Re: [clamav-users] running freshclam and 3rd party/clamav-unofficial-sigs.sh owner name changes occasionally

2020-10-09 Thread Robert Kudyba
>
> > Oct 09 04:15:56 Checking for urlhaus updates...
> > Oct 09 04:15:56 Checking for updated urlhaus database file: urlhaus.ndb
> > Oct 09 04:15:56 Testing updated urlhaus database file: urlhaus.ndb
> > Oct 09 04:15:56 Clamscan reports urlhaus urlhaus.ndb database integrity
> tested good
> > Oct 09 04:15:56 Successfully updated urlhaus production database file:
> urlhaus.ndb
> > Oct 09 04:15:56 Update(s) detected, reloading ClamAV databases
> > Oct 09 04:15:56 ClamAV databases reloading
> > Oct 09 04:15:56 Issue tracker :
> https://github.com/extremeshok/clamav-unofficial-sigs/issues
> > Oct 09 04:15:56   Powered By
> https://eXtremeSHOK.com
> >*Oct 09 05:14:02 ERROR: clam database directory (clam_dbs) not writable
> /var/lib/clamav*
>
> Looks clear that the urlhaus db was updated OK.  Does the unofficial
> update script normally take an hour to run on your system?!  The one
> we use usually takes just a few minutes.
>

My bad, in trying to economize my post. Here's the entire update-related
entry:
Oct 09 04:14:01 Preparing Databases
Oct 09 04:14:01 Fri 09 Oct 2020 04:14:01 AM EDT - Pausing database file
updates for 114 seconds...
Oct 09 04:15:55 Fri 09 Oct 2020 04:15:55 AM EDT - Pause complete, checking
for new database files...
Oct 09 04:15:55 Sanesecurity Database File Updates
Oct 09 04:15:55 2 hours have not yet elapsed since the last Sanesecurity
update check
Oct 09 04:15:55 No update check was performed at this time
Oct 09 04:15:55 Next check will be performed in approximately 1 hour(s), 6
minute(s)
Oct 09 04:15:55 SecuriteInfo Database File Updates
Oct 09 04:15:55 4 hours have not yet elapsed since the last SecuriteInfo
update check
Oct 09 04:15:55 No update check was performed at this time
Oct 09 04:15:55 Next check will be performed in approximately 3 hour(s), 6
minute(s)
Oct 09 04:15:55 LinuxMalwareDetect Database File Updates
Oct 09 04:15:55 Checking for LinuxMalwareDetect updates...
Oct 09 04:15:56 No LinuxMalwareDetect database file updates found
Oct 09 04:15:56 MalwarePatrol Database File Updates
Oct 09 04:15:56 24 hours have not yet elapsed since the last malwarepatrol
update check
Oct 09 04:15:56 No update check was performed at this time
Oct 09 04:15:56 Next check will be performed in approximately 7 hour(s), 0
minute(s)
Oct 09 04:15:56 Yara-Rules Database File Updates
Oct 09 04:15:56 Checking for urlhaus updates...
Oct 09 04:15:56 Checking for updated urlhaus database file: urlhaus.ndb
Oct 09 04:15:56 Testing updated urlhaus database file: urlhaus.ndb
Oct 09 04:15:56 Clamscan reports urlhaus urlhaus.ndb database integrity
tested good
Oct 09 04:15:56 Successfully updated urlhaus production database file:
urlhaus.ndb
Oct 09 04:15:56 Update(s) detected, reloading ClamAV databases
Oct 09 04:15:56 ClamAV databases reloading


> > ... perhaps I should contact the ExtremeSHOK contributors ...
>
> I'd have said so, yes.
>

Well, they may have an idea, but I'm starting to think it's not related to
their script. After all, the username clamupdate does not come from their
script.

>
> > perhaps there's some debug option that I'm not aware of?
>
> It's just a shell script, you could edit it to put debugging things in
> there if you're comfortable with hacking shell scripts.  Does it give
> usage help if run with no arguments?  Does it have the '-i' option?
>

Indeed I see some options here:
https://github.com/extremeshok/clamav-unofficial-sigs

So next time it happens I can try some of these:
-v, --verbose Be verbose, enabled when not run under cron
-i, --information Output system and configuration information for viewing
or possible debugging purposes
-t, --test-database Clamscan integrity test a specific database file eg:
'-t filename.ext' (do not include file path)
--check-clamav If ClamD status check is enabled and the socket path is
correctly specifiedthen (sic) test to see if clamd is running or not

Here's what the -i option returns:
su - clamav -s /bin/bash -c '/usr/local/sbin/clamav-unofficial-sigs.sh -i'

 eXtremeSHOK.com ClamAV Unofficial Signature Updater
 Version: v7.0.1 (2020-01-25)
 Required Configuration Version: v91
 Copyright (c) Adrian Jon Kriel :: ad...@extremeshok.com

Loading config: /etc/clamav-unofficial-sigs/master.conf
Loading config: /etc/clamav-unofficial-sigs/os.conf
Loading config: /etc/clamav-unofficial-sigs/user.conf

*** SCRIPT INFOR

Re: [clamav-users] running freshclam and 3rd party/clamav-unofficial-sigs.sh owner name changes occasionally

2020-10-09 Thread G.W. Haywood via clamav-users

Hello again,

On Fri, 9 Oct 2020, Robert Kudyba wrote:


... today when it started:
Oct 09 04:15:56 Checking for urlhaus updates...
Oct 09 04:15:56 Checking for updated urlhaus database file: urlhaus.ndb
Oct 09 04:15:56 Testing updated urlhaus database file: urlhaus.ndb
Oct 09 04:15:56 Clamscan reports urlhaus urlhaus.ndb database integrity tested 
good
Oct 09 04:15:56 Successfully updated urlhaus production database file: 
urlhaus.ndb
Oct 09 04:15:56 Update(s) detected, reloading ClamAV databases
Oct 09 04:15:56 ClamAV databases reloading
Oct 09 04:15:56 Issue tracker : 
https://github.com/extremeshok/clamav-unofficial-sigs/issues
Oct 09 04:15:56   Powered By https://eXtremeSHOK.com
*Oct 09 05:14:02 ERROR: clam database directory (clam_dbs) not writable 
/var/lib/clamav*


Looks clear that the urlhaus db was updated OK.  Does the unofficial
update script normally take an hour to run on your system?!  The one
we use usually takes just a few minutes.


... perhaps I should contact the ExtremeSHOK contributors ...


I'd have said so, yes.


perhaps there's some debug option that I'm not aware of?


It's just a shell script, you could edit it to put debugging things in
there if you're comfortable with hacking shell scripts.  Does it give
usage help if run with no arguments?  Does it have the '-i' option?


... I do see:
systemctl status clam
clamav-clamonacc.service
clamav-unofficial-sigs.service
clamd.service
clamav-freshclam.service
clamav-unofficial-sigs.timer
clam-freshclam.service
clamav-milter.service
clamd@scan.service
clamonacc.service


I don't use any of that stuff, I like to know what's going on.  It
might be worth disabling all the service frippery and starting the
daemons from the command line to see if it behaves any differently.


I see Fangfrisch is being
maintained as an alternative. Haven't tried it yet.


It might not be time to throw out the baby just yet, before swapping
one lot of unknowns for another lot of unknowns I'd definitely try a
bit of investigative work.  After all other people use this stuff.  If
extra logging, disabling services etc don't lead you anywhere it might
be worth purging and reinstalling all the implicated packages.

--

73,
Ged.

___

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] recently noted that scanning firefox browser cache reports many errors

2020-10-09 Thread G.W. Haywood via clamav-users

Hello again,

On Fri, 9 Oct 2020, mum laris via clamav-users wrote:


gzip -vtl FF13A1C7B9A4E5C26BE58596DF7F58E6CCB3F19F

method  crc      date    time  compressed  uncompressed ...
defla   00310064 Oct 6   18:52     435807    1383269888 ...


A 1.4Gbyte file compressed down to 436kbytes?  Seems unlikely.

--

73,
Ged.



Re: [clamav-users] running freshclam and 3rd party/clamav-unofficial-sigs.sh owner name changes occasionally

2020-10-09 Thread Robert Kudyba
>
> Every few weeks I'll start seeing this error:
> >
> > ERROR: clam database directory (clam_dbs) not writable /var/lib/clamav
> > ...
> > -rw-r--r--  1 clamupdate clamupdate    296388 Sep 19  2019 bytecode.cvd
> > -rw-r--r--  1 clamupdate clamupdate 112832258 Sep 17 09:53 daily.cvd
> > -rw-r--r--  1 clamupdate clamupdate 117859675 Nov 25  2019 main.cvd
> > ...
> > I've tried grepping for the clamupdate user in all the .conf files and
> > anywhere it appears it's commented out. Any other places to look?
>
> It's a little bit concerning because if something is changing ownership
> of the files then (a) it looks like it's running with root permissions
> and (b) you don't know what it is.
>
> Are you sure that you don't have something else running which sets the
> permissions?


That's what I'm trying to figure out. I've looked through the crontab
files, e.g., in /etc/conf*, bubcus



> Are there logs going back far enough to give you a good
> feel for exactly when it happens?


I believe so and I have access to the backups which go back at least a
year. That's why I pointed to this log:
 /var/log/clamav-unofficial-sigs/clamav-unofficial-sigs.log

And today when it started:
Oct 09 04:15:56 Checking for urlhaus updates...
Oct 09 04:15:56 Checking for updated urlhaus database file: urlhaus.ndb
Oct 09 04:15:56 Testing updated urlhaus database file: urlhaus.ndb
Oct 09 04:15:56 Clamscan reports urlhaus urlhaus.ndb database integrity
tested good
Oct 09 04:15:56 Successfully updated urlhaus production database file:
urlhaus.ndb
Oct 09 04:15:56 Update(s) detected, reloading ClamAV databases
Oct 09 04:15:56 ClamAV databases reloading
Oct 09 04:15:56 Issue tracker :
https://github.com/extremeshok/clamav-unofficial-sigs/issues
Oct 09 04:15:56   Powered By https://eXtremeSHOK.com
*Oct 09 05:14:02 ERROR: clam database directory (clam_dbs) not writable
/var/lib/clamav*

So between 4:15 and 5:15 AM today (EDT).

> If it were my problem I'd probably
> start with some simple logging so it was more clear what happened when;
> something like a cron job which just makes a listing of the permissions
> every minute, appending it to a file in /var/log.  Something like this
> in a crontab:
>
> * * * * *  /bin/echo -n "$(/bin/date) " >> /var/log/clam_perms.log ; \
> /bin/ls -l /var/lib/clamav >> /var/log/clam_perms.log
>

I'll consider this too, perhaps I should contact the ExtremeSHOK
contributors at https://github.com/extremeshok/clamav-unofficial-sigs? Or
perhaps there's some debug option that I'm not aware of? In
/etc/clamav-unofficial-sigs/master.conf
I have:
logging_enabled="yes"
log_file_path="/var/log/clamav-unofficial-sigs"
log_file_name="clamav-unofficial-sigs.log"


> If you just want to paper over the cracks you could for example make a
> wrapper for the update script which sets permissions before running it,
> or run another script before invocations of the update script so that
> the permissions are set first, or hack the update script itself.  You
> could even use 'chattr' to make the permissions unchangeable.
>

Yeah I've used the chattr option in other areas, perhaps some logging would
appear if I take this approach.

Later on Fri, 9 Oct 2020, Robert Kudyba wrote:
>
> > The only reference to clamupdate I see are in the various config
> > files, e.g., clamav.conf ...
>
> I'm puzzled.  Why is there a reference to the 'clamupdate' user in a
> file called 'clamav.conf' (which I take to be a bowdlerized version of
> something like clamd.conf) if you don't use the 'clamupdate' user ID?
>

Sure looks like earlier versions of Fedora did this according to this bug
report and this discussion on Fedora Project.

Ha, bowdlerized: (of a text or account) having had material considered
improper or offensive removed.


> It makes me wonder if there have been changes from some original setup
> which did employ that user and which haven't all been flushed through,
> or if something else has modified the ClamAV configuration files that
> you don't know about.
>

I believe I configured and installed it myself less than 2 years ago but
perhaps when I restored some files from a backup I added some old config
files and or/services? I do see:
systemctl status clam
clamav-clamonacc.service
clamav-unofficial-sigs.service
clamd.service
clamav-freshclam.service
clamav-unofficial-sigs.timer
clam-freshclam.service
clamav-milter.service
clamd@scan.service
clamonacc.service

Only clamav-milter, clamd@scan.service and clamav-freshclam.service are
active.

> Years ago I had trouble with the forerunner to the extremeshock script
> which resulted in execute bits from scripts getting lost, but that's a
> bit different from what you're seeing and it was 

Re: [clamav-users] recently noted that scanning firefox browser cache reports many errors

2020-10-09 Thread mum laris via clamav-users

Hi!

On 08/10/20 19:31, G.W. Haywood via clamav-users wrote:

Hi there,

On Thu, 8 Oct 2020, mum laris via clamav-users wrote:
[...]



Not at all what I meant.  In the distribution, these default to 'yes':

8<--
$ grep '#Alert' /usr/local/etc/clamd.conf.sample 
#AlertBrokenExecutables yes

#AlertEncrypted yes
#AlertEncryptedArchive yes
#AlertEncryptedDoc yes
#AlertOLE2Macros yes
#AlertPhishingSSLMismatch yes
#AlertPhishingCloak yes
#AlertPartitionIntersection yes
#AlertExceedsMax yes
8<--

but in your clamconf output I see this:

8<--
$ grep Alert clamconf
AlertExceedsMax disabled
HeuristicAlerts = "yes"
AlertBrokenExecutables disabled
AlertEncrypted disabled
AlertEncryptedArchive disabled
AlertEncryptedDoc disabled
AlertOLE2Macros disabled
AlertPhishingSSLMismatch disabled
AlertPhishingCloak disabled
AlertPartitionIntersection disabled
8<--

You might want to know about some of those things rather than have
clamd potentially ignore them, especially if you have Windoze boxes.


Trying new features enabled ... I'll let You know!




/dev/sdaX: clean, 545729/6553600 files, 21748990/26214400 blocks


OK.  I hope the SSD is backed up regularly to some other medium.

twice in a year... no more! :)



file FF13A1C7B9A4E5C26BE58596DF7F58E6CCB3F19F
FF13A1C7B9A4E5C26BE58596DF7F58E6CCB3F19F: gzip compressed data, from 
Unix

...
... please let me know if You think further analysis' needed.


Well it's a compressed file, you could try testing it using gzip.
Check the gzip man page for how to do that.  If it tests out OK then
you could extract the contents (gunzip) and see if it's anything you
can make sense of.  If not a little more digging might be needed.


from size ... may be a youtube cached file as You supposed from starting?

If answer is yes I doubt to be able to rebuild it... :)

> gzip -vtl FF13A1C7B9A4E5C26BE58596DF7F58E6CCB3F19F

method  crc      date    time  compressed  uncompressed  ratio   uncompressed_name
defla   00310064 Oct  6  18:52     435807    1383269888  100.0%  FF13A1C7B9A4E5C26BE58596DF7F58E6CCB3F19F



So you're no more relaxing my thoughts...


That's good. :)


Thanks anyway!

:)




Re: [clamav-users] running freshclam and 3rd party/clamav-unofficial-sigs.sh owner name changes occasionally

2020-10-09 Thread G.W. Haywood via clamav-users

Hi there,

On Fri, 9 Oct 2020, Robert Kudyba wrote:


Running ClamAV 103.0-1 on Fedora, I have freshclam
and clamav-unofficial-sigs.sh from
https://github.com/extremeshok/clamav-unofficial-sigs
...
Every few weeks I'll start seeing this error:

ERROR: clam database directory (clam_dbs) not writable /var/lib/clamav
...
-rw-r--r--  1 clamupdate clamupdate    296388 Sep 19  2019 bytecode.cvd
-rw-r--r--  1 clamupdate clamupdate 112832258 Sep 17 09:53 daily.cvd
-rw-r--r--  1 clamupdate clamupdate 117859675 Nov 25  2019 main.cvd
...
I've tried grepping for the clamupdate user in all the .conf files and
anywhere it appears it's commented out. Any other places to look?


It's a little bit concerning because if something is changing ownership
of the files then (a) it looks like it's running with root permissions
and (b) you don't know what it is.

Are you sure that you don't have something else running which sets the
permissions?  Are there logs going back far enough to give you a good
feel for exactly when it happens?  If it were my problem I'd probably
start with some simple logging so it was more clear what happened when;
something like a cron job which just makes a listing of the permissions
every minute, appending it to a file in /var/log.  Something like this
in a crontab:

* * * * *  /bin/echo -n "$(/bin/date) " >> /var/log/clam_perms.log ; \
/bin/ls -l /var/lib/clamav >> /var/log/clam_perms.log

If you just want to paper over the cracks you could for example make a
wrapper for the update script which sets permissions before running it,
or run another script before invocations of the update script so that
the permissions are set first, or hack the update script itself.  You
could even use 'chattr' to make the permissions unchangeable.

Later on Fri, 9 Oct 2020, Robert Kudyba wrote:


The only reference to clamupdate I see are in the various config
files, e.g., clamav.conf ...


I'm puzzled.  Why is there a reference to the 'clamupdate' user in a
file called 'clamav.conf' (which I take to be a bowdlerized version of
something like clamd.conf) if you don't use the 'clamupdate' user ID?
It makes me wonder if there have been changes from some original setup
which did employ that user and which haven't all been flushed through,
or if something else has modified the ClamAV configuration files that
you don't know about.

Years ago I had trouble with the forerunner to the extremeshock script
which resulted in execute bits from scripts getting lost, but that's a
bit different from what you're seeing and it was over a decade ago.  I
spent some time with Bill Landry who wrote the original and eventually
we got it fixed.  I only mention it because this is eerily similar.

--

73,
Ged.

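Ged's one-line cron job above (and the same suggestion quoted in Robert's reply earlier on this page) can be grown into a small watcher that records a timestamped ownership snapshot every minute, reports files not owned by the expected user, and reads the accumulated log back to find the first minute at which a file's owner changed. This is an added example, not code from the thread or from the clamav-unofficial-sigs project; it assumes GNU coreutils (`stat -c`, as on Fedora), the script name and function names are hypothetical, and the sample log lines are constructed for illustration.

```bash
#!/bin/bash
# clam_perms_watch.sh (hypothetical name): snapshot ownership of the ClamAV
# database files, flag files not owned by the expected user, and find the
# first minute at which a file's owner changed. Added example, not from the
# thread or the clamav-unofficial-sigs project; assumes GNU coreutils (stat -c).
CLAM_DB_DIR="${CLAM_DB_DIR:-/var/lib/clamav}"          # paths from the thread
CLAM_PERMS_LOG="${CLAM_PERMS_LOG:-/var/log/clam_perms.log}"

# snapshot DIR: print one line per regular file in DIR:
#   <epoch-seconds> <owner> <group> <octal-mode> <path>
# Fields are whitespace separated; ClamAV database names contain no spaces.
snapshot() {
    now=$(date +%s)
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        stat -c "$now %U %G %a %n" "$f"
    done
}

# wrong_owner DIR USER: print each file in DIR not owned by USER.
# Returns 0 when every file is owned by USER, 1 otherwise.
wrong_owner() {
    bad=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        owner=$(stat -c %U "$f")
        if [ "$owner" != "$2" ]; then
            echo "$f owned by $owner, expected $2"
            bad=1
        fi
    done
    return $bad
}

# first_change LOG PATH: print the epoch time of the first snapshot in LOG
# where PATH's owner:group differs from the previous snapshot. Prints
# nothing and returns 1 if the ownership never changed.
first_change() {
    awk -v name="$2" '
        $5 == name {
            cur = $2 ":" $3
            if (prev != "" && cur != prev) { print $1; found = 1; exit }
            prev = cur
        }
        END { exit found ? 0 : 1 }' "$1"
}

# Constructed sample log: two snapshots one minute apart; main.cvd changes
# from clamav to clamupdate in the second one.
SAMPLE_LOG='1602231300 clamav clamav 644 /var/lib/clamav/daily.cvd
1602231300 clamav clamav 644 /var/lib/clamav/main.cvd
1602231360 clamav clamav 644 /var/lib/clamav/daily.cvd
1602231360 clamupdate clamupdate 644 /var/lib/clamav/main.cvd'

# demo: run first_change over the constructed log; prints 1602231360.
demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$tmp"
    first_change "$tmp" /var/lib/clamav/main.cvd
    rm -f "$tmp"
}

# Cron usage: "* * * * * root /usr/local/sbin/clam_perms_watch.sh snapshot >> /var/log/clam_perms.log"
case "${1:-}" in
    snapshot) snapshot "$CLAM_DB_DIR" ;;
    check)    wrong_owner "$CLAM_DB_DIR" "${2:-clamav}" ;;
    when)     first_change "$CLAM_PERMS_LOG" "${2:-}" ;;
    demo)     demo ;;
esac
```

Once the log has a few days of snapshots, `clam_perms_watch.sh when /var/lib/clamav/main.cvd` narrows the change to a one-minute window that can be matched against cron, journal and freshclam logs.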


Re: [clamav-users] running freshclam and 3rd party/clamav-unofficial-sigs.sh owner name changes occasionally

2020-10-09 Thread Robert Kudyba
>
> > Every few weeks I'll start seeing this error:
> >
> > ERROR: clam database directory (clam_dbs) not writable /var/lib/clamav
> >
> > Running this fixes it:
> > su clamav -s '/usr/local/sbin/clamav-unofficial-sigs.sh'
> >
> > Here are the files not owned by clamav:
> > -rw-r--r--  1 clamupdate clamupdate    296388 Sep 19  2019 bytecode.cvd
> > -rw-r--r--  1 clamupdate clamupdate 112832258 Sep 17 09:53 daily.cvd
> > -rw-r--r--  1 clamupdate clamupdate 117859675 Nov 25  2019 main.cvd
> >
> At first glance it appears someone is running "freshclam" manually as
> clamupdate/clamupdate.
>
> Is there only one "freshclam" binary on the system?
>

Yes:
ls -l /usr/bin/freshclam*
-rwxr-xr-x 1 root root 45816 Oct  5 14:05 /usr/bin/freshclam

> Is it running as a daemon or being invoked by some other method(s)?
>
Via systemctl:
clamav    937912  0.0  0.0 102816 15860 ?  Ss   04:46   0:04
/usr/bin/freshclam -d --foreground=true

systemctl status clamav-freshclam.service
● clamav-freshclam.service - ClamAV virus database updater
 Loaded: loaded (/usr/lib/systemd/system/clamav-freshclam.service;
enabled; vendor preset: disabled)
 Active: active (running) since Fri 2020-10-09 04:46:04 EDT; 6h ago
   Docs: man:freshclam(1)
 man:freshclam.conf(5)
 https://www.clamav.net/documents
   Main PID: 937912 (freshclam)
  Tasks: 1 (limit: 154197)
 Memory: 337.2M
 CGroup: /system.slice/clamav-freshclam.service
 └─937912 /usr/bin/freshclam -d --foreground=true

And the other one is disabled:
systemctl status clam-freshclam.service
● clam-freshclam.service - freshclam scanner
 Loaded: loaded (/usr/lib/systemd/system/clam-freshclam.service;
disabled; vendor preset: disabled)
 Active: inactive (dead)


> Is there another that is set{g,u}id clamupdate?
>
> Oh, what binaries *are* set{g,u}id clamupdate?
>
> And who/what regularly uses the "clamupdate" id?
>

None that I know of. The only reference to clamupdate I see are in the
various config files, e.g., clamav.conf and the 3rd party conf files in
/etc/clamav-unofficial-sigs/

I can track down that this started early this morning:
Oct 09 05:14:02 ERROR: clam database directory (clam_dbs) not writable
/var/lib/clamav

But the only thing in the cron log file at that time is this 3rd
party update:

Oct  9 05:01:01 ourserver CROND[948241]: (root) CMD (run-parts
/etc/cron.hourly)
Oct  9 05:01:01 ourserver run-parts[948241]: (/etc/cron.hourly) starting
0anacron
Oct  9 05:01:01 ourserver run-parts[948241]: (/etc/cron.hourly) finished
0anacron
Oct  9 05:14:01 ourserver CROND[956493]: (clamav) CMD ([ -x
/usr/local/sbin/clamav-unofficial-sigs.sh ] && /usr/bin/bash
/usr/local/sbin/clamav-unofficial-sigs.sh)

I also see this:
cat /etc/cron.d/clamav-unofficial-sigs
14 * * * *  clamav [ -x /usr/local/sbin/clamav-unofficial-sigs.sh ] &&
/usr/bin/bash /usr/local/sbin/clamav-unofficial-sigs.sh

and a while back I added clamav to the clamupdate group to try to work
around this:

grep clamupdate /etc/passwd
clamupdate:x:983:979:Clamav database update
user:/var/lib/clamav:/sbin/nologin

grep 979  /etc/group
clamupdate:x:979:clamav



Re: [clamav-users] running freshclam and 3rd party/clamav-unofficial-sigs.sh owner name changes occasionally

2020-10-09 Thread Gary R. Schmidt

On 10/10/2020 01:10, Robert Kudyba wrote:
Running ClamAV 103.0-1 on Fedora, I have freshclam 
and clamav-unofficial-sigs.sh from 
https://github.com/extremeshok/clamav-unofficial-sigs 



Every few weeks I'll start seeing this error:

ERROR: clam database directory (clam_dbs) not writable /var/lib/clamav

Running this fixes it:
su clamav -s '/usr/local/sbin/clamav-unofficial-sigs.sh'

Here are the files not owned by clamav:
-rw-r--r--  1 clamupdate clamupdate    296388 Sep 19  2019 bytecode.cvd
-rw-r--r--  1 clamupdate clamupdate 112832258 Sep 17 09:53 daily.cvd
-rw-r--r--  1 clamupdate clamupdate 117859675 Nov 25  2019 main.cvd

At first glance it appears someone is running "freshclam" manually as 
clamupdate/clamupdate.


Is there only one "freshclam" binary on the system?

Is it running as a daemon or being invoked by some other method(s)?

Is there another that is set{g,u}id clamupdate?

Oh, what binaries *are* set{g,u}id clamupdate?

And who/what regularly uses the "clamupdate" id?

Cheers,
GaryB-)




[clamav-users] running freshclam and 3rd party/clamav-unofficial-sigs.sh owner name changes occasionally

2020-10-09 Thread Robert Kudyba
Running ClamAV 103.0-1 on Fedora, I have freshclam
and clamav-unofficial-sigs.sh from
https://github.com/extremeshok/clamav-unofficial-sigs

Every few weeks I'll start seeing this error:

ERROR: clam database directory (clam_dbs) not writable /var/lib/clamav

Running this fixes it:
su clamav -s '/usr/local/sbin/clamav-unofficial-sigs.sh'

Here are the files not owned by clamav:
-rw-r--r--  1 clamupdate clamupdate    296388 Sep 19  2019 bytecode.cvd
-rw-r--r--  1 clamupdate clamupdate 112832258 Sep 17 09:53 daily.cvd
-rw-r--r--  1 clamupdate clamupdate 117859675 Nov 25  2019 main.cvd

In /etc/freshclam.conf I have:
DatabaseDirectory /var/lib/clamav
DatabaseOwner clamav

And in ExtremeSHOK I have these settings:
/etc/clamav-unofficial-sigs/user.conf:clam_user="clamav"
/etc/clamav-unofficial-sigs/user.conf:clam_group="clamav"
/etc/clamav-unofficial-sigs/master.conf:clam_user="clamav"
/etc/clamav-unofficial-sigs/master.conf:clam_group="clamav"

Clamd setting:
/etc/clamd.d/scan.conf:User clamav

ps -auwx|grep -i clam
clamav    937639  0.3  1.5 2464352 1981128 ?  Ssl  04:45   1:06
/usr/sbin/clamd -c /etc/clamd.d/scan.conf
clamav    937912  0.0  0.0   27856   12772 ?  Ss   04:46   0:00
/usr/bin/freshclam -d --foreground=true
clamilt   938023  0.0  0.0  249988    1448 ?  Ssl  04:46   0:00
/usr/sbin/clamav-milter -c /etc/mail/clamav-milter.conf

I've tried grepping for the clamupdate user in all the .conf files and
anywhere it appears it's commented out. Any other places to look?
