How to be sure ClamAV database is up to date?
F

5

19

I am currently having an issue with ClamAV and freshclam on CentOS 6.9.

I have the latest Clam engine 0.99.2, and a working internet connection. Even if I run the # freshclam -v command (it only returns a security warning about insecure permissions on freshclam.conf) before a # clamscan, ClamAV returns this warning:

LibClamAV Warning: **************************************************
LibClamAV Warning: *** The virus database is older than 7 days. ***
LibClamAV Warning: *** Please update it IMMEDIATELY! ***
LibClamAV Warning: **************************************************

So my questions are: how can I know when the last update was done? Or make sure the virus database is up-to-date?

PS : I've tested the clamscan with eicar test file and it detects it.

Finery answered 20/4, 2017 at 9:0 Comment(0)
K
10

You have 2 questions:

  1. How can I know when the last update was done ?

host -t txt current.cvd.clamav.net; perl -e 'printf "%d\n", time;'

This will tell you when clamav made available the last update.

  2. Make sure the virus database is up-to-date ?

First you need to understand why you get the security warning. If you post the warning here maybe we'd have a better chance to help you.

Then I recommend you look in the log at /var/log/clamav/freshclam.log

Also, if you have selinux enabled, you'd have to run this: setsebool -P antivirus_can_scan_system 1. If by any chance the error is something like this During database load : LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Permission denied then clearly your solution is the command I mentioned above.

Kidderminster answered 20/4, 2017 at 9:43 Comment(1)
#1 will only print the time when the updates were last pushed to the clamav.net site, and NOT when the last AV update was done on the system. You will need to check the logs in /var/log/clamav/freshclam.log and look for the string - "ClamAV update process started" - at the end of this file. This will show you when ClamAV was last updated on the system. - Disgust
L
18

clamscan --version shows the version and date of signatures, e.g.

$ clamscan --version
ClamAV 0.101.4/25613/Fri Oct 25 11:00:25 2019

where 25613 is the signatures version and it is followed by the date of the signatures

Lipoma answered 25/10, 2019 at 17:16 Comment(3)
Is this no longer the case? When running clamscan --version all I get now is ClamAV 0.103.6 - Axiomatic
@Axiomatic clamscan --version format changed recently. Running strace on clamscan --version shows that it refers to the /var/lib/clamav/daily.cvd file to puke the output for the database's version that clamscan refers to! ... Thus, it's better to use sigtool --info /var/lib/clamav/daily.cvd to find what's your database/DEFINITION's version (just 1 Number format ex: 12345), like where you are at? Then, using clamscan --version --database /opt/clammav/defs/<latest_dated_directory> | cut -d'/' -f2 will give you similar 1 NUMBER format for that dated definition. Now you can compare!! - Bebop
@RVid: I have just tested it. By default, clamscan --version indeed returns just "ClamAV 1.3.0"; but the reason for this is that there's no virus database. After downloading the database it returns "ClamAV 1.3.0/27242/Thu Apr 11 10:25:12 2024". - Twibill
C
7

This is what I do for the second part of your question: Make sure the virus database is up-to-date ?

My systems are offline so cannot query the clamav site for their most recent virus definitions database but I can easily examine the date of my current cvd files with this linux command.

strings /var/lib/clamav/daily.cvd|head -1|cut -c1-28
ClamAV-VDB:31 Jul 2019 04-17

Edit: As Jonathon has so kindly mentioned, sigtool is a great way to examine the clamav dat file signature:

sigtool --info daily.cvd
File: daily.cvd
Build time: 28 Aug 2019 04:24 -0400
Version: 25555
Signatures: 1739106
Functionality level: 63
Builder: raynman
...
Cuttlebone answered 7/8, 2019 at 19:52 Comment(1)
Just use sigtool --info /var/lib/clamav/daily.cvd. clamav.net/documents/… - Biliary
D
2

Use the following script to check if ClamAV has up to date version of the database:

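#!/usr/bin/env bash
set -eo pipefail

# Local version string, e.g. "ClamAV 0.102.4/25904/Mon Aug 17 08:02:24 2020"
_local_version=$(freshclam -V)
# Published versions, returned as a colon-separated TXT record
_remote_version=$(host -t txt current.cvd.clamav.net)

# Database version: second '/'-separated field of the local string
local_version=$(echo "$_local_version" | awk -F '/' '{ print $2 }')
# Latest published database version: third ':'-separated field of the TXT record
remote_version=$(echo "$_remote_version" | awk -F ':' '{ print $3 }')

echo "Local version: $local_version" >&2
echo "Remote version: $remote_version" >&2

# Exit 0 when the versions match, 1 otherwise
if [[ "$local_version" == "$remote_version" ]]; then
  echo "ClamAV is up to date" >&2
else
  echo "ClamAV not up to date, local version is $local_version, available is: $remote_version" >&2
  exit 1
fi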

Save it as clamav-check-if-up-to-date.sh. It will return exit code 1 if database is out of date, or 0 if it is up to date.

Dicephalous answered 19/1, 2022 at 11:51 Comment(1)
As it’s currently written, your answer is unclear. Please edit to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers in the help center. - Oenone
P
0

You can not trust the TXT record's date. However, you can trust the database version from the TXT record.

So, the right answer is to use parts of both @bogdan and @falko-menge answers:

First, "what version of the clamav database is on my machine?" (in this example, 25904):

$ clamscan --version
ClamAV 0.102.4/25904/Mon Aug 17 08:02:24 2020

Now, "what is the most recent version available on clamav.net?" (in this example, also 25904):

@ ✓ $ host -t txt current.cvd.clamav.net; perl -e 'printf "%d\n", time;'
current.cvd.clamav.net descriptive text "0.102.4:59:25904:1597879740:1:63:49191:331"

However, that TXT record shows a false time for when the 25904 was actually created :-(

@ ✓ $ epoch_to_rfc_3339 1597879740
2020-08-19T18:29:00
Plumcot answered 20/8, 2020 at 16:18 Comment(0)
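
An added example, not code from any of the answers above: it combines the checks discussed in this thread (local version from clamscan --version, published version from the TXT record, signature age from the build date) and handles the no-database output mentioned in the comments. The function names db_status and days_from_civil are illustrative; the sample strings are the ones quoted on this page and NOW is a constructed "current time".

```bash
#!/usr/bin/env bash
# Added example, not code from this page. Pure string parsing, so it runs offline.

# days_from_civil YEAR MONTH DAY -> whole days since 1970-01-01
days_from_civil() (
  y=$1; m=${2#0}; d=${3#0}
  if [ "$m" -le 2 ]; then y=$((y - 1)); fi
  era=$((y / 400)); yoe=$((y - era * 400)); mp=$(( (m + 9) % 12 ))
  doy=$(( (153 * mp + 2) / 5 + d - 1 ))
  echo $(( era * 146097 + yoe * 365 + yoe / 4 - yoe / 100 + doy - 719468 ))
)

# db_status VERSION_LINE TXT_RECORD NOW_EPOCH [MAX_AGE_DAYS]
#   VERSION_LINE: output of `clamscan --version`
#   TXT_RECORD:   output of `host -t txt current.cvd.clamav.net` ("" when offline)
# Prints one of: no-database | behind | stale | current
db_status() (
  line=$1; txt=$2; now=$3; max_age=${4:-7}
  case $line in
    */*/*) ;;                        # engine/db version/build date
    *) echo no-database; exit 0 ;;   # e.g. "ClamAV 0.103.6": no virus database present
  esac
  rest=${line#*/}; local_ver=${rest%%/*}; sig_date=${rest#*/}
  # Keep only the quoted TXT payload; its third ':' field is the database version.
  txt=${txt#*\"}; txt=${txt%\"*}
  remote_ver=$(printf '%s\n' "$txt" | cut -d: -f3)
  case $remote_ver in ''|*[!0-9]*) remote_ver= ;; esac
  if [ -n "$remote_ver" ] && [ "$local_ver" -lt "$remote_ver" ]; then
    echo behind; exit 0
  fi
  # Age check from the signature build date: works without network access.
  set -- $sig_date                   # e.g. Mon Aug 17 08:02:24 2020
  months=JanFebMarAprMayJunJulAugSepOctNovDec
  idx=${months%%"$2"*}               # text before the month name, 3 chars per month
  built=$(days_from_civil "$5" $(( ${#idx} / 3 + 1 )) "$3")
  if [ $(( now / 86400 - built )) -gt "$max_age" ]; then echo stale; else echo current; fi
)

# Samples quoted on this page; NOW is a constructed "current time" (the TXT epoch).
TXT='current.cvd.clamav.net descriptive text "0.102.4:59:25904:1597879740:1:63:49191:331"'
NOW=1597879740
db_status 'ClamAV 0.102.4/25904/Mon Aug 17 08:02:24 2020' "$TXT" "$NOW"   # current
db_status 'ClamAV 0.103.6' "$TXT" "$NOW"                                  # no-database
db_status 'ClamAV 0.101.4/25613/Fri Oct 25 11:00:25 2019' "$TXT" "$NOW"   # behind
db_status 'ClamAV 0.101.4/25613/Fri Oct 25 11:00:25 2019' '' "$NOW"       # stale
# Live: db_status "$(clamscan --version)" "$(host -t txt current.cvd.clamav.net)" "$(date +%s)"
```

The age comparison works at whole-day granularity and deliberately ignores the timestamp field of the TXT record.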
