The development of this image will be discontinued. Since 0.104 Cisco provides official docker images for clamav. This image here will be on hold and supported as long as possible.
At the moment we are faced with unexpected disconnects during database updates. This might be due to changes in the database download handling from the clamav servers.
Dockerized open source antivirus daemons for use with
3310
ClamAV daemon as a Docker image. It builds with a current virus database and
runs freshclam
in the background constantly updating the virus signature database. clamd
itself
is listening on exposed port 3310
.
Find the latest releases at the official docker hub registry. There are different releases for the different platforms.
With special thanks to @WhiteBahamut you will find versioned builds to pin to for production use at docker hub.
The container run as user clamav
with uid=101
and gid=102
.
docker run -d -p 3310:3310 mkodockx/docker-clamav:buster-slim
docker run -d -p 3310:3310 mkodockx/docker-clamav:alpine
Joel Esler from Cisco (main hosts of ClamAV):
Downloading using other than FreshClam has now been limited.
FreshClam supports the Cdiff system, the cdiff system allows for small micro updates to rebuild your daily.cvd instead of downloading the whole daily.cvd and main.cvd.
Abuse of the download system has forced us to push people towards FreshClam.
Unfortunately a handful have ruined it for everyone. (Looking at you, handful
of IPs that download the daily.cvd 3x a second)
We cannot continue to transfer 9PB of traffic a month.
Further enhancements to Freshclam are planned to take advantage of, and handle our mirror infrastructure more politely. More details will be published about this soon. In the meantime, please immediately discontinue the use of other command line downloading systems and use FreshClam.
So to clarify:
– Joel Esler Manager, Communities Division Cisco Talos Intelligence Group http://www.talosintelligence.com | https://www.snort.org
On Mar 3, 2021, at 9:57 AM, Joel Esler (jesler) via clamav-users clamav-users@lists.clamav.net wrote:
Signed PGP part All —
I’ve had to be more stringent on the rate limiting for the daily.cvd and main.cvd files. It seems that some people either have stuck cron jobs (or are doing it on purpose) and downloading the full file 200k-300k times a day.
We release AV updates once a day, in an emergency slightly more than that.
There is no reason for this. I’ve had to lower the amount of connections you are allowed, and raise the amount of time you are blocked.If you are being blocked with a 429 code from the ClamAV update system, and you believe your system isn’t broken, and have a valid reason to download that much.
- Feel free to reach out to me via 1:1 or via this list.
- Consider setting up a local mirror on your network.
Repeat: You need to be using freshclam, and freshclam only. It needs to check the DNS for the presence of an update, and you need to be downloading the diff files. There’s no reason to download the full main and daily.
– Joel Esler Manager, Communities Division Cisco Talos Intelligence Group http://www.talosintelligence.com | https://www.snort.org
Source: https://www.mail-archive.com/clamav-users@lists.clamav.net/msg49810.html
With alpine-idb-amd64 image you download data just from docker hub not from clamav initially.
Linked usage was recommended, to not expose the port to “everyone”. Now it is legacy and will be removed some time. Use networks instead.
docker run -d --name av mkodockx/docker-clamav(:alpine)
docker run -d --link av:av application-with-clamdscan-or-something
There are several possibilities to use the network configuration. Out of the box the host network should fit your needs to connect any client to the ClamAV daemon.
If you need more information, follow instructions at docker manuals.
Thanks to @mchus proxy configuration is possible.
Specifying a particular mirror for freshclam is also possible.
Mount custom configuration files into the container.
freshclam.conf
file, e.g. /mnt/freshclam.conf
.clamd.conf
file, e.g. /mnt/clamd.conf
.Virus update definitions are stored in /var/lib/clamav
. To store the defintion just mount the directory as a volume, docker run -d -p 3310:3310 -v $(pwd)/clamav:/var/lib/clamav mkodockx/docker-clamav:latest
See example with Nextcloud at docker-compose.yml. You still need to configure the AntiVirus files app in Nextcloud.
You can find a tutorial here: https://www.virtualconfusion.net/clamav-for-nextcloud-on-docker/
The images provide with check.sh
a file to check for the healthyness of the running container. To enable the health check configure your docker run
or compose file
. The start period should be adjusted to your system needs. Slow internet connection, with limited cpu and IO speed might require larger values.
Via docker run:
docker run --health-cmd=./check.sh \
--health-start-period=120s \
--health-interval=60s \
--health-retries=3 \
-p 3310:3310 mkodockx/docker-clamav:alpine`
Via docker-compose
services:
clamav:
healthcheck:
test: ["CMD", "./check.sh"]
interval: 60s
retries: 3
start_period: 120s
This image provides support for different platforms
Some users are wondering about memory consumption of clamd. Here is an explanation of the reasons I found:
“ClamAV holds the search strings using the classic string (Boyer Moore) and regular expression (Aho Corasick) algorithms. Being algorithms from the 1970s they are extemely memory efficient.
The problem is the huge number of virus signatures. This leads to the algorithms’ datastructures growing quite large.
You can’t send those datastructures to swap, as there are no parts of the algorithms’ datastructures accessed less often than other parts. If you do force pages of them to swap disk, then they’ll be referenced moments later and just swap straight back in. (Technically we say “the random access of the datastructure forces the entire datastructure to be in the process’s working set of memory”.)
The datastructures are needed if you are scanning from the command line or scanning from a daemon.
You can’t use just a portion of the virus signatures, as you don’t get to choose which viruses you will be sent, and thus can’t tell which signatures you will need.” Source stackexchange.com
It is obvious that an antivirus engine based on virus signatures will raise memory consumption over the time as it always has to check for all signatures. As the number of virus signatures grows daily, the amount of necessary memory will increase as well.
Several users are experiencing problems during the database updates (incremental,diff,initial).
ClamaV is open source and the databases are provided by a network of mirrors that are hosted for free by some folks (Cisco) to support open source antivirus. That was about 9 PB a month. That is why downloads are now protected by Cloudflare. If you’re downloading too often you will recieve 429 errors. (See ## Prefer alpine-idb-amd64 at the top of this document)
If you have an error related to the updates on your special OS, machine, iPad ;) or anything special else, first check the FAQ to clamav troubleshooting and then the virus database FAQ.
If you keep on getting errors you might try your own private local mirror easily.
If you have problems with freshclam downloads use the alpine image with initialized dbs. more info
Several projects are using this image:
Thank you for using this image. I have only a blink of how many projects are using this, but I know there are some including big tech, governments and many open source. I try to keep it working in my rare spare time. Feel free to participate or get in contact.
For license see file LICENSE
Thanks goes to these wonderful people (emoji key):
This project follows the all-contributors specification. Contributions of any kind welcome!