<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
</head>
<body bgcolor="white" lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:12.0pt;color:#1F497D">Running clamdscan with the changes Jules outlined yields the following.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;color:#1F497D">When I go to that directory, the file /var/run/clamav/clamd.ctl does not exist.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;color:#1F497D">www-data@ZendTo5:~$ clamdscan --verbose /var/zendto/*<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;color:#1F497D">ERROR: Could not connect to clamd on LocalSocket /var/run/clamav/clamd.ctl: No such file or directory<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;color:#1F497D">ERROR: Could not connect to clamd on LocalSocket /var/run/clamav/clamd.ctl: No such file or directory<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;color:#1F497D">ERROR: Could not connect to clamd on LocalSocket /var/run/clamav/clamd.ctl: No such file or directory<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;color:#1F497D">ERROR: Could not connect to clamd on LocalSocket /var/run/clamav/clamd.ctl: No such file or directory<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;color:#1F497D">ERROR: Could not connect to clamd on LocalSocket /var/run/clamav/clamd.ctl: No such file or directory<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;color:#1F497D">ERROR: Could not connect to clamd on LocalSocket /var/run/clamav/clamd.ctl: No such file or directory<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;color:#1F497D">ERROR: Could not connect to clamd on LocalSocket /var/run/clamav/clamd.ctl: No such file or directory<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;color:#1F497D">ERROR: Could not connect to clamd on LocalSocket /var/run/clamav/clamd.ctl: No such file or directory<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;color:#1F497D">----------- SCAN SUMMARY -----------<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;color:#1F497D">Infected files: 0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;color:#1F497D">Total errors: 8<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;color:#1F497D">Time: 0.001 sec (0 m 0 s)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;color:#1F497D">www-data@ZendTo5:~$ clamdscan --verbose --fdpass /var/zendto/*<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;color:#1F497D">ERROR: Could not connect to clamd on LocalSocket /var/run/clamav/clamd.ctl: No such file or directory<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;color:#1F497D">ERROR: Could not connect to clamd on LocalSocket /var/run/clamav/clamd.ctl: No such file or directory<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;color:#1F497D">/var/zendto/incoming: OK<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;color:#1F497D">/var/zendto/library: OK<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;color:#1F497D">ERROR: Could not connect to clamd on LocalSocket /var/run/clamav/clamd.ctl: No such file or directory<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;color:#1F497D">ERROR: Could not connect to clamd on LocalSocket /var/run/clamav/clamd.ctl: No such file or directory<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;color:#1F497D">ERROR: Could not connect to clamd on LocalSocket /var/run/clamav/clamd.ctl: No such file or directory<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;color:#1F497D">ERROR: Could not connect to clamd on LocalSocket /var/run/clamav/clamd.ctl: No such file or directory<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;color:#1F497D">----------- SCAN SUMMARY -----------<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;color:#1F497D">Infected files: 0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;color:#1F497D">Total errors: 6<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;color:#1F497D">Time: 0.000 sec (0 m 0 s)</span><span style="font-size:9.0pt;color:windowtext"><o:p></o:p></span></p>
<div>
<div>
<div>
<p class="MsoNormal"><span style="color:red"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:red"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:windowtext">derek<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:red"><o:p> </o:p></span></p>
</div>
</div>
</div>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="color:windowtext">From:</span></b><span style="color:windowtext"> Jules Field [mailto:Jules@Zend.To]
<br>
<b>Sent:</b> Thursday, July 26, 2018 11:13 AM<br>
<b>To:</b> Pedrosi, Derek G. &lt;pedrosi@millercanfield.com&gt;; ZendTo Users &lt;zendto@zend.to&gt;<br>
<b>Subject:</b> Re: [ZendTo] ClamAV fail<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt">Derek,<span style="font-size:12.0pt"><o:p></o:p></span></p>
<div>
<p class="MsoNormal">On 26/07/2018 16:07, Pedrosi, Derek G. wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span style="color:#1F497D">Jules,</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">I’m the only one with ANY access to this system (other than web), and I was on vacation.</span><o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:'Times New Roman',serif">Hence my suggestion of some*thing*.<br>
Such as your cron daemon, which appears to have been installing updates (they might well have been tagged as security updates, so got automatically installed).<br>
<br>
Having read your lines below, have you tried this bit I suggested in my original reply to you?<br>
<br>
If you want to test it by hand, you need to do this:<br>
Edit the /etc/passwd file and give your apache or www-data user a real shell such as /bin/bash.<br>
"pwconv" (that makes the /etc/shadow file).<br>
"su - apache" (or "su - www-data") to properly become the web server user.<br>
clamdscan /var/zendto/*<br>
clamdscan --fdpass /var/zendto/*<br>
<br>
What does that lot output?<br>
<br>
You not only need to get the location of the LocalSocket correct enough for clamd to start and clamdscan to talk to it, but freshclam.conf needs to know where it is too, or else freshclam can't tell clamd that its signatures have been updated and hence needs
to restart itself.<br>
<br>
Cheers,<br>
Jules.<br>
<br>
<o:p></o:p></span></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">Nevertheless, I’ve commented out the stats lines in clamd.conf and then I received this error.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:8.0pt;color:#1F497D">root@ZendTo5:/opt/zendto/config# /usr/bin/clamdscan preferences.php</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:8.0pt;color:#1F497D">ERROR: Could not connect to clamd on LocalSocket /var/run/clamav/clamd.ctl: No such file or directory</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:8.0pt;color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:8.0pt;color:#1F497D">----------- SCAN SUMMARY -----------</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:8.0pt;color:#1F497D">Infected files: 0</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:8.0pt;color:#1F497D">Total errors: 1</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:8.0pt;color:#1F497D">Time: 0.000 sec (0 m 0 s)</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:8.0pt;color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">Likewise in ZendTo the log shows…</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:8.0pt;color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal" style="background:white"><span style="font-size:8.0pt;font-family:'Courier New ;color:#162637',serif">Error: Virus scan of dropped-off files /var/zendto/incoming/phpSAkd0U for dgpedrosi failed with ERROR: Could not connect to clamd on
LocalSocket /var/run/clamav/clamd.ctl: No such file or directory ----------- SCAN SUMMARY ----------- Infected files: 0 Total errors: 1 Time: 0.000 sec (0 m 0 s)</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:8.0pt;color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">Then from clamd.conf I commented out these lines</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:8.0pt;color:#1F497D">#LocalSocket /var/run/clamav/clamd.ctl</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:8.0pt;color:#1F497D">#FixStaleSocket true</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:8.0pt;color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">And now I can run a command line scan without error:</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:8.0pt;color:#1F497D">root@ZendTo5:/opt/zendto/config# /usr/bin/clamdscan preferences.php</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:8.0pt;color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:8.0pt;color:#1F497D">----------- SCAN SUMMARY -----------</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:8.0pt;color:#1F497D">Infected files: 0</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:8.0pt;color:#1F497D">Total errors: 1</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:8.0pt;color:#1F497D">Time: 0.000 sec (0 m 0 s)</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:8.0pt;color:#1F497D">root@ZendTo5:/opt/zendto/config#</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">But ZendTo will still not AV scan, from the ZendTo log:</span><o:p></o:p></p>
<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:'Courier New ;color:#162637',serif">Error: Virus scan of dropped-off files /var/zendto/incoming/phpcz1Ojf for dgpedrosi failed with ----------- SCAN SUMMARY -----------
Infected files: 0 Total errors: 1 Time: 0.000 sec (0 m 0 s)</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">Also, I’m running Ubuntu 16.04.4 LTS, no clamd service to be found:</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:8.0pt;color:#1F497D">root@ZendTo5:/opt/zendto/config# service --status-all</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:8.0pt;color:#1F497D">[ + ] acpid</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:8.0pt;color:#1F497D">[ + ] apache-htcacheclean</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:8.0pt;color:#1F497D">[ + ] apache2</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:8.0pt;color:#1F497D">[ + ] apparmor</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:8.0pt;color:#1F497D">[ + ] apport</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:8.0pt;color:#1F497D">[ + ] atd</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:8.0pt;color:#1F497D">[ - ] bootmisc.sh</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:8.0pt;color:#1F497D">[ - ] checkfs.sh</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:8.0pt;color:#1F497D">[ - ] checkroot-bootclean.sh</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:8.0pt;color:#1F497D">[ - ] checkroot.sh</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:8.0pt;color:#1F497D">[ - ] clamav-daemon</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:8.0pt;color:#1F497D">[ + ] clamav-freshclam</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:8.0pt;color:#1F497D">[ + ] console-setup</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:8.0pt;color:#1F497D">[ + ] cron</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">But I did reboot the server, and I’m still seeing the issue.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">???</span><o:p></o:p></p>
<div>
<div>
<div>
<p class="MsoNormal"><span style="color:red"> </span><o:p></o:p></p>
</div>
</div>
</div>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="color:windowtext">From:</span></b><span style="color:windowtext"> Jules Field [<a href="mailto:Jules@Zend.To">mailto:Jules@Zend.To</a>]
<br>
<b>Sent:</b> Thursday, July 26, 2018 10:27 AM<br>
<b>To:</b> Pedrosi, Derek G. <a href="mailto:pedrosi@millercanfield.com">&lt;pedrosi@millercanfield.com&gt;</a>; ZendTo Users
<a href="mailto:zendto@zend.to">&lt;zendto@zend.to&gt;</a><br>
<b>Subject:</b> Re: [ZendTo] ClamAV fail</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt">Derek,<o:p></o:p></p>
<div>
<p class="MsoNormal">On 26/07/2018 14:50, Pedrosi, Derek G. wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span style="color:#1F497D">This is my production server, and no changes were made;</span><o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:'Times New Roman ,serif',serif">Ah, the famous "But I didn't change anything" defence. :-) :-)<br>
<br>
<br>
</span><o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span style="color:#1F497D">it just started throwing the error.</span><o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:'Times New Roman ,serif',serif">Ah, but changes *were* made. Just possibly not by you. :-)<br>
Someone (or more likely some*thing*) did a "yum upgrade" or an "apt upgrade", and replaced the copy of ClamAV that was running.<br>
You see that file "clamd.conf.ucf-dist" in your "ls -al" output below? That was modified yesterday morning, which is probably shortly before it all stopped working.<br>
<br>
From your /etc/clamav/clamd.conf file, based on the output from "clamdscan" below, you should remove the lines that start "AllowSupplementaryGroups" and "StatsEnabled". Then restart the clamd service ("service clamd restart" will *probably* do the trick on
almost any Linux variant). Then try that clamdscan command again and see if it gets further.<br>
<br>
Cheers,<br>
Jules.<br>
<br>
<br>
<br>
</span><o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">Running clamdscan:</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:9.0pt;color:#1F497D">root@ZendTo5:/opt/zendto/config# /usr/bin/clamdscan --stdout preferences.php</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:9.0pt;color:#1F497D">WARNING: Ignoring deprecated option AllowSupplementaryGroups at line 11</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:9.0pt;color:#1F497D">ERROR: Parse error at line 79: Unknown option StatsEnabled</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:9.0pt;color:#1F497D">ERROR: Can't parse clamd configuration file /etc/clamav/clamd.conf</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:9.0pt;color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:9.0pt;color:#1F497D">root@ZendTo5:/opt/zendto/config# clamscan --version</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:9.0pt;color:#1F497D">ClamAV 0.100.1/24784/Thu Jul 26 04:44:34 2018</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:9.0pt;color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:9.0pt;color:#1F497D">root@ZendTo5:/opt/zendto/config# nano /etc/clamav/clamd.conf</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:9.0pt;color:#1F497D">root@ZendTo5:/opt/zendto/config# ls /etc/clamav -la</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:9.0pt;color:#1F497D">total 36</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:9.0pt;color:#1F497D">drwxr-xr-x 5 root root 4096 Jul 26 09:49 .</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:9.0pt;color:#1F497D">drwxr-xr-x 94 root root 4096 Jul 25 06:06 ..</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:9.0pt;color:#1F497D">-rw-r--r-- 1 root root 2059 Mar 5 10:19 clamd.conf</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:9.0pt;color:#1F497D">-rw-r--r-- 1 root root 1999 Jul 25 06:06 clamd.conf.ucf-dist</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:9.0pt;color:#1F497D">-rw-r--r-- 1 root root 2060 Mar 5 10:19 clamd.conf.zendto</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:9.0pt;color:#1F497D">-r--r--r-- 1 clamav adm 702 Jul 25 06:06 freshclam.conf</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:9.0pt;color:#1F497D">drwxr-xr-x 2 root root 4096 Jan 29 11:14 onerrorexecute.d</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:9.0pt;color:#1F497D">drwxr-xr-x 2 root root 4096 Jan 29 11:14 onupdateexecute.d</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:9.0pt;color:#1F497D">drwxr-xr-x 2 root root 4096 Jan 29 11:14 virusevent.d</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">derek</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="color:windowtext">From:</span></b><span style="color:windowtext"> ZendTo [<a href="mailto:zendto-bounces@zend.to">mailto:zendto-bounces@zend.to</a>]
<b>On Behalf Of </b>Jules Field via ZendTo<br>
<b>Sent:</b> Wednesday, July 25, 2018 12:26 PM<br>
<b>To:</b> Pedrosi, Derek G. via ZendTo <a href="mailto:zendto@zend.to">&lt;zendto@zend.to&gt;</a>; ZendTo Users
<a href="mailto:zendto@zend.to">&lt;zendto@zend.to&gt;</a><br>
<b>Cc:</b> Jules Field <a href="mailto:Jules@Zend.To">&lt;Jules@Zend.To&gt;</a><br>
<b>Subject:</b> Re: [ZendTo] ClamAV fail</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt">Derek,<br>
<br>
Testing it with "clamscan" won't help. It's "clamdscan" that has to work, which is a very different beast.<br>
"clamscan" just does it all at once (which is why it takes so long).<br>
"clamdscan" uses the "clamd" process to actually do the scanning, and hence is much faster as there's no startup time while it loads and compiles all the virus signatures.<br>
<br>
If it works with a small text file, but not an archive or docx file, then you've probably run out of disk space in wherever clamd is trying to unpack the archive.<br>
<br>
Otherwise, it is almost always permissions/ownership problems.<br>
You shouldn't do any harm by fetching a new copy of the ZendTo installer and *just* doing the "Setup ClamAV" section.<br>
<br>
If you want to test it by hand, you need to do this:<br>
Edit the /etc/passwd file and give your apache or www-data user a real shell such as /bin/bash.<br>
"pwconv" (that makes the /etc/shadow file).<br>
"su - apache" (or "su - www-data") to properly become the web server user.<br>
clamdscan /var/zendto/*<br>
clamdscan --fdpass /var/zendto/*<br>
<br>
If both of those succeed, then start a big upload going in ZendTo. This will force some data (with the right permissions) into /var/zendto/incoming. While it's running, do "clamdscan /var/zendto/incoming/*" and "clamdscan --fdpass /var/zendto/incoming/*".<br>
<br>
By the time you've done all that lot, you've probably got some errors from ClamAV which will help narrow down the cause.<br>
<br>
When you've fixed it, remember to put your "/etc/passwd" file back so the shell says "/sbin/nologin" and run the "pwconv" command again.<br>
<br>
Hope that helps,<br>
Jules.<br>
<br>
<br>
<br>
<o:p></o:p></p>
<div>
<p class="MsoNormal">On 25/07/2018 17:04, Pedrosi, Derek G. via ZendTo wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">Suddenly, my drops are no longer being scanned by AV and users were unable to drop files. No changes were made.<o:p></o:p></p>
<p class="MsoNormal">Users see this…<o:p></o:p></p>
<table class="MsoNormalTable" border="0" cellpadding="0" width="100%" style="width:100.0%">
<tbody>
<tr>
<td style="padding:7.5pt .75pt .75pt .75pt">
<p class="MsoNormal"><b><span style="font-family:'roboto',serif;color:#162637">Upload Error</span></b><o:p></o:p></p>
</td>
</tr>
<tr>
<td style="padding:6.0pt .75pt .75pt .75pt"></td>
<td style="padding:6.0pt .75pt .75pt .75pt">
<p class="MsoNormal"><b><span style="font-family:'roboto',serif;color:#162637">The attempt to virus-scan your drop-off failed. Please notify the system administrator.</span></b><o:p></o:p></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">I’ve since disabled AV scan from the preferences.php (it was 'clamdscan' =&gt; '/usr/bin/clamdscan --stdout --fdpass',) and now users can drop files.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">The details…<o:p></o:p></p>
<p class="MsoNormal">From ZendTo log…<o:p></o:p></p>
<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:'Courier New',serif">2018-07-25 08:22:31 172.16.0.103 [XXXX]: Error: Virus scan of dropped-off files /var/zendto/incoming/phpLfUrV9 /var/zendto/incoming/phpf6ExDv for USER
failed with </span><o:p></o:p></p>
<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:'Courier New',serif"> </span><o:p></o:p></p>
<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:'Courier New',serif"> </span><o:p></o:p></p>
<p class="MsoNormal">From the /var/log/clamav dir:<o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt">root@ZendTo5:/var/log/clamav# tail freshclam.log</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt">Wed Jul 25 11:02:09 2018 -> --------------------------------------</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt">Wed Jul 25 11:44:24 2018 -> Update process terminated</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt">Wed Jul 25 11:44:25 2018 -> --------------------------------------</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt">Wed Jul 25 11:44:25 2018 -> freshclam daemon 0.100.1 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt">Wed Jul 25 11:44:25 2018 -> ClamAV update process started at Wed Jul 25 11:44:25 2018</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt">Wed Jul 25 11:44:25 2018 -> main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt">Wed Jul 25 11:44:25 2018 -> daily.cld is up to date (version: 24781, sigs: 2024541, f-level: 63, builder: neo)</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt">Wed Jul 25 11:44:25 2018 -> bytecode.cld is up to date (version: 325, sigs: 90, f-level: 63, builder: neo)</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt">Wed Jul 25 11:44:25 2018 -> --------------------------------------</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt">root@ZendTo5:/var/log/clamav# tail clamav.log</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt">Wed Jul 25 04:47:22 2018 -> SelfCheck: Database status OK.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt">Wed Jul 25 04:57:22 2018 -> SelfCheck: Database status OK.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt">Wed Jul 25 05:07:22 2018 -> SelfCheck: Database status OK.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt">Wed Jul 25 05:17:22 2018 -> SelfCheck: Database status OK.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt">Wed Jul 25 05:27:13 2018 -> Reading databases from /var/lib/clamav</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt">Wed Jul 25 05:27:27 2018 -> Database correctly reloaded (6584590 signatures)</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt">Wed Jul 25 05:37:27 2018 -> SelfCheck: Database status OK.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt">Wed Jul 25 05:47:27 2018 -> SelfCheck: Database status OK.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt">Wed Jul 25 05:57:27 2018 -> SelfCheck: Database status OK.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt">Wed Jul 25 06:05:55 2018 -> --- Stopped at Wed Jul 25 06:05:55 2018</span><o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Now, I can scan files manually via the command line…<o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:9.0pt">clamscan --verbose /var/log/</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:9.0pt">----------- SCAN SUMMARY -----------</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:9.0pt">Known viruses: 6584590</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:9.0pt">Engine version: 0.100.1</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:9.0pt">Scanned directories: 1</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:9.0pt">Scanned files: 43</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:9.0pt">Infected files: 0</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:9.0pt">Data scanned: 8.88 MB</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:9.0pt">Data read: 1.75 MB (ratio 5.07:1)</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:9.0pt">Time: 19.976 sec (0 m 19 s)</span><o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Anywhere else to look?<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">derek<o:p></o:p></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>ZendTo mailing list<o:p></o:p></pre>
<pre><a href="mailto:ZendTo@zend.to">ZendTo@zend.to</a><o:p></o:p></pre>
<pre><a href="http://jul.es/mailman/listinfo/zendto">http://jul.es/mailman/listinfo/zendto</a><o:p></o:p></pre>
</blockquote>
<pre>Jules<o:p></o:p></pre>
<pre> <o:p></o:p></pre>
<pre>-- <o:p></o:p></pre>
<pre>Julian Field MEng CEng CITP MBCS MIEEE MACM<o:p></o:p></pre>
<pre> <o:p></o:p></pre>
<pre>Malin, Hebrides: South 5 to 7, occasionally 4 at first. Slight or moderate,<o:p></o:p></pre>
<pre>becoming rough in west. Rain later. Good, occasionally poor.<o:p></o:p></pre>
<pre> <o:p></o:p></pre>
<pre><a href="http://www.Zend.To">www.Zend.To</a><o:p></o:p></pre>
<pre>Twitter: @JulesFM<o:p></o:p></pre>
<pre>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654<o:p></o:p></pre>
</blockquote>
<pre>Jules<o:p></o:p></pre>
<pre> <o:p></o:p></pre>
<pre>-- <o:p></o:p></pre>
<pre>Julian Field MEng CEng CITP MBCS MIEEE MACM<o:p></o:p></pre>
<pre> <o:p></o:p></pre>
<pre>'Ensanguining the skies<o:p></o:p></pre>
<pre> How heavily it dies<o:p></o:p></pre>
<pre> Into the west away;<o:p></o:p></pre>
<pre> Past touch and sight and sound<o:p></o:p></pre>
<pre> Not further to be found,<o:p></o:p></pre>
<pre> How hopeless under ground<o:p></o:p></pre>
<pre> Falls the remorseful day.' - A.E.Houseman<o:p></o:p></pre>
<pre> <o:p></o:p></pre>
<pre><a href="http://www.Zend.To">www.Zend.To</a><o:p></o:p></pre>
<pre>Twitter: @JulesFM<o:p></o:p></pre>
<pre>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654<o:p></o:p></pre>
</blockquote>
<pre>Jules<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>-- <o:p></o:p></pre>
<pre>Julian Field MEng CEng CITP MBCS MIEEE MACM<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>'We face neither East nor West: we face forward.' - Kwame Nkrumah<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre><a href="http://www.Zend.To">www.Zend.To</a><o:p></o:p></pre>
<pre>Twitter: @JulesFM<o:p></o:p></pre>
<pre>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654<o:p></o:p></pre>
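<p class="MsoNormal">Added example, not part of the thread and not ZendTo or ClamAV code: a read-only shell check for the points raised above (the two options clamdscan rejected, an active LocalSocket whose socket file exists, and freshclam.conf pointing at the same clamd.conf). The function names are hypothetical, the sample config is constructed, and it assumes freshclam locates clamd through a NotifyClamd line naming the clamd.conf path.</p>

```shell
#!/bin/sh
# Added example (not from the thread): consistency checks for the clamd
# socket configuration. Files are only read, never modified.

# conf_value FILE KEY: print the value of the last active (uncommented) KEY line.
conf_value() {
    awk -v key="$2" '
        $1 == key { $1 = ""; sub(/^[ \t]+/, ""); val = $0 }
        END { if (val != "") print val }' "$1"
}

# rejected_options FILE: list "line:option" for the two options that
# clamdscan 0.100.1 complained about in the thread.
rejected_options() {
    awk '$1 == "AllowSupplementaryGroups" || $1 == "StatsEnabled" {
             out = out sep NR ":" $1; sep = " " }
         END { if (out != "") print out }' "$1"
}

# check_clamd CLAMD_CONF [FRESHCLAM_CONF]: print one finding per line and
# return the number of findings (0 means the files agree with each other).
check_clamd() {
    conf=$1
    fresh=${2:-}
    findings=0

    bad=$(rejected_options "$conf")
    if [ -n "$bad" ]; then
        echo "OLD-OPTION $bad"
        findings=$((findings + 1))
    fi

    sock=$(conf_value "$conf" LocalSocket)
    tcp=$(conf_value "$conf" TCPSocket)
    if [ -z "$sock" ] && [ -z "$tcp" ]; then
        # Commenting out LocalSocket leaves clamdscan with no address to use.
        echo "NO-LISTENER no active LocalSocket or TCPSocket line"
        findings=$((findings + 1))
    elif [ -n "$sock" ] && [ ! -S "$sock" ]; then
        # Same symptom as "No such file or directory" in the thread: the
        # path is configured but no clamd has created the socket there.
        echo "NO-SOCKET $sock"
        findings=$((findings + 1))
    fi

    if [ -n "$fresh" ]; then
        # Assumption: freshclam finds clamd via "NotifyClamd <clamd.conf path>".
        notify=$(conf_value "$fresh" NotifyClamd)
        if [ -z "$notify" ]; then
            echo "NO-NOTIFY no active NotifyClamd line in $fresh"
            findings=$((findings + 1))
        elif [ "$notify" != "$conf" ]; then
            echo "NOTIFY-MISMATCH NotifyClamd=$notify checked=$conf"
            findings=$((findings + 1))
        fi
    fi
    return "$findings"
}

# demo: run the check against constructed sample files in a temp directory.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/clamd.conf" <<EOF
# constructed sample, not the poster's file
AllowSupplementaryGroups true
LocalSocket $dir/clamd.ctl
FixStaleSocket true
StatsEnabled false
EOF
    printf 'NotifyClamd /etc/clamav/clamd.conf\n' > "$dir/freshclam.conf"
    check_clamd "$dir/clamd.conf" "$dir/freshclam.conf"
    rc=$?
    rm -rf "$dir"
    return "$rc"
}

# Check real files when paths are given, otherwise run the constructed sample.
if [ "$#" -gt 0 ]; then check_clamd "$@"; else demo || true; fi
```

<p class="MsoNormal">Given real paths as arguments (clamd.conf first, freshclam.conf second), the exit status is the number of findings, so 0 means the two files agree and the socket exists.</p>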
</div>
</body>
</html>