Update for additional ClamAV signature files (SOLVED)

karesmakro
Site Admin
Posts: 1280
Joined: 09 Dec 2009 21:17

Re: Update for additional ClamAV signature files

Post by karesmakro » 01 Jan 2012 22:36

It should be databases! Darn!

Code:

if [ ! -d /tmp/clamdatabases ]; then
    mkdir /tmp/clamdatabases
    chmod -R 777 /tmp/clamdatabases
fi
sorry for that!

ShelbyGT500
Posts: 846
Joined: 13 May 2010 22:37
Location: FRANCE

Re: Update for additional ClamAV signature files

Post by ShelbyGT500 » 01 Jan 2012 23:12

Hi,

There is the folder clamdatabases. :)
But it is empty.

I've tried a manual update, but there is no change.

Regards.

karesmakro
Site Admin
Posts: 1280
Joined: 09 Dec 2009 21:17

Re: Update for additional ClamAV signature files

Post by karesmakro » 01 Jan 2012 23:53

Nothing changed?
Can you inspect the /tmp folder for *.locked files again?

Cannot say for sure when the databases were last updated!

I remember the first time using the sigs, after creating this directory, the sigs worked!

Regards

ShelbyGT500
Posts: 846
Joined: 13 May 2010 22:37
Location: FRANCE

Re: Update for additional ClamAV signature files

Post by ShelbyGT500 » 02 Jan 2012 00:14

Hi,
karesmakro wrote: Nothing changed?
No, and there is no new file in the tmp folder.

I think I will reinstall the 3rd Party Sigs 0.55.3 file tomorrow.

Regards.

Severus
Site Admin
Posts: 457
Joined: 10 Dec 2009 07:01
Location: Nürnberg - Germany

Re: Update for additional ClamAV signature files

Post by Severus » 02 Jan 2012 03:41

First: What about the logfiles crondaily.log, cronhourly.log and cron4hourly.log? Any message of evidence inside them?
Second: Are there any databases set to on or havp on the Antivirus site of copfilter? Maybe they are all set to off accidentally?
Third: The /tmp/clamdatabases directory is created by installation and will not be deleted by any program file. If deleted, this must have been done manually.
Regards Severus

ShelbyGT500
Posts: 846
Joined: 13 May 2010 22:37
Location: FRANCE

Re: Update for additional ClamAV signature files

Post by ShelbyGT500 » 02 Jan 2012 17:14

Hi Severus,
Severus wrote: First: What about the logfiles crondaily.log, cronhourly.log and cron4hourly.log? Any message of evidence inside them?
I've posted a comment with these logs: posting.php?mode=reply&f=3&t=671#pr3265
Severus wrote: Second: Are there any databases set to on or havp on the Antivirus site of copfilter? Maybe they are all set to off accidentally?
No, they are all set to on.
Severus wrote: Third: The /tmp/clamdatabases directory is created by installation and will not be deleted by any program file. If deleted, this must have been done manually.
Yes, it has been done manually: posting.php?mode=reply&f=3&t=671#pr3265

I've uninstalled and installed 3rd party sigs 0.55.3.
Now, there are files in the tmp/clamdatabases folder.

But I've only updates for sanesecurity and malware patrol.
I've no update on the antivirus GUI for Andrew Lewis, OITC, Bill Landry, sanesecurite, ... Maybe due to ClamAV server problems, as stated by Karesmakro. I'll wait 2-3 days to see if the databases are updating.

Note for the next update of the 3rd sigs file: It is always necessary to change the file /home/httpd/cgi-bin/copfilter_antivirus.cgi in line 1018 when you install 3rd sigs (or line 681 if not), for the f-prot update (viewtopic.php?f=3&t=616#p2943).


EDIT 1
I've done another try:
root@ipcop:~ # /var/log/copfilter/default/opt/tools/bin/cron.hourly
root@ipcop:~ # /var/log/copfilter/default/opt/tools/bin/cron.daily
[CET] 2012-01-02 16:21:47
backing up current databases... done
searching for updates...
--2012-01-02 16:21:48-- http://clamav.securiteinfo.com/securiteinfo.hdb
Resolving clamav.securiteinfo.com... 88.191.121.122
Connecting to clamav.securiteinfo.com|88.191.121.122|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5431431 (5.2M) [text/plain]
Saving to: “/tmp/clamdatabases/securiteinfo.hdb”
100%[======================================>] 5,431,431 642K/s in 8.3s
2012-01-02 16:21:56 (637 KB/s) - “/tmp/clamdatabases/securiteinfo.hdb” saved [5431431/5431431]
--2012-01-02 16:21:56-- http://clamav.securiteinfo.com/honeynet.hdb
Resolving clamav.securiteinfo.com... 88.191.121.122
Connecting to clamav.securiteinfo.com|88.191.121.122|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 32171 (31K) [text/plain]
Saving to: “/tmp/clamdatabases/honeynet.hdb”
100%[======================================>] 32,171 --.-K/s in 0.1s
2012-01-02 16:21:56 (265 KB/s) - “/tmp/clamdatabases/honeynet.hdb” saved [32171/32171]
--2012-01-02 16:21:56-- http://clamav.securiteinfo.com/securiteinfobat.hdb
Resolving clamav.securiteinfo.com... 88.191.121.122
Connecting to clamav.securiteinfo.com|88.191.121.122|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 84548 (83K) [text/plain]
Saving to: “/tmp/clamdatabases/secinfobat.hdb”
100%[======================================>] 84,548 408K/s in 0.2s
2012-01-02 16:21:57 (408 KB/s) - “/tmp/clamdatabases/secinfobat.hdb” saved [84548/84548]
--2012-01-02 16:21:57-- http://clamav.securiteinfo.com/securiteinfodos.hdb
Resolving clamav.securiteinfo.com... 88.191.121.122
Connecting to clamav.securiteinfo.com|88.191.121.122|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 281702 (275K) [text/plain]
Saving to: “/tmp/clamdatabases/secinfodos.hdb”
100%[======================================>] 281,702 550K/s in 0.5s
2012-01-02 16:21:57 (550 KB/s) - “/tmp/clamdatabases/secinfodos.hdb” saved [281702/281702]
--2012-01-02 16:21:57-- http://clamav.securiteinfo.com/securiteinfoelf.hdb
Resolving clamav.securiteinfo.com... 88.191.121.122
Connecting to clamav.securiteinfo.com|88.191.121.122|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 53913 (53K) [text/plain]
Saving to: “/tmp/clamdatabases/secinfoelf.hdb”
100%[======================================>] 53,913 347K/s in 0.2s
2012-01-02 16:21:58 (347 KB/s) - “/tmp/clamdatabases/secinfoelf.hdb” saved [53913/53913]
--2012-01-02 16:21:58-- http://clamav.securiteinfo.com/securiteinfohtml.hdb
Resolving clamav.securiteinfo.com... 88.191.121.122
Connecting to clamav.securiteinfo.com|88.191.121.122|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1323114 (1.3M) [text/plain]
Saving to: “/tmp/clamdatabases/secinfohtm.hdb”
100%[======================================>] 1,323,114 620K/s in 2.1s
2012-01-02 16:22:00 (620 KB/s) - “/tmp/clamdatabases/secinfohtm.hdb” saved [1323114/1323114]
--2012-01-02 16:22:00-- http://clamav.securiteinfo.com/securiteinfooffice.hdb
Resolving clamav.securiteinfo.com... 88.191.121.122
Connecting to clamav.securiteinfo.com|88.191.121.122|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 216626 (212K) [text/plain]
Saving to: “/tmp/clamdatabases/secinfooff.hdb”
100%[======================================>] 216,626 527K/s in 0.4s
2012-01-02 16:22:00 (527 KB/s) - “/tmp/clamdatabases/secinfooff.hdb” saved [216626/216626]
--2012-01-02 16:22:00-- http://clamav.securiteinfo.com/securiteinfopdf.hdb
Resolving clamav.securiteinfo.com... 88.191.121.122
Connecting to clamav.securiteinfo.com|88.191.121.122|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 369731 (361K) [text/plain]
Saving to: “/tmp/clamdatabases/secinfopdf.hdb”
100%[======================================>] 369,731 570K/s in 0.6s
2012-01-02 16:22:01 (570 KB/s) - “/tmp/clamdatabases/secinfopdf.hdb” saved [369731/369731]
--2012-01-02 16:22:01-- http://clamav.securiteinfo.com/securiteinfosh.hdb
Resolving clamav.securiteinfo.com... 88.191.121.122
Connecting to clamav.securiteinfo.com|88.191.121.122|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 24651 (24K) [text/plain]
Saving to: “/tmp/clamdatabases/secinfosh.hdb”
100%[======================================>] 24,651 --.-K/s in 0.09s
2012-01-02 16:22:01 (257 KB/s) - “/tmp/clamdatabases/secinfosh.hdb” saved [24651/24651]
updates downloaded...
checking for corrupted databases... done...
restart of clamd suspended...
no newer files available. Nothing updated!
restart of clamd suspended...
[CET] 2012-01-02 16:22:02
______________________________________________________________________________________________________________________________


root@ipcop:~ # /var/log/copfilter/default/opt/tools/bin/cron.4hourly
[CET] 2012-01-02 16:24:19
backing up current databases... done
searching for updates...
--2012-01-02 16:24:20-- http://www.malware.com.br/cgi/submit?ac ... clamav_ext
Resolving www.malware.com.br... 72.14.190.204
Connecting to www.malware.com.br|72.14.190.204|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/plain]
Saving to: “STDOUT”
[ <=> ] 286,059 160K/s in 1.7s
2012-01-02 16:24:22 (160 KB/s) - written to stdout [286059]
updates downloaded...
checking for corrupted databases... done...
reloading databases...
clamd running with pid 30191 30190 30189
1 databases correctly updated...
[CET] 2012-01-02 16:24:24
_______________________________________________________________________________________________________________________________


I've received an e-mail: Copfilter has updated the MalwarePatrol databases for CLAMAV
The Antivirus GUI has not been updated. I will wait for the automatic update.


Regards.

Severus
Site Admin
Posts: 457
Joined: 10 Dec 2009 07:01
Location: Nürnberg - Germany

Re: Update for additional ClamAV signature files

Post by Severus » 03 Jan 2012 00:37

Strange, indeed!
My home machine detects updates for all kinds of databases except Andrew Lewis and CRDF (and, of course, MSRBL).
All other kinds of databases have at least one file updated on Jan 2.
Any evidence in the messages file?
Severus

ShelbyGT500
Posts: 846
Joined: 13 May 2010 22:37
Location: FRANCE

Re: Update for additional ClamAV signature files

Post by ShelbyGT500 » 04 Jan 2012 23:13

Hi,

I still have no updates in addition to those of SECURITEINFO.
The tmp/clamdatabases folder only contains:
secinfobat.hdb
securiteinfo.hdb
honeynet.hdb
secinfodos.hdb
secinfoelf.hdb
secinfohtm.hdb
secinfooff.hdb
secinfopdf.hdb
secinfosh.hdb

I reinstalled the 3rd party sigs file several times, but without result.
Is it necessary to reinstall copfilter or is there another solution?

Regards.
Last edited by ShelbyGT500 on 06 Jan 2012 00:28, edited 2 times in total.

Severus
Site Admin
Posts: 457
Joined: 10 Dec 2009 07:01
Location: Nürnberg - Germany

Re: Update for additional ClamAV signature files

Post by Severus » 05 Jan 2012 16:34

Well, please have a look at the file
/var/log/copfilter/default/etc/global_settings
to check that all entries starting with "THRDP_" end with "=on" or "=havp".
Otherwise ensure the file rsync is present in /usr/bin/
If this all is OK, the files provided by Sanesecurity must be downloaded.
As I could see in your posts, mbl and Securiteinfo files are downloaded correctly.
Please check if the databases in the directory /var/log/copfilter/default/opt/clamav/virdb/ are the same as in /tmp/clamdatabases/ to ensure the update process runs correctly.
The AntiVirus GUI for 3rd-party databases should be displayed correctly if the databases are updated.
Only the databases downloaded by freshclam use the CURRENTVERSION file for display.
Severus
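
The checks listed in the post above, written out as an added shell example; it is not part of the original thread or of Copfilter's own scripts. The function names and the sample data are made up for illustration; on a real box the arguments would be the paths named in the post.

```sh
#!/bin/sh
# Added example: function names and sample data are hypothetical.

# Print every THRDP_ entry whose value is neither "on" nor "havp".
thrdp_not_enabled() {
    awk -F= '/^THRDP_/ && $2 != "on" && $2 != "havp"' "$1"
}

# Print staged database files that are missing from, or differ in
# content from, the live signature directory (compared byte-for-byte).
stale_in_virdb() {
    staging=$1; live=$2
    for f in "$staging"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        if [ ! -f "$live/$name" ]; then
            echo "missing: $name"
        elif ! cmp -s "$f" "$live/$name"; then
            echo "differs: $name"
        fi
    done
}

# True if an executable rsync exists in the given directory (default /usr/bin).
has_rsync() {
    [ -x "${1:-/usr/bin}/rsync" ]
}

# Constructed sample data so the script runs anywhere (not from a real system).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir "$demo/staging" "$demo/virdb"
printf '%s\n' THRDP_MBL_ENABLE=havp THRDP_SPAM_ENABLE=off \
    THRDP_SHOW_GUI_ENABLE=on > "$demo/global_settings"
echo sig-v2 > "$demo/staging/honeynet.hdb"   # newer copy in staging
echo sig-v1 > "$demo/virdb/honeynet.hdb"     # older copy still live
echo sig-v1 > "$demo/staging/mbl.ndb"        # never copied to virdb

echo "THRDP_ entries not set to on/havp:"
thrdp_not_enabled "$demo/global_settings"
echo "Staged files not in sync with virdb:"
stale_in_virdb "$demo/staging" "$demo/virdb"
if has_rsync; then echo "rsync found in /usr/bin"; else echo "rsync missing from /usr/bin"; fi
```

Files that exist only in the live directory (main.cld, daily.cld and the other freshclam databases) are ignored on purpose, since they are not delivered through the staging folder.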

ShelbyGT500
Posts: 846
Joined: 13 May 2010 22:37
Location: FRANCE

Re: Update for additional ClamAV signature files

Post by ShelbyGT500 » 05 Jan 2012 21:48

Hi Severus,
Severus wrote: Well, please have a look at the file
/var/log/copfilter/default/etc/global_settings
to check that all entries starting with "THRDP_" end with "=on" or "=havp".
It's OK:
THRDP_CRDFAM_ENABLE=havp
THRDP_HONEYNET_ENABLE=havp
THRDP_INET_ENABLE=havp
THRDP_JUNK_ENABLE=havp
THRDP_JURLBLA_ENABLE=havp
THRDP_JURLBL_ENABLE=havp
THRDP_LOTT_ENABLE=havp
THRDP_LW_IMAGE_ENABLE=havp
THRDP_LW_SCAM_ENABLE=havp
THRDP_MAIL_NOTIF_ENABLE=on
THRDP_MBL_ENABLE=havp
THRDP_MSRBL_IMAGES_ENABLE=havp
THRDP_MSRBL_SPAM_ENABLE=havp
THRDP_PHISH_ENABLE=havp
THRDP_ROGUE_ENABLE=havp
THRDP_SCAMNAILER_ENABLE=havp
THRDP_SCAM_ENABLE=havp
THRDP_SECINFOBAT_ENABLE=havp
THRDP_SECINFODOS_ENABLE=havp
THRDP_SECINFOELF_ENABLE=havp
THRDP_SECINFOHTM_ENABLE=havp
THRDP_SECINFOOFF_ENABLE=havp
THRDP_SECINFOPDF_ENABLE=havp
THRDP_SECINFOSH_ENABLE=havp
THRDP_SECURITEINFO_ENABLE=havp
THRDP_SHOW_GUI_ENABLE=on
THRDP_SPAMATTACH_ENABLE=havp
THRDP_SPAMIMG_ENABLE=havp
THRDP_SPAM_ENABLE=havp
THRDP_SPEARL_ENABLE=havp
THRDP_SPEAR_ENABLE=havp
THRDP_WATTACH_ENABLE=havp
THRDP_WMAL_ENABLE=havp
THRDP_WPATT_ENABLE=havp
THRDP_WPHSH_ENABLE=havp
THRDP_WSPAM_ENABLE=havp

Severus wrote: Otherwise ensure the file rsync is present in /usr/bin/
If this all is OK, the files provided by Sanesecurity must be downloaded.
rsync is present. But I have no files from Sanesecurity.
Severus wrote: As I could see in your posts, mbl and Securiteinfo files are downloaded correctly.
Please check if the databases in the directory /var/log/copfilter/default/opt/clamav/virdb/ are the same as in /tmp/clamdatabases/ to ensure the update process runs correctly.
Only Securiteinfo files, and Malwarepatrol files are downloaded correctly.

It's OK. In the directory /var/log/copfilter/default/opt/clamav/virdb/, there are:
bytecode.cld
daily.cld
honeynet.hdb
main.cld
mbl.ndb
mirrors.dat
safebrowsing.cld
secinfobat.hdb
secinfodos.hdb
secinfoelf.hdb
secinfohtm.hdb
secinfooff.hdb
secinfopdf.hdb
secinfosh.hdb
securiteinfo.hdb
sigwightlist.ign2.


In /tmp/clamdatabases/, there are:
honeynet.hdb
mbl.ndb
secinfobat.hdb
secinfodos.hdb
secinfoelf.hdb
secinfohtm.hdb
secinfooff.hdb
secinfopdf.hdb
secinfosh.hdb
securiteinfo.hdb

Severus wrote: The AntiVirus GUI for 3rd-party databases should be displayed correctly if the databases are updated.
Only the databases downloaded by freshclam use the CURRENTVERSION file for display.
The AntiVirus GUI for 3rd-party databases isn't displayed for other databases.

EDIT
I do not want to spend time on this problem. I've reinstalled copfilter, and it's OK.
Thank you for your help.

Regards
