Talk:ClamAV

From ArchWiki

Should instructions for standalone (non-daemon) operation be added here or on its own page? --papabean 22:56, 11 October 2009 (EDT)


The new procedure of enabling and starting clamav with systemd goes something along the lines of:

  1. systemctl enable freshclamd
  2. systemctl start freshclamd
    • Once freshclam has finished downloading the database to /var/lib/clamav:
  3. systemctl enable clamd
  4. systemctl start clamd

I suspect there's a better way to do this so I haven't updated the article myself.--Kit (talk) 18:56, 16 October 2012 (UTC)

What if we don't want clamd because we're just manually scanning using clamscan? Beepboo (talk) 08:26, 31 March 2020 (UTC)

Loading virus signatures has become so slow in recent ClamAV versions that clamscan is hardly usable anymore (see various threads on the ClamAV mailing list). Clamdscan relies on a running clamd, but since that daemon pre-loads the signature files, it is much more responsive. Morbius (talk) 15:48, 31 March 2020 (UTC)

I've searched and can't find useful info - e.g. mailing list search. In my use case, if I scan a 1.5TB folder (2 x SSD, 24 core CPU) I find clamdscan only uses about 5 cores, whereas I can spin up 24 instances of clamscan via parallel. Beepboo (talk) 17:11, 31 March 2020 (UTC)

A few of the threads dealing with delays due to signature database initialisation are: 1 2 3. This is not an issue limited to clamscan, but unlike clamdscan, each call to clamscan needs to individually load the database files, multiplying the necessary resources when run in parallel. Also, clamscan runs with the rights of the user invoking it. Unless run as root, I don't see use cases for launching 24 clamscan instances. I am not saying there is no valid application, but I see no reason to avoid clamd/clamdscan. Morbius (talk) 18:49, 31 March 2020 (UTC)

4 Testing the software

The return from EICAR test file that "must" appear is consistent with what's reported for ClamAV at VirusTotal, but I'm getting "{HEX}EICAR.TEST.3.UNOFFICIAL FOUND". Perhaps we should change the text.

—This unsigned comment is by Ttoirrah (talk) 17:32, 15 April 2020 (UTC). Please sign your posts with ~~~~!

8 OnAccess Scanning

It would be great if the page could also contain a section on how to configure OnAccess scanning - how to set up directories, the permissions, how virus findings are reported, ... Mephinet (talk) 19:17, 22 August 2016 (UTC)


Is it possible to enable 'OnAccessScan' by editing /etc/clamav/clamd.conf and adding these options:

/etc/clamav/clamd.conf
# Enable on-access scanning; requires the clamd service to be running
ScanOnAccess true
# Set the mount point on which to perform the scan.
# This can be any path, or multiple paths (one line per path);
# use / for everything
OnAccessMountPath /
# Block all operations on the file during the scan
OnAccessPrevention false
# Perform scans on newly created, moved, or renamed files
OnAccessExtraScanning true
# Exclude processes running as this UID from on-access scanning
OnAccessExcludeUID 0
# Action to perform when a malicious file is detected (it is possible to specify a script path)
# On a headless server:
VirusEvent "echo $(date) - ${CLAM_VIRUSEVENT_VIRUSNAME}: ${CLAM_VIRUSEVENT_FILENAME} | wall"
# On a client with libnotify:
# notify-send "Virus Found ${CLAM_VIRUSEVENT_VIRUSNAME}" "${CLAM_VIRUSEVENT_FILENAME} detected"
# It is also possible to delete the file with 'rm $CLAM_VIRUSEVENT_FILENAME'

# clamd should run as root
User root

If you are using AppArmor it is necessary to allow clamd to run as root:

$ sudo aa-complain clamd


Source: http://blog.clamav.net/2016/03/configuring-on-access-scanning-in-clamav.html

Dodo (talk) 04:00, 14 March 2017 (UTC)Edoz90

According to the ClamAV official documentation at https://www.clamav.net/documents/on-access-scanning, it seems that OnAccessMountPath cannot be used in conjunction with OnAccessExcludePath and OnAccessExtraScanning. Is it that we should change the OnAccessMountPath to OnAccessIncludePath? Please correct me if I'm wrong as I'm also new to ClamAV. Wan109020 (talk) 06:46, 22 May 2019 (UTC)
Oh, it feels like the VirusEvent has been broken for a while. See https://bbs.archlinux.org/viewtopic.php?id=237489. The response script specified in VirusEvent will not be fired, which makes the OnAccessScan feature ineffective. Wan109020 (talk) 07:23, 22 May 2019 (UTC)
It seems the VirusEvent still doesn't fire, so I didn't change anything - but when it starts working again, I think the /etc/clamav/detected.sh may need an edit:
XUSERS=($(who|awk '{print $1$NF}'|sort -u))
produces a list of users of the form "username(:0)"
Presumably the script aims to set NAME=username and DISPLAY=:0, but
NAME=(${XUSER/(/ })
doesn't change anything; NAME will still be "username(:0)", and
DISPLAY=${NAME[1]/)/}
isn't working either (DISPLAY is empty)
I'm not the best scripter out there, but these two
NAME=$(echo "$XUSER" | awk -F "[()]" '{print $1}')
DISPLAY=$(echo "$XUSER" | awk -F "[()]" '{print $2}')
should do the trick?
Ferdinand (talk) 13:04, 6 April 2021 (UTC)
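The split discussed above can also be done without awk. An added example (not the wiki's /etc/clamav/detected.sh) that separates "username(:0)" entries into a user name and an X display with POSIX parameter expansion and skips entries that carry no local display; the function names and the sample list are constructed for illustration.

```shell
#!/bin/sh
# Added example: split entries of the form "username(:0)" into a user name
# and an X display, using only POSIX parameter expansion.

# split_xuser ENTRY: prints "name display"; returns 1 if ENTRY has no local display
split_xuser() {
    entry=$1
    case $entry in
        *"(:"*")") ;;            # must end in "(:<display>)"
        *) return 1 ;;
    esac
    name=${entry%%"("*}          # text before the first "("
    display=${entry#*"("}        # text after the first "("
    display=${display%")"}       # drop the trailing ")"
    [ -n "$name" ] || return 1   # reject entries without a user name
    case $display in
        *[!0-9:.]*) return 1 ;;  # allow only digits, ":" and "." in a display
    esac
    printf '%s %s\n' "$name" "$display"
}

# local_x_sessions: reads entries on stdin, prints "name display" per local X session
local_x_sessions() {
    while IFS= read -r entry; do
        split_xuser "$entry" || true
    done
}

# Constructed sample in the shape `who | awk '{print $1$NF}' | sort -u` produces:
# a local X session, a remote login (host in parentheses) and a bare tty login.
SAMPLE='alice(:0)
bob(192.0.2.10)
carol10:32'

printf '%s\n' "$SAMPLE" | local_x_sessions
```

The result is kept in `name` and `display` rather than `DISPLAY`, so the caller's own environment is not overwritten until it chooses to export the value for notify-send.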


Clamd Port Security: Please note the following warning about clamd port security if changing other parts of the file (/etc/clamav/clamd.conf). Generally use a local Unix socket, but note that this port is not authenticated or protected. See https://docs.clamav.net/manual/Usage/Scanning.html#clamd-v0101 for more details in the Daemon and then ClamD section. Is it possible to further restrict a local unix socket?

(I'm new so please check my edits :) )
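On the question above: clamd.conf has `LocalSocketMode` and `LocalSocketGroup`, which set the permissions and group of the socket file. The following is an added example (not from the wiki or the ClamAV project) that audits a configuration for socket exposure; the function name, both sample configurations and the finding texts are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag clamd.conf settings that widen access to the
# unauthenticated clamd command socket.

# audit_clamd_conf [FILE]: reads FILE (or stdin), prints one finding per line
audit_clamd_conf() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }          # skip comments and blank lines
        $1 == "TCPSocket"       { tcp = 1 }
        $1 == "TCPAddr"         { have_addr = 1 }
        $1 == "TCPAddr" && $2 != "127.0.0.1" && $2 != "localhost" && $2 != "::1" {
            exposed = exposed " " $2            # collect non-loopback bind addresses
        }
        $1 == "LocalSocket"     { sock = $2 }
        $1 == "LocalSocketMode" { mode = $2 }
        $1 == "User"            { user = $2 }
        END {
            if (tcp && !have_addr)
                print "TCPSocket without TCPAddr: listens on every interface"
            if (tcp && exposed != "")
                print "TCPAddr not loopback:" exposed
            if (sock != "" && mode == "")
                print "LocalSocketMode unset: " sock " is world accessible"
            else if (sock != "" && mode !~ /0$/)
                print "LocalSocketMode " mode ": " sock " is open to other users"
            if (user == "root" && (tcp || sock != ""))
                print "User root: socket requests are served by a root process"
        }
    ' "$@"
}

# Constructed samples: a permissive configuration and a restricted one.
WEAK_CONF='LocalSocket /run/clamav/clamd.ctl
TCPSocket 3310
User root'

STRICT_CONF='# scan clients must be members of group clamav
LocalSocket /run/clamav/clamd.ctl
LocalSocketGroup clamav
LocalSocketMode 660
User clamav'

printf '%s\n' "$WEAK_CONF"   | audit_clamd_conf
printf '%s\n' "$STRICT_CONF" | audit_clamd_conf
```

Run it against the live file with `audit_clamd_conf /etc/clamav/clamd.conf`; the restricted sample produces no findings.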


10.1 Run in multiple threads

Are we sure that it is a safe way to scan in multithreads? I was monitoring my CPU, RAM and Swap usage while running the command and in a second, RAM and Swap were full and all cores were at 100%. Then my PC froze and I had to shutdown forcefully. Dybdeskarphet (talk) 16:42, 26 May 2022 (UTC)

5.2.2 MalwarePatrol database

malwarepatrol_product_code="8" should be 32 instead now. Their clamav-configuration-guide is wrong, this is the correct doc: https://www.malwarepatrol.net/tech-support/ But the clamav-unofficial-sigs.sh script should be also modified. The fix is in the dev branch for a while. https://github.com/extremeshok/clamav-unofficial-sigs/pull/393/

Kovacs-Andras (talk) 18:30, 26 November 2022 (UTC)

Freshclam daemon causes CDN lockout on frequent reboots

Rebooting your (development) system a lot with default settings and clamav-freshclam.service enabled will cause too frequent update requests and, in the end, you will be blocked by the CDN:

WARNING: FreshClam previously received error code 429 or 403 from the ClamAV Content Delivery Network (CDN). This means that you have been rate limited or blocked by the CDN.

The issue is the unintelligent /usr/bin/freshclam -d --foreground=true process that immediately starts the "ClamAV virus database updater" on every boot.

After 7 reboots in a 5 hour window, I was blocked for 24 hours.

Isn't it better and safer to not use the clamav-freshclam.service and instead use the clamav-freshclam-once.service with clamav-freshclam-once.timer, and update the wiki accordingly? Probackup-nl (talk) 20:52, 21 January 2024 (UTC)