“Antivirus for files” - New rules not used by clamav-daemon

[Speed7811]

Steps to reproduce

1. Add new rule Match by: Scanner Ausgabe -> Match: /*Win.Test.EICAR_HDB-1* FOUND$/ -> Mark as: Ungeprüft
2. Save this rule
3. Upload EICAR Testfile

Expected behaviour

EICAR Testfile should be uploaded successfully

Actual behaviour

EICAR Testfile is blocked. If I restart the clamav daemon via “systemctl restart clamav-daemon” and upload the same EICAR Testfile the upload was successfully.

Server configuration

Operating system: Ubuntu 20.04.4

Web server: Apache 2.4.41

Database: Maria SQL Server 10.3.34

PHP version: 8.0.18

Nextcloud version: 23.0.4

Where did you install Nextcloud from: wget https://download.nextcloud.com/server/releases/latest.tar.bz2

List of activated apps: Enabled:

• accessibility: 1.9.0
• activity: 2.15.0
• bruteforcesettings: 2.4.0
• circles: 23.1.1
• cloud_federation_api: 1.6.0
• comments: 1.13.0
• contactsinteraction: 1.4.0
• dav: 1.21.0
• federatedfilesharing: 1.13.0
• federation: 1.13.0
• files: 1.18.0
• files_antivirus: 3.2.2
• files_external: 1.15.0
• files_pdfviewer: 2.4.0
• files_rightclick: 1.2.0
• files_sharing: 1.15.0
• files_trashbin: 1.13.0
• files_versions: 1.16.0
• files_videoplayer: 1.12.0
• firstrunwizard: 2.12.0
• group_default_quota: 0.1.4
• logreader: 2.8.0
• lookup_server_connector: 1.11.0
• nextcloud_announcements: 1.12.0
• notifications: 2.11.1
• oauth2: 1.11.0
• password_policy: 1.13.0
• previewgenerator: 4.0.0
• privacy: 1.7.0
• provisioning_api: 1.13.0
• ransomware_protection: 1.13.0
• serverinfo: 1.13.0
• settings: 1.5.0
• sharebymail: 1.13.0
• support: 1.6.0
• survey_client: 1.11.0
• systemtags: 1.13.0
• text: 3.4.1
• theming: 1.14.0
• twofactor_backupcodes: 1.12.0
• unsplash: 1.2.4
• updatenotification: 1.13.0
• user_ldap: 1.13.1
• user_status: 1.3.1
• viewer: 1.7.0
• weather_status: 1.3.0
• workflowengine: 2.5.0 Disabled:
• admin_audit
• dashboard: 7.3.0
• encryption
• groupquota: 0.1.8
• photos: 1.5.0
• recommendations: 1.2.0

Nextcloud configuration:

{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "cloud.REMOVED.de"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "23.0.4.1",
        "overwrite.cli.url": "https:\/\/cloud.REMOVED.de",
        "overwritehost": "cloud.REMOVED.de:8443",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "memcache.local": "\\OC\\Memcache\\APCu",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 0,
            "timeout": 0
        },
        "default_language": "de",
        "default_locale": "de_DE",
        "enable_previews": true,
        "preview_max_x": "1024",
        "preview_max_y": "1024",
        "preview_max_scale_factor": "1",
        "jpeg_quality": "60",
        "enabledPreviewProviders": [
            "OC\\Preview\\PNG",
            "OC\\Preview\\JPEG",
            "OC\\Preview\\GIF",
            "OC\\Preview\\BMP",
            "OC\\Preview\\XBitmap",
            "OC\\Preview\\Movie",
            "OC\\Preview\\PDF",
            "OC\\Preview\\MP3",
            "OC\\Preview\\TXT",
            "OC\\Preview\\MarkDown"
        ],
        "skeletondirectory": "",
        "logfile": "\/var\/log\/nextcloud\/nextcloud.log",
        "loglevel": 2,
        "logtimezone": "Europe\/Berlin",
        "log_rotate_size": 104857600,
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "smtp",
        "mail_sendmailmode": "smtp",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "25",
        "ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory",
        "default_phone_region": "DE",
        "maintenance": false,
        "trashbin_retention_obligation": "7, 7"
    }
}

Client configuration

Browser: Opera

Operating system: Windows 10 Pro 21H2

[Speed7811]

The issue is solved. When the service was restarted the first connect from the app to clamav daemon wasn't successful. That was the reason why I thought the rule was working. When the file was uploaded the second time the connection to the clamav daemon could be established and the scan was successful. No bug. Issue closed.