Dave,

If you specify (uncomment) in clamd.conf:

LeaveTemporaryFiles yes

and rerun your tests, can you tell any differences in the temporary files?

You may also want to use the TemporaryDirectory config statement in order
to isolate the file for each test. Also, sometimes it is helpful to rescan
the temporary files.

Steve

On Mon, Jan 26, 2015 at 1:32 PM, Dave McMurtrie <dav...@andrew.cmu.edu>
wrote:

> Hi Steve,
>
> I had Debug enabled already, but running in Foreground mode gave me
> immensely more information.  Sadly, I still have no idea why this isn't
> working.
>
> I can see that it's loading my gdb database:
>
> LibClamAV debug: /var/lib/clamav/cmulocalsigs.gdb loaded
>
> When I run clamdscan, clamd does successfully detect the URL:
>
> LibClamAV debug: in cli_magic_scandesc (reclevel: 1/16)
> LibClamAV debug: Recognized ASCII text
> LibClamAV debug: cache_check: 6d1439176482ebeca042a0c0cf33d43a is positive
> LibClamAV debug: cli_magic_scandesc: returning 0  at line 2681 (no post, no cache)
> LibClamAV debug: in cli_magic_scandesc (reclevel: 1/16)
> LibClamAV debug: Recognized ASCII text
> LibClamAV debug: Matched signature for file type HTML data at 17
> LibClamAV debug: cache_check: fbc990a6edc02cc7c9d76986622fac6c is positive
> LibClamAV debug: cli_magic_scandesc: returning 0  at line 2681 (no post, no cache)
> LibClamAV debug: Matched signature for file type Mail file
> LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
> LibClamAV debug: cli_magic_scandesc: returning 0  at line 2470
> /var/tmp/phish.txt: Heuristics.Phishing.URL.Blacklisted FOUND
> $Finished scanthread
>
> When clamd is invoked by mimedefang, however, it doesn't:
>
> LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16)
> LibClamAV debug: Recognized ASCII text
> LibClamAV debug: cache_check: d61a028dcb54386edb203cc764bf9250 is negative
> LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
> LibClamAV debug: in cli_scanscript()
> LibClamAV debug: cli_scanscript: saving normalized file to /tmp/clamav-868ad0183f45109e1b922f2206f56c07.tmp
> LibClamAV debug: cli_magic_scandesc: returning 0  at line 2470
> LibClamAV debug: cache_add: d61a028dcb54386edb203cc764bf9250 (level 0)
> LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16)
> LibClamAV debug: Recognized ASCII text
> LibClamAV debug: Matched signature for file type HTML data at 17
> LibClamAV debug: cache_check: 6c0c6e4d39e9f9f19b78a1efa51f8242 is negative
> LibClamAV debug: in cli_scanhtml()
> LibClamAV debug: cli_scanhtml: using tempdir /tmp/clamav-d503bb5ee916fc37db14792f0914176f.tmp
> LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
> LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
> LibClamAV debug: cli_magic_scandesc: returning 0  at line 2470
> LibClamAV debug: cache_add: 6c0c6e4d39e9f9f19b78a1efa51f8242 (level 0)
> $Finished scanthread
>
> The way I'm testing this, there shouldn't be too many variables.  I have a
> raw email message that I sent to myself and then just grabbed from the
> filesystem on our Cyrus server.  I stripped out all the Received headers
> and saved a copy of it.  For the first test above, I'm pointing clamdscan
> at this file.  For the second test above, I'm simply connecting to 25/tcp
> on the mail server and manually issuing the HELO, MAIL and RCPT commands,
> then doing a cut-n-paste of the entire raw message for the DATA phase.  I
> was initially sending the message using a program I wrote that basically
> does the same except it will munge a few of the headers.  I stopped using
> that to remove any variables from my testing.
>
> In case it matters, I'm running 0.98.5 built from source.
>
> Any additional thoughts?
>
> Thanks!
>
> Dave
> ________________________________________
> From: clamav-users [clamav-users-boun...@lists.clamav.net] on behalf of
> Steven Morgan [smor...@sourcefire.com]
> Sent: Monday, January 26, 2015 11:39 AM
> To: ClamAV users ML
> Subject: Re: [clamav-users] clamscan detects, but clamd doesn't
>
> Yes, you can enable debugging in clamd by uncommenting the following line
> in your clamd.conf:
>
> #Debug yes
>
> I usually run clamd in foreground when debugging. This is done by
> uncommenting:
>
> #Foreground yes
>
> Steve
>
>
> On Mon, Jan 26, 2015 at 11:31 AM, Dave McMurtrie <dav...@andrew.cmu.edu>
> wrote:
>
> > Hi Steve,
> >
> > Thanks for the suggestion.  I didn't know clamdscan existed.  Indeed, that
> > seems to work also:
> >
> > [root@andrew-mx-t01 phish]# clamdscan ./phish_test.txt
> > ./phish_test.txt: Heuristics.Phishing.URL.Blacklisted FOUND
> >
> > ----------- SCAN SUMMARY -----------
> > Infected files: 1
> > Time: 0.017 sec (0 m 0 s)
> >
> >
> > Is there a way to configure clamd to do debug-level logging like you can
> > do with clamscan?
> >
> > Thanks!
> >
> > Dave
> >
> > ________________________________________
> > From: clamav-users [clamav-users-boun...@lists.clamav.net] on behalf of
> > Steven Morgan [smor...@sourcefire.com]
> > Sent: Monday, January 26, 2015 11:24 AM
> > To: ClamAV users ML
> > Subject: Re: [clamav-users] clamscan detects, but clamd doesn't
> >
> > Hi Dave,
> >
> > I am wondering what happens if you use clamdscan on your phish_test file?
> >
> > Steve
> >
> >
> > On Mon, Jan 26, 2015 at 7:42 AM, Dave McMurtrie <dav...@andrew.cmu.edu>
> > wrote:
> >
> > > Hi,
> > >
> > > We've been running ClamAV successfully for years.  Recently, I added a URL
> > > to our local.gdb database to block a malicious URL.  When I send a test
> > > message containing this URL through an MX server, it does not detect the
> > > URL:
> > >
> > > Jan 26 07:13:17 andrew-mx-t01 clamd[31673]:
> > > /var/spool/mqueue/mxmilter/mdefang-t0QCDGNx031682/Work/msg-31460-5.txt: OK
> > > Jan 26 07:13:17 andrew-mx-t01 clamd[31673]:
> > > /var/spool/mqueue/mxmilter/mdefang-t0QCDGNx031682/Work/msg-31460-6.html: OK
> > >
> > > However, when I run clamscan against the exact same message on the same MX
> > > server, it does successfully detect the URL:
> > >
> > > [root@andrew-mx-t01 phish]# clamscan ./phish_test.txt
> > > ./phish_test.txt: Heuristics.Phishing.URL.Blacklisted FOUND
> > >
> > > ----------- SCAN SUMMARY -----------
> > > Known viruses: 4835255
> > > Engine version: 0.98.1
> > > Scanned directories: 0
> > > Scanned files: 1
> > > Infected files: 1
> > > Data scanned: 0.00 MB
> > > Data read: 0.00 MB (ratio 0.00:1)
> > > Time: 10.179 sec (0 m 10 s)
> > >
> > > When I start clamd, I can see that it successfully loads the local.gdb
> > > file, so I know that's not the issue.
> > >
> > > Any pointers on how to troubleshoot this?  sysadmin via google has thus
> > > far failed me.
> > >
> > > Thanks!
> > >
> > > Dave
> > > _______________________________________________
> > > Help us build a comprehensive ClamAV guide:
> > > https://github.com/vrtadmin/clamav-faq
> > >
> > > http://www.clamav.net/contact.html#ml
> > >
> >
>

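The two debug traces Dave posted above (clamdscan against the saved message, and clamd driven by mimedefang) carry the facts a troubleshooter wants, but they are easy to lose in the stream of LibClamAV lines. The script below is an added example, not code from this thread or from the ClamAV project: it reduces each trace to the recursion levels entered, the file types matched, the clean-cache lookups, the temporary files written (the ones LeaveTemporaryFiles yes would keep for rescanning) and the FOUND lines, then reports where the two runs diverge. The trace text is copied from the thread with the mail-client line wrapping undone and the hashtab/cache_add noise dropped; the run labels, the ScanTrace fields and the wording of the compare() output are this example's own choices.

```python
"""Compare two LibClamAV debug traces (clamd.conf: Debug yes, Foreground yes)
to see where a clamdscan run and a milter-driven clamd run diverge."""
import re
from dataclasses import dataclass, field

# Debug lines that matter when two scans of the "same" input disagree.
RECLEVEL_RE = re.compile(r"in cli_magic_scandesc \(reclevel: (\d+)/\d+\)")
FTYPE_RE = re.compile(r"Matched signature for file type (.+?)(?: at \d+)?$")
CACHE_RE = re.compile(r"cache_check: ([0-9a-f]{32}) is (positive|negative)")
TMP_RE = re.compile(r"(/\S*clamav-[0-9a-f]{32}\.tmp)")
FOUND_RE = re.compile(r"^(\S+): (\S+) FOUND$")


@dataclass
class ScanTrace:
    reclevels: list = field(default_factory=list)   # one per cli_magic_scandesc entry
    file_types: list = field(default_factory=list)  # "Matched signature for file type ..."
    cache: dict = field(default_factory=dict)       # md5 -> "positive" (clean-cache hit) / "negative"
    temp_files: list = field(default_factory=list)  # paths LeaveTemporaryFiles yes would keep
    detections: list = field(default_factory=list)  # (path, signature) from "... FOUND" lines


def parse_trace(text):
    """Reduce a raw debug trace to the facts worth comparing between runs."""
    t = ScanTrace()
    for line in (raw.strip() for raw in text.splitlines()):
        if m := RECLEVEL_RE.search(line):
            t.reclevels.append(int(m.group(1)))
        elif m := FTYPE_RE.search(line):
            t.file_types.append(m.group(1))
        elif m := CACHE_RE.search(line):
            t.cache[m.group(1)] = m.group(2)
        elif m := TMP_RE.search(line):
            t.temp_files.append(m.group(1))
        elif m := FOUND_RE.match(line):
            t.detections.append((m.group(1), m.group(2)))
    return t


def compare(name_a, a, name_b, b):
    """Return one-line descriptions of where two parsed traces differ."""
    diffs = []
    if set(a.reclevels) != set(b.reclevels):
        diffs.append(f"recursion levels: {name_a}={sorted(set(a.reclevels))}, "
                     f"{name_b}={sorted(set(b.reclevels))}")
    for label, mine, other in ((name_a, a, b), (name_b, b, a)):
        for ftype in dict.fromkeys(mine.file_types):   # dedupe, keep order
            if ftype not in other.file_types:
                diffs.append(f"file type {ftype!r} matched only in {label}")
    cache = {}
    for label, t in ((name_a, a), (name_b, b)):
        hits = sum(1 for v in t.cache.values() if v == "positive")
        cache[label] = f"{hits} clean-cache hit(s), {len(t.cache) - hits} miss(es)"
    if len(set(cache.values())) > 1:
        diffs.extend(f"cache: {label}: {summary}" for label, summary in cache.items())
    if a.temp_files != b.temp_files:
        for label, t in ((name_a, a), (name_b, b)):
            diffs.append(f"temp files written by {label}: {t.temp_files or 'none'}")
    if set(a.detections) != set(b.detections):
        diffs.append(f"detections: {name_a}={a.detections}, {name_b}={b.detections}")
    return diffs


# Trace text copied from the thread (wrapped lines rejoined, hashtab and
# cache_add noise dropped): the clamdscan run, then the run in which
# mimedefang handed clamd the message parts.
CLAMDSCAN_TRACE = """
LibClamAV debug: in cli_magic_scandesc (reclevel: 1/16)
LibClamAV debug: Recognized ASCII text
LibClamAV debug: cache_check: 6d1439176482ebeca042a0c0cf33d43a is positive
LibClamAV debug: cli_magic_scandesc: returning 0  at line 2681 (no post, no cache)
LibClamAV debug: in cli_magic_scandesc (reclevel: 1/16)
LibClamAV debug: Recognized ASCII text
LibClamAV debug: Matched signature for file type HTML data at 17
LibClamAV debug: cache_check: fbc990a6edc02cc7c9d76986622fac6c is positive
LibClamAV debug: cli_magic_scandesc: returning 0  at line 2681 (no post, no cache)
LibClamAV debug: Matched signature for file type Mail file
LibClamAV debug: cli_magic_scandesc: returning 0  at line 2470
/var/tmp/phish.txt: Heuristics.Phishing.URL.Blacklisted FOUND
"""

MIMEDEFANG_TRACE = """
LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16)
LibClamAV debug: Recognized ASCII text
LibClamAV debug: cache_check: d61a028dcb54386edb203cc764bf9250 is negative
LibClamAV debug: cli_scanscript: saving normalized file to /tmp/clamav-868ad0183f45109e1b922f2206f56c07.tmp
LibClamAV debug: cli_magic_scandesc: returning 0  at line 2470
LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16)
LibClamAV debug: Recognized ASCII text
LibClamAV debug: Matched signature for file type HTML data at 17
LibClamAV debug: cache_check: 6c0c6e4d39e9f9f19b78a1efa51f8242 is negative
LibClamAV debug: cli_scanhtml: using tempdir /tmp/clamav-d503bb5ee916fc37db14792f0914176f.tmp
LibClamAV debug: cli_magic_scandesc: returning 0  at line 2470
"""

if __name__ == "__main__":
    for line in compare("clamdscan", parse_trace(CLAMDSCAN_TRACE),
                        "mimedefang", parse_trace(MIMEDEFANG_TRACE)):
        print(line)
```

Run against the traces above, the comparison reports that the clamdscan run entered the scanner at reclevel 1, matched the Mail file type, and found both extracted parts already in the clean cache, while the mimedefang run scanned two separate inputs (ASCII text and HTML data) at reclevel 0, missed the cache on both, wrote two temporary files under /tmp, and reported no detection. Those two temporary files are exactly what LeaveTemporaryFiles yes together with a dedicated TemporaryDirectory would preserve, so they can be rescanned with clamscan and compared against the parts clamd produces when it parses the mail file itself. To use it on your own clamd, paste the Foreground/Debug output of each run into the two strings, or read them from files.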