Additional ClamAV signature files

ShelbyGT500
Posts: 846
Joined: 13 May 2010 22:37
Location: FRANCE

Re: Additional ClamAV signature files

Post by ShelbyGT500 » 11 Feb 2012 23:07

Hi Severus,

Thank you for your work! ;)

For the next release, because of a bug with the F-Prot update, I think it is necessary to modify line 1030 in home/httpd/cgi-bin/copfilter_antivirus.cgi: viewtopic.php?f=3&t=616#p2943

if ( -e "${copfilter_swroot}/opt/f-prot/default/fpscand" ) {
to

if ( -e "${copfilter_swroot}/opt/f-prot/default/fpscan" || -e "${copfilter_swroot}/opt/f-prot/default/fpscand" ) {
Regards.

Severus
Site Admin
Posts: 457
Joined: 10 Dec 2009 07:01
Location: Nürnberg - Germany

Re: Additional ClamAV signature files

Post by Severus » 12 Feb 2012 07:11

You're right. Thanks! :o
Done.
Severus

Severus
Site Admin
Posts: 457
Joined: 10 Dec 2009 07:01
Location: Nürnberg - Germany

Re: Additional ClamAV signature files

Post by Severus » 21 Feb 2012 02:01

New versions released!

Current version for

IPCop 1.4.x with copfilter up to 0.85.2 and IPCop 1.9.x/2.0.0 with copfilter lower than 2.0.90: 0.55.2.3

IPCop 1.4.x with copfilter 0.85.3 or higher and IPCop 2.x.x with copfilter 2.0.90: 0.55.3.3

changes:
added 3 new bofhland databases: bofhland_cracked_URL.ndb, bofhland_malware_URL.ndb, bofhland_phishing_URL.ndb


Copfilter releases 2.0.91 and higher have this mod by default.

More on viewtopic.php?p=486#p486
Severus

ShelbyGT500
Posts: 846
Joined: 13 May 2010 22:37
Location: FRANCE

Re: Additional ClamAV signature files

Post by ShelbyGT500 » 21 Feb 2012 20:35

Hi Severus,

Thank You. ;)

Regards.

ShelbyGT500
Posts: 846
Joined: 13 May 2010 22:37
Location: FRANCE

Re: Additional ClamAV signature files

Post by ShelbyGT500 » 25 Feb 2012 13:39

Hi Severus,

I reinstalled IPCOP and copfilter V1 .85.3beta5 because I found the CPU usage per day was important (10 % all the time), and that was not the case before.
I installed the 3rd sigs 0.55.3.3 with the 3 new bofhland databases: bofhland_cracked_URL.ndb, bofhland_malware_URL.ndb, bofhland_phishing_URL.ndb.

The CPU usage per day is always important, with all databases enabled (havp).
I did a try with the bofhland databases disabled, and the CPU usage is now normal:

Image


EDIT 1: my settings in HAVP Gui
Enable ClamAV Virus Scanner in HAVP HTTP Scanning Proxy: on
Enable ClamAV Virus Scanner in Library Mode: off

EDIT 2:
I forgot, it is the same problem with disk access:
Image

Is that increase in CPU usage and disk access with the bofhland sigs expected?

Regards.

Severus
Site Admin
Posts: 457
Joined: 10 Dec 2009 07:01
Location: Nürnberg - Germany

Re: Additional ClamAV signature files

Post by Severus » 25 Feb 2012 22:21

Sorry!
Running the same havp settings with all 3P databases CPU and hdd usage is quite normal.
RAM usage (3 GB) 65% including cache and 35% without cache.
Nothing remarkable, I guess.
Severus

ShelbyGT500
Posts: 846
Joined: 13 May 2010 22:37
Location: FRANCE

Re: Additional ClamAV signature files

Post by ShelbyGT500 » 25 Feb 2012 23:21

Hi Severus,

I installed IPCOP and Copfilter yesterday, and I had the same problem with my previous installation.

It seems there is an update process running all the time:

In 3pmodify.log, there is an update every 5 minutes:

[CET] 2012-02-25 09:25:52
______________________________________________________________________________________________________________________________
added for new use with clamd only:
3 Sanesecurity databases: bofcrack.ndb, bofmal.ndb, bofphsh.ndb
[CET] 2012-02-25 09:30:53
______________________________________________________________________________________________________________________________
added for new use with clamd only:
3 Sanesecurity databases: bofcrack.ndb, bofmal.ndb, bofphsh.ndb
[CET] 2012-02-25 09:35:52
______________________________________________________________________________________________________________________________
added for new use with clamd only:
3 Sanesecurity databases: bofcrack.ndb, bofmal.ndb, bofphsh.ndb
[CET] 2012-02-25 09:40:00
______________________________________________________________________________________________________________________________
added for new use with clamd only:
3 Sanesecurity databases: bofcrack.ndb, bofmal.ndb, bofphsh.ndb
[CET] 2012-02-25 09:46:00
______________________________________________________________________________________________________________________________
added for new use with clamd only:
3 Sanesecurity databases: bofcrack.ndb, bofmal.ndb, bofphsh.ndb
[CET] 2012-02-25 09:50:55

In the cron.hourly log:

[CET] 2012-02-25 09:40:00
backing up current databases... done
searching for updates...
/var/log/copfilter/default/opt/tools/bin/cron.hourly: line 1: /usr/bin/rsync: No such file or directory
/var/log/copfilter/default/opt/tools/bin/cron.hourly: line 1: /usr/bin/rsync: No such file or directory
/var/log/copfilter/default/opt/tools/bin/cron.hourly: line 1: /usr/bin/rsync: No such file or directory

updates downloaded...
checking for corrupted databases... done...
restart of clamd suspended...
no newer files available. Nothing updated!
restart of clamd suspended...
[CET] 2012-02-25 09:40:53
______________________________________________________________________________________________________________________________
[CET] 2012-02-25 09:45:00
backing up current databases... done
searching for updates...
/var/log/copfilter/default/opt/tools/bin/cron.hourly: line 1: /usr/bin/rsync: No such file or directory
/var/log/copfilter/default/opt/tools/bin/cron.hourly: line 1: /usr/bin/rsync: No such file or directory
/var/log/copfilter/default/opt/tools/bin/cron.hourly: line 1: /usr/bin/rsync: No such file or directory
updates downloaded...
checking for corrupted databases... done...
restart of clamd suspended...
no newer files available. Nothing updated!
restart of clamd suspended...
[CET] 2012-02-25 09:46:00
______________________________________________________________________________________________________________________________
[CET] 2012-02-25 09:50:00
backing up current databases... done
searching for updates...
/var/log/copfilter/default/opt/tools/bin/cron.hourly: line 1: /usr/bin/rsync: No such file or directory
/var/log/copfilter/default/opt/tools/bin/cron.hourly: line 1: /usr/bin/rsync: No such file or directory
/var/log/copfilter/default/opt/tools/bin/cron.hourly: line 1: /usr/bin/rsync: No such file or directory
updates downloaded...
checking for corrupted databases... done...
restart of clamd suspended...
no newer files available. Nothing updated!
restart of clamd suspended...
[CET] 2012-02-25 09:50:55


I have a similar problem with a new install of IPCOP and Copfilter V2: viewtopic.php?f=9&t=704#p3495

EDIT 1: bofhland sigs are enabled.
Here is the process list:
root@ipcop:~ # ps -x
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
PID TTY STAT TIME COMMAND
1 ? S 0:05 init [3]
2 ? S 0:00 [keventd]
3 ? SN 0:00 [ksoftirqd_CPU0]
4 ? S 0:00 [kswapd]
5 ? S 0:02 [bdflush]
6 ? S 0:00 [kupdated]
11 ? S 0:00 [scsi_eh_0]
12 ? S 0:00 [scsi_eh_1]
16 ? S 0:03 [kjournald]
41 ? S 0:00 [khubd]
60 ? S 0:00 [kjournald]
61 ? S 0:29 [kjournald]
290 ? Ss 0:00 /usr/sbin/dhcpcd -N -R eth1 -L /var/ipcop/dhcpc -h ipcop
327 ? Ss 0:00 /usr/sbin/fcron
577 ? Ss 0:00 /usr/sbin/httpd
15496 ? Ss 0:06 /var/log/copfilter/default/opt/mail-spamassassin/default/bin/spamd -d -i 127.0.0.1 -m 8
20922 tty1 Ss+ 0:00 /sbin/mingetty tty1
20923 tty2 Ss+ 0:00 /sbin/mingetty tty2
20924 tty3 Ss+ 0:00 /sbin/mingetty tty3
20925 tty4 Ss+ 0:00 /sbin/mingetty tty4
20926 tty5 Ss+ 0:00 /sbin/mingetty tty5
20927 tty6 Ss+ 0:00 /sbin/mingetty tty6
14470 ? Ss 0:00 /usr/sbin/squid -D
20398 ? Ss 0:00 /var/log/copfilter/default/opt/monit/default/bin/monit -I -c /var/log/copfilter/default/
20400 ? S 0:00 /var/log/copfilter/default/opt/monit/default/bin/monit -I -c /var/log/copfilter/default/
20988 ? S 0:00 /usr/bin/perl /var/ipcop/guardian/bin/guardian.pl
9709 ? Ss 0:00 /usr/sbin/sshd
9851 ? Ss 0:00 sshd: root@pts/0
9868 pts/0 Ss 0:00 -bash
10063 ? S 0:00 /var/log/copfilter/default/opt/monit/default/bin/monit -I -c /var/log/copfilter/default/
10154 pts/0 R+ 0:00 ps -x
root@ipcop:~ #




Regards.

karesmakro
Site Admin
Posts: 1280
Joined: 09 Dec 2009 21:17

Re: Additional ClamAV signature files

Post by karesmakro » 27 Feb 2012 19:51

It seems that rsync was not installed when you installed the 3rd Sigs!
Go to your downloaded 3rd Sigs folder -> programs and copy the rsync binary to /usr/bin

ShelbyGT500
Posts: 846
Joined: 13 May 2010 22:37
Location: FRANCE

Re: Additional ClamAV signature files

Post by ShelbyGT500 » 27 Feb 2012 23:20

Hi Kare,
karesmakro wrote: go to your downloaded 3rd Sigs folder -> programs and copy the rsync binary to /usr/bin
Done, with a modification of permissions for rsync, and it's OK. :D

Regards.

karesmakro
Site Admin
Posts: 1280
Joined: 09 Dec 2009 21:17

Re: Additional ClamAV signature files

Post by karesmakro » 27 Feb 2012 23:53

ShelbyGT500 wrote: Done, with a modification of permissions for rsync
Allow me one question: did you extract the package on a Windows machine and copy the file(s) afterwards to IPCop?
The permission of rsync was okay in the package!
If so, this is absolutely not a good idea! Please always extract (and/or modify) packages/files on IPCop, this prevents many, many problems ;)
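
As an added example (not part of the thread and not Copfilter code): a pre-flight check that tells a missing helper binary apart from one that lost its execute bit, plus a scan of a cron.hourly-style log for update runs that hit the missing-binary error yet still reported "updates downloaded...". The function names and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Copfilter code. Function names are hypothetical.

# check_tool PATH: prints ok / missing / not-executable; returns 0 / 1 / 2.
check_tool() {
    if [ ! -e "$1" ]; then echo "missing"; return 1; fi
    if [ ! -x "$1" ]; then echo "not-executable"; return 2; fi
    echo "ok"
}

# count_failed_runs LOG: prints how many update runs logged a missing binary.
# A run starts at each "backing up current databases" line.
count_failed_runs() {
    awk '
        /backing up current databases/ { if (bad) n++; bad = 0 }
        /No such file or directory/    { bad = 1 }
        END { if (bad) n++; print n + 0 }
    ' "$1"
}

# write_sample_log FILE: constructed sample in the format quoted in the thread.
write_sample_log() {
    cat > "$1" <<'EOF'
[CET] 2012-02-25 09:40:00
backing up current databases... done
cron.hourly: line 1: /usr/bin/rsync: No such file or directory
updates downloaded...
[CET] 2012-02-25 09:45:00
backing up current databases... done
cron.hourly: line 1: /usr/bin/rsync: No such file or directory
updates downloaded...
[CET] 2012-02-25 09:50:00
backing up current databases... done
updates downloaded...
EOF
}

# Demo on throwaway files: one helper with the execute bit, one without.
tmp=$(mktemp -d)
write_sample_log "$tmp/cron.log"
: > "$tmp/good"; chmod 755 "$tmp/good"
: > "$tmp/noexec"; chmod 644 "$tmp/noexec"
for f in good noexec absent; do
    printf '%s: %s\n' "$f" "$(check_tool "$tmp/$f" || true)"
done
printf 'failed runs: %s\n' "$(count_failed_runs "$tmp/cron.log")"
rm -rf "$tmp"
```

An updater that runs `check_tool` first and exits on a non-zero status fails visibly instead of looping with stale signatures.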
