Re: [clamav-users] Disable official database
Hi there,

On Mon, 26 Aug 2019, Kris Deugau wrote:

> G.W. Haywood via clamav-users wrote:
>> 6. The same, using a database directory containing just an empty file:
>>
>> mail6:~/src/net/mail/clamav-0.101.4/test$ >>> ls -l /etc/mail/clamav/empty/
>> total 0
>> -rw-r--r-- 1 root root 0 Aug 25 10:25 empty.ign2
>
> This is consistent with my experience ...

Mails crossed :/

--

73,
Ged.

___
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] Disable official database
Hi there,

On Mon, 26 Aug 2019, Kris Deugau wrote:

> The only constant is that there must be at least one signature
> database, even if it's a trivial hash database with one signature
> that matches on an empty file.

AFAICT the signature database file doesn't even need to have any
signatures in it; it can just be an empty file. See my earlier post,
extract below:

8<--
6. The same, using a database directory containing just an empty file:

mail6:~/src/net/mail/clamav-0.101.4/test$ >>> ls -l /etc/mail/clamav/empty/
total 0
-rw-r--r-- 1 root root 0 Aug 25 10:25 empty.ign2
mail6:~/src/net/mail/clamav-0.101.4/test$ >>> /usr/local/bin/clamscan -d /etc/mail/clamav/empty clam.exe
clam.exe: OK

--- SCAN SUMMARY ---
Known viruses: 0
Engine version: 0.101.4
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 0.017 sec (0 m 0 s)
8<--

This aspect is a little concerning. There's the potential for e.g. a
typo on a command line (or a misconfiguration) to permit a malicious
file, which might otherwise be detected, quietly to escape detection.

--

73,
Ged.
Re: [clamav-users] Disable official database
G.W. Haywood via clamav-users wrote:
> To find out what might work and what might not, here's what I did:
>
> == Using 'clamd':
>
> 8<--
> 1. I moved the 'main.cld' and 'daily.cld' files from my working clamav
> database directory to a temporary directory, replaced them with empty
> files, and by sending a message to its TCP port I told one of my clamd
> daemons to reload its databases. (By default clamd doesn't listen on
> TCP, but I normally configure that anyway.) Here's what happened:
>
> Aug 25 08:28:01 mail6 root: PONG
> Aug 25 08:28:20 mail6 ged: RELOADING
> Aug 25 08:28:23 mail6 clamd[4518]: Reading databases from /etc/mail/clamav
> Aug 25 08:28:23 mail6 clamd[4518]: reload db failed: Malformed database
> Aug 25 08:28:23 mail6 clamd[4518]: Terminating because of a fatal error.
> Aug 25 08:28:23 mail6 clamd[4518]: Pid file removed.
> Aug 25 08:28:23 mail6 clamd[4518]: --- Stopped at Sun Aug 25 08:28:23 2019
>
> The clamd daemon disliked the empty 'main' and 'daily' files and died.
> I guess some folk might prefer it to carry on with the old databases,
> but at least it's very clear what's happened.

From my own experience, I expect this is because they were, as per the
error, "malformed". ClamAV is very picky about this - too picky IMO.
If a signature database is present, it is expected to contain at least
one signature, which is a valid signature for the database "type". An
empty file is not a valid signature database file.

> 6. The same, using a database directory containing just an empty file:
>
> mail6:~/src/net/mail/clamav-0.101.4/test$ >>> ls -l /etc/mail/clamav/empty/
> total 0
> -rw-r--r-- 1 root root 0 Aug 25 10:25 empty.ign2
> mail6:~/src/net/mail/clamav-0.101.4/test$ >>> /usr/local/bin/clamscan -d /etc/mail/clamav/empty clam.exe
> clam.exe: OK

This is consistent with my experience; .ign[2] is basically a list of
signatures to ignore, and so it can reasonably be empty.

Strictly speaking it's not a signature database file, because it does
not contain actual signatures - just the names of signatures to
ignore/skip. If you wanted to use *ONLY* one or more of the internal
heuristic tests, this is probably the best option.

-kgd
Re: [clamav-users] Disable official database
Joel Esler (jesler) via clamav-users wrote:
> I mean, it's possible not to download the official definitions and
> just point at a custom file right?

*nod* This works fine. I have a secondary Clam instance set up to use
only a selection of third-party signatures that I do not absolutely
trust as hard black/white tests, which is called from SpamAssassin and
scored based on the resulting signature names.

clamd will use whatever database files are in its database directory.
It does NOT use anything in any subdirectories.

clamscan will use those, or:

1) whatever database files are in the directory you specify with the
   -d argument, or
2) whatever single database file you specify with the -d argument

The only constant is that there must be at least one signature
database, even if it's a trivial hash database with one signature that
matches on an empty file.

-kgd
Re: [clamav-users] Disable official database
Hi there,

On Sun, 25 Aug 2019, Kees Theunissen wrote:

> On Sat, 24 Aug 2019, azu...@pobox.sk wrote:
>
>> is it possible to disable official virus database? I would like to use
>> only custom database. Thanks for info.
>
> ... I didn't need virus databases at all ... (I didn't even test if I
> could start clamd without databases.) I created a database directory
> containing only a custom database ... So yes, at that time, it was
> possible to run at least clamd without the official virus database.
> I only used this with clamd, not with clamscan. And I didn't test this
> with the current clamav version.

To find out what might work and what might not, here's what I did:

== Using 'clamd':

8<--
1. I moved the 'main.cld' and 'daily.cld' files from my working clamav
database directory to a temporary directory, replaced them with empty
files, and by sending a message to its TCP port I told one of my clamd
daemons to reload its databases. (By default clamd doesn't listen on
TCP, but I normally configure that anyway.) Here's what happened:

Aug 25 08:28:01 mail6 root: PONG
Aug 25 08:28:20 mail6 ged: RELOADING
Aug 25 08:28:23 mail6 clamd[4518]: Reading databases from /etc/mail/clamav
Aug 25 08:28:23 mail6 clamd[4518]: reload db failed: Malformed database
Aug 25 08:28:23 mail6 clamd[4518]: Terminating because of a fatal error.
Aug 25 08:28:23 mail6 clamd[4518]: Pid file removed.
Aug 25 08:28:23 mail6 clamd[4518]: --- Stopped at Sun Aug 25 08:28:23 2019

The clamd daemon disliked the empty 'main' and 'daily' files and died.
I guess some folk might prefer it to carry on with the old databases,
but at least it's very clear what's happened.
8<--
2. Instead, I simply moved the two files elsewhere and said 'RELOAD'.
This was successful. Just the 'safebrowsing' etc. and third-party
signatures were reloaded and the daemon seemed happy.

As you can see, without 'main' and 'daily' there were only 2.6 million
signatures:

Aug 25 08:35:01 mail6 root: PONG
Aug 25 08:35:32 mail6 ged: RELOADING
Aug 25 08:35:35 mail6 clamd[5479]: Reading databases from /etc/mail/clamav
Aug 25 08:35:49 mail6 clamd[5479]: Database correctly reloaded (2603979 signatures)
Aug 25 08:36:01 mail6 root: PONG
8<--
3. After replacing 'main' and 'daily' where they normally live, back up
to nearly 9 million signatures:

Aug 25 08:36:39 mail6 ged: RELOADING
Aug 25 08:36:40 mail6 clamd[5479]: Reading databases from /etc/mail/clamav
Aug 25 08:36:56 mail6 ged: RELOADING
Aug 25 08:37:01 mail6 root: PONG
Aug 25 08:38:01 mail6 root: PONG
Aug 25 08:39:01 mail6 root: PONG
Aug 25 08:40:01 mail6 root: PONG
Aug 25 08:40:05 mail6 clamd[5479]: Database correctly reloaded (8900727 signatures)
Aug 25 08:41:01 mail6 root: PONG

== Using 'clamscan':

8<--
4. Running clamscan with my production database directory on a random
test file supplied by the ClamAV install:

mail6:~/src/net/mail/clamav-0.101.4/test$ >>> clamscan -d /etc/mail/clamav clam.exe
clam.exe: Clamav.Test.File-6 FOUND

--- SCAN SUMMARY ---
Known viruses: 8893502
Engine version: 0.101.4
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 215.517 sec (3 m 35 s)
8<--
5. The same, using a completely empty database directory:

mail6:~/src/net/mail/clamav-0.101.4/test$ >>> clamscan -d /etc/mail/clamav/empty clam.exe
LibClamAV Error: cli_loaddbdir(): No supported database files found in /etc/mail/clamav/empty
ERROR: Can't open file or directory

--- SCAN SUMMARY ---
Known viruses: 0
Engine version: 0.101.4
Scanned directories: 0
Scanned files: 0
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 0.015 sec (0 m 0 s)
8<--
6. The same, using a database directory containing just an empty file:

mail6:~/src/net/mail/clamav-0.101.4/test$ >>> ls -l /etc/mail/clamav/empty/
total 0
-rw-r--r-- 1 root root 0 Aug 25 10:25 empty.ign2
mail6:~/src/net/mail/clamav-0.101.4/test$ >>> /usr/local/bin/clamscan -d /etc/mail/clamav/empty clam.exe
clam.exe: OK

--- SCAN SUMMARY ---
Known viruses: 0
Engine version: 0.101.4
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 0.017 sec (0 m 0 s)
8<--

This was all with the current ClamAV version. LibClamAV is not happy
with no database files at all, but it's happy if at least
Re: [clamav-users] Disable official database
On Sat, 24 Aug 2019, azu...@pobox.sk wrote:
> Hi,
>
> is it possible to disable official virus database? I would like to use only
> custom database. Thanks for info.

Before I retired nearly a year ago I ran for several years an instance of
clamd on the incoming mail servers at work that should only detect macros
in office files. These macros are detected by built-in heuristics in clamd
so I didn't need virus databases at all for these clamd instances but I
didn't want to run clamd in the ultimate edge case using no databases.
(I didn't even test if I could start clamd without databases.)

I created a database directory containing only a custom database with a
single definition to detect the "eicar-virus". I created a customized
clamd config file pointing to this nearly empty database directory. And I
started these instances of clamd with the commandline option to use this
customized config file.

The overhead involved with using a single -actually not needed- eicar
definition was acceptable to me.

So yes, at that time, it was possible to run at least clamd without the
official virus database. I only used this with clamd, not with clamscan.
And I didn't test this with the current clamav version.

Regards,

Kees.

--
Kees Theunissen
Email: kees.theunis...@xs4all.nl
Re: [clamav-users] Disable official database
There is a configuration option to have ClamAV only load the official
signatures but this setting is disabled by default (it's the
OfficialDatabaseOnly setting for clamd, and '--official-db-only' for
clamscan). One exception to this is for bytecode signatures - only
official bytecode signatures are loaded by default. This can be changed
by using '--bytecode-unsigned=yes' for clamscan, and for clamd it looks
like the BytecodeSecurity setting can be used (depending on how ClamAV
is built).

Although there is some code in ClamAV that ensures daily.cvd/daily.cld
get loaded before some other rule files if they are present, in general
ClamAV only cares about the file extension and uses that to determine
whether it should try to load a given set of rules. This makes it easy
to use third-party or custom rules - with clamd you can just copy the
rule files into the DatabaseDirectory directory and with clamscan you
can either copy the rules into the default rule directory or specify the
path to the custom rules with the '-d' flag.

Hope that helps!

-Andrew

On Sat, Aug 24, 2019 at 11:54 AM G.W. Haywood via clamav-users <
clamav-users@lists.clamav.net> wrote:

> Hi there,
>
> On Sat, 24 Aug 2019, Joel Esler (jesler) wrote:
>
>> I mean, it's possible not to download the official definitions and
>> just point at a custom file right?
>
> No idea. Haven't tried it. If you can, it seems like it would be a
> security hole. The code seems to be saying that it wants to load the
> daily.c[lv]d file before anything else; the name is hard-coded into
> the file I mentioned; and those files are signed. Given that there's
> already been some discussion along these lines (e.g. see the link in
> my last post) I'd be surprised if nobody else has tried it, but I've
> been surprised before. :)
>
> --
>
> 73,
> Ged.
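The thread makes four practical points a defender can check before trusting a scan: ClamAV chooses database files by extension (Andrew), clamd ignores subdirectories (Kris), a directory holding only an empty .ign2 loads cleanly but detects nothing (Ged's step 6), and the "Known viruses: N" line in the scan summary tells you how many signatures were actually in play (Ged's steps 4 to 6). The Python script below is an added example, not code from the ClamAV project or from anyone in the thread. It audits a database directory the way the loader would see it, builds the single-entry .hdb "trivial hash database" Kris mentions, and refuses to treat a clean verdict as meaningful when the summary shows zero known signatures. Assumptions: the extension table follows ClamAV's documented database formats, the CVD header is the usual colon-separated 512-byte header with the signature count in the fourth field, and the sample directory written by build_sample_dir() is constructed for the example (its daily.cld is a bare header, not a real signed database).

```python
"""Preflight audit of a ClamAV database directory (added example, not ClamAV code)."""
import hashlib
import os
import re
import tempfile

# Plain-text databases: one detection signature per non-comment line.
TEXT_SIG_EXTS = {".hdb", ".hsb", ".mdb", ".msb", ".ndb", ".ldb", ".pdb",
                 ".wdb", ".cdb", ".hdu", ".hsu", ".mdu", ".msu", ".ndu", ".ldu"}
# Signed containers (official main/daily); the count is in the 512-byte header.
CONTAINER_EXTS = {".cvd", ".cld"}
# Exclusion lists: they load without complaint but only tell the engine what to skip.
EXCLUSION_EXTS = {".ign", ".ign2", ".fp", ".sfp"}


def hdb_line(data: bytes, name: str) -> str:
    """One .hdb entry, MD5:size:name; the 'trivial hash database' from the thread."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def cvd_signature_count(path: str) -> int:
    """Read the signature count from a CVD/CLD header.
    Layout: ClamAV-VDB:<date>:<version>:<#sigs>:<flevel>:<md5>:<dsig>:<builder>:<stime>
    The MD5 and digital signature are NOT verified here; `sigtool --info` does that."""
    with open(path, "rb") as fh:
        header = fh.read(512).decode("ascii", errors="replace")
    fields = header.strip("\x00 \r\n").split(":")
    if fields[0] != "ClamAV-VDB" or len(fields) < 4:
        raise ValueError(f"{path}: not a CVD header")
    return int(fields[3])


def count_text_signatures(path: str) -> int:
    """Non-empty, non-comment lines are what the loader would turn into signatures."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return sum(1 for line in fh if line.strip() and not line.lstrip().startswith("#"))


def audit_db_dir(path: str) -> dict:
    """Classify every entry by extension, as ClamAV does, and total the detection signatures."""
    report = {"detection_sigs": 0, "exclusion_files": 0, "skipped": [], "subdirs": []}
    with os.scandir(path) as it:
        entries = sorted(it, key=lambda e: e.name)
    for entry in entries:
        if entry.is_dir():
            report["subdirs"].append(entry.name)  # clamd never descends into these
            continue
        ext = os.path.splitext(entry.name)[1].lower()
        if ext in CONTAINER_EXTS:
            report["detection_sigs"] += cvd_signature_count(entry.path)
        elif ext in TEXT_SIG_EXTS:
            report["detection_sigs"] += count_text_signatures(entry.path)
        elif ext in EXCLUSION_EXTS:
            report["exclusion_files"] += 1
        else:
            report["skipped"].append(entry.name)  # unknown extension: ignored by the loader
    # Fail closed: a directory that loads but can detect nothing is the thread's worry.
    report["usable"] = report["detection_sigs"] > 0
    return report


SUMMARY_RE = re.compile(r"^Known viruses:\s*(\d+)\s*$", re.MULTILINE)


def known_viruses(scan_summary: str):
    """Pull 'Known viruses: N' out of clamscan's SCAN SUMMARY; None if the line is absent."""
    m = SUMMARY_RE.search(scan_summary)
    return int(m.group(1)) if m else None


def scan_is_trustworthy(scan_summary: str, minimum: int = 1) -> bool:
    """A clean verdict only means something if the engine had signatures to check against."""
    n = known_viruses(scan_summary)
    return n is not None and n >= minimum


def build_sample_dir(base=None, with_signatures=True) -> str:
    """Constructed sample directory (not a real database): an empty .ign2 and, if
    with_signatures, a fake daily.cld header, a one-line .hdb, a stray README and
    a subdirectory. Returns the directory path."""
    base = base or tempfile.mkdtemp(prefix="clamdb-")
    open(os.path.join(base, "empty.ign2"), "w").close()
    if not with_signatures:
        return base
    header = ("ClamAV-VDB:25 Aug 2019 08-00 +0000:25543:2603979:63:"
              "md5-placeholder:dsig-placeholder:builder:1566720000")
    with open(os.path.join(base, "daily.cld"), "wb") as fh:
        fh.write(header.ljust(512).encode("ascii"))
    with open(os.path.join(base, "custom.hdb"), "w") as fh:
        # ClamAV does not scan zero-byte files, so this entry is loadable but inert.
        fh.write("# constructed custom database\n" + hdb_line(b"", "Custom.EmptyFile") + "\n")
    open(os.path.join(base, "README.txt"), "w").close()
    os.mkdir(os.path.join(base, "old"))
    return base


if __name__ == "__main__":
    print(audit_db_dir(build_sample_dir()))
```

Run it against a real DatabaseDirectory (audit_db_dir("/var/lib/clamav") or whatever clamd.conf names) and refuse to start the mail pipeline when "usable" is False; paired with scan_is_trustworthy() over clamscan's summary, this turns the silent "clam.exe: OK" from step 6 into a loud configuration error.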
Re: [clamav-users] Disable official database
Hi there,

On Sat, 24 Aug 2019, Joel Esler (jesler) wrote:

> I mean, it's possible not to download the official definitions and
> just point at a custom file right?

No idea. Haven't tried it. If you can, it seems like it would be a
security hole. The code seems to be saying that it wants to load the
daily.c[lv]d file before anything else; the name is hard-coded into
the file I mentioned; and those files are signed. Given that there's
already been some discussion along these lines (e.g. see the link in
my last post) I'd be surprised if nobody else has tried it, but I've
been surprised before. :)

--

73,
Ged.
Re: [clamav-users] Disable official database
I mean, it's possible not to download the official definitions and just
point at a custom file right?

> On Aug 24, 2019, at 10:29 AM, G.W. Haywood via clamav-users
> wrote:
>
> Hi there,
>
> On Sat, 24 Aug 2019, azu...@pobox.sk wrote:
>
>> is it possible to disable official virus database? I would like to use only
>> custom database. Thanks for info.
>
> A quick look at the code in libclamav/readdb.c suggests to me that
> this won't be very straightforward. The name of the 'daily' database
> is hard-coded into the source. Database files are digitally signed,
> so in theory you can't easily create an empty one and expect it to
> load correctly. Perhaps the easiest approach would be to disable the
> signature checks. Maybe you could patch the code so that it doesn't
> read the databases which you don't need, and I'd guess that would be
> useful to others too; it's been mentioned on this list recently, see
> for example
>
> https://lists.clamav.net/pipermail/clamav-users/2019-April/007901.html
>
> I'm sure Micah would welcome well thought-out patches.
>
> --
>
> 73,
> Ged.
Re: [clamav-users] Disable official database
Hi there,

On Sat, 24 Aug 2019, azu...@pobox.sk wrote:

> is it possible to disable official virus database? I would like to use only
> custom database. Thanks for info.

A quick look at the code in libclamav/readdb.c suggests to me that
this won't be very straightforward. The name of the 'daily' database
is hard-coded into the source. Database files are digitally signed,
so in theory you can't easily create an empty one and expect it to
load correctly. Perhaps the easiest approach would be to disable the
signature checks. Maybe you could patch the code so that it doesn't
read the databases which you don't need, and I'd guess that would be
useful to others too; it's been mentioned on this list recently, see
for example

https://lists.clamav.net/pipermail/clamav-users/2019-April/007901.html

I'm sure Micah would welcome well thought-out patches.

--

73,
Ged.
[clamav-users] Disable official database
Hi,

is it possible to disable official virus database? I would like to use only
custom database. Thanks for info.

azur