Re: [Clamav-users] clamdscan return code problem

2009-10-26 Thread Roberto

I did not get any answer about my problem; maybe I asked on the wrong mailing
list or asked the wrong question.

Please, could someone point me to the right place?

thanks in advance
Roberto

On Sat, October 17, 2009 14:03, Roberto wrote:

 Hi
 I discovered the following issue: after installing clamav-daemon on Lenny, I
 started scanning files and directories to test the clamdscan utility and I found
 that when scanning a private directory (the clamd daemon is running as a different
 unprivileged user) the command reports a misleading result, in my opinion.
 What happens is clamd reports an error and no scan happens, but clamdscan reports
 no virus found (although no scan ever happened).

 Example:

 drwxr-x---  3 roby roby 4096 2009-10-17 11:55 noaccess

 $ clamdscan  noaccess
 /home/roby/noaccess: lstat() failed: Permission denied. ERROR

 --- SCAN SUMMARY ---
 Infected files: 0
 Time: 0.009 sec (0 m 0 s)
 r...@fmgw01:~$ echo $?
 0
 r...@fmgw01:~$ clamdscan  -V
 ClamAV 0.95.2/9908/Sat Oct 17 11:07:01 2009
 r...@fmgw01:~$
 =

 What I consider misleading is the error code $? returned to the shell
 (a program like qmailscan could think all is fine, but actually no
 scan happened) and "Infected files: 0". I understand I can use the clamdscan
 option --fdpass, but this is not the default behaviour, so I am wondering what
 the reason is for not reporting the error to the caller?


 thanks in advance,
 Roberto




___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
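As an added example (not code from the original post or from the ClamAV project), here is a POSIX sh wrapper that works around the behaviour Roberto describes. It maps clamdscan's output and exit status to the convention clamdscan(1) documents (0 = clean, 1 = infected, 2 = error), with one extra rule: any per-file line ending in " ERROR" means that path was never scanned, so the verdict is 2 even when clamdscan itself exited 0. It also passes --fdpass so that clamd's unprivileged user needs no access rights on the caller's files. The function and variable names are mine; the embedded sample output is Roberto's pasted output, wrapped as a constructed string.

```shell
#!/bin/sh
# Added example, not code from the original post or from ClamAV.
# clam_verdict OUTPUT STATUS -> prints the corrected exit code:
#   0 = clean, 1 = infected, 2 = error (something was not scanned)
clam_verdict() {
    cv_output=$1
    cv_status=$2
    # clamdscan's own non-zero status is authoritative (1 = FOUND, 2 = error)
    if [ "$cv_status" -ne 0 ]; then
        printf '%s\n' "$cv_status"
        return 0
    fi
    # Exit 0 but a per-file ERROR line: that path was never scanned, so a
    # caller must not treat the result as "clean" -> report an error
    if printf '%s\n' "$cv_output" | grep -q ' ERROR$'; then
        printf '2\n'
        return 0
    fi
    # Defensive: a FOUND line with exit 0 should not happen, still report 1
    if printf '%s\n' "$cv_output" | grep -q ' FOUND$'; then
        printf '1\n'
        return 0
    fi
    printf '0\n'
}

# safe_clamdscan PATH... -> runs clamdscan and returns the corrected verdict.
# --fdpass makes clamdscan open each file itself and hand the descriptor to
# clamd over the local Unix socket, so clamd's unprivileged user does not need
# permission on the caller's files. It only works with a local socket, not
# over TCP. A mail scanner calling this can then trust a 0 exit status.
safe_clamdscan() {
    sc_rc=0
    sc_out=$(clamdscan --fdpass "$@" 2>&1) || sc_rc=$?
    printf '%s\n' "$sc_out"
    return "$(clam_verdict "$sc_out" "$sc_rc")"
}

# Constructed sample: the output from the original post, where clamdscan
# itself exited 0 although the directory was never scanned.
noaccess_output='/home/roby/noaccess: lstat() failed: Permission denied. ERROR

--- SCAN SUMMARY ---
Infected files: 0
Time: 0.009 sec (0 m 0 s)'

clam_verdict "$noaccess_output" 0   # prints 2, not 0
```

Usage: `safe_clamdscan /home/roby/noaccess; echo $?` prints 2 for the case above, so a caller that checks only the exit status (as qmailscan or a similar program would) sees the failure instead of a clean result.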


Re: [Clamav-users] clamdscan return code problem

2009-10-26 Thread Tomasz Kojm
On Sat, 17 Oct 2009 15:03:03 +0200 (CEST)
Roberto rober...@redix.it wrote:

 
 Hi
 I discovered the following issue: after installing clamav-daemon on Lenny, I
 started scanning files and directories to test the clamdscan utility and I
 found that when scanning a private directory (the clamd daemon is running as a
 different unprivileged user) the command reports a misleading result,
 in my opinion. What happens is clamd reports an error and no scan happens,
 but clamdscan reports no virus found (although no scan ever happened).

Hi Roberto,

sounds like a bug, please open a report at bugs.clamav.net

Thanks,

-- 
   oo. Tomasz Kojm tk...@clamav.net
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Mon Oct 26 08:56:22 CET 2009


Re: [Clamav-users] ExcludePath rears its ugly head again

2009-10-26 Thread Tomasz Kojm
On Thu, 22 Oct 2009 14:11:59 -0400
Scott Mohnkern mohnk...@gmail.com wrote:

 Ignore, after further exploration I realized that the ExcludePath still goes
 through the files, it just doesn't actually scan them.

In 0.95.3 the directories will be skipped properly:
https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1656

Regards,

-- 
   oo. Tomasz Kojm tk...@clamav.net
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Mon Oct 26 09:36:41 CET 2009


Re: [Clamav-users] clamdscan return code problem

2009-10-26 Thread Tomasz Kojm
On Mon, 26 Oct 2009 08:16:26 +0100 (CET)
Roberto rober...@redix.it wrote:

 
 I did not get any answer about my problem; maybe I asked on the wrong mailing
 list or asked the wrong question.
 
 please could someone point me in the right place ?

Hi Roberto,

sounds like a bug, please open a report at bugs.clamav.net

Thanks,

-- 
   oo. Tomasz Kojm tk...@clamav.net
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Mon Oct 26 08:55:52 CET 2009


Re: [Clamav-users] Why does ClamAV does not detect this via amavisd-new

2009-10-26 Thread Tomasz Kojm
On Fri, 23 Oct 2009 17:25:36 +0300
Jari Fredriksson ja...@iki.fi wrote:

 This may or may not be an amavisd-new question, but I start here.
[...]
 This DHL payload is only malware which behaves like this for me. Any ideas?

Hi Jari,

you need to uncomment this line in the amavisd-new config file:

qr'^MAIL$',   # retain full original message for virus checking (can be slow)

Regards,

-- 
   oo. Tomasz Kojm tk...@clamav.net
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Mon Oct 26 12:32:21 CET 2009


Re: [Clamav-users] ExcludePath rears its ugly head again

2009-10-26 Thread Scott Mohnkern
Thanks!  I thought I was going crazy.


Scott Mohnkern



On Mon, Oct 26, 2009 at 4:36 AM, Tomasz Kojm tk...@clamav.net wrote:

 On Thu, 22 Oct 2009 14:11:59 -0400
 Scott Mohnkern mohnk...@gmail.com wrote:

  Ignore, after further exploration I realized that the ExcludePath still goes
  through the files, it just doesn't actually scan them.

 In 0.95.3 the directories will be skipped properly:
 https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1656

 Regards,

 --
   oo. Tomasz Kojm tk...@clamav.net
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Mon Oct 26 09:36:41 CET 2009


Re: [Clamav-users] ExcludePath rears its ugly head again

2009-10-26 Thread Scott Mohnkern
Is there an expected release date for 0.95.3?


Scott Mohnkern



On Mon, Oct 26, 2009 at 4:36 AM, Tomasz Kojm tk...@clamav.net wrote:

 On Thu, 22 Oct 2009 14:11:59 -0400
 Scott Mohnkern mohnk...@gmail.com wrote:

  Ignore, after further exploration I realized that the ExcludePath still goes
  through the files, it just doesn't actually scan them.

 In 0.95.3 the directories will be skipped properly:
 https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1656

 Regards,

 --
   oo. Tomasz Kojm tk...@clamav.net
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Mon Oct 26 09:36:41 CET 2009


Re: [Clamav-users] ExcludePath rears its ugly head again

2009-10-26 Thread Tomasz Kojm
On Mon, 26 Oct 2009 10:48:11 -0400
Scott Mohnkern mohnk...@gmail.com wrote:

 Is there an expected release date for 0.95.3?

October 28 as announced on our website

-- 
   oo. Tomasz Kojm tk...@clamav.net
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Mon Oct 26 15:49:38 CET 2009


Re: [Clamav-users] [Fwd: [sanesecurity] x86_64 users: possible malformed database problems]

2009-10-26 Thread Robert Lopez
On Sun, Oct 25, 2009 at 11:27 AM, Steve Basford
steveb_cla...@sanesecurity.com wrote:
 Hi All,

 Some users (mainly x86_64 so far) noticed database errors (malformed
  database) when loading signatures.

 As signature integrity is checked before upload to the mirrors and the
 download scripts check integrity before use, this issue should not arise.

 With help from various people on the Sanesecurity list, the problem was
 narrowed down to users on x86_64 os versions eg:  CentOS 5.4 on x86_64,
 who were using nearly all the available Third Party databases.
 The typical errors were:

 LibClamAV Error: mpool_malloc(): Attempt to allocate 2097152 bytes.
 Please report to http://bugs.clamav.net
 LibClamAV Error: cli_ac_addpatt: Can't realloc ac_pattable
 LibClamAV Error: cli_parse_add():

 Thanks to the ClamAV team, the bug was fixed in the clamav-devel version:

 clamav-devel:

 +Sat Oct 24 15:06:50 CEST 2009 (acab)
 + * libclamav/mpool.c: increase max pool to 8M to allow loading huge
 custom dbs

 I realise that people may not be able to move to the devel version in
  production environments, so the only work-around is to try and limit the
 number of databases that you are using

 for example:

 Largest size signature databases:

 25/10/2009  15:53         2,526,656 jurlbl.ndb
 24/10/2009  16:53         3,082,316 junk.ndb
 25/10/2009  15:38         3,327,576 INetMsg-SpamDomains-2w.ndb
 25/10/2009  15:29         3,886,074 scamnailer.ndb
 25/10/2009  15:53         6,967,926 jurlbla.ndb
 28/08/2009  12:10         9,393,566 securiteinfo.hdb
 25/10/2009  15:47        12,645,831 INetMsg-SpamDomains-2m.ndb

 As a reminder if you are using InetMsg signatures, you need to select:

 *either* INetMsg-SpamDomains-2w.ndb *or* INetMsg-SpamDomains-2m.ndb
 *not* both to save a bit of memory.

 Hopefully once the devel version bugfix makes its way into the stable
 version, this problem should go away.

 Sorry for any problems this has caused.

 Cheers,

 Steve
 Sanesecurity


We are using Ubuntu 9.04 x86_64. What symptoms were observed when they
noticed database errors?

-- 
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106


Re: [Clamav-users] Why does ClamAV does not detect this via amavisd-new

2009-10-26 Thread Jari Fredriksson


On 26.10.2009 13:43, Tomasz Kojm wrote:
 On Fri, 23 Oct 2009 17:25:36 +0300
 Jari Fredriksson ja...@iki.fi wrote:
 
 This may or may not be an amavisd-new question, but I start here.
 [...]
 This DHL payload is only malware which behaves like this for me. Any ideas?
 
 Hi Jari,
 
 you need to uncomment this line in amavisd-new config file:
 
 qr'^MAIL$',   # retain full original message for virus checking (can be slow)
 

Thanks, but it was already uncommented in my
   /etc/amavis/conf.d/20-debian_defaults

-- 
http://www.iki.fi/jarif/

Your boss is a few sandwiches short of a picnic.




Re: [Clamav-users] Why does ClamAV does not detect this via amavisd-new

2009-10-26 Thread Török Edwin
On 2009-10-23 19:46, Jari Fredriksson wrote:
 On 23.10.2009 17:25, Jari Fredriksson wrote:
   
 This may or may not be an amavisd-new question, but I start here.

 

 Now things changed a bit. That was detected, but with a MIME error.
   

Did you change anything, or did it change with a signature update?

 Cheers.

 --

 A virus was found:

 Bad header:
   MIME error: error: part did not end with expected boundary
   

This message is not coming from ClamAV.

It looks like amavisd-new cannot MIME-decode the message (perhaps
because it is intentionally non-RFC conforming) and shows an error.
Still, since ClamAV did detect a virus, it should classify it as a virus.
Doesn't it?

 Scanner detecting a virus: ClamAV-clamd

 Content type: Virus
 Internal reference code for the message is 16851-07/Zh1IxQou4Qc0

 First upstream SMTP client IP address: [10.123.29.115]
 According to a 'Received:' trace, the message originated at:
 [93.83.198.166],
   93.83.198.166

 Return-Path: deliv...@dhl-usa.com
 From: Manager Collin Escobar deliv...@dhl-usa.com
 Message-ID: 000d01ca53fe$a0163910$6400a...@chowderedh
 Subject: DHL Express Services. Please get your parcel NR.25483
 The message has been quarantined as: Z/virus-Zh1IxQou4Qc0

 Notification to sender will not be mailed.

 The message WAS NOT relayed to:
 s...@wellington.fredriksson.dy.fi:
250 2.7.0 Ok, discarded, id=16851-07 - INFECTED:

 Virus scanner output:
   p004: Suspect.Bredozip-zippwd-2 FOUND
   p002: Suspect.Bredozip-zippwd-2 FOUND
   

Looks like ClamAV is working properly, right?

Best regards,
--Edwin



Re: [Clamav-users] Why does ClamAV does not detect this via amavisd-new

2009-10-26 Thread Jari Fredriksson


On 26.10.2009 19:45, Török Edwin wrote:
 On 2009-10-23 19:46, Jari Fredriksson wrote:
 On 23.10.2009 17:25, Jari Fredriksson wrote:
   
 This may or may not be an amavisd-new question, but I start here.

 

 Now things changed a bit. That was detected, but with a MIME error.
   
 
 Did you change anything, or did it change with a signature update?

No. But *that* happened only once, so it might have been some kind of
malfunction in amavis or in the email itself.

 
 Scanner detecting a virus: ClamAV-clamd

 Content type: Virus
 Internal reference code for the message is 16851-07/Zh1IxQou4Qc0

 First upstream SMTP client IP address: [10.123.29.115]
 According to a 'Received:' trace, the message originated at:
 [93.83.198.166],
   93.83.198.166

 Return-Path: deliv...@dhl-usa.com
 From: Manager Collin Escobar deliv...@dhl-usa.com
 Message-ID: 000d01ca53fe$a0163910$6400a...@chowderedh
 Subject: DHL Express Services. Please get your parcel NR.25483
 The message has been quarantined as: Z/virus-Zh1IxQou4Qc0

 Notification to sender will not be mailed.

 The message WAS NOT relayed to:
 s...@wellington.fredriksson.dy.fi:
250 2.7.0 Ok, discarded, id=16851-07 - INFECTED:

 Virus scanner output:
   p004: Suspect.Bredozip-zippwd-2 FOUND
   p002: Suspect.Bredozip-zippwd-2 FOUND
   
 
 Looks like ClamAV is working properly, right?
 

Indeed. But again the latest of that breed:

A virus was found: W32/Bredolab!Generic

Banned name: .exe,.exe-ms,DHL_package_label_295aa.exe
Scanners detecting a virus: F-PROT Antivirus for UNIX, BitDefender

Content type: Virus
Internal reference code for the message is 11679-19/A5+k6kl3BppJ

First upstream SMTP client IP address: [10.123.29.115]
According to a 'Received:' trace, the message originated at:
[207.253.37.144],
  207.253.37.144

Return-Path: servi...@dhl-usa.com
From: Manager Tami Mcgee servi...@dhl-usa.com
Message-ID: 000d01ca55d0$f97d56e0$6400a...@cadaverousw
Subject: DHL Delivery Services. You should get the parcel NR.92234
The message has been quarantined as: A/virus-A5+k6kl3BppJ

Notification to sender will not be mailed.

The message WAS NOT relayed to:
s...@wellington.fredriksson.dy.fi:
   250 2.7.0 Ok, discarded, id=11679-19 - INFECTED: W32/Bredolab!Generic

Virus scanner output:
  [Found virus] W32/Bredolab!Generic  p004
  [Found worm] EML/Bredolab.gen (exact)   p001


Detected by F-Prot and BitDefender, but not ClamAV.

But then, manually scanning the attachment, clamscan detects it. This is
strange. It happens only with these DHL postings.



