ClamAV libclamav MEW PE File Integer Overflow Vulnerability

Discussion in 'General' started by till, Dec 19, 2007.

  1. till

    till Super Moderator Staff Member ISPConfig Developer

    An integer overflow vulnerability in clamav has been found:

    http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=634

    We are preparing a new ISPConfig version with the latest ClamAV. As a temporary workaround, you should disable the scanning of PE files:

    Edit the file:

    /home/admispconfig/ispconfig/tools/clamav/bin/clamassassin

    and change the line:

    CLAMSCANOPT="--no-summary --stdout"

    To:

    CLAMSCANOPT="--no-summary --stdout --no-pe"
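
    Added example, not code from the post above or from ISPConfig itself: a small POSIX shell helper that applies the `--no-pe` workaround to the `CLAMSCANOPT=` line of a clamassassin script idempotently (it does nothing if the option is already there), keeps a `.bak` copy for rollback, and is demonstrated on a constructed copy of the line rather than on the live file. The function names `add_no_pe` and `current_opts` and the sample file are assumptions; the real path to pass is the one named in the post.

```shell
#!/bin/sh
# Added example (not ISPConfig's own code). Applies the --no-pe workaround
# described above to a clamassassin script in an idempotent, reversible way.

# add_no_pe FILE : append --no-pe inside the CLAMSCANOPT="..." value.
# Returns 0 when the file carries --no-pe afterwards (or already did),
# 1 when the file has no CLAMSCANOPT line at all (wrong file?).
add_no_pe() {
    file="$1"
    grep -q '^CLAMSCANOPT=' "$file" || return 1
    if grep -q '^CLAMSCANOPT=.*--no-pe' "$file"; then
        return 0                 # already applied; leave the file alone
    fi
    cp "$file" "$file.bak"       # keep the original so the change can be undone
    tmp="$file.tmp.$$"
    # Insert " --no-pe" just before the closing quote of the CLAMSCANOPT value.
    sed 's/^\(CLAMSCANOPT="[^"]*\)"/\1 --no-pe"/' "$file" > "$tmp" && mv "$tmp" "$file"
    grep -q '^CLAMSCANOPT=.*--no-pe' "$file"
}

# current_opts FILE : print the quoted CLAMSCANOPT value, for verification.
current_opts() {
    sed -n 's/^CLAMSCANOPT="\([^"]*\)".*/\1/p' "$1"
}

# Demo on a constructed file (assumption: mirrors the line quoted in the post).
# To apply for real, pass /home/admispconfig/ispconfig/tools/clamav/bin/clamassassin instead.
demo_file="$(mktemp)"
printf '%s\n' '#!/bin/sh' 'CLAMSCANOPT="--no-summary --stdout"' > "$demo_file"
add_no_pe "$demo_file" && echo "before: $(current_opts "$demo_file.bak")"
echo "after:  $(current_opts "$demo_file")"
add_no_pe "$demo_file"           # second run is a no-op and still succeeds
rm -f "$demo_file" "$demo_file.bak"
```

    After editing the live file, `current_opts` on it should print `--no-summary --stdout --no-pe`; if `add_no_pe` returns 1, the path does not point at the clamassassin wrapper.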
     
  2. jbravo

    jbravo New Member

    I think most people use clamdscan and should edit the clamd config file to get:

    And restart clamd service with log check:

    EDIT: Bug already fixed - at least in SLES10SP1 with clamav patch (clamav-0.92-0.2).

    --
    GreetZ .:JbRaVo:.
     
    Last edited: Dec 24, 2007
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    Clamscan and not Clamdscan is the default in all ISPConfig installations if you have not patched ISPConfig manually!
     
  4. jbravo

    jbravo New Member

    Of course, but I'm sure you know that most of us use the daemonized version because of performance issues.
    Anyway, thanks for the information - I've changed my ClamAV configuration on other servers too :)

    --
    GreetZ .:JbRaVo:.
     
  5. SamTzu

    SamTzu Member HowtoForge Supporter

    Didn't take them long to start using this bug.
    My server had serious performance issues before I found out about this.

    How do I disable ClamAV in ISPConfig?


    Sam
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Disabling is not necessary, as you can see in the post above, and this bug in clamav has nothing to do with performance.

    If you want to disable clamav, go to the email user settings and disable the checkbox for the antivirus scan.
     
  7. SamTzu

    SamTzu Member HowtoForge Supporter

    How come I'm still getting a lot of processes from the same users even after the "quick fix"?
    I don't recall there being so many clamscans before.

    Sam
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

  9. SamTzu

    SamTzu Member HowtoForge Supporter

    Are you sure about that, Till?

    My Apache service kept crashing after a while.
    And this started at the same time the clamscan went mad.


    Sam
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes, please see the link in my post above.
     
  11. SamTzu

    SamTzu Member HowtoForge Supporter

    Odd.

    I'm still getting lines like this...
    12443 user-2a 25 0 28540 25m 2024 R 3.3 5.1 0:14.82 /home/admispconfig/ispconfig/tools/clamav/bin/clamscan --no-summary --stdout --no-pe -

    Even after removing the Antivirus: tab from this particular user user-2a.

    Why is that?
     
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    It may take some time until the config files get rewritten when your server is under high load.
     
  13. SamTzu

    SamTzu Member HowtoForge Supporter

    It's been several hours now. Still those accounts are using clamscan.
    Is there a way to stop/disable clamscan on the whole server?
     
  14. SamTzu

    SamTzu Member HowtoForge Supporter

    It's odd.
    ISPConfig control panel is running at normal speed. Only apache web services get affected by the many clamscan services running mad.
     
  15. SamTzu

    SamTzu Member HowtoForge Supporter

    The only way I could gain control of the situation was to manually remove the offending mail account's folder. Even though I had removed the mail account from ISPConfig, it did not remove the account for several hours, and finally I just removed it by hand.

    Obviously something was done to the user's mail settings on that particular folder. (Probably spam?)

    Anyway situation under control for now. :D

    In the future if ClamAV goes haywire is there a way to bypass/disable it on the server for all the users?
     
