Re: [clamav-users] Terminate clamscan after specific time
Right, that's why I suggested to make a full scan daily/weekly. Scanning is not bulletproof either, as the virus signature comes by definition after the virus creation.

If you have some trust in your OS provider then additional basic tools like rpm -qV, dpkg -V or debsums (even if not perfect) could be used to verify the authenticity of the package files in your reference snapshot. Elfsign could be used to check binaries, if they are signed (on Solaris they are, not sure on Linux), and the kernel could enforce the check on execution if desired (still on Solaris). Auditd is also available... but I stop here because, questioning who we can trust, we could end up with the chain of trust and the TPM chip... secured by God's signature as you know.

Anyway, as the initial idea was to stop scanning during work hours, I think my suggestions (to scan changed files only during these hours) were still safer...

Pierre

On 6 Jan 2021 at 12:53, Paul Kosinski via clamav-users wrote:

The problem with only scanning files that have changed since they were last scanned is that there usually have been virus signature updates in the meantime. So you could have an "old" file that contains what was a zero-day virus at the time it was scanned, and now there is a signature that would detect it.

On Wed, 06 Jan 2021 11:56:47 +0100 "Pierre Dehaen" wrote:

> Hi,
>
> On 6 Jan 2021 at 9:58, G.W. Haywood via clamav-users wrote:
>
> > > My goal is to terminate scan of big number of files like '/' on CPU busy
> > > hours.
> > Do not scan everything under the root directory.
>
> Use zfs, make regular snapshots, scan once, then use zfs diff to find the
> new/changed(/removed) files, scan these only.
>
> Or make a full scan every week if desired, then use an auditing program to
> regularly search for the files that were added/updated(/removed), scan these
> only. These auditing programs use hash signatures which are faster to compute
> than doing full virus scans, but they will anyway make a lot of i/o as they
> will read all files. If you are really constrained by the i/o you could run a
> less secure but lighter audit based on the file attributes (size, ownership,
> mode, dates...) and once a day/week a full audit...
>
> There are many options...
>
> HTH,
> Pierre
>
> ___
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
Re: [clamav-users] Terminate clamscan after specific time
Hi,

On 6 Jan 2021 at 9:58, G.W. Haywood via clamav-users wrote:

> > My goal is to terminate scan of big number of files like '/' on CPU busy
> > hours.
> Do not scan everything under the root directory.

Use zfs, make regular snapshots, scan once, then use zfs diff to find the new/changed(/removed) files, scan these only.

Or make a full scan every week if desired, then use an auditing program to regularly search for the files that were added/updated(/removed), scan these only. These auditing programs use hash signatures which are faster to compute than doing full virus scans, but they will anyway make a lot of i/o as they will read all files. If you are really constrained by the i/o you could run a less secure but lighter audit based on the file attributes (size, ownership, mode, dates...) and once a day/week a full audit...

There are many options...

HTH,
Pierre
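The two messages above (Pierre's "scan changed files only" suggestion and Paul's objection that signatures released after a file's last scan would never be applied to it) can be combined in one cron job. The script below is an added example, not code from either poster: it uses a plain find -newer stamp file instead of zfs diff so it works on any filesystem, scans only the changed files during the week, and forces a full scan once the last full scan is older than a configurable number of days. The stamp directory, the seven-day interval and the use of clamdscan are assumptions, not something the thread specifies.

```shell
#!/bin/sh
# Added example (not from the clamav-users posts): incremental scan of files
# changed since the last run plus a periodic full scan. Paths are placeholders.

# List regular files under $2 modified after stamp file $1, one per line.
# With no stamp yet (first run) every file counts as changed.
changed_since() {
    stamp=$1; root=$2
    if [ ! -f "$stamp" ]; then
        find "$root" -type f
    else
        find "$root" -type f -newer "$stamp"
    fi
}

# True (exit 0) when the full-scan marker $1 is missing or older than $2 days,
# i.e. when changed-files-only scanning has run long enough that new signatures
# must be applied to the unchanged files as well.
full_scan_due() {
    marker=$1; days=$2
    [ ! -f "$marker" ] && return 0
    # find prints the marker only if its mtime is more than $days days ago
    [ -n "$(find "$marker" -mtime +"$days" 2>/dev/null)" ]
}

# Scan $1, keeping state in $2. Full scan every $3 days (default 7).
# clamdscan exit codes: 0 clean, 1 infections found, 2 error.
run_scan() {
    root=$1; stampdir=$2; full_interval_days=${3:-7}
    stamp="$stampdir/last-scan"; full="$stampdir/last-full-scan"
    mkdir -p "$stampdir"
    newstamp="$stampdir/last-scan.new"
    : > "$newstamp"          # timestamp taken before scanning so nothing slips between runs
    if full_scan_due "$full" "$full_interval_days"; then
        clamdscan --multiscan "$root"; rc=$?
        [ "$rc" -ne 2 ] && touch "$full"
    else
        list="$stampdir/changed.list"
        changed_since "$stamp" "$root" > "$list"
        if [ -s "$list" ]; then
            clamdscan --multiscan --file-list="$list"; rc=$?
        else
            rc=0             # nothing changed since the last run
        fi
    fi
    # On a clamdscan error keep the old stamp so the same files are retried next run.
    [ "$rc" -ne 2 ] && mv "$newstamp" "$stamp"
    return "$rc"
}

# Usage (e.g. from cron outside busy hours): run_scan /srv/data /var/lib/incscan 7
```

A full-scan interval of a week matches the "full scan every week" suggestion; shortening it trades I/O for a smaller window in which an already-scanned file could carry something a newer signature would now detect.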
Re: [clamav-users] Fwd: Fwd: freshclam incremental update
Is this ok?

Pierre

On 3 Sep 2019 at 11:02, Birger Birger via clamav-users wrote:

Ubuntu Syslog

...
Sep 3 10:41:42 zentyal kernel: [266093.463049] audit: type=1400 audit(1567500102.736:78): apparmor="DENIED" operation="open" profile="/usr/bin/freshclam" name="/etc/ssl/openssl.cnf" pid=14221 comm="freshclam" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Sep 3 10:41:42 zentyal kernel: [266093.468537] audit: type=1400 audit(1567500102.740:79): apparmor="DENIED" operation="connect" profile="/usr/bin/freshclam" name="/run/samba/winbindd/pipe" pid=14221 comm="freshclam" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
...
Re: [clamav-users] Problem with freshclam updating daily-25380.cdiff
Yes Micah, it finished while I was checking the computer because of the messages received on the mailing list.

$ tail -50 /var/log/freshclam.log
...
--
ClamAV update process started at Wed Mar 6 11:37:46 2019
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.100.0 Recommended version: 0.101.1
DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav
securiteinfo.hdb is up to date (version: custom database)
securiteinfo.ign2 is up to date (version: custom database)
Downloading javascript.ndb [*]
javascript.ndb updated (version: custom database, sigs: 45008)
securiteinfohtml.hdb is up to date (version: custom database)
securiteinfoascii.hdb is up to date (version: custom database)
securiteinfopdf.hdb is up to date (version: custom database)
Downloading spam_marketing.ndb [*]
spam_marketing.ndb updated (version: custom database, sigs: 24199)
main.cld is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Downloading daily-25380.cdiff [100%]
daily.cld updated (version: 25380, sigs: 1503528, f-level: 63, builder: raynman)
bytecode.cld is up to date (version: 328, sigs: 94, f-level: 63, builder: neo)
Database updated (6139078 signatures) from db.be.clamav.net (IP: 104.16.219.84)
Clamd successfully notified about the update.

$ ls -l /var/log/freshclam.log
-rw-r--r-- 1 clamav clamav 701634 Mar 6 14:51 /var/log/freshclam.log

It ran from 11:37 to 14:51. It might run faster on x86 computers though.

Pierre

On 6 Mar 2019 at 14:20, Micah Snyder (micasnyd) via clamav-users wrote:

Pierre,

So you're saying it actually did finish after 3 hours, 15 minutes on its own? That is good news for all of the automated systems, even if this is a potentially terrible bug. I'm still investigating the cause, and asking our signature management team if they have any additional details.

Micah

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

On 3/6/19, 9:06 AM, "clamav-users on behalf of Pierre Dehaen" wrote:

Here too: it took about 3 hours and 15 minutes to calm down (SPARC, Solaris 11, v0.100.0)... without noticeable error in freshclam.log.

On 6 Mar 2019 at 6:27, J.R. via clamav-users wrote:

> When crontab execs freshclam
> CPU server goes to 100%
> Hanged finishing Downloading daily-25380.cdiff [100%]

Just checked my server and it happened to me too! A little after 5am central time. :(
Re: [clamav-users] Problem with freshclam updating daily-25380.cdiff
Here too: it took about 3 hours and 15 minutes to calm down (SPARC, Solaris 11, v0.100.0)... without noticeable error in freshclam.log.

On 6 Mar 2019 at 6:27, J.R. via clamav-users wrote:

> When crontab execs freshclam
> CPU server goes to 100%
> Hanged finishing Downloading daily-25380.cdiff [100%]

Just checked my server and it happened to me too! A little after 5am central time. :(
Re: [clamav-users] ClamAV mirrors have gotten worse!
On 11/22/18 8:51 PM, Paul Kosinski wrote:
> I wonder how many users of ClamAV actually log their freshclam updates.
> Those who don't likely won't notice freshclam temporary failures due
> to an out-of-sync condition.

I do log and do analyze all logs on all servers every day, sometimes every hour (a little script sends me an email if anything abnormal happens). If you mean "Mirror not synchronized" messages, I've received some since 2016 (list attached) but there was no big issue except the recent problem with the "be" mirror, now fixed, that I submitted here. The logs show that the errors generally happen in a row, maybe some temporary issues on some servers?

Pierre
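Pierre mentions "a little script" that mails him when a freshclam log shows anything abnormal, without posting it. The functions below are an added example of that kind of check, not his script: they pull WARNING/ERROR lines out of a freshclam log, drop the routine "installation is OUTDATED" advisory so it does not page anyone, and count how many alerts name a given mirror (useful for spotting the kind of per-mirror clustering the "be" thread on this page describes). The log path and mail recipient are assumptions; the sample log in the test is constructed from the message formats visible elsewhere on this page.

```shell
#!/bin/sh
# Added example (not Pierre's script): summarise abnormal freshclam log lines
# so a cron job can mail them. Log path and recipient are placeholders.

# Print WARNING/ERROR lines from log $1, excluding the routine OUTDATED notice
# ("Your ClamAV installation is OUTDATED!", "Local version: ...") which is
# informational, so only update and mirror failures remain.
freshclam_alerts() {
    grep -E 'WARNING|ERROR' "$1" \
      | grep -v -E 'OUTDATED|Local version:|DON.T PANIC'
}

# Number of alert lines in log $1 (prints 0 for a clean log).
freshclam_alert_count() {
    freshclam_alerts "$1" | grep -c . || true
}

# Number of alert lines in log $1 that mention mirror $2, e.g. db.be.clamav.net,
# to see whether failures cluster on one mirror.
mirror_alert_count() {
    freshclam_alerts "$1" | grep -c -- "$2" || true
}

# Cron entry point: mail the alert lines only when there are any.
# Usage: report /var/log/freshclam.log admin@example.invalid   (placeholders)
report() {
    log=$1; rcpt=$2
    n=$(freshclam_alert_count "$log")
    if [ "$n" -gt 0 ]; then
        freshclam_alerts "$log" \
          | mail -s "freshclam: $n abnormal line(s) on $(hostname)" "$rcpt"
    fi
    return 0
}
```

Running this against a rotated copy of the log once per rotation period, rather than the live file, avoids re-reporting the same lines every hour.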
Re: [clamav-users] Problem with BE db
Yes,

# vi /etc/opt/csw/freshclam.conf
==> restore config to db.be.clamav.net

# freshclam --update-db=daily --stdout
ClamAV update process started at Mon Nov 12 19:46:46 2018
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.100.0 Recommended version: 0.100.2
DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav
daily.cld is up to date (version: 25114, sigs: 2149227, f-level: 63, builder: neo)

It looks like it works now. I even tried:

# wget http://db.be.clamav.net/daily.cvd
converted 'http://db.be.clamav.net/daily.cvd' (646) -> 'http://db.be.clamav.net/daily.cvd' (UTF-8)
--2018-11-12 19:49:27-- http://db.be.clamav.net/daily.cvd
Resolving db.be.clamav.net (db.be.clamav.net)... 104.16.185.138, 104.16.187.138, 104.16.188.138, ...
Connecting to db.be.clamav.net (db.be.clamav.net)|104.16.185.138|:80... connected.
HTTP request sent, awaiting response... 200 OK

Thank you very much,
Pierre

On 12 Nov 2018 at 18:12, Joel Esler (jesler) wrote:

Can you try now?

> On Nov 12, 2018, at 12:31 PM, Pierre Dehaen wrote:
>
> Hi Joel,
>
> # freshclam --version
> ClamAV 0.100.0/25114/Mon Nov 12 15:08:04 2018
>
> It's running on Solaris 11... I see now that 0.100.2 is available on opencsw,
> I'll try to upgrade soon.
>
> Thanks,
> Pierre
>
> On 12 Nov 2018 at 16:41, Joel Esler (jesler) wrote:
>
> Okay, so a couple things.
>
> Wget probably isn't going to work in the manner you expect. Which is why you
> got the 530 response.
>
> What version of freshclam are you using?
>
>> On Nov 11, 2018, at 11:18 AM, Pierre Dehaen wrote:
>>
>> Hi,
>>
>> It seems the db.be.clamav.net does not work any more since Nov 9th. I tried
>> to delete the mirrors.dat but no way, I still get:
>>
>> # freshclam --update-db=daily --stdout
>> ...
>> daily.cvd version from DNS: 25111
>> Retrieving http://db.be.clamav.net/daily-25104.cdiff
>> Trying to download http://db.be.clamav.net/daily-25104.cdiff (IP: 104.16.187.138)
>> WARNING: getfile: Unknown response from db.be.clamav.net (IP: 104.16.187.138)
>> WARNING: getpatch: Can't download daily-25104.cdiff from db.be.clamav.net
>> Querying daily.25104.91.0.0.6810BB8A.ping.clamav.net
>> Retrieving http://db.be.clamav.net/daily-25104.cdiff
>> Trying to download http://db.be.clamav.net/daily-25104.cdiff (IP: 104.16.185.138)
>> WARNING: getfile: Unknown response from db.be.clamav.net (IP: 104.16.185.138)
>> WARNING: getpatch: Can't download daily-25104.cdiff from db.be.clamav.net
>> Querying daily.25104.91.0.0.6810B98A.ping.clamav.net
>> ...
>>
>> # wget http://db.be.clamav.net/daily.cvd
>> converted 'http://db.be.clamav.net/daily.cvd' (646) -> 'http://db.be.clamav.net/daily.cvd' (UTF-8)
>> --2018-11-11 17:03:08-- http://db.be.clamav.net/daily.cvd
>> Resolving db.be.clamav.net (db.be.clamav.net)... 104.16.188.138, 104.16.189.138, 104.16.187.138, ...
>> Connecting to db.be.clamav.net (db.be.clamav.net)|104.16.188.138|:80... connected.
>> HTTP request sent, awaiting response... 530
>> 2018-11-11 17:03:08 ERROR 530: (no description).
>>
>> The (temporary?) solution is to:
>>
>> # vi .../freshclam.conf
>> => replace db.be.clamav.net by db.de.clamav.net (for instance)
>>
>> # rm ...clamav/db/mirrors.dat
>>
>> # freshclam --update-db=daily --stdout
>> ClamAV update process started at Sun Nov 11 17:04:02 2018
>> WARNING: Your ClamAV installation is OUTDATED!
>> WARNING: Local version: 0.100.0 Recommended version: 0.100.2
>> DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav
>> Downloading daily-25104.cdiff [100%]
>> Downloading daily-25105.cdiff [100%]
>> Downloading daily-25106.cdiff [100%]
>> Downloading daily-25107.cdiff [100%]
>> Downloading daily-25108.cdiff [100%]
>> Downloading daily-25109.cdiff [100%]
>> Downloading daily-25110.cdiff [100%]
>> Downloading daily-25111.cdiff [100%]
>> daily.cld updated (version: 25111, sigs: 2148413, f-level: 63, builder: neo)
>> Database updated (2148413 signatures) from db.de.clamav.net (IP: 104.16.187.138)
>> Clamd successfully notified about the update.
>>
>> Thanks
>> Pierre
Re: [clamav-users] Problem with BE db
Hi Joel,

# freshclam --version
ClamAV 0.100.0/25114/Mon Nov 12 15:08:04 2018

It's running on Solaris 11... I see now that 0.100.2 is available on opencsw, I'll try to upgrade soon.

Thanks,
Pierre

On 12 Nov 2018 at 16:41, Joel Esler (jesler) wrote:

Okay, so a couple things.

Wget probably isn't going to work in the manner you expect. Which is why you got the 530 response.

What version of freshclam are you using?

> On Nov 11, 2018, at 11:18 AM, Pierre Dehaen wrote:
>
> Hi,
>
> It seems the db.be.clamav.net does not work any more since Nov 9th. I tried
> to delete the mirrors.dat but no way, I still get:
>
> # freshclam --update-db=daily --stdout
> ...
> daily.cvd version from DNS: 25111
> Retrieving http://db.be.clamav.net/daily-25104.cdiff
> Trying to download http://db.be.clamav.net/daily-25104.cdiff (IP: 104.16.187.138)
> WARNING: getfile: Unknown response from db.be.clamav.net (IP: 104.16.187.138)
> WARNING: getpatch: Can't download daily-25104.cdiff from db.be.clamav.net
> Querying daily.25104.91.0.0.6810BB8A.ping.clamav.net
> Retrieving http://db.be.clamav.net/daily-25104.cdiff
> Trying to download http://db.be.clamav.net/daily-25104.cdiff (IP: 104.16.185.138)
> WARNING: getfile: Unknown response from db.be.clamav.net (IP: 104.16.185.138)
> WARNING: getpatch: Can't download daily-25104.cdiff from db.be.clamav.net
> Querying daily.25104.91.0.0.6810B98A.ping.clamav.net
> ...
>
> # wget http://db.be.clamav.net/daily.cvd
> converted 'http://db.be.clamav.net/daily.cvd' (646) -> 'http://db.be.clamav.net/daily.cvd' (UTF-8)
> --2018-11-11 17:03:08-- http://db.be.clamav.net/daily.cvd
> Resolving db.be.clamav.net (db.be.clamav.net)... 104.16.188.138, 104.16.189.138, 104.16.187.138, ...
> Connecting to db.be.clamav.net (db.be.clamav.net)|104.16.188.138|:80... connected.
> HTTP request sent, awaiting response... 530
> 2018-11-11 17:03:08 ERROR 530: (no description).
>
> The (temporary?) solution is to:
>
> # vi .../freshclam.conf
> => replace db.be.clamav.net by db.de.clamav.net (for instance)
>
> # rm ...clamav/db/mirrors.dat
>
> # freshclam --update-db=daily --stdout
> ClamAV update process started at Sun Nov 11 17:04:02 2018
> WARNING: Your ClamAV installation is OUTDATED!
> WARNING: Local version: 0.100.0 Recommended version: 0.100.2
> DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav
> Downloading daily-25104.cdiff [100%]
> Downloading daily-25105.cdiff [100%]
> Downloading daily-25106.cdiff [100%]
> Downloading daily-25107.cdiff [100%]
> Downloading daily-25108.cdiff [100%]
> Downloading daily-25109.cdiff [100%]
> Downloading daily-25110.cdiff [100%]
> Downloading daily-25111.cdiff [100%]
> daily.cld updated (version: 25111, sigs: 2148413, f-level: 63, builder: neo)
> Database updated (2148413 signatures) from db.de.clamav.net (IP: 104.16.187.138)
> Clamd successfully notified about the update.
>
> Thanks
> Pierre
[clamav-users] Problem with BE db
Hi,

It seems the db.be.clamav.net does not work any more since Nov 9th. I tried to delete the mirrors.dat but no way, I still get:

# freshclam --update-db=daily --stdout
...
daily.cvd version from DNS: 25111
Retrieving http://db.be.clamav.net/daily-25104.cdiff
Trying to download http://db.be.clamav.net/daily-25104.cdiff (IP: 104.16.187.138)
WARNING: getfile: Unknown response from db.be.clamav.net (IP: 104.16.187.138)
WARNING: getpatch: Can't download daily-25104.cdiff from db.be.clamav.net
Querying daily.25104.91.0.0.6810BB8A.ping.clamav.net
Retrieving http://db.be.clamav.net/daily-25104.cdiff
Trying to download http://db.be.clamav.net/daily-25104.cdiff (IP: 104.16.185.138)
WARNING: getfile: Unknown response from db.be.clamav.net (IP: 104.16.185.138)
WARNING: getpatch: Can't download daily-25104.cdiff from db.be.clamav.net
Querying daily.25104.91.0.0.6810B98A.ping.clamav.net
...

# wget http://db.be.clamav.net/daily.cvd
converted 'http://db.be.clamav.net/daily.cvd' (646) -> 'http://db.be.clamav.net/daily.cvd' (UTF-8)
--2018-11-11 17:03:08-- http://db.be.clamav.net/daily.cvd
Resolving db.be.clamav.net (db.be.clamav.net)... 104.16.188.138, 104.16.189.138, 104.16.187.138, ...
Connecting to db.be.clamav.net (db.be.clamav.net)|104.16.188.138|:80... connected.
HTTP request sent, awaiting response... 530
2018-11-11 17:03:08 ERROR 530: (no description).

The (temporary?) solution is to:

# vi .../freshclam.conf
=> replace db.be.clamav.net by db.de.clamav.net (for instance)

# rm ...clamav/db/mirrors.dat

# freshclam --update-db=daily --stdout
ClamAV update process started at Sun Nov 11 17:04:02 2018
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.100.0 Recommended version: 0.100.2
DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav
Downloading daily-25104.cdiff [100%]
Downloading daily-25105.cdiff [100%]
Downloading daily-25106.cdiff [100%]
Downloading daily-25107.cdiff [100%]
Downloading daily-25108.cdiff [100%]
Downloading daily-25109.cdiff [100%]
Downloading daily-25110.cdiff [100%]
Downloading daily-25111.cdiff [100%]
daily.cld updated (version: 25111, sigs: 2148413, f-level: 63, builder: neo)
Database updated (2148413 signatures) from db.de.clamav.net (IP: 104.16.187.138)
Clamd successfully notified about the update.

Thanks
Pierre
Re: [clamav-users] Clam user has read permissions, but I still get "lstat() failed: Permission denied"
Hi,

I would try:

# ps -ef | grep clamd
==> see owner (as you are running clamdscan): if it is not clamav it means there is another config file or an option in the startup procedure...

# sudo -u clamav clamscan -v --config-file=/etc/clamav/clamd.conf nc_data/
==> it should work as we are running as clamav

# strace -o /tmp/strace.out -fp "`pgrep clamd`" &
# clamdscan -v --config-file=/etc/clamav/clamd.conf nc_data/
# kill %1
# more /tmp/strace.out
==> analyze

Pierre

On 30 Oct 2018 at 18:22, Doug Ingham wrote:

Hi all,

For some reason, clamdscan is returning a permissions error for files it has read access to. I've copied some output below to help show the situation...

==
root@arquivos0:/var/www# grep User /etc/clamav/clamd.conf
User clamav
root@arquivos0:/var/www# grep clamav /etc/group
www-data:x:33:clamav
clamav:x:121:
root@arquivos0:/var/www# ls -ld nc_data/
drwxrwx--- 59 www-data www-data 4096 Out 22 08:40 nc_data/
root@arquivos0:/var/www# clamdscan -v --config-file=/etc/clamav/clamd.conf nc_data/
/var/www/nc_data: lstat() failed: Permission denied. ERROR

--- SCAN SUMMARY ---
Infected files: 0
Total errors: 1
Time: 0.000 sec (0 m 0 s)
root@arquivos0:/var/www# sudo -u clamav ls nc_data/
[correct directory contents listed]
root@arquivos0:/var/www# ls -al /var/log/clamav/
total 20
drwxr-xr-x  2 clamav clamav    45 Out 30 12:29 .
drwxrwxr-x 16 root   syslog  4096 Out 30 15:41 ..
-rw-r-      1 clamav adm    10914 Out 30 17:12 clamav.log
-rw-r-      1 clamav adm     2352 Out 30 15:17 freshclam.log
root@arquivos0:/var/www# clamdscan -v --config-file=/etc/clamav/clamd.conf /var/log/clamav/
/var/log/clamav: lstat() failed: Permission denied. ERROR

--- SCAN SUMMARY ---
Infected files: 0
Total errors: 1
Time: 0.000 sec (0 m 0 s)
==

To quote Aristotle, "WTF?"

Any help appreciated!

--
Doug
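Pierre's first step above is to check which user the running clamd belongs to. One thing /etc/group cannot show is the group list the daemon actually holds: a process started before its user was added to a group keeps the old list until it is restarted. The functions below are an added example, not from the thread, for making that check explicit on Linux by reading the Groups: line of /proc/<pid>/status and comparing it with the gid of the directory that fails with lstat(). The use of pgrep -x and GNU stat -c, and the sample status text in the test, are assumptions and constructed data.

```shell
#!/bin/sh
# Added example (not from the clamav-users thread): compare the supplementary
# groups held by the running clamd with the group owning the scanned directory.
# Linux-specific: parses the "Groups:" line of /proc/<pid>/status.

# Print the numeric gids from a /proc/<pid>/status file ($1), one per line.
proc_groups() {
    awk '/^Groups:/ { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# Exit 0 if gid $2 is listed in the Groups: line of status file $1.
proc_has_gid() {
    proc_groups "$1" | grep -qx -- "$2"
}

# Live check: does the first clamd process hold the group of directory $1?
# Exit 0 yes, 1 no, 2 no clamd running. pgrep -x and GNU stat are assumed.
clamd_holds_dir_group() {
    dir=$1
    pid=$(pgrep -x clamd | head -n 1)
    [ -n "$pid" ] || return 2
    gid=$(stat -c %g "$dir")
    if proc_has_gid "/proc/$pid/status" "$gid"; then
        echo "clamd pid $pid holds gid $gid of $dir"
    else
        echo "clamd pid $pid does not hold gid $gid of $dir; it was likely started before the group membership existed"
        return 1
    fi
}

# Usage: clamd_holds_dir_group /var/www/nc_data
```

If the live check fails while /etc/group lists the user in the right group, a daemon restart is the fix to try before reaching for strace.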
Re: [clamav-users] [Clamav-devel] ClamAV® blog: ClamAV 0.100.0 has been released!
+1

Thanks,
Pierre

On 12 Apr 2018 at 13:39, SCOTT PACKARD wrote:

Just wanted to wave to Gary, another Solaris 11.3 user. There aren't many of us left.

Regards,
Scott
Re: [clamav-users] High CPU load during startup/reload of sigs for a long time.
On 30 Dec 2017 at 11:52, Thorsten Schöning wrote:

> That's the main difference, the VM where I have the problems has 48 GB
> of RAM and currently 10 assigned vCPUs, formerly 6. The VMs where this
> is not happening have only 2 vCPUs and 6 or 8 GB of RAM, where only 2-4
> GB are in use by apps and else is cache. The problematic VM has ~10 GB
> in use by apps and everything else for caches and buffers.
> The only thing that really jumps out is the number of context switches
> in the host and how long this happens. On the working host those climb
> from ~6'500 to 10-15'000 for very few seconds, while on the
> "non-working" host those climb from ~5'000 to 50'000 for a much longer
> period of time. While in all cases the VMs itself don't have many
> context switches themselves.

Could it be that you are oversubscribing your vCPUs? I mean if you assign more vCPUs to your VMs than you physically have then I guess it's expected to see lots of context switches on the host, and that would not be good of course.

HTH,
Pierre
Re: [clamav-users] Maximize availability during rule loading
Hi,

As this question comes back now and then (from me in the past as well), I have a proposal IF you have enough RAM. On reload:

- start a second instance with a slightly different config file containing "LocalSocket .../clamd.sock.new"
- wait in the logs for "Database correctly reloaded"
- stop the first instance
- mv .../clamd.sock.new .../clamd.sock

I see some possible issues though:

- Other programs are connected to the original socket, but I suppose the socket will be deleted when the first instance stops, so the other parties will try to reconnect and then communicate with the new instance.
- The log file that would be opened and updated by both instances. The LogFileUnlock option might be necessary but then the messages from one might overwrite those from the other. So, if possible, the syslog could be used instead. Without the syslog I think it would be better to define a clamd.log.new for the second instance and rotate the log file after the first instance is stopped (clamd.log -> clamd.log.prev, clamd.log.new -> clamd.log, clamd.log.prev -> clamd.log.new). The LogRotate might need to be disabled in the conf file and done outside of clamd.
- The PidFile should be disabled (both instances would be killed at service stop). Anyway on my system the service stop procedure uses a "pkill -x $prog", that means it would not stop the "clamd --config ...clamd.conf.new" if it is running...
- If the database is not reloaded correctly both instances might remain up, we should wait for the message with a timeout.
- It would not work in TCPSocket mode, only in LocalSocket mode.

Do you think this would work? Of course you would need temporarily an additional ~1GB of RAM...

Somehow I must say I don't much like this procedure: it's a bit tricky. I would prefer to have 2 real service instances, each with its own configuration file, one persistently enabled, the other not as it would be enabled temporarily during a db reload. But then I guess I would need 2 different socket, log and pid files. As I'm using mimedefang to connect to the socket I could maybe make it failover to the second socket in case the first one is not responding... I think it is a matter of updating mimedefang-filter:

< my($code, $category, $action) = message_contains_virus();
--
> $ClamdSock = /...first.sock;
> my($code, $category, $action) = message_contains_virus();
> if ($action eq "tempfail") {
>     $ClamdSock = /...second.sock;
>     # assign to the outer variables: a second "my" here would declare
>     # block-scoped copies and leave the outer $action at "tempfail"
>     ($code, $category, $action) = message_contains_virus();
> }

The on reload procedure would do:

- start a second service instance with its different config (socket, log, pid)
- wait in the log for "Database correctly reloaded"
- reload the first instance
- wait in the log for "Database correctly reloaded"
- stop the second instance

Thanks,
Pierre

On 20 Nov 2016 at 17:24, Charles Sprickman wrote:

Hi all,

I have two VMs running clamav and I monitor both with a simple nagios check (it sends PING, waits for PONG). I have been getting quite a few notifications lately after adding sane security and other 3rd party AV rulesets. Looking at the logs, I see that my timeouts line up with the reloading messages:

Nov 20 16:39:02 spam-a clamd[1417]: Reading databases from /var/db/clamav
Nov 20 16:41:14 spam-a clamd[1417]: Database correctly reloaded (7986341 signatures)

I do have two servers, so if this is expected behavior, I'll just make nagios less touchy and let the mail server just fail over to the other box. If not, what can be done to maintain availability while the db reloads? I currently reload every hour (based on clamd.conf), occasionally more often if there are new rules detected by clamav-unofficial-sigs.
Thanks,
Charles

--
Charles Sprickman
NetEng/SysAdmin
Bway.net - New York's Best Internet
www.bway.net
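The five-step "on reload procedure" Pierre prefers at the end of his message (start a standby instance, wait for its "Database correctly reloaded", reload the primary, wait again, stop the standby) is scripted below as an added example; it is not code from the thread. The key piece is a log wait that only accepts lines appended after the wait began, so a "Database correctly reloaded" left over from an earlier reload cannot satisfy it, and that gives up after a timeout, which addresses Pierre's concern about both instances staying up when a reload fails. Config and log paths are placeholders; the standby config is assumed to use its own LocalSocket, LogFile and PidFile, and clamdscan --reload is used to trigger the primary's reload.

```shell
#!/bin/sh
# Added example (not from the clamav-users thread): reload clamd signatures
# behind a temporary standby instance. All paths below are placeholders.

# Number of lines currently in log $1 (0 if it does not exist yet).
log_lines() {
    if [ -f "$1" ]; then wc -l < "$1" | tr -d ' '; else echo 0; fi
}

# Wait up to $3 seconds for a line matching $2 to be appended to log $1.
# Only lines after line number $4 (default: the length when called) count,
# so an old "Database correctly reloaded" cannot satisfy the wait.
wait_for_log() {
    log=$1; pattern=$2; timeout=$3; start=${4:-$(log_lines "$1")}
    i=0
    while [ "$i" -lt "$timeout" ]; do
        if [ -f "$log" ] && tail -n +"$((start + 1))" "$log" | grep -q -- "$pattern"; then
            return 0
        fi
        sleep 1
        i=$((i + 1))
    done
    return 1
}

# Reload the primary while a standby answers requests.
#   $1 primary clamd.conf   $2 standby clamd.conf (own socket/log/pid)
#   $3 primary log file     $4 standby log file   $5 timeout in seconds
# Exit 0 on success, 1 if a reload timed out, 2 if the standby failed to start.
reload_with_standby() {
    primary_conf=$1; standby_conf=$2; primary_log=$3; standby_log=$4; timeout=$5
    mark=$(log_lines "$standby_log")
    clamd --config-file="$standby_conf" || return 2
    if ! wait_for_log "$standby_log" "Database correctly reloaded" "$timeout" "$mark"; then
        # Standby never became ready: stop it and leave the primary alone.
        # pkill -f matches the full command line, so only the standby is hit
        # (a bare "pkill -x clamd" would kill both, as noted in the thread).
        pkill -f -- "clamd --config-file=$standby_conf"
        return 1
    fi
    mark=$(log_lines "$primary_log")
    clamdscan --config-file="$primary_conf" --reload
    wait_for_log "$primary_log" "Database correctly reloaded" "$timeout" "$mark"
    rc=$?
    pkill -f -- "clamd --config-file=$standby_conf"
    return "$rc"
}

# Usage: reload_with_standby /etc/clamav/clamd.conf /etc/clamav/clamd-standby.conf \
#            /var/log/clamav/clamd.log /var/log/clamav/clamd-standby.log 600
```

The client side still has to fail over to the standby's socket while the primary reloads, as the mimedefang-filter change above sketches; this script only sequences the daemons.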
Re: [clamav-users] Version 0.98.3 fails on Solaris
On 8 May 2014 at 11:23, Shawn Webb wrote:

On Thu, May 8, 2014 at 11:13 AM, Martin Preen

Is there a way you can get to me main.cvd.broken? I'm wondering if the change to OpenSSL for hashing has somehow changed parsing CVDs and CLDs on big-endian machines running Solaris. I thoroughly tested the code on a sparc64 machine (an old SunFire 280r) running FreeBSD 9.2 successfully.

To help me debug the issue: what version of OpenSSL do you have installed? Can you give me the output of the clamdconf command (preferably to a pastebin service)? Can you give me (again, pastebin) the output of your config.log?

I can install Solaris on this sparc64 machine as early as next week.

If for Solaris 10 it is ok, I'm afraid you won't be able to test Solaris 11 on this machine: you need a sun4v or M-series sun4u, or a 64-bit x86 (machine or virtual machine).

Pierre

Note: I did not try 0.98.3 yet but I skipped 0.98.1 as well because it did not compile with my usual script either (on Solaris 10 sparc) and I have had no time to debug the problem yet.
Re: [clamav-users] configure error with clamav-0.98
Thanks for the configure patch, Lawrence, you solved the issue on sparc as well. And with the Types.h patch of Shawn, the make passed too. Pierre On 27 Sep 2013 at 15:54, Lawrence K. Chen, P.Eng. wrote: - Original Message - Been struggling with configure complaining that it can't find -lz (and later not figuring out how to make a shared library correctly.) Turns out there's two spots in configure that use -Wl,-rpath=$ZLIB_HOME/lib, ignoring that configure had determined that ld is not gnu. In the previous versions this was -L$ZLIB_HOME/lib While the correct form would be -Wl,-R$ZLIB_HOME/lib this doesn't on its own make clamav build on, as the library it needs is in $ZLIB_HOME/lib/amd64 (building 64-bit on Solaris x64) Which I've been doing by setting LDFLAGS in my build environment. -- Who: Lawrence K. Chen, P.Eng. - W0LKC - Senior Unix Systems Administrator For: Enterprise Server Technologies (EST) -- SafeZone Ally ___ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml For completeness, what I did was patch configure, like so (make it like it was in previous releases) --- configure 19 Sep 2013 20:05:30 - 1.1.1.22 +++ configure 20 Sep 2013 21:39:57 - 1.2 @@ -15952,7 +15952,7 @@ if test $ZLIB_HOME != /usr; then CPPFLAGS=$CPPFLAGS -I$ZLIB_HOME/include save_LDFLAGS=$LDFLAGS - LDFLAGS=$LDFLAGS -Wl,-rpath=$ZLIB_HOME/lib + LDFLAGS=$LDFLAGS -L$ZLIB_HOME/lib { $as_echo $as_me:${as_lineno-$LINENO}: checking for inflateEnd in -lz 5 $as_echo_n checking for inflateEnd in -lz... 6; } if ${ac_cv_lib_z_inflateEnd+:} false; then : 
@@ -15990,7 +15990,7 @@ { $as_echo $as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_z_inflateEnd 5 $as_echo $ac_cv_lib_z_inflateEnd 6; } if test x$ac_cv_lib_z_inflateEnd = xyes; then : - LIBCLAMAV_LIBS=$LIBCLAMAV_LIBS -Wl,-rpath=$ZLIB_HOME/lib -lz; FRESHCLAM_LIBS=$FRESHCLAM_LIBS -Wl,-rpath=$ZLIB_HOME/lib -lz + LIBCLAMAV_LIBS=$LIBCLAMAV_LIBS -L$ZLIB_HOME/lib -lz; FRESHCLAM_LIBS=$FRESHCLAM_LIBS -L$ZLIB_HOME/lib -lz else as_fn_error $? Please install zlib and zlib-devel packages $LINENO 5 fi

Then in my build config.mk, I have something like this:

...
ifeq "$(_CHROOT_OS_ARCH)" "sparc"
CM_CONFIG_ENV=LDFLAGS="-Wl,-R/usr/local/lib/sparcv9 -L/usr/local/lib/sparcv9 -Wl,-R/usr/local/lib -L/usr/local/lib" CFLAGS="-O0 -m64"
else
CM_CONFIG_ENV=LDFLAGS="-Wl,-R/usr/local/lib/amd64 -L/usr/local/lib/amd64 -Wl,-R/usr/local/lib -L/usr/local/lib" CFLAGS="-O0 -m64"
endif

Where _CHROOT_OS_ARCH is `uname -p`

-- Who: Lawrence K. Chen, P.Eng. - W0LKC - Senior Unix Systems Administrator For: Enterprise Server Technologies (EST) -- SafeZone Ally
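Review bot: in the first hunk (@@ -15952), replacing `-Wl,-rpath=$ZLIB_HOME/lib` by `-L$ZLIB_HOME/lib` on the LDFLAGS line makes the inflateEnd probe link with the Solaris ld, but it also drops the run-time search path: `-L` only tells the link editor where libz is, so a libz outside the default library path must then be found through LD_LIBRARY_PATH, crle or an `-R` supplied by the caller (which is what the config.mk in this message does). Since configure already knows whether ld is GNU, the cleaner change is to emit `-Wl,-rpath=$ZLIB_HOME/lib` for GNU ld and `-Wl,-R$ZLIB_HOME/lib` otherwise rather than removing the rpath. Note too that this patches the generated configure; unless the same change goes into the configure.ac/m4 source it is lost at the next autoreconf.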
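Review bot: the second hunk (@@ -15990) applies the same rpath-to-`-L` substitution to LIBCLAMAV_LIBS and FRESHCLAM_LIBS, and here the run-time consequence matters more than in the probe: these variables end up on the final link lines of libclamav and freshclam, so with `-L` alone a libz in $ZLIB_HOME/lib is found at build time but not when clamd or freshclam start. The flag string is also spelled out three times across the two hunks; setting it once next to save_LDFLAGS (choosing `-rpath=` or `-R` there) would keep the GNU/Solaris decision in one place.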
Re: [clamav-users] ClamAV - OpenNMS
Hello Marcel,

does ClamAV provide SNMP support? My idea is that ClamAV sends snmp traps with all information (like the results at the prompt) to a snmp server like OpenNMS, when a virus was found. OpenNMS is a network management system. Primarily it monitors network infrastructures. But you can also handle snmp traps from printers, servers, programs and and and... So why not from ClamAV?

You're talking about the command line (prompt) so I guess you are not scanning emails but rather directories... but, who knows, this might give you ideas.

I use ClamAV for mail scanning and I don't send traps on mail viruses and spams as there are too many of them, but I let my management system query the mail relay via SNMP every 5 minutes.

I added this to my snmpd.conf:

exec 1.3.6.1.4.1.2021.8.990 mailstat.pl /usr/sbin/mailstat.pl -t
exec 1.3.6.1.4.1.2021.8.991 mailstat.pl /usr/sbin/mailstat.pl -v

And I created the mailstat.pl as follows. Of course, depending on your needs and on the tools you use, you might have to tune this... It computes statistics out of /var/log/syslog and out of the output of /usr/bin/mailstats (that you might need to initialize first, and reset at midnight for instance). Persistent counters are saved in /var/log/mailstats.

--mailstat.pl---
#!/usr/bin/perl
# Dhn, 2008/06/30
# Script used by snmpd to collect and return mail statistics but
# it can run from the CLI too.
# Usage: mailstat.pl [-t] [-v]
# Returns the title:value statistics by default, or only the titles (-t)
# or only the values (-v). The statistics are always displayed in the
# same order (see @keys array).
#use strict;
use Fcntl qw(SEEK_SET);   # SEEK_SET constant used by seek() in computestats

# Defaults
my $in    = "/var/log/syslog";     # log pipe
my $stats = "/var/log/mailstats";  # persistent counters
my $fl    = "";                    # flags for output (''|t|v)
my %ctr   = ();                    # current counters
my $w     = 0;                     # write flag
my @ln    = ();                    # splitted line
my @arr   = ();                    # splitted word
my @stat  = ();                    # file stats
my $key   = "";                    # one hash key
my $out   = "";                    # buffer for output
#my $pos  = 0;                     # current position
my @keys = qw/accepted blacklisted discard greeting ham mail pca seen spam
              unknown virus bytesfr bytesto msgsfr msgsto connfr connto
              mailq inode position zlast/;

# Functions / handlers
sub writestats {
    $ctr{seen} = $ctr{greeting} + $ctr{blacklisted} + $ctr{unknown}
               + $ctr{spam} + $ctr{virus} + $ctr{ham};
    $ctr{accepted} = $ctr{spam} - $ctr{discard} + $ctr{ham};
    $ctr{pca} = int(($ctr{seen} != 0) ? (1 * $ctr{accepted} / $ctr{seen}) : 0) / 100;
    #$ctr{position} = $pos;
    open OUT, ">", $stats or die "Cannot open $stats for writing: $!\n";
    $out = "";
    #foreach $key (sort keys %ctr) {
    foreach $key (@keys) {
        if ($key eq "zlast") {
            printf OUT "%12s: %-60s\n", $key, $ctr{$key};
        } else {
            printf OUT "%12s: %12d\n", $key, $ctr{$key};
        }
        saveout($key);
    }
    close OUT;
    $w = 0;
}

sub saveout {
    my $key = $_[0];
    return if ($key eq "inode" || $key eq "position" || $key eq "zlast");
    if ($fl eq "t") {
        $out .= "$key\n";
    } elsif ($fl eq "v") {
        $out .= "$ctr{$key}\n";
    } else {
        $out .= sprintf("%12s: %12d\n", $key, $ctr{$key});
    }
}

sub computestats {
    seek IN, $ctr{position}, SEEK_SET;
    #$pos = $ctr{position};
    while (<IN>) {
        #$pos += length($_);
        $ctr{position} += length($_);
        $ctr{zlast} = substr($_, 0, 60);
        @ln = split;
        if (/ sendmail.* reject=550 5.7.1 Spam blocked /) {
            $ctr{blacklisted}++; $w++;
        } elsif (/ sendmail.* reject=550 5.1.1 .* User unknown/) {
            $ctr{unknown}++; $w++;
        } elsif (/ sendmail.* due to pre-greeting traffic/) {
            $ctr{greeting}++; $w++;
        } elsif ($ln[4] =~ /^mimedefang.pl/ && $ln[8] =~ /^MDLOG,/) {
            @arr = split /,/, $ln[8];
            #if ($arr[2] eq "spam" && $arr[3] > 9) {
            #    $ctr{spam}++; $ctr{discard}++; $w++;
            if ($arr[2] eq "spamd") {
                $ctr{spam}++; $ctr{discard}++; $w++;
            } elsif ($arr[2] eq "spam") {
                $ctr{spam}++; $w++;
            } elsif ($arr[2] eq "virus") {
                if ($arr[3] =~ /^Sanesecurity/) {
                    $ctr{spam}++; $ctr{discard}++; $w++;
                } else {
                    $ctr{virus}++; $w++;
                }
            } elsif ($arr[2] eq "ham") {
                $ctr{ham}++; $w++;
            } elsif ($arr[2] eq "mail_in") {
                $ctr{mail}++; $w++;
            }
        }
        writestats if ($w >= 100);
    }
}

sub sendmailstats {
    open STATS, "/usr/bin/mailstats|" or die "$0: mailstats error /usr/bin/mailstats: $!";
    while (chomp($line = <STATS>)) {
        if ($. > 2) {
            ($m, $line) = split(' ', $line, 2);
            if ($m eq "T") {
                ($msgsfr, $bytesfr, $msgsto, $bytesto) = (split(/ +/, $line))[0, 1, 2, 3];
                chop $bytesfr;  # remove K
                chop $bytesto;
            } elsif ($m eq "C") {
                ($connfr, $connto, $connrej) = split(/ +/, $line);
Re: [clamav-users] DLP scan configuration using clamscan
On 25 Sep 2012 at 20:16, Fredrich Maney wrote:

While a good idea, it's not really feasible for me. I'm dealing with several hundred terabytes of data and I simply do not have that much spare disk available.

You might try something like:

clamscan --detect-structured=yes \
    --structured-cc-count=2 \
    --structured-ssn-count=2 \
    --structured-ssn-format=2 \
    --cross-fs=no \
    --exclude=/zones \
    -r \
    $( (df -F ufs; df -F zfs) | nawk '{printf "%s ", $1}')

...or like:

clamscan --detect-structured=yes \
    --structured-cc-count=2 \
    --structured-ssn-count=2 \
    --structured-ssn-format=2 \
    $(nawk '/ *#/{next} {printf "--exclude-dir=%s ", $1}' /etc/excludedirs.conf) \
    -r \
    /

...but pay attention to the maximum length for a command.

Note that, if you're not expecting malicious behaviors, you could speed things up (and cool the cpu down) by scanning only the files that were updated since last scan...

HTH
Pierre
[clamav-users] signature too short
Hi,

What does it mean when a signature you add is said to be too short? The error is:

LibClamAV Error: cli_ac_addsig: Signature for Sanesecurity.Pierre.35 is too short
LibClamAV Error: cli_parse_add(): Problem adding signature (1).
LibClamAV Error: Problem parsing database at line 35
LibClamAV Error: Can't load /tmp/pierre.ndb: Malformed database
ERROR: Malformed database

In the source code I found:

if(strlen(hexsig) / 2 < root->ac_mindepth) {
    cli_errmsg("cli_ac_addsig: Signature for %s is too short\n", virname);
    return CL_EMALFDB;
}

That happens to me now and then but I already successfully added shorter signatures into the ndb file. Is it the signature that is too short, or is it a string of it, or is it related to other signatures?

The signature I am trying to add is:

Vigra{-20}$*http://{-20}doctor.ru

but this does not work either:

Vigra*http://{-20}doctor.ru

Thanks for any advice,
Pierre
Re: [clamav-users] Basic newbie question
Hi Eddie,

I'm not running debian squeeze but, from your question, I guess you are using clamav for scanning emails with the help of amavis. So it is not a question of scanning files and directories on the disk. In this case (emails), it is probably in the amavis configuration that you will find your answer: clamav just tells the file is infected and amavis decides what to do with it and with the email. Look for instance at the following page: http://www200.pair.com/mecham/spam/amavisd-settings.html

HTH
Pierre

On 4 May 2012 at 7:39, Mr. Eddie Jackson wrote:

Please answer this simple basic newbie webmaster question. I have spent hours and read the entire clamav manual and it is not answered. I simply need to know if clamav deletes or quarantines viruses it finds in a default debian squeeze apache2 general web/mail/db etc server? I am seeing lots of viruses, trojans and mail viruses FOUND in the logs, but no indication whatsoever that clamav (or amavis) is deleting or quarantining them. When I look at /etc/clamav/, both the /onerrorexecute.d/ and the /virusevent.d/ sub-directories are empty. Is anything happening to the viruses that clamav (and amavis) is finding? Thank you.

Newbie webmaster who can't afford a real one.
Re: [clamav-users] [sanesecurity] Re: Long DB refresh ti
On 26 Apr 2012 at 21:18, Török Edwin wrote:

On 04/26/2012 08:37 PM, Michael Orlitzky wrote:

On 04/26/2012 10:32 AM, Dennis Peterson wrote:

On 4/25/12 7:34 AM, Michael Orlitzky wrote:

On 04/25/12 07:55, Török Edwin wrote:

I don't know if this can help speeding up the process but I collected some statistics on clamscan of a small file (wallclock duration: ~25sec):

I think I'm missing some context here: which DB files are slow to load? The official ones? Just the sanesecurity ones? Any particular DB from the sanesecurity ones?

My problem isn't so much that it takes a while to load the signatures, but that clamd (and thus the mail server) is effectively down the entire time.

This has been a problem on every Sparc system I've ever installed ClamAV on and that goes back quite a few years. I still use it on several Netra 500 MHz pizza boxes. It is also quite a memory hole which is more related to the available memory and number of sigs, so on memory constrained systems I've cut back on the number of SS signatures. And at my peril, I might add, as they have long been the most valuable in terms of results. And because of the dead time when reloading I've cut freshclam to once a day. That has resulted in a net improvement in detections because of the higher availability time.

The signature databases are created once, and loaded thousands of times. They should just be sorted, so that lookups are instantaneous. Then it's trivial to update the databases in the background, because you can quickly determine if a particular signature was added or deleted. The wall-time-elapsed would be a bit worse, but nobody would care.

It's a bit more complicated than that. To ensure fast pattern-matching the signatures are loaded into an Aho-Corasick trie for example. It would be possible to add to the trie (that's what happens when loading signatures), but removing is more tricky. And to determine what to remove you need to go through all the signatures in the database anyway.

Also updating the loaded signature database would require the scanning threads to take read locks, which would slow things down and make updating it harder (right now the loaded signature database is never modified, hence no locks are needed).

It would be easier to just move reload_db to a different thread and allow scanning with the old database during the DB reload. Then when the DB reload is finished atomically replace the engine pointer and free the old engine. Downside would be that you get twice the memory usage during reload, but you don't have downtime, so this should probably be controlled by a flag in clamd.conf.

Doing that with 2 different processes rather than with 2 threads would at least free all the initial process memory when the transfer of service is done and that process can exit. AFAIK freeing the memory inside of a process does not necessarily reduce the memory space consumed. But I'm not an expert. Of course that transfer of service would be more tricky between 2 processes...

Regards,
Pierre
Re: [clamav-users] [sanesecurity] Re: Long DB refresh times
On 24 Apr 2012 at 18:11, Steve Basford wrote:

Has anyone else seen these kinds of delays? Is there any way to get these databases to load faster or to allow ClamAV to continue scanning when the database is being reloaded?

Sorry for the briefness here, as I'm currently sorting out my home internet access...

For those having issues:
a) what databases are loaded
b) what OS are you running

It could be, as someone else suggested a tipping point in memory, but we need to get a handle on db's used etc. Perhaps we can then get a set of test data and create a bugzilla clamav entry

I don't know if this can help speeding up the process but I collected some statistics on clamscan of a small file (wallclock duration: ~25sec):

# ./DTraceToolkit-0.96/procsystime -cen clamscan

Elapsed Times for processes clamscan,

         SYSCALL          TIME (ns)
          getuid               3750
           gtime               4083
     lwp_sigmask               4667
      sigpending               4667
      systeminfo               5750
           times               6167
          getpid               7417
       sysconfig              11332
           fstat              15082
      setcontext              16250
       getrlimit              17751
           fcntl              26000
             dup              28750
            stat              36251
            fsat              44833
        mprotect              46000
           pread              51416
           lstat              53250
        schedctl              57500
      getdents64             107667
          access             154583
           ioctl             209083
           write             301667
           lseek             336754
         fstat64             435166
     resolvepath             629499
         memcntl             749498
          llseek             816746
            open            1308664
          stat64            1714168
             brk            1799754
           close            1835584
            mmap           24644318
          munmap          125520181
            read         1469157031

Syscall Counts for processes clamscan,

         SYSCALL              COUNT
            fsat                  1
          getuid                  1
           gtime                  1
           lstat                  1
     lwp_sigmask                  1
           pread                  1
           rexit                  1
        schedctl                  1
      sigpending                  1
      systeminfo                  1
           times                  1
           fstat                  2
          getpid                  2
       getrlimit                  2
        mprotect                  2
      setcontext                  2
            stat                  2
       sysconfig                  3
      getdents64                  4
             dup                  6
           fcntl                  7
          access                  9
           write                 10
         memcntl                 20
           ioctl                 29
     resolvepath                 29
            open                 46
           close                 52
         fstat64                 58
           lseek                 88
          stat64                101
             brk                170
          llseek                175
          munmap                612
            mmap                674
            read              13573

At first glance it looks like the 13573 reads (of 8KB, as seen with another command) take most of the system time (1.5 sec). Larger reads might help, but it seems that it is in userland that most of the time is spent.

Inside the process, after executing the __udivdi3 function about 19000 times, there is a long delay (most of the execution time), and then the __ashidi3 function about 69000 times.

Now, looking at all function occurrences (from binary or libraries), these are the most often called ones:

        FUNCTION    COUNT
        ...
  cli_htu32_next   201030
    cli_isnumber   202744
            atoi   202763
         __mul64   206909
      cli_caloff   226946
           fgets   242252
         memccpy   244999
      cli_strtok   252988
     _realbufend   255751
        getxfdat   255774
         sprintf   259956
        _ndoprnt   259975
          ferror   259975
Re: [clamav-users] [sanesecurity] Re: Long DB refresh times
On 25 Apr 2012 at 14:55, Török Edwin wrote:

On 04/25/2012 02:33 PM, Pierre Dehaen wrote:

On 24 Apr 2012 at 18:11, Steve Basford wrote:

Has anyone else seen these kinds of delays? Is there any way to get these databases to load faster or to allow ClamAV to continue scanning when the database is being reloaded?

Sorry for the briefness here, as I'm currently sorting out my home internet access...

For those having issues:
a) what databases are loaded
b) what OS are you running

It could be, as someone else suggested a tipping point in memory, but we need to get a handle on db's used etc. Perhaps we can then get a set of test data and create a bugzilla clamav entry

I don't know if this can help speeding up the process but I collected some statistics on clamscan of a small file (wallclock duration: ~25sec):

I think I'm missing some context here: which DB files are slow to load? The official ones? Just the sanesecurity ones? Any particular DB from the sanesecurity ones?

$ clamscan --official-db-only=yes afile
afile: OK

--- SCAN SUMMARY ---
Known viruses: 1204045
Engine version: 0.97.3
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 14.235 sec (0 m 14 s)

$ clamscan afile
afile: OK

--- SCAN SUMMARY ---
Known viruses: 1446134
Engine version: 0.97.3
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 26.130 sec (0 m 26 s)

# This shows time delta between open syscalls (and the DBs used):
$ truss -Dt open clamscan afile
[...]
 0.0015 open("/opt/clamav/etc/freshclam.conf", O_RDONLY) = 3
 0.0232 open("/opt/clamav/share/clamav/sigwhitelist.ign2", O_RDONLY) = 4
 0.0026 open("/opt/clamav/share/clamav/daily.cld", O_RDONLY) = 4
 0.0004 open("/opt/clamav/share/clamav/daily.cld", O_RDONLY) = 4
 1.4788 open("/opt/clamav/share/clamav/main.cld", O_RDONLY) = 4
11.3070 open("/opt/clamav/share/clamav/winnow_malware.hdb", O_RDONLY) = 4
 0.0015 open("/opt/clamav/share/clamav/junk.ndb", O_RDONLY) = 4
 1.4502 open("/opt/clamav/share/clamav/jurlbl.ndb", O_RDONLY) = 4
 0.2828 open("/opt/clamav/share/clamav/phish.ndb", O_RDONLY) = 4
 6.3976 open("/opt/clamav/share/clamav/rogue.hdb", O_RDONLY) = 4
 0.0201 open("/opt/clamav/share/clamav/scam.ndb", O_RDONLY) = 4
 1.6515 open("/opt/clamav/share/clamav/spamimg.hdb", O_RDONLY) = 4
 0.0073 open("/opt/clamav/share/clamav/winnow_malware_links.ndb", O_RDONLY) = 4
 0.4164 open("/opt/clamav/share/clamav/MSRBL-Images.hdb", O_RDONLY) = 4
 0.0203 open("/opt/clamav/share/clamav/MSRBL-SPAM.ndb", O_RDONLY) = 4
 0.2371 open("/opt/clamav/share/clamav/bytecode.cld", O_RDONLY) = 4
 0.0609 open("/opt/clamav/share/clamav/pierre.ndb", O_RDONLY) = 4
 0.0050 open("/opt/clamav/share/clamav/securiteinfo.hdb", O_RDONLY) = 4
 1.0959 open("/opt/clamav/share/clamav/spamattach.hdb", O_RDONLY) = 4
 0.0052 open("/opt/clamav/share/clamav/honeynet.hdb", O_RDONLY) = 4
 0.0055 open("/opt/clamav/share/clamav/mbl.ndb", O_RDONLY) = 4
 0.0512 open("/opt/clamav/share/clamav/sanesecurity.ftm", O_RDONLY) = 4
 1.4356 open("afile", O_RDONLY) = 3
afile: OK

--- SCAN SUMMARY ---
Known viruses: 1446134
Engine version: 0.97.3
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 26.650 sec (0 m 26 s)

So main.cld is taking most of the time. Note that I do not complain about the load time: to me, 26sec, it is not a problem. This just delays mail scanning a little bit.

Regards,
Pierre
Re: [clamav-users] [sanesecurity] Re: Long DB refresh times
On 24 Apr 2012 at 18:11, Steve Basford wrote:

Has anyone else seen these kinds of delays? Is there any way to get these databases to load faster or to allow ClamAV to continue scanning when the database is being reloaded?

Sorry for the briefness here, as I'm currently sorting out my home internet access...

For those having issues:
a) what databases are loaded
b) what OS are you running

It could be, as someone else suggested a tipping point in memory, but we need to get a handle on db's used etc. Perhaps we can then get a set of test data and create a bugzilla clamav entry

Cheers,
Steve
Sanesecurity

No problem here, a clamscan (which should load all dbs AFAIK) takes 26 sec on an old SPARC. I'm on Solaris, 0.97.3 and I use more or less the same sigs as Robo Kupka but I don't use bofhland sigs.

Pierre
Re: [clamav-users] trouble compiling clamav 0.97.4 - Just a general comment on programming and error messages.
On 18 Apr 2012 at 11:45, Chuck Swiger wrote:

On Apr 18, 2012, at 10:25 AM, Jim Preston wrote:

Too many times error messages are meaningless to almost anyone who is not part of the build team.

That may well be true in general, but ClamAV is open source: you've got the source code and build infrastructure available to inspect and determine the reason for an error message. In other words, if you're running ./configure, welcome to the build team.

As a happy user of ClamAV and other open source software (on Solaris, Linux), I must recognize compiling has always been a challenge, especially on Solaris, as it is less often tested by developers I guess. I generally succeed anyway, when all dependencies are installed, and sometimes with a fix in a source file like adding an include which was skipped due to an apparently wrong #ifdef... (that was for the passenger (mod_rails) module for apache, not for ClamAV). The compiler, when it detects such an error, can just tell me a variable is undefined, not that the include file is missing of course, otherwise it could fix the error itself! I'm not a gcc expert but, with some programming experience and some queries on the web, I can generally find my way.

I find it more difficult to understand exactly the meaning of some configure flags. What are the consequences of a --disable-clamuko or --enable-bigstack for instance? When should I use them? The little configure --help description is generally not enough for these special options. I know I have to --disable-static and add some CFLAGS when I compile on Solaris for instance, but why would I need static libraries for clamav or what can't I do if I miss them? Up to now I don't know as that is not explained AFAIK... but everything I need works.

IMHO explaining these options (why, when, consequences) could be a nice enhancement.

Thank you anyway for this very useful tool!

Best regards,
Pierre
Re: [clamav-users] Compiling and installing from an NFS mount
Hmm, my script is a bit more complex as it:
- unzip && untar
- configure
- make && make check
- backs up the current clamav directory (who knows...)
- backs up the configuration files
- disable the clamav service (I'm running on Solaris)
- make uninstall (from the previous build directory)
- make install
- mkdir, chown, chmod the service method and manifest subdirectories under the prefix directory (which is /opt/clamav here)
- touches /opt/clamav/etc/clamd if needed
- copies the manifest if needed
- imports the manifest to create the service if needed
- compares the old revision freshclam.conf.orig and freshclam.conf to reapply (patch) the same changes to the current freshclam.conf
- does the same for clamd.conf
- checks if my own signatures have not disappeared
- enables the service and checks if it starts smoothly.

It's maybe overkill here and there but, for instance, I don't want to reconfigure manually clamav and freshclam from the default files, and I don't want to keep the old configuration files that may miss new settings.

If you have any advice, please share!

Thank you
Regards,
Pierre

On 13 Mar 2012 at 11:47, G.W. Haywood wrote:

[...]

What's wrong with a small shell script?

#!/bin/bash
cd /tmp
tar xzvf /nfs_mount/clamav-x.xx.tgz
cd clamav-x.xx
./configure --with-various-options
make
sudo make install
cd ..
rm -rf clamav-x.xx

-- 73, Ged.
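The config step of the procedure above (compare the old freshclam.conf.orig with the edited freshclam.conf and reapply the same changes to the new release's file) as an added example in POSIX sh; this is not Pierre's script. It does the reapply as a three-way merge with GNU diff3 (diffutils), uses constructed sample files with hypothetical names, and refuses to write the result when a local edit collides with an upstream change to the same line.

```shell
#!/bin/sh
# Added example, not the update script from the list post: carry the local
# edits made to the previous release's freshclam.conf over to the new
# release's default file with a three-way merge (GNU diff3 from diffutils).
# All file names and config contents below are constructed for the demo.

# merge_conf OLD_ORIG OLD_EDITED NEW_ORIG OUT
#   OLD_ORIG    pristine file shipped with the old release (the .orig copy)
#   OLD_EDITED  the same file after local customisation
#   NEW_ORIG    pristine file shipped with the new release
#   OUT         merged result
# Exit status: 0 on a clean merge; 1 when a local edit and an upstream
# change touch the same lines, in which case OUT is left unwritten so a
# half-merged config never reaches the live etc directory.
merge_conf() {
    old_orig=$1 old_edited=$2 new_orig=$3 out=$4
    tmp="$out.merge.$$"
    # diff3 -m MINE OLDER YOURS replays the OLDER->MINE edits onto YOURS
    if diff3 -m "$old_edited" "$old_orig" "$new_orig" > "$tmp"; then
        mv "$tmp" "$out"
        return 0
    fi
    rm -f "$tmp"          # holds <<<<<<< conflict markers: discard it
    return 1
}

# conf_value FILE KEY: value of a ClamAV-style "Key value" line, or empty
conf_value() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# setup_demo: write the constructed sample files to a temp dir, print its path
setup_demo() {
    d=$(mktemp -d)
    # old release, as shipped
    cat > "$d/freshclam.conf.orig.old" <<'EOF'
# freshclam.conf shipped with the old release (constructed sample)
# Comment out the next line to enable this file
Example
DatabaseDirectory /var/lib/clamav
UpdateLogFile /var/log/clamav/freshclam.log
LogTime yes
Checks 12
DatabaseMirror database.clamav.net
EOF
    # old release after local customisation
    cat > "$d/freshclam.conf.old" <<'EOF'
# freshclam.conf shipped with the old release (constructed sample)
# Comment out the next line to enable this file
#Example
DatabaseDirectory /opt/clamav/share/clamav
UpdateLogFile /var/log/clamav/freshclam.log
LogTime yes
Checks 24
DatabaseMirror database.clamav.net
NotifyClamd /opt/clamav/etc/clamd.conf
EOF
    # new release, as shipped: new header comment plus a new option
    cat > "$d/freshclam.conf.orig.new" <<'EOF'
# freshclam.conf shipped with the new release (constructed sample)
# Comment out the next line to enable this file
Example
DatabaseDirectory /var/lib/clamav
UpdateLogFile /var/log/clamav/freshclam.log
Bytecode yes
LogTime yes
Checks 12
DatabaseMirror database.clamav.net
EOF
    # a new release that also changed the Checks default: collides with
    # the local "Checks 24" edit, so the merge must be refused
    sed 's/^Checks 12$/Checks 48/' "$d/freshclam.conf.orig.new" \
        > "$d/freshclam.conf.orig.conflict"
    echo "$d"
}

d=$(setup_demo)
if merge_conf "$d/freshclam.conf.orig.old" "$d/freshclam.conf.old" \
              "$d/freshclam.conf.orig.new" "$d/freshclam.conf"; then
    echo "clean merge: Checks=$(conf_value "$d/freshclam.conf" Checks)"
fi
if ! merge_conf "$d/freshclam.conf.orig.old" "$d/freshclam.conf.old" \
                "$d/freshclam.conf.orig.conflict" "$d/freshclam.conf.2"; then
    echo "conflict on Checks: merge by hand before enabling the service"
fi
```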
Re: [clamav-users] Compiling and installing from an NFS mount
No, I just install on a few mail filtering machines, all Solaris... and the script is not automated: it asks for confirmation before doing each step and it shows output of commands, so you can stop the script, verify, fix, etc, and restart, skip some steps already done, and complete the update. And as this is something I have to do every few months only, it helps to remember the exact procedure.

Build on one, distribute to others can be risky if they are not at the same revision of the packages.

Pierre

On 13 Mar 2012 at 12:08, Shawn Bakhtiar wrote:

As an administrator I would be very afraid to automate the installation or updating of any software. Are you doing many machines? If so, and they all use the same OS, why not build on one, and just distribute the build to all the others?

Just sharing :)

From: deha...@drever.be
To: clamav-users@lists.clamav.net
Date: Tue, 13 Mar 2012 15:32:40 +0100
Subject: Re: [clamav-users] Compiling and installing from an NFS mount

[...]
Re: [clamav-users] New user
On 1 Dec 2011 at 7:53, pushpa gouder wrote:

Thanks a lot, very helpful! I have been researching about this for quite a while now. If 'clamd' daemon does not scan anything why do they even have options like SCAN MULTISCAN INSTREAM...etc in its man page, I am just curious.

Hi,

Read again the man page. These keywords are under the COMMANDS section, not under OPTIONS. Commands are given via a UNIX and/or TCP socket.

Rgds,
Pierre
Re: [clamav-users] problems with daily.cld 13960
On 17 Nov 2011 at 8:57, David Alix wrote:

Is anyone else having problems with clamd after the daily.cld updated to version 13960. I'm running clamd 0.97.1, on Solaris 9 SPARC. Since 13960 was installed, clamd abends, with no error messages anywhere. Sometimes clamd will run for up to 20 minutes; it is now dying every 2 minutes.

Hi David,

Running 0.97.1 on Solaris 10 SPARC. No problem for the moment, the daemon is running since Oct 29. What is your bytecode version? Before 152 there was a problem. Here are my current versions:

ClamAV update process started at Thu Nov 17 17:37:00 2011
main.cld is up to date (version: 54, sigs: 1044387, f-level: 60, builder: sven)
daily.cld is up to date (version: 13960, sigs: 30564, f-level: 60, builder: ccordes)
bytecode.cld is up to date (version: 152, sigs: 38, f-level: 60, builder: edwin)

HTH
Pierre
[clamav-users] clamd stops during selfcheck (here too)
Hi,

Following the thread of David Alix clamd abending at selfcheck (th:e2ab86f7), I would like to report my related issue.

I am running Clamav and freshclam 0.97.1 too, called from mimedefang too, but with sendmail on Solaris 10. This server has been running for a long time without problem. Suddenly, yesterday I got this message in freshclam.log:

--
ClamAV update process started at Sun Oct 23 11:37:00 2011
main.cld is up to date (version: 54, sigs: 1044387, f-level: 60, builder: sven)
daily.cld is up to date (version: 13841, sigs: 15898, f-level: 60, builder: mallan)
Downloading bytecode-149.cdiff [100%]
bytecode.cld updated (version: 149, sigs: 39, f-level: 60, builder: edwin)
Can't query bytecode.149.61.1.0.193.1.193.64.ping.clamav.net
Database updated (1060324 signatures) from db.be.clamav.net (IP: 193.1.193.64)
Clamd successfully notified about the update.
--

There was never anything about ping.clamav.net before, and since then the "Can't query" message comes regularly but the rest of the line changes. Anyway it said the database was updated and clamd notified.

Now, in the clamd.log file, it's worse:

--
Oct 23 11:38:11 2011 - +++ Started at Sun Oct 23 11:38:11 2011
Sun Oct 23 11:38:11 2011 - clamd daemon 0.97.1 (OS: solaris2.10, ARCH: sparc, CPU: sparc)
Sun Oct 23 11:38:11 2011 - Running as user defang (UID 101, GID 102)
Sun Oct 23 11:38:11 2011 - Log file size limited to 2097152 bytes.
Sun Oct 23 11:38:11 2011 - Reading databases from /opt/clamav/share/clamav
Sun Oct 23 11:38:11 2011 - Not loading PUA signatures.
Sun Oct 23 11:38:11 2011 - Bytecode: Security mode set to TrustSigned.
Sun Oct 23 11:38:31 2011 - Loaded 1159267 signatures.
Sun Oct 23 11:38:32 2011 - LOCAL: Unix socket file /opt/clamav/var/clamav/clamd.sock
Sun Oct 23 11:38:32 2011 - LOCAL: Setting connection queue length to 200
Sun Oct 23 11:38:32 2011 - Limits: Global size limit set to 104857600 bytes.
Sun Oct 23 11:38:32 2011 - Limits: File size limit set to 26214400 bytes.
Sun Oct 23 11:38:32 2011 - Limits: Recursion level limit set to 16.
Sun Oct 23 11:38:32 2011 - Limits: Files limit set to 1.
Sun Oct 23 11:38:32 2011 - Archive support enabled.
Sun Oct 23 11:38:32 2011 - Algorithmic detection enabled.
Sun Oct 23 11:38:32 2011 - Portable Executable support enabled.
Sun Oct 23 11:38:32 2011 - ELF support enabled.
Sun Oct 23 11:38:32 2011 - Mail files support enabled.
Sun Oct 23 11:38:32 2011 - OLE2 support enabled.
Sun Oct 23 11:38:32 2011 - PDF support enabled.
Sun Oct 23 11:38:32 2011 - HTML support enabled.
Sun Oct 23 11:38:32 2011 - Self checking every 600 seconds.
Sun Oct 23 11:44:03 2011 - /var/run/MIMEDefang/mdefang-p9N9hxhE011873/Work/INPUTMBOX: Sanesecurity.Jurlbl.15054.UNOFFICIAL FOUND
Sun Oct 23 11:48:50 2011 - No stats for Database check - forcing reload
Sun Oct 23 11:48:50 2011 - Reading databases from /opt/clamav/share/clamav
Sun Oct 23 11:49:12 2011 - ERROR: Database initialization error: can't compile engine: Failure in bytecode testmode
Sun Oct 23 11:49:13 2011 - Terminating because of a fatal error.
Sun Oct 23 11:49:13 2011 - Pid file removed.
Sun Oct 23 11:49:13 2011 - --- Stopped at Sun Oct 23 11:49:13 2011
--

Just like David, clamd starts, scans correctly for 600 seconds, then a selfcheck is done and clamd gives an error and stops without dumping a core. Hopefully it is under control of SMF (Service Management Facility) which restarts it. And since yesterday the cycle continues...

I trussed (equivalent of strace on linux) the clamd daemon:

--
[...]
4166/1: open("/opt/clamav/share/clamav/MSRBL-SPAM.ndb", O_RDONLY) = 12
4166/1: fstat64(12, 0xFFBF62D8) = 0
4166/1: fstat64(12, 0xFFBF6180) = 0
4166/1: ioctl(12, TCGETA, 0xFFBF6264) Err#25 ENOTTY
4166/1: read(12, " M S R B L - S P A M . W".., 8192) = 8192
4166/1: read(12, " 0 6 5 7 2 2 D 6 D 2 0 7".., 8192) = 8192
4166/1: read(12, " 9 3 8 3 4 5 F 3 0 3 1 3".., 8192) = 8192
[...]
4166/1: read(12, " . M e d s . 2 7 1 6 : 4".., 8192) = 8192
4166/1: read(12, " 7 4 2 0 4 C 2 C 2 0 4 D".., 8192) = 7075
4166/1: read(12, 0x000C74AC, 8192) = 0
4166/1: llseek(12, 0, SEEK_CUR) = 244643
4166/1: close(12) = 0
4166/1: open("/opt/clamav/share/clamav/bytecode.cld", O_RDONLY) = 12
4166/1: lseek(12, 0, SEEK_SET) = 0
4166/1: fstat64(12, 0xFFBF7F60) = 0
4166/1: fstat64(12, 0xFFBF7E08) = 0
4166/1: ioctl(12, TCGETA, 0xFFBF7EEC) Err#25 ENOTTY
4166/1: read(12, " C l a m A V - V D B : 2".., 8192) = 8192
4166/1:
Re: [clamav-users] clamd unexpected termination: ... Failure in bytecode testmode
On 24 Oct 2011 at 15:23, Török Edwin wrote:
> On 2011-10-24 15:03, Török Edwin wrote:
> > On 2011-10-24 14:55, Matthias Egger wrote:
> > > Hello all
> > >
> > > On 24.10.2011 12:13, Matthew Slowe wrote:
> > > > I'm seeing a problem on a bunch of Solaris 10 SPARC servers running 0.97.x since about 00:55 BST this morning.
> > >
> > > Just wanted to confirm what Matthew sees.
> > > * Also on Solaris 10 SPARC Machines
> > > * Same Error since 01:52 MEST this Morning (which should be 00:55 BST?)
> > > * Error occurs every 10 Minutes (SelfCheck 600)
> > > * upgraded from 0.97.1 to 0.97.3 from scratch (with new definitions)
> > > Since we monitor the service it gets restarted every 10min, but this always creates a warning. So I prefer to solve the problem :-)
> >
> > I just published bytecode.cvd version 150 (and 151 should come out soon too). Does it fix the problem?
>
> 152 is out which should include the fix for this crash on Sparc. Once it reaches your mirrors and freshclam confirms that you got bytecode.cvd 152 can you test again to see if it fixed the crash for you?

Edwin,

The update just hit my server 2 minutes ago.

In freshclam.log:
ClamAV update process started at Mon Oct 24 14:37:00 2011
main.cld is up to date (version: 54, sigs: 1044387, f-level: 60, builder: sven)
daily.cld is up to date (version: 13843, sigs: 15910, f-level: 60, builder: guitar)
Downloading bytecode-150.cdiff [100%]
Downloading bytecode-151.cdiff [100%]
Downloading bytecode-152.cdiff [100%]
bytecode.cld updated (version: 152, sigs: 38, f-level: 60, builder: edwin)
Database updated (1060335 signatures) from db.be.clamav.net (IP: 193.1.193.64)
Clamd successfully notified about the update.

In clamd.log:
Mon Oct 24 14:36:15 2011 - Algorithmic detection enabled.
Mon Oct 24 14:36:15 2011 - Portable Executable support enabled.
Mon Oct 24 14:36:15 2011 - ELF support enabled.
Mon Oct 24 14:36:15 2011 - Mail files support enabled.
Mon Oct 24 14:36:15 2011 - OLE2 support enabled.
Mon Oct 24 14:36:15 2011 - PDF support enabled.
Mon Oct 24 14:36:15 2011 - HTML support enabled.
Mon Oct 24 14:36:15 2011 - Self checking every 600 seconds.
Mon Oct 24 14:36:15 2011 - /var/run/MIMEDefang/mdefang-p9OCaCjA011594/Work/INPUTMBOX: Sanesecurity.Jurlbl.14950.UNOFFICIAL FOUND
Mon Oct 24 14:37:06 2011 - Reading databases from /opt/clamav/share/clamav
Mon Oct 24 14:37:27 2011 - ERROR: Database initialization error: can't compile engine: Failure in bytecode testmode
Mon Oct 24 14:37:28 2011 - Terminating because of a fatal error.
Mon Oct 24 14:37:28 2011 - Pid file removed.
Mon Oct 24 14:37:28 2011 - --- Stopped at Mon Oct 24 14:37:28 2011

Regards,
Pierre
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
Re: [clamav-users] clamd unexpected termination: ... Failure in bytecode testmode
On 24 Oct 2011 at 15:44, Török Edwin wrote:
> On 2011-10-24 15:40, Pierre Dehaen wrote:
> > [...]
> > In clamd.log:
> > [...]
> > Mon Oct 24 14:37:06 2011 - Reading databases from /opt/clamav/share/clamav
> > Mon Oct 24 14:37:27 2011 - ERROR: Database initialization error: can't compile engine: Failure in bytecode testmode
>
> Yes it still had the old one loaded, when you restart clamd now does it work? Try clamdscan --reload and see if it still gives the ERROR.

It looks good!
clamdscan --reload gives:
Mon Oct 24 14:47:42 2011 - Reading databases from /opt/clamav/share/clamav
Mon Oct 24 14:48:04 2011 - Database correctly reloaded (1159407 signatures)

Thank you Edwin!
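The thread shows two log patterns worth recognising from monitoring: the reload crash loop (clamd dying at every SelfCheck with "Failure in bytecode testmode", as Matthias and Pierre describe) and the "Database correctly reloaded" line that confirms the fixed bytecode.cld was loaded. The following is an added example, not code from the thread or from the ClamAV project; it parses clamd's default log line format, and the sample log lines are constructed to mimic the thread's excerpts.

```python
import re
from datetime import datetime

# Constructed clamd.log excerpt in the format seen in the thread (illustrative timestamps).
SAMPLE_LOG = """\
Mon Oct 24 14:26:15 2011 - Self checking every 600 seconds.
Mon Oct 24 14:36:36 2011 - ERROR: Database initialization error: can't compile engine: Failure in bytecode testmode
Mon Oct 24 14:36:37 2011 - Terminating because of a fatal error.
Mon Oct 24 14:46:15 2011 - Self checking every 600 seconds.
Mon Oct 24 14:46:40 2011 - ERROR: Database initialization error: can't compile engine: Failure in bytecode testmode
Mon Oct 24 14:46:41 2011 - Terminating because of a fatal error.
Mon Oct 24 14:56:42 2011 - Reading databases from /opt/clamav/share/clamav
Mon Oct 24 14:57:04 2011 - Database correctly reloaded (1159407 signatures)
"""

LINE_RE = re.compile(r"^(\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) - (.*)$")
SELFCHECK_RE = re.compile(r"Self checking every (\d+) seconds")
FATAL, BYTECODE_ERR, RELOADED = ("Terminating because of a fatal error",
                                 "Failure in bytecode testmode",
                                 "Database correctly reloaded")

def parse_clamd_log(text):
    """Return [(datetime, message)] for each line in clamd's default log format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(" ".join(m.group(1).split()), "%a %b %d %H:%M:%S %Y")
            events.append((ts, m.group(2)))
    return events

def analyze(text, tolerance=60):
    """Flag fatal exits spaced at the SelfCheck interval, and whether a clean reload followed."""
    selfcheck, fatal_times, bytecode_errors, recovered = None, [], 0, False
    for ts, msg in parse_clamd_log(text):
        m = SELFCHECK_RE.search(msg)
        if m:
            selfcheck = int(m.group(1))
        if BYTECODE_ERR in msg:
            bytecode_errors += 1
        if FATAL in msg:
            fatal_times.append(ts)
            recovered = False  # an earlier reload no longer counts
        if RELOADED in msg:
            recovered = True   # clean reload after the last fatal exit
    gaps = [(b - a).total_seconds() for a, b in zip(fatal_times, fatal_times[1:])]
    periodic = bool(gaps) and selfcheck is not None and all(
        abs(g - selfcheck) <= tolerance for g in gaps)
    return {"selfcheck": selfcheck, "fatal_count": len(fatal_times),
            "bytecode_errors": bytecode_errors, "periodic": periodic, "recovered": recovered}
```

A `periodic` result with `bytecode_errors` > 0 points at a database that fails to compile on every reload rather than a random crash, so the fix is a database update followed by `clamdscan --reload`, as in the thread.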