Clam AntiVirus Definition Updates

Updating Definitions | Daemon Notification | Troubleshooting

Clam AntiVirus (clamav) includes the freshclam utility to download new virus definitions. This page documents the configuration and troubleshooting of freshclam under clamav 0.80.

$ clamscan --version
ClamAV 0.80/646/Thu Dec 30 11:42:35 2004

freshclam obtains updates via the HyperText Transfer Protocol (HTTP), and saves them to the local filesystem. Configuration of freshclam is done via the freshclam.conf configuration file, though the location of this file will vary between different systems.

Virus definition updates are not available for older versions of clamav. Upgrade clamav to a current version to fix this problem.

Some sites may want to review definition changes before updating local systems, though the alarming rate of new malware for Windows makes such an approach impractical. Use the sigtool utility to inspect the contents of the virus definition files.

To keep an eye on what clamav blocks, subscribe to the clamav-virusdb mailing list. Or, follow the Really Simple Syndication (RSS) feed.

Updating Definitions

The freshclam utility can be run as a daemon, or called periodically from a scheduler. Due to the infrequent need for updates, I recommend against running freshclam as a daemon. If using a vendor-supplied clamav package, check whether it already includes some means to run freshclam, for example via cron(8).

$ rpm -ql clamav | grep cron

Critical network servers should run freshclam directly against the clamav mirrors. Critical systems include mail servers, file servers, and intrusion detection systems that can block new outbreaks from reaching vulnerable Windows systems. Less vulnerable Unix client systems should download new definitions less frequently, perhaps from a local cache.

Daemon Notification

The clamd daemon should be notified after virus definitions are updated. There are several methods available to ensure clamd has loaded the most recent definitions.

Troubleshooting

Downloads

freshclam uses HTTP to download new definitions. Misconfigured web proxies or ad-blocking software may block updates, along with firewalls that reach into the HTTP layer. Tools such as tcpflow may be needed to watch the web traffic generated by freshclam for errors.

$ sudo tcpflow -c port 80

Unix Debugging Tips covers tcpflow and other tools in more detail.

freshclam errors like the following indicate some sort of HTTP problem, such as Websense mangling the definition updates.

# freshclam --debug
ClamAV update process started at Thu Mar 10 11:27:10 2005
main.cvd is up to date (version: 30, sigs: 31086, f-level: 4, builder: tkojm)
Downloading daily.cvd [*]
LibClamAV debug: Can't read CVD head from stream
ERROR: Verification: Broken or not a CVD file
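
The header freshclam is reading in the messages above can be checked by hand. The following is an added example, not ClamAV's own code; it assumes the CVD layout of a 512-byte text header beginning with ClamAV-VDB: and carrying colon-separated build time, version, signature count, functionality level, MD5, signature and builder fields, and it uses constructed samples for both a good header and the kind of HTML page a web filter returns in place of daily.cvd.

```python
# Added example, not ClamAV code: validate a downloaded .cvd the way
# freshclam does before trusting it. Assumed layout: a 512-byte text header
# "ClamAV-VDB:<build time>:<version>:<sigs>:<f-level>:<md5>:<dsig>:<builder>"
# padded with spaces, followed by the compressed archive.
HEADER_LEN = 512
FIELDS = ("build_time", "version", "sigs", "f_level", "md5", "dsig", "builder")

def parse_cvd_header(data):
    """Return the header fields as a dict, or raise ValueError with a
    message modelled on freshclam's own errors."""
    if len(data) < HEADER_LEN:
        raise ValueError("Can't read CVD head from stream")
    head = data[:HEADER_LEN]
    if not head.startswith(b"ClamAV-VDB:"):
        # A proxy or web filter usually hands back HTML or plain text here.
        seen = head.lstrip()[:16].decode("ascii", "replace")
        raise ValueError(f"Broken or not a CVD file (starts with {seen!r})")
    parts = head.rstrip(b" \0").decode("ascii", "replace").split(":")[1:]
    if len(parts) < len(FIELDS):
        raise ValueError("Broken or not a CVD file (too few header fields)")
    hdr = dict(zip(FIELDS, parts))
    for key in ("version", "sigs", "f_level"):
        hdr[key] = int(hdr[key])
    return hdr

def header_error(data):
    """Error message freshclam would give for this data, or None if valid."""
    try:
        parse_cvd_header(data)
        return None
    except ValueError as err:
        return str(err)

def describe(hdr):
    """The summary line freshclam prints for an up-to-date database."""
    return (f"version: {hdr['version']}, sigs: {hdr['sigs']}, "
            f"f-level: {hdr['f_level']}, builder: {hdr['builder']}")

def make_sample_cvd(version, sigs, f_level, builder):
    """Constructed sample: a plausible header with no real archive behind it."""
    header = (f"ClamAV-VDB:30 Dec 2004 11-42 +0000:{version}:{sigs}:{f_level}:"
              f"{'0' * 32}:dsig:{builder}:1104406955")
    return header.encode().ljust(HEADER_LEN, b" ") + b"\x1f\x8b"

# Constructed sample of what a web filter might return instead of daily.cvd.
BLOCKED_PAGE = b"<html><body>Access to this site is blocked.</body></html>" + b" " * 512

if __name__ == "__main__":
    print(describe(parse_cvd_header(make_sample_cvd(30, 31086, 4, "tkojm"))))
    print("ERROR: Verification:", header_error(BLOCKED_PAGE))
```

Run it against the first 512 bytes of a real daily.cvd to compare the fields with what freshclam --debug reports.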

Permissions

Even if run by the superuser, freshclam will setuid to the clamav user. The freshclam utility requires write permissions to the DatabaseDirectory to save local copies of the virus definitions. If any permissions or ownerships are wrong, freshclam will fail.

$ sudo freshclam
ClamAV update process started at Mon Jun 21 14:22:01 2004
Reading CVD header (main.cvd): OK
main.cvd is up to date (version: 23, sigs: 21096, f-level: 2, builder: ddm)
Reading CVD header (daily.cvd): OK
ERROR: Can't open new file ./clamav-37e017e7f9e9df66 to write
open: Permission denied

Decide which user will update the virus definitions files (typically clamav), then fix all the permissions, ownerships, and configuration settings to agree on the user.

  1. Set directory and definitions file permissions. In this example, the definitions directory is /var/lib/clamav, and the clamav user is used by freshclam. The clamav user must have write permissions to the DatabaseDirectory.

    $ ls -al /var/lib/clamav
    total 2200
    drwxr-xr-x 4 clamav clamav 136 21 Jun 10:22 .
    drwxr-xr-x 9 root wheel 306 19 Mar 08:16 ..
    -rw-r--r-- 1 clamav clamav 88226 21 Jun 10:22 daily.cvd
    -rw-r--r-- 1 clamav clamav 1034725 11 May 22:01 main.cvd

  2. Ensure the correct user is set in freshclam.conf. The DatabaseOwner option specifies which user freshclam will setuid to.

    # By default when freshclam is started by root it drops privileges and
    # switches to the "clamav" user. You can change this behavior here.
    DatabaseOwner clamav

  3. Fix other permissions. freshclam and clamd may use custom log files, and lack the permission to write to them.

    $ sudo freshclam
    ERROR: Can't open /var/log/freshclam.log in append mode.
    ERROR: Problem with internal logger.

    For freshclam, find the UpdateLogFile option, and fix the permissions on that file.

    $ grep -i updatelogfile /etc/freshclam.conf
    UpdateLogFile /var/log/freshclam.log
    $ ls -l /var/log/freshclam.log
    ls: /var/log/freshclam.log: No such file or directory
    $ sudo touch /var/log/freshclam.log
    $ sudo chown clamav:clamav /var/log/freshclam.log

    I recommend against custom log files, and use LogSyslog in clamd.conf and freshclam.conf to send logs via syslog(3). System Logging documents centralized logging setup on Unix systems.

    # Path to the log file (make sure it has proper permissions)
    #UpdateLogFile /var/log/freshclam.log
    #LogVerbose
    LogSyslog
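
The steps above can be checked in one pass. The following is an added example, not ClamAV's own code: it reads freshclam.conf and reports any path the DatabaseOwner user does not own or cannot write, judged from that user's point of view because freshclam setuids to it even when started by root. It assumes the "Option value" line format shown above and treats clamav and /var/lib/clamav as the defaults.

```python
# Added example, not ClamAV code: audit the permissions the steps above fix
# from the DatabaseOwner's point of view, since freshclam setuids to that
# user even when started by root. Assumes the "Option value" line format of
# freshclam.conf shown on this page; the defaults used are also assumptions.
import os
import pwd
import stat

def parse_freshclam_conf(text):
    """Return {option: value}; a bare option such as LogSyslog maps to True."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            opts[parts[0]] = parts[1].strip() if len(parts) > 1 else True
    return opts

def owner_name(st):
    try:
        return pwd.getpwuid(st.st_uid).pw_name
    except KeyError:  # uid without a passwd entry: report the number
        return str(st.st_uid)

def check_path(path, owner, must_exist=True):
    """Findings for one path: missing, wrong owner, or owner lacks write bit."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: No such file or directory"] if must_exist else []
    findings = []
    if owner_name(st) != owner:
        findings.append(f"{path}: owned by {owner_name(st)}, expected {owner}")
    if not st.st_mode & stat.S_IWUSR:
        findings.append(f"{path}: owner has no write permission")
    return findings

def audit(conf_text):
    """All findings for the DatabaseDirectory, its .cvd files and the log."""
    opts = parse_freshclam_conf(conf_text)
    owner = opts.get("DatabaseOwner", "clamav")         # default per the page
    db_dir = opts.get("DatabaseDirectory", "/var/lib/clamav")  # assumed default
    findings = check_path(db_dir, owner)
    for name in ("main.cvd", "daily.cvd"):
        findings += check_path(os.path.join(db_dir, name), owner, must_exist=False)
    # A custom UpdateLogFile must be writable too, unless logs go to syslog.
    if "UpdateLogFile" in opts and "LogSyslog" not in opts:
        findings += check_path(opts["UpdateLogFile"], owner)
    return findings
```

Feed it the contents of /etc/freshclam.conf; an empty list means the owner, directory, definition files and log file all agree.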

If problems persist, run freshclam under tracing tools such as ktrace or strace. Unix Debugging Tips covers these tools in more detail.