[Support] ClamAV



On 7/19/2021 at 4:27 PM, luca2 said:

Hi, thx for the docker!

I tried -after install- to add:

--max-scansize=4000N --max-filesize=4000N

but as soon as I press save, the docker disappears. Anyone experiencing the same?

Rgds

Also to note, based on what I read earlier in the thread, it should be 4000"M", not 4000"N".

Link to comment
On 4/18/2021 at 8:32 AM, SmokeyColes said:

Great thank you, "Antivirus Scan Started" and the schedule is set in User Scripts.

I am a little confused - what is it actually scanning?  Every disk in the array or just dockers?

Once it finds a file, does it inform you and does it treat it?

 

Thanks

Chris

I've never created a custom script before and am pretty confused on the formatting. Can you or someone else share your script for getting a virus scan to execute automatically on a schedule via User Scripts? 

Link to comment
9 hours ago, ThatTallGuy21 said:

I've never created a custom script before and am pretty confused on the formatting. Can you or someone else share your script for getting a virus scan to execute automatically on a schedule via User Scripts? 

The script to use in user scripts is in the OP

Link to comment
  • 1 month later...

Hi everyone !

I'm getting these errors / warnings:

 

Updating ClamAV scan DB
ClamAV update process started at Sat Sep 4 08:52:39 2021
WARNING: FreshClam previously received error code 429 from the ClamAV Content Delivery Network (CDN).

WARNING: You are still on cool-down until after: 2021-09-04 12:48:27

This means that you have been rate limited by the CDN.
1. Run FreshClam no more than once an hour to check for updates.
FreshClam should check DNS first to see if an update is needed.
2. If you have more than 10 hosts on your network attempting to download,
it is recommended that you set up a private mirror on your network using
cvdupdate (https://pypi.org/project/cvdupdate/) to save bandwidth on the
CDN and your own network.
3. Please do not open a ticket asking for an exemption from the rate limit,
it will not be granted.


Freshclam updated the DB


ClamAV 0.103.3/26217/Wed Jun 30 11:10:04 2021

Scanning /scan

LibClamAV Warning: **************************************************

LibClamAV Warning: *** The virus database is older than 7 days! ***

LibClamAV Warning: *** Please update it as soon as possible. ***

LibClamAV Warning: **************************************************

 

Any idea what the problem could be ?

I'm running ClamAV on a monthly basis, nothing more

Link to comment
16 hours ago, AmokK said:

Hi everyone !

I'm getting these errors / warnings:

 

Updating ClamAV scan DB
ClamAV update process started at Sat Sep 4 08:52:39 2021
WARNING: FreshClam previously received error code 429 from the ClamAV Content Delivery Network (CDN).

WARNING: You are still on cool-down until after: 2021-09-04 12:48:27

This means that you have been rate limited by the CDN.
1. Run FreshClam no more than once an hour to check for updates.
FreshClam should check DNS first to see if an update is needed.
2. If you have more than 10 hosts on your network attempting to download,
it is recommended that you set up a private mirror on your network using
cvdupdate (https://pypi.org/project/cvdupdate/) to save bandwidth on the
CDN and your own network.
3. Please do not open a ticket asking for an exemption from the rate limit,
it will not be granted.

 

Any idea what the problem could be ?

I'm running ClamAV on a monthly basis, nothing more

 

You've been rate limited. 

 

Are you behind a large NAT? That error indicates rate limited.

 

If you continue to have issues, rebuild the container and try again. If that doesn't work, try manually installing the main db files into a bind mounted dir and see if that works.

Link to comment
  • 1 month later...

Thank you @TQ for this.

 

I wrote another user script to start and control the scanning. With it you can select which shares to scan. The script can be scheduled. You can select one day in a week when the script runs another set of shares. The intention is to scan a small set daily and then a full scan once per week, and completely avoid scanning some shares.

 

Some snippets as a sample:

# Edit these parameters:
# List of Unraid shares to scan under /mnt/user. Check YOUR Unraid "Shares" tab.
# Put a space between each share name.
FOLDERSDAILY="incoming shared"
FOLDERSWEEKLY="isos incoming shared backups myverybigshare"
# Select which day is weekly scan day (1=mon, 7=sun).
WEEKLYDAY=2

 

The script writes the target directories into a parameter file.

# Switch to advanced mode (click basic mode at top right) and change
# "Post parameters" to "-i -f /var/lib/clamav/clamavtargets.txt".
# This tells the scanner to use a target list in a file instead of
# scanning every Unraid share.

This is the only required change to the container definition.

 

The user script writes the parameter file and runs the container.

 

Full script is here: https://github.com/Helediron/unraid-dailyclamavscan

Credits to @Squid for the original script, on which this is based.

 

Link to comment
On 10/11/2021 at 12:11 PM, Helediron said:

I wrote another user script to start and control the scanning. With it you can select which shares to scan. The script can be scheduled. You can select one day in a week when the script runs another set of shares. The intention is to scan a small set daily and then a full scan once per week, and completely avoid scanning some shares.

Thanks Helediron. Can I do a daily scan of cache without making huge changes to the script?

Link to comment
5 hours ago, rbronco21 said:

Thanks Helediron. Can I do a daily scan of cache without making huge changes to the script?

Hi, script parameter and container parameter customisation should be enough.

 

ClamAV scans whatever it finds in the Docker container's internal /scan folder, which usually is mapped to external folder /mnt/user. If you change that container parameter to e.g. /mnt/cache (assuming "standard" naming), then you can direct the container to scan the cache.

 

Now, if you want to scan the cache completely, you don't need my script. Just point the container to the cache as above and run the container. This one-liner starts the scan:

  docker start ClamAV

Put that into a user script, schedule it daily and you're done.

 

 

If you want the folder selection or those fancy notifications, then continue. ->

 

To modify the script, there are more parameters in the script to customise. Find this block:

#Technical parameters
# name of the container.
CONTAINER=ClamAV
# Location of ClamAV application data folder in Unraid host. 
# Must match with container parameter "ClamAV Signatures:"
HOSTAPPDATA=/mnt/user/appdata/clamav
# Location of scanned directory. 
# Must match with container parameter "Folder to Scan:"
HOSTSCANDIR=/mnt/user
...

and customize the script too. The script parameter HOSTSCANDIR must match with the container parameter.  Change "HOSTSCANDIR=/mnt/user" to "HOSTSCANDIR=/mnt/cache".

 

Put into FOLDERSDAILY and FOLDERSWEEKLY directories right under /mnt/cache, e.g. FOLDERSDAILY="domains isos" .

 

If you want to run both user shares and directories under cache, it's getting more complex. There are two options:

  1. If you want to scan both /mnt/cache and /mnt/user completely, then set the scan point to /mnt and set FOLDERSDAILY and FOLDERSWEEKLY to "cache user" . We just moved here one step higher in folder hierarchy.
  2. If you want to scan subsets in both, then you have to duplicate the ClamAV container and script and customise them independently. In the second script you have to change CONTAINER and HOSTAPPDATA to match the second container. (Actually I don't yet know how that's done in Unraid, I'm an Unraid noob).

The script prints some debugging info. You'll see that if you run the script interactively with User Script plugin. It verifies that the folders actually exist and prints what it finds and finds not. If the scan takes long time, you can safely stop the script, but remember to stop the ClamAV container too.

Edited by Helediron
Link to comment
  • 3 weeks later...

Hoping someone might be able to help me out with a part of my setup.  

 

I have the ClamAv from https://hub.docker.com/r/mkodockx/docker-clamav  setup so that I can run this as an active daemon scanner for Nextcloud which I got working

 

But I note the below error I am not sure how I would go about changing things to not hit the time limit.. for the database test. 

 

Below is the error log that I have. 

 

 

Thu Nov 11 05:53:25 2021 -> ClamAV update process started at Thu Nov 11 05:53:25 2021
Thu Nov 11 05:53:26 2021 -> ^Your ClamAV installation is OUTDATED!
Thu Nov 11 05:53:26 2021 -> ^Local version: 0.102.4 Recommended version: 0.103.4
Thu Nov 11 05:53:26 2021 -> DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav
Thu Nov 11 05:53:26 2021 -> daily database available for update (local version: 26349, remote version: 26350)
Thu Nov 11 05:53:28 2021 -> Testing database: '/var/lib/clamav/tmp.da8a6/clamav-657c926e1e7e31ed3ddaa24ef0748942.tmp-daily.cld' ...
Thu Nov 11 05:53:33 2021 -> Database test passed.
Thu Nov 11 05:53:33 2021 -> daily.cld updated (version: 26350, sigs: 1943487, f-level: 90, builder: raynman)
Thu Nov 11 05:53:34 2021 -> main.cld database is up to date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
Thu Nov 11 05:53:34 2021 -> bytecode.cld database is up to date (version: 333, sigs: 92, f-level: 63, builder: awillia2)

Link to comment
  • 2 weeks later...
Quote

 

2021-11-23T21:30:18+00:00 ClamAV process starting

Updating ClamAV scan DB
ERROR: Can't create freshclam.dat in /var/lib/clamav
ERROR: Failed to save freshclam.dat!
WARNING: Failed to create a new freshclam.dat!
ERROR: initialize: libfreshclam init failed.
ERROR: Initialization error!
Hint: The database directory must be writable for UID 100 or GID 101


An error occurred (freshclam returned with exit code '2')

Getting the error above using the latest version from the CA on Unraid 6.10 RC2. I specified the UID/GID as 99/100 in the settings. 

Link to comment
4 hours ago, neverendingtech said:

Getting the error above using the latest version from the CA on Unraid 6.10 RC2. I specified the UID/GID as 99/100 in the settings. 

Wherever you're mounting those directories, you do not have access.

If you've not mounted those directories, then your docker.img file is full. 

Link to comment
On 11/24/2021 at 3:11 AM, neverendingtech said:

Getting the error above using the latest version from the CA on Unraid 6.10 RC2. I specified the UID/GID as 99/100 in the settings. 

Can you check the config for appdata mount?

I also had the issue, but my app data was configured like this (default value):
/mnt/cache/appdata/claimav

However this is supposed to be from the user shares.

Update the path to 

/mnt/user/appdata/clamav

 

or choose appdata folder manually, rather than using the default value.
 

Link to comment
1 hour ago, NotYourAverageDev said:

Can you check the config for appdata mount?

I also had the issue, but my app data was configured like this (default value):
/mnt/cache/appdata/claimav

However this is supposed to be from the user shares.

Update the path to 

/mnt/user/appdata/clamav

 

or choose appdata folder manually, rather than using the default value.
 

I had changed that, but for some reason it still created the  appdata/clamav folder with the wrong permissions. (rwx r-x r-x, which incidentally is the same as for my resilio and avidemux dockers, without any issues).

 

I manually created the appdata/clamav folder via Windows Explorer and now it works just fine. Thanks for the hint though!

Link to comment

I'm having the same permissions issue deploying this container with unraid version 6.10.0-rc2

 

The only solution I've found so far is changing /mnt/user/appdata/clamav to 777

 

2021-12-02T22:10:35+00:00 ClamAV process starting

Updating ClamAV scan DB
ERROR: Can't create freshclam.dat in /var/lib/clamav
ERROR: Failed to save freshclam.dat!
WARNING: Failed to create a new freshclam.dat!
ERROR: initialize: libfreshclam init failed.
ERROR: Initialization error!
Hint: The database directory must be writable for UID 100 or GID 101
An error occurred (freshclam returned with exit code '2')

 

Mappings:

/var/lib/clamav   <->   /mnt/user/appdata/clamav
/scan   <->   /mnt/user

 

USER_ID & GROUP_ID are set to 99/100

 

[email protected]:~# stat /mnt/user/appdata/clamav
  File: /mnt/user/appdata/clamav
  Size: 0         	Blocks: 0          IO Block: 4096   directory
Device: 0,51	Inode: 13792273858936362  Links: 1
Access: (0755/drwxr-xr-x)  Uid: (   99/  nobody)   Gid: (  100/   users)
Access: 2021-12-02 16:10:03.832225925 -0600
Modify: 2021-12-02 16:10:03.832225925 -0600
Change: 2021-12-02 16:10:03.832225925 -0600


 

Edited by ceddybu
Link to comment
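An added example (not from any poster in this thread) showing why the directory in the stat output above, mode 0755 owned by 99:100, is not writable for the UID 100 / GID 101 named in the freshclam hint, and how to check a narrower fix than 777. It assumes the classic Unix permission model: ACLs, supplementary groups and root's bypass are not considered, and `check_dbdir` assumes GNU `stat`.

```shell
#!/bin/sh
# Added example: classic Unix permission check (no ACLs, no supplementary groups).

# perm_bits MODE OWNER GROUP UID GID: print the rwx digit (0-7) that applies to UID:GID.
perm_bits() {
    if   [ "$4" -eq "$2" ]; then echo $(( (0$1 >> 6) & 7 ))   # owner class
    elif [ "$5" -eq "$3" ]; then echo $(( (0$1 >> 3) & 7 ))   # group class
    else                         echo $((  0$1       & 7 ))   # other class
    fi
}

# can_write MODE OWNER GROUP UID GID: creating a file needs w and x on the directory.
can_write() {
    [ $(( $(perm_bits "$@") & 3 )) -eq 3 ]
}

# check_dbdir DIR UID GID: verdict for a real directory (uses GNU stat).
check_dbdir() {
    dir=$1 uid=$2 gid=$3
    st=$(stat -c '%a %u %g' "$dir") || return 2
    set -- $st                                   # $1=mode $2=owner $3=group
    if ! can_write "$1" "$2" "$3" "$uid" "$gid"; then
        echo "FAIL $dir: mode $1 owner $2:$3 is not writable for $uid:$gid"
        echo "  narrower fix than 777: chgrp $gid '$dir' && chmod g+rwx '$dir'"
        return 1
    fi
    if [ $(( 0$1 & 2 )) -ne 0 ]; then
        echo "WARN $dir: writable for $uid:$gid, but also world-writable (mode $1)"
    else
        echo "OK $dir: writable for $uid:$gid (mode $1)"
    fi
}

# Values from the stat output and the freshclam hint in the post above:
#   can_write 0755 99 100 100 101   -> false (UID 100 falls into "other": r-x)
#   check_dbdir /mnt/user/appdata/clamav 100 101
```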
3 minutes ago, jeuser said:

Hi,

has someone an idea how to get notice of errors or a found virus without checking the log manually each time?

I'm using one of the scripts in this thread, gives me notifications, which are handled by the default unraid notifications, however you have them set up.

Link to comment
1 hour ago, Sayuuk said:

I'm using one of the scripts in this thread, gives me notifications, which are handled by the default unraid notifications, however you have them set up.

Precisely. Squid posted a script that I linked in the original post.

Link to comment

OK, I used an infected testfile but I get no notification.

 

ClamAV 0.103.3/26373/Sat Dec 4 09:32:50 2021

Scanning /scan

LibClamAV Warning: Bytecode run timed out in interpreter after 5000 opcodes
LibClamAV Warning: Bytecode 78 failed to run: CL_ETIMEOUT: Time limit reached
LibClamAV Warning: Bytecode run timed out in interpreter after 5000 opcodes
LibClamAV Warning: Bytecode 78 failed to run: CL_ETIMEOUT: Time limit reached
LibClamAV Warning: Bytecode run timed out in interpreter after 5000 opcodes
LibClamAV Warning: Bytecode 78 failed to run: CL_ETIMEOUT: Time limit reached
LibClamAV Warning: Bytecode run timed out in interpreter after 5000 opcodes
LibClamAV Warning: Bytecode 78 failed to run: CL_ETIMEOUT: Time limit reached
/scan/data/2_read/.sync/Archive/eicar_com.zip: Win.Test.EICAR_HDB-1 FOUND
/scan/data/2_read/eicar.com: Win.Test.EICAR_HDB-1 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8581021
Engine version: 0.103.3
Scanned directories: 32429
Scanned files: 133491
Infected files: 2
Data scanned: 95934.23 MB
Data read: 2209284.16 MB (ratio 0.04:1)
Time: 15151.955 sec (252 m 31 s)
Start Date: 2021:12:04 17:50:13
End Date: 2021:12:04 22:02:45

 


Link to comment
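An added example (not Squid's script and not from any poster here) of turning scan output like the log above into a verdict that a user script can hand to a notification command. The function names, the sample log assembled from the lines posted above, and the use of `logger` as a stand-in notifier are assumptions of this example.

```shell
#!/bin/sh
# Added example: turn a clamscan log into a verdict a user script can act on.

# sample_log: constructed input, lines copied from the scan output posted above.
sample_log() {
    cat <<'EOF'
Scanning /scan
LibClamAV Warning: Bytecode 78 failed to run: CL_ETIMEOUT: Time limit reached
/scan/data/2_read/.sync/Archive/eicar_com.zip: Win.Test.EICAR_HDB-1 FOUND
/scan/data/2_read/eicar.com: Win.Test.EICAR_HDB-1 FOUND

----------- SCAN SUMMARY -----------
Scanned files: 133491
Infected files: 2
EOF
}

# summarize_scan: read a log on stdin and print a one-message summary.
# Returns 0 = clean, 1 = detections, 2 = no summary (scan or update failed early).
# A new "Scanning ..." line resets the counters, so only the last run counts.
summarize_scan() {
    awk '
        /^Scanning /        { hits = ""; n = 0; finished = 0 }
        / FOUND$/           { hits = hits "\n  " $0; n++ }
        /^Infected files: / { infected = $3 + 0; finished = 1 }
        END {
            if (!finished) { print "Scan incomplete: no SCAN SUMMARY in log"; exit 2 }
            if (n == 0 && infected == 0) { print "Clean"; exit 0 }
            count = (infected > n) ? infected : n
            printf "%d infected file(s):%s\n", count, hits
            exit 1
        }'
}

# report_scan CONTAINER NOTIFIER...: summarize the container log and pass the
# message to NOTIFIER as its last argument unless the scan was clean.
report_scan() {
    container=$1; shift
    rc=0
    msg=$(docker logs "$container" 2>&1 | summarize_scan) || rc=$?
    [ "$rc" -eq 0 ] || "$@" "ClamAV ($rc): $msg"
    return "$rc"
}

# Typical use, with logger standing in for your notification command:
#   report_scan ClamAV logger -t clamav
```

Treating a log without a scan summary as a failure also surfaces runs that stopped at the freshclam step, such as the initialization errors posted earlier in the thread.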
On 10/18/2021 at 5:50 PM, Helediron said:

Hi, script parameter and container parameter customisation should be enough.

 

ClamAV scans whatever it finds in the Docker container's internal /scan folder, which usually is mapped to external folder /mnt/user. If you change that container parameter to e.g. /mnt/cache (assuming "standard" naming), then you can direct the container to scan the cache.

 

Now, if you want to scan the cache completely, you don't need my script. Just point the container to the cache as above and run the container. This one-liner starts the scan:

  docker start ClamAV

Put that into a user script, schedule it daily and you're done.

 

 

If you want the folder selection or those fancy notifications, then continue. ->

 

To modify the script, there are more parameters in the script to customise. Find this block:

#Technical parameters
# name of the container.
CONTAINER=ClamAV
# Location of ClamAV application data folder in Unraid host. 
# Must match with container parameter "ClamAV Signatures:"
HOSTAPPDATA=/mnt/user/appdata/clamav
# Location of scanned directory. 
# Must match with container parameter "Folder to Scan:"
HOSTSCANDIR=/mnt/user
...

and customize the script too. The script parameter HOSTSCANDIR must match with the container parameter.  Change "HOSTSCANDIR=/mnt/user" to "HOSTSCANDIR=/mnt/cache".

 

Put into FOLDERSDAILY and FOLDERSWEEKLY directories right under /mnt/cache, e.g. FOLDERSDAILY="domains isos" .

 

If you want to run both user shares and directories under cache, it's getting more complex. There are two options:

  1. If you want to scan both /mnt/cache and /mnt/user completely, then set the scan point to /mnt and set FOLDERSDAILY and FOLDERSWEEKLY to "cache user" . We just moved here one step higher in folder hierarchy.
  2. If you want to scan subsets in both, then you have to duplicate the ClamAV container and script and customise them independently. In the second script you have to change CONTAINER and HOSTAPPDATA to match the second container. (Actually I don't yet know how that's done in Unraid, I'm an Unraid noob).

The script prints some debugging info. You'll see that if you run the script interactively with User Script plugin. It verifies that the folders actually exist and prints what it finds and finds not. If the scan takes long time, you can safely stop the script, but remember to stop the ClamAV container too.

Is it possible to use share names with spaces in the name? I tried messing with the script but I wasn't able to figure out how to do this. Any help is appreciated!

Link to comment
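An added example (not Helediron's script) of building the target list for the "-i -f /var/lib/clamav/clamavtargets.txt" post parameter so that share names containing spaces work: the lists hold one share per line instead of being space-separated, and the target file is written one path per line. The variable names follow the snippets quoted above; the sample share names and the functions `pick_folders` and `write_targets` are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Helediron's script. One share name per line, so names may contain spaces.
HOSTAPPDATA=${HOSTAPPDATA:-/mnt/user/appdata/clamav}   # mapped to /var/lib/clamav
HOSTSCANDIR=${HOSTSCANDIR:-/mnt/user}                  # mapped to /scan
TARGETFILE=${TARGETFILE:-$HOSTAPPDATA/clamavtargets.txt}
WEEKLYDAY=${WEEKLYDAY:-2}                              # 1=mon, 7=sun

# Constructed sample lists; replace with your own share names.
FOLDERSDAILY='incoming
shared'
FOLDERSWEEKLY='isos
incoming
my very big share'

# pick_folders DAY: print the share list for that weekday number.
pick_folders() {
    if [ "$1" -eq "$WEEKLYDAY" ]; then
        printf '%s\n' "$FOLDERSWEEKLY"
    else
        printf '%s\n' "$FOLDERSDAILY"
    fi
}

# write_targets DAY: write container-side paths to TARGETFILE, one per line.
# Names with a slash or dot-dot are rejected so an entry cannot point outside /scan.
write_targets() {
    : > "$TARGETFILE" || return 1
    pick_folders "$1" | while IFS= read -r share; do
        case $share in
            ''|.|..|*/*) echo "skipped (not a share name): '$share'" >&2; continue ;;
        esac
        if [ -d "$HOSTSCANDIR/$share" ]; then
            printf '/scan/%s\n' "$share" >> "$TARGETFILE"
        else
            echo "skipped (not found): $HOSTSCANDIR/$share" >&2
        fi
    done
}

# Typical use in a user script:
#   write_targets "$(date +%u)" && docker start ClamAV
```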