Hey, I'm having some trouble with a virus that got past clamav.
Log is pasted below, but I seem to have two problems: 1) libclamav is saying my database is old when it isn't 2) it can't seem to read the .exe, yet another system running clamav (solaris, slightly older version) can. I'm worried now other virii might be getting through :( Have I missed something blatantly obvious? Thanks, Andy.

mx tmp # clamscan --debug postcard.exe
LibClamAV debug: Loading databases from /var/lib/clamav
LibClamAV debug: Loading /var/lib/clamav/daily.cvd
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = 3c0a0e2639c5669f3e21153e447a6046
LibClamAV debug: Decoded signature: 3c0a0e2639c5669f3e21153e447a6046
LibClamAV debug: Digital signature is correct.
LibClamAV Warning: **************************************************
LibClamAV Warning: *** The virus database is older than 7 days. ***
LibClamAV Warning: *** Please update it IMMEDIATELY! ***
LibClamAV Warning: **************************************************
LibClamAV debug: in cli_untgz()
LibClamAV debug: Unpacking /tmp/clamav-1b1637d6b2796848/COPYING
LibClamAV debug: Unpacking /tmp/clamav-1b1637d6b2796848/daily.db
LibClamAV debug: Unpacking /tmp/clamav-1b1637d6b2796848/daily.hdb
LibClamAV debug: Unpacking /tmp/clamav-1b1637d6b2796848/daily.ndb
LibClamAV debug: Unpacking /tmp/clamav-1b1637d6b2796848/daily.zmd
LibClamAV debug: Unpacking /tmp/clamav-1b1637d6b2796848/daily.fp
LibClamAV debug: Unpacking /tmp/clamav-1b1637d6b2796848/daily.info
LibClamAV debug: Unpacking /tmp/clamav-1b1637d6b2796848/daily.pdb
LibClamAV debug: Loading databases from /tmp/clamav-1b1637d6b2796848
LibClamAV debug: Loading /tmp/clamav-1b1637d6b2796848/daily.db
LibClamAV debug: Initializing main node
LibClamAV debug: Initializing trie
LibClamAV debug: Initializing BM tables
LibClamAV debug: in cli_bm_init()
LibClamAV debug: BM: Number of indexes = 63744
LibClamAV debug: Loading /tmp/clamav-1b1637d6b2796848/daily.hdb
LibClamAV debug: Initializing md5 list structure
LibClamAV debug: Loading /tmp/clamav-1b1637d6b2796848/daily.ndb
LibClamAV debug: Loading /tmp/clamav-1b1637d6b2796848/daily.zmd
LibClamAV debug: Loading /tmp/clamav-1b1637d6b2796848/daily.fp
LibClamAV debug: Loading /var/lib/clamav/main.cvd
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = bbd0a1fe83da562a1d6b43e22f4c0626
LibClamAV debug: Decoded signature: bbd0a1fe83da562a1d6b43e22f4c0626
LibClamAV debug: Digital signature is correct.
LibClamAV debug: in cli_untgz()
LibClamAV debug: Unpacking /tmp/clamav-7cb274b619d28a99/COPYING
LibClamAV debug: Unpacking /tmp/clamav-7cb274b619d28a99/main.db
LibClamAV debug: Unpacking /tmp/clamav-7cb274b619d28a99/main.hdb
LibClamAV debug: Unpacking /tmp/clamav-7cb274b619d28a99/main.ndb
LibClamAV debug: Unpacking /tmp/clamav-7cb274b619d28a99/main.zmd
LibClamAV debug: Unpacking /tmp/clamav-7cb274b619d28a99/main.fp
LibClamAV debug: Unpacking /tmp/clamav-7cb274b619d28a99/main.info
LibClamAV debug: Loading databases from /tmp/clamav-7cb274b619d28a99
LibClamAV debug: Loading /tmp/clamav-7cb274b619d28a99/main.db
LibClamAV debug: Loading /tmp/clamav-7cb274b619d28a99/main.hdb
LibClamAV debug: Loading /tmp/clamav-7cb274b619d28a99/main.ndb
LibClamAV debug: Loading /tmp/clamav-7cb274b619d28a99/main.zmd
LibClamAV debug: Loading /tmp/clamav-7cb274b619d28a99/main.fp
LibClamAV debug: Recognized DOS/W32 executable/library/driver file
LibClamAV debug: in cli_peheader
LibClamAV debug: Virus offset: 14979, expected: 16798 (Exploit.CVE_2006_4182)
LibClamAV debug: Calculated MD5 checksum: 53f943e6b04ae707d57877629ad66738
LibClamAV debug: e_lfanew == 12
LibClamAV debug: File type: Executable
LibClamAV debug: Machine type: 80386
LibClamAV debug: NumberOfSections: 2
LibClamAV debug: TimeDateStamp: Thu Jan 1 01:00:00 1970
LibClamAV debug: SizeOfOptionalHeader: 224
LibClamAV debug: MajorLinkerVersion: 5
LibClamAV debug: MinorLinkerVersion: 12
LibClamAV debug: SizeOfCode: 512
LibClamAV debug: SizeOfInitializedData: 0
LibClamAV debug: SizeOfUninitializedData: 0
LibClamAV debug: AddressOfEntryPoint: 0x10f9e
LibClamAV debug: SectionAlignment: 4096
LibClamAV debug: FileAlignment: 512
LibClamAV debug: MajorSubsystemVersion: 4
LibClamAV debug: MinorSubsystemVersion: 0
LibClamAV debug: SizeOfImage: 131072
LibClamAV debug: SizeOfHeaders: 512
LibClamAV debug: Subsystem: Win32 GUI
LibClamAV debug: NumberOfRvaAndSizes: 16
LibClamAV debug: ------------------------------------
LibClamAV debug: Section 0
LibClamAV debug: Section name: MEW
LibClamAV debug: VirtualSize: 49152
LibClamAV debug: VirtualAddress: 0x1000
LibClamAV debug: SizeOfRawData: 0
LibClamAV debug: PointerToRawData: 0x0 (0)
LibClamAV debug: Section contains executable code
LibClamAV debug: Section's memory is writeable
LibClamAV debug: ------------------------------------
LibClamAV debug: Section 1
LibClamAV debug: Section name: <garbled, can't paste>
LibClamAV debug: VirtualSize: 77824
LibClamAV debug: VirtualAddress: 0xd000
LibClamAV debug: SizeOfRawData: 16311
LibClamAV debug: PointerToRawData: 0x200 (512)
LibClamAV debug: Section contains executable code
LibClamAV debug: Section's memory is writeable
LibClamAV debug: ------------------------------------
LibClamAV debug: EntryPoint offset: 0x419e (16798)
LibClamAV debug: UPX/FSG: empty section found - assuming compression
LibClamAV debug: UPX/FSG: Can't read 168 bytes at 0x419e (16798)
LibClamAV debug: UPX/FSG: Broken or not UPX/FSG compressed file
postcard.exe: OK

----------- SCAN SUMMARY -----------
Known viruses: 80498
Engine version: 0.88.7
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.02 MB
Time: 1.902 sec (0 m 1 s)

mx tmp # ls -l /var/lib/clamav/daily.cvd
-rw-rw-r-- 1 clamav clamav 752606 Jan 23 09:41 /var/lib/clamav/daily.cvd
mx tmp # ls -l /var/lib/clamav/main.cvd
-rw-rw-r-- 1 clamav clamav 6924820 Jan 23 09:41 /var/lib/clamav/main.cvd

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
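Added example (editor's code, not from the post and not ClamAV's own source): the arithmetic behind the "EntryPoint offset: 0x419e (16798)" and "Can't read 168 bytes at 0x419e" lines, worked from nothing but the section table printed in the debug output above. The section values, SizeOfHeaders and the 168-byte read length are copied from the log; the section-1 name placeholder, the function names and the "raw extent from headers" check are constructed here for illustration. It shows why a file whose entry point sits 25 bytes before the end of its last section (and whose first section has no raw data at all) makes the unpacker heuristic bail out, so that the scan falls back to "OK" rather than being evidence that the file is clean.

```python
"""Reproduce libclamav's entry-point bookkeeping from PE section headers.

All numeric inputs below are the values printed by `clamscan --debug` in the
post; everything else (names, helper functions) is constructed for this
example and is not ClamAV code.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Section:
    """Subset of an IMAGE_SECTION_HEADER that matters for RVA -> file offset."""
    name: str
    virtual_size: int
    virtual_address: int       # RVA where the section is mapped
    size_of_raw_data: int      # bytes actually stored in the file
    pointer_to_raw_data: int   # file offset of those bytes


def section_for_rva(sections: List[Section], rva: int) -> Optional[Section]:
    """Return the section whose virtual range contains `rva`, or None."""
    for s in sections:
        if s.virtual_address <= rva < s.virtual_address + s.virtual_size:
            return s
    return None


def rva_to_file_offset(sections: List[Section], rva: int) -> Optional[int]:
    """Map an RVA to a file offset the same way a loader would: offset
    within the section plus the section's PointerToRawData."""
    s = section_for_rva(sections, rva)
    if s is None:
        return None
    return rva - s.virtual_address + s.pointer_to_raw_data


def raw_extent_from_headers(sections: List[Section], size_of_headers: int) -> int:
    """Highest file offset the headers claim to use. The real file length is
    what libclamav reads against; this is the bound derivable from the log."""
    end = size_of_headers
    for s in sections:
        end = max(end, s.pointer_to_raw_data + s.size_of_raw_data)
    return end


def analyse(sections: List[Section], size_of_headers: int,
            entry_rva: int, needed: int = 168) -> Dict[str, object]:
    """Summarise what the unpacker heuristic sees at the entry point."""
    entry_offset = rva_to_file_offset(sections, entry_rva)
    extent = raw_extent_from_headers(sections, size_of_headers)
    return {
        "entry_offset": entry_offset,
        "raw_extent": extent,
        # sections with no bytes on disk: the "empty section found" trigger
        "empty_sections": [s.name for s in sections if s.size_of_raw_data == 0],
        # bytes actually available from the entry point to the declared end
        "bytes_after_entry": None if entry_offset is None else extent - entry_offset,
        "entry_readable": entry_offset is not None and entry_offset + needed <= extent,
    }


# --- values copied from the clamscan --debug output in the post ---
SIZE_OF_HEADERS = 512
ENTRY_POINT_RVA = 0x10F9E
POSTCARD_SECTIONS = [
    Section("MEW", 49152, 0x1000, 0, 0x0),
    # the real name did not survive the paste; placeholder is constructed
    Section("<section 1>", 77824, 0xD000, 16311, 0x200),
]


def main() -> None:
    result = analyse(POSTCARD_SECTIONS, SIZE_OF_HEADERS, ENTRY_POINT_RVA)
    print(f"entry point file offset : 0x{result['entry_offset']:x} ({result['entry_offset']})")
    print(f"declared raw extent     : {result['raw_extent']} bytes")
    print(f"empty sections          : {result['empty_sections']}")
    print(f"bytes after entry point : {result['bytes_after_entry']}")
    print(f"168 bytes readable at EP: {result['entry_readable']}")


if __name__ == "__main__":
    main()
```

Running it reproduces the log: the entry point maps to 0x419e (16798), the headers only account for 16823 bytes, so a 168-byte read at the entry point would overrun by 143 bytes, and section 0 ("MEW", SizeOfRawData 0) is exactly the "empty section" that makes the engine assume a packer. A sample whose unpacking step fails this way is reported as OK only because nothing could be unpacked, which is a reason to quarantine it for manual analysis or submit it rather than to trust the verdict.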