Re: [clamav-users] URGENT: Clamd is wedged on multiple installations

2018-01-26 Thread maxal
is nobody from clamav/cisco reading this list? as the impact is heavy and
probably worldwide - anyone with personal contacts or any other channel
to reach someone there? contact info on clamav.net is only referring to
mailing lists and not very useful

On Fri, 2018-01-26 at 12:07 +0100, Marco wrote:
> On 26/01/2018 10:39, Ralf Hildebrandt wrote:
> 
> > clamd is leaking file descriptors for temporary files - ls
> > /proc/`pidof clamd`/fd shows a lot of:
> > 
> > lrwx-- 1 root root 64 Jan 26 10:38 993 -> /tmp/clamav-736a3d0d2a944a0a79d465671fb754d5.tmp (deleted)
> > lrwx-- 1 root root 64 Jan 26 10:38 994 -> /tmp/clamav-59b5548fe87bc9a454486cbe37d5c89b.tmp (deleted)
> > lrwx-- 1 root root 64 Jan 26 10:38 995 -> /tmp/clamav-0e2983c3f35c37d833ea37c2867a0aba.tmp (deleted)
> > ...
> 
> I think that Clamav now knows this very big problem... Anyway these
> are other logs I see (0.99.2 version on RH EL7):
> 
> 2018-01-26T03:41:29.246852+01:00  clamd[18086]: LibClamAV Error: cli_gentempfd: Can't create temporary file /tmp/clamav-f553aa378e37664837deb720f2ce10f6.tmp/clamav-ef95d457b05dc585eb4bc09d3fc83edc.tmp: Too many open files
> 
> 2018-01-26T03:41:29.247296+01:00  clamd[18086]: LibClamAV Warning: fileblobScan, fullname == NULL
> 
> 2018-01-26T03:41:29.247458+01:00  clamd[18086]: LibClamAV Error: fileblobDestroy: mixedtextportion not saved: report to http://bugs.clamav.net
> 
> 
> Regards
> Marco
> ___
> clamav-users mailing list
> clamav-users@lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
> 
> 
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
> 
> http://www.clamav.net/contact.html#ml
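As an added example (not code from any of the posts), a shell check for the file-descriptor leak that Ralf's listing and Marco's "Too many open files" error show: it counts a clamd process's descriptors that still point at unlinked /tmp/clamav-*.tmp files and compares that with the process's open-file limit, so a monitor can raise an alert before clamd wedges. It assumes Linux /proc and pidof; the sample listing reuses the temp-file names Ralf posted plus two constructed non-leak entries.

```shell
#!/bin/sh
# Added example, not code from the list: count clamd descriptors that still
# reference unlinked /tmp/clamav-*.tmp files (the leak Ralf and Marco saw)
# and compare the count with the soft open-file limit of the process.

# Count leaked ClamAV temp files in `ls -l /proc/<pid>/fd` output read on stdin.
count_leaked_clamav_fds() {
    # grep -c prints 0 and exits 1 when nothing matches; keep the 0.
    grep -c -E -- '-> /tmp/clamav-[0-9a-f]+\.tmp \(deleted\)$' || true
}

# Soft "Max open files" limit of a pid, read from /proc/<pid>/limits.
nofile_soft_limit() {
    awk '/^Max open files/ { print $4 }' "/proc/$1/limits"
}

# Exit 0 while leaked fds stay below pct% of the limit, 1 once they reach it.
fd_leak_status() {
    leaked=$1; limit=$2; pct=$3
    [ $((leaked * 100)) -lt $((limit * pct)) ]
}

# Check the running clamd; usage: check_clamd_fd_leak [warn_pct]  (default 80)
check_clamd_fd_leak() {
    pct=${1:-80}
    pid=$(pidof clamd) || { echo "clamd is not running"; return 2; }
    pid=${pid%% *}                       # first pid if several were found
    leaked=$(ls -l "/proc/$pid/fd" | count_leaked_clamav_fds)
    limit=$(nofile_soft_limit "$pid")
    if fd_leak_status "$leaked" "$limit" "$pct"; then
        echo "clamd[$pid]: $leaked leaked temp fds of $limit allowed (ok)"
    else
        echo "clamd[$pid]: $leaked leaked temp fds of $limit allowed, over ${pct}% (LEAK)"
        return 1
    fi
}

# Constructed sample in the shape of Ralf's listing: his three leaked entries
# plus a socket and a database file that must not be counted.
SAMPLE_FD_LISTING='lrwx------ 1 root root 64 Jan 26 10:38 3 -> socket:[12345]
lrwx------ 1 root root 64 Jan 26 10:38 993 -> /tmp/clamav-736a3d0d2a944a0a79d465671fb754d5.tmp (deleted)
lrwx------ 1 root root 64 Jan 26 10:38 994 -> /tmp/clamav-59b5548fe87bc9a454486cbe37d5c89b.tmp (deleted)
lrwx------ 1 root root 64 Jan 26 10:38 995 -> /tmp/clamav-0e2983c3f35c37d833ea37c2867a0aba.tmp (deleted)
lr-x------ 1 root root 64 Jan 26 10:38 996 -> /var/lib/clamav/daily.cld'

# Offline demonstration on the sample; on a live host run: check_clamd_fd_leak
printf '%s\n' "$SAMPLE_FD_LISTING" | count_leaked_clamav_fds   # prints 3
```

Run check_clamd_fd_leak from cron or a monitoring agent; a non-zero exit means the leak has already eaten most of the descriptor budget and clamd should be restarted before it stops accepting connections.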


Re: [clamav-users] Anyone notice any issues with clamav 0.99.2 and recent patterns?

2018-01-26 Thread maxal
On Fri, 2018-01-26 at 08:11 +0100, lukn wrote:
> Same on a machine with clamav-milter:
> 
> clamav-milter[8241]: Failed to initiate streaming/fdpassing
> clamav-milter[8241]: Unknown reply from clamd
> clamd[11895]: instream(127.0.0.1@49958): Can't open file or directory
> ERROR
> clamav-milter[8241]: send failed: Broken pipe
> clamav-milter[8241]: Streaming failed
> clamd[11895]: accept() failed:
> 
> I suspect a toxic signature keeps killing clamd

as a side-effect of the issue clamd keeps filling up /tmp/ with clamav-x.tmp
and an empty 'rfc2397' folder, and so runs out of file descriptors.

> 
> 
> 
> On 26.01.2018 07:47, lukn wrote:
> > Good morning list
> > 
> > same here, since about 4am CET we see permanent crashes of clamd.
> > Process indeed disappears, but logging is minimal. All I see is:
> > 
> > clamd[25989]: instream(127.0.0.1@58142): Can't open file or directory ERROR
> > clamd[25989]: accept() failed:
> > 
> > the second line repeats several dozen times.
> > 
> > I use clamd to scan mail with fuglu (fuglu.org) which talks to
> > clamd via TCP socket.
> > 
> 


Re: [clamav-users] Freshclam failure - Still ongoing???

2017-08-25 Thread maxal
hi,

yes, this is ongoing as there are numerous broken mirrors in different
country zones out there, e.g. the German zone db.de.clamav.net:

db.de.clamav.net has address 62.201.161.84 -> OK
db.de.clamav.net has address 195.30.97.3 -> OK
db.de.clamav.net has address 130.133.110.67 -> OK
db.de.clamav.net has address 212.227.138.145 -> OK
db.de.clamav.net has address 62.27.56.14 -> OK
db.de.clamav.net has address 62.245.181.53 -> OK
db.de.clamav.net has address 193.27.49.165 -> OK 
db.de.clamav.net has address 88.198.17.100 -> FAIL 
db.de.clamav.net has address 84.39.110.99 -> FAIL
db.de.clamav.net has address 144.76.28.11 -> FAIL
db.de.clamav.net has address 213.174.32.130 -> FAIL
db.de.clamav.net has address 5.9.253.237 -> FAIL
db.de.clamav.net has address 178.63.73.246 -> FAIL

regards
max


On Fri, 2017-08-25 at 16:24 +0800, Paul Dean wrote:
> Hi,
> 
> I've checked the lists and nuked the mirror.dat file as suggested,
> but still getting failure on dling daily-23699.cdiff via freshclam.
> Also tried via wget, and got a 404 error. So currently I'm stuck on
> 23698.
> 
> Also nuked all .cld files and still failed.
> 
> I've got a few servers/machines that use ClamAV, so hoping an overall
> fix instead of one for each machine would be preferable.
> 
> All machines are based in AU and failures happen with
> db.local.clamav.net and database.clamav.net.
> 


Re: [clamav-users] Unable to download database

2017-08-24 Thread maxal
hi,

also some issues here on 193.1.193.64

Thu Aug 24 09:40:07 2017 -> ERROR: getpatch: Can't download daily-23699.cdiff from database.clamav.net
Thu Aug 24 09:40:07 2017 -> WARNING: Incremental update failed, trying to download daily.cvd
Thu Aug 24 09:40:07 2017 -> WARNING: getfile: daily.cvd not found on database.clamav.net (IP: 193.1.193.64)

http://193.1.193.64/daily-23699.cdiff --header "Host:database.clamav.net"
--2017-08-24 09:42:00--  http://193.1.193.64/daily-23699.cdiff
Connecting to 193.1.193.64:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2017-08-24 09:42:00 ERROR 404: Not Found.

inetnum: 193.1.193.0 - 193.1.193.127
org: ORG-HA8-RIPE
netname: HEANET-MIRROR
country: IE

regards
max

On Thu, 2017-08-24 at 09:21 +0200, lukn555 wrote:
> Thank you for your effort, Joel.
> 
> I still have issues with the following server from
> db.centraleu.clamav.net group:
> 
> $ wget http://193.230.240.8/daily-23697.cdiff --header "Host:database.clamav.net"
> --2017-08-24 09:02:01--  http://193.230.240.8/daily-23697.cdiff
> Connecting to 193.230.240.8:80... connected.
> HTTP request sent, awaiting response... 403 Forbidden
> 2017-08-24 09:02:01 ERROR 403: Forbidden.
> 
> 
> On 23.08.2017 23:21, Joel Esler (jesler) wrote:
> > All — I sent a note earlier, but this should be fixed/recovering
> > now.  We are working on an idea that may prevent this kind of thing
> > from happening in the future.
> > 
> > Dennis — If you do a health check, and you find things that are…
> > not matching up with our results… please let me know your failure
> > list?
> > 
> > 
> > --
> > Joel Esler | Talos: Manager | jes...@cisco.com
> > 
> > On Aug 23, 2017, at 3:16 PM, Dennis Peterson <denni...@inetnw.com> wrote:
> > 
> > After testing several of the DNS round robin aliases I found the
> > db.ca.clamav.net had the most reliable
> > server set for North America. After editing the freshclam.conf file
> > the files updated on the next cron.hourly cycle.
> > 
> > I also found that the number of viable mirror sites is a small
> > portion of the total number of mirrors. I also found that a lot of
> > "local" mirrors are not all that local.
> > 
> > I think I'll run a health check of every mirror in the western
> > hemisphere and use the results in a local DNS round robin running
> > my own servers. It is a form of dynamic load balancing using real-
> > time network response time. If nothing else it will stop most if
> > not all attempts to missing mirrors which seem to be the majority.
> > Obviously it will also ignore mirrors that disallow icmp traffic.
> > 
> > dp
> > 
> > On 8/23/17 9:48 AM, Dennis Peterson wrote:
> > nslookup db.local.clamav.net |awk '/Address:/ {print $2}' |xargs -L1 ping -c 1
> > 
> > nslookup db.us.clamav.net |awk '/Address:/ {print $2}' |xargs -L1 ping -c 1
> > 
> > nslookup db.ca.clamav.net |awk '/Address:/ {print $2}' |xargs -L1 ping -c 1
> > 
> > nslookup db.ru.clamav.net |awk '/Address:/ {print $2}' |xargs -L1 ping -c 1
> > 
> > nslookup db.uk.clamav.net |awk '/Address:/ {print $2}' |xargs -L1 ping -c 1
> > 
> > 
> > Nobody home.
> > 
> > dp
> > 
> > On 8/23/17 12:26 AM, lukn555 wrote:
> > Good Day ClamAV List
> > 
> > Since yesterday at around noon CET I've been having issues
> > downloading the ClamAV database:
> > 
> > freshclam --version
> > ClamAV 0.99.2/23696/Tue Aug 22 14:36:14 2017
> > 
> > 
> > # /usr/local/bin/freshclam --verbose
> > Current working dir is /usr/local/share/clamav
> > Max retries == 3
> > ClamAV update process started at Wed Aug 23 09:11:52 2017
> > Using IPv6 aware code
> > Querying current.cvd.clamav.net
> > TTL: 609
> > Software version from DNS: 0.99.2
> > main.cvd version from DNS: 58
> > main.cld is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
> > daily.cvd version from DNS: 23700
> > Retrieving http://database.clamav.net/daily-23697.cdiff
> > Ignoring mirror 130.59.113.36 (due to previous errors)
> > Ignoring mirror 193.230.240.8 (due to previous errors)
> > Ignoring mirror 130.59.113.36 (due to previous errors)
> > Ignoring mirror 193.230.240.8 (due to previous errors)
> > WARNING: getpatch: Can't download daily-23697.cdiff from database.clamav.net
> > Retrieving http://database.clamav.net/daily-23697.cdiff
> > Ignoring mirror 130.59.113.36 (due to previous errors)
> > Ignoring mirror 193.230.240.8 (due to previous errors)
> > WARNING: getpatch: Can't download daily-23697.cdiff from database.clamav.net
> > Retrieving http://database.clamav.net/daily-23697.cdiff
> > Ignoring mirror 193.230.240.8 (due to previous errors)
> > Ignoring mirror 
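An added example, not code from any poster, that turns the checks in this thread and in the "Freshclam failure" thread above into one script: Dennis's nslookup-and-ping loop only tests reachability (and misses mirrors that drop ICMP), while the wget tests from maxal and lukn555 show a reachable mirror can still answer 403 or 404 for the very file freshclam asks for. The script resolves every A record of a zone and requests a database file from each address with the Host: database.clamav.net header, printing the OK/FAIL list in the form maxal posted. It assumes `host` and `curl` are installed.

```shell
#!/bin/sh
# Added example, not code from the list: HTTP-level health check of one
# freshclam mirror zone. Each A record behind the zone is asked for a real
# database file with the Host: header freshclam sends, so a mirror that
# answers ping but returns 403/404 is reported as FAIL, not OK.
# Assumes `host` (bind-utils / dnsutils) and `curl` are installed.

# Print the IPv4 addresses behind a zone name, one per line.
resolve_zone() {
    host -t A "$1" | awk '/has address/ { print $4 }'
}

# Print the HTTP status a mirror returns for /<file> (curl writes 000 when the
# connection itself fails, so the verdict below still works).
probe_mirror() {
    curl -sI -m 10 -o /dev/null -w '%{http_code}' \
        -H 'Host: database.clamav.net' "http://$1/$2" 2>/dev/null || true
}

# Map a status code to the OK/FAIL verdict used in the report.
verdict() {
    case $1 in 200) echo OK ;; *) echo FAIL ;; esac
}

# Print "<zone> has address <ip> -> OK|FAIL (<code>)" for every mirror of the
# zone; exit 1 if any mirror failed, 2 if the zone resolved to nothing.
mirror_report() {
    zone=$1; file=$2; failed=0
    ips=$(resolve_zone "$zone")
    [ -n "$ips" ] || { echo "no A records for $zone"; return 2; }
    for ip in $ips; do
        code=$(probe_mirror "$ip" "$file")
        v=$(verdict "$code")
        [ "$v" = OK ] || failed=1
        echo "$zone has address $ip -> $v ($code)"
    done
    return $failed
}

# Live run: RUN_MIRROR_CHECK=1 sh mirror_check.sh db.de.clamav.net daily-23699.cdiff
if [ "${RUN_MIRROR_CHECK:-0}" = 1 ]; then
    mirror_report "${1:-db.de.clamav.net}" "${2:-daily-23699.cdiff}"
fi
```

Point the same loop at the zone freshclam is configured to use (DatabaseMirror in freshclam.conf) to see which of its members would make freshclam fall back to downloading the full daily.cvd.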

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread maxal
hi,

On Tue, 2016-11-29 at 15:46 -0500, Gene Heskett wrote:
> On Tuesday 29 November 2016 11:53:03 Jeff Dyke wrote:
> 
> > 
> > Is there any way to get updates on false positives (I submitted this
> > about a week or so ago)? If it is or is not, I still find these. In
> > my case they seem to be ok coming from the printer, but then a
> > non-technical person opens and saves the file with a different name
> > (rather than just renaming it), which activates this particular
> > exploit, which we've proven by grabbing directly from the printer
> > and then having the client open and resave and send us both documents.
> > 
> > We're in the type of business where it would open us up to a ton of
> > liability if we were to whitelist, without knowing, and have a site
> > user download an infected file.
> > 
> > Thanks, happy to do anything i can.
> > 
> > Jeff
> > 
> I too have submitted an FP report on this one, but haven't been
> advised about it either. IMO it is as phony as a 3 dollar bill.

also numerous hits on this rule on valid/harmless pdfs here - i have
already reported the fp last week and disabled/whitelisted the rule due
to customer complaints.

why is cisco/clamav ignoring all the reports? is this part of the
automated (signature) processing? ~10 days of waiting for a signature
fix is hard; the rule was published on:

Nov 20, 2016, 3:18 PM 
Datefile: daily
Version: 22573
Publisher: Alain Zidouemba
New Sigs: 1187
Dropped Sigs: 0
Ignored Sigs: 54

kind regards
max