Hi there,
On Mon, 14 Dec 2020, Sandeep Talla wrote:
> ... *fireeye.ldb* file under the directory /var/lib/clamav/ ...
> ... Clamscam is not picking up the *fireeye.ldb* file when
Clamscam. I like that. :)
> we verify the Freshclam.log and clamav.log files.
Freshclam will not update the Fireeye data unless it is both available
from a mirror which freshclam can recognize and the mirror location is
given in freshclam.conf using the 'DatabaseCustomURL' option. See the
man page for freshclam.conf for more information. Freshclam will not
mention the file in its logs unless it updates it. But freshclam only
updates the files, it does not affect whether or not clamd loads them,
and it has no effect on clamscan at all.
I do not know what the 'clamav.log' file contains, perhaps it is only
found in Ubuntu systems.
When clamd has reloaded its databases you will see that it writes in
its log the number of signatures which it has loaded. It's quite a
large number, of the order of ten million, but you should see that
after you have the Fireeye data in the correct location and clamd has
reloaded the data, there are 23 more signatures than the last time
clamd loaded the data. Below is an extract from my clamd server log.
I downloaded the file from the URL you gave, dropped it in the clamd
database directory, and issued a RELOAD command using telnet. As you
can see, there are 23 more signatures after the reload.
pi4b530214:/var/log/clamav# >>> grep -i reload clamd.2.log | tail -n 3
Mon Dec 14 22:42:18 2020 -> Database correctly reloaded (11352914 signatures)
Mon Dec 14 23:12:35 2020 -> got command RELOAD (7, 2), argument:
Mon Dec 14 23:13:39 2020 -> Database correctly reloaded (11352937 signatures)
What is the size of your fireeye.ldb file? Have you checked it with a
pager to make sure that it looks OK? It should be 26 lines of text.
Some of them are very long.
> Are there any configuration settings that need to be added to *clamd.conf* or
> *freshclam.conf* in order to pick up the fireeye.ldb file during clamscan?
Freshclam.conf is irrelevant. Do you have in clamd.conf the option
--official-db-only
set to 'yes'? See the clamd man page for more information.
If you run
clamscan --debug some_test_file
and pipe the output to a pager or through grep or something, you see
listed in the (long) output all the databases which clamscan loads:
ged@pi4b530214:~ $ clamscan --debug phish-test 2>&1 | grep loaded
LibClamAV debug: unrar support loaded from libclamunrar_iface.so.9
LibClamAV debug: daily.info loaded
LibClamAV debug: daily.cfg loaded
...
...
LibClamAV debug: /EXPORTS/clamav/databases/all-clam.ldb loaded
...
...
HTH
--
73,
Ged.
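As an added example (not code from Ged's reply or from the ClamAV project), a small POSIX shell script that automates the two checks described in the reply above: the signature-count difference between the last two "Database correctly reloaded" lines in clamd's log, and whether a given database file name shows up among the "... loaded" lines that `clamscan --debug` prints. The sample log and debug lines are constructed, modelled on those quoted in the reply; the log path in the usage comment is an assumption and varies per system.

```shell
#!/bin/sh
# Added example, not code from the mailing-list post. Constructed sample data
# modelled on the lines quoted in the reply.

SAMPLE_CLAMD_LOG='Mon Dec 14 22:42:18 2020 -> Database correctly reloaded (11352914 signatures)
Mon Dec 14 23:12:35 2020 -> got command RELOAD (7, 2), argument:
Mon Dec 14 23:13:39 2020 -> Database correctly reloaded (11352937 signatures)'

SAMPLE_DEBUG_OUT='LibClamAV debug: daily.info loaded
LibClamAV debug: daily.cfg loaded
LibClamAV debug: /var/lib/clamav/fireeye.ldb loaded'

# Print the signature count from every "correctly reloaded" line on stdin,
# one count per line, oldest first.
reload_counts() {
    grep 'Database correctly reloaded' \
        | sed -n 's/.*reloaded (\([0-9][0-9]*\) signatures).*/\1/p'
}

# Print (latest count - previous count) for the clamd log on stdin.
# Fails (exit 1) when the log holds fewer than two reload lines.
reload_delta() {
    counts=$(reload_counts | tail -n 2)
    prev=$(printf '%s\n' "$counts" | sed -n '1p')
    last=$(printf '%s\n' "$counts" | sed -n '2p')
    [ -n "$prev" ] && [ -n "$last" ] || return 1
    echo $((last - prev))
}

# Succeed if database file name $2 appears in a "... loaded" debug line of
# the clamscan --debug output passed as $1.
db_loaded() {
    printf '%s\n' "$1" | grep -q "debug: .*$2 loaded"
}

# Against a real system (paths are assumptions; adjust to your install):
#   reload_delta < /var/log/clamav/clamd.log
#   db_loaded "$(clamscan --debug some_test_file 2>&1)" fireeye.ldb && echo loaded
reload_delta_demo() {
    printf '%s\n' "$SAMPLE_CLAMD_LOG" | reload_delta
}
```

A delta of 23 on the sample data matches the count of logical signatures the reply says the fireeye.ldb file adds; a delta of 0 after a RELOAD is the sign that clamd did not pick the file up.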
clamav-users mailing list
clamav-users@lists.clamav.net