Mailing List Archive

ClamAV/FreshClam: Configuring OnErrorExecute event on Windows
Hi,

Currently I'm confronted with some difficulties in configuring freshclam, in the freshclam.conf file.

More specifically, I want to trigger a command to the events 'OnUpdateExecute' and 'OnErrorExecute'. My purpose is to execute a PowerShell command which calls a local API in order to keep track of update statuses.

I'm using ClamAV 0.104.1 for Windows. The ways I have tried to configure the described scenario are multiple:

OnErrorExecute = powershell.exe "D:\Updatelog.ps1"

OnErrorExecute powershell.exe "D:\Updatelog.ps1"

OnErrorExecute "D:\Updatelog.ps1"

OnErrorExecute D:\Updatelog.ps1

The way I am testing this scenario is disabling internet connection for freshclam while updating. My expectation is that the update process fails this way, and that event 'OnErrorExecute' occurs. However: the PowerShell script is never executed. To be complete: the script I have configured is working perfectly when executed in a command prompt window.

Is there somebody who has done this before on Windows, or knows how to configure this setting properly? Or could it be that my apprehension of this event is incorrect, and it occurs in other situations? I have seen examples from other people, but they were using Linux, which might be slightly different in this (configuration) respect.


Thanks in advance,

Kind regards,
Tim


PS: below I have included my config:

Checking configuration files in D:\OV\ClamAV3\clamav-0.104.1.win.x64

Config file: clamd.conf
-----------------------
LogFile = "D:\OV\ClamAV3\Log\clamd.log"
LogTime = "yes"
LogClean = "yes"
LogRotate = "yes"
DatabaseDirectory = "D:\OV\ClamAV3\Database"
TCPSocket = "3310"
TCPAddr = "localhost"

Config file: freshclam.conf
---------------------------
LogTime = "yes"
LogRotate = "yes"
DatabaseDirectory = "D:\OV\ClamAV3\Database"
UpdateLogFile = "D:\OV\ClamAV3\Log\freshclam.log"
DatabaseMirror = "database.clamav.net"
OnUpdateExecute = "= powershell.exe "D:\Updatelog.ps1""
OnErrorExecute = "= powershell.exe "D:\Updatelog.ps1""
OnOutdatedExecute = "= powershell.exe "D:\Updatelog.ps1""

clamav-milter.conf not found

Software settings
-----------------
Version: 0.104.1
Optional features supported: MEMPOOL AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 JSON RAR

Database information
--------------------
Database directory: D:\OV\ClamAV3\Database
Total number of signatures: 0

Platform information
--------------------
uname: Microsoft Windows 6.2 SP0.0 Build 9200
OS: Windows, ARCH: AMD64, CPU: AMD64
zlib version: 1.2.11 (1.2.11), compile flags: 65
platform id: 0x10058d8d080000000000077c

Build information
-----------------
Microsoft Visual C++: (0.7.124)
sizeof(void*) = 8
Engine flevel: 141, dconf: 141

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: ClamAV/FreshClam: Configuring OnErrorExecute event on Windows
Hi there,

It's been a few hours so I'll drop you a line to let you know that at
least someone has read your mail. :)

On Tue, 14 Dec 2021, Tim Out wrote:

> Currently I'm confronted with some difficulties in configuring
> freshclam, in the freshclam.conf file.

Did you restart freshclam after making changes to its configuration?
You need to do that after practically any configuration change.

> More specific I want to trigger a command to the events
> 'OnUpdateExecute' and 'OnErrorExecute'. My purpose is to execute a
> Powershell command which calls a local API in order to keep track of
> update statuses.
>
> ... I have tried ...
>
> OnErrorExecute = powershell.exe "D:\Updatelog.ps1"
> OnErrorExecute powershell.exe "D:\Updatelog.ps1"
> OnErrorExecute "D:\Updatelog.ps1"
> OnErrorExecute D:\Updatelog.ps1

The first one is definitely wrong because there must be no '=' sign on
the line between the option name and the command. I suspect that the
next two may give problems because of the double-quote characters, but
I've never run freshclam on a Windows box so I can't be sure.

You might try doubling the '\' backslash on the last one; in the Unix
world the backslash removes the special meaning of the following
special character (it does nothing to the meaning of a subsequent non-
special character), and the directory path separator is '/' (forward
slash). So you might try using forward slash instead of backslash,
but again I can't be sure about anything on Windows. It matters much
more when what you're configuring contains a regular expression, but
that isn't the case here.

> Is there somebody who has done this before on Windows, or knows how
> to configure this setting properly? Or could it be that my
> apprehension of this event is incorrect, and it occurs in other
> situations? I have seen examples from other people, but they were
> using Linux, which might be slightly different in this
> (configuration) respect.

Sorry, I've never done any of this on Windows boxes, but apart from
obvious differences in things like having no drive letters in Linux,
the configuration and behaviour should be much the same because most
of the code is the same.

> ...
> DatabaseMirror = "database.clamav.net"

This is correct. To be clear to people who are reading, the 'clamconf'
utility added the '=' sign and the double quotes to this line. To my
way of thinking it's confusing that it does that, but it does help in
this particular case. The actual line in the configuration would be

DatabaseMirror database.clamav.net

with no '=' sign and no quotes, as given in the 'man' page. I don't
know what passes for a 'man' page on a Windows host unfortunately.

> OnUpdateExecute = "= powershell.exe "D:\Updatelog.ps1""
> OnErrorExecute = "= powershell.exe "D:\Updatelog.ps1""
> OnOutdatedExecute = "= powershell.exe "D:\Updatelog.ps1""
> ...

These will all fail because of the superfluous '=' sign, and perhaps
also because of the superfluous quotes.

If you still don't have any luck you might try checking the section
headed 'RETURN CODES' in the freshclam documentation. You can get
whatever calls freshclam to examine freshclam's return code, perhaps
getting done what you want to get done that way instead. Again, I
have no experience of it on Windows boxes.

--

73,
Ged.
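
The return-code approach suggested in the reply above, as an added example (not code from the thread or from the ClamAV project): a PowerShell wrapper for a one-shot freshclam run, for instance from a scheduled task rather than daemon mode. The config, log and database paths are taken from the clamconf output earlier in the thread; the location of freshclam.exe, the API URL, the JSON field names and the fallback log file are assumptions.

```powershell
# Added example: run freshclam once and report its exit code to a local API.
$ClamDir     = 'D:\OV\ClamAV3\clamav-0.104.1.win.x64'
$Freshclam   = Join-Path $ClamDir 'freshclam.exe'       # assumed location of the binary
$ConfigFile  = Join-Path $ClamDir 'freshclam.conf'
$UpdateLog   = 'D:\OV\ClamAV3\Log\freshclam.log'        # UpdateLogFile from the thread
$DatabaseDir = 'D:\OV\ClamAV3\Database'                 # DatabaseDirectory from the thread
$ApiUrl      = 'http://localhost:8080/clamav/status'    # hypothetical local API
$FallbackLog = 'D:\OV\ClamAV3\Log\update-status.log'    # hypothetical fallback file

if (-not (Test-Path -LiteralPath $Freshclam)) {
    $exitCode = -1    # wrapper-defined value: binary missing, nothing was run
} else {
    # Output is not captured; freshclam already writes to UpdateLogFile.
    & $Freshclam "--config-file=$ConfigFile"
    $exitCode = $LASTEXITCODE
}

# freshclam exits 0 on success; any other value is treated as a failed update.
$status = if ($exitCode -eq 0) { 'ok' } else { 'error' }

$logTail = if (Test-Path -LiteralPath $UpdateLog) {
    (Get-Content -LiteralPath $UpdateLog -Tail 15) -join "`n"
} else { '' }

# Signature databases present after the run (.cvd and .cld files).
$dbFiles = @(Get-ChildItem -LiteralPath $DatabaseDir -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.cvd', '.cld' })

$body = @{
    host      = $env:COMPUTERNAME
    time      = (Get-Date).ToString('o')
    status    = $status
    exitCode  = $exitCode
    databases = @($dbFiles | ForEach-Object { $_.Name })
    logTail   = $logTail
} | ConvertTo-Json

try {
    Invoke-RestMethod -Uri $ApiUrl -Method Post -ContentType 'application/json' `
        -Body $body -TimeoutSec 10 | Out-Null
} catch {
    # API unreachable: keep a local record so the failed update is not lost.
    Add-Content -LiteralPath $FallbackLog `
        -Value "$(Get-Date -Format o) status=$status exit=$exitCode api_error=$($_.Exception.Message)"
}
exit $exitCode
```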

Re: ClamAV/FreshClam: Configuring OnErrorExecute event on Windows
Thanks very much for your response and suggestions, and my apologies for my late reaction.

I'm still not where I want to be but the information in your mail is nevertheless useful.

Best regards,
Tim

-----Original Message-----
From: clamav-users <clamav-users-bounces@lists.clamav.net> On Behalf Of G.W. Haywood via clamav-users
Sent: Tuesday, 14 December 2021 16:09
To: ClamAV users ML <clamav-users@lists.clamav.net>
Cc: G.W. Haywood <clamav@jubileegroup.co.uk>
Subject: Re: [clamav-users] ClamAV/FreshClam: Configuring OnErrorExecute event on Windows
