rfxn / linux-malware-detect

Linux Malware Detection (LMD)
http://www.rfxn.com/projects/linux-malware-detect/
GNU General Public License v2.0

ClamAV failure #58

Closed captainwasabi closed 9 years ago

captainwasabi commented 9 years ago

It looks like when maldet updated at midnight as part of my daily scan and backup script it broke ClamAV. As this is on my mail server, and amavis uses clamAV to scan for viruses, this is preventing mail from being sent or delivered.

I've tried running freshclam, maldet -d, maldet -u, restarting clamav-daemon, restarting amavis, etc.

When I try to start ClamAV this is what I get:

service clamav-daemon start

contents of /var/lib/clamav:

drwxr-xr-x 2 clamav clamav 4096 Sep 19 02:15 ./
drwxr-xr-x 59 root root 4096 Aug 26 07:41 ../
-rw-r--r-- 1 clamav clamav 407040 Aug 20 11:45 bytecode.cld
-rw-r--r-- 1 clamav clamav 101435904 Sep 18 13:52 daily.cld
lrwxrwxrwx 1 root root 38 Sep 19 00:01 lmd.user.hdb -> /usr/local/maldetect/sigs/lmd.user.hdb
lrwxrwxrwx 1 root root 38 Sep 19 00:01 lmd.user.ndb -> /usr/local/maldetect/sigs/lmd.user.ndb
-rw-r--r-- 1 clamav clamav 64720632 Sep 17 2013 main.cvd
-rw------- 1 clamav clamav 1196 Sep 19 02:15 mirrors.dat
lrwxrwxrwx 1 root root 34 Sep 19 00:01 rfxn.hdb -> /usr/local/maldetect/sigs/rfxn.hdb
lrwxrwxrwx 1 root root 34 Sep 19 00:01 rfxn.ndb -> /usr/local/maldetect/sigs/rfxn.ndb

contents of /usr/local/maldetect/sigs:

ll /usr/local/maldetect/sigs
total 2584
drwxr-xr-x 3 root root 4096 Sep 19 00:04 ./
drwxr-xr-x 11 root root 4096 Sep 19 02:10 ../
drwxr-xr-x 2 root root 4096 Sep 12 2013 appver/
-rw-r--r-- 1 root root 0 Sep 19 00:01 custom.hex.dat
-rw-r--r-- 1 root root 0 Sep 19 00:01 custom.md5.dat
-rw-r--r-- 1 root root 429904 Sep 18 18:18 hex.dat
lrwxrwxrwx 1 root root 48 Sep 19 00:04 lmd.user.hdb -> /usr/local/maldetect/tmp/.runtime.user.13092.hdb
lrwxrwxrwx 1 root root 48 Sep 19 00:04 lmd.user.ndb -> /usr/local/maldetect/tmp/.runtime.user.13092.ndb
-rw-r--r-- 1 root root 14 Sep 19 00:01 maldet.sigs.ver
-rw-r--r-- 1 root root 551001 Sep 18 18:18 md5.dat
-rw-r--r-- 1 root root 602518 Sep 18 18:18 md5v2.dat
-rw-r--r-- 1 root root 598632 Sep 18 18:18 rfxn.hdb
-rw-r--r-- 1 root root 437560 Sep 18 18:18 rfxn.ndb

contents of /usr/local/maldetect/tmp:

ll /usr/local/maldetect/tmp
total 8
drwxr-x--- 2 root root 4096 Sep 19 00:04 ./
drwxr-xr-x 11 root root 4096 Sep 19 02:10 ../
-rw-r--r-- 1 root root 0 Sep 19 00:01 .digest.alert.hits
-rw-r--r-- 1 root root 0 Sep 19 00:01 .digest.clean.hits
-rw-r--r-- 1 root root 0 Sep 19 00:01 .digest.monitor.alert
-rw-r--r-- 1 root root 0 Sep 19 00:01 .digest.susp.hits

So as you can see the .runtime.user.13092.* files are missing.

The error I'm getting in my /var/log/mail.log is:

Sep 19 02:08:52 pigeon amavis[4089]: (04089-06) (!)run_av (ClamAV-clamscan) FAILED - unexpected exit 2, output="LibClamAV Error: cli_load(): Can't open file /var/lib/clamav/lmd.user.hdb\nLibClamAV Error: cli_loaddbdir(): error loading database /var/lib/clamav/lmd.user.hdb\nERROR: Can't open file or directory"

relevant lines from /var/log/clamav/clamav.log:

Fri Sep 18 22:17:23 2015 -> SelfCheck: Database status OK.
Fri Sep 18 23:21:25 2015 -> SelfCheck: Database status OK.
Sat Sep 19 00:01:35 2015 -> Reading databases from /var/lib/clamav
Sat Sep 19 00:01:38 2015 -> ERROR: reload db failed: Can't open file or directory
Sat Sep 19 00:01:38 2015 -> Terminating because of a fatal error.
Sat Sep 19 00:01:38 2015 -> Pid file removed.
Sat Sep 19 00:01:38 2015 -> --- Stopped at Sat Sep 19 00:01:38 2015
Sat Sep 19 00:01:38 2015 -> Socket file removed.

relevant lines from /usr/local/maldetect/logs/event_log

Sep 19 00:01:31 pigeon maldet(11534): {sigup} performing signature update check...
Sep 19 00:01:31 pigeon maldet(11534): {sigup} local signature set is version 2015091828029
Sep 19 00:01:31 pigeon maldet(11534): {sigup} latest signature set already installed
Sep 19 00:01:31 pigeon maldet(11237): {update} completed update v1.4.2 => v1.5, running signature updates...
Sep 19 00:01:31 pigeon maldet(11619): {sigup} performing signature update check...
Sep 19 00:01:31 pigeon maldet(11619): {sigup} local signature set is version 2015091828029
Sep 19 00:01:31 pigeon maldet(11619): {sigup} latest signature set already installed
Sep 19 00:01:31 pigeon maldet(11237): {update} update and config import completed.
Sep 19 00:01:31 pigeon maldet(11237): {sigup} performing signature update check...
Sep 19 00:01:31 pigeon maldet(11237): {sigup} local signature set is version 2015091516329
Sep 19 00:01:31 pigeon maldet(11237): {sigup} new signature set (2015091828029) available
Sep 19 00:01:32 pigeon maldet(11237): {sigup} downloaded http://cdn.rfxn.com/downloads/md5.dat
Sep 19 00:01:33 pigeon maldet(11237): {sigup} downloaded http://cdn.rfxn.com/downloads/hex.dat
Sep 19 00:01:34 pigeon maldet(11237): {sigup} downloaded http://cdn.rfxn.com/downloads/rfxn.ndb
Sep 19 00:01:35 pigeon maldet(11237): {sigup} downloaded http://cdn.rfxn.com/downloads/rfxn.hdb
Sep 19 00:01:35 pigeon maldet(11237): {sigup} downloaded http://cdn.rfxn.com/downloads/maldet-clean.tgz
Sep 19 00:01:35 pigeon maldet(11237): {sigup} signature set update completed
Sep 19 00:01:35 pigeon maldet(11237): {sigup} 10822 signatures (8908 MD5 / 1914 HEX)
Sep 19 00:01:36 pigeon maldet(11791): {scan} launching scan of /root changes in last 1d to background, see /usr/local/maldetect/logs/event_log for progress
Sep 19 00:01:36 pigeon maldet(11791): {scan} signatures loaded: 10822 (8908 MD5 / 1914 HEX / 0 USER)
Sep 19 00:01:36 pigeon maldet(11791): {scan} building file list for /root of new/modified files from last 1 days, this might take awhile...
Sep 19 00:01:36 pigeon maldet(11791): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
Sep 19 00:01:36 pigeon maldet(11791): {scan} executed /usr/bin/nice -n 19 /usr/bin/ionice -c2 -n 6 /usr/bin/find /root /tmp /var/tmp /dev/shm -maxdepth 15 -regextype posix-egrep -type f ( -mtime -1 -o -ctime -1 ) -size +24c -size -6947618c -not -perm 000 -not -regex "" -not -uid 0 -not -gid 0
Sep 19 00:01:37 pigeon maldet(11791): {scan} file list completed in 1s, found 69 files...
Sep 19 00:01:37 pigeon maldet(11791): {scan} found clamav binary at /usr/bin/clamdscan, using clamav scanner engine...
Sep 19 00:01:37 pigeon maldet(11791): {scan} scan of /root (69 files) in progress...
Sep 19 00:01:38 pigeon maldet(11791): {scan} clamscan returned an error, check /usr/local/maldetect/logs/clamscan_log for more details!

relevant lines from /usr/local/maldetect/logs/clamscan_log:

Sep 19 00:01:37 pigeon clamscan start
Sep 19 00:01:37 pigeon executed: /usr/bin/nice -n 19 /usr/bin/ionice -c2 -n 6 /usr/bin/clamdscan --infected --no-summary -f /usr/local/maldetect/tmp/.find.11791
ERROR: Communication error
ERROR: Could not lookup : Servname not supported for ai_socktype
ERROR: Could not lookup : Servname not supported for ai_socktype
ERROR: Could not lookup : Servname not supported for ai_socktype
. . .
Sep 19 00:01:42 pigeon clamscan start
Sep 19 00:01:42 pigeon executed: /usr/bin/nice -n 19 /usr/bin/ionice -c2 -n 6 /usr/bin/clamdscan --max-filesize=5M --max-scansize=5M -d /usr/local/maldetect/tmp/.runtime.user.12047.hdb -d /usr/local/maldetect/tmp/.runtime.user.12047.ndb -r --infected --no-summary -f /usr/local/maldetect/tmp/.find.12047
WARNING: Ignoring unsupported option --max-filesize
WARNING: Ignoring unsupported option --max-scansize
WARNING: Ignoring unsupported option --database (-d)
WARNING: Ignoring unsupported option --database (-d)
WARNING: Ignoring unsupported option --recursive (-r)
ERROR: Could not lookup : Servname not supported for ai_socktype
ERROR: Could not lookup : Servname not supported for ai_socktype
ERROR: Could not lookup : Servname not supported for ai_socktype
. . .

This is a MAJOR issue. For now I have disabled anti-virus checking in amavis like this:

Try this on Debian or Ubuntu:

Add a new file /etc/amavis/conf.d/90-custom

with the following content:

Code:

use strict;

@bypass_virus_checks_maps  = (1);

#------------ Do not modify anything below this line -------------
1;  # insure a defined return

and restart amavisd.

bkw commented 9 years ago

Same here, broken symlinks pointing from /usr/local/maldetect/sigs to non-existing files in tmp.

bkw commented 9 years ago

In my case it turned out to be a permission problem, related to both file permissions and apparmor. Here is what I did to fix it:

chmod o+x /usr/local/maldetect/{,sigs}
chmod o+r /usr/local/maldetect/sigs/*db
echo "/usr/local/maldetect/sigs/* r," >> /etc/apparmor.d/local/usr.sbin.clamd
service apparmor reload
service clamav-daemon restart

The missing lmd.user links were no longer a problem for me after I fixed the permissions. The next signature update will probably reset the file permissions again; I still have to check whether that was due to my tightened root umask setting or the update script itself.

bkw commented 9 years ago

The file permission problem probably was homegrown. I think the apparmor stuff should be all you need:

echo "/usr/local/maldetect/sigs/* r," >> /etc/apparmor.d/local/usr.sbin.clamd
service apparmor reload && service clamav-daemon restart

jcarnus commented 9 years ago

I had the same issue. I will try to fix with previous comment

jcarnus commented 9 years ago

For me, file is missing. Only option is to delete symlink from clamav lib dir until a fix is provided

lgonzalez-silen commented 9 years ago

Running CentOS 6.7.

I ran ./uninstall.sh and then downloaded the current again and ran ./install.sh. That still left the bad symlinks in /var/clamav/ in place

lmd.user.hdb -> /usr/local/maldetect/sigs/lmd.user.hdb
lmd.user.ndb -> /usr/local/maldetect/sigs/lmd.user.ndb

but these ones were not present any longer in sigs

lmd.user.hdb -> /usr/local/maldetect/tmp/.runtime.user.15757.hdb
lmd.user.ndb -> /usr/local/maldetect/tmp/.runtime.user.15757.ndb

I went ahead and deleted the /var/clamav/ lmd symlinks and restarted clamd and it worked ok. If anyone can confirm that the lmd symlinks are not needed in /var/clamav/ that would be great. The following valid symlinks remain there

rfxn.hdb -> /usr/local/maldetect/sigs/rfxn.hdb
rfxn.ndb -> /usr/local/maldetect/sigs/rfxn.ndb

It is likely that just deleting the lmd bad symlinks will allow you to restart clamd.

For reference, my initial symptoms were email subjects prepended with the string

UNCHECKED

and the following in the clamd log

Sat Sep 19 03:24:11 2015 -> Reading databases from /var/clamav
Sat Sep 19 03:24:21 2015 -> ERROR: reload db failed: Can't open file or directory
Sat Sep 19 03:24:21 2015 -> Terminating because of a fatal error.

jcarnus commented 9 years ago

Symlink in /var/lib/clamav to lmd and rfxn has appeared back. But lmd symlink still linked to nothing. Clamav 0.98, debian 8

bkw commented 9 years ago

I still have the dangling symlinks pointing from /var/lib/clamav to /usr/local/maldetect/sigs, but no more symlinks pointing from /usr/local/maldetect/sigs to tmp. I do not get errors this way.

rfxn commented 9 years ago

chmod 755 /usr/local/maldetect/tmp

This should fix the issue; it is not so much that the file is empty but that clamav can't lstat the file due to the parent directory's permissions when clamd is running as a non-root user.

I've made an upstream change in the code that I will commit to address this in a few minutes.
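The checks discussed in the comments above (dangling links, a signature directory without o+x, a signature file without o+r) can be scripted. This is an added example, not part of the thread or of LMD's code; the function names, the STOP_DIR parameter and the demo layout are hypothetical, and it assumes GNU `stat` and `readlink` and that clamd's user falls under the "other" permission class.

```shell
#!/bin/sh
# Added example, not part of LMD. Run as root so that existence tests reflect
# the filesystem rather than the caller's own permissions.
# Assumption: clamd's user is neither owner nor group member of the signature
# files (root-owned files, clamd running as "clamav"), so "other" bits decide.

# other_has r|x PATH: succeed if the "other" class holds that permission.
other_has() (
  perms=$(stat -c '%A' "$2") || exit 1            # e.g. drwxr-x---
  case "$1" in
    r) case "$perms" in ???????r*) exit 0 ;; esac ;;
    x) case "$perms" in ?????????[xt]*) exit 0 ;; esac ;;
  esac
  exit 1
)

# check_entry ENTRY [STOP_DIR]: print one verdict for a database entry:
#   ok | dangling | untraversable:<dir> | unreadable
# Directories are checked from the resolved target up to, not including,
# STOP_DIR (default /).
check_entry() (
  entry=$1; stop=${2:-/}
  if [ -L "$entry" ] && [ ! -e "$entry" ]; then echo dangling; exit 0; fi
  target=$(readlink -f "$entry") || { echo dangling; exit 0; }
  dir=$(dirname "$target")
  while [ "$dir" != "$stop" ] && [ "$dir" != / ]; do
    other_has x "$dir" || { echo "untraversable:$dir"; exit 0; }
    dir=$(dirname "$dir")
  done
  other_has r "$target" || { echo unreadable; exit 0; }
  echo ok
)

# audit_db_dir DB_DIR [STOP_DIR]: print "<verdict> <entry>" for each entry
# clamd would fail to load; exit status is 1 if any were found.
audit_db_dir() (
  bad=0
  for entry in "$1"/*; do
    [ -e "$entry" ] || [ -L "$entry" ] || continue  # unmatched glob
    verdict=$(check_entry "$entry" "${2:-/}")
    [ "$verdict" = ok ] && continue
    echo "$verdict $entry"; bad=1
  done
  exit "$bad"
)

# build_demo ROOT: constructed layout modelled on the listings in this thread.
build_demo() (
  r=$1; s=$r/maldetect/sigs; t=$r/maldetect/tmp
  mkdir -p "$r/clamav" "$s" "$t"
  chmod 755 "$r" "$r/clamav" "$r/maldetect" "$s"
  chmod 750 "$t"                                   # tmp as root:root 750
  echo sig > "$s/rfxn.hdb"; chmod 644 "$s/rfxn.hdb"
  echo sig > "$s/rfxn.ndb"; chmod 640 "$s/rfxn.ndb"   # tightened umask case
  echo sig > "$t/.runtime.user.1.ndb"; chmod 644 "$t/.runtime.user.1.ndb"
  ln -s "$t/.runtime.user.13092.hdb" "$s/lmd.user.hdb"  # target never written
  ln -s "$t/.runtime.user.1.ndb" "$s/lmd.user.ndb"      # target behind 750 dir
  for f in rfxn.hdb rfxn.ndb lmd.user.hdb lmd.user.ndb; do
    ln -s "$s/$f" "$r/clamav/$f"
  done
)

if [ "${1:-}" = "--demo" ]; then
  root=$(readlink -f "$(mktemp -d)")
  build_demo "$root"
  audit_db_dir "$root/clamav" "$root"
  rm -rf "$root"
elif [ -n "${1:-}" ]; then
  audit_db_dir "$1"
fi
```

Run it with `--demo` for the constructed layout, or pass the ClamAV database directory (for example /var/lib/clamav) before restarting clamd; AppArmor denials are not visible to this check and still need the profile rule shown earlier.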

captainwasabi commented 9 years ago

tried this and the following still happens when I start clamav

service clamav-daemon start

*Starting ClamAV daemon clamd
LibClamAV Error: cli_load(): Can't open file /var/lib/clamav/rfxn.ndb
LibClamAV Error: cli_loaddbdir(): error loading database /var/lib/clamav/rfxn.ndb
ERROR: Can't open file or directory
[fail]

I also get the same errors as reported above in the maillog (because the daemon isn't running) but it does look like email is being delivered.

BTW, thank you for this great package that I use daily on all my servers. Also thank you for looking at this issue so quickly, it's really appreciated!

rfxn commented 9 years ago

@captainwasabi no problem at all, glad to help. In most sane mail configurations, clamd failing should be a fail-open setup so mail keeps moving.

That being said, can you answer a few questions: What OS version are you running (cat /etc/redhat-release) ? What version of clamd (clamd -V) ? Is there a control panel (e.g cpanel) ?

Thanks

captainwasabi commented 9 years ago

Ubuntu 12.04.5 LTS everything is up to date as of 9/15

Linux version 3.2.0-90-generic (buildd@lgw01-29) (gcc version 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5) ) #128-Ubuntu SMP Fri Aug 14 21:43:58 UTC 2015 (Ubuntu 3.2.0-90.128-generic 3.2.69)

ClamAV 0.98.7/20927/Fri Sep 18 12:41:20 2015

No cpanel, this is a server running on metal.

nanonettr commented 9 years ago

this issue still exists on commit 5ad545275b7b5e4a577adb9e2366668265306909 on Ubuntu 14.04.3 LTS.

root@admin:/var/lib/clamav# ls -la
drwxr-xr-x 2 clamav clamav 4096 Sep 19 18:42 .
drwxr-xr-x 58 root root 4096 Sep 19 17:45 ..
-rw-r--r-- 1 clamav clamav 407040 Aug 20 18:59 bytecode.cld
-rw-r--r-- 1 clamav clamav 101435904 Sep 18 20:23 daily.cld
lrwxrwxrwx 1 root root 38 Sep 19 18:42 lmd.user.hdb -> /usr/local/maldetect/sigs/lmd.user.hdb
lrwxrwxrwx 1 root root 38 Sep 19 18:42 lmd.user.ndb -> /usr/local/maldetect/sigs/lmd.user.ndb
-rw-r--r-- 1 clamav clamav 64720632 May 5 21:14 main.cvd
-rw------- 1 clamav clamav 2236 Sep 19 18:23 mirrors.dat
lrwxrwxrwx 1 root root 34 Sep 19 18:42 rfxn.hdb -> /usr/local/maldetect/sigs/rfxn.hdb
lrwxrwxrwx 1 root root 34 Sep 19 18:42 rfxn.ndb -> /usr/local/maldetect/sigs/rfxn.ndb

root@admin:/var/lib/clamav# ls -la /usr/local/maldetect/sigs/
drwxr-xr-x 2 root root 4096 Sep 19 18:42 .
drwxr-xr-x 12 root root 4096 Sep 19 18:42 ..
-rw-r--r-- 1 root root 0 Sep 19 18:42 custom.hex.dat
-rw-r--r-- 1 root root 0 Sep 19 18:42 custom.md5.dat
-rw-r--r-- 1 root root 429904 Sep 19 18:42 hex.dat
-rw-r--r-- 1 root root 14 Sep 19 18:42 maldet.sigs.ver
-rw-r--r-- 1 root root 551001 Sep 19 18:42 md5.dat
-rw-r--r-- 1 root root 602518 Sep 19 18:42 md5v2.dat
-rw-r--r-- 1 root root 598632 Sep 19 18:42 rfxn.hdb
-rw-r--r-- 1 root root 437560 Sep 19 18:42 rfxn.ndb

root@admin:~# service clamav-daemon restart

root@admin:~# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 14.04.3 LTS
Release: 14.04
Codename: trusty

rfxn commented 9 years ago

I've committed update https://github.com/rfxn/linux-malware-detect/commit/fa1db0ad74649a62f5423a59fe6b8ddc20e8f865 which should now resolve the clamd startup errors on ubuntu. The changelog entry goes into detail:

[Fix] clamd.conf configurations containing FollowDirectorySymlinks/FollowFileSymlinks set to false results in the rfxn.* and lmd.user.* links causing clamd startup failures; corrected by updating clamav_linksigs() to copy signatures into clamav data paths instead of linking them

captainwasabi commented 9 years ago

issue verified resolved for Ubuntu 12.04.5

Thanks!

lgonzalez-silen commented 9 years ago

For me the lmd.user files or links did not regenerate. I tried uninstall and install and saw this on install as the first few lines:

cp: cannot stat `/usr/local/maldetect/sigs/lmd.user.ndb': No such file or directory
cp: cannot stat `/usr/local/maldetect/sigs/lmd.user.hdb': No such file or directory
cat: /usr/local/maldetect/sess/session.monitor.current: No such file or directory

nanonettr commented 9 years ago

After clean install of lmd clamav-daemon starts correctly. But as @lgonzalez-silen reported lmd.user link failed to create.

root@admin:~/linux-malware-detect-master# ./install.sh
cp: cannot stat ‘/usr/local/maldetect/sigs/rfxn.ndb’: No such file or directory
cp: cannot stat ‘/usr/local/maldetect/sigs/rfxn.hdb’: No such file or directory
cp: cannot stat ‘/usr/local/maldetect/sigs/lmd.user.ndb’: No such file or directory
cp: cannot stat ‘/usr/local/maldetect/sigs/lmd.user.hdb’: No such file or directory
Removing any system startup links for /etc/init.d/maldet ...
update-rc.d: warning: /etc/init.d/maldet missing LSB information
update-rc.d: see http://wiki.debian.org/LSBInitScripts
Adding system startup for /etc/init.d/maldet ...
/etc/rc0.d/K30maldet -> ../init.d/maldet
/etc/rc1.d/K30maldet -> ../init.d/maldet
/etc/rc6.d/K30maldet -> ../init.d/maldet
/etc/rc2.d/S70maldet -> ../init.d/maldet
/etc/rc3.d/S70maldet -> ../init.d/maldet
/etc/rc4.d/S70maldet -> ../init.d/maldet
/etc/rc5.d/S70maldet -> ../init.d/maldet
cat: /usr/local/maldetect/sess/session.monitor.current: No such file or directory
Linux Malware Detect v1.5
(C) 2002-2015, R-fx Networks proj@r-fx.org
(C) 2015, Ryan MacDonald ryan@r-fx.org
This program may be freely redistributed under the terms of the GNU GPL

installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet
maldet(28271): {sigup} performing signature update check...
maldet(28271): {sigup} could not determine signature version
maldet(28271): {sigup} signature files missing or corrupted, forcing update...
maldet(28271): {sigup} new signature set (2015091828029) available
maldet(28271): {sigup} downloading http://cdn.rfxn.com/downloads/maldet-sigpack.tgz
maldet(28271): {sigup} downloading http://cdn.rfxn.com/downloads/maldet-cleanv2.tgz
maldet(28271): {sigup} verified md5sum of maldet-sigpack.tgz
maldet(28271): {sigup} unpacked and installed maldet-sigpack.tgz
cp: cannot stat ‘/usr/local/maldetect/sigs/lmd.user.ndb’: No such file or directory
cp: cannot stat ‘/usr/local/maldetect/sigs/lmd.user.hdb’: No such file or directory
maldet(28271): {sigup} verified md5sum of maldet-clean.tgz
maldet(28271): {sigup} unpacked and installed maldet-clean.tgz
maldet(28271): {sigup} signature set update completed
maldet(28271): {sigup} 10822 signatures (8908 MD5 / 1914 HEX / 0 USER)

root@admin:~/linux-malware-detect-master# maldet -d -u
Linux Malware Detect v1.5
(C) 2002-2015, R-fx Networks proj@rfxn.com
(C) 2015, Ryan MacDonald ryan@rfxn.com
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(28448): {update} checking for available updates...
maldet(28448): {update} hashing install files and checking against server...
maldet(28448): {update} latest version already installed.
Linux Malware Detect v1.5
(C) 2002-2015, R-fx Networks proj@rfxn.com
(C) 2015, Ryan MacDonald ryan@rfxn.com
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(28448): {sigup} performing signature update check...
maldet(28448): {sigup} local signature set is version 2015091828029
maldet(28448): {sigup} latest signature set already installed

root@admin:~# maldet -u -d -a /var/www/imscp/gui/
Linux Malware Detect v1.5
(C) 2002-2015, R-fx Networks proj@rfxn.com
(C) 2015, Ryan MacDonald ryan@rfxn.com
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(30475): {sigup} performing signature update check...
maldet(30475): {sigup} local signature set is version 2015091828029
maldet(30475): {sigup} latest signature set already installed
Linux Malware Detect v1.5
(C) 2002-2015, R-fx Networks proj@rfxn.com
(C) 2015, Ryan MacDonald ryan@rfxn.com
This program may be freely redistributed under the terms of the GNU GPL v2

cp: cannot stat ‘/usr/local/maldetect/sigs/lmd.user.ndb’: No such file or directory
cp: cannot stat ‘/usr/local/maldetect/sigs/lmd.user.hdb’: No such file or directory
maldet(30475): {scan} signatures loaded: 10822 (8908 MD5 / 1914 HEX / 0 USER)
maldet(30475): {scan} building file list for /var/www/imscp/gui/, this might take awhile...
maldet(30475): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(30475): {scan} file list completed in 1s, found 5004 files...
maldet(30475): {scan} found clamav binary at /usr/bin/clamdscan, using clamav scanner engine...
maldet(30475): {scan} scan of /var/www/imscp/gui/ (5004 files) in progress...
maldet(30475): {scan} clamscan returned an error, check /usr/local/maldetect/logs/clamscan_log for more details!

maldet(30475): {scan} scan completed on /var/www/imscp/gui/: files 5004, malware hits 0, cleaned hits 0, time 1s
maldet(30475): {scan} scan report saved, to view run: maldet --report 150919-1945.30475

nanonettr commented 9 years ago

Also after uninstall the files in /var/lib/clamav were not removed.

root@admin:/var/lib/clamav# ls -la
-rw-r--r-- 1 root root 598632 Sep 19 19:45 rfxn.hdb
-rw-r--r-- 1 root root 437560 Sep 19 19:45 rfxn.ndb

jcarnus commented 9 years ago

Update done, but link not recreated in clamav lib folder, how to add it again?

rfxn commented 9 years ago

@jcarnus the rfxn.* signatures should be copied into the clamav lib folder, not linked. The lmd.user* signatures will now only copy into the clamav lib folder when you have custom signatures defined.

rfxn commented 9 years ago

https://github.com/rfxn/linux-malware-detect/commit/1c7f626800311fa9cbac6e1dd9d336a6ff1c64fb

@lgonzalez-silen Do you have custom signatures? The lmd.user.* signatures will now only copy into the clamav lib path when you have custom signatures created. The error output should now be suppressed in the latest commit, 'maldet -d' or pull from git and fresh install. Thanks!

@nanonettr The uninstall.sh has been updated to address this, Thanks!

lgonzalez-silen commented 9 years ago

No custom signatures, so great!

nanonettr commented 9 years ago

@rfxn thanks for your great efforts. Only one problem left. When using maldet I got an error: "clamscan returned an error"

$ maldet -u -d -a /var/www/imscp/gui/
maldet(3725): {scan} signatures loaded: 10822 (8908 MD5 / 1914 HEX / 0 USER)
maldet(3725): {scan} building file list for /var/www/imscp/gui/, this might take awhile...
maldet(3725): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(3725): {scan} file list completed in 0s, found 5004 files...
maldet(3725): {scan} found clamav binary at /usr/bin/clamdscan, using clamav scanner engine...
maldet(3725): {scan} scan of /var/www/imscp/gui/ (5004 files) in progress...
maldet(3725): {scan} clamscan returned an error, check /usr/local/maldetect/logs/clamscan_log for more details!
maldet(3725): {scan} scan completed on /var/www/imscp/gui/: files 5004, malware hits 0, cleaned hits 0, time 1s
maldet(3725): {scan} scan report saved, to view run: maldet --report 150919-2019.3725

$ maldet --report 150919-2019.3725
HOST: admin
SCAN ID: 150919-2019.3725
STARTED: Sep 19 2015 20:19:35 +0300
COMPLETED: Sep 19 2015 20:19:36 +0300
ELAPSED: 1s [find: 0s]

PATH: /var/www/imscp/gui/
TOTAL FILES: 5004
TOTAL HITS: 0
TOTAL CLEANED: 0

Linux Malware Detect v1.5 < proj@rfxn.com >

$ cat /usr/local/maldetect/logs/clamscan_log
Sep 19 20:19:35 admin clamscan start
Sep 19 20:19:35 admin executed: /usr/bin/nice -n 19 /usr/bin/ionice -c2 -n 6 /usr/bin/clamdscan --max-filesize=5M --max-scansize=5M -d /usr/local/maldetect/tmp/.runtime.user.3725.hdb -d /usr/local/maldetect/tmp/.runtime.user.3725.ndb -r --infected --no-summary -f /usr/local/maldetect/tmp/.find.3725
WARNING: Ignoring unsupported option --max-filesize
WARNING: Ignoring unsupported option --max-scansize
WARNING: Ignoring unsupported option --database (-d)
WARNING: Ignoring unsupported option --database (-d)
WARNING: Ignoring unsupported option --recursive (-r)
Sep 19 20:19:36 admin clamscan end
Sep 19 20:19:36 admin clamscan end

$ which clamscan
/usr/bin/clamscan

$ dpkg -S /usr/bin/clamscan
clamav: /usr/bin/clamscan

$ aptitude show clamav
Package: clamav
State: installed
Version: 0.98.7+dfsg-0ubuntu0.14.04.1

nanonettr commented 9 years ago

Ah sorry. Wrong package reported. It was not clamscan, it is "clamdscan"

root@admin:~# which clamdscan
/usr/bin/clamdscan

root@admin:~# dpkg -S clamdscan
clamav-daemon: /usr/share/man/man1/clamdscan.1.gz
clamav-daemon: /usr/bin/clamdscan

root@admin:~# aptitude show clamav-daemon
Package: clamav-daemon
State: installed
Version: 0.98.7+dfsg-0ubuntu0.14.04.1

jcarnus commented 9 years ago

Ok seems to be good so right now Thanks for all a saturday :)

captainwasabi commented 9 years ago

I just have one more request. From now on when you update, I don't mind the problems at all, but please respect the sanctity of read-only friday ;)

rfxn commented 9 years ago

@captainwasabi totally understand and read-only friday I usually live and die by but at some point I need to find time to work on maldet and that is usually my weekends :D Will make an effort in the future to limit releases to Monday-Thur cycles.

captainwasabi commented 9 years ago

Oh if you just work this on weekends then more power to you! Awesome stuff, release when you can.
