
We're investigating applications that seem to use large amounts of memory, one of those being clamav. We noticed that there are lots of av definitions for windows, osx, xls, doc, rtf etc. in /var/lib/clamav/main.cld that we shouldn't need to load in since we are only scanning linux machines (sles15). We run clamscan hourly and each time it loads in the virus definitions into memory it's loading in all these ones that don't apply to our systems, eating up a bunch of memory and causing clamscan to eventually either be killed or kill a different process (working with limited RAM, 2GB). We tried removing all the lines in main.cld that contain Win|Osx|java|xls|doc|pdf|andr|rtf|swf but that caused the file to be malformed and clamscan threw an error message that looked like this.

Starting Clam AntiVirus Daemon: LibClamAV Error: cli_cvdload: Corrupted CVD header
LibClamAV Error: Can't load /var/lib/clamav/main.cvd: Malformed database
LibClamAV Error: cli_loaddbdir(): error loading database /var/lib/clamav/main.cvd

Is there a way to get a linux only virus definitions set? (Something like this for Cisco AMP https://www.cisco.com/c/en/us/support/docs/security/amp-endpoints/214655-amp-for-endpoints-clamav-virus-definiti.pdf) or a way to properly edit those .cld files? I also saw that you can define your own set of definitions, but haven't found much info around that.

  • You really do not care about Windows viruses passing Linux systems?
    – Nils
    Commented Jan 1, 2022 at 22:41
  • That's a really good point. I might have been thinking shortsightedly here, most likely there's a reason it's not obvious to pick and choose which definitions you can apply. Commented Jan 4, 2022 at 14:07

1 Answer


A Linux-only cvd can be found here: ClamAV database

It's a 321KB file

sigtool --info linux.cvd 
File: linux.cvd
Build time: 05 Jan 2022 13:04 -0500
Version: 887
Signatures: 3240
Functionality level: 73
Builder: raynman
MD5: 1a3676f21437ec3f5e32375de3fd28fd
Digital signature: ZYWsOkf+tMsvcHYn44tzHHAV2HlQASR52ESQbW9ffUNx+65iPKLL56KJwJGQXTS1Ld5xanbQWro1tQjzpYMBvvs4yXK5D5iV54+QhSKDJWVArcFMU3FKwc4h7A7+zMAHtBFRn9IElDkhqi7GCHz5MeKKkmSadDPBk9C2Ce4u1r
Verification OK.

After unpacking and looking at some of the files, the signatures are strictly unix/linux related. I hope this is what you wanted.

  • It just worked! I just tried this and the On Access Scanner can still detect the EICAR sample virus. But "clamd -V" is now showing only the engine version without the database version. Is there a best way to get the DB version via terminal? I'm just thinking about pulling it by having PHP read the .cvd file. Thanks.
    – Awan
    Commented Feb 11, 2023 at 3:32
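Added example (editor's code, not from the question or the answer) that ties two points in this thread together: the asker's attempt to delete lines from a database file, and the comment above asking how to read the database version from a terminal. Every .cvd starts with a 512-byte header in the layout ClamAV documents for the format (`ClamAV-VDB:<build time>:<version>:<signatures>:<f-level>:<MD5>:<digital signature>:<builder>:<build seconds>`), followed by the tar.gz of signature files; the MD5 is taken over that payload and the digital signature covers the MD5, so any in-place edit of the contents makes the file fail verification, and the version is simply field 3 of the header. The script below parses that header with POSIX tools, checks the MD5, and builds a constructed sample file whose header copies the values from the answer's `sigtool --info linux.cvd` output; the payload is a stand-in for the real tarball and the digital signature is a labelled placeholder, so the sample only exercises the parser and would be rejected by libclamav.

```shell
#!/bin/sh
# Added example: read the 512-byte ClamAV .cvd header and verify the MD5
# it records against the payload that follows it. Header field layout
# (1-based, colon separated):
#   1 ClamAV-VDB  2 build time  3 version  4 signatures  5 f-level
#   6 MD5 of payload  7 digital signature  8 builder  9 build time (epoch)
# The header is padded to 512 bytes; the hour-minute in field 2 is stored
# with a '-' so that ':' stays free as the separator.

# Print field $2 of the header of CVD file $1.
cvd_field() {
    head -c 512 "$1" | tr -d '\0' | cut -d: -f"$2" | sed 's/[[:space:]]*$//'
}

cvd_version()  { cvd_field "$1" 3; }
cvd_sigcount() { cvd_field "$1" 4; }
cvd_builder()  { cvd_field "$1" 8; }

# Compare the MD5 recorded in the header with the MD5 of everything after
# byte 512. Non-zero exit means the payload no longer matches the header,
# which is the state a hand-edited file ends up in.
cvd_check_md5() {
    expected=$(cvd_field "$1" 6)
    actual=$(tail -c +513 "$1" | md5sum | cut -d' ' -f1)
    [ "$expected" = "$actual" ]
}

# Write a constructed .cvd to path $1. Header values copy the answer's
# sigtool output (version 887, 3240 signatures, f-level 73, builder
# raynman); the payload is a stand-in and DSIG-PLACEHOLDER is not a real
# signature, so this file is for parser tests only.
make_sample_cvd() {
    out=$1
    payload=$(mktemp)
    printf 'constructed stand-in for the signature tarball\n' > "$payload"
    md5=$(md5sum < "$payload" | cut -d' ' -f1)
    hdr="ClamAV-VDB:05 Jan 2022 13-04 -0500:887:3240:73:$md5:DSIG-PLACEHOLDER:raynman:1641405840"
    printf '%-512s' "$hdr" > "$out"   # pad header to exactly 512 bytes
    cat "$payload" >> "$out"
    rm -f "$payload"
}

# Demo: build the sample, report version and integrity, then show what an
# in-place edit does to the MD5 check.
demo_dir=$(mktemp -d)
make_sample_cvd "$demo_dir/linux.cvd"
echo "version: $(cvd_version "$demo_dir/linux.cvd"), signatures: $(cvd_sigcount "$demo_dir/linux.cvd"), builder: $(cvd_builder "$demo_dir/linux.cvd")"
cvd_check_md5 "$demo_dir/linux.cvd" && echo "MD5 matches payload"
printf 'x' >> "$demo_dir/linux.cvd"   # simulate editing the file in place
cvd_check_md5 "$demo_dir/linux.cvd" || echo "MD5 mismatch after edit"
rm -rf "$demo_dir"
```

On a real database, `cvd_version /var/lib/clamav/linux.cvd` prints the same number `sigtool --info` reports as Version, which is the value the comment wanted from a terminal; `sigtool --info` remains the supported check, since it also verifies the digital signature, which the shell function does not attempt.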
