ClamAV is installed on my CentOS box. I edited the conf file and assumed all is well. Clearly it isn't.
Every day I see in logwatch that my signatures are updated, and the database notified, but if I try to scan a file manually it tells me that my signatures are 55 days old.
I tried looking at a how-to, in the hope of identifying the problem, but it is hopelessly out of date, and I reached the stage where it seemed that following it any further risked my installation.
Can someone please give me a quick run-down of the things I should check. Clearly freshclam is running, but that's about all I know for certain.
Thanks
Anne
Anne Wilson wrote:
ClamAV is installed on my CentOS box. I edited the conf file and assumed all is well. Clearly it isn't.
Every day I see in logwatch that my signatures are updated, and the database notified, but if I try to scan a file manually it tells me that my signatures are 55 days old.
I tried looking at a how-to, in the hope of identifying the problem, but it is hopelessly out of date, and I reached the stage where it seemed that following it any further risked my installation.
Can someone please give me a quick run-down of the things I should check. Clearly freshclam is running, but that's about all I know for certain.
first, enable rpmforge repo then... yum install clamav
then, run freshclam, and also put it in a daily or weekly cron job to automatically update
now, clamscan, or start clamd, or whatever
Every day I see in logwatch that my signatures are updated, and the database notified, but if I try to scan a file manually it tells me that my signatures are 55 days old.
I think clamscan looks for the db files in a compiled-in default location of /usr/local/share/clamav and doesn't consult the clamd.conf or freshclam.conf files (after all, why would it?)
I fixed it up by symlinking my configured DatabaseDirectory to where clamscan expected to find things.
HTH
Simon
Simon Banton wrote:
Every day I see in logwatch that my signatures are updated, and the database notified, but if I try to scan a file manually it tells me that my signatures are 55 days old.
I think clamscan looks for the db files in a compiled-in default location of /usr/local/share/clamav and doesn't consult the clamd.conf or freshclam.conf files (after all, why would it?)
It does at least open freshclam.conf (which means that that one must be *readable* by the user running clamscan):
admin@mail-gw-3:~$ strace -eopen clamscan
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/usr/lib/libclamav.so.4", O_RDONLY) = 3
open("/lib/tls/libpthread.so.0", O_RDONLY) = 3
open("/lib/tls/libc.so.6", O_RDONLY) = 3
open("/usr/lib/libz.so.1", O_RDONLY) = 3
open("/usr/lib/libbz2.so.1", O_RDONLY) = 3
open("/usr/lib/sse2/libgmp.so.3", O_RDONLY) = 3
open("/usr/lib/libclamunrar_iface.so.4", O_RDONLY) = 3
open("/usr/lib/libclamunrar.so.4", O_RDONLY) = 3
open("/etc/freshclam.conf", O_RDONLY) = 3
open("/var/clamav/daily.cld", O_RDONLY) = 3
Cheers,
Ralph
At 13:16 +0200 17/6/08, Ralph Angenendt wrote:
It does at least open freshclam.conf
True, but then it goes on to look in its compiled in location too:
open("/etc/freshclam.conf", O_RDONLY) = 3
open("/var/lib/clamav/daily.cld", O_RDONLY) = 3
open("/usr/local/share/clamav/daily.cld", O_RDONLY) = 3
open("/usr/local/share/clamav/daily.cld", O_RDONLY) = 3
open("/usr/local/share/clamav", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY) = 3
open("/usr/local/share/clamav/main.cvd", O_RDONLY) = 4
Cheers S.
Simon Banton wrote:
At 13:16 +0200 17/6/08, Ralph Angenendt wrote:
It does at least open freshclam.conf
True, but then it goes on to look in its compiled in location too:
open("/etc/freshclam.conf", O_RDONLY) = 3
open("/var/lib/clamav/daily.cld", O_RDONLY) = 3
open("/usr/local/share/clamav/daily.cld", O_RDONLY) = 3
open("/usr/local/share/clamav/daily.cld", O_RDONLY) = 3
open("/usr/local/share/clamav", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY) = 3
open("/usr/local/share/clamav/main.cvd", O_RDONLY) = 4
It doesn't here:
admin@mail-gw-3:~$ strace -eopen clamscan
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/usr/lib/libclamav.so.4", O_RDONLY) = 3
open("/lib/tls/libpthread.so.0", O_RDONLY) = 3
open("/lib/tls/libc.so.6", O_RDONLY) = 3
open("/usr/lib/libz.so.1", O_RDONLY) = 3
open("/usr/lib/libbz2.so.1", O_RDONLY) = 3
open("/usr/lib/sse2/libgmp.so.3", O_RDONLY) = 3
open("/usr/lib/libclamunrar_iface.so.4", O_RDONLY) = 3
open("/usr/lib/libclamunrar.so.4", O_RDONLY) = 3
open("/etc/freshclam.conf", O_RDONLY) = 3
open("/var/clamav/daily.cld", O_RDONLY) = 3
open("/var/clamav", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY) = 3
open("/var/clamav/main.cvd", O_RDONLY) = 4
open("/tmp/clamav-56d503ba1cf89b51cfc1483052997d0e/COPYING", O_WRONLY|O_CREAT|O_TRUNC
Ralph
At 16:43 +0200 17/6/08, Ralph Angenendt wrote:
Is your copy installed from rpm/yum or compiled from source?
Mine's the latter.
rpmforge.
Ah - looking more deeply, my source was configured without --with-dbdir=/var/lib/clamav which is why it defaulted to looking in /usr/local/share/clamav
Now rebuilt with the --with-dbdir option, and everything's looking in the correct place.
S.
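The diagnosis above (freshclam.conf read, then a fallback to the compiled-in /usr/local/share/clamav, confirmed with strace and resolved with --with-dbdir or a symlink) can be automated. The script below is an added example, not code from the thread or from the ClamAV project: it reads DatabaseDirectory out of freshclam.conf, pulls the directory clamscan actually loaded main.cvd from out of saved `strace -eopen clamscan` output, and reports whether the two agree. The config and strace samples inside demo() are constructed from the paths quoted in the thread; the file names, the 7-day staleness threshold and the exit codes are my own choices.

```shell
#!/bin/sh
# Added example; not code from the thread or from the ClamAV project.
# Compares the directory freshclam writes to (DatabaseDirectory in
# freshclam.conf) with the directory clamscan loads its engine from, as
# seen in the output of:  strace -eopen clamscan somefile 2> strace.txt
# The inputs built in demo() are constructed from paths in the thread.

# Directory freshclam updates: first DatabaseDirectory line in freshclam.conf.
conf_db_dir() {
    awk '$1 == "DatabaseDirectory" { print $2; exit }' "$1"
}

# Directory clamscan loaded the engine from: where it opened main.cvd/main.cld.
loaded_db_dir() {
    grep -oE 'open\("[^"]*/main\.c[lv]d"' "$1" | head -n 1 \
        | sed 's/^open("//; s/\/[^/]*"$//'
}

# Every directory clamscan looked for daily.cld/daily.cvd in, first seen first.
# Two lines means it read freshclam.conf and then fell back to its
# compiled-in default, which is the symptom described in the thread.
probed_db_dirs() {
    grep -oE 'open\("[^"]*/daily\.c[lv]d"' "$1" \
        | sed 's/^open("//; s/\/[^/]*"$//' | awk '!seen[$0]++'
}

# Exit codes are this example's convention: 0 same directory, 1 freshclam and
# clamscan disagree, 2 no engine load seen in the strace (nothing to compare).
check_db_dirs() {
    conf=$(conf_db_dir "$1")
    loaded=$(loaded_db_dir "$2")
    if [ -z "$loaded" ]; then
        echo "no main.cvd/main.cld open in $2; clamscan loaded no database" >&2
        return 2
    fi
    if [ "$conf" = "$loaded" ]; then
        echo "ok: freshclam writes and clamscan loads $loaded"
        return 0
    fi
    echo "mismatch: freshclam writes $conf, clamscan loads $loaded" >&2
    echo "fix: rebuild with --with-dbdir=$conf, or make $loaded a symlink to $conf" >&2
    return 1
}

# Signature files directly under $1 not modified for more than ${2:-7} days,
# which is what a "signatures are N days old" warning is really about.
stale_sigs() {
    find "$1" -maxdepth 1 \( -name 'daily.c[lv]d' -o -name 'main.c[lv]d' \) \
        -mtime +"${2:-7}"
}

# Constructed inputs: a source build falling back to /usr/local/share/clamav
# (mismatch) and an rpmforge build loading from /var/clamav (ok).
demo() {
    d=$(mktemp -d)
    printf 'DatabaseDirectory /var/lib/clamav\n' > "$d/source.conf"
    cat > "$d/source.strace" <<'EOF'
open("/etc/freshclam.conf", O_RDONLY) = 3
open("/var/lib/clamav/daily.cld", O_RDONLY) = 3
open("/usr/local/share/clamav/daily.cld", O_RDONLY) = 3
open("/usr/local/share/clamav", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY) = 3
open("/usr/local/share/clamav/main.cvd", O_RDONLY) = 4
EOF
    printf 'DatabaseDirectory /var/clamav\n' > "$d/rpm.conf"
    cat > "$d/rpm.strace" <<'EOF'
open("/etc/freshclam.conf", O_RDONLY) = 3
open("/var/clamav/daily.cld", O_RDONLY) = 3
open("/var/clamav", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY) = 3
open("/var/clamav/main.cvd", O_RDONLY) = 4
EOF
    check_db_dirs "$d/source.conf" "$d/source.strace" || :
    check_db_dirs "$d/rpm.conf" "$d/rpm.strace" || :
    rm -rf "$d"
}

# Usage: sh check_clamdb.sh /etc/freshclam.conf strace.txt
# With no arguments it runs the constructed demo instead.
if [ $# -eq 2 ]; then
    check_db_dirs "$1" "$2"
else
    demo
fi
```

Run it as the same unprivileged user that runs clamscan, since an unreadable freshclam.conf changes what clamscan opens; and feed it the strace from a scan of a small file rather than a whole directory, as the file opens from the scan itself are noise here.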
On Tuesday 17 June 2008 15:43, Ralph Angenendt wrote:
Simon Banton wrote:
At 14:48 +0200 17/6/08, Ralph Angenendt wrote:
It doesn't here:
Is your copy installed from rpm/yum or compiled from source? Mine's the latter.
rpmforge.
I should have said - mine is rpmforge, too.
Anne
On Tuesday 17 June 2008 12:16, Ralph Angenendt wrote:
Simon Banton wrote:
Every day I see in logwatch that my signatures are updated, and the database notified, but if I try to scan a file manually it tells me that my signatures are 55 days old.
I think clamscan looks for the db files in a compiled-in default location of /usr/local/share/clamav and doesn't consult the clamd.conf or freshclam.conf files (after all, why would it?)
It does at least open freshclam.conf (which means that that one must be *readable* by the user running clamscan):
admin@mail-gw-3:~$ strace -eopen clamscan
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/usr/lib/libclamav.so.4", O_RDONLY) = 3
open("/lib/tls/libpthread.so.0", O_RDONLY) = 3
open("/lib/tls/libc.so.6", O_RDONLY) = 3
open("/usr/lib/libz.so.1", O_RDONLY) = 3
open("/usr/lib/libbz2.so.1", O_RDONLY) = 3
open("/usr/lib/sse2/libgmp.so.3", O_RDONLY) = 3
open("/usr/lib/libclamunrar_iface.so.4", O_RDONLY) = 3
open("/usr/lib/libclamunrar.so.4", O_RDONLY) = 3
open("/etc/freshclam.conf", O_RDONLY) = 3
open("/var/clamav/daily.cld", O_RDONLY) = 3
freshclam.conf was root:root, so I've fixed that. Running your strace command gives me
strace -eopen clamscan
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/usr/lib/libclamav.so.4", O_RDONLY) = 3
open("/lib/libpthread.so.0", O_RDONLY) = 3
open("/lib/libc.so.6", O_RDONLY) = 3
open("/usr/lib/libclamunrar_iface.so.4", O_RDONLY) = 3
open("/usr/lib/libbz2.so.1", O_RDONLY) = 3
open("/usr/lib/sse2/libgmp.so.3", O_RDONLY) = 3
open("/usr/lib/libz.so.1", O_RDONLY) = 3
open("/usr/lib/libclamunrar.so.4", O_RDONLY) = 3
open("/etc/freshclam.conf", O_RDONLY) = 3
open("/var/clamav/daily.cld", O_RDONLY) = 3
open("/var/clamav", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY) = 3
open("/var/clamav/main.cvd", O_RDONLY) = 4
open("/tmp/clamav-7c516bc61aa49e497301e91e0930f6c5/COPYING", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 6
open("/tmp/clamav-7c516bc61aa49e497301e91e0930f6c5/main.info", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 6
open("/tmp/clamav-7c516bc61aa49e497301e91e0930f6c5/main.db", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 6
open("/tmp/clamav-7c516bc61aa49e497301e91e0930f6c5/main.hdb", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 6
open("/tmp/clamav-7c516bc61aa49e497301e91e0930f6c5/main.mdb", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 6
open("/tmp/clamav-7c516bc61aa49e497301e91e0930f6c5/main.ndb", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 6
open("/tmp/clamav-7c516bc61aa49e497301e91e0930f6c5/main.zmd", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 6
open("/tmp/clamav-7c516bc61aa49e497301e91e0930f6c5/main.fp", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 6
open("/tmp/clamav-7c516bc61aa49e497301e91e0930f6c5", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY) = 5
open("/tmp/clamav-7c516bc61aa49e497301e91e0930f6c5/main.zmd", O_RDONLY) = 6
open("/tmp/clamav-7c516bc61aa49e497301e91e0930f6c5/main.mdb", O_RDONLY) = 6
open("/tmp/clamav-7c516bc61aa49e497301e91e0930f6c5/main.db", O_RDONLY) = 6
open("/tmp/clamav-7c516bc61aa49e497301e91e0930f6c5/main.ndb", O_RDONLY) = 6
open("/tmp/clamav-7c516bc61aa49e497301e91e0930f6c5/main.fp", O_RDONLY) = 6
open("/tmp/clamav-7c516bc61aa49e497301e91e0930f6c5/main.hdb", O_RDONLY) = 6
open("/tmp/clamav-7c516bc61aa49e497301e91e0930f6c5", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY) = 5
open("/proc/meminfo", O_RDONLY) = 3
open("/root", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY) = 3
open("/root/.xauthXN80U8", O_RDONLY) = 4
/root/.xauthXN80U8: OK
open("/root/.viminfo", O_RDONLY) = 4
/root/.viminfo: OK
open("/root/.bash_profile", O_RDONLY) = 4
/root/.bash_profile: OK
open("/root/iptables.orig", O_RDONLY) = 4
/root/iptables.orig: OK
open("/root/iptables.txt~", O_RDONLY) = 4
/root/iptables.txt~: OK
open("/root/iptables.txt", O_RDONLY) = 4
/root/iptables.txt: OK
open("/root/scan.txt", O_RDONLY) = 4
/root/scan.txt: OK
open("/root/.DCOPserver_borg2.lydgate.net__0", O_RDONLY) = 4
/root/.DCOPserver_borg2.lydgate.net__0: OK
open("/root/.serverauth.3061", O_RDONLY) = 4
/root/.serverauth.3061: OK
open("/root/.seaudit", O_RDONLY) = 4
/root/.seaudit: OK
open("/root/.bashrc", O_RDONLY) = 4
/root/.bashrc: OK
open("/root/.audacity", O_RDONLY) = 4
/root/.audacity: OK
open("/root/.rnd", O_RDONLY) = 4
/root/.rnd: OK
open("/root/.xauthhEtrij", O_RDONLY) = 4
/root/.xauthhEtrij: OK
open("/root/.cshrc", O_RDONLY) = 4
/root/.cshrc: OK
open("/root/.mcoprc", O_RDONLY) = 4
/root/.mcoprc: OK
open("/root/.fonts.conf", O_RDONLY) = 4
/root/.fonts.conf: OK
open("/root/.serverauth.3072", O_RDONLY) = 4
/root/.serverauth.3072: OK
open("/root/.tcshrc", O_RDONLY) = 4
/root/.tcshrc: OK
open("/root/install.log.syslog", O_RDONLY) = 4
/root/install.log.syslog: OK
open("/root/.xauthOUZGv0", O_RDONLY) = 4
/root/.xauthOUZGv0: OK
open("/root/.Xauthority", O_RDONLY) = 4
/root/.Xauthority: OK
open("/root/install.log", O_RDONLY) = 4
/root/install.log: OK
open("/root/.bash_logout", O_RDONLY) = 4
/root/.bash_logout: OK
open("/root/.serverauth.3046", O_RDONLY) = 4
/root/.serverauth.3046: OK
open("/root/.xauthSTMbGw", O_RDONLY) = 4
/root/.xauthSTMbGw: OK
open("/root/anaconda-ks.cfg", O_RDONLY) = 4
/root/anaconda-ks.cfg: OK
open("/root/.serverauth.3169", O_RDONLY) = 4
/root/.serverauth.3169: OK
open("/root/.lesshst", O_RDONLY) = 4
/root/.lesshst: OK
open("/root/.ICEauthority", O_RDONLY) = 4
/root/.ICEauthority: OK
open("/root/.bash_history", O_RDONLY) = 4
/root/.bash_history: OK
----------- SCAN SUMMARY -----------
Known viruses: 315716
Engine version: 0.93.1
Scanned directories: 1
Scanned files: 31
Infected files: 0
Data scanned: 0.05 MB
Time: 4.950 sec (0 m 4 s)
The message about signatures being ancient comes from ClamTK virus scanner. Maybe there's some connection there that needs fixing?
I'm totally naive on this, so bear with me, please :-)
Anne
Anne Wilson wrote:
freshclam.conf was root:root, so I've fixed that. Running your strace command gives me
strace -eopen clamscan
open("/etc/freshclam.conf", O_RDONLY) = 3
open("/var/clamav/daily.cld", O_RDONLY) = 3
open("/var/clamav", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY) = 3
open("/var/clamav/main.cvd", O_RDONLY) = 4
So it opened freshclam.conf and then proceeded to read the database which is kept fresh by freshclam.
The message about signatures being ancient comes from ClamTK virus scanner. Maybe there's some connection there that needs fixing?
I have no idea about ClamTK - so yes, that might be the problem. No idea where that looks >:)
Cheers,
Ralph
On Wednesday 18 June 2008 12:36:20 Ralph Angenendt wrote:
Anne Wilson wrote:
freshclam.conf was root:root, so I've fixed that. Running your strace command gives me
strace -eopen clamscan
open("/etc/freshclam.conf", O_RDONLY) = 3
open("/var/clamav/daily.cld", O_RDONLY) = 3
open("/var/clamav", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY) = 3
open("/var/clamav/main.cvd", O_RDONLY) = 4
So it opened freshclam.conf and then proceeded to read the database which is kept fresh by freshclam.
The message about signatures being ancient comes from ClamTK virus scanner. Maybe there's some connection there that needs fixing?
I have no idea about ClamTK - so yes, that might be the problem. No idea where that looks >:)
OK, thanks. I'll do some googling. As far as I can remember, it was installed along with the rest from rpmforge. I'm certain I didn't download it from any other than my installed repos.
As far as you can tell, then, clamav is working correctly? That's a comfort. Thanks for your help.
Anne
Not to move anyone to another package, but to offer another route if you want to consider it.
An option other than ClamAV is AVG, it works well, and is easy to install.
Grisoft has a Linux version of their AVG Virus Software The free version can be downloaded here
ftp://ftp.grisoft.cz/pub/softw/70free/setup/
They have a complete line of Anti-Virus Software for both the MS and Linux worlds. I have used both versions for years and like it much more than Symantec (Norton), McAfee etc. It doesn't wind its way down into the heart of the OS, it is very stable and in my mind one of the best Anti-Virus packages out. If you prefer a paid version, theirs is a very cost-effective product with flavors to suit all applications and sizes.
More information can be had at http://www.grisoft.com. If looking for a one-off copy of a basic AV for your Windows machine, then http://free.grisoft.com. The free versions don't include all of the bells and whistles but work very well, run and update automatically.
john plemons
Anne Wilson wrote:
ClamAV is installed on my CentOS box. I edited the conf file and assumed all is well. Clearly it isn't.
Every day I see in logwatch that my signatures are updated, and the database notified, but if I try to scan a file manually it tells me that my signatures are 55 days old.
I tried looking at a how-to, in the hope of identifying the problem, but it is hopelessly out of date, and I reached the stage where it seemed that following it any further risked my installation.
Can someone please give me a quick run-down of the things I should check. Clearly freshclam is running, but that's about all I know for certain.
Thanks
Anne
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
No virus found in this incoming message. Checked by AVG. Version: 8.0.100 / Virus Database: 270.3.0/1505 - Release Date: 6/16/2008 7:20 AM
On Tuesday 17 June 2008 14:52:30 John Plemons wrote:
Not to move anyone to another package, but to offer another route if you want to consider it.
An option other than ClamAV is AVG, it works well, and is easy to install.
Grisoft has a Linux version of their AVG Virus Software The free version can be downloaded here
ftp://ftp.grisoft.cz/pub/softw/70free/setup/
They have a complete line of Anti-Virus Software for both the MS and Linux worlds. I have used both versions for years and like it much more than Symantec (Norton), McAfee etc. It doesn't wind its way down into the heart of the OS, it is very stable and in my mind one of the best Anti-Virus packages out. If you prefer a paid version, theirs is a very cost-effective product with flavors to suit all applications and sizes.
More information can be had at http://www.grisoft.com. If looking for a one-off copy of a basic AV for your Windows machine, then http://free.grisoft.com. The free versions don't include all of the bells and whistles but work very well, run and update automatically.
I'll be checking out all the other suggestions, but I'll also look at this, thanks.
Anne
On Tue, Jun 17, 2008 at 6:52 AM, John Plemons john@mavin.com wrote:
Not to move anyone to another package, but to offer another route if you want to consider it.
An option other than ClamAV is AVG, it works well, and is easy to install.
Grisoft has a Linux version of their AVG Virus Software The free version can be downloaded here
ftp://ftp.grisoft.cz/pub/softw/70free/setup/
Just to add my plug here - I've been using AVG Free on Win for a long, long time, and I've been really pleased with it. Their recent update from 7.5 to 8.0 is badly advertised (from the update page it /looks/ like you have to /pay/ for the new version, but from the above link there is a place to get it for free). This is particularly good because the old version will no longer work after June 25, so I get to upgrade everything before then.
Now if I could just convince the Win addicts in my family to go to CentOS, we could dispense with that altogether (except for the VMWare guests), but I don't have everywhere yet in which to put everything....
mhr