Hi Steve,

I had Debug enabled already, but running in Foreground mode gave me immensely 
more information.  Sadly, I still have no idea why this isn't working.

I can see that it's loading my gdb database:

LibClamAV debug: /var/lib/clamav/cmulocalsigs.gdb loaded

When I run clamdscan, clamd does successfully detect the URL:

LibClamAV debug: in cli_magic_scandesc (reclevel: 1/16)
LibClamAV debug: Recognized ASCII text
LibClamAV debug: cache_check: 6d1439176482ebeca042a0c0cf33d43a is positive
LibClamAV debug: cli_magic_scandesc: returning 0  at line 2681 (no post, no cache)
LibClamAV debug: in cli_magic_scandesc (reclevel: 1/16)
LibClamAV debug: Recognized ASCII text
LibClamAV debug: Matched signature for file type HTML data at 17
LibClamAV debug: cache_check: fbc990a6edc02cc7c9d76986622fac6c is positive
LibClamAV debug: cli_magic_scandesc: returning 0  at line 2681 (no post, no cache)
LibClamAV debug: Matched signature for file type Mail file
LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
LibClamAV debug: cli_magic_scandesc: returning 0  at line 2470
/var/tmp/phish.txt: Heuristics.Phishing.URL.Blacklisted FOUND
$Finished scanthread

When clamd is invoked by mimedefang, however, it doesn't:

LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16)
LibClamAV debug: Recognized ASCII text
LibClamAV debug: cache_check: d61a028dcb54386edb203cc764bf9250 is negative
LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
LibClamAV debug: in cli_scanscript()
LibClamAV debug: cli_scanscript: saving normalized file to /tmp/clamav-868ad0183f45109e1b922f2206f56c07.tmp
LibClamAV debug: cli_magic_scandesc: returning 0  at line 2470
LibClamAV debug: cache_add: d61a028dcb54386edb203cc764bf9250 (level 0)
LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16)
LibClamAV debug: Recognized ASCII text
LibClamAV debug: Matched signature for file type HTML data at 17
LibClamAV debug: cache_check: 6c0c6e4d39e9f9f19b78a1efa51f8242 is negative
LibClamAV debug: in cli_scanhtml()
LibClamAV debug: cli_scanhtml: using tempdir /tmp/clamav-d503bb5ee916fc37db14792f0914176f.tmp
LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
LibClamAV debug: cli_magic_scandesc: returning 0  at line 2470
LibClamAV debug: cache_add: 6c0c6e4d39e9f9f19b78a1efa51f8242 (level 0)
$Finished scanthread

The way I'm testing this, there shouldn't be too many variables.  I have a raw 
email message that I sent to myself and then just grabbed from the filesystem 
on our Cyrus server.  I stripped out all the Received headers and saved a copy 
of it.  For the first test above, I'm pointing clamdscan at this file.  For the 
second test above, I'm simply connecting to 25/tcp on the mail server and 
manually issuing the HELO, MAIL and RCPT commands, then doing a cut-n-paste of 
the entire raw message for the DATA phase.  I was initially sending the message 
using a program I wrote that basically does the same except it will munge a few 
of the headers.  I stopped using that to remove any variables from my testing.

In case it matters, I'm running 0.98.5 built from source.

Any additional thoughts?

Thanks!

Dave
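One way to reproduce the two scan paths side by side without a mail server in the loop: stream the whole raw message to clamd, then stream each leaf MIME part on its own, the way a milter hands clamd one extracted file at a time. This is an added diagnostic script, not code from the thread or from ClamAV; the socket path and the sample message are assumptions.

```python
import email
import socket
import struct
from email import policy

# Constructed sample message, not the poster's real test file.
RAW_MESSAGE = b"""From: sender@example.test
Subject: test
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain

Please visit http://phish.example.test/login
--b1
Content-Type: text/html

<html><body><a href="http://phish.example.test/login">login</a></body></html>
--b1--
"""

def split_parts(raw):
    """Decoded body of each leaf MIME part, roughly what a milter such as
    mimedefang writes to disk and hands to clamd one file at a time."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [(p.get_content_type(), p.get_payload(decode=True))
            for p in msg.walk() if not p.is_multipart()]

def instream_frames(data, chunk=8192):
    """clamd INSTREAM framing: a 4-byte big-endian length before each chunk,
    and a zero-length chunk to end the stream."""
    pieces = [data[i:i + chunk] for i in range(0, len(data), chunk)] + [b""]
    return b"zINSTREAM\0" + b"".join(struct.pack(">I", len(p)) + p for p in pieces)

def scan_with_clamd(data, sock_path="/var/run/clamav/clamd.sock"):
    """Stream data to clamd and return its verdict line, e.g.
    'stream: Heuristics.Phishing.URL.Blacklisted FOUND' or 'stream: OK'."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)  # assumed path: match LocalSocket in clamd.conf
        s.sendall(instream_frames(data))
        reply = b"".join(iter(lambda: s.recv(4096), b""))  # clamd closes when done
    return reply.rstrip(b"\0").decode(errors="replace")

if __name__ == "__main__":
    print("whole message:", scan_with_clamd(RAW_MESSAGE))
    for ctype, body in split_parts(RAW_MESSAGE):
        print(ctype + ":", scan_with_clamd(body))
```

If the whole message is flagged but the individual parts are not, the difference lies in what the milter passes to clamd rather than in the signature database.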
________________________________________
From: clamav-users [clamav-users-boun...@lists.clamav.net] on behalf of Steven 
Morgan [smor...@sourcefire.com]
Sent: Monday, January 26, 2015 11:39 AM
To: ClamAV users ML
Subject: Re: [clamav-users] clamscan detects, but clamd doesn't

Yes, you can enable debugging in clamd by uncommenting the following line
in your clamd.conf:

#Debug yes

I usually run clamd in foreground when debugging. This is done by
uncommenting:

#Foreground yes

Steve


On Mon, Jan 26, 2015 at 11:31 AM, Dave McMurtrie <dav...@andrew.cmu.edu>
wrote:

> Hi Steve,
>
> Thanks for the suggestion.  I didn't know clamdscan existed.  Indeed, that
> seems to work also:
>
> [root@andrew-mx-t01 phish]# clamdscan ./phish_test.txt
> ./phish_test.txt: Heuristics.Phishing.URL.Blacklisted FOUND
>
> ----------- SCAN SUMMARY -----------
> Infected files: 1
> Time: 0.017 sec (0 m 0 s)
>
>
> Is there a way to configure clamd to do debug-level logging like you can
> do with clamscan?
>
> Thanks!
>
> Dave
>
> ________________________________________
> From: clamav-users [clamav-users-boun...@lists.clamav.net] on behalf of
> Steven Morgan [smor...@sourcefire.com]
> Sent: Monday, January 26, 2015 11:24 AM
> To: ClamAV users ML
> Subject: Re: [clamav-users] clamscan detects, but clamd doesn't
>
> Hi Dave,
>
> I am wondering what happens if you use clamdscan on your phish_test file?
>
> Steve
>
>
> On Mon, Jan 26, 2015 at 7:42 AM, Dave McMurtrie <dav...@andrew.cmu.edu>
> wrote:
>
> > Hi,
> >
> > We've been running ClamAV successfully for years.  Recently, I added a URL
> > to our local.gdb database to block a malicious URL.  When I send a test
> > message containing this URL through an MX server, it does not detect the
> > URL:
> >
> > Jan 26 07:13:17 andrew-mx-t01 clamd[31673]: /var/spool/mqueue/mxmilter/mdefang-t0QCDGNx031682/Work/msg-31460-5.txt: OK
> > Jan 26 07:13:17 andrew-mx-t01 clamd[31673]: /var/spool/mqueue/mxmilter/mdefang-t0QCDGNx031682/Work/msg-31460-6.html: OK
> >
> > However, when I run clamscan against the exact same message on the same MX
> > server, it does successfully detect the URL:
> >
> > [root@andrew-mx-t01 phish]# clamscan ./phish_test.txt
> > ./phish_test.txt: Heuristics.Phishing.URL.Blacklisted FOUND
> >
> > ----------- SCAN SUMMARY -----------
> > Known viruses: 4835255
> > Engine version: 0.98.1
> > Scanned directories: 0
> > Scanned files: 1
> > Infected files: 1
> > Data scanned: 0.00 MB
> > Data read: 0.00 MB (ratio 0.00:1)
> > Time: 10.179 sec (0 m 10 s)
> >
> > When I start clamd, I can see that it successfully loads the local.gdb
> > file, so I know that's not the issue.
> >
> > Any pointers on how to troubleshoot this?  sysadmin via google has thus
> > far failed me.
> >
> > Thanks!
> >
> > Dave
> > _______________________________________________
> > Help us build a comprehensive ClamAV guide:
> > https://github.com/vrtadmin/clamav-faq
> >
> > http://www.clamav.net/contact.html#ml
> >