5

ClamAV seems to have a bug on Debian 12 (bookworm) making it difficult to get it listening on TCP 3310.

I tried the two approaches described in

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1042377

to no avail. I also tried

https://bbs.archlinux.org/viewtopic.php?id=233951

and ran

dpkg-reconfigure clamav-daemon

as suggested in

Debian 8: can't get ClamAV to listen on TCP 3310

Any idea? Thanks. Here are my configuration files, the clamav log file, and the commands to restart the service and to check where clamd is listening.

/etc/systemd/system/clamav-daemon.service.d/tcp-socket.conf

[Socket]
ListenStream=3310

/etc/clamav/clamd.conf

#Automatically Generated by clamav-daemon postinst
#To reconfigure clamd run #dpkg-reconfigure clamav-daemon
#Please read /usr/share/doc/clamav-daemon/README.Debian.gz for details
TCPSocket 3310
TCPAddr 127.0.0.1
# TemporaryDirectory is not set to its default /tmp here to make overriding
# the default with environment variables TMPDIR/TMP/TEMP possible
User clamav
ScanMail false
ScanArchive true
ArchiveBlockEncrypted false
MaxDirectoryRecursion 15
FollowDirectorySymlinks false
FollowFileSymlinks false
ReadTimeout 180
MaxThreads 12
MaxConnectionQueueLength 15
LogSyslog false
LogRotate true
LogFacility LOG_LOCAL6
LogClean false
LogVerbose false
PreludeEnable no
PreludeAnalyzerName ClamAV
DatabaseDirectory /var/lib/clamav
OfficialDatabaseOnly false
SelfCheck 3600
Foreground false
Debug false
ScanPE true
MaxEmbeddedPE 10M
ScanOLE2 true
ScanPDF true
ScanHTML true
MaxHTMLNormalize 10M
MaxHTMLNoTags 2M
MaxScriptNormalize 5M
MaxZipTypeRcg 1M
ScanSWF true
ExitOnOOM false
LeaveTemporaryFiles false
AlgorithmicDetection true
ScanELF true
IdleTimeout 30
CrossFilesystems true
PhishingSignatures true
PhishingScanURLs true
PhishingAlwaysBlockSSLMismatch false
PhishingAlwaysBlockCloak false
PartitionIntersection false
DetectPUA false
ScanPartialMessages false
HeuristicScanPrecedence false
StructuredDataDetection false
CommandReadTimeout 30
SendBufTimeout 200
MaxQueue 100
ExtendedDetectionInfo true
OLE2BlockMacros false
AllowAllMatchScan true
ForceToDisk false
DisableCertCheck false
DisableCache false
MaxScanTime 120000
MaxScanSize 100M
MaxFileSize 25M
MaxRecursion 16
MaxFiles 10000
MaxPartitions 50
MaxIconsPE 100
PCREMatchLimit 10000
PCRERecMatchLimit 5000
PCREMaxFileSize 25M
ScanXMLDOCS true
ScanHWP3 true
MaxRecHWP3 16
StreamMaxLength 50M
LogFile /var/log/clamav/clamav.log
LogTime true
LogFileUnlock false
LogFileMaxSize 0
Bytecode true
BytecodeSecurity TrustSigned
BytecodeTimeout 60000
OnAccessMaxFileSize 5M

/var/log/clamav/clamav.log

Sat Dec 16 01:23:16 2023 -> +++ Started at Sat Dec 16 01:23:16 2023
Sat Dec 16 01:23:16 2023 -> Received 1 file descriptor(s) from systemd.
Sat Dec 16 01:23:16 2023 -> clamd daemon 1.0.3 (OS: Linux, ARCH: x86_64, CPU: x86_64)
Sat Dec 16 01:23:16 2023 -> Log file size limited to 4294967295 bytes.
Sat Dec 16 01:23:16 2023 -> Reading databases from /var/lib/clamav
Sat Dec 16 01:23:16 2023 -> Not loading PUA signatures.
Sat Dec 16 01:23:16 2023 -> Bytecode: Security mode set to "TrustSigned".
Sat Dec 16 01:23:27 2023 -> Loaded 8680737 signatures.
Sat Dec 16 01:23:29 2023 -> TCP: No tcp AF_INET/AF_INET6 SOCK_STREAM socket received from systemd.
Sat Dec 16 01:23:29 2023 -> LOCAL: Received AF_UNIX SOCK_STREAM socket from systemd.
Sat Dec 16 01:23:29 2023 -> Limits: Global time limit set to 120000 milliseconds.
Sat Dec 16 01:23:29 2023 -> Limits: Global size limit set to 104857600 bytes.
Sat Dec 16 01:23:29 2023 -> Limits: File size limit set to 26214400 bytes.
Sat Dec 16 01:23:29 2023 -> Limits: Recursion level limit set to 16.
Sat Dec 16 01:23:29 2023 -> Limits: Files limit set to 10000.
Sat Dec 16 01:23:29 2023 -> Limits: MaxEmbeddedPE limit set to 10485760 bytes.
Sat Dec 16 01:23:29 2023 -> Limits: MaxHTMLNormalize limit set to 10485760 bytes.
Sat Dec 16 01:23:29 2023 -> Limits: MaxHTMLNoTags limit set to 2097152 bytes.
Sat Dec 16 01:23:29 2023 -> Limits: MaxScriptNormalize limit set to 5242880 bytes.
Sat Dec 16 01:23:29 2023 -> Limits: MaxZipTypeRcg limit set to 1048576 bytes.
Sat Dec 16 01:23:29 2023 -> Limits: MaxPartitions limit set to 50.
Sat Dec 16 01:23:29 2023 -> Limits: MaxIconsPE limit set to 100.
Sat Dec 16 01:23:29 2023 -> Limits: MaxRecHWP3 limit set to 16.
Sat Dec 16 01:23:29 2023 -> Limits: PCREMatchLimit limit set to 10000.
Sat Dec 16 01:23:29 2023 -> Limits: PCRERecMatchLimit limit set to 5000.
Sat Dec 16 01:23:29 2023 -> Limits: PCREMaxFileSize limit set to 26214400.
Sat Dec 16 01:23:29 2023 -> Archive support enabled.
Sat Dec 16 01:23:29 2023 -> AlertExceedsMax heuristic detection disabled.
Sat Dec 16 01:23:29 2023 -> Heuristic alerts enabled.
Sat Dec 16 01:23:29 2023 -> Portable Executable support enabled.
Sat Dec 16 01:23:29 2023 -> ELF support enabled.
Sat Dec 16 01:23:29 2023 -> Mail files support disabled.
Sat Dec 16 01:23:29 2023 -> OLE2 support enabled.
Sat Dec 16 01:23:29 2023 -> PDF support enabled.
Sat Dec 16 01:23:29 2023 -> SWF support enabled.
Sat Dec 16 01:23:29 2023 -> HTML support enabled.
Sat Dec 16 01:23:29 2023 -> XMLDOCS support enabled.
Sat Dec 16 01:23:29 2023 -> HWP3 support enabled.
Sat Dec 16 01:23:29 2023 -> Self checking every 3600 seconds.

Commands and output:

# systemctl stop clamav-daemon.socket
# systemctl stop clamav-daemon.service
# systemctl daemon-reload
# systemctl start clamav-daemon.service
# systemctl status clamav-daemon.service
● clamav-daemon.service - Clam AntiVirus userspace daemon
     Loaded: loaded (/lib/systemd/system/clamav-daemon.service; enabled; preset: enabled)
    Drop-In: /etc/systemd/system/clamav-daemon.service.d
             └─extend.conf, tcp-socket.conf
     Active: active (running) since Sat 2023-12-16 01:31:15 CET; 8s ago
TriggeredBy: ● clamav-daemon.socket
       Docs: man:clamd(8)
             man:clamd.conf(5)
             https://docs.clamav.net/
    Process: 2741989 ExecStartPre=/bin/mkdir -p /run/clamav (code=exited, status=0/SUCCESS)
    Process: 2741990 ExecStartPre=/bin/chown clamav /run/clamav (code=exited, status=0/SUCCESS)
   Main PID: 2741991 (clamd)
      Tasks: 1 (limit: 76845)
     Memory: 1.0G
        CPU: 8.734s
     CGroup: /system.slice/clamav-daemon.service
             └─2741991 /usr/sbin/clamd --foreground=true

systemd[1]: Starting clamav-daemon.service - Clam AntiVirus userspace daemon...
systemd[1]: Started clamav-daemon.service - Clam AntiVirus userspace daemon.

netstat -anp | grep -E "(Active|State|clam|3310)"

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node   PID/Program name     Path
unix  3      [ ]         STREAM     CONNECTED     7558837  2741991/clamd
unix  3      [ ]         STREAM     CONNECTED     7472325  2675419/freshclam
unix  2      [ ACC ]     STREAM     LISTENING     7562309  1/systemd            /run/clamav/clamd.ctl

Thomas853
  • 201

2 Answers

5

I just found the error myself:

The file tcp-socket.conf containing

[Socket]
ListenStream=3310

must be stored in

/etc/systemd/system/clamav-daemon.socket.d

and not in

/etc/systemd/system/clamav-daemon.service.d

It is working now! I found the error using

journalctl -u clamav-daemon

which included the warning

/etc/systemd/system/clamav-daemon.service.d/tcp-socket.conf:1: Unknown section 'Socket'. Ignoring.
Thomas853
  • 201
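
A lint for the mistake diagnosed in the answer above, added here as an example (not code from the post, ClamAV or Debian): it flags drop-in sections that do not belong to the unit type of the directory they sit in. It goes one step beyond the answer by also flagging a bare-port `ListenStream=`, which systemd binds on all local addresses rather than on the `127.0.0.1` given as `TCPAddr` in the question's clamd.conf. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the post): lint systemd drop-ins under ROOT.
# A <unit>.<type>.d/*.conf file may carry [Unit], [Install] and the section
# named after its unit type; systemd ignores any other section with a warning.

type_section() {   # unit type -> its type-specific section name
    case "$1" in
        service) echo Service ;; socket) echo Socket ;; timer) echo Timer ;;
        mount) echo Mount ;; path) echo Path ;; *) echo "" ;;
    esac
}

lint_dropins() {   # prints one finding per line; returns 1 if any were found
    root=$1; findings=0
    for conf in "$root"/*.d/*.conf; do
        [ -f "$conf" ] || continue
        unit=$(basename "$(dirname "$conf")" .d)   # clamav-daemon.service
        utype=${unit##*.}                          # service
        allowed=$(type_section "$utype")
        [ -n "$allowed" ] || continue              # unit type not covered here
        for sec in $(sed -n 's/^\[\([A-Za-z0-9-]*\)][[:space:]]*$/\1/p' "$conf"); do
            case "$sec" in
                Unit|Install|"$allowed"|X-*) ;;
                *) echo "MISPLACED $unit.d/$(basename "$conf"): [$sec] is ignored for a $utype unit"
                   findings=$((findings + 1)) ;;
            esac
        done
        # A bare port in ListenStream= makes systemd listen on all local addresses.
        if [ "$utype" = socket ] && grep -Eq '^ListenStream=[0-9]+[[:space:]]*$' "$conf"; then
            echo "WILDCARD $unit.d/$(basename "$conf"): bare port, not bound to one address"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

make_sample() {    # constructed tree: $1/before = question's layout, $1/after = fixed
    mkdir -p "$1/before/clamav-daemon.service.d" "$1/after/clamav-daemon.socket.d"
    printf '[Socket]\nListenStream=3310\n' \
        > "$1/before/clamav-daemon.service.d/tcp-socket.conf"
    printf '[Socket]\nListenStream=127.0.0.1:3310\n' \
        > "$1/after/clamav-daemon.socket.d/tcp-socket.conf"
}

if [ "${1:-}" = demo ]; then   # run as: sh lint.sh demo
    tmp=$(mktemp -d); make_sample "$tmp"
    lint_dropins "$tmp/before"; lint_dropins "$tmp/after" && echo "after: clean"
    rm -rf "$tmp"
fi
```

On a live host, call `lint_dropins /etc/systemd/system`; `systemctl cat clamav-daemon.socket` then shows the merged unit with its drop-ins.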
2

Actually I found it easier to edit /etc/systemd/system/sockets.target.wants/clamav-daemon.socket. There's already a [Socket] section where you just need to remove or comment out the line

ListenStream=/run/clamav/clamd.ctl

and uncomment the next ListenStream line, optionally changing the port to 3310.

And then there's one crucial thing: after you make your changes you have to reload the systemd configuration with

systemctl daemon-reload

Then restart clamav-daemon and you are all set.

Note that without reloading the systemd config, ClamAV won't see the new socket configuration and will still bind to the local socket. Took me some time to figure it out.

The complete /etc/systemd/system/sockets.target.wants/clamav-daemon.socket file should look like this:

[Unit]
Description=Socket for Clam AntiVirus userspace daemon
Documentation=man:clamd(8) man:clamd.conf(5) https://docs.clamav.net/
# Check for database existence
ConditionPathExistsGlob=/var/lib/clamav/main.{c[vl]d,inc}
ConditionPathExistsGlob=/var/lib/clamav/daily.{c[vl]d,inc}

[Socket]
#ListenStream=/run/clamav/clamd.ctl
ListenStream=3310
SocketUser=clamav
SocketGroup=clamav
RemoveOnStop=True

[Install]
WantedBy=sockets.target

jmper
  • 21