On 3/22/2019 6:58 AM, Alessandro Vesely via clamav-users wrote:
> On Thu 21/Mar/2019 21:21:45 +0100 Bowie Bailey wrote:
>>
>> And here's the problem.  SecuriteInfo has their own Eicar signatures, so
>> ClamAV found those first and not the one you were expecting.  My header
>> looks like this:
>>
>> ClamAV-Found: SecuriteInfo.com.Eicar-Test-Signature.UNOFFICIAL
>>   SecuriteInfo.com.Eicar-Test-Signature-4.UNOFFICIAL
>>   SecuriteInfo.com.Eicar-Test-Signature-2.UNOFFICIAL
>>   Eicar-Test-Signature.UNOFFICIAL
>>   SecuriteInfo.com.Eicar-Test-Signature.UNOFFICIAL
>>   SecuriteInfo.com.Eicar-Test-Signature-4.UNOFFICIAL
>>   SecuriteInfo.com.Eicar-Test-Signature-2.UNOFFICIAL
>>   Eicar-Test-Signature.UNOFFICIAL
>
> Uh, yeah, can be.  The small database is made like so:
>
> test.ndb:
>       sigtool -f Eicar-Test-Signature > $@
>
> where the argument to -f is a regular expression.  So the database seems to
> contain four matching signatures.  Your database (like mine) probably has
> many more matching signatures, such as Win.Test.EICAR_NDB-1, whose names
> don't match the above regex.

Maybe you should limit that regex so it only matches the official ClamAV 
signature.

sigtool -f '^Eicar-Test-Signature' > $@

>
>> Not sure why everything is duplicated...
>>

After testing the sigtool command above, it looks like the duplication comes
from matching multiple types of files in the database directory.  daily.ndu,
daily.ndb, daily.ldu, and daily.ldb all matched an Eicar signature on my
system.  I don't see a way with sigtool to limit the match to a particular
file type without having to specify the directory.  Maybe you could just drop
all but the first match from the results.  (Although I guess it really doesn't
matter since it is only used for the test.)

Something like this:
sigtool -f '^Eicar-Test-Signature' | grep -m 1 . > $@

Actually, after testing that, I still get the header duplication with only 1
signature in the database.  Oh well...

ClamAV-Found: Eicar-Test-Signature.UNOFFICIAL Eicar-Test-Signature.UNOFFICIAL
  Eicar-Test-Signature.UNOFFICIAL

>> No, egrep works fine once the regex is adjusted to match the header.
>
> Fine.  I'll change that command to "egrep -i '^ClamAV-Found: .*Eicar' 
> eicar.mail".
>
> Thank you for the fix.

If you change how the test database is generated, then you can stick with the
original regex.

>
>> I guess I should have specified that I'm running this on CentOS 7, not that
>> it matters at this point.
>>
>> Looks like everything is working now.  I'll try integrating it with Courier
>> tomorrow.  If I just want to reject any email that is flagged by ClamAV, I
>> shouldn't need to adjust the default config, right?
>
> Correct, reject is the default.  You probably need to set "database" to the 
> same directory you configured as "DatabaseDirectory" in freshclam.conf.  
> Also, recall that clamd.conf is not read; please see avfilter.conf(5) if you 
> need to set clamav options.

The database option defaulted to the right location, so I didn't need to adjust
that.  I did need to go through the other clam options and adjust them to match
what I was using with clamd.  Oddly, the defaults in clamd aren't quite the same
as the defaults in clamscan.  Annoyingly, the option names aren't quite the same
either...

Everything is working now.  I have avfilter installed and running on Courier
with pythonfilter now just doing the rate limiting.  The only problem I have
found is that since my databases take so long to load, avfilter_sig times out
when reloading the virus definitions.  Is there a way to increase the timeout
for avfilter_sig?

-- 
Bowie
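The header check discussed in the thread, as an added example that is not code from the thread, avfilter or ClamAV: a POSIX shell script that unfolds the ClamAV-Found header (names written on folded continuation lines are never seen by a line-oriented `egrep '^ClamAV-Found: .*Eicar'`, which only matches the first physical line), drops the duplicated names, reports whether any name mentions Eicar, and shows a portable way to keep only the first non-empty line of a signature listing. The two sample messages, the example.invalid addresses and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not code from the thread, avfilter, or ClamAV).
# Operates on a constructed message whose ClamAV-Found header is folded over
# continuation lines and repeats names, as in the headers quoted above.

# Constructed sample message; the header values mirror the duplicated
# listing shown in the thread.
SAMPLE_MAIL='From: sender@example.invalid
To: recipient@example.invalid
Subject: eicar test
ClamAV-Found: SecuriteInfo.com.Eicar-Test-Signature.UNOFFICIAL
  SecuriteInfo.com.Eicar-Test-Signature-4.UNOFFICIAL
  Eicar-Test-Signature.UNOFFICIAL
  SecuriteInfo.com.Eicar-Test-Signature.UNOFFICIAL
  Eicar-Test-Signature.UNOFFICIAL
X-Other: value

body text'

# Constructed clean message: no ClamAV-Found header at all.
CLEAN_MAIL='From: sender@example.invalid
Subject: nothing to see

body text'

# Print every signature name from the ClamAV-Found header, one per line.
# The header is unfolded first: continuation lines (leading whitespace)
# belong to the header field that precedes them, which a line-oriented
# grep on "^ClamAV-Found:" never sees.  Reads the message on stdin and
# stops at the blank line that ends the header block.
clamav_found_names() {
    awk '
        /^$/ { exit }
        tolower($0) ~ /^clamav-found:/ {
            infound = 1
            sub(/^[^:]*:/, "")               # drop the field name; awk re-splits $0
            for (i = 1; i <= NF; i++) print $i
            next
        }
        /^[ \t]/ {                           # folded continuation line
            if (infound) for (i = 1; i <= NF; i++) print $i
            next
        }
        { infound = 0 }                      # any other header ends the field
    '
}

# Keep the first occurrence of each name, preserving order.
dedup_names() {
    awk '!seen[$0]++'
}

# Count lines on stdin without the padding some wc implementations add.
count_lines() {
    awk 'END { print NR }'
}

# Exit 0 when any reported signature name mentions Eicar (case-insensitive),
# 1 otherwise; usable as the condition in a test target.
mail_flagged_eicar() {
    clamav_found_names | grep -i -q 'eicar'
}

# Keep only the first non-empty line of a signature listing: a portable
# equivalent of the "grep -m 1 ." used in the thread.
first_nonempty() {
    awk 'NF { print; exit }'
}

# Demonstration when run directly.
echo "unique names in sample:"
printf '%s\n' "$SAMPLE_MAIL" | clamav_found_names | dedup_names
if printf '%s\n' "$SAMPLE_MAIL" | mail_flagged_eicar; then
    echo "sample: flagged as Eicar"
fi
if printf '%s\n' "$CLEAN_MAIL" | mail_flagged_eicar; then
    echo "clean: unexpectedly flagged"
else
    echo "clean: not flagged"
fi
```

The functions read the message on stdin, so `mail_flagged_eicar < eicar.mail` can stand in for the egrep line in a test target and still pass when the Eicar name lands on a continuation line rather than on the first line of the header.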

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
