[clamav-users] The "=" sign in freshclam options (---datadir= as an example) is mandatory?
I discovered that the "=" sign in freshclam options is mandatory. For example:

freshclam --datadir=c:\temp\database (with =)

and

freshclam --datadir c:\temp\database (without =)

are different. In the latter, the option "--datadir c:\temp\database" is ignored as if it were not specified.

On the other hand, the "=" in clamscan options is optional, i.e.

clamscan --log=c:\tmp\my.log

and

clamscan --log c:\tmp\my.log

are equivalent.

I would like to get a confirmation that this is true, and secondly to get an opinion on whether this is a bug; as far as I know, the = in an option should be optional.

___
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

Re: [clamav-users] clamscan: permission denied on many files being used by another process
The version I am running is clamav-0.103.3-win-x64-portable.zip <https://www.clamav.net/downloads/production/clamav-0.103.3-win-x64-portable.zip> from https://www.clamav.net/downloads#otherversions . The advantage of using the portable version is that you do not need to install, but just to use the software from the network path.

I understand "more" is not clamscan, I was just showing that the file in question cannot be opened with clamscan nor with "more" as administrator.

I also understand if clamscan cannot read a file, it cannot scan it. My question is how I can let clamscan read a file, as I have shown that even I cannot "more" a file used by another process as administrator.

If clamscan cannot scan a file used by another process, then I question the usefulness of the software because a hacker can just install a virus file and use it, clamscan will not be able to detect it.

On Mon, Jul 12, 2021 at 11:45 AM G.W. Haywood via clamav-users <clamav-users@lists.clamav.net> wrote:

> Hi there,
>
> On Mon, 12 Jul 2021, Michael Wang via clamav-users wrote:
>
> > I run ClamAV on windows using the latest portable installation with all
> > default configuration.
>
> What version of ClamAV, and where did it come from?
>
> > I run the task scheduler under the SYSTEM user with the highest
> > credentials checked, but I still have lots of permission denied
> > messages.
>
> That's to be expected if the scanning process can't read the data.
>
> > I logged in locally and checked one of the files under a powershell window
> > as *ADMINISTRATOR*, and I got:
> >
> > *PS C:\Users\j.doe\AppData\local\Microsoft\Windows\WebCache> more .\V01.log*
> > *Get-Content : The process cannot access the file
> > 'C:\Users\j.doe\AppData\local\Microsoft\Windows\WebCache\V01.log' because
> > it is being used by another process.*
>
> The 'more' command is a pager, not a scanner. In what you've posted I
> see no evidence of a ClamAV process doing (or failing to do) anything.
>
> > So do I have to live with it? If there is a virus file and this file is
> > being currently used, clamscan cannot detect it?
>
> Not necessarily. If the scanner does not have permission to read
> something which you want it to scan, then obviously it cannot scan it.
> This applies just as much to devices and data streams via sockets as
> it does to files. It's up to you to arrange for the scanner to have
> permission to do what you want it to do. And in my view it's usually
> pointless to scan a log file with a virus scanner - if indeed that is
> what you're doing - and this applies especially to the log which is
> recording the progress of the scan.
>
> --
>
> 73,
> Ged.

[clamav-users] Php.Trojan.MSShellcode-81 FOUND on MS IIS log file?
Clamscan detected a virus in Microsoft Internet Information Services 8.5 log file:

*C:\inetpub\logs\LogFiles\W3SVC1\u_exNN.log: Php.Trojan.MSShellcode-81 FOUND*

I looked at the file manually, it consists of comments and GET and POST messages.

How do I determine if this is a real or false positive? The files are dynamic and new files will be generated, what are my options?

Thanks.

[clamav-users] clamscan: permission denied on many files being used by another process
Hello all ClamAV users:

I run ClamAV on windows using the latest portable installation with all default configuration.

I run the task scheduler under the SYSTEM user with the highest credentials checked, but I still have lots of permission denied messages.

I logged in locally and checked one of the files under a powershell window as *ADMINISTRATOR*, and I got:

*PS C:\Users\j.doe\AppData\local\Microsoft\Windows\WebCache> more .\V01.log*
*Get-Content : The process cannot access the file 'C:\Users\j.doe\AppData\local\Microsoft\Windows\WebCache\V01.log' because it is being used by another process.*

So do I have to live with it? If there is a virus file and this file is being currently used, clamscan cannot detect it?

Re: [clamav-users] How to make freshclam to update existing files?
Hi,

After more testing, I can rule out the disk space problem because I have 1TB free space. I can also rule out the permission problem because this happens during fresh runs.

I discovered the problem I had was due to the use of the *Universal Naming Convention (UNC) Path*, "\\xx-x411\clamav". Even on the same server where "\\xx-x411\clamav" and "D:\clamav" are the same, the behaviors are different as shown below.

With the "D:\clamav" path, it found that the database is not up to date, then it gets the cld file, and no issues. With the UNC path, it downloads the same cvd file and complains that the file exists.

I wanted to use the UNC path because I want to share the database across the servers.

Here is the log to show the problem:

PS D:\ClamAV\clamav-0.103.3-win-x64-portable\database> *rm -recurse **
PS D:\ClamAV\clamav-0.103.3-win-x64-portable\database> \\xx-x411\clamav\clamav-0.103.3-win-x64-portable\freshclam.exe *--datadir=d:\clamav\clamav-0.103.3-win-x64-portable\database*
ClamAV update process started at Fri Jul 9 15:48:10 2021
daily database available for download (remote version: 26226)
Time:3.6s, ETA:0.0s [>] 102.43MiB/102.43MiB
Testing database: 'd:\clamav\clamav-0.103.3-win-x64-portable\database\tmp.1276ba4a31\clamav-7f99d642a7a4902e4a2f435c323e2552.tmp-daily.cvd' ...
Database test passed.
daily.cvd updated (version: 26225, sigs: 3994327, f-level: 63, builder: raynman)
*Received an older daily CVD than was advertised. We'll retry so the incremental update will ensure we're up-to-date.*
daily database available for update (local version: 26225, remote version: 26226)
*Current database is 1 version behind.
Downloading database patch # 26226...*
Time:0.0s, ETA:0.0s [>] 19.36KiB/19.36KiB
Testing database: 'd:\clamav\clamav-0.103.3-win-x64-portable\database\tmp.1276ba4a31\clamav-baae84e4ef91bcdfa772d7d82c8af6f8.tmp-daily.cld' ...
Database test passed.
daily.cld updated (version: 26226, sigs: 3994579, f-level: 63, builder: raynman)
main database available for download (remote version: 59)
Time:4.0s, ETA:0.0s [>] 112.40MiB/112.40MiB
Testing database: 'd:\clamav\clamav-0.103.3-win-x64-portable\database\tmp.1276ba4a31\clamav-046d7008715c9c8fba4d462be7120643.tmp-main.cvd' ...
Database test passed.
main.cvd updated (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)
bytecode database available for download (remote version: 333)
Time:0.1s, ETA:0.0s [>] 286.79KiB/286.79KiB
Testing database: 'd:\clamav\clamav-0.103.3-win-x64-portable\database\tmp.1276ba4a31\clamav-f4500f3362769ec4bcbdfcaa854f cfb8.tmp-bytecode.cvd' ...
Database test passed.
bytecode.cvd updated (version: 333, sigs: 92, f-level: 63, builder: awillia2)

PS D:\ClamAV\clamav-0.103.3-win-x64-portable\database> rm -recurse *
PS D:\ClamAV\clamav-0.103.3-win-x64-portable\database> \\xx-x411\clamav\clamav-0.103.3-win-x64-portable\freshclam.exe --datadir=\\xx-x411\clamav\clamav-0.103.3-win-x64-portable\database
ClamAV update process started at Fri Jul 9 15:51:05 2021
daily database available for download (remote version: 26226)
Time:4.1s, ETA:0.0s [>] 102.43MiB/102.43MiB
Testing database: '\\xx-x411\clamav\clamav-0.103.3-win-x64-portable\database\tmp.dcd8c0cb40\clamav-a9ada8b934fb64989e60cabb093b72ec.tmp-daily.cvd' ...
Database test passed.
daily.cvd updated (version: 26225, sigs: 3994327, f-level: 63, builder: raynman)
*Received an older daily CVD than was advertised. We'll retry so the incremental update will ensure we're up-to-date.*
daily database available for download (remote version: 26226)
Time:3.8s, ETA:0.0s [>] 102.43MiB/102.43MiB
*Testing database: '\\xx-x411\clamav\clamav-0.103.3-win-x64-portable\database\tmp.dcd8c0cb40\clamav-907671efc5b51d897ec211313228eb86.tmp-daily.cvd' ...*
Database test passed.
*ERROR: updatedb: Can't rename \\xx-x411\clamav\clamav-0.103.3-win-x64-portable\database\tmp.dcd8c0cb40\clamav-907671efc5b51d897ec211313228eb86.tmp-daily.cvd to daily.cvd: File exists*
ERROR: Unexpected error when attempting to update daily: Failed to read/write file to database directory
ERROR: Database update process failed: Failed to read/write file to database directory
ERROR: Update failed.

On Thu, Jul 8, 2021 at 9:31 AM Michael Wang wrote:

> I am running the freshclam.exe like this:
>
> PS C:\Users\m.wang> \\xxx\clamav\bin\freshclam.exe --datadir
> \\xxx\clamav\bin\database
>
> and I got the following error:
>
> ERROR: updatedb: *Can't rename*
> \\xxx\clamav\bin\database\tmp.78a757d3cf\clamav-57fd2bf1f4d6d423e4896f0ef3e97c52.tmp-daily.cvd
> to daily.cv
> d: *File exists*
>
> I am thinking of removing the *.cvd files before running freshclam, but is
> there an option to make freshclam to override the existin

[clamav-users] How to make freshclam to update existing files?
I am running the freshclam.exe like this:

PS C:\Users\m.wang> \\xxx\clamav\bin\freshclam.exe --datadir \\xxx\clamav\bin\database

and I got the following error:

ERROR: updatedb: *Can't rename* \\xxx\clamav\bin\database\tmp.78a757d3cf\clamav-57fd2bf1f4d6d423e4896f0ef3e97c52.tmp-daily.cvd to daily.cv d: *File exists*

I am thinking of removing the *.cvd files before running freshclam, but is there an option to make freshclam to override the existing old *.cvd files?

Thanks.

Full log:

PS C:\Users\m.wang> \\xxx\clamav\bin\freshclam.exe --datadir \\xxx\clamav\bin\database
ClamAV update process started at Wed Jul 7 18:40:18 2021
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.103.2 Recommended version: 0.103.3
DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav
daily database available for download (remote version: 26224)
Time: 12.4s, ETA:0.0s [>] 102.41MiB/102.41MiB
Testing database: '\\xxx\clamav\bin\database\tmp.78a757d3cf\clamav-57fd2bf1f4d6d423e4896f0ef3e97c52.tmp-daily.cvd' ...
Database test passed.
ERROR: updatedb: Can't rename \\xxx\clamav\bin\database\tmp.78a757d3cf\clamav-57fd2bf1f4d6d423e4896f0ef3e97c52.tmp-daily.cvd to daily.cv d: File exists
ERROR: Unexpected error when attempting to update daily: Failed to read/write file to database directory
ERROR: Database update process failed: Failed to read/write file to database directory
ERROR: Update failed.

Re: [clamav-users] clamav incremental scan?
Grant,

I do not disagree with you on the separate functionality of the scheduling engine and scanning engine. The question is: does such an engine exist? I feel it is too much for each individual user to implement such a scheduling engine. I am new to ClamAV, does the question / solution ever pop up?

Thanks.

On Tue, May 4, 2021 at 4:29 PM Grant Taylor via clamav-users <clamav-users@lists.clamav.net> wrote:

> On 5/4/21 12:19 PM, Michael Wang wrote:
> > looks like this should be a functionality of the clamav itself.
>
> What you are describing sounds like something independent of the ClamAV
> /scanning/ engine. More specifically, it sounds like the responsibility
> of a /scheduling/ engine.
>
> My understanding is that the scheduling is outside of the scope of what
> ClamAV normally does.
>
> I see no reason why you couldn't have something -- run as a user with
> sufficient privileges to read the file(s) in question -- which maintains
> metadata about files; name, ctime, mtime, permissions, owner, group,
> hash, last scan time, etc, and determines if a file has changed since
> the last time it was scanned. /That/ /scheduling/ engine could then
> easily ask the ClamAV /scanning/ engine -- likely running as a different
> non-root user -- to scan the files handed to it by -- what is
> effectively -- the /scheduling/ engine.
>
> There are a lot of different ways to go about something like this. My
> opinion is that most of them are outside of the scope of the ClamAV's
> /scanning/ engine.
>
> --
> Grant. . . .
> unix || die

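Added example, not part of the thread and not ClamAV code: one way to build the scheduling step described above, keyed on content hashes rather than file dates, producing a list for clamscan's --file-list option. It goes one step beyond the thread by also re-offering every file when the signature database version changes. The function names, the JSON state layout and the db_version argument are assumptions of this example.

```python
import hashlib
import json
import os

# Hypothetical helper names; only clamscan's --file-list option is ClamAV's own.
def sha256_of(path, chunk=1 << 20):
    """Hash the content; timestamps are ignored because they can be reset."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def plan_scan(root, state_path, db_version):
    """Return (to_scan, unreadable, new_state) for every file under root."""
    try:
        with open(state_path, encoding="utf-8") as f:
            old = json.load(f)
    except (OSError, ValueError):
        old = {}
    # New signatures can match old content, so a database change voids the cache.
    known = old.get("files", {}) if old.get("db_version") == db_version else {}
    to_scan, unreadable, files = [], [], {}
    for dirpath, _dirs, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_of(path)
            except OSError:
                unreadable.append(path)  # locked or denied: report it, never cache it
                continue
            files[path] = digest
            if known.get(path) != digest:
                to_scan.append(path)
    return to_scan, unreadable, {"db_version": db_version, "files": files}


def write_file_list(list_path, to_scan):
    """One path per line, the format clamscan --file-list reads."""
    with open(list_path, "w", encoding="utf-8") as f:
        f.writelines(p + "\n" for p in to_scan)


def save_state(state_path, new_state):
    """Call only after the scan of to_scan finished with no detection."""
    with open(state_path, "w", encoding="utf-8") as f:
        json.dump(new_state, f)
```

Run clamscan with --file-list pointing at the written list and call save_state only when it exits 0; exit code 1 means a detection and 2 an error, so the old state stays in place and the same files are offered again on the next run.
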
[clamav-users] clamav incremental scan?
It seems that this should be a common question, but I did not find a definite answer via Google search.

I saw solutions to only scan files in the last 60 days, but it is not difficult for a virus file to change date, isn't it?

I can think of maintaining a hash table with file name and its checksum, but it looks like this should be a functionality of the clamav itself.

How do you do it? Just do a full scan every time?

Thanks.

[clamav-users] automate clamav on windows and user manual popup
Hello All:

I would like to automate the clamav install on windows. The method I have in mind is to create a GPO which is a scheduled job written in powershell, and this job will install ClamAV, set up other jobs to download the database and do the scan.

I could find info on the topic, so please share what you have done successfully automating on a large number of servers.

The first problem I encounter is that when I install it very silently with

Start-Process $exe_file -ArgumentList "/VERYSILENT /LOG=$log_file"

It pops a notepad with the user manual. I assume I can kill the process (I chose no -Wait option), but is there a way to select no user manual pop up? If I install interactively, there is a box I can unselect.

Thanks a lot.