[clamav-users] Slow reload

Bowie Bailey Bowie_Bailey at BUC.com
Fri Mar 22 10:54:03 EDT 2019


On 3/22/2019 6:58 AM, Alessandro Vesely via clamav-users wrote:
> On Thu 21/Mar/2019 21:21:45 +0100 Bowie Bailey wrote:
>>
>> And here's the problem.  SecuriteInfo has their own Eicar signatures, so ClamAV found
>> those first and not the one you were expecting.  My header looks like this:
>>
>> ClamAV-Found: SecuriteInfo.com.Eicar-Test-Signature.UNOFFICIAL
>>   SecuriteInfo.com.Eicar-Test-Signature-4.UNOFFICIAL
>>   SecuriteInfo.com.Eicar-Test-Signature-2.UNOFFICIAL
>>   Eicar-Test-Signature.UNOFFICIAL
>>   SecuriteInfo.com.Eicar-Test-Signature.UNOFFICIAL
>>   SecuriteInfo.com.Eicar-Test-Signature-4.UNOFFICIAL
>>   SecuriteInfo.com.Eicar-Test-Signature-2.UNOFFICIAL
>>   Eicar-Test-Signature.UNOFFICIAL
>
> Uh, yeah, can be.  The small database is made like so:
>
> test.ndb:
> 	sigtool -f Eicar-Test-Signature > $@
>
> where the argument to -f is a regular expression.  So the database seems to contain four matching signatures.  Your database (like mine) probably has many more matching signatures, such as Win.Test.EICAR_NDB-1, whose names don't match the above regex.

Maybe you should limit that regex so it only matches the official ClamAV signature.

sigtool -f '^Eicar-Test-Signature' > $@

>
>> Not sure why everything is duplicated...
>>

After testing the sigtool command above, it looks like the duplication comes from
matching multiple types of files in the database directory.  daily.ndu, daily.ndb,
daily.ldu, and daily.ldb all matched an Eicar signature on my system.  I don't see a
way with sigtool to limit the match to a particular file type without having to
specify the directory.  Maybe you could just drop all but the first match from the
results.  (Although I guess it really doesn't matter since it is only used for the test)

Something like this:
sigtool -f '^Eicar-Test-Signature' | grep -m 1 . > $@

Actually, after testing that, I still get the header duplication with only 1
signature in the database.  Oh well...

ClamAV-Found: Eicar-Test-Signature.UNOFFICIAL Eicar-Test-Signature.UNOFFICIAL
  Eicar-Test-Signature.UNOFFICIAL

>> No, egrep works fine once the regex is adjusted to match the header.
>
> Fine.  I'll change that command to "egrep -i '^ClamAV-Found: .*Eicar' eicar.mail".
>
> Thank you for the fix.

If you change how the test database is generated, then you can stick with the
original regex.

>
>> I guess I should have specified that I'm running this on CentOS 7, not that it
>> matters at this point.
>>
>> Looks like everything is working now.  I'll try integrating it with Courier
>> tomorrow.  If I just want to reject any email that is flagged by ClamAV, I shouldn't
>> need to adjust the default config, right?
>
> Correct, reject is the default.  You probably need to set "database" to the same directory you configured as "DatabaseDirectory" in freshclam.conf.  Also, recall that clamd.conf is not read; please see avfilter.conf(5) if you need to set clamav options.

The database option defaulted to the right location, so I didn't need to adjust
that.  I did need to go through the other clam options and adjust them to match what
I was using with clamd.  Oddly, the defaults in clamd aren't quite the same as the
defaults in clamscan.  Annoyingly, the option names aren't quite the same either...

Everything is working now.  I have avfilter installed and running on Courier with
pythonfilter now just doing the rate limiting.  The only problem I have found is that
since my databases take so long to load, avfilter_sig times out when reloading the
virus definitions.  Is there a way to increase the timeout for avfilter_sig?

-- 
Bowie
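
The test-database build discussed in this message, written out as an added shell example (it is not code from the thread, from avfilter or from ClamAV). It takes the output of `sigtool -f`, keeps only the official `Eicar-Test-Signature` entry in ndb format, drops the third-party and logical-signature hits and the copies found in more than one database file, and then extracts the distinct names from a folded `ClamAV-Found:` header of the kind shown above. Assumptions: whether `sigtool -f` prefixes each hit with the database file name varies by version, so such a prefix is stripped if present; the sample sigtool lines and the sample mail headers are constructed for this example (the SecuriteInfo and `.ldb` lines are illustrative shapes, not copied from any real database).

```shell
#!/bin/sh
# Added example, not code from the thread, avfilter or ClamAV: build a
# one-signature test.ndb from `sigtool -f` output and read the ClamAV-Found
# header of the test mail.

# Hex of the EICAR test string, as it appears in the official ndb signature.
EICAR_HEX=58354f2150254041505b345c505a58353428505e2937434329377d2445494341522d5354414e444152442d414e544956495255532d544553542d46494c452124482b482a

# Constructed stand-in for `sigtool -f Eicar-Test-Signature` on a system with
# third-party signatures: the unanchored regex matches the SecuriteInfo name as
# a substring, the same official entry is found in daily.ndb and daily.ndu, and
# the daily.ldb hit uses the logical-signature format, which does not belong in
# an .ndb file.  The "[dbfile] " prefix is an assumption about sigtool output.
SAMPLE_SIGTOOL_OUTPUT="[daily.ndb] Eicar-Test-Signature:0:*:$EICAR_HEX
[daily.ndu] Eicar-Test-Signature:0:*:$EICAR_HEX
[securiteinfo.ndb] SecuriteInfo.com.Eicar-Test-Signature:0:*:$EICAR_HEX
[daily.ldb] Eicar-Test-Signature;Engine:51-255,Target:0;0;$EICAR_HEX"

# Strip an optional "[dbfile] " prefix, then keep only ndb-format lines whose
# first field is exactly the official name and whose second field is a numeric
# target type; emit each name once, so the result is a valid one-entry .ndb no
# matter how many database files sigtool walked.
select_official_ndb() {
    sed 's/^\[[^]]*\] //' |
    awk -F: '$1 == "Eicar-Test-Signature" && $2 ~ /^[0-9]+$/ && !seen[$1]++'
}

# Constructed copy of the headers on the test mail; the folded ClamAV-Found
# header repeats the same name, as reported in the thread.
SAMPLE_MAIL='From: test@example.com
Subject: eicar
ClamAV-Found: Eicar-Test-Signature.UNOFFICIAL Eicar-Test-Signature.UNOFFICIAL
  Eicar-Test-Signature.UNOFFICIAL
X-Other: x

body'

# Print each distinct name from the (possibly folded) ClamAV-Found header of
# the mail passed as $1: take the header block, join continuation lines onto
# their header, match the header name case-insensitively, split on spaces and
# drop repeats.
found_names() {
    printf '%s\n' "$1" |
    sed -n -e '/^$/q' -e p |
    sed -e :a -e '$!N; s/\n[[:blank:]][[:blank:]]*/ /; ta' -e 'P; D' |
    grep -i '^ClamAV-Found:' |
    sed 's/^[^:]*: *//' |
    tr ' ' '\n' |
    grep -v '^$' |
    awk '!seen[$0]++'
}

# Stand-alone run: the one-line test.ndb, then the distinct names in the header.
# Against a live system the first command becomes
#   sigtool -f '^Eicar-Test-Signature' | select_official_ndb > test.ndb
printf '%s\n' "$SAMPLE_SIGTOOL_OUTPUT" | select_official_ndb
found_names "$SAMPLE_MAIL"
```

The anchored regex already removes the SecuriteInfo names; the awk filter is what removes the second copy of the official entry and the `.ldb` line, which `grep -m 1 .` only does by accident when the ndb hit happens to come first.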

