Switch from clamscan to clamd + clamdscan --multiscan

clamscan single-threaded scans were the LS26 bottleneck. Daemon mode
parallelises across MaxThreads=8 and only loads signatures once.

- Add clamav-daemon + clamav-clamdscan packages.
- start.sh::start_clamd waits up to 60s for /tmp/clamd.sock.
- New clamd.conf: MaxThreads 8, DetectPUA, AlertOLE2Macros,
  ExcludePath ^/data/(proc|sys|dev|run)/, log to /tmp/clamd.log.
- Drop final USER user so clamd can own its socket as clamav.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Dockerfile

@@ -14,20 +14,16 @@ FROM alpine
 ARG PUID=1001
 ARG PGID=1001
 MAINTAINER tabledevil
-RUN apk add -u --no-cache clamav bash clamav-libunrar 
+RUN apk add -u --no-cache clamav clamav-daemon clamav-clamdscan bash clamav-libunrar
 COPY --from=builder /var/lib/clamav /var/lib/clamav
-#add startscript
+ADD clamd.conf /etc/clamav/clamd.conf
 ADD start.sh /start.sh
 RUN chmod +x /start.sh
-#customize clamav config
-RUN sed -ie 's/#DetectPUA yes/DetectPUA yes/p' /etc/clamav/clamd.conf
-RUN sed -ie 's/#AlertOLE2Macros yes/AlertOLE2Macros yes/p' /etc/clamav/clamd.conf
-#
 RUN chown root /usr/bin/freshclam
 RUN chmod u+s /usr/bin/freshclam
-#add user
+RUN mkdir -p /tmp && chown clamav:clamav /tmp
 RUN addgroup -g ${PGID} user && \
-    adduser -D -u ${PUID} -G user user
+    adduser -D -u ${PUID} -G user user && \
+    adduser user clamav
 ENTRYPOINT ["/start.sh"]
 CMD ["shell"]
-USER user

clamd.conf

@@ -0,0 +1,14 @@
+LocalSocket /tmp/clamd.sock
+Foreground no
+MaxThreads 8
+MaxScanSize 400M
+MaxFileSize 100M
+MaxRecursion 8
+DetectPUA yes
+AlertOLE2Macros yes
+ConcurrentDatabaseReload no
+ExcludePath ^/data/(proc|sys|dev|run)/
+DatabaseDirectory /var/lib/clamav
+LogSyslog no
+LogFile /tmp/clamd.log
+LogVerbose no

start.sh

@@ -1,25 +1,45 @@
 #!/bin/sh
+
+start_clamd() {
+    clamd --config-file=/etc/clamav/clamd.conf
+    echo "Waiting for clamd..."
+    attempts=0
+    while [ ! -S /tmp/clamd.sock ] && [ "$attempts" -lt 120 ]; do
+        sleep 0.5
+        attempts=$((attempts + 1))
+    done
+    if [ ! -S /tmp/clamd.sock ]; then
+        echo "ERROR: clamd failed to start"
+        cat /tmp/clamd.log 2>/dev/null
+        exit 2
+    fi
+    echo "clamd ready ($(cat /tmp/clamd.log 2>/dev/null | grep -c 'loaded') databases loaded)"
+}
+
 case "${1}" in
   version )
     echo "stage: ${1}"
     clamscan --version
     clamconf | sed -ne '/Database information/,/^$/p'
-    for file in /var/lib/clamav/* ; 
+    for file in /var/lib/clamav/* ;
     do
-      (clamscan -d $file /proc/cmdline > /dev/null 2>&1) && echo "+ ${file}" || echo "Bad Signaturefile ${file}" 
+      (clamscan -d $file /proc/cmdline > /dev/null 2>&1) && echo "+ ${file}" || echo "Bad Signaturefile ${file}"
     done
     echo "$(sigtool --list-sigs | wc -l) Signatures loaded"
-
     ;;
   scan )
     echo "stage: ${1}"
-    echo "Starting Scan of /data:"
+    start_clamd
-    clamscan -ir /data
+    echo "Starting multiscan of /data:"
+    clamdscan --multiscan /data
+    rc=$?
+    exit $rc
     ;;
   * )
     echo "stage: ${1}"
-    echo "Usage:"
+    echo "Usage: scan | version | shell"
-    clamscan --help | head -n 20
+    echo "  scan    - multithreaded scan of /data via clamd"
+    echo "  version - show engine + signature info"
     /bin/sh
     ;;
 esac