ClamAV not working

jlixfeld

I've been troubleshooting exim paniclog messages from my DA 1.50.1 installation pertaining to clamd problems:

Code:
2016-06-19 03:57:19 1bEXbQ-0004Fa-Ve malware acl condition: clamd [127.0.0.1]:3310 : unable to read from socket (Connection timed out)

All the clam bits are running:

Code:
# ps xa|grep -i clam
11849 ?        Ssl    0:08 /usr/local/sbin/clamd --foreground=yes
11862 ?        Ss     0:00 /usr/local/bin/freshclam -d
20679 pts/1    S+     0:00 grep -i clam

I enabled logging for clamd and freshclam, and I'm now able to see that the processes don't throw any errors when they start:

Code:
# service clamd restart ; service freshclam restart && tail -n 100 -f /var/log/mail.log | grep clam
Jun 19 09:28:38 hosting1 clamd[11821]: Waiting for all threads to finish
Jun 19 09:28:38 hosting1 clamd[11821]: Shutting down the main socket.
Jun 19 09:28:38 hosting1 clamd[11821]: Pid file removed.
Jun 19 09:28:38 hosting1 clamd[11821]: --- Stopped at Sun Jun 19 09:28:38 2016
Jun 19 09:28:38 hosting1 clamd[11821]: Closing the main socket.
Jun 19 09:28:38 hosting1 freshclam[11834]: Update process terminated
Jun 19 09:28:38 hosting1 clamd[11849]: Received 0 file descriptor(s) from systemd.
Jun 19 09:28:38 hosting1 clamd[11849]: clamd daemon 0.99.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Jun 19 09:28:38 hosting1 clamd[11849]: Log file size limited to 1048576 bytes.
Jun 19 09:28:38 hosting1 clamd[11849]: Reading databases from /usr/local/share/clamav
Jun 19 09:28:38 hosting1 clamd[11849]: Not loading PUA signatures.
Jun 19 09:28:38 hosting1 clamd[11849]: Bytecode: Security mode set to "TrustSigned".
Jun 19 09:28:38 hosting1 freshclam[11860]: Current working dir is /usr/local/share/clamav
Jun 19 09:28:38 hosting1 freshclam[11862]: freshclam daemon 0.99.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Jun 19 09:28:38 hosting1 freshclam[11862]: Max retries == 3
Jun 19 09:28:38 hosting1 freshclam[11862]: ClamAV update process started at Sun Jun 19 09:28:38 2016
Jun 19 09:28:38 hosting1 freshclam[11862]: Using IPv6 aware code
Jun 19 09:28:38 hosting1 freshclam[11862]: Querying current.cvd.clamav.net
Jun 19 09:28:38 hosting1 freshclam[11862]: TTL: 1730
Jun 19 09:28:38 hosting1 freshclam[11862]: Software version from DNS: 0.99.2
Jun 19 09:28:38 hosting1 freshclam[11862]: main.cvd version from DNS: 57
Jun 19 09:28:38 hosting1 freshclam[11862]: main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)
Jun 19 09:28:38 hosting1 freshclam[11862]: daily.cvd version from DNS: 21752
Jun 19 09:28:38 hosting1 freshclam[11862]: daily.cld is up to date (version: 21752, sigs: 312364, f-level: 63, builder: neo)
Jun 19 09:28:38 hosting1 freshclam[11862]: bytecode.cvd version from DNS: 281
Jun 19 09:28:38 hosting1 freshclam[11862]: bytecode.cld is up to date (version: 281, sigs: 51, f-level: 63, builder: neo)
Jun 19 09:28:38 hosting1 freshclam[11862]: --------------------------------------
Jun 19 09:28:45 hosting1 clamd[11849]: Loaded 4525812 signatures.
Jun 19 09:28:47 hosting1 clamd[11849]: TCP: Bound to [127.0.0.1]:3310
Jun 19 09:28:47 hosting1 clamd[11849]: TCP: Setting connection queue length to 200
Jun 19 09:28:47 hosting1 clamd[11849]: Limits: Global size limit set to 104857600 bytes.
Jun 19 09:28:47 hosting1 clamd[11849]: Limits: File size limit set to 26214400 bytes.
Jun 19 09:28:47 hosting1 clamd[11849]: Limits: Recursion level limit set to 16.
Jun 19 09:28:47 hosting1 clamd[11849]: Limits: Files limit set to 10000.
Jun 19 09:28:47 hosting1 clamd[11849]: Limits: Core-dump limit is 0.
Jun 19 09:28:47 hosting1 clamd[11849]: Limits: MaxEmbeddedPE limit set to 10485760 bytes.
Jun 19 09:28:47 hosting1 clamd[11849]: Limits: MaxHTMLNormalize limit set to 10485760 bytes.
Jun 19 09:28:47 hosting1 clamd[11849]: Limits: MaxHTMLNoTags limit set to 2097152 bytes.
Jun 19 09:28:47 hosting1 clamd[11849]: Limits: MaxScriptNormalize limit set to 5242880 bytes.
Jun 19 09:28:47 hosting1 clamd[11849]: Limits: MaxZipTypeRcg limit set to 1048576 bytes.
Jun 19 09:28:47 hosting1 clamd[11849]: Limits: MaxPartitions limit set to 50.
Jun 19 09:28:47 hosting1 clamd[11849]: Limits: MaxIconsPE limit set to 100.
Jun 19 09:28:47 hosting1 clamd[11849]: Limits: MaxRecHWP3 limit set to 16.
Jun 19 09:28:47 hosting1 clamd[11849]: Limits: PCREMatchLimit limit set to 10000.
Jun 19 09:28:47 hosting1 clamd[11849]: Limits: PCRERecMatchLimit limit set to 5000.
Jun 19 09:28:47 hosting1 clamd[11849]: Limits: PCREMaxFileSize limit set to 26214400.
Jun 19 09:28:47 hosting1 clamd[11849]: Archive support enabled.
Jun 19 09:28:47 hosting1 clamd[11849]: Algorithmic detection enabled.
Jun 19 09:28:47 hosting1 clamd[11849]: Portable Executable support enabled.
Jun 19 09:28:47 hosting1 clamd[11849]: ELF support enabled.
Jun 19 09:28:47 hosting1 clamd[11849]: Mail files support enabled.
Jun 19 09:28:47 hosting1 clamd[11849]: OLE2 support enabled.
Jun 19 09:28:47 hosting1 clamd[11849]: PDF support enabled.
Jun 19 09:28:47 hosting1 clamd[11849]: SWF support enabled.
Jun 19 09:28:47 hosting1 clamd[11849]: HTML support enabled.
Jun 19 09:28:47 hosting1 clamd[11849]: XMLDOCS support enabled.
Jun 19 09:28:47 hosting1 clamd[11849]: HWP3 support enabled.
Jun 19 09:28:47 hosting1 clamd[11849]: Self checking every 600 seconds.
Jun 19 09:28:47 hosting1 clamd[11849]: Listening daemon: PID: 11849
Jun 19 09:28:47 hosting1 clamd[11849]: MaxQueue set to: 100

ClamAV was built using CB 2.0 and exim.conf seems to have ClamAV based stuff in there; I'm presuming it's complete; I haven't touched the config except to add local_part_suffix for virtual_aliases_nostar:, virtual_user: and virtual_aliases:, all of which works fine otherwise:

Code:
# cat /etc/exim.conf | grep -A5 -B5 -i clam
# SpamBlockerTechnology* powered exim.conf, Version 4.4.2
# Dec 5, 2015
# Exim configuration file for DirectAdmin
# Requires exim.pl as distributed by DirectAdmin here:
# http://files.directadmin.com/services/exim.pl version 21 or higher
# ClamAV optional
# SpamAssassin optional
# Dovecot/IMAP Mandatory
# *SpamBlockerTechnology is a Trademark of NoBaloney Internet Services:
# http://www.nobaloney.net
#
--

#EDIT#1:
# primary_hostname =
smtp_active_hostname = ${if exists{/etc/virtual/helo_data}{${lookup{$interface_address}iplsearch{/etc/virtual/helo_data}{$value}{$primary_hostname}}}{$primary_hostname}}

#EDIT#2-CLAMAV:
# av_scanner = clamd:/var/run/clamav/clamd
.include_if_exists /etc/exim.clamav.load.conf

#Block Cracking variables
.include_if_exists /etc/exim.blockcracking/variables.conf

#Easy Spam Figher variables
--


######################################
# ACL CHECK MESSAGE
######################################
# ACL that is used after the DATA command (ClamAV)
acl_check_message:
  accept  condition = ${if eq{$acl_m_is_whitelisted}{1}{1}{0}}

  .include_if_exists /etc/exim.easy_spam_fighter/check_message.conf

#EDIT#46:
.include_if_exists /etc/exim.clamav.conf

  ## accept without checking if in skip_av_domains
  # accept condition =${if and {{def:acl_m0}{def:acl_m0}} {true}{false}}

  ## deny if email contains malformed MIME header
  # deny message = CLAM_MALFORMED_MIME
  # demime = *
  # condition = ${if >{$demime_errorlevel}{2}{1}{0}}

  ## deny if email containing virus or other harmful content
  # deny message = CLAM_HAS_VIRUS
  # demime = *
  # malware = *

  ## deny  if email contains an attachment of type we don't accept.
  # deny message = CLAM_BAD_ATTACHMENT
  # demime = bat:com:pif:prf:scr:vbs:html

  ## Accept but put warning into headers if message over 1000k
  # warn message = CLAM_SKIPPED
  # condition = ${if >={$message_size}{1000k} {1}{0}}

  # warn message = CLAM_CLEAN

  ## The end of the acl_check_message acl (ClamAV)
  ## Do NOT comment out the line below or all messages will be denied.
  accept


##################################################################################

/etc/exim.clamav.load.conf
Code:
# cat /etc/exim.clamav.load.conf
#1.0
av_scanner = clamd:127.0.0.1 3310

/etc/exim.clamav.conf
Code:
# cat /etc/exim.clamav.conf
#1.2
deny
  message = This message contains a virus or other harmful content ($malware_name)
  malware = */defer_ok/tmo=10s
  log_message = Message from $sender_host_address denied - virus of harmful content ($malware_name)

warn
  message = X-Antivirus-Scanner: Clean mail though you should still use an Antivirus
#

I sent myself an EICAR test message from http://www.aleph-tec.com/eicar/index.php, but ClamAV didn't even seem to fire.

Code:
# grep -i eicar /var/log/exim/mainlog
2016-06-19 09:05:56 1bEcQG-0002cH-KK <= [email protected] H=batch.outbound.your-site.com [205.233.73.32] P=esmtps X=TLSv1.2:AECDH-AES256-SHA:256 CV=no S=2661 [email protected] T="EICAR anti-virus test file:" from <[email protected]> for jason-aleph-tech.com - at - lixfeld.ca
2016-06-19 09:05:56 1bEcQG-0002cG-KK <= [email protected] H=batch.outbound.your-site.com [205.233.73.32] P=esmtps X=TLSv1.2:AECDH-AES256-SHA:256 CV=no S=2439 [email protected] T="EICAR anti-virus test file:" from <[email protected]> for jason-aleph-tech.com - at - lixfeld.ca
2016-06-19 09:05:56 1bEcQG-0002cI-KK <= [email protected] H=batch.outbound.your-site.com [205.233.73.32] P=esmtps X=TLSv1.2:AECDH-AES256-SHA:256 CV=no S=4652 [email protected] T="EICAR anti-virus test file:" from <[email protected]> for jason-aleph-tech.com - at - lixfeld.ca
2016-06-19 09:05:59 1bEcQG-0002cR-O2 <= [email protected] U=mail P=spam-scanned S=2899 [email protected] T="EICAR anti-virus test file:" from <[email protected]> for jason-aleph-tech.com - at - lixfeld.ca
2016-06-19 09:05:59 1bEcQG-0002cR-O2 => jason <jason-aleph-tech.com - at - lixfeld.ca> F=<[email protected]> R=virtual_user T=dovecot_lmtp_udp S=3100 C="250 2.0.0 <jason - at - lixfeld.ca> 2u1cFbeYZlc8JgAARPuFGw Saved"
2016-06-19 09:05:59 1bEcQG-0002cG-KK => jason-aleph-tech.com <jason-aleph-tech.com - at - lixfeld.ca> F=<[email protected]> R=spamcheck_director T=spamcheck S=2770
2016-06-19 09:06:00 1bEcQG-0002cf-Pp <= [email protected] U=mail P=spam-scanned S=5159 [email protected] T="EICAR anti-virus test file:" from <[email protected]> for jason-aleph-tech.com - at - lixfeld.ca
2016-06-19 09:06:00 1bEcQG-0002cf-Pp => jason <jason-aleph-tech.com - at - lixfeld.ca> F=<[email protected]> R=virtual_user T=dovecot_lmtp_udp S=5399 C="250 2.0.0 <jason - at - lixfeld.ca> tJKCA7iYZlduJwAARPuFGw Saved"
2016-06-19 09:06:00 1bEcQG-0002cI-KK => jason-aleph-tech.com <jason-aleph-tech.com - at - lixfeld.ca> F=<[email protected]> R=spamcheck_director T=spamcheck S=5030
2016-06-19 09:06:00 1bEcQG-0002cV-O5 <= [email protected] U=mail P=spam-scanned S=3121 [email protected] T="EICAR anti-virus test file:" from <[email protected]> for jason-aleph-tech.com - at - lixfeld.ca
2016-06-19 09:06:00 1bEcQG-0002cV-O5 => jason <jason-aleph-tech.com - at - lixfeld.ca> F=<[email protected]> R=virtual_user T=dovecot_lmtp_udp S=3328 C="250 2.0.0 <jason - at - lixfeld.ca> 9mHpKbiYZld2JwAARPuFGw Saved"
2016-06-19 09:06:00 1bEcQG-0002cH-KK => jason-aleph-tech.com <jason-aleph-tech.com - at - lixfeld.ca> F=<[email protected]> R=spamcheck_director T=spamcheck S=2992

Is EICAR not a reasonable way to test ClamAV? Or is something perhaps broken/missing in my config?

I'm not quite sure where to look, so if anyone has any pointers, I'd be grateful.

Thanks in advance!
 
Hi,

The contents of that file were included in my original post, although I recognize that it might not have been clear unless one were to read all the code included within. I modified my original post to separate the config file outputs so they are more clear, so if you look again, you will see that it does in fact exist, and its contents are there too.
 
Oh sorry, yes, I didn't read all the code, I just thought it was the exim.conf file :)

Anyway, has ClamAV been installed via CB?
What's the output of command: netstat -pantu | grep 3310
Has exim been restarted? (try it just in case) ;)
Why does the clamav process have the foreground option? Did you set that in the init script?

Regards
 
Yes, it was installed by CB 2.0 (also mentioned in the original post :p)

Code:
root@hosting1:/var/spool/exim/db# netstat -pantu | grep 3310
tcp        0      0 127.0.0.1:3310          0.0.0.0:*               LISTEN      11849/clamd
root@hosting1:/var/spool/exim/db#

Exim was restarted, yes, many times. Not directly as an attempt to solve this particular issue, but over system reboots, etc.

Ironically enough, I just restarted Exim a moment ago for a different reason, but sent another EICAR after I read your above reply; however, still, clamd was nowhere to be found, with the exception of a successful self check:

Code:
Jun 20 08:40:57 hosting1 clamd[11849]: SelfCheck: Database status OK.

Not sure if it's relevant, but spamc can't seem to connect to ::1, but I presume it connects over IPv4 in subsequent attempts, so I don't think it's related, or even relevant, but I could be wrong?
 
Well, the conf tries 127.0.0.1, which is IPv4; otherwise it would be localhost or even ::1

That's very strange, is there any mention of ClamAV in the email header you receive?

Like: X-Antivirus-Scanner: Clean mail though you should still use an Antivirus

Also, make sure you are testing from a different server! On the same server the spam/virus checks are skipped; you should be able to see this line when it happens:
PrimaryMX: Accepted email from trusted host. Hint: This skips spam scanning so make sure other host is not vulnerable

Regards
 
Wow! It's there in the header:

Code:
X-Antivirus-Scanner: Clean mail though you should still use an Antivirus

I didn't even think to look at headers because I didn't see any clam reference in the logs. I assumed that the EICAR string would cause the message to be blocked, but it didn't, so that certainly threw me off the trail too!

Ok, false alarm then :)
 
Now comes the interesting part, do you receive the file correctly from another server?

It should find the EICAR Virus and block it anyway!

Regards
 
I tried 4 other servers. Among them, iCloud and Gmail. Of those 4, only Gmail seems to block it.
 
OK, I did receive the notification e-mail but none of the emails with the attached virus.

This is because I use external databases to also check for viruses, and I got this in the exim mainlog:

Code:
2016-06-20 17:03:44 1bF0jo-0006IK-8F H=batch.outbound.your-site.com [205.233.73.32] X=TLSv1:DHE-RSA-AES256-SHA:256 CV=no F=<[email protected]> rejected after DATA: Message from 205.233.73.32 denied - virus of harmful content (Sanesecurity.Foxhole.Zip_com.UNOFFICIAL)
2016-06-20 17:09:23 1bF0pH-0006tJ-4V H=batch.outbound.your-site.com [205.233.73.32] X=TLSv1:DHE-RSA-AES256-SHA:256 CV=no F=<[email protected]> rejected after DATA: Message from 205.233.73.32 denied - virus of harmful content (Sanesecurity.Foxhole.Zip_com.UNOFFICIAL)
2016-06-20 17:09:52 1bF0pk-0006xi-BF <= [email protected] H=batch.outbound.your-site.com [205.233.73.32] P=esmtps X=TLSv1:DHE-RSA-AES256-SHA:256 CV=no S=2372 [email protected] T="EICAR anti-virus test file:" from <[email protected]> for [email protected]

So the external database is blocking the virus in the zip file.

I tried to have it send me just the file, not zipped and in txt format, but apparently I'm neither receiving nor rejecting those emails; I don't know if it is actually sending those or not, honestly.

When you do receive those emails, do you have the attachment? Please keep in mind that clamav shouldn't be able to scan the zip files correctly, so, at least for the standard and the txt one, do you receive them attached?

Regards
 
I do get them as attachments, yes.

I don't actually get the text version either; same as you, nothing in the logs for those ones at all. Must be an issue on the sending side.

So if I'm understanding what you are saying, ClamAV cannot open zip files at all? So only files attached natively will be scanned?
 
Yep!

You can use an additional database with these commands:

Code:
wget -O /usr/local/share/clamav/foxhole_all.cdb http://ftp.swin.edu.au/sanesecurity/foxhole_all.cdb
service clamd restart 
service freshclam restart

That would also allow you to stop the zipped content (it actually looks for specific file extensions in the zip files).

Regards
 
Is there anything else I need to do to activate that new db? It doesn't seem to be recognized on restart:

Code:
Jun 20 11:44:17 hosting1 clamd[11849]: Waiting for all threads to finish
Jun 20 11:44:17 hosting1 clamd[11849]: Shutting down the main socket.
Jun 20 11:44:17 hosting1 clamd[11849]: Pid file removed.
Jun 20 11:44:17 hosting1 clamd[11849]: --- Stopped at Mon Jun 20 11:44:17 2016
Jun 20 11:44:17 hosting1 clamd[11849]: Closing the main socket.
Jun 20 11:44:18 hosting1 clamd[310]: Received 0 file descriptor(s) from systemd.
Jun 20 11:44:18 hosting1 clamd[310]: clamd daemon 0.99.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Jun 20 11:44:18 hosting1 clamd[310]: Log file size limited to 1048576 bytes.
Jun 20 11:44:18 hosting1 clamd[310]: Reading databases from /usr/local/share/clamav
Jun 20 11:44:18 hosting1 clamd[310]: Not loading PUA signatures.
Jun 20 11:44:18 hosting1 clamd[310]: Bytecode: Security mode set to "TrustSigned".
Jun 20 11:44:25 hosting1 clamd[310]: Loaded 4532786 signatures.
Jun 20 11:44:25 hosting1 freshclam[11862]: Update process terminated
Jun 20 11:44:25 hosting1 freshclam[323]: Current working dir is /usr/local/share/clamav
Jun 20 11:44:25 hosting1 freshclam[325]: freshclam daemon 0.99.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Jun 20 11:44:25 hosting1 freshclam[325]: Max retries == 3
Jun 20 11:44:25 hosting1 freshclam[325]: ClamAV update process started at Mon Jun 20 11:44:25 2016
Jun 20 11:44:25 hosting1 freshclam[325]: Using IPv6 aware code
Jun 20 11:44:25 hosting1 freshclam[325]: Querying current.cvd.clamav.net
Jun 20 11:44:25 hosting1 freshclam[325]: TTL: 969
Jun 20 11:44:25 hosting1 freshclam[325]: Software version from DNS: 0.99.2
Jun 20 11:44:25 hosting1 freshclam[325]: main.cvd version from DNS: 57
Jun 20 11:44:25 hosting1 freshclam[325]: main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)
Jun 20 11:44:25 hosting1 freshclam[325]: daily.cvd version from DNS: 21759
Jun 20 11:44:25 hosting1 freshclam[325]: daily.cld is up to date (version: 21759, sigs: 319338, f-level: 63, builder: neo)
Jun 20 11:44:25 hosting1 freshclam[325]: bytecode.cvd version from DNS: 281
Jun 20 11:44:25 hosting1 freshclam[325]: bytecode.cld is up to date (version: 281, sigs: 51, f-level: 63, builder: neo)
Jun 20 11:44:25 hosting1 freshclam[325]: --------------------------------------
Jun 20 11:44:26 hosting1 clamd[310]: TCP: Bound to [127.0.0.1]:3310
Jun 20 11:44:26 hosting1 clamd[310]: TCP: Setting connection queue length to 200
Jun 20 11:44:26 hosting1 clamd[310]: Limits: Global size limit set to 104857600 bytes.
Jun 20 11:44:26 hosting1 clamd[310]: Limits: File size limit set to 26214400 bytes.
Jun 20 11:44:26 hosting1 clamd[310]: Limits: Recursion level limit set to 16.
Jun 20 11:44:26 hosting1 clamd[310]: Limits: Files limit set to 10000.
Jun 20 11:44:26 hosting1 clamd[310]: Limits: Core-dump limit is 0.
Jun 20 11:44:26 hosting1 clamd[310]: Limits: MaxEmbeddedPE limit set to 10485760 bytes.
Jun 20 11:44:26 hosting1 clamd[310]: Limits: MaxHTMLNormalize limit set to 10485760 bytes.
Jun 20 11:44:26 hosting1 clamd[310]: Limits: MaxHTMLNoTags limit set to 2097152 bytes.
Jun 20 11:44:26 hosting1 clamd[310]: Limits: MaxScriptNormalize limit set to 5242880 bytes.
Jun 20 11:44:26 hosting1 clamd[310]: Limits: MaxZipTypeRcg limit set to 1048576 bytes.
Jun 20 11:44:26 hosting1 clamd[310]: Limits: MaxPartitions limit set to 50.
Jun 20 11:44:26 hosting1 clamd[310]: Limits: MaxIconsPE limit set to 100.
Jun 20 11:44:26 hosting1 clamd[310]: Limits: MaxRecHWP3 limit set to 16.
Jun 20 11:44:26 hosting1 clamd[310]: Limits: PCREMatchLimit limit set to 10000.
Jun 20 11:44:26 hosting1 clamd[310]: Limits: PCRERecMatchLimit limit set to 5000.
Jun 20 11:44:26 hosting1 clamd[310]: Limits: PCREMaxFileSize limit set to 26214400.
Jun 20 11:44:26 hosting1 clamd[310]: Archive support enabled.
Jun 20 11:44:26 hosting1 clamd[310]: Algorithmic detection enabled.
Jun 20 11:44:26 hosting1 clamd[310]: Portable Executable support enabled.
Jun 20 11:44:26 hosting1 clamd[310]: ELF support enabled.
Jun 20 11:44:26 hosting1 clamd[310]: Mail files support enabled.
Jun 20 11:44:26 hosting1 clamd[310]: OLE2 support enabled.
Jun 20 11:44:26 hosting1 clamd[310]: PDF support enabled.
Jun 20 11:44:26 hosting1 clamd[310]: SWF support enabled.
Jun 20 11:44:26 hosting1 clamd[310]: HTML support enabled.
Jun 20 11:44:26 hosting1 clamd[310]: XMLDOCS support enabled.
Jun 20 11:44:26 hosting1 clamd[310]: HWP3 support enabled.
Jun 20 11:44:26 hosting1 clamd[310]: Self checking every 600 seconds.
Jun 20 11:44:26 hosting1 clamd[310]: Listening daemon: PID: 310
Jun 20 11:44:26 hosting1 clamd[310]: MaxQueue set to: 100

Code:
# ls -al /usr/local/share/clamav/foxhole_all.cdb_new
-rw-r--r-- 1 clamav clamav 8657 May 31 05:52 /usr/local/share/clamav/foxhole_all.cdb_new
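
An added example, not written by anyone in this thread: a check of whether clamd picked up a third-party database, comparing the growth in its "Loaded N signatures" line with the growth in the official database counts that freshclam reports. The log excerpts are the lines posted above with timestamps trimmed; the function names are illustrative, and the check assumes PUA and ignore settings did not change between the two restarts.

```python
import re

# Excerpts of the two restart logs posted in this thread (timestamp and host trimmed).
RESTART_JUN19 = """\
freshclam[11862]: main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)
freshclam[11862]: daily.cld is up to date (version: 21752, sigs: 312364, f-level: 63, builder: neo)
freshclam[11862]: bytecode.cld is up to date (version: 281, sigs: 51, f-level: 63, builder: neo)
clamd[11849]: Loaded 4525812 signatures.
"""
RESTART_JUN20 = """\
clamd[310]: Loaded 4532786 signatures.
freshclam[325]: main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)
freshclam[325]: daily.cld is up to date (version: 21759, sigs: 319338, f-level: 63, builder: neo)
freshclam[325]: bytecode.cld is up to date (version: 281, sigs: 51, f-level: 63, builder: neo)
"""

LOADED_RE = re.compile(r"clamd\[\d+\]: Loaded (\d+) signatures\.")
OFFICIAL_RE = re.compile(
    r"freshclam\[\d+\]: (main|daily|bytecode)\.c[vl]d is up to date "
    r"\(version: (\d+), sigs: (\d+),"
)


def snapshot(log_text):
    """Return (signatures loaded by clamd, {official db: sigs}) for one restart."""
    loaded = None
    official = {}
    for line in log_text.splitlines():
        m = LOADED_RE.search(line)
        if m:
            loaded = int(m.group(1))  # last value wins if clamd reloaded
            continue
        m = OFFICIAL_RE.search(line)
        if m:
            official[m.group(1)] = int(m.group(3))
    if loaded is None or not official:
        raise ValueError("excerpt lacks clamd 'Loaded' or freshclam 'sigs' lines")
    return loaded, official


def unexplained_growth(before_log, after_log):
    """Signatures clamd gained that the official databases do not account for."""
    loaded_a, official_a = snapshot(before_log)
    loaded_b, official_b = snapshot(after_log)
    official_delta = sum(official_b.values()) - sum(official_a.values())
    return (loaded_b - loaded_a) - official_delta


if __name__ == "__main__":
    extra = unexplained_growth(RESTART_JUN19, RESTART_JUN20)
    print(f"signatures not explained by official updates: {extra}")
    if extra <= 0:
        print("no third-party database appears to have been loaded")
```

For the two restarts shown, clamd's total and daily.cld both grew by 6974, so nothing beyond the official databases was loaded at that point.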
 
There it is!

Code:
Jun 20 13:36:28 hosting1 clamd[7501]: instream(127.0.0.1@52661): Sanesecurity.Foxhole.Zip_com.UNOFFICIAL(dcd9eefa0ca4fbe41c23eab80dab43dc:2683) FOUND
Jun 20 13:36:29 hosting1 clamd[7501]: instream(127.0.0.1@52662): Sanesecurity.Foxhole.Zip_com.UNOFFICIAL(c7a575bea90f7de13b5b92949c6dc09a:4674) FOUND

Thanks so much for your help!!
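
An added example, not written by anyone in this thread: a direct probe of the clamd listener that Exim's av_scanner points at (127.0.0.1 port 3310), sending the EICAR string with clamd's INSTREAM command so the scanner can be tested separately from mail delivery. The function names are illustrative, and the 10-second timeout mirrors tmo=10s in /etc/exim.clamav.conf.

```python
import socket
import struct

# The standard 68-byte EICAR test string, assembled from two pieces so that
# this source file is not itself flagged by a scanner.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def frame_instream(data, chunk_size=8192):
    """Encode data as a clamd INSTREAM request.

    Wire format: the NUL-terminated command, then chunks each prefixed with a
    4-byte big-endian length, then a zero-length chunk to end the stream.
    """
    out = [b"zINSTREAM\0"]
    for off in range(0, len(data), chunk_size):
        chunk = data[off:off + chunk_size]
        out.append(struct.pack("!I", len(chunk)) + chunk)
    out.append(struct.pack("!I", 0))
    return b"".join(out)


def parse_reply(raw):
    """Return ('FOUND', signature), ('OK', '') or ('ERROR', message)."""
    text = raw.rstrip(b"\0\n").decode("utf-8", "replace")
    _, _, verdict = text.partition(": ")
    if verdict.endswith(" FOUND"):
        return "FOUND", verdict[: -len(" FOUND")]
    if verdict == "OK":
        return "OK", ""
    return "ERROR", verdict or text


def scan(data, host="127.0.0.1", port=3310, timeout=10.0):
    """Send data to clamd and return the parsed verdict.

    Raises OSError (including socket timeouts) if clamd cannot be reached or
    does not answer in time, the condition behind the paniclog entry.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(frame_instream(data))
        reply = b""
        while not reply.endswith(b"\0"):
            part = sock.recv(4096)
            if not part:
                break
            reply += part
    return parse_reply(reply)


if __name__ == "__main__":
    for label, payload in (("EICAR", EICAR), ("benign", b"hello\n")):
        try:
            print(label, scan(payload))
        except OSError as exc:
            print(label, "clamd unreachable or timed out:", exc)
```

A FOUND verdict for the EICAR payload with no matching rejection in the Exim mainlog points at the ACL path rather than at clamd.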
 