Mailing List Archive

error files in /
I am getting these strange files in the root file system "/" on my linux servers.

-rw-r-----. 1 root root 98 Apr 13 08:00 @??E?U
-rw-r-----. 1 root root 75 Apr 26 08:00 @g6??U
-rw-r-----. 1 root root 75 Apr 1 08:00 @g)$?U


The files contain the error message.

ERROR: ClamClient: Connection to clamd failed, Couldn't resolve host name.
ClamScanQueue: stopped


I believe it is occurring when the clam services are restarted each day.

Any idea how to route these error messages elsewhere?

Thanks,
Jeff Hoevenaar
Re: error files in / [ In reply to ]
Hi there,

On Wed, 4 May 2022, Hoevenaar, Jeffrey (GE Aviation, US) via clamav-users wrote:

> I am getting these strange files in the root file system "/" on my linux servers.
>
> -rw-r-----. 1 root root 98 Apr 13 08:00 @??E?U
> -rw-r-----. 1 root root 75 Apr 26 08:00 @g6??U
> -rw-r-----. 1 root root 75 Apr 1 08:00 @g)$?U
>
>
> The files contain the error message.
>
> ERROR: ClamClient: Connection to clamd failed, Couldn't resolve host name.
> ClamScanQueue: stopped

Do they all contain the same error message? Two of the files are 75
bytes long, the other one is 98 bytes. The error message in your post
is (give or take formatting in an email) 98 bytes. The first line of
the error is 75 bytes (with the same proviso).

To connect to clamd, an IP address would be more reliable than a
hostname. It wouldn't rely on some flaky name resolution service.

In any case more information is needed. Please could you let us have
the output of the command

clamconf -n

cut and pasted into an email so that there are no accidental changes?

> I believe it is occurring when the clam services are restarted each day.

It isn't really necessary to restart those services daily, but it
probably won't do any harm and it might help highlight some issues
(for example like this one). But I'd be inclined to disable the
restarts, at least for a while, just to find out if the restarts
really are triggering this.

> Any idea how to route these error messages elsewhere?

It will be easy to do but more information is needed. There are very
few reasons to write files in the root directory, and nothing like
ClamAV has any business doing that. It might mean there's something
wrong with your configuration; it might not be the ClamAV-specific
configuration but that's a place to start. ClamAV might be started or
restarted by some configuration that's provided by your operating
system distribution, and not by ClamAV itself. It would help if you
could give us information about that, such as the OS distribution(s),
the packages which provide ClamAV, etc. and any local configuration
changes made to the distribution defaults. The ideal would be to get
any utility (such as one provided by ClamAV) to know where to write
its error output (e.g. /var/log/somewhere) before actually doing it.

--

73,
Ged.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: error files in / [ In reply to ]
Please, direct your msg properly.

Tks,
Re: error files in / [ In reply to ]
Hi Jeff,

I think you may have run into this issue with ClamOnAcc's --log=FILE option: https://github.com/Cisco-Talos/clamav/issues/168 ("Files with cryptic names get written in / (unix root)", Issue #168, Cisco-Talos/clamav)

I don't know what the exact source of the bug is, but it should go away if you don't use the --log option.

Regards,
Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.
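
Added example, not part of any message in this thread: a POSIX shell check that lists regular files in one directory whose names contain bytes outside printable ASCII and marks whether each one holds the ClamAV client messages quoted above. The function names, the hex-encoded name output and the "unknown" verdict are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: triage oddly named files in one directory.
# Assumption: "odd" means the name holds a byte outside printable ASCII,
# which ls renders as "?" in listings like the ones quoted in the thread.

# The two message lines reported as the contents of the files.
CLAM_PATTERN='ClamClient: Connection to clamd failed|ClamScanQueue: stopped'

# Succeeds if the name contains any byte outside 0x20..0x7e.
has_odd_bytes() {
    # The trailing "x" keeps a newline in the name from being stripped.
    stripped=$(printf '%s' "$1" | LC_ALL=C tr -d ' -~'; printf x)
    [ "$stripped" != x ]
}

# Hex-encode a name so control bytes cannot garble a terminal or a log.
hex_name() {
    printf '%s' "$1" | od -An -tx1 | tr -d ' \n'
}

# Print "<size> <verdict> <hex name>" for each odd-named regular file in DIR.
scan_odd_names() {
    dir=${1:-/}
    dir=${dir%/}                      # "/" becomes "" so the glob is "/*"
    for path in "$dir"/* "$dir"/.[!.]*; do
        # Skip unmatched globs, directories and symlinks.
        [ -f "$path" ] && [ ! -L "$path" ] || continue
        name=${path##*/}
        has_odd_bytes "$name" || continue
        size=$(wc -c < "$path" | tr -d ' ')
        if LC_ALL=C grep -Eq "$CLAM_PATTERN" "$path" 2>/dev/null; then
            verdict=clamav-error      # contents match the messages above
        else
            verdict=unknown           # not explained by this thread: inspect
        fi
        printf '%s %s %s\n' "$size" "$verdict" "$(hex_name "$name")"
    done
}
```

Call scan_odd_names with no argument to check /. A file reported as unknown does not contain the ClamAV error output discussed here and needs its own investigation.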
Re: error files in / [ In reply to ]
hahaha

u r far away

error files in / [ In reply to ]
Same basic errors in each file.

I have logs going to /var/log/

The restart occurs via a script run by cron. However, the output is redirected to /dev/null.



[root@rhel7test ~]# clamconf -n
Checking configuration files in /etc

Config file: clamd.d/scan.conf
------------------------------
LogRotate = "yes"
TemporaryDirectory = "/var/tmp"
TCPSocket = "3310"
TCPAddr = "127.0.0.1"
ReadTimeout = "300"
CommandReadTimeout = "120"
CrossFilesystems disabled
ConcurrentDatabaseReload disabled
User = "clamscan"
ScanArchive disabled
OnAccessIncludePath = "/usr", "/home", "/etc", "/root", "/opt", "/boot", "/tmp"
OnAccessExcludePath = "/opt/splunkforwarder", "/opt/commvault", "/opt/SolarWinds"
OnAccessExcludeUname = "clamscan"
OnAccessRetryAttempts = "3"

Config file: freshclam.conf
---------------------------
DatabaseMirror = "database.clamav.net"

mail/clamav-milter.conf not found

Software settings
-----------------
Version: 0.103.3
Optional features supported: MEMPOOL IPv6 AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 ICONV JSON

Database information
--------------------
Database directory: /var/lib/clamav
main.cvd: version 62, sigs: 6647427, built on Thu Sep 16 08:32:42 2021
bytecode.cvd: version 333, sigs: 92, built on Mon Mar 8 10:21:51 2021
daily.cvd: version 26505, sigs: 1977345, built on Thu Apr 7 04:25:37 2022
Total number of signatures: 8624864

Platform information
--------------------
uname: Linux 3.10.0-1160.62.1.el7.x86_64 #1 SMP Wed Mar 23 09:04:02 UTC 2022 x86_64
OS: linux-gnu, ARCH: x86_64, CPU: x86_64
zlib version: 1.2.7 (1.2.7), compile flags: a9
platform id: 0x0a217c7c0800000002040805

Build information
-----------------
GNU C: 4.8.5 20150623 (Red Hat 4.8.5-44) (4.8.5)
CPPFLAGS: -I/usr/include/libprelude
CFLAGS: -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -fno-strict-aliasing -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
CXXFLAGS: -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic
LDFLAGS: -Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,--as-needed -lprelude
Configure: '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--localstatedir=/var' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--enable-milter' '--disable-clamav' '--disable-static' '--disable-zlib-vcheck' '--disable-unrar' '--enable-id-check' '--enable-dns' '--with-dbdir=/var/lib/clamav' '--with-group=clamupdate' '--with-user=clamupdate' '--disable-rpath' '--disable-silent-rules' '--enable-clamdtop' '--enable-prelude' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64
-mtune=generic' 'LDFLAGS=-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,--as-needed' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
sizeof(void*) = 8
Engine flevel: 124, dconf: 124

Thanks,
Jeff Hoevenaar
