ClamAV 0.97.6 Copfilter 2.0.91beta1 und 2.0.91beta3 Packet

This forum is for all copfilter version 2 support related questions in English. (IPCop version 2)
karesmakro
Site Admin
Posts: 1280
Joined: 09 Dec 2009 21:17

ClamAV 0.97.6 Copfilter 2.0.91beta1 und 2.0.91beta3 Packet

Post by karesmakro »

ClamAV 0.97.6 update available with C-ICAP 0.2.1 and recompiled HAVP-0.92a
Changelog: https://github.com/vrtadmin/clamav-deve ... mav-0.97.6

This update contains C-ICAP 0.2.1, which uses the clamd socket by default for performance reasons. Please note the update installer's instructions on execution, which describe how to deactivate this option!

Download Copfilter 2.0.91beta1:
http://www.it-connect-unix.de/copfilter ... ackage.tgz
md5sum: af4954567380b0298110e339853081fe

Uploaded again, because the havp binary was missing!
Download Copfilter 2.0.91beta3:
http://www.it-connect-unix.de/copfilter ... ackage.tgz
md5sum: 010656e785d9d8d6fe40d6b6bf9155b1

Install:

    tar xzf update-package.tgz
    cd update-package
    ./install

regards
Last edited by karesmakro on 19 Sep 2012 00:24, edited 1 time in total.
Reason: updated md5sum
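
An added example (not copfilter's own install script) showing the step the post above leaves implicit: compare the downloaded package against the posted md5sum and only unpack and run ./install when it matches. It assumes the package name update-package.tgz and the update-package/install layout from the post; the checksum is passed in by the caller.

```shell
#!/bin/sh
# Added example (not copfilter's own install script): verify the published md5sum
# before unpacking and running an update package. Assumes the package is named
# update-package.tgz and unpacks to update-package/ containing ./install, as in
# the post above; the checksum value is supplied by the caller.
set -eu

verify_md5() {
    # $1 = file, $2 = expected md5 (32 hex digits); returns 0 on match, 1 on mismatch.
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(md5sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "md5 mismatch for $file: got $actual, expected $expected" >&2
    return 1
}

install_update() {
    # Unpack into a fresh temp dir and run ./install only after the checksum matched.
    pkg=$1
    expected=$2
    verify_md5 "$pkg" "$expected" || return 1
    tmp=$(mktemp -d)
    tar xzf "$pkg" -C "$tmp"
    ( cd "$tmp/update-package" && ./install )
}

# Stand-alone use: ./verify-install.sh update-package.tgz <md5sum from the post>
if [ $# -ge 2 ]; then
    install_update "$1" "$2"
fi
```

Caveat: an md5sum published on the same unauthenticated HTTP page as the download only catches a truncated or corrupted transfer. Anyone who can substitute the package can substitute the posted hash too, and MD5 itself is collision-broken, so this check is not a substitute for a signature over the package.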

g7nbp
Posts: 10
Joined: 26 Sep 2012 13:53

Re: ClamAV 0.97.6 Copfilter 2.0.91beta1 und 2.0.91beta3 Pack

Post by g7nbp »

After updating to latest 0.97.6 I see some false positive c-icap reports for some sites with an odd virus name

VIRUS FOUND
You tried to upload/download a file that contains the virus: Write Failed
The HTTP location is: http://www.ebuyer.com/

For more information contact your system administrator.

This message was generated by C-ICAP service: virus_scan
Clamav antivirus engine: 0976/15401

I have verified that the url is safe via several other scanners.

Rolling back to the previous 0.97.5 from backups resolves the problem. Re-installing reproduces it.

Having grep'd the assorted 3rd party signature files for human-readable text, I cannot locate the string "write failed" in any of them, so I tend to think this is a bug rather than a rogue sig file giving a false positive.

What further tests can I run to confirm this?

--
Chris W.

karesmakro
Site Admin
Posts: 1280
Joined: 09 Dec 2009 21:17

Re: ClamAV 0.97.6 Copfilter 2.0.91beta1 und 2.0.91beta3 Pack

Post by karesmakro »

Hello g7nbp and welcome to copfilter forum!

I think there was no virus found! Instead there is probably a permission problem, which leads to this false positive.
Which copfilter version are you running, and can you please take a look at the log files clamd.log and icap_server.log (perhaps you'll find something in squid's access.log)?

regards

g7nbp
Posts: 10
Joined: 26 Sep 2012 13:53

Re: ClamAV 0.97.6 Copfilter 2.0.91beta1 und 2.0.91beta3 Pack

Post by g7nbp »

copfilter 2.0.91beta3

I should mention that only a very small number of sites are affected; testing the EICAR site etc. correctly identifies the test file. Other sites are fine.

I previously checked all the logs mentioned for any signs of problems, but there isn't much that's conclusive.

clamd.log:
Thu Sep 27 21:25:22 2012 -> +++ Started at Thu Sep 27 21:25:22 2012
Thu Sep 27 21:25:22 2012 -> clamd daemon 0.97.6 (OS: linux-gnu, ARCH: i386, CPU: i686)
Thu Sep 27 21:25:22 2012 -> Running as user spam (UID 1001, GID 1002)
Thu Sep 27 21:25:22 2012 -> Log file size limited to 15728640 bytes.
Thu Sep 27 21:25:22 2012 -> Reading databases from /var/log/copfilter/default/opt/clamav/virdb
Thu Sep 27 21:25:22 2012 -> Not loading PUA signatures.
Thu Sep 27 21:25:22 2012 -> Bytecode: Security mode set to "TrustSigned".
Thu Sep 27 21:25:30 2012 -> Loaded 1617045 signatures.
Thu Sep 27 21:25:32 2012 -> LOCAL: Unix socket file /var/log/copfilter/default/opt/clamav/var/run/clamd.socket
Thu Sep 27 21:25:32 2012 -> LOCAL: Setting connection queue length to 30
Thu Sep 27 21:25:32 2012 -> Limits: Global size limit set to 104857600 bytes.
Thu Sep 27 21:25:32 2012 -> Limits: File size limit set to 26214400 bytes.
Thu Sep 27 21:25:32 2012 -> Limits: Recursion level limit set to 16.
Thu Sep 27 21:25:32 2012 -> Limits: Files limit set to 10000.
Thu Sep 27 21:25:32 2012 -> Archive support enabled.
Thu Sep 27 21:25:32 2012 -> Archive: Blocking encrypted archives.
Thu Sep 27 21:25:32 2012 -> Algorithmic detection enabled.
Thu Sep 27 21:25:32 2012 -> Portable Executable support enabled.
Thu Sep 27 21:25:32 2012 -> ELF support enabled.
Thu Sep 27 21:25:32 2012 -> Mail files support enabled.
Thu Sep 27 21:25:32 2012 -> OLE2 support enabled.
Thu Sep 27 21:25:32 2012 -> PDF support enabled.
Thu Sep 27 21:25:32 2012 -> HTML support enabled.
Thu Sep 27 21:25:32 2012 -> Heuristic: precedence enabled
Thu Sep 27 21:25:32 2012 -> Self checking every 3600 seconds.
Thu Sep 27 21:25:32 2012 -> Set stacksize to 8454144
Thu Sep 27 21:40:10 2012 -> Reading databases from /var/log/copfilter/default/opt/clamav/virdb
Thu Sep 27 21:40:20 2012 -> Database correctly reloaded (1617292 signatures)
Thu Sep 27 21:45:09 2012 -> Reading databases from /var/log/copfilter/default/opt/clamav/virdb
Thu Sep 27 21:45:24 2012 -> Database correctly reloaded (1617408 signatures)

and associated freshclam.log
ClamAV update process started at Thu Sep 27 21:45:00 2012
main.cvd is up to date (version: 54, sigs: 1044387, f-level: 60, builder: sven)
Downloading daily-15402.cdiff [100%]
Downloading daily-15403.cdiff [100%]
Downloading daily-15404.cdiff [100%]
Downloading daily-15405.cdiff [100%]
Downloading daily-15406.cdiff [100%]
Downloading daily-15407.cdiff [100%]
Downloading daily-15408.cdiff [100%]
daily.cld updated (version: 15408, sigs: 268510, f-level: 63, builder: guitar)
bytecode.cld is up to date (version: 190, sigs: 36, f-level: 63, builder: neo)
Database updated (1312933 signatures) from database.clamav.net (IP: 217.135.32.99)
Clamd successfully notified about the update.
ClamAV 0.97.6/15408/Wed Sep 26 23:51:09 2012

I have url filter enabled - the last Active Blacklist update Shalla's Blacklist Last Update: 27. Sep 20:52
(after problems noticed)


My 3rd party list is:
Securiteinfo databases:
Sep 24 10:24 securiteinfo.hdb
Aug 21 10:07 secinfoelf.hdb
Sep 2 10:25 secinfohtm.hdb
Feb 10 2012 secinfooff.hdb
Aug 16 09:12 secinfopdf.hdb
Aug 21 10:26 secinfosh.hdb

Sanesecurity databases:
Jul 19 09:40 spam.ldb
Jul 19 09:40 spamimg.hdb
Sep 27 21:40 rogue.hdb

OITC databases:
Sep 27 21:40 wmal.hdb

MalwarePatrol database:
Sep 25 00:10 mbl.ndb

I have tried disabling the 3rd party sigs and removing the virdbs and restarting and this has no effect

At a loss now to see where the problem is coming from

icap_server.log
Thu Sep 27 21:45:24 2012, 5885/3076069056, Clamav virus database reload command received
Thu Sep 27 22:06:44 2012, 5885/3028704112, VIRUS DETECTED: Write Failed , http client ip: 192.168.0.199, http user: -, http url: http://www.ebuyer.com/


squid access.log
1348783604.501 350 192.168.0.199 TCP_MISS/403 1328 GET http://www.ebuyer.com/ - DIRECT/89.107.41.30 text/html

I'm out of ideas?
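
A triage script for the icap_server.log lines quoted above, added here as an example; it is not part of the thread and not copfilter's or c-icap's code. It assumes the field layout visible in the quoted log lines and uses the heuristic that a genuine ClamAV signature name is a single token without spaces, so a "virus name" like "Write Failed" is flagged as an engine or I/O error string rather than a detection. The sample lines are constructed from the thread's excerpts; the EICAR line is invented to show the other case.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the icap_server.log lines quoted in this thread.
# The last line is a made-up genuine hit (the EICAR test file) so that the two
# kinds of "VIRUS DETECTED" entries can be told apart; it is not from the thread.
SAMPLE_LOG = """\
Thu Sep 27 21:45:24 2012, 5885/3076069056, Clamav virus database reload command received
Thu Sep 27 22:06:44 2012, 5885/3028704112, VIRUS DETECTED: Write Failed , http client ip: 192.168.0.199, http user: -, http url: http://www.ebuyer.com/
Fri Sep 28 09:09:26 2012, 25090/2883009392, VIRUS DETECTED: Write Failed , http client ip: 192.168.0.199, http user: -, http url: http://www.everythingrf.com/
Fri Sep 28 09:37:28 2012, 25091/2849454960, VIRUS DETECTED: Write Failed , http client ip: 192.168.0.20, http user: -, http url: http://people.directory.live.com/people/abcore
Fri Sep 28 10:02:11 2012, 25091/2874620784, VIRUS DETECTED: Eicar-Test-Signature , http client ip: 192.168.0.45, http user: -, http url: http://www.eicar.org/download/eicar.com
"""

# Field layout as it appears in the thread's log excerpts (an assumption about
# this c-icap build's format, not a documented interface).
DETECT_RE = re.compile(
    r"^(?P<ts>.+?), (?P<pid>\d+)/(?P<tid>\d+), VIRUS DETECTED: (?P<name>.*?)\s*, "
    r"http client ip: (?P<ip>\S+), http user: (?P<user>\S+), http url: (?P<url>\S+)$"
)

# Heuristic: a ClamAV signature name is one token of letters, digits, '.', '_' and '-'
# (e.g. Eicar-Test-Signature, Heuristics.Broken.Executable). A "name" containing
# spaces such as "Write Failed" is an error string that reached the block page.
SIG_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def parse_detections(text):
    """Return one dict per VIRUS DETECTED line; other lines (reloads etc.) are skipped."""
    found = []
    for line in text.splitlines():
        m = DETECT_RE.match(line)
        if m:
            found.append(m.groupdict())
    return found


def is_signature_name(name):
    return SIG_NAME_RE.match(name) is not None


def triage(text):
    """Split detections into genuine signature hits and pseudo-detections."""
    hits, errors = [], []
    for d in parse_detections(text):
        (hits if is_signature_name(d["name"]) else errors).append(d)
    return hits, errors


def error_summary(errors):
    """Map each pseudo-name to the URLs it blocked, ready to paste into a bug report."""
    by_name = defaultdict(list)
    for d in errors:
        by_name[d["name"]].append(d["url"])
    return dict(by_name)


if __name__ == "__main__":
    hits, errors = triage(SAMPLE_LOG)
    print(f"genuine hits: {len(hits)}, pseudo-detections: {len(errors)}")
    for name, urls in error_summary(errors).items():
        print(f"  {name!r} blocked {len(urls)} URL(s): {', '.join(urls)}")
```

Run it over the real icap_server.log instead of SAMPLE_LOG to get the list of URLs and pseudo-names for a bug report. A non-signature "name" points at the scanning plumbing (the clamd socket, temp-file permissions, disk) rather than at a signature file, which is the direction the thread's replies take.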

karesmakro
Site Admin
Posts: 1280
Joined: 09 Dec 2009 21:17

Re: ClamAV 0.97.6 Copfilter 2.0.91beta1 und 2.0.91beta3 Pack

Post by karesmakro »

There was a change in the c-icap configuration file in this update. Can you please change the setting in /var/log/copfilter/default/opt/c_icap/etc/virus_scan.conf from

    virus_scan.UseClamd on

to

    virus_scan.UseClamd off

restart the c-icap service and repeat your tests?

g7nbp
Posts: 10
Joined: 26 Sep 2012 13:53

Re: ClamAV 0.97.6 Copfilter 2.0.91beta1 und 2.0.91beta3 Pack

Post by g7nbp »

Tested, no change. The site is still reported as having "Write Failed".

edit: Most other sites are not affected. Whatever the problem is, it is specific to just a very few websites.
Last edited by g7nbp on 28 Sep 2012 12:58, edited 1 time in total.

g7nbp
Posts: 10
Joined: 26 Sep 2012 13:53

Re: ClamAV 0.97.6 Copfilter 2.0.91beta1 und 2.0.91beta3 Pack

Post by g7nbp »

Another site affected which checks out safe is http://everythingrf.com; same virus message "Write Failed".

Fri Sep 28 08:51:53 2012, 26977/2899786608, VIRUS DETECTED: Write Failed , http client ip: 192.168.0.12, http user: -, http url: http://www.ebuyer.com/
Fri Sep 28 09:09:26 2012, 25090/2883009392, VIRUS DETECTED: Write Failed , http client ip: 192.168.0.199, http user: -, http url: http://www.everythingrf.com/

Apart from google ad services, there is little commonality between the source code / images for the two sites


edit: two more "write failed" blocks just spotted:
Fri Sep 28 09:37:28 2012, 25091/2849454960, VIRUS DETECTED: Write Failed , http client ip: 192.168.0.20, http user: -, http url: http://people.directory.live.com/people/abcore
Fri Sep 28 09:50:01 2012, 25091/2874620784, VIRUS DETECTED: Write Failed , http client ip: 192.168.0.45, http user: -, http url: http://www.dailypost.co.uk/sport-news/w ... -31922261/

(Its a reasonably high volume network so these false positives represent a very small fraction of traffic so far)

karesmakro
Site Admin
Posts: 1280
Joined: 09 Dec 2009 21:17

Re: ClamAV 0.97.6 Copfilter 2.0.91beta1 und 2.0.91beta3 Pack

Post by karesmakro »

Have you checked that you have enough disk space and memory?
Please provide the output of

    free

and

    df -h

I haven't seen this behaviour yet, but I will have a try this evening!

g7nbp
Posts: 10
Joined: 26 Sep 2012 13:53

Re: ClamAV 0.97.6 Copfilter 2.0.91beta1 und 2.0.91beta3 Pack

Post by g7nbp »

Also: adding everythingrf.com to the "Virus Scan exceptions for destinations" box on the c-icap page, saving and restarting has no effect; the URL is still virus scanned and reported as having a virus (cache cleared on browser and squid before checking).

g7nbp
Posts: 10
Joined: 26 Sep 2012 13:53

Re: ClamAV 0.97.6 Copfilter 2.0.91beta1 und 2.0.91beta3 Pack

Post by g7nbp »

karesmakro wrote:
    Have you checked that you have enough disk space and memory?
    Please provide the output of

        free

    and

        df -h

    I haven't seen this behaviour yet, but I will have a try this evening!

Yes, lots; it's not a small box we are talking about here.

root@gatekeeper:/var # free
             total       used       free     shared    buffers     cached
Mem:       2074864    1898244     176620          0      89864    1354664
-/+ buffers/cache:     453716    1621148
Swap:       262136          0     262136

The box never hits swap

root@gatekeeper:/var # df -h
Filesystem      Size  Used Avail Use% Mounted on
tmpfs          1014M   72K 1014M   1% /dev
/dev/sda1       755M  421M  297M  59% /
/dev/sda2       229G  1.4G  216G   1% /var/log
tmpfs          1014M  151M  863M  15% /tmp
shm            1014M     0 1014M   0% /dev/shm
