Lior,

Bypassing the Java client was a good idea! Now it sounds like a clamd problem or (more likely?) a Kubernetes problem.

I know almost nothing about Kubernetes, except that it is something like a virtualizer for applications. Perhaps Kubernetes is rejecting attempts to set up a TCP session on port 3310. The PCAP data you sent only shows that *something* at the server IP terminated the connection. Do you have to tell Kuber what ports to allow? Does it have any tracing or debug capabilities that would allow you to gather info on what exactly is happening?

Good luck,
Paul

On Wed, 10 Dec 2025 15:51:51 +0200 Lior Koskas <[email protected]> wrote:

> Hi Paul,
>
> Thank you for your comments. The issue is happening even when I'm trying
> a simple PONG or printing the version request to the clamav server:
>
> printf "VERSION\n" | nc my.dns.dns 3310
>
>
> On Wed, Dec 10, 2025 at 12:05 AM Paul Kosinski <[email protected]> wrote:
>
> > Hi Lior,
> >
> > Assuming that the 6 TCP packets below are contiguous in the TCP stream,
> > it's pretty clear that no actual data are being sent from 10.210.86.39 (the
> > client) to 10.210.84.7 (the server).
> >
> > The first 3 packets ([SYN], [SYN,ACK] and [ACK]) are the usual TCP
> > "handshake" which starts a TCP session. But that is immediately followed by
> > a [FIN,ACK] from the client to the server -- the [FIN, ACK] says "I'm done"
> > (and by the way, "I got your last packet"). The last 2 packets are just the
> > standard end of a session.
> >
> > So I would say that the Java client is simply not sending any actual data
> > of any kind to the remote clamd. But clamd is listening on port 3310 (or at
> > least something is) or else the "handshake" wouldn't have happened.
> >
> > Paul
> >
> > P.S. If any real data were transferred, viewing the PCAP file via the
> > Wireshark GUI would likely be a powerful analytical tool!
> >
> > -------------------------------------
> >
> > On Tue, 9 Dec 2025 17:13:42 +0200
> > Lior Koskas <[email protected]> wrote:
> >
> > > Thank you for your suggestion. I created a pcap file and I see a lot of
> > > lines like this:
> > >
> > >
> > > 1689 46.344568 10.210.86.39 10.210.84.7 TCP 80 14952 → 3310 [SYN] Seq=0 Win=8961 Len=0 MSS=8361 SACK_PERM TSval=2413887455 TSecr=0 WS=1
> > > 1690 46.344586 10.210.84.7 10.210.86.39 TCP 80 3310 → 14952 [SYN, ACK] Seq=0 Ack=1 Win=62643 Len=0 MSS=8961 SACK_PERM TSval=1236561427 TSecr=2413887455 WS=128
> > > 1691 46.345415 10.210.86.39 10.210.84.7 TCP 72 14952 → 3310 [ACK] Seq=1 Ack=1 Win=8961 Len=0 TSval=2413887456 TSecr=1236561427
> > > 1692 46.345468 10.210.86.39 10.210.84.7 TCP 72 14952 → 3310 [FIN, ACK] Seq=1 Ack=1 Win=8961 Len=0 TSval=2413887456 TSecr=1236561427
> > > 1693 46.345575 10.210.84.7 10.210.86.39 TCP 72 3310 → 14952 [FIN, ACK] Seq=1 Ack=2 Win=62720 Len=0 TSval=1236561428 TSecr=2413887456
> > > 1694 46.346108 10.210.86.39 10.210.84.7 TCP 72 14952 → 3310 [ACK] Seq=2 Ack=2 Win=8960 Len=0 TSval=2413887457 TSecr=1236561428
> > >
> > > On Thu, Dec 4, 2025 at 4:42 AM Paul Kosinski <[email protected]> wrote:
> > >
> > > > Have you tried watching network traffic with Wireshark (or TCPdump) for
> > > > both the telnet and Java attempts? Perhaps that would show something. E.g.,
> > > > the Java client doesn't send anything, or does send something but it's
> > > > wrong.
> > > >
> > > > And, of course, if you also run clamdscan itself, you can see what the
> > > > correct interaction is.
> > > >
> > > > P.S. I find Wireshark gives much more detail than TCPdump, and you can
> > > > even change what you look at after the fact, if you capture a PCAP output
> > > > file during the test.
> > > >
> > > >
> > > > On Wed, 3 Dec 2025 17:46:36 +0200
> > > > Lior Koskas via clamav-users <[email protected]> wrote:
> > > >
> > > > > Hi,
> > > > >
> > > > > I'm running ClamAV on Kubernetes. The image tag is clamav/clamav:1.5.1. I
> > > > > have a Java app based on SpringBoot that communicates with ClamAV.
> > > > > When I'm trying to scan a file using my Java app, the app hangs up at this
> > > > > line:
> > > > >
> > > > > ClamavClient clamScan = new ClamavClient(url, port);
> > > > >
> > > > > clamScan.ping(); // hangs up
> > > > >
> > > > > When I'm running the telnet command to my URL the command runs as expected.
> > > > >
> > > > > My clamd config file:
> > > > >
> > > > > ##############################
> > > > > # Network Settings (TCP mode)
> > > > > ##############################
> > > > > TCPSocket 3310
> > > > > TCPAddr 0.0.0.0
> > > > > LocalSocket /run/clamav/clamd.sock
> > > > > LocalSocketGroup clamav
> > > > > LocalSocketMode 666
> > > > >
> > > > > ##############################
> > > > > # Logging
> > > > > ##############################
> > > > > # LogFile /var/log/clamav/clamd.log
> > > > > LogFileUnlock yes
> > > > > LogTime yes
> > > > > LogVerbose no # Change to "yes" for debug
> > > > > ExtendedDetectionInfo yes
> > > > > LogVerbose yes # Enable verbose for debugging
> > > > >
> > > > > ##############################
> > > > > # Performance & Limits
> > > > > ##############################
> > > > > MaxScanSize 200M
> > > > > MaxFileSize 100M
> > > > > StreamMaxLength 150M
> > > > > MaxRecursion 20
> > > > > MaxFiles 10000
> > > > > MaxScanTime 120000 # 120 seconds
> > > > > ReadTimeout 120
> > > > > IdleTimeout 60
> > > > >
> > > > > ##############################
> > > > > # Heuristics / Features
> > > > > ##############################
> > > > > ScanArchive yes
> > > > > ScanOLE2 yes
> > > > > ScanPDF yes
> > > > > ScanSWF yes
> > > > > ScanHWP3 yes
> > > > > HeuristicScanPrecedence yes
> > > > >
> > > > > ##############################
> > > > > # Misc
> > > > > ##############################
> > > > > Foreground yes
> > > > > User clamav
> > > > > SelfCheck 3600 # Every 60 minutes
> > > > >
> > > > > My freshclam config file:
> > > > >
> > > > > ###############
> > > > > # Database Updates
> > > > > ###############
> > > > > DatabaseOwner clamav
> > > > > Checks 12 # every 2 hours
> > > > >
> > > > > DatabaseMirror database.clamav.net
> > > > > DNSDatabaseInfo current.cvd.clamav.net
> > > > >
> > > > > ###############
> > > > > # Logging
> > > > > ###############
> > > > > UpdateLogFile /var/log/clamav/freshclam.log
> > > > > LogVerbose yes
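
The reading of the six quoted packets given in the thread (handshake completes, no payload in either direction, client sends the first FIN) can be checked mechanically over a whole capture. This is an added example, not part of the thread: it parses Wireshark summary lines in the format quoted above, and the names `summarize` and `verdict` and the verdict strings are illustrative choices.

```python
import re

# The six packet summaries quoted in the thread (Wireshark text export).
CAPTURE = """\
1689 46.344568 10.210.86.39 10.210.84.7 TCP 80 14952 → 3310 [SYN] Seq=0 Win=8961 Len=0 MSS=8361 SACK_PERM TSval=2413887455 TSecr=0 WS=1
1690 46.344586 10.210.84.7 10.210.86.39 TCP 80 3310 → 14952 [SYN, ACK] Seq=0 Ack=1 Win=62643 Len=0 MSS=8961 SACK_PERM TSval=1236561427 TSecr=2413887455 WS=128
1691 46.345415 10.210.86.39 10.210.84.7 TCP 72 14952 → 3310 [ACK] Seq=1 Ack=1 Win=8961 Len=0 TSval=2413887456 TSecr=1236561427
1692 46.345468 10.210.86.39 10.210.84.7 TCP 72 14952 → 3310 [FIN, ACK] Seq=1 Ack=1 Win=8961 Len=0 TSval=2413887456 TSecr=1236561427
1693 46.345575 10.210.84.7 10.210.86.39 TCP 72 3310 → 14952 [FIN, ACK] Seq=1 Ack=2 Win=62720 Len=0 TSval=1236561428 TSecr=2413887456
1694 46.346108 10.210.86.39 10.210.84.7 TCP 72 14952 → 3310 [ACK] Seq=2 Ack=2 Win=8960 Len=0 TSval=2413887457 TSecr=1236561428
"""

# no. time src dst TCP framelen sport → dport [flags] ... Len=n
PKT = re.compile(r"^\s*\d+\s+[\d.]+\s+(\S+)\s+(\S+)\s+TCP\s+\d+\s+(\d+)\s+\S+\s+(\d+)"
                 r"\s+\[([^\]]+)\].*?\bLen=(\d+)")

def summarize(text, server_port=3310):
    """Group packets into sessions to server_port, keyed by (client, cport, server)."""
    sessions = {}
    for line in text.splitlines():
        m = PKT.match(line)
        if not m:
            continue
        src, dst, sport, dport, flags, length = m.groups()
        sport, dport, length = int(sport), int(dport), int(length)
        flags = {f.strip() for f in flags.split(",")}
        if server_port not in (sport, dport):
            continue
        side = "client" if dport == server_port else "server"
        key = (src, sport, dst) if side == "client" else (dst, dport, src)
        s = sessions.setdefault(key, {"synack": False, "established": False,
                                      "client_bytes": 0, "server_bytes": 0,
                                      "first_close": None})
        s[side + "_bytes"] += length            # Len= is the TCP payload size
        if side == "server" and flags == {"SYN", "ACK"}:
            s["synack"] = True                  # something is listening on the port
        elif side == "client" and s["synack"] and "ACK" in flags and "RST" not in flags:
            s["established"] = True             # three-way handshake completed
        if flags & {"FIN", "RST"} and s["first_close"] is None:
            s["first_close"] = f"{side} {'RST' if 'RST' in flags else 'FIN'}"
    return sessions

def verdict(s):
    if not s["established"]:
        return "handshake incomplete"
    if s["client_bytes"] == 0 and s["server_bytes"] == 0:
        closer = s["first_close"] or "nobody (still open)"
        return f"connected, no payload either way; closed first by {closer}"
    return "request sent, no reply" if s["server_bytes"] == 0 else "data exchanged"
```
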
