[Support] ClamAV



On 11/7/2021 at 5:03 PM, svh1985 said:

I just started a 2nd scan after two months, and the notify script still picks up the previous infection (a file that I have since removed) from the ClamAV docker logs, so I still get a FOUND message. Anyone else seeing this?

I also have this issue.
What I also observe is that files are listed multiple times in my logs.

Can someone help me to get rid of this?

Thank you!

Link to comment
5 hours ago, Maginos said:

I also have this issue.
What I also observe is that files are listed multiple times in my logs.

Can someone help me to get rid of this?

Thank you!

In the logs they should be time stamped. Is it finding the file again after deletion, or is it showing the previous infected file with previous time stamped entry? 

Can you post a section of the logs for view?

Link to comment
20 minutes ago, TQ said:

In the logs they should be time stamped. Is it finding the file again after deletion, or is it showing the previous infected file with previous time stamped entry? 

Can you post a section of the logs for view?

I attached the log from the last scan.

 

In this log no infected file was found. In the logs before I deleted the infected files, the lines look like:

/scan/path/to/infected/file: Heuristics.Phishing.Email.SSL-Spoof FOUND

So there is no timestamp.

I assume it shows the infected files from previous scans. How can I get rid of this?

clamav_logs.txt

Link to comment
22 minutes ago, Maginos said:

I attached the log from the last scan.

 

In this log no infected file was found. In the logs before I deleted the infected files, the lines look like:

/scan/path/to/infected/file: Heuristics.Phishing.Email.SSL-Spoof FOUND

So there is no timestamp.

I assume it shows the infected files from previous scans. How can I get rid of this?

clamav_logs.txt 5.15 kB · 0 downloads

 

Hmm. Well, definitely should add timestamp to `stdout` next update. (adds to my to-do list)

 

So, are you referring to the pop-up in the Unraid GUI that shows the previous virus found message? Just want to make sure I understand fully.

Link to comment
4 minutes ago, TQ said:

 

Hmm. Well, definitely should add timestamp to `stdout` next update. (adds to my to-do list)

 

So, are you referring to the pop-up in the Unraid GUI that shows the previous virus found message? Just want to make sure I understand fully.

That would be great, thanks!

 

4 minutes ago, TQ said:

 

Hmm. Well, definitely should add timestamp to `stdout` next update. (adds to my to-do list)

 

So, are you referring to the pop-up in the Unraid GUI that shows the previous virus found message? Just want to make sure I understand fully.

I'm referring to the email I get after the scan has finished. Unfortunately the content is too long to get sent via Telegram, so I had to check mail notification. 

Link to comment
On 1/23/2023 at 5:52 AM, rbronco21 said:

If I add "--max-filesize=200M --max-scansize=500M" to Post Arguments, my log is empty and I am unsure if it has done anything.

 

If I add a -i, it fails with this in the log:

clamd: illegal option -- i
ERROR: Unknown option passed
ERROR: Can't parse command line options

 

These options also fail:

-f /scan/appdata/clamav/clamavtargets.txt
clamd: illegal option -- f
ERROR: Unknown option passed
ERROR: Can't parse command line options

--file-list=/scan/appdata/clamav/clamavtargets.txt
clamd: unrecognized option `--file-list=/scan/appdata/clamav/clamavtargets.txt'
ERROR: Unknown option passed
ERROR: Can't parse command line options

 

I have to be missing something because there aren't other posts about this. What's going on?

 

That is strange. I just rebuilt the container on my test Unraid server to ensure it was pulling new and starting with new config.

I passed the -i and -f parameters respectively, and all passed and worked.

 

I do see two potential issues with your configuration.

 

Wondering if you're adding the parameters to the "Extra Parameters" instead of "Post-Arguments" options.

I added the following parameters to that section and it runs normally.

-i --log=/var/lib/clamav/log.log --max-filesize=4096M --file-list=/scan/file-list.txt

Also, parameters should be from the "container's" perspective. I pass the file list using the container's path.

 

Output:

2023-01-28T16:05:17+00:00 ClamAV process starting

Updating ClamAV scan DB
ClamAV update process started at Sat Jan 28 16:05:17 2023
daily.cvd database is up-to-date (version: 26795, sigs: 2018570, f-level: 90, builder: raynman)
main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
bytecode.cvd database is up-to-date (version: 333, sigs: 92, f-level: 63, builder: awillia2)


Freshclam updated the DB


ClamAV 0.104.3/26795/Sat Jan 28 08:27:17 2023

Scanning /scan

WARNING: Only scanning files from --file-list (files passed at cmdline are ignored)

----------- SCAN SUMMARY -----------
Known viruses: 8650505
Engine version: 0.104.3
Scanned directories: 4
Scanned files: 6
Infected files: 0
Data scanned: 0.15 MB
Data read: 5678.47 MB (ratio 0.00:1)
Time: 26.245 sec (0 m 26 s)
Start Date: 2023:01:28 16:05:17
End Date:   2023:01:28 16:05:43

2023-01-28T16:05:43+00:00 ClamAV scanning finished

 

Link to comment
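
If a notify script reads the container's whole log history, FOUND lines from earlier runs are reported again. As an added example (not part of the original posts and not the container's own notify script), this filter keeps only the detections printed after the last `ClamAV process starting` marker shown in the output above and drops repeated lines; the sample log and its file paths are constructed.

```shell
#!/bin/sh
# Added example: list only the detections from the most recent scan run.

# Reads container log text on stdin, prints unique FOUND lines of the last run.
latest_scan_hits() {
    awk '
        # The container prints this marker at the start of every run, so
        # anything collected from earlier runs is thrown away here.
        /^[0-9T:+-]+ ClamAV process starting/ { split("", seen); n = 0; next }
        # clamscan detection lines end in " FOUND"; keep each one once.
        / FOUND$/ && !($0 in seen) { seen[$0] = 1; hits[++n] = $0 }
        END { for (i = 1; i <= n; i++) print hits[i] }
    '
}

# Constructed sample: two runs, the second reporting one file twice.
sample_log() {
    cat <<'EOF'
2023-01-21T03:00:00+00:00 ClamAV process starting
/scan/mail/old.eml: Heuristics.Phishing.Email.SSL-Spoof FOUND
2023-01-21T03:20:00+00:00 ClamAV scanning finished
2023-01-28T03:00:00+00:00 ClamAV process starting
/scan/mail/new.eml: Heuristics.Phishing.Email.SSL-Spoof FOUND
/scan/mail/new.eml: Heuristics.Phishing.Email.SSL-Spoof FOUND
2023-01-28T03:20:00+00:00 ClamAV scanning finished
EOF
}

sample_log | latest_scan_hits
```

On the host it can be fed with `docker logs ClamAV 2>&1 | latest_scan_hits`; `docker logs --since` bounds the input further.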
6 minutes ago, TQ said:

Wondering if you're adding the parameters to the "Extra Parameters" instead of "Post-Arguments" options.

I added the following parameters to that section and it runs normally.

Nope, I had only the -i option in Post-Arguments. I added the other parameters you suggest, and I think on Monday I will see if they help.

 

Since the -f option is not listed in the Docker Hub page, can you tell what this parameter does?

Link to comment

This is my output from the docker container:

docker run
  -d
  --name='ClamAV'
  --net='bridge'
  -e TZ="Europe/Berlin"
  -e HOST_OS="Unraid"
  -e HOST_HOSTNAME="Tilda"
  -e HOST_CONTAINERNAME="ClamAV"
  -e 'USER_ID'='99'
  -e 'GROUP_ID'='100'
  -l net.unraid.docker.managed=dockerman
  -l net.unraid.docker.icon='http://its.ucsc.edu/software/images/clam.png'
  -v '/mnt/user':'/scan':'ro'
  -v '/mnt/nmvecache/appdata/clamav':'/var/lib/clamav':'rw' 'tquinnelly/clamav-alpine'
  -i
  --log=/var/lib/clamav/log.log
  --max-filesize=4096M
  --file-list=/scan/file-list.txt

7fd0b66f015ed72c98def70d4a2f24faa1ce017b16c414b772856200a7b8ad02

The command finished successfully!

Link to comment
1 hour ago, Maginos said:

This is my output from the docker container:

docker run
  -d
  --name='ClamAV'
  --net='bridge'
  -e TZ="Europe/Berlin"
  -e HOST_OS="Unraid"
  -e HOST_HOSTNAME="Tilda"
  -e HOST_CONTAINERNAME="ClamAV"
  -e 'USER_ID'='99'
  -e 'GROUP_ID'='100'
  -l net.unraid.docker.managed=dockerman
  -l net.unraid.docker.icon='http://its.ucsc.edu/software/images/clam.png'
  -v '/mnt/user':'/scan':'ro'
  -v '/mnt/nmvecache/appdata/clamav':'/var/lib/clamav':'rw' 'tquinnelly/clamav-alpine'
  -i
  --log=/var/lib/clamav/log.log
  --max-filesize=4096M
  --file-list=/scan/file-list.txt

7fd0b66f015ed72c98def70d4a2f24faa1ce017b16c414b772856200a7b8ad02

The command finished successfully!

That is the output of the command to run the container. 

 

You can see the logs by either clicking the icon in the Docker tab, and choosing "Logs" or by running the command below from an SSH session.

docker logs -f ClamAV

 

Link to comment
5 minutes ago, TQ said:

That is the output of the command to run the container. 

 

You can see the logs by either clicking the icon in the Docker tab, and choosing "Logs" or by running the command below from an SSH session.

docker logs -f ClamAV

 


Yes, I know. I thought it might be helpful for you.

 

2 hours ago, Maginos said:

I attached the log from the last scan.

 

I already posted the output of the log file in this post as txt file.

Link to comment
  • 1 month later...

New install, first run, something is off with permissions for a new install. See bottom for sus causes and tests.

 

The container was created normally as such:

 

Command execution
docker run
  -d
  --name='ClamAV'
  --net='bridge'
  -e TZ="Europe/Berlin"
  -e HOST_OS="Unraid"
  -e HOST_HOSTNAME="bTower"
  -e HOST_CONTAINERNAME="ClamAV"
  -e 'USER_ID'='99'
  -e 'GROUP_ID'='100'
  -l net.unraid.docker.managed=dockerman
  -l net.unraid.docker.icon='https://its.ucsc.edu/software/images/clam.png'
  -v '/mnt/user':'/scan':'ro'
  -v '/mnt/cache_apps/appdata/clamav':'/var/lib/clamav':'rw' 'tquinnelly/clamav-alpine'
  -i

51721770e6d4bf942cef86765a8bc9f159e8633e06f90b96327349aab8eee4a0

The command finished successfully!

 

Mind the IDs used. But when started, there are errors:
 

ERROR: Can't create freshclam.dat in /var/lib/clamav
ERROR: Failed to save freshclam.dat!
WARNING: Failed to create a new freshclam.dat!
ERROR: initialize: libfreshclam init failed.
ERROR: Initialization error!
ERROR: Can't create freshclam.dat in /var/lib/clamav
ERROR: Failed to save freshclam.dat!
WARNING: Failed to create a new freshclam.dat!
ERROR: initialize: libfreshclam init failed.
ERROR: Initialization error!

2023-03-01T08:54:30+00:00 ClamAV process starting
Updating ClamAV scan DB
Hint: The database directory must be writable for UID 100 or GID 101
An error occurred (freshclam returned with exit code '2')

2023-03-01T08:54:51+00:00 ClamAV process starting
Updating ClamAV scan DB
Hint: The database directory must be writable for UID 100 or GID 101
An error occurred (freshclam returned with exit code '2')

** Press ANY KEY to close this window **

 

Trying to find a cause..

  • Maybe because my Unraid gave the docker different User and Group IDs?
  • Maybe because the new `/appdata/clamav` folder was created with fewer permissions (drwxr-xr-x) than all other folders (drwxrwxrwx)? => I am running the latest CA Plugin version 2023.02.25 and will run a test with other dockers soon to compare results.

 

Edited by Barry Staes
Link to comment
  • 4 weeks later...

I'm seeing the same issue as @Barry Staes  on a fresh install. The container installs fine but "/mnt/cache/appdata/clamav" (and /mnt/user/appdata/clamav) is created 755 with owner "nobody" (which has uid 99 in the base unraid OS) and group "users" (which is gid 100). I tried changing the container USER_ID from 99 to 100 and GROUP_ID from 100 to 101 but got same result. I also tried changing to 775 and also chown 100.101 but same error.

 

I ended up chmod'ing "/mnt/cache/appdata/clamav" to 777 which got ClamAV running but it doesn't feel like the right solution.

Link to comment

I note that clamscan doesn't have a multithreaded option (other than running it multiple times on different locations) but clamdscan/clamd does. Has anyone tried to run clamd and then use clamdscan with --multiscan (or similar) to speed things up?

Link to comment
3 hours ago, cynod said:

I'm seeing the same issue as @Barry Staes  on a fresh install. The container installs fine but "/mnt/cache/appdata/clamav" (and /mnt/user/appdata/clamav) is created 755 with owner "nobody" (which has uid 99 in the base unraid OS) and group "users" (which is gid 100). I tried changing the container USER_ID from 99 to 100 and GROUP_ID from 100 to 101 but got same result. I also tried changing to 775 and also chown 100.101 but same error.

 

I ended up chmod'ing "/mnt/cache/appdata/clamav" to 777 which got ClamAV running but it doesn't feel like the right solution.

 

I agree, it feels dirty to chmod 777 to a dir.

You can do the below to the directory to resolve the issue.

 

chmod -R u-x,go-rwx,go+u,ugo+X /mnt/cache/appdata/clamav
chown -R nobody:users  /mnt/cache/appdata/clamav

 

Note: hack that I use, when creating directories and such via ssh, I use the following

sudo -u nobody -g users 'command here'

...so that the perms don't come back to bite me.

Link to comment
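
As an added example (not part of the original posts), this resolves the symbolic mode from the reply above on a scratch directory, so the resulting permission bits can be compared with the 755 the template created and the 777 discussed earlier. The scratch tree, its file name and the helper names are constructed; the `chown` step is left out because it needs root.

```shell
#!/bin/sh
# Added example: resolve the symbolic mode on a scratch tree (constructed paths).
MODE='u-x,go-rwx,go+u,ugo+X'

# Print the 10-character permission string of a path, e.g. drwxr-xr-x.
perm_of() { ls -ld "$1" | cut -c1-10; }

# Build a scratch tree like a freshly created appdata dir (755 dir, 644 file),
# apply MODE recursively, and print "<dir perms> <file perms>".
resolve_mode() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/clamav"
    : > "$tmp/clamav/freshclam.dat"
    chmod 755 "$tmp/clamav"
    chmod 644 "$tmp/clamav/freshclam.dat"
    # Clauses apply left to right: clear u+x, clear group/other,
    # copy the user bits to group/other, then add x on directories.
    chmod -R "$MODE" "$tmp/clamav"
    echo "$(perm_of "$tmp/clamav") $(perm_of "$tmp/clamav/freshclam.dat")"
    rm -rf "$tmp"
}

resolve_mode   # prints: drwxrwxrwx -rw-rw-rw-
```

`perm_of /mnt/cache/appdata/clamav` prints the same kind of string for the real directory.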
5 hours ago, TQ said:

It should be quite possible, yes.

I do not use Nextcloud so bit of a challenge for me.

 

In Nextcloud there are 3 options: Daemon, Daemon (Socket), Executable.

There is no daemon in this container, right? So we can only use Executable, but how do we give Nextcloud the path of the executable?

 

image.thumb.png.ad88eeccb14a9be8a95f195098b7e6da.png

Link to comment
  • 4 weeks later...

When installing the latest update from 4/22/2023 on Unraid 6.11.5 I saw the error below during installation:

 

207638803_ClamAVError.thumb.jpg.f5ac6b3348d77024537cc5f50848336d.jpg

 

The docker starts but immediately stops.  When looking at the log I get the following error:

 

1232742736_ClamAVError2.thumb.jpg.84bc1259856f68b262574f859aa47279.jpg

 

Is there something I need to adjust in the template for the new build?  Thank you.

Edited by SShadow
  • Upvote 1
Link to comment
17 hours ago, SShadow said:

When installing the latest update from 4/22/2023 on Unraid 6.11.5 I saw the error below during installation:

 

207638803_ClamAVError.thumb.jpg.f5ac6b3348d77024537cc5f50848336d.jpg

 

The docker starts but immediately stops.  When looking at the log I get the following error:

 

1232742736_ClamAVError2.thumb.jpg.84bc1259856f68b262574f859aa47279.jpg

 

Is there something I need to adjust in the template for the new build?  Thank you.

I got exactly the same issue. Same error 6.11.5 as well.

Link to comment

I can confirm I experience the same error using Unraid 6.11.5.  The other ClamAV docker available requires an active console or tmux session to run a scan command explicitly.  I prefer this automated one and check the logs.  Hopefully the developers see this and can correct.

Link to comment
  • 2 weeks later...

I've noticed that my logs are in UTC time. Is there a way to get the Alpine package for TZ data installed, so that the time zone is passed and the scan log is in time zone time?
 

Reviewing this docker for logs and time (https://serverfault.com/questions/683605/docker-container-time-timezone-will-not-reflect-changes), I have found that the log is in UTC time. Is there a way for me to add a custom script to run, or to pass the TZ via environment variables, to use local time for ClamAV logging? I believe a package would have to be added to the Alpine image to accomplish this.

-v /etc/localtime:/etc/localtime:ro
-v /etc/timezone:/etc/timezone:ro

Link to comment
