10-eicar"."/var/lib/clamav/test.hdb".L.argument = "${pkgs.runCommand
+ "test.hdb"
+ { }
+ ''
+ echo CLAMAVTEST > testfile
+ ${lib.getExe' pkgs.clamav "sigtool"} --sha256 testfile > $out
+ ''
+ }";
+
+ # Test using /opt as the ClamAV on-access scanner-protected directory.
+ systemd.tmpfiles.settings."10-testdir"."/opt".d = { };
+ };
+ };
+
+ testScript = ''
+ start_all()
+
+ machine.wait_for_unit("default.target")
+
+ # Write test file into the test directory.
+ # This won't trigger ClamAV as it scans on file open.
+ machine.succeed("echo CLAMAVTEST > /opt/testfile")
+
+ machine.fail("cat /opt/testfile")
+ '';
+}
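Review bot: The final assertion `machine.fail("cat /opt/testfile")` in testScript of nixos/tests/clamav.nix passes on any read failure, so on its own it does not show that the denial came from on-access prevention matching the test.hdb signature rather than from a broken /opt or a scanner that blocks everything. A control read of a non-matching file in the same directory would pin that down, e.g. `machine.succeed("echo harmless > /opt/cleanfile && cat /opt/cleanfile")`. The script also waits only for `default.target`; if reaching that target does not guarantee that clamd has loaded its database and clamonacc has registered its watch on /opt, the read can race the scanner, so waiting on the module's ClamAV daemon and clamonacc units before the write would make the result deterministic. A short comment above the `fail` line stating that the expected error is the scanner's access denial would also help the next reader.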