<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Derek,<br>
<br>
<div class="moz-cite-prefix">On 26/07/2018 14:50, Pedrosi, Derek G.
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:WM!a0871d47b6bfe744689de826ba941c11294deed0a3409dbbf6f497b6ee97222c59296449a1ea03ed80d4c1956cd1b69b4829ba97e1aefa035f31b83e4171415f!@mx.jul.es">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:roboto;
panose-1:0 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Courier New \;color\:\#162637";
panose-1:0 0 0 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;
color:black;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:"Courier New";}
span.EmailStyle20
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle21
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">This is my
production server, and no changes were made;</span></p>
</div>
</blockquote>
Ah, the famous "But I didn't change anything" defence. :-) :-)<br>
<blockquote type="cite"
cite="mid:WM!a0871d47b6bfe744689de826ba941c11294deed0a3409dbbf6f497b6ee97222c59296449a1ea03ed80d4c1956cd1b69b4829ba97e1aefa035f31b83e4171415f!@mx.jul.es">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D"> it just
started throwing the error.</span></p>
</div>
</blockquote>
Ah, but changes *were* made. Just possibly not by you. :-)<br>
Someone (or more likely some*thing*) did a "yum upgrade" or an "apt
upgrade", and replaced the copy of ClamAV that was running.<br>
You see that file "clamd.conf.ucf-dist" in your "ls -al" output
below? That was modified yesterday morning, which is probably
shortly before it all stopped working.<br>
<br>
From your /etc/clamav/clamd.conf file, based on the output from
"clamdscan" below, you should remove the lines that start
"AllowSupplementaryGroups" and "StatsEnabled". Then restart the
clamd service ("service clamd restart" will *probably* do the trick
on almost any Linux variant). Then try that clamdscan command again
and see if it gets further.<br>
<br>
Cheers,<br>
Jules.<br>
<br>
<blockquote type="cite"
cite="mid:WM!a0871d47b6bfe744689de826ba941c11294deed0a3409dbbf6f497b6ee97222c59296449a1ea03ed80d4c1956cd1b69b4829ba97e1aefa035f31b83e4171415f!@mx.jul.es">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Running
clamdscan:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;color:#1F497D">root@ZendTo5:/opt/zendto/config#
/usr/bin/clamdscan --stdout preferences.php<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;color:#1F497D">WARNING:
Ignoring deprecated option AllowSupplementaryGroups at line
11<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;color:#1F497D">ERROR:
Parse error at line 79: Unknown option StatsEnabled<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;color:#1F497D">ERROR:
Can't parse clamd configuration file /etc/clamav/clamd.conf<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;color:#1F497D">root@ZendTo5:/opt/zendto/config#
clamscan --version<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;color:#1F497D">ClamAV
0.100.1/24784/Thu Jul 26 04:44:34 2018<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;color:#1F497D">root@ZendTo5:/opt/zendto/config#
nano /etc/clamav/clamd.conf<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;color:#1F497D">root@ZendTo5:/opt/zendto/config#
ls /etc/clamav -la<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;color:#1F497D">total
36<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;color:#1F497D">drwxr-xr-x
5 root root 4096 Jul 26 09:49 .<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;color:#1F497D">drwxr-xr-x
94 root root 4096 Jul 25 06:06 ..<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;color:#1F497D">-rw-r--r--
1 root root 2059 Mar 5 10:19 clamd.conf<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;color:#1F497D">-rw-r--r--
1 root root 1999 Jul 25 06:06 clamd.conf.ucf-dist<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;color:#1F497D">-rw-r--r--
1 root root 2060 Mar 5 10:19 clamd.conf.zendto<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;color:#1F497D">-r--r--r--
1 clamav adm 702 Jul 25 06:06 freshclam.conf<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;color:#1F497D">drwxr-xr-x
2 root root 4096 Jan 29 11:14 onerrorexecute.d<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;color:#1F497D">drwxr-xr-x
2 root root 4096 Jan 29 11:14 onupdateexecute.d<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;color:#1F497D">drwxr-xr-x
2 root root 4096 Jan 29 11:14 virusevent.d<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">derek<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="color:windowtext">From:</span></b><span
style="color:windowtext"> ZendTo
[<a class="moz-txt-link-freetext" href="mailto:zendto-bounces@zend.to">mailto:zendto-bounces@zend.to</a>]
<b>On Behalf Of </b>Jules Field via ZendTo<br>
<b>Sent:</b> Wednesday, July 25, 2018 12:26 PM<br>
<b>To:</b> Pedrosi, Derek G. via ZendTo
<a class="moz-txt-link-rfc2396E" href="mailto:zendto@zend.to"><zendto@zend.to></a>; ZendTo Users
<a class="moz-txt-link-rfc2396E" href="mailto:zendto@zend.to"><zendto@zend.to></a><br>
<b>Cc:</b> Jules Field <a class="moz-txt-link-rfc2396E" href="mailto:Jules@Zend.To"><Jules@Zend.To></a><br>
<b>Subject:</b> Re: [ZendTo] ClamAV fail<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt">Derek,<br>
<br>
Testing it with "clamscan" won't help. It's "clamdscan" that
has to work, which is a very different beast.<br>
"clamscan" just does it all at once (which is why it takes so
long).<br>
"clamdscan" uses the "clamd" process to actually do the
scanning, and hence is much faster as there's no startup time
while it loads and compiles all the virus signatures.<br>
<br>
If it works with a small text file, but not an archive or docx
file, then you've probably run out of disk space in wherever
clamd is trying to unpack the archive.<br>
<br>
Otherwise, it is almost always permissions/ownership problems.<br>
You shouldn't do any harm by fetching a new copy of the ZendTo
installer and *just* doing the "Setup ClamAV" section.<br>
<br>
If you want to test it by hand, you need to do this:<br>
Edit the /etc/passwd file and give your apache or www-data
user a real shell such as /bin/bash.<br>
"pwconv" (that makes the /etc/shadow file).<br>
"su - apache" (or "su - www-data") to properly become the web
server user.<br>
clamdscan /var/zendto/*<br>
clamdscan --fdpass /var/zendto/*<br>
<br>
If both of those succeed, then start a big upload going in
ZendTo. This will force some data (with the right permissions)
into /var/zendto/incoming. While it's running, do "clamdscan
/var/zendto/incoming/*" and "clamdscan --fdpass
/var/zendto/incoming/*".<br>
<br>
By the time you've done all that lot, you've probably got some
errors from ClamAV which will help narrow down the cause.<br>
<br>
When you've fixed it, remember to put your "/etc/passwd" file
back so the shell says "/sbin/nologin" and run the "pwconv"
command again.<br>
<br>
Hope that helps,<br>
Jules.<br>
<br>
<span style="font-size:12.0pt"><o:p></o:p></span></p>
<div>
<p class="MsoNormal">On 25/07/2018 17:04, Pedrosi, Derek G.
via ZendTo wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">Suddenly, my drops are no longer being
scanned by AV and users were unable to drop files. No
changes were made.<o:p></o:p></p>
<p class="MsoNormal">User see this…<o:p></o:p></p>
<table class="MsoNormalTable" style="width:100.0%"
width="100%" border="0" cellpadding="0">
<tbody>
<tr>
<td style="padding:7.5pt .75pt .75pt .75pt">
<p class="MsoNormal"><b><span
style="font-family:"roboto",serif;color:#162637">Upload
Error</span></b><o:p></o:p></p>
</td>
</tr>
<tr>
<td style="padding:6.0pt .75pt .75pt .75pt"><br>
</td>
<td style="padding:6.0pt .75pt .75pt .75pt">
<p class="MsoNormal"><b><span
style="font-family:"roboto",serif;color:#162637">The
attempt to virus-scan your drop-off failed.
Please notify the system administrator.</span></b><o:p></o:p></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">I’ve since disable AV scan from the
preferences.php (it was 'clamdscan' =>
'/usr/bin/clamdscan --stdout --fdpass',) and now users can
drop files.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">The details…<o:p></o:p></p>
<p class="MsoNormal">From ZendTo log…<o:p></o:p></p>
<p class="MsoNormal" style="background:white"><span
style="font-size:10.0pt;font-family:"Courier New
;color:#162637",serif">2018-07-25 08:22:31
172.16.0.103 [XXXX]: Error: Virus scan of dropped-off
files /var/zendto/incoming/phpLfUrV9
/var/zendto/incoming/phpf6ExDv for USER failed with </span><o:p></o:p></p>
<p class="MsoNormal" style="background:white"><span
style="font-size:10.0pt;font-family:"Courier New
;color:#162637",serif"> </span><o:p></o:p></p>
<p class="MsoNormal" style="background:white"><span
style="font-size:10.0pt;font-family:"Courier New
;color:#162637",serif"> </span><o:p></o:p></p>
<p class="MsoNormal">From the /var/log/clamav dir:<o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt">root@ZendTo5:/var/log/clamav#
tail freshclam.log</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt">Wed Jul 25
11:02:09 2018 -> --------------------------------------</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt">Wed Jul 25
11:44:24 2018 -> Update process terminated</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt">Wed Jul 25
11:44:25 2018 -> --------------------------------------</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt">Wed Jul 25
11:44:25 2018 -> freshclam daemon 0.100.1 (OS:
linux-gnu, ARCH: x86_64, CPU: x86_64)</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt">Wed Jul 25
11:44:25 2018 -> ClamAV update process started at Wed
Jul 25 11:44:25 2018</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt">Wed Jul 25
11:44:25 2018 -> main.cvd is up to date (version: 58,
sigs: 4566249, f-level: 60, builder: sigmgr)</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt">Wed Jul 25
11:44:25 2018 -> daily.cld is up to date (version:
24781, sigs: 2024541, f-level: 63, builder: neo)</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt">Wed Jul 25
11:44:25 2018 -> bytecode.cld is up to date (version:
325, sigs: 90, f-level: 63, builder: neo)</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt">Wed Jul 25
11:44:25 2018 -> --------------------------------------</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt">root@ZendTo5:/var/log/clamav#
tail clamav.log</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt">Wed Jul 25
04:47:22 2018 -> SelfCheck: Database status OK.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt">Wed Jul 25
04:57:22 2018 -> SelfCheck: Database status OK.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt">Wed Jul 25
05:07:22 2018 -> SelfCheck: Database status OK.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt">Wed Jul 25
05:17:22 2018 -> SelfCheck: Database status OK.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt">Wed Jul 25
05:27:13 2018 -> Reading databases from /var/lib/clamav</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt">Wed Jul 25
05:27:27 2018 -> Database correctly reloaded (6584590
signatures)</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt">Wed Jul 25
05:37:27 2018 -> SelfCheck: Database status OK.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt">Wed Jul 25
05:47:27 2018 -> SelfCheck: Database status OK.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt">Wed Jul 25
05:57:27 2018 -> SelfCheck: Database status OK.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt">Wed Jul 25
06:05:55 2018 -> --- Stopped at Wed Jul 25 06:05:55
2018</span><o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Now, I can scan files manually via the
command line…<o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:9.0pt">clamscan
--verbose /var/log/</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:9.0pt">-----------
SCAN SUMMARY -----------</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:9.0pt">Known
viruses: 6584590</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:9.0pt">Engine
version: 0.100.1</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:9.0pt">Scanned
directories: 1</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:9.0pt">Scanned
files: 43</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:9.0pt">Infected
files: 0</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:9.0pt">Data
scanned: 8.88 MB</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:9.0pt">Data read:
1.75 MB (ratio 5.07:1)</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:9.0pt">Time:
19.976 sec (0 m 19 s)</span><o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Anywhere else to look?<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">derek<o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif"><br>
<br>
<br>
<o:p></o:p></span></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>ZendTo mailing list<o:p></o:p></pre>
<pre><a href="mailto:ZendTo@zend.to" moz-do-not-send="true">ZendTo@zend.to</a><o:p></o:p></pre>
<pre><a href="http://jul.es/mailman/listinfo/zendto" moz-do-not-send="true">http://jul.es/mailman/listinfo/zendto</a><o:p></o:p></pre>
</blockquote>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New
Roman",serif"><br>
<br>
<o:p></o:p></span></p>
<pre>Jules<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>-- <o:p></o:p></pre>
<pre>Julian Field MEng CEng CITP MBCS MIEEE MACM<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>Malin, Hebrides: South 5 to 7, occasionally 4 at first. Slight or moderate,<o:p></o:p></pre>
<pre>becoming rough in west. Rain later. Good, occasionally poor.<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre><a href="http://www.Zend.To" moz-do-not-send="true">www.Zend.To</a><o:p></o:p></pre>
<pre>Twitter: @JulesFM<o:p></o:p></pre>
<pre>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654<o:p></o:p></pre>
</div>
</blockquote>
<br>
<pre class="moz-signature" cols="72">Jules
--
Julian Field MEng CEng CITP MBCS MIEEE MACM
'Ensanguining the skies
How heavily it dies
Into the west away;
Past touch and sight and sound
Not further to be found,
How hopeless under ground
Falls the remorseful day.' - A.E.Houseman
<a class="moz-txt-link-abbreviated" href="http://www.Zend.To">www.Zend.To</a>
Twitter: @JulesFM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
</pre>
</body>
</html>