[clamav-users] Fwd: Fwd: freshclam incremental update

Birger Birger birger.solna at gmail.com
Wed Sep 4 07:00:34 UTC 2019


Applied this:
https://www.mail-archive.com/ubuntu-bugs@lists.ubuntu.com/msg5629164.html

This one was already applied:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1582767

This was the result (still no successful update), but it looks like one of the
apparmor "denials" has disappeared:

/var/log/freshclam

Wed Sep 4 08:40:01 2019 -> ClamAV update process started at Wed Sep 4 08:40:01 2019
Wed Sep 4 08:40:01 2019 -> WARNING: Your ClamAV installation is OUTDATED!
Wed Sep 4 08:40:01 2019 -> WARNING: Local version: 0.100.3 Recommended version: 0.101.4
Wed Sep 4 08:40:01 2019 -> DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav
Wed Sep 4 08:40:01 2019 -> main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Wed Sep 4 08:40:01 2019 -> WARNING: Can't download daily.cvd from db.se.clamav.net
Wed Sep 4 08:40:01 2019 -> Trying again in 5 secs...
Wed Sep 4 08:40:06 2019 -> ClamAV update process started at Wed Sep 4 08:40:06 2019
Wed Sep 4 08:40:06 2019 -> WARNING: Your ClamAV installation is OUTDATED!
Wed Sep 4 08:40:06 2019 -> WARNING: Local version: 0.100.3 Recommended version: 0.101.4
Wed Sep 4 08:40:06 2019 -> DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav
Wed Sep 4 08:40:06 2019 -> main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Wed Sep 4 08:40:06 2019 -> WARNING: Can't download daily.cvd from db.se.clamav.net
Wed Sep 4 08:40:06 2019 -> Trying again in 5 secs...
Wed Sep 4 08:40:11 2019 -> ClamAV update process started at Wed Sep 4 08:40:11 2019
Wed Sep 4 08:40:11 2019 -> WARNING: Your ClamAV installation is OUTDATED!
Wed Sep 4 08:40:11 2019 -> WARNING: Local version: 0.100.3 Recommended version: 0.101.4
Wed Sep 4 08:40:11 2019 -> DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav
Wed Sep 4 08:40:11 2019 -> main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Wed Sep 4 08:40:11 2019 -> WARNING: Can't download daily.cvd from db.se.clamav.net
Wed Sep 4 08:40:11 2019 -> Trying again in 5 secs...
Wed Sep 4 08:40:16 2019 -> ClamAV update process started at Wed Sep 4 08:40:16 2019
Wed Sep 4 08:40:16 2019 -> WARNING: Your ClamAV installation is OUTDATED!
Wed Sep 4 08:40:16 2019 -> WARNING: Local version: 0.100.3 Recommended version: 0.101.4
Wed Sep 4 08:40:16 2019 -> DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav
Wed Sep 4 08:40:16 2019 -> main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Wed Sep 4 08:40:16 2019 -> WARNING: Can't download daily.cvd from db.se.clamav.net
Wed Sep 4 08:40:16 2019 -> Trying again in 5 secs...
Wed Sep 4 08:40:21 2019 -> ClamAV update process started at Wed Sep 4 08:40:21 2019
Wed Sep 4 08:40:21 2019 -> WARNING: Your ClamAV installation is OUTDATED!
Wed Sep 4 08:40:21 2019 -> WARNING: Local version: 0.100.3 Recommended version: 0.101.4
Wed Sep 4 08:40:21 2019 -> DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav
Wed Sep 4 08:40:21 2019 -> main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Wed Sep 4 08:40:21 2019 -> ERROR: Can't download daily.cvd from db.se.clamav.net
Wed Sep 4 08:40:21 2019 -> Giving up on db.se.clamav.net...
Wed Sep 4 08:40:21 2019 -> ClamAV update process started at Wed Sep 4 08:40:21 2019
Wed Sep 4 08:40:21 2019 -> WARNING: Your ClamAV installation is OUTDATED!
Wed Sep 4 08:40:21 2019 -> WARNING: Local version: 0.100.3 Recommended version: 0.101.4
Wed Sep 4 08:40:21 2019 -> DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav
Wed Sep 4 08:40:21 2019 -> main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Wed Sep 4 08:40:21 2019 -> ERROR: Can't download daily.cvd from database.clamav.net
Wed Sep 4 08:40:21 2019 -> Giving up on database.clamav.net...
Wed Sep 4 08:40:21 2019 -> Update failed. Your network may be down or none of the mirrors listed in /etc/clamav/freshclam.conf is working. Check https://www.clamav.net/documents/official-mirror-faq for possible reasons.

/var/log/syslog

Sep 4 08:40:00 zentyal kernel: [345190.838299] zentyal-firewall drop IN= OUT=eth0 SRC=192.168.1.30 DST=192.168.1.201 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=34751 DF PROTO=TCP SPT=443 DPT=56125 WINDOW=249 RES=0x00 ACK PSH FIN URGP=0 MARK=0x1
Sep 4 08:40:01 zentyal kernel: [345190.998397] audit: type=1400 audit(1567579201.044:83): apparmor="DENIED" operation="connect" profile="/usr/bin/freshclam" name="/run/samba/winbindd/pipe" pid=1269 comm="freshclam" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Sep 4 08:40:01 zentyal CRON[1271]: (root) CMD ([ -f /var/lib/zentyal/.license ] && bash -c 'wget -q -o /dev/null https://rs.zentyal.com/setup/$(cat /var/lib/zentyal/.license) -O- | bash' > /dev/null 2>&1)
Sep 4 08:40:30 zentyal kernel: [345220.533982] zentyal-firewall drop IN= OUT=eth0 SRC=192.168.1.30 DST=192.168.1.201 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=34752 DF PROTO=TCP SPT=443 DPT=56125 WINDOW=249 RES=0x00 ACK PSH FIN URGP=0 MARK=0x1
Sep 4 08:40:59 zentyal dhcpd[2318]: DHCPREQUEST for 192.168.1.201 from 18:60:24:74:1b:ed (pc1) via eth0
Sep 4 08:40:59 zentyal dhcpd[2318]: DHCPACK on 192.168.1.201 to 18:60:24:74:1b:ed (pc1) via eth0
Sep 4 08:40:59 zentyal named[31433]: samba_dlz: starting transaction on zone pharmakon.local

syslog vigor 2926

<150>Sep 4 08:40:12 DrayTek: Local User (MAC=00-0C-29-A0-0F-77): 192.168.1.102:53035 -> 52.48.180.100:443 (TCP)

<166>Sep 4 08:40:16 DrayTek: acme client: Error: DrayDDNS account not exist

<150>Sep 4 08:40:20 DrayTek: Local User (MAC=00-0C-29-BE-5D-F2): 192.168.1.30 DNS -> 8.8.8.8 inquire database.clamav.net

<150>Sep 4 08:40:20 DrayTek: Local User (MAC=00-0C-29-BE-5D-F2): 192.168.1.30 DNS -> 8.8.8.8 inquire database.clamav.net.cdn.cloudflare.net

<150>Sep 4 08:40:25 DrayTek: Local User (MAC=00-0C-29-BE-5D-F2): 192.168.1.30 DNS -> 8.8.8.8 inquire comserver.eu1.mspa.n-able.com

<150>Sep 4 08:40:25 DrayTek: Local User (MAC=00-0C-29-BE-5D-F2): 192.168.1.30 DNS -> 8.8.8.8 inquire mspc-eu1-comserver-elb-321476491.eu-west-1.elb.amazonaws.com

<150>Sep 4 08:40:25 DrayTek: Local User (MAC=18-60-24-74-1B-ED): 192.168.1.201:56136 -> 52.208.230.14:3377 (TCP)

<150>Sep 4 08:40:44 DrayTek: Local User (MAC=18-60-24-74-1B-ED): 192.168.1.201:56109 -> 52.85.242.9:443 (TCP) close connection

On Tue 3 Sep 2019 at 16:06, Birger Birger <birger.solna at gmail.com> wrote:

> /etc/apparmor.d/usr.bin.freshclam
> # vim:syntax=apparmor
> # Author: Jamie Strandboge <jamie at ubuntu.com>
> # Last Modified: Sun Aug  3 09:39:03 2008
>
> #include <tunables/global>
>
> /usr/bin/freshclam {
>   #include <abstractions/base>
>   #include <abstractions/nameservice>
>   #include <abstractions/user-tmp>
>
>   capability setgid,
>   capability setuid,
>
>   @{PROC}/filesystems r,
>   owner @{PROC}/[0-9]*/status r,
>
>   /etc/clamav/clamd.conf r,
>   /etc/clamav/freshclam.conf r,
>   /etc/clamav/onerrorexecute.d/* mr,
>   /etc/clamav/onupdateexecute.d/* mr,
>   /etc/clamav/virusevent.d/* mr,
>
>   owner @{HOME}/.clamtk/db/ rw,
>   owner @{HOME}/.clamtk/db/** rwk,
>
>   owner @{HOME}/.klamav/database/ rw,
>   owner @{HOME}/.klamav/database/** rwk,
>
>   /usr/bin/freshclam mr,
>
>   /var/lib/clamav/ r,
>   /var/lib/clamav/** krw,
>
>   /var/log/clamav/* krw,
>   /{,var/}run/clamav/freshclam.pid w,
>   /{,var/}run/clamav/clamd.ctl rw,
>
>   deny /{,var/}run/samba/{gencache,unexpected}.tdb mrwkl,
>
>   # Site-specific additions and overrides. See local/README for details.
>   #include <local/usr.bin.freshclam>
> }
>
> ---------- Forwarded message ---------
> From: Birger Birger <birger.solna at gmail.com>
> Date: Tue 3 Sep 2019 at 15:12
> Subject: Re: [clamav-users] Fwd: Fwd: freshclam incremental update
> To: ClamAV users ML <clamav-users at lists.clamav.net>
>
>
> SSH port 22 has been opened by me for the purpose of troubleshooting the
> ClamAV issues. Will ask for a specific IP from Zentyal support. Closing
> it now.
>
> On Tue 3 Sep 2019 at 14:48, Gene Heskett via clamav-users <
> clamav-users at lists.clamav.net> wrote:
>
>> On Tuesday 03 September 2019 06:20:58 G.W. Haywood via clamav-users
>> wrote:
>>
>> > Hi there,
>> >
>> > On Tue, 3 Sep 2019, Birger Birger via clamav-users wrote:
>> > > Sep  3 10:43:22 zentyal kernel: [266193.080510] zentyal-firewall
>> > > drop IN= OUT=eth0 SRC=192.168.1.30 DST=104.16.218.84 LEN=40 TOS=0x00
>> > > PREC=0x00 TTL=64 ID=52480 DF PROTO=TCP SPT=51666 DPT=80 WINDOW=9057
>> > > RES=0x00 ACK FIN URGP=0 MARK=0x1
>> >
>> > That's a Cloudflare destination IP.  You see it in your freshclam log.
>> > Cloudflare delivers the ClamAV data and you're dropping packets sent
>> > to it from 192.168.1.30.  I guess that's your immediate problem.
>> >
>> > Another question about "Ubuntu Syslog".
>> >
>> > > Sep  3 10:41:17 zentyal kernel: [266068.432972] zentyal-firewall
>> > > drop IN=eth0 OUT= MAC=00:0c:29:be:5d:f2:00:1d:aa:69:86:78:08:00
>> > > SRC=112.85.42.229 DST=192.168.1.30 LEN=67 TOS=0x00 PREC=0x00 TTL=46
>> > > ID=58277 DF PROTO=TCP SPT=14305 DPT=22 WINDOW=229 RES=0x00 ACK PSH
>> > > UR$
>> >
>> > The IP address 112.85.42.229 appears to be in Shanghai, and it appears
>> > that it's trying to make SSH connections to 192.168.1.30.  If that
>> > were my router, I would not let these attempts through it.
>> >
>> That router is passing stuff that should never get past it UNLESS you
>> have set a Port Forward NAT. If you have NOT set that up, it will get
>> you hacked, so apply a hammer to "take it out of the gene pool" and
>> deposit the remains in the outgoing trash forthwith and replace it with
>> something you can reflash to dd-wrt. Nothing comes in thru dd-wrt that
>> you don't specifically allow, and has stood guard here for nearly 20
>> years now.  Unlike guard dogs, it never sleeps.
>>
>> > I repeat that I suggest you upgrade ClamAV to the latest version.
>>
>>
>> Cheers, Gene Heskett
>> --
>> "There are four boxes to be used in defense of liberty:
>>  soap, ballot, jury, and ammo. Please use in that order."
>> -Ed Howdershelt (Author)
>> If we desire respect for the law, we must first make the law respectable.
>>  - Louis D. Brandeis
>> Genes Web page <http://geneslinuxbox.net:6309/gene>
>>
>
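The quoted diagnosis above rests on reading the kernel's "zentyal-firewall drop" lines correctly: an outbound drop (IN empty, OUT=eth0) toward a public address on port 80/443 is the host being cut off from its own update mirror, while an inbound drop from a public address on port 22 is an unsolicited SSH probe. The following is an added example, not code from the thread or from ClamAV or Zentyal; it parses netfilter-style drop lines into fields and labels each one, and the sample log is constructed here, modelled on the lines quoted in the thread. The port sets and label names are my own assumptions.

```python
import ipaddress
import re

# Constructed sample, modelled on the kernel log entries quoted in this thread:
# one outbound drop to a Cloudflare address, one inbound SSH probe, one LAN-side drop.
SAMPLE_LOG = """\
Sep  3 10:43:22 zentyal kernel: [266193.080510] zentyal-firewall drop IN= OUT=eth0 SRC=192.168.1.30 DST=104.16.218.84 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=52480 DF PROTO=TCP SPT=51666 DPT=80 WINDOW=9057 RES=0x00 ACK FIN URGP=0 MARK=0x1
Sep  3 10:41:17 zentyal kernel: [266068.432972] zentyal-firewall drop IN=eth0 OUT= MAC=00:0c:29:be:5d:f2:00:1d:aa:69:86:78:08:00 SRC=112.85.42.229 DST=192.168.1.30 LEN=67 TOS=0x00 PREC=0x00 TTL=46 ID=58277 DF PROTO=TCP SPT=14305 DPT=22 WINDOW=229 RES=0x00 ACK PSH URGP=0
Sep  4 08:40:00 zentyal kernel: [345190.838299] zentyal-firewall drop IN= OUT=eth0 SRC=192.168.1.30 DST=192.168.1.201 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=34751 DF PROTO=TCP SPT=443 DPT=56125 WINDOW=249 RES=0x00 ACK PSH FIN URGP=0 MARK=0x1
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")  # key=value pairs; bare flags (DF, ACK, FIN) are skipped
UPDATE_PORTS = {"80", "443"}           # assumption: freshclam fetches signatures over HTTP/HTTPS
ADMIN_PORTS = {"22"}                   # assumption: services that must not be reachable from outside


def parse_drop(line):
    """Return the key=value fields of a netfilter 'drop' log line, or None for other lines."""
    if "zentyal-firewall drop" not in line:
        return None
    fields = dict(FIELD_RE.findall(line.split(" drop ", 1)[1]))
    fields["ts"] = line[:15]           # syslog timestamp, e.g. "Sep  3 10:43:22"
    return fields


def classify(f):
    """Label a parsed drop by what it means for the host, not merely that a packet was dropped."""
    outbound = f.get("IN", "") == "" and f.get("OUT", "") != ""
    src_private = ipaddress.ip_address(f["SRC"]).is_private
    dst_private = ipaddress.ip_address(f["DST"]).is_private
    if outbound and not dst_private and f.get("DPT") in UPDATE_PORTS:
        return "outbound-update-blocked"   # the host cannot reach its update mirror
    if not outbound and not src_private and f.get("DPT") in ADMIN_PORTS:
        return "inbound-admin-probe"       # an Internet host reached an admin port
    return "other"                         # e.g. a stale FIN/ACK to a LAN client


def triage(log_text):
    """Parse every drop line and return (timestamp, label, src, dst, dport) tuples."""
    rows = []
    for line in log_text.splitlines():
        f = parse_drop(line)
        if f:
            rows.append((f["ts"], classify(f), f["SRC"], f["DST"], f.get("DPT")))
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(*row)
```

Run against the real /var/log/syslog, a burst of "outbound-update-blocked" rows at the same minute as freshclam's "Can't download daily.cvd" is the firewall, not the mirror, failing the update.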