[clamav-users] Slow reload

Bowie Bailey Bowie_Bailey at BUC.com
Thu Mar 21 16:21:45 EDT 2019


On 3/21/2019 3:14 PM, Alessandro Vesely via clamav-users wrote:
> On Thu 21/Mar/2019 15:05:59 +0100 Bowie Bailey wrote:
>> $ pkg-config --atleast-version=0.101.0 libclamav --print-errors
>> Package libclamav was not found in the pkg-config search path.
>> Perhaps you should add the directory containing `libclamav.pc'
>> to the PKG_CONFIG_PATH environment variable
>> No package 'libclamav' found
>>
>> Once I found that file (in /usr/local/lib64/pkgconfig) and added the directory to the
>> config path, I was able to complete the configure and make without any further errors.
>
> Hm.. that way pkg-config couldn't find itself?
>
>
>> When I ran "make check", it failed on 11 of 12 tests.  I was able to fix most of the
>> tests by adding '/usr/local/lib64' to the LD_LIBRARY_PATH so it could find
>> libclamav.so.  I assume I'll need to make a similar change somewhere when I add the
>> filter to Courier.
>
> Or you might add it to ld.so.conf?  Otherwise, you may try building with CFLAGS=-Wl,-rpath,/usr/local/lib64 and check ldd.  The issue is the ability to have libraries of different versions simultaneously installed on the same system.  See e.g.:
> https://unix.stackexchange.com/questions/356624/why-isnt-usr-local-lib-on-the-library-path-by-default

Adding it to ld.so.conf worked once I figured out I had to run ldconfig to load the
changes.

>
> At that point, the top of the header should be plenty of virus_header's (one for each invocation):
>
> ale at pcale:~/tmp/courier/avfilter/svn/tests/testsuite.dir/09$ head eicar.mail
> ClamAV-Found: Eicar-Test-Signature.UNOFFICIAL Eicar-Test-Signature.UNOFFICIAL
> Old-ClamAV-Found: Eicar-Test-Signature.UNOFFICIAL Eicar-Test-Signature.UNOFFICIAL
> Old-ClamAV-Found: Eicar-Test-Signature.UNOFFICIAL Eicar-Test-Signature.UNOFFICIAL
>   Eicar-Test-Signature.UNOFFICIAL
> From: author at example.com
> To: victim at example.net
> Subject: test message
> Virus-Header: what does this mean?
> MIME-Version: 1.0
> Content-Type: multipart/mixed; boundary="=_1_1553193777_12188"

And here's the problem.  SecuriteInfo has their own Eicar signatures, so ClamAV found
those first and not the one you were expecting.  My header looks like this:

ClamAV-Found: SecuriteInfo.com.Eicar-Test-Signature.UNOFFICIAL
  SecuriteInfo.com.Eicar-Test-Signature-4.UNOFFICIAL
  SecuriteInfo.com.Eicar-Test-Signature-2.UNOFFICIAL
  Eicar-Test-Signature.UNOFFICIAL
  SecuriteInfo.com.Eicar-Test-Signature.UNOFFICIAL
  SecuriteInfo.com.Eicar-Test-Signature-4.UNOFFICIAL
  SecuriteInfo.com.Eicar-Test-Signature-2.UNOFFICIAL
  Eicar-Test-Signature.UNOFFICIAL

Not sure why everything is duplicated...

> And hence:
>
> ale at pcale:~/tmp/courier/avfilter/svn/tests/testsuite.dir/09$ egrep '^ClamAV-Found: Eicar' eicar.mail | wc -l
> 1
>
> Instead, at yours wc wrote "0".  Why?
>
>> 9. testsuite.at:540: 9. per-virus behavior (testsuite.at:540): FAILED (testsuite.at:612)
>>
>> Suggestions?
>>
> I'd guess something must have gone wrong in the testsuite script.  In the testsuite, wc is $WC, after a definition in tests/atlocal, but egrep was not checked during configure, so maybe it should have been grep -E or similar.  Is that the culprit?

No, egrep works fine once the regex is adjusted to match the header.

I guess I should have specified that I'm running this on CentOS 7, not that it
matters at this point.

Looks like everything is working now.  I'll try integrating it with Courier
tomorrow.  If I just want to reject any email that is flagged by ClamAV, I shouldn't
need to adjust the default config, right?

-- 
Bowie
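
Added example, not part of the original message or of the avfilter test suite: a header check that unfolds the ClamAV-Found header and matches the Eicar signature names with or without a third-party prefix, which the anchored '^ClamAV-Found: Eicar' pattern discussed above cannot do. The function names are hypothetical, and the sample mail is constructed from the header quoted in the message.

```shell
#!/bin/sh
# Constructed sample: the folded header quoted in the message, then
# ordinary headers, a blank line and a body line.
sample_mail() {
cat <<'EOF'
ClamAV-Found: SecuriteInfo.com.Eicar-Test-Signature.UNOFFICIAL
  SecuriteInfo.com.Eicar-Test-Signature-4.UNOFFICIAL
  SecuriteInfo.com.Eicar-Test-Signature-2.UNOFFICIAL
  Eicar-Test-Signature.UNOFFICIAL
  SecuriteInfo.com.Eicar-Test-Signature.UNOFFICIAL
  SecuriteInfo.com.Eicar-Test-Signature-4.UNOFFICIAL
  SecuriteInfo.com.Eicar-Test-Signature-2.UNOFFICIAL
  Eicar-Test-Signature.UNOFFICIAL
From: author@example.com
Subject: test message

body text
EOF
}

# Print every signature name listed in header $1, one per line.
# Continuation lines (leading space or tab) are unfolded, and parsing
# stops at the first blank line so the body is never read as a header.
found_signatures() {  # $1 = header name; mail on stdin
    awk -v hdr="$1" '
        function emit(s,   n, i, a) {
            n = split(s, a, /[ \t]+/)
            for (i = 1; i <= n; i++) if (a[i] != "") print a[i]
        }
        /^$/     { exit }                           # end of header block
        /^[ \t]/ { if (inhdr) emit($0); next }      # folded continuation
                 { inhdr = 0 }                      # any other header line
        index(tolower($0), tolower(hdr) ":") == 1 {
            inhdr = 1
            emit(substr($0, length(hdr) + 2))       # text after "Name:"
        }
    '
}

# Unique Eicar detections, accepting an optional vendor prefix such as
# "SecuriteInfo.com." and an optional numeric suffix such as "-4".
eicar_names() {  # mail on stdin
    found_signatures ClamAV-Found |
        grep -E '(^|\.)Eicar-Test-Signature(-[0-9]+)?\.UNOFFICIAL$' |
        sort -u
}

sample_mail | eicar_names
```

On the sample this lists four distinct names out of eight reported entries, while `grep -E -c '^ClamAV-Found: Eicar'` on the same input counts zero.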