[clamav-users] false positive on MBL_85256034.UNOFFICIAL with Google Drive links
G.W. Haywood
clamav at jubileegroup.co.uk
Thu Apr 29 15:22:13 UTC 2021
Hi there,
On Thu, 29 Apr 2021, Robert Kudyba wrote:
> ... no error(s) when I just ran it manually.
There are lots of things in the script which look likely to cause
issues, so I'd have expected something:
1. Is your Perl interpreter in /usr/local/bin/? It's often in /usr/bin/.
2. The environment is likely to be different when the script runs via
freshclam from when it runs at the command line, and it's usually bad
form in scripts to rely on the environment anyway, so in any script of
this kind I'd use full paths to executables. For example on my system
these would be
/bin/chown
/usr/bin/logger
and
/usr/local/bin/clamdscan
but what are they on yours? I'd also use full paths everywhere else
instead of relative paths. Things can go wrogn ervy kuiqly.
3. What is uid 110 on your system? On my clamd server it's 'sshd'.
This means that if I were to run it as root as it is, the script would
change ownership of the modified files to the wrong user (which would
break future updates unless root did them) and would fail for other users.
4. People store the ClamAV databases in different places. The script
makes assumptions about them, have you changed them in the script to
suit your system, or do you have the needed directories?
/var/db/clamav-unofficial-sigs/post-control/
/var/db/clamav/
5. The script does no error checking at all. It's good practice in
scripts to check the return values of functions which provide them,
such as 'chdir', 'link', 'unlink', 'chown' and (especially) 'open'.
> Is there a sigtool command I can use to check that it worked? I can
> compare this against another server that I have yet to install this.
sigtool --find-sigs <deleted_signature_name>
should give you an idea of what's happened.
As I warned already, do be careful with this stuff.
--
73,
Ged.
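As an added illustration of points 2, 3 and 5 above (editorial example, not the poster's script and not part of the original message), this is what a post-update hook looks like when it uses full paths, resolves the owner by name rather than a hard-coded uid, and checks every return value. The directory layout and the user name 'clamav' are assumptions; adjust them to your system.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed paths (constructed for this example); set them for your layout.
my $SRC_DIR = '/var/db/clamav-unofficial-sigs/post-control';
my $DB_DIR  = '/var/db/clamav';
my $LOGGER  = '/usr/bin/logger';   # full path: do not rely on $PATH

# Resolve the owner by name. A numeric uid such as 110 means a different
# account on every system, so never hard-code it.
my $USER = 'clamav';               # assumed name of the clamd user
my ($uid, $gid) = (getpwnam($USER))[2, 3];
defined $uid or die "no such user '$USER'\n";

sub logmsg {
    my ($msg) = @_;
    # system() returns the wait status; 0 means the command succeeded.
    system($LOGGER, '-t', 'clamav-post', $msg) == 0
        or warn "logger failed (status $?)\n";
}

# Install one database file, checking each step that can fail.
sub install_db {
    my ($name) = @_;
    my $src = "$SRC_DIR/$name";
    my $dst = "$DB_DIR/$name";

    -f $src           or die "missing source $src\n";
    chdir($DB_DIR)    or die "chdir $DB_DIR: $!\n";
    if (-e $dst) {
        unlink($dst)  or die "unlink $dst: $!\n";
    }
    link($src, $dst)  or die "link $src -> $dst: $!\n";
    # chown returns the number of files changed, so compare, don't just test.
    chown($uid, $gid, $dst) == 1 or die "chown $dst: $!\n";

    # 'open' is the call most often left unchecked; verify the result is readable.
    open(my $fh, '<', $dst) or die "open $dst: $!\n";
    close($fh)              or die "close $dst: $!\n";

    logmsg("installed $name for $USER");
}

@ARGV or die "usage: $0 <database-file> [...]\n";
install_db($_) for @ARGV;
```

Any `die` exits non-zero, so a failure in the hook is visible in freshclam's output instead of silently leaving a half-updated database directory.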