Frequently Asked Questions

How do I remove the clamav account from my MacOSX server 10.4 (Tiger)?

Ideally you wouldn’t. It’s harmless by itself and highly useful if you wish to take advantage of the integration Apple has provided with the email service, amavisd and ClamAV. Removing the account will break this functionality. But if you insist, you can do it like this:

- Launch Workgroup Manager and authenticate to your server.
- Make sure you’re working in the /NetInfo/DefaultLocalNode directory (click the tiny blue globe with the triangle beside it).
- From the View menu at the top of the screen, select Show System Users and Groups.
- Select and delete the ClamAV user account.

What is the password for the clamav user on MacOSX server 10.4 (Tiger)?

There is no valid password for this account. In Mac OS X terms, the account is disabled in the same way that the root account is disabled on Mac OS X client systems. Technically speaking, the account's password hash is *, to which no possible password value can be mapped. Nobody can log in as this user. In this way it is identical to the www account and others on the system which are used to restrict processes such as clamscan, clamd and httpd from reading or writing files they should not be touching.

How do I upgrade ClamAV?

Visit our "Wiki":UpgradeInstructions. The page can be edited by anyone. If you can make those instructions better, please do.

What does WARNING: Current functionality level = 1, required = 2 mean?

The functionality level of the database determines which scanner engine version is required to use all of its signatures. Signatures that need a higher functionality level than your engine provides are skipped, so if you don't upgrade immediately you will miss the latest viruses.

What does Your ClamAV installation is OUTDATED mean?

You'll get this message whenever a new version of ClamAV is released. In order to detect all the latest viruses, it's not enough to keep your database up to date. You also need to run the latest version of the scanner. You can download the "sources":stable of the latest release from our website. Upgrade instructions are on the "WikiWiki":wikiwiki. If you are afraid to break something while upgrading, use the "precompiled packages":binary for your operating system/distribution. Remember: running the latest stable release also improves stability.

I upgraded to the latest stable version but I still get the message Your ClamAV installation is OUTDATED, why?

Make sure there is really only one version of ClamAV installed on your system:

    $ whereis freshclam
    $ whereis clamscan

Also make sure that you haven't got old libraries (libclamav.so*) lying around your filesystem. You can check which libclamav freshclam actually links against with:

    $ ldd `which freshclam`

As of 2007-02-19, I get this message on my Windows box. The latest version at http://clamwin.com/ is still version 0.88.7 -- when I do "Tools | download database update", I get the message

    WARNING: Your ClamAV installation is OUTDATED!
    WARNING: Local version: 0.88.7 Recommended version: 0.90
    DON'T PANIC! Read http://www.clamav.net/faq.html
but "Help | check latest version" gives me a seemingly-contradictory message:

    You have the latest version of ClamWin Free Antivirus (0.88.7).

What does WARNING: DNS record is older than 3 hours mean?

freshclam attempts to detect potential problems with DNS caches and switches to the old mode if something looks suspicious. If this message appears seldom, you can safely ignore it. If you get the error every time you run freshclam, check your system clock. If it is set correctly, check your DNS settings. If those didn't help, try putting this at the top of your cronjob, so that the log shows the TXT record next to the current time:

    host -t txt current.cvd.clamav.net; perl -e 'printf "%d\n", time;'
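As an added illustration (not part of the original FAQ), the following Python script reproduces the two checks freshclam performs on the current.cvd.clamav.net TXT record: the 3-hour staleness test behind this warning and the version comparison behind the OUTDATED warning above. The sample record is constructed, and the field layout it assumes is stated in the comments; run it next to the real `host -t txt` output to compare.

```python
import re
import time

# Constructed sample of what `host -t txt current.cvd.clamav.net` prints.
# The field layout (ClamAV version : main.cvd version : daily.cvd version :
# UNIX timestamp : further fields) is the one freshclam reads; the numbers
# are invented for this example.
SAMPLE_HOST_OUTPUT = (
    'current.cvd.clamav.net descriptive text "0.90:42:2879:1174582805:1:34"'
)

STALE_AFTER = 3 * 3600  # freshclam warns when the record is older than 3 hours


def parse_dns_record(text):
    """Return the record's fields as a dict, or None if no usable record."""
    match = re.search(r'"([^"]+)"', text)
    raw = match.group(1) if match else text.strip()
    fields = raw.split(":")
    if len(fields) < 4 or not all(f.isdigit() for f in fields[1:4]):
        return None  # not a current.cvd record (bogus or truncated reply)
    return {
        "clamav_version": fields[0],
        "main": int(fields[1]),
        "daily": int(fields[2]),
        "timestamp": int(fields[3]),
    }


def record_is_stale(record, now=None):
    """True when the record is older than 3 hours relative to the local
    clock: the condition behind "DNS record is older than 3 hours"."""
    if now is None:
        now = int(time.time())
    return record["timestamp"] + STALE_AFTER < now


def version_tuple(version):
    """Numeric parts of a dotted version; '0.90.1' -> (0, 90, 1)."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def installation_outdated(local_version, recommended_version):
    """True when the local engine is older than the version advertised
    in DNS (numeric comparison, a simplification of freshclam's check)."""
    return version_tuple(local_version) < version_tuple(recommended_version)


def databases_behind(record, local_main, local_daily):
    """Names of the local databases older than the advertised versions."""
    behind = []
    if local_main < record["main"]:
        behind.append("main")
    if local_daily < record["daily"]:
        behind.append("daily")
    return behind


if __name__ == "__main__":
    rec = parse_dns_record(SAMPLE_HOST_OUTPUT)
    print("record:", rec)
    print("stale:", record_is_stale(rec))
    print("engine outdated:", installation_outdated("0.88.7", rec["clamav_version"]))
    print("databases behind:", databases_behind(rec, 42, 2870))
```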

I got an error message followed by report to bugs.clamav.net: can you fix this bug?

If you want us to fix the bug, you need to send us the error message *and* the file that triggered it. Without the file your report is totally useless for us. Despite what the error message says, the preferred way to submit bug reports is now to use our bugzilla interface.

How often is the virus database updated?

The virus database is usually updated many times per week. Check out http://lurker.clamav.net/list/clamav-virusdb.html to see our response times to new threats. The virusdb team tries to keep up with the latest worm in the wild. When a new worm spreads out, often it is less than one hour before we release a database update. You can contribute to make the virusdb updating process more efficient by submitting samples of viruses via our "web interface":submit.

How many times per hour shall I run freshclam?

If you are running ClamAV 0.7x please *upgrade NOW*. If you are running ClamAV 0.8x or later, you can check for database updates as often as 4 times per hour provided that you have the following options in freshclam.conf:

    DNSDatabaseInfo current.cvd.clamav.net
    DatabaseMirror db.XY.clamav.net
    DatabaseMirror database.clamav.net

Replace XY with your "country code":iana. If you don't have those options, then you must stick with 1 check per hour.

I tried to submit a sample through the web interface, but it said the sample is already recognized by ClamAV. My clamscan tells me it's not. I have already updated my database and ClamAV engine, what's wrong with my setup?

Please run clamscan with the --detect-broken option. Also check that freshclam and clamscan are using the same path for storing/reading the database.

ClamAV doesn't work! It doesn't add any header to the messages that transit on my mail server.

ClamAV itself is an antivirus and its job is to scan files, not to do fancy things with your mail headers. In order to use ClamAV with your MTA you need a content filter program. If you are using clamav-milter you can ask for help on our mailing lists. If you are using any other content filter, find the address of the official mailing-list (if any) or contact the author.

Can phishing be considered one kind of spam? ClamAV should not detect it as some kind of malware.

Starting from release 0.90, ClamAV allows you to choose whether to detect phish as some kind of malware or not. This should put an end to the endless threads on our mailing lists. So long, and thanks for all the phish.

I can't resolve current.cvd.clamav.net! Is there a problem with your/my DNS servers?

current.cvd.clamav.net has only a TXT record, not an A record! Try this command:

    $ host -t txt current.cvd.clamav.net

Please note that some DNS servers that are not RFC compliant (namely the one shipped with the SpeedTouch Alcatel 510 modem) can't resolve TXT records. If that's the case, please recompile ClamAV with the flag --enable-dns-fix.

Can I convert the new database format to the old one?

Yes, install a recent version of sigtool and run:

    $ sigtool --unpack-current daily.cvd
    $ sigtool --unpack-current main.cvd

ClamAV crashes/hangs/doesn't compile/doesn't start. Did I find a bug?

Before reporting a bug, please download the latest CVS code and try to reproduce the bug with it. Chances are the bug you encountered has already been fixed. If you really feel like you found a bug, please visit our bugzilla interface. Before submitting your bug please check if a similar report is already present.

How do I start clamd at boot time?

If you installed ClamAV from a binary package or ports, you should already have a script that starts clamd at boot time. If you compiled ClamAV by yourself, then look in the contrib/init/ directory of the source package.

How do I automatically restart clamd when it dies?

Set up a cronjob which checks that clamd is up and running every XX minutes. You can find examples in the contrib/clamdmon/ and contrib/clamdwatch/ directories. You can also check clamd from the command prompt with a simple:

    echo PING|socat - /tmp/clamd
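An added example (not one of the ClamAV contrib/ scripts) of the same PING check done from Python, suitable for a cron job: it connects to clamd's local socket, expects PONG, and runs a restart command otherwise. The socket path and restart command are assumptions to adjust for your installation; FakeClamd is a constructed stand-in that lets the check be exercised without a real daemon.

```python
import os
import socket
import subprocess
import tempfile
import threading

# Assumed values: the LocalSocket path from clamd.conf and the command that
# restarts clamd on this host. Adjust both to your installation.
CLAMD_SOCKET = "/tmp/clamd"
RESTART_COMMAND = ["/etc/init.d/clamav-daemon", "restart"]


def clamd_responds(socket_path=CLAMD_SOCKET, timeout=5.0):
    """Send PING on the local socket; True only if clamd answers PONG.
    Connection refused, a missing socket, a timeout or any other reply
    all count as "down"."""
    try:
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            sock.connect(socket_path)
            sock.sendall(b"PING\n")
            reply = sock.recv(64)
    except OSError:  # includes socket.timeout
        return False
    return reply.strip() == b"PONG"


def ensure_clamd_running(socket_path=CLAMD_SOCKET, restart=None):
    """Cron entry point: return "ok" if clamd answers, otherwise run the
    restart action (default: RESTART_COMMAND) and return "restarted"."""
    if clamd_responds(socket_path):
        return "ok"
    if restart is None:
        restart = lambda: subprocess.call(RESTART_COMMAND)
    restart()
    return "restarted"


class FakeClamd:
    """Stand-in for clamd so the check can be exercised without a real
    daemon: answers PONG to PING on a throwaway socket until stopped."""

    def __init__(self):
        self.dir = tempfile.mkdtemp()
        self.path = os.path.join(self.dir, "clamd")
        self.server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.server.bind(self.path)
        self.server.listen(1)
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, _ = self.server.accept()
            except OSError:
                return  # listening socket closed by stop()
            with conn:
                if conn.recv(64).strip() == b"PING":
                    conn.sendall(b"PONG\n")

    def stop(self):
        self.server.close()
        os.unlink(self.path)
        os.rmdir(self.dir)
```

Call ensure_clamd_running() from a cron job every few minutes; it returns "ok" while clamd answers and "restarted" after it had to run the restart command.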

How do I automatically restart clamav-milter when it dies?

Set up a cronjob which checks that clamav-milter is up and running every XX minutes. You can find an example at http://www.itg.uiuc.edu/itg_software/clmilter_watch/

What does SECURITY WARNING: NO SUPPORT FOR DIGITAL SIGNATURES mean?

The ClamAV package requires the GMP library to verify the digital signature of the virus database. When building ClamAV you need the GMP library and its headers: if you are using Debian just run apt-get install libgmp3-dev, if you are using an RPM based distribution install the gmp-devel package. You'll need to rerun ./configure and recompile ClamAV.

I visited www.webmail.us/testvirus and tried to send some viruses to my server. ClamAV failed to detect some of them, why?

Some messages will get through (24 and 25 ATM), but since they don't contain any virus there's nothing to find and therefore nothing to stop. By definition ClamAV only traps malicious code. "testvirus":testvirus sends some messages which don't contain any virus string, but only have some malformed MIME tags that can fool Outlook clients. It's not an antivirus's job to detect such messages.

How do I keep my virus database up to date?

ClamAV comes with freshclam, a tool which periodically checks for new database releases and keeps your database up to date.

I get this error when running freshclam: Invalid DNS reply. Falling back to HTTP mode or ERROR: Can't query current.cvd.clamav.net . What does it mean?

There are 2 completely different problems that give this symptom:

(a) There is a problem with your DNS server. Please check the entries in /etc/resolv.conf and verify that you can resolve the TXT record manually:

    $ host -t txt current.cvd.clamav.net

If you can't, it means your network is broken. You'll still be able to download the updates, but you'll waste a lot of bandwidth checking for updates.

(b) This also happens to laptop users who (1) enable automatic database updates, but (2) their PC is hibernating at the scheduled update-time, and (3) their laptop takes a couple of minutes to re-connect to the network (DHCP, etc.) when they wake up. When you wake the laptop up, ClamAV notices that it's past time for an update, so it immediately tries to download the update. When the update fails (because the laptop still hasn't connected to the network), ClamAV gives that error. (ClamAV does try again 10 seconds later, but that's not long enough for my laptop to connect). How can we solve this problem? One work-around for now: After the PC has (finally!) connected to the network, manually tell ClamAV to download an update "now".

I get this error when running freshclam: ERROR: Connection with ??? failed . What shall I do?

Either your DNS servers are not working or you are blocking port 53/tcp. You should manually check that you can resolve hostnames with:

    $ host database.clamav.net

If it doesn't work, check your DNS settings in /etc/resolv.conf. If it works, check that you can receive DNS answers longer than 512 bytes (such answers are retried over TCP), e.g. check that your firewall is not blocking packets which originate from port 53/tcp. An easy way to find it out is:

    $ dig @ns1.clamav.net db.us.big.clamav.net

How do I know if my IP address has been blacklisted?

Try to download daily.cvd with lynx or wget from the same machine that is running freshclam. Future versions of freshclam will provide a better way to deal with this.

I'm running ClamAV on a lot of clients on my local network. Can I mirror the database locally so that each client doesn't have to download it from your servers?

Sure, install a proxy server and then configure your freshclam clients to use it (watch for the HTTPProxyServer parameter in man freshclam.conf).

Can I download the virusdb manually?

Yes, the virusdb can be downloaded following the ClamAV Virus database link on the left menu.

How can I list the virus signature names contained in the database?

If you are using a recent version of ClamAV just run:

    $ sigtool --list-sigs

I found an infected file in my HD/floppy/mailbox, but ClamAV doesn't recognize it yet. Can you help me?

Our virus database is kept up to date with the help of the community. Whenever you find a new virus which is not detected by ClamAV you should "complete this form":submit. The virusdb team will review your submission and update the database if necessary. Before submitting a new sample:

- check that the value of DatabaseDirectory, in both clamd.conf and freshclam.conf, is the same
- update your database by running freshclam

I can't wait for you to update the database! I need to use the new signature NOW!

No problem, save your own signatures in a text file with a .db extension. Put it in the same dir where the .cvd files are located. ClamAV will load it after the official .cvd files. You do not need to sign the .db file.

I'm using ClamAV in a production environment and a brand new virus is not being recognized by ClamAV. How long do I have to wait before ClamAV can start filtering the virus?

No time at all! Find a signature for that virus and modify your virus database accordingly (see signatures.pdf in the doc/ dir). Remember to "submit":submit the sample to the virusdb team.

Why is ClamAV calling the XXX virus with another name?

This usually happens when we add a signature before other AV vendors. No well-known name is available at that moment so we have to invent one. Renaming the virus after a few days would just confuse people more, so we usually keep on using our name for that virus. The only exception is when a new name is established soon after the signature addition. You can find more info about this in the "virus naming":cvdinfo page.

How do I know when database updates are released?

Subscribe to the "clamav-virusdb":ml mailing-list.

I found a false positive in ClamAV virus database. What shall I do?

Complete the form at http://www.clamav.net/sendvirus.html. Be sure to select "The file attached is... a false positive".

I get many false positives of Oversized.Zip

Whenever a file exceeds ArchiveMaxCompressionRatio (see clamd.conf man page), it's considered a logic bomb and marked as Oversized.Zip. Try increasing your ArchiveMaxCompressionRatio setting because the (zip) file may simply be "highly compressed" and thus inadvertently resemble an archive bomb. This testing is done on a file by file basis within the archive, so one hugely compressed file within an archive will trigger the test. It should be noted that this is on purpose: slipping a hypercompressed file into an otherwise normal appearing archive is exactly how many archive bombs work. The default ArchiveMaxCompressionRatio is 250. Test different settings with, for example,

    clamscan --max-ratio=400 file.zip

until you find a reasonable ratio that works. Note that clamscan does not use /etc/clamd.conf. Then modify ArchiveMaxCompressionRatio in /etc/clamd.conf accordingly and restart clamav-milter (if you use clamav-milter).
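To see which member of an archive is tripping the limit before raising ArchiveMaxCompressionRatio, here is an added Python example (not ClamAV code) that computes the per-member uncompressed/compressed ratio the FAQ describes, on a constructed zip holding one ordinary text file and one highly compressible member. ratio_needed() gives the smallest --max-ratio at which that archive would pass.

```python
import io
import math
import zipfile

DEFAULT_MAX_RATIO = 250  # ArchiveMaxCompressionRatio default quoted in the FAQ


def member_ratios(zip_bytes):
    """Per-member uncompressed/compressed size ratio, as (name, ratio) pairs.
    A stored (uncompressed) or empty member gets ratio 1.0."""
    ratios = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            if info.compress_size == 0:
                ratio = 1.0
            else:
                ratio = info.file_size / info.compress_size
            ratios.append((info.filename, ratio))
    return ratios


def oversized_members(zip_bytes, max_ratio=DEFAULT_MAX_RATIO):
    """Members whose ratio exceeds max_ratio: the ones that would make the
    archive be reported as Oversized.Zip at that setting."""
    return [name for name, ratio in member_ratios(zip_bytes) if ratio > max_ratio]


def ratio_needed(zip_bytes):
    """Smallest whole --max-ratio value at which the archive scans clean."""
    return math.ceil(max(ratio for _, ratio in member_ratios(zip_bytes)))


def build_sample_zip():
    """Constructed archive: a normal text file plus 4 MiB of zeros, which
    deflate shrinks far more than 250x (roughly 1000x)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("README.txt", "Quarterly report, nothing to see here.\n" * 20)
        archive.writestr("padding.bin", b"\0" * (4 * 1024 * 1024))
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    for name, ratio in member_ratios(sample):
        print(f"{name}: ratio {ratio:.1f}")
    print("over the default limit:", oversized_members(sample))
    print("smallest --max-ratio that passes:", ratio_needed(sample))
```

Pass the bytes of a real archive to member_ratios() to find out which file inside it is the "hypercompressed" one before deciding whether to raise the limit.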

How do I verify the integrity of ClamAV sources?

Using GnuPG (http://www.gnupg.org/) you can easily verify the authenticity of your stable release downloads by using the following method:

- Download Tomasz Kojm's "key":http://www.clamav.net/gpg/tkojm.gpg from the clamav.net site.
- Import the key into your local public keyring:

    $ gpg --import tkojm.gpg

- Download the stable release AND the corresponding .sig file to the same directory.
- Verify that the stable release download is signed with Tomasz Kojm's key:

    $ gpg --verify clamav-X.XX.tar.gz.sig

Please note that the resulting output MUST contain the following: Good signature from Tomasz Kojm.

Can ClamAV disinfect files?

No, it can't. We will add support for disinfecting OLE2 files in one of the next stable releases. There are no plans for disinfecting other types of files. There are many reasons for it: cleaning viruses from files is virtually pointless these days. It is very seldom that there is anything useful left after cleaning, and even if there is, would you trust it?

When using clamscan, is there a way to know which message within an mbox is infected?

There are two solutions:

- Run clamscan --debug and look for "Deal with email number xxx".
- Alternatively you can convert the mbox to Maildir format, run clamscan on it and then convert it back to mbox format. There are many tools available which can convert to and from Maildir format: formail, mbox2maildir and maildir2mbox.

I'm running ClamAV + amavisd-new and get the following error in my mail log:

    amavis: Clam Antivirus-clamd FAILED - unknown status:/var/lib/amavis/amavis-20060917T120205-21416/parts: lstat() failed. ERROR\n
    amavis: WARN: all primary virus scanners failed, considering backups

What's wrong?

One of the reasons is that clamd cannot access the messages to scan because it is running as a different user from amavis. Such separation is a desirable approach and it is better not to remove it. In the following solution I assume that clamd is run as user clamav, group clamav, and amavisd is run as user amavis, group amavis. Add user clamav to the group amavis (the corresponding entry in /etc/group looks like amavis:x:105:clamav, where 105 is the example GID of group amavis). Put AllowSupplementaryGroups in clamd.conf. This way clamd will be able to read amavisd's files without giving amavisd too much power over clamd.

I'm running Qmail+Qmail-Scanner+ClamAV and get the following error in my mail logs: clamdscan: corrupt or unknown clamd scanner error or memory/resource/perms problem. What's wrong with it?

Most likely clamd is not running at all, or you are running Qmail-Scanner and clamd under a different uid. If you are running Qmail-Scanner as qscand (default setting) you could put User qscand inside your clamd.conf file and restart clamd. Remember to check that qscand can create clamd.ctl (usually located at /var/run/clamav/clamd.ctl). The same applies to the log file. The suggested setup is: put User qscand and AllowSupplementaryGroups in clamd.conf, then add user qscand to group clamav and make the socket dir and the log dir group writable by clamav. Another possible reason for the aforementioned problem is that your softlimit is set too low. Try raising it to 40MB at least.

How do I use ClamAV with p3scan?

Add the following lines to your pop3vscan configuration file:

    virusregexp = .*: (.*) FOUND
    scanner = /usr/bin/clamdscan --no-summary -i
    scannertype = basic

Where can I ask questions about using ClamAV?

Subscribe to our "clamav-users":ml mailing-list.

I want to take part to the development of ClamAV. Where can I get more info?

Subscribe to the "clamav-devel":ml mailing-list.

The mailing-lists generate too many messages per day. I can't handle them. What shall I do?

There are two possible solutions:

- Go to the "mailing-list":ml mailman interface, click on Edit options, and turn digest mode on
- access the mailing-lists using a "news reader":ml

I sent a message to one of ClamAV 's mailing-lists, but the mail was rejected/held for approval. Why?

Only subscribers are allowed to post to the mailing-list. This is done to avoid spammers. Please check that your outgoing messages start with a line like the following: Return-Path: me@mydomain.com, where me@mydomain.com is the mail account which you used to subscribe to the mailing-list. You can subscribe multiple times, with different mail addresses, and disable mail delivery. You will be able to post to the mailing-lists by putting any of those addresses in Return-Path.

I read the mailing-list from the Gmane news gateway. Can I post to the mailing-list?

See previous FAQ.

I've been unsubscribed from one of the mailing-lists. What happened?

There are two possible reasons: If your account generates too many bounces you'll be automatically unsubscribed. Please subscribe again with a more reliable account. If we receive even one out of office notification from your vacation program, your address will be unsubscribed and banned from our mailing-lists forever. Sorry for that, there are just too many stupid people out there.

How do I disable mail delivery from the mailing-list I'm subscribed to?

Suppose you are subscribed to clamav-users. Go to http://lists.clamav.net/mailman/listinfo/clamav-users and enter your mail address at the bottom of the page. Click on Edit options and then choose On under Disable mail delivery.

Where can I get the latest CVS snapshot of ClamAV?

Visit http://www.clamav.net/snapshot.html

What platforms does it support ?

Clam AntiVirus works with Linux®, Solaris, FreeBSD, OpenBSD, NetBSD, AIX, Mac OS X and Cygwin B20 on multiple architectures such as Intel, Alpha, Sparc, Cobalt MIPS boxes, PowerPC and RISC 6000.

I'm a MS Windows user. Can I take advantage of ClamAV virus protection?

A native port for win32 is available at http://w32.clamav.net . It is maintained by Nigel Horne. Other ports are available but they are NOT maintained/supported by ClamAV team. You can find them at http://wiki.clamav.net/Main/ClamUnofficialWindows. Please do NOT submit any bug report or support request about software that we do NOT maintain directly.

FreshClam and signature update changes with ClamAV v0.93.0?

Actually, it's "normal" that the structure/architecture of the signature update directory and files may change automatically (automagically ...). This is under control of the engine code and depends on the bandwidth of the Internet link (and has nothing to do with the ClamAV version).

So you can have either of these layouts:

1) a 'flat' directory structure under /share/clamav, with just two signature files, daily.cld (or daily.cvd) AND main.cvd, plus the file mirrors.dat;

2) two second-level directories under /share/clamav, namely 'daily.inc' and 'main.inc', plus the file mirrors.dat still at the base level. In this case 'main.inc' contains the main signature info split into 7 db files: main.db, main.fp, main.hdb, main.info, main.mdb, main.ndb and main.zmd. Likewise, 'daily.inc' contains 15 db files.

So, in either case, and as long as the update process sings happily in freshclam.log, everything runs fine and you don't have to worry.

Where can I find more information about ClamAV?

Please read the complete documentation in pdf/ps format. You will find it in each package or in "documentation":doc. You can also try searching the "mailing list archives":ml. If you can't find the answer, you can ask for support on the clamav-users mailing-list, but before doing it, please search the archives! Also, make sure that you don't send HTML messages and that you don't top post: these violate the netiquette and lessen your chances of being answered.

How can I contribute to the ClamAV project?

There are many ways to contribute to the ClamAV project. See the "donations":donations page for more info.

Old FAQ imported from old Wiki

-- LucaGibelli - 18 Nov 2006


Topic revision: r8 - 2008-05-07 - 15:38:21 - JLeMoigne
 