From: "Massimo S."
Reply-To: ml@ecomstation.it
Subject: Re: [eCS-ISP] ClamAV
To: eCS ISP Mailing List
Organization: eComStation dot it
Message-ID: <9a271cbd-a308-e9f9-abda-5bc8eebb4c1b@ecomstation.it>
Date: Thu, 12 Oct 2023 20:44:21 +0200
User-Agent: Mozilla/5.0 (OS/2; U; Warp 4.5; it-IT; rv:1.7.13) Gecko/20060424 Thunderbird/1.0.8 Mnenhy/0.7.4.0

On 12/10/2023 18:39, Steven Levine wrote:
> In , on 10/12/23
> at 10:27 AM, "Massimo S."
> said:
>
> Hi Massimo,
>
>> they do not work from wget or curl
>
> I'm starting to get the impression that the links we are finding are
> stale.
>
> I'm not sure it's possible to use wget or curl anymore.
>
> The reason for the curl failure is obvious if you think to look at the
> content of the downloaded web page. How to avoid the failure is less
> obvious. :-)
>
>> http://db.local.clamav.net/main.cvd
>> http://db.local.clamav.net/daily.cvd
>
> Where did you get these URLs from? On my currently partially working
> ClamAV setup (ClamAV 0.103.6), freshclam is attempting to download

I searched online:
https://askubuntu.com/questions/1280581/how-to-offline-update-clamav-database

> https://database.clamav.net/daily.cvd
>
> which fails because OpenSSL cannot find a certificate and complains:
>
> * error setting certificate verify locations: CAfile:
> /etc/ssl/cacert.pem CApath: none
>
> Did you get this failure and if so what did you do to correct it?

I don't get the same error. I get this from freshclam:

etc..
WARNING: downloadPatch: Can't download daily-26075.cdiff from https://database.clamav.net/daily-26075.cdiff
WARNING: downloadFile: file not found: https://database.clamav.net/daily-26075.cdiff
WARNING: downloadPatch: Can't download daily-26075.cdiff from https://database.clamav.net/daily-26075.cdiff
WARNING: Incremental update failed, trying to download daily.cvd
WARNING: Stderr output from database load : realloc_problem: Not enough memory
[...] X:\USR\LOCAL\CLAMAV\BIN\FRESHCLAM.EXE
ERROR: Database load killed by signal 9
ERROR: Database test FAILED.
ERROR: Unexpected error when attempting to update daily: Test failed
ERROR: Database update process failed: Test failed
ERROR: Update failed.

>> with wget i can use every option, but i still get:
>> wget https://db.local.clamav.net/daily.cvd --no-check-certificate
>
>> --2023-10-12 10:17:33-- https://db.local.clamav.net/daily.cvd
>> Risoluzione di db.local.clamav.net (db.local.clamav.net)...
>> 104.16.219.84, 104.16.218.84 Connessione a db.local.clamav.net
>> (db.local.clamav.net)|104.16.219.84|:443... connesso. AVVERTIMENTO:
>> impossibile verificare il certificato di db.local.clamav.net, rilasciato
>> da "CN=Cloudflare Inc ECC CA-3,O=Cloudflare\\, Inc.,C=US":
>> Impossibile verificare localmente l'autorità dell'emittente. Richiesta
>> HTTP inviata, in attesa di risposta... 403 Forbidden 2023-10-12 10:17:33
>> ERRORE 403: Forbidden.
>
> Wget fails a bit differently here:
>
>> wget https://db.local.clamav.net/daily.cvd --no-check-certificate
> --2023-10-12 09:01:55-- https://db.local.clamav.net/daily.cvd Resolving
> db.local.clamav.net (db.local.clamav.net)... 104.16.218.84, 104.16.219.84
> Connecting to db.local.clamav.net
> (db.local.clamav.net)|104.16.218.84|:443... connected. HTTP request sent,
> awaiting response... 403 Forbidden
> 2023-10-12 09:01:56 ERROR 403: Forbidden.
>
> For some reason, I don't get the certificate failure.
>
> I get the same forbidden error attempting to wget
> https://database.clamav.net/daily.cvd.
>
>> of course i've the latest wget (check with yum updated wget)
>
> Just to be sure, does wget --version report:
>
> GNU Wget 1.21.3 built on os2-emx.

Doh :-) no.. here it says 1.20.3
I tried yum update again, but it doesn't find any update.

>> i can only download them from my pc with the browser, but i don't think
>> this is an option
>
> Why not? I've not tried this yet.

Manual updates??

> The ClamAV folks provide a cfgupdate tool which I've not tracked down or
> tested.
>
>> i put the new signatures on the old ClamAV 0.102.0 i started clamscan and
>> the server freezed :-(
>
> Clamscan 0.103.6 to the level I've tested it here works fine with the
> 0.102.0 signatures Paul shipped.
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 4566249
> Engine version: 0.103.6
> Scanned directories: 8
> Scanned files: 158
> Infected files: 0
> Data scanned: 23.64 MB
> Data read: 16.32 MB (ratio 1.45:1)
> Time: 43.756 sec (0 m 43 s)
> Start Date: 2023:10:11 12:57:28
> End Date: 2023:10:11 12:58:12
>
> I plan to try with a larger set of files.
>
>> damn me, during production hour here (10,23 AM)
>
> Ooops. :-)

I use SPE to lower the priority of clamav (on server1, the one that froze).
Maybe this could create issues?

e.g.
spe r-10 clamscan --database=X:\usr\local\clamav\share\clamav -r --quiet --exclude=MSGLIST.DAT --exclude=DOMAIN.* --exclude=*.### --move=Y:\quarantine -lclamav_day.log X:\weasel\MailRoot\mymaildomain.it'

On server2, where I'm testing 0.103.6, I've tried to use clamscan with the "main" signatures and it worked,
but if I add the daily signatures and sanesecurity* I get this:

LibClamAV Warning: **************************************************
LibClamAV Warning: *** The virus database is older than 7 days!   ***
LibClamAV Warning: *** Please update it as soon as possible.       ***
LibClamAV Warning: **************************************************
realloc_problem: Not enough memory
LibClamAV Error: cli_realloc(): Can't re-allocate memory to 1417784 bytes.
LibClamAV Error: cli_ac_addpatt: Can't realloc ac_listtable
LibClamAV Error: cli_parse_add(): Problem adding signature (3).
LibClamAV Error: Problem parsing database at line 49161
LibClamAV Error: Can't load daily.ldb: Can't allocate memory
LibClamAV Error: cli_tgzload: Can't load daily.ldb
LibClamAV Error: Can't load d:\usr\local\clamav\share\clamav/daily.cld: Malformed database
LibClamAV Error: cli_loaddbdir(): error loading database d:\usr\local\clamav\share\clamav/daily.cld
ERROR: Malformed database
LIBC PANIC!!
_um_free_maybe_lock: Tried to free block twice - block=0dbc0cd8 lock=0x1
pid=0x23df ppid=0x23de tid=0x0001 slot=0x008c pri=0x0200 mc=0x0000 ps=0x0010
X:\USR\LOCAL\CLAMAV\BIN\CLAMSCAN.EXE

* 11/07/21 21:44   336.436.224  124 a---  daily.cld
  10/10/23 11:37            61  124 a---  freshclam.dat
  11/07/21 21:46   307.403.264  124 a---  main.cld
  15/08/17 12:20   117.892.267  124 a---  main.cvd
  10/10/23  8:59     4.461.491  124 a---  phish.ndb
  10/10/23  8:59     1.951.611  124 a---  scam.ndb

massimo

>
> Steven
>
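An added check, not part of this thread or of ClamAV's own tooling, for anyone who ends up downloading daily.cvd by hand as discussed above: it reads the 512-byte ClamAV-VDB header of a .cvd/.cld file before the file is handed to clamscan, rejects a saved HTTP 403 error page (which the engine would only report as "Malformed database"), computes the age behind the "older than 7 days" warning, and compares the functionality level the database requires with the engine's. The two sample headers and the engine level 80 are constructed for the example.

```python
"""Sanity-check a ClamAV .cvd/.cld header before loading it (added example)."""
from datetime import datetime, timezone

HEADER_LEN = 512  # a CVD/CLD file starts with a fixed 512-byte colon-separated header

def parse_cvd_header(data: bytes) -> dict:
    """Return the fields of the ClamAV-VDB header at the start of data."""
    if len(data) < HEADER_LEN:
        raise ValueError("file shorter than a CVD header (truncated download?)")
    fields = data[:HEADER_LEN].rstrip(b" \0").decode("ascii", "replace").split(":")
    if fields[0] != "ClamAV-VDB" or len(fields) < 9:
        # a saved HTML error page (e.g. a 403 body) ends up here
        raise ValueError("not a ClamAV-VDB header: " + fields[0][:40])
    return {
        "time": datetime.strptime(fields[1], "%d %b %Y %H-%M %z"),  # build time
        "version": int(fields[2]),   # the N in daily-N.cdiff
        "sigs": int(fields[3]),      # number of signatures
        "flevel": int(fields[4]),    # engine functionality level required
        "md5": fields[5], "dsig": fields[6], "builder": fields[7],
        "stime": int(fields[8]),
    }

def check_database(data: bytes, engine_flevel: int, now: datetime) -> list:
    """List the problems a user would want to know about before running clamscan."""
    hdr = parse_cvd_header(data)
    problems = []
    age = (now - hdr["time"]).days
    if age > 7:  # the condition behind LibClamAV's "older than 7 days" warning
        problems.append(f"database is {age} days old")
    if hdr["flevel"] > engine_flevel:
        problems.append(f"needs functionality level {hdr['flevel']}, engine has {engine_flevel}")
    if not hdr["dsig"]:
        problems.append("header carries no digital signature")
    return problems

# Constructed samples: a plausible daily header (version number taken from the
# thread's daily-26075.cdiff) and a 403 error page saved under the name daily.cvd.
SAMPLE_HEADER = (b"ClamAV-VDB:01 Oct 2023 08-00 -0400:26075:6500000:90:"
                 b"0123456789abcdef0123456789abcdef:DSIG-PLACEHOLDER:builder:1696161600"
                 ).ljust(HEADER_LEN, b" ")
SAMPLE_403_PAGE = b"<html><body>403 Forbidden</body></html>\n".ljust(HEADER_LEN, b" ")

def demo() -> tuple:
    """Run both samples; returns (problems for the real-looking header, error for the 403 page)."""
    now = datetime(2023, 10, 12, tzinfo=timezone.utc)  # the date of this thread
    problems = check_database(SAMPLE_HEADER, engine_flevel=80, now=now)  # 80 is an assumed level
    try:
        parse_cvd_header(SAMPLE_403_PAGE)
        error = ""
    except ValueError as exc:
        error = str(exc)
    return problems, error
```

The real functionality level of an installed engine is printed by clamconf; substitute it for the assumed 80 when checking a real file.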