AIX Open Source

New version of ClamAV needed

  • 1.  New version of ClamAV needed

    Posted Thu February 10, 2022 09:13 AM
    Receiving Warnings that ClamAV is out of date when updating the ClamAV database but the system is running the latest version in the AIX Toolbox.

    Please update the version of ClamAV in the AIX Toolbox.

    # /opt/freeware/bin/freshclam -F
    ClamAV update process started at Thu Feb 10 08:04:05 2022
    WARNING: Your ClamAV installation is OUTDATED!
    WARNING: Local version: 0.102.2 Recommended version: 0.103.5
    DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav

    root@awx:/home #/opt/freeware/bin/dnf info clamav
    Last metadata expiration check: 0:11:10 ago on Thu Feb 10 07:44:23 CST 2022.
    Installed Packages
    Name : clamav
    Version : 0.102.2
    Release : 1
    Architecture : ppc
    Size : 16 M
    Source : clamav-0.102.2-1.src.rpm
    Repository : @System
    From repo : AIX_Toolbox
    Summary : Antivirus Toolkit
    URL : http://www.clamav.net
    License : GPL-2.0-only
    Description : ClamAV is an antivirus engine designed for detecting trojans,
    : viruses, malware and other malicious threats. It is the de-facto
    : standard for mail gateway scanning. It provides a multi-threaded
    : scanning daemon, command line utilities for on-demand file scanning,
    : and a tool for automatic signature updates. The core ClamAV library
    : provides numerous file format detection mechanisms, file unpacking
    : support, archive support, and multiple signature languages for
    : detecting threats.

    Thank you for your help!

    Stan

    ------------------------------
    Stanley
    ------------------------------


  • 2.  RE: New version of ClamAV needed

    Posted Thu February 10, 2022 09:49 AM
    Thanks for reporting. We will update it ASAP.

    ------------------------------
    Ayappan P
    ------------------------------



  • 3.  RE: New version of ClamAV needed

    Posted Wed March 09, 2022 06:16 AM
    Do you have an ETA for the delivery of version 0.103 to the AIX Toolbox?

    ------------------------------
    Hector Speight
    ------------------------------



  • 4.  RE: New version of ClamAV needed

    Posted Mon March 14, 2022 01:16 PM
    The new version of ClamAV has new dependencies, so it is taking time for us.
    We are working on building the new dependencies and the newer version of the package.
    Also, there are some internal processes. Our target is by the end of this month or early next month.

    ------------------------------
    SANKET RATHI
    ------------------------------



  • 5.  RE: New version of ClamAV needed

    Posted Mon March 14, 2022 01:32 PM
    Thanks for the update

    ------------------------------
    Hector Speight
    ------------------------------



  • 6.  RE: New version of ClamAV needed

    Posted Mon May 02, 2022 09:14 AM
    Can we have an update on the release date of a new version of ClamAV?

    Thank you!

    Stan Speegle

    ------------------------------
    Stanley
    ------------------------------



  • 7.  RE: New version of ClamAV needed

    Posted Wed May 04, 2022 11:50 AM
    Hi Stanley, 
    We have built the new ClamAV and will upload it in a couple of days.
    Hopefully you will have it by end of this week.

    ------------------------------
    SANKET RATHI
    ------------------------------



  • 8.  RE: New version of ClamAV needed

    Posted Mon May 09, 2022 03:46 AM
    clamav-0.104.2-1 is now available on the AIX Toolbox. You can use dnf/yum to update to the latest level.

    ------------------------------
    SANKET RATHI
    ------------------------------



  • 9.  RE: New version of ClamAV needed

    Posted Thu May 12, 2022 01:53 PM
    Thank you for the new version of clamav. It installed without any issues, but I am receiving out of memory errors when scanning some files.

    Have you seen this issue before? The LPAR has plenty of RAM 10GB and there are no errors in the errpt.

    root@mh-p9-nim:/tmp #/opt/freeware/bin/clamscan -rv /opt/freeware/lib64/python3.7/ensurepip/_bundled/
    Loading: 16s, ETA: 0s [========================>] 8.62M/8.62M sigs
    Compiling: 6s, ETA: 0s [========================>] 41/41 tasks

    Scanning /opt/freeware/lib64/python3.7/ensurepip/_bundled/pip-20.1.1-py2.py3-none-any.whl
    calloc_problem: Not enough space
    LibClamAV Error: cli_calloc(): Can't allocate memory (60126208 bytes).
    LibClamAV Error: cli_ac_init: Can't allocate memory for data->lsigsuboff_(last|first)[0]
    /opt/freeware/lib64/python3.7/ensurepip/_bundled/pip-20.1.1-py2.py3-none-any.whl: Can't allocate memory ERROR
    Scanning /opt/freeware/lib64/python3.7/ensurepip/_bundled/setuptools-47.1.0-py3-none-any.whl
    calloc_problem: Not enough space
    LibClamAV Error: cli_calloc(): Can't allocate memory (60126208 bytes).
    LibClamAV Error: cli_ac_init: Can't allocate memory for data->lsigsuboff_(last|first)[0]
    /opt/freeware/lib64/python3.7/ensurepip/_bundled/setuptools-47.1.0-py3-none-any.whl: Can't allocate memory ERROR

    ----------- SCAN SUMMARY -----------
    Known viruses: 8616419
    Engine version: 0.104.2
    Scanned directories: 1
    Scanned files: 0
    Infected files: 0
    Total errors: 2
    Data scanned: 6.65 MB
    Data read: 1.97 MB (ratio 3.37:1)
    Time: 30.898 sec (0 m 30 s)

    These could just be normal errors on these files, but I would like to know why.

    Thank you,

    Stan

    ------------------------------
    Stanley
    ------------------------------



  • 10.  RE: New version of ClamAV needed

    Posted Fri May 13, 2022 01:51 AM
    While running on my system, I did not see any issue.
    It could be that on your system it needs to allocate more memory and the ulimit is probably not enough.
    Can you try setting the data ulimit to unlimited and test?

    $ ulimit -d unlimited 


    ------------------------------
    SANKET RATHI
    ------------------------------



  • 11.  RE: New version of ClamAV needed

    IBM Champion
    Posted Fri May 13, 2022 04:54 AM
    Sanket,

    Many thanks for the updated clamAV which I've installed without any issues.

    When running clamscan, however, I'm getting an "Invalid instruction" message, please see below.

    Scanning /opt/freeware/bin/yumdownloader
    /opt/freeware/bin/yumdownloader: OK
    /opt/freeware/bin/zcat: Symbolic link
    /opt/freeware/bin/zcmp: Symbolic link
    /opt/freeware/bin/zdiff: Symbolic link
    /opt/freeware/bin/zegrep: Symbolic link
    /opt/freeware/bin/zfgrep: Symbolic link
    /opt/freeware/bin/zforce: Symbolic link
    /opt/freeware/bin/zgrep: Symbolic link
    Scanning /opt/freeware/bin/zip
    Illegal instruction(coredump)
    # oslevel -s
    7100-05-07-2038
    # freeware/bin/clamscan -V
    ClamAV 0.104.2/26539/Thu May 12 04:04:41 2022
    #

    Let me know if you need any additional info.

    Many thanks, Steve

    ------------------------------
    Steve Munday
    AIX, IBM i, HMC, PowerVM
    ------------------------------



  • 12.  RE: New version of ClamAV needed

    Posted Mon May 16, 2022 01:34 PM
    Hi Steve,
    Can you please come up with a smaller test case or instructions to reproduce the issue?
    On my system I could not find an issue when scanning zip.

    
    # ls -l /opt/freeware/bin/zip
    -rwxr-xr-x    1 root     system       243733 Nov 28 2019  /opt/freeware/bin/zip
    
    
    # /opt/freeware/bin/clamscan -rv /opt/freeware/bin/zip
    Loading:    21s, ETA:   0s [========================>]    8.62M/8.62M sigs
    Compiling:   5s, ETA:   0s [========================>]       41/41 tasks
    
    Scanning /opt/freeware/bin/zip
    /opt/freeware/bin/zip: OK
    
    ----------- SCAN SUMMARY -----------
    Known viruses: 8616419
    Engine version: 0.104.2
    Scanned directories: 0
    Scanned files: 1
    Infected files: 0
    Data scanned: 0.48 MB
    Data read: 0.23 MB (ratio 2.07:1)
    Time: 27.244 sec (0 m 27 s)
    Start Date: 2022:05:16 12:23:05
    End Date:   2022:05:16 12:23:32
    
    
    #


    ------------------------------
    SANKET RATHI
    ------------------------------



  • 13.  RE: New version of ClamAV needed

    Posted Tue May 17, 2022 09:54 AM
    Hi Steve, 
    We are not able to recreate your issue. 
    Can you use the --debug option? That will probably provide some details about the issue.

    ------------------------------
    SANKET RATHI
    ------------------------------



  • 14.  RE: New version of ClamAV needed

    IBM Champion
    Posted Tue May 17, 2022 12:25 PM
    Sanket,

    Here's the final section of the --debug.

    LibClamAV debug: Checking realpath of /opt/freeware/bin/yumdownloader
    Scanning /opt/freeware/bin/yumdownloader
    LibClamAV debug: Recognized ASCII text
    LibClamAV debug: cache_check: 521c0049290d5f1109bbcacf312a2a39 is negative
    LibClamAV debug: matcher_run: performing regex matching on full map: 0+13476(13476) >= 13476
    LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
    LibClamAV debug: in cli_scanscript()
    LibClamAV debug: matcher_run: performing regex matching on full map: 0+9959(9959) >= 9959
    LibClamAV debug: matcher_run: performing regex matching on full map: 0+9959(9959) >= 9959
    LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
    LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
    LibClamAV debug: cli_magic_scan_desc: returning 0  at line 4857
    LibClamAV debug: cache_add: 521c0049290d5f1109bbcacf312a2a39 (level 0)
    /opt/freeware/bin/yumdownloader: OK
    /opt/freeware/bin/zcat: Symbolic link
    /opt/freeware/bin/zcmp: Symbolic link
    /opt/freeware/bin/zdiff: Symbolic link
    /opt/freeware/bin/zegrep: Symbolic link
    /opt/freeware/bin/zfgrep: Symbolic link
    /opt/freeware/bin/zforce: Symbolic link
    /opt/freeware/bin/zgrep: Symbolic link
    LibClamAV debug: Checking realpath of /opt/freeware/bin/zip
    Scanning /opt/freeware/bin/zip
    LibClamAV debug: Recognized binary data
    LibClamAV debug: cache_check: 30cd9c5d5aab19d33065757272ed4456 is negative
    LibClamAV debug: in cli_check_mydoom_log()
    LibClamAV debug: Matched signature for file type ZIP-SFX at 213500
    LibClamAV debug: matcher_run: performing regex matching on full map: 123072+120661(243733) >= 243733
    LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
    LibClamAV debug: CL_TYPE_ZIPSFX signature found at 213500
    LibClamAV debug: in cli_unzip_single
    LibClamAV debug: cli_unzip: local header - ZMDNAME:0:archive?  (y/n): :1680696684:1735289203:20612073:29513:0:1
    LibClamAV debug: CDBNAME:CL_TYPE_ZIP:1735289203:archive?  (y/n): :1735289203:1680696684:0:0:543236211:0
    LibClamAV debug: cli_unzip: local header - extra out of file
    Illegal instruction(coredump)
    amrasteve1:/opt/freeware/bin#


    Thanks, Steve

    ------------------------------
    Steve Munday
    AIX, IBM i, HMC, PowerVM
    ------------------------------



  • 15.  RE: New version of ClamAV needed

    Posted Fri May 13, 2022 09:48 AM
    I set the ulimit -d to unlimited.

    #ulimit -aS
    time(seconds) unlimited
    file(blocks) unlimited
    data(kbytes) unlimited
    stack(kbytes) 32768
    memory(kbytes) 32768
    coredump(blocks) 2097151
    nofiles(descriptors) 2000
    threads(per process) unlimited
    processes(per user) 128

    #ulimit -aH
    time(seconds) unlimited
    file(blocks) unlimited
    data(kbytes) unlimited
    stack(kbytes) 4194304
    memory(kbytes) unlimited
    coredump(blocks) unlimited
    nofiles(descriptors) unlimited
    threads(per process) unlimited
    processes(per user) 128

    The clamscan errors with a Segmentation fault and core dumps on the pip-20.1.1-py2.py3-none-any.whl file.

    #/opt/freeware/bin/clamscan -rv /opt/freeware/lib64/python3.7/ensurepip/_bundled/
    Loading: 16s, ETA: 0s [========================>] 8.62M/8.62M sigs
    Compiling: 6s, ETA: 0s [========================>] 41/41 tasks

    Scanning /opt/freeware/lib64/python3.7/ensurepip/_bundled/pip-20.1.1-py2.py3-none-any.whl
    Segmentation fault(coredump)

    Thank you for your help!

    Stan

    ------------------------------
    Stanley
    ------------------------------



  • 16.  RE: New version of ClamAV needed

    Posted Mon May 16, 2022 01:28 PM
    Thank you, Stanley, for reporting the issue.
    We will look into it.

    ------------------------------
    SANKET RATHI
    ------------------------------



  • 17.  RE: New version of ClamAV needed

    IBM Champion
    Posted Mon May 16, 2022 02:00 PM
    Edited by Steve Munday Mon May 16, 2022 02:00 PM
    Sanket,

    I did an explicit scan of ../zip and that worked fine.  I then did a scan of /home forgetting there was loads and loads of stuff within it HOWEVER it worked.

    ----------- SCAN SUMMARY -----------
    Known viruses: 8616496
    Engine version: 0.104.2
    Scanned directories: 338
    Scanned files: 3080
    Infected files: 0
    Data scanned: 5909.82 MB
    Data read: 49311.02 MB (ratio 0.12:1)
    Time: 425.992 sec (7 m 5 s)
    Start Date: 2022:05:16 13:39:44
    End Date: 2022:05:16 13:46:50
    #

    I then ran the below which also worked:

    # an -rv /opt/freeware/bin/z* <
    Loading: 19s, ETA: 0s [========================>] 8.62M/8.62M sigs
    Compiling: 5s, ETA: 0s [========================>] 41/41 tasks

    Scanning /usr/opt/rpm/bin/zcat
    /usr/opt/rpm/bin/zcat: OK
    Scanning /usr/opt/rpm/bin/zcmp
    /usr/opt/rpm/bin/zcmp: OK
    Scanning /usr/opt/rpm/bin/zdiff
    /usr/opt/rpm/bin/zdiff: OK
    Scanning /usr/opt/rpm/bin/zegrep
    /usr/opt/rpm/bin/zegrep: OK
    Scanning /usr/opt/rpm/bin/zfgrep
    /usr/opt/rpm/bin/zfgrep: OK
    Scanning /usr/opt/rpm/bin/zforce
    /usr/opt/rpm/bin/zforce: OK
    Scanning /opt/freeware/bin/zip
    /opt/freeware/bin/zip: OK
    Scanning /opt/freeware/bin/zipcloak
    /opt/freeware/bin/zipcloak: OK
    Scanning /opt/freeware/bin/zipdetails
    /opt/freeware/bin/zipdetails: OK
    Scanning /opt/freeware/bin/zipgrep_64
    /opt/freeware/bin/zipgrep_64: OK
    Scanning /opt/freeware/bin/zipgrep_32
    /opt/freeware/bin/zipgrep_32: OK
    Scanning /opt/freeware/bin/zipgrep_64
    /opt/freeware/bin/zipgrep_64: OK
    Scanning /opt/freeware/bin/zipinfo_64
    /opt/freeware/bin/zipinfo_64: OK
    Scanning /opt/freeware/bin/zipinfo_32
    /opt/freeware/bin/zipinfo_32: OK
    Scanning /opt/freeware/bin/zipinfo_64
    /opt/freeware/bin/zipinfo_64: OK
    Scanning /opt/freeware/bin/zipnote
    /opt/freeware/bin/zipnote: OK
    Scanning /opt/freeware/bin/zipsplit
    /opt/freeware/bin/zipsplit: OK
    Scanning /usr/opt/rpm/bin/zless
    /usr/opt/rpm/bin/zless: OK
    Scanning /usr/opt/rpm/bin/zmore
    /usr/opt/rpm/bin/zmore: OK
    Scanning /usr/opt/rpm/bin/znew
    /usr/opt/rpm/bin/znew: OK

    ----------- SCAN SUMMARY -----------
    Known viruses: 8616496
    Engine version: 0.104.2
    Scanned directories: 0
    Scanned files: 20
    Infected files: 0
    Data scanned: 1.95 MB
    Data read: 1.13 MB (ratio 1.72:1)
    Time: 25.639 sec (0 m 25 s)
    Start Date: 2022:05:16 13:53:41
    End Date: 2022:05:16 13:54:06
    #

    Observation
    If you notice the below there are no references to symlinks and it worked.

    Scanning /usr/opt/rpm/bin/zforce
    /usr/opt/rpm/bin/zforce: OK
    Scanning /opt/freeware/bin/zip
    /opt/freeware/bin/zip: OK

    If I do a scan of all the objects in the ../bin directory, we see references to symlinks and it fails.

    /opt/freeware/bin/yumdownloader: OK
    /opt/freeware/bin/zcat: Symbolic link
    /opt/freeware/bin/zcmp: Symbolic link
    /opt/freeware/bin/zdiff: Symbolic link
    /opt/freeware/bin/zegrep: Symbolic link
    /opt/freeware/bin/zfgrep: Symbolic link
    /opt/freeware/bin/zforce: Symbolic link
    /opt/freeware/bin/zgrep: Symbolic link
    Scanning /opt/freeware/bin/zip
    Illegal instruction(coredump)

    Many thanks, Steve

    ------------------------------
    Steve Munday
    AIX, IBM i, HMC, PowerVM
    ------------------------------



  • 18.  RE: New version of ClamAV needed

    Posted Mon May 16, 2022 02:24 PM
    The clamscan of /opt/freeware/bin shows the soft links without an issue and no errors.

    I didn't see the oslevel of the system.

    The system is at AIX 7200-05-03-2148
    #oslevel -s
    7200-05-03-2148
    #/opt/freeware/bin/clamscan -rv /opt/freeware/bin
    Loading: 16s, ETA: 0s [========================>] 8.62M/8.62M sigs
    Compiling: 6s, ETA: 0s [========================>] 41/41 tasks

    [ Just showing the last of the files that were scanned. ]


    Scanning /opt/freeware/bin/zip
    /opt/freeware/bin/zip: OK
    Scanning /opt/freeware/bin/zipcloak
    /opt/freeware/bin/zipcloak: OK
    /opt/freeware/bin/zipgrep: Symbolic link
    Scanning /opt/freeware/bin/zipgrep_32
    /opt/freeware/bin/zipgrep_32: OK
    Scanning /opt/freeware/bin/zipgrep_64
    /opt/freeware/bin/zipgrep_64: OK
    /opt/freeware/bin/zipinfo: Symbolic link
    Scanning /opt/freeware/bin/zipinfo_32
    /opt/freeware/bin/zipinfo_32: OK
    Scanning /opt/freeware/bin/zipinfo_64
    /opt/freeware/bin/zipinfo_64: OK
    Scanning /opt/freeware/bin/zipnote
    /opt/freeware/bin/zipnote: OK
    Scanning /opt/freeware/bin/zipsplit
    /opt/freeware/bin/zipsplit: OK
    /opt/freeware/bin/zless: Symbolic link
    /opt/freeware/bin/zmore: Symbolic link
    /opt/freeware/bin/znew: Symbolic link

    ----------- SCAN SUMMARY -----------
    Known viruses: 8616496
    Engine version: 0.104.2
    Scanned directories: 1
    Scanned files: 314
    Infected files: 0
    Data scanned: 109.82 MB
    Data read: 61.89 MB (ratio 1.77:1)
    Time: 32.927 sec (0 m 32 s)
    Start Date: 2022:05:16 13:12:31
    End Date: 2022:05:16 13:13:04



    ------------------------------
    Stanley
    ------------------------------



  • 19.  RE: New version of ClamAV needed

    Posted Mon May 16, 2022 04:47 PM

    FYI, I tested a scan, with debug.

    # clamscan  --debug -rv
    LibClamAV debug: cache_add: da7b7f8a189c660a5679cd59892df84f (level 0)
    LibClamAV debug: cli_unzip: extracted to /tmp//20220516_144635-scantem.0a4c11e5af/clamav-d7eb047ec6b6c6b56ef617a989f96a92.tmp
    LibClamAV debug: in cli_magic_scan_desc_type (recursion_level: 0/17)
    LibClamAV debug: Recognized MS-EXE/DLL file
    LibClamAV debug: cache_check: a32a382b8a5a906e03a83b4f3e5b7a9b is negative
    LibClamAV debug: cli_peheader: SizeOfHeader is not aligned to the SectionAlignment
    calloc_problem: Not enough space
    LibClamAV Error: cli_calloc(): Can't allocate memory (51374336 bytes).
    LibClamAV Error: cli_ac_init: Can't allocate memory for data->lsigsuboff_(last|first)[0]
    LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
    LibClamAV debug: Descriptor[7]: scanraw error Can't allocate memory
    LibClamAV debug: cli_magic_scan_desc: returning 20  at line 4857
    LibClamAV debug: matcher_run: performing regex matching on full map: 492288+90799(583087) >= 583087
    LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
    LibClamAV debug: cli_magic_scan_desc: returning 20  at line 4857
    /opt/freeware/lib64/python3.7/ensurepip/_bundled/unpack/setuptools/winfiles/zip/setuptools-47.1.0-py3-none-any.whl: Can't allocate memory ERROR
    LibClamAV debug: Cleaning up phishcheck
    LibClamAV debug: Freeing phishcheck struct
    LibClamAV debug: Phishcheck cleaned up
    

    Next, I unpacked the two zip files:

    • pip-20.1.1-py2.py3-none-any.whl
    • setuptools-47.1.0-py3-none-any.whl

    I tested only those unpacked directories, and found errors all occur with Windows binaries.

      96768 /opt/freeware/lib64/python3.7/ensurepip/unpack/pip/_vendor/distlib/t32.exe
      105984 /opt/freeware/lib64/python3.7/ensurepip/unpack/pip/_vendor/distlib/t64.exe
       90112 /opt/freeware/lib64/python3.7/ensurepip/unpack/pip/_vendor/distlib/w32.exe
       99840 /opt/freeware/lib64/python3.7/ensurepip/unpack/pip/_vendor/distlib/w64.exe
       65536 /opt/freeware/lib64/python3.7/ensurepip/unpack/setuptools/cli-32.exe
       74752 /opt/freeware/lib64/python3.7/ensurepip/unpack/setuptools/cli-64.exe
       65536 /opt/freeware/lib64/python3.7/ensurepip/unpack/setuptools/cli.exe
       65536 /opt/freeware/lib64/python3.7/ensurepip/unpack/setuptools/gui-32.exe
       75264 /opt/freeware/lib64/python3.7/ensurepip/unpack/setuptools/gui-64.exe
       65536 /opt/freeware/lib64/python3.7/ensurepip/unpack/setuptools/gui.exe
    

    I tested with another windows binary file

    • /opt/freeware/lib64/python3.7/distutils/command/wininst-10.0.exe

    and get the same memory errors. So the cli_calloc errors seem related to Windows executables: an issue with Windows files in this environment.

    If I set ulimit -d unlimited, I no longer get the errors. I have matched Stanley's ulimit settings, but do not get a core dump.

    Stanley, can you collect a stack trace for the core dump:

    # dbx /opt/freeware/bin/clamscan <path_to_core_file>
    (dbx) where
    <stack trace>
    (dbx) quit
    

    This might give an idea of the failing code.



    ------------------------------
    Jan Harris
    AIX Development Support (Liaison to the AIX Toolbox for Open Source)
    IBM (Contract)
    Austin TX
    ------------------------------
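
Added example, not part of any post in this thread: in post 9 the summary reports `Infected files: 0` although neither wheel was scanned, and the core dump in post 15 prints no summary at all, so a scan wrapper should treat both as incomplete rather than clean. The function names and the saved-log layout are assumptions; the sample lines are copied from the clamscan output quoted above.

```shell
#!/bin/sh
# Added example, not from the thread: classify a saved clamscan log so that
# files skipped on errors, or a scan that core dumped, are not read as "clean".

# data_limit_unlimited [VALUE]: true when the soft data limit is "unlimited",
# the setting under which the cli_calloc errors went away in this thread.
data_limit_unlimited() {
    [ "${1:-$(ulimit -d)}" = "unlimited" ]
}

# unscanned_files LOG: paths clamscan reported as "<path>: <reason> ERROR".
unscanned_files() {
    sed -n 's/^\(.*\): .* ERROR$/\1/p' "$1"
}

# summary_field LOG KEY: value of one "KEY: value" line of the scan summary.
# Prints nothing when the line is absent ("Total errors" only appears on errors).
summary_field() {
    awk -F': ' -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# scan_verdict LOG: prints crashed, infected, incomplete or clean.
scan_verdict() {
    log=$1
    # A scan that core dumps never reaches the summary block.
    grep -q 'SCAN SUMMARY' "$log" || { echo crashed; return 0; }
    infected=$(summary_field "$log" "Infected files")
    errors=$(summary_field "$log" "Total errors")
    skipped=$(unscanned_files "$log" | wc -l | tr -d ' ')
    if [ "${infected:-0}" -gt 0 ]; then
        echo infected
    elif [ "${errors:-0}" -gt 0 ] || [ "$skipped" -gt 0 ]; then
        echo incomplete
    else
        echo clean
    fi
}

# write_sample_logs DIR: sample logs built from output quoted in posts 9 and 15.
write_sample_logs() {
    cat > "$1/oom.log" <<'EOF'
Scanning /opt/freeware/lib64/python3.7/ensurepip/_bundled/pip-20.1.1-py2.py3-none-any.whl
calloc_problem: Not enough space
LibClamAV Error: cli_calloc(): Can't allocate memory (60126208 bytes).
/opt/freeware/lib64/python3.7/ensurepip/_bundled/pip-20.1.1-py2.py3-none-any.whl: Can't allocate memory ERROR
Scanning /opt/freeware/lib64/python3.7/ensurepip/_bundled/setuptools-47.1.0-py3-none-any.whl
calloc_problem: Not enough space
LibClamAV Error: cli_calloc(): Can't allocate memory (60126208 bytes).
/opt/freeware/lib64/python3.7/ensurepip/_bundled/setuptools-47.1.0-py3-none-any.whl: Can't allocate memory ERROR

----------- SCAN SUMMARY -----------
Known viruses: 8616419
Engine version: 0.104.2
Scanned directories: 1
Scanned files: 0
Infected files: 0
Total errors: 2
EOF
    cat > "$1/crash.log" <<'EOF'
Scanning /opt/freeware/lib64/python3.7/ensurepip/_bundled/pip-20.1.1-py2.py3-none-any.whl
Segmentation fault(coredump)
EOF
}

# Demo on the sample logs.
demo_dir=${TMPDIR:-/tmp}/clamscan-logs.$$
mkdir -p "$demo_dir"
write_sample_logs "$demo_dir"
for name in oom crash; do
    printf '%s.log: %s\n' "$name" "$(scan_verdict "$demo_dir/$name.log")"
done
echo "not scanned:"
unscanned_files "$demo_dir/oom.log"
data_limit_unlimited || echo "soft data limit is $(ulimit -d) kbytes, not unlimited"
rm -rf "$demo_dir"
```
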



  • 20.  RE: New version of ClamAV needed

    Posted Tue May 17, 2022 08:29 AM
    I scanned /opt/freeware with clamscan and it scanned lots of files then core dumped.

    /opt/freeware/lib/python2.7/site-packages/pip/_vendor/distlib/scripts.pyc: OK
    Scanning /opt/freeware/lib/python2.7/site-packages/pip/_vendor/distlib/t32.exe
    /opt/freeware/lib/python2.7/site-packages/pip/_vendor/distlib/t32.exe: OK
    Scanning /opt/freeware/lib/python2.7/site-packages/pip/_vendor/distlib/t64.exe
    Segmentation fault(coredump)

    I ran the dbx on the core file with this output.

    #dbx /opt/freeware/bin/clamscan /tmp/core
    Type 'help' for help.
    Core file "/tmp/core" program "clamscan_64" does not match current program (ignored)
    reading symbolic information ...
    (dbx) where
    ustart() at 0x9fffffff00011b4
    (dbx) quit

    I hope this helps!

    Thank you for your assistance!

    ------------------------------
    Stanley
    ------------------------------



  • 21.  RE: New version of ClamAV needed

    Posted Tue May 17, 2022 09:22 AM
    Hi, Stanley
    So it is core dumping scanning these Windows executables. 
    I still cannot generate a core.

    Can you run dbx again, but use the 64 bit binary:

    # dbx /opt/freeware/bin/clamscan_64 /tmp/core
    (dbx) where
    <...>
    (dbx) quit

    Also, share any non-private output from the env command (I omit host/IP info in the following example):

    # env | egrep -v "SSH| `uname -n`| `host \`hostname\`| cut -f3 -d\" \"`"

    ------------------------------
    Jan Harris
    AIX Development Support (Liaison to the AIX Toolbox for Open Source)
    IBM (Contract)
    Austin TX
    ------------------------------



  • 22.  RE: New version of ClamAV needed

    Posted Tue May 17, 2022 11:03 AM
    Here is the information using dbx on the core file. There are other errors that were in the output, but it is a lot of data.

    I can upload the complete output if needed.

    Hopefully this points to where the issue is for scanning the files with the new clamav.

    #dbx /opt/freeware/bin/clamscan_64 /tmp/core
    Type 'help' for help.
    warning: The core file is truncated. You may need to increasethe ulimit
    for file and coredump, or free some space on the filesystem.
    [using memory image in /tmp/core]
    reading symbolic information ...

    Segmentation fault in util.move at 0x90000000061b838 ($t1)
    0x90000000061b838 (move+0x38) 90040000 stw r0,0x0(r4)
    (dbx) where
    util.move(??, ??) at 0x90000000061b838
    pow.pow(??, ??, ??, ??) at 0x90000000061ffcc
    internal error: unexpected value 120 at line 5201 in file stabstring.c
    internal error: 1283-228 expected char ',', found 's__LC_locale:,1088,64;__meth_ptr:150,1152,64;__data_ptr:150,1216,64;;'
    internal error: 1283-228 expected char ',', found '__LC_locale:,1088,64;__meth_ptr:150,1152,64;__data_ptr:150,1216,64;;'
    internal error: 1283-228 expected char ';', found '_LC_locale:,1088,64;__meth_ptr:150,1152,64;__data_ptr:150,1216,64;;'
    internal error: unexpected value 44 at line 5201 in file stabstring.c
    internal error: 1283-228 expected char ',', found '1088,64;__meth_ptr:150,1152,64;__data_ptr:150,1216,64;;'
    internal error: unexpected value 120 at line 5201 in file stabstring.c
    internal error: unexpected value 120 at line 5201 in file stabstring.c
    internal error: 1283-228 expected char ',', found 's_LC_locale_objhdl:,128,64;;'
    internal error: 1283-228 expected char ',', found '_LC_locale_objhdl:,128,64;;'
    internal error: 1283-228 expected char ';', found 'LC_locale_objhdl:,128,64;;'
    internal error: unexpected value 44 at line 5201 in file stabstring.c
    internal error: 1283-228 expected char ',', found '128,64;;'
    internal error: unexpected value 120 at line 5201 in file stabstring.c
    internal error: unexpected value 120 at line 5201 in file stabstring.c
    internal error: unexpected value 120 at line 5201 in file stabstring.c
    internal error: unexpected value 120 at line 5201 in file stabstring.c


    #env | egrep -v "SSH| `uname -n`| `host \`hostname\`| cut -f3 -d\" \"`"
    _=/usr/bin/env
    LANG=en_US
    LOGIN=root
    CLCMD_PASSTHRU=1
    PATH=/usr/bin:/etc:/usr/sbin:/usr/ucb:/usr/bin/X11:/sbin:/usr/java8_64/jre/bin:/usr/java8_64/bin:/opt/freeware/bin
    LC__FASTMSG=true
    LOGNAME=root
    MAIL=/usr/spool/mail/root
    LOCPATH=/usr/lib/nls/loc
    USER=root
    AUTHSTATE=compat
    DISPLAY=localhost:10.0
    SHELL=/usr/bin/ksh
    ODMDIR=/etc/objrepos
    HOME=/
    TERM=xterm
    MAILMSG=[YOU HAVE NEW MAIL]
    PWD=/tmp
    TZ=CST6CDT
    A__z=! LOGNAME
    NLSPATH=/usr/lib/nls/msg/%L/%N:/usr/lib/nls/msg/%L/%N.cat:/usr/lib/nls/msg/%l.%c/%N:/usr/lib/nls/msg/%l.%c/%N.cat


    #ulimit -aS
    time(seconds) unlimited
    file(blocks) unlimited
    data(kbytes) unlimited
    stack(kbytes) 32768
    memory(kbytes) 32768
    coredump(blocks) 2097151
    nofiles(descriptors) 2000
    threads(per process) unlimited
    processes(per user) 128

    #ulimit -aH
    time(seconds) unlimited
    file(blocks) unlimited
    data(kbytes) unlimited
    stack(kbytes) 4194304
    memory(kbytes) unlimited
    coredump(blocks) unlimited
    nofiles(descriptors) unlimited
    threads(per process) unlimited
    processes(per user) 128

    Thank you!

    ------------------------------
    Stanley
    ------------------------------



  • 23.  RE: New version of ClamAV needed

    Posted Tue May 17, 2022 09:53 AM
    Hi Stanley
    You can disregard my request for a new dbx. I talked to Sanket today, and they have been able to reproduce the core.
    I suspect this is because their LPAR has 64-bit architecture.

    I will let him continue to update this thread now to avoid redundancies!

    ------------------------------
    Jan Harris
    AIX Development Support (Liaison to the AIX Toolbox for Open Source)
    IBM (Contract)
    Austin TX
    ------------------------------



  • 24.  RE: New version of ClamAV needed

    Posted Tue May 17, 2022 09:53 AM
    We could recreate it in our local environment. We are looking at the issue.

    ------------------------------
    SANKET RATHI
    ------------------------------



  • 25.  RE: New version of ClamAV needed

    Posted Fri May 20, 2022 07:18 AM

    We have found the solution for one problem; we are looking into the second problem.



    ------------------------------
    Neha Jain
    ------------------------------



  • 26.  RE: New version of ClamAV needed

    Posted Tue June 21, 2022 08:21 AM
    Hi Team,

    Can we have an update on the ClamAV issues that were discovered and the progress that has been made?
    Is there an estimated time a new release will be available?

    Thank you for working on this!

    Stan


    ------------------------------
    Stanley
    ------------------------------



  • 27.  RE: New version of ClamAV needed

    Posted Wed June 22, 2022 06:25 AM
    Hi Stanley,

    We have found a solution for 1st problem (Segmentation fault(coredump)) and found a workaround for 2nd problem (Illegal instruction(coredump)), we will update a new version in a couple of days. For the 2nd problem, we have reported a bug in the ClamAV forum.


    ------------------------------
    Neha Jain
    ------------------------------



  • 28.  RE: New version of ClamAV needed

    Posted Tue July 12, 2022 09:04 AM
    Hi Team,

    Can we have an update on the ClamAV issues and when we may have a new version released?

    Thank you for working on this!

    Stan

    ------------------------------
    Stanley
    ------------------------------



  • 29.  RE: New version of ClamAV needed

    Posted Tue July 12, 2022 09:14 AM
    Hi Stanley,

    We have a new version of clamav (0.104.2-2) in the toolbox. Please start using it.

    ------------------------------
    Neha Jain
    ------------------------------



  • 30.  RE: New version of ClamAV needed

    IBM Champion
    Posted Tue July 12, 2022 12:24 PM
    Team:

    I downloaded 0.104.2-2 and my original coredump issue has now gone away, thanks for resolving.

    Checking the clamAV docs I see that 0.105.0 is now available.


    Many thanks, Steve

    ------------------------------
    Steve Munday
    AIX, IBM i, HMC, PowerVM
    ------------------------------



  • 31.  RE: New version of ClamAV needed

    Posted Fri July 29, 2022 04:03 AM
    Hi Support,

    I have installed clamav_0.104.2-2.aix7.1 on AIX 7.1 and ran the full scan, getting an "Illegal instruction(coredump)" message; please see below.

    ========== putty log ==========
    /usr/java5/jre/bin/libhealthcenter.so: OK
    Scanning /usr/java5/jre/bin/libhprof.a
    /usr/java5/jre/bin/libhprof.a: OK
    Scanning /usr/java5/jre/bin/libinstrument.a
    /usr/java5/jre/bin/libinstrument.a: OK
    Scanning /usr/java5/jre/bin/libiverel23.so
    Illegal instruction(coredump)

    ========== putty log (debug) ==========
    /usr/java5/jre/bin/libhprof.a: OK
    LibClamAV debug: Checking realpath of /usr/java5/jre/bin/libinstrument.a
    Scanning /usr/java5/jre/bin/libinstrument.a
    LibClamAV debug: Recognized binary data
    LibClamAV debug: cache_check: 7da04a54183485b66b9dae36e0963a89 is negative
    LibClamAV debug: in cli_check_mydoom_log()
    LibClamAV debug: matcher_run: performing regex matching on full map: 0+117118(117118) >= 117118
    LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
    LibClamAV debug: matcher_run: performing regex matching on full map: 0+117118(117118) >= 117118
    LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
    LibClamAV debug: cli_magic_scan_desc: returning 0 at line 4857
    LibClamAV debug: cache_add: 7da04a54183485b66b9dae36e0963a89 (level 0)
    /usr/java5/jre/bin/libinstrument.a: OK
    LibClamAV debug: Checking realpath of /usr/java5/jre/bin/libiverel23.so
    Scanning /usr/java5/jre/bin/libiverel23.so
    LibClamAV debug: Recognized binary data
    LibClamAV debug: cache_check: 075d0f1b27fa6d81890e42259aae3c90 is negative
    LibClamAV debug: in cli_check_mydoom_log()
    LibClamAV debug: Matched signature for file type ZIP-SFX at 73536
    LibClamAV debug: matcher_run: performing regex matching on full map: 0+122299(122299) >= 122299
    LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
    LibClamAV debug: CL_TYPE_ZIPSFX signature found at 73536
    LibClamAV debug: in cli_unzip_single
    LibClamAV debug: cli_unzip: local header - ZMDNAME:0:($:14376:11304:0:0:0:1
    LibClamAV debug: CDBNAME:CL_TYPE_ZIP:11304:($:11304:14376:0:0:0:0
    Illegal instruction(coredump)

    ------------------------------
    Vangogh Goh
    ------------------------------

    Attachment(s)

    zip
    putty_21072022153744.zip   1.07 MB 1 version


  • 32.  RE: New version of ClamAV needed

    Posted Tue August 02, 2022 02:25 AM

    Hi Vangogh,

    Please share the stack details.


    Thanks,
    Neha



    ------------------------------
    Neha Jain
    ------------------------------



  • 33.  RE: New version of ClamAV needed

    Posted Tue August 02, 2022 04:33 AM
    Hi Neha,

    I have scheduled a cron job to run a full scan of all directories and files on AIX, using the commands below:

    # Set unlimited size of the data area for clamscan
    ulimit -d unlimited
    ulimit -c unlimited
    ulimit -m unlimited
    ulimit -n unlimited
    ulimit -s unlimited

    # Run the full scan of whole directories and files
    LDR_CNTRL=MAXDATA=0xA0000000@DSA /opt/freeware/bin/clamscan -rv --exclude-dir=/proc --tempdir=/tmp /

    The scan then always breaks at the same file with "Illegal instruction(coredump)", as below:

    ========== putty log ==========
    /usr/java5/jre/bin/libhealthcenter.so: OK
    Scanning /usr/java5/jre/bin/libhprof.a
    /usr/java5/jre/bin/libhprof.a: OK
    Scanning /usr/java5/jre/bin/libinstrument.a
    /usr/java5/jre/bin/libinstrument.a: OK
    Scanning /usr/java5/jre/bin/libiverel23.so
    Illegal instruction(coredump)
    ========== putty log ==========

    I tried scanning just the "/usr" folder and that scan completed successfully.

    Only when I run the full scan on all directories and files does it always break at this file: "/usr/java5/jre/bin/libiverel23.so". The full scan takes around 1x hours.

    Could you please help find and fix the problem? Thanks.

    Attached the log FYI.

    ------------------------------
    Vangogh Goh
    ------------------------------

    Attachment(s)

    gz
    clamav_fullscan_log.tar.gz   6.33 MB 1 version
    txt
    putty_debuglog.txt   120 KB 1 version
    zip
    putty_21072022153744.zip   1.07 MB 1 version
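
The logs in the post above show how to pinpoint the crashing file: with `-v`, clamscan prints a "Scanning <path>" line before each file and a "<path>: ..." result line after it, so a "Scanning" line with no result marks where the process died. The shell function below is an added example, not part of the original post or of ClamAV; `unfinished_scans`, `sample_log` and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example: list files that "clamscan -v" started but never reported on.
# Reads a saved log from the file(s) given as arguments, or from stdin.

unfinished_scans() {
    awk '
        # A new "Scanning <path>" line: if the previous file never got a
        # result line, report it, then remember the new path.
        /^[ \t]*Scanning / {
            if (pending != "") print pending
            sub(/^[ \t]*Scanning /, "")
            sub(/[ \t\r]+$/, "")
            pending = $0
            next
        }
        # Any "<path>: ..." line (OK, FOUND, ERROR) closes the pending file.
        # Debug lines and shell messages in between are ignored.
        pending != "" {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (index(line, pending ": ") == 1) pending = ""
        }
        # The log ended while a file was still being scanned.
        END { if (pending != "") print pending }
    ' "$@"
}

# Constructed sample, shaped like the log excerpts in this thread.
sample_log() {
    cat <<'EOF'
Scanning /usr/java5/jre/bin/libhprof.a
/usr/java5/jre/bin/libhprof.a: OK
Scanning /usr/java5/jre/bin/libinstrument.a
LibClamAV debug: Recognized binary data
/usr/java5/jre/bin/libinstrument.a: OK
Scanning /usr/java5/jre/bin/libiverel23.so
LibClamAV debug: in cli_unzip_single
Illegal instruction(coredump)
EOF
}

sample_log | unfinished_scans
```

Run against a log that spans several cron runs, it prints one path per run that stopped mid-file, which shows whether the crash is always tied to the same input.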


  • 34.  RE: New version of ClamAV needed

    Posted Tue August 02, 2022 06:23 AM

    Hi Vangogh,

    We need stack details and a core file.
    You can try it after setting the core path.

    Set the core path:
    mkdir /core
    syscorepath -p /core

    Run the operation.

    Analyze the core:
    cd /core
    gdb /opt/freeware/bin/clamscan core_file
    where

    or

    dbx /opt/freeware/bin/clamscan core_file
    where

    If you see extra output lines in dbx, try the command below:
    dbx /opt/freeware/bin/clamscan core_file >core_stack_details
    where

    Please provide the stack details.

    Thanks,
    Neha



    ------------------------------
    Neha Jain
    ------------------------------



  • 35.  RE: New version of ClamAV needed

    Posted Tue August 02, 2022 10:44 PM
    Hi Neha,

    Attached the core_stack_details log file.  Thanks.


    ------------------------------
    Vangogh Goh
    ------------------------------

    Attachment(s)

    zip
    core_stack_details.zip   18 KB 1 version


  • 36.  RE: New version of ClamAV needed

    Posted Thu August 04, 2022 07:07 AM
    Hi Vangogh,

    Looking into it.

    Thanks,
    Neha

    ------------------------------
    Neha Jain
    ------------------------------



  • 37.  RE: New version of ClamAV needed

    Posted Tue August 16, 2022 11:10 PM
    Hi Neha,

    How is the investigation?  Any update?  Thanks.

    ------------------------------
    Vangogh Goh
    ------------------------------



  • 38.  RE: New version of ClamAV needed

    Posted Thu August 18, 2022 02:04 AM

    Hi Vangogh,

    Your core issue is similar to the core reported by Steve; both cores are in the same file but at a different location.

    For this I have reported a bug in the community (Illegal instruction(coredump) during clamscan · Issue #617 · Cisco-Talos/clamav (github.com))

    I have added a workaround for this issue and we will upload a new version by today or tomorrow.

    Thanks,
    Neha



    ------------------------------
    Neha Jain
    ------------------------------



  • 39.  RE: New version of ClamAV needed

    Posted Tue July 12, 2022 12:51 PM
    Hi Team,

    I think the issues that were seen before are solved.

    Completed a test scan with zero errors!

    ----------- SCAN SUMMARY -----------
    Known viruses: 8621833
    Engine version: 0.104.2
    Scanned directories: 690
    Scanned files: 169702
    Infected files: 0
    Data scanned: 29174.82 MB
    Data read: 428631.91 MB (ratio 0.07:1)
    Time: 6568.720 sec (109 m 28 s)
    Start Date: 2022:07:12 09:50:31
    End Date: 2022:07:12 11:40:00
     
    Thank you for working to solve this issue!


    Stan

    ------------------------------
    Stanley
    ------------------------------