[Rspamd-Users] rspamd-3.7.1: lua module clamav is enabled but has not been configured

G.W. Haywood rspamd at jubileegroup.co.uk
Mon Oct 23 13:10:34 UTC 2023


Hi there,

On Mon, 23 Oct 2023, Franta Hanzlík wrote:

> I'm using ClamAV with eXtremeSHOK 3rd party AV DB:
>  https://github.com/extremeshok/clamav-unofficial-sigs
> I don't know how good this database is.

That's not so much a source of signatures as a tool for updating
third-party signatures.  I believe it's fairly widely used.  You need
to configure it to tell it which third-party signatures you want it to
fetch.  Some signature sources require registration and/or payment for
example, so of course you can't just ask for all that you can find and
expect to get them.

> And specifically, why I want to replace separate (clamav-milter + clamd
> scan engine) and integrate AV scan under RSPAMD:
>  1) integration into one milter seems optimal from the point of view
> of resource usage (I will save clamav-milter bridge to clamd engine)

I think the gain will be minimal, the milter is small and efficient.

> and results and statistics are collected in one place.

This may be an important consideration.

>  2) with the combination of clamav-milter + clamd-scanner, I had a
> problem several times - non-functioning clamd engine (crash, damaged
> DB etc.) led to the blocking of MTA Postfix, which was waiting for a
> response from clamav-milter. I don't know if this error is still there,
> but I hope that the AV scan from rspamd will not block MTA.

I have found that it's fairly easy to crash clamd if you know how. :/
However in normal use, if you know how to crash it and avoid doing it,
then for a couple of decades I have found it to be very stable if not
particularly effective at finding viruses.  I use it more because some
of the third party databases are pretty good for catching spam.  The
easiest way to crash clamd is to try writing some Yara rules.  Many of
the third party signatures do have Yara rules, but I guess most of the
time they've been tested with ClamAV before publication.  At least I'd
hope so.  If clamd is crashing or the databases are getting damaged, I
guess you might be doing something that people have learned to avoid.
There have been a few security issues with ClamAV.  For the past few
years I've run clamd on a separate server, so that it couldn't do any
harm even if it were to be compromised.  A security issue could result
in a crash, so I think if you do experience one it's best to find out
what went wrong to (hopefully) eliminate that possibility.

> I agree that ClamAV's memory requirements are large and start of its scan
> engine itself takes so long that I had to increase the relevant TimeoutSec
> systemd units parameter. I did not detect ClamAV CPU load.

Yes, depending on your hardware ClamAV can take many seconds initially
to read its signatures, but if you allow it to reload while scanning
(which consumes twice as much RAM during the reloads) then there's no
more downtime after the first start.  Typically clamd will run here
for months without a restart.

This is rather OT for the spamd list, so if you want to continue the
discussion you'd better send me a private mail.

-- 

73,
Ged.
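An added example, not from either message in this thread: the `local.d/antivirus.conf` block that configures rspamd's antivirus module for a clamd scanner, which is what the "enabled but has not been configured" warning in the subject line is asking for (the server address, timeout and retransmit values are assumed for illustration).

```ucl
# /etc/rspamd/local.d/antivirus.conf (contents go inside the module's
# implicit antivirus { } section, so no outer wrapper is written here)
clamav {
  # scanner backend; rspamd talks to clamd over its INSTREAM protocol
  type = "clamav";
  # symbol inserted when a virus is found; give it a weight in
  # local.d/groups.conf or set action = "reject" below
  symbol = "CLAMAV";
  # assumed address of the clamd instance; a unix socket path such as
  # "/var/run/clamav/clamd.ctl" is also accepted
  servers = "127.0.0.1:3310";
  # optional: force an action for any detection instead of only scoring
  # action = "reject";
  # scan attachments as separate parts rather than the whole message
  scan_mime_parts = true;
  # assumed bound on how long rspamd waits for clamd per attempt and how
  # many times it retries; a stalled or dead clamd then fails the check
  # instead of holding the MTA connection open
  timeout = 15.0;
  retransmits = 1;
  # skip very large messages (bytes) rather than stream them to clamd
  max_size = 20000000;
  # log clean results too, useful while validating the integration
  log_clean = true;
}
```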

