Virus scanning

Scan for viruses/malware with industry standard ClamAV

E-mail is the most common vehicle for propagating viruses, which are one form of malware and the best understood one. Anti-virus software and scanners, commercial and free alike, have the onerous task of keeping desktops and mailboxes clean.

SpamCheetah uses the ClamAV virus scanner to keep your INBOX clean. Here is sample output from its companion program freshclam, which fetches signature database updates:

```
ClamAV update process started at Tue Jul 20 10:35:24 2021
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.103.2 Recommended version: 0.103.3
DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav
daily database available for update (local version: 26192, remote version: 26237)
Current database is 45 versions behind.
Downloading database patch # 26193...
Time:    0.1s, ETA:    0.0s [========================>]   27.21KiB/27.21KiB
Downloading database patch # 26194...
Time:    0.1s, ETA:    0.0s [========================>]   15.65KiB/15.65KiB
Downloading database patch # 26195...
Time:    0.1s, ETA:    0.0s [========================>]   21.64KiB/21.64KiB
Downloading database patch # 26196...
Time:    0.1s, ETA:    0.0s [========================>]   30.80KiB/30.80KiB
Downloading database patch # 26197...
Time:    0.1s, ETA:    0.0s [========================>]   25.27KiB/25.27KiB
Downloading database patch # 26198...
Time:    0.1s, ETA:    0.0s [========================>]   14.12KiB/14.12KiB
Downloading database patch # 26199...
Time:    0.1s, ETA:    0.0s [========================>]   22.06KiB/22.06KiB
Downloading database patch # 26200...
Time:    0.1s, ETA:    0.0s [========================>]   23.31KiB/23.31KiB
Downloading database patch # 26201...
Time:    0.1s, ETA:    0.0s [========================>]   30.88KiB/30.88KiB
Downloading database patch # 26202...
Time:    0.1s, ETA:    0.0s [========================>]   17.59KiB/17.59KiB
Downloading database patch # 26203...
Time:    0.1s, ETA:    0.0s [========================>]   25.97KiB/25.97KiB
Downloading database patch # 26204...
Time:    0.1s, ETA:    0.0s [========================>]   38.67KiB/38.67KiB
Downloading database patch # 26205...
Time:    0.1s, ETA:    0.0s [========================>]   20.92KiB/20.92KiB
Downloading database patch # 26206...
Time:    0.1s, ETA:    0.0s [========================>]   31.70KiB/31.70KiB
Downloading database patch # 26207...
Time:    0.1s, ETA:    0.0s [========================>]   18.66KiB/18.66KiB
Downloading database patch # 26208...
Time:    0.1s, ETA:    0.0s [========================>]   31.33KiB/31.33KiB
Downloading database patch # 26209...
Time:    0.1s, ETA:    0.0s [========================>]   19.23KiB/19.23KiB
Downloading database patch # 26210...
Time:    0.1s, ETA:    0.0s [========================>]   31.42KiB/31.42KiB
Downloading database patch # 26211...
Time:    0.1s, ETA:    0.0s [========================>]    2.73KiB/2.73KiB
Downloading database patch # 26212...
Time:    0.1s, ETA:    0.0s [========================>]       960B/960B
Downloading database patch # 26213...
Time:    0.1s, ETA:    0.0s [========================>]    3.88KiB/3.88KiB
Downloading database patch # 26214...
Time:    0.1s, ETA:    0.0s [========================>]   16.64KiB/16.64KiB
Downloading database patch # 26215...
Time:    0.1s, ETA:    0.0s [========================>]   16.16KiB/16.16KiB
Downloading database patch # 26216...
Time:    0.1s, ETA:    0.0s [========================>]    9.77KiB/9.77KiB
Downloading database patch # 26217...
Time:    0.1s, ETA:    0.0s [========================>]   18.71KiB/18.71KiB
Downloading database patch # 26218...
Time:    0.1s, ETA:    0.0s [========================>]   11.15KiB/11.15KiB
Downloading database patch # 26219...
Time:    0.1s, ETA:    0.0s [========================>]    9.45KiB/9.45KiB
Downloading database patch # 26220...
Time:    0.3s, ETA:    0.0s [========================>]   66.84KiB/66.84KiB
Downloading database patch # 26221...
Time:    0.1s, ETA:    0.0s [========================>]   12.00KiB/12.00KiB
Downloading database patch # 26222...
Time:    0.1s, ETA:    0.0s [========================>]   17.26KiB/17.26KiB
Downloading database patch # 26223...
Time:    0.1s, ETA:    0.0s [========================>]   11.38KiB/11.38KiB
Downloading database patch # 26224...
Time:    0.1s, ETA:    0.0s [========================>]   14.95KiB/14.95KiB
Downloading database patch # 26225...
Time:    0.1s, ETA:    0.0s [========================>]   25.42KiB/25.42KiB
Downloading database patch # 26226...
Time:    0.1s, ETA:    0.0s [========================>]   19.36KiB/19.36KiB
Downloading database patch # 26227...
Time:    0.1s, ETA:    0.0s [========================>]   30.81KiB/30.81KiB
Downloading database patch # 26228...
Time:    0.1s, ETA:    0.0s [========================>]   28.80KiB/28.80KiB
Downloading database patch # 26229...
Time:    0.1s, ETA:    0.0s [========================>]   20.14KiB/20.14KiB
Downloading database patch # 26230...
Time:    0.1s, ETA:    0.0s [========================>]   16.62KiB/16.62KiB
Downloading database patch # 26231...
Time:    0.1s, ETA:    0.0s [========================>]   17.23KiB/17.23KiB
Downloading database patch # 26232...
ERROR: cdiff_apply: lseek(desc, -350, SEEK_END) failed
ERROR: downloadPatch: Can't apply patch
Downloaded 39 patches for daily, which is fewer than the 45 expected patches.
We'll settle for this partial-update, at least for now.
Testing database: '/var/db/clamav/tmp.28ffb4bd0a/clamav-4bc49ebc44b60ba0b9988d6499d15eb4.tmp-daily.cld' ...
Database test passed.
daily.cld updated (version: 26231, sigs: 3996055, f-level: 63, builder: raynman)
main database available for update (local version: 59, remote version: 61)
Current database is 2 versions behind.
Downloading database patch # 60...
ERROR: cdiff_apply: lseek(desc, -350, SEEK_END) failed
ERROR: downloadPatch: Can't apply patch
WARNING: Incremental update failed, trying to download main.cvd
Time:  1m 23s, ETA:    0.0s [========================>]  160.41MiB/160.41MiB
Testing database: '/var/db/clamav/tmp.28ffb4bd0a/clamav-e887b257c3c7a5518030f7e447c125b7.tmp-main.cvd' ...
Database test passed.
main.cvd updated (version: 61, sigs: 6607162, f-level: 90, builder: sigmgr)
bytecode.cvd database is up-to-date (version: 333, sigs: 92, f-level: 63, builder: awillia2)
test#
```

ClamAV is a very powerful anti-virus engine: both individual virus signatures and whole malware families are detected by it. Note in the freshclam output above that when an incremental patch fails to apply, freshclam falls back to downloading the full main.cvd and only installs it after the database test passes.

ClamAV is the most popular virus scanning engine, and we update its virus signatures daily in an attempt to detect viruses, worms and other types of malware.

```
Date: Tue, 29 Jun 2021 19:48:52 +0530
From:  <xxx@xxxxxxxxxxx.com>
To: <xxxxxx@xxxxxxxxxxx>
Subject: the 
Message-ID: <YNsrvtLfXy3E4WQ2@girish>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="cnbWGOKShdMN4huz"
Content-Disposition: inline


--cnbWGOKShdMN4huz
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Disposition: inline

this is from movie

some ...


--cnbWGOKShdMN4huz
Content-Type: image/png
Content-Disposition: attachment; filename="shot0001.png"
Content-Transfer-Encoding: base64

iVBORw0KGgoAAAANSUhEUgAABQAAAALQCAIAAABAH0oBAAAACXBIWXMAAAAAAAAAAQCEeRdz
AAAQAElEQVR4AQAJh/Z4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

..

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AwEAAwEAAwEAAwEAAwEAAwEAAwEAAwEAAwEAAwEAAwEAAwEAAwEAAwEAAwEAAwEBAQEBAQEB
--cnbWGOKShdMN4huz--
```

A typical mail with an attachment looks like this to the SMTP backend. This is known as a MIME envelope. As you can see, the entire e-mail, its body, attachments and parts, is recursively encoded using a modern binary-to-text encoding (base64 here, as the Content-Transfer-Encoding header shows).

When ClamAV is fed this envelope it deconstructs the layers, recursively decodes the content and checks that no virus-infected attachments or files matching a malware signature are present.

ClamAV ships three programs that matter for our purposes: clamscan, clamdscan and freshclam.

The first two scan a file attachment, whether a MIME envelope, a file on disk or even a directory of files. There is a huge speed difference between them. clamscan loads the downloaded signature database on every invocation before it can match anything, so it is slow when invoked one file at a time.

clamdscan instead hands the files you feed it to the clamd daemon running in the background, which already holds the database in memory, and asks it for signature matches. freshclam downloads the ClamAV signatures; it can be invoked from a background cron job or otherwise scheduled to run about once a day.

ClamAV is very effective at detecting unwanted content in mail bodies and attachments, but it does nothing about malware-hosting URLs. For those SpamCheetah uses a different backend, SURBL URL scanning.

Viruses come in all shapes and sizes. They can be written in any programming language, made to run in any environment, and replicate there. They may be worms, trapdoors or trojans. Virus scanning is no longer only for Windows desktops, since viruses operate in any environment, and most of them spread over e-mail anyway; at least the initial infection usually happens there.

Does ClamAV stop malware?

Yes. ClamAV has built-in support for most malware families, though SpamCheetah also scans for malware through an API service.

ClamAV's clamd daemon listens on a UNIX domain socket or a local TCP socket. SpamCheetah sends the e-mail envelope to it as a query, and clamd returns a success or failure code depending on whether the e-mail contains embedded malware.
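Added example (not SpamCheetah's or ClamAV's own code): a minimal Python client for the clamd query described above. It frames an envelope as a clamd INSTREAM request over the UNIX domain or local TCP socket and turns clamd's reply into a verdict, treating an ERROR reply as a failure rather than a clean result. The socket path is an assumption; 3310 is ClamAV's default TCP port.

```python
import socket
import struct
from typing import Iterator, Optional, Tuple

CLAMD_UNIX_SOCKET = "/run/clamav/clamd.sock"  # assumed path; see LocalSocket in clamd.conf
CLAMD_TCP = ("127.0.0.1", 3310)                # ClamAV's default TCPSocket port

def instream_frames(data: bytes, chunk_size: int = 65536) -> Iterator[bytes]:
    """Frame data as a clamd INSTREAM request: the NUL-terminated command, then
    big-endian length-prefixed chunks, closed by a zero-length chunk."""
    yield b"zINSTREAM\0"
    for off in range(0, len(data), chunk_size):
        chunk = data[off:off + chunk_size]
        yield struct.pack("!I", len(chunk)) + chunk
    yield struct.pack("!I", 0)

def parse_reply(reply: bytes) -> Tuple[bool, Optional[str]]:
    """Map clamd's reply to (infected, signature): 'stream: OK' is clean and
    'stream: <Name> FOUND' is a hit. Anything else (an ERROR line, e.g. when the
    stream exceeds StreamMaxLength) raises, so a scanner failure never passes as clean."""
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    if text == "stream: OK":
        return False, None
    if text.startswith("stream: ") and text.endswith(" FOUND"):
        return True, text[len("stream: "):-len(" FOUND")]
    raise RuntimeError(f"clamd returned no verdict: {text!r}")

def scan_bytes(data: bytes, conn) -> Tuple[bool, Optional[str]]:
    """Stream a whole MIME envelope to an open clamd connection and return the
    verdict. conn only needs sendall() and recv(), so it is easy to fake in tests."""
    for frame in instream_frames(data):
        conn.sendall(frame)
    reply = b""
    while not reply.endswith(b"\0"):  # z-prefixed commands get a NUL-terminated reply
        part = conn.recv(4096)
        if not part:
            break
        reply += part
    return parse_reply(reply)

def connect_clamd(unix_path: str = CLAMD_UNIX_SOCKET, timeout: float = 60.0) -> socket.socket:
    """Prefer the UNIX domain socket clamd listens on; fall back to local TCP."""
    try:
        s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        s.settimeout(timeout)
        s.connect(unix_path)
        return s
    except (OSError, AttributeError):  # no socket file, or no AF_UNIX on this platform
        return socket.create_connection(CLAMD_TCP, timeout=timeout)
```

With a running clamd, `scan_bytes(envelope, connect_clamd())` returns `(False, None)` for a clean message and `(True, "<signature name>")` for a hit.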
