
[clamav-users] LibClamAV Error
Hello,

I'm getting this error all the time with complete scans:

LibClamAV Error: [scan_biff_for_xlm_macros] Unexpected state value 4


Any idea about how to fix it?

NAME="CloudLinux"
VERSION="8.2 (Yury Malyshev)"
ID="cloudlinux"
ID_LIKE="rhel fedora centos"
VERSION_ID="8.2"

Thank you.


_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] LibClamAV Error
Hi there,

On Sun, 13 Dec 2020, Aitor Serra Martín wrote:

> I'm getting this error all the time with complete scans:
>
> LibClamAV Error: [scan_biff_for_xlm_macros] Unexpected state value 4
> ...
> NAME="CloudLinux"
> ...

This message is emitted by the function scan_biff_for_xlm_macros() in
.../libclamav/ole2_extract.c when ClamAV has trouble parsing the data
that it's given. It should theoretically never happen but perhaps the
things that you're scanning are confusing ClamAV. I haven't spent a
lot of time reading the code in that area because I very rarely have
any interest in Microsoft stuff, so some of this is guesswork, but if
you scan large amounts of more or less random binary data for things
like Microsoft Office macros then you can expect sometimes to see odd
results. There may be cases where badly formed (perhaps malicious)
data will confuse ClamAV's parsers - whether MS Office macros or not.
To some extent this is inevitable, and a message like this might be a
warning flag about a clever attack, or more likely it might be noise.

> Any idea about how to fix it?

It isn't clear to me that this is broken, but it might be. To decide
if anything needs to be done, more information is needed. I do not
know what you mean by "all the time with complete scans", please be
more specific. Could we please also have the following:

(a) your version of ClamAV,
(b) how and when it was installed,
(c) exactly which databases you are using,
(d) how you are keeping the databases up to date,
(e) how long you have been using ClamAV and
(f) whether or not it otherwise behaves as you would expect,
(g) your ClamAV configuration - the output of 'clamconf -n',
(h) exactly what you are scanning - sample(s) which give the error,
(i) exactly how you are scanning it - let us see the command line(s) and/or script.

--

73,
Ged.

Re: [clamav-users] LibClamAV Error
Hello, and thank you for your help. Here are the answers:

(a) your version of ClamAV: Version 0.103.0.

(b) how and when it was installed: it was installed using CustomBuild
scripts from the DirectAdmin control panel.

(c) exactly which databases you are using: ClamAV 0.103.0/26016/Sun Dec
13 15:31:03 2020

(d) how you are keeping the databases up to date: I think it's done
daily by freshclam

(e) how long you have been using ClamAV: 2 years in some servers

(f) whether or not it otherwise behaves as you would expect: It still
cleans files but gives long reports with the error mentioned several times.

(g) your ClamAV configuration - the output of 'clamconf -n':

Checking configuration files in /etc

Config file: clamd.conf
-----------------------
PidFile = "/var/run/clamd/clamd.pid"
TCPSocket = "3310"
TCPAddr = "127.0.0.1"

Config file: freshclam.conf
---------------------------
LogSyslog = "yes"
PidFile = "/var/run/clamd/freshclam.pid"
DatabaseMirror = "database.clamav.net"

clamav-milter.conf not found

Software settings
-----------------
Version: 0.103.0
Optional features supported: MEMPOOL IPv6 AUTOIT_EA06 BZIP2 LIBXML2
PCRE2 ICONV RAR

Database information
--------------------
Database directory: /usr/local/share/clamav
daily.cld: version 26016, sigs: 4401988, built on Sun Dec 13 15:31:03 2020
bytecode.cvd: version 331, sigs: 94, built on Thu Sep 19 18:12:33 2019
main.cvd: version 59, sigs: 4564902, built on Mon Nov 25 14:56:15 2019
[3rd Party] rfxn.hdb: 12926 sigs
[3rd Party] rfxn.yara: 11527 sigs
[3rd Party] rfxn.ndb: 2039 sigs
Total number of signatures: 8993476

Platform information
--------------------
uname: Linux 4.18.0-147.8.1.el8.lve.1.x86_64 #1 SMP Mon Jun 29 09:55:57
EDT 2020 x86_64
OS: linux-gnu, ARCH: x86_64, CPU: x86_64
zlib version: 1.2.11 (1.2.11), compile flags: a9
platform id: 0x0a2179790800000000080301

Build information
-----------------
GNU C: 8.3.1 20191121 (Red Hat 8.3.1-5) (8.3.1)
CPPFLAGS: -I/usr/kerberos/include
CFLAGS: -g -O2 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE
-D_FILE_OFFSET_BITS=64
CXXFLAGS: -g -O2
LDFLAGS: -L/usr/lib
Configure: '--prefix=/usr/local' '--sysconfdir=/etc'
'--with-xml=/usr/local' '--with-zlib=/usr' '--with-libcurl=/usr/local'
'PKG_CONFIG_PATH=/usr/local/icu/lib/pkgconfig:/usr/local/lib64/pkgconfig:/usr/local/lib/pkgconfig:/usr/lib/x86_64-linux-gnu/pkgconfig'
--enable-ltdl-convenience
sizeof(void*) = 8
Engine flevel: 121, dconf: 121


(h) exactly what you are scanning - sample(s) which give the error:

/usr/local/bin/clamscan -ri --remove /home2-81/*


(i) exactly how you are scanning it - let us see the command line(s)
and/or script.

The same command.

Thank you!




Re: [clamav-users] LibClamAV Error
Hi there,

On Mon, 14 Dec 2020, Aitor Serra Martín wrote:

> On 13/12/2020 at 12:41, G.W. Haywood via clamav-users wrote:

>> (a) your version of ClamAV:

> Version 0.103.0.

OK.

>> (b) how and when it was installed:
> it was installed using CustomBuild scripts from the DirectAdmin control panel.

I do not know what that is, but I guess you did not compile ClamAV yourself?

>> (c) exactly which databases you are using:

> ClamAV 0.103.0/26016/Sun Dec 13 15:31:03 2020

OK.

>> (d) how you are keeping the databases up to date:

> I think it's done daily by freshclam

Check the logs to make sure. You should be doing that routinely.

>> (e) how long you have been using ClamAV:

> 2 years in some servers

OK.

>> (f) whether or not it otherwise behaves as you would expect:

> It still cleans files but gives long reports with the error mentioned several times.

Where are these "long reports"? Are they in the log files, or are
they output to your screen when you run the 'clamscan' command?

>> (g) your ClamAV configuration - the output of 'clamconf -n':

> ...
> Config file: clamd.conf
> -----------------------
> PidFile = "/var/run/clamd/clamd.pid"
> TCPSocket = "3310"
> TCPAddr = "127.0.0.1"

Is the clamd daemon running?
Are you using it for anything?
Why are you using a TCP socket instead of the default filesystem socket?

> Config file: freshclam.conf
> ---------------------------
> LogSyslog = "yes"
> PidFile = "/var/run/clamd/freshclam.pid"
> DatabaseMirror = "database.clamav.net"

I see nothing in your freshclam.conf which will update the rfxn databases.

> Database information
> --------------------
> Database directory: /usr/local/share/clamav
> daily.cld: version 26016, sigs: 4401988, built on Sun Dec 13 15:31:03 2020
> bytecode.cvd: version 331, sigs: 94, built on Thu Sep 19 18:12:33 2019
> main.cvd: version 59, sigs: 4564902, built on Mon Nov 25 14:56:15 2019

OK

> [3rd Party] rfxn.hdb: 12926 sigs
> [3rd Party] rfxn.yara: 11527 sigs
> [3rd Party] rfxn.ndb: 2039 sigs

Are these databases being updated? If so, how? Check the timestamps
on the files in the database directory and the freshclam logs.

> (h) exactly what you are scanning - sample(s) which give the error:
>
> /usr/local/bin/clamscan -ri --remove /home2-81/*

This is the answer to my question (i) below. I meant please provide
samples of files which give the error message when scanned. Please do
not try to attach samples to a message sent to the mailing list; place
files somewhere on the Web, and provide links to them in your message.

>> (i) exactly how you are scanning it - let us see the command line(s) and/or script.

> The same command.

What user runs this command?

The --remove option is dangerous. If there are false positives, it
may remove files which should not have been removed. Are you happy
with that?

--

73,
Ged.

Re: [clamav-users] LibClamAV Error
Hello,

- It's updated daily. I did it manually now:

ClamAV update process started at Mon Dec 14 16:14:53 2020
daily database available for update (local version: 26016, remote
version: 26017)
Current database is 1 version behind.

- The "long reports" are mails I'm getting when the cronjobs run. It's
the "output to the screen when you run the clamscan"

- The clamd daemon is running. I think it's because it runs with exim or
something similar. It's the default installation on DirectAdmin servers.
I didn't change the socket.

- I didn't check individual files; I just check the /home directories
where viruses could be. If there are possible viruses, I prefer to delete
them.


Re: [clamav-users] LibClamAV Error
Hi there,

On Mon, 14 Dec 2020, Aitor Serra Martín wrote:

> - It's updated daily. I did it manually now:
>
> ClamAV update process started at Mon Dec 14 16:14:53 2020
> daily database available for update (local version: 26016 ...

This does not appear to update the rfxn databases.

How are _they_ updated?

The reason I ask is that if there are false positives, and the
databases are not updated to remove the false positives, then you may
be running the risk of deleting files which should not be deleted.

> - The "long reports" are mails I'm getting when the cronjobs run.

Your cron jobs are not part of the ClamAV distribution. Please may we
see them?

> It's the "output to the screen when you run the clamscan"

If the reports are difficult to handle you could for example use a
utility like procmail to send them somewhere like /home/user/mail/junk
instead of your inbox, or you could even use grep to remove lines that
you don't want to see before the messages are sent. But neither will
address the root of the problem, that is finding out why the messages
are being produced and whether or not they are produced correctly.

> - The clamd daemon is running. I think it's because it runs with exim or something
> similar. It's the default installation on DirectAdmin servers. I didn't
> change the socket.

Are you using exim? If you are, is exim using clamd? Please be aware
that the 'clamscan' command does not use clamd, and if something is not
using clamd then it will be using a large amount of RAM for no reason.
Perhaps some of your cron jobs use clamd?

> - I didn't check individual files; I just check the /home directories where
> viruses could be. If there are possible viruses, I prefer to delete them.

I understand. But I would _still_ like to see an example of a file
which gives the error message which started this thread so that I can
try to find out if the message is produced correctly or if there's a
fault in ClamAV. The output of clamscan should give file names, you
can choose one or two of them - preferably small ones - as samples.

Do you have some reason to suppose that there might be viruses in your
home directories? Can you describe the kinds of things which you
expect will be stored in them?

--

73,
Ged.
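
A small triage script, added here as an illustration and not part of the thread or of ClamAV itself, that follows the advice in Ged's last two replies: count the LibClamAV Error lines in a clamscan report, pull out the file names next to them so samples can be picked, list files reported FOUND for review or quarantine rather than deleting them with --remove, and flag signature databases (third-party sets such as rfxn.* included) whose timestamps show they are not being updated. The sample report, the paths in it, and the pairing of each error line with the file result line that follows it (which assumes stdout and stderr were merged in the cron mail) are constructed assumptions, not output from the poster's servers.

```shell
#!/bin/sh
# Added example, not from the thread or the ClamAV project. Everything below
# (paths, file names, the report text) is constructed for illustration.

# Constructed sample of a clamscan cron mail with stdout and stderr merged.
# Assumption: a LibClamAV Error line appears just before the result line of
# the file that was being scanned when it was logged.
SAMPLE_OUTPUT='LibClamAV Error: [scan_biff_for_xlm_macros] Unexpected state value 4
/home2-81/user1/public_html/report.xls: OK
/home2-81/user2/mail/attachment.doc: Eicar-Test-Signature FOUND
LibClamAV Error: [scan_biff_for_xlm_macros] Unexpected state value 4
/home2-81/user3/public_html/old.xls: OK

----------- SCAN SUMMARY -----------
Infected files: 1'

# Number of LibClamAV Error lines, so the noise level can be tracked per run.
count_libclamav_errors() {
    printf '%s\n' "$1" | grep -c '^LibClamAV Error:'
}

# Paths of the files whose result line follows an error line: these are the
# candidates to keep as samples for a bug report (prefer small ones).
files_with_errors() {
    printf '%s\n' "$1" | awk '
        /^LibClamAV Error:/ { pending = 1; next }
        pending && /^\/.*: / { sub(/: .*$/, ""); print; pending = 0 }
    '
}

# Paths reported FOUND. Review these, or run clamscan with --move to a
# quarantine directory; --remove deletes them outright on a false positive.
found_files() {
    printf '%s\n' "$1" | sed -n 's/^\(.*\): .* FOUND$/\1/p'
}

# Signature databases in DIR ($1) not modified in the last DAYS ($2) days.
# freshclam refreshes main/daily/bytecode only; third-party sets need their
# own updater, so a stale file here means that updater is not running.
stale_databases() {
    find "$1" -maxdepth 1 -type f \
        \( -name '*.cvd' -o -name '*.cld' -o -name '*.hdb' \
           -o -name '*.ndb' -o -name '*.yara' \) \
        -mtime +"$2" | sort
}

# Demonstration on the constructed sample.
printf 'LibClamAV errors: %s\n' "$(count_libclamav_errors "$SAMPLE_OUTPUT")"
printf 'Files scanned when an error was logged:\n%s\n' "$(files_with_errors "$SAMPLE_OUTPUT")"
printf 'Files to review:\n%s\n' "$(found_files "$SAMPLE_OUTPUT")"
```

With a real run, capture clamscan's output to a file (2>&1) and pass its contents to the functions instead of SAMPLE_OUTPUT; stale_databases takes the directory shown by clamconf under "Database directory" and an age in days, and anything it prints is worth checking against the freshclam log and the third-party updater.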
