Re: [clamav-users] On Access Scanning as a Service
On Mon, 16 Dec 2019, Walker, Glen wrote:

> Hello fellow ClamAV users!
>
> I am trying to start clamonacc as a service and have created the following
> file: /etc/systemd/system/clamonacc.service:
>
> #
> [Unit]
> Description=ClamAV On Access Scanner
> Requires=clamav-daemon.socket
> After=syslog.target network.target clamav-daemon.service
>
> [Service]
> Type=simple
> User=root
> ExecStart=/usr/local/bin/clamonacc -F --log=/var/log/clamav/clamonacc --move=/tmp/quarantine
>
> [Install]
> WantedBy=multi-user.target
> ##
>
> I can start the service manually no problem ("systemctl start clamonacc") but
> when I enable it I get the following error on boot:
>
> ERROR: ClamClient: could not connect to remote clam daemon, Couldn't connect to server
> ERROR: Clamonacc: daemon is local, but the connection could not be established
>
> I suspect that the problem is that my clamonacc.service is trying to start
> before the clamav-daemon service/socket is properly up and running (which is
> why I am able to manually start it after the boot process has completed).
>
> Does anyone have an insight or is there a guide/example clamonacc.service
> file that I could use/follow?

See the description of Requires= in the systemd.unit man page.  It says:

    Note that requirement dependencies do not influence the order in which
    services are started or stopped. This has to be configured independently
    with the After= or Before= options. If a unit foo.service requires a unit
    bar.service as configured with Requires= and no ordering is configured
    with After= or Before=, then both units will be started simultaneously
    and without any delay between them if foo.service is activated. Often, it
    is a better choice to use Wants= instead of Requires= in order to achieve
    a system that is more robust when dealing with failing services.

So you may need to add clamav-daemon.socket explicitly to the After= line in
the unit file.
Alan Stern

___
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
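The race described in the reply is easy to check for mechanically: every unit named in Requires=/Wants=/BindsTo= that is not also named in After= may be started in parallel with the unit itself. The following is an added example, not code from the thread or from the ClamAV or systemd projects; it parses the unit file quoted above (reproduced here as constructed input) with a minimal reading of systemd's unit syntax, lists the unordered dependencies, and rewrites After= to include them. On a real host, `systemctl show -p After -p Requires clamonacc.service` shows what systemd itself computed.

```python
import re
from typing import Dict, List

# Constructed input: the unit file from the post, comment lines dropped.
POSTED_UNIT = """\
[Unit]
Description=ClamAV On Access Scanner
Requires=clamav-daemon.socket
After=syslog.target network.target clamav-daemon.service

[Service]
Type=simple
User=root
ExecStart=/usr/local/bin/clamonacc -F --log=/var/log/clamav/clamonacc --move=/tmp/quarantine

[Install]
WantedBy=multi-user.target
"""

Unit = Dict[str, Dict[str, List[str]]]


def parse_unit(text: str) -> Unit:
    """Minimal parser for systemd unit syntax: a setting repeated inside a
    section accumulates, and an empty assignment (Key=) resets the list,
    which is how systemd treats list-valued settings such as After=."""
    sections: Unit = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "":
            current[key] = []
        else:
            current.setdefault(key, []).append(value)
    return sections


def setting_list(unit: Unit, section: str, key: str) -> List[str]:
    """Flatten a space-separated list setting across repeated lines."""
    return [item for value in unit.get(section, {}).get(key, []) for item in value.split()]


DEPENDENCY_KEYS = ("Requires", "Requisite", "Wants", "BindsTo")


def unordered_dependencies(text: str) -> List[str]:
    """Units this unit pulls in but does not order itself after.  Per
    systemd.unit(5) those are started at the same time as this unit, so a
    daemon that connects to one of them during startup can race it."""
    unit = parse_unit(text)
    after = set(setting_list(unit, "Unit", "After"))
    pulled = [d for key in DEPENDENCY_KEYS for d in setting_list(unit, "Unit", key)]
    return [d for d in pulled if d not in after]


def fix_ordering(text: str) -> str:
    """Return the unit text with every unordered dependency appended to After=."""
    missing = unordered_dependencies(text)
    if not missing:
        return text
    lines = text.splitlines()
    in_unit = False
    for i, line in enumerate(lines):
        stripped = line.strip()
        if stripped.startswith("["):
            in_unit = stripped == "[Unit]"
        elif in_unit and stripped.startswith("After="):
            lines[i] = stripped + " " + " ".join(missing)
            break
    else:
        # No After= in [Unit] at all: add one directly below the section header.
        lines.insert(lines.index("[Unit]") + 1, "After=" + " ".join(missing))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("unordered:", unordered_dependencies(POSTED_UNIT))
    print(fix_ordering(POSTED_UNIT))
```

The check deliberately treats Wants= the same way as Requires=: the man page's advice to prefer Wants= only changes what happens when the dependency fails, not when it starts, so the After= line is still needed.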
Re: [clamav-users] unexplainable tar behaviour
On Tue, 29 Oct 2019, Steffen Sledz wrote:

> We've a really unexplainable behaviour related to clamdscan and tar.
>
> There's a tree of subdirs and files.
>
> If I tar the complete tree and scan it with 'clamdscan -v --fdpass all.tar'
> an infected file is reported: 'Java.Trojan.Agent-36975 FOUND'.
>
> If I tar all subdirs of the first level in separate tars and scan them, all
> of them are reported OK.  Same if I scan all files one by one.
>
> So where is the infected file report coming from?  Any ideas?

Try bisection.  Divide the tar file in half (roughly) and see which half
triggers the detection in clamdscan.  (If neither half does, split the file
somewhere else, say the first 1/4 and last 3/4.)  The two pieces won't be
valid tar files any more, but that's okay since all you care about is whether
the virus scanner objects.

Keep doing this until you have a minimal file, that is, until removing
anything from the beginning or end will cause clamdscan not to detect a
problem.  Then see what's in the file and compare it to the original files
and directories in the tree.

If you want, you can be a little more careful about how this is done.  For
instance, just remove parts from the end of the file until clamdscan says the
file is okay.  Then you'll know that the last piece you removed matches part
of the signature.  And the remaining initial segment of the file will still
be a semi-valid tar archive, so you can list the contents and see what the
final entry in the archive is.

Then start removing parts from the front of the original file until clamdscan
says the remainder is okay.  You'll know that the part you removed matches
the beginning of the signature.  Take the part that you removed and have tar
list its contents; the last entry will be where the signature starts.
Alan Stern
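The trimming procedure in the reply can be automated. What follows is an added example, not code from the thread or from the ClamAV project: it narrows an archive to the smallest byte window the scanner still flags, using two binary searches (smallest detected prefix, then latest start inside that prefix) instead of the linear trimming described above, and then maps that window back to the tar entries it overlaps using the member offsets recorded in the archive. `clamdscan_detects` is the real-world predicate (it relies on clamdscan's documented exit status: 0 clean, 1 something found, 2 error); the offline demo uses a constructed archive and a constructed marker string in place of a real signature. The binary search assumes detection is monotone (a window that matches keeps matching when extended), which is true for a plain byte-pattern signature but not necessarily for detections that depend on clamd unpacking a well-formed archive.

```python
import io
import os
import subprocess
import tarfile
import tempfile
from typing import Callable, List, Tuple

Detector = Callable[[bytes], bool]


def clamdscan_detects(data: bytes) -> bool:
    """Real-world predicate: hand the bytes to clamdscan and read its exit
    status (0 = clean, 1 = something found, 2 = error).  --fdpass lets clamd
    scan the private temp file without needing read permission on it.
    Not used by the offline demo below."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(data)
        path = f.name
    try:
        rc = subprocess.run(["clamdscan", "--fdpass", "--no-summary", path],
                            capture_output=True).returncode
        if rc == 2:
            raise RuntimeError("clamdscan reported an error")
        return rc == 1
    finally:
        os.unlink(path)


def minimal_trigger(data: bytes, detects: Detector) -> Tuple[int, int]:
    """Shrink `data` to the smallest [start, end) window that `detects` still
    flags.  Phase 1 finds the shortest detected prefix (the signature's end),
    phase 2 the latest start within it (the signature's beginning)."""
    if not detects(data):
        raise ValueError("the full input is not detected; nothing to bisect")
    lo, hi = 0, len(data)            # detects(data[:hi]) holds, data[:lo] does not
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if detects(data[:mid]):
            hi = mid
        else:
            lo = mid
    end = hi
    lo, hi = 0, end                  # detects(data[lo:end]) holds, data[hi:end] does not
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if detects(data[mid:end]):
            lo = mid
        else:
            hi = mid
    return lo, end


def members_covering(tar_bytes: bytes, start: int, end: int) -> List[str]:
    """Names of the archive entries (header plus data) that overlap the window.
    A window straddling two entries returns both, which is itself a clue."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tf:
        return [m.name for m in tf.getmembers()
                if m.offset < end and m.offset_data + m.size > start]


# Constructed stand-in for whatever bytes the real signature matches.
MARKER = b"CONSTRUCTED-DETECTION-MARKER"


def build_sample_tar() -> bytes:
    """Constructed archive: three small files, the marker buried inside b.txt."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, content in (
            ("a.txt", b"harmless text\n" * 40),
            ("b.txt", b"prefix-" * 30 + MARKER + b"-suffix" * 30),
            ("c.txt", b"also harmless\n" * 40),
        ):
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def locate_in_sample() -> Tuple[bytes, List[str]]:
    """Run the bisection against the constructed archive with a constructed
    detector; swap in clamdscan_detects and real archive bytes for actual use."""
    archive = build_sample_tar()
    start, end = minimal_trigger(archive, lambda chunk: MARKER in chunk)
    return archive[start:end], members_covering(archive, start, end)


if __name__ == "__main__":
    matched, names = locate_in_sample()
    print("matched bytes:", matched, "in entries:", names)
```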
Re: [clamav-users] ClamAV Info
On Tue, 21 May 2019, Leonardo Rodrigues wrote:

> On 21/05/2019 11:37, Christopher Do - IQ-C via clamav-users wrote:
>> Hi,
>>
>> I'm looking at endpoint security solutions and was wondering if anyone
>> could help me out with this info for ClamAV?
>
> basically, clamav is not what you're looking for ... it's basically
> a file scanner antivirus, not a resident antivirus, not a memory
> scanning antivirus, nothing of these features you're looking for.  clamav
> is not an endpoint antivirus, it's simply a file scanner antivirus.

In fact, ClamAV is simply a file virus scanner.  It isn't an "antivirus" at
all -- it cannot remove viruses or deactivate them.

Alan Stern
Re: [clamav-users] clamd using ~1GB memory on Debian Stretch
On Mon, 13 May 2019, Matus UHLAR - fantomas wrote:

>>> On Mon, 13 May 2019 19:30:12 +0530
>>> Avinash Sonawane wrote:
>>>
>>>> Single email account here.  On average, I receive one email a day.
>>>> Devoting 1Gb memory all the time for that seems a poor bargain.
>
>> On Mon, 13 May 2019, Avinash Sonawane via clamav-users wrote:
>>> Why can't clamd let databases/signatures stay in secondary memory
>>> itself.  Just load them when you actually receive message (or performing
>>> the scan explicitly asked by user).  Process and then again unload.
>>> Waiting for next message.
>>>
>>> Why clamd needs to have signatures/databases loaded in primary memory
>>> all the time?  Even when there is no active scan or incoming email?  This
>>> doesn't make sense.
>
> On 13.05.19 10:34, Alan Stern wrote:
>> What you're asking for is clamscan (as opposed to clamd and clamdscan).
>> It loads the signatures when it runs, and after scanning all the memory
>> is released.
>
> however, it uses about the same memory:
>
>   PID USER    PR NI   VIRT    RES   SHR S %CPU %MEM     TIME+ COMMAND
>  2634 clamav  20  0 999856 866284 12656 S  0.0 21.0 265:55.79 clamd
> 24906 root    20  0 967288 875404 22844 R 98.3 21.2   0:38.71 clamscan
>
> but much longer time:
>
> # time clamscan /tmp/hwinfo
> /tmp/hwinfo: OK
>
> --- SCAN SUMMARY ---
> Known viruses: 9157095
> Engine version: 0.100.3
> Scanned directories: 0
> Scanned files: 1
> Infected files: 0
> Data scanned: 0.57 MB
> Data read: 0.29 MB (ratio 1.95:1)
> Time: 39.043 sec (0 m 39 s)
> 38.208u 0.652s 0:39.11 99.3% 0+0k 78984+0io 13pf+0w
>
> # time clamdscan /tmp/hwinfo
> /tmp/hwinfo: OK
>
> --- SCAN SUMMARY ---
> Infected files: 0
> Time: 0.161 sec (0 m 0 s)
> 0.004u 0.000s 0:00.17 0.0% 0+0k 8+0io 0pf+0w

True, but it has the behavior that Avinash asked for: It doesn't use up 1 GB
of memory when it's not busy loading or scanning.
For someone who only receives about one email per day, trading off 39
seconds execution time for 1 GB of permanently occupied memory might be
worthwhile.

Alan Stern
Re: [clamav-users] clamd using ~1GB memory on Debian Stretch
On Mon, 13 May 2019, Avinash Sonawane via clamav-users wrote:

> On Mon, 13 May 2019 19:30:12 +0530
> Avinash Sonawane wrote:
>
>> Single email account here.  On average, I receive one email a day.
>> Devoting 1Gb memory all the time for that seems a poor bargain.
>
> Why can't clamd let databases/signatures stay in secondary memory
> itself.  Just load them when you actually receive message (or performing
> the scan explicitly asked by user).  Process and then again unload.
> Waiting for next message.
>
> Why clamd needs to have signatures/databases loaded in primary memory
> all the time?  Even when there is no active scan or incoming email?  This
> doesn't make sense.

What you're asking for is clamscan (as opposed to clamd and clamdscan).  It
loads the signatures when it runs, and after scanning all the memory is
released.

Alan Stern
Re: [clamav-users] [Clamav-devel] ClamAV® blog: ClamAV 0.101.1 Patch has been released
On Wed, 9 Jan 2019, Micah Snyder (micasnyd) wrote:

> Hi Alan,
>
> It sounds like your system defaults to having the -Wall and -Wextra
> compiler flags enabled.  We do indeed still have a lot of work to
> clean up warnings when building with -Wall and -Wextra, I certainly
> want to clean up all the warnings long term, but the other remaining
> ones are, to my knowledge, not as worrisome.

That makes sense.

> I wasn't actually able to reproduce the warning that Gary reported
> (with clang or gcc on Mac or Ubuntu 18), but a quick look at the code
> showed that the issue was real.

I got the same warning as Gary, as well.

> The "Variable may be used uninitialized" type warnings are more
> serious-sounding ones but if I recall correctly, they occur in the
> tomsfastmath 3rd party library code.  It's on my to-do list to see if
> there's an update for that code as our copy hasn't been updated in a
> while.

I'm not sure which source files belong to that third party library.  The two
non-bogus warnings I got were:

libclamunrar/arcread.cpp:32:3: warning: 'ReadSize' may be used uninitialized in this function
libclamunrar/rijndael.cpp:101:21: warning: 'uKeyLenInBytes' may be used uninitialized in this function

These seem to assume that an input variable takes on an allowed value; I
don't know if that assumption can always be guaranteed.

> The warnings in our own code regarding integers of different
> signedness are probably most concerning.  I very much want to take a
> stab at cleaning those up as soon as I find time, but it will require
> much care and heavy regression testing as it can be very easy to
> break things when changing variable types.

Indeed.  On-the-spot typecasting is less invasive but more awkward.

Alan Stern
Re: [clamav-users] [Clamav-devel] ClamAV® blog: ClamAV 0.101.1 Patch has been released
If anyone is interested, on my system (Fedora 28) building ClamAV generates a
ton of warning messages.  Some of them are bogus, but a lot are valid.
Things like:

    Variable may be used uninitialized;
    Variable defined but not used;
    Variable set but not used;
    Static function declared but not used;
    Statement label defined but not used;
    Comparing integers of different signedness;
    Misleading indentation of "if" - "else" clauses;
    Unrecognized command line option ('-Wno-logical-op-parentheses');
    Suggest parentheses around '&&' within '||';
    Writing to an object with no trivial copy-assignment; use
        copy-assignment or copy-initialization instead;
    Left-hand operand of comma expression has no effect;

and a few others.  I can send the log file to a developer if anyone would
like to see it.

Alan Stern

On Tue, 8 Jan 2019, Scott Kitterman wrote:

> On Tuesday, January 08, 2019 05:05:37 PM Gary R. Schmidt wrote:
>> On 08/01/2019 05:33, Joel Esler (jesler) wrote:
>>>> https://blog.clamav.net/2019/01/clamav-01011-patch-has-been-released.html
>>>>
>>>> ClamAV 0.101.1 Patch has been released
>>>>
>>>> ClamAV 0.101.1 is an urgent patch release to address an issue in 0.101.0
>>>> specifically for developers that depend on libclamav.  The issue in
>>>> 0.101.0 is that clamav.h required supporting headers that were not
>>>> provided on make install.  To address this issue, the internal cltypes.h
>>>> header has been replaced by a clamav-types.h that is generated on
>>>> ./configure and will be installed alongside clamav.h.
>>>>
>>>> Other changes
>>>>
>>>> Increased the default CommandReadTimeout to reduce the chance of mail
>>>> loss if using clamav-milter with the TCP socket.  Contribution by Scott
>>>> Kitterman.  Fixes for --with-libjson and --with-libcurl to correctly
>>>> accept library install path arguments.
>>>>
>>>> Acknowledgements
>>>>
>>>> The ClamAV team thanks the following individuals for their code
>>>> submissions: Scott Kitterman
>>>>
>>>> Known Issues
>>>>
>>>> Some users have observed crashes the first time running freshclam after
>>>> upgrading from 0.100 to 0.101.  We haven't yet tracked down the source of
>>>> the issue, but have found that the issue resolves itself and that
>>>> subsequent calls to freshclam work as expected.
>>>>
>>>> Please download and update to 0.101.1 <http://www.clamav.net/downloads>,
>>>> send us your feedback on ClamAV-Users
>>>> <http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users>.
>>
>> Building on Solaris 11.3 with GCC/G++ 7.3.0, I just noticed, gives
>> this warning.  The warning was also in 0.101.0, and possibly earlier
>> versions, but I didn't notice it.
>>
>> --
>> libtool: compile: gcc -DHAVE_CONFIG_H -I. -I.. -I../libclammspack -I..
>> -I./nsis -I../libltdl -DWARN_DLOPEN_FAIL -I/usr/local/include
>> -I/opt/local/include -I../libclammspack/mspack -DHAVE_INTERNAL_MSPACK
>> -DHAVE_YARA -DSEARCH_LIBDIR=\"/opt/local/lib\" -I/usr/local/include
>> -I/usr/include/json-c -I/usr/local/include -I/usr/local/include
>> -I/usr/include/libxml2 -g -O2 -fno-strict-aliasing -D_LARGEFILE_SOURCE
>> -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -MT libclamav_la-pdf.lo -MD
>> -MP -MF .deps/libclamav_la-pdf.Tpo -c pdf.c -fPIC -DPIC -o
>> .libs/libclamav_la-pdf.o
>> pdf.c: In function 'find_length':
>> pdf.c:947:80: warning: passing argument 5 of 'cli_strntoul_wrap' from
>> incompatible pointer type [-Wincompatible-pointer-types]
>>      if (CL_SUCCESS != cli_strntoul_wrap(index, bytes_remaining, 0, 10, )) {
>>                                                                      ^
>> In file included from yara_clam.h:46:0,
>>                  from others.h:58,
>>                  from matcher.h:29,
>>                  from others.h:22,
>>                  from pdf.c:56:
>> str.h:78:12: note: expected 'long unsigned int *' but argument is of
>> type 'size_t * {aka unsigned int *}'
>> cl_error_t cli_strntoul_wrap(const char *buf, size_t buf_size, int
>> fail_at_nondigit, int base, unsigned long *result);
>>            ^
>
> In Debian we haven't uploaded 0.101.1, so I can't confirm that.  I did go
> back and look at build logs and for us we have the same warning for
> 0.101.0.  It is not present in 0.100.2, so this is a new issue.
>
> Scott K
Re: [clamav-users] Errors compiling ClamAV
On Mon, 28 May 2018, CoDDoC wrote:

> Hi to all!
>
> I try to compile ClamAV 0.100.0 under CentOS 6.9 (kernel 4.16.11 x86_64)
> After './configure --enable-milter' I got:
>
> fanotify : no (disabled)
> and
> llvm : no (disabled)
>
> But:
> yum list installed | grep llvm
> llvm.x86_64 3.4.2-4.el6
> llvm-libs.x86_64 3.4.2-4.el6
> mesa-private-llvm.x86_64 3.6.2-1.el6
>
> cat /boot/config-4.16.11 | grep FANOTIFY
> CONFIG_FANOTIFY=y
> CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y
>
> In config.log:
> conftest.c:165:26: error: sys/fanotify.h: No such file or directory
>
> What am I doing wrong?

In CentOS 7, /usr/include/sys/fanotify.h is part of the glibc-headers
package, and presumably the same is true in CentOS 6.  You need to install
that package.

Alan Stern
Re: [clamav-users] clamav-milter Can't Find Clamd
On Tue, 7 Nov 2017, Colony.three wrote:

> Since I installed clamd a week ago, I've had to manually create the
> /run/clamd.scan directory and the clamd.sock file.  The clamd daemon is not
> doing this even though it is running as root.
>
> # ps aux | grep clamd
> root 1963 93.0 25.5 345992 258728 ? Rs 11:34 0:02 /usr/sbin/clamd -c /etc/clamd.d/clamd.conf --foreground=yes
>
> In its config file is:
>
> LocalSocket /run/clamd.scan/clamd.sock
> LocalSocketGroup virusgroup
> LocalSocketMode 660
> FixStaleSocket yes
> AllowSupplementaryGroups yes
>
> ... so I can't imagine why it is not creating its own socket directory and
> socket.  I even rebooted with selinux disabled, but no improvement.
>
> When I create its socket it pretends to bind to it, but then -milter can't
> see clamd.  Maybe the problem is with clamd after all.

This is a severe problem and it needs to be solved.  Nevertheless, if your
primary interest for the moment is just getting clamd to work, there is a
simple workaround: Tell clamd to bind to a TCP socket on the loopback
interface instead of a Unix socket.

#LocalSocket /run/clamd.scan/clamd.sock
TCPSocket 3310
TCPAddr 127.0.0.1

It's not as efficient in terms of communication speed, but it doesn't suffer
from permissions issues.

Alan Stern
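Whichever socket clamd ends up listening on, the quickest way to confirm that the milter will be able to reach it is to speak the clamd protocol to it directly. The following is an added example, not code from the thread or from the ClamAV project: a minimal client for the NUL-terminated "z" command form (zPING, and zINSTREAM with its 4-byte big-endian length-prefixed chunks terminated by a zero-length chunk, as documented in clamd(8)), with a connect helper that takes either the Unix socket path or the 127.0.0.1:3310 TCP endpoint from the reply above. Because the verifier cannot reach a real clamd, the demo exercises the client against a constructed stand-in responder over a socketpair; the marker string it reacts to is invented and stands in for a real signature. One caveat the workaround does not mention: clamd authenticates nobody on either socket type, so a loopback TCP listener is reachable by every local user and process (including for SCAN, RELOAD and SHUTDOWN), whereas the Unix socket can at least be fenced with LocalSocketGroup/LocalSocketMode.

```python
import socket
import struct
import threading
from typing import Optional, Tuple

# Endpoint from the reply above: TCPSocket 3310 / TCPAddr 127.0.0.1.
DEFAULT_TCP = ("127.0.0.1", 3310)


def connect_clamd(unix_path: Optional[str] = None,
                  tcp: Tuple[str, int] = DEFAULT_TCP) -> socket.socket:
    """Open one connection to clamd.  clamd serves a single command per
    connection unless IDSESSION is used, so callers reconnect per command."""
    if unix_path:
        s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        s.connect(unix_path)
        return s
    return socket.create_connection(tcp, timeout=30)


def _read_reply(sock: socket.socket) -> str:
    """Replies to z-prefixed commands are NUL-terminated."""
    buf = b""
    while not buf.endswith(b"\0"):
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf.rstrip(b"\0").decode()


def clamd_ping(sock: socket.socket) -> str:
    sock.sendall(b"zPING\0")
    return _read_reply(sock)            # "PONG" from a healthy daemon


def clamd_instream(sock: socket.socket, data: bytes, chunk_size: int = 65536) -> str:
    """Scan bytes with INSTREAM: each chunk is <uint32 length, network order>
    followed by the bytes; a zero-length chunk ends the stream.  clamd never
    opens a file itself, so this sidesteps the permission problems entirely."""
    sock.sendall(b"zINSTREAM\0")
    for i in range(0, len(data), chunk_size):
        chunk = data[i:i + chunk_size]
        sock.sendall(struct.pack("!I", len(chunk)) + chunk)
    sock.sendall(struct.pack("!I", 0))
    return _read_reply(sock)            # "stream: OK" or "stream: <Name> FOUND"


# Constructed stand-in for clamd so the client can be exercised offline.
FAKE_MARKER = b"CONSTRUCTED-BAD-MARKER"


def fake_clamd(server: socket.socket) -> None:
    """Answers exactly one z-command the way clamd would, then closes."""
    def recv_exact(n: int) -> bytes:
        buf = b""
        while len(buf) < n:
            part = server.recv(n - len(buf))
            if not part:
                raise ConnectionError("client went away mid-frame")
            buf += part
        return buf

    cmd = b""
    while not cmd.endswith(b"\0"):
        cmd += server.recv(1)
    cmd = cmd.rstrip(b"\0")
    if cmd == b"zPING":
        server.sendall(b"PONG\0")
    elif cmd == b"zINSTREAM":
        payload = b""
        while True:
            (n,) = struct.unpack("!I", recv_exact(4))
            if n == 0:
                break
            payload += recv_exact(n)
        verdict = b"stream: Constructed.Marker FOUND" if FAKE_MARKER in payload else b"stream: OK"
        server.sendall(verdict + b"\0")
    server.close()


def demo(data: bytes) -> Tuple[str, str]:
    """PING, then INSTREAM `data`, each on its own connection to the fake daemon."""
    results = []
    for op in ("ping", "instream"):
        client, server = socket.socketpair()
        worker = threading.Thread(target=fake_clamd, args=(server,))
        worker.start()
        results.append(clamd_ping(client) if op == "ping" else clamd_instream(client, data))
        client.close()
        worker.join()
    return results[0], results[1]


if __name__ == "__main__":
    print(demo(b"ordinary message body"))
```

Against a real daemon, replace the socketpair with `connect_clamd("/run/clamd.scan/clamd.sock")` or `connect_clamd()` for the TCP fallback; the same two functions then tell you in one round trip whether the milter's connectivity problem is the socket or something else.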
Re: [clamav-users] clamd does not bind to port when starting through init.d/service ubuntu 16.04
On Sat, 27 Aug 2016, Reindl Harald wrote:

> On 27.08.2016 at 18:30, G.W. Haywood wrote:
>> Hi there,
>>
>> On Sat, 27 Aug 2016, Jeff Dyke wrote:
>>
>>> ... if i start clamd with
>>> sudo -u clamav /usr/sbin/clamd --config-file=/etc/clamav/clamd.conf
>>> it *will* bind to that address and port.
>>> ...
>>> When starting via /etc/init.d/clamav-daemon start or sudo service
>>> clamav-daemon start it does not bind to the port.
>>>
>>> ... No ... socket received from systemd.
>>> ...
>>
>> Are the other servers also Ubuntu 16.04?
>>
>> What are they all doing?
>>
>> Anything more from the clamd.conf debug options?
>>
>> I use ClamAV only on mail servers.  I tend not to use distro packages
>> for things mail, and anyway I have yet to use ClamAV on a systemd box
>> (and with luck I never will) - but in your shoes I'd be inclined e.g.
>> to chmod a-x the ClamAV scripts in /etc/init.d then put something to
>> start clamd in /etc/rc.local to see if it works there after the
>> network stack is all up and running
>
> to start with a proper environment don't contain anything in /etc/init.d
> if we talk about systemd
>
> so what tells "systemctl list-units | grep clam" and what tells
> "systemctl status" for each listed unit - to get a minimum overview how
> the system is wired together (not that good when using compat startscripts)

The impression I got from the original bug report is that there should be a
"clamd.socket" unit file that either is missing or is not running properly.

Alan Stern
Re: [clamav-users] Error (Cannot connect to unix socket '/var/lib/clamav/clamd.socket': connect: No such file or directory)
On Sun, 7 Aug 2016, Chris wrote:

> On Sun, 2016-08-07 at 10:49 +0200, Tobi wrote:
>> It might be a systemd issue.  Have you tried to start clamd by calling it
>> directly on cli?  Does it create the socket then?
>>
>> Cheers
>>
>> tobi
>
> I've tried that lots of times Tobi, however, it still doesn't create
> it:
>
> chris@localhost:~$ sudo service clamav-daemon stop
> [ - ] clamav-daemon
> chris@localhost:~$ sudo service clamav-daemon start
> [ + ] clamav-daemon

When systemd is installed, the "service" command is redirected to invoke
systemctl.  To truly bypass systemd you would need to do something like
"sudo /etc/init.d/clamav-daemon stop", etc.

> The 'clamd.socket' file should be between these two but it's not:
>
> -rw-r--r-- 1 clamav clamav 446464 Jun 23 11:40 bytecode.cld
> -rw-r--r-- 1 clamav clamav     82 Jul 13 14:44 crdfam.clamav.hdb

This also could be caused by SELinux.  It can prevent files from being
created even when all the permission settings are okay.  Have you checked the
system logs for audit violations?

Also, have you checked clamd's log file?

Alan Stern
Re: [clamav-users] Yum Updater Breaks My Set Up
On Fri, 26 Jun 2015, Bob Cohen wrote:

> Grr.  The yum update breaks my amavisd/clam installation.  I'm running
> CentOS 5.x.  It appears to be a permissions problem:
>
> Starting Clam AntiVirus Daemon: ERROR: LOCAL: Socket file
> /var/run/clamav/clamd.sock could not be bound: Permission denied
>
> I've reviewed the CentOS Amavisd-new, ClamAV and SpamAssassin setup recipe
> (http://wiki.centos.org/HowTos/Amavisd) and gone over my clamd.conf and
> amavisd.conf.  Everything seems in order.  I'm stymied.  I can't remember
> what I did the last time this happened and I fixed it.
>
> Here's the socket settings in my clamd.conf file:
>
> # Value below used to work until a recent yum update
> LocalSocket /var/run/clamav/clamd.sock
> # New value as of 12/5/2013.  Matches amavisd.conf
> #LocalSocket /var/amavis/clamd.sock
>
> Help would be appreciated.  Thank you.

So what are the permissions for /var/run/clamav?  (Does that directory even
exist?)  And what user/group IDs does your clamd daemon run under?

Alan Stern
Re: [clamav-users] Yum Updater Breaks My Set Up
On Fri, 26 Jun 2015, Bob Cohen wrote:

> On Jun 26, 2015, at 2:19 PM, Alan Stern st...@rowland.harvard.edu wrote:
>
>> So what are the permissions for /var/run/clamav?  (Does that directory
>> even exist?)  And what user/group IDs does your clamd daemon run under?
>
> Thanks for responding:
>
> Yes the directory exists
>
> Permissions:
>
> [root etc]# ls -la /var/run/clamav
> total 16
> drwxr-xr-x  2 clam clam 4096 Apr 29 14:39 .
> drwxr-xr-x 31 root root 4096 Jun 26 14:40 ..
>
> Okay.  Now I see what happened.  The owner and group should be set to
> clamav.  And now it works.  Thank you.  I knew it was something simple.
>
> This makes sense.  After a yum update clam sets the log file owner to
> clam:clam instead of clamav:clamav and it must also change the user name
> which causes the permissions error.
>
> How can I get amavisd, spamassassin, and clam to play nicely with Yum
> Update?

That's a question for the CentOS-5 maintainers.  I suppose you could run
clamd under the clam userid instead of under clamav.  But there might be good
reasons not to do that, or it might cause other problems.

Alan Stern
[clamav-users] Duplicate entry in SecuriteInfo spam_marketing database
Steve:

I noticed this when the whitelist update notices from the
clamav-unofficial-sigs.sh script started growing exponentially.  The script
doesn't anticipate that one signature's hex string might be a sub-sequence of
another signature's, and it doesn't handle them properly when that happens.

In this case, the two entries in the spam_marketing.ndb database are:

SecuriteInfo.com.Spammer.bluehornet.com:4:*:626c7565686f726e65742e636f6d
SecuriteInfo.com.Spammer.echo.bluehornet.com:4:*:6563686f2e626c7565686f726e65742e636f6d

There doesn't seem to be any reason for the second signature, because
anything it matches will already be matched by the first sig.

There may well be other duplicated entries; this is just the one I noticed.

Alan Stern
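The "sub-sequence" condition in the post can be checked across a whole .ndb file. What follows is an added example, not code from the post, from SecuriteInfo or from the clamav-unofficial-sigs project: it parses the `Name:TargetType:Offset:HexSignature` fields of each line, decodes bodies that are plain hex, and reports a signature as redundant when a shorter signature's bytes occur inside it *and* the shorter one is not anchored to an offset (`*`) and applies to the same target type (or to any type, `0`). Bodies that use ClamAV wildcards (`??`, `*`, `{n-m}`, alternations) are skipped, since substring containment of the hex text says nothing about what they match. The two entries quoted above are the constructed sample input.

```python
import binascii
import re
from typing import Dict, List, Optional, Tuple

# The two entries quoted in the post, reproduced as constructed sample input.
SAMPLE_NDB = """\
SecuriteInfo.com.Spammer.bluehornet.com:4:*:626c7565686f726e65742e636f6d
SecuriteInfo.com.Spammer.echo.bluehornet.com:4:*:6563686f2e626c7565686f726e65742e636f6d
"""

PLAIN_HEX = re.compile(r"[0-9a-f]+")

Sig = Dict[str, str]


def parse_ndb(text: str) -> List[Sig]:
    """.ndb lines are MalwareName:TargetType:Offset:HexSignature[:MinFL[:MaxFL]]."""
    sigs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue
        sigs.append({"name": fields[0], "target": fields[1],
                     "offset": fields[2], "hex": fields[3].lower()})
    return sigs


def decode_plain_hex(body: str) -> Optional[bytes]:
    """Decode a body that is pure hex; None for bodies with wildcards, where
    substring reasoning does not apply."""
    if not PLAIN_HEX.fullmatch(body) or len(body) % 2:
        return None
    return binascii.unhexlify(body)


def subsumes(short: Sig, long_: Sig, short_bytes: bytes, long_bytes: bytes) -> bool:
    """True if every match of `long_` is necessarily also a match of `short`:
    the shorter pattern is a substring, floats anywhere in the file, and
    applies to the same target type (or to any type, 0)."""
    return (short_bytes in long_bytes
            and short["offset"] == "*"
            and short["target"] in ("0", long_["target"]))


def find_redundant(text: str) -> List[Tuple[str, str]]:
    """(redundant signature, signature that already covers it) pairs."""
    decoded = [(s, decode_plain_hex(s["hex"])) for s in parse_ndb(text)]
    decoded = [(s, b) for s, b in decoded if b is not None]
    out = []
    for i, (long_, long_bytes) in enumerate(decoded):
        for j, (short, short_bytes) in enumerate(decoded):
            if i == j or len(short_bytes) > len(long_bytes):
                continue
            if len(short_bytes) == len(long_bytes) and j > i:
                continue                       # identical bodies: report once
            if subsumes(short, long_, short_bytes, long_bytes):
                out.append((long_["name"], short["name"]))
    return out


if __name__ == "__main__":
    for redundant, covered_by in find_redundant(SAMPLE_NDB):
        print(f"{redundant} is already covered by {covered_by}")
```

The pairwise scan is quadratic, which is fine for a spam database of a few thousand entries; for the main ClamAV databases a suffix-automaton or Aho-Corasick pass over the decoded bodies would be the right tool.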
Re: [clamav-users] An FP?
On Wed, 5 Feb 2014, Gene Heskett wrote:

> Greetings;
>
> The daily system scan is fussing about
>
> /home/gene/src/linux-3.8.2/Documentation/usb/gadget_multi.txt: MBL_400944.UNOFFICIAL FOUND
> /home/gene/src/linux-3.12.6/Documentation/usb/gadget_multi.txt: MBL_400944.UNOFFICIAL FOUND
> /home/gene/src/linux-3.8.3/Documentation/usb/gadget_multi.txt: MBL_400944.UNOFFICIAL FOUND
> /home/gene/src/linux-3.12.9/Documentation/usb/gadget_multi.txt: MBL_400944.UNOFFICIAL FOUND
> /home/gene/src/linux-3.4.36/Documentation/usb/gadget_multi.txt: MBL_400944.UNOFFICIAL FOUND
> /home/gene/src/linux-3.0.69/Documentation/usb/gadget_multi.txt: MBL_400944.UNOFFICIAL FOUND
> /home/gene/src/linux-3.2.40/Documentation/usb/gadget_multi.txt: MBL_400944.UNOFFICIAL FOUND
>
> But https://virustotal.com thinks otherwise.

Gene:

I have had annoying experiences with false positives from the MBL database in
the past.  Since the number of valid matches from that database (for my
workload) has been quite small, I have dropped it entirely.

Alan Stern
Re: [Clamav-users] Tiered freshclam updates on port443
On Thu, 20 May 2010, Simon Hobson wrote:

> Shawn Bakhtiar wrote:
>
>> I still say having firewalls from higher security zones to lower ones,
>> does not make sense.  Security is only valid when it is INBOUND.
>> Outbound security is no security at all, just a pain for your users.
>
> I used to think like that, but now I'd respectfully disagree.  It's not an
> answer in its own right, but used intelligently it provides another layer
> of protection.  OK, if your server gets compromised then it doesn't protect
> the server, but it does restrict the damage it can do.

I'd go even farther.  Although this is true more for security in general
(such as protecting military secrets) than it is for email scanning, there
is a place for outbound enforcement.  If you have secrets to protect, you
don't want them to be sent out -- either mistakenly or deliberately.

Alan Stern
Re: [Clamav-users] Mirror problem?
.cdiff not found on remote server (IP: 155.98.64.87)
WARNING: getpatch: Can't download daily-10880.cdiff from db.local.clamav.net
Trying host db.local.clamav.net (155.98.64.87)...
WARNING: getfile: daily-10880.cdiff not found on remote server (IP: 155.98.64.87)
WARNING: getpatch: Can't download daily-10880.cdiff from db.local.clamav.net
Trying host db.local.clamav.net (155.98.64.87)...
WARNING: getfile: daily-10880.cdiff not found on remote server (IP: 155.98.64.87)
WARNING: getpatch: Can't download daily-10880.cdiff from db.local.clamav.net
WARNING: Incremental update failed, trying to download daily.cvd
Trying host db.local.clamav.net (155.98.64.87)...
Downloading daily.cvd [100%]
WARNING: Mirror 155.98.64.87 is not synchronized.
Trying again in 5 secs...
ClamAV update process started at Sat May  1 03:13:10 2010
main.cld is up to date (version: 52, sigs: 704727, f-level: 44, builder: sven)
Trying host db.local.clamav.net (155.98.64.87)...
WARNING: getfile: daily-10880.cdiff not found on remote server (IP: 155.98.64.87)
WARNING: getpatch: Can't download daily-10880.cdiff from db.local.clamav.net
Trying host db.local.clamav.net (155.98.64.87)...
WARNING: getfile: daily-10880.cdiff not found on remote server (IP: 155.98.64.87)
WARNING: getpatch: Can't download daily-10880.cdiff from db.local.clamav.net
Trying host db.local.clamav.net (155.98.64.87)...
WARNING: getfile: daily-10880.cdiff not found on remote server (IP: 155.98.64.87)
ERROR: getpatch: Can't download daily-10880.cdiff from db.local.clamav.net
WARNING: Incremental update failed, trying to download daily.cvd
Trying host db.local.clamav.net (155.98.64.87)...
Downloading daily.cvd [100%]
WARNING: Mirror 155.98.64.87 is not synchronized.
Giving up on db.local.clamav.net...
Update failed. Your network may be down or none of the mirrors listed in /etc/freshclam.conf is working. Check http://www.clamav.net/support/mirror-problem for possible reasons.
--

I would expect freshclam to try (or to be directed to) a different mirror
after each failure, instead of the same one over and over again.

Alan Stern
Re: [Clamav-users] Mirror problem?
On Wed, 5 May 2010, Török Edwin wrote:

>> That's exactly what seems peculiar.  Here's my cron output (with no
>> filtering):
>>
>> --
>> ClamAV update process started at Sat May  1 03:12:30 2010
>> main.cld is up to date (version: 52, sigs: 704727, f-level: 44, builder: sven)
>> Trying host db.us.clamav.net (155.98.64.87)...
>> WARNING: getfile: daily-10880.cdiff not found on remote server (IP: 155.98.64.87)
>> WARNING: getpatch: Can't download daily-10880.cdiff from db.us.clamav.net
>> Trying host db.us.clamav.net (155.98.64.87)...
>> WARNING: getfile: daily-10880.cdiff not found on remote server (IP: 155.98.64.87)
>> WARNING: getpatch: Can't download daily-10880.cdiff from db.us.clamav.net
>> ...
>
> Try running freshclam with -v (or LogVerbose) to see when mirrors are
> blacklisted.

freshclam -v does not say anything about blacklisted mirrors.  It also
doesn't try to use 155.98.64.87 -- it uses a different mirror
(213.165.80.159) and succeeds immediately.

> Does it still keep trying the same mirror over and over, and the others
> are not blacklisted?

It doesn't have to retry anything.  Can you suggest a way to make freshclam
try 155.98.64.87 first?

Alan Stern
Re: [Clamav-users] Mirror problem?
On Wed, 5 May 2010, Török Edwin wrote:

>> It doesn't have to retry anything.  Can you suggest a way to make
>> freshclam try 155.98.64.87 first?
>
> Remove mirrors.dat, run freshclam until 155.98.64.87 is the first mirror.
> If not remove mirrors.dat again, and retry.

Nothing interesting happened after the first time I tried this (and the
first time it used a different mirror).  Now all I get is:

# freshclam -v
Current working dir is /var/clamav
Max retries == 3
ClamAV update process started at Wed May  5 14:44:14 2010
Using IPv6 aware code
Querying current.cvd.clamav.net
TTL: 787
Software version from DNS: 0.96
main.cvd version from DNS: 52
main.cld is up to date (version: 52, sigs: 704727, f-level: 44, builder: sven)
daily.cvd version from DNS: 10928
daily.cld is up to date (version: 10928, sigs: 58816, f-level: 51, builder: arnaud)
bytecode.cvd version from DNS: 15
bytecode.cld is up to date (version: 15, sigs: 2, f-level: 51, builder: nervous)

Alan Stern
[Clamav-users] Mirror problem?
I've been getting messages like this:

main.cld is up to date (version: 52, sigs: 704727, f-level: 44, builder: sven)
Trying host db.local.clamav.net (155.98.64.87)...
WARNING: getfile: daily-10891.cdiff not found on remote server (IP: 155.98.64.87)
WARNING: getpatch: Can't download daily-10891.cdiff from db.local.clamav.net
Trying host db.local.clamav.net (155.98.64.87)...
WARNING: getfile: daily-10891.cdiff not found on remote server (IP: 155.98.64.87)
WARNING: getpatch: Can't download daily-10891.cdiff from db.local.clamav.net
Trying host db.local.clamav.net (155.98.64.87)...
WARNING: getfile: daily-10891.cdiff not found on remote server (IP: 155.98.64.87)
ERROR: getpatch: Can't download daily-10891.cdiff from db.local.clamav.net
WARNING: Incremental update failed, trying to download daily.cvd
Trying host db.local.clamav.net (155.98.64.87)...
Downloading daily.cvd [100%]
WARNING: Mirror 155.98.64.87 is not synchronized.

Is there a problem with this mirror?

Alan Stern
Re: [Clamav-users] Experiencing clamd crashes? Check clamd SelfCheck times
On Thu, 5 Mar 2009, Bill Landry wrote:

> * Cross-posted to the SaneSecurity and ClamAV-Users lists.
>
> Folks, I disabled clamd's SelfCheck (SelfCheck 0) a few weeks ago and
> have not seen any crashes since. However, I went back this morning and
> parsed some of my old clamd.log files to see when clamd SelfChecks were
> happening. I didn't think I would find any forced reloads from SelfCheck
> since freshclam and my script were both set to signal clamd to reload
> databases when an update was detected. However, that was not the case.
> In fact, every SelfCheck forced reload came either within the same time
> interval as my script's pause-run time-frame or at the same time as a
> freshclam update happened. I had SelfCheck configured to check every 10
> minutes, and it appears that at random times this SelfCheck would just
> happen to run either while a script update or a freshclam update was
> happening.
>
> If you have SelfCheck enabled in your clamd.conf, you can check and
> possibly confirm this by parsing your clamd.log files with:
>
> grep 'SelfCheck.*Forcing reload' /your/path/to/clamd.log
>
> Check the time-frames and see if they coordinate with your script's
> run-times or your freshclam updates (see freshclam.log).

That's not what I see on my server. Here's an extract from my log. The
self-checks occur at intervals of approximately 30 minutes and they
usually don't force a reload:

Wed Mar 4 03:10:43 2009 - SelfCheck: Database status OK.
Wed Mar 4 03:42:02 2009 - SelfCheck: Database status OK.
Wed Mar 4 04:01:01 2009 - /tmp/vtemp1J7Og.com: Eicar-Test-Signature FOUND
Wed Mar 4 04:12:13 2009 - SelfCheck: Database status OK.
Wed Mar 4 04:27:19 2009 - Reading databases from /var/clamav
Wed Mar 4 04:27:22 2009 - Database correctly reloaded (514127 signatures)
Wed Mar 4 04:45:45 2009 - SelfCheck: Database status OK.
Wed Mar 4 05:01:02 2009 - /tmp/vtempJDpIl.com: Eicar-Test-Signature FOUND
Wed Mar 4 05:16:02 2009 - SelfCheck: Database status OK.
Wed Mar 4 05:46:13 2009 - SelfCheck: Database status OK.

Here freshclam ran at 4:27:18. On one occasion the selfcheck did happen
to run at the same time as freshclam. Here's what happened:

Thu Mar 5 04:27:17 2009 - SelfCheck: Database modification detected. Forcing reload.
Thu Mar 5 04:27:17 2009 - Reading databases from /var/clamav
Thu Mar 5 04:27:21 2009 - Database correctly reloaded (514203 signatures)

Alan Stern
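The check Bill describes (grep for forced reloads, then compare their times by hand with the freshclam log) can be automated. The script below is an added example, not code from either poster: it parses the timestamped lines of clamd.log and freshclam.log, reports the spacing between consecutive SelfCheck lines (Alan's roughly 30-minute rhythm), and pairs every "Forcing reload" with the nearest freshclam "Database updated" line inside a time window, so that a reload with no freshclam run next to it stands out as something else (a signature script, a manual edit) touching the database directory. The clamd sample reuses the lines quoted above plus one constructed unexplained reload; the freshclam sample is constructed around the 04:27:18 run Alan mentions, and the mirror IP in it is a documentation address.

```python
import re
from datetime import datetime, timedelta

# clamd.log and freshclam.log both prefix each line with an asctime-style
# stamp.  The quoted log reads "Wed Mar  4 04:27:19 2009 - message"; newer
# ClamAV releases write " -> " instead, so both separators are accepted.
LINE_RE = re.compile(r"^(\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) -+>?\s*(.*)$")

# Constructed sample of clamd.log: the lines quoted in the thread plus one
# extra forced reload at 09:00:00 that no freshclam run accounts for.
CLAMD_LOG = """\
Wed Mar  4 03:10:43 2009 - SelfCheck: Database status OK.
Wed Mar  4 03:42:02 2009 - SelfCheck: Database status OK.
Wed Mar  4 04:01:01 2009 - /tmp/vtemp1J7Og.com: Eicar-Test-Signature FOUND
Wed Mar  4 04:12:13 2009 - SelfCheck: Database status OK.
Wed Mar  4 04:27:19 2009 - Reading databases from /var/clamav
Wed Mar  4 04:27:22 2009 - Database correctly reloaded (514127 signatures)
Wed Mar  4 04:45:45 2009 - SelfCheck: Database status OK.
Thu Mar  5 04:27:17 2009 - SelfCheck: Database modification detected. Forcing reload.
Thu Mar  5 04:27:17 2009 - Reading databases from /var/clamav
Thu Mar  5 04:27:21 2009 - Database correctly reloaded (514203 signatures)
Thu Mar  5 09:00:00 2009 - SelfCheck: Database modification detected. Forcing reload.
"""

# Constructed freshclam.log: Alan says freshclam ran at 04:27:18.  The message
# wording is freshclam's; the stamps, counts and mirror IP are made up.
FRESHCLAM_LOG = """\
Wed Mar  4 04:27:18 2009 - Database updated (514127 signatures) from db.local.clamav.net (IP: 192.0.2.10)
Wed Mar  4 04:27:18 2009 - Clamd successfully notified about the update.
Thu Mar  5 04:27:18 2009 - Database updated (514203 signatures) from db.local.clamav.net (IP: 192.0.2.10)
Thu Mar  5 04:27:18 2009 - Clamd successfully notified about the update.
"""


def parse_log(text):
    """Return [(datetime, message)] for every timestamped line in text."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            stamp = " ".join(m.group(1).split())        # "Mar  4" -> "Mar 4"
            events.append((datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y"), m.group(2)))
    return events


def selfcheck_intervals(clamd_events):
    """Seconds between consecutive SelfCheck lines, whatever their outcome."""
    stamps = [t for t, msg in clamd_events if msg.startswith("SelfCheck:")]
    return [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]


def forced_reloads(clamd_events):
    return [t for t, msg in clamd_events
            if msg.startswith("SelfCheck:") and "Forcing reload" in msg]


def freshclam_updates(freshclam_events):
    return [t for t, msg in freshclam_events if msg.startswith("Database updated")]


def correlate(clamd_text, freshclam_text, window=timedelta(seconds=60)):
    """Pair each forced reload with the nearest freshclam update within window.

    Returns [(reload_time, update_time_or_None)].  None means nothing in
    freshclam.log explains the reload, so some other writer touched the
    database directory at that moment.
    """
    updates = freshclam_updates(parse_log(freshclam_text))
    pairs = []
    for r in forced_reloads(parse_log(clamd_text)):
        nearest = min(updates, key=lambda u: abs(u - r), default=None)
        explained = nearest is not None and abs(nearest - r) <= window
        pairs.append((r, nearest if explained else None))
    return pairs


if __name__ == "__main__":
    for reload_at, update_at in correlate(CLAMD_LOG, FRESHCLAM_LOG):
        print(reload_at, "<- freshclam" if update_at else "<- UNEXPLAINED")
    print("SelfCheck intervals (s):", selfcheck_intervals(parse_log(CLAMD_LOG)))
```

Run it against real files by replacing the two constructed strings with the contents of clamd.log and freshclam.log; a wider window (a few minutes) is appropriate when the signature script Bill mentions takes longer than freshclam to write its files.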
Re: [Clamav-users] WARNING: Suspicious recipient address blocked
On Mon, 14 Apr 2008, Michael Brown wrote:

> The | character is not allowed in any e-mail address because it's a
> Unix shell reserved character. Here's a list, right off the top of my
> head, of characters that are usually blocked/disabled by just about
> every MTA out there.
>
> 1. Control Characters
> 2. Space
> 3. !
> 4.
> 5. #
> 6. $
> 7. %
> 8.
> 9. (
> 10. )
> 11. *
> 12. ,
> 13. /
> 14. :
> 15. ;
> 16.
> 17.
> 18. @ (when used more than once)
> 19. [
> 20. \
> 21. ]
> 22. |
> 23. DEL

There's certainly something wrong here. The open and close bracket
characters ('[' and ']', items 19 and 21) can indeed be part of a valid
email address. For example:

[EMAIL PROTECTED]

Alan Stern
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
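As an added illustration of Alan's point (not code from either poster): the checker below follows the RFC 5322 dot-atom and quoted-string forms for the local part and the RFC 5321 address-literal form for the domain, and then lists which addresses a character blocklist like the one quoted would reject even though they are syntactically valid. It goes a little beyond the bracket case the reply makes: by the RFC 5322 "atext" definition, "|", "!", "#", "$", "%", "*" and "/" are also legal in an unquoted local part, and a quoted local part may even contain a space. For a filter in front of an MTA that is the relevant failure mode: a blocklist built from shell metacharacters produces false positives on legitimate senders. The sample addresses are constructed; the blank items in the quoted list are left out rather than guessed.

```python
import re
from ipaddress import ip_address

# "atext" from RFC 5322 section 3.2.3: characters allowed unquoted in a
# local part.  Note that it includes '|', '!', '#', '$', '%', '*' and '/'.
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"
DOT_ATOM = rf"{ATEXT}+(?:\.{ATEXT}+)*"
QUOTED_STRING = r'"(?:[^"\\\r\n]|\\.)*"'           # simplified RFC 5322 quoted-string
LOCAL_RE = re.compile(rf"^(?:{DOT_ATOM}|{QUOTED_STRING})$")
DOMAIN_RE = re.compile(rf"^{DOT_ATOM}$")
ADDRESS_LITERAL_RE = re.compile(r"^\[(.+)\]$")      # RFC 5321 "[192.0.2.1]" / "[IPv6:...]"

# The characters the quoted message says MTAs usually block, limited to the
# list items that survived on the page (blank items are not guessed).
NAIVE_BLOCKLIST = set("!#$%()*,/:;[\\]|") | {" "}


def is_valid_address(addr):
    """Return (ok, reason); ok is True when addr fits the grammar above."""
    if len(addr) > 254:
        return False, "address longer than 254 octets"
    if "@" not in addr:
        return False, "no @"
    local, _, domain = addr.rpartition("@")
    if not local or len(local) > 64:
        return False, "local part empty or longer than 64 octets"
    if not LOCAL_RE.match(local):
        return False, "local part is neither a dot-atom nor a quoted-string"
    m = ADDRESS_LITERAL_RE.match(domain)
    if m:
        inner = m.group(1)
        try:
            if inner.startswith("IPv6:"):
                ok = ip_address(inner[5:]).version == 6
            else:
                ok = ip_address(inner).version == 4
        except ValueError:
            ok = False
        return (True, "address literal domain") if ok else (False, "bad address literal")
    if not DOMAIN_RE.match(domain):
        return False, "domain is not a dot-atom"
    return True, "dot-atom domain"


def naive_reject(addr):
    """True if the blocklist from the quoted message would reject addr."""
    if any(c in NAIVE_BLOCKLIST or ord(c) < 32 or ord(c) == 127 for c in addr):
        return True
    return addr.count("@") > 1                       # "@ (when used more than once)"


def false_positives(addresses):
    """Addresses the naive blocklist rejects although they fit the grammar."""
    return [a for a in addresses if naive_reject(a) and is_valid_address(a)[0]]


# Constructed sample: valid and invalid addresses, with documentation IPs.
SAMPLE = [
    "alan@[192.0.2.1]",            # valid: IPv4 address literal (the bracket case)
    "user@[IPv6:2001:db8::1]",     # valid: IPv6 address literal
    "us|er@example.com",           # valid: '|' is atext
    '"a b"@example.com',           # valid: quoted local part may contain a space
    "a@b@example.com",             # invalid: unquoted second '@'
    "user@[999.1.1.1]",            # invalid: not an IPv4 address
    "user@example..com",           # invalid: empty label
    "plain@example.com",           # valid and not blocked either way
]

if __name__ == "__main__":
    for a in SAMPLE:
        print(f"{a:28} valid={is_valid_address(a)[0]!s:5} naive_reject={naive_reject(a)}")
    print("false positives:", false_positives(SAMPLE))
```

The grammar here is deliberately the syntactic one: whether a given MTA should accept a quoted local part or an address literal is a policy choice, but a check that labels such addresses malformed is simply wrong, and its rejections should be logged as policy decisions rather than as syntax errors.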
[Clamav-users] Problems connecting to freshclam servers
) Database updated (234394 signatures) from db.us.clamav.net (IP: 208.67.80.27)
Clamd successfully notified about the update.

This was a particularly bad case. Can anyone explain why there should be
so many errors? Is 4:30 AM just a bad time for downloading?

Alan Stern
Re: [Clamav-users] Problems connecting to freshclam servers
On Wed, 26 Mar 2008 [EMAIL PROTECTED] wrote:

> Is your clam AV version up to date? Not very far behind, I should
> imagine. I sometimes see similar messages when I'm more than one
> levelset behind and the mirrors have changed. What does clamscan -V
> and freshclam -V reveal?

# clamscan -V
ClamAV 0.92.1
# freshclam -V
ClamAV 0.92.1/6393/Wed Mar 26 04:15:38 2008

Alan Stern
Re: [Clamav-users] Problems connecting to freshclam servers
On Wed, 26 Mar 2008, Brandon Perry wrote:

> This is what gets me:
>
> Can't connect to port 80 of host db.us.clamav.net (IP: 206.154.202.13)
> Trying host db.us.clamav.net (206.154.203.213)...
> Downloading daily-6363.cdiff [100%]
> Downloading daily-6364.cdiff [100%]
> Downloading daily-6365.cdiff [100%]
> nonblock_connect: connect timing out (30 secs)
> Can't connect to port 80 of host 206.154.203.213 (IP: 206.154.203.213)
> Can't connect to port 80 of host db.us.clamav.net (IP: 199.239.233.95)
> Trying host db.us.clamav.net (206.154.202.13)...
> Downloading daily-6371.cdiff [100%]
> Downloading daily-6372.cdiff [100%]
> Downloading daily-6373.cdiff [100%]
> Downloading daily-6374.cdiff [100%]
> Downloading daily-6375.cdiff [100%]
> Downloading daily-6376.cdiff [100%]
> Downloading daily-6377.cdiff [100%]
> Downloading daily-6378.cdiff [100%]
> Downloading daily-6379.cdiff [100%]
> nonblock_connect: connect timing out (30 secs)
> Can't connect to port 80 of host 206.154.202.13 (IP: 206.154.202.13)
> ERROR: getpatch: Can't download daily-6380.cdiff from db.us.clamav.net
>
> etc...
>
> Every time you _do_ download any defs, it is from db.us.clamav.net.

It pretty much has to be. The only database address lines in my
freshclam.conf file are:

DatabaseMirror db.us.clamav.net
DatabaseMirror db.local.clamav.net

and I'm located in the US so they both refer to the same thing.

> Possibly an ISP problem? Or router? What happens if you ping the
> places you can't connect to?

I doubt it is a network-related problem of the sort you mention. (Not
that I have any real evidence; this is just an intuition.) At any rate,
I can't ping anything because pings are blocked on my campus network.
Traceroute works, but in all the cases I tried it gets blocked before
reaching the final destination.

Alan Stern
Re: [Clamav-users] clamav 0.91.2 is out. Don't use it.
On Tue, 21 Aug 2007, John Rudd wrote:

> - the problem would be trivial for them to fix, it's just a one line
> change in clamav.h ... all that has to be done is a simple change to
> include CL_SCAN_PHISHING_DOMAINLIST in the definition of CL_SCAN_STDOPT

Why don't you write a patch to fix the problem yourself and post it on
the development mailing list, with appropriate CC's to the people
responsible for maintaining that file?

Alan Stern
Re: [Clamav-users] ClamAV timing out
On Fri, 1 Jun 2007, Rob Sterenborg wrote:

> Start with your mail log, which messages are causing the problem? Are
> they big, do they have certain type of attachments, etc. (all these
> attributes can be controlled with MailScanner) If you can isolate one
> sample, better, that way you'll have something to test directly.
>
> From what I see in the logs it times out on virtually all email. If I
> let the MTA continue receiving and scanning email, it will hang up
> itself.
>
> Have you tested clamav? For instance running clamscan on the test
> directory that comes with the source.
>
> Yes I tested clamscan and it is working, I suppose clamavmodule should
> be working too then.
>
> We also use Sophos so, after I wrote this message I disabled ClamAV and
> tried with just Sophos: the same timeout occurred. So I deleted and
> reinstalled all of ClamAV. At first it didn't timeout but later it
> started again. Next I noticed SpamAssassin also started to timeout *a
> lot*. Since we suffered a crash because of a power outage (it's quite
> silly: the UPSes worked great and we would have survived it if it
> weren't for the airco's that were not connected to an external power
> aggregate. A lot of machines shut down -some more, some less- because
> of heat problems) I figure we have data corruption or something. So,
> I'm not so sure if this is ClamAV related. Maybe this doesn't belong
> here... I'll continue searching.

Are you using clamscan instead of clamdscan? That could be the reason
for your trouble. Both programs take a long time to start up, easily
long enough to overrun a timeout. But clamdscan starts up only once,
whereas clamscan starts up fresh for every new mail message.

Alan Stern
[Clamav-users] Performance decrease with clamav-0.90.2
I upgraded clamav a few days ago from 0.90.1 to 0.90.2 and found that
clamscan's performance had diminished tremendously. The time required to
scan a single 49 KB file increased from 19 seconds to 36 seconds! Now
that scanning for viruses is a factor of two slower, my email server is
constantly bogged down.

What's the story? Is this a bug? Should the performance be that bad?

Alan Stern