[ZendTo] ClamAV fail

Jules Field Jules at Zend.To
Wed Jul 25 17:26:07 BST 2018 

Derek,

Testing it with "clamscan" won't help. It's "clamdscan" that has to 
work, which is a very different beast.
"clamscan" just does it all at once (which is why it takes so long).
"clamdscan" uses the "clamd" process to actually do the scanning, and 
hence is much faster as there's no startup time while it loads and 
compiles all the virus signatures.

If it works with a small text file, but not an archive or docx file, 
then you've probably run out of disk space in wherever clamd is trying 
to unpack the archive.

Otherwise, it is almost always permissions/ownership problems.
You shouldn't do any harm by fetching a new copy of the ZendTo installer 
and *just* doing the "Setup ClamAV" section.

If you want to test it by hand, you need to do this:
Edit the /etc/passwd file and give your apache or www-data user a real 
shell such as /bin/bash.
"pwconv" (that makes the /etc/shadow file).
"su - apache" (or "su - www-data") to properly become the web server user.
clamdscan /var/zendto/*
clamdscan --fdpass /var/zendto/*

If both of those succeed, then start a big upload going in ZendTo. This 
will force some data (with the right permissions) into 
/var/zendto/incoming. While it's running, do "clamdscan 
/var/zendto/incoming/*" and "clamdscan --fdpass /var/zendto/incoming/*".

By the time you've done all that lot, you've probably got some errors 
from ClamAV which will help narrow down the cause.

When you've fixed it, remember to put your "/etc/passwd" file back so 
the shell says "/sbin/nologin" and run the "pwconv" command again.

Hope that helps,
Jules.


On 25/07/2018 17:04, Pedrosi, Derek G. via ZendTo wrote:
>
> Suddenly, my drops are no longer being scanned by AV and users were 
> unable to drop files.  No changes were made.
>
> User see this…
>
> *Upload Error*
>
>
> 	
>
> *The attempt to virus-scan your drop-off failed. Please notify the 
> system administrator.*
>
> I’ve since disable AV scan from the preferences.php (it was 
> 'clamdscan' => '/usr/bin/clamdscan --stdout --fdpass',) and now users 
> can drop files.
>
> The details…
>
> From ZendTo log…
>
> 2018-07-25 08:22:31 172.16.0.103 [XXXX]: Error: Virus scan of 
> dropped-off files /var/zendto/incoming/phpLfUrV9 
> /var/zendto/incoming/phpf6ExDv for USER failed with
>
> From the /var/log/clamav dir:
>
> root at ZendTo5:/var/log/clamav# tail freshclam.log
>
> Wed Jul 25 11:02:09 2018 -> --------------------------------------
>
> Wed Jul 25 11:44:24 2018 -> Update process terminated
>
> Wed Jul 25 11:44:25 2018 -> --------------------------------------
>
> Wed Jul 25 11:44:25 2018 -> freshclam daemon 0.100.1 (OS: linux-gnu, 
> ARCH: x86_64, CPU: x86_64)
>
> Wed Jul 25 11:44:25 2018 -> ClamAV update process started at Wed Jul 
> 25 11:44:25 2018
>
> Wed Jul 25 11:44:25 2018 -> main.cvd is up to date (version: 58, sigs: 
> 4566249, f-level: 60, builder: sigmgr)
>
> Wed Jul 25 11:44:25 2018 -> daily.cld is up to date (version: 24781, 
> sigs: 2024541, f-level: 63, builder: neo)
>
> Wed Jul 25 11:44:25 2018 -> bytecode.cld is up to date (version: 325, 
> sigs: 90, f-level: 63, builder: neo)
>
> Wed Jul 25 11:44:25 2018 -> --------------------------------------
>
> root at ZendTo5:/var/log/clamav# tail clamav.log
>
> Wed Jul 25 04:47:22 2018 -> SelfCheck: Database status OK.
>
> Wed Jul 25 04:57:22 2018 -> SelfCheck: Database status OK.
>
> Wed Jul 25 05:07:22 2018 -> SelfCheck: Database status OK.
>
> Wed Jul 25 05:17:22 2018 -> SelfCheck: Database status OK.
>
> Wed Jul 25 05:27:13 2018 -> Reading databases from /var/lib/clamav
>
> Wed Jul 25 05:27:27 2018 -> Database correctly reloaded (6584590 
> signatures)
>
> Wed Jul 25 05:37:27 2018 -> SelfCheck: Database status OK.
>
> Wed Jul 25 05:47:27 2018 -> SelfCheck: Database status OK.
>
> Wed Jul 25 05:57:27 2018 -> SelfCheck: Database status OK.
>
> Wed Jul 25 06:05:55 2018 -> --- Stopped at Wed Jul 25 06:05:55 2018
>
> Now, I can scan files manually via the command line…
>
> clamscan --verbose  /var/log/
>
> ----------- SCAN SUMMARY -----------
>
> Known viruses: 6584590
>
> Engine version: 0.100.1
>
> Scanned directories: 1
>
> Scanned files: 43
>
> Infected files: 0
>
> Data scanned: 8.88 MB
>
> Data read: 1.75 MB (ratio 5.07:1)
>
> Time: 19.976 sec (0 m 19 s)
>
> Anywhere else to look?
>
> derek
>
>
>
> _______________________________________________
> ZendTo mailing list
> ZendTo at zend.to
> http://jul.es/mailman/listinfo/zendto

Jules

-- 
Julian Field MEng CEng CITP MBCS MIEEE MACM

Malin, Hebrides: South 5 to 7, occasionally 4 at first. Slight or moderate,
becoming rough in west. Rain later. Good, occasionally poor.

www.Zend.To
Twitter: @JulesFM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://jul.es/pipermail/zendto/attachments/20180725/a933e869/attachment.html>

More information about the ZendTo mailing list