The 0.97 code you have running is not scanning SWF files as deeply. From the README for ClamAV 0.98: " - Scanning enhancements: New filetypes can be unpacked and scanned, including ISO9660, Flash, and self-extracting 7z files."
It is most likely that the messages you are seeing are complaining about specific files (such as a truncated SWF file). I'll take a look at the messages and code. They should probably be at warning level and not error.

Dave R.

On Wed, Oct 2, 2013 at 11:49 AM, McGranahan, Jamen <jamen.mcgrana...@vanderbilt.edu> wrote:

> It just seems odd to me that this is only happening on the servers we
> upgraded to 0.98. The servers still running 0.97 do not have this error.
> Here is the output of clamconf. If you can assist, I would greatly
> appreciate it. Thank you!
>
> Checking configuration files in /etc
>
> Config file: clamd.conf
> -----------------------
> LogFile = "/var/log/clamav/clamd.log"
> LogFileUnlock disabled
> LogFileMaxSize = "4294967295"
> LogTime = "yes"
> LogClean disabled
> LogSyslog = "yes"
> LogFacility = "LOG_LOCAL6"
> LogVerbose disabled
> LogRotate disabled
> ExtendedDetectionInfo disabled
> PidFile = "/var/run/clamav/clamd.pid"
> TemporaryDirectory = "/var/tmp"
> DatabaseDirectory = "/var/clamav"
> OfficialDatabaseOnly disabled
> LocalSocket = "/var/run/clamav/clamd.sock"
> LocalSocketGroup disabled
> LocalSocketMode disabled
> FixStaleSocket = "yes"
> TCPSocket = "3310"
> TCPAddr = "127.0.0.1"
> MaxConnectionQueueLength = "30"
> StreamMaxLength = "26214400"
> StreamMinPort = "1024"
> StreamMaxPort = "2048"
> MaxThreads = "50"
> ReadTimeout = "300"
> CommandReadTimeout = "5"
> SendBufTimeout = "500"
> MaxQueue = "100"
> IdleTimeout = "30"
> ExcludePath disabled
> MaxDirectoryRecursion = "15"
> FollowDirectorySymlinks disabled
> FollowFileSymlinks disabled
> CrossFilesystems = "yes"
> SelfCheck = "600"
> VirusEvent disabled
> ExitOnOOM disabled
> AllowAllMatchScan = "yes"
> Foreground disabled
> Debug disabled
> LeaveTemporaryFiles disabled
> User = "clamav"
> AllowSupplementaryGroups = "yes"
> Bytecode = "yes"
> BytecodeSecurity = "TrustSigned"
> BytecodeTimeout = "5000"
> BytecodeUnsigned disabled
> BytecodeMode = "Auto"
> DetectPUA disabled
> ExcludePUA disabled
> IncludePUA disabled
> AlgorithmicDetection = "yes"
> ScanPE = "yes"
> ScanELF = "yes"
> DetectBrokenExecutables = "yes"
> ScanMail = "yes"
> ScanPartialMessages disabled
> PhishingSignatures = "yes"
> PhishingScanURLs = "yes"
> PhishingAlwaysBlockCloak disabled
> PhishingAlwaysBlockSSLMismatch disabled
> HeuristicScanPrecedence disabled
> StructuredDataDetection disabled
> StructuredMinCreditCardCount = "3"
> StructuredMinSSNCount = "3"
> StructuredSSNFormatNormal = "yes"
> StructuredSSNFormatStripped disabled
> ScanHTML = "yes"
> ScanOLE2 = "yes"
> OLE2BlockMacros disabled
> ScanPDF = "yes"
> ScanSWF = "yes"
> ScanArchive = "yes"
> ArchiveBlockEncrypted disabled
> MaxScanSize = "104857600"
> MaxFileSize = "26214400"
> MaxRecursion = "16"
> MaxFiles = "10000"
> MaxEmbeddedPE = "10485760"
> MaxHTMLNormalize = "10485760"
> MaxHTMLNoTags = "2097152"
> MaxScriptNormalize = "5242880"
> MaxZipTypeRcg = "1048576"
> ScanOnAccess disabled
> OnAccessIncludePath disabled
> OnAccessExcludePath disabled
> OnAccessExcludeUID disabled
> OnAccessMaxFileSize = "5242880"
> DevACOnly disabled
> DevACDepth disabled
> DevPerformance disabled
> DevLiblog disabled
> DisableCertCheck disabled
>
> Config file: freshclam.conf
> ---------------------------
> LogFileMaxSize = "1048576"
> LogTime disabled
> LogSyslog = "yes"
> LogFacility = "LOG_LOCAL6"
> LogVerbose disabled
> LogRotate disabled
> PidFile disabled
> DatabaseDirectory = "/var/clamav"
> Foreground disabled
> Debug disabled
> AllowSupplementaryGroups disabled
> UpdateLogFile = "/var/log/clamav/freshclam.log"
> DatabaseOwner = "clamav"
> Checks = "12"
> DNSDatabaseInfo = "current.cvd.clamav.net"
> DatabaseMirror = "db.us.clamav.net", "db.us.clamav.net", "
> db.local.clamav.net"
> PrivateMirror disabled
> MaxAttempts = "3"
> ScriptedUpdates = "yes"
> TestDatabases = "yes"
> CompressLocalDatabase disabled
> ExtraDatabase disabled
> DatabaseCustomURL disabled
> HTTPProxyServer disabled
> HTTPProxyPort disabled
> HTTPProxyUsername disabled
> HTTPProxyPassword disabled
> HTTPUserAgent disabled
> NotifyClamd = "/etc/clamd.conf"
> OnUpdateExecute disabled
> OnErrorExecute disabled
> OnOutdatedExecute disabled
> LocalIPAddress disabled
> ConnectTimeout = "30"
> ReceiveTimeout = "30"
> SubmitDetectionStats disabled
> DetectionStatsCountry disabled
> DetectionStatsHostID disabled
> SafeBrowsing disabled
> Bytecode = "yes"
>
> Config file: clamav-milter.conf
> -------------------------------
> LogFile = "/var/log/clamav/clamav-milter.log"
> LogFileUnlock disabled
> LogFileMaxSize = "4294967295"
> LogTime = "yes"
> LogSyslog = "yes"
> LogFacility = "LOG_LOCAL6"
> LogVerbose disabled
> LogRotate disabled
> PidFile disabled
> TemporaryDirectory disabled
> FixStaleSocket = "yes"
> MaxThreads = "10"
> ReadTimeout = "120"
> Foreground disabled
> User = "clamav"
> AllowSupplementaryGroups = "yes"
> MaxFileSize = "26214400"
> ClamdSocket = "unix:/var/run/clamav/clamd.sock"
> MilterSocket = "unix:/var/clamav/clmilter.socket"
> MilterSocketGroup disabled
> MilterSocketMode disabled
> LocalNet disabled
> OnClean = "Accept"
> OnInfected = "Quarantine"
> OnFail = "Defer"
> RejectMsg disabled
> AddHeader = "no"
> ReportHostname disabled
> VirusAction disabled
> Chroot disabled
> Whitelist disabled
> SkipAuthenticated disabled
> LogInfected disabled
> LogClean disabled
> SupportMultipleRecipients disabled
>
> Software settings
> -----------------
> Version: 0.98
> Optional features supported: MEMPOOL IPv6 AUTOIT_EA06 BZIP2 RAR
>
> Database information
> --------------------
> Database directory: /var/clamav
> daily.cld: version 17927, sigs: 389870, built on Wed Oct 2 08:53:07 2013
> main.cld: version 55, sigs: 2424225, built on Tue Sep 17 09:57:28 2013
> bytecode.cld: version 226, sigs: 43, built on Thu Sep 19 08:12:03 2013
> Total number of signatures: 2814138
>
> Platform information
> --------------------
> uname: Linux 2.6.18-194.11.4.el5 #1 SMP Fri Sep 17 04:57:05 EDT 2010 x86_64
> OS: linux-gnu, ARCH: x86_64, CPU: x86_64
> Full OS version: "Red Hat Enterprise Linux Server release 5.10 (Tikanga)"
> zlib version: 1.2.3 (1.2.3), compile flags: a9
> platform id: 0x0a214a4a0800000000040102
>
> Build information
> -----------------
> GNU C: 4.1.2 20080704 (Red Hat 4.1.2-54) (4.1.2)
> CPPFLAGS:
> CFLAGS: -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
> -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic
> -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE
> CXXFLAGS: -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
> -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic
> LDFLAGS:
> Configure: '--build=x86_64-redhat-linux-gnu'
> '--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu'
> '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin'
> '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share'
> '--includedir=/usr/include' '--libdir=/usr/lib64'
> '--libexecdir=/usr/libexec' '--localstatedir=/var'
> '--sharedstatedir=/usr/com' '--mandir=/usr/share/man'
> '--infodir=/usr/share/info' '--program-prefix=' '--disable-clamav'
> '--disable-llvm' '--disable-static' '--disable-zlib-vcheck'
> '--enable-check' '--enable-clamdtop' '--enable-dns' '--enable-id-check'
> '--enable-milter' '--with-dbdir=/var/clamav' '--with-group=clamav'
> '--with-libcurl' '--with-user=clamav' 'build_alias=x86_64-redhat-linux-gnu'
> 'host_alias=x86_64-redhat-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu'
> 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
> -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic'
> --enable-ltdl-convenience
> sizeof(void*) = 8
> Engine flevel: 74, dconf: 74
>
> Jamen McGranahan
> Systems Services Librarian
> Vanderbilt University Library
>
>
> -----Original Message-----
> From: clamav-users-boun...@lists.clamav.net [mailto:
> clamav-users-boun...@lists.clamav.net] On Behalf Of David Raynor
> Sent: Monday, September 30, 2013 8:17 AM
> To: ClamAV users ML
> Subject: Re: [clamav-users] 0.98 / LibClamAV Warning & Error
>
> On Sun, Sep 29, 2013 at 6:16 AM, McGranahan, Jamen <
> jamen.mcgrana...@vanderbilt.edu> wrote:
>
> > I'm using Clam 0.98 on RedHat 5 servers and since upgrading to 0.98, I
> > am seeing the following when trying to run a clamscan:
> >
> > LibClamAV Warning: SWF: Invalid tag length
> > LibClamAV Error: cli_scanswf: GETBITS: Can't read file
> >
> > I've never seen this error before and am not sure how to correct it. I
> > couldn't find anything that remotely relates to this when trying to
> > search for it, so any advice and/or suggestions are greatly
> > appreciated. Since this is happening on one of our primary servers, it
> > makes me nervous, so I really need to get this fixed ASAP. Thank you!
> >
> > Jamen McGranahan
> > Systems Services Librarian
> > Vanderbilt University Library
> > Central Library
> > Room 811
> > 419 21st Avenue South
> > Nashville, TN 37214
> >
> > _______________________________________________
> > Help us build a comprehensive ClamAV guide:
> > https://github.com/vrtadmin/clamav-faq
> > http://www.clamav.net/support/ml
> >
>
> This error message comes from reading bits out of a SWF file. It has two
> potential causes:
> 1) Invalid offset inside file (less serious, problem with the file)
> 2) File read failed (more serious, problem accessing the file or the fmap)
>
> If you are not seeing other issues and warnings, it is most likely due to
> problem files and not a more serious issue. If you find a file that
> re-creates the issue, we can take a look. Any more assessment than this
> will require a file and/or your configuration as reported by clamconf.
>
> Hope this helps,
>
> Dave R.
>
> --
> ---
> Dave Raynor
> Sourcefire Vulnerability Research Team
> dray...@sourcefire.com

--
---
Dave Raynor
Sourcefire Vulnerability Research Team
dray...@sourcefire.com
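
Added example, not part of the original thread and not ClamAV's code: a stand-alone structural check that walks an SWF file's tag headers to locate truncated files of the kind the replies above suspect. It follows the published SWF container layout rather than ClamAV's parser; `check_swf` and `build_sample` are hypothetical names, and the sample bytes are constructed.

```python
import struct
import zlib

def check_swf(data: bytes) -> str:
    """Walk the SWF tag stream; return "ok" or the first structural problem."""
    if len(data) < 8 or data[:3] not in (b"FWS", b"CWS"):
        return "not an FWS/CWS file (LZMA 'ZWS' is not handled here)"
    body = data[8:]
    if data[:3] == b"CWS":  # everything after the 8-byte header is zlib-compressed
        try:
            body = zlib.decompressobj().decompress(body)  # tolerates a cut-off stream
        except zlib.error as exc:
            return f"corrupt zlib stream: {exc}"
    end = len(body)
    if end < 1:
        return "header truncated"
    # RECT frame size: 5-bit field width, then four fields of that width, byte-padded
    nbits = body[0] >> 3
    pos = (5 + 4 * nbits + 7) // 8 + 4  # + frame rate (2 bytes) + frame count (2 bytes)
    if pos > end:
        return "header truncated"
    while pos + 2 <= end:
        start = pos
        code_len = struct.unpack_from("<H", body, pos)[0]
        code, length = code_len >> 6, code_len & 0x3F
        pos += 2
        if length == 0x3F:  # long form: the real length is in the next 4 bytes
            if pos + 4 > end:
                return f"tag {code} at body offset {start}: long length cut off"
            length = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        if length > end - pos:
            return f"tag {code} at body offset {start}: length {length} > {end - pos} bytes left"
        pos += length
        if code == 0:  # End tag closes the top-level tag stream
            return "ok"
    return f"data ends at body offset {pos} without an End tag"

def build_sample() -> bytes:
    """Constructed minimal SWF: empty RECT, SetBackgroundColor, ShowFrame, End."""
    body = b"\x00" + struct.pack("<HH", 0x0C00, 1)  # RECT(nbits=0), 12 fps, 1 frame
    body += struct.pack("<H", (9 << 6) | 3) + b"\xff\xff\xff"  # SetBackgroundColor
    body += struct.pack("<H", 1 << 6) + struct.pack("<H", 0)   # ShowFrame, End
    return b"FWS" + bytes([10]) + struct.pack("<I", 8 + len(body)) + body

if __name__ == "__main__":
    sample = build_sample()
    for name, blob in [("intact", sample), ("truncated", sample[:-6])]:
        print(name, "->", check_swf(blob))
```

Offsets in the messages are relative to the (decompressed) body that follows the 8-byte file header.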