>
>
> On Thu, 15 Jul 2021, Robert Kudyba wrote:
>
Here we are Aug 24
> >> ... do you have that log?
> >
> > Uploaded at ...
>
> Nothing remarkable there. Presumably you're aware of this warning
> in that log?
>
See https://storm.cis.fordham.edu/~
> > here are the logs from 10:01 AM Jul 13:
> > Jul 13 10:01:02 storm freshclam[3930506]: Database test passed.
> > Jul 13 10:01:02 storm freshclam[3930506]: daily.cld updated (version:
> 26230, sigs: 3995778, f-level: 63, builder: raynman)
> > Jul 13 10:01:02 storm freshclam[3930506]: daily.cld
> -rw-r--r-- 1 clamav clamav 1438720 Mar 17 10:47 bytecode.cld
> -rw-r--r-- 1 clamav clamav 293670 Apr 8 06:32 bytecode.cvd
> -rw-r--r-- 1 clamav clamav 327757824 Jul 12 09:59 daily.cld
> -rw-r--r-- 1 clamav clamav 117859675 Nov 25 2019 main.cvd
>
> and a bunch of others which we're not
MDEND ([ -x
/usr/local/sbin/clamav-unofficial-sigs.sh ] && /usr/bin/bash
/usr/local/sbin/clamav-unofficial-sigs.sh)
On Mon, Jul 12, 2021 at 12:31 PM Robert Kudyba wrote:
>
>>
>> > grep clam /etc/passwd
>> > clamilt:x:989:985:Clamav Milter
>> User:/var/r
>
>
>
> > grep clam /etc/passwd
> > clamilt:x:989:985:Clamav Milter User:/var/run/clamav-milter:/sbin/nologin
> > clamav:x:985:981::/var/run/clamav:/sbin/nologin
> > clamupdate:x:983:979:Clamav database update
> user:/var/lib/clamav:/sbin/nologin
> > clamscan:x:982:978:Clamav scanner
>
> I asked about the permissions on the directories, not on files. In
> your 'find' command there you specifically limit the search to files
> and not directories with "-type f". See 'man find' for more (but IMO
> 'find' is a bit like a cornered rat and I'm starting to think it might
> not be
>> /var/log/clam_perms.log ; \
> |> /bin/ls -l /var/lib/clamav >> /var/log/clam_perms.log
>
OK just set this in cron but I suppose it isn't useful until the problem
happens again.
On Sun, 11 Jul 2021, Robert Kudyba wrote:
> > ls -ld /var/lib/clamav
> >
> > drw
>
> On Sat, 10 Oct 2020, Robert Kudyba wrote:
>
> > ... next time it happens I can try some of these:
> > ...
>
> But put some logging in place before it does, so you get as precise a
> timeline as you can.
>
> > Here's what the -i option returns:
> > .
>
> 1. Is your Perl interpreter in /usr/local/bin/? It's often in usr/bin/.
>
Thanks I saw that after the fact, indeed /usr/bin in Fedora
2. The environment is likely to be different when the script runs via
> freshclam from when it runs at the command line, and it's usually bad
> form in
>
> > >> next if
> /^MBL_\d+:0:\*:68747470733a2f2f64726976652e676f6f676c652e636f6d$/;
> > next if /^MBL_\d+:0:\*:68747470733a2f2f646f63732e676f6f676c652e636f6d$/;
> >
> > You could do better with a regex, see the excellent Perl documentation.
> >
> > So what's the syntax to use || (or) with
>
> On Thu, 29 Apr 2021, Olivier via clamav-users wrote:
> > Robert Kudyba writes:
> >
> >> How would you make this work for docs.google.com as well?
> >>
> >> the following regex corresponds to
> https://urldefense.proofpoin
>
> > How would you make this work for docs.google.com as well?
> >
> > the following regex corresponds to
>
How would you make this work for docs.google.com as well?
the following regex corresponds to https://drive.google.com
next if /^MBL_\d+:0:\*:68747470733a2f2f64726976652e676f6f676c652e636f6d$/;
On Thu, Apr 29, 2021, 12:25 AM Olivier wrote:
> Robert,
>
> In the configuration file user.conf for
I'd like the script and in our case the link starts with docs.google.com
On Wed, Apr 28, 2021, 10:43 PM Olivier via clamav-users <
clamav-users@lists.clamav.net> wrote:
> Hi,
>
> Robert Kudyba writes:
>
> > [1:multipart/alternative Hide]
> >
> >
> > [
Since the signature name has .UNOFFICIAL and starts with MBL I believe
that's Malware Block List. I've submitted a sample to fp (at)
malwarepatrol.net. Is more than one sample needed? I'm posting here to let
others know and as they don't appear to acknowledge nor reply.
Why don't these come up?
> Is there an updated convention for this?
I believe it's more or less unchanged since version 8.6 of Sendmail
> (from the early 1990's). The ID is generated in assign_queueid() in
> .../sendmail/queue.c, which uses the integer as an index to the string
> "0123456789ABCDEF... you get the picture
An important email from our university president was quarantined with
Heuristics.Phishing.Email.SSL-Spoof. I submitted the email as an attachment
to ClamAV. I'm also disabling it based on past reports such as
> Hi there,
>
> On Tue, 13 Apr 2021, Robert Kudyba wrote:
>
> > So I still don't know what "queue_id" is.
>
> Try the command
>
> mailq
>
> and look in the Sendmail docs. The queue ID is just the filename in
> the mail queue directory with
>
> > Also, with clamav-milter and sendmail. I see that the headers of
> quarantined messages go to /var/spool/mqueue with root:smmsp owner/group
> permissions and the header of the email starts with hf whilst the body of
> the message starts with df. So the message in question looks like this:
>
I'm seeing a FP from a Delta Airlines email.
Also, with clamav-milter and sendmail. I see that the headers of
quarantined messages go to /var/spool/mqueue with root:smmsp owner/group
permissions and the header of the email starts with hf whilst the body of
the message starts with df. So the
Using clamav-milter 0.103.1 with sendmail on Fedora 33, we had several
emails quarantined with the MBL_82485625.UNOFFICIAL. All they contained was
a link forwarded as an attachment of a Google Drive folder. I reported this
to the false positive at SaneSecurity address. I also added the signature
>
> > Oct 09 04:15:56 Checking for urlhaus updates...
> > Oct 09 04:15:56 Checking for updated urlhaus database file: urlhaus.ndb
> > Oct 09 04:15:56 Testing updated urlhaus database file: urlhaus.ndb
> > Oct 09 04:15:56 Clamscan reports urlhaus urlhaus.ndb database integrity
> tested good
> > Oct
permissions before running it,
> or run another script before invocations of the update script so that
> the permissions are set first, or hack the update script itself. You
> could even use 'chattr' to make the permissions unchangeable.
>
Yeah I've used the chattr option in other are
>
> > Every few weeks I'll start seeing this error:
> >
> > ERROR: clam database directory (clam_dbs) not writable /var/lib/clamav
> >
> > Running this fixes it:
> > su clamav -s '/usr/local/sbin/clamav-unofficial-sigs.sh'
> >
> > Here are the files not owned by clamav:
> > -rw-r--r-- 1
Running ClamAV 103.0-1 on Fedora, I have freshclam
and clamav-unofficial-sigs.sh from
https://github.com/extremeshok/clamav-unofficial-sigs
Every few weeks I'll start seeing this error:
ERROR: clam database directory (clam_dbs) not writable /var/lib/clamav
Running this fixes it:
su clamav -s
Using Fedora 31, this has been happening for quite a while. After reboot
/var/run/clamav is removed, which is expected. However, when ClamAV was
installed the user created in /etc/passwd looks like this:
clamav:x:985:981::/var/run/clamav:/sbin/nologin
So Pulseaudio tries to create the following
Nice
On Fri, May 1, 2020, 9:38 PM James Brown via clamav-users <
clamav-users@lists.clamav.net> wrote:
> On 1 May 2020, at 8:31 pm, Mark Allan via clamav-users <
> clamav-users@lists.clamav.net> wrote:
>
>
> Try excluding Email.Exploit.Efail-6641027-1 from the main ClamAV set.
>
>
> Thanks Mark.
This might be off topic to the list. We have Clam AV running on Fedora 30
with clamav-milter, clamav-0.101.4-1.fc30.x86_64, and sendmail. On one
server the logwatch emails do send a daily recap as desired such as this
stanza:
- Clamav Begin
Viruses
You have to wait for the Fedora maintainers to update it, usually takes a
week or so.
On Fri, Aug 9, 2019, 11:41 AM Cliff Hayes via clamav-users <
clamav-users@lists.clamav.net> wrote:
> I took advice given and used dnf to install clamd and clamav.
> But now I am getting the errors:
>
> WARNING:
ne file per signature. I wonder if any
> of the unofficial databases have similar efforts to keep the volume and
> quality of signatures in check.
>
>
>
> Regards,
>
> Micah
>
>
>
> *From: *clamav-users on behalf of
> Robert Kudyba
> *Reply-To: *C
e
> keeps growing and clamd loading time with it.
>
> But it's really an issue with older machines like the one I have here. :D
>
> Good luck!
> Reio
>
>
> On 30/07/2019 23:30, Robert Kudyba wrote:
>> I did but then I also increased from 600 to 900 and that
when loading the signatures.
>
> Good luck!
> Reio
>
>
> On 30.07.2019 21:58, Robert Kudyba wrote:
>
> rpm -qa clamav-milter
> clamav-milter-0.101.2-2.fc30.x86_64
> rpm -qa clamd
> clamd-0.101.2-2.fc30.x86_64
>
> See some logs and statuses below. clamd tak
rpm -qa clamav-milter
clamav-milter-0.101.2-2.fc30.x86_64
rpm -qa clamd
clamd-0.101.2-2.fc30.x86_64
See some logs and statuses below. clamd takes up all of the CPU. clamd does
appear to start based on the ps command but you can see the status shows no
running;
PID USER PR NI VIRT
>
> sm-client.service: Failed to parse PID from file /run/sm-client.pid:
> Invalid argument
>
> I'm not too familiar with sendmail client, so I'll defer this to someone
> else more knowledgeable.
>
A bug that won't get fixed?
https://bugzilla.redhat.com/show_bug.cgi?id=748171
Anyways any idea
clamav-0.101.0-3.fc29.x86_64
clamd-0.101.0-3.fc29.x86_64
clamav-milter-0.101.0-3.fc29.x86_64
sendmail-8.15.2-29.fc29.x86_64
4.19.13-300.fc29.x86_64
Milter (clamav-milter): write(D) returned -1, expected 23: Broken pipe
Also seeing errors like:
clamd[25994]: LibClamAV Error:
> Jul 23 11:45:39 storm clamd[22351]: LibClamAV Error: yyerror():
>> /var/lib/clamav/packer.yar line 82 undefined identifier "pe"
>>
>
> remove yar rules
>
> clamav is unstable with yara, google it
>
Yes just found
mav-m
ilter/clamav-milter.socket,F=T,T=S:4m;R:4m;E:10m')dnl
What's the difference between `clamav-milter' vs `clamav' in that line?
On Mon, Jul 23, 2018 at 11:51 AM, Robert Kudyba wrote:
> However I still get these errors in sendmail:
>>> Milter: data, reject=451 4.3.2 Please
>
> However I still get these errors in sendmail:
>> Milter: data, reject=451 4.3.2 Please try again later
>>
>
> the syslog entry should give us more information.
>
Jul 23 11:45:33 storm systemd[1]: clamd@scan.service: Main process exited,
code=killed, status=6/A
BRT
Jul 23 11:45:33 storm
t 12:27 PM, Micah Snyder (micasnyd) <
micas...@cisco.com> wrote:
> What are your current user/group ownership and permissions on:
> /var/run/clamd.scan/clamd.sock ?
>
> Regards,
> Micah
>
>
> Micah Snyder
> ClamAV Development
> Talos
> Cisco Systems, Inc.
>
rds,
> Micah
>
>
> Micah Snyder
> ClamAV Development
> Talos
> Cisco Systems, Inc.
>
>
> On Jul 16, 2018, at 12:19 PM, Robert Kudyba wrote:
>
> I set:
> MilterSocketGroup clamscan
> User clamscan
>
> Still getting the permission denied.
>
> Note the
Development
> Talos
> Cisco Systems, Inc.
>
>
> On Jul 16, 2018, at 11:06 AM, Robert Kudyba wrote:
>
> Thanks Micah, now getting a different error:
> Jul 16 10:59:23 storm clamav-milter[32079]: ClamAV: Unable to remove
> /var/run/clamd.scan/clamd.sock: Permission deni
run/clamd.scan/clamd.sock
>
> Lines in /etc/clamd.d/scan.conf
>
> TCPSocket 3310
> TCPAddr 127.0.0.1
>
> You should use only 1 ( TCP _or_ Unix/Local ) socket for clamd. We
> recommend using Unix/Local sockets.
>
>
> Micah Snyder
> ClamAV Development
> T
r daemon.
What else can I check?
On Tue, Jul 10, 2018 at 7:24 PM, Kees Theunissen
wrote:
> On Tue, 10 Jul 2018, Robert Kudyba wrote:
>
> >Hello hive,
> >
> >Running:
> >clamav-0.100.0-2.fc28.x86_64
> >
> >clamd, freshclam and clamav-milter all up a
Hello hive,
Running:
clamav-0.100.0-2.fc28.x86_64
clamd, freshclam and clamav-milter all up and running:
ps -auwx | grep clam
clamupd+ 20336 0.0 0.0 50672 4016 ? Ss Jun29 1:15
/usr/bin/freshclam -d -c 4
clamav 23713 0.0 0.0 176780 1160 ? Ssl 13:23 0:00
Any idea how to fix this? Happens on a make...
ld: table of contents for archive: /usr/lib/libbz2.a is out of date;
rerun ranlib(1) (can't load from it)
make[2]: *** [clamscan] Error 1
make[1]: *** [all-recursive] Error 1
make: *** [all] Error 2