[clamav-users] Disable official database

Andrew Williams awillia2 at sourcefire.com
Sat Aug 24 22:07:54 EDT 2019


There is a configuration option to have ClamAV only load the official
signatures but this setting is disabled by default (it's the
OfficialDatabaseOnly setting for clamd, and '--official-db-only' for
clamscan). One exception to this is for bytecode signatures - only
official bytecode signatures are loaded by default.  This can be changed by
using '--bytecode-unsigned=yes' for clamscan, and for clamd it looks like
the BytecodeSecurity setting can be used (depending on how ClamAV is built).

Although there is some code in ClamAV that ensures daily.cvd/daily.cld get
loaded before some other rule files if they are present, in general ClamAV
only cares about the file extension and uses that to determine whether it
should try to load a given set of rules. This makes it easy to use
third-party or custom rules - with clamd you can just copy the rule files
into the DatabaseDirectory directory and with clamscan you can either copy
the rules into the default rule directory or specify the path to the custom
rules with the '-d' flag.

Hope that helps!

-Andrew

On Sat, Aug 24, 2019 at 11:54 AM G.W. Haywood via clamav-users <
clamav-users at lists.clamav.net> wrote:

> Hi there,
>
> On Sat, 24 Aug 2019, Joel Esler (jesler) wrote:
>
> > I mean, it's possible not to download the official definitions and
> > just point at a custom file right?
>
> No idea.  Haven't tried it.  If you can, it seems like it would be a
> security hole.  The code seems to be saying that it wants to load the
> daily.c[lv]d file before anything else; the name is hard-coded into
> the file I mentioned; and those files are signed.  Given that there's
> already been some discussion along these lines (e.g. see the link in
> my last post) I'd be surprised if nobody else has tried it, but I've
> been surprised before. :)
>
> --
>
> 73,
> Ged.
>
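An added example, not part of the original post and not ClamAV project code: because rule files are picked up by extension, this sketch reads `DatabaseDirectory` and `OfficialDatabaseOnly` from a clamd.conf and lists the files in that directory that are not the official main/daily/bytecode containers. Assumptions: the function names are hypothetical, the extension list is a subset chosen for illustration, only a literal `yes` value is recognised, and the check is by file name only and verifies no signature.

```bash
#!/usr/bin/env bash
# Added example: audit which non-official rule files sit in clamd's
# DatabaseDirectory. Function names and the extension subset are assumptions.

# Print the value of KEY from a clamd.conf-style file ("Key value" lines;
# commented-out lines never match; the last occurrence is used).
conf_value() {  # conf_value FILE KEY
  awk -v k="$2" '$1 == k { v = $2 } END { if (v != "") print v }' "$1"
}

# List files in DIR that carry a signature-style extension but are not one of
# the official container names. Name-based only: no signature is verified.
list_unofficial_dbs() {  # list_unofficial_dbs DIR
  local f base
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    base=${f##*/}
    case "$base" in
      main.cvd|main.cld|daily.cvd|daily.cld|bytecode.cvd|bytecode.cld) ;;
      *.cvd|*.cld|*.hdb|*.hsb|*.mdb|*.msb|*.ndb|*.ldb|*.fp|*.sfp|*.cdb|*.cbc|*.yar|*.yara|*.ign2)
        printf '%s\n' "$base" ;;
    esac
  done
}

# Report the setting and any non-official files.
# Status: 0 = nothing extra, or OfficialDatabaseOnly is "yes";
#         1 = extra rule files present and the option is not "yes";
#         2 = DatabaseDirectory missing from the config.
audit_clamd_conf() {  # audit_clamd_conf FILE
  local dir only extras
  dir=$(conf_value "$1" DatabaseDirectory)
  only=$(conf_value "$1" OfficialDatabaseOnly)
  [ -n "$dir" ] || { echo "DatabaseDirectory not set in $1" >&2; return 2; }
  extras=$(list_unofficial_dbs "$dir")
  echo "OfficialDatabaseOnly=${only:-unset}"
  [ -n "$extras" ] || return 0
  printf '%s\n' "$extras" | sed 's/^/non-official: /'
  [ "$only" = "yes" ]
}

# Stand-alone use: pass the path to a clamd.conf as the first argument.
if [ "$#" -gt 0 ]; then audit_clamd_conf "$1"; fi
```

Run periodically, a status of 1 flags rule files that someone with write access to the database directory has added while the official-only restriction is off.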