Mailing List Archive

GCP Management
I was testing the scanner in my GCP project, however I seem to be unable to
upgrade and am being limited. Is there an updated package or any way to
update this within the GCP terminal shell?
Re: GCP Management
Hi there,

On Mon, 17 Oct 2022, Jason Hamrick via clamav-users wrote:

> I was testing the scanner in my GCP project, however I seem to be unable to
> upgrade and am being limited. Is there an updated package or any way to
> update this within the GCP terminal shell?

I'm unfamiliar with GCP. I take it you mean Google Cloud Platform but it
would be easier, at least for me, if your descriptions are more specific.

You've said "testing the scanner" but you haven't said which scanner.
Can we take it that it's ClamAV? Are you using clamscan, clamd, etc.?

Again making assumptions, before we talk about updating ClamAV can you
tell us what version you're using now?

What are the symptoms of "being limited"?

--

73,
Ged.
_______________________________________________

Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat
Re: GCP Management
Ged,

I think he's talking about the Google Marketplace images, like AWS images.
Personally, instead of relying on a third party to set up the VM, I would just
set up a quick Docker instance and use the official ClamAV image.
https://hub.docker.com/r/clamav/clamav

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

Re: GCP Management
Yes that is correct, I used the GCP API to install the clamav using the
malware scanner service account exporter via the instructions.

Upon install I was able to scan a clean file and test an "infected" file.
When I went to do another file scan I was rate limited and am no longer
able to run a scan, I am assuming this is the CDN settings as I am in GCP?

The version I am on is 0.103.6 as the log is suggesting I upgrade to the .7.
Going through the documentation I was unable to find a method of upgrade or
a command to do this within the GCP Cloud Terminal.

Re: GCP Management
Hello again,

On Mon, 17 Oct 2022, Jason Hamrick via clamav-users wrote:
> On Mon, 17 Oct 2022, G.W. Haywood wrote:
>> On Mon, 17 Oct 2022, Jason Hamrick wrote:
>>
>>> I was testing the scanner in my GCP project, however I seem to be unable to
>>> upgrade and am being limited. Is there an updated package or any way to
>>> update this within the GCP terminal shell?
>>
>> What are the symptoms of "being limited"?
>
> Yes that is correct, I used the GCP API to install the clamav using the
> malware scanner service account exporter via the instructions.
>
> Upon install I was able to scan a clean file and test an "infected" file.
> When I went to do another file scan I was rate limited...

PLEASE: what are the symptoms of "being limited" or "rate limited"?

How exactly did you try to perform the scan?

[aside]
If your platform shares an IP address with many other users of the
same service you might well expect to be throttled by the CDN when you
try to update the ClamAV signature database, but this will only affect
your ability to download updated signatures, it won't affect scanning.
To avoid being throttled when you try to download signatures it might
be that you need to pay for an IP address of your own. I have no idea
how that's arranged for your platform I'm afraid. And I'm guessing.
Alternatively, maybe you could upload the signatures (or 'diff' files)
to your platform from some other system. There are lots of ways of
skinning that particular cat. Don't go off on these tangents until
you have better information to work with than my guesswork.
[/aside]

But again this does *not* prevent you from scanning things using any
signatures which you already have.

Can you run shell commands from some sort of pseudo-terminal? If so
can you try running

clamconf -n

and let us see the output? Amongst other things I would expect to see
in the output something about the state of your signature database.

Do you know where the signature database is stored? Normally it's in
a single directory. There should be a few files in it. Three will be
called main, daily and bytecode, all with an extension 'cld' or 'cvd'.
If you have those you should be able to get ClamAV to scan with them.

> and am no longer able to run a scan, I am assuming this is the CDN
> settings as I am in GCP?

Don't assume things. Find out. Not being able to run a scan does not
tell us anything about being throttled by the CDN which distributes the
ClamAV signatures.

> The version I am on is 0.103.6 as the log is suggesting I upgrade to the .7
> Going through the documentation I was unable to find a method of upgrade or
> a command to do this within the GCP Cloud Terminal.

I'm afraid I can't help you with that unless you can tell me more
about the facilities you have to install software on the platform.

What are you actually trying to achieve?

Please don't just say "scan things". Put some flesh on the bones.

--

73,
Ged.
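
Added example, not part of the original message and not a ClamAV tool: where clamconf is unavailable, the check described above (are main, daily and bytecode present as .cld or .cvd?) can be done directly against the database directory, reading each file's version from the 512-byte colon-separated header that CVD/CLD files start with. The function names and the script name are hypothetical.

```shell
#!/bin/sh
# Added example (function names are hypothetical, not ClamAV tools).
# Usage: sh check_db.sh /path/to/DatabaseDirectory

# Print "version N built DATE" from the 512-byte header of a .cvd/.cld file.
# Header fields are colon-separated: ClamAV-VDB:build time:version:...
db_header_info() {
    hdr=$(dd if="$1" bs=512 count=1 2>/dev/null | tr -d '\0')
    case "$hdr" in
        ClamAV-VDB:*) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$hdr" | awk -F: '{ printf "version %s built %s\n", $3, $2; exit }'
}

# One status line per expected database; non-zero exit if any of main,
# daily or bytecode is missing or does not start with a valid header.
check_db_dir() {
    dir=$1
    rc=0
    for name in main daily bytecode; do
        found=
        for ext in cld cvd; do
            f="$dir/$name.$ext"
            [ -f "$f" ] || continue
            found=1
            if info=$(db_header_info "$f"); then
                echo "$name.$ext OK $info"
            else
                echo "$name.$ext BAD-HEADER"
                rc=1
            fi
            break
        done
        [ -n "$found" ] || { echo "$name MISSING"; rc=1; }
    done
    return $rc
}

# Run only when a directory argument is given.
[ $# -eq 0 ] || check_db_dir "$1"
```

A MISSING or BAD-HEADER line points at the signature database itself, which is a separate question from whether downloads of new signatures are being throttled.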
Re: GCP Management
I am receiving an error in the logs that I am being blocked until a
specified time this evening. I am not able to load any new files into the
unscanned bucket, they continue to error out.

To perform a scan of a file, you simply upload the file to the unscanned
data bucket. Currently, I receive an error that I am blocked.

When I attempt to run that command in the cloud shell it reports back:
command not found.

I was following the GCP documentation for "Automating malware scanning for
documents uploaded to Cloud Storage". The install clones the Docker git,
which is an old version; that is what I'm getting stuck on.

Thank you for the update!







Re: GCP Management
Hi there,

On Mon, 17 Oct 2022, Jason Hamrick via clamav-users wrote:

> I am receiving an error in the logs that I am being blocked until a
> specified time this evening. I am not able to load any new files into the
> unscanned bucket, they continue to error out.

It would be more helpful if instead of paraphrasing error messages you
could copy and paste them into your emails so that we can see exactly
what you see.

> To perform a scan of a file, you simply upload the file to the unscanned
> data bucket. Currently, I receive an error that I am blocked.

It seems to me that the supplier of your platform (presumably Google)
has done something creative and perhaps not entirely helpful. Your
description doesn't resemble anything which I recognize as what I'd
call normal ClamAV usage. Let me explain.

In what I'd call normal ClamAV usage you have a platform (some
computer with an operating system, for example Linux or Windows).

This platform has a filesystem which unsurprisingly contains files.

The operating system, through things like shells, scripts, crontabs
and other fun stuff lets you run commands. One of the ways you can
run them is by typing the name of the command at the shell prompt.

Often the point of installing new software is to get new commands that
you can run. Installing ClamAV amongst other things lets you run
commands like 'clamconf' and 'clamscan'. When you run 'clamscan' you
tell it what you want to scan, usually by giving the pathname of a
file (or many files) to be scanned. The scan then takes place, and
clamscan reports what it has found. There's no copying of files to be
scanned into buckets or whatever, they're scanned 'in situ' - exactly
where they are. If you're going to scan a lot of big files it's very
inefficient to have to copy them from place to place to do that but I
grant that the act of copying a file to this 'bucket' of yours might
not truly be copying the data - it might be something like linking.

Your description of the scanning process puzzles me, and so far you've
shown me no convincing evidence that the blocking that you're talking
about has anything at all to do with ClamAV but if you can let us have
detailed log messages we might after all find that's the case.

Apparently you have a shell prompt because you can get "command not
found" from it when you type a command. Unfortunately you don't seem
to be able to run a fundamental utility of a ClamAV installation, the
one which tells you for example how ClamAV is configured. Perhaps you
have what's called a 'restricted shell' which doesn't let you run any
old command just like that. It would make some sort of sense. Maybe
you can find out from the supplier. If that's not the explanation the
command might just not be on the shell's default search path. Not
being able to run it is a problem. Maybe all you need to do is set an
environment variable, or give the full pathname so your shell can find
the command, but I can't believe your platform supplier has made that
omission by accident.

> When I attempt to run that command in the cloud shell it reports back:
> command not found.

I think the supplier of your platform is playing games. I wonder if
in playing these games the requirements of the ClamAV GPLv2 licence
are being met:

https://en.wikipedia.org/wiki/GNU_General_Public_License#Version_2

Well we don't seem to be getting very far here.

To help you much more than this I think I'd need to know a lot more
about your platform than I really want to know but if you can let us
have those log messages we'll at least have somewhere to start from.

--

73,
Ged.