[clamav-users] Restriction of downloads

G.W. Haywood clamav at jubileegroup.co.uk
Thu Mar 11 23:57:39 UTC 2021


Hi there,

On Thu, 11 Mar 2021, Harv Azad via clamav-users wrote:

> I’m a simple QNAP 509 (x2) user ...

Full disclosure: I know nothing about QNAP.

> I can see that there is some mention of Freshclam.  Happy to use
> this but could someone please clarify if this is something that sits
> on my qnap or on my pc?  Can I then use this to manually download
> the definition files to update my qnaps manually.

Freshclam is designed to update the ClamAV database using the minimum
of network resources.  Normally it is run as a 'daemon' (which means
it runs indefinitely) and periodically sends out DNS requests to find
out if the database needs updating.  DNS requests are very small and
quick to execute; if the reply to the request indicates that there is
no update needed, the daemon goes back to sleep until the next time
it's scheduled to wake up.  If an update is required, it requests the
'difference' files which it needs to update the existing, out-of-date
database to the up-to-date version.  The difference files tend to be
small too - very much smaller than the main and daily databases.  The
daemon then creates a new database from the old one and the difference
files, optionally tests the result, replaces the old database with the
new one and optionally signals the clamd scanning daemon to reload it.
Normally it then deletes the difference files but you can tell it to
keep them if you wish.  When freshclam (optionally) tests the database
which it has just updated, it will briefly use a lot of memory.

Freshclam can also be run from the command line to do one-off updates
instead of running as a daemon.  It starts and does those DNS checks;
if there's nothing to do it stops and never runs again until you tell
it to with another command; otherwise it updates in the same way and
then stops.

Most people run freshclam on a PC.  I've only ever run it under Linux
but I'm sure it can run under Windows too.  I've seen mention that it
runs on QNAP devices but I gather that some of these devices are very
short on memory, and as the minimum ClamAV database these days uses in
the region of 1 Gbyte of memory it can be difficult to use it directly
on devices with relatively small amounts of memory.

It's possible for the ClamAV scanner to scan devices other than the
computer on which the scanner is running.  It requires at least some
understanding of the use of network connections to do that.  You can
tell the device to be scanned to connect to a TCP port on the device
which will do the scanning and send the data to be scanned over this
connection.  On the scanning device you would run the clamd daemon,
which will be told to listen on a TCP port and scan anything it sees.
Because it loads the database entirely into memory, the clamd daemon
uses a lot of memory too.  Then it just waits for something to scan.
There's a utility called 'clamdscan' which can be run on the device to
be scanned.  This utility is relatively small and lightweight; it does
the job of taking data from the scanned device and passing it to the
clamd daemon on the scanning device over the TCP connection.  If your
QNAP device is short on memory I'd suggest that you look into putting
a copy of clamdscan on it, and running clamd on something which has
plenty of memory.  You should be aware that the clamd daemon will not
place any restrictions on anything connecting to its port, so if your
network is not implicitly trusted then you need to take precautions.

I hope this makes sense to you, please get back to us if you need to.

-- 

73,
Ged.
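
The remote-scanning arrangement described in the message above, sketched as a minimal client for clamd's INSTREAM command (an added example, not part of the original message and not ClamAV's own code). The address 192.0.2.10 and port 3310 are assumptions for a machine running clamd with a TCP listener. The exchange has no authentication step, which is why the listening port needs to be restricted by other means on a network that is not trusted.

```python
import socket
import struct

CHUNK = 8192  # bytes per chunk; clamd rejects streams larger than StreamMaxLength


def frame_instream(data: bytes, chunk: int = CHUNK) -> bytes:
    """Build the complete INSTREAM request for `data`."""
    out = [b"zINSTREAM\0"]  # 'z' prefix: command and reply are NUL-terminated
    for i in range(0, len(data), chunk):
        part = data[i:i + chunk]
        out.append(struct.pack("!I", len(part)) + part)  # 4-byte big-endian length
    out.append(struct.pack("!I", 0))  # zero-length chunk ends the stream
    return b"".join(out)


def parse_reply(raw: bytes):
    """Return ('OK', None), ('FOUND', signature) or ('ERROR', message)."""
    text = raw.rstrip(b"\0\n").decode("utf-8", "replace")
    body = text.split(": ", 1)[1] if text.startswith("stream: ") else text
    if body == "OK":
        return ("OK", None)
    if body.endswith(" FOUND"):
        return ("FOUND", body[:-len(" FOUND")])
    return ("ERROR", body)  # e.g. "INSTREAM size limit exceeded. ERROR"


def scan_bytes(sock: socket.socket, data: bytes):
    """Send `data` over an already connected socket and read clamd's verdict."""
    sock.sendall(frame_instream(data))
    reply = b""
    while not reply.endswith(b"\0"):
        part = sock.recv(4096)
        if not part:  # peer closed before finishing the reply
            break
        reply += part
    return parse_reply(reply)


if __name__ == "__main__":
    # Assumed address of the machine running clamd (TCPSocket 3310 in clamd.conf).
    with socket.create_connection(("192.0.2.10", 3310), timeout=30) as s:
        print(scan_bytes(s, b"constructed sample data, not a real file"))
```
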

