FAQ
Official FAQ
This is the official FAQ. For additional FAQs please visit our Wiki. You are encouraged to contribute to them. The ClamAV team continuously monitors that page and will add the best ones below.
Upgrading ClamAV
- How do I upgrade ClamAV?
- Visit our Wiki. The page can be edited by anyone. If you are a skilled sysadmin please contribute to it.
- What does WARNING: Current functionality level = 1, required = 2 mean?
- The functionality level of the database determines which scanner engine version is required to use all of its signatures. If you don’t upgrade immediately you will be missing the latest viruses.
- What does Your ClamAV installation is OUTDATED mean?
- You’ll get this message whenever a new version of ClamAV is released. In order to detect all the latest viruses, it’s not enough to keep your database up to date. You also need to run the latest version of the scanner. You can download the sources of the latest release from our website. Upgrade instructions are on the Wiki. If you are afraid to break something while upgrading, use the precompiled packages for your operating system/distribution. Remember: running the latest stable release also improves stability.
- I upgraded to the latest stable version but I still get the message Your ClamAV installation is OUTDATED, why?
- Make sure there is really only one version of ClamAV installed on your system:
$ whereis freshclam
$ whereis clamscan
- Also make sure that you haven’t got old libraries (libclamav.so*) lying around your filesystem. You can verify it using:
$ ldd `which freshclam`
- How do I verify the integrity of ClamAV sources?
- Using GnuPG you can easily verify the authenticity of your stable release downloads by using the following method: Download Tomasz Kojm’s key from the clamav.net site. Import the key into your local public keyring:
$ gpg --import tkojm.gpg
Download the stable release AND the corresponding .sig file to the same directory. Verify that the stable release download is signed with Tomasz Kojm’s key:
$ gpg --verify clamav-X.XX.tar.gz.sig
Please note that the resulting output MUST contain the following: Good signature from Tomasz Kojm.
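The verification step above, scripted so that an unattended build fails closed. This is an added example, not code from the ClamAV project: it reads gpg's machine-readable status lines instead of matching the "Good signature" text, and it pins the signer's fingerprint. EXPECTED_FPR is a placeholder (the page does not list the fingerprint), and the function names and sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide from gpg's machine-readable status lines
# (--status-fd) rather than from the human-readable output.

# Placeholder: replace with the full fingerprint of the signing key as
# published by the project. The FAQ page does not list it.
EXPECTED_FPR="0000000000000000000000000000000000000000"

# Constructed sample of what `gpg --status-fd 1 --verify` emits for a good
# signature (key ID, name and fingerprint are placeholders).
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0000000000000000 Example Signer
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2007-02-10 1171065600 0 4 0 17 2 00 0000000000000000000000000000000000000000
[GNUPG:] TRUST_UNDEFINED'

# check_status EXPECTED_FPR   (reads gpg status lines on stdin)
# Returns 0 only if a GOODSIG and a VALIDSIG for EXPECTED_FPR are present
# and no line reports a bad, unverifiable, expired or revoked signature.
check_status() {
    want=$1
    good=0
    valid=0
    bad=0
    while read -r tag kw fpr _rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case $kw in
            GOODSIG) good=1 ;;
            VALIDSIG) [ "$fpr" = "$want" ] && valid=1 ;;
            BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG) bad=1 ;;
        esac
    done
    [ "$good" -eq 1 ] && [ "$valid" -eq 1 ] && [ "$bad" -eq 0 ]
}

# verify_release TARBALL   (expects TARBALL.sig in the same directory)
verify_release() {
    tarball=$1
    # Name both the signature and the signed file so gpg checks exactly
    # the archive that is about to be unpacked.
    gpg --status-fd 1 --verify "$tarball.sig" "$tarball" 2>/dev/null |
        check_status "$EXPECTED_FPR"
}

# Usage: verify_release clamav-X.XX.tar.gz && tar xzf clamav-X.XX.tar.gz
```

A signature made by any other key in the keyring fails the fingerprint comparison even though gpg itself would report it as good.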
- Where can I get the latest SVN snapshot of ClamAV?
- Visit source download page.
- Is my compiler/hardware/operating system supported by ClamAV?
- ClamAV supports a wide variety of compilers, hardware and operating systems. Our core compiler is gcc with Linux on 32 and 64 bit Intel platforms, though we also test using other compilers, including Sun’s C compiler, Microsoft’s Visual Studio, Intel’s C compiler, LLVM-GCC, and others. To date we have only found one compiler that we do not support, GCC version 4.0.0 to 4.1.0 inclusive. We have found that version of the compiler produces incorrect code on all of the platforms and operating systems on which we have tested it. ClamAV will not work using that compiler and you MUST switch to an alternative, such as GCC3.4 or GCC4.1. Please contact your vendor for further information. Please refer to gcc’s bugzilla for further information. If you want to see a proof of why gcc 4.0.1 generates wrong code for the kernel read the relevant article on kerneltrap. More information about this bug is also available in our bugzilla. Our configure scripts will detect if your compiler is affected by this bug and refuse to generate a non working binary with the following error message: your compiler has gcc PR26763-2 bug, use a different compiler. If you are on MacOS X, you can try an alternative compiler, LLVM-GCC4.2-2.2, which has official binaries available.
Updating the ClamAV Virus Database
- What does WARNING: DNS record is older than 3 hours mean?
- freshclam attempts to detect potential problems with DNS caches and switches to the old mode if something looks suspicious. If this message appears only occasionally, you can safely ignore it. If you get the error every time you run freshclam, check your system clock. If it is set correctly, check your DNS settings. If those didn’t help, try putting this at the top of your cronjob:
host -t txt current.cvd.clamav.net; perl -e 'printf "%d\n", time;'
The 4th field of the first line should be less than 3 * 3600 behind the output of the second line. If not, you have a caching DNS server somewhere misbehaving.
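The comparison described above, automated so that a cron job can log the result instead of leaving it to be read by eye. This is an added example, not code from the ClamAV project: it takes the 4th field to be the 4th colon-separated value inside the quoted TXT string, which is an assumption about the record layout, and the sample line, function names and state names are constructed.

```shell
#!/bin/sh
# Added example: automate the freshness check for current.cvd.clamav.net.

MAX_AGE=$((3 * 3600))   # threshold from the FAQ text: 3 hours, in seconds

# Constructed sample of one line of `host -t txt` output (values invented).
SAMPLE_LINE='current.cvd.clamav.net descriptive text "0.90:42:2549:1171119900:1:14"'

# txt_timestamp LINE -> prints the 4th colon-separated field of the quoted
# TXT payload. Fails if the line has no quoted payload, the payload has no
# colon-separated fields, or the field is not purely numeric.
txt_timestamp() {
    payload=$(printf '%s\n' "$1" | sed -n 's/.*"\([^"]*\)".*/\1/p')
    [ -n "$payload" ] || return 1
    # -s: print nothing when the payload contains no ':' at all
    ts=$(printf '%s\n' "$payload" | cut -s -d: -f4)
    case $ts in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$ts"
}

# record_state LINE NOW -> prints one of: fresh, stale, future, invalid
record_state() {
    ts=$(txt_timestamp "$1") || { echo invalid; return 0; }
    age=$(( $2 - ts ))
    if [ "$age" -lt 0 ]; then
        echo future    # record is ahead of the local clock: check the clock
    elif [ "$age" -lt "$MAX_AGE" ]; then
        echo fresh
    else
        echo stale     # a caching resolver is serving an old answer
    fi
}

# Live use (needs network access and the host utility):
#   record_state "$(host -t txt current.cvd.clamav.net | head -n 1)" "$(date +%s)"
```

An "invalid" result covers the case where the resolver returns an error line or a TXT payload in an unexpected shape, so a broken lookup is never reported as fresh.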
- How often is the virus database updated?
- The virus database is usually updated many times per week. Check out http://lurker.clamav.net/list/clamav-virusdb.html to see our response times to new threats. The virusdb team tries to keep up with the latest worm in the wild. When a new worm spreads out, often it is less than one hour before we release a database update. You can contribute to make the virusdb updating process more efficient by submitting samples of viruses via our web interface.
- How many times per hour shall I run freshclam?
- If you are running ClamAV 0.7x please upgrade NOW. If you are running ClamAV 0.8x or later, you can check for database updates as often as 4 times per hour provided that you have the following options in freshclam.conf:
DNSDatabaseInfo current.cvd.clamav.net
DatabaseMirror db.XY.clamav.net
DatabaseMirror database.clamav.net
Replace XY with your country code. If you don’t have that option, then you must stick with 1 check per hour.
- I tried to submit a sample through the web interface, but it said the sample is already recognized by ClamAV. My clamscan tells me it’s not. I have already updated my database and ClamAV engine, what’s wrong with my setup?
- Please run clamscan with the --detect-broken option. Also check that freshclam and clamscan are using the same path for storing/reading the database.
- I found an infected file in my HD/floppy/mailbox, but ClamAV doesn’t recognize it yet. Can you help me?
- Our virus database is kept up to date with the help of the community. Whenever you find a new virus which is not detected by ClamAV you should complete this form. The virusdb team will review your submission and update the database if necessary. Before submitting a new sample: – check that the value of DatabaseDirectory, in both clamd.conf and freshclam.conf, is the same – update your database by running freshclam
- How do I keep my virus database up to date?
- ClamAV comes with freshclam, a tool which periodically checks for new database releases and keeps your database up to date.
- I get this error when running freshclam: Invalid DNS reply. Falling back to HTTP mode or ERROR: Can’t query current.cvd.clamav.net. What does it mean?
- There is a problem with your DNS server. Please check the entries in /etc/resolv.conf and verify that you can resolve the TXT record manually:
$ host -t txt current.cvd.clamav.net
If you can’t, it means your network is broken. You’ll still be able to download the updates, but you’ll waste a lot of bandwidth checking for updates.
- I get this error when running freshclam: ERROR: Connection with ??? failed. What shall I do?
- Either your DNS servers are not working or you are blocking port 53/tcp. You should manually check that you can resolve hostnames with:
$ host database.clamav.net
If it doesn’t work, check your DNS settings in /etc/resolv.conf. If it works, check that you can receive DNS answers longer than 512 bytes, e.g. check that your firewall is not blocking packets which originate from port 53/tcp. An easy way to find it out is:
$ dig @ns1.clamav.net db.us.big.clamav.net
- How do I know if my IP address has been blacklisted?
- Try to download daily.cvd with lynx or wget from the same machine that is running freshclam. Future versions of freshclam will provide a better way to deal with this.
- What is the mirrors.dat file?
- mirrors.dat is used by freshclam to keep track of broken mirrors. It avoids the unnecessary delays caused by trying to download a CVD update from a mirror which failed multiple times during the last 24 hours.
- I’m running ClamAV on a lot of clients on my local network. Can I serve the cvd files from a local server so that each client doesn’t have to download them from your servers?
- Sure, there are two possible solutions.
- If you want to take advantage of incremental updates, install a proxy server and then configure your freshclam clients to use it (watch for the HTTPProxyServer parameter in man freshclam.conf).
- The second possible solution is to configure a local webserver on one of your machines (say machine1.mylan) and let freshclam download the *.cvd files from http://database.clamav.net to the webserver’s DocumentRoot. Finally, change freshclam.conf on your clients so that it reads:
- DatabaseMirror machine1.mylan
- First the database will be downloaded to the local webserver and then the other clients on the network will update their copy of the database from it. For this to work, you have to add ScriptedUpdates off on all of your machines!
- I can’t wait for you to update the database! I need to use the new signature NOW!
- No problem, save your own signatures in a text file with the appropriate extension (see signatures.pdf for more information). Put it in the same dir where the .cvd files are located. ClamAV will load it after the official .cvd files. You do not need to sign the .db file.
- Can I download the virusdb manually?
- Yes, the virusdb can be downloaded from the Latest releases section on our home page.
- I can’t resolve current.cvd.clamav.net! Is there a problem with your/my DNS servers?
- current.cvd.clamav.net has got only a TXT record, not a type A record! Try this command:
$ host -t txt current.cvd.clamav.net
Please note that some non-RFC-compliant DNS servers (namely the one shipped with the Alcatel (now Thomson) SpeedTouch 510 modem) can’t resolve TXT records. If that’s the case, please recompile ClamAV with the flag --enable-dns-fix.
Troubleshooting crashes
- I got an error message followed by report to http://bugs.clamav.net: can you fix this bug?
- If you want us to fix the bug, you need to send us the error message and the file that triggered it. Without the file your report is totally useless for us. Despite what the error message says, the preferred way to submit bug reports is now to use our bugzilla interface.
- ClamAV doesn’t work! It doesn’t add any header to the messages that transit on my mail server.
- ClamAV itself is an antivirus and its job is to scan files, not to do fancy things with your mail’s headers. In order to use ClamAV with your MTA you need a content filter program. If you are using clamav-milter you can ask for help on our mailing lists. If you are using any other content filter, find the address of the official mailing-list (if any) or contact the author.
- ClamAV crashes/hangs/doesn’t compile/doesn’t start. Did I find a bug?
- Before reporting a bug, please download the latest SVN code and try to reproduce the bug with it. Chances are the bug you encountered has already been fixed. If you really feel like you found a bug, please visit our bugzilla interface. Before submitting your bug please check if a similar report is already present.
- How do I start clamd at boot time?
- If you installed ClamAV from a binary package or ports collection, you should already have a script that starts clamd at boot time. If you compiled ClamAV by yourself, then look in the contrib/init/ directory of the source package.
- How do I automatically restart clamd when it dies?
- Set up a cronjob which checks that clamd is up and running every XX minutes. You can find examples in the contrib/clamdmon/ and contrib/clamdwatch/ directories. You can also check clamd from the command prompt with a simple:
echo PING|socat - /tmp/clamd
- How do I automatically restart clamav-milter when it dies?
- Set up a cronjob which checks that clamav-milter is up and running every XX minutes. You can find an example at http://www.itg.uiuc.edu/itg_software/clmilter_watch/
- What does SECURITY WARNING: NO SUPPORT FOR DIGITAL SIGNATURES mean?
- The ClamAV package requires the GMP library to verify the digital signature of the virus database. When building ClamAV you need the GMP library and its headers. If you are using Debian just run:
$ apt-get install libgmp3-dev
If you are using an RPM based distribution install the gmp-devel package. You’ll need to rerun ./configure and recompile ClamAV.
- How can I list the virus signature names contained in the database?
- If you are using a recent version of ClamAV just run:
$ sigtool --list-sigs
- How do I know when database updates are released?
- Subscribe to the clamav-virusdb mailing-list.
- I found a false positive in ClamAV virus database. What shall I do?
- Complete the form at http://www.clamav.net/sendvirus. Be sure to select The file attached is… a false positive.
- The load on my mail server is simply too high, clamscan takes more than 20 secs to scan a single e-mail message. What shall I do?
- Switch to clamd/clamdscan to avoid the overhead of loading the CVD every time a message arrives.
Using the ClamAV mailing lists
- Where can I ask questions about using ClamAV?
- Subscribe to our clamav-users mailing-list.
- I want to take part in the development of ClamAV. Where can I get more info?
- Subscribe to the clamav-devel mailing-list.
- The mailing-lists generate too many messages per day. I can’t handle them. What shall I do?
- There are two possible solutions: – Go to the mailing-list mailman interface, click on Unsubscribe or edit options, and turn digest mode on – access the mailing-lists using a news reader
- I sent a message to one of ClamAV’s mailing-lists, but the mail was rejected/held for approval. Why?
- Only subscribers are allowed to post to the mailing-list. This is done to avoid spammers. Please check that your outgoing messages start with a line like the following:
Return-Path: me@mydomain.com
where me@mydomain.com is the mail account which you used to subscribe to the mailing-list. You can subscribe multiple times, with different mail addresses, and disable mail delivery. You will be able to post to the mailing-lists by putting any of those addresses in Return-Path.
- I read the mailing-list from the Gmane news gateway. Can I post to the mailing-list?
- See previous FAQ.
- I’ve been unsubscribed from one of the mailing-lists. What happened?
- There are two possible reasons: If your account generates too many bounces you’ll be automatically unsubscribed. Please subscribe again with a more reliable account. If we receive even one out of office notification from your vacation program, your address will be unsubscribed and banned from our mailing-lists forever. Sorry for that, there are just too many stupid people out there.
- How do I disable mail delivery from the mailing-list I’m subscribed to?
- Suppose you are subscribed to clamav-users. Go to http://lists.clamav.net/mailman/listinfo/clamav-users and enter your mail address at the bottom of the page. Click on Unsubscribe or edit options. At the next page enter your password and press Log in. Under Your clamav-users Subscription Options choose Disabled opposite Mail delivery and press Submit My Changes at the bottom of the page.
Miscellaneous
- Can phishing be considered one kind of spam? ClamAV should not detect it as some kind of malware.
- Starting from release 0.90, ClamAV allows you to choose whether to detect phish as some kind of malware or not. This should put an end to the endless threads on our mailing lists. So long, and thanks for all the phish.
- Why is my legitimate HTML newsletter/email detected by ClamAV as Phishing.Heuristics.Email.SpoofedDomain?
- My legitimate emails from yourdomain.tld are detected as Phishing.Heuristics.Email.SpoofedDomain
- Please submit a sample, marking it as a false positive, phishing. If it’s really a false positive, we will add a whitelist entry for it.
- Can I convert the new database format to the old one?
- Yes, install a recent version of sigtool and run:
sigtool --unpack-current daily.cvd; sigtool --unpack-current main.cvd
- How do I read inside the CVD files?
- See previous FAQ.
- I’m using ClamAV in a production environment and a brand new virus is not being recognized by ClamAV. How long do I have to wait before ClamAV can start filtering the virus?
- No time at all! Find a signature for that virus and modify your virus database accordingly (see signatures.pdf in the doc/ dir). Remember to submit the sample to the virusdb team.
- Why is ClamAV calling the XXX virus with another name?
- This usually happens when we add a signature before other AV vendors. No well-known name is available at that moment so we have to invent one. Renaming the virus after a few days would just confuse people more, so we usually keep on using our name for that virus. The only exception is when a new name is established soon after the signature addition.
- I get many false positives of Oversized.zip
- Whenever a file exceeds ArchiveMaxCompressionRatio (see clamd.conf man page), it’s considered a logic bomb and marked as Oversized.zip. Try increasing your ArchiveMaxCompressionRatio setting.
- What is PUA? I get a lot of false positives named PUA.*
- With the release of ClamAV 0.91.2 we introduce the option to scan for Potentially Unwanted Applications. The PUA database contains detection for applications that are not malicious by themselves but can be used in a malicious or unwanted context. As an example: a tool to retrieve passwords from a system can be useful as long as the person who uses it is authorized to do so. However, the same tool can be used to steal passwords from a system. To make use of the PUA database you can use the --detect-pua switch for clamscan or enable it in the config file for clamd (add: DetectPUA yes). At this point we DON’T recommend using it in production environments, because the detection may be too aggressive and lead to false positives. In one of the next releases we will provide additional features for fine-tuning allowing better adjustments to different setups. NOTE: A detection as PUA does NOT tell if an application is good or bad. All it says is that a file MAY BE unwanted or MAY BE able to compromise your system security and it MAY BE a good idea to check it twice.
- Can ClamAV disinfect files?
- No, it can’t. We will add support for disinfecting OLE2 files in one of the next stable releases. There are no plans for disinfecting other types of files. There are many reasons for it: cleaning viruses from files is virtually pointless these days. It is very seldom that there is anything useful left after cleaning, and even if there is, would you trust it?
- When using clamscan, is there a way to know which message within an mbox is infected?
- There are two solutions: Run clamscan --debug and look for Deal with email number xxx. Alternatively, you can convert the mbox to Maildir format, run clamscan on it and then convert it back to mbox format. There are many tools available which can convert to and from Maildir format: formail, mbox2maildir and maildir2mbox.
- I’m running ClamAV + amavisd-new and get the following error in my mail log amavis: Clam Antivirus-clamd FAILED – unknown status:/var/lib/amavis/amavis-20060917T120205-21416/parts: lstat() failed. ERROR\n
amavis: WARN: all primary virus scanners failed, considering backups . What’s wrong?
- Please refer to Wiki.
- I’m running Qmail + Qmail-Scanner + ClamAV and get the following error in my mail logs: clamdscan: corrupt or unknown clamd scanner error or memory/resource/perms problem. What’s wrong with it?
- Please refer to Wiki.
- How do I use ClamAV with p3scan?
- Please refer to Wiki.
- What platforms does it support ?
- Clam AntiVirus works with Linux®, Solaris, FreeBSD, OpenBSD, NetBSD, AIX, Mac OS X, Cygwin B20 on multiple architectures such as Intel, Alpha, Sparc, Cobalt MIPS boxes, PowerPC, RISC 6000.
- Where can I find more information about ClamAV?
- Please read the complete documentation in pdf/ps format. You will find it inside the package or in the documentation section of this website. You can also try searching the mailing list archives. If you can’t find the answer, you can ask for support on the clamav-users mailing-list, but please before doing it, search the archives! Also, make sure that you don’t send HTML messages and that you don’t top post: these violate the netiquette and lessen your chances of being answered.
- How can I contribute to the ClamAV project?
- There are many ways to contribute to the ClamAV project.
Last update: Feb 10th, 2007
