[clamav-users] Slow reload

Alessandro Vesely vesely at tana.it
Thu Mar 21 19:14:40 UTC 2019 

On Thu 21/Mar/2019 15:05:59 +0100 Bowie Bailey wrote:
> 
> $ pkg-config --atleast-version=0.101.0 libclamav --print-errors
> Package libclamav was not found in the pkg-config search path.
> Perhaps you should add the directory containing `libclamav.pc'
> to the PKG_CONFIG_PATH environment variable
> No package 'libclamav' found
> 
> Once I found that file (in /usr/local/lib64/pkgconfig) and added the directory to the
> config path, I was able to complete the configure and make without any further errors.


Hm.. that way pkg-config couldn't find itself?


> When I ran "make check", it failed on 11 of 12 tests.  I was able to fix most of the
> tests by adding '/usr/local/lib64' to the LD_LIBRARY_PATH so it could find
> libclamav.so.  I assume I'll need to make a similar change somewhere when I add the
> filter to Courier.


Or you might add it to ld.so.conf?  Otherwise, you may try building with CFLAGS=-Wl,-rpath,/usr/local/lib64 and check ldd.  The issue is the ability to have libraries of different versions simultaneously installed on the same system.  See e.g.:
https://unix.stackexchange.com/questions/356624/why-isnt-usr-local-lib-on-the-library-path-by-default


> Now, it's only failing the per-virus behavior test.  The relevant section of the
> testsuite.log looks like this:
> 
> 9. testsuite.at:540: testing per-virus behavior ...
> ./testsuite.at:551: unset DEBUG_FILTER; $VALGRIND_AND_OPTS $AVFILTEREXEC -f
> avtest.conf  -t two.mail
> ./testsuite.at:561: unset DEBUG_FILTER; $VALGRIND_AND_OPTS $AVFILTEREXEC -f
> avtest.conf  -t two.mail
> ./testsuite.at:571: unset DEBUG_FILTER; $VALGRIND_AND_OPTS $AVFILTEREXEC -f
> avtest.conf  -t two.mail
> ./testsuite.at:582: unset DEBUG_FILTER; $VALGRIND_AND_OPTS $AVFILTEREXEC -f
> avtest.conf  -t two.mail
> ./testsuite.at:593: unset DEBUG_FILTER; $VALGRIND_AND_OPTS $AVFILTEREXEC -f
> avtest.conf  -t two.mail

Well, the above is my laziness of including multiple tests into one.


> ./testsuite.at:606: unset DEBUG_FILTER; $VALGRIND_AND_OPTS $AVFILTEREXEC -f
> avtest.conf  -t eicar.mail
> ./testsuite.at:612: egrep '^ClamAV-Found: Eicar' eicar.mail | $WC -l
> --- -   2019-03-21 09:56:42.104212351 -0400
> +++ /home/bowieb/source/avfilter-3.5/tests/testsuite.dir/at-groups/9/stdout    
> 2019-03-21 09:56:42.100299898 -0400
> @@ -1,2 +1,2 @@
> -1
> +0


That last test tests the following config setting:

    action_default drop
    virus_header ClamAV-Found
    pass Eicar-Test*

That is, drop infected messages, but if the virus is named "Eicar-Test*" just add a header field and pass the message.  The test message, eicar.mail, should actually be infected:

ale at pcale:~/tmp/courier/avfilter/svn/tests/testsuite.dir/09$ clamscan -i -d ../../small eicar.mail
eicar.mail: Eicar-Test-Signature.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Known viruses: 1
Engine version: 0.101.1
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 0.008 sec (0 m 0 s)


Running avfilter on that should add a header field:

ale at pcale:~/tmp/courier/avfilter/svn/tests/testsuite.dir/09$ ../../../src/tavfilter  -f avtest.conf  -t eicar.mail
250 Ok.

More verbosely:

ale at pcale:~/tmp/courier/avfilter/svn/tests/testsuite.dir/09$ sed -i '/^verbose/s/0/4/' avtest.conf
ale at pcale:~/tmp/courier/avfilter/svn/tests/testsuite.dir/09$ ../../../src/tavfilter  -f avtest.conf  -t eicar.mail
ERR: avfilter[12341]: unwritable pid dir directory /var/run/courier: Permission denied
avfilter[12341]: Virus engine version: 0.101.1 (f=102)
avfilter[12341]: Virus data version:   0
avfilter[12341]: Virus data date:      1 Jan 1970
avfilter[12341]: No. of viruses:       1
avfilter: running test on 1 files
avfilter[12341]: waiting for 1 child(ren)
INFO: avfilter: found virus "Eicar-Test-Signature.UNOFFICIAL"; specific action: pass
INFO: avfilter: found virus "Eicar-Test-Signature.UNOFFICIAL"; specific action: pass
INFO: avfilter: found virus Eicar-Test-Signature.UNOFFICIAL; final action pass; not saved
250 Ok.


At that point, the top of the header should be plenty of virus_header's (one for each invocation):

ale at pcale:~/tmp/courier/avfilter/svn/tests/testsuite.dir/09$ head eicar.mail
ClamAV-Found: Eicar-Test-Signature.UNOFFICIAL Eicar-Test-Signature.UNOFFICIAL
Old-ClamAV-Found: Eicar-Test-Signature.UNOFFICIAL Eicar-Test-Signature.UNOFFICIAL
Old-ClamAV-Found: Eicar-Test-Signature.UNOFFICIAL Eicar-Test-Signature.UNOFFICIAL
  Eicar-Test-Signature.UNOFFICIAL
From: author at example.com
To: victim at example.net
Subject: test message
Virus-Header: what does this mean?
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=_1_1553193777_12188"

And hence:

ale at pcale:~/tmp/courier/avfilter/svn/tests/testsuite.dir/09$ egrep '^ClamAV-Found: Eicar' eicar.mail | wc -l
1

Instead, at yours wc wrote "0".  Why?

> 9. testsuite.at:540: 9. per-virus behavior (testsuite.at:540): FAILED (testsuite.at:612)
> 
> Suggestions?
> 

I'd guess something must have gone wrong in the testsuite script.  In the testsuite, wc is $WC, after a definition in tests/atlocal, but egrep was not checked during configure, so maybe it should have been grep -E or similar.  Is that the culprit?

Best
Ale
--

More information about the clamav-users mailing list