Documentation on ClamAV rules in "Antivirus for Files" app?

Nextcloud version: 15.0.8 (docker “production” tag)
Operating system and version: Ubuntu 18.04

There seems to be no documentation on how to create rules for the Antivirus for Files app…?

We have a Nextcloud user who builds and maintains an Electron app, which is internal to our organization and thus is not published or signed. The Windows executable builds are getting caught by ClamAV, both when an attempt is made to upload through the web interface, and if the file is dropped into a folder managed by a Nextcloud desktop client.

I’ve attempted to create a rule to mark this file as clean based on a regex of the file name, but I can’t get it to work. The regex I built works if you use it via sed, which appears to be the type of regex standard that is required.

I can’t confirm this, though, because I can’t find any documentation on how to create these rules correctly.

Does anyone know how to create these rules, or is there some documentation I’m missing somewhere…?

I think it would be a good idea to post the file name you want to match and the rule you want to use so that someone else can check it :wink:

I’ll use a fake file name for security.

my_electron_app_version_1.0.23.exe

/.*my.*electron.*app.*version.*.*\.exe/

The regex matches if I do a test using sed like this:

echo "my_electron_app_version_1.0.23.exe" | sed 's/.*my.*electron.*app.*version.*.*\.exe/It\ Worked!/'

So if the antivirus app or ClamAV uses sed-style regexes, then that is correct; however, the files I want to allow that match that regex are still being caught and blocked.

Is there maybe an order that the rules get applied, or maybe only one match is required?

Is there some way to make my rule take precedence over any others?

Where is the documentation…!?

You’re right, the regular expression should match the file. Unfortunately, only the base setup is currently documented, but not how rules are set up or in which order they are processed.

@rullzer Could you please be so kind and shed some light on how the files_antivirus app processes its rules, so that we can use that information to extend the documentation accordingly?