AIX Open Source

New version of ClamAV needed

  • 1.  New version of ClamAV needed

    Posted Thu February 10, 2022 09:13 AM
    Receiving Warnings that ClamAV is out of date when updating the ClamAV database but the system is running the latest version in the AIX Toolbox.

    Please update the version of ClamAV in the AIX Toolbox.

    # /opt/freeware/bin/freshclam -F
    ClamAV update process started at Thu Feb 10 08:04:05 2022
    WARNING: Your ClamAV installation is OUTDATED!
    WARNING: Local version: 0.102.2 Recommended version: 0.103.5
    DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav

    root@awx:/home #/opt/freeware/bin/dnf info clamav
    Last metadata expiration check: 0:11:10 ago on Thu Feb 10 07:44:23 CST 2022.
    Installed Packages
    Name : clamav
    Version : 0.102.2
    Release : 1
    Architecture : ppc
    Size : 16 M
    Source : clamav-0.102.2-1.src.rpm
    Repository : @System
    From repo : AIX_Toolbox
    Summary : Antivirus Toolkit
    URL : http://www.clamav.net
    License : GPL-2.0-only
    Description : ClamAV is an antivirus engine designed for detecting trojans,
    : viruses, malware and other malicious threats. It is the de-facto
    : standard for mail gateway scanning. It provides a multi-threaded
    : scanning daemon, command line utilities for on-demand file scanning,
    : and a tool for automatic signature updates. The core ClamAV library
    : provides numerous file format detection mechanisms, file unpacking
    : support, archive support, and multiple signature languages for
    : detecting threats.

    Thank you for your help!

    Stan

    ------------------------------
    Stanley
    ------------------------------


  • 2.  RE: New version of ClamAV needed

    Posted Thu February 10, 2022 09:49 AM
    Thanks for reporting. We will update it ASAP.

    ------------------------------
    Ayappan P
    ------------------------------



  • 3.  RE: New version of ClamAV needed

    Posted Wed March 09, 2022 06:16 AM
    Do you have an ETA for the delivery of version 0.103 to the AIX Toolbox?

    ------------------------------
    Hector Speight
    ------------------------------



  • 4.  RE: New version of ClamAV needed

    Posted Mon March 14, 2022 01:16 PM
    The new version of ClamAV has new dependencies, so it is taking time for us.
    We are working on building the new dependencies and the newer version of the package.
    Also, there are some internal processes. Our target is the end of this month or early next month.

    ------------------------------
    SANKET RATHI
    ------------------------------



  • 5.  RE: New version of ClamAV needed

    Posted Mon March 14, 2022 01:32 PM
    Thanks for the update

    ------------------------------
    Hector Speight
    ------------------------------



  • 6.  RE: New version of ClamAV needed

    Posted Mon May 02, 2022 09:14 AM
    Can we have an update on the release date of a new version of ClamAV?

    Thank you!

    Stan Speegle

    ------------------------------
    Stanley
    ------------------------------



  • 7.  RE: New version of ClamAV needed

    Posted Wed May 04, 2022 11:50 AM
    Hi Stanley, 
    We have built the new ClamAV and will upload it in a couple of days.
    Hopefully you will have it by end of this week.

    ------------------------------
    SANKET RATHI
    ------------------------------



  • 8.  RE: New version of ClamAV needed

    Posted Mon May 09, 2022 03:46 AM
    clamav-0.104.2-1 is now available on the AIX Toolbox. You can use dnf/yum to update to the latest level.

    ------------------------------
    SANKET RATHI
    ------------------------------



  • 9.  RE: New version of ClamAV needed

    Posted Thu May 12, 2022 01:53 PM
    Thank you for the new version of clamav. It installed without any issues, but I am receiving out of memory errors when scanning some files.

    Have you seen this issue before? The LPAR has plenty of RAM (10GB) and there are no errors in the errpt.

    root@mh-p9-nim:/tmp #/opt/freeware/bin/clamscan -rv /opt/freeware/lib64/python3.7/ensurepip/_bundled/
    Loading: 16s, ETA: 0s [========================>] 8.62M/8.62M sigs
    Compiling: 6s, ETA: 0s [========================>] 41/41 tasks

    Scanning /opt/freeware/lib64/python3.7/ensurepip/_bundled/pip-20.1.1-py2.py3-none-any.whl
    calloc_problem: Not enough space
    LibClamAV Error: cli_calloc(): Can't allocate memory (60126208 bytes).
    LibClamAV Error: cli_ac_init: Can't allocate memory for data->lsigsuboff_(last|first)[0]
    /opt/freeware/lib64/python3.7/ensurepip/_bundled/pip-20.1.1-py2.py3-none-any.whl: Can't allocate memory ERROR
    Scanning /opt/freeware/lib64/python3.7/ensurepip/_bundled/setuptools-47.1.0-py3-none-any.whl
    calloc_problem: Not enough space
    LibClamAV Error: cli_calloc(): Can't allocate memory (60126208 bytes).
    LibClamAV Error: cli_ac_init: Can't allocate memory for data->lsigsuboff_(last|first)[0]
    /opt/freeware/lib64/python3.7/ensurepip/_bundled/setuptools-47.1.0-py3-none-any.whl: Can't allocate memory ERROR

    ----------- SCAN SUMMARY -----------
    Known viruses: 8616419
    Engine version: 0.104.2
    Scanned directories: 1
    Scanned files: 0
    Infected files: 0
    Total errors: 2
    Data scanned: 6.65 MB
    Data read: 1.97 MB (ratio 3.37:1)
    Time: 30.898 sec (0 m 30 s)

    These could just be normal errors on these files, but I would like to know why.

    Thank you,

    Stan

    ------------------------------
    Stanley
    ------------------------------



  • 10.  RE: New version of ClamAV needed

    Posted Fri May 13, 2022 01:51 AM
    While running on my system I did not see any issue.
    It could be that in your system it needs to allocate more memory and probably ulimit is not enough.
    Can you try setting the ulimit of data to unlimited and test?

    $ ulimit -d unlimited 


    ------------------------------
    SANKET RATHI
    ------------------------------



  • 11.  RE: New version of ClamAV needed

    Posted Fri May 13, 2022 04:54 AM
    Sanket,

    Many thanks for the updated clamAV which I've installed without any issues.

    When running clamscan, however, I'm getting an "Invalid instruction" message, please see below.

    Scanning /opt/freeware/bin/yumdownloader
    /opt/freeware/bin/yumdownloader: OK
    /opt/freeware/bin/zcat: Symbolic link
    /opt/freeware/bin/zcmp: Symbolic link
    /opt/freeware/bin/zdiff: Symbolic link
    /opt/freeware/bin/zegrep: Symbolic link
    /opt/freeware/bin/zfgrep: Symbolic link
    /opt/freeware/bin/zforce: Symbolic link
    /opt/freeware/bin/zgrep: Symbolic link
    Scanning /opt/freeware/bin/zip
    Illegal instruction(coredump)
    # oslevel -s
    7100-05-07-2038
    # freeware/bin/clamscan -V
    ClamAV 0.104.2/26539/Thu May 12 04:04:41 2022
    #

    Let me know if you need any additional info.

    Many thanks, Steve


  • 12.  RE: New version of ClamAV needed

    Posted Mon May 16, 2022 01:34 PM
    Hi Steve,
    Can you please come up with a smaller test case or instructions to reproduce the issue?
    On my system I could not find an issue when scanning zip.

    
    # ls -l /opt/freeware/bin/zip
    -rwxr-xr-x    1 root     system       243733 Nov 28 2019  /opt/freeware/bin/zip
    
    
    # /opt/freeware/bin/clamscan -rv /opt/freeware/bin/zip
    Loading:    21s, ETA:   0s [========================>]    8.62M/8.62M sigs
    Compiling:   5s, ETA:   0s [========================>]       41/41 tasks
    
    Scanning /opt/freeware/bin/zip
    /opt/freeware/bin/zip: OK
    
    ----------- SCAN SUMMARY -----------
    Known viruses: 8616419
    Engine version: 0.104.2
    Scanned directories: 0
    Scanned files: 1
    Infected files: 0
    Data scanned: 0.48 MB
    Data read: 0.23 MB (ratio 2.07:1)
    Time: 27.244 sec (0 m 27 s)
    Start Date: 2022:05:16 12:23:05
    End Date:   2022:05:16 12:23:32
    
    
    #


    ------------------------------
    SANKET RATHI
    ------------------------------



  • 13.  RE: New version of ClamAV needed

    Posted Tue May 17, 2022 09:54 AM
    Hi Steve, 
    We are not able to recreate your issue. 
    Can you use the --debug option? That will probably provide some details about the issue.

    ------------------------------
    SANKET RATHI
    ------------------------------



  • 14.  RE: New version of ClamAV needed

    Posted Tue May 17, 2022 12:25 PM
    Sanket,

    Here's the final section of the --debug.

    LibClamAV debug: Checking realpath of /opt/freeware/bin/yumdownloader
    Scanning /opt/freeware/bin/yumdownloader
    LibClamAV debug: Recognized ASCII text
    LibClamAV debug: cache_check: 521c0049290d5f1109bbcacf312a2a39 is negative
    LibClamAV debug: matcher_run: performing regex matching on full map: 0+13476(13476) >= 13476
    LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
    LibClamAV debug: in cli_scanscript()
    LibClamAV debug: matcher_run: performing regex matching on full map: 0+9959(9959) >= 9959
    LibClamAV debug: matcher_run: performing regex matching on full map: 0+9959(9959) >= 9959
    LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
    LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
    LibClamAV debug: cli_magic_scan_desc: returning 0  at line 4857
    LibClamAV debug: cache_add: 521c0049290d5f1109bbcacf312a2a39 (level 0)
    /opt/freeware/bin/yumdownloader: OK
    /opt/freeware/bin/zcat: Symbolic link
    /opt/freeware/bin/zcmp: Symbolic link
    /opt/freeware/bin/zdiff: Symbolic link
    /opt/freeware/bin/zegrep: Symbolic link
    /opt/freeware/bin/zfgrep: Symbolic link
    /opt/freeware/bin/zforce: Symbolic link
    /opt/freeware/bin/zgrep: Symbolic link
    LibClamAV debug: Checking realpath of /opt/freeware/bin/zip
    Scanning /opt/freeware/bin/zip
    LibClamAV debug: Recognized binary data
    LibClamAV debug: cache_check: 30cd9c5d5aab19d33065757272ed4456 is negative
    LibClamAV debug: in cli_check_mydoom_log()
    LibClamAV debug: Matched signature for file type ZIP-SFX at 213500
    LibClamAV debug: matcher_run: performing regex matching on full map: 123072+120661(243733) >= 243733
    LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
    LibClamAV debug: CL_TYPE_ZIPSFX signature found at 213500
    LibClamAV debug: in cli_unzip_single
    LibClamAV debug: cli_unzip: local header - ZMDNAME:0:archive?  (y/n): :1680696684:1735289203:20612073:29513:0:1
    LibClamAV debug: CDBNAME:CL_TYPE_ZIP:1735289203:archive?  (y/n): :1735289203:1680696684:0:0:543236211:0
    LibClamAV debug: cli_unzip: local header - extra out of file
    Illegal instruction(coredump)
    amrasteve1:/opt/freeware/bin#


    Thanks, Steve


  • 15.  RE: New version of ClamAV needed

    Posted Fri May 13, 2022 09:48 AM
    I set the ulimit -d to unlimited.

    #ulimit -aS
    time(seconds) unlimited
    file(blocks) unlimited
    data(kbytes) unlimited
    stack(kbytes) 32768
    memory(kbytes) 32768
    coredump(blocks) 2097151
    nofiles(descriptors) 2000
    threads(per process) unlimited
    processes(per user) 128

    #ulimit -aH
    time(seconds) unlimited
    file(blocks) unlimited
    data(kbytes) unlimited
    stack(kbytes) 4194304
    memory(kbytes) unlimited
    coredump(blocks) unlimited
    nofiles(descriptors) unlimited
    threads(per process) unlimited
    processes(per user) 128

    The clamscan errors with a Segmentation fault and core dumps on the pip-20.1.1-py2.py3-none-any.whl file.

    #/opt/freeware/bin/clamscan -rv /opt/freeware/lib64/python3.7/ensurepip/_bundled/
    Loading: 16s, ETA: 0s [========================>] 8.62M/8.62M sigs
    Compiling: 6s, ETA: 0s [========================>] 41/41 tasks

    Scanning /opt/freeware/lib64/python3.7/ensurepip/_bundled/pip-20.1.1-py2.py3-none-any.whl
    Segmentation fault(coredump)

    Thank you for your help!

    Stan

    ------------------------------
    Stanley
    ------------------------------



  • 16.  RE: New version of ClamAV needed

    Posted Mon May 16, 2022 01:28 PM
    Thank you, Stanley, for reporting the issue.
    We will look into it.

    ------------------------------
    SANKET RATHI
    ------------------------------



  • 17.  RE: New version of ClamAV needed

    Posted Mon May 16, 2022 02:00 PM
    Edited by Steve Munday Mon May 16, 2022 02:00 PM
    Sanket,

    I did an explicit scan of ../zip and that worked fine.  I then did a scan of /home forgetting there was loads and loads of stuff within it HOWEVER it worked.

    ----------- SCAN SUMMARY -----------
    Known viruses: 8616496
    Engine version: 0.104.2
    Scanned directories: 338
    Scanned files: 3080
    Infected files: 0
    Data scanned: 5909.82 MB
    Data read: 49311.02 MB (ratio 0.12:1)
    Time: 425.992 sec (7 m 5 s)
    Start Date: 2022:05:16 13:39:44
    End Date: 2022:05:16 13:46:50
    #

    I then ran the below which also worked:

    # an -rv /opt/freeware/bin/z* <
    Loading: 19s, ETA: 0s [========================>] 8.62M/8.62M sigs
    Compiling: 5s, ETA: 0s [========================>] 41/41 tasks

    Scanning /usr/opt/rpm/bin/zcat
    /usr/opt/rpm/bin/zcat: OK
    Scanning /usr/opt/rpm/bin/zcmp
    /usr/opt/rpm/bin/zcmp: OK
    Scanning /usr/opt/rpm/bin/zdiff
    /usr/opt/rpm/bin/zdiff: OK
    Scanning /usr/opt/rpm/bin/zegrep
    /usr/opt/rpm/bin/zegrep: OK
    Scanning /usr/opt/rpm/bin/zfgrep
    /usr/opt/rpm/bin/zfgrep: OK
    Scanning /usr/opt/rpm/bin/zforce
    /usr/opt/rpm/bin/zforce: OK
    Scanning /opt/freeware/bin/zip
    /opt/freeware/bin/zip: OK
    Scanning /opt/freeware/bin/zipcloak
    /opt/freeware/bin/zipcloak: OK
    Scanning /opt/freeware/bin/zipdetails
    /opt/freeware/bin/zipdetails: OK
    Scanning /opt/freeware/bin/zipgrep_64
    /opt/freeware/bin/zipgrep_64: OK
    Scanning /opt/freeware/bin/zipgrep_32
    /opt/freeware/bin/zipgrep_32: OK
    Scanning /opt/freeware/bin/zipgrep_64
    /opt/freeware/bin/zipgrep_64: OK
    Scanning /opt/freeware/bin/zipinfo_64
    /opt/freeware/bin/zipinfo_64: OK
    Scanning /opt/freeware/bin/zipinfo_32
    /opt/freeware/bin/zipinfo_32: OK
    Scanning /opt/freeware/bin/zipinfo_64
    /opt/freeware/bin/zipinfo_64: OK
    Scanning /opt/freeware/bin/zipnote
    /opt/freeware/bin/zipnote: OK
    Scanning /opt/freeware/bin/zipsplit
    /opt/freeware/bin/zipsplit: OK
    Scanning /usr/opt/rpm/bin/zless
    /usr/opt/rpm/bin/zless: OK
    Scanning /usr/opt/rpm/bin/zmore
    /usr/opt/rpm/bin/zmore: OK
    Scanning /usr/opt/rpm/bin/znew
    /usr/opt/rpm/bin/znew: OK

    ----------- SCAN SUMMARY -----------
    Known viruses: 8616496
    Engine version: 0.104.2
    Scanned directories: 0
    Scanned files: 20
    Infected files: 0
    Data scanned: 1.95 MB
    Data read: 1.13 MB (ratio 1.72:1)
    Time: 25.639 sec (0 m 25 s)
    Start Date: 2022:05:16 13:53:41
    End Date: 2022:05:16 13:54:06
    #

    Observation
    If you notice the below there are no references to symlinks and it worked.

    Scanning /usr/opt/rpm/bin/zforce
    /usr/opt/rpm/bin/zforce: OK
    Scanning /opt/freeware/bin/zip
    /opt/freeware/bin/zip: OK

    If I do a scan of all the objects in the ../bin directory we see references to symlinks and it fails.

    /opt/freeware/bin/yumdownloader: OK
    /opt/freeware/bin/zcat: Symbolic link
    /opt/freeware/bin/zcmp: Symbolic link
    /opt/freeware/bin/zdiff: Symbolic link
    /opt/freeware/bin/zegrep: Symbolic link
    /opt/freeware/bin/zfgrep: Symbolic link
    /opt/freeware/bin/zforce: Symbolic link
    /opt/freeware/bin/zgrep: Symbolic link
    Scanning /opt/freeware/bin/zip
    Illegal instruction(coredump)

    Many thanks, Steve


  • 18.  RE: New version of ClamAV needed

    Posted Mon May 16, 2022 02:24 PM
    The clamscan of /opt/freeware/bin shows the soft links without an issue and no errors.

    I didn't see the oslevel of the system.

    The system is at AIX 7200-05-03-2148
    #oslevel -s
    7200-05-03-2148
    #/opt/freeware/bin/clamscan -rv /opt/freeware/bin
    Loading: 16s, ETA: 0s [========================>] 8.62M/8.62M sigs
    Compiling: 6s, ETA: 0s [========================>] 41/41 tasks

    [ Just showing the last of the files that were scanned. ]


    Scanning /opt/freeware/bin/zip
    /opt/freeware/bin/zip: OK
    Scanning /opt/freeware/bin/zipcloak
    /opt/freeware/bin/zipcloak: OK
    /opt/freeware/bin/zipgrep: Symbolic link
    Scanning /opt/freeware/bin/zipgrep_32
    /opt/freeware/bin/zipgrep_32: OK
    Scanning /opt/freeware/bin/zipgrep_64
    /opt/freeware/bin/zipgrep_64: OK
    /opt/freeware/bin/zipinfo: Symbolic link
    Scanning /opt/freeware/bin/zipinfo_32
    /opt/freeware/bin/zipinfo_32: OK
    Scanning /opt/freeware/bin/zipinfo_64
    /opt/freeware/bin/zipinfo_64: OK
    Scanning /opt/freeware/bin/zipnote
    /opt/freeware/bin/zipnote: OK
    Scanning /opt/freeware/bin/zipsplit
    /opt/freeware/bin/zipsplit: OK
    /opt/freeware/bin/zless: Symbolic link
    /opt/freeware/bin/zmore: Symbolic link
    /opt/freeware/bin/znew: Symbolic link

    ----------- SCAN SUMMARY -----------
    Known viruses: 8616496
    Engine version: 0.104.2
    Scanned directories: 1
    Scanned files: 314
    Infected files: 0
    Data scanned: 109.82 MB
    Data read: 61.89 MB (ratio 1.77:1)
    Time: 32.927 sec (0 m 32 s)
    Start Date: 2022:05:16 13:12:31
    End Date: 2022:05:16 13:13:04



    ------------------------------
    Stanley
    ------------------------------



  • 19.  RE: New version of ClamAV needed

    Posted Mon May 16, 2022 04:47 PM

    FYI, I tested a scan, with debug.

    # clamscan  --debug -rv
    LibClamAV debug: cache_add: da7b7f8a189c660a5679cd59892df84f (level 0)
    LibClamAV debug: cli_unzip: extracted to /tmp//20220516_144635-scantem.0a4c11e5af/clamav-d7eb047ec6b6c6b56ef617a989f96a92.tmp
    LibClamAV debug: in cli_magic_scan_desc_type (recursion_level: 0/17)
    LibClamAV debug: Recognized MS-EXE/DLL file
    LibClamAV debug: cache_check: a32a382b8a5a906e03a83b4f3e5b7a9b is negative
    LibClamAV debug: cli_peheader: SizeOfHeader is not aligned to the SectionAlignment
    calloc_problem: Not enough space
    LibClamAV Error: cli_calloc(): Can't allocate memory (51374336 bytes).
    LibClamAV Error: cli_ac_init: Can't allocate memory for data->lsigsuboff_(last|first)[0]
    LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
    LibClamAV debug: Descriptor[7]: scanraw error Can't allocate memory
    LibClamAV debug: cli_magic_scan_desc: returning 20  at line 4857
    LibClamAV debug: matcher_run: performing regex matching on full map: 492288+90799(583087) >= 583087
    LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
    LibClamAV debug: cli_magic_scan_desc: returning 20  at line 4857
    /opt/freeware/lib64/python3.7/ensurepip/_bundled/unpack/setuptools/winfiles/zip/setuptools-47.1.0-py3-none-any.whl: Can't allocate memory ERROR
    LibClamAV debug: Cleaning up phishcheck
    LibClamAV debug: Freeing phishcheck struct
    LibClamAV debug: Phishcheck cleaned up
    

    Next, I unpacked the two zip files:

    • pip-20.1.1-py2.py3-none-any.whl
    • setuptools-47.1.0-py3-none-any.whl

    I tested only those unpacked directories, and found errors all occur with Windows binaries.

      96768 /opt/freeware/lib64/python3.7/ensurepip/unpack/pip/_vendor/distlib/t32.exe
      105984 /opt/freeware/lib64/python3.7/ensurepip/unpack/pip/_vendor/distlib/t64.exe
       90112 /opt/freeware/lib64/python3.7/ensurepip/unpack/pip/_vendor/distlib/w32.exe
       99840 /opt/freeware/lib64/python3.7/ensurepip/unpack/pip/_vendor/distlib/w64.exe
       65536 /opt/freeware/lib64/python3.7/ensurepip/unpack/setuptools/cli-32.exe
       74752 /opt/freeware/lib64/python3.7/ensurepip/unpack/setuptools/cli-64.exe
       65536 /opt/freeware/lib64/python3.7/ensurepip/unpack/setuptools/cli.exe
       65536 /opt/freeware/lib64/python3.7/ensurepip/unpack/setuptools/gui-32.exe
       75264 /opt/freeware/lib64/python3.7/ensurepip/unpack/setuptools/gui-64.exe
       65536 /opt/freeware/lib64/python3.7/ensurepip/unpack/setuptools/gui.exe
    

    I tested with another Windows binary file

    • /opt/freeware/lib64/python3.7/distutils/command/wininst-10.0.exe

    and get the same memory errors. So the cli_calloc errors seem related to Windows executables, an issue with Windows files in this environment.

    If I set ulimit -d unlimited, I no longer get the errors. I have matched Stanley's ulimit settings, but do not get a core dump.

    Stanley, can you collect a stack trace for the core dump:

    # dbx /opt/freeware/bin/clamscan <path_to_core_file>
    (dbx) where
    <stack trace>
    (dbx) quit
    

    This might give an idea of the failing code.



    ------------------------------
    Jan Harris
    AIX Development Support (Liaison to the AIX Toolbox for Open Source)
    IBM (Contract)
    Austin TX
    ------------------------------
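The scans quoted in posts 9 and 19 end with "Infected files: 0" even though the files that hit the cli_calloc error were never scanned, and the crashing runs print no summary at all. The following is an added example, not code from the thread or from the ClamAV project: a POSIX shell sketch that classifies captured clamscan output and checks the soft data limit the thread's workaround raises. The function names, the 1 GiB threshold and the sample text are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: treat a clamscan run as trustworthy only if it finished
# and scanned every file. Function names and thresholds are hypothetical.

# Constructed sample, modelled on the output quoted in this thread.
sample_scan_output() {
cat <<'EOF'
Scanning /opt/freeware/lib64/python3.7/ensurepip/_bundled/pip-20.1.1-py2.py3-none-any.whl
calloc_problem: Not enough space
LibClamAV Error: cli_calloc(): Can't allocate memory (60126208 bytes).
/opt/freeware/lib64/python3.7/ensurepip/_bundled/pip-20.1.1-py2.py3-none-any.whl: Can't allocate memory ERROR
/opt/freeware/bin/zip: OK
/opt/freeware/bin/zcat: Symbolic link

----------- SCAN SUMMARY -----------
Scanned files: 1
Infected files: 0
Total errors: 1
EOF
}

# Print the path of every file whose result line ends in "ERROR",
# i.e. files that were NOT scanned. Reads clamscan output on stdin.
unscanned_files() {
    awk '
        / ERROR$/ && !/^LibClamAV/ {
            sub(/: [^:]* ERROR$/, "")   # strip ": <reason> ERROR"
            print
        }'
}

# Classify a whole run. Reads clamscan output on stdin and prints one of:
#   INFECTED   - a signature matched
#   CRASHED    - no SCAN SUMMARY block (process died, e.g. core dump)
#   INCOMPLETE - summary present but some files errored out
#   CLEAN      - summary present, no detections, no errors
scan_verdict() {
    awk '
        / FOUND$/                  { found++ }
        / ERROR$/ && !/^LibClamAV/ { errs++ }
        /^-+ SCAN SUMMARY -+$/     { summary = 1 }
        /^Infected files: /        { if ($3 + 0 > 0) found++ }
        /^Total errors: /          { if ($3 + 0 > 0) errs++ }
        END {
            if (found)         print "INFECTED"
            else if (!summary) print "CRASHED"
            else if (errs)     print "INCOMPLETE"
            else               print "CLEAN"
        }'
}

# Return 0 if a soft data limit (the value printed by "ulimit -d", in KB
# or the word "unlimited") is at least need_kb.
data_limit_sufficient() {
    limit=$1
    need_kb=$2
    if [ "$limit" = "unlimited" ]; then
        return 0
    fi
    [ "$limit" -ge "$need_kb" ]
}

# Stand-alone demonstration on the constructed sample.
NEED_KB=1048576   # assumed threshold (1 GiB); tune for the signature set in use
if data_limit_sufficient "$(ulimit -d)" "$NEED_KB"; then
    echo "data limit: ok"
else
    echo "data limit: below ${NEED_KB} KB, expect cli_calloc failures"
fi
echo "verdict: $(sample_scan_output | scan_verdict)"
echo "not scanned:"
sample_scan_output | unscanned_files
```

clamscan's own exit status carries the same distinction (0 no virus found, 1 virus found, 2 errors occurred), so a scheduled job should fail on anything other than 0 rather than look only at the "Infected files" line.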



  • 20.  RE: New version of ClamAV needed

    Posted Tue May 17, 2022 08:29 AM
    I scanned /opt/freeware with clamscan and it scanned lots of files then core dumped.

    /opt/freeware/lib/python2.7/site-packages/pip/_vendor/distlib/scripts.pyc: OK
    Scanning /opt/freeware/lib/python2.7/site-packages/pip/_vendor/distlib/t32.exe
    /opt/freeware/lib/python2.7/site-packages/pip/_vendor/distlib/t32.exe: OK
    Scanning /opt/freeware/lib/python2.7/site-packages/pip/_vendor/distlib/t64.exe
    Segmentation fault(coredump)

    I ran the dbx on the core file with this output.

    #dbx /opt/freeware/bin/clamscan /tmp/core
    Type 'help' for help.
    Core file "/tmp/core" program "clamscan_64" does not match current program (ignored)
    reading symbolic information ...
    (dbx) where
    ustart() at 0x9fffffff00011b4
    (dbx) quit

    I hope this helps!

    Thank you for your assistance!

    ------------------------------
    Stanley
    ------------------------------



  • 21.  RE: New version of ClamAV needed

    Posted Tue May 17, 2022 09:22 AM
    Hi, Stanley
    So it is core dumping scanning these Windows executables. 
    I still cannot generate a core.

    Can you run dbx again, but use the 64 bit binary:

    # dbx /opt/freeware/bin/clamscan_64 /tmp/core
    (dbx) where
    <...>
    (dbx) quit

    Also, share any non-private output from the env command (I omit host/IP info in the following example):

    # env | egrep -v "SSH| `uname -n`| `host \`hostname\`| cut -f3 -d\" \"`"


    ------------------------------
    Jan Harris
    AIX Development Support (Liaison to the AIX Toolbox for Open Source)
    IBM (Contract)
    Austin TX
    ------------------------------



  • 22.  RE: New version of ClamAV needed

    Posted Tue May 17, 2022 11:03 AM
    Here is the information using dbx on the core file. There are other errors that were in the output but it is a lot of data.

    I can upload the complete output if needed.

    Hopefully this points to where the issue is for scanning the files with the new clamav.

    #dbx /opt/freeware/bin/clamscan_64 /tmp/core
    Type 'help' for help.
    warning: The core file is truncated. You may need to increase the ulimit
    for file and coredump, or free some space on the filesystem.
    [using memory image in /tmp/core]
    reading symbolic information ...

    Segmentation fault in util.move at 0x90000000061b838 ($t1)
    0x90000000061b838 (move+0x38) 90040000 stw r0,0x0(r4)
    (dbx) where
    util.move(??, ??) at 0x90000000061b838
    pow.pow(??, ??, ??, ??) at 0x90000000061ffcc
    internal error: unexpected value 120 at line 5201 in file stabstring.c
    internal error: 1283-228 expected char ',', found 's__LC_locale:,1088,64;__meth_ptr:150,1152,64;__data_ptr:150,1216,64;;'
    internal error: 1283-228 expected char ',', found '__LC_locale:,1088,64;__meth_ptr:150,1152,64;__data_ptr:150,1216,64;;'
    internal error: 1283-228 expected char ';', found '_LC_locale:,1088,64;__meth_ptr:150,1152,64;__data_ptr:150,1216,64;;'
    internal error: unexpected value 44 at line 5201 in file stabstring.c
    internal error: 1283-228 expected char ',', found '1088,64;__meth_ptr:150,1152,64;__data_ptr:150,1216,64;;'
    internal error: unexpected value 120 at line 5201 in file stabstring.c
    internal error: unexpected value 120 at line 5201 in file stabstring.c
    internal error: 1283-228 expected char ',', found 's_LC_locale_objhdl:,128,64;;'
    internal error: 1283-228 expected char ',', found '_LC_locale_objhdl:,128,64;;'
    internal error: 1283-228 expected char ';', found 'LC_locale_objhdl:,128,64;;'
    internal error: unexpected value 44 at line 5201 in file stabstring.c
    internal error: 1283-228 expected char ',', found '128,64;;'
    internal error: unexpected value 120 at line 5201 in file stabstring.c
    internal error: unexpected value 120 at line 5201 in file stabstring.c
    internal error: unexpected value 120 at line 5201 in file stabstring.c
    internal error: unexpected value 120 at line 5201 in file stabstring.c


    #env | egrep -v "SSH| `uname -n`| `host \`hostname\`| cut -f3 -d\" \"`"
    _=/usr/bin/env
    LANG=en_US
    LOGIN=root
    CLCMD_PASSTHRU=1
    PATH=/usr/bin:/etc:/usr/sbin:/usr/ucb:/usr/bin/X11:/sbin:/usr/java8_64/jre/bin:/usr/java8_64/bin:/opt/freeware/bin
    LC__FASTMSG=true
    LOGNAME=root
    MAIL=/usr/spool/mail/root
    LOCPATH=/usr/lib/nls/loc
    USER=root
    AUTHSTATE=compat
    DISPLAY=localhost:10.0
    SHELL=/usr/bin/ksh
    ODMDIR=/etc/objrepos
    HOME=/
    TERM=xterm
    MAILMSG=[YOU HAVE NEW MAIL]
    PWD=/tmp
    TZ=CST6CDT
    A__z=! LOGNAME
    NLSPATH=/usr/lib/nls/msg/%L/%N:/usr/lib/nls/msg/%L/%N.cat:/usr/lib/nls/msg/%l.%c/%N:/usr/lib/nls/msg/%l.%c/%N.cat


    #ulimit -aS
    time(seconds) unlimited
    file(blocks) unlimited
    data(kbytes) unlimited
    stack(kbytes) 32768
    memory(kbytes) 32768
    coredump(blocks) 2097151
    nofiles(descriptors) 2000
    threads(per process) unlimited
    processes(per user) 128

    #ulimit -aH
    time(seconds) unlimited
    file(blocks) unlimited
    data(kbytes) unlimited
    stack(kbytes) 4194304
    memory(kbytes) unlimited
    coredump(blocks) unlimited
    nofiles(descriptors) unlimited
    threads(per process) unlimited
    processes(per user) 128

    Thank you!

    ------------------------------
    Stanley
    ------------------------------



  • 23.  RE: New version of ClamAV needed

    Posted Tue May 17, 2022 09:53 AM
    Hi Stanley
    You can disregard my request for new dbx. I talked to Sanket today, and they have been able to reproduce the core.
    I suspect this is because their lpar has 64bit architecture.

    I will let him continue to update this thread now to avoid redundancies!

    ------------------------------
    Jan Harris
    AIX Development Support (Liaison to the AIX Toolbox for Open Source)
    IBM (Contract)
    Austin TX
    ------------------------------



  • 24.  RE: New version of ClamAV needed

    Posted Tue May 17, 2022 09:53 AM
    We could recreate it in our local environment. We are looking at the issue.

    ------------------------------
    SANKET RATHI
    ------------------------------



  • 25.  RE: New version of ClamAV needed

    Posted Fri May 20, 2022 07:18 AM

    We have found the solution for one problem; we are looking into the second problem.



    ------------------------------
    Neha Jain
    ------------------------------



  • 26.  RE: New version of ClamAV needed

    Posted Tue June 21, 2022 08:21 AM
    Hi Team,

    Can we have an update on the ClamAV issues that were discovered and the progress that has been made?
    Is there an estimated time a new release will be available?

    Thank you for working on this!

    Stan


    ------------------------------
    Stanley
    ------------------------------



  • 27.  RE: New version of ClamAV needed

    Posted Wed June 22, 2022 06:25 AM
    Hi Stanley,

    We have found a solution for the 1st problem (Segmentation fault(coredump)) and found a workaround for the 2nd problem (Illegal instruction(coredump)). We will update a new version in a couple of days. For the 2nd problem, we have reported a bug in the ClamAV forum.


    ------------------------------
    Neha Jain
    ------------------------------



  • 28.  RE: New version of ClamAV needed

    Posted Tue July 12, 2022 09:04 AM
    Hi Team,

    Can we have an update on the ClamAV issues and when we may have a new version released?

    Thank you for working on this!

    Stan

    ------------------------------
    Stanley
    ------------------------------



  • 29.  RE: New version of ClamAV needed

    Posted Tue July 12, 2022 09:14 AM
    Hi Stanley,

    We have a new version of clamav (0.104.2-2) in the toolbox; please start using it.

    ------------------------------
    Neha Jain
    ------------------------------



  • 30.  RE: New version of ClamAV needed

    Posted Tue July 12, 2022 12:24 PM
    Team:

    I downloaded 0.104.2-2 and my original coredump issue has now gone away, thanks for resolving.

    Checking the clamAV docs I see that 0.105.0 is now available.


    Many thanks, Steve


  • 31.  RE: New version of ClamAV needed

    Posted Fri July 29, 2022 04:03 AM
    Hi Support,

    I have installed clamav_0.104.2-2.aix7.1 in AIX 7.1 and ran the full scan, getting an "Illegal instruction(coredump)" message; please see below.

    ========== putty log ==========
    /usr/java5/jre/bin/libhealthcenter.so: OK
    Scanning /usr/java5/jre/bin/libhprof.a
    /usr/java5/jre/bin/libhprof.a: OK
    Scanning /usr/java5/jre/bin/libinstrument.a
    /usr/java5/jre/bin/libinstrument.a: OK
    Scanning /usr/java5/jre/bin/libiverel23.so
    Illegal instruction(coredump)

    ========== putty log (debug) ==========
    /usr/java5/jre/bin/libhprof.a: OK
    LibClamAV debug: Checking realpath of /usr/java5/jre/bin/libinstrument.a
    Scanning /usr/java5/jre/bin/libinstrument.a
    LibClamAV debug: Recognized binary data
    LibClamAV debug: cache_check: 7da04a54183485b66b9dae36e0963a89 is negative
    LibClamAV debug: in cli_check_mydoom_log()
    LibClamAV debug: matcher_run: performing regex matching on full map: 0+117118(117118) >= 117118
    LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
    LibClamAV debug: matcher_run: performing regex matching on full map: 0+117118(117118) >= 117118
    LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
    LibClamAV debug: cli_magic_scan_desc: returning 0 at line 4857
    LibClamAV debug: cache_add: 7da04a54183485b66b9dae36e0963a89 (level 0)
    /usr/java5/jre/bin/libinstrument.a: OK
    LibClamAV debug: Checking realpath of /usr/java5/jre/bin/libiverel23.so
    Scanning /usr/java5/jre/bin/libiverel23.so
    LibClamAV debug: Recognized binary data
    LibClamAV debug: cache_check: 075d0f1b27fa6d81890e42259aae3c90 is negative
    LibClamAV debug: in cli_check_mydoom_log()
    LibClamAV debug: Matched signature for file type ZIP-SFX at 73536
    LibClamAV debug: matcher_run: performing regex matching on full map: 0+122299(122299) >= 122299
    LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
    LibClamAV debug: CL_TYPE_ZIPSFX signature found at 73536
    LibClamAV debug: in cli_unzip_single
    LibClamAV debug: cli_unzip: local header - ZMDNAME:0:($:14376:11304:0:0:0:1
    LibClamAV debug: CDBNAME:CL_TYPE_ZIP:11304:($:11304:14376:0:0:0:0
    Illegal instruction(coredump)

    ------------------------------
    Vangogh Goh
    ------------------------------

    Attachment(s)

    zip
    putty_21072022153744.zip   1.07 MB 1 version


  • 32.  RE: New version of ClamAV needed

    Posted Tue August 02, 2022 02:25 AM

    Hi Vangogh,

    Please share the stack details.


    Thanks,
    Neha



    ------------------------------
    Neha Jain
    ------------------------------



  • 33.  RE: New version of ClamAV needed

    Posted Tue August 02, 2022 04:33 AM
    Hi Neha,

    I have scheduled a cron job to run a full scan of all directories and files on AIX with the command below:

    # Set unlimited size of the data area for clamscan
    ulimit -d unlimited
    ulimit -c unlimited
    ulimit -m unlimited
    ulimit -n unlimited
    ulimit -s unlimited

    # Run the full scan of whole directories and files
    LDR_CNTRL=MAXDATA=0xA0000000@DSA /opt/freeware/bin/clamscan -rv --exclude-dir=/proc --tempdir=/tmp /

    The scan always breaks at the same file with "Illegal instruction(coredump)", as below:

    ========== putty log ==========
    /usr/java5/jre/bin/libhealthcenter.so: OK
    Scanning /usr/java5/jre/bin/libhprof.a
    /usr/java5/jre/bin/libhprof.a: OK
    Scanning /usr/java5/jre/bin/libinstrument.a
    /usr/java5/jre/bin/libinstrument.a: OK
    Scanning /usr/java5/jre/bin/libiverel23.so
    Illegal instruction(coredump)
    ========== putty log ==========

    I tried scanning just the "/usr" folder, and that scan completed successfully.

    Only when running the full scan on all directories and files does it always break at this file "/usr/java5/jre/bin/libiverel23.so". The full scan takes around 1x hours.

    Could you please help to find out and fix the problem? Thanks

    Attached the log FYI.

    ------------------------------
    Vangogh Goh
    ------------------------------

    Attachment(s)

    gz
    clamav_fullscan_log.tar.gz   6.33 MB 1 version
    txt
    putty_debuglog.txt   120 KB 1 version
    zip
    putty_21072022153744.zip   1.07 MB 1 version
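
    For a cron-driven full scan like the one in the post above, a checker over the saved `clamscan -v` output can flag a run that died before finishing and name the file it stopped on. This is an added example, not part of the original post or of ClamAV; the function names, the `min_engine` version-floor parameter and both sample logs are assumptions constructed here, and verdict lines are assumed to start with an absolute path.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: verbose output that stops mid-file, modelled on the post.
CRASHED_LOG = """\
Scanning /usr/java5/jre/bin/libinstrument.a
/usr/java5/jre/bin/libinstrument.a: OK
Scanning /usr/java5/jre/bin/libiverel23.so
Illegal instruction(coredump)
"""

# Constructed sample: a run that finishes and prints its summary.
COMPLETE_LOG = """\
Scanning /tmp/clamtest/sample.jar
/tmp/clamtest/sample.jar: OK

----------- SCAN SUMMARY -----------
Engine version: 1.0.7
Scanned files: 1
Infected files: 0
Time: 157.188 sec (2 m 37 s)
"""

# Crash messages as they appear in this thread's logs.
CRASH_RE = re.compile(r"^(Illegal instruction|Segmentation fault|Memory fault)")
SUMMARY_HEADER_RE = re.compile(r"^-+ SCAN SUMMARY -+$")


@dataclass
class ScanReport:
    verdicts: dict = field(default_factory=dict)  # path -> "OK", "<sig> FOUND", ...
    summary: dict = field(default_factory=dict)   # "Engine version" -> "1.0.7", ...
    crash_marker: Optional[str] = None
    unfinished_file: Optional[str] = None         # announced, never given a verdict

    @property
    def completed(self) -> bool:
        return bool(self.summary) and not self.crash_marker and not self.unfinished_file

    @property
    def infected(self) -> list:
        return sorted(p for p, v in self.verdicts.items() if v.endswith(" FOUND"))


def analyze(log_text: str) -> ScanReport:
    """Walk clamscan -v output and record verdicts, summary and any abort."""
    report, pending, in_summary = ScanReport(), None, False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("LibClamAV "):  # skip debug/warning lines
            continue
        if in_summary:
            key, sep, value = line.partition(": ")
            if sep:
                report.summary[key] = value.strip()
        elif SUMMARY_HEADER_RE.match(line):
            in_summary = True
        elif CRASH_RE.match(line):
            report.crash_marker = line
        elif line.startswith("Scanning "):
            pending = line[len("Scanning "):]
        else:
            path, sep, verdict = line.rpartition(": ")
            if sep and path.startswith("/"):  # ignores progress bars and the like
                report.verdicts[path] = verdict
                if path == pending:
                    pending = None
    report.unfinished_file = pending
    return report


def engine_version(report: ScanReport) -> Optional[tuple]:
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", report.summary.get("Engine version", ""))
    return tuple(int(x) for x in m.groups()) if m else None


def problems(report: ScanReport, min_engine: Optional[tuple] = None) -> list:
    """Reasons the run cannot be counted as a clean, complete scan."""
    issues = []
    if report.crash_marker:
        issues.append(f"scanner died: {report.crash_marker}")
    if report.unfinished_file:
        issues.append(f"no verdict for: {report.unfinished_file}")
    if not report.summary:  # holds even if the shell's crash message was not captured
        issues.append("no SCAN SUMMARY: coverage is incomplete")
    version = engine_version(report)
    if min_engine and version and version < min_engine:
        issues.append(f"engine {version} is below required {min_engine}")
    issues.extend(f"infected: {p}" for p in report.infected)
    return issues


if __name__ == "__main__":
    for name, log in (("crashed", CRASHED_LOG), ("complete", COMPLETE_LOG)):
        print(name, problems(analyze(log), min_engine=(1, 0, 7)))
```

    A missing SCAN SUMMARY is the signal to alert on in cron, because an aborted run otherwise looks the same as a quiet one in which nothing was found.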


  • 34.  RE: New version of ClamAV needed

    Posted Tue August 02, 2022 06:23 AM

    Hi Vangogh,

    We need stack details and a core file.
    You can try it after setting the core path.

    Set the core path:
    mkdir /core
    syscorepath -p /core
    Run the operation.
    Analyze the core:

    cd /core
    gdb /opt/freeware/bin/clamscan core_file
    where
    or
    dbx /opt/freeware/bin/clamscan core_file
    where
    If you see extra output lines in dbx, try the command below:
    dbx /opt/freeware/bin/clamscan core_file >core_stack_details
    where

    Please provide the stack details.

    Thanks,
    Neha



    ------------------------------
    Neha Jain
    ------------------------------



  • 35.  RE: New version of ClamAV needed

    Posted Tue August 02, 2022 10:44 PM
    Hi Neha,

    Attached the core_stack_details log file.  Thanks.


    ------------------------------
    Vangogh Goh
    ------------------------------

    Attachment(s)

    zip
    core_stack_details.zip   18 KB 1 version


  • 36.  RE: New version of ClamAV needed

    Posted Thu August 04, 2022 07:07 AM
    Hi Vangogh,

    Looking into it.

    Thanks,
    Neha

    ------------------------------
    Neha Jain
    ------------------------------



  • 37.  RE: New version of ClamAV needed

    Posted Tue August 16, 2022 11:10 PM
    Hi Neha,

    How is the investigation?  Any update?  Thanks.

    ------------------------------
    Vangogh Goh
    ------------------------------



  • 38.  RE: New version of ClamAV needed

    Posted Thu August 18, 2022 02:04 AM

    Hi Vangogh,

    Your core issue is similar to the core reported by Steve; both cores are in the same file but at a different location.

    For this I have reported a bug in the community (Illegal instruction(coredump) during clamscan · Issue #617 · Cisco-Talos/clamav (github.com))

    I have added a workaround for this issue and we will upload a new version by today or tomorrow.

    Thanks,
    Neha



    ------------------------------
    Neha Jain
    ------------------------------



  • 39.  RE: New version of ClamAV needed

    Posted Tue July 12, 2022 12:51 PM
    Hi Team,

    I think the issues that were seen before are solved.

    Completed a test scan with zero errors!

    ----------- SCAN SUMMARY -----------
    Known viruses: 8621833
    Engine version: 0.104.2
    Scanned directories: 690
    Scanned files: 169702
    Infected files: 0
    Data scanned: 29174.82 MB
    Data read: 428631.91 MB (ratio 0.07:1)
    Time: 6568.720 sec (109 m 28 s)
    Start Date: 2022:07:12 09:50:31
    End Date: 2022:07:12 11:40:00
     
    Thank you for working to solve this issue!


    Stan

    ------------------------------
    Stanley
    ------------------------------



  • 40.  RE: New version of ClamAV needed

    Posted Wed January 15, 2025 12:20 AM

    Hello Team

    It seems that the new version of clamscan (ClamAV version 1:1.0.7-2.ppc) crashes on AIX 7.2.5 when scanning MS-EXE/DLL files, or ZIP files containing MS-EXE/DLL.

    Here is my case:

    Operating System:
    7200-05-03-2148


    Clamscan with Debug:

    /opt/freeware/bin/clamscan -a -v --debug /var/ibm/InstallationManager/bundles/plugins/com.ibm.ws.check.os.v80_8.0.5024.20230413_1800.jar
    LibClamAV debug: cli_unzip: extracted to /tmp//20241129_085235-scantemp.d8bb60574b/clamav-3e3ae4da1f2fb23b210acbd87058075c.tmp
    LibClamAV debug: in cli_magic_scan_desc_type (recursion_level: 0/17)
    LibClamAV debug: Recognized MS-EXE/DLL file
    LibClamAV debug: fmap_aging: kernel hates you
    LibClamAV debug: fmap_aging: kernel hates you
    LibClamAV debug: clean_cache_check: 703bd677778f2a1ba1eb4338bac3b868 is negative
    LibClamAV debug: Descriptor[4]: Continuing after file scan resulted with: No viruses detected
    LibClamAV debug: fmap_aging: kernel hates you
    LibClamAV debug: cli_peheader: SizeOfHeader is not aligned to the SectionAlignment
    LibClamAV debug: versioninfo_cb: type: 10, name: 1, lang: 409, rva: 6f158
    LibClamAV debug: cli_peheader: parsing version info @ rva 6f158 (1/1)
    LibClamAV debug: VersionInfo (6cada): 'CompanyName'='Microsoft Corporation' - VI:43006f006d00700061006e0079004e0061006d006500000000004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e000000
    LibClamAV debug: VersionInfo (6cb26): 'FileDescription'='Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.34.31931' - VI:460069006c0065004400650073006300720069007000740069006f006e00000000004d006900630072006f0073006f00660074002000560069007300750061006c00200043002b002b00200032003000310035002d003200300032003200200052006500640069007300740072006900620075007400610062006c00650020002800780036003400290020002d002000310034002e00330034002e003300310039003300310000000000
    LibClamAV debug: VersionInfo (6cbd6): 'FileVersion'='14.34.31931.0' - VI:460069006c006500560065007200730069006f006e0000000000310034002e00330034002e00330031003900330031002e0030000000
    LibClamAV debug: VersionInfo (6cc12): 'InternalName'='setup' - VI:49006e007400650072006e0061006c004e0061006d0065000000730065007400750070000000
    LibClamAV debug: VersionInfo (6cc3e): 'LegalCopyright'='Copyright (c) Microsoft Corporation. All rights reserved.' - VI:4c006500670061006c0043006f007000790072006900670068007400000043006f007000790072006900670068007400200028006300290020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e000000
    LibClamAV debug: VersionInfo (6ccd6): 'OriginalFilename'='VC_redist.x64.exe' - VI:4f0072006900670069006e0061006c00460069006c0065006e0061006d0065000000560043005f007200650064006900730074002e007800360034002e006500780065000000
    LibClamAV debug: VersionInfo (6cd22): 'ProductName'='Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.34.31931' - VI:500072006f0064007500630074004e0061006d006500000000004d006900630072006f0073006f00660074002000560069007300750061006c00200043002b002b00200032003000310035002d003200300032003200200052006500640069007300740072006900620075007400610062006c00650020002800780036003400290020002d002000310034002e00330034002e003300310039003300310000000000
    LibClamAV debug: VersionInfo (6cdca): 'ProductVersion'='14.34.31931.0' - VI:500072006f006400750063007400560065007200730069006f006e000000310034002e00330034002e00330031003900330031002e0030000000
    LibClamAV debug: in asn1_check_mscat (offset: 25455776)
    LibClamAV debug: in asn1_parse_mscat
    LibClamAV debug: asn1_parse_mscat: 2 embedded certificates collected
    LibClamAV debug: asn1_parse_mscat: Indirectly trusting embedded cert based on Trusted.CA.Microsoft-7350512-0
    LibClamAV debug: asn1_parse_mscat: Indirectly trusting embedded cert based on (no name)
    LibClamAV debug: asn1_parse_mscat: authenticatedAttributes successfully parsed and verified
    LibClamAV debug: asn1_parse_mscat: RFC3161 timestamping countersignature detected but parsing them is not currently supported
    LibClamAV debug: asn1_parse_mscat: unauthenticatedAttributes successfully parsed
    LibClamAV debug: asn1_parse_mscat: no countersignature and signing certificate has expired
    LibClamAV debug: Matched signature for file type PE
    LibClamAV debug: Matched signature for file type PE
    LibClamAV debug: cli_ac_scanbuff: VI match for offset 6cada
    LibClamAV debug: cli_ac_scanbuff: VI match for offset 6cada
    LibClamAV debug: Matched signature for file type CAB-SFX at 463360
    LibClamAV debug: Matched signature for file type CAB-SFX at 650568
    LibClamAV debug: fmap_aging: kernel hates you
    LibClamAV debug: fmap_aging: kernel hates you
    LibClamAV debug: fmap_aging: kernel hates you
    LibClamAV debug: fmap_aging: kernel hates you
    LibClamAV debug: fmap_aging: kernel hates you
    LibClamAV debug: fmap_aging: kernel hates you
    LibClamAV debug: fmap_aging: kernel hates you
    LibClamAV debug: fmap_aging: kernel hates you
    LibClamAV debug: fmap_aging: kernel hates you
    LibClamAV debug: matcher_run: performing regex matching on full map: 25352832+113184(25466016) >= 25466016
    LibClamAV debug: matcher_run: performing regex matching on full map: 25352832+113184(25466016) >= 25466016
    LibClamAV debug: fmap_aging: kernel hates you
    LibClamAV debug:
    LibClamAV debug: cli_pcre_report: PCRE2 Execution Report:
    LibClamAV debug: cli_pcre_report: running regex /BL[\W_][\w]{0,16}\.exe/ returns -1
    LibClamAV debug: cli_pcre_report: no match found
    LibClamAV debug: cli_pcre_report: PCRE Execution Report End
    LibClamAV debug:
    LibClamAV debug:
    LibClamAV debug: cli_pcre_report: PCRE2 Execution Report:
    LibClamAV debug: cli_pcre_report: running regex /(Case|Paiement|dossier|remit|inquiry|proforma|bestellung).{0,20}\.(exe|scr)/ returns -1
    LibClamAV debug: cli_pcre_report: no match found
    LibClamAV debug: cli_pcre_report: PCRE Execution Report End
    LibClamAV debug:
    LibClamAV debug:
    LibClamAV debug: cli_pcre_report: PCRE2 Execution Report:
    LibClamAV debug: cli_pcre_report: running regex /\b(FedEx|DHL|US?PS).{0,100}\.(exe|scr|js)/ returns -1
    LibClamAV debug: cli_pcre_report: no match found
    LibClamAV debug: cli_pcre_report: PCRE Execution Report End
    LibClamAV debug:
    LibClamAV debug:
    LibClamAV debug: cli_pcre_report: PCRE2 Execution Report:
    LibClamAV debug: cli_pcre_report: running regex /(CANON|NIKON|photo|img|IMG|pic|SHOT|swift|EPSON)[a-z\d]{1,20}\.js/ returns -1
    LibClamAV debug: cli_pcre_report: no match found
    LibClamAV debug: cli_pcre_report: PCRE Execution Report End
    LibClamAV debug:
    LibClamAV debug:
    LibClamAV debug: cli_pcre_report: PCRE2 Execution Report:
    LibClamAV debug: cli_pcre_report: running regex /SKMBT[\W_][\w]{0,16}\.exe/ returns -1
    LibClamAV debug: cli_pcre_report: no match found
    LibClamAV debug: cli_pcre_report: PCRE Execution Report End
    LibClamAV debug:
    LibClamAV debug: hook lsig id 1 matched (bc 26)
    LibClamAV debug: Running bytecode 'BC.Win.Virus.Ransom-9157.{A,B}' (id: 37) for logical signature match.
    LibClamAV debug: Bytecode 37: executing in interpreter mode
    LibClamAV debug: bytecode: registered ctx variable at 11dc49af0 (+256) id 6
    LibClamAV debug: bytecode: registered ctx variable at 9000000050245fe (+2) id 2
    LibClamAV debug: bytecode: registered ctx variable at 114639cf0 (+256) id 1
    LibClamAV debug: bytecode: registered ctx variable at fffffffffff8128 (+4) id 5
    LibClamAV debug: bytecode: registered ctx variable at fffffffffff8630 (+648) id 4
    LibClamAV debug: bytecode: registered ctx variable at 1100ddc90 (+96) id 7
    LibClamAV debug: fmap_aging: kernel hates you
    LibClamAV debug: interpreter bytecode run finished in 136us, after executing 416 opcodes
    LibClamAV debug: previous tempfile had 0 bytes
    LibClamAV debug: Bytecode 'BC.Win.Virus.Ransom-9157.{A,B}' (id: 37) returned code: 0
    LibClamAV debug: hook lsig id 4 matched (bc 49)
    LibClamAV debug: Running bytecode 'BC.Win.Virus.Virut-7001009-0.{}' (id: 88) for logical signature match.
    LibClamAV debug: Bytecode 88: executing in interpreter mode
    LibClamAV debug: bytecode: registered ctx variable at 11dc4a6f0 (+256) id 6
    LibClamAV debug: bytecode: registered ctx variable at 9000000050245fe (+2) id 2
    LibClamAV debug: bytecode: registered ctx variable at 11463a8f0 (+256) id 1
    LibClamAV debug: bytecode: registered ctx variable at fffffffffff8128 (+4) id 5
    LibClamAV debug: bytecode: registered ctx variable at fffffffffff8630 (+648) id 4
    LibClamAV debug: bytecode: registered ctx variable at 1102dff70 (+872) id 7
    LibClamAV debug: fmap_aging: kernel hates you
    LibClamAV debug: fmap_aging: kernel hates you
    LibClamAV debug: interpreter bytecode run finished in 127us, after executing 3306 opcodes
    LibClamAV debug: previous tempfile had 0 bytes
    LibClamAV debug: Bytecode 'BC.Win.Virus.Virut-7001009-0.{}' (id: 88) returned code: 0
    LibClamAV debug: groupicon_cb: scanning group 1
    LibClamAV debug: cli_scanicon: icon group @6ca28
    LibClamAV debug: cli_scanicon: Icongrp @6f148 - 32x32x8 - (id=1, rsvd=1, planes=0, palcnt=0, sz=8a8)
    LibClamAV debug: parseicon: Bitmap - 32x32x8
    Memory fault


    ------------------------------
    Caius Ion Duca
    ------------------------------



  • 41.  RE: New version of ClamAV needed

    Posted Wed January 15, 2025 11:46 PM

    Hi @Caius Ion Duca

    Did you try setting "ulimit -d unlimited" and "ulimit -m unlimited" and then check? I remember someone had a similar issue which was resolved with it. 



    ------------------------------
    Aditya Kamath
    ------------------------------



  • 42.  RE: New version of ClamAV needed

    Posted Thu January 16, 2025 05:10 AM
    Edited by Caius Ion Duca Thu January 16, 2025 05:11 AM

    Hello @Aditya Kamath 

    Yes, I executed the command ulimit -d unlimited -m unlimited -n unlimited -s unlimited prior to running clamscan.

    Up until November 2024, we were using ClamAV version 0.103.11 on our AIX systems, during which no errors occurred when scanning Windows files.



    ------------------------------
    Caius Ion Duca
    ------------------------------



  • 43.  RE: New version of ClamAV needed

    Posted Thu January 16, 2025 07:45 AM

    Hi @Caius Ion Duca

    I downloaded a sample jar file and ran clamscan. Things work in my LPAR.

    # clamscan plugins/com.ibm.ws.pak.internal.nl2a_1.0.11.v201307291942.jar
    LibClamAV Warning: **************************************************
    LibClamAV Warning: ***  The virus database is older than 7 days!  ***
    LibClamAV Warning: ***   Please update it as soon as possible.    ***
    LibClamAV Warning: **************************************************
    Loading:    25s, ETA:   0s [========================>]    8.70M/8.70M sigs       
    Compiling:   5s, ETA:   0s [========================>]       41/41 tasks 
     
    /var/cust_test/plugins/com.ibm.ws.pak.internal.nl2a_1.0.11.v201307291942.jar: OK
     
    ----------- SCAN SUMMARY -----------
    Known viruses: 8699041
    Engine version: 1.0.7
    Scanned directories: 0
    Scanned files: 1
    Infected files: 0
    Data scanned: 0.13 MB
    Data read: 0.02 MB (ratio 6.80:1)
    Time: 31.930 sec (0 m 31 s)
    Start Date: 2025:01:16 06:36:38



    I want to understand more. What is the output of df -h?


    ------------------------------
    Aditya Kamath
    ------------------------------



  • 44.  RE: New version of ClamAV needed

    Posted Thu January 16, 2025 11:00 AM

    Hi @Aditya Kamath 

    Clamscan crashes only when scanning MS-EXE/DLL files.

    For JAR archives, clamscan crashes when it encounters MS-EXE/DLL files inside. It extracts the JAR archive and scans each file, but fails specifically when processing MS-EXE files.

    Note: I mentioned JAR archives only to clarify how MS-EXE files appear on AIX.


    Here is the output from debug to clamscan:

    LibClamAV debug: cli_unzip: extracted to /tmp//20241129_085235-scantemp.d8bb60574b/clamav-3e3ae4da1f2fb23b210acbd87058075c.tmp
    LibClamAV debug: in cli_magic_scan_desc_type (recursion_level: 0/17)
    LibClamAV debug: Recognized MS-EXE/DLL file


    And, after that follow the details related to the scanned file:

    LibClamAV debug: fmap_aging: kernel hates you
    LibClamAV debug: fmap_aging: kernel hates you
    LibClamAV debug: clean_cache_check: 703bd677778f2a1ba1eb4338bac3b868 is negative
    LibClamAV debug: Descriptor[4]: Continuing after file scan resulted with: No viruses detected
    LibClamAV debug: fmap_aging: kernel hates you
    LibClamAV debug: cli_peheader: SizeOfHeader is not aligned to the SectionAlignment
    LibClamAV debug: versioninfo_cb: type: 10, name: 1, lang: 409, rva: 6f158
    LibClamAV debug: cli_peheader: parsing version info @ rva 6f158 (1/1)
    LibClamAV debug: VersionInfo (6cada): 'CompanyName'='Microsoft Corporation' - VI:43006f006d00700061006e0079004e0061006d006500000000004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e000000
    LibClamAV debug: VersionInfo (6cb26): 'FileDescription'='Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.34.31931' - VI:460069006c0065004400650073006300720069007000740069006f006e00000000004d006900630072006f0073006f00660074002000560069007300750061006c00200043002b002b00200032003000310035002d003200300032003200200052006500640069007300740072006900620075007400610062006c00650020002800780036003400290020002d002000310034002e00330034002e003300310039003300310000000000
    LibClamAV debug: VersionInfo (6cbd6): 'FileVersion'='14.34.31931.0' - VI:460069006c006500560065007200730069006f006e0000000000310034002e00330034002e00330031003900330031002e0030000000
    LibClamAV debug: VersionInfo (6cc12): 'InternalName'='setup' - VI:49006e007400650072006e0061006c004e0061006d0065000000730065007400750070000000
    LibClamAV debug: VersionInfo (6cc3e): 'LegalCopyright'='Copyright (c) Microsoft Corporation. All rights reserved.' - VI:4c006500670061006c0043006f007000790072006900670068007400000043006f007000790072006900670068007400200028006300290020004d006900630072006f0073006f0066007400200043006f00720070006f0072006100740069006f006e002e00200041006c006c0020007200690067006800740073002000720065007300650072007600650064002e000000
    LibClamAV debug: VersionInfo (6ccd6): 'OriginalFilename'='VC_redist.x64.exe' - VI:4f0072006900670069006e0061006c00460069006c0065006e0061006d0065000000560043005f007200650064006900730074002e007800360034002e006500780065000000
    LibClamAV debug: VersionInfo (6cd22): 'ProductName'='Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.34.31931' - VI:500072006f0064007500630074004e0061006d006500000000004d006900630072006f0073006f00660074002000560069007300750061006c00200043002b002b00200032003000310035002d003200300032003200200052006500640069007300740072006900620075007400610062006c00650020002800780036003400290020002d002000310034002e00330034002e003300310039003300310000000000
    LibClamAV debug: VersionInfo (6cdca): 'ProductVersion'='14.34.31931.0' - VI:500072006f006400750063007400560065007200730069006f006e000000310034002e00330034002e00330031003900330031002e0030000000
    LibClamAV debug: in asn1_check_mscat (offset: 25455776)

    In conclusion, my error is similar to what was mentioned in POST 19, from @Jan Harris, on Mon May 16, 2022 04:47 PM. 



    ------------------------------
    Caius Ion Duca
    ------------------------------



  • 45.  RE: New version of ClamAV needed

    Posted Fri January 17, 2025 12:42 AM

    Hi @Caius Ion Duca

    Thank you for reporting this issue.

    >Note: I mentioned JAR archives only to clarify how MS-EXE files appear on AIX.
    What you said is correct. 

    I have also reproduced the issue from my end. 
    LibClamAV debug: searching for unrar: /opt/freeware/lib/libclamunrar_iface.a not found
    LibClamAV debug: searching for unrar: /opt/freeware/lib/libclamunrar_iface..a not found
    LibClamAV debug: Cannot dlopen libclamunrar_iface:      0509-022 Cannot load module /opt/freeware/lib/libclamunrar_iface..a.
            0509-026 System error: A file or directory in the path name does not exist. - unrar support unavailable
    g: cli_scanicon: icon group @3860
    LibClamAV debug: cli_scanicon: Icongrp @40f8 - 32x32x4 - (id=2, rsvd=1, planes=16, palcnt=0, sz=2e8)
    LibClamAV debug: parseicon: Bitmap - 32x32x4
    Segmentation fault (core dumped)

    The clamav code in all versions >= 1 has undergone changes that are not AIX friendly.

    In particular, over here. [https://github.com/Cisco-Talos/clamav/blob/main/libclamav/others.c#L302]

    A lot of things in that function will not work in AIX since we have a different way to handle shared libraries and LIBPATH. 

    I will work with the community to permanently fix this issue, backport the changes to 1.0.7, and release a 1.0.7-3 version in this quarter.

    I will also communicate the same in the github issue you have opened. 

    In the meantime, you can downgrade ClamAV and use the older version.

    Thank you once again and appreciate your effort to help us understand the issue. Going forward, will ensure this is tested, before release. 

    Regards,



    ------------------------------
    Aditya Kamath
    ------------------------------



  • 46.  RE: New version of ClamAV needed

    Posted Fri January 17, 2025 04:40 AM

    Hi @Aditya Kamath 

    I'm glad I could help!

    Thank you for your suggestion. Unfortunately, we cannot downgrade ClamAV due to security compliance requirements, specifically CVE-2024-20505,  which requires using at least version 1.0.7.

    We will await a fix from the community.


    However, as a potential workaround, the error can be avoided by disabling archive scanning using the --scan-archive=no option. 

    On AIX, archives are most likely to contain Windows files.


    Thank you for your effort, and I look forward to further updates.



    ------------------------------
    Caius Ion Duca
    ------------------------------



  • 47.  RE: New version of ClamAV needed

    Posted Wed January 22, 2025 08:03 AM

    Hi @Caius Ion Duca

    Update: We have fixed the issue in Clamav. I will update in the open source community. We need to make sure we use libc's pow() and not bsd's pow() function that caused the core dump.

    I will rebuild ClamAV, and you can expect the update by next week. 

    Attaching the log after the fix,

    #  clamscan -v -r /var/cust_test/plugins/com.ibm.cic.agent.core.nativeInstallAdapter.win32_1.3.6.v20240828_2044/os/win32/x86/DotNetHandler.exe 
    Loading:    26s, ETA:   0s [========================>]    8.70M/8.70M sigs       
    Compiling:   5s, ETA:   0s [========================>]       41/41 tasks 
     
    Scanning /var/cust_test/plugins/com.ibm.cic.agent.core.nativeInstallAdapter.win32_1.3.6.v20240828_2044/os/win32/x86/DotNetHandler.exe
    /var/cust_test/plugins/com.ibm.cic.agent.core.nativeInstallAdapter.win32_1.3.6.v20240828_2044/os/win32/x86/DotNetHandler.exe: OK
     
    ----------- SCAN SUMMARY -----------
    Known viruses: 8704059
    Engine version: 1.5.0-devel-20250122
    Scanned directories: 0
    Scanned files: 1
    Infected files: 0
    Data scanned: 0.02 MB
    Data read: 0.02 MB (ratio 1.00:1)
    Time: 33.800 sec (0 m 33 s)
    Start Date: 2025:01:22 06:52:19
    End Date:   2025:01:22 06:52:53



    ------------------------------
    Aditya Kamath
    ------------------------------



  • 48.  RE: New version of ClamAV needed

    Posted Wed January 22, 2025 05:12 PM

    Hi @Aditya Kamath ,

    Thank you for the update and for fixing the issue in ClamAV. I appreciate your efforts in resolving the core dump issue.
    I'm glad to see the successful scan log with no issues.

    I'm looking forward to the updated ClamAV version and will test it once it's available.

    Thank you again for your prompt resolution and for keeping me informed.

    Best regards, Caius Ion Duca



    ------------------------------
    Caius Ion Duca
    ------------------------------



  • 49.  RE: New version of ClamAV needed

    Posted Thu January 30, 2025 03:42 PM

    Hi @Aditya Kamath ,
    I hope you had a good week.  
    Do you have news about the fix for Clamav 1.0.7?
     
    Thank you



    ------------------------------
    Caius Ion Duca
    ------------------------------



  • 50.  RE: New version of ClamAV needed

    Posted Fri January 31, 2025 12:27 AM

    Hi @Caius Ion Duca

    Good Morning. 

    I have completed the testing and given clamav-1.0.7-3 to upload as well. We should see it by Friday evening or, at the latest, by Monday evening. 

    Do let me know once you update if it is okay.

    Regards,
    Aditya.



    ------------------------------
    Aditya Kamath
    ------------------------------



  • 51.  RE: New version of ClamAV needed

    Posted Mon February 03, 2025 05:06 AM

    @Caius Ion Duca Kindly check now.



    ------------------------------
    Aditya Kamath
    ------------------------------



  • 52.  RE: New version of ClamAV needed

    Posted Wed February 05, 2025 07:16 AM

    Here is the translation:

    Hi @Aditya Kamath

    I've updated ClamAV to 1.0.7-3 using @AIX_Toolbox_72 and scanned the file that was previously causing errors. Everything looks good now, the scan is working correctly.
    I'll start a full system scan and get back to you with feedback.

    Scanning /tmp/clamtest/com.ibm.ws.check.os.v80_8.0.5024.20230413_1800.jar

    ----------- SCAN SUMMARY -----------
    Known viruses: 8704130
    Engine version: 1.0.7
    Scanned directories: 0
    Scanned files: 1
    Infected files: 0
    Data scanned: 84.78 MB
    Data read: 49.76 MB (ratio 1.70:1)
    Time: 157.188 sec (2 m 37 s)
    Start Date: 2025:02:05 13:05:46
    End Date:   2025:02:05 13:08:23

    Thanks for your efforts in helping me resolve this issue!



    ------------------------------
    Caius Ion Duca
    ------------------------------



  • 53.  RE: New version of ClamAV needed

    Posted Mon February 17, 2025 12:23 PM
    Hello

    As promised, I am returning with the final tests for scanning the entire system (AIX).
    I successfully conducted tests on Clamav 1.0.7-3 on the whole system, addressing scanning errors related to MS-EXE files.
    After updating to version 1.0.7-3, the issue was resolved, and subsequent scans showed no errors!
    Thank you for the help.


    ------------------------------
    Caius Ion Duca
    ------------------------------



  • 54.  RE: New version of ClamAV needed

    Posted Tue February 18, 2025 01:01 AM
    Edited by Aditya Kamath Tue February 18, 2025 02:13 AM

    Okay.



    ------------------------------
    Aditya Kamath
    ------------------------------