Dockerized open source antivirus daemons for use with
- file sharing containers like Nextcloud or
- to use it via a REST proxy like @solita made clamav-rest or
- to check files on a server via e.g. node.js kylefarris/clamscan
- to directly connect to clamav via TCP port `3310`
ClamAV daemon as a Docker image. It builds with a current virus database and runs `freshclam` in the background, constantly updating the virus signature database. `clamd` itself is listening on exposed port `3310`.
Find the latest releases at the official docker hub registry. There are different releases for the different platforms.
With special thanks to @WhiteBahamut you will find versioned builds to pin to for production use at docker hub.
The container runs as user `clamav` with `uid=101` and `gid=102`.
- buster-slim
- stretch-slim
```bash
docker run -d -p 3310:3310 mkodockx/docker-clamav:buster-slim
```
- alpine
- alpine-idb-amd64 (initialized databases, more info)
- alpine-edge
```bash
docker run -d -p 3310:3310 mkodockx/docker-clamav:alpine
```
Joel Esler from Cisco (main hosts of ClamAV):
Downloading using other than FreshClam has now been limited.
FreshClam supports the Cdiff system, the cdiff system allows for small micro updates to rebuild your daily.cvd instead of downloading the whole daily.cvd and main.cvd.
Abuse of the download system has forced us to push people towards FreshClam.
Unfortunately a handful have ruined it for everyone. (Looking at you, handful of IPs that download the daily.cvd 3x a second)
We cannot continue to transfer 9PB of traffic a month.
Further enhancements to Freshclam are planned to take advantage of, and handle our mirror infrastructure more politely. More details will be published about this soon. In the meantime, please immediately discontinue the use of other command line downloading systems and use FreshClam.
So to clarify:
- Rate limiting around daily.cvd, main.cvd, and super excessive cdiff downloading is now in place. If you are getting “429” back from Cloudflare - you are part of the problem.
- Use of Wget, Curl, and the link is now severely limited.
- Use FreshClam
- We’re modifying FreshClam in upcoming releases to deal with this problem better.
- See #3
-- Joel Esler Manager, Communities Division Cisco Talos Intelligence Group http://www.talosintelligence.com | https://www.snort.org
On Mar 3, 2021, at 9:57 AM, Joel Esler (jesler) via clamav-users clamav-users@lists.clamav.net wrote:
All —
I’ve had to be more stringent on the rate limiting for the daily.cvd and main.cvd files. It seems that some people either have stuck cron jobs (or are doing it on purpose) and downloading the full file 200k-300k times a day.
We release AV updates once a day, in an emergency slightly more than that.
There is no reason for this. I’ve had to lower the amount of connections you are allowed, and raise the amount of time you are blocked. If you are being blocked with a 429 code from the ClamAV update system, and you believe your system isn’t broken, and have a valid reason to download that much.
- Feel free to reach out to me via 1:1 or via this list.
- Consider setting up a local mirror on your network.
Repeat: You need to be using freshclam, and freshclam only. It needs to check the DNS for the presence of an update, and you need to be downloading the diff files. There’s no reason to download the full main and daily.
-- Joel Esler Manager, Communities Division Cisco Talos Intelligence Group http://www.talosintelligence.com | https://www.snort.org
Source: https://www.mail-archive.com/clamav-users@lists.clamav.net/msg49810.html
With the `alpine-idb-amd64` image, the initial database download comes from Docker Hub only, not from ClamAV.
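Linked usage is recommended, so that the port is not exposed to "everyone".
```bash
# Start clamd without publishing port 3310 on the host (the tag is optional, e.g. :alpine)
docker run -d --name av mkodockx/docker-clamav:alpine
# The linked application reaches clamd under the alias "av"
docker run -d --link av:av application-with-clamdscan-or-something
```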
Thanks to @mchus, proxy configuration is possible.
- HTTPProxyServer: Sets the proxy server
- HTTPProxyPort: Sets the proxy server port
Specifying a particular mirror for freshclam is also possible.
- DatabaseMirror: Hostname of the mirror web server.
Mount custom configuration files into the container.
- FRESHCLAM_CONF_FILE: Path to custom `freshclam.conf` file, e.g. `/mnt/freshclam.conf`.
- CLAMD_CONF_FILE: Set the path to a custom `clamd.conf` file, e.g. `/mnt/clamd.conf`.
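Virus update definitions are stored in `/var/lib/clamav`. To persist the definitions, mount the directory as a volume:
```bash
# Absolute host path, so that the bind mount also works on Docker versions that reject relative paths
docker run -d -p 3310:3310 -v "$(pwd)/clamav:/var/lib/clamav" mkodockx/docker-clamav:latest
```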
See example with Nextcloud at docker-compose.yml. You still need to configure the AntiVirus files app in Nextcloud.
You can find a tutorial here: https://www.virtualconfusion.net/clamav-for-nextcloud-on-docker/
The images provide `check.sh`, a file to check the health of the running container. To enable the health check, configure your `docker run` or compose file. The start period should be adjusted to your system's needs. A slow internet connection with limited CPU and IO speed might require larger values.
Via docker run:
```bash
docker run --health-cmd=./check.sh \
  --health-start-period=120s \
  --health-interval=60s \
  --health-retries=3 \
  -p 3310:3310 mkodockx/docker-clamav:alpine
```
Via docker-compose:
```yaml
services:
  clamav:
    healthcheck:
      test: ["CMD", "./check.sh"]
      interval: 60s
      retries: 3
      start_period: 120s
```
This image provides support for different platforms
- x86
- amd64
- arm32v7
- arm64v8
- OpenShift support in kuanfandevops fork
Some users are wondering about memory consumption of clamd. Here is an explanation of the reasons I found:
"ClamAV holds the search strings using the classic string (Boyer Moore) and regular expression (Aho Corasick) algorithms. Being algorithms from the 1970s they are extremely memory efficient.
The problem is the huge number of virus signatures. This leads to the algorithms' datastructures growing quite large.
You can't send those datastructures to swap, as there are no parts of the algorithms' datastructures accessed less often than other parts. If you do force pages of them to swap disk, then they'll be referenced moments later and just swap straight back in. (Technically we say "the random access of the datastructure forces the entire datastructure to be in the process's working set of memory".)
The datastructures are needed if you are scanning from the command line or scanning from a daemon.
You can't use just a portion of the virus signatures, as you don't get to choose which viruses you will be sent, and thus can't tell which signatures you will need." Source stackexchange.com
An antivirus engine based on virus signatures will consume more memory over time, because it always has to check against all signatures. As the number of virus signatures grows daily, the amount of memory needed increases as well.
Several users are experiencing problems during the database updates (incremental, diff, initial).
ClamAV is open source and the databases are provided by a network of mirrors that are hosted for free by some folks (Cisco) to support open source antivirus. That was about 9 PB a month. That is why downloads are now protected by Cloudflare. If you're downloading too often you will receive 429 errors. (See "Prefer alpine-idb-amd64" at the top of this document.)
If you have an error related to the updates on your special OS, machine, iPad ;) or anything else special, first check the ClamAV troubleshooting FAQ and then the virus database FAQ.
If you keep getting errors, you can try running your own private local mirror.
If you have problems with freshclam downloads, use the alpine image with initialized dbs. more info
Several projects are using this image:
- solita/clamav-rest
- r3kzi/clamav-prometheus-exporter
- US DoD transcom/mymove
- Inveniem/nextcloud-azure-aks
- pivotal.io jzheaux/terracotta-bank
- Hasso Plattner Institut, Schul Cloud hpi-schul-cloud/antivirus_check_service
- UK Government Crown-Commercial-Service/ccs-conclave-document-clamav
- UKHomeOffice/file-vault
- SICTIAM/stela
- DeloitteDigitalAT/terracotta-bank
- UK ministryofjustice/moj-clamav-rest
- weixian-zhang/Azure-sSFTP
- Mattermost
- Province of British Columbia, Transportation Fuels Reporting System (TFRS)
- ...
Thank you for using this image. I have only a blink of how many projects are using this, but I know there are some including big tech, governments and many open source. I try to keep it working in my rare spare time. Feel free to participate or get in contact.
For license see file LICENSE