ClamAV 0.97.6 Copfilter 2.0.91beta1 and 2.0.91beta3 Package

karesmakro
Site Admin
Posts: 1280
Joined: 09 Dec 2009 21:17

Re: ClamAV 0.97.6 Copfilter 2.0.91beta1 and 2.0.91beta3 Pack

Post by karesmakro » 28 Sep 2012 13:19

OK, thanks so far! I will run some tests in the evening and see if I can reproduce this behaviour.

g7nbp
Posts: 10
Joined: 26 Sep 2012 13:53

Re: ClamAV 0.97.6 Copfilter 2.0.91beta1 and 2.0.91beta3 Pack

Post by g7nbp » 28 Sep 2012 13:30

Many thanks!

g7nbp
Posts: 10
Joined: 26 Sep 2012 13:53

Re: ClamAV 0.97.6 Copfilter 2.0.91beta1 and 2.0.91beta3 Pack

Post by g7nbp » 28 Sep 2012 18:04

OK... I've been looking at this on and off during the day...

Just to give some perspective as to how specific this is, today's access log shows 93,000+ HTTP requests (a relatively quiet day! 6x this is not unusual):

# cat /var/log/squid/access.log | wc
93186 931860 18935629

Of those, this was the traffic that raised an FP:

# cat /var/log/copfilter/default/log/icap_server.log | grep "Write Failed" | wc
45 945 7615


Just 45! So normally I wouldn't call this a big deal, but two of the sites that are affected are primary visit sites for the users.

An update of the unique affected URLs found to date is:

Fri Sep 28 09:50:01 2012, 25091/2874620784, VIRUS DETECTED: Write Failed , http client ip: 192.168.0.45, http user: -, http url: http://www.dailypost.co.uk/sport-news/w ... -31922261/
Fri Sep 28 13:08:53 2012, 22703/2882366320, VIRUS DETECTED: Write Failed , http client ip: 192.168.0.199, http user: -, http url: http://www.everythingrf.com/
Fri Sep 28 13:09:39 2012, 22704/2882366320, VIRUS DETECTED: Write Failed , http client ip: 192.168.0.199, http user: -, http url: http://www.ebuyer.com/
Fri Sep 28 13:28:03 2012, 30585/2823646064, VIRUS DETECTED: Write Failed , http client ip: 192.168.0.12, http user: -, http url: http://cdn.widgets.spongecell.com/crossdomain.xml
Fri Sep 28 15:28:37 2012, 903/2865589104, VIRUS DETECTED: Write Failed , http client ip: 192.168.0.20, http user: -, http url: http://people.directory.live.com/people/abcore

I've had a good look at all of them, and really can't see much commonality at all as to why they would be triggering a problem. Size, content and media are all different (one URL is a pure XML feed). Each URL is 100% reproducible, i.e. there are no occasions when it works; results are consistent. As commented, system resources on the server that is running it are barely touched.

I have installed a disk image of the machine (recent snapshot) and updated to the latest version of clam and can reproduce the same results on a second box, so this is not limited to a specific machine (though it may be specific to the install, as it is a clone).

There are no problems with creating temp files etc.

I've grepped ALL the other logs outside the copfilter part of the tree and can't find any "write fail" warnings elsewhere.

As far as I can tell virus / phishing blocking is working normally for SMTP / POP3.

There have been blacklist, 3rd party sigs and clam sig updates throughout the day without change.

The problem was first noted before this morning's housekeeping.

I'm not sure if that narrows it down any.
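The triage described in the post above (pulling the "Write Failed" entries out of icap_server.log and reducing them to the distinct sites involved) can be scripted. This is an added example, not part of the original post or of Copfilter; the function names are hypothetical and the sample lines are constructed, modelled on the log layout quoted above, with "Eicar-Test-Signature" standing in for a genuine detection.

```shell
#!/bin/sh
# Added example: summarise "Write Failed" entries per host so false positives
# can be told apart from genuine detections at a glance.
# Output columns: hits, distinct client IPs, host (most hits first).
summarize_write_failed() {
    awk '
        /VIRUS DETECTED: Write Failed/ {
            u = index($0, "http url: ")
            c = index($0, "http client ip: ")
            if (u == 0 || c == 0) next            # not the expected layout
            host = substr($0, u + 10)             # text after "http url: "
            sub("^[A-Za-z]+://", "", host)        # drop the scheme
            sub("[/?#].*$", "", host)             # drop path, query, fragment
            host = tolower(host)
            ip = substr($0, c + 16)               # text after "http client ip: "
            sub(",.*$", "", ip)
            hits[host]++
            if (!((host, ip) in seen)) { seen[host, ip] = 1; clients[host]++ }
        }
        END { for (h in hits) printf "%d %d %s\n", hits[h], clients[h], h }
    ' "$@" | sort -k1,1nr -k3,3
}

# Constructed sample input (documentation addresses and hosts, not real traffic).
constructed_sample() {
    cat <<'EOF'
Fri Sep 28 09:50:01 2012, 25091/1, VIRUS DETECTED: Write Failed , http client ip: 192.0.2.45, http user: -, http url: http://news.example.test/sport/a
Fri Sep 28 09:51:10 2012, 25091/1, VIRUS DETECTED: Write Failed , http client ip: 192.0.2.45, http user: -, http url: http://news.example.test/sport/b
Fri Sep 28 13:08:53 2012, 22703/1, VIRUS DETECTED: Write Failed , http client ip: 192.0.2.199, http user: -, http url: http://NEWS.example.test/
Fri Sep 28 13:09:39 2012, 22704/1, VIRUS DETECTED: Eicar-Test-Signature , http client ip: 192.0.2.199, http user: -, http url: http://files.example.test/eicar.com
Fri Sep 28 13:28:03 2012, 30585/1, VIRUS DETECTED: Write Failed , http client ip: 192.0.2.12, http user: -, http url: http://cdn.example.test/crossdomain.xml
EOF
}

# On the firewall itself the input would be the log named in the post:
#   summarize_write_failed /var/log/copfilter/default/log/icap_server.log
constructed_sample | summarize_write_failed
```

A host that fails for every client that visits it, while other detections keep their own signature names, points at the scanning path rather than at the content.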

karesmakro
Site Admin
Posts: 1280
Joined: 09 Dec 2009 21:17

Re: ClamAV 0.97.6 Copfilter 2.0.91beta1 and 2.0.91beta3 Pack

Post by karesmakro » 28 Sep 2012 19:53

Thank you very much for your deep inspection!
Meanwhile I'm able to reproduce this issue and I'm trying to find out why this happens.
I'll be back with more information soon.

From what I saw, I think the issue comes from c-icap itself, which has problems with compressed objects ...

regards

karesmakro
Site Admin
Posts: 1280
Joined: 09 Dec 2009 21:17

Re: ClamAV 0.97.6 Copfilter 2.0.91beta1 and 2.0.91beta3 Pack

Post by karesmakro » 09 Oct 2012 14:00

So, we are a step further! There was a bug in c-icap and I have a patch for this. I'll try this in the evening and, if all is OK, I'll prepare an update for Copfilter.

karesmakro
Site Admin
Posts: 1280
Joined: 09 Dec 2009 21:17

Re: ClamAV 0.97.6 Copfilter 2.0.91beta1 and 2.0.91beta3 Pack

Post by karesmakro » 11 Oct 2012 19:47

C-ICAP has been fixed and is now also available for Copfilter 2.0.91beta3!
This package includes some fixes for copfilter_c-icap and check-c_icap-update-time.sh, too.

If you made your own settings for c-icap.conf or virus_scan.conf, please make a backup before installing this update!

http://www.it-connect-unix.de/copfilter ... VN_927.tgz
md5sum: 538a564ac595c9cf1525e273e5eb7977


tar -xzvf copfilter-2.0.91beta3_c-icap_SVN_927.tgz
cd copfilter-2.0.91beta3_c-icap_SVN_927
./install

g7nbp
Posts: 10
Joined: 26 Sep 2012 13:53

Re: ClamAV 0.97.6 Copfilter 2.0.91beta1 and 2.0.91beta3 Pack

Post by g7nbp » 17 Oct 2012 22:39

Confirmed as a fix on multiple systems. (Sorry for the slow response - busy weekend and testing here before wider rollout!)

Many thanks for work on this.
