ClamAV: Difference between revisions
Latest revision as of 13:46, 22 May 2024
Clam Antivirus
Virus scanner for mail and files.
- Homepage: http://www.clamav.net/
- clamav-milter
- Phishing and Scam Signatures for ClamAV: http://www.sanesecurity.com/
- Unofficial sigs: https://github.com/extremeshok/clamav-unofficial-sigs
- https://wiki.archlinux.org/index.php/ClamAV
On Access Scanning
FAQ
Errors and messages
Excluded UID
Not an error: the on-access scanner skips file events coming from excluded users. With OnAccessExcludeRootUID set to yes in clamd.conf, anything touched by root (including clamd's and freshclam's own writes when they run as root) is logged as an excluded UID; OnAccessExcludeUname lists further users to skip. If root's activity really must be scanned, set OnAccessExcludeRootUID to no, but then exclude the scanner's own paths some other way or it will trigger on itself.
A handy script for adding more goodies
 #!/usr/local/bin/bash
 #extra signatures to catch spam and phishing
 #or look at http://www.sanesecurity.com/
 LOCATION=/var/db/clamav
 GUNZIP=/usr/bin/gunzip
 WGET=/usr/local/bin/wget
 #and now the script itself
 cd "$LOCATION" || exit 1
 $WGET --timestamping http://ftp.tiscali.nl/sanesecurity/phish.ndb.gz && ${GUNZIP} -f phish.ndb.gz
 $WGET --timestamping http://ftp.tiscali.nl/sanesecurity/scam.ndb.gz && ${GUNZIP} -f scam.ndb.gz
 $WGET --timestamping http://download.mirror.msrbl.com/MSRBL-SPAM.ndb
 $WGET --timestamping http://download.mirror.msrbl.com/MSRBL-Images.hdb
 $WGET -O - 'http://www.malware.com.br/cgi/submit?action=list_clamav' > mbl.db
 /usr/sbin/chown clamav:clamav *
 #SIGUSR2 makes clamd reload its databases; SIGHUP only reopens the log file
 killall -USR2 clamd
Two things to know before copying this. Every feed is fetched over plain HTTP with no integrity check and written straight into the live database directory, so a truncated or tampered file is what clamd loads next; third-party feeds are also where the false positives further down this page come from. The URLs date from when this was written; clamav-unofficial-sigs (linked above) keeps a current list and does the staging and validation for you.
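The same job as the script above, done with the checks a practitioner would want: TLS only, download to a staging directory, ask libclamav to load each file before it goes live, install atomically with the right owner and mode, then tell clamd to reload. This is an added example, not code from the page or from the clamav-unofficial-sigs project. DBDIR, DBUSER and the SIG_URLS feed list are assumptions (the URLs are placeholders); curl, clamscan and clamdscan are expected on PATH when it runs for real.

```shell
#!/bin/sh
# Added example (not from the page, not clamav-unofficial-sigs).
# Assumptions: DBDIR is clamd's DatabaseDirectory, DBUSER the user clamd
# runs as, SIG_URLS your own feed list (placeholders below).
set -u

DBDIR="${DBDIR:-/var/lib/clamav}"       # Debian/Ubuntu; /var/db/clamav on FreeBSD
DBUSER="${DBUSER:-clamav}"
# Constructed placeholder feed list; replace with the feeds you subscribe to.
SIG_URLS="https://example.invalid/sigs/phish.ndb
https://example.invalid/sigs/scam.ndb"

# Accept only plain database file names clamd loads from DatabaseDirectory:
# no path separators or odd characters, no dotfiles, a known extension.
sig_name_ok() {                          # sig_name_ok NAME
    case "$1" in
        *[!A-Za-z0-9._-]*|.*) return 1 ;;
        *.ndb|*.hdb|*.hsb|*.ldb|*.db|*.fp|*.sfp|*.ign2|*.cvd|*.cld) return 0 ;;
        *) return 1 ;;
    esac
}

# Fetch one feed into the staging dir. Cleartext URLs are refused: an
# on-path attacker who can rewrite a feed can make clamd flag anything.
fetch_sig() {                            # fetch_sig URL STAGEDIR
    url=$1; stage=$2; name=${url##*/}
    case "$url" in
        https://*) ;;
        *) echo "refusing non-TLS URL: $url" >&2; return 1 ;;
    esac
    sig_name_ok "$name" || { echo "bad signature file name: $name" >&2; return 1; }
    curl -fsSL --max-time 120 -o "$stage/$name" "$url"
}

# Load test: clamscan with only this file as database, against an empty
# target. A truncated or malformed database fails to load and clamscan
# exits non-zero, so clamd never sees it.
validate_sig() {                         # validate_sig FILE
    empty=$(mktemp) || return 1
    clamscan --quiet --database="$1" "$empty" >/dev/null 2>&1
    rc=$?
    rm -f "$empty"
    return $rc
}

# Install atomically: temp file in the target dir, mode 0644, optional
# chown (needs root), then rename over the old copy so clamd never reads
# a half-written file.
install_sig() {                          # install_sig FILE DBDIR [OWNER]
    src=$1; dir=$2; owner=${3:-}; name=$(basename "$src")
    tmp=$(mktemp "$dir/.$name.XXXXXX") || return 1
    if ! cp "$src" "$tmp" || ! chmod 0644 "$tmp"; then rm -f "$tmp"; return 1; fi
    if [ -n "$owner" ] && ! chown "$owner" "$tmp"; then rm -f "$tmp"; return 1; fi
    mv -f "$tmp" "$dir/$name"
}

# RELOAD over clamd's socket (same effect as SIGUSR2; SIGHUP only reopens the log).
reload_clamd() { clamdscan --reload; }

main() {
    stage=$(mktemp -d) || return 1
    changed=0
    for url in $SIG_URLS; do
        fetch_sig "$url" "$stage" || continue
        f="$stage/${url##*/}"
        if validate_sig "$f"; then
            install_sig "$f" "$DBDIR" "$DBUSER:$DBUSER" && changed=1
        else
            echo "rejected $f: libclamav will not load it" >&2
        fi
    done
    rm -rf "$stage"
    if [ "$changed" = 1 ]; then reload_clamd; fi
}
main "$@"
```

Run it from cron as root (the chown needs it) with the feed list filled in; a feed that fails to download or to load is skipped and logged, and clamd is only asked to reload when something actually changed.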
FAQ
clamdscan
Can't open file or directory ERROR
clamdscan only passes the path; clamd, running as the clamav user, opens the file itself. So the usual cause is plain permissions: the clamav user cannot read the file or traverse the directory. Fix the permissions, or use clamdscan --fdpass, which opens the file on the clamdscan side and hands clamd the descriptor. On Debian/Ubuntu it can also be AppArmor confining clamd; look for apparmor="DENIED" lines in the kernel log, then
 apt-get install apparmor-utils
 aa-complain /usr/sbin/clamd
This puts the profile in complain mode: violations are logged instead of denied, which confirms the diagnosis but is not the fix. Add the paths clamd needs to /etc/apparmor.d/local/usr.sbin.clamd, reload the profile with apparmor_parser -r /etc/apparmor.d/usr.sbin.clamd, and put it back with aa-enforce.
ERROR: Can't send to clamd: Broken pipe
clamdscan connected, but clamd closed the connection before the command went through. First check that clamdscan and clamd agree on the socket (clamdscan reads the same clamd.conf to find it):
 grep -r LocalSocket /etc/clam*
then check that the socket file exists and that clamd is actually up and has finished loading its databases (clamd's log); a clamd that is still starting, or that died on the request (see the memory errors below), gives the same message.
Amavis not finding socket clamd.ctl
Means clamd is still starting: it creates its socket (clamd.ctl on Debian) only after the databases have finished loading, and after a reboot or a power failure amavis may come up and look for the socket before that is done. Wait for clamd's log to show the databases loaded, or start amavis after clamd.
INetMsg.SpamDomain-xxx
That's a third-party signature (the INetMsg set distributed by Sanesecurity, http://www.sanesecurity.com/), not part of the official ClamAV databases, so it only appears if you installed the extra feeds above, and a false positive goes to them rather than to ClamAV.
Milter (clmilter): local socket name /var/run/clamav/clmilter.sock unsafe
The message comes from libmilter, not from ClamAV: before binding a local socket it checks that the path is safe and refuses if the socket file or its directory is owned by another user or writable by group or others. Fix ownership and mode of /var/run/clamav (owned by the user clamav-milter runs as, not group- or world-writable) and remove a stale socket left by an unclean shutdown. clamd being down is a separate problem and is not what this check reports.
LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
A bytecode signature ran past the bytecode timeout (default 5000 ms). Try --bytecode-timeout=120000 for clamscan (the value is milliseconds), or BytecodeTimeout in clamd.conf for clamd. It is a warning, not a failed scan: the file is still checked against the other signature types.
LibClamAV Warning: Bytecode run timed out in interpreter after 5000 opcodes
Same limit, hit in the interpreter instead of the JIT; same knob, --bytecode-timeout=N (milliseconds) or BytecodeTimeout.
Ignoring mirror x.x.x.x (due to previous errors)
try removing mirrors.dat and daily.cvd. Older freshclam kept a per-mirror failure count in mirrors.dat in the database directory and stopped using a mirror after too many failures; deleting it resets that, and deleting daily.cvd forces a full download instead of cdiff patching. Current freshclam fetches from the single database.clamav.net CDN rather than a mirror list, so on a supported version this message points at DatabaseMirror entries in freshclam.conf that still name the retired db.XX.clamav.net hosts.
LibClamAV Error: CRITICAL: fmap() failed
fmap is libclamav's file map: the file (or a part extracted from an archive) could not be mapped or buffered in memory. Expect it on very large files or when clamd has hit a memory or address-space limit. Check MaxFileSize and MaxScanSize (files above them are skipped cleanly rather than failing), ulimit -v for the clamd user, and free memory on the host.
Can't allocate memory ERROR
Same family: malloc failed. Usually a huge file, or an archive that unpacks to something huge. Cap it with MaxFileSize, MaxScanSize and MaxFiles rather than letting clamd run the box out of memory, and check whether the service unit or ulimit restricts clamd's address space.
Exclude dir
 clamscan --exclude-dir='/foo/b.*r'
wildcards? No. clamscan's --exclude and --exclude-dir, and ExcludePath in clamd.conf (/etc/clamd.d/scan.conf on Fedora/RHEL), take a POSIX extended regular expression, not a shell glob, and it is searched anywhere in the full path unless you anchor it. So
 ExcludePath /foo/*/bar
does not mean "one directory between foo and bar": /* is zero or more slashes, so it matches /foo/bar and not /foo/x/bar. The regex form is
 ExcludePath ^/foo/[^/]*/bar(/|$)
with .* instead of [^/]* if any depth is fine. Anchor it with ^, or the pattern also fires on /mnt/foo/x/bar. The directory entry itself is matched without a trailing slash, so the often-suggested ^/foo/.*/bar/ only matches the files below bar, not the directory, which still gets descended into.
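To make the matching rule concrete, an added example (not from the page) that runs the candidate patterns above over a few constructed paths. It assumes ClamAV compiles these patterns as POSIX extended regexes and searches the full path of each entry, directories without a trailing slash; grep -E stands in for libclamav's regex matcher.

```shell
#!/bin/sh
# Added example, not from the page. grep -E stands in for ClamAV's matcher
# (assumption: POSIX ERE, unanchored search over the full path).

# Constructed sample paths, one per line, as clamscan would build them.
SAMPLE_PATHS='/foo/bar
/foo/x/bar
/foo/x/bar/file.txt
/foo/x/y/bar
/mnt/foo/x/bar
/foo/xbar'

# Would this one path be excluded by the pattern?
path_excluded() {                        # path_excluded PATH REGEX
    printf '%s\n' "$1" | grep -Eq -- "$2"
}

# Every sample path the pattern excludes, space separated.
excluded_paths() {                       # excluded_paths REGEX
    printf '%s\n' "$SAMPLE_PATHS" | grep -E -- "$1" | tr '\n' ' ' | sed 's/ $//'
}

# The glob-looking pattern: "/*" is zero or more slashes, so only /foo/bar.
excluded_paths '/foo/*/bar'
# Exactly one directory between foo and bar, anchored: /foo/x/bar and its file.
excluded_paths '^/foo/[^/]*/bar(/|$)'
# Same but unanchored: now /mnt/foo/x/bar is excluded too.
excluded_paths '/foo/[^/]*/bar(/|$)'
# Any depth: adds /foo/x/y/bar.
excluded_paths '^/foo/.*/bar(/|$)'
# Trailing slash: the directory entry /foo/x/bar is not excluded, only its contents.
excluded_paths '^/foo/.*/bar/'
```

Each call prints one line; the comment above it says what to expect. The last two lines are the ones that matter in practice: (/|$) excludes the directory and everything under it, a trailing slash does not.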
WARNING: Directory recursion limit reached
Change MaxDirectoryRecursion in clamd.conf (default 15); for clamscan the same limit is --max-dir-recursion=N. Anything below the limit is not scanned at all, so this warning means part of the tree was skipped.
Whitelisting file
 sigtool --sha1 somefile >> /var/lib/clamav/whitelist.sfp
sigtool --sha1 prints the line in the format a false-positive database expects, hash:size:name. .sfp files take SHA1 (or SHA256) entries, .fp files take MD5 entries from sigtool --md5, and clamd loads any .fp/.sfp file in its DatabaseDirectory (/var/lib/clamav on Debian). Only the hash and size are compared, so this whitelists exactly that file and nothing else, which is narrower than an ExcludePath. Then reload clamd (clamdscan --reload, or wait for SelfCheck to notice the changed directory) if clamd does the scanning; clamscan picks the file up on its next run.
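An added example (not from the page) that builds the same hash:size:name line sigtool --sha1 prints, checks that it is well-formed, and appends it to the .sfp file only if that hash is not already there, so a cron job or a playbook can call it repeatedly without growing the whitelist. WHITELIST defaulting to /var/lib/clamav/whitelist.sfp is an assumption, as is having sha1sum available where sigtool is not installed.

```shell
#!/bin/sh
# Added example, not from the page. Assumptions: WHITELIST lives in clamd's
# DatabaseDirectory; sha1sum is available (sigtool --sha1 prints the same line).
WHITELIST="${WHITELIST:-/var/lib/clamav/whitelist.sfp}"

# Entry format for .sfp (SHA1/SHA256) and .fp (MD5) false-positive files:
# hash:size:name. ClamAV compares hash and size; the name is only a label.
sfp_entry() {                            # sfp_entry FILE
    hash=$(sha1sum -- "$1" | cut -d' ' -f1) || return 1
    size=$(wc -c < "$1" | tr -d ' ')
    printf '%s:%s:%s\n' "$hash" "$size" "$(basename "$1")"
}

# A line libclamav will accept: 40 hex (SHA1) or 64 hex (SHA256) characters,
# a decimal size, and a name with no colon in it.
sfp_entry_valid() {                      # sfp_entry_valid LINE
    printf '%s\n' "$1" | grep -Eq '^([0-9a-f]{40}|[0-9a-f]{64}):[0-9]+:[^:]+$'
}

# Append only if the hash:size pair is not already present. Returns 0 when
# the file is whitelisted (already or newly), 1 if no valid entry could be built.
whitelist_add() {                        # whitelist_add FILE [WHITELIST]
    wl=${2:-$WHITELIST}
    entry=$(sfp_entry "$1") || return 1
    sfp_entry_valid "$entry" || return 1
    key=${entry%:*}                      # hash:size
    if [ -f "$wl" ] && grep -q -- "^$key:" "$wl"; then
        return 0
    fi
    printf '%s\n' "$entry" >> "$wl"
}
# Afterwards: clamdscan --reload (or wait for SelfCheck) so clamd loads the new entry.
```

Call it as `whitelist_add /path/to/false-positive` and reload clamd once at the end, not after every file.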
Freshclam
Freshclam: ERROR: getpatch: Can't download daily-26337.cdiff from db.nl.clamav.net
Probably an outdated freshclam. db.XX.clamav.net were the old per-country mirrors, retired when database distribution moved to the database.clamav.net CDN, so a freshclam still asking them for cdiffs is either too old or has a stale DatabaseMirror in freshclam.conf. Upgrade, or at least set DatabaseMirror to database.clamav.net; a cdiff that genuinely cannot be fetched is recovered from by downloading the full daily.cvd.
ERROR: downloadFile: Unexpected response (403) from https://database.clamav.net/daily.cvd
If you are receiving 403, 503 or 1020 error codes when downloading from Cloudflare, then you are either explicitly blocked, using an EOL'ed version of ClamAV (https://docs.clamav.net/faq/faq-eol.html) or you are downloading incorrectly. Check the installed version with freshclam --version first. If it is current, the block is usually rate-limiting of your source IP: freshclam run far more often than the Checks setting intends, or many hosts updating from behind one NAT. Run freshclam on one host and point the others at it with PrivateMirror in freshclam.conf.