Re: [clamav-users] Clamscan taking a very long time

2020-01-02 Thread Michael Newman via clamav-users

On Jan 3, 2020, at 00:00, G.W. Haywood wrote:

> Please define "suddenly".

Suddenly means that the scan on December 17th took about two hours:

  Time: 7569.856 sec (126 m 9 s)

and the next scan, on December 24th took about nine hours:

  Time: 35785.296 sec (596 m 25 s)

Both scans used:

  Engine version: 0.102.1

> In any case I'd want to know what all those errors are.

So would I. Both of the above scans had:

  Total errors: 49

I scanned again removing --quiet, but there’s no indication as to what those 
errors are. 

Today there were just 4 errors.

I’ve searched and looked through the ClamAV documentation but haven’t been 
smart enough to find a definition for "Total errors:". Does anyone know what it 
means?

> What has ClamAV found that you think shouldn't have been there?

Nothing. The only problem is that several scans took nine hours when, over the 
past couple of years, every scan has taken about two hours. Today’s scan, with 
--quiet removed, took about two and a half hours.

I’d like to know why the recent scans have taken so long.

Here’s the result of today’s scan:

=

Fri Jan  3 04:44:09 +07 2020 Start clamscan
/Users/mnewman/Library/Mail/V7/40D4A1AB-4AC4-4D92-94A8-ACCBACCBB2CB/Deleted Messages.mbox/96546A05-A248-4911-AD12-0E19978E6803/Data/4/7/4/Messages/474077.partial.emlx: Heuristics.Phishing.Email.SpoofedDomain FOUND
/Users/mnewman/Library/Mail/V7/40D4A1AB-4AC4-4D92-94A8-ACCBACCBB2CB/Deleted Messages.mbox/96546A05-A248-4911-AD12-0E19978E6803/Data/4/7/4/Messages/474077.partial.emlx: Heuristics.Phishing.Email.SpoofedDomain FOUND
/Users/mnewman/Library/Mail/V7/40D4A1AB-4AC4-4D92-94A8-ACCBACCBB2CB/Deleted Messages.mbox/96546A05-A248-4911-AD12-0E19978E6803/Data/4/7/4/Messages/474077.partial.emlx: Heuristics.Phishing.Email.SpoofedDomain FOUND
/Users/mnewman/Library/testfile.txt: Eicar-Test-Signature FOUND
--- SCAN SUMMARY ---
Known viruses: 6643097
Engine version: 0.102.1
Scanned directories: 249364
Scanned files: 694140
Infected files: 1
Total errors: 4
Data scanned: 70545.69 MB
Data read: 73821.73 MB (ratio 0.96:1)
Time: 9886.090 sec (164 m 46 s)
ClamAV scan finished: Fri Jan 3 07:28:55 +07 2020
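
Added here as an example for comparing runs like the ones quoted in this thread; it is not code from the thread or from the ClamAV project. It pulls every "--- SCAN SUMMARY ---" block out of a clamscan log and reports throughput per run, so a slow scan can be judged by MB/s and files/s rather than by wall-clock time alone (if MB/s collapses while the data volume shrinks, the extra time is not explained by more data). The embedded log is constructed from the two summaries Michael posted in his first mail; summarize_scans and throughput_ratio are names chosen for this example.

```shell
#!/bin/sh
# Added example, not from the thread or from ClamAV: pull every
# "--- SCAN SUMMARY ---" block out of a clamscan log and compute per-run
# throughput, so a slow run can be compared with a fast one on MB/s and
# files/s rather than on wall-clock time alone.

# Constructed sample log: the two summaries quoted in this thread, back to back.
SAMPLE_LOG='--- SCAN SUMMARY ---
Known viruses: 6613648
Engine version: 0.100.1
Scanned directories: 261793
Scanned files: 636746
Infected files: 11
Total errors: 1
Data scanned: 81505.97 MB
Data read: 105156.85 MB (ratio 0.78:1)
Time: 8728.307 sec (145 m 28 s)
--- SCAN SUMMARY ---
Known viruses: 6639105
Engine version: 0.102.1
Scanned directories: 206450
Scanned files: 578017
Infected files: 1
Total errors: 49
Data scanned: 51163.40 MB
Data read: 55583.83 MB (ratio 0.92:1)
Time: 32246.560 sec (537 m 26 s)'

# summarize_scans: read a clamscan log on stdin and print one line per summary:
#   engine  files  errors  data_read_MB  seconds  MB_per_s  files_per_s
summarize_scans() {
    awk '
    function flush() {
        if (seen && secs > 0)
            printf "%s %d %d %.2f %.3f %.2f %.1f\n",
                   engine, files, errors, mb, secs, mb / secs, files / secs
        seen = 0; engine = "?"; files = 0; errors = 0; mb = 0; secs = 0
    }
    /^--- SCAN SUMMARY ---/ { flush(); seen = 1; next }
    /^Engine version:/      { engine = $3 }
    /^Scanned files:/       { files  = $3 }
    /^Total errors:/        { errors = $3 }
    /^Data read:/           { mb     = $3 }   # "Data read: 105156.85 MB (...)"
    /^Time:/                { secs   = $2 }   # "Time: 8728.307 sec (...)"
    END { flush() }'
}

# throughput_ratio: how many times slower, in MB/s, the last run on stdin is
# than the first one (a value near 1.0 means the extra time is just more data).
throughput_ratio() {
    summarize_scans | awk 'NR == 1 { first = $6 } { last = $6 }
                           END { if (NR) printf "%.1f\n", first / last }'
}

# Run against the constructed log; on a real system:
#   summarize_scans < /path/to/clamscan.log
printf '%s\n' "$SAMPLE_LOG" | summarize_scans
printf '%s\n' "$SAMPLE_LOG" | throughput_ratio
```

On the two summaries above the first run reads about 12 MB/s and the second about 1.7 MB/s, a factor of seven, while the amount of data read went down; the "Total errors" column is carried along so a jump in errors can be lined up with the same run.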


___

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] How to purge a CustomDatabaseURL File from clamav completely?

2020-01-02 Thread Arnaud Jacques

Hello,

On 03/01/2020 at 00:06, G.W. Haywood via clamav-users wrote:

> Hi there,
>
> On Thu, 2 Jan 2020, J.R. via clamav-users wrote:
>
> > > All good :-) Going to remove javascript.ndb too. Sorry again.
> >
> > Rather than deleting entire signature databases because of one false
> > positive, why don't you either:
> >
> > 1. Whitelist the file (if it's static)
> >  or
> > 2. Whitelist the signature(s)
> > ...
>
> And report the false positive to the ClamAV team?


All false positives from SecuriteInfo.com signatures should be sent to 
webmas...@securiteinfo.com.

Thank you.

--
Cordialement / Best regards,

Arnaud Jacques
Manager of SecuriteInfo.com

Phone: +33-(0)3.44.39.76.46
E-mail: a...@securiteinfo.com
Website: https://www.securiteinfo.com
Facebook: https://www.facebook.com/pages/SecuriteInfocom/132872523492286
Twitter: @SecuriteInfoCom

Securiteinfo.com
IT Security - Information Security.
266, rue de Villers
60123 Bonneuil en Valois



Re: [clamav-users] Clamscan taking a very long time

2020-01-02 Thread Allan Mui via clamav-users

I am running clamav 0.102.1 built with llvm enabled but I have set up a 
dedicated user id called clamav(n). Then I create a shell script to run clamd 
and freshclam as daemons using this clamav(n) user id. I run clamdscan for one 
user and it takes only ten minutes to run. My OS is Catalina 10.15.2 . When you 
run clamdscan as a different user from clamav(n) you should still use the 
clamd.conf file of the clamd daemon running as user clamav(n). You might have 
to adjust the file permissions of clamd.conf to allow another user to access it.
Are you building with the latest Xcode and brew dependent packages (except for 
llvm)? I built with llvm 3.6.2 using gnu build system, not cmake.


From: Michael Newman via clamav-users
Sent: Wednesday, January 1, 2020 7:40 PM
To: ClamAV users ML
Cc: Michael Newman
Subject: [clamav-users] Clamscan taking a very long time

ClamAV 0.102.1/25679/Mon Dec 30 17:01:01 2019
macOS 10.15.2

Help me figure out why clamscan is suddenly taking so long.

An older log file fragment:

--- SCAN SUMMARY ---
Known viruses: 6613648
Engine version: 0.100.1
Scanned directories: 261793
Scanned files: 636746
Infected files: 11
Total errors: 1
Data scanned: 81505.97 MB
Data read: 105156.85 MB (ratio 0.78:1)
Time: 8728.307 sec (145 m 28 s)

The most recent log file fragment:

--- SCAN SUMMARY ---
Known viruses: 6639105
Engine version: 0.102.1
Scanned directories: 206450
Scanned files: 578017
Infected files: 1
Total errors: 49
Data scanned: 51163.40 MB
Data read: 55583.83 MB (ratio 0.92:1)
Time: 32246.560 sec (537 m 26 s)

Where scanning my home directory used to take just over two hours it is now 
taking almost nine even though there is less data to scan.

Here’s the command I’m using:

/opt/local/bin/clamscan -r --quiet -i -l $log $scandir --exclude-dir=$exclude 
--exclude-dir=$exclude2 --stdout >>$log 2>&1

Where $scandir is my home directory, $exclude is a directory with JPEGs and 
$exclude2 is an iOS device backup directory.






Re: [clamav-users] Remote On Access Scanning

2020-01-02 Thread G.W. Haywood via clamav-users

Hi there,

On Thu, 2 Jan 2020, Tom Ossman via clamav-users wrote:

> ... a central server where clamd is running and a remote client
> where I have clamd.conf pointed to the central server, I can run
> clamdscan on the remote client, it scans and finds the test file I
> have created on it.  I am now trying to perform an On Access Scan on
> the remote client, from what I have read about clamonacc it requires
> clamd to be running alongside it.  I was hoping that because I can
> get clamdscan to run on the remote client the same would be true for
> clamonacc, but this is not working for me.  Running the command
> `sudo clamonacc` results in a command not found error

It's possible, if unlikely, that the clamonacc binary simply isn't on
the search path.  More likely, I guess, clamonacc hasn't been installed.

> I'm assuming clamonacc is included with clamd

If it came from a distro package, it depends on who packaged it.

> , but clamd is not installed on the client instance as per the
> documentation I found on setting up network mode (something about
> clamd fussing about being pointed at a remote server).

I don't know the documentation to which you refer.  I use remote clamd
instances and I don't think of them as being especially fussy.

> So at the moment I'm curious if what I am trying to do is possible
> and if so if I am missing a step in the setup process?

I believe what you want to do is possible, see for example

https://blog.clamav.net/2019/09/understanding-and-transitioning-to.html

but it might not have been foreseen by the people who packaged ClamAV
for your distribution, or perhaps it was foreseen but discounted as a
low priority.  If you build from the sources I think you'll get what
you need (although I haven't yet seen a 'man' page for clamonacc).

--

73,
Ged.



Re: [clamav-users] How to purge a CustomDatabaseURL File from clamav completely?

2020-01-02 Thread G.W. Haywood via clamav-users

Hi there,

On Thu, 2 Jan 2020, J.R. via clamav-users wrote:

> > All good :-) Going to remove javascript.ndb too. Sorry again.
>
> Rather than deleting entire signature databases because of one false
> positive, why don't you either:
>
> 1. Whitelist the file (if it's static)
>  or
> 2. Whitelist the signature(s)
> ...

And report the false positive to the ClamAV team?

--

73,
Ged.



Re: [clamav-users] How to purge a CustomDatabaseURL File from clamav completely?

2020-01-02 Thread J.R. via clamav-users

> All good :-) Going to remove javascript.ndb too. Sorry again.

Rather than deleting entire signature databases because of one false
positive, why don't you either:

1. Whitelist the file (if it's static)
  or
2. Whitelist the signature(s)

Both are a quick google search and very easy to do...



[clamav-users] Remote On Access Scanning

2020-01-02 Thread Tom Ossman via clamav-users

Hello,

I'm hoping someone can help me.  I have ClamAV setup in network mode in an
AWS environment on two EC2 instances.  I have a central server where clamd
is running and a remote client where I have clamd.conf pointed to the
central server, I can run clamdscan on the remote client, it scans and
finds the test file I have created on it.  I am now trying to perform an On
Access Scan on the remote client, from what I have read about clamonacc it
requires clamd to be running alongside it.  I was hoping that because I can
get clamdscan to run on the remote client the same would be true for
clamonacc, but this is not working for me.  Running the command `sudo
clamonacc` results in a command not found error, I'm assuming clamonacc is
included with clamd, but clamd is not installed on the client instance as
per the documentation I found on setting up network mode (something about
clamd fussing about being pointed at a remote server).  So at the moment
I'm curious if what I am trying to do is possible and if so if I am missing
a step in the setup process?


*Tom Ossman*

toss...@aspirevc.com | aspirevc.com | +1.717.468.0293

100 North Queen Street | Suite 300 | Lancaster, PA 17603

Engage with us on Twitter | LinkedIn | Facebook


The information contained in this electronic message is legally privileged
and confidential information intended only for the person to whom the
message is addressed. If the reader of this message is not the intended
recipient, you are hereby notified that any dissemination, distribution, or
copy of this electronic message is strictly prohibited. If you have
received this electronic message in error, please immediately notify us by
return electronic message, and then delete this electronic message. Thank
you.



Re: [clamav-users] How to purge a CustomDatabaseURL File from clamav completely?

2020-01-02 Thread info

Thx G.W. and J.R for your answers.

Yes I deleted the line in /etc/clamav/freshclam.conf ~2 weeks ago already, 
before it was:

DatabaseMirror db.local.clamav.net
DatabaseMirror database.clamav.net
DatabaseCustomURL http://www.securiteinfo.com/get/signatures/(removed for 
mailing list)/securiteinfo.hdb
DatabaseCustomURL http://www.securiteinfo.com/get/signatures/(removed for 
mailing list)/securiteinfo.ign2
DatabaseCustomURL http://www.securiteinfo.com/get/signatures/(removed for 
mailing list)/javascript.ndb
#DatabaseCustomURL http://www.securiteinfo.com/get/signatures/(personal url 
path here, removed)/securiteinfohtml.hdb ##deleted this line completely
DatabaseCustomURL http://www.securiteinfo.com/get/signatures/(removed for 
mailing list)/securiteinfoascii.hdb
DatabaseCustomURL http://www.securiteinfo.com/get/signatures/(removed for 
mailing list)/securiteinfoold.hdb
DatabaseCustomURL http://www.securiteinfo.com/get/signatures/(removed for 
mailing list)/securiteinfopdf.hdb

> Perhaps freshclam simply replaced the deleted database, did you check?

Yes, the file is not re-created in /var/lib/clamav/securiteinfohtml.hdb

But even with server reboot the signatures from that file are still hitting, 
for example:

Wed, 01 Jan 2020 21:45:17 CET
Clamd: msg-137649-12.html was infected: SecuriteInfo.com.HTML-8188.UNOFFICIAL

Update: Ohh, just while writing this mail I searched for "HTML-8188" in any 
file at /var/lib/clamav/* and now I see that javascript.ndb contains this 
signature too. My fault! My guess was that signatures named HTML-* are from 
securiteinfohtml.hdb ... Sorry!

root@XXX01:/var/lib/clamav# grep -Ri HTML-8188 *
javascript.ndb:SecuriteInfo.com.HTML-8188:3:*:2f2f636c636b2e7275
javascript.ndb:SecuriteInfo.com.HTML-8188:3:*:2f2f772e6d617a696e67657267696a6f6e2e636f6d

All good :-) Going to remove javascript.ndb too. Sorry again.
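
Added here as an example of the cleanup Ged describes (remove the database file and stop freshclam fetching it again) together with the grep check Schroeffu ran above; it is not code from the thread or from the ClamAV project. The functions work on a copy of freshclam.conf and a scratch directory, so the result can be reviewed before anything under /etc/clamav or /var/lib/clamav is touched. The config fragment is constructed from the one posted in this thread with the personal URL path replaced by PLACEHOLDER; disable_custom_db, count_custom_db, find_signature_db and ndb_pattern_ascii are names chosen for this example. The decoder handles plain hex bodies only: .ndb patterns can also contain wildcards, which it shows as "?".

```shell
#!/bin/sh
# Added example, not from the thread or from ClamAV: the purge steps as small
# shell functions, testable on a copy of the config before touching
# /etc/clamav or /var/lib/clamav.

# Constructed freshclam.conf fragment modelled on the one posted in the thread;
# PLACEHOLDER stands for the per-customer URL path that was removed from the mail.
SAMPLE_CONF='DatabaseMirror db.local.clamav.net
DatabaseMirror database.clamav.net
DatabaseCustomURL http://www.securiteinfo.com/get/signatures/PLACEHOLDER/securiteinfo.hdb
DatabaseCustomURL http://www.securiteinfo.com/get/signatures/PLACEHOLDER/securiteinfohtml.hdb
DatabaseCustomURL http://www.securiteinfo.com/get/signatures/PLACEHOLDER/javascript.ndb'

# disable_custom_db DBNAME: copy freshclam.conf from stdin to stdout, commenting
# out every DatabaseCustomURL line whose URL ends in /DBNAME.  Suffix comparison
# rather than a regex, so "securiteinfo.hdb" does not match securiteinfohtml.hdb.
disable_custom_db() {
    awk -v db="$1" '
        $1 == "DatabaseCustomURL" && substr($2, length($2) - length(db)) == ("/" db) {
            print "#" $0 "   # disabled"; next
        }
        { print }'
}

# count_custom_db DBNAME: number of still-active DatabaseCustomURL lines for DBNAME on stdin.
count_custom_db() {
    awk -v db="$1" '
        $1 == "DatabaseCustomURL" && substr($2, length($2) - length(db)) == ("/" db) { n++ }
        END { print n + 0 }'
}

# find_signature_db DBDIR SIGNAME: which database files under DBDIR contain SIGNAME
# (the grep -Ri from the thread).  Only plain-text databases (.ndb, .hdb, ...) match;
# .cvd/.cld archives are compressed and have to be unpacked with sigtool first.
find_signature_db() {
    grep -rl -- "$2" "$1" 2>/dev/null
}

# ndb_pattern_ascii NDBLINE: decode the hex body of an .ndb signature line to ASCII
# so the match can be judged before deciding it is a false positive.  Handles plain
# hex bodies only; anything that is not a hex pair is shown as "?".
ndb_pattern_ascii() {
    printf '%s\n' "$1" | awk -F: '
        function hexval(c) { return index("0123456789abcdef", tolower(c)) - 1 }
        {
            hex = $NF; out = ""
            for (i = 1; i + 1 <= length(hex); i += 2) {
                pair = substr(hex, i, 2)
                if (pair ~ /^[0-9a-fA-F][0-9a-fA-F]$/)
                    out = out sprintf("%c", hexval(substr(pair, 1, 1)) * 16 + hexval(substr(pair, 2, 1)))
                else
                    out = out "?"
            }
            print out
        }'
}

# Demo on the constructed config.  Real use:
#   disable_custom_db securiteinfohtml.hdb < /etc/clamav/freshclam.conf > /tmp/freshclam.conf.new
# then review and install the new file, rm /var/lib/clamav/securiteinfohtml.hdb,
# and restart freshclam and clamd.
printf '%s\n' "$SAMPLE_CONF" | disable_custom_db securiteinfohtml.hdb
```

Running find_signature_db against the database directory before deleting anything would have shown, as Schroeffu found by hand, that the HTML-8188 signature lives in javascript.ndb and not in the .hdb file that was removed.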



Re: [clamav-users] How to purge a CustomDatabaseURL File from clamav completely?

2020-01-02 Thread G.W. Haywood via clamav-users

Hi there,

On Thu, 2 Jan 2020, i...@schroeffu.ch wrote:

> ... custom signatures file securiteinfohtml.hdb in ClamAV with false
> positives, so I deleted the file /var/lib/clamav/securiteinfohtml.hdb
> and restarted clamav (freshclam, clamd).  But ClamAV seems still
> using this signature DB, it is still detecting viruses from this
> deleted database.  So, somewhere this database is still not purged
> or saved in a place I don't know.

Perhaps freshclam simply replaced the deleted database, did you check?

> How do I purge a CustomDatabaseURL correctly?

If my guess is correct, in addition to removing the database itself
you need to tell freshclam not to download the securiteinfohtml.hdb
database.  Either remove or comment the DatabaseCustomURL line (not
CustomDatabaseURL) in your freshclam.conf file.

> ClamAV 0.101.4 from default Server Repo


A lot has changed since that version of ClamAV, I recommend upgrading.

--

73,
Ged.



Re: [clamav-users] How to purge a CustomDatabaseURL File from clamav completely?

2020-01-02 Thread J.R. via clamav-users

> How do I purge a CustomDatabaseURL correctly?

Did you remove that DB from your FreshClam config and / or
clamav-unofficial-signatures script so it won't re-download it?



[clamav-users] How to purge a CustomDatabaseURL File from clamav completely?

2020-01-02 Thread info

Hi ClamAV Geeks,

I have had the custom signatures file securiteinfohtml.hdb in ClamAV with false 
positives, so I deleted the file /var/lib/clamav/securiteinfohtml.hdb and 
restarted clamav (freshclam, clamd). But ClamAV seems still using this 
signature DB, it is still detecting viruses from this deleted database. So, 
somewhere this database is still not purged or saved in a place i don't know.

How do I purge a CustomDatabaseURL correctly?

ClamAV 0.101.4 from default Server Repo
OS: Ubuntu 18.04 Server

Thanks for any help in advance
Schroeffu



Re: [clamav-users] Clamscan taking a very long time

2020-01-02 Thread G.W. Haywood via clamav-users

Hi there,

On Thu, 2 Jan 2020, Michael Newman via clamav-users wrote:

> ClamAV 0.102.1/25679/Mon Dec 30 17:01:01 2019
> macOS 10.15.2
>
> Help me figure out why clamscan is suddenly taking so long.
> ...
> Engine version: 0.100.1
> Total errors: 1
> Time: 8728.307 sec (145 m 28 s)
> ...
> Engine version: 0.102.1
> Total errors: 49
> Time: 32246.560 sec (537 m 26 s)


Please define "suddenly".  You are however using a different version
of ClamAV in the later log snippet, which you can probably expect to
be more thorough.

In any case I'd want to know what all those errors are.  Try logging
verbosely (remove --quiet, see man page, etc.) and get back to us when
you can give more information.

What has ClamAV found that you think shouldn't have been there?

--

73,
Ged.
