ClamAV: Difference between revisions

From DWIKI
mNo edit summary
 
(18 intermediate revisions by the same user not shown)
Line 1: Line 1:
=Clam Antivirus=
 
= Clam Antivirus =


Virus scanner for mail and files.
Virus scanner for mail and files.


*[http://www.clamav.net/ Homepage]
*[http://www.clamav.net/ Homepage]  
*[[clamav-milter]]
*[[Clamav-milter|clamav-milter]]  
*[http://www.sanesecurity.com/ Phishing and Scam Signatures for ClamAV ]
*[http://www.sanesecurity.com/ Phishing and Scam Signatures for ClamAV]  
*[https://github.com/extremeshok/clamav-unofficial-sigs Unofficial sigs]
*[https://github.com/extremeshok/clamav-unofficial-sigs Unofficial sigs]  
*https://wiki.archlinux.org/index.php/ClamAV
 
 
=On Access Scanning=
==FAQ==
==Errors and messages==
===Excluded UID===
Because it's root?
 


==A handy script for adding more goodies==


== A handy script for adding more goodies ==


  #!/usr/local/bin/bash
  #!/usr/local/bin/bash
  #extra signatures to catch spam and phishing
  #extra signatures to catch spam and phishing
  #or look at http://www.sanesecurity.com/
  #or look at [http://www.sanesecurity.com/ http://www.sanesecurity.com/]
  LOCATION=/var/db/clamav
  LOCATION=/var/db/clamav
  GUNZIP=/usr/bin/gunzip
  GUNZIP=/usr/bin/gunzip
Line 19: Line 29:
  #and now the script itself
  #and now the script itself
  cd $LOCATION || exit -1
  cd $LOCATION || exit -1
  $WGET --timestamping http://ftp.tiscali.nl/sanesecurity/phish.ndb.gz && ${GUNZIP} -f phish.ndb.gz
  $WGET --timestamping [http://ftp.tiscali.nl/sanesecurity/phish.ndb.gz http://ftp.tiscali.nl/sanesecurity/phish.ndb.gz] && ${GUNZIP} -f phish.ndb.gz
  $WGET --timestamping http://ftp.tiscali.nl/sanesecurity/scam.ndb.gz && ${GUNZIP} -f scam.ndb.gz
  $WGET --timestamping [http://ftp.tiscali.nl/sanesecurity/scam.ndb.gz http://ftp.tiscali.nl/sanesecurity/scam.ndb.gz] && ${GUNZIP} -f scam.ndb.gz
  $WGET --timestamping http://download.mirror.msrbl.com/MSRBL-SPAM.ndb
  $WGET --timestamping [http://download.mirror.msrbl.com/MSRBL-SPAM.ndb http://download.mirror.msrbl.com/MSRBL-SPAM.ndb]
  $WGET --timestamping  http://download.mirror.msrbl.com/MSRBL-Images.hdb
  $WGET --timestamping  [http://download.mirror.msrbl.com/MSRBL-Images.hdb http://download.mirror.msrbl.com/MSRBL-Images.hdb]
  $WGET -O - http://www.malware.com.br/cgi/submit?action=list_clamav > mbl.db
  $WGET -O - [http://www.malware.com.br/cgi/submit?action=list_clamav http://www.malware.com.br/cgi/submit?action=list_clamav] > mbl.db
  /usr/sbin/chown clamav:clamav *
  /usr/sbin/chown clamav:clamav *
  killall -HUP clamd
  killall -HUP clamd


==FAQ==
 
===Amavis not finding socket clamd.ctl===
 
 
= FAQ =
==clamdscan==
===Can't open file or directory ERROR===
Could be apparmor, then
apt-get install apparmor-utils
aa-complain /usr/sbin/clamd
This would make it complain instead of deny
 
==ERROR: Can't send to clamd: Broken pipe==
 
grep -r LocalSocket /etc/clam*
 
 
 
== Amavis not finding socket clamd.ctl ==
 
Means clamd is busy handling the queue after a powre failure or such, the socket won't be created before it's done.
Means clamd is busy handling the queue after a powre failure or such, the socket won't be created before it's done.


 
== INetMsg.SpamDomain-xxx ==


===INetMsg.SpamDomain-xxx===
That's from sanesecurity.net
That's from sanesecurity.net


===Milter (clmilter): local socket name /var/run/clamav/clmilter.sock unsafe===
=== Milter (clmilter): local socket name /var/run/clamav/clmilter.sock unsafe ===
 
Usually means something like clamd not running.
Usually means something like clamd not running.
 
== LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set ==
Try --bytecode-timeout=120000
== LibClamAV Warning: Bytecode run timed out in interpreter after 5000 opcodes ==
--bytecode-timeout=N
 
== Ignoring mirror x.x.x.x (due to previous errors) ==
try removing mirrors.dat and daily.cvd
 
== LibClamAV Error: CRITICAL: fmap() failed ==
haha yeah, good luck
 
== Can't allocate memory ERROR ==
Some file too big?
 
== Exclude dir ==
clamscan --exclude-dir='/foo/b.*r'
 
wildcards?
scan.conf: ExcludePath /foo/*/bar ?
REGEX suggests using ^/foo/.*/bar/
== WARNING: Directory recursion limit reached ==
Change '''MaxDirectoryRecursion''' in clamd configuration, default is 15
==Whitelisting file==
sigtool --sha1 somefile >> /var/lib/clamav/whitelist.sfp
and restart clamd if that's used
==Freshclam==
=== Freshclam: ERROR: getpatch: Can't download daily-26337.cdiff from db.nl.clamav.net ===
Probably an outdated freshclam
     
=== ERROR: downloadFile: Unexpected response (403) from [https://database.clamav.net/daily.cvd https://database.clamav.net/daily.cvd] ===
If you are receiving a 403, 503, or 1020 error codes when downloading from Cloudflare, then you are either explicitly blocked, using an [https://docs.clamav.net/faq/faq-eol.html EOL'ed version of ClamAV] or you are downloading incorrectly.




===LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set===
[[Category:Security]]
Try  --bytecode-timeout=120000

Latest revision as of 13:46, 22 May 2024

Clam Antivirus

Virus scanner for mail and files.


On Access Scanning

FAQ

Errors and messages

Excluded UID

Because it's root?


A handy script for adding more goodies

#!/usr/local/bin/bash
#extra signatures to catch spam and phishing
#or look at http://www.sanesecurity.com/
LOCATION=/var/db/clamav
GUNZIP=/usr/bin/gunzip
WGET=/usr/local/bin/wget
#and now the script itself
cd $LOCATION || exit -1
$WGET --timestamping http://ftp.tiscali.nl/sanesecurity/phish.ndb.gz && ${GUNZIP} -f phish.ndb.gz
$WGET --timestamping http://ftp.tiscali.nl/sanesecurity/scam.ndb.gz && ${GUNZIP} -f scam.ndb.gz
$WGET --timestamping http://download.mirror.msrbl.com/MSRBL-SPAM.ndb
$WGET --timestamping  http://download.mirror.msrbl.com/MSRBL-Images.hdb
$WGET -O - http://www.malware.com.br/cgi/submit?action=list_clamav > mbl.db
/usr/sbin/chown clamav:clamav *
killall -HUP clamd



FAQ

clamdscan

Can't open file or directory ERROR

Could be apparmor, then

apt-get install apparmor-utils
aa-complain /usr/sbin/clamd

This would make it complain instead of deny

ERROR: Can't send to clamd: Broken pipe

grep -r LocalSocket /etc/clam*

 

Amavis not finding socket clamd.ctl

Means clamd is busy handling the queue after a powre failure or such, the socket won't be created before it's done.

 

INetMsg.SpamDomain-xxx

That's from sanesecurity.net

Milter (clmilter): local socket name /var/run/clamav/clmilter.sock unsafe

Usually means something like clamd not running.

 

LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set

Try --bytecode-timeout=120000

LibClamAV Warning: Bytecode run timed out in interpreter after 5000 opcodes

--bytecode-timeout=N

 

Ignoring mirror x.x.x.x (due to previous errors)

try removing mirrors.dat and daily.cvd

 

LibClamAV Error: CRITICAL: fmap() failed

haha yeah, good luck

 

Can't allocate memory ERROR

Some file too big?

 

Exclude dir

clamscan --exclude-dir='/foo/b.*r'

 

wildcards?

scan.conf: ExcludePath /foo/*/bar ? REGEX suggests using ^/foo/.*/bar/

WARNING: Directory recursion limit reached

Change MaxDirectoryRecursion in clamd configuration, default is 15

Whitelisting file

sigtool --sha1 somefile >> /var/lib/clamav/whitelist.sfp

and restart clamd if that's used

Freshclam

Freshclam: ERROR: getpatch: Can't download daily-26337.cdiff from db.nl.clamav.net

Probably an outdated freshclam


ERROR: downloadFile: Unexpected response (403) from https://database.clamav.net/daily.cvd

If you are receiving a 403, 503, or 1020 error codes when downloading from Cloudflare, then you are either explicitly blocked, using an EOL'ed version of ClamAV or you are downloading incorrectly.