Koozali.org: home of the SME Server
Obsolete Releases => SME Server 7.x => Topic started by: darmasanthi on February 07, 2009, 01:26:27 PM
-
Hi All,
Our iBays contain many viruses (Win32.Sality.AE, detected by Symantec Corporate),
but Symantec cannot clean or delete the virus, and neither can ClamAV on SME 7.4
(ClamAV version: 0.94.2/8963/Sat Feb 7 13:53:02 2009).
How can this problem be eliminated?
regards,
darmasanthi
-
hi
please read the man page of clamscan.. you can call it with some switches and clean/delete infected files
HTH
ciao
Stefano
-
I have been trying to follow the manual,
but clamscan cannot detect the virus and cannot remove it;
when clamscan scans the infected files the result is "OK", which means no virus,
but when we check the ibays with Symantec, it finds the Win32.Sality.AE virus...
regards,
darmasanthi
-
well... in this case, please check the infected files with another AV different from Symantec: it could be a false positive.
also, be sure your server is fully updated
ciao
Stefano
-
here is a preview of the clamscan process:
/home/e-smith/files/ibays/programs/files/ciqhvh.exe: OK
/home/e-smith/files/ibays/programs/files/wpeucs.pif: OK
/home/e-smith/files/ibays/programs/files/kifylm.exe: OK
/home/e-smith/files/ibays/programs/files/jvket.exe: OK
/home/e-smith/files/ibays/programs/files/vnypkl.pif: OK
/home/e-smith/files/ibays/programs/files/qcwu.pif: OK
/home/e-smith/files/ibays/programs/files/qrwfla.exe: OK
/home/e-smith/files/ibays/programs/files/xwool.exe: OK
/home/e-smith/files/ibays/programs/files/brcug.pif: OK
/home/e-smith/files/ibays/programs/files/xrwklq.pif: OK
/home/e-smith/files/ibays/programs/files/fsdbjx.pif: OK
/home/e-smith/files/ibays/programs/files/bxof.pif: OK
/home/e-smith/files/ibays/programs/files/dtxc.cmd: OK
/home/e-smith/files/ibays/programs/files/gvmu.cmd: OK
/home/e-smith/files/ibays/programs/files/vuynoo.pif: OK
and, we have tried other antivirus programs.. the result is the same as the Symantec report
regards,
darmasanthi
-
Hi..
how did you run clamscan?
if Symantec and other AVs report these files as a virus but ClamAV does not, you should report it to the ClamAV site/developers.. but it sounds a bit strange
anyway, go to console and do
cd /home/e-smith/files/ibays/programs/files/
rm -rf *.pif
rm -rf *.cmd
rm *.exe
the last command will ask you to confirm deletion of each file.. so if you have good exe files, you will not delete them
HTH
ciao
Stefano
-
Hi Stefano,
we got this error:
....
[root@primsvr files]# rm -rf *.pif
-bash: /bin/rm: Argument list too long
...
rgds
-
ok..
then use this
find . -type f -name '*.pif' -exec rm -f {} \;
it should do the job
ah, naturally, you should check your client PCs and disconnect them from the server and from the internet.. re-connect them only when you are sure that they are not infected
ciao
Stefano
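The find-based cleanup above, as an added defensive example that is not code from the thread or from SME Server: it quarantines the dropper files instead of deleting them (so a good exe can be put back), writes a sha256 manifest so samples can be sent to the ClamAV developers as suggested earlier, and lets find pass paths one at a time so the "Argument list too long" glob failure cannot occur. The ibay path and quarantine directory are assumptions passed as arguments.

```shell
#!/bin/sh
# Added example, not code from the thread or from SME Server.
# Quarantine (instead of rm) every .pif/.cmd/.exe under an ibay directory,
# keep a sha256 manifest so samples can be sent to the ClamAV maintainers,
# and let find hand over paths one by one so the shell never expands a huge
# glob (the "Argument list too long" failure seen with "rm -rf *.pif").
set -eu

# quarantine_droppers SRC DST
# Moves matching files from SRC into DST, preserving the relative path so a
# false positive can be moved back. Prints the number of files moved.
# Assumes filenames contain no newline characters.
quarantine_droppers() {
    src="$1"; dst="$2"
    mkdir -p "$dst"
    list="$dst/.pending"
    find "$src" -type f \( -iname '*.pif' -o -iname '*.cmd' -o -iname '*.exe' \) > "$list"
    while IFS= read -r f; do
        rel="${f#"$src"/}"
        mkdir -p "$dst/$(dirname "$rel")"
        # Record hash and original location before the file is moved.
        printf '%s  %s\n' "$(sha256sum "$f" | cut -d' ' -f1)" "$f" >> "$dst/MANIFEST"
        mv -- "$f" "$dst/$rel"
    done < "$list"
    count=$(wc -l < "$list" | tr -d ' ')
    rm -f "$list"
    echo "$count"
}

# restore_quarantined DST SRC RELPATH
# Puts one quarantined file back under SRC (for a confirmed false positive).
restore_quarantined() {
    mkdir -p "$2/$(dirname "$3")"
    mv -- "$1/$3" "$2/$3"
}

# Usage: ./quarantine.sh /home/e-smith/files/ibays/programs/files /root/quarantine
if [ $# -ge 2 ]; then
    moved=$(quarantine_droppers "$1" "$2")
    echo "quarantined $moved file(s) into $2; see $2/MANIFEST"
fi
```

Run it as root with the ibay directory and an empty quarantine directory outside any share; the MANIFEST lists each moved file's hash and original path.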
-
Hi,
I've got the same problem with the Sality virus on ibays. I tried to add the veto files to the samba configuration but I can't; I tried to block that type of file but I got this error
//etc/samba/smb.conf: 1 fragment generated errors
at /sbin/e-smith/expand-template line 45
ERROR in /etc/e-smith/templates-custom//etc/smb.conf/10globals: Program fragment delivered error <<syntax error at /etc/e-smith/templates-custom//etc/smb.conf/10globals line 19, at EOF>> at template line 19
the line I added is
veto files = /*.exe/*.pif/*.com/*.cmd/*.vbs/*.{*}/
I can't understand the error.
Can someone please help me.
Ciao
Sandro
-
Ciao Sandro
[OT] come over to the Italian section too, thanks[/OT]
I think the problem is the last rule.. { and } are reserved characters and should be escaped.
BTW, blocking files would not solve your problem IMO
HTH
Ciao
Stefano
-
Thanks
I think I'll use this rule temporarily until I can clean the infected PC.
Ciao
Sandro
-
well.. the infected one should be disconnected immediately from the LAN.. is it still connected? :-|
ciao
Stefano, who is waiting for you "over there" ;-)