How long has this been going on? What is your database set? What version of ClamAV are you using? Are you using the VirusEvent hook?
I've searched the code base high and low and can't find any reasonable excuse why the virus name would be "(null)". There is one reference, but it only uses "(null)" as the virus name in performance event logging for pcre statistics (a --statistics=pcre option for clamscan), and not for actual virus reporting. Suffice to say we're pretty stumped as to why you are seeing that.

You can disable Firefox caching as a bandaid to eliminate the logs, but I doubt you want to.

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

On Aug 1, 2018, at 6:16 AM, Kretschmer, Jens <kretschmer.j...@siemens.com> wrote:

Hi,

we have ScanOnAccess and OnAccessExtraScanning activated. When I open firefox I get a lot of messages written to /var/log/messages every couple of seconds:

Aug 1 12:07:02 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/entries/3F5C8E984584F19905AC4995D97962FE97EFFBEB: (null) FOUND
Aug 1 12:07:02 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/doomed/1472223436: (null) FOUND
Aug 1 12:07:02 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/entries/5A9A7B6DCAF96FA85AB400F1EFB97A4D2BE4289E: (null) FOUND
Aug 1 12:07:02 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/doomed/715632663: (null) FOUND
Aug 1 12:07:04 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/entries/8F2E3CF4AC8F00C3ACE4C932BEA76F2089A593E1: (null) FOUND
Aug 1 12:07:04 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/doomed/277127757: (null) FOUND
Aug 1 12:07:05 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/entries/703A8CB3B4C8311394915B3A285359E7E1AF7520: (null) FOUND
Aug 1 12:07:06 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/doomed/1628703657: (null) FOUND
Aug 1 12:07:06 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/entries/5D7DBEB1898CFD7B33E3406F9CA1B6D3BA12C3B6: (null) FOUND
Aug 1 12:07:06 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/doomed/1952686252: (null) FOUND
Aug 1 12:07:07 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/doomed/449677348: (null) FOUND
Aug 1 12:07:07 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/doomed/829574285: (null) FOUND
Aug 1 12:07:07 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/entries/D2BB3C327EF38DDD2FE5E544DBBE084493F1D608: (null) FOUND
Aug 1 12:07:07 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/entries/8F2E3CF4AC8F00C3ACE4C932BEA76F2089A593E1: (null) FOUND
Aug 1 12:07:07 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/doomed/636557989: (null) FOUND
Aug 1 12:07:07 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/entries/5A9A7B6DCAF96FA85AB400F1EFB97A4D2BE4289E: (null) FOUND
Aug 1 12:07:10 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/doomed/1707731390: (null) FOUND
Aug 1 12:07:10 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/doomed/617693635: (null) FOUND
Aug 1 12:07:11 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/entries/5D7DBEB1898CFD7B33E3406F9CA1B6D3BA12C3B6: (null) FOUND
Aug 1 12:07:11 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/doomed/1367025624: (null) FOUND
Aug 1 12:07:12 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/doomed/1089051163: (null) FOUND
Aug 1 12:07:13 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/doomed/2003921810: (null) FOUND
Aug 1 12:07:15 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/entries/703A8CB3B4C8311394915B3A285359E7E1AF7520: (null) FOUND
Aug 1 12:07:15 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/doomed/1845070701: (null) FOUND
Aug 1 12:07:16 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/doomed/250378345: (null) FOUND
Aug 1 12:07:16 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/entries/5D7DBEB1898CFD7B33E3406F9CA1B6D3BA12C3B6: (null) FOUND

I already hide the “ScanOnAccess: Performing additional scanning on file …” messages by adding

    :msg, startswith, "ScanOnAccess: Performing additional scanning on file" stop

to a file in /etc/rsyslog.d/. But the messages mentioned above have exactly the same format as when malware is found, so I would rather not hide them.

Apart from the fact that those messages are cluttering /var/log/messages, they also trigger malware alarms on our central syslog server. What can I do to stop those messages?

Best regards,
Jens

_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
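Since the "(null) FOUND" lines share the format of real detections, a log consumer can tell them apart only by the signature-name field. The following is an added example, not part of the thread and not ClamAV code: a small triage parser that keeps named detections as alerts and counts "(null)" results per directory for separate review. The function name `triage`, the sample signature name and the two non-"(null)" sample lines are assumptions constructed for illustration.

```python
import posixpath
import re
from collections import Counter

# On-access result line as quoted in the thread:
#   <syslog prefix> clamd[pid]: ScanOnAccess: <path>: <signature name> FOUND
FOUND_RE = re.compile(
    r"clamd\[\d+\]:\s+ScanOnAccess:\s+(?P<path>.+):\s+(?P<name>\S.*?)\s+FOUND\s*$"
)

CACHE = "/home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2"
PREFIX = "Aug 1 12:07:02 hostname1 clamd[4051]: ScanOnAccess: "

# Constructed sample. The first three lines follow the format reported in the
# thread; the last two are invented here for contrast.
SAMPLE = [
    PREFIX + CACHE + "/doomed/1472223436: (null) FOUND",
    PREFIX + CACHE + "/entries/3F5C8E984584F19905AC4995D97962FE97EFFBEB: (null) FOUND",
    PREFIX + CACHE + "/doomed/715632663: (null) FOUND",
    PREFIX + "Performing additional scanning on file /home/user1/notes.txt",
    PREFIX + "/home/user1/Downloads/eicar.com: Eicar-Test-Signature FOUND",
]


def triage(lines):
    """Split FOUND events into named detections and '(null)' anomalies.

    Returns (named, unnamed): named is a list of (path, signature) tuples that
    should still raise an alert; unnamed is a Counter of '(null)' results keyed
    by parent directory, kept for review instead of being discarded.
    """
    named, unnamed = [], Counter()
    for line in lines:
        m = FOUND_RE.search(line)
        if not m:
            continue  # not a scan result, e.g. "Performing additional scanning"
        path, name = m.group("path"), m.group("name")
        if name == "(null)":
            unnamed[posixpath.dirname(path)] += 1
        else:
            named.append((path, name))
    return named, unnamed


if __name__ == "__main__":
    alerts, anomalies = triage(SAMPLE)
    print("alerts:", alerts)
    print("unnamed results per directory:", dict(anomalies))
```
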