[clamav-users] FW: Problem with setup

Philip Andersson philip.andersson.ha at live.se
Wed May 25 02:54:55 EDT 2016


> From: philip.andersson.ha at live.se
> To: clamav-users at lists.clamav.net
> Date: Tue, 24 May 2016 19:17:42 +0200
> Subject: Re: [clamav-users] Problem with setup
> 
> The Eicar virus is stopped, a colleague of mine tested it, but this pdf virus is still slinking through CVE-2010-1240. 
> 
> I know that this virus is old but because of old systems on end users it is still a risk. It picks it up in clamdscan though as noted before. Cant see socket output right now but the regular output is dead silent. Only start up things and database updates. The last row is the clamdscan output. Runs the same output-file.
>  
> Tue May 24 12:45:30 2016 -> +++ Started at Tue May 24 12:45:30 2016
> Tue May 24 12:45:30 2016 -> Received 0 file descriptor(s) from systemd.
> Tue May 24 12:45:30 2016 -> clamd daemon 0.99.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
> Tue May 24 12:45:30 2016 -> Log file size limited to 104857600 bytes.
> Tue May 24 12:45:30 2016 -> Reading databases from /program/clamav_new/database
> Tue May 24 12:45:30 2016 -> Not loading PUA signatures.
> Tue May 24 12:45:30 2016 -> Bytecode: Security mode set to "TrustSigned".
> Tue May 24 12:45:38 2016 -> Loaded 4383889 signatures.
> Tue May 24 12:45:39 2016 -> TCP: Bound to [0.0.0.0]:3310
> Tue May 24 12:45:39 2016 -> TCP: Setting connection queue length to 200
> Tue May 24 12:45:39 2016 -> LOCAL: Unix socket file /tmp/clamd.socket
> Tue May 24 12:45:39 2016 -> LOCAL: Setting connection queue length to 200
> Tue May 24 12:45:39 2016 -> Limits: Global size limit set to 104857600 bytes.
> Tue May 24 12:45:39 2016 -> Limits: File size limit set to 41943040 bytes.
> Tue May 24 12:45:39 2016 -> Limits: Recursion level limit set to 16.
> Tue May 24 12:45:39 2016 -> Limits: Files limit set to 10000.
> Tue May 24 12:45:39 2016 -> Limits: MaxEmbeddedPE limit set to 10485760 bytes.
> Tue May 24 12:45:39 2016 -> Limits: MaxHTMLNormalize limit set to 10485760 bytes.
> Tue May 24 12:45:39 2016 -> Limits: MaxHTMLNoTags limit set to 2097152 bytes.
> Tue May 24 12:45:39 2016 -> Limits: MaxScriptNormalize limit set to 5242880 bytes.
> Tue May 24 12:45:39 2016 -> Limits: MaxZipTypeRcg limit set to 1048576 bytes.
> Tue May 24 12:45:39 2016 -> Limits: MaxPartitions limit set to 50.
> Tue May 24 12:45:39 2016 -> Limits: MaxIconsPE limit set to 100.
> Tue May 24 12:45:39 2016 -> Limits: MaxRecHWP3 limit set to 16.
> Tue May 24 12:45:39 2016 -> Limits: PCREMatchLimit limit set to 10000.
> Tue May 24 12:45:39 2016 -> Limits: PCRERecMatchLimit limit set to 5000.
> Tue May 24 12:45:39 2016 -> Limits: PCREMaxFileSize limit set to 26214400.
> Tue May 24 12:45:39 2016 -> Archive support enabled.
> Tue May 24 12:45:39 2016 -> Algorithmic detection enabled.
> Tue May 24 12:45:39 2016 -> Portable Executable support enabled.
> Tue May 24 12:45:39 2016 -> ELF support enabled.
> Tue May 24 12:45:39 2016 -> Mail files support enabled.
> Tue May 24 12:45:39 2016 -> OLE2 support enabled.
> Tue May 24 12:45:39 2016 -> PDF support enabled.
> Tue May 24 12:45:39 2016 -> SWF support enabled.
> Tue May 24 12:45:39 2016 -> HTML support enabled.
> Tue May 24 12:45:39 2016 -> XMLDOCS support enabled.
> Tue May 24 12:45:39 2016 -> HWP3 support enabled.
> Tue May 24 12:45:39 2016 -> Self checking every 600 seconds.
> Tue May 24 12:55:54 2016 -> SelfCheck: Database status OK.
> Tue May 24 13:13:18 2016 -> SelfCheck: Database status OK.
> Tue May 24 13:23:18 2016 -> SelfCheck: Database status OK.
> Tue May 24 13:33:18 2016 -> SelfCheck: Database status OK.
> Tue May 24 13:43:18 2016 -> SelfCheck: Database status OK.
> Tue May 24 13:53:18 2016 -> SelfCheck: Database status OK.
> Tue May 24 13:58:29 2016 -> /nfshome/66118710/clam/cybercom_pentest2.pdf: Win.Trojan.MSShellcode-7(0fefca28d5c5509397979d86c4e8d1cb:95307) FOUND
>  
> Output from clamdscan:
> $/program/clamav_new/clamav/bin/clamdscan -c /program/clamav_new/clamav/etc/clamd-A1.conf /nfshome/66118710/clam/cybercom_pentest2.pdf 
> /nfshome/66118710/clam/cybercom_pentest2.pdf: Win.Trojan.MSShellcode-7 FOUND
>  
> ----------- SCAN SUMMARY -----------
> Infected files: 1
> Time: 0.047 sec (0 m 0 s)
> 
>  
> > To: clamav-users at lists.clamav.net
> > From: clamav at cosis.dk
> > Date: Tue, 24 May 2016 16:52:22 +0200
> > Subject: Re: [clamav-users] Problem with setup
> > 
> > 
> > 
> > On 05/24/2016 04:29 PM, Philip Andersson wrote:
> > > I know that the setup have work before, but the test virus is new and the clamav version is new. The plugins is written by me and used in small MTS application.
> > >   
> > > I am not reading the log-file but the output stream from clamd, its two different things.
> > >   
> > > I just wonder how the clamd is missing a virus that clamdscan picks up when using the same settings and same database.
> > > Is there a difference in the way they work?
> > >   
> > >    		 	   		
> > > _________
> > You could have saved us all a lot of time, if only you had given us that 
> > information up-front.
> > 
> > With the new ClamAV Version - does it detect the standard Eicar Test 
> > Virus? (Sent in an attachment as eg. Eicar.com)
> > 
> > Could you provide the output from the ClamD when injecting the infected 
> > PDF file. (All output please - log and socket)
> > 
> > Also the output from Clamscan processing the same file would be useful.
> > 
> > Best regards
> >    Michael
> > 
> > 
> > 
> > _______________________________________________
> > Help us build a comprehensive ClamAV guide:
> > https://github.com/vrtadmin/clamav-faq
> > 
> > http://www.clamav.net/contact.html#ml
>  		 	   		  
> _______________________________________________
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
> 
> http://www.clamav.net/contact.html#ml

 		 	   		  


More information about the clamav-users mailing list