Hello

I am using

clamdscan --verbose --config-file=clamd.conf /spam/*

in clamd.conf I have this
OfficialDatabaseOnly yes

but I receive this

/spam/NEWENQUIRYpdf.zip: Sanesecurity.Foxhole.Zip_exe.UNOFFICIAL FOUND

why OfficialDatabaseOnly yes is fully ignored ?

Thank you

Hello, got this warning on CentOS 7 with clamd 0.101:

WARNING: Ignoring deprecated option DetectBrokenExecutables at /etc/clamd.d/scan.conf

Not a big deal but would be nice to fix in future releases :) Thanks!

Hi,

I am recieving this error during puppet run:

Error: Could not unmask clamav:
Error: /Stage[main]/Clamav::Clamd::Service/Service[clamav::clamd]/ensure: change from stopped to running failed: Could not unmask clamav:

I'm unsure whether this a bug or my configuration, any advice greatly appreciated.

On a puppetrun I get the following message when the ClamAV Daemon wants to start

May 5 14:01:43 mailscan-02 systemd[1]: Started Clam AntiVirus userspace daemon.
May 5 14:01:44 mailscan-02 clamd[18391]: ERROR: Incorrect argument format for option AlgorithmicDetection
May 5 14:01:44 mailscan-02 clamd[18391]: ERROR: Can't open/parse the config file /etc/clamav/clamd.conf

A default config from the ClamAV installation works well.

Hi! Is it possible to toggle epel repo management? Seems like epel gets installed no matter what on RHEL. My environment already has a local Satellite 6 EPEL mirror.
Thanks

I haven't had time to test more than that, but I found out that clamd fails to start when using this module. It may be caused by the fact that systemd has replaced init in this distro. I don't know Debian much though.

Currently "running" is the only option for clam and freshclam. While it may not make sense in a lot of environments not to have these running, in my environment, I don't have both daemons running. It'd be nice to be able to specify running or not:

service { 'clamd':
28 ensure => running,
29 name => $clamd_service,
30 enable => true,
Puppet
manifests/freshclam.pp

32 if $freshclam_service {
33 service { 'freshclam':
34 ensure => running,
35 name => $freshclam_service,

Latest update to clamav-milter makes the daemon run using the right SELinux context, but it's not included in the policy, so I can't use a tcp socket anymore, so I finally found how to make the unix socket work.

  clamav_milter_options    => {
    'AddHeader'            => 'add',
    'OnInfected'           => 'Reject',
    'RejectMsg'            => 'Message rejected: Infected by %v',
    'MilterSocket'         => 'unix:/var/run/clamav-milter/clamav-milter.socket',
    'MilterSocketGroup'    => 'postfix',
    'MilterSocketMode'     => '660',
  },

  manage_clamd             => true,
  manage_user              => false,
  manage_freshclam         => true,
  manage_clamav_milter     => true,
  clamd_service_ensure     => 'running',
  freshclam_service_ensure => 'stopped',
  }

  file{ '/var/run/clamav-milter':
    ensure   => directory,
    group   => 'postfix',
    require => Package[['clamav_milter'],['postfix']],
  }

  user { 'clamilt':
    groups => 'postfix',
    require => Package[['clamav_milter'],['postfix']],
  }

To allow postfix to communicate with clamav-milter through an unix socket, it needs x permissions on the parent folder and rw permission on the socket file. The permissions on the socket file are determined in the clamav_milter_options block, but for the parent folder I had to create a file directive. The user directive is there because a user must be part of the group it wants to change something to.

Hello,

I'm running you plugin on debian 8. just figure out that freshclam can't create the pid file into /var/run/clamav/. this folder is owned by root and freshclam run a user clamav.

Anyway this isn't needed when we use systemd according to :
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=804132

I checked this PR :
https://github.com/edestecd/puppet-clamav/pull/38/commits

Does this fixed also this issue ?

Hi,

I am currently in the process of trying to install clamd on a RHEL7 machine but I can't find a module that is compatible with this version. Do you have any plans for making this module compatible. I can offer some help. However, I'm not too familiar with git and github.

I was looking at using this module and decided it needed some tests so was going to write them. As I looked at the module in more detail all of your subclasses inherit clamav::params and set the defaults from there, but it appears this module is intended to be called from the main class and override any defaults there. How do you intend this module to be used? Main class and set params or call each subclass individually?

On Debian 9 (stretch) clamd can not start because the AllowSupplementaryGroups option in clamd.conf does not exist anymore as you can see here from the clamd log file:

clamd[8822]: ERROR: Parse error at line 6: Unknown option AllowSupplementaryGroups

Use a puppetlabs module as an example and for god sakes use module sync!

The newest implementation of clamav separates the on-access file scanning from clamd and moves it into clamonacc.

This needs to be configured as a service and running, it uses the clamd.conf for its parameters as well.

All that would need to be done here is add the parts to make the service startup as boot, like clamd.

The freshclam service is not run by cron (as mentioned in freshclam.pp), så systems end up with the signatures from installation time or no signatures at all.

Reason for that is that the service as coming from the epel is set to disabled, and it's named clamav-freshclam, not freshclam (as the module assumes).

That means freshclam_service_enable and freshclam_service_ensure don't have the expected effect when set.

Solution: make the service name a variable that depends on OS version and major, and set it to clamav-freshclam in RHEL8, then use that as the service name instead of the hard-coded string "freshclam".

Hi @edestecd 👋

We're wondering whether or not this module is still maintained. In case you're looking for a new maintainer, we would be interested to take over maintainership:
https://github.com/markt-de/
https://forge.puppet.com/modules/markt

Frank

I'd like to comment out the LogFile option in clamd config file. I looked at the template file, but I don't know what the .delete means or how it can be called.

Thanks,

Hi guys,

the option "AllowSupplementaryGroups" is not supported anymore since the ClamAV version 0.99.2+dfsg-0+deb8u1 on debian. (leapcode/leap_platform#106)
Which says:

clamav (0.99.2+dfsg-0+deb8u1) stable; urgency=medium

* Import new Upstream.
* Drop AllowSupplementaryGroups option which is default now (Closes: #822444).

Could you fix that in your module please?

regards

Since you mentioned being swarmed with work, maybe we can move this module to voxpupuli so more eyes can keep it up to date and I think this module is usefull for the community.

https://voxpupuli.org/docs/#migrating-a-module-to-voxpupuli

What do you think ?

Hi,

I'm testing this module and found that some parameters in freshclam.conf are not changing to values in Hiera.
I tried this:

clamav::manage_clamd: true
clamav::manage_freshclam: true

clamav::clamd_options:
MaxScanSize: 500M
MaxFileSize: 150M
clamav::freshclam_options:
LogTime: yes
HTTPProxyServer: myproxy.proxy.com
HTTPProxyPort: 80
NotifyClamd: /etc/clamd.conf
DatabaseMirror: clam.host1.mydomain.com
DatabaseMirror: clam.host2.mydomain.com

DatabaseMirror database.clamav.net

Would that be possible to have even multple lines configured dynamicaly as DatabaseMirror in hiera?

Br,
/Istvan

OS version is checked in params.
We are using Ubuntu versioning, but should also support Debian.

The clamav-daemon service needs the signature file to start (created by clamav-freshclam). Sometimes it takes more than 1 minute since clamav-freshclam is started for the first time.

Please wait 2 minutes between:

sudo service clamav-freshclam restart
sudo service clamav-daemon start

Is it possible for the module to do this, so that service clamav-freshclam starts first, then 2 minutes later clamav-daemon

Thanks

I'm passing a fact array via ENC to clamd_options for ExcludePath

In RHEL7 (ruby 2.0.0.648-29):

ExcludePath <path1>
ExcludePath <path2>

In RHEL6 (ruby 1.8.7.374-5):

ExcludePath <path1><path2>

RHEL7 above is the intended behavior I'm seeking. However, I'm still investigating as to why this occurs. In both cases I'm running puppet 3.8.6-2

Hi,

Would it be possible to add clamav-milter support to this module? I personnaly use clamav mostly for mail servers and this module only lacks clamav-support to be able to add virus scanning to postfix or sendmail.

The following happens on Ubuntu 17.04 after a successfull Puppetrun.

May 5 14:01:43 mailscan-02 mkdir[18384]: /bin/mkdir: cannot create directory '/run/clamav': File exists

Hi Chris,

Sorry if bother with this question but I ma news in the puppet world. I want to know the way to configure the module in red hat satellite or foreman. I don't understand the way in which I have to configure the module to work. How is the process to add the parameters you mention in the module?

Hi,
I have notice the following issue while applying the puppet-clamav

Error: Could not set uid on user[clamav]: Execution of '/usr/sbin/usermod -u 496 clamav' returned 8: usermod: user clamav is currently used by process 13666

Error: /Stage[main]/Clamav::User/User[clamav]/uid: change from 114 to 496 failed: Could not set uid on user[clamav]: Execution of '/usr/sbin/usermod -u 496 clamav' returned 8: usermod: user clamav is currently used by process 13666

Debug: Class[Clamav::User]: The container Stage[main] will propagate my refresh event
Notice: /Stage[main]/Clamav/Package[clamav]: Dependency User[clamav] has failures: true
Warning: /Stage[main]/Clamav/Package[clamav]: Skipping because of failed dependencies

From my perspective it looks like puppet firstly start the daemon and then tries to change privileges on the user.
I have workaround this by not installing clamav::clamd class ( cause I do not need it anyway)

version: OS
Distributor ID: Ubuntu
Description: Ubuntu 14.04.1 LTS
Release: 14.04
Codename: trusty

Version puppet:
Version: 3.4.3-1ubuntu1

However I just wanted you to know.
Thanks for a good job.

Regards
Jaroslaw Wojciechowski

Hi Dear,

Is necessary create the link 'ln -s /etc/clamd.d/scan.conf /etc/clamd.conf', but have error 'ERROR: Can't parse clamd configuration file /etc/clamd.conf'

I'm seeing the _header.erb contents included twice in /etc/freshclam.conf and /etc/sysconfig/freshclam.
I think the problem stems from using ERB.new(...).result(binding) to render the included template directly, instead of scope.function_template(...).

The problem only seems to occur when applying via puppet agent, for some reason using puppet apply on the same catalog doesn't include the header twice.

I've locally found that the replacing the call as in the diff below gets identical and correct behaviour with both puppet apply and puppet agent:

diff --git a/modules/clamav/templates/clamav.conf.erb b/modules/clamav/templates/clamav.conf.erb
index cdd5ce6..b8d2ead 100644
--- a/modules/clamav/templates/clamav.conf.erb
+++ b/modules/clamav/templates/clamav.conf.erb
@@ -1,4 +1,4 @@
-<%= ERB.new(File.read(File.expand_path("_header.erb",File.dirname(file)))).result(binding) -%>
+<%= scope.function_template([File.expand_path("_header.erb",File.dirname(file))]) -%>
 
 <% @config_options.sort.each do |k,v| -%>
 <% Array(v).each do |av| -%>
diff --git a/modules/clamav/templates/sysconfig/freshclam.erb b/modules/clamav/templates/sysconfig/freshclam.erb
index 967280b..8fdfab1 100644
--- a/modules/clamav/templates/sysconfig/freshclam.erb
+++ b/modules/clamav/templates/sysconfig/freshclam.erb
@@ -1,3 +1,3 @@
-<%= ERB.new(File.read(File.expand_path("_header.erb",File.dirname(File.dirname(file))))).result(binding) -%>
+<%= scope.function_template([File.expand_path("_header.erb",File.dirname(File.dirname(file)))]) -%>
 
 FRESHCLAM_DELAY=<%= @freshclam_delay %>

Hi,
The module is really working great and I only have a small issue:

The configuration file /etc/clamav/freshclam.conf is every second time changing. The parameters have the same values but the order inte the created file based on the template does not "settle".
This makes machines their configurations continuoly changing.

I've tested this code change on Ubuntu and it sorts the file contents by the first key.
Testing was dome with 3.4.3.

The change was done in freshclam.conf.Debian.erb.

-<% @config_options.each do |k,v| -%>
+<% @config_options.sort.each do |k,v| -%>
Cheers,
/István

Ubuntu 12.04 is EOL and 16.04 is there. It may be the time to add 16.04 support (with tests) and remove 12.04 from the list. The clamav-milter part has been tested manually on 16.04.

clamd and freshclam ensure can be set but enable can't, so they will always start on boot. enable param should also be settable.