Clayton Keller | 1 Dec 17:46 2010

SCAN Command Results

Since upgrading to 0.96.5 I've seen different results with the SCAN 
command.

In my initial testing I did not see this behavior, however it has been 
occurring off and on this morning.

Not in every instance of the results returned by the SCAN command, but 
some will include the md5sum and size of the file being scanned in the 
results.

# clamdscan -V
ClamAV 0.96.5/12346/Wed Dec  1 10:16:47 2010

"Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68) FOUND"

But on other scans it returns just the signature name:

"Eicar-Test-Signature FOUND"

I have not seen this behavior with the 0.96.4 version, only sporadically 
since the upgrade on a test machine to 0.96.5.

The command passed to the socket is "SCAN /path/to/file"

The file itself is populated with the eicar test string prior to the 
SCAN command being given.

I did not see anything in the clamdoc related to the output of the MD5 
and file size, nor did I see anything mentioned in the changelog.

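A client that talks the raw clamd protocol has to cope with both reply forms shown above, "Name(md5:size) FOUND" and "Name FOUND", or a policy keyed on the signature name will silently miss detections whenever the hash suffix appears. The following is an added example written for this thread, not ClamAV project code: it parses a SCAN reply into its parts (path, status, signature, optional md5 and size, error text), so the signature name is stable whichever form clamd sends. The sample replies are constructed, and the socket path in `scan_path` is an assumption about a typical install.

```python
"""Parse clamd SCAN replies, tolerating the optional "(md5:size)" suffix.

Added example; not ClamAV project code. The socket path used by
scan_path() is an assumption, not something the thread states.
"""
import re
import socket
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample replies modelled on the two forms quoted in the thread.
# clamd normally prefixes a reply with "<path>: ".
SAMPLE_REPLIES = [
    "/tmp/eicar.txt: Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68) FOUND",
    "/tmp/eicar.txt: Eicar-Test-Signature FOUND",
    "/tmp/clean.txt: OK",
    "/tmp/missing.txt: lstat() failed: No such file or directory. ERROR",
]


@dataclass
class ScanResult:
    path: Optional[str]
    status: str                      # "FOUND", "OK" or "ERROR"
    signature: Optional[str] = None  # signature name without the hash suffix
    md5: Optional[str] = None
    size: Optional[int] = None
    message: Optional[str] = None    # text of an ERROR reply


# "<sig>" or "<sig>(<md5>:<size>)" followed by " FOUND"
_FOUND_RE = re.compile(
    r"^(?P<sig>[^\s(]+)"
    r"(?:\((?P<md5>[0-9a-fA-F]{32}):(?P<size>\d+)\))?"
    r" FOUND$"
)


def parse_clamd_reply(line: str) -> ScanResult:
    """Return a ScanResult for one reply line, whichever form clamd used."""
    line = line.rstrip("\r\n\0")
    path: Optional[str] = None
    body = line
    # Split off the "<path>: " prefix on the first ": " only, so an ERROR
    # message that itself contains ": " stays intact.
    if ": " in line:
        path, body = line.split(": ", 1)
    if body.endswith(" FOUND"):
        m = _FOUND_RE.match(body)
        if not m:
            raise ValueError(f"unrecognised FOUND reply: {line!r}")
        return ScanResult(
            path, "FOUND", m["sig"], m["md5"],
            int(m["size"]) if m["size"] else None,
        )
    if body == "OK":
        return ScanResult(path, "OK")
    if body.endswith(" ERROR"):
        return ScanResult(path, "ERROR", message=body[: -len(" ERROR")])
    raise ValueError(f"unrecognised clamd reply: {line!r}")


def signature_names(replies: List[str]) -> List[str]:
    """Signature names from FOUND replies, stable across both reply forms."""
    return [r.signature for r in map(parse_clamd_reply, replies)
            if r.status == "FOUND"]


def scan_path(path: str, sock_path: str = "/var/run/clamav/clamd.ctl") -> ScanResult:
    """Send "SCAN <path>" over the clamd unix socket and parse the reply.

    The default socket path is an assumption; adjust to your clamd.conf.
    """
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(f"SCAN {path}\n".encode())
        data = b""
        while chunk := s.recv(4096):
            data += chunk
    return parse_clamd_reply(data.decode(errors="replace"))


if __name__ == "__main__":
    for reply in SAMPLE_REPLIES:
        print(parse_clamd_reply(reply))
```

Keying alerting or quarantine logic on `ScanResult.signature` rather than on the raw reply string is what makes the behaviour change described above invisible to the consumer; the md5 and size, when present, are kept as separate fields for logging.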

Török Edwin | 1 Dec 18:16 2010

Re: SCAN Command Results

On Wed, 01 Dec 2010 10:46:41 -0600
Clayton Keller <inetadmin <at> ruraltel.net> wrote:

> Since upgrading to 0.96.5 I've seen different results with the SCAN 
> command.

See the discussion on clamav-devel, there are 2 bugs: the hash reply
that shouldn't be there (only if you use the proto, not clamdscan), and
the random loss of hash.

--Edwin
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml

Clayton Keller | 1 Dec 18:18 2010

Re: SCAN Command Results

On 12/1/2010 11:16 AM, Török Edwin wrote:
> On Wed, 01 Dec 2010 10:46:41 -0600
> Clayton Keller<inetadmin <at> ruraltel.net>  wrote:
>
>> Since upgrading to 0.96.5 I've seen different results with the SCAN
>> command.
>
> See the discussion on clamav-devel, there are 2 bugs: the hash reply
> that shouldn't be there (only if you use the proto, not clamdscan), and
> the random loss of hash.
>

Thank you. I will take a look at the archives.

Clayton Keller | 1 Dec 18:29 2010

Re: SCAN Command Results

On 12/1/2010 11:18 AM, Clayton Keller wrote:
> On 12/1/2010 11:16 AM, Török Edwin wrote:
>> On Wed, 01 Dec 2010 10:46:41 -0600
>> Clayton Keller<inetadmin <at> ruraltel.net> wrote:
>>
>>> Since upgrading to 0.96.5 I've seen different results with the SCAN
>>> command.
>>
>> See the discussion on clamav-devel, there are 2 bugs: the hash reply
>> that shouldn't be there (only if you use the proto, not clamdscan), and
>> the random loss of hash.
>>
>
> Thank you. I will take a look at the archives.

I'll give the individual time to file a bug, but I can provide 
additional info if needed.

Thanks again Edwin.


Andreas Schulze | 2 Dec 14:32 2010

handling encrypted pdf

Hello,

I use clamav's option to mark encrypted archives as virus.
For policy reasons I'd like to handle password protected pdf
in the same way as password protected zip archives.

The intention is to categorize content which is known to be password protected
and therefore is known to be unscannable for virus scanners.
In this context it shouldn't matter if it's a password protected archive
or pdf.

That's why I wrote a little patch:

Index: dv-clamav-0.96.5/libclamav/pdf.c
===================================================================
--- dv-clamav-0.96.5.orig/libclamav/pdf.c       2010-12-02 13:21:02.000000000 +0100
+++ dv-clamav-0.96.5/libclamav/pdf.c    2010-12-02 13:47:56.000000000 +0100
 <at>  <at>  -1087,6 +1087,12  <at>  <at> 
     }
     size -= offset;

+    if ((pdf.flags & (1 << ENCRYPTED_PDF)) && DETECT_ENCRYPTED) {
+        cli_dbgmsg("cli_pdf: Encrypted PDF found.\n");
+        *ctx->virname = "Encrypted.Pdf";
+        return CL_VIRUS;
+    }
+
     pdf.size = size;
     pdf.map = fmap_need_off(map, offset, size);
     pdf.startoff = offset;
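Review bot: the new check is placed before `pdf.map = fmap_need_off(map, offset, size);` and `pdf.startoff = offset;`, i.e. before the parser has mapped or looked at the document at this point in the hunk, so unless `pdf.flags` already carries `ENCRYPTED_PDF` from code earlier in the function, `(pdf.flags & (1 << ENCRYPTED_PDF))` cannot be true here and the block never fires; confirm where the flag is set and move the check after that point. Returning `CL_VIRUS` before the map is taken needs no cleanup, but once the check is moved past `fmap_need_off` the early return must release the map first. It would also help to note in the patch description that the `DETECT_ENCRYPTED` gate is what ties this to the existing encrypted-archive option, so one policy switch covers both cases.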

Török Edwin | 2 Dec 15:33 2010

Re: handling encrypted pdf

On Thu, 2 Dec 2010 14:32:52 +0100
Andreas Schulze <andreas.schulze <at> datev.de> wrote:

> Hello,
> 
> I use clamav's option to mark encrypted archives as virus.
> For policy reasons I'd like to handle password protected pdf
> in the same way as password protected zip archives.
> 
> The intention is to categorize content, which is known to be
> password protected and therefore is known to be unscannable for
> virus scanners. In this context it shouldn't matter if it's a password
> protected archive or pdf.
> 
> That's why I wrote a little patch:
> 
> Index: dv-clamav-0.96.5/libclamav/pdf.c
> ===================================================================
> --- dv-clamav-0.96.5.orig/libclamav/pdf.c       2010-12-02
> 13:21:02.000000000 +0100 +++ dv-clamav-0.96.5/libclamav/pdf.c
> 2010-12-02 13:47:56.000000000 +0100  <at>  <at>  -1087,6 +1087,12  <at>  <at> 
>      }
>      size -= offset;
> 
> +    if ((pdf.flags & (1 << ENCRYPTED_PDF)) && DETECT_ENCRYPTED) {
> +        cli_dbgmsg("cli_pdf: Encrypted PDF found.\n");
> +        *ctx->virname = "Encrypted.Pdf";
> +        return CL_VIRUS;
> +    }
> +

Nathan Gibbs | 2 Dec 19:47 2010

CCEE 0.96.5 Patch Set Release

Clamav Common Execution Environment patch set

http://www.cmpublishers.com/oss/ccee-0.96.5.tar.gz

Enjoy :-)

-- 
Sincerely,

Nathan Gibbs

Systems Administrator
Christ Media
http://www.cmpublishers.com

James Brown | 3 Dec 10:50 2010

Re: [Clamav-users] LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes <at> offset 19, got 0

Török Edwin wrote:
> On Sat, 27 Nov 2010 05:24:19 +0000
> James Brown <jbrownfirst <at> gmail.com> wrote:
> 
>> When scanning, clamscan gives me the above error messages.
>> What could it mean?
> 
> It probably means that the file changed its size while you were
> scanning it, i.e. clamscan thought the file still had 4077 more bytes,
> but when trying to read from it, it got an end-of-file (0 bytes).
> Or it could be a bug somewhere.
> 
How can I find what it is?

> Is this error reproducible?
> 
> Best regards,
> --Edwin
> 
Yes, many times. On my home laptop and on my vds (under Debian lenny).


Török Edwin | 3 Dec 10:59 2010

Re: [Clamav-users] LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes <at> offset 19, got 0

On Fri, 03 Dec 2010 09:50:22 +0000
James Brown <jbrownfirst <at> gmail.com> wrote:

> Török Edwin wrote:
> > On Sat, 27 Nov 2010 05:24:19 +0000
> > James Brown <jbrownfirst <at> gmail.com> wrote:
> > 
> >> When scanning, clamscan gives me the above error messages.
> >> What could it mean?
> > 
> > It probably means that the file changed its size while you were
> > scanning it, i.e. clamscan thought the file still had 4077 more
> > bytes, but when trying to read from it, it got an end-of-file (0
> > bytes). Or it could be a bug somewhere.
> > 
> How can I find what it is?

If you are running 0.96.5, then you can set 'DevLiblog yes' in
clamd.conf, set a 'LogFile /tmp/clamd.log' (or some other path), and
run a clamdscan, it will log the filename next to the warning message.

If not (or the problem doesn't occur with clamd) then run 
clamscan -rvi /path/to/directory >log 2>&1

The file causing it is the last one shown as 'Scanning' prior to the
warning message.

Best regards,
--Edwin
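The triage step Edwin describes, reading a `clamscan -rvi` log and taking the last "Scanning" line before each warning as the culprit, is easy to automate when the directory is large. The block below is an added example for this thread, not ClamAV code: it walks the log, attributes every `fmap_readpage` warning to the file being scanned at the time, pulls out the asked/offset/got numbers, and offers a small check for the "file shrank during the scan" explanation (the file as it is now is shorter than offset plus the bytes asked for). The log lines are constructed; the `@` in the warning is what the archive renders as `<at>`, and the regex accepts either.

```python
"""Attribute clamscan fmap_readpage warnings to the file being scanned.

Added example; not ClamAV project code. Reads the log produced by
    clamscan -rvi /path/to/directory >log 2>&1
and pairs each warning with the last "Scanning <file>" line before it.
"""
import re
from typing import List, NamedTuple, Optional

# Constructed sample log in the shape clamscan -rvi produces (verbose,
# infected-only). The "@" is what the mailing-list archive shows as "<at>".
SAMPLE_LOG = """\
Scanning /srv/mail/queue/a.eml
Scanning /srv/mail/queue/b.eml
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
Scanning /srv/mail/queue/c.eml
/srv/mail/queue/c.eml: Eicar-Test-Signature FOUND
"""


class Attributed(NamedTuple):
    line_no: int
    scanned_file: Optional[str]   # None if no "Scanning" line preceded the warning
    asked: Optional[int]
    offset: Optional[int]
    got: Optional[int]
    warning: str


_SCANNING_RE = re.compile(r"^Scanning (?P<path>.+)$")
_WARN_RE = re.compile(
    r"^LibClamAV Warning: fmap_readpage: pread fail: "
    r"asked for (?P<asked>\d+) bytes (?:@|<at>) offset (?P<offset>\d+), got (?P<got>\d+)$"
)


def attribute_warnings(log_text: str) -> List[Attributed]:
    """Pair every fmap_readpage warning with the file clamscan was scanning."""
    last_path: Optional[str] = None
    found: List[Attributed] = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        m = _SCANNING_RE.match(line)
        if m:
            last_path = m["path"]      # remember the most recent file started
            continue
        if not line.startswith("LibClamAV Warning: fmap_readpage"):
            continue
        w = _WARN_RE.match(line)
        nums = {k: int(w[k]) for k in ("asked", "offset", "got")} if w else {}
        found.append(Attributed(n, last_path, nums.get("asked"),
                                nums.get("offset"), nums.get("got"), line))
    return found


def bytes_expected(offset: int, asked: int) -> int:
    """File length the scanner believed existed when it issued the read."""
    return offset + asked


def consistent_with_truncation(current_size: int, offset: int, asked: int) -> bool:
    """True if the file as it is now is too short for the read that failed,
    i.e. the warning is explained by the file shrinking or being replaced
    during the scan rather than by a scanner bug."""
    return current_size < bytes_expected(offset, asked)


if __name__ == "__main__":
    for a in attribute_warnings(SAMPLE_LOG):
        need = bytes_expected(a.offset, a.asked) if a.asked is not None else "?"
        print(f"line {a.line_no}: {a.scanned_file} (scanner expected {need} bytes)")
```

To apply it to a real log, feed the file contents to `attribute_warnings` and then `stat` each `scanned_file`; if its current size is below `bytes_expected(offset, asked)` the file was changed underneath the scanner, otherwise the file is a stable reproducer worth attaching to a bug report.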

Jorge Valdes | 3 Dec 18:49 2010

Version 0.96.5 make check test failed


Hi,

I generally don't have problems building clamav, have been doing this
for a while, but this is the first time I get a "clean" configure, a
clean build (only warnings) and failed one of the tests.

Just wondering if something else is missing?

Centos 5.5:
Linux mail 2.6.18-194.11.3.el5 #1 SMP Mon Aug 30 16:23:24 EDT 2010 i686
i686 i386 GNU/Linux

[root <at> mail clamav-0.96.5]# ./configure --sysconfdir=/etc
...
configure: Summary of detected features follows
              OS          : linux-gnu
              pthreads    : yes (-lpthread)
configure: Summary of miscellaneous  features
              check       : no (auto)
              clamuko     : yes
              fdpassing   : 1
              IPv6        : yes
configure: Summary of optional tools
              clamdtop    : -lncurses (auto)
              milter      : yes (disabled)
configure: Summary of engine performance features)
              release mode: yes
              jit         : yes (auto)
              mempool     : yes
