Re: [Clamav-users] Bug in ClamAV-0.80rc4 - clamdscan error codes differ from clamscan
On Fri, Oct 15, 2004 at 02:06:54AM +0200, Tomasz Kojm wrote: On Fri, 15 Oct 2004 12:03:51 +1300 Jason Haar [EMAIL PROTECTED] wrote: I've got a message being unable to be delivered via Qmail-Scanner because clamdscan is reporting Bad format or broken data ERROR when processing the message. Patch attached (also applied in CVS). I've just downloaded the official 0.80 - and this problem is still present. Did your patch miss the deadline? I am due to release the next version of Qmail-Scanner, and I want clamav-0.80 to be officially supported. But this bug is triggering every day on our network - and we're not even a big site, so I'm relutant to do so. If 0.80 doesn't have this patch, then would it be appropriate for a content filter like Qmail-Scanner to treat exit status 2 errors which contain Bad format or broken data ERROR as being equivalent to exit status 0? (like clamscan does already). If so, I'll put that in until the exit status issue clears up in ClamAV 0.81 or whatever... [I'm just concerned there are some other error conditions (e.g. out of memory or permission problems) that could cause clamdscan to also exit status 2 - and such a hack would end up passing on infected emails when it shouldn't] Thanks! -- Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +64 3 9635 377 Fax: +64 3 9635 417 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1 ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] Bug in ClamAV-0.80rc4 - clamdscan error codes differ from clamscan
Whoops. Bad form, should have checked the code before sending. I'm afraid your patch is in 0.80 - but isn't working: Find attached a partial that triggers the error. bash$ clamdscan -V ClamAV 0.80/533/Sun Oct 17 14:09:44 2004 bash$ clamdscan Test_Emails//partial-1.eml partial-1.eml: Bad format or broken data ERROR partial-1.eml: OK --- SCAN SUMMARY --- Infected files: 0 Time: 0.002 sec (0 m 0 s) bash$ echo $? 2 Jason On Mon, Oct 18, 2004 at 10:21:03AM +1300, Jason Haar wrote: On Fri, Oct 15, 2004 at 02:06:54AM +0200, Tomasz Kojm wrote: On Fri, 15 Oct 2004 12:03:51 +1300 Jason Haar [EMAIL PROTECTED] wrote: I've got a message being unable to be delivered via Qmail-Scanner because clamdscan is reporting Bad format or broken data ERROR when processing the message. Patch attached (also applied in CVS). I've just downloaded the official 0.80 - and this problem is still present. Did your patch miss the deadline? I am due to release the next version of Qmail-Scanner, and I want clamav-0.80 to be officially supported. But this bug is triggering every day on our network - and we're not even a big site, so I'm relutant to do so. If 0.80 doesn't have this patch, then would it be appropriate for a content filter like Qmail-Scanner to treat exit status 2 errors which contain Bad format or broken data ERROR as being equivalent to exit status 0? (like clamscan does already). If so, I'll put that in until the exit status issue clears up in ClamAV 0.81 or whatever... [I'm just concerned there are some other error conditions (e.g. out of memory or permission problems) that could cause clamdscan to also exit status 2 - and such a hack would end up passing on infected emails when it shouldn't] Thanks! -- Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +64 3 9635 377 Fax: +64 3 9635 417 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1 ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users -- Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +64 3 9635 377 Fax: +64 3 9635 417 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1 From: me To: you Content-type: message/partial; id=[EMAIL PROTECTED]; number=1; total=3 MIME-Version: 1.0 Subject: example of a partial message Content-type: text/plain MIME-Version: 1.0 helllo ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] Bug in ClamAV-0.80rc4 - clamdscan error codes differ from clamscan
On Mon, 18 Oct 2004 10:25:37 +1300 Jason Haar [EMAIL PROTECTED] wrote: Whoops. Bad form, should have checked the code before sending. I'm afraid your patch is in 0.80 - but isn't working: Find attached a partial that triggers the error. Too late... -- oo. Tomasz Kojm [EMAIL PROTECTED] (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg \..._ 0DCA5A08407D5288279DB43454822DC8985A444B //\ /\ Mon Oct 18 03:06:55 CEST 2004 pgp6KmazlI07R.pgp Description: PGP signature ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] Bug in ClamAV-0.80rc4 - clamdscan error codes differ from clamscan
On Mon, 18 Oct 2004 03:07:13 +0200 Tomasz Kojm [EMAIL PROTECTED] wrote: On Mon, 18 Oct 2004 10:25:37 +1300 Jason Haar [EMAIL PROTECTED] wrote: Whoops. Bad form, should have checked the code before sending. I'm afraid your patch is in 0.80 - but isn't working: Find attached a partial that triggers the error. Too late... Oh, no. It's working just fine: [EMAIL PROTECTED]:/tmp$ clamscan partial-1.eml LibClamAV Warning: Partial message received from MUA/MTA - message cannot be scanned LibClamAV Warning: Descriptor[3]: Bad format or broken data partial-1.eml: OK --- SCAN SUMMARY --- Known viruses: 25254 Scanned directories: 0 Scanned files: 1 Infected files: 0 Data scanned: 0.00 MB I/O buffer size: 131072 bytes Time: 2.218 sec (0 m 2 s) -- oo. Tomasz Kojm [EMAIL PROTECTED] (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg \..._ 0DCA5A08407D5288279DB43454822DC8985A444B //\ /\ Mon Oct 18 03:08:17 CEST 2004 pgpuC8YCBjUfp.pgp Description: PGP signature ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] Bug in ClamAV-0.80rc4 - clamdscan error codes differ from clamscan
On Mon, 2004-10-18 at 03:09 +0200, Tomasz Kojm wrote: Oh, no. It's working just fine: [EMAIL PROTECTED]:/tmp$ clamscan partial-1.eml LibClamAV Warning: Partial message received from MUA/MTA - message cannot be scanned LibClamAV Warning: Descriptor[3]: Bad format or broken data partial-1.eml: OK Heh - you've forgotten my original e-mail. clamscan didn't show the problem - clamdscan did. They differ in their exit status. clamscan exits zero, but clamdscan exits 2 on these messages. This is a large issue for content-filters like Qmail-Scanner, where they try to detect errors by the exit status. i.e. zero means OK, one means virus, and anything else means something went wrong. clamdscan is saying something went wrong whereas clamscan says it's all OK... -- Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +64 3 9635 377 Fax: +64 3 9635 417 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1 ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] Bug in ClamAV-0.80rc4 - clamdscan error codes differ from clamscan
On Mon, 18 Oct 2004 14:23:59 +1300 Jason Haar [EMAIL PROTECTED] wrote: On Mon, 2004-10-18 at 03:09 +0200, Tomasz Kojm wrote: Oh, no. It's working just fine: [EMAIL PROTECTED]:/tmp$ clamscan partial-1.eml LibClamAV Warning: Partial message received from MUA/MTA - message cannot be scanned LibClamAV Warning: Descriptor[3]: Bad format or broken data partial-1.eml: OK Heh - you've forgotten my original e-mail. clamscan didn't show the problem - clamdscan did. No, I haven't. clamd can't print Bad format or broken data ERROR because it was disabled in libclamav. Looking at your report: bash$ clamdscan -V ClamAV 0.80/533/Sun Oct 17 14:09:44 2004 bash$ clamdscan Test_Emails//partial-1.eml partial-1.eml: Bad format or broken data ERROR partial-1.eml: OK --- SCAN SUMMARY --- Infected files: 0 Time: 0.002 sec (0 m 0 s) I'm almost sure you're still running the old instance of clamd. Restarting it should solve the problem. -- oo. Tomasz Kojm [EMAIL PROTECTED] (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg \..._ 0DCA5A08407D5288279DB43454822DC8985A444B //\ /\ Mon Oct 18 03:24:53 CEST 2004 pgpPK5LaaLumS.pgp Description: PGP signature ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] Bug in ClamAV-0.80rc4 - clamdscan error codes differ from clamscan
On Mon, 2004-10-18 at 03:27 +0200, Tomasz Kojm wrote: I'm almost sure you're still running the old instance of clamd. Restarting it should solve the problem. Sheesh - do I feel STUPID :-) Thanks. The two examples I had that caused this problem are now exit status zero - so I'm happy. Thanks for that - and sorry for the screw-up :-) -- Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +64 3 9635 377 Fax: +64 3 9635 417 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1 ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] Bug in ClamAV-0.80rc4 - clamdscan error codes differ from clamscan
On Fri, 15 Oct 2004 02:06:54 +0200 in [EMAIL PROTECTED] Tomasz Kojm [EMAIL PROTECTED] wrote: On Fri, 15 Oct 2004 12:03:51 +1300 Jason Haar [EMAIL PROTECTED] wrote: I've got a message being unable to be delivered via Qmail-Scanner because clamdscan is reporting Bad format or broken data ERROR when processing the message. Patch attached (also applied in CVS). FYI I'm seeing a Bad Signature message for the signed parts of the email you sent Tomasz, I'd suspect some sort of modification to the format after the signing has occurred. -- Brian Morrison bdm at fenrir dot org dot uk GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] Bug in ClamAV-0.80rc4 - clamdscan error codes differ from clamscan
On Fri, 15 Oct 2004 07:51:00 +0100 Brian Morrison [EMAIL PROTECTED] wrote: On Fri, 15 Oct 2004 02:06:54 +0200 in [EMAIL PROTECTED] Tomasz Kojm [EMAIL PROTECTED] wrote: On Fri, 15 Oct 2004 12:03:51 +1300 Jason Haar [EMAIL PROTECTED] wrote: I've got a message being unable to be delivered via Qmail-Scanner because clamdscan is reporting Bad format or broken data ERROR when processing the message. Patch attached (also applied in CVS). FYI I'm seeing a Bad Signature message for the signed parts of the email you sent Tomasz, I'd suspect some sort of modification to the format after the signing has occurred. It seems to be a problem with the mailing list software (and it only appears with e-mails with attachments). -- oo. Tomasz Kojm [EMAIL PROTECTED] (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg \..._ 0DCA5A08407D5288279DB43454822DC8985A444B //\ /\ Fri Oct 15 10:06:47 CEST 2004 pgp4Gv971x4EI.pgp Description: PGP signature ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
[Clamav-users] Bug in ClamAV-0.80rc4 - clamdscan error codes differ from clamscan
I've got a message being unable to be delivered via Qmail-Scanner because clamdscan is reporting Bad format or broken data ERROR when processing the message. It is part 12 of a 12 part message/partial message... It appears to be a legit mail containing a whole bunch of GIF files (I'm going to guess it's someone sending holiday snaps, and their mailer has chosen to split it into chunks using message/partial. If I run it via clamdscan - it exits error code 2 If I run it via clamscan - it exits error code 0! I think clamscan is correct. This is a broken mail message, but not one which should trigger an error. Shouldn't clamdscan match what clamscan produces? -- Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +64 3 9635 377 Fax: +64 3 9635 417 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1 ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] Bug in ClamAV-0.80rc4 - clamdscan error codes differ from clamscan
On Fri, 15 Oct 2004 12:03:51 +1300 Jason Haar [EMAIL PROTECTED] wrote: I've got a message being unable to be delivered via Qmail-Scanner because clamdscan is reporting Bad format or broken data ERROR when processing the message. Patch attached (also applied in CVS). -- oo. Tomasz Kojm [EMAIL PROTECTED] (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg \..._ 0DCA5A08407D5288279DB43454822DC8985A444B //\ /\ Fri Oct 15 02:06:34 CEST 2004 cleformat.patch Description: Binary data pgpPb1TEEGuIA.pgp Description: PGP signature ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users