Hello,

I hope this is the official repo? I've noticed ClamAV is not blocking encrypted 7z archives:

# clamscan --version
ClamAV 0.98.7/20949/Wed Sep 30 16:30:18 2015

Testing encrypted zip:

# clamscan --block-encrypted=yes test.zip 
test.zip: Heuristics.Encrypted.Zip FOUND

----------- SCAN SUMMARY -----------
Known viruses: 4013914
Engine version: 0.98.7
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.07 MB (ratio 0.00:1)
Time: 9.000 sec (0 m 9 s)

So encrypted zip files are being blocked, that's OK.

Now an encrypted 7z archive:

# clamscan --block-encrypted=yes test.7z  
test.7z: OK

----------- SCAN SUMMARY -----------
Known viruses: 4013914
Engine version: 0.98.7
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.07 MB
Data read: 0.07 MB (ratio 1.00:1)
Time: 9.017 sec (0 m 9 s)

test.7z was not detected by ClamAV as an encrypted archive, but:

# p7zip -d test.7z 

7-Zip (A) [64] 9.20  Copyright (c) 1999-2010 Igor Pavlov  2010-11-18
p7zip Version 9.20 (locale=en_US,Utf16=on,HugeFiles=on,8 CPUs)

Processing archive: test.7z

Enter password (will not be echoed) :

Our product uses the ClamAV daemon to scan files. We encourage our customers to create a RAM Disk, and set the folder where files to be scanned are place to it in order to improve performance.
We have noticed that from ClamAV versions 0.103.0 and above the daemon returns the following scan result:
O:\\MALCORE_FILES\\resources\\oms_testfile: Failed to determine real path: Unknown error. ERROR

In the ClamAV logs the following can be seen:

Mon Jun 21 10:05:47 2021 -> WARNING: Failed to determine real path for: O:\MALCORE_FILES\resources\oms_testfile
Mon Jun 21 10:05:47 2021 -> Quarantine of the file may fail if file path contains symlinks.
Mon Jun 21 10:05:47 2021 -> O:\MALCORE_FILES\resources\oms_testfile: OK

The oms_testfile is a basic text file.

To reproduce the issue, create a RAM Disk as described here: https://onlinehelp.opswat.com/corev4/2.6._Special_installation_options.html (Step 1)
Place a file on the RAM Disk
Send a scan request to clamd to scan the file on the RAM Disk

The clamd.conf file is dynamically created with the default content of:

FixStaleSocket yes
Foreground yes
ExitOnOOM yes
AlgorithmicDetection yes
PCREMatchLimit 0
ScanArchive no
DetectPUA no
ScanPDF no
DatabaseDirectory <dynamically determined>
TCPSocket <dynamically determined>
TCPAddr 127.0.0.1
MaxScanSize 0
MaxFileSize 0
TemporaryDirectory <dynamically determined>

Suppose you have a 64bit-only architecture, your compiler is llvm/clang,
and you want to install clamav on a path of your own.

The following triggers an error:

./configure --prefix=/my/path <...>

clang: error: unsupported option '-print-multi-os-directory'
clang: error: no input files

There is a problem with clamav's configurator, because we do not need
the result of "gcc -print-multi-os-directory". In fact, we set the default
libdir implicitly, when setting the custom prefix, but the configurator
ignored the custom value.

• Ref. ChangeLog:

Mon Oct 20 17:23:12 EEST 2008 (edwin)

• aclocal.m4, configure, configure.in, m4/acinclude.m4,
  m4/lib-prefix.m4: use -print-multi-os-directory to set default
  libdir (bb #1240)
• WARNING: On a 64-bit multiarch OS, this will by
  default install libclamav into /usr/local/lib64, if your system uses
  /usr/local/lib for 32bit apps. If the system uses /usr/local/lib
  for 64-bit apps and lib32 for 32bit apps, there is no change (unless
  you use -m32).
• Ref. configure --help

--prefix=PREFIX install architecture-independent files in PREFIX [/usr/local]
--exec-prefix=EPREFIX install architecture-dependent files in EPREFIX [PREFIX]
--libdir=DIR object code libraries [EPREFIX/lib]

To solve the problem from the command line, it is sufficient to specify libdir again:

./configure --prefix=/my/path --libdir=/my/path/lib <...>

Is there anyway or target to force clamav to inspect ignored types. For example.. If I wanted to detect the EXE inside of EPS in the word doc described here http://casual-scrutiny.blogspot.in/2016/02/cve-2015-2545-itw-emet-evasion.html I could do something like the following. But it appears that PostScript is always ignored because it is CL_TYPE_IGNORED in libclamav/filetypes_int.h "0:0:252150532d41646f62652d:PostScript:CL_TYPE_ANY:CL_TYPE_IGNORED". Is there anyway to force scanning of this filetype or this signature without recompiling clamav?

MiscreantPunch.AsciiEXEinEPS.Common.CVE-2015-2545.Construct;Target:0;(0);2525426f756e64696e67426f78_34643561_3534363836393733323037303732366636373732363136643230::i

head -1 FL9364.tmp.bin
%!PS-Adobe-3.0
coz@3d0:~/Downloads/clam-punch$ clamscan --debug -d miscreantpunch099.ldb FL9364.tmp.bin
LibClamAV debug: searching for unrar, user-searchpath: /usr/lib
LibClamAV debug: searching for unrar: libclamunrar_iface.so.7.1.1 not found
LibClamAV debug: searching for unrar: libclamunrar_iface.so.7 not found
LibClamAV debug: searching for unrar: libclamunrar_iface.so not found
LibClamAV debug: searching for unrar: libclamunrar_iface.a not found
LibClamAV debug: Cannot dlopen libclamunrar_iface: file not found - unrar support unavailable
LibClamAV debug: Initialized 0.99 engine
LibClamAV debug: Initializing phishcheck module
LibClamAV debug: Phishcheck: Compiling regex: ^ (http|https|ftp:(//)?)?[0-9]{1,3}(.[0-9]{1,3}){3}[/?:]? *$
LibClamAV debug: Phishcheck module initialized
LibClamAV debug: Bytecode initialized in JIT mode
LibClamAV debug: Initializing engine->root[0]
LibClamAV debug: Initialising AC pattern matcher of root[0]
LibClamAV debug: cli_initroots: Initializing BM tables of root[0]
LibClamAV debug: Initializing engine->root[1]
LibClamAV debug: Initialising AC pattern matcher of root[1]
LibClamAV debug: cli_initroots: Initializing BM tables of root[1]
LibClamAV debug: Initializing engine->root[2]
LibClamAV debug: Initialising AC pattern matcher of root[2]
LibClamAV debug: Initializing engine->root[3]
LibClamAV debug: Initialising AC pattern matcher of root[3]
LibClamAV debug: Initializing engine->root[4]
LibClamAV debug: Initialising AC pattern matcher of root[4]
LibClamAV debug: Initializing engine->root[5]
LibClamAV debug: Initialising AC pattern matcher of root[5]
LibClamAV debug: Initializing engine->root[6]
LibClamAV debug: Initialising AC pattern matcher of root[6]
LibClamAV debug: Initializing engine->root[7]
LibClamAV debug: Initialising AC pattern matcher of root[7]
LibClamAV debug: Initializing engine->root[8]
LibClamAV debug: Initialising AC pattern matcher of root[8]
LibClamAV debug: Initializing engine->root[9]
LibClamAV debug: Initialising AC pattern matcher of root[9]
LibClamAV debug: Initializing engine->root[10]
LibClamAV debug: Initialising AC pattern matcher of root[10]
LibClamAV debug: Initializing engine->root[11]
LibClamAV debug: Initialising AC pattern matcher of root[11]
LibClamAV debug: Initializing engine->root[12]
LibClamAV debug: Initialising AC pattern matcher of root[12]
LibClamAV debug: Initializing engine->root[13]
LibClamAV debug: Initialising AC pattern matcher of root[13]
LibClamAV debug: Initializing engine->root[14]
LibClamAV debug: Initialising AC pattern matcher of root[14]
LibClamAV debug: miscreantpunch099.ldb loaded
LibClamAV debug: Loaded 148 filetype definitions
LibClamAV debug: Using filter for trie 0
LibClamAV debug: Matcher[0]: GENERIC: AC sigs: 343 (reloff: 1, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 0 (reloff: 0, absoff: 0) maxpatlen 109
LibClamAV debug: Using filter for trie 1
LibClamAV debug: Matcher[1]: PE: AC sigs: 8 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 0 (reloff: 0, absoff: 0) maxpatlen 12
LibClamAV debug: Matcher[2]: OLE2: AC sigs: 153 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 11 (reloff: 0, absoff: 0) maxpatlen 58 (ac_only mode)
LibClamAV debug: Matcher[3]: HTML: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Using filter for trie 4
LibClamAV debug: Matcher[4]: MAIL: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Matcher[5]: GRAPHICS: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Matcher[6]: ELF: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Using filter for trie 7
LibClamAV debug: Matcher[7]: ASCII: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Matcher[8]: NOT USED: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Matcher[9]: MACH-O: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Matcher[10]: PDF: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Matcher[11]: FLASH: AC sigs: 60 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 0 (reloff: 0, absoff: 0) maxpatlen 64 (ac_only mode)
LibClamAV debug: Matcher[12]: JAVA: AC sigs: 21 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 0 (reloff: 0, absoff: 0) maxpatlen 77 (ac_only mode)
LibClamAV debug: Matcher[13]: INTERNAL: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Matcher[14]: OTHER: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Dynamic engine configuration settings:
LibClamAV debug: --------------------------------------
LibClamAV debug: Module PE: On
LibClamAV debug: * Submodule PARITE: On
LibClamAV debug: * Submodule KRIZ: On
LibClamAV debug: * Submodule MAGISTR: On
LibClamAV debug: * Submodule POLIPOS: On
LibClamAV debug: * Submodule MD5SECT: On
LibClamAV debug: * Submodule UPX: On
LibClamAV debug: * Submodule FSG: On
LibClamAV debug: * Submodule SWIZZOR: * Off **
LibClamAV debug: * Submodule PETITE: On
LibClamAV debug: * Submodule PESPIN: On
LibClamAV debug: * Submodule YC: On
LibClamAV debug: * Submodule WWPACK: On
LibClamAV debug: * Submodule NSPACK: On
LibClamAV debug: * Submodule MEW: On
LibClamAV debug: * Submodule UPACK: On
LibClamAV debug: * Submodule ASPACK: On
LibClamAV debug: * Submodule CATALOG: On
LibClamAV debug: * Submodule DISABLECERT: ** Off **
LibClamAV debug: * Submodule DUMPCERT: ** Off **
LibClamAV debug: * Submodule MATCHICON: On
LibClamAV debug: Module ELF: On
LibClamAV debug: Module MACHO: On
LibClamAV debug: Module ARCHIVE: On
LibClamAV debug: * Submodule RAR: On
LibClamAV debug: * Submodule ZIP: On
LibClamAV debug: * Submodule GZIP: On
LibClamAV debug: * Submodule BZIP: On
LibClamAV debug: * Submodule ARJ: On
LibClamAV debug: * Submodule SZDD: On
LibClamAV debug: * Submodule CAB: On
LibClamAV debug: * Submodule CHM: On
LibClamAV debug: * Submodule OLE2: On
LibClamAV debug: * Submodule TAR: On
LibClamAV debug: * Submodule CPIO: On
LibClamAV debug: * Submodule BINHEX: On
LibClamAV debug: * Submodule SIS: On
LibClamAV debug: * Submodule NSIS: On
LibClamAV debug: * Submodule AUTOIT: On
LibClamAV debug: * Submodule ISHIELD: On
LibClamAV debug: * Submodule 7zip: On
LibClamAV debug: * Submodule ISO9660: On
LibClamAV debug: * Submodule DMG: On
LibClamAV debug: * Submodule XAR: On
LibClamAV debug: * Submodule HFSPLUS: On
LibClamAV debug: * Submodule XZ: On
LibClamAV debug: * Submodule PASSWD: On
LibClamAV debug: Module DOCUMENT: On
LibClamAV debug: * Submodule HTML: On
LibClamAV debug: * Submodule RTF: On
LibClamAV debug: * Submodule PDF: On
LibClamAV debug: * Submodule SCRIPT: On
LibClamAV debug: * Submodule HTMLSKIPRAW: On
LibClamAV debug: * Submodule JSNORM: On
LibClamAV debug: * Submodule SWF: On
LibClamAV debug: Module MAIL: On
LibClamAV debug: * Submodule MBOX: On
LibClamAV debug: * Submodule TNEF: On
LibClamAV debug: Module OTHER: On
LibClamAV debug: * Submodule UUENCODED: On
LibClamAV debug: * Submodule SCRENC: On
LibClamAV debug: * Submodule RIFF: On
LibClamAV debug: * Submodule JPEG: On
LibClamAV debug: * Submodule CRYPTFF: On
LibClamAV debug: * Submodule DLP: On
LibClamAV debug: * Submodule MYDOOMLOG: On
LibClamAV debug: * Submodule PREFILTERING: On
LibClamAV debug: * Submodule PDFNAMEOBJ: On
LibClamAV debug: * Submodule PRTNINTXN: On
LibClamAV debug: Module PHISHING On
LibClamAV debug: * Submodule ENGINE: On
LibClamAV debug: * Submodule ENTCONV: On
LibClamAV debug: Module BYTECODE On
LibClamAV debug: * Submodule INTERPRETER: On
LibClamAV debug: * Submodule JIT X86: On
LibClamAV debug: * Submodule JIT PPC: On
LibClamAV debug: * Submodule JIT ARM: ** Off **
LibClamAV debug: Module STATS Off
LibClamAV debug: Module PCRE On
LibClamAV debug: * Submodule SUPPORT: On
LibClamAV debug: * Submodule OPTIONS: On
LibClamAV debug: * Submodule GLOBAL: On
LibClamAV debug: pool memory used: 7.034 MB
LibClamAV debug: No bytecodes loaded, not running builtin test
LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16)
LibClamAV debug: Recognized PostScript file
LibClamAV debug: cache_check: 181d0d3dd05618fb3fd056c2c79cf741 is negative
LibClamAV debug: cli_magic_scandesc: returning 0 at line 2541
LibClamAV debug: cache_add: 181d0d3dd05618fb3fd056c2c79cf741 (level 0)
FL9364.tmp.bin: OK
LibClamAV debug: Cleaning up phishcheck
LibClamAV debug: Freeing phishcheck struct
LibClamAV debug: Phishcheck cleaned up

----------- SCAN SUMMARY -----------
Known viruses: 90
Engine version: 0.99
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.46 MB (ratio 0.00:1)
Time: 0.008 sec (0 m 0 s)

###################Trim PostScript line 1

head -1 FL9364.tmp.bin
%%BoundingBox: 36 36 576 756

coz@3d0:~/Downloads/clam-punch$ clamscan --debug -d miscreantpunch099.ldb FL9364.tmp.bin
LibClamAV debug: searching for unrar, user-searchpath: /usr/lib
LibClamAV debug: searching for unrar: libclamunrar_iface.so.7.1.1 not found
LibClamAV debug: searching for unrar: libclamunrar_iface.so.7 not found
LibClamAV debug: searching for unrar: libclamunrar_iface.so not found
LibClamAV debug: searching for unrar: libclamunrar_iface.a not found
LibClamAV debug: Cannot dlopen libclamunrar_iface: file not found - unrar support unavailable
LibClamAV debug: Initialized 0.99 engine
LibClamAV debug: Initializing phishcheck module
LibClamAV debug: Phishcheck: Compiling regex: ^ (http|https|ftp:(//)?)?[0-9]{1,3}(.[0-9]{1,3}){3}[/?:]? *$
LibClamAV debug: Phishcheck module initialized
LibClamAV debug: Bytecode initialized in JIT mode
LibClamAV debug: Initializing engine->root[0]
LibClamAV debug: Initialising AC pattern matcher of root[0]
LibClamAV debug: cli_initroots: Initializing BM tables of root[0]
LibClamAV debug: Initializing engine->root[1]
LibClamAV debug: Initialising AC pattern matcher of root[1]
LibClamAV debug: cli_initroots: Initializing BM tables of root[1]
LibClamAV debug: Initializing engine->root[2]
LibClamAV debug: Initialising AC pattern matcher of root[2]
LibClamAV debug: Initializing engine->root[3]
LibClamAV debug: Initialising AC pattern matcher of root[3]
LibClamAV debug: Initializing engine->root[4]
LibClamAV debug: Initialising AC pattern matcher of root[4]
LibClamAV debug: Initializing engine->root[5]
LibClamAV debug: Initialising AC pattern matcher of root[5]
LibClamAV debug: Initializing engine->root[6]
LibClamAV debug: Initialising AC pattern matcher of root[6]
LibClamAV debug: Initializing engine->root[7]
LibClamAV debug: Initialising AC pattern matcher of root[7]
LibClamAV debug: Initializing engine->root[8]
LibClamAV debug: Initialising AC pattern matcher of root[8]
LibClamAV debug: Initializing engine->root[9]
LibClamAV debug: Initialising AC pattern matcher of root[9]
LibClamAV debug: Initializing engine->root[10]
LibClamAV debug: Initialising AC pattern matcher of root[10]
LibClamAV debug: Initializing engine->root[11]
LibClamAV debug: Initialising AC pattern matcher of root[11]
LibClamAV debug: Initializing engine->root[12]
LibClamAV debug: Initialising AC pattern matcher of root[12]
LibClamAV debug: Initializing engine->root[13]
LibClamAV debug: Initialising AC pattern matcher of root[13]
LibClamAV debug: Initializing engine->root[14]
LibClamAV debug: Initialising AC pattern matcher of root[14]
LibClamAV debug: miscreantpunch099.ldb loaded
LibClamAV debug: Loaded 148 filetype definitions
LibClamAV debug: Using filter for trie 0
LibClamAV debug: Matcher[0]: GENERIC: AC sigs: 343 (reloff: 1, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 0 (reloff: 0, absoff: 0) maxpatlen 109
LibClamAV debug: Using filter for trie 1
LibClamAV debug: Matcher[1]: PE: AC sigs: 8 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 0 (reloff: 0, absoff: 0) maxpatlen 12
LibClamAV debug: Matcher[2]: OLE2: AC sigs: 153 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 11 (reloff: 0, absoff: 0) maxpatlen 58 (ac_only mode)
LibClamAV debug: Matcher[3]: HTML: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Using filter for trie 4
LibClamAV debug: Matcher[4]: MAIL: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Matcher[5]: GRAPHICS: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Matcher[6]: ELF: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Using filter for trie 7
LibClamAV debug: Matcher[7]: ASCII: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Matcher[8]: NOT USED: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Matcher[9]: MACH-O: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Matcher[10]: PDF: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Matcher[11]: FLASH: AC sigs: 60 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 0 (reloff: 0, absoff: 0) maxpatlen 64 (ac_only mode)
LibClamAV debug: Matcher[12]: JAVA: AC sigs: 21 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 0 (reloff: 0, absoff: 0) maxpatlen 77 (ac_only mode)
LibClamAV debug: Matcher[13]: INTERNAL: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Matcher[14]: OTHER: AC sigs: 0 (reloff: 0, absoff: 0) BM sigs: 0 (reloff: 0, absoff: 0) PCREs: 0 (reloff: 0, absoff: 0) maxpatlen 0 (ac_only mode)
LibClamAV debug: Dynamic engine configuration settings:
LibClamAV debug: --------------------------------------
LibClamAV debug: Module PE: On
LibClamAV debug: * Submodule PARITE: On
LibClamAV debug: * Submodule KRIZ: On
LibClamAV debug: * Submodule MAGISTR: On
LibClamAV debug: * Submodule POLIPOS: On
LibClamAV debug: * Submodule MD5SECT: On
LibClamAV debug: * Submodule UPX: On
LibClamAV debug: * Submodule FSG: On
LibClamAV debug: * Submodule SWIZZOR: * Off **
LibClamAV debug: * Submodule PETITE: On
LibClamAV debug: * Submodule PESPIN: On
LibClamAV debug: * Submodule YC: On
LibClamAV debug: * Submodule WWPACK: On
LibClamAV debug: * Submodule NSPACK: On
LibClamAV debug: * Submodule MEW: On
LibClamAV debug: * Submodule UPACK: On
LibClamAV debug: * Submodule ASPACK: On
LibClamAV debug: * Submodule CATALOG: On
LibClamAV debug: * Submodule DISABLECERT: ** Off **
LibClamAV debug: * Submodule DUMPCERT: ** Off **
LibClamAV debug: * Submodule MATCHICON: On
LibClamAV debug: Module ELF: On
LibClamAV debug: Module MACHO: On
LibClamAV debug: Module ARCHIVE: On
LibClamAV debug: * Submodule RAR: On
LibClamAV debug: * Submodule ZIP: On
LibClamAV debug: * Submodule GZIP: On
LibClamAV debug: * Submodule BZIP: On
LibClamAV debug: * Submodule ARJ: On
LibClamAV debug: * Submodule SZDD: On
LibClamAV debug: * Submodule CAB: On
LibClamAV debug: * Submodule CHM: On
LibClamAV debug: * Submodule OLE2: On
LibClamAV debug: * Submodule TAR: On
LibClamAV debug: * Submodule CPIO: On
LibClamAV debug: * Submodule BINHEX: On
LibClamAV debug: * Submodule SIS: On
LibClamAV debug: * Submodule NSIS: On
LibClamAV debug: * Submodule AUTOIT: On
LibClamAV debug: * Submodule ISHIELD: On
LibClamAV debug: * Submodule 7zip: On
LibClamAV debug: * Submodule ISO9660: On
LibClamAV debug: * Submodule DMG: On
LibClamAV debug: * Submodule XAR: On
LibClamAV debug: * Submodule HFSPLUS: On
LibClamAV debug: * Submodule XZ: On
LibClamAV debug: * Submodule PASSWD: On
LibClamAV debug: Module DOCUMENT: On
LibClamAV debug: * Submodule HTML: On
LibClamAV debug: * Submodule RTF: On
LibClamAV debug: * Submodule PDF: On
LibClamAV debug: * Submodule SCRIPT: On
LibClamAV debug: * Submodule HTMLSKIPRAW: On
LibClamAV debug: * Submodule JSNORM: On
LibClamAV debug: * Submodule SWF: On
LibClamAV debug: Module MAIL: On
LibClamAV debug: * Submodule MBOX: On
LibClamAV debug: * Submodule TNEF: On
LibClamAV debug: Module OTHER: On
LibClamAV debug: * Submodule UUENCODED: On
LibClamAV debug: * Submodule SCRENC: On
LibClamAV debug: * Submodule RIFF: On
LibClamAV debug: * Submodule JPEG: On
LibClamAV debug: * Submodule CRYPTFF: On
LibClamAV debug: * Submodule DLP: On
LibClamAV debug: * Submodule MYDOOMLOG: On
LibClamAV debug: * Submodule PREFILTERING: On
LibClamAV debug: * Submodule PDFNAMEOBJ: On
LibClamAV debug: * Submodule PRTNINTXN: On
LibClamAV debug: Module PHISHING On
LibClamAV debug: * Submodule ENGINE: On
LibClamAV debug: * Submodule ENTCONV: On
LibClamAV debug: Module BYTECODE On
LibClamAV debug: * Submodule INTERPRETER: On
LibClamAV debug: * Submodule JIT X86: On
LibClamAV debug: * Submodule JIT PPC: On
LibClamAV debug: * Submodule JIT ARM: ** Off **
LibClamAV debug: Module STATS Off
LibClamAV debug: Module PCRE On
LibClamAV debug: * Submodule SUPPORT: On
LibClamAV debug: * Submodule OPTIONS: On
LibClamAV debug: * Submodule GLOBAL: On
LibClamAV debug: pool memory used: 7.034 MB
LibClamAV debug: No bytecodes loaded, not running builtin test
LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16)
LibClamAV debug: Recognized ASCII text
LibClamAV debug: cache_check: 05a2384b77e3f26024b761531f6c394a is negative
LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
LibClamAV debug: MiscreantPunch.DocEXEinEPS.Common.CVE-2015-2545.Construct.UNOFFICIAL found
LibClamAV debug: FP SIGNATURE: 05a2384b77e3f26024b761531f6c394a:488749:MiscreantPunch.DocEXEinEPS.Common.CVE-2015-2545.Construct.UNOFFICIAL
LibClamAV debug: cli_magic_scandesc: returning 1 at line 2541
FL9364.tmp.bin: MiscreantPunch.DocEXEinEPS.Common.CVE-2015-2545.Construct.UNOFFICIAL FOUND
LibClamAV debug: Cleaning up phishcheck
LibClamAV debug: Freeing phishcheck struct
LibClamAV debug: Phishcheck cleaned up

----------- SCAN SUMMARY -----------
Known viruses: 90
Engine version: 0.99
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.46 MB
Data read: 0.46 MB (ratio 1.00:1)
Time: 0.011 sec (0 m 0 s)

https://www.virustotal.com/ru/file/77a2097cb6ca81604a67c9706a32a5e9eac0318753cb0ea5e9a2aba62b69d245/analysis/1427446740/

Virus http://filebin.ca/1wFcQ34teLwl/5604189256balanc.zip

Hi,

the current version from the website is missing in the repository again. (see #44, #15)

The changelog in the tarball from the website differs from the one in the git repository (master and 0.99.2 branch):

--- ChangeLog   2016-05-09 15:45:46.645272919 +0200
+++ clamav-0.99.2/ChangeLog 2016-04-22 17:02:18.000000000 +0200
@@ -1,3 +1,177 @@
+Thu, 22 Apr 2016 12:45:00 -0500 (Steven Morgan)
+------------------------------------------
+ * ClamAV 0.99.2 release.
+
+Thu, 31 Mar 2016 17:07:39 -0400 (Kevin Lin)
+------------------------------------------
+ * 7z: fix for FolderStartPackStreamIndex array index heck
+
+Tue, 29 Mar 2016 16:18:51 -0400 (Steven Morgan)
+------------------------------------------
+ * bb11547 - print all CDBNAME entries for a zip file when using the
+   -z flag.
+
+Tue, 2 Sep 2014 22:44:41 +0200 (Sebastian Andrzej Siewior)
+------------------------------------------
+ * try to minimize the err cleanup path
+
+Tue, 2 Sep 2014 22:44:14 +0200 (Sebastian Andrzej Siewior)
+------------------------------------------
+ * clamunrar: notice if unpacking comment failed
+
+Wed, 23 Mar 2016 16:39:52 -0400 (Steven Morgan)
+------------------------------------------
+ * bb9042 - signature manual update.
+
+Wed, 23 Mar 2016 16:14:42 -0400 (Kevin Lin)
+------------------------------------------
+ * bb#11396 - use temp var for realloc to prevent pointer loss. Patch by
+   Bill Parker.
+
+Wed, 23 Mar 2016 15:49:56 -0400 (Kevin Lin)
+------------------------------------------
+ * bb#11397 - fix debug VI hex truncation
+
+Wed, 23 Mar 2016 15:38:21 -0400 (Kevin Lin)
+------------------------------------------
+ * bb#11398 - freshclam: avoid random data in mirrors.dat. Patch by
+   Tomasz Kojm.
+
+Wed, 23 Mar 2016 15:28:51 -0400 (Kevin Lin)
+------------------------------------------
+ * libclamav: print raw certificate metadata
+
+Wed, 23 Mar 2016 14:16:00 -0400 (Kevin Lin)
+------------------------------------------
+ * bb#11529 - freshclam manager check return code of strdup. Patch by
+   Sebastian A. Siewior.
+
+Tue, 22 Mar 2016 16:21:59 -0400 (Kevin Lin)
+------------------------------------------
+ * bb#11261 - additional suppress IP notification when using proxy
+
+Tue, 22 Mar 2016 12:54:52 -0400 (Kevin Lin)
+------------------------------------------
+ * bb#10983 - fix download and verification of *.cld through PrivateMirrors
+
+Mon, 21 Mar 2016 11:21:08 -0400 (Kevin Lin)
+------------------------------------------
+ * bb#11261 - suppress IP notification when using proxy
+
+Mon, 21 Mar 2016 11:20:01 -0400 (Kevin Lin)
+------------------------------------------
+ * bb#11543 - remove redundant mempool assignment
+
+Thu, 17 Mar 2016 11:49:26 -0400 (Kevin Lin)
+------------------------------------------
+ * bb#11003 - divide out dumpcerts output for better readability
+
+Wed, 16 Mar 2016 15:42:35 -0400 (Kevin Lin)
+------------------------------------------
+ * bb#11003 - fix dconf and option handling for nocert and dumpcert
+
+Mon, 14 Mar 2016 16:07:45 -0400 (Mickey Sola)
+------------------------------------------
+ * bb11463 - patch by Jim Morris to increase clamd's soft file descriptor to
+   its potential maximum on 64-bit systems
+
+Mon, 14 Mar 2016 17:12:20 -0400 (Steven Morgan)
+------------------------------------------
+ * Move libfreshclam config to m4/reorganization.
+
+Fri, 11 Mar 2016 13:32:31 -0700 (andrey mirtchovski)
+------------------------------------------
+ * adding libfreshclam
+
+Sun, 13 Mar 2016 23:27:23 -0400 (Tom Judge)
+------------------------------------------
+ * Add 'cdb' datafile to sigtools list of datafile types.
+
+Fri, 11 Mar 2016 16:02:22 -0500 (Steven Morgan)
+------------------------------------------
+ * bb11526 - NULL pointer check. Patch by Bill Parker.
+
+Fri, 11 Mar 2016 15:48:01 -0500 (Steven Morgan)
+------------------------------------------
+ * bb11524 - malloc() NULL pointer check. Patch by Bill Parker.
+
+Thu, 10 Mar 2016 18:26:33 -0500 (Steven Morgan)
+------------------------------------------
+ * bb1436 - clamscan 'block-macros' option. Patch by Kai Risku.
+
+Wed, 9 Mar 2016 17:07:06 -0500 (Kevin Lin)
+------------------------------------------
+ * bb#11514 - initialize cpio name buffer
+
+Wed, 9 Mar 2016 16:43:03 -0500 (Kevin Lin)
+------------------------------------------
+ * bb#11514 - initialize mspack decompression buffers
+
+Wed, 9 Mar 2016 12:15:16 -0500 (Kevin Lin)
+------------------------------------------
+ * bb#11514 - prevent memory allocations on used pointers (folder objects)
+
+Tue, 8 Mar 2016 16:04:21 -0500 (Kevin Lin)
+------------------------------------------
+ * bb#11514 - prevent memory allocations on used pointers (boolvectors)
+
+Tue, 8 Mar 2016 14:37:20 -0500 (Kevin Lin)
+------------------------------------------
+ * bb#11514 - initialize ARJ metadata structures
+
+Tue, 8 Mar 2016 14:37:01 -0500 (Kevin Lin)
+------------------------------------------
+ * bb#11514 - change cli_malloc with cli_calloc
+
+Mon, 7 Mar 2016 16:25:10 -0500 (Kevin Lin)
+------------------------------------------
+ * bb#11514 - check packSizes prior to dereference
+
+Mon, 7 Mar 2016 16:10:09 -0500 (Kevin Lin)
+------------------------------------------
+ * bb#11514 - fixed inconsistent folder state on failure
+
+Mon, 7 Mar 2016 15:11:08 -0500 (Kevin Lin)
+------------------------------------------
+ * bb#11514 - pre-check on (*unpackSizes) dereference
+
+Mon, 7 Mar 2016 13:56:42 -0500 (Kevin Lin)
+------------------------------------------
+ * bb11514 - fix on pre-checks on dereferenced array
+
+Fri, 4 Mar 2016 16:57:14 -0500 (Kevin Lin)
+------------------------------------------
+ * bb11514 - pre-checks on dereferenced array size values (not =0)
+
+Wed, 2 Mar 2016 13:57:03 -0500 (Mickey Sola)
+------------------------------------------
+ * bb-11514 - adding sanity checks to 7z header parsing
+
+Tue, 1 Mar 2016 12:43:01 -0500 (Kevin Lin)
+------------------------------------------
+ * bb#11514 - fixed mew source read issue
+
+Fri, 4 Mar 2016 17:05:01 -0500 (Steven Morgan)
+------------------------------------------
+ * bb11188 - Upgrade to use libtool 2.4.6 for ClamAV building: fixes issues
+   with MacOSX 10.10 and 10.11.
+
+Tue, 1 Mar 2016 12:34:48 -0500 (Kevin Lin)
+------------------------------------------
+ * bb#11513 - documentation update on targets
+
+Mon, 29 Feb 2016 16:58:19 -0500 (Kevin Lin)
+------------------------------------------
+ * filetype consistency
+
+Mon, 29 Feb 2016 11:34:25 -0500 (Kevin Lin)
+------------------------------------------
+ * move llvm option flag handling to new m4 file
+
+Wed, 24 Feb 2016 13:29:42 -0500 (Kevin Lin)
+------------------------------------------
+ * hwp5.x: fix for streams without names
+
 Wed, 24 Feb 2016 18:45:00 -0500 (Steven Morgan)
 ------------------------------------------
  * ClamAV 0.99.1 release build.
@@ -10,14 +184,44 @@
 ------------------------------------------
  * libclamav: yara: avoid unaliged access to 64bit variable

-Thu, 11 Feb 2016 15:56:47 -0500 (Mickey Sola)
+Fri, 19 Feb 2016 16:16:39 -0500 (Mickey Sola)
 ------------------------------------------
- * bb11455 - patch by Mark Allan to add show-progress option to freshclam.
+ * bb11496 - adding signal handling to clamav-milter to allow for socket
+   removal and cleanup at close
+
+Thu, 18 Feb 2016 11:44:54 -0500 (Kevin Lin)
+------------------------------------------
+ * hwp3.x: enable password cancelling of parsing
+
+Wed, 17 Feb 2016 18:12:58 -0500 (Steven Morgan)
+------------------------------------------
+ * Kick out yara rules containing single byte subpatterns.

 Tue, 16 Feb 2016 14:15:18 -0500 (Kevin Lin)
 ------------------------------------------
  * added 'CustomXML' as trigger for likely OOXML

+Tue, 16 Feb 2016 12:04:14 -0500 (Kevin Lin)
+------------------------------------------
+ * fix make check issue with llvm builds with assertion
+
+Thu, 11 Feb 2016 15:56:47 -0500 (Mickey Sola)
+------------------------------------------
+ * bb11455 - patch by Mark Allan to add show-progress option to freshclam.
+
+Tue, 9 Feb 2016 13:46:13 -0500 (Mickey Sola)
+------------------------------------------
+ * bb10568 - patch from Andreas Cadhalpun to add systemd support for
+   clamd and freshclam
+
+Mon, 8 Feb 2016 11:28:42 -0500 (Kevin Lin)
+------------------------------------------
+ * PCRE2 support
+
+Mon, 8 Feb 2016 11:25:43 -0500 (Kevin Lin)
+------------------------------------------
+ * clamconf: reports usage of PCRE2
+
 Tue, 3 Feb 2016 17:30:00 -0500 (Steven Morgan)
 ------------------------------------------
  * ClamAV 0.99.1 beta1 release.

Note that it also differs in older entries before the 0.99.1 release build. Shouldn't only new changes added on the top?

Can you maybe add some checks to your release procedure to ensure that the source code is in the git repository?

Thanks,
Alex

The SHUTDOWN command should be disabled by default. At the moment you cannot run clamd in a production environment. Anybody can kill the process from outside to prevent it from doing its job. Using a proxy to block SHUTDOWN commands or installing clamd on every server instance is complicated or rather no option. At least there should be a way to disable this command, maybe in the configuration file.

Describe the bug

Our freshclam process is trying to updates the signature through a mirror server.

The connexion must go through a proxy

freshclam seems to make a HTTP call with the verb CONNECT on port 80

However the proxy only allow CONNECT call on port 443

┌─────────────┐                                     ┌─────────────────┐             ┌─────────────┐
│             │                                     │                 │             │             │
│  ClamAV     │  CONNECT proxy-server.org:80 HTTP   │      PROXY      │             │  Database   │
│  freshclam  ├────────────────────────────────────►│  port 443 only  ├────────────►│             │
└─────────────┘                                     └─────────────────┘             └─────────────┘

Is it possible to configure the port ?

Dear,

What is supported file types in clamav?
How i can detect Encrypted files?
How i can detect Password-Protected files?
How i can detect Destroyed files?
How i can detect Binded files?

Thanks

apt-get upgrade does not detect recommended version: 0.103.3:

systemctl stop clamav-freshclam.service

freshclam

Sun Jul 4 20:17:50 2021 -> ClamAV update process started at Sun Jul 4 20:17:50 2021
Sun Jul 4 20:17:50 2021 -> ^Your ClamAV installation is OUTDATED!
Sun Jul 4 20:17:50 2021 -> ^Local version: 0.103.2 Recommended version: 0.103.3
Sun Jul 4 20:17:50 2021 -> DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav
Sun Jul 4 20:17:50 2021 -> daily.cld database is up-to-date (version: 26221, sigs: 3993342, f-level: 63, builder: raynman)
Sun Jul 4 20:17:50 2021 -> main.cvd database is up-to-date (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)
Sun Jul 4 20:17:50 2021 -> bytecode.cld database is up-to-date (version: 333, sigs: 92, f-level: 63, builder: awillia2)

systemctl start clamav-freshclam.service

apt-get update

Hit:1 http://us.archive.ubuntu.com/ubuntu focal InRelease
Hit:2 http://us.archive.ubuntu.com/ubuntu focal-updates InRelease
Hit:3 http://us.archive.ubuntu.com/ubuntu focal-backports InRelease
Hit:4 http://us.archive.ubuntu.com/ubuntu focal-security InRelease
Reading package lists... Done

apt-get upgrade

Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

clamconf -n

Checking configuration files in /etc/clamav

Config file: clamd.conf

PreludeAnalyzerName = "ClamAV"
LogFileMaxSize = "4294967295"
LogTime = "yes"
LogRotate = "yes"
ExtendedDetectionInfo = "yes"
LocalSocket = "/var/run/clamav/clamd.ctl"
LocalSocketGroup = "clamav"
LocalSocketMode = "666"
MaxConnectionQueueLength = "15"
MaxThreads = "12"
ReadTimeout = "180"
SendBufTimeout = "200"
SelfCheck = "3600"
User = "clamav"
BytecodeTimeout = "60000"
MaxScanTime = "120000"
PCREMatchLimit = "10000"
PCRERecMatchLimit = "5000"
*** AllowSupplementaryGroups is DEPRECATED ***

Config file: freshclam.conf

LogFileMaxSize = "4294967295"
LogTime = "yes"
LogRotate = "yes"
UpdateLogFile = "/var/log/clamav/freshclam.log"
Checks = "24"
DatabaseMirror = "db.local.clamav.net", "database.clamav.net"
MaxAttempts = "5"

clamav-milter.conf not found

Software settings

Version: 0.103.2
Optional features supported: MEMPOOL IPv6 FRESHCLAM_DNS_FIX AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 ICONV JSON RAR

Database information

Database directory: /var/lib/clamav
main.cvd: version 59, sigs: 4564902, built on Mon Nov 25 07:56:15 2019
bytecode.cld: version 333, sigs: 92, built on Mon Mar 8 09:21:51 2021
daily.cld: version 26221, sigs: 3993342, built on Sun Jul 4 06:09:25 2021
Total number of signatures: 8558336

Platform information

uname: Linux 5.4.0-77-generic #86-Ubuntu SMP Thu Jun 17 02:35:03 UTC 2021 x86_64
OS: linux-gnu, ARCH: x86_64, CPU: x86_64
Full OS version: Ubuntu 20.04.2 LTS
zlib version: 1.2.11 (1.2.11), compile flags: a9
platform id: 0x0a217b7b0800000000090300

Build information

GNU C: 9.3.0 (9.3.0)
CPPFLAGS: -Wdate-time -D_FORTIFY_SOURCE=2
CFLAGS: -g -O2 -fdebug-prefix-map=/build/clamav-TW4JTf/clamav-0.103.2+dfsg=. -fstack-protector-strong -Wformat -Werror=format-security -Wall -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
CXXFLAGS: -g -O2 -fdebug-prefix-map=/build/clamav-TW4JTf/clamav-0.103.2+dfsg=. -fstack-protector-strong -Wformat -Werror=format-security -Wall -D_FILE_OFFSET_BITS=64
LDFLAGS: -Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -Wl,--as-needed
Configure: '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=/usr/include' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-silent-rules' '--libdir=/usr/lib/x86_64-linux-gnu' '--runstatedir=/run' '--disable-maintainer-mode' '--disable-dependency-tracking' 'CFLAGS=-g -O2 -fdebug-prefix-map=/build/clamav-TW4JTf/clamav-0.103.2+dfsg=. -fstack-protector-strong -Wformat -Werror=format-security -Wall -D_FILE_OFFSET_BITS=64' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fdebug-prefix-map=/build/clamav-TW4JTf/clamav-0.103.2+dfsg=. -fstack-protector-strong -Wformat -Werror=format-security -Wall -D_FILE_OFFSET_BITS=64' 'LDFLAGS=-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -Wl,--as-needed' '--with-dbdir=/var/lib/clamav' '--sysconfdir=/etc/clamav' '--disable-clamav' '--disable-unrar' '--enable-milter' '--enable-dns-fix' '--with-libjson' '--with-system-libmspack' '--with-libcurl=/usr' '--with-gnu-ld' '--with-systemdsystemunitdir=/lib/systemd/system' 'build_alias=x86_64-linux-gnu' 'OBJCFLAGS=-g -O2 -fdebug-prefix-map=/build/clamav-TW4JTf/clamav-0.103.2+dfsg=. -fstack-protector-strong -Wformat -Werror=format-security'
sizeof(void*) = 8
Engine flevel: 123, dconf: 123

issue

clamonacc from packaged rpm 103.2 up to 104/dev under load (i.e. when beeing deployed by ansible) during start fails to OnAccessIncludePath existing directory claiming it does not exist. this failure is not detected as the process doesn't terminate. this bug is possibly causing clamav on-access to not perform under any Linux for < 5.1 kernel.

ClamInotif: could not watch path - no such file or directory

next steps / brainstorming / todo

• blocked by or related to clamonacc fatal error #184
• reduce watchpoints to /usr /home /tmp
• start clamonacc without systemd
• compile dev/0.104 on centos8 and explore reproduction (fio?)
• reproduction steps

proposed fixes to clamonacc

1. terminate clamonacc upon ERROR: ClamInotif: could not watch path '/home', No such file or directory
2. ???

observations

• manual systemctl restart clamav-clamonacc.service will succeed 100% watch /home (cannot reproduce)
• molecule verify will only work ~ 2 out of 11 times when /usr is watched
• said test succeeds under fedora33+4, fails centos7+8 (most likely because kernel <5.1 using inotify)
• if /usr is not watched we pass eicar test reliably (much less fileio)
• setenforce 0 # no effect
• ulimit -n # 100000
• happens with --stream and --fdpass
• max_user_watches = 500k

symptomes

Jun 29 20:08:24 centos7 clamonacc: ERROR: ClamInotif: could not watch path '/home', No such file or directory
Jun 29 23:18:55 centos8 clamonacc[14434]: ERROR: ClamInotif: could not watch path '/home', No such file or directory
Jun 30 10:40:47 centos8 clamonacc[23644]: ERROR: ClamInotif: could not watch path '/tmp', No such file or directory

/etc/clamd.d/clamd.conf

LocalSocket /run/clamd.scan/clamd.sock

TemporaryDirectory /tmp/clamav

OnAccessExcludeUname clamscan
OnAccessExtraScanning yes

OnAccessIncludePath /boot
OnAccessIncludePath /etc
OnAccessIncludePath /home
OnAccessIncludePath /media
OnAccessIncludePath /mnt
OnAccessIncludePath /opt
OnAccessIncludePath /root
OnAccessIncludePath /tmp
OnAccessIncludePath /usr
OnAccessIncludePath /var

# onaccess_exclude_default_paths
OnAccessExcludePath /var/lib/rsyslog
OnAccessExcludePath /var/lib/clamav-unofficial-sigs
OnAccessExcludePath /var/log
OnAccessExcludePath /var/spool/quarantine

/etc/systemd/system/clamav-clamonacc.service

[Unit]
Description = ClamAV On-Access Notifier
After = clamav-clamd.service syslog.target network.target
Requires = clamav-clamd.service

[Service]
Type = simple
ExecStart = /usr/sbin/clamonacc -F --config-file=/etc/clamd.d/clamd.conf --move=/var/spool/quarantine --fdpass --verbose

# workaround for https://gitlab.com/goshansp/clamav_onaccess/-/issues/5
ExecStop = /bin/kill -s SIGKILL $MAINPID
SuccessExitStatus = SIGKILL SIGTERM

[Install]
WantedBy = multi-user.target

Please let me know if there is anything to be tested.

Debian does not enable fanotify-based blocking by default, and is unlikely to do that anytime soon out of performance concerns for the average user that doesn't make use of it (See: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=690737).

It would be nice if there was a way for debian users to have read-blocking scanning without having to compile a kernel with this option; though I recognize there aren't many elegant options available to do this.

For many security environments having on-access scanning is important, but not as important as having a commercially supported kernel configuration. A failover option would allow debian servers to have both.

An example use case where read-blocking would apply. (debian jessie):

1. apt-get install clamav-daemon
2. mkdir /mnt/example /mnt/quarantine
3. Set clamd.conf options:
   • OnAccessIncludePath /mnt/example
   • VirusEvent mv $CLAM_VIRUSEVENT_FILENAME /mnt/quarantine
   • ScanOnAccess true
4. cd /mnt/example && wget https://secure.eicar.org/eicar.com.txt
5. systemctl restart clamav-daemon
6. cat eicar.com.txt

Notice that the file will be moved, but only after getting the contents of the file.

I noticed this during inspection:

In 0.98.4, I see that libclamav/dconf.c:cli_dconf_load() does this comparison:

    if(!strncmp(buffer, "MACHO:", 4) && chkflevel(buffer, 2)) {
        if(sscanf(buffer + 4, "0x%x", &val) == 1) {

I believe that the author mean ("MACHO:", 5) in the strncmp(), and "buffer + 5" in the sscanf().

Hi,
Any support for installing Clamd as a windows service on Windows 2012 coming soon?

If you compile clamav using clang instead of gcc,
you will be presented with a rather long list of
possibly exploitable weaknesses of the source code.

Our official bug tracking system is:

https://bugzilla.clamav.net

Please submit any bugs there.

If you need to ask a question, please do so on the ClamAV Mailing lists

To Submit malware, please visit our website and fill out the form there.

727 → → → → if(fullline[fulllinelength - 2] == ';')

In the following example fulllinelength is pointing out-of-bounds of fullline:

echo QlpoOTFBWSZTWch8U74AAZ3f0IAQQEIAGAsABAAvo5wAQAAAAggAIACJBSqIDQANNNApVQAAB6nqGD8xenmhM6E0cKEyoTeyoTjobSJihPlCb2CJkia6ExQmx4oTNCYImWtmhObNtoTso0YFVjp0EmrV7fxdyRThQkMh8U74 | base64 -d | bunzip2 -c > testcase

In handle_df if strlen(str) is zero, a NULL byte will be written to the adjacent buffer: str[len-1] = '\0';

Repro.bzip2.base64:

QlpoOTFBWSZTWX3YLFQAAk+fjpBAAAUBABAADCBcAAEAABAACAAIIABQoaaYABFFHqDRtTTUyNUl
wAC2KC4q13sZyEKqMGR9CIEBbFBftax+LuSKcKEg+7BYqA==

Hello,

I have a CentOS VPS Server. I have install EPEL : http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

And then installed clamav. But when I do a freshclam it always says that my version is 0.98.5 which is OUTDATED and latest version is 0.98.6

But it is not upgrading itself to the latest one...

Please solve this issue.
Thanks in advance.....

Feature Request OnAccessRWOnly

During integration of clamonacc via Ansible Role ClamAV we've come across some performance challenges. Comparing ClamAV to commercial antimalware we are looking for an option to scan write-operations only. Hence it would be beneficial for clamonacc flexibility if it was possible to limit the scanning to write- or read-operations via configuration option. The feature is needed for RHEL7 / Kernel 3.10

Proposed Feature

Introduction of additional configuration parameter for config file clamd.conf i.e. OnAccessRWOnly = write (or read)

Funding

Our customer is FOSS aware and will most likely require performance optimization for clamonacc to pass evaluation. Please advice if you know of a commercial developer who can offer the implementation. We'll be happy to arrange for funding and I welcome any help we get.

Describe the bug

Missing documentation for CURL_CA_BUNDLE option to customize the CA bundle path.

How to reproduce the problem

Grep the clamav source for "CURL_CA_BUNDLE". It only appears in the code and in the NEWS.md file.

Documentation for how (and why) to use the CURL_CA_BUNDLE environment variable should be added to the freshclam and clamsubmit man pages. It would probably be good to reference it in the application --help output as well. And it should be added to the freshclam FAQ in case users run into certificate problems. See https://lists.clamav.net/pipermail/clamav-users/2021-June/011382.html

The version tag is missing again. Could you please push it to the repo.

Try to cross compile clamav-0.98.7, get the following error:
libclamav/bytecode_detect.c:242: error: 'os_generic' undeclared (first use in this function)

I do not find the enum defined in enum os_kind_conf. The only close meaning enum I find is os_unknown. Should it be os_unknown rather than os_generic?

I want to compile and run from git clamav folder I dont want to install it , is it possible to do this

Although my mail server (Modoboa) doesn't report it, the log on that machine issued a warning which tells you to go to a particular webpage for further information. Thing is, that page 404s. The warning text needs to be updated with the replaced target.

Jun 29 13:02:59 mail freshclam[1830]: Tue Jun 29 13:02:59 2021 -> Received signal: wake up
Jun 29 13:02:59 mail freshclam[1830]: Tue Jun 29 13:02:59 2021 -> ClamAV update process started at Tue Jun 29 13:02:59 2021
Jun 29 13:02:59 mail freshclam[1830]: Tue Jun 29 13:02:59 2021 -> ^Your ClamAV installation is OUTDATED!
Jun 29 13:02:59 mail freshclam[1830]: Tue Jun 29 13:02:59 2021 -> ^Local version: 0.103.2 Recommended version: 0.103.3
Jun 29 13:02:59 mail freshclam[1830]: Tue Jun 29 13:02:59 2021 -> DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav
Jun 29 13:02:59 mail freshclam[1830]: Tue Jun 29 13:02:59 2021 -> daily.cld database is up-to-date (version: 26216, sigs: 3992662, f-level: 63, builder: raynman)
Jun 29 13:02:59 mail freshclam[1830]: Tue Jun 29 13:02:59 2021 -> main.cvd database is up-to-date (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)
Jun 29 13:02:59 mail freshclam[1830]: Tue Jun 29 13:02:59 2021 -> bytecode.cvd database is up-to-date (version: 333, sigs: 92, f-level: 63, builder: awillia2)

In wwunpack, a heap out-of-bounds write can occur with little control over the written value (scounts is the number of sections):

224     exe[pe+6]=(uint8_t)scount;
225     exe[pe+7]=(uint8_t)(scount>>8);

Repro (bzip compressed & base64 encoded):

QlpoOTFBWSZTWTpaKPwAAm5//////93///3//+///f////f//+9h/6/89P/+7e7+fVv/0AR7wN10
W4amicaIpk0KemU9RH6oZlPKNPU8TSGjIaeU9TT0g2oepoaDR6hoA0aBkD1NAHinqHqaANqAaNNN
Gho9RoaaPU9QBp6mg9Q9QaeptQyBFT0TVMZE3qaR6Jpmg0CPTEE00xkTJpgARkyYGgNAAgNDTRgQ
wABBgE0aZMAmAAAAIwm0J6mIqeTEmp5Ayk/I1NTynqbIm1MjJ6g9TIGGoABoAyMg0aZBo0GjTTTI
ZAGjRoABoAAB6mjRiNAAAA0aIGmmhpoA0GgAAaAMgYQAAAAAABpoAAaBpoAA00AAAAaMQAAABoNA
NAYpI00mUw01PTKaaANBk0Gg0NBo00AGgZNADQAAAABoAAAAAAAaAAAAAAAA1CegybX2w0Qeiegg
M0/0I4mtPEGIY15GxX1WkpWiC5MVMJFa83oSijSGmbcajXKN3z02+YQ9RIptA/aIaRMNdVO0YSEC
LYQEgIaDknlGjI4Jk2m7uylST7ouR1G8AlMYwkmTjpBogZFY5EiInSEJGgREGCw0tCI6caLsKOcd
z9y/zb9sMQlWBiQeskEBm1LogbSTYa8gDMI55xhIjEPVnmS13YBNIatAbVECCjZEIWEZKqWVHGxr
URGKz7A6RDUXwGpd02EGqSgKpFsImELShEQEqoxF4gaYnksw2Z/SBhXU65dGp1+IpoCUyuKw9udS
zbypsCfFsm/wShUwgbFjPA4VgtsZakMKlz+YXZiCLQxHBKvNYcuoZjDTnjKyn1CjMBDsOvtG05dB
m3Bylc4Qg4EoKZExCIWnxKcrXKBTEYmoQ4PyiOBaV7ygi4n37ZQUakhdxKAECZwsG+IXOzeInAME
ULFDr2o5LIGg+W3TzNPQbD/CYV3Pzl6a1FVQBB5jVevutkopx245zFuXzMuyEw0QtquOe37I6YEG
BFDJf0SLnVLJiAJ3Wuye+3yagPtVOuoRl1SNUmvIVsj3Aec3F3EsbMguCaih7JiyUogiwQxu9YUR
G9gsnr3uTXNTgdsc6eEQO2IiFvGBYQK2iBNtJsiwiZURHjWVPKGRavzD4qpHYl+4QKnZ7N6u38iZ
0BJU9YXAEDMVAJf1l7Gj/i87VO8LjHAIDFznjd80RCWbmexIkm3VHFdaRdU3D5QHiA7Po2rasg5e
QJnXo6suCqxDomfFMYkwW8IgMl0I6822ed6iAsJc/PoSOM81IzEvlEpxvrEuaahWbgkV6MqJKkZr
azMutDyYAIAqyJ+CJnFy6kPD94qBYrbNwRa4ekrNFqvX+dpBfgAFA7tEEB/+GDeu5mHHi9bG0NRr
it1HDT8IAWlEpAEtBCQcpTJgdlyeQANVRASBHCgPRqHJLtymnwUdEesqLZBMiiALfGNx/LntTPvU
AMWiRCINzRDAEaGbaD73KKjWy9CUKeYvjcpQ3YINu7D0rKVOx7rouYLJ+5vH1IcCS2uuZVwkYSob
AoU0kUSAPSfVIki7G8piHxkZye7lWuj6LD2y1f3+SDrIELv0MlznjdfyNpLPKWlAJlAXb1MYzJtq
Oxl1I8SJ7UQOjpqFE043hbGAQkqcJYaB7QskBLSjlHhnLEQ68c6QCmRTCppE3cko7i7yCxFZheya
KuMAhaHkpmpWlmMMP7ghsbsnj6wwHup0k+DWQZBFVsDdW2Zy8ZKOK42ZZrqo+Qb6HQIHA0Bw7hxA
5uIQGIA4jBguaAAGXMC6VmcqKIACBNDj1JeLYzcBM5ZYSQHRAx2A6xwqt7qifekfycGeb8tKQIog
8A8UosowIOEJgqBzs8BgJhq6ayKe78R6IiIZVmUSaDKqZhwI9wcZsDeIgCtZwycIr8DmlCEbU0R9
sJ06Ix8QDFIg7E4pWjjN+2sWmI3YrKaC7hXKW55SP0Tqc3CsPSb0AYHktBuRqB/ZHn+Ywq2R/CRA
kSxcaiUmngX3HitEus2vZlGJAKHK9cJjueRMUNrJkS59nSHESmlcsbe00b21jTU2QJeMmWVHejWR
+H9Nu9WZ32kX7pLamTCmKKBEuYCu9SGSRQku9l6+lNev7WD/dIapg8u4ICoVJeOfrCUH7GgxHKRo
fzKN8sF9IO3eg78yYH5TvLeRFqX840oSFAotlNp4baURj08/PQ6aoEUlXVfdhoq/ENVZ8DSoBxrk
yM2rbBw6xNtNpW4gjlxhWvp0auapTBmLfVHMM2fQVwxmIyovXMqUicpGJBvlGB4gcl3YbAEzxBCo
1HBiBWQkGJ3+jP8+00Wcqr5dTq4Zj4Y2Yxg2lf+LuSKcKEgdLRR+AA==

Describe the bug

On Debian/Ubuntu 20.04+ files with cryptic names get written in / (unix root):

-rw-r-----   1 root root     0 Jun  8 13:54 ''$'\006''1'$'\375\226\035''V'
-rw-r-----   1 root root    23 Jun  8 15:24 ''$'\020''hS|NV'
-rw-r-----   1 root root     0 Jun  6 19:09 '"̓]'$'\026''V'
-rw-r-----   1 root root    23 Jun  7 19:09 ''$'\232''(0'$'\336''HV'
-rw-r-----   1 root root    23 Jun 14 13:54 ''$'\242\257''g'$'\212\n''V'
-rw-r-----   1 root root    23 Mär 23 09:18 ''$'\245\034''NP$V'
-rw-r-----   1 root root     0 Jun 12 13:09 ''$'\273\337''u'$'\234\213''U'
-rw-r-----   1 root root     0 Jun 12 00:24 ''$'\275''闹'$'\303''U'
-rw-r-----   1 root root    23 Jun 14 07:54 ''$'\277''Е'$'\236\352''U'
-rw-r-----   1 root root    23 Jun  4 17:39 ''$'\350\020''@'$'\264''7V'
-rw-r-----   1 root root     0 Jun 12 05:39 ''$'\350\035''4'$'\320''}U'

Each file with 23Byte contains the string

ClamScanQueue: stopped

On my system following packages are installed:

clamav-base/groovy-updates,groovy-updates,groovy-security,groovy-security,now 0.103.2+dfsg-0ubuntu0.20.10.2 all [installed,automatic]
clamav-daemon/groovy-updates,groovy-security,now 0.103.2+dfsg-0ubuntu0.20.10.2 amd64 [installed]
clamav-freshclam/groovy-updates,groovy-security,now 0.103.2+dfsg-0ubuntu0.20.10.2 amd64 [installed]
clamdscan/groovy-updates,groovy-security,now 0.103.2+dfsg-0ubuntu0.20.10.2 amd64 [installed]
libclamav9/groovy-updates,groovy-security,now 0.103.2+dfsg-0ubuntu0.20.10.2 amd64 [installed,automatic]

clamav-deamon is running as systemd service (starts as root but drops to user clamav via clamd.conf)
clamonacc is running as systemd service (starts as root and stays root and streams files to clamd)
some clamdscan executions are scheduled via cron (starts as root and uses fdpass)

How to reproduce the problem

systemctl restart clamonacc.service (contents of that service file see below)
have --log in the service file

Is this thing actually possible with any ClamAV version?

This is my understanding of the current situation:

The only way to have recursive OnAccess is with OnAccessMountPath, which plays together with DDD

versions of ClamAV before 0.99 don't have DDD. Using OnAccessIncludePath also requires OnAccessDisableDDD, and will only keep track of the immediate directory specified by OnAccessIncludePath.

Due to this commit, adding the following code

if (!optget(tharg->opts, "OnAccessNotifyOnly")->enabled && !optget(tharg->opts, "OnAccessMountPath")->enabled) {
        logg("ScanOnAccess: preventing access attempts on malicious files.\n");
        fan_mask |= FAN_ACCESS_PERM | FAN_OPEN_PERM;
     } else {
        logg("ScanOnAccess: notifying only for access attempts.\n");

the !optget(tharg->opts, "OnAccessMountPath")->enabled) will disable access prevention when OnAccessMountPath is configured. Conversely access prevention works with OnAccessIncludePath+OnAccessDisableDDD, but this will only have non-recursive OnAccess protection.

Hi,

For those concerned with the development of clamav, first thank you for such a great app and great job!

I'd like to ask that the clamav developers PLEASE consider adding in ./configure --options so that the end-user can compile clamav as just a basic on demand scanner, for the $HOME user, that might typically only want to use clamav to scan with on occassion.

I personally only need clamav as an on demand scanner to scan my files, folders and box on ocassion.

I hope the developers will PLEASE really consider this and add in options in the future.

In the meantime I edited the Makefile.am and changed it like this;

SUBDIRS = libltdl libclamav clamscan freshclam sigtool clamconf database docs etc test clambc unit_tests

Would that for now statisfy for the basics of just having an on demand scanner, or is there something else I can remove?

Thank you for your time and consideration! :)

Hi,

the new version is announced on the website and is available as tar.gz on sourceforge, but it is missing here in the repo. There is no tag, link for the previous versions and the branch called 0.98.6 differs with the source code available in the tar.gz even when looking at the Changelog.

--- ChangeLog   2015-01-29 18:44:58.386436724 +0100
+++ clamav-0.98.6/ChangeLog 2014-12-18 22:43:18.000000000 +0100
@@ -1,3 +1,35 @@
+
+Tue Dec 16 16:21:40 2014 EDT (swebb)
+-------------------------------------
+bb#11215 - Change a variable to be an unsigned int to compensate for
+   compiler optimization issue with crafted petite file. Fix
+   suggested by Sebastian Andrzej Siewior.
+
+Fri Dec 12 14:33:41 2014 EDT (klin)
+-----------------------------------
+Added missing break statements(FireAmp #12710) to correct handling of
+   prescan callback return code.
+
+Fri Dec 5 15:26:06 2014 EDT (smorgan)
+-------------------------------------
+bb#11216 - add boundary checks for fuzzed upack file. This issue
+   was reported by Sebastian Andrzej Siewior. CVE-2014-9328.
+
+Thu Dec 4 18:29:17 2014 EDT (klin)
+-----------------------------------
+bb#11212 - fixed section boundary mismatch in MEW unpacker. This issue
+   was identified by Felix Groebert of the Google Security Team.
+
+Thu Dec 4 08:43:43 2014 EDT (swebb)
+-------------------------------------
+bb#11213 - Enforce bounds checking before integer overflow in upx files.
+   This issue was reported by Kevin Szkudlapski of Quarkslab.
+
+Tue Dec 2 15:15:55 2014 EDT (swebb)
+-------------------------------------
+bb#11210: Apply a basic fix for y0da crafted file. This issue was
+   identified by Felix Groebert of the Google Security Team.
+
 Fri, 21 Nov 2014 15:55:12 EDT (swebb)
 -------------------------------------
 bb#11194: Include OpenSSL's headers after the local headers

Did you maybe forget to push to the repo?

3.2.8 Subsignature Modifiers
ClamAV (clamav-0.99) supports a number of additional subsignature modifiers
for logical signatures. This is done by specifying ’::’ followed by a number of
characters representing the desired options.

clamscan blows up with the examples provided in the docs...

clamav-nocase-A;Target:0;0&1;41414141/i;424242424242/i
-matches ’AAAA’(nocase) and ’BBBBBB’(nocase)

should be in the format of...

clamav-nocase-A;Target:0;0&1;41414141::i;424242424242::i
-matches ’AAAA’(nocase) and ’BBBBBB’(nocase)

Cross post at the clamav-devel mail-list. I'm was forked source code in the master branch at version 0.98.1.

Hello All,

I found incorrect code on the sub-project LLVMjit. It cannot built a source code success because using std::make_pair<std::string, jit_code_entry*>(Buffer, JITCodeEntry); in line 146. Follow line of code as file name is JITDebugRegister.cpp.

FnMap[F] = std::make_pair<std::string, jit_code_entry*>(Buffer, JITCodeEntry);

It should be example code below.

FnMap[F] = std::pair<std::string, jit_code_entry*>(Buffer, JITCodeEntry);

In declaration variable FnMap[F] is type definition declares as below in the file name JITDebugRegister.h

typedef DenseMap< const Function*, std::pair<std::string, jit_code_entry*> > RegisteredFunctionsMap;

FnMap[F] must lvalue received the value std::pair<std::string, jit_code_entry*>(Buffer, JITCodeEntry); more std::map<T,T2>().Thus,source code use std::pair<T,T2>() instead std::make_pair(). Program will compiler source code success.

Example fixed bug in line 14 from my gits: https://gist.github.com/Chatsiri/11295674

Project build source code in Microsoft Visual Studio 2013 (Version 12.0.21005.1 REL), Windows 7
Repository : https://github.com/vrtadmin/clamav-devel

Best Regards,
R.Chatsiri.

issue

clamonacc dev/104 crashes with below ERROR when a folder like i.e. clamav.git-repo is copied and we aproach of about ~10000 files opened. this issue occurs on all kernel versions. the default ulimit=1024 needs to be raised for this to occur.

ERROR: Clamonacc: clamonacc has experienced a fatal error, if you continue to see this error, please run clamonacc with --verbose and report the issue and crash report to the developers

reproduction steps

# raise root ulimit
[vagrant@rhel8 ~]$ sudo vim /etc/security/limits.conf # add following two lines 
root    soft    nofile  100000
root    hard    nofile  100000

# verify root ulimit
[vagrant@centos7 git]$ sudo su -
[root@centos7 ~]# ulimit -n
100000


# starting clamonacc
[vagrant@rhel8 ~]$ sudo git/clamav-devel/build/clamonacc/clamonacc -F --config-file=/etc/clamd.d/clamd.conf --stream --verbose

# wrecking havoc:
[vagrant@rhel8 ~]$ git clone https://github.com/Cisco-Talos/clamav.git
[vagrant@rhel8 ~]$ cp clamav-devel target_git_folder -r
[vagrant@rhel8 ~]$ cat /proc/sys/fs/file-nr
# repeat above folder copy until it `signal 11` around 11k

conf

TCPSocket 3310
TCPAddr 127.0.0.1
TemporaryDirectory /tmp/clamav
OnAccessExcludeUname clamscan
OnAccessIncludePath /home
OnAccessIncludePath /usr
OnAccessIncludePath /etc
DatabaseDirectory /var/lib/clamav

furher observations

• red hat 8 + Fedora 34 (ulimit 100k / max_user_watches = 500k). this issue can be reproduced
• cannot reproduce when clamav 103.2/103.3 installed from rpm on centos 8 or fedora 34.
• $ git clone https://github.com/Cisco-Talos/clamav.git does not cause crash (tried: 4x no crash)
• after a crash, proper termination (ctrl-c) sometimes impossible, maybe related to https://gitlab.com/goshansp/ansible-role-clamav/-/issues/5
• possibly related to no such file or directory #186 ?
• after the crash sometimes one can ctrl-c out, sometimes until segfault ... sometimes a kill -9 from other terminal needed.

log

ClamFanotif: attempting to feed consumer queue
Clamonacc: onas_clamonacc_exit(), signal 11
ERROR: Clamonacc: clamonacc has experienced a fatal error, if you continue to see this error, please run clamonacc with --verbose and report the issue and crash report to the developers            
Clamonacc: attempting to stop ddd thread ...
ClamInotif: onas_ddd_exit()
ClamInotif: stopped
Clamonacc: attempting to stop event consumer thread ...
ClamScanQueue: onas_scan_queue_exit()

Please let me know if there's anything for me to test. Any advice appreciated. Thanks.

Hi,

compiled the 0.99 version and installed it.
I use Ubuntu 14.04. The OnAccess feature do nothing:

$ cat ~/TestFile
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Thats my Config:

$ clamconf | grep On
OfficialDatabaseOnly disabled
ExitOnOOM disabled
ScanOnAccess = "yes"
OnAccessMountPath = "/"
OnAccessIncludePath = "/home"
OnAccessExcludePath disabled
OnAccessExcludeUID disabled
OnAccessMaxFileSize = "10485760"
OnAccessDisableDDD = "yes"
OnAccessPrevention = "yes"
OnAccessExtraScanning = "yes"
DevACOnly disabled
OnUpdateExecute disabled
OnErrorExecute disabled
OnOutdatedExecute disabled

Hello

I installed clamav as mentioned in the section 3.2 Installing on shell account, using the following commands

 ./configure --prefix=/home/user/programming/clamav --disable-clamav
 make 
 make install 

As you see it doesn't work for me.

./clamscan ~
LibClamAV Error: cl_load(): No such file or directory: /home/user/programming/clamav/share/clamav
ERROR: Can't get file status

----------- SCAN SUMMARY -----------
Known viruses: 0
Engine version: devel-20151207
Scanned directories: 0
Scanned files: 0
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 0.011 sec (0 m 0 s)

Describe the bug

--gen-json does nothing

libjson is installed, libjson-dev is installed

How to reproduce the problem

clamscan --gen-json . in a folder containing eicar.com

Checking configuration files in /etc/clamav

Config file: clamd.conf
-----------------------
PreludeAnalyzerName = "ClamAV"
LogFile = "/var/log/clamav/clamav.log"
LogFileMaxSize = "4294967295"
LogTime = "yes"
LogRotate = "yes"
ExtendedDetectionInfo = "yes"
LocalSocket = "/var/run/clamav/clamd.ctl"
LocalSocketGroup = "clamav"
LocalSocketMode = "666"
MaxConnectionQueueLength = "15"
MaxThreads = "12"
ReadTimeout = "180"
SendBufTimeout = "200"
SelfCheck = "3600"
User = "clamav"
BytecodeTimeout = "60000"
MaxScanTime = "120000"
PCREMatchLimit = "10000"
PCRERecMatchLimit = "5000"

Config file: freshclam.conf
---------------------------
LogFileMaxSize = "4294967295"
LogTime = "yes"
LogRotate = "yes"
UpdateLogFile = "/var/log/clamav/freshclam.log"
Checks = "1"
PrivateMirror = "rhn-cap-allen-2.cisco.com"
MaxAttempts = "5"
ScriptedUpdates disabled
ReceiveTimeout = "30"
*** SafeBrowsing is DEPRECATED ***

clamav-milter.conf not found

Software settings
-----------------
Version: 0.103.2
Optional features supported: MEMPOOL IPv6 FRESHCLAM_DNS_FIX AUTOIT_EA06 BZIP2 LIBXML2 PCRE ICONV JSON JIT

Database information
--------------------
Database directory: /var/lib/clamav
bytecode.cvd: version 331, sigs: 94, built on Thu Sep 19 12:12:33 2019
main.cvd: version 59, sigs: 4564902, built on Mon Nov 25 08:56:15 2019
daily.cvd: version 26025, sigs: 4332551, built on Tue Dec 22 07:51:35 2020
Total number of signatures: 8897547

Platform information
--------------------
uname: Linux 5.4.12-050412-generic #202001141531 SMP Tue Jan 14 20:35:00 UTC 2020 x86_64
OS: linux-gnu, ARCH: x86_64, CPU: x86_64
Full OS version: Ubuntu 18.04.3 LTS
zlib version: 1.2.11 (1.2.11), compile flags: a9
Triple: x86_64-pc-linux-gnu
CPU: generic, Little-endian
platform id: 0x0a217b7b0807050001070500

Build information
-----------------
GNU C: 7.5.0 (7.5.0)
GNU C++: 7.5.0 (7.5.0)
CPPFLAGS: -Wdate-time -D_FORTIFY_SOURCE=2
CFLAGS: -g -O2 -fdebug-prefix-map=/build/clamav-ol9PT3/clamav-0.103.2+dfsg=. -fstack-protector-strong -Wformat -Werror=format-security -Wall -D_FILE_OFFSET_BITS=64  -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
CXXFLAGS: -g -O2 -fdebug-prefix-map=/build/clamav-ol9PT3/clamav-0.103.2+dfsg=. -fstack-protector-strong -Wformat -Werror=format-security -Wall -D_FILE_OFFSET_BITS=64
LDFLAGS: -Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -Wl,--as-needed
Configure: '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=/usr/include' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-silent-rules' '--libdir=/usr/lib/x86_64-linux-gnu' '--libexecdir=/usr/lib/x86_64-linux-gnu' '--runstatedir=/run' '--disable-maintainer-mode' '--disable-dependency-tracking' 'CFLAGS=-g -O2 -fdebug-prefix-map=/build/clamav-ol9PT3/clamav-0.103.2+dfsg=. -fstack-protector-strong -Wformat -Werror=format-security -Wall -D_FILE_OFFSET_BITS=64' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fdebug-prefix-map=/build/clamav-ol9PT3/clamav-0.103.2+dfsg=. -fstack-protector-strong -Wformat -Werror=format-security -Wall -D_FILE_OFFSET_BITS=64' 'LDFLAGS=-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -Wl,--as-needed' '--with-dbdir=/var/lib/clamav' '--sysconfdir=/etc/clamav' '--disable-clamav' '--disable-unrar' '--enable-milter' '--enable-dns-fix' '--with-libjson' '--with-system-libmspack' '--with-libcurl=/usr' '--with-gnu-ld' '-with-system-llvm=/usr/bin/llvm-config-3.9' '--with-llvm-linking=dynamic' '--with-systemdsystemunitdir=/lib/systemd/system' 'build_alias=x86_64-linux-gnu' 'OBJCFLAGS=-g -O2 -fdebug-prefix-map=/build/clamav-ol9PT3/clamav-0.103.2+dfsg=. -fstack-protector-strong -Wformat -Werror=format-security'
sizeof(void*) = 8
Engine flevel: 123, dconf: 123

Hello,

Could you please help me to add "CL_SCAN_FILE_PROPERTIES" option to clamdscan?

I want to detect macros into files. I have just opportunity to use clamdscan in my project. I have found the next page http://blog.clamav.net/2014/11/intro-to-collection-and-analysis-of.html. In this page, author has described how to use clamscan for detecting file properties. I have tried to add it to clamdscan but it did not work.

Thanks,
Yurii

rijndaelSetupEncrypt seems broken. It is called via rijndaelSetupDecrypt and aes_decrypt. The key is a stack unsigned char[16] from decrypt_any. However in rijndaelSetupEncrypt the key is indexed with offset 20 on line 744 of rijndael.c. Possibly this could be used to leak information from the stack but at least it is a Denial-of-Service.

Backtrace:
#0  rijndaelSetupEncrypt (rk=0x7ffffffecac0, key=0x7ffffffecf20 "@P\257\230\264\247\344oa\033\270Wr\ar\311=", keybits=40) at rijndael.c:717
#1  0x00000000008b5de6 in rijndaelSetupDecrypt (rk=0x7ffffffecac0, key=0x7ffffffecf20 "@P\257\230\264\247\344oa\033\270Wr\ar\311=", keybits=40) at rijndael.c:810
#2  0x00000000006a4281 in aes_decrypt (in=0x7ffff7e0e0df "0%PDF-2.\r-obj1 0 objFie/Standard/O(\24
4\340M۱3\313\020\334v8", length=0x7ffffffed8d0, q=0x61b00001f180 '\276' <repeats 200 times>..., key=0x7ffffffecf20 "@P\257\230\264\247\344oa\033\270Wr\ar\311=", key_n=5, has_iv=1) at pdf.c:703

Repro (base64 -d, bunzip2):

QlpoOTFBWSZTWdXmH58AAXV//9MGSrRD4/pFP2PbGH+z32AEIyBABMAoBKhIAC1CAghBQAH4AAOD
INGgDJpiGmgyDEMIGgNGJiNAAAcGQaNAGTTENNBkGIYQNAaMTEaAAATVUiEymCfqCeg0jTAj0Cek
9T0Riep6g2iPKeFNiaGnqhwZBo0AZNMQ00GQYhhA0BoxMRoAAPbGlGKVNuPwjFHUjSjgjjjfjrR1
Y+MdlS9cYeWO0rFhK24+yMUZI4Y1o1Y340Y1I0o6UasdyP6jMj6Y144Y042I8kcuN2PCTFGpK04y
xmJsxha0rWla8ascEZsbkZI9E/TBhgsKrtyvfHqleiMcrCjXjYjMjvSu3HfjJHKj4RzI2ozo2I+q
PXGKNeM+NKPlGfGOPVHPjnRjjZjCOpGZGKS2Y2o/aMsd6PyjsRhG5JeKN6OvGKN2MdG9H1xoR7I0
Y3KOXG5GfGdHRjHH3R047MbscEZsaEcEaEY4zY341IyR1o90YRhHPjijkjmRjjjjpRxRvRyR744o
2o4o5Iyx+MdiNuOGP+jjjxR8IyR4YyxtR8Y04+ca0bEZY+cZY24/8XckU4UJDV5h+fA=

Describe the bug

Freshclam stops downloading (and updating clamav database) after ~20days of run. This happens on all our servers. Restart of freshclam has to be done.
Freshclam runs as a daemon freshclam -d and /etc/clamd.conf has LocalSocket /tmp/clamd.sock.
No error is logged, it just stops logging and updating the DB.
strace -p <freshclam_pid> logs approx. each second

strace: Process 28424 attached
restart_syscall(<... resuming interrupted read ...>) = 0
rt_sigaction(SIGPIPE, NULL, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7f4b0d2cc8f0}, 8) = 0
rt_sigaction(SIGPIPE, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7f4b0d2cc8f0}, NULL, 8) = 0
poll([{fd=9, events=POLLIN|POLLPRI|POLLRDNORM|POLLRDBAND}], 1, 0) = 0 (Timeout)
rt_sigaction(SIGPIPE, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7f4b0d2cc8f0}, NULL, 8) = 0
poll([{fd=9, events=POLLIN}, {fd=6, events=POLLIN}], 2, 1000) = 0 (Timeout)
rt_sigaction(SIGPIPE, NULL, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7f4b0d2cc8f0}, 8) = 0
rt_sigaction(SIGPIPE, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7f4b0d2cc8f0}, NULL, 8) = 0
poll([{fd=9, events=POLLIN|POLLPRI|POLLRDNORM|POLLRDBAND}], 1, 0) = 0 (Timeout)
rt_sigaction(SIGPIPE, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7f4b0d2cc8f0}, NULL, 8) = 0
poll([{fd=9, events=POLLIN}, {fd=6, events=POLLIN}], 2, 1000) = 0 (Timeout)
rt_sigaction(SIGPIPE, NULL, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7f4b0d2cc8f0}, 8) = 0
rt_sigaction(SIGPIPE, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7f4b0d2cc8f0}, NULL, 8) = 0
poll([{fd=9, events=POLLIN|POLLPRI|POLLRDNORM|POLLRDBAND}], 1, 0) = 0 (Timeout)
rt_sigaction(SIGPIPE, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7f4b0d2cc8f0}, NULL, 8) = 0
poll([{fd=9, events=POLLIN}, {fd=6, events=POLLIN}], 2, 1000) = 0 (Timeout)
rt_sigaction(SIGPIPE, NULL, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7f4b0d2cc8f0}, 8) = 0
rt_sigaction(SIGPIPE, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7f4b0d2cc8f0}, NULL, 8) = 0
poll([{fd=9, events=POLLIN|POLLPRI|POLLRDNORM|POLLRDBAND}], 1, 0) = 0 (Timeout)
rt_sigaction(SIGPIPE, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7f4b0d2cc8f0}, NULL, 8) = 0
poll([{fd=9, events=POLLIN}, {fd=6, events=POLLIN}], 2, 1000) = 0 (Timeout)
rt_sigaction(SIGPIPE, NULL, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7f4b0d2cc8f0}, 8) = 0
rt_sigaction(SIGPIPE, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7f4b0d2cc8f0}, NULL, 8) = 0
poll([{fd=9, events=POLLIN|POLLPRI|POLLRDNORM|POLLRDBAND}], 1, 0) = 0 (Timeout)
rt_sigaction(SIGPIPE, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7f4b0d2cc8f0}, NULL, 8) = 0
poll([{fd=9, events=POLLIN}, {fd=6, events=POLLIN}], 2, 1000) = 0 (Timeout)
rt_sigaction(SIGPIPE, NULL, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7f4b0d2cc8f0}, 8) = 0
rt_sigaction(SIGPIPE, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7f4b0d2cc8f0}, NULL, 8) = 0
poll([{fd=9, events=POLLIN|POLLPRI|POLLRDNORM|POLLRDBAND}], 1, 0) = 0 (Timeout)
rt_sigaction(SIGPIPE, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7f4b0d2cc8f0}, NULL, 8) = 0
poll([{fd=9, events=POLLIN}, {fd=6, events=POLLIN}], 2, 1000) = 0 (Timeout)
rt_sigaction(SIGPIPE, NULL, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7f4b0d2cc8f0}, 8) = 0
rt_sigaction(SIGPIPE, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7f4b0d2cc8f0}, NULL, 8) = 0
poll([{fd=9, events=POLLIN|POLLPRI|POLLRDNORM|POLLRDBAND}], 1, 0) = 0 (Timeout)
rt_sigaction(SIGPIPE, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7f4b0d2cc8f0}, NULL, 8) = 0
poll([{fd=9, events=POLLIN}, {fd=6, events=POLLIN}], 2, 1000) = 0 (Timeout)
rt_sigaction(SIGPIPE, NULL, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7f4b0d2cc8f0}, 8) = 0
rt_sigaction(SIGPIPE, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7f4b0d2cc8f0}, NULL, 8) = 0
poll([{fd=9, events=POLLIN|POLLPRI|POLLRDNORM|POLLRDBAND}], 1, 0) = 0 (Timeout)
rt_sigaction(SIGPIPE, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7f4b0d2cc8f0}, NULL, 8) = 0
poll([{fd=9, events=POLLIN}, {fd=6, events=POLLIN}], 2, 1000) = 0 (Timeout)
rt_sigaction(SIGPIPE, NULL, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7f4b0d2cc8f0}, 8) = 0
rt_sigaction(SIGPIPE, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7f4b0d2cc8f0}, NULL, 8) = 0
poll([{fd=9, events=POLLIN|POLLPRI|POLLRDNORM|POLLRDBAND}], 1, 0) = 0 (Timeout)
rt_sigaction(SIGPIPE, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7f4b0d2cc8f0}, NULL, 8) = 0
poll([{fd=9, events=POLLIN}, {fd=6, events=POLLIN}], 2, 1000^Cstrace: Process 28424 detached
<detached ...>

How to reproduce the problem

Error occures after ~20 days periodically.

Checking configuration files in /etc

Config file: clamd.conf

TemporaryDirectory = "/tmp"
LocalSocket = "/tmp/clamd.sock"
TCPSocket = "3310"
TCPAddr = "212.24.139.173", "2001:67c:15a0:4000::b"
MaxConnectionQueueLength = "16000"
StreamMaxLength = "25165824"
MaxThreads = "64"
ReadTimeout = "20"
MaxQueue = "128"
MaxDirectoryRecursion = "8"
FollowFileSymlinks = "yes"
Foreground = "yes"
User = "clamav"
BytecodeTimeout = "2000"
DetectPUA = "yes"
IncludePUA = "Spy", "Scanner", "RAT"
PhishingScanURLs disabled
AlertPhishingSSLMismatch = "yes"
MaxScanSize = "25165824"
MaxRecursion = "8"
MaxFiles = "2000"

Config file: freshclam.conf

Foreground = "yes"
Checks = "50"
DatabaseMirror = "db.DE.ipv6.clamav.net", "database.clamav.net"
DatabaseCustomURL = "http://ftp.swin.edu.au/sanesecurity/sanesecurity.ftm", "http://ftp.swin.edu.au/sanesecurity/sigwhitelist.ign2", "http://ftp.swin.edu.au/sanesecurity/junk.ndb", "http://ftp.swin.edu.au/sanesecurity/jurlbl.ndb", "http://ftp.swin.edu.au/sanesecurity/phish.ndb", "http://ftp.swin.edu.au/sanesecurity/rogue.hdb", "http://ftp.swin.edu.au/sanesecurity/scam.ndb", "http://ftp.swin.edu.au/sanesecurity/blurl.ndb", "http://ftp.swin.edu.au/sanesecurity/badmacro.ndb", "http://ftp.swin.edu.au/sanesecurity/foxhole_generic.cdb", "http://ftp.swin.edu.au/sanesecurity/foxhole_filename.cdb", "http://ftp.swin.edu.au/sanesecurity/winnow_malware.hdb", "http://ftp.swin.edu.au/sanesecurity/winnow_malware_links.ndb", "http://ftp.swin.edu.au/sanesecurity/bofhland_cracked_URL.ndb", "http://ftp.swin.edu.au/sanesecurity/bofhland_malware_URL.ndb", "http://ftp.swin.edu.au/sanesecurity/bofhland_phishing_URL.ndb", "http://ftp.swin.edu.au/sanesecurity/bofhland_malware_attach.hdb", "http://signatures.virusfree.cz/virusfree.ldb", "http://signatures.virusfree.cz/virusfree.cdb", "http://signatures.virusfree.cz/virusfree.ign2", "http://signatures.virusfree.cz/virusfree.virus.hsb", "http://signatures.virusfree.cz/virusfree.white.wdb"

clamav-milter.conf not found

Software settings

Version: 0.103.2
Optional features supported: MEMPOOL IPv6 AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 ICONV JSON RAR

Database information

Database directory: /var/lib/clamav
[3rd Party] sanesecurity.ftm: 170 sigs
[3rd Party] sigwhitelist.ign2: 11 sigs
[3rd Party] junk.ndb: 60306 sigs
[3rd Party] jurlbl.ndb: 2600 sigs
[3rd Party] phish.ndb: 28042 sigs
[3rd Party] rogue.hdb: 478 sigs
[3rd Party] scam.ndb: 12747 sigs
[3rd Party] blurl.ndb: 4006 sigs
[3rd Party] badmacro.ndb: 621 sigs
[3rd Party] foxhole_generic.cdb: 212 sigs
[3rd Party] foxhole_filename.cdb: 2613 sigs
[3rd Party] winnow_malware.hdb: 293 sigs
[3rd Party] winnow_malware_links.ndb: 133 sigs
[3rd Party] bofhland_cracked_URL.ndb: 40 sigs
[3rd Party] bofhland_malware_URL.ndb: 4 sigs
[3rd Party] bofhland_phishing_URL.ndb: 72 sigs
[3rd Party] bofhland_malware_attach.hdb: 1836 sigs
[3rd Party] virusfree.virus.hsb: 1332 sigs
[3rd Party] virusfree.white.wdb: 77 sigs
[3rd Party] virusfree.ldb: 252 sigs
[3rd Party] virusfree.cdb: 115 sigs
[3rd Party] virusfree.ign2: 24 sigs
daily.cld: version 26188, sigs: 3985498, built on Tue Jun 1 13:07:16 2021
bytecode.cld: version 333, sigs: 92, built on Mon Mar 8 16:21:51 2021
main.cvd: version 59, sigs: 4564902, built on Mon Nov 25 14:56:15 2019
Total number of signatures: 8666476

Platform information

uname: Linux 5.10.5-gentoo-x86_64 #1 SMP Thu Jan 7 12:38:46 CET 2021 x86_64
OS: linux-gnu, ARCH: x86_64, CPU: x86_64
zlib version: 1.2.11 (1.2.11), compile flags: a9
platform id: 0x0a217b7b0800000000090300

Build information

GNU C: 9.3.0 (9.3.0)
CPPFLAGS:
CFLAGS: -O2 -pipe -fno-strict-aliasing -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
CXXFLAGS: -O2 -pipe
LDFLAGS: -Wl,-O1 -Wl,--as-needed
Configure: '--prefix=/usr' '--build=x86_64-pc-linux-gnu' '--host=x86_64-pc-linux-gnu' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--datadir=/usr/share' '--sysconfdir=/etc' '--localstatedir=/var/lib' '--disable-dependency-tracking' '--disable-silent-rules' '--docdir=/usr/share/doc/clamav-0.103.2' '--htmldir=/usr/share/doc/clamav-0.103.2/html' '--with-sysroot=/' '--libdir=/usr/lib64' '--enable-bzip2' '--disable-clamonacc' '--enable-clamdtop' '--enable-ipv6' '--disable-milter' '--disable-check' '--with-xml' '--with-iconv' '--with-libjson=/usr' '--disable-libclamav-only' '--with-libcurl' '--with-system-libmspack' '--cache-file=/var/tmp/portage/app-antivirus/clamav-0.103.2/work/clamav-0.103.2/config.cache' '--disable-experimental' '--disable-static' '--disable-zlib-vcheck' '--enable-id-check' '--with-dbdir=/var/lib/clamav' '--with-zlib' '--disable-llvm' '--enable-openrc' '--runstatedir=/run' 'build_alias=x86_64-pc-linux-gnu' 'host_alias=x86_64-pc-linux-gnu' 'CXXFLAGS=-O2 -pipe' 'LDFLAGS=-Wl,-O1 -Wl,--as-needed' 'CFLAGS=-O2 -pipe'
sizeof(void*) = 8
Engine flevel: 123, dconf: 123

Attachments

If applicable, add screenshots to help explain your problem.

If the issue is reproducible only when scanning a specific file, attach it to the ticket.

Feature Request

While extending OnAccessIncludePath to cover as much of the Linux filesystem as possible, finer granularity than the currently used OnAccessExcludePath is required. I. e. one objective of this Ansible Role is to achieve feature parity with commercial anti malware products. Hence it would be beneficial for clamonacc flexibility if it was possible to apply a finer set of exclusion rules. The feature is requested for RHEL7 / Kernel 3.10

Examples of Exlusions

• Filename (i.e. underwhateverpath.log)
• File Path (i.e. /usr/lib64/ld-2.33.so)
• File Suffix (i.e. *.log)

Proposed Feature Addition

All the above exclusions could be addressed using regex. Implementation of a configuration parameter i.e. OnAccessExcludeRegex would greatly improve granularity for exclusions for clamonacc.

Funding

Our customer is FOSS aware and will most likely require finer granularity for clamonacc to pass evaluation. Please advice if you know of a commercial developer who can offer a pricetag for the implementation. We'll be happy to arrange for funding and I welcome any help we get.

We have been using cvdupdate( cvdupdate.py) as lambda service in AWS to download the required files into s3 bucket once per day.
Even though the frequency is once per day in all the environments(4) , we have been blocked by cloudflare.
We are also using the latest official docker image and using the S3 bucket as our hosted PrivateMirror.
We have confirmed from the logs that freshclam uses the S3 PrivateMirror we have hosted.

Please help on why we have been blocked , running 4 requests/day.

The repositories vrtadmin/clamav-devel, vrtadmin/clamav-faq and vrtadmin/clamav-bytecode-compiler should be moved to the clamav organisation to make it obvious that one has found the official repository. To do this, make sure that you own the clamav organisation and go to https://github.com/vrtadmin/clamav-devel/settings, click "Transfer" and follow the instructions.

621 → → *dst = '\0'; here a out-of-bounds write 1 occurs with static byte NULL.

Repro (base64 -d and bunzip2 compressed):

QlpoOTFBWSZTWUkizMQAAAV/2cAgQAAJAkHKZLBQwUAPr+FwCWABARAQAAgAQAGsAHESaGjIaaAD
QAaAAMZDIaDQaNAGgAaGCapFKekAAANAPU0yNMgaUBoAAAAAAGlhxjzlOugOMRgh6ZYiHIgOgT4l
WhGUFVtzquTBP4QyS8micKiZip6MVV7pGYVGKnLgK1gykySaSZBV+daxEwpLKr5YX9wHZg4lJZxg
q10gq5nDerNGYFhXRkq2pN5SlrKX3wkm8Uqbgqw+uIt7ia0HTkWpVyyq1wKSxUV48hVuJiTAVYkw
psppJmgVaBVy2FXXlBLeWYCszKJhTCkssEykV0YGkmFMwjMRYSl1ZOIKv2CrXXBV/Obl1dvZBV29
2Crv/6CAbOfCIxgREQA/F3JFOFCQSSLMxA==

Folks,

I've seen some weird behaviour with clamdscan on Mac OS X. Using --fdpass, errors are generated that certain files can't be scanned, even when running clamdscan as root. But without --fdpass, the files apparently can be streamed to the socket and scanned just fine.

I'm not sure where to start looking for what I should be testing, to see if --fdpass works correctly on Mac OS X. Any and all advice or assistance is appreciated.

For now, we're assuming that --fdpass doesn't work correctly on Mac OS X but does work fine on Ubuntu Linux, so we're running slightly different versions of the script to call clamdscan. But we'd like to understand what is going on and why.

Thanks!

have the ability to fine tune the PUA detection I just recently built a custom live ISO image for my family including ClamAV after running a scan in Windows 7 using McAfee we then scanned the windows drive from the LiveOS using ClamAV
McAfee 229168 total scanned 0 threats
ClamAV 187125 total scanned (3503749 signatures loaded) 2204 threats detected
almost all of them were PUAs
now I know that McAfee is most likely not a good scanner to use (its not looked at with high regards in my circle of IT guys)
I will try and test against Avast and a few others to see a broader range of results to compare with.
also why is there such a big difference in the total number of scanned files? McAfee also scanned the registry and boot sector but I have no idea what would be the cause of the large difference in files. as far as I know Clam scanned everything on the drive but if it helps I will post the used options here
clamscan --recursive --verbose --detect-pua=yes /media/UUID_NUM
where UUID_NUM is the UUID of the mounted drive

Hi,
I'm Vietnamese, my English is not good :)
I'm using Clamav 0.98.5, when I build a CUD file with steps follow:
- Step1: run "sigtool --build newdat.cud --unsigned" command
- Step2: enter "version number:"
- Step3: enter "Builder name:"
Then, the sigtool output error that: "Can't get builder name".

I reviewed your code, and found out bug follow:

• In 0.98.5 version:
  if((pt = getenv("SIGNDUSER")))
  {
  strncpy(builder, pt, sizeof(builder));
  builder[sizeof(builder)-1]='\0';
  }
  else
  {
  mprintf("Builder name: ");
  if(scanf("%32s", builder) == EOF || !pt)
  {
  mprintf("!build: Can't get builder name\n");
  free(dblist2);
  return -1;
  }
  }
  ==> I think: if (pt = getenv("SIGNDUSER")) == FALSE, mean is pt = NULL, so if(scanf("%32s", builder) == EOF || !pt) is always true, and program always "return -1"
• In 0.98.1 version:
  if((pt = getenv("SIGNDUSER")))
  {
  strncpy(builder, pt, sizeof(builder));
  builder[sizeof(builder)-1]='\0';
  }
  else
  {
  mprintf("Builder name: ");
  if(scanf("%32s", pt) == EOF || !pt)
  {
  mprintf("!build: Can't get builder name\n");
  free(dblist2);
  return -1;
  }
  }
  ==> with this version, program builds CUD file successfully!

:) I wish you fix this bug as soon as possible, thanks!

the --enable-milter flag should allow a path to the location of libmilter to be specified, as is done with openssl, etc.

I wish to scan files that are bigger then 4GB. For example video files.

I noticed clamav is limited (code based on 32bit?). So, is there a workaround or maybe this feature is under development?

In autoit.c:585 a new buffer is alloced. In the repro example UNP.csize is 2. However, a subsequent readint32 on line 598 reads out-of-bounds of the allocated buffer.

Repro.example.bzip2.base64:

QlpoOTFBWSZTWcOp+lAAAZL////34cXzZumP+3+7t/////////x6+nf1dV3c2UfNafvP0ANW3t3d
27cpbOAZKTRJ6ag/Sn6kaZNqGmIeiAMI9IHogDT1GmmT0mmmjQybUPTSZogNAYRiAaZNGjTRhBpo
zTQTwoNEpqaGRoI2pgmRgepN6kxomEYTIyYmCYAARgJkYQyMRkYA0TIZDRowmGgBMmQwEiVKeoDI
DQMIAAABpk0AA0NADIAaGgGIMQAaDQAAAAABkAaAIBkGgAZNMQaaA0ZMmCZGjQyGgANGQaMIZDJk
YIaADQaYgMEaA0GgBoABIqQmhNABk9QGgNGgD1NNBkA0ANAAAD1AHqBiDRoaAAANAGg0APUBo2o0
MVpBWyOqVBTFU6CS0GsPy56G1cuFehIBqaCQYBgwCJigM8hJFjYrC0H7iAl7pACJO/jV6qKR1l5h
aJ0FwX+Jaymo5DvoVorjXnQBYimOrAdoS+KlEvXGlqQKg1RVAlDRcYviv0gkBJC0qZJIMDGuKoeG
M5AckqoA+zLVULCkJJV6YTzPR0I3bRiEZUeWG2EGyGkmvzIky0mJeZn/svafMZd5BidEeEuoIsUR
U4rREFbEzB/zSXjoiqgJMKkxUBcj7pchQ6YxQ3MHNiVpqnFID00IIHFTlRqWMfkp+40K2/OoVVZC
Mq7KQbA2AYXpogaAtzSJtoNewW7YorQEvO2UidqeeU4wQVjbQNobSTYBZ56F9FR0ioKG1SJmUVFQ
ltLw9LgOnNnage+wPcuDzz3sAZEAzRX1D+Uj5gzhWOlaM3TGFc4TGAZcWxpxDFPc3+GPgoWKesJk
pitXThW6eb4UoNYdAgnLUTz5dgrIwYMwZmDGhsx42EIgYUTGwcENtDG0MbGMbGSTHVAkg1NDGxc8
hBIYA2JBUBNBXfcprb6ZWRCjCnjq+x/UmguIMG0JsG0NpsGMHs4hgNttgdjt9oBKxNCJIENKACRz
KeNMei71NeciznSws6I50/ONCRKaQiGgKVibBNgeVwS4AFWtCcKqDMohBQ0eEnshYBwisCTMNUlJ
Cpu7XK0IV8YDGNpsE2CwrCGkT7IaTHKYq2YmjZtMA+MBUrKTqAGD4QS0jCCkQ1kpUlpgL+x5qJek
/thGvIyYFiGthqGTNnAo4w91EDUpXJSw3vyWMVlEJox4Vk4tjQECiKH+6AhLpKCyn7FRK1om43kv
mfCWFsIob9h/GiUwpUPtsc+GpnMLMhIoV6/cjwtPOjgTFP/GrBGebVoO6r+UCsF6JMs8YQ5UDPCK
EBvUMEZaZ3AKoFKh2eyYXSzENUHMbQRaN8wsjA5pU/wuFABU5YpjKgLu2RNBeILNgInLKgDkoPSZ
8CE2tGJyahpNP3B8cYbyje/OLbsrJIcOJemGIr557AzLeL2Xsm8c6PaifRFmyjVAt1VC6eP/+LuS
KcKEhh1P0oA=