[clamav-users] Disable official database

Kris Deugau kdeugau at vianet.ca
Mon Aug 26 11:07:26 EDT 2019

G.W. Haywood via clamav-users wrote:
> To find out what might work and what might not, here's what I did:
> ======================================================================
> Using 'clamd':
> 8<----------------------------------------------------------------------
> 1. I moved the 'main.cld' and 'daily.cld' files from my working clamav
> database directory to a temporary directory, replaced them with empty
> files, and by sending a message to its TCP port I told one of my clamd
> daemons to reload its databases.  (By default clamd doesn't listen on
> TCP, but I normally configure that anyway.)  Here's what happened:
> Aug 25 08:28:01 mail6 root: PONG
> Aug 25 08:28:20 mail6 ged: RELOADING
> Aug 25 08:28:23 mail6 clamd[4518]: Reading databases from /etc/mail/clamav
> Aug 25 08:28:23 mail6 clamd[4518]: reload db failed: Malformed database
> Aug 25 08:28:23 mail6 clamd[4518]: Terminating because of a fatal error.
> Aug 25 08:28:23 mail6 clamd[4518]: Pid file removed.
> Aug 25 08:28:23 mail6 clamd[4518]: --- Stopped at Sun Aug 25 08:28:23 2019
> The clamd daemon disliked the empty 'main' and 'daily' files and died.
> I guess some folk might prefer it to carry on with the old databases,
> but at least it's very clear what's happened.

From my own experience, I expect this is because they were, as per the
error, "malformed".  ClamAV is very picky about this - too picky IMO.

If a signature database is present, it is expected to contain at least 
one signature, which is a valid signature for the database "type".  An 
empty file is not a valid signature database file.

> 6. The same, using a database directory containing just an empty file:
> mail6:~/src/net/mail/clamav-0.101.4/test$ >>> ls -l /etc/mail/clamav/empty/
> total 0
> -rw-r--r-- 1 root root 0 Aug 25 10:25 empty.ign2
> mail6:~/src/net/mail/clamav-0.101.4/test$ >>> /usr/local/bin/clamscan -d /etc/mail/clamav/empty clam.exe
> clam.exe: OK

This is consistent with my experience; .ign[2] is basically a list of
signatures to ignore, and so it can reasonably be empty.  Strictly
speaking it's not a signature database file, because it does not contain
actual signatures - just the names of signatures to ignore/skip.

If you wanted to use *ONLY* one or more of the internal heuristic tests, 
this is probably the best option.
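
Added example (not part of the original message, and not code from either poster or the ClamAV project): a pre-reload check built on the behaviour reported in this thread, where an empty database file made clamd terminate on reload while an empty .ign2 file was accepted. The function name `check_clamav_db_dir` and the demo directory layout are hypothetical, and the check assumes, conservatively, that every zero-byte file other than *.ign / *.ign2 would be rejected; it tests only for emptiness, not for valid signatures.

```shell
#!/bin/sh
# Added example: sanity-check a ClamAV database directory before asking
# clamd to reload, so an empty database file is caught before the daemon
# hits "Malformed database" and exits.
# Assumption (conservative): any zero-byte file other than *.ign / *.ign2
# is treated as a database that would fail to load.

# Print each empty non-ignore-list file; return 1 if any, 2 on a bad path.
check_clamav_db_dir() {
    dir=$1
    bad=0
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue          # skip subdirs and an unmatched glob
        case "$f" in
            *.ign|*.ign2) continue ;;    # ignore lists may legitimately be empty
        esac
        if [ ! -s "$f" ]; then           # -s is true only when size > 0
            echo "empty database file: $f"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed layouts mirroring experiments 1 and 6 from the thread.
demo() {
    tmp=$(mktemp -d) || return 2
    mkdir "$tmp/broken" "$tmp/heuristics_only"
    : > "$tmp/broken/main.cld"
    : > "$tmp/broken/daily.cld"
    : > "$tmp/heuristics_only/empty.ign2"
    for d in broken heuristics_only; do
        if check_clamav_db_dir "$tmp/$d"; then
            echo "$d: safe to reload"
        else
            echo "$d: do NOT reload"
        fi
    done
    rm -rf "$tmp"
}

demo
```

Run it against the live database directory and send the reload command only when it returns 0.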


