Cisco-Talos / clamav

ClamAV - Documentation is here: https://docs.clamav.net
https://www.clamav.net/
GNU General Public License v2.0

Windows ClamAV 0.104.0 error scanning `c:` indicates issue with `-l` logfile #289

Open owdeea opened 3 years ago

owdeea commented 3 years ago

Describe the bug

After installing ClamAV 0.104.0:

I open up PowerShell, download the database for the .cld, and then start clamd.exe (no internet access for freshclam). Then I open another PowerShell console and do `.\clamdscan.exe -vl clamd.log c:`. I get this error: `c:\program files\clamav\clamd.log: file path check failure: Result too large or too small. Error.`

On the PowerShell screen where clamd.exe is running it gives the error:

.\clamd.exe : LibClamAV Warning: Can't open file C:\Program Files\ClamAV\clamd.log: 32 At line:1 char:1

This makes me think that because clamd.exe is using the clamd.log, clamscan.exe cannot open it. I gave clamscan.exe a new .log file and it still gave me the same error.

How to reproduce the problem

I just had to do the steps above to get the error to occur.

Config file: clamd.conf

LogFile = "C:\Program Files\ClamAV\clamd.log"
LogFileMaxSize = "2097152"
LogTime = "yes"
ExtendedDetectionInfo = "yes"
TCPSocket = "3310"
TCPAddr = "127.0.0.1"
ExcludePath = "C:\Windows"
MaxDirectoryRecursion = "25"
SelfCheck = "3600"
User = "clamav"

freshclam.conf not found

clamav-milter.conf not found

Software settings

Version: 0.104.0
Optional features supported: MEMPOOL AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 JSON RAR

Database information

Database directory: C:\Program Files\ClamAV\database
bytecode.cld: version 333, sigs: 92, built on Mon Mar 8 10:21:51 2021
daily.cld: version 26288, sigs: 1971279, built on Wed Sep 8 04:22:21 2021
main.cvd: version 61, sigs: 6607162, built on Wed Jul 14 22:39:10 2021
Total number of signatures: 8578533

Platform information

uname: Microsoft Windows Server 6.2 SP0.0 Build 9200
OS: Windows, ARCH: AMD64, CPU: AMD64
zlib version: 1.2.11 (1.2.11), compile flags: 65
platform id: 0x10058c8c080000000000077c

Build information

Microsoft Visual C++: (0.7.124)
sizeof(void*) = 8
Engine flevel: 140, dconf: 140


micahsnyder commented 3 years ago

Thanks for submitting this issue. It looks to me as though clamd is configured to write a log to the C:\Program Files\ClamAV directory, but does not have permissions to create the log file there.

To solve this I think you have two options: you can either start clamd.exe in an Administrator-mode terminal so that it has permissions to create the log file, or you can change the clamd.conf setting:

LogFile = "C:\Program Files\ClamAV\clamd.log"

to a different path where your user account can create the file. Perhaps something in your home directory.

Please let me know if this helps.

owdeea commented 3 years ago

When I run clamd.exe and then clamdscan.exe, I get an error message when clamdscan.exe starts that the clamd.log file is too large or too small. I always opened PowerShell as an Admin, I am also logged on as an admin, and my config file does have the correct path to the log file. I was working on troubleshooting this until I heard something, and the only thing that I noticed was the paths in the registry. I am guessing, from the look of the machines that I have with ClamAV 0.103.3, that the registry keys are not in that version and have been added to the new version of ClamAV. If that is so, then the .msi did not put the registry keys in place and I need to add them manually. If I need to add them manually, I am guessing there is more than one key under the clamav key. If that is so, I would like to know the rest of them all so that I can add them and see if I still get the error message.

micahsnyder commented 3 years ago

I somehow missed the way in which you're invoking clamdscan when I first reviewed your report.

I see you're using `.\clamdscan.exe -vl clamd.log c:` while running in an Administrator-mode PowerShell prompt as an Admin user. I tried reproducing the issue you described and got similar results.

❯ .\clamdscan.exe -vl clamd.log c:
--------------------------------------
C:\Program Files\ClamAV\clamd.log: File path check failure: Result too large or too small. ERROR

----------- SCAN SUMMARY -----------
Infected files: 0
Total errors: 1
Time: 0.209 sec (0 m 0 s)
Start Date: 2021:09:28 17:10:39
End Date:   2021:09:28 17:10:39

After trying a few things, I found that the issue appears to be that you need to scan `c:\` instead of `c:`. This works for me:

❯ .\clamdscan.exe -vl clamd.log c:\
--------------------------------------
...

So it seems that the error has to do with opening `c:`, not `C:\Program Files\ClamAV\clamd.log`. If I look at the clamd.exe output, it is also reporting the wrong file (not just clamdscan.exe):

LibClamAV Warning: Can't open file C:\Program Files\ClamAV\clamd.log: 32
WARNING: File path check failure for: C:\Program Files\ClamAV\clamd.log

clamd.exe should indicate the issue with opening/scanning `c:`.
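The `c:` versus `c:\` behaviour above follows from the Win32 rule that a drive letter without a root separator is drive-relative: it names the current directory on that drive, not the drive root. The following Python snippet is an added example, not ClamAV code; it emulates that rule with the standard-library `ntpath` module (so it runs on any OS) and sketches the kind of pre-flight check a scanner CLI could do. The per-drive current directories in `CWD_BY_DRIVE` are constructed to match the report, where clamdscan was started from `C:\Program Files\ClamAV`.

```python
import ntpath
from typing import Dict, Optional

# Constructed per-drive current directories, the state Win32 keeps for each
# drive letter. Matches the report: clamdscan ran from C:\Program Files\ClamAV.
CWD_BY_DRIVE: Dict[str, str] = {"C:": "C:\\Program Files\\ClamAV", "D:": "D:\\"}


def classify(target: str) -> str:
    """'absolute' (c:\\), 'drive-relative' (c: or c:dir) or 'relative'."""
    drive, tail = ntpath.splitdrive(target)
    if not drive:
        return "relative"
    if tail[:1] in ("\\", "/"):
        return "absolute"
    return "drive-relative"


def _norm(path: str) -> str:
    # Normalise separators and upper-case the drive letter for stable comparison.
    drive, tail = ntpath.splitdrive(ntpath.normpath(path))
    return drive.upper() + tail


def resolve(target: str, cwd_by_drive: Dict[str, str] = CWD_BY_DRIVE) -> str:
    """Resolve `target` the way Win32 would, given per-drive current directories."""
    kind = classify(target)
    if kind == "absolute":
        return _norm(target)
    drive, tail = ntpath.splitdrive(target)
    if kind == "drive-relative":
        # `c:` alone means "current directory of drive C", not the drive root.
        base = cwd_by_drive.get(drive.upper(), drive.upper() + "\\")
        return _norm(ntpath.join(base, tail))
    # Plain relative path: relative to the current directory of the current drive.
    return _norm(ntpath.join(cwd_by_drive["C:"], target))


def scan_target_warning(target: str) -> Optional[str]:
    """Hypothetical pre-flight check: warn when a target such as `c:` would
    silently scan the current directory instead of the whole drive."""
    if classify(target) != "drive-relative":
        return None
    root = ntpath.splitdrive(target)[0].upper() + "\\"
    return (f"{target!r} is drive-relative and resolves to {resolve(target)!r}; "
            f"use {root!r} to scan the whole drive")


if __name__ == "__main__":
    for t in ("c:", "c:\\", "c:Users", "clamd.log"):
        print(f"{t:10} -> {classify(t):14} -> {resolve(t)}")
        print("  ", scan_target_warning(t))
```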

micahsnyder commented 3 years ago

I noticed also that if you omit the `-l clamd.log` option when scanning `c:`, it immediately returns "C:\Program Files\ClamAV: OK" as though it scanned the current directory, but without scanning anything:

C:/Program Files/ClamAV
❯ .\clamdscan.exe -v c:
C:\Program Files\ClamAV: OK

----------- SCAN SUMMARY -----------
Infected files: 0
Time: 0.193 sec (0 m 0 s)
Start Date: 2021:09:28 17:25:46
End Date:   2021:09:28 17:25:47