Mailing List Archive

Re: Clamav problems
Anyone have a solution or thought on this?

On Thu, May 30, 2019 at 10:04 PM Furkan Yücebaş <frknycbs@gmail.com> wrote:

>
>
> ---------- Forwarded message ---------
> From: Furkan Yücebaş <frknycbs@gmail.com>
> Date: Thu, May 30, 2019 at 1:46 PM
> Subject: Clamav problems
> To: <clamav-devel@lists.clamav.net>
>
>
> Hi there,
> About a month ago, I installed clamav on my Debian-based (jessie) Linux
> machine from the jessie repository.
>
> *You can find the first installed version (the slow-running one) below:
>
> root@ruhi:~# apt-cache policy clamav
> clamav:
> Kurulu: 0.101.2+dfsg-1
> Aday: 0.101.2+dfsg-1
> Sürüm çizelgesi:
> *** 0.101.2+dfsg-1 500
> 500 http://http.kali.org/kali kali-rolling/main amd64 Packages
> 500 http://ftp.de.debian.org/debian testing/main amd64 Packages
> 100 /var/lib/dpkg/status
> 0.100.0+dfsg-0+deb8u1 500
> 500 http://ftp.tr.debian.org/debian jessie/main amd64 Packages
> root@ruhi:~# apt-cache policy clamdscan
> clamdscan:
> Kurulu: 0.101.2+dfsg-1
> Aday: 0.101.2+dfsg-1
> Sürüm çizelgesi:
> *** 0.101.2+dfsg-1 500
> 500 http://http.kali.org/kali kali-rolling/main amd64 Packages
> 500 http://ftp.de.debian.org/debian testing/main amd64 Packages
> 100 /var/lib/dpkg/status
> 0.100.0+dfsg-0+deb8u1 500
> 500 http://ftp.tr.debian.org/debian jessie/main amd64 Packages
>
> In this try, I had a very serious scanning-time problem.
> For a 110 MB file (this is not an encrypted file, a normal exe), the scanning time
> is 1 m 33 s (screenshot below)
>
> [image: image.png]
>
> After that, I installed clamav from the source code that you share on your
> web page (same version 0.101.2).
> The slowing problem has been solved, but now it seems that it is not running
> stably and it is getting very fast results. I want to make sure whether the results
> are correct or not. Also you can see that "clamdscan" couldn't find
> infected files in my zip while "clamscan" could. Compressed files are
> enabled in my conf file.
>
> To see the scanning time:
>
> root@furkan:~/Downloads# du -sh clamtest2.zip
> 8,7G clamtest2.zip
>
> root@furkan:~/Downloads/clamtest2# ls -la
> toplam 9174376
> drwxr-xr-x 2 root root 4096 May 27 19:26 .
> drwxr-xr-x 29 root root 20480 May 27 19:49 ..
> -rw-r--r-- 1 root root 1951432704 Şub 20 08:55 debian-live-9.8.0-amd64-xfce.iso
> -rw-r--r-- 1 root root 68 Nis 29 01:53 eicar.com
> -rw-r--r-- 1 root root 308 Nis 29 01:53 eicarcom2.zip
> -rw-r--r-- 1 root root 184 May 27 18:55 eicar_com.zip
> -rw-r--r-- 1 root root 873116238 Ara 23 18:29 metasploitable-linux-2.0.0.zip
> -rwxr-xr-x 1 root root 166729977 Ara 27 01:54 metasploit-latest-linux-x64-installer.run
> -rw-r--r-- 1 root root 317542415 Mar 4 01:08 OMNET_OS3_UAVSim-master.zip
> -rw-r--r-- 1 root root 816301191 Ara 27 02:33 Rapid7Setup-Linux64.bin
> -rw-r--r-- 1 root root 952795136 May 1 16:59 ssi-9.601-5.1.iso
> -rw-r--r-- 1 root root 4168089600 Mar 18 02:41 tsurugi_lab_2018.1.iso
> -rwxr-xr-x 1 root root 148464193 Ara 23 18:24 VMware-Player-15.0.2-10952284.x86_64.bundle
>
> test:
>
> root@furkan:~/Downloads# clamdscan clamtest2/
> /root/Downloads/clamtest2/eicar_com.zip: Eicar-Test-Signature FOUND
> /root/Downloads/clamtest2/eicar.com: Eicar-Test-Signature FOUND
> /root/Downloads/clamtest2/eicarcom2.zip: Eicar-Test-Signature FOUND
>
> ----------- SCAN SUMMARY -----------
> Infected files: 3
> Time: 0.153 sec (0 m 0 s)
>
> root@furkan:~/Downloads# clamdscan clamtest2.zip
> /root/Downloads/clamtest2.zip: OK
>
> ----------- SCAN SUMMARY -----------
> Infected files: 0
> Time: 0.000 sec (0 m 0 s)
>
> root@furkan:~/Downloads# clamdscan clamtest2/
> /root/Downloads/clamtest2/eicar_com.zip: Eicar-Test-Signature FOUND
> /root/Downloads/clamtest2/eicar.com: Eicar-Test-Signature FOUND
> /root/Downloads/clamtest2/eicarcom2.zip: Eicar-Test-Signature FOUND
>
> ----------- SCAN SUMMARY -----------
> Infected files: 3
> Time: 0.005 sec (0 m 0 s)
>
> root@furkan:~/Downloads# clamscan clamtest2/
> clamtest2/ssi-9.601-5.1.iso: OK
> clamtest2/metasploitable-linux-2.0.0.zip: OK
> clamtest2/tsurugi_lab_2018.1.iso: OK
> clamtest2/eicarcom2.zip: Eicar-Test-Signature FOUND
> clamtest2/metasploit-latest-linux-x64-installer.run: OK
> clamtest2/debian-live-9.8.0-amd64-xfce.iso: OK
> clamtest2/eicar_com.zip: Eicar-Test-Signature FOUND
> clamtest2/OMNET_OS3_UAVSim-master.zip: OK
> clamtest2/VMware-Player-15.0.2-10952284.x86_64.bundle: OK
> clamtest2/Rapid7Setup-Linux64.bin: OK
> clamtest2/eicar.com: Eicar-Test-Signature FOUND
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 6139363
> Engine version: 0.101.2
> Scanned directories: 1
> Scanned files: 11
> Infected files: 3
> Data scanned: 0.00 MB
> Data read: 8959.26 MB (ratio 0.00:1)
> Time: 49.356 sec (0 m 49 s)
>
> root@furkan:~/Downloads# clamscan clamtest2.zip
> clamtest2.zip: OK
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 6139363
> Engine version: 0.101.2
> Scanned directories: 0
> Scanned files: 1
> Infected files: 0
> Data scanned: 0.00 MB
> Data read: 8908.36 MB (ratio 0.00:1)
> Time: 27.641 sec (0 m 27 s)
>
> Problems:
>
> 1) Clamav-daemon couldn't start properly. It starts working on my first
> attempt and then seems to be disabled, and I couldn't bring the service up.
> 2) When I want to use "clamdscan" instead of "clamscan", I always get
> "ERROR: Could not connect to clamd on LocalSocket
> /var/run/clamav/clamd.ctl: No such file or directory". I can fix this by
> restarting the service and running "freshclam", but when I couldn't bring the
> service up (issue 1) I couldn't use clamdscan.
> * All problems and conf files are attached
>
> I hope you can help fix the issues. Thank you.
> Furkan

Re: Clamav problems
Furkan,

You didn’t provide enough detail on what issue you’re having when starting `clamd` (the clamav daemon). Ordinarily one would just run `clamd` to start it, or if using systemd, run:
systemctl enable clamav-daemon.service
systemctl start clamav-daemon.service

If clamd is not running, clamdscan can’t connect to it to initiate scans. This is expected behavior.

As for scanning the zip: ClamAV has max file-size and max scan-size limits. You can raise these limits by adjusting settings in clamd.conf or the command line options to clamscan. In theory you can raise it up to 4GB, though in practice you can’t go above 2GB for certain file types, I think. Your zip file is over 8GB and well above ClamAV’s current limitations.

Regards,
Micah

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.
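An added diagnostic script, not part of this thread or of the ClamAV project, that turns the two points in Micah's reply into checks an operator can run: clamdscan can only hand work to clamd if the LocalSocket named in clamd.conf actually exists, and a file larger than MaxFileSize or MaxScanSize is not scanned at all. It also reads the tell in Furkan's clamscan output, where "Data read: 8908.36 MB" beside "Data scanned: 0.00 MB" means the 8.7 GB zip was read past but skipped, so its "OK" is not a clean verdict. The script assumes a POSIX sh with awk and mktemp; the fallback limit values (MaxScanSize 100M, MaxFileSize 25M) are the defaults documented in clamd.conf(5) for this release series and should be confirmed against the installed copy; the conf file and summary lines it feeds itself are constructed sample input.

```shell
#!/bin/sh
# Added example, not ClamAV project code and not from the thread. Assumes POSIX sh,
# awk and mktemp. Fallback limits (MaxScanSize 100M, MaxFileSize 25M) are the
# documented clamd.conf(5) defaults for the 0.101 series; confirm against your copy.

# Convert a ClamAV size value ("25M", "2G", "100K", or plain bytes) to bytes.
clam_size_to_bytes() {
    case "$1" in
        *[Kk]) echo $(( ${1%?} * 1024 )) ;;
        *[Mm]) echo $(( ${1%?} * 1024 * 1024 )) ;;
        *[Gg]) echo $(( ${1%?} * 1024 * 1024 * 1024 )) ;;
        *)     echo "$1" ;;
    esac
}

# Read one option from a clamd.conf-style file (first uncommented match wins);
# $3 is the value assumed when the option is absent from the file.
clam_conf_value() {
    val=$(awk -v opt="$2" '$1 == opt { print $2; exit }' "$1")
    [ -n "$val" ] && echo "$val" || echo "$3"
}

# Would a file of $1 bytes be skipped by the MaxFileSize / MaxScanSize limits in conf $2?
limit_verdict() {
    size=$1
    maxfile=$(clam_size_to_bytes "$(clam_conf_value "$2" MaxFileSize 25M)")
    maxscan=$(clam_size_to_bytes "$(clam_conf_value "$2" MaxScanSize 100M)")
    if [ "$size" -gt "$maxfile" ] || [ "$size" -gt "$maxscan" ]; then
        echo over-limit
    else
        echo within-limit
    fi
}

# Read a clamscan SCAN SUMMARY on stdin; succeed (exit 0) when the engine read data
# but scanned none of it, which is what a file skipped for exceeding a limit looks like.
summary_limit_hit() {
    awk '/^Data scanned:/ { s = $3 } /^Data read:/ { r = $3 }
         END { exit !(s + 0 == 0 && r + 0 > 0) }'
}

# Report whether the LocalSocket named in conf $1 exists as a socket; without it
# clamdscan fails with "Could not connect to clamd on LocalSocket ...".
clamd_socket_state() {
    sock=$(clam_conf_value "$1" LocalSocket /var/run/clamav/clamd.ctl)
    if [ -S "$sock" ]; then echo "present $sock"; else echo "missing $sock"; fi
}

# Demo on constructed input: a conf that keeps the documented defaults, the
# 8.7G archive size from the thread, and the summary lines clamscan printed for it.
demo_conf=$(mktemp)
printf 'LocalSocket /var/run/clamav/clamd.ctl\nMaxScanSize 100M\nMaxFileSize 25M\n' > "$demo_conf"
echo "clamtest2.zip (8.7G):  $(limit_verdict $(( 87 * 1024 * 1024 * 1024 / 10 )) "$demo_conf")"
echo "eicar.com (68 bytes):  $(limit_verdict 68 "$demo_conf")"
echo "clamd socket:          $(clamd_socket_state "$demo_conf")"
printf 'Data scanned: 0.00 MB\nData read: 8908.36 MB (ratio 0.00:1)\n' | summary_limit_hit \
    && echo "summary: limits were hit, so the OK verdict does not mean the archive was inspected"
rm -f "$demo_conf"
```

Point `limit_verdict` and `clamd_socket_state` at the real clamd.conf to check a host; the same two limits are also settable per run with clamscan's --max-filesize and --max-scansize options, which is the command-line route Micah mentions. Treat a "Data scanned: 0.00 MB" summary on a large input as "not inspected" rather than "clean" in any report or alerting built on clamscan output.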




From: Furkan Yücebaş <frknycbs@gmail.com>
Date: Monday, June 10, 2019 at 10:55 AM
To: "clamav-devel@lists.clamav.net" <clamav-devel@lists.clamav.net>, "Micah Snyder (micasnyd)" <micasnyd@cisco.com>
Subject: Re: Clamav problems

Anyone have a solution or thought on this?
