Stowage/clamav
2
0
Fork 0
mirror of https://github.com/Cisco-Talos/clamav.git synced 2025-10-19 10:23:17 +00:00
Code Issues Projects Releases Packages Wiki Activity
clamav/docs/man/clamd.8.in
Val Snyder 8d485b9bfd
FIPS-compliant CVD signing and verification 
Add X509 certificate chain based signing with PKCS7-PEM external
signatures distributed alongside CVD's in a custom .cvd.sign format.
This new signing and verification mechanism is primarily in support
of FIPS compliance.

Fixes: https://github.com/Cisco-Talos/clamav/issues/564

Add a Rust implementation for parsing, verifying, and unpacking CVD
files.

Now installs a 'certs' directory in the app config directory
(e.g. <prefix>/etc/certs). The install location is configurable.
The CMake option to configure the CVD certs directory is:
  `-D CVD_CERTS_DIRECTORY=PATH`

New options to set an alternative CVD certs directory:
- Commandline for freshclam, clamd, clamscan, and sigtool is:
  `--cvdcertsdir PATH`
- Env variable for freshclam, clamd, clamscan, and sigtool is:
  `CVD_CERTS_DIR`
- Config option for freshclam and clamd is:
  `CVDCertsDirectory PATH`

Sigtool:
- Add sign/verify commands.
- Also verify CDIFF external digital signatures when applying CDIFFs.
- Place commonly used commands at the top of --help string.
- Fix up manpage.

Freshclam:
- Will try to download .sign files to verify CVDs and CDIFFs.
- Fix an issue where making a CLD would only include the CFG file for
daily and not if patching any other database.

libclamav.so:
- Bump version to 13:0:1 (aka 12.1.0).
- Also remove libclamav.map versioning.
  Resolves: https://github.com/Cisco-Talos/clamav/issues/1304
- Add two new API's to the public clamav.h header:
  ```c
  extern cl_error_t cl_cvdverify_ex(const char *file,
                                    const char *certs_directory);

  extern cl_error_t cl_cvdunpack_ex(const char *file,
                                    const char *dir,
                                    bool dont_verify,
                                    const char *certs_directory);
  ```
  The original `cl_cvdverify` and `cl_cvdunpack` are deprecated.
- Add `cl_engine_field` enum option `CL_ENGINE_CVDCERTSDIR`.
  You may set this option with `cl_engine_set_str` and get it
  with `cl_engine_get_str`, to override the compiled in default
  CVD certs directory.

libfreshclam.so: Bump version to 4:0:0 (aka 4.0.0).

Add sigtool sign/verify tests and test certs.

Make it so downloadFile doesn't throw a warning if the server
doesn't have the .sign file.

Replace use of md5-based FP signatures in the unit tests with
sha256-based FP signatures because the md5 implementation used
by Python may be disabled in FIPS mode.
Fixes: https://github.com/Cisco-Talos/clamav/issues/1411

CMake: Add logic to enable the Rust openssl-sys / openssl-rs crates
to build against the same OpenSSL library as is used for the C build.
The Rust unit test application must also link directly with libcrypto
and libssl.

Fix some log messages with missing new lines.

Fix missing environment variable notes in --help messages and manpages.

Deconflict CONFDIR/DATADIR/CERTSDIR variable names that are defined in
clamav-config.h.in for libclamav from variable that had the same name
for use in clamav applications that use the optparser.

The 'clamav-test' certs for the unit tests will live for 10 years.
The 'clamav-beta.crt' public cert will only live for 120 days and will
be replaced before the stable release with a production 'clamav.crt'.
2025-03-26 19:33:25 -04:00

160 lines
7.1 KiB
Groff
Raw Permalink Blame History

.TH "Clam Daemon" "8" "February 12, 2009" "ClamAV @VERSION@" "Clam AntiVirus"
.SH "NAME"
.LP
clamd \- an anti\-virus daemon
.SH "SYNOPSIS"
.LP
clamd [options]
.SH "DESCRIPTION"
.LP
The daemon listens for incoming connections on Unix and/or TCP socket and scans files or directories on demand. It reads the configuration from @CONFDIR@/clamd.conf
.SH "COMMANDS"
.LP
It's recommended to prefix clamd commands with the letter \fBz\fR (eg. zSCAN) to indicate that the command will be delimited by a NULL character and that clamd should continue reading command data until a NULL character is read. The null delimiter assures that the complete command and its entire argument will be processed as a single command. Alternatively commands may be prefixed with the letter \fBn\fR (e.g. nSCAN) to use a newline character as the delimiter. Clamd replies will honour the requested terminator in turn.
If clamd doesn't recognize the command, or the command doesn't follow the requirements specified below, it will reply with an error message, and close the connection.
.LP
Clamd recognizes the following commands:
.TP
\fBPING\fR
Check the server's state. It should reply with "PONG".
.TP
\fBVERSION\fR
Print program and database versions.
.TP
\fBRELOAD\fR
Reload the virus databases.
.TP
\fBSHUTDOWN\fR
Perform a clean exit.
.TP
\fBSCAN file/directory\fR
Scan a file or a directory (recursively) with archive support enabled (if not disabled in clamd.conf). A full path is required.
.TP
\fBCONTSCAN file/directory\fR
Scan file or directory (recursively) with archive support enabled and don't stop the scanning when a virus is found.
.TP
\fBMULTISCAN file/directory\fR
Scan file in a standard way or scan directory (recursively) using multiple threads (to make the scanning faster on SMP machines).
.TP
\fBALLMATCHSCAN file/directory\fR
ALLMATCHSCAN works just like SCAN except that it sets a mode where scanning continues after finding a match within a file.
.TP
\fBINSTREAM\fR
It is mandatory to prefix this command with \fBn\fR or \fBz\fR.
Scan a stream of data. The stream is sent to clamd in chunks, after INSTREAM, on the same socket on which the command was sent.
This avoids the overhead of establishing new TCP connections and problems with NAT. The format of the chunk is: '<length><data>' where <length> is the size of the following data in bytes expressed as a 4 byte unsigned integer in network byte order and <data> is the actual chunk. Streaming is terminated by sending a zero-length chunk. Note: do not exceed StreamMaxLength as defined in clamd.conf, otherwise clamd will reply with \fBINSTREAM size limit exceeded\fR and close the connection.
.TP
\fBFILDES\fR
It is mandatory to newline terminate this command, or prefix with \fBn\fR or \fBz\fR.
This command only works on UNIX domain sockets.
Scan a file descriptor. After issuing a FILDES command a subsequent rfc2292/bsd4.4 style packet (with at least one dummy character) is sent to clamd carrying the file descriptor to be scanned inside the ancillary data.
Alternatively the file descriptor may be sent in the same packet, including the extra character.
.TP
\fBSTATS\fR
It is mandatory to newline terminate this command, or prefix with \fBn\fR or \fBz\fR, it is recommended to only use the \fBz\fR prefix.
Replies with statistics about the scan queue, contents of scan queue, and memory
usage. The exact reply format is subject to change in future releases.
.TP
\fBIDSESSION, END\fR
It is mandatory to prefix this command with \fBn\fR or \fBz\fR, and all commands inside IDSESSION must be prefixed.
Start/end a clamd session. Within a session multiple SCAN, INSTREAM, FILDES, VERSION, STATS commands can be sent on the same socket without opening new connections. Replies from clamd will be in the form '<id>: <response>' where <id> is the request number (in ascii, starting from 1) and <response> is the usual clamd reply.
The reply lines have same delimiter as the corresponding command had.
Clamd will process the commands asynchronously, and reply as soon as it has finished processing.
Clamd requires clients to read all the replies it sent, before sending more commands to prevent send() deadlocks. The recommended way to implement a client that uses IDSESSION is with non-blocking sockets, and a select()/poll() loop: whenever send would block, sleep in select/poll until either you can write more data, or read more replies.
\fINote that using non-blocking sockets without the select/poll loop and alternating recv()/send() doesn't comply with clamd's requirements.\fR
If clamd detects that a client has deadlocked, it will close the connection. Note that clamd may close an IDSESSION connection too if you don't follow the protocol's requirements. The client can use the PING command to keep the connection alive.
.TP
\fBVERSIONCOMMANDS\fR
It is mandatory to prefix this command with either \fBn\fR or \fBz\fR.
It is recommended to use \fBnVERSIONCOMMANDS\fR.
Print program and database versions, followed by "| COMMANDS:" and a
space-delimited list of supported commands.
Clamd <0.95 will recognize this as the VERSION command, and reply only with
their version, without the commands list.
This command can be used as an easy way to check for IDSESSION support for
example.
.LP
.TP
\fBDEPRECATED COMMANDS\fR
.TP
\fBSTREAM\fR
Scan stream \- on this command clamd will return "PORT number" you should connect to and send data to scan. (\fBDEPRECATED\fR, use INSTREAM instead)
.LP
.TP
\fBNOT SUPPORTED COMMANDS\fR
.TP
\fBSESSION, END\fR
Start/end a clamd session which will allow you to run multiple commands per TCP session. (use IDSESSION instead)
.SH "OPTIONS"
.LP
.TP
\fB\-h, \-\-help\fR
Output help information and exit.
.TP
\fB\-V, \-\-version\fR
Print the version number and exit.
.TP
\fB\-F, \-\-foreground\fR
Run in foreground; do not daemonize.
.TP
\fB\-\-debug\fR
Enable debug mode.
.TP
\fB\-c FILE, \-\-config\-file=FILE\fR
Read configuration from FILE.
.TP
\fB\-\-fail\-if\-cvd\-older\-than=days\fR
Return with a nonzero error code if the virus database is older than the specified number of days.
.TP
\fB\-\-datadir=DIRECTORY\fR
Load signatures from DIRECTORY.
.TP
\fB\-p FILE, \-\-pid=FILE\fR
Write the daemon's pid to FILE.
.TP
\fB\-\-cvdcertsdir=DIR\fR
Specify a directory containing the root CA cert needed to verify detached CVD digital signatures. If not provided, then clamd will look in the default directory.
.SH "ENVIRONMENT VARIABLES"
.LP
clamd uses the following environment variables:
.TP
\fBLD_LIBRARY_PATH\fR
May be used on startup to find the libclamunrar_iface shared library module to enable RAR archive support.
.TP
\fBCVD_CERTS_DIR\fR
Specify a directory containing the root CA cert needed to verify detached CVD digital signatures. If not provided, then clamd will look in the default directory.
.SH "SIGNALS"
.LP
Clamd recognizes the following signals:
.TP
\fBSIGHUP\fR
Reopen the logfile.
.TP
\fBSIGUSR2\fR
Reload the signature databases.
.TP
\fBSIGTERM\fR
Perform a clean exit.
.SH "FILES"
.LP
@CONFDIR@/clamd.conf
.SH "CREDITS"
Please check the full documentation for credits.
.SH "AUTHOR"
.LP
Tomasz Kojm <tkojm@clamav.net>
.SH "SEE ALSO"
.LP
clamd.conf(5), clamdscan(1), freshclam(1), freshclam.conf(5), clamav\-milter(8)
Reference in a new issue View git blame Copy permalink