Koozali.org: home of the SME Server

Virus scanning beyond symlinks...

Offline christian

Re: Virus scanning beyond symlinks...
« Reply #15 on: January 04, 2009, 04:56:56 PM »
Quote
I note that there are commas (",") between the ScanExcludes values. Perhaps you need commas between the ScanFilesystems values as well.

Per the rest of this thread, that shouldn't work. This is why we also changed the FAQ.
« Last Edit: January 04, 2009, 05:21:37 PM by christian »
SME since 2003

Offline christian

Re: Virus scanning beyond symlinks...
« Reply #16 on: January 04, 2009, 05:21:07 PM »
Quote
I tried that but not advisable on slow VPN connection. I timed out.
You could run it in the background

Quote
This is telling me it is not scanning the mnt/tracy which has about 40 gb of users files on it.
That appears to be true given your facts.

Quote
[root@shpdserver ~]# config show clamav
clamav=service
    /opt,=mnt/tracy
    ArchiveBlockEncrypted=no
    ArchiveBlockMax=no
...
You have an error here (note the line /opt,=mnt/tracy). I don't believe this has any effect but you should clean it up.
Code:
config delprop clamav "/opt,"
The fact that clamav is not complaining about /mnt/tracy is bothering me if it is in fact not scanning.

Could you print out the result of:
Code:
cat /etc/mtab
I would try to eliminate things from here:
  • verify that you have the right path to the mount point
  • check your log files in /var/log/ notably "messages" and logs in "clamd"
  • try doing a scan with only /mnt/tracy on the scan line
  • etc
SME since 2003

Offline christian

Re: Virus scanning beyond symlinks...
« Reply #17 on: January 04, 2009, 09:41:44 PM »
tviles,
the other thing that occurs to me as I look at your scanned data is that there is very little on the main disks as opposed to the extra disks.

Another method to consider which may simplify your life is to mount the new disk as /home/e-smith/files. This will allow SME to work with no other mods complicated by the symlink.

The net effect is all user/ibay data is on the extra disk and SME config data and OS is on your main disk.


Christian

SME since 2003

Offline tviles

Re: Virus scanning beyond symlinks...
« Reply #18 on: January 05, 2009, 12:01:39 PM »
Last login: Sun Jan  4 04:10:01 2009 from pc-00249.shpd.local
[root@shpdserver ~]# cat /etc/mtab
/dev/mapper/main-root / ext3 rw,usrquota,grpquota 0 0
none /proc proc rw 0 0
none /sys sysfs rw 0 0
none /dev/pts devpts rw,gid=5,mode=620 0 0
usbfs /proc/bus/usb usbfs rw 0 0
/dev/md1 /boot ext3 rw 0 0
none /dev/shm tmpfs rw 0 0
/dev/sdf1 /mnt/jeremy ext3 rw 0 0
none /proc/sys/fs/binfmt_misc binfmt_misc rw 0 0
/dev/sdh1 /media/usbdisk1 ext3 rw,nosuid,nodev 0 0
/dev/sdg1 /mnt/tracy ext3 rw 0 0
[root@shpdserver ~]#

Offline tviles

Re: Virus scanning beyond symlinks...
« Reply #19 on: January 05, 2009, 12:08:50 PM »
Last login: Mon Jan  5 05:00:30 2009 from pc-00249.shpd.local
[root@shpdserver ~]# config delprop clamav "/opt,"
[root@shpdserver ~]# cat /etc/mtab
/dev/mapper/main-root / ext3 rw,usrquota,grpquota 0 0
none /proc proc rw 0 0
none /sys sysfs rw 0 0
none /dev/pts devpts rw,gid=5,mode=620 0 0
usbfs /proc/bus/usb usbfs rw 0 0
/dev/md1 /boot ext3 rw 0 0
none /dev/shm tmpfs rw 0 0
/dev/sdf1 /mnt/jeremy ext3 rw 0 0
none /proc/sys/fs/binfmt_misc binfmt_misc rw 0 0
/dev/sdh1 /media/usbdisk1 ext3 rw,nosuid,nodev 0 0
/dev/sdg1 /mnt/tracy ext3 rw 0 0
[root@shpdserver ~]# config getprop clamav FilesystemScanFilesystems
/home/e-smith/files /mnt/tracy
[root@shpdserver ~]# config getprop clamav FilesystemScanExclude
/proc,/sys,/usr/share,/var
[root@shpdserver ~]# config show clamav
clamav=service
    ArchiveBlockEncrypted=no
    ArchiveBlockMax=no
    ArchiveMaxCompressionRatio=300
    Checks=24
    DNSDatabaseInfo=current.cvd.clamav.net
    DatabaseMirror=db.local.clamav.net
    Debug=no
    DetectBrokenExecutables=no
    FilesystemScan=daily
    FilesystemScanExclude=/proc,/sys,/usr/share,/var
    FilesystemScanFilesystems=/home/e-smith/files /mnt/tracy
    FilesystemScanReportTo=admin
    Foreground=yes
    HTTPProxyPassword=
    HTTPProxyPort=
    HTTPProxyServer=
    HTTPProxyUsername=
    IdleTimeout=60
    LeaveTemporaryFiles=no
    LogClean=no
    LogFileUnlock=yes
    LogTime=no
    LogVerbose=yes
    MaxAttempts=6
    MaxConnectionQueueLength=30
    MaxDirectoryRecursion=20
    MaxFileSize=15M
    MaxFiles=1500
    MaxRecursion=8
    MaxThreads=20
    Quarantine=enabled
    QuarantineDirectory=/var/spool/clamav/quarantine
    ReadTimeout=300
    ScanArchive=yes
    ScanHTML=yes
    ScanMail=yes
    ScanOLE2=yes
    ScanPE=yes
    ScanRAR=no
    SelfCheck=1800
    ShowProxySettings=no
    ShowUpdateSettings=no
    SignaturesUpdated=unknown
    UpdateNonOfficeHrs=disabled
    UpdateOfficeHrs=disabled
    UpdateWeekend=disabled
    status=enabled
[root@shpdserver ~]#

Offline tviles

Re: Virus scanning beyond symlinks...
« Reply #20 on: January 05, 2009, 12:11:08 PM »
How do I get rid of these?

[root@shpdserver ~]#
[root@shpdserver ~]#
[root@shpdserver ~]#
[root@shpdserver ~]# cd /var
[root@shpdserver var]# cd spool/clamav
[root@shpdserver clamav]# dir
quarantine
[root@shpdserver clamav]# cd quarantine
[root@shpdserver quarantine]# dir
backup.pst  EvelynTrue[1].htm  o_Lix_o[1].htm  ptcielo[1].htm
[root@shpdserver quarantine]#

OK I just did rm -i * and that got rid of them.
« Last Edit: January 06, 2009, 05:27:56 AM by tviles »

Offline tviles

Re: Virus scanning beyond symlinks...
« Reply #21 on: January 05, 2009, 12:24:19 PM »
clamd / current

last two days

2009-01-03 04:14:08.429923500 Shutting down the main socket.
2009-01-03 04:14:08.442578500 Closing the main socket.
2009-01-03 04:14:08.442586500 Socket file removed.
2009-01-03 04:14:08.442589500 --- Stopped at Sat Jan  3 04:14:08 2009
2009-01-03 04:14:18.548744500 Listening daemon: PID: 7344
2009-01-03 04:14:18.548833500 Limits: Global size limit set to 104857600 bytes.
2009-01-03 04:14:18.548837500 Limits: File size limit set to 15728640 bytes.
2009-01-03 04:14:18.548840500 Limits: Recursion level limit set to 8.
2009-01-03 04:14:18.548842500 Limits: Files limit set to 1500.
2009-01-03 04:14:18.548846500 Archive support enabled.
2009-01-03 04:14:18.548849500 Algorithmic detection enabled.
2009-01-03 04:14:18.548851500 Portable Executable support enabled.
2009-01-03 04:14:18.548854500 ELF support enabled.
2009-01-03 04:14:18.548857500 Mail files support enabled.
2009-01-03 04:14:18.548869500 OLE2 support enabled.
2009-01-03 04:14:18.548872500 PDF support enabled.
2009-01-03 04:14:18.548875500 HTML support enabled.
2009-01-03 04:14:18.548893500 Self checking every 1800 seconds.
2009-01-03 09:53:48.717576500 No stats for Database check - forcing reload
2009-01-03 09:53:48.717632500 Reading databases from /var/clamav
2009-01-03 09:53:57.356589500 Database correctly reloaded (922371 signatures)
2009-01-03 11:53:51.760044500 SelfCheck: Database modification detected. Forcing reload.
2009-01-03 11:53:51.760051500 Reading databases from /var/clamav
2009-01-03 11:54:04.267261500 Database correctly reloaded (922396 signatures)
2009-01-03 17:04:37.433091500 SelfCheck: Database status OK.
2009-01-03 19:53:55.475313500 SelfCheck: Database modification detected. Forcing reload.
2009-01-03 19:53:55.475321500 Reading databases from /var/clamav
2009-01-03 19:54:03.959591500 Database correctly reloaded (922398 signatures)
2009-01-04 00:11:00.990830500 SelfCheck: Database status OK.
2009-01-04 22:54:04.948259500 SelfCheck: Database modification detected. Forcing reload.
2009-01-04 22:54:04.961202500 Reading databases from /var/clamav
2009-01-04 22:54:56.736286500 Database correctly reloaded (922402 signatures)
2009-01-04 23:34:33.757277500 SelfCheck: Database status OK.

Offline tviles

Re: Virus scanning beyond symlinks...
« Reply #22 on: January 06, 2009, 05:32:37 AM »
Trying this tonight. Will see in the morning.

[root@shpdserver quarantine]# rm -i *
rm: remove regular file `backup.pst'? y
rm: remove regular file `EvelynTrue[1].htm'? y
rm: remove regular file `o_Lix_o[1].htm'? y
rm: remove regular file `ptcielo[1].htm'? y
[root@shpdserver quarantine]# dir
[root@shpdserver quarantine]# cd /
[root@shpdserver /]# db configuration setprop clamav FilesystemScanFilesystems "/home/e-smith/files,/mnt/tracy"
[root@shpdserver /]# config getprop clamav FilesystemScanFilesystems
/home/e-smith/files,/mnt/tracy
[root@shpdserver /]# signal-event clamav-update

Offline tviles

Re: Virus scanning beyond symlinks...
« Reply #23 on: January 06, 2009, 12:48:31 PM »
Got this back this morning. Will try /mnt/tracy tonight.

WARNING: Can't access file /home/e-smith/files,/mnt/tracy

----------- SCAN SUMMARY -----------
Known viruses: 923695
Engine version: 0.94.2
Scanned directories: 0
Scanned files: 0
Infected files: 0
Data scanned: 0.00 MB
Time: 16.469 sec (0 m 16 s)

[root@shpdserver ~]# db configuration setprop clamav FilesystemScanFilesystems "/mnt/tracy"
[root@shpdserver ~]# config getprop clamav FilesystemScanFilesystems
/mnt/tracy
[root@shpdserver ~]# signal-event clamav-update
[root@shpdserver ~]#


I also got this email.
===
=== yum reports available updates:
===

atrpms.noarch                            73-1                   smeupdates     
rsync.i386                               3.0.5-1.el4.rf         smeupdates     

Where does one go to read about these updates?


« Last Edit: January 06, 2009, 01:00:47 PM by tviles »

Offline tviles

Re: Virus scanning beyond symlinks...
« Reply #24 on: January 07, 2009, 11:41:40 AM »
Results from just scanning /mnt/tracy

----------- SCAN SUMMARY -----------
Known viruses: 924277
Engine version: 0.94.2
Scanned directories: 706
Scanned files: 12201
Infected files: 0
Data scanned: 7379.47 MB
Time: 6274.663 sec (104 m 34 s)

Last login: Tue Jan  6 11:54:24 2009
[root@shpdserver ~]# df -T
Filesystem    Type   1K-blocks      Used Available Use% Mounted on
/dev/mapper/main-root
              ext3   137530456  27133348 103410972  21% /
/dev/md1      ext3      101018     28137     67665  30% /boot
none         tmpfs     1037408         0   1037408   0% /dev/shm
/dev/sdf1     ext3    70557052     86088  66886868   1% /mnt/jeremy
/dev/sdh1     ext3   153834852  46010652 100009784  32% /media/usbdisk1
/dev/sdg1     ext3   961432072  21789308 890804764   3% /mnt/tracy
[root@shpdserver ~]#


« Last Edit: January 07, 2009, 11:44:28 AM by tviles »

Offline christian

Re: Virus scanning beyond symlinks...
« Reply #25 on: January 08, 2009, 12:52:21 AM »
Quote
Got this back this morning. Will try /mnt/tracy tonight.

WARNING: Can't access file /home/e-smith/files,/mnt/tracy

----------- SCAN SUMMARY -----------
Known viruses: 923695
Engine version: 0.94.2
Scanned directories: 0
Scanned files: 0
Infected files: 0
Data scanned: 0.00 MB
Time: 16.469 sec (0 m 16 s)

That's what I expected.

SME since 2003
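
The zero-file report quoted above is easy to miss in a nightly mail, so here is an added example (not part of the original posts and not SME Server code) that checks a scan target list before the run and the report after it. It assumes the space-separated form that `config show clamav` prints for FilesystemScanFilesystems earlier in the thread; the function names are hypothetical.

```bash
#!/bin/sh
# Added example: pre-flight and post-scan checks for a ClamAV filesystem scan.

# Check a space-separated target list (the FilesystemScanFilesystems format).
# Prints one verdict per entry; returns 1 if any entry does not exist.
check_scan_targets() {
    rc=0
    for p in $1; do
        if [ -e "$p" ]; then
            echo "OK      $p"
        else
            rc=1
            case $p in
                *,*) echo "MISSING $p (comma inside entry; separate paths with spaces)" ;;
                *)   echo "MISSING $p" ;;
            esac
        fi
    done
    return $rc
}

# Read a scan report on stdin. Returns 1 if it contains an access warning,
# a "Scanned files: 0" line, or no summary at all: the job ran but covered nothing.
scan_report_ok() {
    awk '
        /^WARNING: Can.t access file/ { bad = 1 }
        /^Scanned files: /            { seen = 1; if ($3 == 0) bad = 1 }
        END { exit ((bad || !seen) ? 1 : 0) }
    '
}

# Demo with the comma-joined value and the report lines quoted in the thread.
check_scan_targets "/home/e-smith/files,/mnt/tracy" || echo "ALERT: fix the target list"
scan_report_ok <<'EOF' || echo "ALERT: scan covered nothing"
WARNING: Can't access file /home/e-smith/files,/mnt/tracy
Scanned directories: 0
Scanned files: 0
EOF
```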

Offline christian

Re: Virus scanning beyond symlinks...
« Reply #26 on: January 15, 2009, 09:21:38 PM »

In the absence of contribs, Tracy and I went off line and we determined that the issue was in the following:

[root@shpdserver ~]# config show clamav
clamav=service
...snip...
    MaxFileSize=15M
 ...snip...

Turns out that he has a number of very large files on the disks. His last post with the df -T output clued me into it but as luck would have it contribs failed before I was able to hit the post button.

Clamav has a number of parameters which decide how it will handle certain files. More info on the parameters can be found with
Code:
man clamd.conf
and they can be set via SME's db for clamav.

SME since 2003
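
To see how much of a disk falls outside the scan because of MaxFileSize, this added example (not from the thread, function names hypothetical) lists the files larger than the limit. It assumes `find` supports the `-size +Nc` byte syntax and uses the 15M value from the thread, which converts to the 15728640 bytes shown in the clamd log.

```bash
#!/bin/sh
# Added example: list files clamd will skip because they exceed MaxFileSize.

# Convert a clamd.conf-style size (15M, 512K, or plain bytes) to bytes.
size_to_bytes() {
    n=${1%[KkMm]}
    case $1 in
        *[Mm]) echo $(( $n * 1048576 )) ;;
        *[Kk]) echo $(( $n * 1024 )) ;;
        *)     echo "$1" ;;
    esac
}

# Print every regular file under directory $1 that is larger than limit $2.
oversized_files() {
    find "$1" -type f -size +"$(size_to_bytes "$2")"c -print
}

# Count them, so a nightly job can report the gap next to the scan summary.
count_oversized() {
    oversized_files "$1" "$2" | wc -l | tr -d ' '
}

# Constructed demo tree: one 16 MiB sparse file and one small file.
demo_dir=$(mktemp -d)
dd if=/dev/zero of="$demo_dir/large-archive.bin" bs=1 count=0 seek=16777216 2>/dev/null
echo "small" > "$demo_dir/note.txt"
echo "limit 15M = $(size_to_bytes 15M) bytes"
echo "not scanned: $(count_oversized "$demo_dir" 15M) file(s)"
oversized_files "$demo_dir" 15M
rm -rf "$demo_dir"
```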