>>>> This is what I see from the strace:
>>>>
>>>> sendto(3, "zCONTSCAN /etc/gshadow\0", 23, 0, NULL, 0) = 23
>>>That's interesting. Does the client machine access clamav-central via a
>>>local proxy? Or more precisely, does the exemplary TCPAddr
>>>"clamav-central.company.com" resolve to an IP-address that the client
>>>machine uses on one of its interfaces?
>>
>>No, it's a direct connection. In both straces I can see a connect with the
>>correct destination address.
>>
>>On another host that has the same version of clamav and the same
>>configuration file I see the zINSTREAM call.
>>
>>The "broken" host is on the same subnet as the central clamav server. The
>>"working" host is on a different subnet.

I have another "broken" host on a different subnet, so I doubt the subnet
matters here. That wouldn't make much sense, but I'm exploring all options.

>>>>So is it safe to use --stream in this case, despite the documentation
>>>>warning?
>>>Well, somehow the central server needs to obtain the file contents for
>>>scanning.
>>
>>I wasn't sure if clamdscan was doing something else that I couldn't see with
>>strace that was causing the file to be passed.
>
>Please check if there is a
>
>bind(3, {sa_family=AF_INET, sin_port=htons(0),
>sin_addr=inet_addr("ip.addr.of.central-clamav")}, 16)
>Is that call successful or does it return an error?

socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
bind(3, {sa_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("IP address")}, 16) = 0