Hi there,
On Thu, 8 Oct 2020, mum laris via clamav-users wrote:
> thanks for your quick answer.
Er, my answer is below. On a mailing list, check the subject lines. :)
> Attached required report.
On a quick glance I wonder why clamconf didn't find freshclam.conf.
Are you running freshclam? You might want to enable the 'encrypted'
alerts for archives etc. as encrypted documents which contain malware
seem to be much more common recently but it's mostly Windows malware.
Earlier On Thu, 8 Oct 2020, mum laris via clamav-users wrote:
> Just to better understand, I've recently noted that cache scanning
> of my firefox browser reports many errors like this:
> ...
> Can't parse data ERROR
This could be one of those cases where ClamAV leads you on a dance to
no purpose. You might get more information if you try scanning the
file with debugging and verbose logging enabled, but it's not certain
to give you an answer. Some of the error reporting in ClamAV could be
improved, it's an on-going development task but it will take time.
Most utilities are designed to handle just a few file types. Think of
a word processor for example, it might need to handle quite a few, but
there are many it won't handle at all. Because of what it's asked to
do, ClamAV needs to be able to handle more or less *anything*. And it
has to be able to handle them whether they're on disc, in mail, or as
a bare stream of data, *and* it's expecting whatever it scans also to
be a malicious example of the type. That's a tall order. There's a
long list of code modules which just process different file types for
the scanning engine to scan. It's a fair job of work just to maintain
them - to keep them in step with developments in the many and various
specifications and fix occasional faults in them. Look at the list
archives and you'll see a mention of that in the last couple of days.
Having said that there might not be any fault in ClamAV. Random data
can appear to a file classifier to be more or less any type of file.
It might just be that ClamAV is being unavoidably confused by a chunk
of random data which resembles something it isn't. The chances might
be small, but they're not zero. Browsers in particular have a habit
of storing huge numbers of files which most of us would have trouble
identifying. Much of the time the files are written speculatively to
local storage 'just in case' they might be used again, but never are.
It might even be a filesystem or system error, although I'm not sure
how likely that is without more information. I'd expect there to be
other indications of that sort of thing. What's the storage device?
Is it near its best-before date? Are you familiar with 'fsck'?
> I've checked and it's a regular file. But its content isn't a plain
> text file.
It could be almost anything. You can use the 'file' utility for more
information. It might be a compressed file or something like that and
it might be broken. Anything as bloated and complex as the graphical
browsers of the 21st century is almost expected to leave broken files
lying around the filesystem when it trips over its own great big feet.
> I'm almost sure not happened before...
Maybe it's happening now because of an update to the browser version.
Maybe it's because you updated ClamAV or changed its configuration, or
changed something else. If it is just an odd log message now and then
I'd ignore it unless I had time on my hands to investigate. If it's a
lot more than that then it might tell you that something needs fixing,
but it would need some investigation. You could put some files on a
file sharing site and post a link here to see if anyone wants to take
up the challenge but if you do that, please make sure that you won't
be posting anything you want to keep private.
Some browsers will store gigabytes of junk for years. You can tell
them to delete the cache, or restrict the size of the cache, which
will at least mean it takes a lot less time to scan. You could tell
ClamAV not to scan it, but as it might be one of the more likely
places on the system to find threats, if you're concerned about them I
wouldn't want to go so far as that.
As long as your system - and particularly your browser - is kept up to
date with security patches, and you're sensible about where and what
you browse, and if the storage devices etc. are generally healthy, you
shouldn't need to worry too much. Most of the alerts from ClamAV will
either be false alarms, warnings about exceeding some limit or other,
or for Windows things to which a Linux box is immune. If ClamAV does
find something in the browser cache which is a threat to your browser,
it's probably already too late to stop it doing its nasty work.
--
73,
Ged.
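
Added example, not part of the message above and not ClamAV code: Python that shows how a blob can carry the leading bytes of a file type and still fail to parse as that type, which is the situation described for browser cache files. The function names and the sample blobs are constructed for this illustration; only the gzip and zip signatures are real.

```python
import gzip
import io
import zipfile
import zlib

# Leading "magic" bytes a type classifier keys on (real gzip and zip signatures).
MAGIC = {"gzip": b"\x1f\x8b", "zip": b"PK\x03\x04"}


def classify(data):
    """Return the type suggested by the first bytes alone, or None."""
    for kind, magic in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def parses(kind, data):
    """Check whether the data really decodes as the type its magic claims."""
    try:
        if kind == "gzip":
            gzip.decompress(data)
        elif kind == "zip":
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return zf.testzip() is None
        return True
    except (OSError, EOFError, zlib.error, zipfile.BadZipFile):
        return False


def triage(data):
    """Label a blob as 'unknown', '<type>:ok' or '<type>:broken'."""
    kind = classify(data)
    if kind is None:
        return "unknown"
    return f"{kind}:ok" if parses(kind, data) else f"{kind}:broken"


def expected_false_hits(n_files, magic):
    """Expected number of uniformly random files that start with `magic`."""
    return n_files / 256 ** len(magic)


# Constructed samples: a valid gzip member, the same member cut short
# (a partly written cache entry), and junk that merely starts like gzip.
GOOD = gzip.compress(b"cached page body " * 50)
SAMPLES = {"good": GOOD, "truncated": GOOD[:-12],
           "junk": b"\x1f\x8b\x08\x00" + b"\x00" * 6 + b"\xff" * 32}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:10s} {triage(blob)}")
    print("random gzip look-alikes per 65536 files:",
          expected_false_hits(65536, MAGIC["gzip"]))
```

A "broken" label here says only that the content does not decode as the type its first bytes suggest; it does not say whether the file is malicious.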