[clamav-users] Disable official database
kdeugau at vianet.ca
Mon Aug 26 11:07:26 EDT 2019
G.W. Haywood via clamav-users wrote:
> To find out what might work and what might not, here's what I did:
> Using 'clamd':
> 1. I moved the 'main.cld' and 'daily.cld' files from my working clamav
> database directory to a temporary directory, replaced them with empty
> files, and by sending a message to its TCP port I told one of my clamd
> daemons to reload its databases. (By default clamd doesn't listen on
> TCP, but I normally configure that anyway.) Here's what happened:
> Aug 25 08:28:01 mail6 root: PONG
> Aug 25 08:28:20 mail6 ged: RELOADING
> Aug 25 08:28:23 mail6 clamd: Reading databases from /etc/mail/clamav
> Aug 25 08:28:23 mail6 clamd: reload db failed: Malformed database
> Aug 25 08:28:23 mail6 clamd: Terminating because of a fatal error.
> Aug 25 08:28:23 mail6 clamd: Pid file removed.
> Aug 25 08:28:23 mail6 clamd: --- Stopped at Sun Aug 25 08:28:23 2019
> The clamd daemon disliked the empty 'main' and 'daily' files and died.
> I guess some folk might prefer it to carry on with the old databases,
> but at least it's very clear what's happened.
From my own experience, I expect this is because they were, as per the
error, "malformed". ClamAV is very picky about this - too picky IMO.
If a signature database is present, it is expected to contain at least
one signature, which is a valid signature for the database "type". An
empty file is not a valid signature database file.
> 6. The same, using a database directory containing just an empty file:
> mail6:~/src/net/mail/clamav-0.101.4/test$ >>> ls -l /etc/mail/clamav/empty/
> total 0
> -rw-r--r-- 1 root root 0 Aug 25 10:25 empty.ign2
> mail6:~/src/net/mail/clamav-0.101.4/test$ >>> /usr/local/bin/clamscan -d
> /etc/mail/clamav/empty clam.exe
> clam.exe: OK
This is consistent with my experience; .ign is basically a list of
signatures to ignore, and so it can reasonably be empty. Strictly
speaking it's not a signature database file, because it does not contain
actual signatures - just the names of signatures to ignore/skip.
If you wanted to use *ONLY* one or more of the internal heuristic tests,
this is probably the best option.
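
Added example, not part of the original message or of ClamAV itself: a pre-reload check that flags zero-length signature database files while accepting an empty .ign/.ign2 ignore list, matching the two behaviours reported in this thread. The function names, the temporary directory layout and the rule "any empty file that is not an ignore list is unsafe" are assumptions drawn from the thread, not from ClamAV documentation.

```shell
#!/bin/sh
# Added example: sanity-check a ClamAV database directory before a reload.
# Assumption (from the thread): a zero-length signature database makes clamd
# fail the reload with "Malformed database" and terminate, while an empty
# .ign/.ign2 ignore list is accepted.

# Print each zero-length file in directory $1 that is not an ignore list.
# Returns 0 when nothing suspicious was found, 1 otherwise.
check_db_dir() {
    dir=$1
    bad=0
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue      # skip subdirectories and an unmatched glob
        [ -s "$f" ] && continue      # non-empty: leave validation to ClamAV
        case "$f" in
            *.ign|*.ign2) ;;         # an empty ignore list is fine
            *) echo "empty database file: $f"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Constructed demo: one directory like the failed reload in step 1,
# one like the empty.ign2 directory in step 6.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/broken" "$tmp/heuristics-only"
    : > "$tmp/broken/main.cld"
    : > "$tmp/broken/daily.cld"
    : > "$tmp/heuristics-only/empty.ign2"
    if check_db_dir "$tmp/broken"; then r1=0; else r1=1; fi
    if check_db_dir "$tmp/heuristics-only"; then r2=0; else r2=1; fi
    rm -rf "$tmp"
    echo "broken=$r1 heuristics-only=$r2"
}

demo
```

Running the check against the live database directory before telling clamd to reload avoids the daemon exiting on an empty file, as happened in the quoted log.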