
ClamAV Daemon Log - Filepath of the infected file
Hi,

I have ClamAV Daemon installed, and if clamdscan detects something I get an
entry log on the /var/log/clamav/clamav.log file, but that entry does not
identify the infected file, it only shows something like this:

Thu Sep 19 16:42:24 2019 -> fd[12]:
Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68) FOUND

Is it possible to make it show the filepath of the infected file?

--

With best regards,
Jorge Martins - WeMake, Tecnologias de Informação, Lda.
Tel. 223744827
Tel. 932942004
Re: ClamAV Daemon Log - Filepath of the infected file
Hi there,

On Thu, 19 Sep 2019, Jorge Martins wrote:

> I have ClamAV Daemon installed, and if clamdscan detects something I get an
> entry log on the /var/log/clamav/clamav.log file, but that entry does not
> identify the infected file, it only shows something like this:
>
> Thu Sep 19 16:42:24 2019 -> fd[12]:
> Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68) FOUND
>
> Is it possible to make it show the filepath of the infected file?

There are two tools. One is clamd, which is a daemon and once started
it sits there waiting to be told what to scan. If nothing tells it to
scan something, it does nothing. The other is clamdscan. It doesn't
know how to scan anything, but it can climb around your directory tree
looking for files and it can pass pointers to the files to the clamd
daemon (this tells the daemon to scan them) and await clamd's replies.
There are other ways of scanning files, it's all in the documentation.

You are asking for clamdscan to do what it normally does. You seem to
have given an example of something else (of what clamd does when it is
scanning a stream of data sent to the socket on which it is listening).
This is for example what happens when you use clamav-milter to scan
incoming mail; the incoming message is passed to the clamd daemon on
its socket. When clamd scans a stream of data there is no file name,
it's just a stream of data, so clamd can't give you any name. On the
other hand clamdscan knows the names of the files which it passes to
clamd to scan; when clamd tells clamdscan a file matches a signature,
clamdscan can tell you which file it was, and which signature.

Here's the command I gave to scan a directory full of spam emails this
morning:

$ clamdscan /var/lib/SUBMISSIONS/messages

Here's the result in the log - some of the emails were flagged. I've
edited it for brevity but you can see the pathnames and signature IDs.
The paths are in /var/ and the filenames are all Sendmail message IDs.

8<----------------------------------------------------------------------
Sep 19 10:01:09 clamd[4665]: /var/.../x8EGYHK0009933: 58172 FOUND
Sep 19 10:01:09 clamd[4665]: /var/.../x8HABuOb007396: 58175 FOUND
Sep 19 10:01:09 clamd[4665]: /var/.../x8EIlecT023326: 58171 FOUND
Sep 19 10:01:09 clamd[4665]: /var/.../x8FAjoDx020771: 27775 FOUND
Sep 19 10:01:09 clamd[4665]: /var/.../x8GFcxQs001950: 58174 FOUND
Sep 19 10:01:09 clamd[4665]: /var/.../x8H6Z8UR026649: 58170 FOUND
Sep 19 10:01:09 clamd[4665]: /var/.../x8GJbwD8019380: 27774 FOUND
Sep 19 10:01:09 clamd[4665]: /var/.../x8HE4bQf007238: 58173 FOUND
Sep 19 10:01:09 clamd[4665]: /var/.../x8HHfcPh021663: 58169 FOUND
Sep 19 10:01:09 clamd[4665]: /var/.../x8HN3mEf025577: 58167 FOUND
Sep 19 10:01:09 clamd[4665]: /var/.../x8I1Avox028331: 58168 FOUND
Sep 19 10:01:09 clamd[4665]: /var/.../x8I98tXw019474: 5eb86d FOUND
Sep 19 10:01:09 clamd[4665]: /var/.../x8I9N3iW025511: 4810c4 FOUND
Sep 19 10:01:09 clamd[4665]: /var/.../x8I9QUY9025837: 5eb86d FOUND
Sep 19 10:01:09 clamd[4665]: /var/.../x8IA3Zpb004800: 5eb86d FOUND
8<----------------------------------------------------------------------

Exactly how are you telling clamd/clamdscan to scan the files?
It might also be useful to see your clamd.conf.

--

73,
Ged.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: ClamAV Daemon Log - Filepath of the infected file
I was running it like this: clamdscan /home/ --infected --multiscan --fdpass

After some testing I noticed that if I remove the --fdpass the filepath is
correctly logged:

Thu Sep 19 18:27:22 2019 -> /home/test/eicar.txt:
Eicar-Test-Signature(69630e4574ec6798239b091cda43dca0:69) FOUND

I really don't understand why; even reading the description of the --fdpass
option doesn't seem to me to indicate that the filepath will not be logged.
Could this be a bug, or is it expected?

Thank you


G.W. Haywood via clamav-users <clamav-users@lists.clamav.net> wrote on
Thursday, 19/09/2019 at 18:24:

> Hi there,
>
> On Thu, 19 Sep 2019, Jorge Martins wrote:
>
> > I have ClamAV Daemon installed, and if clamdscan detects something I get
> an
> > entry log on the /var/log/clamav/clamav.log file, but that entry does not
> > identify the infected file, it only shows something like this:
> >
> > Thu Sep 19 16:42:24 2019 -> fd[12]:
> > Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68) FOUND
> >
> > Is it possible to make it show the filepath of the infected file?
>
> There are two tools. One is clamd, which is a daemon and once started
> it sits there waiting to be told what to scan. If nothing tells it to
> scan something, it does nothing. The other is clamdscan. It doesn't
> know how to scan anything, but it can climb around your directory tree
> looking for files and it can pass pointers to the files to the clamd
> daemon (this tells the daemon to scan them) and await clamd's replies.
> There are other ways of scanning files, it's all in the documentation.
>
> You are asking for clamdscan to do what it normally does. You seem to
> have given an example of something else (of what clamd does when it is
> scanning a stream of data sent to the socket on which it is listening).
> This is for example what happens when you use clamav-milter to scan
> incoming mail; the incoming message is passed to the clamd daemon on
> its socket. When clamd scans a stream of data there is no file name,
> it's just a stream of data, so clamd can't give you any name. On the
> other hand clamdscan knows the names of the files which it passes to
> clamd to scan; when clamd tells clamdscan a file matches a signature,
> clamdscan can tell you which file it was, and which signature.
>
> Here's the command I gave to scan a directory full of spam emails this
> morning:
>
> $ clamdscan /var/lib/SUBMISSIONS/messages
>
> Here's the result in the log - some of the emails were flagged. I've
> edited it for brevity but you can see the pathnames and signature IDs.
> The paths are in /var/ and the filenames are all Sendmail message IDs.
>
> 8<----------------------------------------------------------------------
> Sep 19 10:01:09 clamd[4665]: /var/.../x8EGYHK0009933: 58172 FOUND
> Sep 19 10:01:09 clamd[4665]: /var/.../x8HABuOb007396: 58175 FOUND
> Sep 19 10:01:09 clamd[4665]: /var/.../x8EIlecT023326: 58171 FOUND
> Sep 19 10:01:09 clamd[4665]: /var/.../x8FAjoDx020771: 27775 FOUND
> Sep 19 10:01:09 clamd[4665]: /var/.../x8GFcxQs001950: 58174 FOUND
> Sep 19 10:01:09 clamd[4665]: /var/.../x8H6Z8UR026649: 58170 FOUND
> Sep 19 10:01:09 clamd[4665]: /var/.../x8GJbwD8019380: 27774 FOUND
> Sep 19 10:01:09 clamd[4665]: /var/.../x8HE4bQf007238: 58173 FOUND
> Sep 19 10:01:09 clamd[4665]: /var/.../x8HHfcPh021663: 58169 FOUND
> Sep 19 10:01:09 clamd[4665]: /var/.../x8HN3mEf025577: 58167 FOUND
> Sep 19 10:01:09 clamd[4665]: /var/.../x8I1Avox028331: 58168 FOUND
> Sep 19 10:01:09 clamd[4665]: /var/.../x8I98tXw019474: 5eb86d FOUND
> Sep 19 10:01:09 clamd[4665]: /var/.../x8I9N3iW025511: 4810c4 FOUND
> Sep 19 10:01:09 clamd[4665]: /var/.../x8I9QUY9025837: 5eb86d FOUND
> Sep 19 10:01:09 clamd[4665]: /var/.../x8IA3Zpb004800: 5eb86d FOUND
> 8<----------------------------------------------------------------------
>
> Exactly how are you telling clamd/clamdscan to scan the files?
> It might also be useful to see your clamd.conf.
>
> --
>
> 73,
> Ged.
>


--

With best regards,
Jorge Martins - WeMake, Tecnologias de Informação, Lda.
Tel. 223744827
Tel. 932942004
Re: ClamAV Daemon Log - Filepath of the infected file
On 19.09.19 18:57, Jorge Martins wrote:
>I was running it like this: clamdscan /home/ --infected --multiscan --fdpass
>
>After some testing I noticed that if I remove the --fdpass the filepath is
>correctly logged:
>
>Thu Sep 19 18:27:22 2019 -> /home/test/eicar.txt:
>Eicar-Test-Signature(69630e4574ec6798239b091cda43dca0:69) FOUND
>
>I really don't understand why; even reading the description of the --fdpass
>option doesn't seem to me to indicate that the filepath will not be logged.
>Could this be a bug, or is it expected?

I would expect that. fdpass means that not the file path but the file
content is provided to clamd, via the file descriptor passing mechanism.
Clamd does not know what the real file path is, so it can't log the file
name.
clamdscan should provide the file name in this case.

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Nothing is fool-proof to a talented fool.
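As an added example (not written by anyone in this thread), a small Python parser over the two clamd log formats quoted above, Ged's syslog-style lines and Jorge's clamd.log lines: it separates the `fd[N]:` target that clamd logs when it was handed a descriptor or a stream (the `--fdpass` case Matus describes) from a real path, so an operator reviewing the log can see which detections still need clamdscan's own output to be tied to a file. The sample lines are constructed from the entries quoted in the thread, rejoined where the mail wrapped them.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# clamd.log form: "<Day Mon DD HH:MM:SS YYYY> -> <target>: <signature> FOUND"
# syslog form:    "<Mon DD HH:MM:SS> clamd[<pid>]: <target>: <signature> FOUND"
FOUND_RE = re.compile(
    r"""^(?:
          (?P<ts1>\w{3}\s+\w{3}\s+\d{1,2}\s+[\d:]{8}\s+\d{4})\s+->\s+
        | (?P<ts2>\w{3}\s+\d{1,2}\s+[\d:]{8})\s+clamd\[\d+\]:\s+
        )
        (?P<target>.+?):\s+(?P<sig>\S+)\s+FOUND\s*$""",
    re.VERBOSE,
)
# A target like "fd[12]" means clamd scanned a passed descriptor or a stream:
# it never saw a path, so only clamdscan's own output can name the file.
FD_TARGET_RE = re.compile(r"^fd\[\d+\]$")

@dataclass
class Detection:
    timestamp: str
    target: str
    signature: str
    path: Optional[str]  # None when clamd only knew a descriptor/stream

def parse_found_line(line: str) -> Optional[Detection]:
    """Return a Detection for a '... FOUND' line, or None for anything else."""
    m = FOUND_RE.match(line.strip())
    if not m:
        return None
    target = m.group("target")
    path = None if FD_TARGET_RE.match(target) else target
    return Detection(m.group("ts1") or m.group("ts2"), target, m.group("sig"), path)

def detections_without_path(lines: List[str]) -> List[Detection]:
    """Detections the log cannot tie to a file (the --fdpass / stream case)."""
    parsed = (parse_found_line(line) for line in lines)
    return [d for d in parsed if d is not None and d.path is None]

# Constructed sample in the formats quoted in the thread (wrapped lines rejoined);
# the final "OK" line is made up to show that non-detections are ignored.
SAMPLE_LOG = [
    "Thu Sep 19 16:42:24 2019 -> fd[12]: Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68) FOUND",
    "Thu Sep 19 18:27:22 2019 -> /home/test/eicar.txt: Eicar-Test-Signature(69630e4574ec6798239b091cda43dca0:69) FOUND",
    "Sep 19 10:01:09 clamd[4665]: /var/.../x8EGYHK0009933: 58172 FOUND",
    "Thu Sep 19 18:27:23 2019 -> /home/test/clean.txt: OK",
]
```

Any entry that comes back with `path` set to None was scanned with `--fdpass` or as a stream, so the file name has to be taken from clamdscan's stdout (or the scan re-run without `--fdpass`) rather than from clamd.log.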