Koozali.org: home of the SME Server

clamav scan finds viruses in /tmp for deleted user

Offline raem

clamav scan finds viruses in /tmp for deleted user
« on: April 02, 2005, 05:30:13 AM »
I have Jesper's clamav contrib installed. It runs a scan and reports viruses in /tmp related to a deleted user's email account. The files and the user do not exist; the user was deleted some months ago.
grep michell /home/e-smith/accounts shows nothing,
and the user account is not shown under /users....
Can anybody explain what clamav is actually finding?

/tmp/clamav-8769232fcbb27254/home/e-smith/files/users/michell/Maildir/new/1030956315.16932.server: Exploit.IFrame.Gen FOUND
/tmp/clamav-8769232fcbb27254/home/e-smith/files/users/michell/Maildir/new/1031144071.30674.server: Worm.Klez.H FOUND
/tmp/clamav-8769232fcbb27254/home/e-smith/files/users/michell/Maildir/new/1031213979.2211.server: Worm.Klez.H FOUND
/tmp/clamav-8c317c4b0b158d68/home/e-smith/files/users/michell/Maildir/new/1030956315.16932.server: Exploit.IFrame.Gen FOUND
/tmp/clamav-8c317c4b0b158d68/home/e-smith/files/users/michell/Maildir/new/1031144071.30674.server: Worm.Klez.H FOUND
/tmp/clamav-8c317c4b0b158d68/home/e-smith/files/users/michell/Maildir/new/1031213979.2211.server: Worm.Klez.H FOUND
/tmp/clamav-952e72a39dfa2eed/home/e-smith/files/users/michell/Maildir/new/1030956315.16932.server: Exploit.IFrame.Gen FOUND
/tmp/clamav-952e72a39dfa2eed/home/e-smith/files/users/michell/Maildir/new/1031144071.30674.server: Worm.Klez.H FOUND
/tmp/clamav-952e72a39dfa2eed/home/e-smith/files/users/michell/Maildir/new/1031213979.2211.server: Worm.Klez.H FOUND
...

Offline jackl

clamav scan finds viruses in /tmp for deleted user
« Reply #1 on: April 02, 2005, 11:29:23 AM »
Ray,
I'm not sure on this, but I think Clam copies stuff to /tmp/clamav to scan it. While the user files may have been deleted, there could be hidden copies in the /tmp/clamav folder still.

Regards,
Jack
......

Offline raem

clamav scan finds viruses in /tmp for deleted user
« Reply #2 on: April 02, 2005, 05:30:21 PM »
Thanks Jack

I did think something like that but couldn't see any.
There is a /tmp/clamav-partial directory but no files inside it.
ls -al shows nothing.
I cannot see any files using mc either (which I believe shows hidden files).

There are no files named like (or anything like) those in the scan report.

Is there any other way to show hidden files that I'm unaware of?

I deleted the folder /tmp/clamav-partial yesterday and the same report shows up the following day, still showing viruses found in the non-existent user's Maildir/...., or more correctly it's saying the viruses are found in files in the /tmp/clamav-........ folder.

Has anybody else seen this at all, or does anyone know what's causing it?

Thanks
...

Offline raem

clamav scan finds viruses in /tmp for deleted user
« Reply #3 on: April 02, 2005, 05:42:02 PM »
I should add that at the same time I receive the scan report I also receive a Warning report from LibClamAV.
I assume it's related, but what does it mean?

I did search here and there are only a couple of results, but neither sheds any light on the issue.

LibClamAV Warning: Ignoring empty field in " charset="
LibClamAV Warning: Ignoring empty field in " charset="
LibClamAV Warning: Ignoring empty field in " charset="
LibClamAV Warning: Ignoring empty field in " charset="
LibClamAV Warning: Ignoring empty field in " charset="
LibClamAV Warning: Multipart MIME message contains no boundaries
LibClamAV Warning: Ignoring empty field in " Content-Type: "
LibClamAV Warning: Ignoring empty field in " charset="
LibClamAV Warning: Ignoring empty field in " charset="
LibClamAV Warning: Ignoring empty field in " charset="
LibClamAV Warning: Ignoring empty field in " charset="
LibClamAV Warning: Ignoring empty field in " charset="
...

Offline jackl

clamav scan finds viruses in /tmp for deleted user
« Reply #4 on: April 02, 2005, 09:05:49 PM »
Ray,

Run clamscan from the command line on /tmp with the "--remove" option or the "--move=directory" option, and -r for a recursive scan of sub-directories. This way you can delete or move these files somewhere else.
Hope this may be of help.
The reported files look like remnants from unpacked compressed files that were never deleted after a scan.
Regards
Jack

PS: the "LibClamAV Warning: Multipart MIME message contains no boundaries" messages, I get some of these myself. It looks as though certain email messages generate these errors, as by deleting some old emails I found you could reduce the number and type of errors reported. I even think there may be a way to suppress them altogether, but I haven't found it yet.
......

Offline raem

clamav scan finds viruses in /tmp for deleted user
« Reply #5 on: April 03, 2005, 06:54:56 PM »
jack

Thanks for the suggestions. I tried them all, but basically clamscan is not finding any infected files when run manually.
When it runs automatically based on the settings in the antivirus panel, for the last 3 evenings it still finds the same 9 infected messages though??

> Run clamscan from the command line on /tmp with the "--remove" option or the "--move=directory" option,
> and -r for a recursive scan of sub-directories

clamscan -r /tmp
/tmp/session_mm_apache0.sem: Empty file.
/tmp/sess_775ebac71e7fa9458c446282bd5814cb: OK
/tmp/sess_8e8199d6119ba8d2c0612c247f936eaa: OK......
........
........
/tmp/sess_4f0659901f7e3c070eb2382bbe2c8d70: OK
/tmp/sess_bd25c54e40c8883a94841949439263dd: OK

----------- SCAN SUMMARY -----------
Known viruses: 32466
Scanned directories: 3
Scanned files: 133
Infected files: 0
Data scanned: 0.04 MB
I/O buffer size: 131072 bytes
Time: 0.521 sec (0 m 0 s)


> The reported files look like remnants from
> unpacked compressed files that were never deleted after a scan.

That makes sense, but where are they hiding now? They are certainly not visible using ls -al, and don't get detected in manual scans.

I wondered if the report data was stuck in a log file or a script?
/var/log/clamav/clamscan.log and older versions of the log file show
--------------------------------------
Scan started: Mon Apr  4 00:00:01 2005

with different dates but the same details as originally posted,
i.e. 9 infected files found.
...

Offline jackl

clamav scan finds viruses in /tmp for deleted user
« Reply #6 on: April 03, 2005, 10:21:18 PM »
Ray,
This is baffling. The script that runs from crontab is /etc/clamscan.
The parameters contained in it are:
(
exec nice /usr/bin/clamscan --recursive --infected --stdout \
    --log /var/log/clamav/clamscan.log \
    --tar --tgz --unzip --unrar --unace --unarj --zoo --lha --jar \
    /
) | /bin/mail -s "[hostname] Clam Antivirus Scan Results - date" admin@mydomain.com


Perhaps set the --remove option temporarily, run this script manually and see what happens.
If this doesn't work, remove the compression options --tar --tgz... etc., as these are the only extra options different from your manual scan (purely as a test).
My bet is that one of the compression parameters is somehow causing the positive virus reports; hopefully --remove will solve the problem and we need not worry why this is so.

Regards
Jack

PS: best make a copy of the clamscan script first.
......
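A small triage helper, added here as an illustration and not part of this thread or of the clamav contrib: it parses clamscan report lines of the kind quoted above and separates hits on files that really live on disk from hits inside a /tmp/clamav-<id>/ directory. The naming of that directory (a 16-hex-digit id, as in the quoted report) is read off the report itself and is the only assumption; the sample report lines are constructed for the example. The point it makes is that the same mailbox file showing up under several /tmp/clamav-* prefixes is one member seen inside several unpacked containers (for instance old backup archives), not several files sitting in /tmp, which is why ls -al after the scan finds nothing and a manual scan without the archive options reports nothing.

```python
import re
from collections import defaultdict

# clamscan unpacks each archive it opens (--tar, --tgz, --unzip, ...)
# into a per-container temp directory /tmp/clamav-<16 hex chars>/ and
# reports infected members under that prefix (assumption: read off the
# report quoted in this thread). The directory is gone once the scan
# finishes, so a later `ls -al /tmp` shows nothing.
TMP_PREFIX = re.compile(r"^/tmp/clamav-([0-9a-f]{16})/")
FOUND_LINE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")

# Constructed sample in the shape of the thread's report: two members
# seen inside two containers, one hit directly on disk, one clean line.
SAMPLE_REPORT = """\
/tmp/clamav-8769232fcbb27254/home/e-smith/files/users/michell/Maildir/new/1030956315.16932.server: Exploit.IFrame.Gen FOUND
/tmp/clamav-8769232fcbb27254/home/e-smith/files/users/michell/Maildir/new/1031144071.30674.server: Worm.Klez.H FOUND
/tmp/clamav-8c317c4b0b158d68/home/e-smith/files/users/michell/Maildir/new/1030956315.16932.server: Exploit.IFrame.Gen FOUND
/tmp/clamav-8c317c4b0b158d68/home/e-smith/files/users/michell/Maildir/new/1031144071.30674.server: Worm.Klez.H FOUND
/home/e-smith/files/users/bob/Maildir/cur/1112345678.999.server: Worm.Klez.H FOUND
/tmp/sess_775ebac71e7fa9458c446282bd5814cb: OK
"""


def parse_report(text):
    """Yield (container_id, path, signature) for every FOUND line.

    container_id is the temp-dir id when the hit is an unpacked archive
    member, or None when the file lives directly on disk; path is the
    path as it appears inside the container (leading slash restored).
    """
    for line in text.splitlines():
        m = FOUND_LINE.match(line.strip())
        if not m:
            continue  # "OK", "Empty file." and summary lines are skipped
        path, sig = m.group("path"), m.group("sig")
        pm = TMP_PREFIX.match(path)
        if pm:
            yield pm.group(1), "/" + path[pm.end():], sig
        else:
            yield None, path, sig


def summarize(text):
    """Group hits by path so one infected member inside several archives
    is listed once, with the ids of the containers it was seen in."""
    on_disk = {}
    unpacked = defaultdict(lambda: {"sigs": set(), "containers": set()})
    for container, path, sig in parse_report(text):
        if container is None:
            on_disk[path] = sig
        else:
            unpacked[path]["sigs"].add(sig)
            unpacked[path]["containers"].add(container)
    return on_disk, {
        p: {"sigs": sorted(v["sigs"]), "containers": sorted(v["containers"])}
        for p, v in unpacked.items()
    }


def tar_member_names(unpacked):
    """Member names as tar stores them (no leading slash), ready for
    matching against `tar -tf <archive>` output when hunting for the
    backup archive that still carries the old mailbox."""
    return sorted(p.lstrip("/") for p in unpacked)


if __name__ == "__main__":
    on_disk, unpacked = summarize(SAMPLE_REPORT)
    for path, info in unpacked.items():
        print(f"inside {len(info['containers'])} container(s): {path} -> {', '.join(info['sigs'])}")
    for path, sig in on_disk.items():
        print(f"on disk: {path} -> {sig}")
    print("tar member names to grep for:", tar_member_names(unpacked))
```

Run against the real /var/log/clamav/clamscan.log, every member reported only under /tmp/clamav-* prefixes is a hit inside some container on the scanned tree; the archive-aware run of /etc/clamscan with --move=directory, as used later in this thread, is what turns those members into files you can inspect and delete, while the names from tar_member_names() let you confirm with `tar -tf` which archive held them before deciding whether the whole archive should go.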

Offline raem

clamav scan finds viruses in /tmp for deleted user
« Reply #7 on: April 04, 2005, 07:32:00 AM »
Jack,
Thanks again for your pointers.

My /etc/clamscan script is the same as yours, just set to scan different folders, i.e. /users.

I ran the clamscan manually & it did not find the infected files. I ran the script & it DID find the infected files, still not visible though.

Then I added the --move=directory option to the script and scanned again and it moved the infected files to another folder and they are now visible.

I just deleted them !!

I assume --remove would have done the same job.
Thanks for your help, much appreciated.
...