Hi all! This is my first post here and I'm hoping someone can help me find
a solution to a scanning issue I'm having.
I'm trying to set up an appliance/Virtual Machine based on Ubuntu
9.10, smbfs, and clamav that will allow me to scan remote Windows systems
(given the appropriate credentials). I found a bit of discussion on the
topic and it looked pretty straightforward. It looked like folks had it
working under Hardy. After a few days of troubleshooting and trying every
documented parameter I could find, I'm still getting an unusual "Can't
Access File" message from clamscan with no luck scanning.
Here's the scenario:
Fully updated Ubuntu 9.10 (fresh install, 32-bit) [uname -a below]
sudo apt-get install smbfs
sudo apt-get install clamav clamav-freshclam [clamconf -n below]
No unusual log messages. Run this and all is well:
[sudo mkdir /quarantine]
/usr/bin/clamscan -r /root /usr /var /home /sbin /tmp \
--infected \
--log="$LOG_FILE" \
--move=/quarantine
Now enter CIFS. I've tried this to both a Windows 2008 R2 server and a
Windows XP system with a Domain Admin account just to eliminate a
permissions issue. I can mount any share with the following (all sudo'd of
course)
mount -t cifs //my_server/a_share /mnt/my_server \
-o username=<user>,password=<password>
I also tried a more specific form with more parameters but I get the same
results:
mount -t cifs //my_server/a_share /mnt/my_server \
-o username=<user>,password=<password>,iocharset=utf8,nocase,dir_mode=0775,file_mode=0775,nobrl
What happens is the share mounts fine. I can access it: I can cat a file,
I can vi and create/open/save, I can even get to it through gedit, showing
that the permissions used to mount the share are effective across root and
regular users.
Now when I try to run sudo'd clamscan with the command below I get the
following message (of course I tried running just a basic clamscan -ri
/mnt/my_server sudo'd as well as just logged in but the results are always
the same):
/usr/bin/clamscan -r /mnt/my_server \
--infected \
--detect-pua=Yes \
--max-scansize=100M \
--max-filesize=200M \
--log="/var/log/clamav/my_server.log" \
--debug -v
LibClamAV debug: searching for unrar, user-searchpath: /usr/lib
LibClamAV debug: searching for unrar: libclamunrar_iface.so.6.0.5 not found
LibClamAV debug: searching for unrar: libclamunrar_iface.so.6 not found
LibClamAV debug: searching for unrar: libclamunrar_iface.so not found
LibClamAV debug: searching for unrar: libclamunrar_iface.a not found
LibClamAV debug: Cannot dlopen libclamunrar_iface: file not found - unrar
support unavailable
LibClamAV debug: Initialized 0.95.3 engine
LibClamAV debug: Initializing phishcheck module
LibClamAV debug: Phishcheck: Compiling regex: ^
*(http|https|ftp:(//)?)?[0-9]{1,3}(\.[0-9]{1,3}){3}[/?:]? *$
LibClamAV debug: Phishcheck module initialized
LibClamAV debug: Loading databases from /var/lib/clamav/
LibClamAV debug: in cli_cvdload()
LibClamAV debug: in cli_tgzload()
LibClamAV debug: daily.cfg loaded
LibClamAV debug: Initializing engine->root[0]
LibClamAV debug: Initialising AC pattern matcher of root[0]
LibClamAV debug: cli_initroots: Initializing BM tables of root[0]
LibClamAV debug: Initializing engine->root[1]
LibClamAV debug: Initialising AC pattern matcher of root[1]
LibClamAV debug: cli_initroots: Initializing BM tables of root[1]
LibClamAV debug: Initializing engine->root[2]
LibClamAV debug: Initialising AC pattern matcher of root[2]
LibClamAV debug: Initializing engine->root[3]
LibClamAV debug: Initialising AC pattern matcher of root[3]
LibClamAV debug: Initializing engine->root[4]
LibClamAV debug: Initialising AC pattern matcher of root[4]
LibClamAV debug: Initializing engine->root[5]
LibClamAV debug: Initialising AC pattern matcher of root[5]
LibClamAV debug: Initializing engine->root[6]
LibClamAV debug: Initialising AC pattern matcher of root[6]
LibClamAV debug: Initializing engine->root[7]
LibClamAV debug: Initialising AC pattern matcher of root[7]
LibClamAV debug: Initializing engine->root[8]
LibClamAV debug: Initialising AC pattern matcher of root[8]
LibClamAV debug: Signature for Trojan.Autoit-77 not loaded (required
f-level: 49)
LibClamAV debug: daily.ndb loaded
LibClamAV debug: cli_loadftm: File type signature for Mach-O LE not loaded
(required f-level: 45)
LibClamAV debug: cli_loadftm: File type signature for Mach-O LE 64-bit not
loaded (required f-level: 45)
LibClamAV debug: cli_loadftm: File type signature for Mach-O BE not loaded
(required f-level: 45)
LibClamAV debug: cli_loadftm: File type signature for Mach-O BE 64-bit not
loaded (required f-level: 45)
LibClamAV debug: cli_loadftm: File type signature for Universal Binary/Java
Bytecode not loaded (required f-level: 46)
LibClamAV debug: cli_loadftm: File type signature for ISHIELD-MSI not loaded
(required f-level: 45)
LibClamAV debug: cli_loadftm: File type signature for 7zip not loaded
(required f-level: 47)
LibClamAV debug: cli_loadftm: File type signature for CPIO NEWC not loaded
(required f-level: 45)
LibClamAV debug: cli_loadftm: File type signature for CPIO CRC not loaded
(required f-level: 45)
LibClamAV debug: cli_loadftm: File type signature for CPIO ODC not loaded
(required f-level: 45)
LibClamAV debug: cli_loadftm: File type signature for CPIO OLD BINARY BE not
loaded (required f-level: 45)
LibClamAV debug: cli_loadftm: File type signature for CPIO OLD BINARY LE not
loaded (required f-level: 45)
LibClamAV debug: Loaded 105 filetype definitions
LibClamAV debug: daily.ftm loaded
LibClamAV debug: daily.fp loaded
LibClamAV debug: daily.hdu loaded
LibClamAV debug: daily.db loaded
LibClamAV debug: daily.zmd loaded
LibClamAV debug: Loading regex_list
LibClamAV debug: daily.pdb loaded
LibClamAV debug: daily.ldb loaded
LibClamAV debug: daily.mdu loaded
LibClamAV debug: daily.ndu loaded
LibClamAV debug: daily.ign loaded
LibClamAV debug: Loading regex_list
LibClamAV debug: daily.wdb loaded
LibClamAV debug: daily.hdb loaded
LibClamAV debug: daily.mdb loaded
LibClamAV debug: /var/lib/clamav//daily.cld loaded
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = 4e3fb7ff64c71cd4b79147ac30a382d3
LibClamAV debug: cli_versig: Decoded signature:
4e3fb7ff64c71cd4b79147ac30a382d3
LibClamAV debug: cli_versig: Digital signature is correct.
LibClamAV debug: in cli_untgz()
LibClamAV debug: cli_untgz: Unpacking
/tmp/clamav-cc9f08d1dde2af1567e657d7cfa4163c/COPYING
LibClamAV debug: cli_untgz: Unpacking
/tmp/clamav-cc9f08d1dde2af1567e657d7cfa4163c/main.info
LibClamAV debug: cli_untgz: Unpacking
/tmp/clamav-cc9f08d1dde2af1567e657d7cfa4163c/main.db
LibClamAV debug: cli_untgz: Unpacking
/tmp/clamav-cc9f08d1dde2af1567e657d7cfa4163c/main.hdb
LibClamAV debug: cli_untgz: Unpacking
/tmp/clamav-cc9f08d1dde2af1567e657d7cfa4163c/main.mdb
LibClamAV debug: cli_untgz: Unpacking
/tmp/clamav-cc9f08d1dde2af1567e657d7cfa4163c/main.ndb
LibClamAV debug: cli_untgz: Unpacking
/tmp/clamav-cc9f08d1dde2af1567e657d7cfa4163c/main.zmd
LibClamAV debug: cli_untgz: Unpacking
/tmp/clamav-cc9f08d1dde2af1567e657d7cfa4163c/main.fp
LibClamAV debug: Loading databases from
/tmp/clamav-cc9f08d1dde2af1567e657d7cfa4163c
LibClamAV debug: /tmp/clamav-cc9f08d1dde2af1567e657d7cfa4163c/main.zmd
loaded
LibClamAV debug: /tmp/clamav-cc9f08d1dde2af1567e657d7cfa4163c/main.db loaded
LibClamAV debug: /tmp/clamav-cc9f08d1dde2af1567e657d7cfa4163c/main.hdb
loaded
LibClamAV debug: Skipping signature Trojan.Inject-64 @ main.mdb:82292
LibClamAV debug: Skipping signature Trojan.Agent-14246 @ main.mdb:126457
LibClamAV debug: Skipping signature Trojan.Agent-14235 @ main.mdb:126458
LibClamAV debug: Skipping signature Trojan.Hupigon-9737 @ main.mdb:135888
LibClamAV debug: Skipping signature Trojan.Downloader-28690 @
main.mdb:145248
LibClamAV debug: Skipping signature Trojan.Dropper-6897 @ main.mdb:186062
LibClamAV debug: Skipping signature Adware.Agent-2559 @ main.mdb:207453
LibClamAV debug: Skipping signature Trojan.Keygen-7 @ main.mdb:216774
LibClamAV debug: Skipping signature Trojan.Lowzones-73 @ main.mdb:252216
LibClamAV debug: Skipping signature Trojan.Downloader.Banload-4698 @
main.mdb:271395
LibClamAV debug: Skipping signature Trojan.Spy-48905 @ main.mdb:284713
LibClamAV debug: Skipping signature Trojan.Dropper-12634 @ main.mdb:302886
LibClamAV debug: Skipping signature Trojan.Dropper-15440 @ main.mdb:343245
LibClamAV debug: Skipping signature Trojan.Agent-83031 @ main.mdb:416296
LibClamAV debug: Skipping signature Trojan.TDss-10 @ main.mdb:429588
LibClamAV debug: Skipping signature Worm.Downadup-340 @ main.mdb:433993
LibClamAV debug: /tmp/clamav-cc9f08d1dde2af1567e657d7cfa4163c/main.mdb
loaded
LibClamAV debug: /tmp/clamav-cc9f08d1dde2af1567e657d7cfa4163c/main.fp loaded
LibClamAV debug: Skipping signature HTML.Phishing.Bank-870 @ main.ndb:32780
LibClamAV debug: Skipping signature WM.BluFish @ main.ndb:54120
LibClamAV debug: Skipping signature Email.Phishing.DblDom-116 @
main.ndb:55006
LibClamAV debug: Skipping signature Trojan.Agent-24920 @ main.ndb:55801
LibClamAV debug: Skipping signature Worm.VB-740 @ main.ndb:56399
LibClamAV debug: Skipping signature Pua.Hideexec @ main.ndb:58523
LibClamAV debug: Skipping signature Trojan.Fakeav-42 @ main.ndb:58697
LibClamAV debug: Skipping signature Trojan.Autoit-72 @ main.ndb:58749
LibClamAV debug: /tmp/clamav-cc9f08d1dde2af1567e657d7cfa4163c/main.ndb
loaded
LibClamAV debug: /var/lib/clamav//main.cvd loaded
LibClamAV debug: matcher[0]: GENERIC: AC sigs: 5181 BM sigs: 29940
LibClamAV debug: matcher[1]: PE: AC sigs: 8335 BM sigs: 50974
LibClamAV debug: matcher[2]: OLE2: AC sigs: 1720 BM sigs: 0 (ac_only mode)
LibClamAV debug: matcher[3]: HTML: AC sigs: 5534 BM sigs: 0 (ac_only mode)
LibClamAV debug: matcher[4]: MAIL: AC sigs: 1123 BM sigs: 0 (ac_only mode)
LibClamAV debug: matcher[5]: GRAPHICS: AC sigs: 6 BM sigs: 0 (ac_only mode)
LibClamAV debug: matcher[6]: ELF: AC sigs: 18 BM sigs: 0 (ac_only mode)
LibClamAV debug: matcher[7]: ASCII: AC sigs: 1410 BM sigs: 0 (ac_only mode)
LibClamAV debug: matcher[8]: DISASM: AC sigs: 0 BM sigs: 0 (ac_only mode)
LibClamAV debug: Building regex list
LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
LibClamAV debug: Building regex list
LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
LibClamAV debug: Converting hashset to array: 37452 entries
LibClamAV debug: hashtab: Freeing hashset, elements: 37452, capacity: 65536
LibClamAV debug: hashtab: Freeing hashset, elements: 31, capacity: 64
LibClamAV debug: Dynamic engine configuration settings:
LibClamAV debug: --------------------------------------
LibClamAV debug: Module PE: On
LibClamAV debug: * Submodule PARITE: On
LibClamAV debug: * Submodule KRIZ: On
LibClamAV debug: * Submodule MAGISTR: On
LibClamAV debug: * Submodule POLIPOS: On
LibClamAV debug: * Submodule MD5SECT: On
LibClamAV debug: * Submodule UPX: On
LibClamAV debug: * Submodule FSG: On
LibClamAV debug: * Submodule SWIZZOR: On
LibClamAV debug: * Submodule PETITE: On
LibClamAV debug: * Submodule PESPIN: On
LibClamAV debug: * Submodule YC: On
LibClamAV debug: * Submodule WWPACK: On
LibClamAV debug: * Submodule NSPACK: On
LibClamAV debug: * Submodule MEW: On
LibClamAV debug: * Submodule UPACK: On
LibClamAV debug: * Submodule ASPACK: On
LibClamAV debug: Module ELF: On
LibClamAV debug: Module ARCHIVE: On
LibClamAV debug: * Submodule RAR: On
LibClamAV debug: * Submodule ZIP: On
LibClamAV debug: * Submodule GZIP: On
LibClamAV debug: * Submodule BZIP: On
LibClamAV debug: * Submodule ARJ: On
LibClamAV debug: * Submodule SZDD: On
LibClamAV debug: * Submodule CAB: On
LibClamAV debug: * Submodule CHM: On
LibClamAV debug: * Submodule OLE2: On
LibClamAV debug: * Submodule TAR: On
LibClamAV debug: * Submodule BINHEX: On
LibClamAV debug: * Submodule SIS: On
LibClamAV debug: * Submodule NSIS: On
LibClamAV debug: * Submodule AUTOIT: On
LibClamAV debug: Module DOCUMENT: On
LibClamAV debug: * Submodule HTML: On
LibClamAV debug: * Submodule RTF: On
LibClamAV debug: * Submodule PDF: On
LibClamAV debug: * Submodule SCRIPT: On
LibClamAV debug: * Submodule HTMLSKIPRAW: On
LibClamAV debug: * Submodule JSNORM: On
LibClamAV debug: Module MAIL: On
LibClamAV debug: * Submodule MBOX: On
LibClamAV debug: * Submodule TNEF: On
LibClamAV debug: Module OTHER: On
LibClamAV debug: * Submodule UUENCODED: On
LibClamAV debug: * Submodule SCRENC: On
LibClamAV debug: * Submodule RIFF: On
LibClamAV debug: * Submodule JPEG: On
LibClamAV debug: * Submodule CRYPTFF: On
LibClamAV debug: * Submodule DLP: On
LibClamAV debug: * Submodule MYDOOMLOG: On
LibClamAV debug: Module PHISHING On
LibClamAV debug: * Submodule ENGINE: On
LibClamAV debug: * Submodule ENTCONV: On
WARNING: Can't access file /mnt/my_server
/mnt/my_server: Value too large for defined data type
LibClamAV debug: Cleaning up phishcheck
LibClamAV debug: Freeing phishcheck struct
LibClamAV debug: Phishcheck cleaned up
----------- SCAN SUMMARY -----------
Known viruses: 655161
Engine version: 0.95.3
Scanned directories: 0
Scanned files: 0
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 5.600 sec (0 m 5 s)
I think I've tried every mount and clamscan parameter I can find but I still
get the "Can't access file" message.
Here's some more version info:
clamconf -n
Config file: clamd.conf
-----------------------
LogFile = "/var/log/clamav/clamav.log"
LogFileMaxSize disabled
LogTime = "yes"
PidFile = "/var/run/clamav/clamd.pid"
DatabaseDirectory = "/var/lib/clamav"
LocalSocket = "/var/run/clamav/clamd.ctl"
StreamMaxLength = "10485760"
MaxThreads = "12"
ReadTimeout = "180"
CommandReadTimeout = "25"
SendBufTimeout = "200"
FollowDirectorySymlinks = "yes"
FollowFileSymlinks = "yes"
SelfCheck = "3600"
User = "clamav"
Config file: freshclam.conf
---------------------------
LogFileMaxSize disabled
PidFile = "/var/run/clamav/freshclam.pid"
UpdateLogFile = "/var/log/clamav/freshclam.log"
Checks = "24"
DatabaseMirror = "db.local.clamav.net", "database.clamav.net"
MaxAttempts = "5"
clamav-milter.conf not found
Software settings
-----------------
Version: 0.95.3
Optional features supported: MEMPOOL IPv6 FRESHCLAM_DNS_FIX AUTOIT_EA06
BZIP2
Database directory: /var/lib/clamav/
main.cvd: version 51, sigs: 545035, built on Thu May 14 10:28:45 2009
daily.cld: version 10056, sigs: 110150, built on Sat Nov 21 21:25:30 2009
uname -a
Linux csirt2 2.6.31-14-generic #48-Ubuntu SMP Fri Oct 16 14:04:26 UTC 2009
i686 GNU/Linux
I think I've decided it's either something unique about the smbfs not
responding as expected to file i/o requests, or something odd in the way
clamscan is trying to open files (possibly a timeout value). But that's
just speculation on my part since doing the same scan against anything local
works just fine.
Any help would be greatly appreciated!
Thanks
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
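
Added example, not part of the original post: "Value too large for defined data type" is the C library's text for EOVERFLOW, which stat() returns to a 32-bit program built without large-file support when an inode number or file size does not fit in 32 bits. The script below flags such entries under a mount point; that this is what clamscan hits on the CIFS mount is an assumption, and the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added diagnostic, not from the original post. Requires GNU find and awk.
# Limits of a 32-bit struct stat built without large-file support.
INO_MAX=4294967295       # ino_t as unsigned 32-bit
SIZE_MAX_32=2147483647   # off_t as signed 32-bit

# Read "inode size path" lines on stdin and print the entries that a
# non-LFS 32-bit stat() would reject with EOVERFLOW, naming the field.
flag_overflow() {
    awk -v imax="$INO_MAX" -v smax="$SIZE_MAX_32" '{
        ino = $1; size = $2
        path = $0; sub(/^[^ ]+ [^ ]+ /, "", path)   # keep spaces in names
        if (ino + 0 > imax + 0)       print "INODE " ino " " path
        else if (size + 0 > smax + 0) print "SIZE " size " " path
    }'
}

# Walk a mounted tree and report oversized entries. The mount point itself
# is listed first, which matters when the scanner fails on the top directory.
# Paths containing newlines are not handled.
check_mount() {
    find "$1" -printf '%i %s %p\n' 2>/dev/null | flag_overflow
}

# Constructed listing: a directory with a 64-bit server inode number,
# an ordinary file, and a 3 GiB file.
sample_listing() {
cat <<'EOF'
281474976710656 0 /mnt/my_server
1234 4096 /mnt/my_server/small.txt
5678 3221225472 /mnt/my_server/big file.iso
EOF
}

# With a path argument, check that tree; otherwise show the sample result.
if [ -n "${1:-}" ]; then
    check_mount "$1"
else
    sample_listing | flag_overflow
fi
```

If the mount point itself is reported as INODE, remounting with the cifs option noserverino, which makes the client generate its own inode numbers, is one thing to try.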