[clamav-users] ScanOnAccess: ... (null) FOUND

Micah Snyder (micasnyd) micasnyd at cisco.com
Wed Aug 1 17:43:00 UTC 2018


How long has this been going on?
What is your database set?
What version of ClamAV are you using?
Are you using the VirusEvent hook?

I've searched the code base high and low and can't find any reasonable excuse why the virus name would be "(null)".  There is one reference, but it only uses "(null)" as the virus name in performance event logging for pcre statistics (a --statistics=pcre option for clamscan), and not for actual virus reporting.  Suffice to say we're pretty stumped as to why you are seeing that.

You can disable Firefox caching as a bandaid to eliminate the logs, but I doubt you want to.


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


On Aug 1, 2018, at 6:16 AM, Kretschmer, Jens <kretschmer.jens at siemens.com> wrote:

Hi,

we have ScanOnAccess and OnAccessExtraScanning activated. When I open firefox I get a lot of messages written to /var/log/messages every couple of seconds:

Aug  1 12:07:02 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/entries/3F5C8E984584F19905AC4995D97962FE97EFFBEB: (null) FOUND
Aug  1 12:07:02 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/doomed/1472223436: (null) FOUND
Aug  1 12:07:02 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/entries/5A9A7B6DCAF96FA85AB400F1EFB97A4D2BE4289E: (null) FOUND
Aug  1 12:07:02 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/doomed/715632663: (null) FOUND
Aug  1 12:07:04 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/entries/8F2E3CF4AC8F00C3ACE4C932BEA76F2089A593E1: (null) FOUND
Aug  1 12:07:04 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/doomed/277127757: (null) FOUND
Aug  1 12:07:05 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/entries/703A8CB3B4C8311394915B3A285359E7E1AF7520: (null) FOUND
Aug  1 12:07:06 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/doomed/1628703657: (null) FOUND
Aug  1 12:07:06 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/entries/5D7DBEB1898CFD7B33E3406F9CA1B6D3BA12C3B6: (null) FOUND
Aug  1 12:07:06 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/doomed/1952686252: (null) FOUND
Aug  1 12:07:07 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/doomed/449677348: (null) FOUND
Aug  1 12:07:07 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/doomed/829574285: (null) FOUND
Aug  1 12:07:07 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/entries/D2BB3C327EF38DDD2FE5E544DBBE084493F1D608: (null) FOUND
Aug  1 12:07:07 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/entries/8F2E3CF4AC8F00C3ACE4C932BEA76F2089A593E1: (null) FOUND
Aug  1 12:07:07 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/doomed/636557989: (null) FOUND
Aug  1 12:07:07 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/entries/5A9A7B6DCAF96FA85AB400F1EFB97A4D2BE4289E: (null) FOUND
Aug  1 12:07:10 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/doomed/1707731390: (null) FOUND
Aug  1 12:07:10 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/doomed/617693635: (null) FOUND
Aug  1 12:07:11 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/entries/5D7DBEB1898CFD7B33E3406F9CA1B6D3BA12C3B6: (null) FOUND
Aug  1 12:07:11 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/doomed/1367025624: (null) FOUND
Aug  1 12:07:12 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/doomed/1089051163: (null) FOUND
Aug  1 12:07:13 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/doomed/2003921810: (null) FOUND
Aug  1 12:07:15 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/entries/703A8CB3B4C8311394915B3A285359E7E1AF7520: (null) FOUND
Aug  1 12:07:15 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/doomed/1845070701: (null) FOUND
Aug  1 12:07:16 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/doomed/250378345: (null) FOUND
Aug  1 12:07:16 hostname1 clamd[4051]: ScanOnAccess: /home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2/entries/5D7DBEB1898CFD7B33E3406F9CA1B6D3BA12C3B6: (null) FOUND

I already hide the “ScanOnAccess: Performing additional scanning on file …” messages by adding

:msg, startswith, "ScanOnAccess: Performing additional scanning on file" stop

to a file in /etc/rsyslog.d/. But the messages mentioned above have exactly the same format as when malware is found, so I would rather not hide them. Apart from the fact that those messages are cluttering /var/log/messages, they also trigger malware alarms on our central syslog server. What can I do to stop those messages?

Best regards,
Jens
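
An added example, not part of the thread and not ClamAV code: one way a log consumer could keep alerting on named detections while counting the "(null) FOUND" lines separately instead of hiding them. The line format is taken from the excerpt above; the named-detection line, the "Performing additional scanning" sample path and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Format seen in the excerpt above:
#   "<timestamp> <host> clamd[<pid>]: ScanOnAccess: <path>: <name> FOUND"
LINE_RE = re.compile(
    r"clamd\[\d+\]: ScanOnAccess: (?P<path>.+): (?P<name>\S+) FOUND\s*$"
)

def classify(line):
    """Return (kind, path, name); kind is 'detection', 'unnamed' or None."""
    m = LINE_RE.search(line)
    if not m:
        return (None, None, None)  # not an on-access result line
    name = m.group("name")
    kind = "unnamed" if name == "(null)" else "detection"
    return (kind, m.group("path"), name)

def triage(lines):
    """Split result lines into alertable detections and per-directory
    counts of results that carry no signature name."""
    alerts, unnamed = [], Counter()
    for line in lines:
        kind, path, name = classify(line)
        if kind == "detection":
            alerts.append((path, name))
        elif kind == "unnamed":
            unnamed[path.rsplit("/", 1)[0]] += 1
    return alerts, unnamed

CACHE = "/home/user1/.cache/mozilla/firefox/0pnt0qc2.default/cache2"
SAMPLE = [
    # Two lines copied from the report above.
    f"Aug  1 12:07:02 hostname1 clamd[4051]: ScanOnAccess: {CACHE}/entries/"
    "3F5C8E984584F19905AC4995D97962FE97EFFBEB: (null) FOUND",
    f"Aug  1 12:07:02 hostname1 clamd[4051]: ScanOnAccess: {CACHE}/doomed/"
    "1472223436: (null) FOUND",
    # Constructed lines: a named detection and an informational message.
    "Aug  1 12:07:03 hostname1 clamd[4051]: ScanOnAccess: "
    "/home/user1/Downloads/eicar.com: Eicar-Test-Signature FOUND",
    "Aug  1 12:07:03 hostname1 clamd[4051]: ScanOnAccess: Performing "
    "additional scanning on file /home/user1/Downloads/eicar.com",
]

if __name__ == "__main__":
    alerts, unnamed = triage(SAMPLE)
    print("alert on:", alerts)
    print("unnamed results by directory:", dict(unnamed))
```

Counting the unnamed results per directory keeps them visible for follow-up without raising a malware alarm for each one.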
