We will describe and resolve the most common errors that appear when using the ClamAV antivirus (clamscan, clamdscan, and freshclam).
Compilation errors for ClamAV from its sources are not covered here.

clamdscan "Can't open file or directory ERROR"

When scanning files or directories, some of them may cause this error. These files will not be scanned and bypass malware checks.
This can be due to the permissions of directories or files. You should verify that clamdscan has read and write permissions on these folders and files.
However, it can also be due to AppArmor. The solution is to set clamd into AppArmor's "complain" mode. Here is the solution for Debian:

apt-get install apparmor-utils
aa-complain /usr/sbin/clamd


clamdscan "File path check failure: Permission denied. ERROR"

To fix this error, you can try the following three solutions:

• Set scanned files and directories to permissions 666: chmod 666 *
• Use clamdscan with the --fdpass option: clamdscan --fdpass
• Use clamdscan with the --stream option: clamdscan --stream

"Ignoring mirror (due to previous errors)" in freshclam logs

When this error message appears, it means you are unable to download the antivirus signature databases.
This message corresponds to versions prior to ClamAV 0.102.
Starting from version 0.102, the network-related code in freshclam was radically changed. Therefore, to resolve this error, it is necessary to update your version of ClamAV.

"nonblock_connect: connect(): fd=5 errno=101: Network is unreachable" and "WARNING: getpatch: Can't download daily-xxx.cdiff from db.local.clamav.net" in freshclam logs

This message indicates an inability to connect to ClamAV servers to download the antivirus signature databases.

• Your server may have an Internet connection issue.
• You may be using a proxy (transparent or not). Freshclam prefers a direct connection to ClamAV servers and does not handle proxy connections well, especially if the proxy modifies HTTP(S) connection properties, such as changing the User-Agent.
• You may be using a very old version of the ClamAV antivirus, in which case it is essential to update it.

"WARNING: Can't read main.cvd header from db.local.clamav.net (IP: )" in freshclam logs

You are unable to download the antivirus signature databases.
It is possible that the mirrors.dat file is overloaded. This file is used to blacklist ClamAV mirror servers that encounter errors. If you had an Internet disconnection, freshclam might have blacklisted all mirrors, leaving none available.
The solution is to delete this file (e.g., /var/lib/clamav/mirrors.dat for Debian) and restart freshclam.

Note that since version 0.100, this problem no longer exists. Therefore, if you see this type of error, it is crucial to update ClamAV.

"WARNING: Message: SSL peer certificate or SSH remote key was not OK" in freshclam logs

You are unable to update the antivirus signature databases, and this message appears.
It is possible that your computer's date and time are incorrect. Update the date and time using NTP.

"ERROR: This tool requires libclamav with functionality level XXX or higher (current f-level: XXX)"

You may have two different versions of libclamav installed on your system. These could be two versions provided by your operating system. Simply remove the older version. It could also be a mix of an installation from ClamAV source code and a version provided by the operating system. Always ensure only one version of libclamav is installed on your system.

"LibClamAV Error: yyerror()" and "LibClamAV Warning: cli_loadyara: failed to parse or load 1 yara rules from file"

ClamAV supports antivirus signatures in the YARA format. However, the YARA interpreter engine used is specific and internal to ClamAV, and it is not 100% compatible with the official YARA interpreter.
Some YARA rules may not fully work with ClamAV.
To resolve this issue:

• You can rewrite the problematic YARA rule to make it compatible with ClamAV.
• Alternatively, you can wait for future improvements to the ClamAV YARA engine.

Errors like "LibClamAV Error: [scan_biff_for_xlm_macros] Unexpected state value 4" when using ClamAV

These errors are very specific and may highlight a scanning issue caused by poorly handled data in ClamAV. We recommend reporting the issue to the ClamAV development team on their official GitHub.

"LibClamAV Warning: fmap: map allocation failed", "LibClamAV Error: CRITICAL: fmap() failed" and "Can't allocate memory ERROR" when using ClamAV

This error message generally indicates insufficient RAM during a scan. Therefore:

• Either you do not have enough memory; consider increasing the RAM on your server or VPS.
• Or you are scanning an object that is too large. To prevent this, set limits on the size of objects being scanned using the --max-filesize or --max-scansize command-line options.
• Or you are scanning system files or directories, such as the /proc directory on Linux. This is prohibited; do not do it.

"Segmentation fault (core dumped)" when using ClamAV

This error message is arguably the most critical. It indicates a crash of the antivirus so severe that the operating system terminated the ClamAV process.

However, the message is too generic and results from numerous potential causes, such as your operating system's configuration, available resources (RAM), or the object you are attempting to scan with ClamAV (too large or a system file like /proc, for example).

It is therefore not possible to determine the exact cause of the crash. The best solution is to open a bug ticket with the ClamAV development team on their official GitHub.

TCP: No tcp AF_INET/AF_INET6 SOCK_STREAM socket received from systemd

The ClamAV daemon is running, but TCP port 3310 is not open: the command "lsof -i|grep clamd" returns nothing.
When starting clamd, the following error message appears: "TCP: No tcp AF_INET/AF_INET6 SOCK_STREAM socket received from systemd".

The solution is to create the directory /etc/systemd/system/clamav-daemon.socket.d/ and add the file /etc/systemd/system/clamav-daemon.socket.d/extend.conf:

cat /etc/systemd/system/clamav-daemon.socket.d/extend.conf
[Socket]
SocketUser=clamav
ListenStream=3310

Then restart your server.

The End-Of-Life (EOL) policy of the ClamAV antivirus

Since December 15, 2024, only versions 1.0.x, 1.3.x, and 1.4.x of the ClamAV antivirus are supported and maintained.
If you have an earlier version, ClamAV is no longer expected to work because the recent signature databases are no longer compatible with those older versions. Therefore, either you use our additional signatures for ClamAV, at least the Professional versions, or you urgently update your ClamAV antivirus. Or both, which is even better!
For more information, we recommend reading our article about using old versions of the ClamAV antivirus.

The ClamWin antivirus no longer works

ClamWin is a Windows port of the ClamAV antivirus but created by a third party. Therefore, ClamWin is not supported or developed by Cisco/Sourcefire teams. Unfortunately, this antivirus for Windows is no longer maintained by its owner, and its latest available version is 0.103.2.1. As mentioned earlier, version 0.103 is no longer supported by ClamAV, so ClamAV has disabled downloading signature databases for ClamWin. This renders it completely ineffective, and it is not recommended to use ClamWin in business or production environments.

We recommend downloading the official version of ClamAV for Windows. Both 32-bit and 64-bit versions are available. While this version does not have a graphical user interface (GUI), ClamAV's command-line interface is straightforward, and a few simple BAT files will suffice to automate disk scans.

There is also an unofficial port of the ClamAV antivirus for Windows that works with very old versions of Windows (WinNT and Windows 98!). However, it remains command-line only and lacks a graphical interface.

Error 426 with SecuriteInfo.com signatures

If you encounter an error 426 when using freshclam to download our antivirus signatures, it means you have a free account and an outdated ClamAV antivirus.

The solution is to either update your ClamAV installation or subscribe to a "Professional" plan to download our signatures. Or do both to significantly improve malware detection with your setup.

I can't download securiteinfoold.hdb, or I get 'nonblock_recv: recv timing out (30 secs)' or 'Download failed (28) ... Message: Timeout was reached' errors

• For ClamAV versions older than 0.102.2, add "ReceiveTimeout 2400" to your freshclam.conf file and restart the freshclam daemon.


• For ClamAV 0.102.2 and later, remove ReceiveTimeout from your freshclam.conf file and restart the freshclam daemon.

Updating your ClamAV version

As you can see, most problems are resolved by updating the ClamAV antivirus to the latest known version. There are several ways to do this; choose the one that suits your environment.

• If you compiled ClamAV from source, simply get the latest source files and recompile it in your environment. However, be cautious about your operating system version: if you use an outdated OS, the latest ClamAV version might result in compilation errors.


• If you have an executable version of ClamAV, such as ClamAV for Windows, just install the package containing the new executable version. This is the simplest solution!


• If your operating system provided the ClamAV antivirus, as is the case for most Linux environments (Ubuntu, Debian, Red Hat, CentOS...), it is imperative to update your OS. If updating is not possible due to constraints, we recommend removing the ClamAV package and then installing and recompiling ClamAV from source. But as mentioned earlier, if your OS is too old, ClamAV might not compile.

For more details, we recommend reading our article What are the risks of using an old version of the ClamAV antivirus?

SecuriteInfo.com Support

If you have specific needs regarding ClamAV, such as a maintenance contract, compilation support, or technology monitoring, do not hesitate to contact us and explain your needs. We will be happy to meet your antivirus protection requirements with ClamAV.

Official ClamAV Support

If you encounter other error messages or wish to get direct support from the ClamAV development teams, you have two options:

• Sign up for the official mailing list (English only), where you can ask questions via email. The community and some ClamAV developers will respond on this list.
• Create a ticket on their official GitHub. However, you must be a developer because you will need to provide extensive technical details. This is not for the general public.

Did you know?

SecuriteInfo.com provides additional antivirus signatures for ClamAV. These greatly enhance malware and spam detection.


Note: ClamAV is a registered trademark of Cisco

Tags

ANTIVIRUS CLAMAV LINUX WINDOWS MACOS

Inscription à notre lettre d'information

Inscrivez-vous à notre lettre d'information pour vous tenir au courant de nos actualités et de nos dernières trouvailles.

SecuriteInfo.com est une entreprise française de cybersécurité. Nous proposons différentes solutions matérielles et prestations de services permettant de sécuriser les données des Systèmes d'Information d'entreprises ou de collectivités. Notre périmètre d'intervention couvre l'intégralité de votre système d'information : Sécurité périmétrique, réseaux, accès distants, VPN, solutions anti-spam et anti-malwares, différents audits réseaux et systèmes, vérification de la politique de sécurité, hébergement sécurisé ...