[clamav-users] running freshclam and 3rd party/clamav-unofficial-sigs.sh owner name changes occasionally
Robert Kudyba
rkudyba at fordham.edu
Sat Oct 10 04:18:10 UTC 2020
>
> > Oct 09 04:15:56 Checking for urlhaus updates...
> > Oct 09 04:15:56 Checking for updated urlhaus database file: urlhaus.ndb
> > Oct 09 04:15:56 Testing updated urlhaus database file: urlhaus.ndb
> > Oct 09 04:15:56 Clamscan reports urlhaus urlhaus.ndb database integrity
> tested good
> > Oct 09 04:15:56 Successfully updated urlhaus production database file:
> urlhaus.ndb
> > Oct 09 04:15:56 Update(s) detected, reloading ClamAV databases
> > Oct 09 04:15:56 ClamAV databases reloading
> > Oct 09 04:15:56 Issue tracker : https://github.com/extremeshok/clamav-unofficial-sigs/issues
> > Oct 09 04:15:56 Powered By https://eXtremeSHOK.com
> > Oct 09 05:14:02 ERROR: clam database directory (clam_dbs) not writable /var/lib/clamav
>
> Looks clear that the urlhaus db was updated OK. Does the unofficial
> update script normally take an hour to run on your system?! The one
> we use usually takes just a few minutes.
>
My bad, I was trying to economize my post. Here's the entire update-related entry:
Oct 09 04:14:01 Preparing Databases
Oct 09 04:14:01 Fri 09 Oct 2020 04:14:01 AM EDT - Pausing database file updates for 114 seconds...
Oct 09 04:15:55 Fri 09 Oct 2020 04:15:55 AM EDT - Pause complete, checking for new database files...
Oct 09 04:15:55 Sanesecurity Database File Updates
Oct 09 04:15:55 2 hours have not yet elapsed since the last Sanesecurity update check
Oct 09 04:15:55 No update check was performed at this time
Oct 09 04:15:55 Next check will be performed in approximately 1 hour(s), 6 minute(s)
Oct 09 04:15:55 SecuriteInfo Database File Updates
Oct 09 04:15:55 4 hours have not yet elapsed since the last SecuriteInfo update check
Oct 09 04:15:55 No update check was performed at this time
Oct 09 04:15:55 Next check will be performed in approximately 3 hour(s), 6 minute(s)
Oct 09 04:15:55 LinuxMalwareDetect Database File Updates
Oct 09 04:15:55 Checking for LinuxMalwareDetect updates...
Oct 09 04:15:56 No LinuxMalwareDetect database file updates found
Oct 09 04:15:56 MalwarePatrol Database File Updates
Oct 09 04:15:56 24 hours have not yet elapsed since the last malwarepatrol update check
Oct 09 04:15:56 No update check was performed at this time
Oct 09 04:15:56 Next check will be performed in approximately 7 hour(s), 0 minute(s)
Oct 09 04:15:56 Yara-Rules Database File Updates
Oct 09 04:15:56 Checking for urlhaus updates...
Oct 09 04:15:56 Checking for updated urlhaus database file: urlhaus.ndb
Oct 09 04:15:56 Testing updated urlhaus database file: urlhaus.ndb
Oct 09 04:15:56 Clamscan reports urlhaus urlhaus.ndb database integrity tested good
Oct 09 04:15:56 Successfully updated urlhaus production database file: urlhaus.ndb
Oct 09 04:15:56 Update(s) detected, reloading ClamAV databases
Oct 09 04:15:56 ClamAV databases reloading
> > ... perhaps I should contact the ExtremeSHOK contributors ...
>
> I'd have said so, yes.
>
Well, they may have an idea, but I'm starting to think it's not related to
their script. After all, the username clamupdate does not come from their
script.
>
> > perhaps there's some debug option that I'm not aware of?
>
> It's just a shell script, you could edit it to put debugging things in
> there if you're comfortable with hacking shell scripts. Does it give
> usage help if run with no arguments? Does it have the '-i' option?
>
Indeed, I see some options here:
https://github.com/extremeshok/clamav-unofficial-sigs
So next time it happens I can try some of these:
-v, --verbose Be verbose, enabled when not run under cron
-i, --information Output system and configuration information for viewing or possible debugging purposes
-t, --test-database Clamscan integrity test a specific database file eg: '-t filename.ext' (do not include file path)
--check-clamav If ClamD status check is enabled and the socket path is correctly specifiedthen (sic) test to see if clamd is running or not
Here's what the -i option returns:
su - clamav -s /bin/bash -c '/usr/local/sbin/clamav-unofficial-sigs.sh -i'
################################################################################
eXtremeSHOK.com ClamAV Unofficial Signature Updater
Version: v7.0.1 (2020-01-25)
Required Configuration Version: v91
Copyright (c) Adrian Jon Kriel :: admin at extremeshok.com
################################################################################
Loading config: /etc/clamav-unofficial-sigs/master.conf
Loading config: /etc/clamav-unofficial-sigs/os.conf
Loading config: /etc/clamav-unofficial-sigs/user.conf
*** SCRIPT INFORMATION ***
clamav-unofficial-sigs.sh 7.0.1 (2020-01-25)
Master.conf Version: 91
Minimum required config: 91
*** SYSTEM INFORMATION ***
Linux ourserver 5.7.15-200.fc32.x86_64 #1 SMP Tue Aug 11 16:36:14 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
*** CLAMSCAN LOCATION & VERSION ***
/usr/bin/clamscan
ClamAV 0.103.0/25952/Fri Oct 9 09:52:40 2020
*** RSYNC LOCATION & VERSION ***
/usr/bin/rsync
rsync version 3.2.3 protocol version 31
*** CURL LOCATION & VERSION ***
/usr/bin/curl
curl 7.69.1 (x86_64-redhat-linux-gnu) libcurl/7.69.1 OpenSSL/1.1.1g-fips zlib/1.2.11 brotli/1.0.7 libidn2/2.3.0 libpsl/0.21.0 (+libidn2/2.3.0) libssh/0.9.5/openssl/zlib nghttp2/1.41.0
*** GPG LOCATION & VERSION ***
/usr/bin/gpg
gpg (GnuPG) 2.2.20
*** DIRECTORY INFORMATION ***
Working Directory: /var/lib/clamav-unofficial-sigs
Clam Database Directory: /var/lib/clamav
Configuration Directory: /etc/clamav-unofficial-sigs
> > ... I do see:
> > systemctl status clam
> > clamav-clamonacc.service clamav-unofficial-sigs.service
> > clamd.service
> > clamav-freshclam.service clamav-unofficial-sigs.timer
> > clam-freshclam.service
> > clamav-milter.service clamd at scan.service
> > clamonacc.service
>
> I don't use any of that stuff, I like to know what's going on. It
> might be worth disabling all the service frippery and starting the
> daemons from the command line to see if it behaves any differently.
>
Well, systemd is so ingrained in most Linux distributions, and the
convenience of starting on reboot is helpful, as all I need is for our
long-time professor, who still has his non-Gmail email address on
various lists, to have a problem getting to his mailbox and contact me
on Xmas eve (like he did last year) because emails are held back as ClamAV isn't
running properly.
Frippery! Ha, another one you made me look up.
>
> > I see Fangfrisch <https://rseichter.github.io/fangfrisch/> is being
> > maintained as an alternative. Haven't tried it yet.
>
> It might not be time to throw out the baby just yet, before swapping
> one lot of unknowns for another lot of unknowns I'd definitely try a
> bit of investigative work. After all other people use this stuff. If
> extra logging, disabling services etc don't lead you anywhere it might
> be worth purging and reinstalling all the implicated packages.
Might be a good idea to purge if I can't figure this out.
Thanks for all you do in this list!
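Added example, not part of this thread and not code from the clamav-unofficial-sigs project: a small POSIX shell audit that records the owner, group and mode of every entry in the ClamAV database directory and reports when they change between runs, so that the moment the owner flips (for example between clamav and clamupdate) can be lined up against the freshclam and clamav-unofficial-sigs timer runs in the journal. The directory /var/lib/clamav, the user name clamav, the state-file location and the function names are assumptions for this example; GNU coreutils stat (Linux) is assumed.

```shell
#!/bin/sh
# Added example (not from the list thread or from clamav-unofficial-sigs).
# Audits the ClamAV database directory for the ownership problem discussed
# above: reports entries not owned by the expected updater user, and records
# a snapshot so that the next run can show exactly what changed and when.
#
# Assumptions: GNU coreutils stat. CLAM_DB_DIR, CLAM_USER and STATE_FILE are
# example values; adjust them for your system.

CLAM_DB_DIR=${CLAM_DB_DIR:-/var/lib/clamav}
CLAM_USER=${CLAM_USER:-clamav}
STATE_FILE=${STATE_FILE:-/var/tmp/clamav-db-owners.prev}

# snapshot_db_owners DIR
# Prints "owner group mode path" for DIR and its direct children, sorted by
# path, so two snapshots can be compared line by line.
snapshot_db_owners() {
    dir=$1
    for f in "$dir" "$dir"/*; do
        [ -e "$f" ] || continue          # skip the literal "*" of an empty glob
        stat -c '%U %G %a %n' "$f"
    done | sort -k 4
}

# check_db_owner DIR USER
# Prints every entry whose owner is not USER. Returns 0 when all entries are
# owned by USER, 1 otherwise. A directory owned by someone else is what makes
# the updater log "clam database directory (clam_dbs) not writable".
check_db_owner() {
    dir=$1
    user=$2
    mismatches=$(snapshot_db_owners "$dir" | awk -v u="$user" '$1 != u')
    if [ -n "$mismatches" ]; then
        printf 'MISMATCH in %s (expected owner %s):\n%s\n' "$dir" "$user" "$mismatches"
        return 1
    fi
    return 0
}

# report_db_owner_changes DIR STATEFILE
# Compares the current snapshot with the one saved by the previous run, prints
# a timestamped diff when they differ, and saves the new snapshot.
# Returns 0 if nothing changed, 1 if a change was detected or there was no
# previous snapshot to compare against.
report_db_owner_changes() {
    dir=$1
    state=$2
    current=$(snapshot_db_owners "$dir")
    if [ -f "$state" ] && [ "$current" = "$(cat "$state")" ]; then
        return 0
    fi
    printf '%s owner/group/mode change in %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$dir"
    if [ -f "$state" ]; then
        # diff exits 1 when lines differ; that is the expected case here.
        printf '%s\n' "$current" | diff "$state" - || true
    fi
    printf '%s\n' "$current" > "$state"
    return 1
}

# Run the audit only when invoked with "run", e.g. from a cron entry such as
#   */5 * * * * /usr/local/bin/clam-db-owner-audit.sh run >> /var/log/clam-db-owner.log
# The timestamps in that log can then be compared with
#   journalctl -u clamav-freshclam -u clamav-unofficial-sigs --since "1 hour ago"
if [ "${1:-}" = "run" ]; then
    check_db_owner "$CLAM_DB_DIR" "$CLAM_USER"
    report_db_owner_changes "$CLAM_DB_DIR" "$STATE_FILE"
fi
```

Because the snapshot is taken every few minutes rather than only when the updater fails, the first diff after the owner changes narrows the window to one cron interval, which is usually enough to tell whether freshclam, the unofficial-sigs timer, or something else entirely (a package upgrade, a manual chown) was running at the time.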