FAQ
Official FAQ
This is the official FAQ. For other FAQs, please visit our Wiki. You are welcome to contribute to them. The ClamAV team regularly reviews that page and will add the best entries to this section.
Upgrading ClamAV
- How do I upgrade ClamAV?
- Visit our Wiki. The page can be edited by anyone. If you are an experienced administrator, please contribute to it.
- What does WARNING: Current functionality level = 1, required =2 mean?
- The functionality level of the database determines which version of the scanner engine is required to use all of the available signatures. If you don’t upgrade immediately, you will be missing the latest viruses.
- What does Your ClamAV installation is OUTDATED mean?
- This message is displayed whenever a new version of ClamAV is released. To detect all the latest viruses, it is not enough to keep your database up to date. You also need to run the latest version of the scanner. You can download the sources of the latest release from our website. Upgrade instructions are available in the Wiki. If you are afraid of breaking something during the upgrade, use the precompiled packages for your operating system/distribution. Remember: running the latest stable release also improves stability.
- I upgraded to the latest stable version but I still get the message Your ClamAV installation is OUTDATED. Why?
- Make sure there is only one version of ClamAV installed on your system:
$ whereis freshclam
$ whereis clamscan
Also make sure that you don’t have old libraries (libclamav.so*) on your system. You can check with:
$ ldd `which freshclam`
- How can I verify the integrity of the ClamAV sources?
- Using GnuPG you can easily verify the authenticity of your downloads with the following method: Download Tomasz Kojm’s key from the clamav.net website. Import the key into your local keyring:
$ gpg --import tkojm.gpg
Download the stable release and the corresponding .sig file to the same directory. Check that the download is signed with Tomasz Kojm’s key:
$ gpg --verify clamav-X.XX.tar.gz.sig
Please note that the output of the command must contain the following: Good signature from Tomasz Kojm.
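An added example (not part of the original FAQ or of ClamAV) of scripting the check above: rather than looking for the human-readable Good signature text, it parses the machine-readable lines that gpg --status-fd emits and requires a VALIDSIG line for one pinned fingerprint. The function names, the fingerprint and the status lines are constructed placeholders; take the real fingerprint from the key you imported.

```shell
#!/bin/sh
# Added example: decide from gpg's --status-fd output whether a signature
# was made by one pinned key. Function names are hypothetical.

# sig_status_ok "<status output>" "<expected fingerprint>"
# Returns 0 only if a VALIDSIG line carries the expected fingerprint and no
# BADSIG/ERRSIG/EXPSIG/EXPKEYSIG/REVKEYSIG line is present; 2 on bad usage.
sig_status_ok() {
    st_out=$1
    # Normalise the pinned fingerprint: drop spaces, upper-case hex digits.
    want=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$want" ] || return 2

    # Any of these status keywords means the signature must not be trusted.
    if printf '%s\n' "$st_out" |
        grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG) '; then
        return 1
    fi

    # The first argument of VALIDSIG is the fingerprint of the signing key.
    got=$(printf '%s\n' "$st_out" |
        awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print toupper($3); exit }')
    [ "$got" = "$want" ]
}

# Live use (needs gpg, the imported key and both downloaded files):
#   out=$(gpg --status-fd 1 --verify clamav-X.XX.tar.gz.sig clamav-X.XX.tar.gz 2>/dev/null)
#   sig_status_ok "$out" "$PINNED_FPR" && echo "signature OK"

# Constructed sample data: placeholder fingerprint and invented status lines.
PINNED_FPR='0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567'
GOOD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2007-02-10 1171065600 0 4 0 1 2 00 0123456789ABCDEF0123456789ABCDEF01234567'
BAD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer <signer@example.invalid>'
# Cryptographically valid, same display name, but a different key.
OTHER_KEY_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FFFFFFFFFFFFFFFF Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 2007-02-10 1171065600 0 4 0 1 2 00 FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF'

report() {
    if sig_status_ok "$2" "$PINNED_FPR"; then
        echo "$1: accepted"
    else
        echo "$1: rejected"
    fi
}

report "pinned key, good signature" "$GOOD_STATUS"
report "pinned key, bad signature" "$BAD_STATUS"
report "other key, same name" "$OTHER_KEY_STATUS"
```

The third sample is the case a text match on the signer’s name would miss: the signature verifies, but the key is not the pinned one.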
- Where can I get the latest SVN revision of ClamAV?
- Visit the source download page.
- Is my compiler/hardware/operating system supported by ClamAV?
- ClamAV supports a wide variety of compilers, hardware and operating systems. Our compiler is gcc on Linux on 32-bit and 64-bit Intel platforms, although we also test with other compilers, including Sun’s C compiler, Microsoft Visual Studio, Intel’s C compiler, LLVM-GCC, and others. To date we have found only one unsupported compiler, GCC versions 4.0.0 through 4.1.0 inclusive. We have found that these compiler versions produce incorrect code on every platform and operating system we have tested. ClamAV does not work with those compilers and you MUST find an alternative, such as GCC3.4 or GCC4.1. Please contact your vendor for more information. For further details see the gcc bugzilla. If you want proof of why gcc 4.0.1 generates wrong code for the kernel, read the kerneltrap article. More information about this bug is available in our bugzilla. Our configure scripts will detect whether your compiler is affected by this bug and will refuse to build a non-working binary, with the following message: your compiler has gcc PR26763-2 bug, use a different compiler. If you are on MacOS X, you can try another compiler, LLVM-GCC4.2-2.2, for which official binaries are available.
Updating the ClamAV Virus Database
- What does WARNING: DNS record is older than 3 hours mean?
- freshclam tries to detect possible problems with DNS caches and falls back to the old mode if it detects something suspicious. If this message appears occasionally, you can safely ignore it. If you get the error every time you run freshclam, check your system clock. If it is set correctly, check your DNS configuration. If it still fails, try putting this at the beginning of your cronjob:
host -t txt current.cvd.clamav.net; perl -e 'printf "%d\n", time;'
The 4th field of the first line must be less than 3 * 3600 behind the output of the second line. If it is not, you have a caching DNS server somewhere that is misbehaving.
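The comparison described above, as an added example (not from the original FAQ or from freshclam’s code): it extracts the 4th colon-separated field from the host output and classifies its age against the 3 * 3600 second limit. The function names and the sample record are constructed for illustration.

```shell
#!/bin/sh
# Added example: apply the FAQ's "4th field vs. current time" check to the
# TXT record of current.cvd.clamav.net. Function names are hypothetical.

MAX_AGE=$((3 * 3600))   # the 3-hour limit from the warning message

# txt_record_time "<host output line or bare TXT data>"
# Prints the 4th colon-separated field (a Unix timestamp); returns 2 if the
# field is missing or is not a plain number.
txt_record_time() {
    ts=$(printf '%s\n' "$1" | head -n 1 | cut -d: -f4 | tr -d '"')
    case $ts in
        '' | *[!0-9]*) return 2 ;;
    esac
    printf '%s\n' "$ts"
}

# dns_record_state "<record>" <now>
# Prints one of: fresh, stale, clock-behind, unparseable.
dns_record_state() {
    ts=$(txt_record_time "$1") || { echo unparseable; return 0; }
    age=$(($2 - ts))
    if [ "$age" -lt 0 ]; then
        # Record is newer than "now": the local clock is behind.
        echo clock-behind
    elif [ "$age" -lt "$MAX_AGE" ]; then
        echo fresh
    else
        # 3 hours or more behind: a DNS cache is serving an old answer.
        echo stale
    fi
}

# Constructed sample: the shape of a `host -t txt` answer, invented values.
SAMPLE='current.cvd.clamav.net descriptive text "0.90:42:2550:1171065600:1:13"'
NOW_FRESH=$((1171065600 + 600))        # 10 minutes after the record
NOW_STALE=$((1171065600 + 4 * 3600))   # 4 hours after the record

echo "10 min later: $(dns_record_state "$SAMPLE" "$NOW_FRESH")"
echo "4 h later:    $(dns_record_state "$SAMPLE" "$NOW_STALE")"

# Live use from the cronjob (needs network access):
#   dns_record_state "$(host -t txt current.cvd.clamav.net)" "$(date +%s)"
```

A persistent stale result with a correct system clock points at a caching resolver, while clock-behind points at the local clock.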
- How often is the database updated?
- The database is usually updated several times a week. Check http://lurker.clamav.net/list/clamav-virusdb.html to see our response times to new threats. The virusdb team tries to keep up with the latest active worms. When a new worm spreads, it often takes less than an hour before we publish a new database update. You can help make the virusdb update process more efficient by submitting virus samples through our web interface.
- How many times per hour should I run freshclam?
- If you are running ClamAV 0.7x, please upgrade NOW. If you are running ClamAV 0.8x or later, you can check for database updates up to 4 times per hour, provided that you have the following options in freshclam.conf:
DNSDatabaseInfo current.cvd.clamav.net
DatabaseMirror db.XY.clamav.net
DatabaseMirror database.clamav.net
Replace XY with your country code. If you don’t have that option, you will have to settle for one check per hour.
- I tried to submit a sample through the web interface, but it says the sample is already recognized by ClamAV. My clamscan says it is not. I have updated my database and my ClamAV engine. What is wrong with my setup?
- Please run clamscan with the --detect-broken option. Also check that freshclam and clamscan are using the same path to store/read the database.
- I found an infected file on my hard disk/floppy disk/mailbox, but ClamAV doesn’t recognize it yet. Can you help me?
- Our virus database is kept up to date with the help of the community. Whenever you find a new virus that is not detected by ClamAV, you should complete this form. The virusdb team will review your submission and update the database if necessary. Before submitting a new sample: – check that the value of DatabaseDirectory is the same in both clamd.conf and freshclam.conf – update your database by running freshclam.
- How do I keep my virus database up to date?
- ClamAV comes with freshclam, a tool that periodically checks for new database releases and keeps your database up to date.
- I get this error when running freshclam: Invalid DNS reply. Falling back to HTTP mode or ERROR: Can’t query current.cvd.clamav.net . What does it mean?
- There is a problem with your DNS server. Please check the entries in /etc/resolv.conf and verify that you can resolve the TXT record manually:
$ host -t txt current.cvd.clamav.net
If you can’t, it means your network is broken. You’ll still be able to download the updates, but you’ll waste a lot of bandwidth checking for updates.
- I get this error when running freshclam: ERROR: Connection with ??? failed . What shall I do?
- Either your dns servers are not working or you are blocking port 53/tcp. You should manually check that you can resolve hostnames with:
$ host database.clamav.net
If it doesn’t work, check your dns settings in /etc/resolv.conf. If it works, check that you can receive dns answers longer than 512 bytes, e.g. check that your firewall is not blocking packets which originate from port 53/tcp. An easy way to find it out is:
$ dig @ns1.clamav.net db.us.big.clamav.net
- How do I know if my IP address has been blacklisted?
- Try to download daily.cvd with lynx or wget from the same machine that is running freshclam. Future versions of freshclam will provide a better way to deal with this.
- What is the mirrors.dat file?
- mirrors.dat is used by freshclam to keep track of broken mirrors. It avoids the unnecessary delays caused by trying to download a CVD update from a mirror which failed multiple times during the last 24 hours.
- I’m running ClamAV on a lot of clients on my local network. Can I serve the cvd files from a local server so that each client doesn’t have to download them from your servers?
- Sure, there are two possible solutions.
- If you want to take advantage of incremental updates, install a proxy server and then configure your freshclam clients to use it (watch for the HTTPProxyServer parameter in man freshclam.conf).
- The second possible solution is to configure a local webserver on one of your machines (say machine1.mylan) and let freshclam download the *.cvd files from http://database.clamav.net to the webserver’s DocumentRoot. Finally, change freshclam.conf on your clients so that it reads:
- DatabaseMirror machine1.mylan
- First the database will be downloaded to the local webserver and then the other clients on the network will update their copy of the database from it. For this to work, you have to add ScriptedUpdates off on all of your machines!
- I can’t wait for you to update the database! I need to use the new signature NOW!
- No problem, save your own signatures in a text file with the appropriate extension (see signatures.pdf for more information). Put it in the same dir where the .cvd files are located. ClamAV will load it after the official .cvd files. You do not need to sign the .db file.
- Can I download the virusdb manually?
- Yes, the virusdb can be downloaded from the Latest releases section on our home page.
- I can’t resolve current.cvd.clamav.net! Is there a problem with your/my DNS servers?
- current.cvd.clamav.net has got only a TXT record, not a type A record! Try this command:
$ host -t txt current.cvd.clamav.net
Please note that some DNS servers that are not RFC compliant (namely the one shipped with the Alcatel (now Thomson) SpeedTouch 510 modem) can’t resolve TXT records. If that’s the case, please recompile ClamAV with the flag --enable-dns-fix.
Troubleshooting crashes
- I got an error message followed by report to http://bugs.clamav.net: can you fix this bug?
- If you want us to fix the bug, you need to send us the error message and the file that triggered it. Without the file your report is totally useless for us. Despite what the error message says, the preferred way to submit bug reports is now to use our bugzilla interface.
- ClamAV doesn’t work! It doesn’t add any header to the messages that transit on my mail server.
- ClamAV itself is an antivirus and its job is to scan files, not to do fancy things with your mail’s headers. In order to use ClamAV with your MTA you need a content filter program. If you are using clamav-milter you can ask for help on our mailing lists. If you are using any other content filter, find the address of the official mailing-list (if any) or contact the author.
- ClamAV crashes/hangs/doesn’t compile/doesn’t start. Did I find a bug?
- Before reporting a bug, please download the latest SVN code and try to reproduce the bug with it. Chances are the bug you encountered has already been fixed. If you really feel like you found a bug, please visit our bugzilla interface. Before submitting your bug please check if a similar report is already present.
- How do I start clamd at boot time?
- If you installed ClamAV from a binary package or ports collection, you should already have a script that starts clamd at boot time. If you compiled ClamAV by yourself, then look in the contrib/init/ directory of the source package.
- How do I automatically restart clamd when it dies?
- Set up a cronjob which checks that clamd is up and running every XX minutes. You can find an example in the contrib/clamdmon/ and contrib/clamdwatch/ directory. You can also check clamd from the command prompt with a simple:
echo PING|socat - /tmp/clamd
- How do I automatically restart clamav-milter when it dies?
- Set up a cronjob which checks that clamav-milter is up and running every XX minutes. You can find an example at http://www.itg.uiuc.edu/itg_software/clmilter_watch/
- What does SECURITY WARNING: NO SUPPORT FOR DIGITAL SIGNATURES mean?
- The ClamAV package requires the GMP library to verify the digital signature of the virus database. When building ClamAV you need the GMP library and its headers. If you are using Debian, just run:
apt-get install libgmp3-dev
If you are using an RPM based distribution, install the gmp-devel package. You’ll need to rerun ./configure and recompile ClamAV.
- How can I list the virus signature names contained in the database?
- If you are using a recent version of ClamAV just run:
$ sigtool --list-sigs
- How do I know when database updates are released?
- Subscribe to the clamav-virusdb mailing-list.
- I found a false positive in ClamAV virus database. What shall I do?
- Complete the form at http://www.clamav.net/sendvirus. Be sure to select The file attached is… a false positive.
- The load on my mail server is simply too high, clamscan takes more than 20 secs to scan a single e-mail message. What shall I do?
- Switch to clamd/clamdscan to avoid the overhead of loading the CVD every time a message arrives.
Using the ClamAV mailing lists
- Where can I ask questions about using ClamAV?
- Subscribe to our clamav-users mailing-list.
- I want to take part in the development of ClamAV. Where can I get more info?
- Subscribe to the clamav-devel mailing-list.
- The mailing-lists generate too many messages per day. I can’t handle them. What shall I do?
- There are two possible solutions: – Go to the mailing-list mailman interface, click on Unsubscribe or edit options, and turn digest mode on – access the mailing-lists using a news reader
- I sent a message to one of ClamAV’s mailing-lists, but the mail was rejected/held for approval. Why?
- Only subscribers are allowed to post to the mailing-list. This is done to avoid spammers. Please check that your outgoing messages start with a line like the following:
Return-Path: me@mydomain.com
where me@mydomain.com is the mail account which you used to subscribe to the mailing-list. You can subscribe multiple times, with different mail addresses, and disable mail delivery. You will be able to post to the mailing-lists by putting any of those addresses in Return-Path.
- I read the mailing-list from the Gmane news gateway. Can I post to the mailing-list?
- See previous FAQ.
- I’ve been unsubscribed from one of the mailing-lists. What happened?
- There are two possible reasons: If your account generates too many bounces you’ll be automatically unsubscribed. Please subscribe again with a more reliable account. If we receive even one out of office notification from your vacation program, your address will be unsubscribed and banned from our mailing-lists forever. Sorry for that, there are just too many stupid people out there.
- How do I disable mail delivery from the mailing-list I’m subscribed to?
- Suppose you are subscribed to clamav-users. Go to http://lists.clamav.net/mailman/listinfo/clamav-users and enter your mail address at the bottom of the page. Click on Unsubscribe or edit options. At the next page enter your password and press Log in. Under Your clamav-users Subscription Options choose Disabled opposite Mail delivery and press Submit My Changes at the bottom of the page.
Miscellaneous
- Can phishing be considered one kind of spam? ClamAV should not detect it as some kind of malware.
- Starting from release 0.90, ClamAV allows you to choose whether to detect phish as some kind of malware or not. This should put an end to the endless threads on our mailing lists. So long, and thanks for all the phish.
- Can I convert the new database format to the old one?
- Yes, install a recent version of sigtool and run:
sigtool --unpack-current daily.cvd; sigtool --unpack-current main.cvd
- How do I read inside the CVD files?
- See previous FAQ.
- I’m using ClamAV in a production environment and a brand new virus is not being recognized by ClamAV. How long do I have to wait before ClamAV can start filtering the virus?
- No time at all! Find a signature for that virus and modify your virus database accordingly (see signatures.pdf in the doc/ dir). Remember to submit the sample to the virusdb team.
- Why is ClamAV calling the XXX virus with another name?
- This usually happens when we add a signature before other AV vendors. No well-known name is available at that moment so we have to invent one. Renaming the virus after a few days would just confuse people more, so we usually keep on using our name for that virus. The only exception is when a new name is established soon after the signature addition.
- I get many false positives of Oversized.zip
- Whenever a file exceeds ArchiveMaxCompressionRatio (see clamd.conf man page), it’s considered a logic bomb and marked as Oversized.zip . Try increasing your ArchiveMaxCompressionRatio setting.
- What is PUA? I get a lot of false positives named PUA.*
- With the release of ClamAV 0.91.2 we introduce the option to scan for Potentially Unwanted Applications. The PUA database contains detection for applications that are not malicious by themselves but can be used in a malicious or unwanted context. As an example: a tool to retrieve passwords from a system can be useful as long as the person who uses it is authorized to do so. However, the same tool can be used to steal passwords from a system. To make use of the PUA database you can use the --detect-pua switch for clamscan or enable it in the config file for clamd (add: DetectPUA yes). At this point we DON’T recommend using it in production environments, because the detection may be too aggressive and lead to false positives. In one of the next releases we will provide additional features for fine-tuning, allowing better adjustments to different setups. NOTE: A detection as PUA does NOT tell whether an application is good or bad. All it says is that a file MAY BE unwanted or MAY compromise your system security, and that it MAY BE a good idea to check it twice.
- Can ClamAV disinfect files?
- No, it can’t. We will add support for disinfecting OLE2 files in one of the next stable releases. There are no plans for disinfecting other types of files. There are many reasons for it: cleaning viruses from files is virtually pointless these days. It is very seldom that there is anything useful left after cleaning, and even if there is, would you trust it?
- When using clamscan, is there a way to know which message within an mbox is infected?
- There are two solutions. Run:
clamscan --debug
and look for Deal with email number xxx. Alternatively, you can convert the mbox to Maildir format, run clamscan on it and then convert it back to mbox format. There are many tools available which can convert to and from Maildir format: formail, mbox2maildir and maildir2mbox.
- I’m running ClamAV + amavisd-new and get the following error in my mail log amavis: Clam Antivirus-clamd FAILED – unknown status:/var/lib/amavis/amavis-20060917T120205-21416/parts: lstat() failed. ERROR\n
amavis: WARN: all primary virus scanners failed, considering backups . What’s wrong?
- Please refer to Wiki.
- I’m running Qmail + Qmail-Scanner + ClamAV and get the following error in my mail logs: clamdscan: corrupt or unknown clamd scanner error or memory/resource/perms problem. What’s wrong with it?
- Please refer to Wiki.
- How do I use ClamAV with p3scan?
- Please refer to Wiki.
- What platforms does it support?
- Clam AntiVirus works with Linux®, Solaris, FreeBSD, OpenBSD, NetBSD, AIX, Mac OS X, Cygwin B20 on multiple architectures such as Intel, Alpha, Sparc, Cobalt MIPS boxes, PowerPC, RISC 6000.
- Where can I find more information about ClamAV?
- Please read the complete documentation in pdf/ps format. You will find it inside the package or in the documentation section of this website. You can also try searching the mailing list archives. If you can’t find the answer, you can ask for support on the clamav-users mailing-list, but please before doing it, search the archives! Also, make sure that you don’t send HTML messages and that you don’t top post: these violate the netiquette and lessen your chances of being answered.
- How can I contribute to the ClamAV project?
- There are many ways to help the ClamAV project.
Last updated: 10 Feb 2007
We try to keep the translated version of this website up to date, but this is not always possible. Please refer to the English version for the latest information.


