[clamav-users] Slow reload

Alessandro Vesely vesely at tana.it
Fri Mar 22 06:58:14 EDT 2019


On Thu 21/Mar/2019 21:21:45 +0100 Bowie Bailey wrote:
> 
>>
>> At that point, the top of the header should be plenty of virus_header's (one for each invocation):
>>
>> ale at pcale:~/tmp/courier/avfilter/svn/tests/testsuite.dir/09$ head eicar.mail
>> ClamAV-Found: Eicar-Test-Signature.UNOFFICIAL Eicar-Test-Signature.UNOFFICIAL
>> Old-ClamAV-Found: Eicar-Test-Signature.UNOFFICIAL Eicar-Test-Signature.UNOFFICIAL
>> Old-ClamAV-Found: Eicar-Test-Signature.UNOFFICIAL Eicar-Test-Signature.UNOFFICIAL
>>   Eicar-Test-Signature.UNOFFICIAL
>> From: author at example.com
>> To: victim at example.net
>> Subject: test message
>> Virus-Header: what does this mean?
>> MIME-Version: 1.0
>> Content-Type: multipart/mixed; boundary="=_1_1553193777_12188"
> 
> And here's the problem.  SecuriteInfo has their own Eicar signatures, so ClamAV found
> those first and not the one you were expecting.  My header looks like this:
> 
> ClamAV-Found: SecuriteInfo.com.Eicar-Test-Signature.UNOFFICIAL
>   SecuriteInfo.com.Eicar-Test-Signature-4.UNOFFICIAL
>   SecuriteInfo.com.Eicar-Test-Signature-2.UNOFFICIAL
>   Eicar-Test-Signature.UNOFFICIAL
>   SecuriteInfo.com.Eicar-Test-Signature.UNOFFICIAL
>   SecuriteInfo.com.Eicar-Test-Signature-4.UNOFFICIAL
>   SecuriteInfo.com.Eicar-Test-Signature-2.UNOFFICIAL
>   Eicar-Test-Signature.UNOFFICIAL


Uh, yeah, can be.  The small database is made like so:

test.ndb:
	sigtool -f Eicar-Test-Signature > $@

where the argument to -f is a regular expression.  So the database seems to contain four matching signatures.  Your database (like mine) probably has many more matching signatures, such as Win.Test.EICAR_NDB-1, whose names don't match the above regex.


> Not sure why everything is duplicated...
> 

This is something we should ask the ClamAV developers.  avtest.conf also contains allmatch (since it's useful when configuring different actions for different viruses).  With --allmatch, clamscan duplicates (or triplicates) messages too, even if the small database contains a single virus:

ale at pcale:~/tmp/courier/avfilter/svn/tests/testsuite.dir/09$ clamscan  --allmatch -d ../../small eicar.mail
eicar.mail: Eicar-Test-Signature.UNOFFICIAL FOUND
eicar.mail: Eicar-Test-Signature.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Known viruses: 1
Engine version: 0.101.1
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 0.007 sec (0 m 0 s)


>> And hence:
>>
>> ale at pcale:~/tmp/courier/avfilter/svn/tests/testsuite.dir/09$ egrep '^ClamAV-Found: Eicar' eicar.mail | wc -l
>> 1
>>
>> Instead, at yours wc wrote "0".  Why?
>>
>>> 9. testsuite.at:540: 9. per-virus behavior (testsuite.at:540): FAILED (testsuite.at:612)
>>>
>>> Suggestions?
>>>
>> I'd guess something must have gone wrong in the testsuite script.  In the testsuite, wc is $WC, after a definition in tests/atlocal, but egrep was not checked during configure, so maybe it should have been grep -E or similar.  Is that the culprit?
> 
> No, egrep works fine once the regex is adjusted to match the header.


Fine.  I'll change that command to "egrep -i '^ClamAV-Found: .*Eicar' eicar.mail".

Thank you for the fix.


> I guess I should have specified that I'm running this on CentOS 7, not that it
> matters at this point.
> 
> Looks like everything is working now.  I'll try integrating it with Courier
> tomorrow.  If I just want to reject any email that is flagged by ClamAV, I shouldn't
> need to adjust the default config, right?


Correct, reject is the default.  You probably need to set "database" to the same directory you configured as "DatabaseDirectory" in freshclam.conf.  Also, recall that clamd.conf is not read; please see avfilter.conf(5) if you need to set clamav options.


Best
Ale
-- 
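An added example, not part of this thread or of the avfilter test suite, showing why the original `egrep '^ClamAV-Found: Eicar'` check reported 0 on Bowie's machine and how a header check that drives accept/reject decisions should be written instead. The header name is folded over several lines (RFC 5322 continuation lines) and the first signature name on the line may carry a vendor prefix such as SecuriteInfo.com., so a regex anchored right after the field name misses real detections. The sample message and the function names (`make_sample_mail`, `unfold_headers`, `naive_count`, `count_eicar_hits`) are constructed for this example and are not from avfilter.

```shell
#!/bin/sh
# Added example (not from the thread or from avfilter): count Eicar
# signature names in a ClamAV-Found header after unfolding continuation
# lines, so a name that is not first on the line or that sits on a folded
# line is still counted.

# Constructed sample message, modelled on the headers quoted in the thread.
make_sample_mail() {
    cat <<'EOF'
ClamAV-Found: SecuriteInfo.com.Eicar-Test-Signature.UNOFFICIAL
  SecuriteInfo.com.Eicar-Test-Signature-4.UNOFFICIAL
  Eicar-Test-Signature.UNOFFICIAL
Old-ClamAV-Found: Eicar-Test-Signature.UNOFFICIAL
From: author@example.com
Subject: test message

body
EOF
}

# Unfold headers: a line beginning with space or tab continues the previous
# header (RFC 5322 folding).  Reading stops at the first blank line, which
# ends the header block.
unfold_headers() {
    awk '
        /^$/     { exit }
        /^[ \t]/ { sub(/^[ \t]+/, " "); h = h $0; next }
                 { if (h != "") print h; h = $0 }
        END      { if (h != "") print h }
    '
}

# The thread's original check: it requires "Eicar" immediately after the
# field name, so a vendor-prefixed first name or a folded line yields 0.
naive_count() {
    grep -Ec '^ClamAV-Found: Eicar' "$1" || true
}

# Robust check: unfold, keep only the current ClamAV-Found header (stale
# Old-ClamAV-Found results from earlier runs are deliberately ignored),
# split the signature names one per line and count those naming Eicar.
count_eicar_hits() {
    unfold_headers < "$1" \
      | grep -i '^ClamAV-Found:' \
      | tr ' ' '\n' \
      | grep -ic 'eicar' || true
}

# Stand-alone demonstration on the constructed sample.
tmp=$(mktemp)
make_sample_mail > "$tmp"
echo "naive count:    $(naive_count "$tmp")"
echo "unfolded count: $(count_eicar_hits "$tmp")"
rm -f "$tmp"
```

On the sample above the naive check prints 0 while the unfolded check prints 3. The same idea applies to any filter rule that greps a scanner's result header: unfold first, match the signature name anywhere on the line, and exclude headers left over from a previous scan, otherwise a positive detection can be silently treated as clean.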