
[Bug] cortexneurons/clamav_fileinfo no clamd installed

Open genericcx opened this issue 3 years ago • 3 comments

Describe the bug

The dockerized cortexneurons/clamav_fileinfo fails to scan with ClamAV. The error indicates that clamd is either not running or not installed.

root@057dc1cabc74:/opt/cortex# docker run -it --rm --entrypoint bash cortexneurons/clamav_fileinfo:1
root@be1203e87504:/worker# /bin/sh -c ClamAV/pyclam_analyzer.py
Traceback (most recent call last):
  File "/worker/ClamAV/pyclam_analyzer.py", line 7, in <module>
    cd = pyclamd.ClamdUnixSocket()
  File "/usr/local/lib/python3.10/site-packages/pyclamd/pyclamd.py", line 709, in __init__
    raise ConnectionError('Could not find clamd unix socket from /etc/clamav/clamd.conf or /etc/clamd.conf')
pyclamd.pyclamd.ConnectionError: Could not find clamd unix socket from /etc/clamav/clamd.conf or /etc/clamd.conf

To Reproduce

Steps to reproduce the behavior:

  1. configure Cortex to use docker analyzers
  2. enable the ClamAV analyzer
  3. try to scan a file.

Complementary information

Is there a way to resolve this locally on the dockerized container and have the changes stick? It seems that if I try to resolve this (by installing clamd and configuring it) directly on the container, the changes get wiped when re-running the analyzer (I assume this is due to it pulling a fresh container each time).

Also, what would be the best approach to using custom signature files when using the dockerized container? Would it be best to simply map the signature location to the host, or to add them to a customized ClamAV docker container?

genericcx avatar Jan 26 '22 07:01 genericcx

Hello.

Yes, ClamAV is particular.

I tried to build a custom docker image on my side:

FROM python:3
WORKDIR /worker
COPY . ClamAV
RUN test ! -e ClamAV/requirements.txt || pip install --no-cache-dir -r ClamAV/requirements.txt
RUN apt update
RUN apt install -y clamav clamav-daemon build-essential
ENTRYPOINT service clamav-freshclam start && freshclam && service clamav-daemon start && ClamAV/pyclam_analyzer.py

Then docker run --rm -ti -v ${PWD}:/job --entrypoint /bin/bash cortexneurons/clamav:devel

The issue is that you are limited in the number of freshclam runs per day, as seen in this output:

Wed Jan 26 12:22:40 2022 -> ClamAV update process started at Wed Jan 26 12:22:40 2022
Wed Jan 26 12:22:40 2022 -> ^FreshClam previously received error code 429 or 403 from the ClamAV Content Delivery Network (CDN).
Wed Jan 26 12:22:40 2022 -> This means that you have been rate limited or blocked by the CDN.
Wed Jan 26 12:22:40 2022 ->  1. Verify that you're running a supported ClamAV version.
Wed Jan 26 12:22:40 2022 ->     See https://docs.clamav.net/faq/faq-eol.html for details.
Wed Jan 26 12:22:40 2022 ->  2. Run FreshClam no more than once an hour to check for updates.
Wed Jan 26 12:22:40 2022 ->     FreshClam should check DNS first to see if an update is needed.
Wed Jan 26 12:22:40 2022 ->  3. If you have more than 10 hosts on your network attempting to download,
Wed Jan 26 12:22:40 2022 ->     it is recommended that you set up a private mirror on your network using
Wed Jan 26 12:22:40 2022 ->     cvdupdate (https://pypi.org/project/cvdupdate/) to save bandwidth on the
Wed Jan 26 12:22:40 2022 ->     CDN and your own network.
Wed Jan 26 12:22:40 2022 ->  4. Please do not open a ticket asking for an exemption from the rate limit,
Wed Jan 26 12:22:40 2022 ->     it will not be granted.
Wed Jan 26 12:22:40 2022 -> ^You are still on cool-down until after: 2022-01-26 16:22:24

A good idea would be to support the configuration for a private mirror with cvdupdate. It requires some updates in the code.

jeromeleonard avatar Jan 26 '22 12:01 jeromeleonard
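Two things in this thread are worth seeing in code: the traceback in the report (pyclamd cannot find a clamd socket via /etc/clamav/clamd.conf or /etc/clamd.conf, which is what a container without clamav-daemon looks like), and the race in the custom entrypoint above, which starts clamav-daemon and launches the analyzer in the same shell line before the daemon has finished loading its database. The following is an added example, not code from Cortex-Analyzers, pyclamd or the issue: it resolves the clamd endpoint from clamd.conf text, produces a plain diagnosis when the daemon is absent, waits for clamd to answer PING before scanning, and speaks the clamd wire protocol (NUL-terminated zPING/zINSTREAM commands) directly so it needs no third-party module. The config snippets and socket paths used in it are constructed for illustration.

```python
"""Locate clamd the way an analyzer must, and talk to it over its wire protocol.

Added example (not Cortex-Analyzers or pyclamd code). Config text and paths
below are constructed for illustration.
"""
import os
import socket
import struct
import time

# Same search order the pyclamd traceback in the issue reports.
CLAMD_CONF_CANDIDATES = ("/etc/clamav/clamd.conf", "/etc/clamd.conf")


def parse_clamd_conf(text):
    """Return 'Key value' pairs from clamd.conf text, skipping comments and the
    'Example' sentinel line that disables a stock, unedited config."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "Example":
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            conf[parts[0]] = parts[1].strip()
    return conf


def resolve_endpoint(conf):
    """('unix', path), ('tcp', (host, port)), or None if clamd is not configured."""
    if "LocalSocket" in conf:
        return ("unix", conf["LocalSocket"])
    if "TCPSocket" in conf:
        return ("tcp", (conf.get("TCPAddr", "127.0.0.1"), int(conf["TCPSocket"])))
    return None


def diagnose(endpoint):
    """Human-readable reason a connection would fail, or None if it looks fine."""
    if endpoint is None:
        return "no LocalSocket/TCPSocket in clamd.conf: clamd is not configured (clamav-daemon installed?)"
    kind, addr = endpoint
    if kind == "unix" and not os.path.exists(addr):
        return f"unix socket {addr} is missing: clamav-daemon is not running in this container"
    return None


def open_connection(endpoint, timeout=5.0):
    kind, addr = endpoint
    sock = socket.socket(socket.AF_UNIX if kind == "unix" else socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    sock.connect(addr)
    return sock


def _read_reply(sock):
    """Read one NUL-terminated reply (the 'z' command form) and return it as str."""
    buf = b""
    while not buf.endswith(b"\0"):
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf.rstrip(b"\0").decode(errors="replace")


def clamd_query(sock, command):
    sock.sendall(b"z" + command.encode() + b"\0")
    return _read_reply(sock)


def wait_for_clamd(endpoint, timeout=60.0, interval=1.0):
    """Poll until clamd answers PING with PONG. Avoids racing a daemon that was
    started a moment earlier and is still loading its signature database."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            with open_connection(endpoint, timeout=interval) as sock:
                if clamd_query(sock, "PING") == "PONG":
                    return True
        except OSError:
            pass  # socket absent or daemon not accepting yet; retry
        time.sleep(interval)
    return False


def instream_frames(data, chunk_size=65536):
    """INSTREAM payload: 'zINSTREAM\\0', big-endian length-prefixed chunks, zero chunk."""
    out = bytearray(b"zINSTREAM\0")
    for i in range(0, len(data), chunk_size):
        chunk = data[i:i + chunk_size]
        out += struct.pack(">I", len(chunk)) + chunk
    out += struct.pack(">I", 0)
    return bytes(out)


def parse_scan_reply(reply):
    """'stream: OK' -> ('OK', None); 'stream: Name FOUND' -> ('FOUND', Name); else ('ERROR', text)."""
    _, _, verdict = reply.partition(": ")
    if verdict == "OK":
        return ("OK", None)
    if verdict.endswith(" FOUND"):
        return ("FOUND", verdict[:-len(" FOUND")])
    return ("ERROR", verdict)


def scan_bytes(endpoint, data):
    """Scan an in-memory file with INSTREAM; returns (status, detail)."""
    with open_connection(endpoint) as sock:
        sock.sendall(instream_frames(data))
        return parse_scan_reply(_read_reply(sock))


if __name__ == "__main__":
    for path in CLAMD_CONF_CANDIDATES:
        if os.path.exists(path):
            with open(path) as fh:
                endpoint = resolve_endpoint(parse_clamd_conf(fh.read()))
            break
    else:
        endpoint = None
    problem = diagnose(endpoint)
    if problem:
        raise SystemExit(f"clamd unavailable: {problem}")
    if not wait_for_clamd(endpoint, timeout=30):
        raise SystemExit("clamd did not answer PING within 30s")
    print(scan_bytes(endpoint, b"hello, this is a constructed sample file"))
```

Run inside the analyzer container: on the stock cortexneurons/clamav_fileinfo image it exits with the "not configured" diagnosis instead of the raw pyclamd traceback; on the custom image above, calling wait_for_clamd before pyclam_analyzer.py's first scan removes the startup race, and freshclam can be left out of the entrypoint entirely since the thread shows why running it on every container start trips the CDN rate limit.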

Has someone found a solution for this problem? I'd like to use dockerized neurons with my local ClamAV.

Davdavidid avatar Jul 21 '22 09:07 Davdavidid

I have the same problem. ClamAV analyzer tries to find the ClamAV daemon ... which is not installed and not running in the TheHive/Cortex/Shuffle docker container. I'd be happy with a comment on how to work around this!

Entwicklungsleiter avatar Apr 24 '23 10:04 Entwicklungsleiter