[clamav-users] How can we consume .ldb files in ClamAV Ubuntu?

Joel Esler (jesler) jesler at cisco.com
Tue Dec 15 00:15:47 UTC 2020


Also, we have shipped detection which detects the same things Fireeye was detecting and much more, also rewritten to be more efficient in the official ruleset. 

Sent from my iPhone

> On Dec 14, 2020, at 18:54, G.W. Haywood via clamav-users <clamav-users at lists.clamav.net> wrote:
> 
> Hi there,
> 
>> On Mon, 14 Dec 2020, Sandeep Talla wrote:
>> 
>> ... *fireeye.ldb* file under the directory /var/lib/clamav/ ...
>> ... Clamscam is not picking up the *fireeye.ldb* file when
> 
> Clamscam.  I like that. :)
> 
>> we verify the Freshclam.log and clamav.log files.
> 
> Freshclam will not update the Fireeye data unless it is both available
> from a mirror which freshclam can recognize and the mirror location is
> given in freshclam.conf using the 'DatabaseCustomURL' option.  See the
> man page for freshclam.conf for more information.  Freshclam will not
> mention the file in its logs unless it updates it.  But freshclam only
> updates the files, it does not affect whether or not clamd loads them,
> and it has no effect on clamscan at all.
> 
> I do not know what the 'clamav.log' file contains, perhaps it is only
> found in Ubuntu systems.
> 
> When clamd has reloaded its databases you will see that it writes in
> its log the number of signatures which it has loaded.  It's quite a
> large number, of the order of ten million, but you should see that
> after you have the Fireeye data in the correct location and clamd has
> reloaded the data, there are 23 more signatures than the last time
> clamd loaded the data.  Below is an extract from my clamd server log.
> I downloaded the file from the URL you gave, dropped it in the clamd
> database directory, and issued a RELOAD command using telnet.  As you
> can see, there are 23 more signatures after the reload.
> 
> pi4b530214:/var/log/clamav# >>> grep -i reload clamd.2.log | tail -n 3
> Mon Dec 14 22:42:18 2020 -> Database correctly reloaded (11352914 signatures)
> Mon Dec 14 23:12:35 2020 -> got command RELOAD (7, 2), argument:
> Mon Dec 14 23:13:39 2020 -> Database correctly reloaded (11352937 signatures)
> 
> What is the size of your fireeye.ldb file?  Have you checked it with a
> pager to make sure that it looks OK?  It should be 26 lines of text.
> Some of them are very long.
> 
>> Are there any configuration settings that need to add for *clamd.conf* or
>> *freshclam.conf* in order to pick up the fireeye.ldb file during clamscan?
> 
> Freshclam.conf is irrelevant.  Do you have in clamd.conf the option
> 
> --official-db-only
> 
> set to 'yes'?  See the clamd man page for more information.
> 
> If you run
> 
> clamscan --debug some_test_file
> 
> and pipe the output to a pager or through grep or something you see
> listed in the (long) output all the databases which clamscan loads:
> 
> ged at pi4b530214:~ $ clamscan --debug phish-test 2>&1 | grep loaded
> LibClamAV debug: unrar support loaded from libclamunrar_iface.so.9
> LibClamAV debug: daily.info loaded
> LibClamAV debug: daily.cfg loaded
> ...
> ...
> LibClamAV debug: /EXPORTS/clamav/databases/all-clam.ldb loaded
> ...
> ...
> 
> HTH
> 
> -- 
> 
> 73,
> Ged.
> 
> _______________________________________________
> 
> clamav-users mailing list
> clamav-users at lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
> 
> 
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
> 
> http://www.clamav.net/contact.html#ml
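Added example, not from either poster and not ClamAV's own code: a small Python script that automates the three checks Ged describes above, working offline on text you already have. It (1) parses a custom .ldb file and counts the signatures it should contribute, using the documented logical-signature layout `Name;TargetDescription;LogicalExpression;Subsig0;Subsig1;...` and the assumption that lines beginning with `#` are comments, (2) pulls the "Database correctly reloaded (N signatures)" counts out of clamd's log and computes the delta between the last two reloads, and (3) lists the databases that `clamscan --debug` reports as loaded. All sample inputs (the .ldb lines, log lines and debug lines) are constructed for the example; the signature names and the counts are made up.

```python
import re
from typing import Dict, List, Optional, Tuple

# Matches clamd's "Database correctly reloaded (N signatures)" log lines.
RELOAD_RE = re.compile(
    r"^(?P<ts>.+?) -> Database correctly reloaded \((?P<n>\d+) signatures\)\s*$", re.M
)
# Matches the "<db> loaded" lines printed by `clamscan --debug`.
LOADED_RE = re.compile(r"^LibClamAV debug: (?P<db>\S+) loaded\s*$", re.M)
# Subsig indices in a logical expression: numbers NOT preceded by = < > or ,
# (those are match counts, e.g. "0=2" means subsig 0 matched twice).
INDEX_RE = re.compile(r"(?<![=<>,])\b(\d+)\b")

# Constructed sample .ldb: four well-formed logical signatures plus a comment.
SAMPLE_LDB = """\
# constructed sample, four logical signatures
Example.Test.Alpha-1;Engine:51-255,Target:0;0&1;68656c6c6f;776f726c64
Example.Test.Beta-1;Target:7;0;504b0304
Example.Test.Gamma-1;Engine:51-255,Target:0;0|1;41414141;42424242
Example.Test.Delta-1;Target:0;0=2;deadbeef
"""

# Constructed sample with two defects: a line with too few fields, and an
# expression that references subsig 1 when only subsig 0 exists.
SAMPLE_BAD_LDB = """\
Broken.Test.Short-1;Target:0;0
Broken.Test.Index-1;Target:0;0&1;aabb
Example.Test.Ok-1;Target:0;0;cafe
"""

# Constructed clamd log extract: two reloads, four more signatures afterwards.
SAMPLE_CLAMD_LOG = """\
Mon Dec 14 22:42:18 2020 -> Database correctly reloaded (11352914 signatures)
Mon Dec 14 23:12:35 2020 -> got command RELOAD (7, 2), argument:
Mon Dec 14 23:13:39 2020 -> Database correctly reloaded (11352918 signatures)
"""

# Constructed `clamscan --debug ... 2>&1 | grep loaded` extract.
SAMPLE_DEBUG = """\
LibClamAV debug: daily.info loaded
LibClamAV debug: daily.cfg loaded
LibClamAV debug: /var/lib/clamav/fireeye.ldb loaded
"""


def parse_ldb(text: str) -> Tuple[List[Dict[str, object]], List[str]]:
    """Return (signatures that look loadable, problems found).

    Blank lines and '#' comment lines are skipped.  A line is rejected when it
    has fewer than four ';' fields, an empty subsignature, or a logical
    expression that refers to a subsig index the line does not define.
    """
    sigs: List[Dict[str, object]] = []
    problems: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(";")
        if len(fields) < 4:
            problems.append(f"line {lineno}: expected >= 4 fields, got {len(fields)}")
            continue
        name, target, expr, subsigs = fields[0], fields[1], fields[2], fields[3:]
        if any(not s for s in subsigs):
            problems.append(f"line {lineno}: empty subsignature in {name}")
            continue
        refs = {int(m) for m in INDEX_RE.findall(expr)}
        missing = sorted(i for i in refs if i >= len(subsigs))
        if missing:
            problems.append(f"line {lineno}: {name} references undefined subsig(s) {missing}")
            continue
        sigs.append({"name": name, "target": target, "expr": expr, "subsigs": subsigs})
    return sigs, problems


def reload_counts(log_text: str) -> List[Tuple[str, int]]:
    """All (timestamp, signature count) pairs clamd logged on reload."""
    return [(m.group("ts"), int(m.group("n"))) for m in RELOAD_RE.finditer(log_text)]


def signature_delta(log_text: str) -> Optional[int]:
    """Change in loaded signatures between the last two reloads, or None."""
    counts = reload_counts(log_text)
    if len(counts) < 2:
        return None
    return counts[-1][1] - counts[-2][1]


def reload_delta_matches(log_text: str, ldb_text: str) -> bool:
    """True when clamd's reload delta equals the .ldb's loadable signature count."""
    sigs, _ = parse_ldb(ldb_text)
    return signature_delta(log_text) == len(sigs)


def loaded_databases(debug_text: str) -> List[str]:
    """Database names/paths that `clamscan --debug` reported as loaded."""
    return LOADED_RE.findall(debug_text)


if __name__ == "__main__":
    sigs, problems = parse_ldb(SAMPLE_LDB)
    print(f"{len(sigs)} loadable signatures, {len(problems)} problems")
    print("reload delta:", signature_delta(SAMPLE_CLAMD_LOG))
    print("custom db loaded by clamscan:",
          any(db.endswith("fireeye.ldb") for db in loaded_databases(SAMPLE_DEBUG)))
```

To use it on a real system, read `/var/lib/clamav/fireeye.ldb` and the clamd log (the path depends on the distribution's clamd.conf) into the three functions instead of the constructed samples. Note that the reload delta only tells you clamd loaded the file; for clamscan, which reads the database directory itself on every run, the `--debug` listing is the check that applies.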