Re: [clamav-users] exclude-dir with clamdscan
--- Begin Message ---

Hi there,

On Tue, 15 May 2018, Stefan Schumacher wrote:

> I would like to use clamdscan to scan an entire server but exclude
> sys, proc and dev.

mail6:~$ >>> cat testfile
/etc/perl/
mail6:~$ >>> clamdscan -f testfile
/etc/perl: OK

--- SCAN SUMMARY ---
Infected files: 0
Time: 0.020 sec (0 m 0 s)

8<-- Log extract:
8<--
May 15 17:21:22 mail6 clamd[670]: /etc/perl/sitecustomize.pl: OK
May 15 17:21:22 mail6 clamd[670]: /etc/perl/Net/libnet.cfg: OK
May 15 17:21:22 mail6 clamd[670]: /etc/perl/XML/SAX/ParserDetails.ini: OK
May 15 17:22:03 mail6 clamd[670]: /etc/perl/sitecustomize.pl: OK
May 15 17:22:03 mail6 clamd[670]: /etc/perl/Net/libnet.cfg: OK
May 15 17:22:03 mail6 clamd[670]: /etc/perl/XML/SAX/ParserDetails.ini: OK
8<--

--
73,
Ged.

--- End Message ---

___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
[clamav-users] Curiosity.
Hi there,

Trawling the logs (sad, I know, but I do it), I noticed this:

8<--
Received: from clammail.vrt.sourcefire.com (localhost [127.0.0.1])
        by lists.clamav.net (Postfix) with ESMTP id B166D18D633;
        Wed, 20 Feb 2019 12:00:01 -0500 (EST)
From: clamav-users-requ...@lists.clamav.net
Subject: clamav-users Digest, Vol 171, Issue 16
To: clamav-users@lists.clamav.net
Reply-To: clamav-users@lists.clamav.net
Date: Wed, 20 Feb 2019 12:00:00 -0500
8<--

and this:

8<--
Received: from mailmanlists.network (localhost [IPv6:::1])
        by mailmanlists.network (Postfix) with ESMTP id 3C0E321A37;
        Thu, 21 Feb 2019 12:01:54 -0500 (EST)
From: clamav-users-requ...@lists.clamav.net
Subject: clamav-users Digest, Vol 171, Issue 16
To: clamav-users@lists.clamav.net
Reply-To: clamav-users@lists.clamav.net
Date: Thu, 21 Feb 2019 12:00:03 -0500
8<--

Anyone care?

--
73,
Ged.
Re: [clamav-users] rpm files question [was: ClamAV 0.101.2 announcement?]
Hi there,

On Fri, 29 Mar 2019, Micah Snyder wrote:

> This won't help you right now, but our team has been discussing
> publishing ClamAV on Linux using Snapcraft at the time of each
> release. Snapcraft sounds like it may be a good option to make ClamAV
> accessible faster. Would you, and others here, be interested in
> installing a ClamAV snap in the future?

Not if it wants me to install systemd...

laptop3:~# >>> cat /etc/debian_version
9.8
laptop3:~# >>> apt-get install snapd
Reading package lists... Done
Building dependency tree
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 snapd : Depends: systemd
...

--
73,
Ged.
Re: [clamav-users] connect clamscan output to journal with systemd-cat
Hi there,

On Wed, 3 Apr 2019, Kretschmer, Jens wrote:

> I would like to redirect the output of clamscan to the journal ...

man logger

> Do you have any idea what could be causing the issue?

It's not clear to me which system you're using, but try

man cron

--
73,
Ged.
Re: [clamav-users] looking for solution for proxy of clamd and redirecting clamdscan to go to remote clamd running on another server
Hi there,

On Thu, 4 Apr 2019, Annette (impersonating Tom Brady) wrote:

> I have tried using the tcpsocket parameter on the clamd.conf. I have
> [two] different clamd instances running on different servers. While I
> can get the clamdscan to talk to the local (on the same server) clamd
> instance, I cannot get clamdscan to talk to a remote instance of
> clamd running on a different server and different port.

You may need to change the 'TCPAddr' directive in clamd.conf so that
the daemon binds to an address which will accept remote connections.

As others have warned, the socket should be protected from potential
sources of mischief. That means, basically, the entire Internet.

--
73,
Ged.
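An added check, not code from the post above: a small shell function that reads a clamd.conf and reports whether the TCP listener Ged mentions is closed, restricted to specific addresses, or exposed on every interface. ClamAV's own clamd.conf comments state that with TCPSocket set and no TCPAddr the daemon binds to INADDR_ANY, and the socket carries no authentication, so an exposed listener lets anyone who can reach it submit scans or issue RELOAD and SHUTDOWN. The two configuration fragments are constructed for the example, and the function name `clamd_tcp_exposure` is mine.

```shell
#!/bin/sh
# Added example (not from the list post): classify how a clamd.conf exposes
# clamd's TCP listener, so the "source of mischief" warning in the post can
# be checked mechanically before a remote clamdscan is wired up.

# Constructed weak configuration: TCPSocket enabled, TCPAddr commented
# out, so clamd binds to INADDR_ANY (every interface).
weak_conf() {
    printf '%s\n' \
        'LogFile /var/log/clamav/clamd.log' \
        'TCPSocket 3310' \
        '#TCPAddr 127.0.0.1'
}

# Constructed hardened configuration: same port, bound to loopback only.
# For remote clamdscan clients use the address of a trusted internal
# interface instead, and firewall that port to the client hosts.
hardened_conf() {
    printf '%s\n' \
        'LogFile /var/log/clamav/clamd.log' \
        'TCPSocket 3310' \
        'TCPAddr 127.0.0.1'
}

# clamd_tcp_exposure CONFFILE
# Prints one of:
#   closed     - no active TCPSocket directive
#   exposed    - TCPSocket with no TCPAddr, or a wildcard TCPAddr
#   restricted - TCPSocket bound to one or more specific addresses
# Only uncommented directives count; names are matched case-insensitively.
clamd_tcp_exposure() {
    conf=$1
    if ! grep -Eiq '^[[:space:]]*TCPSocket[[:space:]]+[0-9]+' "$conf"; then
        echo closed
        return 0
    fi
    # TCPAddr may be given more than once; collect every bound address.
    addrs=$(grep -Ei '^[[:space:]]*TCPAddr[[:space:]]+' "$conf" | awk '{print $2}')
    if [ -z "$addrs" ]; then
        echo exposed
        return 0
    fi
    for a in $addrs; do
        case "$a" in
            0.0.0.0|::|'[::]') echo exposed; return 0 ;;
        esac
    done
    echo restricted
}

# Demonstration on the two constructed files.
tmp=$(mktemp -d)
weak_conf > "$tmp/weak.conf"
hardened_conf > "$tmp/hardened.conf"
echo "weak.conf:     $(clamd_tcp_exposure "$tmp/weak.conf")"
echo "hardened.conf: $(clamd_tcp_exposure "$tmp/hardened.conf")"
rm -rf "$tmp"
```

Run it against the real file with `clamd_tcp_exposure /etc/clamav/clamd.conf` (or wherever your distribution keeps it); "restricted" still only means the bind address is specific, so a host-level firewall rule limiting the port to the clamdscan clients is the second half of the check.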
Re: [clamav-users] Installing question
Hello,

On Thu, 28 Mar 2019, MOHAMED OMAR MAKRAM wrote:

> I've had this for a few months. The only thing I was able to do is to
> pay for virus protection but it is so expensive. Is there a way to
> find those hidden files? Do you think they are in the db or in the
> files? I am moving out to another server right now. Is there a good
> process to do this without copying the virus along with the files?

Firstly, you have already been told that this is not the right mailing
list for your questions. Many such lists and similar resources exist.
Search for them.

Secondly, even if you were to install ClamAV, with your current level
of skill you would not be able to use it to solve your problems. In my
view, ClamAV is not now and never will be capable of solving them
because that is not why it was developed. As far as I can tell its main
attraction for you is that it is free, and that people on this mailing
list support it for free. It would be far better for you to find out
what your problem is before you try to implement a solution. If you
must pay for it, then you need to do a cost-benefit analysis.

Thirdly, if you are making Websites available on the public Internet
and those Websites are not properly secured, and indeed have already
been compromised, then you represent a danger, not only to the people
who visit those sites, but also to *any* Internet-connected equipment.
That is both irresponsible and reprehensible. The fact that you have
ignored advice that your questions are inappropriate for this mailing
list probably tells us how much you have thought about that, or care.

My advice is to stop what you are doing until either you can find
someone competent to do it safely for you, or you become sufficiently
competent to do it safely yourself. There is no quick HOWTO for the
impatient. Please do not willfully add to the problems that the rest of
us have to face daily.

--
73,
Ged.
Re: [clamav-users] Scan very slow
Hi there,

On Sun, 7 Apr 2019, Maarten Broekman wrote:

> Given that the PhishTank signatures, specifically, have been causing
> the performance issues, no. It's not unreasonable to want to pull
> them, and only them, out. Having them in a separate db file would be
> highly beneficial to those of us that don't want or need them at all.
> Barring that, having a configuration option to disable them that is
> separate from heuristics and safebrowsing would be just as effective.

How about something like

grep -a '^Phishtank.Phishing' daily.cld | cut -d':' -f1 > ~/phishtank.ign2

?

--
73,
Ged.
Re: [clamav-users] Procedure for Correct Action
Hi there,

On Sat, 6 Apr 2019, Robert F. Poe wrote:

> I need clarification for the proper action to take after finding
> viruses and malware.

I'll try not to be misled by your questions.

> I use ClamAv Virus Scanner (or Clamscan) to scan my server on a
> weekly basis. I have the Virus Scanner via my cPanel control panel.
> I have always taken the action to Destroy the files, but others will
> return over a period of time.

Later, I'll ask you to provide more information.

> My Question is "What is the difference between the choices Disinfect
> and Quarantine?"

This question is inappropriate, so I'll skip some and explain later.

> I have been Destroying all infected files, both malware and email,

It's not clear to me what these infected files are.

> but I'm not sure if that is my best option.

I'm quite sure it isn't. You should stop whatever you're doing and,
before you start doing it again, take some time to think about it.

As I said earlier, more information is needed. You haven't said what
operating system or systems you're using on your server. You haven't
said who provides your "control panel", nor what it actually does when
you "scan my server". You haven't said what these files are that you
have always destroyed nor what you think was wrong with them. Without
much more information (and I'm fairly sure that you don't yet have it,
so you will need to direct questions to your supplier) we can't help
much more than give general advice. So this is general advice - back
to thinking about it.

If the server we're talking about is for example a Linux box, then it
will definitely not be normal to find malware and viruses on it - at
least for most definitions of 'normal'. There are (and here I take a
few liberties) two exceptions to this, and I'm going to distinguish
between those cases and the rest (the vast majority) of more or less
any server.

The exceptions are when the server provides space for unknown data to
be stored, and when the server handles email; similar, but not quite
the same thing. Both are effectively handling unknown data from
unknown sources. In one case you store it and maybe serve it back to
clients, in the other you usually pass it on. This isn't something
that I'd recommend to anyone, and if you're not strong on security I'd
strongly recommend against doing it, because you will just become part
of the problem and you might even be blamed for it. Drink deep, or
taste not.

Apart from handling mail and unknown data, using something like ClamAV
to scan a server should be contemplated only after a great deal of
work has been done to make yourself as sure as is possible that there
will never be anything for ClamAV to find. That means at least making
an inventory of all the software (and that includes firmware) on the
machine, and putting in place procedures to keep informed of security
issues as they appear and to deal with them promptly and effectively.
You will shut down all but essential services, set up defences against
attacks on any services which are available over the network, make
sure that you control access to the server by any other means, and of
course set up a monitoring system to keep an eye on it all and record
for posterity - or at least the Courts - that you've been doing the
job conscientiously. Recently, even some processors (CPUs) have been
found to be vulnerable to some kinds of attack, and you'll need to
understand the implications of that in your situation. Security issues
pop up more than daily in a population of software packages which on
most machines will number at least in the hundreds, usually in the
thousands and quite possibly in the tens of thousands. So it's quite a
task; nobody else can really do it for you unless you can pay them to
do it. Not doing it (or not having it done for you) is at best
irresponsible.

Doing the job well will probably mean that scanning the server with
ClamAV uses resources which could be more profitably employed in other
ways. Trawling the system's logs springs to mind; when did you last
look at yours? Having put in place the proper mechanisms for keeping
yourself well-informed and your server software patched up to date
and very possibly taking steps to be able to replace the server
hardware if it becomes necessary, then you can breathe a little more
easily. This doesn't mean that your server won't be successfully
attacked, but it means it won't be hanging amongst the low fruit,
which is where you seem to be telling us that it IS hanging at the
moment. The low-hanging fruit is routinely attacked, by automated
means. Its compromise is a foregone conclusion, and is just a matter
of time.

You've said that you always destroy "all infected files" but you
haven't said what they've been infected with, nor what you did to
prevent a repetition, nor even what steps you've taken to ensure that
they were, in fact, infected. Don't make the mistake of thinking that
if ClamAV says it has found a file is infected, that
Re: [clamav-users] Scan very slow
Hello again,

On Mon, 8 Apr 2019, Arnaud Jacques wrote:

> On 07/04/2019 at 18:18, G.W. Haywood via clamav-users wrote:
>
>> grep -a '^Phishtank.Phishing' daily.cld | cut -d':' -f1 > ~/phishtank.ign2
>
> This is not optimized : Phishtank.Phishing are loaded in memory. Then
> phishtank.ign2 is loaded on memory.

Possibly true, I haven't looked at the code, but if I'd coded it then
it would work in a more sensible way. I'd free the ignored signatures
from memory (and keep a note of the databases/files in use, and check
their mtimes every now and again - perhaps even for every scan - etc.).

> So there is a lot of memory used for nothing.

Conjecture?

> And I guess this will slow down the scan.

Conjecture, but easily tested. And if it *does* slow down the scan,
I'd suggest that something must be horribly wrong. It should be far
quicker to ignore a signature than to check some block of data to see
if it's matched. Of course if the signature doesn't exist (i.e. it's
been removed from memory) then it will take zero time to process it. :)

> ... and one day I created a *huge* ign2 file and it crashed clamd.

Has this fault in the code been reported?

> Ign2 files may not be appropriate to ignore tons of signatures.

I did count the number of signatures before suggesting this.

mail6:~# >>> wc -l phishtank.ign2
3968 phishtank.ign2
mail6:~# >>>

I agree that it might not make sense to do this for something like all
the Android signatures; if we're talking about hundreds of thousands,
instead of just a few thousand, then I'd start asking if it weren't
more appropriate to create my own databases from the published ones or
something like that. But for just a few thousand signatures, I'd have
thought a .ign2 file would be quite satisfactory. Isn't that what this
mechanism is for?

--
73,
Ged.
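The grep-and-cut one-liner Ged posted earlier in this thread, and the concern raised here about feeding clamd a very large .ign2 file, as one worked example. This is added code, not Ged's or ClamAV's: it builds an .ign2 ignore list (one signature name per line, which is the file's layout) from a constructed sample of signature lines rather than a real daily.cld, and it strips the name before the first ':' or ';' because ClamAV's ldb-style lines use ';' as their separator, where a plain `cut -d':'` would keep too much. The function names `make_ign2` and `ign2_is_clean` are mine.

```shell
#!/bin/sh
# Added example (not from the list posts): build a ClamAV .ign2 ignore list
# for one signature family and sanity-check it before handing it to clamd.

# Constructed sample of database lines in the two line formats found in
# ClamAV signature bodies (':'-separated hdb/ndb style and ';'-separated
# ldb style). The hex and logic fields are placeholders, not real signatures.
sample_db() {
    printf '%s\n' \
        'Phishtank.Phishing.Example_A-1:3:*:deadbeef' \
        'Win.Trojan.Example_B-1:1:*:cafebabe' \
        'Phishtank.Phishing.Example_C-2;Target:3;0&1;6578616d706c65;7075626c6973686572' \
        'Unix.Trojan.Example_D-1:6:*:0badf00d'
}

# make_ign2 PREFIX DBFILE OUTFILE
# Writes the matching signature names, one per line, to OUTFILE and prints
# how many were written, so the caller can decide whether the list is
# small enough to be sensible as an .ign2 file. As in the original
# one-liner, PREFIX is a regular expression anchored at line start.
make_ign2() {
    prefix=$1; dbfile=$2; outfile=$3
    # -a: treat the database as text even if it contains binary bytes.
    grep -a "^$prefix" "$dbfile" | sed 's/[:;].*//' | sort -u > "$outfile"
    wc -l < "$outfile" | tr -d ' '
}

# ign2_is_clean FILE
# Succeeds only if every line is a bare signature name: no separators and
# no whitespace, which would make clamd reject the file at load time.
ign2_is_clean() {
    ! grep -Eq '[:;[:space:]]' "$1"
}

# Demonstration on the constructed sample.
tmp=$(mktemp -d)
sample_db > "$tmp/sample.db"
count=$(make_ign2 'Phishtank.Phishing' "$tmp/sample.db" "$tmp/phishtank.ign2")
echo "wrote $count signature names:"
cat "$tmp/phishtank.ign2"
if ign2_is_clean "$tmp/phishtank.ign2"; then
    echo "phishtank.ign2 looks well-formed"
fi
rm -rf "$tmp"
```

To use it for real, point `make_ign2` at the daily.cld in your database directory, copy the resulting .ign2 into the directory clamd reads (its DatabaseDirectory), and tell clamd to RELOAD; the count it prints is the number you would compare against the "few thousand" Ged considers reasonable for this mechanism.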
Re: [clamav-users] Are signatures for Windows only?
Hi there,

On Mon, 25 Mar 2019, J.R. wrote:

> ... I've seen an increasing amount of people posting about their
> non-windows platforms that are scanning their *entire* system ...

People have been doing that kind of thing for years, I'm not sure how
much it's increasing. Most of the time it seems to me they don't know
why they're doing it nor even, if there is something in there to find,
how likely it is that a ClamAV scan will find it. You often see scans
of /proc/, /dev/ and the like - which is only going to cause problems,
not solve them.

If for example you're hosting files for Windows hosts on non-windows
platforms there's certainly a case for scanning shared data areas, but
I don't know how representative that is of the typical ClamAV user.
Although we share files with Windows platforms we really only use
ClamAV to scan mail. I guess we're as untypical of a ClamAV user as
you'll get. The main reason we use ClamAV is for third-party databases
such as the excellent set produced by Steve at Sanesecurity (once
again, thanks, Steve). Even so, ever since we took to rejecting mail
based on things like geography it really is just the occasional catch.
With an average incoming rate of mail of ca. 1200 attempts per day(*),
since January 2018 I've seen one genuine catch by ClamAV. As it happens
it was a malicious Word document, cunningly disguised as a statement of
account from a local hotel. As it happens we don't have an account with
that hotel - and we don't use Word, nor even Windows.

(*) After firewalling, 15 percent actually get to connect to port 25.

> I'm wondering if it is just a waste of CPU cycles, or if there are
> actual signatures that could detect anything on those platforms (that
> are not windows related)?

People do all sorts of daft things. A lot of what they do wastes CPU
(and the associated energy, which I think these days is more important)
but one can't really deny that there might be the occasional surprise.
Very occasional indeed, however, in the case of most *nix boxes, and I
can't remember the last time I scanned a Linux box using ClamAV or any
other package. At the time I didn't expect to find anything, I think it
was an experiment just to see how many false positives it gave and how
long it took.

It's a while since I looked at this, so I did a few 'grep's on 'daily':

mail6:/etc/mail/clamav# >>> wc daily.cld
 1531682  1534564 117369856 daily.cld
mail6:/etc/mail/clamav# >>> grep -ai Win daily.cld | wc
  853283   853326 66772035
mail6:/etc/mail/clamav# >>> grep -ai Andr daily.cld | wc
  255329   255329 18510754
mail6:/etc/mail/clamav# >>> grep -ai doc daily.cld | wc
  154521   154584 11340974
mail6:/etc/mail/clamav# >>> grep -ai unix daily.cld | wc
   86435    86437  6496632
mail6:/etc/mail/clamav# >>> grep -ai java daily.cld | wc
   38254    38260  2686509
mail6:/etc/mail/clamav# >>> grep -ai OSX daily.cld | wc
   35652    35652  2531765
mail6:/etc/mail/clamav# >>> grep -ai PDF daily.cld | wc
   11133    11147   801891
mail6:/etc/mail/clamav# >>> grep -ai xls daily.cld | wc
   10227    10227   748439
mail6:/etc/mail/clamav# >>> grep -ai Phish daily.cld | wc
    3257     3257  1348569
mail6:/etc/mail/clamav# >>> grep -ai linux daily.cld | wc
       2        2      296

All right, I ran that last one as a bit of a joke but you can see where
the biggest problems are.

--
73,
Ged.
Re: [clamav-users] Issue with clamav logical signature generation
Hi there,

On Mon, 25 Feb 2019, Al Varnell wrote:

> ... the strings you provided appear to contain an extra digit. I
> thought hex strings always contain an even number of digits?

Just as decimal strings are strings composed of decimal digits and can
be any length, hexadecimal strings are strings composed of hexadecimal
digits - and can also be any length. They usually present as an even
number of digits only because they generally represent the even numbers
of four-bit binary numbers found in machine registers: 8-bit bytes and
16-bit words from decades ago, 32-bit, 64-bit and even 128-bit words
(e.g. for IPv6 addresses) in more recent times. I'm sure I did once use
12-bit word lengths for some reason, but I can't now remember what the
hardware was.

--
73,
Ged.
Re: [clamav-users] Database updated over unencrypted connection?
Hi there,

On Fri, 15 Mar 2019, Franky Van Liedekerke wrote:

> Certificates cost nothing ...

CPU cycles don't.

--
73,
Ged.
Re: [clamav-users] Slow reload
Hi there,

On Thu, 21 Mar 2019, J.R. wrote:

>> The simplest way to achieve this right now would probably be to use
>> two servers for scanning ...
>
> Or just have the mail server send a 'tempfail' and the remote mail
> server will retry sending usually within 10 minutes...

The OP specifically mentioned Thunderbird, not a remote mail server.
You often can't be sure what a mail client will do in this kind of
situation. Especially when it's Thunderbird. :(

Agreed the tempfail would be fine most of the time, but some people do
seem to confuse email with Instant Messaging. Just the other day, in a
discussion about email security, a guy grumbled about my greylisting
his mail for ten minutes! I decided not to tell him that the default
greylist period here is a couple of hours, and just whitelisted him...

--
73,
Ged.
Re: [clamav-users] Slow reload
Hi there,

On Wed, 20 Mar 2019, Micah Snyder wrote:

> On 3/20/19, 10:04 AM, "clamav-users on behalf of Bowie Bailey" wrote:
>
>> On 3/20/2019 8:42 AM, Alessandro Vesely via clamav-users wrote:
>>
>>> On Tue 19/Mar/2019 15:35:39 +0100 Bowie Bailey wrote:
>>>
>>>> ClamAV is taking about 2 1/2 minutes to reload its database on my
>>>> mail server. This seems to frequently happen when we are sending
>>>> an email, so the Thunderbird will time out on the send (although
>>>> the message will frequently go through anyway).
>>>
>>> The mail server should scan the message with the database at hand.
>>> A forked child can do the filtering while the parent reloads. Upon
>>> loading, the child exits and new messages will be scanned by the
>>> parent with the updated database.
>>
>> That would be ideal, but it doesn't seem to be happening that way.
>> If I look at my logs, I see "SelfCheck", then "Reading databases",
>> and at that point all scanning stops until the "Database correctly
>> reloaded" message 2 1/2 minutes later. Is there a setting somewhere
>> to allow scanning to continue with the existing child processes
>> while the reload happens?
>
> I think Alessandro was suggesting how it could work, not how it does
> work. Clamd doesn't work that way at present. It has been a feature
> request for a very long time, one that I hope we can address sometime
> soon, but I don't know when.

The simplest way to achieve this right now would probably be to use two
servers for scanning, and arrange for them to update their DBs at
different times. A simple milter with a knowledge of the update schedule
could choose which scanner to use just by checking the time. I imagine
that it wouldn't be difficult, for example, to modify the well-known
MimeDefang to do that. It wouldn't be much more difficult to create a
milter especially for the purpose.

--
73,
Ged.
Re: [clamav-users] virus/malware risk level
Hi there,

On Thu, 30 May 2019, WagdeZ wrote:

> Using clamav... Is there any way to find out what is the risk level
> (score/priority/...) of the detected virus/malware?

The question is rather vague. In many cases the signature name gives
some sort of clue to what the signature is about, so if you have a
grasp of the infrastructure that you're dealing with (if you don't -
get one, quick) you can get a feel for the relevance to you in your
specific situation. This is part of the risk assessment that only you,
with your very particular knowledge of your situation, can make.

For example, if I were to see an incoming mail message flagged with

Win.Exploit.CVE_2019_0758-6968262-1

it wouldn't have me on the edge of my seat because I don't operate any
Windows boxes. There's no risk to any of my equipment from an exploit
that can only attack a Windows operating system, although obviously I'd
want to understand the reason for the detection before I forwarded the
message to anyone else. I'd also want to know why the message got as
far as it did through the chain of defences, because I haven't seen a
mail message trigger a detection since last September and that's the
way I like things to be. Peaceful. Nothing to keep me awake at night.

Increasingly commonly, successful attacks employ many vulnerabilities
rather than a single one. Often these multiple vulnerabilities are
perceived as "low risk" individually, but when they're all brought
together by a competent attacker the result is a complete compromise of
the network. Misery.

Any single detected threat is one too many.

--
73,
Ged.
Re: [clamav-users] clamd using ~1GB memory on Debian Stretch
Hi there,

On Mon, 13 May 2019, Avinash Sonawane wrote:

> e.g. I am expecting an email at 6 PM. I don't mind clamd taking that
> much memory *at* 6 PM and then releasing it. I find it absolutely
> inconvenient to have to forgo ~1GB memory since the morning. As I
> said, a poor bargain.

The bargain is the one that you made when you installed ClamAV. If you
now feel that it is a poor one, you can of course uninstall it at no
extra charge.

Also consider that the email that you receive at 6PM might conceivably
contain something which could completely destroy _all_ the software in
your computer system. Perhaps not such a poor bargain then, if ClamAV
manages to prevent this malicious message from doing its nasty work?

You will probably agree that your use case is unusual (even I get more
mail than you do... :). Unfortunately it is difficult to accommodate
the needs of every user within a single package. It is unlikely that
the development team will schedule big changes to ClamAV for a single
user who receives one single email per day. The same install is used
by some people on this list to scan more than one message every single
second of every single day; the design of ClamAV appears to suit those
people better than it suits you.

There is still some hope, however. The ClamAV source code is published.
If you want to contribute code which reduces the memory consumption of
clamd without making serious compromises in performance, I'm sure that
people here will be pleased to take a look at it.

Incidentally I normally run three copies of clamd on a single mail
server. Each copy uses 1GB RAM. On a typical day, the server sees a few
thousand to a couple of tens of thousands of attempts to send mail to
it; thankfully most of the time it's at the lower end of the range. The
last time any of them found anything was on 26 September 2018, and
speaking personally I'm more than happy with that.

--
73,
Ged.
Re: [clamav-users] Duplicate database, 525 minutes to complete, >90% CPU
Hi there,

On Tue, 21 May 2019, Clark Dunson wrote:

> ... /usr/bin/clamscan -o -i -r --quiet / ...

Don't do that. Search the list archives for explanations.

--
73,
Ged.
Re: [clamav-users] ClamAV reputation rating
Hi there,

On Fri, 28 Jun 2019, Al Varnell wrote:

> On Thu, Jun 27, 2019 at 07:51 AM, Joel Esler (jesler) via clamav-users wrote:
>
>> On Jun 26, 2019, at 7:25 PM, Epicon Elysium via clamav-users
>> <clamav-users@lists.clamav.net> wrote:
>>
>>> We're building a PaaS where everything runs on Linux. As part of
>>> the security requirements, we have to deploy Antivirus as well. We
>>> chose ClamAV in this case. One of the requirements in terms of
>>> Antivirus is that we should enable reputation rating.
>> ...
>> The short answer is "No". ClamAV does not do reputation ratings,
>> unless you are talking about a scale of not malicious, heuristic,
>> PUA, and full on malicious. But there is not a reputation system, no.
>
> The OP is going to have to explain more fully, but I took the question
> as does ClamXAV consider any reputation ratings that are made by the
> e-mail systems through which a message transits which are often
> expressed as spam or malware scores in the header information.

Seems to me that the OP doesn't know what he wants, but he has some
kind of requirements specification which was written by somebody who
doesn't know either, and he's doing his best to comply with that.

Anti-virus and reputation are pretty much orthogonal concepts.

My take on reputation is: If it comes from something somehow listed in
one of my blacklists, it has a bad reputation and I don't want it (to
the point of automatically adding a firewall TARPIT rule if it tries to
send me anything).

mail6:/etc/mail/x-milter# >>> wc -l *blacklist
  140 x-milter_ASN_blacklist
  324 x-milter_connect_blacklist
   57 x-milter_country_blacklist (*)
  166 x-milter_envfrom_blacklist
  104 x-milter_header_blacklist
  107 x-milter_helo_blacklist
   18 x-milter_rcpt_blacklist
   14 x-milter_RP_blacklist
    6 x-milter_SPF_blacklist
    9 x-milter_whois_blacklist
  945 total

(*) The line count is rather misleading for this file, there are at the
moment 165 ISO 3166-1 country codes in it:
https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2

If anyone wants to see any of this stuff I'm happy to publish it. Of
course this is a Sendmail milter which scans mail. If you're shaving
yaks, things are very different. I just hope that there's something
here that might stimulate.

--
73,
Ged.
Re: [clamav-users] Disable official database
Hi there,

On Sat, 24 Aug 2019, Joel Esler (jesler) wrote:

> I mean, it's possible not to download the official definitions and
> just point at a custom file right?

No idea. Haven't tried it.

> If you can, it seems like it would be a security hole.

The code seems to be saying that it wants to load the daily.c[lv]d file
before anything else; the name is hard-coded into the file I mentioned;
and those files are signed. Given that there's already been some
discussion along these lines (e.g. see the link in my last post) I'd be
surprised if nobody else has tried it, but I've been surprised
before. :)

--
73,
Ged.
Re: [clamav-users] Disable official database
Hi there,

On Sat, 24 Aug 2019, azu...@pobox.sk wrote:

> is it possible to disable official virus database? I would like to
> use only custom database. Thanks for info.

A quick look at the code in libclamav/readdb.c suggests to me that this
won't be very straightforward. The name of the 'daily' database is
hard-coded into the source. Database files are digitally signed, so in
theory you can't easily create an empty one and expect it to load
correctly. Perhaps the easiest approach would be to disable the
signature checks.

Maybe you could patch the code so that it doesn't read the databases
which you don't need, and I'd guess that would be useful to others too;
it's been mentioned on this list recently, see for example

https://lists.clamav.net/pipermail/clamav-users/2019-April/007901.html

I'm sure Micah would welcome well thought-out patches.

--
73,
Ged.
Re: [clamav-users] Disable official database
Hi there,

On Sun, 25 Aug 2019, Kees Theunissen wrote:

> On Sat, 24 Aug 2019, azu...@pobox.sk wrote:
>
>> is it possible to disable official virus database? I would like to use only custom database. Thanks for info.
>
> ... I didn't need virus databases at all ... (I didn't even test if I could start clamd without databases.) I created a database directory containing only a custom database ... So yes, at that time, it was possible to run at least clamd without the official virus database. I only used this with clamd, not with clamscan. And I didn't test this with the current clamav version.

To find out what might work and what might not, here's what I did:

== Using 'clamd':

8<--
1. I moved the 'main.cld' and 'daily.cld' files from my working clamav database directory to a temporary directory, replaced them with empty files, and by sending a message to its TCP port I told one of my clamd daemons to reload its databases. (By default clamd doesn't listen on TCP, but I normally configure that anyway.) Here's what happened:

Aug 25 08:28:01 mail6 root: PONG
Aug 25 08:28:20 mail6 ged: RELOADING
Aug 25 08:28:23 mail6 clamd[4518]: Reading databases from /etc/mail/clamav
Aug 25 08:28:23 mail6 clamd[4518]: reload db failed: Malformed database
Aug 25 08:28:23 mail6 clamd[4518]: Terminating because of a fatal error.
Aug 25 08:28:23 mail6 clamd[4518]: Pid file removed.
Aug 25 08:28:23 mail6 clamd[4518]: --- Stopped at Sun Aug 25 08:28:23 2019

The clamd daemon disliked the empty 'main' and 'daily' files and died. I guess some folk might prefer it to carry on with the old databases, but at least it's very clear what's happened.

8<--
2. Instead, I simply moved the two files elsewhere and said 'RELOAD'. This was successful. Just the 'safebrowsing' etc. and third-party signatures were reloaded and the daemon seemed happy. As you can see, without 'main' and 'daily' there were only 2.6 million signatures:

Aug 25 08:35:01 mail6 root: PONG
Aug 25 08:35:32 mail6 ged: RELOADING
Aug 25 08:35:35 mail6 clamd[5479]: Reading databases from /etc/mail/clamav
Aug 25 08:35:49 mail6 clamd[5479]: Database correctly reloaded (2603979 signatures)
Aug 25 08:36:01 mail6 root: PONG

8<--
3. After replacing 'main' and 'daily' where they normally live, back up to nearly 9 million signatures:

Aug 25 08:36:39 mail6 ged: RELOADING
Aug 25 08:36:40 mail6 clamd[5479]: Reading databases from /etc/mail/clamav
Aug 25 08:36:56 mail6 ged: RELOADING
Aug 25 08:37:01 mail6 root: PONG
Aug 25 08:38:01 mail6 root: PONG
Aug 25 08:39:01 mail6 root: PONG
Aug 25 08:40:01 mail6 root: PONG
Aug 25 08:40:05 mail6 clamd[5479]: Database correctly reloaded (8900727 signatures)
Aug 25 08:41:01 mail6 root: PONG

== Using 'clamscan':

8<--
4. Running clamscan with my production database directory on a random test file supplied by the ClamAV install:

mail6:~/src/net/mail/clamav-0.101.4/test$ >>> clamscan -d /etc/mail/clamav clam.exe
clam.exe: Clamav.Test.File-6 FOUND

--- SCAN SUMMARY ---
Known viruses: 8893502
Engine version: 0.101.4
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 215.517 sec (3 m 35 s)

8<--
5. The same, using a completely empty database directory:

mail6:~/src/net/mail/clamav-0.101.4/test$ >>> clamscan -d /etc/mail/clamav/empty clam.exe
LibClamAV Error: cli_loaddbdir(): No supported database files found in /etc/mail/clamav/empty
ERROR: Can't open file or directory

--- SCAN SUMMARY ---
Known viruses: 0
Engine version: 0.101.4
Scanned directories: 0
Scanned files: 0
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 0.015 sec (0 m 0 s)

8<--
6. The same, using a database directory containing just an empty file:

mail6:~/src/net/mail/clamav-0.101.4/test$ >>> ls -l /etc/mail/clamav/empty/
total 0
-rw-r--r-- 1 root root 0 Aug 25 10:25 empty.ign2
mail6:~/src/net/mail/clamav-0.101.4/test$ >>> /usr/local/bin/clamscan -d /etc/mail/clamav/empty clam.exe
clam.exe: OK

--- SCAN SUMMARY ---
Known viruses: 0
Engine version: 0.101.4
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 0.017 sec (0 m 0 s)
8<--

This was all with the current ClamAV version. LibClamAV is not happy with no database files at all, but it's happy if at least
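A practical lesson from the experiment above is that a reload can "succeed" while quietly losing two thirds of the signatures, and a syslog line is the only evidence. The following is an added example, not code from the post or from the ClamAV project: it parses clamd syslog lines of the kind shown above (the sample lines are copied from the post; hostname and PIDs as posted) and flags a failed reload, a reload that loaded fewer signatures than an absolute floor, or a large drop against the previous successful reload. The thresholds are assumptions chosen for illustration.

```python
"""Added example (not from the mailing-list post): watch clamd reload messages
in syslog and alert when a reload failed or came back with far fewer
signatures than expected, e.g. because 'main' and 'daily' went missing."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample lines copied from the post above (constructed test input for this example).
SAMPLE_LOG = """\
Aug 25 08:28:20 mail6 ged: RELOADING
Aug 25 08:28:23 mail6 clamd[4518]: Reading databases from /etc/mail/clamav
Aug 25 08:28:23 mail6 clamd[4518]: reload db failed: Malformed database
Aug 25 08:28:23 mail6 clamd[4518]: Terminating because of a fatal error.
Aug 25 08:35:35 mail6 clamd[5479]: Reading databases from /etc/mail/clamav
Aug 25 08:35:49 mail6 clamd[5479]: Database correctly reloaded (2603979 signatures)
Aug 25 08:36:40 mail6 clamd[5479]: Reading databases from /etc/mail/clamav
Aug 25 08:40:05 mail6 clamd[5479]: Database correctly reloaded (8900727 signatures)
"""

# Only clamd's own lines matter; the PONG/RELOADING lines come from other processes.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) clamd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
OK_RE = re.compile(r"Database correctly reloaded \((?P<n>\d+) signatures\)")
FAIL_RE = re.compile(r"reload db failed: (?P<reason>.*)")


@dataclass
class ReloadEvent:
    ts: str
    pid: int
    ok: bool
    signatures: Optional[int]      # None when the reload failed
    reason: Optional[str]          # None when the reload succeeded
    alert: Optional[str] = None    # filled in by check_reloads()


def parse_reloads(text: str) -> List[ReloadEvent]:
    """Turn clamd syslog lines into a list of reload outcomes, in log order."""
    events: List[ReloadEvent] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg, pid, ts = m.group("msg"), int(m.group("pid")), m.group("ts")
        ok = OK_RE.search(msg)
        if ok:
            events.append(ReloadEvent(ts, pid, True, int(ok.group("n")), None))
            continue
        fail = FAIL_RE.search(msg)
        if fail:
            events.append(ReloadEvent(ts, pid, False, None, fail.group("reason")))
    return events


def check_reloads(events: List[ReloadEvent],
                  min_signatures: int = 5_000_000,   # assumed floor: well below a full main+daily load
                  max_drop: float = 0.5) -> List[ReloadEvent]:
    """Annotate each event with an alert when something is wrong:
    a failed reload, a count under the floor, or a fall of more than
    max_drop relative to the previous successful reload."""
    last_ok: Optional[int] = None
    for ev in events:
        if not ev.ok:
            ev.alert = f"reload failed: {ev.reason}"
            continue
        assert ev.signatures is not None
        if ev.signatures < min_signatures:
            ev.alert = f"only {ev.signatures} signatures loaded (floor {min_signatures})"
        elif last_ok is not None and ev.signatures < last_ok * (1 - max_drop):
            ev.alert = f"signature count fell from {last_ok} to {ev.signatures}"
        last_ok = ev.signatures
    return events


if __name__ == "__main__":
    for ev in check_reloads(parse_reloads(SAMPLE_LOG)):
        print(ev.ts, ev.pid, "OK" if ev.ok else "FAILED", ev.signatures, ev.alert or "")
```

Run against the sample, the first event is the fatal "Malformed database" reload, the second (2.6 million signatures) trips the floor, and the third (8.9 million) is clean. Feeding it the live syslog from a log shipper gives you the check that the daemon itself does not do: noticing that a reload "worked" with most of the signature set gone.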
Re: [clamav-users] Port number
Good morning,

Alpesh Thakare via clamav-users wrote:

> Date: Tue, 27 Aug 2019 10:53:30 +0530
> What is the port number used by ClamAV.
>
> Date: Tue, 27 Aug 2019 11:58:34 +0530
> 3310 port what is this ?
>
> Date: Tue, 27 Aug 2019 12:48:09 +0530
> What is the clamd service port in centos.

Could you please read some of the documentation?

--
73,
Ged.
Re: [clamav-users] OnAccessExcludePath
Hi there,

On Thu, 29 Aug 2019, Frans de Boer wrote:

> OnAccessExcludePath STRING, where string denotes a directory. Does this also imply "that directory and anything below that", or just the directory only?

.../docs/html/UserManual/OnAccess.html

--
73,
Ged.
Re: [clamav-users] Still Baffled: cli_scanxz: decompress file size exceeds limits
Hi there,

On Fri, 30 Aug 2019, Michael Newman via clamav-users wrote:

> I’m still baffled trying to figure out what is causing this error.

It's not an error. As it says, it's a warning. You're probably worrying about nothing but it's usually as well to find out exactly what's happening.

> /Users/mnewman/Downloads/Safety-Cut GFCI.pdf: OK
> LibClamAV Warning: cli_scanxz: decompress file size exceeds limits - only scanning 27262976 bytes
> /Users/mnewman/Downloads/gettext-0.19.6-MACOS-10.11-10.12-SDK-10.11.pkg: OK
> ...
> ... I have many files which are much bigger than 25 MB, but only this one, unidentified file is causing the problem.

There are quite a few limits set by the scanning engine. Some of them are set for the safety of the system, so that, for example, you don't inadvertently give the computer more work to do than it's capable ever of doing. Amongst other things, that might happen if you scan a file like a compressed archive which itself is small, but which claims that it contains billions of enormous files. That appears to be the sort of thing that's happening here. It's not the size of the file, it's the size of the extracted, uncompressed content. That, after all, is what needs to be scanned.

Unfortunately, faults in the implementation of compression methods, and even the techniques themselves, can expose the system to risk from malicious files in this way. It's unlikely to do a lot of damage, but it might cause a type of denial of service so it has to be considered by the software. That's not to say that you have a malicious file on your system, but it seems there's at least one which triggers a safety limit. Some of these limits are set quite conservatively, and they can be adjusted, but most people don't bother. I don't bother.

> I ran clamscan so that the log file would be verbose. I’m including a few lines from the log on both sides of the error message. As far as I can see, it doesn’t give me a clue as to what file is causing the error:

The clue is there - it's decompressing something. Unfortunately it's possible to have compressed data in all sorts of files. Some parts of the ClamAV libraries never actually know the name of the file that's being scanned (there might not even be a file, it might just be a scan of a stream of data sent to a socket for example), so at the point where the warning is generated, there isn't any filename to give you.

If I wanted to know which file was triggering the warning in this case I'd start with a scan of /Users/mnewman/Downloads/gettext-0.19.6-MACOS-10.11-10.12-SDK-10.11.pkg because it looks to me like that's the file which was being scanned when LibClamAV decided to emit the warning, but I don't know exactly how you got the output that you've posted for us. The log messages for multi-tasking, multi-user systems often don't appear in exactly the sequence that you might expect, nor even exactly in the chronological sequence that they were generated, so things can sometimes get a bit confusing. You'll get used to it after a couple of decades. :)

If that's what's happening here you could scan one directory at a time, then one sub-directory at a time and so on until you find it. When you're confused by the system logs then it can be easier to figure out what's going on if instead you get all the output from the scan to go to the console.

--
73,
Ged.
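The reasoning in the reply above, that a warning printed between two result lines belongs to the file whose result comes *after* it, because clamscan only prints a file's verdict once it has finished with that file, can be turned into a small tool. The following is an added example, not code from the post or from ClamAV: it reads clamscan console output (the sample lines are the ones quoted above) and attaches each `LibClamAV Warning:` line to the next result line, keeping any trailing warning under an `<unattributed>` key. It relies on the output being sequential, which is true of clamscan writing to a console but, as the reply notes, not necessarily of syslog from a multi-threaded daemon.

```python
"""Added example (not from the post): attribute LibClamAV warnings in clamscan
console output to the file that was being scanned when they were emitted."""
import re
from typing import Dict, List, Optional

# Sample output copied from the post above (constructed test input for this example).
SAMPLE_OUTPUT = """\
/Users/mnewman/Downloads/Safety-Cut GFCI.pdf: OK
LibClamAV Warning: cli_scanxz: decompress file size exceeds limits - only scanning 27262976 bytes
/Users/mnewman/Downloads/gettext-0.19.6-MACOS-10.11-10.12-SDK-10.11.pkg: OK
"""

# A result line is "<path>: OK", "<path>: <signature> FOUND" or "<path>: <text> ERROR".
RESULT_RE = re.compile(r"^(?P<path>.+?): (?P<verdict>OK|.+ FOUND|.+ ERROR)$")
WARN_RE = re.compile(r"^LibClamAV Warning: (?P<text>.*)$")
LIMIT_RE = re.compile(r"only scanning (?P<n>\d+) bytes")


def attribute_warnings(output: str) -> Dict[str, List[str]]:
    """Map each file path to the warnings emitted while it was being scanned.

    The verdict for a file is printed only when the scan of that file is
    finished, so a warning belongs to the *next* result line. Warnings with
    no following result line are returned under '<unattributed>'."""
    pending: List[str] = []
    by_file: Dict[str, List[str]] = {}
    for line in output.splitlines():
        w = WARN_RE.match(line)
        if w:
            pending.append(w.group("text"))
            continue
        r = RESULT_RE.match(line)
        if r and pending:
            by_file.setdefault(r.group("path"), []).extend(pending)
            pending = []
    if pending:
        by_file["<unattributed>"] = pending
    return by_file


def scanned_bytes(warning: str) -> Optional[int]:
    """Number of bytes the engine actually scanned, if the warning states it."""
    m = LIMIT_RE.search(warning)
    return int(m.group("n")) if m else None


if __name__ == "__main__":
    for path, warnings in attribute_warnings(SAMPLE_OUTPUT).items():
        for w in warnings:
            n = scanned_bytes(w)
            size = f" (scanned {n / (1024 * 1024):.0f} MiB)" if n is not None else ""
            print(f"{path}: {w}{size}")
```

On the quoted output this names the gettext .pkg as the carrier of the oversized compressed stream, and reports that the engine stopped after 27262976 bytes, which is exactly 26 MiB. A practitioner would then rescan just that file to confirm, and decide whether the relevant clamscan/clamd limit should be raised for that particular source of files or left alone.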
Re: [clamav-users] OnAccessExcludePath
Hi there,

On Fri, 30 Aug 2019, Frans de Boer wrote:

> On 30-08-19 10:26, G.W. Haywood via clamav-users wrote:
>
>> On Thu, 29 Aug 2019, Frans de Boer wrote:
>>
>>> OnAccessExcludePath STRING, where string denotes a directory. Does this also imply "that directory and anything below that", or just the directory only?
>>
>> .../docs/html/UserManual/OnAccess.html
>
> Ok, I read it and almost the only word extra is "recursively". So, my setup should work, but it does not.

Read it again. It's quite clear on the point. Here's the point:

OnAccessMountPath <<<<<
OnAccessExcludePath <<<<<

--
73,
Ged.
Re: [clamav-users] How to boost clamav? Reloading database results in a talking timeout?
Hi there,

On Sat, 31 Aug 2019, Henrik K wrote:

> The reload bug has been known for years, even has a ready patch.
>
> https://bugzilla.clamav.net/show_bug.cgi?id=10979
>
> But nothing you can do about it...

Well not quite nothing, since you can download the source, apply the patch, and rebuild ClamAV.

At the moment I'm scanning mail with two copies of clamd, one patched and one plain vanilla. Despite some concerns about the reliability in #10979, which is why I'm running an unpatched copy as well, the patched version seems to be holding up - at least at fairly low mail volumes. This is with my own Perl milter, see my recent post on the dev list describing it. If anyone wants to try it they're more than welcome.

--
73,
Ged.
Re: [clamav-users] Question regarding Metasploit signatures
Hi there,

On Fri, 30 Aug 2019, Manna, Mohammed via clamav-users wrote:

> What I can see that ClamAV cannot always successfully detect reverse shell type of files (built using Metasploit msfvenom). And also, if the file is covered using a pseudo extension e.g. test.exe.txt
>
> When I was comparing this on virustotal.com ClamAV seems to be missing quite a lot of them. Is there any reason why ClamAV doesn't do a more extensive search?

ClamAV is by no means perfect, but you haven't told us how you have configured it, nor how you are using it, so it's difficult to make any particular observations. There is a system for reporting failed detections which you can use, but to avoid wasted effort it will be as well for you first to check that your issue is not simply the expected result of how you have configured your ClamAV installation.

> Reverse shell or bind shell both are sensitive files and I was expecting ClamAV to be detecting them somehow.

In network security, expecting things to work as intended is sure to lead to eventual disappointment. If instead you expect things to fail, and base your behaviour on that expectation, you will likely be surprised less often - and suffer fewer system compromises. For example, although I scan all mail using ClamAV, I never expect it to find anything; but I also block all mail from more than a hundred and sixty ISO 3166 country codes, which is partly why ClamAV hasn't reported anything malicious in our mail since last September. That doesn't mean that ClamAV wouldn't have found anything if it had been given the opportunity to scan it, but it *does* mean that there is a much reduced probability of something nasty reaching one of my users. Of course, even if it did, it's unlikely to have any serious effect because (a) the users are educated and (b) they're using Linux boxes which are immune from the vast majority of malicious software. This is called "defence in depth". There's more, which I won't reveal in a public forum.

> Could someone clarify? Also, if this is mentioned anywhere in the docs, I would be grateful if you please point me to that.

The 'man' pages for clamscan, clamd.conf and clamsubmit might be good places to start.

--
73,
Ged.
Re: [clamav-users] How to boost clamav? Reloading database results in a talking timeout?
Hi there,

On Sat, 31 Aug 2019, Henrik K wrote:

> ... If I encountered a bug like that on some project that I'm maintaining, I would be shamed not to rapidly fix it. If you called it a limitation I could agree, but I guess it's working as designed.

I'd call it an issue rather than a fault in the software. If there _are_ bugs in this issue they're in the patch for it, which may be why, AFAICT, I'm one of only about three people on the planet who are actually running it. More testing, by people prepared to chip in some effort instead of complaining about something that they get for free, would be great.

--
73,
Ged.
Re: [clamav-users] How to boost clamav? Reloading database results in a talking timeout?
Hi there,

On Sat, 31 Aug 2019, J.R. via clamav-users wrote:

> ... I wouldn't call the current design a "bug"... It works as intended.

+1

> However it would be nice if a fresh DB could be parsed & loaded, then swapped, to prevent service interruption.

That's exactly what the patch in #10979 does. Unfortunately, although as I've said it's simple enough to apply the patch, it's by no means a simple patch and it would greatly benefit from some serious testing by the community - especially by people who see higher volumes of mail than I do. Perhaps we should call it "crowd-sourcing"? Would that be better? :)

--
73,
Ged.
Re: [clamav-users] freshclam incremental update
Hi there,

On Sat, 31 Aug 2019, Birger Birger via clamav-users wrote:

> have tried that but download of daily.cvd with freshclam still stops at 99% and never completes downloading daily and incremental with wget works fine

If others don't have the same issue, and you can download the files OK with wget, then it seems to point towards something in your system. In the last few days I've seen freshclam remove a few broken mirrors.dat files:

mail6:~$ >>> grep broken /var/log/clamav/freshclam.log
Wed Aug 21 19:02:10 2019 -> WARNING: Removing broken mirrors.dat file.
Fri Aug 23 16:18:59 2019 -> WARNING: Removing broken mirrors.dat file.
Fri Aug 23 16:28:38 2019 -> WARNING: Removing broken mirrors.dat file.

Maybe try removing the file manually? I've no idea if it will help, and I've never seen here anything like the issue you're seeing there.

--
73,
Ged.
Re: [clamav-users] Question regarding Metasploit signatures
Hi there,

On Sat, 31 Aug 2019, J.R. via clamav-users wrote:

> If the virus pattern is in one of the database files, then you are alerted... If it's not, then no alert... That's how every antivirus works...

There's a bit more to it than that. Some detection is based on other characteristics, such as behaviour. But I think it's true to say that the mainstay of detection by ClamAV is through the signature databases. That's how I use it - there are a few excellent third-party databases.

--
73,
Ged.
Re: [clamav-users] How to boost clamav? Reloading database results in a talking timeout?
Hi there,

On Sat, 31 Aug 2019, Henrik K wrote:

> On Sat, Aug 31, 2019, G.W. Haywood via clamav-users wrote:
>
>> Well not quite nothing, since you can download the source, apply the patch, and rebuild ClamAV.
>
> Sure but it's not reality for majority of users.. While it's good that people try it out, I doubt if it would take long for a dev to verify the patch carefully and implement boolean for its use. But I guess new features pay more than having a robust engine.

It's not quite as simple as that. This software has to run reliably on millions of systems with thousands of combinations and permutations of configurations. It's doing that right now. There've occasionally been examples of a change made perhaps a little too hastily which gave grief to many users and rise to a lot of spleen-venting on the users' mailing list. It would be a brave decision, in the face of the valid concerns noted in #10979, to release a new version, world-wide, for production use, which contains the patch that I'm running now merely as an experiment with my eyes wide open on a server that crashed four times this month because I'm also working on some netfilter stuff.

This is a community effort. If you're familiar with C it isn't at all difficult to apply the patch, and I'd be happy to mail the two patched files (56kBytes in total) to anyone who didn't feel up to applying the patches themselves. Then, if you felt brave enough, it would _almost_ be as simple as

./configure && make && sudo make install

to build and install it.

Incidentally I'm a Sendmail dinosaur, and the default timeouts appear to be longer for Sendmail than they are for Postfix. I'm sure it's easy to make them longer for Postfix; then this issue would, if not disappear, at least more or less be transparent. It really isn't that big a deal if you know what you're doing.

--
73,
Ged.
Re: [clamav-users] How to boost clamav? Reloading database results in a talking timeout?
Hi there,

On Sat, 31 Aug 2019, Henrik K wrote:

> On Sat, Aug 31, 2019 at 04:48:54PM +0100, G.W. Haywood via clamav-users wrote:
>
> The final responsibility of implementing and testing the issue is still that of the ClamAV team.

Agreed.

> You are really making this much more complex and "scary" issue than it is.

No, I don't think I am. How much experience do you have of writing thread-safe code in C?

--
73,
Ged.
Re: [clamav-users] How to boost clamav? Reloading database results in a talking timeout?
Hi there,

On Sun, 1 Sep 2019, Thomas Barth via clamav-users wrote:

> Am 2019-08-31 20:35, schrieb G.W. Haywood via clamav-users:
>
>> That's exactly what the patch in #10979 does. ...
>
> And where can I find this patch?

If you navigate to

https://bugzilla.clamav.net/show_bug.cgi?id=10979

and then down to "Comment 2" (dated 2016-11-28 12:16:52 EST) you will see a link "attachment 7196". This is a modification to the original #10979 patch. If you navigate to that link you will see a page which gives a representation of the patch 'diff'. Near the top of that page there is a link "Raw Unified", which takes you to the raw unified diff text which is here:

https://bugzilla.clamav.net/attachment.cgi?id=7196=diff=patch==1=raw

You might be able to use this as input to 'patch' but I didn't try it, I did not expect it to work well on code which is years younger than that on which the patch is based. Instead, I applied the patch by hand with an editor. It was tedious but not difficult. Even if you do not believe that you can trust my patched files (which I think is a perfectly reasonable belief:) I should be happy to mail the patched files to you so that you can compare the results of patching to give you some confidence that it will work.

> ... what happens if I update my system (# aptitude update && aptitude safe-upgrade) and a new version of clamav is being installed. Do I always have to repatch clamav?

If you want to use this patch you must compile and install ClamAV from the sources distributed on the clamav.net Website. You cannot use the package management system of any Operating System (OS) distribution to install any version of the ClamAV package(s) from the OS distribution. Of course you could create your own package from the patched sources, and then use the package management system to install your own package. Many administrators do that when they have large numbers of machines to be installed but they have some reason to avoid using the packages produced by the OS publisher.

If 'upstream' produces a new version of the package which (still) does not contain the patch then yes, you do have to re-apply the patch.

Your package manager will probably set up ClamAV in a way which is very different from the way it is set up after building from source, e.g. using directory paths like /usr/bin and /usr/sbin instead of /usr/local/bin, /usr/local/sbin etc. - here are some samples from a machine with both kinds of package installed:

mail6:~$ >>> l /usr/sbin/clam*
-rwxr-xr-x 1 root root 223296 Apr 15 22:12 /usr/sbin/clamd
-rwxr-xr-x 1 root root 233424 Apr 15 22:12 /usr/sbin/clamav-milter
mail6:~$ >>> l /usr/local/sbin/clam*
-rwxr-xr-x 1 root staff 581080 Aug 21 18:43 /usr/local/sbin/clamd
-rwxr-xr-x 1 root staff 581368 Aug 22 14:33 /usr/local/sbin/clamd_patched
mail6:~$ >>> l /usr/bin/freshclam
-rwxr-xr-x 1 root root 202816 Apr 15 22:12 /usr/bin/freshclam
mail6:~$ >>> l /usr/local/bin/freshclam
-rwxr-xr-x 1 root staff 442616 Aug 22 14:33 /usr/local/bin/freshclam

Note that there are THREE versions of clamd on this machine - the OS distribution version and two versions built from source. The versions built from source are the two which are currently running on the machine:

mail6:~$ >>> top -n1 -b -u clamav
top - 18:04:21 up 9 days, 1:49, 9 users, load average: 0.11, 0.33, 0.29
Tasks: 152 total, 1 running, 151 sleeping, 0 stopped, 0 zombie
%Cpu(s): 2.1 us, 0.5 sy, 0.1 ni, 92.5 id, 0.3 wa, 0.0 hi, 4.4 si, 0.0 st
KiB Mem: 16469180 total, 15243004 used, 1226176 free, 232408 buffers
KiB Swap: 3212284 total, 0 used, 3212284 free. 11851656 cached Mem

 PID USER   PR NI    VIRT    RES   SHR S %CPU %MEM     TIME+ COMMAND
3846 clamav 20  0   61220   5644  4568 S  0.0  0.0   4:07.37 freshclam
5479 clamav 20  0 1430760 1.058g  4604 S  0.0  6.7 115:21.15 clamd
7689 clamav 20  0 1490600 1.061g  4656 S  0.0  6.8 123:10.10 clamd_patched

There will be other path differences too, for configuration and data file stores.

If you do something like this then you need to make sure that you're running the right binaries, and that the binaries will use the right configurations and libraries. If you aren't sure you can do that then it would be best to uninstall and *purge* the OS versions of the packages before you install the package from source. This applies not just to ClamAV, but to any package where there may be conflicts of this kind.

HTH

--
73,
Ged.
Re: [clamav-users] freshclam incremental update
Hello again,

On Sun, 1 Sep 2019, Birger Birger via clamav-users wrote:

> Deleted the mirrors.dat file and tried a new freshclam with result:
>
> getpatch: can't download daily-25559.cdiff from db.se.clamav.net
> Incrental update failed, trying to update daily.cvd
>
> Can see that in /var/lib/clamav/ there is a new mirrors.dat file of 104 byte and a new clamav*.tmp folder with 28 files and 135.8 MB. I have been struggling with this now for more than a year. Something is very wrong!

I guess you knew that. :(

What operating system distribution are you using?
What version?
What version of ClamAV are you using?
How did you install it?
Have you _ever_ installed any other versions of ClamAV on the computer?
If you have installed other versions, how did you do that?
Which user runs freshclam?
Does that user have the necessary access to all files and directories it uses?
How much free space on all partitions?
How much memory on the computer?
Where is the computer located (geography)?
How is it connected to the Internet?
What is the public IP address right now?
Is the public IP address static or dynamic?
If the public IP address is dynamic, how often does it change?
Do you run any packet filtering on the computer? (That is, is there any firewalling by iptables, netfilter or anything similar?)

Please post the full output of the commands

locate freshclam

and

freshclam --list-mirrors

plus the complete log of the most recently failed attempt by freshclam to update the databases.

Please COPY AND PASTE the last three items, do not alter them in any way.

--
73,
Ged.
Re: [clamav-users] Fwd: Fwd: freshclam incremental update
Hi there,

On Tue, 3 Sep 2019, Birger Birger via clamav-users wrote:

> Sep 3 10:43:22 zentyal kernel: [266193.080510] zentyal-firewall drop IN= OUT=eth0 SRC=192.168.1.30 DST=104.16.218.84 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=52480 DF PROTO=TCP SPT=51666 DPT=80 WINDOW=9057 RES=0x00 ACK FIN URGP=0 MARK=0x1

That's a Cloudflare destination IP. You see it in your freshclam log. Cloudflare delivers the ClamAV data and you're dropping packets sent to it from 192.168.1.30. I guess that's your immediate problem.

> Another question about "Ubuntu Syslog".
>
> Sep 3 10:41:17 zentyal kernel: [266068.432972] zentyal-firewall drop IN=eth0 OUT= MAC=00:0c:29:be:5d:f2:00:1d:aa:69:86:78:08:00 SRC=112.85.42.229 DST=192.168.1.30 LEN=67 TOS=0x00 PREC=0x00 TTL=46 ID=58277 DF PROTO=TCP SPT=14305 DPT=22 WINDOW=229 RES=0x00 ACK PSH UR$

The IP address 112.85.42.229 appears to be in Shanghai, and it appears that it's trying to make SSH connections to 192.168.1.30. If that were my router, I would not let these attempts through it.

I repeat that I suggest you upgrade ClamAV to the latest version.

--
73,
Ged.
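The two netfilter log lines above tell two different stories once the fields are pulled apart: an *outbound* packet from the LAN host to port 80 at the address freshclam was fetching from (which is why the update never completes), and an *inbound* packet from the Internet to port 22 (which the firewall correctly dropped). The following is an added example, not code from the post or from the Zentyal or ClamAV projects: it parses kernel netfilter log lines of that format into their KEY=VALUE fields and classifies each drop. The sample lines are the ones quoted above (the second is cut off at "UR$" in the post, so its tail is trimmed here, and a third non-firewall kernel line is constructed to show that unrelated lines are ignored); the LAN prefix and the list of "update" ports are assumptions.

```python
"""Added example (not from the list post): triage netfilter drop lines from
syslog, separating 'I am blocking my own update traffic' from 'someone is
knocking on my SSH port'."""
import re
from typing import Dict, List, Optional

# Constructed sample input: first two lines copied from the post (second one
# trimmed at the point where the post cuts it off), third line invented.
SAMPLE_LINES = [
    "Sep 3 10:43:22 zentyal kernel: [266193.080510] zentyal-firewall drop IN= OUT=eth0 "
    "SRC=192.168.1.30 DST=104.16.218.84 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=52480 DF "
    "PROTO=TCP SPT=51666 DPT=80 WINDOW=9057 RES=0x00 ACK FIN URGP=0 MARK=0x1",
    "Sep 3 10:41:17 zentyal kernel: [266068.432972] zentyal-firewall drop IN=eth0 OUT= "
    "MAC=00:0c:29:be:5d:f2:00:1d:aa:69:86:78:08:00 SRC=112.85.42.229 DST=192.168.1.30 "
    "LEN=67 TOS=0x00 PREC=0x00 TTL=46 ID=58277 DF PROTO=TCP SPT=14305 DPT=22 WINDOW=229 "
    "RES=0x00 ACK PSH",
    "Sep 3 10:45:00 zentyal kernel: [266300.000000] usb 1-1: new high-speed USB device",
]

LAN_PREFIX = "192.168.1."      # assumption: the poster's LAN
UPDATE_PORTS = {"80", "443"}   # freshclam fetches over HTTP/HTTPS

# "<log prefix> <verdict> IN=..." : the verdict word is what the rule's --log-prefix
# put there (here 'drop'); everything after it is KEY=VALUE pairs or bare flags.
NF_RE = re.compile(r"(?P<rule>\S+) (?P<verdict>drop|accept|reject) (?=IN=)")
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_nf_line(line: str) -> Optional[Dict[str, str]]:
    """Return the KEY=VALUE fields of a netfilter log line, or None if the line
    is not one. Empty values (IN= on an outbound packet) are kept as ''."""
    m = NF_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(line[m.end():]))
    fields["rule"] = m.group("rule")
    fields["verdict"] = m.group("verdict")
    return fields


def direction(f: Dict[str, str]) -> str:
    """Locally generated packets have OUT= set and IN= empty; received ones the reverse."""
    if f.get("IN") and not f.get("OUT"):
        return "inbound"
    if f.get("OUT") and not f.get("IN"):
        return "outbound"
    return "forward"


def classify(f: Dict[str, str], lan_prefix: str = LAN_PREFIX) -> str:
    d = direction(f)
    src, dst, dpt = f.get("SRC", ""), f.get("DST", ""), f.get("DPT", "")
    if f["verdict"] != "drop":
        return f"{d}-{f['verdict']}: {src} -> {dst}:{dpt}"
    if d == "outbound" and dpt in UPDATE_PORTS and src.startswith(lan_prefix):
        return f"outbound-web-drop: {src} -> {dst}:{dpt} (update downloads from this host will fail)"
    if d == "inbound" and dpt == "22" and not src.startswith(lan_prefix):
        return f"ssh-probe-drop: {src} -> {dst}:22 (blocked, as it should be)"
    return f"{d}-drop: {src} -> {dst}:{dpt}"


def triage(lines: List[str]) -> List[str]:
    """One verdict string per netfilter line; non-firewall lines are skipped."""
    out: List[str] = []
    for line in lines:
        f = parse_nf_line(line)
        if f is not None:
            out.append(classify(f))
    return out


if __name__ == "__main__":
    for verdict in triage(SAMPLE_LINES):
        print(verdict)
```

The first sample line becomes an "outbound-web-drop" from 192.168.1.30 to 104.16.218.84:80, which is the condition to fix (allow the updater host out to the mirror's HTTP/HTTPS ports); the second becomes an "ssh-probe-drop" from 112.85.42.229, which is the firewall doing its job and needs no change other than perhaps a rate-limit or a fail2ban-style counter.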
Re: [clamav-users] Automated submissions to third party databases?
Hi there,

On Tue, 3 Sep 2019, Henrik K wrote:

> General comment: Using any third party rules with ClamAV is a gamble, but

Agreed. In fact I'd go further than that. Relying on something like ClamAV is a gamble. If there's a new 0-day just out, there may be no chance of spotting it at all. In my systems ClamAV is the last of the filters, just a tweak in the already heavily weighted probabilities. Of course I'm only talking about scanning mail.

> they are very good for scoring with Amavisd/Spamassassin etc. In my setup I don't even trust the official signatures, I just score everything along with SA.

While I'm very happy to trust official signatures, I do something very similar with scores, early in the SMTP conversation. Here, under normal circumstances, ninety-nine point some nines percent of the junk is filtered out by nearly a dozen DNSBLs and a custom GeoIP database. ClamAV flags something as 'FOUND' about once a year, because the other filtering has already taken care of it before clamd even sees it.

I found SpamAssassin too complex for my liking, and it absorbed more effort than I felt was justified by its efficacy. Using their mailing list was a most unpleasant experience, although that was some years ago now and things might well have improved. But I do have the luxury of being able to write custom milters; without that, things would most likely be different.

--
73,
Ged.
Re: [clamav-users] Automated submissions to third party databases?
Hi there,

On Tue, 3 Sep 2019, Arnaud Jacques via clamav-users wrote:

> On Sep 2, 2019, at 05:11, G.W. Haywood via clamav-users wrote:
>
>> ... I'm flagging up quite a few messages which are guaranteed spam,
>> but which aren't in any of the third-party databases that I'm using
>> ... My milter can very easily process these messages ... then send
>> ... the results ... to anyone who'd like to have that information.
>> ...
>
> Did you try spam_marketing.ndb from securiteinfo.com ? We detect many spams/phishing.

Thanks - no, I don't use that one. It's listed at Sanesecurity as having a high false positive rate.

> ... could you please send spam/phishing/malwares to malw...@surfezsanspub.fr ?

I will set that up today, and also contact you off-list.

--
73,
Ged.
Re: [clamav-users] Automated submissions to third party databases?
Hi Joel,

On Tue, 3 Sep 2019, Joel Esler (jesler) wrote:

>> On Mon, 2 Sep 2019, Joel Esler (jesler) wrote:
>>
>>>> On Sep 2, 2019, at 05:11, G.W. Haywood via clamav-users ... wrote:
>>>>
>>>> ... I'm flagging up quite a few messages which are guaranteed spam,
>>>> but which aren't in any of the third-party databases that I'm using
>>>> ... My milter can very easily process these messages ... then send
>>>> ... the results ... to anyone who'd like to have that information.
>>>
>>> Have you automated their upload to ClamAV.net using clamsubmit?
>>
>> Not yet, but as I said it would be easy to do.
>
> Let me know when you do? We'd like to take a look at what you're submitting.

Sure, I'll do that next chance I get. Just battling uninitialized variables for Securiteinfo at the moment. :/

--
73,
Ged.
Re: [clamav-users] Am I allowed to use yara rules?
Hi there,

On Mon, 2 Sep 2019, Thomas Barth via clamav-users wrote:

> today I got informed that I should not use the yara rules. They have
> major issues with clamav 1.0.1, ie memory leaks and complete failure
> of clamav.

I see nothing which refers to such an issue in the ClamAV Bugzilla.

> My question is where I can download a bunch of infected e-mails of
> all types to test clamav and see if it really crashes.

It's a tricky request, please see for example

https://www.eicar.org/?page_id=3950

I hope you're going to do this in a sandbox!

--

73,
Ged.
Re: [clamav-users] Automated submissions to third party databases?
Hi Joel,

On Mon, 2 Sep 2019, Joel Esler (jesler) wrote:

>> On Sep 2, 2019, at 05:11, G.W. Haywood via clamav-users ... wrote:
>>
>> ... I'm flagging up quite a few messages which are guaranteed spam,
>> but which aren't in any of the third-party databases that I'm using
>> ... My milter can very easily process these messages ... then send
>> ... the results ... to anyone who'd like to have that information.
>
> Have you automated their upload to ClamAV.net using clamsubmit?

Not yet, but as I said it would be easy to do. This isn't the kind of
thing I'd be comfortable to set up without first discussing it with the
recipients. For example, I'd want to check that I won't be causing
unnecessary work for any reason. If you think it's OK for me to go ahead
and submit some samples that way I'll be glad to. Bear in mind that
these are AFAICT purely spam, not viruses, although I couldn't rule out
malicious links and the like.

It's depressing to trawl through this stuff. Makes me feel we really
should have stayed in the trees.

Incidentally I seem to be having issues with the @cisco servers again so
I'm leaving that address out of the reply.

--

73,
Ged.
Re: [clamav-users] Scanning on Mac without installation
Hi there,

On Fri, 23 Aug 2019, Dexter Rivera via clamav-users wrote:

> On 8/22/19, 9:19 AM, "Eric Tykwinski" wrote:
>
>> ... Something like ansible? Use ansible's homebrew module to install
>> ClamAV, run a scan, then use the module again to uninstall.
>
> That's exactly the scenario I'd like to have. ...

I'd be interested to know why you don't want ClamAV to be installed on
the Macs themselves.

Here's just a note of caution: if you don't keep the malware databases
installed on the machines, then, every time you want to scan one, you'll
need to send something on the order of half a gigabyte of data to it
before you start a scan. It doesn't scale well. ClamAV goes to great
lengths to minimize the amount of data transfer needed to keep the
malware databases up to date, and you'll be taking no advantage of those
efficiencies if you remove them after each scan.

--

73,
Ged.
Re: [clamav-users] Disable official database
Hi there,

On Mon, 26 Aug 2019, Kris Deugau wrote:

> The only constant is that there must be at least one signature
> database, even if it's a trivial hash database with one signature that
> matches on an empty file.

AFAICT the signature database file doesn't even need to have any
signatures in it; it can just be an empty file. See my earlier post,
extract below:

8<--
6. The same, using a database directory containing just an empty file:

mail6:~/src/net/mail/clamav-0.101.4/test$ >>> ls -l /etc/mail/clamav/empty/
total 0
-rw-r--r-- 1 root root 0 Aug 25 10:25 empty.ign2
mail6:~/src/net/mail/clamav-0.101.4/test$ >>> /usr/local/bin/clamscan -d /etc/mail/clamav/empty clam.exe
clam.exe: OK

--- SCAN SUMMARY ---
Known viruses: 0
Engine version: 0.101.4
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 0.017 sec (0 m 0 s)
8<--

This aspect is a little concerning. There's the potential for e.g. a
typo on a command line (or a misconfiguration) to permit a malicious
file, which might otherwise be detected, quietly to escape detection.

--

73,
Ged.
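An added illustration of the concern raised in this message (not code from the post or from ClamAV): a small C check that parses a clamscan summary like the one above and refuses to treat a run as meaningful when it reports zero known viruses, which is exactly what an empty database directory produces. The two summary texts are constructed for the example from the output shown above; the signature count and the detection name in the second one are made up.

```c
/* Added example (not ClamAV code): a clean "OK" from a scanner that
 * loaded no signatures is not a clean result.  Parse the summary and
 * insist on a plausible "Known viruses:" count before trusting it. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Number after "Known viruses:" in a scan summary, or -1 if the line is
 * missing (truncated output), so "no summary" is never read as "zero". */
long known_viruses(const char *summary)
{
    const char *key = "Known viruses:";
    const char *p = strstr(summary, key);
    if (!p) return -1;
    const char *digits = p + strlen(key);
    char *end;
    long n = strtol(digits, &end, 10);
    if (end == digits) return -1;          /* key present but no number */
    return n;
}

/* 1 if the summary is present and at least min_sigs signatures were
 * loaded; 0 otherwise (including the empty-database case, n == 0). */
int scan_result_trustworthy(const char *summary, long min_sigs)
{
    return known_viruses(summary) >= min_sigs;
}

/* Constructed from the empty-directory run quoted in the post. */
static const char EMPTY_DB_SUMMARY[] =
    "clam.exe: OK\n"
    "\n--- SCAN SUMMARY ---\n"
    "Known viruses: 0\n"
    "Engine version: 0.101.4\n"
    "Scanned directories: 0\n"
    "Scanned files: 1\n"
    "Infected files: 0\n";

/* Constructed: the same file scanned with a real database; the count
 * and the detection name are invented for the example. */
static const char FULL_DB_SUMMARY[] =
    "clam.exe: ClamAV-Test-File FOUND\n"
    "\n--- SCAN SUMMARY ---\n"
    "Known viruses: 6500000\n"
    "Engine version: 0.101.4\n"
    "Scanned directories: 0\n"
    "Scanned files: 1\n"
    "Infected files: 1\n";

int main(void)
{
    printf("empty db: known=%ld trusted=%d\n",
           known_viruses(EMPTY_DB_SUMMARY),
           scan_result_trustworthy(EMPTY_DB_SUMMARY, 1000));
    printf("full db:  known=%ld trusted=%d\n",
           known_viruses(FULL_DB_SUMMARY),
           scan_result_trustworthy(FULL_DB_SUMMARY, 1000));
    return 0;
}
```

The threshold is the caller's choice; anything in the thousands catches the empty-directory and typo cases described above without having to track the real signature count, which changes daily.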
Re: [clamav-users] Disable official database
Hi there,

On Mon, 26 Aug 2019, Kris Deugau wrote:

> G.W. Haywood via clamav-users wrote:
>
>> 6. The same, using a database directory containing just an empty file:
>>
>> mail6:~/src/net/mail/clamav-0.101.4/test$ >>> ls -l /etc/mail/clamav/empty/
>> total 0
>> -rw-r--r-- 1 root root 0 Aug 25 10:25 empty.ign2
>
> This is consistent with my experience ...

Mails crossed :/

--

73,
Ged.
[clamav-users] Automated submissions to third party databases?
Hi there,

If you've been paying even scant attention to the list mail you'll know
that I've been doing some testing, particularly of clamd, when it's used
for scanning mail. This is something of a side issue, but I'll throw it
into the pot to see if anything comes of it.

The testing that I'm doing is for more than one purpose; there's clamd
itself (that is whether my patched version crashes, or whatever); and
there's the milter which feeds it. The milter isn't the one supplied
with ClamAV, it's one of my own written in pure Perl and it needs much
more thrashing than it's getting at the moment because I need it to be
reliable.

And now, there's this side issue - which might blossom into something
which I think may be more interesting - the potential for an automated
submission system for messages which are certainly spam, but for which
the databases don't have a matching signature. It could go well beyond
that, but right now I don't want to get ahead of myself.

There seems to be some kind of a spammer campaign at the moment which
uses IPs from all over the planet to attempt to send much the same kind
of message. Normally I wouldn't see these messages, they'd be rejected
at the CONNECT stage after the connecting IP had been found in nearly a
dozen DNS block lists. But I'm desperate for more traffic to test clamd
and my milter, so I've configured the milter to allow a message which
has already triggered a REJECT response to reach all the way to End Of
Message, so that clamd can scan it. Then, after logging the message
text, even if clamd says "OK", I'll reject it anyway. If nothing else it
might slow them down a little. :)

So I'm flagging up quite a few messages which are guaranteed spam, but
which aren't in any of the third-party databases that I'm using. The
successes are all 'Sanesecurity.Junk.N', where 'N' is usually a
five-digit number beginning with '5'. The detection success rate is in
the region of 35% at present, so I'm collecting ~two out of three.

My milter can very easily process these messages, in any way, and then
send them, or the results of this processing, in any format and by any
means, to anyone who'd like to have that information. Once set up, it
could do it all in real time, without manual intervention at my end.

Any takers?

--

73,
Ged.
Re: [clamav-users] How to boost clamav? Reloading database results in a talking timeout?
Hi Joel,

On Sun, 1 Sep 2019, Joel Esler (jesler) wrote:

> Alright. I think we’ve beat the proverbial dead horse here. ...

I don't think anybody's beating anything here Joel. Just we users,
discussing, on the users' list, ways of dealing with an issue.

On Sat, 31 Aug 2019, G.W. Haywood wrote:

> It really isn't that big a deal if you know what you're doing.

You saw that part?

--

73,
Ged.
Re: [clamav-users] Fwd: freshclam incremental update
Hi there,

On Mon, 2 Sep 2019, Birger Birger via clamav-users wrote:

> I have a Vigor 2926 router between computer and internet.

https://www.switchnetservices.co.uk/draytek-zero-day/

--

73,
Ged.
Re: [clamav-users] Fwd: freshclam incremental update
Hello again,

On Mon, 2 Sep 2019, Birger Birger via clamav-users wrote:

> Mon Sep 2 11:05:27 2019 -> nonblock_recv: recv timing out (30 secs)
> Mon Sep 2 11:05:27 2019 -> WARNING: getfile: Download interrupted: Operation now in progress (IP: 104.16.219.84)

Looks like a network issue at your end. I guess we knew that already.

What devices are between your computer and your Internet connection?
I've seen home routers which drop packets more or less at random and
cause issues like this, you might want to try a different one; and if
it were mine, I'd want to know that it wasn't listed as vulnerable on
some public Website. Is anything else using the same connection which
might be taking up most of the bandwidth?

For the avoidance of doubt I've seen many updates from 104.16.219.84,
with no issues at all. For example here's an extract from my freshclam
log for August:

Fri Aug 2 00:31:11 ... (8772012 signatures) ... (IP: 104.16.219.84)
Sat Aug 3 00:37:29 ... (8771907 signatures) ... (IP: 104.16.219.84)
Sun Aug 4 00:43:46 ... (8770485 signatures) ... (IP: 104.16.219.84)
...
...
Fri Aug 30 01:10:42 ... (8706411 signatures) ... (IP: 104.16.219.84)
Sat Aug 31 00:17:04 ... (8704638 signatures) ... (IP: 104.16.219.84)
Sun Sep 1 00:23:24 ... (8699840 signatures) ... (IP: 104.16.219.84)
Mon Sep 2 00:29:02 ... (8694374 signatures) ... (IP: 104.16.219.84)

> Mon Sep 2 11:04:05 2019 -> WARNING: Local version: 0.100.3 Recommended version: 0.101.4

I'd also suggest trying an upgrade to the latest version of ClamAV, but
that's more because it's standard procedure whenever there's a problem.
Even if there is a problem in the code, nobody wants to investigate old
code problems which might have been fixed already.

It's just about possible that there's a routing issue in Sweden but I
think it's unlikely as there will be other ClamAV users there. Maybe we
could get an order of magnitude figure from the ClamAV team?

You could set up a VPN so you could get downloads via another country to
see if that made any difference. I'd be prepared to set up a VPN for you
if you wanted to try it, but my bet's on a consumer-grade router at the
moment.

--

73,
Ged.
Re: [clamav-users] freshclam incremental update
Hi there,

On Sat, 31 Aug 2019, Birger Birger via clamav-users wrote:

> On Sat, 31 Aug 2019 20:35, G.W. Haywood wrote:
>
>> On Sat, 31 Aug 2019, Birger Birger via clamav-users wrote:
>>
>>> ... download of daily.cvd with freshclam still stops at 99%
>>
>> In the last few days I've seen freshclam remove a few broken
>> mirrors.dat files:
>>
>> mail6:~$ >>> grep broken /var/log/clamav/freshclam.log
>> Wed Aug 21 19:02:10 2019 -> WARNING: Removing broken mirrors.dat file.
>> Fri Aug 23 16:18:59 2019 -> WARNING: Removing broken mirrors.dat file.
>> Fri Aug 23 16:28:38 2019 -> WARNING: Removing broken mirrors.dat file.
>>
>> Maybe try removing the file manually? I've no idea if it will help,
>> and I've never seen here anything like the issue you're seeing there.
>
> Have tried to remove the files manually already. That did not help.

Just to be clear, I meant remove 'mirrors.dat' - not daily.cvd.

--

73,
Ged.
[clamav-users] Pure Perl milter for clamd.
Hi there,

Anyone interested in a pure Perl ClamAV milter?

Over on clamav-devel I've posted about a milter that I'm working on and
which I'd be pleased to see getting some more exercise:

https://lists.gt.net/clamav/devel/76575

I'd be happy to help with installation if you're not very familiar with
using milters.

Apologies for the cut'n'paste error in the dev post subject line. :(

--

73,
Ged.
Re: [clamav-users] Questions about ClamAV installers
Hi there,

On Wed, 28 Aug 2019, Scott A. Wozny via clamav-users wrote:

> I’m looking at installing Clam on my CentOS 7 servers ...

Sorry, but I have to ask :) Why?

> sites offering install tutorials recommend installing

Sites with tutorials. I guess I avoid them.

> clamav-server clamav-data clamav-update clamav-filesystem clamav
> clamav-scanner-systemd clamav-devel clamav-lib AND
> clamav-server-systemd.

Those are 'packages' from the OS distributions, created and maintained
by the OS distribution maintainers. The ClamAV source (which you'd get
e.g. from the clamav.net site) is a completely different animal.

It's like this: There are (approximately) two approaches to installing
software on a Linux (or similar Unix-like) box.

Method 1. - You can get the source of the software and build it on the
box, using (and here I abridge, paraphrase and bowdlerize mercilessly)
some set of commands such as, for example, say, perhaps, the ClamAV
software:

cd ~/src/
wget http://server.clamav.net/downloads/clamav-0.101.4.tar.gz
tar xzvf clamav-0.101.4.tar.gz
cd clamav-0.101.4
./configure
make
su
make install

Now you have ClamAV installed into the places in your system that the
people who produced it decided that it would go when they made that
tarball. You can now delete ~/src/clamav-0.101.4/ and everything in
there, you're done with it. Really.

The result of all this might not be what you want, so you can twiddle
things to put things elsewhere, but don't get involved in that yet. It
also might not work, because there might be things _not_ on your machine
that are needed in order to compile this particular software. Or indeed
_any_ software. You won't get very far without a compiler for example,
and some distributions don't ship with one as standard.

Method 2. - You can install a 'package' from the people who produce your
'flavour' of Linux, or other OS. You can simply say

apt-get install clamav

and the package tool (in my example APT, but then this is a Debian box)
will not only install clamav (whatever that is) but it will also install
everything that clamav package needs if it isn't already on the system.
Compilers and all the gubbins that goes with them tend to be BIG. You
most likely won't need one if you do it this way because you'll be
installing *binaries* (that have already been compiled for your system's
architecture - i686, AMD64, etc.) from the packages. This is a lot
simpler, and generally recommended if you aren't VERY familiar with your
system.

The main trouble is that documentation as you seem to have discovered is
sometimes a bit sparse, so you don't always know which packages you need
in order to do what you want, always assuming that you know what you
want to do in the first place.

Another problem is that OS package maintainers often do strange things
with the packages before they ship them out. They'll almost always put
everything in different locations, so you can have (at least) two
versions of the software on the system: the OS packaged version and the
built from source ('upstream') version. But don't do that unless you
really know what you're doing.

Another problem is that the OS packages are often out of date. For
something like ClamAV, I'd almost always compile from source.

Oh, and Macs are a bit different, but they're basically BSD boxes. For
some reason whenever I play with one, it always seems like I'm
blindfolded, with my hands tied behind my back.

> the official documentation is just to install ClamAV.

The OS distribution packages on the one hand, and ClamAV from the
Sourcefire/Talos/Cisco emporium on the other hand bear no resemblance to
each other, except that the same sources, more or less, were used to
create both.

> So, is there a list of the purpose of each of these packages
> somewhere?

That's up to the OS people who packaged it.

> ... looks like ClamAV contains all the major pieces (clamav,
> clamav-filesystem, clamav-lib, clamav-update, libtool-ltdl and pcre2)
> EXCEPT for clamd.

It's not like that. If you download for example clamav-0.101.4.tar.gz
from the clamav.net site you get everything you need to get _from_the_
_ClamAV_people_ in the one tarball. But you'll need other stuff too.
You won't get a compiler of course, and you won't get a bunch of 'C'
header files and libraries and stuff which will probably be in those
pesky '-devel' packages we'll talk about later. There's much more.

> I guess my fundamental question is what does clamd do that clamav does
> not and vice versa?

It's not like that. ClamAV includes a thing called a daemon, which you
can start and allow to run indefinitely. It just sits there, in about a
gigabyte of RAM, waiting for you to ask it to scan something. That
daemon is clamd. I'm running two of them on the machine that's going to
send this mail to you - but then it's a mail server. You'd normally be
expected to ask the daemon to scan something by using a command-line
tool like 'clamdscan' or by
Re: [clamav-users] False Positive for Txt.Coinminer.Generic-7132166-0
Hi there,

On Tue, 27 Aug 2019, Brian Cole via clamav-users wrote:

> ... we are seeing ClamAV think that CoinMiner virus exists in ...
> /var/log/sid_changes.log ...

Would it not make more sense to exclude such files from your scans?

--

73,
Ged.
Re: [clamav-users] Automated submissions to third party databases?
Hi Joel,

On Wed, 4 Sep 2019, G.W. Haywood wrote:

> ... some junk mails aren't being detected by clamd, even though there
> are valid signatures in the database that are supposed to match them.

I guess you have the two files which I attached. You can see below what
happens when I scan them using clamdscan. The one which is not detected
is as it came in on the wire today, and, when my milter sent it to clamd
as it arrived, it wasn't detected then either. The other file is the
same thing, but edited by me. You can see what's in them, and if you
compare them you will see the one change which I made which allows the
detection to succeed. Without knowing more I don't want to say it's a
fault in the scanner, but this looks strange to me.

8<--
mail6:~$ >>> clamdscan /tmp/t16289.*
/tmp/t16289.found_1: Sanesecurity.Phishing.Fake.26520.UNOFFICIAL FOUND
/tmp/t16289.not_found_1: OK

--- SCAN SUMMARY ---
Infected files: 1
Time: 0.047 sec (0 m 0 s)
8<--

I don't understand why one of them triggers a detection and the other
one doesn't. If anyone there can tell me I'd be glad to know. To be
clear, the change that I made is an example. It seems that there may be
many ways of getting the scan to succeed.

--

73,
Ged.
Re: [clamav-users] How to boost clamav? Reloading database results in a talking timeout?
Hi there,

On 9/4/19, 1:40 PM, Thomas Barth via wrote:

> Why not using half of the cores to also reduce the loading time? Many
> years ago when I used eMule for downloading big files, I was so
> fascinated by the download mechanism: one big file, many download
> sources to get the file together piece by piece. And it didn't have to
> follow any order. That would be fun to program for loading the
> databases, am I right? :-)

You might be right that it might be fun, but torrents are completely
irrelevant to this issue, and they exist elsewhere to solve a problem
which does not exist here.

On Wed, 4 Sep 2019, Micah Snyder (micasnyd) via clamav-users wrote:

> ... There might be some performance to be gained by using multiple
> threads. I'm not certain. Definitely a bunch of thread safety code
> would need to be written.

The database load times are a couple of orders of magnitude shorter than
the database update periods. It makes no sense to try to make the load
times shorter when they can already be done by a separate thread, while
scanning continues, if necessary, in another thread.

--

73,
Ged.
Re: [clamav-users] How to boost clamav? Reloading database results in a talking timeout?
Hi there,

On Fri, 6 Sep 2019, Reio Remma via clamav-users wrote:

> I guess many of us are just running too old hardware. :)
>
> Here's a comparison between my mail server and identical config
> running in a VM.
>
> Sep 6 09:41:06 mail clamd[31441]: Reading databases from /var/lib/clamav
> Sep 6 09:44:05 mail clamd[31441]: Database correctly reloaded (10741767 ...
>
> Sep 6 09:56:43 vm clamd[2108]: Reading databases from /var/lib/clamav
> Sep 6 09:57:17 vm clamd[2108]: Database correctly reloaded (10742128 ...

That's very useful, thanks. Can you compare the costs of running them
for us?

--

73,
Ged.
Re: [clamav-users] Freshclam to only pull safebrowsing.cvd
Hi there,

On Fri, 6 Sep 2019, Brent Clark via clamav-users wrote:

> We have a project to have freshclam *only* pull / update
> safebrowsing.cvd. What I find is, when I run my custom freshclam.conf
> file it still pulls daily.cvd, main.cvd, bytecode.cvd
>
> Anyone know how I can switch this off?

From the freshclam 'man' page:

--update-db=DBNAME
    With this option you can limit updates to a subset of database
    files. The DBNAME should be "main", "daily", "bytecode",
    "safebrowsing" or one of the 3rd party database names. This option
    can be used multiple times and only works with the official and 3rd
    party databases distributed through the ClamAV mirrors, your custom
    databases (specified with DatabaseCustomURL in freshclam.conf) will
    not be ignored.

Does this not work for you?

--

73,
Ged.
Re: [clamav-users] How to boost clamav? Reloading database results in a talking timeout?
Hi there,

On Thu, 12 Sep 2019, Micah Snyder (micasnyd) via clamav-users wrote:

> https://bugzilla.clamav.net/show_bug.cgi?id=10979#c19
>
> This patch applies to the current head of dev/0.102 ...

If the development version is a step too far, the two files which I
posted on September 10th implement a patch which has been sitting on the
ClamAV Bugzilla (at #c2) for nearly three years:

https://bugzilla.clamav.net/show_bug.cgi?id=10979#c13
https://bugzilla.clamav.net/show_bug.cgi?id=10979#c14

These replace two files in the current (v0.101.4) release, to produce
results very similar to those from the patch at #c19 for v0.102.x.
Unfortunately there are so many cosmetic changes in the development
version that a direct comparison of the patches might be tedious, but
the essentials are the same. Load new data in a separate thread, and in
the meantime scan using the old database; switch database pointers
(virtually instantaneous) on reload completion; ignore database reload
requests if reloading is already in progress; and when the old data is
no longer needed, drop it.

Test results and/or observations welcome.

This will not of course help start-up times at all, but it's easy to
arrange to load a smaller database at startup if that's what you feel
you must do - there has been a discussion about using what I'll call
non-standard databases recently. Personally I don't see the need for
anything like that; the runtimes of my clamd daemons are rarely less
than months, even if I'm testing things, so it's of no consequence if
loading the data at the beginning of a run takes a couple of minutes.
Since I'm only scanning mail, rather than scan it with less than the
full deck I'll just delay it a couple of minutes. Until I worked on this
patch, that's what I'd been doing on every database reload and, as I've
always maintained, it's really no big deal.

> ...do not confuse the fact that we are paid with the thought that you
> are paying us.

I'm not sure that ham-fisted attempt at a justification was entirely
called for, Micah. You had a patch for several years. Then, two and a
half days after I posted the two files shown above, you're galvanized
into action; but you studiously avoid mention of the prior work by
several people, and then imply that people are confused when everything
is crystal clear.

> We of course always appreciate help from the community ...

Perhaps you could try to make it a little more obvious.

--

73,
Ged.
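An added example, written for this page and not taken from the Bugzilla patch or from ClamAV's sources, showing the four essentials listed in the message above in miniature with POSIX threads: the new data is loaded in its own thread while scans continue on the old database, the switch is one pointer write under a lock, a reload request that arrives while a reload is already running is ignored, and the old database is freed when the last scan still using it lets go. The sigdb_t struct, the generation counter and the load_gate mutex that stands in for the slow CVD parse are all assumptions of the example, not anything in clamd.

```c
/* Added example, not ClamAV's code: the reload strategy described in the
 * post, reduced to its essentials.  The "database" is a stand-in struct. */
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct sigdb {
    int generation;   /* which load produced this database */
    int refs;         /* 1 for the 'current' slot + 1 per scan using it */
} sigdb_t;

static pthread_mutex_t db_lock = PTHREAD_MUTEX_INITIALIZER;
static pthread_mutex_t load_gate = PTHREAD_MUTEX_INITIALIZER;
static sigdb_t *current_db = NULL;
static int reload_in_progress = 0;
static int generation_counter = 0;
static int databases_dropped = 0;   /* old databases freed so far */

/* Stands in for the minutes-long CVD parse.  It never takes db_lock, so
 * scans carry on against the old data meanwhile; whoever holds load_gate
 * keeps the load "in progress" for as long as they like (see main). */
static sigdb_t *load_database(int generation)
{
    pthread_mutex_lock(&load_gate);
    pthread_mutex_unlock(&load_gate);
    sigdb_t *db = calloc(1, sizeof *db);
    if (!db) abort();
    db->generation = generation;
    return db;
}

/* Blocking initial load at start-up; the patch does not change this part. */
void db_init(void)
{
    current_db = load_database(++generation_counter);
    current_db->refs = 1;               /* held by the 'current' slot */
}

/* A scan pins whichever database is current until db_release(). */
sigdb_t *db_acquire(void)
{
    pthread_mutex_lock(&db_lock);
    sigdb_t *db = current_db;
    db->refs++;
    pthread_mutex_unlock(&db_lock);
    return db;
}

/* Drops the reference; the data is freed once nobody refers to it. */
void db_release(sigdb_t *db)
{
    pthread_mutex_lock(&db_lock);
    if (--db->refs == 0) {
        free(db);
        databases_dropped++;
    }
    pthread_mutex_unlock(&db_lock);
}

static void *reload_worker(void *arg)
{
    pthread_mutex_lock(&db_lock);
    int generation = ++generation_counter;
    pthread_mutex_unlock(&db_lock);
    sigdb_t *fresh = load_database(generation);   /* slow part, unlocked */
    pthread_mutex_lock(&db_lock);
    sigdb_t *old = current_db;
    fresh->refs = 1;
    current_db = fresh;                 /* the switch: one pointer write */
    reload_in_progress = 0;
    pthread_mutex_unlock(&db_lock);
    db_release(old);                    /* freed now, or by its last scanner */
    return arg;
}

/* 1 = reload started, 0 = ignored because one is already running. */
int db_request_reload(pthread_t *thread)
{
    pthread_mutex_lock(&db_lock);
    int start = !reload_in_progress;
    reload_in_progress = 1;
    pthread_mutex_unlock(&db_lock);
    if (start && pthread_create(thread, NULL, reload_worker, NULL) != 0) abort();
    return start;
}

int main(void)
{
    pthread_t t;
    db_init();
    sigdb_t *in_use = db_acquire();     /* a scan that began before the reload */
    pthread_mutex_lock(&load_gate);     /* keep the simulated load running */
    printf("reload started: %d\n", db_request_reload(&t));
    printf("second request ignored: %d\n", db_request_reload(&t) == 0);
    pthread_mutex_unlock(&load_gate);
    pthread_join(t, NULL);
    db_release(in_use);                 /* last user of the old data lets go */
    printf("old databases dropped: %d\n", databases_dropped);
    return 0;
}
```

Holding load_gate in main is only there to make the "request while reloading" case reproducible; in a real daemon the trigger is the RELOAD command and the gate is the actual parse. The reference count is what makes the last step safe: the 'current' slot's own reference keeps a freshly loaded database alive, and an old one survives exactly as long as the slowest scan that started against it.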
Re: [clamav-users] How to boost clamav? Reloading database results in a talking timeout?
Hi there,

On Fri, 13 Sep 2019, Micah Snyder (micasnyd) via clamav-users wrote:

> One thing we could do is have clamd "start" before loading the
> database. That is to say that it would immediately begin listening on
> the unix/tcp socket for requests and fork into the background so as
> not to block the boot process. All scan requests would then be blocked
> while the database loads. I imagine this would solve most of the
> frustration around boot-up load time.

I don't think you should be trying to second-guess stuff like this, and
I don't quite see how in these days of parallel boot processes that
anything will get blocked that doesn't need to be blocked. Will you be
looking at the network interfaces? The routes? You'll end up writing
another systemd. The system administrator/integrator needs to earn his
living somehow; not asking a utility to do things when it's not yet
ready to do them is one of his jobs. It's why there are all those
symlinks in /etc/rc3.d/.

> Does this have any appeal?

Seems like a waste of effort to me.

--

73,
Ged.
Re: [clamav-users] Running round in circles here.
Hi there,

On Mon, 9 Sep 2019, Hal MacLean via clamav-users wrote:

> ... been using ClamAV to help secure a few Moodle systems and this has
> been working fine for years. It seems this year to have been causing a
> problem.

Whatever the reason, it's fixable. There have been a few issues long
past, but in my experience ClamAV is now extremely reliable.

This sort of thing can sometimes happen when 'upstream' versions make
big changes, and distribution 'packages' aren't updated as carefully as
they might have been - either by the maintainer or the user - or some
dependency hasn't caught up because of some specific issue in the
particular system. For example some needed upgrade of a library might
be 'held back' for whatever reason. Or it might just be the result of
meddling, often itself a result of bad advice. :(

I'm going to assume that (as you're running Moodle, Web servers and
database servers) the computers have adequate specifications - in
particular the RAM - but more information about that would be useful.

> I frequently get this:
>
> ClamAV has failed to run. The return error message was " An error occured".

The exact message in your double-quotes does not appear anywhere in the
latest ClamAV sources, except in a comment within a longer string. So
either that isn't the exact message - and getting the exact message can
often be an issue, so please confirm; or it came from something which
is not built from the latest sources; or from something else. They're
often issues too and we might need to investigate later on.

> Here is the output from ClamAV:
>
> ERROR: Could not lookup : Servname not supported for ai_socktype

Please be more specific. "ClamAV" isn't a binary which runs. By
inspection of the latest sources, the only binary which could have
produced this message is clamdscan. Please give the exact command or at
least more detail about how and when this message is produced.

> I have been all over the internet looking this up ...

You should have come straight here!

> following dead ends and poor advice ...

That's today's Internet I'm afraid.

> I’ve uninstalled, re-installed, updated ...

Please be more specific about the uninstall/re-install. At

https://packages.ubuntu.com/xenial/clamav

I see several packages. If you're using the Ubuntu packages, did you
take care to uninstall and re-install all of them? If not, you might
have mixed versions of the different packages which will in some cases
cause problems. Did you 'purge' the packages after uninstalling them?
Are you using binary packages or the less usual 'source packages'?

> I’m running Ubuntu 16.04 with latest ClamAV.

Please be more specific about the version of ClamAV. Do you mean the
latest ClamAV or the latest version which is packaged for your version
of Ubuntu? From a cursory search the latest package seems out of date
but that's often the way with packages. If ClamAV is from packages,
(note the plural) please give the exact package versions, for example

clamav (0.100.3+dfsg-0ubuntu0.16.04.1)
libclamav7 (0.100.3+dfsg-0ubuntu0.16.04.1)
clamav-freshclam (0.100.3+dfsg-0ubuntu0.16.04.1)

otherwise please give the source version such as 0.101.4 which, at the
time of writing, really *is* the latest version. :)

> We use Freshclam for updating and clamd for running as a service. We
> simply need it to catch the likely problems when users upload files to
> our Moodle systems.

Then I'm guessing that you need on-access scanning, please confirm?

> ... need some sane advice from users with far more experience ...

You've finally arrived at the right place. :)

> What causes this error, and how do I fix it?

We'll get there. Others might have seen this and know already, but I
don't know yet. Consider this an initial request for further details,
plus something to try until we get more eyes on when e.g. people in the
USA start their day.

In addition to the information already requested (please read *all*
carefully, and answer all the questions and confirm where requested),
you haven't said if anything actually works as you think it should. Can
you for example scan a file using "clamscan" (not "clamdscan")? What
happens if you do that? Copy/paste command and output please. Does
'freshclam' seem to be doing what it should? How do you know? Are you
keeping logs? Do you look at them? Have you tried 'verbose'
settings/options?

Next I suggest you try running the clamd binary that's installed at the
moment with a configuration file which I'll supply below as a test of
the clamd binary and its interaction with the rest of your system. I'd
like to see it run from the command line, without 'help' from some
abomination like systemd. You will need another gigabyte of RAM or so to
run this daemon, will that be an issue?

8<--
LogFile /tmp/clamd_tcp1.log
LogFileMaxSize 0
LogTime yes
LogClean yes
LogVerbose yes
PidFile /tmp/clamd_tcp1.pid
TemporaryDirectory /tmp
#
Re: [clamav-users] Running round in circles here.
Hello again,

On Mon, 9 Sep 2019, G.W. Haywood via clamav-users wrote:

> telnet localhost 3311

That should of course have been

telnet localhost 3313

to connect to the port given in the configuration.

--
73, Ged.

___
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] Fwd: Fwd: Fwd: Fwd: freshclam incremental update
Hi there,

On Wed, 11 Sep 2019, Birger Birger via clamav-users wrote:

> Now it seems the firewall is stopping freshclam to download updates.

That's what I told you in my Sept 3rd reply to you.

> Any ideas?

Stop the firewall from dropping the packets?

--
73, Ged.
Re: [clamav-users] How to boost clamav? Reloading database results in a talking timeout?
Hi Micah,

On Fri, 13 Sep 2019, Micah Snyder (micasnyd) wrote:

> I'm sorry, Ged...

Apology accepted. :)

I'm now running the development (0.102) version of clamd, patched with Mr. Wu's patch, alongside two version 101.4 clamd daemons (an unpatched one, and one with the patch that I posted on Bugzilla). The milter scans all mail with all three daemons. On the arrival of a message, if the database is not already being reloaded I start a fresh reload before the scan so that, for all scans, a reload always executes concurrently.

Nothing seems to have broken, and so far there's nothing terribly interesting to report other than the strange failure to detect which I sent to Joel early this week (and which I'm sure has nothing to do with these patches).

--
73, Ged.
Re: [clamav-users] clamAV w/o using original virus databases?
Hi there,

On Mon, 9 Sep 2019, cla...@script-test.de wrote:

> ... is it possible to run clamAV without using the official virus databases? I tried it but my clamd won't start because the daily-DB is missing. ...

Short answer is yes, a longer answer is this has been discussed very recently on this list, check the archives.

--
73, Ged.
Re: [clamav-users] How to boost clamav? Reloading database results in a talking timeout?
Hi there,

On Thu, 5 Sep 2019, Thomas Barth via clamav-users wrote:

> freshclam just downloads the standard databases to keep them fresh. In /etc/clamav/freshclam.conf you can set the check interval.

That's ok.

> # Check for new database 24 times a day
> Checks 24

Good so far.

> But it's /usr/sbin/clamd who loads the databases into memory.

Yes.

> In /etc/clamav/clamd.conf there should be a value of 12 for an every two hour load, right?

No.

> It seems that the two hour loading is hardcoded in the daemon.

No. There are two ways to trigger reloading the databases. One is to set the 'SelfCheck' interval. The other is to send a 'RELOAD' command on the port or socket on which the daemon is listening. For example if the daemon is listening on TCP port 127.0.0.1:3311 manually I might do this at a shell prompt:

$ /bin/echo 'RELOAD' | /bin/nc localhost 3311 | /usr/bin/logger -p mail.debug 2>&1

The 'SelfCheck' interval tells the daemon to reload the databases only if something has changed:

mail6:~$ >>> grep 'SelfCheck' /var/log/mail.debug
...
Sep 4 02:15:12 mail6 clamd[5479]: SelfCheck: Database status OK.
Sep 4 03:37:14 mail6 clamd[7689]: SelfCheck: Database status OK.
Sep 4 05:02:02 mail6 clamd[5479]: SelfCheck: Database status OK.
Sep 4 06:24:14 mail6 clamd[7689]: SelfCheck: Database status OK.
Sep 4 07:49:13 mail6 clamd[5479]: SelfCheck: Database status OK.
Sep 4 09:11:11 mail6 clamd[7689]: SelfCheck: Database modification detected. Forcing reload.
Sep 4 10:36:12 mail6 clamd[5479]: SelfCheck: Database modification detected. Forcing reload.
Sep 4 12:03:14 mail6 clamd[7689]: SelfCheck: Database modification detected. Forcing reload.
Sep 4 13:27:12 mail6 clamd[5479]: SelfCheck: Database status OK.
Sep 4 14:54:15 mail6 clamd[7689]: SelfCheck: Database status OK.
Sep 4 16:14:12 mail6 clamd[5479]: SelfCheck: Database status OK.
Sep 4 17:41:14 mail6 clamd[7689]: SelfCheck: Database status OK.
Sep 4 19:01:12 mail6 clamd[5479]: SelfCheck: Database status OK.
Sep 4 20:28:14 mail6 clamd[7689]: SelfCheck: Database status OK.
Sep 4 21:48:12 mail6 clamd[5479]: SelfCheck: Database status OK.
Sep 4 23:15:14 mail6 clamd[7689]: SelfCheck: Database modification detected. Forcing reload.
Sep 5 00:35:12 mail6 clamd[5479]: SelfCheck: Database modification detected. Forcing reload.
Sep 5 02:07:14 mail6 clamd[7689]: SelfCheck: Database modification detected. Forcing reload.
Sep 5 03:26:12 mail6 clamd[5479]: SelfCheck: Database modification detected. Forcing reload.
Sep 5 04:59:14 mail6 clamd[7689]: SelfCheck: Database status OK.
Sep 5 06:17:12 mail6 clamd[5479]: SelfCheck: Database status OK.
Sep 5 07:46:14 mail6 clamd[7689]: SelfCheck: Database status OK.
Sep 5 09:04:12 mail6 clamd[5479]: SelfCheck: Database modification detected. Forcing reload.

I PING the daemons every minute. I've patched the, er, patched daemon also to reply in lower case to PING commands, so that I can see which one replies when.

Here's my *unpatched* daemon reloading this morning:

Sep 5 09:02:12 mail6 root: PONG
Sep 5 09:02:14 mail6 root: pong
Sep 5 09:03:12 mail6 root: PONG
Sep 5 09:03:14 mail6 root: pong
Sep 5 09:04:12 mail6 clamd[5479]: SelfCheck: Database modification detected. Forcing reload.
Sep 5 09:04:14 mail6 clamd[5479]: Reading databases from /etc/mail/clamav
Sep 5 09:04:14 mail6 root: pong
Sep 5 09:05:14 mail6 root: pong
Sep 5 09:06:14 mail6 root: pong
Sep 5 09:07:14 mail6 root: pong
Sep 5 09:07:59 mail6 clamd[5479]: Database correctly reloaded (8869225 signatures)
Sep 5 09:05:12 mail6 root: PONG
Sep 5 09:06:12 mail6 root: PONG
Sep 5 09:04:12 mail6 root: PONG
Sep 5 09:07:12 mail6 root: PONG
Sep 5 09:08:12 mail6 root: PONG
Sep 5 09:08:14 mail6 root: pong
Sep 5 09:09:12 mail6 root: PONG
Sep 5 09:09:14 mail6 root: pong
Sep 5 09:10:12 mail6 root: PONG

Here's the *patched* daemon reloading:

Sep 5 02:06:12 mail6 root: PONG
Sep 5 02:06:14 mail6 root: pong
Sep 5 02:07:12 mail6 root: PONG
Sep 5 02:07:14 mail6 clamd[7689]: SelfCheck: Database modification detected. Forcing reload.
Sep 5 02:07:14 mail6 clamd[7689]: Reading databases from /etc/mail/clamav
Sep 5 02:07:14 mail6 root: pong
Sep 5 02:08:12 mail6 root: PONG
Sep 5 02:08:14 mail6 root: pong
Sep 5 02:09:12 mail6 root: PONG
Sep 5 02:09:14 mail6 root: pong
Sep 5 02:10:12 mail6 root: PONG
Sep 5 02:10:14 mail6 root: pong
Sep 5 02:11:12 mail6 root: PONG
Sep 5 02:11:14 mail6 root: pong
Sep 5 02:11:35 mail6 clamd[7689]: Database correctly reloaded (8871522 signatures)
Sep 5 02:12:12 mail6 root: PONG
Sep 5 02:12:14 mail6 root: pong
Sep 5 02:13:12 mail6 root: PONG
Sep 5 02:13:14 mail6 root: pong
Sep 5 02:14:12 mail6 root: PONG
Sep 5 02:14:14 mail6 root: pong

See the difference? The patched daemon does what you want. The unpatched one doesn't.

--
73, Ged.
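The PING and RELOAD commands used in the message above go over the same socket that clamdscan and clamav-milter use, and the framing is simple enough to script. What follows is an added example written for this page, not code from the thread or from the ClamAV project: a small client that speaks the clamd protocol as described in clamd(8) (a 'z' prefix makes command and reply NUL-terminated; INSTREAM sends big-endian 4-byte length-prefixed chunks ended by a zero-length chunk), together with a constructed stand-in daemon so the exchange can be run offline. The stand-in scans nothing, it only looks for the EICAR string; the port, the path handed to SCAN and the version banner are assumptions, not values from the thread.

```python
"""clamd wire-protocol client plus an offline stand-in daemon (added example,
not ClamAV code).  Framing per clamd(8): 'z'-prefixed commands and their
replies are NUL-terminated; INSTREAM = 4-byte big-endian length + data chunks,
terminated by a zero-length chunk.  FakeClamd is a constructed stand-in."""
import socket
import struct
import threading

# EICAR test string, split so that this source file is not itself flagged.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def read_nul_terminated(sock):
    """Read up to the first NUL, byte by byte, so bytes that follow a command
    (the INSTREAM chunks) are left in the socket for the next reader."""
    buf = bytearray()
    while True:
        c = sock.recv(1)
        if not c or c == b"\0":
            return buf.decode("utf-8", "replace")
        buf += c


def recv_exact(sock, n):
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-stream")
        buf += chunk
    return bytes(buf)


class ClamdClient:
    def __init__(self, host="127.0.0.1", port=3310, timeout=10.0):
        self.addr, self.timeout = (host, port), timeout

    def _simple(self, command):
        with socket.create_connection(self.addr, timeout=self.timeout) as s:
            s.sendall(b"z" + command.encode() + b"\0")
            return read_nul_terminated(s)

    def ping(self):            return self._simple("PING")          # expect "PONG"
    def reload(self):          return self._simple("RELOAD")        # expect "RELOADING"
    def scan_path(self, path): return self._simple("SCAN " + path)  # clamd opens the path itself

    def instream(self, data, chunk=2048):
        """Push bytes to clamd; it never sees a file name, so the reply names 'stream'."""
        with socket.create_connection(self.addr, timeout=self.timeout) as s:
            s.sendall(b"zINSTREAM\0")
            for i in range(0, len(data), chunk):
                part = data[i:i + chunk]
                s.sendall(struct.pack(">I", len(part)) + part)
            s.sendall(struct.pack(">I", 0))
            return read_nul_terminated(s)


def parse_reply(reply):
    """'name: Sig FOUND' -> (name, 'FOUND', 'Sig'); 'name: OK' -> (name, 'OK', None);
    'name: reason ERROR' -> (name, 'ERROR', 'reason')."""
    name, _, rest = reply.partition(": ")
    detail, _, status = rest.rpartition(" ")
    return name, status, (detail or None)


class FakeClamd(threading.Thread):
    """Constructed stand-in for clamd on 127.0.0.1; not the real daemon."""
    def __init__(self):
        super().__init__(daemon=True)
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(5)
        self.sock.settimeout(0.2)           # so run() can notice the stop flag
        self.port = self.sock.getsockname()[1]
        self.stop = threading.Event()

    def run(self):
        while not self.stop.is_set():
            try:
                conn, _ = self.sock.accept()
            except socket.timeout:
                continue
            with conn:
                self._serve(conn)
        self.sock.close()

    def _serve(self, conn):
        cmd = read_nul_terminated(conn)
        cmd = cmd[1:] if cmd.startswith("z") else cmd
        if cmd == "PING":
            reply = "PONG"
        elif cmd == "RELOAD":
            reply = "RELOADING"
        elif cmd.startswith("SCAN "):
            reply = cmd[5:] + ": OK"         # pretend the path is clean
        elif cmd == "INSTREAM":
            data = bytearray()
            while True:
                (size,) = struct.unpack(">I", recv_exact(conn, 4))
                if size == 0:
                    break
                data += recv_exact(conn, size)
            reply = "stream: " + ("Eicar-Test-Signature FOUND" if EICAR in data else "OK")
        else:
            reply = "UNKNOWN COMMAND"
        conn.sendall(reply.encode() + b"\0")


def demo():
    """Start the stand-in, exercise each command, return the parsed results."""
    daemon = FakeClamd()
    daemon.start()
    try:
        c = ClamdClient(port=daemon.port)
        return {
            "ping": c.ping(),
            "reload": c.reload(),
            "scan": parse_reply(c.scan_path("/var/lib/SUBMISSIONS/messages/x8EGYHK0009933")),
            "instream_clean": parse_reply(c.instream(b"just some mail text\n" * 200)),
            "instream_eicar": parse_reply(c.instream(b"A" * 5000 + EICAR + b"B" * 100)),
        }
    finally:
        daemon.stop.set()
        daemon.join()
```

Against a real clamd, point ClamdClient at the daemon's TCPAddr/TCPSocket and drop FakeClamd; the EICAR stream deliberately straddles a 2048-byte chunk boundary so the reassembly on the receiving side is exercised, and parse_reply copes with the three reply shapes (OK, FOUND, ERROR) that clamd produces.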
Re: [clamav-users] Fwd: Fwd: Fwd: freshclam incremental update
Hi there,

On Thu, 5 Sep 2019, Birger Birger via clamav-users wrote:

> This might provide additional information.
>
> /usr/bin/freshclam
> *Trying to retrieve CVD header of http://%s/%s
> %cremote_cvdhead: write failed
> %cremote_cvdhead: Error while reading CVD header from %s

The '%c' and '%s' parts are from 'printf' calls in C and should have been replaced on the fly during execution by characters and strings. I've never seen anything like that before in ClamAV and it looks to me like your ClamAV installation is badly broken. I don't know what else might be broken.

I've already suggested more than once that you install the latest version of ClamAV. If you don't want to do that, perhaps you should purge the existing installation and start again. But if there are other parts of the system which are as broken as ClamAV is, there's no way to know if even a purge and fresh install will fix it.

--
73, Ged.
Re: [clamav-users] Fwd: Fwd: Fwd: Fwd: freshclam incremental update
Hi there,

On Wed, 11 Sep 2019, Birger Birger via clamav-users wrote:

> On Wed 11 Sep 2019 11:35, G.W. Haywood via clamav-users wrote:
>
>> On Wed, 11 Sep 2019, Birger Birger via clamav-users wrote:
>>
>>> Now it seems the firewall is stopping freshclam to download updates.
>>
>> Stop the firewall from dropping the packets?
>
> Turned firewall off with "sudo zs firewall stop" and ran the command "freshclam". Now all the files "main.cvd", "daily.cvd", "bytecode.cvd" and "mirrors" were rapidly and successfully updated. After I turned the firewall on again. Changes are obviously needed in iptables and/or firewall but don't know what.

First you need to learn about TCP/IP. This list is not the right place. I suggest you start with something like the 'Networking concepts HOWTO' and the 'Packet Filtering HOWTO', which are very old but which contain much which is still relevant. You can find them, and some other useful documents about networking, in several languages, here:

https://www.netfilter.org/documentation/

There are many other sources of useful information about networking, but please try to stay away from 'quick fixes'. You need to build your understanding of what you are doing; if you simply follow a few instructions you will not learn very much, and you risk both leaving your systems vulnerable to attack and giving the gift of a free tool to criminals who will abuse your systems. In other words you will become part of the problem.

Please do not underestimate the task ahead of you. You will need to do at least many weeks of study before you can attain any proficiency in firewall management.

--
73, Ged.
Re: [clamav-users] ClamAV Daemon Log - Filepath of the infected file
Hi there,

On Thu, 19 Sep 2019, Jorge Martins wrote:

> I have ClamAV Daemon installed, and if clamdscan detects something I get an entry log on the /var/log/clamav/clamav.log file, but that entry does not identify the infected file, it only shows something like this:
>
> Thu Sep 19 16:42:24 2019 -> fd[12]: Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68) FOUND
>
> Is it possible to make it show the filepath of the infected file?

There are two tools. One is clamd, which is a daemon and once started it sits there waiting to be told what to scan. If nothing tells it to scan something, it does nothing. The other is clamdscan. It doesn't know how to scan anything, but it can climb around your directory tree looking for files and it can pass pointers to the files to the clamd daemon (this tells the daemon to scan them) and await clamd's replies. There are other ways of scanning files, it's all in the documentation.

You are asking for clamdscan to do what it normally does. You seem to have given an example of something else (of what clamd does when it is scanning a stream of data sent to the socket on which it is listening). This is for example what happens when you use clamav-milter to scan incoming mail; the incoming message is passed to the clamd daemon on its socket. When clamd scans a stream of data there is no file name, it's just a stream of data, so clamd can't give you any name. On the other hand clamdscan knows the names of the files which it passes to clamd to scan; when clamd tells clamdscan a file matches a signature, clamdscan can tell you which file it was, and which signature.

Here's the command I gave to scan a directory full of spam emails this morning:

$ clamdscan /var/lib/SUBMISSIONS/messages

Here's the result in the log - some of the emails were flagged. I've edited it for brevity but you can see the pathnames and signature IDs. The paths are in /var/ and the filenames are all Sendmail message IDs.

8<--
Sep 19 10:01:09 clamd[4665]: /var/.../x8EGYHK0009933: 58172 FOUND
Sep 19 10:01:09 clamd[4665]: /var/.../x8HABuOb007396: 58175 FOUND
Sep 19 10:01:09 clamd[4665]: /var/.../x8EIlecT023326: 58171 FOUND
Sep 19 10:01:09 clamd[4665]: /var/.../x8FAjoDx020771: 27775 FOUND
Sep 19 10:01:09 clamd[4665]: /var/.../x8GFcxQs001950: 58174 FOUND
Sep 19 10:01:09 clamd[4665]: /var/.../x8H6Z8UR026649: 58170 FOUND
Sep 19 10:01:09 clamd[4665]: /var/.../x8GJbwD8019380: 27774 FOUND
Sep 19 10:01:09 clamd[4665]: /var/.../x8HE4bQf007238: 58173 FOUND
Sep 19 10:01:09 clamd[4665]: /var/.../x8HHfcPh021663: 58169 FOUND
Sep 19 10:01:09 clamd[4665]: /var/.../x8HN3mEf025577: 58167 FOUND
Sep 19 10:01:09 clamd[4665]: /var/.../x8I1Avox028331: 58168 FOUND
Sep 19 10:01:09 clamd[4665]: /var/.../x8I98tXw019474: 5eb86d FOUND
Sep 19 10:01:09 clamd[4665]: /var/.../x8I9N3iW025511: 4810c4 FOUND
Sep 19 10:01:09 clamd[4665]: /var/.../x8I9QUY9025837: 5eb86d FOUND
Sep 19 10:01:09 clamd[4665]: /var/.../x8IA3Zpb004800: 5eb86d FOUND
8<--

Exactly how are you telling clamd/clamdscan to scan the files? It might also be useful to see your clamd.conf.

--
73, Ged.
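The two log shapes in this thread (the syslog lines with `clamd[PID]:` in the reload discussion earlier and the listing just above, and the `... -> fd[12]: ...` line from clamd's own LogFile that the question quotes) carry everything needed to measure how long a reload takes and to list what was flagged under which name. The following is an added example written for this page, not code from the thread or from ClamAV. Its sample lines are copied from the messages above; syslog lines carry no year, so 2019 is assumed when timestamps are parsed, and the year is a parameter.

```python
"""Pull reload timings and detections out of clamd log lines (added example,
not ClamAV code).  Handles the two line shapes shown in the thread: syslog
('Sep 5 09:04:14 mail6 clamd[5479]: ...') and clamd's LogFile format
('Thu Sep 19 16:42:24 2019 -> fd[12]: ...').  Syslog lines have no year, so
one is assumed (default 2019, the year of the thread)."""
import re
from datetime import datetime

SYSLOG = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
                    r"(?:(?P<host>\S+) )?(?P<prog>[\w.-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
LOGFILE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) -> (?P<msg>.*)$")
RELOAD_START = re.compile(r"^Reading databases from (?P<dir>\S+)$")
RELOAD_DONE = re.compile(r"^Database correctly reloaded \((?P<sigs>\d+) signatures\)$")
# 'name: Signature FOUND' or 'name: OK'; name is a path, or fd[N]/stream when no path was given
VERDICT = re.compile(r"^(?P<name>.+): (?:(?P<sig>\S+) FOUND|OK)$")


def parse_line(line, year=2019):
    """Return (timestamp, pid, message) for a recognised line, else None.
    pid is None for LogFile-format lines and syslog lines without one."""
    m = SYSLOG.match(line)
    if m:
        ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
        return ts, (int(m["pid"]) if m["pid"] else None), m["msg"]
    m = LOGFILE.match(line)
    if m:
        return datetime.strptime(" ".join(m["ts"].split()), "%a %b %d %H:%M:%S %Y"), None, m["msg"]
    return None


def reload_durations(lines, year=2019):
    """Pair 'Reading databases' with 'Database correctly reloaded' per daemon PID.
    Returns [(pid, seconds, signatures)] in log order; this is the window the
    thread's PING/PONG lines bracket."""
    pending, out = {}, []
    for line in lines:
        parsed = parse_line(line, year)
        if not parsed:
            continue
        ts, pid, msg = parsed
        if RELOAD_START.match(msg):
            pending[pid] = ts
            continue
        m = RELOAD_DONE.match(msg)
        if m and pid in pending:
            out.append((pid, int((ts - pending.pop(pid)).total_seconds()), int(m["sigs"])))
    return out


def detections(lines, year=2019):
    """Return [(name, signature)] for every FOUND line.  The name is only a
    path when clamd was handed a path (as clamdscan does); otherwise it is
    whatever clamd had, like the fd[12] in the question above."""
    out = []
    for line in lines:
        parsed = parse_line(line, year)
        if not parsed:
            continue
        m = VERDICT.match(parsed[2])
        if m and m["sig"]:
            out.append((m["name"], m["sig"]))
    return out


# Sample lines copied from the thread: syslog lines from the reload discussion
# and the clamdscan listing (the '...' is the poster's own elision), plus the
# LogFile-format line from the question.
SAMPLE = """\
Sep 5 02:07:14 mail6 clamd[7689]: SelfCheck: Database modification detected. Forcing reload.
Sep 5 02:07:14 mail6 clamd[7689]: Reading databases from /etc/mail/clamav
Sep 5 02:07:14 mail6 root: pong
Sep 5 02:11:35 mail6 clamd[7689]: Database correctly reloaded (8871522 signatures)
Sep 5 09:04:12 mail6 clamd[5479]: SelfCheck: Database modification detected. Forcing reload.
Sep 5 09:04:14 mail6 clamd[5479]: Reading databases from /etc/mail/clamav
Sep 5 09:04:14 mail6 root: pong
Sep 5 09:07:59 mail6 clamd[5479]: Database correctly reloaded (8869225 signatures)
Sep 19 10:01:09 clamd[4665]: /var/.../x8EGYHK0009933: 58172 FOUND
Sep 19 10:01:09 clamd[4665]: /var/.../x8HABuOb007396: 58175 FOUND
Sep 19 10:01:09 clamd[4665]: /var/.../x8I98tXw019474: 5eb86d FOUND
Thu Sep 19 16:42:24 2019 -> fd[12]: Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68) FOUND
""".splitlines()

if __name__ == "__main__":
    print(reload_durations(SAMPLE))
    print(detections(SAMPLE))
```

On the sample the two reloads come out at 261 s (PID 7689) and 225 s (PID 5479), and the last detection is reported against `fd[12]` rather than a path, which is the distinction the reply above draws between clamdscan handing clamd a name and clamd being handed only a descriptor or stream.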
Re: [clamav-users] OnAccessExcludePath being ignored.
Hi there,

On Thu, 26 Sep 2019, CROFT Ian wrote:

> But when I put an EICAR test txt file in /var/log/test.txt it is getting picked up by the OnAccess scanner. I have tried ^/var/log/ and ^/var/log/* - same issue the test.txt is still picked up by the OnAccess scanner when it should in my mind be being ignored. Any ideas ?

You really do need to get used to reading the 'man' pages. In this case the man page for clamd.conf states

OnAccessExcludePath STRING

which means that the argument is a STRING, not a REGEX. You must not put things like '^' and '*' in a STRING argument because a STRING is taken literally. You are excluding names which do not exist on your system.

--
73, Ged.
Re: [clamav-users] OnAccessExcludePath being ignored.
Hello again,

On Thu, 26 Sep 2019, CROFT Ian via clamav-users wrote:

> ... making sure they are all strings looks better now in most cases. So I now have these :-
>
> OnAccessIncludePath /var/log ( Only added to include to get around the bug previously mentioned )
> OnAccessIncludePath /var
> OnAccessExcludePath /var/log
>
> However eicar test as /var/log/test.txt is still being picked up. It's working fine on other real sub directories (not separate mounts), feels like this is falling foul of the fact /var/log is a sub mount point perhaps.

H. Bugs or no bugs it seems rather willful having both of these:

OnAccessIncludePath /var/log
OnAccessExcludePath /var/log

and I'm not surprised that things seem a bit insane if you do. :)

Unfortunately on bugzilla, issue 12306 itself is restricted access. Because of that I didn't even know of its existence - I've trawled through every issue listed in the components pages at

https://bugzilla.clamav.net/describecomponents.cgi?product=ClamAV

and AFAICT it doesn't appear in any of them. So I don't think I can add anything useful to what I've already said.

To repeat what I've already said, I think scanning /var/log isn't a great idea.

--
73, Ged.
Re: [clamav-users] ClamAV® blog: ClamAV 0.102.0 Release Candidate is now available
Hi there,

I don't think this needs to go to clamav-devel.

On Fri, 27 Sep 2019, Franky Van Liedekerke via clamav-users wrote:

> ... why would clamonacc during compilation need libcurl? And ...

https://blog.clamav.net/2019/08/clamav-01013-security-patch-release-and.html

> I can't justify newer clamav version to need to install non-rhel libcurl and libssh2 (dependancy) versions on a server just like that to my manager ...

You don't have to. You can build it all in your home directory, then build a package, and then install from your package. Once you have a system set up to do that it's just a matter of plugging in new sources as and when they're released and then turning the handle. You can use your package to install on unlimited numbers of machines and it's much better than relying on the whims of some distro's packaging anyway as you have full control of the build process.

But it could seem a little strange that your manager might insist that you use out of date utilities for your security systems... :)

--
73, Ged.
Re: [clamav-users] ClamAV® blog: ClamAV 0.102.0 Release Candidate is now available
Hi there,

On Fri, 27 Sep 2019, Matus UHLAR - fantomas wrote:

> On 27.09.19 15:21, G.W. Haywood via clamav-users wrote:
>
>> ... But it could seem a little strange that your manager might insist that you use out of date utilities for your security systems... :)
>
> redhat version of libcurl is maintained and supported by redhat. That is not true for self-installed versions.

My quip was meant to be light-hearted, hence the emoticon. Hopefully, unlike the attempt at humour in your sig, it did not offend.

--
73, Ged.
Re: [clamav-users] RHEL ScanonAccess includepaths
Hi there,

On Tue, 24 Sep 2019, CROFT Ian wrote:

> We have a need to have OnAccessScanning on our RHEL servers but with some path exclusions.

May I ask why?

> So as I read the manuals etc it seems I have to use the OnAccessIncludePath rather than the OnAccessMountPath.

I guess that's right unless you have separate partitions mounted for things like /var, /usr/local, /home and whatever.

> So the filesystem layout is as such :-
>
> /
> /boot
> /home
> /var
> /var/log
> /var/tmp
> /var/log/audit

Are these all separate mount points/partitions?

> So I have set up the following IncludePath entries in scan.conf

I guess the file scan.conf is something that RH does with ClamAV. There is no such file in any of my systems built from source.

> OnAccessIncludePath /dev

There be dragons, I wouldn't do that.

> OnAccessIncludePath /var

I wouldn't do that.

> Does anybody know where I am going wrong ?

Why do you want to scan everything under /var/log? It seems pointless scanning a bunch of files which are effectively write-only logs. You *might* theorize that a text file could have something written to it which would compromise a pager or something when you tried to read the log with it, but it seems quite a, well, a Stretch of the imagination.

I would suggest reading the release notes for version 0.102, there are some significant changes for on-access scanning.

--
73, Ged.
Re: [clamav-users] OnAccess renders system unusable in ~24h
Hi there,

On Tue, 24 Sep 2019, Tim Stubbs wrote:

> I am running clamd with OnAccess enabled, however it's causing the load on the systems to make them almost unusable within about 24 hours.

This may be true, but I'd want to know that the suspicion is justified (and front and centre I personally think scanning most Linux boxes with ClamAV is a waste of CPU).

> as you can see sys is at 98% ...

No, I see CPU 27% idle and three clamd processes doing nothing. But I do see a load average of around seven. On my dual CPU 2.7GHz Opterons I routinely see an average of that sort of figure when they do backups for a bunch of other machines, and Nagios will whine about it when it gets over 8, but I don't usually worry about it until it gets into the double digits.

> it seems clamd is stopping other applications from processing somehow. cannot find anything in the logs. not sure what debugging would be helpful? any advice would be helpful here?

My immediate reaction is - if the suspicion is found to be justified - that you should try to reduce, initially to a bare minimum, the amount of work which you're asking the machine to do.

> OnAccessIncludePath = "/home", "/root", "/etc", "/sftp", "/boot", \
>     "/opt", "/media", "/mnt"

For example you could remove most of the directories from this list to see if it helps. There are other things you might try, like limiting the number of threads. But again, I don't see anything in your 'top' output which tells me that clamd is heavily loading your machine.

What kinds of threats do you care about? If for example you're not expecting your Linux boxes to be attacked by Windows malware you could reduce the size of the ClamAV databases very significantly which might improve scanning performance.

ClamAV version 0.102 has just been released as a candidate for testing and I've been running it for some time before the RC was released. It contains some significant improvements for on-access scanning and, if you do intend to persevere with on-access scanning, I'd recommend that you install the latest version from the source.

--
73, Ged.
Re: [clamav-users] Setting up logrotation
Hi there,

On Tue, 24 Sep 2019, Lars Åhman wrote:

> I'm running clamav as a daemon on a fedora and basically keep it running 24/7 except for an occasional update every now and then.

It isn't clear to me from what you've written that you know what the ClamAV daemon (clamd) actually does. Do you?

> I want the main clamd log to rotate and have the LogFileMaxSize set to some small amount for testing purposes and LogRotate set to yes. I had no prior experience with any log rotation and here I learned that just these settings alone won't suffice to get the logs to rotate. Correct me if I'm wrong, but I think I have to set up a script to /etc/logrotate.d/ as well.

You stand corrected. :/

Log rotation can be done EITHER by the logrotate system (which usually uses /etc/logrotate.conf and the files in /etc/logrotate.d) OR by some other system (such as, in this case, a package which provides clamd). You do not want both of them trying to do it, and IMO it's better to leave things like that to the logrotate system - which already rotates a lot of logs for you. Simply don't set the logrotate configuration option in clamd.conf (or set it to 'no' which is the default) and then set up a logrotate configuration by creating a file in /etc/logrotate.d/ like J.R. suggested. (In clamd.conf, that is, if you actually have a clamd.conf - but we'll look at that later.)

But it gets worse: you can tell clamd to log to a file, or you can tell it to use what we call 'syslog' instead. The more experienced administrators tend to use syslog because it offers quite a bit more flexibility than is usually available from just writing to a file, including being able to log to remote systems and choosing what kind of messages to log and what to ignore. There's more than one syslog daemon that you can use too; I prefer syslog-ng, but let's not get ahead of ourselves. The downside is a little more configuration but it really is worth getting used to syslog-style logging. You can log both to a file *and* through syslog, but most of the time that would just be a waste of CPU and storage.

For your introduction to all this I suggest you avoid syslog just now, tell clamd to log to a file, and tell the logrotate system to do what it does best by using a snippet like one posted by J.R.

> In /etc/logrotate.d/ the only clamav related file is called "clamav-update", though.

Not being familiar with how RedHat does things, I'll guess that this is for the 'freshclam' logs. The databases are normally updated by the 'freshclam' utility, but they don't have to be. It will usually be configured to log things when it runs.

> Nothing clamd related. I'm pretty lost with the whole log rotation thing as I can't understand the connection between the scan.conf settings and the inbuilt logrotate on my fedora.

I can't help you with 'scan.conf' because I don't know what it is, I've never seen a file of that name. It doesn't come with ClamAV when you get the original sources from clamav.net. I'd hope that whoever created it also documented it somewhere. Normally I would expect a file called 'clamd.conf' for the clamd configuration. It doesn't have to be called that name, but it normally is. If it is called something else then you can tell clamd on its command line, see

man clamd

for more information about that.

> If possible I want to be able to keep running clamd without interruption while rotating logs when they get too big.

That's the way it's normally done. There's one issue to address; when the log files are rotated, the thing that's logging has to be told either to close and re-open its log file (so that it starts writing to the new, empty file instead of carrying on writing to the old one which now has a different name) or, if it can't do that, simply to shut down and restart so that it will find the new, empty file anyway. Logrotate sends a signal to the thing that's logging to tell it to do this.

You'll note that JR showed a second snippet for freshclam logs, and he mentioned that he runs freshclam from cron, not as a daemon. A daemon would need to be told to close and re-open its log after rotation, but as JR runs his database update process on a schedule from cron, freshclam shuts down after every update and closes its log file so that instruction isn't necessary. Incidentally the logrotate system runs on a schedule from cron (or something like it) as well. See

man cron

and

man crontab

Please do note that where JR gets his logs to be written might not be the same places that you will get yours to be written, so the snippets are really just templates to give you an idea of what's needed.

> How can I achieve this? What configurations do I have to do? What scripts do I have to set up? How can I affect the names of the stored logs?

The first three questions should be answered by typing

man logrotate

on your system. But as this is what we call a 'man' page it will be very terse information and you might need more help with it.
Re: [clamav-users] OnAccess renders system unusable in ~24h
Hello again,

On Tue, 24 Sep 2019, Tim Stubbs wrote:

>> What kinds of threats do you care about? If for example you're not expecting your Linux boxes to be attacked by Windows malware you could reduce the size of the ClamAV databases very significantly which might improve scanning performance.
>
> Sorry could you point me in the right direction for how to do this? good hasn't helped me so far?

Check the archives for this list, it's been discussed recently how to use an empty database. That might be a good start.

--
73, Ged.
Re: [clamav-users] Question
Hi there,

On Thu, 3 Oct 2019, alex mc via clamav-users wrote:

> ... lately I've been looking for the clamav antivirus code but I don't know why I can't find it, could you send it to me or tell me where to find it? ...

http://catb.org/~esr/faqs/smart-questions.html

--
73, Ged.
Re: [clamav-users] Determine if ClamAV is looking for a specific piece of ransomware (Linux)
Hi there,

On Mon, 4 Nov 2019, Scott Shannon via clamav-users wrote:

> I’m attempting to determine if a specific ransomware, Friedex.d, a variant of Iencrypt, is being scanned for ...

It isn't clear to me if you have a ClamAV installation or not. If you do, you can presumably get a copy of the malware and scan for it. If you don't, and you don't want to, then you could submit a sample to a Website like Jotti's:

https://virusscan.jotti.org/

which will scan it using a couple of dozen scanners, ClamAV included.

> ... with the current definitions.

Please define "the current definitions". :)

There are many third-party signatures. Depending on requirements at a particular site, they may or may not be in use at that site. For example, I'm mainly interested in filtering mail for spam. So I use a lot of third party spam signatures but I make little effort to add to ClamAV's 'official' virus database.

> I came across an article that basically said to dump the database and search for the name...

But which name? There's no universal naming convention for malware. However, in this case, maybe you're in luck:

$ grep -ia friedex /var/lib/clamav/databases/*
daily.cld:Win.Ransomware.Friedex-6961100-0;Engine:81-255,Target:1;[snip]

Of course there could be a whole family of the little varmints.

> ... I can’t find anywhere on the website to submit data for a known piece of ransomware ...

My first search:

https://www.bing.com/search?q=clamav+submit+virus

The first hit:

https://www.clamav.net/reports/malware

But it would be as well to check first that it isn't already covered.

--
73, Ged.
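The grep above works on daily.cld because a .cld is a 512-byte text header followed by a plain tar archive; the same grep on a daily.cvd finds nothing, because there the tar is gzip'ed. The header is also what freshclam's "retrieve CVD header" step in the earlier thread is fetching. What follows is an added example written for this page, not ClamAV code: it parses that header (the nine colon-separated fields of the CVD format), tells a .cvd body from a .cld body by the gzip magic, and searches the signature names inside the archive case-insensitively, which is what the grep is doing by hand. The database it runs against is constructed in build_sample_db() with made-up signature lines, checksum, digital signature and builder name; only the EICAR hash and size are values that appear elsewhere on this page.

```python
"""Parse a ClamAV .cvd/.cld header and search the signature names inside it
(added example, not ClamAV code).  Header: nine colon-separated fields
  ClamAV-VDB:<build time>:<version>:<signatures>:<functionality level>:<MD5>:<digital signature>:<builder>:<build time, unix>
space-padded to 512 bytes, then a tar: gzip'ed in a .cvd, plain in a .cld."""
import gzip
import io
import tarfile
from dataclasses import dataclass

HEADER_LEN = 512
GZIP_MAGIC = b"\x1f\x8b"
# Hash-based signature files carry the malware name in the third field;
# .ndb/.ldb/.cdb and friends carry it first.
NAME_THIRD = (".hdb", ".hsb", ".mdb", ".msb", ".fp", ".sfp")


@dataclass
class CvdHeader:
    build_time: str
    version: int
    signatures: int
    flevel: int          # minimum engine functionality level the database needs
    md5: str
    dsig: str
    builder: str
    build_unix: int
    compressed: bool     # True for a .cvd (gzip body), False for a .cld


def parse_cvd_header(blob):
    if len(blob) <= HEADER_LEN:
        raise ValueError("too short to be a CVD/CLD")
    fields = blob[:HEADER_LEN].decode("ascii", "replace").rstrip(" \0").split(":")
    if len(fields) != 9 or fields[0] != "ClamAV-VDB":
        raise ValueError("not a ClamAV-VDB header")
    return CvdHeader(fields[1], int(fields[2]), int(fields[3]), int(fields[4]),
                     fields[5], fields[6], fields[7], int(fields[8]),
                     blob[HEADER_LEN:HEADER_LEN + 2] == GZIP_MAGIC)


def needs_newer_engine(hdr, engine_flevel):
    """True when the database asks for a functionality level the engine lacks."""
    return hdr.flevel > engine_flevel


def signature_names(blob):
    """Yield (member file, signature name) for every signature line in the body."""
    body = blob[HEADER_LEN:]
    if parse_cvd_header(blob).compressed:
        body = gzip.decompress(body)
    with tarfile.open(fileobj=io.BytesIO(body), mode="r:") as tar:
        for member in tar.getmembers():
            fobj = tar.extractfile(member)
            if fobj is None:
                continue
            for line in fobj.read().decode("utf-8", "replace").splitlines():
                if not line or line.startswith("#"):
                    continue
                parts = line.split(";", 1)[0].split(":")
                third = member.name.endswith(NAME_THIRD) and len(parts) > 2
                yield member.name, (parts[2] if third else parts[0])


def search(blob, needle):
    """Case-insensitive substring match over signature names, like grep -i."""
    needle = needle.lower()
    return [(m, n) for m, n in signature_names(blob) if needle in n.lower()]


def build_sample_db(compressed):
    """Constructed .cvd (compressed=True) or .cld; every value here is made up
    except the EICAR MD5/size, which the thread quotes."""
    members = {
        "daily.ndb": "Win.Ransomware.Friedex-6961100-0:1:*:4d5a90\n"
                     "Eicar-Test-Signature:0:*:58354f21\n",
        "daily.ldb": "Win.Ransomware.Friedex-6961100-1;Engine:81-255,Target:1;0;4d5a\n",
        "daily.hdb": "44d88612fea8a8f36de82e1278abb02f:68:Eicar-Test-Signature\n",
    }
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tar:
        for name, text in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(text.encode())
            tar.addfile(info, io.BytesIO(text.encode()))
    body = gzip.compress(tar_buf.getvalue()) if compressed else tar_buf.getvalue()
    sigs = sum(t.count("\n") for t in members.values())
    header = (f"ClamAV-VDB:13 Sep 2019 08-02 -0400:25580:{sigs}:63:"
              "0123456789abcdef0123456789abcdef:madeupdsig:example-builder:1568376120")
    return header.ljust(HEADER_LEN).encode("ascii") + body
```

To use it on a real database, read the file into `blob` and call `parse_cvd_header(blob)` and `search(blob, "friedex")`; the header's functionality level is the field to compare against the engine when a freshly downloaded daily refuses to load on an old clamd.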
Re: [clamav-users] LibClamAV Error: cli_scangpt: could not determine sector size
Hi there,

On Mon, 11 Nov 2019, Michael Newman via clamav-users wrote:

> On Nov 11, 2019, at 00:00, G.W. Haywood wrote:
>
>> Exactly what do you do in order to obtain this message? Does it
>> appear in a terminal session, in a log file,…?
>
> I run clamscan from a bash script with this command:
>
> /opt/local/bin/clamscan -r --quiet -i -l $log $scandir --exclude-dir="$exclude" --exclude-dir="$exclude2" --stdout >>$log 2>&1

That leaves quite a lot to the imagination. :/

Ideally we'd want to know the values of all the variables in the command. It doesn't much matter about $log, but $scandir and the two '$exclude's are important.

> I have no idea if the MacPorts reclaim removed all of clamav.

I think you might need to look into that, I'm sure there must be adequate documentation. But to avoid any geese-chasing it would be better not to jump to any conclusions about broken installations at this stage. It might not be broken, it might just be scanning in a different way from how it used to be, or something in the filesystem might have changed.

The error message seems to be telling us that you're scanning a disc partition rather than a file, and I wonder if for example one of the '$exclude's is not being set correctly - this might for example result in asking to scan something like partitions in '/dev' when you don't intend to. If they're scanning filesystems, most people will just scan the files, not the partitions. You may have particular requirements, but if you do I'd have expected that you would have mentioned that by now.

> Is there something I can do to have clamscan give me more information
> about the sector size problem?

The 'man' pages for the various ClamAV tools are a very good resource. If you remove the '-i' it may let you see what's being scanned at the time of the error. If it's as simple as something that shouldn't be scanned then maybe you'll see that and that might lead to something like a failure to set an $exclude in the script or whatever calls it.

If that doesn't help you might replace '--quiet' with '--debug' and run the command, but I don't know how much help that will be. And be aware that making deductions from what you see in the log files isn't always straightforward.

I have to say I'm no fan of scanning Unix-type filesystems like this.

--
73,
Ged.

___
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
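One way to take the guesswork out of a scan script like the one quoted above, as an added example that is not the poster's script or anything from the ClamAV project: a small Python wrapper that refuses to run when an exclude pattern is unset or empty (an unset shell variable would otherwise pass an empty --exclude-dir silently), refuses a scan root inside the device or kernel pseudo-filesystems, and records the exact argv in the log before clamscan is started. The clamscan path is taken from the quoted command; the NEVER_SCAN list and the function names are this example's own assumptions.

```python
import os
import shlex
import subprocess

CLAMSCAN = "/opt/local/bin/clamscan"          # path from the quoted script
# Assumption of this example: roots holding device nodes or kernel state are
# never what a file scan is meant to cover.
NEVER_SCAN = ("/dev", "/proc", "/sys")


def validate(scandir, excludes):
    """Return a list of problems with the intended invocation (empty if none)."""
    problems = []
    if not scandir or not os.path.isdir(scandir):
        problems.append(f"scan root is not a directory: {scandir!r}")
    else:
        root = os.path.realpath(scandir)
        if root in NEVER_SCAN or root.startswith(tuple(p + "/" for p in NEVER_SCAN)):
            problems.append(f"refusing to scan {root}: device or kernel pseudo-filesystem")
    # clamscan's --exclude-dir takes a regex; an empty one is never intended.
    for i, pattern in enumerate(excludes, 1):
        if not pattern:
            problems.append(f"exclude pattern {i} is unset or empty")
    return problems


def build_argv(scandir, excludes, log, quiet=False):
    """Build the clamscan argv; raise if validate() found anything wrong.
    quiet=False leaves --quiet off so the scanner reports what it was scanning."""
    problems = validate(scandir, excludes)
    if problems:
        raise ValueError("; ".join(problems))
    argv = [CLAMSCAN, "-r", "-i", "-l", log, "--stdout"]
    if quiet:
        argv.append("--quiet")
    argv += [f"--exclude-dir={p}" for p in excludes]
    argv.append(os.path.realpath(scandir))
    return argv


def run_scan(scandir, excludes, log, execute=False):
    """Append the exact command line to the log, then run it when execute=True."""
    argv = build_argv(scandir, excludes, log)
    with open(log, "a", encoding="utf-8") as fh:
        fh.write("running: " + shlex.join(argv) + "\n")
    return subprocess.run(argv).returncode if execute else None
```

Because the resolved command line is written to the log before the scan starts, a report of "could not determine sector size" can be matched against the exact paths clamscan was given at the time.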
Re: [clamav-users] Clamav error using YARA
Hi there,

On Sun, 10 Nov 2019, Philippe Lefèvre wrote:

> Since some time (less than a month I think) I now get this message
> when I launch a directory scan.
>
> LibClamAV Error: yyerror(): /var/lib/clamav/rfxn.yara line 8955 undefined identifier "is__elf"
> LibClamAV Warning: cli_loadyara: failed to parse or load 1 yara rules from file /var/lib/clamav/rfxn.yara, successfully loaded 784 rules.

Please post the output of

grep -n is__elf /var/lib/clamav/rfxn.yara

--
73,
Ged.
Re: [clamav-users] Clamav error using YARA
Hi there,

On Mon, 11 Nov 2019, Philippe Lefèvre wrote:

> # grep -n is__elf /var/lib/clamav/rfxn.yara
> 9112: is__elf and all of ($s*)

Maybe this will help:

https://www.rfxn.com/downloads/maldetect-current.tar.gz

8<--
laptop3:~$ >>> grep -n is__elf ~/Downloads/maldetect-1.6.4/files/sigs/rfxn.yara
9068:private rule is__elf
9105:is__elf and all of ($s*)
laptop3:~$ >>>
8<--

--
73,
Ged.
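The grep output above shows the pattern: the rule still references is__elf, but the 'private rule is__elf' that defines it is gone from the installed copy. The following is an added example, not code from the list or from the rfxn project: a Python check that lists identifiers used in a YARA file's condition blocks that are not defined as a rule in the same file, so a broken rule set can be spotted before clamd refuses to load it. The sample rule text is constructed; the keyword list and the way rule bodies are delimited (from one rule header to the next) are this example's own simplifications.

```python
import re

# A rule header: optional modifiers, then "rule NAME"; tags after ':' are ignored.
RULE_DEF = re.compile(r"^[ \t]*(?:(?:private|global)[ \t]+)*rule[ \t]+([A-Za-z_]\w*)", re.M)
IMPORT = re.compile(r'^[ \t]*import[ \t]+"(\w+)"', re.M)
IDENT = re.compile(r"\b[A-Za-z_]\w*\b")
# Words that may appear bare in a condition without naming another rule
# (this example's list; not exhaustive for every YARA version).
KEYWORDS = {
    "and", "or", "not", "all", "any", "none", "of", "them", "at", "in", "for",
    "filesize", "entrypoint", "true", "false", "defined", "KB", "MB",
    "contains", "icontains", "matches", "startswith", "istartswith",
    "endswith", "iendswith", "iequals",
    "int8", "int16", "int32", "uint8", "uint16", "uint32",
    "int8be", "int16be", "int32be", "uint8be", "uint16be", "uint32be",
}


def _blank(match):
    """Replace a match with spaces of equal length so offsets stay valid."""
    return " " * len(match.group(0))


def undefined_rule_references(text):
    """Return [(line, rule, identifier)] for bare identifiers in a condition
    that are not a rule defined in this file, a keyword, an imported module
    or a loop variable, in file order."""
    defined = set(RULE_DEF.findall(text)) | set(IMPORT.findall(text))
    headers = list(RULE_DEF.finditer(text))
    problems = []
    for i, hdr in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        body = text[hdr.start():end]
        cond_at = body.find("condition:")
        if cond_at < 0:
            continue
        cond_at += len("condition:")
        cond = body[cond_at:]
        # Blank comments and quoted text first, note loop variables, then blank
        # $/#/@/! string references, ".member" accesses and numeric literals.
        for pattern in (r"/\*.*?\*/", r"//[^\n]*", r'"(?:\\.|[^"\\])*"'):
            cond = re.sub(pattern, _blank, cond, flags=re.S)
        loop_vars = set(re.findall(r"\bfor\s+(?:any|all|\d+)\s+([A-Za-z_]\w*)\s+in\b", cond))
        for pattern in (r"[$#@!][A-Za-z0-9_*]*", r"\.[A-Za-z_]\w*",
                        r"\b0x[0-9A-Fa-f]+\b", r"\b\d+\b"):
            cond = re.sub(pattern, _blank, cond)
        for m in IDENT.finditer(cond):
            ident = m.group(0)
            if ident in KEYWORDS or ident in defined or ident in loop_vars:
                continue
            line = text.count("\n", 0, hdr.start() + cond_at + m.start()) + 1
            problems.append((line, hdr.group(1), ident))
    return problems


# Constructed sample: a rule whose condition relies on a helper rule that was
# dropped from the file, and the same file with the helper restored.
SAMPLE_MISSING = '''
rule sample_needs_helper
{
    meta:
        description = "constructed example, not an rfxn rule"
    strings:
        $s1 = "sample string one"
        $s2 = "sample string two"
    condition:
        is__elf and all of ($s*)
}
'''
SAMPLE_FIXED = '''
private rule is__elf
{
    condition:
        uint32(0) == 0x464c457f
}
''' + SAMPLE_MISSING

if __name__ == "__main__":
    import sys
    with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
        for line, rule, ident in undefined_rule_references(fh.read()):
            print(f"{sys.argv[1]}:{line}: rule {rule} references undefined identifier {ident}")
```

Run against a file, it prints one line per missing definition with the same line number clamd would complain about; an empty report means every rule referenced from a condition is defined somewhere in that file.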
Re: [clamav-users] clamd onaccess scanning NFS
Hi there,

On Mon, 11 Nov 2019, Mark Parker via clamav-users wrote:

> On 11/11/2019 12:05 PM, G.W. Haywood via clamav-users wrote:
>
>> On Mon, 11 Nov 2019, Mark Parker via clamav-users wrote:
>>
>>> ... need onaccess scanning but .. clamd .. doesn't have permissions
>>> to view a user's home directory contents. Am I missing something?
>>
>> Group read?
>
> Well, I don't want to change permissions on 30 million files to make
> this work. Seems like the wrong thing to do.

It seems like you've made this harder than it needs to be.

Normally I'd expect a private home directory to contain mostly files with 'ugo' read, and the permissions on the home directory would be what controls access to them. Each user will be in a group of the same name (that's usual in a lot of setups anyway) and all you need to do to permit the clamav user to scan the files would be to put that user in every group.

Everyone here knows I'm not a great fan of using ClamAV in this way, but of course in the '.edu' TLD you do have different issues from the rest of us...

--
73,
Ged.
Re: [clamav-users] clamd onaccess scanning NFS
Hi there,

On Mon, 11 Nov 2019, Mark Parker via clamav-users wrote:

> ... need onaccess scanning but .. clamd .. doesn't have permissions to
> view a user's home directory contents. Am I missing something?

Group read?

--
73,
Ged.
Re: [clamav-users] A better zip bomb
Hi there,

On Fri, 8 Nov 2019, Markus Kolb via clamav-users wrote:

> On 08.11.2019 11:58, G.W. Haywood via clamav-users wrote:
>
>> On Fri, 8 Nov 2019, Arnaud Jacques wrote:
>>
>>> ...Brent wrote:
>>> [...]
>>>> clamscan --alert-exceeds-max=yes --max-recursion=5 --max-ziptypercg=5M
>>>> /var/tmp/tmp/zbxl.zip: Heuristics.Limits.Exceeded FOUND
>>
>> It seems that there might be room for improvement in Brent's client's
>> ClamAV configuration, perhaps we should be trying to understand why it
>> is in this state. It should be a deliberate choice to disable a test
>> for excessive resource usage, not an accident.
>
> The alerting on exceed is disabled by default.

Ah, good point. I'd forgotten that long ago I'd set 'AlertExceedsMax' to 'yes' in the base configuration that I usually use as a starting point.

Maybe that should default to 'yes', perhaps with higher values for some of the limits if that's an issue? I must say that I don't recall any problems with the default values for archive limits in many years of using ClamAV. There was one contract draughtsman who for some time insisted on sending 30-megabyte emails to the QA manager at his client, but it was a Sendmail limit which rejected the messages, not ClamAV. In the end they stopped using him. :/

--
73,
Ged.
[clamav-users] Administrivia.
Hi there,

Many people use aliases for mailing list correspondence, so that the bots which scrape list archives for email addresses and then send spam to those addresses get the aliases and not the real addresses. It's a simple matter to permit mail to the aliases from only the list servers, and that's what I've done for a couple of decades for many lists.

It seems that if someone replies to a message which I've sent to the ClamAV list using 'reply to originator' with 'cc to list' (or whatever the mail client calls those things), then when the ClamAV list server processes the message, it doesn't send the message to me. It's kinda unhelpful, as I'll then see no reply unless I happen to see the REJECT message in the logs, or maybe look at the list archives.

Is this really what's happening, and if so, is it by design?

--
73,
Ged.
Re: [clamav-users] strace - select(13, [12], NULL, NULL, NULL) = -1 EBADF (Bad file descriptor) <0.000017>
Hi there,

On Thu, 7 Nov 2019, J.R. via clamav-users wrote:

> Which brought clamd back to life and the system load returned to
> normal. No idea if this is an OS bug, a ClamAV bug or some kind of
> user error, any help here will be appreciated.

What version of ClamAV? What OS? What customization / edits to config files have you made? And what are you scanning???

--
73,
Ged.
Re: [clamav-users] ClamAV not listed at VirusTotal anymore
Hi there,

On Wed, 6 Nov 2019, Joel Esler (jesler) via clamav-users wrote:

> On Nov 6, 2019, at 9:04 AM, MAYER Hans via clamav-users wrote:
>
>> I uploaded a file for testing at VirusTotal just now. I am wondering
>> that ClamAV is not listed ... hours earlier it was.
>
> I just uploaded a file, and I see it

There's always Jotti's site: https://virusscan.jotti.org/

--
73,
Ged.
Re: [clamav-users] unexplainable tar behaviour
Hi there,

On Thu, 31 Oct 2019, J.R. via clamav-users wrote:

> Is ClamAV scanning the archive as-is, then additionally (hopefully)
> decompressing it and scanning individual files?

man clamd.conf

(search for 'ScanArchive')

> Is there a way to debug with more info to see exactly what is going
> on with the process?

More detail about the sort of thing you'd be looking for would help. As described in the 'man' pages there are 'verbose' and 'debug' options for the scanners and the libraries, I don't know how much help they'll be to you.

As has previously been mentioned, to investigate you can always use the built-in OS tools to chop a file into parts (although my preference would usually be to script something with Perl; that's just because I'm very familiar with Perl's regexes, there's not much that can't be done with them - nor, for that matter, with Perl.)

The bulk of the signatures are pretty simple, otherwise they'd tend to be fragile; in my experience most of the time it's easy to understand what they mean just by inspection. I don't often find myself doing it but when I do it's usually something like

$ sigtool --datadir=... -fSanesecurity.ScamL.613 | sigtool --decode-sigs
VIRUS NAME: Sanesecurity.ScamL.613
TARGET TYPE: MAIL
OFFSET: *
DECODED SIGNATURE:
REFERENCE NoMBre{WILDCARD_ANY_STRING(LENGTH<=50)}BATCH NoMBre{WILDCARD_ANY_STRING}W1NN1NG
$

As you can see in this signature there are two variable length strings with arbitrary content, and one of them can be any length, and the entire expression can appear in the file at any offset. The word 'any' in this usage means very approximately "less than 4GBytes". These are the sorts of things which can give unexpected results in the likes of mailbox files, database files and archives which can contain a bunch of possibly unconnected things that are effectively concatenated. As far as ClamAV is concerned, they're just long strings. So signature-writing must be something of an art, one I'm happy to leave to others.

Obviously I changed the words in the command output above so it won't trigger the match, and you'll get the chance to read this message if you're using Steve's signatures. :)

--
73,
Ged.
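The decoded signature above, as an added example that is not part of the original post and not ClamAV's own matcher, translated into a Python regex so the point about concatenated content can be seen directly: the bounded wildcard becomes a gap of at most 50 bytes, the unbounded one a gap of any length, and the whole thing is searched at any offset. The mapping of the two {WILDCARD_ANY_STRING...} forms to regex gaps is this example's assumption, and the three-message mailbox is constructed; none of its messages matches on its own, the concatenation does.

```python
import re

# The two wildcard forms shown by `sigtool --decode-sigs` on the list; their
# mapping to regex gaps is this example's own assumption.
WILDCARD = re.compile(r"\{WILDCARD_ANY_STRING(?:\(LENGTH<=(\d+)\))?\}")


def decoded_to_regex(decoded):
    """Compile a decoded signature body into a bytes regex: literal text is
    escaped, a bounded wildcard becomes up to n arbitrary bytes and an
    unbounded one any number of bytes. DOTALL lets gaps span newlines."""
    parts, pos = [], 0
    for m in WILDCARD.finditer(decoded):
        parts.append(re.escape(decoded[pos:m.start()].encode()))
        bound = m.group(1)
        parts.append(b".{0,%d}?" % int(bound) if bound else b".*?")
        pos = m.end()
    parts.append(re.escape(decoded[pos:].encode()))
    return re.compile(b"".join(parts), re.DOTALL)


def find_match(pattern, data):
    """Return (start, end) of the first match at any offset, or None."""
    m = pattern.search(data)
    return (m.start(), m.end()) if m else None


def match_report(pattern, messages):
    """Scan each message on its own and then all of them concatenated, the way
    a mailbox file presents them. Returns (indices_matching_alone, whole_matches)."""
    alone = [i for i, msg in enumerate(messages) if pattern.search(msg)]
    return alone, pattern.search(b"".join(messages)) is not None


# Decoded signature exactly as quoted on the list (its words already altered there).
DECODED = ("REFERENCE NoMBre{WILDCARD_ANY_STRING(LENGTH<=50)}"
           "BATCH NoMBre{WILDCARD_ANY_STRING}W1NN1NG")
SIGNATURE = decoded_to_regex(DECODED)

# Constructed mailbox: three unrelated messages, none of which matches alone.
MSG_A = (b"From a@example.invalid\nSubject: order\n\n"
         b"REFERENCE NoMBre 4471 - BATCH NoMBre 12 has shipped.\n\n")
MSG_B = (b"From b@example.invalid\nSubject: lunch\n\n"
         + b"Nothing to see here. " * 200 + b"\n\n")
MSG_C = b"From c@example.invalid\nSubject: car\n\nNew plate: W1NN1NG.\n\n"
MAILBOX = [MSG_A, MSG_B, MSG_C]

if __name__ == "__main__":
    print("regex:", SIGNATURE.pattern)
    print("alone / concatenated:", match_report(SIGNATURE, MAILBOX))
```

The bounded gap is what keeps the first two fragments tied to one message; the unbounded gap is what lets the third fragment come from anywhere later in the file, which is exactly the mailbox and archive effect described above.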
Re: [clamav-users] unexplainable tar behaviour
Hi there,

On Wed, 30 Oct 2019, Steffen Sledz wrote:

> On 29.10.19 15:10, Alan Stern wrote:
>
>> Try bisection...
>
> That makes things even more confusing.

I don't see what's confusing about this. The match is just an expression. It isn't magic. You could do just the same thing from the command line for example with 'grep' although it might take a while and you might need to read up about expressions. Then you'll see that the word 'unexplainable' is incorrect.

The replies from Mr. Varnell and Mr. Jones both point you in the right direction, and Mr. Stern simply offered a methodical way of locating the matching pieces in what might be an unwieldy file.

--
73,
Ged.
Re: [clamav-users] How to boost clamav? Reloading database results in a talking timeout?
Hi Reio,

On Mon, 28 Oct 2019, Reio Remma via clamav-users wrote:

> ... I've been running a patched 101.4 for a few weeks now and
> unfortunately I'm observing a memory leak from the multithreaded
> database reloads. I'm observing clamd memory usage going up when the
> new database loads ... The problem however shows itself if clamd
> happens to reload its database 2 times in a row with no mail processed
> in between. Seemingly it will have 3 databases in memory then and the
> next mail being processed releases one of them, but the extra database
> will remain "somewhere". ..

As I said I'm using 0.102-rc with the older patch, and I haven't seen this behaviour (but I have been looking for it, and anything like it, using Nagios etc.). On our servers there's no risk of clamd reloading databases without processing a message in between the reloads, but I'm sure I could arrange it if necessary. :)

Unfortunately at the moment I have no time to investigate but I guess it will be simple to fix if it isn't something peculiar to your setup - for example it might be a problem with threads in a library. From my reading of the code, going back admittedly a little while now, it seemed very clear that the old database should be freed unconditionally after the new one was loaded.

I'd suggest that you raise an issue in the ClamAV Bugzilla.

--
73,
Ged.
Re: [clamav-users] Logwatch not showing "Viruses detected"
Hi there,

On Wed, 30 Oct 2019, Robert Kudyba wrote:

> This might be off topic to the list. We have Clam AV running on Fedora
> 30 with clamav-milter, clamav-0.101.4-1.fc30.x86_64, and sendmail. On
> one server the logwatch emails do send a daily recap as desired ...
> ... On the other server, logwatch only shows ...
> ... Is there another config file for this that I'm missing? ...

Guessing here, are the same messages being written to the logs on both machines?

I haven't used it in a long time, but I'm sure there's a reason it's called 'logwatch'... :)

--
73,
Ged.
Re: [clamav-users] Problem running virus scanner: code=999, category=cannot-execute, action=tempfail
Hi there,

On Wed, 13 Nov 2019, Andrew Watkins via clamav-users wrote:

> I get the following error a few times a day for a while, so I thought
> I would look into it. I am using mimedefang to send mail to clamd and
> it works fine, but at random point of the day I get the error:
>
> mimedefang.pl[26234]: xAD8PbeZ009878: Timeout reading from clamd daemon at /var/spool/MIMEDefang/clamd.sock

Perhaps clamd is reloading its databases when you see this. Depending on configuration and the host performance it can take anywhere between a few tens of seconds and several minutes to reload all the databases, and during that time currently released versions of clamd won't scan. Check the logs for the reload messages.

There's a patch currently in testing which permits clamd to continue scanning while reloading, the patch is available if you wish to build clamd yourself, and it should be available in a released version of clamd quite soon I hope. There has been some discussion on this list recently if you'd like to look.

--
73,
Ged.
Re: [clamav-users] Problem running virus scanner: code=999, category=cannot-execute, action=tempfail
Hi there,

On Wed, 13 Nov 2019, Andrew Watkins via clamav-users wrote:

> On 11/13/19 10:33 AM, G.W. Haywood via clamav-users wrote:
>
>> Perhaps clamd is reloading its databases when you see this. Depending
>> on configuration and the host performance it can take anywhere between
>> a few tens of seconds and several minutes to reload all the databases...
>
> Ah! I had read that discussion, but didn't put 2 and 2 together since I
> thought the database re-load had finished, but I think it may be this.
> I will look at downloading and building the patched version.

You could of course just increase your timeouts. :)

--
73,
Ged.
Re: [clamav-users] Html.Malware.Agent-7380889-0 false positive on Apache files?
Hi there,

On Wed, 13 Nov 2019, Christina Qian wrote:

> Thank you very much for your reply. I just realized that I was on the
> wrong thread though. I meant to ask the reason for the alarms below,
> or at least to confirm it's a false alarm, so I can just exclude the
> files. Do you or anybody on the list have information on this? Thanks.
> ...
> /folder_name/jupyter/miniconda2/include/openssl/tls1.h: YARA.php_malware_hexinject.UNOFFICIAL FOUND
> /folder_name/jupyter/miniconda2/pkgs/openssl-1.0.2k-1/include/openssl/tls1.h: YARA.php_malware_hexinject.UNOFFICIAL FOUND
> /folder_name/anaconda2/pkgs/openssl-1.0.2k-1/include/openssl/tls1.h: YARA.php_malware_hexinject.UNOFFICIAL FOUND

Those files are published in open source packages. If you have any concerns about them you can always go to the originals and compare.

In my view scanning files in this way causes more problems (and this is probably one of the most frequent) than it can ever solve.

--
73,
Ged.
Re: [clamav-users] clamav
Hi there,

On Thu, 14 Nov 2019, ALMOKBEL, RAWAN wrote:

> Good Day!

Well it's been raining here for weeks, but good day to you too! :)

> Does clamav scan embedded viruses and malicious content inside files?

If you mean archive files the question has already been answered well, but I would add that it is almost true to say that ClamAV _only_ scans inside files.

It is only 'almost' true because you can, for example, ask clamd to listen to a socket, and feed data directly to it via the socket. But most of the time it will be a file which you pipe to the socket. In that case, clamd itself will know nothing about the file, except perhaps its length - or at least the amount of data it scanned before it found something which for example matches a signature. All it knows is what came along from the socket - this does not include, for example, the name of the file, and the data is normally sent in 'chunks' so clamd generally only knows the length of the 'chunks'.

Processing mail using a milter is a very common use of ClamAV, and indeed ClamAV packages its own milter, 'clamav-milter', for that purpose. A milter sends data to clamd via a socket, for scanning in the same way that clamdscan does. Neither scans the data itself, but simply passes the data to clamd. (Again, 'simply' is almost true.)

I wonder if you meant to ask if ClamAV can scan memory. Unlike some commercial anti-virus packages, ClamAV cannot do that directly; but you can if you wish write code to read memory and pipe the data to a clamd process for scanning. With existing signature databases I do not know how effective that might be, because I do not know how many (if any) signatures have been written with the intention of finding things in memory rather than in files, or which might be expected to match memory content even if not written with that intention.

Most executable files are modified when they are loaded into memory, and it is common for the data in other files to be modified as it is loaded, even if not for execution. For e.g. the 'heuristics' type signatures I'd say all bets are off. If you have particular requirements to scan memory, in principle it would not be difficult to produce the signatures. But it would be a substantial undertaking to scan memory in a multi-user, multi-tasking operating system (which may be using paging, sharing, virtual memory, swap and DMA) using clamd in a way which makes any real sense. I'd be pleased to be proven wrong, and if I'm wrong I'm sure Sourcefire would be pleased too. :)

--
73,
Ged.
Re: [clamav-users] clamav
Hi there,

On Thu, 14 Nov 2019, Paul Kosinski via clamav-users wrote:

> ClamAV also can't deal with files bigger than 4 GB. This prevents it
> from scanning some videos, DVD-size ISOs, etc.

The usefulness of scanning such files is debatable, but you can split large files into pieces and scan the pieces using streaming to clamd.

--
73,
Ged.
Re: [clamav-users] ERROR: Malformed database -> Closing the main socket.
Hi there,

On Sun, 17 Nov 2019, Jim Ward via clamav-users wrote:

> I poked around based on the 'Disable Official Database' thread
> previously mentioned. Clam wanted nothing to do with either missing or
> zero length main and daily files. However digging in to syslogs, I
> found this interesting tidbit of information:
> ...
> Nov 17 09:10:57 clamd[4496]: LibClamAV Error: mpool_malloc(): Can't allocate memory (262144 bytes).
>
> free -m
>               total        used        free      shared  buff/cache   available
> Mem:            994         250         692          12          51         642
> Swap:             0           0           0
>
> So the question now is where to go from here

To the memory shop. You don't have enough to run clamd with the official databases, which alone will take something like 1GByte.

--
73,
Ged.
Re: [clamav-users] ERROR: Malformed database -> Closing the main socket.
Hi there,

On Mon, 18 Nov 2019, Jim Ward via clamav-users wrote:

> I've taken a trip to the swap shop. Added 2G and we seem to be working
> at this point. ...

Like I said, logic, not magic. Good luck. :)

--
73,
Ged.
Re: [clamav-users] Clamav error using YARA
Hello again,

On Mon, 11 Nov 2019, Philippe Lefèvre wrote:

> Thanks for your post, Ged.

You're very welcome. :)

> ... it seems that neither Clamav nor Maldet installed on my Debian box
> have the right rfxn.* files I'm not familiar with these programs but I
> would like to understand if clamav is delivered with an instance of
> rfxn files or if those files are installed with Maldet (part of Maldet
> package?) or something else.

There are Debian packages for ClamAV. I don't think Debian has its own package for the rfxn signatures but I haven't looked carefully. If you are using a Debian system I would suggest that using the Debian ClamAV packages would be the simplest way to install ClamAV. Then you can install extra signatures very simply, more or less by copying files to the ClamAV database directory.

ClamAV does not supply the Maldet files, they are what the supplier of ClamAV calls 'third-party' or 'unofficial' signatures. There are many such sets of signatures which essentially add functionality to ClamAV, for example I use the Sanesecurity signatures on mail servers to catch a lot of spam; I'm less interested in malware as I rule my systems with a rod of iron. :)

> Maybe something is/was broken somewhere and it would save me time to
> reinstall maldet or clamav, both, or copy the rfxn.* files? Please
> advise.

The people who produce the Maldet files should be able to help you better than I can, I'm afraid I know nothing about the installation process for Maldet. If ClamAV is scanning files normally then I don't think you need to reinstall it. If ClamAV finds a set of signatures in a suitable form in its database directory then it will try to load and use them unless you tell it otherwise.

I looked briefly at the documentation at

https://www.rfxn.com/projects/linux-malware-detect/

and I'm afraid it left me asking more questions rather than fewer.

--
73,
Ged.
Re: [clamav-users] ERROR: Malformed database -> Closing the main socket.
Hi there,

On Sat, 16 Nov 2019, Jim Ward via clamav-users wrote:

> I have yet to get past this one. I've done multiple builds to no
> avail. I have run in circles so much at this point that I have no
> idea where to start or where to go. Anyone have the magic cure??

I don't do magic, but I can take a shot at logic. :)

You say you've done multiple builds, but you're running Debian. That sounds like a recipe for confusion if you're not _very_ familiar with things like the Filesystem Hierarchy Standard, or, to put it another way, if not very familiar with the ways Debian screws everything up. :/

When you build from the 'upstream' sources, quite likely everything is done differently from the way Debian does it. In the case of ClamAV, it's not just different locations for lots of files; Debian packages the single ClamAV package from Sourcefire into several, so you install separate packages for the scanner, the updater and the daemon. Theory I guess says that you might not necessarily want all of them so you're given a choice. Practice seems to say it all gets confusing.

If you install from Debian packages, then install from the upstream sources without cleaning up very thoroughly first, not only can you get very confused but things might not work - and they might not work in some non-obvious ways, especially if the versions were different.

So the first question: Have you at any stage installed ClamAV from a Debian (or other) package, have you subsequently built from source, and if you did those things did you make absolutely sure that all the Debianated stuff was removed (purged) before building from source?

Second: If you're comfortable with all the above, do you know exactly where all your ClamAV configuration files and databases are? Do you know what is responsible for updating the databases, do you know that nothing else is doing anything to them, and are you sure that they're being updated how and when you think they're being updated?

If yes, please can you show us full directory listings of them including timestamps and file sizes? It might also be useful to see md5sums for each file.

Third: Check back in the mailing archives of this list for this post:

Date: Mon, 26 Aug 2019 16:38:16 +0100 (BST)
From: G.W. Haywood via clamav-users
To: ClamAV users ML
Subject: Re: [clamav-users] Disable official database

Try starting clamd with no databases. Check if it's running OK, by connecting to its socket from the command line with a tool like telnet and sending the 'PING' command. Does it reply 'PONG'? Please report back here with the results. In addition to telling us something, this will likely be a useful exercise.

Finally, for now: What exactly are you doing with ClamAV on Debian?

--
73,
Ged.
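The PING/PONG check suggested above, and the "feed data to clamd in chunks via its socket" mechanism described in the earlier "clamav" thread, as one added example that is not from the list posts and not ClamAV's own client code. The wire format used here is the one documented in clamd(8) (a command sent as 'z' + NAME + NUL with a NUL-terminated reply; INSTREAM followed by 4-byte big-endian length-prefixed chunks and a zero-length chunk to finish), stated as an assumption of this example rather than something the posts spell out. Because a real clamd is not available offline, the block also carries a constructed stand-in server that speaks just enough of the protocol to be talked to; it scans nothing and is not clamd. Function and class names are this example's own.

```python
import os
import socket
import struct
import tempfile
import threading

# Assumption (from clamd(8), not from the list): command = b"z" + NAME + b"\0",
# reply NUL-terminated; INSTREAM = <4-byte BE length><data>... then length 0.


def _recv_reply(sock):
    """Read one NUL-terminated reply and return it as text."""
    buf = b""
    while not buf.endswith(b"\0"):
        part = sock.recv(4096)
        if not part:
            break
        buf += part
    return buf.rstrip(b"\0").decode("ascii", "replace")


def ping(sock_path):
    """PING: a running clamd answers PONG, databases loaded or not."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(sock_path)
        sock.sendall(b"zPING\0")
        return _recv_reply(sock)


def chunks(data, size):
    """Split data into INSTREAM pieces; the length prefix is 32 bits wide."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def scan_stream(sock_path, data, size=8192):
    """Stream data with INSTREAM and return the verdict line sent back."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(sock_path)
        sock.sendall(b"zINSTREAM\0")
        for piece in chunks(data, size):
            sock.sendall(struct.pack(">I", len(piece)) + piece)
        sock.sendall(struct.pack(">I", 0))   # zero-length chunk: end of stream
        return _recv_reply(sock)


class FakeClamd:
    """Constructed stand-in: answers PING, consumes an INSTREAM, scans nothing."""

    def __init__(self, sock_path):
        self.received = self.chunks = 0
        self._srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self._srv.bind(sock_path)
        self._srv.listen(2)
        self._srv.settimeout(0.2)             # lets the thread notice close()
        threading.Thread(target=self._serve, daemon=True).start()

    @staticmethod
    def _read_exact(conn, n):
        buf = b""
        while len(buf) < n:
            part = conn.recv(n - len(buf))
            if not part:
                raise ConnectionError("client closed mid-chunk")
            buf += part
        return buf

    def _handle(self, conn):
        cmd = b""
        while not cmd.endswith(b"\0"):
            cmd += self._read_exact(conn, 1)
        if cmd == b"zPING\0":
            conn.sendall(b"PONG\0")
        elif cmd == b"zINSTREAM\0":
            while True:
                (n,) = struct.unpack(">I", self._read_exact(conn, 4))
                if n == 0:
                    break
                self._read_exact(conn, n)     # a real clamd would scan this
                self.received += n
                self.chunks += 1
            conn.sendall(b"stream: OK\0")

    def _serve(self):
        while True:
            try:
                conn, _ = self._srv.accept()
            except socket.timeout:
                continue
            except OSError:                   # listening socket was closed
                return
            with conn:
                conn.settimeout(5)
                self._handle(conn)

    def close(self):
        self._srv.close()


def run_demo(data, size=8192):
    """PING the stand-in, stream data to it; return (ping, verdict, bytes, chunks)."""
    path = os.path.join(tempfile.mkdtemp(), "clamd.sock")
    server = FakeClamd(path)
    try:
        pong = ping(path)
        verdict = scan_stream(path, data, size)
    finally:
        server.close()
        os.unlink(path)
    return pong, verdict, server.received, server.chunks
```

Pointed at a real clamd socket, ping() and scan_stream() are the same two exchanges: the reply to the first tells you the daemon is up regardless of database state, and the second shows why clamd sees only chunk lengths rather than a file name, which is also what makes splitting a very large file into separately streamed pieces straightforward.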
Re: [clamav-users] clamav
Hi there,

On Fri, 15 Nov 2019, Paul Kosinski via clamav-users wrote:

> On Thu, 14 Nov 2019 G.W. Haywood via clamav-users wrote:
>
>> On Thu, 14 Nov 2019, Paul Kosinski via clamav-users wrote:
>>
>>> ClamAV also can't deal with files bigger than 4 GB. This prevents it
>>> from scanning some videos, DVD-size ISOs, etc.
>>
>> The usefulness of scanning such files is debatable, but you can split
>> large files into pieces and scan the pieces using streaming to clamd.
>
> Video files have been used to attack buggy video players, and ISOs
> that hold software distributions can easily be that big. And remember
> that DVDs and flash disks that may be created from an ISO are often
> booted from to install whatever. This could mean your system is
> compromised at birth. ...

None of this alters the fact that if you look for malware with ClamAV, then, if it's not a zero-day, by my estimation you have about a one in three chance of finding it, even if the malware is in a 900 byte file. Of course if it _is_ a zero-day, you have practically no chance. So, even if you scan it, your system can *still* be compromised at birth, except that now you'll think it isn't, because you've scanned it.

Trying to detect problems by scanning gigabytes of data for irrelevant threats, or scanning entire Linux systems for some millions of Windows viruses, when instead you could be doing something rational to prevent those problems in the first place, is plain crackers. There seems to be a school of thought that to secure a system, all you have to do is install an anti-virus package, regularly scan your entire filesystem, and you're safe. That's nonsense, and I'm not sure that the purveyors of anti-virus packages aren't in some ways contributing to the general misunderstanding.

If I were going to take risks like viewing random files that I'd (for example) downloaded from the Internet using (for example) some dodgy video player, then I'd at least first spin up a VM to do it with. If an employee knowingly did such a thing at work then they'd be fired; they've already signed a bit of paper which says so. One of the main uses for ClamAV here is looking for emails which try to trick people into doing just that sort of thing.

If I'm thinking of running some installer from an .iso file I'll be looking at least for an md5sum, and more likely quite a bit more than that.

--
73,
Ged.