On Tue, 31 May 2022, John Paul Guay wrote:

Hi Andrew,

Initially we had an issue where we were using v0.102.4 and noticed this
stopped working January 4th, 2022. We thought it was an issue with our
proxy since we couldn't download the virus database (we have whitelisted
sites since we're a high profile federal department in the Canadian
government) but after further investigation we realized it was because our
version of ClamAV was no longer supported. We upgraded our Master server to
0.103.6 and are now able to download the virus database daily.

Okay, here's what I have so far. We have a script that runs daily on each
agent. Here is the script:

[root@seti*** ClamAV-scan-scripts]# cat daily_scan
#!/bin/bash
LOGFILE="/var/log/clamav/seti***-clamav-$(date +'%Y-%m-%d').log";
#EMAIL_MSG="Please see the log file attached.";
#EMAIL_FROM="[email protected]";
#EMAIL_TO="[email protected]";
#DIRTOSCAN="/var/www /var/vmail";
DIRTOSCAN="/ /disk /disk2";

for S in ${DIRTOSCAN}; do
  DIRSIZE=$(du -sh "$S" 2>/dev/null | cut -f1);

  echo "Starting a daily scan of $S directory.
Amount of data to be scanned is $DIRSIZE.";

  # clamscan -ri "$S" >> "$LOGFILE";
  # one command: the line break is escaped so the second row of options
  # is not executed as a separate command
  clamscan -ri --exclude=/root/quarantine --exclude=^/sys \
    --max-scansize=500M --move=/root/quarantine "$S" >> "$LOGFILE";
  chmod 644 "$LOGFILE"

  # get the value of the "Infected files" line from the summary just appended
  MALWARE=$(tail "$LOGFILE"|grep Infected|cut -d" " -f3);

  # if the value is not equal to zero, send an email with the log file attached
  if [ "$MALWARE" -ne "0" ];then
    # using heirloom-mailx below
    echo "$EMAIL_MSG"|mail -a "$LOGFILE" -s "Malware Found" -r "$EMAIL_FROM" \
      "$EMAIL_TO";
  fi
done

exit 0
______________________________________

Unusual to have *** in a variable for a filename.
My bash does not behave differently with one or three stars
(unless I set globstar, and that only needs **)

This generates a log file with the following info:

[root@seti*** clamav]# cat seti***-clamav-2022-05-31.log

----------- SCAN SUMMARY -----------
Known viruses: 8617062
Engine version: 0.102.4
Scanned directories: 34535
Scanned files: 264418
Infected files: 0
Data scanned: 19818.75 MB
Data read: 20187.30 MB (ratio 0.98:1)
Time: 4818.083 sec (80 m 18 s)

----------- SCAN SUMMARY -----------
Known viruses: 8617062
Engine version: 0.102.4
Scanned directories: 7
Scanned files: 0
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 22.803 sec (0 m 22 s)

----------- SCAN SUMMARY -----------
Known viruses: 8617062
Engine version: 0.102.4
Scanned directories: 0
Scanned files: 0
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 22.697 sec (0 m 22 s)

____________________________________

Then on the Master Server we have 2 bash scripts that run. The first script
gathers all of the log files from each agent:

[root@seti*** scripts]# cat rsync_clam.sh
#!/usr/bin/sh
# This is a script to copy files from one host to a group of hosts

# There are three variables accepted via commandline
# $1 = first parameter (/source_path/source_filename)
# $2 = second parameter (/target_directory/)
# $3 = third parameter (file that contains list of hosts)
# (the values below are hard-coded; $1, $2 and $3 are never read)

SOURCEFILE=/var/log/clamav/seti*-clamav-2022*.log
TARGETDIR=/disk/ClamAV_scan_reports
HOSTFILE=/home/padmin/scripts/servers.txt

# this tests for a matching file on THIS host, not on the remote servers,
# and the test errors out if the glob matches more than one local file
if [ -f $SOURCEFILE ]
then
  printf "File found, preparing to transfer\n"
  while read server
  do
    # scp -p $SOURCEFILE ${server}:$TARGETDIR
    # pull the matching logs from $server and delete them there; the glob
    # is quoted so it is expanded by the remote shell, not by this one
    rsync -zar --remove-source-files "padmin@$server:$SOURCEFILE" "$TARGETDIR"
  done < "$HOSTFILE"
else
  printf "File \"$SOURCEFILE\" not found\n"
  exit 0   # exits 0 even when nothing was found, so cron sees success
fi
exit 0
_________________________________

The second script merges the results into one log file on the master:

[root@seti*** scripts]# cat merge_scan_report.sh
#!/bin/bash
LOGFILE="/disk/ClamAV_scan_reports/daily_virus_scan_report-$(date +'%Y-%m-%d')" ;
# if no *.log files arrived from the agents, nothing is read here but
# ">>" still creates the report, which is then 0 bytes
more /disk/ClamAV_scan_reports/*.log | cat >> "$LOGFILE" ;

rm -rf /disk/ClamAV_scan_reports/seti*.log ;

exit 0
________________________________

Given that the problem started at the year-change, the definition
of SOURCEFILE concerns me.

*** When did you update it for this year ? ***

I admit that most of my logging is only single lines, but is there
a good reason not to use an existing network logging tool
like syslog, rsyslog or possibly systemd-journald?

In my experience they are usually much better debugged than
home-grown scripts (the only millennium-bugs that caught me were
ones I had written).

Everything was working and generating the results and merging to the master
until January 1st of this year:

-rw-r--r-- 1 root root  12369 Dec 27 07:10 daily_virus_scan_report-2021-12-27
-rw-r--r-- 1 root root  11564 Dec 28 07:10 daily_virus_scan_report-2021-12-28
-rw-r--r-- 1 root root  13172 Dec 29 07:10 daily_virus_scan_report-2021-12-29
-rw-r--r-- 1 root root  12369 Dec 30 07:10 daily_virus_scan_report-2021-12-30
-rw-r--r-- 1 root root  10434 Dec 31 07:10 daily_virus_scan_report-2021-12-31
-rw-r--r-- 1 root root      0 Jan  1 07:10 daily_virus_scan_report-2022-01-01
-rw-r--r-- 1 root root      0 Jan  2 07:10 daily_virus_scan_report-2022-01-02
-rw-r--r-- 1 root root      0 Jan  3 07:10 daily_virus_scan_report-2022-01-03
-rw-r--r-- 1 root root      0 Jan  4 07:10 daily_virus_scan_report-2022-01-04

-rw-r--r-- 1 root root      0 May 31 07:10 daily_virus_scan_report-2022-05-31

This is where we're at and I don't know what to check to see where it
stopped working.

Any guidance would be greatly appreciated.

Thanks

JP

On Tue, May 31, 2022 at 7:32 AM John Paul Guay <[email protected]>
wrote:

Thanks for replying Andrew. I realize I didn’t provide much regarding the
needle or the haystack. I will gather as much info as possible and will
update this thread shortly.

JP

On Tue, May 31, 2022 at 7:28 AM Andrew C Aitchison <[email protected]>
wrote:

On Tue, 31 May 2022, John Paul Guay via clamav-users wrote:

Hello,

I’m new to ClamAV and I need help to fix our master server so it will
scan each agent daily. I work in a federal department in government and
I’ve been working in our lab environment. We had a consultant who had
set up our ClamAV to scan all of our Linux VM’s and he left good
documentation but nothing on the issue we’ve encountered now. Everything
was working fine, which I thought, but something “broke” and now it
doesn’t do the daily scans of each agent and send the report to the
master. It was working until January 1st, 2022. I’m not sure if anything
changed between last year and this year but I need to get this fixed
ASAP. I realize this doesn’t provide many details but I can provide
anything you need. If I can get a conversation opened with someone who
knows what they’re doing when it comes to ClamAV, that would be great!

Hmm. Do you have a message somewhere saying that something broke ?
If so can we have that please, and where you found it.

Without that much, our first problem is to find the haystack,
never mind the needle, and that is unlikely to benefit from knowledge
of ClamAV.

Can you find out whether the master is supposed to request each scan,
or whether the VMs/agents start the scans on their own initiative ?

Which platforms are in use could help too - all of them, as we don't know
which machine broke.

--
Andrew C. Aitchison                                     Kendal, UK
                        [email protected]

--
Andrew C. Aitchison                                     Kendal, UK
                        [email protected]
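The collection pipeline quoted in this thread only reports on the logs that happened to arrive, so a pull that brings nothing back shows up as a 0-byte merged report and nothing else. The script below is an added example, written for this page and not code from the thread, from JP's consultant or from ClamAV: a check the master could run from cron after the merge. For every host in the server list it classifies that day's log as OK, INFECTED, NOSCAN (a summary with zero files scanned), EMPTY (a log with no summary at all) or MISSING (no log at all) and returns the number of hosts that are not OK, so cron notices a non-zero exit instead of silence. The hostnames agent1 to agent5, the scratch report directory and the sample logs are constructed for the demo; the log name pattern host-clamav-YYYY-MM-DD.log follows the daily_scan script quoted above.

```bash
#!/bin/bash
# Added example: per-agent health check for the ClamAV report collection
# described in the thread. Not code from the thread or from ClamAV.
# Log names follow daily_scan: <host>-clamav-YYYY-MM-DD.log

# Sum the numeric value of every "<label>: N" line in a clamscan log.
# daily_scan appends one SCAN SUMMARY per scanned directory, so the counts
# are added up rather than reading only the last block (whose "Scanned
# files: 0" for an empty directory would otherwise look like a failed scan).
# Prints "unknown" when no such line exists (empty or truncated log).
summary_total() {          # $1 = log file, $2 = label, e.g. "Infected files"
    awk -v label="$2" '
        index($0, label ":") == 1 { sum += $NF; found = 1 }
        END { if (found) print sum + 0; else print "unknown" }' "$1"
}

# Classify one agent's report for a given day (one word, plus the count
# for INFECTED).
agent_status() {           # $1 = report dir, $2 = host, $3 = YYYY-MM-DD
    local log="$1/$2-clamav-$3.log" infected scanned
    [ -f "$log" ] || { printf 'MISSING\n'; return; }
    infected=$(summary_total "$log" "Infected files")
    scanned=$(summary_total "$log" "Scanned files")
    if [ "$infected" = unknown ]; then
        printf 'EMPTY\n'                       # log exists but has no summary
    elif [ "$infected" -gt 0 ]; then
        printf 'INFECTED %s\n' "$infected"
    elif [ "$scanned" = unknown ] || [ "$scanned" -eq 0 ]; then
        printf 'NOSCAN\n'                      # summary present, nothing scanned
    else
        printf 'OK\n'
    fi
}

# Check every host in the server list; print one line per host and return
# the number of hosts that are not OK (non-zero so cron/mail can alert).
check_all_agents() {       # $1 = report dir, $2 = host list file, $3 = YYYY-MM-DD
    local host status failures=0
    while read -r host; do
        [ -n "$host" ] || continue
        status=$(agent_status "$1" "$host" "$3")
        printf '%-10s %s\n' "$host" "$status"
        [ "$status" = OK ] || failures=$((failures + 1))
    done < "$2"
    return "$failures"
}

# Constructed sample data (hostnames and contents made up for the demo):
# agent1 mirrors the multi-summary log quoted in the thread, agent2 has a
# 0-byte log like the January reports, agent3 reports one infected file,
# agent4 is listed but delivered nothing, agent5 scanned zero files.
make_samples() {
    local dir
    dir=$(mktemp -d)
    cat > "$dir/agent1-clamav-2022-05-31.log" <<'EOF'
----------- SCAN SUMMARY -----------
Known viruses: 8617062
Scanned directories: 34535
Scanned files: 264418
Infected files: 0
Data scanned: 19818.75 MB
----------- SCAN SUMMARY -----------
Scanned directories: 7
Scanned files: 0
Infected files: 0
EOF
    : > "$dir/agent2-clamav-2022-05-31.log"
    printf 'Scanned files: 12\nInfected files: 1\n' > "$dir/agent3-clamav-2022-05-31.log"
    printf 'Scanned files: 0\nInfected files: 0\n' > "$dir/agent5-clamav-2022-05-31.log"
    printf 'agent1\nagent2\nagent3\nagent4\nagent5\n' > "$dir/servers.txt"
    printf '%s\n' "$dir"
}

# Stand-alone demo: prints one line per host, then "4 agent(s) need attention".
demo() {
    local dir rc
    dir=$(make_samples)
    check_all_agents "$dir" "$dir/servers.txt" 2022-05-31 && rc=0 || rc=$?
    printf '%s agent(s) need attention\n' "$rc"
    rm -rf "$dir"
}
demo
```

In production the call to make_samples is replaced by the real report directory and servers.txt, and the check runs after merge_scan_report.sh so a day on which rsync pulled nothing is flagged as MISSING for every host rather than producing a quiet 0-byte report.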
_______________________________________________

clamav-users mailing list
[email protected]
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat
