ajilach / clamav-rest

ClamAV virus/malware scanner with REST API
https://hub.docker.com/r/ajilaag/clamav-rest
MIT License

Fix configuration settings so that clamd is notified about the antivirus database update #56

Closed christianbumann closed 2 weeks ago

christianbumann commented 1 month ago

Starting an older version of the container with docker compose

version: '3.8'

services:
  clamav-rest:
    image: ajilaag/clamav-rest:20241005
    container_name: clamav-rest
    ports:
      - "9000:9000"
      - "9443:9443"
    environment:
      - SIGNATURE_CHECKS=50

It shows that the database was updated

2024-10-07 13:42:20 Starting clamav rest bridge
2024-10-07 13:42:20 Connecting to clamd on tcp://localhost:3310
2024-10-07 13:42:20 clamD not running, waiting times [1]
2024-10-07 13:42:20 ClamAV update process started at Mon Oct  7 13:42:20 2024
2024-10-07 13:42:20 daily database available for update (local version: 27417, remote version: 27420)
2024-10-07 13:42:22 Testing database: '/clamav/data/tmp.bceba0a902/clamav-19e1647c51a6d6f7cd03120eb58963c1.tmp-daily.cld' ...
2024-10-07 13:42:24 clamD not running, waiting times [2]
2024-10-07 13:42:28 clamD not running, waiting times [3]
2024-10-07 13:42:32 clamD not running, waiting times [4]
2024-10-07 13:42:36 clamD not running, waiting times [5]
2024-10-07 13:42:39 Database test passed.
2024-10-07 13:42:39 daily.cld updated (version: 27420, sigs: 2067197, f-level: 90, builder: raynman)
2024-10-07 13:42:40 main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
2024-10-07 13:42:40 bytecode.cvd database is up-to-date (version: 335, sigs: 86, f-level: 90, builder: raynman)
2024-10-07 13:42:40 WARNING: Clamd was NOT notified: Can't connect to clamd through /run/clamav/clamd.sock: No such file or directory
2024-10-07 13:42:40 clamD not running, waiting times [6]
2024-10-07 13:42:44 clamD not running, waiting times [7]
2024-10-07 13:42:48 clamD not running, waiting times [8]
2024-10-07 13:42:52 clamD not running, waiting times [9]
2024-10-07 13:42:56 clamD not running, waiting times [10]
2024-10-07 13:43:00 clamD not running, waiting times [11]
2024-10-07 13:43:04 clamD not running, waiting times [12]
2024-10-07 13:43:08 clamD not running, waiting times [13]
2024-10-07 13:43:08 Mon Oct  7 13:43:08 2024 -> Limits: Global time limit set to 120000 milliseconds.
2024-10-07 13:43:08 Mon Oct  7 13:43:08 2024 -> Limits: Global size limit set to 104857600 bytes.
2024-10-07 13:43:08 Mon Oct  7 13:43:08 2024 -> Limits: File size limit set to 26214400 bytes.
2024-10-07 13:43:08 Mon Oct  7 13:43:08 2024 -> Limits: Recursion level limit set to 18.
2024-10-07 13:43:08 Mon Oct  7 13:43:08 2024 -> Limits: Files limit set to 10000.
2024-10-07 13:43:08 Mon Oct  7 13:43:08 2024 -> Limits: MaxEmbeddedPE limit set to 10485760 bytes.
2024-10-07 13:43:08 Mon Oct  7 13:43:08 2024 -> Limits: MaxHTMLNormalize limit set to 10485760 bytes.
2024-10-07 13:43:08 Mon Oct  7 13:43:08 2024 -> Limits: MaxHTMLNoTags limit set to 2097152 bytes.
2024-10-07 13:43:08 Mon Oct  7 13:43:08 2024 -> Limits: MaxScriptNormalize limit set to 5242880 bytes.
2024-10-07 13:43:08 Mon Oct  7 13:43:08 2024 -> Limits: MaxZipTypeRcg limit set to 1048576 bytes.
2024-10-07 13:43:08 Mon Oct  7 13:43:08 2024 -> Limits: MaxPartitions limit set to 50.
2024-10-07 13:43:08 Mon Oct  7 13:43:08 2024 -> Limits: MaxIconsPE limit set to 100.
2024-10-07 13:43:08 Mon Oct  7 13:43:08 2024 -> Limits: MaxRecHWP3 limit set to 16.
2024-10-07 13:43:08 Mon Oct  7 13:43:08 2024 -> Limits: PCREMatchLimit limit set to 100000.
2024-10-07 13:43:08 Mon Oct  7 13:43:08 2024 -> Limits: PCRERecMatchLimit limit set to 2000.
2024-10-07 13:43:08 Mon Oct  7 13:43:08 2024 -> Limits: PCREMaxFileSize limit set to 104857600.
2024-10-07 13:43:08 Mon Oct  7 13:43:08 2024 -> Archive support enabled.
2024-10-07 13:43:08 Mon Oct  7 13:43:08 2024 -> AlertExceedsMax heuristic detection disabled.
2024-10-07 13:43:08 Mon Oct  7 13:43:08 2024 -> Heuristic alerts enabled.
2024-10-07 13:43:08 Mon Oct  7 13:43:08 2024 -> Portable Executable support enabled.
2024-10-07 13:43:08 Mon Oct  7 13:43:08 2024 -> ELF support enabled.
2024-10-07 13:43:08 Mon Oct  7 13:43:08 2024 -> Mail files support enabled.
2024-10-07 13:43:08 Mon Oct  7 13:43:08 2024 -> OLE2 support enabled.
2024-10-07 13:43:08 Mon Oct  7 13:43:08 2024 -> PDF support enabled.
2024-10-07 13:43:08 Mon Oct  7 13:43:08 2024 -> SWF support enabled.
2024-10-07 13:43:08 Mon Oct  7 13:43:08 2024 -> HTML support enabled.
2024-10-07 13:43:08 Mon Oct  7 13:43:08 2024 -> XMLDOCS support enabled.
2024-10-07 13:43:08 Mon Oct  7 13:43:08 2024 -> HWP3 support enabled.
2024-10-07 13:43:08 Mon Oct  7 13:43:08 2024 -> Self checking every 600 seconds.
2024-10-07 13:43:08 Mon Oct  7 13:43:08 2024 -> Set stacksize to 1048576
2024-10-07 13:43:12 Clamd version: "ClamAV 1.2.2/27417/Fri Oct  4 10:53:24 2024"
2024-10-07 13:43:12 Connected to clamd on tcp://localhost:3310
2024-10-07 13:53:12 Mon Oct  7 13:53:12 2024 -> SelfCheck: Database status OK.
2024-10-07 14:03:12 Mon Oct  7 14:03:12 2024 -> SelfCheck: Database status OK.
2024-10-07 14:11:28 Received signal: wake up
2024-10-07 14:11:28 ClamAV update process started at Mon Oct  7 14:11:28 2024
2024-10-07 14:11:28 daily.cld database is up-to-date (version: 27420, sigs: 2067197, f-level: 90, builder: raynman)
2024-10-07 14:11:28 main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
2024-10-07 14:11:28 bytecode.cvd database is up-to-date (version: 335, sigs: 86, f-level: 90, builder: raynman)
2024-10-07 14:13:12 Mon Oct  7 14:13:12 2024 -> SelfCheck: Database status OK.
2024-10-07 14:23:12 Mon Oct  7 14:23:12 2024 -> SelfCheck: Database status OK.
2024-10-07 14:33:12 Mon Oct  7 14:33:12 2024 -> SelfCheck: Database status OK.

but getting the version still shows me the old one

{
    "Clamav": "1.2.2",
    "Signature": "27417",
    "Signature_date": "Fri Oct  4 10:53:24 2024"
}
/ $ clamscan --version
ClamAV 1.2.2/27417/Fri Oct  4 10:53:24 2024
christianbumann commented 1 month ago

Calling freshclam from the console finally updates the database, but imho this should happen automatically

ClamAV update process started at Mon Oct  7 15:40:39 2024
daily database available for update (local version: 27417, remote version: 27420)
Current database is 3 versions behind.
Downloading database patch # 27418...
Time:    0.1s, ETA:    0.0s [========================>]    1.23KiB/1.23KiB
Downloading database patch # 27419...
Time:    0.1s, ETA:    0.0s [========================>]       778B/778B
Downloading database patch # 27420...
Time:    0.1s, ETA:    0.0s [========================>]       781B/781B
Testing database: '/var/lib/clamav/tmp.bf45a06fa6/clamav-2b9033e0eee33baf5d44e893ce40d0a0.tmp-daily.cld' ...
Database test passed.
daily.cld updated (version: 27420, sigs: 2067197, f-level: 90, builder: raynman)
main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
bytecode.cvd database is up-to-date (version: 335, sigs: 86, f-level: 90, builder: raynman)
Clamd successfully notified about the update.
{
    "Clamav": "1.2.2",
    "Signature": "27420",
    "Signature_date": "Mon Oct  7 10:43:46 2024"
}
/ $ clamscan --version
ClamAV 1.2.2/27420/Mon Oct  7 10:43:46 2024

This then reloads the database

2024-10-07 15:40:59 Mon Oct  7 15:40:59 2024 -> Reading databases from /clamav/data
2024-10-07 15:41:46 Mon Oct  7 15:41:46 2024 -> Database correctly reloaded (8698995 signatures)
2024-10-07 15:41:46 Mon Oct  7 15:41:46 2024 -> Activating the newly loaded database...
christianbumann commented 1 month ago

After starting the container, freshclam uses the /clamav/data folder, but the override for clamd at https://github.com/ajilach/clamav-rest/blob/1033790c7e98b5145ace45ec5d11e9bbeaa6c57d/entrypoint.sh#L33 is not working. Is this because the setting is commented out in /clamav/etc/clamd.conf?

/ $ cd /clamav/data
/clamav/data $ ls -l
total 365984
-rw-r--r--    1 clamav   clamav      289733 Oct  8 09:06 bytecode.cvd
-rw-r--r--    1 clamav   clamav   203986432 Oct  8 09:06 daily.cld
-rw-r--r--    1 clamav   clamav          69 Oct  8 09:06 freshclam.dat
-rw-r--r--    1 clamav   clamav   170479789 Oct  8 09:06 main.cvd
/clamav/data $ 
/clamav/data $ cd /var/lib/clamav
~ $ ls -l
total 365984
-rw-r--r--    1 clamav   clamav      289733 Oct  5 02:26 bytecode.cvd
-rw-r--r--    1 clamav   clamav   203985408 Oct  5 02:26 daily.cld
-rw-r--r--    1 clamav   clamav          69 Oct  5 02:26 freshclam.dat
-rw-r--r--    1 clamav   clamav   170479789 Oct  5 02:26 main.cvd
~ $

After calling freshclam:

~ $ freshclam
ClamAV update process started at Tue Oct  8 09:10:54 2024
daily database available for update (local version: 27417, remote version: 27420)
Current database is 3 versions behind.
Downloading database patch # 27418...
Time:    0.1s, ETA:    0.0s [========================>]    1.23KiB/1.23KiB
Downloading database patch # 27419...
Time:    0.1s, ETA:    0.0s [========================>]       778B/778B
Downloading database patch # 27420...
Time:    0.1s, ETA:    0.0s [========================>]       781B/781B
Testing database: '/var/lib/clamav/tmp.8d8081df6f/clamav-f678a7fc88e9eeef179c2ac11b823615.tmp-daily.cld' ...
Database test passed.
daily.cld updated (version: 27420, sigs: 2067197, f-level: 90, builder: raynman)
main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
bytecode.cvd database is up-to-date (version: 335, sigs: 86, f-level: 90, builder: raynman)
Clamd successfully notified about the update.
~ $ cd /clamav/data
/clamav/data $ ls -l
total 365984
-rw-r--r--    1 clamav   clamav      289733 Oct  8 09:06 bytecode.cvd
-rw-r--r--    1 clamav   clamav   203986432 Oct  8 09:06 daily.cld
-rw-r--r--    1 clamav   clamav          69 Oct  8 09:06 freshclam.dat
-rw-r--r--    1 clamav   clamav   170479789 Oct  8 09:06 main.cvd
/clamav/data $ 
/clamav/data $ cd /var/lib/clamav
~ $ ls -l
total 365988
-rw-r--r--    1 clamav   clamav      289733 Oct  5 02:26 bytecode.cvd
-rw-r--r--    1 clamav   clamav   203986432 Oct  8 09:10 daily.cld
-rw-r--r--    1 clamav   clamav          69 Oct  5 02:26 freshclam.dat
-rw-r--r--    1 clamav   clamav   170479789 Oct  5 02:26 main.cvd
~ $
christianbumann commented 1 month ago

@davosian Unfortunately updating still doesn't work, the path mapping from the previous version also worked. I am sure that updating was working on my local machine before creating the pull request. I have a guess why it doesn't work and why it worked in my local tests. I'll check my assumption tomorrow as soon as new virus definitions are available. But anyway, imho it's more secure to set the value inside the config instead of using an argument during the service start :-)

davosian commented 1 month ago

Hi @christianbumann, thanks for the heads-up. This is unfortunate, but I appreciate your effort to get this sorted out. While more secure, the approach is slightly less flexible. Given that we are dealing with an antivirus scanner, more secure is the better choice :)

davosian commented 1 month ago

Turns out the changes did not have the desired effect.

christianbumann commented 1 month ago

> Turns out the changes did not have the desired effect.

@davosian I think that I found the problem. I'll create a Pull Request tomorrow or Friday to fix it finally…

davosian commented 1 month ago

Sounds like a plan @christianbumann 🙌

christianbumann commented 1 month ago

https://linux.die.net/man/5/freshclam.conf

NotifyClamd

Notify a running clamd(8) to reload its database after a download has occurred. The path for clamd.conf file must be provided. Default: The default is to not notify clamd. See clamd.conf(5)'s option SelfCheck for how clamd(8) handles database updates in this case.

The value of NotifyClamd before this change was the old path /etc/clamav/clamd.conf
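A config consistency check for the situation described above, added here as an example and not part of the clamav-rest project: it reads NotifyClamd from a freshclam.conf, verifies that the named clamd.conf exists, and goes a step beyond the thread by also checking that both files agree on DatabaseDirectory and that clamd.conf declares a socket freshclam can reach. The function names `conf_value` and `check_notify` and all paths under the temporary demo directory are constructed for this demonstration.

```shell
# Added example, not code from the clamav-rest project: check that freshclam's
# NotifyClamd points at the clamd.conf clamd really uses, and that both agree
# on DatabaseDirectory, so a signature update is loaded without waiting for
# SelfCheck. All paths below are constructed for the demo.

# conf_value FILE KEY: print the value of the first uncommented KEY line.
# A leading '#' (the "setting is commented out" case) does not match.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}//p" "$1" | head -n 1
}

# check_notify FRESHCLAM_CONF: returns 0 if the notify path is consistent, else 1
check_notify() {
    fc="$1"
    clamd_conf=$(conf_value "$fc" NotifyClamd)
    if [ -z "$clamd_conf" ]; then
        echo "NotifyClamd unset or commented out in $fc: clamd only sees new signatures at its next SelfCheck"
        return 1
    fi
    if [ ! -r "$clamd_conf" ]; then
        echo "NotifyClamd points at $clamd_conf, which does not exist"
        return 1
    fi
    fc_db=$(conf_value "$fc" DatabaseDirectory)
    cd_db=$(conf_value "$clamd_conf" DatabaseDirectory)
    if [ "$fc_db" != "$cd_db" ]; then
        echo "DatabaseDirectory mismatch: freshclam writes '$fc_db', clamd reads '$cd_db'"
        return 1
    fi
    sock=$(conf_value "$clamd_conf" LocalSocket)
    tcp=$(conf_value "$clamd_conf" TCPSocket)
    if [ -z "$sock" ] && [ -z "$tcp" ]; then
        echo "$clamd_conf declares neither LocalSocket nor TCPSocket: freshclam cannot reach clamd"
        return 1
    fi
    echo "freshclam will notify clamd via $clamd_conf (${sock:-tcp:$tcp}, db $fc_db)"
    return 0
}

# Constructed demo: clamd.conf lives under a /clamav/etc-style path; one
# freshclam.conf still names the old /etc/clamav path, one has it commented out.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/clamav/etc"
printf 'DatabaseDirectory /clamav/data\nLocalSocket /run/clamav/clamd.sock\n' > "$DEMO/clamav/etc/clamd.conf"
printf 'NotifyClamd %s/etc/clamav/clamd.conf\nDatabaseDirectory /clamav/data\n' "$DEMO" > "$DEMO/freshclam_oldpath.conf"
printf '#NotifyClamd /etc/clamav/clamd.conf\nDatabaseDirectory /clamav/data\n' > "$DEMO/freshclam_commented.conf"
printf 'NotifyClamd %s/clamav/etc/clamd.conf\nDatabaseDirectory /clamav/data\n' "$DEMO" > "$DEMO/freshclam_fixed.conf"
check_notify "$DEMO/freshclam_oldpath.conf" || true     # old path: file missing
check_notify "$DEMO/freshclam_commented.conf" || true   # setting commented out
check_notify "$DEMO/freshclam_fixed.conf"               # consistent: exit 0
```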

christianbumann commented 1 month ago

> Hi @christianbumann, thanks for the heads-up. This is unfortunate, but I appreciate your effort to get this sorted out. While more secure, the approach is slightly less flexible. Given that we are dealing with an antivirus scanner, more secure is the better choice :)

@davosian Is there a good reason why some original directories are changed inside the entrypoint.sh?