18

I am currently having an issue with ClamAV and freshclam on Centos 6.9.

I have the latest ClamAV engine, 0.99.2, and a working internet connection. Even if I run the `# freshclam -v` command (it only returns a security warning about insecure permissions on freshclam.conf) before a `# clamscan`, ClamAV returns this warning:

LibClamAV Warning: **************************************************
LibClamAV Warning: *** The virus database is older than 7 days. ***
LibClamAV Warning: *** Please update it IMMEDIATELY! ***
LibClamAV Warning: **************************************************

So my questions are: how can I know when the last update was done? Or make sure the virus database is up-to-date?

PS: I've tested clamscan with the EICAR test file and it detects it.

Pierre B

5 Answers

16

clamscan --version shows the version and date of signatures, e.g.

$ clamscan --version
ClamAV 0.101.4/25613/Fri Oct 25 11:00:25 2019

where 25613 is the signature version, and it is followed by the date of the signatures.

Falko Menge
  • 1
    Is this no longer the case? When running `clamscan --version` all I get now is `ClamAV 0.103.6` – RVid Sep 07 '22 at 11:39
  • @RVid clamscan --version format changed recently. Running `strace` on `clamscan --version` shows that it refers `/var/lib/clamav/daily.cvd` file to puke the output for database's version that clamscan refers! ... Thus, it's better to use `sigtool --info /var/lib/clamav/daily.cvd` to find what's your database/DEFINITION's version (just 1 Number format ex: 12345), like where you are at? Then, using `clamscan --version --database /opt/clammav/defs/ | cut -d'/' -f2` will give you similar 1 NUMBER format for that dated definition. Now you can compare!! – AKS May 12 '23 at 22:18
9

You have 2 questions:

  1. How can I know when the last update was done?

host -t txt current.cvd.clamav.net; perl -e 'printf "%d\n", time;'

This will tell you when clamav made available the last update.

  2. Make sure the virus database is up-to-date?

First you need to understand why you get the security warning. If you post the warning here maybe we'd have a better chance to help you.

Then I recommend you look in the log at /var/log/clamav/freshclam.log

Also, if you have SELinux enabled, you'd have to run this: `setsebool -P antivirus_can_scan_system 1`. If by any chance the error is something like this: `During database load : LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Permission denied`, then clearly your solution is the command I mentioned above.

Bogdan
  • 1
    #1 will only print the time when the updates were last pushed to the clamav.net site, and NOT when the last AV update was done on the system. You will need to check the logs in `/var/log/clamav/freshclam.log` and look for the string - "ClamAV update process started" - at the end of this file. This will show you when ClamAV was last updated on the system. – Prateek Paranjpe May 31 '18 at 10:20
6

This is what I do for the second part of your question: Make sure the virus database is up-to-date?

My systems are offline so I cannot query the ClamAV site for their most recent virus definitions database, but I can easily examine the date of my current cvd files with this Linux command.

strings /var/lib/clamav/daily.cvd|head -1|cut -c1-28
ClamAV-VDB:31 Jul 2019 04-17

Edit: As Jonathon has so kindly mentioned, sigtool is a great way to examine the clamav dat file signature:

sigtool --info daily.cvd
File: daily.cvd
Build time: 28 Aug 2019 04:24 -0400
Version: 25555
Signatures: 1739106
Functionality level: 63
Builder: raynman
...
Phil
  • 3
    Just use `sigtool --info /var/lib/clamav/daily.cvd`. https://www.clamav.net/documents/creating-signatures-for-clamav#inspecting-signatures-inside-a-cvd-file – Jonathon Reinhart Aug 13 '19 at 16:08
1
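#!/bin/bash
# Compare the local ClamAV database version with the version published in DNS.

check_clamav_version=$(freshclam -V)
check_clamav_site=$(host -t txt current.cvd.clamav.net)

#echo "$check_clamav_version"
#echo "$check_clamav_site"

# Local version: second '/'-separated field of "ClamAV x.y.z/NNNNN/date"
clamav_version=$(echo "$check_clamav_version" | awk -F '/' '{ print $2 }')
# Published version: third ':'-separated field of the TXT record
clamav_site=$(echo "$check_clamav_site" | awk -F ':' '{ print $3 }')

echo "$clamav_version"
echo "$clamav_site"
# Difference between published and local version; 0 means they match
result=$((clamav_site - clamav_version)); echo "$result"

case $result in
# Message: "ClamAV is up to date, versions are equal"
0) echo "ClamAV is up to date, versies zijn gelijk"
;;
# Message: "ClamAV is not up to date, local database is version X, version Y is available on the site."
*) echo "ClamAV is niet up to date, lokale database is versie $clamav_version, op de site is versie $clamav_site beschibaar."
;;
esac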

MacMartin
  • As it’s currently written, your answer is unclear. Please [edit] to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Jan 19 '22 at 17:01
0

You can not trust the TXT record's date. However, you can trust the database version from the TXT record.

So, the right answer is to use parts of both @bogdan and @falko-menge answers:

First, "what version of the clamav database is on my machine?" (in this example, 25904):

$ clamscan --version
ClamAV 0.102.4/25904/Mon Aug 17 08:02:24 2020

Now, "what is the most recent version available on clamav.net?" (in this example, also 25904):

@ ✓ $ host -t txt current.cvd.clamav.net; perl -e 'printf "%d\n", time;'
current.cvd.clamav.net descriptive text "0.102.4:59:25904:1597879740:1:63:49191:331"

However, that TXT record shows a false time for when the 25904 was actually created :-(

@ ✓ $ epoch_to_rfc_3339 1597879740
2020-08-19T18:29:00
Wayne Walker
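The version comparison described in the answers above, as an added example that is not code from any of the posts: it parses the `clamscan --version` line and the `current.cvd.clamav.net` TXT record, compares the two database versions, and reports "unknown" instead of "up to date" when the local line carries no database field (the `ClamAV 0.103.6` case from the comments). The function names and exit codes are assumptions made for this example; the sample strings are copied from the outputs quoted on this page.

```shell
#!/bin/sh
# Added example: offline-testable freshness check for the ClamAV daily database.

# Print the signature version from a `clamscan --version` line, e.g.
# "ClamAV 0.102.4/25904/Mon Aug 17 08:02:24 2020" -> 25904.
# Fails when the line has no database field (e.g. "ClamAV 0.103.6").
local_db_version() {
    v=$(printf '%s\n' "$1" | awk -F '/' 'NF >= 3 { print $2 }')
    case $v in ''|*[!0-9]*) return 1 ;; esac
    printf '%s\n' "$v"
}

# Print the database version from `host -t txt current.cvd.clamav.net`
# output: the third ':'-separated field inside the quoted TXT string.
remote_db_version() {
    v=$(printf '%s\n' "$1" | sed -n 's/.*"\([^"]*\)".*/\1/p' | awk -F ':' '{ print $3 }')
    case $v in ''|*[!0-9]*) return 1 ;; esac
    printf '%s\n' "$v"
}

# Compare both and print a one-line status.
# Exit status (assumed convention): 0 = current, 1 = behind, 3 = undetermined.
db_status() {
    l=$(local_db_version "$1")  || { echo "UNKNOWN: no local database version"; return 3; }
    r=$(remote_db_version "$2") || { echo "UNKNOWN: unparsable TXT record"; return 3; }
    if [ "$l" -ge "$r" ]; then
        echo "OK: local $l, published $r"
    else
        echo "BEHIND: local $l, published $r ($((r - l)) versions)"
        return 1
    fi
}

# Live use (defined but not run here): feed the real command output to db_status.
check_live() {
    db_status "$(clamscan --version)" "$(host -t txt current.cvd.clamav.net)"
}

# Sample inputs copied from the outputs quoted on this page.
SAMPLE_LOCAL='ClamAV 0.102.4/25904/Mon Aug 17 08:02:24 2020'
SAMPLE_TXT='current.cvd.clamav.net descriptive text "0.102.4:59:25904:1597879740:1:63:49191:331"'
db_status "$SAMPLE_LOCAL" "$SAMPLE_TXT"
```

Only the version field of the TXT record is compared; its timestamp field is ignored, in line with the last answer's point that the date in the record cannot be trusted.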