[clamav-users] LibClamAV Error
Aitor Serra Martín
info at honesting.es
Mon Dec 14 15:19:43 UTC 2020
Hello,
- It's updated daily. I did it manually now:
ClamAV update process started at Mon Dec 14 16:14:53 2020
daily database available for update (local version: 26016, remote
version: 26017)
Current database is 1 version behind.
- The "long reports" are mails I'm getting when the cronjobs run. It's
the "output to the screen when you run the clamscan"
- The clamd daemon is running. I think it's because it runs with exim or
anything similar. It's the default installation on Directadmin servers.
I didn't change the socket.
- I didn't check individual files, I just check the /home directories
where viruses could be. If there are possible viruses, I prefer to delete
them.
On 14/12/2020 at 11:36, G.W. Haywood via clamav-users wrote:
> Hi there,
>
> On Mon, 14 Dec 2020, Aitor Serra Martín wrote:
>
>> On 13/12/2020 at 12:41, G.W. Haywood via clamav-users wrote:
>
>>> (a) your version of ClamAV:
>
>> Version 0.103.0.
>
> OK.
>
>>> (b) how and when it was installed:
>> It was installed using custombuild scripts from the DirectAdmin control
>> panel.
>
> I do not know what that is, but I guess you did not compile ClamAV
> yourself?
>
>>> (c) exactly which databases you are using:
>
>> ClamAV 0.103.0/26016/Sun Dec 13 15:31:03 2020
>
> OK.
>
>>> (d) how you are keeping the databases up to date:
>
>> I think it's done daily by freshclam
>
> Check the logs to make sure. You should be doing that routinely.
>
>>> (e) how long you have been using ClamAV:
>
>> 2 years in some servers
>
> OK.
>
>>> (f) whether or not it otherwise behaves as you would expect:
>
>> It still cleans files but gives long reports with the error commented
>> several times.
>
> Where are these "long reports"? Are they in the log files, or are
> they output to your screen when you run the 'clamscan' command?
>
>>> (g) your ClamAV configuration - the output of 'clamconf -n':
>
>> ...
>> Config file: clamd.conf
>> -----------------------
>> PidFile = "/var/run/clamd/clamd.pid"
>> TCPSocket = "3310"
>> TCPAddr = "127.0.0.1"
>
> Is the clamd daemon running?
> Are you using it for anything?
> Why are you using a TCP socket instead of the default filesystem socket?
>
>> Config file: freshclam.conf
>> ---------------------------
>> LogSyslog = "yes"
>> PidFile = "/var/run/clamd/freshclam.pid"
>> DatabaseMirror = "database.clamav.net"
>
> I see nothing in your freshclam.conf which will update the rfxn databases.
>
>> Database information
>> --------------------
>> Database directory: /usr/local/share/clamav
>> daily.cld: version 26016, sigs: 4401988, built on Sun Dec 13 15:31:03
>> 2020
>> bytecode.cvd: version 331, sigs: 94, built on Thu Sep 19 18:12:33 2019
>> main.cvd: version 59, sigs: 4564902, built on Mon Nov 25 14:56:15 2019
>
> OK
>
>> [3rd Party] rfxn.hdb: 12926 sigs
>> [3rd Party] rfxn.yara: 11527 sigs
>> [3rd Party] rfxn.ndb: 2039 sigs
>
> Are these databases being updated? If so, how? Check the timestamps
> on the files in the database directory and the freshclam logs.
>
>> (h) exactly what you are scanning - sample(s) which give the error:
>>
>> /usr/local/bin/clamscan -ri --remove /home2-81/*
>
> This is the answer to my question (i) below. I meant please provide
> samples of files which give the error message when scanned. Please do
> not try to attach samples to a message sent to the mailing list; place
> files somewhere on the Web, and provide links to them in your message.
>
>>> (i) exactly how you are scanning it - let us see the command line(s)
>>> and/or script.
>
>> The same command.
>
> What user runs this command?
>
> The --remove option is dangerous. If there are false positives, it
> may remove files which should not have been removed. Are you happy
> with that?
>
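
The quoted reply asks whether the rfxn databases are being updated and suggests checking the timestamps of the files in the database directory. The script below is an added example of that check, not code from the thread or from the ClamAV project; the function name `stale_sigs`, the `--check` switch and the 7-day threshold are assumptions for illustration, and the default path is the database directory reported by clamconf in the thread.

```shell
#!/bin/sh
# Added example: list signature databases that have not been refreshed recently.
# Usage: stale_sigs DBDIR MAX_AGE_DAYS [NAME_PATTERN...]
# The default patterns cover the frequently updated files named in this thread.
# main.cvd and bytecode.cvd are released rarely (both were built in 2019 in the
# clamconf output above), so an old timestamp on them is expected.
stale_sigs() {
    dbdir=$1
    max_days=$2
    shift 2
    [ "$#" -gt 0 ] || set -- 'daily.*' 'rfxn.*'

    [ -d "$dbdir" ] || { echo "no such directory: $dbdir" >&2; return 2; }

    for pat in "$@"; do
        # -mtime +N matches files last modified more than N full days ago.
        find "$dbdir" -maxdepth 1 -type f -name "$pat" -mtime +"$max_days" \
            -exec basename {} \;
    done | sort
}

# Stand-alone run: sh thisfile --check [DBDIR] [MAX_AGE_DAYS]
# The 7-day default is an assumption; adjust it to your update schedule.
if [ "${1:-}" = "--check" ]; then
    stale=$(stale_sigs "${2:-/usr/local/share/clamav}" "${3:-7}")
    if [ -n "$stale" ]; then
        echo "Signature files not updated recently:"
        echo "$stale"
        exit 1
    fi
    echo "All checked signature files are recent."
fi
```

A non-empty result for the rfxn.* files means nothing is refreshing them, which matches the observation that freshclam.conf contains no entry for those databases.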