I use Gentoo Base System release 1.12.13 as my distro with a hardened profile.
I can't really say, but I can't seem to find any errors really. I attached my debug output, but as mentioned, can't see anything wrong with it really. I'm not using selinux so not using any of these modes :S

It is really confusing and baffling, as said, especially since freshclam can't even connect to clamav.

oliver

On 09/03/10 10:11, Philippe Camps wrote:
> Hello,
>
> What is your linux distribution ?
> Have you errors when clamd is starting ?
> Have you selinux in "enforced mode" ? You should try in "permissive mode"
>
> On 02/09/2010 18:40, Oliver Schinagl wrote:
>> Hello all,
>>
>> I've been stuffed with the old and known "(!!)ClamAV-clamd av-scanner
>> FAILED: run_av error: Too many retries to talk to
>> /var/run/clamav/clamd.sock (Can't connect to UNIX socket
>> /var/run/clamav/clamd.sock: Permission denied) at (eval 99) line 326.\n"
>> error.
>>
>> I have 2 mail servers running with near identical configs, so I did
>> cross-check them. Also, I googled and verified my permissions and the
>> like, but I can't seem to get amavis to talk to clamav.
>>
>> The socket is world read/write-able, so how this is an issue is
>> beyond me:
>> 7of9 var # ls -laF /var/run/clamav/clamd.sock
>> srw-rw-rw- 1 clamav clamav 0 Sep 2 18:22 /var/run/clamav/clamd.sock=
>>
>> And supplementary groups are enabled:
>> 7of9 var # grep Supp /etc/clamd.conf
>> AllowSupplementaryGroups yes
>>
>> Amavis and clamav are in each other's groups:
>> clamav:x:10024:amavis
>> amavis:x:10021:clamav
>>
>> and when I 'cat' as user amavis, I do get access to the socket (I
>> think?)
>> cat: /var/run/clamav/clamd.sock: No such device or address
>> File: `/var/run/clamav/clamd.sock'
>> Size: 0 Blocks: 0 IO Block: 4096 socket
>> Device: 903h/2307d Inode: 7921 Links: 1
>> Access: (0666/srw-rw-rw-) Uid: ( 116/ clamav) Gid: (10024/ clamav)
>> Access: 2010-09-02 18:22:43.000000000 +0200
>> Modify: 2010-09-02 18:22:43.000000000 +0200
>> Change: 2010-09-02 18:22:43.000000000 +0200
>>
>> Which I think is what is supposed to happen?
>>
>> The thing that is strangest though, is that freshclam can't even connect
>> to the socket:
>> Received signal: wake up
>> ClamAV update process started at Thu Sep 2 09:30:35 2010
>> main.cvd is up to date (version: 52, sigs: 704727, f-level: 44, builder:
>> sven)
>> Downloading daily-11776.cdiff [100%]
>> daily.cld updated (version: 11776, sigs: 118691, f-level: 53, builder:
>> arnaud)
>> bytecode.cld is up to date (version: 40, sigs: 9, f-level: 53, builder:
>> edwin)
>> Database updated (823427 signatures) from database.clamav.net (IP:
>> xx.xx.xx.xx)
>> WARNING: Clamd was NOT notified: Can't connect to clamd through
>> /var/run/clamav/clamd.sock
>>
>> I checked/tried all obvious answers but that's just not it I think.
>>
>> Any other pointers?
>>
>> Oliver
>> _______________________________________________
>> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
>> http://www.clamav.net/support/ml
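The `ls` and `stat` output quoted in the message show only the socket's own mode; on Linux, connect() to a UNIX socket needs write permission on the socket and search (x) permission on every directory in its path. The following Python check is an added example, not part of the thread: it applies the mode-bit rules to each path component. The uid/gid values 116, 10024 and 10021 come from the post; the amavis uid and all directory modes are constructed for illustration.

```python
import os
import stat

def dac_allows(mode, owner_uid, owner_gid, uid, gids, want):
    """Classic UNIX mode-bit check: only ONE class (owner, group, other) applies."""
    if uid == 0:
        return True                      # root bypasses mode bits
    if uid == owner_uid:
        bits = (mode >> 6) & 7
    elif owner_gid in gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return (bits & want) == want

def explain_connect(chain, uid, gids):
    """chain: [(path, st_mode, st_uid, st_gid), ...] from '/' down to the socket."""
    *dirs, (spath, smode, suid, sgid) = chain
    problems = [f"{p}: no search (x) permission"
                for p, m, u, g in dirs if not dac_allows(m, u, g, uid, gids, 1)]
    if not stat.S_ISSOCK(smode):
        problems.append(f"{spath}: not a socket")
    elif not dac_allows(smode, suid, sgid, uid, gids, 2):
        problems.append(f"{spath}: no write permission")
    return problems

def stat_chain(sock_path):
    """Live use: stat every component of a real socket path."""
    chain, p = [], os.path.abspath(sock_path)
    while True:
        st = os.stat(p)
        chain.append((p, st.st_mode, st.st_uid, st.st_gid))
        if os.path.dirname(p) == p:
            return chain[::-1]
        p = os.path.dirname(p)

# uid 116 / gid 10024 (clamav) and gid 10021 (amavis) are from the post;
# the amavis uid and every directory mode below are constructed.
CLAMAV_UID, CLAMAV_GID, AMAVIS_UID, AMAVIS_GID = 116, 10024, 117, 10021

def sample_chain(clamav_dir_mode):
    """Constructed path chain; only the socket's mode and owner match the post."""
    d = stat.S_IFDIR
    return [("/", d | 0o755, 0, 0), ("/var", d | 0o755, 0, 0),
            ("/var/run", d | 0o755, 0, 0),
            ("/var/run/clamav", d | clamav_dir_mode, CLAMAV_UID, CLAMAV_GID),
            ("/var/run/clamav/clamd.sock", stat.S_IFSOCK | 0o666,
             CLAMAV_UID, CLAMAV_GID)]

if __name__ == "__main__":
    for mode in (0o755, 0o700):
        print(oct(mode), explain_connect(sample_chain(mode), AMAVIS_UID,
                                         {AMAVIS_GID, CLAMAV_GID}))
```

This models mode bits only; SELinux or any other mandatory access control is outside what it checks. On a live host, pass `stat_chain("/var/run/clamav/clamd.sock")` together with the connecting daemon's real uid and group set.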