Is the idea of using ClamAV in a Qubes + Whonix set-up good or bad in an anonymity sense?

I wanted to try using some Linux antivirus to scan files before storing them in app qubes. DuckDuckGo AI suggested ClamAV to me. I could install it in the Debian template and enable it in a Debian disposable VM. Then when I need to check some file I would send it to this VM, scan it with ClamAV and then send it to the target qube. What bothers me is how I can update its virus database and what impact this could have on anonymity. In theory I could uncheck all usage reports in its settings, and even if it continues to send some data there should not be anything interesting in the template except the list of installed apps, right? But the other question is how I can update its virus database when templates have no network enabled? They use update proxies for updates and installations, but will the proxy be used to update the database? And even if it will, will this not hurt anonymity and template security in any way? If I update the database only in an app VM then it persists only until the next shutdown. I could install ClamAV in a standalone VM, but for me this is too bulky a solution. What could you say about all this?

You can make the database persistent in the disposable template [AppVM]?

1 Like

But since this VM would be used for scanning potentially dangerous files, it should be disposable.

1 Like

Yep, I should have said “disposable template”.

1 Like

Unless I could do it in its disposable template, right? Then I need to find out which directory is used for storing the ClamAV database. Or is it always the standard directory?

1 Like

So it means that every time I want to update the virus database I should start the disposable template and execute the database update command in its terminal? I seem to remember it’s not recommended to use the network even in disposable templates. Am I right?

Yes

I don’t know, I personally do it sometimes, and sometimes not :slight_smile:

2 Likes

You can automatically update the ClamAV database on every template update like this:

  1. Create the file: /etc/qubes/post-install.d/06-freshblam.sh in the template
  2. Paste this content there:
#!/bin/sh

# Scripts in /etc/qubes/post-install.d/ run after package installation;
# only act in a TemplateVM so the hook stays inert anywhere else.
if [ "$(qubesdb-read /type)" = "TemplateVM" ]
then
    echo "Updating ClamAV database..."
    # Route freshclam's download through the Qubes updates proxy, which the
    # template reaches on loopback port 8082 (the same proxy apt uses).
    export all_proxy=http://127.0.0.1:8082/
    freshclam
    echo "Done updating ClamAV database"
fi

Reboot and update your template. Now your AppVMs can use the fresh ClamAV database.

By the way, if you’re making a VM where having malware samples is likely and you’d like to remove them automatically, you can consider using ClamFS (GitHub: burghardt/clamfs), a FUSE-based user-space file system for Linux and BSD with on-access anti-virus file scanning.

4 Likes
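An added example of my own (not code from the thread) that wraps the hook above with the two checks this thread keeps circling back to: it refuses to run freshclam unless the proxy URL is loopback, so the download can only leave via the Qubes updates proxy and whichever netvm backs it, and it reports how stale the database is, which is what you would see inside a disposable whose template never ran freshclam. It assumes the proxy on 127.0.0.1:8082 from the snippet above and Debian’s default database directory /var/lib/clamav; qubesdb-read and freshclam only exist on a real template, elsewhere the hook reports and exits cleanly.

```shell
#!/bin/sh
# Added example: freshclam hook that only talks to a loopback proxy.
# Proxy address and database path are assumptions taken from the thread.

UPDATE_PROXY="${UPDATE_PROXY:-http://127.0.0.1:8082/}"
DB_DIR="${DB_DIR:-/var/lib/clamav}"

# 0 only for a loopback proxy URL. Any other host would let freshclam reach a
# network interface directly instead of the qrexec-backed updates proxy.
proxy_is_loopback() {
    case "$1" in
        http://127.0.0.1:[0-9]*|http://localhost:[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# freshclam.conf lines pinning the proxy and database directory; an
# alternative to exporting all_proxy that does not depend on the environment.
freshclam_proxy_conf() {
    hostport="${1#http://}"; hostport="${hostport%%/*}"
    printf 'HTTPProxyServer %s\nHTTPProxyPort %s\nDatabaseDirectory %s\n' \
        "${hostport%%:*}" "${hostport##*:}" "$2"
}

# Age in whole days of the newest .cvd/.cld signature file, 9999 if none
# exist (the answer in a disposable whose template never ran freshclam).
db_age_days() {
    newest=$(find "$1" -maxdepth 1 \( -name '*.cvd' -o -name '*.cld' \) \
        -printf '%T@\n' 2>/dev/null | sort -n | tail -n 1)
    if [ -z "$newest" ]; then echo 9999; return; fi
    echo $(( ( $(date +%s) - ${newest%.*} ) / 86400 ))
}

# The hook body: run only in a TemplateVM and only via a loopback proxy.
update_if_template() {
    if [ "$(qubesdb-read /type 2>/dev/null)" != "TemplateVM" ]; then
        echo "not a TemplateVM, skipping freshclam"; return 0
    fi
    if ! proxy_is_loopback "$UPDATE_PROXY"; then
        echo "refusing non-loopback proxy $UPDATE_PROXY" >&2; return 1
    fi
    echo "ClamAV database is $(db_age_days "$DB_DIR") day(s) old, updating..."
    all_proxy="$UPDATE_PROXY" freshclam
}

update_if_template
```

Whether the loopback proxy itself ends up in sys-whonix or sys-net is decided by the template’s update proxy setting in dom0, not by anything in this script; the script only guarantees that freshclam has no other way out.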

Thank you very much for your effective help! I forgot to clarify that my Qubes + Whonix set-up does not produce clearnet traffic. Qubes either have netvm none or have sys-whonix as netvm. Sys-whonix is set as the update proxy for dom0 and all templates. All update checks are configured to be performed only through Whonix qubes (i.e. through Tor). Does the port in your script use sys-whonix as the proxy? I need all traffic to go only through Tor so that there are no clearnet traffic leaks.

The snippet I sent was used by me with “normal” net qubes (sys-net, sys-firewall) only. I think that it should still work correctly with sys-whonix, but I have not tested that and I cannot guarantee it. I guess you could check it with Wireshark in sys-net.

What happens if I change the port from 8082 to 9050 (the Tor port)? Or should the port only be like this?

I don’t think it will work. It is the port of the update proxy. The update proxy can use any port after that.

I watched the Whonix Workstation update log and this proxy was there. I asked AI what the (curl) command that mentioned that proxy means, and it said the command routes all HTTP traffic through this proxy. So if Whonix Workstation uses sys-whonix as its update proxy and at the same time still uses proxy 8082, then I interpret this as a sign that the program uses this proxy to redirect traffic through sys-whonix. Anyway, I don’t know how to use the Wireshark app in the context of sys-net (never used it at all), so I’m left to trust that I’ve correctly understood the purpose of this proxy in the template.