Freshclam updates the virus definitions. The database version is checked with a DNS query for the TXT record of current.cvd.clamav.net: the clamav.net DNS server replies with all the information Freshclam needs (e.g., the latest database versions and the address of a mirror from which to download them) in that record. DNS answers are not authenticated, so this check only tells Freshclam whether a newer file exists; the integrity of what is downloaded rests on the digital signature of the database files, described below.
Two files make up the virus database:
main.cvd
Contains most virus definitions (about 58,000 signatures)
daily.cvd
Contains the latest virus definitions (about 2,000 signatures)
The databases carry an RSA digital signature (verified in ClamAV with the GNU Multiple Precision (GMP) arithmetic library) to ensure file integrity; a corrupted or tampered .cvd file fails verification and is rejected by Freshclam. Use sigtool (provided with ClamAV) to verify the signature of a database file manually:
[julien@asus ~]$ sigtool -i /var/lib/clamav/main.cvd
Build time: 09 Jun 2006 22-19 +0200
Version: 39
# of signatures: 58116
Functionality level: 8
Builder: tkojm
MD5: a9a400e70dcbfe2c9e11d78416e1c0cc
Digital signature: 0s12V8OxLWO95fNNv+kTxj7CEWBW/1TKOGC7G4RelhogruBYw8dJeIX2+yhxex/XsLohxoEuXxC2CaFXiiTbrbvpK2USIxkpn53n6LYVV6jKgkP5sa08MdJE7cl29H1slfCrdaevBUZ1Z/UefkRnV6p3iQVpDPsBwqFRbrem33b
Verification OK
sigtool can also list the signatures contained in a database file (there are tens of thousands, so pipe the output through less):
[julien@asus ~]$ sigtool -l /var/lib/clamav/main.cvd | less
[...] Ailbone.1536.B Ailbone.1536 Trojan.AIMSpammer AIM-Xtreme [...]
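The version check described above can be reproduced by hand. The following script is an added example, not code from the book or from the ClamAV project: it reads the TXT record of current.cvd.clamav.net (a colon-separated list whose first field is the current ClamAV release and whose second and third fields are the current main.cvd and daily.cvd versions), extracts the local versions from the "Version:" line that sigtool -i prints, and reports which file is behind. The record and sigtool output used for the offline run are constructed sample data; the trailing fields of the sample record are placeholders.

```shell
#!/bin/sh
# Added example (not from the book or from ClamAV): freshclam's DNS-based
# version check, done by hand. Fields 2 and 3 of the TXT record are the
# current main.cvd and daily.cvd versions; field 1 is the ClamAV release.

# Extract the version number from `sigtool -i FILE` output read on stdin.
cvd_version() {
    sed -n 's/^Version: *\([0-9][0-9]*\) *$/\1/p' | head -n 1
}

# Field $2 (1-based) of the colon-separated TXT record passed as $1.
txt_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# Compare database $1 at local version $2 with advertised version $3.
# Prints a verdict; returns 0 if current, 1 if outdated, 2 if undecidable.
check_db() {
    for v in "$2" "$3"; do
        case "$v" in
            ''|*[!0-9]*)
                echo "$1: cannot determine versions (local '$2', current '$3')"
                return 2 ;;
        esac
    done
    if [ "$2" -ge "$3" ]; then
        echo "$1: local $2, current $3: up to date"
        return 0
    fi
    echo "$1: local $2, current $3: OUTDATED"
    return 1
}

# Live check: needs dig and sigtool, and the files in /var/lib/clamav.
check_live() {
    txt=$(dig +short TXT current.cvd.clamav.net | tr -d '"')
    main_local=$(sigtool -i /var/lib/clamav/main.cvd | cvd_version)
    daily_local=$(sigtool -i /var/lib/clamav/daily.cvd | cvd_version)
    check_db main.cvd "$main_local" "$(txt_field "$txt" 2)"
    check_db daily.cvd "$daily_local" "$(txt_field "$txt" 3)"
}

# Constructed sample data for an offline run: a record advertising main 39 and
# daily 1580 (trailing fields are placeholders) and the `sigtool -i` output of
# a local daily.cvd that is still at version 1578.
SAMPLE_TXT='0.88.3:39:1580:0:0:0'
SAMPLE_DAILY_INFO='Build time: 29 Jun 2006 18-20 +0200
Version: 1578
# of signatures: 2615
Functionality level: 8
Builder: ccordes'

demo() {
    check_db main.cvd 39 "$(txt_field "$SAMPLE_TXT" 2)"
    check_db daily.cvd "$(printf '%s\n' "$SAMPLE_DAILY_INFO" | cvd_version)" \
        "$(txt_field "$SAMPLE_TXT" 3)"
}

# "live" queries DNS and the real files; anything else runs the offline demo.
if [ "${1:-demo}" = live ]; then check_live; else demo; fi || echo 'run freshclam to update'
```

Run it with the argument live on a host that has dig and sigtool to compare the real files; without arguments it works on the constructed data and flags daily.cvd as outdated. The TXT record tells you only that a newer version exists; the file you then fetch still has to pass the signature check shown above.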
Freshclam can run interactively or as a daemon. It reads its configuration from /etc/freshclam.conf. The main options are:
DatabaseOwner
Freshclam drops its privileges to the user clamav by default, as the other ClamAV daemons do. If you want to run it as another user (for example because the database directory belongs to another account), change this field to the new username.
DatabaseDirectory
The two database files take less than 6 MB; the default path is usually the one to use.
DatabaseMirror
Set this field to a mirror located in your country, db.XY.clamav.net where XY is the two-letter country code; for the United States, the address is db.us.clamav.net. The option can be given several times, and the usual practice is to list the local mirror first and database.clamav.net as a fallback.
Checks
This specifies how many times a day Freshclam checks the database version when run as a daemon. The default value is 12 times a day. It can be changed to 24 (once an hour).
NotifyClamd
Freshclam can issue the RELOAD command to clamd (see the section "Clamd Commands" later in this chapter) after updating the database. If clamd is not installed or not used on the system, disable this option by commenting it out. Otherwise, enable it so that clamd keeps using the latest virus database. If the clamd configuration file is /etc/clamd.conf, the option must be set to NotifyClamd /etc/clamd.conf.
OnErrorExecute and OnOutdatedExecute
It is critical to keep the virus definitions up to date. The administrator should be warned if the database cannot be updated or is too old. These two options execute a command when the database update fails or when the virus definitions are out of date, respectively. See "Examples of Commands for Freshclam," later in this chapter.
UpdateLogFile
It is recommended to enable logging to a file. This option is disabled by default. Logs are usually stored in /var/log, so change this option to UpdateLogFile /var/log/clamav-updates.log.
It is possible to run Freshclam with options different from those in /etc/freshclam.conf. The main command-line arguments are:
--datadir=FOLDER
Saves the new database to FOLDER. This overrides the DatabaseDirectory option. FOLDER must be writable by the clamav user unless Freshclam is explicitly run as a different user.
-u USER
Runs Freshclam as user USER instead of clamav, for example when the database directory belongs to another account. Freshclam can only switch user when it is started as root.
-d
Runs Freshclam as a daemon. It is recommended to add Freshclam as a daemon in the startup scripts. To do so, see the next section, "Examples of Commands for Freshclam."
-p FILE
Saves the daemon's PID file to FILE. This argument makes sense only if the -d argument is also used.
-c n
Checks the database version n times a day. This argument makes sense only if the -d argument is used.
--on-error-execute=COMMAND and --on-outdated-execute=COMMAND
Executes COMMAND when the database cannot be updated or when it is out of date, respectively. These arguments override OnErrorExecute and OnOutdatedExecute. See "Examples of Commands for Freshclam."
To run Freshclam interactively as the current user, type:
[julien@asus ~]$ freshclam -u julien
Password:
ClamAV update process started at Fri Jun 30 11:39:31 2006
main.cvd is up to date (version: 39, sigs: 58116, f-level: 8, builder: tkojm)
daily.cvd is up to date (version: 1578, sigs: 2615, f-level: 8, builder: ccordes)
To run Freshclam as a daemon in the background, with a syslog entry in case of error and 24 database checks a day, use the following:
[julien@asus ~]$ freshclam -d -p /var/run/freshclam.pid --on-error-execute="/usr/bin/logger -i -t freshclam -p daemon.alert 'UPDATE ERROR'" -c 24
Here are some commands that could be run in case of an update error or if the database is out of date.
A simplistic way of logging errors is to append a line to a file in /var/log:
echo "Update Error" >> /var/log/freshclam.errors
A better solution is to use the syslog logger; for example, the command:
logger -i -t freshclam -p daemon.alert "Update Error"
adds the following line to /var/log/syslog:
Jun 30 14:09:52 asus freshclam[12433]: Update Error
There are several tools for sending email from the command line on Linux. One of them is nail:
echo -e "The clamav database update failed on $HOSTNAME on `date +%D` at `date +%r`.\nPlease run 'freshclam' locally." | nail -s "freshclam update error" -r freshclam@domain.net admin@domain.net
This command sends an email from freshclam@domain.net to admin@domain.net with the subject "freshclam update error" and the body:
The clamav database update failed on xxx.domain.net on 06/30/06 at 11:14:47 PM. Please run 'freshclam' locally.
You can run several commands when you call freshclam:
[julien@asus ~]$ freshclam -d -p /var/run/freshclam.pid --on-error-execute="/usr/bin/logger -i -t freshclam -p daemon.alert 'UPDATE ERROR'; echo -e \"The clamav database update failed on $HOSTNAME on `date +%D` at `date +%r`.\nPlease run 'freshclam' locally.\" | nail -s \"freshclam update error\" -r freshclam@domain.net admin@domain.net" -c 24
Note that everything inside the outer double quotes is expanded by your shell when freshclam is started, not when the error occurs: $HOSTNAME and the two backticked date commands are substituted once, so the time stamp in the email is the daemon's start time. To have them evaluated at event time, escape them (\$HOSTNAME, \`date +%D\`) or, more simply, put the commands in a script and point --on-error-execute at the script.
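The following script is an added example, not code from the book or from ClamAV, and shows the script approach for the notifications discussed in this section: it logs to syslog with logger and mails the administrator with nail (or mail), and it computes the host name and time when it is invoked, so the message is accurate whether Freshclam runs it from OnErrorExecute, OnOutdatedExecute or the matching command-line arguments. The install path /usr/local/sbin/freshclam-alert.sh and the addresses admin@domain.net and freshclam@domain.net are assumptions.

```shell
#!/bin/sh
# Added example, not code from the book or from ClamAV: notification script
# for freshclam. Assumed (hypothetical) install path and configuration:
#   OnErrorExecute    /usr/local/sbin/freshclam-alert.sh error
#   OnOutdatedExecute /usr/local/sbin/freshclam-alert.sh outdated
# The addresses are placeholders and can be overridden via the environment.
ADMIN=${FRESHCLAM_ADMIN:-admin@domain.net}
SENDER=${FRESHCLAM_SENDER:-freshclam@domain.net}

# Subject line and syslog message for an event ("error" or "outdated").
subject_for() {
    case "$1" in
        error)    echo "freshclam update error" ;;
        outdated) echo "freshclam database outdated" ;;
        *)        echo "freshclam: unknown event '$1'" ;;
    esac
}

# Mail body for event $1 on host $2 at time $3. Host and time are parameters
# so that the text can be checked offline; notify() fills them in at event
# time, which a command quoted inside freshclam's own command line cannot do.
body_for() {
    case "$1" in
        error)
            printf 'The clamav database update failed on %s on %s.\nPlease run freshclam locally.\n' "$2" "$3" ;;
        outdated)
            printf 'The clamav database on %s was still out of date on %s.\nCheck the mirror and the freshclam log.\n' "$2" "$3" ;;
        *)
            printf 'freshclam reported an unknown event (%s) on %s on %s.\n' "$1" "$2" "$3" ;;
    esac
}

# Write a daemon.alert syslog entry (tagged, with PID) and mail the
# administrator with whichever command-line mail client is present.
notify() {
    event=$1
    host=$(hostname -f 2>/dev/null || hostname)
    when=$(date '+%D at %r')
    subject=$(subject_for "$event")
    logger -i -t freshclam -p daemon.alert "$subject"
    if command -v nail >/dev/null 2>&1; then
        body_for "$event" "$host" "$when" | nail -s "$subject" -r "$SENDER" "$ADMIN"
    elif command -v mail >/dev/null 2>&1; then
        body_for "$event" "$host" "$when" | mail -s "$subject" "$ADMIN"
    fi
}

# freshclam passes the event name as the first argument (see the config lines above).
[ $# -gt 0 ] && notify "$1"
```

With the script in place the daemon invocation shrinks to freshclam -d -p /var/run/freshclam.pid --on-error-execute="/usr/local/sbin/freshclam-alert.sh error" --on-outdated-execute="/usr/local/sbin/freshclam-alert.sh outdated" -c 24, and the quoting problem of the one-line version disappears. Keep the script root-owned and not world-writable, since freshclam executes it as the daemon's user whenever an update fails.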
Freshclam should be started automatically with the computer. Most ClamAV packages for Linux install the init script /etc/init.d/freshclam on the system. You can check whether the script is launched automatically when the computer starts:
[julien@asus ~]$ chkconfig --list | grep freshclam
freshclam 0:off 1:off 2:on 3:on 4:on 5:on 6:off