[clamav-users] Disable official database

G.W. Haywood clamav at jubileegroup.co.uk
Sun Aug 25 06:07:12 EDT 2019


Hi there,

On Sun, 25 Aug 2019, Kees Theunissen wrote:
> On Sat, 24 Aug 2019, azurit at pobox.sk wrote:
>
>> is it possible to disable official virus database? I would like to use only
>> custom database. Thanks for info.
>
> ... I didn't need virus databases at all ... (I didn't even test if
> I could start clamd without databases.)
>
> I created a database directory containing only a custom database ...
>
> So yes, at that time, it was possible to run at least clamd without
> the official virus database. I only used this with clamd, not with
> clamscan. And I didn't test this with the current clamav version.

To find out what might work and what might not, here's what I did:

======================================================================
Using 'clamd':
8<----------------------------------------------------------------------

1. I moved the 'main.cld' and 'daily.cld' files from my working clamav
database directory to a temporary directory, replaced them with empty
files, and by sending a message to its TCP port I told one of my clamd
daemons to reload its databases.  (By default clamd doesn't listen on
TCP, but I normally configure that anyway.)  Here's what happened:

Aug 25 08:28:01 mail6 root: PONG
Aug 25 08:28:20 mail6 ged: RELOADING
Aug 25 08:28:23 mail6 clamd[4518]: Reading databases from /etc/mail/clamav
Aug 25 08:28:23 mail6 clamd[4518]: reload db failed: Malformed database
Aug 25 08:28:23 mail6 clamd[4518]: Terminating because of a fatal error.
Aug 25 08:28:23 mail6 clamd[4518]: Pid file removed.
Aug 25 08:28:23 mail6 clamd[4518]: --- Stopped at Sun Aug 25 08:28:23 2019

The clamd daemon disliked the empty 'main' and 'daily' files and died.
I guess some folk might prefer it to carry on with the old databases,
but at least it's very clear what's happened.

8<----------------------------------------------------------------------

2. Instead, I simply moved the two files elsewhere and said 'RELOAD'.
This was successful.  Just the 'safebrowsing' etc. and third-party
signatures were reloaded and the daemon seemed happy.  As you can see,
without 'main' and 'daily' there were only 2.6 million signatures:

Aug 25 08:35:01 mail6 root: PONG
Aug 25 08:35:32 mail6 ged: RELOADING
Aug 25 08:35:35 mail6 clamd[5479]: Reading databases from /etc/mail/clamav
Aug 25 08:35:49 mail6 clamd[5479]: Database correctly reloaded (2603979 signatures)
Aug 25 08:36:01 mail6 root: PONG

8<----------------------------------------------------------------------

3. After replacing 'main' and 'daily' where they normally live, back up
to nearly 9 million signatures:

Aug 25 08:36:39 mail6 ged: RELOADING
Aug 25 08:36:40 mail6 clamd[5479]: Reading databases from /etc/mail/clamav
Aug 25 08:36:56 mail6 ged: RELOADING
Aug 25 08:37:01 mail6 root: PONG
Aug 25 08:38:01 mail6 root: PONG
Aug 25 08:39:01 mail6 root: PONG
Aug 25 08:40:01 mail6 root: PONG
Aug 25 08:40:05 mail6 clamd[5479]: Database correctly reloaded (8900727 signatures)
Aug 25 08:41:01 mail6 root: PONG

======================================================================

Using 'clamscan':
8<----------------------------------------------------------------------

4. Running clamscan with my production database directory on a random
test file supplied by the ClamAV install:

mail6:~/src/net/mail/clamav-0.101.4/test$ >>> clamscan -d /etc/mail/clamav clam.exe
clam.exe: Clamav.Test.File-6 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8893502
Engine version: 0.101.4
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 215.517 sec (3 m 35 s)

8<----------------------------------------------------------------------

5. The same, using a completely empty database directory:

mail6:~/src/net/mail/clamav-0.101.4/test$ >>> clamscan -d /etc/mail/clamav/empty clam.exe
LibClamAV Error: cli_loaddbdir(): No supported database files found in /etc/mail/clamav/empty
ERROR: Can't open file or directory

----------- SCAN SUMMARY -----------
Known viruses: 0
Engine version: 0.101.4
Scanned directories: 0
Scanned files: 0
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 0.015 sec (0 m 0 s)

8<----------------------------------------------------------------------

6. The same, using a database directory containing just an empty file:

mail6:~/src/net/mail/clamav-0.101.4/test$ >>> ls -l /etc/mail/clamav/empty/
total 0
-rw-r--r-- 1 root root 0 Aug 25 10:25 empty.ign2

mail6:~/src/net/mail/clamav-0.101.4/test$ >>> /usr/local/bin/clamscan -d /etc/mail/clamav/empty clam.exe
clam.exe: OK

----------- SCAN SUMMARY -----------
Known viruses: 0
Engine version: 0.101.4
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 0.017 sec (0 m 0 s)

8<----------------------------------------------------------------------

This was all with the current ClamAV version.  LibClamAV is not happy
with no database files at all, but it's happy if at least one file in
the database is readable, even if it's only 'empty.ign2'.  So it seems
that the way to do what the OP wants is simply to remove the official
databases from the database directory.

Since for the vast majority of users the 'main' and 'daily' files are
the mainstay of ClamAV operation it might perhaps be a little worrying
that a configuration error (even if not malicious) which causes these
files not to be read could pass without notice.  I can't help thinking
that it would be better if, by default, ClamAV gave a warning that the
'main' and 'daily' files weren't found.

If there's documentation on this kind of usage I've failed to find it.

-- 

73,
Ged.
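As an added example, not part of the post or of the ClamAV project, the procedure above (a database directory holding only custom signatures, with the official 'main'/'daily' files absent rather than zero-length) as a small POSIX shell script. It builds a custom-only directory from two signature types documented by ClamAV, a hash signature (.hdb, `MD5:FileSize:Name`) and a body pattern (.ndb, `Name:TargetType:Offset:HexSig`), then runs the two checks the post suggests before pointing clamscan or clamd at it: warn if main/daily are present (so the directory is not actually custom-only) and refuse if a zero-byte main/daily is present, since the post shows clamd aborting with "Malformed database" in that case. The sample file, marker string and signature names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the post): build a custom-only ClamAV database
# directory, sanity-check it, and scan a file with it.
set -u

# Portable MD5 of a file (md5sum on GNU/Linux, md5 -q on BSD/macOS).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# Append a hash signature (.hdb line: MD5:FileSize:Name) for SAMPLE to DBDIR.
add_hash_sig() {
    dbdir=$1; sample=$2; name=$3
    size=$(wc -c < "$sample" | tr -d ' ')
    printf '%s:%s:%s\n' "$(md5_of "$sample")" "$size" "$name" >> "$dbdir/custom.hdb"
}

# Append a body signature (.ndb line: Name:TargetType:Offset:HexSig) that
# matches the ASCII string PATTERN in any file type (target 0) at any offset (*).
add_pattern_sig() {
    dbdir=$1; pattern=$2; name=$3
    hex=$(printf '%s' "$pattern" | od -An -tx1 | tr -d ' \n')
    printf '%s:0:*:%s\n' "$name" "$hex" >> "$dbdir/custom.ndb"
}

# Returns 0 if a non-empty official main/daily file is present in DBDIR.
has_official_db() {
    for base in main daily; do
        for ext in cvd cld; do
            [ -s "$1/$base.$ext" ] && return 0
        done
    done
    return 1
}

# Returns 0 if a zero-byte main/daily file is present: the post shows clamd
# failing the reload ("Malformed database") and terminating on exactly this.
has_empty_official_db() {
    for base in main daily; do
        for ext in cvd cld; do
            [ -f "$1/$base.$ext" ] && [ ! -s "$1/$base.$ext" ] && return 0
        done
    done
    return 1
}

# Scan TARGET using only DBDIR. Exit status: clamscan's own (0 clean, 1 match,
# 2 error), or 2 if the directory would crash clamd, or 3 if clamscan is absent.
scan_custom_only() {
    dbdir=$1; target=$2
    if has_official_db "$dbdir"; then
        echo "warning: official main/daily present in $dbdir; not custom-only" >&2
    fi
    if has_empty_official_db "$dbdir"; then
        echo "error: zero-byte main/daily in $dbdir would abort a clamd reload" >&2
        return 2
    fi
    command -v clamscan >/dev/null 2>&1 || { echo "clamscan not installed" >&2; return 3; }
    clamscan --no-summary -d "$dbdir" "$target"
}

# Demo: constructed sample file carrying a marker string, flagged two ways.
demo() {
    work=$(mktemp -d)
    mkdir "$work/db"
    printf 'hello from a constructed sample CUSTOM-TEST-MARKER-0001\n' > "$work/sample.bin"
    add_hash_sig "$work/db" "$work/sample.bin" "Custom.Test.Hash-1"
    add_pattern_sig "$work/db" "CUSTOM-TEST-MARKER-0001" "Custom.Test.Marker-1"
    rc=0; scan_custom_only "$work/db" "$work/sample.bin" || rc=$?
    echo "scan exit status: $rc (0 clean, 1 match, 2 error, 3 clamscan missing)"
    rm -rf "$work"
}

if [ "$#" -gt 0 ]; then demo "$@"; fi
```

For clamd the same directory is used by setting `DatabaseDirectory` in clamd.conf to it and issuing RELOAD, as the post does; the checks above are worth running before the RELOAD, because a reload that fails on a malformed file takes the daemon down rather than leaving the old databases in place.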

