Re: [clamav-users] clamav-0.98.3 does not pass vulnerability scan
On Tue, May 20, 2014 4:22 am, anctop wrote:

> The file 42.zip was sent 2 times. If there is an antivirus in your MTA, it might have crashed. Please check its status right now, as it is not possible to do so remotely

Just for info...

Summary: This script sends the 42.zip recursive archive to the mail server. If there is an antivirus filter, it may start eating huge amounts of CPU or memory.

Source: http://openvas.komma-nix.de/index.php?oid=11036

VirusTotal reports 42.zip as:

Agnitum               Trojan.ZipBomb.D             20140519
AntiVir               Bomb/Libit.A                 20140520
BitDefender           Trojan.Script.ATU            20140520
ClamAV                Trojan.ArcBomb-1             20140520
Commtouch             ZIP/ArchiveBomb.A!Camelot    20140520
DrWeb                 Trojan.MailBomb.34902        20140520
F-Secure              Trojan.Script.ATU            20140519
Fortinet              W32/ArchBomb.B!tr            20140520
GData                 Trojan.Script.ATU            20140520
Kaspersky             Trojan-ArcBomb.ZIP.Bubl.b    20140520
McAfee                ZIP-Crash                    20140520
McAfee-GW-Edition     ZIP-Crash                    20140519
MicroWorld-eScan      Trojan.Script.ATU            20140520
Microsoft             DoS:Win32/ZipBomb.A          20140520
NANO-Antivirus        Trojan.Zip.Arch-Bomb.yngkq   20140520
TrendMicro            TROJ_ZIPBOMB.B               20140520
TrendMicro-HouseCall  TROJ_ZIPBOMB.B               20140520
VBA32                 suspected of ZIP.MailBomb    20140519

Cheers,

Steve
Sanesecurity

___
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/support/ml
Re: [clamav-users] clamav-0.98.3 does not pass vulnerability scan
> The file 42.zip was sent 2 times. If there is an antivirus in your MTA, it might have crashed. Please check its status right now, as it is not possible to do so remotely
> Vulnerability Detection Method Details: SMTP antivirus scanner DoS (OID: 1.3.6.1.4.1.25623.1.0.11036)

On 20.05.14 11:22, anctop wrote:
> But we've verified that ClamAV milter was still running as before.

The milter only passes data from milter to clamd. You need to look if the clamd crashed.

> When using ClamAV-0.98.1, the scan report reads:
> smtp (25/tcp) / submission (587/tcp)
> Log (CVSS: 7.2) NVT: SMTP antivirus scanner DoS (OID: 1.3.6.1.4.1.25623.1.0.11036)
> For some reason, we could not send the 42.zip file to this MTA
> Vulnerability Detection Method Details: SMTP antivirus scanner DoS (OID: 1.3.6.1.4.1.25623.1.0.11036)
>
> Does it mean that ClamAV-0.98.3 is vulnerable to the said DoS attack?

You can set up archive depth and similar limits in clamd.conf.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
He who laughs last thinks slowest.
Re: [clamav-users] clamav-0.98.3 does not pass vulnerability scan
Both clamav-milter and clamd were still working after the attack by the scan. Our config files assume default values for recursive scanning.

I'd like to know: if the recursion depth is lowered, will clamd fail to detect those viruses deeply hidden in nested directories?

> [...]
> The milter only passes data from milter to clamd. You need to look if the clamd crashed.
> [...]
> you can set up archive depth and similar limits in clamd.conf
> [...]
Re: [clamav-users] clamav-0.98.3 does not pass vulnerability scan
On 20.05.14 16:22, anctop wrote:
> Both clamav-milter and clamd were still working after the attack by the scan. Our config files assume default values for recursive scanning. I'd like to know: if the recursion depth is lowered, will clamd fail to detect those viruses deeply hidden in nested directories?

Well, no idea. The scanning will finish with an exit code indicating that it was not able to scan the whole structure. There used to be an ArchiveBlockMax option that instructed clamav to report an infection (with a pseudo virus name) but it was removed and I don't see the replacement for it. I also don't see how clamav-milter should behave here.

Maybe I should try to test scanning an archive of 16 nested directories to see the results...

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
I intend to live forever - so far so good.
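The clamd.conf limits this exchange refers to, as an added illustration rather than a configuration from the thread. The "Default:" values in the comments are the ones shipped in clamd.conf.sample for 0.98; the active values are a constructed, tighter set. Content nested or sized beyond a limit is skipped rather than scanned, so lowering MaxRecursion trades detection of material buried deeper than that depth for a bound on the work one archive can cause; 0.98 does not flag a file for hitting a limit, which is why ArchiveBlockMax has no equivalent in it (releases from 0.100 on added AlertExceedsMax for that purpose).

```conf
# Constructed clamd.conf excerpt (added example, not a file from the thread).
# Each "Default:" is the value shipped in clamd.conf.sample for ClamAV 0.98.

# How deep clamd follows nesting (archive inside archive inside mail ...).
# Anything nested deeper is skipped without being flagged. Default: 16
MaxRecursion 10

# How many files are extracted from one container before the rest are skipped.
# Default: 10000
MaxFiles 5000

# Largest single file or extracted member that is scanned at all. Default: 25M
MaxFileSize 25M

# Total bytes extracted and scanned for one top-level file, across all
# nesting levels. Default: 100M
MaxScanSize 100M

# Largest stream clamd accepts over its socket. clamav-milter hands mail to
# clamd this way, so this caps what the MTA path can ever submit. Default: 25M
StreamMaxLength 25M

# Not available in 0.98 (the removed ArchiveBlockMax had no replacement there).
# From 0.100 on, this makes clamd report a hit when any limit above is reached
# instead of returning clean for the part it did scan.
# AlertExceedsMax yes
```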
[clamav-users] clamav-0.98.1 crashing
Hi,

I'm using clamd with MailScanner and it keeps crashing. What is the best way to debug this?

Thanks,
Rich
Re: [clamav-users] [Clamav-devel] ClamAV®: ClamAV 0.98.4rc1 is now available!
I may have been a bit hasty with this. It appears there's another issue with clamd. I'm receiving reports of clamd crashing when attempting to parse email in an incredibly large (1.15 GB) Thunderbird mailbox file. This particular report is from 0.98.3, but the user is reporting it still happens when testing against 0.98.4-rc1. I'll attempt to get a crash log from the user.

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x000117ff

Thread 2 Crashed:
0   libclamav.6.dylib   0x00010004fa6c parseEmailBody + 4668
1   libclamav.6.dylib   0x00010004d701 cli_mbox + 1057
2   libclamav.6.dylib   0x000100048b97 cli_scanmail + 119
3   libclamav.6.dylib   0x000100044349 magic_scandesc + 8537
4   libclamav.6.dylib   0x000100042142 cli_base_scandesc + 242
5   libclamav.6.dylib   0x000100046360 scan_common + 416
6   libclamav.6.dylib   0x0001000465d8 cl_scanfile_callback + 88
7   clamd               0x0001c62d scan_callback + 749
8   libclamav.6.dylib   0x0001006c966c handle_entry + 252
9   libclamav.6.dylib   0x0001006c9388 cli_ftw + 424
10  clamd               0x00017363 command + 1331
11  clamd               0x0001bd38 scanner_thread + 56
12  clamd               0x0001918a thrmgr_worker + 938
13  libsystem_c.dylib   0x7fff8cb7b772 _pthread_start + 327
14  libsystem_c.dylib   0x7fff8cb681a1 thread_start + 13

I'm aware the offsets won't be too useful, but at least the method names ought to help I think.

Mark

On 16 May 2014, at 03:03 pm, Mark Allan markjal...@gmail.com wrote:
> All works fine for me on OS X 10.6 - 10.9. For info, compiled on 10.9.2 with support for 10.6 onwards.
>
> CFLAGS="-O2 -g -D_FILE_OFFSET_BITS=64 -mmacosx-version-min=10.6 -arch x86_64" CXXFLAGS="-O2 -g -D_FILE_OFFSET_BITS=64 -mmacosx-version-min=10.6 -arch x86_64" ./configure --disable-dependency-tracking --enable-llvm --enable-clamdtop --with-user=_clamav --with-group=_clamav --enable-all-jit-targets
>
> Mark
>
> On 16 May 2014, at 02:01 pm, Joel Esler (jesler) jes...@cisco.com wrote:
>> http://blog.clamav.net/2014/05/clamav-0984rc1-is-now-available.html
>>
>> ClamAV 0.98.4rc1 is now available for download. Shown below are the notes concerning this release:
>>
>> 0.98.4rc1
>> --
>> ClamAV 0.98.4 is a bug fix release. The following issues are now resolved:
>> - Various build problems on Solaris, OpenBSD, AIX.
>> - Crashes of clamd on Windows and Mac OS X platforms when reloading the virus signature database.
>> - Infinite loop in clamdscan when clamd is not running.
>> - Freshclam failure on Solaris 10.
>> - Buffer underruns when handling multi-part MIME email attachments.
>> - Configuration of OpenSSL on various platforms.
>>
>> ClamAV 0.98.4rc1 is available for download here: http://sourceforge.net/projects/clamav/files/RC/clamav-0.98.4-rc1/.
>>
>> Please download, test, and provide feedback to the mailing list here: http://lists.clamav.net/mailman/listinfo/clamav-users
Re: [clamav-users] [Clamav-devel] ClamAV(R): ClamAV 0.98.4rc1 is now available!
Hey Mark,

Is there a way you could get me the sample?

Thanks,
Shawn

On Tue, May 20, 2014 at 6:49 AM, Mark Allan markjal...@blueyonder.co.uk wrote:
> I may have been a bit hasty with this. It appears there's another issue with clamd. I'm receiving reports of clamd crashing when attempting to parse email in an incredibly large (1.15 GB) Thunderbird mailbox file. This particular report is from 0.98.3, but the user is reporting it still happens when testing against 0.98.4-rc1. I'll attempt to get a crash log from the user.
> [...]
Re: [clamav-users] [Clamav-devel] ClamAV(R): ClamAV 0.98.4rc1 is now available!
Hi Shawn,

By the sample do you mean the 1.15 GB file? If so, that's the user's personal email mailbox so I can't imagine he'd be willing to share it. If you mean a 0.98.4-rc1 crash log, I've just asked him again, so hopefully he'll be able to find it.

Mark

On 20 May 2014, at 02:14 pm, Shawn Webb sw...@sourcefire.com wrote:
> Hey Mark,
>
> Is there a way you could get me the sample?
>
> Thanks,
> Shawn
>
> On Tue, May 20, 2014 at 6:49 AM, Mark Allan markjal...@blueyonder.co.uk wrote:
>> [...]
Re: [clamav-users] [Clamav-devel] ClamAV(R): ClamAV 0.98.4rc1 is now available!
On 2014/05/20 14:27, Mark Allan wrote:
> Hi Shawn,
>
> By the sample do you mean the 1.15 GB file? If so, that's the user's personal email mailbox so I can't imagine he'd be willing to share it. If you mean a 0.98.4-rc1 crash log, I've just asked him again, so hopefully he'll be able to find it.

1.15GB seems like a lot, but it wouldn't take all that many iterations of a binary search to get it to a manageable size, and quite possibly not containing anything particularly personal. Thunderbird mailboxes are plaintext so this could be done by chopping it with head / tail commands ..
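The binary search the reply above proposes, written out as an added example (not code from the thread): it halves the mailbox on mbox message boundaries (the `From ` separator lines) rather than on raw byte offsets, so every candidate is still a parseable mailbox, and it stops when neither half alone reproduces the failure. The check command is supplied by the caller; `sample_check`, the constructed five-message mailbox and its `X-Constructed-Trigger` header are stand-ins for running the scanner against a candidate and looking at its exit status.

```shell
#!/bin/sh
# Added example: shrink an mbox that makes a scanner fail to the smallest run of
# messages that still reproduces, cutting only on mbox "From " separator lines.

# count_messages FILE -> number of messages in the mbox
count_messages() {
    grep -c '^From ' "$1"
}

# extract_messages FILE FIRST LAST OUT -> copy messages FIRST..LAST (1-based,
# inclusive) into OUT; cuts fall only on "From " separator lines
extract_messages() {
    awk -v first="$2" -v last="$3" '
        /^From / { n++ }
        n >= first && n <= last { print }
    ' "$1" > "$4"
}

# bisect_mbox MBOX OUT CHECK...: CHECK is run with a candidate file appended as
# its last argument and must exit non-zero while the failure still reproduces.
# Writes the smallest reproducing run found to OUT and prints its message count;
# returns 1 if the full mailbox does not reproduce at all.
bisect_mbox() {
    mbox=$1; out=$2; shift 2
    if "$@" "$mbox"; then
        echo "whole mailbox does not reproduce the failure" >&2
        return 1
    fi
    lo=1
    hi=$(count_messages "$mbox")
    tmp=$(mktemp)
    while [ "$hi" -gt "$lo" ]; do
        mid=$(( (lo + hi) / 2 ))
        extract_messages "$mbox" "$lo" "$mid" "$tmp"
        if ! "$@" "$tmp"; then
            hi=$mid                 # first half still fails: keep it
            continue
        fi
        extract_messages "$mbox" "$((mid + 1))" "$hi" "$tmp"
        if ! "$@" "$tmp"; then
            lo=$((mid + 1))         # second half still fails: keep it
            continue
        fi
        # Neither half fails on its own: the trigger needs messages from both
        # sides of the cut, so stop rather than throw away a necessary message.
        break
    done
    rm -f "$tmp"
    extract_messages "$mbox" "$lo" "$hi" "$out"
    echo $((hi - lo + 1))
}

# Constructed sample mailbox (not real mail): five tiny messages, the third
# carrying a marker header that stands in for whatever input upsets the scanner.
make_sample_mbox() {
    cat > "$1" <<'EOF'
From alice@example.invalid Tue May 20 10:00:00 2014
Subject: one

hello
From bob@example.invalid Tue May 20 10:01:00 2014
Subject: two

fine
From carol@example.invalid Tue May 20 10:02:00 2014
Subject: three
X-Constructed-Trigger: yes

this one
From dave@example.invalid Tue May 20 10:03:00 2014
Subject: four

fine
From erin@example.invalid Tue May 20 10:04:00 2014
Subject: five

bye
EOF
}

# Stand-in check: exits non-zero exactly when the marker header is present.
# A real check would run the scanner on "$1" and return its exit status.
sample_check() {
    ! grep -q '^X-Constructed-Trigger:' "$1"
}

# Run the whole procedure on the sample; succeeds only if the result is the
# single marked message.
run_sample_bisect() {
    in=$(mktemp); out=$(mktemp)
    make_sample_mbox "$in"
    n=$(bisect_mbox "$in" "$out" sample_check)
    if [ "$n" = 1 ] && grep -q '^Subject: three' "$out"; then rc=0; else rc=1; fi
    rm -f "$in" "$out"
    return $rc
}
```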
Re: [clamav-users] Compiling error: /usr/lib/libxml2.so: error adding symbols: File in wrong format
On Mon, May 19, 2014 at 2:52 PM, MarkusGMX markus@gmx.at wrote:
> On 16/05/14 17:57, Alexander Tampermeier wrote:
>> Sadly, the libxml2-error still persists in v0.98.4-rc1. Hope, it can be fixed soon. [...] :-(
>
> I am also waiting for a bugfix for the build process.
>
> ME

Hey Markus and Alexander,

I have a candidate patch that applies to 0.98.4-rc1. Can you test the candidate patch pasted here: http://ix.io/cvE

The patch is also attached to this email.

Thanks,
Shawn

diff --git a/configure b/configure index 96f9240..2b7b5c5 100755 --- a/configure +++ b/configure @@ -16679,15 +16679,20 @@ then as_fn_error $? OpenSSL not found. $LINENO 5 fi -SSL_LDFLAGS=-L$LIBSSL_HOME/lib -SSL_LIBS=-lssl -lcrypto -SSL_CPPFLAGS=-I$LIBSSL_HOME/include - save_LDFLAGS=$LDFLAGS -LDFLAGS=-L$LIBSSL_HOME/lib $SSL_LIBS - save_CFLAGS=$CFLAGS -CFLAGS=$SSL_CPPFLAGS + +if test $LIBSSL_HOME != /usr; then +SSL_LDFLAGS=-L$LIBSSL_HOME/lib +SSL_CPPFLAGS=-I$LIBSSL_HOME/include +LDFLAGS=-L$LIBSSL_HOME/lib $SSL_LIBS +CFLAGS=$SSL_CPPFLAGS +else +SSL_LDFLAGS= +SSL_CPPFLAGS= +fi + +SSL_LIBS=-lssl -lcrypto have_ssl=no have_crypto=no diff --git a/m4/reorganization/libs/openssl.m4 b/m4/reorganization/libs/openssl.m4 index e37c928..e78f8c0 100644 --- a/m4/reorganization/libs/openssl.m4 +++ b/m4/reorganization/libs/openssl.m4 @@ -22,15 +22,20 @@ then AC_MSG_ERROR([OpenSSL not found.]) fi -SSL_LDFLAGS=-L$LIBSSL_HOME/lib -SSL_LIBS=-lssl -lcrypto -SSL_CPPFLAGS=-I$LIBSSL_HOME/include - save_LDFLAGS=$LDFLAGS -LDFLAGS=-L$LIBSSL_HOME/lib $SSL_LIBS - save_CFLAGS=$CFLAGS -CFLAGS=$SSL_CPPFLAGS + +if test $LIBSSL_HOME != /usr; then +SSL_LDFLAGS=-L$LIBSSL_HOME/lib +SSL_CPPFLAGS=-I$LIBSSL_HOME/include +LDFLAGS=-L$LIBSSL_HOME/lib $SSL_LIBS +CFLAGS=$SSL_CPPFLAGS +else +SSL_LDFLAGS= +SSL_CPPFLAGS= +fi + +SSL_LIBS=-lssl -lcrypto have_ssl=no have_crypto=no
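Review bot: in the configure hunk, `LDFLAGS=-L$LIBSSL_HOME/lib $SSL_LIBS` inside the new `if test $LIBSSL_HOME != /usr` branch expands `$SSL_LIBS` before the `SSL_LIBS=-lssl -lcrypto` assignment, which the hunk moves to after `fi`; in the removed lines SSL_LIBS was set first, so non-/usr builds now get an LDFLAGS without `-lssl -lcrypto` unless SSL_LIBS happens to be set earlier in the script. Move the `+SSL_LIBS=-lssl -lcrypto` line above the `if` (it is the same for both branches) so the ordering of the old code is preserved.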
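Review bot: the openssl.m4 hunk carries the same `$SSL_LIBS`-before-assignment ordering as the configure hunk, and since `configure` is generated from the m4 sources the two copies have to stay identical; apply the reordering in m4/reorganization/libs/openssl.m4 and regenerate configure rather than maintaining the same hunk by hand in both files.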
Re: [clamav-users] Compiling error: /usr/lib/libxml2.so: error adding symbols: File in wrong format
Shawn,

v0.98.4-rc1 now compiled perfectly with the patch applied. Thanks for the great support

Alexander

On 20.05.2014 16:53, Shawn Webb wrote:
> On Mon, May 19, 2014 at 2:52 PM, MarkusGMX markus@gmx.at wrote:
>> [...]
>
> Hey Markus and Alexander,
>
> I have a candidate patch that applies to 0.98.4-rc1. Can you test the candidate patch pasted here: http://ix.io/cvE
>
> The patch is also attached to this email.
>
> Thanks,
> Shawn
Re: [clamav-users] clamav-0.98.1 crashing
Hi Rich,

Any details will help for starters, such as a stack trace of the crash, clamav version, OS version, processor architecture, clamav debug logs, etc. Also, you could try the 0.98.4 release candidate, which is a bug fix release. It is here:

http://sourceforge.net/projects/clamav/files/RC/clamav-0.98.4-rc1/

If you find that it is a clamav problem, open a bugzilla ticket here: https://bugzilla.clamav.net/

Thanks,
Steve

On Tue, May 20, 2014 at 6:31 AM, Richard Mealing rich...@fastnet.co.uk wrote:
> Hi,
>
> I'm using clamd with MailScanner and it keeps crashing. What is the best way to debug this?
>
> Thanks,
> Rich
Re: [clamav-users] clamav-0.98.1 crashing
Thank you Steve,

I'm not sure if there is a problem but I would like to know why I see my clamd stop then start every 10 minutes. During this period, I see the following debug output and I am wondering what this means:

fds_poll_recv: timeout after 600 seconds

I thought it was something to do with the setting 'SelfCheck' but I changed this to 3600 and I still see the program restart every 10 minutes.

Debug output -

Tue May 20 14:59:55 2014 - Received POLLIN|POLLHUP on fd 4
Tue May 20 14:59:55 2014 - Got new connection, FD 9
Tue May 20 14:59:55 2014 - Received POLLIN|POLLHUP on fd 5
Tue May 20 14:59:55 2014 - fds_poll_recv: timeout after 7 seconds
Tue May 20 14:59:55 2014 - Received POLLIN|POLLHUP on fd 9
Tue May 20 14:59:55 2014 - got command PING (4, 6), argument:
Tue May 20 14:59:55 2014 - Receive thread: closing conn (FD 9), group finished
Tue May 20 14:59:55 2014 - Consumed entire command
Tue May 20 14:59:55 2014 - Number of file descriptors polled: 1 fds
Tue May 20 14:59:55 2014 - fds_poll_recv: timeout after 600 seconds
Tue May 20 14:59:55 2014 - Received POLLIN|POLLHUP on fd 4
Tue May 20 14:59:55 2014 - Got new connection, FD 9
Tue May 20 14:59:55 2014 - Received POLLIN|POLLHUP on fd 5
Tue May 20 14:59:55 2014 - fds_poll_recv: timeout after 7 seconds
Tue May 20 14:59:55 2014 - Received POLLIN|POLLHUP on fd 9
Tue May 20 14:59:55 2014 - got command MULTISCAN /tmpfs/82078 (22, 10), argument: /tmpfs/82078
Tue May 20 14:59:55 2014 - mode - MODE_WAITREPLY
Tue May 20 14:59:55 2014 - THRMGR: queue (single) crossed low threshold - signaling
Tue May 20 14:59:55 2014 - THRMGR: queue (bulk) crossed low threshold - signaling
Tue May 20 14:59:55 2014 - Breaking command loop, mode is no longer MODE_COMMAND
Tue May 20 14:59:55 2014 - Consumed entire command
Tue May 20 14:59:55 2014 - Number of file descriptors polled: 1 fds
Tue May 20 14:59:55 2014 - fds_poll_recv: timeout after 600 seconds
Tue May 20 14:59:55 2014 - THRMGR: new group: 0x81941e5b0
Tue May 20 14:59:55 2014 - THRMGR: active jobs for 0x81941e5b0: 2
Tue May 20 14:59:55 2014 - THRMGR: active jobs for 0x81941e5b0: 3
Tue May 20 14:59:55 2014 - THRMGR: queue (single) crossed low threshold - signaling
Tue May 20 14:59:55 2014 - THRMGR: queue (bulk) crossed low threshold - signaling
Tue May 20 14:59:55 2014 - THRMGR: queue (single) crossed low threshold - signaling
Tue May 20 14:59:55 2014 - THRMGR: queue (bulk) crossed low threshold - signaling
Tue May 20 14:59:55 2014 - THRMGR: active jobs for 0x81941e5b0: 4
Tue May 20 14:59:55 2014 - THRMGR: active jobs for 0x81941e5b0: 5
Tue May 20 14:59:55 2014 - THRMGR: queue (single) crossed low threshold - signaling
Tue May 20 14:59:55 2014 - THRMGR: queue (bulk) crossed low threshold - signaling
Tue May 20 14:59:55 2014 - THRMGR: queue (single) crossed low threshold - signaling
Tue May 20 14:59:55 2014 - THRMGR: queue (bulk) crossed low threshold - signaling
Tue May 20 14:59:55 2014 - Finished scanthread
Tue May 20 14:59:55 2014 - THRMGR: group_finished: 0x81941e5b0, 5
Tue May 20 14:59:55 2014 - THRMGR: active jobs for 0x81941e5b0: 4
Tue May 20 14:59:55 2014 - THRMGR: queue (single) crossed low threshold - signaling
Tue May 20 14:59:55 2014 - THRMGR: queue (bulk) crossed low threshold - signaling
Tue May 20 14:59:55 2014 - Finished scanthread
Tue May 20 14:59:55 2014 - THRMGR: group_finished: 0x81941e5b0, 4
Tue May 20 14:59:55 2014 - THRMGR: active jobs for 0x81941e5b0: 3
Tue May 20 14:59:55 2014 - THRMGR: queue (single) crossed low threshold - signaling
Tue May 20 14:59:55 2014 - THRMGR: queue (bulk) crossed low threshold - signaling
Tue May 20 14:59:55 2014 - /tmpfs/82078/s4KDxmlg001866.message: Sanesecurity.Jurlbl.7983.UNOFFICIAL FOUND
Tue May 20 14:59:55 2014 - Finished scanthread
Tue May 20 14:59:55 2014 - THRMGR: group_finished: 0x81941e5b0, 3
Tue May 20 14:59:55 2014 - THRMGR: active jobs for 0x81941e5b0: 2
Tue May 20 14:59:55 2014 - THRMGR: queue (single) crossed low threshold - signaling
Tue May 20 14:59:55 2014 - THRMGR: queue (bulk) crossed low threshold - signaling
Tue May 20 14:59:55 2014 - /tmpfs/82078/s4KDxmlg001866.header: Sanesecurity.Junk.40915.UNOFFICIAL FOUND
Tue May 20 14:59:55 2014 - Finished scanthread
Tue May 20 14:59:55 2014 - THRMGR: group_finished: 0x81941e5b0, 2
Tue May 20 14:59:55 2014 - THRMGR: active jobs for 0x81941e5b0: 1
Tue May 20 14:59:55 2014 - THRMGR: queue (single) crossed low threshold - signaling
Tue May 20 14:59:55 2014 - THRMGR: queue (bulk) crossed low threshold - signaling
Tue May 20 14:59:55 2014 - THRMGR: group finished freeing 0x81941e5b0
Tue May 20 14:59:55 2014 - Finished scanthread
Tue May 20 14:59:55 2014 - Scanthread: connection shut down (FD 9)
Tue May 20 14:59:55 2014 - THRMGR: queue (single) crossed low threshold - signaling
Tue May 20 14:59:55 2014 - THRMGR: queue (bulk) crossed low threshold - signaling
Tue May 20 14:59:56 2014 - Received POLLIN|POLLHUP on fd 4
Tue May 20 14:59:56 2014 - Got new connection, FD 9
Tue May 20
Re: [clamav-users] clamav-0.98.1 crashing
I do not see anything wrong in that output. Anyway, clamd does not restart by itself. There was a user who reported something similar a few weeks ago and it turned out to be his crond setup: https://bugzilla.clamav.net/show_bug.cgi?id=10952

If that is of no help, we need more info in order to debug. I usually chase clamd bugs by setting "Foreground yes" in clamd.conf and using gdb. Also "Debug yes" in clamd.conf may provide additional clues.

Steve

On Tue, May 20, 2014 at 12:29 PM, Richard Mealing rich...@fastnet.co.uk wrote:
> Thank you Steve,
>
> I'm not sure if there is a problem but I would like to know why I see my clamd stop then start every 10 minutes. During this period, I see the following debug output and I am wondering what this means: fds_poll_recv: timeout after 600 seconds
>
> I thought it was something to do with the setting 'SelfCheck' but I changed this to 3600 and I still see the program restart every 10 minutes.
>
> Debug output -
> [...]
Re: [clamav-users] [Clamav-devel] ClamAV(R): ClamAV 0.98.4rc1 is now available!
I think there may be some confusion here. There have been three users reporting crashed clamd with Thunderbird, but I believe the INBOX files concerned were all less than the 25MB limit at the time.

In my case, I had never used Thunderbird and installed it simply for test purposes. So as the INBOX was growing there were many scans required as new messages flooded in, which resulted in multiple clamdscan processes being spawned against that same INBOX mailbox. That's when the clamd crash occurred, leaving a couple of clamdscan processes running at high CPU usage. After the INBOX grew to 1.15GB and clamd was restarted, there were no more crashes, but the logs show no more scans of the INBOX, which is consistent with the 25MB limit.

At least one of the other two users has four accounts with INBOX files below 25MB. Both that user and myself are still using 0.98.3.

The third user compiled and ran his own copy of 0.98.4rc1 and is still seeing clamd crashes and high CPU usage daily. He has not yet reported the size or number of INBOX files he has and, as Mark said, has been asked to supply his crash log.

My theory is that it's the initial flood of messages at Thunderbird startup that's initiating this and not my huge INBOX.

-Al-
--
Al Varnell
Mountain View, CA

On May 20, 2014, at 6:14 AM, Shawn Webb sw...@sourcefire.com wrote:

> Hey Mark,
>
> Is there a way you could get me the sample?
>
> Thanks,
> Shawn
>
> On Tue, May 20, 2014 at 6:49 AM, Mark Allan markjal...@blueyonder.co.uk wrote:
>
>> I may have been a bit hasty with this. It appears there's another issue with clamd. I'm receiving reports of clamd crashing when attempting to parse email in an incredibly large (1.15 GB) Thunderbird mailbox file. This particular report is from 0.98.3, but the user is reporting it still happens when testing against 0.98.4-rc1. I'll attempt to get a crash log from the user.
>>
>> Exception Type: EXC_BAD_ACCESS (SIGSEGV)
>> Exception Codes: KERN_INVALID_ADDRESS at 0x000117ff
>>
>> Thread 2 Crashed:
>> 0 libclamav.6.dylib 0x00010004fa6c parseEmailBody + 4668
>> 1 libclamav.6.dylib 0x00010004d701 cli_mbox + 1057
>> 2 libclamav.6.dylib 0x000100048b97 cli_scanmail + 119
>> 3 libclamav.6.dylib 0x000100044349 magic_scandesc + 8537
>> 4 libclamav.6.dylib 0x000100042142 cli_base_scandesc + 242
>> 5 libclamav.6.dylib 0x000100046360 scan_common + 416
>> 6 libclamav.6.dylib 0x0001000465d8 cl_scanfile_callback + 88
>> 7 clamd 0x0001c62d scan_callback + 749
>> 8 libclamav.6.dylib 0x0001006c966c handle_entry + 252
>> 9 libclamav.6.dylib 0x0001006c9388 cli_ftw + 424
>> 10 clamd 0x00017363 command + 1331
>> 11 clamd 0x0001bd38 scanner_thread + 56
>> 12 clamd 0x0001918a thrmgr_worker + 938
>> 13 libsystem_c.dylib 0x7fff8cb7b772 _pthread_start + 327
>> 14 libsystem_c.dylib 0x7fff8cb681a1 thread_start + 13
>>
>> I'm aware the offsets won't be too useful, but at least the method names ought to help I think.
>>
>> Mark
>>
>> On 16 May 2014, at 03:03 pm, Mark Allan markjal...@gmail.com wrote:
>>
>>> All works fine for me on OS X 10.6 - 10.9. For info, compiled on 10.9.2 with support for 10.6 onwards.
>>>
>>> CFLAGS=-O2 -g -D_FILE_OFFSET_BITS=64 -mmacosx-version-min=10.6 -arch x86_64
>>> CXXFLAGS=-O2 -g -D_FILE_OFFSET_BITS=64 -mmacosx-version-min=10.6 -arch x86_64
>>> ./configure --disable-dependency-tracking --enable-llvm --enable-clamdtop --with-user=_clamav --with-group=_clamav --enable-all-jit-targets
>>>
>>> Mark
>>>
>>> On 16 May 2014, at 02:01 pm, Joel Esler (jesler) jes...@cisco.com wrote:
>>>
>>>> http://blog.clamav.net/2014/05/clamav-0984rc1-is-now-available.html
>>>>
>>>> ClamAV 0.98.4rc1 is now available for download. Shown below are the notes concerning this release:
>>>>
>>>> 0.98.4rc1
>>>> --
>>>> ClamAV 0.98.4 is a bug fix release. The following issues are now resolved:
>>>> - Various build problems on Solaris, OpenBSD, AIX.
>>>> - Crashes of clamd on Windows and Mac OS X platforms when reloading the virus signature database.
>>>> - Infinite loop in clamdscan when clamd is not running.
>>>> - Freshclam failure on Solaris 10.
>>>> - Buffer underruns when handling multi-part MIME email attachments.
>>>> - Configuration of OpenSSL on various platforms.
>>>>
>>>> ClamAV 0.98.4rc1 is available for download here: http://sourceforge.net/projects/clamav/files/RC/clamav-0.98.4-rc1/. Please download, test, and provide feedback to the mailing list here: http://lists.clamav.net/mailman/listinfo/clamav-users
Re: [clamav-users] [Clamav-devel] ClamAV(R): ClamAV 0.98.4rc1 is now available!
Hi,

It would help a lot and eliminate much guesswork if someone who has this problem could build a debug version of clamav, as in:

./configure --enable-debug [other flags] CFLAGS='-g -O0'

and reproduce the problem with clamd running under gdb (sudo gdb clamd) with the clamd.conf statement:

Foreground yes

When the crash occurs, obtain the stack trace (bt) and also print (p) relevant variable values surrounding the crash location.

Either that, or send in some files that we can use to reproduce the problem.

Thanks,
Steve

On Tue, May 20, 2014 at 1:54 PM, Al Varnell alvarn...@mac.com wrote:

> I think there may be some confusion here. There have been three users reporting crashed clamd with Thunderbird, but I believe the INBOX files concerned were all less than the 25MB limit at the time.
>
> In my case, I had never used Thunderbird and installed it simply for test purposes. So as the INBOX was growing there were many scans required as new messages flooded in, which resulted in multiple clamdscan processes being spawned against that same INBOX mailbox. That's when the clamd crash occurred, leaving a couple of clamdscan processes running at high CPU usage. After the INBOX grew to 1.15GB and clamd was restarted, there were no more crashes, but the logs show no more scans of the INBOX, which is consistent with the 25MB limit.
>
> At least one of the other two users has four accounts with INBOX files below 25MB. Both that user and myself are still using 0.98.3.
>
> The third user compiled and ran his own copy of 0.98.4rc1 and is still seeing clamd crashes and high CPU usage daily. He has not yet reported the size or number of INBOX files he has and, as Mark said, has been asked to supply his crash log.
>
> My theory is that it's the initial flood of messages at Thunderbird startup that's initiating this and not my huge INBOX.
>
> -Al-
> --
> Al Varnell
> Mountain View, CA
>
> On May 20, 2014, at 6:14 AM, Shawn Webb sw...@sourcefire.com wrote:
>
>> Hey Mark,
>>
>> Is there a way you could get me the sample?
>>
>> Thanks,
>> Shawn
>>
>> On Tue, May 20, 2014 at 6:49 AM, Mark Allan markjal...@blueyonder.co.uk wrote:
>>
>>> I may have been a bit hasty with this. It appears there's another issue with clamd. I'm receiving reports of clamd crashing when attempting to parse email in an incredibly large (1.15 GB) Thunderbird mailbox file. This particular report is from 0.98.3, but the user is reporting it still happens when testing against 0.98.4-rc1. I'll attempt to get a crash log from the user.
>>>
>>> Exception Type: EXC_BAD_ACCESS (SIGSEGV)
>>> Exception Codes: KERN_INVALID_ADDRESS at 0x000117ff
>>>
>>> Thread 2 Crashed:
>>> 0 libclamav.6.dylib 0x00010004fa6c parseEmailBody + 4668
>>> 1 libclamav.6.dylib 0x00010004d701 cli_mbox + 1057
>>> 2 libclamav.6.dylib 0x000100048b97 cli_scanmail + 119
>>> 3 libclamav.6.dylib 0x000100044349 magic_scandesc + 8537
>>> 4 libclamav.6.dylib 0x000100042142 cli_base_scandesc + 242
>>> 5 libclamav.6.dylib 0x000100046360 scan_common + 416
>>> 6 libclamav.6.dylib 0x0001000465d8 cl_scanfile_callback + 88
>>> 7 clamd 0x0001c62d scan_callback + 749
>>> 8 libclamav.6.dylib 0x0001006c966c handle_entry + 252
>>> 9 libclamav.6.dylib 0x0001006c9388 cli_ftw + 424
>>> 10 clamd 0x00017363 command + 1331
>>> 11 clamd 0x0001bd38 scanner_thread + 56
>>> 12 clamd 0x0001918a thrmgr_worker + 938
>>> 13 libsystem_c.dylib 0x7fff8cb7b772 _pthread_start + 327
>>> 14 libsystem_c.dylib 0x7fff8cb681a1 thread_start + 13
>>>
>>> I'm aware the offsets won't be too useful, but at least the method names ought to help I think.
>>>
>>> Mark
>>>
>>> On 16 May 2014, at 03:03 pm, Mark Allan markjal...@gmail.com wrote:
>>>
>>>> All works fine for me on OS X 10.6 - 10.9. For info, compiled on 10.9.2 with support for 10.6 onwards.
>>>>
>>>> CFLAGS=-O2 -g -D_FILE_OFFSET_BITS=64 -mmacosx-version-min=10.6 -arch x86_64
>>>> CXXFLAGS=-O2 -g -D_FILE_OFFSET_BITS=64 -mmacosx-version-min=10.6 -arch x86_64
>>>> ./configure --disable-dependency-tracking --enable-llvm --enable-clamdtop --with-user=_clamav --with-group=_clamav --enable-all-jit-targets
>>>>
>>>> Mark
>>>>
>>>> On 16 May 2014, at 02:01 pm, Joel Esler (jesler) jes...@cisco.com wrote:
>>>>
>>>>> http://blog.clamav.net/2014/05/clamav-0984rc1-is-now-available.html
>>>>>
>>>>> ClamAV 0.98.4rc1 is now available for download. Shown below are the notes concerning this release:
>>>>>
>>>>> 0.98.4rc1
>>>>> --
>>>>> ClamAV 0.98.4 is a bug fix release. The following issues are now resolved:
>>>>> - Various build problems on Solaris, OpenBSD, AIX.
>>>>> - Crashes of clamd on Windows and Mac OS X platforms when reloading the virus signature database.
>>>>> - Infinite loop in clamdscan when clamd is not running.
>>>>> - Freshclam failure on Solaris 10.
>>>>> - Buffer underruns when handling multi-part MIME email attachments.
>>>>> - Configuration of OpenSSL on various platforms.
>>>>>
>>>>> ClamAV 0.98.4rc1 is available for download here:
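As an added example (not code from the thread or from the ClamAV project), a small POSIX sh helper that wraps the debug-build-and-gdb procedure Steve describes above: build with `--enable-debug` and `-g -O0`, force `Foreground yes` in clamd.conf, and capture a full backtrace in gdb batch mode. The source tree path, the clamd.conf path and `/tmp/clamd.gdb` are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added example, not code from the thread or the ClamAV project: wraps the
# debug-build-and-gdb procedure from Steve's message. Source tree, config file
# and gdb script paths are assumptions passed in by the caller.

# Configure and build ClamAV with debug support and no optimisation, so gdb
# shows real line numbers and variables that were not optimised away.
build_debug_clamav() {
    srcdir=$1; shift   # unpacked clamav source tree; extra args go to configure
    (cd "$srcdir" && ./configure --enable-debug "$@" CFLAGS='-g -O0' && make)
}

# clamd must not daemonise or gdb loses the process: make sure clamd.conf says
# "Foreground yes" (rewrite a commented or differing Foreground line, else append).
ensure_foreground() {
    conf=$1
    if grep -q '^Foreground yes' "$conf" 2>/dev/null; then
        return 0
    fi
    if grep -q '^#*Foreground' "$conf" 2>/dev/null; then
        sed -i.bak 's/^#*Foreground.*/Foreground yes/' "$conf"
    else
        printf 'Foreground yes\n' >> "$conf"
    fi
    grep -q '^Foreground yes' "$conf"
}

# Write a gdb command file: start clamd with the given config and, when it
# stops on the crash signal, dump every frame with its locals (bt full).
# SIGPIPE happens on ordinary client disconnects and is not the crash we want.
write_gdb_script() {
    out=$1; conf=$2
    cat > "$out" <<EOF
set pagination off
handle SIGPIPE nostop noprint pass
run --config-file=$conf
bt full
info registers
EOF
}

# Usage (as root, since clamd needs its socket and log paths):
#   sh debug_clamd.sh /path/to/clamav-src /usr/local/etc/clamd.conf
# Installs the debug build, then runs clamd under gdb; the output is the trace
# to send to the list.
main() {
    build_debug_clamav "$1" && (cd "$1" && make install) || return 1
    ensure_foreground "$2" || return 1
    write_gdb_script /tmp/clamd.gdb "$2"
    gdb -batch -x /tmp/clamd.gdb "$(command -v clamd)"
}
if [ $# -ge 2 ]; then main "$@"; fi
```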
Re: [clamav-users] Compiling error: /usr/lib/libxml2.so: error adding symbols: File in wrong format
It isn't just libxml2. I'm getting the equivalent errors for libbz2 and libz as well. This is with *both* 0.98.3 and 0.98.4rc1.

This is when trying to build for 64 bits, on a 64-bit openSuSE 12.3 system which has both the 64-bit and 32-bit 'devel' packages installed. Has ClamAV ever been built in such an environment? If so, how?

Paul Kosinski

P.S. I also get a *lot* of compiler warnings of the form: discards 'const' qualifier from pointer target type