Hi all! This is my first post here and I'm hoping someone can help me find a solution to a scanning issue I'm having.
I'm trying to set up an appliance/Virtual Machine based on Ubuntu 9.10, smbfs, and clamav that will allow me to scan remote Windows systems (given the appropriate credentials). I found a bit of discussion on the topic and it looked pretty straightforward. It looked like folks had it working under Hardy. After a few days of troubleshooting and trying every documented parameter I could find, I'm still getting an unusual "Can't Access File" message from clamscan with no luck scanning.

Here's the scenario:

Fully updated Ubuntu 9.10 (fresh install, 32-bit) [uname -a below]

sudo apt-get install smbfs
sudo apt-get install clamav clamav-freshclam [clamconf -n below]

No unusual log messages.

Run this and all is well: [sudo mkdir /quarantine]

/usr/bin/clamscan -r /root /usr /var /home /sbin /tmp \
  --infected \
  --log="$LOG_FILE" \
  --move=/quarantine

Now enter CIFS. I've tried this to both a Windows 2008 R2 server and a Windows XP system with a Domain Admin account just to eliminate a permissions issue.

I can mount any share with the following (all sudo'd of course):

mount -t cifs //my_server/a_share /mnt/my_server -o username=<user>,password=<password>

I also tried a more specific form with more parameters but I get the same results:

mount -t cifs //my_server/a_share /mnt/my_server -o username=<user>,password=<password>,iocharset=utf8,nocase,dir_mode=0775,file_mode=0775,nobrl

What happens is the share mounts fine. I can access it: I can cat a file, I can vi and create/open/save, I can even get to it through gedit, showing that the permissions used to mount the share are effective across root and regular users.

Now when I try to run sudo'd clamscan with the command below I get the following message (of course I tried running just a basic clamscan -ri /mnt/my_server sudo'd as well as just logged in, but the results are always the same):

/usr/bin/clamscan -r /mnt/my_server \
  --infected \
  --detect-pua=Yes \
  --max-scansize=100M \
  --max-filesize=200M \
  --log="/var/log/clamav/my_server.log" \
  --debug -v

LibClamAV debug: searching for unrar, user-searchpath: /usr/lib
LibClamAV debug: searching for unrar: libclamunrar_iface.so.6.0.5 not found
LibClamAV debug: searching for unrar: libclamunrar_iface.so.6 not found
LibClamAV debug: searching for unrar: libclamunrar_iface.so not found
LibClamAV debug: searching for unrar: libclamunrar_iface.a not found
LibClamAV debug: Cannot dlopen libclamunrar_iface: file not found - unrar support unavailable
LibClamAV debug: Initialized 0.95.3 engine
LibClamAV debug: Initializing phishcheck module
LibClamAV debug: Phishcheck: Compiling regex: ^ *(http|https|ftp:(//)?)?[0-9]{1,3}(\.[0-9]{1,3}){3}[/?:]? *$
LibClamAV debug: Phishcheck module initialized
LibClamAV debug: Loading databases from /var/lib/clamav/
LibClamAV debug: in cli_cvdload()
LibClamAV debug: in cli_tgzload()
LibClamAV debug: daily.cfg loaded
LibClamAV debug: Initializing engine->root[0]
LibClamAV debug: Initialising AC pattern matcher of root[0]
LibClamAV debug: cli_initroots: Initializing BM tables of root[0]
LibClamAV debug: Initializing engine->root[1]
LibClamAV debug: Initialising AC pattern matcher of root[1]
LibClamAV debug: cli_initroots: Initializing BM tables of root[1]
LibClamAV debug: Initializing engine->root[2]
LibClamAV debug: Initialising AC pattern matcher of root[2]
LibClamAV debug: Initializing engine->root[3]
LibClamAV debug: Initialising AC pattern matcher of root[3]
LibClamAV debug: Initializing engine->root[4]
LibClamAV debug: Initialising AC pattern matcher of root[4]
LibClamAV debug: Initializing engine->root[5]
LibClamAV debug: Initialising AC pattern matcher of root[5]
LibClamAV debug: Initializing engine->root[6]
LibClamAV debug: Initialising AC pattern matcher of root[6]
LibClamAV debug: Initializing engine->root[7]
LibClamAV debug: Initialising AC pattern matcher of root[7]
LibClamAV debug: Initializing engine->root[8]
LibClamAV debug: Initialising AC pattern matcher of root[8]
LibClamAV debug: Signature for Trojan.Autoit-77 not loaded (required f-level: 49)
LibClamAV debug: daily.ndb loaded
LibClamAV debug: cli_loadftm: File type signature for Mach-O LE not loaded (required f-level: 45)
LibClamAV debug: cli_loadftm: File type signature for Mach-O LE 64-bit not loaded (required f-level: 45)
LibClamAV debug: cli_loadftm: File type signature for Mach-O BE not loaded (required f-level: 45)
LibClamAV debug: cli_loadftm: File type signature for Mach-O BE 64-bit not loaded (required f-level: 45)
LibClamAV debug: cli_loadftm: File type signature for Universal Binary/Java Bytecode not loaded (required f-level: 46)
LibClamAV debug: cli_loadftm: File type signature for ISHIELD-MSI not loaded (required f-level: 45)
LibClamAV debug: cli_loadftm: File type signature for 7zip not loaded (required f-level: 47)
LibClamAV debug: cli_loadftm: File type signature for CPIO NEWC not loaded (required f-level: 45)
LibClamAV debug: cli_loadftm: File type signature for CPIO CRC not loaded (required f-level: 45)
LibClamAV debug: cli_loadftm: File type signature for CPIO ODC not loaded (required f-level: 45)
LibClamAV debug: cli_loadftm: File type signature for CPIO OLD BINARY BE not loaded (required f-level: 45)
LibClamAV debug: cli_loadftm: File type signature for CPIO OLD BINARY LE not loaded (required f-level: 45)
LibClamAV debug: Loaded 105 filetype definitions
LibClamAV debug: daily.ftm loaded
LibClamAV debug: daily.fp loaded
LibClamAV debug: daily.hdu loaded
LibClamAV debug: daily.db loaded
LibClamAV debug: daily.zmd loaded
LibClamAV debug: Loading regex_list
LibClamAV debug: daily.pdb loaded
LibClamAV debug: daily.ldb loaded
LibClamAV debug: daily.mdu loaded
LibClamAV debug: daily.ndu loaded
LibClamAV debug: daily.ign loaded
LibClamAV debug: Loading regex_list
LibClamAV debug: daily.wdb loaded
LibClamAV debug: daily.hdb loaded
LibClamAV debug: daily.mdb loaded
LibClamAV debug: /var/lib/clamav//daily.cld loaded
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = 4e3fb7ff64c71cd4b79147ac30a382d3
LibClamAV debug: cli_versig: Decoded signature: 4e3fb7ff64c71cd4b79147ac30a382d3
LibClamAV debug: cli_versig: Digital signature is correct.
LibClamAV debug: in cli_untgz()
LibClamAV debug: cli_untgz: Unpacking /tmp/clamav-cc9f08d1dde2af1567e657d7cfa4163c/COPYING
LibClamAV debug: cli_untgz: Unpacking /tmp/clamav-cc9f08d1dde2af1567e657d7cfa4163c/main.info
LibClamAV debug: cli_untgz: Unpacking /tmp/clamav-cc9f08d1dde2af1567e657d7cfa4163c/main.db
LibClamAV debug: cli_untgz: Unpacking /tmp/clamav-cc9f08d1dde2af1567e657d7cfa4163c/main.hdb
LibClamAV debug: cli_untgz: Unpacking /tmp/clamav-cc9f08d1dde2af1567e657d7cfa4163c/main.mdb
LibClamAV debug: cli_untgz: Unpacking /tmp/clamav-cc9f08d1dde2af1567e657d7cfa4163c/main.ndb
LibClamAV debug: cli_untgz: Unpacking /tmp/clamav-cc9f08d1dde2af1567e657d7cfa4163c/main.zmd
LibClamAV debug: cli_untgz: Unpacking /tmp/clamav-cc9f08d1dde2af1567e657d7cfa4163c/main.fp
LibClamAV debug: Loading databases from /tmp/clamav-cc9f08d1dde2af1567e657d7cfa4163c
LibClamAV debug: /tmp/clamav-cc9f08d1dde2af1567e657d7cfa4163c/main.zmd loaded
LibClamAV debug: /tmp/clamav-cc9f08d1dde2af1567e657d7cfa4163c/main.db loaded
LibClamAV debug: /tmp/clamav-cc9f08d1dde2af1567e657d7cfa4163c/main.hdb loaded
LibClamAV debug: Skipping signature Trojan.Inject-64 @ main.mdb:82292
LibClamAV debug: Skipping signature Trojan.Agent-14246 @ main.mdb:126457
LibClamAV debug: Skipping signature Trojan.Agent-14235 @ main.mdb:126458
LibClamAV debug: Skipping signature Trojan.Hupigon-9737 @ main.mdb:135888
LibClamAV debug: Skipping signature Trojan.Downloader-28690 @ main.mdb:145248
LibClamAV debug: Skipping signature Trojan.Dropper-6897 @ main.mdb:186062
LibClamAV debug: Skipping signature Adware.Agent-2559 @ main.mdb:207453
LibClamAV debug: Skipping signature Trojan.Keygen-7 @ main.mdb:216774
LibClamAV debug: Skipping signature Trojan.Lowzones-73 @ main.mdb:252216
LibClamAV debug: Skipping signature Trojan.Downloader.Banload-4698 @ main.mdb:271395
LibClamAV debug: Skipping signature Trojan.Spy-48905 @ main.mdb:284713
LibClamAV debug: Skipping signature Trojan.Dropper-12634 @ main.mdb:302886
LibClamAV debug: Skipping signature Trojan.Dropper-15440 @ main.mdb:343245
LibClamAV debug: Skipping signature Trojan.Agent-83031 @ main.mdb:416296
LibClamAV debug: Skipping signature Trojan.TDss-10 @ main.mdb:429588
LibClamAV debug: Skipping signature Worm.Downadup-340 @ main.mdb:433993
LibClamAV debug: /tmp/clamav-cc9f08d1dde2af1567e657d7cfa4163c/main.mdb loaded
LibClamAV debug: /tmp/clamav-cc9f08d1dde2af1567e657d7cfa4163c/main.fp loaded
LibClamAV debug: Skipping signature HTML.Phishing.Bank-870 @ main.ndb:32780
LibClamAV debug: Skipping signature WM.BluFish @ main.ndb:54120
LibClamAV debug: Skipping signature Email.Phishing.DblDom-116 @ main.ndb:55006
LibClamAV debug: Skipping signature Trojan.Agent-24920 @ main.ndb:55801
LibClamAV debug: Skipping signature Worm.VB-740 @ main.ndb:56399
LibClamAV debug: Skipping signature Pua.Hideexec @ main.ndb:58523
LibClamAV debug: Skipping signature Trojan.Fakeav-42 @ main.ndb:58697
LibClamAV debug: Skipping signature Trojan.Autoit-72 @ main.ndb:58749
LibClamAV debug: /tmp/clamav-cc9f08d1dde2af1567e657d7cfa4163c/main.ndb loaded
LibClamAV debug: /var/lib/clamav//main.cvd loaded
LibClamAV debug: matcher[0]: GENERIC: AC sigs: 5181 BM sigs: 29940
LibClamAV debug: matcher[1]: PE: AC sigs: 8335 BM sigs: 50974
LibClamAV debug: matcher[2]: OLE2: AC sigs: 1720 BM sigs: 0 (ac_only mode)
LibClamAV debug: matcher[3]: HTML: AC sigs: 5534 BM sigs: 0 (ac_only mode)
LibClamAV debug: matcher[4]: MAIL: AC sigs: 1123 BM sigs: 0 (ac_only mode)
LibClamAV debug: matcher[5]: GRAPHICS: AC sigs: 6 BM sigs: 0 (ac_only mode)
LibClamAV debug: matcher[6]: ELF: AC sigs: 18 BM sigs: 0 (ac_only mode)
LibClamAV debug: matcher[7]: ASCII: AC sigs: 1410 BM sigs: 0 (ac_only mode)
LibClamAV debug: matcher[8]: DISASM: AC sigs: 0 BM sigs: 0 (ac_only mode)
LibClamAV debug: Building regex list
LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
LibClamAV debug: Building regex list
LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
LibClamAV debug: Converting hashset to array: 37452 entries
LibClamAV debug: hashtab: Freeing hashset, elements: 37452, capacity: 65536
LibClamAV debug: hashtab: Freeing hashset, elements: 31, capacity: 64
LibClamAV debug: Dynamic engine configuration settings:
LibClamAV debug: --------------------------------------
LibClamAV debug: Module PE: On
LibClamAV debug: * Submodule PARITE: On
LibClamAV debug: * Submodule KRIZ: On
LibClamAV debug: * Submodule MAGISTR: On
LibClamAV debug: * Submodule POLIPOS: On
LibClamAV debug: * Submodule MD5SECT: On
LibClamAV debug: * Submodule UPX: On
LibClamAV debug: * Submodule FSG: On
LibClamAV debug: * Submodule SWIZZOR: On
LibClamAV debug: * Submodule PETITE: On
LibClamAV debug: * Submodule PESPIN: On
LibClamAV debug: * Submodule YC: On
LibClamAV debug: * Submodule WWPACK: On
LibClamAV debug: * Submodule NSPACK: On
LibClamAV debug: * Submodule MEW: On
LibClamAV debug: * Submodule UPACK: On
LibClamAV debug: * Submodule ASPACK: On
LibClamAV debug: Module ELF: On
LibClamAV debug: Module ARCHIVE: On
LibClamAV debug: * Submodule RAR: On
LibClamAV debug: * Submodule ZIP: On
LibClamAV debug: * Submodule GZIP: On
LibClamAV debug: * Submodule BZIP: On
LibClamAV debug: * Submodule ARJ: On
LibClamAV debug: * Submodule SZDD: On
LibClamAV debug: * Submodule CAB: On
LibClamAV debug: * Submodule CHM: On
LibClamAV debug: * Submodule OLE2: On
LibClamAV debug: * Submodule TAR: On
LibClamAV debug: * Submodule BINHEX: On
LibClamAV debug: * Submodule SIS: On
LibClamAV debug: * Submodule NSIS: On
LibClamAV debug: * Submodule AUTOIT: On
LibClamAV debug: Module DOCUMENT: On
LibClamAV debug: * Submodule HTML: On
LibClamAV debug: * Submodule RTF: On
LibClamAV debug: * Submodule PDF: On
LibClamAV debug: * Submodule SCRIPT: On
LibClamAV debug: * Submodule HTMLSKIPRAW: On
LibClamAV debug: * Submodule JSNORM: On
LibClamAV debug: Module MAIL: On
LibClamAV debug: * Submodule MBOX: On
LibClamAV debug: * Submodule TNEF: On
LibClamAV debug: Module OTHER: On
LibClamAV debug: * Submodule UUENCODED: On
LibClamAV debug: * Submodule SCRENC: On
LibClamAV debug: * Submodule RIFF: On
LibClamAV debug: * Submodule JPEG: On
LibClamAV debug: * Submodule CRYPTFF: On
LibClamAV debug: * Submodule DLP: On
LibClamAV debug: * Submodule MYDOOMLOG: On
LibClamAV debug: Module PHISHING On
LibClamAV debug: * Submodule ENGINE: On
LibClamAV debug: * Submodule ENTCONV: On
WARNING: Can't access file /mnt/my_server
/mnt/my_server: Value too large for defined data type
LibClamAV debug: Cleaning up phishcheck
LibClamAV debug: Freeing phishcheck struct
LibClamAV debug: Phishcheck cleaned up

----------- SCAN SUMMARY -----------
Known viruses: 655161
Engine version: 0.95.3
Scanned directories: 0
Scanned files: 0
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 5.600 sec (0 m 5 s)

I think I've tried every mount and clamscan parameter I can find but I still get the "Can't access file" message.

Here's some more version info:

clamconf -n

Config file: clamd.conf
-----------------------
LogFile = "/var/log/clamav/clamav.log"
LogFileMaxSize disabled
LogTime = "yes"
PidFile = "/var/run/clamav/clamd.pid"
DatabaseDirectory = "/var/lib/clamav"
LocalSocket = "/var/run/clamav/clamd.ctl"
StreamMaxLength = "10485760"
MaxThreads = "12"
ReadTimeout = "180"
CommandReadTimeout = "25"
SendBufTimeout = "200"
FollowDirectorySymlinks = "yes"
FollowFileSymlinks = "yes"
SelfCheck = "3600"
User = "clamav"

Config file: freshclam.conf
---------------------------
LogFileMaxSize disabled
PidFile = "/var/run/clamav/freshclam.pid"
UpdateLogFile = "/var/log/clamav/freshclam.log"
Checks = "24"
DatabaseMirror = "db.local.clamav.net", "database.clamav.net"
MaxAttempts = "5"

clamav-milter.conf not found

Software settings
-----------------
Version: 0.95.3
Optional features supported: MEMPOOL IPv6 FRESHCLAM_DNS_FIX AUTOIT_EA06 BZIP2

Database directory: /var/lib/clamav/
main.cvd: version 51, sigs: 545035, built on Thu May 14 10:28:45 2009
daily.cld: version 10056, sigs: 110150, built on Sat Nov 21 21:25:30 2009

uname -a

Linux csirt2 2.6.31-14-generic #48-Ubuntu SMP Fri Oct 16 14:04:26 UTC 2009 i686 GNU/Linux

I think I've decided it's either something unique about the smbfs not responding as expected to file i/o requests, or something odd in the way clamscan is trying to open files (possibly a timeout value). But that's just speculation on my part since doing the same scan against anything local works just fine.

Any help would be greatly appreciated!

Thanks

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
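
The error text in the output above, "Value too large for defined data type", is the C library's message for EOVERFLOW, which stat() returns when a file's size, block count or inode number does not fit in struct stat. The C check below is an added example, not part of the original post or of ClamAV; it reports which paths on a mount fail that way. The names probe_result, probe_path and probe_dir are this example's own, and it assumes a build on the affected 32-bit system with default flags (no _FILE_OFFSET_BITS=64), so that the 32-bit struct stat is in use.

```c
#include <dirent.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Tally for one directory (this example's own type): paths probed,
 * stat() failures with EOVERFLOW, and failures for any other reason. */
struct probe_result { int checked, overflow, other; };

/* stat() one path, tally the outcome, report failures the way perror() does. */
static void probe_path(const char *path, struct probe_result *r)
{
    struct stat sb;

    r->checked++;
    if (stat(path, &sb) == 0)
        return;
    if (errno == EOVERFLOW) r->overflow++; else r->other++;
    fprintf(stderr, "%s: %s\n", path, strerror(errno));
}

/* Probe dir itself, then each entry directly inside it.
 * Returns 0 on success, -1 if dir cannot be opened. */
int probe_dir(const char *dir, struct probe_result *r)
{
    char path[4096];
    struct dirent *de;
    DIR *d;

    memset(r, 0, sizeof(*r));
    probe_path(dir, r);           /* the scan above failed on the mount point itself */
    if ((d = opendir(dir)) == NULL)
        return -1;
    while ((de = readdir(d)) != NULL) {
        if (strcmp(de->d_name, ".") == 0 || strcmp(de->d_name, "..") == 0)
            continue;
        snprintf(path, sizeof(path), "%s/%s", dir, de->d_name);
        probe_path(path, r);
    }
    closedir(d);
    return 0;
}

int main(int argc, char **argv)
{
    struct probe_result r;
    int rc = probe_dir(argc > 1 ? argv[1] : ".", &r);  /* e.g. /mnt/my_server */
    printf("checked=%d overflow=%d other=%d\n", r.checked, r.overflow, r.other);
    return rc != 0 ? 2 : (r.overflow ? 1 : 0);
}
```

A non-zero overflow count for the mount point, with zero for a local directory, shows the failure comes from the metadata the share returns rather than from permissions or timeouts.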