Re: [clamav-users] Question on Restriction of Clamscan Privileges

2023-10-17 Thread Michael Orlitzky via clamav-users
On Tue, 2023-10-17 at 19:53 +0200, Michael via clamav-users wrote:
> Dear ladies and gentlemen,
> 
> I have a question about the linux clamscan permissions.
> 
> 

Use clamdscan (NOT clamscan) with the --fdpass option. That will scan
under the privileges of the clamd daemon by passing it a reference to
the file rather than requiring that the daemon be able to read the file
itself. As a result the daemon can run with few privileges.

___

Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat
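
Added example (not code from the ClamAV project or from the poster): a small Python model of the --fdpass mechanism described above. The client opens the file with its own privileges and hands the descriptor to the daemon over a UNIX socket as SCM_RIGHTS ancillary data alongside clamd's `zFILDES\0` command; the daemon half here is a constructed stand-in that reads only through the received descriptor and mimics clamd's `fd[N]: ...` reply shape, so the whole exchange runs offline over a socketpair. The test pattern and signature name are constructed, not real signatures.

```python
"""Model of clamdscan --fdpass: the caller opens the file, clamd only gets a descriptor.

Added example, not ClamAV project code. The 'daemon' half is a constructed stand-in
for clamd that mimics the FILDES request/reply shape so the exchange runs offline.
"""
import array
import os
import socket
import tempfile
import threading

# Constructed marker standing in for a signature match; not a real ClamAV signature.
TEST_PATTERN = b"CONSTRUCTED-TEST-PATTERN"
TEST_SIGNATURE_NAME = "Constructed.Test.Pattern"


def fake_clamd_fildes(conn: socket.socket) -> None:
    """Serve one FILDES request the way an unprivileged clamd would.

    No path ever crosses the socket and this side never calls open(); the only
    way it can read the file is through the descriptor the client passed in.
    """
    fds = array.array("i")
    msg, ancdata, _flags, _addr = conn.recvmsg(64, socket.CMSG_SPACE(fds.itemsize))
    for level, ctype, data in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_RIGHTS:
            # Drop any partial trailing int before unpacking the fd list.
            fds.frombytes(data[: len(data) - (len(data) % fds.itemsize)])
    if msg != b"zFILDES\0" or len(fds) != 1:
        for fd in fds:
            os.close(fd)
        conn.sendall(b"UNKNOWN COMMAND\0")
        return
    fd = fds[0]
    with os.fdopen(fd, "rb") as f:  # fdopen takes ownership of the received fd
        content = f.read()
    verdict = f"{TEST_SIGNATURE_NAME} FOUND" if TEST_PATTERN in content else "OK"
    # clamd answers a z-prefixed command with a NUL-terminated "fd[N]: <verdict>".
    conn.sendall(f"fd[{fd}]: {verdict}".encode() + b"\0")


def fdpass_scan(conn: socket.socket, path: str) -> str:
    """Client half of --fdpass: open with *our* privileges, pass the fd, read the verdict."""
    fd = os.open(path, os.O_RDONLY)
    try:
        conn.sendmsg(
            [b"zFILDES\0"],
            [(socket.SOL_SOCKET, socket.SCM_RIGHTS, array.array("i", [fd]))],
        )
    finally:
        os.close(fd)  # the kernel holds the in-flight copy; our reference is no longer needed
    return conn.recv(256).rstrip(b"\0").decode()


def demo() -> dict:
    """Scan two constructed owner-only (0600) files over a socketpair; return {name: verdict}."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, body in (("clean.txt", b"nothing to see here\n"),
                           ("hit.txt", b"prefix " + TEST_PATTERN + b" suffix\n")):
            path = os.path.join(d, name)
            with open(path, "wb") as f:
                f.write(body)
            os.chmod(path, 0o600)  # a daemon running as a different uid could not open() this
            client, daemon = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
            with client, daemon:
                client.settimeout(5)
                worker = threading.Thread(target=fake_clamd_fildes, args=(daemon,))
                worker.start()
                results[name] = fdpass_scan(client, path)
                worker.join()
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```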


[clamav-users] Question on Restriction of Clamscan Privileges

2023-10-17 Thread Michael via clamav-users
Dear ladies and gentlemen,

I have a question about the linux clamscan permissions.

By starting clamscan from the linux desktop user - for example [user1] - it
seems that clamscan gets the permissions as if it were [user1], because it can
remove infected files.

Therefore, if this was right, it would also have the privileges to write files.

By, for example, using third party virus signatures provided by Fangfrisch 
there could be the risk for a maliciously crafted signature file that is then 
downloaded by Fangfrisch or freshclam-service.

Because of the write/delete permissions clamscan seems to have, maliciously 
crafted code could be executed within the [user1] by clamscan.

Is there by any means a chance to give clamscan only read, but not write
permissions, so that data could be crawled by clamscan but no arbitrary code
could be written to the file system and executed?

I actually built a workaround with a completely restricted user I have called
[clamscan], who is then executed in the [user1] shell by su clamscan -s
/bin/bash. Folders/files to be scanned are set to user1:clamscan by chown and
0750 by chmod, so clamscan executed by [clamscan] can only read but not write,
and [clamscan] itself has no write privileges in its own home folder. Works
fine, but it's not just scanning some files by "hit and done".

When scanning external drives I have found a way, too, but it is very time 
consuming and only works with ext (FAT has no rights, NTFS can't be mounted by 
non-administrators and the users option in fstab doesn't seem to work with 
NTFS).

Therefore restricting clamav-clamscan's abilities would be the easiest solution.


Any help is appreciated very much.


Sincerely,

Michael


Re: [clamav-users] ClamAV 1.2.0 release candidate now available

2023-08-04 Thread Michael Orlitzky via clamav-users
On Fri, 2023-08-04 at 18:38 +, Micah Snyder (micasnyd) via clamav-
users wrote:
> 
>   *   The suggested path for the clamd.pid and clamd.sock file in the sample 
> configs have been updated to reflect the recommended locations for these 
> files in the Docker images. These are:
> 
>  *   /run/clamav/clamd.pid
>  *   /run/clamav/clamd.sock
> 

The PID file can't live in a directory that's writable by a non-root
user; otherwise that user can trick "service stop" into killing
arbitrary processes. I think you already fixed this once :)

I know it's just a comment, but it would be better to suggest
/run/clamd.pid.




Re: [clamav-users] [ext] Segfaults with database version 26908

2023-05-16 Thread Michael Orlitzky via clamav-users
On Tue, 2023-05-16 at 12:08 +0200, Ralf Hildebrandt via clamav-users
wrote:
> 
> > 
> > Has anyone seen this, too?
> 
> I've seen this with 1.1.0-1 as well. Maybe they're related to the
> "pattern issue" I posted a while ago 
> 

Me three.



[clamav-users] ClamAV critical vulnerability

2023-03-02 Thread Michael Kyriacou via clamav-users
Does anybody know if the 0.104.2 version of clamav for AIX addresses
CVE-2023-20032?

I’m confused about the 3 different types of versions that they state it affects

1.0.0 and earlier
0.105.1 and earlier
0.103.7 and earlier


Re: [clamav-users] Future support of clamav in EPEL7 and EPEL8

2023-02-22 Thread Michael Orlitzky via clamav-users
On Thu, 2023-02-23 at 01:27 +, Micah Snyder (micasnyd) via clamav-
users wrote:
> Hi Scott, Michael, Orion,
> 
> You make some good points. In particular as Linux/Unix distributions
> are still learning how to package Rust software.
> 

It's not a matter of knowing how to package rust. It's just another
compiled language. But it's new, and...

  * Currently at the peak of its fad language phase.
  * Unstable; has no specification, breaking changes in every release.
  * Mainly used by people who want to write rust for the sake of 
writing rust, rather than for writing and maintaining programs 
that solve real problems.
  * Comes with a NIH build system that only works with rust code.
  * Has its own package manager that encourages you to pin specific
versions and bundle them into your package.
  * Has its own code hosting platform that bypasses our supply-chain
security.
  * Doesn't work on the platforms we support.

So: it's a matter of maturity. There's simply no way to package it
right now that meets the quality standards that we've set for ourselves
and for our users. It will be many years (if ever) before there's a
rust specification, and before the fad chasers have moved on and we're
left with people doing actual software engineering.

Or, it could never happen. I wrote a lot of things in Haskell, which
does everything rust does but better and did it decades earlier. Ask me
how that's going.

The problem isn't specific to rust. You only hear about it with rust
because a few high-profile projects (Firefox, ClamAV, librsvg, python
cryptography, etc.) have added bits of rust into their non-rust
codebases *after* becoming popular. Faced with the prospect of deleting
those packages and everything that depends on them, distros were
instead forced to compromise a few principles. But rust isn't really to
blame; the same problem would arise if you tried to add a few lines of
Zig code to a popular C++ package. Luckily with most other languages no
one has been crazy enough to do it [0].


> I'm certain there have been discussions along how to
> package/distribute Rust itself within each distro. I am a fan of the
> approach that OpenSUSE has taken: https://en.opensuse.org/Rust I hope
> that some of the other distributions adopt a similar strategy.

Despite the page title, they're not packaging it in the usual sense.
They're shipping you a giant executable that never gets security
updates. (It's the same with rust on Gentoo and every other distro.)
That's how Windows software is "packaged," and it's just not good
enough -- especially for a network-facing daemon whose job is to be fed
malicious code.



[0] Patiently awaiting the day I don't need Ruby to build webkit. 
Remember that week when Ruby was cool?



Re: [clamav-users] Future support of clamav in EPEL7 and EPEL8

2023-02-18 Thread Michael Orlitzky via clamav-users
On 2023-02-18 15:40:55, Orion Poplawski via clamav-users wrote:
> 
> This email is to start a discussion of what will happen with clamav 
> support in EPEL7 and EPEL8.  In particular, to inform everyone that it 
> will be impossible to build clamav 1.X in EPEL7 and EPEL8 due to lack of 
> rust support.  Fedora packaging policies prohibit the downloading of 
> files from the internet during builds, and the rust/rpm versions in 
> EL7/EL8 are too old to support the current Fedora rust ecosystem.

I'll be backporting security fixes for as long as that's less work
than removing clamav from our mail system (or until newer signatures
are incompatible with the old engine). Feel free to watch the Gentoo
tree and steal our patches.


Re: [clamav-users] How many viruses/malware is clamav protecting us from?

2022-12-20 Thread Michael Kyriacou via clamav-users
Thank you for this

On Mon, Dec 19, 2022 at 4:47 PM Sylvain Robitaille 
wrote:

> On Thu, 15 Dec 2022, Michael Kyriacou wrote:
>
> > Hello, is there a way to see how many viruses/malware clamav currently
> > protects us from. Additionally, is there a way to see the amount of
> > added virus definitions/signatures per update of clamav?
>
> I know that this isn't what was being asked for, but I suspect that it
> may be more useful to know how many messages that clamav has matched
> against which virus / malware signature.  In other words, how many
> viruses and other malware did clamav protect *our* (users') systems
> from today?  To that end, I use the following (admittedly simple)
> script, run nightly on each mail relay server, and I get a daily
> report that I can point to, to show what is being protected against.
>
> #!/bin/sh
> #
> #   @(#)maillog_report_clamav_matches 2022-11-25 Sylvain Robitaille
> #
> # report on which clamav signatures have matched, and how many times
> # each have matched from the latest maillog file (or the file(s) named
> # as argument(s).
>
> PATH=/usr/local/bin:/usr/bin:/bin
> # split "$*" on newlines only, so log file names containing spaces survive
> IFS="
> "
> export PATH;
> export IFS;
> umask 022
>
> # if we have no arguments, we'll default to the current maillog file;
> # else the arguments are the list;
> if [ "$*" ]; then
>     MAILLOG=$*
> else
>     MAILLOG="/var/log/maillog"
> fi
>
> # That's it ... clamd/clamav-milter log lines end in "<signature> FOUND",
> # so the signature name is the next-to-last field of each matching line:
> # group identical names, count them, list the most frequent first, and
> # append a grand total when more than one signature matched.
> grep -w FOUND ${MAILLOG} |\
>     awk '{print $(NF-1)}' |\
>     sort |\
>     uniq -c |\
>     sort -rn |\
>     awk '{total+=$1; print} END {if (NR > 1) print "total:", total}'
>
>
> I'm hoping that this can help, or it might perhaps inspire a script
> that's more relevant to your own situation.
>
> --
> --
> Sylvain Robitaille   s...@encs.concordia.ca
>
> Systems analyst / Postmaster / AITS   Concordia University
> Faculty of Engineering and Computer Science   Montreal, Quebec, Canada
> --


[clamav-users] How many viruses/malware is clamav protecting us from?

2022-12-15 Thread Michael Kyriacou via clamav-users
Hello, is there a way to see how many viruses/malware clamav currently protects us
from. Additionally, is there a way to see the amount of added virus
definitions/signatures per update of clamav?


[clamav-users] remove me

2022-09-08 Thread Michael Piziak via clamav-users

remove me



Re: [clamav-users] ClamAV 0.105 release candidate

2022-03-14 Thread Michael Peterson (mipeter2) via clamav-users
Same behavior with previous version:

➜  ~ wget 
https://www.clamav.net/downloads/release_candidate/clamav-0.104.2.tar.gz
--2022-03-14 17:34:36--  
https://www.clamav.net/downloads/release_candidate/clamav-0.104.2.tar.gz
Resolving www.clamav.net (www.clamav.net)... 2606:4700::6810:da54, 
2606:4700::6810:db54, 104.16.218.84, ...
Connecting to www.clamav.net (www.clamav.net)|2606:4700::6810:da54|:443... 
connected.
HTTP request sent, awaiting response... 403 Forbidden
2022-03-14 17:34:37 ERROR 403: Forbidden.

But both work via the browser. Maybe a User Agent issue?

--Michael

From: clamav-users  on behalf of 
Yasuhiro Kimura 
Date: Monday, March 14, 2022 at 5:29 PM
To: clamav-users@lists.clamav.net 
Subject: Re: [clamav-users] ClamAV 0.105 release candidate
From: "Micah Snyder (micasnyd) via clamav-users"

Subject: [clamav-users] ClamAV 0.105 release candidate
Date: Mon, 14 Mar 2022 20:14:18 +

> Read this announcement online at 
> https://blog.clamav.net/2022/03/clamav-01050-release-candidate-now.html
>
> We are excited to announce the ClamAV 0.105.0 release candidate.
>
> Please help us validate this release. We need your feedback, so let us know 
> what you find and join us on the
> ClamAV mailing list, or on our Discord.
>
> This release candidate phase is only expected to last about two to four weeks 
> before the 0.105.0 Stable
> version will be published. Take this opportunity to verify that 0.105.0
> can build and run in your
> environment.
>
> There is one known issue:
>
>   • Yara rules containing regex strings will fail to load. The fix for this 
> issue will be in the final
> release or next release candidate.
>
> Please submit bug reports to the ClamAV project GitHub Issues.

I tried to download the source archive of 0.105.0-rc but it fails with 403
forbidden.

yasu@rolling-vm-freebsd2[1373]% wget 
https://www.clamav.net/downloads/release_candidate/clamav-0.105.0-rc.tar.gz

--2022-03-15 09:25:16--  
https://www.clamav.net/downloads/release_candidate/clamav-0.105.0-rc.tar.gz
Resolving www.clamav.net (www.clamav.net)... 2606:4700::6810:db54,
2606:4700::6810:da54, 104.16.218.84, ...
Connecting to www.clamav.net (www.clamav.net)|2606:4700::6810:db54|:443... connected.
HTTP request sent, awaiting response... 403 Forbidden
2022-03-15 09:25:17 ERROR 403: Forbidden.

yasu@rolling-vm-freebsd2[1374]%

---
Yasuhiro KIMURA


___

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] CLAMAV: Docker Tag 0.104.2 has 9 Medium Vulnerabilities for Busy Box

2022-02-13 Thread Michael Orlitzky via clamav-users
On Sun, 2022-02-13 at 13:10 +, Marc wrote:
> > 
> > My team is new to maintaining images on Docker Hub. We hadn't yet
> > identified the best practices for how to publish an image for the
> > same
> > ClamAV version with a new base image. After a little investigation,
> > I
> > settled on this on this scheme.
> > 
> 
> Maybe it is time to allow environment variables in the config files? 
> 

Then you'll need a file that's just as long, but setting environment
variables instead of config parameters =)

But there is room for improvement here. The build system knows the
correct values for many of those config file parameters. It should
substitute in the ones it knows (like the clamav user, "/run" path,
etc.) For bonus points it could default to syslog which exists
precisely so that you don't have to configure logging manually in each
daemon.





[clamav-users] Locating clamav-milter to match v0.104.2

2022-02-08 Thread Hall, Michael H. (GSFC-423.0)[RAYTHEON COMPANY] via clamav-users

I am hoping to find a clamav-milter to match the current version of clamav.
The current link on website seems to go to GitHub.
GitHub then says that you need to get software from ClamAV.
If there is somewhere that I can get a clamav-milter v0.104.2 RPM, it would be 
much appreciated.

——
Michael H. “Mike” Hall, Sr.   NASA-GSFC
Working Remotely from Baltimore




Re: [clamav-users] Calm AV assistance

2021-11-05 Thread Michael Pifer via clamav-users
Basically, users upload a file to our windows servers. Now maybe we save
that to s3 and somehow pass the s3 url or bucket/file to clamav to scan. I
don't know what's easiest to do. That, or forward that file from the
windows server to the clamav linux server for scanning. But somehow, we
need to take that uploaded file, save it somewhere that clamav can scan and
let us know if it's bad or not. If it's bad, we can delete it in our
code.

On Fri, Nov 5, 2021 at 10:09 AM G.W. Haywood via clamav-users <
clamav-users@lists.clamav.net> wrote:

> Hi there,
>
> On Fri, 5 Nov 2021, Michael Pifer via clamav-users wrote:
>
> > I am specifically looking for assistance in setting up and configuring
> Clam
> > AV in our AWS EC2 environment.
> >
> > We are specifically looking to create a scanning service using clam av
> that
> > can be called everywhere a file is uploaded.  Make sure that if a file is
> > flagged as having a virus that we delete the file and return a message to
> > the user that the file appears to be infected and was not successfully
> > uploaded.
> >
> > Any assistance would be greatly appreciated!
>
> ClamAV is really just a toolkit.  You can learn how to use it to scan
> data streams, files, directories and whole filesystems against a set
> of signatures and other stuff which is stored - more or less locally -
> by you in a sort of database.  You decide what to put in the database
> (and then you have to maintain it, there are tools in the ClamAV suite
> to help you to do that).  Other tools in the suite can help you to do
> something like what you want to do, but if we are to provide any help
> other than generalities and pointers to the documentation you need to
> give us sufficient detail about what you intend to do.  The online
> documentation is at
>
> https://docs.clamav.net/
>
> and if you download ClamAV from one of the archives at
>
> https://www.clamav.net/downloads
>
> you will also find documentation in the archive.
>
> Things like returning messages to users are the sorts of things that
> you have to do in your own software, which can use the ClamAV toolkit
> and perhaps collect information from ClamAV scan results which can be
> returned to your users.  These things are not part of ClamAV itself.
> The messages provided by ClamAV are at best rather terse, you would
> probably want to embellish them in your own software for consumption
> by your users.
>
> If ClamAV *does* flag a file, deleting it will not always be the best
> choice of the options available to you.
>
> If ClamAV does *not* flag a file, accepting that it is safe will not
> always be the best choice of the options available to you.  You should
> consider carefully the probabilities that ClamAV will detect the kinds
> of threats which concern you.
>
> --
>
> 73,
> Ged.
>



[clamav-users] Calm AV assistance

2021-11-05 Thread Michael Pifer via clamav-users
I am specifically looking for assistance in setting up and configuring Clam
AV in our AWS EC2 environment.

We are specifically looking to create a scanning service using clam av that
can be called everywhere a file is uploaded.  Make sure that if a file is
flagged as having a virus that we delete the file and return a message to
the user that the file appears to be infected and was not successfully
uploaded.

Any assistance would be greatly appreciated!

-- 
Michael Pifer
Systems Administrator
Phone: (330) 974-1261
Fax: (330) 455-2374




Re: [clamav-users] clamd RAM issue?

2021-10-31 Thread Michael Orlitzky via clamav-users
On Sun, 2021-10-31 at 13:05 -0400, Mark G Thomas wrote:
> 
> Has anyone else had similar experiences recently?
> 


Not recently per se, but it happens. Do you limit the number of scans
that can be run simultaneously, if (for example) some doofus BCCs a
20MB nested zip file to everyone in his organization?





Re: [clamav-users] buiding 0.104.0

2021-09-07 Thread Michael Peterson (mipeter2) via clamav-users
I noticed your plea for Debian package. Perhaps you didn’t notice but if you 
look at the downloads page those packages are available from the ClamAV team. 
If you prefer to wait for the official one from the Debian package maintainers 
you’re welcome to do so.

https://www.clamav.net/downloads


Michael Peterson
Talos
Cisco Systems, Inc.

From: clamav-users  on behalf of Micah 
Snyder (micasnyd) via clamav-users 
Date: Tuesday, September 7, 2021 at 12:22 PM
To: clamav-users@lists.clamav.net 
Cc: Micah Snyder (micasnyd) , john 
Subject: Re: [clamav-users] buiding 0.104.0
Hi John,

If you're seeing a test failure, please submit an issue on the clamav github 
issues page https://github.com/Cisco-Talos/clamav/issues and include the test 
results (log file, or a copy paste from the terminal when using the verbose 
option).  The test results should help us identify what's going wrong.

I only noticed one strange thing, in that you're setting the regular bin
directory to be the same as your service bin (sbin) directory. That is odd, but
I wouldn't expect this change to cause a test failure.


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

From: clamav-users  on behalf of john 
via clamav-users 
Sent: Tuesday, September 7, 2021 9:40 AM
To: clamav-users@lists.clamav.net 
Cc: john 
Subject: [clamav-users] buiding 0.104.0

I tried building for Debian 10 on x64 but clearly I have failed to understand
something

I used to configure with

./configure --with-user=Debian-exim --with-group=Debian-exim \
--bindir=/usr/sbin --prefix=/usr --sysconfdir=/etc/clamav/

so I tried cmake with

cmake -D CLAMAV_USER=Debian-exim -D CLAMAV_GROUP=Debian-exim \
-D CLAMAV_BINDIR=/usr/sbin -D CLAMAV_PREFIX=/usr ..

and that seemed to work so I did a make which completed OK. Trying "make
test", on the other hand, gave failures for the first 6 tests and passed the other
4.

Not sure what to do next.  I could carry on with 0.103.42 and hope
eventually some kind person creates a Debian package, or I could stop using
clamav.  Or someone could point out how stupid I am being and tell me what
I did wrong.

==John ffitch



Re: [clamav-users] Opinion wanted: Change default config directory usr/clamav

2021-07-31 Thread Michael Orlitzky via clamav-users
On Sat, 2021-07-31 at 14:47 +0200, Arjen de Korte via clamav-users
wrote:
> 
> What might be useful to add, is an option to set the name of the UNIX  
> socket (which is hard coded now) through a cmake option. In openSUSE  
> we patch this to a different name, but this needs to be done in  
> several files, so a cmake option would help.
> 

If the configuration files are changed to templates, the line

  #LocalSocket /tmp/clamd.socket

(which creates a security vulnerability) could become

  #LocalSocket @RUNSTATEDIR@/clamav/clamd.ctl

instead. That's not _completely_ configurable, but it's a secure
setting that could be used by everyone without patching.
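
Added example (not ClamAV code, not the poster's): a Python check for the property behind both this LocalSocket remark and the earlier clamd.pid remark in the 2023-08-04 thread, namely that no directory on the way to a pid file or UNIX socket may be writable by anyone but its trusted owner. The sticky bit on /tmp does not rescue /tmp/clamd.socket, since it only stops other users deleting or renaming existing entries, not creating the name first. `trusted_root` is where the upward walk stops; the directory layout in `demo()` is constructed under a private temp dir with the current uid playing the trusted owner.

```python
"""Is this a safe place for a pid file or UNIX socket? Added example, not ClamAV code."""
import os
import stat
import tempfile


def untrusted_dirs(path: str, trusted_root: str, trusted_uids=(0,)) -> list:
    """List (directory, reason) for every directory from trusted_root down to the
    parent of `path` that someone outside trusted_uids could modify.

    An empty list means only the trusted owner can create, replace or redirect
    the final name. Anything else means a lower-privileged user could plant a pid
    of their choosing (so "service stop" signals the wrong process) or occupy the
    socket name before the daemon starts.
    """
    problems = []
    root = os.path.abspath(trusted_root)
    d = os.path.dirname(os.path.abspath(path))
    while True:
        try:
            st = os.lstat(d)
        except FileNotFoundError:
            problems.append((d, "does not exist"))
            break
        if stat.S_ISLNK(st.st_mode):
            problems.append((d, "is a symlink"))
        elif not stat.S_ISDIR(st.st_mode):
            problems.append((d, "is not a directory"))
        else:
            if st.st_uid not in trusted_uids:
                problems.append((d, "owned by uid %d" % st.st_uid))
            # The sticky bit (01777, as on /tmp) only stops others deleting or
            # renaming existing entries; anyone may still create the name first.
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                problems.append((d, "group/world writable, mode %04o"
                                 % stat.S_IMODE(st.st_mode)))
        if d == root or os.path.dirname(d) == d:
            break
        d = os.path.dirname(d)
    return problems


def demo() -> dict:
    """Constructed layout under a private temp dir: run/clamav is 0755 (acceptable),
    tmp is 01777 like /tmp (not acceptable). The current uid plays the trusted owner."""
    me = os.getuid()
    out = {}
    with tempfile.TemporaryDirectory() as base:
        good = os.path.join(base, "run", "clamav")
        os.makedirs(good, mode=0o755)
        bad = os.path.join(base, "tmp")
        os.mkdir(bad)
        os.chmod(bad, 0o1777)
        out["run"] = untrusted_dirs(os.path.join(good, "clamd.pid"), base, (me,))
        out["tmp"] = untrusted_dirs(os.path.join(bad, "clamd.socket"), base, (me,))
    return out


if __name__ == "__main__":
    for where, issues in demo().items():
        print(where, "OK" if not issues else issues)
```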





Re: [clamav-users] Long Term Support (LTS) program proposal

2021-07-28 Thread Michael Orlitzky via clamav-users
On 2021-07-28 23:53:35, Micah Snyder (micasnyd) via clamav-users wrote:
> 
> I would like your feedback.
> 

Starting with v0.103 will be really helpful. I've already voiced my
concerns about CMake... As the Gentoo maintainer, the switch is a bit
annoying, since we've been fixing autotools issues for years with many
of our patches forgotten upstream. With CMake, our users are going to
have to re-experience and re-report those bugs, and then we're going
to have to re-fix and re-submit them all (and someone is going to have
to re-write my open OpenRC pull request for CMake -- no easy task).

But in the end, everything will be OK. I plan to step down as
maintainer and let someone else deal with it =) In the meantime,
having security support for a version that supports our init system
will be nice.

The rust requirement, on the other hand, is a personal deal-breaker. I
don't mean to pile on more negativity, but tl;dr we'll be replacing
(or just removing) clamav at work when there are no more secure,
rust-free versions available. And I'll be glad to not have to deal
with that for a few more years!



[clamav-users] The "=" sign in freshclam options (---datadir= as an example) is mandatory?

2021-07-14 Thread Michael Wang
I discovered that the "=" sign in freshclam option is mandatory. For
example:

freshclam --datadir=c:\temp\database (with =)
and
freshclam --datadir c:\temp\database (without =)

are different. In the latter, the option "--datadir c:\temp\database" is
ignored as if it were not specified.

On the other hand, the "=" in clamscan option is optional, i.e.

clamscan --log=c:\tmp\my.log
and
clamscan --log c:\tmp\my.log

are equivalent.

I would like to get a confirmation that this is true, and secondly to get
an opinion on whether this is a bug; as far as I know, the = in an option should be
optional.



Re: [clamav-users] clamscan: permission denied on many files being used by another process

2021-07-13 Thread Michael Wang
The version I am running is clamav-0.103.3-win-x64-portable.zip
<https://www.clamav.net/downloads/production/clamav-0.103.3-win-x64-portable.zip>
from https://www.clamav.net/downloads#otherversions . The advantage of
using the portable version is that you do not need to install, but just to
use the software from the network path.

I understand "more" is not clamscan, I was just showing that the file in
question cannot be opened with clamscan nor with "more" as administrator. I
also understand if clamscan cannot read a file, it cannot scan it. My
question is how I can let clamscan read a file, as I have shown that
even I cannot "more" a file used by another process as administrator.

If clamscan cannot scan a file used by another process, then I question the
usefulness of the software because a hacker can just install a virus file
and use it, clamscan will not be able to detect it.

On Mon, Jul 12, 2021 at 11:45 AM G.W. Haywood via clamav-users <
clamav-users@lists.clamav.net> wrote:

> Hi there,
>
> On Mon, 12 Jul 2021, Michael Wang via clamav-users wrote:
>
> > I run ClamAV on windows using the latest portable installation with all
> > default configuration.
>
> What version of ClamAV, and where did it come from?
>
> > I run the task scheduler under the SYSTEM user with the highest
> > credentials checked, but I still have lots of permission denied
> > messages.
>
> That's to be expected if the scanning process can't read the data.
>
> > I logged in locally and checked one of the files under a powershell window
> > as ADMINISTRATOR, and I got:
> >
> > PS C:\Users\j.doe\AppData\local\Microsoft\Windows\WebCache> more .\V01.log
> > Get-Content : The process cannot access the file
> > 'C:\Users\j.doe\AppData\local\Microsoft\Windows\WebCache\V01.log' because
> > it is being used by another process.
>
> The 'more' command is a pager, not a scanner.  In what you've posted I
> see no evidence of a ClamAV process doing (or failing to do) anything.
>
> > So do I have to live with it? If there is a virus file and this file is
> > being currently used, clamscan cannot detect it?
>
> Not necessarily.  If the scanner does not have permission to read
> something which you want it to scan, then obviously it cannot scan it.
> This applies just as much to devices and data streams via sockets as
> it does to files.  It's up to you to arrange for the scanner to have
> permission to do what you want it to do.  And in my view it's usually
> pointless to scan a log file with a virus scanner - if indeed that is
> what you're doing - and this applies especially to the log which is
> recording the progress of the scan.
>
> --
>
> 73,
> Ged.
>
> ___
>
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>

___

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


[clamav-users] Php.Trojan.MSShellcode-81 FOUND on MS IIS log file?

2021-07-12 Thread Michael Wang
Clamscan detected a virus in Microsoft Internet Information Services 8.5
log file:

*C:\inetpub\logs\LogFiles\W3SVC1\u_exNN.log: Php.Trojan.MSShellcode-81 FOUND*

I looked at the file manually; it consists of comments and GET and POST
messages. How do I determine if this is a real or a false positive? The
files are dynamic and new files will be generated; what are my options?
Thanks.



[clamav-users] clamscan: permission denied on many files being used by another process

2021-07-12 Thread Michael Wang via clamav-users
Hello all ClamAV users:

I run ClamAV on windows using the latest portable installation with all
default configuration. I run the task scheduler under the SYSTEM user with
the highest credentials checked, but I still have lots of permission denied
messages.

I logged in locally and checked one of the files under a powershell window
as *ADMINISTRATOR*, and I got:

*PS C:\Users\j.doe\AppData\local\Microsoft\Windows\WebCache> more .\V01.log*
*Get-Content : The process cannot access the file
'C:\Users\j.doe\AppData\local\Microsoft\Windows\WebCache\V01.log' because
it is being used by another process.*

So do I have to live with it? If there is a virus file and this file is
being currently used, clamscan cannot detect it?



Re: [clamav-users] How to make freshclam to update existing files?

2021-07-09 Thread Michael Wang
Hi,

After more testing, I can rule out the disk space problem because I have
1TB free space. I can also rule out the permission problem because this
happens during fresh runs.

I discovered the problem I had was due to the use of the *Universal Naming
Convention (UNC) Path*, "\\xx-x411\clamav". Even on the same server where
"\\xx-x411\clamav" and "D:\clamav" are the same, the behaviors are
different as shown below.

With the "D:\clamav" path, it found that the database is not up to date,
then it gets the cld file, and no issues. With the UNC path, it downloads
the same cvd file and complains that the file exists. I wanted to use the
UNC path because I want to share the database across the servers.

Here is the log to show the problem:

PS D:\ClamAV\clamav-0.103.3-win-x64-portable\database> *rm -recurse **

PS D:\ClamAV\clamav-0.103.3-win-x64-portable\database>
\\xx-x411\clamav\clamav-0.103.3-win-x64-portable\freshclam.exe
*--datadir=d:\clamav\clamav-0.103.3-win-x64-portable\database*
ClamAV update process started at Fri Jul  9 15:48:10 2021
daily database available for download (remote version: 26226)
Time:3.6s, ETA:0.0s [>]  102.43MiB/102.43MiB
Testing database:
'd:\clamav\clamav-0.103.3-win-x64-portable\database\tmp.1276ba4a31\clamav-7f99d642a7a4902e4a2f435c323e2552.tmp-daily.cvd'
...
Database test passed.
daily.cvd updated (version: 26225, sigs: 3994327, f-level: 63, builder:
raynman)

*Received an older daily CVD than was advertised. We'll retry so the
incremental update will ensure we're up-to-date.*
daily database available for update (local version: 26225, remote version: 26226)

*Current database is 1 version behind.
Downloading database patch # 26226...*
Time:0.0s, ETA:0.0s [>]   19.36KiB/19.36KiB
Testing database:
'd:\clamav\clamav-0.103.3-win-x64-portable\database\tmp.1276ba4a31\clamav-baae84e4ef91bcdfa772d7d82c8af6f8.tmp-daily.cld'
...
Database test passed.
daily.cld updated (version: 26226, sigs: 3994579, f-level: 63, builder:
raynman)
main database available for download (remote version: 59)
Time:4.0s, ETA:0.0s [>]  112.40MiB/112.40MiB
Testing database:
'd:\clamav\clamav-0.103.3-win-x64-portable\database\tmp.1276ba4a31\clamav-046d7008715c9c8fba4d462be7120643.tmp-main.cvd'
...
Database test passed.
main.cvd updated (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)
bytecode database available for download (remote version: 333)
Time:0.1s, ETA:0.0s [>]  286.79KiB/286.79KiB
Testing database:
'd:\clamav\clamav-0.103.3-win-x64-portable\database\tmp.1276ba4a31\clamav-f4500f3362769ec4bcbdfcaa854f
cfb8.tmp-bytecode.cvd' ...
Database test passed.
bytecode.cvd updated (version: 333, sigs: 92, f-level: 63, builder:
awillia2)

PS D:\ClamAV\clamav-0.103.3-win-x64-portable\database> rm -recurse *

PS D:\ClamAV\clamav-0.103.3-win-x64-portable\database>
\\xx-x411\clamav\clamav-0.103.3-win-x64-portable\freshclam.exe
--datadir=\\xx-x411\clamav\clamav-0.103.3-win-x64-portable\database
ClamAV update process started at Fri Jul  9 15:51:05 2021
daily database available for download (remote version: 26226)
Time:4.1s, ETA:0.0s [>]  102.43MiB/102.43MiB
Testing database:
'\\xx-x411\clamav\clamav-0.103.3-win-x64-portable\database\tmp.dcd8c0cb40\clamav-a9ada8b934fb64989e60cabb093b72ec.tmp-daily.cvd'
...
Database test passed.
daily.cvd updated (version: 26225, sigs: 3994327, f-level: 63, builder:
raynman)
*Received an older daily CVD than was advertised. We'll retry so the
incremental update will ensure we're up-to-date.*
daily database available for download (remote version: 26226)
Time:3.8s, ETA:0.0s [>]  102.43MiB/102.43MiB
*Testing database:
'\\xx-x411\clamav\clamav-0.103.3-win-x64-portable\database\tmp.dcd8c0cb40\clamav-907671efc5b51d897ec211313228eb86.tmp-daily.cvd'
...*
Database test passed.

*ERROR: updatedb: Can't rename
\\xx-x411\clamav\clamav-0.103.3-win-x64-portable\database\tmp.dcd8c0cb40\clamav-907671efc5b51d897ec211313228eb86.tmp-daily.cvd
to daily.cvd: File exists*
ERROR: Unexpected error when attempting to update daily: Failed to read/write file to database directory
ERROR: Database update process failed: Failed to read/write file to
database directory
ERROR: Update failed.

On Thu, Jul 8, 2021 at 9:31 AM Michael Wang  wrote:

> I am running the freshclam.exe like this:
>
> PS C:\Users\m.wang> \\xxx\clamav\bin\freshclam.exe --datadir
> \\xxx\clamav\bin\database
>
> and I got the following error:
>
> ERROR: updatedb: *Can't rename*
> \\xxx\clamav\bin\database\tmp.78a757d3cf\clamav-57fd2bf1f4d6d423e4896f0ef3e97c52.tmp-daily.cvd
> to daily.cv
> d: *File exists*
>
> I am thinking of removing the *.cvd files before running freshclam, but is
> there an option to make freshclam to override the existin

[clamav-users] How to make freshclam to update existing files?

2021-07-08 Thread Michael Wang
I am running the freshclam.exe like this:

PS C:\Users\m.wang> \\xxx\clamav\bin\freshclam.exe --datadir
\\xxx\clamav\bin\database

and I got the following error:

ERROR: updatedb: *Can't rename*
\\xxx\clamav\bin\database\tmp.78a757d3cf\clamav-57fd2bf1f4d6d423e4896f0ef3e97c52.tmp-daily.cvd
to daily.cv
d: *File exists*

I am thinking of removing the *.cvd files before running freshclam, but is
there an option to make freshclam to override the existing old *.cvd files?
Thanks.

Full log:

PS C:\Users\m.wang> \\xxx\clamav\bin\freshclam.exe --datadir
\\xxx\clamav\bin\database
ClamAV update process started at Wed Jul  7 18:40:18 2021
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.103.2 Recommended version: 0.103.3
DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav
daily database available for download (remote version: 26224)
Time:   12.4s, ETA:0.0s [>]  102.41MiB/102.41MiB
Testing database:
'\\xxx\clamav\bin\database\tmp.78a757d3cf\clamav-57fd2bf1f4d6d423e4896f0ef3e97c52.tmp-daily.cvd'
...
Database test passed.
ERROR: updatedb: Can't rename
\\xxx\clamav\bin\database\tmp.78a757d3cf\clamav-57fd2bf1f4d6d423e4896f0ef3e97c52.tmp-daily.cvd
to daily.cv
d: File exists
ERROR: Unexpected error when attempting to update daily: Failed to
read/write file to database directory
ERROR: Database update process failed: Failed to read/write file to
database directory
ERROR: Update failed.



Re: [clamav-users] clamav error

2021-06-17 Thread Michael Orlitzky via clamav-users
On 2021-06-17 09:00:09, Jigar via clamav-users wrote:
> Hello,
> 
> Suddenly, we are getting the following error in clamd.log file
> 
> Thu Jun 17 08:52:49 2021 ->
> /var/amavis/tmp/amavis-20210617T083549-04876-63FaXGZk/parts/p001:
> Can't create new file ERROR
> Thu Jun 17 08:52:49 2021 ->
> /var/amavis/tmp/amavis-20210617T083549-04876-63FaXGZk/parts/p002:
> Can't open file or directory ERROR
> 
> We have checked up all the permission and ownership. There is no change in it.
> 

If you are (or can be) using a local socket to communicate with clamd,
then I would suggest changing the way that amavisd invokes the virus
scanner in amavisd.conf:

  # Use clamdscan with the --fdpass option so that the "clamav" user
  # doesn't need to be able to read amavis's private working
  # directory.
  @av_scanners = (
['ClamAV-clamdscan', 'clamdscan', "--fdpass --stdout --no-summary {}",
  [0], qr/:.*\sFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
  );

This is now the way that amavisd recommends, and assumes that your
clamd socket is writable by the amavis user.


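The --fdpass mechanism that this amavisd configuration relies on, shown as an added example that is not amavisd's, clamd's or clamdscan's code: the client opens the file under its own privileges and passes the open descriptor over a Unix socket with SCM_RIGHTS, so the daemon reads from a descriptor it was handed and never needs permission on the path or on the directories above it. The daemon half here is a toy that looks for a constructed marker string instead of running signatures; the "zFILDES" command bytes and the one-word replies are a simplification, not clamd's real wire protocol; and socketpair() stands in for clamd's LocalSocket so the whole exchange runs in one process, offline.

```python
"""Toy illustration of clamdscan --fdpass: descriptor passing over a Unix socket.
Added example; not ClamAV code. Wire format is simplified."""
import array
import os
import socket
import tempfile
import threading

MARKER = b"CONSTRUCTED-TEST-MARKER"   # constructed stand-in for a signature match


def send_fd(sock, fd, command=b"zFILDES\0"):
    """Client side: send the command, attaching the open fd as SCM_RIGHTS ancillary data.
    The kernel duplicates the descriptor into the receiving process; the path is never sent."""
    sock.sendmsg([command],
                 [(socket.SOL_SOCKET, socket.SCM_RIGHTS, array.array("i", [fd]))])


def recv_fd(sock):
    """Daemon side: receive the command and pull the passed descriptor out of the ancillary data."""
    fds = array.array("i")
    msg, ancdata, _flags, _addr = sock.recvmsg(64, socket.CMSG_LEN(fds.itemsize))
    for level, ctype, data in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_RIGHTS:
            fds.frombytes(data[:fds.itemsize])
            return msg, fds[0]
    raise RuntimeError("no descriptor received")


def toy_daemon(sock):
    """Scan whatever descriptor arrives. This side never calls open() on a path, which is
    why clamd can run as an unprivileged user and still scan files it could not open itself:
    the permission check already happened in the client's open()."""
    try:
        _cmd, fd = recv_fd(sock)
    except RuntimeError as e:
        sock.sendall(b"ERROR: " + str(e).encode())
        return
    with os.fdopen(fd, "rb") as f:         # fdopen takes ownership and closes the fd
        data = f.read()
    sock.sendall(b"FOUND" if MARKER in data else b"OK")


def scan_with_fdpass(path):
    """Client side: open with the caller's privileges, hand the fd to the daemon, read the verdict."""
    client, server = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    worker = threading.Thread(target=toy_daemon, args=(server,))
    worker.start()
    fd = os.open(path, os.O_RDONLY)
    try:
        send_fd(client, fd)
    finally:
        os.close(fd)                        # the daemon now holds its own reference
    verdict = client.recv(64).decode()
    worker.join()
    client.close()
    server.close()
    return verdict


def demo():
    """Constructed inputs: one clean file and one carrying the marker."""
    with tempfile.TemporaryDirectory() as d:
        clean, bad = os.path.join(d, "clean.bin"), os.path.join(d, "bad.bin")
        with open(clean, "wb") as f:
            f.write(b"nothing to see here")
        with open(bad, "wb") as f:
            f.write(b"header " + MARKER + b" trailer")
        return scan_with_fdpass(clean), scan_with_fdpass(bad)


if __name__ == "__main__":
    print(demo())
```

The point to take from it is the division of trust: the client is the only side that needs read access, and what crosses the socket is a capability to read one already-opened file, not a path the daemon then has to be allowed to resolve. That is what lets the "clamav" user stay out of amavis's private working directory in the configuration above.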

Re: [clamav-users] clamav incremental scan?

2021-05-04 Thread Michael Wang
Grant,

I do not disagree with you on the separate functionality of the scheduling
engine and scanning engine. The question is: does such an engine exist? I
feel it is too much for each individual user to implement such a scheduling
engine. I am new to ClamAV; does the question / solution ever pop up?
Thanks.

On Tue, May 4, 2021 at 4:29 PM Grant Taylor via clamav-users <
clamav-users@lists.clamav.net> wrote:

> On 5/4/21 12:19 PM, Michael Wang wrote:
> > looks like this should be a functionality of the clamav itself.
>
> What you are describing sounds like something independent of the ClamAV
> /scanning/ engine.  More specifically, it sounds like the responsibility
> of a /scheduling/ engine.
>
> My understanding is that the scheduling is outside of the scope of what
> ClamAV normally does.
>
> I see no reason why you couldn't have something -- run as a user with
> sufficient privileges to read the file(s) in question -- which maintains
> metadata about files: name, ctime, mtime, permissions, owner, group,
> hash, last scan time, etc, and determines if a file has changed since
> the last time it was scanned.  /That/ /scheduling/ engine could then
> easily ask the ClamAV /scanning/ engine -- likely running as a different
> non-root user -- to scan the files handed to it by -- what is
> effectively -- the /scheduling/ engine.
>
> There are a lot of different ways to go about something like this.  My
> opinion is that most of them are outside of the scope of the ClamAV's
> /scanning/ engine.
>
>
>
> --
> Grant. . . .
> unix || die
>
>



[clamav-users] clamav incremental scan?

2021-05-04 Thread Michael Wang
It seems that this should be a common question, but I did not find a
definite answer via Google search. I saw solutions that only scan files from
the last 60 days, but it is not difficult for a virus file to change its date,
is it? I can think of maintaining a hash table with file names and their
checksums, but it looks like this should be a function of clamav
itself. How do you do it? Just do a full scan every time? Thanks.


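The scheduling engine Grant Taylor sketches in the reply above (metadata such as ctime, mtime, hash and last scan time, kept outside the scanning engine) and the hash table suggested in this question, combined into one added example; it is not ClamAV's code and not anything posted in the thread. The scanner is abstracted as any callable that takes a list of paths and returns a verdict per path, so a clamdscan wrapper can be dropped in. Two design choices address the "a virus file can change its date" concern: mtime is recorded but never trusted, because whoever can write the file can set it; ctime is set by the kernel on every change and cannot be rewritten with utime(), and the SHA-256 of the content is what finally decides. A file is also rescanned when the signature database version has moved, since an earlier "clean" verdict proves nothing against new signatures. The sigdb_version numbers are constructed sample values.

```python
"""Incremental scan scheduler: decides which files to hand to a scanner.
Added example; not ClamAV code. The scanner is a pluggable callable."""
import hashlib
import json
import os
import tempfile


def sha256_of(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def fingerprint(path):
    """Per-file metadata the scheduler keeps. mtime is kept for reference only
    (trivially forged); ctime and the content hash drive the decision."""
    st = os.stat(path)
    return {"inode": st.st_ino, "size": st.st_size, "ctime_ns": st.st_ctime_ns,
            "mtime_ns": st.st_mtime_ns, "sha256": sha256_of(path)}


def needs_scan(record, fp, sigdb_version):
    if record is None:
        return True                                   # never seen before
    if record["sigdb_version"] < sigdb_version:
        return True                                   # clean under old signatures proves nothing now
    return any(record[k] != fp[k] for k in ("inode", "size", "ctime_ns", "sha256"))


def iter_files(root):
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            if not os.path.islink(p) and os.path.isfile(p):
                yield p


def run_incremental(root, state_file, scanner, sigdb_version):
    """Plan, scan, persist. `scanner(paths)` returns {path: "OK" | "FOUND" | ...}.
    Returns the sorted list of paths that were handed to the scanner."""
    state = {}
    if os.path.exists(state_file):
        with open(state_file) as f:
            state = json.load(f)
    fps = {}
    for p in iter_files(root):
        try:
            fps[p] = fingerprint(p)
        except OSError:
            continue            # unreadable for the scheduler: leave it to a privileged full scan
    to_scan = sorted(p for p, fp in fps.items() if needs_scan(state.get(p), fp, sigdb_version))
    verdicts = scanner(to_scan) if to_scan else {}
    for p in to_scan:
        if verdicts.get(p) == "OK":
            state[p] = dict(fps[p], sigdb_version=sigdb_version)
        else:
            state.pop(p, None)  # infected or errored: never cache, rescan next time
    for p in list(state):
        if p not in fps:
            del state[p]        # file is gone
    with open(state_file, "w") as f:
        json.dump(state, f)
    return to_scan


def demo():
    """Constructed tree of two files, run four times with a scanner that says OK to everything.
    Returns the basenames handed over on each run."""
    handed = []

    def scanner(paths):
        return {p: "OK" for p in paths}

    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as var:
        state = os.path.join(var, "scan-state.json")   # kept outside the scanned tree
        for name, body in (("a.txt", b"alpha"), ("b.txt", b"beta")):
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        for version, mutate in ((26225, False), (26225, False), (26225, True), (26226, False)):
            if mutate:
                with open(os.path.join(root, "a.txt"), "ab") as f:
                    f.write(b"!")                      # a.txt changes before run 3
            handed.append([os.path.basename(p) for p in run_incremental(root, state, scanner, version)])
    return handed


if __name__ == "__main__":
    print(demo())   # everything, nothing, only a.txt, everything again after a signature update
```

Hashing every file on every run is the cost of not trusting timestamps; it is still far cheaper than a signature scan, and the ctime comparison can be used as a fast pre-filter on systems where the scheduler itself is trusted to run as a user nobody else can impersonate.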

Re: [clamav-users] false positive on MBL_85256034.UNOFFICIAL with Google Drive links

2021-04-29 Thread Michael Orlitzky via clamav-users
On Thu, 2021-04-29 at 16:22 +0100, G.W. Haywood via clamav-users wrote:
> 
> 3. What is uid 110 on your system?  On my clamd server it's 'sshd'.
> This means that if I were to run it as root as it is, the script would
> change ownership of the modified files to the wrong user (which would
> break future updates unless root did them) and for other users fail.
> 

If you're lucky. The clamav user can replace those files with
sym/hardlinks to take over any file on the system.




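The checks a root-run script needs before it changes ownership of files in a directory that the unprivileged service user can write, as an added example that is not ClamAV's code and not the script discussed in the thread. It refuses symlinks, refuses files with more than one hard link, verifies the current owner, and does the stat, re-check and fchown through descriptors opened with O_NOFOLLOW so the path cannot be swapped underneath it. The demo "changes" ownership to the caller's own uid and gid so that it runs unprivileged; the planted link and hard link are constructed in a temporary directory.

```python
"""Defensive chown for a service-writable directory. Added example; not ClamAV code."""
import os
import stat
import tempfile


class UnsafePath(Exception):
    """Raised instead of touching anything when an entry looks planted."""


def safe_chown_dir(root, expected_uid, new_uid, new_gid):
    """chown the regular files directly under root, but only those that are not symlinks,
    have exactly one hard link, and are currently owned by expected_uid."""
    changed = []
    root_fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        for name in sorted(os.listdir(root_fd)):
            st = os.stat(name, dir_fd=root_fd, follow_symlinks=False)   # lstat, relative to root_fd
            if stat.S_ISLNK(st.st_mode):
                raise UnsafePath(f"{name}: symlink, refusing to follow it")
            if not stat.S_ISREG(st.st_mode):
                continue                       # subdirectories etc. are out of scope here
            # O_NOFOLLOW: if the entry became a symlink since the lstat, open() fails with ELOOP.
            # O_NONBLOCK: if it became a FIFO, open() does not hang.
            fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK, dir_fd=root_fd)
            try:
                fst = os.fstat(fd)             # re-check on the object we actually hold
                if (fst.st_dev, fst.st_ino) != (st.st_dev, st.st_ino):
                    raise UnsafePath(f"{name}: replaced between stat and open")
                if fst.st_nlink > 1:
                    raise UnsafePath(f"{name}: {fst.st_nlink} hard links, may alias another file")
                if fst.st_uid != expected_uid:
                    raise UnsafePath(f"{name}: owned by uid {fst.st_uid}, expected {expected_uid}")
                os.fchown(fd, new_uid, new_gid)   # act on the descriptor, never on the path
                changed.append(name)
            finally:
                os.close(fd)
    finally:
        os.close(root_fd)
    return changed


def demo():
    """Constructed directory: a signature file alone, then with a planted symlink, then with a
    planted hard link. Returns what happened in each case."""
    uid, gid = os.getuid(), os.getgid()
    outcome = {}
    with tempfile.TemporaryDirectory() as d, tempfile.TemporaryDirectory() as elsewhere:
        with open(os.path.join(d, "daily.cvd"), "wb") as f:
            f.write(b"constructed signature database")
        outcome["clean"] = safe_chown_dir(d, uid, uid, gid)

        victim = os.path.join(elsewhere, "victim")
        with open(victim, "wb") as f:
            f.write(b"a file outside the directory")
        os.symlink(victim, os.path.join(d, "main.cvd"))
        try:
            safe_chown_dir(d, uid, uid, gid)
            outcome["symlink"] = "changed"
        except UnsafePath:
            outcome["symlink"] = "refused"
        os.unlink(os.path.join(d, "main.cvd"))

        os.link(victim, os.path.join(d, "bytecode.cvd"))
        try:
            safe_chown_dir(d, uid, uid, gid)
            outcome["hardlink"] = "changed"
        except UnsafePath:
            outcome["hardlink"] = "refused"
    return outcome


if __name__ == "__main__":
    print(demo())
```

Kernel-side mitigations (fs.protected_symlinks and fs.protected_hardlinks on Linux) narrow the same hazard, but they only cover sticky world-writable directories and do not apply to a directory owned outright by the service user, which is exactly the case in the thread; the descriptor-based checks above do not depend on them.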

[clamav-users] automate clamav on windows and user manual popup

2021-04-27 Thread Michael Wang
Hello All:

I would like to automate the clamav install on windows. The method I have
in mind is to create a GPO which is a scheduled job written in powershell,
and this job will install ClamAV, setup other jobs to download the database
and do the scan. I could find info on the topic, so please share what you
have done successfully automating on a large number of servers.

The first problem I encounter is that when I install it very silently with

Start-Process $exe_file -ArgumentList "/VERYSILENT /LOG=$log_file"

It pops a notepad with the user manual. I assume I can kill the process (I
chose no -Wait option), but is there a way to select no user manual pop up?
If I install interactively, there is a box I can unselect.

Thanks a lot.



Re: [clamav-users] Can't start clamd - lchown to user failed

2021-04-24 Thread Michael Orlitzky via clamav-users
On Sat, 2021-04-24 at 13:46 +, Keith Graber wrote:
> I'm running ClamAV as user 'clamav' who owns /var/log/clamav

Clamd probably expects to be run as root if it's trying to use
lchown(). Have you tried the --foreground flag?

In any case, you will save yourself a lot of trouble if you just log to
syslog and then tweak your syslog config file to put clamav entries
under /var/log/clamav. Trusting users, developers, distributions, and
init scripts to all agree on the permission scheme for /var/log has
failed.





Re: [clamav-users] malwarepatrol.db invalid

2021-03-29 Thread Michael Orlitzky via clamav-users
On Mon, 2021-03-29 at 14:03 +, Steve Hanselman wrote:
> Is anyone able to successfully use the malwarepatrol.db file?

I've contacted malwarepatrol about this but it never got resolved. As
far as I know, it's still issue #16509 with them.

The problem is that sometimes the "extended" signature URL returns the
"normal" (i.e. not extended) signatures. This happens somewhat
randomly; usually they send one or the other for a few days in a row,
but then switch to the other type without warning.

Thing is, the "extended" signature databases should have an "ndb"
extension while the normal (i.e. not extended) signature databases
should have a "db" extension. If they don't, verification will fail.
So, which filename do you pick? Whichever one you choose is going to be
wrong after they randomly flip the contents on you in a week.




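One way to stop guessing the filename when a feed flips between the two formats, as an added example that is neither ClamAV's nor malwarepatrol's code: classify the downloaded file by the shape of its lines and install it under the extension its contents call for, removing the other variant so clamd never loads a stale copy alongside it. The two line shapes assumed are ClamAV's documented body-based signature formats, basic (.db) as MalwareName=HexSignature and extended (.ndb) as MalwareName:TargetType:Offset:HexSignature with optional MinFL and MaxFL fields; the signature names and hex in the demo are constructed, and the "malwarepatrol" basename is just a placeholder.

```python
"""Pick .db or .ndb from a signature feed's content. Added example; not ClamAV code."""
import os
import re
import tempfile

HEX_BODY = r"[0-9A-Fa-f?*{}\[\]|()-]+"        # hex plus the wildcard syntax both formats allow
# basic body signature ('.db'):     MalwareName=HexSignature
DB_LINE = re.compile(r"^[^=:\s]+=" + HEX_BODY + r"$")
# extended body signature ('.ndb'): MalwareName:TargetType:Offset:HexSignature[:MinFL[:MaxFL]]
NDB_LINE = re.compile(r"^[^:\s]+:\d+:[^:\s]+:" + HEX_BODY + r"(?::\d+(?::\d+)?)?$")


def classify_signatures(text):
    """Return 'db', 'ndb', or None when the feed is empty, mixed, or has a line that
    matches neither format. Refusing to guess beats feeding clamd a file it will reject."""
    kinds = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if NDB_LINE.match(line):
            kinds.add("ndb")
        elif DB_LINE.match(line):
            kinds.add("db")
        else:
            return None
    return kinds.pop() if len(kinds) == 1 else None


def install_signature_file(downloaded, dest_dir, basename="malwarepatrol"):
    """Move the downloaded feed into dest_dir under the right extension and drop the
    other variant, so the database directory holds exactly one copy of this feed."""
    with open(downloaded, encoding="utf-8", errors="replace") as f:
        kind = classify_signatures(f.read())
    if kind is None:
        raise ValueError(f"{downloaded}: not a recognisable .db or .ndb feed; not installed")
    other = "db" if kind == "ndb" else "ndb"
    stale = os.path.join(dest_dir, f"{basename}.{other}")
    if os.path.exists(stale):
        os.remove(stale)
    dest = os.path.join(dest_dir, f"{basename}.{kind}")
    os.replace(downloaded, dest)
    return dest


def demo():
    """Constructed feeds of both shapes plus a mixed one; installs extended, then basic."""
    extended = "# constructed feed\nExample.Ext-1:0:*:deadbeef\nExample.Ext-2:1:EP+0:00??ff{2-4}aa\n"
    basic = "Example.Basic-1=cafebabe\nExample.Basic-2=0102*0304\n"
    mixed = extended + basic
    with tempfile.TemporaryDirectory() as d:
        dl = os.path.join(d, "download.tmp")
        with open(dl, "w") as f:
            f.write(extended)
        first = os.path.basename(install_signature_file(dl, d))
        with open(dl, "w") as f:
            f.write(basic)
        second = os.path.basename(install_signature_file(dl, d))
        left = sorted(n for n in os.listdir(d) if n.startswith("malwarepatrol"))
    return (classify_signatures(extended), classify_signatures(basic), classify_signatures(mixed),
            first, second, left)


if __name__ == "__main__":
    print(demo())
```

Run the install step before clamd reloads its database so that the rename and the removal of the stale variant are both visible on the next reload; a feed that fails classification stays out of the database directory entirely, which is the safer failure mode for third-party signatures.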

Re: [clamav-users] ExcludePath Segmentation Fault Errorr

2021-03-06 Thread Michael Kyriacou via clamav-users
How can I apply this patch?

On Sat, Mar 6, 2021 at 5:03 PM Micah Snyder (micasnyd) via clamav-users <
clamav-users@lists.clamav.net> wrote:

> Hi Michael,
>
> It looks to me like you've stumbled across this issue:
> https://bugzilla.clamav.net/show_bug.cgi?id=12676
>
> I have a fix on the way.  The attached patch works, though I am still
> tidying up some additional error handling cleanup work per peer review.
>
> Regards,
> Micah
>
> > -Original Message-
> > From: clamav-users  On Behalf Of
> > G.W. Haywood via clamav-users
> > Sent: Thursday, March 4, 2021 8:20 AM
> > To: Michael Kyriacou via clamav-users 
> > Cc: G.W. Haywood 
> > Subject: Re: [clamav-users] ExcludePath Segmentation Fault Errorr
> >
> > Hi there,
> >
> > On Thu, 4 Mar 2021, Michael Kyriacou via clamav-users wrote:
> >
> > > Hello, I am running into a bug/error when adding an ExcludePath to my
> > > clamd.conf I am running Ubuntu 20.04.2, with clamav 0.103.1(from
> > > source) When I add the line: ExcludePath .*\.sys$, the following
> > > issues occur when running the command "clamdscan -m --fdpass
> > > /path/to/mounted/filesystem
> > > *Note: This error occurs only when using the -m parameter in
> > > combination with --fdpass against a Mounted filesystem other than the
> > > main harddrive*
> > >
> > > Running it against my home directory
> > > [image: image.png]
> > > Running it against a mounted filesystem with data in it
> > > [image: image.png]
> > > I tested this on over 50 different mounted filesystems, and the same
> > > error occurs.
> > >
> > > Is there any fix to this?
> >
> > You are using the asterisk character in your command lines incorrectly.
> > You need to quote it (and any other 'special' characters you use in a
> command),
> > or (in the case of a path) quote the entire path.  Otherwise the shell
> will expand
> > the asterisk which will result in a command very unlike the one you
> intended.
> > See the 'man' page for the bash shell:
> >
> > man bash
> >
> > But, even with incorrect command lines, there should not be segfaults.
> >
> > Check the ClamAV bugzilla, and if you don't find anything which seems to
> > describe your issue please either open a new report yourself or reply
> here and
> > someone will be able to open one:
> >
> > https://bugzilla.clamav.net/buglist.cgi?component=clamd=ClamAV
> >
> > --
> >
> > 73,
> > Ged.
> >



Re: [clamav-users] Can’t allocate memory error

2021-03-04 Thread Michael Kyriacou via clamav-users
Yes I use 64 bit executables.

Just some more information:

My I/O speed caps around 500MB/s.

I’m running clamdscan across ~30 mounted file systems on each scanner. Some
of these are ntfs, others are ext4. Each filesystem has its own clamd
process run against it.


On Thu, Mar 4, 2021 at 12:37 PM G.W. Haywood via clamav-users <
clamav-users@lists.clamav.net> wrote:

> Hi there,
>
> On Thu, 4 Mar 2021, Michael Kyriacou via clamav-users wrote:
>
> > When I type man clamd, I don’t get any information on threads.
>
> Please accept my apologies.  I meant the 'man' page for clamd.conf.
>
> > I’ve tested setting MaxThreads to 100 vs 16(the amount of vcpus the
> scanner
> > has), and I did not see a performance increase.
> > What is the recommended setting for MaxThreads/MaxQueue for a 16 core
> system?
>
> The 'man' page for clamd.conf should give you a better idea.  There's
> more than one thing to think about.  I don't know of any specific
> recommendations for particular systems or even classes of systems.  I
> think you'll need to think about your particular scenario and perhaps
> experiment with settings.  Now that we've identified the issue with
> use of special characters on your command lines you might find that
> things start to make more sense to you.  Look again at the logs and
> check the process activity (for example with 'top', or better 'atop').
> You might need to look into the documentation about ClamAV's logging to
> get it to help you more.
>
> > Also another question- Is there any way to force clamd to use more RAM to
> > increase performance?
>
> If you're going to scan millions of files for millions of signatures,
> performance is always going to be an issue, and especially so if a lot
> of the files will be big archives.  You might need to think about the
> approach, rather than just point the scanner at an enormous data store
> and hope for the best.
>
> You're probably seeing a number of limitations, not just memory.  The
> performance of mass storage I/O, memory and CPU will all bear on the
> overall performance of your scans.  The daemon will use what memory is
> available to it, but it seems to me that memory is unlikely to be the
> biggest issue in your system.  You need to get a good feel for which
> resources are under pressure and which aren't.  Given what you've said
> you're doing, I trust that you use exclusively 64-bit executables?
>
> --
>
> 73,
> Ged.
>



Re: [clamav-users] ExcludePath Segmentation Fault Errorr

2021-03-04 Thread Michael Kyriacou via clamav-users
Oh I see, sorry. I’ve always been using that to recursively scan. If I
remove the asterisk completely will it still do the same thing?

On Thu, Mar 4, 2021 at 12:40 PM G.W. Haywood via clamav-users <
clamav-users@lists.clamav.net> wrote:

> Hi there,
>
> On Thu, 4 Mar 2021, Michael Kyriacou via clamav-users wrote:
> > On Thu, Mar 4, 2021 at 11:21 AM G.W. Haywood via clamav-users wrote:
> >
> >> You are using the asterisk character in your command lines incorrectly.
> >> You need to quote it (and any other 'special' characters you use in a
> >> command), or (in the case of a path) quote the entire path.  Otherwise
> >> the shell will expand the asterisk ...
> >
> > I changed the ExcludePath to:
> > .*\.sys$
> >
> > The error still occurs. I do see a ticket created for an identical issue.
> > It looks like there is a patch to fix the problem, but I’m not sure how
> to
> > apply said patch
>
> The asterisks in your command lines, not in your configuration file.
>
> --
>
> 73,
> Ged.
>



Re: [clamav-users] ExcludePath Segmentation Fault Errorr

2021-03-04 Thread Michael Kyriacou via clamav-users
I changed the ExcludePath to:
.*\.sys$

The error still occurs. I do see a ticket created for an identical issue.
It looks like there is a patch to fix the problem, but I’m not sure how to
apply said patch

On Thu, Mar 4, 2021 at 11:21 AM G.W. Haywood via clamav-users <
clamav-users@lists.clamav.net> wrote:

> Hi there,
>
> On Thu, 4 Mar 2021, Michael Kyriacou via clamav-users wrote:
>
> > Hello, I am running into a bug/error when adding an ExcludePath to my
> clamd.conf
> > I am running Ubuntu 20.04.2, with clamav 0.103.1(from source)
> > When I add the line: ExcludePath .*\.sys$, the following issues occur
> when
> > running the command "clamdscan -m --fdpass /path/to/mounted/filesystem
> > *Note: This error occurs only when using the -m parameter in combination
> > with --fdpass against a Mounted filesystem other than the main harddrive*
> >
> > Running it against my home directory
> > [image: image.png]
> > Running it against a mounted filesystem with data in it
> > [image: image.png]
> > I tested this on over 50 different mounted filesystems, and the same error
> > occurs.
> >
> > Is there any fix to this?
>
> You are using the asterisk character in your command lines incorrectly.
> You need to quote it (and any other 'special' characters you use in a
> command), or (in the case of a path) quote the entire path.  Otherwise
> the shell will expand the asterisk which will result in a command very
> unlike the one you intended.  See the 'man' page for the bash shell:
>
> man bash
>
> But, even with incorrect command lines, there should not be segfaults.
>
> Check the ClamAV bugzilla, and if you don't find anything which seems
> to describe your issue please either open a new report yourself or reply
> here and someone will be able to open one:
>
> https://bugzilla.clamav.net/buglist.cgi?component=clamd=ClamAV
>
> --
>
> 73,
> Ged.
>



Re: [clamav-users] Can’t allocate memory error

2021-03-04 Thread Michael Kyriacou via clamav-users
I am not using on-access scanning.
When I type man clamd, I don’t get any information on threads.

I’ve tested setting MaxThreads to 100 vs 16 (the number of vCPUs the scanner
has), and I did not see a performance increase.
What is the recommended setting for MaxThreads/MaxQueue for a 16 core system?

Also another question: is there any way to force clamd to use more RAM to
increase performance?

On Thu, Mar 4, 2021 at 10:55 AM G.W. Haywood via clamav-users <
clamav-users@lists.clamav.net> wrote:

> Hi there,
>
> On Thu, 4 Mar 2021, Michael Kyriacou via clamav-users wrote:
>
> > ...  This is just one example of the many times the clamd process
> > seems to pause or hang. ...
>
> That looks to me like clamd is working as designed.  It has a queueing
> system which manages threads doing different kinds of work.  If you
> are giving the daemon a lot of work to do, under some circumstances it
> will defer processing for some threads, based on a queuing algorithm.
>
> For more information see the 'man' page for clamd (look for 'threads',
> which should lead you to configuration options to experiment with) and
> perhaps also .../clamd/thrmgr.c in the ClamAV source.
>
> Are you using any on-access scanning?
>
> --
>
> 73,
> Ged.
>



[clamav-users] ExcludePath Segmentation Fault Errorr

2021-03-04 Thread Michael Kyriacou via clamav-users
Hello, I am running into a bug/error when adding an ExcludePath to my
clamd.conf
I am running Ubuntu 20.04.2, with clamav 0.103.1 (from source).
When I add the line: ExcludePath .*\.sys$, the following issues occur when
running the command "clamdscan -m --fdpass /path/to/mounted/filesystem".
*Note: This error occurs only when using the -m parameter in combination
with --fdpass against a Mounted filesystem other than the main harddrive*

Running it against my home directory
[image: image.png]
Running it against a mounted filesystem with data in it
[image: image.png]
I tested this on over 50 different mounted filesystems, and the same error
occurs.

Is there any fix to this?



Re: [clamav-users] Can’t allocate memory error

2021-03-04 Thread Michael Kyriacou via clamav-users
The 3 filesizes below are as follows:

70K
260M
80K

This is just one example of the many times the clamd process seems to pause
or hang.

Thu Mar  4 09:54:03 2021 -> /imports/INPRDSS122/mnt1/Boot/et-EE/bootmgr.exe.mui: OK
Thu Mar  4 09:54:03 2021 -> Closed fd 44
Thu Mar  4 09:54:03 2021 -> Finished scanthread
Thu Mar  4 09:54:03 2021 -> THRMGR: group_finished: 0x561583a417b0, 10
Thu Mar  4 09:54:03 2021 -> THRMGR: active jobs for 0x561583a417b0: 9
Thu Mar  4 09:54:03 2021 -> THRMGR: queue (single) crossed low threshold -> signaling
Thu Mar  4 09:54:03 2021 -> THRMGR: queue (bulk) crossed low threshold -> signaling
Thu Mar  4 09:54:03 2021 -> THRMGR: contended, woken
Thu Mar  4 09:54:03 2021 -> Consumed entire command
Thu Mar  4 09:54:03 2021 -> got command IDSESSION (10, 13), argument:
Thu Mar  4 09:54:03 2021 -> THRMGR: new group: 0x5615837aa6e0
Thu Mar  4 09:54:03 2021 -> got command FILDES (7, 11), argument:
Thu Mar  4 09:54:03 2021 -> RECVTH: FILDES command complete
Thu Mar  4 09:54:03 2021 -> THRMGR: active jobs for 0x5615837aa6e0: 2
Thu Mar  4 09:54:03 2021 -> THRMGR: contended, sleeping
Thu Mar  4 09:55:04 2021 -> /imports/INPRDSUPDS121_1/mnt2/UPDs/UVHD-S-1-5-21-3556941465-1377616134-1990869325-122888.vhdx: OK
Thu Mar  4 09:55:04 2021 -> Closed fd 178
Thu Mar  4 09:55:04 2021 -> Finished scanthread
Thu Mar  4 09:55:04 2021 -> THRMGR: group_finished: 0x5615837bee00, 17
Thu Mar  4 09:55:04 2021 -> THRMGR: active jobs for 0x5615837bee00: 16
Thu Mar  4 09:55:04 2021 -> THRMGR: queue (single) crossed low threshold -> signaling
Thu Mar  4 09:55:04 2021 -> THRMGR: queue (bulk) crossed low threshold -> signaling
Thu Mar  4 09:55:04 2021 -> THRMGR: contended, woken
Thu Mar  4 09:55:04 2021 -> Consumed entire command
Thu Mar  4 09:55:04 2021 -> got command IDSESSION (10, 13), argument:
Thu Mar  4 09:55:04 2021 -> THRMGR: new group: 0x5615837aa760
Thu Mar  4 09:55:04 2021 -> got command FILDES (7, 11), argument:
Thu Mar  4 09:55:04 2021 -> RECVTH: FILDES command complete
Thu Mar  4 09:55:04 2021 -> THRMGR: active jobs for 0x5615837aa760: 2
Thu Mar  4 09:55:04 2021 -> THRMGR: contended, sleeping
Thu Mar  4 09:55:04 2021 -> /imports/INPMBXFERS121/mnt1/Boot/de-DE/bootmgr.exe.mui: OK
Thu Mar  4 09:55:04 2021 -> Closed fd 46
Thu Mar  4 09:55:04 2021 -> Finished scanthread
Thu Mar  4 09:55:04 2021 -> THRMGR: group_finished: 0x5615837b87f0, 10
Thu Mar  4 09:55:04 2021 -> THRMGR: active jobs for 0x5615837b87f0: 9
Thu Mar  4 09:55:04 2021 -> THRMGR: queue (single) crossed low threshold -> signaling
Thu Mar  4 09:55:04 2021 -> THRMGR: queue (bulk) crossed low threshold -> signaling
Thu Mar  4 09:55:04 2021 -> THRMGR: contended, woken
Thu Mar  4 09:55:04 2021 -> Consumed entire command
Thu Mar  4 09:55:04 2021 -> got command IDSESSION (10, 13), argument:
Thu Mar  4 09:55:04 2021 -> THRMGR: new group: 0x5615837aa7e0


On Wed, Mar 3, 2021 at 4:30 AM G.W. Haywood via clamav-users <
clamav-users@lists.clamav.net> wrote:

> Hi there,
>
> On Tue, 2 Mar 2021, Michael Kyriacou via clamav-users wrote:
>
> > I am scanning large Data sets for a company. These file systems have
> > hundreds of thousands of files in them. Most files are small in size,
> > <1GB, while a few are large, >10GB. Most files are documents, archives,
> > and executables. I am scanning them to detect whether there is any malware.
> >
> > These are virtual machines, running Ubuntu 20.04.
> > The cpu on the esxi host is an Intel Xeon Platinum 828 CPU @2.70GHz. I
> > have, in total, 112 logical processors available and 512 GB of RAM.
> >
> > The message it says is the following:
> > 
> > Got command FILDES(7,11) argument
> > RECVTH FILDES command complete
> > THMGR active jobs for ***: 2
> > THRMGR: Contended, sleeping
> > 
>
> Please _cut_and_paste_ the exact messages that you are seeing, not some
> approximation to it.
> It might also help if you can get your logging system(s) to prepend
> timestamps.  It's usual
> to see (and I'm much more comfortable with) logs which look something like
> this:
>
> Wed Mar  3 09:13:45 2021 -> Got new connection, FD 10
> Wed Mar  3 09:13:45 2021 -> Received POLLIN|POLLHUP on fd 6
> Wed Mar  3 09:13:45 2021 -> fds_poll_recv: timeout after 30 seconds
> Wed Mar  3 09:13:45 2021 -> Received POLLIN|POLLHUP on fd 10
> Wed Mar  3 09:13:45 2021 -> got command ALLMATCHINSTREAM (17, 24),
> argument:
> Wed Mar  3 09:13:45 2021 -> Receive thread: INSTREAM:
> /EXPORTS/clamav/tmp/tcp3/clamav-dc107bae2242d939f16bcf2bf9dd409c.tmp fd 11
> Wed Mar  3 09:13:45 2021 -> Breaking command loop, mode is no longer
> MODE_COMMAND
> Wed Mar  3 09:13:45 2021 -> Move

Re: [clamav-users] Can’t allocate memory error

2021-03-02 Thread Michael Kyriacou via clamav-users
I am scanning large Data sets for a company. These file systems have
hundreds of thousands of files in them. Most files are small in size, <1GB,
while a few are large, >10GB. Most files are documents, archives, and
executables. I am scanning them to detect whether there is any malware.

These are virtual machines, running Ubuntu 20.04.
The cpu on the esxi host is an Intel Xeon Platinum 828 CPU @2.70GHz. I have,
in total, 112 logical processors available and 512 GB of RAM.

The message it says is the following:

Got command FILDES(7,11) argument
RECVTH FILDES command complete
THMGR active jobs for ***: 2
THRMGR: Contended, sleeping

Nothing under this command; it pauses, then after a couple of minutes it will
continue, repeating.

On Tue, Mar 2, 2021 at 9:40 AM G.W. Haywood via clamav-users <
clamav-users@lists.clamav.net> wrote:

> Hi there,
>
> On Tue, 2 Mar 2021, Michael Kyriacou via clamav-users wrote:
> > On Tue, Mar 2, 2021 at 4:08 AM G.W. Haywood via clamav-users wrote:
> >> On Mon, 1 Mar 2021, Michael Kyriacou via clamav-users wrote:
> >>
> >>> ... clamav 103.1 on ubuntu 20.04. I am getting “can’t allocate
> >>> memory errors” on very large files ( 10GB +). I thought clamdscan
> >>> was supposed to skip files that are larger than what you set the
> >>> maxfilesize/maxscansize to.
> >>
> >> Unfortunately this is a known issue:
> >>
> >> https://bugzilla.clamav.net/show_bug.cgi?id=12374
> >>
> >> Have you tried other ways to avoid scanning huge files?
> >
> > I was not aware of any other way to avoid scanning large files. Where
> can I
> > find such solutions?
>
> The operating system offers ways to avoid shooting your own feet.  You
> could just arrange for all the huge files to be in some corner of the
> filesystem which you don't normally scan - which begs the questions
> what are you scanning, and why?  There will of course be pseudo-files
> in your system which you should _never_ scan.  The 'find' utility will
> let you specify size limits.  You will need to spend some quality time
> with the 'man' pages to gain familiarity with using standard utilities
> in conjunction with something like ClamAV.  Using the 'man' pages is
> something of an acquired taste, which you do need to acquire if you're
> to get the most out of a Linux box.  The 'man' page for clamd.conf
> contains information about usage of resources.  Also there are some
> warnings, which to my mind are perhaps a little over the top, but they
> serve to remind us that the system's resources may be shared between a
> large number of processes; that these processes compete for resources;
> and that things can get ugly when there aren't enough to go around.
>
> The concept of "not scanning a file larger than X bytes" is a bit too
> simplistic when talking about scanning with something like ClamAV which
> (a) depending on the file type may use different approaches to scanning
> and (b) can extract the content from types of file (e.g. Zip, RAR, etc.)
> which can contain whole directory structures and also employ compression
> techniques, and which as a result are subject to various and sometimes
> non-obvious Denial-Of-Service type attacks.  So there are numerous clamd
> configuration options which permit fine-tuning of the resource usage of
> the ClamAV tools.  To make the best use of these options you'll need to
> be familiar with the your system's resources, and the constraints.
>
> How much memory does the box have?  You'll probably need a gigabyte or
> so to store the signature database before you even start a scan, plus
> whatever the scanner uses when it scans something - that depends a lot
> on what it's scanning.  Then if you keep the default configuration to
> permit scanning while reloading the databases, another gigabyte will
> be used (briefly) every time clamd reloads the database.  Note that
> the extra memory will not be released until the completion of any scan
> which was started before the reload.  I'd recommend that if you don't
> want to have to work on memory management, four gigabytes of RAM is
> about the minimum for a clamd server.  The longer it takes to scan a
> file, the more likely it is that you'll try to reload the database
> during a scan, so if you're short on memory and you want to scan files
> which take a long time to scan then it's worth considering the option
> to scan data only while a database reload is not taking place.
>
> --
>
> 73,
> Ged.
>

Re: [clamav-users] Can’t allocate memory error

2021-03-02 Thread Michael Kyriacou via clamav-users
My scanners have 16 vCPUs and 64 GB RAM allocated to them (each). I noticed
that the clamd process actually began hanging on some of the scanners. This
slowed the scanning by a lot. Looking at the log, the only thing it says is
“... sleep”. After 5-10 minutes it will continue, and then pause again.

Do you know how I can troubleshoot this issue?

On Tue, Mar 2, 2021 at 9:40 AM G.W. Haywood via clamav-users <
clamav-users@lists.clamav.net> wrote:

> Hi there,
>
> On Tue, 2 Mar 2021, Michael Kyriacou via clamav-users wrote:
> > On Tue, Mar 2, 2021 at 4:08 AM G.W. Haywood via clamav-users wrote:
> >> On Mon, 1 Mar 2021, Michael Kyriacou via clamav-users wrote:
> >>
> >>> ... clamav 103.1 on ubuntu 20.04. I am getting “can’t allocate
> >>> memory errors” on very large files ( 10GB +). I thought clamdscan
> >>> was supposed to skip files that are larger than what you set the
> >>> maxfilesize/maxscansize to.
> >>
> >> Unfortunately this is a known issue:
> >>
> >> https://bugzilla.clamav.net/show_bug.cgi?id=12374
> >>
> >> Have you tried other ways to avoid scanning huge files?
> >
> > I was not aware of any other way to avoid scanning large files. Where
> can I
> > find such solutions?
>
> The operating system offers ways to avoid shooting your own feet.  You
> could just arrange for all the huge files to be in some corner of the
> filesystem which you don't normally scan - which begs the questions
> what are you scanning, and why?  There will of course be pseudo-files
> in your system which you should _never_ scan.  The 'find' utility will
> let you specify size limits.  You will need to spend some quality time
> with the 'man' pages to gain familiarity with using standard utilities
> in conjunction with something like ClamAV.  Using the 'man' pages is
> something of an acquired taste, which you do need to acquire if you're
> to get the most out of a Linux box.  The 'man' page for clamd.conf
> contains information about usage of resources.  Also there are some
> warnings, which to my mind are perhaps a little over the top, but they
> serve to remind us that the system's resources may be shared between a
> large number of processes; that these processes compete for resources;
> and that things can get ugly when there aren't enough to go around.
>
> The concept of "not scanning a file larger than X bytes" is a bit too
> simplistic when talking about scanning with something like ClamAV which
> (a) depending on the file type may use different approaches to scanning
> and (b) can extract the content from types of file (e.g. Zip, RAR, etc.)
> which can contain whole directory structures and also employ compression
> techniques, and which as a result are subject to various and sometimes
> non-obvious Denial-Of-Service type attacks.  So there are numerous clamd
> configuration options which permit fine-tuning of the resource usage of
> the ClamAV tools.  To make the best use of these options you'll need to
> be familiar with the your system's resources, and the constraints.
>
> How much memory does the box have?  You'll probably need a gigabyte or
> so to store the signature database before you even start a scan, plus
> whatever the scanner uses when it scans something - that depends a lot
> on what it's scanning.  Then if you keep the default configuration to
> permit scanning while reloading the databases, another gigabyte will
> be used (briefly) every time clamd reloads the database.  Note that
> the extra memory will not be released until the completion of any scan
> which was started before the reload.  I'd recommend that if you don't
> want to have to work on memory management, four gigabytes of RAM is
> about the minimum for a clamd server.  The longer it takes to scan a
> file, the more likely it is that you'll try to reload the database
> during a scan, so if you're short on memory and you want to scan files
> which take a long time to scan then it's worth considering the option
> to scan data only while a database reload is not taking place.
>
> --
>
> 73,
> Ged.
>



Re: [clamav-users] Can’t allocate memory error

2021-03-02 Thread Michael Kyriacou via clamav-users
I was not aware of any other way to avoid scanning large files. Where can I
find such solutions?

On Tue, Mar 2, 2021 at 4:08 AM G.W. Haywood via clamav-users <
clamav-users@lists.clamav.net> wrote:

> Hi there,
>
> On Mon, 1 Mar 2021, Michael Kyriacou via clamav-users wrote:
>
> > ... clamav 103.1 on ubuntu 20.04. I am getting “can’t allocate
> > memory errors” on very large files ( 10GB +). I thought clamdscan
> > was supposed to skip files that are larger than what you set the
> > maxfilesize/maxscansize to.
>
> Unfortunately this is a known issue:
>
> https://bugzilla.clamav.net/show_bug.cgi?id=12374
>
> Have you tried other ways to avoid scanning huge files?
>
> --
>
> 73,
> Ged.
>



[clamav-users] Can’t allocate memory error

2021-03-01 Thread Michael Kyriacou via clamav-users
Hello. I am using clamav 103.1 on ubuntu 20.04. I am getting “can’t
allocate memory errors” on very large files ( 10GB +). I thought clamdscan
was supposed to skip files that are larger than what you set the
maxfilesize/maxscansize to.

Is there any workaround/fix for this?



Re: [clamav-users] Use ClamAV on ARM Platform (Nvidia

2021-03-01 Thread Michael Kang via clamav-users
Hi Grant,

Thanks very much for sharing your thoughts.  I appreciate it. 

Michael

-Original Message-
From: clamav-users  On Behalf Of Grant Taylor via clamav-users
Sent: March 1, 2021 12:21 PM
To: clamav-users@lists.clamav.net
Cc: Grant Taylor 
Subject: Re: [clamav-users] Use ClamAV on ARM Platform (Nvidia

On 3/1/21 9:45 AM, Michael Kang via clamav-users wrote:
> Hi there,

Hi,

> I understand ClamAV could be cross-compiled to run on ARM platform.

I would also expect that it could be compiled natively on said ARM platform.  
;-)

> My question is more related to the virus database/signature files.
> 
> I am assuming the existing virus database is for x86 architectures 
> (Intel or AMD CPUs).
> 
> Since ARM binaries are different from x86 binaries, can I assume 
> different database/signature files would be needed for ARM platforms?

I don't know.

But I have two thoughts.

1)  Do you still want to scan for the same viruses for other platforms? 
If so, I'd think you would want the same definitions.  You would also want 
additional definitions for the local platform.

2)  Are the virus definitions subject to big-endian vs little-endian byte 
ordering?  Or are they agnostic?

I don't know.  But I hope to learn by watching and reading this thread.



--
Grant. . . .
unix || die

Disclaimer

The information contained in this communication from the sender is 
confidential. It is intended solely for use by the recipient and others 
authorized to receive it. If you are not the recipient, you are hereby notified 
that any disclosure, copying, distribution or taking action in relation of the 
contents of this information is strictly prohibited and may be unlawful.

This email has been scanned for viruses and malware.



Re: [clamav-users] What value to put max threads too

2021-03-01 Thread Michael Kyriacou via clamav-users
Yes, I read clamd.conf. It states the maximum number of threads running at
the same time.
I am a little confused about how many threads to set. 100 threads = 100 clamd
processes.

On Mon, Mar 1, 2021 at 12:09 PM G.W. Haywood via clamav-users <
clamav-users@lists.clamav.net> wrote:

> Hi there,
>
> On Mon, 1 Mar 2021, Michael Kyriacou via clamav-users wrote:
>
> > ... what value I should set Max Threads to? I am running an ubuntu
> > machine with 16 cores. I currently have it set to 100.
> > Is this too much?
>
> That depends.
>
> Did you read
>
> man clamd.conf
>
> ?
>
> --
>
> 73,
> Ged.
>



Re: [clamav-users] Use ClamAV on ARM Platform (Nvidia

2021-03-01 Thread Michael M. Minor via clamav-users
Michael Kang:
It depends on what you are trying to detect.  The signatures should
work fine for detecting the malware they contain signatures for, but if you
are looking for ClamAV to detect malware compiled for ARM, it will detect
them if there are signatures written for that malware. The definitions are
host system agnostic, which is why many people use them on Linux/BSD
systems to detect Windows malware.

Michael M. Minor


On Mon, Mar 1, 2021 at 11:50 AM Michael Kang via clamav-users <
clamav-users@lists.clamav.net> wrote:

> Hi there,
>
> We are working on Nvidia’s Jetson Xavier NX product, of which the CPU is
> “6-core NVIDIA Carmel 64-bit ARMv8.2 @ 1400MHz* (6MB L2 + 4MB L3)”.
>
> The operating system is Linux Ubuntu 18.04 for ARM. Below is a link to the
> platform:
>
> https://developer.nvidia.com/blog/jetson-xavier-nx-the-worlds-smallest-ai-supercomputer/
>
> I understand ClamAV could be cross-compiled to run on ARM platform.
>
> My question is more related to the virus database/signature files.
>
> I am assuming the existing virus database is for x86 architectures (Intel
> or AMD CPUs).
>
> Since ARM binaries are different from x86 binaries, can I assume different
> database/signature files would be needed for ARM platforms?
>
> Thanks,
>
> Michael Kang
>
> *Disclaimer*
>
> This e-mail is intended only for the person to whom it is addressed (the
> "addressee") and may contain confidential and/or privileged material. This
> email and the information contained within are the property of WOLF
> Advanced Technology. Any review, retransmission, dissemination or other use
> that a person other than the addressee makes of this communication is
> prohibited and any reliance or decisions made based on it, are the
> responsibility of such person. We accept no responsibility for any loss or
> damages suffered as a result of decisions made or actions taken based on
> this communication or otherwise. Please note that any views or opinions
> presented in this e-mail are solely those of the author and do not
> necessarily represent those of WOLF Advanced Technology. The addressee
> should check this e-mail and any attachments for the presence of malware.
> WOLF Advanced Technology accepts no liability for any damage caused by any
> malware transmitted by this e-mail. If you received this in error, please
> contact the sender and destroy all copies of this e-mail.
>
>



[clamav-users] Use ClamAV on ARM Platform (Nvidia

2021-03-01 Thread Michael Kang via clamav-users
Hi there,

We are working on Nvidia's Jetson Xavier NX product, of which the CPU is 
"6-core NVIDIA Carmel 64-bit ARMv8.2 @ 1400MHz* (6MB L2 + 4MB L3)".
The operating system is Linux Ubuntu 18.04 for ARM. Below is a link to the 
platform:
https://developer.nvidia.com/blog/jetson-xavier-nx-the-worlds-smallest-ai-supercomputer/

I understand ClamAV could be cross-compiled to run on ARM platform.

My question is more related to the virus database/signature files.

I am assuming the existing virus database is for x86 architectures (Intel or 
AMD CPUs).

Since ARM binaries are different from x86 binaries, can I assume different 
database/signature files would be needed for ARM platforms?

Thanks,
Michael Kang




[clamav-users] What value to put max threads too

2021-03-01 Thread Michael Kyriacou via clamav-users
Hello, I was wondering what value I should set Max Threads to? I am running
an ubuntu machine with 16 cores. I currently have it set to 100. Is this too
much?



Re: [clamav-users] How to exclude specific files from clamdscan

2021-01-28 Thread Michael Kyriacou via clamav-users
Ok thank you very much

On Wed, Jan 27, 2021 at 11:56 AM G.W. Haywood via clamav-users <
clamav-users@lists.clamav.net> wrote:

> Hi there,
>
> On Wed, 27 Jan 2021, Michael Kyriacou via clamav-users wrote:
>
> > Hello, thank you for the response. I tried to reinstall clamav after I
> saw
> > that there was a new update, but when I install it, it installs version
> > 0.102.4.
>
> One of the problems with using packages is that they tend to be out of
> date.  For something like ClamAV I prefer to install from source.
>
> > Could you give me an example of an ‘ExcludePath’ that could do the
> > following:
> >
> > Exclude a file in /path/to/file
>
> ExcludePath ^/path/to/file$
>
> > Exclude a file in /different/path/to/file
>
> ExcludePath ^/different/path/to/file$
>
> > Exclude all files with a .sys extension, regardless of path
>
> ExcludePath .*\.sys$
>
> There are many sources of information and tutorials about regular
> expressions available on the Web.  There are unfortunately a few
> different kinds of regular expressions.  Stick to the POSIX kind
> and you should be OK.  The regexes used in signatures may be of a
> different (and simplified) kind from POSIX expressions, don't get
> confused if you come across them in the signature documentation.
> POSIX expressions work there too, but possibly less efficiently.
>
> Don't forget to restart the clamd daemon after changing clamd.conf
> (or whatever your package calls the configuration file).
>
> --
>
> 73,
> Ged.
>

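As an added example (not ClamAV project code), the POSIX shell script below puts Ged's advice from this thread and from the "Can't allocate memory error" thread into one dry run: it pulls the ExcludePath regexes out of a clamd.conf-style fragment and tests paths against them with grep -E (the POSIX ERE kind he recommends), and it uses find's -size test to leave out files above a byte limit, printing the file list you would then hand to clamdscan --fdpass. The directory tree, the conf fragment and the 16 KiB limit are constructed for the demonstration; clamd itself is not invoked.

```shell
#!/bin/sh
# Added example, not ClamAV project code: dry-run clamd.conf ExcludePath
# regexes (POSIX ERE, matched with grep -E) and a MaxFileSize-style byte
# limit (find -size) against a tree, printing what clamdscan would be given.
# Assumption: the fragment holds one "ExcludePath <ERE>" directive per line.

# exclude_patterns CONF: print the regex of every ExcludePath directive.
# Commented-out directives ("# ExcludePath ...") are not matched.
exclude_patterns() {
    grep '^[[:space:]]*ExcludePath[[:space:]]' "$1" |
        sed 's/^[[:space:]]*ExcludePath[[:space:]]*//; s/[[:space:]]*$//'
}

# path_excluded CONF PATH: succeed if PATH matches any ExcludePath regex.
# A here-document (rather than a pipe) keeps the loop in the current
# shell, so "return" reports the function's result, not a subshell's.
path_excluded() {
    conf=$1 path=$2
    while IFS= read -r re; do
        [ -n "$re" ] || continue
        printf '%s\n' "$path" | grep -Eq -- "$re" && return 0
    done <<EOF
$(exclude_patterns "$conf")
EOF
    return 1
}

# plan_scan ROOT CONF LIMIT: list regular files under ROOT that are at most
# LIMIT bytes and match no ExcludePath regex, sorted, one per line.
plan_scan() {
    root=$1 conf=$2 limit=$3
    # find's "c" unit counts exact bytes and "-N" means strictly smaller.
    find "$root" -type f -size -"$((limit + 1))c" | sort |
        while IFS= read -r f; do
            path_excluded "$conf" "$f" || printf '%s\n' "$f"
        done
}

# make_sample: build a constructed tree under a temp dir (files are 1 KiB,
# except a 64 KiB backup.vhdx) plus a clamd.conf fragment; print the dir.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/scan/mnt1/Users/alice" "$d/scan/mnt2/Boot" \
             "$d/scan/mnt2/Windows/System32/drivers/etc"
    for f in mnt1/pagefile.sys mnt1/Users/alice/report.docx mnt2/Boot/BCD \
             mnt2/Windows/hiberfil.sys mnt2/Windows/System32/drivers/etc/hosts; do
        dd if=/dev/zero of="$d/scan/$f" bs=1024 count=1 2>/dev/null
    done
    dd if=/dev/zero of="$d/scan/mnt1/Users/alice/backup.vhdx" bs=1024 count=64 2>/dev/null
    # Constructed fragment: the two regex shapes from the thread, one exact
    # path and one "any .sys file regardless of path", anchored to this tree.
    cat >"$d/clamd.conf" <<EOF
# constructed clamd.conf fragment for the dry run
ExcludePath ^$d/scan/mnt2/Boot/BCD\$
ExcludePath .*\.sys\$
EOF
    printf '%s\n' "$d"
}

# Stand-alone run: show the plan for the constructed tree with a 16 KiB
# limit, relative to the tree root, then clean up. With a real tree the
# output would be fed to e.g. "xargs clamdscan --fdpass" instead.
demo() {
    d=$(make_sample) || return 1
    plan_scan "$d/scan" "$d/clamd.conf" 16384 | sed "s|^$d/scan/||"
    rm -rf "$d"
}
demo
```

Note that System32/drivers/etc/hosts survives the dry run: `.*\.sys$` only matches a path that ends in `.sys`, so "System" in a directory name is not enough to exclude it.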


Re: [clamav-users] How to exclude specific files from clamdscan

2021-01-27 Thread Michael Kyriacou via clamav-users
Hello, thank you for the response. I tried to reinstall clamav after I saw
that there was a new update, but when I install it, it installs version
0.102.4.

Could you give me an example of an ‘ExcludePath’ that could do the
following:

Exclude a file in /path/to/file
Exclude a file in /different/path/to/file
Exclude all files with a .sys extension, regardless of path

P.S. I am mounting many file systems on a system, and scanning all the
files in them.


On Wed, Jan 27, 2021 at 10:41 AM G.W. Haywood via clamav-users <
clamav-users@lists.clamav.net> wrote:

> Hi there,
>
> On Wed, 27 Jan 2021, Michael Kyriacou via clamav-users wrote:
>
> > ... I am using clamav version 0.102.4, on Ubuntu 20.04.
>
> You really should be upgrading to the latest version.
>
> > I want clamd to exclude all pagefile.sys files it finds when scanning
> > mounted filesystems. Currently, it scans them. Is there any way to do
> this?
> > I know on the source version you can add “Exclude Path”, but I’m not sure
> > if it works on the non-source version.
>
> Unless the package maintainer has done something staggeringly foolish,
> it will work the same whether you build from source or use a package.
>
> > Additionally, it may get more complicated as the path to the pagefile.sys
> > is not the same for each file system. Is there a way to exclude a
> specific
> > file that matches a .sys extension?
>
> The 'ExcludePath' (not 'Exclude Path') directive takes as its argument
> a regular expression.  You just need to fabricate a regular expression
> which matches all the files you don't want to scan.  You can have more
> than one 'ExcludePath' directive in the configuration file if you wish
> and that might help if the regex gets unwieldy.
>
> Feel free to experiment while looking at the verbose logs, no harm will
> be done.
>
> You could instead of course move your page files to some other place,
> which won't be scanned.
>
> --
>
> 73,
> Ged.
>



[clamav-users] How to exclude specific files from clamdscan

2021-01-27 Thread Michael Kyriacou via clamav-users
Hello again! I am using clamav version 0.102.4, on Ubuntu 20.04.

I want clamd to exclude all pagefile.sys files it finds when scanning
mounted filesystems. Currently, it scans them. Is there any way to do this?
I know on the source version you can add “Exclude Path”, but I’m not sure
if it works on the non-source version.

Additionally, it may get more complicated as the path to the pagefile.sys
is not the same for each file system. Is there a way to exclude a specific
file that matches a .sys extension?



[clamav-users] Clamdscan is scanning files larger than 4GB

2021-01-18 Thread Michael Kyriacou via clamav-users
Hello! I am using clamav version 0.102.4, on Ubuntu 20.04.
I configured MaxFileSize and MaxScanSize to be 10M. When I scan files
larger than that, it returns with an OK, telling me that it scanned them.

It seems to me that clamdscan is completely ignoring this configuration. Is
there something I’m doing wrong?



Re: [clamav-users] Freshclam can't get started

2020-10-03 Thread Michael Orlitzky via clamav-users
On 2020-10-03 16:39, Matthew Campbell via clamav-users wrote:
> Directory permissions for /var/local/clamav are 06770 owned by clamav:clamav.

So the clamav user can't traverse that directory? (You should also set
that mode o-w, at the very least, or risk exploits.)



Re: [clamav-users] freshclam leaving files in /tmp

2020-09-29 Thread Michael Orlitzky via clamav-users
On 2020-09-29 08:30, Duncan Berriman via clamav-users wrote:
> Good point. I will sort it out.
> 
> Perhaps the example conf files should use/suggest a better location.

Soonish:

 https://github.com/Cisco-Talos/clamav-devel/pull/132/commits/d078ea13

The main roadblock is that the service manager (systemd, OpenRC, SysV
init...) needs to know about that location, too, so that it can create
the parent directory and make it writable to (only) the user/group that
clamd is running as.

I'm only guessing, but /tmp/clamd.sock was probably chosen because it
works "out of the box," by virtue of /tmp being world-writable. Of
course, that's why you should NOT use it...



Re: [clamav-users] freshclam leaving files in /tmp

2020-09-29 Thread Michael Orlitzky via clamav-users
On 2020-09-29 07:18, Duncan Berriman via clamav-users wrote:
> Hi,
> 
> Each time freshclam runs automatically via clamd it is leaving 2
> temporary files in /tmp.
> 
> -rw---   1 root   root         0 Sep 29 09:17 tmp.UdjG3Qnk4E
> ...
> srw-rw-rw-   1 root   root         0 Sep 29 11:00 clamd.socket
> -rw-r-   1 clamav clamav     377 Sep 29 11:11 ClamAV.update.log
> 

Off-topic: you shouldn't use /tmp for the clamd socket, or anything else
with a predictable name (that's why all the other tmp.* files have
"random" names). Anyone on the machine can create (and thus own) that
file after the machine reboots, leading to security issues.



Re: [clamav-users] ClamAV 0.103.0 release candidate - systemd service start fails

2020-08-21 Thread Michael Orlitzky via clamav-users
On 2020-08-21 11:29, Arjen de Korte via clamav-users wrote:
> 
>>   # ps ax | grep clamd
>>   7436 ?        Ssl    0:25 sbin/clamd
> 
>  # ps ax | grep clamd
>  7840 pts/2    S+     0:00 /usr/sbin/clamd --debug
>  7841 ?        Ssl    0:38 /usr/sbin/clamd --debug
> 
> Previously I've waited for more than an hour, no change. The process  
> running under root never exits.
> 

Ok, I can confirm this! After setting

  User clamav

in clamd.conf, I've seen the root process get stuck as well. That's not
an intended effect of the PID file change.




Re: [clamav-users] ClamAV 0.103.0 release candidate - systemd service start fails

2020-08-21 Thread Michael Orlitzky via clamav-users
On 2020-08-21 09:38, Arjen de Korte via clamav-users wrote:
>>
>> However, systemd isn't the only service manager, and the problem still
>> exists in all of the other ones. Systemd is able to avail itself of
>> platform-specific features in brand-new Linux kernels. SysV init,
>> OpenRC, and others must stick to real or de-facto standard tools, and
>> there is no standard way to implement what systemd says they've done.
> 
> That may be, but now you have replaced it with two processes that run  
> in the foreground, one of them as unprivileged user and one as root  
> (probably to delete the PIDFile upon exit). I don't consider this  
> progress.
> 

The clamd process starts in the foreground, and then forks (a new
process) to the background. The PID file should contain the PID of the
forked process. No root process should be left running in the
foreground; the service manager is in charge of cleaning up the file.


>>
>> That's fine, now you just need to synchronize the PIDFile and PidFile
>> entries in your systemd service and clamd.conf, respectively.
> 
> No, as stated before, systemd doesn't need the PIDFile at all. It  
> keeps track of the processes it started without the help of a PIDFile.  
> It *can* use a PIDFile if you provide it with one and the only thing  
> it will do with that is to remove that file if the service doesn't do  
> it itself upon exit. Nothing more, it is not used for process control.  
> There is absolutely no need for a PIDFile in the clamd.service, even  
> with Type=forking.

Systemd tries to guess the PID file with Type=forking when you don't
provide one (the GuessMainPID option). Either way, systemd does need to
know the PID file's location -- the only question is whether or not it's
able to guess. Something isn't working, so to rule some things out, it
might help to point it at the PID file manually.


>> Well empirically that's not true, because it isn't working. Add PIDFile
>> entries to your service files when using Type=forking, and synchronize
>> them with the PidFile lines in clamd.conf and freshclam.conf.
> 
> Makes no difference at all. Even without using systemd, clamd doesn't  
> daemonize anymore, it will always run in the foreground.

How long have you waited for clamd to start? With git head (and only
official signatures), it takes about 25 seconds here:

  # time sbin/clamd

  real  0m25.409s
  user  0m0.005s
  sys   0m0.005s

but after that the process does indeed fork into the background. If it
doesn't, maybe we're looking in the wrong place. The PID file also
points to the correct (forked) process in my case:

  # cat run/clamd.pid
  7436
  # ps ax | grep clamd
  7436 ?        Ssl    0:25 sbin/clamd



Re: [clamav-users] ClamAV 0.103.0 release candidate - systemd service start fails

2020-08-21 Thread Michael Orlitzky via clamav-users
On 2020-08-21 08:11, Arjen de Korte via clamav-users wrote:
> 
> Not unconditionally. See the following from 'man 5 systemd.service':
> 
> "The PID file does not need to be owned by a privileged user, but if it
>  is owned by an unprivileged user additional safety restrictions are
>  enforced: the file may not be a symlink to a file owned by a different
>  user (neither directly nor indirectly), and the PID file must refer to
>  a process already belonging to the service."
> 

FWIW this was committed on Jan 8th 2018, and solves the problem by
keeping a separate pid <-> process <-> service map that's writable only
by root. The patch in question provides the same security to other
service managers.



Re: [clamav-users] ClamAV 0.103.0 release candidate - systemd service start fails

2020-08-21 Thread Michael Orlitzky via clamav-users
On 2020-08-21 08:11, Arjen de Korte via clamav-users wrote:
> Quoting Michael Orlitzky via clamav-users:
> 
>> On 2020-08-21 04:45, Arjen de Korte via clamav-users wrote:
>>>
>>> It is not clear to me what problem this patch intends to solve (for a
>>> systemd service it is absolutely not required from a security point of
>>> view). The PIDFile should be writable by vscan user only anyway.
>>>
>>
>> With a Type=forking service, systemd will send SIGTERM to the contents
>> of the PID file as root.
> 
> Not unconditionally. See the following from 'man 5 systemd.service':
> 
> "The PID file does not need to be owned by a privileged user, but if it
>  is owned by an unprivileged user additional safety restrictions are
>  enforced: the file may not be a symlink to a file owned by a different
>  user (neither directly nor indirectly), and the PID file must refer to
>  a process already belonging to the service."
> 

That's good to hear (and is news to me), and maybe they've found another
way to prevent this vulnerability in systemd.


>> If the "vscan" user can put whatever he wants
>> in the PID file, then he can kill root processes.
> 
> See above: you're trying to fix a problem that doesn't exist.

However, systemd isn't the only service manager, and the problem still
exists in all of the other ones. Systemd is able to avail itself of
platform-specific features in brand-new Linux kernels. SysV init,
OpenRC, and others must stick to real or de-facto standard tools, and
there is no standard way to implement what systemd says they've done.


>> Are you using the upstream systemd service?
> 
> No, we're using "Type=forking" since the clamd.service can take  
> several minutes to start and we don't want to start services that  
> depend on it before it actually finished starting up. Creating the  
> socket beforehand is not a solution, as clamd won't start serving any  
> requests until it has actually finished starting up.

That's fine, now you just need to synchronize the PIDFile and PidFile
entries in your systemd service and clamd.conf, respectively. I suggest
/run/clamd.pid, or any other location that is writable only by root.


>> It defaults to Type=simple, and runs clamd in the foreground.
> 
> See above. Actually, with this patch clamd will always run in the  
> foreground, as daemonizing is now completely broken. Up to and  
> including 0.102.4, starting clamd on the commandline without any  
> further options would just start the daemon and return. Now, it never  
> returns.

That's not true, your service file just needs to know where the PID file
lives. It always did, but somehow it managed to not crash in the past.


>> In that case, your clamd daemon
>> shouldn't be creating a PID file at all -- systemd should take care of
>> it when it shoves the process into the background. PidFile should be
>> left unset in clamd.conf.
> 
> There is no PIDFile in the clamd.service file as systemd doesn't need  
> that here (even when running as Type=forking). The same goes for  
> freshclam.service. Systemd has other ways to keep track of which  
> processes it has started and will not use the PIDFile unless you tell  
> it to do so (with the above mentioned restrictions).

Well empirically that's not true, because it isn't working. Add PIDFile
entries to your service files when using Type=forking, and synchronize
them with the PidFile lines in clamd.conf and freshclam.conf.



Re: [clamav-users] ClamAV 0.103.0 release candidate - systemd service start fails

2020-08-21 Thread Michael Orlitzky via clamav-users
On 2020-08-21 04:45, Arjen de Korte via clamav-users wrote:
> 
> It is not clear to me what problem this patch intends to solve (for a  
> systemd service it is absolutely not required from a security point of  
> view). The PIDFile should be writable by vscan user only anyway.
> 

With a Type=forking service, systemd will send SIGTERM to the contents
of the PID file as root. If the "vscan" user can put whatever he wants
in the PID file, then he can kill root processes.

Are you using the upstream systemd service? It defaults to Type=simple,
and runs clamd in the foreground. In that case, your clamd daemon
shouldn't be creating a PID file at all -- systemd should take care of
it when it shoves the process into the background. PidFile should be
left unset in clamd.conf.


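Added example, not systemd's or ClamAV's code: what the restrictions quoted from systemd.service(5) earlier in this thread (the PID file may not be a symlink, and must name a process that already belongs to the service) look like as a check that a service manager, or a SysV/OpenRC stop script, could run before it signals anything. It assumes Linux, because it uses the ownership of /proc/<pid> to decide which user a PID belongs to; the pid files demo() writes under /tmp are constructed for the test. One caveat: O_NOFOLLOW refuses a symlink only as the last path component, so a symlinked parent directory still needs the component-by-component openat() walk discussed in the 0.102.4 compile thread further down.

```c
/* Added example (not systemd's or ClamAV's code): validate a PID file the way
 * systemd.service(5) describes before anything sends it a signal.  Linux only
 * (uses /proc/<pid> ownership); the files demo() writes under /tmp are constructed. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

enum pidfile_status {
    PIDFILE_OK = 0,
    PIDFILE_OPEN_FAILED,   /* missing, unreadable, or a symlink (O_NOFOLLOW refuses it) */
    PIDFILE_NOT_REGULAR,   /* a FIFO or device where a plain file was expected */
    PIDFILE_BAD_OWNER,     /* written by neither root nor the service user */
    PIDFILE_BAD_CONTENT,   /* not a single positive integer */
    PIDFILE_NO_SUCH_PROC,  /* stale: no process with that PID */
    PIDFILE_FOREIGN_PROC   /* live, but owned by someone else: never signal it */
};

/* Read and validate path.  svc_uid is the unprivileged user the service runs
 * as.  Only on PIDFILE_OK is *pid_out a PID the caller may signal. */
static enum pidfile_status read_pidfile(const char *path, uid_t svc_uid, pid_t *pid_out)
{
    char buf[32], procpath[64], *end;
    struct stat st;
    ssize_t n;
    long pid;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC | O_NOCTTY);

    if (fd < 0) return PIDFILE_OPEN_FAILED;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) { close(fd); return PIDFILE_NOT_REGULAR; }
    if (st.st_uid != 0 && st.st_uid != svc_uid) { close(fd); return PIDFILE_BAD_OWNER; }
    n = read(fd, buf, sizeof buf - 1);
    close(fd);
    if (n <= 0) return PIDFILE_BAD_CONTENT;
    buf[n] = '\0';
    errno = 0;
    pid = strtol(buf, &end, 10);
    if (errno != 0 || end == buf || pid <= 0 || pid > 4194304) return PIDFILE_BAD_CONTENT;
    while (*end == '\n' || *end == ' ') end++;   /* trailing newline is fine, anything else is not */
    if (*end != '\0') return PIDFILE_BAD_CONTENT;
    /* /proc/<pid> is owned by the uid the process runs as, which gives us the
     * "must refer to a process already belonging to the service" rule. */
    snprintf(procpath, sizeof procpath, "/proc/%ld", pid);
    if (stat(procpath, &st) != 0) return PIDFILE_NO_SUCH_PROC;
    if (st.st_uid != svc_uid) return PIDFILE_FOREIGN_PROC;
    *pid_out = (pid_t)pid;
    return PIDFILE_OK;
}

/* Constructed fixture: a pid file naming this process, a symlink to it, and
 * one naming a PID that is not running.  Returns 0 when every verdict matches. */
static int demo(void)
{
    char dir[] = "/tmp/pidfile-check-XXXXXX";
    char real[64], via_link[64], stale[64];
    pid_t pid = 0;
    FILE *f;
    int r_real, r_link, r_stale, r_foreign;

    if (!mkdtemp(dir)) return -1;
    snprintf(real, sizeof real, "%s/clamd.pid", dir);
    snprintf(via_link, sizeof via_link, "%s/link.pid", dir);
    snprintf(stale, sizeof stale, "%s/stale.pid", dir);
    if (!(f = fopen(real, "w"))) return -1;
    fprintf(f, "%ld\n", (long)getpid()); fclose(f);
    if (!(f = fopen(stale, "w"))) return -1;
    fprintf(f, "4194303\n"); fclose(f);                 /* almost certainly not a live PID */
    if (symlink(real, via_link) != 0) return -1;

    r_real    = read_pidfile(real, getuid(), &pid);
    r_link    = read_pidfile(via_link, getuid(), &pid);
    r_stale   = read_pidfile(stale, getuid(), &pid);
    r_foreign = read_pidfile(real, getuid() + 1, &pid);  /* right file, wrong service user */

    unlink(via_link); unlink(stale); unlink(real); rmdir(dir);
    if (r_real != PIDFILE_OK || pid != getpid()) return 1;
    if (r_link != PIDFILE_OPEN_FAILED) return 2;
    if (r_stale != PIDFILE_NO_SUCH_PROC) return 3;
    if (r_foreign != PIDFILE_FOREIGN_PROC) return 4;
    return 0;
}

int main(void)
{
    int rc = demo();
    printf("pid file checks: %s (%d)\n", rc == 0 ? "all verdicts as expected" : "mismatch", rc);
    return rc == 0 ? 0 : 1;
}
```

The ownership check on /proc/<pid> is what makes the "kill root processes" scenario from this reply fail closed: a PID that resolves to a root-owned process is reported as PIDFILE_FOREIGN_PROC and never handed back to the caller, whatever the file says.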


Re: [clamav-users] Problems compiling 0.102.4 on OLD system

2020-07-16 Thread Michael Orlitzky via clamav-users
On 2020-07-16 19:10, Michael Orlitzky via clamav-users wrote:
> 
> Micah: openat() only provides "one level of safety" in that when opening
> /foo/bar/baz, it ensures that "baz" is where you think it is. You may
> want to investigate whether or not an attacker can replace "bar" by a
> symlink in that situation. 

False alarm, I guess this is the problem that was reported because the
fix already traverses the path from the root upwards.



Re: [clamav-users] Problems compiling 0.102.4 on OLD system

2020-07-16 Thread Michael Orlitzky via clamav-users
On 2020-07-16 17:22, Kevin A. McGrail via clamav-users wrote:
> Hi, I have an old system I'm compiling.
> 
> I have 0.102.3 working on it.
> 
> Here's the config line:
> 
> ...
>   CCLD clamscan
> actions.o: In function `traverse_to':
> ../shared/actions.c:328: undefined reference to `openat'
> actions.o: In function `traverse_unlink':
> ../shared/actions.c:568: undefined reference to `unlinkat'
> actions.o: In function `action_move':
> ../shared/actions.c:455: undefined reference to `renameat'

This is from the fix for CVE-2020-3350. The "at" system calls are
POSIX.1-2008 and are more or less necessary to handle links safely.
ClamAV have gone out of their way to provide a compatibility function on
Windows, though, so maybe you're not totally out of luck.

Micah: openat() only provides "one level of safety" in that when opening
/foo/bar/baz, it ensures that "baz" is where you think it is. You may
want to investigate whether or not an attacker can replace "bar" by a
symlink in that situation. Other programs address this same problem by
running openat() on /, /foo, /foo/bar, and then /foo/bar/baz all in
succession to ensure that everything is trustworthy (the root is assumed
to be sacred). See http://michael.orlitzky.com/cves/cve-2018-6954.xhtml.



[clamav-users] Trouble installing clamav on AIX 7.1(Errors)

2020-04-09 Thread Michael Kyriacou via clamav-users
Hello, on AIX 7.1, I am having trouble installing clamav 0.101 or 0.102. I
run into these errors when I try to use "make". Any help would be much
appreciated.

ld: 0711-317 ERROR: Undefined symbol: .flock
ld: 0711-345 Use the -bloadmap or -bnoquiet option to obtain more information.
collect2: error: ld returned 8 exit status
make: The error code from the last command is 1.


Stop.
make: The error code from the last command is 1.


Stop.
make: The error code from the last command is 2.


Stop.
make: The error code from the last command is 1.


Stop.
make: The error code from the last command is 2.


Stop.

Also, this is the other error seen for make:

###
CC   libclamav_la-matcher-hash.lo
In file included from fmap.h:30,
                 from filetypes.h:28,
                 from matcher.h:28,
                 from matcher-hash.c:25:
/opt/freeware/lib/gcc/powerpc-ibm-aix7.1.0.0/8.3.0/include-fixed/unistd.h:210:16: error: conflicting types for 'lseek64'
 extern off64_t lseek64(int, off64_t, int);
                ^~~
/opt/freeware/lib/gcc/powerpc-ibm-aix7.1.0.0/8.3.0/include-fixed/unistd.h:208:14: note: previous declaration of 'lseek64' was here
 extern off_t lseek(int, off_t, int);
              ^
In file included from /opt/freeware/lib/gcc/powerpc-ibm-aix7.1.0.0/8.3.0/include-fixed/unistd.h:866,
                 from fmap.h:30,
                 from filetypes.h:28,
                 from matcher.h:28,
                 from matcher-hash.c:25:
/usr/include/sys/lockf.h:64:13: error: conflicting types for 'lockf64'
  extern int lockf64 (int, int, off64_t);
             ^~~
/usr/include/sys/lockf.h:62:13: note: previous declaration of 'lockf64' was here
  extern int lockf (int, int, off_t);
             ^
In file included from fmap.h:30,
                 from filetypes.h:28,
                 from matcher.h:28,
                 from matcher-hash.c:25:
/opt/freeware/lib/gcc/powerpc-ibm-aix7.1.0.0/8.3.0/include-fixed/unistd.h:939:14: error: conflicting types for 'ftruncate64'
  extern int  ftruncate64(int, off64_t);
              ^~~
In file included from fmap.h:30,
                 from filetypes.h:28,
                 from matcher.h:28,
                 from matcher-hash.c:25:
/opt/freeware/lib/gcc/powerpc-ibm-aix7.1.0.0/8.3.0/include-fixed/unistd.h:937:14: note: previous declaration of 'ftruncate64' was here
  extern int  ftruncate(int, off_t);
              ^
In file included from fmap.h:30,
                 from filetypes.h:28,
                 from matcher.h:28,
                 from matcher-hash.c:25:
/opt/freeware/lib/gcc/powerpc-ibm-aix7.1.0.0/8.3.0/include-fixed/unistd.h:996:14: error: conflicting types for 'truncate64'
  extern int  truncate64(const char *, off64_t);
              ^~
In file included from fmap.h:30,
                 from filetypes.h:28,
                 from matcher.h:28,
                 from matcher-hash.c:25:
/opt/freeware/lib/gcc/powerpc-ibm-aix7.1.0.0/8.3.0/include-fixed/unistd.h:994:14: note: previous declaration of 'truncate64' was here
  extern int  truncate(const char *, off_t);
              ^~~~
In file included from fmap.h:30,
                 from filetypes.h:28,
                 from matcher.h:28,
                 from matcher-hash.c:25:
/opt/freeware/lib/gcc/powerpc-ibm-aix7.1.0.0/8.3.0/include-fixed/unistd.h:1015:18: error: conflicting types for 'pread64'
  extern ssize_t  pread64(int, void *, size_t, off64_t);
                  ^~~
/opt/freeware/lib/gcc/powerpc-ibm-aix7.1.0.0/8.3.0/include-fixed/unistd.h:1012:18: note: previous declaration of 'pread64' was here
  extern ssize_t  pread(int, void *, size_t, off_t);
                  ^
/opt/freeware/lib/gcc/powerpc-ibm-aix7.1.0.0/8.3.0/include-fixed/unistd.h:1016:18: error: conflicting types for 'pwrite64'
  extern ssize_t  pwrite64(int, const void *, size_t, off64_t);
                  ^~~~
/opt/freeware/lib/gcc/powerpc-ibm-aix7.1.0.0/8.3.0/include-fixed/unistd.h:1013:18: note: previous declaration of 'pwrite64' was here
  extern ssize_t  pwrite(int, const void *, size_t, off_t);
                  ^~
/opt/freeware/lib/gcc/powerpc-ibm-aix7.1.0.0/8.3.0/include-fixed/unistd.h:1105:17: error: conflicting types for 'fclear64'
  extern off64_t fclear64(int, off64_t);
                 ^~~~
/opt/freeware/lib/gcc/powerpc-ibm-aix7.1.0.0/8.3.0/include-fixed/unistd.h:1102:15: note: previous declaration of 'fclear64' was here
  extern off_t fclear(int, off_t);
               ^~
/opt/freeware/lib/gcc/powerpc-ibm-aix7.1.0.0/8.3.0/include-fixed/unistd.h:1106:13: error: conflicting types for 'fsync_range64'
  extern int fsync_range64(int, int, off64_t, off64_t);
             ^
/opt/freeware/lib/gcc/powerpc-ibm-aix7.1.0.0/8.3.0/include-fixed/unistd.h:1103:13: note: previous declaration of 'fsync_range64' was here
  extern int 

Re: [clamav-users] unable to build with --enable-libclamav-only

2020-02-25 Thread Michael Orlitzky via clamav-users
On 2/25/20 4:32 AM, Per Jessen wrote:
> 
> Okay, thanks for letting me know.  I guess it would be easy to update in
> configure.ac ? 
> 

I think it's in m4/reorganization/libs/curl.m4, but basically yes.



Re: [clamav-users] unable to build with --enable-libclamav-only

2020-02-24 Thread Michael Orlitzky via clamav-users
On 2/24/20 5:28 AM, Per Jessen wrote:
> I've just stumbled on this new config
> option - "--enable-libclamav-only ".  However, I still get complaints
> about libcurl (for freshclam and clamdsubmit) ? 
> 

I reported this already (bug is still private):

  https://bugzilla.clamav.net/show_bug.cgi?id=12494

It's just a bug in the build system, nothing exciting.



Re: [clamav-users] [External] Re: ClamAV® blog: ClamAV 0.102.2 security patch released

2020-02-06 Thread Michael Orlitzky via clamav-users
On 2/6/20 5:28 AM, G.W. Haywood via clamav-users wrote:
> 
> I am familiar with the UI of the bug tracking software at the ClamAV
> Bugzilla.  It has a drop-down box which gives an option to mark a new
> issue with "security" - but that is not the default, and I do not know
> of any "security" box, which is why I asked the question.

When you create a new bug, it automatically gets marked as being a
private "security" bug until someone comes along and undoes that.



Re: [clamav-users] ClamAV® blog: ClamAV 0.102.2 security patch released

2020-02-05 Thread Michael Orlitzky via clamav-users
On 2/5/20 12:29 PM, Joel Esler (jesler) via clamav-users wrote:
> 
> ClamAV 0.102.2 is a security patch release to address the following issues.

Off-topic: please help us help you. It would make tracking what issues
are (not) fixed a lot easier for us downstream if we could see the bugs
on bugzilla. In practice, no one ever unchecks the "security" box and
trivial issues are invisible for years.



Re: [clamav-users] clamav-unofficial-sigs download script updated

2020-02-04 Thread Michael Orlitzky via clamav-users
On 2/4/20 9:08 PM, Ralph Seichter via clamav-users wrote:
> 
> Opening a ticket reading "Your script is broken and should be rewritten
> from the ground up" does not seem a viable option to me.

My feeling as well. I can rattle off a hundred things,

  * The --install-man option is dumb, just include the man page.
  * The --install-logrotate option is dumb, just include it.
  * The --install-cron option is dumb, just include it.
  * The systemd files are included separately, but the paths aren't
    configurable (which is to say, they're wrong everywhere) and run as
    root.
  * The --install-all option is dumb, use a build system. make install.
  * Running as root to configure everything is dumb, use a build system.
    make install.
  * The implementation of the installation/configuration as root is
    wildly insecure.
  * The --remove-script option is dumb, we have package managers, or
    make uninstall (use a build system), or plain rm -r.
  * The --upgrade options are dumb, we have package managers, or (use a
    build system) make install.
  * Every call to chown/chmod is wrong: you're accessing files created
    by yourself. Set the umask how you want it, and if users have
    issues, troubleshoot them. They did something wrong.
  * Trying to enumerate every possible system configuration in config/os
    is ridiculous, let those distros configure your package (make it
    easy, use a build system).
  * Having multiple levels of configuration files (master, os, user) is
    ridiculous, there should be one file and its values should be set
    before you install the thing. Then you don't need a complicated
    system of run-time overrides.
  * There are standard ways to do integrity checking, let's use them.
  * You don't need to check for wget, curl, clamscan, etc. every time
    the script runs. Do it during the installation.
  * You don't need to run "sudo" in crontab.
  * Most errors are uncaught, because bash scripts don't care if a
    command succeeds. The script then eventually exits with success
    and the cron job doesn't notify you.
  * Errors should be printed to stderr.
  ...

but I don't think that's going to have the intended effect. If you don't
have anything nice to say, and all that. I am instead holding my breath
until freshclam learns how to do this. The main functionality is
straightforward. Only the special cases like MalwarePatrol are tricky
(and that's broken right now).



Re: [clamav-users] clamav-unofficial-sigs download script updated

2020-02-04 Thread Michael Orlitzky via clamav-users
On 2/4/20 8:50 PM, James Brown via clamav-users wrote:
> 
> The author of the script probably does not read this mailing list.
> 
> Have you put your concerns into the issue tracker on GitHub?
> 
> https://github.com/extremeshok/clamav-unofficial-sigs/issues
> 

Yes, but... there's no way to put this gently: things get worse every
time an issue is fixed.



Re: [clamav-users] clamav-unofficial-sigs download script updated

2020-02-04 Thread Michael Orlitzky via clamav-users
On 1/31/20 10:01 AM, Reio Remma via clamav-users wrote:
> 
> The way it's set up is that it needs to be ran as root once to have it 
> set itself up. From cron it runs as clamav user.
> 

The upstream systemd service runs as root as well. And from a distro
point of view, it's just bad mojo to install vulnerable scripts to
root's $PATH.

I've been dragging my feet on these updates because I don't know how to
fix this. The least-bad idea I have so far is to just patch the script
to die if it's run as EUID == 0.

But the rest of the script is even more insane, doing things like using
the following as an integrity check:

  if [ "$(tail -n 1 "${0}" | head -n 1 | cut -c 1-7)" != "exit \$?" ];
  then
      echo "FATAL ERROR: Script is incomplete, please redownload"
      exit 1
  fi

I don't even know how to file a bug report for that =P



Re: [clamav-users] clamav-unofficial-sigs download script updated

2020-01-31 Thread Michael Orlitzky via clamav-users
On 1/31/20 2:47 AM, Steve Basford wrote:
> Hi All,
> 
> eXtremeSHOK.com's clamav-unofficial-sigs download script has been 
> updated:
> 
> https://github.com/extremeshok/clamav-unofficial-sigs
> 
> Change Log
> 
> Version 7.0.1 (Updated 25 January 2020)
> 

Beware, as of a few versions ago this script is filled with a million
unsafe uses of chown and chmod, running as root. The script should never
be using chown/chmod in the first place, so all of these are wrong,

  $ grep 'chown\|chmod' clamav-unofficial-sigs.sh | wc -l
  40

and many of them are exploitable if the clamav user swaps out one of the
targets for a symlink pointing to e.g. /etc/passwd. And since the script
runs on a predictable schedule, you have all the time in the world to do
that.



Re: [clamav-users] Clamscan taking a very long time

2020-01-06 Thread Michael Newman via clamav-users
G.W. Haywood wrote:

> It's easier to parse logs with 'grep' than it is to tweak the syslog
> rule, but aren't we straying from the subject a little?  Your logs
> should have timestamps, which will tell you what's taking the time.

Nope. I give up. No more ClamAV for me. Clearly, I'm not smart enough to figure 
out how to use it.




Re: [clamav-users] Clamscan taking a very long time

2020-01-05 Thread Michael Newman via clamav-users
> G.W. Haywood wrote:

> So I guess the errors that you're asking about are noted amongst the 7000+
> lines of output of which you have possession.  You might want to look
> into some of the text processing tools available, such as 'grep'.

Using the --quiet option only logs error messages including infected files.

Combining that with the --infected option (Only print infected files) means that 
non-infected files that produced an error are not logged.

Removing the --infected option from the command in my script results in a log 
that includes both infected files and files that produced an error or warning. 
No need for debug or grep.

I included the following file in a test scan:

-rw---   1 root  wheel  428688 Jan  5 06:02 clam.txt

I also included testfile.txt, the Eicar-Test-Signature

Here's the log file:

=
/users/mnewman/desktop/bw.log: Empty file
/users/mnewman/desktop/.localized: Empty file
/users/mnewman/desktop/clam.txt: Access denied
/users/mnewman/desktop/Relocated Items: Symbolic link
/users/mnewman/desktop/PowerWalker: Symbolic link
/users/mnewman/desktop/testfile.txt: Eicar-Test-Signature FOUND

--- SCAN SUMMARY ---
Known viruses: 6643097
Engine version: 0.102.1
Scanned directories: 1
Scanned files: 52
Infected files: 1
Total errors: 1
Data scanned: 13.82 MB
Data read: 78.07 MB (ratio 0.18:1)
Time: 10.505 sec (0 m 10 s)
=

I'm assuming that "Access denied" is the error mentioned in the summary and 
that the other files listed are in the nature of warnings.

If I run that same scan using the --infected option, I get this log which does 
not include the error and warnings:

=
/users/mnewman/desktop/testfile.txt: Eicar-Test-Signature FOUND

--- SCAN SUMMARY ---
Known viruses: 6643097
Engine version: 0.102.1
Scanned directories: 1
Scanned files: 52
Infected files: 1
Total errors: 1
Data scanned: 13.82 MB
Data read: 78.07 MB (ratio 0.18:1)
Time: 10.282 sec (0 m 10 s)
=

I haven't been able to find a way to log only errors and not warnings.




Re: [clamav-users] Clamscan taking a very long time

2020-01-04 Thread Michael Newman via clamav-users


> On Jan 5, 2020, at 00:00 ,G.W. Haywood wrote:
> 
> 
> Look at the 'LogVerbose' and 'Debug' directives.

The LogVerbose directive seems to do the same thing as the -v parameter with 
clamscan. All that does is list every file that is checked. It also tells 
whether or not the file is OK.

The Debug directive seems to do the same thing as the --debug parameter of 
clamscan. When scanning my desktop with 47 files it produced over 7000 lines of 
output, most of which I don't understand.

Is there no easy way to find out exactly what:

Total errors: 4

means and what those errors were?

I see that this question has been asked and not answered before:

https://superuser.com/questions/842916/clamav-shows-errors-found-but-how-to-find-out-what-they-are

https://askubuntu.com/questions/295477/meaning-of-total-errors-on-result-of-clamav-scan

So, I guess the answer is "No".





Re: [clamav-users] Clamscan taking a very long time

2020-01-03 Thread Michael Newman via clamav-users
Allan Mui wrote:
> Are you building with the latest Xcode and brew dependent packages
I installed with MacPorts and let MacPorts take care of everything.

Al Varnell wrote:
> Most error reports involve files that cannot be completely scanned, either 
> because the user lacks read permission or the file exceeds one of the limits 
> imposed by a configuration parameter.
Normally those sorts of errors are logged by the command that I'm using. Here's 
an example:

WARNING: Can't open file 
/Users/mnewman/Library/Preferences/com.apple.AddressBook.plist: Operation not 
permitted

The four errors I got with yesterday's scan were not logged, so I have no idea 
what they were.

G.W. Haywood wrote:
> The OP could try: man clamd.conf
I've looked through there and don't find anything about logging errors. Could 
you help by letting me know what I should change?

Mike Newman
Korat, Thailand


Re: [clamav-users] Clamscan taking a very long time

2020-01-02 Thread Michael Newman via clamav-users

On Jan 3, 2020, at 00:00, G.W. Haywood wrote:

> Please define "suddenly".

Suddenly means that the scan on December 17th took about two hours:

  Time: 7569.856 sec (126 m 9 s)

and the next scan, on December 24th took about nine hours:

  Time: 35785.296 sec (596 m 25 s)

Both scans used:

  Engine version: 0.102.1

> In any case I'd want to know what all those errors are.

So would I. Both of the above scans had:

  Total errors: 49

I scanned again removing --quiet, but there’s no indication as to what those 
errors are. 

Today there were just 4 errors.

I’ve searched and looked through the ClamAV documentation but haven’t been 
smart enough to find a definition for "Total errors:". Does anyone know what it 
means?

> What has ClamAV found that you think shouldn't have been there?

Nothing. The only problem is that several scans took nine hours when, over the 
past couple of years, every scan has taken about two hours. Today’s scan, with 
--quiet removed, took about two and a half hours.

I’d like to know why the recent scans have taken so long.

Here’s the result of today’s scan:

=

Fri Jan  3 04:44:09 +07 2020 Start clamscan
/Users/mnewman/Library/Mail/V7/40D4A1AB-4AC4-4D92-94A8-ACCBACCBB2CB/Deleted Messages.mbox/96546A05-A248-4911-AD12-0E19978E6803/Data/4/7/4/Messages/474077.partial.emlx: Heuristics.Phishing.Email.SpoofedDomain FOUND
/Users/mnewman/Library/Mail/V7/40D4A1AB-4AC4-4D92-94A8-ACCBACCBB2CB/Deleted Messages.mbox/96546A05-A248-4911-AD12-0E19978E6803/Data/4/7/4/Messages/474077.partial.emlx: Heuristics.Phishing.Email.SpoofedDomain FOUND
/Users/mnewman/Library/Mail/V7/40D4A1AB-4AC4-4D92-94A8-ACCBACCBB2CB/Deleted Messages.mbox/96546A05-A248-4911-AD12-0E19978E6803/Data/4/7/4/Messages/474077.partial.emlx: Heuristics.Phishing.Email.SpoofedDomain FOUND
/Users/mnewman/Library/testfile.txt: Eicar-Test-Signature FOUND
--- SCAN SUMMARY ---
Known viruses: 6643097
Engine version: 0.102.1
Scanned directories: 249364
Scanned files: 694140
Infected files: 1
Total errors: 4
Data scanned: 70545.69 MB
Data read: 73821.73 MB (ratio 0.96:1)
Time: 9886.090 sec (164 m 46 s)
ClamAV scan finished: Fri Jan 3 07:28:55 +07 2020




[clamav-users] Clamscan taking a very long time

2020-01-01 Thread Michael Newman via clamav-users
ClamAV 0.102.1/25679/Mon Dec 30 17:01:01 2019
macOS 10.15.2

Help me figure out why clamscan is suddenly taking so long.

An older log file fragment:

--- SCAN SUMMARY ---
Known viruses: 6613648
Engine version: 0.100.1
Scanned directories: 261793
Scanned files: 636746
Infected files: 11
Total errors: 1
Data scanned: 81505.97 MB
Data read: 105156.85 MB (ratio 0.78:1)
Time: 8728.307 sec (145 m 28 s)

The most recent log file fragment:

--- SCAN SUMMARY ---
Known viruses: 6639105
Engine version: 0.102.1
Scanned directories: 206450
Scanned files: 578017
Infected files: 1
Total errors: 49
Data scanned: 51163.40 MB
Data read: 55583.83 MB (ratio 0.92:1)
Time: 32246.560 sec (537 m 26 s)

Where scanning my home directory used to take just over two hours it is now 
taking almost nine even though there is less data to scan.

Here’s the command I’m using:

/opt/local/bin/clamscan -r --quiet -i -l $log $scandir --exclude-dir=$exclude --exclude-dir=$exclude2 --stdout >>$log 2>&1

Where $scandir is my home directory, $exclude is a directory with JPEGs and 
$exclude2 is an iOS device backup directory.
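The two summaries differ in data volume as well as in wall-clock time, so the cleaner comparison is throughput. This added example (not from the list thread) computes MB scanned per second from a clamscan summary block and the slowdown factor between two runs; the sample summaries are the two quoted in this post, and nothing here explains what "Total errors" counts, it only flags when the count rises.

```shell
#!/bin/sh
# Added example, not part of the list post: compare clamscan runs by
# throughput (MB scanned per second) instead of by wall-clock time, so a
# slowdown still shows up when the amount of data changed between runs.

# The two "--- SCAN SUMMARY ---" blocks quoted in the post above.
OLD_SUMMARY='--- SCAN SUMMARY ---
Known viruses: 6613648
Engine version: 0.100.1
Scanned directories: 261793
Scanned files: 636746
Infected files: 11
Total errors: 1
Data scanned: 81505.97 MB
Data read: 105156.85 MB (ratio 0.78:1)
Time: 8728.307 sec (145 m 28 s)'

NEW_SUMMARY='--- SCAN SUMMARY ---
Known viruses: 6639105
Engine version: 0.102.1
Scanned directories: 206450
Scanned files: 578017
Infected files: 1
Total errors: 49
Data scanned: 51163.40 MB
Data read: 55583.83 MB (ratio 0.92:1)
Time: 32246.560 sec (537 m 26 s)'

# Print the first number after "<key>: " in a summary read from stdin.
# Usage: printf '%s\n' "$OLD_SUMMARY" | summary_field "Total errors"
summary_field() {
    awk -v key="$1" '
        index($0, key ": ") == 1 {
            split(substr($0, length(key) + 3), v, " ")
            print v[1]
            exit
        }'
}

# Throughput of one run in MB/s (two decimals) from a summary on stdin.
scan_rate() {
    awk '
        /^Data scanned: / { mb  = $3 }
        /^Time: /         { sec = $2 }
        END { if (sec > 0) printf "%.2f\n", mb / sec }'
}

# Slowdown factor between two runs (old rate / new rate), one decimal.
# Usage: slowdown "$OLD_SUMMARY" "$NEW_SUMMARY"
slowdown() {
    o_rate=$(printf '%s\n' "$1" | scan_rate)
    n_rate=$(printf '%s\n' "$2" | scan_rate)
    awk -v o="$o_rate" -v n="$n_rate" \
        'BEGIN { if (n > 0) printf "%.1f\n", o / n }'
}

# Human-readable comparison; also flags a rise in "Total errors", which
# the summary counts but does not itself explain.
compare_runs() {
    old_err=$(printf '%s\n' "$1" | summary_field "Total errors")
    new_err=$(printf '%s\n' "$2" | summary_field "Total errors")
    printf 'old: %s MB/s  new: %s MB/s  slowdown: %sx\n' \
        "$(printf '%s\n' "$1" | scan_rate)" \
        "$(printf '%s\n' "$2" | scan_rate)" \
        "$(slowdown "$1" "$2")"
    if [ "$new_err" -gt "$old_err" ]; then
        printf 'Total errors rose from %s to %s\n' "$old_err" "$new_err"
    fi
    return 0
}
```

Run `compare_runs "$OLD_SUMMARY" "$NEW_SUMMARY"` to see that the December run read data at roughly a sixth of the earlier rate, which points at the machine or the engine rather than at the size of the home directory.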




Re: [clamav-users] Freshclam errors after MacOS Catalina update

2019-12-16 Thread Michael Newman via clamav-users
Thank you. 

I will just go ahead and put it in ~/Library/Logs


> On Dec 17, 2019, at 05:26, Micah Snyder (micasnyd) wrote:
> 
> If your clamav instance is installed to /opt/local, then your freshclam.conf 
> is probably in /opt/local/etc/freshclam.conf
> 
> Edit the freshclam.conf file and set the "UpdateLogFile" option to a filepath 
> that your user is allowed to write to. 
> 
> I haven't had this particular issue on my Catalina test machine or personal 
> laptop, but I also haven't done very thorough tests to investigate if we need 
> to change default options or add logic to request permissions in macOS 
> Catalina.  It's possible that we may need to make some adjustments as Apple 
> continues to try to lockdown directory access in macOS.
> 
> Micah
> 
> On 12/16/19, 4:45 PM, "clamav-users on behalf of Michael Newman via clamav-users" <clamav-users@lists.clamav.net> wrote:
> 
>After updating to MacOS Catalina I get the following errors when running 
> freshclam:
> 
>ERROR: Can't open /private/var/log/freshclam.log in append mode (check 
> permissions!).
>ERROR: Problem with internal logger (UpdateLogFile = 
> /private/var/log/freshclam.log).
>ERROR: initialize: libfreshclam init failed.
>ERROR: Initialization error!
> 
>But, there is no such file as:  /private/var/log/freshclam.log
> 
>I’m running this from a shell script. Here’s the command I’m using:
> 
>/opt/local/bin/freshclam -v --stdout >>$log
> 
>Where log is just ~/Library/Logs/clam.log
> 
>How do I fix this?
> 




[clamav-users] Freshclam errors after MacOS Catalina update

2019-12-16 Thread Michael Newman via clamav-users
After updating to MacOS Catalina I get the following errors when running 
freshclam:

ERROR: Can't open /private/var/log/freshclam.log in append mode (check permissions!).
ERROR: Problem with internal logger (UpdateLogFile = /private/var/log/freshclam.log).
ERROR: initialize: libfreshclam init failed.
ERROR: Initialization error!

But, there is no such file as:  /private/var/log/freshclam.log

I’m running this from a shell script. Here’s the command I’m using:

/opt/local/bin/freshclam -v --stdout >>$log

Where log is just ~/Library/Logs/clam.log

How do I fix this?



Re: [clamav-users] LibClamAV Error: cli_scangpt: could not determine sector size

2019-11-10 Thread Michael Newman via clamav-users

> On Nov 11, 2019, at 00:00, G.W. Haywood wrote:
> 
> Exactly what do you do in order to obtain
> this message?  Does it appear in a terminal session, in a log file,…?

I run clamscan from a bash script with this command:

/opt/local/bin/clamscan -r --quiet -i -l $log $scandir --exclude-dir="$exclude" --exclude-dir="$exclude2" --stdout >>$log 2>&1

The message appears in the log file.

I’ve been using clamav for about a year now and didn’t have this error message 
before the reinstall.

I originally installed clamav using MacPorts about a year ago. 

I have no idea if the MacPorts reclaim removed all of clamav. "reclaim" is used 
to remove ports that do not have any dependents and which were not originally 
installed based on a user request. Since I did install clamav, the fact that 
clamav was not listed as requested may be a bug in MacPorts which seems to have 
already been reported.

Is there something I can do to have clamscan give me more information about the 
sector size problem?

Mike Newman
Korat, Thailand





[clamav-users] LibClamAV Error: cli_scangpt: could not determine sector size

2019-11-09 Thread Michael Newman via clamav-users
I recently had to reinstall clamav after an errant MacPorts reclaim removed my 
installation.

After reinstalling I’m now getting this error: 

LibClamAV Error: cli_scangpt: could not determine sector size

I’ve searched around, but can’t find an explanation anywhere.

What does it mean and what do I have to do about it?



[clamav-users] Programmatic determination of latest stable version

2019-09-16 Thread Callahan, Michael (M.) via clamav-users
Is there an endpoint or preferred method of programmatically determining the 
latest stable version of ClamAV?




Re: [clamav-users] How to boost clamav? Reloading database results in a talking timeout?

2019-08-31 Thread Michael Orlitzky via clamav-users
On 8/31/19 11:00 AM, Thomas Barth via clamav-users wrote:
> 
> Really bad attitude of developers! 

Micah took the time to answer a question and provide a status update.
It's counterproductive to shame people for being honest.



Re: [clamav-users] Still Baffled: cli_scanxz: decompress file size exceeds limits

2019-08-30 Thread Michael Newman via clamav-users
G.W. Haywood wrote:
> 
> If I wanted to know which file was triggering the warning in this case
> I'd start with a scan of
> 
> /Users/mnewman/Downloads/gettext-0.19.6-MACOS-10.11-10.12-SDK-10.11.pkg

Thank you for taking the time to write such a clear and informative explanation.

You nailed it:

MrMuscle:Downloads mnewman$ clamscan gettext-0.19.6-MACOS-10.11-10.12-SDK-10.11.pkg
LibClamAV Warning: cli_scanxz: decompress file size exceeds limits - only scanning 27262976 bytes
gettext-0.19.6-MACOS-10.11-10.12-SDK-10.11.pkg: OK


Thanks again.





[clamav-users] Still Baffled: cli_scanxz: decompress file size exceeds limits

2019-08-30 Thread Michael Newman via clamav-users
I’m still baffled trying to figure out what is causing this error. I ran 
clamscan so that the log file would be verbose. I’m including a few lines from 
the log on both sides of the error message. As far as I can see, it doesn’t 
give me a clue as to what file is causing the error:

/Users/mnewman/Downloads/ShutdownWizardInstall_Mac.app/Contents/PkgInfo: OK
/Users/mnewman/Downloads/IMG_2478.PNG: OK
/Users/mnewman/Downloads/yimax-autoexec-zip.13669.html: OK
/Users/mnewman/Downloads/OnyX.dmg: OK
/Users/mnewman/Downloads/main.py: OK
/Users/mnewman/Downloads/Safety-Cut GFCI.pdf: OK
LibClamAV Warning: cli_scanxz: decompress file size exceeds limits - only scanning 27262976 bytes
/Users/mnewman/Downloads/gettext-0.19.6-MACOS-10.11-10.12-SDK-10.11.pkg: OK
/Users/mnewman/Downloads/libusb-0.1.13-MACOS-10.11-10.12-SDK-10.11.pkg: OK
/Users/mnewman/Downloads/installPowerWalker_ViewPower_MAC_x86-64.app/Contents/MacOS/installPowerWalker_ViewPower_MAC_x86-64: OK
/Users/mnewman/Downloads/installPowerWalker_ViewPower_MAC_x86-64.app/Contents/Resources/Java/IAMac.dylib: OK
/Users/mnewman/Downloads/installPowerWalker_ViewPower_MAC_x86-64.app/Contents/Resources/Java/InstalledMedias.properties: OK
/Users/mnewman/Downloads/installPowerWalker_ViewPower_MAC_x86-64.app/Contents/Resources/Java/IAClasses.zip: OK

I am only scanning my home directory, but I have many files which are much 
bigger than 25 MB, but only this one, unidentified file is causing the problem.

Please give me some explicit instructions on what I need to do to figure this 
out. Assume I know nothing, which is probably a valid assumption in this case.

 



[clamav-users] decompress file size exceeds limits

2019-08-19 Thread Michael Newman via clamav-users
I keep getting this message:

"LibClamAV Warning: cli_scanxz: decompress file size exceeds limits - only scanning 27262976 bytes"

I know what it means. Is there some way to find that file?



[clamav-users] Js.Coinminer.Generic-7104549-0 FOUND

2019-08-10 Thread Michael Newman via clamav-users
Do I need to do something about this:

/Users/mnewman/Library/Application Support/Google/Chrome/Default/Extensions/cjpalhdlnbpafiamejdnhcphjbkeiagm/1.21.6_0/assets/ublock/unbreak.txt: Js.Coinminer.Generic-7104549-0 FOUND

-- 
www.mgnewman.com



Re: [clamav-users] Can clamd only reload changed databases?

2019-04-30 Thread Michael M. Minor via clamav-users
Could you run two copies of clamd, one using stock db and the other using
your custom sigs? Then you would only need to signal the one running the
custom sigs when they change. Yes you would need to trigger two scans of
the target data, but the overhead shouldn't be too bad. The only thing I
can't remember is how to tell each clamdscan which clamd to use, but I'm
pretty sure it's possible.

On Tue, Apr 30, 2019, 9:08 AM Tobi wrote:

> We have the problem that we change our custom clamav rules quite often.
> A job syncs changed rules files to clamav server and then sends a
> SIGUSR2 signal to reload the signatures. In that time of reloading
> clamav does not really work and the application using clamd has to wait
> for up to 30s.
> So we wonder if it's somehow possible to "tell" the clamd that only
> changed databases have to be re-read. As our own sigs are very small
> compared to the stock sigs, the reload for our sigs is quite fast. What
> takes long is the reload of stock sigs.
> Basically we're looking for a way to tell clamd to only reload defined
> databases or changed databases.
>
> If that is not possible in current clamav, would it be worth considered
> a feature request for future releases?
>
> Thanks for any idea
>
>
>

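For the detail the reply above could not recall: each clamdscan picks its daemon through the clamd.conf it is pointed at with --config-file, and each config carries its own LocalSocket and DatabaseDirectory. This added example (not from the thread, and not ClamAV's own code) writes a config for each instance, scans a path against both daemons, and reloads only the custom-signature daemon; the socket, log and directory paths and the clamav user name are assumptions.

```shell
#!/bin/sh
# Added example, not from the list thread: run one clamd on the stock
# databases and a second on the custom signatures, and tell each clamdscan
# which daemon to talk to via --config-file. All paths below are assumed.

STOCK_CONF=/etc/clamav/clamd-stock.conf     # assumed location
CUSTOM_CONF=/etc/clamav/clamd-custom.conf   # assumed location

# Emit a minimal clamd.conf for one instance. NAME keeps the socket, pid
# and log files apart; DBDIR holds that instance's databases (the custom
# directory must contain at least one signature file for clamd to start).
clamd_conf() {
    name=$1 dbdir=$2
    cat <<EOF
User clamav
LocalSocket /run/clamav/clamd-$name.sock
PidFile /run/clamav/clamd-$name.pid
LogFile /var/log/clamav/clamd-$name.log
DatabaseDirectory $dbdir
EOF
}

# clamdscan exit codes: 0 clean, 1 infected, 2 error. Combine two of them
# so a detection by either daemon outranks an error from the other.
combine_status() {
    if [ "$1" -eq 1 ] || [ "$2" -eq 1 ]; then echo 1
    elif [ "$1" -eq 2 ] || [ "$2" -eq 2 ]; then echo 2
    else echo 0
    fi
}

# Scan PATH against both daemons. --fdpass hands the open file descriptor
# to clamd, so the daemons can run as an unprivileged user and still scan
# files only the caller can read. Returns the combined status.
scan_both() {
    clamdscan --config-file="$STOCK_CONF"  --fdpass --infected "$1"; s=$?
    clamdscan --config-file="$CUSTOM_CONF" --fdpass --infected "$1"; c=$?
    return "$(combine_status "$s" "$c")"
}

# After the sync job drops new custom rules, reload only the custom
# daemon; the stock daemon keeps answering requests meanwhile.
reload_custom() {
    clamdscan --config-file="$CUSTOM_CONF" --reload
}

# One-time setup (as root), for example:
#   clamd_conf stock  /var/lib/clamav        > "$STOCK_CONF"
#   clamd_conf custom /var/lib/clamav-custom > "$CUSTOM_CONF"
#   clamd --config-file="$STOCK_CONF"; clamd --config-file="$CUSTOM_CONF"
```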


Re: [clamav-users] Update Failure

2019-04-23 Thread Michael Newman via clamav-users

> On Apr 23, 2019, at 23:00, Al Varnell wrote:
> 
> Appears to have been a failure regarding your Internet connection at the 
> time. Probably a short outage. I'm not seeing any issues from where I am on 
> the West Coast at this time.

Yes, you’re right. I went back and checked logs and found that my network was 
down, very briefly, at the same time as the update.

Last night’s update was successful, as usual.

Thanks.


[clamav-users] Update Failure

2019-04-22 Thread Michael Newman via clamav-users
I’ve not had trouble updating in the past, but last night:

Querying current.cvd.clamav.net 
WARNING: Can't query current.cvd.clamav.net 
WARNING: Invalid DNS reply. Falling back to HTTP mode.
If-Modified-Since: Wed, 07 Jun 2017 21:38:10 GMT
Reading CVD header (main.cvd): WARNING: Can't get information about 
db.US.clamav.net : nodename nor servname provided, or 
not known
WARNING: Can't read main.cvd header from db.US.clamav.net 
 (IP: )
Trying again in 5 secs…

And

Update failed. Your network may be down or none of the mirrors listed in 
/opt/local/etc/freshclam.conf is working. Check 
https://www.clamav.net/documents/official-mirror-faq 
 for possible reasons.

But, when I check the official-mirror-faq I get a 404 error.

What do I need to do to fix this?





[clamav-users] Radically Different Scan Times

2019-04-05 Thread Michael Newman via clamav-users
MacOS 10.14.4 - 2017 iMac
ClamAV 0.101.1 (Updated today: ClamAV 0.101.2/25410/Fri Apr  5 14:58:26 2019)

Yesterday’s results:

--- SCAN SUMMARY ---
Known viruses: 6101439
Engine version: 0.101.1
Scanned directories: 227591
Scanned files: 594694
Infected files: 1
Total errors: 35
Data scanned: 63016.47 MB
Data read: 92969.95 MB (ratio 0.68:1)
Time: 12755.457 sec (212 m 35 s)

Today’s results:

--- SCAN SUMMARY ---
Known viruses: 6110476
Engine version: 0.101.1
Scanned directories: 227492
Scanned files: 592573
Infected files: 1
Total errors: 35
Data scanned: 63134.07 MB
Data read: 93149.45 MB (ratio 0.68:1)
Time: 36218.816 sec (603 m 38 s)

(Note that the "infected file" is the Eicar-Test-Signature.)

Even though the number of files and amount of data scanned is about the same, 
the scan took almost three times as long. I’ve never seen this before. Normally 
the scan results are there when I wake up in the morning. But, not today.

I have no idea what to look for here. I’ve not changed anything about the scan 
nor were other IO intensive jobs running overnight.

Any suggestions?





Re: [clamav-users] Txt.Trojan.Kryptik-6887991-0 FOUND

2019-03-12 Thread Michael Newman via clamav-users
Thanks for the prompt reply. I’m relieved….

> On Mar 13, 2019, at 10:42, Andrew Williams wrote:
> 
> Michael,
> 
> The reported detections are likely false positives (I too am seeing matches 
> on Chrome cache files).  The signature will be dropped soon.
> 
> Thanks for bringing this to our attention.
> 
> -Andrew
> 
> Andrew Williams
> Malware Research Team
> Cisco Talos
> 




[clamav-users] Txt.Trojan.Kryptik-6887991-0 FOUND

2019-03-12 Thread Michael Newman via clamav-users
Mac OS 10.14.3

I wake up this morning to find that clamav has discovered sixteen instances of 
this:

Txt.Trojan.Kryptik-6887991-0 FOUND

Most of these are in Chrome cache files, but a few were in Apple Automator 
cache files.

I’ve searched around, but find precious little on this infecting Macs. (Lots on 
Windows.)

Can someone point me in the right direction to find out just what this is, 
where it came from and how I can get rid of it?


Re: [clamav-users] Difference between datadir and datarootdir

2019-03-06 Thread Michael Orlitzky via clamav-users
On 3/4/19 9:28 PM, Jobst Schmalenbach via clamav-users wrote:
> 
> This is really confusing as datadir points DATAROOTDIR.
> 
> Can I make them the same?
> 

It's confusing in clamav because it's confusing everywhere. Those
directories and their meanings come from autotools:

  https://www.gnu.org/prep/standards/html_node/Directory-Variables.html

but you shouldn't expect to be enlightened after reading that page.
Probably the best way to understand it is with an example. First, many
of the other directories (datadir, mandir, infodir,...) are defined in
terms of datarootdir. So, for example, we might have

  * DATADIR=$(DATAROOTDIR),
  * MANDIR=$(DATAROOTDIR)/man, and
  * INFODIR=$(DATAROOTDIR)/info

That means that if you want to move *all of that stuff*, then you would
move the datarootdir.

But then what is datadir for? Well... historically, some people have
wanted to treat e.g. games as second-class packages. So, for example,
they wanted to put all of the graphics files for games under
/usr/share/games/. That's fine, if the games themselves
know where to look for that stuff. But things like man/info pages can't
go there -- they need to be in the place where "man" or "info" will look
for them! And basically, you can set DATADIR=/usr/share/games to
accomplish that sort of thing.

So to summarize: yes, you can set them the same, and they will usually
be the same.



[clamav-users] Does clamav modify access time?

2018-12-01 Thread Michael Harris
Does running clamav modify the access timestamp?
___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] Latest report on update "delays"

2018-10-24 Thread Michael Da Cova
Hi

On 24/10/2018 04:09, Dave Warren wrote:
> On Tue, Oct 23, 2018, at 11:50, Paul Kosinski wrote:
>> "...it works smoothly for a very large number of people, myself
>> included."
>>
>> It would be interesting to know what percentage have experienced our
>> original problem of all mirrors ending up blacklisted.

I still get the issue now and again, today report below if I notice it I 
remove the mirror.dat file

Retrieving http://database.clamav.net/daily.cvd
Ignoring mirror 104.16.187.138 (due to previous errors)
Ignoring mirror 104.16.188.138 (due to previous errors)
Ignoring mirror 104.16.185.138 (due to previous errors)
Ignoring mirror 104.16.186.138 (due to previous errors)
Ignoring mirror 104.16.189.138 (due to previous errors)
Trying host database.clamav.net (2400:cb00:2048:1::6810:ba8a)...
nonblock_connect: connect(): fd=4 errno=101: Network is unreachable

~michael


Re: [clamav-users] Mac: clamAV vs. Mojave

2018-10-23 Thread Michael Newman
Eric Tykwinski wrote: 
> Well definitely a permissions issue, my guess is that you used a binary 
> installation.
> Make sure the user that’s running freshclam has permissions to write to 
> /private/var/log/freshclam.log
Yes, I used a binary installation. I’ve never figured out how to use Brew. So 
many incomprehensible error messages. Sorry.

In any event, I’ve got the permissions issue with the freshclam.log sorted.

But, I’m still having problems with clamd and some files in: ~/Library/

I’m getting numerous error messages like:

/Users/mnewman/Library/Calendars: lstat() failed: Operation not permitted. ERROR

I don’t really know, but I’m guessing that clamd uses lstat() to examine symbolic 
links. It was working pre-Mojave, but fails now.

Is there anything I can do about this?





[clamav-users] Mac: clamAV vs. Mojave

2018-10-23 Thread Michael Newman
After installing Mojave I’ve run into two problems:

ERROR: Can't open /private/var/log/freshclam.log in append mode (check 
permissions!).
ERROR: Problem with internal logger (UpdateLogFile = 
/private/var/log/freshclam.log).

What should the ownership and permission be for the log file and the parent 
directory?

I have clamav set up to scan my entire home directory. Never received any error 
messages, but after installing Mojave I get many errors regarding ~/Library, 
like this:

/Users/mnewman/Library/Application Support/AddressBook: lstat() failed: 
Operation not permitted. ERROR

What does this mean and how do I fix it?




Re: [clamav-users] Batch file for Windows.

2018-09-18 Thread Michael Da Cova

Hi Jeff

have you looked at clamwin? http://www.clamwin.com/


Michael

On 18/09/18 02:44, Jeff wrote:


Guys and Gals,

I’ve been unsuccessful in creating a working batch file. I’ve Googled 
and searched the ClamAV list but only found one incomplete sample…

Can someone share a Windows batch file or PowerShell script that does 
the following:

When run, recursively scans a particular directory, moves any infected 
files to another directory and emails an alert if a virus is detected. 
The email alert should contain info about the infected file(s) 
including the path.

Keeping fingers crossed :-)

Thanks,

Jeff

--







Re: [clamav-users] updates

2018-09-12 Thread Michael Da Cova

Hi

is anyone else getting sync errors

Michael



On 07/09/18 10:11, Michael Da Cova wrote:

Hi

I still get "WARNING: Mirror 104.16.187.138 is not synchronized" often 
on freshclam updates


Trying to download http://database.clamav.net/daily.cvd (IP: 
104.16.187.138)

Downloading daily.cvd [100%]
WARNING: Mirror 104.16.187.138 is not synchronized

Trying to download http://database.clamav.net/daily.cvd (IP: 
104.16.185.138)

Downloading daily.cvd [100%]
WARNING: Mirror 104.16.185.138 is not synchronized.

Trying to download http://database.clamav.net/daily.cvd (IP: 
104.16.186.138)

Downloading daily.cvd [100%]
WARNING: Mirror 104.16.186.138 is not synchronized.

Querying daily.0.79.0.0.6810BA8A.ping.clamav.net
Giving up on database.clamav.net...

I have been deleting the mirror.dat file which seems to help for a while



--
Michael Da Cova

Technical Support Manager

Main Tel: +44 (0)117 3357335 / Mob: +44 (0)790887629
Email: mdac...@netpilot.com - Web: www.netpilot.com

NetPilot Global Ltd. 9 Portland Square, Bristol, BS2 8ST




