[clamav-users] Disable official database
Hi,

is it possible to disable official virus database? I would like to use
only custom database. Thanks for info.

azur



_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] Disable official database [ In reply to ]
Hi there,

On Sat, 24 Aug 2019, azurit@pobox.sk wrote:

> is it possible to disable official virus database? I would like to use only
> custom database. Thanks for info.

A quick look at the code in libclamav/readdb.c suggests to me that
this won't be very straightforward. The name of the 'daily' database
is hard-coded into the source. Database files are digitally signed,
so in theory you can't easily create an empty one and expect it to
load correctly. Perhaps the easiest approach would be to disable the
signature checks. Maybe you could patch the code so that it doesn't
read the databases which you don't need, and I'd guess that would be
useful to others too; it's been mentioned on this list recently, see
for example

https://lists.clamav.net/pipermail/clamav-users/2019-April/007901.html

I'm sure Micah would welcome well thought-out patches.

--

73,
Ged.

Re: [clamav-users] Disable official database [ In reply to ]
I mean, it's possible not to download the official definitions and just point at a custom file right?

> On Aug 24, 2019, at 10:29 AM, G.W. Haywood via clamav-users <clamav-users@lists.clamav.net> wrote:
>
> Hi there,
>
> On Sat, 24 Aug 2019, azurit@pobox.sk wrote:
>
>> is it possible to disable official virus database? I would like to use only custom database. Thanks for info.
>
> A quick look at the code in libclamav/readdb.c suggests to me that
> this won't be very straightforward. The name of the 'daily' database
> is hard-coded into the source. Database files are digitally signed,
> so in theory you can't easily create an empty one and expect it to
> load correctly. Perhaps the easiest approach would be to disable the
> signature checks. Maybe you could patch the code so that it doesn't
> read the databases which you don't need, and I'd guess that would be
> useful to others too; it's been mentioned on this list recently, see
> for example
>
> https://lists.clamav.net/pipermail/clamav-users/2019-April/007901.html
>
> I'm sure Micah would welcome well thought-out patches.
>
> --
>
> 73,
> Ged.
>
Re: [clamav-users] Disable official database [ In reply to ]
Hi there,

On Sat, 24 Aug 2019, Joel Esler (jesler) wrote:

> I mean, it's possible not to download the official definitions and
> just point at a custom file right?

No idea. Haven't tried it. If you can, it seems like it would be a
security hole. The code seems to be saying that it wants to load the
daily.c[lv]d file before anything else; the name is hard-coded into
the file I mentioned; and those files are signed. Given that there's
already been some discussion along these lines (e.g. see the link in
my last post) I'd be surprised if nobody else has tried it, but I've
been surprised before. :)

--

73,
Ged.

Re: [clamav-users] Disable official database [ In reply to ]
There is a configuration option to have ClamAV only load the official
signatures but this setting is disabled by default (it's the
OfficialDatabaseOnly setting for clamd, and '--official-db-only' for
clamscan). One exception to this is for bytecode signatures - only
official bytecode signatures are loaded by default. This can be changed by
using '--bytecode-unsigned=yes' for clamscan, and for clamd it looks like
the BytecodeSecurity setting can be used (depending on how ClamAV is built).

Although there is some code in ClamAV that ensures daily.cvd/daily.cld get
loaded before some other rule files if they are present, in general ClamAV
only cares about the file extension and uses that to determine whether it
should try to load a given set of rules. This makes it easy to use
third-party or custom rules - with clamd you can just copy the rule files
into the DatabaseDirectory directory and with clamscan you can either copy
the rules into the default rule directory or specify the path to the custom
rules with the '-d' flag.

Hope that helps!

-Andrew

On Sat, Aug 24, 2019 at 11:54 AM G.W. Haywood via clamav-users <
clamav-users@lists.clamav.net> wrote:

> Hi there,
>
> On Sat, 24 Aug 2019, Joel Esler (jesler) wrote:
>
> > I mean, it's possible not to download the official definitions and
> > just point at a custom file right?
>
> No idea. Haven't tried it. If you can, it seems like it would be a
> security hole. The code seems to be saying that it wants to load the
> daily.c[lv]d file before anything else; the name is hard-coded into
> the file I mentioned; and those files are signed. Given that there's
> already been some discussion along these lines (e.g. see the link in
> my last post) I'd be surprised if nobody else has tried it, but I've
> been surprised before. :)
>
> --
>
> 73,
> Ged.
>
Re: [clamav-users] Disable official database [ In reply to ]
On Sat, 24 Aug 2019, azurit@pobox.sk wrote:

> Hi,
>
> is it possible to disable official virus database? I would like to use only
> custom database. Thanks for info.

Before I retired nearly a year ago I ran for several years an instance
of clamd on the incoming mail servers at work that should only detect
macros in office files. These macros are detected by built-in
heuristics in clamd so I didn't need virus databases at all for these
clamd instances but I didn't want to run clamd in the ultimate edge
case using no databases. (I didn't even test if I could start clamd
without databases.)

I created a database directory containing only a custom database with a
single definition to detect the "eicar-virus". I created a customized
clamd config file pointing to this nearly empty database directory.
And I started these instances of clamd with the commandline option to
use this customized config file. The overhead involved with using
a single -actually not needed- eicar definition was acceptable to me.

So yes, at that time, it was possible to run at least clamd without
the official virus database. I only used this with clamd, not with
clamscan. And I didn't test this with the current clamav version.


Regards,

Kees.

--
Kees Theunissen
Email: kees.theunissen@xs4all.nl

Re: [clamav-users] Disable official database [ In reply to ]
Hi there,

On Sun, 25 Aug 2019, Kees Theunissen wrote:
> On Sat, 24 Aug 2019, azurit@pobox.sk wrote:
>
>> is it possible to disable official virus database? I would like to use only
>> custom database. Thanks for info.
>
> ... I didn't need virus databases at all ... (I didn't even test if
> I could start clamd without databases.)
>
> I created a database directory containing only a custom database ...
>
> So yes, at that time, it was possible to run at least clamd without
> the official virus database. I only used this with clamd, not with
> clamscan. And I didn't test this with the current clamav version.

To find out what might work and what might not, here's what I did:

======================================================================
Using 'clamd':
8<----------------------------------------------------------------------

1. I moved the 'main.cld' and 'daily.cld' files from my working clamav
database directory to a temporary directory, replaced them with empty
files, and by sending a message to its TCP port I told one of my clamd
daemons to reload its databases. (By default clamd doesn't listen on
TCP, but I normally configure that anyway.) Here's what happened:

Aug 25 08:28:01 mail6 root: PONG
Aug 25 08:28:20 mail6 ged: RELOADING
Aug 25 08:28:23 mail6 clamd[4518]: Reading databases from /etc/mail/clamav
Aug 25 08:28:23 mail6 clamd[4518]: reload db failed: Malformed database
Aug 25 08:28:23 mail6 clamd[4518]: Terminating because of a fatal error.
Aug 25 08:28:23 mail6 clamd[4518]: Pid file removed.
Aug 25 08:28:23 mail6 clamd[4518]: --- Stopped at Sun Aug 25 08:28:23 2019

The clamd daemon disliked the empty 'main' and 'daily' files and died.
I guess some folk might prefer it to carry on with the old databases,
but at least it's very clear what's happened.

8<----------------------------------------------------------------------

2. Instead, I simply moved the two files elsewhere and said 'RELOAD'.
This was successful. Just the 'safebrowsing' etc. and third-party
signatures were reloaded and the daemon seemed happy. As you can see,
without 'main' and 'daily' there were only 2.6 million signatures:

Aug 25 08:35:01 mail6 root: PONG
Aug 25 08:35:32 mail6 ged: RELOADING
Aug 25 08:35:35 mail6 clamd[5479]: Reading databases from /etc/mail/clamav
Aug 25 08:35:49 mail6 clamd[5479]: Database correctly reloaded (2603979 signatures)
Aug 25 08:36:01 mail6 root: PONG

8<----------------------------------------------------------------------

3. After replacing 'main' and 'daily' where they normally live, back up
to nearly 9 million signatures:

Aug 25 08:36:39 mail6 ged: RELOADING
Aug 25 08:36:40 mail6 clamd[5479]: Reading databases from /etc/mail/clamav
Aug 25 08:36:56 mail6 ged: RELOADING
Aug 25 08:37:01 mail6 root: PONG
Aug 25 08:38:01 mail6 root: PONG
Aug 25 08:39:01 mail6 root: PONG
Aug 25 08:40:01 mail6 root: PONG
Aug 25 08:40:05 mail6 clamd[5479]: Database correctly reloaded (8900727 signatures)
Aug 25 08:41:01 mail6 root: PONG

======================================================================

Using 'clamscan':
8<----------------------------------------------------------------------

4. Running clamscan with my production database directory on a random
test file supplied by the ClamAV install:

mail6:~/src/net/mail/clamav-0.101.4/test$ >>> clamscan -d /etc/mail/clamav clam.exe
clam.exe: Clamav.Test.File-6 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8893502
Engine version: 0.101.4
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 215.517 sec (3 m 35 s)

8<----------------------------------------------------------------------

5. The same, using a completely empty database directory:

mail6:~/src/net/mail/clamav-0.101.4/test$ >>> clamscan -d /etc/mail/clamav/empty clam.exe
LibClamAV Error: cli_loaddbdir(): No supported database files found in /etc/mail/clamav/empty
ERROR: Can't open file or directory

----------- SCAN SUMMARY -----------
Known viruses: 0
Engine version: 0.101.4
Scanned directories: 0
Scanned files: 0
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 0.015 sec (0 m 0 s)

8<----------------------------------------------------------------------

6. The same, using a database directory containing just an empty file:

mail6:~/src/net/mail/clamav-0.101.4/test$ >>> ls -l /etc/mail/clamav/empty/
total 0
-rw-r--r-- 1 root root 0 Aug 25 10:25 empty.ign2

mail6:~/src/net/mail/clamav-0.101.4/test$ >>> /usr/local/bin/clamscan -d /etc/mail/clamav/empty clam.exe
clam.exe: OK

----------- SCAN SUMMARY -----------
Known viruses: 0
Engine version: 0.101.4
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 0.017 sec (0 m 0 s)

8<----------------------------------------------------------------------

This was all with the current ClamAV version. LibClamAV is not happy
with no database files at all, but it's happy if at least one file in
the database is readable, even if it's only 'empty.ign2'. So it seems
that the way to do what the OP wants is simply to remove the official
databases from the database directory.

Since for the vast majority of users the 'main' and 'daily' files are
the mainstay of ClamAV operation it might perhaps be a little worrying
that a configuration error (even if not malicious) which causes these
files not to be read could pass without notice. I can't help thinking
that it would be better if, by default, ClamAV gave a warning that the
'main' and 'daily' files weren't found.

If there's documentation on this kind of usage I've failed to find it.

--

73,
Ged.

Re: [clamav-users] Disable official database [ In reply to ]
Joel Esler (jesler) via clamav-users wrote:
> I mean, it's possible not to download the official definitions and just point at a custom file right?

*nod* This works fine. I have a secondary Clam instance set up to use
only a selection of third-party signatures that I do not absolutely
trust as hard black/white tests, which is called from SpamAssassin and
scored based on the resulting signature names.

clamd will use whatever database files are in its database directory.
It does NOT use anything in any subdirectories.

clamscan will use those, or:

1) whatever database files are in the directory you specify with the -d
argument, or

2) whatever single database file you specify with the -d argument

The only constant is that there must be at least one signature database,
even if it's a trivial hash database with one signature that matches on
an empty file.

-kgd

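Ged asks above for a warning when 'main' and 'daily' are absent, and Kris notes that at least one signature database must exist (even a one-line hash database). The pre-reload check below is an added example, not part of the thread or of ClamAV itself: it audits a database directory by file extension the way the posts describe loading works, flags zero-byte .cvd/.cld files (the "Malformed database" case from step 1), and builds the one-line .hdb signature Kris mentions. The extension list is an assumed representative subset of what libclamav accepts.

```python
import hashlib
import os

# Extensions ClamAV will try to load (assumption: a representative subset;
# the real list in libclamav/readdb.c is longer).
LOADABLE_EXTS = {".cvd", ".cld", ".hdb", ".hsb", ".mdb", ".ndb", ".ldb",
                 ".cdb", ".pdb", ".wdb", ".fp", ".ign", ".ign2", ".yar", ".yara"}
OFFICIAL_FILES = {"main.cvd", "main.cld", "daily.cvd", "daily.cld"}
# Ignore lists carry no signatures, so an empty one is harmless; an empty
# .cvd/.cld is what produced "reload db failed: Malformed database".
MAY_BE_EMPTY = {".ign", ".ign2"}


def hash_signature_line(data: bytes, name: str) -> str:
    """Build one .hdb line (MD5:FileSize:MalwareName) for a custom database."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def audit_entries(entries):
    """entries: iterable of (filename, size_in_bytes) found in the db directory.
    Returns the findings a pre-reload check would report."""
    loadable, empty_risky = [], []
    for fname, size in entries:
        ext = os.path.splitext(fname)[1].lower()
        if ext not in LOADABLE_EXTS:
            continue  # clamd/clamscan skip files with unknown extensions
        loadable.append(fname)
        if size == 0 and ext not in MAY_BE_EMPTY:
            empty_risky.append(fname)
    official = sorted(f for f in loadable if f in OFFICIAL_FILES)
    return {
        "loadable": sorted(loadable),
        "official_present": bool(official),
        "official": official,
        "empty_risky": sorted(empty_risky),
        # libclamav refuses to run with no loadable file at all, and clamd
        # aborts the reload on an empty official database
        "usable": bool(loadable) and not empty_risky,
    }


def audit_database_dir(dbdir: str):
    """Filesystem wrapper: clamd only reads the top level, not subdirectories."""
    entries = []
    for fname in os.listdir(dbdir):
        path = os.path.join(dbdir, fname)
        if os.path.isfile(path):
            entries.append((fname, os.path.getsize(path)))
    return audit_entries(entries)


if __name__ == "__main__":
    import sys
    report = audit_database_dir(sys.argv[1] if len(sys.argv) > 1 else ".")
    if not report["official_present"]:
        print("WARNING: no main/daily database present; only custom rules will load")
    for f in report["empty_risky"]:
        print(f"WARNING: {f} is empty; clamd will abort the reload as malformed")
    if not report["usable"]:
        print("ERROR: nothing loadable here; clamscan/clamd will refuse to run")
    print(report)
```

Run it against the DatabaseDirectory before sending RELOAD to clamd; it only checks presence and size, not the signed .cvd/.cld contents.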
Re: [clamav-users] Disable official database [ In reply to ]
G.W. Haywood via clamav-users wrote:
> To find out what might work and what might not, here's what I did:
>
> ======================================================================
> Using 'clamd':
> 8<----------------------------------------------------------------------
>
> 1. I moved the 'main.cld' and 'daily.cld' files from my working clamav
> database directory to a temporary directory, replaced them with empty
> files, and by sending a message to its TCP port I told one of my clamd
> daemons to reload its databases.  (By default clamd doesn't listen on
> TCP, but I normally configure that anyway.)  Here's what happened:
>
> Aug 25 08:28:01 mail6 root: PONG
> Aug 25 08:28:20 mail6 ged: RELOADING
> Aug 25 08:28:23 mail6 clamd[4518]: Reading databases from /etc/mail/clamav
> Aug 25 08:28:23 mail6 clamd[4518]: reload db failed: Malformed database
> Aug 25 08:28:23 mail6 clamd[4518]: Terminating because of a fatal error.
> Aug 25 08:28:23 mail6 clamd[4518]: Pid file removed.
> Aug 25 08:28:23 mail6 clamd[4518]: --- Stopped at Sun Aug 25 08:28:23 2019
>
> The clamd daemon disliked the empty 'main' and 'daily' files and died.
> I guess some folk might prefer it to carry on with the old databases,
> but at least it's very clear what's happened.

From my own experience, I expect this is because they were, as per the
error, "malformed". ClamAV is very picky about this - too picky IMO.

If a signature database is present, it is expected to contain at least
one signature, which is a valid signature for the database "type". An
empty file is not a valid signature database file.


> 6. The same, using a database directory containing just an empty file:
>
> mail6:~/src/net/mail/clamav-0.101.4/test$ >>> ls -l /etc/mail/clamav/empty/
> total 0
> -rw-r--r-- 1 root root 0 Aug 25 10:25 empty.ign2
>
> mail6:~/src/net/mail/clamav-0.101.4/test$ >>> /usr/local/bin/clamscan -d
> /etc/mail/clamav/empty clam.exe
> clam.exe: OK

This is consistent with my experience; .ign[2] is basically a list of
signatures to ignore, and so it can reasonably be empty. Strictly
speaking it's not a signature database file, because it does not contain
actual signatures - just the names of signatures to ignore/skip.

If you wanted to use *ONLY* one or more of the internal heuristic tests,
this is probably the best option.

-kgd

Re: [clamav-users] Disable official database [ In reply to ]
Hi there,

On Mon, 26 Aug 2019, Kris Deugau wrote:

> The only constant is that there must be at least one signature
> database, even if it's a trivial hash database with one signature
> that matches on an empty file.

AFAICT the signature database file doesn't even need to have any
signatures in it; it can just be an empty file. See my earlier
post, extract below:

8<----------------------------------------------------------------------

6. The same, using a database directory containing just an empty file:

mail6:~/src/net/mail/clamav-0.101.4/test$ >>> ls -l /etc/mail/clamav/empty/
total 0
-rw-r--r-- 1 root root 0 Aug 25 10:25 empty.ign2

mail6:~/src/net/mail/clamav-0.101.4/test$ >>> /usr/local/bin/clamscan -d /etc/mail/clamav/empty clam.exe
clam.exe: OK

----------- SCAN SUMMARY -----------
Known viruses: 0
Engine version: 0.101.4
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 0.017 sec (0 m 0 s)

8<----------------------------------------------------------------------

This aspect is a little concerning. There's the potential for e.g. a
typo on a command line (or a misconfiguration) to permit a malicious
file, which might otherwise be detected, quietly to escape detection.

--

73,
Ged.

Re: [clamav-users] Disable official database [ In reply to ]
Hi there,

On Mon, 26 Aug 2019, Kris Deugau wrote:

> G.W. Haywood via clamav-users wrote:
>> 6. The same, using a database directory containing just an empty file:
>>
>> mail6:~/src/net/mail/clamav-0.101.4/test$ >>> ls -l /etc/mail/clamav/empty/
>> total 0
>> -rw-r--r-- 1 root root 0 Aug 25 10:25 empty.ign2
>
> This is consistent with my experience ...

Mails crossed :/

--

73,
Ged.
