[clamav-users] Clamscan taking a very long time
ClamAV 0.102.1/25679/Mon Dec 30 17:01:01 2019
macOS 10.15.2

Help me figure out why clamscan is suddenly taking so long.

An older log file fragment:

----------- SCAN SUMMARY -----------
Known viruses: 6613648
Engine version: 0.100.1
Scanned directories: 261793
Scanned files: 636746
Infected files: 11
Total errors: 1
Data scanned: 81505.97 MB
Data read: 105156.85 MB (ratio 0.78:1)
Time: 8728.307 sec (145 m 28 s)

The most recent log file fragment:

----------- SCAN SUMMARY -----------
Known viruses: 6639105
Engine version: 0.102.1
Scanned directories: 206450
Scanned files: 578017
Infected files: 1
Total errors: 49
Data scanned: 51163.40 MB
Data read: 55583.83 MB (ratio 0.92:1)
Time: 32246.560 sec (537 m 26 s)

Where scanning my home directory used to take just over two hours it is now taking almost nine even though there is less data to scan.

Here’s the command I’m using:

/opt/local/bin/clamscan -r --quiet -i -l $log $scandir --exclude-dir=$exclude --exclude-dir=$exclude2 --stdout >>$log 2>&1

Where $scandir is my home directory, $exclude is a directory with JPEGs and $exclude2 is an iOS device backup directory.


_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] Clamscan taking a very long time
Hi there,

On Thu, 2 Jan 2020, Michael Newman via clamav-users wrote:

> ClamAV 0.102.1/25679/Mon Dec 30 17:01:01 2019
> macOS 10.15.2
>
> Help me figure out why clamscan is suddenly taking so long.
> ...
> Engine version: 0.100.1
> Total errors: 1
> Time: 8728.307 sec (145 m 28 s)
> ...
> Engine version: 0.102.1
> Total errors: 49
> Time: 32246.560 sec (537 m 26 s)

Please define "suddenly". You are however using a different version
of ClamAV in the later log snippet, which you can probably expect to
be more thorough.

In any case I'd want to know what all those errors are. Try logging
verbosely (remove --quiet, see man page, etc.) and get back to us when
you can give more information.

What has ClamAV found that you think shouldn't have been there?

--

73,
Ged.

Re: [clamav-users] Clamscan taking a very long time
I am running clamav 0.102.1 built with llvm enabled but I have set up a dedicated user id called clamav(n). Then I create a shell script to run clamd and freshclam as daemons using this clamav(n) user id. I run clamdscan for one user and it takes only ten minutes to run. My OS is Catalina 10.15.2. When you run clamdscan as a different user from clamav(n) you should still use the clamd.conf file of the clamd daemon running as user clamav(n). You might have to adjust the file permissions of clamd.conf to allow another user to access it.
Are you building with the latest Xcode and brew dependent packages (except for llvm)? I built with llvm 3.6.2 using gnu build system, not cmake.


From: Michael Newman via clamav-users<mailto:clamav-users@lists.clamav.net>
Sent: Wednesday, January 1, 2020 7:40 PM
To: ClamAV users ML<mailto:clamav-users@lists.clamav.net>
Cc: Michael Newman<mailto:mgnewman@mac.com>
Subject: [clamav-users] Clamscan taking a very long time

Re: [clamav-users] Clamscan taking a very long time
On Jan 3, 2020, at 00:00, G.W. Haywood wrote:

> Please define "suddenly".

Suddenly means that the scan on December 17th took about two hours:

Time: 7569.856 sec (126 m 9 s)

and the next scan, on December 24th took about nine hours:

Time: 35785.296 sec (596 m 25 s)

Both scans used:

Engine version: 0.102.1

> In any case I'd want to know what all those errors are.

So would I. Both of the above scans had:

Total errors: 49

I scanned again removing --quiet, but there’s no indication as to what those errors are.

Today there were just 4 errors.

I’ve searched and looked through the ClamAV documentation but haven’t been smart enough to find a definition for "Total errors:". Does anyone know what it means?

> What has ClamAV found that you think shouldn't have been there?

Nothing. The only problem is that several scans took nine hours when, over the past couple of years, every scan has taken about two hours. Today’s scan, with --quiet removed, took about two and a half hours.

I’d like to know why the recent scans have taken so long.

Here’s the result of today’s scan:

=====

Fri Jan 3 04:44:09 +07 2020 Start clamscan
/Users/mnewman/Library/Mail/V7/40D4A1AB-4AC4-4D92-94A8-ACCBACCBB2CB/Deleted Messages.mbox/96546A05-A248-4911-AD12-0E19978E6803/Data/4/7/4/Messages/474077.partial.emlx: Heuristics.Phishing.Email.SpoofedDomain FOUND
/Users/mnewman/Library/Mail/V7/40D4A1AB-4AC4-4D92-94A8-ACCBACCBB2CB/Deleted Messages.mbox/96546A05-A248-4911-AD12-0E19978E6803/Data/4/7/4/Messages/474077.partial.emlx: Heuristics.Phishing.Email.SpoofedDomain FOUND
/Users/mnewman/Library/Mail/V7/40D4A1AB-4AC4-4D92-94A8-ACCBACCBB2CB/Deleted Messages.mbox/96546A05-A248-4911-AD12-0E19978E6803/Data/4/7/4/Messages/474077.partial.emlx: Heuristics.Phishing.Email.SpoofedDomain FOUND
/Users/mnewman/Library/testfile.txt: Eicar-Test-Signature FOUND
----------- SCAN SUMMARY -----------
Known viruses: 6643097
Engine version: 0.102.1
Scanned directories: 249364
Scanned files: 694140
Infected files: 1
Total errors: 4
Data scanned: 70545.69 MB
Data read: 73821.73 MB (ratio 0.96:1)
Time: 9886.090 sec (164 m 46 s)
ClamAV scan finished: Fri Jan 3 07:28:55 +07 2020


Re: [clamav-users] Clamscan taking a very long time
Sent from my iPad

On Jan 2, 2020, at 22:38, Michael Newman via clamav-users <clamav-users@lists.clamav.net> wrote:
> I’ve searched and looked through the ClamAV documentation but haven’t been smart enough to find a definition for "Total errors:". Does anyone know what it means?

Most error reports involve files that cannot be completely scanned, either because the user lacks read permission or the file exceeds one of the limits imposed by a configuration parameter.

It does seem odd that the numbers would change between scans by that amount.

Logs can be made to display errors, but I’m not on my computer right now, so can’t say off-hand what needs to be changed in order to display them.

-Al-

Re: [clamav-users] Clamscan taking a very long time
Hi there,

On Fri, 3 Jan 2020, Al Varnell via clamav-users wrote:
>
> Logs can be made to display errors, but I’m not on my computer right
> now, so can’t say off-hand what needs to be changed in order to
> display them.

The OP could try:

man clamd.conf

--

73,
Ged.

Re: [clamav-users] Clamscan taking a very long time
Allan Mui wrote:
> Are you building with the latest Xcode and brew dependent packages
I installed with MacPorts and let MacPorts take care of everything.

Al Varnell wrote:
> Most error reports involve files that cannot be completely scanned, either because the user lacks read permission or the file exceeds one of the limits imposed by a configuration parameter.
Normally those sorts of errors are logged by the command that I'm using. Here's an example:

WARNING: Can't open file /Users/mnewman/Library/Preferences/com.apple.AddressBook.plist: Operation not permitted

The four errors I got with yesterday's scan were not logged, so I have no idea what they were.

G.W. Haywood wrote:
> The OP could try: man clamd.conf
I've looked through there and don't find anything about logging errors. Could you help by letting me know what I should change?

Mike Newman
Korat, Thailand
Re: [clamav-users] Clamscan taking a very long time
Hi there,

On Sat, 4 Jan 2020, Michael Newman via clamav-users wrote:
> G.W. Haywood wrote:
>> The OP could try: man clamd.conf
> I've looked through there and don't find anything about logging
> errors. Could you help by letting me know what I should change?

Look at the 'LogVerbose' and 'Debug' directives.

--

73,
Ged.

Re: [clamav-users] Clamscan taking a very long time
> On Jan 5, 2020, at 00:00, G.W. Haywood wrote:
>
>
> Look at the 'LogVerbose' and 'Debug' directives.

The LogVerbose directive seems to do the same thing as the -v parameter with clamscan. All that does is list every file that is checked. It also tells whether or not the file is OK.

The Debug directive seems to do the same thing as the --debug parameter of clamscan. When scanning my desktop with 47 files it produced over 7000 lines of output, most of which I don't understand.

Is there no easy way to find out exactly what:

Total errors: 4

means and what those errors were?

I see that this question has been asked and not answered before:

https://superuser.com/questions/842916/clamav-shows-errors-found-but-how-to-find-out-what-they-are

https://askubuntu.com/questions/295477/meaning-of-total-errors-on-result-of-clamav-scan

So, I guess the answer is "No"
Re: [clamav-users] Clamscan taking a very long time
Hi there,

On Sun, 5 Jan 2020, Michael Newman via clamav-users wrote:
>> On Jan 5, 2020, at 00:00, G.W. Haywood wrote:
>>
>> Look at the 'LogVerbose' and 'Debug' directives.
>
> The LogVerbose directive seems to do the same thing as the -v parameter with clamscan. All that does is list every file that is checked. It also tells whether or not the file is OK.
>
> The Debug directive seems to do the same thing as the --debug parameter of clamscan. When scanning my desktop with 47 files it produced over 7000 lines of output, most of which I don't understand.
>
> Is there no easy way to find out exactly what:
>
> Total errors: 4
>
> means and what those errors were?
>
> I see that this question has been asked and not answered before:

There was in fact an answer to the askubuntu question, even if it was
not very helpful, but both those questions were asked over five years
ago so I think they're best ignored.

> So, I guess the answer is "No"

The other questions notwithstanding, your guess is incorrect unless
you meant "if I ask in the wrong place is there no easy way..."

Look at (about) lines 400-444 in clamdscan/proto.c.

I can only be approximate with those line numbers because I'm looking
at a development version of the source code at present, but if you do
take the trouble to look you will see that (1) the errors are counted
by the callbacks which do the scanning under various circumstances and
(2) when errors occur and are counted, they are also logged. So I
guess the errors that you're asking about are noted amongst the 7000+
lines of output of which you have possession. You might want to look
into some of the text processing tools available, such as 'grep'.

--

73,
Ged.

Re: [clamav-users] Clamscan taking a very long time
> G.W. Haywood wrote:

> So I guess the errors that you're asking about are noted amongst the 7000+
> lines of output of which you have possession. You might want to look
> into some of the text processing tools available, such as 'grep'.

Using the --quiet option only logs error messages including infected files.

Combining that with the --infected option (Only print infected files) means that non-infected files that produced an error are not logged.

Removing the --infected option from the command in my script results in a log that includes both infected files and files that produced an error or warning. No need for debug or grep.

I included the following file in a test scan:

-rw------- 1 root wheel 428688 Jan 5 06:02 clam.txt

I also included testfile.txt, the Eicar-Test-Signature

Here's the log file:

=====
/users/mnewman/desktop/bw.log: Empty file
/users/mnewman/desktop/.localized: Empty file
/users/mnewman/desktop/clam.txt: Access denied
/users/mnewman/desktop/Relocated Items: Symbolic link
/users/mnewman/desktop/PowerWalker: Symbolic link
/users/mnewman/desktop/testfile.txt: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 6643097
Engine version: 0.102.1
Scanned directories: 1
Scanned files: 52
Infected files: 1
Total errors: 1
Data scanned: 13.82 MB
Data read: 78.07 MB (ratio 0.18:1)
Time: 10.505 sec (0 m 10 s)
=====

I'm assuming that "Access denied" is the error mentioned in the summary and that the other files listed are in the nature of warnings.

If I run that same scan using the --infected option, I get this log which does not include the error and warnings:

=====
/users/mnewman/desktop/testfile.txt: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 6643097
Engine version: 0.102.1
Scanned directories: 1
Scanned files: 52
Infected files: 1
Total errors: 1
Data scanned: 13.82 MB
Data read: 78.07 MB (ratio 0.18:1)
Time: 10.282 sec (0 m 10 s)
=====

I haven't been able to find a way to log only errors and not warnings.
Re: [clamav-users] Clamscan taking a very long time
Hi there,

On Mon, 6 Jan 2020, Michael Newman via clamav-users wrote:
>
>> G.W. Haywood wrote:
>> ...
>> You might want to look into some of the text processing tools available, such as 'grep'.
> ...
> No need for debug or grep. ... I haven't been able to find a way to log only errors and not warnings.

It's easier to parse logs with 'grep' than it is to tweak the syslog
rule, but aren't we straying from the subject a little? Your logs
should have timestamps, which will tell you what's taking the time.

--

73,
Ged.
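
The test-scan log quoted earlier in this thread, separated into findings, errors and notices with awk, and checked against the "Total errors:" line (an added example, not part of any list message and not ClamAV project code). The line patterns are assumptions taken from lines quoted in the thread ("Access denied" and "WARNING:" as errors, "Empty file" and "Symbolic link" as notices), and the sample log is constructed from those same lines.

```shell
#!/bin/sh
# Constructed sample: the clamscan log quoted in the thread (run without --infected).
sample_log() {
cat <<'EOF'
/users/mnewman/desktop/bw.log: Empty file
/users/mnewman/desktop/.localized: Empty file
/users/mnewman/desktop/clam.txt: Access denied
/users/mnewman/desktop/Relocated Items: Symbolic link
/users/mnewman/desktop/PowerWalker: Symbolic link
/users/mnewman/desktop/testfile.txt: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Total errors: 1
EOF
}

# Tag every per-file line as FOUND, ERROR, NOTICE or OTHER, then emit
# "SUMMARY <errors seen in log> <Total errors reported by clamscan>".
# The patterns are assumptions drawn from the thread, not a list from ClamAV.
classify_log() {
    awk '
        /^-+ SCAN SUMMARY -+$/ { in_summary = 1; next }
        in_summary { if ($0 ~ /^Total errors:/) reported = $3; next }
        /^$/ { next }
        / FOUND$/ { print "FOUND\t" $0; next }
        /: (Empty file|Symbolic link)$/ { print "NOTICE\t" $0; next }
        /: Access denied$/ || /^WARNING: / { errors++; print "ERROR\t" $0; next }
        { print "OTHER\t" $0 }
        END { printf "SUMMARY\t%d\t%d\n", errors, reported }
    '
}

# Only the lines that count as errors under the assumptions above.
errors_only() {
    classify_log | awk '/^ERROR\t/ { sub(/^ERROR\t/, ""); print }'
}

# Exit 0 when the errors visible in the log account for "Total errors:".
# A mismatch means errors occurred that these patterns did not see in the log.
counts_match() {
    classify_log | awk -F'\t' '$1 == "SUMMARY" { ok = ($2 == $3) } END { exit !ok }'
}

# Demo on the constructed sample; for a real log: errors_only < "$log"
sample_log | errors_only
sample_log | counts_match && echo "error count matches summary"
```

Run against a log produced with --infected, `counts_match` fails because the error lines were never written, which is the situation described earlier in the thread.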

Re: [clamav-users] Clamscan taking a very long time
G.W. Haywood wrote:

> It's easier to parse logs with 'grep' than it is to tweak the syslog
> rule, but aren't we straying from the subject a little? Your logs
> should have timestamps, which will tell you what's taking the time.

Nope. I give up. No more clamAV for me. Clearly, I'm not smart enough to figure out how to use it.