Posted: Tue Jan 20, 2009 6:41 pm
by scott
Nope, it's all built in.

Posted: Wed Jan 21, 2009 4:26 am
by Griffith
Will it be built in for gamera too, or should we use the script provided by the sanesecurity community?

Posted: Wed Jan 21, 2009 7:28 am
by faris
Scott/Mike,

How automatic is automatic?

I only have this in /var/clamav

Code:

-rw-r--r--   1 clamav clamav     7727 Jan 20 12:15 ASL-h.ndb
-rw-r--r--   1 clamav clamav     4079 Jan 20 12:15 ASL.hdb
-rw-r--r--   1 clamav clamav    19474 May 17  2008 MSRBL-Images.hdb
-rw-r--r--   1 clamav clamav   236339 May 16  2008 MSRBL-SPAM.ndb
-rw-r--r--   1 clamav clamav  3560960 Jan 21 03:10 daily.cld
-rw-r--r--   1 clamav clamav 40598016 Oct 23 03:10 main.cld
-rw-r--r--   1 clamav clamav 18462921 Nov 26 18:37 main.cvd
-rw-------   1 clamav clamav      416 Jan 21 11:18 mirrors.dat
-rw-r--r--   1 clamav clamav      229 Dec 17 05:51 phish.ndb
-rw-r--r--   1 clamav clamav      211 Dec 17 05:51 phish.ndb-bak
-rw-r--r--   1 clamav clamav      172 Dec 16 09:34 phish.ndb.gz
-rw-r--r--   1 clamav clamav      229 Dec 17 05:51 scam.ndb
-rw-r--r--   1 clamav clamav      211 Dec 17 05:51 scam.ndb-bak
-rw-r--r--   1 clamav clamav      171 Dec 16 09:34 scam.ndb.gz

Note the dates.

And from the sanesecurity site I note that I should have junk.ndb, spear.ndb, lott.ndb and a few others too.

I have done an asl -u recently and it did supposedly update clamav rules.

Posted: Thu Jan 22, 2009 3:00 pm
by faris
Ah! I see the latest clamav from the asl-2 repo has an updated update script.

Just ran it and I see we are back to normal on the "UNOFFICIAL" hits.

Brilliant!

Faris.

Posted: Thu Jan 22, 2009 3:16 pm
by scott
You can run the updater manually too:

/usr/bin/clamav_updater.sh

I ended up rewriting the whole thing after goofing around with the other ones out there.

Posted: Thu Jan 22, 2009 4:21 pm
by hostingguy
I get an invalid user error when I run that script

Code:

# /usr/bin/clamav_updater.sh
=================================
SaneSecurity SCAM Database Update
=================================

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0   202    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0

==================================
SaneSecurity PHISH Database Update
==================================

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0   202    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
==========================
MSRBL SPAM Database Update
==========================

===========================
MSRBL IMAGE Database Update
===========================
chown: `qscand:qscand': invalid user

I don't have the qmail scanner installed so I am guessing that is a normal thing to not have those, but shouldn't the update script be able to run without it?

Posted: Thu Jan 22, 2009 6:32 pm
by scott
You might have the older clamav, the new one looks like this:

[root@www installer]# /usr/bin/clamav_updater.sh
Updating Securiteinfo Databases: VX Securityinfo Honeynet
Updating malware.com.br Databases: MBL
Updating MSRBL Databases: Images Spam
Updating Sanesecurity Databases: junk lott phish rouge scam spamming spear

Posted: Thu Jan 22, 2009 6:34 pm
by hostingguy
You are correct, I updated and now I see the output you mentioned - so problem solved (at least for me anyways)

Posted: Fri Jan 23, 2009 7:41 am
by faris
Oops. There's a buglet in /usr/bin/clamav_updater.sh for CentOS4/RHEL4.

I noticed that my /var/clamav directory and all its contents were mysteriously being set to be owned by clamav even after I manually changed them to qscand. (I've obviously also set the User and Database owner to be qscand in both /etc/freshclam.conf and /etc/clamd.conf.)

After looking into /etc/cron.daily/freshclam, which I found was correctly setting /var/clamav to qscand, I discovered the problem was in /usr/bin/clamav_updater.sh

In this section of code.....:

Code:

if [ -f /etc/clamd ]; then
clam_user=$(awk '/^User/ {print $2}' /etc/clamd.conf)
else
clam_user="clamav"
fi

....there's a typo in the first line, which should be

Code:

if [ -f /etc/clamd.conf ]; then

The bug is preventing /usr/bin/freshclam from updating the virus sigs.

I've raised a case in the portal but I thought it would be worth letting people know here too - you don't want out of date virus sigs!

Faris.

Edited: changed the "/usr/sbin/clamav_updater.sh" in my original post to the correct path of /usr/bin/clamav_updater.sh
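
An added sketch of the owner lookup with the path typo corrected, not the ASL script itself: it tests the same file it parses, and it refuses to chown to an account that does not exist (the `invalid user` error earlier in the thread). The function names are hypothetical; the `clamav` default and the `user:user` chown form follow what the thread shows.

```shell
#!/bin/sh
# Added example, not the shipped clamav_updater.sh. Function names are made up.

# resolve_clam_user CONF [DEFAULT]
# Prints the User set in CONF, or DEFAULT (clamav) when CONF is missing
# or carries no User line.
resolve_clam_user() {
    conf=$1
    default=${2:-clamav}
    user=""
    # Test the same path that gets parsed. The buggy check tested /etc/clamd
    # but parsed /etc/clamd.conf, so the clamav fallback was always taken.
    if [ -f "$conf" ]; then
        user=$(awk '$1 == "User" {print $2; exit}' "$conf")
    fi
    printf '%s\n' "${user:-$default}"
}

# user_exists NAME: succeeds only if NAME is a known account.
user_exists() {
    id -u "$1" >/dev/null 2>&1
}

# fix_db_owner DIR CONF
# Hands DIR to the configured user, but fails loudly instead of running
# chown with an account that is not present on this host.
fix_db_owner() {
    dir=$1
    owner=$(resolve_clam_user "$2")
    if ! user_exists "$owner"; then
        echo "refusing chown: user '$owner' does not exist" >&2
        return 1
    fi
    chown -R "$owner:$owner" "$dir"
}
```

On a live system the call would be `fix_db_owner /var/clamav /etc/clamd.conf`, run as root.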

Posted: Fri Jan 23, 2009 9:41 am
by Kalimari
Nice one faris. I noticed a few weird errors and wondered what was causing this... You've saved me a LOT of searching around :D

Posted: Fri Jan 23, 2009 1:28 pm
by hostingguy
Yeah I noticed a bunch of new errors today after updating to the latest clamd yesterday - may just be coincidental

Code:

Jan 23 07:09:45 domain psmon[3508]: Failed to spawn 'clamd' with '/sbin/service clamd restart'

Jan 23 07:08:53 domain clamd[4533]: reload db failed: Malformed database

Jan 23 07:08:53 domain clamd[4533]: Terminating because of a fatal error.

Posted: Fri Jan 23, 2009 2:30 pm
by scott
Fixed in SVN, should be out later today.

Posted: Sat Jan 24, 2009 8:02 am
by faris
Looks like it is in the repo now.

Errr... cough...this is the kind of thing that needs an Announcement.

Um...I'm a journo. Maybe I could help? You send the bare minimum of detail to me, and I translate into English? Or something?

Faris.

Posted: Sat Jan 24, 2009 1:06 pm
by breun
What needs an announcement here exactly? The fact that a bug in the ClamAV rule updater was fixed? In that case I don't agree. That's what changelogs are for. I'd reserve announcements for bigger issues.

Posted: Sat Jan 24, 2009 2:15 pm
by scott
Sure, stick around on #plesk on irc.freenode.net, that's probably the best way to coordinate this.