----- Original Message -----
From: "Todd Lyons" <[EMAIL PROTECTED]>
To: <clamav-users@lists.clamav.net>
Sent: Friday, March 16, 2007 3:07 PM
Subject: Re: ClamAV not LOGGING viruses was [Clamav-users] 0.90.1 not finding viruses
On Thu, Mar 15, 2007 at 07:11:20PM -0400, John Fleming wrote:
- And the clamav log is free of errors and indicated that the database is
updated appropriately and clamd is being notified of changes.
OK, clamav is finding viruses again, but they are not being LOGGED in
/var/log/clamav.log. The database upgrades and any restarts ARE being
logged - just not the "FOUND <virusname>" that I'm used to. (Thus my virus
Turn on LogVerbose and LogClean and restart clamd. You should see lots
of stuff going to that file then. If you're not, then clamd is not
writing to the file you think it is, or clamd is not getting the files
at all. (I do not know clamassassin so I do not know if it connects to
clamd directly or if it calls clamdscan or if it calls clamscan.)
1. I've made the clamassassin script available here:
http://wa9als.com/clamassassin.txt
2. OK, LogVerbose and LogClean are on. Log cleared manually. Clamd
restarted, same thing as usual put in /var/log/clamav/clamav.log:
Fri Mar 16 19:25:26 2007 -> Shutting down the main socket.
Fri Mar 16 19:25:26 2007 -> Closing the main socket.
Fri Mar 16 19:25:26 2007 -> Socket file removed.
Fri Mar 16 19:25:26 2007 -> Pid file removed.
Fri Mar 16 19:25:26 2007 -> --- Stopped at Fri Mar 16 19:25:26 2007
Fri Mar 16 19:25:27 2007 -> +++ Started at Fri Mar 16 19:25:27 2007
Fri Mar 16 19:25:27 2007 -> clamd daemon 0.90.1 (OS: linux-gnu, ARCH: i386, CPU: i386)
Fri Mar 16 19:25:27 2007 -> Log file size limit disabled.
Fri Mar 16 19:25:27 2007 -> Reading databases from /var/lib/clamav/
Fri Mar 16 19:25:30 2007 -> Loaded 99452 signatures.
Fri Mar 16 19:25:30 2007 -> Unix socket file /var/run/clamav/clamd.ctl
Fri Mar 16 19:25:30 2007 -> Setting connection queue length to 15
Fri Mar 16 19:25:30 2007 -> Listening daemon: PID: 21364
Fri Mar 16 19:25:30 2007 -> Archive: Archived file size limit set to 10485760 bytes.
Fri Mar 16 19:25:30 2007 -> Archive: Recursion level limit set to 5.
Fri Mar 16 19:25:30 2007 -> Archive: Files limit set to 1000.
Fri Mar 16 19:25:30 2007 -> Archive: Compression ratio limit set to 250.
Fri Mar 16 19:25:30 2007 -> Archive support enabled.
Fri Mar 16 19:25:30 2007 -> Algorithmic detection enabled.
Fri Mar 16 19:25:30 2007 -> Portable Executable support enabled.
Fri Mar 16 19:25:30 2007 -> ELF support enabled.
Fri Mar 16 19:25:30 2007 -> Mail files support enabled.
Fri Mar 16 19:25:30 2007 -> Mail: Recursion level limit set to 64.
Fri Mar 16 19:25:30 2007 -> OLE2 support enabled.
Fri Mar 16 19:25:30 2007 -> PDF support disabled.
Fri Mar 16 19:25:30 2007 -> HTML support enabled.
Fri Mar 16 19:25:30 2007 -> Self checking every 3600 seconds.
3. Then I sent myself the Eicar and got the expected headers, and via
procmail, the "infected" message went to the expected virus IMAP folder with
these headers:
X-Virus-Status: Yes
X-Virus-Report: Eicar-Test-Signature FOUND
X-Virus-Checker-Version: clamassassin 1.2.4 with clamscan / ClamAV 0.90.1/2853/Fri Mar 16 15:48:54 2007
4. I rechecked the clamav.log, and it was the same as above - no virus
logged.
5. Perhaps interesting to some of you, I checked the log about 3-4 minutes
later (no new viruses in the virus folder) and it had these 2 additional
lines:
Fri Mar 16 19:32:02 2007 -> Accepted connection on port 1880, fd 8
Fri Mar 16 19:32:02 2007 -> stream 1880: OK
Anyway, I don't think there's any doubt that clamd is logging some things to
this file. Although clamassassin writes a "FOUND" <virusname> to the mail
header, I don't see that it does anything with the clamav.log.
And to answer an earlier question, no, I'm not using clamav milter. Thanks
for those of you sticking with me on this!
- John
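
The check this thread is working toward, as an added example that is not part of the original messages or of clamassassin: it reads the scanner named in X-Virus-Checker-Version and decides whether a missing FOUND line in clamd's log is expected, since clamscan loads the engine itself and does not pass files through clamd. The function names, the sample strings, the FOUND log line used for comparison, and the assumption that a clamdscan-based setup would read "with clamdscan" are constructed for illustration.

```shell
#!/bin/sh
# Constructed samples modelled on the headers and log lines quoted in the thread.
SAMPLE_HEADERS='X-Virus-Status: Yes
X-Virus-Report: Eicar-Test-Signature FOUND
X-Virus-Checker-Version: clamassassin 1.2.4 with clamscan / ClamAV 0.90.1/2853/Fri Mar 16 15:48:54 2007'

SAMPLE_CLAMD_LOG='Fri Mar 16 19:25:30 2007 -> Self checking every 3600 seconds.
Fri Mar 16 19:32:02 2007 -> Accepted connection on port 1880, fd 8
Fri Mar 16 19:32:02 2007 -> stream 1880: OK'

# Print the scanner front end named after "with" in X-Virus-Checker-Version.
scanner_from_headers() {
    printf '%s\n' "$1" |
        sed -n 's/^X-Virus-Checker-Version:.* with \([a-z]*\) .*/\1/p' | head -n 1
}

# Print the signature named in X-Virus-Report, or nothing for clean mail.
detection_from_headers() {
    printf '%s\n' "$1" | sed -n 's/^X-Virus-Report: \(.*\) FOUND$/\1/p' | head -n 1
}

# Count clamd log lines that record the given signature as FOUND.
clamd_hits() {
    printf '%s\n' "$1" | grep -c -F -- "$2 FOUND" || true
}

# Classify a message: is the absence of a FOUND line in clamd's log expected?
diagnose() {
    headers=$1
    log=$2
    sig=$(detection_from_headers "$headers")
    [ -n "$sig" ] || { echo "no-detection"; return 0; }
    scanner=$(scanner_from_headers "$headers")
    hits=$(clamd_hits "$log" "$sig")
    if [ "$hits" -gt 0 ]; then
        echo "logged-by-clamd"
    elif [ "$scanner" = "clamscan" ]; then
        # Standalone scanner: clamd never saw the message, so its log stays silent.
        echo "expected-gap-standalone-scanner"
    else
        # Assumed daemon-backed path (e.g. clamdscan): clamd should have logged it.
        echo "unexpected-gap-check-clamd-logfile"
    fi
}

diagnose "$SAMPLE_HEADERS" "$SAMPLE_CLAMD_LOG"
```

For per-detection logging with the standalone scanner, clamscan has its own `--log=FILE` option, separate from the LogFile that clamd writes.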