Hi there,
Sorry again for the delay. I've attached a small patch which provides a bit
deeper (and possibly excessive) error reporting for clamonacc. Please give it a
try and let us know what errors pop up so we can better figure out the problem.
Thanks,
Mickey
On 2020-08-17 18:41:49-04:00 clam
Wanted to add a bit of insight to this convo from the dev side of things:
VirusEvent currently works by forking the existing clamd process into a new,
short-lived process that handles execution of the user's script.
This is a legacy design choice and is problematic for a number of reasons--most
https://bugzilla.redhat.com/show_bug.cgi?id=1464269
Hope that helps,
- Mickey
On Tue, Feb 19, 2019 at 11:49 AM Dave Lahn wrote:
> Mickey,
>
> Do you know what needs to be updated in the policies?
>
> Best regards,
> Dave
>
> On Thu, 14 Feb 2019 at 15:59, Mickey Sola wrote:
>
>
t/cgi-bin/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>
From 20ccc17c46a82cf5cdf42e26b0c25ff901ec2bb7 Mon Sep 17 00:00:00 2001
From: Mickey Sola
Date: Thu, 14 Feb
Hi Jens,
Do you have the OnAccessExtraScanning option on by chance?
There's a known issue with that option which can cause memory consumption
problems. Though I'm still not certain why that would lead to printing
"(null)" virnames.
- Mickey
On Thu, Aug 2, 2018 at 8:45 AM, Kretschmer, Jens <
kre
), just so we have this issue tracked. But know that without a sample
it will be difficult to test/resolve.
- Mickey Sola
On Wed, Apr 4, 2018 at 12:38 PM, Reindl Harald
wrote:
> [Heuristics.Encrypted.PDF(e555f48bc6539cac03976b450b3a33e0:114630)]
>
> hits also non-encrypted PDF attachment
Unfortunately, the ExcludeUID option in 0.99.2 is broken due to an
oversight in how clam's optparser handles numbered lists which include 0.
You can follow along with the resolution of that issue here:
https://bugzilla.clamav.net/show_bug.cgi?id=11978
An important takeaway for you in that thread,
That's because you've gotten to the heart of the matter.
There's no real bug or code related vulnerability here; it's a user-side
network hardening issue combined with a misunderstanding of clamd
configuration options that allows for this attack surface to exist.
As Steve has already pointed ou
I might be remembering wrong, but I believe there was work done to address
Clam's large filesize handling issues in the year between 0.99.2 and 0.99.3.
Have you tested out the beta yet to see if your needs have been addressed?
On Thu, Sep 14, 2017 at 2:45 PM, Paul Kosinski
wrote:
> To continue.
> Referenced from: /usr/local/clamav/sbin/clamd
> Expected in: /usr/lib/libSystem.B.dylib
>
> Note that this is *not* being built on 10.6. It's being built on 10.12 with
> support for running the compiled binaries on 10.6 by way of the
> -mmacosx-version-min=10.6 compiler flag.
>
>
Hi Mark,
The strnlen and strndup reworks have made it up to master if you wanted to
take a look and make sure everything builds OK on 10.6
You'll need commits 47a544dc07b75c284e0fc475164bcdc5e9d5b18b thru
8cb271e25cf43bd5d6296827d2c0f25a33420fd9
(4 in total)
-Mickey
On Mon, Aug 14, 2017 at 1:41
Hi Roelof,
The on-access scanner is configured through clamd.conf. This is a
freshclam.conf file.
As such, it makes sense that freshclam would complain about that
configuration option, since freshclam and clamd are separate applications.
Remove the erroneous option and freshclam should pull down
r, according to policy, we require to scan
> the complete filesystem.
>
>
> Best Regards,
>
> Remi
>
>
> -----Original Message-----
> From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net] On
> Behalf Of Mickey Sola
> Sent: Thursday, March 30, 2017 6:52
Hi Remi,
Your configuration looks fine, and it seems like you're getting expected
behavior given what the log shows.
I'll explain a bit more what's happening, and why you can freely move
around the eicar testfile.
The important line is here:
Thu Mar 30 09:58:54 2017 -> ScanOnAccess: notifying on
> I couldn't actually use the config file's example of /home - it refused to
> start. I was able to specify my download directory though,
>
> Best Regards,
> Hugo
>
> On Tue, 30 Aug 2016 at 16:02 Mickey Sola wrote:
>
> > H, when running clamd manually could
Aug 30 13:20:17 localhost.localdomain clamd[13472]:
> /home//Documents/minuscule.pdf: OK
>
> When I open the same file with evince, I get nothing from clamd. Note that
> I've been sticking to small files to avoid hitting the default file max
> (5m).
>
> Best,
> Hugo
>
Hi Hugo,
Could you try setting the max filesize option to a non-zero value and let
me know if that changes anything?
-Mickey
On Aug 30, 2016 7:51 AM, "Hugo Bernier" wrote:
> We have a new requirement at work that we have virus scanners installed on
> our workstations.
>
> What I'm trying to do
Hi,
Have you tried running clamd itself with root permissions?
e.g. $ sudo clamd [options]
-Mickey
On Sun, Aug 7, 2016 at 1:18 AM, Z F wrote:
> I have noticed in /var/log/clamav/clamav.log
>
> Sun Aug 7 01:14:28 2016 -> ERROR: ScanOnAccess: fanotify_init failed:
> Operation not permitted
> Sun
Mikko,
I know you didn't find anything in audit.log, but is your primary issue
resolved when you set SELinux to Permissive? Looking at the code, and the
debug output, so far everything points to this being an issue with
permissions.
Regarding your secondary problems:
As documented, OnAccess scan
Hi Rob,
Just tested this, and it seems setting both "StructuredSSNFormatNormal" and
"StructuredSSNFormatStripped" to "no" in clamd.conf should give you the
behaviour you want.
Let me know if that works for you.
Cheers,
Mickey
On Wed, May 4, 2016 at 5:41 PM, Rob McKennon wrote:
> Hello!
>
> We
6 at 11:08 AM, kamil kapturkiewicz wrote:
> On Thursday, 25 February 2016 16:53 Mickey Sola
> wrote:
> > Hi Kamil,
> >
> > A few things: what OS and kernel version are you using? what are the
> > results of opening the eicar file with vi (or your editor of choice)? are
Hi Kamil,
A few things: what OS and kernel version are you using? what are the
results of opening the eicar file with vi (or your editor of choice)? are
/home/ and/or /var/ftp/ mount points? if so, are there symlinks within
those directory hierarchies? is your kernel configured with
CONFIG_FANOTIF
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Sadly. Linux is not single OS in the world for servers.
>
> 12.01.16 22:20, Mickey Sola ?:
> > More specifically, only Linux is supported for on access scanning.
> >
> > While some legacy functionality
and up).
On Tue, Jan 12, 2016 at 10:43 AM, Yuri Voinov wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> // Corrected. You are welcome ;)
>
> 12.01.16 21:42, Mickey Sola ?:
> > Hi Istvan,
> >
> > While clamd does provide on-access scanning
Hi Istvan,
While clamd does provide on-access scanning capabilities, that feature is
only available on Linux systems. On Windows, you will need to periodically
run a scan on the target directory.
Cheers,
Mickey
On Tue, Jan 12, 2016 at 9:52 AM, Istvan Szabo wrote:
> If clamd is running on the s
Hi Kamil,
Unfortunately, the current version of on-access scanning is limited to
non-recursive detection during access attempts--not prevention. This is due
to particularities in how clamd leverages fanotify (and partially due to
limitations from fanotify itself).
Work is being done to flesh out
26 matches