[ZendTo] ClamAV fail

Jules Field Jules at Zend.To
Thu Jul 26 15:26:53 BST 2018


Derek,

On 26/07/2018 14:50, Pedrosi, Derek G. wrote:
>
> This is my production server, and no changes were made;
>
Ah, the famous "But I didn't change anything" defence. :-) :-)
>
> it just started throwing the error.
>
Ah, but changes *were* made. Just possibly not by you. :-)
Someone (or more likely some*thing*) did a "yum upgrade" or an "apt 
upgrade", and replaced the copy of ClamAV that was running.
You see that file "clamd.conf.ucf-dist" in your "ls -al" output below? 
That was modified yesterday morning, which is probably shortly before it 
all stopped working.

 From your /etc/clamav/clamd.conf file, based on the output from 
"clamdscan" below, you should remove the lines that start 
"AllowSupplementaryGroups" and "StatsEnabled". Then restart the clamd 
service ("service clamd restart" will *probably* do the trick on almost 
any Linux variant). Then try that clamdscan command again and see if it 
gets further.

Cheers,
Jules.

> Running clamdscan:
>
> root at ZendTo5:/opt/zendto/config# /usr/bin/clamdscan --stdout 
> preferences.php
>
> WARNING: Ignoring deprecated option AllowSupplementaryGroups at line 11
>
> ERROR: Parse error at line 79: Unknown option StatsEnabled
>
> ERROR: Can't parse clamd configuration file /etc/clamav/clamd.conf
>
> root at ZendTo5:/opt/zendto/config# clamscan --version
>
> ClamAV 0.100.1/24784/Thu Jul 26 04:44:34 2018
>
> root at ZendTo5:/opt/zendto/config# nano  /etc/clamav/clamd.conf
>
> root at ZendTo5:/opt/zendto/config# ls  /etc/clamav -la
>
> total 36
>
> drwxr-xr-x 5 root   root 4096 Jul 26 09:49 .
>
> drwxr-xr-x 94 root   root 4096 Jul 25 06:06 ..
>
> -rw-r--r-- 1 root   root 2059 Mar  5 10:19 clamd.conf
>
> -rw-r--r-- 1 root   root 1999 Jul 25 06:06 clamd.conf.ucf-dist
>
> -rw-r--r-- 1 root   root 2060 Mar  5 10:19 clamd.conf.zendto
>
> -r--r--r-- 1 clamav adm   702 Jul 25 06:06 freshclam.conf
>
> drwxr-xr-x 2 root   root 4096 Jan 29 11:14 onerrorexecute.d
>
> drwxr-xr-x 2 root   root 4096 Jan 29 11:14 onupdateexecute.d
>
> drwxr-xr-x 2 root   root 4096 Jan 29 11:14 virusevent.d
>
> derek
>
> *From:*ZendTo [mailto:zendto-bounces at zend.to] *On Behalf Of *Jules 
> Field via ZendTo
> *Sent:* Wednesday, July 25, 2018 12:26 PM
> *To:* Pedrosi, Derek G. via ZendTo <zendto at zend.to>; ZendTo Users 
> <zendto at zend.to>
> *Cc:* Jules Field <Jules at Zend.To>
> *Subject:* Re: [ZendTo] ClamAV fail
>
> Derek,
>
> Testing it with "clamscan" won't help. It's "clamdscan" that has to 
> work, which is a very different beast.
> "clamscan" just does it all at once (which is why it takes so long).
> "clamdscan" uses the "clamd" process to actually do the scanning, and 
> hence is much faster as there's no startup time while it loads and 
> compiles all the virus signatures.
>
> If it works with a small text file, but not an archive or docx file, 
> then you've probably run out of disk space in wherever clamd is trying 
> to unpack the archive.
>
> Otherwise, it is almost always permissions/ownership problems.
> You shouldn't do any harm by fetching a new copy of the ZendTo 
> installer and *just* doing the "Setup ClamAV" section.
>
> If you want to test it by hand, you need to do this:
> Edit the /etc/passwd file and give your apache or www-data user a real 
> shell such as /bin/bash.
> "pwconv" (that makes the /etc/shadow file).
> "su - apache" (or "su - www-data") to properly become the web server user.
> clamdscan /var/zendto/*
> clamdscan --fdpass /var/zendto/*
>
> If both of those succeed, then start a big upload going in ZendTo. 
> This will force some data (with the right permissions) into 
> /var/zendto/incoming. While it's running, do "clamdscan 
> /var/zendto/incoming/*" and "clamdscan --fdpass /var/zendto/incoming/*".
>
> By the time you've done all that lot, you've probably got some errors 
> from ClamAV which will help narrow down the cause.
>
> When you've fixed it, remember to put your "/etc/passwd" file back so 
> the shell says "/sbin/nologin" and run the "pwconv" command again.
>
> Hope that helps,
> Jules.
>
> On 25/07/2018 17:04, Pedrosi, Derek G. via ZendTo wrote:
>
>     Suddenly, my drops are no longer being scanned by AV and users
>     were unable to drop files.  No changes were made.
>
>     User see this…
>
>     *Upload Error*
>
>
>     	
>
>     *The attempt to virus-scan your drop-off failed. Please notify the
>     system administrator.*
>
>     I’ve since disable AV scan from the preferences.php (it was
>     'clamdscan' => '/usr/bin/clamdscan --stdout --fdpass',) and now
>     users can drop files.
>
>     The details…
>
>     From ZendTo log…
>
>     2018-07-25 08:22:31 172.16.0.103 [XXXX]: Error: Virus scan of
>     dropped-off files  /var/zendto/incoming/phpLfUrV9
>     /var/zendto/incoming/phpf6ExDv for USER failed with
>
>     From the /var/log/clamav dir:
>
>     root at ZendTo5:/var/log/clamav# tail freshclam.log
>
>     Wed Jul 25 11:02:09 2018 -> --------------------------------------
>
>     Wed Jul 25 11:44:24 2018 -> Update process terminated
>
>     Wed Jul 25 11:44:25 2018 -> --------------------------------------
>
>     Wed Jul 25 11:44:25 2018 -> freshclam daemon 0.100.1 (OS:
>     linux-gnu, ARCH: x86_64, CPU: x86_64)
>
>     Wed Jul 25 11:44:25 2018 -> ClamAV update process started at Wed
>     Jul 25 11:44:25 2018
>
>     Wed Jul 25 11:44:25 2018 -> main.cvd is up to date (version: 58,
>     sigs: 4566249, f-level: 60, builder: sigmgr)
>
>     Wed Jul 25 11:44:25 2018 -> daily.cld is up to date (version:
>     24781, sigs: 2024541, f-level: 63, builder: neo)
>
>     Wed Jul 25 11:44:25 2018 -> bytecode.cld is up to date (version:
>     325, sigs: 90, f-level: 63, builder: neo)
>
>     Wed Jul 25 11:44:25 2018 -> --------------------------------------
>
>     root at ZendTo5:/var/log/clamav# tail clamav.log
>
>     Wed Jul 25 04:47:22 2018 -> SelfCheck: Database status OK.
>
>     Wed Jul 25 04:57:22 2018 -> SelfCheck: Database status OK.
>
>     Wed Jul 25 05:07:22 2018 -> SelfCheck: Database status OK.
>
>     Wed Jul 25 05:17:22 2018 -> SelfCheck: Database status OK.
>
>     Wed Jul 25 05:27:13 2018 -> Reading databases from /var/lib/clamav
>
>     Wed Jul 25 05:27:27 2018 -> Database correctly reloaded (6584590
>     signatures)
>
>     Wed Jul 25 05:37:27 2018 -> SelfCheck: Database status OK.
>
>     Wed Jul 25 05:47:27 2018 -> SelfCheck: Database status OK.
>
>     Wed Jul 25 05:57:27 2018 -> SelfCheck: Database status OK.
>
>     Wed Jul 25 06:05:55 2018 -> --- Stopped at Wed Jul 25 06:05:55 2018
>
>     Now, I can scan files manually via the command line…
>
>     clamscan --verbose  /var/log/
>
>     ----------- SCAN SUMMARY -----------
>
>     Known viruses: 6584590
>
>     Engine version: 0.100.1
>
>     Scanned directories: 1
>
>     Scanned files: 43
>
>     Infected files: 0
>
>     Data scanned: 8.88 MB
>
>     Data read: 1.75 MB (ratio 5.07:1)
>
>     Time: 19.976 sec (0 m 19 s)
>
>     Anywhere else to look?
>
>     derek
>
>
>
>
>     _______________________________________________
>
>     ZendTo mailing list
>
>     ZendTo at zend.to <mailto:ZendTo at zend.to>
>
>     http://jul.es/mailman/listinfo/zendto
>
>
>
> Jules
> -- 
> Julian Field MEng CEng CITP MBCS MIEEE MACM
> Malin, Hebrides: South 5 to 7, occasionally 4 at first. Slight or moderate,
> becoming rough in west. Rain later. Good, occasionally poor.
> www.Zend.To <http://www.Zend.To>
> Twitter: @JulesFM
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

Jules

-- 
Julian Field MEng CEng CITP MBCS MIEEE MACM

'Ensanguining the skies
  How heavily it dies
  Into the west away;
  Past touch and sight and sound
  Not further to be found,
  How hopeless under ground
    Falls the remorseful day.' - A.E.Houseman

www.Zend.To
Twitter: @JulesFM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://jul.es/pipermail/zendto/attachments/20180726/9d97fb60/attachment-0001.html>


More information about the ZendTo mailing list