Change of behavior from 0.96.4 to 0.96.5
Hi,

It seems that ClamAV 0.96.5 appends some sort of hash to the virus name.
Whereas before, our tests would return a name like "Eicar-Test-Signature",
now we get something like "Eicar-Test-Signature(aec7ffd14a66d8b5aa9c398ee3333dad:1309)"

Is this intentional? Documented? Can it be turned off?

Regards,

David.
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net
Re: Change of behavior from 0.96.4 to 0.96.5
* David F. Skoll (dfs@roaringpenguin.com) [101201 16:50] wrote:
> It seems that ClamAV 0.96.5 appends some sort of hash to the virus name.
> Whereas before, our tests would return a name like "Eicar-Test-Signature",
> now we get something like "Eicar-Test-Signature(aec7ffd14a66d8b5aa9c398ee3333dad:1309)"
>
> Is this intentional? Documented? Can it be turned off?

Yes. Yes. Yes. ExtendedDetectionInfo in clamd.conf

Jacek

Re: Change of behavior from 0.96.4 to 0.96.5
On Wed, 1 Dec 2010 10:36:29 -0500
"David F. Skoll" <dfs@roaringpenguin.com> wrote:

> Hi,
>
> It seems that ClamAV 0.96.5 appends some sort of hash to the virus
> name. Whereas before, our tests would return a name like
> "Eicar-Test-Signature", now we get something like
> "Eicar-Test-Signature(aec7ffd14a66d8b5aa9c398ee3333dad:1309)"

Where do you see this? clamd logs, clamdscan output, clamscan output?

>
> Is this intentional? Documented? Can it be turned off?

It should only do that if you have 'ExtendedDetectionInfo Yes' in
clamd.conf, which is not the default. Do you have that in clamd.conf?

Also make sure that both your clamd and libclamav are 0.96.5.

Best regards,
--Edwin

Re: Change of behavior from 0.96.4 to 0.96.5
On Wed, 1 Dec 2010 17:53:14 +0200
Török Edwin <edwin@clamav.net> wrote:

> Where do you see this? clamd logs, clamdscan output, clamscan output?

We connect to clamd directly on the UNIX-domain socket and send a SCAN
command (not CONTSCAN). When I configure it to listen on a TCP socket
and telnet by hand, I get this:

$ telnet localhost 3310
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
SCAN /tmp/eicar-test
/tmp/eicar-test: Eicar-Test-Signature(8fd1f39c7e4cf58dfa8c0618364779c2:70) FOUND
Connection closed by foreign host.

When I use CONTSCAN instead of SCAN, I get the same result (with the hash info).
When I trace clamdscan, I see it uses the new(ish) zCONTSCAN zero-terminated
command. Perhaps that one behaves differently?

> It should only do that if you have 'ExtendedDetectionInfo Yes' in
> clamd.conf, which is not the default. Do you have that in clamd.conf?

No, we do not.

> Also make sure that both your clamd and libclamav are 0.96.5.

That's the case.

Regards,

David.

Re: Change of behavior from 0.96.4 to 0.96.5
On Wed, 1 Dec 2010 11:09:08 -0500
"David F. Skoll" <dfs@roaringpenguin.com> wrote:

> On Wed, 1 Dec 2010 17:53:14 +0200
> Török Edwin <edwin@clamav.net> wrote:
>
> > Where do you see this? clamd logs, clamdscan output, clamscan
> > output?
>
> We connect to clamd directly on the UNIX-domain socket and send a SCAN
> command (not CONTSCAN). When I configure it to listen on a TCP socket
> and telnet by hand, I get this:
>
> $ telnet localhost 3310
> Trying 127.0.0.1...
> Connected to localhost.localdomain.
> Escape character is '^]'.
> SCAN /tmp/eicar-test
> /tmp/eicar-test:
> Eicar-Test-Signature(8fd1f39c7e4cf58dfa8c0618364779c2:70) FOUND
> Connection closed by foreign host.

Works here:

$ telnet localhost 3310
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
SCAN /home/edwin/clam/git/builds/default/test/clam.exe
/home/edwin/clam/git/builds/default/test/clam.exe: ClamAV-Test-File
FOUND
Connection closed by foreign host.

Same for CONTSCAN.

What does clamdscan --version say?

>
> When I use CONTSCAN instead of SCAN, I get the same result (with the
> hash info). When I trace clamdscan, I see it uses the new(ish)
> zCONTSCAN zero-terminated command. Perhaps that one behaves
> differently?
>
> > It should only do that if you have 'ExtendedDetectionInfo Yes' in
> > clamd.conf, which is not the default. Do you have that in
> > clamd.conf?
>
> No, we do not.

Can you paste the clamconf -n output?

>
> > Also make sure that both your clamd and libclamav are 0.96.5.
>
> That's the case.
>
> Regards,
>
> David.

Re: Change of behavior from 0.96.4 to 0.96.5
Hi, All,

If I strace clamdscan, I see this (relevant lines only):

socket(PF_FILE, SOCK_STREAM, 0) = 3
connect(3, {sa_family=AF_FILE, path="/var/spool/MIMEDefang/clamd.sock"}, 110) = 0
send(3, "zCONTSCAN /tmp/eicar-test\0", 26, 0) = 26
recv(3, "/tmp/eicar-test: Eicar-Test-Signature(8fd1f39c7e4cf58dfa8c0618364779c2:70) FOUND\0", 5120, 0) = 81
fstat64(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(136, 0), ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7725000
write(1, "/tmp/eicar-test: Eicar-Test-Signature FOUND\n", 44) = 44
/tmp/eicar-test: Eicar-Test-Signature FOUND

So clamdscan receives the hash value but suppresses it client-side.
Is this an intentional change? If so, I can deal with it.

Regards,

David.

Re: Change of behavior from 0.96.4 to 0.96.5
On Wed, 1 Dec 2010 11:20:25 -0500
"David F. Skoll" <dfs@roaringpenguin.com> wrote:

> Hi, All,
>
> If I strace clamdscan, I see this (relevant lines only):
>
> socket(PF_FILE, SOCK_STREAM, 0) = 3
> connect(3, {sa_family=AF_FILE,
> path="/var/spool/MIMEDefang/clamd.sock"}, 110) = 0 send(3,
> "zCONTSCAN /tmp/eicar-test\0", 26, 0) = 26 recv(3, "/tmp/eicar-test:
> Eicar-Test-Signature(8fd1f39c7e4cf58dfa8c0618364779c2:70) FOUND\0",
> 5120, 0) = 81 fstat64(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(136,
> 0), ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE,
> MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7725000 write(1,
> "/tmp/eicar-test: Eicar-Test-Signature FOUND\n", 44) =
> 44 /tmp/eicar-test: Eicar-Test-Signature FOUND
>
> So clamdscan receives the hash value but suppresses it client-side.
> Is this an intentional change?

That suppression was added for 0.96.4 I think; it's not necessarily
needed for 0.96.5.
As I've shown you I get the proper virusname from clamd with telnet.

I still have the feeling that something is the old version: either
clamd was not restarted, or some symlink still points to 0.96.4.

> If so, I can deal with it.
>
> Regards,
>
> David.
>
>
>
>

Re: Change of behavior from 0.96.4 to 0.96.5
On Wed, 1 Dec 2010 18:15:17 +0200
Török Edwin <edwin@clamav.net> wrote:

> Works here:

[... no extended info ...]

That's bizarre!

$ clamdscan --version
ClamAV 0.96.5/11413/Thu Jul 22 09:24:53 2010

$ /usr/local/sbin/clamd --version
ClamAV 0.96.5/11413/Thu Jul 22 09:24:53 2010

(The database is old because it's a test box that doesn't get DB updates.)

And this is clamd.conf with all comments and blank lines removed:

PidFile /var/spool/MIMEDefang/clamd.pid
LocalSocket /var/spool/MIMEDefang/clamd.sock
TCPSocket 3310
MaxDirectoryRecursion 15
User defang
AllowSupplementaryGroups Yes
ScanMail Yes
ScanArchive Yes
PhishingScanURLs no

Finally, clamd dynamically links against /usr/local/lib/libclamav.so.6,
which resolves to libclamav.so.6.1.7 -- I believe the correct one.

And here's the weird thing: Right after I start clamd, I get the extended
stats info. If I wait for a while and retry, it stops giving the
extended info!

(Could you try your tests immediately after stopping/restarting clamd?)

This is a source-compiled version on Debian 4.0, i386. I see the same
behaviour on Debian 5.0, i386. The configure script for the Debian
5.0 build was invoked like this:

./configure --build=i486-linux-gnu --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --disable-clamav --with-dbdir=/var/lib/clamav/ --sysconfdir=/etc/clamav --enable-milter --disable-clamuko --with-gnu-ld --enable-dns-fix --disable-unrar --libdir=/usr/lib

Regards,

David.

Re: Change of behavior from 0.96.4 to 0.96.5
[Sorry for all the spam]

As a test, I ran this:

while true ; do strace -t -s100 clamdscan /tmp/eicar-test >> /root/clamdscan-strace 2>&1; sleep 2; done

And here is the interesting output:

11:53:34 socket(PF_FILE, SOCK_STREAM, 0) = 3
11:53:34 connect(3, {sa_family=AF_FILE, path="/var/spool/MIMEDefang/clamd.sock"...}, 110) = 0
11:53:34 send(3, "zCONTSCAN /tmp/eicar-test\0"..., 26, 0) = 26
11:53:34 recv(3, "/tmp/eicar-test: Eicar-Test-Signature(8fd1f39c7e4cf58dfa8c0618364779c2:70) FOUND\0"..., 5120, 0) = 81

11:53:36 socket(PF_FILE, SOCK_STREAM, 0) = 3
11:53:36 connect(3, {sa_family=AF_FILE, path="/var/spool/MIMEDefang/clamd.sock"...}, 110) = 0
11:53:36 send(3, "zCONTSCAN /tmp/eicar-test\0"..., 26, 0) = 26
11:53:36 recv(3, "/tmp/eicar-test: Eicar-Test-Signature FOUND\0"..., 5120, 0) = 44

I did not restart clamd or touch it in any way.

Regards,

David.

Re: Change of behavior from 0.96.4 to 0.96.5
On Wed, 1 Dec 2010 11:34:19 -0500
"David F. Skoll" <dfs@roaringpenguin.com> wrote:

> On Wed, 1 Dec 2010 18:15:17 +0200
> Török Edwin <edwin@clamav.net> wrote:
>
> > Works here:
>
> [... no extended info ...]
>
> That's bizarre!
>
> $ clamdscan --version
> ClamAV 0.96.5/11413/Thu Jul 22 09:24:53 2010
>
> $ /usr/local/sbin/clamd --version
> ClamAV 0.96.5/11413/Thu Jul 22 09:24:53 2010
>
> (The database is old because it's a test box that doesn't get DB
> updates.)
>
> And this is clamd.conf with all comments and blank lines removed:
>
> PidFile /var/spool/MIMEDefang/clamd.pid
> LocalSocket /var/spool/MIMEDefang/clamd.sock
> TCPSocket 3310
> MaxDirectoryRecursion 15
> User defang
> AllowSupplementaryGroups Yes
> ScanMail Yes
> ScanArchive Yes
> PhishingScanURLs no
>
> Finally, clamd dynamically-links against /usr/local/lib/libclamav.so.6
> which resolves to libclamav.so.6.1.7 -- I believe the correct one.
>
> And here's the weird thing: Right after I start clamd, I get the
> extended stats info. If I wait for a while and retry, it stops
> giving the extended info!
>
> (Could you try your tests immediately after stopping/restarting
> clamd?)

Yes, I can reproduce the problem now (I don't know why I couldn't
before).
Looks like ExtendedDetectionInfo only controls what is written to the
logs, but clamd still sends the hash as replies (which clamdscan
filters).
Please open a bug so we fix this for 0.97. For now just filter the hash
if you don't want it.

Best regards,
--Edwin
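Edwin's closing advice is to filter the "(md5:size)" suffix client-side until 0.97 fixes clamd. The following is an added example of a small clamd reply parser that does exactly that; it is not ClamAV project code and is not something anyone in the thread posted. It assumes only the wire format visible in the strace and telnet transcripts above (a zCONTSCAN command answered by one NUL-terminated "path: name FOUND" line, with or without the 32-hex-digit MD5 and size in parentheses) and adds the OK and ERROR reply shapes, which are not shown in the thread and are therefore constructed. The default socket path is the one from David's clamd.conf; the `/tmp/clean-file` and `/tmp/missing` sample lines are constructed.

```python
"""Parse clamd scan replies and normalise the 0.96.5 "(md5:size)" suffix.

Added example for this thread, not ClamAV's own code. Assumed reply grammar,
one NUL-terminated line per scanned file:
    <path>: <name> FOUND
    <path>: <name>(<md5>:<size>) FOUND      (seen with 0.96.5 in the thread)
    <path>: OK                              (constructed for this example)
    <path>: <message> ERROR                 (constructed for this example)
"""
import re
import socket
from dataclasses import dataclass
from typing import Optional

# Path is taken non-greedily up to the first ": " (the protocol itself is
# ambiguous for paths containing ": ", so this is a documented limitation).
REPLY_RE = re.compile(
    r"^(?P<path>.+?): "
    r"(?:"
    r"(?P<name>.+?)"                                        # signature name
    r"(?:\((?P<md5>[0-9a-fA-F]{32}):(?P<size>\d+)\))?"      # optional extended info
    r" FOUND"
    r"|(?P<ok>OK)"
    r"|(?P<err>.+) ERROR"
    r")$"
)

# Same suffix, for callers that already hold a bare virus name string.
EXTENDED_INFO_RE = re.compile(r"\([0-9a-fA-F]{32}:\d+\)$")


@dataclass
class ScanResult:
    path: str
    status: str                  # "FOUND", "OK" or "ERROR"
    name: Optional[str] = None   # signature name without the "(md5:size)" suffix
    md5: Optional[str] = None    # extended info, only when clamd sent it
    size: Optional[int] = None
    message: Optional[str] = None


def strip_extended_info(name: str) -> str:
    """Drop a trailing "(md5:size)" from a virus name, if present."""
    return EXTENDED_INFO_RE.sub("", name)


def parse_reply(raw: bytes) -> ScanResult:
    """Parse one clamd reply line (zCONTSCAN replies end in NUL, others in LF)."""
    line = raw.decode("utf-8", "replace").rstrip("\0\n")
    m = REPLY_RE.match(line)
    if m is None:
        raise ValueError(f"unrecognised clamd reply: {line!r}")
    if m.group("ok"):
        return ScanResult(m.group("path"), "OK")
    if m.group("err"):
        return ScanResult(m.group("path"), "ERROR", message=m.group("err"))
    size = m.group("size")
    return ScanResult(m.group("path"), "FOUND", name=m.group("name"),
                      md5=m.group("md5"), size=int(size) if size else None)


def scan_with_clamd(file_path: str,
                    socket_path: str = "/var/spool/MIMEDefang/clamd.sock") -> ScanResult:
    """Send zCONTSCAN over clamd's UNIX socket and parse the single reply line.

    Needs a running clamd (socket path taken from the thread's clamd.conf);
    the offline sample below does not call this.
    """
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(socket_path)
        s.sendall(b"zCONTSCAN " + file_path.encode() + b"\0")
        buf = b""
        while not buf.endswith(b"\0"):
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
    return parse_reply(buf)


# Constructed sample replies: the first two are the exact bytes from the
# strace output in the thread, the last two are made up for OK and ERROR.
SAMPLE_REPLIES = [
    b"/tmp/eicar-test: Eicar-Test-Signature(8fd1f39c7e4cf58dfa8c0618364779c2:70) FOUND\0",
    b"/tmp/eicar-test: Eicar-Test-Signature FOUND\0",
    b"/tmp/clean-file: OK\0",
    b"/tmp/missing: lstat() failed: No such file or directory. ERROR\0",
]

if __name__ == "__main__":
    for reply in SAMPLE_REPLIES:
        print(parse_reply(reply))
```

Matching on `ScanResult.name` rather than the raw reply string keeps a mail filter's signature-name comparisons stable across 0.96.4 and 0.96.5, while still keeping the MD5 and size available in `md5` and `size` for logging when clamd does send them.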