ClamAV: Difference between revisions
From DWIKI
mNo edit summary |
mNo edit summary |
||
| (8 intermediate revisions by the same user not shown) | |||
| Line 9: | Line 9: | ||
*[https://github.com/extremeshok/clamav-unofficial-sigs Unofficial sigs] | *[https://github.com/extremeshok/clamav-unofficial-sigs Unofficial sigs] | ||
*https://wiki.archlinux.org/index.php/ClamAV | *https://wiki.archlinux.org/index.php/ClamAV | ||
=On Access Scanning= | |||
==FAQ== | |||
==Errors and messages== | |||
===Excluded UID=== | |||
Because it's root? | |||
== A handy script for adding more goodies == | == A handy script for adding more goodies == | ||
| Line 32: | Line 41: | ||
= FAQ = | = FAQ = | ||
==clamdscan== | |||
===Can't open file or directory ERROR=== | |||
Could be apparmor, then | |||
apt-get install apparmor-utils | |||
aa-complain /usr/sbin/clamd | |||
This would make it complain instead of deny | |||
== ERROR: Can't send to clamd: Broken pipe == | ==ERROR: Can't send to clamd: Broken pipe== | ||
grep -r LocalSocket /etc/clam* | grep -r LocalSocket /etc/clam* | ||
| Line 92: | Line 107: | ||
scan.conf: ExcludePath /foo/*/bar ? | scan.conf: ExcludePath /foo/*/bar ? | ||
REGEX suggests using ^/foo/.*/bar/ | |||
== WARNING: Directory recursion limit reached == | |||
Change '''MaxDirectoryRecursion''' in clamd configuration, default is 15 | |||
==Whitelisting file== | |||
sigtool --sha1 somefile >> /var/lib/clamav/whitelist.sfp | |||
and restart clamd if that's used | |||
==Freshclam== | ==Freshclam== | ||
| Line 100: | Line 123: | ||
===ERROR: downloadFile: Unexpected response (403) from https://database.clamav.net/daily.cvd=== | |||
Cloudflare | === ERROR: downloadFile: Unexpected response (403) from [https://database.clamav.net/daily.cvd https://database.clamav.net/daily.cvd] === | ||
If you are receiving a 403, 503, or 1020 error codes when downloading from Cloudflare, then you are either explicitly blocked, using an [https://docs.clamav.net/faq/faq-eol.html EOL'ed version of ClamAV] or you are downloading incorrectly. | |||
[[Category:Security]] | |||
Latest revision as of 13:46, 22 May 2024
Clam Antivirus
Virus scanner for mail and files.
- Homepage
- clamav-milter
- Phishing and Scam Signatures for ClamAV
- Unofficial sigs
- https://wiki.archlinux.org/index.php/ClamAV
On Access Scanning
FAQ
Errors and messages
Excluded UID
Because it's root?
A handy script for adding more goodies
#!/usr/local/bin/bash #extra signatures to catch spam and phishing #or look at http://www.sanesecurity.com/ LOCATION=/var/db/clamav GUNZIP=/usr/bin/gunzip WGET=/usr/local/bin/wget #and now the script itself cd $LOCATION || exit -1 $WGET --timestamping http://ftp.tiscali.nl/sanesecurity/phish.ndb.gz && ${GUNZIP} -f phish.ndb.gz $WGET --timestamping http://ftp.tiscali.nl/sanesecurity/scam.ndb.gz && ${GUNZIP} -f scam.ndb.gz $WGET --timestamping http://download.mirror.msrbl.com/MSRBL-SPAM.ndb $WGET --timestamping http://download.mirror.msrbl.com/MSRBL-Images.hdb $WGET -O - http://www.malware.com.br/cgi/submit?action=list_clamav > mbl.db /usr/sbin/chown clamav:clamav * killall -HUP clamd
FAQ
clamdscan
Can't open file or directory ERROR
Could be apparmor, then
apt-get install apparmor-utils aa-complain /usr/sbin/clamd
This would make it complain instead of deny
ERROR: Can't send to clamd: Broken pipe
grep -r LocalSocket /etc/clam*
Amavis not finding socket clamd.ctl
Means clamd is busy handling the queue after a powre failure or such, the socket won't be created before it's done.
INetMsg.SpamDomain-xxx
That's from sanesecurity.net
Milter (clmilter): local socket name /var/run/clamav/clmilter.sock unsafe
Usually means something like clamd not running.
LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
Try --bytecode-timeout=120000
LibClamAV Warning: Bytecode run timed out in interpreter after 5000 opcodes
--bytecode-timeout=N
Ignoring mirror x.x.x.x (due to previous errors)
try removing mirrors.dat and daily.cvd
LibClamAV Error: CRITICAL: fmap() failed
haha yeah, good luck
Can't allocate memory ERROR
Some file too big?
Exclude dir
clamscan --exclude-dir='/foo/b.*r'
wildcards?
scan.conf: ExcludePath /foo/*/bar ? REGEX suggests using ^/foo/.*/bar/
WARNING: Directory recursion limit reached
Change MaxDirectoryRecursion in clamd configuration, default is 15
Whitelisting file
sigtool --sha1 somefile >> /var/lib/clamav/whitelist.sfp
and restart clamd if that's used
Freshclam
Freshclam: ERROR: getpatch: Can't download daily-26337.cdiff from db.nl.clamav.net
Probably an outdated freshclam
ERROR: downloadFile: Unexpected response (403) from https://database.clamav.net/daily.cvd
If you are receiving a 403, 503, or 1020 error codes when downloading from Cloudflare, then you are either explicitly blocked, using an EOL'ed version of ClamAV or you are downloading incorrectly.
