clamav-alpine's Introduction

ClamAV scanning Docker container based on Alpine

This container gives you a very simple way to scan a mounted directory using clamscan.

It always updates the ClamAV database with the standard freshclam before running clamscan. If the local database is already up to date, freshclam confirms that and the scan continues.

How-To

Usage

Using this image is fairly straightforward.

Pay attention to -v /path/to/scan: this is the host directory that is mounted read-only (:ro) at /scan, and it is the directory this Docker image will scan.

docker run -it \
  -v /path/to/scan:/scan:ro \
  tquinnelly/clamav-alpine -i

Use -d instead of -it if you want to detach and move along.

Post-Args

I took the liberty of including -i by default. You can, however, add any other clamscan options you desire.

  • -i - Only print infected files
  • --log=FILE - save scan report to FILE
  • --database=FILE/DIR - load virus database from FILE or load all supported db files from DIR
  • --official-db-only[=yes/no(*)] - only load official signatures
  • --max-filesize=#n - files larger than this will be skipped and assumed clean
  • --max-scansize=#n - the maximum amount of data to scan for each container file
  • --leave-temps[=yes/no(*)] - do not remove temporary files
  • --file-list=FILE - scan files from FILE
  • --quiet - only output error messages
  • --bell - sound bell on virus detection
  • --cross-fs[=yes(*)/no] - scan files and directories on other filesystems
  • --move=DIRECTORY - move infected files into DIRECTORY
  • --copy=DIRECTORY - copy infected files into DIRECTORY
  • --bytecode-timeout=N - set bytecode timeout (in milliseconds)
  • --heuristic-alerts[=yes(*)/no] - toggles heuristic alerts
  • --alert-encrypted[=yes/no(*)] - alert on encrypted archives and documents
  • --nocerts - disable authenticode certificate chain verification in PE files
  • --disable-cache - disable caching and cache checks for hash sums of scanned files

Volumes

I only have the /scan directory noted above. You can add others in conjunction with the post-args as well.

Save AV Signatures

  • -v /path/to/sig:/var/lib/clamav

Infected Dir

  • -v /path/to/infected:/infected
  • Then you can use either the --move or --copy post-arg above.

Examples

Here are some examples of various configurations.

This is the one I run. I pin it to 2 cores of my CPU so as not to cripple my host. I also log to the DB directory and limit the scanned file size to 2G.

docker run -d --name=ClamAV \
  --cpuset-cpus='0,1' \
  -v /path/to/scan:/scan:ro \
  -v /path/to/sig:/var/lib/clamav:rw \
  tquinnelly/clamav-alpine -i --log=/var/lib/clamav/log.log --max-filesize=2048M

Expected Output

# docker run -it -v /path:/scan:ro tquinnelly/clamav-alpine -i

2022-07-10T13:05:10+00:00 ClamAV process starting

Updating ClamAV scan DB
ClamAV update process started at Sun Jul 10 13:05:10 2022
daily database available for download (remote version: 26597)
Testing database: '/var/lib/clamav/tmp.c94c177031/clamav-5960cb40f091d042fdbe87b6656dc482.tmp-daily.cvd' ...
Database test passed.
daily.cvd updated (version: 26597, sigs: 1989376, f-level: 90, builder: raynman)
main database available for download (remote version: 62)
Testing database: '/var/lib/clamav/tmp.c94c177031/clamav-f97772d5bbd6c13c61c4ea14c3ebeb86.tmp-main.cvd' ...
Database test passed.
main.cvd updated (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
bytecode database available for download (remote version: 333)
Testing database: '/var/lib/clamav/tmp.c94c177031/clamav-5ce3fe7b3dd82e9d6f61c4d68dde2ab0.tmp-bytecode.cvd' ...
Database test passed.
bytecode.cvd updated (version: 333, sigs: 92, f-level: 63, builder: awillia2)

Freshclam updated the DB

ClamAV 0.104.3/26597/Sun Jul 10 07:56:43 2022

Scanning /scan

----------- SCAN SUMMARY -----------
Known viruses: 8621438
Engine version: 0.104.3
Scanned directories: 3171
Scanned files: 16683
Infected files: 0
Data scanned: 3131.81 MB
Data read: 3120.78 MB (ratio 1.00:1)
Time: 375.514 sec (6 m 15 s)
Start Date: 2022:07:10 13:05:53
End Date:   2022:07:10 13:12:08

2022-07-10T13:12:08+00:00 ClamAV scanning finished
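
The summary above is what a healthy run looks like. A summary showing 0 known viruses or 0 scanned files, or a log containing LibClamAV Error lines, should not be counted as a clean scan even though the container finished. The check below is an added example, not part of the clamav-alpine project; it assumes the container output was saved to a file, and the function names summary_field and check_scan are made up for illustration.

```sh
#!/bin/sh
# Added example (not from the clamav-alpine project): decide whether a scan
# log can be trusted. LOGFILE is assumed to hold the container's captured
# output, e.g. from `docker logs ClamAV > scan.log`.

# summary_field LOGFILE NAME: print the integer from the last "NAME: n" line,
# or -1 if absent. The last match wins because --log appends across runs.
summary_field() {
    awk -F': *' -v key="$2" '
        $1 == key { val = $2 + 0; found = 1 }
        END       { print (found ? val : -1) }' "$1"
}

# check_scan LOGFILE: print a verdict; return 0 clean, 1 infected, 2 untrusted.
check_scan() {
    log=$1
    [ -r "$log" ] || { echo "UNTRUSTED: cannot read $log"; return 2; }
    sigs=$(summary_field "$log" "Known viruses")
    files=$(summary_field "$log" "Scanned files")
    infected=$(summary_field "$log" "Infected files")

    if [ "$sigs" -lt 0 ] || [ "$files" -lt 0 ] || [ "$infected" -lt 0 ]; then
        echo "UNTRUSTED: no complete SCAN SUMMARY (scan never ran?)"; return 2
    fi
    if [ "$sigs" -eq 0 ]; then
        echo "UNTRUSTED: 0 signatures loaded, database missing or not updated"; return 2
    fi
    if [ "$files" -eq 0 ]; then
        echo "UNTRUSTED: 0 files scanned, check the /scan mount"; return 2
    fi
    # Detections are reported even if the engine also logged errors.
    if [ "$infected" -gt 0 ]; then
        echo "INFECTED: $infected file(s) flagged"; return 1
    fi
    if grep -q 'LibClamAV Error' "$log"; then
        echo "UNTRUSTED: engine errors logged, some files may be unscanned"; return 2
    fi
    echo "CLEAN: $files files checked against $sigs signatures"; return 0
}

# Constructed sample: a summary with no signatures and no files scanned.
demo=$(mktemp)
printf '%s\n' 'Known viruses: 0' 'Scanned files: 0' 'Infected files: 0' > "$demo"
check_scan "$demo" || echo "exit status: $?"
rm -f "$demo"
```

Wire the return code into whatever sends your scan notification, so that an untrusted run is not reported as a success.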

Supported Tags | Versions

Tag    | ClamAV Version | Alpine Version
latest | 1.2.2-r0       | 3.19
edge   | 1.2.2-r0       | Edge

History

  • Updated ClamAV to 1.2.2-r0 on latest and edge
  • Updated openssl to 3.1.4-r3 on latest and edge to mitigate CVE-2023-6129
  • Updated ClamAV to 1.2.1-r0 on latest and edge
  • Updated scan.sh to fix the new line issue
  • Updated edge and latest Dockerfiles to remove hardcoded ClamAV version
  • Updated latest to Alpine 3.18
  • Updated ClamAV to 1.10-r0 on latest and edge
  • Updated ClamAV to 1.0.1-r0 on edge
  • Updated ClamAV to 0.105.2-r0 on latest
  • Updated latest to Alpine 3.17
  • Updated ClamAV to 0.105.1-r0
  • Updated ClamAV to 0.104.4-r1 on edge
  • Updating latest to Alpine 3.16
  • Updating ClamAV to 0.104.3-r0 on latest and edge
  • Updating packages for vuln scan
  • Reorganizing commands
  • Bump edge version for clamav to 0.104.1-r0
  • Bump edge version for clamav to 0.103.3-r1
  • Bump version for clamav 0.103.3-r0
  • Bump version for clamav 0.103.2-r0
  • Pull Requests
    • Added Upgrade openssl
    • Added ca-certificates package
  • Bump version for clamav 0.103.0-r1
  • Bump version for clamav 0.102.4-r1
  • Bump version for clamav 0.102.3-r0
  • Added unrar and unrar libs
  • Bump version for clamav 0.102.1-r0

clamav-alpine's People

Contributors

dependabot[bot], techie2000, tquizzle

clamav-alpine's Issues

Clamav with Nextcloud

NC keeps asking for the default streamlength yet this doesn't seem to be a confinable variable. I set the max file size to 400M using the variables and 419430400 bytes in NC. No joy, any ideas?


Support for ClamAV Version 1.0?

Recently I've been getting this error while scanning some files

LibClamAV Warning: crtmgr_rsa_verify: verification failed: fp_exptmod failed with 1

Looks like it was addressed in ClamAV itself in an issue here: Cisco-Talos/clamav#604

Only problem with that is that it looks like the merge is only going to be supported for version 1.0 as per this merge from October: Cisco-Talos/clamav#727 (comment)

So was mainly wondering if there are any current plans to or if it would be feasible to add support for/update to ClamAV Version 1.0?

[Question] How would I give my pc/Docker more time to pull the database?

Every time I build the database it seems like the container gets stuck at a different place when pulling the database.

Example:
Time: 4.7s, ETA: 4.0s [=============> ] 55.22MiB/101.46MiB
Personally I think that this has to do with the connection timeout. How would I increase for example the ReceiveTimeout property from the config?

This only happens when I build my own image. When I pull this image:
docker run -it -v /opt:/scan:ro tquinnelly/clamav-alpine -i
The download does get completed. But I would like to make my own Image.

Use of optional parameter?

Can you expose an optional parameter --file-list=FILE - scan files from FILE? More details on https://www.clamav.net/documents/scanning

Why? I have multiple /mnt/points/and/many/folders/hundreds of thousands of files/ and would ideally define a file which contains the much smaller subset of /mnt/point/folders I want to have scanned.

Currently it takes over a day to scan all the files and thrashes my poor drives for the duration!

DB not updating and no files scanned

After the latest updates, the ClamAV database is no longer updating, and it's not scanning any files.

Digest: sha256:c165d10772857a9003ca4b44314241372065fcda81f62cccb943039058ab95d7
Status: Downloaded newer image for tquinnelly/clamav-alpine:latest
----------- SCAN SUMMARY -----------
Known viruses: 0
Engine version: 0.102.1
Scanned directories: 0
Scanned files: 0
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 0.003 sec (0 m 0 s)

3 libraries with 9 high CVE's

+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
|   LIBRARY    | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| libcrypto1.1 | CVE-2021-23839   | HIGH     | 1.1.1i-r0         | 1.1.1j-r0     | openssl: incorrect SSLv2              |
|              |                  |          |                   |               | rollback protection                   |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23839 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-23840   |          |                   |               | openssl: integer                      |
|              |                  |          |                   |               | overflow in CipherUpdate              |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23840 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-23841   |          |                   |               | openssl: NULL pointer dereference     |
|              |                  |          |                   |               | in X509_issuer_and_serial_hash()      |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23841 |
+--------------+------------------+          +                   +               +---------------------------------------+
| libssl1.1    | CVE-2021-23839   |          |                   |               | openssl: incorrect SSLv2              |
|              |                  |          |                   |               | rollback protection                   |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23839 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-23840   |          |                   |               | openssl: integer                      |
|              |                  |          |                   |               | overflow in CipherUpdate              |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23840 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-23841   |          |                   |               | openssl: NULL pointer dereference     |
|              |                  |          |                   |               | in X509_issuer_and_serial_hash()      |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23841 |
+--------------+------------------+          +                   +               +---------------------------------------+
| openssl      | CVE-2021-23839   |          |                   |               | openssl: incorrect SSLv2              |
|              |                  |          |                   |               | rollback protection                   |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23839 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-23840   |          |                   |               | openssl: integer                      |
|              |                  |          |                   |               | overflow in CipherUpdate              |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23840 |
+              +------------------+          +                   +               +---------------------------------------+
|              | CVE-2021-23841   |          |                   |               | openssl: NULL pointer dereference     |
|              |                  |          |                   |               | in X509_issuer_and_serial_hash()      |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23841 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+

Critical error with current release

I posted this error in the support thread but thought it wouldn’t hurt to post the issue here as well. After the most recent update I’m getting this error flooding my logs-
LibClamAV Error: CRITICAL: fmap() failed

I still get notifications that the scan completed successfully even though it appears to be failing.

There are multiple reports of this in the support thread. It seems to have been an issue which was fixed previously in ClamAV but perhaps there is some regression?

max file size doesn't work in post arguments

logs:

08/12/2023 7:11:19 PM
ERROR: Incorrect argument format for option --max-filesize
08/12/2023 7:11:19 PM
ERROR: Can't parse command line options

my command line is

-i --cross-fs=yes -alert-encrypted=yes --max-filesize=2G --move /infected --bell
