Re: [clamav-users] Clamav error using YARA
Hi there,

On Sun, 10 Nov 2019, Philippe Lefèvre wrote:

> For some time (less than a month I think) I now get this message when I launch a directory scan.
>
> LibClamAV Error: yyerror(): /var/lib/clamav/rfxn.yara line 8955 undefined identifier "is__elf"
> LibClamAV Warning: cli_loadyara: failed to parse or load 1 yara rules from file /var/lib/clamav/rfxn.yara, successfully loaded 784 rules.

Please post the output of

grep -n is__elf /var/lib/clamav/rfxn.yara

--

73,
Ged.

___
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] LibClamAV Error: cli_scangpt: could not determine sector size
Hi there,

On Mon, 11 Nov 2019, Michael Newman via clamav-users wrote:

> > On Nov 11, 2019, at 00:00, G.W. Haywood wrote:
> >
> > Exactly what do you do in order to obtain this message? Does it appear in a terminal session, in a log file,…?
>
> I run clamscan from a bash script with this command:
>
> /opt/local/bin/clamscan -r --quiet -i -l $log $scandir --exclude-dir="$exclude" --exclude-dir="$exclude2" --stdout >>$log 2>&1

That leaves quite a lot to the imagination. :/

Ideally we'd want to know the values of all the variables in the command. It doesn't much matter about $log, but $scandir and the two '$exclude's are important.

> I have no idea if the MacPorts reclaim removed all of clamav.

I think you might need to look into that, I'm sure there must be adequate documentation. But to avoid any geese-chasing it would be better not to jump to any conclusions about broken installations at this stage. It might not be broken, it might just be scanning in a different way from how it used to be, or something in the filesystem might have changed.

The error message seems to be telling us that you're scanning a disc partition rather than a file, and I wonder if for example one of the '$exclude's is not being set correctly - this might for example result in asking to scan something like partitions in '/dev' when you don't intend to. If they're scanning filesystems, most people will just scan the files, not the partitions. You may have particular requirements, but if you do I'd have expected that you would have mentioned that by now.

> Is there something I can do to have clamscan give me more information about the sector size problem?

The 'man' pages for the various ClamAV tools are a very good resource. If you remove the '-i' it may let you see what's being scanned at the time of the error. If it's as simple as something that shouldn't be scanned then maybe you'll see that and that might lead to something like a failure to set an $exclude in the script or whatever calls it.

If that doesn't help you might replace '--quiet' with '--debug' and run the command, but I don't know how much help that will be. And be aware that making deductions from what you see in the log files isn't always straightforward.

I have to say I'm no fan of scanning Unix-type filesystems like this.

--

73,
Ged.
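The failure mode Ged describes (an unset variable turning the wrapper's clamscan invocation into a scan of something it was never meant to touch) can be caught before clamscan runs. The following is an added example, not code from the thread or from ClamAV; it assumes the variable names from Mike's command (scandir, exclude, exclude2, log) and only prints the assembled command line instead of executing it.

```shell
#!/bin/sh
# Added example: sanity-check the variables a wrapper script feeds to
# clamscan before the command line is built, so an empty $scandir or
# $exclude never reaches clamscan unnoticed.

# Accept only an existing directory that is not a device node, so a
# partition under /dev is never handed to clamscan by mistake.
check_scan_target() {
    target=$1
    [ -n "$target" ] || { echo "scan target is unset or empty" >&2; return 1; }
    if [ -b "$target" ] || [ -c "$target" ]; then
        echo "refusing to scan device node: $target" >&2
        return 1
    fi
    [ -d "$target" ] || { echo "not a directory: $target" >&2; return 1; }
    return 0
}

# Turn the exclude variables into --exclude-dir options. An unset or
# empty value is treated as an error rather than silently passed on as
# an empty pattern, which is not what the script intends.
build_exclude_args() {
    out=""
    for pat in "$@"; do
        [ -n "$pat" ] || { echo "empty exclude pattern" >&2; return 1; }
        out="$out --exclude-dir=$pat"
    done
    printf '%s' "${out# }"
}

# Assemble the full command line (printed here, not executed).
# Arguments: clamscan path, scandir, exclude, exclude2, log file.
build_clamscan_cmd() {
    check_scan_target "$2" || return 1
    ex=$(build_exclude_args "$3" "$4") || return 1
    printf '%s -r --quiet -i -l %s %s %s --stdout\n' "$1" "$5" "$2" "$ex"
}
```

Dropping the `--quiet` and `-i` flags while reproducing the problem, as Ged suggests, then shows which path clamscan was on when the sector-size error appeared.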
[clamav-users] Clamav error using YARA
Hello,

For some time (less than a month I think) I now get this message when I launch a directory scan.

LibClamAV Error: yyerror(): /var/lib/clamav/rfxn.yara line 8955 undefined identifier "is__elf"
LibClamAV Warning: cli_loadyara: failed to parse or load 1 yara rules from file /var/lib/clamav/rfxn.yara, successfully loaded 784 rules.

-- SCAN SUMMARY ---
Known viruses: 6703721
Engine version: 0.101.4
Scanned directories: 27
Scanned files: 341
Infected files: 0
Data scanned: 1602.74 MB
Data read: 1514.41 MB (ratio 1.06:1)
Time: 652.779 sec (10 m 52 s)

Has anyone already encountered this? Is there something I could do to fix it?

Thanks for your advice.

Kind regards
Philippe
Re: [clamav-users] LibClamAV Error: cli_scangpt: could not determine sector size
> On Nov 11, 2019, at 00:00, G.W. Haywood wrote:
>
> Exactly what do you do in order to obtain this message? Does it appear in a terminal session, in a log file,…?

I run clamscan from a bash script with this command:

/opt/local/bin/clamscan -r --quiet -i -l $log $scandir --exclude-dir="$exclude" --exclude-dir="$exclude2" --stdout >>$log 2>&1

The message appears in the log file.

I’ve been using clamav for about a year now and didn’t have this error message before the reinstall. I originally installed clamav using MacPorts about a year ago. I have no idea if the MacPorts reclaim removed all of clamav. "reclaim" is used to remove ports that do not have any dependents and which were not originally installed based on a user request. Since I did install clamav, the fact that clamav was not listed as requested may be a bug in MacPorts which seems to have already been reported.

Is there something I can do to have clamscan give me more information about the sector size problem?

Mike Newman
Korat, Thailand
Re: [clamav-users] strace - select(13, [12], NULL, NULL, NULL) = -1 EBADF (Bad file descriptor) <0.000017>
update: I have now managed to recreate this issue on different hardware, I can also simulate the sys load issues once the clamd process is in its EBADF state. I am still unable to trigger this issue, it seems to happen at random, however we have now noticed the problems on more VMs running all sorts of management applications.

Any ideas how I can debug this further to see what may be triggering the problem? I haven't yet found any other references to this issue on the internet.

thanks
Tim

-Original Message-
From: Tim Stubbs
To: ClamAV users ML
Cc: G.W. Haywood
Subject: Re: [clamav-users] strace - select(13, [12], NULL, NULL, NULL) = -1 EBADF (Bad file descriptor) <0.17>
Date: Fri, 08 Nov 2019 12:19:27 +

thanks for the response; we are experiencing this issue on a fresh install VM, a Java application VM & a Jump server with gnome. a mix of 2 and 4 core VMs with 2, 4 & 6GB RAM

[root@xxx]# uname -a
Linux xx 3.10.0-1062.1.1.el7.x86_64 #1 SMP Fri Sep 13 22:55:44 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
[root@x ]# cat /etc/centos-release
CentOS Linux release 7.7.1908 (Core)

# Config
LogFile /var/log/clamav/clamav.log
LogFileUnlock yes
LogFileMaxSize 10M
LogTime yes
LogSyslog no
LogRotate no
ExtendedDetectionInfo yes
PidFile /var/run/clamd.scan/clamd.pid
DatabaseDirectory /var/lib/clamav
LocalSocket /var/run/clamd.scan/clamd.sock
LocalSocketGroup virusgroup
LocalSocketMode 666
FixStaleSocket yes
MaxThreads 10
ReadTimeout 180
SendBufTimeout 200
MaxQueue 100
ExcludePath ^/proc/
ExcludePath ^/sys/
ExcludePath ^/root/
ExcludePath ^/var\/lib\/openvas\/plugins/
ExcludePath ^/opt\/metasploit/
ExcludePath ^/var\/mqm/
ExcludePath ^/var\/lib\/mysql/
ExcludePath ^/glusterfs/
ExcludePath ^/mnt/
ExcludePath ^/nfs/
ExcludePath ^/tmp\/clamav-.*/
MaxDirectoryRecursion 20
FollowDirectorySymlinks no
FollowFileSymlinks no
SelfCheck 600
ExitOnOOM yes
User root
ScanMail yes
ScanHTML yes
ScanOLE2 yes
ScanArchive yes
ForceToDisk no
ScanOnAccess yes
OnAccessIncludePath /bin
OnAccessIncludePath /boot
OnAccessIncludePath /etc
OnAccessIncludePath /home
OnAccessIncludePath /media
OnAccessIncludePath /mnt
OnAccessIncludePath /opt
OnAccessIncludePath /root
OnAccessIncludePath /sbin
OnAccessIncludePath /sftp
OnAccessIncludePath /usr
OnAccessExcludePath /opt/tomcat/.m2/repository
OnAccessExcludeRootUID yes
OnAccessMaxFileSize 5M
OnAccessDisableDDD no
OnAccessExtraScanning yes
DisableCertCheck no

I've got a few more bits of information:
- the FD it is missing is for 'anon_inode:inotify'

healthy system:

[root@ ]# ls -l /proc/226347/fd
total 0
lr-x--. 1 root root 64 Nov 8 06:41 0 -> /dev/null
l-wx--. 1 root root 64 Nov 8 06:41 1 -> /dev/null
l-wx--. 1 root root 64 Nov 8 06:41 10 -> pipe:[2543521]
lrwx--. 1 root root 64 Nov 8 06:41 11 -> anon_inode:[fanotify]
lr-x--. 1 root root 64 Nov 8 06:41 12 -> anon_inode:inotify
l-wx--. 1 root root 64 Nov 8 06:41 2 -> /dev/null
lr-x--. 1 root root 64 Nov 8 06:41 3 -> /var/lib/sss/mc/initgroups
lrwx--. 1 root root 64 Nov 8 06:41 4 -> socket:[2543359]
l-wx--. 1 root root 64 Nov 8 03:26 5 -> /var/log/clamav/clamav.log
lrwx--. 1 root root 64 Nov 8 06:41 6 -> socket:[2544261]
lr-x--. 1 root root 64 Nov 8 06:41 7 -> pipe:[2543520]
l-wx--. 1 root root 64 Nov 8 06:41 8 -> pipe:[2543520]
lr-x--. 1 root root 64 Nov 8 06:41 9 -> pipe:[2543521]

Broken system:

[root@xx ]# ls -l /proc/33492/fd
total 0
lr-x--. 1 root root 64 Nov 7 10:58 0 -> /dev/null
l-wx--. 1 root root 64 Nov 7 10:58 1 -> /dev/null
l-wx--. 1 root root 64 Nov 7 10:58 10 -> pipe:[788328]
lrwx--. 1 root root 64 Nov 7 10:58 11 -> anon_inode:[fanotify]
lr-x--. 1 root root 64 Nov 5 09:52 13 -> /etc/clamd.d/scan.conf
lrwx--. 1 root root 64 Nov 5 09:52 14 -> /tmp/clamav-46ff34ef6c75cb2abc0435d1056ee697.tmp
l-wx--. 1 root root 64 Nov 7 10:58 2 -> /dev/null
lr-x--. 1 root root 64 Nov 7 10:58 3 -> /var/lib/sss/mc/initgroups
lrwx--. 1 root root 64 Nov 7 10:58 4 -> socket:[790831]
l-wx--. 1 root root 64 Nov 7 10:58 5 -> /var/log/clamav/clamav.log
lrwx--. 1 root root 64 Nov 7 10:58 6 -> socket:[790832]
lr-x--. 1 root root 64 Nov 7 10:58 7 -> pipe:[788327]
l-wx--. 1 root root 64 Nov 7 10:58 8 -> pipe:[788327]
lr-x--. 1 root root 64 Nov 7 10:58 9 -> pipe:[788328]

thanks
Tim

-Original Message-
From: G.W. Haywood via clamav-users
Reply-To: ClamAV users ML
To: J.R. via clamav-users
Cc: G.W. Haywood
Subject: Re: [clamav-users] strace - select(13, [12], NULL, NULL, NULL) = -1 EBADF (Bad file descriptor) <0.17>
Date: Thu, 07 Nov 2019 15:55:29 +

Hi there,

On Thu, 7 Nov 2019, J.R. via clamav-users wrote:

> > Which brought clamd back to life and the system load returned to
> > normal. no idea is this is a OS bug, a ClamAV bug or some kind of
> > user
> > error, any help here will be appreciated.
>
> What version of ClamAV? What OS? What cust
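Tim's comparison of the two /proc/PID/fd listings (the broken clamd has kept its anon_inode:[fanotify] descriptor but lost anon_inode:inotify) can be turned into a health check that a monitoring job runs against the live daemon. The following is an added example, not code from the thread or from ClamAV; it assumes the PidFile path from Tim's configuration and uses a constructed listing, modelled on the broken one above, only to demonstrate the check offline.

```shell
#!/bin/sh
# Added example: report which anon_inode descriptors a clamd process is
# missing. In the thread's listings the healthy clamd holds both the
# fanotify and the inotify descriptor; the broken one has lost inotify.

# Reads an "ls -l /proc/PID/fd" listing on stdin. Prints the missing
# descriptor kinds and returns 1 if any are absent, 0 otherwise.
check_fd_listing() {
    listing=$(cat)
    missing=""
    for kind in 'anon_inode:[fanotify]' 'anon_inode:inotify'; do
        # Fixed-string match on the symlink target column.
        if ! printf '%s\n' "$listing" | grep -qF -- "-> $kind"; then
            missing="${missing}${missing:+ }$kind"
        fi
    done
    if [ -z "$missing" ]; then
        return 0
    fi
    printf 'missing: %s\n' "$missing"
    return 1
}

# Run the check against the live daemon, using the PidFile from the
# configuration posted in the thread (assumed default; override via $1).
check_clamd_fds() {
    pid=$(cat "${1:-/var/run/clamd.scan/clamd.pid}") || return 1
    ls -l "/proc/$pid/fd" | check_fd_listing
}

# Constructed sample (only the lines that matter) modelled on the broken
# system's listing; a real run goes through check_clamd_fds instead.
SAMPLE_BROKEN='lrwx------. 1 root root 64 Nov 7 10:58 11 -> anon_inode:[fanotify]
lr-x------. 1 root root 64 Nov 5 09:52 13 -> /etc/clamd.d/scan.conf'

printf '%s\n' "$SAMPLE_BROKEN" | check_fd_listing \
    || echo "clamd has lost an on-access descriptor; restart it and capture strace/logs"
```

Scheduling check_clamd_fds alongside the existing load alerts gives a deterministic signal for the EBADF state instead of waiting for the system load to climb.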