[Support] ClamAV


TQ

Recommended Posts

Overview: Support for Docker image tquinnelly/clamav-alpine which uses clamav, freshclam, and clamscan to scan your array.

Application: ClamAV https://www.clamav.net/

Docker Hub: https://hub.docker.com/r/tquinnelly/clamav-alpine

GitHub: https://www.github.com/tquizzle/clamav-alpine

 

Container Size: 15 MB

 

Alpine Version: latest

ClamAV Version: 0.102.3-r0

 

 

Expectations:

This container will run when started, scan, then stop. If you want to scan again, just start it again.

 

Notification script from Squid:

On 6/16/2019 at 9:57 AM, Squid said:

Updated to include the infected file in the notification


#!/usr/bin/php
<?
exec('/usr/local/emhttp/plugins/dynamix/scripts/notify -e "Antivirus Scan" -s "Antivirus Scan Started" -d "Antivirus Scan Started" -i "normal"');
exec('docker start ClamAV');
for ( ;; ) {
  $status = trim(exec("docker ps | grep ClamAV"));
  if ( ! $status ) break;
  sleep(60);
}
exec("docker logs ClamAV 2>/dev/null",$logs);
foreach ($logs as $line) {
  $virus = explode(" ",$line);
  if (trim(end($virus)) == "FOUND" ) {
    $infected .= "$line\n";
  }
}

if ( ! $infected ) $infected = "No infections found\n";

exec('/usr/local/emhttp/plugins/dynamix/scripts/notify -e "Antivirus Scan" -s "Antivirus Scan Finished" -d '.escapeshellarg($infected).' -i "normal"');
?>

 

script 689 B · 24 downloads

 

 

Logs

This container logs to stdout. To see the logs you will have to execute the docker logs command.

docker logs ClamAV

Buy me a coffee?

Edited by TQ
Update for Alpine
  • Like 1
Link to comment
7 minutes ago, Squid said:

To schedule scans,

 

Disable autostart on the app from the docker tab (otherwise it will do a scan everytime you start the server) - up to you.

 

Run this as a user script on a schedule which you choose.  Will send a start / stop notification with the # of infected files.  You'll have to look at the logs to determine which file(s) are infected


#!/usr/bin/php
<?
exec('/usr/local/emhttp/plugins/dynamix/scripts/notify -e "Antivirus Scan" -s "Antivirus Scan Started" -d "Antivirus Scan Started" -i "normal"');
exec('docker start ClamAV');
for ( ;; ) {
  $status = trim(exec("docker ps | grep ClamAV"));
  if ( ! $status ) break;
  sleep(600);
}
$infected = system("docker logs ClamAV | grep -i 'Infected'");
exec('/usr/local/emhttp/plugins/dynamix/scripts/notify -e "Antivirus Scan" -s "Antivirus Scan Finished" -d '.escapeshellarg($infected).' -i "normal"');
?>

 

script 517 B · 0 downloads

 

  • Like 1
Link to comment
27 minutes ago, Squid said:

You would make another instance of the container.  Each instance scans whatever is specified

In the script you wrote I just need to edit the 2 references to “ClamAV” (docker run ClamAV and docker log ClamAV) to the name I used for whichever instance of the docker right?

Link to comment

Updated to include the infected file in the notification

#!/usr/bin/php
<?
exec('/usr/local/emhttp/plugins/dynamix/scripts/notify -e "Antivirus Scan" -s "Antivirus Scan Started" -d "Antivirus Scan Started" -i "normal"');
exec('docker start ClamAV');
for ( ;; ) {
  $status = trim(exec("docker ps | grep ClamAV"));
  if ( ! $status ) break;
  sleep(60);
}
exec("docker logs ClamAV 2>/dev/null",$logs);
foreach ($logs as $line) {
  $virus = explode(" ",$line);
  if (trim(end($virus)) == "FOUND" ) {
    $infected .= "$line\n";
  }
}

if ( ! $infected ) $infected = "No infections found\n";

exec('/usr/local/emhttp/plugins/dynamix/scripts/notify -e "Antivirus Scan" -s "Antivirus Scan Finished" -d '.escapeshellarg($infected).' -i "normal"');
?>

 

 

script

Edited by Squid
  • Like 1
Link to comment
2 hours ago, Squid said:

Updated to include the infected file in the notification

@Squid Thanks for the updated script.

Is this the expected output if no infections are found?

Event: Antivirus Scan
Subject: Antivirus Scan Finished
Description: 
Importance: normal

Would it be possible to have something like "Files infected = 0" or maybe "No infections found" for Description?

Link to comment
8 minutes ago, testdasi said:

Stupid question: does it work cross platform? e.g. Linux docker detecting Windows / MacOS viruses?

It checks for matches to the database, so it will detect anything in the database. At the file level, it's all just ones and zeros being checked. It's not like a full featured A/V inside your OS, that looks at critical run entries and such, all it does is scan the files.

Link to comment
8 hours ago, jonathanm said:

It checks for matches to the database, so it will detect anything in the database. At the file level, it's all just ones and zeros being checked. It's not like a full featured A/V inside your OS, that looks at critical run entries and such, all it does is scan the files.

Yes. It will work on any docker install.

Link to comment

If this container only scans when you start the container or from the user script that Squid provided here.  Will the Clam Databases check for updates every time the docker runs as well?  Or how do the updates for the definitions database work in this container?

 

Edited by mwells
Link to comment
14 minutes ago, mwells said:

If this container only scans when you start the container or from the user script that Squid provided here.  Will the Clam Databases check for updates every time the docker runs as well?  Or how do the updates for the definitions database work in this container?

 

Quote from the github linked in OP-

It will always update the ClamAV Database, by using the standard freshclam before running clamscan.

Edited by wgstarks
  • Like 1
Link to comment
  • 2 months later...
  • 4 weeks later...

hello 

  I run clamav it shows 

 


2019-10-03T08:39:17+0000 ClamAV scanning started

Updating ClamAV scan DB
Hint: The database directory must be writable for UID 100 or GID 101
ERROR: Can't create temporary directory /var/lib/clamav/clamav-435ac426ce5c25f4c347d7759f496c54.tmp



An error occurred (freshclam returned with exit code '57')

It works fine a few months ago and I dont know what happend , I check the unraid and have't found the user id is 100 , what should I do with it ?

 

thank u 

Link to comment
9 hours ago, Cyberalien said:

hello 

  I run clamav it shows 

 



2019-10-03T08:39:17+0000 ClamAV scanning started

Updating ClamAV scan DB
Hint: The database directory must be writable for UID 100 or GID 101
ERROR: Can't create temporary directory /var/lib/clamav/clamav-435ac426ce5c25f4c347d7759f496c54.tmp



An error occurred (freshclam returned with exit code '57')

It works fine a few months ago and I dont know what happend , I check the unraid and have't found the user id is 100 , what should I do with it ?

 

thank u 

Latest version has the option to run UID/GID to address this behavior.

 

I'm not sure if it ever got updated in CA.

@Squid can you verify? I should have fixed the invalid xml.

Link to comment

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.