
20th February 2011, 12:46
|
|
Senior Member
|
|
Join Date: Feb 2007
Posts: 225
Thanks: 47
Thanked 9 Times in 6 Posts
|
|
Possible problem with older versions of ClamAV (0.96-0.96.3)
Hi,
I have received a clamav-announce message:
Quote:
Dear users,
ClamAV versions older than 0.96.4 are affected by a bug in the logical
signature parser, which can make them load and mishandle signatures
designed for newer engines. As a result, these versions may generate
incorrect detections, leading to false positive alerts.
If you're running one of these releases, we strongly advise to upgrade it.
Thank you,
|
The version used by ISPConfig 2.2.37 is 0.96.1.
Is a new version of ISPConfig with the latest ClamAV version scheduled, or how do I upgrade ClamAV?
Thanks
|
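Added example, not part of the original post or of ISPConfig: a shell check that parses a `clamscan --version` style banner and reports whether the engine is older than 0.96.4, the range the announcement names. The binary path is an assumption derived from the install prefix in the configure line posted in this thread.

```shell
#!/bin/sh
# Added example: decide whether a ClamAV engine version is older than 0.96.4.

# Extract the engine version from a version banner,
# e.g. "ClamAV 0.96.1/12712/Sun Feb 20 10:00:00 2011" -> "0.96.1".
engine_version() {
    printf '%s\n' "$1" | sed -n 's/^ClamAV \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 (true) if version $1 is strictly older than version $2.
# Dotted numeric fields are compared left to right; missing fields count as 0.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# Print "affected", "ok" or "unknown" for a version banner.
check_banner() {
    v=$(engine_version "$1")
    if [ -z "$v" ]; then echo unknown
    elif version_lt "$v" 0.96.4; then echo affected
    else echo ok
    fi
}

# Assumed location: bin/clamscan under the --prefix used for the ISPConfig build.
CLAMSCAN=/home/admispconfig/ispconfig/tools/clamav/bin/clamscan
if [ -x "$CLAMSCAN" ]; then
    check_banner "$("$CLAMSCAN" --version)"
fi
```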

21st February 2011, 14:47
|
|
Super Moderator
|
|
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,685
Thanks: 1,899
Thanked 2,599 Times in 2,448 Posts
|
|
Download ClamAV 0.97 to your server, and then run these commands from within the folder where you stored the downloaded ClamAV file:
Code:
CLAMAV=clamav-0.97
APPLICATION_NAME=ispconfig
INSTALL_ROOT=/root/${APPLICATION_NAME}
INSTALL_ROOT_TMP=${INSTALL_ROOT}_tmp
COMPILE_DIR=`pwd`
ARCH=`uname -m`
tar xvfz ${CLAMAV}.tar.gz
cd ${CLAMAV}
./configure --prefix=/home/adm${APPLICATION_NAME}/${APPLICATION_NAME}/tools/clamav --sysconfdir=/home/adm${APPLICATION_NAME}/${APPLICATION_NAME}/tools/clamav/etc --with-user=adm${APPLICATION_NAME} --with-group=adm${APPLICATION_NAME} --disable-clamav --disable-bzip2 --disable-zlib-vcheck
if [ $? != 0 ]; then
./configure --prefix=/home/adm${APPLICATION_NAME}/${APPLICATION_NAME}/tools/clamav --sysconfdir=/home/adm${APPLICATION_NAME}/${APPLICATION_NAME}/tools/clamav/etc --with-user=adm${APPLICATION_NAME} --with-group=adm${APPLICATION_NAME} --disable-clamav --disable-bzip2 --disable-zlib-vcheck --disable-gcc-vcheck CFLAGS="-O0"
fi
make
make install
cp -f COPYING /home/adm${APPLICATION_NAME}/${APPLICATION_NAME}/tools/clamav/
cd ${COMPILE_DIR}
cp -f clamav.conf /home/adm${APPLICATION_NAME}/${APPLICATION_NAME}/tools/clamav/etc/clamav.conf
cp -f freshclam.conf /home/adm${APPLICATION_NAME}/${APPLICATION_NAME}/tools/clamav/etc/freshclam.conf
rm -f /home/adm${APPLICATION_NAME}/${APPLICATION_NAME}/tools/clamav/etc/clamd.conf
cd /home/adm${APPLICATION_NAME}/${APPLICATION_NAME}/tools/clamav/etc/
ln -s clamav.conf clamd.conf
cd ${COMPILE_DIR}
|

24th February 2011, 00:14
|
|
Senior Member
|
|
Join Date: Jul 2008
Location: The Netherlands
Posts: 139
Thanks: 46
Thanked 7 Times in 5 Posts
|
|
Hi,
Thanks for your howto.
I got some errors:
Code:
server1:/tmp/clamav-0.97# cd ${COMPILE_DIR}
server1:/tmp# cp -f clamav.conf /home/adm${APPLICATION_NAME}/${APPLICATION_NAME}/tools/clamav/etc/clamav.conf
cp: cannot stat `clamav.conf': No such file or directory
server1:/tmp# cp -f freshclam.conf /home/adm${APPLICATION_NAME}/${APPLICATION_NAME}/tools/clamav/etc/freshclam.conf
cp: cannot stat `freshclam.conf': No such file or directory
server1:/tmp# rm -f /home/adm${APPLICATION_NAME}/${APPLICATION_NAME}/tools/clamav/etc/clamd.conf
server1:/tmp# cd /home/adm${APPLICATION_NAME}/${APPLICATION_NAME}/tools/clamav/etc/
server1:/home/admispconfig/ispconfig/tools/clamav/etc# ln -s clamav.conf clamd.conf
server1:/home/admispconfig/ispconfig/tools/clamav/etc# cd ${COMPILE_DIR}
|

24th February 2011, 15:32
|
|
Super Moderator
|
|
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,685
Thanks: 1,899
Thanked 2,599 Times in 2,448 Posts
|
|
Sorry, I forgot to mention that you need to create these two files manually in your ${COMPILE_DIR}:
clamav.conf:
Code:
##
## Example config file for the Clam AV daemon
## Please read the clamav.conf(5) manual before editing this file.
##
# Comment or remove the line below.
#Example
# Uncomment this option to enable logging.
# LogFile must be writable for the user running the daemon.
# Full path is required.
#LogFile /tmp/clamd.log
# By default the log file is locked for writing - the lock protects against
# running clamd multiple times (if want to run another clamd, please
# copy the configuration file, change the LogFile variable, and run
# the daemon with --config-file option). That's why you shouldn't uncomment
# this option.
#LogFileUnlock
# Maximal size of the log file. Default is 1 Mb.
# Value of 0 disables the limit.
# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
# in bytes just don't use modifiers.
#LogFileMaxSize 2M
# Log time with an each message.
#LogTime
# Use system logger (can work together with LogFile).
#LogSyslog
# Enable verbose logging.
#LogVerbose
# This option allows you to save the process identifier of the listening
# daemon (main thread).
#PidFile /var/run/clamd.pid
# Path to a directory containing .db files.
# Default is the hardcoded directory (mostly /usr/local/share/clamav,
# it depends on installation options).
#DataDirectory /var/lib/clamav
# The daemon works in local or network mode. Currently the local mode is
# recommended for security reasons.
# Path to the local socket. The daemon doesn't change the mode of the
# created file (portability reasons). You may want to create it in a directory
# which is only accessible for a user running daemon.
LocalSocket /home/admispconfig/ispconfig/temp/clamd
# Remove stale socket after unclean shutdown.
#FixStaleSocket
# TCP port address.
#TCPSocket 3310
# TCP address.
# By default we bind to INADDR_ANY, probably not wise.
# Enable the following to provide some degree of protection
# from the outside world.
#TCPAddr 127.0.0.1
# Maximum length the queue of pending connections may grow to.
# Default is 15.
#MaxConnectionQueueLength 30
# When activated, input stream (see STREAM command) will be saved to disk before
# scanning - this allows scanning within archives.
#StreamSaveToDisk
# Close the connection if this limit is exceeded.
#StreamMaxLength 10M
# Maximal number of a threads running at the same time.
# Default is 5, and it should be sufficient for a typical workstation.
# You may need to increase threads number for a server machine.
#MaxThreads 10
# Thread (scanner - single task) will be stopped after this time (seconds).
# Default is 180. Value of 0 disables the timeout. SECURITY HINT: Increase the
# timeout instead of disabling it.
#ThreadTimeout 500
# Maximal depth the directories are scanned at.
MaxDirectoryRecursion 15
# Follow a directory symlinks.
# SECURITY HINT: You should have enabled directory recursion limit to
# avoid potential problems.
#FollowDirectorySymlinks
# Follow regular file symlinks.
#FollowFileSymlinks
# Do internal checks (eg. check the integrity of the database structures)
# By default clamd checks itself every 3600 seconds (1 hour).
#SelfCheck 600
# Execute a command when virus is found. In the command string %v and %f will
# be replaced by the virus name and the infected file name respectively.
#
# SECURITY WARNING: Make sure the virus event command cannot be exploited,
# eg. by using some special file name when %f is used.
# Always use a full path to the command.
# Never delete/move files with this directive !
#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %f: %v"
# Run as selected user (clamd must be started by root).
# By default it doesn't drop privileges.
User admispconfig
# Initialize the supplementary group access (for all groups in /etc/group
# user is added in. clamd must be started by root).
#AllowSupplementaryGroups
# Don't fork into background. Useful in debugging.
#Foreground
# Enable debug messages in libclamav.
#Debug
##
## Mail support
##
# Uncomment this option if you are planning to scan mail files.
ScanMail 1
##
## Archive support
##
# Comment this line to disable scanning of the archives.
ScanArchive 1
# By default the built-in RAR unpacker is disabled by default because the code
# terribly leaks, however it's probably a good idea to enable it.
#ScanRAR
# Options below protect your system against Denial of Service attacks
# with archive bombs.
# Files in archives larger than this limit won't be scanned.
# Value of 0 disables the limit.
# WARNING: Due to the unrarlib implementation, whole files (one by one) in RAR
# archives are decompressed to the memory. That's why never disable
# this limit (but you may increase it of course!)
# ArchiveMaxFileSize 10M
MaxScanSize 10M
# Archives are scanned recursively - e.g. if Zip archive contains RAR file,
# the RAR file will be decompressed, too (but only if recursion limit is set
# at least to 1). With this option you may set the recursion level.
# Value of 0 disables the limit.
# ArchiveMaxRecursion 5
MaxRecursion 5
# Number of files to be scanned within archive.
# Value of 0 disables the limit.
# ArchiveMaxFiles 1000
MaxFiles 1000
# Use slower decompression algorithm which uses less memory. This option
# affects bzip2 decompressor only.
#ArchiveLimitMemoryUsage
##
## Clamuko settings
## WARNING: This is experimental software. It is very likely it will hang
## up your system !!!
##
# Enable Clamuko. Dazuko (/dev/dazuko) must be configured and running.
#ClamukoScanOnLine
# Set access mask for Clamuko.
ClamukoScanOnOpen 1
ClamukoScanOnClose 1
ClamukoScanOnExec 1
# Set the include paths (all files in them will be scanned). You can have
# multiple ClamukoIncludePath options, but each directory must be added
# in a separate option. All subdirectories are scanned, too.
ClamukoIncludePath /home
#ClamukoIncludePath /students
# Set the exclude paths. All subdirectories are also excluded.
#ClamukoExcludePath /home/guru
# Limit the file size to be scanned (probably you don't want to scan your movie
# files ;))
# Value of 0 disables the limit. 1 Mb should be fine.
ClamukoMaxFileSize 1M
# Enable archive support. It uses the limits from clamd section.
# (This option doesn't depend on ScanArchive, you can have archive support
# in clamd disabled).
# ClamukoScanArchive
freshclam.conf:
Code:
##
## Example config file for freshclam
## Please read the freshclam.conf(5) manual before editing this file.
## This file may be optionally merged with clamd.conf.
##
# Comment or remove the line below.
#Example
# Path to the database directory.
# WARNING: It must match clamd.conf's directive!
# Default: hardcoded (depends on installation options)
#DatabaseDirectory /var/lib/clamav
# Path to the log file (make sure it has proper permissions)
# Default: disabled
#UpdateLogFile /var/log/freshclam.log
# Enable verbose logging.
# Default: disabled
#LogVerbose
# Use system logger (can work together with UpdateLogFile).
# Default: disabled
LogSyslog 1
# Specify the type of syslog messages - please refer to 'man syslog'
# for facility names.
# Default: LOG_LOCAL6
LogFacility LOG_MAIL
# This option allows you to save the process identifier of the daemon
# Default: disabled
#PidFile /var/run/freshclam.pid
# By default when started freshclam drops privileges and switches to the
# "clamav" user. This directive allows you to change the database owner.
# Default: clamav (may depend on installation options)
#DatabaseOwner clamav
# Initialize supplementary group access (freshclam must be started by root).
# Default: disabled
#AllowSupplementaryGroups
# Use DNS to verify virus database version. Freshclam uses DNS TXT records
# to verify database and software versions. With this directive you can change
# the database verification domain.
# Default: enabled, pointing to current.cvd.clamav.net
#DNSDatabaseInfo current.cvd.clamav.net
# Uncomment the following line and replace XY with your country
# code. See http://www.iana.org/cctld/cctld-whois.htm for the full list.
# Default: There is no default, which results in an error when running freshclam
#DatabaseMirror db.XY.clamav.net
# database.clamav.net is a round-robin record which points to our most
# reliable mirrors. It's used as a fall back in case db.XY.clamav.net is
# not working. DO NOT TOUCH the following line unless you know what you
# are doing.
DatabaseMirror database.clamav.net
# How many attempts to make before giving up.
# Default: 3 (per mirror)
#MaxAttempts 5
# Number of database checks per day.
# Default: 12 (every two hours)
#Checks 24
# Proxy settings
# Default: disabled
#HTTPProxyServer myproxy.com
#HTTPProxyPort 1234
#HTTPProxyUsername myusername
#HTTPProxyPassword mypass
# Send the RELOAD command to clamd.
# Default: disabled
#NotifyClamd
# By default it uses the hardcoded configuration file but you can force an
# another one.
#NotifyClamd /config/file/path
# Run command after successful database update.
# Default: disabled
#OnUpdateExecute command
OnUpdateExecute chmod -R 755 /home/admispconfig/ispconfig/tools/clamav/share/clamav
# Run command when database update process fails.
# Default: disabled
#OnErrorExecute command
# Don't fork into background.
# Default: disabled
#Foreground
# Enable debug messages in libclamav.
# Default: disabled
#Debug
You can create these files manually now in /home/admispconfig/ispconfig/tools/clamav/etc/, and everything should be fine.
|
|
The Following 2 Users Say Thank You to falko For This Useful Post:
|
|
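Added example, not part of falko's post or of ClamAV: a shell function that reads a clamd config on stdin and flags settings the comments in the posted clamav.conf warn about (TCP socket bound to all interfaces, disabled archive limits or thread timeout, `%f` in VirusEvent, no User line). The finding labels and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag clamd settings that the comments in the posted
# clamav.conf warn about. Reads a config on stdin, prints one finding per line.
audit_clamd_conf() {
    awk '
    /^[ \t]*(#|$)/ { next }    # skip comments and blank lines
    { key = $1; val = $2; seen[key] = 1 }
    key == "TCPSocket" { tcp = 1 }
    key == "TCPAddr"   { addr = 1 }
    (key == "MaxScanSize" || key == "MaxRecursion" || key == "MaxFiles") && val == "0" {
        print "limit-disabled: " key " 0 removes an archive-bomb limit"
    }
    key == "ThreadTimeout" && val == "0" {
        print "timeout-disabled: ThreadTimeout 0 never stops a stuck scan thread"
    }
    key == "VirusEvent" && index($0, "%f") {
        print "virusevent-filename: %f hands a scanned file name to a command"
    }
    END {
        if (tcp && !addr) { print "tcp-any: TCPSocket without TCPAddr binds to INADDR_ANY" }
        if (!("User" in seen)) { print "no-user: no User line, clamd keeps the privileges it was started with" }
    }'
}

# Constructed sample: a weakened variant of the posted config.
weak_sample() {
    cat <<'EOF'
# comment line
LocalSocket /home/admispconfig/ispconfig/temp/clamd
TCPSocket 3310
MaxScanSize 0
MaxRecursion 5
VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %f: %v"
EOF
}

# Constructed sample: the active lines of the clamav.conf posted above.
posted_sample() {
    cat <<'EOF'
LocalSocket /home/admispconfig/ispconfig/temp/clamd
MaxDirectoryRecursion 15
User admispconfig
MaxScanSize 10M
MaxRecursion 5
MaxFiles 1000
EOF
}

weak_sample | audit_clamd_conf
```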

24th February 2011, 21:31
|
|
Senior Member
|
|
Join Date: Jul 2008
Location: The Netherlands
Posts: 139
Thanks: 46
Thanked 7 Times in 5 Posts
|
|
also:
restart ispconfigserver
|

8th March 2011, 08:38
|
|
Junior Member
|
|
Join Date: Oct 2010
Posts: 13
Thanks: 0
Thanked 1 Time in 1 Post
|
|
Process problems with ClamAV
Hi all!
I have another problem with my ClamAV 096.1 on Ubuntu 10.04. I found a few days ago that I had enabled the antivirus module in ISPConfig 2 for a few users. Then, after they started using it, the server started to slow down and I found dozens of zombie clamav processes which had eaten all my memory and CPU time. I had to kill them manually to free up resources, and the server slowly started functioning again and sped up. After that I found that the memory usage of all other processes had dropped to approx. 200 megs, which then increased to nearly 1 gig (as is normal) as time passed. Is there any solution to this? Does ClamAV have an easier update process? I think I will disable the AV module in the ISPConfig 2 GUI if the problem cannot be resolved quickly. Thanks for any help!
|

9th March 2011, 14:52
|
|
Super Moderator
|
|
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,685
Thanks: 1,899
Thanked 2,599 Times in 2,448 Posts
|
|