Unable to run clamav because I can't update the virus definition #1900

Closed
Battant opened this issue Jun 11, 2016 · 2 comments
Labels
question Issue asks a question but is likely not a bug

Comments

Battant commented Jun 11, 2016

Hello,

Because clamxav became commercial and closed source, I tried to install clamav using Homebrew.

When I run clamscan I get this:

```
clamscan
LibClamAV Error: cli_loaddbdir(): No supported database files found in /usr/local/Cellar/clamav/0.99.2/share/clamav
ERROR: Can't open file or directory

----------- SCAN SUMMARY -----------
Known viruses: 0
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 0
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 0.009 sec (0 m 0 s)
```

When I run freshclam I get this:

```
sudo freshclam
ERROR: Can't open/parse the config file /usr/local/etc/clamav/freshclam.conf
```

Could you please help me fix this issue?

Thanks for your support

Battant

Contributor

ilovezfs commented Jun 17, 2016

Yeah, this isn't our most user-friendly formula.

First, note the caveat message you get when initially installing:

```
bash-3.2$ brew install clamav
==> Downloading https://homebrew.bintray.com/bottles/clamav-0.99.2.el_capitan.bottle.tar.gz
Already downloaded: /Users/joe/Library/Caches/Homebrew/clamav-0.99.2.el_capitan.bottle.tar.gz
==> Pouring clamav-0.99.2.el_capitan.bottle.tar.gz
==> Caveats
To finish installation & run clamav you will need to edit
the example conf files at /usr/local/etc/clamav/
==> Summary
🍺  /usr/local/Cellar/clamav/0.99.2: 37 files, 3.9M
bash-3.2$
```

So what is it talking about regarding "example conf files at /usr/local/etc/clamav/"?

```
bash-3.2$ ls /usr/local/etc/clamav/
clamd.conf.sample   freshclam.conf.sample
```

Note that configuration files with the extension .conf.sample won't actually work. You have to copy (or rename) them to files with the extension .conf.

Let's see what happens if we ignore the conf files issue and just try to run clamscan:

```
bash-3.2$ clamscan
LibClamAV Error: cli_loaddbdir(): No supported database files found in /usr/local/Cellar/clamav/0.99.2/share/clamav
ERROR: Can't open file or directory

----------- SCAN SUMMARY -----------
Known viruses: 0
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 0
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 0.002 sec (0 m 0 s)
```

Is that telling the truth?

```
bash-3.2$ ls -al /usr/local/Cellar/clamav/0.99.2/share/clamav
total 0
drwxr-xr-x  2 joe  admin   68 Apr 22 09:24 .
drwxr-xr-x  4 joe  admin  136 Apr 22 09:24 ..
```

Yep, nothing there. So where do we get them?

Note that Homebrew doesn't provide any non-Homebrew-specific documentation, so now would be a good time to visit https://www.clamav.net/. If you click "download" or visit "https://www.clamav.net/downloads" directly, you'll see a closed tab with the name "Virus Database." If you click that, you'll see:

> For ClamAV to work properly, both the ClamAV engine and the ClamAV Virus Database (CVD) must be kept up to date.
>
> Freshclam should perform these updates automatically. Instructions for setting up Freshclam can be found in the ClamAV Manual or in the documentation section.

But let's assume that we're in a rush, and get the point that to get the database files we need to run freshclam. What happens if we try to do that?

```
bash-3.2$ freshclam
ERROR: Can't open/parse the config file /usr/local/etc/clamav/freshclam.conf
```

OK, well that should make sense, since the only files in /usr/local/etc/clamav/ were clamd.conf.sample freshclam.conf.sample as we saw above.

It's looking for /usr/local/etc/clamav/freshclam.conf, so let's see if we can just copy the sample file and use that:

```
bash-3.2$ cd /usr/local/etc/clamav
bash-3.2$ cp freshclam.conf.sample freshclam.conf
bash-3.2$ freshclam
ERROR: Please edit the example config file /usr/local/etc/clamav/freshclam.conf
ERROR: Can't open/parse the config file /usr/local/etc/clamav/freshclam.conf
```

Well at least we got a different error that time.

It's telling us we actually have to edit freshclam.conf and that the sample wasn't sufficient without any modifications. Let's see what's wrong. If you open freshclam.conf in a text editor, you'll see at the top

```
bash-3.2$ cat freshclam.conf
##
## Example config file for freshclam
## Please read the freshclam.conf(5) manual before editing this file.
##


# Comment or remove the line below.
Example

# Path to the database directory.
# WARNING: It must match clamd.conf's directive!
# Default: hardcoded (depends on installation options)
#DatabaseDirectory /var/lib/clamav
...
```

OK, so it seems to be telling us how to fix it: "Comment or remove the line below." That must be referring to the line that just says "Example" so let's delete that line and save the file.

Now what happens if we run freshclam?

```
bash-3.2$ freshclam
ClamAV update process started at Fri Jun 17 06:07:35 2016
Downloading main.cvd [100%]
main.cvd updated (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)
Downloading daily.cvd [100%]
[LibClamAV] cli_loadldb: logical signature for Win.Trojan.ssid18332-1 uses PCREs but support is disabled, skipping
[LibClamAV] cli_loadldb: logical signature for Win.Ransomware.Locky-4 uses PCREs but support is disabled, skipping
[LibClamAV] cli_loadldb: logical signature for Html.Exploit.CVE_2016_0184-1 uses PCREs but support is disabled, skipping
daily.cvd updated (version: 21740, sigs: 301088, f-level: 63, builder: neo)
Downloading bytecode.cvd [100%]
bytecode.cvd updated (version: 281, sigs: 51, f-level: 63, builder: neo)
Database updated (4519929 signatures) from database.clamav.net (IP: 155.98.64.87)
```

Well that's much better! But did the database files end up in the right place?

```
bash-3.2$ ls -al /usr/local/Cellar/clamav/0.99.2/share/clamav
total 227368
drwxr-xr-x  2 joe  admin        204 Jun 17 06:08 .
drwxr-xr-x  4 joe  admin        136 Apr 22 09:24 ..
-rw-r--r--  1 joe  admin      81051 Jun 17 06:08 bytecode.cvd
-rw-r--r--  1 joe  admin    7177006 Jun 17 06:08 daily.cvd
-rw-r--r--  1 joe  admin  109143933 Jun 17 06:07 main.cvd
-rw-------  1 joe  admin         52 Jun 17 06:08 mirrors.dat
```

Yes, that looks good.

So can we actually run clamscan now?

```
bash-3.2$ clamscan
LibClamAV Warning: cli_loadldb: logical signature for Win.Trojan.ssid18332-1 uses PCREs but support is disabled, skipping
LibClamAV Warning: cli_loadldb: logical signature for Win.Ransomware.Locky-4 uses PCREs but support is disabled, skipping
LibClamAV Warning: cli_loadldb: logical signature for Html.Exploit.CVE_2016_0184-1 uses PCREs but support is disabled, skipping
...
```

Yes looks good. (And probably best to run it with -v and/or --debug to see more info.)

So it seems clamd.conf was not actually mandatory but freshclam.conf was, and freshclam.conf required edits to the sample version to actually be functional.

And now would be a good time to consult the upstream documentation for further information.
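
The procedure walked through in the comment above (copy the sample, disable the `Example` line, confirm that signatures actually arrived), as an added shell example that is not part of the original thread or of Homebrew's or ClamAV's own tooling. The function names are hypothetical; the last two functions cover the case the thread starts from, where a scan with `Known viruses: 0` still reports `Infected files: 0`.

```shell
#!/bin/sh
# Added example: activate a ClamAV sample config and verify that a signature
# database exists before trusting a scan result. Function names are hypothetical.

# activate_conf DIR NAME
# Copies DIR/NAME.conf.sample to DIR/NAME.conf (never overwriting an existing
# .conf) and comments out the bare "Example" marker line.
activate_conf() {
    ac_sample="$1/$2.conf.sample"
    ac_conf="$1/$2.conf"
    [ -f "$ac_sample" ] || { echo "missing $ac_sample" >&2; return 1; }
    [ -e "$ac_conf" ] || cp "$ac_sample" "$ac_conf" || return 1
    # Portable in-place edit (BSD and GNU sed disagree on -i); only a line
    # consisting solely of "Example" is changed.
    sed 's/^Example[[:space:]]*$/#Example/' "$ac_conf" > "$ac_conf.tmp" &&
        mv "$ac_conf.tmp" "$ac_conf"
}

# conf_is_active FILE: succeeds when no uncommented "Example" line remains.
conf_is_active() {
    [ -f "$1" ] && ! grep -Eq '^Example[[:space:]]*$' "$1"
}

# db_present DIR: succeeds when DIR holds a non-empty .cvd or .cld database,
# the two formats freshclam writes.
db_present() {
    for dp_file in "$1"/*.cvd "$1"/*.cld; do
        [ -s "$dp_file" ] && return 0
    done
    return 1
}

# known_signatures: reads clamscan output on stdin and prints the
# "Known viruses" count, or 0 when the summary line is absent.
known_signatures() {
    awk -F': *' '/^Known viruses:/ { n = $2 } END { print n + 0 }'
}
```

On the installation in this thread the calls would be `activate_conf /usr/local/etc/clamav freshclam`, then, after running freshclam, `db_present /usr/local/Cellar/clamav/0.99.2/share/clamav`.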

@ilovezfs ilovezfs added the question Issue asks a question but is likely not a bug label Jun 17, 2016
@ilovezfs
Contributor

@Battant let us know if you need additional help beyond the above.

DomT4 added a commit that referenced this issue Jun 18, 2016
It's actually pretty important at runtime & clamav will throw irritating
warnings that it's missing at every opportunity without it. Ref: #1900

Since `pcre` is already an epidemic in Homebrew, spreading it a little further
probably won't catch many additional users.

Closes #2093.

Signed-off-by: Dominyk Tiller <dominyktiller@gmail.com>
@Homebrew Homebrew locked and limited conversation to collaborators Feb 20, 2017