clamavmodule
Jeff A. Earickson
jaearick at COLBY.EDU
Tue Nov 29 19:39:52 GMT 2005
Julian,
I'm working on Phil Randal's suggestion of a search-and-destroy
for all clam files, followed by a re-install. I found a bunch of
directories in /var/tmp, eg /var/tmp/clamav-98764cfb85182039, with
zip files therein. So I ran them through sophos sweep and clamscan
by hand:
=== Checking reg_pass-data.zipynaOYP with Sophos sweep
SWEEP virus detection utility
Version 3.99.0 [Solaris/SPARC]
Virus data version 3.99, November 2005
Includes detection for 113565 viruses, trojans and worms
Copyright (c) 1989-2005 Sophos Plc, www.sophos.com
System time 14:04:31, System date 29 November 2005
Command line qualifiers are: -sc -f -all -rec -archive -cab -loopback
--no-follow-symlinks --no-reset-atime -tnef
IDE directory is: /opt/sophos/ide
Using IDE file iefea-ar.ide
[snip]
Full Sweeping
>>> Virus 'W32/Sober-Z' found in file
reg_pass-data.zipynaOYP/File-packed_dataInfo.exe
>>> Virus 'W32/Sober-Z' found in file reg_pass-data.zipynaOYP
1 file swept in 9 seconds.
2 viruses were discovered.
1 file out of 1 was infected.
End of Sweep.
sweep return code = 3
=== Checking reg_pass-data.zipynaOYP with ClamAV clamscan
Scanning reg_pass-data.zipynaOYP
/home/admin/jaearick/bin/virus.scan[19]: 20848 Bus Error
clamscan return code = 138
Ka-BOOOM! The relevant line in my "virus.scan" script is:
/opt/clamav/bin/clamscan -v -d /opt/clamav/share/clamav -r "$1"
Now attempting to debug this... I also upgraded my unrar from
3.4.3 to 3.5.4 (http://files5.rarlab.com/rar/), no help.
Jeff Earickson
Colby College
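As an added example (not Jeff's own virus.scan script, of which only the one clamscan line above is on the page), here is a POSIX shell wrapper that scans one quarantined file by hand and classifies the exit status, so that a scanner crash like the Bus Error above (exit 138 = 128 + signal 10, which is SIGBUS on Solaris/SPARC) is reported as a scanner failure rather than being mistaken for a clean result. The clamscan binary path and database directory are taken from the command line quoted in the message and can be overridden through the environment.

```shell
#!/bin/sh
# Added example: classify clamscan's exit status instead of trusting it blindly.
# Assumed paths, taken from the clamscan command line quoted in the message.
CLAMSCAN=${CLAMSCAN:-/opt/clamav/bin/clamscan}
CLAMDB=${CLAMDB:-/opt/clamav/share/clamav}

# Map an exit status to one of: clean, infected, error:rc=N, crashed:signal=N.
# clamscan uses 0 = no virus found, 1 = virus found, any other value = error.
# A process killed by a signal exits with 128 + signal number under sh/ksh,
# so 138 = 128 + 10, and signal 10 is SIGBUS on Solaris/SPARC (Linux uses 7).
classify_scan_rc() {
    rc=$1
    if [ "$rc" -eq 0 ]; then
        echo clean
    elif [ "$rc" -eq 1 ]; then
        echo infected
    elif [ "$rc" -gt 128 ]; then
        echo "crashed:signal=$((rc - 128))"
    else
        echo "error:rc=$rc"
    fi
}

# Scan one file by hand and print a one-line verdict.
# A crashed or erroring scanner is NOT a clean result: the caller should treat
# it as "unknown" and fall back to the other scanner (Sophos sweep here) or
# hold the message, rather than let the attachment through.
# Return codes: 0 = clean, 1 = infected, 2 = scanner failed.
scan_one() {
    file=$1
    if [ -z "$file" ]; then
        echo "usage: scan_one <file-or-directory>" >&2
        return 2
    fi
    "$CLAMSCAN" -v -d "$CLAMDB" -r "$file"
    rc=$?
    verdict=$(classify_scan_rc "$rc")
    echo "$file: $verdict (clamscan return code = $rc)"
    case $verdict in
        clean)    return 0 ;;
        infected) return 1 ;;
        *)        return 2 ;;
    esac
}
```

Usage: `scan_one /var/tmp/clamav-98764cfb85182039/reg_pass-data.zipynaOYP`. The distinct return code 2 lets a calling script tell "the scanner died" apart from "a virus was found"; with the run above it would print `crashed:signal=10`, matching the Bus Error from the shell.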
On Tue, 29 Nov 2005, Julian Field wrote:
> Date: Tue, 29 Nov 2005 15:59:08 +0000
> From: Julian Field <MailScanner at ECS.SOTON.AC.UK>
> Reply-To: MailScanner mailing list <MAILSCANNER at JISCMAIL.AC.UK>
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: clamavmodule
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> If you quarantine the attachment, then run clamscan on it by hand,
> what do you get?
>
> On 29 Nov 2005, at 15:50, Jeff A. Earickson wrote:
>
>> Gang,
>>
>> I boosted the Clamavmodule Recursion level to 8, applied the patch
>> below, switched from clamav to clamavmodule and back again -- nothing.
>> Clam refuses to catch the Sober.U/Sober-Z virus for me. Sophos is
>> on the job though. My setup: Solaris 9, ClamAV 0.87.1, MS 4.47.4,
>> sophos 3.99. <head scratch>
>>
>> Jeff Earickson
>> Colby College
>>
>> On Wed, 23 Nov 2005, Rick Cooper wrote:
>>
>>> Date: Wed, 23 Nov 2005 10:22:41 -0500
>>> From: Rick Cooper <rcooper at DWFORD.COM>
>>> Reply-To: MailScanner mailing list <MAILSCANNER at JISCMAIL.AC.UK>
>>> To: MAILSCANNER at JISCMAIL.AC.UK
>>> Subject: Re: clamavmodule
>>>
>>> -----Original Message-----
>>> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]
>>> On Behalf Of Rodney Green
>>> Sent: Wednesday, November 23, 2005 7:15 AM
>>> To: MAILSCANNER at JISCMAIL.AC.UK
>>> Subject: clamavmodule
>>>
>>>
>>> Hello,
>>>
>>> With the recent Sober outbreak I have just noticed that ClamAV
>>> does not appear to be scanning. I'm using both bitdefender and
>>> ClamAV and bitdefender is listed as having detected the virus/worm
>>> but ClamAV is not. I'm using clamavmodule, MailScanner 4.37.7,
>>> ClamAV version 0.87.1. Any ideas why clam isn't scanning?
>> [snip]
>>>
>>> [Rick Cooper]
>>>
>>> OK, I noted a couple of things that could cause a problem.
>>> MailScanner.conf
>>>
>>> ClamAVmodule Maximum Recursion Level should be at least 8, don't
>>> know what the default is
>>> ClamAVmodule Maximum Compression Ratio should be at least 250,
>>> don't know what the default is
>>>
>>> Apply the following patch, if Julian OKs it of course, to
>>> SweepViruses.pm. It adds CL_SCAN_BLOCKBROKEN() because,
>>> apparently, if this is not set it may not handle several viruses
>>> correctly. The clam author (tomitz?) was mostly concerned about
>>> the user's maxrecursion being below 8 and flatly stated that at his
>>> current setting (I think it was one) Clam would miss a large
>>> number of malware.
>>>
>>> Julian, do you think CL_SCAN_BLOCKBROKEN() should be a default or
>>> a config option? Broken PE files are pretty much always malware
>>> anyway.
>>>
>>> ================================= Cut below ==========
>>> --- SweepViruses.pm Wed Nov 23 10:08:36 2005
>>> +++ SweepVirusesClamFix.pm Wed Nov 23 10:09:10 2005
>>> @@ -1023,15 +1023,17 @@
>>> $results = $Clam->scan("$dirname/$childname/$filename",
>>> Mail::ClamAV::CL_SCAN_STDOPT() |
>>> Mail::ClamAV::CL_SCAN_ARCHIVE() |
>>> Mail::ClamAV::CL_SCAN_PE() |
>>> + Mail::ClamAV::CL_SCAN_BLOCKBROKEN
>>> () |
>>> Mail::ClamAV::CL_SCAN_OLE2());
>>> } else {
>>> $results = $Clam->scan("$dirname/$childname/$filename",
>>> Mail::ClamAV::CL_SCAN_STDOPT() |
>>> Mail::ClamAV::CL_SCAN_ARCHIVE() |
>>> Mail::ClamAV::CL_SCAN_PE() |
>>>
>>> Mail::ClamAV::CL_SCAN_BLOCKENCRYPTED() |
>>> + Mail::ClamAV::CL_SCAN_BLOCKBROKEN
>>> () |
>>> Mail::ClamAV::CL_SCAN_OLE2());
>>> }
>>>
>>> unless ($results) {
>>>
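Review bot: the two `+` lines are wrapped by the mail client (`Mail::ClamAV::CL_SCAN_BLOCKBROKEN` on one line, `()` on the next, plus a stray blank line before `CL_SCAN_BLOCKENCRYPTED()`), so this hunk will not apply with `patch` as pasted and the line counts in `@@ -1023,15 +1023,17 @@` no longer match the body; each addition should be a single line `+ Mail::ClamAV::CL_SCAN_BLOCKBROKEN() |`. Since the same flag is added to both branches of the if/else, consider building the common flag set once (`my $flags = Mail::ClamAV::CL_SCAN_STDOPT() | ... | Mail::ClamAV::CL_SCAN_OLE2();`) and OR-ing `CL_SCAN_BLOCKENCRYPTED()` into it only in the else branch, so the two `$Clam->scan` calls cannot drift apart. Given the open question above about default versus config option, the flag would be better gated on a MailScanner.conf setting, with a check that the installed Mail::ClamAV actually exports `CL_SCAN_BLOCKBROKEN` before using it, so that sites receiving legitimately truncated executables can turn the blocking off.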
>>> ======================== End Cut ======================
>>>
>>> Rick
>
> - --
> Julian Field
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Desktop 9.0.3 (Build 2932)
>
> iQEVAwUBQ4x6zvw32o+k+q+hAQFYHQf/cvoJ2n2ZxBHm+PAwEEsMoq4ifxh0FtX3
> GD1qCwo62Kuxk0cRygGJoQi0J/h4VPmakv1KJeM6tqAxXMWI8P6ms4j6m8+KLccY
> 25NPTGszvRdYU7d1zDEdPkKT0wQ9MEGji7PSCrutKPBx8pyXCeYNAynf5XO+5qyg
> 32cRMR6NrdV6XyTFFtPlX5rWMRncoMIesGfk2ENcNuxIm+Llyp6HMki0HrsU9ana
> yfc7dsm1KX55PBj06SnLUGPLzJis+FhQUzZ+LvlepX6IhoVIj2o1RkPYf0gMKwbD
> Mxv5Ea4286UyFVgogbN+xVccr48F6oEYRvXLVxbVRsYim+5jBB+HMA==
> =Eh/9
> -----END PGP SIGNATURE-----
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> ------------------------ MailScanner list ------------------------
> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> 'leave mailscanner' in the body of the email.
> Before posting, read the Wiki (http://wiki.mailscanner.info/) and
> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
> Support MailScanner development - buy the book off the website!
>