Koozali.org: home of the SME Server

ClamAV

darmasanthi
ClamAV
« on: February 07, 2009, 01:26:27 PM »
Hi All,
Our iBays contain many viruses (Win32.Sality.AE - detected by Symantec Corporate),
but Symantec cannot clean or delete the virus, and neither can ClamAV on SME 7.4
(ClamAV Version :0.94.2/8963/Sat Feb 7 13:53:02 2009)

How do we eliminate this problem?

regards,
darmasanthi

Stefano
Re: ClamAV
« Reply #1 on: February 07, 2009, 08:09:33 PM »
hi

please read the man page of clamscan.. you can call it with some switches to clean/delete infected files

HTH
ciao

Stefano

darmasanthi
Re: ClamAV
« Reply #2 on: February 08, 2009, 09:48:23 AM »
I have been trying to follow the manual,
but clamscan cannot detect the virus, nor remove it;
when clamscan scans the infected files, the result is "OK" - meaning no virus,
but when we check the ibays with Symantec, it finds the Win32.Sality.AE virus ...

regards,
darmasanthi

Stefano
Re: ClamAV
« Reply #3 on: February 08, 2009, 09:51:59 AM »
well... in this case, please check the infected files with another av different from symantec: it could be a false positive.

also, be sure your server is fully updated

ciao
Stefano

darmasanthi
Re: ClamAV
« Reply #4 on: February 08, 2009, 10:31:19 AM »
here is a preview of the clamscan output:

iles/ibays/programs/files/ciqhvh.exe: OK
/home/e-smith/files/ibays/programs/files/wpeucs.pif: OK
/home/e-smith/files/ibays/programs/files/kifylm.exe: OK
/home/e-smith/files/ibays/programs/files/jvket.exe: OK
/home/e-smith/files/ibays/programs/files/vnypkl.pif: OK
/home/e-smith/files/ibays/programs/files/qcwu.pif: OK
/home/e-smith/files/ibays/programs/files/qrwfla.exe: OK
/home/e-smith/files/ibays/programs/files/xwool.exe: OK
/home/e-smith/files/ibays/programs/files/brcug.pif: OK
/home/e-smith/files/ibays/programs/files/xrwklq.pif: OK
/home/e-smith/files/ibays/programs/files/fsdbjx.pif: OK
/home/e-smith/files/ibays/programs/files/bxof.pif: OK
/home/e-smith/files/ibays/programs/files/dtxc.cmd: OK
/home/e-smith/files/ibays/programs/files/gvmu.cmd: OK
/home/e-smith/files/ibays/programs/files/vuynoo.pif: OK


and we have tried other antivirus programs .. the result is the same as Symantec's report

regards,
darmasanthi

Stefano
Re: ClamAV
« Reply #5 on: February 08, 2009, 10:46:40 AM »
Hi..

how did you run clamscan?

if symantec and other AVs report these files as viruses but clamav does not, you should report it to the clamav site/developers.. but it sounds a bit strange

anyway, go to console and do
Code:
cd /home/e-smith/files/ibays/programs/files/
rm -rf *.pif
rm -rf  *.cmd
rm *.exe

the last command will ask you to confirm deletion of each file.. so if you have good exes, you will not delete them

HTH
ciao
Stefano

darmasanthi
Re: ClamAV
« Reply #6 on: February 08, 2009, 11:07:19 AM »
Hi Stefano,
we got this error :
....

[root@primsvr files]# rm -rf *.pif
-bash: /bin/rm: Argument list too long

...
rgds

Stefano
Re: ClamAV
« Reply #7 on: February 08, 2009, 11:20:07 AM »
Quote from: darmasanthi on February 08, 2009, 11:07:19 AM
Hi Stefano,
we got this error :
....

[root@primsvr files]# rm -rf *.pif
-bash: /bin/rm: Argument list too long

...
rgds

ok..

then use this
Code:
find . -type f -name '*.pif' -exec rm -f {} \;

it should do the job

ah, naturally, you should check your client PCs and disconnect them from the server and from the internet.. reconnect them only when you are sure they are not infected

ciao
Stefano
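The two suggestions above (Reply #1: let clamscan act on infected files via its switches; Replies #5 and #7: remove the dropped files without hitting "Argument list too long") put together as an added example. This is not code from the thread or from SME Server; the paths in the usage line are placeholders, and it moves suspect files to a quarantine directory rather than deleting them, so a misfired pattern can be undone and the samples remain available for submission to the ClamAV developers as Stefano suggests.

```shell
#!/bin/sh
# Added example, not from the thread. Two helpers for the situation above:
#  - scan_dir: let clamscan itself report (and optionally move) infected
#    files, the "switches" Reply #1 points at (see `man clamscan`).
#  - quarantine_by_ext: move files by extension out of an ibay instead of
#    deleting them, handing the paths to mv through find so the shell never
#    builds one huge argument list (the "Argument list too long" error).
# The paths in the usage line are placeholders; the quarantine directory must
# live outside the tree being scanned, or find would pick the files up again.

# Scan $1 recursively; with $2 set, clamscan moves infected files into $2.
# Prints only infected files. Returns clamscan's own exit status
# (0 clean, 1 infected files found, 2 error) or 127 if it is not installed.
scan_dir() {
    dir=$1; quarantine=$2
    command -v clamscan >/dev/null 2>&1 || { echo "clamscan not installed" >&2; return 127; }
    if [ -n "$quarantine" ]; then
        clamscan --recursive --infected --move="$quarantine" "$dir"
    else
        clamscan --recursive --infected "$dir"
    fi
}

# Move every regular file under $1 whose name ends in one of the extensions
# given as $3.. into $2, keeping the relative path so two files with the same
# name in different subdirectories cannot overwrite each other.
quarantine_by_ext() {
    src=$1; dst=$2; shift 2
    for ext in "$@"; do
        # The pattern is quoted: an unquoted *.pif is expanded by the shell
        # before find runs, which is the pitfall in the thread's find line.
        # "{} +" batches the paths, so this works with thousands of files.
        find "$src" -type f -name "*.$ext" -exec sh -c '
            dst=$1; src=$2; shift 2
            for f; do
                rel=${f#"$src"/}
                mkdir -p "$dst/$(dirname "$rel")"
                mv -- "$f" "$dst/$rel"
            done' sh "$dst" "$src" {} +
    done
}

# Usage (placeholder paths):
#   sh quarantine.sh /home/e-smith/files/ibays/programs /var/quarantine pif cmd exe
if [ "$#" -ge 3 ]; then
    quarantine_by_ext "$@"
fi
```

Run `scan_dir` first so that anything ClamAV does recognise is moved with its own detection name in the log; `quarantine_by_ext` then catches the random-named .pif/.cmd/.exe droppings that clamscan reports as OK. Review the quarantine directory before deleting it, and, as the thread says, keep the infected clients off the LAN while you do.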

asandoz
Re: ClamAV
« Reply #8 on: March 17, 2009, 05:17:06 PM »
Hi,
I've got the same problem with the Sality virus on ibays. I tried to add the veto files to the samba configuration but I can't; I tried to stop that type of file but I got this error
//etc/samba/smb.conf: 1 fragment generated errors
 at /sbin/e-smith/expand-template line 45

ERROR in /etc/e-smith/templates-custom//etc/smb.conf/10globals: Program fragment delivered error <<syntax error at /etc/e-smith/templates-custom//etc/smb.conf/10globals line 19, at EOF>> at template line 19

the line I added is
veto files = /*.exe/*.pif/*.com/*.cmd/*.vbs/*.{*}/
I can't understand the error.
Can someone please help me.
Ciao
Sandro

Stefano
Re: ClamAV
« Reply #9 on: March 18, 2009, 08:52:38 AM »
Ciao Sandro

[OT] drop by the Italian section too, thanks [/OT]

I think the problem is the last rule.. { and } are reserved characters and should be escaped.

BTW, blocking files would not solve your problem IMO

HTH
Ciao
Stefano
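As an added illustration of Stefano's point (not from the thread or from SME Server): the e-smith template fragments that expand-template processes are Text::Template text, in which `{` and `}` delimit embedded Perl, so the braces in the veto pattern are read as the start of a program fragment and the parser hits EOF before the closing one, which is the "syntax error ... at EOF" in the message above. A literal brace is written with a backslash in Text::Template; the line below assumes that escape syntax and the custom fragment path from Sandro's post.

```text
# inside /etc/e-smith/templates-custom/etc/smb.conf/10globals (path from the thread)
# each brace is escaped so Text::Template emits it literally instead of
# treating it as the start of a Perl fragment
veto files = /*.exe/*.pif/*.com/*.cmd/*.vbs/*.\{*\}/
```

After editing, re-run the expansion the same way the error was produced (expand-template on /etc/samba/smb.conf) and check that the generated smb.conf contains the unescaped pattern. As Stefano notes, this only stops new copies being written to the share; it does nothing for the PCs that keep dropping them.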

asandoz
Re: ClamAV
« Reply #10 on: March 19, 2009, 08:42:51 AM »
Thanks
I think I'll use this rule temporarily until I can clean the infected PC.

Ciao
Sandro

Stefano
Re: ClamAV
« Reply #11 on: March 19, 2009, 08:53:10 AM »
Quote from: asandoz on March 19, 2009, 08:42:51 AM
Thanks
I think I'll use this rule temporarily until I can clean the infected PC.

Ciao
Sandro


well.. the infected one should be disconnected from the LAN immediately.. is it still connected? :-|

ciao
Stefano, who is waiting for you "over there" ;-)