Re: [clamav-users] Problem with freshclam
Hi all!

I've just run freshclam again, and it worked. I'll keep an eye on it.

Regards,
Alex

On 29.12.22 15:36, newcomer01 via clamav-users wrote:

Hi @ all,

I have this problem with freshclam since long time and I can't fix it (Ubuntu 22.04.1)

When I run freshclam with a cron job (@reboot) this log comes up:

Thu Dec 29 13:36:51 2022 -> --
Thu Dec 29 13:36:51 2022 -> ClamAV update process started at Thu Dec 29 13:36:51 2022
Thu Dec 29 13:36:51 2022 -> WARNING: Can't query current.cvd.clamav.net
Thu Dec 29 13:36:51 2022 -> WARNING: Invalid DNS reply. Falling back to HTTP mode.
Thu Dec 29 13:36:51 2022 -> Trying to retrieve CVD header from https://database.clamav.net/daily.cvd
Thu Dec 29 13:36:51 2022 -> WARNING: remote_cvdhead: Download failed (6)
Thu Dec 29 13:36:51 2022 -> WARNING: Message: Couldn't resolve host name
Thu Dec 29 13:36:51 2022 -> WARNING: Failed to get daily database version information from server: https://database.clamav.net
Thu Dec 29 13:36:51 2022 -> ERROR: check_for_new_database_version: Failed to find daily database using server https://database.clamav.net.
Thu Dec 29 13:36:51 2022 -> Trying again in 5 secs...
Thu Dec 29 13:36:56 2022 -> Trying to retrieve CVD header from https://database.clamav.net/daily.cvd
Thu Dec 29 13:36:56 2022 -> WARNING: remote_cvdhead: Download failed (6)
Thu Dec 29 13:36:56 2022 -> WARNING: Message: Couldn't resolve host name
Thu Dec 29 13:36:56 2022 -> WARNING: Failed to get daily database version information from server: https://database.clamav.net
Thu Dec 29 13:36:56 2022 -> ERROR: check_for_new_database_version: Failed to find daily database using server https://database.clamav.net.
Thu Dec 29 13:36:56 2022 -> Trying again in 5 secs...
Thu Dec 29 13:37:01 2022 -> Trying to retrieve CVD header from https://database.clamav.net/daily.cvd
Thu Dec 29 13:37:01 2022 -> OK
Thu Dec 29 13:37:01 2022 -> daily database available for download (remote version: 26765)
Thu Dec 29 13:37:12 2022 -> Testing database: '/var/lib/clamav/tmp.3cb7e09743/clamav-85bea499e24cfdaa871411c2b4b92e38.tmp-daily.cvd' ...
Thu Dec 29 13:37:20 2022 -> Database test passed.
Thu Dec 29 13:37:20 2022 -> daily.cvd updated (version: 26765, sigs: 2014567, f-level: 90, builder: raynman)
Thu Dec 29 13:37:20 2022 -> Trying to retrieve CVD header from https://database.clamav.net/main.cvd
Thu Dec 29 13:37:20 2022 -> OK
Thu Dec 29 13:37:20 2022 -> main database available for download (remote version: 62)
Thu Dec 29 13:37:47 2022 -> Testing database: '/var/lib/clamav/tmp.3cb7e09743/clamav-3d85cd963c0af4f35466d5a069aff5e5.tmp-main.cvd' ...
Thu Dec 29 13:37:54 2022 -> Database test passed.
Thu Dec 29 13:37:54 2022 -> main.cvd updated (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
Thu Dec 29 13:37:54 2022 -> Trying to retrieve CVD header from https://database.clamav.net/bytecode.cvd
Thu Dec 29 13:37:54 2022 -> OK
Thu Dec 29 13:37:54 2022 -> bytecode database available for download (remote version: 333)
Thu Dec 29 13:37:54 2022 -> Testing database: '/var/lib/clamav/tmp.3cb7e09743/clamav-e15dec8534c6c98f62a54cdab9ce00fb.tmp-bytecode.cvd' ...
Thu Dec 29 13:37:54 2022 -> Database test passed.
Thu Dec 29 13:37:54 2022 -> bytecode.cvd updated (version: 333, sigs: 92, f-level: 63, builder: awillia2)

When I run the same command later in the day, all is fine. What can I do to solve the issue?

Regards,
Marc

--
Alexander Lochmann PGP key: 0xBC3EF6FD

___
Manage your clamav-users mailing list subscription / unsubscribe: https://lists.clamav.net/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide: https://github.com/Cisco-Talos/clamav-documentation
https://docs.clamav.net/#mailing-lists-and-chat
Re: [clamav-users] freshclam: Verification: Can't verify database integrity
Hi all!

I'm seeing the same issue with ClamAV 0.103.7 on Debian Testing (Bookworm). The freshclam.conf is as provided by the Debian package. Any news on this issue?

Regards,
Alex
Re: [clamav-users] Dealing with weak SSL proxy certificates
> On Wed, Jul 29, 2020 at 1:43 PM Koch, Alexander wrote:
>> Hi clamav-users,
>>
>> I know that the proxy is bad and you can't imagine how much I hate
>> SSL-breaking 'enterprise' security gear, but I cannot do anything about
>> it. Is there a way to make freshclam (or the SSL library it uses) accept
>> weak certificates? Something like '-k' for curl?
> Hello,
>
> Please, check these links:
>
> https://itectec.com/ubuntu/ubuntu-ubuntu-20-04-how-to-set-lower-ssl-security-level/
> https://askubuntu.com/questions/1233186/ubuntu-20-04-how-to-set-lower-ssl-security-level
> https://unix.stackexchange.com/questions/537279/overriding-openssl-cipherstring-at-a-more-granular-level-in-debian-10
>
> Hope it helps.
>

Thanks, I'll go with the 'SECLEVEL=1' workaround until our proxy gets fixed.

Best regards,
Alex
[clamav-users] Dealing with weak SSL proxy certificates
Hi clamav-users,

I just upgraded one of our Linux machines from Ubuntu 18.04 to 20.04. It seems that the ClamAV package (although having the same version as in 18.04) has been built with stronger OpenSSL/cURL flags. Freshclam is no longer able to fetch definition updates due to a weak SSL certificate that is presented by our (crappy) corporate proxy:

* Connected to proxy.company.lan (172.22.xxx.yyy) port 8080 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to database.clamav.net:443
> CONNECT database.clamav.net:443 HTTP/1.1
Host: database.clamav.net:443
User-Agent: ClamAV/0.102.4 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Proxy-Connection: Keep-Alive
< HTTP/1.1 200 Connection established
< Proxy-Connection: keep-alive
<
* Proxy replied 200 to CONNECT request
* CONNECT phase completed!
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* CONNECT phase completed!
* CONNECT phase completed!
* SSL certificate problem: *EE certificate key too weak*
* Closing connection 0

I know that the proxy is bad and you can't imagine how much I hate SSL-breaking 'enterprise' security gear, but I cannot do anything about it. Is there a way to make freshclam (or the SSL library it uses) accept weak certificates? Something like '-k' for curl?

I've already tried changing to plain HTTP for database downloads, but this doesn't work either:

!downloadFile: Unexpected response (0) from http://database.clamav.net/daily.cvd (Proxy: proxy.company.lan:8080)

Thanks in advance for any recommendations!

Best regards,
Alex
[clamav-users] IDSESSION debugging
Hi all,

I was hoping someone might have some advice on debugging an IDSESSION command when streaming content to the clamav daemon. I'm trying to understand why small files (<=1 mb) are being processed appropriately but when I scale the file up to 2 mb or so, it just spins until it times out. There's nothing in the logs, and when I check clamdTOP it doesn't look like anything's actually made it to the daemon. Is there a better place to look for debugging information?

Thanks!
Re: [clamav-users] Structuring instream calls to clamd
Thanks for the response, Micah. If the benefits are, indeed, unclear, then I probably won't be futzing much with a perfectly functional implementation in the near future--but if I do any experiments, I'll be sure to share the results.

- Alex

From: clamav-users on behalf of Micah Snyder (micasnyd)
Sent: Tuesday, October 30, 2018 1:08:08 PM
To: ClamAV users ML
Subject: Re: [clamav-users] Structuring instream calls to clamd

Hi Alex,

I don't like seeing a well researched question go un-answered, though I don't have a very good answer for you. We don't have any documentation from any previous work to say if there is an optimum chunk size for TCP sockets or unix sockets.

Intuitively, if you're using a TCP socket, particularly if sending over the network (hopefully using an encrypted SSH tunnel) then chunking will probably be done for you, and if you do chunking then ensuring that your chunk size is lower than the MTU for the TCP/IP stack may prevent you from sending ittybitty chunks every other packet.

If you're using a unix local socket, I really don't know if chunking buys you anything.

If you do end up doing some testing, it would be interesting to find out what you learn.

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

On Oct 29, 2018, at 3:32 PM, Wreschnig, Alexander Scott <as...@pitt.edu> wrote:

I have what is hopefully a quick question regarding clamd. What’s a good method for determining ideal chunk sizes when streaming data to the daemon over a socket connection? Or should I ignore chunking altogether and just stream one big contiguous file?

The background: I’ve developed a very simple plugin for an unrelated application that sends user-uploaded files of varying formats to clamd over a socket for some basic virus scanning. At the moment, and based on some of the clamd documentation, it loops over each file grabbing small chunks at a time and streams each of those chunks to clamd. It’s working fine, so I can in theory leave it exactly as-is. But I used an arbitrary value for chunk size and as I’m looking more closely I’m having a hard time finding documentation on how this works or what my chunk size should be (beyond the maximum chunk size, which I can see is StreamMaxLength).

For reference, from man clamd:

“The stream is sent to clamd in chunks, after INSTREAM, on the same socket on which the command was sent. This avoids the overhead of establishing new TCP connections and problems with NAT. The format of the chunk is: '' where is the size of the following data in bytes expressed as a 4 byte unsigned integer in network byte order and is the actual chunk. Streaming is terminated by sending a zero-length chunk. Note: do not exceed StreamMaxLength as defined in clamd.conf […]”

StreamMaxLength, on the other hand, is documented as

“[…] This option allows you to specify the upper limit for data size that will be transfered to remote daemon when scanning a single file. It should match your MTA's limit for a maximum attachment size.”

Looking at this combination I’m wondering if, since I’m only worrying about attachments (which by definition shouldn’t be larger than maximum attachment size), there’s another good reason to chunk things up or if I should just stream everything in one go.

Sorry if there’s an obvious answer staring at me and I’m not seeing it—I swear I looked! And thanks for any advice.

— Alex Wreschnig
[clamav-users] Structuring instream calls to clamd
I have what is hopefully a quick question regarding clamd. What's a good method for determining ideal chunk sizes when streaming data to the daemon over a socket connection? Or should I ignore chunking altogether and just stream one big contiguous file?

The background: I've developed a very simple plugin for an unrelated application that sends user-uploaded files of varying formats to clamd over a socket for some basic virus scanning. At the moment, and based on some of the clamd documentation, it loops over each file grabbing small chunks at a time and streams each of those chunks to clamd. It's working fine, so I can in theory leave it exactly as-is. But I used an arbitrary value for chunk size and as I'm looking more closely I'm having a hard time finding documentation on how this works or what my chunk size should be (beyond the maximum chunk size, which I can see is StreamMaxLength).

For reference, from man clamd:

"The stream is sent to clamd in chunks, after INSTREAM, on the same socket on which the command was sent. This avoids the overhead of establishing new TCP connections and problems with NAT. The format of the chunk is: '' where is the size of the following data in bytes expressed as a 4 byte unsigned integer in network byte order and is the actual chunk. Streaming is terminated by sending a zero-length chunk. Note: do not exceed StreamMaxLength as defined in clamd.conf [...]"

StreamMaxLength, on the other hand, is documented as

"[...] This option allows you to specify the upper limit for data size that will be transfered to remote daemon when scanning a single file. It should match your MTA's limit for a maximum attachment size."

Looking at this combination I'm wondering if, since I'm only worrying about attachments (which by definition shouldn't be larger than maximum attachment size), there's another good reason to chunk things up or if I should just stream everything in one go.

Sorry if there's an obvious answer staring at me and I'm not seeing it-I swear I looked! And thanks for any advice.

- Alex Wreschnig
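
The INSTREAM framing quoted from man clamd in the message above (a 4-byte network-order length before each chunk, a zero-length chunk to finish, a total bounded by StreamMaxLength), as an added example that is not part of the original post and not ClamAV project code. It frames the same payload with several chunk sizes and reassembles it on a stand-in receiver; the chunk sizes, the 1 MiB and 25 MiB limits, the helper names and the constructed "stream: OK" reply are assumptions for the demo.

```python
import io
import socket
import struct
import threading

INSTREAM_CMD = b"zINSTREAM\0"   # 'z' prefix: command and reply are NUL-terminated
LENGTH = struct.Struct("!I")    # 4-byte unsigned integer, network byte order


class StreamTooLarge(ValueError):
    """Raised when the stream would exceed the configured StreamMaxLength."""


def instream_frames(stream, chunk_size=8192, stream_max_length=25 * 1024 * 1024):
    """Yield the exact byte strings a client writes for one INSTREAM scan.

    chunk_size is a free client-side choice (assumed value); stream_max_length
    must mirror StreamMaxLength in the target clamd.conf (assumed value here).
    """
    if chunk_size <= 0:
        raise ValueError("chunk_size must be positive")
    yield INSTREAM_CMD
    total = 0
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        total += len(chunk)
        if total > stream_max_length:
            # Refuse locally rather than have the daemon abort the session.
            raise StreamTooLarge(f"{total} bytes exceeds limit {stream_max_length}")
        yield LENGTH.pack(len(chunk)) + chunk
    yield LENGTH.pack(0)        # zero-length chunk terminates the stream


def _recv_exact(sock, n):
    """Read exactly n bytes; recv() may return fewer than requested."""
    buf = bytearray()
    while len(buf) < n:
        part = sock.recv(n - len(buf))
        if not part:
            raise ConnectionError("peer closed mid-frame")
        buf += part
    return bytes(buf)


def read_instream(sock, stream_max_length):
    """Receiving side of the framing: a stand-in for clamd, used by demo()."""
    if _recv_exact(sock, len(INSTREAM_CMD)) != INSTREAM_CMD:
        raise ValueError("expected zINSTREAM")
    payload = bytearray()
    while True:
        (size,) = LENGTH.unpack(_recv_exact(sock, LENGTH.size))
        if size == 0:
            return bytes(payload)
        if len(payload) + size > stream_max_length:
            raise StreamTooLarge("INSTREAM size limit exceeded")
        payload += _recv_exact(sock, size)


def scan_stream(sock, stream, **kwargs):
    """Send one stream over sock and return the NUL-terminated reply as text."""
    for frame in instream_frames(stream, **kwargs):
        sock.sendall(frame)
    reply = bytearray()
    while not reply.endswith(b"\0"):
        part = sock.recv(4096)
        if not part:
            break
        reply += part
    return reply.rstrip(b"\0").decode("ascii", "replace")


def demo(payload, chunk_size, limit=1 << 20):
    """Round-trip payload over a local socketpair with a fake daemon thread."""
    client, server = socket.socketpair()
    seen = {}

    def fake_clamd():
        seen["data"] = read_instream(server, limit)
        server.sendall(b"stream: OK\0")  # constructed reply; nothing is scanned

    worker = threading.Thread(target=fake_clamd)
    worker.start()
    try:
        reply = scan_stream(client, io.BytesIO(payload),
                            chunk_size=chunk_size, stream_max_length=limit)
    finally:
        client.close()
        worker.join()
        server.close()
    return reply, seen["data"]
```

The receiver reassembles identical bytes for every chunk size, so chunk size only affects how the client reads and writes; the limit that matters is the total stream length.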
Re: [clamav-users] daily-23474 & daily-23475 updates are failing to load
draynor at sourcefire.com wrote:
> To work around the trouble, you can add the "Win.Worm.Fadok-6328944-0" to a local ign2 file in the same directory as the daily.cvd or daily.cld and any affected ClamAV versions will load properly.

I am seeing the issue in 0.98.6 and I tried to create a ign2 file, however this doesn't fix the issue, it looks like the entry is processed regardless.

Is there another way to fix that other than waiting for the update?

Thanks.
Alexander

--
Alexander Lehmann <alexl...@gmail.com>
https://about.me/alexlehm
[clamav-users] on access scan ubuntu 14.04
Hi

I'm trying to configure on access scan in my clamav ubuntu installation.

In clamd.conf I set the following:

ScanOnAccess true
OnAccessIncludePath /home

When start clamd-daemon (sudo /etc/init.d/clamav-daemon start) in /var/log/clamav/clamav.log appears the following

" ERROR: ScanOnAccess: fanotify_init failed: Operation not permited"
" ScanOnAccess: clamd must be satarted by root"

Then I edit the configuration file clamd.conf and change the line: "User clamav" to "User root"

And try to start clamav-daemon again and the following error appears in the console: "ERROR: initgroups () failed"

Am I doing things well?

My clamav version is 0.98.7

Greetings
Re: [clamav-users] Trying to track down bug using lsof clamscan/clamdscan.. odd behavior
Sure, it's not really relevant to ClamAV which is why I omitted it but basically the logic in our node application was incorrect so we were returning a status before the stream was closed which was causing our problem.

On Fri, Aug 28, 2015 at 1:25 PM, Shawn Webb latt...@gmail.com wrote:

Would it be possible to share that knowledge so that others who may have the same experience can draw from yours?

On Friday, 28 August 2015 05:22:16 PM Alexander Urcioli wrote:

I'm happy to report we located the bug which was not at all due to clamav. However knowledge gained! Thanks everyone.

On Fri, Aug 28, 2015, 12:31 Shawn Webb latt...@gmail.com wrote:

On Thursday, 27 August 2015 01:48:00 PM Charles Swiger wrote:

On Aug 27, 2015, at 1:13 PM, Alexander Urcioli alex...@gmail.com wrote:

We were running into an issue where larger files were not able to be moved after scanning with ClamAV. Our hypothesis was that perhaps the process has not released access to the file and we were experiencing a race condition. Upon investigating I attempted to monitor the file we were scanning using lsof on repeat mode. To my surprise, upon scanning a 900MB file with clamscan and clamdscan, lsof never lists the file as being opened by anything...

It's not unusual for programs to read file data via mmap() rather than open(). That said, it's also quite possible that a 900 MB file is being skipped entirely due to MaxScanSize setting, which defaults to 100 MB unless you have changed it.

A file descriptor still has to be opened for mmap. lsof would show that file as being opened. Your thinking about ClamAV's scan size settings are likely correct. What I'd do is scan that one archive with verbose debugging mode enabled in clamscan. That will tell you if ClamAV skipped the file due to scan size limits.

Thanks,
Shawn
Re: [clamav-users] Trying to track down bug using lsof clamscan/clamdscan.. odd behavior
I'm happy to report we located the bug which was not at all due to clamav. However knowledge gained! Thanks everyone.

On Fri, Aug 28, 2015, 12:31 Shawn Webb latt...@gmail.com wrote:

On Thursday, 27 August 2015 01:48:00 PM Charles Swiger wrote:

On Aug 27, 2015, at 1:13 PM, Alexander Urcioli alex...@gmail.com wrote:

We were running into an issue where larger files were not able to be moved after scanning with ClamAV. Our hypothesis was that perhaps the process has not released access to the file and we were experiencing a race condition. Upon investigating I attempted to monitor the file we were scanning using lsof on repeat mode. To my surprise, upon scanning a 900MB file with clamscan and clamdscan, lsof never lists the file as being opened by anything...

It's not unusual for programs to read file data via mmap() rather than open(). That said, it's also quite possible that a 900 MB file is being skipped entirely due to MaxScanSize setting, which defaults to 100 MB unless you have changed it.

A file descriptor still has to be opened for mmap. lsof would show that file as being opened. Your thinking about ClamAV's scan size settings are likely correct. What I'd do is scan that one archive with verbose debugging mode enabled in clamscan. That will tell you if ClamAV skipped the file due to scan size limits.

Thanks,
Shawn
Re: [clamav-users] Trying to track down bug using lsof clamscan/clamdscan.. odd behavior
Ah, I thought it would be something like that (mmap) but also yes my MaxScanSize setting was at 100 MB. Thank you for the prompt reply. At this point I am skeptical of my hypothesis that clamav is not releasing the file.

Thanks

On Thu, Aug 27, 2015 at 4:48 PM, Charles Swiger cswi...@mac.com wrote:

On Aug 27, 2015, at 1:13 PM, Alexander Urcioli alex...@gmail.com wrote:

We were running into an issue where larger files were not able to be moved after scanning with ClamAV. Our hypothesis was that perhaps the process has not released access to the file and we were experiencing a race condition. Upon investigating I attempted to monitor the file we were scanning using lsof on repeat mode. To my surprise, upon scanning a 900MB file with clamscan and clamdscan, lsof never lists the file as being opened by anything...

It's not unusual for programs to read file data via mmap() rather than open(). That said, it's also quite possible that a 900 MB file is being skipped entirely due to MaxScanSize setting, which defaults to 100 MB unless you have changed it.

Regards,
--
-Chuck
Re: [clamav-users] Compiling error: /usr/lib/libxml2.so: error adding symbols: File in wrong format
Shawn,

v0.98.4-rc1 now compiled perfectly with the patch applied.

Thanks for the great support
Alexander

On 20.05.2014 16:53, Shawn Webb wrote:

On Mon, May 19, 2014 at 2:52 PM, MarkusGMX markus@gmx.at wrote:

On 16/05/14 17:57, Alexander Tampermeier wrote:

Sadly, the libxml2-error still persists in v0.98.4-rc1. Hope, it can be fixed soon. [...]

:-( I am also waiting for a bugfix for the build process.

ME

Hey Markus and Alexander,

I have a candidate patch that applies to 0.98.4-rc1. Can you test the candidate patch pasted here: http://ix.io/cvE

The patch is also attached to this email.

Thanks,
Shawn
Re: [clamav-users] Compiling error: /usr/lib/libxml2.so: error adding symbols: File in wrong format
Sadly, the libxml2-error still persists in v0.98.4-rc1. Hope, it can be fixed soon.

Regards
Alexander

On 14.05.2014 01:19, MarkusGMX wrote:

On 08/05/14 22:52, Alexander Tampermeier wrote:

Dave, thank you for your detailed response. First, I tried to configure with option --disable-xml as you suggested but this attempt led to further problems:

CC libclamav_internal_utils_la-regerror.lo
CC libclamav_internal_utils_la-regexec.lo
CC libclamav_internal_utils_la-regfree.lo
CCLD libclamav_internal_utils.la
CCLD libclamav.la
/usr/bin/ld: skipping incompatible /usr/lib/libz.so when searching for -lz
/usr/bin/ld: skipping incompatible /usr/lib/libz.a when searching for -lz
/usr/bin/ld: skipping incompatible /usr/lib/libbz2.so when searching for -lbz2
/usr/bin/ld: skipping incompatible /usr/lib/libbz2.a when searching for -lbz2
/usr/lib/libltdl.so: error adding symbols: File in wrong format
collect2: error: ld returned 1 exit status

Similar errors with clamav-0.98.3 here with an older SuSE 12.1:

/usr/lib64/gcc/x86_64-suse-linux/4.6/../../../../x86_64-suse-linux/bin/ld: skipping incompatible /usr/lib/libz.so when searching for -lz
/usr/lib/libltdl.so: could not read symbols: File in wrong format
collect2: ld returned 1 exit status
make[4]: *** [libclamav.la] Error 1

clamav-0.98.1 just compiles fine. First time that I have compile problems with clamav afair. Any solution for this?

BR
Markus
Re: [clamav-users] Compiling error: /usr/lib/libxml2.so: error adding symbols: File in wrong format
Matus,

thank you for your response and for pointing out the arch-independence of the includes.

uname -a gives (I hope that answers your question; if not, please let me know):

Linux myhost 3.13.0-rc8 #1 SMP Sun Jan 26 14:27:15 CET 2014 x86_64 Intel(R) Core(TM)2 Duo CPU E6850 @ 3.00GHz GenuineIntel GNU/Linux

The system was built according to Cross-Compiled Linux from scratch, x86_64 (http://cross-lfs.org/view/svn/x86_64/). There are /lib and /usr/lib directories holding the 32bit-libraries as well as /lib64 and /usr/lib64 directories holding the 64bit-libraries. These are no links.

There is a tiny /usr/bin/multiarch_wrapper executable as well which will execute either 32bit or 64bit programs based on the USE_ARCH variable. According to http://cross-lfs.org/view/svn/x86_64/final-system/multiarch_wrapper.html the multiarch-wrapper is used to wrap certain binaries that have hardcoded paths to libraries or are architecture specific. Although I do not understand the specifics I can attest that I have been using this architecture for several years and never experienced similar issues.

As I understand it: For example, there are three binaries for xml2-config (/usr/bin/xml2-config, /usr/bin/xml2-config-32, /usr/bin/xml2-config-64), with /usr/bin/xml2-config being just a symlink to /usr/bin/multiarch_wrapper. So, if /usr/bin/xml2-config is executed, the multiarch-wrapper gets executed and decides to execute either the 32bit or the 64bit binary depending on the contents of the environment variable USE_ARCH=32. If USE_ARCH holds 32 then the 32bit executable is run, otherwise the 64bit executable.

Regards
Alexander

On 09.05.2014 10:25, Matus UHLAR - fantomas wrote:

On 08.05.14 22:52, Alexander Tampermeier wrote:

So, I got into the same error adding symbols-trouble as before with libxml2, now with libltdl. First I thought, that this might be a general issue with my libraries. But then I tried to recompile several packages including php (which also uses libxml2) and everything compiled perfectly. This makes me believe that this issue might not be related to my system only.

Apparently clamav compilation detects wrong system architecture. What is the current kernel arch running on, and where do /lib and /usr/lib point to?

But what definitely is strange: xml2-config-32 --libs and xml2-config-64 --libs both bring the same result:

-lxml2 -lz -lm -ldl

./xml2-config-32 --cflags and ./xml2-config-64 --cflags both bring the same result:

-I/usr/include/libxml2

I don't find this strange. You need the same includes (arch-independent) and the same libraries (although from different directories).
Re: [clamav-users] Compiling error: /usr/lib/libxml2.so: error adding symbols: File in wrong format
Hello Shawn,

thank you for your response.

This is output of 'file /usr/lib/libxml2.so':

/usr/lib/libxml2.so: symbolic link to `libxml2.so.2.9.1'

And 'file /usr/lib/libxml2.so.2.9.1' outputs:

/usr/lib/libxml2.so.2.9.1: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, not stripped

As my box is cross compiled x86/x64 there are also 64bit libraries, so that 'file /usr/lib64/libxml2.so' gives:

/usr/lib64/libxml2.so: symbolic link to `libxml2.so.2.9.1'

And file 'file /usr/lib64/libxml2.so.2.9.1' outputs:

/usr/lib64/libxml2.so.2.9.1: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, not stripped

This is my configure command (building 64bit):

CC=gcc ${BUILD64} ./configure --prefix=/usr --sysconfdir=/etc/clamav --with-zlib=/usr --with-dbdir=/usr/share/clamav

Where 'echo ${BUILD64}' outputs:

-m64

I pasted the content of my config.log at http://de.pastebin.de/124754

Regards
Alexander

On 08.05.2014 07:52, Shawn Webb wrote:

What's the output of this command: file /usr/lib/libxml2.so

Can you paste (preferably to a pastebin service) your config.log? What options did you pass to ./configure?

On Thu, May 8, 2014 at 1:48 AM, Alexander Tampermeier alexan...@tampermeier.at wrote:

I have been using ClamAV on my Linux box (Cross Compiled Linux from Scratch; gcc 4.8.2) for years now and it always compiled well. Now, compiling version 0.98.3 (and also in 0.98.2) I get the following compiling error:

CC libclamav_la-fp_sqr_comba_8.lo
CC libclamav_la-fp_sqr_comba_9.lo
CC libclamav_la-fp_sqr_comba_generic.lo
CC libclamav_la-fp_sqr_comba_small_set.lo
CC libclamav_la-fp_sqrmod.lo
CC libclamav_internal_utils_la-str.lo
CC libclamav_internal_utils_la-crypto.lo
CC libclamav_internal_utils_la-iowrap.lo
CC libclamav_internal_utils_la-others_common.lo
CC libclamav_internal_utils_la-qsort.lo
CC libclamav_internal_utils_la-regcomp.lo
CC libclamav_internal_utils_la-regerror.lo
CC libclamav_internal_utils_la-regexec.lo
CC libclamav_internal_utils_la-regfree.lo
CCLD libclamav_internal_utils.la
CCLD libclamav.la
/usr/lib/libxml2.so: error adding symbols: File in wrong format
collect2: error: ld returned 1 exit status
Makefile:969: recipe for target 'libclamav.la' failed
make[4]: *** [libclamav.la] Error 1
make[4]: Leaving directory '/j/development/clamav-0.98.3/libclamav'
Makefile:3011: recipe for target 'all-recursive' failed
make[3]: *** [all-recursive] Error 1
make[3]: Leaving directory '/j/development/clamav-0.98.3/libclamav'
Makefile:893: recipe for target 'all' failed
make[2]: *** [all] Error 2
make[2]: Leaving directory '/j/development/clamav-0.98.3/libclamav'
Makefile:649: recipe for target 'all-recursive' failed
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory '/j/development/clamav-0.98.3'
Makefile:477: recipe for target 'all' failed
make: *** [all] Error 2

Does anybody know how to get around this? I already recompiled libxml2 (v2.9.1) but the error persists. ClamAV v0.98.1 still compiles perfectly.

Regards
Alexander
Re: [clamav-users] Compiling error: /usr/lib/libxml2.so: error adding symbols: File in wrong format
Hello Shawn, I executed 'make clean distclean'. I pasted the output of command #2 (CC=gcc ${BUILD64} ./configure ...) at http://de.pastebin.de/124756 Output of command #3 (make) is pasted at http://de.pastebin.de/124757 Regards Alexander Am 08.05.2014 08:40, schrieb Shawn Webb: Can you run these commands, and paste the output of commands 2 and 3 to your pastebin service (friendly remember to pipe stderr to stdout): 1. make clean distclean 2. CC=gcc ${BUILD64} ./configure --prefix=/usr --sysconfdir=/etc/clamav --with-zlib=/usr --with-dbdir=/usr/share/clamav --disable-silent-rules 3. make Thanks, Shawn On Thu, May 8, 2014 at 2:33 AM, Alexander Tampermeier alexan...@tampermeier.at wrote: Hello Shawn, thank you for your response. This is output of 'file /usr/lib/libxml2.so': /usr/lib/libxml2.so: symbolic link to `libxml2.so.2.9.1' And 'file /usr/lib/libxml2.so.2.9.1' outputs: /usr/lib/libxml2.so.2.9.1: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, not stripped As my box is cross compiled x86/x64 there are also 64bit libraries, so that 'file /usr/lib64/libxml2.so' gives: /usr/lib64/libxml2.so: symbolic link to `libxml2.so.2.9.1' And file 'file /usr/lib64/libxml2.so.2.9.1' outputs: /usr/lib64/libxml2.so.2.9.1: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, not stripped This is my configure command (building 64bit): CC=gcc ${BUILD64} ./configure --prefix=/usr --sysconfdir=/etc/clamav --with-zlib=/usr --with-dbdir=/usr/share/clamav Where 'echo ${BUILD64}' outputs: -m64 I pasted the content of my config.log at http://de.pastebin.de/124754 Regards Alexander Am 08.05.2014 07:52, schrieb Shawn Webb: What's the output of this command: file /usr/lib/libxml2.so Can you paste (preferably to a pastebin service) your config.log? What options did you pass to ./configure? 
On Thu, May 8, 2014 at 1:48 AM, Alexander Tampermeier alexan...@tampermeier.at wrote: I have been using ClamAV on my Linux box (Cross Compiled Linux from Scratch; gcc 4.8.2) for years now and it always compiled well. Now, compiling version 0.98.3 (and also in 0.98.2) I get the following compiling error: CC libclamav_la-fp_sqr_comba_8.lo CC libclamav_la-fp_sqr_comba_9.lo CC libclamav_la-fp_sqr_comba_generic.lo CC libclamav_la-fp_sqr_comba_small_set.lo CC libclamav_la-fp_sqrmod.lo CC libclamav_internal_utils_la-str.lo CC libclamav_internal_utils_la-crypto.lo CC libclamav_internal_utils_la-iowrap.lo CC libclamav_internal_utils_la-others_common.lo CC libclamav_internal_utils_la-qsort.lo CC libclamav_internal_utils_la-regcomp.lo CC libclamav_internal_utils_la-regerror.lo CC libclamav_internal_utils_la-regexec.lo CC libclamav_internal_utils_la-regfree.lo CCLD libclamav_internal_utils.la CCLD libclamav.la /usr/lib/libxml2.so: error adding symbols: File in wrong format collect2: error: ld returned 1 exit status Makefile:969: recipe for target 'libclamav.la' failed make[4]: *** [libclamav.la] Error 1 make[4]: Leaving directory '/j/development/clamav-0.98.3/libclamav' Makefile:3011: recipe for target 'all-recursive' failed make[3]: *** [all-recursive] Error 1 make[3]: Leaving directory '/j/development/clamav-0.98.3/libclamav' Makefile:893: recipe for target 'all' failed make[2]: *** [all] Error 2 make[2]: Leaving directory '/j/development/clamav-0.98.3/libclamav' Makefile:649: recipe for target 'all-recursive' failed make[1]: *** [all-recursive] Error 1 make[1]: Leaving directory '/j/development/clamav-0.98.3' Makefile:477: recipe for target 'all' failed make: *** [all] Error 2 Does anybody know how to get around this? I already recompiled libxml2 (v2.9.1) but the error persists. ClamAV v0.98.1 still compiles perfectly. 
Regards Alexander ___ Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/support/ml
Re: [clamav-users] Compiling error: /usr/lib/libxml2.so: error adding symbols: File in wrong format
Shawn, I am very sorry. Obviously I mixed something up totally. Here is the corrected output of the configure command (now including option --disable-silent-rules): http://de.pastebin.de/124760 And here is the corrected output of the make command: http://de.pastebin.de/124761 Regards Alexander On 08.05.2014 09:29, Shawn Webb wrote: Did you add the --disable-silent-rules to your ./configure run? It looks like step 3 is still producing friendly output. On Thu, May 8, 2014 at 3:21 AM, Alexander Tampermeier alexan...@tampermeier.at wrote: Hello Shawn, I executed 'make clean distclean'. I pasted the output of command #2 (CC=gcc ${BUILD64} ./configure ...) at http://de.pastebin.de/124756 Output of command #3 (make) is pasted at http://de.pastebin.de/124757 Regards Alexander On 08.05.2014 08:40, Shawn Webb wrote: Can you run these commands, and paste the output of commands 2 and 3 to your pastebin service (friendly remember to pipe stderr to stdout): 1. make clean distclean 2. CC=gcc ${BUILD64} ./configure --prefix=/usr --sysconfdir=/etc/clamav --with-zlib=/usr --with-dbdir=/usr/share/clamav --disable-silent-rules 3. make Thanks, Shawn On Thu, May 8, 2014 at 2:33 AM, Alexander Tampermeier alexan...@tampermeier.at wrote: Hello Shawn, thank you for your response.
This is output of 'file /usr/lib/libxml2.so': /usr/lib/libxml2.so: symbolic link to `libxml2.so.2.9.1' And 'file /usr/lib/libxml2.so.2.9.1' outputs: /usr/lib/libxml2.so.2.9.1: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, not stripped As my box is cross compiled x86/x64 there are also 64bit libraries, so that 'file /usr/lib64/libxml2.so' gives: /usr/lib64/libxml2.so: symbolic link to `libxml2.so.2.9.1' And file 'file /usr/lib64/libxml2.so.2.9.1' outputs: /usr/lib64/libxml2.so.2.9.1: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, not stripped This is my configure command (building 64bit): CC=gcc ${BUILD64} ./configure --prefix=/usr --sysconfdir=/etc/clamav --with-zlib=/usr --with-dbdir=/usr/share/clamav Where 'echo ${BUILD64}' outputs: -m64 I pasted the content of my config.log at http://de.pastebin.de/124754 Regards Alexander On 08.05.2014 07:52, Shawn Webb wrote: What's the output of this command: file /usr/lib/libxml2.so Can you paste (preferably to a pastebin service) your config.log? What options did you pass to ./configure? On Thu, May 8, 2014 at 1:48 AM, Alexander Tampermeier alexan...@tampermeier.at wrote: I have been using ClamAV on my Linux box (Cross Compiled Linux from Scratch; gcc 4.8.2) for years now and it always compiled well.
Now, compiling version 0.98.3 (and also in 0.98.2) I get the following compiling error: CC libclamav_la-fp_sqr_comba_8.lo CC libclamav_la-fp_sqr_comba_9.lo CC libclamav_la-fp_sqr_comba_generic.lo CC libclamav_la-fp_sqr_comba_small_set.lo CC libclamav_la-fp_sqrmod.lo CC libclamav_internal_utils_la-str.lo CC libclamav_internal_utils_la-crypto.lo CC libclamav_internal_utils_la-iowrap.lo CC libclamav_internal_utils_la-others_common.lo CC libclamav_internal_utils_la-qsort.lo CC libclamav_internal_utils_la-regcomp.lo CC libclamav_internal_utils_la-regerror.lo CC libclamav_internal_utils_la-regexec.lo CC libclamav_internal_utils_la-regfree.lo CCLD libclamav_internal_utils.la CCLD libclamav.la /usr/lib/libxml2.so: error adding symbols: File in wrong format collect2: error: ld returned 1 exit status Makefile:969: recipe for target 'libclamav.la' failed make[4]: *** [libclamav.la] Error 1 make[4]: Leaving directory '/j/development/clamav-0.98.3/libclamav' Makefile:3011: recipe for target 'all-recursive' failed make[3]: *** [all-recursive] Error 1 make[3]: Leaving directory '/j/development/clamav-0.98.3/libclamav' Makefile:893: recipe for target 'all' failed make[2]: *** [all] Error 2 make[2]: Leaving directory '/j/development/clamav-0.98.3/libclamav' Makefile:649: recipe for target 'all-recursive' failed make[1]: *** [all-recursive] Error 1 make[1]: Leaving directory '/j/development/clamav-0.98.3' Makefile:477: recipe for target 'all' failed make: *** [all] Error 2 Does anybody know how to get around this? I already recompiled libxml2 (v2.9.1) but the error persists. ClamAV v0.98.1 still compiles perfectly. 
Regards Alexander ___ Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/support/ml
Re: [clamav-users] Compiling error: /usr/lib/libxml2.so: error adding symbols: File in wrong format
Dave, thank you for your detailed response. First, I tried to configure with option --disable-xml as you suggested but this attempt led to further problems: CC libclamav_internal_utils_la-regerror.lo CC libclamav_internal_utils_la-regexec.lo CC libclamav_internal_utils_la-regfree.lo CCLD libclamav_internal_utils.la CCLD libclamav.la /usr/bin/ld: skipping incompatible /usr/lib/libz.so when searching for -lz /usr/bin/ld: skipping incompatible /usr/lib/libz.a when searching for -lz /usr/bin/ld: skipping incompatible /usr/lib/libbz2.so when searching for -lbz2 /usr/bin/ld: skipping incompatible /usr/lib/libbz2.a when searching for -lbz2 /usr/lib/libltdl.so: error adding symbols: File in wrong format collect2: error: ld returned 1 exit status Makefile:969: recipe for target 'libclamav.la' failed make[4]: *** [libclamav.la] Error 1 make[4]: Leaving directory '/j/development/clamav-0.98.3/libclamav' Makefile:3011: recipe for target 'all-recursive' failed make[3]: *** [all-recursive] Error 1 make[3]: Leaving directory '/j/development/clamav-0.98.3/libclamav' Makefile:893: recipe for target 'all' failed make[2]: *** [all] Error 2 make[2]: Leaving directory '/j/development/clamav-0.98.3/libclamav' Makefile:649: recipe for target 'all-recursive' failed make[1]: *** [all-recursive] Error 1 make[1]: Leaving directory '/j/development/clamav-0.98.3' Makefile:477: recipe for target 'all' failed make: *** [all] Error 2 So, I got into the same error adding symbols-trouble as before with libxml2, now with libltdl. First I thought, that this might be a general issue with my libraries. But then I tried to recompile several packages including php (which also uses libxml2) and everything compiled perfectly. This makes me believe that this issue might not be related to my system only. 
My Cross-Compiled Linux From Scratch system relies on a multiarch-wrapper script as described in http://cross-lfs.org/view/CLFS-2.1.0/x86_64/final-system/multiarch_wrapper.html to switch between 32bit and 64bit. I tested this wrapper script and it definitely can switch between 32bit and 64bit as expected. I also tried to temporarily substitute xml2-config for 32bit with the one used for 64bit as you suggested but that also ends up in a compilation error: CCLD libclamav_internal_utils.la CCLD libclamav.la /usr/lib/libxml2.so: error adding symbols: File in wrong format collect2: error: ld returned 1 exit status Makefile:969: recipe for target 'libclamav.la' failed The permanent workaround you suggested also led to the error adding symbols-error as described above. But what definitely is strange: xml2-config-32 --libs and xml2-config-64 --libs both bring the same result: -lxml2 -lz -lm -ldl ./xml2-config-32 --cflags and ./xml2-config-64 --cflags both bring the same result: -I/usr/include/libxml2 So finally, I temporarily changed both scripts (xml2-config-32 and xml2-config-64) to always give back -L/usr/lib64 -lxml2 -lz -lm -ldl when calling either script with option --cflags directly or by calling the wrapper script xml2-config. But this still resulted in the same error as described above. Could this mean that the reason for the compilation error might not (only) lie in xml2-config? What really is confusing: As clamav v0.98.1 and other packages still compile perfectly I suspect that the issue has also something to do with changes in clamav v0.98.2 and 0.98.3 regarding the way clamav searches for needed libraries. Could you verify such a conclusion? Regards Alexander On 08.05.2014 18:15, David Raynor wrote: Alexander, For libxml2, the configure script is finding and running the xml2-config script that is part of a typical xml2 install to get the appropriate CFLAGS and LIBS values to get to libxml2.
Your fallback option, if this gets too complicated, is to simply run configure with --disable-xml and avoid the impacted use cases and code paths. If you want to get it working with xml enabled, I will outline some choices you have for getting the proper libs pointed to. The ClamAV configure script is finding the xml2-config script and running it based on these lines in your config.log output:
checking for libxml2 installation... /usr
checking xml2-config version... 2.9.1
checking for xmlreader.h in /usr... found
checking for xmlTextReaderRead in -lxml2... yes
configure: Compiling and linking with libxml2 from /usr
In your case, the xml2-config is finding and reporting the 32-bit versions from /usr/lib. You should be able to see what it is reporting by running 'xml2-config --libs'. A little bit more info about that helper script is available here as questions 1 and 2 in their Developers Corner section: http://xmlsoft.org/FAQ.html You can work around this, as long as you have an xml2-config script that will report the --libs and --cflags values that correspond to your 64-bit libraries instead of the 32-bit ones. But this is exactly why we need a script like
[clamav-users] Compiling error: /usr/lib/libxml2.so: error adding symbols: File in wrong format
I have been using ClamAV on my Linux box (Cross Compiled Linux from Scratch; gcc 4.8.2) for years now and it always compiled well. Now, compiling version 0.98.3 (and also in 0.98.2) I get the following compiling error: CC libclamav_la-fp_sqr_comba_8.lo CC libclamav_la-fp_sqr_comba_9.lo CC libclamav_la-fp_sqr_comba_generic.lo CC libclamav_la-fp_sqr_comba_small_set.lo CC libclamav_la-fp_sqrmod.lo CC libclamav_internal_utils_la-str.lo CC libclamav_internal_utils_la-crypto.lo CC libclamav_internal_utils_la-iowrap.lo CC libclamav_internal_utils_la-others_common.lo CC libclamav_internal_utils_la-qsort.lo CC libclamav_internal_utils_la-regcomp.lo CC libclamav_internal_utils_la-regerror.lo CC libclamav_internal_utils_la-regexec.lo CC libclamav_internal_utils_la-regfree.lo CCLD libclamav_internal_utils.la CCLD libclamav.la /usr/lib/libxml2.so: error adding symbols: File in wrong format collect2: error: ld returned 1 exit status Makefile:969: recipe for target 'libclamav.la' failed make[4]: *** [libclamav.la] Error 1 make[4]: Leaving directory '/j/development/clamav-0.98.3/libclamav' Makefile:3011: recipe for target 'all-recursive' failed make[3]: *** [all-recursive] Error 1 make[3]: Leaving directory '/j/development/clamav-0.98.3/libclamav' Makefile:893: recipe for target 'all' failed make[2]: *** [all] Error 2 make[2]: Leaving directory '/j/development/clamav-0.98.3/libclamav' Makefile:649: recipe for target 'all-recursive' failed make[1]: *** [all-recursive] Error 1 make[1]: Leaving directory '/j/development/clamav-0.98.3' Makefile:477: recipe for target 'all' failed make: *** [all] Error 2 Does anybody know how to get around this? I already recompiled libxml2 (v2.9.1) but the error persists. ClamAV v0.98.1 still compiles perfectly. Regards Alexander ___ Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/support/ml
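The thread above shows two linker behaviours: a library found through a `-l` search is skipped when its ELF class is wrong ("skipping incompatible"), while a library passed by absolute path fails the link outright ("File in wrong format"). The following is an added example, not code from the thread or from ClamAV: it reads the ELF class byte of each absolute-path library on a link command line and reports mismatches. The function names are hypothetical.

```shell
#!/bin/sh
# Added illustration: audit the libraries on a link line for 32/64-bit mismatches.

# elf_class FILE: print 32 or 64 from EI_CLASS (byte 4 of the ELF header),
# "not-elf" for anything else (for example a text linker script such as libc.so).
elf_class() {
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    [ "$magic" = "7f454c46" ] || { echo "not-elf"; return 1; }
    case $(od -An -tu1 -j4 -N1 "$1" 2>/dev/null | tr -d ' \n') in
        1) echo 32 ;;
        2) echo 64 ;;
        *) echo unknown; return 1 ;;
    esac
}

# audit_link_args WANT ARG...: WANT is 32 or 64; ARG... is the link command
# as printed by make with --disable-silent-rules. Only shared objects named by
# absolute path are checked, because those are the ones ld cannot skip.
audit_link_args() {
    want=$1; shift
    bad=0
    for arg in "$@"; do
        case $arg in
            /*.so|/*.so.*) ;;
            *) continue ;;
        esac
        [ -e "$arg" ] || continue
        got=$(elf_class "$arg") || true
        [ "$got" = "not-elf" ] && continue      # linker scripts are not ELF
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $arg is $got-bit, link wants $want-bit"
            bad=1
        fi
    done
    return $bad
}

# resolve_dash_l NAME WANT DIR...: mimic the -lNAME search, skipping
# incompatible files, and print the first library with the wanted class.
resolve_dash_l() {
    name=$1; want=$2; shift 2
    for dir in "$@"; do
        f="$dir/lib$name.so"
        [ -e "$f" ] || continue
        if [ "$(elf_class "$f" || true)" = "$want" ]; then
            echo "$f"
            return 0
        fi
        echo "skipping incompatible $f" >&2
    done
    return 1
}

# Stand-alone use: sh script.sh 64 gcc -m64 ... /usr/lib/libxml2.so -lz
if [ "$#" -gt 1 ]; then
    audit_link_args "$@"
fi
```
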
Re: [clamav-users] False Positive BC.Exploit.CVE_2010_0815.BC.Exploit.CVE_2010_0815
Thanks for the tip, Matt. I just uploaded both files. Thanks, Sasha On Jan 30, 2012, at 3:00 AM, clamav-users-requ...@lists.clamav.net wrote: From: Matt Watchinski mwatchin...@sourcefire.com Subject: Re: [clamav-users] False Positive BC.Exploit.CVE_2010_0815.BC.Exploit.CVE_2010_0815 Date: January 29, 2012 6:55:08 PM PST To: ClamAV users ML clamav-users@lists.clamav.net Reply-To: ClamAV users ML clamav-users@lists.clamav.net Have you uploaded the files that are being incorrectly detected here: http://www.clamav.net/lang/en/sendvirus/submit-fp/ ? Cheers, -matt On Sat, Jan 28, 2012 at 7:22 PM, Alexander Sasha Y. Avanesov spiritofdiscov...@gmail.com wrote: Hello, ClamAV falsely detects a BC.Exploit.CVE_2010_0815 in a .ppt file. I ran the file through VirusTotal and only ClamAV shows it as infected. I found a 2-year old message related to this issue: http://lurker.clamav.net/search/20380101.00.@ml:clamav-users,false,positive,bc.exploit.cve%5F2010%5F0815.en.html http://www.gossamer-threads.com/lists/clamav/users/48954 though it was never fully resolved. Alain Zidouemba reported he updated the detection for CVE_2010_0815, but Ewald Beekam reported he continued to have the problem. There was no response and I am also having this issue. Please advise on this. Thanks for your time and effort! Sincerely, Sasha P.S. I am running release 0.97.2 (using ClamXav), so I don't know if the 0.97.3 takes care of this or not, but given that this issue persisted for over 2 years, I doubt anything has been done. Any help with this would be greatly appreciated. P.P.S I also had a false positive on BC.Exploit.CVE_2010_3970 in Word document (that I created and which only had a numbered list of about 10 items), though VirusTotal reports the file is clean (aside from the ClamAV scan). After I copied the contents of an infected file into a new word document, the file is reported as clean, but I do wonder if this is another ClamAV issue that needs to be looked into. Thanks again for your help. 
___ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml -- Matthew Watchinski V.P. Vulnerability Research (VRT) Sourcefire, Inc. Office: 410-423-1928 http://vrt-blog.snort.org http://www.snort.org/vrt/
[clamav-users] False Positive BC.Exploit.CVE_2010_0815.BC.Exploit.CVE_2010_0815
Hello, ClamAV falsely detects a BC.Exploit.CVE_2010_0815 in a .ppt file. I ran the file through VirusTotal and only ClamAV shows it as infected. I found a 2-year old message related to this issue: http://lurker.clamav.net/search/20380101.00.@ml:clamav-users,false,positive,bc.exploit.cve%5F2010%5F0815.en.html http://www.gossamer-threads.com/lists/clamav/users/48954 though it was never fully resolved. Alain Zidouemba reported he updated the detection for CVE_2010_0815, but Ewald Beekam reported he continued to have the problem. There was no response and I am also having this issue. Please advise on this. Thanks for your time and effort! Sincerely, Sasha P.S. I am running release 0.97.2 (using ClamXav), so I don't know if the 0.97.3 takes care of this or not, but given that this issue persisted for over 2 years, I doubt anything has been done. Any help with this would be greatly appreciated. P.P.S I also had a false positive on BC.Exploit.CVE_2010_3970 in Word document (that I created and which only had a numbered list of about 10 items), though VirusTotal reports the file is clean (aside from the ClamAV scan). After I copied the contents of an infected file into a new word document, the file is reported as clean, but I do wonder if this is another ClamAV issue that needs to be looked into. Thanks again for your help. ___ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml
Re: [Clamav-users] Many Javascript false - positives
Arnaud Jacques wrote: At the moment, PUA should not be used in production environment. See FAQ (http://www.clamav.org/support/faq/) for details. Thank you for this advice. I just wondered that this problem only occurred since the last main.cvd - update, but we can change this. But I have another one, also without PUA ;-) http://www.beta.wetter.com/lib/js/1d7c7a52.js -- Trojan.Downloader.JS.Agent-2 This is also an ajax - jquery - lib from a popular, german - website. Best regards, Alex ___ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] OT: Sanesecurity Sigs: Important News
Ralf, I wrote a small script by myself - very simple. It seems to work now for months.

    #!/bin/sh
    cd /tmp
    # Unofficial Phishing rules for ClamAV
    wget -nd -m http://ftp.tiscali.nl/sanesecurity/phish.ndb.gz
    wget -nd -m http://ftp.tiscali.nl/sanesecurity/scam.ndb.gz
    cp phish.ndb.gz /var/lib/clamav/
    cp scam.ndb.gz /var/lib/clamav/
    cd /var/lib/clamav
    gunzip -f phish.ndb.gz
    gunzip -f scam.ndb.gz
    chown vscan:vscan phish.ndb
    chown vscan:vscan scam.ndb
    rcclamd restart

Run by root via crontab. Regards, Alexander ___ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://lurker.clamav.net/list/clamav-users.html
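The script in the message above unpacks each download straight over the live database, so a truncated transfer or an HTML error page saved as phish.ndb.gz would replace working signatures. The following is an added example, not part of the original post or of ClamAV: it stages the download, checks gzip integrity and the basic `Name:TargetType:Offset:HexSignature` record shape, and only then renames the file into place. The function names and the coarse structural check are assumptions for illustration.

```shell
#!/bin/sh
# Added illustration: validate a downloaded .ndb.gz before it replaces the live file.

# validate_ndb FILE: succeed only if the file is non-empty and every line has
# the shape Name:TargetType:Offset:HexSignature[:MinFL[:MaxFL]].
# This is a coarse structural check (an assumption of this example), not a
# full signature parser.
validate_ndb() {
    [ -s "$1" ] || return 1
    ! grep -Evq '^[^:]+:[0-9]+:[^:]+:[^:[:space:]]+(:[0-9]*){0,2}$' "$1"
}

# install_sigs DOWNLOADED.gz DBDIR NAME.ndb
# Unpacks into a hidden staging file inside DBDIR, validates it, then renames
# it over the old database. On any failure the old database is left untouched.
install_sigs() {
    gz=$1; dbdir=$2; name=$3
    stage=$(mktemp "$dbdir/.$name.XXXXXX") || return 1
    if gzip -t "$gz" 2>/dev/null \
        && gzip -dc "$gz" > "$stage" \
        && validate_ndb "$stage"
    then
        chmod 644 "$stage"                # readable by the scanner's user
        mv -f "$stage" "$dbdir/$name"     # rename within one directory is atomic
        return 0
    fi
    rm -f "$stage"
    return 1
}

# Stand-alone use: sh script.sh /tmp/phish.ndb.gz /var/lib/clamav phish.ndb
if [ "$#" -eq 3 ]; then
    install_sigs "$1" "$2" "$3"
fi
```

Restart or reload the scanning daemon only when `install_sigs` returns 0, so a failed update does not interrupt scanning.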
[Clamav-users] error stops clamd
Hello :-) Same here since 12:45h MESZ. After some tests this helped me to get all working again:

    sudo killall freshclam
    sudo rcclamd restart
    sudo rcapplication restart

And do NOT forget to comment your freshclam Updates in cron out. Hope this quick hack helps... ISC Handler Marteen told me just a few minutes ago: Last night the ClamAV project released a new main.cvd, which was about 9 megabytes in size. As many users are still using Clamav 0.8, which downloads this file in full, this causes high stress for a number of mirrors. As more users upgrade from 0.8 to 0.9, this problem will disappear with future updates. Version 0.9 only transfers the difference between CVDs instead of the files in full. Regards, Alexander ___ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://lurker.clamav.net/list/clamav-users.html
RE: [Clamav-users] LibclamAV - Very Slow
[EMAIL PROTECTED] wrote on : On 2006-09-27 14:27, Alexander Hagenah wrote: But they are as different speedy, I never expected. You're loading and unpacking the virus database each time. You see the same difference between clamscan and clamdscan. I see and found the fault in my code. But, can't I change it like I the signatures/database is loaded once into memory and after, I just call this instead? -- With kind regards Alexander Hagenah Technology top concepts Internetmarketing GmbH Am Steinkamp 7 - D-21684 Stade - Germany So that we can offer you the best possible service, please send your e-mail inquiries to [EMAIL PROTECTED] http://www.topconcepts.de Tel. +49 1805 9977 501* E-Mail: [EMAIL PROTECTED] Fax. +49 1805 9977 502* Commercial register: AG Tostedt HRB 100687 - VAT ID: DE 213645563 *) EUR 0,12/Min. (CNS24) ___ http://lurker.clamav.net/list/clamav-users.html
[Clamav-users] RAR module failure even with external unrar
I have just encountered a problem: clamscan --unrar works good only if archive has extension .rar This behavior was found on Debian sarge and on SUSE9.0: here follows some example: $ clamscan --unrar clam-error.rar /home/lel/tmp/clam-error.rar: RAR module failure UNRAR 3.30 freeware Copyright (c) 1993-2004 Eugene Roshal Extracting from /home/lel/tmp/clam-error.rar Extracting clam.exe OK All OK /tmp/clamav-ff80a84a8d55f11d/clam.exe: ClamAV-Test-File FOUND /home/lel/tmp/clam-error.rar: Infected Archive FOUND --- SCAN SUMMARY --- Known viruses: 31812 Scanned directories: 1 Scanned files: 2 Infected files: 1 Data scanned: 0.00 MB I/O buffer size: 131072 bytes Time: 0.749 sec (0 m 0 s) Everything OK sofar. Let's rename file: $ mv clam-error.rar 999 What we can get now: $ clamscan --unrar 999 /home/lel/tmp/999: RAR module failure --- SCAN SUMMARY --- Known viruses: 31812 Scanned directories: 0 Scanned files: 1 Infected files: 0 Data scanned: 0.00 MB I/O buffer size: 131072 bytes Time: 0.764 sec (0 m 0 s) ___ http://lurker.clamav.net/list/clamav-users.html
[Clamav-users] Re: RAR module failure even with external unrar
Alexander Lelyakin wrote: I have just encountered a problem: clamscan --unrar works good only if archive has extension .rar Following command: $ cat clam-error.rar | clamscan --unrar - also does not catch viruses ___ http://lurker.clamav.net/list/clamav-users.html
[Clamav-users] Re: RAR module failure even with external unrar
Pierluigi Di Lorenzo wrote: Following command: $ cat clam-error.rar | clamscan --unrar - try: $cat clam-error.rar | xargs clamscan --unrar And have You tried it yourself? Probably You mean: echo clam-error.rar | xargs clamscan --unrar But the problem is that clamscan cannot check rar archives from stdin, without first saving them to file (with .rar extension) For checking a rar file that has no .rar extension I have some very simple workaround that works for me (shell script):

    #!/bin/bash
    # If file(1) identifies the argument as RAR, scan it through a
    # temporary symlink whose name ends in .rar
    case `file "$1"` in
      *RAR*)
        tmp=tmp$$.rar
        ln -s "$1" "$tmp"
        file=$tmp;;
      *)
        file=$1;;
    esac
    clamscan --unrar "$file"
    # Remove the temporary symlink if one was created
    if [[ -n $tmp ]]; then
      rm "$tmp"
    fi

___ http://lurker.clamav.net/list/clamav-users.html
[Clamav-users] Segmentation fault (0.83)
Greetings, Clamd works correctly in foreground. /var/log/clamd.log ... +++ Started at Thu Mar 17 22:56:17 2005 clamd daemon 0.83 (OS: linux-gnu, ARCH: i386, CPU: i686) Log file size limited to 10485760 bytes. Verbose logging activated. Reading databases from /var/lib/clamav Protecting against 31635 viruses. Unix socket file /var/run/clamav/clamd Setting connection queue length to 30 Listening daemon: PID: 8378 Archive: Archived file size limit set to 10485760 bytes. Archive: Recursion level limit set to 8. Archive: Files limit set to 1000. Archive: Compression ratio limit set to 250. Archive support enabled. Archive: RAR support disabled. Portable Executable support enabled. Mail files support enabled. OLE2 support enabled. HTML support enabled. Self checking every 1800 seconds. No stats for Database check - forcing reload Reading databases from /var/lib/clamav Database correctly reloaded (31635 viruses) /var/spool/exim/scan/1DCA1i-0006yG-Fh/1DCA1i-0006yG-Fh.eml: Worm.SomeFool.P FOUND But in background mode: /var/log/clamd.log ... Archive: Recursion level limit set to 8. Archive: Files limit set to 1000. Archive: Compression ratio limit set to 250. Archive support enabled. Archive: RAR support disabled. Portable Executable support enabled. Mail files support enabled. OLE2 support enabled. HTML support enabled. Self checking every 1800 seconds. Segmentation fault :-( Bye.. Segmentation fault :-( Bye.. Segmentation fault :-( Bye.. Segmentation fault :-( Bye.. Segmentation fault :-( Bye.. Segmentation fault :-( Bye.. Segmentation fault :-( Bye.. Segmentation fault :-( Bye.. Segmentation fault :-( Bye.. Segmentation fault :-( Bye.. Which stops exim4 from receiving mail :-( Any idea? ___ http://lurker.clamav.net/list/clamav-users.html
[Clamav-users] clamav-milter-0.81e caused sendmail to stop accepting mails
Hi, i have sendmail server, the clamav-milter is running on a remote host. In sendmail.cf server i have clamav configured like this: Xclamav, S=inet:[EMAIL PROTECTED], T=C:1m;S:30s;R:30s;E:5m On the clamserver clamav-milter runs with following flags: -x 1 --external --config-file=/etc/clam/clamd.conf --quarantine-dir=/var/lib/clamav/viruses \ --max-children=10 -l -N -P -p [EMAIL PROTECTED] inet:[EMAIL PROTECTED] and connect clamd through LocalSocket Today on the second day since upgrade from clamav-0.80 to clamav-devel-20050131 the sendmail stopped accepting mails see below: mail -v piavka Subject: blah blah . Cc: piavka... Connecting to indigo.cs.bgu.ac.il. via nullclient... 220 indigo.cs.bgu.ac.il ESMTP Sendmail 8.13.1/8.13.1; Tue, 1 Feb 2005 15:06:08 +0200 (IST) EHLO piavlo.cs.bgu.ac.il 250-indigo.cs.bgu.ac.il Hello piavlo [132.72.41.95], pleased to meet you 250-ENHANCEDSTATUSCODES 250-PIPELINING 250-8BITMIME 250-SIZE 250-DSN 250-ETRN 250-DELIVERBY 250 HELP MAIL From:[EMAIL PROTECTED] SIZE=33 250 2.1.0 [EMAIL PROTECTED]... Sender ok RCPT To:[EMAIL PROTECTED] DATA 250 2.1.5 [EMAIL PROTECTED]... Recipient ok 354 Enter mail, end with . on a line by itself . 451 4.3.2 Please try again later piavka... Connecting to mx2.bgu.ac.il. via nullclient... in the sendmail log i get messages like this Feb 1 15:05:51 indigo sendmail[9926]: j11D5oFt009926: Milter: data, reject=451 4.3.2 Please try again later Feb 1 15:05:51 indigo sendmail[9926]: j11D5oFt009926: to=[EMAIL PROTECTED], delay=00:00:00, pri=88537, stat=Please try again later restarting the sendmail did not help but then i only restarted clamav-milter (the clamd was not restarted) the sendmail began to work ok i never had such problem before with previous clamav versions. Do you have any idea why would clamav-milter start behaving so? Thanks a lot ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] ERROR: Can't query current.cvd.clamav.net
On Sunday 30 January 2005 12:15 am, Marco van den Bovenkamp wrote: Stephen Gran wrote: This is indeed your problem. Probably the problem is that your DNS is not returning the text record, but returning host not found. Correct. The 'DNS server' (such as it is) in an Alcatel Speedtouch only resolves A records. Any other type returns host not found. I got bitten by it when running a mail server trying to resolve MX records. Will I still be able to download Signatures? Or will I need a new DNS server? If I do need a new DNS server is there one that I can trust. I could install it on my Linux box unfortunately my partner won't understand/cope with having to ensure that the Linux machine is running before accessing the internet and or printing. Thanks ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
[Clamav-users] clamav-milter won't start with my sendmail.cf
Hi, i've upgraded to clamav-0.81 but the clamav-milter complains that: clamav-milter: socket-addr (inet:[EMAIL PROTECTED]) doesn't agree with sendmail.cf and does not start. How can i disable this check?? My sendmail server is running on another hosts and connects to clamav-milter on 132.72.41.68:3310 and the sendmail.cf on 132.72.41.68 is used just as sendmail client to send mails and clamav virus notifies to the sendmail server, thus the above check is wrong for my setup pls help On Sun, 30 Jan 2005, Gary Weinfurther wrote: Sounds like the answer is no? Christoph Cordes wrote: Gary Weinfurther wrote: Does ClamAv protect against W32.Spybot.IVQ, a worm with Denial of Service and Back Door capabilities? This is not easy to answer - this Spybots/Mybots/Gaobots/Wootbots/SdBots come in many different flavours, packed and crypted with one or more runtimepackers. ClamAV is able to detect more than thousand variants - if it detects this one can only be told if we have a sample to test it. ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
[Clamav-users] clamav-milter won't start with my sendmail.cf
Hi, i've upgraded to clamav-0.81 but the clamav-milter complains that: clamav-milter: socket-addr (inet:[EMAIL PROTECTED]) doesn't agree with sendmail.cf and does not start. How can i disable this check?? My sendmail server is running on another hosts and connects to clamav-milter on 132.72.41.68:3310 and the sendmail.cf on 132.72.41.68 is used just as sendmail client to send mails and clamav virus notifies to the sendmail server, thus the above check is wrong for my setup pls help ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] clamav-milter won't start with my sendmail.cf
On Sun, 30 Jan 2005, Nigel Horne wrote: On Sunday 30 Jan 2005 14:19, Alexander Piavka wrote: Hi, i've upgraded to clamav-0.81 but the clamav-milter complains that: clamav-milter: socket-addr (inet:[EMAIL PROTECTED]) doesn't agree with sendmail.cf and does not start. 3310 is the port used to communicate from clamav-milter-clamd, it would not be wise to use the same port number from sendmail-clamav-milter in my setup clamav-milter-clamd communicate through LocalSocket, thus i use this port of convenience. Anyway changing the port does not solve the problem. Does someone know a way to skip the sendmail.cf check? Thanks ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] clamav-milter won't start with my sendmail.cf
On Sun, 30 Jan 2005, Nigel Horne wrote: On Sunday 30 Jan 2005 16:47, Alexander Piavka wrote: Does someone know a way to skip the sendmail.cf check Update to clamav-milter 0.81e The latest cvs version is 0.81d on the site (which i tried with no success ), or there is another repository i can down from? Thanks ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] problems compiling
On Thursday 20 Jan 2005 04:58, John Alexander wrote: Hi, gcc -DHAVE_CONFIG_H -I. -I. -I.. -I.. -I./zziplib -I./mspack -g -O2 -c mbox.c -Wp,-MD,.deps/mbox.TPlo -o mbox.o mbox.c:568: curl/curl.h: No such file or directory *** Error code 1 Try: make distclean configure --disable-libcurl your-other-options make John Alexander -Nigel well.. different issues now. I ran it with --disable-libcurl and got the same error. I ran it with --without-libcurl and got this .. please pardon the amount of stuff... mkdir .libs gcc -g -O2 -o clamscan output.o getopt.o memory.o cfgparser.o misc.o clamscan.o options.o others.o manager.o treewalk.o ../libclamav/.libs/libclamav.a -lz -lbz2 ../shared/output.c:83: Undefined symbol `_pthread_mutex_lock' referenced from text segment ../shared/output.c:90: Undefined symbol `_pthread_mutex_unlock' referenced from text segment //and more of the same// scanners.c:98: Undefined symbol `_pthread_mutex_unlock' referenced from text segment scanners.c:116: Undefined symbol `_pthread_cleanup_push' referenced from text segment scanners.c:117: Undefined symbol `_pthread_mutex_lock' referenced from text segment scanners.c:0: More undefined symbol _pthread_mutex_unlock refs follow scanners.c:254: Undefined symbol `_pthread_cleanup_pop' referenced from text segment mbox.c:776: Undefined symbol `_pthread_mutex_lock' referenced from text segment message.c:508: Undefined symbol `_pthread_mutex_lock' referenced from text segment collect2: ld returned 1 exit status *** Error code 1 Sorry.. but I'm pretty lost now. John Alexander This message was sent using IMP, the Internet Messaging Program. ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] problems compiling
Quoting Trog [EMAIL PROTECTED]:

On Thu, 2005-01-20 at 16:18, John Alexander wrote:

well.. different issues now. I ran it with --disable-libcurl and got the same error. I ran it with --without-libcurl and got this .. please pardon the amount of stuff...

mkdir .libs
gcc -g -O2 -o clamscan output.o getopt.o memory.o cfgparser.o misc.o clamscan.o options.o others.o manager.o treewalk.o ../libclamav/.libs/libclamav.a -lz -lbz2
../shared/output.c:83: Undefined symbol `_pthread_mutex_lock' referenced from text segment
../shared/output.c:90: Undefined symbol `_pthread_mutex_unlock' referenced from text segment

What platform are you on, and what was your full configure line?

-trog

I'm running OpenBSD 3.1

./configure --without-libcurl

John
Re: [Clamav-users] problems compiling
Quoting Trog [EMAIL PROTECTED]:

I'm running OpenBSD 3.1

./configure --without-libcurl

That's quite an old version. I don't have any OpenBSD. Looks like something is wrong with the build process, it's not trying to link in pthread support or a bunch of other libraries.

-trog

I've greatly desired to upgrade that box for some time, but for a number of reasons, can't. Do you have any ideas or recommendations?

John
Re: [Clamav-users] problems compiling
Quoting Nigel Horne [EMAIL PROTECTED]:

../shared/output.c:90: Undefined symbol `_pthread_mutex_unlock' referenced from text segment

Try configure --disable-pthreads

--

That seems to have done the trick. It built and installed. After I correctly edited freshclam.conf and clamd.conf all seems to be working properly.

My configure line was:

./configure --disable-pthreads --without-libcurl

Thanks much, Nigel.

John Alexander
[Clamav-users] problems compiling
Hi,

This evidently has been covered before, but I couldn't find a resolution. I'm running OpenBSD 3.1 and have ClamAV 0.60 - should have upgraded long ago... I can't get ClamAV 0.80 to compile with the following error:

gcc -DHAVE_CONFIG_H -I. -I. -I.. -I.. -I./zziplib -I./mspack -g -O2 -c mbox.c -Wp,-MD,.deps/mbox.TPlo -o mbox.o
mbox.c:568: curl/curl.h: No such file or directory
*** Error code 1
Stop in /var/downloads/clamav-0.80/libclamav.
*** Error code 1
Stop in /var/downloads/clamav-0.80 (line 351 of Makefile).
*** Error code 1
Stop in /var/downloads/clamav-0.80 (line 216 of Makefile).

Curl is installed in /usr/local/include/curl

Any thoughts or resolutions?

--
John Alexander
Re: [Clamav-users] clamuko - howto scan downloads while save them?
On Mon, Nov 08, 2004 at 05:32:10PM +0100, Alexander Stielau wrote:

Is it possible to use something like ClamukoScanOnWrite, or is there a logical mistake by myself?

I asked the dazuko developers, and it is *not* possible at this time to use ON_CLOSE events with 2.6.X kernels:

http://savannah.nongnu.org/support/?func=detailitemitem_id=103547

So I switched back to 2.4.27, and now I get an ON_CLOSE event from dazuko/clamuko via clamd in the syslog when I try to cp a test file from the source distribution to a clamuko-scanned directory, but no action against it:

zwiebelfisch:/tmp# cp /usr/src/clamav-0.80/test/clam.exe /tmp/
zwiebelfisch:/tmp# ls -la /tmp/clam.exe
-rw-r--r-- 1 root root 544 Nov 10 17:54 /tmp/clam.exe
zwiebelfisch:/tmp# tail -1 /var/log/syslog
Nov 10 17:47:22 zwiebelfisch clamd[26600]: Clamuko: /tmp/clam.exe: ClamAV-Test-File FOUND

So I got only a logging action on ScanOnClose; with ScanOnOpen I get 'real' actions. I need actions (e.g. do not bind the inode to the directory structure information before the filehandle is unlocked or something like that) also for ScanOnClose.

Aleks
[Clamav-users] clamuko - howto scan downloads while save them?
my setup:

Debian/sid
vendor-kernel 2.6.8-1-k7
dazuko-module 2.0.4 (vanilla, debian-package is very old)
clamav 0.80 (vanilla, because the debian-package clamav-daemon 0.80-2 seems not to use the clamuko/dazuko-interface:

Nov 8 16:59:47 taurus2 clamd[2814]: Clamuko is not available.

clamav-daemon starting looks good:

,
| Nov 8 17:12:00 taurus2 clamd[12713]: Daemon started.
| Nov 8 17:12:00 taurus2 clamd[12713]: clamd daemon 0.80 (OS: linux-gnu, ARCH: i386, CPU: i686)
| Nov 8 17:12:00 taurus2 clamd[12713]: Log file size limit disabled.
| Nov 8 17:12:00 taurus2 clamd[12713]: Running as user clamav (UID 106, GID 106)
| Nov 8 17:12:00 taurus2 clamd[12713]: Reading databases from /var/lib/clamav/
| Nov 8 17:12:00 taurus2 clamd[12713]: Protecting against 26367 viruses.
| Nov 8 17:12:00 taurus2 clamd[12714]: Unix socket file /var/run/clamav/clamd.ctl
| Nov 8 17:12:00 taurus2 clamd[12714]: Setting connection queue length to 15
| Nov 8 17:12:00 taurus2 clamd[12714]: Archive: Archived file size limit set to 62914560 bytes.
| Nov 8 17:12:00 taurus2 clamd[12714]: Archive: Recursion level limit set to 5.
| Nov 8 17:12:00 taurus2 clamd[12714]: Archive: Files limit set to 1000.
| Nov 8 17:12:00 taurus2 clamd[12714]: Archive: Compression ratio limit set to 250.
| Nov 8 17:12:00 taurus2 clamd[12714]: Archive support enabled.
| Nov 8 17:12:00 taurus2 clamd[12714]: Archive: RAR support disabled.
| Nov 8 17:12:00 taurus2 clamd[12714]: Archive: Blocking archives that exceed limits.
| Nov 8 17:12:00 taurus2 clamd[12714]: Portable Executable support enabled.
| Nov 8 17:12:00 taurus2 clamd[12714]: Detection of broken executables enabled.
| Nov 8 17:12:00 taurus2 clamd[12714]: Mail files support enabled.
| Nov 8 17:12:00 taurus2 clamd[12714]: OLE2 support enabled.
| Nov 8 17:12:00 taurus2 clamd[12714]: HTML support enabled.
| Nov 8 17:12:00 taurus2 clamd[12714]: Self checking every 3600 seconds.
| Nov 8 17:12:00 taurus2 kernel: dazuko: linux_dazuko_device_open() [12715]
| Nov 8 17:12:00 taurus2 kernel: dazuko: linux_dazuko_device_read() [12715]
| Nov 8 17:12:00 taurus2 kernel: dazuko: dazuko_register_daemon() [0]
| Nov 8 17:12:00 taurus2 kernel: dazuko: slot[0] assigned to daemon 5
| Nov 8 17:12:00 taurus2 clamd[12714]: Clamuko: Correctly registered with Dazuko.
| Nov 8 17:12:00 taurus2 clamd[12714]: Clamuko: Scan-on-open mode activated.
| Nov 8 17:12:00 taurus2 clamd[12714]: Clamuko: Scan-on-close mode activated.
| Nov 8 17:12:00 taurus2 clamd[12714]: Clamuko: Scan-on-exec mode activated.
| Nov 8 17:12:00 taurus2 kernel: dazuko: adding incl /
| Nov 8 17:12:00 taurus2 clamd[12714]: Clamuko: Included path /
| Nov 8 17:12:00 taurus2 kernel: dazuko: adding excl /proc
| Nov 8 17:12:00 taurus2 clamd[12714]: Clamuko: Excluded path /proc
| Nov 8 17:12:00 taurus2 clamd[12714]: Clamuko: Max file size limited to 5242880 bytes.
| Nov 8 17:13:10 taurus2 clamd[12714]: Clamuko: /tmp/foo/clam.cab: ClamAV-Test-File FOUND
`

,[ /etc/clamav/clamd.conf ]
| ClamukoScanOnAccess
| ClamukoIncludePath /
| ClamukoExcludePath /proc
| ClamukoScanOnLine
| ClamukoScanOnOpen
| ClamukoScanOnClose
| ClamukoScanOnExec
| ClamukoMaxFileSize 0
| ClamukoScanArchive
`

And, finally, it works (mostly):

,
| taurus2:/tmp/foo# cp /usr/share/clamav-testfiles/clam.zip /tmp/
| cp: ,,/usr/share/clamav-testfiles/clam.zip kann nicht zum Lesen geöffnet werden: Die Operation ist nicht erlaubt
|
| Nov 8 17:18:18 taurus2 clamd[12714]: Clamuko: /usr/share/clamav-testfiles/clam.zip: ClamAV-Test-File FOUND
`

eh, changing to LANG=C... sorry.

But it is possible to download 'infected' files, and write them to disk:

,
| taurus2:/tmp/foo# wget http://oerks.de/tmp/clam.cab
| --17:19:27-- http://oerks.de/tmp/clam.cab
| => `clam.cab'
| Resolving oerks.de... 212.42.230.8
| Connecting to oerks.de[212.42.230.8]:80... connected.
| HTTP request sent, awaiting response... 200 OK
| Length: 621 [text/plain]
|
| 100%[=] 621 --.--K/s
|
| 17:19:27 (5.92 MB/s) - `clam.cab' saved [621/621]
`

,
| taurus2:/tmp/foo# cp clam.cab /tmp/
| cp: cannot open `clam.cab' for reading: Operation not permitted
|
| BUT:
|
| taurus2:/tmp/foo# mv clam.cab /tmp/
| taurus2:/tmp/foo#
`

Is it possible to use something like ClamukoScanOnWrite, or is there a logical mistake by myself?

Aleks
[Clamav-users] manipulated and encrypted zip files
Hello all,

I tested my clamd version 0.80-1, which I use on my mail server, with manipulated zip files, as I read some warnings in some news regarding this issue. Clamd didn't find the virus in a zip file where the zip file information is manipulated. The global information in this zip file about the size of the file was set to 0 bytes.

Furthermore, clamd didn't find the virus in an encrypted zip file. I saw the option in the config to block encrypted archives but this didn't work either.

Does anybody have experience with this? I hope the developers will have a look into these issues soon.

Thanks for any help!

Cheers,
Alexander
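One way to notice the two conditions reported in the message above, as an added example that is not part of the original post and is not ClamAV code: it compares each member's central-directory sizes with the local header and with the bytes actually inflated, and flags members marked as encrypted. The function names, the 1 MiB inflate cap and the two sample archives are assumptions constructed for illustration.

```python
import io
import struct
import zipfile
import zlib

MAX_INFLATE = 1 << 20  # assumed cap on bytes inflated per member


def audit_zip(data: bytes) -> list:
    """Return (member, finding) pairs for a ZIP archive held in memory."""
    findings = []
    eocd = data.rfind(b"PK\x05\x06")  # end-of-central-directory record
    if eocd < 0:
        return [("<archive>", "no end-of-central-directory record")]
    total, _cd_size, pos = struct.unpack_from("<HII", data, eocd + 10)
    for _ in range(total):
        if data[pos:pos + 4] != b"PK\x01\x02":
            findings.append(("<archive>", "central directory truncated"))
            break
        (flags, method, _t, _d, _crc, c_csize, c_usize, nlen, xlen, clen,
         _disk, _ia, _ea, lho) = struct.unpack_from("<4H3I5H2I", data, pos + 8)
        name = data[pos + 46:pos + 46 + nlen].decode("cp437")
        pos += 46 + nlen + xlen + clen
        if flags & 0x1:  # general-purpose bit 0: member is encrypted
            findings.append((name, "encrypted member, content not inspected"))
            continue
        if data[lho:lho + 4] != b"PK\x03\x04":
            findings.append((name, "local header missing"))
            continue
        l_flags, _m, _t, _d, _crc, l_csize, l_usize, l_nlen, l_xlen = \
            struct.unpack_from("<4H3I2H", data, lho + 6)
        # Bit 3: sizes live in a trailing data descriptor, so skip the compare.
        if not l_flags & 0x8 and (l_csize, l_usize) != (c_csize, c_usize):
            findings.append((name, "local and central sizes disagree"))
        start = lho + 30 + l_nlen + l_xlen
        raw = data[start:start + (l_csize or c_csize)]
        if method not in (0, 8):
            continue  # only stored and deflate are handled in this example
        try:
            actual = (len(zlib.decompressobj(-15).decompress(raw, MAX_INFLATE))
                      if method == 8 else len(raw))
        except zlib.error:
            findings.append((name, "deflate stream is corrupt"))
            continue
        if actual != c_usize:
            findings.append((name, f"declares {c_usize} bytes, holds {actual}"))
    return findings


def make_samples():
    """Constructed inputs: a clean archive and a copy declaring size 0."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("note.txt", "harmless sample text " * 20)
    clean = buf.getvalue()
    cd = clean.rfind(b"PK\x01\x02")  # single member, so this is its record
    tampered = clean[:cd + 24] + b"\x00" * 4 + clean[cd + 28:]
    return clean, tampered
```

A mail gateway could run such a check before the scanner and quarantine any archive that returns findings, rather than trusting the sizes the archive declares.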
[Clamav-users] freshclam on cobalt raq550
Hi,

I am trying to update the definitions, but I always get the error:

SECURITY WARNING: NO SUPPORT FOR DIGITAL SIGNATURES

I have installed the gmp-devel package but still the error...

Any ideas?

Alex
Re: [Clamav-users] OT: Virus page almost ready to go
On Wed, 2004-06-16 at 12:57, Alch wrote:

Hi All,

As promised, the virus stats page is almost ready to go. I'll clean up the code tomorrow or Thursday and release it GPL.

http://mail.limelyte.net/admin/virus/ for a preview.

Suggestions, critique, etc are welcomed.

Regards,
Rick

Thanks Rick this is great. I was looking for something like this to put on www.clamwin.com website. However my clamav install processes rather small volumes of email and catches less than 10 viruses a day on average. Would you mind if I include your page (http://mail.limelyte.net/admin/virus/) as an iframe on clamwin.com? Or alternatively if someone is willing to share statistics for even larger volumes that would be even better.

Cheers,
Alch

Hi Alch and Rick

You can check our stats for the current and previous days mail virii...

http://mail.dcsi.net.au/index.html

They don't look as pretty, but there's quite a few viruses caught with clam..

John
___
Clamav-users mailing list [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users
[Clamav-users] can not get clamav installed on Debian Woody on a PPC machine
hi,

trying to install clamav on a ppc running debian woody and I am running into problems. Configure gives me the following error:

Please install zlib and zlib-devel packages.

zlib is installed. I also tried apt-get and installed clamav but there is no clamd daemon present after install.

Thanks
AR
[Clamav-users] clamav-milter-0.71 queues virus notification mails instead of sending them
Hi,

clamav-milter works OK except for one thing: the virus notifications are not sent but stay in /var/spool/mqueue and I have to send them manually with '/usr/sbin/sendmail -qI'. When I go back to clamav-0.70 it works OK.

the flags are:

CLAMAV_FLAGS=--config-file=/etc/clam/clamav.conf --quarantine-dir=/var/lib/amavis/clamav/viruses --max-children=10 -f -N -P -p [EMAIL PROTECTED] inet:[EMAIL PROTECTED]

with clamav-0.70 I have:

May 24 12:09:48 ha-rs1 sendmail[7]: i4O99mZ7: from=amavis, size=409, class=0, nrcpts=1, msgid=[EMAIL PROTECTED], [EMAIL PROTECTED]
May 24 12:09:50 ha-rs1 sendmail[9]: i4O99mZ7: [EMAIL PROTECTED], ctladdr=amavis (15/106), delay=00:00:02, xdelay=00:00:02, mailer=nullclient, pri=30409, relay=indigo.cs.bgu.ac.il. [132.72.42.23], dsn=2.0.0, stat=Sent (i4O99lxB006213 Message accepted for delivery)

with clamav-0.71:

May 24 12:31:12 ha-rs2 sendmail[4989]: i4O9VC904989: from=amavis, size=416, class=0, nrcpts=1, msgid=[EMAIL PROTECTED], [EMAIL PROTECTED]
May 24 12:31:12 ha-rs2 sendmail[4989]: i4O9VC904989: [EMAIL PROTECTED], delay=00:00:00, mailer=nullclient, pri=30416, stat=queued

and when I run '/usr/sbin/sendmail -qI' I get:

May 24 12:32:10 ha-rs2 sendmail[5018]: i4O9VC904989: [EMAIL PROTECTED], delay=00:00:58, xdelay=00:00:02, mailer=nullclient, pri=120416, relay=indigo.cs.bgu.ac.il. [132.72.42.23], dsn=2.0.0, stat=Sent (i4O9W9iQ012489 Message accepted for delivery)

Why is it that only with clamav-0.71 the message gets queued, while all other mails are sent OK?

ps. if it matters, I use rpms maintained by Bill Randle on mandrake9.1 for both clamav 0.70 and 0.71

Thanks.
[Clamav-users] many files in /var/lib/clamav created on the same day
Hi,

I'm running mandrake9.1 and have the following rpms installed:

libclamav1-0.66-0.20031204.1mdk
clamav-0.66-0.20031204.1mdk
clamd-0.66-0.20031204.1mdk
clamav-db-0.66-0.20031204.1mdk
libclamav1-devel-0.66-0.20031204.1mdk
clamav-milter-0.66-0.20031204.1mdk

Today I found that over just one night many directories with mostly email text files were created in /var/lib/clamav, which took about 700M. This has never happened before; what could be the cause of this?

0336627833969047/ 2af2095321235b73/ 5c3ef507d5c5efc6/ 8457b40ee1792a22/ bd5dabbf44020ad3/ daily.cvd
085b21e84059d9b3/ 303a659157f18301/ 5fa73c8b73bb6867/ 84622e91d0e49068/ c08079e274465dbe df4bfa0fa22f315d/
092c251d0d96496d/ 3d092bbaabe4a60d/ 637edebca0cb377c/ 85774786e12e829f/ cb8f1fa11b3e04a2/ eeb002563b1180e4/
0d97566bd3afb14e/ 45d4d76bda0e5ffb/ 6d3266f6ef310aa9/ a1519d4f7a57cbdc/ clamd.socket= f1c8333948b66647/
10ee20f3d522354d/ 50202f10fe5ad4be/ 6fd188a041673a49/ a2d5c8767f7e2309/ d36040d5db8a1348/ f5c8dce7a9af9546/
18cedd25c73cdf28/ 58916d995e603cbc/ 71d5f35c1017f136/ a86a69fb67cdd00b/ d6c74b624e0b0fb7/ main.cvd
28eea215bf4820f6/ 5bbec38cf37d40aa/ 7e310e8730db63ac/ bbd6932712de9c63/ d74d177a6a0f8fc6/ mirrors.txt

Thanks
[Clamav-users] clamav-milter problems
Hi,

the clamav-milter does not want to send a virus message to the recipient, or any kind of notification, in spite of my telling it not to block virus emails and to deliver them to the user. I use the flags

CLAMAV_FLAGS=--config-file=/etc/clam/clamav.conf --quarantine-dir=/var/lib/clamav/viruses --max-children=10 -f -p [EMAIL PROTECTED] inet:[EMAIL PROTECTED]

Is this a bug?

Thanks
[Clamav-users] Re: clamav-milter problems
Hi,

the clamav-milter does not want to send a virus message to the recipient, or any kind of notification, in spite of my telling it not to block virus emails and to deliver them to the user. I use the flags

CLAMAV_FLAGS=--config-file=/etc/clam/clamav.conf --quarantine-dir=/var/lib/clamav/viruses --max-children=10 -f -p [EMAIL PROTECTED] inet:[EMAIL PROTECTED]

Is this a bug?

Thanks

ps. what I want is just to add the X-Virus-Scanned header, and in procmail I'll just look at it: if X-Virus-Scanned says the mail is a virus, it will put it in a different mailbox. But virus emails never reach the recipient no matter which options I use.

pls help
[Clamav-users] long startup time with recent clamav snapshots?
Hi,

I've been successfully running a clamav devel-20031128 snapshot on my OpenBSD 3.3 box to scan mail via smtp-vilter for quite some time now (it's a bit low-end hardware, K6/233).

I tried twice to upgrade to newer snapshots (specifically, clamav-devel-20031204 and clamav-devel-20040127), but somehow clamd as well as freshclam need an incredibly long time for startup with extremely high CPU usage (didn't wait for the end, I killed both after about 5 minutes). Nothing like this happens with the 20031128 snapshot. (I tried clamd with a backup of the old cvd files after the newer freshclam failed to fetch new ones.)

Anyone noticed something similar?

Alex.