G.W. Haywood via clamav-users wrote:
> To find out what might work and what might not, here's what I did:
> ======================================================================
> Using 'clamd':
> 8<----------------------------------------------------------------------
> 1. I moved the 'main.cld' and 'daily.cld' files from my working clamav
> database directory to a temporary directory, replaced them with empty
> files, and by sending a message to its TCP port I told one of my clamd
> daemons to reload its databases. (By default clamd doesn't listen on
> TCP, but I normally configure that anyway.) Here's what happened:
> Aug 25 08:28:01 mail6 root: PONG
> Aug 25 08:28:20 mail6 ged: RELOADING
> Aug 25 08:28:23 mail6 clamd[4518]: Reading databases from /etc/mail/clamav
> Aug 25 08:28:23 mail6 clamd[4518]: reload db failed: Malformed database
> Aug 25 08:28:23 mail6 clamd[4518]: Terminating because of a fatal error.
> Aug 25 08:28:23 mail6 clamd[4518]: Pid file removed.
> Aug 25 08:28:23 mail6 clamd[4518]: --- Stopped at Sun Aug 25 08:28:23 2019
> The clamd daemon disliked the empty 'main' and 'daily' files and died.
> I guess some folk might prefer it to carry on with the old databases,
> but at least it's very clear what's happened.
From my own experience, I expect this is because they were, as per the
error, "malformed". ClamAV is very picky about this - too picky IMO.
If a signature database is present, it is expected to contain at least
one signature, which is a valid signature for the database "type". An
empty file is not a valid signature database file.
> 6. The same, using a database directory containing just an empty file:
> mail6:~/src/net/mail/clamav-0.101.4/test$ >>> ls -l /etc/mail/clamav/empty/
> total 0
> -rw-r--r-- 1 root root 0 Aug 25 10:25 empty.ign2
> mail6:~/src/net/mail/clamav-0.101.4/test$ >>> /usr/local/bin/clamscan -d /etc/mail/clamav/empty clam.exe
> clam.exe: OK
This is consistent with my experience; .ign[2] is basically a list of
signatures to ignore, and so it can reasonably be empty. Strictly
speaking it's not a signature database file, because it does not contain
actual signatures - just the names of signatures to ignore/skip.
If you wanted to use *ONLY* one or more of the internal heuristic tests,
this is probably the best option.
-kgd
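
A pre-reload check built on the behaviour reported in this thread, as an added example that is not part of the original messages or of ClamAV itself. `check_db_dir` and `safe_reload` are hypothetical names, and treating every zero-length file other than `.ign`/`.ign2` as a load failure generalizes from the `main.cld`/`daily.cld` case tested above.

```shell
#!/bin/sh
# Added example: sanity-check a ClamAV database directory before a reload.
# Assumption (from the thread): a zero-length database file makes the load
# fail with "Malformed database" and clamd terminates, while a zero-length
# .ign/.ign2 ignore list loads without complaint.

# Report every zero-length file in DIR that is not an ignore list.
# Returns 0 if nothing suspicious was found, 1 if an empty database file
# is present, 2 if DIR is not a directory.
check_db_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue      # skip subdirectories and an unmatched glob
        [ -s "$f" ] && continue      # non-empty: content validation is ClamAV's job
        case "$f" in
            *.ign|*.ign2) ;;         # empty ignore lists were accepted in the thread
            *) echo "empty database file: $f" >&2; bad=1 ;;
        esac
    done
    return "$bad"
}

# Only ask the running clamd to reload when the directory passes the check,
# so a truncated download cannot take the daemon down.
safe_reload() {
    check_db_dir "$1" && clamdscan --reload
}
```

Calling `safe_reload /etc/mail/clamav` from the update job leaves clamd running on its already-loaded signatures when a database file has been truncated to zero bytes.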