-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[EMAIL PROTECTED] wrote:
> I recently ran into a virus that amavisd-new/clamd doesn't detect but
> clamscan does.
>
> I'm running clamav-0.85 on FreeBSD 4.5.
>
> Here are the results from clamscan:
>
> root edoras[25]: clamscan --debug email-doc.scr
> LibClamAV debug: CVD -> No creation time in seconds (old file format)
> LibClamAV debug: Loading databases from /var/db/clamav
> LibClamAV debug: Loading /var/db/clamav/main.cvd
> LibClamAV debug: in cli_cvdload()
> LibClamAV debug: MD5(.tar.gz) = 97483b1d8189548e820e8a3f4bef787b
> LibClamAV debug: Decoded signature: 97483b1d8189548e820e8a3f4bef787b
> LibClamAV debug: Digital signature is correct.
> LibClamAV debug: in cli_untgz()
> LibClamAV debug: Unpacking /var/tmp//clamav-626b2f632dcfa3b1/COPYING
> LibClamAV debug: Unpacking /var/tmp//clamav-626b2f632dcfa3b1/main.db
> LibClamAV debug: Unpacking /var/tmp//clamav-626b2f632dcfa3b1/main.hdb
> LibClamAV debug: Unpacking /var/tmp//clamav-626b2f632dcfa3b1/main.ndb
> LibClamAV debug: Unpacking /var/tmp//clamav-626b2f632dcfa3b1/main.zmd
> LibClamAV debug: Unpacking /var/tmp//clamav-626b2f632dcfa3b1/main.fp
> LibClamAV debug: Loading databases from /var/tmp//clamav-626b2f632dcfa3b1
> LibClamAV debug: Loading /var/tmp//clamav-626b2f632dcfa3b1/main.db
> LibClamAV debug: Initializing main node
> LibClamAV debug: Initializing trie
> LibClamAV debug: Initializing BM tables
> LibClamAV debug: in cli_bm_init()
> LibClamAV debug: BM: Number of indexes = 63744
> LibClamAV debug: Loading /var/tmp//clamav-626b2f632dcfa3b1/main.hdb
> LibClamAV debug: Initializing md5 list structure
> LibClamAV debug: Loading /var/tmp//clamav-626b2f632dcfa3b1/main.ndb
> LibClamAV debug: Loading /var/tmp//clamav-626b2f632dcfa3b1/main.zmd
> LibClamAV debug: Loading /var/tmp//clamav-626b2f632dcfa3b1/main.fp
> LibClamAV debug: Loading /var/db/clamav/daily.cvd
> LibClamAV debug: in cli_cvdload()
> LibClamAV debug: MD5(.tar.gz) = 28f45cc32498c82312899352df1686c3
> LibClamAV debug: Decoded signature: 28f45cc32498c82312899352df1686c3
> LibClamAV debug: Digital signature is correct.
> LibClamAV debug: in cli_untgz()
> LibClamAV debug: Unpacking /var/tmp//clamav-13af5a94b984433c/COPYING
> LibClamAV debug: Unpacking /var/tmp//clamav-13af5a94b984433c/daily.db
> LibClamAV debug: Unpacking /var/tmp//clamav-13af5a94b984433c/daily.hdb
> LibClamAV debug: Unpacking /var/tmp//clamav-13af5a94b984433c/daily.ndb
> LibClamAV debug: Loading databases from /var/tmp//clamav-13af5a94b984433c
> LibClamAV debug: Loading /var/tmp//clamav-13af5a94b984433c/daily.db
> LibClamAV debug: Loading /var/tmp//clamav-13af5a94b984433c/daily.hdb
> LibClamAV debug: Loading /var/tmp//clamav-13af5a94b984433c/daily.ndb
> LibClamAV debug: Recognized DOS/W32 executable/library/driver file
> LibClamAV debug: Worm.Mytob.BN-1 found in descriptor 5.
> email-doc.scr: Worm.Mytob.BN-1 FOUND
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 34297
> Engine version: 0.85
> Scanned directories: 0
> Scanned files: 1
> Infected files: 1
> Data scanned: 0.03 MB
> Time: 10.840 sec (0 m 10 s)
>
>
> Here's the output from clamdscan:
>
> root edoras[21]: clamdscan --config-file=/usr/local/etc/clamd-debug.conf
> email-doc.scr
> /var/tmp/email-doc.scr: OK
>
> ----------- SCAN SUMMARY -----------
> Infected files: 0
> Time: 0.381 sec (0 m 0 s)
>
>
> .. and here's the output from clamd:
>
> root edoras[43]: /usr/local/sbin/clamd -c /usr/local/etc/clamd-debug.conf
> LibClamAV debug: Setting /var/tmp as global temporary directory
> LibClamAV debug: Loading databases from /var/db/clamav
> LibClamAV debug: Loading /var/db/clamav/main.cvd
> LibClamAV debug: in cli_cvdload()
> LibClamAV debug: MD5(.tar.gz) = 97483b1d8189548e820e8a3f4bef787b
> LibClamAV debug: Decoded signature: 97483b1d8189548e820e8a3f4bef787b
> LibClamAV debug: Digital signature is correct.
> LibClamAV debug: in cli_untgz()
> LibClamAV debug: Unpacking /var/tmp/clamav-5c859521fba63e28/COPYING
> LibClamAV debug: Unpacking /var/tmp/clamav-5c859521fba63e28/main.db
> LibClamAV debug: Unpacking /var/tmp/clamav-5c859521fba63e28/main.hdb
> LibClamAV debug: Unpacking /var/tmp/clamav-5c859521fba63e28/main.ndb
> LibClamAV debug: Unpacking /var/tmp/clamav-5c859521fba63e28/main.zmd
> LibClamAV debug: Unpacking /var/tmp/clamav-5c859521fba63e28/main.fp
> LibClamAV debug: Loading databases from /var/tmp/clamav-5c859521fba63e28
> LibClamAV debug: Loading /var/tmp/clamav-5c859521fba63e28/main.db
> LibClamAV debug: Initializing main node
> LibClamAV debug: Initializing trie
> LibClamAV debug: Initializing BM tables
> LibClamAV debug: in cli_bm_init()
> LibClamAV debug: BM: Number of indexes = 63744
> LibClamAV debug: Loading /var/tmp/clamav-5c859521fba63e28/main.hdb
> LibClamAV debug: Initializing md5 list structure
> LibClamAV debug: Loading /var/tmp/clamav-5c859521fba63e28/main.ndb
> LibClamAV debug: Loading /var/tmp/clamav-5c859521fba63e28/main.zmd
> LibClamAV debug: Loading /var/tmp/clamav-5c859521fba63e28/main.fp
> LibClamAV debug: Loading /var/db/clamav/daily.cvd
> LibClamAV debug: in cli_cvdload()
> LibClamAV debug: MD5(.tar.gz) = 28f45cc32498c82312899352df1686c3
> LibClamAV debug: Decoded signature: 28f45cc32498c82312899352df1686c3
> LibClamAV debug: Digital signature is correct.
> LibClamAV debug: in cli_untgz()
> LibClamAV debug: Unpacking /var/tmp/clamav-02a276c9ad19f14a/COPYING
> LibClamAV debug: Unpacking /var/tmp/clamav-02a276c9ad19f14a/daily.db
> LibClamAV debug: Unpacking /var/tmp/clamav-02a276c9ad19f14a/daily.hdb
> LibClamAV debug: Unpacking /var/tmp/clamav-02a276c9ad19f14a/daily.ndb
> LibClamAV debug: Loading databases from /var/tmp/clamav-02a276c9ad19f14a
> LibClamAV debug: Loading /var/tmp/clamav-02a276c9ad19f14a/daily.db
> LibClamAV debug: Loading /var/tmp/clamav-02a276c9ad19f14a/daily.hdb
> LibClamAV debug: Loading /var/tmp/clamav-02a276c9ad19f14a/daily.ndb
> LibClamAV debug: set stacksize to 262144
> LibClamAV debug: Raw mode: No support for special files
> LibClamAV debug: Type: 0, expected: 502 (Worm.Mytob.BN-1)
> LibClamAV debug: Calculated MD5 checksum: aa11b5ec238c1de2c674da1418b4de69
>
>
> The "Type: 0, expected: 502 (Worm.Mytob.BN-1)" line is interesting
> because it shows the virus name that clamscan detects. Is this a
> clue?

This is more interesting ;-) :

LibClamAV debug: Raw mode: No support for special files

Probably you should check your clamd configuration.

> Thanks,
>
> -- Bob
> _______________________________________________
> http://lurker.clamav.net/list/clamav-users.html
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCgwlhtuGICzHOh+YRAiEwAJ4n6uFK/Y5pSI24WfP+ww+UiD/U3QCeLdBY
yjimgt6NkxpLVDuhDHgkBvc=
=sgO4
-----END PGP SIGNATURE-----
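The thread shows the classic triage for this kind of report: run the same sample through clamscan (which links libclamav directly, with its own defaults) and through clamdscan (which hands the path to clamd, which scans with whatever clamd.conf enables), and diff the verdicts before digging into clamd's debug output. The script below is an added example of that comparison and is not code from the thread or from the ClamAV project. It assumes that clamscan and clamdscan accept --no-summary and print one "path: OK" or "path: NAME FOUND" line per file, and that the clamd.conf directive names in SCAN_DIRECTIVES (ScanPE, ScanArchive, ScanMail, ScanOLE2, ScanHTML, DetectBrokenExecutables) are the ones controlling type-specific scanning in 0.8x-era clamd; check clamd.conf(5) for your version. The sample result lines in the comments are the ones quoted in the thread.

```shell
#!/bin/sh
# Added triage helper for a clamscan-vs-clamdscan discrepancy (not ClamAV code).
# Assumptions: --no-summary is accepted by both scanners and each prints one
# "path: OK" / "path: NAME FOUND" line per file; the directive names below are
# assumed to be the scan-type switches of an 0.8x-era clamd.conf.

# Normalise one scanner result line to "OK", "FOUND <name>" or "UNKNOWN".
# e.g. "email-doc.scr: Worm.Mytob.BN-1 FOUND" -> "FOUND Worm.Mytob.BN-1"
#      "/var/tmp/email-doc.scr: OK"           -> "OK"
verdict_of() {
    line="$1"
    rest="${line#*: }"                  # drop the "path: " prefix
    case "$rest" in
        OK)         echo "OK" ;;
        *" FOUND")  echo "FOUND ${rest% FOUND}" ;;
        *)          echo "UNKNOWN" ;;
    esac
}

# Compare the two scanners' result lines for the same file.
# Prints "agree: <verdict>" (returns 0) or "MISMATCH ..." (returns 1).
compare_verdicts() {
    a=$(verdict_of "$1")
    b=$(verdict_of "$2")
    if [ "$a" = "$b" ]; then
        echo "agree: $a"
        return 0
    fi
    echo "MISMATCH clamscan=[$a] clamdscan=[$b]"
    return 1
}

# Assumed 0.8x clamd.conf directives that turn type-specific scanning on/off.
SCAN_DIRECTIVES='ScanPE|ScanArchive|ScanMail|ScanOLE2|ScanHTML|DetectBrokenExecutables'

# List those directives as they appear in a clamd.conf, commented-out lines
# included, so a disabled or missing switch is visible at a glance.
show_scan_directives() {
    conf="$1"
    grep -n -E "^[[:space:]]*#?[[:space:]]*($SCAN_DIRECTIVES)([[:space:]]|$)" "$conf" \
        || echo "(no scan-type directives found in $conf)"
}

# Number of those directives that are present and not commented out.
active_scan_directive_count() {
    grep -c -E "^[[:space:]]*($SCAN_DIRECTIVES)([[:space:]]|$)" "$1" || true
}

# Scan one file with both tools (if installed), compare, and show the
# relevant config lines. clamdscan passes the path to clamd, which opens
# the file itself, so clamd's own user must be able to read it.
triage_file() {
    f="$1"
    conf="${2:-/usr/local/etc/clamd.conf}"
    if ! command -v clamscan >/dev/null 2>&1 || ! command -v clamdscan >/dev/null 2>&1; then
        echo "clamscan and clamdscan must both be in PATH" >&2
        return 2
    fi
    cs_line=$(clamscan --no-summary "$f" 2>/dev/null | tail -n 1)
    cd_line=$(clamdscan --no-summary "$f" 2>/dev/null | tail -n 1)
    compare_verdicts "$cs_line" "$cd_line" || true
    echo "scan-type directives in $conf:"
    show_scan_directives "$conf"
}

# Usage: sh clamtriage.sh /path/to/sample [/path/to/clamd.conf]
if [ "$#" -gt 0 ]; then
    triage_file "$@"
fi
```

On the thread's own lines, compare_verdicts reports a mismatch between "FOUND Worm.Mytob.BN-1" and "OK", which is the cue to look at what clamd was started with; the poster's clamd was started with -c /usr/local/etc/clamd-debug.conf, so pass that file as the second argument rather than the default path. The directive listing only makes the configuration visible; it does not claim which switch produced the "Raw mode" line.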