Re: [Clamav-users] false positive of Email.FreeGame on MySQL DB
Jon Wagoner - Red Cheetah wrote:
> Is there any way I can disable the check for Email.FreeGame?

Is there any reason to suspect this file will ever contain a viable virus? If not then don't bother scanning it. Sorry I don't have an answer for your question.

dp
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
[Clamav-users] false positive of Email.FreeGame on MySQL DB
I'm not sure what the proper procedure is here. Clamav is detecting Email.FreeGame in two of the database files from my MySQL database (one .MYD and one .ibd). If I dump the contents as text and scan, no virus is found, so apparently it's just something in the binary format of the DB triggering it. Clamd -V reports the version as ClamAV 0.91.2/4419/Fri Sep 28 02:36:28 2007.

This table from the DB contains proprietary client information, so I can't just submit it for review as a false positive. One of the files is also 1.1GB, so I don't think you'd want that anyway.

Is there any way I can disable the check for Email.FreeGame?

Jon Wagoner
Red Cheetah Software
Re: [Clamav-users] false positive of Email.FreeGame on MySQL DB
Jon Wagoner - Red Cheetah wrote:
>>> Yes, I'm periodically doing scans of the full drive. I could just skip the mysql directory, but that seems pretty bad security practice.
>>
>> Why does it seem that way to you ?
>
> It appears clamav just does a substring match on the exclude, so it would be easy to hide viruses. E.g. if I excluded .MYD, then you could just have your virus named somevirus.MYD and it would not be caught. If I tried to exclude the mysql dir, then a user could have a virus hidden in /home/someuser/var/lib/mysql/my-virus-here.

The session you run for system files can have different params than a session run in user space. Looks like you're trying to do it all with a single sweep. Not the way I'd do it, but it's a way.

dp
Re: [Clamav-users] false positive of Email.FreeGame on MySQL DB
On Fri, 28 Sep 2007, Jon Wagoner - Red Cheetah wrote:
>>> Yes, I'm periodically doing scans of the full drive. I could just skip the mysql directory, but that seems pretty bad security practice.
>>
>> Why does it seem that way to you ?

I don't think scanning raw mysql database files is going to give useful results. My gut is that you should in fact exclude them.

If a database has specific content that could contain a virus and be a problem (is used to store e-mail or downloadable files), then I would think the only real way to do it is to write something to extract that data and scan it outside of the DB file, each one separately -- as if they were individual files.

==
Chris Candreva -- [EMAIL PROTECTED] -- (914) 948-3162
WestNet Internet Services of Westchester
http://www.westnet.com/
Re: [Clamav-users] false positive of Email.FreeGame on MySQL DB
>> Yes, I'm periodically doing scans of the full drive. I could just skip the mysql directory, but that seems pretty bad security practice.
>
> Why does it seem that way to you ?

It appears clamav just does a substring match on the exclude, so it would be easy to hide viruses. E.g. if I excluded .MYD, then you could just have your virus named somevirus.MYD and it would not be caught. If I tried to exclude the mysql dir, then a user could have a virus hidden in /home/someuser/var/lib/mysql/my-virus-here.
Re: [Clamav-users] false positive of Email.FreeGame on MySQL DB
On Fri, September 28, 2007 12:41 pm, Dennis Peterson said:
> Jon Wagoner - Red Cheetah wrote:
>> Is there any way I can disable the check for Email.FreeGame?
>
> Is there any reason to suspect this file will ever contain a viable virus? If not then don't bother scanning it. Sorry I don't have an answer for your question.

I'd assume since he is intentionally scanning it, he means to scan it, normally...

Is there a way to move Email.FreeGame to be classified as a 'Phishing' signature? It appears to be designed to catch emails pointing you to bad sites, which is the definition of a phish as far as I'm aware...

Daniel T. Staal

---
This email copyright the author. Unless otherwise noted, you are expressly allowed to retransmit, quote, or otherwise use the contents for non-commercial purposes. This copyright will expire 5 years after the author's death, or in 30 years, whichever is longer, unless such a period is in excess of local copyright law.
---
Re: [Clamav-users] false positive of Email.FreeGame on MySQL DB
> On Fri, September 28, 2007 12:41 pm, Dennis Peterson said:
>> Jon Wagoner - Red Cheetah wrote:
>>> Is there any way I can disable the check for Email.FreeGame?
>>
>> Is there any reason to suspect this file will ever contain a viable virus? If not then don't bother scanning it. Sorry I don't have an answer for your question.
>
> I'd assume since he is intentionally scanning it, he means to scan it, normally...
>
> Is there a way to move Email.FreeGame to be classified as a 'Phishing' signature? It appears to be designed to catch emails pointing you to bad sites, which is the definition of a phish as far as I'm aware...

Yes, I'm periodically doing scans of the full drive. I could just skip the mysql directory, but that seems pretty bad security practice.

Jon Wagoner
Re: [Clamav-users] false positive of Email.FreeGame on MySQL DB
On Fri, 28 Sep 2007, Jon Wagoner - Red Cheetah wrote:
> It appears clamav just does a substring match on the exclude, so it would be easy to hide viruses. E.g. if I excluded .MYD, then you could just have your virus named somevirus.MYD and it would not be caught.

I would not exclude *.MYD globally. However:

> If I tried to exclude the mysql dir, then a user could have a virus hidden in /home/someuser/var/lib/mysql/my-virus-here.

Users should not be able to write to that directory at all, it should be owned/group mysql. If someone did put a virus there you would probably have a bigger problem - namely that mysql had been hacked.

Clamd is for scanning specific things, and I don't think mysql db files is one of them. Not that verifying the integrity of your mysql files isn't a good idea, but I think it will take more than clam to do it. Off the top of my head you would want to look for named files that don't belong. After that, a DB integrity check (a good idea anyway) would find other files pretending to be DB files, as they would fail.

==
Chris Candreva -- [EMAIL PROTECTED] -- (914) 948-3162
WestNet Internet Services of Westchester
http://www.westnet.com/
Re: [Clamav-users] clamd stuck at 100% cpu usage
Once upon a time, Jeff Thurston [EMAIL PROTECTED] said:
> I'm running clamav 91.2 (90.3 did the same thing). After about an hour or so the clamd process gets stuck at 100%. I've checked various logs for the cause and haven't found anything.

What OS and platform?

I have had load problems with clamd running 100% on Solaris 9 (V480, quad UltraSPARC III 900MHz). I moved ClamAV to a Linux (Fedora 7 x86_64 on dual Xeon 2.8GHz) this week, and that system runs ~90% idle (it did get down to 85% idle once). I tried using PCRE on Solaris, but it didn't seem to help me much.

--
Chris Adams [EMAIL PROTECTED]
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
[Clamav-users] clamd stuck at 100% cpu usage
I'm running clamav 91.2 (90.3 did the same thing). After about an hour or so the clamd process gets stuck at 100%. I've checked various logs for the cause and haven't found anything. Clamav is being run by amavis-new 2.3 if that info is of any interest.

This is a recent problem, I ran 88.4 just fine for MONTHS, then 90.3 since the day after its release; Wednesday this started happening. I upgraded to 91.2 last night and the problem persists. Even though the clamd process is stuck at max cpu usage, it is still able to scan and detect viruses.

Where should I start looking?
Re: [Clamav-users] clamd stuck at 100% cpu usage
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:clamav-users- [EMAIL PROTECTED] On Behalf Of Chris Adams
> Sent: Friday, September 28, 2007 11:48 AM
> To: 'ClamAV users ML'
> Subject: Re: [Clamav-users] clamd stuck at 100% cpu usage
>
> Once upon a time, Jeff Thurston [EMAIL PROTECTED] said:
>> I'm running clamav 91.2 (90.3 did the same thing). After about an hour or so the clamd process gets stuck at 100%. I've checked various logs for the cause and haven't found anything.
>
> What OS and platform?
>
> I have had load problems with clamd running 100% on Solaris 9 (V480, quad UltraSPARC III 900MHz). I moved ClamAV to a Linux (Fedora 7 x86_64 on dual Xeon 2.8GHz) this week, and that system runs ~90% idle (it did get down to 85% idle once). I tried using PCRE on Solaris, but it didn't seem to help me much.
>
> --
> Chris Adams [EMAIL PROTECTED]
> Systems and Network Administrator - HiWAAY Internet Services
> I don't speak for anybody but myself - that's enough trouble.

Ubuntu 6.06.1 Server i686.
Re: [Clamav-users] clamd stuck at 100% cpu usage
Jeff Thurston wrote:
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:clamav-users- [EMAIL PROTECTED] On Behalf Of Chris Adams
>> Sent: Friday, September 28, 2007 11:48 AM
>> To: 'ClamAV users ML'
>> Subject: Re: [Clamav-users] clamd stuck at 100% cpu usage
>>
>> Once upon a time, Jeff Thurston [EMAIL PROTECTED] said:
>>> I'm running clamav 91.2 (90.3 did the same thing). After about an hour or so the clamd process gets stuck at 100%. I've checked various logs for the cause and haven't found anything.
>>
>> What OS and platform?
>
> Ubuntu 6.06.1 Server i686.

What is the name of the process that is stuck at 100%?

dp
Re: [Clamav-users] clamd stuck at 100% cpu usage
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:clamav-users- [EMAIL PROTECTED] On Behalf Of Dennis Peterson
> Sent: Friday, September 28, 2007 12:07 PM
> To: ClamAV users ML
> Subject: Re: [Clamav-users] clamd stuck at 100% cpu usage
>
> Jeff Thurston wrote:
>>> -----Original Message-----
>>> From: [EMAIL PROTECTED] [mailto:clamav-users- [EMAIL PROTECTED] On Behalf Of Chris Adams
>>> Sent: Friday, September 28, 2007 11:48 AM
>>> To: 'ClamAV users ML'
>>> Subject: Re: [Clamav-users] clamd stuck at 100% cpu usage
>>>
>>> Once upon a time, Jeff Thurston [EMAIL PROTECTED] said:
>>>> I'm running clamav 91.2 (90.3 did the same thing). After about an hour or so the clamd process gets stuck at 100%. I've checked various logs for the cause and haven't found anything.
>>>
>>> What OS and platform?
>>
>> Ubuntu 6.06.1 Server i686.
>
> What is the name of the process that is stuck at 100%?
>
> dp

According to top, clamd. It currently is not, I disabled pdf scanning, and restarted clamav-daemon. Saw in the archives there may be issues with large pdfs, worth a try. Something is triggering this, I just don't have a clue what, I've searched the logs and not found anything obvious (to me at least).
Re: [Clamav-users] clamd stuck at 100% cpu usage
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:clamav-users- [EMAIL PROTECTED] On Behalf Of Dennis Peterson
> Sent: Friday, September 28, 2007 12:11 PM
> To: ClamAV users ML
> Subject: Re: [Clamav-users] clamd stuck at 100% cpu usage
>
> Dennis Peterson wrote:
>> Jeff Thurston wrote:
>>>> -----Original Message-----
>>>> From: [EMAIL PROTECTED] [mailto:clamav-users- [EMAIL PROTECTED] On Behalf Of Chris Adams
>>>> Sent: Friday, September 28, 2007 11:48 AM
>>>> To: 'ClamAV users ML'
>>>> Subject: Re: [Clamav-users] clamd stuck at 100% cpu usage
>>>>
>>>> Once upon a time, Jeff Thurston [EMAIL PROTECTED] said:
>>>>> I'm running clamav 91.2 (90.3 did the same thing). After about an hour or so the clamd process gets stuck at 100%. I've checked various logs for the cause and haven't found anything.
>>>>
>>>> What OS and platform?
>>>
>>> Ubuntu 6.06.1 Server i686.
>>
>> What is the name of the process that is stuck at 100%?
>>
>> dp
>
> Sorry - the question is answered in the subject line. Can you strace it to see what it's doing?
>
> dp

Please forgive my ignorance, I don't use strace very much... I assume it is as simple as waiting for the process to get stuck at 100% again, then `strace -p clamd.pid` and look for... what should I look for?
Re: [Clamav-users] clamd stuck at 100% cpu usage
Jeff Thurston wrote:
> Please forgive my ignorance, I don't use strace very much... I assume it is as simple as waiting for the process to get stuck at 100% again, then `strace -p clamd.pid` and look for... what should I look for?

Yes, pretty much it. You should probably also use the -f (follow) switch to see what the kids are doing, too. You can also learn what files are currently open with lsof. When using these tools it's a good idea to see what the idle clamd is doing as well as what it is doing while processing files so that the results you see have a context. Use vmstat and iostat to see what the cpu and disks are doing before and during one of these events. The idea is to know what things should look like when the system is healthy for comparison for the times it is not.

Timing is everything so you should also be aware of what freshclam is doing relative to these lockups. If it happens right after freshclam downloads a new database you can assume there's a relationship, for example.

dp
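An added illustration of the "compare healthy against stuck" approach Dennis describes; this is not code from the thread or from ClamAV. It parses constructed `strace -f` output (the `[pid N]` prefix strace emits when following threads) from an idle capture and a stuck capture, reports threads that only show up in the stuck capture, and flags a thread that repeats the same call pattern, which is what a busy loop looks like in a trace. The thread ids and file descriptors are made up.

```python
import re
from collections import Counter

# Constructed strace -f samples (not real clamd traces). BASELINE is an idle
# daemon handling one scan request; STUCK is a thread repeating the same calls.
BASELINE = """\
[pid  4410] select(4, [3], NULL, NULL, {30, 0}) = 0 (Timeout)
[pid  4410] select(4, [3], NULL, NULL, {30, 0}) = 1 (in [3], left {12, 3})
[pid  4410] accept(3, {sa_family=AF_FILE, NULL}, [2]) = 5
[pid  4412] read(5, "SCAN /var/spool/amavis/tmp/x\\n", 1024) = 30
[pid  4412] open("/var/spool/amavis/tmp/x", O_RDONLY) = 6
[pid  4412] read(6, "...", 8192) = 8192
[pid  4412] close(6) = 0
[pid  4412] write(5, "/var/spool/amavis/tmp/x: OK\\n", 28) = 28
"""

STUCK = """\
[pid  4410] select(4, [3], NULL, NULL, {30, 0}) = 0 (Timeout)
[pid  4413] lseek(7, 1048576, SEEK_SET) = 1048576
[pid  4413] read(7, "...", 4096) = 4096
[pid  4413] lseek(7, 1048576, SEEK_SET) = 1048576
[pid  4413] read(7, "...", 4096) = 4096
[pid  4413] lseek(7, 1048576, SEEK_SET) = 1048576
[pid  4413] read(7, "...", 4096) = 4096
"""

# "[pid N] name(args) = result"; the pid prefix is absent for a single thread.
LINE_RE = re.compile(r"^(?:\[pid\s+(\d+)\]\s+)?(\w+)\((.*)\)\s+=\s+(.*)$")


def parse(trace):
    """Yield (tid, syscall, args, result) for every parseable line."""
    for line in trace.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1) or "main", m.group(2), m.group(3), m.group(4)


def syscall_counts(trace):
    """Per-thread syscall histogram: {tid: Counter({name: n})}."""
    counts = {}
    for tid, name, _, _ in parse(trace):
        counts.setdefault(tid, Counter())[name] += 1
    return counts


def threads_only_in(stuck, baseline):
    """Thread ids present in the stuck capture but absent from the baseline."""
    base = syscall_counts(baseline)
    return sorted(t for t in syscall_counts(stuck) if t not in base)


def repeated_cycle(trace, tid, window=2):
    """True if thread tid repeats the same `window`-call pattern end to end."""
    calls = [(n, a) for t, n, a, _ in parse(trace) if t == tid]
    if len(calls) < 2 * window:
        return False
    pattern = calls[:window]
    return all(calls[i:i + window] == pattern
               for i in range(0, len(calls) - window + 1, window))
```

Capture both traces for the same length of time so the histograms are comparable, and keep the lsof/vmstat snapshots alongside them for the same reason.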
Re: [Clamav-users] clamd stuck at 100% cpu usage
Dennis Peterson wrote:
> Jeff Thurston wrote:
>>> -----Original Message-----
>>> From: [EMAIL PROTECTED] [mailto:clamav-users- [EMAIL PROTECTED] On Behalf Of Chris Adams
>>> Sent: Friday, September 28, 2007 11:48 AM
>>> To: 'ClamAV users ML'
>>> Subject: Re: [Clamav-users] clamd stuck at 100% cpu usage
>>>
>>> Once upon a time, Jeff Thurston [EMAIL PROTECTED] said:
>>>> I'm running clamav 91.2 (90.3 did the same thing). After about an hour or so the clamd process gets stuck at 100%. I've checked various logs for the cause and haven't found anything.
>>>
>>> What OS and platform?
>>
>> Ubuntu 6.06.1 Server i686.
>
> What is the name of the process that is stuck at 100%?
>
> dp

Sorry - the question is answered in the subject line. Can you strace it to see what it's doing?

dp
[Clamav-users] strace and threads (was Re: clamd stuck at 100% cpu usage)
Dennis Peterson wrote:
> Yes, pretty much it. You should probably also use the -f (follow) switch to see what the kids are doing, too.

Does strace work well with POSIX threads on Linux? My impression was not, but maybe my information is out of date.

Regards,

David.
Re: [Clamav-users] strace and threads (was Re: clamd stuck at 100% cpu usage)
David F. Skoll wrote:
> Dennis Peterson wrote:
>> Yes, pretty much it. You should probably also use the -f (follow) switch to see what the kids are doing, too.
>
> Does strace work well with POSIX threads on Linux? My impression was not, but maybe my information is out of date.

I'm a Solaris guy so use truss and dtrace so I can't say. The man page didn't say anything about being posix limited but Linux never fails to surprise me.

dp
Re: [Clamav-users] clamd stuck at 100% cpu usage
On 9/28/07, Jeff Thurston [EMAIL PROTECTED] wrote:
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:clamav-users- [EMAIL PROTECTED] On Behalf Of Chris Adams
>> Sent: Friday, September 28, 2007 11:48 AM
>> To: 'ClamAV users ML'
>> Subject: Re: [Clamav-users] clamd stuck at 100% cpu usage
>>
>> Once upon a time, Jeff Thurston [EMAIL PROTECTED] said:
>>> I'm running clamav 91.2 (90.3 did the same thing). After about an hour or so the clamd process gets stuck at 100%.
>
> Ubuntu 6.06.1 Server i686.

The best way to diagnose this problem is to use a clamd compiled with debug info (-g compiler switch), then attach gdb to the running process. A backtrace on all threads shows where it is wasting^Hspending time.

--Edwin
Re: [Clamav-users] false positive of Email.FreeGame on MySQL DB
On Fri, 28 Sep 2007, Jon Wagoner - Red Cheetah wrote:
>> It appears clamav just does a substring match on the exclude, so it would be easy to hide viruses. E.g. if I excluded .MYD, then you could just have your virus named somevirus.MYD and it would not be caught.
>
> I would not exclude *.MYD globally. However:
>
>> If I tried to exclude the mysql dir, then a user could have a virus hidden in /home/someuser/var/lib/mysql/my-virus-here.
>
> Users should not be able to write to that directory at all, it should be owned/group mysql. If someone did put a virus there you would probably have a bigger problem - namely that mysql had been hacked.

Take a closer look, that's not the real mysql directory, just a subdirectory under the user's home folder that would match the exclude for the real /var/lib/mysql.
Re: [Clamav-users] false positive of Email.FreeGame on MySQL DB
On Fri, 28 Sep 2007, Jon Wagoner - Red Cheetah wrote:
>>> hidden in /home/someuser/var/lib/mysql/my-virus-here.
>>
>> Users should not be able to write to that directory at all, it should be
>
> Take a closer look, that's not the real mysql directory, just a subdirectory under the user's home folder that would match the exclude for the real /var/lib/mysql.

--exclude-dir is listed as taking a regex, so if you --exclude=^/var/lib/mysql/ you should be fine.

I see now though -- if it was a simple substring (or if the current --help output is wrong) that would be a problem.

==
Chris Candreva -- [EMAIL PROTECTED] -- (914) 948-3162
WestNet Internet Services of Westchester
http://www.westnet.com/
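An added example, not code from the thread or from ClamAV, showing the difference Jon and Chris are arguing about: it applies an exclude pattern as a regex search over each full path, as Chris reads the --help output, and contrasts an anchored `^/var/lib/mysql/` with an unanchored `/var/lib/mysql/` and with a bare extension pattern. The sample paths are constructed from the two examples in the thread plus a few fillers.

```python
import re

# Constructed paths a full-drive scan might visit. The /home/someuser entries
# are the cases Jon describes: user-writable paths whose names mimic the
# database directory or its file extension.
SAMPLE_PATHS = [
    "/var/lib/mysql/clients.MYD",
    "/var/lib/mysql/ibdata1",
    "/home/someuser/var/lib/mysql/my-virus-here",
    "/home/someuser/somevirus.MYD",
    "/tmp/mail/attachment.exe",
]


def is_excluded(path, pattern):
    """True if the regex `pattern` matches anywhere in `path`.

    re.search is unanchored, so a pattern without ^ behaves like the substring
    match Jon worried about; the caller has to anchor it explicitly.
    """
    return re.search(pattern, path) is not None


def files_to_scan(paths, pattern):
    """Paths that survive the exclude and would actually be scanned."""
    return [p for p in paths if not is_excluded(p, pattern)]


def skipped_by(paths, pattern):
    """Paths the exclude would silently drop from the scan."""
    return [p for p in paths if is_excluded(p, pattern)]


# The three patterns discussed in the thread, as a defender would compare them.
UNANCHORED_DIR = r"/var/lib/mysql/"      # matches the look-alike under /home too
ANCHORED_DIR = r"^/var/lib/mysql/"       # only the real database directory
EXTENSION_ONLY = r"\.MYD$"               # excludes any .MYD anywhere on the box
```

Run `skipped_by(SAMPLE_PATHS, p)` for each of the three patterns to see which user-writable paths each one would leave unscanned.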
Re: [Clamav-users] strace and threads (was Re: clamd stuck at 100% cpu usage)
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:clamav-users- [EMAIL PROTECTED] On Behalf Of Dennis Peterson
> Sent: Friday, September 28, 2007 12:35 PM
> To: ClamAV users ML
> Subject: Re: [Clamav-users] strace and threads (was Re: clamd stuck at 100% cpu usage)
>
> David F. Skoll wrote:
>> Dennis Peterson wrote:
>>> Yes, pretty much it. You should probably also use the -f (follow) switch to see what the kids are doing, too.
>>
>> Does strace work well with POSIX threads on Linux? My impression was not, but maybe my information is out of date.
>
> I'm a Solaris guy so use truss and dtrace so I can't say. The man page didn't say anything about being posix limited but Linux never fails to surprise me.
>
> dp

I hope this isn't too soon to call it problem solved, but after disabling PDF scanning I haven't had any problems with Clamd, everything is just fine. Hopefully I won't be back on Monday asking for more help with strace ;)

Thanks for the info and all the help!

-Jeff