[Support] ClamAV



On 3/19/2020 at 3:58 PM, chip said:

Do I need to worry about the errors listed in the below?

 

2020-03-19T17:05:05+0000 ClamAV process starting

Updating ClamAV scan DB
LibClamAV Warning: Cannot dlopen libclamunrar_iface: file not found - unrar support unavailable
ClamAV update process started at Thu Mar 19 17:05:05 2020
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.102.1 Recommended version: 0.102.2
DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav
daily database available for update (local version: 25755, remote version: 25756)
Testing database: '/var/lib/clamav/tmp/clamav-f7f0b66ce827844c8f5352135dee0529.tmp-daily.cld' ...
Database test passed.
daily.cld updated (version: 25756, sigs: 2229890, f-level: 63, builder: raynman)
main.cvd database is up to date (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)
bytecode.cvd database is up to date (version: 331, sigs: 94, f-level: 63, builder: anvilleg)
WARNING: Clamd was NOT notified: Can't connect to clamd through /run/clamav/clamd.sock: No such file or directory

The unrar errors: I'll fix in just a moment.

The clamd.sock error; no, that's just clamav trying to notify the clamav daemon (not running) about its scan results.

Link to comment
3 hours ago, Flubster said:

package clamav-libunrar and unrar is missing from the dockerfile, also clamav is out of date as the dockerfile has a specific version installing rather than the latest in the alpine packages.

 

You can fix (until the maintainer sorts) by:

 

opening a console

 

apk update

apk del clamav

apk add clamav

apk add clamav-libunrar

apk add unrar

 

then restart the container.

 

Dave

Thanks Dave.

 

I've updated the clamav version as well as added the clamav-unrar libs.

2020-05-23T12:25:05+0000 ClamAV process starting

Updating ClamAV scan DB
ClamAV update process started at Sat May 23 12:25:06 2020
daily database available for download (remote version: 25820)
Time: 1.6s, ETA: 0.0s [=============================>] 63.14MiB/63.14MiB
Testing database: '/var/lib/clamav/tmp.319e6/clamav-d7cb4002549b22ae34aa0e790e0def2a.tmp-daily.cvd' ...
Database test passed.
daily.cvd updated (version: 25820, sigs: 2462534, f-level: 63, builder: raynman)
main database available for download (remote version: 59)
Time: 2.5s, ETA: 0.0s [=============================>] 112.40MiB/112.40MiB
Testing database: '/var/lib/clamav/tmp.319e6/clamav-d10a40146f6be5d2f5a27ad8e3da72d6.tmp-main.cvd' ...
Database test passed.
main.cvd updated (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)
bytecode database available for download (remote version: 331)
Time: 0.2s, ETA: 0.0s [=============================>] 289.44KiB/289.44KiB
Testing database: '/var/lib/clamav/tmp.319e6/clamav-40ed796077acdbd8f6d30c39d900f873.tmp-bytecode.cvd' ...
Database test passed.
bytecode.cvd updated (version: 331, sigs: 94, f-level: 63, builder: anvilleg)
WARNING: Clamd was NOT notified: Can't connect to clamd through /run/clamav/clamd.sock: No such file or directory


Freshclam updated the DB

ClamAV 0.102.3/25820/Fri May 22 12:21:08 2020

Scanning /scan


----------- SCAN SUMMARY -----------
Known viruses: 7016614
Engine version: 0.102.3
Scanned directories: 30
Scanned files: 47
Infected files: 0
Data scanned: 0.54 MB
Data read: 0.32 MB (ratio 1.66:1)
Time: 35.471 sec (0 m 35 s)

Updated on Github and Dockerhub.

Link to comment
  • 3 weeks later...

I added the notify user script but I'm getting this.

 

Script location: /tmp/user.scripts/tmpScripts/clamav/script
Note that closing this window will abort the execution of this script
/tmp/user.scripts/tmpScripts/clamav/script: line 3: ?: No such file or directory
/tmp/user.scripts/tmpScripts/clamav/script: line 4: syntax error near unexpected token `'/usr/local/emhttp/plugins/dynamix/scripts/notify -e "Antivirus Scan" -s "Antivirus Scan Started" -d "Antivirus Scan Started" -i "normal"''
/tmp/user.scripts/tmpScripts/clamav/script: line 4: `exec('/usr/local/emhttp/plugins/dynamix/scripts/notify -e "Antivirus Scan" -s "Antivirus Scan Started" -d "Antivirus Scan Started" -i "normal"');'

 

Do I still need to install something else?

Link to comment
12 minutes ago, Squid said:

You need to post exactly what shows up when you edit the script in user scripts

#!/bin/bash
#!/usr/bin/php
<?
exec('/usr/local/emhttp/plugins/dynamix/scripts/notify -e "Antivirus Scan" -s "Antivirus Scan Started" -d "Antivirus Scan Started" -i "normal"');
exec('docker start ClamAV');
for ( ;; ) {
  $status = trim(exec("docker ps | grep ClamAV"));
  if ( ! $status ) break;
  sleep(60);
}
exec("docker logs ClamAV 2>/dev/null",$logs);
foreach ($logs as $line) {
  $virus = explode(" ",$line);
  if (trim(end($virus)) == "FOUND" ) {
    $infected .= "$line\n";
  }
}

if ( ! $infected ) $infected = "No infections found\n";

exec('/usr/local/emhttp/plugins/dynamix/scripts/notify -e "Antivirus Scan" -s "Antivirus Scan Finished" -d '.escapeshellarg($infected).' -i "normal"');
?>

This is what is in the script. I see what I did wrong now :)

 

I removed the top one (bin bash) and it doesn't give any errors anymore when I run the script.

 

Link to comment
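Added example (not part of the original posts or of the container's own scripts): the notification script above reports only lines ending in FOUND, so a scan that aborted or logged engine errors such as the `fmap() failed` message seen later in this thread would still be reported as "No infections found". The sketch below classifies only the most recent run in the log, using the "ClamAV process starting" marker from the logs on this page; the function names and the sample log are assumptions made for illustration.

```shell
#!/bin/bash
# Classify the most recent ClamAV run in a container log read from stdin.
# Prints "<status> found=<n> errors=<n>", status = infected|incomplete|errors|clean.
# Intended use: docker logs ClamAV 2>&1 | classify_scan_log
# (2>&1 rather than 2>/dev/null, so that lines written to stderr are included).
classify_scan_log() {
  awk '
    # Each run begins with this marker: forget counts from earlier runs,
    # because the log of a restarted container still holds older output.
    /ClamAV process starting$/ { found = 0; errors = 0; infected = 0; finished = 0; next }
    /: .* FOUND$/              { found++ }       # "<path>: <signature> FOUND"
    /^LibClamAV Error: /       { errors++ }      # engine errors (warnings are ignored)
    /^Infected files: /        { infected = $3 + 0; finished = 1 }  # summary was printed
    END {
      if (found > 0 || infected > 0) status = "infected"
      else if (!finished)            status = "incomplete"  # no summary: aborted or running
      else if (errors > 0)           status = "errors"      # finished, but not trustworthy
      else                           status = "clean"
      printf "%s found=%d errors=%d\n", status, found, errors
    }'
}

# Constructed sample: two runs in one log. Dates, path and signature name are made up;
# the message formats follow the log lines quoted in this thread.
sample_log() {
  cat <<'EOF'
2020-03-19T17:05:05+0000 ClamAV process starting
Scanning /scan
/scan/downloads/sample.bin: Example.Signature-1 FOUND
----------- SCAN SUMMARY -----------
Infected files: 1
2020-03-20T17:05:05+0000 ClamAV process starting
Scanning /scan
LibClamAV Error: CRITICAL: fmap() failed
LibClamAV Warning: Bytecode 79 failed to run: CL_ETIMEOUT: Time limit reached
----------- SCAN SUMMARY -----------
Infected files: 0
EOF
}

sample_log | classify_scan_log
```

The first word of the output can be used to choose the notification text and importance instead of treating "no FOUND line" as a clean result.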
  • 2 weeks later...

Hi there,

 

I ran a complete (user0) scan, and got it finalized:


Engine version: 0.102.3
Scanned directories: 6499
Scanned files: 68931
Infected files: 0
Data scanned: 535740.32 MB
Data read: 835299.34 MB (ratio 0.64:1)
Time: 173506.039 sec (2891 m 46 s)

2020-06-25T18:07:24+0000 ClamAV scanning finished

 

Is the time ok ?? It ran 40+ hours...

Thanks

Link to comment
  • 2 weeks later...
On 6/26/2020 at 2:44 AM, Gregori said:

Hi there,

 

I ran a complete (user0) scan, and got it finalized:


Engine version: 0.102.3
Scanned directories: 6499
Scanned files: 68931
Infected files: 0
Data scanned: 535740.32 MB
Data read: 835299.34 MB (ratio 0.64:1)
Time: 173506.039 sec (2891 m 46 s)

2020-06-25T18:07:24+0000 ClamAV scanning finished

 

Is the time ok ?? It ran 40+ hours...

Thanks

Probably. ClamAV utilizes only 1 core so as not to crush your machine when it's scanning. So for 6500 directories and 69,000 files, it might take a while.

Link to comment
  • 2 months later...
  • 4 weeks later...
  • 2 months later...
On 9/13/2020 at 6:18 AM, marlouiegene18 said:

Has anyone figured this out for Nextcloud use? I'll be using Nextcloud to work with my students. I just want to get infected and others get infected. 

If it's still relevant for you, I got a solution that works fine for me.

 

You should enable the additional search results from dockerhub in the CA settings


 

Then proceed with the following steps:

1. In Apps-tab search for "docker-clamav"

2. Click on "Click Here To Get More Results From DockerHub"

3. Select the following container (it's from mkodockx, you can verify by clicking on the link to the dockerhub page):


 

4. Install with these attributes (besides the standard template, you just have to set up the port 3310). I don't know if it's relevant: my Nextcloud container is in the user-defined network "proxynet" like spaceinvaderone explained in his video for setting up a reverse proxy. I think it's at least important that both containers are using the same network.


 

5. After installing the docker-clamav container, edit the nextcloud container, enable "advanced view" in the upper right corner and add the extra parameter --link docker-clamav.


 

6. Restart both containers and everything should work fine. You can test it with some false virus signatures downloaded here:

https://www.eicar.org/?page_id=3950

 

To set it up, I followed the instructions from the following website:  https://www.virtualconfusion.net/clamav-for-nextcloud-on-docker/

 

Edited by Voss
Link to comment
  • 1 month later...

Hi--I have been using your docker image for a while now in Unraid 6.8.3, it works great, thank you for all your work on it! However lately I am getting these errors in the logs:

 

LibClamAV Warning: Bytecode 79 failed to run: CL_ETIMEOUT: Time limit reached

LibClamAV Warning: Bytecode run timed out in interpreter after 5000 opcodes

 

It is still catching viruses and trojans (just ran it on a backup for my gf's main machine before she upgraded the hdd and caught several), but if I am reading the end results correctly:

 

----------- SCAN SUMMARY -----------
Known viruses: 8748948
Engine version: 0.102.4

Scanned directories: 159783
Scanned files: 712394
Infected files: 5
Data scanned: 640178.14 MB
Data read: 5307618.48 MB (ratio 0.12:1)
Time: 46830.559 sec (780 m 30 s)

 

It is only scanning about 10% of the total server. Is that right or is this all just it skipping things it has scanned on previous passes? And if these errors are a concern, where/how can I adjust the Bytecode Timeout setting?

Link to comment

You're welcome, and I'm glad it's been useful.

 

I think I've found something that might be what's occurring in your case.

Quote

Bytecode signatures are a specialized type of ClamAV signature which is able to perform additional processing of the scanned file and allow for more robust detection. Unlike the standard ClamAV signature types, bytecode signatures have a number of unique distinctions which need to be respected for their effective usage.

Quote

Bytecode signatures, by default, are considered untrusted. In fact, only bytecode signatures published by Cisco, in the bytecode.cvd are considered “trusted”. This means that the ClamAV engine will, by default, never load, trigger or execute untrusted bytecodes. One can bypass this safety mechanism by specifying the bytecode unsigned option to the engine but it should be noted that it is up to the user’s discretion on using untrusted bytecode signatures.

 

One issue is you might not have enough ram to process this particular file. It's a stretch, but a possible cause.

 

To address the timeout, you should be able to pass a command line variable

--bytecode-timeout=[time in ms]

 

I've never had this issue, so let us know if this works and/or is helpful.

Source: StackExchange

Edited by TQ
Link to comment

I at the time had 64gb of RAM, so I am going to assume that wasn't the issue (I just installed 128--er. 125.9 usable for some reason, but still); both runs have the warnings. To be totally clear, they are colored as warnings, not errors, in the Unraid log. I'm not overly worried or anything, just wanted to know if this is something I should be fixing. :)

 

Also this probably isn't important as the databases are updating fine and well, but I AM getting this error at the end of the opening "testing database" part of the log:

 

WARNING: Clamd was NOT notified: Can't connect to clamd through /run/clamav/clamd.sock: No such file or directory

 

Edited by greyday
Link to comment
On 1/27/2021 at 9:16 AM, greyday said:

Also this probably isn't important as the databases are updating fine and well, but I AM getting this error at the end of the opening "testing database" part of the log:

 


WARNING: Clamd was NOT notified: Can't connect to clamd through /run/clamav/clamd.sock: No such file or directory

 

 

First post on this page :)

...that's just clamav trying to notify the clamav daemon (not running) about its scan results.

Link to comment

Is there any way for ClamAV to actively scan new files as they are downloaded or imported?

Thinking if I use SABnzbd to download stuff, for Clam to always be monitoring that folder for anything bad.

Also like Nextcloud or Picture imports as and when they get imported for Clam to actively monitor files as they are being installed.

Is this possible?

Link to comment
1 hour ago, parsec said:

Is it possible to have some progress indicator on the log, maybe a file counter that updated every hour or similar?

I'm about to scan 2.1 mill files, which I assume will take quite a long time, so some sort of indicator would be helpful.

 

Possibly doable. I'd probably have to dig into the scan script and add a progress bar into it.

Link to comment
1 hour ago, SavellM said:

Is there any way for ClamAV to actively scan new files as they are downloaded or imported?

Thinking if I use SABnzbd to download stuff, for Clam to always be monitoring that folder for anything bad.

Also like Nextcloud or Picture imports as and when they get imported for Clam to actively monitor files as they are being installed.

Is this possible?

 

Great idea. I think for this to be something that actually works, this container would not be the one.

I (or someone else) would have to write one for clamd (the daemon used for ClamAV), as this one only updates the dbs and runs a scan.

Link to comment
  • 2 weeks later...
11 hours ago, wgstarks said:

I have started having problems with this docker recently. Not sure exactly when they started but I noticed this error repeating in the log-


LibClamAV Error: CRITICAL: fmap() failed

I get this every time I attempt a scan.

 

 

I just downloaded this container for the 1st time and I am getting the same errors in my log

 

unRAID 6.8.3

 

Link to comment
