Mailing List Archive

[clamav-users] Clamav signature
Hi

Looking through our scanning logs we see what appears to be a signature
that looks like this

clamav: 0.102.4/m:59/d:25920

'0.102.4' refers to the clamav version but what does the rest mean -
m:59/d:25920 ?

Thanks, Jeff
Re: [clamav-users] Clamav signature
It means that you are using ClamAV version 0.102, with the main.cvd
signature file version 59, and the daily.cvd signature file version 25920.

-Alain

On Thu, Sep 17, 2020 at 1:12 PM Jeff Koch <jeffkoch@intersessions.com>
wrote:

>
> Hi
>
> Looking through our scanning logs we see what appears to be a signature
> that looks like this
>
> clamav: 0.102.4/m:59/d:25920
>
> '0.102.4' refers to the clamav version but what does the rest mean -
> m:59/d:25920 ?
>
> Thanks, Jeff
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>
Re: [clamav-users] Clamav signature
Quoting Jeff Koch <jeffkoch@intersessions.com>:

> Hi
>
> Looking through our scanning logs we see what appears to be a
> signature that looks like this
>
> clamav: 0.102.4/m:59/d:25920
>
> '0.102.4' refers to the clamav version but what does the rest mean -
> m:59/d:25920 ?

If you look at the freshclam logs, the pattern is fairly obvious:

sep 17 18:45:42 mail freshclam[65271]: daily.cld database is up to date (version: 25931, sigs: 4319278, f-level: 63, builder: raynman)
sep 17 18:45:42 mail freshclam[65271]: main.cld database is up to date (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)
sep 17 18:45:42 mail freshclam[65271]: bytecode.cld database is up to date (version: 331, sigs: 94, f-level: 63, builder: anvilleg)

Re: [clamav-users] Clamav signature
Thanks.

The freshclam logs show daily.cvd signature file version 25930 is
installed but simscan: clamscan currently shows version 25920 being
used. How do I get clamscan to use the latest version downloaded?

version 25920 appears to be from September 4th.

Jeff

On 9/17/2020 1:31 PM, Alain Zidouemba wrote:
> It means that you are using ClamAV version 0.102, with the main.cvd
> signature file version 59, and the daily.cvd signature file version
> 25920.
>
> -Alain
>
> On Thu, Sep 17, 2020 at 1:12 PM Jeff Koch <jeffkoch@intersessions.com
> <mailto:jeffkoch@intersessions.com>> wrote:
>
>
> Hi
>
> Looking through our scanning logs we see what appears to be a
> signature that looks like this
>
> clamav: 0.102.4/m:59/d:25920
>
> '0.102.4' refers to the clamav version but what does the rest mean
> - m:59/d:25920 ?
>
> Thanks, Jeff
Re: [clamav-users] Clamav signature
Quoting Jeff Koch <jeffkoch@intersessions.com>:

> Thanks.
>
> The freshclam logs show daily.cvd signature file version 25930 is
> installed but simscan: clamscan currently shows version 25920 being
> used. How do I get clamscan to use the latest version downloaded?

Could be a different location is configured where freshclam updates
the database and where clamd is looking for it:

# grep DatabaseDirectory /etc/clamd.conf /etc/freshclam.conf
/etc/clamd.conf:#DatabaseDirectory /var/lib/clamav
/etc/freshclam.conf:#DatabaseDirectory /var/lib/clamav

Here the built-in defaults are used for both and they are the same. It
could be yours differ. Typically, clamd will check this directory
every 10 minutes, so even if the signal from freshclam that a new
database is available, clamd should be running the latest one shortly
after download.

Re: [clamav-users] Clamav signature
Hi there,

On Thu, 17 Sep 2020, Jeff Koch wrote:

> The freshclam logs show daily.cvd signature file version 25930 is installed
> but simscan: clamscan currently shows version 25920 being used. How do I get
> clamscan to use the latest version downloaded?

First take a look through the output of 'clamconf', it might shed some light.

--

73,
Ged.

Re: [clamav-users] Clamav signature
Hi

It appears clamscan is using the latest signature database. We needed to
run 'qmailctl cdb' to update the signatures being included in logs and
email headers. Once that was done the signature file version 25931 was
reported. Seems strange that the clamscan logs needed to get that
information from qmail's simversions.cdb file.

I ran 'clamconf' - it reports the

Database information
--------------------
Database directory: /var/lib/clamav
daily.cld: version 25931, sigs: 4319278, built on Thu Sep 17 09:53:56 2020
bytecode.cld: version 331, sigs: 94, built on Thu Sep 19 12:12:33 2019
main.cld: version 59, sigs: 4564902, built on Mon Nov 25 08:56:15 2019
Total number of signatures: 8884274

Thanks, Jeff

On 9/17/2020 6:21 PM, G.W. Haywood via clamav-users wrote:
> Hi there,
>
> On Thu, 17 Sep 2020, Jeff Koch wrote:
>
>> The freshclam logs show daily.cvd signature file version 25930 is
>> installed but simscan: clamscan currently shows version 25920 being
>> used. How do I get clamscan to use the latest version downloaded?
>
> First take a look through the output of 'clamconf', it might shed some
> light.
>
Re: [clamav-users] Clamav signature
Dear Jeff,

I don't know what 'qmailctl cdb' is doing in your Linux (since qmail is
over-patched nowadays) but I believe it is touching ONLY the qmail tcprules.
This means simscan cdbs are not generated/updated when needed.

Basically for simscan you need to run:

/var/qmail/bin/simscanmk (path might be diff) to generate simcontrol.cdb
which basically contains: if clamav is used, if spamassassin is used,
which files you don't accept, etc

AND

/var/qmail/bin/simscanmk -g (path might be diff) will generate the
simversions.cdb which contains the versions of clamav and spamassassin.

Long story short, you most probably forgot to run simscanmk -g .

PS: I love qmail, it is quite simple, good security, but unfortunately it is
quite difficult to maintain a very good email server with it today. You
are missing a lot of functionality (or you need to be very creative
about which patch you apply, in which stage). Unfortunately, from my
point of view its simplicity is now a headache. Please consider using a
more up-to-date MTA (exim, postfix). Just think about it.

PPS: sorry for my deviation from the subject :) I know we are on clamav
mailing-list :)

---
Best regards,
Iulian Stan

On 2020-09-18 05:50, Jeff Koch wrote:

> Hi
>
> It appears clamscan is using the latest signature database. We needed to run 'qmailctl cdb' to update the signatures being included in logs and email headers. Once that was done the signature file version 25931 was reported. Seems strange that the clamscan logs needed to get that information from qmail's simversions.cdb file.
>
> I ran 'clamconf' - it reports the
>
> Database information
> --------------------
> Database directory: /var/lib/clamav
> daily.cld: version 25931, sigs: 4319278, built on Thu Sep 17 09:53:56 2020
> bytecode.cld: version 331, sigs: 94, built on Thu Sep 19 12:12:33 2019
> main.cld: version 59, sigs: 4564902, built on Mon Nov 25 08:56:15 2019
> Total number of signatures: 8884274
>
> Thanks, Jeff
>
> On 9/17/2020 6:21 PM, G.W. Haywood via clamav-users wrote: Hi there,
>
> On Thu, 17 Sep 2020, Jeff Koch wrote:
>
> The freshclam logs show daily.cvd signature file version 25930 is installed but simscan: clamscan currently shows version 25920 being used. How do I get clamscan to use the latest version downloaded?
> First take a look through the output of 'clamconf', it might shed some light.
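
An added example, not part of any message in this thread and not code from ClamAV, simscan or qmail: a Python check that parses the `clamav: <engine>/m:<main>/d:<daily>` stamp discussed above and compares it with the database versions found in freshclam log lines or clamconf output, flagging a stale stamp such as the cached simversions.cdb value in this thread. The function names are assumptions, and the sample inputs are constructed from values quoted in the thread.

```python
import re

# Stamp format as quoted in the thread: clamav: <engine>/m:<main>/d:<daily>
STAMP_RE = re.compile(
    r"clamav:\s*(?P<engine>\d+(?:\.\d+)*)/m:(?P<main>\d+)/d:(?P<daily>\d+)")
# Matches freshclam log lines ("daily.cld database is up to date (version: N, ...")
# and clamconf lines ("daily.cld: version N, sigs: ...").
DB_RE = re.compile(
    r"\b(?P<db>main|daily|bytecode)\.c[lv]d\b[^\n]*?version:?\s*(?P<ver>\d+)")

# Constructed samples, assembled from lines quoted in the thread.
SAMPLE_FRESHCLAM = """\
sep 17 18:45:42 mail freshclam[65271]: daily.cld database is up to date (version: 25931, sigs: 4319278, f-level: 63, builder: raynman)
sep 17 18:45:42 mail freshclam[65271]: main.cld database is up to date (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)
sep 17 18:45:42 mail freshclam[65271]: bytecode.cld database is up to date (version: 331, sigs: 94, f-level: 63, builder: anvilleg)
"""
SAMPLE_CLAMCONF = """\
Database directory: /var/lib/clamav
daily.cld: version 25931, sigs: 4319278, built on Thu Sep 17 09:53:56 2020
main.cld: version 59, sigs: 4564902, built on Mon Nov 25 08:56:15 2019
"""

def parse_stamp(text):
    """Return engine/main/daily from a scanner stamp, or None if absent."""
    m = STAMP_RE.search(text)
    if m is None:
        return None
    return {"engine": m["engine"], "main": int(m["main"]), "daily": int(m["daily"])}

def installed_versions(text):
    """Map database name -> version; the last line seen for a database wins."""
    versions = {}
    for m in DB_RE.finditer(text):
        versions[m["db"]] = int(m["ver"])
    return versions

def stale_components(stamp, installed):
    """Return {db: (stamped, installed)} where the stamp lags the database."""
    stale = {}
    for db in ("main", "daily"):
        if db in installed and stamp[db] < installed[db]:
            stale[db] = (stamp[db], installed[db])
    return stale

if __name__ == "__main__":
    stamp = parse_stamp("clamav: 0.102.4/m:59/d:25920")
    print(stale_components(stamp, installed_versions(SAMPLE_FRESHCLAM)))
```

A non-empty result means the stamp written into logs and headers is older than the installed database, which in this thread pointed at simversions.cdb needing regeneration rather than at clamscan using old signatures.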