FAQ



Official FAQ

This is the official FAQ. For other FAQs, please visit the "Wiki":http://wiki.clamav.net/Main/FAQ. Please add more FAQs to the Wiki. The ClamAV team will keep an eye on that page and will add the best ones below.

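Upgrading ClamAV

  • How do I upgrade ClamAV?
    • Please see the Wiki. Anyone can edit that page; if you are an experienced system administrator, please contribute.
  • What does “Current functionality level = 1, required = 2” mean?
    • The functionality level of the virus database indicates the minimum scanner engine version required to use all of the signatures in the database. If you don't upgrade immediately, you will still be able to download the latest CVD updates, but the engine will not be able to use all of the signatures.
  • What does “Your ClamAV installation is OUTDATED” mean?
    • You get this message whenever a newer version of ClamAV than the one you are running is available. To detect the latest viruses you need not only the latest virus database but also the latest scanner. You can download the "sources" of the latest stable release from our website. For upgrade instructions see the "Wiki":http://wiki.clamav.net/Main/UpgradeInstructions. If you are afraid that upgrading from source will break something, use the "precompiled packages" that match your system. Remember: running the latest stable release also improves stability.
  • I have upgraded to the latest stable release, so why do I still get “Your ClamAV installation is OUTDATED”?
    • Make sure there is only one version installed on your system:
         $ whereis freshclam 
         $ whereis clamscan
    • Check whether old library files (libclamav.so*) are still present on your system. Use: $ ldd `which freshclam`
  • How do I verify the integrity of the ClamAV sources?
    • With GnuPG you can easily verify the authenticity of your download. Download Tomasz Kojm's "key":http://www.clamav.net/gpg/tkojm.gpg from the ClamAV website. Import the key into your local public keyring: $ gpg --import tkojm.gpg. Download the stable release and the corresponding .sig file into the same directory. Verify the downloaded package with Tomasz Kojm's key: $ gpg --verify clamav-X.XX.tar.gz.sig. Please note that the output must contain Good signature from Tomasz Kojm!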
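
When the verification step above is scripted, gpg's machine-readable status lines can be checked rather than the human-readable text. The following is an added example, not part of the ClamAV documentation: the function names, the sample status lines and the fingerprint are constructed placeholders, and the real fingerprint of the signing key is something you confirm yourself.

```shell
#!/bin/sh
# Added example (not from the ClamAV docs). Function names are hypothetical.

# sig_status_ok EXPECTED_FPR
# Reads `gpg --status-fd 1 --verify` output on stdin. Succeeds only when a
# VALIDSIG line names EXPECTED_FPR and no failure status was reported.
sig_status_ok() {
    # Normalise the fingerprint: drop spaces, upper-case the hex digits.
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v fpr="$expected" '
        $1 != "[GNUPG:]" { next }
        # VALIDSIG: field 3 is the signing key, last field the primary key.
        $2 == "VALIDSIG" && ($3 == fpr || $NF == fpr) { valid = 1 }
        # Policy choice: expired or revoked signing keys count as failures.
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        END { exit !(valid && !bad) }
    '
}

# verify_release SIGFILE EXPECTED_FPR
# SIGFILE sits next to the tarball, e.g. clamav-X.XX.tar.gz.sig.
# Fails closed: if gpg is missing or prints nothing, the check fails.
verify_release() {
    gpg --status-fd 1 --verify "$1" 2>/dev/null | sig_status_ok "$2"
}

# Constructed status lines for offline testing; the fingerprint is a placeholder.
PLACEHOLDER_FPR=0123456789ABCDEF0123456789ABCDEF01234567
GOOD_STATUS="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG $PLACEHOLDER_FPR 2007-02-10 1171100000 0 4 0 17 2 00 $PLACEHOLDER_FPR"
BAD_STATUS="[GNUPG:] NEWSIG
[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer <signer@example.invalid>"
```

Pinning the fingerprint matters here because the key and the tarball are fetched from the same website, so a "good signature" alone only shows that the two match each other.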

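Updating the ClamAV virus database

  • What does “WARNING: DNS record is older than 3 hours” mean?
    • freshclam tries to detect potential problems with DNS caches and falls back to the old mode if something looks wrong. If this message only appears occasionally, you can ignore it. If you get it every time you run freshclam, check your system clock. If the time is correct, check your DNS settings. If none of that helps, put
       host -t txt current.cvd.clamav.net; perl -e 'printf "%d\n", time;' 
      on the first line of your cron job. The 4th field of the first line should be less than 3 * 3600 behind the output of the second line. If not, you have a caching DNS server somewhere misbehaving.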
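  • How often is the virus database updated?
    • The virus database is usually updated many times a week. Check http://lurker.clamav.net/list/clamav-virusdb.html to see our response time to new threats. The virusdb team members do their best to keep the database up to date; when a new worm starts spreading, we usually update the database within an hour. You can help us by submitting samples through our web interface, which lets us update faster and more effectively.
  • How many times per hour should I run freshclam?
    • If you are using ClamAV 0.7x, please upgrade immediately! If you are using ClamAV 0.8x or later and your freshclam.conf contains the following settings:
         DNSDatabaseInfo current.cvd.clamav.net
         DatabaseMirror db.XY.clamav.net
         DatabaseMirror database.clamav.net
      (with XY replaced by your country code), you can update four times per hour. If you don't use these options, update once per hour.
  • I submitted a sample through the web interface and was told that ClamAV already recognizes it, but my clamscan does not. I have updated both the virus database and the engine. What is wrong?
    • Run clamscan --detect-broken, and check that freshclam and clamscan use the same path for reading and writing the virus database.
  • I found an infected file on my HD/floppy/mailbox, but ClamAV doesn't recognize it. Can you help me?
    • Our virus database is kept up to date with the help of the community. Whenever you find a virus that ClamAV does not detect, please "fill in this form":submit. Our virus database maintainers will review your submission and update the database. Before submitting, check that DatabaseDirectory is the same in clamd.conf and freshclam.conf, and update the database with freshclam.
  • How do I keep my virus database up to date?
    • ClamAV comes with freshclam, a program that updates the virus database periodically.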
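  • When I run freshclam I get the following error: Invalid DNS reply. Falling back to HTTP mode or ERROR: Can’t query current.cvd.clamav.net. What is wrong?
    • This is a problem with your DNS server. Check your /etc/resolv.conf settings and make sure you can resolve TXT records: $ host -t txt current.cvd.clamav.net. If you can't, something is wrong; you will still be able to update, but a lot of bandwidth will be wasted on checking for updates.
  • When I run freshclam I get the following error: ERROR: Connection with ??? failed. What should I do?
    • Either your DNS is not working or you are blocking traffic on port 53/tcp. You can check whether you can resolve the host name with: $ host database.clamav.net. If you can't, check your /etc/resolv.conf settings. If you can, check whether you are able to receive DNS packets larger than 512 bytes, for example by checking whether your firewall blocks packets coming from port 53/tcp. A simple test: $ dig @ns1.clamav.net db.us.big.clamav.net
  • How can I tell whether my IP has been blocked?
    • On the machine that runs freshclam, try to download daily.cvd with lynx or wget. Future versions of freshclam will provide a better way of handling this.
  • What is the mirrors.dat file?
    • mirrors.dat is used by freshclam to keep track of misbehaving mirrors. It prevents you from downloading CVD updates from a mirror that has failed several times within the last 24 hours.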
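  • I have many clients running ClamAV on my internal network. Can I run my own server for the .cvd files, so that not every client has to download updates from your servers?
    • Sure, there are two ways:
    • If you want to take advantage of incremental updates, install a proxy server and then configure your freshclam clients to use it (watch for the HTTPProxyServer parameter in man freshclam.conf).
    • The second way is to set up a local web server (for example machine1.mylan), run freshclam to download the .cvd files from http://database.clamav.net into the web server's document root, and change freshclam.conf on all clients to DatabaseMirror machine1.mylan and ScriptedUpdates off. The clients will then be able to update.
  • I can't wait for your update! I need to use my own signature right now. What do I do?
    • No problem, save your own signatures in a text file with the appropriate extension (see "signatures.pdf":/doc/latest/signatures.pdf) and put it in the directory containing the .cvd files. ClamAV will load it automatically after loading all the CVD files. You need not sign the .db file.
  • Can I download the virus database manually?
    • Yes, you can download it from the “Latest releases” section of our website.
  • I can't resolve current.cvd.clamav.net! Is the problem with your DNS server or mine?
    • current.cvd.clamav.net has only a TXT record, not a type A record! Try this command: $ host -t txt current.cvd.clamav.net. Please note that some non-RFC-compliant DNS servers (namely the one shipped with the SpeedTouch Alcatel 510 modem) can’t resolve TXT records. If that’s the case, please recompile ClamAV with the flag --enable-dns-fix.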
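
The comparison described under “WARNING: DNS record is older than 3 hours” can be automated. The following is an added example, not part of the ClamAV documentation: the function names are hypothetical, the sample record is constructed, and it assumes the TXT record is colon-separated with a Unix timestamp in the 4th field.

```shell
#!/bin/sh
# Added example (not from the ClamAV docs). Function names are hypothetical.
# Assumption: the TXT record is colon-separated and its 4th field is a Unix
# timestamp, which is the field the FAQ answer compares against the clock.

MAX_AGE=$((3 * 3600))    # the 3-hour limit from the warning text

# txt_record_age RECORD NOW -> prints NOW minus the record timestamp
txt_record_age() {
    record=$(printf '%s' "$1" | tr -d '"')    # DNS tools quote TXT data
    stamp=$(printf '%s' "$record" | cut -d: -f4)
    case "$stamp" in
        ''|*[!0-9]*) return 2 ;;              # field missing or not numeric
    esac
    echo $(( $2 - stamp ))
}

# check_dns_record RECORD NOW
# Returns 0 = fresh, 1 = stale (caching resolver), 2 = unparsable record,
# 3 = record is newer than the local clock (check the system time).
check_dns_record() {
    age=$(txt_record_age "$1" "$2") || return 2
    if [ "$age" -lt 0 ]; then
        echo "clock: local time is $(( -age ))s behind the record"
        return 3
    elif [ "$age" -ge "$MAX_AGE" ]; then
        echo "stale: record is ${age}s old"
        return 1
    fi
    echo "ok: record is ${age}s old"
}

# Constructed sample record (not a real DNS answer).
SAMPLE_RECORD='"0.90:42:2500:1171100000:1"'

# Live use (needs network access):
#   check_dns_record "$(dig +short txt current.cvd.clamav.net)" "$(date +%s)"
```

Running the check against several resolvers in turn shows which one is serving the stale answer.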

Troubleshooting crashes

  • I got an error message followed by report to http://bugs.clamav.net: can you fix this bug?
    • If you want us to fix the bug, you need to send us the error message and the file that triggered it. Without the file your report is totally useless for us. Despite what the error message says, the preferred way to submit bug reports is now to use our bugzilla interface.
  • ClamAV doesn’t work! It doesn’t add any header to the messages that transit on my mail server.
    • ClamAV itself is an antivirus and its job is to scan files, not to do fancy things with your mail’s headers. In order to use ClamAV with your MTA you need a content filter program. If you are using clamav-milter you can ask for help on our mailing lists. If you are using any other content filter, find the address of the official mailing-list (if any) or contact the author.
  • ClamAV crashes/hangs/doesn’t compile/doesn’t start. Did I find a bug?
    • Before reporting a bug, please download the latest SVN code and try to reproduce the bug with it. Chances are the bug you encountered has already been fixed. If you really feel like you found a bug, please visit our bugzilla interface. Before submitting your bug please check if a similar report is already present.
  • How do I start clamd at boot time?
    • If you installed ClamAV from a binary package or ports collection, you should already have a script that starts clamd at boot time. If you compiled ClamAV by yourself, then look in the contrib/init/ directory of the source package.
  • How do I automatically restart clamd when it dies?
    • Set up a cronjob which checks that clamd is up and running every XX minutes. You can find examples in the contrib/clamdmon/ and contrib/clamdwatch/ directories. You can also check clamd from the command prompt with a simple:
      echo PING|socat - /tmp/clamd 
  • What does SECURITY WARNING: NO SUPPORT FOR DIGITAL SIGNATURES mean?
    • The ClamAV package requires the GMP library to verify the digital signature of the virus database. When building ClamAV you need the GMP library and its headers: if you are using Debian just run apt-get install libgmp3-dev, if you are using an RPM based distribution install the gmp-devel package. You’ll need to rerun ./configure and recompile ClamAV.
  • How can I list the virus signature names contained in the database?
    • If you are using a recent version of ClamAV just run: $ sigtool --list-sigs
  • How do I know when database updates are released?
  • I found a false positive in ClamAV virus database. What shall I do?

Using the ClamAV mailing lists

  • Where can I ask questions about using ClamAV?
  • I want to take part in the development of ClamAV. Where can I get more info?
  • The mailing-lists generate too many messages per day. I can’t handle them. What shall I do?
    • There are two possible solutions: – Go to the mailing-list mailman interface, click on Unsubscribe or edit options, and turn digest mode on – access the mailing-lists using a news reader
  • I sent a message to one of ClamAV’s mailing-lists, but the mail was rejected/held for approval. Why?
    • Only subscribers are allowed to post to the mailing-list. This is done to avoid spammers. Please check that your outgoing messages start with a line like the following: Return-Path: me@mydomain.com where me@mydomain.com is the mail account which you used to subscribe to the mailing-list. You can subscribe multiple times, with different mail addresses, and disable mail delivery. You will be able to post to the mailing-lists by putting any of those addresses in Return-Path.
  • I read the mailing-list from the Gmane news gateway. Can I post to the mailing-list?
    • See previous FAQ.
  • I’ve been unsubscribed from one of the mailing-lists. What happened?
    • There are two possible reasons: If your account generates too many bounces you’ll be automatically unsubscribed. Please subscribe again with a more reliable account. If we receive even one out of office notification from your vacation program, your address will be unsubscribed and banned from our mailing-lists forever. Sorry for that, there are just too many stupid people out there.
  • How do I disable mail delivery from the mailing-list I’m subscribed to?
    • Suppose you are subscribed to clamav-users. Go to http://lists.clamav.net/mailman/listinfo/clamav-users and enter your mail address at the bottom of the page. Click on Unsubscribe or edit options. At the next page enter your password and press Log in. Under Your clamav-users Subscription Options choose Disabled opposite Mail delivery and press Submit My Changes at the bottom of the page.

Miscellaneous

  • Can phishing be considered one kind of spam? ClamAV should not detect it as some kind of malware.
    • Starting from release 0.90, ClamAV allows you to choose whether to detect phish as some kind of malware or not. This should put an end to the endless threads on our mailing lists. So long, and thanks for all the phish.
  • Can I convert the new database format to the old one?
    • Yes, install a recent version of sigtool and run: sigtool --unpack-current daily.cvd; sigtool --unpack-current main.cvd
  • How do I read inside the CVD files?
    • See previous FAQ.
  • I’m using ClamAV in a production environment and a brand new virus is not being recognized by ClamAV. How long do I have to wait before ClamAV can start filtering the virus?
    • No time at all! Find a signature for that virus and modify your virus database accordingly (see signatures.pdf in the doc/ dir). Remember to submit the sample to the virusdb team.
  • Why is ClamAV calling the XXX virus with another name?
    • This usually happens when we add a signature before other AV vendors. No well-known name is available at that moment so we have to invent one. Renaming the virus after a few days would just confuse people more, so we usually keep on using our name for that virus. The only exception is when a new name is established soon after the signature addition.
  • I get many false positives of Oversized.zip
    • Whenever a file exceeds ArchiveMaxCompressionRatio (see clamd.conf man page), it’s considered a logic bomb and marked as Oversized.zip . Try increasing your ArchiveMaxCompressionRatio setting.
  • Can ClamAV disinfect files?
    • No, it can’t. We will add support for disinfecting OLE2 files in one of the next stable releases. There are no plans for disinfecting other types of files. There are many reasons for it: cleaning viruses from files is virtually pointless these days. It is very seldom that there is anything useful left after cleaning, and even if there is, would you trust it?
  • When using clamscan, is there a way to know which message within an mbox is infected?
    • There are two solutions: Run clamscan --debug and look for Deal with email number xxx. Alternatively, you can convert the mbox to Maildir format, run clamscan on it and then convert it back to mbox format. There are many tools available which can convert to and from Maildir format: formail, mbox2maildir and maildir2mbox.
  • I’m running ClamAV + amavisd-new and get the following error in my mail log amavis: Clam Antivirus-clamd FAILED – unknown status:/var/lib/amavis/amavis-20060917T120205-21416/parts: lstat() failed. ERROR\n amavis: WARN: all primary virus scanners failed, considering backups . What’s wrong?
    • Please refer to Wiki.
  • I’m running Qmail + Qmail-Scanner + ClamAV and get the following error in my mail logs: clamdscan: corrupt or unknown clamd scanner error or memory/resource/perms problem. What’s wrong with it?
    • Please refer to Wiki.
  • How do I use ClamAV with p3scan?
    • Please refer to Wiki.
  • What platforms does it support?
    • Clam AntiVirus works with Linux®, Solaris, FreeBSD, OpenBSD, NetBSD, AIX, Mac OS X, Cygwin B20 on multiple architectures such as Intel, Alpha, Sparc, Cobalt MIPS boxes, PowerPC, RISC 6000.
  • Where can I find more information about ClamAV?
    • Please read the complete documentation in pdf/ps format. You will find it inside the package or in the documentation section of this website. You can also try searching the mailing list archives. If you can’t find the answer, you can ask for support on the clamav-users mailing-list, but please before doing it, search the archives! Also, make sure that you don’t send HTML messages and that you don’t top post: these violate the netiquette and lessen your chances of being answered.

Last update: Feb 10th, 2007

We will try to keep the Chinese version up to date; for the latest content, please see the English version.