[clamav-users] ClamAVPlugin

Joe Acquisto-j4 joea at j4computers.com
Mon Feb 22 00:12:34 UTC 2021


> Hi there,
> 
> On Sun, 21 Feb 2021, Joe Acquisto-j4 wrote:
> 
>> As it happens Suse Leap 15.2 has clamAV and ClamAV-milter provided
>> as was suggested earlier.
>>
>> I think I followed and have stuff running.  Working is another question.
> 
> A few simple checks:
> 
> 1. Do you have the clamd daemon running?  Is its logging configured?

clamd is running.  I thought I read it does not have to be, as clamd-milter is
capable of running mail scans without.  But I could be mistaken.

Logging is enabled and it shows results of the PING test similar to below:

> 2. Can you get clamd to reply to a PING?  Here's my laptop talking to my
>     clamd server, you might want to use a Unix socket, or IP 127.0.0.1
>     and port 3310 depending on your configuration:
> 

Seems quite leisurely, but it does come back, eventually.

myhost:~ # clamd zPING
Sun Feb 21 18:34:45 2021 -> !TCP: Cannot bind to [127.0.0.1]:3310: Address already in use
Sun Feb 21 18:34:45 2021 -> !LOCAL: Socket file /var/run/clamav/clamd-socket is in use by another process.
Sun Feb 21 18:34:45 2021 -> *Closing the main socket.

I am a bit perplexed by this as I am pretty sure I had the port set correctly a while back.  Well, gotta fix that
at least.

> 
> 3. Can you scan things with the 'clamdscan' command?  Note the 'd' in
> 'clamdscan'.  Don't use 'clamscan', because that doesn't use clamd.

myhost:~ # clamdscan eicar.txt
/root/eicar.txt: lstat() failed: Permission denied. ERROR

> 
> 4. Is clamd logging anything?  If you've set up logging in clamd.conf
> it should log things when you scan with clamdscan,

If you mean clamd.log, see above.
If you mean clamavmilter.log it only logs that it started.
 
> 5. Anything interesting in the Postfix logs?  Can you increase the
>     logging verbosity?

Nothing "new" far as I can tell.

> 6. What happens if you mail to yourself something containing the
>     EICAR test file?  Check all your log files as well as looking
>     for mail headers etc.

That has proven difficult as every place I have an email client out in
the great wilderness has strict checking and blocks EICAR when
I try.  Even ssh and telnet are blocked in the terminal sessions.
I have a pretty good relationship with one of them and they
will humor me from time to time, but don't want to wear it out.

I've resorted to a site that purports to send EICAR test email
"as a public service" sort of thing, in the past.
> 7. Please also let us have the output of
> 
> clamconf -n
> 
> which with luck will be fewer than a hundred lines.
> 

Checking configuration files in /etc

Config file: clamd.conf
-----------------------
LogFile = "/var/log/clamd.log"
LogTime = "yes"
LogClean = "yes"
LogSyslog = "yes"
LogFacility = "LOG_MAIL"
LogVerbose = "yes"
PidFile = "/var/run/clamav/clamd.pid"
LocalSocket = "/var/run/clamav/clamd-socket"
TCPSocket = "3310"
TCPAddr = "127.0.0.1"
User = "vscan"
DetectPUA = "yes"
HeuristicScanPrecedence = "yes"

Config file: freshclam.conf
---------------------------
LogTime = "yes"
LogSyslog = "yes"
LogFacility = "LOG_MAIL"
LogVerbose = "yes"
PidFile = "/var/run/clamav/freshclam.pid"
UpdateLogFile = "/var/log/freshclam.log"
DatabaseMirror = "database.clamav.net"

Config file: clamav-milter.conf
-------------------------------
LogFile = "/var/log/clamav-milter.log"
LogSyslog = "yes"
LogFacility = "LOG_MAIL"
PidFile = "/run/clamav/clamav-milter.pid"
ClamdSocket = "unix:/run/clamav/clamd-socket"
MilterSocket = "/run/clamav/clamav-milter-socket"
AddHeader = "Add"
LogClean = "Basic"

Software settings
-----------------
Version: 0.103.0
Optional features supported: MEMPOOL IPv6 AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 ICONV JSON RAR

Database information
--------------------
Database directory: /var/lib/clamav
main.cvd: version 59, sigs: 4564902, built on Mon Nov 25 08:56:15 2019
bytecode.cld: version 332, sigs: 93, built on Wed Feb 17 16:06:23 2021
daily.cld: version 26087, sigs: 4008904, built on Sun Feb 21 07:10:19 2021
Total number of signatures: 8573899

Platform information
--------------------
uname: Linux 5.3.18-lp152.63-default #1 SMP Mon Feb 1 17:31:55 UTC 2021 (98caa86) x86_64
OS: linux-gnu, ARCH: x86_64, CPU: x86_64
zlib version: 1.2.11 (1.2.11), compile flags: a9
platform id: 0x0a2179790800000000070500

Build information
-----------------
GNU C: 7.5.0 (7.5.0)
CPPFLAGS:
CFLAGS: -fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -g -fstack-protector -fPIE -fno-strict-aliasing -DFP_64BIT  -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
CXXFLAGS: -fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -g -fstack-protector -fPIE -fno-strict-aliasing -std=gnu++98
LDFLAGS: -pie
Configure: '--host=x86_64-suse-linux-gnu' '--build=x86_64-suse-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/lib' '--localstatedir=/var' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--disable-dependency-tracking' '--disable-clamav' '--disable-static' '--with-dbdir=/var/lib/clamav' '--with-user=vscan' '--with-group=vscan' '--enable-milter' '--enable-check' '--enable-clamdtop' '--disable-zlib-vcheck' '--disable-timestamps' '--disable-yara' '--with-system-libmspack' 'build_alias=x86_64-suse-linux-gnu' 'host_alias=x86_64-suse-linux-gnu' 'CXXFLAGS=-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -g -fstack-protector -fPIE -fno-strict-aliasing -std=gnu++98' 'LDFLAGS=-pie' 'CFLAGS=-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -g -fstack-protector -fPIE -fno-strict-aliasing -DFP_64BIT' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
sizeof(void*) = 8
Engine flevel: 121, dconf: 121


> 
> 73,
> Ged.
> 

Oh, I wonder if the OS upgrade grabbed the ports on the QT?  I'll have to look into that.
After I look into how to look into that, if you get my drift.   After a few months I need to 
retrain the idle brain.

Also wondering if main.cf (postfix) is the only place I need to add ClamAV directives.
master.cf has a spot for Spamassassin as a "filter" and commented out stuff for
amavis.  So, my puzzlement grows more profound as  . . . umm . . . something.

joe a.
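The PING and scan checks from the quoted list, as an added example that is not from the thread or from ClamAV itself: a small Python client for the clamd socket protocol. It sends the z-form commands (zPING, zVERSION) and an INSTREAM scan over either the Unix socket or the TCP address taken from the clamd.conf printed above, and parses the replies. Note that `clamd zPING`, as run in the post, starts a second clamd daemon, which then fails to bind the sockets the running daemon already holds; that is what the "Address already in use" and "Socket file ... is in use by another process" lines show. The PING check is a message sent to the running daemon over its socket, not a command-line option of clamd. The script name clamd_check.py is a placeholder.

```python
"""Minimal clamd protocol client: PING, VERSION and INSTREAM scan.

Added example, not ClamAV's own code. The socket path and TCP address below
are the ones in the clamd.conf shown in the post; adjust them to your setup.
"""
import socket
import struct
import sys

DEFAULT_UNIX_SOCKET = "/var/run/clamav/clamd-socket"   # LocalSocket in the post's clamd.conf
DEFAULT_TCP = ("127.0.0.1", 3310)                      # TCPAddr/TCPSocket in the post's clamd.conf


def frame_command(cmd: bytes) -> bytes:
    """clamd's 'z' command form: leading 'z', trailing NUL; replies are NUL-terminated too."""
    return b"z" + cmd + b"\0"


def instream_frames(data: bytes, chunk_size: int = 8192) -> list:
    """Frame data for INSTREAM: 4-byte big-endian length + bytes per chunk, then a zero-length chunk."""
    frames = [struct.pack(">I", len(data[i:i + chunk_size])) + data[i:i + chunk_size]
              for i in range(0, len(data), chunk_size)]
    frames.append(struct.pack(">I", 0))
    return frames


def parse_scan_reply(reply: str) -> tuple:
    """Map 'name: OK' / 'name: Sig FOUND' / 'name: reason ERROR' to (status, detail)."""
    _name, _sep, rest = reply.partition(": ")
    rest = rest.strip()
    if rest == "OK":
        return ("OK", None)
    for status in ("FOUND", "ERROR"):
        if rest.endswith(" " + status):
            return (status, rest[: -len(status) - 1])
    return ("UNKNOWN", rest)


def _connect(addr, timeout=10.0):
    """addr is either a Unix socket path (str) or a (host, port) tuple."""
    family = socket.AF_UNIX if isinstance(addr, str) else socket.AF_INET
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    sock.connect(addr)
    return sock


def _read_reply(sock) -> str:
    """Read until the terminating NUL (or until clamd closes the connection)."""
    buf = b""
    while not buf.endswith(b"\0"):
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf.rstrip(b"\0").decode("utf-8", "replace")


def ping(addr=DEFAULT_UNIX_SOCKET) -> bool:
    """True when the running daemon answers zPING with PONG."""
    with _connect(addr) as sock:
        sock.sendall(frame_command(b"PING"))
        return _read_reply(sock) == "PONG"


def version(addr=DEFAULT_UNIX_SOCKET) -> str:
    """Engine and database versions as reported by the daemon."""
    with _connect(addr) as sock:
        sock.sendall(frame_command(b"VERSION"))
        return _read_reply(sock)


def scan_bytes(data: bytes, addr=DEFAULT_UNIX_SOCKET) -> tuple:
    """Scan in-memory bytes over INSTREAM. The client reads the file, so clamd's own
    user (vscan in the post) needs no access to it; this sidesteps the lstat() failure."""
    with _connect(addr) as sock:
        sock.sendall(frame_command(b"INSTREAM"))
        for frame in instream_frames(data):
            sock.sendall(frame)
        return parse_scan_reply(_read_reply(sock))


if __name__ == "__main__":
    # usage: clamd_check.py [unix-socket-path | host:port] [file-to-scan]
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_UNIX_SOCKET
    addr = (target.rsplit(":", 1)[0], int(target.rsplit(":", 1)[1])) if ":" in target else target
    print("PING ->", "PONG" if ping(addr) else "no PONG")
    print("VERSION ->", version(addr))
    if len(sys.argv) > 2:
        with open(sys.argv[2], "rb") as fh:
            print("INSTREAM ->", scan_bytes(fh.read(), addr))
```

Scanning via INSTREAM means the client process reads the file and streams its bytes, so the "lstat() failed: Permission denied" seen for /root/eicar.txt does not arise; clamdscan gives the same effect with `--stream` or `--fdpass`. Passing `/run/clamav/clamd-socket` (the path in clamav-milter.conf) as well as `/var/run/clamav/clamd-socket` (the path in clamd.conf) is a quick way to confirm both spellings reach the same daemon. Replies of the form "... ERROR" (for instance when StreamMaxLength is exceeded) come back as ("ERROR", reason) rather than raising.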
