Re: [clamav-users] running freshclam and 3rd party/clamav-unofficial-sigs.sh owner name changes occasionally

2021-08-24 Thread Robert Kudyba
>
>
> On Thu, 15 Jul 2021, Robert Kudyba wrote:
>

Here we are Aug 24


> >> ... do you have that log?
> >
> > Uploaded at ...
>
> Nothing remarkable there.  Presumably you're aware of this warning
> in that log?
>

See https://storm.cis.fordham.edu/~rkudyba/aug24

At 5:14 AM the problem started happening and cron has:

Aug 24 05:14:01 storm CROND[537748]: (clamav) CMD ([ -x /usr/local/sbin/clamav-unofficial-sigs.sh ] && /usr/bin/bash /usr/local/sbin/clamav-unofficial-sigs.sh)
Aug 24 05:14:03 storm CROND[537718]: (clamav) CMDEND ([ -x /usr/local/sbin/clamav-unofficial-sigs.sh ] && /usr/bin/bash /usr/local/sbin/clamav-unofficial-sigs.sh)
Aug 24 05:15:01 storm CROND[538116]: (root) CMD (/bin/date >> $FILE ; /bin/ls -l /var/lib/clamav >> $FILE)

>
> If it's the same OS distribution you should be able to compare the
> configurations, see what they both put in the logs etc.  The command
>
> clamconf -n
>
> would be very useful for that but there are other configs as well.
>

clamconf -n

Checking configuration files in /etc

Config file: clamd.d/scan.conf
------------------------------
LogFile = "/var/log/clamd.log"
TCPSocket = "3310"
TCPAddr = "127.0.0.1"
User = "clamav"
PhishingScanURLs disabled
HeuristicScanPrecedence = "yes"
AlertBrokenExecutables = "yes"
AlertBrokenMedia = "yes"
AlertEncrypted = "yes"
AlertEncryptedArchive = "yes"
AlertEncryptedDoc = "yes"
AlertOLE2Macros = "yes"
AlertPhishingSSLMismatch = "yes"
AlertPartitionIntersection = "yes"
MaxScanTime = "35"
MaxScanSize = "157286400"
MaxFileSize = "31457280"

Config file: freshclam.conf
---------------------------
LogFileMaxSize = "262144000"
LogRotate = "yes"
UpdateLogFile = "/var/log/freshclam.log"
DatabaseOwner = "clamav"
DatabaseMirror = "database.clamav.net"
ConnectTimeout = "60"
ReceiveTimeout = "60"

Config file: mail/clamav-milter.conf
------------------------------------
LogFile = "/var/log/clamav-milter.log"
LogTime = "yes"
LogVerbose = "yes"
User = "clamilt"
ClamdSocket = "tcp:127.0.0.1:3310"
MilterSocket = "inet:"
AddHeader = "Add"
Whitelist = "/etc/mail/clamav-milter-whitelist.conf"

Software settings
-----------------
Version: 0.103.3
Optional features supported: MEMPOOL IPv6 AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 ICONV JSON

Database information
--------------------
Database directory: /var/lib/clamav
[3rd Party] badmacro.ndb: 621 sigs
[3rd Party] shelter.ldb: 49 sigs
[3rd Party] CVE-2013-0074.yar: 22 sigs
[3rd Party] foxhole_js.cdb: 48 sigs
[3rd Party] rfxn.yara: 11527 sigs
[3rd Party] urlhaus.ndb: 5445 sigs
[3rd Party] malware.expert.ndb: 1 sig
[3rd Party] sanesecurity.ftm: 170 sigs
[3rd Party] CVE-2013-0422.yar: 25 sigs
[3rd Party] sigwhitelist.ign2: 12 sigs
[3rd Party] junk.ndb: 55801 sigs
[3rd Party] jurlbl.ndb: 5650 sigs
[3rd Party] phish.ndb: 28047 sigs
[3rd Party] rogue.hdb: 1005 sigs
[3rd Party] scam.ndb: 12747 sigs
[3rd Party] spamimg.hdb: 200 sigs
[3rd Party] CVE-2015-1701.yar: 30 sigs
[3rd Party] spamattach.hdb: 14 sigs
[3rd Party] blurl.ndb: 2194 sigs
[3rd Party] CVE-2015-2426.yar: 49 sigs
[3rd Party] malwarehash.hsb: 771 sigs
[3rd Party] CVE-2015-2545.yar: 76 sigs
[3rd Party] foxhole_generic.cdb: 212 sigs
[3rd Party] CVE-2015-5119.yar: 22 sigs
[3rd Party] foxhole_filename.cdb: 2612 sigs
[3rd Party] CVE-2016-5195.yar: 40 sigs
[3rd Party] winnow_malware.hdb: 293 sigs
[3rd Party] winnow_extended_malware_links.ndb: 1 sig
[3rd Party] winnow_malware_links.ndb: 133 sigs
[3rd Party] MiscreantPunch099-Low.ldb: 1199 sigs
[3rd Party] winnow_extended_malware.hdb: 245 sigs
[3rd Party] safebrowsing.gdb: 49126 sigs
[3rd Party] winnow.attachments.hdb: 182 sigs
[3rd Party] CVE-2017-11882.yar: 66 sigs
[3rd Party] winnow_bad_cw.hdb: 1 sig
[3rd Party] EK_BleedingLife.yar: 112 sigs
[3rd Party] bofhland_cracked_URL.ndb: 40 sigs
[3rd Party] WShell_ASPXSpy.yar: 21 sigs
[3rd Party] bofhland_malware_URL.ndb: 4 sigs
[3rd Party] WShell_Drupalgeddon2_icos.yar: 26 sigs
[3rd Party] bofhland_phishing_URL.ndb: 72 sigs
[3rd Party] CVE-2010-0805.yar: 19 sigs
[3rd Party] bofhland_malware_attach.hdb: 1836 sigs
[3rd Party] CVE-2018-20250.yar: 22 sigs
[3rd Party] hackingteam.hsb: 435 sigs
[3rd Party] CVE-2018-4878.yar: 39 sigs
[3rd Party] porcupine.ndb: 6622 sigs
[3rd Party] bank_rule.yar: 11 sigs
[3rd Party] phishtank.ndb: 9388 sigs
[3rd Party] EMAIL_Cryptowall.yar: 52 sigs
[3rd Party] porcupine.hsb: 208 sigs
[3rd Party] scam.yar: 35 sigs
[3rd Party] securiteinfo.ign2: 86 sigs
[3rd Party] JJencode.yar: 19 sigs
[3rd Party] securiteinfo.hdb: 159918 sigs
[3r

Re: [clamav-users] running freshclam and 3rd party/clamav-unofficial-sigs.sh owner name changes occasionally

2021-07-15 Thread Robert Kudyba
> > here are the logs from 10:01 AM Jul 13:
> > Jul 13 10:01:02 storm freshclam[3930506]: Database test passed.
> > Jul 13 10:01:02 storm freshclam[3930506]: daily.cld updated (version:
> 26230, sigs: 3995778, f-level: 63, builder: raynman)
> > Jul 13 10:01:02 storm freshclam[3930506]: daily.cld updated (version:
> 26230, sigs: 3995778, f-level: 63, builder: raynman)
> > ...
> > ps -auwx|grep freshclam
> > clamav  3818  0.0  0.0  28952 12864 ?        Ss   12:00   0:00 /usr/bin/freshclam -d --foreground=true
>
> The logs contain a lot of duplicated lines.  Maybe you have both a
> line like
>
> StandardOutput=syslog
>
> in your freshclam.service and *also* a line like
>
> LogSyslog yes
>
> in your freshclam.conf (or whatever passes for freshclam.conf in these
> screwy RedHat systems).  Well, you want one or the other but not both.
> I'd suggest commenting out the "LogSyslog yes" line and restarting the
> freshclam daemon.
>

I didn't have both set to yes, but now I commented out LogSyslog and set
freshclam to log to its own log:
grep -v ^\# /etc/freshclam.conf | grep  .
DatabaseDirectory /var/lib/clamav
UpdateLogFile /var/log/freshclam.log
DatabaseOwner clamav
DatabaseMirror database.clamav.net
ConnectTimeout 60
ReceiveTimeout 60
SafeBrowsing no

Side note: I did have a few of these enabled, but I believe the unofficial
sigs program has them.
#DatabaseCustomURL http://www.securiteinfo.com/get/signatures/xxx/securiteinfo.hdb
#DatabaseCustomURL http://www.securiteinfo.com/get/signatures/xxx/securiteinfo.ign2


> Looks like it was either the update or the reboot.  An easy way to
> find out would be to just reboot.
>

Perhaps next week as we have summer session and some researchers logged in

>> Assuming that we can believe the timestamps, then any problems that
> >> arose from ownership by the clamupdate user/group had already happened
> >> at 12:02 so it was *not* the run of clamav-unofficial-sigs.sh at 12:14
> >> which caused them.
> >>
> >> Is this the first time that clamav-unofficial-sigs.sh ran?
> >
> > No it's been running all the time.
>
> I think we're confusing each other.  The clamav-unofficial-sigs.sh
> script doesn't run like a daemon runs.  The script is started by
> something like a cron entry; it updates the configured databases if
> needed, then stops.  The unofficial update script only updates (or
> should only update) the third-party signature database files, that is
> everything except 'main', 'daily' and 'bytecode'.  I meant was it at
> 12:14 that the clamav-unofficial-sigs.sh script ran?  Presumably it's
> logging its activities somewhere, do you have that log?  The log
> location will be set in the configuration for the unofficial script.
>

Uploaded at
https://storm.cis.fordham.edu/~rkudyba/clamav-unofficial-sigs.log


> Something changed the
> permissions on the directory /var/lib/clamav/, freshclam can no longer
> create the temporary directory it needs for the update.  I guess the
> unofficial update script disagrees with freshclam about the user and
> group for the database directory.  I believe freshclam is running as
> user clamupdate, group clamupdate (983:979) but you have the ownership
> on the directory set to user clamav, group clamav (985:981).


Right, which is why I also tried adding user clamav to the clamupdate group.


> Note
> that the only things which need to be able to write to the directory
> are freshclam and the unofficial update script.  These two must be
> configured to use the same user:group (or at least so that they can
> both write into the directory).  Find out where these things are
> configured and set them the same.


grep -i owner /etc/freshclam.conf (comments removed)
DatabaseOwner clamav

grep -i user /etc/clamav-unofficial-sigs/user.conf
user_configuration_complete="yes"
clam_user="clamav"



> If RedHat updates are setting the
> configuration of the freshclam daemon to use clamupdate:clamupdate it
> would explain why this happens after an update.


AFAIK, you have to manually run something like rpmconf -a to force a new
config file.


> In that case it may
> be better to settle on clamupdate:clamupdate for both freshclam and
> the unofficial script.


I'm starting to believe the same. This is how it's set on another server I
oversee, with no issues.


> It's also possible that you have something in
> the startup which is setting the directory user:group too, we'll take
> a look at that later if need be.
>

I believe it's this file:
cat /usr/lib/systemd/system/clamav-freshclam.service
[Unit]
Description=ClamAV virus database updater
Documentation=man:freshclam(1) man:freshclam.conf(5) https://www.clamav.net/documents
# If user wants it run from cron, don't start the daemon.
ConditionPathExists=!/etc/cron.d/clamav-update
Wants=network-online.target
After=network-online.target

[Service]
ExecStart=/usr/bin/freshclam -d --foreground=true
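As an added example (not from the thread or the ClamAV project), the following Python reproduces the ownership check being discussed: it takes the two configured writers (DatabaseOwner from freshclam.conf, clam_user from the unofficial-sigs user.conf), the passwd and group entries quoted earlier in the thread, and an `ls -ld` line for the database directory, and reports whether each writer can actually create files there. The config, passwd and group texts are constructed from the values quoted in this thread; the function names are my own.

```python
import re

# Constructed sample inputs, using the values quoted in this thread.
PASSWD = """\
clamilt:x:989:985:Clamav Milter User:/var/run/clamav-milter:/sbin/nologin
clamav:x:985:981::/var/run/clamav:/sbin/nologin
clamupdate:x:983:979:Clamav database update user:/var/lib/clamav:/sbin/nologin
clamscan:x:982:978:Clamav scanner user:/:/sbin/nologin
"""
GROUP = """\
clamilt:x:985:clamav,clamscan
clamav:x:981:clamscan,clamilt,clamupdate
clamupdate:x:979:clamav
clamscan:x:978:clamilt,clamav
"""
FRESHCLAM_CONF = "# comment lines are ignored\nDatabaseOwner clamav\nDatabaseMirror database.clamav.net\n"
USER_CONF = 'user_configuration_complete="yes"\nclam_user="clamav"\nclam_group="clamav"\n'


def _records(text):
    """Yield the colon-separated fields of each non-comment line."""
    for line in text.splitlines():
        if line and not line.startswith("#"):
            yield line.split(":")

def parse_passwd(text):
    """user name -> (uid, primary gid)"""
    return {f[0]: (int(f[2]), int(f[3])) for f in _records(text)}

def parse_group(text):
    """group name -> (gid, set of supplementary members)"""
    return {f[0]: (int(f[2]), set(filter(None, f[3].split(",")))) for f in _records(text)}

def groups_of(user, users, groups):
    """Every group the user is in: the primary gid plus explicit memberships."""
    _, pgid = users[user]
    names = {g for g, (gid, _) in groups.items() if gid == pgid}
    names |= {g for g, (_, members) in groups.items() if user in members}
    return names

# Mode, link count, owner, group.  The '.' or '+' after the mode (SELinux label
# or ACL present) is accepted but not interpreted: sestatus reported SELinux disabled.
LS_RE = re.compile(r"^([dl-][rwxsStT-]{9})[.+]?\s+\d+\s+(\S+)\s+(\S+)\s")

def parse_ls(line):
    """(mode, owner, group) from one `ls -ld` line."""
    m = LS_RE.match(line)
    if not m:
        raise ValueError("not an ls -l line: %r" % line)
    return m.group(1), m.group(2), m.group(3)

def can_write(user, ls_line, users, groups):
    """Mode-bit check in the order the kernel applies it: the owner class if the
    user owns the entry, else the group class if any of the user's groups matches,
    else other.  Exactly one class is consulted, which is why adding clamav to the
    clamupdate group changes nothing while the group bits are r-x."""
    mode, owner, group = parse_ls(ls_line)
    if user == owner:
        return mode[2] == "w"
    if group in groups_of(user, users, groups):
        return mode[5] == "w"
    return mode[8] == "w"

def configured_users(freshclam_conf, user_conf):
    """(DatabaseOwner from freshclam.conf, clam_user from user.conf); commented
    lines, like the #clam_user default in os.conf, are ignored."""
    owner = clam_user = None
    for line in freshclam_conf.splitlines():
        m = re.match(r"^\s*DatabaseOwner\s+(\S+)", line)
        if m:
            owner = m.group(1)
    for line in user_conf.splitlines():
        m = re.match(r'^\s*clam_user="([^"]*)"', line)
        if m:
            clam_user = m.group(1)
    return owner, clam_user

def diagnose(ls_line, freshclam_conf, user_conf, passwd_text=PASSWD, group_text=GROUP):
    """Problems that would stop either updater; an empty list means both can write."""
    users, groups = parse_passwd(passwd_text), parse_group(group_text)
    owner, clam_user = configured_users(freshclam_conf, user_conf)
    problems = []
    if owner != clam_user:
        problems.append("DatabaseOwner %r differs from clam_user %r" % (owner, clam_user))
    for tool, name in (("freshclam", owner), ("clamav-unofficial-sigs", clam_user)):
        if not can_write(name, ls_line, users, groups):
            uid, gid = users[name]  # the two numbers freshclam's own hint names
            problems.append("%s as %s: directory must be writable for UID %d or GID %d"
                            % (tool, name, uid, gid))
    return problems
```

Run `diagnose()` against the broken listing from the thread (`drwxr-xr-x. 4 clamupdate clamupdate ...`) and it flags both updaters; change the group bits to `rwx` or the owner to clamav and it returns an empty list.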


Re: [clamav-users] running freshclam and 3rd party/clamav-unofficial-sigs.sh owner name changes occasionally

2021-07-13 Thread Robert Kudyba
> -rw-r--r-- 1 clamav clamav   1438720 Mar 17 10:47 bytecode.cld
> -rw-r--r-- 1 clamav clamav    293670 Apr  8 06:32 bytecode.cvd
> -rw-r--r-- 1 clamav clamav 327757824 Jul 12 09:59 daily.cld
> -rw-r--r-- 1 clamav clamav 117859675 Nov 25  2019 main.cvd
>
> and a bunch of others which we're not concerned with.  Firstly, you
> really don't want both a bytecode.cld *and* a bytecode.cvd, so you
> should probably just delete the older one.


Done.


> Here's what happens just after 10AM on the 13th:
>
> Tue Jul 13 10:01:01 AM EDT 2021
> -rw-r--r-- 1 clamav clamav   1438720 Mar 17 10:47 bytecode.cld
> -rw-r--r-- 1 clamav clamav    293670 Apr  8 06:32 bytecode.cvd
> -rw-r--r-- 1 clamav clamav 327757824 Jul 12 09:59 daily.cld
> -rw-r--r-- 1 clamav clamav 117859675 Nov 25  2019 main.cvd
> Tue Jul 13 10:02:01 AM EDT 2021
> -rw-r--r-- 1 clamav clamav   1438720 Mar 17 10:47 bytecode.cld
> -rw-r--r-- 1 clamav clamav    293670 Apr  8 06:32 bytecode.cvd
> -rw-r--r-- 1 clamav clamav 327797248 Jul 13 10:00 daily.cld
> -rw-r--r-- 1 clamav clamav 117859675 Nov 25  2019 main.cvd
>
> So daily.cld was updated, presumably by freshclam.  That's good, as
> nothing seems to have broken.  Can you confirm that happened from the
> freshclam log?


here are the logs from 10:01 AM Jul 13:
Jul 13 10:01:02 storm freshclam[3930506]: Database test passed.
Jul 13 10:01:02 storm freshclam[3930506]: daily.cld updated (version: 26230, sigs: 3995778, f-level: 63, builder: raynman)
Jul 13 10:01:02 storm freshclam[3930506]: daily.cld updated (version: 26230, sigs: 3995778, f-level: 63, builder: raynman)
Jul 13 10:01:02 storm freshclam[3930506]: main.cvd database is up-to-date (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)
Jul 13 10:01:02 storm freshclam[3930506]: main.cvd database is up-to-date (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)
Jul 13 10:01:02 storm freshclam[3930506]: bytecode.cvd database is up-to-date (version: 333, sigs: 92, f-level: 63, builder: awillia2)
Jul 13 10:01:02 storm freshclam[3930506]: bytecode.cvd database is up-to-date (version: 333, sigs: 92, f-level: 63, builder: awillia2)
Jul 13 10:01:03 storm freshclam[3930506]: securiteinfo.hdb is up-to-date (version: custom database)
Jul 13 10:01:03 storm freshclam[3930506]: securiteinfo.hdb is up-to-date (version: custom database)
Jul 13 10:01:03 storm freshclam[3930506]: securiteinfo.ign2 is up-to-date (version: custom database)
Jul 13 10:01:03 storm freshclam[3930506]: securiteinfo.ign2 is up-to-date (version: custom database)
Jul 13 10:01:03 storm freshclam[3930506]: javascript.ndb is up-to-date (version: custom database)
Jul 13 10:01:03 storm freshclam[3930506]: javascript.ndb is up-to-date (version: custom database)
Jul 13 10:01:10 storm freshclam[3930506]: Testing database: '/var/lib/clamav/tmp.f9e1fecbc3/clamav-7b04ccc60e7adc16d356b3b689db8e0f.tmp-spam_marketing.ndb' ...
Jul 13 10:01:10 ourserver freshclam[3930506]: Testing database: '/var/lib/clamav/tmp.f9e1fecbc3/clamav-7b04ccc60e7adc16d356b3b689db8e0f.tmp-spam_marketing.ndb' ...
Jul 13 10:01:10 ourserver freshclam[3930506]: Database test passed.
Jul 13 10:01:10 ourserver freshclam[3930506]: Database test passed.
Jul 13 10:01:10 ourserver freshclam[3930506]: spam_marketing.ndb updated (version: custom database, sigs: 31016)
Jul 13 10:01:10 ourserver freshclam[3930506]: spam_marketing.ndb updated (version: custom database, sigs: 31016)
Jul 13 10:01:10 ourserver freshclam[3930506]: securiteinfohtml.hdb is up-to-date (version: custom database)
Jul 13 10:01:10 ourserver freshclam[3930506]: securiteinfohtml.hdb is up-to-date (version: custom database)
Jul 13 10:01:10 ourserver freshclam[3930506]: securiteinfoascii.hdb is up-to-date (version: custom database)
Jul 13 10:01:10 ourserver freshclam[3930506]: securiteinfoascii.hdb is up-to-date (version: custom database)
Jul 13 10:01:11 ourserver freshclam[3930506]: securiteinfoandroid.hdb is up-to-date (version: custom database)
Jul 13 10:01:11 ourserver freshclam[3930506]: securiteinfoandroid.hdb is up-to-date (version: custom database)
Jul 13 10:01:11 ourserver freshclam[3930506]: securiteinfoold.hdb is up-to-date (version: custom database)
Jul 13 10:01:11 ourserver freshclam[3930506]: securiteinfoold.hdb is up-to-date (version: custom database)
Jul 13 10:01:11 ourserver freshclam[3930506]: securiteinfopdf.hdb is up-to-date (version: custom database)
Jul 13 10:01:11 ourserver freshclam[3930506]: securiteinfopdf.hdb is up-to-date (version: custom database)
Jul 13 10:01:11 ourserver freshclam[3930506]: safebrowsing.gdb is up-to-date (version: custom database)
Jul 13 10:01:11 ourserver freshclam[3930506]: safebrowsing.gdb is up-to-date (version: custom database)
Jul 13 10:01:11 ourserver freshclam[3930506]:
--


> Is freshclam running from cron or as a daemon?
>

Daemon
ps -auwx|grep freshclam
clamav  3818  0.0  0.0  28952 12864 ?        Ss   12:00   0:00

Re: [clamav-users] running freshclam and 3rd party/clamav-unofficial-sigs.sh owner name changes occasionally

2021-07-13 Thread Robert Kudyba
After an upgrade of Fedora and subsequent reboot the permission problem
returned. Same for the files:
-rw-r--r-- 1 clamupdate clamupdate    293670 Apr  8 06:32 bytecode.cvd
-rw-r--r-- 1 clamupdate clamupdate 107169718 Jun 22 18:06 daily.cvd
-rw-r--r-- 1 clamupdate clamupdate 117859675 Nov 25  2019 main.cvd

as well as the directory:
ls -dl /var/lib/clamav
drwxr-xr-x 4 clamupdate clamupdate 8192 Jul 13 11:39 /var/lib/clamav

Also in the clamav-unofficial-sigs.log file
Jul 13 12:14:01 ERROR: clam database directory (clam_dbs) not writable
/var/lib/clamav

Permission log file is available at
https://storm.cis.fordham.edu/~rkudyba/clam_perms.log

From the cron log file:
Jul 13 12:14:01 ourserver CROND[22349]: (clamav) CMD ([ -x /usr/local/sbin/clamav-unofficial-sigs.sh ] && /usr/bin/bash /usr/local/sbin/clamav-unofficial-sigs.sh)
Jul 13 12:14:03 ourserver CROND[22318]: (clamav) CMDEND ([ -x /usr/local/sbin/clamav-unofficial-sigs.sh ] && /usr/bin/bash /usr/local/sbin/clamav-unofficial-sigs.sh)

On Mon, Jul 12, 2021 at 12:31 PM Robert Kudyba  wrote:

>
>>
>> > grep clam /etc/passwd
>> > clamilt:x:989:985:Clamav Milter User:/var/run/clamav-milter:/sbin/nologin
>> > clamav:x:985:981::/var/run/clamav:/sbin/nologin
>> > clamupdate:x:983:979:Clamav database update user:/var/lib/clamav:/sbin/nologin
>> > clamscan:x:982:978:Clamav scanner user:/:/sbin/nologin
>>
>> Interesting.  The 'clamav' user seems not to have been created by the
>> same setup process which created the other three, since it didn't get
>> a text description.  There's a suspicious gap in the numeric IDs from
>> 985:981 to 989:985 like the milter IDs were added later.  Make sense?
>>
>> What does
>>
>> grep clam /etc/group
>>
>> give you?
>>
> grep clam /etc/group
> clamilt:x:985:clamav,clamscan
> clamav:x:981:clamscan,clamilt,clamupdate
> clamupdate:x:979:clamav
> clamscan:x:978:clamilt,clamav
> virusgroup:x:949:clamupdate,clamscan,clamilt
>
>

___

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] running freshclam and 3rd party/clamav-unofficial-sigs.sh owner name changes occasionally

2021-07-12 Thread Robert Kudyba
>
>
>
> > grep clam /etc/passwd
> > clamilt:x:989:985:Clamav Milter User:/var/run/clamav-milter:/sbin/nologin
> > clamav:x:985:981::/var/run/clamav:/sbin/nologin
> > clamupdate:x:983:979:Clamav database update user:/var/lib/clamav:/sbin/nologin
> > clamscan:x:982:978:Clamav scanner user:/:/sbin/nologin
>
> Interesting.  The 'clamav' user seems not to have been created by the
> same setup process which created the other three, since it didn't get
> a text description.  There's a suspicious gap in the numeric IDs from
> 985:981 to 989:985 like the milter IDs were added later.  Make sense?
>
> What does
>
> grep clam /etc/group
>
> give you?
>
grep clam /etc/group
clamilt:x:985:clamav,clamscan
clamav:x:981:clamscan,clamilt,clamupdate
clamupdate:x:979:clamav
clamscan:x:978:clamilt,clamav
virusgroup:x:949:clamupdate,clamscan,clamilt



Re: [clamav-users] running freshclam and 3rd party/clamav-unofficial-sigs.sh owner name changes occasionally

2021-07-12 Thread Robert Kudyba
>
> I asked about the permissions on the directories, not on files.  In
> your 'find' command there you specifically limit the search to files
> and not directories with "-type f".  See 'man find' for more (but IMO
> 'find' is a bit like a cornered rat and I'm starting to think it might
> not be the best tool in the box for you to be playing with).  Just use
>
> ls -l / | grep var
>

> to see the permissions on /var and
>

ls -l / | grep var
lrwxrwxrwx    1 root root   19 Aug 31  2020 snap -> /var/lib/snapd/snap
drwxr-xr-x.  23 root root 4096 Jan 11 14:49 var


> ls -l /var | grep lib
>
> to see the permissions on /var/lib.
>

ls -l /var | grep lib
drwxr-xr-x. 95 root root 4096 Mar 20 08:00 lib

>> But I'd still want to see that log.
> >
> > The log from the cronjob, freshclam or eXtremeSHOK.com ClamAV Unofficial
> > Signature Updater?
>
> The cron job which I suggested.  From a root shell prompt, to edit the
> crontab give the command
>
> crontab -e
>
> which will fire up the default editor or the one you've configured.
> Just paste these two lines (I tweaked it a bit from last October's
> version) right at at the bottom:
>
> FILE=/var/log/clam_perms.log
> * * * * * /bin/date >> $FILE ; /bin/ls -l /var/lib/clamav >> $FILE
>
> That will write a time/date stamp and a directory listing to the file
> every minute until further notice.  Yes, there will be quite a lot of
> output, but (by the standards of the 21st century) it won't be a huge
> file, and you'll get what I'm looking for which is when (to about the
> nearest minute) the permissions were changed.  If you know to within
> the same sort of precision when things are run, that should give you
> some clue to what changed the permissions.
>

I had * * * * *  /bin/echo -n "$(/bin/date) " >> /var/log/clam_perms.log &&
/bin/ls -l /var/lib/clamav >> /var/log/clam_perms.log so it's been
populating for a couple of hours.

> grep 981 /etc/group
> > clamav:x:981:clamscan,clamilt,clamupdate
>
> Hmmm.  So group ID 981 is 'clamav'.  What's the numeric ID for the
> 'clamupdate' group (and 'clamilt' for completeness)?  To me it seems
> just a little excessive to have separate users (and maybe groups) for
> clamd, clamav-milter and freshclam.  I think somebody (probably this
> was somebody at Red Hat) lost the plot there, but I suppose you're
> stuck with that unless you junk the ClamAV packages and build it all
> from source.  IMO there's a lot to recommend that.
>

grep clam /etc/passwd
clamilt:x:989:985:Clamav Milter User:/var/run/clamav-milter:/sbin/nologin
clamav:x:985:981::/var/run/clamav:/sbin/nologin
clamupdate:x:983:979:Clamav database update user:/var/lib/clamav:/sbin/nologin
clamscan:x:982:978:Clamav scanner user:/:/sbin/nologin



Re: [clamav-users] running freshclam and 3rd party/clamav-unofficial-sigs.sh owner name changes occasionally

2021-07-12 Thread Robert Kudyba
>
> >> ... next time it happens I can try some of these:
> >>> ...
> >>
> >> ... put some logging in place before it does, so you get as precise a
> >> timeline as you can.
> >
> > Indeed and here we are 9 months later and the problem is back. I can see
> > this happened after Jul 3 at 4:22 AM:
> > ...
> > Jul 03 05:14:01 ERROR: clam database directory (clam_dbs) not writable
> /var/lib/clamav
>
> Where's the log of the permissions, listed every minute, which I
> suggested to you back in October?!
>

I did proffer the -i option:
su - clamav -s /bin/bash -c '/usr/local/sbin/clamav-unofficial-sigs.sh -i'

 eXtremeSHOK.com ClamAV Unofficial Signature Updater
 Version: v7.2.5 (2021-03-20)
 Required Configuration Version: v96
 Copyright (c) Adrian Jon Kriel :: ad...@extremeshok.com

Loading config: /etc/clamav-unofficial-sigs/master.conf
Loading config: /etc/clamav-unofficial-sigs/os.conf
Loading config: /etc/clamav-unofficial-sigs/user.conf

*** SCRIPT INFORMATION ***
clamav-unofficial-sigs.sh 7.2.5 (2021-03-20)
Master.conf Version: 97
Minimum required config: 96
*** SYSTEM INFORMATION ***
Linux storm.cis.fordham.edu 5.12.12-200.fc33.x86_64 #1 SMP Fri Jun 18
14:28:47 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
*** CLAMSCAN LOCATION & VERSION ***
/usr/bin/clamscan
ClamAV 0.103.3/26228/Sun Jul 11 07:05:30 2021
*** RSYNC LOCATION & VERSION ***
/usr/bin/rsync
rsync  version 3.2.3  protocol version 31
*** CURL LOCATION & VERSION ***
/usr/bin/curl
curl 7.71.1 (x86_64-redhat-linux-gnu) libcurl/7.71.1 OpenSSL/1.1.1k-fips
zlib/1.2.11 brotli/1.0.9 libidn2/2.3.1 libpsl/0.21.1 (+libidn2/2.3.0)
libssh/0.9.5/openssl/zlib nghttp2/1.43.0
*** GPG LOCATION & VERSION ***
/usr/bin/gpg
gpg (GnuPG) 2.2.25
*** DIRECTORY INFORMATION ***
Working Directory: /var/lib/clamav-unofficial-sigs
Clam Database Directory: /var/lib/clamav
Configuration Directory: /etc/clamav-unofficial-sigs

The suggestion you gave me previously:

> It's just a shell script, you could edit it to put debugging things in
> there if you're comfortable with hacking shell scripts.  Does it give
> usage help if run with no arguments?

I guess the answer is I'm not comfortable with hacking the shell script.


>
> On Fri, 9 Oct 2020, G.W. Haywood wrote:
> |> ...start with some simple logging  [...]  Something like this
> |> in a crontab:
> |>
> |> * * * * *  /bin/echo -n "$(/bin/date) " >> /var/log/clam_perms.log ; \
> |>     /bin/ls -l /var/lib/clamav >> /var/log/clam_perms.log
>

OK just set this in cron but I suppose it isn't useful until the problem
happens again.

On Sun, 11 Jul 2021, Robert Kudyba wrote:
> > ls -ld /var/lib/clamav
> >
> > drwxr-xr-x. 4 clamupdate clamupdate 8192 Jul  3 04:46 /var/lib/clamav
>
> The 'dot' after the directory permissions probably means that SELinux
> or similar is involved.  If so, it might have been good to mention it
> earlier.  Have you made sure that there's no other access control than
> the file and directory permissions which you've been showing us?
>

SELinux definitely disabled this entire time.
sestatus
SELinux status: disabled

ls -ald /var/lib/clamav
drwxrwxr-x. 4 clamav clamav 8192 Jul 12 08:23 /var/lib/clamav

ls -Zd /var/lib/clamav
system_u:object_r:antivirus_db_t:s0 /var/lib/clamav


> If you made the permissions
>
> drwxrwxr-x
>
> instead, you could probably forget about it - but again it might be to
> paper over a crack.


OK so some variation of setfattr -h -x security.selinux


> Another thought, do you have the 'setgid' bit set on one of the parent
> directories?
>

Running find /var/lib/ -perm /6000 -type f results in only some Docker
containers


>
> > ... these 3 files have their owner changed but note the old date
> timestamp:
> >
> > -rw-r--r--  1 clamupdate clamupdate    293670 Apr  8 06:32 bytecode.cvd
> > -rw-r--r--  1 clamupdate clamupdate 107169718 Jun 22 18:06 daily.cvd
> > -rw-r--r--  1 clamupdate clamupdate 117859675 Nov 25  2019 main.cvd
>
> If it's only these files which are getting the wrong UID/GID then it
> sort of implicates whatever is running freshclam, since that's likely
> to be the thing which modifies only those files.


ps -auwx|grep fresh
clamav   3930506  0.0  0.0 103116 16108 ?        Ss   Jul11   0:05 /usr/bin/freshclam -d --foreground=true


> But I'd still want to see that log.
>

The log from the cronjob, freshclam or eXtremeSHOK.com ClamAV Unofficial
Signature Updater?


> > grep 985 /etc/passwd
> >
> > clamav:x:985:981::/var/run/clamav:/sbin/nologin
>
> I 

Re: [clamav-users] running freshclam and 3rd party/clamav-unofficial-sigs.sh owner name changes occasionally

2021-07-11 Thread Robert Kudyba
>
> On Sat, 10 Oct 2020, Robert Kudyba wrote:
>
> > ... next time it happens I can try some of these:
> > ...
>
> But put some logging in place before it does, so you get as precise a
> timeline as you can.
>
> > Here's what the -i option returns:
> > ...
> > Loading config: /etc/clamav-unofficial-sigs/master.conf
> > Loading config: /etc/clamav-unofficial-sigs/os.conf
> > Loading config: /etc/clamav-unofficial-sigs/user.conf
>
> I take it you've examined these files for clues?  And the systemd unit
> files etc.?
>

Indeed and here we are 9 months later and the problem is back. I can see
this happened after Jul 3 at 4:22 AM:
Jul 03 04:22:22 Checking for updated interServer database file: interservertopline.db
Jul 03 04:22:22 No updated interServer interservertopline.db database file
Jul 03 04:22:22 No interServer database file updates
Jul 03 04:22:22 MalwarePatrol Database File Updates
Jul 03 04:22:22 24 hours have not yet elapsed since the last malwarepatrol update check
Jul 03 04:22:22 No update check was performed at this time
Jul 03 04:22:22 Next check will be performed in approximately 6 hour(s), 53 minute(s)
Jul 03 04:22:22 URLhaus Database File Updates
Jul 03 04:22:22 Checking for urlhaus updates...
Jul 03 04:22:22 Checking for updated urlhaus database file: urlhaus.ndb
Jul 03 04:22:22 WARNING: Failed connection to https://urlhaus.abuse.ch/downloads - SKIPPED urlhaus urlhaus.ndb update
Jul 03 04:22:22 No updated urlhaus urlhaus.ndb database file
Jul 03 04:22:22 No urlhaus database file updates
Jul 03 04:22:22 Yara-Rules Database File Updates
Jul 03 04:22:22 24 hours have not yet elapsed since the last yararulesproject update check
Jul 03 04:22:22 No update check was performed at this time
Jul 03 04:22:22 Next check will be performed in approximately 6 hour(s), 53 minute(s)
Jul 03 04:22:22 Update(s) detected, reloading ClamAV databases
Jul 03 04:22:22 ClamAV databases reloading
Jul 03 04:22:22 Issue tracker : https://github.com/extremeshok/clamav-unofficial-sigs/issues
Jul 03 04:22:22   Powered By https://eXtremeSHOK.com
Jul 03 05:14:01 ERROR: clam database directory (clam_dbs) not writable /var/lib/clamav


ps -auwx|grep clam
clamav   1533123  0.0  1.2 2783400 1678272 ?     Ssl  Jul03   7:13 /usr/sbin/clamd -c /etc/clamd.d/scan.conf
clamilt  1533191  0.0  0.0 1053352    3616 ?     Ssl  Jul03   0:05 /usr/sbin/clamav-milter -c /etc/mail/clamav-milter.conf
clamav   1533209  0.0  0.0   28268   12480 ?     Ss   Jul03   0:00 /usr/bin/freshclam -d --foreground=true


ls -ld /var/lib/clamav
drwxr-xr-x. 4 clamupdate clamupdate 8192 Jul  3 04:46 /var/lib/clamav

and these 3 files have their owner changed but note the old date timestamp:
-rw-r--r--  1 clamupdate clamupdate    293670 Apr  8 06:32 bytecode.cvd
-rw-r--r--  1 clamupdate clamupdate 107169718 Jun 22 18:06 daily.cvd
-rw-r--r--  1 clamupdate clamupdate 117859675 Nov 25  2019 main.cvd

grep clamupdate /etc/clam*/*
/etc/clamav-unofficial-sigs/os.conf:#clam_user="clamupdate"
/etc/clamav-unofficial-sigs/os.conf:#clam_group="clamupdate"

status clamav-freshclam.service
● clamav-freshclam.service - ClamAV virus database updater
     Loaded: loaded (/usr/lib/systemd/system/clamav-freshclam.service; enabled; vendor preset: disabled)
     Active: active (running) since Sat 2021-07-03 04:46:13 EDT; 1 weeks 1 days ago
       Docs: man:freshclam(1)
             man:freshclam.conf(5)
             https://www.clamav.net/documents
   Main PID: 1533209 (freshclam)
      Tasks: 1 (limit: 154192)
     Memory: 1.7M
     CGroup: /system.slice/clamav-freshclam.service
             └─1533209 /usr/bin/freshclam -d --foreground=true

Jul 11 20:46:13 ourserver.edu freshclam[1533209]: ERROR: Can't create temporary directory /var/lib/clamav/tmp.92f6163053
Jul 11 20:46:13 ourserver.edu freshclam[1533209]: Hint: The database directory must be writable for UID 985 or GID 981
Jul 11 20:46:13 ourserver.edu freshclam[1533209]: ERROR: Update failed.
Jul 11 20:46:13 ourserver.edu freshclam[1533209]: Received signal: wake up
Jul 11 20:46:13 ourserver.edu freshclam[1533209]: ClamAV update process started at Sun Jul 11 20:46:13 2021
Jul 11 20:46:13 ourserver.edu freshclam[1533209]: DNS record is older than 3 hours.
Jul 11 20:46:13 ourserver.edu freshclam[1533209]: Can't create temporary directory /var/lib/clamav/tmp.92f6163053
Jul 11 20:46:13 ourserver.edu freshclam[1533209]: Hint: The database directory must be writable for UID 985 or GID 981
Jul 11 20:46:13 ourserver.edu freshclam[1533209]: Update failed.
Jul 11 20:46:13 ourserver.edu freshclam[1533209]:
--

cat /usr/lib/systemd/system/clamav-freshclam.service
[Unit]
Description=ClamAV virus database updater
Documentation=man:freshclam(1) man:freshclam.conf(5) https://www.clamav.net/documents
# If user wants i

Re: [clamav-users] false positive on MBL_85256034.UNOFFICIAL with Google Drive links

2021-04-29 Thread Robert Kudyba
>
> 1. Is your Perl interpreter in /usr/local/bin/?  It's often in /usr/bin/.
>

Thanks, I saw that after the fact; indeed it's /usr/bin in Fedora.

> 2. The environment is likely to be different when the script runs via
> freshclam from when it runs at the command line, and it's usually bad
> form in scripts to rely on the environment anyway, so in any script of
> this kind I'd use full paths to executables.  For example on my system
> these would be
>
> /bin/chown
> /usr/bin/logger
> and
> /usr/local/bin/clamdscan
>
> but what are they on yours?  I'd also use full paths everywhere else
> instead of relative paths.  Things can go wrogn ervy kuiqly.
>

/usr/bin for all 3

> 3. What is uid 110 on your system?  On my clamd server it's 'sshd'.
> This means that if I were to run it as root as it is, the script would
> change ownership of the modified files to the wrong user (which would
> break future updates unless root did them) and for other users fail.
>

Yes caught those after the fact and updated the script accordingly

> 4. People store the ClamAV databases in different places.  The script
> makes assumptions about them, have you changed them in the script to
> suit your system, and do you have the needed directories?
> /var/db/clamav-unofficial-sigs/post-control/
> /var/db/clamav/
>

Different on ours:
/var/lib/clamav-unofficial-sigs/dbs-mbl/

And I went ahead and created
/var/lib/clamav-unofficial-sigs/dbs-mbl/post-control

and not sure why we have a test dir:

/var/lib/clamav-unofficial-sigs/test

> 5. The script does no error checking at all.  It's good practice in
> scripts to check the return values of functions which provide them,
> such as 'chdir', 'link', 'unlink', 'chown' and (especially) 'open'.
>

Anything off the top of your head I can add?

> Is there a sigtool command I can use to check that it worked? I can
> > compare this against another server that I have yet to install this.
>
> sigtool --find-sigs 
>
> should give you an idea of what's happened.


The signature does not exist when I run this command.

___

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] false positive on MBL_85256034.UNOFFICIAL with Google Drive links

2021-04-29 Thread Robert Kudyba
>
> >  >> next if /^MBL_\d+:0:\*:68747470733a2f2f64726976652e676f6f676c652e636f6d$/;
> >  next if /^MBL_\d+:0:\*:68747470733a2f2f646f63732e676f6f676c652e636f6d$/;
> >
> >  You could do better with a regex, see the excellent Perl documentation.
> >
> > So what's the syntax to use || (or) with this? Something like this?
> >
> > next if /^MBL_\d+:0:\*:68747470733a2f2f64726976652e676f6f676c652e636f6d$/ ||
> > /^MBL_\d+:0:\*:68747470733a2f2f646f63732e676f6f676c652e636f6d$/;
>
> I would make it more simple:
>
> next if /^MBL_\d+:0:\*:123.../;
> next if /^MBL_\d+:0:\*:abc.../;
> next if /^MBL_\d+:0:\*:097.../;
>
> That way you can comment on each individual line what they code for and
> if you need to remove one test, you only need to comment out the
> corresponding line without messing up with the regex or the condition.
>
> This script is only run once each time you update the ClamAV unofficial
> signatures and each test is run once per line, that makes not much sense
> to try to optimize the run time of the script.
> 


Excellent thanks, no error(s) when I just ran it manually. Is there a
sigtool command I can use to check that it worked? I can compare this
against another server that I have yet to install this.



Re: [clamav-users] false positive on MBL_85256034.UNOFFICIAL with Google Drive links

2021-04-29 Thread Robert Kudyba
>
> On Thu, 29 Apr 2021, Olivier via clamav-users wrote:
> > Robert Kudyba  writes:
> >
> >> How would you make this work for docs.google.com as well?
> >>
> >> the following regex corresponds to https://drive.google.com
> >> next if /^MBL_\d+:0:\*:68747470733a2f2f64726976652e676f6f676c652e636f6d$/;
> >
> > If I remember correctly (I am at home and I have nothing to check), the
> > URL is encoded in base64 ...
>
> This is plain hexadecimal representation of the individual characters,
> not Base64 encoding.
>
> > ... so it should be:
> > 68747470733a2f2f646f637s2e676f6f676c652e636f6d
>
> The character 's' is not in the range [0-9a-f] which are normally used
> to represent hexadecimal numbers.
>
> ASCII   hex
>
> h   68
> t   74
> t   74
> p   70
> s   73
> :   3a
>
> # the following regex corresponds to https://drive.google.com
> next if /^MBL_\d+:0:\*:68747470733a2f2f64726976652e676f6f676c652e636f6d$/;
>
> # the following regex corresponds to https://docs.google.com
> next if /^MBL_\d+:0:\*:68747470733a2f2f646f63732e676f6f676c652e636f6d$/;
>
> You could do better with a regex, see the excellent Perl documentation.
>

So what's the syntax to use || (or) with this? Something like this?

next if /^MBL_\d+:0:\*:68747470733a2f2f64726976652e676f6f676c652e636f6d$/ ||
/^MBL_\d+:0:\*:68747470733a2f2f646f63732e676f6f676c652e636f6d$/;



Re: [clamav-users] false positive on MBL_85256034.UNOFFICIAL with Google Drive links

2021-04-29 Thread Robert Kudyba
>
> > How would you make this work for docs.google.com as well?
> >
> > the following regex corresponds to https://drive.google.com
> > next if /^MBL_\d+:0:\*:68747470733a2f2f64726976652e676f6f676c652e636f6d$/;
>
> If I remember correctly (I am at home and I have nothing to check), the
> URL is encoded in base64 so it should be:
> 68747470733a2f2f646f637s2e676f6f676c652e636f6d
>
> But you better double check :)


From your comments in the script:

> the following regex corresponds to https://drive.google.com

When I use an online base64 converter that ends up
being aHR0cHM6Ly9kcml2ZS5nb29nbGUuY29t

But what I'm asking for is to also include an "OR" to catch
https://docs.google.com (note the 'docs', not 'drive')



Re: [clamav-users] false positive on MBL_85256034.UNOFFICIAL with Google Drive links

2021-04-29 Thread Robert Kudyba
How would you make this work for docs.google.com as well?

the following regex corresponds to https://drive.google.com
next if /^MBL_\d+:0:\*:68747470733a2f2f64726976652e676f6f676c652e636f6d$/;


On Thu, Apr 29, 2021, 12:25 AM Olivier  wrote:

> Robert,
>
> In the configuration file user.conf for ClamAV-unofficial-sig, I set the
> following variable:
>
> clamd_reload_opt="/usr/local/bin/clamav-unofficial-sigs-post.pl"
>
> And the script is attached below.
>
> Best regards,
>
> Olivier
>
> --
>



Re: [clamav-users] false positive on MBL_85256034.UNOFFICIAL with Google Drive links

2021-04-28 Thread Robert Kudyba
I'd like the script and in our case the link starts with docs.google.com

On Wed, Apr 28, 2021, 10:43 PM Olivier via clamav-users <
clamav-users@lists.clamav.net> wrote:

> Hi,
>
> Robert Kudyba  writes:
>
> > Since the signature name has .UNOFFICIAL and starts with MBL I believe
> that's Malware Block List. I've
> > submitted a sample to fp (at) malwarepatrol.net. Is more than one
> sample needed? I'm posting here to let
> > others know and as they don't appear to acknowledge nor reply.
>
> I contacted them once and the reply was in the line that they considered
> that the risk was real enough to keep the rule(s).
>
> As I am updating ClamAV unofficial with the clamav-unofficial-sigs.sh
> script, I wrote a hook that removes any drive.google.doc from the
> signature (there are/were at least 3 entries).
>
> As I wrote the hook, I can modify it in the future to fit my needs, so it
> is not wasted time.
>
> I can share the script.
>
> Best regards,
>
> Olivier
>
> >
> > Why don't these come up?
> >
> > sigtool --find-sigs MBL_85256034*|sigtool --decode-sigs
> > sigtool --find-sigs MBL_85256034|sigtool --decode-sigs
> > sigtool --find-sigs MBL_85256034.UNOFFICIAL|sigtool --decode-sigs
> >
> > I also see multiple signature whitelists with some duplication:
> > /var/lib/clamav/securiteinfo.ign2
> > /var/lib/clamav/sigwhitelist.ign2
> > /var/lib/clamav-unofficial-sigs/dbs-si/securiteinfo.ign2
> > /var/lib/clamav-unofficial-sigs/dbs-ss/sigwhitelist.ign2
> >
> > That should be ok?
> >
> > I've seen this reported here before, e.g.,
> > https://clamav-users.clamav.narkive.com/mqj2qe6y/malwarepatrol-false-positive
> > and
> > https://clamav-users.clamav.narkive.com/5QYf5SQW/mbl-17713260-false-positive
> >



[clamav-users] false positive on MBL_85256034.UNOFFICIAL with Google Drive links

2021-04-28 Thread Robert Kudyba
Since the signature name has .UNOFFICIAL and starts with MBL I believe
that's Malware Block List. I've submitted a sample to fp (at)
malwarepatrol.net. Is more than one sample needed? I'm posting here to let
others know and as they don't appear to acknowledge nor reply.

Why don't these come up?

sigtool --find-sigs  MBL_85256034*|sigtool --decode-sigs
sigtool --find-sigs  MBL_85256034|sigtool --decode-sigs
sigtool --find-sigs  MBL_85256034.UNOFFICIAL|sigtool --decode-sigs

I also see multiple signature whitelists with some duplication:
/var/lib/clamav/securiteinfo.ign2
/var/lib/clamav/sigwhitelist.ign2
/var/lib/clamav-unofficial-sigs/dbs-si/securiteinfo.ign2
/var/lib/clamav-unofficial-sigs/dbs-ss/sigwhitelist.ign2

That should be ok?

I've seen this reported here before, e.g.,
https://clamav-users.clamav.narkive.com/mqj2qe6y/malwarepatrol-false-positive
and
https://clamav-users.clamav.narkive.com/5QYf5SQW/mbl-17713260-false-positive



[clamav-users] Fwd: [OT] Heuristics.Phishing.Email.SpoofedDomain...

2021-04-20 Thread Robert Kudyba
> Is there an updated convention for this?

> I believe it's more or less unchanged since version 8.6 of Sendmail
> (from the early 1990's).  The ID is generated in assign_queueid() in
> .../sendmail/queue.c, which uses the integer as an index to the string
> "0123456789ABCDEF... you get the picture vwxyz"


So how does 001CJwkY1702541 translate to this? first 0 = 2020, second 0 =
January, third 0 = first of the month but how does CJw --> hour, minute,
second?

Also, tapping into your regex skills I'm trying to sort mails in quarantine
to include year. I have this:

mailq -qQ|grep "^[A-F0-9]" | sort -k8n -k4M -k5n -k6n|more
001CJwkY1702541 5623 Wed Jan  1 07:19
<3407-238-87890-1062-ouruser=ourdomani.ed
001D02KP1709240   188941 Wed Jan  1 08:00 >
001IECdg1762795 4394 Wed Jan  1 13:14
<4408-492-342908-717-ouruser=ourdomain.edu 
102AQKeQ2731196 5771 Sat Jan  2 05:26
<25353-49186-27195-6631-ouruser=ourdomain
002D03oe1955787   188941 Thu Jan  2 08:00 ouru...@ourdomain.edu
>
102DY4K52763204  Sat Jan  2 08:34 

But that doesn't take into account the year. Any idea how to add to
the sort to look at the first character?



[clamav-users] False positive on Heuristics.Phishing.Email.SSL-Spoof, no attachment

2021-04-20 Thread Robert Kudyba
An important email from our university president was quarantined with
Heuristics.Phishing.Email.SSL-Spoof. I submitted the email as an attachment
to ClamAV. I'm also disabling it based on past reports such as
https://qmailtoaster-list.qmailtoaster.narkive.com/NYaYAjLl/disabling-clamav-heuristic-phishing-checks
,
https://portal.smartertools.com/community/a1225/how-to-disable-a-specific-clamav-scan.aspx
and https://sanesecurity.com/support/false-positives/

If anyone wants a sample I can send the email as an attachment.



Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain...

2021-04-19 Thread Robert Kudyba
> Hi there,
>
> On Tue, 13 Apr 2021, Robert Kudyba wrote:
>
> > So I still don't know what "queue_id" is.
>
> Try the command
>
> mailq
>
> and look in the Sendmail docs.  The queue ID is just the filename in
> the mail queue directory without the first two characters.  For each
> message in the queue there are two files, named [dq]fYMDhmsNp.
> Remove the df or qf and you have the queue ID.  YMD is encoded year,
> month and day; hms you can guess; N is envelope number (usually 0) and
> p is the first five digits (may be zero padded) of the process ID
> of the sendmail which originally received the message.
>

Thanks I found a tip that mailq -qQ works but the naming convention you
posted no longer appears to match. Here are a few of ours:
13GD62ID4037876
13GDQhfE4041600
03GJUOKl4119253
fYMDhmsNp doesn't match. It does appear the first number, "1", is the
year. But these messages were sent in April so the "3" doesn't
correspond, unless January is "0" so April would be "3"? Is there an
updated convention for this?

> This is just barely on-topic for this list.
>
> --
>
> 73,
> Ged.
>

Sorry I know you block emails directly to you so I had to send this to all.
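The [dq]fYMDhmsNp layout Ged describes, decoded for the queue IDs quoted in this thread and for the 001CJwkY1702541 / mailq sorting question in the later post, as an added Python example that is not Sendmail's code. The base-60 character set, the 1900-based year modulo 60, the 0-based month and the UTC clock are assumptions about Sendmail's assign_queueid(); the "two sequence characters then decimal PID" split after the seconds field is inferred from the 15-character IDs on the page; the mailq lines are constructed around those IDs.

```python
"""Decode Sendmail queue IDs and sort mailq output by the date they encode.

Added example, not Sendmail's code and not posted in the thread.  It follows
Ged's layout (YMDhms, then the sequence number, then the PID) with these
assumptions: each date/time field is one character indexed into
"0123456789A-Za-z", the year is (year - 1900) mod 60, the month is 0-based,
the clock is UTC, the sequence number is the two characters after the
seconds field, and the PID is the trailing run of decimal digits.
"""
from datetime import datetime, timezone
from typing import List, NamedTuple

QUEUE_ID_CHARS = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
YEAR_MODULUS = 60     # the year character repeats every 60 years
EPOCH_YEAR = 1900


class QueueId(NamedTuple):
    when: datetime     # UTC timestamp encoded in the ID
    sequence: str      # two-character per-process counter, left undecoded
    pid: int           # PID of the sendmail that received the message


def _field(ch: str) -> int:
    idx = QUEUE_ID_CHARS.find(ch)
    if idx < 0:
        raise ValueError(f"invalid queue-id character {ch!r}")
    return idx


def decode_queue_id(qid: str, reference_year: int = 2021) -> QueueId:
    """Decode qid (a qf/df/hf file name without its two-letter prefix).

    Only the year's residue mod 60 is stored, so it is resolved to the most
    recent year not after reference_year that has the same residue.
    """
    if len(qid) < 9 or not qid[8:].isdigit():
        raise ValueError(f"malformed queue id {qid!r}")
    y, mon, day, hour, minute, sec = (_field(c) for c in qid[:6])
    offset = ((reference_year - EPOCH_YEAR) - y) % YEAR_MODULUS
    when = datetime(reference_year - offset, mon + 1, day, hour, minute, sec,
                    tzinfo=timezone.utc)   # raises ValueError on an impossible date
    return QueueId(when, qid[6:8], int(qid[8:]))


def sort_mailq(entries: List[str], reference_year: int = 2021) -> List[str]:
    """Order mailq entry lines (queue ID first on the line) by the full
    timestamp inside the ID; mailq itself never prints the year."""
    return sorted(entries,
                  key=lambda e: decode_queue_id(e.split()[0], reference_year).when)


# Constructed mailq lines built around queue IDs quoted in the thread; the
# printed times are local (EST/EDT), the IDs encode UTC.
SAMPLE_MAILQ = [
    "102AQKeQ2731196     5771 Sat Jan  2 05:26 <sender@example.invalid>",
    "001CJwkY1702541     5623 Wed Jan  1 07:19 <sender@example.invalid>",
    "13GD62ID4037876     4394 Fri Apr 16 09:06 <sender@example.invalid>",
    "002D03oe1955787   188941 Thu Jan  2 08:00 <sender@example.invalid>",
]

if __name__ == "__main__":
    for qid in ("001CJwkY1702541", "13CDdtaZ2926176", "hB8HQQhK013863"):
        q = decode_queue_id(qid)
        print(qid, q.when.isoformat(), "seq", q.sequence, "pid", q.pid)
    for line in sort_mailq(SAMPLE_MAILQ):
        print(line)
```

Run against the IDs in the thread, 001CJwkY1702541 gives 2020-01-01 12:19:58 UTC (07:19 EST, matching the mailq column) and 13CDdtaZ2926176 gives 2021-04-12 13:39:55 UTC, which is the 09:39 EDT mtime shown on the df file.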



Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain...

2021-04-13 Thread Robert Kudyba
>
> > Also, with clamav-milter and sendmail. I see that the headers of
> quarantined messages go to /var/spool/mqueue with root:smmsp owner/group
> permissions and the header of the email starts with hf whilst the body of
> the message starts with df. So the message in question looks like this:
> > -rw------- 1 root smmsp    10050 Apr 12 09:40 hf13CDdtaZ2926176
> > -rw------- 1 root smmsp   100157 Apr 12 09:39 df13CDdtaZ2926176
> >
> > To release the message how does one find the queue_id to use the
> sendmail -qI command?
>
> I just checked out our quarantine to see what you were talking about and
> found a couple of ads in there.
> Forwarded off a sample to Micah, but it looks like there are some very
> phishy looking links in the samples I have.
> HTML link: americanexpress.com/rewards-info
> Actual underlying link:
> https://click.o.delta.com/u/?qs=1568763c78f67b6cdcd44df9cfac10c6bdd8a68c567c4d04238da45d4092cc1adeef2f53a3a8c4248f7140f92bd80fb33b830537983d2ad07ed440f137dd0226
>
> If you ask me, that deserves to be quarantined.
>

Yes I agree but it's a bit subjective.


> For Sendmail, it should be something like "sendmail -q" I would definitely
> look it up in the man pages, as I've been using postfix and exim now for
> awhile.


Well from http://www.postfix.org/postqueue.1.html
-i queue_id
Schedule  immediate delivery of deferred mail with the specified queue ID.
This option implements the traditional sendmail -qI command,  by contacting
the flush(8) server.

But that (sendmail -qI) doesn't appear to unquarantine anything. My
question is what does "queue_id" refer to?

And from a user's blog (with translation on)
https://nauwg3k7ped5ecgcukpptbgr6e-jj2cvlaia66be-www-usebox-net.translate.goog/jjm/sendmail/

Processing the queue
> If we remember the Sendmail execution line, we will see that it is
> indicated by means of -q30m processing the messages stored in the queue
> every 30 minutes. You can force the process by:
> # sendmail -q
> If we wanted to process a specific message we would use -qI _Q-ID_, for
> example:
> # sendmail -qI hB8HQQhK013863
> Or indicating the sender with -qS _remitente_:
> # sendmail -qS ''
> Or indicating one of the recipients with -qR _destinatario_:
> # sendmail -qR ''


So I still don't know what "queue_id" is.



Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain...

2021-04-13 Thread Robert Kudyba
I'm seeing a FP from a Delta Airlines email.

Also, with clamav-milter and sendmail. I see that the headers of
quarantined messages go to /var/spool/mqueue with root:smmsp owner/group
permissions and the header of the email starts with hf whilst the body of
the message starts with df. So the message in question looks like this:
-rw------- 1 root smmsp    10050 Apr 12 09:40 hf13CDdtaZ2926176
-rw------- 1 root smmsp   100157 Apr 12 09:39 df13CDdtaZ2926176

To release the message how does one find the queue_id to use the sendmail
-qI command?


On Thu, Apr 1, 2021 at 7:11 PM G.W. Haywood via clamav-users <
clamav-users@lists.clamav.net> wrote:

> Hi there,
>
> On Thu, 1 Apr 2021, eric-l...@truenet.com wrote:
>
> > Just a heads up.  I noticed a bunch of American Express Statements in our
> > quarantine.
> > My guess is because they are using m.amex and go.amex links in the
> emails.
> >
> > DKIM and SPF pass so these definitely seem to be legit AMEX emails.
> > From address is "American Express" 
>
> Name(s) of the signature(s) detected?
>
> --
>
> 73,
> Ged.
>



[clamav-users] false positive on MBL_82485625.UNOFFICIAL for Google Drive links sent as attachments

2021-03-24 Thread Robert Kudyba
Using clamav-milter 0.103.1 with sendmail on Fedora 33, we had several
emails quarantined with the MBL_82485625.UNOFFICIAL. All they contained was
a link forwarded as an attachment of a Google Drive folder. I reported this
to the false positive at SaneSecurity address. I also added the signature
to a file called  /var/lib/clamav/sigwhitelist.ign2

Is there a way to verify that the signature itself was fixed?



Re: [clamav-users] running freshclam and 3rd party/clamav-unofficial-sigs.sh owner name changes occasionally

2020-10-09 Thread Robert Kudyba
>
> > Oct 09 04:15:56 Checking for urlhaus updates...
> > Oct 09 04:15:56 Checking for updated urlhaus database file: urlhaus.ndb
> > Oct 09 04:15:56 Testing updated urlhaus database file: urlhaus.ndb
> > Oct 09 04:15:56 Clamscan reports urlhaus urlhaus.ndb database integrity
> tested good
> > Oct 09 04:15:56 Successfully updated urlhaus production database file:
> urlhaus.ndb
> > Oct 09 04:15:56 Update(s) detected, reloading ClamAV databases
> > Oct 09 04:15:56 ClamAV databases reloading
> > Oct 09 04:15:56 Issue tracker : https://github.com/extremeshok/clamav-unofficial-sigs/issues
> > Oct 09 04:15:56   Powered By https://eXtremeSHOK.com
> >*Oct 09 05:14:02 ERROR: clam database directory (clam_dbs) not writable
> /var/lib/clamav*
>
> Looks clear that the urlhaus db was updated OK.  Does the unofficial
> update script normally take an hour to run on your system?!  The one
> we use usually takes just a few minutes.
>

My bad in trying to economize my post here's the entire update-related
entry:
Oct 09 04:14:01 Preparing Databases
Oct 09 04:14:01 Fri 09 Oct 2020 04:14:01 AM EDT - Pausing database file
updates for 114 seconds...
Oct 09 04:15:55 Fri 09 Oct 2020 04:15:55 AM EDT - Pause complete, checking
for new database files...
Oct 09 04:15:55 Sanesecurity Database File Updates
Oct 09 04:15:55 2 hours have not yet elapsed since the last Sanesecurity
update check
Oct 09 04:15:55 No update check was performed at this time
Oct 09 04:15:55 Next check will be performed in approximately 1 hour(s), 6
minute(s)
Oct 09 04:15:55 SecuriteInfo Database File Updates
Oct 09 04:15:55 4 hours have not yet elapsed since the last SecuriteInfo
update check
Oct 09 04:15:55 No update check was performed at this time
Oct 09 04:15:55 Next check will be performed in approximately 3 hour(s), 6
minute(s)
Oct 09 04:15:55 LinuxMalwareDetect Database File Updates
Oct 09 04:15:55 Checking for LinuxMalwareDetect updates...
Oct 09 04:15:56 No LinuxMalwareDetect database file updates found
Oct 09 04:15:56 MalwarePatrol Database File Updates
Oct 09 04:15:56 24 hours have not yet elapsed since the last malwarepatrol
update check
Oct 09 04:15:56 No update check was performed at this time
Oct 09 04:15:56 Next check will be performed in approximately 7 hour(s), 0
minute(s)
Oct 09 04:15:56 Yara-Rules Database File Updates
Oct 09 04:15:56 Checking for urlhaus updates...
Oct 09 04:15:56 Checking for updated urlhaus database file: urlhaus.ndb
Oct 09 04:15:56 Testing updated urlhaus database file: urlhaus.ndb
Oct 09 04:15:56 Clamscan reports urlhaus urlhaus.ndb database integrity
tested good
Oct 09 04:15:56 Successfully updated urlhaus production database file:
urlhaus.ndb
Oct 09 04:15:56 Update(s) detected, reloading ClamAV databases
Oct 09 04:15:56 ClamAV databases reloading


> > ... perhaps I should contact the ExtremeSHOK contributors ...
>
> I'd have said so, yes.
>

well they may have an idea but I'm starting to think it's not related to
their script. After all the username clamupdate does not come from their
script.

>
> > perhaps there's some debug option that I'm not aware of?
>
> It's just a shell script, you could edit it to put debugging things in
> there if you're comfortable with hacking shell scripts.  Does it give
> usage help if run with no arguments?  Does it have the '-i' option?
>

Indeed I see some options here:
https://github.com/extremeshok/clamav-unofficial-sigs

So next time it happens I can try some of these:
-v, --verbose Be verbose, enabled when not run under cron
-i, --information Output system and configuration information for viewing
or possible debugging purposes
-t, --test-database Clamscan integrity test a specific database file eg:
'-t filename.ext' (do not include file path)
--check-clamav If ClamD status check is enabled and the socket path is
correctly specifiedthen (sic) test to see if clamd is running or not

Here's what the -i option returns:
su - clamav -s /bin/bash -c '/usr/local/sbin/clamav-unofficial-sigs.sh -i'

 eXtremeSHOK.com ClamAV Unofficial Signature Updater
 Version: v7.0.1 (2020-01-25)
 Required Configuration Version: v91
 Copyright (c) Adrian Jon Kriel :: ad...@extremeshok.com

Loading config: /etc/clamav-unofficial-sigs/master.conf
Loading config: /etc/clamav-unofficial-sigs/os.conf
Loading config: /etc/clamav-unofficial-sigs/user.conf

*** SCRIPT INFORMATION ***

Re: [clamav-users] running freshclam and 3rd party/clamav-unofficial-sigs.sh owner name changes occasionally

2020-10-09 Thread Robert Kudyba
>
> Every few weeks I'll start seeing this error:
> >
> > ERROR: clam database directory (clam_dbs) not writable /var/lib/clamav
> > ...
> > -rw-r--r--  1 clamupdate clamupdate    296388 Sep 19  2019 bytecode.cvd
> > -rw-r--r--  1 clamupdate clamupdate 112832258 Sep 17 09:53 daily.cvd
> > -rw-r--r--  1 clamupdate clamupdate 117859675 Nov 25  2019 main.cvd
> > ...
> > I've tried grepping for the clamupdate user in all the .conf files and
> > anywhere it appears it's commented out. Any other places to look?
>
> It's a little bit concerning because if something is changing ownership
> of the files then (a) it looks like it's running with root permissions
> and (b) you don't know what it is.
>
> Are you sure that you don't have something else running which sets the
> permissions?


That's what I'm trying to figure out. I've looked through the crontab
files, e.g., in /etc/conf*, bubcus



> Are there logs going back far enough to give you a good
> feel for exactly when it happens?


I believe so and I have access to the backups which go back at least a
year. That's why I pointed to this log:
 /var/log/clamav-unofficial-sigs/clamav-unofficial-sigs.log

And today when it started:
Oct 09 04:15:56 Checking for urlhaus updates...
Oct 09 04:15:56 Checking for updated urlhaus database file: urlhaus.ndb
Oct 09 04:15:56 Testing updated urlhaus database file: urlhaus.ndb
Oct 09 04:15:56 Clamscan reports urlhaus urlhaus.ndb database integrity
tested good
Oct 09 04:15:56 Successfully updated urlhaus production database file:
urlhaus.ndb
Oct 09 04:15:56 Update(s) detected, reloading ClamAV databases
Oct 09 04:15:56 ClamAV databases reloading
Oct 09 04:15:56 Issue tracker :
https://github.com/extremeshok/clamav-unofficial-sigs/issues
Oct 09 04:15:56   Powered By https://eXtremeSHOK.com
*Oct 09 05:14:02 ERROR: clam database directory (clam_dbs) not writable
/var/lib/clamav*

So between 4:15 and 5:15 AM today (EDT).

> If it were my problem I'd probably
> start with some simple logging so it was more clear what happened when;
> something like a cron job which just makes a listing of the permissions
> every minute, appending it to a file in /var/log.  Something like this
> in a crontab:
>
> * * * * *  /bin/echo -n "$(/bin/date) " >> /var/log/clam_perms.log ; \
> /bin/ls -l /var/lib/clamav >> /var/log/clam_perms.log
>

I'll consider this too, perhaps I should contact the ExtremeSHOK
contributors at https://github.com/extremeshok/clamav-unofficial-sigs? Or
perhaps there's some debug option that I'm not aware of? In
/etc/clamav-unofficial-sigs/master.conf
I have:
logging_enabled="yes"
log_file_path="/var/log/clamav-unofficial-sigs"
log_file_name="clamav-unofficial-sigs.log"


> If you just want to paper over the cracks you could for example make a
> wrapper for the update script which sets permissions before running it,
> or run another script before invocations of the update script so that
> the permissions are set first, or hack the update script itself.  You
> could even use 'chattr' to make the permissions unchangeable.
>

Yeah I've used the chattr option in other areas, perhaps some logging would
appear if I take this approach.

Later on Fri, 9 Oct 2020, Robert Kudyba wrote:
>
> > The only reference to clamupdate I see are in the various config
> > files, e.g., clamav.conf ...
>
> I'm puzzled.  Why is there a reference to the 'clamupdate' user in a
> file called 'clamav.conf' (which I take to be a bowdlerized version of
> something like clamd.conf) if you don't use the 'clamupdate' user ID?
>

Sure looks like earlier versions of Fedora did this according to this bug
report <https://bugzilla.redhat.com/show_bug.cgi?id=963920> and this
discussion
<https://lists.fedoraproject.org/pipermail/test/2013-May/115552.html> on
Fedora Project.

Ha, bowdlerized: (of a text or account) having had material considered
improper or offensive removed.


> It makes me wonder if there have been changes from some original setup
> which did employ that user and which haven't all been flushed through,
> or if something else has modified the ClamAV configuration files that
> you don't know about.
>

I believe I configured and installed it myself less than 2 years ago but
perhaps when I restored some files from a backup I added some old config
files and or/services? I do see:
systemctl status clam<TAB>
clamav-clamonacc.service
clamav-unofficial-sigs.service
clamd.service
clamav-freshclam.service
clamav-unofficial-sigs.timer
clam-freshclam.service
clamav-milter.service
clamd@scan.service
clamonacc.service

Only  clamav-milter, clamd@scan.service and clamav-fre

Re: [clamav-users] running freshclam and 3rd party/clamav-unofficial-sigs.sh owner name changes occasionally

2020-10-09 Thread Robert Kudyba
>
> > Every few weeks I'll start seeing this error:
> >
> > ERROR: clam database directory (clam_dbs) not writable /var/lib/clamav
> >
> > Running this fixes it:
> > su clamav -s '/usr/local/sbin/clamav-unofficial-sigs.sh'
> >
> > Here are the files not owned by clamav:
> > -rw-r--r--  1 clamupdate clamupdate    296388 Sep 19  2019 bytecode.cvd
> > -rw-r--r--  1 clamupdate clamupdate 112832258 Sep 17 09:53 daily.cvd
> > -rw-r--r--  1 clamupdate clamupdate 117859675 Nov 25  2019 main.cvd
> >
> At first glance it appears someone is running "freshclam" manually as
> clamupdate/clamupdate.
>
> Is there only one "freshclam" binary on the system?
>

Yes:
ls -l /usr/bin/freshclam*
-rwxr-xr-x 1 root root 45816 Oct  5 14:05 /usr/bin/freshclam

> Is it running as a daemon or being invoked by some other method(s)?
>
Via systemctl:
clamav    937912  0.0  0.0 102816 15860 ?  Ss   04:46   0:04 /usr/bin/freshclam -d --foreground=true

systemctl status clamav-freshclam.service
● clamav-freshclam.service - ClamAV virus database updater
 Loaded: loaded (/usr/lib/systemd/system/clamav-freshclam.service;
enabled; vendor preset: disabled)
 Active: active (running) since Fri 2020-10-09 04:46:04 EDT; 6h ago
   Docs: man:freshclam(1)
 man:freshclam.conf(5)
 https://www.clamav.net/documents
   Main PID: 937912 (freshclam)
  Tasks: 1 (limit: 154197)
 Memory: 337.2M
 CGroup: /system.slice/clamav-freshclam.service
 └─937912 /usr/bin/freshclam -d --foreground=true

And the other one is disabled:
systemctl status clam-freshclam.service
● clam-freshclam.service - freshclam scanner
 Loaded: loaded (/usr/lib/systemd/system/clam-freshclam.service;
disabled; vendor preset: disabled)
 Active: inactive (dead)


> Is there another that is set{g,u}id clamupdate?
>
> Oh, what binaries *are* set{g,u}id clamupdate?
>
> And who/what regularly uses the "clamupdate" id?
>

Not that I know of. The only references to clamupdate I see are in the
various config files, e.g., clamav.conf and the 3rd party conf files in
/etc/clamav-unofficial-sigs/

I can track down that this started early this morning:
Oct 09 05:14:02 ERROR: clam database directory (clam_dbs) not writable
/var/lib/clamav

But the only thing in the cron log file at that time is this 3rd
party update:

Oct  9 05:01:01 ourserver CROND[948241]: (root) CMD (run-parts
/etc/cron.hourly)
Oct  9 05:01:01 ourserver run-parts[948241]: (/etc/cron.hourly) starting
0anacron
Oct  9 05:01:01 ourserver run-parts[948241]: (/etc/cron.hourly) finished
0anacron
Oct  9 05:14:01 ourserver CROND[956493]: (clamav) CMD ([ -x
/usr/local/sbin/clamav-unofficial-sigs.sh ] && /usr/bin/bash
/usr/local/sbin/clamav-unofficial-sigs.sh)

I also see this:
cat /etc/cron.d/clamav-unofficial-sigs
14 * * * *  clamav [ -x /usr/local/sbin/clamav-unofficial-sigs.sh ] &&
/usr/bin/bash /usr/local/sbin/clamav-unofficial-sigs.sh

and a while back I added clamav to the clamupdate group to try to work
around this:

grep clamupdate /etc/passwd
clamupdate:x:983:979:Clamav database update user:/var/lib/clamav:/sbin/nologin

grep 979  /etc/group
clamupdate:x:979:clamav

___

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


[clamav-users] running freshclam and 3rd party/clamav-unofficial-sigs.sh owner name changes occasionally

2020-10-09 Thread Robert Kudyba
Running ClamAV 103.0-1 on Fedora, I have freshclam
and clamav-unofficial-sigs.sh from
https://github.com/extremeshok/clamav-unofficial-sigs

Every few weeks I'll start seeing this error:

ERROR: clam database directory (clam_dbs) not writable /var/lib/clamav

Running this fixes it:
su clamav -s '/usr/local/sbin/clamav-unofficial-sigs.sh'

Here are the files not owned by clamav:
-rw-r--r--  1 clamupdate clamupdate    296388 Sep 19  2019 bytecode.cvd
-rw-r--r--  1 clamupdate clamupdate 112832258 Sep 17 09:53 daily.cvd
-rw-r--r--  1 clamupdate clamupdate 117859675 Nov 25  2019 main.cvd

In /etc/freshclam.conf I have:
DatabaseDirectory /var/lib/clamav
DatabaseOwner clamav

And in ExtremeSHOK I have these settings:
/etc/clamav-unofficial-sigs/user.conf:clam_user="clamav"
/etc/clamav-unofficial-sigs/user.conf:clam_group="clamav"
/etc/clamav-unofficial-sigs/master.conf:clam_user="clamav"
/etc/clamav-unofficial-sigs/master.conf:clam_group="clamav"

Clamd setting:
/etc/clamd.d/scan.conf:User clamav

ps -auwx|grep -i clam
clamav    937639  0.3  1.5 2464352 1981128 ?  Ssl  04:45   1:06 /usr/sbin/clamd -c /etc/clamd.d/scan.conf
clamav    937912  0.0  0.0   27856   12772 ?  Ss   04:46   0:00 /usr/bin/freshclam -d --foreground=true
clamilt   938023  0.0  0.0  249988    1448 ?  Ssl  04:46   0:00 /usr/sbin/clamav-milter -c /etc/mail/clamav-milter.conf

I've tried grepping for the clamupdate user in all the .conf files and
anywhere it appears it's commented out. Any other places to look?


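An added example, not from this thread and not part of clamav-unofficial-sigs: a small POSIX shell script that does the two checks discussed above by hand, the every-minute ownership listing suggested in the reply quoted in the August 2021 message, and the hunt in this post for database files owned by clamupdate rather than the DatabaseOwner that freshclam.conf declares. Directory, owner, log and config paths are parameters whose defaults (/var/lib/clamav, clamav, /var/log/clam_perms.log, /etc/freshclam.conf) are assumptions mirroring the thread, so it can be pointed at a scratch directory first. The chattr idea from the same reply is deliberately not used: an immutable database file or directory would also stop freshclam from replacing the .cvd files.

```shell
#!/bin/sh
# Added example: ownership audit for the ClamAV database directory.
# Not part of the thread or of clamav-unofficial-sigs; the default paths
# below are assumptions that mirror the thread's setup.

# Append one timestamped "ls -l" snapshot of DIR to LOG (the cron idea
# from the thread, moved into a script so the crontab line stays short).
snapshot_owners() {
    dir=$1; log=$2
    {
        printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$dir"
        ls -l "$dir"
    } >> "$log"
}

# Print every regular file under DIR not owned by OWNER, one per line.
# Returns 0 when everything is owned by OWNER, 1 otherwise, so it can be
# a cron check or a pre-flight inside a wrapper around the update script.
report_foreign_owners() {
    dir=$1; owner=$2
    found=$(find "$dir" -type f ! -user "$owner" 2>/dev/null)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Number of regular files under DIR not owned by OWNER.
count_foreign_owners() {
    dir=$1; owner=$2
    find "$dir" -type f ! -user "$owner" 2>/dev/null | wc -l | tr -d ' '
}

# DatabaseOwner from a freshclam.conf; commented-out lines are ignored and
# the value falls back to clamav, the compiled-in default, when unset.
database_owner_from_conf() {
    conf=$1
    owner=$(sed -n 's/^[[:space:]]*DatabaseOwner[[:space:]]\{1,\}//p' "$conf" \
            | sed 's/[[:space:]]*$//' | tail -n 1)
    printf '%s\n' "${owner:-clamav}"
}

# Stand-alone use (assumed install path):
#   * * * * *  root  /usr/local/sbin/clamdb-owner-check.sh --run
if [ "${1:-}" = "--run" ]; then
    db_dir=${DB_DIR:-/var/lib/clamav}
    log=${LOG:-/var/log/clam_perms.log}
    owner=$(database_owner_from_conf "${FRESHCLAM_CONF:-/etc/freshclam.conf}")
    snapshot_owners "$db_dir" "$log"
    if ! report_foreign_owners "$db_dir" "$owner"; then
        echo "WARNING: files in $db_dir not owned by $owner (listed above)" >&2
        exit 1
    fi
fi
```

Run it from root's crontab (or as the database owner); a non-zero exit, together with the snapshot written to the log in the same minute, pins down when the ownership flipped and which cron entry was running. `find -user` requires the name to exist in /etc/passwd, which is why the conf reader falls back to clamav when DatabaseOwner is commented out rather than passing an empty name through.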
[clamav-users] create /var/run/clamav on reboot in Fedora, otherwise Pulseaudio errors occur

2020-08-05 Thread Robert Kudyba
Using Fedora 31, this has been happening for quite a while. After reboot
/var/run/clamav is removed, which is expected. However, when ClamAV was
installed the user created in /etc/passwd looks like this:
clamav:x:985:981::/var/run/clamav:/sbin/nologin

So Pulseaudio tries to create the following directories/files:

Aug  5 10:14:02 myuser pulseaudio[1392074]: E: [pulseaudio] core-util.c:
Failed to create secure directory (/var/run/clamav/.config/pulse): No such
file or directory
Aug  5 10:14:02 myuser systemd[1392030]: pulseaudio.service: Main process
exited, code=exited, status=1/FAILURE
Aug  5 10:14:02 myuser systemd[1392030]: pulseaudio.service: Failed with
result 'exit-code'.
Aug  5 10:14:02 myuser systemd[1392030]: Failed to start Sound Service.
Aug  5 10:14:02 myuser systemd[1392030]: pulseaudio.service: Scheduled
restart job, restart counter is at 2.
Aug  5 10:14:02 myuser systemd[1392030]: Stopped Sound Service.
Aug  5 10:14:02 myuser systemd[1392030]: Starting Sound Service...

So a work-around I've found is to update
/lib/systemd/system/clamd.service with:

ExecStartPre = /usr/bin/mkdir -p /var/run/clamav
ExecStartPre = /usr/bin/chown -R clamav:clamav /var/run/clamav

Is this a known issue?


Re: [clamav-users] Clamd crashes frequently - macOS Catalina

2020-05-01 Thread Robert Kudyba
Nice
On Fri, May 1, 2020, 9:38 PM James Brown via clamav-users <
clamav-users@lists.clamav.net> wrote:

> On 1 May 2020, at 8:31 pm, Mark Allan via clamav-users <
> clamav-users@lists.clamav.net> wrote:
>
>
> Try excluding Email.Exploit.Efail-6641027-1 from the main ClamAV set.
>
>
> Thanks Mark. After over 12 hours clamd is still up and running. Looks like
> that sig was causing the problem.
>
> James.

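An added example, not from the thread: the exclusion Mark suggests is done by listing the signature name in a file with the `.ign2` extension inside the database directory, one name per line; clamd and clamscan load every `*.ign2` they find there and skip the named signatures. The helper below appends a name only if it is not already listed and rejects names containing whitespace (never valid in a ClamAV signature name). The path /var/lib/clamav/local.ign2 and the file name are assumptions; the running clamd still needs a reload (`clamdscan --reload`, or its next SelfCheck) before the exclusion takes effect.

```shell
#!/bin/sh
# Added example: maintain a local .ign2 file that tells ClamAV to skip
# named signatures. Not from the thread; the path under /var/lib/clamav
# is an assumed location, any *.ign2 in the database directory works.

# A usable signature name is non-empty and contains no whitespace.
valid_sig_name() {
    case $1 in
        '' | *[[:space:]]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Append NAME to FILE unless it is already listed (exact, whole-line match).
# Prints "added" or "present"; returns 2 for an invalid name.
ignore_signature() {
    file=$1; name=$2
    valid_sig_name "$name" || return 2
    if [ -f "$file" ] && grep -qxF "$name" "$file"; then
        echo present
        return 0
    fi
    printf '%s\n' "$name" >> "$file"
    echo added
}

# Number of signatures listed in FILE (0 if the file does not exist).
ignored_count() {
    if [ -f "$1" ]; then grep -c . "$1" || true; else echo 0; fi
}

if [ "${1:-}" = "--apply" ]; then
    # Real use on the thread's layout (assumed path), then ask clamd to reload.
    ignore_signature /var/lib/clamav/local.ign2 Email.Exploit.Efail-6641027-1
    clamdscan --reload
fi
```

Keep the file under a name that neither freshclam nor clamav-unofficial-sigs writes, so updates do not overwrite it, and review it periodically: an ignored signature stays ignored after the upstream database has fixed it.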
[clamav-users] Logwatch not showing "Viruses detected"

2019-10-30 Thread Robert Kudyba
This might be off topic to the list. We have Clam AV running on Fedora 30
with clamav-milter, clamav-0.101.4-1.fc30.x86_64, and sendmail. On one
server the logwatch emails do send a daily recap as desired such as this
stanza:
 - Clamav Begin 
 Viruses detected:
Sanesecurity.Jurlbl.2a2f26.UNOFFICIAL: 1 Time(s)
Sanesecurity.Jurlbl.550e2a.UNOFFICIAL: 1 Time(s)
Sanesecurity.Jurlbl.66a5cd.UNOFFICIAL: 1 Time(s)
SecuriteInfo.com.Spam-3504.UNOFFICIAL: 1 Time(s)
SecuriteInfo.com.Spam-3953.UNOFFICIAL: 1 Time(s)
SecuriteInfo.com.Spam-4044.UNOFFICIAL: 2 Time(s)
 -- Clamav End -

On the other server, logwatch only shows this (not the above):

 Messages quarantined by milter: [Occurrences >= 1]
 clamav-milter: quarantined by clamav-milter   6 Time
 Total:   6

This config file is the same on both servers:
cat  /usr/share/logwatch/default.conf/services/clamav-milter.conf
##
#
# clamav script ver. 0.85.1 for Logwatch.
#
# Written by S. Schimkat .
#
# Find latest version here: www.schimkat.dk/clamav
#
##

Title = "Clamav-milter"
LogFile = messages
# maillog retained for backwards compatibility, but may be deleted
# at a later time
LogFile = maillog
*OnlyService = clamav-milter
*RemoveHeaders

# To turnoff unmatched output set to 1
$clamav_ignoreunmatched = 0

# vi: shiftwidth=3 tabstop=3 et

Is there another config file for this that I'm missing? Side note, the URL
above, www.schimkat.dk/clamav, is now 404 page not found.


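An added example, not part of the thread or of the logwatch script: the "Viruses detected" stanza is a per-signature count of clamav-milter's "... infected by <name>" log lines, and clamav-milter only writes those when LogInfected in /etc/mail/clamav-milter.conf is Basic or Full (the default, Off, logs nothing for logwatch to count, while the milter's quarantine action still shows up). That setting is worth comparing between the two servers. The function below reproduces the tally over a constructed maillog excerpt; the line shape follows clamav-milter's Basic format as an assumption, not captured output.

```shell
#!/bin/sh
# Added example: tally "infected by <signature>" lines the way the logwatch
# "Viruses detected" stanza does. Not from the thread or the logwatch script.

# Read a log on stdin and print "<signature>: N Time(s)" per signature,
# sorted by name. Only clamav-milter lines are considered.
viruses_detected() {
    awk '
        /clamav-milter/ && match($0, / infected by [^ ]+/) {
            # " infected by " is 13 characters; the rest of the match is the name
            sig = substr($0, RSTART + 13, RLENGTH - 13)
            count[sig]++
        }
        END { for (s in count) printf "%s: %d Time(s)\n", s, count[s] }
    ' | sort
}

# Constructed sample maillog excerpt (not real data). The "infected by"
# lines are what LogInfected Basic produces (assumed format); the clamd
# line is noise that must not be counted.
SAMPLE_LOG='Oct 30 09:12:01 mx clamav-milter[4350]: Message abc123 from <a@example.org> to <b@example.edu> infected by Sanesecurity.Jurlbl.2a2f26.UNOFFICIAL
Oct 30 10:40:17 mx clamav-milter[4350]: Message def456 from <c@example.org> to <b@example.edu> infected by SecuriteInfo.com.Spam-4044.UNOFFICIAL
Oct 30 11:02:44 mx clamav-milter[4350]: Message ghi789 from <d@example.org> to <e@example.edu> infected by SecuriteInfo.com.Spam-4044.UNOFFICIAL
Oct 30 11:30:00 mx clamd[25994]: SelfCheck: Database status OK.'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | viruses_detected
fi
```

Against a real host, `viruses_detected < /var/log/maillog` on the quiet server either prints the same kind of stanza (then the logwatch side is at fault) or nothing (then clamav-milter is not logging infections there).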
Re: [clamav-users] Install error on Fedora 30

2019-08-09 Thread Robert Kudyba
You have to wait for the Fedora maintainers to update it, usually takes a
week or so.

On Fri, Aug 9, 2019, 11:41 AM Cliff Hayes via clamav-users <
clamav-users@lists.clamav.net> wrote:

> I took advice given and used dnf to install clamd and clamav.
> But now I am getting the errors:
>
> WARNING: Your ClamAV installation is OUTDATED!
> WARNING: Local version: 0.101.2 Recommended version: 0.101.3
>
> I have tried dnf update clamd and dnf update clamav daily and there are
> no updates.
>
> I looked at
> https://www.clamav.net/documents/upgrading-clamav
> but there is no advice about this particular problem.
>
> How do I get updates for a dnf installed clam?
>
> On 7/23/2019 2:33 PM, J.R. via clamav-users wrote:
> > Have you tried building without specifying the paths to see what it does?
> >
> > There is a 0.101.2 RPM for FC30... Why not just modify the .src.rpm if
> > you want to enable some custom options?
> >
> > I believe you also need libxml2-devel last time I looked at the .SPEC
> > for EPEL...
> >
> > You can also try the following, though unless your openssl is
> > installed in a custom directory it should find it in the standard
> > paths...
> >
> > CPPFLAGS=`pkg-config --cflags openssl`; export CPPFLAGS
> > LDFLAGS="-Wl,-O1 `pkg-config --libs openssl`"; export LDFLAGS
>

Re: [clamav-users] ***Spam 3.041*** clamd using 100% CPU in Fedora 30 with sendmail & clamav-milter, : Probe for slot 1 returned: failed

2019-07-31 Thread Robert Kudyba
Indeed we do use clamav-unofficial-sigs from
https://github.com/extremeshok/clamav-unofficial-sigs/blob/master/README.md.

And interesting timing just announced a new version:
Version 6.0 (30 July 2019)

On Wed, Jul 31, 2019 at 10:41 AM Micah Snyder (micasnyd) via clamav-users <
clamav-users@lists.clamav.net> wrote:

> If you don’t mind my asking – are you using a large number of third party
> databases?  Our official databases have grown quite a bit this year – but I
> wouldn’t expect anywhere near 5 minutes for load time. On my laptop this
> morning I see around 45 seconds load time for clamd.
>
>
>
> Every now and then it’s prudent to groom the database and remove
> problematic signatures, or consolidate them. We do this on occasion, and
> have an ongoing effort to replace hash-based signatures with logical
> signatures that detect more than one file per signature.  I wonder if any
> of the unofficial databases have similar efforts to keep the volume and
> quality of signatures in check.
>
>
>
> Regards,
>
> Micah
>
>
>
> *From: *clamav-users  on behalf of
> Robert Kudyba 
> *Reply-To: *ClamAV users ML 
> *Date: *Wednesday, July 31, 2019 at 10:29 AM
> *To: *Reio Remma , "clamav-users@lists.clamav.net" <
> clamav-users@lists.clamav.net>
> *Subject: *Re: [clamav-users] ***Spam 3.041*** clamd using 100% CPU in
> Fedora 30 with sendmail & clamav-milter, : Probe for slot 1 returned: failed
>
>
>
> Sorry forgot to include the hive in my responses. So increasing the
> timeout value to 900 did work. I didn’t time it but it definitely seems
> like 4-5 minutes to finally start. We rebooted and it started fine.
>
>
>
> Should a bug report be created? Would this be in Fedora’s Bugzilla, or
> Clamav’s bug tracker? Are there any other optimization settings?
>
>
>
> On Jul 31, 2019, at 2:47 AM, Reio Remma  wrote:
>
>
>
> Just curious, did you note how long it actually took to fully load clamd
> afterwards?
>
> It might be worth taking this to CentOS devs, because the signatures
> database keeps growing and clamd loading time with it.
>
> But it's really an issue with older machines like the one I have here. :D
>
> Good luck!
> Reio
>
>
> On 30/07/2019 23:30, Robert Kudyba wrote:
>
> I did but then I also increased from 600 to 900 and that started the
> daemon. Any idea why this wouldn't be considered a bug?
>
>
>
> Thanks for the response.
>
>
>
> On Tue, Jul 30, 2019 at 3:48 PM Reio Remma  wrote:
>
> Did you do "systemctl daemon-reload" before restarting the service again?
>
> On 30.07.2019 22:23, Robert Kudyba wrote:
>
> No luck:
>
>
>
>  systemd[1]: Starting Generic clamav scanner daemon...
>  journalctl -xe
> -- Defined-By: systemd
> -- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
> --
> -- An ExecStart= process belonging to unit clamd@scan.service has exited.
> --
> -- The process' exit code is 'killed' and its exit status is 15.
> Jul 30 15:20:21 storm.cis.fordham.edu systemd[1]: clamd@scan.service:
> Failed with result 'timeout'.
> -- Subject: Unit failed
> -- Defined-By: systemd
> -- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
> --
> -- The unit clamd@scan.service has entered the 'failed' state with result
> 'timeout'.
> Jul 30 15:20:21 storm.cis.fordham.edu systemd[1]: Failed to start Generic
> clamav scanner daemon.
> -- Subject: A start job for unit clamd@scan.service has failed
> -- Defined-By: systemd
> -- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
> --
> -- A start job for unit clamd@scan.service has finished with a failure.
> --
> -- The job identifier is 331899 and the job result is failed.
>
>
>
> It's as if clamd continues to try to start as running 'top' shows 100%

Re: [clamav-users] ***Spam 3.041*** clamd using 100% CPU in Fedora 30 with sendmail & clamav-milter, : Probe for slot 1 returned: failed

2019-07-31 Thread Robert Kudyba
Sorry forgot to include the hive in my responses. So increasing the timeout 
value to 900 did work. I didn’t time it but it definitely seems like 4-5 
minutes to finally start. We rebooted and it started fine.

Should a bug report be created? Would this be in Fedora’s Bugzilla, or Clamav’s 
bug tracker? Are there any other optimization settings?

> On Jul 31, 2019, at 2:47 AM, Reio Remma  wrote:
> 
> Just curious, did you note how long it actually took to fully load clamd 
> afterwards?
> 
> It might be worth taking this to CentOS devs, because the signatures database 
> keeps growing and clamd loading time with it.
> 
> But it's really an issue with older machines like the one I have here. :D
> 
> Good luck!
> Reio
> 
> 
> On 30/07/2019 23:30, Robert Kudyba wrote:
>> I did but then I also increased from 600 to 900 and that started the daemon. 
>> Any idea why this wouldn't be considered a bug?
>> 
>> Thanks for the response.
>> 
>> On Tue, Jul 30, 2019 at 3:48 PM Reio Remma wrote:
>> Did you do "systemctl daemon-reload" before restarting the service again?
>> 
>> On 30.07.2019 22:23, Robert Kudyba wrote:
>>> No luck:
>>> 
>>>  systemd[1]: Starting Generic clamav scanner daemon...
>>>  journalctl -xe
>>> -- Defined-By: systemd
>>> -- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel 
>>> --
>>> -- An ExecStart= process belonging to unit clamd@scan.service has exited.
>>> --
>>> -- The process' exit code is 'killed' and its exit status is 15.
>>> Jul 30 15:20:21 storm.cis.fordham.edu systemd[1]: clamd@scan.service: Failed with result 'timeout'.
>>> -- Subject: Unit failed
>>> -- Defined-By: systemd
>>> -- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel 
>>> --
>>> -- The unit clamd@scan.service has entered the 'failed' state with result 'timeout'.
>>> Jul 30 15:20:21 storm.cis.fordham.edu systemd[1]: Failed to start Generic clamav scanner daemon.
>>> -- Subject: A start job for unit clamd@scan.service has failed
>>> -- Defined-By: systemd
>>> -- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel 
>>> --
>>> -- A start job for unit clamd@scan.service has finished with a failure.
>>> --
>>> -- The job identifier is 331899 and the job result is failed.
>>> 
>>> It's as if clamd continues to try to start as running 'top' shows 100% CPU:
>>>   PID USER      PR  NI    VIRT    RES    SHR S  %CPU  %MEM     TIME+ COMMAND
>>>  4949 root  20   0  774044 727648   7736 R  93.8   1.5   1:16.88 clamd
>>> 
>>> status shows it's still trying to start:
>>>  systemctl status clamd@scan.service
>>> * clamd@scan.service - Generic clamav scanner daemon
>>>Loaded: loaded (/usr/lib/systemd/system/clamd@scan.service; enabled; 
>>> vendor preset: disabled)
>>>Active: activating (start) since Tue 2019-07-30 15:21:52 EDT; 26s ago
>>>  Docs: man:clamd(8)
>>>man:clamd.conf(5)
>>>    https://www.clamav.net/documents/

Re: [clamav-users] ***Spam 3.041*** clamd using 100% CPU in Fedora 30 with sendmail & clamav-milter, : Probe for slot 1 returned: failed

2019-07-30 Thread Robert Kudyba
No luck:

 systemd[1]: Starting Generic clamav scanner daemon...
 journalctl -xe
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- An ExecStart= process belonging to unit clamd@scan.service has exited.
--
-- The process' exit code is 'killed' and its exit status is 15.
Jul 30 15:20:21 storm.cis.fordham.edu systemd[1]: clamd@scan.service:
Failed with result 'timeout'.
-- Subject: Unit failed
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- The unit clamd@scan.service has entered the 'failed' state with result
'timeout'.
Jul 30 15:20:21 storm.cis.fordham.edu systemd[1]: Failed to start Generic
clamav scanner daemon.
-- Subject: A start job for unit clamd@scan.service has failed
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- A start job for unit clamd@scan.service has finished with a failure.
--
-- The job identifier is 331899 and the job result is failed.

It's as if clamd continues to try to start as running 'top' shows 100% CPU:
  PID USER      PR  NI    VIRT    RES    SHR S  %CPU  %MEM     TIME+ COMMAND
 4949 root  20   0  774044 727648   7736 R  93.8   1.5   1:16.88 clamd

status shows it's still trying to start:
 systemctl status clamd@scan.service
* clamd@scan.service - Generic clamav scanner daemon
   Loaded: loaded (/usr/lib/systemd/system/clamd@scan.service; enabled;
vendor preset: disabled)
   Active: activating (start) since Tue 2019-07-30 15:21:52 EDT; 26s ago
 Docs: man:clamd(8)
   man:clamd.conf(5)
   https://www.clamav.net/documents/
Cntrl PID: 5175 (clamd)
Tasks: 1 (limit: 4915)
   Memory: 244.0M
   CGroup: /system.slice/system-clamd.slice/clamd@scan.service
   `-5175 /usr/sbin/clamd -c /etc/clamd.d/scan.conf

Jul 30 15:21:52 ourdomain systemd[1]: Starting Generic clamav scanner
daemon...

And just to be sure:
cat  /lib/systemd/system/clamd@.service
[Unit]
Description = clamd scanner (%i) daemon
Documentation=man:clamd(8) man:clamd.conf(5)
https://www.clamav.net/documents/
# Check for database existence
# ConditionPathExistsGlob=@DBDIR@/main.{c[vl]d,inc}
# ConditionPathExistsGlob=@DBDIR@/daily.{c[vl]d,inc}
After = syslog.target nss-lookup.target network.target

[Service]
Type = forking
ExecStart = /usr/sbin/clamd -c /etc/clamd.d/%i.conf
Restart = on-failure
TimeoutSec=600

On Tue, Jul 30, 2019 at 3:12 PM Reio Remma via clamav-users <
clamav-users@lists.clamav.net> wrote:

> I suspect it might be the same issue I had a few days back.
>
> Check out the thread "Clamd fails to start with daily.cvd".
>
> As suggested by user Axb:
>
> in file clamd.service
> to section:
> [Service]
> add
> TimeoutSec=900
>
> restart clamd service
>
> I personally increased the limit to 300 seconds. :)
>
> I suspect systemd is killing the process because it goes over the timeout
> threshold when loading the signatures.
>
> Good luck!
> Reio
>
>
> On 30.07.2019 21:58, Robert Kudyba wrote:
>
> rpm -qa clamav-milter
> clamav-milter-0.101.2-2.fc30.x86_64
> rpm -qa clamd
> clamd-0.101.2-2.fc30.x86_64
>
> See some logs and statuses below. clamd takes up all of the CPU. clamd
> does appear to start based on the ps command but you can see the status
> shows not running:
>
>   PID USER      PR  NI    VIRT    RES    SHR S  %CPU  %MEM     TIME+ COMMAND
> 26618 root      20   0  214188 207576   7996 R  99.0   0.4   0:10.76 clamd
>
> Tue Jul 30 14:30:17 2019 -> WARNING: No clamd server appears to be
> available
> Tue Jul 30 14:31:16 2019 -> Failed to establish a connection to clamd
> Tue Jul 30 14:31:16 2019 -> Probe for slot 1 returned: failed
> Tue Jul 30 14:31:16 2019 -> WARNING: No clamd server appears to be
> available
> Tue Jul 30 14:32:15 2019 -> Failed to establish a connection to clamd
> Tue Jul 30 14:32:15 2019 -> Probe for slot 1 returned: failed
> Tue Jul 30 14:32:15 2019 -> WARNING: No clamd server appears to be
> available
>
>  ps -auwx|grep clam
> clamav    2538  0.0  0.0  18348  3156 ?  Ss   Jul29   0:00 /usr/bin/freshclam -d -c 4
> clamav   24692  0.0  0.0  19852 10044 ?  Ss   14:10   0:00 /usr/lib/systemd/systemd --user
> clamav   24697  0.0  0.0 181296  5200 ?  S    14:10   0:00 (sd-pam)
> clamav   24717  0.0  0.0 113064  3312 ?  Ss   14:10   0:00 /bin/sh -c [ -x /usr/local/sbin/clamav-unofficial-sigs.sh ] && /usr/bin/bash /usr/local/sbin/clamav-unofficial-sigs.sh > /dev/null
> clamav   24718  0.0  0.0 113848  3908 ?  S    14:10   0:00 /usr/bin/bash /usr/local/sbin/clamav-unofficial-sigs.sh
> clamilt  26222  0.0  0.0  88488   588 ?  Ssl  14:18   0:00 /usr/sbin/clamav-milter -c /etc/mail/clamav-milter.conf
> root 26227 99.6  0

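An added example, not from either thread: the timeout fix Reio quotes above (TimeoutSec=900 under [Service]) and the ExecStartPre mkdir/chown workaround for /var/run/clamav in the August 2020 message both edit a unit under /usr/lib/systemd/system, which the next package update replaces, and the journal lines above already warn that `.include` is deprecated in favour of drop-ins. The helper below writes persistent fragments instead: a drop-in for clamd@scan.service that sets `TimeoutStartSec=` (start only, whereas `TimeoutSec=` also lengthens the stop timeout), and a tmpfiles.d entry that recreates /run/clamav with the right owner at boot, which avoids relying on the unit's User= since this clamd runs as root and drops to clamav itself. The root prefix is a parameter so the files can be written to a scratch tree first; on the real host run it on `/` followed by `systemctl daemon-reload`. Unit instance name, file names, mode and values are assumptions.

```shell
#!/bin/sh
# Added example: persistent systemd fixes for the two problems in the
# threads, written as a drop-in and a tmpfiles.d fragment rather than by
# editing the packaged unit. Not from the thread; names and values assumed.

# Write CONTENT to ROOT/RELPATH, creating parent directories; print the path.
write_fragment() {
    root=$1; rel=$2; content=$3
    target="${root%/}/$rel"
    mkdir -p "$(dirname "$target")"
    printf '%s\n' "$content" > "$target"
    printf '%s\n' "$target"
}

# Drop-in raising only the start timeout of clamd@INSTANCE.service.
# TimeoutStartSec= rather than TimeoutSec= so the stop timeout stays default.
install_start_timeout() {
    root=$1; instance=$2; seconds=$3
    case $seconds in
        '' | *[!0-9]*) echo "seconds must be a non-negative integer" >&2; return 2 ;;
    esac
    write_fragment "$root" "etc/systemd/system/clamd@${instance}.service.d/timeout.conf" \
"[Service]
# Loading a large signature set can exceed the unit default; allow this long.
TimeoutStartSec=${seconds}"
}

# tmpfiles.d entry: /run/clamav is recreated at boot (and by
# 'systemd-tmpfiles --create') owned by the user clamd drops privileges to.
# 0755 so the milter (user clamilt) can reach a socket inside; tighten to
# 0710 only if every client runs in the owning group.
install_runtime_dir() {
    root=$1; owner=$2
    write_fragment "$root" "etc/tmpfiles.d/clamd.conf" \
"# Type Path        Mode User     Group    Age Argument
d     /run/clamav 0755 ${owner} ${owner} -   -"
}

# Value of KEY in a written fragment (simple KEY=VALUE lookup).
fragment_value() {
    sed -n "s/^$2=//p" "$1"
}

if [ "${1:-}" = "--apply" ]; then
    # Real run on this host (root required); then let systemd pick it up.
    install_start_timeout / scan 900
    install_runtime_dir / clamav
    systemctl daemon-reload
    systemd-tmpfiles --create /etc/tmpfiles.d/clamd.conf
fi
```

`systemctl cat clamd@scan.service` afterwards shows the packaged unit followed by the drop-in, which is the quickest way to confirm the override is the one in effect; a drop-in also survives `dnf update` where an edited /usr/lib unit does not.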
[clamav-users] clamd using 100% CPU in Fedora 30 with sendmail & clamav-milter, : Probe for slot 1 returned: failed

2019-07-30 Thread Robert Kudyba
rpm -qa clamav-milter
clamav-milter-0.101.2-2.fc30.x86_64
rpm -qa clamd
clamd-0.101.2-2.fc30.x86_64

See some logs and statuses below. clamd takes up all of the CPU. clamd does
appear to start based on the ps command but you can see the status shows not
running:

  PID USER      PR  NI    VIRT    RES    SHR S  %CPU  %MEM     TIME+ COMMAND
26618 root  20   0  214188 207576   7996 R  99.0   0.4   0:10.76 clamd

Tue Jul 30 14:30:17 2019 -> WARNING: No clamd server appears to be available
Tue Jul 30 14:31:16 2019 -> Failed to establish a connection to clamd
Tue Jul 30 14:31:16 2019 -> Probe for slot 1 returned: failed
Tue Jul 30 14:31:16 2019 -> WARNING: No clamd server appears to be available
Tue Jul 30 14:32:15 2019 -> Failed to establish a connection to clamd
Tue Jul 30 14:32:15 2019 -> Probe for slot 1 returned: failed
Tue Jul 30 14:32:15 2019 -> WARNING: No clamd server appears to be available

 ps -auwx|grep clam
clamav    2538  0.0  0.0  18348  3156 ?  Ss   Jul29   0:00 /usr/bin/freshclam -d -c 4
clamav   24692  0.0  0.0  19852 10044 ?  Ss   14:10   0:00 /usr/lib/systemd/systemd --user
clamav   24697  0.0  0.0 181296  5200 ?  S    14:10   0:00 (sd-pam)
clamav   24717  0.0  0.0 113064  3312 ?  Ss   14:10   0:00 /bin/sh -c [ -x /usr/local/sbin/clamav-unofficial-sigs.sh ] && /usr/bin/bash /usr/local/sbin/clamav-unofficial-sigs.sh > /dev/null
clamav   24718  0.0  0.0 113848  3908 ?  S    14:10   0:00 /usr/bin/bash /usr/local/sbin/clamav-unofficial-sigs.sh
clamilt  26222  0.0  0.0  88488   588 ?  Ssl  14:18   0:00 /usr/sbin/clamav-milter -c /etc/mail/clamav-milter.conf
root     26227 99.6  0.5 263348 251924 ?  Rs   14:18   0:20 /usr/sbin/clamd -c /etc/clamd.d/scan.conf
clamav   26360  1.8  0.0 126316 12992 ?  S    14:18   0:00 /usr/bin/wget --no-check-certificate --quiet --connect-timeout=60 --random-wait --tries=3 --timeout=180 --output-document=/var/lib/clamav-unofficial-sigs/dbs-si/securiteinfo.hdb https://www.securiteinfo.com/get/signatures/6651194e2baf9979742029c715d7dd90c94e25355ca57fdf22c81828f6fe7a3fc01bfbee6c9a20efa17559c52a04cc4aab1cbe6810596bb16afae8518a9400d1/securiteinfo.hdb

systemctl  status clamd@scan.service
* clamd@scan.service - Generic clamav scanner daemon
   Loaded: loaded (/usr/lib/systemd/system/clamd@scan.service; enabled;
vendor preset: disabled)
   Active: inactive (dead) since Mon 2019-07-29 13:24:11 EDT; 24h ago
 Docs: man:clamd(8)
   man:clamd.conf(5)
   https://www.clamav.net/documents/

Jul 29 13:24:09 ourdomain.edu systemd[1]:
/usr/lib/systemd/system/clamd@scan.service:1: .include directives are
deprecated, and support for them will be removed in a future version of
systemd. Please use drop-in files instead.
Jul 29 13:24:11 ourdomain.edu systemd[1]: clamd@scan.service: Control
process exited, code=killed, status=15/TERM
Jul 29 13:24:11 ourdomain.edu systemd[1]: clamd@scan.service: Succeeded.
Jul 29 13:24:11 ourdomain.edu systemd[1]: Stopped Generic clamav scanner
daemon.
Jul 30 04:53:06 ourdomain.edu systemd[1]:
/usr/lib/systemd/system/clamd@scan.service:1: .include directives are
deprecated, and support for them will be removed in a future version of
systemd. Please use drop-in files instead.
Jul 30 11:13:50 ourdomain.edu systemd[1]:
/usr/lib/systemd/system/clamd@scan.service:1: .include directives are
deprecated, and support for them will be removed in a future version of
systemd. Please use drop-in files instead.
Jul 30 11:19:10 ourdomain.edu systemd[1]:
/usr/lib/systemd/system/clamd@scan.service:1: .include directives are
deprecated, and support for them will be removed in a future version of
systemd. Please use drop-in files instead.
Jul 30 14:05:05 ourdomain.edu systemd[1]:
/usr/lib/systemd/system/clamd@scan.service:1: .include directives are
deprecated, and support for them will be removed in a future version of
systemd. Please use drop-in files instead.
Jul 30 14:05:07 ourdomain.edu systemd[1]:
/usr/lib/systemd/system/clamd@scan.service:1: .include directives are
deprecated, and support for them will be removed in a future version of
systemd. Please use drop-in files instead.
Jul 30 14:05:08 ourdomain.edu systemd[1]:
/usr/lib/systemd/system/clamd@scan.service:1: .include directives are
deprecated, and support for them will be removed in a future version of
systemd. Please use drop-in files instead.

systemctl status clamav-milter
* clamav-milter.service - Milter module for the Clam Antivirus scanner
   Loaded: loaded (/usr/lib/systemd/system/clamav-milter.service; enabled;
vendor preset: disabled)
   Active: active (running) since Mon 2019-07-29 13:23:46 EDT; 24h ago
 Main PID: 4350 (clamav-milter)
Tasks: 3 (limit: 4915)
   Memory: 2.6M
   CGroup: /system.slice/clamav-milter.service
   `-4350 /usr/sbin/clamav-milter -c /etc/mail/clamav-milter.conf

Jul 29 13:23:45 ourserver systemd[1]: Starting Milter module for the Clam
Antivirus scanner...
Jul 29 13:23:46  ourserver  systemd[1]: 

Re: [clamav-users] sendmail w clamav-milter stops errors with: write(D) returned -1, expected 23: Broken pipe, Fedora 29

2019-01-09 Thread Robert Kudyba
>
> sm-client.service: Failed to parse PID from file /run/sm-client.pid:
> Invalid argument
>
> I'm not too familiar with sendmail client, so I'll defer this to someone
> else more knowledgeable.
>

A bug that won't get fixed?
https://bugzilla.redhat.com/show_bug.cgi?id=748171

Anyways any idea why this error happens:
Milter (clamav-milter): write(D) returned -1, expected 23: Broken pipe
___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


[clamav-users] sendmail w clamav-milter stops errors with: write(D) returned -1, expected 23: Broken pipe, Fedora 29

2019-01-09 Thread Robert Kudyba
clamav-0.101.0-3.fc29.x86_64
clamd-0.101.0-3.fc29.x86_64
clamav-milter-0.101.0-3.fc29.x86_64
sendmail-8.15.2-29.fc29.x86_64
4.19.13-300.fc29.x86_64

Milter (clamav-milter): write(D) returned -1, expected 23: Broken pipe

Also seeing errors like:
clamd[25994]: LibClamAV Error: cli_get_filepath_from_filedesc: File path
for fd [10] is: /tmp/clamav-f71a825e6280ce33121e5fdc8578591a.tmp

and (probably unrelated)
sm-client.service: Failed to parse PID from file /run/sm-client.pid:
Invalid argument

The respective configs are:
clamav-milter.conf:
MilterSocket inet:
ClamdSocket tcp:127.0.0.1:3310

clamd.conf:
TCPSocket 3310
TCPAddr 127.0.0.1

sendmail.mc:
INPUT_MAIL_FILTER(`clamav-milter', `S=inet:@127.0.0.1, F=,
T=S:4m;R:4m')dnl

Any other logs or configs I can provide?


Re: [clamav-users] clamav-milter with sendmail on Fedora 28: init failed to open, to error state, initialization failed, temp failing commands

2018-07-30 Thread Robert Kudyba
> Jul 23 11:45:39 storm clamd[22351]: LibClamAV Error: yyerror():
>> /var/lib/clamav/packer.yar line 82 undefined identifier "pe"
>>
>
> remove yar rules
>

> clamav is unstable with yara, google it
>


Yes just found
https://github.com/extremeshok/clamav-unofficial-sigs/issues/203#issuecomment-400211109


> and systemd is not working with milter interfaces
>

Where is this documented or referenced?


Re: [clamav-users] clamav-milter with sendmail on Fedora 28: init failed to open, to error state, initialization failed, temp failing commands

2018-07-30 Thread Robert Kudyba
Any other suggestions on this? Still getting /var/log/clamav-milter.log:
Mon Jul 30 08:55:09 2018 -> Probe for slot 1 returned: success

So I'm pretty sure it's the setting in /etc/mail/sendmail.mc that needs
updating. Here's what we have:
INPUT_MAIL_FILTER(`clamav-milter',`S=local:/var/run/clamav-milter/clamav-milter.socket,F=T,T=S:4m;R:4m;E:10m')dnl

What's the difference between `clamav-milter' vs `clamav' in that line?


On Mon, Jul 23, 2018 at 11:51 AM, Robert Kudyba  wrote:

> However I still get these errors in sendmail:
>>> Milter: data, reject=451 4.3.2 Please try again later
>>>
>>
>> the syslog entry should give us more information.
>>
>
>
> Jul 23 11:45:33 storm systemd[1]: clamd@scan.service: Main process
> exited, code=killed, status=6/ABRT
> Jul 23 11:45:33 storm systemd[1]: clamd@scan.service: Failed with result
> 'signal'.
> Jul 23 11:45:33 storm systemd[1]: clamd@scan.service: Service hold-off
> time over, scheduling restart.
> Jul 23 11:45:33 storm systemd[1]: clamd@scan.service: Scheduled restart
> job, restart counter is at  4.
> Jul 23 11:45:33 storm systemd[1]: Stopped Generic clamav scanner daemon.
> Jul 23 11:45:33 storm systemd[1]: Starting Generic clamav scanner daemon...
> Jul 23 11:45:39 storm clamd[22351]: LibClamAV Error: yyerror():
> /var/lib/clamav/packer.yar line 82 undefined identifier "pe"
> [... snip]
> Jul 23 11:46:48 storm systemd-journald[623]: Suppressed 418 messages from
> clamd@scan.service
> Jul 23 11:46:48 storm clamd[22351]: LibClamAV Error: yyerror():
> /var/lib/clamav/maldoc_somerules.yar line 245 undefined identifier
> "uint32be"
> Jul 23 11:46:48 storm clamd[22351]: LibClamAV Warning: cli_loadyara:
> failed to parse or load 1 yara rules from file 
> /var/lib/clamav/maldoc_somerules.yar,
> successfully loaded 15 rules.
> Jul 23 11:46:55 storm systemd[1]: Started Generic clamav scanner daemon.
>
>
> The sendmail.mc ClamAV line looks like this:
>>> INPUT_MAIL_FILTER(`clamav-milter',`S=local:/var/run/clamav-milter/clamav-milter.socket,F=T,T=S:4m;R:4m;E:10m')dnl
>>>
>>
>> Some relevant results from clamconf:
>>>
>>> ClamdSocket = "unix:/var/run/clamd.scan/clamd.sock"
>>> MilterSocket = "/var/run/clamav-milter/clamav-milter.socket"
>>>
>>
>> note that both sendmail and clamav-milter need read/write access to the
>> socket as
>> long as read/execute access to the directory (to access the socket).
>>
>> I believe you mean "as well as"? Here are the permissions:
> drwx--x---  2 clamiltclamilt  60 Jul 17 15:49 clamav-milter
> drwx--x---  2 clamscan   clamscan 80 Jul 17 15:49 clamd.scan
>
> srw-r--r-- 1 clamilt virusgroup 0 Jul 17 15:49 clamav-milter.socket
>
> -rw-rw-r-- 1 clamscan clamscan 4 Jul 17 15:49 clamd.pid
> srw-rw-rw- 1 clamscan clamscan 0 Jul 17 15:49 clamd.sock
>
>


Re: [clamav-users] clamav-milter with sendmail on Fedora 28: init failed to open, to error state, initialization failed, temp failing commands

2018-07-23 Thread Robert Kudyba
>
> However I still get these errors in sendmail:
>> Milter: data, reject=451 4.3.2 Please try again later
>>
>
> the syslog entry should give us more information.
>


Jul 23 11:45:33 storm systemd[1]: clamd@scan.service: Main process exited,
code=killed, status=6/ABRT
Jul 23 11:45:33 storm systemd[1]: clamd@scan.service: Failed with result
'signal'.
Jul 23 11:45:33 storm systemd[1]: clamd@scan.service: Service hold-off time
over, scheduling restart.
Jul 23 11:45:33 storm systemd[1]: clamd@scan.service: Scheduled restart
job, restart counter is at 4.
Jul 23 11:45:33 storm systemd[1]: Stopped Generic clamav scanner daemon.
Jul 23 11:45:33 storm systemd[1]: Starting Generic clamav scanner daemon...
Jul 23 11:45:39 storm clamd[22351]: LibClamAV Error: yyerror():
/var/lib/clamav/packer.yar line 82 undefined identifier "pe"
[...]
Jul 23 11:46:48 storm systemd-journald[623]: Suppressed 418 messages from
clamd@scan.service
Jul 23 11:46:48 storm clamd[22351]: LibClamAV Error: yyerror():
/var/lib/clamav/maldoc_somerules.yar line 245 undefined identifier
"uint32be"
Jul 23 11:46:48 storm clamd[22351]: LibClamAV Warning: cli_loadyara: failed
to parse or load 1 yara rules from file
/var/lib/clamav/maldoc_somerules.yar, successfully loaded 15 rules.
Jul 23 11:46:55 storm systemd[1]: Started Generic clamav scanner daemon.


The sendmail.mc ClamAV line looks like this:
>> INPUT_MAIL_FILTER(`clamav-milter',`S=local:/var/run/clamav-milter/clamav-milter.socket,F=T,T=S:4m;R:4m;E:10m')dnl
>>
>
> Some relevant results from clamconf:
>>
>> ClamdSocket = "unix:/var/run/clamd.scan/clamd.sock"
>> MilterSocket = "/var/run/clamav-milter/clamav-milter.socket"
>>
>
> note that both sendmail and clamav-milter need read/write access to the
> socket as
> long as read/execute access to the directory (to access the socket).
>
> I believe you mean "as well as"? Here are the permissions:
drwx--x---  2 clamiltclamilt  60 Jul 17 15:49 clamav-milter
drwx--x---  2 clamscan   clamscan 80 Jul 17 15:49 clamd.scan

srw-r--r-- 1 clamilt virusgroup 0 Jul 17 15:49 clamav-milter.socket

-rw-rw-r-- 1 clamscan clamscan 4 Jul 17 15:49 clamd.pid
srw-rw-rw- 1 clamscan clamscan 0 Jul 17 15:49 clamd.sock
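The access rule stated in the reply above (read/write on the socket, execute on its directory, evaluated against the user's group memberships) can be checked mechanically from the `ls -l` and group listings posted in this thread. The script below is an added example, not part of the thread or of ClamAV; it assumes each user's primary group carries the user's own name and that root bypasses the mode bits.

```python
"""Evaluate who can reach a Unix socket from ls -l output and /etc/group lines.

Added example, not part of the mailing-list thread or of ClamAV itself.
The sample listings below are constructed from the ones posted in the thread.
"""
from typing import Dict, List, NamedTuple, Set


class Entry(NamedTuple):
    kind: str   # "d" directory, "s" socket, "-" regular file
    mode: str   # nine permission characters, e.g. "rwx--x---"
    owner: str
    group: str


def parse_ls(text: str, base: str) -> Dict[str, Entry]:
    """Parse `ls -l` lines into a path -> Entry map, prefixing names with base."""
    entries: Dict[str, Entry] = {}
    for line in text.strip().splitlines():
        mode, _links, owner, group, _size, _mon, _day, _time, name = line.split(None, 8)
        entries[f"{base}/{name}"] = Entry(mode[0], mode[1:10], owner, group)
    return entries


def parse_groups(text: str) -> Dict[str, List[str]]:
    """Parse /etc/group style lines into group -> [member, ...]."""
    groups: Dict[str, List[str]] = {}
    for line in text.strip().splitlines():
        name, _pw, _gid, members = line.split(":")
        groups[name] = [m for m in members.split(",") if m]
    return groups


def user_groups(user: str, groups: Dict[str, List[str]]) -> Set[str]:
    # Assumption: the primary group of each user has the user's own name
    # (clamscan, clamilt, clamupdate in the thread), plus supplementary groups.
    return {user} | {g for g, members in groups.items() if user in members}


def mode_bits(mode: str, who: str) -> Set[str]:
    """Permission set drawn from {"r", "w", "x"} for the owner/group/other triplet."""
    start = {"owner": 0, "group": 3, "other": 6}[who]
    r, w, x = mode[start:start + 3]
    bits: Set[str] = set()
    if r == "r":
        bits.add("r")
    if w == "w":
        bits.add("w")
    if x in "xst":   # lowercase s/t mean setuid/setgid/sticky together with execute
        bits.add("x")
    return bits


def effective_perms(user: str, entry: Entry, groups: Dict[str, List[str]]) -> Set[str]:
    """Classic Unix DAC: the first matching class (owner, then group, then other) decides."""
    if user == "root":   # assumption: root bypasses the mode bits (CAP_DAC_OVERRIDE)
        return {"r", "w", "x"}
    if user == entry.owner:
        return mode_bits(entry.mode, "owner")
    if entry.group in user_groups(user, groups):
        return mode_bits(entry.mode, "group")
    return mode_bits(entry.mode, "other")


def socket_problems(user: str, sock_path: str, entries: Dict[str, Entry],
                    groups: Dict[str, List[str]]) -> List[str]:
    """Reasons `user` cannot connect to sock_path: x on the directory, rw on the socket."""
    problems: List[str] = []
    parent = sock_path.rsplit("/", 1)[0]
    d = entries[parent]
    if "x" not in effective_perms(user, d, groups):
        problems.append(f"{user} cannot traverse {parent} ({d.mode} {d.owner}:{d.group})")
    s = entries[sock_path]
    if s.kind != "s":
        problems.append(f"{sock_path} is not a socket")
    missing = {"r", "w"} - effective_perms(user, s, groups)
    if missing:
        problems.append(f"{user} lacks {''.join(sorted(missing))} on {sock_path} "
                        f"({s.mode} {s.owner}:{s.group})")
    return problems


# Constructed sample input, taken from the listings in the thread.
ENTRIES: Dict[str, Entry] = {}
ENTRIES.update(parse_ls("""
drwx--x---  2 clamilt  clamilt  60 Jul 17 15:49 clamav-milter
drwx--x---  2 clamscan clamscan 80 Jul 17 15:49 clamd.scan
""", "/var/run"))
ENTRIES.update(parse_ls(
    "srw-r--r-- 1 clamilt virusgroup 0 Jul 17 15:49 clamav-milter.socket",
    "/var/run/clamav-milter"))
ENTRIES.update(parse_ls(
    "srw-rw-rw- 1 clamscan clamscan 0 Jul 17 15:49 clamd.sock",
    "/var/run/clamd.scan"))
GROUPS = parse_groups("""
clamilt:x:123:clamav,clamscan
clamav:x:124:clamscan,clamilt
clamupdate:x:125:
clamscan:x:126:clamilt,clamav
virusgroup:x:127:clamupdate,clamscan,clamilt
""")

if __name__ == "__main__":
    checks = [("clamilt", "/var/run/clamd.scan/clamd.sock"),          # milter -> clamd
              ("clamscan", "/var/run/clamav-milter/clamav-milter.socket")]  # a non-root client -> milter
    for user, path in checks:
        issues = socket_problems(user, path, ENTRIES, GROUPS)
        print(f"{user} -> {path}: {'ok' if not issues else '; '.join(issues)}")
```

Run it with the user the MTA actually connects as; in the sample data the milter socket is mode 644, so only its owner (or root) can write to it, which is the kind of mismatch the reply above points at.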


Re: [clamav-users] clamav-milter with sendmail on Fedora 28: init failed to open, to error state, initialization failed, temp failing commands

2018-07-17 Thread Robert Kudyba
An update, I got clamav-milter to run, from the clamav-milter logs:
Tue Jul 17 15:34:15 2018 -> +++ Started at Tue Jul 17 15:34:15 2018
Tue Jul 17 15:34:15 2018 -> Probe for slot 1 returned: success
Tue Jul 17 15:35:50 2018 -> +++ Started at Tue Jul 17 15:35:50 2018
Tue Jul 17 15:35:50 2018 -> Probe for slot 1 returned: success


ps -auwx | grep clam
clamupd+  2252  0.0  0.0  50740  3832 ?Ss   Jul11   0:45
/usr/bin/freshclam -d -c 4
clamscan 18943  0.0  4.6 1406760 1142296 ? Ssl  15:34   0:00
/usr/sbin/clamd -c /etc/clamd.d/scan.conf
root 19249  0.0  0.0 119104  3080 ?Ss   15:00   0:00 /bin/bash
/usr/share/clamav/freshclam-sleep
clamilt  20686  0.0  0.0 107312   524 ?Ssl  15:35   0:00
/usr/sbin/clamav-milter -c /etc/mail/clamav-milter.conf

However I still get these errors in sendmail:
Milter: data, reject=451 4.3.2 Please try again later

The sendmail.mc ClamAV line looks like this:
INPUT_MAIL_FILTER(`clamav-milter',`S=local:/var/run/clamav-milter/clamav-milter.socket,F=T,T=S:4m;R:4m;E:10m')dnl

Some relevant results from clamconf:

ClamdSocket = "unix:/var/run/clamd.scan/clamd.sock"
MilterSocket = "/var/run/clamav-milter/clamav-milter.socket"
MilterSocketGroup = "virusgroup"
[...]
LocalSocket = "/var/run/clamd.scan/clamd.sock"
LocalSocketGroup = "clamscan"
LocalSocketMode disabled
FixStaleSocket = "yes"
TCPSocket disabled
TCPAddr disabled





On Mon, Jul 16, 2018 at 12:27 PM, Micah Snyder (micasnyd) <
micas...@cisco.com> wrote:

> What are your current user/group ownership and permissions on:
>  /var/run/clamd.scan/clamd.sock ?
>
> Regards,
> Micah
>
>
> Micah Snyder
> ClamAV Development
> Talos
> Cisco Systems, Inc.
>
>
> On Jul 16, 2018, at 12:19 PM, Robert Kudyba  wrote:
>
> I set:
> MilterSocketGroup clamscan
> User clamscan
>
> Still getting the permission denied.
>
> Note the process:
> clamscan 30407  1.4  4.6 1406020 1150544 ? Ssl  10:57   1:08
> /usr/sbin/clamd -c /etc/clamd.d/scan.conf
>
> And I added most of the clamav-related users to the closely named groups:
> clamilt:x:123:clamav,clamscan
> clamav:x:124:clamscan,clamilt
> clamupdate:x:125:
> clamscan:x:126:clamilt,clamav
> virusgroup:x:127:clamupdate,clamscan,clamilt
>
>
> On Mon, Jul 16, 2018 at 11:50 AM, Micah Snyder (micasnyd) <
> micas...@cisco.com> wrote:
>
>> Hi Robert,
>>
>> clamav-milter is a separate process that interacts with clamd.  What user
>> are you running clamav-milter under?  It seems as though clamav-milter
>> doesn't have permission to access the clamd socket file to interact with
>> clamd.
>>
>> Regarding multiple socket options:
>>
>> You are correct in that the ClamdSocket option in the milter config file
>> may be used multiple times in case you have multiple clamd instances set
>> up.  However, each clamd instance will only listen on 1 socket, so you must
>> select either 1 TCP or 1 Unix/Local.
>>
>> Cheers,
>> Micah
>>
>> Micah Snyder
>> ClamAV Development
>> Talos
>> Cisco Systems, Inc.
>>
>>
>> On Jul 16, 2018, at 11:06 AM, Robert Kudyba  wrote:
>>
>> Thanks Micah, now getting a different error:
>> Jul 16 10:59:23 storm clamav-milter[32079]: ClamAV: Unable to remove
>> /var/run/clamd.scan/clamd.sock: Permission denied
>> Jul 16 10:59:23 storm clamav-milter[32079]: ERROR: Failed to create
>> socket /var/run/clamd.scan/clamd.sock
>> Jul 16 10:59:23 storm clamav-milter[32079]: ClamAV: Unable to create
>> listening socket on conn /var/run/clamd.scan/clamd.sock
>>
>> ls -l /var/run/clamd.scan/clamd.sock
>> srw-rw-rw- 1 clamscan clamscan 0 Jul 16 10:57
>> /var/run/clamd.scan/clamd.sock
>>
>> In the /etc/mail/clamav-milter.conf I have:
>> MilterSocket /var/run/clamd.scan/clamd.sock
>> ClamdSocket unix:/var/run/clamd.scan/clamd.sock
>>
>> Clamd is running, note as the user clamscan:
>> ps -auwx | grep clam
>> clamupd+  2252  0.0  0.0  50740  3832 ?Ss   Jul11   0:38
>> /usr/bin/freshclam -d -c 4
>> root 17462  0.0  0.0 119104  3264 ?Ss   09:00   0:00
>> /bin/bash /usr/share/clamav/freshclam-sleep
>> clamscan 30407  0.0  4.6 1406020 1141612 ? Ssl  10:57   0:00
>> /usr/sbin/clamd -c /etc/clamd.d/scan.conf
>>
>> The last few lines of /var/log/clamav-milter.log have:
>> Mon Jul 16 10:30:15 2018 -> Failed to establish a connection to clamd
>> Mon Jul 16 10:30:15 2018 -> Probe for slot 1 returned: failed
>> Mon Jul 16 10:30:15 2018 -> Failed to establish a connection to clamd
>> Mon Jul 16 10:30:15 2018 -> Probe for slot 2 returned: fai

Re: [clamav-users] clamav-milter with sendmail on Fedora 28: init failed to open, to error state, initialization failed, temp failing commands

2018-07-16 Thread Robert Kudyba
/var/run/clamd.scan/clamd.sock
srw-rw-rw- 1 clamscan clamscan 0 Jul 16 10:57 /var/run/clamd.scan/clamd.sock

On Mon, Jul 16, 2018, 12:27 PM Micah Snyder (micasnyd) 
wrote:

> What are your current user/group ownership and permissions on:
>  /var/run/clamd.scan/clamd.sock ?
>
> Regards,
> Micah
>
>
> Micah Snyder
> ClamAV Development
> Talos
> Cisco Systems, Inc.
>
>
> On Jul 16, 2018, at 12:19 PM, Robert Kudyba  wrote:
>
> I set:
> MilterSocketGroup clamscan
> User clamscan
>
> Still getting the permission denied.
>
> Note the process:
> clamscan 30407  1.4  4.6 1406020 1150544 ? Ssl  10:57   1:08
> /usr/sbin/clamd -c /etc/clamd.d/scan.conf
>
> And I added most of the clamav-related users to the closely named groups:
> clamilt:x:123:clamav,clamscan
> clamav:x:124:clamscan,clamilt
> clamupdate:x:125:
> clamscan:x:126:clamilt,clamav
> virusgroup:x:127:clamupdate,clamscan,clamilt
>
>
> On Mon, Jul 16, 2018 at 11:50 AM, Micah Snyder (micasnyd) <
> micas...@cisco.com> wrote:
>
>> Hi Robert,
>>
>> clamav-milter is a separate process that interacts with clamd.  What user
>> are you running clamav-milter under?  It seems as though clamav-milter
>> doesn't have permission to access the clamd socket file to interact with
>> clamd.
>>
>> Regarding multiple socket options:
>>
>> You are correct in that the ClamdSocket option in the milter config file
>> may be used multiple times in case you have multiple clamd instances set
>> up.  However, each clamd instance will only listen on 1 socket, so you must
>> select either 1 TCP or 1 Unix/Local.
>>
>> Cheers,
>> Micah
>>
>> Micah Snyder
>> ClamAV Development
>> Talos
>> Cisco Systems, Inc.
>>
>>
>> On Jul 16, 2018, at 11:06 AM, Robert Kudyba  wrote:
>>
>> Thanks Micah, now getting a different error:
>> Jul 16 10:59:23 storm clamav-milter[32079]: ClamAV: Unable to remove
>> /var/run/clamd.scan/clamd.sock: Permission denied
>> Jul 16 10:59:23 storm clamav-milter[32079]: ERROR: Failed to create
>> socket /var/run/clamd.scan/clamd.sock
>> Jul 16 10:59:23 storm clamav-milter[32079]: ClamAV: Unable to create
>> listening socket on conn /var/run/clamd.scan/clamd.sock
>>
>> ls -l /var/run/clamd.scan/clamd.sock
>> srw-rw-rw- 1 clamscan clamscan 0 Jul 16 10:57
>> /var/run/clamd.scan/clamd.sock
>>
>> In the /etc/mail/clamav-milter.conf I have:
>> MilterSocket /var/run/clamd.scan/clamd.sock
>> ClamdSocket unix:/var/run/clamd.scan/clamd.sock
>>
>> Clamd is running, note as the user clamscan:
>> ps -auwx | grep clam
>> clamupd+  2252  0.0  0.0  50740  3832 ?Ss   Jul11   0:38
>> /usr/bin/freshclam -d -c 4
>> root 17462  0.0  0.0 119104  3264 ?Ss   09:00   0:00
>> /bin/bash /usr/share/clamav/freshclam-sleep
>> clamscan 30407  0.0  4.6 1406020 1141612 ? Ssl  10:57   0:00
>> /usr/sbin/clamd -c /etc/clamd.d/scan.conf
>>
>> The last few lines of /var/log/clamav-milter.log have:
>> Mon Jul 16 10:30:15 2018 -> Failed to establish a connection to clamd
>> Mon Jul 16 10:30:15 2018 -> Probe for slot 1 returned: failed
>> Mon Jul 16 10:30:15 2018 -> Failed to establish a connection to clamd
>> Mon Jul 16 10:30:15 2018 -> Probe for slot 2 returned: failed
>> Mon Jul 16 10:30:15 2018 -> Probe for slot 3 returned: success
>>
>> You wrote: "You should use only 1 ( TCP _or_ Unix/Local ) socket for
>> clamd"
>> But in the clamav-milter.conf it says:
>> # This option can be repeated several times with different sockets or even
>> # with the same socket: clamd servers will be selected in a round-robin
>> # fashion.
>>
>> Anyways, seems to be a permission problem. Is clamav-milter trying to
>> restart clamd based on the logs above??
>>
>> On Fri, Jul 13, 2018 at 9:06 AM, Micah Snyder (micasnyd) <
>> micas...@cisco.com> wrote:
>>
>>> It looks to me like you have 2 types of sockets set up in your milter
>>> config, and only 1 type of socket set up in your clamd config:
>>>
>>>
>>> ClamdSocket tcp:localhost:3310
>>> ClamdSocket unix:/var/run/clamd.scan/clamd.sock
>>>
>>> Lines in /etc/clamd.d/scan.conf
>>>
>>> TCPSocket 3310
>>> TCPAddr 127.0.0.1
>>>
>>> You should use only 1 ( TCP _or_ Unix/Local ) socket for clamd.  We
>>> recommend using Unix/Local sockets.
>>>
>>>
>>> Micah Snyder
>>> ClamAV Development
>>> Talos
>>> Cisco Systems, Inc

Re: [clamav-users] clamav-milter with sendmail on Fedora 28: init failed to open, to error state, initialization failed, temp failing commands

2018-07-16 Thread Robert Kudyba
I set:
MilterSocketGroup clamscan
User clamscan

Still getting the permission denied.

Note the process:
clamscan 30407  1.4  4.6 1406020 1150544 ? Ssl  10:57   1:08
/usr/sbin/clamd -c /etc/clamd.d/scan.conf

And I added most of the clamav-related users to the closely named groups:
clamilt:x:123:clamav,clamscan
clamav:x:124:clamscan,clamilt
clamupdate:x:125:
clamscan:x:126:clamilt,clamav
virusgroup:x:127:clamupdate,clamscan,clamilt


On Mon, Jul 16, 2018 at 11:50 AM, Micah Snyder (micasnyd) <
micas...@cisco.com> wrote:

> Hi Robert,
>
> clamav-milter is a separate process that interacts with clamd.  What user
> are you running clamav-milter under?  It seems as though clamav-milter
> doesn't have permission to access the clamd socket file to interact with
> clamd.
>
> Regarding multiple socket options:
>
> You are correct in that the ClamdSocket option in the milter config file
> may be used multiple times in case you have multiple clamd instances set
> up.  However, each clamd instance will only listen on 1 socket, so you must
> select either 1 TCP or 1 Unix/Local.
>
> Cheers,
> Micah
>
> Micah Snyder
> ClamAV Development
> Talos
> Cisco Systems, Inc.
>
>
> On Jul 16, 2018, at 11:06 AM, Robert Kudyba  wrote:
>
> Thanks Micah, now getting a different error:
> Jul 16 10:59:23 storm clamav-milter[32079]: ClamAV: Unable to remove
> /var/run/clamd.scan/clamd.sock: Permission denied
> Jul 16 10:59:23 storm clamav-milter[32079]: ERROR: Failed to create socket
> /var/run/clamd.scan/clamd.sock
> Jul 16 10:59:23 storm clamav-milter[32079]: ClamAV: Unable to create
> listening socket on conn /var/run/clamd.scan/clamd.sock
>
> ls -l /var/run/clamd.scan/clamd.sock
> srw-rw-rw- 1 clamscan clamscan 0 Jul 16 10:57
> /var/run/clamd.scan/clamd.sock
>
> In the /etc/mail/clamav-milter.conf I have:
> MilterSocket /var/run/clamd.scan/clamd.sock
> ClamdSocket unix:/var/run/clamd.scan/clamd.sock
>
> Clamd is running, note as the user clamscan:
> ps -auwx | grep clam
> clamupd+  2252  0.0  0.0  50740  3832 ?Ss   Jul11   0:38
> /usr/bin/freshclam -d -c 4
> root 17462  0.0  0.0 119104  3264 ?Ss   09:00   0:00 /bin/bash
> /usr/share/clamav/freshclam-sleep
> clamscan 30407  0.0  4.6 1406020 1141612 ? Ssl  10:57   0:00
> /usr/sbin/clamd -c /etc/clamd.d/scan.conf
>
> The last few lines of /var/log/clamav-milter.log have:
> Mon Jul 16 10:30:15 2018 -> Failed to establish a connection to clamd
> Mon Jul 16 10:30:15 2018 -> Probe for slot 1 returned: failed
> Mon Jul 16 10:30:15 2018 -> Failed to establish a connection to clamd
> Mon Jul 16 10:30:15 2018 -> Probe for slot 2 returned: failed
> Mon Jul 16 10:30:15 2018 -> Probe for slot 3 returned: success
>
> You wrote: "You should use only 1 ( TCP _or_ Unix/Local ) socket for clamd"
> But in the clamav-milter.conf it says:
> # This option can be repeated several times with different sockets or even
> # with the same socket: clamd servers will be selected in a round-robin
> # fashion.
>
> Anyways, seems to be a permission problem. Is clamav-milter trying to
> restart clamd based on the logs above??
>
> On Fri, Jul 13, 2018 at 9:06 AM, Micah Snyder (micasnyd) <
> micas...@cisco.com> wrote:
>
>> It looks to me like you have 2 types of sockets set up in your milter
>> config, and only 1 type of socket set up in your clamd config:
>>
>>
>> ClamdSocket tcp:localhost:3310
>> ClamdSocket unix:/var/run/clamd.scan/clamd.sock
>>
>> Lines in /etc/clamd.d/scan.conf
>>
>> TCPSocket 3310
>> TCPAddr 127.0.0.1
>>
>> You should use only 1 ( TCP _or_ Unix/Local ) socket for clamd.  We
>> recommend using Unix/Local sockets.
>>
>>
>> Micah Snyder
>> ClamAV Development
>> Talos
>> Cisco Systems, Inc.
>>
>>
>> On Jul 10, 2018, at 5:12 PM, Robert Kudyba  wrote:
>>
>>
>> ClamdSocket tcp:localhost:3310
>> ClamdSocket unix:/var/run/clamd.scan/clamd.sock
>>
>> Lines in /etc/clamd.d/scan.conf
>>
>> TCPSocket 3310
>> TCPAddr 127.0.0.1
>>
>>
>>

Re: [clamav-users] clamav-milter with sendmail on Fedora 28: init failed to open, to error state, initialization failed, temp failing commands

2018-07-16 Thread Robert Kudyba
Thanks Micah, now getting a different error:
Jul 16 10:59:23 storm clamav-milter[32079]: ClamAV: Unable to remove
/var/run/clamd.scan/clamd.sock: Permission denied
Jul 16 10:59:23 storm clamav-milter[32079]: ERROR: Failed to create socket
/var/run/clamd.scan/clamd.sock
Jul 16 10:59:23 storm clamav-milter[32079]: ClamAV: Unable to create
listening socket on conn /var/run/clamd.scan/clamd.sock

ls -l /var/run/clamd.scan/clamd.sock
srw-rw-rw- 1 clamscan clamscan 0 Jul 16 10:57 /var/run/clamd.scan/clamd.sock

In the /etc/mail/clamav-milter.conf I have:
MilterSocket /var/run/clamd.scan/clamd.sock
ClamdSocket unix:/var/run/clamd.scan/clamd.sock

Clamd is running, note as the user clamscan:
ps -auwx | grep clam
clamupd+  2252  0.0  0.0  50740  3832 ?Ss   Jul11   0:38
/usr/bin/freshclam -d -c 4
root 17462  0.0  0.0 119104  3264 ?Ss   09:00   0:00 /bin/bash
/usr/share/clamav/freshclam-sleep
clamscan 30407  0.0  4.6 1406020 1141612 ? Ssl  10:57   0:00
/usr/sbin/clamd -c /etc/clamd.d/scan.conf

The last few lines of /var/log/clamav-milter.log have:
Mon Jul 16 10:30:15 2018 -> Failed to establish a connection to clamd
Mon Jul 16 10:30:15 2018 -> Probe for slot 1 returned: failed
Mon Jul 16 10:30:15 2018 -> Failed to establish a connection to clamd
Mon Jul 16 10:30:15 2018 -> Probe for slot 2 returned: failed
Mon Jul 16 10:30:15 2018 -> Probe for slot 3 returned: success

You wrote: "You should use only 1 ( TCP _or_ Unix/Local ) socket for clamd"
But in the clamav-milter.conf it says:
# This option can be repeated several times with different sockets or even
# with the same socket: clamd servers will be selected in a round-robin
# fashion.

Anyways, seems to be a permission problem. Is clamav-milter trying to
restart clamd based on the logs above??

On Fri, Jul 13, 2018 at 9:06 AM, Micah Snyder (micasnyd)  wrote:

> It looks to me like you have 2 types of sockets set up in your milter
> config, and only 1 type of socket set up in your clamd config:
>
>
> ClamdSocket tcp:localhost:3310
> ClamdSocket unix:/var/run/clamd.scan/clamd.sock
>
> Lines in /etc/clamd.d/scan.conf
>
> TCPSocket 3310
> TCPAddr 127.0.0.1
>
> You should use only 1 ( TCP _or_ Unix/Local ) socket for clamd.  We
> recommend using Unix/Local sockets.
>
>
> Micah Snyder
> ClamAV Development
> Talos
> Cisco Systems, Inc.
>
>
> On Jul 10, 2018, at 5:12 PM, Robert Kudyba  wrote:
>
>
> ClamdSocket tcp:localhost:3310
> ClamdSocket unix:/var/run/clamd.scan/clamd.sock
>
> Lines in /etc/clamd.d/scan.conf
>
> TCPSocket 3310
> TCPAddr 127.0.0.1
>
>
>


Re: [clamav-users] clamav-milter with sendmail on Fedora 28: init failed to open, to error state, initialization failed, temp failing commands

2018-07-12 Thread Robert Kudyba
Well I changed sendmail.mc to:
INPUT_MAIL_FILTER(`clamav-milter',`S=local:/var/run/clamav-milter/clamav-milter.socket,F=, T=S:4m;R:4m')dnl

But now in clamav-milter.log I see these errors:
Thu Jul 12 13:46:40 2018 -> Probe for slot 1 returned: success
Thu Jul 12 13:46:40 2018 -> Probe for slot 2 returned: success
Thu Jul 12 13:47:08 2018 -> ERROR: Connection closed while reading from
socket
Thu Jul 12 13:47:08 2018 -> ERROR: No reply from clamd
Thu Jul 12 13:47:18 2018 -> connect failed: Connection refused
Thu Jul 12 13:47:18 2018 -> ERROR: Failed to initiate streaming/fdpassing

But:
 ps -auwx | grep clam
clamupd+  2252  0.0  0.0  50680  4240 ?Ss   Jul11   0:07
/usr/bin/freshclam -d -c 4
clamilt   2831  0.0  0.0 250512  1132 ?Ssl  13:42   0:00
/usr/sbin/clamav-milter -c /etc/mail/clamav-milter.conf
clamscan  6704  0.0  4.6 1406420 1141724 ? Ssl  13:49   0:00
/usr/sbin/clamd -c /etc/clamd.d/scan.conf
root 22999  0.0  0.0 119104  3216 ?Ss   12:00   0:00 /bin/bash
/usr/share/clamav/freshclam-sleep

And:
systemctl status clamav-milter
* clamav-milter.service - Milter module for the Clam Antivirus scanner
   Loaded: loaded (/usr/lib/systemd/system/clamav-milter.service; enabled;
vendor preset: disabled)
   Active: active (running) since Thu 2018-07-12 13:42:02 EDT; 8min ago
  Process: 2830 ExecStart=/usr/sbin/clamav-milter -c
/etc/mail/clamav-milter.conf (code=exited, status=0/SUCCESS)
 Main PID: 2831 (clamav-milter)
Tasks: 3 (limit: 4915)
   Memory: 1.9M
   CGroup: /system.slice/clamav-milter.service
   `-2831 /usr/sbin/clamav-milter -c /etc/mail/clamav-milter.conf

Jul 12 13:42:02  systemd[1]: Starting Milter module for the Clam Antivirus
scanner...
Jul 12 13:42:02  systemd[1]: Started Milter module for the Clam Antivirus
scanner.

As well as:
systemctl status clamd@scan
* clamd@scan.service - Generic clamav scanner daemon
   Loaded: loaded (/usr/lib/systemd/system/clamd@scan.service; enabled;
vendor preset: disabled)
   Active: active (running) since Thu 2018-07-12 13:49:38 EDT; 40s ago
  Process: 5816 ExecStart=/usr/sbin/clamd -c /etc/clamd.d/scan.conf
(code=exited, status=0/SUCCESS)
 Main PID: 6704 (clamd)
Tasks: 2 (limit: 4915)
   Memory: 1.0G
   CGroup: /system.slice/system-clamd.slice/clamd@scan.service
   `-6704 /usr/sbin/clamd -c /etc/clamd.d/scan.conf

Jul 12 13:48:31  clamd[5816]: LibClamAV Error: yyerror():
/var/lib/clamav/packer.yar line 14217 undefined identifier "pe"
Jul 12 13:48:31  clamd[5816]: LibClamAV Error: yyerror():
/var/lib/clamav/packer.yar line 14241 undefined identifier "pe"
Jul 12 13:48:31  clamd[5816]: LibClamAV Error: yyerror():
/var/lib/clamav/packer.yar line 14253 undefined identifier "pe"
Jul 12 13:48:31  clamd[5816]: LibClamAV Error: yyerror():
/var/lib/clamav/packer.yar line 14265 undefined identifier "pe"
Jul 12 13:48:31  clamd[5816]: LibClamAV Error: yyerror():
/var/lib/clamav/packer.yar line 14277 undefined identifier "pe"
Jul 12 13:48:31  clamd[5816]: LibClamAV Error: yyerror():
/var/lib/clamav/packer.yar line 14290 undefined identifier "pe"
Jul 12 13:49:32  systemd-journald[623]: Suppressed 420 messages from
clamd@scan.service
Jul 12 13:49:32  clamd[5816]: LibClamAV Error: yyerror():
/var/lib/clamav/maldoc_somerules.yar line 245 undefined identifier
"uint32be"
Jul 12 13:49:32  clamd[5816]: LibClamAV Warning: cli_loadyara: failed to
parse or load 1 yara rules from file /var/lib/clamav/maldoc_somerule>
Jul 12 13:49:38 [1]: Started Generic clamav scanner daemon.


What else can I check?

On Tue, Jul 10, 2018 at 7:24 PM, Kees Theunissen 
wrote:

> On Tue, 10 Jul 2018, Robert Kudyba wrote:
>
> >Hello hive,
> >
> >Running:
> >clamav-0.100.0-2.fc28.x86_64
> >
> >clamd, freshclam and clamav-milter all up and running:
> >ps -auwx | grep clam
> >clamupd+ 20336  0.0  0.0  50672  4016 ?Ss   Jun29   1:15
> >/usr/bin/freshclam -d -c 4
> >clamav   23713  0.0  0.0 176780  1160 ?Ssl  13:23   0:00
> >/usr/sbin/clamav-milter -c /etc/mail/clamav-milter.conf
> >clamscan 25458  0.0  4.6 1405848 1142996 ? Ssl  13:27   0:00
> >/usr/sbin/clamd -c /etc/clamd.d/scan.conf
> >root 25593  0.0  0.0   9156  1084 pts/1S+   17:02   0:00 grep
> >--color=auto clam
> >
> >However it fails with sendmail with these errors:
> >Jul 10 17:03:45 storm sendmail[26273]: w6AL3j2R026273:
> >milter_sys_read(clamav): cmd read returned 11, expecting 1431194445
> >Jul 10 17:03:45 storm sendmail[26273]: w6AL3j2R026273: Milter (clamav): to
> >error state
> >Jul 10 17:03:45 storm sendmail[26273]: w6AL3j2R026273: Milter (clamav):
> >init failed to open
> >Jul 10 17:03:45 storm sendmail[26273]: w6AL3j2R026273: Milter (clamav): to
> >error state
> >Jul 10 17:03:45 storm sendmail[26273]: w6AL

[clamav-users] clamav-milter with sendmail on Fedora 28: init failed to open, to error state, initialization failed, temp failing commands

2018-07-10 Thread Robert Kudyba
Hello hive,

Running:
clamav-0.100.0-2.fc28.x86_64

clamd, freshclam and clamav-milter all up and running:
ps -auwx | grep clam
clamupd+ 20336  0.0  0.0  50672  4016 ?Ss   Jun29   1:15
/usr/bin/freshclam -d -c 4
clamav   23713  0.0  0.0 176780  1160 ?Ssl  13:23   0:00
/usr/sbin/clamav-milter -c /etc/mail/clamav-milter.conf
clamscan 25458  0.0  4.6 1405848 1142996 ? Ssl  13:27   0:00
/usr/sbin/clamd -c /etc/clamd.d/scan.conf
root 25593  0.0  0.0   9156  1084 pts/1S+   17:02   0:00 grep
--color=auto clam

However it fails with sendmail with these errors:
Jul 10 17:03:45 storm sendmail[26273]: w6AL3j2R026273:
milter_sys_read(clamav): cmd read returned 11, expecting 1431194445
Jul 10 17:03:45 storm sendmail[26273]: w6AL3j2R026273: Milter (clamav): to
error state
Jul 10 17:03:45 storm sendmail[26273]: w6AL3j2R026273: Milter (clamav):
init failed to open
Jul 10 17:03:45 storm sendmail[26273]: w6AL3j2R026273: Milter (clamav): to
error state
Jul 10 17:03:45 storm sendmail[26273]: w6AL3j2R026273: Milter:
initialization failed, temp failing commands

Here's the relevant line in sendmail.mc:
INPUT_MAIL_FILTER(`clamav', `S=local:/var/run/clamd.scan/clamd.sock,
F=T,T=S:4m;R:4m;E:10m')dnl

Lines in /etc/mail/clamav-milter.conf
MilterSocket /var/run/clamav-milter/clamav-milter.socket
MilterSocket inet:7357
ClamdSocket tcp:localhost:3310
ClamdSocket unix:/var/run/clamd.scan/clamd.sock

Lines in /etc/clamd.d/scan.conf

TCPSocket 3310
TCPAddr 127.0.0.1

Everything I've read says that as long as ClamdSocket in the
clamav-milter.conf and INPUT_MAIL_FILTER in sendmail.mc match it should
work.

Is my syntax wrong some where?
___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
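The wiring described in this post can be checked mechanically: sendmail's `INPUT_MAIL_FILTER` `S=` socket has to be one the milter listens on (`MilterSocket`), while `ClamdSocket` is the milter's own outbound link to clamd. The following Python check is an added example, not code from the thread or from the ClamAV project; it parses constructed copies of the two snippets quoted above and reports which case each filter falls into, with the socket-spelling normalisation and the result labels being my own assumptions.

```python
import re
# Constructed samples mirroring the sendmail.mc and clamav-milter.conf lines quoted in the post.
SENDMAIL_MC = """INPUT_MAIL_FILTER(`clamav', `S=local:/var/run/clamd.scan/clamd.sock,
F=T,T=S:4m;R:4m;E:10m')dnl"""
MILTER_CONF = """MilterSocket /var/run/clamav-milter/clamav-milter.socket
MilterSocket inet:7357
ClamdSocket tcp:localhost:3310
ClamdSocket unix:/var/run/clamd.scan/clamd.sock"""
FILTER_RE = re.compile(r"INPUT_MAIL_FILTER\(`([^']*)',\s*`([^']*)'\)")

def normalize(spec):
    # unix/local path -> ('unix', path); inet:port[@host] or tcp:host:port -> ('inet', port, host)
    spec = spec.strip()
    scheme, sep, rest = spec.partition(':')
    if not sep or spec.startswith('/'):           # bare path, as in MilterSocket above
        scheme, rest = 'unix', spec
    scheme = scheme.lower()
    if scheme in ('unix', 'local'):
        return ('unix', rest)
    if scheme == 'inet':                          # port[@host]; empty host = any interface
        port, _, host = rest.partition('@')
    elif scheme == 'tcp':                         # clamav-milter's ClamdSocket host:port form
        host, _, port = rest.rpartition(':')
    else:
        raise ValueError('unknown socket spec: ' + spec)
    return ('inet', int(port), host)

def sockets_match(a, b):
    # unix: same path; inet: same port and same host, or either side bound to any host
    return a[0] == b[0] and a[1] == b[1] and (a[0] == 'unix' or a[2] == b[2] or '' in (a[2], b[2]))

def conf_sockets(text, key):
    return [normalize(p[1]) for p in (ln.split(None, 1) for ln in text.splitlines())
            if len(p) == 2 and p[0] == key]

def classify(target, listen, clamd):
    if any(sockets_match(target, c) for c in clamd):
        return 'points-at-clamd'                  # sendmail would speak milter protocol to clamd
    if any(sockets_match(target, m) for m in listen):
        return 'ok'
    return 'no-matching-milter-socket'

def check_milter_wiring(sendmail_mc, milter_conf):
    # S= in INPUT_MAIL_FILTER must be a socket the milter listens on (MilterSocket);
    # ClamdSocket is the milter's outbound link to clamd, not an endpoint for sendmail.
    listen, clamd = (conf_sockets(milter_conf, k) for k in ('MilterSocket', 'ClamdSocket'))
    report = {}
    for name, args in FILTER_RE.findall(sendmail_mc):
        socks = [p[2:] for p in map(str.strip, args.split(',')) if p.startswith('S=')]
        report[name] = classify(normalize(socks[0]), listen, clamd) if socks else 'no-socket'
    return report
```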


[Clamav-users] error on make in OS X/Jaguar clamav-0.70-rc

2004-03-30 Thread Robert Kudyba
Any idea how to fix this? Happens on a make...

ld: table of contents for archive: /usr/lib/libbz2.a is out of date; 
rerun ranlib(1) (can't load from it)
make[2]: *** [clamscan] Error 1
make[1]: *** [all-recursive] Error 1
make: *** [all] Error 2

___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users