Mailing List Archive

Re: Antivirus Bases showing outdated main.cvd with a version dated year 2021
While you have ClamAV 0.105.1_1 in your post, the screenshot says ClamAV 0.101_1.1, which is an unsupported version. What version of freshclam is trying to download updates? What do freshclam's logs say?

On Wed, Aug 30, 2023, at 12:46 PM, Jonathan Lee via clamav-users wrote:
> Hello fellow ClamAV members,
>
> Can you please help?
>
> Per ClamAV's website:
> "ClamAV signatures come in a variety of formats, one for each of the distinct detection methods that the ClamAV file scanning engine supports. ClamAV also uses the ClamAV Virus Database (CVD) file format, which serves as a container for the compressed and digitally-signed official signature sets that power ClamAV — daily.cvd, main.cvd, and bytecode.cvd. Each signature set serves a different purpose:
>
>
> bytecode.cvd contains all compiled bytecode signatures evaluated by the bytecode interpreter engine
> *daily.cvd contains signatures for the latest threats (updated daily)*
> *main.cvd contains signatures previously in daily.cvd that have shown to have a low false-positive risk*."
>
>
>
> The main.cvd is not replacing itself with an updated version.
>
> Squid ClamAV is not updating the main.cvd and is listing 2021 version
>
>
> Squid Version 5.7
> Antivirus Scanner ClamAV 0.105.1_1,1 C-ICAP 0.5.10,2 + SquidClamav 7.2
> Antivirus Bases
> Database Date Version Builder
> daily.cld 2023.03.14 26841 raynman
> bytecode.cvd 2023.02.22 334 anvilleg
> *main.cvd 2021.09.16 62 sigmgr*
> Last Update Tue Mar 14 00:22:56 2023
> Statistics Found 124 virus(es) total.
>
> Please see attached ClamAV is functional again main is not updating with prior daily.cvd
>
>
>
> It shows from 2021 still
>
>
>
>
>
> Ref:
> https://redmine.pfsense.org/issues/14108
> https://bugs.squid-cache.org/show_bug.cgi?id=5297
>
> Per developer investigation this is the newest file available for main.cvd
>
> _______________________________________________
>
> Manage your clamav-users mailing list subscription / unsubscribe:
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/Cisco-Talos/clamav-documentation
>
> https://docs.clamav.net/#mailing-lists-and-chat
>
>
> *Attachments:*
> • Screenshot 2023-03-14 at 8.51.44 AM (1).png
> • Screenshot 2023-03-14 at 8.53.14 AM (1).png
> • Screenshot 2023-08-30 104608.jpg
Re: Antivirus Bases showing outdated main.cvd with a version dated year 2021
Attached is the freshclam log.

I am using this with Squid on pfSense

Jonathan Lee
Adult Student

________________________________
From: clamav-users <clamav-users-bounces@lists.clamav.net> on behalf of Nick Suan via clamav-users <clamav-users@lists.clamav.net>
Sent: Wednesday, August 30, 2023 11:20
To: clamav-users <clamav-users@lists.clamav.net>
Cc: Nick Suan <nsuan@nonexiste.net>
Subject: Re: [clamav-users] Antivirus Bases showing outdated main.cvd with a version dated year 2021

While you have ClamAV 0.105.1_1 in your post, the screenshot says ClamAV 0.101_1.1, which is an unsupported version. What version of freshclam is trying to download updates? What do freshclam's logs say?

Re: Antivirus Bases showing outdated main.cvd with a version dated year 2021
Thank you for your email.

I was confused as the following statement from ClamAV's website doesn't reflect new date ranges within main.cvd correctly. This confusion stems from the following statement about main.cvd containing, and I quote, "signatures previously in daily.cvd." Therefore, the signature migration into main.cvd I assumed would constitute a new file or create a new date and version number for the main.cvd after several new daily.cvd updates.

I was under that assumption.

Thanks for the information.

"main.cvd contains signatures previously in daily.cvd that have shown to have a low false-positive risk."

________________________________
From: Andrew C Aitchison <andrew@aitchison.me.uk>
Sent: Wednesday, August 30, 2023 12:14:33 PM
To: Jonathan Lee via clamav-users <clamav-users@lists.clamav.net>
Cc: Jonathan Lee <jonathanlee571@gmail.com>
Subject: Re: [clamav-users] Antivirus Bases showing outdated main.cvd with a version dated year 2021

On Wed, 30 Aug 2023, Jonathan Lee via clamav-users wrote:

> Hello fellow ClamAV members,
>
>
> Can you please help?
>
>
> Per ClamAV's website:
> "ClamAV signatures come in a variety of formats, one for each of the distinct detection methods that the ClamAV file scanning engine supports. ClamAV also uses the ClamAV Virus Database (CVD) file format, which serves as a container for the compressed and digitally-signed official signature sets that power ClamAV — daily.cvd, main.cvd, and bytecode.cvd. Each signature set serves a different purpose:
>
> bytecode.cvd contains all compiled bytecode signatures evaluated by the bytecode interpreter engine
> daily.cvd contains signatures for the latest threats (updated daily)
> main.cvd contains signatures previously in daily.cvd that have shown to have a low false-positive risk."
>
>
> The main.cvd is not replacing itself with an updated version.
>
> Squid ClamAV is not updating the main.cvd and is listing 2021 version

You have the latest version.
ClamAV have not made a new version of main.cvd for nearly two years.
It is a very big file and stores the definitions that do not change very
often.

daily.cld (or daily.cvd depending how it reaches your machine)
contains the latest updates.




> Squid Version 5.7
> Antivirus Scanner ClamAV 0.105.1_1,1 C-ICAP 0.5.10,2 + SquidClamav 7.2
> Antivirus Bases
> Database Date Version Builder
> daily.cld 2023.03.14 26841 raynman
> bytecode.cvd 2023.02.22 334 anvilleg
> main.cvd 2021.09.16 62 sigmgr
> Last Update Tue Mar 14 00:22:56 2023
> Statistics Found 124 virus(es) total.
>
> Please see attached ClamAV is functional again main is not updating with prior daily.cvd
>
>
> It shows from 2021 still
>
>
>
> Ref:
> https://redmine.pfsense.org/issues/14108
> https://bugs.squid-cache.org/show_bug.cgi?id=5297
>
> Per developer investigation this is the newest file available for main.cvd
>
>

--
Andrew C. Aitchison Kendal, UK
andrew@aitchison.me.uk
Re: Antivirus Bases showing outdated main.cvd with a version dated year 2021
On Wed, 30 Aug 2023, Jonathan Lee via clamav-users wrote:

> Date: Wed, 30 Aug 2023 17:46:48 +0000
> From: Jonathan Lee via clamav-users <clamav-users@lists.clamav.net>
> To: "clamav-users@lists.clamav.net" <clamav-users@lists.clamav.net>
> Cc: Jonathan Lee <jonathanlee571@gmail.com>
> Subject: [clamav-users] Antivirus Bases showing outdated main.cvd with a
> version dated year 2021
>
> Hello fellow ClamAV members,
>
> Can you please help?
>
> Per ClamAV's website:
> "ClamAV signatures come in a variety of formats, one for each of the
> distinct detection methods that the ClamAV file scanning engine
> supports. ClamAV also uses the ClamAV Virus Database (CVD) file format,
> which serves as a container for the compressed and digitally-signed
> official signature sets that power ClamAV — daily.cvd, main.cvd, and
> bytecode.cvd. Each signature set serves a different purpose:
>
> bytecode.cvd contains all compiled bytecode signatures evaluated by
> the bytecode interpreter engine
> daily.cvd contains signatures for the latest threats (updated daily)
> main.cvd contains signatures previously in daily.cvd that have shown
> to have a low false-positive risk."
>
> The main.cvd is not replacing itself with an updated version.
> Squid ClamAV is not updating the main.cvd and is listing 2021 version
>
> Squid Version 5.7
> Antivirus Scanner ClamAV 0.105.1_1,1 C-ICAP 0.5.10,2 + SquidClamav 7.2
> Antivirus Bases
> Database Date Version Builder
> daily.cld 2023.03.14 26841 raynman
> bytecode.cvd 2023.02.22 334 anvilleg
> main.cvd 2021.09.16 62 sigmgr
> Last Update Tue Mar 14 00:22:56 2023
> Statistics Found 124 virus(es) total.
>
> Please see attached ClamAV is functional again main is not updating
> with prior daily.cvd
>
> It shows from 2021 still

[hubble:stock]:(/var/lib/clamav)$ ll
total 357496
-rw-r--r-- 1 clamav clamav 291965 Aug 29 07:59 bytecode.cvd
-rw-r--r-- 1 clamav clamav 195292672 Aug 30 10:07 daily.cld
-rw-r--r-- 1 clamav clamav 69 Aug 29 07:58 freshclam.dat
-rw-r--r-- 1 clamav clamav 170479789 Aug 29 07:59 main.cvd
[hubble:stock]:(/var/lib/clamav)$

You can sneak a peek at the database characteristics using a tool like
hexedit (use with caution):

hexedit daily.cld :

00000000 43 6C 61 6D 41 56 2D 56 44 42 3A 33 30 20 41 75 ClamAV-VDB:30 Au
00000010 67 20 32 30 32 33 20 30 33 2D 33 37 20 2D 30 34 g 2023 03-37 -04
00000020 30 30 3A 32 37 30 31 36 3A 32 30 34 30 31 30 32 00:27016:2040102
00000030 3A 39 30 3A 58 3A 58 3A 72 61 79 6E 6D 61 6E 3A :90:X:X:raynman:
00000040 31 36 39 33 33 38 31 30 32 34 20 20 20 20 20 20 1693381024
00000050 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
00000060 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

hexedit main.cvd :

00000000 43 6C 61 6D 41 56 2D 56 44 42 3A 31 36 20 53 65 ClamAV-VDB:16 Se
00000010 70 20 32 30 32 31 20 30 38 2D 33 32 20 2D 30 34 p 2021 08-32 -04
00000020 30 30 3A 36 32 3A 36 36 34 37 34 32 37 3A 39 30 00:62:6647427:90
00000030 3A 31 33 37 65 63 63 63 65 33 31 61 61 63 62 32 :137eccce31aacb2
00000040 31 62 35 61 39 38 62 62 38 63 32 31 63 65 66 64 1b5a98bb8c21cefd
00000050 36 3A 74 77 61 4A 42 6C 73 38 56 35 71 36 34 52 6:twaJBls8V5q64R
00000060 37 51 59 31 30 41 61 74 45 74 50 4E 75 50 57 6F 7QY10AatEtPNuPWo
00000070 56 6F 78 54 61 4E 4F 31 6A 70 42 67 37 73 35 6A VoxTaNO1jpBg7s5j
00000080 49 4D 4D 58 70 69 74 67 47 31 30 30 30 59 4C 70 IMMXpitgG1000YLp
00000090 36 72 62 30 54 57 6B 45 4B 6A 52 71 78 6E 65 47 6rb0TWkEKjRqxneG
000000A0 54 78 75 78 57 61 57 6D 37 58 42 6A 73 67 77 58 TxuxWaWm7XBjsgwX
000000B0 32 42 52 57 68 2F 79 34 66 68 73 37 75 79 49 6D 2BRWh/y4fhs7uyIm
000000C0 64 4B 52 4C 7A 51 35 79 38 65 32 45 6B 53 43 68 dKRLzQ5y8e2EkSCh
000000D0 65 67 46 2F 69 38 63 6C 71 66 6E 2B 31 71 65 74 egF/i8clqfn+1qet
000000E0 71 39 6A 34 67 62 6B 74 4A 33 4A 5A 70 4F 58 50 q9j4gbktJ3JZpOXP
000000F0 6F 48 6C 79 72 32 44 76 39 53 2F 42 67 3A 73 69 oHlyr2Dv9S/Bg:si
00000100 67 6D 67 72 3A 31 36 33 31 37 39 35 35 36 32 20 gmgr:1631795562
00000110 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
00000120 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

hexedit bytecode.cvd :

00000000 43 6C 61 6D 41 56 2D 56 44 42 3A 32 32 20 46 65 ClamAV-VDB:22 Fe
00000010 62 20 32 30 32 33 20 31 36 2D 33 33 20 2D 30 35 b 2023 16-33 -05
00000020 30 30 3A 33 33 34 3A 39 31 3A 39 30 3A 30 34 36 00:334:91:90:046
00000030 34 30 36 37 61 32 35 32 62 31 65 39 33 37 30 31 4067a252b1e93701
00000040 32 61 64 33 34 65 38 31 31 30 36 35 66 3A 75 72 2ad34e811065f:ur
00000050 56 42 43 62 68 4A 63 7A 38 76 36 69 31 45 36 48 VBCbhJcz8v6i1E6H
00000060 65 64 44 77 61 38 54 78 42 48 6E 4A 6B 6E 71 67 edDwa8TxBHnJknqg
00000070 37 53 45 2B 36 4A 57 42 74 6F 76 41 54 70 77 38 7SE+6JWBtovATpw8
00000080 4D 57 77 53 2B 6B 76 47 41 69 2F 2F 78 35 75 30 MWwS+kvGAi//x5u0
00000090 4C 49 46 77 68 50 76 55 73 67 45 42 42 65 46 69 LIFwhPvUsgEBBeFi
000000A0 5A 45 30 51 54 54 57 61 7A 4F 68 4A 2F 4C 66 4B ZE0QTTWazOhJ/LfK
000000B0 4A 4B 2B 6E 4F 44 71 68 61 36 63 54 76 61 51 64 JK+nODqha6cTvaQd
000000C0 4B 6C 32 72 53 62 45 4F 76 36 67 72 76 37 55 4F Kl2rSbEOv6grv7UO
000000D0 4E 56 38 65 4B 69 33 38 33 57 76 30 37 77 66 53 NV8eKi383Wv07wfS
000000E0 4E 59 70 2B 6C 50 4E 70 74 30 51 6D 65 6A 4B 62 NYp+lPNpt0QmejKb
000000F0 31 54 4D 48 41 59 54 41 3A 61 6E 76 69 6C 6C 65 1TMHAYTA:anville
00000100 67 3A 31 36 37 37 31 30 31 36 30 31 20 20 20 20 g:1677101601
00000110 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
00000120 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20


I think that main.cvd contains the basic stuff and definitions up and
until 16 Sep 2021. bytecode.cvd contains the current database
definitions which were implemented and activated on 22 Feb 2023.
There's no reason to believe that such a setup doesn't work.

--
Robert M. Stockmann - RHCE
Network Engineer - UNIX/Linux Specialist
crashrecovery.org stock@stokkie.net
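
Added example (not part of any post in this thread, and not ClamAV project code): the 512-byte header shown in the hex dumps above is a colon-separated ASCII record, and this Python code parses it and flags only a stale daily database, since the thread establishes that a main.cvd dated 2021 is expected. The field names, the `stale_databases` helper, its 7-day threshold and the placeholder MD5/signature values are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 512  # a .cvd/.cld file starts with a space-padded ASCII header
FIELDS = ("magic", "build_time", "version", "sigs", "flevel",
          "md5", "dsig", "builder", "stime")

def parse_cvd_header(raw: bytes) -> dict:
    """Split the colon-separated header into named fields."""
    parts = raw[:HEADER_SIZE].decode("ascii").rstrip().split(":")
    if len(parts) != len(FIELDS) or parts[0] != "ClamAV-VDB":
        raise ValueError("not a ClamAV database header")
    hdr = dict(zip(FIELDS, parts))
    for key in ("version", "sigs", "flevel", "stime"):
        hdr[key] = int(hdr[key])
    # stime is the build time as a Unix epoch; build_time is the same moment
    # as text, with "-" in place of ":" because ":" is the field separator.
    hdr["built_utc"] = datetime.fromtimestamp(hdr["stime"], tz=timezone.utc)
    return hdr

def stale_databases(headers: dict, now: datetime,
                    max_daily_age_days: int = 7) -> list:
    """Return names of databases whose age is a real warning sign.

    Only the daily set is expected to be recent; per the thread, main.cvd
    is republished rarely, so its build date alone is never flagged.
    The 7-day threshold is an assumption of this example.
    """
    limit = timedelta(days=max_daily_age_days)
    return [name for name, hdr in headers.items()
            if name.startswith("daily.") and now - hdr["built_utc"] > limit]

# Header text as shown in the hex dumps above. For main.cvd the MD5 and
# signature fields are replaced by constructed placeholders.
DAILY_HDR = (b"ClamAV-VDB:30 Aug 2023 03-37 -0400:27016:2040102:90:X:X:"
             b"raynman:1693381024").ljust(HEADER_SIZE)
MAIN_HDR = (b"ClamAV-VDB:16 Sep 2021 08-32 -0400:62:6647427:90:"
            b"MD5-PLACEHOLDER:SIG-PLACEHOLDER:sigmgr:1631795562").ljust(HEADER_SIZE)

if __name__ == "__main__":
    dbs = {"daily.cld": parse_cvd_header(DAILY_HDR),
           "main.cvd": parse_cvd_header(MAIN_HDR)}
    for name, h in dbs.items():
        print(name, "version", h["version"], "built", h["built_utc"].isoformat())
    now = datetime(2023, 8, 30, 18, 0, tzinfo=timezone.utc)
    print("stale:", stale_databases(dbs, now))
```

Against a real database, pass the first 512 bytes of the file, read in binary mode, to `parse_cvd_header`.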

Re: Antivirus Bases showing outdated main.cvd with a version dated year 2021

On Aug 30, 2023, at 13:55, Jonathan Lee via clamav-users <clamav-users@lists.clamav.net> wrote:
> This confusion stems from the following statement about main.cvd containing and I quote "signatures previously in daily.cvd." Therefore, the signature migration into main.cvd I assumed would constitute a new file or create a new date and version number for the main.cvd after several new daily.cvd updates.

Your assumption is mostly correct, except that it has sometimes taken several years before the developers have seen a need to migrate the daily.cvd into the main.cvd.

At the start of every freshclam run there is a DNS check to determine the latest versions of .cvd files posted, then compares them with the versions you have. If your main.cvd is out-of-date, it will attempt to download the latest and if that fails you will get a notification in your freshclam.log to that effect. As long as your freshclam runs exit normally, you can be assured your database is fully up-to-date.

-Al-