fix: replace clamav.js with clamscan for ClamAV 1.0+ compatibility

danieltruong · danieltruong · commit b8445dddd408 · 2026-03-02T21:09:53.000Z
The old clamav.js library (v0.12.0, last updated 2015) uses the deprecated
STREAM protocol which was removed in ClamAV 1.0+. This caused 'Malformed
Response[UNKNOWN COMMAND]' errors when scanning files.

Replaced with clamscan v2.4.0 which:
- Uses the modern INSTREAM protocol
- Supports TCP connections to remote clamd daemons
- Is actively maintained (last updated Oct 2024)
- Has proper async/await support
diff --git a/.yarn/install-state.gz b/.yarn/install-state.gz
diff --git a/api/helpers/utils.js b/api/helpers/utils.js
@@ -2,13 +2,49 @@
 
 var _               = require('lodash');
 var mongoose        = require('mongoose');
-var clamav          = require('clamav.js');
-var _serviceHost    = process.env.CLAMAV_SERVICE_HOST || '127.0.0.1';
-var _servicePort    = process.env.CLAMAV_SERVICE_PORT || '3310';
+var NodeClam        = require('clamscan');
 var MAX_LIMIT       = 1000;
 const defaultLog      = require('winston').loggers.get('default');
 var DEFAULT_PAGESIZE  = 100;
 
+// ClamAV scanner instance (initialized on first use)
+let clamScanner = null;
+
+/**
+ * Get or initialize the ClamAV scanner instance.
+ * Uses TCP connection to remote ClamAV daemon.
+ */
+async function getClamScanner() {
+  if (clamScanner) {
+    return clamScanner;
+  }
+
+  const serviceHost = process.env.CLAMAV_SERVICE_HOST || '127.0.0.1';
+  const servicePort = parseInt(process.env.CLAMAV_SERVICE_PORT, 10) || 3310;
+
+  try {
+    clamScanner = await new NodeClam().init({
+      debugMode: false,
+      clamdscan: {
+        host: serviceHost,
+        port: servicePort,
+        timeout: 60000,
+        localFallback: false,
+        active: true,
+      },
+      clamscan: {
+        active: false,  // Don't use local binary
+      },
+      preference: 'clamdscan',
+    });
+    defaultLog.info(`ClamAV scanner initialized: ${serviceHost}:${servicePort}`);
+    return clamScanner;
+  } catch (err) {
+    defaultLog.error(`Failed to initialize ClamAV scanner: ${err.message}`);
+    throw err;
+  }
+}
+
 exports.buildQuery = function (property, values, query) {
   var oids = [];
   if (_.isArray(values)) {
@@ -32,34 +68,38 @@ exports.getBasePath = function (protocol, host) {
   return protocol + '://' + host;
 };
 
-// MBL: TODO Make this event driven instead of synchronous?
-exports.avScan = function (buffer) {
-  return new Promise(function (resolve) {
-    var stream = require('stream');
-    // Initiate the source
-    var bufferStream = new stream.PassThrough();
-    // Write your buffer
+/**
+ * Scan a buffer for viruses using ClamAV.
+ * @param {Buffer} buffer - The file buffer to scan
+ * @returns {Promise<boolean>} - true if file is clean, false if infected or error
+ */
+exports.avScan = async function (buffer) {
+  const stream = require('stream');
+  const serviceHost = process.env.CLAMAV_SERVICE_HOST || '127.0.0.1';
+  const servicePort = process.env.CLAMAV_SERVICE_PORT || '3310';
+
+  try {
+    const clam = await getClamScanner();
+
+    // Create a readable stream from the buffer
+    const bufferStream = new stream.PassThrough();
     bufferStream.end(buffer);
 
-    clamav.ping(_servicePort, _serviceHost, 1000, function (err) {
-      if (err) {
-        defaultLog.warn('ClamAV service: ' + _serviceHost + ':' + _servicePort + ' is not available[' + err + ']');
-        resolve(false);
-      } else {
-        clamav.createScanner(_servicePort, _serviceHost)
-          .scan(bufferStream, function (err, object, malicious) {
-            if (err) {
-              defaultLog.info('Error:', err);
-              resolve(false);
-            } else if (malicious) {
-              resolve(false);
-            } else {
-              resolve(true);
-            }
-          });
-      }
-    });
-  });
+    const { isInfected, viruses } = await clam.scanStream(bufferStream);
+
+    if (isInfected) {
+      defaultLog.warn(`File is infected with: ${viruses.join(', ')}`);
+      return false;
+    }
+
+    defaultLog.info('File passed virus scan');
+    return true;
+  } catch (err) {
+    defaultLog.warn(`ClamAV service: ${serviceHost}:${servicePort} scan failed: ${err.message}`);
+    // Reset scanner instance on error so it can be re-initialized
+    clamScanner = null;
+    return false;
+  }
 };
 
 exports.getSkipLimitParameters = function (pageSize, pageNum) {
diff --git a/package.json b/package.json
@@ -30,7 +30,7 @@
     "bcryptjs": "^2.4.3",
     "biguint-format": "~1.0.0",
     "body-parser": "^1.20.3",
-    "clamav.js": "~0.12.0",
+    "clamscan": "^2.4.0",
     "crypto": "~1.0.1",
     "csv": "~5.1.1",
     "db-migrate": "~0.11.4",
diff --git a/yarn.lock b/yarn.lock
@@ -3606,10 +3606,10 @@ __metadata:
   languageName: node
   linkType: hard
 
-"clamav.js@npm:~0.12.0":
-  version: 0.12.0
-  resolution: "clamav.js@npm:0.12.0"
-  checksum: 10c0/22a52b5dfc769b7fdbf684c189db474a93c342dd6cb99cb11a68185845212253b7dfd2ed82cb6ff81ba618b079cf41606c5b52540b6c465bad6bcf25d7f1bf0b
+"clamscan@npm:^2.4.0":
+  version: 2.4.0
+  resolution: "clamscan@npm:2.4.0"
+  checksum: 10c0/ac15ddc9debf597cf13d98362b62f722a8af087b210991dbabe5849a9fee53902968fc2ea254404296a31ac9dc0dd4c25174289b2b68d26cb4bba85ccfe8e441
   languageName: node
   linkType: hard
 
@@ -4246,7 +4246,7 @@ __metadata:
     biguint-format: "npm:~1.0.0"
     body-parser: "npm:^1.20.3"
     chai: "npm:^4.3.10"
-    clamav.js: "npm:~0.12.0"
+    clamscan: "npm:^2.4.0"
     crypto: "npm:~1.0.1"
     csv: "npm:~5.1.1"
     db-migrate: "npm:~0.11.4"
