LINUXMAKER, OpenSource, Tutorials

The clamav daemon does not listen on TCP ports

ClamAV (Clam AntiVirus) is a virus protection scanner and additional phishing filter under the GNU General Public License. The program can be integrated as a milter under the mail server Postfix together with the SPAM filter software Rspamd. This means that incoming and optionally also outgoing emails are scanned for viruses by ClamAV.
Since the upgrade from Debian 11 "Bullseye" to version 12 "Bookworm", Debian Linux has had problems sending and receiving file attachments, resulting in the error message "4.7.1 Tempfail - internal scan engine error.", which shows up in the log file in particular. Depending on how Rspamd is configured, senders were also informed with the same message.

Stopping the service and the socket

systemctl stop clamav-daemon.service
systemctl stop clamav-daemon.socket

and then starting clamd manually with the command from the ExecStart parameter of the systemd unit file

clamd --foreground=true

had the positive effect that clamd could listen on port 3310 on localhost. As a result, file attachments were scanned again when they were received or sent.

Problem analysis

The problem therefore lies somewhere in the area of Systemd and Clamd as of version 0.99.2. Whereas the clamav-daemon package in Bullseye shipped only one unit file, the one for the clamav-daemon.service, Bookworm contains a unit file for the clamav-daemon.socket in addition to the service unit file. According to the Systemd man page, a service process is automatically passed all sockets of the socket unit with the same name. Since the unit file for the clamav-daemon.socket was missing in Bullseye, no sockets were passed on to clamd by Systemd, regardless of what was specified in the configuration file.

Current solution under Debian Bookworm

Currently the problem is solved by creating a drop-in for the clamav-daemon.socket unit file:

/etc/systemd/system/clamav-daemon.socket.d/tcp-socket.conf

[Socket]
ListenStream=3310

The exact syntax can be found in the man page. Additionally, it would be advisable to remove all socket configurations in the clamd.conf to avoid confusion.

Now the daemon can be started properly after Systemd has been informed of changes to the configuration files:

systemctl daemon-reload
systemctl start clamav-daemon.service
systemctl status clamav-daemon.socket

clamav-daemon.socket - Socket for Clam AntiVirus userspace daemon
    Loaded: loaded (/lib/systemd/system/clamav-daemon.socket; enabled; preset: enabled)
   Drop-In: /etc/systemd/system/clamav-daemon.socket.d
            └─tcp-socket.conf
    Active: active (running) since Tue 2024-07-02 09:32:05 CEST; 1s ago
  Triggers: clamav-daemon.service
      Docs: man:clamd(8)
            man:clamd.conf(5)
            https://docs.clamav.net/
    Listen: /run/clamav/clamd.ctl (Stream)
            [::]:3310 (Stream)
     Tasks: 0 (limit: 4643)
    Memory: 4.0K
       CPU: 1ms
    CGroup: /system.slice/clamav-daemon.socket

Jul 02 09:32:05 mx systemd[1]: Starting clamav-daemon.socket - Socket for Clam AntiVirus userspace daemon...
Jul 02 09:32:05 mx systemd[1]: Listening on clamav-daemon.socket - Socket for Clam AntiVirus userspace daemon.
 

The drop-in file that has just been added is clearly visible under "Drop-In". The following output

# ss -l -n | grep -i 3310
tcp   LISTEN 0      4096                          *:3310                   *:*

indicates the existence of clamd on port 3310 on the network interfaces.
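
The status output ([::]:3310) and the ss line (*:3310) above show a wildcard bind, so the clamd TCP port is reachable on every interface rather than only on localhost. The following check is an added example, not part of the original tutorial: it classifies listeners on the port as loopback or exposed. The function names and all sample lines except the first are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): classify TCP listeners on the
# clamd port. On a live host:  ss -H -l -n | classify_listeners 3310

# Sample input. Line 1 is the ss line shown above; the others are constructed.
SAMPLE='tcp   LISTEN 0      4096                          *:3310                   *:*
tcp   LISTEN 0      4096                  127.0.0.1:3310             0.0.0.0:*
tcp   LISTEN 0      4096                      [::1]:3310                [::]:*
tcp   LISTEN 0      100                     0.0.0.0:25               0.0.0.0:*
u_str LISTEN 0      200       /run/clamav/clamd.ctl 21514                  * 0'

# Print "exposed <addr>" or "loopback <addr>" for every listener on port $1.
classify_listeners() {
    awk -v port="$1" '
    {
        addr = ""
        # "ss -l -n" prefixes a Netid column, "ss -ltn" does not: accept both.
        for (i = 1; i <= 2; i++) if ($i == "LISTEN") addr = $(i + 3)
        if (!match(addr, /:[0-9]+$/)) next          # no trailing :port (unix socket)
        if (substr(addr, RSTART + 1) != port) next  # some other service
        host = substr(addr, 1, RSTART - 1)
        sub(/%.*/, "", host)                        # strip a scope such as %lo
        if (host ~ /^127\./ || host == "[::1]") print "loopback", addr
        else print "exposed", addr
    }'
}

# Exit status 0 if any listener on port $1 is bound beyond loopback.
port_is_exposed() {
    classify_listeners "$1" | grep -q '^exposed '
}

printf '%s\n' "$SAMPLE" | classify_listeners 3310
if printf '%s\n' "$SAMPLE" | port_is_exposed 3310; then
    echo "clamd TCP port is bound to a non-loopback address"
fi
```

If everything that talks to clamd runs on the same host, writing ListenStream=127.0.0.1:3310 in the drop-in instead of ListenStream=3310 keeps the port off the external interfaces.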

It is expected that Debian will include this solution in its next release, so after a dist-upgrade this workaround would have to be undone if scanning were to stop working again.