An ongoing problem with ClamAV

ron

Member
Oct 31, 2006
Hello guys,

In the last couple of weeks we had several incidents of viruses passing through proxmox only to be stopped by our exchange AV (I'm talking executables within ".zip" files, not phishing texts). I suspect the incidents are related to an error ClamAV gives me whenever I try to manually freshclam it.

attached are:
1. screenshot of the given error
2. example of a virus mail which went through proxmox (this particular one contained an executable).
3. screenshot of our exchange AV statistics.

How can I deal with this issue? do you need any more details?

thanks, Ron.
 

Attachments

  • Exchange AV.JPG (41 KB)
  • Putty_Proxmox.JPG (33.7 KB)
  • Virus through proxmox.jpg (84.2 KB)
I have the same problems ... mainly with

Trojan:Win32/Emold.gen!C

and also ClamAV Error:

ERROR: Problem with internal logger (UpdateLogFile = /var/log/clamav/freshclam.log).

any ideas?

t'x
Chris
 
Hello guys,

In the last couple of weeks we had several incidents of viruses passing through proxmox only to be stopped by our exchange AV (I'm talking executables within ".zip" files, not phishing texts). I suspect the incidents are related to an error ClamAV gives me whenever I try to manually freshclam it.

attached are:
1. screenshot of the given error
2. example of a virus mail which went through proxmox (this particular one contained an executable).
3. screenshot of our exchange AV statistics.

How can I deal with this issue? do you need any more details?

thanks, Ron.

Try stop/start of the freshclam service and then try manual update - Configuration/Virus detector/ClamAV and check if you got the actual patterns. How old was your database?

can you provide such a "virus" zip file, maybe a download link for us?
thanks,
 
Hi Tom,
the server has been restarted a few times since the problem first occurred, sometimes it works on the first try (and gives me an error on the second try), and sometimes not.

attached are a few virus examples, the password to the archives is proxmox.
 

Attachments

  • Examples1.zip (45.2 KB)
  • Examples2.zip (78.8 KB)
Hi Tom,
the server has been restarted a few times since the problem first occurred, sometimes it works on the first try (and gives me an error on the second try), and sometimes not.

attached are a few virus examples, the password to the archives is proxmox.

thanks. I tested these files, all recognized by the actual clamAV.

again:
1. Restart the freshclam service (via web interface, not the server)
2. Configuration/Virus detector/ClamAV and check if you got the actual patterns. is it working or not?
3. How old was your database before?
 
The thing is, my ClamAV signature databases were already up to date when the viruses got through.
daily.cvd gets successfully automatically updated a few times every day.

My databases are, at the moment, up to date. when I click "update" - freshclam fails (see screenshot). when I click "save" and THEN "update" - freshclam succeeds (see screenshot).

Maybe there is a permission problem? or a problem with the service itself?

:confused:
 

Attachments

  • Before clicking SAVE.JPG (48.4 KB)
  • After Clicking SAVE.JPG (84 KB)
Maybe there is a permission problem? or a problem with the service itself?

The service is running, so you already have the newest database.

There is just an issue with the manual update via web interface - this does not work sometimes - we will fix that in the next release.

- Dietmar
 
Well, if it's just a matter of manual update - then it's not a big deal (although the error also occurs when trying to update using SSH). I was worried that this error might be just a symptom of a bigger, more critical problem (i.e. viruses passing through proxmox).
 
then it's not a big deal (although the error also occurs when trying to update using SSH)

The problem occurs when two freshclam instances are running (the daemon in the background and the manually started process).
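Two checks a mail-gateway admin can run locally for the situation in this thread, as an added example (not code from the thread or from Proxmox): a pre-flight test that a freshclam daemon is not already alive before starting a manual run, and a parser for freshclam.log that reports the newest database versions seen and counts the "internal logger" errors. The pidfile path and the log line format (modelled on freshclam 0.9x output) are assumptions, and the log excerpt is constructed.

```python
import os
import re

# Constructed freshclam.log excerpt; line shapes follow freshclam 0.9x output
# (assumption) and include the logger error quoted in this thread.
SAMPLE_LOG = """ClamAV update process started at Thu Sep 18 09:00:01 2008
main.cvd is up to date (version: 49, sigs: 437972, f-level: 35, builder: sven)
daily.cld updated (version: 8215, sigs: 14152, f-level: 35, builder: ccordes)
ERROR: Problem with internal logger (UpdateLogFile = /var/log/clamav/freshclam.log).
""".splitlines()

DB_LINE = re.compile(
    r"\b(?P<db>main|daily)\.c[vl]d (?:is up to date|updated) \(version: (?P<ver>\d+)")
LOGGER_ERR = "Problem with internal logger"


def pid_alive(pid):
    """Signal 0 only asks the kernel whether the process exists."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists, but owned by another user
    return True


def freshclam_running(pidfile="/var/run/clamav/freshclam.pid"):
    """True if the daemon named in the pidfile is alive (path is an assumption)."""
    try:
        with open(pidfile) as fh:
            return pid_alive(int(fh.read().strip()))
    except (OSError, ValueError):
        return False  # no pidfile or unreadable pid: nothing to collide with


def analyse_log(lines):
    """Return ({db: newest version seen}, number of internal-logger errors)."""
    versions, errors = {}, 0
    for line in lines:
        m = DB_LINE.search(line)
        if m:
            versions[m.group("db")] = int(m.group("ver"))
        elif LOGGER_ERR in line:
            errors += 1
    return versions, errors


def db_current(versions, expected_daily):
    """Was the daily database at least the version published on clamav.net?"""
    return versions.get("daily", -1) >= expected_daily
```

If `freshclam_running()` is true, skip the manual run instead of starting a second instance; a logger error count above zero in the log is the trace that two instances did collide.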
 
I am also experiencing the problem with viruses passing through ClamAV on Proxmox, when ClamAV itself offers detection for the files in question. The definitions appear to be sufficiently up to date on Proxmox. I'll keep a hold of anything making it through now, which is being detected by a stand alone ClamAV scanner. Is it ok to upload the virus infected files to the forum as a post attachment? Maybe as a password protected zip file?
 
I am also experiencing the problem with viruses passing through ClamAV on Proxmox, when ClamAV itself offers detection for the files in question. The definitions appear to be sufficiently up to date on Proxmox. I'll keep a hold of anything making it through now, which is being detected by a stand alone ClamAV scanner. Is it ok to upload the virus infected files to the forum as a post attachment? Maybe as a password protected zip file?

yes, provide the zip file in this forum.
 
password: proxmox for eTicket_K2.doc.exe.zip

(sorry, wasn't sure if password protection worked)

chris

thanks, exe files should be blocked also by dangerous files rule.

we did a few tests and it seems that the new ClamAV 0.94 works better. We started testing/integration and I assume we will release a hotfix next week.
 
After a few more viruses went clean through proxmox this morning, I downgraded to version 2.1. So far so good, I started receiving alerts about blocked viruses again (2.2 was also configured to alert me, but it didn't) and the virus count on the exchange server AV is static.

freshclaming yields one of two results: "updating", or "already up to date". no errors, no need to click "save", works perfect.

I am in no position to make declarations, you guys obviously know linux way better than I do, but I do think there is something wrong somewhere in the scanning mechanism of version 2.2 (and still, I don't rule out the possibility that something was defective in my specific installation).
 
After a few more viruses went clean through proxmox this morning, I downgraded to version 2.1. So far so good, I started receiving alerts about blocked viruses again (2.2 was also configured to alert me, but it didn't) and the virus count on the exchange server AV is static.

freshclaming yields one of two results: "updating", or "already up to date". no errors, no need to click "save", works perfect.

I am in no position to make declarations, you guys obviously know linux way better than I do, but I do think there is something wrong somewhere in the scanning mechanism of version 2.2 (and still, I don't rule out the possibility that something was defective in my specific installation).

downgrading is not really a solution, we are working to release a new ClamAV package, you can expect it next week.

just to mention: we also offer a second virus scanner (Kaspersky), but this has to be licensed, see pricelist
 
I have just had another virus slip through Proxmox. The status page shows 8215, which matches the latest version listed as being available on the ClamAV website.

Running the file through an online checker shows the virus as currently being detected by ClamAV.

The virus in question has been attached to the post. (I have wrapped the original zip attachment inside another zip file protected with the password 'infected')
 

Attachments

  • virus.zip (57.7 KB)
