[clamav-users] FW: Problem with setup
Philip Andersson
2016-05-25 06:54:55 UTC
Date: Tue, 24 May 2016 19:17:42 +0200
Subject: Re: [clamav-users] Problem with setup
The Eicar virus is stopped (a colleague of mine tested it), but this PDF virus is still slinking through: CVE-2010-1240.
I know that this virus is old, but because of old systems on end users it is still a risk. It picks it up in clamdscan though, as noted before. Can't see socket output right now, but the regular output is dead silent. Only start-up things and database updates. The last row is the clamdscan output. Runs on the same output file.
Tue May 24 12:45:30 2016 -> +++ Started at Tue May 24 12:45:30 2016
Tue May 24 12:45:30 2016 -> Received 0 file descriptor(s) from systemd.
Tue May 24 12:45:30 2016 -> clamd daemon 0.99.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Tue May 24 12:45:30 2016 -> Log file size limited to 104857600 bytes.
Tue May 24 12:45:30 2016 -> Reading databases from /program/clamav_new/database
Tue May 24 12:45:30 2016 -> Not loading PUA signatures.
Tue May 24 12:45:30 2016 -> Bytecode: Security mode set to "TrustSigned".
Tue May 24 12:45:38 2016 -> Loaded 4383889 signatures.
Tue May 24 12:45:39 2016 -> TCP: Bound to [0.0.0.0]:3310
Tue May 24 12:45:39 2016 -> TCP: Setting connection queue length to 200
Tue May 24 12:45:39 2016 -> LOCAL: Unix socket file /tmp/clamd.socket
Tue May 24 12:45:39 2016 -> LOCAL: Setting connection queue length to 200
Tue May 24 12:45:39 2016 -> Limits: Global size limit set to 104857600 bytes.
Tue May 24 12:45:39 2016 -> Limits: File size limit set to 41943040 bytes.
Tue May 24 12:45:39 2016 -> Limits: Recursion level limit set to 16.
Tue May 24 12:45:39 2016 -> Limits: Files limit set to 10000.
Tue May 24 12:45:39 2016 -> Limits: MaxEmbeddedPE limit set to 10485760 bytes.
Tue May 24 12:45:39 2016 -> Limits: MaxHTMLNormalize limit set to 10485760 bytes.
Tue May 24 12:45:39 2016 -> Limits: MaxHTMLNoTags limit set to 2097152 bytes.
Tue May 24 12:45:39 2016 -> Limits: MaxScriptNormalize limit set to 5242880 bytes.
Tue May 24 12:45:39 2016 -> Limits: MaxZipTypeRcg limit set to 1048576 bytes.
Tue May 24 12:45:39 2016 -> Limits: MaxPartitions limit set to 50.
Tue May 24 12:45:39 2016 -> Limits: MaxIconsPE limit set to 100.
Tue May 24 12:45:39 2016 -> Limits: MaxRecHWP3 limit set to 16.
Tue May 24 12:45:39 2016 -> Limits: PCREMatchLimit limit set to 10000.
Tue May 24 12:45:39 2016 -> Limits: PCRERecMatchLimit limit set to 5000.
Tue May 24 12:45:39 2016 -> Limits: PCREMaxFileSize limit set to 26214400.
Tue May 24 12:45:39 2016 -> Archive support enabled.
Tue May 24 12:45:39 2016 -> Algorithmic detection enabled.
Tue May 24 12:45:39 2016 -> Portable Executable support enabled.
Tue May 24 12:45:39 2016 -> ELF support enabled.
Tue May 24 12:45:39 2016 -> Mail files support enabled.
Tue May 24 12:45:39 2016 -> OLE2 support enabled.
Tue May 24 12:45:39 2016 -> PDF support enabled.
Tue May 24 12:45:39 2016 -> SWF support enabled.
Tue May 24 12:45:39 2016 -> HTML support enabled.
Tue May 24 12:45:39 2016 -> XMLDOCS support enabled.
Tue May 24 12:45:39 2016 -> HWP3 support enabled.
Tue May 24 12:45:39 2016 -> Self checking every 600 seconds.
Tue May 24 12:55:54 2016 -> SelfCheck: Database status OK.
Tue May 24 13:13:18 2016 -> SelfCheck: Database status OK.
Tue May 24 13:23:18 2016 -> SelfCheck: Database status OK.
Tue May 24 13:33:18 2016 -> SelfCheck: Database status OK.
Tue May 24 13:43:18 2016 -> SelfCheck: Database status OK.
Tue May 24 13:53:18 2016 -> SelfCheck: Database status OK.
Tue May 24 13:58:29 2016 -> /nfshome/66118710/clam/cybercom_pentest2.pdf: Win.Trojan.MSShellcode-7(0fefca28d5c5509397979d86c4e8d1cb:95307) FOUND
$/program/clamav_new/clamav/bin/clamdscan -c /program/clamav_new/clamav/etc/clamd-A1.conf /nfshome/66118710/clam/cybercom_pentest2.pdf
/nfshome/66118710/clam/cybercom_pentest2.pdf: Win.Trojan.MSShellcode-7 FOUND
----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.047 sec (0 m 0 s)
Date: Tue, 24 May 2016 16:52:22 +0200
Subject: Re: [clamav-users] Problem with setup
I know that the setup has worked before, but the test virus is new and the clamav version is new. The plugins are written by me and used in a small MTS application.
I am not reading the log file but the output stream from clamd; they are two different things.
I just wonder how clamd is missing a virus that clamdscan picks up when using the same settings and the same database.
Is there a difference in the way they work?
_________
You could have saved us all a lot of time, if only you had given us that
information up-front.
With the new ClamAV Version - does it detect the standard Eicar Test
Virus? (Sent in an attachment as eg. Eicar.com)
Could you provide the output from the ClamD when injecting the infected
PDF file. (All output please - log and socket)
Also the output from Clamscan processing the same file would be useful.
Best regards
Michael
_______________________________________________
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
Philip Andersson
2016-05-25 09:06:45 UTC
I got some new information. The test files came from Cybercom, and all other test files they sent to us were blocked. I think that clamd removes the virus, reports OK back, and translates the stream from PDF 1.4 to PDF 1.5, because if I open the two files in hex editors their headers are not the same and the row containing the virus is gone. Could clamd have done this?
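The two questions in this thread (why a plugin streaming bytes to clamd gets a different verdict than clamdscan gets for the same path, and whether the scanned file ended up modified) can both be checked directly from the clamd socket. clamdscan sends clamd the file path (SCAN/CONTSCAN, or INSTREAM only with --stream), whereas a plugin that writes the bytes into the socket is using INSTREAM, which is subject to clamd's StreamMaxLength and depends on the client framing the stream correctly; a truncated or mis-framed stream is scanned as a different file. The following Python client is an added example, not code from this thread or from the ClamAV project: it speaks the INSTREAM protocol (zINSTREAM, 4-byte big-endian length prefix per chunk, zero-length terminator, NUL-terminated reply), parses the verdict, and hashes the file before and after the scan so a changed header would show up as a hash mismatch. The socket path /tmp/clamd.socket and the PDF path are assumptions copied from the log and command line quoted above.

```python
"""Added example (not from the thread or ClamAV): scan a file via clamd's
INSTREAM command, parse the reply, and verify the on-disk file is unchanged."""
import hashlib
import socket
import struct
import sys
from pathlib import Path

# Assumptions taken from the log and command line quoted in the thread.
DEFAULT_SOCKET = "/tmp/clamd.socket"
DEFAULT_FILE = "/nfshome/66118710/clam/cybercom_pentest2.pdf"
CHUNK_SIZE = 4096


def instream_frames(data, chunk_size=CHUNK_SIZE):
    """Yield the wire bytes of one INSTREAM session in clamd's z-mode framing:
    the NUL-terminated command, a 4-byte network-order length before every
    chunk, and a zero-length chunk that marks the end of the stream."""
    yield b"zINSTREAM\0"
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        yield struct.pack("!I", len(chunk)) + chunk
    yield struct.pack("!I", 0)


def parse_reply(raw):
    """Turn a z-mode reply such as b'stream: Win.Trojan.MSShellcode-7 FOUND\\0'
    into (status, detail); status is FOUND, OK, ERROR or UNKNOWN."""
    text = raw.rstrip(b"\0").decode("utf-8", "replace").strip()
    if text.startswith("stream: "):
        text = text[len("stream: "):]
    for suffix in (" FOUND", " ERROR"):
        if text.endswith(suffix):
            return suffix.strip(), text[:-len(suffix)]
    if text == "OK":
        return "OK", ""
    return "UNKNOWN", text


def scan_stream(data, sock_path=DEFAULT_SOCKET):
    """Submit data with INSTREAM and return the parsed verdict.
    Needs a running clamd listening on sock_path."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(sock_path)
        for frame in instream_frames(data):
            sock.sendall(frame)
        reply = b""
        while not reply.endswith(b"\0"):  # z-mode replies end with NUL
            part = sock.recv(4096)
            if not part:
                break
            reply += part
    return parse_reply(reply)


def scan_file_and_verify(path, sock_path=DEFAULT_SOCKET):
    """Scan the file as a stream; also report whether its bytes on disk
    are identical before and after the scan (same SHA-256)."""
    path = Path(path)
    data = path.read_bytes()
    before = hashlib.sha256(data).hexdigest()
    verdict = scan_stream(data, sock_path)
    after = hashlib.sha256(path.read_bytes()).hexdigest()
    return verdict, before == after


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_FILE
    (status, detail), unchanged = scan_file_and_verify(target)
    print(f"{target}: {detail} {status}".replace("  ", " "))
    print("file unchanged after scan:", unchanged)
```

Run it against the same PDF that clamdscan flags; if this client gets FOUND while the plugin gets OK, the difference is in how the plugin frames or truncates the stream (or in StreamMaxLength), not in the signature database, and the hash comparison answers whether anything rewrote the file on disk.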