Re: [clamav-users] ClamAV® blog: ClamAV 0.99.3 has been released!

2018-01-26 Thread Scott Kitterman


On January 26, 2018 2:54:57 PM UTC, "Joel Esler (jesler)"  
wrote:
>
>
>On Jan 26, 2018, at 9:49 AM, Reindl Harald
>> wrote:
>
>On 26.01.2018 at 15:40, Joel Esler (jesler) wrote:
>As previously mentioned, if you downloaded the beta version of ClamAV
>0.99.3, you will need to completely uninstall it and do a fresh install
>with the production version of 0.99.3 as there are significant code
>differences
>
>when i read something like this in 2018 my brain ends with a bluescreen
>
>This is something we debated for a couple weeks here internally and we
>found this to be the best solution.  We were stuck between a rock
>and a hard place.  Trust me, this is not the user experience I want for
>our users either.

Couldn't (old) 0.99.3 beta users just have ignored (new) 0.99.3? As far as I 
can tell, the beta had all the fixes.

Assuming that is correct, I think better advice for beta users would be to do 
nothing now and update to 0.100 beta when it is available.

Scott K
___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] ClamAV® blog: ClamAV 0.99.3 has been released!

2018-01-26 Thread Scott Kitterman
Historically, fixes for such issues would have not been part of a pre-release.  
They would have been added to the public VCS on release day.

You may not have been able to announce the CVEs for some reason, but I don't 
think silently disclosing the fixes was the best thing to have done.

Scott K

On January 26, 2018 9:55:49 PM UTC, "Joel Esler (jesler)"  
wrote:
>There are outside issues that prevented us from announcing the CVEs at
>that time.  It's not because we were trying to hide something.
>
>
>--
>Joel Esler | Talos: Manager | jes...@cisco.com
>
>
>
>
>
>
>On Jan 26, 2018, at 2:39 PM, Andreas Schulze
>> wrote:
>
>On 26.01.2018 at 16:06, Tobi wrote:
>As far as I understand the release notes of 99.3 it's a security fix
>which has nothing to do with former 99.3 beta.
>The former beta now is 0.100
>(http://blog.clamav.net/2018/01/clamav-version-number-adjustment.html).
>So at least for me it makes sense that you have to remove the beta
>first to apply fixed 99.3 version
>I compared 0.99.2 and 0.99.3 and found most of the diffs to be present in
>0.99.3beta2
>
>now, as the links to bugzilla.clamav.net
>are public, we see, the issues were known to the developers since
>October/November 2017!
>They published these changes silently as part of "beta2". They discussed
>CVEs at this time!
>This is *not* amazing.
>
>Andreas


Re: [clamav-users] ClamAV® blog: ClamAV 0.99.3 has been released!

2018-01-26 Thread Joel Esler (jesler)
There are outside issues that prevented us from announcing the CVEs at that 
time.  It's not because we were trying to hide something.


--
Joel Esler | Talos: Manager | jes...@cisco.com






On Jan 26, 2018, at 2:39 PM, Andreas Schulze 
> wrote:

On 26.01.2018 at 16:06, Tobi wrote:
As far as I understand the release notes of 99.3 it's a security fix which has 
nothing to do with former 99.3 beta.
The former beta now is 0.100 
(http://blog.clamav.net/2018/01/clamav-version-number-adjustment.html).
So at least for me it makes sense that you have to remove the beta first to 
apply fixed 99.3 version
I compared 0.99.2 and 0.99.3 and found most of the diffs to be present in 
0.99.3beta2

now, as the links to bugzilla.clamav.net are 
public, we see, the issues were known to the developers since October/November 
2017!
They published these changes silently as part of "beta2". They discussed 
CVEs at this time!
This is *not* amazing.

Andreas




[clamav-users] ClamAV® blog: Update on the recent "File Descriptors" issue in ClamAV

2018-01-26 Thread Joel Esler (jesler)


http://blog.clamav.net/2018/01/update-on-recent-file-descriptors-issue.html

Update on the recent "File Descriptors" issue in ClamAV
A signature introduced in daily.cvd version 24256 triggered a bug that exists in 
all current stable releases of ClamAV.

The symptoms on a Linux/Unix machine running clamd under heavy load result in 
the system running out of file descriptors, because the file descriptors for 
deleted temp files were not being closed.  On Windows systems, a different 
error occurred wherein the system reported “permission denied” errors when 
closing (unlinking) the temp files.

The bug was reported as early as April 2016 here: 
https://bugzilla.clamav.net/show_bug.cgi?id=11549. A patch for this bug was 
applied towards the upcoming 0.100.0 feature release of ClamAV, but 
unfortunately the fix didn’t make it into the recent 0.99.3 security patch 
release.

For the time being, the offending signature was pulled as of daily.cvd version 
24258, and changes to our backend processes have been implemented to prevent 
this from happening again.

We apologize for the inconvenience this has caused. Future releases of ClamAV 
will have a fix in place to prevent this issue from recurring.



--
Joel Esler | Talos: Manager | jes...@cisco.com








Re: [clamav-users] deleted files eating up file descriptors

2018-01-26 Thread Ruben Cardenal
You're absolutely right Mitch. The weekend was threatening with being a
real mess :) 

Will apply that asap. Sorry for so-quick-posting about it. 

Thanks! 

Rubén. 

On 2018-01-26 20:54, Mitch (BitBlock) wrote:

> Hi Ruben if you scroll back just through the last 24 hours, this has been 
> resolved...
> 
> Likely already, but if not, you can disable this signature:
> 
> echo 'Vbs.Downloader.Generic-6431223-0' >>/var/lib/clamav/local.ign2
> chown clamav:clamav /var/lib/clamav/local.ign2
> 
> Then restart your clamd
> The issue will likely be fixed in the next signature update - but I haven't 
> read a message that it has been yet.
> You could try simply updating signatures first depending on your tolerance for 
> a recurrence.
> Cheers,
> Mitch
> 
> -----Original Message-----
> From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf 
> Of Ruben Cardenal
> Sent: January-26-18 11:35 AM
> To: clamav-users@lists.clamav.net
> Subject: [clamav-users] deleted files eating up file descriptors
> 
> Hi, 
> 
> Today, all of a sudden, in 5 of our email servers (to be more precise, mx 
> processing servers), we started to get qmail-scanner errors (the feared "qq 
> temporary error" message). After some digging, we found out the reason was 
> clamav (0-99.2) was dead. Errors like: 
> 
> /var/spool/qscan/tmp/mx3151697687779817876/1516976877.17928-1.mx3: Can't open 
> file or directory ERROR
> /var/spool/qscan/tmp/mx3151697687779817876/image001.jpg: Can't open file or 
> directory ERROR
> /var/spool/qscan/tmp/mx3151697687779817876/image002.jpg: Can't open file or 
> directory ERROR
> /var/spool/qscan/tmp/mx3151697687779817876/image003.jpg: Can't open file or 
> directory ERROR 
> 
> ERROR: accept() failed:
> ERROR: accept() failed:
> ERROR: accept() failed:
> ERROR: accept() failed:
> ERROR: accept() failed:
> ERROR: accept() failed:
> ERROR: accept() failed: 
> 
> and more apparently fs/resource related errors. No disk space problems, no 
> permission problems, no inode problems. Plenty of free RAM. CPU usage and 
> load averages very low. Upgrading to the recent 0-99.3 didn't help. 
> 
> Finally, strace found out what's happening: 
> 
> [pid 10797]
> open("/tmp/clamav-43d08860615a4d14dae3046aee3e5e98.tmp/clamav-781e98988f119c6433f2328d7224825c.tmp",
> O_RDWR|O_CREAT|O_EXCL|O_TRUNC, 0700) = -1 EMFILE (Too many open files) 
> 
> [pid 10797] write(2, "LibClamAV Warning: fileblobScan, fullname == NULL\n", 
> 50) = 50 [pid 10797] write(2, "LibClamAV Error: fileblobDestroy: textportion 
> not
> saved: report to http://bugs.clamav.net\n;, 90) = 90 
> 
> which is weird, because the system is not even near to be so heavily loaded 
> (by workload) to get clamav to eat up the default 1024 descriptors. So 
> looking at /proc/PID/fd ... 
> 
> lrwx-- 1 root root 64 Jan 26 19:20 68 -> 
> /tmp/clamav-2b88cf1b1e55ab0d8cb045ab908e3273.tmp (deleted)
> lrwx-- 1 root root 64 Jan 26 19:20 680 -> 
> /tmp/clamav-7564115561d870008cbd6783ea304e96.tmp (deleted)
> lrwx-- 1 root root 64 Jan 26 19:20 681 -> 
> /tmp/clamav-a3be54920dff8420d86dfffcf6df41ea.tmp (deleted)
> lrwx-- 1 root root 64 Jan 26 19:20 682 -> 
> /tmp/clamav-270dd0e754c54dacab1bcd28a90c38e3.tmp (deleted)
> lrwx-- 1 root root 64 Jan 26 19:20 683 -> 
> /tmp/clamav-7405a8caced08e2020809f2621cd16a2.tmp (deleted)
> lrwx-- 1 root root 64 Jan 26 19:20 684 -> 
> /tmp/clamav-b41105e2aeb1da3cef054e6938f5e26a.tmp (deleted)
> lrwx-- 1 root root 64 Jan 26 19:20 685 -> 
> /tmp/clamav-d8735b7980637a5866dd7a2ee274a272.tmp (deleted)
> lrwx-- 1 root root 64 Jan 26 19:20 686 -> 
> /tmp/clamav-9395651f00ea6530a58bdb8480d93223.tmp (deleted)
> lrwx-- 1 root root 64 Jan 26 19:20 687 -> 
> /tmp/clamav-01c6f26331d41a92e5454203d7ee3229.tmp (deleted)
> lrwx-- 1 root root 64 Jan 26 19:20 688 -> 
> /tmp/clamav-d6d3b8d9da8982ae0f724b2920d37c47.tmp (deleted)
> lrwx-- 1 root root 64 Jan 26 19:20 689 -> 
> /tmp/clamav-b5328deea4127b4c5f07a9d0a6f095c0.tmp (deleted) 
> 
> Those servers have been working with the same configuration for years, 
> without this happening until now. 
> 
> Of course we could ulimit to a high value the nofiles value, but that would 
> just postpone the daemon's death. 
> 
> Any help would be greatly appreciated. 
> 
> Thanks, 
> 
> Rubén.

Re: [clamav-users] deleted files eating up file descriptors

2018-01-26 Thread Mitch (BitBlock)
Just read back - at 9:39 (UCT-7) Joel announced the new daily is shipping - so 
run freshclam and restart your clamd to be safe.
M


-----Original Message-----
From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of 
Ruben Cardenal
Sent: January-26-18 11:35 AM
To: clamav-users@lists.clamav.net
Subject: [clamav-users] deleted files eating up file descriptors

Hi, 

Today, all of a sudden, in 5 of our email servers (to be more precise, mx 
processing servers), we started to get qmail-scanner errors (the feared "qq 
temporary error" message). After some digging, we found out the reason was 
clamav (0-99.2) was dead. Errors like: 

/var/spool/qscan/tmp/mx3151697687779817876/1516976877.17928-1.mx3: Can't open 
file or directory ERROR
/var/spool/qscan/tmp/mx3151697687779817876/image001.jpg: Can't open file or 
directory ERROR
/var/spool/qscan/tmp/mx3151697687779817876/image002.jpg: Can't open file or 
directory ERROR
/var/spool/qscan/tmp/mx3151697687779817876/image003.jpg: Can't open file or 
directory ERROR 

ERROR: accept() failed:
ERROR: accept() failed:
ERROR: accept() failed:
ERROR: accept() failed:
ERROR: accept() failed:
ERROR: accept() failed:
ERROR: accept() failed: 

and more apparently fs/resource related errors. No disk space problems, no 
permission problems, no inode problems. Plenty of free RAM. CPU usage and load 
averages very low. Upgrading to the recent 0-99.3 didn't help. 

Finally, strace found out what's happening: 

[pid 10797]
open("/tmp/clamav-43d08860615a4d14dae3046aee3e5e98.tmp/clamav-781e98988f119c6433f2328d7224825c.tmp",
O_RDWR|O_CREAT|O_EXCL|O_TRUNC, 0700) = -1 EMFILE (Too many open files) 

[pid 10797] write(2, "LibClamAV Warning: fileblobScan, fullname == NULL\n", 50) 
= 50 [pid 10797] write(2, "LibClamAV Error: fileblobDestroy: textportion not
saved: report to http://bugs.clamav.net\n;, 90) = 90 

which is weird, because the system is not even near to be so heavily loaded (by 
workload) to get clamav to eat up the default 1024 descriptors. So looking at 
/proc/PID/fd ... 

lrwx-- 1 root root 64 Jan 26 19:20 68 -> 
/tmp/clamav-2b88cf1b1e55ab0d8cb045ab908e3273.tmp (deleted)
lrwx-- 1 root root 64 Jan 26 19:20 680 -> 
/tmp/clamav-7564115561d870008cbd6783ea304e96.tmp (deleted)
lrwx-- 1 root root 64 Jan 26 19:20 681 -> 
/tmp/clamav-a3be54920dff8420d86dfffcf6df41ea.tmp (deleted)
lrwx-- 1 root root 64 Jan 26 19:20 682 -> 
/tmp/clamav-270dd0e754c54dacab1bcd28a90c38e3.tmp (deleted)
lrwx-- 1 root root 64 Jan 26 19:20 683 -> 
/tmp/clamav-7405a8caced08e2020809f2621cd16a2.tmp (deleted)
lrwx-- 1 root root 64 Jan 26 19:20 684 -> 
/tmp/clamav-b41105e2aeb1da3cef054e6938f5e26a.tmp (deleted)
lrwx-- 1 root root 64 Jan 26 19:20 685 -> 
/tmp/clamav-d8735b7980637a5866dd7a2ee274a272.tmp (deleted)
lrwx-- 1 root root 64 Jan 26 19:20 686 -> 
/tmp/clamav-9395651f00ea6530a58bdb8480d93223.tmp (deleted)
lrwx-- 1 root root 64 Jan 26 19:20 687 -> 
/tmp/clamav-01c6f26331d41a92e5454203d7ee3229.tmp (deleted)
lrwx-- 1 root root 64 Jan 26 19:20 688 -> 
/tmp/clamav-d6d3b8d9da8982ae0f724b2920d37c47.tmp (deleted)
lrwx-- 1 root root 64 Jan 26 19:20 689 -> 
/tmp/clamav-b5328deea4127b4c5f07a9d0a6f095c0.tmp (deleted) 

Those servers have been working with the same configuration for years, without 
this happening until now. 

Of course we could ulimit to a high value the nofiles value, but that would 
just postpone the daemon's death. 

Any help would be greatly appreciated. 

Thanks, 

Rubén.


Re: [clamav-users] deleted files eating up file descriptors

2018-01-26 Thread Mitch (BitBlock)
Hi Ruben if you scroll back just through the last 24 hours, this has been 
resolved...

Likely already, but if not, you can disable this signature:

echo 'Vbs.Downloader.Generic-6431223-0' >>/var/lib/clamav/local.ign2
chown clamav:clamav /var/lib/clamav/local.ign2

Then restart your clamd
The issue will likely be fixed in the next signature update - but I haven't 
read a message that it has been yet.
You could try simply updating signatures first depending on your tolerance for a 
recurrence.
Cheers,
Mitch

-----Original Message-----
From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of 
Ruben Cardenal
Sent: January-26-18 11:35 AM
To: clamav-users@lists.clamav.net
Subject: [clamav-users] deleted files eating up file descriptors

Hi, 

Today, all of a sudden, in 5 of our email servers (to be more precise, mx 
processing servers), we started to get qmail-scanner errors (the feared "qq 
temporary error" message). After some digging, we found out the reason was 
clamav (0-99.2) was dead. Errors like: 

/var/spool/qscan/tmp/mx3151697687779817876/1516976877.17928-1.mx3: Can't open 
file or directory ERROR
/var/spool/qscan/tmp/mx3151697687779817876/image001.jpg: Can't open file or 
directory ERROR
/var/spool/qscan/tmp/mx3151697687779817876/image002.jpg: Can't open file or 
directory ERROR
/var/spool/qscan/tmp/mx3151697687779817876/image003.jpg: Can't open file or 
directory ERROR 

ERROR: accept() failed:
ERROR: accept() failed:
ERROR: accept() failed:
ERROR: accept() failed:
ERROR: accept() failed:
ERROR: accept() failed:
ERROR: accept() failed: 

and more apparently fs/resource related errors. No disk space problems, no 
permission problems, no inode problems. Plenty of free RAM. CPU usage and load 
averages very low. Upgrading to the recent 0-99.3 didn't help. 

Finally, strace found out what's happening: 

[pid 10797]
open("/tmp/clamav-43d08860615a4d14dae3046aee3e5e98.tmp/clamav-781e98988f119c6433f2328d7224825c.tmp",
O_RDWR|O_CREAT|O_EXCL|O_TRUNC, 0700) = -1 EMFILE (Too many open files) 

[pid 10797] write(2, "LibClamAV Warning: fileblobScan, fullname == NULL\n", 50) 
= 50 [pid 10797] write(2, "LibClamAV Error: fileblobDestroy: textportion not
saved: report to http://bugs.clamav.net\n;, 90) = 90 

which is weird, because the system is not even near to be so heavily loaded (by 
workload) to get clamav to eat up the default 1024 descriptors. So looking at 
/proc/PID/fd ... 

lrwx-- 1 root root 64 Jan 26 19:20 68 -> 
/tmp/clamav-2b88cf1b1e55ab0d8cb045ab908e3273.tmp (deleted)
lrwx-- 1 root root 64 Jan 26 19:20 680 -> 
/tmp/clamav-7564115561d870008cbd6783ea304e96.tmp (deleted)
lrwx-- 1 root root 64 Jan 26 19:20 681 -> 
/tmp/clamav-a3be54920dff8420d86dfffcf6df41ea.tmp (deleted)
lrwx-- 1 root root 64 Jan 26 19:20 682 -> 
/tmp/clamav-270dd0e754c54dacab1bcd28a90c38e3.tmp (deleted)
lrwx-- 1 root root 64 Jan 26 19:20 683 -> 
/tmp/clamav-7405a8caced08e2020809f2621cd16a2.tmp (deleted)
lrwx-- 1 root root 64 Jan 26 19:20 684 -> 
/tmp/clamav-b41105e2aeb1da3cef054e6938f5e26a.tmp (deleted)
lrwx-- 1 root root 64 Jan 26 19:20 685 -> 
/tmp/clamav-d8735b7980637a5866dd7a2ee274a272.tmp (deleted)
lrwx-- 1 root root 64 Jan 26 19:20 686 -> 
/tmp/clamav-9395651f00ea6530a58bdb8480d93223.tmp (deleted)
lrwx-- 1 root root 64 Jan 26 19:20 687 -> 
/tmp/clamav-01c6f26331d41a92e5454203d7ee3229.tmp (deleted)
lrwx-- 1 root root 64 Jan 26 19:20 688 -> 
/tmp/clamav-d6d3b8d9da8982ae0f724b2920d37c47.tmp (deleted)
lrwx-- 1 root root 64 Jan 26 19:20 689 -> 
/tmp/clamav-b5328deea4127b4c5f07a9d0a6f095c0.tmp (deleted) 

Those servers have been working with the same configuration for years, without 
this happening until now. 

Of course we could ulimit to a high value the nofiles value, but that would 
just postpone the daemon's death. 

Any help would be greatly appreciated. 

Thanks, 

Rubén.


Re: [clamav-users] ClamAV® blog: ClamAV 0.99.3 has been released!

2018-01-26 Thread Andreas Schulze

On 26.01.2018 at 16:06, Tobi wrote:

As far as I understand the release notes of 99.3 it's a security fix which has 
nothing to do with former 99.3 beta.
The former beta now is 0.100 
(http://blog.clamav.net/2018/01/clamav-version-number-adjustment.html).
So at least for me it makes sense that you have to remove the beta first to 
apply fixed 99.3 version
I compared 0.99.2 and 0.99.3 and found most of the diffs to be present in 
0.99.3beta2


now, as the links to bugzilla.clamav.net are public, we see, the issues 
were known to the developers since October/November 2017!
They published these changes silently as part of "beta2". They discussed 
CVEs at this time!

This is *not* amazing.

Andreas




[clamav-users] deleted files eating up file descriptors

2018-01-26 Thread Ruben Cardenal
Hi, 

Today, all of a sudden, in 5 of our email servers (to be more precise,
mx processing servers), we started to get qmail-scanner errors (the
feared "qq temporary error" message). After some digging, we found out
the reason was clamav (0-99.2) was dead. Errors like:

/var/spool/qscan/tmp/mx3151697687779817876/1516976877.17928-1.mx3: Can't open file or directory ERROR
/var/spool/qscan/tmp/mx3151697687779817876/image001.jpg: Can't open file or directory ERROR
/var/spool/qscan/tmp/mx3151697687779817876/image002.jpg: Can't open file or directory ERROR
/var/spool/qscan/tmp/mx3151697687779817876/image003.jpg: Can't open file or directory ERROR

ERROR: accept() failed:
ERROR: accept() failed:
ERROR: accept() failed:
ERROR: accept() failed:
ERROR: accept() failed:
ERROR: accept() failed:
ERROR: accept() failed: 

and more apparently fs/resource related errors. No disk space problems,
no permission problems, no inode problems. Plenty of free RAM. CPU usage
and load averages very low. Upgrading to the recent 0-99.3 didn't help. 

Finally, strace found out what's happening: 

[pid 10797] open("/tmp/clamav-43d08860615a4d14dae3046aee3e5e98.tmp/clamav-781e98988f119c6433f2328d7224825c.tmp", O_RDWR|O_CREAT|O_EXCL|O_TRUNC, 0700) = -1 EMFILE (Too many open files)

[pid 10797] write(2, "LibClamAV Warning: fileblobScan, fullname == NULL\n", 50) = 50
[pid 10797] write(2, "LibClamAV Error: fileblobDestroy: textportion not saved: report to http://bugs.clamav.net\n", 90) = 90

which is weird, because the system is not even near to be so heavily
loaded (by workload) to get clamav to eat up the default 1024
descriptors. So looking at /proc/PID/fd ... 

lrwx------ 1 root root 64 Jan 26 19:20 68 -> /tmp/clamav-2b88cf1b1e55ab0d8cb045ab908e3273.tmp (deleted)
lrwx------ 1 root root 64 Jan 26 19:20 680 -> /tmp/clamav-7564115561d870008cbd6783ea304e96.tmp (deleted)
lrwx------ 1 root root 64 Jan 26 19:20 681 -> /tmp/clamav-a3be54920dff8420d86dfffcf6df41ea.tmp (deleted)
lrwx------ 1 root root 64 Jan 26 19:20 682 -> /tmp/clamav-270dd0e754c54dacab1bcd28a90c38e3.tmp (deleted)
lrwx------ 1 root root 64 Jan 26 19:20 683 -> /tmp/clamav-7405a8caced08e2020809f2621cd16a2.tmp (deleted)
lrwx------ 1 root root 64 Jan 26 19:20 684 -> /tmp/clamav-b41105e2aeb1da3cef054e6938f5e26a.tmp (deleted)
lrwx------ 1 root root 64 Jan 26 19:20 685 -> /tmp/clamav-d8735b7980637a5866dd7a2ee274a272.tmp (deleted)
lrwx------ 1 root root 64 Jan 26 19:20 686 -> /tmp/clamav-9395651f00ea6530a58bdb8480d93223.tmp (deleted)
lrwx------ 1 root root 64 Jan 26 19:20 687 -> /tmp/clamav-01c6f26331d41a92e5454203d7ee3229.tmp (deleted)
lrwx------ 1 root root 64 Jan 26 19:20 688 -> /tmp/clamav-d6d3b8d9da8982ae0f724b2920d37c47.tmp (deleted)
lrwx------ 1 root root 64 Jan 26 19:20 689 -> /tmp/clamav-b5328deea4127b4c5f07a9d0a6f095c0.tmp (deleted)

Those servers have been working with the same configuration for years,
without this happening until now. 

Of course we could ulimit to a high value the nofiles value, but that
would just postpone the daemon's death. 

Any help would be greatly appreciated. 

Thanks, 

Rubén.
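
The /proc/PID/fd check from the message above, as an added example that is not part of the original post: it counts descriptors still held on deleted files and compares them with the process's soft open-files limit. The function names, the PROC_ROOT variable and the 50% threshold are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): count descriptors a process still holds
# on deleted files, the pattern visible in the /proc/PID/fd listing above.
#
# Assumptions of this example: PROC_ROOT (so the functions can be pointed at a
# constructed tree instead of the live /proc), the function names, and the
# default 50% alert threshold.
PROC_ROOT="${PROC_ROOT:-/proc}"

# Total number of open descriptors for a PID.
count_fds() {
    local pid="$1" n=0 fd
    for fd in "$PROC_ROOT/$pid/fd"/*; do
        if [ -L "$fd" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Descriptors whose target has been unlinked: the kernel appends " (deleted)"
# to the link target. An optional path prefix (e.g. /tmp/clamav-) narrows it.
count_deleted_fds() {
    local pid="$1" prefix="${2:-}" n=0 fd target
    for fd in "$PROC_ROOT/$pid/fd"/*; do
        [ -L "$fd" ] || continue
        target=$(readlink "$fd") || continue
        case "$target" in
            "$prefix"*" (deleted)") n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Soft "Max open files" limit of the process, read from /proc/PID/limits.
soft_nofile_limit() {
    awk '/^Max open files/ { print $4 }' "$PROC_ROOT/$1/limits"
}

# One-line summary. status=LEAK when deleted-file descriptors alone use at
# least <threshold> percent of the soft limit, which a healthy daemon that
# closes its temp files should never approach.
fd_leak_report() {
    local pid="$1" prefix="${2:-}" threshold="${3:-50}"
    local open deleted limit status=ok
    open=$(count_fds "$pid")
    deleted=$(count_deleted_fds "$pid" "$prefix")
    limit=$(soft_nofile_limit "$pid")
    case "$limit" in
        ''|*[!0-9]*) status=unknown ;;   # limit missing or not numeric
        *)
            if [ $((deleted * 100)) -ge $((limit * threshold)) ]; then
                status=LEAK
            fi
            ;;
    esac
    echo "pid=$pid open=$open deleted=$deleted limit=$limit status=$status"
}

# Run against a live process when called with arguments, e.g.
#   ./fdleak.sh "$(pidof clamd)" /tmp/clamav-
if [ "$#" -ge 1 ]; then
    fd_leak_report "$@"
fi
```

Reading another user's /proc/PID/fd requires running as that user or as root.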


Re: [clamav-users] How the bad signature happened - conjecture (was Re: URGENT: Clamd is wedged on multiple installations)

2018-01-26 Thread Reio Remma

Thanks!

fd's holding steady now.

Maybe I should go clean some logs now before nightly Logwatch kicks in.

Good luck!
Reio

On 26.01.2018 19:38, Joel Esler (jesler) wrote:

Reio,

Thanks, I was just about to send this out.  A new daily.cvd is now shipping.


--
Joel Esler | Talos: Manager | jes...@cisco.com






On Jan 26, 2018, at 12:35 PM, Reio Remma 
> wrote:

Hello!

News from the front:

daily.cld updated (version: 24258, sigs: 1836466, f-level: 63, builder: neo)

Good luck!
Reio





Re: [clamav-users] How the bad signature happened - conjecture (was Re: URGENT: Clamd is wedged on multiple installations)

2018-01-26 Thread Reio Remma

Hello!

News from the front:

daily.cld updated (version: 24258, sigs: 1836466, f-level: 63, builder: neo)

Good luck!
Reio


On 26.01.2018 19:29, Joel Esler (jesler) wrote:

Steve Morgan, a developer here at Cisco that worked on ClamAV for about the 
past five years or so, decided to retire.  Monday was his last day.  On top of 
that, one of our other developers (Micah) was out of the office today for a 
holiday, and so that only left, essentially myself and a couple other people to 
see this action on the list.

So while we regret the issue that this signature caused (and we will fix, not 
only the signature, but the code itself in an upcoming release), I am super 
proud of the community that came together and solved the problem.



--
Joel Esler | Talos: Manager | jes...@cisco.com






On Jan 26, 2018, at 10:02 AM, Dianne Skoll 
> wrote:

On Fri, 26 Jan 2018 06:44:30 -0800
"Jason J. W. Williams" 
> wrote:

We started seeing this problem last night as well. Reading through the
thread, it doesn't appear that ClamAV has fixed the signatures yet
(as of 24257), or am I wrong?

Not only has it not been fixed, there hasn't been a peep out of the
developers.

This is NOT the way to deal with issues like this, especially in
security-sensitive software.

Regards,

Dianne.


Re: [clamav-users] How the bad signature happened - conjecture (was Re: URGENT: Clamd is wedged on multiple installations)

2018-01-26 Thread Joel Esler (jesler)
Steve Morgan, a developer here at Cisco that worked on ClamAV for about the 
past five years or so, decided to retire.  Monday was his last day.  On top of 
that, one of our other developers (Micah) was out of the office today for a 
holiday, and so that only left, essentially myself and a couple other people to 
see this action on the list.

So while we regret the issue that this signature caused (and we will fix, not 
only the signature, but the code itself in an upcoming release), I am super 
proud of the community that came together and solved the problem.



--
Joel Esler | Talos: Manager | jes...@cisco.com






On Jan 26, 2018, at 10:02 AM, Dianne Skoll 
> wrote:

On Fri, 26 Jan 2018 06:44:30 -0800
"Jason J. W. Williams" 
> wrote:

We started seeing this problem last night as well. Reading through the
thread, it doesn't appear that ClamAV has fixed the signatures yet
(as of 24257), or am I wrong?

Not only has it not been fixed, there hasn't been a peep out of the
developers.

This is NOT the way to deal with issues like this, especially in
security-sensitive software.

Regards,

Dianne.


Re: [clamav-users] I have older daily.cvd files if anyone is interested

2018-01-26 Thread Paul Kosinski
Oh yes, and I disabled freshclam on all our machines (including those
using our central mirror).


On Fri, 26 Jan 2018 11:56:37 -0500
Paul Kosinski  wrote:

> I have been keeping various old versions of the "daily" files for
> years, and felt like that was silly -- until now!
> 
> I have now replaced my daily.cvd with version 24253, and clamd doesn't
> seem to be eating file descriptors.
> 
> If anyone wants 24253, I have made it available at
> 
>http://iment.com/clamav/daily.cvd.24253
> 
> 
> On Fri, 26 Jan 2018 07:02:09 -0800
> "Jason J. W. Williams"  wrote:
> 
> > How does one manually download an old daily.cld?
> > 
> > -J


Re: [clamav-users] ClamAV® blog: ClamAV 0.99.3 has been released!

2018-01-26 Thread Matus UHLAR - fantomas

On 26.01.2018 at 15:40, Joel Esler (jesler) wrote:

As previously mentioned, if you downloaded the beta version of ClamAV 0.99.3, 
you will need to completely uninstall it and do a fresh install with the 
production version of 0.99.3 as there are significant code differences


On 26.01.18 15:49, Reindl Harald wrote:

when i read something like this in 2018 my brain ends with a bluescreen


It's because you have forgotten to uninstall first...

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Depression is merely anger without enthusiasm. 


[clamav-users] I have older daily.cvd files if anyone is interested

2018-01-26 Thread Paul Kosinski
I have been keeping various old versions of the "daily" files for years,
and felt like that was silly -- until now!

I have now replaced my daily.cvd with version 24253, and clamd doesn't
seem to be eating file descriptors.

If anyone wants 24253, I have made it available at

   http://iment.com/clamav/daily.cvd.24253


On Fri, 26 Jan 2018 07:02:09 -0800
"Jason J. W. Williams"  wrote:

> How does one manually download an old daily.cld?
> 
> -J


Re: [clamav-users] Fwd: Undelivered Mail Returned to Sender

2018-01-26 Thread Reindl Harald



On 26.01.2018 at 17:35, Matus UHLAR - fantomas wrote:

On 26.01.18 15:04, Reindl Harald wrote:

which f**g idiot is responsible for that?


guess...

Received: from mucha.arges.net.pl (mucha.arges.net.pl [87.98.235.141])
  by fantomas.fantomas.sk (8.14.4/8.14.4/Debian-4+deb7u1) with 
ESMTP id w0QE6FG8026629
  (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 
verify=NOT);

  Fri, 26 Jan 2018 15:06:21 +0100
Received: by mucha.arges.net.pl (Postfix, from userid 0)
  id D3D3A6821E; Fri, 26 Jan 2018 14:58:17 +0100 (CET)
Received: from lists.clamav.net (lists.clamav.net [198.148.79.53])
  by mucha.arges.net.pl (Postfix) with ESMTP id C6678681C3
  for ; Fri, 26 Jan 2018 11:47:05 +0100 (CET)

...I wasn't able to find contact address for this list, were you?


no idea - but i have never seen a bigger idiot than taking mailing-list 
messages, use the from-address as sender and bounce it back to myself


frankly i even wouldn't know how to do that when i want it

Jan 26 14:58:42 mail-gw postfix/smtpd[20604]: NOQUEUE: reject: RCPT from 
mucha.arges.net.pl[87.98.235.141]: 554 5.7.1 : 
Sender address rejected: Sender Spoofed; from= 
to= proto=ESMTP helo=


Jan 26 15:00:27 mail-gw postfix/smtpd[20006]: NOQUEUE: reject: RCPT from 
mucha.arges.net.pl[87.98.235.141]: 554 5.7.1 : 
Sender address rejected: Sender Spoofed; from= 
to= proto=ESMTP helo=



This is the mail system at host lists.clamav.net.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

  The mail system

: mail forwarding loop for
   clamav-users@lists.clamav.net



Re: [clamav-users] URGENT: Clamd is wedged on multiple installations

2018-01-26 Thread Matus UHLAR - fantomas

On 26.01.18 13:09, Kees Theunissen wrote:

On Fri, 26 Jan 2018, Al Varnell wrote:


If you can't revert to daily 24255 then disable daily.cld until you know it's 
fixed.

Has anybody updated to daily 24257 to see if that helps? I doubt that it does 
as no sigs are shown as dropped.


I'm running ClamAV 0.99.2 on two mail servers (debian 9, with
sendmail / MimeDefang / SpamAssassin / ClamAV) and a
workstation (slackware 14.2) without any problem.

I'm currently running daily 24257. But 24256 ran without
problems too.


I've had to start clamd on 3 of the servers I looked at; some others were OK.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
He who laughs last thinks slowest. 


Re: [clamav-users] Fwd: Undelivered Mail Returned to Sender

2018-01-26 Thread Matus UHLAR - fantomas

On 26.01.18 15:04, Reindl Harald wrote:

which f**g idiot is responsible for that?


guess...

Received: from mucha.arges.net.pl (mucha.arges.net.pl [87.98.235.141])
 by fantomas.fantomas.sk (8.14.4/8.14.4/Debian-4+deb7u1) with ESMTP id 
w0QE6FG8026629
 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT);
 Fri, 26 Jan 2018 15:06:21 +0100
Received: by mucha.arges.net.pl (Postfix, from userid 0)
 id D3D3A6821E; Fri, 26 Jan 2018 14:58:17 +0100 (CET)
Received: from lists.clamav.net (lists.clamav.net [198.148.79.53])
 by mucha.arges.net.pl (Postfix) with ESMTP id C6678681C3
 for ; Fri, 26 Jan 2018 11:47:05 +0100 (CET)

...I wasn't able to find contact address for this list, were you?


This is the mail system at host lists.clamav.net.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

  The mail system

: mail forwarding loop for
   clamav-users@lists.clamav.net


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Despite the cost of living, have you noticed how popular it remains? 


Re: [clamav-users] 99.3 for Ubuntu

2018-01-26 Thread Chris
On Fri, 2018-01-26 at 16:25 +0100, Reindl Harald wrote:
> 
> On 26.01.2018 at 16:15, Chris wrote:
> > 
> > On Fri, 2018-01-26 at 15:37 +0100, Tilman Schmidt wrote:
> > > 
> > > Ubuntu doesn't have 0.99.3 release yet.
> > > You need to go to http://www.clamav.net/downloads
> > That will get me the newest source however I need this as I don't
> > really want to install from source:
> > 
> > clamav_0.99.3~beta1+dfsg-2ubuntu1.dsc
> > 
> > Not the beta of course but the clamav_0.99.3+dfsg-2ubuntu1.dsc or
> > something to that effect (I just pasted the '...99.2..dsc file name
> > here for reference). I guess then I'll have to wait to see when I
> > can
> > download the Ubuntu source (clamav_0.99.3+dfsg-
> > 2ubuntu1.debian.tar.xz
> > and the .dsc file
> if you use distribution packages you are supposed to wait for a
> update 
> from the distribution or learn to proper package at your own
> 
That's what pbuilder is for, building the Ubuntu package. It takes the
Ubuntu source w/patches and builds it. So, I'll just have to wait for
the 99.3 Ubuntu source not the Ubuntu beta source.

-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
10:27:13 up 2:14, 1 user, load average: 0.82, 0.57, 0.43
Description:Ubuntu 16.04.3 LTS, kernel 4.13.0-32-generic




Re: [clamav-users] How the bad signature happened - conjecture (was

2018-01-26 Thread Tilman Schmidt
On 26.01.2018 at 17:13, Martin Gagne wrote:
> 
> Hi Paul,
> 
> Can you please help me getting a copy of 24255 ?
> Thanks !
> 
> Best regards, Martin Gagne

Don't go that way. It's much better to add the signature
Vbs.Downloader.Generic-6431223-0 which is causing the problem to
the ignore list (file local.ign2) so that ClamAV stops using it.

HTH
Tilman


Re: [clamav-users] How the bad signature happened - conjecture (was Re: URGENT: Clamd is wedged on multiple installations)

2018-01-26 Thread Martin Gagne
Hi Paul,

Can you please help me getting a copy of 24255 ?
Thanks !

Best regards, Martin Gagne


Martin Gagne | Senior System Administrator
Phone: +14182639440 | Mobile: +14184468447
Oracle Production Engineering & Operations - Service OPS Application Administrator
ORACLE Canada | 330, St-Vallier East, Quebec, Quebec G1K 9C5

http://www.oracle.com/commitment

Oracle is committed to developing practices and products that help protect the environment


[clamav-users] mirrors, again

2018-01-26 Thread Dennis Peterson
While working the problems this morning I note that freshclam --list-mirrors 
shows 7 mirrors for db.us.clamav.net and 6 of them are being ignored. And that 
is after I removed mirrors.dat. In your spare time...


dp



Re: [clamav-users] Problem with Max Open descriptor Files limit

2018-01-26 Thread Micah Snyder (micasnyd)
I’m sorry to say that 0.99.3 does not eliminate the 32-bit scan size limit.  
This, and variable type consistency (particularly for file sizes) between our 
various libraries, is definitely on my radar.


Micah Snyder
Software Engineer
Talos
Cisco Systems, Inc.



On Jan 26, 2018, at 10:34 AM, Paul Kosinski wrote:

I observed this running out of file descriptors yesterday when running
0.99.2 to scan the download of 0.99.3. I had never seen this behavior
before, but ascribed it to using clamscan with its memory limit set to
4095M to ensure that absolutely everything was scanned.

One of our clamd processes died trying to reload the database (see below),
and another is about to run out of file descriptors (419 and counting
of mostly 'deleted' ones according to lsof).

On the plus side HAVP, which uses libclamav with the standard set of
signatures, still seems to be running OK.

P.S. Does 0.99.3 eliminate the obsolete 32-bit scan size limit?

---

Fri Jan 26 06:11:38 2018 -> SelfCheck: Database status OK.
Fri Jan 26 06:21:38 2018 -> SelfCheck: Database modification detected. Forcing reload.
Fri Jan 26 06:21:38 2018 -> Reading databases from /opt/clamav.d/clamav.0.99.2/share/clamav
Fri Jan 26 06:21:38 2018 -> ERROR: reload db failed: Can't duplicate file descriptor
Fri Jan 26 06:21:38 2018 -> Terminating because of a fatal error.
Fri Jan 26 06:21:38 2018 -> Waiting for all threads to finish
Fri Jan 26 06:21:38 2018 -> Shutting down the main socket.
Fri Jan 26 06:21:38 2018 -> Pid file removed.
Fri Jan 26 06:21:38 2018 -> --- Stopped at Fri Jan 26 06:21:38 2018
Fri Jan 26 06:21:38 2018 -> Closing the main socket.
---



On Fri, 26 Jan 2018 15:03:32 +0100
Carlos García Gómez wrote:

Hi,

We have a problem with ClamAV due to the Max Open descriptor Files limit.
It seems like deleted temp files are not freed.
When the soft limit is reached the clamav process responds with an ERROR.

The problem began today with the 0.99.2 clamav version.
We have updated to the last release 0.99.3 but the problem is still
here.



 [root@mx2 tmp]# ps -ef |grep clamav
 clamav   22927     1  0 13:50 ?        00:00:00 /home/vmail/antivirus/clamav/bin/freshclam -d
 root     23128 21677  0 15:01 pts/1    00:00:00 grep clamav
 clamav   23137     1  2 13:51 ?        00:01:39 /home/vmail/antivirus/clamav/sbin/clamd


 [root@mx2 tmp]# lsof -p 23137
 COMMAND   PID   USER   FD   TYPE DEVICE   SIZE    NODE NAME
 clamd   23137 clamav  cwd    DIR    8,1   4096       2 /
 clamd   23137 clamav  rtd    DIR    8,1   4096       2 /
 clamd   23137 clamav  txt    REG    8,2 330823 1507346 /home/vmail/antivirus/clamav-0.99.3/sbin/clamd
 clamd   23137 clamav  11u    REG    8,2     46 1540613 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-40e1c3eb5c91506cd8029a626d44e430.tmp (deleted)
 clamd   23137 clamav  12u    REG    8,2    119 1540264 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-6191bbf55622fa150f6a562fedaa96bf.tmp (deleted)
 clamd   23137 clamav  13u    REG    8,2    119 1540266 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-d23444b929c3e8f70b245d0f7df9c64e.tmp (deleted)
 clamd   23137 clamav  14u    REG    8,2     36 1540265 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-0323a84d6821a592bccefde5a36c0bb4.tmp (deleted)
 clamd   23137 clamav  15u    REG    8,2   4793 1540268 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-a08b30fcf5ca4cbc35089753a49b688f.tmp (deleted)
 clamd   23137 clamav  16u    REG    8,2   4793 1540267 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-8fa41cdf16f7e03e3fef00fa7faefe66.tmp (deleted)
 clamd   23137 clamav  17u    REG    8,2     58 1540270 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-8106966405936ecc207ceb37377b2be5.tmp (deleted)
 clamd   23137 clamav  18u    REG    8,2    183 1540272 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-6f395db61ea80440bbcdcccf8c1fd87e.tmp (deleted)
 clamd   23137 clamav  19u    REG    8,2    293 1540273 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-4d454dfbedfa70c192000a2cc021a0e9.tmp (deleted)
 clamd   23137 clamav  20u    REG    8,2    183 1540271 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-d7b9350895ea3c7c16a95810da93cbcd.tmp (deleted)
 clamd   23137 clamav  21u    REG    8,2   3137 1540274 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-61ead91328b1a1fb2eed66e0092fab37.tmp (deleted)
 clamd   23137 clamav  22u    REG    8,2   3137 1540276 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-ea8e77c7746f4e20efa08dd714e3bab1.tmp (deleted)
 clamd   23137 clamav  23u    REG    8,2     42 1540275 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-6dc27ea80d232f5cf3354a7a3c8ec58d.tmp (deleted)
 clamd   23137 clamav  24u    REG    8,2     44 1540277

Re: [clamav-users] Problem with Max Open desciptor Files limit

2018-01-26 Thread Steve Basford

On Fri, January 26, 2018 3:35 pm, Dianne Skoll wrote:
> On Fri, 26 Jan 2018 15:18:10 +
> David Shrimpton  wrote:
>
>
>> I found adding Vbs.Downloader.Generic-6431223-0 to local.ign2 and
>> restarting clamd fixed the problem.
>
> Thank you!  That was immensely helpful.

Thanks!

Dropped on the Sanesecurity mirrors using sigwhitelist.ign2.

I'll remove tomorrow or when the sig is fixed.

As 3rd party sigs are downloading hourly, it may fix it for some people
quicker than their normal freshclam settings.

-- 
Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] Max Open File Descriptors issue found this morning

2018-01-26 Thread Joel Esler

On Fri, Jan 26, 2018 at 07:41:05AM -0800, Jason J. W. Williams wrote:

Hi Joel,

Appreciate you chiming in. For what it's worth, I can confirm David
Shrimpton's suggestion of adding Vbs.Downloader.Generic-6431223-0 to
local.ign2 stops the problem.



Yes.  We've dropped that sig from our side and are currently building a new 
daily

--
Joel Esler
Manager
Open Source, Design, Web, and Education
Talos Group
http://www.talosintelligence.com.


Re: [clamav-users] Max Open File Descriptors issue found this morning

2018-01-26 Thread Jason J. W. Williams
Hi Joel,

Appreciate you chiming in. For what it's worth, I can confirm David
Shrimpton's suggestion of adding Vbs.Downloader.Generic-6431223-0 to
local.ign2 stops the problem.

-J

On Fri, Jan 26, 2018 at 7:38 AM, Joel Esler (jesler) 
wrote:

> There are a bunch of threads going on, so I am going to try and address
> most of them with this email, sorry if I leave anything out.
>
> There are reports of exploits against 0.99.2 in the wild. Heise reports
> on that (in German, can't find an English source right now):
> https://heise.de/-3951801
>
> Not that I have seen.  Maybe I'm wrong and maybe one of my coworkers here
> at Cisco knows something that I don't, but all of the referenced CVE's in
> my blog post here:
> http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html
> were disclosed to us responsibly by the folks from
> Offensive Research at Salesforce.com.  We
> appreciate their work, and it helps tremendously.
>
> Reading through the
> thread, it doesn't appear that ClamAV has fixed the signatures yet (as of
> 24257), or am I wrong?
>
>
> We are currently reviewing the issue to see if we can isolate the cause
> and work out a fix.  This is an "All Hands on Deck" situation
> (https://en.oxforddictionaries.com/definition/all_hands_on_deck) here.
> We apologize for any issues, and we'll do a post mortem analysis once we
> fix it to figure out what went wrong and what we can do to remedy this in
> the future.
>
> ClamAV QA team: In future, please run new signatures against a clamd
> process a few thousand times to check for possible resource leakage.
>
>
> Thank you for your suggestion.  We have had some transition in personnel
> in the last several months on the ClamAV team, as well as further
> augmenting our QA resources.  I'm not making excuses, I'm just trying to
> let you all know the reality we've faced.  We want to change the model of
> ClamAV to be even more open source and develop more in a "Bazaar" method.
> More on this over time.
>
> Re: Mail loops
>
> which f**g idiot is responsible for that?
>
> Unfortunately Reindl, from what you reported, and your eloquent
> description, I'm not sure what the issue is.  I'm not seeing that issue on
> my side.
>
> On 26.01.2018 at 15:40, Joel Esler (jesler) wrote:
> As previously mentioned, if you downloaded the beta version of ClamAV
> 0.99.3, you will need to completely uninstall it and do a fresh install
> with the production version of 0.99.3 as there are significant code
> differences
>
> when i read something like this in 2018 my brain ends with a bluescreen
>
> This is something we debated for a couple weeks here internally and we
> found this to be the best solution.  We were stuck between a rock and a
> hard place.  Trust me, this is not the user experience I want for our users
> either, but we were faced with a tough choice, and replacing the 0.99.3
> beta with a completely different codebase was the one we found to be the
> best path forward without upsetting even more people.
>
>
>
>
>
> --
> Joel Esler | Talos: Manager | jes...@cisco.com
>
>
>
>
>
>


[clamav-users] Max Open File Descriptors issue found this morning

2018-01-26 Thread Joel Esler (jesler)
There are a bunch of threads going on, so I am going to try and address most of 
them with this email, sorry if I leave anything out.

There are reports of exploits against 0.99.2 in the wild. Heise reports
on that (in German, can't find an English source right now):
https://heise.de/-3951801

Not that I have seen.  Maybe I'm wrong and maybe one of my coworkers here at 
Cisco knows something that I don't, but all of the referenced CVE's in my blog 
post here: http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html 
were disclosed to us responsibly by the folks from Offensive Research at 
Salesforce.com.  We appreciate their work, and it helps 
tremendously.

Reading through the
thread, it doesn't appear that ClamAV has fixed the signatures yet (as of
24257), or am I wrong?


We are currently reviewing the issue to see if we can isolate the cause and 
work out a fix.  This is an "All Hands on Deck" situation 
(https://en.oxforddictionaries.com/definition/all_hands_on_deck) here.  We 
apologize for any issues, and we'll do a post mortem analysis once we fix it to 
figure out what went wrong and what we can do to remedy this in the future.

ClamAV QA team: In future, please run new signatures against a clamd
process a few thousand times to check for possible resource leakage.


Thank you for your suggestion.  We have had some transition in personnel in the 
last several months on the ClamAV team, as well as further augmenting our QA 
resources.  I'm not making excuses, I'm just trying to let you all know the 
reality we've faced.  We want to change the model of ClamAV to be even more 
open source and develop more in a "Bazaar" method.  More on this over time.

Re: Mail loops

which f**g idiot is responsible for that?

Unfortunately Reindl, from what you reported, and your eloquent description, 
I'm not sure what the issue is.  I'm not seeing that issue on my side.

On 26.01.2018 at 15:40, Joel Esler (jesler) wrote:
As previously mentioned, if you downloaded the beta version of ClamAV 0.99.3, 
you will need to completely uninstall it and do a fresh install with the 
production version of 0.99.3 as there are significant code differences

when i read something like this in 2018 my brain ends with a bluescreen

This is something we debated for a couple weeks here internally and we found 
this to be the best solution.  We were stuck between a rock and a hard 
place.  Trust me, this is not the user experience I want for our users either, 
but we were faced with a tough choice, and replacing the 0.99.3 beta with a 
completely different codebase was the one we found to be the best path forward 
without upsetting even more people.





--
Joel Esler | Talos: Manager | jes...@cisco.com








Re: [clamav-users] Problem with Max Open desciptor Files limit

2018-01-26 Thread Dianne Skoll
On Fri, 26 Jan 2018 15:18:10 +
David Shrimpton  wrote:

> I found adding Vbs.Downloader.Generic-6431223-0 to local.ign2 and
> restarting clamd fixed the problem.

Thank you!  That was immensely helpful.

Regards,

Dianne.
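
The two operational steps this thread converges on, as an added example that is not part of any poster's message: spotting the descriptor leak (unlinked `clamav-*.tmp` files still held open by clamd) and adding the signature name to `local.ign2`. It assumes a Linux `/proc`; the function names, the 50% default threshold and the `PROC_ROOT` argument are assumptions of this example, and the database directory is passed in because it differs per install.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names, the default
# threshold and the PROC_ROOT argument are assumptions made here.
# Reading another user's /proc/PID/fd needs root or that user's account.

# count_deleted_tmp_fds PID [PROC_ROOT]
# Count descriptors that still point at unlinked clamav-*.tmp files, i.e.
# the "(deleted)" rows in the lsof output posted in the thread.
count_deleted_tmp_fds() {
    pid=$1
    proc_root=${2:-/proc}
    count=0
    for fd in "$proc_root/$pid/fd"/*; do
        [ -L "$fd" ] || continue               # empty dir leaves the glob literal
        target=$(readlink "$fd") || continue   # fd may close while we iterate
        case $target in
            */clamav-*.tmp" (deleted)") count=$((count + 1)) ;;
        esac
    done
    echo "$count"
}

# soft_nofile_limit PID [PROC_ROOT]
# Print the soft "Max open files" limit of the process (may be "unlimited").
soft_nofile_limit() {
    awk '/^Max open files/ { print $4 }' "${2:-/proc}/$1/limits"
}

# fd_leak_status PID [PERCENT] [PROC_ROOT]
# "leak" (exit 1) when deleted temp-file descriptors use at least PERCENT
# of the soft limit, "ok" (exit 0) otherwise, "unknown" (exit 2) when the
# limit cannot be read as a number.
fd_leak_status() {
    pid=$1
    pct=${2:-50}
    proc_root=${3:-/proc}
    deleted=$(count_deleted_tmp_fds "$pid" "$proc_root")
    limit=$(soft_nofile_limit "$pid" "$proc_root" 2>/dev/null) || limit=
    case $limit in
        ''|*[!0-9]*)
            echo "unknown deleted=$deleted limit=$limit"
            return 2 ;;
    esac
    if [ $((deleted * 100)) -ge $((limit * pct)) ]; then
        echo "leak deleted=$deleted limit=$limit"
        return 1
    fi
    echo "ok deleted=$deleted limit=$limit"
}

# ignore_signature NAME DBDIR
# Append NAME to DBDIR/local.ign2 (one signature name per line) unless it
# is already listed. The character check is deliberately conservative.
ignore_signature() {
    sig=$1
    ign="$2/local.ign2"
    case $sig in
        ''|*[!A-Za-z0-9._-]*)
            echo "ignore_signature: unexpected characters in name" >&2
            return 1 ;;
    esac
    if [ -f "$ign" ] && grep -qxF -- "$sig" "$ign"; then
        return 0                               # already ignored
    fi
    # Keep one name per line even if the file lacks a trailing newline.
    if [ -s "$ign" ] && [ "$(tail -c 1 "$ign" | wc -l)" -eq 0 ]; then
        echo >> "$ign"
    fi
    printf '%s\n' "$sig" >> "$ign"
}

# Typical use (run as root, DBDIR being the install's database directory):
#   fd_leak_status <clamd pid> 50
#   ignore_signature Vbs.Downloader.Generic-6431223-0 <DBDIR>
```

The ignore entry only takes effect once clamd has been restarted, as the posters report; descriptors already leaked stay open until then.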


Re: [clamav-users] Problem with Max Open descriptor Files limit

2018-01-26 Thread Paul Kosinski
I observed this running out of file descriptors yesterday when running
0.99.2 to scan the download of 0.99.3. I had never seen this behavior
before, but ascribed it to using clamscan with its memory limit set to
4095M to ensure that absolutely everything was scanned.

One of our clamd processes died trying to reload the database (see below),
and another is about to run out of file descriptors (419 and counting
of mostly 'deleted' ones according to lsof).

On the plus side HAVP, which uses libclamav with the standard set of
signatures, still seems to be running OK.

P.S. Does 0.99.3 eliminate the obsolete 32-bit scan size limit?

---

Fri Jan 26 06:11:38 2018 -> SelfCheck: Database status OK.
Fri Jan 26 06:21:38 2018 -> SelfCheck: Database modification detected. Forcing reload.
Fri Jan 26 06:21:38 2018 -> Reading databases from /opt/clamav.d/clamav.0.99.2/share/clamav
Fri Jan 26 06:21:38 2018 -> ERROR: reload db failed: Can't duplicate file descriptor
Fri Jan 26 06:21:38 2018 -> Terminating because of a fatal error.
Fri Jan 26 06:21:38 2018 -> Waiting for all threads to finish
Fri Jan 26 06:21:38 2018 -> Shutting down the main socket.
Fri Jan 26 06:21:38 2018 -> Pid file removed.
Fri Jan 26 06:21:38 2018 -> --- Stopped at Fri Jan 26 06:21:38 2018
Fri Jan 26 06:21:38 2018 -> Closing the main socket.

---



On Fri, 26 Jan 2018 15:03:32 +0100
Carlos García Gómez  wrote:

> Hi,
> 
> We have a problem with ClamAV due to the Max Open descriptor Files limit.
> It seems like deleted temp files are not freed.
> When the soft limit is reached the clamav process responds with an ERROR.
> 
> The problem began today with the 0.99.2 clamav version.
> We have updated to the last release 0.99.3 but the problem is still
> here.
> 
> 
> 
>   [root@mx2 tmp]# ps -ef |grep clamav
>   clamav   22927     1  0 13:50 ?        00:00:00 /home/vmail/antivirus/clamav/bin/freshclam -d
>   root     23128 21677  0 15:01 pts/1    00:00:00 grep clamav
>   clamav   23137     1  2 13:51 ?        00:01:39 /home/vmail/antivirus/clamav/sbin/clamd
> 
> 
>   [root@mx2 tmp]# lsof -p 23137
>   COMMAND   PID   USER   FD   TYPE DEVICE   SIZE    NODE NAME
>   clamd   23137 clamav  cwd    DIR    8,1   4096       2 /
>   clamd   23137 clamav  rtd    DIR    8,1   4096       2 /
>   clamd   23137 clamav  txt    REG    8,2 330823 1507346 /home/vmail/antivirus/clamav-0.99.3/sbin/clamd
>   clamd   23137 clamav  11u    REG    8,2     46 1540613 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-40e1c3eb5c91506cd8029a626d44e430.tmp (deleted)
>   clamd   23137 clamav  12u    REG    8,2    119 1540264 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-6191bbf55622fa150f6a562fedaa96bf.tmp (deleted)
>   clamd   23137 clamav  13u    REG    8,2    119 1540266 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-d23444b929c3e8f70b245d0f7df9c64e.tmp (deleted)
>   clamd   23137 clamav  14u    REG    8,2     36 1540265 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-0323a84d6821a592bccefde5a36c0bb4.tmp (deleted)
>   clamd   23137 clamav  15u    REG    8,2   4793 1540268 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-a08b30fcf5ca4cbc35089753a49b688f.tmp (deleted)
>   clamd   23137 clamav  16u    REG    8,2   4793 1540267 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-8fa41cdf16f7e03e3fef00fa7faefe66.tmp (deleted)
>   clamd   23137 clamav  17u    REG    8,2     58 1540270 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-8106966405936ecc207ceb37377b2be5.tmp (deleted)
>   clamd   23137 clamav  18u    REG    8,2    183 1540272 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-6f395db61ea80440bbcdcccf8c1fd87e.tmp (deleted)
>   clamd   23137 clamav  19u    REG    8,2    293 1540273 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-4d454dfbedfa70c192000a2cc021a0e9.tmp (deleted)
>   clamd   23137 clamav  20u    REG    8,2    183 1540271 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-d7b9350895ea3c7c16a95810da93cbcd.tmp (deleted)
>   clamd   23137 clamav  21u    REG    8,2   3137 1540274 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-61ead91328b1a1fb2eed66e0092fab37.tmp (deleted)
>   clamd   23137 clamav  22u    REG    8,2   3137 1540276 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-ea8e77c7746f4e20efa08dd714e3bab1.tmp (deleted)
>   clamd   23137 clamav  23u    REG    8,2     42 1540275 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-6dc27ea80d232f5cf3354a7a3c8ec58d.tmp (deleted)
>   clamd   23137 clamav  24u    REG    8,2     44 1540277 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-fee6d1b3d366eda4e15f5ff8416bc606.tmp (deleted)
>   clamd   23137 clamav  25u    REG    8,2    677 1540279 /home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-2b9716c6173771c795a3b1c3bef56470.tmp (deleted)
>   clamd   23137 clamav  26u    REG    8,2    155 1540280
> 

Re: [clamav-users] ClamAV(R) blog: ClamAV 0.99.3 has been released!

2018-01-26 Thread Thomas McCourt (tmccourt)
Hello,

We are looking into the signature issue and will post soon with more details.


Thank you,


Tom M




On 1/26/18, 10:18 AM, "clamav-users on behalf of Jason J. W. Williams" wrote:

>Hi Joel & Micah,
>
>Is anyone from Cisco going to be commenting on the signatures issue
>everyone is seeing with daily.cld 24256+?
>
>-J
>
>On Fri, Jan 26, 2018 at 7:13 AM, Micah Snyder (micasnyd) wrote:
>
>> Tobi,
>>
>> Yup this is correct.  We are planning to get an 0.100.0 beta out next week
>> to replace the old 0.99.3-beta2.
>>
>> Going forwards, the last number in our version string will be reserved for
>> urgent fixes so we don’t find ourselves in this position again. The 2nd
>> number will be used when there are improvements and new features.
>>
>> Again, sorry for the confusion in this update.
>>
>>
>> Micah Snyder
>> Software Engineer
>> Talos
>> Cisco Systems, Inc.
>>
>>
>>
>> On Jan 26, 2018, at 10:06 AM, Tobi  obiswo...@gmail.com>> wrote:
>>
>> As far as I understand the release notes of 99.3 it's a security fix which
>> has nothing to do with former 99.3 beta.
>> The former beta now is 0.100
>> (http://blog.clamav.net/2018/01/clamav-version-number-adjustment.html).
>> So at least for me it makes sense that you have to remove the beta first
>> to apply fixed 99.3 version
>>
>> On 26 January 2018 at 15:49:14 CET, Reindl Harald <h.rei...@thelounge.net> wrote:
>>


Re: [clamav-users] 99.3 for Ubuntu

2018-01-26 Thread Reindl Harald



On 26.01.2018 at 16:15, Chris wrote:

On Fri, 2018-01-26 at 15:37 +0100, Tilman Schmidt wrote:

Ubuntu doesn't have 0.99.3 release yet.
You need to go to http://www.clamav.net/downloads


That will get me the newest source however I need this as I don't
really want to install from source:

clamav_0.99.3~beta1+dfsg-2ubuntu1.dsc

Not the beta of course but the clamav_0.99.3+dfsg-2ubuntu1.dsc or
something to that effect (I just pasted the '...99.2..dsc file name
here for reference). I guess then I'll have to wait to see when I can
download the Ubuntu source (clamav_0.99.3+dfsg-2ubuntu1.debian.tar.xz
and the .dsc file


if you use distribution packages you are supposed to wait for a update 
from the distribution or learn to proper package at your own


i heard that's not that easy as on Redhat systems because you don't have 
everything in a .src.rpm and just need to replace the tarball after 
unpack the src.rpm and edit the version in the spec file but again:


it's up to your distribution - whatever "pull-lp-source" does the Ubuntu 
package is pretty sure full of patches and so on


so again: build your own package diretcly from the tarball or wait as 
others do for upgrades over the regular channels of your OS, otherwise 
you will end here again sooner or later asking how to fix the fallout 
you produce with doing something you are not firm with



Re: [clamav-users] Problem with Max Open desciptor Files limit

2018-01-26 Thread Jason J. W. Williams
Good find David. Thank you very much.

-J

On Fri, Jan 26, 2018 at 7:18 AM, David Shrimpton 
wrote:

> I found adding Vbs.Downloader.Generic-6431223-0 to local.ign2 and
> restarting clamd fixed the problem.
>
> This sig turned up in an update at 11:51AM GMT+10 26/1/2018 and the problem
> began a few minutes later: clamd ran out of file descriptors.
>
> I also had to clean out TemporaryDirectory before restarting.
>
> Not sure what the exact reason for problem is.
>
> There is an EOF-15 in a subsig.  Perhaps this causes a performance hit on
> large text files as the end of file must be seeked to and this is sufficient
> on a busy system to cause demand to exceed supply.
>
> sigtool --find Vbs.Downloader.Generic-6431223-0
> Vbs.Downloader.Generic-6431223-0;Engine:51-255,Target:7;(0|1)&2&3;0:
> 207075626c69632073756220;0:2073756220;EOF-15:
> 203d202272652220656e6420696620;657865202f63207374617274
>
> sigtool --find Vbs.Downloader.Generic-6431223-0 | sigtool --decode-sigs
> VIRUS NAME: Vbs.Downloader.Generic-6431223-0
> TDB: Engine:51-255,Target:7
> LOGICAL EXPRESSION: (0|1)&2&3
>  * SUBSIG ID 0
>  +-> OFFSET: 0
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
>  public sub
>  * SUBSIG ID 1
>  +-> OFFSET: 0
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
>  sub
>  * SUBSIG ID 2
>  +-> OFFSET: EOF-15
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
>  = "re" end if
>  * SUBSIG ID 3
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> exe /c start
>
>
>
>
> David Shrimpton
>
> 
> From: clamav-users  on behalf of
> Carlos García Gómez 
> Sent: Saturday, January 27, 2018 12:03:32 AM
> To: clamav-users@lists.clamav.net
> Subject: [clamav-users] Problem with Max Open desciptor Files limit
>
> Hi,
>
> We have a problem with ClamAV due to the Max Open descriptor Files limit.
> It seems like deleted temp files are not freed.
> When the soft limit is reached the clamav process responds with an ERROR.
>
> The problem began today with the 0.99.2 clamav version.
> We have updated to the last release 0.99.3 but the problem is here again.
>
>
>
>   [root@mx2 tmp]# ps -ef |grep clamav
>   clamav   22927 1  0 13:50 ?00:00:00
> /home/vmail/antivirus/clamav/bin/freshclam -d
>   root 23128 21677  0 15:01 pts/100:00:00 grep clamav
>   clamav   23137 1  2 13:51 ?00:01:39
> /home/vmail/antivirus/clamav/sbin/clamd
>
>

Re: [clamav-users] ClamAV(R) blog: ClamAV 0.99.3 has been released!

2018-01-26 Thread Jason J. W. Williams
Hi Joel & Micah,

Is anyone from Cisco going to be commenting on the signatures issue
everyone is seeing with daily.cld 24256+?

-J

On Fri, Jan 26, 2018 at 7:13 AM, Micah Snyder (micasnyd)  wrote:

> Tobi,
>
> Yup this is correct.  We are planning to get an 0.100.0 beta out next week
> to replace the old 0.99.3-beta2.
>
> Going forwards, the last number in our version string will be reserved for
> urgent fixes so we don’t find ourselves in this position again. The 2nd
> number will be used when there are improvements and new features.
>
> Again, sorry for the confusion in this update.
>
>
> Micah Snyder
> Software Engineer
> Talos
> Cisco Systems, Inc.
>
>
>
> On Jan 26, 2018, at 10:06 AM, Tobi wrote:
>
> As far as I understand the release notes of 99.3 it's a security fix which
> has nothing to do with former 99.3 beta.
> The former beta now is 0.100
> (http://blog.clamav.net/2018/01/clamav-version-number-adjustment.html).
> So at least for me it makes sense that you have to remove the beta first
> to apply fixed 99.3 version
>
> On 26 January 2018 15:49:14 CET, Reindl Harald <h.rei...@thelounge.net> wrote:
>


Re: [clamav-users] Problem with Max Open desciptor Files limit

2018-01-26 Thread David Shrimpton
I found adding Vbs.Downloader.Generic-6431223-0 to local.ign2 and restarting 
clamd fixed the problem.

This sig turned up in an update at 11:51AM GMT+10 26/1/2018 and the problem 
began a few minutes later: clamd ran out of file descriptors.

I also had to clean out TemporaryDirectory before restarting.

Not sure what the exact reason for problem is.

There is an EOF-15 in a subsig.  Perhaps this causes a performance hit on large 
text files as the end of file must be seeked to and this is sufficient on a busy 
system to cause demand to exceed supply.

sigtool --find Vbs.Downloader.Generic-6431223-0
Vbs.Downloader.Generic-6431223-0;Engine:51-255,Target:7;(0|1)&2&3;0:207075626c69632073756220;0:2073756220;EOF-15:203d202272652220656e6420696620;657865202f63207374617274

sigtool --find Vbs.Downloader.Generic-6431223-0 | sigtool --decode-sigs
VIRUS NAME: Vbs.Downloader.Generic-6431223-0
TDB: Engine:51-255,Target:7
LOGICAL EXPRESSION: (0|1)&2&3
 * SUBSIG ID 0
 +-> OFFSET: 0
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
 public sub
 * SUBSIG ID 1
 +-> OFFSET: 0
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
 sub
 * SUBSIG ID 2
 +-> OFFSET: EOF-15
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
 = "re" end if
 * SUBSIG ID 3
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
exe /c start




David Shrimpton


From: clamav-users  on behalf of Carlos 
García Gómez 
Sent: Saturday, January 27, 2018 12:03:32 AM
To: clamav-users@lists.clamav.net
Subject: [clamav-users] Problem with Max Open desciptor Files limit

Hi,

We have a problem with ClamAV due to the Max Open descriptor Files limit.
It seems like deleted temp files are not freed.
When the soft limit is reached the clamav process responds with an ERROR.

The problem began today with the 0.99.2 clamav version.
We have updated to the last release 0.99.3 but the problem is here again.



  [root@mx2 tmp]# ps -ef |grep clamav
  clamav   22927 1  0 13:50 ?00:00:00 
/home/vmail/antivirus/clamav/bin/freshclam -d
  root 23128 21677  0 15:01 pts/100:00:00 grep clamav
  clamav   23137 1  2 13:51 ?00:01:39 
/home/vmail/antivirus/clamav/sbin/clamd


  [root@mx2 tmp]# lsof -p 23137
  COMMAND   PID   USER   FD   TYPE DEVICE SIZE   NODE NAME
  clamd   23137 clamav  cwdDIR8,1 4096  2 /
  clamd   23137 clamav  rtdDIR8,1 4096  2 /
  clamd   23137 clamav  txtREG8,2   3308231507346 
/home/vmail/antivirus/clamav-0.99.3/sbin/clamd
  clamd   23137 clamav   11u   REG8,2   461540613 
/home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-40e1c3eb5c91506cd8029a626d44e430.tmp
 (deleted)
  clamd   23137 clamav   12u   REG8,2  1191540264 
/home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-6191bbf55622fa150f6a562fedaa96bf.tmp
 (deleted)
  clamd   23137 clamav   13u   REG8,2  1191540266 
/home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-d23444b929c3e8f70b245d0f7df9c64e.tmp
 (deleted)
  clamd   23137 clamav   14u   REG8,2   361540265 
/home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-0323a84d6821a592bccefde5a36c0bb4.tmp
 (deleted)
  clamd   23137 clamav   15u   REG8,2 47931540268 
/home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-a08b30fcf5ca4cbc35089753a49b688f.tmp
 (deleted)
  clamd   23137 clamav   16u   REG8,2 47931540267 
/home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-8fa41cdf16f7e03e3fef00fa7faefe66.tmp
 (deleted)
  clamd   23137 clamav   17u   REG8,2   581540270 
/home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-8106966405936ecc207ceb37377b2be5.tmp
 (deleted)
  clamd   23137 clamav   18u   REG8,2  1831540272 
/home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-6f395db61ea80440bbcdcccf8c1fd87e.tmp
 (deleted)
  clamd   23137 clamav   19u   REG8,2  2931540273 
/home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-4d454dfbedfa70c192000a2cc021a0e9.tmp
 (deleted)
  clamd   23137 clamav   20u   REG8,2  1831540271 
/home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-d7b9350895ea3c7c16a95810da93cbcd.tmp
 (deleted)
  clamd   23137 clamav   21u   REG8,2 31371540274 
/home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-61ead91328b1a1fb2eed66e0092fab37.tmp
 (deleted)
  clamd   23137 clamav   22u   REG8,2 31371540276 
/home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-ea8e77c7746f4e20efa08dd714e3bab1.tmp
 (deleted)
  clamd   23137 clamav   23u   REG8,2   421540275 
/home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-6dc27ea80d232f5cf3354a7a3c8ec58d.tmp
 (deleted)
  clamd   23137 clamav   24u   REG8,2   441540277 
/home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-fee6d1b3d366eda4e15f5ff8416bc606.tmp
 (deleted)
  clamd   23137 clamav   25u   REG8,2  6771540279 
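
The signature line printed by `sigtool --find` in the post above can be taken apart and tested by hand. The following is an added example, not part of the original post and not ClamAV code: a simplified Python parser and matcher that handles only plain hex subsignatures, the `n` and `EOF-n` offsets, and `&`, `|` and parentheses (with `&` assumed to bind tighter than `|`); the sample buffers are constructed and assumed to be already-normalized text.

```python
import re
from dataclasses import dataclass

# Signature line as printed by `sigtool --find` in the post above.
LDB_LINE = (
    "Vbs.Downloader.Generic-6431223-0;Engine:51-255,Target:7;(0|1)&2&3;"
    "0:207075626c69632073756220;0:2073756220;"
    "EOF-15:203d202272652220656e6420696620;657865202f63207374617274"
)

# Constructed sample buffers (not real malware).
SAMPLE_HIT = (b' public sub run() shell "cmd.exe /c start payload" '
              b'if mode = "re" end if ')
SAMPLE_MISS = SAMPLE_HIT + b"\n"  # one extra byte moves the EOF-15 window


@dataclass
class Subsig:
    offset: str     # "0", "EOF-15", ... or "ANY" when no offset prefix is given
    pattern: bytes  # decoded hex body


def parse_ldb(line):
    """Split Name;TargetDescriptionBlock;LogicalExpression;Subsig0;... into parts."""
    name, tdb, expr, *raw = line.strip().split(";")
    subsigs = []
    for item in raw:
        offset, _, body = item.rpartition(":")
        # Wildcards, alternations and modifiers are outside this example's scope.
        if not re.fullmatch(r"(?:[0-9a-fA-F]{2})+", body):
            raise ValueError(f"unsupported subsignature: {item!r}")
        subsigs.append(Subsig(offset or "ANY", bytes.fromhex(body)))
    tdb_fields = dict(field.split(":", 1) for field in tdb.split(","))
    return name, tdb_fields, expr, subsigs


def subsig_matches(sub, data):
    """Match one subsignature; EOF-n is anchored n bytes before the end of data."""
    if sub.offset == "ANY":
        return sub.pattern in data
    eof = re.fullmatch(r"EOF-(\d+)", sub.offset)
    if eof:
        start = len(data) - int(eof.group(1))
    elif sub.offset.isdigit():
        start = int(sub.offset)
    else:
        raise ValueError(f"unsupported offset: {sub.offset!r}")
    return start >= 0 and data[start:start + len(sub.pattern)] == sub.pattern


def eval_expr(expr, hits):
    """Evaluate a logical expression such as (0|1)&2&3 over subsignature hits."""
    tokens = re.findall(r"\d+|[()&|]", expr)
    if "".join(tokens) != expr.replace(" ", ""):
        raise ValueError(f"unsupported logical expression: {expr!r}")
    pos = 0

    def atom():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            value = or_expr()
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("missing ')'")
            pos += 1
            return value
        if not tok.isdigit():
            raise ValueError(f"unexpected token {tok!r}")
        return hits[int(tok)]

    def and_expr():
        nonlocal pos
        value = atom()
        while pos < len(tokens) and tokens[pos] == "&":
            pos += 1
            rhs = atom()
            value = value and rhs
        return value

    def or_expr():
        nonlocal pos
        value = and_expr()
        while pos < len(tokens) and tokens[pos] == "|":
            pos += 1
            rhs = and_expr()
            value = value or rhs
        return value

    result = or_expr()
    if pos != len(tokens):
        raise ValueError("trailing tokens in logical expression")
    return result


def scan(line, data):
    """Return (verdict, per-subsignature hits) for one signature and one buffer."""
    _name, _tdb, expr, subsigs = parse_ldb(line)
    hits = [subsig_matches(s, data) for s in subsigs]
    return eval_expr(expr, hits), hits
```

The `EOF-15` subsignature is exactly 15 bytes long, so it only matches when those bytes are the very last ones in the buffer, which is why a single trailing newline turns the verdict from a hit into a miss.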

Re: [clamav-users] 99.3 for Ubuntu

2018-01-26 Thread Chris
On Fri, 2018-01-26 at 15:37 +0100, Tilman Schmidt wrote:
> Ubuntu doesn't have 0.99.3 release yet.
> You need to go to http://www.clamav.net/downloads

That will get me the newest source however I need this as I don't
really want to install from source:

clamav_0.99.3~beta1+dfsg-2ubuntu1.dsc

Not the beta of course but the clamav_0.99.3+dfsg-2ubuntu1.dsc or
something to that effect (I just pasted the '...99.2..dsc file name
here for reference). I guess then I'll have to wait to see when I can
download the Ubuntu source (clamav_0.99.3+dfsg-2ubuntu1.debian.tar.xz
and the .dsc file.

> 
> On 26.01.2018 at 15:31, Chris wrote:
> > 
> > On Thu, 2018-01-25 at 19:18 -0800, Al Varnell wrote:
> > > 
> > > Are you sure you have the correct 0.99.3 download released late
> > > today
> > > from ?
> > > 
> > Hi Al, when trying to get the release source via "pull-lp-source
> > clamav" I instead get the beta1 source:
> > 
> > pull-lp-source clamav
> > pull-lp-source: Downloading clamav version 0.99.3~beta1+dfsg-
> > 2ubuntu1
> [...]
> 
-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
09:03:45 up 51 min, 1 user, load average: 4.53, 2.48, 1.45
Description:Ubuntu 16.04.3 LTS, kernel 4.13.0-32-generic




Re: [clamav-users] ClamAV® blog: ClamAV 0.99.3 has been released!

2018-01-26 Thread Micah Snyder (micasnyd)
Tobi,

Yup this is correct.  We are planning to get an 0.100.0 beta out next week to 
replace the old 0.99.3-beta2.

Going forwards, the last number in our version string will be reserved for 
urgent fixes so we don’t find ourselves in this position again. The 2nd number 
will be used when there are improvements and new features.

Again, sorry for the confusion in this update.


Micah Snyder
Software Engineer
Talos
Cisco Systems, Inc.



On Jan 26, 2018, at 10:06 AM, Tobi wrote:

As far as I understand the release notes of 99.3 it's a security fix which has 
nothing to do with former 99.3 beta.
The former beta now is 0.100 
(http://blog.clamav.net/2018/01/clamav-version-number-adjustment.html).
So at least for me it makes sense that you have to remove the beta first to 
apply fixed 99.3 version

On 26 January 2018 15:49:14 CET, Reindl Harald wrote:



Re: [clamav-users] How the bad signature happened - conjecture (was Re: URGENT: Clamd is wedged on multiple installations)

2018-01-26 Thread Jason J. W. Williams
Hi Marcus,

Any chance you'd be willing to share your copy of 24255?

-J

On Fri, Jan 26, 2018 at 7:07 AM, Marcus Schopen  wrote:

> On Friday, 26.01.2018, 07:02 -0800, Jason J. W. Williams wrote:
> > How does one manually download an old daily.cld?
>
> Good question. workaround: got the old version from my backup.
>
> Ciao!
>
>


Re: [clamav-users] How the bad signature happened - conjecture (was Re: URGENT: Clamd is wedged on multiple installations)

2018-01-26 Thread Marcus Schopen
On Friday, 26.01.2018, 07:02 -0800, Jason J. W. Williams wrote:
> How does one manually download an old daily.cld?

Good question. workaround: got the old version from my backup.

Ciao!



Re: [clamav-users] ClamAV® blog: ClamAV 0.99.3 has been released!

2018-01-26 Thread Tobi
As far as I understand the release notes of 99.3 it's a security fix which has 
nothing to do with former 99.3 beta. 
The former beta now is 0.100 
(http://blog.clamav.net/2018/01/clamav-version-number-adjustment.html).
So at least for me it makes sense that you have to remove the beta first to 
apply fixed 99.3 version

On 26 January 2018 15:49:14 CET, Reindl Harald wrote:


Re: [clamav-users] How the bad signature happened - conjecture (was Re: URGENT: Clamd is wedged on multiple installations)

2018-01-26 Thread Jason J. W. Williams
How does one manually download an old daily.cld?

-J

On Fri, Jan 26, 2018 at 7:00 AM, Paul  wrote:

> On 26/01/2018 14:56, Marcus Schopen wrote:
>
> On Friday, 26.01.2018, 07:48 -0700, Rafael Ferreira wrote:
>>
>>> Nope, latest is still
>>>
>>> File: daily.cvd
>>> Build time: 26 Jan 2018 04:24 -0500
>>> Version: 24257
>>> Signatures: 1835982
>>> Functionality level: 63
>>> Builder: neo
>>> MD5: 3b3092994fdf9aa39aae480c38fb31ab
>>> Digital signature:
>>> D7RfRs/Zbl/2fFW4FZKHoHskjH5BWU1K/Qqyhc0qEyO4bHblupzLq/m3oJo4CfcVfysd3
>>> cOMZNPhwRzTzJlKTGWQx4Y4VT/jhM+5NOI8tcVZgFzpvQE699hBHggYRqDZq+mlTiFNmZ
>>> 7pCUR9ACmso3uElfFpRZP4oy4I3ULxkXg
>>>
>>> which appears to have the issue, we, scanii.com ,
>>> are having quite a bit of run today because of it.
>>>
>> What about replacing the current daily.cld with an older one, e.g. with
>> 24255? Disable freshclam, stop clamd, replace daily.cld by old one
>> (24255) and start clamd again. Wouldn't that work until a fixed
>> daily.cld is provided?
>>
>> Ciao!
>>
>> This has worked for me all day
>
>
>


Re: [clamav-users] How the bad signature happened - conjecture (was Re: URGENT: Clamd is wedged on multiple installations)

2018-01-26 Thread Dianne Skoll
On Fri, 26 Jan 2018 06:44:30 -0800
"Jason J. W. Williams"  wrote:

> We started seeing this problem last night as well. Reading through the
> thread, it doesn't appear that ClamAV has fixed the signatures yet
> (as of 24257), or am I wrong?

Not only has it not been fixed, there hasn't been a peep out of the
developers.

This is NOT the way to deal with issues like this, especially in
security-sensitive software.

Regards,

Dianne.


Re: [clamav-users] How the bad signature happened - conjecture (was Re: URGENT: Clamd is wedged on multiple installations)

2018-01-26 Thread Paul

On 26/01/2018 14:56, Marcus Schopen wrote:


On Friday, 26.01.2018, 07:48 -0700, Rafael Ferreira wrote:

Nope, latest is still

File: daily.cvd
Build time: 26 Jan 2018 04:24 -0500
Version: 24257
Signatures: 1835982
Functionality level: 63
Builder: neo
MD5: 3b3092994fdf9aa39aae480c38fb31ab
Digital signature:
D7RfRs/Zbl/2fFW4FZKHoHskjH5BWU1K/Qqyhc0qEyO4bHblupzLq/m3oJo4CfcVfysd3
cOMZNPhwRzTzJlKTGWQx4Y4VT/jhM+5NOI8tcVZgFzpvQE699hBHggYRqDZq+mlTiFNmZ
7pCUR9ACmso3uElfFpRZP4oy4I3ULxkXg

which appears to have the issue, we, scanii.com ,
are having quite a bit of run today because of it.

What about replacing the current daily.cld with an older one, e.g. with
24255? Disable freshclam, stop clamd, replace daily.cld by old one
(24255) and start clamd again. Wouldn't that work until a fixed
daily.cld is provided?

Ciao!




This has worked for me all day




Re: [clamav-users] How the bad signature happened - conjecture (was Re: URGENT: Clamd is wedged on multiple installations)

2018-01-26 Thread Marcus Schopen
On Friday, 26.01.2018, 07:48 -0700, Rafael Ferreira wrote:
> Nope, latest is still 
> 
> File: daily.cvd
> Build time: 26 Jan 2018 04:24 -0500
> Version: 24257
> Signatures: 1835982
> Functionality level: 63
> Builder: neo
> MD5: 3b3092994fdf9aa39aae480c38fb31ab
> Digital signature:
> D7RfRs/Zbl/2fFW4FZKHoHskjH5BWU1K/Qqyhc0qEyO4bHblupzLq/m3oJo4CfcVfysd3
> cOMZNPhwRzTzJlKTGWQx4Y4VT/jhM+5NOI8tcVZgFzpvQE699hBHggYRqDZq+mlTiFNmZ
> 7pCUR9ACmso3uElfFpRZP4oy4I3ULxkXg
> 
> which appears to have the issue, we, scanii.com ,
> are having quite a bit of run today because of it. 

What about replacing the current daily.cld with an older one, e.g. with
24255? Disable freshclam, stop clamd, replace daily.cld by old one
(24255) and start clamd again. Wouldn't that work until a fixed
daily.cld is provided?

Ciao!



Re: [clamav-users] ClamAV® blog: ClamAV 0.99.3 has been released!

2018-01-26 Thread Joel Esler (jesler)


On Jan 26, 2018, at 9:49 AM, Reindl Harald wrote:

On 26.01.2018 at 15:40, Joel Esler (jesler) wrote:
As previously mentioned, if you downloaded the beta version of ClamAV 0.99.3, 
you will need to completely uninstall it and do a fresh install with the 
production version of 0.99.3 as there are significant code differences

when i read something like this in 2018 my brain ends with a bluescreen

This is something we debated for a couple weeks here internally and we found 
this to be the best solution.  We were stuck between a rock and a hard 
place.  Trust me, this is not the user experience I want for our users either.

--
Joel Esler
Manager
Open Source, Design, Web, and Education
Talos Group
http://www.talosintelligence.com


Re: [clamav-users] ClamAV® blog: ClamAV 0.99.3 has been released!

2018-01-26 Thread Reindl Harald



On 26.01.2018 at 15:40, Joel Esler (jesler) wrote:

As previously mentioned, if you downloaded the beta version of ClamAV 0.99.3, 
you will need to completely uninstall it and do a fresh install with the 
production version of 0.99.3 as there are significant code differences


when i read something like this in 2018 my brain ends with a bluescreen



Re: [clamav-users] How the bad signature happened - conjecture (was Re: URGENT: Clamd is wedged on multiple installations)

2018-01-26 Thread Rafael Ferreira
Nope, latest is still 

File: daily.cvd
Build time: 26 Jan 2018 04:24 -0500
Version: 24257
Signatures: 1835982
Functionality level: 63
Builder: neo
MD5: 3b3092994fdf9aa39aae480c38fb31ab
Digital signature: 
D7RfRs/Zbl/2fFW4FZKHoHskjH5BWU1K/Qqyhc0qEyO4bHblupzLq/m3oJo4CfcVfysd3cOMZNPhwRzTzJlKTGWQx4Y4VT/jhM+5NOI8tcVZgFzpvQE699hBHggYRqDZq+mlTiFNmZ7pCUR9ACmso3uElfFpRZP4oy4I3ULxkXg

which appears to have the issue, we, scanii.com, are 
having quite a bit of run today because of it. 


> On Jan 26, 2018, at 7:44 AM, Jason J. W. Williams  
> wrote:
> 
> We started seeing this problem last night as well. Reading through the
> thread, it doesn't appear that ClamAV has fixed the signatures yet (as of
> 24257), or am I wrong?
> 
> -J
> 
> On Fri, Jan 26, 2018 at 6:24 AM, Dianne Skoll 
> wrote:
> 
>> On Fri, 26 Jan 2018 13:50:27 +0100
>> Ralf Hildebrandt  wrote:
>> 
>>> If I had to guess: they used the beta for testing, but the release
>>> versions (both 0.99.2 and 0.99.3!) fail to operate properly...
>> 
>> No, I bet that's not what happened.  A file descriptor leak doesn't show
>> up right away.  They probably tested the signatures on a lightly-loaded
>> server and didn't notice any problems.
>> 
>> ClamAV QA team: In future, please run new signatures against a clamd
>> process a few thousand times to check for possible resource leakage.
>> 
>> Regards,
>> 
>> Dianne.
>> 


Re: [clamav-users] How the bad signature happened - conjecture (was Re: URGENT: Clamd is wedged on multiple installations)

2018-01-26 Thread Jason J. W. Williams
We started seeing this problem last night as well. Reading through the
thread, it doesn't appear that ClamAV has fixed the signatures yet (as of
24257), or am I wrong?

-J

On Fri, Jan 26, 2018 at 6:24 AM, Dianne Skoll 
wrote:

> On Fri, 26 Jan 2018 13:50:27 +0100
> Ralf Hildebrandt  wrote:
>
> > If I had to guess: they used the beta for testing, but the release
> > versions (both 0.99.2 and 0.99.3!) fail to operate properly...
>
> No, I bet that's not what happened.  A file descriptor leak doesn't show
> up right away.  They probably tested the signatures on a lightly-loaded
> server and didn't notice any problems.
>
> ClamAV QA team: In future, please run new signatures against a clamd
> process a few thousand times to check for possible resource leakage.
>
> Regards,
>
> Dianne.
>
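
Dianne Skoll's suggestion quoted above, to run new signatures against a clamd process a few thousand times and check for resource leakage, can be scripted on Linux by comparing `/proc/<pid>/fd` before and after the run. This is an added example, not from the thread or the ClamAV project: the `clamav-` name marker is taken from the lsof listing elsewhere in this thread, the function names and the two stand-in scanners are hypothetical, and the check assumes a test instance with no other scans in flight.

```python
import os
import subprocess
import tempfile


def open_fds(pid="self"):
    """Map fd number -> link target from /proc/<pid>/fd (Linux only).

    Reading another user's process (for example clamd) needs root or that user.
    """
    fd_dir = f"/proc/{pid}/fd"
    targets = {}
    for name in os.listdir(fd_dir):
        try:
            targets[int(name)] = os.readlink(os.path.join(fd_dir, name))
        except OSError:
            continue  # descriptor was closed between listdir() and readlink()
    return targets


def deleted_temp_fds(pid="self", marker="clamav-"):
    """Descriptors still open on unlinked temp files, as lsof marks '(deleted)'."""
    return {fd: target for fd, target in open_fds(pid).items()
            if marker in target and target.endswith(" (deleted)")}


def leak_check(scan_once, iterations, pid="self", marker="clamav-"):
    """Call scan_once() repeatedly and report descriptor growth in process pid."""
    before_all = open_fds(pid)
    before_deleted = deleted_temp_fds(pid, marker)
    for _ in range(iterations):
        scan_once()
    after_all = open_fds(pid)
    after_deleted = deleted_temp_fds(pid, marker)
    new_deleted = sorted(set(after_deleted) - set(before_deleted))
    growth = len(after_all) - len(before_all)
    return {
        "iterations": iterations,
        "fd_growth": growth,
        "new_deleted_temp_fds": len(new_deleted),
        # Once all scans have returned, no unlinked temp file should stay open.
        "leaking": bool(new_deleted) or growth >= iterations,
    }


def clamdscan_once(path):
    """Submit one file to a running clamd via clamdscan (must be installed).

    Exit status 1 means a detection, so the return code is not treated as an error.
    """
    subprocess.run(["clamdscan", "--no-summary", path],
                   check=False, stdout=subprocess.DEVNULL)


# Constructed stand-ins so the harness can be exercised without clamd.
HELD = []  # descriptors the leaky stand-in never closes


def leaky_scan():
    fd, path = tempfile.mkstemp(prefix="clamav-", suffix=".tmp")
    os.unlink(path)   # file is gone from the directory ...
    HELD.append(fd)   # ... but the descriptor stays open, as in the lsof output


def clean_scan():
    fd, path = tempfile.mkstemp(prefix="clamav-", suffix=".tmp")
    os.unlink(path)
    os.close(fd)
```

Against a real daemon the call would look like `leak_check(lambda: clamdscan_once("/path/to/sample"), 5000, pid=<clamd pid>)`, with the sample path and PID supplied by the operator.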


[clamav-users] ClamAV® blog: ClamAV 0.99.3 has been released!

2018-01-26 Thread Joel Esler (jesler)


http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html

ClamAV 0.99.3 has been released!
Join us as we welcome ClamAV 0.99.3 to the family!

As previously mentioned, if you downloaded the beta version of ClamAV 0.99.3, 
you will need to completely uninstall it and do a fresh install with the 
production version of 0.99.3 as there are significant code differences.

Also, please ensure that you read our blog post on ClamAV Version Number 
Adjustments to ensure that you are staying current with our future plans for 
releases.

This release is a security release and is recommended for all ClamAV users.  
Please see details below:

CVE-2017-12374
1. ClamAV UAF (use-after-free) Vulnerabilities

The ClamAV AntiVirus software versions 0.99.2 and prior contain a vulnerability 
that could allow an unauthenticated, remote attacker to cause a denial of 
service (DoS) condition on an affected device.

The vulnerability is due to a lack of input validation checking mechanisms 
during certain mail parsing operations. If successfully exploited, the ClamAV 
software could allow a variable pointing to the mail body which could cause a 
used after being free (use-after-free) instance which may lead to a disruption 
of services on an affected device to include a denial of service condition.

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
https://bugzilla.clamav.net/show_bug.cgi?id=11939

CVE-2017-12375
2. ClamAV Buffer Overflow Vulnerability

The ClamAV AntiVirus software versions 0.99.2 and prior contain a vulnerability 
that could allow an unauthenticated, remote attacker to cause a denial of 
service (DoS) condition on an affected device.

The vulnerability is due to a lack of input validation checking mechanisms 
during certain mail parsing functions. An unauthenticated, remote attacker 
could exploit this vulnerability by sending a crafted email to the affected 
device. This action could cause a buffer overflow condition when ClamAV scans 
the malicious email, allowing the attacker to potentially cause a DoS condition 
on an affected device.

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
https://bugzilla.clamav.net/show_bug.cgi?id=11940

CVE-2017-12376
3. ClamAV Buffer Overflow in handle_pdfname Vulnerability

ClamAV AntiVirus software versions 0.99.2 and prior contain a vulnerability 
that could allow an unauthenticated, remote attacker to cause a denial of 
service (DoS) condition or potentially execute arbitrary code on an affected 
device.

The vulnerability is due to improper input validation checking mechanisms when 
handling Portable Document Format (.pdf) files sent to an affected device. An 
unauthenticated, remote attacker could exploit this vulnerability by sending a 
crafted .pdf file to an affected device. This action could cause a buffer 
overflow when ClamAV scans the malicious file, allowing the attacker to cause a 
DoS condition or potentially execute arbitrary code.

https://bugzilla.clamav.net/show_bug.cgi?id=11942
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2017-12377
4. ClamAV Mew Packet Heap Overflow Vulnerability

ClamAV AntiVirus software versions 0.99.2 and prior contain a vulnerability 
that could allow an unauthenticated, remote attacker to cause a denial of 
service (DoS) condition or potentially execute arbitrary code on an affected 
device.

The vulnerability is due to improper input validation checking mechanisms in 
mew packet files sent to an affected device. A successful exploit could cause a 
heap overflow condition when ClamAV scans the malicious file, allowing the 
attacker to cause a DoS condition or potentially execute arbitrary code on the 
affected device.

https://bugzilla.clamav.net/show_bug.cgi?id=11943
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CVE-2017-12378
5. ClamAV Buffer Over Read Vulnerability

ClamAV AntiVirus software versions 0.99.2 and prior contain a vulnerability 
that could allow an unauthenticated, remote attacker to cause a denial of 
service (DoS) condition on an affected device.

The vulnerability is due to improper input validation checking mechanisms of 
.tar (Tape Archive) files sent to an affected device. A successful exploit 
could cause a buffer over-read condition when ClamAV scans the malicious .tar 
file, potentially allowing the attacker to cause a DoS condition on the 
affected device.

https://bugzilla.clamav.net/show_bug.cgi?id=11946
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVE-2017-12379
6. ClamAV Buffer Overflow in messageAddArgument Vulnerability

ClamAV AntiVirus software versions 0.99.2 and prior contain a vulnerability 
that could allow an unauthenticated, remote attacker to cause a denial of 
service (DoS) condition or potentially execute arbitrary code on an affected 
device.

The vulnerability is due to improper input validation checking mechanisms in 
the message parsing function on an affected system. An unauthenticated, remote 
attacker 

Re: [clamav-users] Announcement missing

2018-01-26 Thread Ralf Hildebrandt
* Joel Esler (jesler) :
> You're right.  That's my fault.  I'll correct that here in a second after I 
> read through all the emails in my ClamAV folder.

OK, tomorrow then :)

-- 
Ralf Hildebrandt   Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.deCampus Benjamin Franklin
https://www.charite.de Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155
___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] 99.3 for Ubuntu

2018-01-26 Thread Tilman Schmidt
Ubuntu doesn't have 0.99.3 release yet.
You need to go to http://www.clamav.net/downloads

On 26.01.2018 at 15:31, Chris wrote:
> On Thu, 2018-01-25 at 19:18 -0800, Al Varnell wrote:
>> Are you sure you have the correct 0.99.3 download released late today
>> from ?
>>
> Hi Al, when trying to get the release source via "pull-lp-source
> clamav" I instead get the beta1 source:
> 
> pull-lp-source clamav
> pull-lp-source: Downloading clamav version 0.99.3~beta1+dfsg-2ubuntu1
[...]



Re: [clamav-users] 99.3 for Ubuntu

2018-01-26 Thread Chris
On Fri, 2018-01-26 at 08:41 +0100, Matus UHLAR - fantomas wrote:
> > 
> > > 
> > > On January 25, 2018 11:18:41 PM UTC, Chris wrote:
> > > > 
> > > > I'm trying to build 99.3 for Ubuntu 16.04LTS. I had no problems
> > > > building 99.2 with pbuilder. When downloading the source I got
> > 
> > > 
> > > > 
> > > > https://pastebin.com/K1LfbwXX
> > 
> > On Fri, 2018-01-26 at 00:46 +, Scott Kitterman wrote:
> > > 
> > > From the pastebin:
> > > 
> > > Depends: llvm-3.9-dev
> > > 
> > > That's not available on 16.04.  Change it to the version that is
> > > available there (I don't track Ubuntu things anymore, so I don't
> > > know
> > > which one that is.
> On 25.01.18 20:46, Chris wrote:
> > 
> > Thanks for the reply Scott. According to this:
> > 
> > apt-cache policy llvm-3.9
> > llvm-3.9:
> >   Installed: 1:3.9.1-4ubuntu3~16.04.2
> >   Candidate: 1:3.9.1-4ubuntu3~16.04.2
> > 
> > apt-cache policy llvm-3.9-dev
> > llvm-3.9-dev:
> >   Installed: 1:3.9.1-4ubuntu3~16.04.2
> >   Candidate: 1:3.9.1-4ubuntu3~16.04.2
> > 
> > But then the pbuilder output says - Depends: llvm-3.9-dev
> because it needs it to build clamav. this has nothing with internal
> clamav
> issued.
> 
> do:
> 
> apt-get install llvm-3.9-dev
> 
> and see what it does.
Hi Matus, I do have it installed:

sudo apt install llvm-3.9-dev
[sudo] password for chris: 
Reading package lists... Done
Building dependency tree   
Reading state information... Done
llvm-3.9-dev is already the newest version (1:3.9.1-4ubuntu3~16.04.2).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

I think the problem is that when I run "pull-lp-source clamav" I'm
getting the beta1 source and not the release source.

Chris

-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
08:22:09 up 9 min, 1 user, load average: 0.95, 2.43, 1.78
Description:Ubuntu 16.04.3 LTS, kernel 4.13.0-32-generic




Re: [clamav-users] 99.3 for Ubuntu

2018-01-26 Thread Chris
On Thu, 2018-01-25 at 19:18 -0800, Al Varnell wrote:
> Are you sure you have the correct 0.99.3 download released late today
> from ?
> 
Hi Al, when trying to get the release source via "pull-lp-source
clamav" I instead get the beta1 source:

pull-lp-source clamav
pull-lp-source: Downloading clamav version 0.99.3~beta1+dfsg-2ubuntu1
pull-lp-source: Downloading clamav_0.99.3~beta1+dfsg.orig.tar.xz from
archive.ubuntu.com (5.611 MiB)
pull-lp-source: Downloading clamav_0.99.3~beta1+dfsg-
2ubuntu1.debian.tar.xz from archive.ubuntu.com (0.207 MiB)
gpgv: Signature made Thu 23 Nov 2017 02:02:52 AM CST using RSA key ID
8280B242
gpgv: Can't check signature: public key not found
dpkg-source: warning: failed to verify signature on
./clamav_0.99.3~beta1+dfsg-2ubuntu1.dsc
dpkg-source: info: extracting clamav in clamav-0.99.3~beta1+dfsg
dpkg-source: info: unpacking clamav_0.99.3~beta1+dfsg.orig.tar.xz
dpkg-source: info: unpacking clamav_0.99.3~beta1+dfsg-
2ubuntu1.debian.tar.xz
dpkg-source: info: applying Change-paths-in-sample-conf-file-to-match-
Debian.patch
dpkg-source: info: applying add-support-for-system-tomsfastmath.patch
dpkg-source: info: applying
clamd_dont_depend_on_clamav_demon_socket.patch
dpkg-source: info: applying Add-support-for-LLVM-3.7.patch
dpkg-source: info: applying Add-support-for-LLVM-3.8.patch
dpkg-source: info: applying Add-support-for-LLVM-3.9.patch
dpkg-source: info: applying Fix_detection_of_libcurl.patch
dpkg-source: info: applying clamsubmit-add-JSON-libs-to-
clamsubmit.patch
dpkg-source: info: applying fix_newer_zlib.patch

I tried again just now to get the release source and still got beta1.



> That README only contains the following:
> 
> > 
> > 0.99.3
> > --
> > 
> > ClamAV 0.99.3 is a hotfix release to patch a set of
> > vulnerabilities.
> > 
> > - fixes for the following CVE's: CVE-2017-6418, CVE-2017-6420, 
> >   CVE-2017-12374, CVE-2017-12375, CVE-2017-12376, CVE-2017-
> > 12377, 
> >   CVE-2017-12378, CVE-2017-12379, CVE-2017-12380. 
> > - also included are 2 minor fixes to properly detect openssl
> > install
> >   locations on FreeBSD 11, and prevent false warnings about
> > zlib 1.2.1#
> >   version numbers. 
> > 
> > Thank you to the following ClamAV community members for your code
> > submissions and bug reports! 
> > 
> > Alberto Garcia
> > Daniel J. Luke
> > Francisco Oca
> > Sebastian A. Siewior
> > Suleman Ali
> > 
> > Special thanks to Offensive Research at Salesforce.com for
> > responsible disclosure.
> -Al-
> 
> On Thu, Jan 25, 2018 at 06:46 PM, Chris wrote:
> > 
> > 
> > I noticed this in the README:
> > 
> > Additionally, we have introduced important changes and new features
> > in
> > ClamAV 0.99.3, including:
> > - Deprecating internal LLVM code support. The configure script
> > has
> > changed to search the system for an installed instance of the LLVM
> > development libraries, and to otherwise use the bytecode
> > interpreter
> > for ClamAV bytecode signatures. To use the LLVM Just-In-Time
> > compiler
> > for executing bytecode signatures, please ensure that the LLVM
> > development package at version 3.6 or lower is installed. Using the
> > deprecated LLVM code is possible with the command: './configure --
> > with-
> > system-llvm=no', but it no longer compiles on all platforms.
> > 
> > If I read the above correctly - 
> > 
> > To use the LLVM Just-In-Time compiler for executing bytecode
> > signatures, please ensure that the LLVM development package at
> > version
> > 3.6 or lower is installed. Using the deprecated LLVM code is
> > possible
> > with the command: './configure --with-system-llvm=no', but it no
> > longer
> > compiles on all platforms.
> > 
> > But then the pbuilder output says - Depends: llvm-3.9-dev
-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
08:22:56 up 10 min, 1 user, load average: 0.51, 2.11, 1.70
Description:Ubuntu 16.04.3 LTS, kernel 4.13.0-32-generic




Re: [clamav-users] Announcement missing

2018-01-26 Thread Joel Esler (jesler)
You're right.  That's my fault.  I'll correct that here in a second after I 
read through all the emails in my ClamAV folder.

--
Joel Esler | Talos: Manager | jes...@cisco.com






On Jan 26, 2018, at 8:22 AM, Andreas Schulze 
> wrote:

On 26.01.2018 at 14:09, Tobi wrote:
Do you mean this one ?
http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html

@Cisco: is it so hard to use 
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-announce



--
A. Schulze
DATEV eG


[clamav-users] How the bad signature happened - conjecture (was Re: URGENT: Clamd is wedged on multiple installations)

2018-01-26 Thread Dianne Skoll
On Fri, 26 Jan 2018 13:50:27 +0100
Ralf Hildebrandt  wrote:

> If I had to guess: they used the beta for testing, but the release
> versions (both 0.99.2 and 0.99.3!) fail to operate properly...

No, I bet that's not what happened.  A file descriptor leak doesn't show
up right away.  They probably tested the signatures on a lightly-loaded
server and didn't notice any problems.

ClamAV QA team: In future, please run new signatures against a clamd
process a few thousand times to check for possible resource leakage.

Regards,

Dianne.



[clamav-users] Fwd: Undelivered Mail Returned to Sender

2018-01-26 Thread Reindl Harald


which f**g idiot is responsible for that?

This is the mail system at host lists.clamav.net.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

   The mail system

: mail forwarding loop for
clamav-users@lists.clamav.net

 Forwarded Message 
Subject: Undelivered Mail Returned to Sender
Date: Fri, 26 Jan 2018 14:58:52 +0100 (CET)
From: Mail Delivery System 
To: h.rei...@thelounge.net

This is the mail system at host mucha.arges.net.pl.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

   The mail system

: host mail-gw.thelounge.net[91.118.73.19] said: 554
5.7.1 : Sender address rejected: Sender 
Spoofed,

please forward this to YOUR tech-support first, time: Jan 26 14:58:42,
client: 87.98.235.141, server: mail-gw.thelounge.net, contact:
 +4315953999 (in reply to RCPT TO command)


[clamav-users] Problem with Max Open descriptor Files limit

2018-01-26 Thread Carlos García Gómez
Hi,

We have a problem with ClamAV due to the Max Open descriptor Files limit.
It seems like deleted temp files are not freed.
When the soft limit is reached the clamav process responds with an ERROR.

The problem began today with clamav version 0.99.2.
We have updated to the latest release 0.99.3 but the problem is still here.



  [root@mx2 tmp]# ps -ef |grep clamav
  clamav   22927 1  0 13:50 ?00:00:00 
/home/vmail/antivirus/clamav/bin/freshclam -d
  root 23128 21677  0 15:01 pts/100:00:00 grep clamav
  clamav   23137 1  2 13:51 ?00:01:39 
/home/vmail/antivirus/clamav/sbin/clamd


  [root@mx2 tmp]# lsof -p 23137 


   
  COMMAND   PID   USER   FD   TYPE DEVICE SIZE   NODE NAME
  clamd   23137 clamav  cwdDIR8,1 4096  2 /
  clamd   23137 clamav  rtdDIR8,1 4096  2 /
  clamd   23137 clamav  txtREG8,2   3308231507346 
/home/vmail/antivirus/clamav-0.99.3/sbin/clamd
  clamd   23137 clamav   11u   REG8,2   461540613 
/home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-40e1c3eb5c91506cd8029a626d44e430.tmp
 (deleted)
  clamd   23137 clamav   12u   REG8,2  1191540264 
/home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-6191bbf55622fa150f6a562fedaa96bf.tmp
 (deleted)
  clamd   23137 clamav   13u   REG8,2  1191540266 
/home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-d23444b929c3e8f70b245d0f7df9c64e.tmp
 (deleted)
  clamd   23137 clamav   14u   REG8,2   361540265 
/home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-0323a84d6821a592bccefde5a36c0bb4.tmp
 (deleted)
  clamd   23137 clamav   15u   REG8,2 47931540268 
/home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-a08b30fcf5ca4cbc35089753a49b688f.tmp
 (deleted)
  clamd   23137 clamav   16u   REG8,2 47931540267 
/home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-8fa41cdf16f7e03e3fef00fa7faefe66.tmp
 (deleted)
  clamd   23137 clamav   17u   REG8,2   581540270 
/home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-8106966405936ecc207ceb37377b2be5.tmp
 (deleted)
  clamd   23137 clamav   18u   REG8,2  1831540272 
/home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-6f395db61ea80440bbcdcccf8c1fd87e.tmp
 (deleted)
  clamd   23137 clamav   19u   REG8,2  2931540273 
/home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-4d454dfbedfa70c192000a2cc021a0e9.tmp
 (deleted)
  clamd   23137 clamav   20u   REG8,2  1831540271 
/home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-d7b9350895ea3c7c16a95810da93cbcd.tmp
 (deleted)
  clamd   23137 clamav   21u   REG8,2 31371540274 
/home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-61ead91328b1a1fb2eed66e0092fab37.tmp
 (deleted)
  clamd   23137 clamav   22u   REG8,2 31371540276 
/home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-ea8e77c7746f4e20efa08dd714e3bab1.tmp
 (deleted)
  clamd   23137 clamav   23u   REG8,2   421540275 
/home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-6dc27ea80d232f5cf3354a7a3c8ec58d.tmp
 (deleted)
  clamd   23137 clamav   24u   REG8,2   441540277 
/home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-fee6d1b3d366eda4e15f5ff8416bc606.tmp
 (deleted)
  clamd   23137 clamav   25u   REG8,2  6771540279 
/home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-2b9716c6173771c795a3b1c3bef56470.tmp
 (deleted)
  clamd   23137 clamav   26u   REG8,2  1551540280 
/home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-e63b9a7454908ebb5f47657898bdb2c5.tmp
 (deleted)
  clamd   23137 clamav   27u   REG8,2 16811540281 
/home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-ba047ebfc0396a5b38b595eeec0f7437.tmp
 (deleted)
  clamd   23137 clamav   28u   REG8,2   461540278 
/home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-49dbcc76c3c8b14d279a9d0aa74310a1.tmp
 (deleted)
  clamd   23137 clamav   29u   REG8,2 16811540283 
/home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-46898158d350efefbe01636215301fad.tmp
 (deleted)
  clamd   23137 clamav   30u   REG8,2   481540282 
/home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-fdc1f1fdaca0933e22778c22bf4306c2.tmp
 (deleted)
  clamd   23137 clamav   31u   REG8,2 12351540285 
/home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-3849f6d05e67f2ad565d668e9a925158.tmp
 (deleted)
  clamd   23137 clamav   32u   REG8,2   381540284 
/home/vmail/antivirus/clamav-0.99.3/var/tmp/clamav-9428301ea35432270076585aad066354.tmp
 (deleted)

When there are 1024 FD => ClamAV crash

Any Ideas?

Regards.
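
The leak shown in the lsof listing above (descriptors still pointing at deleted clamav-*.tmp files) and the repeated-scan check suggested earlier in the thread can be automated by comparing two snapshots of /proc/<pid>/fd. This is an added example, not code from any poster or from the ClamAV project; the function names, the 0.8 warning ratio and the sample data are assumptions constructed for illustration.

```python
import os
import re
import sys
import tempfile
import time

# Link target of a leaked descriptor, in the form the thread's listings show:
#   /tmp/clamav-736a3d0d2a944a0a79d465671fb754d5.tmp (deleted)
LEAKED_TMP = re.compile(r"/clamav-[0-9a-f]{32}\.tmp \(deleted\)$")
NOFILE = re.compile(r"^Max open files\s+(\S+)\s+(\S+)", re.MULTILINE)


def snapshot(fd_dir):
    """Map fd number -> link target for a /proc/<pid>/fd style directory."""
    fds = {}
    for name in os.listdir(fd_dir):
        try:
            fds[int(name)] = os.readlink(os.path.join(fd_dir, name))
        except (OSError, ValueError):
            continue  # fd closed while we were listing, or not an fd entry
    return fds


def deleted_tempfiles(fds):
    """Descriptors that still reference an unlinked ClamAV temp file."""
    return {fd: target for fd, target in fds.items() if LEAKED_TMP.search(target)}


def persisting(before, after):
    """Deleted temp files open in both snapshots under the same fd number.

    A temp file that is merely in use by a running scan disappears between
    snapshots; one that survives is a leak candidate.
    """
    return {fd: t for fd, t in deleted_tempfiles(after).items() if before.get(fd) == t}


def soft_nofile_limit(limits_text):
    """Soft 'Max open files' value from /proc/<pid>/limits text, None if unlimited."""
    match = NOFILE.search(limits_text)
    if not match or match.group(1) == "unlimited":
        return None
    return int(match.group(1))


def assess(before, after, soft_limit, warn_ratio=0.8):
    """Summarise descriptor use and classify it as ok, leaking or critical."""
    held = persisting(before, after)
    used = len(after)
    growth = len(deleted_tempfiles(after)) - len(deleted_tempfiles(before))
    if soft_limit is not None and used >= warn_ratio * soft_limit:
        verdict = "critical"  # close to the limit at which scans start failing
    elif held and growth > 0:
        verdict = "leaking"   # old temp fds never closed and new ones still arriving
    else:
        verdict = "ok"
    return {"used": used, "soft_limit": soft_limit, "persisting": sorted(held),
            "growth": growth, "verdict": verdict}


def fake_fd_dir(root, targets):
    """Constructed stand-in for /proc/<pid>/fd: dangling symlinks with the given targets."""
    os.makedirs(root)
    for fd, target in targets.items():
        os.symlink(target, os.path.join(root, str(fd)))
    return root


def demo():
    """Run the check on constructed data (not output from a real clamd)."""
    tmp = "/tmp/clamav-%032x.tmp (deleted)"
    base = {0: "/dev/null", 3: "socket:[40213]"}
    first = {**base, 11: tmp % 1, 12: tmp % 2, 13: tmp % 3}
    second = {**first, 14: tmp % 4, 15: tmp % 5}
    limits = "Limit  Soft Limit  Hard Limit  Units\nMax open files  1024  4096  files\n"
    with tempfile.TemporaryDirectory() as work:
        before = snapshot(fake_fd_dir(os.path.join(work, "t0"), first))
        after = snapshot(fake_fd_dir(os.path.join(work, "t1"), second))
    return assess(before, after, soft_nofile_limit(limits))


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(demo())
    else:  # usage: <script> <clamd pid> [seconds between snapshots]; needs root or the clamd user
        pid = sys.argv[1]
        wait = float(sys.argv[2]) if len(sys.argv) > 2 else 60.0
        t0 = snapshot(f"/proc/{pid}/fd")
        time.sleep(wait)
        t1 = snapshot(f"/proc/{pid}/fd")
        with open(f"/proc/{pid}/limits") as fh:
            limit = soft_nofile_limit(fh.read())
        print(assess(t0, t1, limit))
```

Run between batches of test scans against a staging clamd, a "leaking" verdict flags a signature or engine update before it reaches the descriptor limit in production.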





Re: [clamav-users] URGENT: Clamd is wedged on multiple installations

2018-01-26 Thread Marcus Schopen
On Friday, 26.01.2018, 09:22 +0100, Reindl Harald wrote:
> 
> On 26.01.2018 at 09:19, Marco wrote:
> > On 26/01/2018 09:00, Reindl Harald wrote:
> > > freshclam and a custom script downloads anything to 
> > > /var/lib/clamav-download and then for the two "/var/lib/clamav"
> > > and 
> > > "/var/lib/clamav-sa" based on file-lists hardlinks are set -
> > > from the 
> > > official only "safebrowsing" is active
> > 
> > We have the same problem: I confirm that without official
> > signature 
> > Clamav works!
> 
> looks like "freshclam" needs something like a downgrade option when
> bad 
> signatures can lead to such a massive fuckup

Is there a way to "downgrade" to 24255 as it seems it started with
24256. My first crash was at 7:47am GMT+1 and at this time I was on
24256.

Ciao!



Re: [clamav-users] URGENT: Clamd is wedged on multiple installations

2018-01-26 Thread ungifted01

26.01.2018 16:22, Manuel Mausz wrote:

On 26.01.2018 14:10, Manuel Mausz wrote:

Hello list,

the attached patch should fix the fd leak in cli_scanscript.


The list stripped my attachment. 2nd try:
https://gist.github.com/manuelm/dbc94001c77c07363cdcb5b390c2cb04


Thanks! Works fine.



Re: [clamav-users] URGENT: Clamd is wedged on multiple installations

2018-01-26 Thread Gene Heskett
On Friday 26 January 2018 08:10:51 Manuel Mausz wrote:

> Hello list,
>
> the attached patch should fix the fd leak in cli_scanscript.
>
> cheers,
> manuel

What patch? This list apparently does NOT pass attachments. So please 
insert them in your text plz.




-- 
Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page 


Re: [clamav-users] Announcement without access to linked information

2018-01-26 Thread Andreas Schulze
On 26.01.2018 at 14:22, Andreas Schulze wrote:
> On 26.01.2018 at 14:09, Tobi wrote:
>> Do you mean this one ? 
>> http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html
> 
> @Cisco: is it so hard to use 
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-announce
> 

what is the intention sending an announcement with links to bugzilla.clamav.net
that are not publicly accessible?

Looks like structured incident management is completely new stuff for cisco.


-- 
A. Schulze
DATEV eG


[clamav-users] Announcement missing

2018-01-26 Thread Andreas Schulze
On 26.01.2018 at 14:09, Tobi wrote:
> Do you mean this one ? 
> http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html

@Cisco: is it so hard to use 
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-announce



-- 
A. Schulze
DATEV eG


Re: [clamav-users] URGENT: Clamd is wedged on multiple installations

2018-01-26 Thread Manuel Mausz
On 26.01.2018 14:10, Manuel Mausz wrote:
> Hello list,
> 
> the attached patch should fix the fd leak in cli_scanscript.

The list stripped my attachment. 2nd try:
https://gist.github.com/manuelm/dbc94001c77c07363cdcb5b390c2cb04

manuel


Re: [clamav-users] URGENT: Clamd is wedged on multiple installations

2018-01-26 Thread Yashodhan Barve

On 2018-01-26 5:36 AM, Al Varnell wrote:

If you can't revert to daily 24255 then disable daily.cld until you know it's 
fixed.

Has anybody updated to daily 24257 to see if that helps? I doubt that it does 
as no sigs are shown as dropped.


[mailfw@mailfw clamav]# sigtool --info=daily.cld
File: daily.cld
Build time: 26 Jan 2018 04:24 -0500
Version: 24257
Signatures: 1835982
Functionality level: 63
Builder: neo
Verification OK.

Working well on 4 servers.

-yb



Re: [clamav-users] URGENT: Clamd is wedged on multiple installations

2018-01-26 Thread Manuel Mausz
Hello list,

the attached patch should fix the fd leak in cli_scanscript.

cheers,
manuel


Re: [clamav-users] URGENT: Clamd is wedged on multiple installations

2018-01-26 Thread Tobi
Do you mean this one ? 
http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html

On 26 January 2018 at 14:03:14 CET, Andreas Schulze wrote:
>


Re: [clamav-users] URGENT: Clamd is wedged on multiple installations

2018-01-26 Thread Andreas Schulze
On 26.01.2018 at 13:50, Ralf Hildebrandt wrote:
> If I had to guess: they used the beta for testing, but the release
> versions (both 0.99.2 and 0.99.3!) fail to operate properly...
yes, it's the explanation that matches best to the observed fallout :-/

usually there is an "official" announcement about new version with references to 
fixed CVEs
did only I miss that?


-- 
A. Schulze
DATEV eG


Re: [clamav-users] URGENT: Clamd is wedged on multiple installations

2018-01-26 Thread Reindl Harald



On 26.01.2018 at 13:50, Ralf Hildebrandt wrote:

* Reindl Harald :



On 26.01.2018 at 13:40, Ralf Hildebrandt wrote:

* maxal :

nobody of clamav/cisco reading this list?


It's 7:45AM on the east coast


so what - i don't get how such updates slip through at all - it's not rocket
science load them on a test-machine and fire up a script that pipes a
test-corpus against clamd and *read* stderr/stdout/logs for "warning" and
"error"


If I had to guess: they used the beta for testing, but the release
versions (both 0.99.2 and 0.99.3!) fail to operate properly...


if that's true then they are plain idiots because the world is not using 
the beta and if the issue happens on the few beta users that's the risk 
they took by using something called "beta"



Re: [clamav-users] URGENT: Clamd is wedged on multiple installations

2018-01-26 Thread Ralf Hildebrandt
* Reindl Harald :
> 
> 
> On 26.01.2018 at 13:40, Ralf Hildebrandt wrote:
> > * maxal :
> > > nobody of clamav/cisco reading this list?
> > 
> > It's 7:45AM on the east coast
> 
> so what - i don't get how such updates slip through at all - it's not rocket
> science load them on a test-machine and fire up a script that pipes a
> test-corpus against clamd and *read* stderr/stdout/logs for "warning" and
> "error"

If I had to guess: they used the beta for testing, but the release
versions (both 0.99.2 and 0.99.3!) fail to operate properly...

-- 
Ralf Hildebrandt   Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.deCampus Benjamin Franklin
https://www.charite.de Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155




Re: [clamav-users] URGENT: Clamd is wedged on multiple installations

2018-01-26 Thread Reindl Harald



On 26.01.2018 at 13:40, Ralf Hildebrandt wrote:

* maxal :

nobody of clamav/cisco reading this list?


It's 7:45AM on the east coast


so what - i don't get how such updates slip through at all - it's not 
rocket science load them on a test-machine and fire up a script that 
pipes a test-corpus against clamd and *read* stderr/stdout/logs for 
"warning" and "error"


but that requires that the word "fail", "warn" and "error" are not 
common left and right as it is in the shiny new IT world where nobody 
cares about anything - that applies also to distributions with broken 
systemd-units because the f***er who made the change don't do his basic 
homework after a reboot before pipe his crap even on a distro-server


[root@srv-rhsoft:~]$ cat /scripts/system-errors.sh
#!/bin/bash
dmesg | grep -i warn
dmesg | grep -i fail
dmesg | grep -i error
cat /var/log/messages | grep -i warn
cat /var/log/messages | grep -i fail
cat /var/log/messages | grep -i error




Re: [clamav-users] URGENT: Clamd is wedged on multiple installations

2018-01-26 Thread Ralf Hildebrandt
* lukn :

> As ClamAV/Talos is owned by Cisco I assume all ClamAV employees are
> located in Silicon Valley area and therefore still enjoying a good
> Californian night's sleep.

Or maybe in Philadelphia.

-- 
Ralf Hildebrandt   Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.deCampus Benjamin Franklin
https://www.charite.de Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155


Re: [clamav-users] URGENT: Clamd is wedged on multiple installations

2018-01-26 Thread Ralf Hildebrandt
* maxal :
> nobody of clamav/cisco reading this list? 

It's 7:45AM on the east coast.

-- 
Ralf Hildebrandt   Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.deCampus Benjamin Franklin
https://www.charite.de Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155


Re: [clamav-users] URGENT: Clamd is wedged on multiple installations

2018-01-26 Thread lukn
As ClamAV/Talos is owned by Cisco I assume all ClamAV employees are
located in Silicon Valley area and therefore still enjoying a good
Californian night's sleep.

On 26.01.2018 13:17, maxal wrote:
> nobody of clamav/cisco reading this list? as the impact is heavy and
> probably worldwide - anyone with personal contacts or any other channel
> to reach someone there? contact info on clamav.net is only referring to
> mailing lists and not very useful 
> 
> On Fri, 2018-01-26 at 12:07 +0100, Marco wrote:
>> On 26/01/2018 10:39, Ralf Hildebrandt wrote:
>>
>>> clamd is leaking filedescriptors for temporary files - ls
>>> /proc/`pidof clamd`/fd shows a
>>> lot of:
>>>
>>> lrwx-- 1 root root 64 Jan 26 10:38 993 -> /tmp/clamav-
>>> 736a3d0d2a944a0a79d465671fb754d5.tmp (deleted)
>>> lrwx-- 1 root root 64 Jan 26 10:38 994 -> /tmp/clamav-
>>> 59b5548fe87bc9a454486cbe37d5c89b.tmp (deleted)
>>> lrwx-- 1 root root 64 Jan 26 10:38 995 -> /tmp/clamav-
>>> 0e2983c3f35c37d833ea37c2867a0aba.tmp (deleted)
>>> ...
>>
>> I think that Clamav now knows this very big problem... Anyway these
>> are 
>> other logs I see (0.99.2 version on RH EL7):
>>
>> 2018-01-26T03:41:29.246852+01:00  clamd[18086]: LibClamAV Error: 
>> cli_gentempfd: Can't create temporary file 
>> /tmp/clamav-f553aa378e37664837deb720f2ce10f6.tmp/clamav-
>> ef95d457b05dc585eb4bc09d3fc83edc.tmp: 
>> Too many open files
>>
>> 2018-01-26T03:41:29.247296+01:00  clamd[18086]: LibClamAV Warning: 
>> fileblobScan, fullname == NULL
>>
>> 2018-01-26T03:41:29.247458+01:00  clamd[18086]: LibClamAV Error: 
>> fileblobDestroy: mixedtextportion not saved: report to 
>> http://bugs.clamav.net
>>
>>
>> Regards
>> Marco


Re: [clamav-users] URGENT: Clamd is wedged on multiple installations

2018-01-26 Thread Reindl Harald



On 26.01.2018 at 13:17, maxal wrote:

> nobody of clamav/cisco reading this list? as the impact is heavy and
> probably worldwide - anyone with personal contacts or any other channel
> to reach someone there? contact info on clamav.net is only referring to
> mailing lists and not very useful

the better question is has the whole fucking IT branche lost its brain 
because nobody seems to have tests for anything, spit out random junk 
and watch for the fallout, be it Cisco or Intel with microcode updates 
where you then get such things:


DISCLAIMER: This update supersedes microcode provided by Red Hat with the CVE-2017-5715 ("Spectre")
DISCLAIMER: CPU branch injection vulnerability mitigation. (Historically, Red Hat has provided updated
DISCLAIMER: microcode, developed by our microprocessor partners, as a customer convenience.) Further
DISCLAIMER: testing has uncovered problems with the microcode provided along with the "Spectre" mitigation
DISCLAIMER: that could lead to system instabilities. As a result, Red Hat is providing an microcode update
DISCLAIMER: that reverts to the last known good microcode version dated before 03 January 2018.
DISCLAIMER: Red Hat strongly recommends that customers contact their hardware provider for the latest microcode updates.
DISCLAIMER:
DISCLAIMER: IMPORTANT: Customers using Intel Skylake-, Broadwell-, and Haswell-based platforms must obtain and
DISCLAIMER: install updated microcode from their hardware vendor immediately. The "Spectre" mitigation requires
DISCLAIMER: both an updated kernel from Red Hat and updated microcode from your hardware vendor.



Re: [clamav-users] URGENT: Clamd is wedged on multiple installations

2018-01-26 Thread maxal
nobody of clamav/cisco reading this list? as the impact is heavy and
probably worldwide - anyone with personal contacts or any other channel
to reach someone there? contact info on clamav.net is only referring to
mailing lists and not very useful 

On Fri, 2018-01-26 at 12:07 +0100, Marco wrote:
> On 26/01/2018 10:39, Ralf Hildebrandt wrote:
> 
> > clamd is leaking filedescriptors for temporary files - ls
> > /proc/`pidof clamd`/fd shows a
> > lot of:
> > 
> > lrwx-- 1 root root 64 Jan 26 10:38 993 -> /tmp/clamav-
> > 736a3d0d2a944a0a79d465671fb754d5.tmp (deleted)
> > lrwx-- 1 root root 64 Jan 26 10:38 994 -> /tmp/clamav-
> > 59b5548fe87bc9a454486cbe37d5c89b.tmp (deleted)
> > lrwx-- 1 root root 64 Jan 26 10:38 995 -> /tmp/clamav-
> > 0e2983c3f35c37d833ea37c2867a0aba.tmp (deleted)
> > ...
> 
> I think that Clamav now knows this very big problem... Anyway these
> are 
> other logs I see (0.99.2 version on RH EL7):
> 
> 2018-01-26T03:41:29.246852+01:00  clamd[18086]: LibClamAV Error: 
> cli_gentempfd: Can't create temporary file 
> /tmp/clamav-f553aa378e37664837deb720f2ce10f6.tmp/clamav-
> ef95d457b05dc585eb4bc09d3fc83edc.tmp: 
> Too many open files
> 
> 2018-01-26T03:41:29.247296+01:00  clamd[18086]: LibClamAV Warning: 
> fileblobScan, fullname == NULL
> 
> 2018-01-26T03:41:29.247458+01:00  clamd[18086]: LibClamAV Error: 
> fileblobDestroy: mixedtextportion not saved: report to 
> http://bugs.clamav.net
> 
> 
> Regards
> Marco


Re: [clamav-users] Anyone notice any issues with clamav 0.99.2 and recent patterns?

2018-01-26 Thread Christoph Moench-Tegeder
## Karl Pielorz (kpielorz_...@tdx.co.uk):

> We're currently running clamav 0.99.2 (technically shown as 0.99.2_8) under 
> FreeBSD 10.3 amd64 - since then we've seen an issue where clamd "kind of 
> dies" - it's still running, there are no errors logged anywhere (we log to 
> syslog) - but whilst it's accepting connections to scan things - for lots 
> of them it doesn't seem to either be accepting data sent to it's socket 
> (causing the caller to hang/timeout eventually) - or return results.

There are reports of exploits against 0.99.2 in the wild. Heise reports
on that (in German, can't find an English source right now):
https://heise.de/-3951801

> I can't yet update to 0.99.3 (as we use FreeBSD's pkg system - and it's not 
> available yet).

If possible, update from HEAD - I already pinged the committer
about MFHing.

Regards,
Christoph

-- 
Spare Space


Re: [clamav-users] URGENT: Clamd is wedged on multiple installations

2018-01-26 Thread Kees Theunissen
On Fri, 26 Jan 2018, Al Varnell wrote:

>If you can't revert to daily 24255 then disable daily.cld until you know it's 
>fixed.
>
>Has anybody updated to daily 24257 to see if that helps? I doubt that it does 
>as no sigs are shown as dropped.

I'm running ClamAv 0.99.2 on two mail servers (debian 9, with
sendmail / MimeDefang / SpamAssassin / ClamAv) and a
workstation (slackware 14.2) without any problem.

I'm currently running daily 24257. But 24256 ran without
problems too.


Regards,

Kees Theunissen.

-- 
Kees Theunissen,  System and network manager,   Tel: +31 (0)40-3334724
Dutch Institute For Fundamental Energy Research (DIFFER)
e-mail address:   c.j.theunis...@differ.nl
postal address:   PO Box 6336, 5600 HH, Eindhoven, the Netherlands
visitors address: De Zaale 20, 5612 AJ, Eindhoven, the Netherlands



Re: [clamav-users] reduce memory footprint by removing some virus definitions on a low memory server

2018-01-26 Thread Al Varnell
Actually, Main is shown to have 4,566,249 signatures whereas daily only has 
1,835,139 with my setup.

But those in Main are older and probably less likely to identify a current 
threat.

-Al-

On Fri, Jan 26, 2018 at 02:46 AM, Matus UHLAR - fantomas wrote:
> I think it would be more logical to drop main.cvd and leave daily.cvd
> - daily.cvd contains more actual signatures.
> 
> bytecode.cvd requires more CPU power - if you are low on CPU, you could skip
> that one too. If not, better keep that one.

-Al-
-- 
Al Varnell
Mountain View, CA









Re: [clamav-users] reduce memory footprint by removing some virus definitions on a low memory server

2018-01-26 Thread Matus UHLAR - fantomas

>> On Jan 26, 2018, at 2:46 AM, Matus UHLAR - fantomas  wrote:
>>
>> I think it would be more logical to drop main.cvd and leave daily.cvd
>> - daily.cvd contains more actual signatures.

On 26.01.18 02:48, Al Varnell wrote:
> Daily contains the corrupted signature that is causing all the grief.

this is a different thread, about lowering clamav's memory footprint. 
:-)

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Honk if you love peace and quiet. 


Re: [clamav-users] URGENT: Clamd is wedged on multiple installations

2018-01-26 Thread Marco

On 26/01/2018 10:39, Ralf Hildebrandt wrote:

> clamd is leaking filedescriptors for temporary files - ls /proc/`pidof clamd`/fd shows a
> lot of:
>
> lrwx-- 1 root root 64 Jan 26 10:38 993 -> /tmp/clamav-736a3d0d2a944a0a79d465671fb754d5.tmp (deleted)
> lrwx-- 1 root root 64 Jan 26 10:38 994 -> /tmp/clamav-59b5548fe87bc9a454486cbe37d5c89b.tmp (deleted)
> lrwx-- 1 root root 64 Jan 26 10:38 995 -> /tmp/clamav-0e2983c3f35c37d833ea37c2867a0aba.tmp (deleted)
> ...

I think that Clamav now knows this very big problem... Anyway these are 
other logs I see (0.99.2 version on RH EL7):

2018-01-26T03:41:29.246852+01:00  clamd[18086]: LibClamAV Error: cli_gentempfd: Can't create temporary file /tmp/clamav-f553aa378e37664837deb720f2ce10f6.tmp/clamav-ef95d457b05dc585eb4bc09d3fc83edc.tmp: Too many open files

2018-01-26T03:41:29.247296+01:00  clamd[18086]: LibClamAV Warning: fileblobScan, fullname == NULL

2018-01-26T03:41:29.247458+01:00  clamd[18086]: LibClamAV Error: fileblobDestroy: mixedtextportion not saved: report to http://bugs.clamav.net



Regards
Marco


Re: [clamav-users] reduce memory footprint by removing some virus definitions on a low memory server

2018-01-26 Thread Tilman Schmidt
Try

# service clamav-freshclam stop

The exact command may vary depending on your OS and distribution which
you didn't mention.

On 26.01.2018 at 11:54, Rajesh M wrote:
> hi all
> 
> even though i removed
> 
> daily.cld
> main.cld
> bytecode.cld
> mirrors.dat 
> 
> all of these has been recreated automatically
> 
> i am not running freshclam via a cron job
> 
> help required in disabling clam updates 
> 
> rajesh



Re: [clamav-users] URGENT: Clamd is wedged on multiple installations

2018-01-26 Thread Andreas Schulze
On 26.01.2018 at 11:48, Ralf Hildebrandt wrote:
>> Arguably if a bug in the signatures can lead to such massive problems
>> then that is in itself a bug in the software, which might be (but
>> apparently so far isn't) fixed in a later version.
> 
> Amen to that.

the former 0.99.3beta2 doesn't crash with latest daily.cvd
I could use that version, but what's with the CVEs?
assume, they are still unfixed in the beta code...


-- 
A. Schulze
DATEV eG


Re: [clamav-users] reduce memory footprint by removing some virus definitions on a low memory server

2018-01-26 Thread lukn
stop freshclam daemon

On 26.01.2018 11:54, Rajesh M wrote:
> hi all
> 
> even though i removed
> 
> daily.cld
> main.cld
> bytecode.cld
> mirrors.dat 
> 
> all of these has been recreated automatically
> 
> i am not running freshclam via a cron job
> 
> help required in disabling clam updates 
> 
> rajesh
> 
> 
> - Original Message -
> From: Sophie Loewenthal [mailto:sop...@klunky.co.uk]
> To: clamav-users@lists.clamav.net
> Sent: Fri, 26 Jan 2018 10:12:12 +0100
> Subject: 
> 
> Thanks for the suggestions  h.rei...@thelounge.net 
>  and 24x7ser...@24x7server.net 
>  and alvarn...@mac.com 
> 
> Daily removed for the time being anyway.
> 
> 
> 
>> On 26 Jan 2018, at 09:55, Rajesh M <24x7ser...@24x7server.net> wrote:
>>
>> hi 
>>
>> this is what i did on my mail server
>>
>> cd /var/lib/clamav
>>
>> mv daily.cld daily.cld.BAK
>> mv main.cld main.cld.BAK
>> mv bytecode.cld bytecode.cld.BAK
>> mv mirrors.dat mirrors.dat.BAK
>>
>> kept foxhole_all and badmacro.ndb unofficial which handles all kinds of bad 
>> attachments / macros.
>>
>> also have spam-assassin with oledb macro plugin.
>>
>> things seem to work now
>>
>> rajesh
>>
>>
>> - Original Message -
>> From: Sophie Loewenthal [mailto:sop...@klunky.co.uk]
>> To: clamav-users@lists.clamav.net
>> Sent: Fri, 26 Jan 2018 09:41:38 +0100
>> Subject: 
>>
>> Hi everybody,
>>
>> Would removing some of the virus definitions on a memory sparse server still 
>> leave a semi-usable clamav scanner? 
>>
>> e.g if I just left 
>> main.cvd
>> bytecode.cvd
>>
>> and dropped daily.cvd?
>>
>> Or some other config.
>>
>> e.g just kept the unofficial sigs and the bytecode.
>>
>> I realize this is reducing clamav’s effectiveness, but my other option is to 
>> remove clamav.
>>
>> Kind regards,
>> Sophie
>>
>>
>>
>>
>>
>>


Re: [clamav-users] reduce memory footprint by removing some virus definitions on a low memory server

2018-01-26 Thread Rajesh M
hi all

even though i removed

daily.cld
main.cld
bytecode.cld
mirrors.dat 

all of these has been recreated automatically

i am not running freshclam via a cron job

help required in disabling clam updates 

rajesh


- Original Message -
From: Sophie Loewenthal [mailto:sop...@klunky.co.uk]
To: clamav-users@lists.clamav.net
Sent: Fri, 26 Jan 2018 10:12:12 +0100
Subject: 

Thanks for the suggestions  h.rei...@thelounge.net 
 and 24x7ser...@24x7server.net 
 and alvarn...@mac.com 

Daily removed for the time being anyway.



> On 26 Jan 2018, at 09:55, Rajesh M <24x7ser...@24x7server.net> wrote:
> 
> hi 
> 
> this is what i did on my mail server
> 
> cd /var/lib/clamav
> 
> mv daily.cld daily.cld.BAK
> mv main.cld main.cld.BAK
> mv bytecode.cld bytecode.cld.BAK
> mv mirrors.dat mirrors.dat.BAK
> 
> kept foxhole_all and badmacro.ndb unofficial which handles all kinds of bad 
> attachments / macros.
> 
> also have spam-assassin with oledb macro plugin.
> 
> things seem to work now
> 
> rajesh
> 
> 
> - Original Message -
> From: Sophie Loewenthal [mailto:sop...@klunky.co.uk]
> To: clamav-users@lists.clamav.net
> Sent: Fri, 26 Jan 2018 09:41:38 +0100
> Subject: 
> 
> Hi everybody,
> 
> Would removing some of the virus definitions on a memory sparse server still 
> leave a semi-usable clamav scanner? 
> 
> e.g if I just left 
> main.cvd
> bytecode.cvd
> 
> and dropped daily.cvd?
> 
> Or some other config.
> 
> e.g just kept the unofficial sigs and the bytecode.
> 
> I realize this is reducing clamav’s effectiveness, but my other option is to 
> remove clamav.
> 
> Kind regards,
> Sophie
> 
> 
> 
> 
> 
> 


Re: [clamav-users] reduce memory footprint by removing some virus definitions on a low memory server

2018-01-26 Thread Al Varnell
Daily contains the corrupted signature that is causing all the grief.

Sent from my iPad

-Al-

> On Jan 26, 2018, at 2:46 AM, Matus UHLAR - fantomas  wrote:
> 
> I think it would be more logical to drop main.cvd and leave daily.cvd
> - daily.cvd contains more actual signatures.


Re: [clamav-users] URGENT: Clamd is wedged on multiple installations

2018-01-26 Thread Ralf Hildebrandt
> Arguably if a bug in the signatures can lead to such massive problems
> then that is in itself a bug in the software, which might be (but
> apparently so far isn't) fixed in a later version.

Amen to that.
-- 
Ralf Hildebrandt                   Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.de        Campus Benjamin Franklin
https://www.charite.de             Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155




Re: [clamav-users] URGENT: Clamd is wedged on multiple installations

2018-01-26 Thread Tilman Schmidt
On 26.01.2018 at 11:36, Reindl Harald wrote:
> On 26.01.2018 at 11:28, Andreas Schulze wrote:
>>
>> just updated to 0.99.3 ( which is a 0.99.2 + Security fixes ) but
>> still clamav doesn't work as expected.
>>
>> Fri Jan 26 11:23:10 2018 -> ERROR: accept() failed:
>> Fri Jan 26 11:23:10 2018 -> ERROR: accept() failed:
> 
> because it's a bug in the signatures?
> as expected!

Arguably if a bug in the signatures can lead to such massive problems
then that is in itself a bug in the software, which might be (but
apparently so far isn't) fixed in a later version.



Re: [clamav-users] reduce memory footprint by removing some virus definitions on a low memory server

2018-01-26 Thread Matus UHLAR - fantomas

On 26.01.18 09:41, Sophie Loewenthal wrote:
> Would removing some of the virus definitions on a memory sparse server still 
> leave a semi-usable clamav scanner?
>
> e.g if I just left
> main.cvd
> bytecode.cvd
>
> and dropped daily.cvd?

I think it would be more logical to drop main.cvd and leave daily.cvd
- daily.cvd contains more actual signatures.

bytecode.cvd requires more CPU power - if you are low on CPU, you could skip
that one too. If not, better keep that one.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I wonder how much deeper the ocean would be without sponges. 


Re: [clamav-users] URGENT: Clamd is wedged on multiple installations

2018-01-26 Thread Reindl Harald



On 26.01.2018 at 11:28, Andreas Schulze wrote:
> On 26.01.2018 at 10:01, Ralf Hildebrandt wrote:
>> * Reindl Harald :
>>
>>> sounds like an issue with the official signatures given that you are not the
>>> first reporter and that we don't use them and have no problems
>>
>> Thought so. Must be a recent signature in daily.cvd.
>
> just updated to 0.99.3 ( which is a 0.99.2 + Security fixes ) but still clamav 
> doesn't work as expected.
>
> Fri Jan 26 11:23:10 2018 -> ERROR: accept() failed:
> Fri Jan 26 11:23:10 2018 -> ERROR: accept() failed:

because it's a bug in the signatures?
as expected!


Re: [clamav-users] URGENT: Clamd is wedged on multiple installations

2018-01-26 Thread Al Varnell
If you can't revert to daily 24255 then disable daily.cld until you know it's 
fixed.

Has anybody updated to daily 24257 to see if that helps? I doubt that it does 
as no sigs are shown as dropped.

Sent from my iPad

-Al-

> On Jan 26, 2018, at 2:28 AM, Andreas Schulze  wrote:
> 
> looks like we have to disable official sigs or clamav at all...


Re: [clamav-users] open file descriptors

2018-01-26 Thread Johan Loubser


On 26/01/2018 12:15, Reindl Harald wrote:
> besides that such signatures are braindead on a public list please
> look at the other threads - the daily sigs are fucked up currently
>
> On 26.01.2018 at 11:13, Johan Loubser wrote:
>> The integrity and confidentiality of this email is governed by these
>> terms / Die integriteit en vertroulikheid van hierdie e-pos word deur
>> die volgende bepalings gereël. http://www.sun.ac.za/emaildisclaimer



Thanks i saw the rest of the list and that i am not the only with this
problem.

Below the detail that was did get to the list in the first email.

Hi
ClamAV 0.99.2/24257/Fri Jan 26 11:24:57 2018
clamd on rhel7 with exim was working without problems for many years.
this is on 3 mail relay servers.

I suddenly run out of open file descriptors.
clamd   20426 clam *684u   REG  253,2  2220 3811775
/var/tmp/clamav-24e66ae5ebcc6fbb1b688a86e7c5d925.tmp (deleted)
clamd   20426 clam *685u   REG  253,2   531 3811777
/var/tmp/clamav-f8e9b48915af784f045dff36b229da7d.tmp (deleted)

I hit the 1024 limit after extending via systemd config i now can go
past 1024 limit but openfiles that is deleted.
The total keep growing until restart of clamd
Any help would be appreciated.

The problem started.
Fri Jan 26 04:35:55 2018 -> ERROR: accept() failed:
Fri Jan 26 04:35:55 2018 -> ERROR: accept() failed:
Fri Jan 26 04:35:55 2018 -> ERROR: accept() failed:
Fri Jan 26 04:35:55 2018 -> ERROR: accept() failed:
Fri Jan 26 04:35:55 2018 -> ERROR: accept() failed:
Fri Jan 26 04:35:55 2018 ->
/var/spool/exim/scan/1eetru-0004Cl-RG/1eetru-0004Cl-RG.eml: Can't open
file or directory ERROR
Fri Jan 26 04:35:55 2018 ->
/var/spool/exim/scan/1eetru-0004Cm-RO/1eetru-0004Cm-RO.eml: Can't open
file or directory ERROR
Fri Jan 26 04:35:58 2018 ->
/var/spool/exim/scan/1eetry-0004D2-0h/1eetry-0004D2-0h.eml: Can't open
file or directory ERROR

*Johan Loubser*

The integrity and confidentiality of this email is governed by these terms / 
Die integriteit en vertroulikheid van hierdie e-pos word deur die volgende 
bepalings gereël. http://www.sun.ac.za/emaildisclaimer


Re: [clamav-users] URGENT: Clamd is wedged on multiple installations

2018-01-26 Thread Andreas Schulze
On 26.01.2018 at 10:01, Ralf Hildebrandt wrote:
> * Reindl Harald :
> 
>> sounds like an issue with the official signatures given that you are not the
>> first reporter and that we don't use them and have no problems
> 
> Thought so. Must be a recent signature in daily.cvd.

just updated to 0.99.3 ( which is a 0.99.2 + Security fixes ) but still clamav 
doesn't work as expected.

Fri Jan 26 11:23:10 2018 -> ERROR: accept() failed: 
Fri Jan 26 11:23:10 2018 -> ERROR: accept() failed: 
Fri Jan 26 11:23:10 2018 -> ERROR: accept() failed: 
Fri Jan 26 11:23:10 2018 -> ERROR: accept() failed: 
Fri Jan 26 11:23:10 2018 -> ERROR: accept() failed: 
Fri Jan 26 11:23:10 2018 -> ERROR: accept() failed: 
Fri Jan 26 11:23:10 2018 -> ERROR: accept() failed: 
Fri Jan 26 11:23:10 2018 -> ERROR: accept() failed: 
Fri Jan 26 11:23:10 2018 -> ERROR: accept() failed: 
Fri Jan 26 11:23:10 2018 -> ERROR: accept() failed: 
Fri Jan 26 11:23:10 2018 -> ERROR: accept() failed: 
Fri Jan 26 11:23:10 2018 -> ERROR: accept() failed: 
Fri Jan 26 11:23:10 2018 -> ERROR: accept() failed: 
Fri Jan 26 11:23:10 2018 -> ERROR: accept() failed: 
Fri Jan 26 11:23:10 2018 -> ERROR: accept() failed: 
Fri Jan 26 11:23:10 2018 -> ERROR: accept() failed: 
Fri Jan 26 11:23:10 2018 -> ERROR: accept() failed: 
Fri Jan 26 11:23:10 2018 -> ERROR: accept() failed: 
Fri Jan 26 11:23:10 2018 -> /opt/amavis/tmp/afwkdfLS/parts/p006: Can't open 
file or directory ERROR
Fri Jan 26 11:23:10 2018 -> /opt/amavis/tmp/afpEpkat/parts/p004: Can't open 
file or directory ERROR
Fri Jan 26 11:23:10 2018 -> /opt/amavis/tmp/afpEpkat/parts/p001: Can't 
create new file ERROR
Fri Jan 26 11:23:10 2018 -> /opt/amavis/tmp/afpEpkat/parts/p002: Can't open 
file or directory ERROR
Fri Jan 26 11:23:10 2018 -> /opt/amavis/tmp/afka2dVq/parts/p001: Can't 
create new file ERROR
Fri Jan 26 11:23:10 2018 -> /opt/amavis/tmp/afka2dVq/parts/p005: Can't open 
file or directory ERROR
Fri Jan 26 11:23:10 2018 -> /opt/amavis/tmp/afka2dVq/parts/p002: Can't 
create new file ERROR
Fri Jan 26 11:23:10 2018 -> /opt/amavis/tmp/afka2dVq/parts/p003: Can't open 
file or directory ERROR
Fri Jan 26 11:23:10 2018 -> /opt/amavis/tmp/afVaWWDm/parts/p007: Can't open 
file or directory ERROR
Fri Jan 26 11:23:10 2018 -> /opt/amavis/tmp/afVaWWDm/parts/p001: Can't 
create new file ERROR
Fri Jan 26 11:23:10 2018 -> /opt/amavis/tmp/afVaWWDm/parts/p002: Can't open 
file or directory ERROR
Fri Jan 26 11:23:10 2018 -> /opt/amavis/tmp/afruM9hl/parts/p001: Can't 
create new file ERROR
Fri Jan 26 11:23:11 2018 -> /opt/amavis/tmp/afruM9hl/parts/p004: Can't 
create temporary file ERROR
Fri Jan 26 11:23:11 2018 -> /opt/amavis/tmp/afruM9hl/parts/p005: Can't 
create temporary file ERROR

looks like we have to disable official sigs or clamav at all...

-- 
A. Schulze
DATEV eG
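
The log symptoms posted in this thread can be turned into a detection rule. The following is an added example, not part of any post and not ClamAV project code: it parses both log layouts quoted on this page (clamd's own log file and ISO-timestamp syslog) and separates an isolated file error from a burst of mixed descriptor-exhaustion symptoms. The sample lines are constructed, and the 60-second window, the thresholds, the host name `mx1` and the `example-*` paths are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# clamd's own log file: "Fri Jan 26 11:23:10 2018 -> ERROR: accept() failed:"
CLAMD_LOG = re.compile(
    r"^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) -> (?P<msg>.*)$")
# syslog with ISO timestamps; the host field is optional because the lines
# quoted in the thread have it stripped. The UTC offset is ignored.
SYSLOG = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)\S*\s+(?:\S+\s+)?"
    r"clamd\[\d+\]: (?P<msg>.*)$")

# Ordered: the explicit EMFILE text wins over the more generic messages.
SYMPTOMS = [
    ("emfile", re.compile(r"Too many open files")),
    ("accept", re.compile(r"ERROR: accept\(\) failed")),
    ("tmpfile", re.compile(r"Can't create (?:temporary|new) file")),
    ("open", re.compile(r"Can't open file or directory")),
]


def classify(msg):
    """Return the symptom name for a log message, or None if it is unrelated."""
    for kind, pattern in SYMPTOMS:
        if pattern.search(msg):
            return kind
    return None


def parse_log(lines):
    """Turn raw log lines into (timestamp, symptom) events, skipping the rest."""
    events = []
    for line in lines:
        m = CLAMD_LOG.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        else:
            m = SYSLOG.match(line)
            if not m:
                continue
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S")
        kind = classify(m.group("msg"))
        if kind:
            events.append((ts, kind))
    return events


def find_bursts(events, window=timedelta(seconds=60), min_events=10, min_kinds=2):
    """Report windows with many events of at least min_kinds different symptoms.

    One failing path produces one symptom; descriptor exhaustion makes
    accept(), open and temp-file creation fail together.
    """
    events = sorted(events)
    bursts, i = [], 0
    while i < len(events):
        j = i
        while j < len(events) and events[j][0] - events[i][0] <= window:
            j += 1
        kinds = Counter(kind for _, kind in events[i:j])
        if j - i >= min_events and len(kinds) >= min_kinds:
            bursts.append({"start": events[i][0], "events": j - i,
                           "kinds": dict(kinds)})
            i = j  # continue after this burst
        else:
            i += 1
    return bursts


# Constructed sample modelled on the line formats quoted in the thread.
SAMPLE_LOG = (
    "Fri Jan 26 09:10:02 2018 -> SelfCheck: Database status OK.\n"
    "Fri Jan 26 10:05:41 2018 -> /opt/amavis/tmp/example-a/parts/p001: "
    "Can't open file or directory ERROR\n"
    + "Fri Jan 26 11:23:10 2018 -> ERROR: accept() failed: \n" * 8
    + "Fri Jan 26 11:23:10 2018 -> /opt/amavis/tmp/example-b/parts/p001: "
    "Can't create new file ERROR\n"
    "Fri Jan 26 11:23:10 2018 -> /opt/amavis/tmp/example-b/parts/p002: "
    "Can't open file or directory ERROR\n"
    "Fri Jan 26 11:23:11 2018 -> /opt/amavis/tmp/example-c/parts/p004: "
    "Can't create temporary file ERROR\n"
    "2018-01-26T11:23:11.000000+01:00 mx1 clamd[4242]: LibClamAV Error: "
    "cli_gentempfd: Can't create temporary file "
    "/tmp/clamav-00000000000000000000000000000000.tmp: Too many open files\n"
)

if __name__ == "__main__":
    for burst in find_bursts(parse_log(SAMPLE_LOG.splitlines())):
        print(burst["start"].isoformat(), burst["events"], burst["kinds"])
```

The isolated 10:05:41 error in the sample does not trigger; only the mixed burst at 11:23:10 is reported.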


Re: [clamav-users] open file descriptors

2018-01-26 Thread Reindl Harald
besides that such signatures are braindead on a public list please look 
at the other threads - the daily sigs are fucked up currently


On 26.01.2018 at 11:13, Johan Loubser wrote:
> The integrity and confidentiality of this email is governed by these terms / 
> Die integriteit en vertroulikheid van hierdie e-pos word deur die volgende 
> bepalings gereël. http://www.sun.ac.za/emaildisclaimer




[clamav-users] open file descriptors

2018-01-26 Thread Johan Loubser
The integrity and confidentiality of this email is governed by these terms / 
Die integriteit en vertroulikheid van hierdie e-pos word deur die volgende 
bepalings gereël. http://www.sun.ac.za/emaildisclaimer


Re: [clamav-users] URGENT: Clamd is wedged on multiple installations

2018-01-26 Thread Ralf Hildebrandt
* Dianne Skoll :
> Hi,
> 
> Something went badly wrong with clamd recently; it's stuck with
> hundreds/thousands of open files per process and interrupting mail flow.
> 
> When a scanning thread finishes, I see this in the strace output.
> (I ran clamdscan /etc/hosts as a test):
> 
> [pid  3707] 02:11:01 sendto(295, "/etc/hosts: OK\n", 15, 0, NULL, 0) = 15
> [pid  3707] 02:11:01 shutdown(295, SHUT_RDWR) = 0
> [pid  3707] 02:11:01 close(295) = 0
> [pid  3707] 02:11:01 futex(0x1933c3c, 
> FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME, 387, {1516950691, 0}, 
> ) = -1 ETIMEDOUT (Connection timed out)
> [pid  3707] 02:11:31 futex(0x1933c10, FUTEX_WAKE_PRIVATE, 1) = 0
> [pid  3707] 02:11:31 madvise(0x7fae6affe000, 8368128, MADV_DONTNEED) = 0
> [pid  3707] 02:11:31 _exit(0)   = ?
> [pid  3707] 02:11:31 +++ exited with 0 +++

clamd is leaking file descriptors for temporary files - ls /proc/`pidof clamd`/fd shows a lot of:

lrwx-- 1 root root 64 Jan 26 10:38 993 -> /tmp/clamav-736a3d0d2a944a0a79d465671fb754d5.tmp (deleted)
lrwx-- 1 root root 64 Jan 26 10:38 994 -> /tmp/clamav-59b5548fe87bc9a454486cbe37d5c89b.tmp (deleted)
lrwx-- 1 root root 64 Jan 26 10:38 995 -> /tmp/clamav-0e2983c3f35c37d833ea37c2867a0aba.tmp (deleted)
...

-- 
Ralf Hildebrandt   Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.deCampus Benjamin Franklin
https://www.charite.de Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155
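
Added example (not part of the message above and not ClamAV project code): a small shell check that turns the `ls /proc/<pid>/fd` observation into numbers, counting descriptors that point at unlinked `clamav-*.tmp` files and comparing them with the process's soft open-files limit. The function names and the 50% default threshold are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: quantify the descriptor leak visible in /proc/<pid>/fd.

# fd_leak_summary <fd_dir>  ->  prints "<total> <leaked>"
# leaked = descriptors whose link target is an unlinked clamav temp file,
# i.e. ".../clamav-<id>.tmp (deleted)" as in the listing above.
fd_leak_summary() (
    total=0 leaked=0
    for entry in "$1"/*; do
        [ -L "$entry" ] || continue      # entries in /proc/<pid>/fd are symlinks
        target=$(readlink "$entry") || continue
        total=$((total + 1))
        case $target in
            */clamav-*.tmp' (deleted)') leaked=$((leaked + 1)) ;;
        esac
    done
    echo "$total $leaked"
)

# soft_nofile_limit <limits_file>  ->  soft "Max open files" value.
# The file must be in the format of /proc/<pid>/limits.
soft_nofile_limit() {
    awk '/^Max open files/ { print $4 }' "$1"
}

# fd_leak_alarm <fd_dir> <limits_file> [pct]
# Status 0 when leaked descriptors use at least pct% (default 50, an
# assumed threshold) of the soft limit, 1 otherwise, 2 if no limit is known.
fd_leak_alarm() (
    pct=${3:-50}
    limit=$(soft_nofile_limit "$2")
    case $limit in ''|unlimited) exit 2 ;; esac
    leaked=$(fd_leak_summary "$1" | cut -d' ' -f2)
    [ $((leaked * 100)) -ge $((limit * pct)) ]
)

# Live use (needs permission to read the process's fd directory):
#   sh this_script.sh "$(pidof -s clamd)"
if [ -n "${1:-}" ]; then
    fd_leak_summary "/proc/$1/fd"
    fd_leak_alarm "/proc/$1/fd" "/proc/$1/limits" && echo "clamd is leaking descriptors"
fi
```

Run from cron or a monitoring agent, the alarm status gives warning before `accept()` starts failing for lack of descriptors.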




Re: [clamav-users] Anyone notice any issues with clamav 0.99.2 and recent patterns?

2018-01-26 Thread Gene Heskett
On Friday 26 January 2018 04:04:53 Gene Heskett wrote:

> On Friday 26 January 2018 03:19:52 maxal wrote:
> > On Fri, 2018-01-26 at 08:11 +0100, lukn wrote:
> > > Same on a machine with clamav-milter:
> > >
> > > clamav-milter[8241]: Failed to initiate streaming/fdpassing
> > > clamav-milter[8241]: Unknown reply from clamd
> > > clamd[11895]: instream(127.0.0.1@49958): Can't open file or
> > > directory ERROR
> > > clamav-milter[8241]: send failed: Broken pipe
> > > clamav-milter[8241]: Streaming failed
> > > clamd[11895]: accept() failed:
> > >
> > > I suspect a toxic signature keeps killing clamd
> >
> > as a side-effect of the issue clamd keeps filling up /tmp/ with
> > clamav- x.tmp and an empty 'rfc2397' folder and so running out of
> > filedescriptors.
>
> I've got clamav-hash.tmp's, way too many for rmdir to clean up,
> argument list too long.  And growing rapidly. So I'm going to kill it
> all. Including the procmail usages. That gave me enough system to rm
> -fR clamav-*

But I had to reboot just to send these emails.

Please post when it's safe to restart clamav's daemon.
>
> > > On 26.01.2018 07:47, lukn wrote:
> > > > Good morning list
> > > >
> > > > same here, since about 4am CET we see permanent crashes of
> > > > clamd. Process indeed disappears, but logging is minimal. All I
> > > > see is:
> > > >
> > > > clamd[25989]: instream(127.0.0.1@58142): Can't open file or
> > > > directory ERROR
> > > > clamd[25989]: accept() failed:
> > > >
> > > > the second line repeats several dozen times.
> > > >
> > > > I use clamd to scan mail with fuglu (fuglu.org) which talks to
> > > > clamd via
> > > > TCP socket.
> > >



-- 
Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page 


Re: [clamav-users] Anyone notice any issues with clamav 0.99.2 and recent patterns?

2018-01-26 Thread Gene Heskett
On Friday 26 January 2018 03:19:52 maxal wrote:

> On Fri, 2018-01-26 at 08:11 +0100, lukn wrote:
> > Same on a machine with clamav-milter:
> >
> > clamav-milter[8241]: Failed to initiate streaming/fdpassing
> > clamav-milter[8241]: Unknown reply from clamd
> > clamd[11895]: instream(127.0.0.1@49958): Can't open file or
> > directory ERROR
> > clamav-milter[8241]: send failed: Broken pipe
> > clamav-milter[8241]: Streaming failed
> > clamd[11895]: accept() failed:
> >
> > I suspect a toxic signature keeps killing clamd
>
> as a side-effect of the issue clamd keeps filling up /tmp/ with
> clamav- x.tmp and an empty 'rfc2397' folder and so running out of
> filedescriptors.
>
I've got clamav-hash.tmp's, way too many for rmdir to clean up, argument 
list too long.  And growing rapidly. So I'm going to kill it all. 
Including the procmail usages. That gave me enough system to rm -fR 
clamav-*


> > On 26.01.2018 07:47, lukn wrote:
> > > Good morning list
> > >
> > > same here, since about 4am CET we see permanent crashes of clamd.
> > > Process indeed disappears, but logging is minimal. All I see is:
> > >
> > > clamd[25989]: instream(127.0.0.1@58142): Can't open file or
> > > directory ERROR
> > > clamd[25989]: accept() failed:
> > >
> > > the second line repeats several dozen times.
> > >
> > > I use clamd to scan mail with fuglu (fuglu.org) which talks to
> > > clamd via
> > > TCP socket.
> >



-- 
Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page 
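
Added example (not part of the messages above and not ClamAV project code): one way to clear a directory of `clamav-*` leftovers without hitting "argument list too long", by letting `find` match the names and batch the `rm` calls instead of expanding a shell glob. The function name and the `--dry-run` switch are assumptions made for this illustration; files still held open by a running clamd only release their space once the daemon is stopped.

```shell
#!/bin/sh
# Added example: remove clamav-* temp entries from one directory.

# purge_clamav_tmp <dir> [--dry-run]
# Prints the number of matching entries; deletes them unless --dry-run.
# - find matches the names itself, so no glob is expanded into argv
# - "-exec ... {} +" batches paths below the kernel's argument limit
# - "! -type l" skips symlinks, so a planted link named clamav-* is
#   neither followed nor removed
# - -maxdepth 1 keeps the sweep inside <dir>; rm -rf handles the
#   clamav-* directories themselves
purge_clamav_tmp() (
    dir=$1 mode=${2:-}
    [ -d "$dir" ] || exit 2
    if [ "$mode" = "--dry-run" ]; then
        find "$dir" -mindepth 1 -maxdepth 1 -name 'clamav-*' ! -type l -print
    else
        find "$dir" -mindepth 1 -maxdepth 1 -name 'clamav-*' ! -type l \
             -print -exec rm -rf -- {} +
    fi | wc -l | tr -d ' '
)

# Live use: sh this_script.sh /tmp --dry-run   (then again without --dry-run)
if [ -n "${1:-}" ]; then
    purge_clamav_tmp "$1" "${2:-}"
fi
```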


Re: [clamav-users] reduce memory footprint by removing some virusdefinitions on a low memory server

2018-01-26 Thread Sophie Loewenthal
Thanks for the suggestions h.rei...@thelounge.net and 24x7ser...@24x7server.net and alvarn...@mac.com

Daily removed for the time being anyway.



> On 26 Jan 2018, at 09:55, Rajesh M <24x7ser...@24x7server.net> wrote:
> 
> hi 
> 
> this is what i did on my mail server
> 
> cd /var/lib/clamav
> 
> mv daily.cld daily.cld.BAK
> mv main.cld main.cld.BAK
> mv bytecode.cld bytecode.cld.BAK
> mv mirrors.dat mirrors.dat.BAK
> 
> kept foxhole_all and badmacro.ndb unofficial which handles all kinds of bad 
> attachments / macros.
> 
> also have spam-assassin with oledb macro plugin.
> 
> things seem to work now
> 
> rajesh
> 
> 
> - Original Message -
> From: Sophie Loewenthal [mailto:sop...@klunky.co.uk]
> To: clamav-users@lists.clamav.net
> Sent: Fri, 26 Jan 2018 09:41:38 +0100
> Subject: 
> 
> Hi everybody,
> 
> Would removing some of the virus definitions on a memory sparse server still 
> leave a semi-usable clamav scanner? 
> 
> e.g if I just left 
> main.cvd
> bytecode.cvd
> 
> and dropped daily.cvd?
> 
> Or some other config.
> 
> e.g just kept the unofficial sigs and the bytecode.
> 
> I realize this is reducing clamav’s effectiveness, but my other option is to 
> remove clamav.
> 
> Kind regards,
> Sophie
> 
> 
> 
> 
> 
> 


Re: [clamav-users] URGENT: Clamd is wedged on multiple installations

2018-01-26 Thread Ralf Hildebrandt
* Reindl Harald :

> sounds like an issue with the official signatures given that you are not the
> first reporter and that we don't use them and have no problems

Thought so. Must be a recent signature in daily.cvd.

-- 
Ralf Hildebrandt   Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.deCampus Benjamin Franklin
https://www.charite.de Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155




Re: [clamav-users] reduce memory footprint by removing some virusdefinitions on a low memory server

2018-01-26 Thread Al Varnell
The problem is clearly with daily.cld which was the only thing updated today, 
so disabling it should work for now.

mirrors.dat has nothing to do with signatures. It just keeps track of the 
mirrors used and any failures associated with them to prevent their use if 
necessary.

-Al-

On Fri, Jan 26, 2018 at 12:55 AM, Rajesh M wrote:
> hi 
> 
> this is what i did on my mail server
> 
> cd /var/lib/clamav
> 
> mv daily.cld daily.cld.BAK
> mv main.cld main.cld.BAK
> mv bytecode.cld bytecode.cld.BAK
> mv mirrors.dat mirrors.dat.BAK
> 
> kept foxhole_all and badmacro.ndb unofficial which handles all kinds of bad 
> attachments / macros.
> 
> also have spam-assassin with oledb macro plugin.
> 
> things seem to work now
> 
> rajesh
> 
> 
> - Original Message -
> From: Sophie Loewenthal [mailto:sop...@klunky.co.uk 
> ]
> To: clamav-users@lists.clamav.net 
> Sent: Fri, 26 Jan 2018 09:41:38 +0100
> Subject: 
> 
> Hi everybody,
> 
> Would removing some of the virus definitions on a memory sparse server still 
> leave a semi-usable clamav scanner? 
> 
> e.g if I just left 
> main.cvd
> bytecode.cvd
> 
> and dropped daily.cvd?
> 
> Or some other config.
> 
> e.g just kept the unofficial sigs and the bytecode.
> 
> I realize this is reducing clamav’s effectiveness, but my other option is to 
> remove clamav.
> 
> Kind regards,
> Sophie
> 
> 
> 
> 
> 
> 

-Al-
-- 
Al Varnell
Mountain View, CA








Re: [clamav-users] Anyone notice any issues with clamav 0.99.2 and recent patterns?

2018-01-26 Thread Ralf Hildebrandt
* Karl Pielorz :

> This ends up with a lot of wedged mail processes (and we slowly run out of
> fd's as the process table fills up).

Same here on Ubuntu 16.04 with official patterns.

-- 
Ralf Hildebrandt   Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.deCampus Benjamin Franklin
https://www.charite.de Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155



