[ZendTo] ClamAV fail

Dippery, Kyle kyle.dippery at uky.edu
Thu Jul 26 15:25:46 BST 2018 

That looks like something I saw on a non-Zendto system just this morning.  The clamd.conf file probably got changed during the latest clamav-daemon upgrade.

It will probably be happy if you edit /etc/clamav/clamd.conf, remove the StatsEnabled line, save the file, and restart clamav.

Also if you're not using the AllowSupplementaryGroups option (line 11 of the clamd.conf file), go ahead and remove that line, too, or something like this will happen when they get around to taking it out of the code.

Cheers,
Kyle
--
Kyle Dippery
Engineering Computing Services
219 RMB
859-257-1346

________________________________________
From: ZendTo <zendto-bounces at zend.to> on behalf of Pedrosi, Derek G. via ZendTo <zendto at zend.to>
Sent: Thursday, July 26, 2018 9:50 AM
To: ZendTo Users
Cc: Pedrosi, Derek G.
Subject: Re: [ZendTo] ClamAV fail

This is my production server, and no changes were made; it just started throwing the error.

Running clamdscan:
root at ZendTo5:/opt/zendto/config# /usr/bin/clamdscan --stdout preferences.php
WARNING: Ignoring deprecated option AllowSupplementaryGroups at line 11
ERROR: Parse error at line 79: Unknown option StatsEnabled
ERROR: Can't parse clamd configuration file /etc/clamav/clamd.conf

root at ZendTo5:/opt/zendto/config# clamscan --version
ClamAV 0.100.1/24784/Thu Jul 26 04:44:34 2018

root at ZendTo5:/opt/zendto/config# nano  /etc/clamav/clamd.conf
root at ZendTo5:/opt/zendto/config# ls  /etc/clamav -la
total 36
drwxr-xr-x  5 root   root 4096 Jul 26 09:49 .
drwxr-xr-x 94 root   root 4096 Jul 25 06:06 ..
-rw-r--r--  1 root   root 2059 Mar  5 10:19 clamd.conf
-rw-r--r--  1 root   root 1999 Jul 25 06:06 clamd.conf.ucf-dist
-rw-r--r--  1 root   root 2060 Mar  5 10:19 clamd.conf.zendto
-r--r--r--  1 clamav adm   702 Jul 25 06:06 freshclam.conf
drwxr-xr-x  2 root   root 4096 Jan 29 11:14 onerrorexecute.d
drwxr-xr-x  2 root   root 4096 Jan 29 11:14 onupdateexecute.d
drwxr-xr-x  2 root   root 4096 Jan 29 11:14 virusevent.d



derek


From: ZendTo [mailto:zendto-bounces at zend.to] On Behalf Of Jules Field via ZendTo
Sent: Wednesday, July 25, 2018 12:26 PM
To: Pedrosi, Derek G. via ZendTo <zendto at zend.to>; ZendTo Users <zendto at zend.to>
Cc: Jules Field <Jules at Zend.To>
Subject: Re: [ZendTo] ClamAV fail

Derek,

Testing it with "clamscan" won't help. It's "clamdscan" that has to work, which is a very different beast.
"clamscan" just does it all at once (which is why it takes so long).
"clamdscan" uses the "clamd" process to actually do the scanning, and hence is much faster as there's no startup time while it loads and compiles all the virus signatures.

If it works with a small text file, but not an archive or docx file, then you've probably run out of disk space in wherever clamd is trying to unpack the archive.

Otherwise, it is almost always permissions/ownership problems.
You shouldn't do any harm by fetching a new copy of the ZendTo installer and *just* doing the "Setup ClamAV" section.

If you want to test it by hand, you need to do this:
Edit the /etc/passwd file and give your apache or www-data user a real shell such as /bin/bash.
"pwconv" (that makes the /etc/shadow file).
"su - apache" (or "su - www-data") to properly become the web server user.
clamdscan /var/zendto/*
clamdscan --fdpass /var/zendto/*

If both of those succeed, then start a big upload going in ZendTo. This will force some data (with the right permissions) into /var/zendto/incoming. While it's running, do "clamdscan /var/zendto/incoming/*" and "clamdscan --fdpass /var/zendto/incoming/*".

By the time you've done all that lot, you've probably got some errors from ClamAV which will help narrow down the cause.

When you've fixed it, remember to put your "/etc/passwd" file back so the shell says "/sbin/nologin" and run the "pwconv" command again.

Hope that helps,
Jules.

On 25/07/2018 17:04, Pedrosi, Derek G. via ZendTo wrote:
Suddenly, my drops are no longer being scanned by AV and users were unable to drop files.  No changes were made.
User see this…
Upload Error


The attempt to virus-scan your drop-off failed. Please notify the system administrator.




I’ve since disable AV scan from the preferences.php (it was 'clamdscan' => '/usr/bin/clamdscan --stdout --fdpass',) and now users can drop files.


The details…
>From ZendTo log…
2018-07-25 08:22:31 172.16.0.103 [XXXX]: Error: Virus scan of dropped-off files  /var/zendto/incoming/phpLfUrV9 /var/zendto/incoming/phpf6ExDv for USER failed with


>From the /var/log/clamav dir:
root at ZendTo5:/var/log/clamav# tail freshclam.log
Wed Jul 25 11:02:09 2018 -> --------------------------------------
Wed Jul 25 11:44:24 2018 -> Update process terminated
Wed Jul 25 11:44:25 2018 -> --------------------------------------
Wed Jul 25 11:44:25 2018 -> freshclam daemon 0.100.1 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Wed Jul 25 11:44:25 2018 -> ClamAV update process started at Wed Jul 25 11:44:25 2018
Wed Jul 25 11:44:25 2018 -> main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Wed Jul 25 11:44:25 2018 -> daily.cld is up to date (version: 24781, sigs: 2024541, f-level: 63, builder: neo)
Wed Jul 25 11:44:25 2018 -> bytecode.cld is up to date (version: 325, sigs: 90, f-level: 63, builder: neo)
Wed Jul 25 11:44:25 2018 -> --------------------------------------
root at ZendTo5:/var/log/clamav# tail clamav.log
Wed Jul 25 04:47:22 2018 -> SelfCheck: Database status OK.
Wed Jul 25 04:57:22 2018 -> SelfCheck: Database status OK.
Wed Jul 25 05:07:22 2018 -> SelfCheck: Database status OK.
Wed Jul 25 05:17:22 2018 -> SelfCheck: Database status OK.
Wed Jul 25 05:27:13 2018 -> Reading databases from /var/lib/clamav
Wed Jul 25 05:27:27 2018 -> Database correctly reloaded (6584590 signatures)
Wed Jul 25 05:37:27 2018 -> SelfCheck: Database status OK.
Wed Jul 25 05:47:27 2018 -> SelfCheck: Database status OK.
Wed Jul 25 05:57:27 2018 -> SelfCheck: Database status OK.
Wed Jul 25 06:05:55 2018 -> --- Stopped at Wed Jul 25 06:05:55 2018


Now, I can scan files manually via the command line…
clamscan --verbose  /var/log/
----------- SCAN SUMMARY -----------
Known viruses: 6584590
Engine version: 0.100.1
Scanned directories: 1
Scanned files: 43
Infected files: 0
Data scanned: 8.88 MB
Data read: 1.75 MB (ratio 5.07:1)
Time: 19.976 sec (0 m 19 s)



Anywhere else to look?

derek




_______________________________________________

ZendTo mailing list

ZendTo at zend.to<mailto:ZendTo at zend.to>

http://jul.es/mailman/listinfo/zendto<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fjul.es%2Fmailman%2Flistinfo%2Fzendto&data=02%7C01%7Ckyle.dippery%40uky.edu%7C9864adecbc224b20983e08d5f3004a41%7C2b30530b69b64457b818481cb53d42ae%7C0%7C0%7C636682104947030416&sdata=%2FGzEUL0%2FrLumOoQjdcf3aOSkLpC3TOcPySs8QcWIjPg%3D&reserved=0>



Jules



--

Julian Field MEng CEng CITP MBCS MIEEE MACM



Malin, Hebrides: South 5 to 7, occasionally 4 at first. Slight or moderate,

becoming rough in west. Rain later. Good, occasionally poor.



www.Zend.To<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.Zend.To&data=02%7C01%7Ckyle.dippery%40uky.edu%7C9864adecbc224b20983e08d5f3004a41%7C2b30530b69b64457b818481cb53d42ae%7C0%7C0%7C636682104947040424&sdata=Gvcbr7U2SlSzeuntixHAmM%2FV6FvrZQfPdaALS9DHtMA%3D&reserved=0>

Twitter: @JulesFM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

More information about the ZendTo mailing list