[clamav-users] running freshclam and 3rd party/clamav-unofficial-sigs.sh owner name changes occasionally

Robert Kudyba rkudyba at fordham.edu
Wed Aug 25 01:21:11 UTC 2021


>
>
> On Thu, 15 Jul 2021, Robert Kudyba wrote:
>

Here we are Aug 24


> >> ... do you have that log?
> >
> > Uploaded at ...
>
> Nothing remarkable there.  Presumably you're aware of this warning
> in that log?
>

See https://storm.cis.fordham.edu/~rkudyba/aug24

At 5:14 AM the problem started happening and cron has:

Aug 24 05:14:01 storm CROND[537748]: (clamav) CMD ([ -x /usr/local/sbin/clamav-unofficial-sigs.sh ] && /usr/bin/bash /usr/local/sbin/clamav-unofficial-sigs.sh)
Aug 24 05:14:03 storm CROND[537718]: (clamav) CMDEND ([ -x /usr/local/sbin/clamav-unofficial-sigs.sh ] && /usr/bin/bash /usr/local/sbin/clamav-unofficial-sigs.sh)
Aug 24 05:15:01 storm CROND[538116]: (root) CMD (/bin/date >> $FILE ; /bin/ls -l /var/lib/clamav >> $FILE)

>
> If it's the same OS distribution you should be able to compare the
> configurations, see what they both put in the logs etc.  The command
>
> clamconf -n
>
> would be very useful for that but there are other configs as well.
>

clamconf -n

Checking configuration files in /etc

Config file: clamd.d/scan.conf
------------------------------
LogFile = "/var/log/clamd.log"
TCPSocket = "3310"
TCPAddr = "127.0.0.1"
User = "clamav"
PhishingScanURLs disabled
HeuristicScanPrecedence = "yes"
AlertBrokenExecutables = "yes"
AlertBrokenMedia = "yes"
AlertEncrypted = "yes"
AlertEncryptedArchive = "yes"
AlertEncryptedDoc = "yes"
AlertOLE2Macros = "yes"
AlertPhishingSSLMismatch = "yes"
AlertPartitionIntersection = "yes"
MaxScanTime = "350000"
MaxScanSize = "157286400"
MaxFileSize = "31457280"


Config file: freshclam.conf
---------------------------
LogFileMaxSize = "262144000"
LogRotate = "yes"
UpdateLogFile = "/var/log/freshclam.log"
DatabaseOwner = "clamav"
DatabaseMirror = "database.clamav.net"
ConnectTimeout = "60"
ReceiveTimeout = "60"


Config file: mail/clamav-milter.conf
------------------------------------
LogFile = "/var/log/clamav-milter.log"
LogTime = "yes"
LogVerbose = "yes"
User = "clamilt"
ClamdSocket = "tcp:127.0.0.1:3310"
MilterSocket = "inet:6666"
AddHeader = "Add"
Whitelist = "/etc/mail/clamav-milter-whitelist.conf"


Software settings
-----------------
Version: 0.103.3
Optional features supported: MEMPOOL IPv6 AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 ICONV JSON


Database information
--------------------
Database directory: /var/lib/clamav
[3rd Party] badmacro.ndb: 621 sigs
[3rd Party] shelter.ldb: 49 sigs
[3rd Party] CVE-2013-0074.yar: 22 sigs
[3rd Party] foxhole_js.cdb: 48 sigs
[3rd Party] rfxn.yara: 11527 sigs
[3rd Party] urlhaus.ndb: 5445 sigs
[3rd Party] malware.expert.ndb: 1 sig
[3rd Party] sanesecurity.ftm: 170 sigs
[3rd Party] CVE-2013-0422.yar: 25 sigs
[3rd Party] sigwhitelist.ign2: 12 sigs
[3rd Party] junk.ndb: 55801 sigs
[3rd Party] jurlbl.ndb: 5650 sigs
[3rd Party] phish.ndb: 28047 sigs
[3rd Party] rogue.hdb: 1005 sigs
[3rd Party] scam.ndb: 12747 sigs
[3rd Party] spamimg.hdb: 200 sigs
[3rd Party] CVE-2015-1701.yar: 30 sigs
[3rd Party] spamattach.hdb: 14 sigs
[3rd Party] blurl.ndb: 2194 sigs
[3rd Party] CVE-2015-2426.yar: 49 sigs
[3rd Party] malwarehash.hsb: 771 sigs
[3rd Party] CVE-2015-2545.yar: 76 sigs
[3rd Party] foxhole_generic.cdb: 212 sigs
[3rd Party] CVE-2015-5119.yar: 22 sigs
[3rd Party] foxhole_filename.cdb: 2612 sigs
[3rd Party] CVE-2016-5195.yar: 40 sigs
[3rd Party] winnow_malware.hdb: 293 sigs
[3rd Party] winnow_extended_malware_links.ndb: 1 sig
[3rd Party] winnow_malware_links.ndb: 133 sigs
[3rd Party] MiscreantPunch099-Low.ldb: 1199 sigs
[3rd Party] winnow_extended_malware.hdb: 245 sigs
[3rd Party] safebrowsing.gdb: 49126 sigs
[3rd Party] winnow.attachments.hdb: 182 sigs
[3rd Party] CVE-2017-11882.yar: 66 sigs
[3rd Party] winnow_bad_cw.hdb: 1 sig
[3rd Party] EK_BleedingLife.yar: 112 sigs
[3rd Party] bofhland_cracked_URL.ndb: 40 sigs
[3rd Party] WShell_ASPXSpy.yar: 21 sigs
[3rd Party] bofhland_malware_URL.ndb: 4 sigs
[3rd Party] WShell_Drupalgeddon2_icos.yar: 26 sigs
[3rd Party] bofhland_phishing_URL.ndb: 72 sigs
[3rd Party] CVE-2010-0805.yar: 19 sigs
[3rd Party] bofhland_malware_attach.hdb: 1836 sigs
[3rd Party] CVE-2018-20250.yar: 22 sigs
[3rd Party] hackingteam.hsb: 435 sigs
[3rd Party] CVE-2018-4878.yar: 39 sigs
[3rd Party] porcupine.ndb: 6622 sigs
[3rd Party] bank_rule.yar: 11 sigs
[3rd Party] phishtank.ndb: 9388 sigs
[3rd Party] EMAIL_Cryptowall.yar: 52 sigs
[3rd Party] porcupine.hsb: 208 sigs
[3rd Party] scam.yar: 35 sigs
[3rd Party] securiteinfo.ign2: 86 sigs
[3rd Party] JJencode.yar: 19 sigs
[3rd Party] securiteinfo.hdb: 159918 sigs
[3rd Party] interserver256.hdb: 3626 sigs
[3rd Party] securiteinfoold.hdb: 3525608 sigs
[3rd Party] interservertopline.db: 161 sigs
[3rd Party] javascript.ndb: 43708 sigs
main.cvd: version 61, sigs: 6607162, built on Wed Jul 14 22:39:10 2021
[3rd Party] securiteinfohtml.hdb: 55106 sigs
[3rd Party] CVE-2010-0887.yar: 22 sigs
[3rd Party] securiteinfoascii.hdb: 98410 sigs
daily.cld: version 26272, sigs: 1968128, built on Mon Aug 23 04:21:13 2021
[3rd Party] securiteinfopdf.hdb: 3408 sigs
[3rd Party] CVE-2010-1297.yar: 20 sigs
[3rd Party] securiteinfoandroid.hdb: 84401 sigs
[3rd Party] rfxn.ndb: 2039 sigs
[3rd Party] rfxn.hdb: 12932 sigs
daily.cvd: version 26209, sigs: 3992031, built on Tue Jun 22 07:07:55 2021
[3rd Party] malware.expert.hdb: 1 sig
[3rd Party] malware.expert.ldb: 1 sig
[3rd Party] foxhole_js.ndb: 4 sigs
[3rd Party] CVE-2012-0158.yar: 27 sigs
[3rd Party] winnow_spam_complete.ndb: 26 sigs
[3rd Party] whitelist.fp: 3081 sigs
[3rd Party] winnow.complex.patterns.ldb: 3 sigs
[3rd Party] Sanesecurity_spam.yara: 46 sigs
[3rd Party] jurlbla.ndb: 1388 sigs
[3rd Party] lott.ndb: 2335 sigs
[3rd Party] spam.ldb: 2 sigs
[3rd Party] spear.ndb: 1 sig
[3rd Party] spearl.ndb: 1 sig
[3rd Party] malware.expert.fp: 1 sig
[3rd Party] scamnailer.ndb: 1 sig
bytecode.cvd: version 333, sigs: 92, built on Mon Mar  8 10:21:51 2021
[3rd Party] winnow_phish_complete_url.ndb: 54 sigs
[3rd Party] malwarepatrol.db: 9180 sigs
[3rd Party] Sanesecurity_sigtest.yara: 54 sigs
[3rd Party] email_Ukraine_BE_powerattack.yar: 33 sigs
[3rd Party] Email_fake_it_maintenance_bulletin.yar: 29 sigs
[3rd Party] Email_quota_limit_warning.yar: 31 sigs
Total number of signatures: 16770754


Platform information
--------------------
uname: Linux 5.12.14-300.fc34.x86_64 #1 SMP Wed Jun 30 18:30:21 UTC 2021 x86_64
OS: linux-gnu, ARCH: x86_64, CPU: x86_64
zlib version: 1.2.11 (1.2.11), compile flags: a9
platform id: 0x0a217c7c08000000020b0201


Build information
-----------------
GNU C: 11.2.1 20210728 (Red Hat 11.2.1-1) (11.2.1)
CPPFLAGS: -I/usr/include/libprelude
CFLAGS: -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1  -m64  -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
CXXFLAGS: -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1  -m64  -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection
LDFLAGS: -Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld  -lprelude
Configure: '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--localstatedir=/var' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--enable-milter' '--disable-clamav' '--disable-static' '--disable-zlib-vcheck' '--disable-unrar' '--enable-id-check' '--enable-dns' '--with-dbdir=/var/lib/clamav' '--with-group=clamupdate' '--with-user=clamupdate' '--disable-rpath' '--disable-silent-rules' '--enable-clamdtop' '--enable-prelude' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CXX=g++' 'CXXFLAGS=-O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1  -m64  -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection' 'LDFLAGS=-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld' 'CC=gcc' 'CFLAGS=-O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1  -m64  -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection' 'LT_SYS_LIBRARY_PATH=/usr/lib64:' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
sizeof(void*) = 8
Engine flevel: 124, dconf: 124
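The root cron entry in the message above records `date` and `ls -l /var/lib/clamav` into a file so that ownership changes can be spotted by reading the log by hand. The script below is an added example, not code from the thread or from the ClamAV project: a small POSIX shell audit that reads `DatabaseOwner` from freshclam.conf, lists the database directory, and reports every file whose owner differs from that value, so the mismatch itself is logged rather than a full directory listing. The script name `audit-clamav-owner.sh` is hypothetical; the paths `/etc/freshclam.conf` and `/var/lib/clamav` are the ones shown in the `clamconf -n` output; `stat -c` is the GNU coreutils form, which is what the Fedora host in the thread has.

```shell
#!/bin/sh
# audit-clamav-owner.sh (hypothetical name): report ClamAV database files
# whose owner is not the DatabaseOwner configured for freshclam.
# Added example; the paths default to those seen in the thread's clamconf output.

# Print the first uncommented "DatabaseOwner <user>" value from a freshclam.conf.
# freshclam.conf uses "Option value" syntax, so field 2 is the user name.
database_owner() {
    owner=$(awk '$1 == "DatabaseOwner" { print $2; exit }' "$1") || return 2
    if [ -z "$owner" ]; then
        echo "DatabaseOwner not set in $1" >&2
        return 2
    fi
    printf '%s\n' "$owner"
}

# Read "OWNER PATH" lines on stdin (the format produced by: stat -c '%U %n' DIR/*)
# and print "MISMATCH owner path" for each entry whose owner differs from $1.
# Returns 0 when every file has the expected owner, 1 when any mismatch was seen.
check_owners() {
    expected="$1"
    bad=0
    while read -r owner path; do
        [ -z "$owner" ] && continue
        if [ "$owner" != "$expected" ]; then
            echo "MISMATCH $owner $path"
            bad=$((bad + 1))
        fi
    done
    if [ "$bad" -gt 0 ]; then
        return 1
    fi
    return 0
}

# Audit one database directory against the DatabaseOwner in a freshclam.conf.
# A timestamped header line is written first so the output can be appended to
# a log file from cron, in the spirit of the root cron job in the thread.
audit_db_dir() {
    dir="$1"
    conf="${2:-/etc/freshclam.conf}"
    owner=$(database_owner "$conf") || return 2
    printf '%s audit of %s, expected owner %s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$dir" "$owner"
    stat -c '%U %n' "$dir"/* | check_owners "$owner"
}

# Run only when a directory is given on the command line, for example from cron:
#   audit-clamav-owner.sh /var/lib/clamav /etc/freshclam.conf >> /var/log/clamav-owner.log
if [ "$#" -gt 0 ]; then
    audit_db_dir "$@"
fi
```

Because the check compares against the value freshclam is configured to use, rather than a name hard-coded in the cron line, the same script keeps working if `DatabaseOwner` is later changed, and a non-zero exit status lets cron or a wrapper raise an alert the moment ownership drifts instead of waiting for someone to read the listing.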
