TrueNAS Scale ClamAV
Overview
Set up ClamAV on TrueNAS Scale.
Assumptions
TrueNAS Scale Setup completed.
Logged in as administrative user.
Install ClamAV
Navigate to the Applications page in the TrueNAS Scale dashboard, Apps on the main navigation.
Switch to the Available Applications tab in the Applications page.
Using the search tool, find the clamav application. Verify ClamAV is from the TrueNAS catalog and is on the Community train.
Select Install to begin configuration and installation of the application. Configuration options not mentioned in this section can be left as default.
Application Name
Setting | Value | Description |
---|---|---|
Application Name | clamav | Name for the application. |
Version Number | #.#.# | Version to use, latest by default. |
ClamAV Configuration
Setting | Value | Description |
---|---|---|
Disable Clamd | false | Disables ClamAV daemon, preventing file scans. |
Disable Freshclamd | false | Disables automatic updates of ClamAV signature database. |
Disable Milterd | true | Disables ClamAV mail filter daemon. |
Clamd Startup Timeout | 1800 | Seconds to wait before timeout of ClamAV daemon, 30 minutes. |
Freshclamd Check | 1 | Number of times to update signature database in a day. 1 is daily, 24 is hourly. |
Additional Environment Variables | — | None required. |
Network Configuration
Setting | Value | Description |
---|---|---|
Clamd Port | 30005 | ClamAV daemon port. |
Milterd Port | 30006 | ClamAV mail daemon port. |
Host Network | false | Leave disabled in most cases. |
Storage Configuration
Setting | Value | Description |
---|---|---|
ClamAV Signature Database Storage | — | — |
Type | ixVolume | Use ixVolume for signature storage. |
Enable ACL | false | Enable to configure an Access Control List. |
ClamAV Scan Directory Storage | — | — |
Type | ixVolume | Use ixVolume for scan storage. |
Enable ACL | false | Enable to configure an Access Control List. |
Resources Configuration
Setting | Value | Description |
---|---|---|
CPU Limit | 2 | Configure a CPU thread limit for the application. |
Memory Limit | 4096 | Memory limit in megabytes. |
Install
Verify you have checked the TrueNAS documentation for ClamAV, then select Install. The application will complete installation and deploy. Navigate to the Applications tab to monitor the status.
Log Storage
ClamAV will send scan reports via email if TrueNAS Scale has been configured to send emails. Consider creating a dataset to store scan reports, especially on systems without email configured.
Add Dataset
Create a new dataset for log storage, tank01/logs in this example.
Edit the logs dataset permissions. Configure the User as root with Read, Write, Execute permissions. Configure the Group as wheel with Read, Execute permissions. Configure Other permissions as None. Apply the permissions recursively and Save.
Mount Dataset
Add the logs dataset as Additional Storage for ClamAV.
From the ClamAV application Storage Configuration, Add an Additional Storage path to the logs dataset.
Setting | Value | Description |
---|---|---|
Additional Storage | — | — |
Type | Host Path | Define a path on the system. |
Read Only | false | ClamAV requires write access to write the logs. |
Mount Path | /mnt/logs | Where the host path will be mounted in the application container. |
Enable ACL | false | Enable to configure an Access Control List. |
Host Path | /mnt/tank01/logs | Path to the logs dataset. |
Access Logs
Generated logs can be accessed the same way other data on the system is accessed. Adjust the file permissions as needed.
Consider deploying a File Browser application instance, pointed at the logs dataset. Change the logs dataset Group to apps to allow other applications to read the logs. Change the User to apps to allow other applications to modify logs.
Scan Storage
A storage scan target could have been specified during initial setup using the ClamAV Scan Directory. This example has avoided this because it is difficult to edit afterwards and cannot define multiple separate paths. Instead, multiple Additional Storage directories will be mounted to the application.
Mount Datasets
Mount the datasets that will be scanned. Repeat the process for each dataset.
From the ClamAV application Storage Configuration, Add an Additional Storage path for the dataset to scan.
Setting | Value | Description |
---|---|---|
Additional Storage | — | — |
Type | Host Path | Define a path on the system. |
Read Only | true | Disable write permission, unless ClamAV will be configured to take action on files. |
Mount Path | /mnt/scan/tank01-example-dataset | Where the host path will be mounted in the application container. |
Enable ACL | false | Enable to configure an Access Control List. |
Host Path | /mnt/tank01/example-dataset | Path of the dataset to scan. |
Schedule Scan
ClamAV will not scan anything by default. Create a cron job to run the scan at scheduled intervals.
Scan Command
The following command will scan /mnt/scan recursively and store the log output in the previously mounted logs dataset. Remove the --log flag and its value when only using email.
If the default application name was not used when installing ClamAV, modify the container name ix-clamav-clamav-1. The correct value can be found with the docker ps command.
docker exec ix-clamav-clamav-1 clamscan --recursive /mnt/scan --log /mnt/logs/clamav-scan-$(date +\%Y-\%m-\%d_\%H-\%M).log
Schedule Scan
Schedule the scan using cron. ClamAV scans can take a long time to complete. Consider running scans monthly and adjusting from there.
From the TrueNAS dashboard, navigate to System, Advanced Settings. Find Cron Jobs in the list and Add a new one.
Configure the job as required.
Setting | Value | Description |
---|---|---|
Description | clamav-scan | Job name. |
Command | docker exec ix-clamav-clamav-1 clamscan --recursive /mnt/scan --log /mnt/logs/clamav-scan-$(date +\%Y-\%m-\%d_\%H-\%M).log | Scan command. |
Run As User | root | Run as root user. |
Schedule | Monthly | Job frequency. |
Hide Standard Output | false | Disable to get output reports. |
Hide Standard Error | false | Disable to get error reports. |
Enabled | true | Enable to activate the job. |
Scan Summary
The scan summary will be emailed if the TrueNAS server is configured to send emails. Find it in the logs dataset, if configured.
----------- SCAN SUMMARY -----------
Known viruses: #######
Engine version: #.#.#
Scanned directories: ##
Scanned files: ##
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 00.000 sec (0 m 0 s)
Start Date: 2024:04:20 12:00:00
End Date: 2024:04:20 12:00:00
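When reports are only stored in the logs dataset, a small triage script can pull the detections and the infected count out of a log. The following is an added example, not part of the original guide: the function names and the sample log are constructed, and it assumes detection lines of the form `<path>: <signature> FOUND`.

```shell
#!/bin/sh
# Added example: triage one log written by clamscan --log.
# Prints each detection as "signature<TAB>path".
# Returns 0 = clean, 1 = detections reported, 2 = log unreadable or no summary.
triage_clamscan_log() {
    log=$1
    [ -r "$log" ] || { echo "cannot read $log" >&2; return 2; }
    # Detection lines have the form "<path>: <signature> FOUND".
    awk '/ FOUND$/ {
        sub(/ FOUND$/, "")
        i = match($0, /: [^:]*$/)   # last ": " splits path from signature
        if (i) printf "%s\t%s\n", substr($0, i + 2), substr($0, 1, i - 1)
    }' "$log"
    # A log without the summary line usually means the scan was interrupted.
    infected=$(awk -F': *' '/^Infected files:/ { print $2; exit }' "$log")
    case $infected in
        '') echo "no scan summary in $log (scan interrupted?)" >&2; return 2 ;;
        0)  return 0 ;;
        *)  return 1 ;;
    esac
}

# Constructed sample log (not output from a real scan); paths follow the
# mount layout used in this guide.
write_sample_log() {
    cat > "$1" <<'EOF'
/mnt/scan/tank01-example-dataset/readme.txt: OK
/mnt/scan/tank01-example-dataset/docs/eicar.com: Eicar-Signature FOUND

----------- SCAN SUMMARY -----------
Scanned directories: 2
Scanned files: 2
Infected files: 1
EOF
}
```

Run `triage_clamscan_log` against the newest file in the logs dataset; a return value of 2 is worth treating as a failed scan rather than a clean one.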
Schedule Cleanup
Consider creating another cron job to remove old ClamAV scan logs. The following command will delete all log files mounted to ClamAV under /mnt/logs whose names match clamav-scan-*.log and that are older than 90 days.
docker exec ix-clamav-clamav-1 find /mnt/logs -type f -name "clamav-scan-*.log" -mtime +90 -exec rm {} \;
Schedule the cleanup command to run a few minutes before the ClamAV job each month.
Setting | Value | Description |
---|---|---|
Description | clamav-cleanup | Job name. |
Command | docker exec ix-clamav-clamav-1 find /mnt/logs -type f -name "clamav-scan-*.log" -mtime +90 -exec rm {} \; | Cleanup command. |
Run As User | root | Run as root user. |
Schedule | Monthly | Job frequency. Optionally adjust to run a few minutes before the scan. |
Hide Standard Output | true | Disable to get output reports. |
Hide Standard Error | false | Disable to get error reports. |
Enabled | true | Enable to activate the job. |
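Because the cleanup job deletes files as root, it is worth dry-running the find expression first. The following is an added example, not part of the original guide: the function names and fixture are constructed, the glob is passed in as an argument, and GNU date and touch are assumed for building the fixture.

```shell
#!/bin/sh
# Added example: dry-run a log cleanup expression before scheduling it.
# Uses the same find tests as the cleanup job, with -print instead of -exec rm.

# Print the files that would be deleted, one per line.
# Arguments: directory, glob, age in days.
cleanup_candidates() {
    find "$1" -type f -name "$2" -mtime +"$3" -print | sort
}

# Return 1 when the glob matches none of the scan logs that exist in the
# directory: such a job exits 0 every month and never deletes anything.
check_cleanup_pattern() {
    total=$(( $(find "$1" -type f -name 'clamav-scan-*' | wc -l) ))
    matched=$(( $(find "$1" -type f -name "$2" | wc -l) ))
    echo "pattern matches $matched of $total scan logs"
    [ "$total" -eq 0 ] || [ "$matched" -gt 0 ]
}

# Constructed fixture: one old scan log, one recent scan log and one old
# unrelated file, named the way the scan command in this guide names logs.
# Assumes GNU date/touch for relative dates.
make_fixture() {
    old=$(date -d '120 days ago' +%Y-%m-%d_%H-%M)
    new=$(date -d '10 days ago' +%Y-%m-%d_%H-%M)
    touch -d '120 days ago' "$1/clamav-scan-$old.log" "$1/unrelated.log"
    touch -d '10 days ago' "$1/clamav-scan-$new.log"
}
```

Point both functions at the logs dataset with the glob from the cron job; only switch back to `-exec rm` once the candidate list is what you expect.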
Errors
137 Exit Status
The cron job may fail with exit code 137. This is most likely a memory issue for the ClamAV container. In some cases, this error will present when the command is run in a cron job, but not when run manually.
Increase the amount of RAM assigned to the ClamAV container and restart the job.
Error: Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/middlewared/job.py", line 488, in run
await self.future
File "/usr/lib/python3/dist-packages/middlewared/job.py", line 535, in __run_body
rv = await self.middleware.run_in_thread(self.method, *args)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/middlewared/main.py", line 1364, in run_in_thread
return await self.run_in_executor(io_thread_pool_executor, method, *args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/middlewared/main.py", line 1361, in run_in_executor
return await loop.run_in_executor(pool, functools.partial(method, *args, **kwargs))
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.11/concurrent/futures/thread.py", line 58, in run
result = self.fn(*self.args, **self.kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/middlewared/schema/processor.py", line 183, in nf
return func(*args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/middlewared/schema/processor.py", line 55, in nf
res = f(*args, **kwargs)
^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/middlewared/plugins/cron.py", line 278, in run
raise CallError(f'CronTask "{cron_cmd}" exited with {cp.returncode} (non-zero) exit status.')
middlewared.service_exception.CallError: [EFAULT] CronTask "docker exec ix-clamav-clamav-1 clamscan --recursive /mnt/scan --log /mnt/logs/clamav-scan-$(date +\%Y-\%m-\%d_\%H-\%M).log" exited with 137 (non-zero) exit status.
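TrueNAS reports any non-zero status the same way, so a clamscan detection (exit status 1) produces the same kind of CallError as the 137 above. The following wrapper is an added example, not part of the original guide: the name `run_scan` is hypothetical, and it relies on clamscan's documented return codes (0 no virus found, 1 virus found, 2 error) and the shell convention that a status above 128 is 128 plus the signal number.

```shell
#!/bin/sh
# Added example: run a scan command and explain its exit status so the
# cron report says why the job "failed".
# Usage (command taken from this guide):
#   run_scan docker exec ix-clamav-clamav-1 clamscan --recursive /mnt/scan
run_scan() {
    status=0
    "$@" || status=$?
    case $status in
        0) echo "clean: no detections" ;;
        1) echo "infected: clamscan reported detections, review the log" ;;
        2) echo "error: clamscan could not complete, check standard error" ;;
        *)
            if [ "$status" -gt 128 ]; then
                # 137 = 128 + 9 (SIGKILL), typical when the container
                # exceeds its memory limit.
                sig=$((status - 128))
                if [ "$sig" -eq 9 ]; then
                    echo "killed: signal 9 (SIGKILL), check the memory limit"
                else
                    echo "killed: signal $sig"
                fi
            else
                echo "unexpected: exit status $status"
            fi
            ;;
    esac
    # Propagate the original status so TrueNAS still flags the job.
    return "$status"
}
```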
References
iXsystems. “TrueNAS Documentation.” 2024.
iXsystems. “TrueNAS ClamAV Documentation.” 2024.
Cisco. “ClamAV Documentation.” 2024.
ClamAV Team. “ClamAV GitHub.” 2024.