[clamav-users] false positive on MBL_85256034.UNOFFICIAL with Google Drive links
Robert Kudyba
rkudyba at fordham.edu
Thu Apr 29 16:02:23 UTC 2021
>
> 1. Is your Perl interpreter in /usr/local/bin/? It's often in usr/bin/.
>
Thanks, I saw that after the fact; indeed it's /usr/bin in Fedora.
> 2. The environment is likely to be different when the script runs via
> freshclam from when it runs at the command line, and it's usually bad
> form in scripts to rely on the environment anyway, so in any script of
> this kind I'd use full paths to executables. For example on my system
> these would be
>
> /bin/chown
> /usr/bin/logger
> and
> /usr/local/bin/clamdscan
>
> but what are they on yours? I'd also use full paths everywhere else
> instead of relative paths. Things can go wrogn ervy kuiqly.
>
/usr/bin for all 3
> 3. What is uid 110 on your system? On my clamd server it's 'sshd'.
> This means that if I were to run it as root as it is, the script would
> change ownership of the modified files to the wrong user (which would
> break future updates unless root did them) and for other users fail.
>
Yes, caught those after the fact and updated the script accordingly.
> 4. People store the ClamAV databases in different places. The script
> makes assumptions about them, have you changed them in the script to
> suit your system, or do you have or have you the needed directories?
> /var/db/clamav-unofficial-sigs/post-control/
> /var/db/clamav/
>
Different on ours:
/var/lib/clamav-unofficial-sigs/dbs-mbl/
And I went ahead and created
/var/lib/clamav-unofficial-sigs/dbs-mbl/post-control
and I'm not sure why we have a test dir:
/var/lib/clamav-unofficial-sigs/test
> 5. The script does no error checking at all. It's good practice in
> scripts to check the return values of functions which provide them,
> such as 'chdir', 'link', 'unlink', 'chown' and (especially) 'open'.
>
Anything off the top of your head I can add?
> > Is there a sigtool command I can use to check that it worked? I can
> > compare this against another server that I have yet to install this.
>
> sigtool --find-sigs <deleted_signature_name>
>
> should give you an idea of what's happened.
The signature does not exist when I run this command.
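The error checking asked about under point 5, combined with the full-path advice from point 2 and the uid advice from point 3, as an added Perl example; this is not the script discussed in the thread. It assumes the database directory named above, a signature file called MBL.ndb, an account named 'clamav' that should own the databases, a logger tag of 'clamav-postcontrol', and that the signature stored in the file is MBL_85256034 (clamscan appends ".UNOFFICIAL" to hits from non-.cvd databases, so that suffix is not part of the name in the file). Every call that returns a status is checked, and failures go to syslog before the script dies so that a freshclam-triggered run leaves a trace.

```perl
#!/usr/bin/perl
# Added example, not the script from the thread. Removes one signature from an
# unofficial ClamAV database with every system call checked. Paths, the
# 'clamav' account, the MBL.ndb file name and the signature name are assumptions.
use strict;
use warnings;

# Full paths to executables (Fedora locations named in the thread); do not
# rely on $PATH, which differs when freshclam runs the script.
my $LOGGER    = '/usr/bin/logger';
my $CLAMDSCAN = '/usr/bin/clamdscan';

my $DB_DIR  = '/var/lib/clamav-unofficial-sigs/dbs-mbl';   # from the thread
my $DB_FILE = 'MBL.ndb';                                  # assumption
my $SIG     = 'MBL_85256034';                             # name inside the file
my $OWNER   = 'clamav';                                   # assumption

# Resolve the owner by name instead of hard-coding a uid such as 110,
# which maps to a different account on every system.
my ($uid, $gid) = (getpwnam($OWNER))[2, 3];
defined $uid or die "no such user '$OWNER'\n";

# Send a message to syslog; system() returns 0 on success.
sub log_msg {
    my ($msg) = @_;
    system($LOGGER, '-t', 'clamav-postcontrol', '--', $msg) == 0
        or warn "logger failed (exit $?): $msg\n";
}

# Log, then abort: a silent failure under freshclam is the worst outcome.
sub fail {
    my ($msg) = @_;
    log_msg("ERROR: $msg");
    die "$msg\n";
}

chdir $DB_DIR or fail("chdir $DB_DIR: $!");

# Keep a hard-linked backup of the current database; unlink returns the
# number of files removed, so an existing backup that will not go away is an error.
my $bak = "$DB_FILE.bak";
if (-e $bak) {
    unlink $bak or fail("unlink $bak: $!");
}
link $DB_FILE, $bak or fail("link $DB_FILE -> $bak: $!");

# Rewrite into a temp file in the same directory so the final rename is atomic.
my $tmp = "$DB_FILE.tmp.$$";
open my $in,  '<', $DB_FILE or fail("open $DB_FILE: $!");
open my $out, '>', $tmp     or fail("open $tmp: $!");

my $removed = 0;
while (my $line = <$in>) {
    # .ndb lines begin with "SigName:"; drop only an exact name match.
    if ($line =~ /^\Q$SIG\E:/) {
        $removed++;
        next;
    }
    print {$out} $line or fail("write $tmp: $!");
}
close $in  or fail("close $DB_FILE: $!");
close $out or fail("close $tmp: $!");   # catches a full disk

# chown returns the number of files changed; expect exactly one.
chown($uid, $gid, $tmp) == 1 or fail("chown $tmp to $OWNER: $!");
chmod(0644, $tmp) == 1      or fail("chmod $tmp: $!");
rename $tmp, $DB_FILE        or fail("rename $tmp -> $DB_FILE: $!");

log_msg("removed $removed line(s) for $SIG from $DB_DIR/$DB_FILE");

# Ask clamd to reload its databases only if something actually changed.
if ($removed) {
    system($CLAMDSCAN, '--reload') == 0
        or fail("clamdscan --reload failed (exit $?)");
}
```

Run it as root (it chowns the result to the database owner) or as the database owner itself, and then confirm with the `sigtool --find-sigs` check from the reply that the name no longer turns up. Because the temp file is written in the same directory and swapped in with rename, clamd never sees a half-written database, and the hard-linked .bak gives a way back if the wrong line was removed.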