Re: [clamav-users] temporary directories left in /var/lib/clamav

2017-06-20 Thread David Pullman
Hi Steve,

I've gathered some logs from one of the servers that had a bunch of the
clamor-nn.tmp directories over a number of days. I've aggregated
seven days of them below (we rotate the log daily). We run freshclam from
cron each day.

Please let me know if there's any suggestion on how I can get a definitive
reason for this, or correcting this? We have two issues, one is of course
that the sigs are not updated, but also on some of the smaller instances
the disk space is affected by the tmp files left in /var/lib/clamav.

Thanks very much for any suggestions or help!

Tue Jun 13 00:03:01 2017 -> --
Tue Jun 13 00:03:01 2017 -> ClamAV update process started at Tue Jun 13 00:03:01 2017
Tue Jun 13 00:03:01 2017 -> main.cld is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Tue Jun 13 00:03:09 2017 -> Downloading daily-23452.cdiff [100%]
Tue Jun 13 00:03:10 2017 -> Downloading daily-23453.cdiff [100%]
Tue Jun 13 00:03:13 2017 -> Downloading daily-23454.cdiff [100%]
Wed Jun 14 00:03:02 2017 -> --
Wed Jun 14 00:03:02 2017 -> ClamAV update process started at Wed Jun 14 00:03:02 2017
Wed Jun 14 00:03:02 2017 -> main.cld is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Wed Jun 14 00:03:38 2017 -> nonblock_connect: connect timing out (30 secs)
Wed Jun 14 00:03:38 2017 -> Can't connect to port 80 of host db.us.clamav.net (IP: 207.57.106.31)
Wed Jun 14 00:04:08 2017 -> nonblock_connect: connect timing out (30 secs)
Wed Jun 14 00:04:08 2017 -> Can't connect to port 80 of host db.us.clamav.net (IP: 208.72.56.53)
Wed Jun 14 00:04:08 2017 -> Trying host db.us.clamav.net (69.163.100.14)...
Wed Jun 14 00:04:08 2017 -> Downloading daily-23452.cdiff [100%]
Wed Jun 14 00:04:08 2017 -> Downloading daily-23453.cdiff [100%]
Wed Jun 14 00:04:17 2017 -> Downloading daily-23454.cdiff [100%]
Thu Jun 15 00:03:01 2017 -> --
Thu Jun 15 00:03:01 2017 -> ClamAV update process started at Thu Jun 15 00:03:01 2017
Thu Jun 15 00:03:01 2017 -> main.cld is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Thu Jun 15 00:03:09 2017 -> Downloading daily-23452.cdiff [100%]
Thu Jun 15 00:03:09 2017 -> Downloading daily-23453.cdiff [100%]
Thu Jun 15 00:03:11 2017 -> Downloading daily-23454.cdiff [100%]
Fri Jun 16 00:03:01 2017 -> --
Fri Jun 16 00:03:01 2017 -> ClamAV update process started at Fri Jun 16 00:03:01 2017
Fri Jun 16 00:03:01 2017 -> main.cld is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Fri Jun 16 00:03:37 2017 -> nonblock_connect: connect timing out (30 secs)
Fri Jun 16 00:03:38 2017 -> Can't connect to port 80 of host db.us.clamav.net (IP: 128.199.133.36)
Fri Jun 16 00:03:38 2017 -> Trying host db.us.clamav.net (194.8.197.22)...
Fri Jun 16 00:03:38 2017 -> Downloading daily-23452.cdiff [100%]
Fri Jun 16 00:03:38 2017 -> Downloading daily-23453.cdiff [100%]
Fri Jun 16 00:03:55 2017 -> Downloading daily-23454.cdiff [100%]
Sat Jun 17 00:03:02 2017 -> --
Sat Jun 17 00:03:02 2017 -> ClamAV update process started at Sat Jun 17 00:03:02 2017
Sat Jun 17 00:03:02 2017 -> main.cld is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Sat Jun 17 00:03:37 2017 -> nonblock_connect: connect timing out (30 secs)
Sat Jun 17 00:03:37 2017 -> Can't connect to port 80 of host db.us.clamav.net (IP: 168.143.19.95)
Sat Jun 17 00:03:37 2017 -> Trying host db.us.clamav.net (69.12.162.28)...
Sat Jun 17 00:03:37 2017 -> Downloading daily-23452.cdiff [100%]
Sat Jun 17 00:03:38 2017 -> Downloading daily-23453.cdiff [100%]
Sat Jun 17 00:03:39 2017 -> Downloading daily-23454.cdiff [100%]
Sun Jun 18 00:03:02 2017 -> --
Sun Jun 18 00:03:02 2017 -> ClamAV update process started at Sun Jun 18 00:03:02 2017
Sun Jun 18 00:03:02 2017 -> main.cld is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Sun Jun 18 00:03:44 2017 -> nonblock_recv: recv timing out (30 secs)
Sun Jun 18 00:03:44 2017 -> WARNING: getfile: Error while reading database from db.us.clamav.net (IP: 104.131.196.175): Operation now in progress
Sun Jun 18 00:03:44 2017 -> WARNING: getpatch: Can't download daily-23452.cdiff from db.us.clamav.net
Mon Jun 19 00:03:01 2017 -> --
Mon Jun 19 00:03:01 2017 -> ClamAV update process started at Mon Jun 19 00:03:01 2017
Mon Jun 19 00:03:01 2017 -> main.cld is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Mon Jun 19 00:03:08 2017 -> Downloading daily-23452.cdiff [100%]
Mon Jun 19 00:03:09 2017 -> Downloading daily-23453.cdiff [100%]
Mon Jun 19 00:03:11 2017 -> Downloading daily-23454.cdiff [100%]

Cheers!

David


On Mon, Jun 19, 2017 at 1:15 PM, Steven Morgan 
wrote:

> Hi,
>
> Any temporary files left by "normal" ClamAV processing is considered to be
> a bug. 
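
The log in the message above shows the same three cdiff patches being fetched on every run. As an added example (not part of the original message and not ClamAV project code), this script classifies each freshclam run in a log and lists patches downloaded by more than one run with no update recorded. It assumes a successful run logs a "daily.cld updated" line, which the posted log never shows; the function names and the sample log are constructed here.

```shell
#!/bin/sh
# Added example, not from the thread. Reads a freshclam log on stdin and
# prints "<run start>|<status>|<cdiffs>" for every update run.
# Assumption: a successful run logs "daily.cld updated (...)" or
# "daily.cvd updated (...)"; no such line appears in the posted log.
classify_freshclam_runs() {
    awk '
    function emit() {
        if (start == "") return
        status = "current"                     # nothing needed fetching
        if (ncdiff > 0) status = "incomplete"  # patches fetched, no update logged
        if (updated)    status = "updated"
        if (failed)     status = "failed"      # WARNING or ERROR during the run
        printf "%s|%s|%s\n", start, status, cdiffs
    }
    / -> ClamAV update process started at / {
        emit()
        start = $0; sub(/^.* started at /, "", start)
        failed = 0; updated = 0; ncdiff = 0; cdiffs = ""
        next
    }
    / -> (WARNING|ERROR): /         { failed = 1 }
    / -> daily\.(cld|cvd) updated / { updated = 1 }
    / -> Downloading daily-[0-9]+\.cdiff / {
        name = $0; sub(/^.*Downloading /, "", name); sub(/ .*$/, "", name)
        sep = (ncdiff++ ? "," : ""); cdiffs = cdiffs sep name
    }
    END { emit() }
    '
}

# Patches fetched by two or more incomplete runs: the local daily version
# did not advance between those runs.
repeated_cdiffs() {
    classify_freshclam_runs | awk -F'[|]' '
        $2 == "incomplete" { n = split($3, p, ","); for (i = 1; i <= n; i++) seen[p[i]]++ }
        END { for (k in seen) if (seen[k] > 1) print k, seen[k] }' | sort
}

# Constructed sample: the Jun 17-19 runs abridged from the log above, plus a
# made-up successful run on Jun 20 for contrast.
sample_log() { cat <<'EOF'
Sat Jun 17 00:03:02 2017 -> ClamAV update process started at Sat Jun 17 00:03:02 2017
Sat Jun 17 00:03:37 2017 -> nonblock_connect: connect timing out (30 secs)
Sat Jun 17 00:03:37 2017 -> Downloading daily-23452.cdiff [100%]
Sat Jun 17 00:03:38 2017 -> Downloading daily-23453.cdiff [100%]
Sun Jun 18 00:03:02 2017 -> ClamAV update process started at Sun Jun 18 00:03:02 2017
Sun Jun 18 00:03:44 2017 -> WARNING: getpatch: Can't download daily-23452.cdiff from db.us.clamav.net
Mon Jun 19 00:03:01 2017 -> ClamAV update process started at Mon Jun 19 00:03:01 2017
Mon Jun 19 00:03:08 2017 -> Downloading daily-23452.cdiff [100%]
Mon Jun 19 00:03:09 2017 -> Downloading daily-23453.cdiff [100%]
Tue Jun 20 00:03:01 2017 -> ClamAV update process started at Tue Jun 20 00:03:01 2017
Tue Jun 20 00:03:05 2017 -> Downloading daily-23452.cdiff [100%]
Tue Jun 20 00:03:06 2017 -> daily.cld updated (version: 23452, sigs: 0, f-level: 60, builder: constructed)
EOF
}
sample_log | classify_freshclam_runs
sample_log | repeated_cdiffs
```

Run against a real log with `classify_freshclam_runs < /path/to/freshclam.log`; a connect timeout that is followed by a working mirror is not counted as a failure, only WARNING and ERROR lines are.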

[clamav-users] partition-intersection ?

2017-06-20 Thread Zvi Kave
Where can I find a deeper explanation of
--partition-intersection? It is not clear enough.

Also:
--block-encrypted - Mark encrypted archives as viruses (Encrypted.Zip,
Encrypted.RAR).
Zip/rar files are secured by password. Why does it say encrypted?

Regards,

Zvi
___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] issues with mirror - 194.186.47.19

2017-06-20 Thread Paul Kosinski
According to my filtering logs, I get *lots* of spam from ".edu"
domains. But I never see it in my mail reader, because it gets rejected
by 'bogofilter' analysis -- thus blanket ".edu" blocking is neither
necessary nor desirable.



On Tue, 20 Jun 2017 08:11:07 +0200
"Walter H."  wrote:

> On Sat, June 17, 2017 18:23, Paul Kosinski wrote:
> > Why do you reject *all* email from ".edu". Doesn't that cut you off
> > from lots of useful technological info? (I don't think I *ever* see
> > spam from ".edu".)
> 
> you are a lucky boy; whenever I get an email from ".edu" it is
> spam ...


Re: [clamav-users] temporary directories left in /var/lib/clamav

2017-06-20 Thread Steven Morgan
David,

So freshclam runs every day at ~00:03:00, and to confirm, the temp
directories/files are left for each of these runs?

Which version of ClamAV are you using?

Steve

On Tue, Jun 20, 2017 at 7:51 AM, David Pullman 
wrote:

> Hi Steve,
>
> I've gathered some logs from one of the servers that had a bunch of the
> clamor-nn.tmp directories over a number of days. I've aggregated
> seven days of them below (we rotate the log daily). We run freshclam from
> cron each day.
>
> Please let me know if there's any suggestion on how I can get a definitive
> reason for this, or correcting this? We have two issues, one is of course
> that the sigs are not updated, but also on some of the smaller instances
> the disk space is affected by the tmp files left in /var/lib/clamav.
>
> Thanks very much for any suggestions or help!


Re: [clamav-users] temporary directories left in /var/lib/clamav

2017-06-20 Thread David Pullman
Steve,

Yes, we run freshclam and then clamscan once each day at 00:03 UTC. There
were many days of tmp directories. We ran the freshclam utility by hand
yesterday, on the instance the logs are from, at about 22:00 UTC, and it
completed the download. The subsequent update at 00:03 this morning
completed successfully as well.

The version is the package install on Ubuntu of clamav and
clamav-freshclam: 0.99.2+addedllvm-0ubuntu0.14.04.1.

Thanks!

David

On Tue, Jun 20, 2017 at 11:03 AM, Steven Morgan 
wrote:

> David,
>
> So freshclam runs every day at ~00:03:00, and to confirm, the temp
> directories/files are left for each of these runs?
>
> Which version of ClamAV are you using?
>
> Steve

Re: [clamav-users] Question on GUI notifications of virus detection

2017-06-20 Thread Bryan Everly
On Mon, 2017-06-19 at 20:44 +0200, Michael D. wrote:
> Hi Bryan,
> 
> The problem isn't with ClamAV, it's the difference in sessions between a 
> daemon and a user.
> 
> A user that is logged in, is in a shell with lots of environment 
> variables set, whereas a daemon is running in a bare-minimum environment.
> 
> You probably need to set the variable DBUS_SESSION_BUS_ADDRESS in your 
> script as described here:
> 
> https://askubuntu.com/questions/298608/notify-send-doesnt-work-from-crontab
> 
> Best regards
>Michael

Michael,

Thanks for your help.  I ended up with the following for my script. 
Thought I would put it in this thread in case some future person was
searching for a solution to this as well:

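#!/usr/bin/bash

USER=your_user_name

# Borrow the D-Bus session address from the user's running gnome-session,
# since the daemon that calls this script has no desktop session of its own.
eval "export $(egrep -z DBUS_SESSION_BUS_ADDRESS "/proc/$(pgrep -u "$USER" gnome-session)/environ")";

# The single quotes are deliberate: the CLAM_* variables are expanded by the
# shell that su starts, inside double quotes.
su "$USER" -c '/usr/bin/notify-send -u critical "Virus Found $CLAM_VIRUSEVENT_VIRUSNAME" "$CLAM_VIRUSEVENT_FILENAME has been removed"'
echo "$(date) - $CLAM_VIRUSEVENT_VIRUSNAME > $CLAM_VIRUSEVENT_FILENAME" >> /var/log/clamav/infected.log
# Quote the path and end option parsing so an odd file name cannot be split
# into several arguments or read as an rm option.
rm -- "$CLAM_VIRUSEVENT_FILENAME"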


Re: [clamav-users] issues with mirror - 194.186.47.19

2017-06-20 Thread Orrick, Diana

Still having issues with this IP in the mirrors, could it be pulled please??

Thanks for any assistance, this download failed twice overnight...

--2017-06-20 09:20:01-- http://db.us.clamav.net/daily.cvd
Resolving db.us.clamav.net (db.us.clamav.net)... 208.72.56.53, 194.186.47.19, 128.199.133.36, ...
Connecting to db.us.clamav.net (db.us.clamav.net)|208.72.56.53|:80... failed: Connection timed out.
Connecting to db.us.clamav.net (db.us.clamav.net)|194.186.47.19|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 50480243 (48M) [text/plain]
The sizes do not match (local 41762159) -- retrieving.

--2017-06-20 09:21:13-- http://db.us.clamav.net/daily.cvd
Reusing existing connection to db.us.clamav.net:80.
HTTP request sent, awaiting response... No data received.
Retrying.

--2017-06-20 09:21:27-- (try: 2) http://db.us.clamav.net/daily.cvd
Connecting to db.us.clamav.net (db.us.clamav.net)|194.186.47.19|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 50480243 (48M) [text/plain]
Saving to: ‘daily.cvd’

0K 0% 213 =39s

2017-06-20 09:23:45 (213 B/s) - Read error at byte 8380/50480243 (Connection timed out). Retrying.

--2017-06-20 09:23:47-- (try: 3) http://db.us.clamav.net/daily.cvd
Connecting to db.us.clamav.net (db.us.clamav.net)|194.186.47.19|:80... connected.
HTTP request sent, awaiting response... 206 Partial Content
Length: 50480243 (48M), 50471863 (48M) remaining [text/plain]
Saving to: ‘daily.cvd’

0K 0K 0% 192 =43s

2017-06-20 09:26:12 (192 B/s) - Read error at byte 16702/50480243 (Connection timed out). Retrying.

--2017-06-20 09:26:15-- (try: 4) http://db.us.clamav.net/daily.cvd
Connecting to db.us.clamav.net (db.us.clamav.net)|194.186.47.19|:80... connected.
HTTP request sent, awaiting response... 206 Partial Content
Length: 50480243 (48M), 50463541 (48M) remaining [text/plain]
Saving to: ‘daily.cvd’

0K 0K 0% 191 =44s

2017-06-20 09:28:43 (191 B/s) - Read error at byte 25023/50480243 (Connection timed out). Retrying.

--2017-06-20 09:28:47-- (try: 5) http://db.us.clamav.net/daily.cvd
Connecting to db.us.clamav.net (db.us.clamav.net)|194.186.47.19|:80... connected.
HTTP request sent, awaiting response... 206 Partial Content
Length: 50480243 (48M), 50455220 (48M) remaining [text/plain]
Saving to: ‘daily.cvd’

0K 0K 0% 214 =39s

2017-06-20 09:31:05 (214 B/s) - Read error at byte 33344/50480243 (Connection timed out). Retrying.
...
...
2017-06-19 18:09:22 (207 B/s) - Read error at byte 80715/109143933 (Connection timed out). Giving up.



On 6/15/2017 12:54 PM, Orrick, Diana wrote:
We pull sig file updates down to a local server that serves as a proxy
for updates to disperse to local servers.

Very recently this mirror 194.186.47.19 has had extremely slow response
and the wget ends up failing
or running for hours rather than the quick speeds we're used to.

Anyone else having similar issues? We're also looking into local
networking, etc.

I've requested to join the mirrors list to review archives, waiting on
subscription notice.

Reviewed docs and can't locate the Mirrors status output info, hoping
that will be part of the mirrors list output.



--



Diana Mayer Orrick

Information Technology Services

Florida State University

orr...@fsu.edu - (850) 645-8009




Re: [clamav-users] temporary directories left in /var/lib/clamav

2017-06-20 Thread Steven Morgan
David,

Thanks, so when you say freshclam "completed successfully" you mean there
were no temp files left?

Steve

On Tue, Jun 20, 2017 at 11:21 AM, David Pullman 
wrote:

> Steve,
>
> Yes, we run freshclam and then clamscan once each day at 00:03 UTC. There
> were many days of tmp directories. We ran the freshclam utility by hand
> yesterday, on the instance the logs are from, at about 22:00 UTC, and it
> completed the download. The subsequent update at 00:03 this morning
> completed successfully as well.
>
> The version is the package install on Ubuntu of clamav and
> clamav-freshclam: 0.99.2+addedllvm-0ubuntu0.14.04.1.
>
> Thanks!
>
> David