[ClamAV] Update to 0.101.1 (based on Debian to fix some errors)

[ClamAV] Some config values are deprecated and were replaced
2019-01-08 12:54:33 +01:00 · 2019-01-08 12:54:33 +01:00 · e42afa39a8
parent 75d5de016a
commit e42afa39a8
5 changed files with 61 additions and 53 deletions
--- a/data/Dockerfiles/clamd/Dockerfile
+++ b/data/Dockerfiles/clamd/Dockerfile
@ -1,18 +1,32 @@
-FROM alpine:3.8
+FROM debian:stretch-slim

 LABEL maintainer "André Peters <andre.peters@servercow.de>"

-# Add scripts
-COPY dl_files.sh bootstrap.sh ./
-
 # Installation
-ENV CLAMAV 0.100.2
+ENV CLAMAV 0.101.1

-RUN apk add --no-cache --virtual build-dependencies alpine-sdk ncurses-dev zlib-dev bzip2-dev pcre-dev linux-headers fts-dev libxml2-dev libressl-dev \
-  && apk add --no-cache curl bash tini libxml2 libbz2 pcre fts libressl tzdata \
+RUN apt-get update && apt-get install -y --no-install-recommends \
+  ca-certificates \
+  zlib1g-dev \
+  libncurses5-dev \
+  libzip-dev \
+  libpcre2-dev \
+  libxml2-dev \
+  libssl-dev \
+  build-essential \
+  libjson-c-dev \
+  curl \
+  bash \
+  wget \
+  tzdata \
+  dnsutils \
+  rsync \
+  dos2unix \
+  netcat \
+  && rm -rf /var/lib/apt/lists/* \
  && wget -O - https://www.clamav.net/downloads/production/clamav-${CLAMAV}.tar.gz | tar xfvz - \
  && cd clamav-${CLAMAV} \
-  && LIBS=-lfts ./configure \
+  && ./configure \
  --prefix=/usr \
  --libdir=/usr/lib \
  --sysconfdir=/etc/clamav \
@ -30,18 +44,22 @@ RUN apk add --no-cache --virtual build-dependencies alpine-sdk ncurses-dev zlib-
  && make install \
  && make clean \
  && cd .. && rm -rf clamav-${CLAMAV} \
-  && apk del build-dependencies \
-  && addgroup -S clamav \
-  && adduser -S -D -h /var/lib/clamav -s /sbin/nologin -G clamav -g clamav clamav \
-  && adduser clamav tty \
+  && apt-get -y --auto-remove purge build-essential \
+  && apt-get -y purge zlib1g-dev \
+  libncurses5-dev \
+  libzip-dev \
+  libpcre2-dev \
+  libxml2-dev \
+  libssl-dev \
+  libjson-c-dev \
+  && addgroup --system --gid 700 clamav \
+  && adduser --system --home /var/lib/clamav --uid 700 --gid 700 --disabled-login clamav \
  && mkdir -p /run/clamav \
  && chown clamav:clamav /run/clamav \
-  && chmod +x /dl_files.sh \
-  && set -ex; /bin/bash /dl_files.sh \
-  && chmod 750 /run/clamav
+  && chmod 750 /run/clamav \
+  && rm -rf /tmp/* /var/tmp/*

-# Port provision
-EXPOSE 3310
+COPY bootstrap.sh ./
+COPY tini /sbin/tini

-# AV daemon bootstrapping
 CMD ["/sbin/tini", "-g", "--", "/bootstrap.sh"]
--- a/data/Dockerfiles/clamd/bootstrap.sh
+++ b/data/Dockerfiles/clamd/bootstrap.sh
@ -10,7 +10,7 @@ fi
 mkdir -p /var/log/clamav
 touch /var/log/clamav/clamd.log /var/log/clamav/freshclam.log
 chown -R clamav:clamav /var/log/clamav/
-chown root:tty /dev/console
+adduser clamav tty
 chmod g+rw /dev/console

 # Prepare whitelist
@ -37,6 +37,27 @@ done
 ) &
 BACKGROUND_TASKS+=($!)

+(
+while true; do
+  sleep 2m
+  SANE_MIRRORS="$(dig +ignore +short rsync.sanesecurity.net)"
+  for sane_mirror in ${SANE_MIRRORS}; do
+    rsync -avp --chown=clamav:clamav --timeout=5 rsync://${sane_mirror}/sanesecurity/ \
+      --include 'blurl.ndb' \
+      --include 'junk.ndb' \
+      --include 'jurlbl.ndb' \
+      --include 'phish.ndb' \
+      --exclude='*' /var/lib/clamav/
+    if [ $? -eq 0 ]; then
+      echo RELOAD | nc localhost 3310
+      break
+    fi
+  done
+  sleep 30h
+done
+) &
+BACKGROUND_TASKS+=($!)
+
 clamd &
 BACKGROUND_TASKS+=($!)

--- a/data/Dockerfiles/clamd/dl_files.sh
+++ b/data/Dockerfiles/clamd/dl_files.sh
@ -1,32 +0,0 @@
-#!/bin/bash
-
-declare -a DB_MIRRORS=(
-  "switch.clamav.net"
-  "clamavdb.heanet.ie"
-  "clamav.iol.cz"
-  "clamav.univ-nantes.fr"
-  "clamav.easynet.fr"
-  "clamav.begi.net"
-)
-declare -a DB_MIRRORS=( $(shuf -e "${DB_MIRRORS[@]}") )
-
-DB_FILES=(
-  "bytecode.cvd"
-  "daily.cvd"
-  "main.cvd"
-)
-
-for i in "${DB_MIRRORS[@]}"; do
-  for j in "${DB_FILES[@]}"; do
-  [[ -f "/var/lib/clamav/${j}" && -s "/var/lib/clamav/${j}" ]] && continue;
-  if [[ $(curl -o /dev/null --connect-timeout 1 \
-    --max-time 1 \
-    --silent \
-    --head \
-    --write-out "%{http_code}\n" "${i}/${j}") == 200 ]]; then
-    curl "${i}/${j}" -o "/var/lib/clamav/${j}" -#
-  fi
-  done
-done
-
-chown clamav:clamav /var/lib/clamav/*.cvd
--- a/data/Dockerfiles/clamd/tini
+++ b/data/Dockerfiles/clamd/tini
--- a/data/conf/clamav/clamd.conf
+++ b/data/conf/clamav/clamd.conf
@ -1,3 +1,4 @@
+#Debug true
 LogFile /dev/console
 LogTime yes
 LogClean yes
@ -23,9 +24,9 @@ DetectPUA yes
 #IncludePUA Spy
 #IncludePUA Scanner
 #IncludePUA RAT
-AlgorithmicDetection yes
+HeuristicAlerts yes
 ScanOLE2 yes
-OLE2BlockMacros yes
+AlertOLE2Macros yes
 ScanPDF yes
 ScanSWF yes
 ScanXMLDOCS yes