Re: [Clamav-users] eicar Identified But Not Moved

2007-10-17 Thread Sean McGlynn
The following is what appears in the trace that I believe is relevant (it is all 
that appears relevant to eicar)

lstat64("/home/justlgn/test/eicar.com", {st_mode=S_IFREG|0644, st_size=69, ...}) = 0
stat64("/home/justlgn/test/eicar.com", {st_mode=S_IFREG|0644, st_size=69, ...}) = 0
stat64("/home/justlgn/test/eicar.com", {st_mode=S_IFREG|0644, st_size=69, ...}) = 0
geteuid32() = 0
open("/home/justlgn/test/eicar.com", O_RDONLY) = -1 EPERM (Operation not permitted)
write(3, "WARNING: Can't open file /home/j"..., 54) = 54
write(2, "WARNING: Can't open file /home/j"..., 54) = 54

I'm trying to find what I can on the -1 EPERM (Operation not permitted), but so 
far nothing.

If anyone has any insight, that would be much appreciated.

Thank you.

Sean


- Original Message 
From: Török Edvin [EMAIL PROTECTED]
To: ClamAV users ML clamav-users@lists.clamav.net
Sent: Tuesday, October 16, 2007 3:18:43 PM
Subject: Re: [Clamav-users] eicar Identified But Not Moved

On 10/16/07, Sean McGlynn [EMAIL PROTECTED] wrote:
 Just to be certain (It's not my first day with Linux, but I'm still 
 relatively new to it), you mean NFS as in Network File System, as in mounting 
 a remote file system on the Linux server, correct?  If correct, then no, NFS 
 is not involved.  Both the directory being scanned and the destination 
 directory for quarantine files are on the root filesystem, local to the 
 machine.


Try this:
$ strace clamscan -r --move=/var/log/clam/infected -l /var/log/clam/dailyclamscanSPM /home/justlgn/test/eicar.com

Then we'll know exactly what happened. "Can't open file" looks like a
message from the scanner; if the file couldn't be moved, it should
have said that it cannot move the file.

--Edwin
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html

__
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 
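As an added triage helper (my own code, not from the thread or from ClamAV): given strace output like the excerpt above, it pairs each failed open() with the preceding stat and geteuid calls and flags the case where root gets EPERM on a world-readable regular file, which cannot be explained by the mode bits and points at another layer in the open path (in this thread, clamuko). The regexes and cause labels are my own assumptions about the trace format.

```python
import re

# Constructed sample trace: the syscalls quoted in the thread, with the string
# quotes strace normally prints restored. Not the poster's full trace.
SAMPLE_TRACE = """\
lstat64("/home/justlgn/test/eicar.com", {st_mode=S_IFREG|0644, st_size=69, ...}) = 0
stat64("/home/justlgn/test/eicar.com", {st_mode=S_IFREG|0644, st_size=69, ...}) = 0
geteuid32() = 0
open("/home/justlgn/test/eicar.com", O_RDONLY) = -1 EPERM (Operation not permitted)
write(2, "WARNING: Can't open file /home/j"..., 54) = 54
"""

# Patterns for the strace line shapes seen in the thread (assumed, not exhaustive)
STAT_RE = re.compile(r'^l?stat(?:64)?\("([^"]+)", \{st_mode=([^,]+)')
EUID_RE = re.compile(r'^geteuid(?:32)?\(\)\s*=\s*(\d+)')
OPEN_RE = re.compile(r'^open(?:at)?\((?:AT_FDCWD, )?"([^"]+)",.*\)\s*=\s*-1 (E[A-Z]+)')
CAUSE_BEYOND_DAC = "denied by something other than the permission bits (on-access scanner, LSM or similar)"
CAUSE_DAC = "file permission bits or ownership"
CAUSE_OTHER = "not a permission problem; check the errno"

def triage_open_failures(trace):
    """Return (path, errno, likely_cause) for every failed open() in the trace."""
    modes = {}      # path -> (file type, permission bits) from the last stat on it
    euid = None     # effective uid reported by the last geteuid() call
    findings = []
    for line in trace.splitlines():
        m = STAT_RE.match(line)
        if m:
            parts = m.group(2).split("|")   # e.g. ["S_IFREG", "0644"]
            modes[m.group(1)] = (parts[0], int(parts[-1], 8))
            continue
        m = EUID_RE.match(line)
        if m:
            euid = int(m.group(1))
            continue
        m = OPEN_RE.match(line)
        if not m:
            continue
        path, err = m.group(1), m.group(2)
        ftype, perm = modes.get(path, ("unknown", 0))
        if err == "EPERM" and euid == 0 and ftype == "S_IFREG" and perm & 0o004:
            # root bypasses mode bits and 0644 is readable by anyone anyway, so the
            # denial comes from another layer; in the thread that layer was clamuko
            cause = CAUSE_BEYOND_DAC
        elif err == "EACCES":
            cause = CAUSE_DAC
        else:
            cause = CAUSE_OTHER
        findings.append((path, err, cause))
    return findings
```

Feed it `strace -o trace.txt clamscan ...` output and any finding labelled with the first cause is worth checking against the on-access scanner before touching ownership or permissions.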


Re: [Clamav-users] eicar Identified But Not Moved

2007-10-17 Thread Sean McGlynn
P.P.S.

For what it's worth, it won't remove the file either.  The same "can't open file" 
message is displayed.




Re: [Clamav-users] eicar Identified But Not Moved

2007-10-17 Thread Thorolf
Hey,

I don't know if clamuko should deny access to this file. If you are 
running Clamuko, then please disable it ;-) or show us the output of:
ls -al /home/justlgn/test/eicar.com

/rl

Sean McGlynn wrote:
 The following is what appears in the trace that I believe is relevant (it is 
 all that appears relevant to eicar)
 
 lstat64("/home/justlgn/test/eicar.com", {st_mode=S_IFREG|0644, st_size=69, ...}) = 0
 stat64("/home/justlgn/test/eicar.com", {st_mode=S_IFREG|0644, st_size=69, ...}) = 0
 stat64("/home/justlgn/test/eicar.com", {st_mode=S_IFREG|0644, st_size=69, ...}) = 0
 geteuid32() = 0
 open("/home/justlgn/test/eicar.com", O_RDONLY) = -1 EPERM (Operation not permitted)
 write(3, "WARNING: Can't open file /home/j"..., 54) = 54
 write(2, "WARNING: Can't open file /home/j"..., 54) = 54


Re: [Clamav-users] eicar Identified But Not Moved

2007-10-17 Thread Sean McGlynn
P.S.

Based on the trace results I believe what you are saying about this not being 
about moving the file is correct.  I don't think the process has gotten as far 
as trying to move the file.

For the record, I can manually move the file:

OES-FS05:/home/justlgn/test # mv eicar.com /var/log/clam/infected/
OES-FS05:/home/justlgn/test # ls -al
total 2
drwxr-xr-x   2 root    root      48 Oct 17 08:55 .
drwxr-xr-x  13 justlgn users   1856 Oct 17 07:55 ..
OES-FS05:/home/justlgn/test # ls -al /var/log/clam/infected/
total 4
drwxr-xr-x  2 root    root     80 Oct 17 08:55 .
drwxr-xr-x  4 root    root    232 Oct 17 06:56 ..
-rw-r--r--  1 justlgn users    69 Oct 16 10:56 eicar.com

Thanks again.




Re: [Clamav-users] eicar Identified But Not Moved

2007-10-17 Thread Tilman Schmidt
Sean McGlynn wrote:
 For the record, I can manually move the file:
 
 OES-FS05:/home/justlgn/test # mv eicar.com /var/log/clam/infected/

Judging from the prompt, you are doing this as root, but beneath
your (justlgn's) home directory.

 OES-FS05:/home/justlgn/test # ls -al
 total 2
 drwxr-xr-x   2 root    root      48 Oct 17 08:55 .
 drwxr-xr-x  13 justlgn users   1856 Oct 17 07:55 ..

The test directory is below your home directory, but owned by
root, not by you, and you don't have write/modify access to it.

 OES-FS05:/home/justlgn/test # ls -al /var/log/clam/infected/
 total 4
 drwxr-xr-x  2 root    root     80 Oct 17 08:55 .
 drwxr-xr-x  4 root    root    232 Oct 17 06:56 ..
 -rw-r--r--  1 justlgn users    69 Oct 16 10:56 eicar.com

The EICAR test file itself, however, is again owned by you.

What user are you running clamscan as?

HTH
T.

-- 
Tilman Schmidt
Head of Technical Department

Tilman Schmidt               [EMAIL PROTECTED]
Phoenix Software GmbH        Tel. +49 228 97199 0
Managing Director: W. Grießl Fax  +49 228 97199 99
Adolf-Hombitzer-Str. 12      www.phoenixsoftware.de
53227 Bonn, Germany          Amtsgericht Bonn HRB 2934






Re: [Clamav-users] eicar Identified But Not Moved

2007-10-17 Thread Sean McGlynn
Tilman,

Thank you for your reply.

Everything is being done as root.

Sean




Re: [Clamav-users] eicar Identified But Not Moved

2007-10-17 Thread Sean McGlynn
That's it!!  When I disable clamuko, the scan results indicated an infected 
file was found (which it was not doing) and the file was moved to the 
quarantine directory.

Now, that said, where does that leave me as far as clamuko?  We rely on that 
for on-access scanning.  I assume, now that I'm seeing this, that when clamscan 
attempts to scan the file, clamuko won't allow it.  Therefore the file is not 
deemed infected, and not moved.

Are we left in a position where, if we want to use clamuko, we'll just have to 
manually address each infected file as it is discovered, rather than expecting 
it to be moved to a quarantine area?  Where does this leave us with our nightly 
full scans of the file system?  It would seem that our nightly scans will only 
result in notifications that a file can't be opened if they discover an infected 
file.  Will we need to rely on reviewing the clamd.log file to see if an 
infected file is found?

Thank you for pointing me in the right direction, and for any additional input 
(from anyone).




[Clamav-users] create cvd using cdiffs?

2007-10-17 Thread ilias seperis
Hello!

Is it possible to create new .cvd files from older
.cvd files, using the appropriate .cdiff files?

If this is not possible (with .cdiff files), do you
think that we can somehow create a binary diff file
from the two .cvd versions (old against new)?

Thanks
ilias

PS: sorry for posting this twice



[Clamav-users] Hacktool.PCGI false positive? What to do?

2007-10-17 Thread Jonathan Kamens
Greetings,

Recently, ClamAV version 0.90.2 with main.cvd version 44 and daily.cvd
version 4540 reported that an EXE on one of our servers was infected
with Hacktool.PCGI.  This EXE came from a pretty reputable source, and
when I scanned the same file with Symantec AntiVirus, it claimed that
the file was clean.  So, what now?  Is there any way I can provide
information to the folks who maintain the ClamAV virus definitions to
help them (a) determine whether ClamAV or SAV is correct, and (b) if the
latter, fine-tune the ClamAV signature to prevent this false positive
from recurring?  Basically, what's the protocol for a suspected false
positive?

Thanks,

  jik




Re: [Clamav-users] Hacktool.PCGI false positive? What to do?

2007-10-17 Thread Dennis Peterson
http://cgi.clamav.net/sendvirus.cgi

Mark it as a false positive.

dp