[clamav-users] false positive on MBL_85256034.UNOFFICIAL with Google Drive links
Olivier
Olivier.Nicole at cs.ait.ac.th
Fri Apr 30 04:09:33 UTC 2021
"G.W. Haywood via clamav-users" <clamav-users at lists.clamav.net> writes:
> Hi there,
>
> On Thu, 29 Apr 2021, Robert Kudyba wrote:
>
>> ... no error(s) when I just ran it manually.
>
> There are lots of things in the script which look likely to cause
> issues, so I'd have expected something:
>
> 1. Is your Perl interpreter in /usr/local/bin/? It's often in usr/bin/.
This is FreeBSD, perl is not into the system anymore, so it belongs to /usr/local.
>
> 2. The environment is likely to be different when the script runs via
> freshclam from when it runs at the command line,
It is not run by freshclam but by clamav-unofficial-sigs.sh.
> and it's usually bad
> form in scripts to rely on the environment anyway, so in any script of
> this kind I'd use full paths to executables. For example on my system
> these would be
>
> /bin/chown
> /usr/bin/logger
> and
> /usr/local/bin/clamdscan
Agreed, but the script was written in hast to solve a pressent issue, so
I had not been that careful.
Note chown is the Perl function and logger should have been written
using some Perl module, but I was in a hurry :)
>
> but what are they on yours? I'd also use full paths everywhere else
> instead of relative paths. Things can go wrogn ervy kuiqly.
>
> 3. What is uid 110 on your system? On my clamd server it's 'sshd'.
> This means that if I were to run it as root as it is, the script would
> change ownership of the modified files to the wrong user (which would
> break future updates unless root did them) and for other users fail.
110:110 is the anti-virus user (for historical reason, I was running
Kaspersky for FreeBSD at some stage and the user was hard coded in the anti-cirus).
> 4. People store the ClamAV databases in different places. The script
> makes assumptions about them, have you changed them in the script to
> suit your system, or do you have or have you the needed directories?
> /var/db/clamav-unofficial-sigs/post-control/
> /var/db/clamav/
That is all FreeBSD standard places.
> 5. The script does no error checking at all. It's good practice in
> scripts to check the return values of functions which provide them,
> such as 'chdir', 'link', 'unlink', 'chown' and (especially) 'open'.
Agreed too. I usually do it when I have time. Though Perl is pretty
resilient if a file is missing :)
>
>> Is there a sigtool command I can use to check that it worked? I can
>> compare this against another server that I have yet to install this.
>
> sigtool --find-sigs <deleted_signature_name>
>
> should give you an idea of what's happened.
>
> As I warned already, do be careful with this stuff.
The script is provided as is, people are welcome to modify and twist as
they see fit :)
Best regards,
Olivier
--
More information about the clamav-users
mailing list