Re: [clamav-users] clamav-milter Can't Find Clamd

2017-11-07 Thread Reindl Harald



On 08.11.2017 at 00:06, Colony.three wrote:

On 07.11.2017 at 22:46, Colony.three wrote:


So much for that theory. There are about a million of these in the logfile. 
It's not making its own socket for unknown reasons which may be New To Science.

well, that looks like clamd is restarted again and again because it's
failing, most likely /run/clamd.scan/ doesn't exist or has the wrong
permissions


Correct, /run/clamd.scan/ does -not- exist.  Why?  Because the clamd@ service 
destroys it on restart. (along with its socket)  I could merrily re-create the 
directory and socket all day long, but on restart it would only be wiped out 
again.  Of course the permissions are correct, as per above;  it couldn't have 
been destroyed by the service otherwise.


"systemctl status" as well as the syslogs should tell you that the
service is failing if you just look at it

are you aware that /run is a tmpfs and hence anything below does not
survive a reboot?


Why yes, I am.  As I say, clamd destroys its socket directory on stop, but then 
does not re-create it on start, like it's supposed to.

This is the problem which I have been trying to explain


you explained it very badly when your initial post contains all sorts of 
config snippets, even milter-related ones, instead of focusing on the problem 
that clamd itself doesn't start properly; simply because in that case nothing 
else matters until clamd is up and running fine, and to make it harder you 
don't post your complete systemd unit, at least not at the thread start


http://www.catb.org/esr/faqs/smart-questions.html

well, I disabled all the services and made my own units years ago, as I 
do for any production stuff, below /etc/systemd/system/, if only to 
ensure Type=simple, automatic restart, and not starting any process as root 
when it's not needed to begin with

__

[root@localhost:~]$ cat /etc/systemd/system/clamd.service
[Unit]
Description=ClamAV Scanner Daemon

[Service]
Type=forking
Environment="TMPDIR=/tmp"
Environment="LANG=en_GB.UTF-8"
ExecStart=/usr/sbin/clamd -c /etc/clamd.d/scan.conf
ExecReload=/usr/bin/kill -SIGUSR2 $MAINPID
Restart=always
RestartSec=1
Nice=5
User=clamscan
Group=clamilt
PrivateTmp=yes
PrivateDevices=yes
PrivateNetwork=no
NoNewPrivileges=yes
CapabilityBoundingSet=CAP_KILL
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
SystemCallArchitectures=x86-64
ReadOnlyDirectories=/
ReadWriteDirectories=/run/clamd.scan
ReadWriteDirectories=/run/clamd
ReadWriteDirectories=/var/log
ReadWriteDirectories=/tmp
__

[root@localhost:~]$ cat /etc/clamd.d/scan.conf
User clamscan
AllowSupplementaryGroups yes
PidFile /run/clamd.scan/clamd.pid
TemporaryDirectory /tmp
DatabaseDirectory /var/lib/clamav
OfficialDatabaseOnly no
LocalSocket /run/clamd/clamd.sock
LocalSocketMode 0666
MaxConnectionQueueLength 100
StreamMaxLength 35M
StreamMinPort 31000
StreamMaxPort 32000
MaxThreads 10
MaxQueue 50
ReadTimeout 120
CommandReadTimeout 5
SendBufTimeout 200
IdleTimeout 30
ExcludePath ^/proc/
ExcludePath ^/sys/
MaxDirectoryRecursion 20
FollowDirectorySymlinks no
FollowFileSymlinks no
CrossFilesystems yes
SelfCheck 86400
ExitOnOOM yes
Foreground no
Debug no
LeaveTemporaryFiles no
AllowAllMatchScan no
DetectPUA no
AlgorithmicDetection yes
DisableCache no
ScanPE yes
DisableCertCheck yes
ScanELF yes
DetectBrokenExecutables yes
ScanOLE2 yes
OLE2BlockMacros no
ScanPDF yes
ScanSWF yes
ScanMail yes
ScanPartialMessages no
PhishingSignatures yes
PhishingScanURLs no
PhishingAlwaysBlockSSLMismatch no
PhishingAlwaysBlockCloak no
PartitionIntersection no
HeuristicScanPrecedence yes
StructuredDataDetection no
ScanHTML yes
ScanArchive yes
ArchiveBlockEncrypted no
MaxScanSize 50M
MaxFileSize 50M
MaxRecursion 10
MaxFiles 1
MaxEmbeddedPE 10M
MaxHTMLNormalize 10M
MaxHTMLNoTags 2M
MaxScriptNormalize 5M
MaxZipTypeRcg 5M
MaxPartitions 50
MaxIconsPE 100
ScanOnAccess no
Bytecode yes
BytecodeSecurity TrustSigned
BytecodeTimeout 2000
StatsEnabled no
StatsPEDisabled yes
LogFile /var/log/clamscan.log
LogFileMaxSize 32M
LogTime yes
LogClean no
ExtendedDetectionInfo yes
LogFileUnlock yes
__

[root@localhost:~]$ cat /etc/systemd/system/clamav-milter.service
[Unit]
Description=ClamAV Postfix-Milter
Wants=clamd.service
After=clamd.service
Before=postfix.service

[Service]
Type=simple
Environment="TMPDIR=/tmp"
ExecStart=/usr/sbin/clamav-milter -c /etc/mail/clamav-milter.conf
User=clamilt
Group=clamilt
Environment="LANG=en_GB.UTF-8"
Restart=always
RestartSec=1
Nice=5
PrivateTmp=yes
PrivateDevices=yes
PrivateNetwork=yes
NoNewPrivileges=yes
CapabilityBoundingSet=CAP_KILL
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
SystemCallArchitectures=x86-64
ReadOnlyDirectories=/
ReadWriteDirectories=-/run/clamav-milter
ReadWriteDirectories=-/run/clamd
ReadWriteDirectories=-/tmp

Re: [clamav-users] clamav-milter Can't Find Clamd

2017-11-07 Thread Colony.three
On 07.11.2017 at 22:46, Colony.three wrote:

>> So much for that theory. There are about a million of these in the logfile. 
>> It's not making its own socket for unknown reasons which may be New To 
>> Science.
>>
>> well, that looks like clamd is restarted again and again because it's
>> failing, most likely /run/clamd.scan/ doesn't exist or has the wrong
>> permissions

Correct, /run/clamd.scan/ does -not- exist.  Why?  Because the clamd@ service 
destroys it on restart. (along with its socket)  I could merrily re-create the 
directory and socket all day long, but on restart it would only be wiped out 
again.  Of course the permissions are correct, as per above;  it couldn't have 
been destroyed by the service otherwise.

>> "systemctl status" as well as the syslogs should tell you that the
>> service is failing if you just look at it
>>
>> are you aware that /run is a tmpfs and hence anything below does not
>> survive a reboot?

Why yes, I am.  As I say, clamd destroys its socket directory on stop, but then 
does not re-create it on start, like it's supposed to.

This is the problem which I have been trying to explain.  The problem is that 
clamd destroys its socket directory and socket on stop, but then fails to 
re-create these on start.  It is not making its own socket to communicate, even 
after the sig database is complete, and when it goes to look for its socket, oh 
no, it's not there!  Surprise!  It can't find the socket that it failed to 
create.
___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] clamav-milter Can't Find Clamd

2017-11-07 Thread Reindl Harald



On 07.11.2017 at 22:46, Colony.three wrote:

So much for that theory.  There are about a million of these in the logfile.  
It's not making its own socket for unknown reasons which may be New To Science.


well, that looks like clamd is restarted again and again because it's 
failing, most likely /run/clamd.scan/ doesn't exist or has the wrong 
permissions


"systemctl status" as well as the syslogs should tell you that the 
service is failing if you just look at it


are you aware that /run is a tmpfs and hence anything below does not 
survive a reboot?


[root@mail-gw:~]$ cat /etc/tmpfiles.d/clamd.scan.conf
d /run/clamd 0775 clamscan clamilt

https://www.freedesktop.org/software/systemd/man/tmpfiles.d.html



Tue Nov  7 13:41:54 2017 -> ERROR: LOCAL: Socket file 
/run/clamd.scan/clamd.sock could not be bound: No such file or directory
Tue Nov  7 13:41:55 2017 -> +++ Started at Tue Nov  7 13:41:55 2017
Tue Nov  7 13:41:55 2017 -> Received 0 file descriptor(s) from systemd.
Tue Nov  7 13:41:55 2017 -> clamd daemon 0.99.2 (OS: linux-gnu, ARCH: x86_64, 
CPU: x86_64)
Tue Nov  7 13:41:55 2017 -> Running as user root (UID 0, GID 0)
Tue Nov  7 13:41:55 2017 -> Log file size limited to 2097152 bytes.
Tue Nov  7 13:41:55 2017 -> Reading databases from /var/lib/clamav
Tue Nov  7 13:41:55 2017 -> Not loading PUA signatures.
Tue Nov  7 13:41:55 2017 -> Bytecode: Security mode set to "TrustSigned".
Tue Nov  7 13:42:04 2017 -> Loaded 6474764 signatures.
Tue Nov  7 13:42:06 2017 -> ERROR: LOCAL: Socket file 
/run/clamd.scan/clamd.sock could not be bound: No such file or directory
Tue Nov  7 13:42:07 2017 -> +++ Started at Tue Nov  7 13:42:07 2017

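The tmpfiles.d line above and the systemd units posted earlier in the thread are the two halves of the fix: /run is a tmpfs, clamd creates the socket file but not its parent directory, and the milter user still has to get through the directory and socket permissions. The following is an added example, not code from the thread or from ClamAV, that checks those pieces statically from the config text: does a tmpfiles.d 'd' entry (or, alternatively, RuntimeDirectory= in the unit) recreate the socket directory, can the user clamd runs as create the socket there, and can the milter user traverse the directory and read/write the socket. Group membership is passed in as a table rather than read from /etc/group so that it runs offline; the sample configs are constructed from what the posts show and are not the posters' complete files. It assumes the unit's User=/Group= take precedence over clamd.conf's User, that the first entry in a user's group list is its primary group, and it does not model SELinux.

```python
"""Static check: will clamav-milter be able to reach clamd's Unix socket?
Added example (not from the thread or ClamAV); see the lead-in for assumptions."""
import os

READ = (0o400, 0o040, 0o004)      # (owner, group, other) bits per permission class
WRITE = (0o200, 0o020, 0o002)
SEARCH = (0o100, 0o010, 0o001)


def parse_kv_conf(text):
    """clamd.conf style: 'Key value' per line, '#' comments, last value wins."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            conf[key] = value.strip()
    return conf


def parse_unit(text):
    """systemd unit: 'Key=value' lines, section headers ignored, last value wins."""
    unit = {}
    for line in text.splitlines():
        s = line.strip()
        if "=" in s and not s.startswith(("#", ";", "[")):
            key, _, value = s.partition("=")
            unit[key.strip()] = value.strip()
    return unit


def tmpfiles_dirs(text):
    """tmpfiles.d 'd'/'D' entries -> {path: (mode, user, group)}; '-' means default."""
    out = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 2 and f[0] in ("d", "D"):
            def field(i, default):
                return f[i] if len(f) > i and f[i] != "-" else default
            out[f[1].rstrip("/")] = (int(field(2, "0755"), 8), field(3, "root"), field(4, "root"))
    return out


def allowed(mode, owner, group, user, user_groups, bits):
    """Owner/group/other check for one permission class (no root override)."""
    if user == owner:
        return bool(mode & bits[0])
    if group in user_groups:
        return bool(mode & bits[1])
    return bool(mode & bits[2])


def check_socket_path(clamd_conf, clamd_unit, tmpfiles, milter_user, groups):
    """Return a list of findings; an empty list means the milter should get through."""
    conf, unit = parse_kv_conf(clamd_conf), parse_unit(clamd_unit)
    sock = conf.get("LocalSocket")
    if not sock:
        return ["no LocalSocket in clamd.conf: clamd offers no Unix socket"]
    sock_dir = os.path.dirname(sock)
    clamd_user = unit.get("User") or conf.get("User", "root")          # assumption: unit wins
    clamd_group = unit.get("Group") or groups.get(clamd_user, ["root"])[0]

    # Who recreates the directory below the tmpfs /run?  clamd only creates the socket file.
    created, source = tmpfiles_dirs(tmpfiles).get(sock_dir), "tmpfiles.d"
    if created is None:
        rdirs = {"/run/" + n.strip("/") for n in unit.get("RuntimeDirectory", "").split()}
        if sock_dir in rdirs:
            created = (int(unit.get("RuntimeDirectoryMode", "0755"), 8), clamd_user, clamd_group)
            source = "RuntimeDirectory="
    if created is None:
        return [f"nothing creates {sock_dir}: /run is tmpfs, so after a reboot bind() on "
                f"{sock} fails with 'No such file or directory' and clamd restarts forever"]
    dmode, downer, dgroup = created
    findings = []

    # clamd must be able to create the socket inode in that directory.
    if not allowed(dmode, downer, dgroup, clamd_user, set(groups.get(clamd_user, [])), WRITE):
        findings.append(f"{source} gives {sock_dir} {dmode:04o} {downer}:{dgroup}; "
                        f"clamd running as {clamd_user} cannot create {sock}")

    # The milter must traverse the directory and have read+write on the socket.
    mgroups = set(groups.get(milter_user, []))
    if not allowed(dmode, downer, dgroup, milter_user, mgroups, SEARCH):
        findings.append(f"{milter_user} cannot traverse {sock_dir} ({dmode:04o} {downer}:{dgroup})")
    if "LocalSocketMode" not in conf:
        findings.append("LocalSocketMode not set explicitly: the socket mode depends on clamd's umask")
        return findings
    smode = int(conf["LocalSocketMode"], 8)
    sgroup = conf.get("LocalSocketGroup") or clamd_group
    for bits, verb in ((READ, "read"), (WRITE, "write")):
        if not allowed(smode, clamd_user, sgroup, milter_user, mgroups, bits):
            findings.append(f"{milter_user} cannot {verb} {sock} ({smode:04o} {clamd_user}:{sgroup})")
    return findings


# Constructed inputs modelled on the thread; they are not the posters' complete files.
CLAMD_CONF_BROKEN = """\
LocalSocket /run/clamd.scan/clamd.sock
LocalSocketGroup virusgroup
LocalSocketMode 660
FixStaleSocket yes
AllowSupplementaryGroups yes
"""
UNIT_BROKEN = "[Service]\nExecStart=/usr/sbin/clamd -c /etc/clamd.d/clamd.conf --foreground=yes\n"
CLAMD_CONF_FIXED = "User clamscan\n" + CLAMD_CONF_BROKEN
TMPFILES_FIXED = "d /run/clamd.scan 0750 clamscan virusgroup\n"
UNIT_RUNTIMEDIR = UNIT_BROKEN + "User=clamscan\nGroup=virusgroup\nRuntimeDirectory=clamd.scan\nRuntimeDirectoryMode=0750\n"
GROUPS = {"clamscan": ["clamscan", "virusgroup"], "clamilt": ["clamilt", "virusgroup"]}

if __name__ == "__main__":
    print(check_socket_path(CLAMD_CONF_BROKEN, UNIT_BROKEN, "", "clamilt", GROUPS))
    print(check_socket_path(CLAMD_CONF_FIXED, UNIT_BROKEN, TMPFILES_FIXED, "clamilt", GROUPS) or "ok")
```

With the posted configuration (socket under /run/clamd.scan, nothing recreating that directory) the only finding is the missing creator, which matches the "could not be bound: No such file or directory" loop in the log; adding either the tmpfiles.d line or RuntimeDirectory= clears it. Run the check again whenever LocalSocketGroup, LocalSocketMode, the directory mode or the milter's groups change, since any one of them can turn a working setup into "connect failed: Permission denied".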


Re: [clamav-users] clamav-milter Can't Find Clamd

2017-11-07 Thread Colony.three
> But I'm beginning to gather that the reason clamd is not creating its socket 
> is that it's still loading current pattern databases.  It's consuming 98% of 
> CPU, although I'm not seeing any sign of network traffic, which seems odd.  
> The signature database (main.cld) is 300MB and daily.cld is 126MB, so maybe 
> that has something to do with it.  Maybe it's reconciling or something.
>
> I guess I'll move on to other things and see if clamd eventually creates its 
> own socket without my intervention.  This seems like a severe handicap to 
> receiving email.  In the clamd@.service I've niced it so I can be doing other 
> things.

So much for that theory.  There are about a million of these in the logfile.  
It's not making its own socket for unknown reasons which may be New To Science.

Tue Nov  7 13:41:54 2017 -> ERROR: LOCAL: Socket file 
/run/clamd.scan/clamd.sock could not be bound: No such file or directory
Tue Nov  7 13:41:55 2017 -> +++ Started at Tue Nov  7 13:41:55 2017
Tue Nov  7 13:41:55 2017 -> Received 0 file descriptor(s) from systemd.
Tue Nov  7 13:41:55 2017 -> clamd daemon 0.99.2 (OS: linux-gnu, ARCH: x86_64, 
CPU: x86_64)
Tue Nov  7 13:41:55 2017 -> Running as user root (UID 0, GID 0)
Tue Nov  7 13:41:55 2017 -> Log file size limited to 2097152 bytes.
Tue Nov  7 13:41:55 2017 -> Reading databases from /var/lib/clamav
Tue Nov  7 13:41:55 2017 -> Not loading PUA signatures.
Tue Nov  7 13:41:55 2017 -> Bytecode: Security mode set to "TrustSigned".
Tue Nov  7 13:42:04 2017 -> Loaded 6474764 signatures.
Tue Nov  7 13:42:06 2017 -> ERROR: LOCAL: Socket file 
/run/clamd.scan/clamd.sock could not be bound: No such file or directory
Tue Nov  7 13:42:07 2017 -> +++ Started at Tue Nov  7 13:42:07 2017
Tue Nov  7 13:42:07 2017 -> Received 0 file descriptor(s) from systemd.
Tue Nov  7 13:42:07 2017 -> clamd daemon 0.99.2 (OS: linux-gnu, ARCH: x86_64, 
CPU: x86_64)
Tue Nov  7 13:42:07 2017 -> Running as user root (UID 0, GID 0)
Tue Nov  7 13:42:07 2017 -> Log file size limited to 2097152 bytes.
Tue Nov  7 13:42:07 2017 -> Reading databases from /var/lib/clamav
Tue Nov  7 13:42:07 2017 -> Not loading PUA signatures.
Tue Nov  7 13:42:07 2017 -> Bytecode: Security mode set to "TrustSigned".
Tue Nov  7 13:42:17 2017 -> Loaded 6474764 signatures.
Tue Nov  7 13:42:19 2017 -> ERROR: LOCAL: Socket file 
/run/clamd.scan/clamd.sock could not be bound: No such file or directory
Tue Nov  7 13:42:19 2017 -> +++ Started at Tue Nov  7 13:42:19 2017
Tue Nov  7 13:42:19 2017 -> Received 0 file descriptor(s) from systemd.
Tue Nov  7 13:42:19 2017 -> clamd daemon 0.99.2 (OS: linux-gnu, ARCH: x86_64, 
CPU: x86_64)
Tue Nov  7 13:42:19 2017 -> Running as user root (UID 0, GID 0)
Tue Nov  7 13:42:19 2017 -> Log file size limited to 2097152 bytes.
Tue Nov  7 13:42:19 2017 -> Reading databases from /var/lib/clamav
Tue Nov  7 13:42:19 2017 -> Not loading PUA signatures.
Tue Nov  7 13:42:19 2017 -> Bytecode: Security mode set to "TrustSigned".
Tue Nov  7 13:42:29 2017 -> Loaded 6474764 signatures.
Tue Nov  7 13:42:31 2017 -> ERROR: LOCAL: Socket file 
/run/clamd.scan/clamd.sock could not be bound: No such file or directory
Tue Nov  7 13:42:32 2017 -> +++ Started at Tue Nov  7 13:42:32 2017
Tue Nov  7 13:42:32 2017 -> Received 0 file descriptor(s) from systemd.
Tue Nov  7 13:42:32 2017 -> clamd daemon 0.99.2 (OS: linux-gnu, ARCH: x86_64, 
CPU: x86_64)
Tue Nov  7 13:42:32 2017 -> Running as user root (UID 0, GID 0)
Tue Nov  7 13:42:32 2017 -> Log file size limited to 2097152 bytes.
Tue Nov  7 13:42:32 2017 -> Reading databases from /var/lib/clamav
Tue Nov  7 13:42:32 2017 -> Not loading PUA signatures.
Tue Nov  7 13:42:32 2017 -> Bytecode: Security mode set to "TrustSigned".


Re: [clamav-users] clamav-milter Can't Find Clamd

2017-11-07 Thread Colony.three
> On Tue, 7 Nov 2017, Colony.three wrote:
>
>> Since I installed clamd a week ago, I've had to manually create the 
>> /run/clamd.scan directory and the clamd.sock file. The clamd daemon is not 
>> doing this even though it is running as root.
>>
>> ps aux |grep clamd
>>
>> root 1963 93.0 25.5 345992 258728 ? Rs 11:34 0:02 /usr/sbin/clamd -c 
>> /etc/clamd.d/clamd.conf --foreground=yes
>> In its config file is:
>> LocalSocket /run/clamd.scan/clamd.sock
>> LocalSocketGroup virusgroup
>> LocalSocketMode 660
>> FixStaleSocket yes
>> AllowSupplementaryGroups yes
>> ... so I can't imagine why it is not creating its own socket directory and 
>> socket. I even rebooted with selinux disabled, but no improvement.
>> When I create its socket it pretends to bind to it, but then -milter can't 
>> see clamd. Maybe the problem is with clamd after all.
>>
>> This is a severe problem and it needs to be solved. Nevertheless, if
>> your primary interest for the moment is just getting clamd to work,
>> there is a simple workaround: Tell clamd to bind to a TCP socket on the
>> loopback interface instead of a Unix socket.
>>
>> #LocalSocket /run/clamd.scan/clamd.sock
>> TCPSocket 3310
>> TCPAddr 127.0.0.1
>>
>> It's not as efficient in terms of communication speed, but it doesn't
>> suffer from permissions issues.
>>
>> Alan Stern

Thanks Alan, I may have to do this.

But I'm beginning to gather that the reason clamd is not creating its socket is 
that it's still loading current pattern databases.  It's consuming 98% of CPU, 
although I'm not seeing any sign of network traffic, which seems odd.  The 
signature database (main.cld) is 300MB and daily.cld is 126MB, so maybe that 
has something to do with it.  Maybe it's reconciling or something.

I guess I'll move on to other things and see if clamd eventually creates its 
own socket without my intervention.  This seems like a severe handicap to 
receiving email.  In the clamd@.service I've niced it so I can be doing other 
things.


Re: [clamav-users] clamav-milter Can't Find Clamd

2017-11-07 Thread Alan Stern
On Tue, 7 Nov 2017, Colony.three wrote:

> Since I installed clamd a week ago, I've had to manually create the 
> /run/clamd.scan directory and the clamd.sock file.  The clamd daemon is not 
> doing this even though it is running as root.
> # ps aux |grep clamd
> root  1963 93.0 25.5 345992 258728 ?   Rs   11:34   0:02 
> /usr/sbin/clamd -c /etc/clamd.d/clamd.conf --foreground=yes
> 
> In its config file is:
> LocalSocket /run/clamd.scan/clamd.sock
> LocalSocketGroup virusgroup
> LocalSocketMode 660
> FixStaleSocket yes
> AllowSupplementaryGroups yes
> 
> ... so I can't imagine why it is not creating its own socket directory and 
> socket.  I even rebooted with selinux disabled, but no improvement.
> 
> When I create its socket it pretends to bind to it, but then -milter can't 
> see clamd.  Maybe the problem is with clamd after all.

This is a severe problem and it needs to be solved.  Nevertheless, if
your primary interest for the moment is just getting clamd to work,
there is a simple workaround: Tell clamd to bind to a TCP socket on the
loopback interface instead of a Unix socket.

#LocalSocket /run/clamd.scan/clamd.sock
TCPSocket 3310
TCPAddr 127.0.0.1

It's not as efficient in terms of communication speed, but it doesn't 
suffer from permissions issues.

Alan Stern

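Whether clamd listens on the Unix socket or on the loopback TCP port suggested above, the useful check is to talk to it the way the milter does and look at which error comes back. The probe below is an added example, not code from the thread or from ClamAV: it sends clamd's PING command (commands are prefixed with 'z' and terminated by a NUL byte; the reply is PONG) to either a socket path or a (host, port) pair and turns the outcome into one of: socket path missing (nothing bound it), permission denied (the milter's "connect failed: Permission denied"), connection refused (the endpoint exists but nothing is listening yet, as while clamd is still loading signatures), or a live PONG. The fake listener and demo() exist only so the block runs offline; they are constructed here and stand in for a real clamd. One caveat on the TCP workaround: a loopback listener has no file permissions, so every local user can reach it.

```python
"""Probe a clamd endpoint and classify the failure.
Added example (not from the thread or ClamAV); fake_clamd/demo are constructed for offline use."""
import os
import socket
import tempfile
import threading


def _connect(addr, timeout):
    if isinstance(addr, str):                                # Unix socket path
        s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        s.settimeout(timeout)
        s.connect(addr)
        return s
    return socket.create_connection(addr, timeout=timeout)   # (host, port), e.g. ("127.0.0.1", 3310)


def clamd_ping(addr, timeout=5.0):
    """Send zPING and return (status, detail); status 'ok' means clamd answered PONG."""
    try:
        with _connect(addr, timeout) as s:
            s.sendall(b"zPING\0")
            reply = s.recv(64).rstrip(b"\0\n")
    except FileNotFoundError as e:        # ENOENT: nothing bound the socket path
        return ("missing", str(e))
    except PermissionError as e:          # EACCES: directory/socket mode, group or SELinux
        return ("permission", str(e))
    except ConnectionRefusedError as e:   # endpoint exists, no listener (clamd still starting?)
        return ("refused", str(e))
    except (socket.timeout, OSError) as e:
        return ("unreachable", str(e))
    if reply == b"PONG":
        return ("ok", "PONG")
    return ("unexpected", reply.decode("ascii", "replace"))


def fake_clamd(path):
    """Stand-in listener for the demo: answers one zPING with PONG, then exits."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            data = conn.recv(64)
            conn.sendall(b"PONG\0" if data.startswith(b"zPING\0") else b"UNKNOWN COMMAND\0")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()


def demo():
    """Probe a live fake, a socket path whose directory does not exist, and a closed port."""
    d = tempfile.mkdtemp()
    live = os.path.join(d, "clamd.sock")
    fake_clamd(live)
    closed = socket.socket()
    closed.bind(("127.0.0.1", 0))          # reserve an unused port without listening on it
    port = closed.getsockname()[1]
    closed.close()
    return {
        "live": clamd_ping(live),
        "missing": clamd_ping(os.path.join(d, "clamd.scan", "clamd.sock")),
        "refused": clamd_ping(("127.0.0.1", port))[0],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Run it as the milter's user (for example with sudo -u clamilt) against the real LocalSocket path or TCP address: a "missing" result points at the socket directory problem discussed in this thread, "permission" at the mode/group/SELinux side, and "refused" means waiting for clamd to finish loading its databases before restarting the milter.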


Re: [clamav-users] clamav-milter Can't Find Clamd

2017-11-07 Thread Colony.three
> Hi,
>
>> Have you checked the directory permissions:
>>
>> ls -ld /var/run/clamd.scan /run/clamd.scan
>>
>> Regards
>> Mark.
>
> Sure, it's the third one up from this post.

Since I installed clamd a week ago, I've had to manually create the 
/run/clamd.scan directory and the clamd.sock file.  The clamd daemon is not 
doing this even though it is running as root.
# ps aux |grep clamd
root  1963 93.0 25.5 345992 258728 ?   Rs   11:34   0:02 
/usr/sbin/clamd -c /etc/clamd.d/clamd.conf --foreground=yes

In its config file is:
LocalSocket /run/clamd.scan/clamd.sock
LocalSocketGroup virusgroup
LocalSocketMode 660
FixStaleSocket yes
AllowSupplementaryGroups yes

... so I can't imagine why it is not creating its own socket directory and 
socket.  I even rebooted with selinux disabled, but no improvement.

When I create its socket it pretends to bind to it, but then -milter can't see 
clamd.  Maybe the problem is with clamd after all.


Re: [clamav-users] clamav-milter Can't Find Clamd

2017-11-07 Thread Colony.three
Hi,

> Have you checked the directory permissions:
>
> ls -ld /var/run/clamd.scan /run/clamd.scan
>
> Regards
> Mark.

Sure, it's the third one up from this post.


Re: [clamav-users] clamav-milter Can't Find Clamd

2017-11-07 Thread Mark Fortescue

Hi,

Have you checked the directory permissions:

 ls -ld /var/run/clamd.scan /run/clamd.scan

Regards
Mark.

On 07/11/17 19:15, Colony.three wrote:

Trying to make milter see the clam daemon but can't figure out what's wrong. 
CentOS7.


In /etc/clamd.d/clamd.conf:
LocalSocket /var/run/clamd.scan/clamd.sock
LocalSocketGroup virusgroup
LocalSocketMode 660
FixStaleSocket yes

AllowSupplementaryGroups yes

and you need that too in the milter configuration, and postfix needs to
be in the same group, at least when you start everything with as few
permissions as possible, hence I made the comments years ago after figuring
it out

cat /etc/mail/clamav-milter.conf


Postfix milter configuration

Pre-queue virus scanner

Postfix must be in the "clamilt" user group

usermod -a -G clamilt postfix

usermod -a -G sa-milt postfix

User clamilt
AllowSupplementaryGroups yes


Thanks, but unfortunately 'AllowSupplementaryGroups yes' is enabled in both 
clamd.conf and clamav.conf.  I've now added postfix to the additional groups.


Of course both daemons are running.
# systemctl status clamd\@scan.service
● clamd@scan.service - clamd scanner (scan) daemon
Loaded: loaded (/usr/local/lib/systemd/system/clamd@.service; static; 
vendor preset: disabled)
Active: active (running) since Tue 2017-11-07 10:29:19 PST; 8s ago
Main PID: 49318 (clamd)
CGroup: /system.slice/system-clamd.slice/clamd@scan.service
└─49318 /usr/sbin/clamd -c /etc/clamd.d/clamd.conf --foreground=yes

Nov 07 10:29:19 quantum.localdomain systemd[1]: Started clamd scanner (scan) 
daemon.
Nov 07 10:29:19 quantum.localdomain systemd[1]: Starting clamd scanner (scan) 
daemon...

# systemctl status clamav-milter
● clamav-milter.service - Milter module for the Clam Antivirus scanner
Loaded: loaded (/usr/lib/systemd/system/clamav-milter.service; enabled; 
vendor preset: disabled)
Active: active (running) since Tue 2017-11-07 10:29:38 PST; 5s ago
Main PID: 49331 (clamav-milter)
CGroup: /system.slice/clamav-milter.service
└─49331 /usr/sbin/clamav-milter -c /etc/mail/clamav-milter.conf 
--foreground=yes

Nov 07 10:29:38 quantum.localdomain systemd[1]: Started Milter module for the 
Clam Antivirus scanner.
Nov 07 10:29:38 quantum.localdomain systemd[1]: Starting Milter module for the 
Clam Antivirus scanner...
Nov 07 10:29:38 quantum.localdomain clamav-milter[49331]: +++ Started at Tue 
Nov  7 10:29:38 2017
Nov 07 10:29:38 quantum.localdomain clamav-milter[49331]: WARNING: No clamd 
server appears to be available
Nov 07 10:29:38 quantum.localdomain clamav-milter[49331]: No clamd server 
appears to be available

I am at a loss.  I've tried restarting -milter after clamd has had plenty of 
time to download its database.

Anyone have any ideas?  This is a showstopper.


According to clamd's logfile:  "Tue Nov  7 10:29:31 2017 -> LOCAL: Unix socket file 
/run/clamd.scan/clamd.sock"
... so it seems to be binding fine to the socket.

The -milter log says:
Tue Nov  7 11:09:47 2017 -> connect failed: Permission denied
Tue Nov  7 11:09:47 2017 -> Probe for slot 1 returned: failed
Tue Nov  7 11:09:47 2017 -> WARNING: No clamd server appears to be available

Huh?
# cat /etc/group
virusgroup:x:990:clamupdate,clamilt,postfix
clamilt:x:989:postfix,clamilt

In /etc/mail/clamav-milter.conf
MilterSocketGroup virusgroup
AllowSupplementaryGroups yes

# ll /run/clamd.scan/
srw-rw----. 1 root virusgroup 0 Nov  7 10:29 clamd.sock

I thought it might be an selinux problem with my self-created .sock file, but I 
ran a restorecon -r on /run

Baffling.

Re: [clamav-users] clamav-milter Can't Find Clamd

2017-11-07 Thread Colony.three
> Trying to make milter see the clam daemon but can't figure out what's wrong. 
> CentOS7.
>
 In /etc/clamd.d/clamd.conf:
 LocalSocket /var/run/clamd.scan/clamd.sock
 LocalSocketGroup virusgroup
 LocalSocketMode 660
 FixStaleSocket yes

 AllowSupplementaryGroups yes

 and you need that too in the milter configuration, and postfix needs to
 be in the same group, at least when you start everything with as few
 permissions as possible, hence I made the comments years ago after figuring
 it out

 cat /etc/mail/clamav-milter.conf
>>>
>>> Postfix milter configuration
>>>
>>> Pre-queue virus scanner
>>>
>>> Postfix must be in the "clamilt" user group
>>>
>>> usermod -a -G clamilt postfix
>>>
>>> usermod -a -G sa-milt postfix
>>>
>>> User clamilt
>>> AllowSupplementaryGroups yes
>>
>> Thanks, but unfortunately 'AllowSupplementaryGroups yes' is enabled in both 
>> clamd.conf and clamav.conf.  I've now added postfix to the additional groups.
>
> Of course both daemons are running.
> # systemctl status clamd\@scan.service
> ● clamd@scan.service - clamd scanner (scan) daemon
>Loaded: loaded (/usr/local/lib/systemd/system/clamd@.service; static; 
> vendor preset: disabled)
>Active: active (running) since Tue 2017-11-07 10:29:19 PST; 8s ago
> Main PID: 49318 (clamd)
>CGroup: /system.slice/system-clamd.slice/clamd@scan.service
>└─49318 /usr/sbin/clamd -c /etc/clamd.d/clamd.conf --foreground=yes
>
> Nov 07 10:29:19 quantum.localdomain systemd[1]: Started clamd scanner (scan) 
> daemon.
> Nov 07 10:29:19 quantum.localdomain systemd[1]: Starting clamd scanner (scan) 
> daemon...
>
> # systemctl status clamav-milter
> ● clamav-milter.service - Milter module for the Clam Antivirus scanner
>Loaded: loaded (/usr/lib/systemd/system/clamav-milter.service; enabled; 
> vendor preset: disabled)
>Active: active (running) since Tue 2017-11-07 10:29:38 PST; 5s ago
> Main PID: 49331 (clamav-milter)
>CGroup: /system.slice/clamav-milter.service
>└─49331 /usr/sbin/clamav-milter -c /etc/mail/clamav-milter.conf 
> --foreground=yes
>
> Nov 07 10:29:38 quantum.localdomain systemd[1]: Started Milter module for the 
> Clam Antivirus scanner.
> Nov 07 10:29:38 quantum.localdomain systemd[1]: Starting Milter module for 
> the Clam Antivirus scanner...
> Nov 07 10:29:38 quantum.localdomain clamav-milter[49331]: +++ Started at Tue 
> Nov  7 10:29:38 2017
> Nov 07 10:29:38 quantum.localdomain clamav-milter[49331]: WARNING: No clamd 
> server appears to be available
> Nov 07 10:29:38 quantum.localdomain clamav-milter[49331]: No clamd server 
> appears to be available
>
> I am at a loss.  I've tried restarting -milter after clamd has had plenty of 
> time to download its database.
>
> Anyone have any ideas?  This is a showstopper.

According to clamd's logfile:  "Tue Nov  7 10:29:31 2017 -> LOCAL: Unix socket 
file /run/clamd.scan/clamd.sock"
... so it seems to be binding fine to the socket.

The -milter log says:
Tue Nov  7 11:09:47 2017 -> connect failed: Permission denied
Tue Nov  7 11:09:47 2017 -> Probe for slot 1 returned: failed
Tue Nov  7 11:09:47 2017 -> WARNING: No clamd server appears to be available

Huh?
# cat /etc/group
virusgroup:x:990:clamupdate,clamilt,postfix
clamilt:x:989:postfix,clamilt

In /etc/mail/clamav-milter.conf
MilterSocketGroup virusgroup
AllowSupplementaryGroups yes

# ll /run/clamd.scan/
srw-rw----. 1 root virusgroup 0 Nov  7 10:29 clamd.sock

I thought it might be an selinux problem with my self-created .sock file, but I 
ran a restorecon -r on /run

Baffling.

[clamav-users] Clamav + EXIM error malware acl condition: error while creating mbox spool file

2017-11-07 Thread Emanuel

I use exim with clamav.

Everything is working fine and mails with attachments get scanned, and if 
malware is found, these are rejected. BUT I have lots of


malware acl condition: error while creating mbox spool file

eximscan  100M  100M 0 100% /var/spool/exim/scan

Why is the partition not cleaned?

Thanks for any hints or help in advance.
--
envialosimple.com   
Emanuel Gonzalez
Deliverability Specialist
emanuel.gonza...@donweb.com 
www.envialosimple.com 
by donweb 

Confidentiality Note: This message and any attachments (the message) are 
confidential and intended solely for the addressees. Any unauthorised 
use or dissemination is prohibited by DonWeb.com.
DonWeb.com shall not be liable for the message if altered or falsified.
If you are not the intended addressee of this message, please cancel it 
immediately and inform the sender.




Re: [clamav-users] clamav-milter Can't Find Clamd

2017-11-07 Thread Colony.three
Trying to make milter see the clam daemon but can't figure out what's wrong. 
CentOS7.

>>> In /etc/clamd.d/clamd.conf:
>>> LocalSocket /var/run/clamd.scan/clamd.sock
>>> LocalSocketGroup virusgroup
>>> LocalSocketMode 660
>>> FixStaleSocket yes
>>>
>>> AllowSupplementaryGroups yes
>>>
>>> and you need that too in the milter configuration, and postfix needs to
>>> be in the same group, at least when you start everything with as few
>>> permissions as possible, hence I made the comments years ago after figuring
>>> it out
>>>
>>> cat /etc/mail/clamav-milter.conf
>>
>> Postfix milter configuration
>>
>> Pre-queue virus scanner
>>
>> Postfix must be in the "clamilt" user group
>>
>> usermod -a -G clamilt postfix
>>
>> usermod -a -G sa-milt postfix
>>
>> User clamilt
>> AllowSupplementaryGroups yes
>
> Thanks, but unfortunately 'AllowSupplementaryGroups yes' is enabled in both 
> clamd.conf and clamav.conf.  I've now added postfix to the additional groups.

Of course both daemons are running.
# systemctl status clamd\@scan.service
● clamd@scan.service - clamd scanner (scan) daemon
   Loaded: loaded (/usr/local/lib/systemd/system/clamd@.service; static; vendor 
preset: disabled)
   Active: active (running) since Tue 2017-11-07 10:29:19 PST; 8s ago
Main PID: 49318 (clamd)
   CGroup: /system.slice/system-clamd.slice/clamd@scan.service
   └─49318 /usr/sbin/clamd -c /etc/clamd.d/clamd.conf --foreground=yes

Nov 07 10:29:19 quantum.localdomain systemd[1]: Started clamd scanner (scan) 
daemon.
Nov 07 10:29:19 quantum.localdomain systemd[1]: Starting clamd scanner (scan) 
daemon...

# systemctl status clamav-milter
● clamav-milter.service - Milter module for the Clam Antivirus scanner
   Loaded: loaded (/usr/lib/systemd/system/clamav-milter.service; enabled; 
vendor preset: disabled)
   Active: active (running) since Tue 2017-11-07 10:29:38 PST; 5s ago
Main PID: 49331 (clamav-milter)
   CGroup: /system.slice/clamav-milter.service
   └─49331 /usr/sbin/clamav-milter -c /etc/mail/clamav-milter.conf 
--foreground=yes

Nov 07 10:29:38 quantum.localdomain systemd[1]: Started Milter module for the 
Clam Antivirus scanner.
Nov 07 10:29:38 quantum.localdomain systemd[1]: Starting Milter module for the 
Clam Antivirus scanner...
Nov 07 10:29:38 quantum.localdomain clamav-milter[49331]: +++ Started at Tue 
Nov  7 10:29:38 2017
Nov 07 10:29:38 quantum.localdomain clamav-milter[49331]: WARNING: No clamd 
server appears to be available
Nov 07 10:29:38 quantum.localdomain clamav-milter[49331]: No clamd server 
appears to be available

I am at a loss.  I've tried restarting -milter after clamd has had plenty of 
time to download its database.

Anyone have any ideas?  This is a showstopper.

Re: [clamav-users] Heuristics.Broken.Executable FOUND for core files/core dumps

2017-11-07 Thread Kris Deugau

Ravi wrote:

Thanks Kris for your comments. Currently we scan the incoming
files(zips/archives) placed on the local hard drive with the
clamdscan(which uses clamd daemon), Can you share more info on what you
meant on handling the result differently if we are using the clamdscan?


Whatever calls clamdscan needs to look at the results in more detail, 
and instead of just blindly treating any positive result as a virus, 
check the virus "name" to see if there is some other action, or if the 
result is something that should be let past.


For instance, I've added checks to several mail systems that treat a 
resulting "virus name" of "Heuristics.Phishing.SpoofDomain" differently 
from other results, because that test (PhishingScanURLs) tends to FP on 
legitimate mail.  The test is still valuable but it's not reliable as an 
absolute black/white result.


In general, if you don't want certain things to cause false positives 
with a content filter, either:


- don't pass those things to the filter in the first place,

- handle the results from the filter differently for your problem case,

- disable the problematic test(s) in the filter

Exactly what changes you need to make for each of these will depend on 
how you're passing content to the filter, how you're accepting the scan 
results back, and how configurable the filter is.


-kgd
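As an added illustration of the glue-layer approach Kris describes (this is not his code, nor anything from the ClamAV project), the following Python classifier parses the per-file result lines that `clamdscan --no-summary` prints and maps the signature name to a site policy instead of treating every `FOUND` as malware. The policy table, sample paths and the `Example.Constructed.Trojan-1` name are constructed for the example; the only real signature names are the two discussed in this thread.

```python
"""Post-process clamdscan output instead of treating every FOUND as malware."""
import re
from enum import Enum

class Verdict(Enum):
    CLEAN = "clean"
    BLOCK = "block"    # real detection: reject the file
    REVIEW = "review"  # known-noisy heuristic: log it, pass for manual review
    ERROR = "error"    # scanner could not read the file: fail closed

# Policy table (constructed for this example): heuristic names this site
# treats as "review" rather than as an absolute block.
REVIEW_SIGNATURES = (
    "Heuristics.Broken.Executable",     # core dumps inside customer archives
    "Heuristics.Phishing.SpoofDomain",  # PhishingScanURLs result that FPs on real mail
)
# One clamdscan line: "<path>: <sig> FOUND", "<path>: OK" or "<path>: <msg> ERROR"
_LINE = re.compile(r"^(?P<path>.+?): (?:(?P<sig>\S+) FOUND|(?P<ok>OK)|(?P<err>.+) ERROR)$")

def classify_line(line):
    """Return (path, Verdict, signature or None) for one result line, else None."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    if m.group("ok"):
        return path, Verdict.CLEAN, None
    if m.group("err"):
        return path, Verdict.ERROR, None
    sig = m.group("sig")
    verdict = Verdict.REVIEW if sig.startswith(REVIEW_SIGNATURES) else Verdict.BLOCK
    return path, verdict, sig

def classify_output(text):
    """Parse a whole clamdscan --no-summary run into {path: (Verdict, signature)}."""
    parsed = (classify_line(l) for l in text.splitlines())
    return {p: (v, s) for p, v, s in (x for x in parsed if x)}

def overall_verdict(results):
    """Most severe verdict wins (fail closed): ERROR > BLOCK > REVIEW > CLEAN."""
    seen = {v for v, _ in results.values()}
    for v in (Verdict.ERROR, Verdict.BLOCK, Verdict.REVIEW):
        if v in seen:
            return v
    return Verdict.CLEAN

# Constructed sample output, so the classifier runs without a clamd
SAMPLE = """/srv/upload/job42/core.1234: Heuristics.Broken.Executable FOUND
/srv/upload/job42/README.txt: OK
/srv/upload/job42/dropper.exe: Example.Constructed.Trojan-1 FOUND
/srv/upload/job42/locked.bin: Access denied. ERROR
"""
```

In production the caller feeds the stdout of `subprocess.run(["clamdscan", "--no-summary", path], ...)` to `classify_output` and acts on `overall_verdict`; a scanner ERROR is deliberately ranked above a detection so an unreadable file is never let through as clean.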



Re: [clamav-users] Heuristics.Broken.Executable FOUND for core files/core dumps

2017-11-07 Thread Ravi
Thanks Kris for your comments. Currently we scan the incoming
files (zips/archives) placed on the local hard drive with
clamdscan (which uses the clamd daemon). Can you share more info on what you
meant by handling the result differently if we are using clamdscan?

Thanks
Ravi

On Tue, Nov 7, 2017 at 5:00 AM, Kris Deugau  wrote:

> Ravi wrote:
>
>> Hi,
>>
>> Looking forward for comments and suggestions for the below reported issue
>> from the community.
>>
>
> Well, to answer your original question, it looks to me like the test is
> doing exactly what it's supposed to.  Core dumps would quite reasonably
> contain executable chunks, but may not contain the complete executable, or
> may come out with wrong code entry points, and so they are "broken" when
> assumed to be executable files.
>
> For your use case you should probably either turn this test off, or adjust
> your filter system glue layer to handle this result differently. Whether
> you can do the latter depends on how you call Clam.
>
> -kgd
>
>
>
> On Oct 27, 2017 4:09 PM, "Ravi"  wrote:
>>
>> Hi,
>>>
>>> We are seeing instances where a customer uploads zip files which
>>> contain core files/core dumps, and during scanning ClamAV is treating
>>> some of them as "Heuristics.Broken.Executable FOUND". Currently we have
>>> turned on this check in clamd.conf as below.
>>>
>>> # With this option clamav will try to detect broken executables (both PE and
>>> # ELF) and mark them as Broken.Executable.
>>> # Default: no
>>> DetectBrokenExecutables yes
>>>
>>> The question is why ClamAV is treating core files/core dumps as
>>> "Heuristics.Broken.Executable FOUND". Is it safe to turn off this setting
>>> for ClamAV? Or is there a way to skip these checks for core files/core
>>> dumps in ClamAV?
>>>
>>> Thanks
>>> Ravi
>>>
>>>

Re: [clamav-users] fail updates

2017-11-07 Thread Simon Mousey Smith
Hi,

Still having a few issues here, even after ' rm -rfv mirrors.dat '

Reading CVD header (main.cvd): WARNING: main.cvd not found on remote server
WARNING: Can't read main.cvd header from db.gb.clamav.net (IP: 193.1.193.64)

WARNING: DNS record is older than 3 hours.
WARNING: Invalid DNS reply. Falling back to HTTP mode.

Regards

Simon

> On 7 Nov 2017, at 00:41, Paul Kosinski  wrote:
> 
> I killed our "mirrors.dat" at 2017-11-06 19:35:35 (EST). It was last
> modified at 2017-11-06 18:06:29 (EST). We'll see what happens.
> 
> Paul Kosinski
> 
> 
> 
> On Mon, 6 Nov 2017 21:21:58 +
> "Joel Esler (jesler)"  wrote:
> 
>> It would be helpful, if, starting now, deleting mirrors.dat and
>> *then* telling us about failing mirrors…. Cause…. We’ve done many
>> changes in the past month, it would be good to start from a clean
>> slate.
>> 
>> 
>> --
>> Joel Esler | Talos: Manager |
>> jes...@cisco.com