Re: [clamav-users] parallel processes fail at startup when clamd is running

2022-11-29 Thread G.W. Haywood via clamav-users

Hi there,

On Mon, 28 Nov 2022, JOHN URBAN via clamav-users wrote:


Doing a scan of the entire locally attached storage on Linux nodes,


Seems likely that this is just a resource exhaustion problem.


including /tmp and /var; ...


Probably a bad idea.  Recursion in /tmp?  Try it without these two,
then, er, maybe bisect.

FWIW I never scan the local filesystem.  If it's compromised, what's
the point?  If it isn't, what's the point?  That doesn't mean that I
won't scan local files of course - but that's different and I'd have
very specific reasons for doing it.

--

73,
Ged.
___

Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat


Re: [clamav-users] parallel processes fail at startup when clamd is running

2022-11-28 Thread G.W. Haywood via clamav-users

Hi there,

On Mon, 28 Nov 2022, JOHN URBAN via clamav-users wrote:


We are experiencing a large number of MPI jobs failing indicating
the fabric is unavailable when the scans are running. Early in the
investigation so not sure if locking, timing, response time or other
factors are involved, but I wanted to ask a quick general question to
see if this is a known issue with easy answers. If not, we will post
more detailed information as it is determined.


More information would probably help.  Please could you clarify why in
your subject you write "when clamd is running", yet in the message you
write "when the scans are running"?  Even if it's running, clamd might
not be scanning anything but if it's loaded the official signatures it
will still probably be using a gigabyte or so of RAM, while it's doing
nothing but wait for a client connection.

MPI doesn't figure large in the ClamAV mailing list archives, and MPI
together with ClamAV was equally unrewarding.  The old ClamAV Bugzilla
seems to be broken (at least for searches) and the Cisco/Talos ClamAV
Github issues

https://github.com/Cisco-Talos/clamav/search?q=MPI&type=

gave me no results.  The closest I could get in my searching was [*]:

https://marc.info/?l=clamav-users&m=128309131408757&w=2

I found it by grepping my local mail archive directory, then perusing
my favourite mail archiver.  It's a very old post but even so it might
be helpful.

What are you actually doing with ClamAV?

[*] Sorry for those who don't care for the MARC archive, but it seems
that Pipermail goes back only as far as February 2014. :/

--

73,
Ged.


Re: [clamav-users] Scanned files count

2022-11-28 Thread G.W. Haywood via clamav-users

Hi there,

On Sun, 27 Nov 2022, Jorge Elissalde via clamav-users wrote:


Is there a way to get the count of scanned files for a "SCAN folder"
command?


The question lacks context, but maybe something like this instead?

find /path/ -type f | xargs -I'{}' clamdscan '{}'

--

73,
Ged.


Re: [clamav-users] Socket closed after command

2022-11-26 Thread G.W. Haywood via clamav-users

Hi there,

On Sat, 26 Nov 2022, Jorge Elissalde via clamav-users wrote:


...  I cannot send CONTSCAN command using IDSESSION.  After scanning
the file using CONTSCAN command clamd closes the socket. The same
happens for any command not using IDSESSION.


That's correct.


Why does clamd close the socket?


It's tidier than leaving it open and doing nothing with it.  I don't
remember anyone asking this question before.  AFAIK it's always been
this way.


Is there another way to do that?


I'm not sure that I understand the question.  Is it a problem to open
a connection to clamd?


Changing clamd.conf is not a solution, I need both options available
(archives scanning and not archives scanning).


Sometimes I run several copies of clamd, all using different configs
and of course listening to different sockets.  Might that be an option
for you?

--

73,
Ged.
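An added example for the two threads above ("Scanned files count" and "Socket closed after command"); it is not code from either poster or from the ClamAV project. Per-file SCAN commands inside one IDSESSION give the per-file count that a single "SCAN folder" command does not report, and a bare SCAN shows the hang-up that the second thread describes. The wire details ('z' prefix, NUL terminators, "id: " reply prefixes inside a session) follow the clamd(8) man page; fake_clamd, its file-name-based verdicts and the scratch files are constructed so the example runs with no daemon, and against a real daemon you would connect to clamd's LocalSocket or TCP port instead of the socketpair.

```python
import os
import socket
import tempfile
import threading


class ClamdConn:
    """One connection to clamd, speaking 'z' (NUL-terminated) commands."""

    def __init__(self, sock):
        self.sock, self.buf = sock, b""

    def send(self, command):
        self.sock.sendall(b"z" + command.encode() + b"\0")

    def reply(self):
        while b"\0" not in self.buf:
            chunk = self.sock.recv(4096)
            if not chunk:  # peer hung up, as clamd does after a bare SCAN
                raise ConnectionError("clamd closed the connection")
            self.buf += chunk
        line, _, self.buf = self.buf.partition(b"\0")
        return line.decode()


def parse_session_reply(line):
    """'<id>: <path>: <verdict>' -> (id, path, 'OK' | 'FOUND' | 'ERROR')."""
    ident, _, rest = line.partition(": ")
    path, _, verdict = rest.rpartition(": ")
    return int(ident), path, verdict.rsplit(" ", 1)[-1]


def scan_files_in_session(conn, paths):
    """One SCAN per file inside IDSESSION: the tally is the per-file count
    that a single 'SCAN folder' command never reports."""
    conn.send("IDSESSION")
    tally = {"OK": 0, "FOUND": 0, "ERROR": 0}
    for path in paths:
        conn.send("SCAN " + path)  # SCAN is allowed in a session; CONTSCAN is not
        tally[parse_session_reply(conn.reply())[2]] += 1
    conn.send("END")
    return tally


def fake_clamd(sock):
    """Constructed stand-in so the example runs offline.  Verdicts are faked
    from the file name; the hang-up rule is the one the thread describes:
    any command sent outside an IDSESSION ends the connection."""
    buf, in_session, ident = b"", False, 0
    while chunk := sock.recv(4096):
        buf += chunk
        while b"\0" in buf:
            raw, _, buf = buf.partition(b"\0")
            cmd = raw.decode()[1:]  # drop the 'z' prefix
            if cmd == "IDSESSION":
                in_session = True
                continue
            if cmd == "END":
                return sock.close()
            ident += 1
            path = cmd.partition(" ")[2]
            if not os.path.isfile(path):
                verdict = "Can't access file ERROR"
            elif "eicar" in os.path.basename(path).lower():
                verdict = "Eicar-Test-Signature FOUND"  # faked by name only
            else:
                verdict = "OK"
            prefix = "%d: " % ident if in_session else ""
            sock.sendall(("%s%s: %s" % (prefix, path, verdict)).encode() + b"\0")
            if not in_session:  # one-shot command: the daemon closes the socket
                return sock.close()


def fresh_conn():
    """Client end of a socketpair with the fake daemon on the other end."""
    client, daemon = socket.socketpair()
    threading.Thread(target=fake_clamd, args=(daemon,), daemon=True).start()
    return ClamdConn(client)


def demo():
    """Scratch files scanned both ways; returns (tally, second_command_ok)."""
    with tempfile.TemporaryDirectory() as work:
        paths = [os.path.join(work, n) for n in ("a.txt", "b.txt", "eicar.com")]
        for p in paths:
            open(p, "w").close()
        paths.append(os.path.join(work, "missing.bin"))  # never created
        tally = scan_files_in_session(fresh_conn(), paths)

        conn = fresh_conn()
        conn.send("SCAN " + paths[0])
        conn.reply()  # the one reply arrives, then the daemon hangs up
        try:
            conn.send("SCAN " + paths[1])  # second command on the same socket
            conn.reply()
            second_ok = True
        except ConnectionError:
            second_ok = False
    return tally, second_ok
```

With a real clamd the paths must be absolute and readable by the daemon's user, which is also the usual cause of the "Can't access file ERROR" verdict.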


Re: [clamav-users] Database update error

2022-11-24 Thread G.W. Haywood via clamav-users

Hi there,

On Thu, 24 Nov 2022, Carlos Andres Oviedo Guerra wrote:


I've installed clamav on my computer, but the database update
failed, when I tried to reach the database update URL I got this error
message.


As Mr. Giese mentioned, you need to use freshclam (or, exceptionally, cvdupdate)
to update the signature database.  You also need to be using a recent version of
ClamAV, old versions are blocked.  What version of ClamAV are you using, and how
did you try to update the database?


Is there a chance to know why the CDN is banning me?  Could my IP be blacklisted
somewhere?


Probably not.


[image: freshclamav_error_Nov24.PNG]


Mailing list messages may be sent to many thousands of recipients.
Please send plain text rather than images.

--

73,
Ged.


Re: [clamav-users] PUA - Category List, invalid URL in config sample! Packer Category?

2022-11-20 Thread G.W. Haywood via clamav-users

Hi there,

On Sat, 19 Nov 2022, Andy Schmidt via clamav-users wrote:


Unfortunately, while specifying "Win.Packer" or even "PUA.Win.Packer" will 
APPEAR to work, the program logic in ExcludePUA is completely faulty (almost arbitrary).

Yes, it WILL exclude those two - but the problem is, it will exclude GENERICALLY EVERYTHING ELSE 
(e.g., ALL "Win" or  ALL "PUA") - in which case you might as well turn off the 
entire PUA feature!

I finally remembered that I had been down this exact rabbit hole years ago - 
and found this bug report:
https://bugzilla.clamav.net/show_bug.cgi?id=12632#c5

It seems the entire PUA feature is a step-child - by now, not even the config 
sample and documentation are current. Maybe it's time to pull the plug on it, if 
no one is taking ownership of making it work?

(Yes, I realize the answer is to just "contribute" the fixes myself - but that 
assumes that every ClamAV user is also a C++ programmer, which I am not.)


The problem in the currently released code is that a 'category' turns
out to be only the second piece of a string made up of potentially
several dot-separated pieces.  It needs more granularity.

Try replacing the function cli_chkpua() in .../libclamav/readdb.c with this:

8<--
static int cli_chkpua(const char *signame, const char *pua_cats, unsigned int options)
{
    // 2022.11.20 == GWH ==  "Categories" are dot-separated strings.
    // The string in the 'pua_cats' argument contains the PUA "categories"
    // which are to be (depending on the configuration) included or excluded.
    // The category name in 'cat' is to be the string between the first and
    // last dots in the signature string held in the 'signame' argument.
    // We will extract the category thus defined from the string in 'signame'
    // and then look for this category within the string in 'pua_cats'.
    char cat[32], *cat_pt, *pt1, *pt2, *endsig;
    const char *sig;
    int ret;

    cli_dbgmsg("cli_chkpua: Checking signature [%s]\n", signame);

    if (strncmp(signame, "PUA.", 4)) {
        cli_dbgmsg("Skipping signature %s - no PUA prefix\n", signame);
        return 1;
    }
    sig = signame + 3; // points at the dot which follows "PUA"

    // pt1 points to the FIRST dot after that one in 'signame', if there is one.
    if (!(pt1 = strchr(sig + 1, '.'))) {
        cli_dbgmsg("Skipping signature %s - bad syntax\n", signame);
        return 1;
    }
    // pt2 points to the LAST dot in 'signame'.  If pt1 and pt2 happen to be
    // the same dot, there are only two dots in the signature.
    if ((pt2 = strrchr(sig + 1, '.')) != pt1) {
        cli_dbgmsg("Signature has at least three dots [%s]\n", signame);
    }
    if ((unsigned int)(pt1 - sig + 2) > sizeof(cat)) {
        cli_dbgmsg("Skipping signature %s - too long category name, length approaching %u characters\n",
                   signame, (unsigned int)(pt1 - sig + 2));
        return 1;
    }
    if ((unsigned int)(pt2 - sig + 2) > sizeof(cat)) {
        cli_dbgmsg("Skipping signature %s - too long category name, length approaching %u characters\n",
                   signame, (unsigned int)(pt2 - sig + 2));
        return 1;
    }

    // Put in 'cat' the string between the first and last dots in 'sig',
    // including the dots, then find out whether 'cat' exists in 'pua_cats'.
    endsig = strrchr(sig, '.');
    strncpy(cat, sig, strlen(sig) - strlen(endsig) + 1);
    cat[strlen(sig) - strlen(endsig) + 1] = 0;
    cat_pt = strstr(pua_cats, cat);

    cli_dbgmsg("cli_chkpua:    cat=[%s]\n", cat);
    cli_dbgmsg("cli_chkpua:    sig=[%s]\n", sig);

    if (options & CL_DB_PUA_INCLUDE)
        ret = cat_pt ? 0 : 1;
    else
        ret = cat_pt ? 1 : 0;

    if (ret)
        cli_dbgmsg("Skipping PUA signature %s - excluded category %s\n", signame, cat);

    return ret;
}
8<---
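
To make the difference concrete, here is an added Python model (not code from the thread or from libclamav) of the category extraction before and after the patch above, run over constructed signature names. It assumes the ExcludePUA list reaches cli_chkpua() as the flat ".Cat1.Cat2." string that the strstr() lookup implies, and it also shows one limitation the patch keeps: strstr() still matches a category that straddles the boundary between two adjacent entries of that list.

```python
def released_category(signame):
    """Category as the released cli_chkpua() sees it: only the piece between
    the first two dots, so 'PUA.Win.Packer.Foo' yields '.Win.'."""
    if not signame.startswith("PUA."):
        return None
    sig = signame[3:]  # keep the dot in front of the category
    nxt = sig.find(".", 1)
    return None if nxt < 0 else sig[:nxt + 1]


def patched_category(signame):
    """Category as the patch above extracts it: from the dot after 'PUA' up to
    and including the last dot, so 'PUA.Win.Packer.Foo' yields '.Win.Packer.'."""
    if not signame.startswith("PUA."):
        return None
    sig = signame[3:]
    if sig.find(".", 1) < 0:
        return None
    return sig[:sig.rfind(".") + 1]


def pua_cats_string(categories):
    """The flat '.Cat1.Cat2.' list handed to libclamav (assumed here from the
    strstr() lookup in cli_chkpua(); constructed, not taken from the source)."""
    return "." + ".".join(categories) + "."


def skipped(signame, exclude, extract):
    """True when ExcludePUA drops the signature; mirrors the strstr() test."""
    cat = extract(signame)
    return cat is not None and cat in pua_cats_string(exclude)


def compare(signatures, exclude):
    """Map each signature to (skipped by released code, skipped by the patch)."""
    return {s: (skipped(s, exclude, released_category),
                skipped(s, exclude, patched_category)) for s in signatures}


SAMPLE_SIGS = [  # constructed names in the PUA.<Category>.<Name> style
    "PUA.Win.Packer.Upx-1",
    "PUA.Win.Tool.Foo-2",
    "PUA.Andr.Adware.Bar-3",
    "PUA.Packer.Andr.Cross-5",  # category straddles two adjacent entries
    "Win.Trojan.NotPua-4",
]
```

With ExcludePUA set to "Win.Packer" and "Andr.Adware", the released code drops every Win and every Andr signature, the patch drops only Win.Packer and Andr.Adware, and both drop the straddling Packer.Andr name.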

Re: [clamav-users] On Access Scanning Configuration

2022-11-16 Thread G.W. Haywood via clamav-users

Hi there,

On Wed, 16 Nov 2022, Nikola Nikolić via clamav-users wrote:


...
Nov 16 02:25:33 ubuntu systemd[1]: Started Clam AntiVirus userspace daemon.
Nov 16 02:25:33 ubuntu clamd[2266]: ERROR: Can't save PID to file /var/run/clam
Nov 16 02:25:33 ubuntu systemd[1]: clamav-daemon.service: Main process exited,


Good error message report, thanks. :)

That looks like a simple one.  You need to make sure that the clamd
daemon can write its PID file to the place where it's configured to
write it.  That might not be the only issue that you'll come across
but we'll cross those bridges if we come to them.

How did you install ClamAV?  I'd have expected this stuff should all
be taken care of for you by the package installation process.

--

73,
Ged.


Re: [clamav-users] On Access Scanning Configuration

2022-11-16 Thread G.W. Haywood via clamav-users

Hi there,

On Wed, 16 Nov 2022, Nikola Nikolić via clamav-users wrote:

Wed, 16 Nov 2022, G.W. Haywood via clamav-users wrote:

On Wed, 16 Nov 2022, Nikola Nikolić via clamav-users wrote:


I’m trying to set up OnAccessScanning on my VM but I’m running into a
lot of problems.

Every time I do “sudo clamonacc” I get next:

ERROR: ClamClient: Could not connect to clamd, Couldn't connect to server
ERROR: Clamonacc: daemon is local, but a connection could not be established


Before we deep-dive into your configuration and scripting, can you
confirm that the clamd daemon is actually running?


How can I provide that information, if you can lead me with instructions?


You'll probably need to do some more reading.  Quite a lot, I'm afraid.
There are very many ways to do what I asked.  Below are three.  It's a
cut-n-paste from a 'bash' shell session on my clamd server.  In case
your mail reader has done something helpful with it, there are three
commands (on the lines which begin with a '$' symbol), and six lines
of command output making nine lines in total between the ASCII art
'cut' marks.  The output from the second and third commands is shown
in nice neat columns:

8<--
$ pidof clamd
745
$ ps aux | grep clam
clamav     723  0.0  0.1   63316    6844 ?        Ss   Nov04   0:44 /usr/local/bin/freshclam -d --config-file=/etc/mail/clamav/freshclam.conf
clamav     745  0.2 32.9 1636312 1293948 ?        Dsl  Nov04  35:54 /usr/local/sbin/clamd --config-file=/etc/mail/clamav/clamd_tcp3.conf
root      1265  0.0  0.0    7344     552 pts/2    S+   11:38   0:00 grep clam
$ top -b -n 1 | grep clam
  723 clamav    20   0   63316   6844   6112 S   0.0   0.2   0:44.72 freshclam
  745 clamav    20   0 1636312   1.2g   5720 S   0.0  32.9  35:53.17 clamd
8<--

You can see that the clamd process ID on this machine is 745 and the
process is using 1.2Gbytes of memory.  That's probably a bit more than
most clamd daemons will be using (the official signatures will use in
the region of a gigabyte, but I use many unofficial signatures).  The
same memory consumption is also reasonable for any 'clamscan' process,
but you probably won't want to run both clamd and clamscan at the same
time.  There's a tool called 'clamdscan' which does most of the work
that clamscan does.  Instead of doing the scan itself it uses clamd to
do the bulk of the work.  For a system running a single clamd daemon,
you should budget at least four gigabytes of memory.  You can get away
with less, but to do that safely you'll need to be a lot more familiar
with your systems than you are at the moment.

Just to be clear, when the 'clamonacc' tool decides that something
needs to be scanned, it uses the 'clamd' daemon to do the actual
scanning.  The clamd daemon takes a while to start because it has to
read, check and compile something approaching ten million signatures,
and then it runs indefinitely on the system just waiting for another
process to connect to it to tell it what to do.  Because the clamd
process is already running, the process which tells it what to do
doesn't have to wait a long time for clamd to start up.  That would
impose an unacceptable performance penalty.  Again just to be clear,
I'm not saying that the performance penalty that you will pay in any
case with "scan on access" will be acceptable to you.  Only you can
know that, in the light of your experiences when you try it.

The output from the commands I showed above is terse, but there's a
lot of information in the output and you'll become familiar with it
all eventually.  With some practice, quite soon you'll absorb it at a
glance; what takes minutes (even hours) now will soon sometimes take
only seconds.

There's online documentation for ClamAV at

https://docs.clamav.net/

but that requires Internet access of course.  On most Linux systems
you can learn a lot, quickly, just by using the 'man' command.  The
name is short for 'manual' and what you get when for example you type

man top

is the "man page" for the 'top' command.  The 'grep' command is one
you'll want to learn about early in your linux career:

man grep

Apart obviously from getting the tools and documentation onto your
machine in the first place, after installation all use of the 'man'
command is entirely local to your machine and no Internet access is
needed to read the documentation.  There are 'man' pages for all the
ClamAV tools.  Although they're a work in progress and the odd error
or omission still surfaces, generally they're pretty good.  If you
don't have the 'man' command or the "man pages" you should be able to
install t

Re: [clamav-users] On Access Scanning Configuration

2022-11-16 Thread G.W. Haywood via clamav-users

Hi there,

On Wed, 16 Nov 2022, Nikola Nikolić via clamav-users wrote:


*I’m trying to set up OnAccessScanning on my VM but I’m running into a lot of
problems.*

*Every time I do “sudo clamonacc” I get next:*

*ERROR: ClamClient: Could not connect to clamd, Couldn't connect to server*

*ERROR: Clamonacc: daemon is local, but a connection could not be
established*


Before we deep-dive into your configuration and scripting, can you
confirm that the clamd daemon is actually running?

--

73,
Ged.


Re: [clamav-users] Can't access file ERROR - clamdscan - 0.103.7-1

2022-11-07 Thread G.W. Haywood via clamav-users

Hello again,

On Mon, 7 Nov 2022, An Schall via clamav-users wrote:


the command we are using is:

sudo -H clamdscan -v -c /etc/clamd.d/scan.conf --multiscan --fdpass


Try it without '--fdpass'.  What do you mean the '-H' to do for you?

[Micah, I've just noticed that '-c file' doesn't appear in the 'man'
page for clamd.conf but '--config-file=file' does.  I *think* I've
mentioned it before but I don't have time to check right now.  The
short version does work instead of the long one, I guess you know.]


We do see the errors in /var/log/clamdscan.log as defined in the
configuration file /etc/clamd.d/scan.conf (see below). The exact error
messages are as follows:

Mon Nov  7 13:50:21 2022 -> 
/data/av-buffer/tmpFilesArchives/clamav-0.103.6-1.fc36/usr/bin/clamconf: Can't 
access file ERROR
Mon Nov  7 13:50:21 2022 -> 
/data/av-buffer/tmpFilesArchives/clamav-0.103.6-1.fc36/usr/bin/clamdscan: Can't 
access file ERROR
Mon Nov  7 13:50:21 2022 -> 
/data/av-buffer/tmpFilesArchives/clamav-0.103.6-1.fc36/usr/bin/clamconf: Can't 
access file ERROR
Mon Nov  7 13:50:21 2022 -> 
/data/av-buffer/tmpFilesArchives/clamav-0.103.6-1.fc36/usr/bin/clamdscan: Can't 
access file ERROR
Mon Nov  7 13:50:21 2022 -> 
/data/av-buffer/tmpFilesArchives/clamav-0.103.6-1.fc36/usr/bin/clamdtop: Can't 
access file ERROR


Can you confirm that the above log extract shows exactly five lines of
the log?  This is to allow tracking exactly what code in the source
actually wrote those log lines.  From my reading of the source code I
would not expect to see 'newline' characters between the filename and
the text of the message "Can't access ..." but you seem to have them
in your mail.


Basically, all the files that we try to scan are triggering the above
error. For some files though the scan gives an "OK" and not the above
error message. However, we fail to see any system / correlation for
which files the scans fail and for which the scans are successful. It
seems rather random.


Which do you mean:

(1) it's random whether scanning any particular file will cause the
error message or not  or

(2) scanning some files does not cause the error message, and scanning
these same files never causes the error message; scanning other files
always causes the error message; but you see no common factors which
link (or differentiate) the two sets of files?


Below you can find the output of clamconf -n:
...


Can you explain how you came to be using all the non-default numbers?
Some of them look very optimistic to me.


MaxThreads = "30"


This is on the high side, I believe the default is 10.


MaxQueue = "200"


Ditto, default 100.


ExcludePath = ".*\.nc$", ".*\.bin$", ".*\.xml$", ".*\.hdf$", ".*\.h5$"


This might deserve closer inspection than I can give it but I don't
think it's relevant to the issue.


MaxDirectoryRecursion = "200"


Default 15.


FollowDirectorySymlinks = "yes"
FollowFileSymlinks = "yes"


Both default no.

Might be an issue if you're crossing filesystems.  Are you?


MaxScanTime = "120"


Twenty minutes; default 12 seconds.  It won't be your issue, but are
you sure you want to do that?


MaxScanSize = "4194304000"
MaxFileSize = "4194304000"


These numbers are wishful thinking.  The defaults are 100M and 25M
respectively.  ClamAV cannot yet handle files bigger than 2GB, that's
clear in the 'man' page for clamd.conf if you'd like to look at it.


MaxRecursion = "200"


Default 17.


MaxFiles = "500"


Default 1


MaxZipTypeRcg = "5242880"


Again see the 'man' page.  This applies also to

MaxThreads*MaxRecursion  +  MaxQueue  -  MaxThreads  +  6

which for your configuration I calculate to be

30 * 200 + 200 - 30 + 6 = 6176

which bodes ill if, as is likely, RLIMIT_NOFILE on your system is 1024.
Check it.


As mentioned earlier, for all the files that were failed to scan, we
tried to check access permissions, whether they exist, etc. pp. Those
are regular files with correctly configured ACLs. I also tried to run
clamdscan as root but it results in a similar problem.


You didn't answer my question about running clamd as root but I think
given the non-default lines in your config we're probably beyond that.


Interestingly, when first escalating privileges via "sudo su" and then
running clamdscan against a folder within the home directory of the
user from which the privileges were escalated (i.e. foo), we receive
the following error:

[root@epp-3o-w1 av-scans]# clamdscan -v -c /etc/clamd.d/scan.conf
/home/foo/test/
/home/foo/test: File path check failure: Permission denied. ERROR
/home/foo/test: File path check failure: Permission denied. ERROR

--- SCAN SUMMARY ---
Infected files: 0
Total errors: 2
Time: 0.000 sec (0 m 0 s)
Start Date: 2022:11:07 13:57:07
End Date:   2022:11:07 13:57:07

# ls -dlsa /home/foo/test/
0 drwxr-xr-x 2 foo sudo 292 Nov  3 10:35 /home/foo/test/


It seems odd to me that /home/foo/test/ is in group 'sudo'.  Or indeed
that anything in any user's home directory would be.  Looks to m

Re: [clamav-users] Can't access file ERROR - clamdscan - 0.103.7-1

2022-11-07 Thread G.W. Haywood via clamav-users

Hi there,

On Mon, 7 Nov 2022, An Schall via clamav-users wrote:


we do have 2 workstations running RHEL 8 and clamav / clamd using an
identical software stack / configuration. In particular we integrate
the clamav packages via the RHEL EPEL repos. So far we have been using
0.103.6-1.el8 without any issues. We have started upgrading to
0.103.7-1.el8 on one of the two workstations. Since then, when using
clamdscan, we receive the below issue:

Can't access file ERROR


Given your problem description I've had trouble understanding how you
might have come to see exactly this error, please tell us what you did
to get it and when and where you see the error (e.g. stderr, logfile).
If this is not the exact error please cut-and-paste it from the screen
or whatever you need to do to show the error *exactly*.

With any luck there'll be a log entry telling you which file caused
the problem.  Have you looked in the logs to see what (if anything) is
there?  It might be helpful to know the file's name, if it is a file
which cannot be accessed, and if not it may be helpful to know that
too.  It may be (see [*] below) you need to tweak your configuration
to write the logs.


We have been investigating the issue with respect to access control
related issues. However, even when using "root" as the clamdscan user
we receive the error.


Have you tried running the clamd daemon itself as root?


From an ACL perspective, we see no systematic cause for this issue.


Have you checked by downgrading to 0.103.6 that the error goes away?


We therefore want to check whether this error has been experienced
by others as well and thus may relate to a bug in version
0.103.7-1.el8 of clamdscan.


The latest version of 0.103.x was released a week ago.  Early days so
anything's possible.  I don't use security software packaged by distro
and I only scan mail, using clamd and my own milters, so I'm afraid I
can't help directly with that question.  However, since it went live
here on 1 November 2022 I can say that I've seen no unexpected issues
with clamd from ClamAV version 0.103.7 running on armv7l 64-bit; this
probably won't help you very much. :(


Below you can find the output of clamconf:


The output of 'clamconf -n' might be easier for us to digest.

[*] Are you sure that you've shown us the right configuration?

--

73,
Ged.


Re: [clamav-users] version numbers of updated libraries in 0.105.1-2

2022-11-02 Thread G.W. Haywood via clamav-users

Hi there,

On Wed, 2 Nov 2022, Anjana Patel via clamav-users wrote:


During the build process of 0.105.1-2 on a RHEL7 system (installing
from source) I noticed the following scroll up (I've only listed the
two that are relevant) :

Compiling jpeg-decoder v0.2.6
Compiling tiff v0.7.3

The email announcement said that the issues in the JPEG and TIFF
libraries were resolved in image-tiff version 0.7.4 and jpeg-decoder
version 0.3.0.  I have double-checked that I had downloaded the
correct tar file (clamav-0.105.1-2.tar.gz).  Should I be seeing the
later version numbers during the build?


Yes, I'd have thought so.

Micah says in his announcement that critical vulnerabilities exist in
the 'jpeg-decoder' and 'tiff' rust libraries which are bundled with
the source tarball for 0.105.1.  He further says that these have been
addressed in 0.105.1-2, and 1.0.0-rc.  I'm still unfamiliar with the
new build system but so far I've found no evidence that the packages
for the libraries in the tarballs have changed since 0.105.1:

8<--
$ diff -r -U3 clamav-0.105.1/libclamav_rust/.cargo/vendor/jpeg-decoder/ clamav-0.105.1-2/libclamav_rust/.cargo/vendor/jpeg-decoder/
$ diff -r -U3 clamav-0.105.1/libclamav_rust/.cargo/vendor/tiff/ clamav-0.105.1-2/libclamav_rust/.cargo/vendor/tiff/
$ diff -r -U3 clamav-0.105.1/libclamav_rust/.cargo/vendor/jpeg-decoder/ clamav-1.0.0-rc/libclamav_rust/.cargo/vendor/jpeg-decoder/
$ diff -r -U3 clamav-0.105.1/libclamav_rust/.cargo/vendor/tiff/ clamav-1.0.0-rc/libclamav_rust/.cargo/vendor/tiff/
$
8<--

Here's the change log for example for jpeg-decoder bundled in 0.105.1-2:

8<--
$ head clamav-0.105.1-2/libclamav_rust/.cargo/vendor/jpeg-decoder/CHANGELOG.md 
# Change Log

All notable changes to this project will be documented in this file.
This project adheres to [Semantic Versioning](http://semver.org/).

## v0.2.6 (2022-05-09)

- Another fix to allow usage in WASM target.
- Decoding in the WASM target is now actively tested in CI.

## v0.2.5 (2022-05-02)
8<--

As you can see it's still at 0.2.6.

Maybe we're missing something?

--

73,
Ged.


Re: [clamav-users] [Clamav-announce] New packages for ClamAV 0.103.7, 0.104.4, 0.105.1 to resolve CVE's

2022-11-02 Thread G.W. Haywood via clamav-users

Hi there,

On Tue, 1 Nov 2022, G.W. Haywood via clamav-users wrote:

On Tue, 1 Nov 2022, Micah Snyder (micasnyd) via clamav-users wrote:

On Tue, 1 Nov 2022, G.W. Haywood via clamav-users wrote:
> On Mon, 31 Oct 2022, Micah Snyder (micasnyd) wrote:
>
> > Today we are publishing updated packages for ClamAV 0.103.7 ...
>
> Maybe I've done something stupid...
>
> Nov  1 17:16:48 mail6 x3[3078]: 2A1HGPGJ007261: xm_clamav_scan( 2425): [74.121.52.251], [AS19795], Response from ClamAV daemon [ENGINE VERSION MISMATCH: devel-11aaa24dd != 0.103.7. ERROR]


It seems that your libclamav is from a different build than your clamd.


Yeah. :)  I don't know how, though.
...
Am I using the right tarball?

$ ls -l clamav-0.103.7.tar.gz
-rw-r--r-- 1 ged ged 16501741 Jul 26 22:54 clamav-0.103.7.tar.gz
$ md5sum clamav-0.103.7.tar.gz
9138e4678fabfb39bbe1844001ff4815  clamav-0.103.7.tar.gz

...
...  last time I built 0.103.x it was with autotools.  This time I
tried CMake which seemed to work ...
...
... if you can confirm that the tarball on the download page is
wrong that will be a good place to start.


FWIW the problem went away when I used autotools instead of CMake:

Nov  2 10:38:40 mail6 x3[3051]: 2A2AcRf6010225: xm_clamav_scan( 2425): [92.52.217.165], [AS208708], Response from ClamAV daemon [ClamAV 0.103.7/26708/Wed Nov  2 07:51:42 2022] ...

I still don't like the look of that tarball.

--

73,
Ged.


Re: [clamav-users] Malformed DB in daily-26708.cdiff?

2022-11-02 Thread G.W. Haywood via clamav-users

Hi there,

On Wed, 2 Nov 2022, Ben Argyle via clamav-users wrote:


I'll admit up front I'm running ClamAV v100.3 on RHEL 6.  This is
not my fault, but also nothing I can do anything about (the hosts
doing so are long-scheduled for decommissioning).  As such I don't
expect any help.  But I am interested if this is where I get another
string to my bow to tell the people who won't move off these hosts
that now they have no ClamAV protection from newer threats.


Maybe show them this blog post:

https://blog.clamav.net/2021/10/clamav-0100-end-of-life-today-and.html

which to me says theoretically they'd have had no ClamAV updates since
last October - but see below.


As of daily-26708.cdiff I get this on all of those hosts when running freshclam:

# freshclam
ClamAV update process started at Wed Nov  2 09:18:06 2022
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.100.3 Recommended version: 0.103.7
DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav
main.cld is up to date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
Downloading daily-26707.cdiff [100%]
Downloading daily-26708.cdiff [100%]
ERROR: During database load : WARNING: [LibClamAV] cli_hex2str(): Malformed hexstring: >>26#ib2#>512 (length: 13) [...] ERROR: Failed to load new database: Malformed database
WARNING: Database load exited with status 55
ERROR: Failed to load new database

Is this an incompatibility with v100.3, or an error in the cdiff?


Again, reading the EOL blog post I'm surprised that the CDN is even
allowing you to download the cdiff - are you using a local mirror with
an up-to-date freshclam or something like that?  But since you seem to
be downloading the cdiff OK, I very much doubt that there's anything
wrong with it.  Here's a log extract taken from a clamd server here,
downloading the same two cdiff files:

...
Tue Nov  1 23:14:11 2022 -> ClamAV update process started at Tue Nov  1 23:14:11 2022
Tue Nov  1 23:14:11 2022 -> daily database available for update (local version: 26706, remote version: 26707)
Tue Nov  1 23:14:17 2022 -> Testing database: '/EXPORTS/clamav/databases/tmp.6cba9d4577/clamav-afd6a8d4c872bc90643557b8ae8a87be.tmp-daily.cld' ...
Tue Nov  1 23:14:37 2022 -> Database test passed.
Tue Nov  1 23:14:38 2022 -> daily.cld updated (version: 26707, sigs: 2009761, f-level: 90, builder: cmarczewski)
Tue Nov  1 23:14:38 2022 -> main.cld database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
Tue Nov  1 23:14:38 2022 -> bytecode.cld database is up-to-date (version: 333, sigs: 92, f-level: 63, builder: awillia2)
Tue Nov  1 23:14:38 2022 -> Clamd successfully notified about the update.
...
Wed Nov  2 09:36:22 2022 -> ClamAV update process started at Wed Nov  2 09:36:22 2022
Wed Nov  2 09:36:23 2022 -> daily database available for update (local version: 26707, remote version: 26708)
Wed Nov  2 09:36:30 2022 -> Testing database: '/EXPORTS/clamav/databases/tmp.063d4c241f/clamav-13690daaba0c36fe94ca0c8f0baa091b.tmp-daily.cld' ...
Wed Nov  2 09:36:50 2022 -> Database test passed.
Wed Nov  2 09:36:51 2022 -> daily.cld updated (version: 26708, sigs: 2009776, f-level: 90, builder: raynman)
Wed Nov  2 09:36:51 2022 -> main.cld database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
Wed Nov  2 09:36:51 2022 -> bytecode.cld database is up-to-date (version: 333, sigs: 92, f-level: 63, builder: awillia2)
Wed Nov  2 09:36:51 2022 -> Clamd successfully notified about the update.
...

The server is running the 0.103.7 LTS release.

HTH

--

73,
Ged.
___

Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat


Re: [clamav-users] [Clamav-announce] New packages for ClamAV 0.103.7, 0.104.4, 0.105.1 to resolve CVE's

2022-11-01 Thread G.W. Haywood via clamav-users

Hi Micah,

On Tue, 1 Nov 2022, Micah Snyder (micasnyd) via clamav-users wrote:

On Tue, 1 Nov 2022, G.W. Haywood via clamav-users wrote:
> On Mon, 31 Oct 2022, Micah Snyder (micasnyd) wrote:
>
> > Today we are publishing updated packages for ClamAV 0.103.7 ...
>
> Maybe I've done something stupid...
>
> Nov  1 17:16:48 mail6 x3[3078]: 2A1HGPGJ007261: xm_clamav_scan( 2425): [74.121.52.251], [AS19795], Response from ClamAV daemon [ENGINE VERSION MISMATCH: devel-11aaa24dd != 0.103.7. ERROR]

It seems that your libclamav is from a different build than your clamd.


Yeah. :)  I don't know how, though.


The number on the right is the version number for clamd.  The
0.103.7 version is what I would expect.


Ack.


The number on the left is the version number for libclamav.  The
short-hash represents this git commit:
https://github.com/cisco-Talos/clamav/commit/11aaa24dd.  This is a
different version string, and even different commit hash, than I
would expect.


Agh.


The release materials for 0.103.7-2 were generated from our
rel/0.103 branch
https://github.com/Cisco-Talos/clamav/commits/rel/0.103 so I would
at least think that hash would be 416cd0b78.


Am I using the right tarball?

$ ls -l clamav-0.103.7.tar.gz 
-rw-r--r-- 1 ged ged 16501741 Jul 26 22:54 clamav-0.103.7.tar.gz
$ md5sum clamav-0.103.7.tar.gz 
9138e4678fabfb39bbe1844001ff4815  clamav-0.103.7.tar.gz


I grabbed it from the download page.  Your mail said the old versions
were hidden, but the date there looks wrong and it doesn't have the
suffix -2.  It's still the same on the download page as I write.


Of course, I would actually expect the version to be 0.103.7 for
both, and not have the hash.


The code in .../clamd/session.c is

    if (strcmp(engine_ver, clamd_ver)) {
        mdprintf(desc, "ENGINE VERSION MISMATCH: %s != %s. ERROR%c",
                 engine_ver, clamd_ver, term);
        return;
    }

so it's going to die anyway for *any* commit hash for engine_ver. :(


If I remember correctly, the version string showing a commit hash
means that clamav was built from within a Git clone directory,
rather than building from an un-tarred source tarball.  By chance
did you build and install libclamav from a git clone?


No, all from source.  I don't remember using git to build ClamAV at
any time.  There isn't even a git executable on the machine which is
running this clamd.  I think last time I built 0.103.x it was with
autotools.  This time I tried CMake which seemed to work and then it
all went pear-shaped at runtime.  Maybe that's another problem?  Or
maybe the main one?

It's an arm7 box, Raspberry Pi 4B.  I did try to build 0.105 on there
a few days earlier.  That failed, I posted the error at the time.

When I've got more time I'll dig into this but if you can confirm
that the tarball on the download page is wrong that will be a good
place to start.

--

73,
Ged.


Re: [clamav-users] [Clamav-announce] New packages for ClamAV 0.103.7, 0.104.4, 0.105.1 to resolve CVE's

2022-11-01 Thread G.W. Haywood via clamav-users

Hi there,

On Mon, 31 Oct 2022, Micah Snyder (micasnyd) wrote:


Today we are publishing updated packages for ClamAV 0.103.7 ...


Maybe I've done something stupid...

Nov  1 17:16:48 mail6 x3[3078]: 2A1HGPGJ007261: xm_clamav_scan( 2425): [74.121.52.251], [AS19795], Response from ClamAV daemon [ENGINE VERSION MISMATCH: devel-11aaa24dd != 0.103.7. ERROR]

Very pressed at the moment, all observations welcome.

--

73,
Ged.


Re: [clamav-users] Txt.Downloader.Generic-6298945-0 FOUND

2022-10-29 Thread G.W. Haywood via clamav-users

Hi there,

On Fri, 28 Oct 2022, Wally Spratz wrote:


...
Does anybody have any idea of what this Malware does


The clue is in the name: ".Generic-".

Mr. Varnell has shown you the signature.  As he pointed out it's one
which has been around for several years, so that's evidence that it's
not very prone to false positives; AFAICT it hasn't been mentioned on
the ClamAV Users' list until you brought it up.  If you look at the
strings in the decoded signature, you can probably agree that things
which contain them would be suspect.

If you'd like a second opinion you can always send a copy of the
offending file to Jotti and/or Virus Total:

https://virusscan.jotti.org/

https://www.virustotal.com/old-browsers/

My guess is you will find that at least half a dozen other scanners
complain about it.  They might give you more information, or at least
a bit more context.


and how it is acquired?


Given your description of where it was found, I'd guess by not being
careful in your browsing habits.  Bear in mind that the fact that it's
in your browser cache doesn't necessarily mean that anything on your
system is vulnerable to it, but all the same this isn't something that
you'd want to treat lightly.  If a site is hosting anything malicious,
even if it's something to which your system isn't vulnerable, it must
be considered dangerous because you can never know what else it might
be hosting to which your system *might* be vulnerable.  As you've said
"eventually it comes back" it is - just about - possible that there is
some persistent malware doing things when you aren't looking, but now
I'm getting into the weeds and I think the overwhelming probability is
that you are using some Website which has been compromised.  I'd take
anything like this as a warning that I need to be more careful about
the sites that I visit.  Maybe you can do a service to the community
by trying to find which site it is and alerting the owner, but the
vast majority of compromised Websites are run by hopeless cases and
you'd probably just be wasting your time.  Far better to avoid them,
and let them die a natural death.

I've never seen anything like this in my browser's cache directory but
(1) I'm cautious about Websites that I visit and (2) I never scan it.

--

73,
Ged.


Re: [clamav-users] freshclam-sleep doesn't exist in epel8 packages

2022-10-28 Thread G.W. Haywood via clamav-users

Hi there,

On Fri, 28 Oct 2022, khodor barakat via clamav-users wrote:


...
the redhat 8 package is missing the following :

/etc/cron.d/clamav-update
/usr/share/clamav/freshclam-sleep

is this a normal behavior ?


I think you should ask Red Hat.  They don't exist in the official source.

--

73,
Ged.


Re: [clamav-users] [Clamav-announce] ClamAV 1.0.0 release candidate now available

2022-10-28 Thread G.W. Haywood via clamav-users

Hi there,

On Tue, 25 Oct 2022, Micah Snyder (micasnyd) wrote:


Please help us validate this release by providing feedback via the ClamAV 
mailing list...


~/clamav-1.0.0-rc/build $ cmake .. -D CMAKE_BUILD_TYPE=Release
...
...
~/clamav-1.0.0-rc/build $ cmake --build .
...
...
[ 42%] Built target lzma_sdk
[ 43%] Building clamav_rust in /home/ged/CLAMAV/clamav-1.0.0-rc/build with:  /usr/bin/cargo build --target arm-unknown-linux-gnueabihf --release --target-dir /home/ged/CLAMAV/clamav-1.0.0-rc/build
error: failed to load source for a dependency on `flate2`

Caused by:
  Unable to update registry `https://github.com/rust-lang/crates.io-index`

Caused by:
  failed to update replaced source registry `https://github.com/rust-lang/crates.io-index`

Caused by:
  failed to parse manifest at `/home/ged/CLAMAV/clamav-1.0.0-rc/libclamav_rust/.cargo/vendor/bumpalo/Cargo.toml`

Caused by:
  failed to parse the `edition` key

Caused by:
  supported edition values are `2015` or `2018`, but `2021` is unknown
make[2]: *** [libclamav_rust/CMakeFiles/clamav_rust_target.dir/build.make:2955: arm-unknown-linux-gnueabihf/release/libclamav_rust.a] Error 101
make[1]: *** [CMakeFiles/Makefile2:1610: libclamav_rust/CMakeFiles/clamav_rust_target.dir/all] Error 2
make: *** [Makefile:166: all] Error 2

This is on armv7, Debian Bullseye Linux.  Previously I built 0.103.x
and 0.104.x on this platform, but not 0.105.x, which apparently gave
the same problem when someone tried to build on Solaris last year:

https://www.mail-archive.com/clamav-users@lists.clamav.net/msg51870.html

Currently still running 0.103 in production.

--

73,
Ged.


Re: [clamav-users] i am not a killer psycho but unfortunately do you think some hackers edit both clamd.conf.exemple and freshclam.conf.exemple finally for keep their threat safe ?

2022-10-20 Thread G.W. Haywood via clamav-users

Hi there,

On Thu, 20 Oct 2022, Dorian ROSSE via clamav-users wrote:


i am not a killer psycho but unfortunately do you think some hackers
edit both clamd.conf.exemple and freshclam.conf.exemple finally to
keep their threat without problems?


I think that is most unlikely.  I would expect it to be ineffective
because it would be so easy to find the changes.


so if I have the true awareness, where can I find both files without bad typing?


In the official distributions:

https://www.clamav.net/downloads

You will see that you need to edit both files to remove (or alternatively
to comment out) a single line in each file.  The line to remove contains
the single word

Example

and you can either delete it entirely, or alternatively add a single
# character at the beginning of the line to comment it out, like this:

#Example

The files themselves probably[*] need to be named

clamd.conf

and

freshclam.conf

not

clamd.conf.example

and

freshclam.conf.example

You only need clamd.conf if you are using clamd of course.  The
command 'clamscan' does not use the settings in clamd.conf but the
command 'clamdscan' does use them, indirectly, because it uses clamd.

[*] Some distributions change the names of the configuration files, I
hope we don't need to worry about that here.

--

73,
Ged.


Re: [clamav-users] RE : i have often an error in the scan

2022-10-20 Thread G.W. Haywood via clamav-users

Hi there,

On Wed, 19 Oct 2022, Dorian ROSSE via clamav-users wrote:


This isn’t the same ask for advice now because finally I ask if I
may use your program by kind administrator,


Your English is not good enough to express your meaning clearly.  I do
not always understand your questions.

Although like many mailing lists the language used here is English,
perhaps it would help as suggested by Mr. Schmidt if you also write
your questions in your native language.

Please be careful if you plan to delete anything which you think has
been identified as a threat by ClamAV.  You can damage your system by
deleting the wrong things.

If you think that there is malicious software on a Windows system it
might be most effective and simplest for you to reinstall Windows.

--

73,
Ged.


Re: [clamav-users] i have often an error in the scan

2022-10-18 Thread G.W. Haywood via clamav-users

Hi there,

On Tue, 18 Oct 2022, Dorian ROSSE via clamav-users wrote:


I have often an error in the scan below on my Windows system:
LibClamAV Warning: crtmgr_rsa_verify: verification failed: fp_exptmod failed with 1
I don't understand why I get this error so often.
If this is a bad error, thank you in advance for repairing it.


The message would not normally mean that ClamAV is broken, but it's
possible; at present there are ongoing changes in this part of ClamAV.
The developers read this list and I would expect that they would tell
us if they knew that something was broken.  When ClamAV gives you that
message, it is telling you something about "signed" code.

Signed code was introduced by Microsoft many years ago:

https://blog.clamav.net/2013/02/authenticode-certificate-chain.html

Unfortunately I think it's fair to say that the signed code feature
has not been a great success:

https://arstechnica.com/information-technology/2022/10/how-a-microsoft-blunder-opened-millions-of-pcs-to-potent-malware-attacks/

I personally would ignore the ClamAV message, but you do need to know
that I use no Windows machines, and only very rarely scan filesystems;
I only scan mail.  If someone sent me some code in a mail message, it
would automatically, without the involvement of a human, be reported
to several anti-virus organizations and then be sent to the trash can.


Is it dangerous to use this option to pass the errors:

'--nocerts'


You need to make that judgement for yourself.  ClamAV can alert you to
something which it thinks isn't right.  Whether or not you then choose
to do anything about it is up to you.  Be aware that a *lot* of things
are "not right" in most computer systems, but that doesn't necessarily
mean that they are dangerous problems.  Forged signatures in drivers
and other code are a very well-known problem, but as you can see from
the article above, checks which use the proper methods of verification
do not necessarily protect you.  I'm afraid it's a minefield.


Thank you in advance for your smart answer,


May I suggest that you try to use a translation Website?  I have had
good results from this one, at least for a few languages:

https://www.deepl.com/en/translator

--

73,
Ged.


Re: [clamav-users] GCP Management

2022-10-17 Thread G.W. Haywood via clamav-users

Hi there,

On Mon, 17 Oct 2022, Jason Hamrick via clamav-users wrote:


I am receiving an error in the logs that I am being blocked until a
specified time this evening. I am not able to load any new files into the
unscanned bucket, they continue to error out.


It would be more helpful if instead of paraphrasing error messages you
could copy and paste them into your emails so that we can see exactly
what you see.


To perform a scan of a file, you simply upload the file to the unscanned
data bucket. Currently, I receive an error that I am blocked.


It seems to me that the supplier of your platform (presumably Google)
has done something creative and perhaps not entirely helpful.  Your
description doesn't resemble anything which I recognize as what I'd
call normal ClamAV usage.  Let me explain.

In what I'd call normal ClamAV usage you have a platform (some
computer with an operating system, for example Linux or Windows).

This platform has a filesystem which unsurprisingly contains files.

The operating system, through things like shells, scripts, crontabs
and other fun stuff lets you run commands.  One of the ways you can
run them is by typing the name of the command at the shell prompt.

Often the point of installing new software is to get new commands that
you can run.  Installing ClamAV amongst other things lets you run
commands like 'clamconf' and 'clamscan'.  When you run 'clamscan' you
tell it what you want to scan, usually by giving the pathname of a
file (or many files) to be scanned.  The scan then takes place, and
clamscan reports what it has found.  There's no copying of files to be
scanned into buckets or whatever, they're scanned 'in situ' - exactly
where they are.  If you're going to scan a lot of big files it's very
inefficient to have to copy them from place to place to do that but I
grant that the act of copying a file to this 'bucket' of yours might
not truly be copying the data - it might be something like linking.

Your description of the scanning process puzzles me, and so far you've
shown me no convincing evidence that the blocking that you're talking
about has anything at all to do with ClamAV but if you can let us have
detailed log messages we might after all find that's the case.

Apparently you have a shell prompt because you can get "command not
found" from it when you type a command.  Unfortunately you don't seem
to be able to run a fundamental utility of a ClamAV installation, the
one which tells you for example how ClamAV is configured.  Perhaps you
have what's called a 'restricted shell' which doesn't let you run any
old command just like that.  It would make some sort of sense.  Maybe
you can find out from the supplier.  If that's not the explanation the
command might just not be on the shell's default search path.  Not
being able to run it is a problem.  Maybe all you need to do is set an
environment variable, or give the full pathname so your shell can find
the command, but I can't believe your platform supplier has made that
omission by accident.


When I attempt to run that command in the cloud shell it reports back:
command not found.


I think the supplier of your platform is playing games.  I wonder if
in playing these games the requirements of the ClamAV GPLv2 licence
are being met:

https://en.wikipedia.org/wiki/GNU_General_Public_License#Version_2

Well we don't seem to be getting very far here.

To help you much more than this I think I'd need to know a lot more
about your platform than I really want to know but if you can let us
have those log messages we'll at least have somewhere to start from.

--

73,
Ged.


Re: [clamav-users] GCP Management

2022-10-17 Thread G.W. Haywood via clamav-users

Hello again,

On Mon, 17 Oct 2022, Jason Hamrick via clamav-users wrote:

On Mon, 17 Oct 2022, G.W. Haywood wrote:

 On Mon, 17 Oct 2022, Jason Hamrick wrote:


I was testing the scanner in my GCP project, however I seem to be unable to
upgrade and am being limited. Is there an updated package or any way to
update this within the GCP terminal shell?


What are the symptoms of "being limited"?


Yes that is correct, I used the GCP API to install the clamav using the
malware scanner service account exporter via the instructions.

Upon install I was able to scan a clean file and test an "infected" file.
When I went to do another file scan I was rate limited...


PLEASE: what are the symptoms of "being limited" or "rate limited"?

How exactly did you try to perform the scan?

[aside]
If your platform shares an IP address with many other users of the
same service you might well expect to be throttled by the CDN when you
try to update the ClamAV signature database, but this will only affect
your ability to download updated signatures, it won't affect scanning.
To avoid being throttled when you try to download signatures it might
be that you need to pay for an IP address of your own.  I have no idea
how that's arranged for your platform I'm afraid.  And I'm guessing.
Alternatively, maybe you could upload the signatures (or 'diff' files)
to your platform from some other system.  There are lots of ways of
skinning that particular cat.  Don't go off on these tangents until
you have better information to work with than my guesswork.
[/aside]

But again this does *not* prevent you from scanning things using any
signatures which you already have.

Can you run shell commands from some sort of pseudo-terminal?  If so
can you try running

clamconf -n

and let us see the output?  Amongst other things I would expect to see
in the output something about the state of your signature database.

Do you know where the signature database is stored?  Normally it's in
a single directory.  There should be a few files in it.  Three will be
called main, daily and bytecode, all with an extension 'cld' or 'cvd'.
If you have those you should be able to get ClamAV to scan with them.


and am no longer able to run a scan, I am assuming this is the CDN
settings as I am in GCP?


Don't assume things.  Find out.  Not being able to run a scan does not
tell us anything about being throttled by the CDN which distributes the
ClamAV signatures.


The version I am on is 0.103.6 as the log is suggesting I upgrade to the .7
Going through the documentation I was unable to find a method of upgrade or
a command to do this within the GCP Cloud Terminal.


I'm afraid I can't help you with that unless you can tell me more
about the facilities you have to install software on the platform.

What are you actually trying to achieve?

Please don't just say "scan things".  Put some flesh on the bones.

--

73,
Ged.
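An added example (not code from the post or from the ClamAV project) that does the check suggested above: it looks for main, daily and bytecode as .cld or .cvd in a database directory and reads the 512-byte header each of those files starts with, which is where the "version: 26708, sigs: 2009776, f-level: 90, builder: raynman" values in the freshclam log earlier on this page come from. The header bytes and the scratch database directory are constructed for the example.

```python
"""Inspect the main/daily/bytecode database files in a ClamAV database directory.

Added example, not from the mailing-list post or the ClamAV project.  Both
.cvd and .cld files begin with a 512-byte text header of colon-separated
fields:

    ClamAV-VDB:<build date>:<version>:<signatures>:<functionality level>:
    <MD5>:<digital signature>:<builder>:<build time>

The header bytes written by make_header() below are constructed.
"""
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, Optional

HEADER_LEN = 512
DB_NAMES = ("main", "daily", "bytecode")


@dataclass
class CvdHeader:
    filename: str
    build_date: str
    version: int
    sigs: int
    flevel: int
    builder: str


def parse_cvd_header(filename: str, raw: bytes) -> CvdHeader:
    """Decode the fixed 512-byte header; raise if it is not a ClamAV-VDB header."""
    if len(raw) < HEADER_LEN:
        raise ValueError(f"{filename}: shorter than the {HEADER_LEN}-byte header")
    # The header is padded to 512 bytes; dates use "23-14" rather than "23:14"
    # precisely so that ':' can be the field separator.
    text = raw[:HEADER_LEN].rstrip(b"\x00 ").decode("ascii", errors="replace")
    fields = text.split(":")
    if fields[0] != "ClamAV-VDB" or len(fields) < 8:
        raise ValueError(f"{filename}: not a ClamAV-VDB header")
    return CvdHeader(
        filename=filename,
        build_date=fields[1],
        version=int(fields[2]),
        sigs=int(fields[3]),
        flevel=int(fields[4]),
        builder=fields[7],
    )


def inspect_database_dir(dbdir: Path) -> Dict[str, Optional[CvdHeader]]:
    """Map main/daily/bytecode to a parsed header, or None if the file is absent.

    A .cld (what freshclam produces after applying cdiffs) is preferred over
    a .cvd of the same base name.
    """
    found: Dict[str, Optional[CvdHeader]] = {}
    for base in DB_NAMES:
        found[base] = None
        for ext in (".cld", ".cvd"):
            path = dbdir / (base + ext)
            if path.is_file():
                with path.open("rb") as fh:
                    found[base] = parse_cvd_header(path.name, fh.read(HEADER_LEN))
                break
    return found


def needs_newer_engine(header: CvdHeader, engine_flevel: int) -> bool:
    """True when the database asks for a higher functionality level than the engine has.

    libclamav warns and recommends an upgrade in that case.  An EOL engine may
    also choke on signature syntax it cannot parse, which this header check
    does not reveal.
    """
    return header.flevel > engine_flevel


def make_header(version: int, sigs: int, flevel: int, builder: str) -> bytes:
    """Build a constructed header with placeholder hash/signature fields."""
    body = ":".join(["ClamAV-VDB", "01 Nov 2022 23-14 -0400", str(version),
                     str(sigs), str(flevel), "0" * 32, "PLACEHOLDER-DSIG",
                     builder, "1667358851"])
    return body.encode("ascii").ljust(HEADER_LEN, b" ")


def demo() -> Dict[str, Optional[CvdHeader]]:
    """Write constructed daily.cld and main.cvd into a scratch dir and inspect it."""
    with tempfile.TemporaryDirectory() as tmp:
        dbdir = Path(tmp)
        (dbdir / "daily.cld").write_bytes(make_header(26707, 2009761, 90, "cmarczewski"))
        (dbdir / "main.cvd").write_bytes(make_header(62, 6647427, 90, "sigmgr"))
        return inspect_database_dir(dbdir)


if __name__ == "__main__":
    for base, hdr in demo().items():
        print(base, hdr)
```

Point `inspect_database_dir` at the real DatabaseDirectory from `clamconf -n` to see what the engine will actually load; `sigtool --info` prints the same header fields for a single file.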


Re: [clamav-users] GCP Management

2022-10-17 Thread G.W. Haywood via clamav-users

Hi there,

On Mon, 17 Oct 2022, Jason Hamrick via clamav-users wrote:


I was testing the scanner in my GCP project, however I seem to be unable to
upgrade and am being limited. Is there an updated package or any way to
update this within the GCP terminal shell?


I'm unfamiliar with GCP.  I take it you mean Google Cloud Platform but it
would be easier, at least for me, if your descriptions are more specific.

You've said "testing the scanner" but you haven't said which scanner.
Can we take it that it's ClamAV?  Are you using clamscan, clamd, etc.?

Again making assumptions, before we talk about updating ClamAV can you
tell us what version you're using now?

What are the symptoms of "being limited"?

--

73,
Ged.


Re: [clamav-users] on my microsoft windows with both edited freshclam.conf and clamd.conf unfortunately i can't update and i can't scan

2022-10-16 Thread G.W. Haywood via clamav-users

Hi there,

On Sun, 16 Oct 2022, Dorian ROSSE via clamav-users wrote:


on my microsoft windows with both edited freshclam.conf and clamd.conf
unfortunately i can't update and i can't scan ...


It looks like you did not do what is required at

https://docs.clamav.net/manual/Usage/Configuration.html#windows

In one of your configuration files (freshclam.conf) you still have the
"Example" line which the documentation tells you to remove, and in the
other (clamd.conf) it seems that you have replaced it with the text
"windows clamd enabled" which I'm sure the daemon will not understand.

In the first case this means that freshclam will not download
anything, which then means that clamscan will not work.

In the second case it means that the clamd daemon will not start.

You need to remove (delete) those two lines using an editor.

As a general rule when you install software, you need to do what the
documentation tells you to do exactly.  If you still have difficulty
after you have read this message, please run the command

clamconf -n

and post the output of that command here.  (I hope this command works
the same on Windows as it does on other operating systems, although I
have never personally tried it on Windows.)

--

73,
Ged.
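An added example (not code from this post, the clamd.conf.example thread above, or the ClamAV project) that performs the edit both posts describe: it comments out the single "Example" line, writes the result under the name without ".example", and reports lines the daemon will not accept, whether a still-live Example line or free text such as "windows clamd enabled" typed in its place. The directive-shape check is a heuristic assumption (ClamAV directives are single capitalised words such as LogFile), and the sample config text is constructed; `clamconf -n` remains the real test.

```python
"""Prepare clamd.conf / freshclam.conf from the shipped .example files.

Added example, not from the mailing-list posts or the ClamAV project.
The sample config text below is constructed for this example.
"""
import re
import tempfile
from pathlib import Path
from typing import List, Tuple

# The marker line the documentation tells you to remove or comment out.
EXAMPLE_LINE = re.compile(r"^\s*Example\s*$")
# Heuristic (assumed) shape of a ClamAV directive line: one capitalised word,
# then an optional value, e.g. "LogFile /var/log/clamav/clamd.log".
DIRECTIVE_LINE = re.compile(r"^\s*[A-Z][A-Za-z0-9]*(\s+\S.*)?\s*$")


def prepare_config(example_text: str) -> str:
    """Comment out the Example line; leave every other line untouched."""
    out = []
    for line in example_text.splitlines():
        if EXAMPLE_LINE.match(line):
            out.append("#" + line.strip())   # "Example" -> "#Example"
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def check_config(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, line, reason) for lines the daemon will not accept.

    Two failure modes from the threads: a live Example line (the file is
    rejected, so freshclam downloads nothing and clamd does not start), and
    free text such as 'windows clamd enabled' typed in its place.
    """
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if EXAMPLE_LINE.match(line):
            problems.append((n, line, "live Example line, file will be rejected"))
        elif not DIRECTIVE_LINE.match(line):
            problems.append((n, line, "not a 'Directive value' line"))
    return problems


def install_config(example_path: Path) -> Path:
    """Write clamd.conf.example -> clamd.conf (same directory) after verifying it."""
    if example_path.suffix != ".example":
        raise ValueError(f"{example_path}: expected a .example file")
    target = example_path.with_suffix("")        # strips only ".example"
    prepared = prepare_config(example_path.read_text())
    problems = check_config(prepared)
    if problems:
        raise ValueError(f"{target.name}: {problems}")
    target.write_text(prepared)
    return target


# Constructed stand-in for the top of a shipped clamd.conf.example.
SAMPLE_EXAMPLE = """\
##
## Example config file for the Clam AV daemon
##

# Comment or remove the line below.
Example

# Uncomment this option to enable logging.
LogFile /var/log/clamav/clamd.log
"""

# What one poster had written in place of the Example line (constructed).
SAMPLE_BAD = "windows clamd enabled\nLogFile /var/log/clamav/clamd.log\n"


def demo() -> str:
    """Run the whole procedure in a scratch directory; return the target file name."""
    with tempfile.TemporaryDirectory() as tmp:
        example = Path(tmp) / "clamd.conf.example"
        example.write_text(SAMPLE_EXAMPLE)
        return install_config(example).name


if __name__ == "__main__":
    print(demo())                          # clamd.conf
    for problem in check_config(SAMPLE_BAD):
        print(problem)
```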


Re: [clamav-users] ClamAV Action is not working on WHM/cPanel

2022-10-13 Thread G.W. Haywood via clamav-users

Hi there,

On Thu, 13 Oct 2022, Javier Camacho via clamav-users wrote:


Hi there, I am not sure if this is the correct channel to request help. We have
a dedicated WHM/cPanel server at Inmotion Hosting. We have been using ClamAV
for years and it is still working well to detect infected email and delete/move
it using a cronjob at cPanel level, but I am not sure since what version of
WHM/cPanel ClamAV stopped executing an action (delete or move infected
email). Inmotion Hosting support said that they cannot help us with a third-
party application, so I was wondering if somebody can point me in the right
direction for this problem. Thanks.


Well we can try. :)

There might be someone reading who is familiar with your setup.  I am
not, but I can say more or less what I'd expect to find in it.

ClamAV is a highly configurable toolkit.  It can be used in many ways,
so we need to know how you're using it.

Somewhere there must be something which hands data to ClamAV, so that
the scanner [*] can scan it according to your wishes (configurable),
report its findings, and perhaps perform some (also configurable)
actions such as, I understand in your case, deleting or moving files
if the scanner finds something unwelcome.

To track down the cause of your problem it will probably be necessary
to learn a great deal about the details of all this.  Things like the
names of the mail programs, how they are configured to send the data
to ClamAV and accept its replies, how the ClamAV scanner itself is
implemented (is it a daemon or not) and configured, whether or not you
are using a milter and if so how it is configured, and so on.  In all
cases it will be important to know the exact version numbers of the
software.  In the case of ClamAV for example some versions are past
End Of Life and can no longer be used to download signature updates.

The ClamAV toolkit provides a utility called 'clamconf' which will
display the (ClamAV only) configurations which you are using - but
only if the utility has been installed and you can run it.  At the
moment I don't even know if you have access to that utility.  If you
can try running

clamconf -n

at a command shell prompt we might learn something.  If it looks
useful please let us have the output cut-and-pasted into an email.

What other details can you supply?

[*] The scanner is usually a daemon, but it doesn't have to be.

--

73,
Ged.


Re: [clamav-users] Are there test results for ClamAV and which malware is supported

2022-10-06 Thread G.W. Haywood via clamav-users

Hi there,

On Thu, 6 Oct 2022, Julia - via clamav-users wrote:


I have a general question about ClamAV regarding how good ClamAV is.


It's a good question.  Most people seem not to ask it.


On the internet there are lots of tests of other well-known products but
I cannot find any for ClamAV.  So, are there any tests or reviews?


I'm slightly surprised you can't find any reviews.  I've seen a few
which I wasn't really looking for, and just now when I ran the search
"ClamAV review" there were at least dozens of hits, too many to count.

There are Wikipedia articles, for example

https://en.wikipedia.org/wiki/Comparison_of_antivirus_software

which might help your research.

For any individual ClamAV user the value of reviews is debatable for
several reasons.  For example there are many options in the ClamAV
configuration; a reviewer might choose options which are different
from those which you choose; a reviewer might have an axe to grind
which you don't; you might be interested in only particular kinds of
threats.  Every installation is different.  I only scan mail, I never
scan filesystems; others only scan filesystems and never mail.  Some
people run Windows boxes, I (usually) don't.

I'd say it's better to make your own assessment of the effectiveness
in real use.  You can find some of my own assessments in the mailing
list archives.


My second question is: which malware is in ClamAV's database, only
for Linux or also for Windows and Android, etc.?


Any and every kind of malware is a candidate for inclusion in the
'Official' ClamAV signature database.  ClamAV relies a great deal on
signatures; although it has other ways of detecting threats it can
never really be very much better than the signature database that it's
using but anyone can submit samples of malware to the ClamAV malware
team - indeed everyone is encouraged to do that.  There are numerous
what we call "third-party" signature databases, each of which has its
own set of guidelines.  Currently there are 81 files in our ClamAV
database and only three of them are the ClamAV 'official' files.


Is there a list where you can see all "supported" malware?


Be careful what you wish for, there are around ten million of them.

Most files in the signature databases are plain text, and most of them
have one signature per line.  Many of the lines contain the "name" of
the malware or threat or whatever it is.  They aren't all malware, and
the name won't mean very much, it's more or less just an identifier.
It isn't going to be very educational but you can just read them, or
you can for example run 'grep' on a file to count the numbers of some
words contained in it such as 'Win.' (not 'Windows'):

$ grep -a 'Win\.' daily.cld | wc -l
323501

Try also for example 'Pdf' and 'Doc'.

Naming of threats is a perennial problem, there are usually several
names for each threat, some of which are used by several anti-virus
vendors and some by only one or two.

Can you paint us a picture of your application?

--

73,
Ged.
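
The counting trick above, as an added example that is not part of the original message: a small Python tally over constructed lines in ClamAV's plain-text signature formats (.hdb, .ndb, .cdb, .ldb) that splits each name on the Platform.Category.Family-Id-Rev convention instead of grepping for a substring. The sample lines, hashes and names are constructed; the column layout of each format is assumed from the ClamAV signature documentation.

```python
from collections import Counter

# Constructed sample lines in ClamAV's plain-text signature formats. The
# hashes and names are hypothetical; none is copied from a real database.
SAMPLES = {
    # .hdb: MD5:FileSize:Name
    "hdb": """\
00000000000000000000000000000001:4096:Win.Trojan.Agent-1000001-0
00000000000000000000000000000002:2048:Pdf.Exploit.Agent-1000002-1
# comment lines are skipped by the loader
""",
    # .ndb: Name:TargetType:Offset:HexSignature
    "ndb": """\
Win.Keylogger.Agent-1000003-0:1:*:4d5a90000300
Doc.Dropper.Agent-1000004-0:2:*:d0cf11e0a1b11ae1
""",
    # .cdb: Name:ContainerType:ContainerSize:FileNameREGEX:... (container metadata)
    "cdb": """\
Sanesecurity.Foxhole.Zip_fs2087:CL_TYPE_ZIP:*:.*\\.docs?\\.exe$:*:*:*:*:*:*
""",
    # .ldb: Name;TargetDescription;LogicalExpression;Subsig0;Subsig1
    "ldb": """\
Win.Packed.Agent-1000005-0;Target:1;0&1;4d5a;50450000
""",
}

# Column (after splitting on ':' or ';') that carries the signature name.
NAME_COLUMN = {"hdb": 2, "hsb": 2, "mdb": 2, "msb": 2, "ndb": 0, "cdb": 0, "ldb": 0}


def signature_name(line, fmt):
    """Return the name on one database line, or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split(";" if fmt == "ldb" else ":")
    col = NAME_COLUMN[fmt]
    return fields[col] if len(fields) > col else None


def split_name(name):
    """Split 'Platform.Category.Family-Id-Rev' into (platform, category, family).

    clamd appends '.UNOFFICIAL' to names loaded from unsigned third-party files,
    so 'Sanesecurity.Foxhole.Zip_fs2087.UNOFFICIAL' is normalised first.
    """
    if name.endswith(".UNOFFICIAL"):
        name = name[: -len(".UNOFFICIAL")]
    parts = name.split("-", 1)[0].split(".", 2)   # drop '-Id-Rev', keep 3 parts
    return tuple(parts + [""] * (3 - len(parts)))


def tally(samples, level=0):
    """Count signatures by name component: level 0 = platform, 1 = category."""
    counts = Counter()
    for fmt, text in samples.items():
        for line in text.splitlines():
            name = signature_name(line, fmt)
            if name:
                counts[split_name(name)[level]] += 1
    return counts


if __name__ == "__main__":
    for platform, n in tally(SAMPLES).most_common():
        print(f"{n:8d}  {platform}")
```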


Re: [clamav-users] Log time in clamd logs

2022-10-03 Thread G.W. Haywood via clamav-users

Hi there,

On Mon, 3 Oct 2022, Jerome Teano via clamav-users wrote:


I need to enable time stamps for clamd logs. I already enabled log time to
yes in the scan.conf file but still, the clamd log files don't show time
stamp. Thank you.


The clamd daemon only reads its configuration when it starts.  One
explanation could be that you did not restart clamd after changing the
configuration.  Of course other explanations are possible, such as for
example that the clamd you're running isn't using the configuration
file that you have changed, or that the configuration is confused, or
broken, or that something else other than ClamAV is doing something
with the logs without your knowledge.

As you have mentioned 'scan.conf' I guess that this is Red Hat or some
similar Linux system, but you really ought to tell us.  There's more
than one way to write logs in a Linux system and you preferably need
to choose one and use it for most logging on the system.  Most of the
time the distribution packagers do that for you, but they seem to do a
lot of crazy things too, like renaming the configuration files.  People
usually use a file called 'clamd.conf'.  If you install from the source
instead of using the distribution's package manager to install ClamAV -
you really should have told us that too - that's what you'll be using.
This is complicated mostly because we don't know yet.  (Rant, about
package managers, and Red Hat in particular, ends. :)

If you run the command

clamconf -n

and let us see the output we might be able to help better.

--

73,
Ged.


Re: [clamav-users] PDF scan

2022-09-20 Thread G.W. Haywood via clamav-users

Hi there,

On Tue, 20 Sep 2022, Tsutomu Oyamada wrote:


I have a question about ClamAV 0.104.2 on IBM AIX7.3 system.


Version 0.104.2 is vintage January 2022.  You really should upgrade:

https://blog.clamav.net/


it takes about 8 seconds to scan PDF file(total 645 page).
(sample file is here: https://www.uinet.or.jp/LPBB0010-10.pdf)

# /opt/freeware/sbin/clamd -V
ClamAV 0.104.2/26663/Mon Sep 19 03:56:35 2022


In case it isn't obvious, the date there is that of the signature
database, not that of the scanning engine.


# clamdscan /home/test/LPBB0010-10.pdf
/home/test/LPBB0010-10.pdf: OK

--- SCAN SUMMARY ---
Infected files: 0
Time: 8.503 sec (0 m 8 s)
Start Date: 2022:09:19 08:38:50
End Date:   2022:09:19 08:38:58
...


I guess we're all in a hurry, but assuming that the file is not in
fact malicious, and that you've scanned nearly a megabyte for ten
million threats, then overall the numbers don't seem too bad to me.
Have you tried other scanners to compare their performance?


# cat /opt/freeware/etc/clamav/clamd.conf |egrep -v '^$|^#'


The output of 'clamconf -n' would be easier for us.


...
User root


It would be better to choose a non-root user if you can.


Could you tell me how to shorten the time?


First you should upgrade the scanner.  This *may* improve performance
but there are no miracles.

You haven't said anything about the signatures database - is it only
the 'official' ClamAV database, or do you have third-party signatures
in addition?

I'm going to assume that you aren't using some horribly slow network
access, and that file read times are small compared with scan times:
8<--
$ wget https://www.uinet.or.jp/LPBB0010-10.pdf
...
$ time cat LPBB0010-10.pdf  > /dev/null

real    0m0.035s
user    0m0.016s
sys     0m0.012s
8<--

You could always put more horsepower into the scanner and/or make sure
that the scanning machine isn't doing anything else at the same time,
for example move it to a dedicated box.  You could get someone else to
do the scans, so you don't have to. :)  You could be more choosy with
the scanning (for example you could scan for fewer threats; or scan
smaller quantities of data; or even choose the scanner and the type of
scan, possibly on a file-by-file basis; and you could use things like
MD5 digests to keep a database of things which you've already scanned
and that you're confident won't need to be scanned again).  You could
even scan while you're asleep in bed.  We do almost all those things.


From where do the PDF files come?


Do you have any control over their content?

How many of them are there?

Is there a lot of 'churn'?

What are the threats which concern you?

How often do you see malicious PDF files as we say 'in the wild'?

How often, in your experience, does ClamAV find one?

How often, in your experience, does ClamAV fail to find one?

--

73,
Ged.
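
The hash-keyed "already scanned" database mentioned above, as an added example that is not from the message or from the ClamAV project: the cache key includes the signature database version, so every database update invalidates the cached verdicts, and it uses SHA-256 rather than MD5 so a crafted collision cannot inherit another file's clean verdict. The stub scanner, file contents and database version numbers are constructed.

```python
import hashlib
import json
import os
import tempfile


class ScanCache:
    """Verdict cache keyed by file content hash *and* signature database version.

    Keying on the database version means a signature update invalidates the
    cache automatically: a file found clean yesterday is rescanned with today's
    signatures rather than inheriting yesterday's verdict.
    """

    def __init__(self, path=None):
        self.path = path
        self.entries = {}                      # "sha256:dbversion" -> verdict
        if path and os.path.exists(path):
            with open(path) as fh:
                self.entries = json.load(fh)

    @staticmethod
    def digest(path, chunk=1 << 20):
        # SHA-256 rather than MD5: with MD5 an attacker who can craft a
        # collision with a file already cached as clean would never be scanned.
        h = hashlib.sha256()
        with open(path, "rb") as fh:
            for block in iter(lambda: fh.read(chunk), b""):
                h.update(block)
        return h.hexdigest()

    def lookup(self, digest, dbversion):
        return self.entries.get(f"{digest}:{dbversion}")

    def record(self, digest, dbversion, verdict):
        self.entries[f"{digest}:{dbversion}"] = verdict

    def save(self):
        if self.path:
            tmp = self.path + ".tmp"
            with open(tmp, "w") as fh:
                json.dump(self.entries, fh)
            os.replace(tmp, self.path)         # atomic: never a half-written cache


def scan_with_cache(paths, dbversion, scanner, cache):
    """Scan each path unless its content was already found clean under this
    database version. scanner(path) returns 'OK' or 'FOUND <name>'.
    Returns {path: (verdict, 'cache' | 'scan')}."""
    results = {}
    for path in paths:
        digest = ScanCache.digest(path)
        hit = cache.lookup(digest, dbversion)
        if hit is not None:
            results[path] = (hit, "cache")
            continue
        verdict = scanner(path)
        if verdict == "OK":                    # only clean verdicts are remembered
            cache.record(digest, dbversion, verdict)
        results[path] = (verdict, "scan")
    return results


def demo():
    """Offline run with constructed files and a stub scanner standing in for
    e.g. clamdscan. Returns the number of real scans in three passes: first
    pass, repeat with the same database version, repeat after an update."""
    calls = []

    def stub_scanner(path):
        calls.append(path)
        return "FOUND Test.Stub-1" if path.endswith("bad.bin") else "OK"

    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "report.pdf")
        bad = os.path.join(tmp, "bad.bin")
        with open(good, "wb") as fh:
            fh.write(b"%PDF-1.4 constructed sample\n")
        with open(bad, "wb") as fh:
            fh.write(b"constructed sample flagged by the stub scanner\n")
        cache = ScanCache(os.path.join(tmp, "scancache.json"))
        counts = []
        # 26663 is the database version in the thread; 26664 is a hypothetical update
        for dbversion in ("26663", "26663", "26664"):
            before = len(calls)
            scan_with_cache([good, bad], dbversion, stub_scanner, cache)
            cache.save()
            counts.append(len(calls) - before)
    return tuple(counts)


if __name__ == "__main__":
    print(demo())  # (2, 1, 2)
```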


Re: [clamav-users] Anyone running a cluster on K8s?

2022-09-13 Thread G.W. Haywood via clamav-users

Hi there,

On Mon, 12 Sep 2022, Eric Tykwinski via clamav-users wrote:


I’ve been more and more moving things over to K8s from Docker ...


Could you explain that a bit more for me?  My understanding was that
Kubernetes and Docker were more than a little bit complementary. [1]

Disclaimer: I've never actually used any of this new-fangled stuff [2]
and I'm wondering if we might be able to help each other here.


just wondering if anyone is running a stateful set, IE I only want 1
server to run freshclam, but use the same defs for all other clamd


Maybe if I give you my understanding of how things hang together for
clamd it will help.

As far as clamd is concerned, the signature database is read-only.  It
resides in a single directory.  For the 'official' signatures that's
at least three files - main, daily and bytecode - but if you have e.g.
third-party signatures and/or your own Yara rules in the database, it
can be many; there are 82 at the moment in our own database directory.

On startup the clamd daemon reads the whole thing and builds in-memory
a somewhat optimized representation of what it's found.  The in-memory
representation is, as far as the engine is concerned, itself also then
read-only.  It will consume of the order of a gigabyte, so it can take
a while to build it during which time the engine can't scan anything. [3]

The freshclam utility is normally what changes files in the database
directory, but third-party tools exist which also do that and you can
even do it manually if you wish.  I used to do that all the time for
my Yara rules, but after years of pain I've given up on ClamAV's Yara
implementation and now use a separate Yara engine with separate rules.
It's much more efficient, easier to work with, and I haven't yet found
anything in Yara 4.2.2 which behaves other than exactly as documented.


I’m assuming I can just put Example in freshclam.conf, and send a
clamdscan --reload to the service to hit them all?


After the database has been read, clamd does not read any of the files
again until it's time to reload the whole thing.  This can be because
clamd itself detects some change in one of the files in the directory
(there's an internal timeout specified in clamd's configuration file)
or because an instruction is sent to clamd via the socket on which it
is listening.  You can command a 'RELOAD' using clamdscan or simply by
sending the command to the socket, e.g. using 'telnet' or 'socat' from
the command line after modifying signature files.  After an update by
freshclam it sends the command if so configured.  All the methods of
causing a reload have exactly the same effect.  They aren't mutually
exclusive, but I don't know what might happen if you tried to use two
of them at once. :)

I haven't thought about what advantage if any might result from using
multiple clamd daemons running in containers as compared with running
more threads on a single clamd server.  My gut feel is that it would
probably be more efficient just to run more threads.  By now I guess
that's a pretty well tested approach, and there have been issues with
containers but I'm not well informed about them.  The issues on github
are probably the best place to look for that kind of thing.

Now I'm going into the realms of conjecture.  Because you might have
multiple clamd daemons running on a single host sharing resources with
some containerization method, and because the in-memory representation
of the signature database is AFAIK read-only, it stands to reason that
you might carry the extraction beyond containerization, sharing memory
between all the daemons.  I'd bet that would take serious coding if it
were to be done explicitly, but you might be able to get it to work by
accident (almost) in a container environment.  The problem I see is
that each time an instance of clamd reloads its database it will write
all over its in-memory representation and mess up any optimizations of
the copy-on-write variety that the OS has probably already done.  But
fundamentally, as far as the scanner is concerned, the ruleset is just
a pointer to a structure.

[1] https://containerjournal.com/topics/container-ecosystems/kubernetes-vs-docker-a-primer/
[2] I use VMs.  I feel I don't know nearly enough about containers to use them
safely. [4]
[3] For this reason a recent improvement has been that the engine can have
a second, entirely separate in-memory representation, which it can build
while using the first for scanning.  This means that while it is building
the second it can use up to twice as much memory, but after the second is
built, the first chunk of memory will be freed and returned to the OS.  For
that reason, I think you might *not* want all your clamds to reload at once.
[4] e.g. https://containerjournal.com/features/the-state-of-k8s-software-supply-chain-attacks/

HTH

A final question: You're putting quite a bit of work into this.  Do
you have a feel for the probability that clamd will find what you're
asking it to 
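
Sending RELOAD to clamd's socket and reading back the signature version it reports, as an added example (not code from this message, from the PDF-scan reply above, or from ClamAV): the 'z'-prefixed, NUL-terminated framing is the one clamdscan uses, and the VERSION reply is parsed the way the PDF-scan reply describes it (the date is the signature database build date, not the engine's). The address 127.0.0.1:3310 and the polling intervals are assumptions.

```python
import re
import socket
import time

VERSION_RE = re.compile(r"^ClamAV (?P<engine>[^/]+)/(?P<sigver>\d+)/(?P<built>.+)$")


def encode_command(cmd):
    """Frame a command as clamdscan does: 'z' prefix, NUL terminator. clamd
    then terminates its reply with NUL too, so the end of a reply is
    unambiguous even though detection names may contain spaces."""
    return b"z" + cmd.encode("ascii") + b"\0"


def decode_reply(raw):
    return raw.rstrip(b"\0").decode("utf-8", errors="replace")


def parse_version(reply):
    """Split 'ClamAV 0.104.2/26663/Mon Sep 19 03:56:35 2022' into engine
    version, signature database version and database build date."""
    m = VERSION_RE.match(reply.strip())
    if not m:
        raise ValueError(f"unexpected VERSION reply: {reply!r}")
    return {"engine": m["engine"], "sigver": int(m["sigver"]), "db_built": m["built"]}


def _connect(address, timeout):
    # address is ("host", port) for TCP or a filesystem path for a Unix socket
    if isinstance(address, tuple):
        return socket.create_connection(address, timeout=timeout)
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    sock.connect(address)
    return sock


def clamd_command(address, cmd, timeout=30.0):
    """Send one command on a fresh connection and return its reply as text."""
    with _connect(address, timeout) as sock:
        sock.sendall(encode_command(cmd))
        buf = bytearray()
        while not buf.endswith(b"\0"):
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    return decode_reply(bytes(buf))


def reload_until(address, expected_sigver, deadline_s=600, poll_s=5):
    """Ask clamd to RELOAD and poll VERSION until it reports at least
    expected_sigver. With ConcurrentDatabaseReload the daemon answers
    'RELOADING' at once and keeps serving the old database while the new
    one is built, so VERSION has to be polled rather than read once."""
    before = parse_version(clamd_command(address, "VERSION"))
    if before["sigver"] >= expected_sigver:
        return before
    reply = clamd_command(address, "RELOAD")
    if reply != "RELOADING":
        raise RuntimeError(f"RELOAD not accepted: {reply!r}")
    after = before
    end = time.monotonic() + deadline_s
    while time.monotonic() < end:
        time.sleep(poll_s)
        after = parse_version(clamd_command(address, "VERSION"))
        if after["sigver"] >= expected_sigver:
            return after
    raise TimeoutError(f"clamd still reports {after['sigver']} after {deadline_s}s")


if __name__ == "__main__":
    # Assumed address: clamd listening on TCP port 3310 on the local host.
    print(reload_until(("127.0.0.1", 3310), 26663))
```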

Re: [clamav-users] hello help with config please

2022-09-10 Thread G.W. Haywood via clamav-users

Hi there,

On Sat, 10 Sep 2022, colin course via clamav-users wrote:


You are full of Ged i wish someone else had answered rather than you  just my 
luck ,
You are so up yourself that if you went any further you would disappear  which 
probably would be a good thing


As a general rule, Colin, handing out personal insults to people who
deal with this stuff all day every day of their working lives and are
genuinely trying to help you isn't the best way to achieve the desired
results.  I understand your frustration but there's really no point in
trying to take it out on others.  It will just alienate them, and then
you'll be completely on your own, no nearer your goal.

Obviously I've upset you so I won't respond to any more of your mail.

If you can try to answer some of my questions I'm sure someone else on
the list will respond.  Do try not to shoot the messenger, though, if
he tells you that your computer isn't powerful enough to run ClamAV.

--

73,
Ged.
___

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat


Re: [clamav-users] hello help with config please

2022-09-10 Thread G.W. Haywood via clamav-users

Hi there,

On Sat, 10 Sep 2022, colin course via clamav-users wrote:


could you take a quick look at my freshclam config please ...


The configuration for freshclam determines things like when and how
the signature database for ClamAV on your computer will be updated.

If you want us to guess how ClamAV is likely to behave when it looks
for threats on your system, then it would probably be more useful to
post the configuration for the clamd scanning daemon together with a
bit of information about the system.  The configuration is usually in
the file called 'clamd.conf' but some Linux distributions mess around
with the way things are configured so you might need to look for other
files.  Some of the most important things we need to know about the
system are how much memory it has installed; what operating system it
is running; what other things are running on the system (especially if
they might use a lot of memory); what you've done with it; and anything
you can tell us which makes you think that it's been compromised.  Try
to be very precise.  For reasons which completely elude me, sometimes
in your posts you have deliberately tried to be obscure.  Do please be
aware that the time I have remaining to me in my life is far too short
to bother with riddles.  If you want *me* to guess at things you'll be
disappointed.  Rather than struggle with riddles I'll just ignore them.


i have a virus as i tried to explain to Ged been with me since 22nd
of November like an old acquaintance it is now.


In January I told you that, because your computer had less than half a
gigabyte of memory available, it would not be able to run ClamAV with
the full set of 'official' signature files:

https://lists.clamav.net/pipermail/clamav-users/2022-January/012257.html

I also suggested that the safest way to remove the virus from the
computer (if one was there) is to wipe the entire system and install
from scratch:

https://lists.clamav.net/pipermail/clamav-users/2022-January/012247.html

What have you actually done?


One thing it will not let me do is set file permissions in directories


I have already explained that before you mess with file permissions
you need to know what you're doing:

https://lists.clamav.net/pipermail/clamav-users/2022-January/012253.html


i have tried to scan single files with clamtk but its just taking too much juice
i hear clamd is a gentler scanner ,which i do have installed on my system


Unless I've missed something, ClamTK is just a graphical interface to
the ClamAV scanner:

https://en.wikipedia.org/wiki/ClamTk

If anything it is likely to be less gentle than ClamAV used by itself,
at least if you're careful in the way that you use ClamAV commands.

ClamTK will in any case probably use more memory than ClamAV by itself
(because that's the way things usually are with graphical interfaces)
and at least the last time we discussed this your system was much too
short of memory to load the full 'official' ClamAV signature database.

My crystal ball has been distinctly foggy since I fell off my bike so
please, take it from the top and tell us what we need to know so that
we can help you.

If you really do have a virus on your computer it's best if you don't
keep it connected to the Internet.  It's irresponsible.  If it really
is a virus then it's much more likely to be a problem if it's able to
contact (a) the malicious folks who put it on your computer, who will
use it for crime and (b) more victims - by which I mean everyone else.

Incidentally I see you're using Yandex mail.  You might try using your
favourite search engine to search for

Yandex malware

You might just have found something which has taken over your browser,
but that's really a guess.  If you have, then I'm afraid the ClamAV is
not designed to help you get rid of it.  My main advice is unchanged
from what it was in January but you *might* get away with removing all
traces of your browser and installing one from scratch.

--

73,
Ged.


Re: [clamav-users] remove me

2022-09-08 Thread G.W. Haywood via clamav-users

Hi there,

On Thu, 8 Sep 2022, Michael Piziak via clamav-users wrote:


remove me


It would be more polite to read the headers of any mail sent to you by the
list, wherein you will find the information you need to remove yourself.

--

73,
Ged.


Re: [clamav-users] Incremental updates and server memory

2022-09-08 Thread G.W. Haywood via clamav-users

Hi there,

On Thu, 8 Sep 2022, Andrew C Aitchison via clamav-users wrote:


I guess that this would be a long term project ...

The malware databases are updated with cdiffs, which means that the
whole database does not have to be re-downloaded with each update.

However, the running daemon has to re-read the whole database from
disk (temporarily doubling the memory requirement).


At the expense of not being able to scan during database reloads you
can prevent the doubling of memory use by use of the configuration option

ConcurrentDatabaseReload no


Would it make sense to be able to load the cdiff and avoid reloading
from scratch ?


This kind of thing has been discussed in the past, I think the upshot
was that it isn't feasible because of the way that the engine builds a
(highly optimized) internal representation of millions of sigs.

I've now got around the issue for Yara rules (which are modified here
much more often than the ClamAV signatures) by using a separate Yara
engine to scan for those rules.  This has the added advantage that it
uses an up to date version of Yara rather than the version in ClamAV,
which is a decade or more out of date.

--

73,
Ged.


Re: [clamav-users] Best practices when using caching http proxy as cvd private mirror

2022-09-08 Thread G.W. Haywood via clamav-users

Hi there,

On Thu, 8 Sep 2022, Aaron Leliaert via clamav-users wrote:


On https://docs.clamav.net/appendix/CvdPrivateMirror.html#use-an-http-proxy
Am looking for best practices on how an http proxy should be
configured in this scenario.  Some questions:

1) What mechanism should a proxy use to detect a stale cached file?
 Want to avoid stale files obviously, but also reduce load to the
public mirrors and chance of rate limiting.


There are no public mirrors any more, it's a Content Delivery Network
provided by Cloudflare which also provides some protection against
Denial of Service attacks - which have been part of the landscape for
some time now.  You probably don't need to worry about stale files, it
happens occasionally but the signatures aren't updated much more often
than daily and you could e.g. set up a cron job to mail you if nothing
changes in your copy of the official signature database for 48 hours.
I've been using ClamAV for about two decades and I can't remember the
last time I had to do *anything* about it.  It Just Works.  Whether it
will then find what you're looking for is another question entirely...


2) I see that curl requests to database.clamav.net fail unless I
override the User-Agent header to have a value similar to what
freshclam does, such as "CVDUPDATE/0".  If I have to manually set
this in a proxy, is there guidance on what a good future-proof value
is?  It feels weird to lie in the request.


Using curl and lying in the requests is likely to get the requesting
IP banned.  My understanding is that you have two choices, you either
use (preferably) freshclam or (if necessary) cvdupdate, and that the
use of curl and similar is essentially forbidden.  You will see notes
to this effect in the mailing list, many from Joel, if you search it.


3) Happy to hear any dissenting opinions on the HTTP proxy idea.


Now that the files are distributed by a Content Delivery Network, I
think the need for local caching proxies is much reduced (the CDN can
cope with much more traffic) but you will certainly want to avoid the
appearance of being abusive.  That isn't too difficult unless you're
managing a large number of clients on your network.  For a few dozen
machines I haven't used a proxy for years.  What sort of numbers are
you dealing with?

Please note that replies direct to my clamav@ address are rejected,
it accepts mail only from the mailing list.

--

73,
Ged.
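
The 48-hour staleness check suggested above, as an added example that is not from the message or from ClamAV: it reads the 'ClamAV-VDB:' header at the start of daily.cld/daily.cvd rather than the file's mtime, so a file that was touched but never actually updated does not pass. The header layout (creation time, version, signature count, functionality level, MD5, digital signature, builder, stime) is assumed from the .cvd format; the sample header values are constructed.

```python
import datetime as dt
import os
import tempfile

HEADER_LEN = 512
FIELDS = ("magic", "created", "version", "sigs", "flevel", "md5", "dsig", "builder", "stime")

# Constructed header in the 'ClamAV-VDB' layout. The version is the one quoted
# in the thread; the signature count, MD5, dsig and builder are placeholders.
SAMPLE_HEADER = (
    b"ClamAV-VDB:19 Sep 2022 07-56 +0000:26663:8631029:90:"
    b"00000000000000000000000000000000:PLACEHOLDER_DSIG:builder:1663574160"
).ljust(HEADER_LEN, b" ")


def parse_db_header(header):
    """Parse the 512-byte header shared by .cvd and .cld database files."""
    text = header[:HEADER_LEN].decode("ascii", errors="replace").rstrip(" \0")
    fields = text.split(":")
    if fields[0] != "ClamAV-VDB" or len(fields) < 5:
        raise ValueError("not a ClamAV database header")
    info = dict(zip(FIELDS, fields))
    info["created"] = dt.datetime.strptime(info["created"], "%d %b %Y %H-%M %z")
    for key in ("version", "sigs", "flevel"):
        info[key] = int(info[key])
    return info


def _as_datetime(now):
    if now is None:
        return dt.datetime.now(dt.timezone.utc)
    if isinstance(now, str):
        return dt.datetime.fromisoformat(now)    # e.g. "2022-09-22T08:00:00+00:00"
    return now


def age_hours(info, now=None):
    """Hours between the database build time and `now` (datetime or ISO string)."""
    return (_as_datetime(now) - info["created"]).total_seconds() / 3600


def check_database_dir(dbdir, max_age_hours=48, now=None, names=("daily",)):
    """Return [(filename, version, age_hours)] for databases older than max_age_hours.

    Only 'daily' is checked by default: main.cvd and bytecode.cvd are rebuilt
    rarely, so a 48-hour threshold on them would alert continuously. A .cld
    (the on-disk result of applying cdiffs) supersedes a .cvd of the same name.
    A cron wrapper would mail the administrator whenever the list is non-empty.
    """
    now = _as_datetime(now)
    stale = []
    for base in names:
        for ext in (".cld", ".cvd"):
            path = os.path.join(dbdir, base + ext)
            if not os.path.exists(path):
                continue
            with open(path, "rb") as fh:
                info = parse_db_header(fh.read(HEADER_LEN))
            age = age_hours(info, now)
            if age > max_age_hours:
                stale.append((base + ext, info["version"], round(age, 1)))
            break                                # .cld found: ignore the older .cvd
    return stale


def demo():
    """Offline run: a constructed daily.cld checked three days after its build time."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "daily.cld"), "wb") as fh:
            fh.write(SAMPLE_HEADER)
        return check_database_dir(tmp, 48, now="2022-09-22T08:00:00+00:00")


if __name__ == "__main__":
    print(demo())  # [('daily.cld', 26663, 72.1)]
```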


Re: [clamav-users] How to set max file size for clamav in docker compose

2022-09-07 Thread G.W. Haywood via clamav-users

Hi there,

On Wed, 7 Sep 2022, Adrian Bielefeldt via clamav-users wrote:


I'm trying to setup a docker container with clamav and am struggling to
allow for larger files to be scanned. I've set up my docker-compose.yml
like this:


version: "3.3"
services:
 clamav:
   image: clamav/clamav:latest
   environment:
 CLAMD_CONF_MaxFileSize: 250M
 CLAMD_CONF_MaxScanSize: 250M
   restart: always
   ports:
 - "3310:3310"


but that doesn't seem to do it (I keep getting a Broken Pipe Error). I
presume I'm just using the wrong variables, but I can't seem to find
the right ones.

Can anyone point me in the right direction?


I'll try, but I'm afraid I've never used ClamAV with Docker.

Do you have a configuration file somewhere called clamd.conf or
something similar?  If so I'd expect that you just need to edit the
relevant options in that and restart clamd.  For more help see the
'man' page:

man clamd.conf

or the online documentation:

https://docs.clamav.net/

Incidentally as of 0.105.0 the default for MaxScanSize is 400M:

https://blog.clamav.net/2022/05/clamav-01050-01043-01036-released.html

--

73,
Ged.


[clamav-users] Two very similar attachments, one detected, one not.

2022-09-06 Thread G.W. Haywood via clamav-users

Hi there,

This morning an attempt was made by Digitalocean IP 143.110.237.196 to
send to us a message which contains two malicious attachments.  The two
attachments are almost identical:

8<--
$ atool -l AWB\ #\ 5763190392.DOC.zip 
Archive:  AWB # 5763190392.DOC.zip

  Length      Date    Time    Name
---------  ---------- -----   ----
   729600  2022-09-06 02:27   AWB # 5763190392.DOC.exe
---------                     -------
   729600                     1 file

$ atool -l MFT_5763190392.DOCS.zip 
Archive:  MFT_5763190392.DOCS.zip

  Length      Date    Time    Name
---------  ---------- -----   ----
   729600  2022-09-06 02:27   MFT_5763190392.DOCS.exe
---------                     -------
   729600                     1 file
8<--

Both are .ZIP archives containing PE32 executables:

8<--
$ file AWB\ #\ 5763190392.DOC.zip 
AWB # 5763190392.DOC.zip: Zip archive data, at least v2.0 to extract
$ unzip AWB\ #\ 5763190392.DOC.zip 
Archive:  AWB # 5763190392.DOC.zip
  inflating: AWB # 5763190392.DOC.exe 
$ file AWB\ #\ 5763190392.DOC.exe 
AWB # 5763190392.DOC.exe: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

8<--

8<--
$ file MFT_5763190392.DOCS.zip 
MFT_5763190392.DOCS.zip: Zip archive data, at least v2.0 to extract
$ unzip MFT_5763190392.DOCS.zip 
Archive:  MFT_5763190392.DOCS.zip
  inflating: MFT_5763190392.DOCS.exe 
$ file MFT_5763190392.DOCS.exe

MFT_5763190392.DOCS.exe: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, 
for MS Windows
8<--

The two executables are identical:

8<--
-rw-r--r--  1 ged ged 729600 Sep  6 02:27 'AWB # 5763190392.DOC.exe'
-rw-r--r--  1 ged ged 729600 Sep  6 02:27  MFT_5763190392.DOCS.exe
$ md5sum AWB\ #\ 5763190392.DOC.exe  MFT_5763190392.DOCS.exe
6e15bfd980e87e26ba7f3cf5e488a35d  AWB # 5763190392.DOC.exe
6e15bfd980e87e26ba7f3cf5e488a35d  MFT_5763190392.DOCS.exe
8<--

Curiously enough, ClamAV detected one of the executables as malicious
(as usual by one of the Sanesecurity signatures), while the other was
not detected by ClamAV at all:

8<--
$ clamdscan AWB\ #\ 5763190392.DOC.zip 
/home/ged/AWB # 5763190392.DOC.zip: Sanesecurity.Foxhole.Zip_fs2087.UNOFFICIAL FOUND


--- SCAN SUMMARY ---
Infected files: 1
Time: 37.597 sec (0 m 37 s)
8<--

(Our scanner runs on a Pi4B, remote from the mail server.  It isn't quick. :/)

8<--
$ clamdscan MFT_5763190392.DOCS.zip
/home/ged/MFT_5763190392.DOCS.zip: OK

--- SCAN SUMMARY ---
Infected files: 0
Time: 42.715 sec (0 m 42 s)
8<--

On manually submitting the archive files to Jotti, one of the other
virus scanners (f-secure) had a similar issue:

8<--
AWB\ #\ 5763190392.DOC.zip 
...//alpha.local.jubileegroup.co.uk/perl/jotti.pl?submit=Jotti+Scan&3e8...

8<--
Read 1 parts, length=526974
Summary:
Name:           3e8ab82e437e15159f5f2156719570767190c7e99d05086a595b6f7afaa4e0f2-526974.txt
Size:           514.62kB (526,974 bytes)
Type:           Zip archive
First seen:     September 6, 2022 at 11:33:23 AM GMT+2
MD5:            e3d0a3017ebb112ec0da6fa750cc66ca
SHA1:           f55c1cd28f213152d80b86a1f2e70f568a7fdd94
Status:         Scan finished. 11/15 scanners reported malware.
Scan taken on:  September 6, 2022 at 11:33:25 AM GMT+2
Results:
https://www.avast.com            Sep 6, 2022  Win32:PWSX-gen
https://www.bitdefender.com      Sep 6, 2022  Trojan.GenericKD.61801737
https://www.clamav.net           Sep 6, 2022  Found nothing
https://www.cyren.com            Sep 6, 2022  W32/MSIL_Troj.CIX.gen!Eldorado
https://www.drweb.com            Sep 6, 2022  Found nothing
https://www.escanav.com          Sep 6, 2022  Trojan.GenericKD.61801737
https://www.fortinet.com         Sep 6, 2022  PossibleThreat
https://www.f-secure.com         Sep 6, 2022  Heuristic.HIDDENEXT/Worm.Gen
https://www.gdatasoftware.com    Sep 6, 2022  MSIL.Trojan-Stealer.AgentTesla.XHY925
https://www.ikarus.at            Sep 6, 2022  Trojan.MSIL.Inject
https://www.k7computing.com/...  Sep 6, 2022  Trojan ( 0058f5f91 )
https://www.kaspersky.com        Sep 6, 2022  Found nothing
https://www.sophos.com  Sep 

Re: [clamav-users] Clam AV on NAS/Personal Cloud Device?

2022-09-02 Thread G.W. Haywood via clamav-users

Hi there,

On Fri, 2 Sep 2022, tim.pennick--- via clamav-users wrote:


Apologies for the OT follow-up.  I attempted to send this off list, but was
rejected.


Sorry, my mail system is a bit picky about replies to mailing list posts. :)


Very many thanks for your extremely helpful response.  I wonder if you could
clear up a point you raise as I'm not a security expert, but am concerned
that I might be adding unnecessarily to the risks of a security breach.


Concern about these things is good. :)


You say:

"NAS devices respond to requests to read and write data which come from the
other devices on the network.  For backup, my own feeling is that I'd much
rather have something which makes calls to the devices being backed up to
ask for the data but does *not* respond to devices which try to command it.
Effectively there's a firewall between the devices being backed up and the
backup device.  Then if ransomware or similar manages to compromise any of
the devices being backed up, it can't get to the backup device to do any
damage there and you have a much better situation to recover from."

Do you have a product or type of product in mind which would satisfy your
criteria?


Yes.  Something like 'BackupPC'.  It won't quite tick all the boxes without
a bit of work on the box on which it runs, but a little bit of firewalling
can go a long way.  I'm sure there must be others but that's what I've been
using for many years.


Wouldn't it be just as dangerous to allow a storage device to
command a client device to perform a particular task, as vice versa?


No, absolutely not.  The ideal would be to harden a backup device so
that, even if the devices it's backing up are compromised, it can't
itself be compromised.  The backup device says in effect "Please send
some data." and it doesn't care a hoot what data gets sent because its
one and only job is to accept any amount of random data that anything
on the network cares to send to it *after* receiving such a request.

If a device tries to connect to the backup box to instruct it to do
something, the backup box ignores it - and hopefully writes a warning
in the logs somewhere, or sends mail, or whatever kind of alert the
system administrator prefers.

We're OT for this list so I won't go into more detail but if you do a
bit of reading about firewalls you'll start to get the picture.  You
can have a firewall anywhere, it doesn't have to be just at a network
perimeter like in your modem/router.  It just seems like common sense
to me to have at least a firewall between the backup and the things it
backs up.  An air gap is better, but more effort and less convenient.

--

73,
Ged.


Re: [clamav-users] Clam AV on NAS/Personal Cloud Device?

2022-09-01 Thread G.W. Haywood via clamav-users

Hi there,

On Thu, 1 Sep 2022, tim.pennick--- via clamav-users wrote:


Grateful for any advice, and apologies in advance for the necessarily
detailed message below.


You're welcome in advance, and within reason the more detail the better.
More often there isn't nearly enough. :)


I recently purchased a Western Digital MyCloud Ex2 Ultra Personal Cloud/NAS


This sort of thing has come up here before, you might want to search the
mailing list archives.  See the links in the headers in any list mail.


device.  The firmware of this device includes an app store of installable
third party products including what they call Anti Virus Essentials.  This
turns out after some investigation to be Clam Anti Virus.


I *wish* people wouldn't do that.  They never seem to keep on top of it, seems
to me it's just the marketing department's idea.


... the powerful Marvell ARMADA 385 1.3GHz dual-core processor,
you'll get ultra-fast transfer rates for high performance streaming. ...


Yeah, yeah.


... comes with 1GB of DDR3 memory, so you can multitask with ease."


Ah.  But *not* so you can use ClamAV.  Unfortunately that's nowhere
near enough memory.


... running the configuration as delivered by the firmware to do a full scan
takes several weeks to complete.  I gave up when it had been running for 2
weeks and had only reached 29%, most of which appeared to be scanning its
own libraries.


Sounds about right.  It would probably have been swapping like crazy.


A lengthy exchange of email messages between myself and WD
support, suggested turning off other applications such as streaming, while
the scan was running ...


Well they were on the right track, but it was never really going to fly.


... eventually yielded the advice that as this is a third party
product, I should engage with the third party supplier.


Pity they didn't read the documentation before they stol^H^H^H^H bundled
more bloatware which didn't cost them anything so they could put another
bit of bait on the sales blurb.  I used to think WD was a decent company.

https://docs.clamav.net/Introduction.html#recommended-system-requirements


My questions, with many thanks to anyone still reading this


Still here. :)


are:
1. Is Clam Anti Virus appropriate and/or necessary for an environment such
as this where most of the data is actually backup files generated by the
Windows10 Backup And Restore application.


Necessary is a strong word, but it depends on how it's used.  As it's
based on a more or less general purpose Linux distribution it suffers
from the potential risks of compromise that any network-connected box
will suffer.  When it comes to after-sales service and support some of
the companies pushing this kind of storage have a chequered history so
you're probably best advised to take security matters upon yourself.

NAS devices respond to requests to read and write data which come from
the other devices on the network.  For backup, my own feeling is that
I'd much rather have something which makes calls to the devices being
backed up to ask for the data but does *not* respond to devices which
try to command it.  Effectively there's a firewall between the devices
being backed up and the backup device.  Then if ransomware or similar
manages to compromise any of the devices being backed up, it can't get
to the backup device to do any damage there and you have a much better
situation to recover from.


2. Is the device under-powered to run Clam AV over this amount of data
(currently approximately 3TB including music files for streaming).


To put things into perspective, there are of the order of ten million
signatures in the official signature database and there are third-party
databases available which extend the coverage of the official one, so
memory gets used up pretty quickly when you start scanning for viruses.
The amount of data to be scanned is irrelevant.  As things stand now
the device cannot sensibly run ClamAV.  Before it can even scan a 68
byte EICAR file, the scanner will use up more than 1GByte RAM just to
load the 'official' signature database - and we haven't talked about
keeping it up to date yet.


3. As a total Newbie to Clam AV is there anything I can do to optimise
performance on my device?


If you can put more memory into it, yes.  Otherwise sorry, no, not as
a total newbie.  Maybe you could do things if you were very familiar
with the tools.  It would be a lot of work to set up and very onerous
to keep up to date, something which is done more or less automatically
with a vanilla installation.  You'd basically need a personalized
signature database which was small enough to fit in the available RAM.
The effort would not justify the results.  My recommendation would be
don't even think about it.

--

73,
Ged.

Re: [clamav-users] Please help

2022-08-31 Thread G.W. Haywood via clamav-users

Hi there,

On Wed, 31 Aug 2022, Jan Elliott wrote:


TO:  "clamd user questions" 

QUESTION:  When I try to execute the command "clamd"  I
get the following message:
  ERROR: Please define server type (local and/or TCP)


The tool (possibly 'clamdscan', but whatever it is) which tells clamd
what it is to scan communicates with clamd through a socket.  Running
clamd on Linux, most people most of the time configure clamd to use a
Unix socket but it can also use a TCP socket.  You need to choose one.
Using a TCP socket may have security implications which I don't think
you need to worry about in your present situation.

https://docs.clamav.net/manual/Usage/Configuration.html#clamdconf

and try the command

man clamd.conf

Look for the configuration options which start with "TCP" and also
those which contain the word "Socket".


 The person who installed Fedora v36 suggested I
try CLAMD to get rid of a virus/whatever that apparently
infected my Chrome browser ...


Try to think of ClamAV as an attempt to prevent rather than a cure.

It isn't generally a good idea to try to get an infected system to
repair itself.  If the criminals who produced the malicious code are
any good at their jobs - and some of them are *very* good because it
can pay well - they will have ways of preventing something like ClamAV
from doing its job.  There might easily be hundreds of compromised
executables in the box.  If you try to replace them all, you only need
to miss one for the exercise to be pointless.  You could never be sure
that you'd found everything, and you might waste a lot of time finding
out that you hadn't.

My advice is to wipe the system and start from scratch.  These days it
seems that even that isn't always enough and if the threat has reached
into the firmware then you might need to write off the machine, or at
least substantial parts of it.  It isn't an especially likely outcome,
but it's one that you should bear in mind.

What's the state of your backups?

--

73,
Ged.


Re: [clamav-users] Getting 1020 error when curling

2022-08-29 Thread G.W. Haywood via clamav-users

Hi there,

On Mon, 29 Aug 2022, Yong Jie YEOH (GOVTECH) via clamav-users wrote:


I would like to check. I have a QA environment which has a forward proxy to 
forward to specific whitelisted url.

Just a few days ago, I got to know that my clamav fails to update daily. I went 
to the forward proxy and tried to curl myself, I got a 1020 error,
When I do it with wget, I got a 403 error. Any idea why?
...


I guess you're suspected of being an abusive user. :(

See for example

https://www.mail-archive.com/clamav-users@lists.clamav.net/msg51015.html

--

73,
Ged.


Re: [clamav-users] Inquiry about ClamAV's clamdscan scan timeout

2022-08-24 Thread G.W. Haywood via clamav-users

Greetings from England,

On Wed, 24 Aug 2022, Tachibanaki Nozomi (橘木 希美) wrote:


1.  Is there any way to check when a scan timeout occurs? (e.g., display a 
message, etc.)


Because clamd can be asked to scan multiple items in a single command
it is sometimes easier to know what happened by looking in the logs,
but even then you might not find what you want.

When clamd scans a ZIP file, if the scan time exceeds the timeout set
in the configuration file (usually clamd.conf) by the "MaxScanTime"
configuration option, the response from clamd should be something like:

8<--
$ clamdscan --config-file=clamd_test.conf CH341SER_LINUX.ZIP 
/home/ged/CH341SER_LINUX.ZIP: Heuristics.Limits.Exceeded FOUND


--- SCAN SUMMARY ---
Infected files: 1
Time: 1.395 sec (0 m 1 s)
Start Date: 2022:08:24 11:15:24
End Date:   2022:08:24 11:15:26
8<--

In the test above I started a copy of clamd with the timeout value set
to 30 milliseconds.  As you can see the limit which was exceeded is
not shown in the reply, so there is no way to know if it was a time
limit or some other limit.  There's a lot of unfinished business in
ClamAV and I believe that in future the developers intend to make
improvements, but I know nothing about their schedule:

8<--
~/clamav-0.103.7/clamd $ grep -r TODO | tail -n 2
clamd_others.c:/* TODO: handle ReadTimeout */
thrmgr.c:/* TODO: show both queues */
8<--

The test below, which I ran a few minutes earlier, used a copy of
clamd with the default MaxScanTime (30 milliseconds) to scan the
same file:

8<--
$ clamdscan --config-file=clamd_test.conf ~/CH341SER_LINUX.ZIP 
/home/ged/CH341SER_LINUX.ZIP: OK


--- SCAN SUMMARY ---
Infected files: 0
Time: 1.747 sec (0 m 1 s)
Start Date: 2022:08:24 11:10:11
End Date:   2022:08:24 11:10:12
8<--

For both scans shown above the clamd configurations were identical,
except for the timeout setting.  Here is a diff of the configuration
files which I used:

8<--
# diff -U2 clamd_test_1.conf clamd_test_2.conf 
--- clamd_test_1.conf   2022-08-24 11:07:26.358628737 +0100

+++ clamd_test_2.conf   2022-08-24 11:08:15.087874778 +0100
@@ -548,5 +548,5 @@
 # Time is in milliseconds.
 # Default: 12
-MaxScanTime 30
+#MaxScanTime 30
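Review bot: the only change in this hunk is commenting out `MaxScanTime 30`, so clamd_test_2.conf sets no value at all and clamd falls back to its built-in default; the sentence above describing the second run as using "the default MaxScanTime (30 milliseconds)" does not match the hunk, because 30 ms is the explicit value in clamd_test_1.conf, which is the configuration that produced `Heuristics.Limits.Exceeded FOUND`. The `# Default: 12` context line also looks truncated and should be checked against the shipped clamd.conf before being quoted as the default.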
8<--

Please note that the file 'clamd_test.conf' given in my command lines
simply tells 'clamdscan' where to find the socket and where to write
log information etc. in these tests - it does not affect the timeout
values, which are fixed after clamd reads the configuration files when
it starts.

In both tests I used verbose logging to the same file, so that I could
see the results in the log:

8<--
# grep CH341SER_LINUX.ZIP /var/log/clamav/clamd_test.log
Wed Aug 24 11:10:11 2022 -> got command CONTSCAN /home/ged/CH341SER_LINUX.ZIP 
(38, 7), argument: /home/ged/CH341SER_LINUX.ZIP
Wed Aug 24 11:10:12 2022 -> /home/ged/CH341SER_LINUX.ZIP: OK
Wed Aug 24 11:15:25 2022 -> got command CONTSCAN /home/ged/CH341SER_LINUX.ZIP 
(38, 7), argument: /home/ged/CH341SER_LINUX.ZIP
Wed Aug 24 11:15:26 2022 -> /home/ged/CH341SER_LINUX.ZIP: 
Heuristics.Limits.Exceeded FOUND
8<--


2.  I scanned a ZIP file (1.7GB) containing a test virus file with clamdscan and 
it exited successfully without detecting any virus. Is this a specification?
The scan.conf settings are as follows:
・ReadTimeout 120
・MaxScanTime 12
・MaxScanSize 2048M
・MaxFileSize 2048M
・MaxZipTypeRcg 2048M


Perhaps it was not an exceeded limit which terminated the scan.  And
as you know there are other limits, perhaps your test exceeded one of
those.  In your situation I should set up verbose logging, and look in
the logs for more information.  You can also choose to keep temporary
files for inspection after the scan has completed which might help you.

I use ClamAV to scan mail, and in my case the client is a milter which
is written in Perl (I do not use clamav-milter).  It's straightforward
to write a client for clamd, the API is very simple.  For my purposes
I implement timeouts and some other limits in the client.  Then I can
configure things like timeouts dynamically, take a view on any limits
per scan (and thus avoid a lot of wasted scanning time), and also get
the client to tell me everything I need to know.

HTH

--

73,
Ged.
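An added example (not code from the list or from the ClamAV project) of the kind of clamd client described in this reply and in the "Please help" reply above: it speaks clamd's INSTREAM protocol over either a Unix or a TCP socket and enforces its own timeout and size limit on the client side. The socket path and TCP endpoint in the docstring are assumptions; adjust them to the LocalSocket / TCPSocket / TCPAddr settings in your clamd.conf.

```python
"""Minimal clamd client with client-side timeout and size limits.

Added example, not code from the list or the ClamAV project.  Assumptions:
clamd is reachable on the Unix socket /run/clamav/clamd.sock or on TCP
127.0.0.1:3310; the path and port come from clamd.conf's LocalSocket,
TCPSocket and TCPAddr options, so adjust them to your installation.
"""
import socket
import struct
import sys

CHUNK_SIZE = 64 * 1024               # bytes sent per INSTREAM chunk
CLIENT_MAX_BYTES = 25 * 1024 * 1024  # client-side cap, checked before sending


def frame_instream(data: bytes, chunk_size: int = CHUNK_SIZE) -> bytes:
    """Encode a payload in clamd's INSTREAM wire format.

    The command is the NUL-terminated 'zINSTREAM'; each chunk is a 4-byte
    big-endian length followed by that many bytes; a zero-length chunk
    terminates the stream.
    """
    out = bytearray(b"zINSTREAM\0")
    for off in range(0, len(data), chunk_size):
        chunk = data[off:off + chunk_size]
        out += struct.pack("!I", len(chunk)) + chunk
    out += struct.pack("!I", 0)
    return bytes(out)


def parse_response(raw: bytes):
    """Parse a NUL-terminated z-command reply into (status, detail).

    clamd answers '<name>: OK', '<name>: <signature> FOUND' or
    '<name>: <message> ERROR'.  Heuristics.Limits.Exceeded arrives as an
    ordinary FOUND verdict, so which limit fired is not visible here.
    """
    text = raw.rstrip(b"\0").decode("utf-8", "replace")
    _, _, verdict = text.partition(": ")
    if verdict == "OK":
        return "OK", ""
    for tag in ("FOUND", "ERROR"):
        if verdict.endswith(" " + tag):
            return tag, verdict[: -len(tag) - 1]
    return "ERROR", text  # unrecognised reply shape


def _connect(address, timeout: float) -> socket.socket:
    """Tuple address means TCP (host, port); a str is a Unix socket path."""
    if isinstance(address, tuple):
        return socket.create_connection(address, timeout=timeout)
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    sock.connect(address)
    return sock


def _read_reply(sock: socket.socket) -> bytes:
    """Read until the terminating NUL of a z-command reply or until EOF."""
    raw = bytearray()
    while not raw.endswith(b"\0"):
        part = sock.recv(4096)
        if not part:
            break
        raw += part
    return bytes(raw)


def scan_bytes(data: bytes, address="/run/clamav/clamd.sock",
               timeout: float = 30.0, max_bytes: int = CLIENT_MAX_BYTES):
    """Scan an in-memory payload, applying the client's own limits.

    The size check runs before anything is sent, so an oversized file costs
    no scanning time; a socket timeout is reported as TIMEOUT rather than
    being mistaken for a clean result.
    """
    if len(data) > max_bytes:
        return "SKIPPED", f"{len(data)} bytes exceeds client limit of {max_bytes}"
    try:
        with _connect(address, timeout) as sock:
            sock.sendall(frame_instream(data))
            return parse_response(_read_reply(sock))
    except socket.timeout:
        return "TIMEOUT", f"no verdict from clamd within {timeout}s"
    except OSError as exc:
        return "ERROR", str(exc)


def ping(address="/run/clamav/clamd.sock", timeout: float = 5.0) -> bool:
    """Return True if clamd answers PING with PONG."""
    try:
        with _connect(address, timeout) as sock:
            sock.sendall(b"zPING\0")
            return _read_reply(sock).rstrip(b"\0") == b"PONG"
    except OSError:
        return False


if __name__ == "__main__":
    # Usage: python clamd_client.py [/path/to/file]  (scans the file, else pings)
    addr = "/run/clamav/clamd.sock"
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(scan_bytes(fh.read(), addr))
    else:
        print("clamd reachable:", ping(addr))
```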

Re: [clamav-users] Starting Clamd

2022-08-17 Thread G.W. Haywood via clamav-users

Hi there,

On Wed, 17 Aug 2022, John wrote:


...
# clamconf -n
Checking configuration files in /usr/--sysconfdir=/etc/clamav/etc

clamd.conf not found

freshclam.conf not found

clamav-milter.conf not found
...


Ouch.  Did this clamconf binary come from a package??

What's the output of

clamconf -V

?


...
Build information
-
GNU C: 8.3.0 (8.3.0)
CPPFLAGS:
CFLAGS: -g -O2  -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
CXXFLAGS: -g -O2
LDFLAGS:
Configure: '--with-user=Debian-exim' '--with-group=Debian-exim' 
'--bindir=/usr/sbin' '--prefix=/usr/--sysconfdir=/etc/clamav/'
...


It looks like the arguments given to 'configure' were broken when the
binary was built.  There should have been whitespace between the last
two options, so you would have had the prefix value given by

'--prefix=/usr/'

and the sysconfdir value given by

'--sysconfdir=/etc/clamav/'

but they've somehow been run into a single value for "--prefix" which
as you might expect isn't going to work too well.

If your clamd was built in the same way then all bets are off.  It
should probably be rebuilt from scratch.


I found an old clamd binary that now seems to work. We will see!


What version?  How old?  If it's a very old version of clamd there may
be issues with some of the more recent signatures - not to mention the
potential for vulnerabilities which have been published.  Also if you
use an old clamd you will probably need old libraries to support it.

ldd /path/to/old/clamd

will tell you about the libraries that your old clamd expects to find.

--

73,
Ged.


Re: [clamav-users] Starting clamd

2022-08-16 Thread G.W. Haywood via clamav-users

Hi there,

On Tue, 16 Aug 2022, John wrote:


I apologise in advance if this question is trivial but I am getting
very lost. [...] recently I started using the Debian package rather
than a self-build (mainly because clamav requires an increase of
support code)


It isn't too difficult to set up a build system on Debian but there is
quite a bit to do.  It would probably be worth your while to put in
the effort to get on top of it.  There's help here.  If you use packages,
unfortunately most package maintainers seem to like a configuration
for ClamAV which is very different from that with which you'll be
familiar if you've been building it yourself.  Things are in different
places, and ownerships and groups will be different.  You will need to
go through all the configuration methodically.  You can use 'clamconf'
to see most of the important configuration settings.


...
Starting ClamAV daemon: Tue Aug  9 16:36:00 2022 -> !LOCAL: Socket file
/var/run/clamav/clamd could not be bound: Permission denied
Tue Aug  9 16:36:00 2022 -> *Closing the main socket.

I have tried changing ownership/permissions on /var/run/clamav with no
noticeable effect.  In the past I had to change ownership to Debian-exim
but that does not seem sufficient.


You haven't actually said what permissions and ownerships you tried, but
just to see if the permissions really are the problem you could try

chmod +777 /var/run/clamav/

I don't mean for you to use those permissions routinely of course.

Another packaging issue is that there's usually an init script or
systemd configuration to start clamd, and that might not do what you
expect.  Instead of relying on that sort of thing, at least to get
clamd running initially you can start it from the command line.  If
you do that you can specify on the command line the configuration file
to be used so there's no room for doubt:

# /path/to/clamd -c /path/to/clamd.conf

The '#' there means you're to start clamd as root.  It will read its
configuration file, drop root permissions and take on the UID of the
owner specified in the config.  That owner has certain permissions.
Set the permissions on the directory which will contain the socket so
that they allow that owner (and/or group if you like) to create the
socket.  It might be helpful to configure verbose logging to a file
which you specify in the config rather than e.g. relying on syslog and
then hunting for messages from clamd in the system logs.

If you still have problems post the output of the command

clamconf -n

to the list.

--

73,
Ged.


Re: [clamav-users] excluding a URL from "heueristics" scanning

2022-08-12 Thread G.W. Haywood via clamav-users

Hi there,

On Thu, 11 Aug 2022, joe a wrote:


[...] I post the contents of an obfuscated "[...]gud-uns.wdb".
[...]
Is it known behavior? An anomaly of my formatting?  A bug?


I have no idea.  I don't have time to mess about with obfuscated information.

--

73,
Ged.


Re: [clamav-users] excluding a URL from "heueristics" scanning

2022-08-11 Thread G.W. Haywood via clamav-users

Hi there,

On Thu, 11 Aug 2022, joe a wrote:

I do not understand why, when entering more than one URL, the first line in 
my "exclude" file: "/var/lib/clamav/ImaOK2day.wdb" seems to be able to match 
when entered "in plain text", while subsequent lines seem to want actual 
"regex" notation (escaped "."), with only the domains entered.


At least that is what it seems takes to "run clean" when re-scanned in debug 
mode.


To add to the above, I found a few recent emails containing the URLs in the 
first entry, mentioned above, that were flagged.  Those emails passed without 
notice when scanned as above.  I removed that first entry, scanned again and 
the emails were flagged.  I then entered those URL's again, as the first line, 
this time in regex notation ("." escaped, no "http or https"), scanned again, 
and it was not flagged.


Post your .wdb file here?

--

73,
Ged.


Re: [clamav-users] excluding a URL from "heueristics" scanning

2022-08-11 Thread G.W. Haywood via clamav-users

Hi there,

On Thu, 11 Aug 2022, joe a wrote:

A while back discussed excluding some URL's from triggering the heuristics 
scan.  Seemed to work.  Postfix, spamassassin, clamav in use.


Now seems some additional URL's are involved. Perhaps I am doing something 
wrong here.


Been determining (?) the offending URL's by examining the entire email using:

clamscan --debug --file-list=SFILE --log=RESULT.txt 2> result.txt

then looking for offenders using:

grep -iB4 "Phishing scan result: URLs are way too different" myfile.txt

entering the URL seen in "Real URL:  http://some.url"; into 
"/var/lib/clamav/somefile.wdb" and restarting clamd (systemctl restart 
clamd.service)


I would presume re-scanning as above should no longer flag the offending 
URL(s)?


You presume a lot.  The documentation seems to say otherwise:

https://docs.clamav.net/manual/Signatures/PhishSigs.html#wdb-format

--

73,
Ged.


Re: [clamav-users] Meaning of the exit code -1073740791

2022-08-10 Thread G.W. Haywood via clamav-users

Hello again Anastasiia,

On Wed, 10 Aug 2022, Anastasiia Korzhylova wrote:


... ClamAV crashes in the attempt to scan any, unfortunately... For
example, I've been using the file in the attachment ("Test.pdf") for
testing purposes - and the scan failed.


As Micah said in his reply to you, if ClamAV is crashing there could
be security implications.  It's best if you follow his advice and make
a report through the channel he suggested.  We are still using the LTS
version (0.103.x) here, and only on Linux, but your sample PDF scanned
here just fine using both clamscan and clamdscan+clamd:

8<--
$ clamscan ~/Test.pdf 
/home/ged/Test.pdf: OK


--- SCAN SUMMARY ---
Known viruses: 8809962
Engine version: 0.103.7
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.17 MB
...
...
$ clamdscan ~/Test.pdf 
/home/ged/Test.pdf: OK


--- SCAN SUMMARY ---
Infected files: 0
Time: 1.736 sec (0 m 1 s)
8<--

Having said that I'm not sure that you've found a problem in ClamAV.
Perhaps there are issues with your build and/or implementation processes.


... virusScanCommand is @"C:\Program Files\ClamAV\clamscan.exe" ...


You might want to consider using clamdscan and clamd instead of
clamscan, because clamscan will reload the signature database every
time it runs and that takes some time whereas clamdscan uses clamd,
which is a persistent daemon and only loads the database at startup.


The program doesn't catch any errors and runs normally after
starting the process, it's the variable output that is for some
reason empty.


I guess that's because of the crash - it isn't getting as far as
writing the output.


... downloaded from https://www.clamav.net/downloads and activated
by strictly following these instructions:
https://blog.didierstevens.com/2017/08/24/quickpost-using-clamav-on-windows/.


That post is five years old.  The build system has changed a lot since
2017, and in any case I have very little or no confidence in "Me Too"
Websites, "I did this" blogs and other such hangers-on in the security
world.  I believe it's best to follow the official documentation,
which in this case is to be found at

https://docs.clamav.net

Note especially the instructions for updating the signature database,
see my comments below about your 'daily' database.


TCPSocket = "3310"
TCPAddr = "localhost"


Unless you're planning to both use clamd on the local host, and access
it remotely, I'm not sure that you will want to use TCP.  Clamd's TCP
socket is unprotected, so you would most probably want to firewall it
to prevent possible abuse.


Database information

Database directory: C:\Program Files\ClamAV\database
bytecode.cvd: version 333, sigs: 92, built on Mon Mar  8 16:21:51 2021
daily.cvd: version 26566, sigs: 1985565, built on Wed Jun  8 10:05:45 2022
main.cvd: version 62, sigs: 6647427, built on Thu Sep 16 14:32:42 2021
Total number of signatures: 8633084


Your daily database is two months out of date.  Have you run freshclam?
The 'daily' database really is updated more-or-less daily. :)


...
I am using: ... Windows 10 Enterprise,
...
Platform information

uname: Microsoft Windows 6.2 SP0.0 Build 9200


I'm unfamiliar with the output of the platform information on Windows
but I shouldn't have expected to see "Build 9200" on a Win10 system.


... ClamAV does return an output, when I run the program in debug
mode, but it doesn't when the software is run in release, which
makes the problem even more obscure.


It is not at all unusual for things to run in debug mode and crash in
production.  And of course vice-versa. :(

I'm sure that many thousands of people successfully use ClamAV on
Windows 10 systems, so I feel sure that if something in your build or
install isn't broken then the way that you're trying to use it has
shown up something unexpected, and Micah will be able to help you find
and fix the problem although that may take some time.  In the meantime
I suggest that you remove all the ClamAV code, libraries and binaries
from your machine and re-install ClamAV with reference to the current
official documentation, then try scanning your PDF files again.  It's
important to clean out old libraries etc. because you don't want a new
ClamAV using versions of libraries from an old one.  That's a possible
source of problems which can be difficult to diagnose.

If you still have trouble please do get back to us.

--

73,
Ged.


Re: [clamav-users] Meaning of the exit code -1073740791

2022-08-09 Thread G.W. Haywood via clamav-users

Hi there,

On Tue, 9 Aug 2022, Anastasiia Korzhylova wrote:


I am using ClamAV for work in my company and am contacting you to inquire about 
an exit code, which the software returns at my attempt to scan an ordinary, 
virus-free PDF file:

   -1073740791.

Could you please tell me what the exit code stands for, as I have not found 
any information on it in the documentation on your website.


It's possible that something in ClamAV is having difficulty with some
part of the PDF file, but you have not given enough information for us
to know what you have done so that we could reproduce it if necessary.

If you can repeat the command using verbose logging or verbose output
(see the documentation for how to do that) ClamAV might provide
more information to you which might help you.

If you can put a copy of the PDF file somewhere on the Web for us so
that we can scan it in the same way that you do that might help too.

But we really need you to tell us exactly what you did.  When you do
that, please include information about your operating system(s), the
version of ClamAV which you are using, how you obtained and installed
it, which parts of it you are using (for example clamd and clamdscan,
or clamscan), the command(s) which you gave when ClamAV gave the exit
code, and the *entire* output of the command.

The output of

clamconf -n

will include much of the information we need and would help us.

Incidentally

1073740791 - 2^30 + 2^10 + 2^3 + 2^0 = 0

Which tells me that a number of flags is set in the return code, but
at the moment I do not know what they are nor why they are being set
because I have no idea what is producing the return code. :/

--

73,
Ged.
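An added example, not part of the reply above: the reply factors the exit code into powers of two, and on Windows a negative exit code of this shape is an NTSTATUS reported as a signed 32-bit integer. Masking it to 32 bits gives 0xC0000409, which is the documented STATUS_STACK_BUFFER_OVERRUN value that a process exits with after a fail-fast abort, consistent with the crash discussed in the follow-up message in this thread. The NTSTATUS field layout used here (severity, customer flag, facility, code) is the documented one; the named constants come from the Windows SDK.

```python
"""Decode a negative Windows exit code as an NTSTATUS value.

Added example, not from the thread.  A Windows process killed by an
unhandled exception exits with the NTSTATUS of that exception; .NET and
the shell report the 32-bit value as a signed integer, which is why it
shows up negative.  Layout: bits 31-30 severity, bit 29 customer flag,
bits 27-16 facility, bits 15-0 code.
"""

SEVERITY = {0: "success", 1: "informational", 2: "warning", 3: "error"}

# A few well-known crash statuses (constants from the Windows SDK).
KNOWN = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC0000374: "STATUS_HEAP_CORRUPTION",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN (also raised by fail-fast aborts)",
}


def to_ntstatus(exit_code: int) -> int:
    """Reinterpret a signed 32-bit exit code as the unsigned NTSTATUS it encodes."""
    return exit_code & 0xFFFFFFFF


def decode_ntstatus(value: int) -> dict:
    """Split an NTSTATUS into its documented fields."""
    return {
        "hex": f"0x{value:08X}",
        "severity": SEVERITY[(value >> 30) & 0x3],
        "customer": bool((value >> 29) & 0x1),
        "facility": (value >> 16) & 0x0FFF,
        "code": value & 0xFFFF,
        "name": KNOWN.get(value, "unknown"),
    }


def set_bits(value: int) -> list:
    """Powers of two that sum to value, the way the reply factors the number."""
    return [1 << i for i in range(value.bit_length()) if (value >> i) & 1]


def describe_exit_code(exit_code: int) -> dict:
    """Convenience wrapper: signed exit code straight to decoded fields."""
    return decode_ntstatus(to_ntstatus(exit_code))


if __name__ == "__main__":
    code = -1073740791  # the exit code asked about in the thread
    info = describe_exit_code(code)
    print(f"exit code {code} -> {info['hex']} = {info['name']}")
    print(f"severity={info['severity']} facility={info['facility']} code=0x{info['code']:X}")
    # The reply's arithmetic: 1073740791 = 2^30 - (2^10 + 2^3 + 2^0)
    print(set_bits(2**30 - 1073740791))  # [1, 8, 1024]
```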


Re: [clamav-users] freshclam error - ^downloadFile: Unexpected response (502) ...Can't Download CVD

2022-08-08 Thread G.W. Haywood via clamav-users

Hi there,

On Mon, 8 Aug 2022, Ganesh Kachare, Vodafone (External) via clamav-users wrote:


My local mirror static webserver has 4GB memory. I can download
the CVD files with Debian based docker image but since it has so
much variabilities, I am using alpine image.


What are the 'variabilities' which lead you to avoid the Debian-based
Docker image?

I know that there have been a few issues with Docker and ClamAV but I
have no personal experience of them.  I can only suggest that if the
Debian version works OK then perhaps you should use it.  Alternatively
try something like

https://github.com/Cisco-Talos/clamav/issues?q=is%3Aissue+is%3Aopen+docker

--

73,
Ged.


Re: [clamav-users] freshclam error - ^downloadFile: Unexpected response (502) ...Can't Download CVD

2022-08-08 Thread G.W. Haywood via clamav-users

Hi there,

On Mon, 8 Aug 2022, Ganesh Kachare, Vodafone (External) via clamav-users wrote:


I am trying to download the clamav updates from private local mirror on my 
custom clamav alpine docker image and I keep getting ^downloadFile: 
Unexpected response (502) error from freshclam.

It's not able to download main.cvd, daily.cvd, bytecode.cvd and eventually my 
pod fails after maximum retry. I did try increasing timeouts and disabling it 
in freshclam.conf file but it did not work.

I have validated my proxy and private mirror server and they are able to 
connect with alpine clamav docker image.

Does anyone face a similar issue? I am using clamav and freshclam v0.104.3-r0 on 
alpine 3.16


Does your mirror server have enough memory?

--

73,
Ged.


Re: [clamav-users] CVE_2021_4034-9951522 false positives on node executables

2022-08-03 Thread G.W. Haywood via clamav-users

Hi Viktor,

On Tue, 2 Aug 2022, Viktor Rosenfeld via clamav-users wrote:


22:51 hesk@kenny:~ $ clamscan /opt/homebrew/Cellar/node/18.7.0/bin/node
Loading: 7s, ETA:   0s [>]8.62M/8.62M sigs
Compiling:   2s, ETA:   0s [>]   41/41 tasks

/opt/homebrew/Cellar/node/18.7.0/bin/node: Osx.Exploit.CVE_2021_4034-9951522-1 
FOUND
...



On Tue, 2 Aug 2022, G.W.Haywood via clamav-users wrote:
...
> If you can post ... a link to where you got the file, AND the MD5 ...

I’m using Homebrew to install nodejs. Below is the curl command that downloads 
...


After several attempts using variations of your curl command I failed
to grab the file, so I took the tarballs (like Al - in fact I grabbed
three, the 16.x ARM and X64 versions and the 18.x ARM version) from
https://nodejs.org and simply unpacked them to a scratch directory to
scan them.  The results are different from yours, see below.

On Tue, 2 Aug 2022, Viktor Rosenfeld via clamav-users wrote:


MD5 (node/18.7.0/bin/node) = bd689141b74bf1c9d897d25aa6878a85


I didn't get the same MD5 for the file

6b8627f0b1327ffee606314125862e27  node-v18.7.0-darwin-arm64/bin/node

so I wonder what's up there.  As it isn't the same file that you have
I didn't bother to scan it, but see below for 'strings' etc.

On Tue, 2 Aug 2022, Maarten Broekman via clamav-users wrote:


Additionally, using the 'strings' command to get any/all ASCII
strings from the binary (yes, I know it doesn't always help) doesn't
show anything...


I don't see the same result at all:

8<--
$ strings ./node-v18.7.0-darwin-arm64/bin/node | perl -ne 
'if(/[a-zA-Z]{5,}/){print;}' | head -n 10
__PAGEZERO
__stubs
__stub_helper
__cstring
__const
__ustring
__oslogstring
__unwind_info
__eh_frame
__DATA_CONST
8<--

Lots of strings in there.

A clamd scan of the entire directory tree found this:

node-v16.16.0-darwin-arm64/lib/node_modules/npm/node_modules/imurmurhash/imurmurhash.min.js:
 PUA.Win.Trojan.Xored-1 FOUND
node-v16.16.0-darwin-x64/lib/node_modules/npm/node_modules/imurmurhash/imurmurhash.min.js:
 PUA.Win.Trojan.Xored-1 FOUND
node-v18.7.0-darwin-arm64/lib/node_modules/npm/node_modules/imurmurhash/imurmurhash.min.js:
 PUA.Win.Trojan.Xored-1 FOUND

As you can see we run with 'PUA' signatures enabled, see

https://docs.clamav.net/faq/faq-misc.html?highlight=false%20positive#what-is-pua-i-get-a-lot-of-false-positives-named-pua

and e.g. the clamscan and clamd.conf 'man' pages for more about PUAs.

This is PUA.Win.Trojan.Xored-1 (it's in 'daily'):

8<--
$ sigtool --find-sigs 'PUA.Win.Trojan.Xored-1' | sigtool --decode-sigs
VIRUS NAME: PUA.Win.Trojan.Xored-1
TARGET TYPE: HTML
OFFSET: *
DECODED SIGNATURE:
charcodeat({WILDCARD_ANY_STRING(LENGTH<=5)})^
8<--

It's just looking for the string 'charcodeat(X)' where X is a string
of 5 or fewer characters.  Pretty generic, I'm amazed that we don't
see more FPs than we do from that source.

The three files in which this is found are identical in the three archives:

8<--
$ md5sum .../*/imurmurhash.min.js
52d2eb410de1c9e0758ef562289289fa  
node-v16.16.0-darwin-arm64/lib/node_modules/npm/node_modules/imurmurhash/imurmurhash.min.js
52d2eb410de1c9e0758ef562289289fa  
node-v16.16.0-darwin-x64/lib/node_modules/npm/node_modules/imurmurhash/imurmurhash.min.js
52d2eb410de1c9e0758ef562289289fa  
node-v18.7.0-darwin-arm64/lib/node_modules/npm/node_modules/imurmurhash/imurmurhash.min.js

$ grep -ci charcodeat 
./node-v18.7.0-darwin-arm64/lib/node_modules/npm/node_modules/imurmurhash/imurmurhash.min.js
1
8<--

You can easily create your own FP entries in the database, see the
documentation at

https://docs.clamav.net/manual/Signatures/AllowLists.html

When I scanned a tree using vanilla 'clamscan', nothing was found:

 $ ./clamscan -ro node-v18.7.0-darwin-arm64
node-v18.7.0-darwin-arm64/bin/npm: Symbolic link
node-v18.7.0-darwin-arm64/bin/npx: Symbolic link
node-v18.7.0-darwin-arm64/bin/corepack: Symbolic link
node-v18.7.0-darwin-arm64/lib/node_modules/npm/node_modules/node-gyp/gyp/pylib/gyp/generator/__init__.py:
 Empty file
node-v18.7.0-darwin-arm64/lib/node_modules/npm/node_modules/smart-buffer/docs/ROADMAP.md:
 Empty file
node-v18.7.0-darwin-arm64/lib/node_modules/npm/.npmrc: Empty file

--- SCAN SUMMARY ---
Known viruses: 8812460
Engine version: 0.103.7
Scanned directories: 954
Scanned files: 4118
Infected files: 0
...

These archives are from 100 to 150 megabytes of code and other junk.

As the PUA signature is so generic, it would almost be surprising if
something was NOT found.  If the archive comes fro

Re: [clamav-users] No daily sig since July 28th

2022-08-01 Thread G.W. Haywood via clamav-users

Hi there,

On Mon, 1 Aug 2022, Al Varnell via clamav-users wrote:


There have been no such announcements on the [clamav-virusdb] email list since 
the 28th.


My guess is that somebody at Talos went on holiday. :)

Al, the real reason for this post is that you mentioned the other day
that you'd also seen no virusdb mail for CVE CVE_2021_4034 although the
signature had appeared in the DB.  The mail was sent on June 4th, the
sig was the first in the list:

8<--
Date: Sat, 4 Jun 2022 04:05:56 -0400
From: nore...@sourcefire.com
To: clamav-viru...@lists.clamav.net
Subject: [clamav-virusdb] Signatures Published daily - 26562
...
...

ClamAV Signature Publishing Notice

Datefile:   daily
Version:26562
Publisher:  David Raynor
New Sigs:   10
Dropped Sigs:   0
Ignored Sigs:   113


New Detection Signatures:


* Osx.Exploit.CVE_2021_4034-9951522-1
...
...
8<--

Maybe you trash-canned it?

--

73,
Ged.


[clamav-users] New kid on the block?

2022-08-01 Thread G.W. Haywood via clamav-users

Hi there,

Our scanner found this at about 09:33 UTC today in incoming mail.  Our
automated system reported it to the ClamAV team, using 'clamsubmit' at
that time.

Apparently this is the first time the threat has been seen by Jotti; I
just thought I'd mention it because firstly it's a Windows threat, and
secondly at the time of writing (although ClamAV is detecting it) it
seems that very few of the other scanners are, which is rather unusual.

It was sent by 143.198.53.9.  This is a DigitalOcean IP in AS14061,
which we blacklist routinely.  The IP is already on at least four of
the dozen or so IP-based DNSBLs that we use.

Summary:
Name:           5562e86df7accb7ba8acfbd9e82946414116149d02b7b28d5850d4829bb46ef7-11266.txt
Size:           11kB (11,266 bytes)
Type:           Microsoft Word 2007+
First seen:     August 1, 2022 at 11:50:36 AM GMT+2
MD5:            f6c1626fe8f6404971ea949e4bd4d7c6
SHA1:           8a166e8c86b7712fe0d52e3c37260aea755ebc62
Status:         Scan finished. 3/15 scanners reported malware.
Scan taken on:  August 1, 2022 at 11:50:38 AM GMT+2
Results:
https://www.avast.com            Aug 1, 2022   Found nothing
https://www.bitdefender.com      Aug 1, 2022   Found nothing
https://www.clamav.net           Jul 28, 2022  Doc.Downloader.TemplateInjection-6332119-0
https://www.cyren.com            Aug 1, 2022   Found nothing
https://www.drweb.com            Aug 1, 2022   Found nothing
https://www.escanav.com          Aug 1, 2022   Found nothing
https://www.fortinet.com         Aug 1, 2022   Found nothing
https://www.f-secure.com         Aug 1, 2022   Found nothing
https://www.gdatasoftware.com    Aug 1, 2022   Found nothing
https://www.ikarus.at            Aug 1, 2022   Trojan-Downloader.Office.Doc
https://www.k7computing.com/...  Aug 1, 2022   Found nothing
https://www.kaspersky.com        Aug 1, 2022   HEUR:Exploit.MSOffice.Generic
https://www.sophos.com           Aug 1, 2022   Found nothing
https://www.trendmicro.com       Jul 28, 2022  Found nothing
https://anti-virus.by/en         Jul 29, 2022  Found nothing

The 'Name' field above is just our SHA256 digest of the offending
piece of the message.  It's a MIME attachment of course, the SHA is
calculated on the base64-encoded body part but we sent the decoded
payload to Jotti for their scans.

--

73,
Ged.


Re: [clamav-users] CVE_2021_4034-9951522 false positives on node executables

2022-08-01 Thread G.W. Haywood via clamav-users

Hi there,

On Mon, 1 Aug 2022, Viktor Rosenfeld via clamav-users wrote:


about a month ago I reported a possible false positive on nodejs
executables and related files [1]. After checking with Jotti’s Virus
Scan and Virustotal, I also (twice) submitted the files to the
ClamAV website as false positives [2].

I haven’t received a notification after the false positive
submissions and, meanwhile, newer versions of nodejs are still
reported as being infected.

What else can I do to verify that this is indeed a false positive?

Best,
Viktor

[1] https://lists.clamav.net/pipermail/clamav-users/2022-June/012717.html
[2] https://www.clamav.net/reports/fp


If this is indeed a false positive, given the popularity of node.js
I'm a little surprised that you're still seeing ClamAV hits as I'd
have expected the ClamAV signature team to be onto it fairly promptly.

The signature database has the facility to whitelist falsely flagged
files using a digest.  These are propagated with the 'daily' updates.
Are you sure that your signature database is up to date?  What version
of 'daily' do you have?

If you can post an example file somewhere for me to download I can
take a look at it.  (Alternatively post a link to where you got the
file, AND the MD5 digest of the file that ClamAV is flagging so that
we all know that we're looking at the same thing.)

Micah, may we have an authoritative opinion on the use of the virusdb
mailing list to report things like this?  I feel sure that a while ago
in one of your messages to this list you gave an email alternative to
the Web form for FP submissions.  If indeed such a message exists (and
I haven't found it) I can't remember what that alternative might be.

--

73,
Ged.


Re: [clamav-users] Inquire about clamav latest stable version -

2022-07-28 Thread G.W. Haywood via clamav-users

Hi there,

On Thu, 28 Jul 2022, Paul Kosinski via clamav-users wrote:

On Thu, 28 Jul 2022, I wrote:


At the moment three versions are officially supported by Cisco's Talos, the 
authors of the software.


Cisco's Talos are the *current* authors of the software. ...


Gladly I stand corrected.

--

73,
Ged.


Re: [clamav-users] Inquire about clamav latest stable version -

2022-07-28 Thread G.W. Haywood via clamav-users

Hi Jiayi,

Thanks for the extra information.  To answer your questions:

On Wed, 27 Jul 2022, Yang, Jiayi via clamav-users wrote:


1. If we use a relatively older version, for example, 0.103.6, which
is supported by "RedHat & Fedora" and "Fedora & EPEL" package
distribution currently. I will expect some new features and changes
added to version 105 don't exist in version 103.


You are correct that new developments will take place in versions
which began their lives later in time, but supported versions are kept
patched for security vulnerabilities.

ClamAV versions are made up entirely of digits and dots but they
aren't really numbers because they have two dots.  The digit after the
second dot can be considered the 'patch level'.  At the moment three
versions are officially supported by Cisco's Talos, the authors of the
software.  The latest patch versions are 0.103.7, 0.104.4 and 0.105.1,
as you can see at

https://blog.clamav.net/

Unfortunately headlines in the announcements to the mailing list and
in the blog are wrong, stating that version 0.104.1 was released on
July 26th, but as you can see from the text it is really 0.104.4 which
was actually released.  At the time I write the version support matrix

https://docs.clamav.net/faq/faq-eol.html#version-support-matrix

is out of date - it does not show the latest released versions.  The
quality control at Talos leaves something to be desired which I have
mentioned on more than one occasion on this list.

Version 0.103.x source code uses the 'autotools' build system.  It is
the last version which will use autotools.  Versions 0.104.x, 0.105.x
and later use 'cmake'.  Support for 0.104.x will probably end soon, as
in the release announcements it's stated that 0.104.4 will be the last
patch version for the 0.104.x series.  I don't know what will happen
if a serious vulnerability is found before the stated end of support
for 0.104.x in the support matrix and I doubt that Talos does either.
My guess is that support would be withdrawn immediately rather than as
stated in the support matrix.


While could I still assume version 103 is still supported (new
patches will be added)


The version is 0.103 not 103 but yes, that is the 'Long Term Support'
version which will be supported until September 2023 according to the
version support matrix.


and could still give decent malware scanning results?


I would never recommend that anyone rely on one single defence.

Every installation has particular sensitivities and will reside in a
different threat landscape, you'll need to make your own assessments
of the performance based on your own experience.  Mine are on record
in the archives of this mailing list, but bear in mind that we do not
scan machines for viruses, we only scan mail.  Primarily we scan for
spam, and incidentally for threats like viruses which are of little
concern to us here because of the very defensive way that we operate.


2. If we already use older versions (like version 103), upgrading it
to a minor version with patch release (like 103.6) will install the
bug fixes and give us a better using experience. While upgrading it
to a new major version (like 105) may require more extra work, such
as rust toolchain setup which is mentioned in the release note.


Correct, but (1) the toolchain setup is a once-only thing, and (2) if
you use a major Linux distribution and a reasonably well-supported
architecture you should have little difficulty installing the tools.
I did it on a Raspberry Pi just to see if it could be done.  It could,
but it took four hours to build it the first time.


I guess that's the reason why we release new major version 105 and
patch release versions for 103 and 104 together?


Your guess is as good as mine. :)


Sorry I may have some misunderstanding before. ...


No need for apologies. :)

--

73,
Ged.


Re: [clamav-users] Inquire about clamav latest stable version -

2022-07-27 Thread G.W. Haywood via clamav-users

Hi there,

On Wed, 27 Jul 2022, Yang, Jiayi via clamav-users wrote:


We want to get the latest stable version of clamav and use it in our
environment. From the release note
(https://blog.clamav.net/2022/05/clamav-01050-01043-01036-released.html),
we see the v0.105.0 is released with 0.104.3 and 0.103.6(it seems
the latest stable version has also upgraded to 0.105.1 now). ...


Please look again at the blog.  You will see that updates have been
published very recently.


when we install the package via yum, we still only get the version 103


You did not say which distribution you are using but they all have
their own policies on updates.  Some of them backport security patches
for you.  You must look to the distribution for more information about
it, the ClamAV development team can't help you very much with that.


1. ClamAv 0.105.0, 0.104.3, 0.103.6 got released on the same day. We
don't see any major version change. Then why ClamAv released patch
for 0.104 and 0.103 when 0.105 is released. Since it's a minor version
change, we think everyone should get the update?


Are you offering to pay for extra work to be done?


2. What are the differences between 0.105 and 0.103.6? We see the
yum and rpm packages currently only support latest clamav version as
0.103.6 although these versions seem released in the meantime. Are
there any new changes in 0.105 causing the delay in package
distribution update?


Please read the blog and the release notes for information about the
enhancements.  You may also wish to follow developments on Github.


3. Do you have any suggestions that except downloading latest source
package for clamav


What's wrong with the source package?  There's a school of thought
which holds that for security software, the only way to go is to do
exactly that.


how can we make sure we get the latest version without delay?


You can subscribe to the announcement mailing list:

https://lists.clamav.net/mailman/listinfo/clamav-announce

and then watch your distribution's equivalent (if there is one).


Yum and rpm don’t have the latest 105 version for now. While we’re
wondering if you know any other package provider and its repo may
always have the latest updates.


Yum and RPM are simply package installation tools.  They are used to
obtain packages from repositories.  The repositories are maintained by
people who are not part of the ClamAV development team and who usually
have a set of guidelines to which they work - often only when they can
find the time - and which differ from one repository to the next.  It's
up to you to choose a repository which has policies which suit you and
your intended use of the packages they provide.  The alternative to the
use of repositories is to build software from source.  It's up to you.

Version 0.103.x is now provided with Long Term Support.

What do you plan to do with ClamAV?

--

73,
Ged.


Re: [clamav-users] Mail contains virus ? MBL_162040584.UNOFFICIAL and some errors.

2022-07-22 Thread G.W. Haywood via clamav-users

Hi there,

On Fri, 22 Jul 2022, Thomas Barth via clamav-users wrote:


...
Google docs under general suspicion :-)
...


Correct. :)

--

73,
Ged.


Re: [clamav-users] Mail contains virus ? MBL_162040584.UNOFFICIAL and some errors.

2022-07-22 Thread G.W. Haywood via clamav-users

Hi there,

On Fri, 22 Jul 2022, Thomas Barth via clamav-users wrote:


I use ClamAV unofficial signatures and it seems that I get a false positive ...


I think you're probably right, but to get a dozen or so other opinions
you can submit the file to VirusTotal or Jotti's Malware Scan:

https://www.virustotal.com
https://virusscan.jotti.org


... and some other errors.

[more yyerror() ]
LibClamAV Error: yyerror(): /var/lib/clamav/rfxn.yara line 11389 duplicate identifier "zeroaccess_js4"
LibClamAV Error: yyerror(): /var/lib/clamav/rfxn.yara line 11414 duplicate identifier "zerox88_js2"
LibClamAV Error: yyerror(): /var/lib/clamav/rfxn.yara line 11444 duplicate identifier "zerox88_js3"
LibClamAV Error: yyerror(): /var/lib/clamav/rfxn.yara line 11472 duplicate identifier "zeus_js"
LibClamAV Warning: load_oneyara: yara rule contains too many subsigs (1019, max: 64), skipping YARA.Backdoor_PHP_WPVCD_TempExecution
LibClamAV Warning: cli_loadyara: failed to parse or load 70 yara rules from file /var/lib/clamav/rfxn.yara, successfully loaded 713 rules.


I've seen more than one version of the rfxn.yara signature file.

Having said that I don't see the problem that you've found.  In case
it helps you, here's the directory listing and md5sum of the file
currently in use here.  It's pretty old, and I can't say that I've
noticed very many useful detections from it.

8<--
Downloaded from https://cdn.rfxn.com/downloads/maldet-sigpack.tgz:

$ ls -l rfxn.yara ; md5sum rfxn.yara ; grep ^rule rfxn.yara | wc -l
-rw-r--r-- 1 clamav clamav 410441 Aug 17  2020 rfxn.yara
c8303441af0e8fac43cea4d8fb3dc5f7  rfxn.yara
783
$
8<--

There's a 'current' version on the 'www' site which is even older:

8<--
Downloaded from http://www.rfxn.com/downloads/maldetect-current.tar.gz:

$ ls -l rfxn.yara ; md5sum rfxn.yara ; grep ^rule rfxn.yara | wc -l
-rw-r--r-- 1 clamav clamav 408598 Jul  4  2019 rfxn.yara
25a92fee1f45b81cfa8ba98cf1bc8e3e  rfxn.yara
777
$
8<--

To the best of my knowledge I've had no response from the author when
I've tried to contact him.

Where did you get your copy from?  Check that it isn't damaged, if it
is I suggest that you move it out of your ClamAV signature directory
and try another copy.


/root/virusmail.txt: MBL_162693783.UNOFFICIAL FOUND


I haven't used malwarepatrol since 2013 so I can't help with that signature.

Are you sure you want to do all this with root permissions? :)

--

73,
Ged.
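
The yyerror() and load_oneyara messages quoted above come from two separate problems in a rule file: the same rule identifier defined twice, and one rule carrying more strings than libclamav's subsignature limit of 64. The checker below is an added example, not code from this list, from ClamAV or from rfxn; it finds both problems in a rule file before the file is dropped into the signature directory. The YARA text it runs on is constructed for the example (the rule names are borrowed from the error messages, the bodies are made up), and the limit of 64 is the value in the quoted warning.

```python
import re
from collections import Counter

# Limit quoted in the load_oneyara warning above ("too many subsigs (1019, max: 64)").
CLAMAV_MAX_SUBSIGS = 64

# Start of a rule definition at the beginning of a line (optional private/global).
RULE_RE = re.compile(r'^\s*(?:(?:private|global)\s+)*rule\s+([A-Za-z_]\w*)', re.M)
# A string definition line inside a strings: section ($name = ...), not a comparison.
STRING_RE = re.compile(r'^\s*\$\w*\s*=(?!=)', re.M)


def split_rules(text):
    """Return [(identifier, body)] in file order; a body runs to the next rule header."""
    heads = list(RULE_RE.finditer(text))
    rules = []
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        rules.append((m.group(1), text[m.end():end]))
    return rules


def check_yara(text, max_subsigs=CLAMAV_MAX_SUBSIGS):
    """Report duplicate identifiers and rules with more strings than ClamAV accepts."""
    rules = split_rules(text)
    counts = Counter(name for name, _ in rules)
    duplicates = sorted(name for name, n in counts.items() if n > 1)
    too_many = [(name, len(STRING_RE.findall(body)))
                for name, body in rules
                if len(STRING_RE.findall(body)) > max_subsigs]
    return {"rules": len(rules), "duplicates": duplicates, "too_many_strings": too_many}


def report(text):
    """Human-readable lines in the spirit of the LibClamAV messages quoted above."""
    result = check_yara(text)
    lines = ['duplicate identifier "%s"' % name for name in result["duplicates"]]
    lines += ["rule %s has %d strings (max: %d), would be skipped"
              % (name, n, CLAMAV_MAX_SUBSIGS) for name, n in result["too_many_strings"]]
    return lines


def _big_rule(name, n):
    """Constructed rule with n strings, to trip the subsignature limit."""
    lines = ["rule %s" % name, "{", "    strings:"]
    lines += ['        $s%d = "marker%d"' % (i, i) for i in range(n)]
    lines += ["    condition:", "        any of them", "}"]
    return "\n".join(lines)


# Constructed sample (not the real rfxn.yara): zeus_js is defined twice,
# and the appended big rule has 70 strings.
SAMPLE_YARA = """
rule zeus_js
{
    strings:
        $a = "eval(unescape("
        $b = "document.write("
    condition:
        $a and $b
}

rule zerox88_js2
{
    strings:
        $s1 = "0x88" ascii
    condition:
        $s1
}

rule zeus_js
{
    strings:
        $x = "fromCharCode"
    condition:
        $x
}
""" + _big_rule("big_rule_example", 70)

if __name__ == "__main__":
    for line in report(SAMPLE_YARA):
        print(line)
```

Run it over a downloaded rfxn.yara (read the file and pass the text to report()) before copying the file into the ClamAV database directory; a rule that libclamav skips silently still costs load time, and a duplicate identifier makes it drop the whole rule.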


Re: [clamav-users] clamav overload ec2 instances

2022-07-19 Thread G.W. Haywood via clamav-users

Hi there,

On Tue, 19 Jul 2022, Emanuel Gonzalez wrote:

Hi, i use clamav in AWS ec2 instances c5.large. When I run the clamscan 
command /home/user/testfile the cpu usage is triggered and the instance stops 
responding.


Here my config:

clamd --version
ClamAV 0.103.6/26606/Tue Jul 19 04:57:30 2022
...


It would help if you were clearer about exactly what you are doing.

How much RAM do you have available?  If you are using the 'official'
signature database you probably need at least 3, preferably 4 GBytes,
as loading ten million signatures will use about a gigabyte of RAM.

Loading ten million signatures takes a while.  The 'clamd' daemon does
that when it starts and when the signatures are updated (about daily
for the 'official' signature database).  The 'clamscan' utility does
it every time you run it.  The 'clamdscan' utility never does it.

The 'clamdscan' utility uses 'clamd', but 'clamscan' does not.

Please show us the exact command which you use when the problem appears.

If you are running a clamd daemon *and* if you are really running
'clamscan' and not 'clamdscan' then you are probably using twice as
much memory as you need to - not to mention having to wait for the
clamscan process to read ten million signatures every time it runs.

--

73,
Ged.


Re: [clamav-users] Inquiries about ClamAV operating environment

2022-07-13 Thread G.W. Haywood via clamav-users

Hi there,

On Wed, 13 Jul 2022, Tachibanaki Nozomi (橘木 希美) wrote:


I am Tachibanaki from Ricoh IT Solutions Co., Ltd.
I am writing to you for the first time.


Greetings from England. :)


I see in the ClamAV Documentation that ClamAV can run inside a Docker container,
but will ClamAV be supported running on AWS ECS (Fagate)?


Support for ClamAV is provided through this mailing list, both by
ordinary ClamAV users (such as myself) and by ClamAV developers
(who are mostly people employed by one of the companies within Cisco,
although anyone can make contributions).  There is an issue tracking
system to which anyone can contribute:

https://github.com/Cisco-Talos/clamav/issues/

This replaces the original issue tracking system

https://bugzilla.clamav.net/

but the change from Bugzilla to Github has only recently been made,
there are a number of issues which remain to be moved from the older
Bugzilla system to the newer Github system.

Please be aware that ClamAV uses a lot of memory (at least a gigabyte
for the 'official' signature databases alone, plus there are various
third-party signature databases which you might want to use, plus you
might want to write your own signatures and/or Yara rules which will
increase memory consumption by probably a small amount) but I am sure
that Fargate (not Fagate)

https://aws.amazon.com/fargate/

will support ClamAV.  Some of the users on the mailing list use ClamAV
in Docker containers but I have never done that.  There have been some
issues related to using ClamAV specifically in Docker containers, e.g.

https://github.com/Cisco-Talos/clamav/issues/330

You might also find more by searching the archives of this list:

https://lists.clamav.net/pipermail/clamav-users/

What experience do you have of using ClamAV?

What do you want ClamAV to do for you?

Finally please be aware that my mail servers are very conservative in
what mail they accept.  If you reply to me directly, rather than via
the mailing list, your mail will certainly be much delayed and it is
quite likely to be rejected.

--

73,
Ged.


Re: [clamav-users] False positive, My program is recently Started to be flagged with Win.Dropper.Tinba-9943147-0

2022-07-09 Thread G.W. Haywood via clamav-users

Hi there,

On Sat, 9 Jul 2022, Al Varnell via clamav-users wrote:


I've never seen a user post to that list and I've subscribed to it
for decades. My impression has always been it's for database update
announcements only.


You might be right Al but I took the URI from a list post and ISTR that
a while back Micah suggested it as a way to report FPs which might get
a quicker response than using the Web form or the submission utility.

But these ol' neurones aren't what they used to be.

--

73,
Ged.


Re: [clamav-users] False positive, My program is recently Started to be flagged with Win.Dropper.Tinba-9943147-0

2022-07-09 Thread G.W. Haywood via clamav-users

Hi there,

On Sat, 9 Jul 2022, Al Varnell via clamav-users wrote:


...
--- SCAN SUMMARY ---
Known viruses: 12318966
Engine version: 0.104.1
...
... it would appear that there is a valid False Positive entry in
the database for four different files ...
...
So why it's being detected remains a mystery!


A guess: I see you're still using 0.104.1, maybe upgrade your ClamAV?

|| https://blog.clamav.net/2022/03/clamav-01050-release-candidate-now.html
|| 
|| "Fixed an issue causing byte-compare sub-signatures to cause an alert
|| when they match even if other conditions of the given logical
|| signatures were not met."

--

73,
Ged.


Re: [clamav-users] False positive, My program is recently Started to be flagged with Win.Dropper.Tinba-9943147-0

2022-07-09 Thread G.W. Haywood via clamav-users

Hi there,

On Sat, 9 Jul 2022, Yaron Elharar via clamav-users wrote:


My program has recently started to be flagged
with Win.Dropper.Tinba-9943147-0 by ClamAV at Virus Total

File hash
2852bc241913dc07ca13f865f766f0f07596e7d3209bc8caad767ff7f1e39ee9

I've tried to reach out to the team through the false-positive reporting
tool with no success for the past two months
What else can I do?


Did you try the Web form?

https://www.clamav.net/reports/fp

You might also post to the ClamAV virusdb mailing list:

https://lists.clamav.net/mailman/listinfo/clamav-virusdb

--

73,
Ged.


Re: [clamav-users] ClamAV does not detect viruses in "ar archive" file format

2022-07-08 Thread G.W. Haywood via clamav-users

Hi there,

On Fri, 8 Jul 2022, Schroeffu via clamav-users wrote:


I am trying to scan "ar archive" format like .deb packages are. ClamAV
unfortunately does not detect the eicar inside the ar archive. 
Do I miss something to configure so clamav scans/unpacks "ar archive"

formats correctly?


If you have deduced that ClamAV is not unpacking the archive properly,
then I'm not sure that your deduction is correct.  Testing with EICAR
files can be a little tricky because the EICAR specifications are very
particular about what is scanned.

If I create an archive with 'ar' and then scan it here, my clamd
server does find it:

8<
$ ar r archive.deb eicar tempscan.pl
ar: creating archive.deb
$ clamdscan archive.deb 
/home/ged/archive.deb: {HEX}EICAR.TEST.3.UNOFFICIAL FOUND


--- SCAN SUMMARY ---
Infected files: 1
Time: 1.372 sec (0 m 1 s)
Start Date: 2022:07:08 16:44:05
End Date:   2022:07:08 16:44:06
8<

but this detection is using an UNOFFICIAL signature:

8<
$grep EICAR /EXPORTS/clamav/databases/*
Binary file daily.cld matches
Binary file main.cld matches
rfxn.hdb:44d88612fea8a8f36de82e1278abb02f:68:{MD5}EICAR.TEST.3.59
rfxn.hdb:69630e4574ec6798239b091cda43dca0:69:{MD5}EICAR.TEST.10.58
rfxn.ndb:{HEX}EICAR.TEST.3:0:*:58354f2150254041505b345c505a58353428505e2937434329377d2445494341522d5354414e444152442d414e544956495255532d544553542d46494c452124482b482a
rfxn.ndb:{HEX}EICAR.TEST:0:*:58354f2150254041505b345c505a58353428505e2937434329377d2445494341522d5354414e444152442d414e544956495255532d544553542d46494c452124482b482a
8<

As you can see the official (daily, main) signatures match on the word
EICAR but it isn't the official signatures which triggered detection.

I believe that the rfxn signatures implement the EICAR specifications
incorrectly, but at least the scanner does seem to be unpacking the
archive.  If you search the archives of this mailing list for "EICAR"
you will probably find something more informative.

--

73,
Ged.
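
Two threads above rest on the same mechanics: a hash signature in an .hdb file (here the rfxn EICAR entry, md5:size:name) matching a member inside an ar archive, and the digest-based allowlist (.fp files, which have the same field layout as the output of 'sigtool --md5') mentioned in the Xored-1 and node.js false-positive replies. The script below is an added example, neither this list's nor ClamAV's own code: it writes a minimal common-format ar archive, walks the 60-byte member headers the way an unpacker must, hash-matches each member against the quoted .hdb line, and shows an .fp entry suppressing the hit. The EICAR bytes are decoded from the hex in the rfxn.ndb line above; the member names and the README/note contents are constructed.

```python
import hashlib

AR_MAGIC = b"!<arch>\n"
AR_HEADER_LEN = 60

# EICAR test string, decoded from the hex body of the rfxn.ndb line quoted above.
EICAR = bytes.fromhex(
    "58354f2150254041505b345c505a58353428505e2937434329377d24"
    "45494341522d5354414e444152442d414e544956495255532d544553542d46494c45"
    "2124482b482a")

# Hash signature in .hdb layout (md5:size:name), copied from the rfxn.hdb line above.
HDB_LINES = ["44d88612fea8a8f36de82e1278abb02f:68:{MD5}EICAR.TEST.3.59"]


def ar_build(members):
    """Write a common-format ar archive from [(name, bytes)] (GNU 'name/' style)."""
    out = bytearray(AR_MAGIC)
    for name, data in members:
        ident = (name + "/").encode("ascii")
        if len(ident) > 16:
            raise ValueError("long names need a string table; not handled here: %r" % name)
        # name(16) mtime(12) uid(6) gid(6) mode(8) size(10) magic(2) = 60 bytes
        header = (ident.ljust(16) + b"0".ljust(12) + b"0".ljust(6) + b"0".ljust(6)
                  + b"100644".ljust(8) + str(len(data)).encode().ljust(10) + b"`\n")
        out += header + data
        if len(data) % 2:          # member data is padded to an even offset
            out += b"\n"
    return bytes(out)


def ar_members(blob):
    """Walk the member headers and return [(name, bytes)]; raises on a damaged archive."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos, members = len(AR_MAGIC), []
    while pos + AR_HEADER_LEN <= len(blob):
        hdr = blob[pos:pos + AR_HEADER_LEN]
        if hdr[58:60] != b"`\n":
            raise ValueError("bad member header at offset %d" % pos)
        name = hdr[0:16].decode("ascii").rstrip()
        if name.endswith("/"):
            name = name[:-1]
        size = int(hdr[48:58].decode("ascii").strip())
        data = blob[pos + AR_HEADER_LEN:pos + AR_HEADER_LEN + size]
        if len(data) != size:
            raise ValueError("truncated member %r" % name)
        members.append((name, data))
        pos += AR_HEADER_LEN + size + (size % 2)
    return members


def parse_hash_lines(lines):
    """Parse md5:size:name lines (.hdb signatures or .fp allowlist) into {(md5, size): name}."""
    table = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        md5, size, name = line.split(":", 2)
        table[(md5.lower(), None if size == "*" else int(size))] = name
    return table


def sigtool_md5_line(name, data):
    """Same shape as a 'sigtool --md5 FILE' line: md5:size:name, usable as-is in a .fp file."""
    return "%s:%d:%s" % (hashlib.md5(data).hexdigest(), len(data), name)


def lookup(table, data):
    """Exact-size match first, then a size-wildcard ('*') entry."""
    md5 = hashlib.md5(data).hexdigest()
    return table.get((md5, len(data))) or table.get((md5, None))


def scan_archive(blob, hdb_lines, fp_lines=()):
    """Hash-match every member; a digest present in the allowlist suppresses the hit."""
    sigs, allow = parse_hash_lines(hdb_lines), parse_hash_lines(fp_lines)
    hits = []
    for name, data in ar_members(blob):
        if lookup(allow, data):
            continue
        sig = lookup(sigs, data)
        if sig:
            hits.append((name, sig))
    return hits


if __name__ == "__main__":
    archive = ar_build([("eicar.com", EICAR), ("README", b"harmless text\n"), ("note.txt", b"odd")])
    print(scan_archive(archive, HDB_LINES))                                        # EICAR member found
    print(scan_archive(archive, HDB_LINES, [sigtool_md5_line("eicar.com", EICAR)]))  # allowlisted
```

The second call is the allowlist flow from the docs page linked earlier: a line in the form 'sigtool --md5' prints, dropped into a local .fp file, silences a hash hit on that exact file without touching the official database; it does nothing for body-based signatures such as the PUA.Win.Trojan.Xored-1 pattern, which need an .ign2 entry naming the signature instead.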


Re: [clamav-users] Clamav high resource usage

2022-07-08 Thread G.W. Haywood via clamav-users

Hi there,

On Fri, 8 Jul 2022, Asier Gomez via clamav-users wrote:


We are trying to run Clamav in some instances with not more than 1Gb
of free memory, so when Clamscan runs the scan, the instance dies.


This is to be expected.  You really should read the documentation.

See

"Recommended System Requirements"

at

https://docs.clamav.net/Introduction.html

and also try searching this mailing list for 'memory' and/or 'RAM' for
example.  Expect that the 'official' signature database alone will use
more than 1GByte continuously.  If you use third-party databases (or
if you add signatures yourself) expect memory usage to increase still
further.  Additionally, in the configuration installed by default, if
you use clamd it will briefly ('briefly' depends on the performance of
your system) after a database update use twice as much memory while it
tests and reloads the signature database.


Is there any way to configure Clamascan to use less resources?


There is no 'Clamascan'.  It's 'clamscan' or 'clamdscan'.  You *might*
be able to use a signature database with fewer signatures, but you'd
really need to know what you were doing and I would not recommend that
to someone who's asking the questions that you're asking.


Or is there any way to run Clamav in a centralized server to check the
rest of the instances from the central server?


Yes, that's the sort of thing here.  See the documentation, e.g. try

man clamd

which explains that you can tell clamd on a server to listen on a TCP
port for connections from clients.  Be aware that if you do that, you
likely need to heed the warning in the documentation about making sure
that the whole world can't connect to your clamd server.  See also

man clamdscan

which explains how to configure a client scanner.  It isn't absolutely
necessary to use clamdscan, for example here we use a client which I
wrote in Perl.  Similar things exist elsewhere, but to begin with at
least I recommend that you use the official client until you're very
familiar with the way it all works, and you're clear about how you
want to use it.  I can't offer any advice about the various unofficial
scanning clients, I've never used any except my own.


Checking the following blog: https://www.libellux.com/clamav/, we


Because random blogs and tutorials on the Internet have a habit of
being years out of date (if not just plain wrong in the first place)
in general I would advise that you keep to the official guidance at

https://docs.clamav.net/

AFTER reading it, and the various 'man' pages about the tools which
you will be using, post here for clarification and advice if needed.


found that it is a way to have the clamav database only in a central
server and the clients just read the database from this central
server.


It doesn't work that way, it's the other way around.  The clients do
not read the database from the server.  The clients send the data to
be scanned to the server and then read the server's response.


Should this help for clamscan in the clients' instances to use less
resources?


No, the clamscan tool does not work that way; it will load the entire
signature database into local memory.  Use clamdscan instead, which is
a small utility designed to read the scanned data and pass it to clamd
on the server.

Please feel free to get back to us when you've done some more reading
and hopefully some experimentation.  When you do, please tell us more
about what you're trying to achieve.  "I want to scan things" does not
tell us what we need to know.  Some background about what you're doing
and why can be very important.

--

73,
Ged.
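
The client/server split described above (clients send the data to a central clamd, which holds the signatures, and read back the verdict) is the INSTREAM command of the clamd protocol. The client below is an added example, not Ged's Perl client and not anything shipped with ClamAV; it shows what the exchange on the wire looks like: the NUL-terminated zINSTREAM command, length-prefixed chunks, a zero-length terminating chunk, and a 'stream: OK', 'stream: NAME FOUND' or '... ERROR' reply. The host, port and chunk size are assumptions; on the server side clamd must be configured with TCPSocket and TCPAddr in clamd.conf, as 'man clamd' describes.

```python
import socket
import struct

CHUNK_SIZE = 8192   # assumed; the total stream must stay under clamd's StreamMaxLength


def instream_frames(data, chunk=CHUNK_SIZE):
    """Yield the wire bytes of a zINSTREAM request: the command, then
    <4-byte network-order length><chunk> pieces, then a zero-length chunk."""
    yield b"zINSTREAM\x00"
    for i in range(0, len(data), chunk):
        piece = data[i:i + chunk]
        yield struct.pack("!I", len(piece)) + piece
    yield struct.pack("!I", 0)


def parse_reply(reply):
    """Classify clamd's NUL-terminated answer to a z-command.
    Returns ("OK", None), ("FOUND", signature_name) or ("ERROR", message)."""
    text = reply.rstrip(b"\x00\n").decode("utf-8", "replace")
    if text.endswith(" FOUND"):
        body = text[:-len(" FOUND")]
        if body.startswith("stream: "):
            body = body[len("stream: "):]
        return ("FOUND", body)
    if text.endswith(" OK"):
        return ("OK", None)
    if text.endswith("ERROR"):
        return ("ERROR", text)
    raise ValueError("unrecognised clamd reply: %r" % reply)


def scan_bytes(data, host="127.0.0.1", port=3310, timeout=60.0):
    """Stream data to a clamd TCP listener and return the parsed verdict.
    host/port are assumptions for the example."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            for frame in instream_frames(data):
                sock.sendall(frame)
        except (BrokenPipeError, ConnectionResetError):
            pass  # clamd closes early once StreamMaxLength is exceeded; read its ERROR below
        buf = b""
        try:
            while not buf.endswith(b"\x00"):
                part = sock.recv(4096)
                if not part:
                    break
                buf += part
        except ConnectionResetError:
            return ("ERROR", "connection reset by clamd")
    return parse_reply(buf)


def scan_file(path, **kw):
    """Scan one local file through the remote daemon; the file is read by the client,
    not by clamd, so the daemon needs no access to the client's filesystem."""
    with open(path, "rb") as fh:
        return scan_bytes(fh.read(), **kw)


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(p, scan_file(p))
```

Anyone who can reach the TCP port can submit data and read verdicts, so set TCPAddr to an address on a private interface rather than leaving clamd listening on every interface, and filter the port at the host firewall. The replies checked in the example are constructed rather than captured from a live daemon.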


Re: [clamav-users] Permanently banned from clamav

2022-07-03 Thread G.W. Haywood via clamav-users

Hi there,

On Sun, 3 Jul 2022, Calogero Di Legami via clamav-users wrote:


... i am the guy who started the discussion...


Yes, we know.  Hello again. :)


... i download the database trough clamwin ...


You could have saved us a lot of time by mentioning that earlier. :/

The current version of ClamWin is more than a year out of date.  This
isn't the first time that I've pointed out on this list that ClamWin
does not seem to be properly supported.  My opinion is that ClamWin
should be avoided.  My full opinion is unsuitable for publication.

The people who provide both ClamAV and the official ClamAV signatures
have no relationship with ClamWin as far as I know.  Although ClamWin
is mentioned in this page:

https://docs.clamav.net/manual/Installing/Community-projects.html

there is a disclaimer at the top of the page.  If it were up to me the
disclaimer would be worded much more strongly, perhaps something along
the lines of "it is YOUR responsibility to assess the suitability of
anything mentioned below for use in your particular situation".


How the heck can I do freshclam or use cvdupdate on a Windows 9x machine?


I'm not sure you can.  Please read the introduction:

https://docs.clamav.net/Introduction.html

Despite what it says on the ClamWin pages, very old Windows versions
are not supported by ClamAV; they are also not supported by Microsoft.
The oldest Windows version which ClamAV claims to support is Windows 7.
Even so it is most unlikely that you will have a supported copy, and
in any case all support for Windows 7 will cease in January 2023.

If you must use Windows, please upgrade to a supported version.  I
haven't seen a Windows 98 machine for a very long time, so I might
just have forgotten, but even if ClamAV had been installed on one I
don't think I've ever seen a Windows 9x machine which would have had
enough memory to load the current official ClamAV database - by itself
it takes up over a gigabyte.  At present you'd probably need three or
four gigabytes (it depends what else the machine is doing), but with
so much memory Windows 9x may well give problems related to the large
amount of memory installed - problems which affect both the operating
system and some of its utilities.

Unless you know what you're doing, connecting unsupported versions of
Windows to the Internet is unsafe and irresponsible.  You're probably
just going to cause problems for everyone else.

Out of interest, how much RAM do you have installed in your machine?

--

73,
Ged.


Re: [clamav-users] Permanently banned from clamav

2022-07-03 Thread G.W. Haywood via clamav-users

Hi Grant,

On Sat, 2 Jul 2022, Grant Taylor via clamav-users wrote:


... the questions are somewhat academic ...


https://en.wikipedia.org/wiki/How_many_angels_can_dance_on_the_head_of_a_pin%3F

:)


I assume you are saying that "regularly" specifies what the cadence is.


No.  My "Yes, it does." was in agreement with your "implies a cadence" but
I can see how it might be open to misinterpretation, for which I apologize.

It was not my intention to make such a meal of this.

But I feel like the comments, especially the lack of definition of the 
/cadence/ of regularly fails to account for someone using a web browser to 
download files once every three years.


Perhaps, but I think it accounts for millions of people all doing the
same thing, so now, it isn't allowed at all:

https://lists.clamav.net/pipermail/clamav-users/2021-March/010685.html

I would find it suspicious if someone were to say that downloading 185 MB 
once every three years is abuse of a system.


I don't think anyone said that.

--

73,
Ged.


Re: [clamav-users] Permanently banned from clamav

2022-07-02 Thread G.W. Haywood via clamav-users

Hi Grant,

On Sat, 2 Jul 2022, Grant Taylor via clamav-users wrote:

On 7/2/22 7:50 AM, G.W. Haywood via clamav-users wrote:

Regular downloading of the entire daily database is not acceptable.


Please clarify what "regularly" means in this case?


I think Mr. Broekman has answered well enough, but I need to reply to
you because I don't want you to think I've ignored you, Grant.


Once a day / hour / week / month / other?


I don't know, it isn't my CDN.  But I did give a link for further
reading.  I think there's enough there for a reasonable man, and I
know you fit that description. :)


Regular just implies a cadence without specifying what that cadence is.


Yes, it does. :)


I understand that freshclam / cvupdate have some optimizations to
determine if an update is needed or not.


There's more to it than just whether or not an update is needed.


I fail to see how using chrome, et al., or anything other than
freshclam / cvupdate, with a weekly cadence will cause any problems
for any server, much less reputable CDN.

What am I not understanding?  Please clarify what problem(s) was
(were) caused.


To run a Content Delivery Network costs money.  Abuse of it costs a
lot of money unnecessarily - and there was chronic, egregious abuse.
In my view, the providers of ClamAV went *well* beyond the call of
duty before finally putting their metaphorical foot down.  If it had
been my own money, I would have been a lot less patient.

It isn't just the traffic.  There are processes hanging around waiting
for slow connections as well.  As of today, the daily file is around
185 Mbytes.  Downloading it here would take a quarter of an hour.  In
the past two months freshclam here has taken an average of 2.9 seconds
to download a diff file.  Scale that up to the global demand and it's
a factor of at least several hundred just on the process count.

When people download 185 Mbytes instead of downloading a few kilobytes
to get the same result it incurs very significant, unnecessary costs
which are borne by those who provide the data - free of charge - to
people who are routinely abusing the service.  And they've been asked
not to do it, so, well, it's just rude!

--

73,
Ged.


Re: [clamav-users] Permanently banned from clamav

2022-07-02 Thread G.W. Haywood via clamav-users

Hi there,

On Sat, 2 Jul 2022, Calogero Di Legami via clamav-users wrote:


Hi, I'm Calogero Di Legami, I'm 24 and I live in Italy.
My ISP is Tiscali, a normal Italian ISP.
This morning when I tried to download “daily.cvd”, Cloudflare told me that
I was permanently banned.
Why?


There has been widespread and serious abuse of the Content Delivery
Network, which forced the introduction of protection mechanisms.
Regular downloading of the entire daily database is not acceptable.
There are alternatives which cause much less network traffic.

Your problem *might* be because the IP address that you were using has
been seen to be abusive, or it might be because of the download method
which you were trying to use.

How were you trying to download the daily database?

The accepted method is to use the freshclam utility which was provided
with a fairly recent version of ClamAV.  The utility takes care to use
the minimum network bandwidth.  Not using freshclam, or using a version
which is too old, are both likely to cause problems.

More information:

https://blog.clamav.net/

--

73,
Ged.


Re: [clamav-users] Off topic question...

2022-06-29 Thread G.W. Haywood via clamav-users

Hi there,

On Wed, 29 Jun 2022, Eric Tykwinski via clamav-users wrote:


Any one have an abuse contact for Cisco IronPorts hosted service?

A customer of ours received a phishing email from a Cisco client, but it wasn't
sent by them, at least that's what I'm being told.


I don't think you can rely on the customer's say-so.  You need to get
a complete copy of the message - especially full headers - for analysis.
Having said that here's a random hit:

https://www.abuseipdb.com/check/184.94.240.92

If it's really Cisco, and all else fails, I'd send a report to the abuse
address for cisco.com (and to SpamCop - Cisco owns SpamCop of course...:)

--

73,
Ged.


Re: [clamav-users] false positives for firefox add-ons?

2022-06-25 Thread G.W. Haywood via clamav-users

Hi there,

On Sat, 25 Jun 2022, Christian wrote:


...
Archive.Test.Agent2-9953724-0 FOUND/
...


A false positive; as it turns out, this is a signature which should never have
been published:

https://lists.clamav.net/pipermail/clamav-users/2022-June/012731.html

It should go away on the next database reload.

--

73,
Ged.


Re: [clamav-users] Clamav found in php files Archive.Test.Agent2-9953724-0

2022-06-24 Thread G.W. Haywood via clamav-users

Hi there,

On Fri, 24 Jun 2022, Cyrille37 wrote:

I don't understand why, but it happened this morning on already existing files
(in the wp-cli cache folder):


Start Date: 2022:06:24 12:15:01
End Date:   2022:06:24 12:15:17
/home/caf37-pt/.wp-cli/cache/core/wordpress-5.8.3-fr_FR.zip: 
Archive.Test.Agent2-9953724-0 FOUND

...
I could not find any discussion on the web about
"Archive.Test.Agent2-9953724-0" except this one:

https://answers.sap.com/questions/13665326/upload-application-content-failed-malware-detected.html


The signature is mentioned in this morning's automated email from the
ClamAV signatures database update process.

I suspect that you're seeing a false positive; that's always a risk
with new or updated signatures.

Perhaps you can upload one of the flagged files to e.g. Jotti's Virus
Scan or VirusTotal to see what a few other scanners make of it.

--

73,
Ged.


Re: [clamav-users] CVE_2021_4034-9951522 false positives on node executables

2022-06-20 Thread G.W. Haywood via clamav-users

Hi there,

On Tue, 21 Jun 2022, Viktor Rosenfeld via clamav-users wrote:


A recent scan of my system found 8 infected files. On closer
inspection, these are all nodejs binaries, either installed through
Homebrew or inside another app (e.g., Docker or Adobe). Clamav
reports that they are infected with CVE_2021_4034-9951522.

As far as I can tell, CVE_2021_4034 is the pkexec privilege
escalation bug. However, I could not find anything relating to
nodejs. Also, the fact that multiple nodejs binaries on my system
are infected, which are installed from different sources, leads me
to believe that this is a false positive.

 I am unsure what to do next. ...


Agreed there might be grounds to suspect a false positive, but I'd
suggest that first you upload anything which has been flagged as
suspicious to somewhere like Virustotal or Jotti's Virus Scan.  Then
take a view.  If ClamAV is in a minority of one, probably filing the
false positive report would be the next step.

--

73,
Ged.


Re: [clamav-users] human friendly signatures

2022-06-20 Thread G.W. Haywood via clamav-users

Hi there,

This is a more or less random data point.

On Mon, 14 Mar 2022, Micah Snyder (micasnyd) via clamav-users wrote:


Sorry that this response comes so late that it is nearly a necro-thread. ...


Er, ditto.


... If anyone has any other ideas about it, I'd love to hear them. ...


One thing has become much more obvious lately here and I felt the need
to get it written down somewhere.

We're seeing a lot more spam than we ever used to which is written in
CJKV (Chinese, Japanese, Korean, Vietnamese) using UTF-8 encoding.
It's mostly phishing of some sort.

We use UTF-8 text strings in Yara rules to catch a lot of this spam
for our automatic abuse reporting system.

Obviously to make things human friendly it helps a lot if the terminal
emulators, editors and other tools can render the text as appropriate,
but my point is that, however you manipulate Yara rules for ClamAV, as
things are they work fine for this purpose and I'd really hate to lose
that capability.

--

73,
Ged.


Re: [clamav-users] Critical Bug Report - Docker Image Crashing

2022-06-20 Thread G.W. Haywood via clamav-users

Hi there,

On Mon, 20 Jun 2022, Sam Smith wrote:

Good morning, I am using the standard Docker image for a client. This
morning's anti-virus update is crashing Docker during update. I re-downloaded
the image and re-ran the process. I assume this is affecting many users.
Final lines of output are below:


Downloading database patch # 26577...
Time:0.1s, ETA:0.0s [>]   15.21KiB/15.21KiB
Testing database: '/var/lib/clamav/tmp.36a55ab0c3/clamav-91abc2838c6f6baf854e8435b4a18fd5.tmp-daily.cld' ...
copying response body from Docker: unexpected EOF

Please advise?


More information would be helpful.

We run ClamAV on native ARM7 - a Raspberry Pi 4B, 4GBytes RAM.  We
don't use Docker so I don't know how much help I can give, but FWIW
version 26577 loaded fine here yesterday at about 1332 BST (+0100).

While we're waiting for someone to chime in who knows a lot more about
Docker than I do some things spring to mind.  I don't know if they'll
be relevant to you.

1. Do you have enough RAM in the system?  You probably need 3+ GBytes
if you're running clamd (are you?) unless you take precautions.

2. There have been issues with the distributed configuration files.
Some time back a timeout was much too short, although I can't see that
being the problem here, and (depending on the free RAM) you might need
to set an option to prevent scanning while you update the database.
Perhaps you can let us have the output of

clamconf -n

and some information about the system you're running so that people
might get a better grip on what you're doing.

3. Have you tried downloading the update to a non-Docker machine and
simply copying the updated daily.cld over to the Docker container?
Restart clamd afterwards if you're running it, obviously.

--

73,
Ged.


Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com and rbc.com

2022-06-15 Thread G.W. Haywood via clamav-users

Hi there,

On Wed, 15 Jun 2022, joe a wrote:

To semi-hijack, I was attempting to deal with my own occasional false 
positive by using this thread as a clue.


Attempting to follow the docs, I hit a wall here:

"To help you identify what triggered a heuristic phishing alert, clamscan or 
clamd will print a message indicating the "Display URL" and "Real URL" 
involved in a heuristic phishing alert. "


I did not find such an entry in any of the "usual suspect" logs ...


You might have more luck if you use verbose options.  Some logic in

libclamav/phishcheck.c

is a bit convoluted and it looks like under some circumstances there
might be reasons for not flagging a potential phish, and not logging
certain warnings.  I haven't gone over it with a magnifying glass but
there are definitely more informative debug messages available to you.

If you'd like to put a couple of samples up somewhere I could take a
look at them for you.

--

73,
Ged.


Re: [clamav-users] On-Access Scanning don't detect new file

2022-06-15 Thread G.W. Haywood via clamav-users

Hi there,

On Wed, 15 Jun 2022, Tobias Mächler via clamav-users wrote:


I have just configured On-Access Scanning with ClamAV. When I use the
command line to download a virus to the new directory, it gets scanned
correctly. However, I have an application running on the server (CentOS 7),
and when I upload a virus to my application, which stores it on the server
in the same directory, it will not trigger the On-Access Scanning ...

How can I configure On-Access Scanning so that it will also detect the
files created by my application and trigger the virus scan?


It's possible to configure clamonacc in ways which would explain this.
Have you read the documentation?  See for example

https://docs.clamav.net/manual/OnAccess.html?highlight=clamonacc#general-use


Please let us see the output of

clamconf -n

Please cut-and-paste or similar, it's sometimes difficult to divine
what's shown in an email and changes in formatting can be important.

Please tell us more about your application.  In particular we need to
know exactly which user IDs are reading and writing any files.

--

73,
Ged.


Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com and rbc.com

2022-06-13 Thread G.W. Haywood via clamav-users

Hi there,

On Mon, 13 Jun 2022, Mathieu Morier via clamav-users wrote:


Looks like many Canadian banks are switching their corporate email to
Office 365 (Microsoft cloud) and all the links in their email are
then automatically changed ...


Don't get me started.


... links to ... hit the Heuristics.Phishing.Email.SpoofedDomain .
... Can this rule be changed ...


Speaking personally, I don't want it to be changed but you could for
example add an 'ignore' rule:

https://docs.clamav.net/manual/Signatures/AllowLists.html?highlight=ignore#signature-ignore-lists


Then we will have to trust Microsoft ...


... currently the second worst spam support provider in the world, and
rarely out of the top five:

https://www.spamhaus.org/statistics/networks/

--

73,
Ged.
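To make the "Display URL" versus "Real URL" distinction from the 15 June reply concrete, and to show why rewritten links of the kind Mathieu describes in the 13 June thread trip a spoofed-domain heuristic, here is an added Python example. It is an educational re-implementation written for this page, not the logic in libclamav/phishcheck.c; the HTML message body and the `.test` hostnames are constructed, and comparing the last two labels of a hostname is a deliberate simplification (a production check would consult the public suffix list).

```python
"""Display-URL vs real-URL check for anchors in an HTML mail body (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Display text counts as a URL when it looks like a hostname, optionally with
# a scheme and a path.  Simplified on purpose.
URL_LIKE = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:[/?#]\S*)?$", re.IGNORECASE)

# Constructed sample.  The second anchor is the Office 365 style rewrite from
# the thread: the visible text still names the bank, the href does not.
SAMPLE_HTML = """
<p>Please log in at <a href="https://login.example-bank.test/acct">https://www.example-bank.test/</a></p>
<p>Or via <a href="https://safelinks.example-rewriter.test/?url=https%3A%2F%2Fwww.example-bank.test">www.example-bank.test</a></p>
<p><a href="https://www.example-bank.test/help">Help center</a></p>
"""


def _host(url: str) -> str:
    """Lower-cased hostname of a URL; bare hostnames get a scheme so urlsplit works."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def _registered_domain(host: str) -> str:
    """Crude registrable domain: the last two labels (assumption, see lead-in)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.anchors: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_spoofed_links(html: str) -> list[dict]:
    """Return anchors whose URL-like display text names a different domain than the href."""
    parser = _AnchorCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for real_url, display in parser.anchors:
        if not URL_LIKE.match(display):
            continue                      # plain link text: nothing to compare
        real_host, display_host = _host(real_url), _host(display)
        if _registered_domain(real_host) != _registered_domain(display_host):
            findings.append({"display_url": display, "real_url": real_url,
                             "display_host": display_host, "real_host": real_host})
    return findings


if __name__ == "__main__":
    for hit in find_spoofed_links(SAMPLE_HTML):
        print(f"Display URL: {hit['display_url']}  Real URL: {hit['real_url']}")
```

The first anchor is not reported because login.example-bank.test and www.example-bank.test share a registered domain; the second is, because the href now points at the rewriting service while the visible text still says the bank. That is exactly the situation where an allow-list entry, rather than a change to the heuristic, is the appropriate local fix.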


Re: [clamav-users] MS Word Follina - CVE-2022-30190

2022-06-09 Thread G.W. Haywood via clamav-users

Hi there,

On Thu, 9 Jun 2022, Vangelis Katsikaros via clamav-users wrote:


I am not a security person so I apologize if the question sounds stupid.


It doesn't sound stupid. :)


I'd like to ask if there is a signature in the clamav DB to recognise
Microsoft word documents affected by the "Follina" - CVE-2022-30190 remote
code execution vulnerability.


This particular vulnerability is worrying because it can be exploited
even if the user does not enable Word macros.  It can be exploited by
things other than Word documents, e.g. just a link in an email:

https://forum.eset.com/topic/32571-ms-word-follina-exploit-not-detected/

So as you can imagine it's unlikely that a single signature will be
able to provide complete protection.

At the moment I know of no ClamAV 'official' signature which addresses
the issue in any way at all.  I imagine people are working on it.

My take on it is that if it's a Word document, a Rich Text File, RAR,
ZIP, TGZ and a whole bunch of other things, then no matter what you
claim it is, I don't want it.  Links are treated with great suspicion.
The milters here reflect those views, and have done for many years.

There are mitigations for the vulnerability:

https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/

In the absence of a fix from Microsoft that's your best bet I think
but read my first link first.

It would not be wise to rely on anti-virus techniques for protection
if there's any risk that a user might open a malicious document (or
click a malicious link) before it is known to be safe.  A null scan
result does not mean it's known to be safe.  It means the scanner
didn't find a threat, which does not mean that there are no threats
in there to be found.

--

73,
Ged.


Re: [clamav-users] About virus scanning of temporary files

2022-06-09 Thread G.W. Haywood via clamav-users

Hi there,

On Thu, 9 Jun 2022, ichijo toru via clamav-users wrote:


Hello, I have a question about virus scanning for folders that generate
temporary files.


I do not understand what you mean.  Folders do not generate anything,
the processes which use them do that.  ClamAV neither knows nor cares
that you consider a file to be 'temporary', and, whether you do so or
not, it makes no difference at all to the way ClamAV scans the file.


Why do I get the following error when scanning against that folder? And
what can I do to prevent it from appearing?


WARNING: File path check failure for:

/xx/data/yy/zz_zzz/000101D40002

Quarantine of the file may fail if file path contains symlinks.
Access denied: /xx/data/yy/zz_zzz/000101D40002


The message tells you that ClamAV cannot access a file called

"/xx/data/yy/zz_zzz/000101D40002"

It does not tell you that there are symbolic links in the path.  If
you do not want to see the error then either give ClamAV permission to
read the file or do not ask ClamAV to scan things to which it does not
have access.


I have confirmed that "//data/yy/zz_zzz/" is not a symbolic
link.


The error message does not say that the path is a symbolic link, it is
just warning about quarantining files which have paths which contain
symbolic links.  Whether there are symbolic links in the path or not,

"//data/yy/zz_zzz/"

is not the path given in the error message.  We can probably help you
better if you do not confuse the issue by hiding things, whatever the
reason for hiding them might be.  If the path names contain non-latin
characters we can probably cope with UTF-8.


I am using ClamAV version [0.103.4].


There have been significant improvements in more recent versions.  You
might find that your problem is resolved if you upgrade, but in any
event I would recommend that you do so if you can.  Next time you ask
for help please give the information without obfuscation.  Please also
let us have the output of the command

clamconf -n

Please cut and paste the exact output, do not make us guess.  You might
find that ClamAV gives you more information if you enable verbose logs.
See the documentation for how to do that.

--

73,
Ged.
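A pre-flight check of the kind the reply above implies, added here as an example rather than anything from the thread or from ClamAV: before handing a path to the scanner, confirm that the scanning user can read it, and report separately which components of the path are symbolic links, since "Access denied" and the quarantine warning about symlinks are two different conditions. The temporary directory tree and the file name 000101D40002 are constructed to mirror the thread. Run it as the user clamd or clamscan runs as, because `os.access` answers for the current process (root can read everything, so the readability column is uninformative when run as root).

```python
"""Pre-flight check for paths about to be scanned (added example, not ClamAV code)."""
import os
import tempfile


def symlink_components(path: str) -> list[str]:
    """Return every prefix of `path`, including the leaf, that is a symbolic link."""
    path = os.path.abspath(path)          # normalises '..' but does not resolve links
    links = []
    prefix = os.sep
    for part in path.split(os.sep):
        if not part:
            continue
        prefix = os.path.join(prefix, part)
        if os.path.islink(prefix):
            links.append(prefix)
    return links


def check_scan_path(path: str) -> dict:
    """Report what a scanner will run into when asked to open `path`."""
    return {
        "path": path,
        "exists": os.path.lexists(path),
        # os.access uses the current process's credentials, so this is only
        # meaningful when run as the scanning user.
        "readable": os.access(path, os.R_OK),
        "symlinks_in_path": symlink_components(path),
        # Link-free path to hand to the scanner if quarantine must work.
        "canonical": os.path.realpath(path),
    }


def demo() -> dict:
    """Constructed tree: a real directory, a symlink to it, and one file inside."""
    root = tempfile.mkdtemp(prefix="scan-preflight-")
    real_dir = os.path.join(root, "data")
    os.mkdir(real_dir)
    sample = os.path.join(real_dir, "000101D40002")      # name echoes the thread
    with open(sample, "wb") as fh:
        fh.write(b"constructed sample content\n")
    link_dir = os.path.join(root, "via-link")
    os.symlink(real_dir, link_dir)
    return {
        "direct": check_scan_path(sample),
        "through_link": check_scan_path(os.path.join(link_dir, "000101D40002")),
        "missing": check_scan_path(os.path.join(real_dir, "does-not-exist")),
    }


if __name__ == "__main__":
    for label, report in demo().items():
        print(label, report)
```

Feeding the scanner the `canonical` path avoids the symlink warning; a `readable` of False while `exists` is True is the permission problem the reply describes, to be fixed on the file or by not asking the scanner to look there.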


Re: [clamav-users] Uninstall macos universal package

2022-06-01 Thread G.W. Haywood via clamav-users

Hi there,

On Wed, 1 Jun 2022, Ismael via clamav-users wrote:


I installed the clamav-0.105.0.macos.universal.pkg and I want to remove
whatever was installed on my system but I can't find anything when
searching. How can I remove and find what was installed?


This is less a question about ClamAV than it is about packaging systems.

Sorry, I haven't actually used a Mac for more than twenty years.  Try
to find out more about using the package tools for your system.  The
documentation will be available for you although you might need to
install a documentation package or two.

Package tools which provide the means to install packages usually also
provide the means to remove those same packages.  Often there will be
more than one way to do it.  There will usually also be tools in the
packaging system to answer questions like "what files are in this
package, and where are they in the filesystem?"  There will be things
to watch out for, such as accidentally uninstalling things which you
didn't mean to uninstall, but most packaging systems are reasonably
well-behaved.

But it usually isn't necessary to uninstall something if you just
don't want to use it - is there some compelling reason making you want
to uninstall it?  If you've downloaded the signatures you'll save some
storage space by deleting them, but otherwise you won't save much.

--

73,
Ged.


Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false positive desjardins.com

2022-05-30 Thread G.W. Haywood via clamav-users

Hi there,

On Mon, 30 May 2022, Mathieu Morier via clamav-users wrote:


desjardins.com is a Québec, Canada coop bank
institution, and for a couple of weeks all their email to our email
server has been flagged by my ClamAV for Heuristics.Phishing.Email.SpoofedDomain ...


They probably did something stupid.


But it’s starting to be problematic to exclude so many
Desjardins.com emails from Clam.

Any idea?


Well you could ask them to think about what they're sending.  But good
luck with that, if it's a bank... :)

How is ClamAV seeing the mail?  Is it through a milter?  Most will
offer the facility to whitelist a domain, or something like that, see
for example "EXCLUSIONS" in

man clamav-milter.conf

but beware that it's possible (and very common) to spoof domain names,
so listing IP addresses might be safer.  I wouldn't recommend relying
on SPF for this domain.  I don't think allowing a couple of /48 CIDRs
(not to mention three each of IPv4 /16 and /17, a /15, a /14 and some
dozens of ranges from /19 to /24) is likely to offer much protection
to anyone from forgeries from IP addresses not controlled by them.  It
looks like instead of thinking about forgery they tried to include as
many IP ranges as they could possibly think of in their SPF record on
the off-chance that some random Outlook user would want to send mail
on their behalf (or more likely they don't care about forgery, just
about not getting their mail rejected).

If it's difficult to do using whatever feeds the mail to ClamAV, then
you could do some post-processing after the ClamAV verdict is given,
or even ignore the signature completely.  See for example

https://docs.clamav.net/faq/faq-ignore.html?highlight=ignore#how-do-i-ignore-a-clamav-signature

but then the signature won't catch spoofing attempts from other sources.

Ideally you'd have fine-grained control in your mail system over what
ClamAV sees, so that you can deal with issues like this easily as they
arise - because they're very common.

--

73,
Ged.


Re: [clamav-users] How often can I run cvdupdate?

2022-05-25 Thread G.W. Haywood via clamav-users

Hi there,

On Wed, 25 May 2022, Orion Poplawski via clamav-users wrote:

We're starting to run clamav on more local hosts and we're starting to see
rate limiting messages.  So I've set up a local private mirror with cvdupdate
... I'm starting to see warnings like:


Received signal: wake up
ClamAV update process started at Wed May 25 07:26:29 2022
daily database available for update (local version: 26551, remote version: 
26552)

WARNING: downloadFile: file not found: https://MIRROR/daily-26552.cdiff
WARNING: downloadPatch: Can't download daily-26552.cdiff from 
https://MIRROR/daily-26552.cdiff


If it were my choice I'd probably use freshclam rather than cvdupdate,
partly because the docs [1] somewhat discourage use of cvdupdate, partly
because PyPI is a can of worms I wouldn't then have to worry about.

I'm running cvdupdate at the recommended 4 hour interval.  Can I run it more 
often?


The PyPI site uses 4 hours as an example, but I'm not sure that's
exactly a recommendation.  Over at docs.clamav.net [1] it says

[quote]

Now run this as often as you need, or at least once a day to download/update 
the databases:

cvd update

[/quote]

Since it's just using DNS requests to check for updates it's very
lightweight.  I feel sure you can make the queries as often as you
think is reasonable, but do bear in mind that updates to the official
signature database aren't especially frequent - a couple of times a
day or thereabouts at most I think.


... I may just have to exclude these types of warnings from logwatch.


I don't think I'd hide them.  I'd just ignore them when I saw them,
but at least they'd usefully tell me that something was happening.
Of course it depends on how many you'd get. :/

[1] 
https://docs.clamav.net/appendix/CvdPrivateMirror.html?highlight=cvdupdate#private-local-mirrors

--

73,
Ged.


Re: [clamav-users] rust on IBM i PASE environment - a must ?

2022-05-19 Thread G.W. Haywood via clamav-users

Hi there,

On Thu, 19 May 2022, Zvi Kave via clamav-users wrote:


We have ClamAV 0.104.1 compiled from sources and working fine
in the IBM i PASE environment, which is quite the same architecture as IBM AIX
binaries.

We have a problem compiling ClamAV 0.105.0 because at present
we do not have Rust on IBM i PASE, nor on AIX.

Is there a way to compile ClamAV 0.105.0 without Rust?


The following is taken from the announcement on 14th March 2022 of the
first release candidate of ClamAV 0.105.0:

| We are excited to announce the ClamAV 0.105.0 release
| candidate.
|
| Please help us validate this release. We need your feedback, so let us
| know what you find and join us on the ClamAV mailing
| list, or on our
| Discord.
| ...
| ...
| ClamAV 0.105.0 includes the following improvements and changes.
|
| New Requirements
|
|   *   Starting with ClamAV v0.105, the Rust toolchain is required to compile ClamAV.
|
| You can install the Rust toolchain for your development environment by
| following the instructions on the rustup
| website. Some binary package distributions do provide relatively
| up-to-date packages of the Rust toolchain, but many do not. Using
| rustup ensures that you have the most up-to-date Rust compiler at the
| time of installation. Keep your toolchain updated for new features and
| bug/security fixes by periodically executing:
|
| rustup update
|
| Building ClamAV requires, at a minimum, Rust compiler version 1.56,
| as it relies on features introduced in the Rust 2021 Edition.
|
| ClamAV's third-party Rust library dependencies are vendored into the
| release tarball (clamav-.tar.gz) file that we publish on
| clamav.net/downloads. But, if you build
| from a Git clone or from an unofficial tarball taken from
| GitHub.com, you will need the internet to download the Rust
| libraries during the build.
| ...

As you can see, the requirement is not just for Rust, but for at least
a minimum version of Rust.

--

73,
Ged.

___

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] ClamAV Queries on Maximum file size

2022-05-19 Thread G.W. Haywood via clamav-users

Hi there,

On Thu, 19 May 2022, Deenadhayalan Natarajan via clamav-users wrote:


I would like to get some details about the maximum file size clamAV
can support. As we got to know from the documentation that it
supports up to 4GB of maximum file size but would like any
possibilities of extending the file size ...


Can you tell us more about your requirements?

You should consider 2GBytes (not 4GBytes) to be the maximum file size:

https://docs.clamav.net/manual/Development/tips-and-tricks.html?highlight=limits#general-debugging

To allow ClamAV to scan huge files is to risk crashing the scanner,
and there are other issues which may crop up too.


... any enterprise version of ClamAV available.


I don't know of anything which meets your description precisely.  The
ClamAV maintainers are the folks at Cisco-Talos:

https://github.com/Cisco-Talos/clamav

[Disclaimer: Other than my chats with people on (and occasionally off)
this list, I have no relationship with Cisco nor any Cisco company.]

Cisco offers a range of product for protecting computer systems:

https://www.cisco.com/c/en_uk/products/security/advanced-malware-protection/index.html

There are also numerous third-party tools etc. based on ClamAV:

https://docs.clamav.net/manual/Installing/Community-projects.html

--

73,
Ged.



Re: [clamav-users] clamav "Can't unlink file ERROR"

2022-05-17 Thread G.W. Haywood via clamav-users

Hi there,

On Tue, 17 May 2022, An Schall via clamav-users wrote:


we are trying to get clamscan / clamdscan functional on a RHEL with
GPFS as a filesystem.


Is the operating system also on GPFS or is this a separate filesystem?

Do you have any examples of clamdscan actually being able to delete a
test file on this system, or can it never do that?


We are using clamAV 0.104.2. On a different test machine everything
works like a charm.


Does the system which appears to be working as you expect also use the
GPFS filesystem in the same way?


However, on this specific RHEL machine, we get the following errors:
# clamdscan -v --config-file=/etc/clamav/clamd.conf --multiscan \


Do you see the same problem using 'clamscan' instead of 'clamdscan'?


--fdpass ./ /global/mmds/test/platform/antivirus/antivirus/yes\
-virus/dissemination-benchmark-file-set-plus-virus.zip: Can't \
unlink file ERROR
...


Generally speaking it is dangerous to configure ClamAV utilities to
unlink files.  If you get it wrong, you can easily trash a perfectly
good system.  It's possible for ClamAV erroneously to flag something
in one of your system files - what we call a 'false positive'.  These
can happen at more or less any time without warning because signatures
in the official signature databases are updated at least twice per day
and other signatures (if you use them) may be updated at any time.  If
you configure ClamAV to delete suspicious files, you are trusting that
third parties won't make any mistakes that could ruin your whole week.
In any case I wonder if you can be sufficiently confident that you'll
never get it wrong yourself.  Speaking for myself, I'd never be sure
and I'd never let ClamAV delete anything except its own tempfiles.  Of
course you might be happy to delete files in a non-system partition if
you can be sure that's the limit of the foreseeable damage.


...
What is the underlying reason of this error message?


The underlying reason could be that clamdscan does not have permission to
unlink the file.  AppArmor and SELinux often give troubles like this.  In
this case that might not be the explanation.  You tell us that libclamav


"reports something about "cli_unlink" failure no such file or directory".


The exact error message is usually more helpful than "something about"
but this looks fairly straightforward.  The clue is in the part which
says "no such file or directory".  It seems to be saying that you are
asking libclamav to unlink a file which it can't find.  One thing you
might want to check is that the path which libclamav is complaining
about is what you would expect.  This looks suspicious to me:

/global/mmds/test/platform/antivirus/antivirus/...

Do you really have a directory 'antivirus' which contains a directory
called 'antivirus'?  It isn't impossible but when mounting filesystems
it's the sort of mistake that can happen.  In addition there are some
not-so-subtle differences between 'unlink' and 'remove' which might be
relevant especially if you're using unusual filesystems but I wouldn't
start digging that hole just yet.


Here is the clamd.conf:
...


The output of the command

clamconf -n

is often helpful.

I don't know why libclamav couldn't find the file that it was trying
to delete.  Perhaps it really wasn't there.  Perhaps there's something
funky going on in the filesystem.  Perhaps another process deleted the
file (or renamed it, moved it or part of the path, or whatever) before
libclamav tried.  You need to investigate.  I see you're using verbose
logging; detailed logs might help if you can place them e.g. on a file
sharing service for us to look at.

Read the man page for clamdscan.  Do be aware that although clamdscan
accepts many clamd options, it ignores most of them.  The actual scan
parameters are determined by the clamd configuration in effect at the
time that clamd was started.

Have you checked for possible ClamAV issues in the Github repository?
I don't see anything there which looks likely to explain your problem
and I haven't seen similar complaints on the list, but I might easily
have missed something.

--

73,
Ged.
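Added example (my own, not from the reply above and not a ClamAV tool): a small summariser for the result listing that clamscan/clamdscan print, so that "Can't unlink file ERROR" lines and their paths stand out from the OK and FOUND lines, and so that a path with a doubled directory component like the antivirus/antivirus one queried above gets flagged for a second look. Result lines are assumed to have the form "<path>: <signature> FOUND", "<path>: OK" or "<path>: <message> ERROR"; everything from the SCAN SUMMARY banner onwards is skipped. The sample listing is constructed for this example, reusing the path from the post.

```shell
#!/bin/sh
# Added example, not a ClamAV tool: summarise a clamscan/clamdscan result
# listing.  Counts OK / FOUND / ERROR results, prints every ERROR path, and
# marks paths that contain the same directory name twice in a row (the
# antivirus/antivirus pattern the reply points at).

# scan_log_summary [FILE...]   (reads stdin when no file is given)
scan_log_summary() {
    awk '
        /^-+ SCAN SUMMARY -+$/ { summary = 1 }
        summary                { next }          # skip the summary block
        / FOUND$/ { found++; next }
        /: OK$/   { ok++;    next }
        / ERROR$/ {
            error++
            path = $0
            sub(/: [^:]* ERROR$/, "", path)     # drop ": <message> ERROR"
            errs[error] = path
            next
        }
        END {
            printf "ok=%d found=%d error=%d\n", ok, found, error
            for (i = 1; i <= error; i++) {
                printf "error-path %s\n", errs[i]
                n = split(errs[i], part, "/")
                for (j = 2; j <= n; j++)
                    if (part[j] != "" && part[j] == part[j-1]) {
                        printf "odd-path %s (repeated \"%s\")\n", errs[i], part[j]
                        break
                    }
            }
        }' "$@"
}

# Constructed sample of clamdscan output; the ERROR line mirrors the post.
sample_scan_log() {
    cat <<'EOF'
/srv/share/report.pdf: OK
/srv/share/eicar.com: Eicar-Test-Signature FOUND
/global/mmds/test/platform/antivirus/antivirus/yes-virus/dissemination-benchmark-file-set-plus-virus.zip: Can't unlink file ERROR
/srv/share/notes.txt: OK

----------- SCAN SUMMARY -----------
Infected files: 1
Total errors: 1
EOF
}

# Stand-alone demo: prints the counts, the ERROR path and the odd-path note.
sample_scan_log | scan_log_summary
```

For a real run, redirect the output of the clamdscan command from the post into a file and pass that file to scan_log_summary; the odd-path lines are only a hint to re-check mount points, not proof of a problem.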



Re: [clamav-users] ClamAV 0.105.0 service deployed as a Docker container on AWS ECS seem to stop abruptly on startup

2022-05-12 Thread G.W. Haywood via clamav-users

Hi there,

On Wed, 11 May 2022, John Varghese via clamav-users wrote:


...
Tue May 10 20:14:59 2022 -> Reading databases from /var/lib/clamav

I need help understanding why the clamav service seems to hang after
the container starts.


Using clamd with Docker is a bit new.  I never tried it - I wouldn't
even consider it until it's bedded down for a couple of years - but
there do seem to be a few people using it.  I guess others with more
experience than I may be able to help if it's a genuine clamd/docker
issue which doesn't appear elsewhere.  There have been one or two of
those recently if you trawl the list archives, I'm afraid I can't be
precise because I more or less ignore things related to Docker.  The
search engines should make it easy to search for anything related to
Docker in the archives.  It should also be easy to search the issues
in Github (unless you're using the same browser that I use, Palemoon,
which apparently can't handle anything with 'git' in the domain name).

But first, are you sure it's hanging?  Is it perhaps just taking some
time to read the signature files?  I've seen some systems take several
minutes to do that.


Are there any other logs that will help understand the issue?


There are system logs which might help, but I wonder if we can get
more information about what's happening from clamd.  You can increase
the verbosity of the clamd log in the clamd configuration file (see docs)
and then you can see what's being loaded as it happens.

What do you see if you run 'top' while you're starting clamd?  I'd
expect if you sort the output by memory consumed that you'd see a
clamd process climb to the top of the list and stay there.  While it's
loading signatures you'll see whatever CPUs it's allowed to use being
fully utilized until the signatures are loaded, then after some time
(depending on the CPU cycles/s available to clamd) CPU usage will drop
away more or less to zero until clamd is instructed to scan something.

If the process just disappears of course you have a problem.  How much
RAM is available?  You should budget at least 2GB for clamd.  I'd say
3GB would be safer, and 4GB not unreasonable.  You can reduce RAM used
during the database reloads with a configuration option at the cost of
not being able to scan anything during a reload.

--

73,
Ged.
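Added example (my own, not from the reply above and not part of ClamAV): a shell function that does what the reply suggests doing with 'top', but from a script, so that "still loading signatures", "loaded and idle" and "process gone" can be told apart without watching the terminal. It samples the RSS and the cumulative CPU time of a given PID with ps; the process is treated as loaded and idle once it stops accumulating CPU between two samples while still being alive. The interval, sample count and idle threshold are my own parameter choices.

```shell
#!/bin/sh
# Added example, not part of ClamAV: poll a clamd process while it starts.
# Return codes of watch_clamd_startup:
#   0  alive and idle (signatures loaded, waiting for client connections)
#   1  the process has disappeared (crash, OOM kill, ...)
#   2  still burning CPU after MAX_SAMPLES samples

# Convert the [[dd-]hh:]mm:ss that 'ps -o time=' prints into seconds.
cpu_seconds() {
    printf '%s\n' "$1" | awk -F'[-:]' '
        NF == 4 { print $1 * 86400 + $2 * 3600 + $3 * 60 + $4; exit }
        NF == 3 { print $1 * 3600 + $2 * 60 + $3; exit }
                { print $1 * 60 + $2 }'
}

# watch_clamd_startup PID [INTERVAL_S] [MAX_SAMPLES] [IDLE_CPU_S]
# "Idle" means less than IDLE_CPU_S seconds of CPU used during one interval.
watch_clamd_startup() {
    pid="$1"; interval="${2:-5}"; max="${3:-60}"; idle="${4:-1}"
    i=0; prev=""
    while [ "$i" -lt "$max" ]; do
        stats=$(ps -o rss=,time= -p "$pid" 2>/dev/null || true)
        if [ -z "$stats" ]; then
            echo "pid $pid has gone away: check the clamd log and the kernel log for an OOM kill"
            return 1
        fi
        set -- $stats                       # $1 = RSS in KiB, $2 = CPU time
        now=$(cpu_seconds "$2")
        if [ -n "$prev" ]; then
            used=$((now - prev))
            echo "sample $i: rss=${1}KiB cpu_used_in_last_interval=${used}s"
            if [ "$used" -lt "$idle" ]; then
                echo "pid $pid is alive and idle: signatures loaded"
                return 0
            fi
        else
            echo "sample $i: rss=${1}KiB cpu_total=${now}s"
        fi
        prev="$now"
        i=$((i + 1))
        if [ "$i" -lt "$max" ]; then sleep "$interval"; fi
    done
    echo "pid $pid still busy after $max samples"
    return 2
}

# Usage: watch_clamd_startup "$(pidof clamd)" 5 60
if [ "$#" -ge 1 ]; then watch_clamd_startup "$@"; fi
```

A steadily rising RSS with CPU in use is the normal signature load; a flat RSS with CPU still in use for a long time is worth a look at the clamd log; the process vanishing (return 1) is the case the reply warns about, where RAM is the first thing to check.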



Re: [clamav-users] The antivirus signatures are outdated

2022-05-10 Thread G.W. Haywood via clamav-users

Hi there,

On Tue, 10 May 2022, Pena, Moises T [US] (SP) via clamav-users wrote:


Does anyone know how to extend the period in ClamTK so that the
message "The antivirus signatures are outdated" is displayed only if
the definitions are older than 30 days?


Why would you want to do this?  It seems to fly in the face of reason,
since new threats can be considerably more dangerous than old ones.

ClamTK is not part of the official ClamAV packages, but is provided by
a third party:

https://gitlab.com/dave_m/clamtk

Gitlab doesn't work with my browser.  Apart from the description on
the page above I have very little idea what ClamTK actually does.

The official ClamAV tool which updates the signature databases is
called 'freshclam'.  I expect that ClamTK will use it - if it didn't,
it would have difficulty with the content delivery network.  Freshclam
has a configuration file which lets you set the frequency of updates,
and also lets you disable warnings.  If ClamTK uses these facilities
your answer might be as simple as making very trivial changes to the
freshclam configuration file, but I can't say that for certain.  The
configuration file sets the frequency of checks which freshclam makes
in terms of the number of checks per day, and I've never heard of it
being set to a fractional value.  I'd be surprised if that worked.
However you don't have to rely on the freshclam configuration file to
set the frequency of freshclam updates.  Instead of running freshclam
as a daemon you can run it from cron for example, and then you can do
whatever you like.  You could run it annually if you like.  As I said,
I think that would be a very strange thing to want to do.

OTOH if ClamTK makes its own decisions about these things nothing I've
said here would be likely to help.  Perhaps others on this list use it
and might be able to help you more but you might have more luck if you
raise an issue on Gitlab.

--

73,
Ged.



Re: [clamav-users] ClamAV on Amazon Linux 2 with Graviton

2022-05-09 Thread G.W. Haywood via clamav-users

Hi there,

On Mon, 9 May 2022, Ben Steranka via clamav-users wrote:


...
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.101.4 Recommended version: 0.103.6
DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav
WARNING: Can't download main.cvd from database.clamav.net


Old versions of ClamAV's freshclam utility are blocked from downloading
the official signature databases.  This restriction was implemented as
a result of massive abuse of the download servers.

If you want to use the official databases, you really need to upgrade
to a supported version.  See the ClamAV blog for more information:

http://blog.clamav.net/

--

73,
Ged.



Re: [clamav-users] mimedefang/clamav plagued with 'problem running virus scanner'

2022-05-09 Thread G.W. Haywood via clamav-users

Hi there,

On Mon, 9 May 2022, Anthony Griffiths via clamav-users wrote:


clamav will not create a clamd.sock file when started up.
I've tried so many different things but I don't know what else to do
to get clamav to create this socket file.


There are quite a few things which can go wrong.  Trying to do things
without a clear plan of attack is most unlikely to get you where you
want to be.  You need an ordered, logical approach based on the way
things are in Unix-style systems.  Welcome to system administration!


in clamd.conf I have
LocalSocket /var/spool/MIMEDefang/clamd.sock
LocalSocketGroup defang
FixStaleSocket yes
User defang

but in the maillog I keep getting mimedefang.: Could not connect
to clamd daemon at /var/spool/MIMEDefang/clamd.sock
that's because the file isn't there because clamav just will not create
it. I've tried rebooting the machine but it still doesn't work. I know
I'll never resolve this problem unless I can get clamav to create a
clamd.sock file but I'm stumped as to why it will not create one.


For clamd to create a socket in the directory /var/spool/MIMEDefang/
several things are necessary.  Normally most of it would be taken care
of automatically when you install packages from your distribution, and
if you did use packages I wonder where things went wrong, but we can
worry about that later.  Off the top of my head:

1. The clamd configuration must specify that that is where it's to be.

2. The user and group in the configuration must exist on the system.

3. The configured directory must exist.

4. The configured directory must be writeable by the clamd process.

5. There must not be an existing file/socket with the same name in the
same directory, especially one with different owner/group/permissions
which gets in the way.  I think we've got this covered. :)

6. The clamd process must have been started.

7. The clamd process must at least have attempted to create the socket,
in other words nothing _else_ must have gone wrong before it tried. :/

You haven't given enough information for me to know that most of those
things are true, so we'll need to do a bit of work.  It isn't difficult
but it won't happen by accident.  Taking the requirements one by one:

1. You've said that clamd.conf contains some things, but you haven't
shown any evidence that when you try to start clamd it's really using
that file for its configuration.  Can you demonstrate that somehow?
Many distributions invite confusion because they change the upstream
defaults for configuration file locations and names, then set up their
own scripts to start, stop and query daemons like clamd.  It might not
be obvious what's really being used.  One way to be sure is to run the
clamd daemon directly from the command line, for example something like

# /usr/local/sbin/clamd -c /usr/local/etc/clamd.conf

but note that I've just given this as an example.  Your clamd binary
might not be in /usr/local/sbin/ (although it *is* very likely called
'clamd') and your clamd.conf might not be in /usr/local/etc/ (and it
might not be called clamd.conf, and there might even be more than one
file making up the configuration - and then more work may be needed).
Note that this is a command issued by root, that's necessary so that
the clamd process can change its UID and GID to those configured; if
you run the command as an unprivileged user, it won't work unless the
user is the one configured in the clamd.conf file.  Quite often when
you run a daemon from the command line you'll get error messages sent
to the terminal instead of some log file somewhere if some boot script
starts it for you.  That often helps track down problems.

2. Can you show that the user and group specified in the configuration
file exist on the system?  Look in /etc/passwd and /etc/group for them,
for example

# grep defang /etc/passwd /etc/group

3. Have you satisfied yourself that the configured directory exists?
You can do this with the command 'ls /var/spool/' for example.

4. Have you satisfied yourself that clamd could write to that directory
when it runs with the permissions that your configuration will give to
it?  Again, the 'ls' command (with the -l option) will be useful as it
tells you the owner, group and permissions.  You'll need something like

# ls -l /var/spool/
...
...
drwxr-x--- 2 defang defang 60 May  7 12:17 MIMEDefang



This snippet of output says amongst other things that MIMEDefang is a
directory, that the user 'defang' can read, write and search it, that
the group 'defang' can read and search BUT NOT WRITE in it, and that
other users can't do anything in there at all.  You *might* want the
'group write' bit set (drwxrwx--- instead of drwxr-x---) but only if
you want some process which is *not* owned by the defang user but *is*
in that group to be able to write in there.  You probably don't, as
it's clamd which will create the socket in there (and so needs write
permission) but nothing else needs it.  You don't need to be able to

Re: [clamav-users] newbie: can't get clamd started

2022-05-06 Thread G.W. Haywood via clamav-users

Hi there,

On Fri, 6 May 2022, Anthony Griffiths via clamav-users wrote:


I managed to install clamav-0.103.5 but I can't get it to work with
mimedefang. In the maillog I always get:

mimedefang.pl[3520]: 245Fuojh003739: Could not connect to clamd daemon
at /var/spool/MIMEDefang/clamd.sock


When you use clamd to scan mail, something (obviously) has to send the
mail to clamd.  The data passes between the process which sends it and
the clamd process through something called a socket.  If the processes
are on different machines (as I explained is the way I do it here) the
socket will be a network-style socket.  It can also be that kind of
socket if the processes are on the same machine, but usually it's what
we call a Unix socket.  The socket appears in the filesystem as a file
and it has characteristics usually associated with files, e.g. a name,
ownerships and a set of permissions.  Whatever sends the mail to clamd
and clamd itself need both to be configured with those things in mind.
To communicate with each other, the processes share a single socket.
It's clamd which creates it.  MIMEDefang looks for it.  Obviously the
socket needs to be created before MIMEDefang looks for it so clamd has
to be started before MIMEDefang so the socket is there to be found.


when I ran ./configure to install mimedefang it detected clamd and it said:
'Make sure clamd runs as the defang user!'
how does one do this?


It's not strictly necessary.  The daemons need to be able to confer,
and having them all run as the same user/group IDs is one way that can
be used to give them the needed permissions on the shared socket.

If the process sending the data to clamd doesn't have write permission
for the socket then clamd won't get the data.  If it doesn't have read
permission, it won't get clamd's replies.

The clamd configuration in clamd.conf (or whatever danged silly name
this configuration file has in a Fedora/RedHat/CentOS system) tells
clamd the owner/group that it's to run as.  The ownership/group of the
socket created by clamd will be that of the user and group given there
too.  MIMEDefang has configuration information stored in a similar way
in its configuration file.  The socket pathname needs to be the same
in both configurations so that the two daemons can talk to each other
via that socket.  If the daemons happen to be running as two different
users you can get around the socket ownership/permissions by putting
those users in the same group.  You can create a group for the purpose
or use an existing one like clamav or mimedefang.  Give the socket the
same group ID and group read/write permission.  You could instead give
to the socket read and write permission for *everyone*, but that's bad
advice so only do it for testing.


I tried:
# runuser -l defang -c/usr/local/sbin/clamd &
but md still throws the same error. it's not creating the clamd.sock file.


If clamd is in /usr/local/sbin/clamd then to start it from the command
line you could just type

/usr/local/sbin/clamd

but you need to configure it by editing the configuration file(s) first.
I say "file(s)" because some distributions mess about with configuration
file names and locations, and Red Hat in particular is one of them.

You can send commands to clamd from the command line for testing.
Read the man page using

man clamd

which explains the syntax.  For example after I edit my Yara rules, I
might send the 'reload' command to the clamd daemon using

# echo "RELOAD" | telnet 192.168.33.19 3310

Notice that's root sending the command, so it has the permissions.  If
I tried to do that using my own account

$ echo "RELOAD" | telnet 192.168.33.19 3310

it would fail.  My own account doesn't have the needed permissions.

You can set verbose logging in the configuration, and look in the logs
to get more information than you ever thought you wanted about what's
happening at startup...

--

73,
Ged.
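Added example (my own, not from either reply and not part of ClamAV or MIMEDefang): a script that walks the numbered checklist from the "mimedefang/clamav plagued" reply above (configuration names the socket; user and group exist; directory exists; directory writable by the clamd user; nothing squatting on the socket path; clamd actually running) and the socket ownership and group-permission points made in this reply, against the clamd.conf that clamd really loads. Writability is judged from the owner/group/other bits that 'ls -ld' prints, as in that reply; the directive names LocalSocket, LocalSocketGroup, FixStaleSocket and User are the ones quoted in the original question. The return value is the number of failed checks.

```shell
#!/bin/sh
# Added example, not part of ClamAV or MIMEDefang: check the preconditions
# clamd needs in order to create its LocalSocket.  One ok/FAIL/info line per
# requirement; the return value is the number of FAILed checks.

# First value of a clamd.conf directive (comment lines never match).
conf_get() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Can USER write in DIR?  Decided from the owner/group/other bits that
# 'ls -ld' prints; USER's groups are taken from 'id -Gn'.
dir_writable_by() {
    dir="$1"; who="$2"
    set -- $(ls -ld "$dir")
    perm="$1"; owner="$3"; grp="$4"
    if [ "$owner" = "$who" ]; then
        bit=$(printf '%s' "$perm" | cut -c3)
    elif id -Gn "$who" 2>/dev/null | tr ' ' '\n' | grep -qx "$grp"; then
        bit=$(printf '%s' "$perm" | cut -c6)
    else
        bit=$(printf '%s' "$perm" | cut -c9)
    fi
    [ "$bit" = "w" ]
}

# clamd_socket_check CLAMD_CONF
clamd_socket_check() {
    conf="$1"; fails=0
    sock=$(conf_get "$conf" LocalSocket)
    user=$(conf_get "$conf" User)
    group=$(conf_get "$conf" LocalSocketGroup)
    if [ -z "$group" ]; then group=$(id -gn "$user" 2>/dev/null || true); fi

    # 1. the configuration must say where the socket goes
    if [ -n "$sock" ]; then
        echo "ok   1 LocalSocket $sock"
    else
        echo "FAIL 1 no LocalSocket in $conf (is this the file clamd reads?)"
        return 1
    fi
    # 2. the configured user and group must exist
    if id "$user" >/dev/null 2>&1; then
        echo "ok   2 user $user exists"
    else
        echo "FAIL 2 user '$user' not found (grep $user /etc/passwd)"; fails=$((fails + 1))
    fi
    if grep -q "^$group:" /etc/group 2>/dev/null \
       || id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$group"; then
        echo "ok   2 group $group exists"
    else
        echo "FAIL 2 group '$group' not found (grep $group /etc/group)"; fails=$((fails + 1))
    fi
    # 3. the socket's directory must exist
    dir=$(dirname "$sock")
    if [ -d "$dir" ]; then
        echo "ok   3 directory $dir exists"
    else
        echo "FAIL 3 directory $dir missing (ls -l $(dirname "$dir"))"
        return $((fails + 1))
    fi
    # 4. clamd, running as $user, must be able to create the socket there
    if dir_writable_by "$dir" "$user"; then
        echo "ok   4 $dir writable by $user"
    else
        echo "FAIL 4 $dir not writable by $user: $(ls -ld "$dir")"; fails=$((fails + 1))
    fi
    # 5. nothing else may already occupy the socket path
    if [ ! -e "$sock" ]; then
        echo "ok   5 nothing at $sock yet"
    elif [ -S "$sock" ] && [ "$(conf_get "$conf" FixStaleSocket)" = "yes" ]; then
        echo "ok   5 stale socket at $sock; FixStaleSocket yes lets clamd replace it"
    else
        echo "FAIL 5 $sock exists and clamd will not remove it: $(ls -l "$sock")"; fails=$((fails + 1))
    fi
    # 6./7. is clamd running at all?  If not, start it by hand and read its errors.
    if ps -A -o comm= 2>/dev/null | grep -qx clamd; then
        echo "info 6 a clamd process is running"
    else
        echo "info 6 no clamd process found; start it from the command line and watch the output"
    fi
    echo "$fails check(s) failed"
    return "$fails"
}

# Usage (as root, against the configuration clamd actually loads):
#   clamd_socket_check /etc/clamav/clamd.conf
if [ "$#" -eq 1 ]; then clamd_socket_check "$1"; fi
```

Run it as root with the path you pass to clamd on the command line, so that the file being checked is the one the daemon reads; a FAIL on check 4 with the group-write bit clear is the place to decide, as the reply says, whether the client belongs in the socket's group rather than opening the socket to everyone.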



Re: [clamav-users] newbie: can't get clamd started

2022-05-06 Thread G.W. Haywood via clamav-users

Hi there,

On Fri, 6 May 2022, Anthony Griffiths via clamav-users wrote:

On Fri, May 6, 2022 at 12:10 AM G.W. Haywood wrote:

On Thu, 5 May 2022, Anthony Griffiths via clamav-users wrote:


I'm running clamav on centos 7, got it using clamav-0.101.4.tar.gz.
...


ClamAV version 0.101.4 is almost certainly no use to you ...
... I believe that ClamAV is packaged in the EPEL repository
...

... clamav ... on a raspberry pi and epel is not supported ...


Why not try RasPiOS or Debian instead?  Then you could (I think) just
install ClamAV from packages.


I should have also mentioned I'm using clamav with mimedefang


A few years ago MIMEDefang seemed to head downhill fast, and I cut it
loose, which I'd been planning to do for a while anyway because I'd
written my own Perl milters.  There was no new release of MIMEDefang
between March 2018 and August 2021 but there does recently seem to be
some activity again.  I'd still think caution would be advisable.


only to filter malware out of my mail, no other reason.


If your main concern is viruses you might want to check e.g. the list
archives for estimates of the performance of ClamAV compared to other
virus scanners.

We use ClamAV primarily for filtering mail although the target is spam
rather than malware.  Our clamd server runs 'Buster' on a 4GByte Pi4B.
It does crash now and then (it isn't ClamAV which causes the crashes)
but we run a watchdog on it.  We also have some 8Gbyte Pis, and touch
wood I've never seen one of those crash, but I'm happy enough with the
4G version for scanning mail as the mail volumes are quite small.  The
4G Pi4B would probably cope with running the mail server as well but I
wouldn't be happy for that to crash so often.  All the mail software,
including ClamAV, is built from source although the Pi isn't actually
the mail server - it just runs clamd which listens for TCP connections
from the mail server when mail needs to be scanned.  There have been a
lot of changes to the ClamAV build system recently and it was a bit of
a performance building recent versions on the Pi:

https://lists.clamav.net/pipermail/clamav-users/2021-July/011569.html


so my next question is do I have to uninstall version clamav-0.101.4
before I install a newer version? or could I just install a newer
version over the top?


Until recently I'd have said just install over the top, which is what
I always do, but because of the recent build system changes I wouldn't
be so confident saying this for a system with which I have no current
experience.  If scanning mail using ClamAV is your main reason for
running the Pi and your build skills are a bit rusty, I'd suggest you
use an OS which is as up to date as possible and for which packages
are available for ClamAV and as much of the software that you want to
use as possible.  You might not be getting the most up to date ClamAV
but at least you might be spared the pain of the new build system.  I
doubt that the scanning performance of the latest version will be much
better than for recent supported versions.  My desktop thin client is
running 64-bit RasPiOS 'Bullseye' on an 8G Pi4B so it's very doable.

8<--
raspberrypi:$ apt show clamav
Package: clamav
Version: 0.103.5+dfsg-0+deb11u1
Priority: optional
Section: utils
Maintainer: ClamAV Team 
...
8<--

If you're up for some pain I'd recommend that you go for version 105.0
of ClamAV because it's only just been released (May 4th 2022) and the
developers do read this list.  But do try to get a feel for its likely
performance before you spend a lot of time and energy on building it.

--

73,
Ged.



Re: [clamav-users] newbie: can't get clamd started

2022-05-05 Thread G.W. Haywood via clamav-users

Hi there,

On Thu, 5 May 2022, Anthony Griffiths via clamav-users wrote:


I'm running clamav on centos 7, got it using clamav-0.101.4.tar.gz.
...


ClamAV version 0.101.4 is almost certainly no use to you because it's
past EOL and it will be blocked from downloading signature databases.

Check the ClamAV Website for information about ClamAV support:

https://docs.clamav.net/manual/Installing/Packages.html

I believe that ClamAV is packaged in the EPEL repository; I don't know
what version, but I'm sure it will be easier for you to install.  Even
if the package is a little out of date, at least you would have the
basic layout of the files you need to work with, probably a working
configuration, and the startup scripts would be set up for you.

How long have you been using CentOS?  What do you want to achieve?

--

73,
Ged.



Re: [clamav-users] How to stop receive messages.

2022-05-04 Thread G.W. Haywood via clamav-users

Hi there,

On Thu, 5 May 2022, Eric Jin via clamav-users wrote:


I don't want to receive any posted messages. Please tell me how to stop it.


Instructions are in the headers of any mail which you receive from the list.

--

73,
Ged.



Re: [clamav-users] error files in /

2022-05-04 Thread G.W. Haywood via clamav-users

Hi there,

On Wed, 4 May 2022, Hoevenaar, Jeffrey (GE Aviation, US) via clamav-users wrote:


I am getting these strange files in the root file system "/" on my linux 
servers.

-rw-r-.   1 root root   98 Apr 13 08:00 @??E?U
-rw-r-.   1 root root   75 Apr 26 08:00 @g6??U
-rw-r-.   1 root root   75 Apr  1 08:00 @g)$?U


The files contain the error message.

ERROR: ClamClient: Connection to clamd failed, Couldn't resolve host name.
ClamScanQueue: stopped


Do they all contain the same error message?  Two of the files are 75
bytes long, the other one is 98 bytes.  The error message in your post
is (give or take formatting in an email) 98 bytes.  The first line of
the error is 75 bytes (with the same proviso).

To connect to clamd, an IP address would be more reliable than a
hostname.  It wouldn't rely on some flaky name resolution service.

In any case more information is needed.  Please could you let us have
the output of the command

clamconf -n

cut and pasted into an email so that there are no accidental changes?


I believe it is occurring when the clam services are restarted each day.


It isn't really necessary to restart those services daily, but it
probably won't do any harm and it might help highlight some issues
(for example like this one).  But I'd be inclined to disable the
restarts, at least for a while, just to find out if the restarts
really are triggering this.


Any idea how to route these error messages elsewhere?


It will be easy to do but more information is needed.  There are very
few reasons to write files in the root directory, and nothing like
ClamAV has any business doing that.  It might mean there's something
wrong with your configuration; it might not be the ClamAV-specific
configuration but that's a place to start.  ClamAV might be started or
restarted by some configuration that's provided by your operating
system distribution, and not by ClamAV itself.  It would help if you
could give us information about that, such as the OS distribution(s),
the packages which provide ClamAV, etc. and any local configuration
changes made to the distribution defaults.  The ideal would be to get
any utility (such as one provided by ClamAV) to know where to write
its error output (e.g. /var/log/somewhere) before actually doing it.

--

73,
Ged.



Re: [clamav-users] clamav/safebrowsing updates?

2022-04-25 Thread G.W. Haywood via clamav-users

Hi there,

On Mon, 25 Apr 2022, Alex via clamav-users wrote:


Is the clamav-safebrowsing repository still maintained?


https://blog.clamav.net/2020/06/the-future-of-clamav-safebrowsing.html

--

73,
Ged.



Re: [clamav-users] Update problem today

2022-04-23 Thread G.W. Haywood via clamav-users

Hi there,

On Sat, 23 Apr 2022, Paul Smith via clamav-users wrote:

Hi, I'm using ClamAV 104.2 (for Windows) and am getting an update problem 
which looks like one of the mirrors isn't updated properly. It's been doing 
this all day.
It's seeing that the latest version is 26521, but the file it's downloading 
is 26520 and then it's trying to download a patch and that is failing ...


The update to 26521 happened here at 13:29 UTC today, no problem.


...
ERROR: buildcld: Can't add daily.ldb to new daily.cld - please check if there 
is enough disk space available


Did you check?

--

73,
Ged.
