[clamav-users] Freshcalm issues

2017-01-03 Thread Hugo Deprez
Hello,

I still have some issues with my local clamav proxy.
Here is the command I use to reproduce the issue.

To sum up:
- clean up /var/lib/clamav,
- start freshclam to download updates,
- restart freshclam randomly to get updates => here I get warning messages,
and finally it flags my mirror as down

Any idea?

root@admin:/var/lib/clamav# ll
total 136296
-rw-r--r-- 1 clamav clamav 96528 23.11.2016 21:06 bytecode.cvd
-rw-r--r-- 1 clamav clamav  30314677 03.01.2017 10:43 daily.cvd
-rw-r--r-- 1 clamav clamav 109143933 17.03.2016 06:55 main.cvd
-rw--- 1 clamav clamav52 03.01.2017 14:43 mirrors.dat
root@admin:/var/lib/clamav# rm -f *

root@admin:/var/lib/clamav# freshclam
ClamAV update process started at Tue Jan  3 14:43:25 2017
Downloading main.cvd [100%]
main.cvd updated (version: 57, sigs: 4218790, f-level: 60, builder:
amishhammer)
Downloading daily.cvd [100%]
daily.cvd updated (version: 22827, sigs: 1230804, f-level: 63, builder: neo)
Downloading bytecode.cvd [100%]
bytecode.cvd updated (version: 285, sigs: 57, f-level: 63, builder: bbaker)
Database updated (5449651 signatures) from proxy.domain.local (IP:
192.168.1.1)
root@admin:/var/lib/clamav# freshclam
ClamAV update process started at Tue Jan  3 14:43:48 2017
main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder:
amishhammer)
Downloading daily.cvd [100%]
WARNING: Mirror 192.168.1.1 is not synchronized.
Trying again in 5 secs...
ClamAV update process started at Tue Jan  3 14:43:55 2017
main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder:
amishhammer)
WARNING: Can't download daily.cvd from proxy.domain.local
Trying again in 5 secs...
ClamAV update process started at Tue Jan  3 14:44:00 2017
main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder:
amishhammer)
WARNING: Can't download daily.cvd from proxy.domain.local
Trying again in 5 secs...
ClamAV update process started at Tue Jan  3 14:44:05 2017
main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder:
amishhammer)
WARNING: Can't download daily.cvd from proxy.domain.local
Trying again in 5 secs...
ClamAV update process started at Tue Jan  3 14:44:10 2017
main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder:
amishhammer)
ERROR: Can't download daily.cvd from proxy.domain.local
Giving up on proxy.domain.local...
Update failed. Your network may be down or none of the mirrors listed in
/etc/clamav/freshclam.conf is working. Check
http://www.clamav.net/doc/mirrors-faq.html for possible reasons.
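The "not synchronized" warning in the log above is what freshclam prints when the daily.cvd it fetched from the mirror is older than the version the upstream DNS TXT record advertises. As an added check, not from the thread, the script below reads the version straight out of a CVD file header and compares it with that TXT record, so a stale local mirror can be told apart from a network failure; the header layout and the position of the daily field in the TXT record are assumptions stated in the comments.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether a local ClamAV mirror is
# stale, the condition behind freshclam's "Mirror ... is not synchronized".
# Assumptions: a CVD file starts with a 512-byte colon-separated header
#   ClamAV-VDB:<date>:<version>:<sigs>:<flevel>:<md5>:<dsig>:<builder>:<time>
# and the upstream TXT record at current.cvd.clamav.net carries the current
# daily.cvd version in its third colon-separated field.

# cvd_version FILE -> version number taken from the CVD header
cvd_version() {
    head -c 512 -- "$1" | cut -d: -f3
}

# upstream_daily_version TXT -> daily version from a TXT record string
upstream_daily_version() {
    printf '%s\n' "$1" | cut -d: -f3
}

# mirror_state LOCAL UPSTREAM -> "current", "stale" or "ahead"
mirror_state() {
    if [ "$1" -eq "$2" ]; then echo current
    elif [ "$1" -lt "$2" ]; then echo stale
    else echo ahead
    fi
}

# check_mirror FILE TXT -> one-line verdict; exit status 1 when the mirror is stale
check_mirror() {
    local_v=$(cvd_version "$1")
    up_v=$(upstream_daily_version "$2")
    state=$(mirror_state "$local_v" "$up_v")
    echo "daily.cvd on mirror: $local_v, upstream: $up_v -> $state"
    [ "$state" != stale ]
}

# Live use (needs DNS): feed the mirror's copy and the TXT record fetched with dig:
#   check_mirror /srv/mirror/daily.cvd "$(dig +short TXT current.cvd.clamav.net | tr -d '"')"
```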
___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] Howto quarantine emails? "ERROR: VirusEvent: fork failed."

2017-01-03 Thread Gene Heskett
On Tuesday 03 January 2017 04:25:54 Mathieu D. wrote:

> Hello,
>
> I would like to keep emails detected as virus by ClamAV on the
> filesystem, in order to be able to retrieve false positives when users
> ask for them. After a few days, a simple cronjob would remove them.
>
> So I thought that "VirusEvent" could be an appropriate way to do it.
> (Is there any better way?)
>
> I set the "VirusEvent" in the configuration file to:
>   VirusEvent /bin/run-parts --lsbsysinit /etc/clamav/virusevent.d/
>
> While I am only debugging for the moment, the script `/etc/clamav/
> virusevent.d/test.sh` (chmod'ed +s) contains this:
>   #!/bin/bash
>   echo "$(date) ClamAV found $CLAM_VIRUSEVENT_VIRUSNAME into
> $CLAM_VIRUSEVENT_FILENAME" >> /tmp/clamav-found_virus.log
>
> I also tried directly with this:
>   VirusEvent echo "%v" >> /tmp/clamav-found_virus.log
>
> But all my tests fail. The /tmp/clamav-found_virus.log doesn't get
> anything, while the logs only tell:
>
> ```
> /var/spool/exim4/scan/1cO7Nt-0005Y4-A5/1cO7Nt-0005Y4-A5.eml: Heuristics.Phishing.Email.SSL-Spoof(6ed8d5db7b0e9651be9a6d42befc69cb:46580) FOUND
> ERROR: VirusEvent: fork failed.
> ```
>
> Do you have any idea why it doesn't work?
>
> Best regards,

I've no clue, never tried that. What I do for quarantine is with a 
procmail script. Lemme see if I can find it.  Yup, here are snippets.
At top of file.
#
# Necessary generic definitions
#
# needs in fetchmailrc 'defaults mda "/usr/bin/procmail -d gene"'
DROPPRIVS=yes
VERBOSE=no
COMSAT=no
NULLBOX = "/dev/null"
SPAMBOX = "/home/gene/Mail/spam/new"
VIRIBOX = "/var/spool/mail/virii"
[...]
VERBOSE=YES

# Scan for viruses
:0
VIRUS=|clamdscan --stdout -

:0w
* VIRUS ?? ^.*: \/.* FOUND
$VIRIBOX

VERBOSE=NO


But don't expect a lot of activity. The last time that virii file was 
updated was June 6th of last year (2016).

It appears they either are not sending viri by email very often, or 
clamdscan isn't catching them. And I haven't been attacked, and I don't 
click on spammy looking links. Ever.

Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page 


Re: [clamav-users] Howto quarantine emails? "ERROR: VirusEvent: fork failed."

2017-01-03 Thread Mathieu D.
On Tuesday 3 January 2017, 10:31:51 CET Vladislav Kurz wrote:
> > So I though that "VirusEvent" could be an appropriate way to do it. (Is
> > there any better way?)
> 
> try using amavis together with your SMTP server. It has options to put
> mail into quarantine and to notify recipients, that something has been
> quarantined.

Thank you. Yes, I will consider this when refactoring the mail system. But for 
the time being, I have to do without touching too much what's working. ;)

-- 
Mathieu


Re: [clamav-users] Howto quarantine emails? "ERROR: VirusEvent: fork failed."

2017-01-03 Thread Vladislav Kurz
On 01/03/17 10:25, Mathieu D. wrote:
> Hello,
> 
> I would like to keep emails detected as virus by ClamAV on the filesystem, in 
> order to be able to retrieve false positives when users ask for them. After a 
> few days, a simple cronjob would remove them.
> 
> So I thought that "VirusEvent" could be an appropriate way to do it. (Is there 
> any better way?)

Hello,

try using amavis together with your SMTP server. It has options to put
mail into quarantine and to notify recipients, that something has been
quarantined.


-- 
Best regards
Vladislav Kurz

Head office: Celní 17/5, 63900 Brno, CZ
Web: http://www.webstep.net
E-Mail: podp...@webstep.net
Tel: 840 840 700, +420 548 214 711
Terms and conditions: https://zkrat.to/op


[clamav-users] Howto quarantine emails? "ERROR: VirusEvent: fork failed."

2017-01-03 Thread Mathieu D.
Hello,

I would like to keep emails detected as virus by ClamAV on the filesystem, in 
order to be able to retrieve false positives when users ask for them. After a 
few days, a simple cronjob would remove them.

So I thought that "VirusEvent" could be an appropriate way to do it. (Is there 
any better way?)

I set the "VirusEvent" in the configuration file to:
  VirusEvent /bin/run-parts --lsbsysinit /etc/clamav/virusevent.d/

While I am only debugging for the moment, the script `/etc/clamav/
virusevent.d/test.sh` (chmod'ed +s) contains this:
  #!/bin/bash
  echo "$(date) ClamAV found $CLAM_VIRUSEVENT_VIRUSNAME into 
$CLAM_VIRUSEVENT_FILENAME" >> /tmp/clamav-found_virus.log

I also tried directly with this:
  VirusEvent echo "%v" >> /tmp/clamav-found_virus.log

But all my tests fail. The /tmp/clamav-found_virus.log doesn't get anything, 
while the logs only tell:

```
/var/spool/exim4/scan/1cO7Nt-0005Y4-A5/1cO7Nt-0005Y4-A5.eml: Heuristics.Phishing.Email.SSL-Spoof(6ed8d5db7b0e9651be9a6d42befc69cb:46580) FOUND
ERROR: VirusEvent: fork failed.
```

Do you have any idea why it doesn't work?

Best regards,
-- 
Mathieu
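One way to do what the post asks for, as an added example that is not from the thread or from the ClamAV project: a VirusEvent handler that keeps an owner-only copy of each detected message in a quarantine directory, logs the detection, and exposes a prune function for the cron job. It relies on the CLAM_VIRUSEVENT_FILENAME and CLAM_VIRUSEVENT_VIRUSNAME variables the post already uses; the quarantine path and retention period are placeholder defaults.

```shell
#!/bin/sh
# Added example (not from the thread): a VirusEvent handler that keeps a copy
# of each detected message in a quarantine directory for later review, plus a
# prune function for the cron job the poster describes.
# Assumptions: clamd exports CLAM_VIRUSEVENT_FILENAME and
# CLAM_VIRUSEVENT_VIRUSNAME as in the post; QUARANTINE_DIR and RETENTION_DAYS
# are placeholder defaults.
QUARANTINE_DIR="${QUARANTINE_DIR:-/var/lib/clamav/quarantine}"
RETENTION_DAYS="${RETENTION_DAYS:-7}"

# quarantine_file SRC VIRUSNAME [DIR] -> copies SRC into DIR under a unique,
# owner-only name, appends a log line and prints the quarantine path.
# A copy (not a move) leaves the MTA's own handling of the message untouched.
quarantine_file() {
    src=$1 name=${2:-unknown} dir=${3:-$QUARANTINE_DIR}
    [ -f "$src" ] || return 1
    mkdir -p -- "$dir" && chmod 0700 -- "$dir"
    # Signature names come from the scanner; keep them out of the path syntax.
    safe=$(printf '%s' "$name" | tr -c 'A-Za-z0-9._-' '_')
    dest="$dir/$(date +%Y%m%d-%H%M%S)-$$-$safe-$(basename -- "$src")"
    cp -p -- "$src" "$dest" || return 1
    chmod 0600 -- "$dest"
    printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$name" "$dest" \
        >> "$dir/quarantine.log"
    printf '%s\n' "$dest"
}

# prune_quarantine DIR DAYS -> deletes quarantined files older than DAYS days
prune_quarantine() {
    find "$1" -type f ! -name quarantine.log -mtime +"$2" -exec rm -f -- {} +
}

# When clamd runs this script the variables are set; otherwise nothing happens.
if [ -n "${CLAM_VIRUSEVENT_FILENAME:-}" ]; then
    quarantine_file "$CLAM_VIRUSEVENT_FILENAME" "$CLAM_VIRUSEVENT_VIRUSNAME" >/dev/null
fi
```

If the handler is dispatched through run-parts --lsbsysinit as in the post, give it a name without a suffix, since that mode skips file names such as test.sh.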

