bashrubygemsclamav

Clamdscan errors when scanning a file


So I have been trying to use clamav to scan files but the clamdscan has not worked for me yet.

my setup is as follows:

brew install clamav

then I renamed the clamd.conf.sample and freshclam.conf.sample to clamd.conf and freshclam.conf respectively.

Next I commented Example (around line 8) for both and for clamd.conf I commented in the TCP port address => TCPSocket 3310

After that I ran freshclam to update clamav

Now I ran clamd (and allowed incoming connections) to start the daemon service and I can see it running with:

ps -ef |grep clamd            
502 16932     1   0  1:03PM ??         0:14.57 clamd

If I try to scan a file with clamdscan it errors:

clamdscan ~/Desktop/sample.pdf 

----------- SCAN SUMMARY -----------
Infected files: 0
Total errors: 1
Time: 0.008 sec (0 m 0 s)
Start Date: 2022:01:18 13:03:47
End Date:   2022:01:18 13:03:47

Additionally I was wondering what the best way to test clamav. I have an eicar.rtf with an virus signature but that also passes the clamscan (but i get the same error for clamdscan as with the sample.pdf):

clamscan ~/Desktop/eicar.rtf 
Loading:    11s, ETA:   0s [========================>]    8.60M/8.60M sigs       
Compiling:   4s, ETA:   0s [========================>]       41/41 tasks 

/Users/alexhaumer/Desktop/eicar.rtf: OK

----------- SCAN SUMMARY -----------
Known viruses: 8603862
Engine version: 0.104.2
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 16.482 sec (0 m 16 s)
Start Date: 2022:01:18 13:32:22
End Date:   2022:01:18 13:32:39

the eicar.rtf does trigger other AV's for example when I try to attach it to a slack message

On a separate note when I try to create a file.txt and past the signature in manually it does not allow me to save the file - so whats the best way to generate a file (say other than .rtf) and test it against clamdscan ? (MacOs Big Sur)

Finally here are my logs (located at /tmp/clamd.log):

+++ Started at Tue Jan 18 13:03:02 2022
Received 0 file descriptor(s) from systemd.
clamd daemon 0.104.2 (OS: Darwin, ARCH: x86_64, CPU: x86_64)
Log file size limited to 1048576 bytes.
Reading databases from /usr/local/Cellar/clamav/0.104.2/share/clamav
Not loading PUA signatures.
Bytecode: Security mode set to "TrustSigned".
Loaded 8603862 signatures.
TCP: Bound to []:3310
TCP: Setting connection queue length to 200
TCP: Bound to []:3310
TCP: Setting connection queue length to 200
Limits: Global time limit set to 120000 milliseconds.
Limits: Global size limit set to 104857600 bytes.
Limits: File size limit set to 26214400 bytes.
Limits: Recursion level limit set to 17.
Limits: Files limit set to 10000.
Limits: Core-dump limit is 0.
Limits: MaxEmbeddedPE limit set to 10485760 bytes.
Limits: MaxHTMLNormalize limit set to 10485760 bytes.
Limits: MaxHTMLNoTags limit set to 2097152 bytes.
Limits: MaxScriptNormalize limit set to 5242880 bytes.
Limits: MaxZipTypeRcg limit set to 1048576 bytes.
Limits: MaxPartitions limit set to 50.
Limits: MaxIconsPE limit set to 100.
Limits: MaxRecHWP3 limit set to 16.
Limits: PCREMatchLimit limit set to 100000.
Limits: PCRERecMatchLimit limit set to 2000.
Limits: PCREMaxFileSize limit set to 26214400.
Archive support enabled.
AlertExceedsMax heuristic detection disabled.
Heuristic alerts enabled.
Portable Executable support enabled.
ELF support enabled.
Mail files support enabled.
OLE2 support enabled.
PDF support enabled.
SWF support enabled.
HTML support enabled.
XMLDOCS support enabled.
HWP3 support enabled.
Self checking every 600 seconds.
Listening daemon: PID: 16932
MaxQueue set to: 100
Set stacksize to 1048576

Once all of this works I will use this in the context of the clamby gem in rails


Solution

  • Alright, I havent seen any documentation explicitly mentioning this but in the clamd.conf (located at /usr/local/etc/clamav if installed via brew) you can additionally uncomment TCPAddr localhost (around line 120) because if you dont the default listens to INADDR_ANY which in my case obvs was not set. works seamlessly now.