
List:       clamav-users
Subject:    Re: [clamav-users] Scan reports
From:       Andrew C Aitchison <clamav () aitchison ! me ! uk>
Date:       2022-05-31 14:14:02
Message-ID: 8857c79-c6ed-cdf4-4df8-1e156c19f915 () aitchison ! me ! uk

On Tue, 31 May 2022, John Paul Guay wrote:

> Hi Andrew,
>
> Initially we had an issue where we were using v0.102.4 and noticed this
> stopped working January 4th, 2022. We thought it was an issue with our
> proxy since we couldn't download the virus database (we have whitelisted
> sites since we're a high profile federal department in the Canadian
> government) but after further investigation we realized it was because our
> version of ClamAV was no longer supported. We upgraded our Master server to
> 0.103.6 and are now able to download the virus database daily.
>
> Okay, here's what I have so far. We have a script that runs daily on each
> agent. Here is the script:
>
> [root@seti*** ClamAV-scan-scripts]# cat daily_scan
> #!/bin/bash
> LOGFILE="/var/log/clamav/seti***-clamav-$(date +'%Y-%m-%d').log";
> #EMAIL_MSG="Please see the log file attached.";
> #EMAIL_FROM="clamav-daily@example.com";
> #EMAIL_TO="username@example.com";
> #DIRTOSCAN="/var/www /var/vmail";
> DIRTOSCAN="/ /disk /disk2";
>
> for S in ${DIRTOSCAN}; do
> DIRSIZE=$(du -sh "$S" 2>/dev/null | cut -f1);
>
> echo "Starting a daily scan of "$S" directory.
> Amount of data to be scanned is "$DIRSIZE".";
>
> # clamscan -ri "$S" >> "$LOGFILE";
> clamscan -ri --exclude=/root/quarantine --exclude=^/sys --max-scansize=500M --move=/root/quarantine "$S" >> "$LOGFILE";
> chmod 644 "$LOGFILE"
>
> # get the value of "Infected lines"
> MALWARE=$(tail "$LOGFILE"|grep Infected|cut -d" " -f3);
>
> # if the value is not equal to zero, send an email with the log file attached
> if [ "$MALWARE" -ne "0" ];then
> # using heirloom-mailx below
> echo "$EMAIL_MSG"|mail -a "$LOGFILE" -s "Malware Found" -r "$EMAIL_FROM" "$EMAIL_TO";
> fi
> done
>
> exit 0
> ______________________________________

Unusual to have *** in a variable for a filename.
My bash does not behave differently with one or three stars
(unless I set globstar, and that only needs **)

> This generates a log file with the following info:
>
> [root@seti*** clamav]# cat seti***-clamav-2022-05-31.log
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 8617062
> Engine version: 0.102.4
> Scanned directories: 34535
> Scanned files: 264418
> Infected files: 0
> Data scanned: 19818.75 MB
> Data read: 20187.30 MB (ratio 0.98:1)
> Time: 4818.083 sec (80 m 18 s)
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 8617062
> Engine version: 0.102.4
> Scanned directories: 7
> Scanned files: 0
> Infected files: 0
> Data scanned: 0.00 MB
> Data read: 0.00 MB (ratio 0.00:1)
> Time: 22.803 sec (0 m 22 s)
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 8617062
> Engine version: 0.102.4
> Scanned directories: 0
> Scanned files: 0
> Infected files: 0
> Data scanned: 0.00 MB
> Data read: 0.00 MB (ratio 0.00:1)
> Time: 22.697 sec (0 m 22 s)
>
> ____________________________________
>
> Then on the Master Server we have 2 bash scripts that run. The first script
> gathers all of the log files from each agent:
>
> [root@seti*** scripts]# cat rsync_clam.sh
> #/usr/bin/sh
> # This is a script to copy files from one host to a group of hosts
>
> # There are three variables accepted via commandline
> # $1 = first parameter (/source_path/source_filename)
> # $2 = second parameter (/target_directory/)
> # $3 = third parameter (file that contains list of hosts)
>
> SOURCEFILE=/var/log/clamav/seti*-clamav-2022*.log
> TARGETDIR=/disk/ClamAV_scan_reports
> HOSTFILE=/home/padmin/scripts/servers.txt
>
> if [ -f $SOURCEFILE ]
> then
>   printf "File found, preparing to transfer\n"
>   while read server
>   do
>     # scp -p $SOURCEFILE ${server}:$TARGETDIR
>      rsync -zar --remove-source-files padmin@$server:$SOURCEFILE $TARGETDIR
>   done < $HOSTFILE
> else
>   printf "File \"$SOURCEFILE\" not found\n"
>   exit 0
> fi
> exit 0
> _________________________________
>
> The second script merges the results into one log file on the master:
>
> [root@seti*** scripts]# cat merge_scan_report.sh
> #!/bin/bash
> LOGFILE="/disk/ClamAV_scan_reports/daily_virus_scan_report-$(date +'%Y-%m-%d')" ;
> more /disk/ClamAV_scan_reports/*.log | cat >> "$LOGFILE" ;
>
> rm -rf /disk/ClamAV_scan_reports/seti*.log ;
>
> exit 0
> ________________________________

Given that the problem started at the year-change, the definition
of SOURCEFILE concerns me.

*** When did you update it for this year ? ***

I admit that most of my logging is only single lines, but is there
a good reason not to use an existing network logging tool
like syslog, rsyslog or possibly systemd-journald?

In my experience they are usually much better debugged than
home-grown scripts (the only millennium-bugs that caught me were
ones I had written).

> Everything was working and generating the results and merging to the master
> until January 1st of this year:
>
> -rw-r--r-- 1 root root  12369 Dec 27 07:10
> daily_virus_scan_report-2021-12-27
> -rw-r--r-- 1 root root  11564 Dec 28 07:10
> daily_virus_scan_report-2021-12-28
> -rw-r--r-- 1 root root  13172 Dec 29 07:10
> daily_virus_scan_report-2021-12-29
> -rw-r--r-- 1 root root  12369 Dec 30 07:10
> daily_virus_scan_report-2021-12-30
> -rw-r--r-- 1 root root  10434 Dec 31 07:10
> daily_virus_scan_report-2021-12-31
> -rw-r--r-- 1 root root      0 Jan  1 07:10
> daily_virus_scan_report-2022-01-01
> -rw-r--r-- 1 root root      0 Jan  2 07:10
> daily_virus_scan_report-2022-01-02
> -rw-r--r-- 1 root root      0 Jan  3 07:10
> daily_virus_scan_report-2022-01-03
> -rw-r--r-- 1 root root      0 Jan  4 07:10
> daily_virus_scan_report-2022-01-04
>
> -rw-r--r-- 1 root root      0 May 31 07:10
> daily_virus_scan_report-2022-05-31
>
> This is where we're at and I don't know what to check to see where it
> stopped working.
>
> Any guidance would be greatly appreciated.
>
> Thanks
>
> JP
>
> On Tue, May 31, 2022 at 7:32 AM John Paul Guay <johnpaulguay2@gmail.com>
> wrote:
>
>> Thanks for replying Andrew. I realize I didn't provide much regarding the
>> needle or the haystack. I will gather as much info as possible and will
>> update this thread shortly.
>>
>> JP
>>
>> On Tue, May 31, 2022 at 7:28 AM Andrew C Aitchison <clamav@aitchison.me.uk>
>> wrote:
>>
>>> On Tue, 31 May 2022, John Paul Guay via clamav-users wrote:
>>>
>>>> Hello,
>>>>
>>>> I'm new to ClamAV and I need help to fix our master server so it will scan
>>>> each agent daily. I work in a federal department in government and I've
>>>> been working in our lab environment. We had a consultant who had set up our
>>>> ClamAV to scan all of our Linux VM's and he left good documentation but
>>>> nothing on the issue we've encountered now. Everything was working fine,
>>>> which I thought, but something "broke" and now it doesn't do the daily
>>>> scans of each agent and send the report to the master. It was working until
>>>> January 1st, 2022. I'm not sure if anything changed between last year and
>>>> this year but I need to get this fixed ASAP. I realize this doesn't
>>>> provide much details but I can provide anything you need. If I can
>>>> get a conversation opened with someone who knows what they're doing when it
>>>> comes to ClamAV, that would be great!
>>>
>>> Hmm. Do you have a message somewhere saying that something broke ?
>>> If so can we have that please, and where you found it.
>>>
>>> Without that much, our first problem is to find the haystack,
>>> never mind the needle, and that is unlikely to benefit from knowledge
>>> of ClamAV.
>>>
>>> Can you find out whether the master is supposed to request each scan,
>>> or whether the VMs/agents start the scans on their own initiative ?
>>>
>>> Which platforms are in use could help too - all of them, as we don't know
>>> which machine broke.
>>>
>>> --
>>> Andrew C. Aitchison                                     Kendal, UK
>>>                         andrew@aitchison.me.uk

-- 
Andrew C. Aitchison					Kendal, UK
 			andrew@aitchison.me.uk
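Added example, not part of the thread or of the posted scripts: a POSIX-sh sketch of the two fragile spots Andrew's reply points at, a SOURCEFILE glob with the year hard-coded and an infected-file check that reads only the last summary and chokes on an empty log. It goes slightly beyond the thread by summing "Infected files:" across every summary in a log; host names, paths and function names are constructed.

```shell
#!/bin/sh
# Added example (not the thread's scripts). Year-proof replacements for a
# log glob that hard-codes the year and an infected-count check that reads
# only the last summary and breaks on an empty log. Names are constructed.

# List one day's scan logs. The day comes from the clock (or $3), so no
# edit is needed at the year change. sh leaves an unmatched glob as a
# literal, so each candidate is checked with -f; the function returns
# non-zero when nothing matched rather than quietly exiting 0.
scan_logs_for_day() {
    dir="$1"; host="$2"; day="${3:-$(date +'%Y-%m-%d')}"
    found=0
    for f in "$dir"/"$host"*-clamav-"$day".log; do
        [ -f "$f" ] || continue
        printf '%s\n' "$f"
        found=1
    done
    [ "$found" -eq 1 ]
}

# Sum "Infected files:" over every SCAN SUMMARY in a log: the daily log
# holds one summary per scanned directory, so tail|grep only sees the
# last one. Exit 2 when no summary exists, so a truncated or empty log
# is reported as a failure instead of passing as clean.
infected_count() {
    awk '/^Infected files:/ { s += $3; seen = 1 }
         END { if (!seen) exit 2; print s + 0 }' "$1"
}

# Constructed sample logs: two agents for 2022-05-31 (one with two
# summaries, 0 and 3 infected), one stale 2021 log, and one empty log.
make_sample_logs() {
    d=$(mktemp -d)
    printf 'Infected files: 0\nTime: 1 sec\nInfected files: 3\n' \
        > "$d/seti01-clamav-2022-05-31.log"
    printf 'Infected files: 0\n' > "$d/seti02-clamav-2022-05-31.log"
    printf 'Infected files: 0\n' > "$d/seti01-clamav-2021-12-31.log"
    : > "$d/seti03-clamav-2022-05-31.log"
    printf '%s\n' "$d"
}

# Report each log for a day, flagging logs that carry no summary.
report_day() {
    scan_logs_for_day "$1" seti "$2" | while read -r log; do
        if n=$(infected_count "$log"); then echo "$log: $n infected"
        else echo "$log: no scan summary, check the agent" >&2; fi
    done
}
```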
_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat
