Re: [clamav-users] Compiling ClamAV for PPC on an Intel Machine
On Jun 2, 2011, at 2:31 PM, Al Varnell wrote:

> I'm sure I've seen answers to this question on ClamXav's forum
> <http://markallan.co.uk/BB/viewforum.php?f=1> if you don't get an answer
> here.

Oh, yes, Mark very kindly tried to help me on the ClamAV forums earlier in the year:

<http://markallan.co.uk/BB/viewtopic.php?t=2295>

His instructions *seemed* to work (at least glancing through the output) but the binaries that were created seemed to just have Intel code (no PPC). When I did lipo -info on the binaries they came back:

    Non-fat file: /usr/local/clamav/sbin/clamd is architecture: i386

His instructions (after installing a particular compiler) included these steps:

    CC="/usr/bin/gcc-4.2" CXX="/usr/bin/g++-4.2" \
    CFLAGS="-O2 -g -D_FILE_OFFSET_BITS=64 -mmacosx-version-min=10.4 -isysroot /Developer/SDKs/MacOSX10.4u.sdk -arch ppc -arch i386" \
    CXXFLAGS="-O2 -g -D_FILE_OFFSET_BITS=64 -mmacosx-version-min=10.4 -isysroot /Developer/SDKs/MacOSX10.4u.sdk -arch ppc -arch i386" \
    ./configure --disable-dependency-tracking --enable-llvm --enable-clamdtop \
        --with-user=_clamav --with-group=_clamav --enable-all-jit-targets \
        --prefix=/usr/local/clamav

I have wondered if "make" or "make install" needs some kind of flag(?)

Thanks.

- Russ Tyndall
Wake Forest, NC

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
[clamav-users] Compiling ClamAV for PPC on an Intel Machine
I have an OS X.4 Intel machine with Developer Tools 2.5 that I use to compile ClamAV for use on other similar [Intel] machines. Can I also compile a PowerPC version of ClamAV on the same Intel machine? It seems like this is possible (based on some internet discussions) but I have not found the right mix of configuration options yet.

These settings are working for me when I compile the Intel version (just in case the info is useful):

    export CFLAGS="-O3 -march=i686"
    export CXXFLAGS="-O3 -march=i686"
    export LDFLAGS="-O3 -march=i686 -L/opt/local/lib"
    export CC=/usr/local/llvm-gcc4.2-2.3-x86-darwin8/bin/i686-apple-darwin8-gcc-4.2.1
    ./configure --prefix=/usr/local/clamav --build=i686-apple-darwin`uname -r` --enable-llvm --enable-check

(Fat binaries would also be good...in the past, though, my efforts to achieve that have not been successful.)

Thanks for any help.

- Russ Tyndall
Wake Forest, NC
Re: [clamav-users] FW: APPLE-SA-2011-03-21-1 Mac OS X v10.6.7 and Security Update 2011-001
On Mar 29, 2011, at 1:38 PM, TR Shaw wrote:

> The problem is that the make for dynamic libraries doesn't work out of the
> box so even if you compile the static version clam will link with the old
> dynamic lib.

Can I "tell" clam where to get the bzip2 stuff? I know I am not using the right terminology, but will this work?

1) Compile bzip2 1.0.6 from source on a machine with the right tools and install it in /opt/local/lib

2) Compile clamd from source on the same machine with this flag:

    export LDFLAGS="-O3 -march=i686 -L/opt/local/lib"

   (Is the flag above telling clamd where to get bzip2 on the machine where clamd is running?)

3) Copy the /opt/local/lib directory containing bzip2 to each client computer

4) Install and set up the just-compiled clamd on each client computer

Since I am leaving the OS-provided [and buggy] version 1.0.5 in place, won't the OS be ok?

Thanks in advance for any guidance.

- Russ Tyndall
Wake Forest, NC
Re: [clamav-users] FW: APPLE-SA-2011-03-21-1 Mac OS X v10.6.7 and Security Update 2011-001
On Mar 29, 2011, at 9:29 AM, Russ Tyndall wrote:

> For older machines (10.4) what is the best way to update bzip2?
>
> Do I need to put MacPorts on every machine?

It looks like MacPorts requires the Developer Tools be installed, which makes that deployment method a lot less practical.

-----
Russ Tyndall
Wake Forest, NC
Re: [clamav-users] FW: APPLE-SA-2011-03-21-1 Mac OS X v10.6.7 and Security Update 2011-001
On Mar 27, 2011, at 2:31 AM, Al Varnell wrote:

> Some Mac users will recall that several months back we discussed the bzip2
> bug and I filed a bug report with Apple when it wasn't included in their
> previous updates back in November. They acknowledged they were working on
> it and promised it would be out shortly. Last Monday they posted updates to
> both Mac OS X 10.5.8 and 10.6.6 which purports to fix the bug (forwarded
> below).

For older machines (10.4) what is the best way to update bzip2?

Do I need to put MacPorts on every machine? Or can updated bzip2 files be manually installed? Obviously, I am going to have to go third-party.

If bzip2 is not updated, will clamd be unstable?

Thanks.

-----
Russ Tyndall
Wake Forest, NC
Re: [clamav-users] Improving Scan Speeds on OS X.4.11
On Mar 19, 2011, at 8:51 AM, G.W. Haywood wrote:

> my preference would be to scan files before they
> are written to the filesystem, or at least very soon thereafter, so as
> to keep to a minimum the risk that an unscanned, dangerous file might
> be served to a vulnerable machine. Viruses and similar have a nasty
> habit of propagating in an almost explosive fashion; a problem with a
> solution as simple as erasing a file can rapidly become one of almost
> biblical proportions, involving reinstallations of dozens of operating
> systems and much hunting for long-lost backups. It's up to the OP to
> make the judgement of course.

I think I am going to do an overnight scan of the first 200kb of every file on the system using the MaxScanSize directive and periodic scans throughout the day using the output of a FIND search on recently modified/introduced files (-cmin and -mmin). Hopefully, this means that *every* file on the server is given at least a cursory examination every day and if something new and wicked shows up there is at least some chance of finding it early (i.e., before the more comprehensive overnight scan).

(Unrelated question: is there a built-in way to have a timestamp added to the scan summary?)

- Russ Tyndall
Wake Forest, NC
Re: [clamav-users] Improving Scan Speeds on OS X.4.11
On Mar 16, 2011, at 2:36 PM, Bryan Burke wrote:

>> find [path to directory] [path to second directory] ! -type d -mmin -60 >
>> [path to output file later read by clamav]
>
> This might not be too much of an issue, but thought I'd point it out: You
> might change "! -type d" to "-type f" (better to be more specific), because
> I don't think you want to scan device files, pipes, links, etc.

Ah, thanks. I did not know whether I should exclude those other types, but I *knew* I did not want directories.

Studying the FIND man page a little, I am wondering whether I should actually be using -cmin instead of -mmin. cmin (according to the man page) returns files that have had a "...change of file status information.." in the results. A little testing shows that it includes files in the results that have been newly introduced into the file system, in addition to files that have been modified. This would solve the issue of an "old" baddie being copied onto the machine with an "old" modification date. I'm sure it does not get around the risk of faking file times, though.

- Russ Tyndall
Wake Forest, NC
Re: [clamav-users] Improving Scan Speeds on OS X.4.11
On Mar 17, 2011, at 7:50 AM, G.W. Haywood wrote:

> On Thu, 17 Mar 2011 Russ Tyndall wrote:
>
>> So I now have two tactics to minimize scan time:
>> 1) Partially scan ALL files
>> 2) Fully scan a set of recently modified files.
>
> There might be another option. If you have access to something like
> inotify on your OS you could feed incoming data to clamd on the fly,
> rather than waiting until the next scan window.
>
> Sorry, I haven't used OSX for a while so I don't know what's available.

It appears that 10.5+ has some technology for monitoring the file system:

<http://developer.apple.com/library/mac/#documentation/Darwin/Conceptual/FSEvents_ProgGuide/Introduction/Introduction.html#//apple_ref/doc/uid/TP40005289-CH1-DontLinkElementID_16>

Since my machine is running 10.4, I did not delve into it very far. But, a cursory scan of Google results suggests that methods exist for kicking off scripts when a file hierarchy changes.

- Russ Tyndall
Wake Forest, NC
Re: [clamav-users] Improving Scan Speeds on OS X.4.11
On Mar 15, 2011, at 7:10 PM, TR Shaw wrote:

>> On Mar 15, 2011, at 4:48 PM, TR Shaw wrote:
>>
>>> Look at your config file. You don't need to scan all more than probably
>>> 200KB of a file.
>>
>> So you are suggesting I use the MaxScanSize directive to limit scans to the
>> first 200KB of each file? (i.e., add a line to clamd.conf: MaxScanSize
>> 200KB).
>>
>> I imagine that would speed things up nicely :-)
>>
>
> Yes. Pick a size you feel comfy with but I believe there are few signatures
> that span large file sizes. You might want to override this once a week to
> check large zip/gz files but in general this should be good. Let me know how
> it helps.

A full scan with default settings (MaxScanSize = 20MB) takes about 2 hours to scan a particular directory.

A full scan with MaxScanSize = 1MB takes about 1 hour.

A full scan with MaxScanSize = 200K takes about 18 minutes.

***

So I now have two tactics to minimize scan time:

1) Partially scan ALL files
2) Fully scan a set of recently modified files.

Which is more likely?: That a partial scan (first 200K) misses a baddie? Or that a baddie fakes a modification date?

- Russ Tyndall
Wake Forest, NC
Re: [clamav-users] Improving Scan Speeds on OS X.4.11
On Mar 16, 2011, at 12:11 PM, Bowie Bailey wrote:

> To minimize the risk of a signature being added after the file gets on
> the computer, you could continue to scan for a while, rather than using
> the 60 minute limit. Depending on your system usage, a limit of one or
> two days might still decrease your scan time far enough while still
> allowing files to be rescanned with newer signatures.

Yes, it seems I can expand the modification date out to multiple days with little impact on scan times. In my unscientific testing, I went 3 days and the scan time still stayed under 10 minutes for a directory with 15GB of data. If I scanned the entire directory, the scan time would be about 2 hours. I believe I could go out much longer than 3 days and still keep the scan periods down to a "reasonable" time.

- Russ Tyndall
Wake Forest, NC
Re: [clamav-users] Improving Scan Speeds on OS X.4.11
On Mar 15, 2011, at 4:51 PM, Chuck Swiger wrote:

> One thing you might consider doing is using "find /location -mtime 1" to
> generate a list of which files have been modified over the past day, and only
> scanning these via clamdscan -f.

I experimented with this option last night (also suggested by Steve Holdoway), and it works as expected. (Vastly decreases scan time by reducing the number of files that need to be scanned to a mere pittance.) The risk is obvious that a baddie could be overlooked because it might present a false modification date or simply not be recognized by clamav for some period after it gets dropped onto the computer.

I *think* I ran into one gotcha that I had to work around: I had to filter out directories from the Find results...otherwise, clamav would scan those directories whose contents had already been scanned because those contents were already listed elsewhere in the Find results. Users more experienced with Find may have just thought that requirement was self-evident and didn't need to be stated.

My Find command looks something like this, and is supposed to filter out directories and anything modified more than 60 minutes ago:

    find [path to directory] [path to second directory] ! -type d -mmin -60 > [path to output file later read by clamav]

I'm now going to do some testing with the MaxScanSize directive.

- Russ Tyndall
Wake Forest, NC
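An added example (not from this thread or from ClamAV itself) of the find-then-clamdscan approach above, using the `-type f` and `-cmin` refinements discussed elsewhere in the thread; the directory layout and file names are constructed, and `clamdscan -f` is only invoked if clamdscan is installed. The demo tree shows why `-cmin` catches a copied file that arrives with an old modification date while `-mmin` misses it.

```shell
#!/bin/sh
# Added example: build the "recently changed regular files" list that
# clamdscan -f reads, and compare -cmin against -mmin.
# All paths below are constructed for the demonstration.

# List regular files under the given directories whose inode status
# changed (-cmin) or whose contents changed (-mmin) in the last N minutes.
# $1 = cmin|mmin, $2 = minutes, remaining args = directories to scan.
recent_files() {
    mode="$1"; mins="$2"; shift 2
    # -type f: regular files only (no directories, links, pipes, devices)
    find "$@" -type f "-$mode" "-$mins"
}

# Write the list to a file (keep it outside the scanned tree so it does
# not list itself) and hand it to clamdscan, if that is installed.
# The list file is what "clamdscan -f" expects: one path per line.
scan_recent() {
    list="$1"; shift
    recent_files cmin 60 "$@" > "$list"
    if command -v clamdscan >/dev/null 2>&1; then
        clamdscan -f "$list"
    else
        echo "clamdscan not found; list written to $list" >&2
    fi
}

# Demo tree (constructed): a fresh file, a file whose modification time
# was set back to 2001, a subdirectory, a symlink and a named pipe.
setup_demo() {
    dir="$1"
    mkdir -p "$dir/sub"
    echo fresh > "$dir/fresh.txt"
    echo old > "$dir/old.bin"
    # Simulate a file copied in with an old mtime preserved (cp -p style):
    # touch -t rewrites mtime to 2001, but the inode change sets ctime to now.
    touch -t 200101010000 "$dir/old.bin"
    ln -s "$dir/fresh.txt" "$dir/link.txt"
    mkfifo "$dir/pipe"
}

# Count how many entries a given find mode returns for one directory.
count_recent() {
    recent_files "$1" 60 "$2" | wc -l | tr -d ' '
}
```

With the demo tree, `-mmin -60` returns only fresh.txt while `-cmin -60` returns fresh.txt and old.bin; neither lists the directory, the symlink or the pipe.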
Re: [clamav-users] Improving Scan Speeds on OS X.4.11
On Mar 15, 2011, at 4:48 PM, TR Shaw wrote:

> Look at your config file. You don't need to scan all more than probably 200KB
> of a file.

So you are suggesting I use the MaxScanSize directive to limit scans to the first 200KB of each file? (i.e., add a line to clamd.conf: MaxScanSize 200KB).

I imagine that would speed things up nicely :-)

> If you're using google; don't. It will help for email but probably will not
> help finding badness on a file server. Likewise with unofficials. Not all
> unofficials are appropriate for your application.

Sorry, Tom, I don't have the knowledge to understand this.

> Lastly when you compiled your clamd what compiler options did you pick?

I updated the bzip-related libraries and made sure I was using GCC 3.3.

    LDFLAGS="-O3 -L/opt/local/lib" ./configure --prefix=/usr/local \
        --mandir=/usr/local/share/man \
        --sysconfdir=/private/etc/spam/clamav/new \
        --enable-bigstack --with-user=clamav --enable-static \
        --with-group=clamav --with-dbdir=/var/clamav --datadir=/var/clamav

Then, make and install.

- Russ Tyndall
Wake Forest, NC
Re: [clamav-users] Improving Scan Speeds on OS X.4.11
On Mar 15, 2011, at 3:37 PM, Al Varnell wrote:

> Add RAM if you haven't maxed it out yet.
>
> Purchase a faster, Intel Mac. Apple has not supported your OS since 2009
> and seems to have removed support for PPC Macs from a software development
> standpoint.

Shucks, I would be thrilled with an older PowerPC Mac as long as it had dual processors. In some very unscientific testing with a dual processor G5, when I call clamdscan -m, the scan times improve by 75%. I tested clamdscan -m on the single processor G5 I am working with, but there was only minor scan time improvement and the CPU spiked at 100% for the duration of the scan.

This environment is stuck with 10.4 indefinitely.

---------
Russ Tyndall
Wake Forest, NC
[clamav-users] Improving Scan Speeds on OS X.4.11
Hello,

I'm running clamav 0.965 on a G5 (1 processor) with OS X Server 10.4.11. Clamav runs as root. This machine is primarily used as a file server, with a mixture of OS X and Windows clients. A launchdaemon automatically kicks off an overnight scan by sending a command to clamdscan. Only directories that are used by the Windows machines are scanned. Because of the huge volume of data being scanned (70 Gb), the scan takes about 6 hours to complete.

Is there a practical way to reduce the scan time?

Thanks.

- Russ Tyndall
Wake Forest, NC
Re: [clamav-users] Clamd Crashes When Scanning Certain Folder
On Mar 11, 2011, at 3:14 PM, Török Edwin wrote:

> clamscan.
> I know you said it processes successfully, but you didn't run clamscan
> and clamdscan with same settings: clamd is running in debug mode, and
> clamscan is not.
>
> So try running clamscan in debug mode as I suggested above, and see if
> it crashes.

You were right; clamd/clamdscan/clamscan only crash on these files in debug mode. I found six files that caused crashes in debug mode. I've made sure that the clamd daemon is not running with Debug=No and that seems to have cleared the issue up.

Thanks for the help!

- Russ Tyndall
Wake Forest, NC
Re: [clamav-users] Clamd Crashes When Scanning Certain Folder
On Mar 11, 2011, at 1:32 PM, Török Edwin wrote:

> So try clamscan --debug -rvi /path/to/folder 2>/dev/null, and see on
> which file it crashes.

"clamscan" or "clamDscan"? I am getting the crash in clamDscan. Clamscan processes the directory successfully. And if you meant clamDscan, do the other arguments still apply?

Thanks for your help.

Russ
[clamav-users] Clamd Crashes When Scanning Certain Folder
Hello,

I'm running clamav 0.965 on a G5 with OS X Server 10.4.11. A launchdaemon automatically kicks off an overnight scan by sending a command to clamdscan. Starting last night, clamd began crashing while scanning a certain directory (crash log at the end of this message). Calling clamscan manually to scan that same directory runs successfully. Nothing bad is found. Clamd is running as root on this machine.

What is the most practical way to debug and correct this problem?

- Russ Tyndall
Wake Forest, NC

*
Host Name:      OurFileServer
Date/Time:      2011-03-11 08:33:17.454 -0500
OS Version:     10.4.11 (Build 8S169)
Report Version: 4

Command: clamd
Path:    /usr/local/sbin/clamd
Parent:  launchd [1]

Version: ??? (???)

PID:    2738
Thread: 2

Exception: EXC_BAD_ACCESS (0x0001)
Codes:     KERN_PROTECTION_FAILURE (0x0002) at 0x

Thread 0:
0   libSystem.B.dylib   0x900c7600 poll + 12
1   clamd               0xdbdc fds_poll_recv + 468 (others.c:506)
2   clamd               0xb628 recvloop_th + 3440 (server-th.c:1114)
3   clamd               0x69b8 main + 4344 (clamd.c:589)
4   clamd               0x2094 _start + 760
5   clamd               0x1d98 start + 48

Thread 1:
0   libSystem.B.dylib   0x900c7600 poll + 12
1   clamd               0xdbdc fds_poll_recv + 468 (others.c:506)
2   clamd               0x9e1c acceptloop_th + 104 (server-th.c:328)
3   libSystem.B.dylib   0x9002b908 _pthread_body + 96

Thread 2 Crashed:
0   libSystem.B.dylib   0x90002dc8 strlen + 8
1   libSystem.B.dylib   0x90011c1c __vfprintf + 5768
2   libSystem.B.dylib   0x9002a38c vsnprintf + 300
3   libclamav.6.dylib   0x002b1c30 cli_dbgmsg_internal + 96 (others_common.c:160)
4   libclamav.6.dylib   0x0025d1a8 pdf_extract_obj + 2004 (pdf.c:736)
5   libclamav.6.dylib   0x0025dfac cli_pdf + 1516 (pdf.c:1120)
6   libclamav.6.dylib   0x0021a3f8 cli_scanpdf + 148 (scanners.c:1472)
7   libclamav.6.dylib   0x0021c498 magic_scandesc + 4168 (scanners.c:2261)
8   libclamav.6.dylib   0x0021cb28 cl_scandesc_callback + 188 (scanners.c:2445)
9   libclamav.6.dylib   0x0021ccd4 cl_scanfile_callback + 84 (scanners.c:2503)
10  clamd               0xc364 scan_callback + 944 (scanner.c:232)
11  libclamav.6.dylib   0x002b2b54 cli_ftw_dir + 1068 (others_common.c:771)
12  libclamav.6.dylib   0x002b2b54 cli_ftw_dir + 1068 (others_common.c:771)
13  libclamav.6.dylib   0x002b2b54 cli_ftw_dir + 1068 (others_common.c:771)
14  libclamav.6.dylib   0x002b2b54 cli_ftw_dir + 1068 (others_common.c:771)
15  libclamav.6.dylib   0x002b270c cli_ftw + 488 (others_common.c:607)
16  clamd               0x7860 command + 1468 (session.c:373)
17  clamd               0x9850 scanner_thread + 76 (server-th.c:107)
18  clamd               0x911c thrmgr_worker + 292 (thrmgr.c:653)
19  libSystem.B.dylib   0x9002b908 _pthread_body + 96

Thread 2 crashed with PPC Thread State 64:
  srr0: 0x90002dc8  srr1: 0x1200d030  vrsave: 0x
    cr: 0x24088204   xer: 0x            lr: 0x90011c1c   ctr: 0x90002dc0
    r0: 0x90011c1c    r1: 0xf01802a0    r2: 0xf0180f7c    r3: 0x0001
    r4: 0xf018041b    r5: 0x0001        r6: 0x0031        r7: 0x
    r8: 0xf0180419    r9: 0x           r10: 0x0004       r11: 0xa00061c0
   r12: 0x90002dc0   r13: 0x0001       r14: 0x           r15: 0x
   r16: 0xf0181120   r17: 0xa00022e0   r18: 0x002cfad4   r19: 0x
   r20: 0xf01809b8   r21: 0x0073       r22: 0xf0180320   r23: 0x
   r24: 0x0029       r25: 0x0001       r26: 0x           r27: 0x0029
   r28: 0x002cfad2   r29: 0xf0180328   r30: 0x002cfaca   r31: 0x9001059c

Binary Images Description:
    0x1000 -    0x19fff  clamd                  /usr/local/sbin/clamd
       0x5 -    0x5dfff  libbz2.1.0.dylib       /opt/local/lib/libbz2.1.0.dylib
   0x78000 -    0x79fff  libclamunrar_iface.so  /usr/local/lib/libclamunrar_iface.so
       0x8 -    0x8afff  libclamunrar.6.dylib   /usr/local/lib/libclamunrar.6.dylib
  0x205000 -   0x2eafff  libclamav.6.dylib      /usr/local/lib/libclamav.6.dylib
    0x8fe0 - 0x8fe52fff  dyld 46.16             /usr/lib/dyld
    0x9000 - 0x901bcfff  libSystem.B.dylib      /usr/lib/libSystem.B.dylib
0x90214000 - 0x90219fff  libmathCommon.A.dylib  /usr/lib/system/libmathCommon.A.dylib
0x91112000 - 0x91120fff  libz.1.dylib           /usr/lib/libz.1.dylib
0x91434000 -     0x9143  libgcc_s.1.dylib       /usr/lib/libgcc_s.1.dylib
0x92a07000 - 0x92af5fff  libiconv.2.dylib       /usr/lib/libiconv.2.dylib
Re: [Clamav-users] VirusEvent and ClamDScan
On Jul 6, 2010, at 4:51 PM, Noel Jones wrote:

> Make sure you restart clamd after editing clamd.conf.

Ah, this was the core of my problem. Clamd was not seeing the new VirusEvent command lines I was using for testing. My config file was not really being reloaded. I was starting/stopping clamd like this, in order to reload the config:

    sudo launchctl stop com.clamd.daemon
    sudo launchctl start com.clamd.daemon

But this doesn't work. What I need to do to reload the configuration is:

    sudo launchctl unload -w /Library/LaunchDaemons/com.clamxav.clamd.plist
    Kill [clamv process ID]
    sudo launchctl load -w /Library/LaunchDaemons/com.clamxav.clamd.plist

These three steps above will cause the config file to be reloaded. Of course you can also reboot the machine but sometimes this is not a good option.

Is there a better way to force the config file to be reloaded? I don't like the Kill step, but it seems to be necessary.

And as a follow-up, the VirusEvent will run a console app.

I am grateful for the help, thank you!

Russ
Re: [Clamav-users] VirusEvent and ClamDScan
On Jul 6, 2010, at 3:12 PM, Török Edwin wrote:

>> Interesting, I made my VirusEvent line look like this in clamd.conf:
>>
>> VirusEvent /bin/cp /Library/mytestfile.txt /Library/mytestfile2.txt
>
> Does the 'clamav' user have the right to create files in /Library?
>
> Note that even if you run clamd as root, a 'User clamav' directive in
> clamd.conf it will drop privileges.
>
> Try copying a file to /tmp, or even simpler just 'touch /tmp/foo'.

The "run as another user" directive in my clamd.conf file looks like this:

    # Run as another user (clamd must be started by root for this option to work)
    # Default: don't drop privileges
    #User clamav

So, I am interpreting this to mean that clamd will retain its privileges (i.e., run as root). Is that a correct interpretation? In Activity Monitor, the User "owning" clamd is described as root.

I have tried both of these commands on the VirusEvent line:

    VirusEvent /bin/cp /tmp/mytestfile.txt /tmp/mytestfile2.txt

and

    VirusEvent touch /tmp/mytestfile.txt

Unfortunately, it does not seem that either event fires, even though the scan does find EICAR.

What is the most sensible way to verify that clamd is looking at the correct config file? This is the one that I am updating:

    /usr/local/ClamXav/etc/clamd.conf

Thanks,
Russ
Re: [Clamav-users] VirusEvent and ClamDScan
On Jul 6, 2010, at 1:46 PM, Noel Jones wrote:

>> What is a suitable command I could use to test that this is firing? I've
>> tried a few things with ECHO but nothing shows up.
>>
>
> echo won't work. The event script is run by the clamd daemon, which isn't
> attached to a terminal.
>
>> Maybe some kind of command to drop some data into a text file or
>> something like that?
>
> Yes, that should work. A typical use of the event script would be to trigger
> an email message to the admin.

Interesting, I made my VirusEvent line look like this in clamd.conf:

    VirusEvent /bin/cp /Library/mytestfile.txt /Library/mytestfile2.txt

Then I stop and start the daemon using launchctl. Then I do a clamdscan of the folder with EICAR in it. The terminal reports it finds the EICAR. But the mytestfile is not copied.

Is this a valid test? Would you expect the VirusEvent action to fire here?

Thanks,
Russ
Re: [Clamav-users] VirusEvent and ClamDScan
On Jul 6, 2010, at 12:35 PM, Nathan Gibbs wrote:

> Usually all that I see are log entries like this
>
> Jul 6 05:11:32 host clamd[30362]: /path/to/infected/file/infectedfile:
> VirusName FOUND
>
> or this
>
> Jul 6 05:12:26 host clamd[30362]: stream: VirusName FOUND
>
> Nothing is logged about the VirusEvent Script.
> There may be a way to get that out of clamd, but I'm not sure.

So (if I understand correctly), the VirusEvent should be firing. What is a suitable command I could use to test that this is firing? I've tried a few things with ECHO but nothing shows up.

Maybe some kind of command to drop some data into a text file or something like that? I can afford to be a little aggressive with this machine.

Thanks,
Russ
[Clamav-users] VirusEvent and ClamDScan
The system these questions involve is OS X.4.11 Intel using the ClamAV engine 0.95.2. ClamD is running and Clamdscan will perform scans manually and successfully finds the test EICAR file. ClamD is running as Root (as identified in Activity Monitor), started from a LaunchDaemon.

Questions:

1) When scans are manually executed via clamdscan and a virus is found, will the VirusEvent defined in clamd.conf still fire? I can find no evidence that it is firing, nor any signs (log entries) that the command is failing.

2) Can the VirusEvent command be to run a console app? (e.g., /local/bin/mycustomconsoleapp "%v" )

I appreciate any advice.

Thanks,
Russ