Skip to content

Commit

Permalink
fix(clamav): detection of daily DB
Browse files Browse the repository at this point in the history
Daily DB could cycle between daily.cld and daily.cvd

Freshclam tries to fetch daily.cvd, but in case that it's outdated, it
will fetch diffs and construct daily.cld instead.

```
Properly loaded 2067774 signatures from /var/lib/clamav/tmp.76d8729fde/clamav-306c76ad22d1f1bb9c4a6f49e1bedaf1.tmp-daily.cvd
Database test passed.
daily.cvd updated (version: 27455, sigs: 2067774, f-level: 90, builder: raynman)
Received an older daily CVD than was advertised. We'll retry so the incremental update will ensure we're up-to-date.
```

Make sure both files are checked.

Signed-off-by: Martin Basti <[email protected]>
  • Loading branch information
MartinBasti committed Nov 12, 2024
1 parent ff0af28 commit 043e593
Showing 1 changed file with 20 additions and 4 deletions.
24 changes: 20 additions & 4 deletions task/clamav-scan/0.1/clamav-scan.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -100,19 +100,34 @@ spec:
interval=20 # interval between checks in seconds
elapsed=0
until [ -f /var/lib/clamav/daily.cld ] || [ "$elapsed" -ge "$timeout" ]; do
until [ -f /var/lib/clamav/ready.txt ] || [ "$elapsed" -ge "$timeout" ]; do
if (( elapsed % 60 == 0 )) && [ $elapsed -ne 0 ]; then
echo "Waiting for database to be downloaded... Elapsed time: $((elapsed / 60)) minute(s)"
fi
sleep $interval
elapsed=$((elapsed + interval))
done
if [ ! -f /var/lib/clamav/daily.cld ]; then
echo "Error: Timed out waiting for daily.cld after $((elapsed / 60)) minute(s)."
if [ ! -f /var/lib/clamav/ready.txt ] ; then
echo "Error: Timed out waiting for database download after $((elapsed / 60)) minute(s)."
exit 1
fi
DAILY_DB_FILE=""
for DB_PATH in "/var/lib/clamav/daily.cvd" "/var/lib/clamav/daily.cld"; do
if [ -f "${DB_PATH}" ]; then
DAILY_DB_FILE="${DB_PATH}"
break
fi
done
if [ -z "${DAILY_DB_FILE}" ]; then
echo "Daily DB file not found!"
exit 1
fi
db_version=$(sigtool --info "${DAILY_DB_FILE}" | grep 'Version')
echo "Scanning image for arch $arch. This operation may take a while."
clamscan $destination -ri --max-scansize=4095M --max-filesize=4095M \
--max-scantime=0 --max-files=0 --max-recursion=1000 --max-dir-recursion=20000 --max-embeddedpe=4095M \
Expand All @@ -123,7 +138,6 @@ spec:
--alert-phishing-ssl=yes --alert-phishing-cloak=yes --alert-partition-intersection=yes \
| tee /work/logs/clamscan-result-$arch.log || true
db_version=$(sigtool --info /var/lib/clamav/daily.cld | grep 'Version')
echo "Executed-on: Scan was executed on clamscan version - $(clamscan --version) Database $db_version" | tee -a "/work/logs/clamscan-result-$arch.log"
digests_processed+=("\"$arch_sha\"")
Expand Down Expand Up @@ -231,6 +245,8 @@ spec:
#!/usr/bin/env bash
clamscan --version
cp -r /var/lib/clamav/* /tmp/clamdb
echo "DB files copied"
touch /tmp/clamdb/ready.txt
volumeMounts:
- mountPath: /tmp/clamdb
name: dbfolder
Expand Down

0 comments on commit 043e593

Please sign in to comment.