Closed: clamav issue (closed 9 months ago)
Sorry for the delay. I thought I had replied, but I forgot to press the "Comment" button.
I'm not sure how Alpine builds their clamav package. We do not maintain it; that's a third-party package. I was able to confirm the same results as what you found: the Alpine clamav package did not extract RAR archives even though it appears to have the libclamunrar module installed. I am unsure why it didn't work.
We provide an x86_64 alpine-based clamav docker image: https://hub.docker.com/r/clamav/clamav/tags. I tested with this and it correctly extracts RAR archives.
We are also working on providing a multi-arch (amd64, arm64, and ppc64le) debian-slim based image, if you're interested. But it is not quite ready yet.
Hi,
Thanks for the reply. I have tried pulling the latest image provided on the above site, which is built for clamav.
Can you please provide the steps for how you created the alpine image with clamav? I will check them against our steps, just to understand the difference. The only difference I observed is the Alpine Linux version, which is 3.18 for us, and I use the command "RUN apk add clamav freshclam --repository=https://dl-cdn.alpinelinux.org/alpine/edge/community" to install clamav on the alpine image.
Thanks, Dipti
Our docker image is built using these files: https://github.com/Cisco-Talos/clamav-docker/tree/main/clamav/1.2/alpine
We do not use Alpine's clamav packages. We build clamav from source for our docker image.
Can we build an image using these files to use in our system? If yes, can you suggest the steps for how I can build the image for our usage?
We have added an additional command to install libunrar before installing clamav and freshclam, and it worked. It is now giving a heuristics signature and infected status for the encrypted rar file scan. You can close this issue.
Apologies for the delay writing back. We've been on holiday break.
Can we build an image using these files to use in our system? If yes, can you suggest the steps for how I can build the image for our usage?
Yes, if you wish to build the image yourself instead of using our pre-built images or the Alpine packages, you can copy the Dockerfile and scripts from https://github.com/Cisco-Talos/clamav-docker/tree/main/clamav/1.2/alpine into the clamav source code directory, using either the clamav .tar.gz from https://www.clamav.net/downloads or else a git clone from https://github.com/Cisco-Talos/clamav. Then run docker build commands as needed.
Or, if you want to use our images, we have some documentation to help you get started here: https://docs.clamav.net/manual/Installing/Docker.html
We have added an additional command to install libunrar before installing clamav and freshclam, and it worked. It is now giving a heuristics signature and infected status for the encrypted rar file scan. You can close this issue.
I am glad to hear you got it working with the alpine packages by using the additional command.
Describe the bug
We are testing with clamav 1.2.1 installed on an alpine image and on an ubuntu docker image. After installation we have the same configuration in the clamd.conf file. We tried to scan an encrypted Readme.rar file; it gives conflicting results on the two.
On the Alpine image it gives a clean scan status for Readme.rar, whereas on the ubuntu docker image it gives a heuristics signature saying the file is infected.
For alpine, the output is below:
/ # clamdscan Readme.rar
//Readme.rar: OK

----------- SCAN SUMMARY -----------
Infected files: 0
Time: 0.022 sec (0 m 0 s)
Start Date: 2023:11:29 10:41:32
End Date:   2023:11:29 10:41:32
/ # clamd --v
ClamAV 1.2.1/27108/Wed Nov 29 08:40:15 2023
/ # ps -ef|grep clamd
   87 clamav    0:32 clamd -c /etc/clamav/clamd.conf
   94 root      0:00 grep clamd
/ # clamconf -n
Checking configuration files in /etc/clamav

Config file: clamd.conf
LogFile = "/var/log/clamav/clamd.log"
LogTime = "yes"
PidFile = "/run/clamav/clamd.pid"
LocalSocket = "/tmp/clamd.sock"
LocalSocketMode = "660"
TCPSocket = "3310"
TCPAddr = "localhost"
User = "clamav"
AlertEncrypted = "yes"
AlertEncryptedArchive = "yes"
AlertEncryptedDoc = "yes"

Config file: freshclam.conf
PidFile = "/run/clamav/freshclam.pid"
DatabaseMirror = "database.clamav.net"

clamav-milter.conf not found

Software settings
Version: 1.2.1
Optional features supported: MEMPOOL AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 ICONV JSON

Database information
Database directory: /var/lib/clamav
bytecode.cvd: version 334, sigs: 91, built on Wed Feb 22 21:33:21 2023
daily.cld: version 27108, sigs: 2047993, built on Wed Nov 29 08:40:15 2023
main.cvd: version 62, sigs: 6647427, built on Thu Sep 16 12:32:42 2021
Total number of signatures: 8695511

Platform information
uname: Linux 5.15.133.1-microsoft-standard-WSL2 #1 SMP Thu Oct 5 21:02:42 UTC 2023 x86_64
OS: Linux, ARCH: x86_64, CPU: x86_64
WARNING: zlib version mismatch: 1.3 (1.2.13)
zlib version: 1.3 (1.2.13), compile flags: a9
platform id: 0x0a21bfbf08000000000d0201

Build information
GNU C: 13.2.1 20231014 (13.2.1)
sizeof(void*) = 8
Engine flevel: 191, dconf: 191
/ #
For the docker ubuntu image it gives the below:
root@09aa388aca06:/home# clamdscan Readme.rar
/home/Readme.rar: Heuristics.Encrypted.RAR FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.009 sec (0 m 0 s)
Start Date: 2023:11:24 13:14:45
End Date:   2023:11:24 13:14:45
root@09aa388aca06:/home# clamd --v
ClamAV 1.2.1/27103/Fri Nov 24 08:40:22 2023
root@09aa388aca06:/# clamconf -n
Checking configuration files in /usr/local/etc

Config file: clamd.conf
PidFile = "/run/clamav/clamd.pid"
DatabaseDirectory = "/var/lib/clamav"
LocalSocket = "/tmp/clamd.sock"
LocalSocketMode = "660"
TCPSocket = "3310"
TCPAddr = "localhost"
User = "clamav"
AlertEncrypted = "yes"
AlertEncryptedArchive = "yes"
AlertEncryptedDoc = "yes"

Config file: freshclam.conf
LogFileMaxSize = "2097152"
DatabaseDirectory = "/var/lib/clamav"
UpdateLogFile = "/var/log/freshclam.log"
DatabaseMirror = "database.clamav.net"

clamav-milter.conf not found

Software settings
Version: 1.2.1
Optional features supported: MEMPOOL AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 ICONV JSON RAR

Database information
Database directory: /var/lib/clamav
daily.cld: version 27105, sigs: 2047822, built on Sun Nov 26 08:39:29 2023
bytecode.cvd: version 334, sigs: 91, built on Wed Feb 22 21:33:21 2023
main.cvd: version 62, sigs: 6647427, built on Thu Sep 16 12:32:42 2021
Total number of signatures: 8695340

Platform information
uname: Linux 5.15.133.1-microsoft-standard-WSL2 #1 SMP Thu Oct 5 21:02:42 UTC 2023 x86_64
OS: Linux, ARCH: x86_64, CPU: x86_64
zlib version: 1.3 (1.3), compile flags: a9
platform id: 0x0a21bfbf0800000000070500

Build information
GNU C: 7.5.0 (7.5.0)
sizeof(void*) = 8
Engine flevel: 191, dconf: 191
How to reproduce the problem
1. Create an ubuntu docker image with the docker pull command and then copy the clamav 1.2.1 debian installable file (clamav-1.2.1.linux.x86_64.deb) onto it.
2. Install the .deb with the command: sudo dpkg -i clamav-1.2.1.linux.x86_64.deb
3. After this I ran freshclam and then started the clamd service.
4. Using the command clamdscan Readme.rar, I scanned the encrypted rar file.
5. This file is a password-protected .rar file and was copied from a windows machine to the docker image.
6. For clamdscan it gives the output shown above:
   root@09aa388aca06:/home# clamdscan Readme.rar
   /home/Readme.rar: Heuristics.Encrypted.RAR FOUND

   ----------- SCAN SUMMARY -----------
   Infected files: 1
   Time: 0.009 sec (0 m 0 s)
   Start Date: 2023:11:24 13:14:45
   End Date:   2023:11:24 13:14:45
   which is the same as we get on the windows installation of the same version of clamav.
7. Now in our service we are using an alpine image and pulling clamav and freshclam from the alpine packages.
   ----------- SCAN SUMMARY -----------
   Infected files: 0
   Time: 0.022 sec (0 m 0 s)
   Start Date: 2023:11:29 10:41:32
   End Date:   2023:11:29 10:41:32
This is the conflicting behavior we are observing on the different linux images. As we are using the alpine image in our service, we need a fix for this case.
Please let me know if you need more info for this.
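As an added example (not from this issue or from the ClamAV project), a small POSIX shell pre-flight check that reads `clamconf -n` output like the two dumps above and tells whether a clamd build can report an encrypted RAR at all: RAR must appear in the "Optional features supported" line (the compiled-in libclamunrar module, which the Alpine build lacks) and AlertEncryptedArchive must be "yes" in clamd.conf. The two embedded samples are constructed to mirror the Alpine and Ubuntu outputs in the report, one setting per line as clamconf prints them.

```shell
#!/bin/sh
# Added example: pre-flight check that clamd can flag encrypted RAR archives.
# Input is the text printed by `clamconf -n` (compile-time features + effective config).

# Return 0 if the clamconf output lists RAR among the optional features.
has_rar_support() {
    printf '%s\n' "$1" | grep -E '^Optional features supported:' | grep -qw 'RAR'
}

# Return 0 if AlertEncryptedArchive is switched on in the clamd.conf section.
alert_encrypted_archive_enabled() {
    printf '%s\n' "$1" | grep -qE '^AlertEncryptedArchive = "yes"'
}

# Verdict: 0 only when an encrypted RAR would be reported (support built in AND
# alerting enabled); 1 = no RAR support, 2 = alerting disabled.
check_rar_alerting() {
    out="$1"
    if ! has_rar_support "$out"; then
        echo "FAIL: clamd built without RAR support (no libclamunrar); encrypted RARs scan as OK"
        return 1
    fi
    if ! alert_encrypted_archive_enabled "$out"; then
        echo "FAIL: AlertEncryptedArchive is not \"yes\"; encrypted RARs are not reported"
        return 2
    fi
    echo "OK: RAR support present and AlertEncryptedArchive enabled"
    return 0
}

# Constructed samples mirroring the Alpine (no RAR) and Ubuntu (RAR) dumps in the report.
ALPINE_SAMPLE='Config file: clamd.conf
AlertEncryptedArchive = "yes"
Software settings
Version: 1.2.1
Optional features supported: MEMPOOL AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 ICONV JSON'

UBUNTU_SAMPLE='Config file: clamd.conf
AlertEncryptedArchive = "yes"
Software settings
Version: 1.2.1
Optional features supported: MEMPOOL AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 ICONV JSON RAR'

check_rar_alerting "$ALPINE_SAMPLE"   # FAIL (return 1), as on the Alpine package
check_rar_alerting "$UBUNTU_SAMPLE"   # OK (return 0), as on the Ubuntu .deb
# Live use against a running install: check_rar_alerting "$(clamconf -n)"
```

Run it inside the container after installing the packages; a FAIL with return code 1 is the Alpine situation in this issue, where the scan returns OK because the archive is never opened rather than because it is clean.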