[EMAIL PROTECTED](Rainer Zocholl) 11.03.05 17:36
Some more "funny" messages of clamscan (ClamAV 0.83/761/):

Command used:

SCNU=ftp
nice -19 su $SCNU -s/bin/sh -c "clamscan -ir --block-encrypted --block-max --detect-broken --unzip --unrar --unarj --unzoo --lha --jar --deb --tar --tgz /home/$SCNU/"

->/tmp/clamav-72a681e01f7b677b/usr/share/limewire/lib/QTJava.zip:
->Zip.ExceededFilesLimit FOUND

Can those "problems" like too large zips maybe be counted separately as
"limit problems", not as virus? That would reduce users' "panic" ;-)
(But more important: always print the original file's name (and path))

tons of:
->LibClamAV Warning: Multipart MIME message contains no boundaries
->LibClamAV Warning: messageFindArgument: no '=' sign found in MIME header

But: No hint where to search!
clamscan was "only" scanning /home/ftp! No mail folders...

->/tmp/clamav-78fd499b51b5bf5f/usr/share/clamav-testfiles/clam.cab:
->ClamAV-Test-File FOUND

OK, it works! :-))
But what is clamscan doing at "/" ???

->/tmp/clamav-2e9da59d2668c5e8/usr/src/kernel-source-2.4.27.tar.bz2:
->Archive.ExceededRecursionLimit FOUND

OK...

->/tmp/clamav-fd5213342772ace1/TWDT.txt.gz: Exploit.IFrame.Gen FOUND

"locate" can't find such a file! (now?)

->/tmp/clamav-8811b8460885392c/usr/share/doc/lg-issue86/lg-issue86.tar.gz:
->Infected Archive FOUND

Infected with what? and where?
"locate" is not the right way to go, IMHO, as only sometimes it gives a "hint"

# ll /usr/share/doc/lg-issue86/
ls: /usr/share/doc/lg-issue86/: No such file or directory
# locate lg-issue86
/home/ftp/mirrors/debian/debian/pool/main/l/lg-issue86
/home/ftp/mirrors/debian/debian/pool/main/l/lg-issue86/lg-issue86_1-1_all.deb

->/tmp/clamav-09fc84e4b0591146/misc/laundrette/laundrette-108.txt:
->HTML.Phishing.Bank-1 FOUND

seems to be false alarm, but where?
a fresh "locate" does not find any "laundrette".

->/tmp/clamav-7f6b7046608264c0/var/lib/mailman/tests/msgs/nimda.txt:
->Exploit.IFrame.Gen FOUND

# ll /var/lib/mailman/tests/msgs/nimda.txt
-rw-r--r-- 1 root list 1438 Feb 16 22:15 /var/lib/mailman/tests/msgs/nimda.txt
# locate nimda.txt
/root/Work/mailman-2.1.1/tests/msgs/nimda.txt
/var/lib/mailman/tests/msgs/nimda.txt

What is clamscan doing at "/" ???

->>>LibClamAV Warning: Attempt to send Content-type message/external-body
->>>trappedLibClamAV Warning: Multipart MIME message contains no boundaries
->>>LibClamAV Warning: Multipart MIME message contains no boundaries
->
->
->>>>/tmp/clamav-0c031974181c0edb/usr/lib/python2.3/site-packages/aima/data/spam.t
->xt: Worm.Sircam FOUND

false alarm?

->>>>/tmp/clamav-f191af7d90d223bd/usr/lib/python2.3/site-packages/aima/data/spam.t
->xt: Worm.Sircam FOUND

false alarm?

->LibClamAV Warning: Multipart MIME message contains no boundaries
->LibClamAV Warning: Ignoring empty field in "
...
->boundary="=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV" trailing="
->LibClamAV Warning: Multipart MIME message contains no boundaries
->LibClamAV Warning: Ignoring empty field in "
->boundary="=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV" trailing="
->LibClamAV Warning: Ignoring empty field in "
->boundary="=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV" trailing="
->LibClamAV Warning: Multipart MIME message contains no boundaries
->LibClamAV Warning: Ignoring empty field in "
->boundary="=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV" trailing="
...
->
->/tmp/clamav-cd079da1c2845cc3/usr/share/doc/scanmail/examples/990427818.7803_5
->.proxy.gz: VBS.HomePage.2 FOUND
->
->LibClamAV Warning: Multipart MIME message contains no boundaries
->LibClamAV Warning: Multipart MIME message contains no boundaries
...
->LibClamAV Warning: Unsupported message format `sipfrag'
->- if you believe this file contains a virus,
->report it to [EMAIL PROTECTED]

I would like to do very much!
But again: Which file?

You ask why I would like to know the paths?
Because there were 3,Mio files scanned... :-)

->----------- SCAN SUMMARY -----------
->Known viruses: 31,566
->Scanned directories: 743,523
->Scanned files: 3,446,612
->Infected files: 39
->Data scanned: 100,810.04 MB
->I/O buffer size: 131,072 bytes
->Time: 51,719.119 sec (861 m 59 s)

(I added some "," to make the big numbers "human readable" ;-))

But anyhow: Congratulations to the programmers!
The program did find the test patterns and was running for 14h stable
without any "oopses"! Great!

Are those "MB" decimal based "mio byte" 10^6 or binary-based "MiB" 2^20?
If the second format is used somewhere, "MiB" would avoid problems.
Too: Why not give the exact count in "bytes"? (made readable with ",")
And having the "netto" volume would be nice too.

I assume "Scanned files:" counts the files inside archives too, or?
So here it would be useful too to count the "real files" to be able
to make sure that clamscan really found all files!

FTR:
# cat /proc/cpuinfo
vendor_id : GenuineIntel
cpu family : 6
model : 8
model name : Pentium III (Coppermine)
stepping : 10
cpu MHz : 1001.903
cache size : 256 KB

#cat /proc/version
Linux version 2.4.29

# hdparm -tT /dev/ataraid/d0p10
/dev/ataraid/d0p10:
 Timing cached reads: 780 MB in 2.00 seconds = 390.00 MB/sec
 Timing buffered disk reads: 120 MB in 3.01 seconds = 39.87 MB/sec

but take into account that it ran under "nice -19"
(but the box was not loaded very much, clamscan was mostly at "top")

But I wonder how clamscan could scan 100GB on a 40GB partition:

# df /home/ftp
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/ataraid/d0p10 39412652 35180136 4232516 90% /home/ftp

_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
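
Added example, not part of the original post and not ClamAV code: a small Python post-processor for clamscan output that counts the "limit" results separately from signature hits, as the post asks for, and drops the /tmp/clamav-<hex>/ prefix from the reported paths. The names triage, classify and SAMPLE are hypothetical; treating any signature name containing "Exceeded" as a limit result is an assumption drawn from the two such names quoted in the post, and the sample lines are constructed from the output quoted there.

```python
import re
from collections import defaultdict

# Constructed sample: result lines from the post above, "->" quote marks removed.
SAMPLE = """\
/tmp/clamav-72a681e01f7b677b/usr/share/limewire/lib/QTJava.zip:
Zip.ExceededFilesLimit FOUND
LibClamAV Warning: Multipart MIME message contains no boundaries
/tmp/clamav-78fd499b51b5bf5f/usr/share/clamav-testfiles/clam.cab:
ClamAV-Test-File FOUND
/tmp/clamav-2e9da59d2668c5e8/usr/src/kernel-source-2.4.27.tar.bz2:
Archive.ExceededRecursionLimit FOUND
/tmp/clamav-fd5213342772ace1/TWDT.txt.gz: Exploit.IFrame.Gen FOUND
/tmp/clamav-8811b8460885392c/usr/share/doc/lg-issue86/lg-issue86.tar.gz:
Infected Archive FOUND
"""

TMP_PREFIX = re.compile(r"^/tmp/clamav-[0-9a-f]{16}/")
RESULT = re.compile(r"^(?P<path>/.+?):\s+(?P<sig>.+) FOUND$")

def classify(sig):
    """Assumption: 'Exceeded' in the name marks a --block-max limit result."""
    if "Exceeded" in sig:
        return "limit"
    if sig == "ClamAV-Test-File":
        return "test"
    return "detection"

def triage(text):
    """Group FOUND results by kind; paths are returned without the temp prefix."""
    groups = defaultdict(list)
    pending = None  # a path line whose verdict was wrapped onto the next line
    for line in text.splitlines():
        line = line.strip()
        if pending is not None:
            line, pending = pending + " " + line, None
        elif line.startswith("/") and line.endswith(":"):
            pending = line
            continue
        m = RESULT.match(line)
        if m:  # warnings and other noise do not match and are skipped
            inner = TMP_PREFIX.sub("", m.group("path"))
            groups[classify(m.group("sig"))].append((inner, m.group("sig")))
    return dict(groups)

if __name__ == "__main__":
    for kind, hits in triage(SAMPLE).items():
        print(kind, len(hits), hits)
```

The path left after stripping the prefix is only what clamscan printed below its temporary directory; it does not identify the file under /home/ftp that was being scanned, which is the gap the post points out.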