Re: [Clamav-users] Request for Testing
Tomasz Kojm wrote:
> Dear ClamAV users,
>
> with the release of 0.93RC1 [1] we've made some significant changes to the ClamAV engine and tools. The most notable change is the new logic of limits - please find the aCaB's post on this here:
> http://lurker.clamav.net/message/20080313.165458.ac80f65a.en.html

Hi,

For 0.93RC1 build, I noticed a new 'warning' message when running configure on Solaris 9 Sparc box:

checking whether FPU byte ordering is bigendian... auto
configure: WARNING: Unable to determine FPU endianess, some features may not be available in this build
checking whether byte ordering is bigendian... yes
checking for a supported version of gcc... ok (3.4.6)

Does the indeterminate FPU endianness make any difference?

Thanks!
Jon K.

--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
o: 843-849-8214
m: 843-224-2494

==
Filtered by: TRUSTEM.COM's Email Filtering Service
http://www.trustem.com/
No Spam. No Viruses. Just Good Clean Email.

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
[Clamav-users] ClamAV Memory Leak?
Hi,

Running clamd 0.93rc1 on Solaris 9 Sparc. Built it with gcc 3.4.6.

I know there was a recent thread on clamd memory usage (that rapidly deteriorated into a discussion on scanning email), but I never saw a clear answer to the original question.

On 0.92, memory usage would start off around 24/20MB (SIZE/RSS) and grow to maybe 32/24MB after a few hours.

On 0.93rc1, memory usage starts off at about 38/32MB and rapidly grows to about 48/44MB, then seems to add about another 2MB for every 20 to 30 scans. I have had it hit over 120/110 in less than a half day -- but not always (seems random). Never saw this type of growth in previous revs.

Is this the result of some new features or is it a potential memory leak?

Suggestions to debug?

THANKS!
Jon Kibler

--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
o: 843-849-8214
m: 843-224-2494
Re: [Clamav-users] ClamAV Memory Leak?
Török Edwin wrote:
> Jon R. Kibler wrote:
>
> Does memory usage ever decrease?

I have never seen it decrease.

> > Suggestions to debug?
>
> On Linux I would run clamscan under valgrind, and scan some samples (but that is very slow). Maybe a similar tool exists for Solaris?
> DMalloc seems to be available for Solaris: http://dmalloc.com/docs/latest/online/dmalloc_17.html#SEC21
>
> Or you could scan a set of samples, and watch memory usage of clamd. If you see an increase in mem usage, and it doesn't drop back, open a bugreport and attach the sample.
>
> You can also get some malloc statistics with this patch: https://wwws.clamav.net/bugzilla/show_bug.cgi?id=749

Okay, I will try these -- it will be a day or two before I get time.

THANKS!
Jon K.

--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
o: 843-849-8214
m: 843-224-2494
Re: [Clamav-users] Re: New warnings on Solaris 9 build of 0.83
René Berber wrote:
>
> I didn't have any problem with resolv.h under Solaris 9, to sort that
> out you better look into config.log and see exactly what failed.
>
> I have the original resolv.h for BIND 4.9.4 that came with the OS even
> though I also have Bind 8.3 installed.
>

Snippet from config.log follows signature paragraph.

Using the original resolver libraries on this system. However, running BIND 9.3.x.

The original resolver includes are in: /usr/include/resolv.h
The new resolver includes are in: /usr/local/bind/include/resolv.h

I don't have an include path explicitly set, so I presume that gcc is using the original headers.

Nothing about this configuration (other than the version of BIND and ClamAV) has changed since the last time I built clamav, so any idea why it is starting to gag on resolv.h?

Also, at what version did clamav start using libcurl and for what? I must have missed that in the release notes.

Again, TIA for all help!

Jon Kibler
--
Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC USA
(843) 849-8214

CONFIG.LOG
==
> This file contains any messages produced by compilers while
> running configure, to aid debugging if configure makes a mistake.
>
> It was created by configure, which was
> generated by GNU Autoconf 2.59. Invocation command line was
>
> $ ./configure --with-user=defang --with-group=smmsp
> --with-dbdir=/var/clamav/databases --enable-bigstack --with-gnu-ld
>
> ## - ##
> ## Platform. ##
> ## - ##
>
> hostname = **DELETED**
> uname -m = sun4u
> uname -r = 5.9
> uname -s = SunOS
> uname -v = Generic_112233-04
>
> *** DELETED ***
>
> configure:10740: checking for __dn_expand in -lresolv
> configure:10770: gcc -o conftest -g -O2 -I/usr/local/include -lsocket -lnsl
> -L/usr/local/lib conftest.c -lresolv -lsocket -lnsl >&5
> Undefined                       first referenced
>  symbol                             in file
> __dn_expand                         /tmp/ccIQpq9v.o
> ld: fatal: Symbol referencing errors. No output written to conftest
> collect2: ld returned 1 exit status
> configure:10776: $? = 1
> configure: failed program was:
> | /* confdefs.h. */
> |
> | #define PACKAGE_NAME ""
> | #define PACKAGE_TARNAME ""
> | #define PACKAGE_VERSION ""
> | #define PACKAGE_STRING ""
> | #define PACKAGE_BUGREPORT ""
> | #define PACKAGE "clamav"
> | #define VERSION "0.83"
> | #define STDC_HEADERS 1
> | #define HAVE_SYS_TYPES_H 1
> | #define HAVE_SYS_STAT_H 1
> | #define HAVE_STDLIB_H 1
> | #define HAVE_STRING_H 1
> | #define HAVE_MEMORY_H 1
> | #define HAVE_STRINGS_H 1
> | #define HAVE_INTTYPES_H 1
> | #define HAVE_UNISTD_H 1
> | #define HAVE_DLFCN_H 1
> | #define SCANBUFF 131072
> | #define FILEBUFF 8192
> | #define STDC_HEADERS 1
> | #define HAVE_UNISTD_H 1
> | #define HAVE_SYS_INT_TYPES_H 1
> | #define HAVE_DLFCN_H 1
> | #define HAVE_INTTYPES_H 1
> | #define HAVE_SYS_INTTYPES_H 1
> | #define HAVE_MEMORY_H 1
> | #define HAVE_STDLIB_H 1
> | #define HAVE_STRINGS_H 1
> | #define HAVE_STRING_H 1
> | #define HAVE_SYS_MMAN_H 1
> | #define HAVE_SYS_PARAM_H 1
> | #define HAVE_SYS_STAT_H 1
> | #define HAVE_SYS_TYPES_H 1
> | #define HAVE_MALLOC_H 1
> | #define HAVE_POLL_H 1
> | #define HAVE_REGEX_H 1
> | #define HAVE_LIMITS_H 1
> | #define HAVE_SYS_FILIO_H 1
> | #define HAVE_SYS_UIO_H 1
> | #define USE_SYSLOG 1
> | #define SIZEOF_SHORT 2
> | #define SIZEOF_INT 4
> | #define SIZEOF_LONG 4
> | #define SIZEOF_LONG_LONG 8
> | #define HAVE_POLL 1
> | #define HAVE_SETSID 1
> | #define HAVE_MEMCPY 1
> | #define HAVE_SNPRINTF 1
> | #define HAVE_VSNPRINTF 1
> | #define HAVE_STRLCPY 1
> | #define HAVE_STRLCAT 1
> | #define HAVE_INET_NTOP 1
> | #define HAVE_SETGROUPS 1
> | #define HAVE_INITGROUPS 1
> | #define HAVE_STDLIB_H 1
> | #define HAVE_UNISTD_H 1
> | #define HAVE_GETPAGESIZE 1
> | #define HAVE_MMAP 1
> | #define HAVE_FSEEKO 1
> | #define HAVE_ZLIB_H 1
> | #define NOBZ2PREFIX 1
> | #define HAVE_BZLIB_H 1
> | /* end confdefs.h. */
> |
> | /* Override any gcc2 internal prototype to avoid an error. */
> | #ifdef __cplusplus
> | extern "C"
> | #endif
> | /* We use char because int might match the return type of a gcc2
> |builtin and then its argument prototype would still apply. */
> | char __dn_expand ();
> | int
> | main ()
> | {
> | __dn_expand ();
> | ;
> | return 0;
> | }
> configure:10801: result: no
> configure:10808: checking for dn_expand in -lresolv
> configure:10838: gcc -o conftest -g -O2 -I/usr/local/include -lsocket -lnsl &
[Clamav-users] ClamAV -- Squid Cache Integration
Hello,

Looking for a way to scan all incoming web content using ClamAV. Is anyone aware of any integration of ClamAV into the Squid Cache proxy server? Similar open-source solutions?

THANKS!
Jon Kibler
--
Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC USA
(843) 849-8214
Re: [Clamav-users] ClamAV -- Squid Cache Integration
Rob MacGregor wrote:
>
> On Thu, 17 Mar 2005 13:43:11 -0500, Jon R. Kibler <[EMAIL PROTECTED]> wrote:
> > Hello,
> >
> > Looking for a way to scan all incoming web content using ClamAV. Is anyone
> > aware of any integration of ClamAV into the Squid Cache proxy server?
> > Similar open-source solutions?
>
> Well, there are a number documented on the ClamAV site:
>
> http://www.clamav.net/3rdparty.html#proxy
>
> But, of course, you've already looked there :-)
>

Duh... must be brain dead. Looked everywhere but under 'downloads' -- such as 'who is using it', 'documentation', 'FAQ', etc... but didn't consider that the info would be under 'downloads'.

(Maybe the link would be more obvious if moved to be under 'about' or 'support', since the links don't actually download the indicated app?)
Re: [Clamav-users] ClamAV -- Squid Cache Integration
Kritof Petr wrote:
> You can try http://sourceforge.net/projects/squidclam/
>
> small and simple program, easy to install.

This looks very interesting. However, I have a question that I don't see an answer to: These programs that are based on libclamav -- do they have to reread the virus database for each scan, or do they cache it like clamd?

THANKS!
Jon Kibler
--
Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC USA
(843) 849-8214
[Clamav-users] Phishing detection
Greetings,

Can someone please tell me how ClamAV goes about phishing detection? I presume it has something to do with libcurl going out to a web site and some checks being performed on whatever is returned.

We have had several phishes get through -- most appear to be Google, About, or Ebay redirects, such as:

href="http://www.google.com/url?sa=U&q=http://81.196.204.130:82/webscr/index.php";

(A PayPal phish.)

Sites were hot at the time the messages were received, so either my concept of how ClamAV blocks phishing is wrong or the detection method is not as generic as I would have thought.

Also, I would add that I have submitted a few of these phishes to ClamAV's virus submission and they all seem to get discarded without comment.

Any info appreciated!

Jon Kibler
--
Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC USA
(843) 849-8214
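The redirect pattern in the message above can be checked statically. The following is an added example, not part of the original post and not ClamAV's detection logic: it unwraps destination URLs carried in redirector query parameters, without any network access, and flags final targets that use an IP-literal host or a non-default port. The names REDIRECT_PARAMS, unwrap and findings are assumptions, and NESTED_SAMPLE is a constructed input.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Assumption: query parameters that commonly carry a redirector's destination.
REDIRECT_PARAMS = ("q", "url", "u", "dest", "target")
DEFAULT_PORTS = {"http": 80, "https": 443}

# The link quoted in the message above.
PAGE_SAMPLE = "http://www.google.com/url?sa=U&q=http://81.196.204.130:82/webscr/index.php"
# Constructed sample: two redirectors chained, inner URLs percent-encoded.
NESTED_SAMPLE = ("http://www.google.com/url?sa=U&q=http%3A%2F%2Fexample.org%2Fr"
                 "%3Furl%3Dhttp%253A%252F%252F192.0.2.7%252Flogin")


def unwrap(url, max_depth=5):
    """Return the chain of URLs, outermost first, by reading redirect
    parameters only (nothing is fetched). max_depth bounds nested chains."""
    chain = [url]
    for _ in range(max_depth):
        query = parse_qs(urlsplit(chain[-1]).query)
        nxt = None
        for name in REDIRECT_PARAMS:
            value = query.get(name, [""])[0]
            if value.lower().startswith(("http://", "https://")):
                nxt = value
                break
        if nxt is None:
            break
        chain.append(nxt)
    return chain


def findings(url):
    """Return (final_url, flags) for a link found in a message body."""
    chain = unwrap(url)
    final = urlsplit(chain[-1])
    flags = []
    if len(chain) > 1:
        flags.append("redirector")
    try:
        ipaddress.ip_address(final.hostname or "")
        flags.append("ip-literal-host")
    except ValueError:
        pass  # a DNS name, not an address
    try:
        port = final.port
    except ValueError:  # non-numeric or out-of-range port
        port = None
        flags.append("invalid-port")
    if port is not None and port != DEFAULT_PORTS.get(final.scheme):
        flags.append("non-default-port")
    return chain[-1], flags


if __name__ == "__main__":
    for sample in (PAGE_SAMPLE, NESTED_SAMPLE):
        print(findings(sample))
```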
[Clamav-users] clamd 0.88.2 hangs
Hello,

Upgraded to clamav 0.88.2 on Sunday. We use clamdwatch to monitor clamd. Ever since the upgrade, clamdwatch reports that clamd has hung about 8 to 10 times a day -- sometimes more. (Our supporting shell script then restarts clamd.) We run clamdwatch once a minute.

How do we go about debugging this? Any chance that clamdwatch is reporting a hung clamd when it is really not hung?

We have verbose logging enabled and the last clamd log entry before shutdown is almost always the EICAR test sig.

Environment:
  Solaris 9 w/ all security patches on a blade 250
  load avg at time of reported hangs usually < 0.2
  built with gcc version 3.4.1
  clamav configure options (which have been in use for several years): --enable-bigstack --with-gnu-ld
  clamdwatch is run with only the -q option

Thanks for all help!

Jon Kibler
--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
(843) 849-8214
Re: [Clamav-users] clamd 0.88.2 hangs
Dennis Peterson wrote:
>
> Jon R. Kibler wrote:
> > Hello,
> >
> > Upgraded to clamav 0.88.2 on Sunday. We use clamdwatch to monitor clamd. Ever
> > since the upgrade, clamdwatch reports that clamd has hung about 8 to 10 times
> > a day -- sometimes more. (Our supporting shell script then restarts clamd.)
> > We run clamdwatch once a minute.
> >
> > How do we go about debugging this?
>
> Possibly you've hit a limit on threads or other configurable. You might
> have your clamdwatch run ps -elLf |grep clam >>/tmp/clamdwatch.log just
> before it kills the patient, for example. Review your configuration file
> to see if any limits are getting in the way.
>
> Modify the script so that it retries a couple times before pulling the
> trigger.

Dennis:

Well, Murphy must hate me. I added a system call at the beginning of clamdwatch to capture ps as you suggested. With that change, everything now seems to be working. Weird. I will keep it running like that for a while and see if it again appears to break.

From what I see from ps, we have plenty of all resources needed, so I do not think it is a resource starvation issue. But, we'll see.

THANKS!
Jon Kibler
--
Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC USA
(843) 849-8214
[Clamav-users] Segfaults and hangs
Greetings,

We have had ClamAV hang or segfault several times in recent days. Here is a log from a segfault a few minutes ago. The system had just automatically restarted clamd a few minutes before the segfault (at the time the log begins), because clamd had hung.

> Sun Jun 11 12:15:16 2006 -> +++ Started at Sun Jun 11 12:15:16 2006
> Sun Jun 11 12:15:16 2006 -> clamd daemon 0.88.2 (OS: solaris2.9, ARCH: sparc, CPU: sparc)
> Sun Jun 11 12:15:16 2006 -> Log file size limited to 83886080 bytes.
> Sun Jun 11 12:15:16 2006 -> Verbose logging activated.
> Sun Jun 11 12:15:16 2006 -> Running as user defang (UID 104, GID 25)
> Sun Jun 11 12:15:16 2006 -> Reading databases from /var/clamav/databases
> Sun Jun 11 12:15:22 2006 -> Protecting against 59020 viruses.
> Sun Jun 11 12:15:23 2006 -> WARNING: Socket file /var/clamav/clamd.sock exists. Unclean shutdown? Removing...
> Sun Jun 11 12:15:23 2006 -> Unix socket file /var/clamav/clamd.sock
> Sun Jun 11 12:15:23 2006 -> Setting connection queue length to 60
> Sun Jun 11 12:15:23 2006 -> Listening daemon: PID: 11590
> Sun Jun 11 12:15:23 2006 -> Archive: Archived file size limit set to 47185920 bytes.
> Sun Jun 11 12:15:23 2006 -> Archive: Recursion level limit set to 12.
> Sun Jun 11 12:15:23 2006 -> Archive: Files limit set to 1500.
> Sun Jun 11 12:15:23 2006 -> Archive: Compression ratio limit set to 300.
> Sun Jun 11 12:15:23 2006 -> Archive support enabled.
> Sun Jun 11 12:15:23 2006 -> Archive: RAR support disabled.
> Sun Jun 11 12:15:23 2006 -> Archive: Blocking encrypted archives.
> Sun Jun 11 12:15:23 2006 -> Archive: Blocking archives that exceed limits.
> Sun Jun 11 12:15:23 2006 -> Portable Executable support enabled.
> Sun Jun 11 12:15:23 2006 -> Detection of broken executables enabled.
> Sun Jun 11 12:15:23 2006 -> Mail files support enabled.
> Sun Jun 11 12:15:23 2006 -> Mail: URL scanning enabled.
> Sun Jun 11 12:15:23 2006 -> OLE2 support enabled.
> Sun Jun 11 12:15:23 2006 -> HTML support enabled.
> Sun Jun 11 12:15:23 2006 -> Self checking every 600 seconds.
> Sun Jun 11 12:15:28 2006 -> /var/spool/MIMEDefang/run/mdefang-k5BGFSK0011658/./Work/msg-18091-564.txt: OK
> Sun Jun 11 12:16:01 2006 -> /tmp/.clamdwatch-05bFxWCGJZqZbxDj: Eicar-Test-Signature FOUND
> Sun Jun 11 12:19:01 2006 -> /tmp/.clamdwatch-i0XFbMnXhe1Z9bLS: Eicar-Test-Signature FOUND
> Sun Jun 11 12:20:01 2006 -> /tmp/.clamdwatch-555vzKPzD6VmN9hX: Eicar-Test-Signature FOUND
> Sun Jun 11 12:21:01 2006 -> /tmp/.clamdwatch-n8nsuuSNsi8OdYBX: Eicar-Test-Signature FOUND
> Sun Jun 11 12:24:02 2006 -> /tmp/.clamdwatch-EgFthk0psuFQo4s6: Eicar-Test-Signature FOUND
> Sun Jun 11 12:24:43 2006 -> /var/spool/MIMEDefang/run/mdefang-k5BGOdK0022965/./Work/msg-18091-565.txt: OK
> Sun Jun 11 12:24:43 2006 -> /var/spool/MIMEDefang/run/mdefang-k5BGOdK0022965/./Work/msg-18091-566.html: OK
> Sun Jun 11 12:25:02 2006 -> /tmp/.clamdwatch-GHWm2qxz6AlkrHRg: Eicar-Test-Signature FOUND
> Sun Jun 11 12:26:04 2006 -> No stats for Database check - forcing reload
> Sun Jun 11 12:26:04 2006 -> Reading databases from /var/clamav/databases
> Sun Jun 11 12:26:05 2006 -> /tmp/.clamdwatch-MIIaCZLkARFc2Jj2: Eicar-Test-Signature FOUND
> Sun Jun 11 12:26:16 2006 -> Segmentation fault :-( Bye..

Any ideas? What do I do to debug?

THANKS!
Jon Kibler
--
Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC USA
(843) 849-8214
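A log like the one in the message above can be triaged mechanically. This is an added example, not part of the original post and not a ClamAV tool: it parses clamd log lines, reports minutes in which the once-a-minute clamdwatch EICAR probe left no entry, and lists what clamd logged in the seconds before the segfault. The function names and the 30-second window are assumptions; SAMPLE is an excerpt of the posted log with the mail client's line wraps re-joined.

```python
import re
from datetime import datetime

# Excerpt of the clamd log posted above, wrapped lines re-joined.
SAMPLE = """\
Sun Jun 11 12:15:23 2006 -> Listening daemon: PID: 11590
Sun Jun 11 12:15:23 2006 -> Self checking every 600 seconds.
Sun Jun 11 12:16:01 2006 -> /tmp/.clamdwatch-05bFxWCGJZqZbxDj: Eicar-Test-Signature FOUND
Sun Jun 11 12:19:01 2006 -> /tmp/.clamdwatch-i0XFbMnXhe1Z9bLS: Eicar-Test-Signature FOUND
Sun Jun 11 12:20:01 2006 -> /tmp/.clamdwatch-555vzKPzD6VmN9hX: Eicar-Test-Signature FOUND
Sun Jun 11 12:21:01 2006 -> /tmp/.clamdwatch-n8nsuuSNsi8OdYBX: Eicar-Test-Signature FOUND
Sun Jun 11 12:24:02 2006 -> /tmp/.clamdwatch-EgFthk0psuFQo4s6: Eicar-Test-Signature FOUND
Sun Jun 11 12:25:02 2006 -> /tmp/.clamdwatch-GHWm2qxz6AlkrHRg: Eicar-Test-Signature FOUND
Sun Jun 11 12:26:04 2006 -> No stats for Database check - forcing reload
Sun Jun 11 12:26:04 2006 -> Reading databases from /var/clamav/databases
Sun Jun 11 12:26:05 2006 -> /tmp/.clamdwatch-MIIaCZLkARFc2Jj2: Eicar-Test-Signature FOUND
Sun Jun 11 12:26:16 2006 -> Segmentation fault :-( Bye..
"""

LINE = re.compile(r"^(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) -> (.*)$")
PROBE = re.compile(r"^/tmp/\.clamdwatch-\S+: Eicar-Test-Signature FOUND$")
CRASH = "Segmentation fault"


def parse(log):
    """Return [(timestamp, message)] for every well-formed clamd log line."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
            events.append((ts, m.group(2)))
    return events


def probe_gaps(events, interval=60):
    """Return (previous, next, missed) for each pair of consecutive probe
    entries that are more than one probe interval apart."""
    probes = [ts for ts, msg in events if PROBE.match(msg)]
    gaps = []
    for prev, cur in zip(probes, probes[1:]):
        missed = round((cur - prev).total_seconds() / interval) - 1
        if missed > 0:
            gaps.append((prev.strftime("%H:%M:%S"), cur.strftime("%H:%M:%S"), missed))
    return gaps


def before_crash(events, window=30):
    """Return the messages logged within `window` seconds before the last crash."""
    crashes = [ts for ts, msg in events if msg.startswith(CRASH)]
    if not crashes:
        return []
    crash = crashes[-1]
    return [msg for ts, msg in events
            if not msg.startswith(CRASH)
            and 0 <= (crash - ts).total_seconds() <= window]


if __name__ == "__main__":
    evs = parse(SAMPLE)
    print(probe_gaps(evs))
    print(before_crash(evs))
```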
[Clamav-users] Problems running clamdscan
Hello:

Running:
  Solaris 9
  Clamav 0.65

We are having problems getting clamdscan to work. The problem is file permissions. The file being scanned must be either other readable, or it must belong to the clamav user or group. We do not have this problem with clamscan.

Any thoughts on how to get clamdscan to read files that the user of the program has permission to access, but which clamd does not have permission to access?

Also, I am not quite sure that I understand the problem... I thought that clamdscan read the file and passed it to clamd for processing. I guess I must misunderstand something here...

Thanks for the feedback.

Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC USA
(843) 849-8214
[Clamav-users] Multiple stability problems on Solaris 9
Hello:

In the past few days we have experienced multiple stability problems with clamav. Here is our environment:
  Solaris 9 (sparc)
  mimedefang 2.36 w/ sendmail 8.12.10
  clamav 0.65

The problems appear to be twofold:

1) freshclam, run as a daemon, crashes without sending a notify. freshclam appears to die anytime it finds a problem with a database update instead of just reporting the error and keeping on running to try again later.

2) "something" is causing clamd to die. this just started Monday. the only indication of a problem is that mimedefang starts reporting all sorts of strange errors. in mimedefang, we are using clamdscan instead of clamd directly, as it appears to catch some problems that are missed when running clamd directly under the control of mimedefang (which I view as a mimedefang problem, not a clamav problem).

Detailed logs showing these problems, and commentary explaining what happened when, follow the signature paragraph.

I should also add that we deleted both the main and daily databases locally and loaded new ones just to ensure that some local database corruption was not the cause of the problem.

Suggestion for a new clamd and freshclam feature: Have a "notify on program exit" that will log a notice or take other action should the daemon die.

This was submitted to [EMAIL PROTECTED] yesterday... just curious, is there any type of acknowledgment that we should expect from such submittals?

TIA for all help!

Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC USA
(843) 849-8214

FRESHCLAM PROBLEMS:
===

This is how we start freshclam -- and in the recent past we have received notifications when updates fail, but I cannot recall ever receiving a notification when freshclam crashes.

    /usr/local/bin/freshclam -d \
        -c 24 \
        -u ${CLAMU} \
        -l ${CAVLOG} \
        --daemon-notify=${CAVCONF} \
        --on-error-execute="/usr/bin/logger -i -t freshclam -p daemon.alert 'clamav virus signatures database update failed'"

Here is an example of the problem from today. The previous entry in the log was from an hour earlier and all was OK. We discovered freshclam had died (with no notice sent) when we were preparing the documentation for the clamd problem. We received no notice that freshclam had any problems or had died.

--
ClamAV update process started at Tue Jan 20 12:22:46 2004
ERROR: Malformed CVD header detected.
ERROR: Can't read main.cvd header from database.clamav.net (193.126.14.29)
ClamAV update process started at Tue Jan 20 12:22:56 2004
ERROR: Malformed CVD header detected.
ERROR: Can't read main.cvd header from database.clamav.net (193.126.14.29)
ClamAV update process started at Tue Jan 20 12:23:06 2004
ERROR: Malformed CVD header detected.
ERROR: Can't read main.cvd header from database.clamav.net (193.126.14.29)
--

Here is another example, this from last Friday, where freshclam died, again, without any notice being logged.

--
ClamAV update process started at Fri Jan 16 14:53:19 2004
ERROR: Verification: MD5 verification error.
ClamAV update process started at Fri Jan 16 14:57:26 2004
ERROR: Verification: MD5 verification error.
ClamAV update process started at Fri Jan 16 15:06:39 2004
ERROR: Maximal time (1200 seconds) reached.

CLAMD PROBLEMS:
===

Yesterday, just before 11:00 we started getting all sorts of 'strange' mimedefang errors -- none of which were 'problem running virus scanner'. Checking, we found that clamd was not running. (We use clamdscan in mimedefang, not clamd directly, as it appears to be somewhat better at catching some viruses.)

Notice that it appeared to die the first time shortly after finding 'Worm.Gibe.F' -- with no indication of why it died. (The virus hit was successfully passed back to mimedefang.)

Next, at 12:04 we restarted clamd and it died due to a timeout at 12:28.

Then we restarted clamd at 12:31 and it died again for some unknown reason around 13:30.

At 13:32 we restarted clamd and also changed mimedefang to use clamscan instead of clamdscan. clamd appears stable so long as it is not being used.

We have tried to track down what clamd may have been doing when it died, but we have not been able to find anything in common at its various points of failure.

Mon Jan 19 11:00:09 2004 -> +++ Started at Mon Jan 19 11:00:09 2004
Mon Jan 19 11:00:09 2004 -> Log file size limited to 8388608 bytes.
Mon Jan 19 11:00:09 2004 -> Running as user defang (UID 104, GID 25)
Mon Jan 19 11:00:09 2004 -> Reading databases from /usr/local/share/clamav
Mon Jan 19 11:00:10 2004 -> Protecting against 20206 viruses.
Mon Jan 19 11:00:11 2004 -> Unix s