ClamAV unofficial rules?

scott

Nope, it's all built in.
Griffith

Will it be built in for Gamera too, or should we use the script provided by the sanesecurity community?
faris

Scott/Mike,

How automatic is automatic?

I only have this in /var/clamav

Code: Select all

-rw-r--r--   1 clamav clamav     7727 Jan 20 12:15 ASL-h.ndb
-rw-r--r--   1 clamav clamav     4079 Jan 20 12:15 ASL.hdb
-rw-r--r--   1 clamav clamav    19474 May 17  2008 MSRBL-Images.hdb
-rw-r--r--   1 clamav clamav   236339 May 16  2008 MSRBL-SPAM.ndb
-rw-r--r--   1 clamav clamav  3560960 Jan 21 03:10 daily.cld
-rw-r--r--   1 clamav clamav 40598016 Oct 23 03:10 main.cld
-rw-r--r--   1 clamav clamav 18462921 Nov 26 18:37 main.cvd
-rw-------   1 clamav clamav      416 Jan 21 11:18 mirrors.dat
-rw-r--r--   1 clamav clamav      229 Dec 17 05:51 phish.ndb
-rw-r--r--   1 clamav clamav      211 Dec 17 05:51 phish.ndb-bak
-rw-r--r--   1 clamav clamav      172 Dec 16 09:34 phish.ndb.gz
-rw-r--r--   1 clamav clamav      229 Dec 17 05:51 scam.ndb
-rw-r--r--   1 clamav clamav      211 Dec 17 05:51 scam.ndb-bak
-rw-r--r--   1 clamav clamav      171 Dec 16 09:34 scam.ndb.gz
Note the dates.

And from the sanesecurity site I note that I should have junk.ndb, spear.ndb, lott.ndb and a few others too.

I have done an asl -u recently and it did supposedly update clamav rules.
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
faris

Ah! I see the latest clamav from the asl-2 repo has an updated update script.

Just ran it and I see we are back to normal on the "UNOFFICIAL" hits.

Brilliant!

Faris.
scott

You can run the updater manually too:

/usr/bin/clamav_updater.sh

I ended up rewriting the whole thing after goofing around with the other ones out there.
hostingguy

I get an invalid user error when I run that script

Code: Select all

# /usr/bin/clamav_updater.sh
=================================
SaneSecurity SCAM Database Update
=================================

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0   202    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0

==================================
SaneSecurity PHISH Database Update
==================================

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0   202    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
==========================
MSRBL SPAM Database Update
==========================

===========================
MSRBL IMAGE Database Update
===========================
chown: `qscand:qscand': invalid user
I don't have the qmail scanner installed, so I am guessing that is a normal thing to not have those, but shouldn't the update script be able to run without it?
scott

You might have the older clamav, the new one looks like this:

[root@www installer]# /usr/bin/clamav_updater.sh
Updating Securiteinfo Databases: VX Securityinfo Honeynet
Updating malware.com.br Databases: MBL
Updating MSRBL Databases: Images Spam
Updating Sanesecurity Databases: junk lott phish rouge scam spamming spear
hostingguy

You are correct, I updated and now I see the output you mentioned - so problem solved (at least for me anyways)
faris

Oops. There's a buglet in /usr/bin/clamav_updater.sh for CentOS4/RHEL4

I noticed that my /var/clamav directory and all its contents were mysteriously being set to be owned by clamav even after I manually changed them to qscand. (I've obviously also set the User and Database owner to be qscand in both /etc/freshclam.conf and /etc/clamd.conf).

After looking into /etc/cron.daily/freshclam, which I found was correctly setting /var/clamav to qscand, I discovered the problem was in /usr/bin/clamav_updater.sh

In this section of code.....:

Code: Select all


if [ -f /etc/clamd ]; then
clam_user=$(awk '/^User/ {print $2}' /etc/clamd.conf)
else
clam_user="clamav"
fi

....there's a typo in the first line, which should be

Code: Select all


if [ -f /etc/clamd.conf ]; then

The bug is preventing /usr/bin/freshclam from updating the virus sigs.

I've raised a case in the portal but I thought it would be worth letting people know here too - you don't want out of date virus sigs!

Faris.

Edited: changed the "/usr/sbin/clamav_updater.sh" in my original post to the correct path of /usr/bin/clamav_updater.sh
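
The failure described in the post above (a wrong path in the existence test silently selecting the fallback owner) and the `chown: invalid user` error earlier in the thread can both be caught before any ownership change is made. The following is an added example, not the Atomicorp script or code from the thread; the function names and the temporary sample config are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not the Atomicorp updater). Function names are hypothetical.

# resolve_clam_user CONF [FALLBACK]
# Print the User directive from a clamd.conf-style file. The fallback is used
# only when the file is absent or has no User line; a missing file is
# reported on stderr so a mistyped path does not go unnoticed.
resolve_clam_user() {
    conf=$1
    fallback=${2:-clamav}
    user=""
    if [ -f "$conf" ]; then
        user=$(awk '$1 == "User" { print $2; exit }' "$conf")
    else
        echo "warning: $conf not found, using fallback '$fallback'" >&2
    fi
    printf '%s\n' "${user:-$fallback}"
}

# user_exists NAME: succeed only if the account is known to the system.
user_exists() {
    id -u "$1" >/dev/null 2>&1
}

# check_db_owner DIR USER
# Return 0 if everything under DIR is owned by USER, 1 (listing the paths)
# if ownership has drifted, 2 if USER does not exist.
check_db_owner() {
    dir=$1
    expected=$2
    if ! user_exists "$expected"; then
        echo "error: no such user '$expected'" >&2
        return 2
    fi
    drift=$(find "$dir" ! -user "$expected" -print)
    if [ -n "$drift" ]; then
        printf '%s\n' "$drift"
        return 1
    fi
    return 0
}

# Demo on a constructed config file (not a real system file).
demo_conf=$(mktemp)
printf 'LogSyslog yes\nUser qscand\n' > "$demo_conf"
echo "resolved user: $(resolve_clam_user "$demo_conf")"
rm -f "$demo_conf"
```

On a live host the same functions would be pointed at /etc/clamd.conf and /var/clamav, the paths named in the thread.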
Kalimari

Nice one faris. I noticed a few weird errors and wondered what was causing this... You've saved me a LOT of searching around :D
hostingguy

Yeah I noticed a bunch of new errors today after updating to the latest clamd yesterday - may just be coincidental

Code: Select all


Jan 23 07:09:45 domain psmon[3508]: Failed to spawn 'clamd' with '/sbin/service clamd restart'

Jan 23 07:08:53 domain clamd[4533]: reload db failed: Malformed database

Jan 23 07:08:53 domain clamd[4533]: Terminating because of a fatal error.
scott

Fixed in SVN, should be out later today.
faris

Looks like it is in the repo now.

Errr... cough...this is the kind of thing that needs an Announcement.

Um...I'm a journo. Maybe I could help? You send the bare minimum of detail to me, and I translate into English? Or something?

Faris.
breun

What needs an announcement here exactly? The fact that a bug in the ClamAV rule updater was fixed? In that case I don't agree. That's what changelogs are for. I'd reserve announcements for bigger issues.
Lemonbit Internet Dedicated Server Management
scott

Sure, stick around on #plesk on irc.freenode.net, that's probably the best way to coordinate this.