[clamav-users] clamav-start problem under CentOS-7.7
Hi,

I have a problem while starting clamav. The start time is **2 Min. 34 sec.** and it seems that the time was wasted on or after the step --> Bytecode: Security mode set to "TrustSigned".

Please can someone tell me what I'm doing wrong. Which information is required to help me?

- %< -

# time systemctl restart clamd.e2guardian.service

real    2m34.902s
user    0m0.030s
sys     0m0.026s

/var/log/clamav.log

Nov 9 08:37:21 vml70050 clamd[10761]: clamd daemon 0.101.4 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Nov 9 08:37:21 vml70050 clamd[10761]: Running as user e2guardian (UID 399, GID 399)
Nov 9 08:37:21 vml70050 clamd[10761]: Log file size limited to 1048576 bytes.
Nov 9 08:37:21 vml70050 clamd[10761]: Reading databases from /var/lib/clamav
Nov 9 08:37:21 vml70050 clamd[10761]: Not loading PUA signatures.
Nov 9 08:37:21 vml70050 clamd[10761]: Bytecode: Security mode set to "TrustSigned".
Nov 9 08:39:50 vml70050 clamd[10761]: Loaded 6533172 signatures.
Nov 9 08:39:52 vml70050 clamd[10761]: LOCAL: Unix socket file /var/run/e2guardian/clamd.sock
Nov 9 08:39:52 vml70050 clamd[10761]: LOCAL: Setting connection queue length to 200
Nov 9 08:39:52 vml70050 clamd[11492]: Limits: Global time limit set to 12 milliseconds.
Nov 9 08:39:52 vml70050 clamd[11492]: Limits: Global size limit set to 104857600 bytes.
Nov 9 08:39:52 vml70050 clamd[11492]: Limits: File size limit set to 26214400 bytes.
Nov 9 08:39:52 vml70050 clamd[11492]: Limits: Recursion level limit set to 16.
Nov 9 08:39:52 vml70050 clamd[11492]: Limits: Files limit set to 1.
Nov 9 08:39:52 vml70050 clamd[11492]: Limits: MaxEmbeddedPE limit set to 10485760 bytes.
Nov 9 08:39:52 vml70050 clamd[11492]: Limits: MaxHTMLNormalize limit set to 10485760 bytes.
Nov 9 08:39:52 vml70050 clamd[11492]: Limits: MaxHTMLNoTags limit set to 2097152 bytes.
Nov 9 08:39:52 vml70050 clamd[11492]: Limits: MaxScriptNormalize limit set to 5242880 bytes.
Nov 9 08:39:52 vml70050 clamd[11492]: Limits: MaxZipTypeRcg limit set to 1048576 bytes.
Nov 9 08:39:52 vml70050 clamd[11492]: Limits: MaxPartitions limit set to 50.
Nov 9 08:39:52 vml70050 clamd[11492]: Limits: MaxIconsPE limit set to 100.
Nov 9 08:39:52 vml70050 clamd[11492]: Limits: MaxRecHWP3 limit set to 16.
Nov 9 08:39:52 vml70050 clamd[11492]: Limits: PCREMatchLimit limit set to 10.
Nov 9 08:39:52 vml70050 clamd[11492]: Limits: PCRERecMatchLimit limit set to 2000.
Nov 9 08:39:52 vml70050 clamd[11492]: Limits: PCREMaxFileSize limit set to 26214400.
Nov 9 08:39:52 vml70050 clamd[11492]: Archive support enabled.
Nov 9 08:39:52 vml70050 clamd[11492]: AlertExceedsMax heuristic detection disabled.
Nov 9 08:39:52 vml70050 clamd[11492]: Heuristic alerts enabled.
Nov 9 08:39:52 vml70050 clamd[11492]: Portable Executable support enabled.
Nov 9 08:39:52 vml70050 clamd[11492]: ELF support enabled.
Nov 9 08:39:52 vml70050 clamd[11492]: Mail files support enabled.
Nov 9 08:39:52 vml70050 clamd[11492]: OLE2 support enabled.
Nov 9 08:39:52 vml70050 clamd[11492]: PDF support enabled.
Nov 9 08:39:52 vml70050 clamd[11492]: SWF support enabled.
Nov 9 08:39:52 vml70050 clamd[11492]: HTML support enabled.
Nov 9 08:39:52 vml70050 clamd[11492]: XMLDOCS support enabled.
Nov 9 08:39:52 vml70050 clamd[11492]: HWP3 support enabled.
Nov 9 08:39:52 vml70050 clamd[11492]: Self checking every 600 seconds.

- >% -

Thank you!

Klaus.

--
e-Mail  : kl...@tachtler.net
Homepage: https://www.tachtler.net
DokuWiki: https://dokuwiki.tachtler.net

___
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] strace - select(13, [12], NULL, NULL, NULL) = -1 EBADF (Bad file descriptor) <0.000017>
thanks for the response; we are experiencing this issue on a fresh install VM, a Java application VM & a Jump server with gnome. a mix of 2 and 4 core VMs with 2, 4 & 6GB RAM

[root@xxx]# uname -a
Linux xx 3.10.0-1062.1.1.el7.x86_64 #1 SMP Fri Sep 13 22:55:44 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

[root@x ]# cat /etc/centos-release
CentOS Linux release 7.7.1908 (Core)

# Config

LogFile /var/log/clamav/clamav.log
LogFileUnlock yes
LogFileMaxSize 10M
LogTime yes
LogSyslog no
LogRotate no
ExtendedDetectionInfo yes
PidFile /var/run/clamd.scan/clamd.pid
DatabaseDirectory /var/lib/clamav
LocalSocket /var/run/clamd.scan/clamd.sock
LocalSocketGroup virusgroup
LocalSocketMode 666
FixStaleSocket yes
MaxThreads 10
ReadTimeout 180
SendBufTimeout 200
MaxQueue 100
ExcludePath ^/proc/
ExcludePath ^/sys/
ExcludePath ^/root/
ExcludePath ^/var\/lib\/openvas\/plugins/
ExcludePath ^/opt\/metasploit/
ExcludePath ^/var\/mqm/
ExcludePath ^/var\/lib\/mysql/
ExcludePath ^/glusterfs/
ExcludePath ^/mnt/
ExcludePath ^/nfs/
ExcludePath ^/tmp\/clamav-.*/
MaxDirectoryRecursion 20
FollowDirectorySymlinks no
FollowFileSymlinks no
SelfCheck 600
ExitOnOOM yes
User root
ScanMail yes
ScanHTML yes
ScanOLE2 yes
ScanArchive yes
ForceToDisk no
ScanOnAccess yes
OnAccessIncludePath /bin
OnAccessIncludePath /boot
OnAccessIncludePath /etc
OnAccessIncludePath /home
OnAccessIncludePath /media
OnAccessIncludePath /mnt
OnAccessIncludePath /opt
OnAccessIncludePath /root
OnAccessIncludePath /sbin
OnAccessIncludePath /sftp
OnAccessIncludePath /usr
OnAccessExcludePath /opt/tomcat/.m2/repository
OnAccessExcludeRootUID yes
OnAccessMaxFileSize 5M
OnAccessDisableDDD no
OnAccessExtraScanning yes
DisableCertCheck no

I've got a few more bits of information;
- the FD it is missing is for 'anon_inode:inotify'

healthy system:

[root@ ]# ls -l /proc/226347/fd
total 0
lr-x--. 1 root root 64 Nov 8 06:41 0 -> /dev/null
l-wx--. 1 root root 64 Nov 8 06:41 1 -> /dev/null
l-wx--. 1 root root 64 Nov 8 06:41 10 -> pipe:[2543521]
lrwx--. 1 root root 64 Nov 8 06:41 11 -> anon_inode:[fanotify]
lr-x--. 1 root root 64 Nov 8 06:41 12 -> anon_inode:inotify
l-wx--. 1 root root 64 Nov 8 06:41 2 -> /dev/null
lr-x--. 1 root root 64 Nov 8 06:41 3 -> /var/lib/sss/mc/initgroups
lrwx--. 1 root root 64 Nov 8 06:41 4 -> socket:[2543359]
l-wx--. 1 root root 64 Nov 8 03:26 5 -> /var/log/clamav/clamav.log
lrwx--. 1 root root 64 Nov 8 06:41 6 -> socket:[2544261]
lr-x--. 1 root root 64 Nov 8 06:41 7 -> pipe:[2543520]
l-wx--. 1 root root 64 Nov 8 06:41 8 -> pipe:[2543520]
lr-x--. 1 root root 64 Nov 8 06:41 9 -> pipe:[2543521]

Broken system:

[root@xx ]# ls -l /proc/33492/fd
total 0
lr-x--. 1 root root 64 Nov 7 10:58 0 -> /dev/null
l-wx--. 1 root root 64 Nov 7 10:58 1 -> /dev/null
l-wx--. 1 root root 64 Nov 7 10:58 10 -> pipe:[788328]
lrwx--. 1 root root 64 Nov 7 10:58 11 -> anon_inode:[fanotify]
lr-x--. 1 root root 64 Nov 5 09:52 13 -> /etc/clamd.d/scan.conf
lrwx--. 1 root root 64 Nov 5 09:52 14 -> /tmp/clamav-46ff34ef6c75cb2abc0435d1056ee697.tmp
l-wx--. 1 root root 64 Nov 7 10:58 2 -> /dev/null
lr-x--. 1 root root 64 Nov 7 10:58 3 -> /var/lib/sss/mc/initgroups
lrwx--. 1 root root 64 Nov 7 10:58 4 -> socket:[790831]
l-wx--. 1 root root 64 Nov 7 10:58 5 -> /var/log/clamav/clamav.log
lrwx--. 1 root root 64 Nov 7 10:58 6 -> socket:[790832]
lr-x--. 1 root root 64 Nov 7 10:58 7 -> pipe:[788327]
l-wx--. 1 root root 64 Nov 7 10:58 8 -> pipe:[788327]
lr-x--. 1 root root 64 Nov 7 10:58 9 -> pipe:[788328]

thanks
Tim

-Original Message-
From: G.W. Haywood via clamav-users
Reply-To: ClamAV users ML
To: J.R. via clamav-users
Cc: G.W. Haywood
Subject: Re: [clamav-users] strace - select(13, [12], NULL, NULL, NULL) = -1 EBADF (Bad file descriptor) <0.17>
Date: Thu, 07 Nov 2019 15:55:29 +

Hi there,

On Thu, 7 Nov 2019, J.R. via clamav-users wrote:

> Which brought clamd back to life and the system load returned to normal.
> no idea if this is an OS bug, a ClamAV bug or some kind of user error, any help here will be appreciated.

What version of ClamAV?
What OS?
What customization / edits to config files have you made?
And what are you scanning???
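The healthy and broken descriptor tables in Tim's message differ in exactly one entry, the `anon_inode:inotify` descriptor (fd 12 in the healthy listing, the same fd that the `select(13, [12], ...)` call in the subject line fails on with EBADF). The check below is an added example, not code from the thread or from ClamAV: it parses `ls -l /proc/<pid>/fd` output (the two listings are embedded as constructed, condensed samples) and reports which of the watch descriptors an on-access clamd is missing; `read_proc_fds` is the live variant for a Linux host, and the expected target list is an assumption taken from the healthy listing rather than from ClamAV documentation.

```python
"""Report which on-access watch descriptors a clamd process is missing.
Added example built on the thread's /proc/<pid>/fd listings; not ClamAV code.
EXPECTED_TARGETS is an assumption taken from the healthy listing, not from ClamAV docs."""
import os
import re

EXPECTED_TARGETS = ("anon_inode:[fanotify]", "anon_inode:inotify")
FD_LINE = re.compile(r"\s(\d+) -> (\S+)$")  # "N -> target" at the end of an ls -l line

def parse_fd_listing(text):
    """Turn `ls -l /proc/<pid>/fd` output into {fd_number: target}."""
    fds = {}
    for line in text.splitlines():
        m = FD_LINE.search(line.rstrip())
        if m:
            fds[int(m.group(1))] = m.group(2)
    return fds

def read_proc_fds(pid):
    """Live variant for a Linux host: resolve every symlink under /proc/<pid>/fd."""
    base = f"/proc/{pid}/fd"
    return {int(n): os.readlink(os.path.join(base, n)) for n in os.listdir(base)}

def missing_watch_fds(fds):
    """Return the expected anon_inode targets that no descriptor points to."""
    present = set(fds.values())
    return [t for t in EXPECTED_TARGETS if t not in present]

# Constructed samples condensed from the healthy and broken listings in the thread.
HEALTHY = """\
total 0
lrwx------. 1 root root 64 Nov  8 06:41 11 -> anon_inode:[fanotify]
lr-x------. 1 root root 64 Nov  8 06:41 12 -> anon_inode:inotify
lrwx------. 1 root root 64 Nov  8 06:41 4 -> socket:[2543359]
"""
BROKEN = """\
total 0
lrwx------. 1 root root 64 Nov  7 10:58 11 -> anon_inode:[fanotify]
lr-x------. 1 root root 64 Nov  5 09:52 13 -> /etc/clamd.d/scan.conf
lrwx------. 1 root root 64 Nov  7 10:58 4 -> socket:[790831]
"""

if __name__ == "__main__":
    for name, listing in (("healthy", HEALTHY), ("broken", BROKEN)):
        gone = missing_watch_fds(parse_fd_listing(listing))
        print(f"{name}: missing {gone or 'nothing'}")
```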
Re: [clamav-users] A better zip bomb
Hi there,

On Fri, 8 Nov 2019, Arnaud Jacques wrote:

> ...Brent wrote:
>
>> https://www.bamsoftware.com/hacks/zipbomb/
>>
>> Here you can see I scanned the zip file, that's made available from the above site.
>> As you can see, clamav (in conjunction with Sanesecurity), the file passed.
>>
>> vagrant@stretch:~/src$ clamscan zbsm.zip
>> zbsm.zip: OK
>
> No need for 3rd party signatures, official ClamAV seems to work fine with these files :
>
> clamscan --alert-exceeds-max=yes --max-recursion=5 --max-ziptypercg=5M
> /var/tmp/tmp/zblg.zip: Heuristics.Limits.Exceeded FOUND
> /var/tmp/tmp/zbsm.zip: Heuristics.Limits.Exceeded FOUND
> /var/tmp/tmp/zbxl.zip: Heuristics.Limits.Exceeded FOUND

It seems that there might be room for improvement in Brent's client's ClamAV configuration, perhaps we should be trying to understand why it is in this state. It should be a deliberate choice to disable a test for excessive resource usage, not an accident.

--
73,
Ged.
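Ged's point is that a zip bomb passing as clean is a configuration state worth auditing rather than a signature gap. The audit below is an added example, not ClamAV code: it reads the limit-related options from a clamd.conf (the option names are the clamd.conf counterparts of the clamscan flags used in this thread, and Klaus's clamd log earlier on this page shows the engine reporting "AlertExceedsMax heuristic detection disabled"), flags a missing or negative AlertExceedsMax, and pulls the expansion ratio out of a clamscan summary so a figure like the 1616.20:1 Brent saw stands out even when no alert fired. The sample config and the 100:1 threshold are assumptions constructed for the example.

```python
"""Audit clamd.conf limit options and a clamscan summary for zip-bomb handling.
Added example for this thread, not ClamAV code; the 100:1 threshold is an assumption."""
import re

# Keys referenced in the thread via the clamscan flags --alert-exceeds-max,
# --max-recursion and --max-ziptypercg, plus the two size limits.
LIMIT_OPTIONS = ("MaxRecursion", "MaxZipTypeRcg", "MaxFileSize", "MaxScanSize")
RATIO_RE = re.compile(r"Data read:.*\(ratio ([\d.]+):1\)")
SUSPICIOUS_RATIO = 100.0  # assumed threshold for flagging expansion ratios

def parse_clamd_conf(text):
    """Return {Option: value} for non-comment lines; repeated keys keep the last value."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            opts[key] = value.strip()
    return opts

def audit_limits(opts):
    """List settings that let an archive exceeding a limit be reported as OK."""
    findings = []
    if opts.get("AlertExceedsMax", "no").lower() != "yes":
        findings.append("AlertExceedsMax is off: a file that hits a scan limit "
                        "is reported OK instead of Heuristics.Limits.Exceeded")
    for opt in LIMIT_OPTIONS:
        if opt not in opts:
            findings.append(f"{opt} not set; engine default applies")
    return findings

def expansion_ratio(summary):
    """Extract the 'Data read ... (ratio N:1)' figure from a clamscan summary."""
    m = RATIO_RE.search(summary)
    return float(m.group(1)) if m else None

def ratio_suspicious(summary):
    """True when the scanned/read ratio alone suggests a decompression bomb."""
    r = expansion_ratio(summary)
    return r is not None and r >= SUSPICIOUS_RATIO

# Constructed sample in the style of Tim's config, which never sets AlertExceedsMax.
SAMPLE_CONF = "# Config\nLogFile /var/log/clamav/clamav.log\nScanArchive yes\nMaxRecursion 5\n"
HARDENED_CONF = SAMPLE_CONF + "AlertExceedsMax yes\nMaxZipTypeRcg 5M\nMaxFileSize 25M\nMaxScanSize 100M\n"
# Constructed from the summary lines Brent posted.
BRENT_SUMMARY = "Data scanned: 63.13 MB\nData read: 0.04 MB (ratio 1616.20:1)\n"
```

Running `audit_limits(parse_clamd_conf(SAMPLE_CONF))` on the sample returns four findings, the first being the AlertExceedsMax one, while the hardened variant returns none.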
Re: [clamav-users] A better zip bomb
Good day Arnaud

Thanks so much for this.

Really appreciate the fast reply and help.

Regards
Brent Clark

On 2019/11/08 10:23, Arnaud Jacques wrote:
> Hello Brent,
>
>> https://www.bamsoftware.com/hacks/zipbomb/
>>
>> I took the liberty of spinning up a vagrant instance to find out for myself.
>> Here you can see I scanned the zip file, that's made available from the above site.
>> As you can see, clamav (in conjunction with Sanesecurity), the file passed.
>>
>> vagrant@stretch:~/src$ clamscan zbsm.zip
>> zbsm.zip: OK
>>
>> --- SCAN SUMMARY ---
>> Known viruses: 8944025
>> Engine version: 0.101.4
>> Scanned directories: 0
>> Scanned files: 1
>> Infected files: 0
>> Data scanned: 63.13 MB
>> Data read: 0.04 MB (ratio 1616.20:1)
>> Time: 196.787 sec (3 m 16 s)
>
> No need for 3rd party signatures, official ClamAV seems to work fine with these files :
>
> clamscan --alert-exceeds-max=yes --max-recursion=5 --max-ziptypercg=5M
> /var/tmp/tmp/zblg.zip: Heuristics.Limits.Exceeded FOUND
> /var/tmp/tmp/zbsm.zip: Heuristics.Limits.Exceeded FOUND
> /var/tmp/tmp/zbxl.zip: Heuristics.Limits.Exceeded FOUND
>
> --- SCAN SUMMARY ---
> Known viruses: 8748540
> Engine version: 0.101.4
> Scanned directories: 1
> Scanned files: 3
> Infected files: 3
> Data scanned: 169.38 MB
> Data read: 53.22 MB (ratio 3.18:1)
> Time: 396.918 sec (6 m 36 s)
Re: [clamav-users] A better zip bomb
Hello Brent,

> https://www.bamsoftware.com/hacks/zipbomb/
>
> I took the liberty of spinning up a vagrant instance to find out for myself.
> Here you can see I scanned the zip file, that's made available from the above site.
> As you can see, clamav (in conjunction with Sanesecurity), the file passed.
>
> vagrant@stretch:~/src$ clamscan zbsm.zip
> zbsm.zip: OK
>
> --- SCAN SUMMARY ---
> Known viruses: 8944025
> Engine version: 0.101.4
> Scanned directories: 0
> Scanned files: 1
> Infected files: 0
> Data scanned: 63.13 MB
> Data read: 0.04 MB (ratio 1616.20:1)
> Time: 196.787 sec (3 m 16 s)

No need for 3rd party signatures, official ClamAV seems to work fine with these files :

clamscan --alert-exceeds-max=yes --max-recursion=5 --max-ziptypercg=5M
/var/tmp/tmp/zblg.zip: Heuristics.Limits.Exceeded FOUND
/var/tmp/tmp/zbsm.zip: Heuristics.Limits.Exceeded FOUND
/var/tmp/tmp/zbxl.zip: Heuristics.Limits.Exceeded FOUND

--- SCAN SUMMARY ---
Known viruses: 8748540
Engine version: 0.101.4
Scanned directories: 1
Scanned files: 3
Infected files: 3
Data scanned: 169.38 MB
Data read: 53.22 MB (ratio 3.18:1)
Time: 396.918 sec (6 m 36 s)

--
Cordialement / Best regards,

Arnaud Jacques
Gérant de SecuriteInfo.com

Téléphone : +33-(0)3.44.39.76.46
E-mail : a...@securiteinfo.com
Site web : https://www.securiteinfo.com
Facebook : https://www.facebook.com/pages/SecuriteInfocom/132872523492286
Twitter : @SecuriteInfoCom

Securiteinfo.com
La Sécurité Informatique - La Sécurité des Informations.
266, rue de Villers
60123 Bonneuil en Valois
[clamav-users] A better zip bomb
Good day ClamAV and Steve

I have a client declaring that ClamAV signatures are not detecting zip bombs.

https://www.bamsoftware.com/hacks/zipbomb/

I took the liberty of spinning up a vagrant instance to find out for myself.
Here you can see I scanned the zip file, that's made available from the above site.
As you can see, clamav (in conjunction with Sanesecurity), the file passed.

vagrant@stretch:~/src$ clamscan zbsm.zip
zbsm.zip: OK

--- SCAN SUMMARY ---
Known viruses: 8944025
Engine version: 0.101.4
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 63.13 MB
Data read: 0.04 MB (ratio 1616.20:1)
Time: 196.787 sec (3 m 16 s)

Here you can see the list of signatures loaded / available.
https://pastebin.com/raw/SyHcrYVX

If the community or anyone can look into this and / or make a signature available, it would be appreciated.

Many thanks, regards
Brent Clark