Open Gazoo opened 2 years ago
@rfxn I'm going to have some free time over the holidays and I'm willing to spend some time fixing some of these linux-malware-detect bugs. Maybe it would be a good time to get some of the contributors together and see if we can put out another release. A holiday bug hunt?
When the maldet daemon is running, the ClamAV daemon always thinks that signature databases have changed (according to the SelfCheck interval) and forces a reload of signatures (even though signatures haven't actually changed).
After looking at the maldet code, it looks like the problem is that the maldet monitor_cycle() function calls -> gensigs() -> clamav_linksigs(). This causes the rfxn.hdb, rfxn.ndb and rfxn.yara files to be constantly deleted and re-copied with every single monitor cycle. The ClamAV daemon detects the database file modification changes in /var/lib/clamav, which forces all signatures to be reloaded.
You can see that the file modification times change every minute on the rfxn database files in the /var/lib/clamav directory when the maldet monitoring daemon is running.
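One way to avoid the needless reloads described in this report is to rewrite a database file only when its content has actually changed, so unchanged files keep their modification time. The sketch below is an added example, not maldet's own code; the function names `sync_sig` and `sync_sigs` and the source-directory argument are hypothetical.

```shell
#!/bin/sh
# Added example (not maldet code): copy signature files into the ClamAV
# database directory only when their content differs, so an unchanged
# file keeps its mtime across monitor cycles.

# sync_sig SRC DST_DIR  (hypothetical helper)
# Returns 0 if the destination was written, 1 if already identical, 2 on error.
sync_sig() {
    src=$1
    dst_dir=$2
    dst="$dst_dir/$(basename "$src")"

    [ -f "$src" ] || return 2

    # cmp -s exits 0 only when both files are byte-identical.
    if [ -f "$dst" ] && cmp -s "$src" "$dst"; then
        return 1
    fi

    # Write to a temp file in the same directory, then rename it into
    # place, so a reader never sees a half-written database.
    tmp=$(mktemp "$dst_dir/.sigsync.XXXXXX") || return 2
    if cp "$src" "$tmp" && chmod 644 "$tmp" && mv -f "$tmp" "$dst"; then
        return 0
    fi
    rm -f "$tmp"
    return 2
}

# sync_sigs SRC_DIR DST_DIR  (hypothetical helper)
# Syncs the three rfxn databases named in the report and prints how many
# files were rewritten; 0 means nothing in DST_DIR was touched.
sync_sigs() {
    changed=0
    for name in rfxn.hdb rfxn.ndb rfxn.yara; do
        if sync_sig "$1/$name" "$2"; then
            changed=$((changed + 1))
        fi
    done
    echo "$changed"
}
```

Called once per monitor cycle with `/var/lib/clamav` as the destination, this leaves the rfxn files untouched until a signature update changes their content.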