>
>
> On Thu, 15 Jul 2021, Robert Kudyba wrote:
>
Here we are Aug 24
> >> ... do you have that log?
> >
> > Uploaded at ...
>
> Nothing remarkable there. Presumably you're aware of this warning
> in that log?
>
See https://storm.cis.fordham.edu/~rkudyba/aug24
At 5:14 AM the problem started happening and cron has:
Aug 24 05:14:01 storm CROND[537748]: (clamav) CMD ([ -x
/usr/local/sbin/clamav-unofficial-sigs.sh ] && /usr/bin/bash
/usr/local/sbin/clamav-unofficial-sigs.sh)
Aug 24 05:14:03 storm CROND[537718]: (clamav) CMDEND ([ -x
/usr/local/sbin/clamav-unofficial-sigs.sh ] && /usr/bin/bash
/usr/local/sbin/clamav-unofficial-sigs.sh)
Aug 24 05:15:01 storm CROND[538116]: (root) CMD (/bin/date >> $FILE ;
/bin/ls -l /var/lib/clamav >> $FILE)
>
> If it's the same OS distribution you should be able to compare the
> configurations, see what they both put in the logs etc. The command
>
> clamconf -n
>
> would be very useful for that but there are other configs as well.
>
clamconf -n
Checking configuration files in /etc
Config file: clamd.d/scan.conf
------------------------------
LogFile = "/var/log/clamd.log"
TCPSocket = "3310"
TCPAddr = "127.0.0.1"
User = "clamav"
PhishingScanURLs disabled
HeuristicScanPrecedence = "yes"
AlertBrokenExecutables = "yes"
AlertBrokenMedia = "yes"
AlertEncrypted = "yes"
AlertEncryptedArchive = "yes"
AlertEncryptedDoc = "yes"
AlertOLE2Macros = "yes"
AlertPhishingSSLMismatch = "yes"
AlertPartitionIntersection = "yes"
MaxScanTime = "350000"
MaxScanSize = "157286400"
MaxFileSize = "31457280"
Config file: freshclam.conf
---------------------------
LogFileMaxSize = "262144000"
LogRotate = "yes"
UpdateLogFile = "/var/log/freshclam.log"
DatabaseOwner = "clamav"
DatabaseMirror = "database.clamav.net"
ConnectTimeout = "60"
ReceiveTimeout = "60"
Config file: mail/clamav-milter.conf
------------------------------------
LogFile = "/var/log/clamav-milter.log"
LogTime = "yes"
LogVerbose = "yes"
User = "clamilt"
ClamdSocket = "tcp:127.0.0.1:3310"
MilterSocket = "inet:6666"
AddHeader = "Add"
Whitelist = "/etc/mail/clamav-milter-whitelist.conf"
Software settings
-----------------
Version: 0.103.3
Optional features supported: MEMPOOL IPv6 AUTOIT_EA06 BZIP2 LIBXML2 PCRE2
ICONV JSON
Database information
--------------------
Database directory: /var/lib/clamav
[3rd Party] badmacro.ndb: 621 sigs
[3rd Party] shelter.ldb: 49 sigs
[3rd Party] CVE-2013-0074.yar: 22 sigs
[3rd Party] foxhole_js.cdb: 48 sigs
[3rd Party] rfxn.yara: 11527 sigs
[3rd Party] urlhaus.ndb: 5445 sigs
[3rd Party] malware.expert.ndb: 1 sig
[3rd Party] sanesecurity.ftm: 170 sigs
[3rd Party] CVE-2013-0422.yar: 25 sigs
[3rd Party] sigwhitelist.ign2: 12 sigs
[3rd Party] junk.ndb: 55801 sigs
[3rd Party] jurlbl.ndb: 5650 sigs
[3rd Party] phish.ndb: 28047 sigs
[3rd Party] rogue.hdb: 1005 sigs
[3rd Party] scam.ndb: 12747 sigs
[3rd Party] spamimg.hdb: 200 sigs
[3rd Party] CVE-2015-1701.yar: 30 sigs
[3rd Party] spamattach.hdb: 14 sigs
[3rd Party] blurl.ndb: 2194 sigs
[3rd Party] CVE-2015-2426.yar: 49 sigs
[3rd Party] malwarehash.hsb: 771 sigs
[3rd Party] CVE-2015-2545.yar: 76 sigs
[3rd Party] foxhole_generic.cdb: 212 sigs
[3rd Party] CVE-2015-5119.yar: 22 sigs
[3rd Party] foxhole_filename.cdb: 2612 sigs
[3rd Party] CVE-2016-5195.yar: 40 sigs
[3rd Party] winnow_malware.hdb: 293 sigs
[3rd Party] winnow_extended_malware_links.ndb: 1 sig
[3rd Party] winnow_malware_links.ndb: 133 sigs
[3rd Party] MiscreantPunch099-Low.ldb: 1199 sigs
[3rd Party] winnow_extended_malware.hdb: 245 sigs
[3rd Party] safebrowsing.gdb: 49126 sigs
[3rd Party] winnow.attachments.hdb: 182 sigs
[3rd Party] CVE-2017-11882.yar: 66 sigs
[3rd Party] winnow_bad_cw.hdb: 1 sig
[3rd Party] EK_BleedingLife.yar: 112 sigs
[3rd Party] bofhland_cracked_URL.ndb: 40 sigs
[3rd Party] WShell_ASPXSpy.yar: 21 sigs
[3rd Party] bofhland_malware_URL.ndb: 4 sigs
[3rd Party] WShell_Drupalgeddon2_icos.yar: 26 sigs
[3rd Party] bofhland_phishing_URL.ndb: 72 sigs
[3rd Party] CVE-2010-0805.yar: 19 sigs
[3rd Party] bofhland_malware_attach.hdb: 1836 sigs
[3rd Party] CVE-2018-20250.yar: 22 sigs
[3rd Party] hackingteam.hsb: 435 sigs
[3rd Party] CVE-2018-4878.yar: 39 sigs
[3rd Party] porcupine.ndb: 6622 sigs
[3rd Party] bank_rule.yar: 11 sigs
[3rd Party] phishtank.ndb: 9388 sigs
[3rd Party] EMAIL_Cryptowall.yar: 52 sigs
[3rd Party] porcupine.hsb: 208 sigs
[3rd Party] scam.yar: 35 sigs
[3rd Party] securiteinfo.ign2: 86 sigs
[3rd Party] JJencode.yar: 19 sigs
[3rd Party] securiteinfo.hdb: 159918 sigs
[3rd Party] interserver256.hdb: 3626 sigs
[3rd Party] securiteinfoold.hdb: 3525608 sigs
[3rd Party] interservertopline.db: 161 sigs
[3rd Party] javascript.ndb: 43708 sigs
main.cvd: version 61, sigs: 6607162, built on Wed Jul 14 22:39:10 2021
[3rd Party] securiteinfohtml.hdb: 55106 sigs
[3rd Party] CVE-2010-0887.yar: 22 sigs
[3rd Party] securiteinfoascii.hdb: 98410 sigs
daily.cld: version 26272, sigs: 1968128, built on Mon Aug 23 04:21:13 2021
[3rd Party] securiteinfopdf.hdb: 3408 sigs
[3rd Party] CVE-2010-1297.yar: 20 sigs
[3rd Party] securiteinfoandroid.hdb: 84401 sigs
[3rd Party] rfxn.ndb: 2039 sigs
[3rd Party] rfxn.hdb: 12932 sigs
daily.cvd: version 26209, sigs: 3992031, built on Tue Jun 22 07:07:55 2021
[3rd Party] malware.expert.hdb: 1 sig
[3rd Party] malware.expert.ldb: 1 sig
[3rd Party] foxhole_js.ndb: 4 sigs
[3rd Party] CVE-2012-0158.yar: 27 sigs
[3rd Party] winnow_spam_complete.ndb: 26 sigs
[3rd Party] whitelist.fp: 3081 sigs
[3rd Party] winnow.complex.patterns.ldb: 3 sigs
[3rd Party] Sanesecurity_spam.yara: 46 sigs
[3rd Party] jurlbla.ndb: 1388 sigs
[3rd Party] lott.ndb: 2335 sigs
[3rd Party] spam.ldb: 2 sigs
[3rd Party] spear.ndb: 1 sig
[3rd Party] spearl.ndb: 1 sig
[3rd Party] malware.expert.fp: 1 sig
[3rd Party] scamnailer.ndb: 1 sig
bytecode.cvd: version 333, sigs: 92, built on Mon Mar 8 10:21:51 2021
[3rd Party] winnow_phish_complete_url.ndb: 54 sigs
[3rd Party] malwarepatrol.db: 9180 sigs
[3rd Party] Sanesecurity_sigtest.yara: 54 sigs
[3rd Party] email_Ukraine_BE_powerattack.yar: 33 sigs
[3rd Party] Email_fake_it_maintenance_bulletin.yar: 29 sigs
[3rd Party] Email_quota_limit_warning.yar: 31 sigs
Total number of signatures: 16770754
Platform information
--------------------
uname: Linux 5.12.14-300.fc34.x86_64 #1 SMP Wed Jun 30 18:30:21 UTC 2021
x86_64
OS: linux-gnu, ARCH: x86_64, CPU: x86_64
zlib version: 1.2.11 (1.2.11), compile flags: a9
platform id: 0x0a217c7c08000000020b0201
Build information
-----------------
GNU C: 11.2.1 20210728 (Red Hat 11.2.1-1) (11.2.1)
CPPFLAGS: -I/usr/include/libprelude
CFLAGS: -O2 -flto=auto -ffat-lto-objects -fexceptions -g
-grecord-gcc-switches -pipe -Wall -Werror=format-security
-Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong
-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic
-fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection
-D_LARGEFILE_SOURCE
-D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
CXXFLAGS: -O2 -flto=auto -ffat-lto-objects -fexceptions -g
-grecord-gcc-switches -pipe -Wall -Werror=format-security
-Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong
-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic
-fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection
LDFLAGS: -Wl,-z,relro -Wl,--as-needed -Wl,-z,now
-specs=/usr/lib/rpm/redhat/redhat-hardened-ld -lprelude
Configure: '--build=x86_64-redhat-linux-gnu'
'--host=x86_64-redhat-linux-gnu' '--program-prefix='
'--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr'
'--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc'
'--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64'
'--libexecdir=/usr/libexec' '--localstatedir=/var'
'--sharedstatedir=/var/lib' '--mandir=/usr/share/man'
'--infodir=/usr/share/info' '--enable-milter' '--disable-clamav'
'--disable-static' '--disable-zlib-vcheck' '--disable-unrar'
'--enable-id-check' '--enable-dns' '--with-dbdir=/var/lib/clamav'
'--with-group=clamupdate' '--with-user=clamupdate' '--disable-rpath'
'--disable-silent-rules' '--enable-clamdtop' '--enable-prelude'
'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu'
'CXX=g++' 'CXXFLAGS=-O2 -flto=auto -ffat-lto-objects -fexceptions -g
-grecord-gcc-switches -pipe -Wall -Werror=format-security
-Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong
-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic
-fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection'
'LDFLAGS=-Wl,-z,relro -Wl,--as-needed -Wl,-z,now
-specs=/usr/lib/rpm/redhat/redhat-hardened-ld' 'CC=gcc' 'CFLAGS=-O2
-flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe
-Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2
-Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1
-fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64
-mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection
-fcf-protection' 'LT_SYS_LIBRARY_PATH=/usr/lib64:'
'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
sizeof(void*) = 8
Engine flevel: 124, dconf: 124
>
>
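The quoted advice above is to compare `clamconf -n` output between the working and the failing host. As an added example (not code from this thread or from the ClamAV project), here is a small Python script that parses that output into its sections, lists every setting that differs between two hosts, and sanity-checks the database listing: it verifies that the per-file signature counts add up to the reported total and flags an official database that is present as both `.cvd` and `.cld`. The two sample outputs `HOST_A` and `HOST_B` are constructed, trimmed to the shape of the output quoted above; the cvd/cld check is this example's own heuristic, not a ClamAV diagnostic.

```python
"""Parse `clamconf -n` output, diff two hosts' settings, and sanity-check
the database listing.  Added example for the thread above, not ClamAV code;
the two sample outputs are constructed and trimmed to clamconf's format."""
import re

HOST_A = """\
Checking configuration files in /etc
Config file: clamd.d/scan.conf
------------------------------
LogFile = "/var/log/clamd.log"
TCPSocket = "3310"
PhishingScanURLs disabled
MaxScanTime = "350000"
Config file: freshclam.conf
---------------------------
DatabaseMirror = "database.clamav.net"
Software settings
-----------------
Version: 0.103.3
Database information
--------------------
Database directory: /var/lib/clamav
[3rd Party] badmacro.ndb: 621 sigs
[3rd Party] malware.expert.ndb: 1 sig
main.cvd: version 61, sigs: 6607162, built on Wed Jul 14 22:39:10 2021
daily.cld: version 26272, sigs: 1968128, built on Mon Aug 23 04:21:13 2021
daily.cvd: version 26209, sigs: 3992031, built on Tue Jun 22 07:07:55 2021
bytecode.cvd: version 333, sigs: 92, built on Mon Mar 8 10:21:51 2021
Total number of signatures: 12568035
"""
# Constructed second host: MaxScanTime differs, TCPSocket is unset, no stale daily.cvd.
HOST_B = (HOST_A.replace('TCPSocket = "3310"\n', "")
                .replace('"350000"', '"120000"')
                .replace("daily.cvd: version 26209, sigs: 3992031, built on Tue Jun 22 07:07:55 2021\n", "")
                .replace("12568035", "8576004"))

SECTION_RE = re.compile(r"^(?:Config file: (?P<cfg>\S+)|(?P<plain>Software settings|"
                        r"Database information|Platform information|Build information))$")
KV_RE = re.compile(r'^(?P<key>\w+) = "(?P<val>[^"]*)"$')
DISABLED_RE = re.compile(r"^(?P<key>\w+) disabled$")
THIRD_RE = re.compile(r"^\[3rd Party\] (?P<name>\S+): (?P<n>\d+) sigs?$")
OFFICIAL_RE = re.compile(r"^(?P<name>\S+\.c[lv]d): version (?P<ver>\d+), sigs: (?P<n>\d+), built on (?P<built>.+)$")
TOTAL_RE = re.compile(r"^Total number of signatures: (?P<n>\d+)$")


def parse_clamconf(text):
    """Return {"configs": {file: {key: value}}, "databases": {name: info},
    "total": int or None, "version": str or None}."""
    out = {"configs": {}, "databases": {}, "total": None, "version": None}
    section = None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or set(line) == {"-"}:  # blank lines and dashed underlines
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("cfg") or m.group("plain")
            if m.group("cfg"):
                out["configs"][section] = {}
        elif section in out["configs"]:
            m = KV_RE.match(line) or DISABLED_RE.match(line)
            if m:  # "Key disabled" lines carry no value group
                out["configs"][section][m.group("key")] = m.groupdict().get("val", "disabled")
        elif section == "Database information":
            if m := THIRD_RE.match(line):
                out["databases"][m.group("name")] = {"sigs": int(m.group("n")), "official": False}
            elif m := OFFICIAL_RE.match(line):
                out["databases"][m.group("name")] = {"sigs": int(m.group("n")), "official": True,
                                                     "version": int(m.group("ver")), "built": m.group("built")}
            elif m := TOTAL_RE.match(line):
                out["total"] = int(m.group("n"))
        elif section == "Software settings" and line.startswith("Version: "):
            out["version"] = line.split(": ", 1)[1]
    return out


def diff_configs(a, b):
    """List (config file, key, value on A, value on B) for every setting that
    differs; a key absent on one side is reported as None there."""
    diffs = []
    for cfg in sorted(set(a["configs"]) | set(b["configs"])):
        ka, kb = a["configs"].get(cfg, {}), b["configs"].get(cfg, {})
        for key in sorted(set(ka) | set(kb)):
            if ka.get(key) != kb.get(key):
                diffs.append((cfg, key, ka.get(key), kb.get(key)))
    return diffs


def check_databases(parsed):
    """Return findings: a total that does not match the per-file counts, and an
    official database present as both .cvd and .cld (heuristic of this example)."""
    findings = []
    dbs = parsed["databases"]
    summed = sum(d["sigs"] for d in dbs.values())
    if parsed["total"] is not None and summed != parsed["total"]:
        findings.append(f"per-file counts sum to {summed}, clamconf reports {parsed['total']}")
    stems = {}
    for name, d in dbs.items():
        if d["official"]:
            stems.setdefault(name.rsplit(".", 1)[0], []).append(name)
    for stem, names in stems.items():
        if len(names) > 1:
            findings.append(f"{stem} is present as {' and '.join(sorted(names))}; clamconf counts "
                            "both in its total, so confirm which one clamd is actually using")
    return findings


if __name__ == "__main__":
    a, b = parse_clamconf(HOST_A), parse_clamconf(HOST_B)
    for cfg, key, va, vb in diff_configs(a, b):
        print(f"{cfg}: {key}: host A={va!r} host B={vb!r}")
    for finding in check_databases(a):
        print("host A:", finding)
```

Paste each host's real `clamconf -n` output in place of the constructed strings to use it. Applied to the full listing quoted above, the per-file counts add up exactly to the reported 16770754, which means that total includes both daily.cvd (version 26209) and daily.cld (version 26272); whether that pair matters for the 05:14 problem is not something the listing alone settles.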