LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices


Reply
  Search this Thread
Old 02-28-2008, 04:58 AM   #1
adymcc
Member
 
Registered: Dec 2006
Posts: 31

Rep: Reputation: 17
Clam Anti Virus and vmlinuz


Hi all,

I'm posting this as I cannot see anyone else listing this as an issue. I have installed Clam AV on a RedHat 5.1 workstation and when running a full scan (Clam AV running as root) I get the following:

#clamdscan /
//boot/vmlinuz-2.6.18-53.el5: Broken.Executable FOUND

This does not happen if I scan with 'clamscan', also this can be stopped by hashing out the config file entry "DetectBrokenExecutables yes" but I don't want to start reducing the functionality.

Anyone got any ideas?

Here's the info,

/var/log/messages:

Feb 28 09:45:36 redhattest01 clamd[8582]: No stats for Database check - forcing reload
Feb 28 09:45:36 redhattest01 clamd[8582]: Reading databases from /var/clamav
Feb 28 09:45:40 redhattest01 clamd[8582]: //boot/vmlinuz-2.6.18-53.el5: Broken.Executable FOUND
Feb 28 09:45:46 redhattest01 clamd[8582]: Client disconnected
Feb 28 09:45:48 redhattest01 clamd[8582]: Database correctly reloaded (389324 signatures)


Clam Version: ClamAV 0.92.1 (fully updated)

System: Linux redhattest01.domain 2.6.18-53.el5 #1 SMP Wed Oct 10 16:34:02 EDT 2007 i686 i686 i386 GNU/Linux

Version: Red Hat Enterprise Linux Client release 5.1 (Tikanga)

clamd.conf: [root@redhattest01 init.d]# cat /etc/clamd.conf
##
## Example config file for the Clam AV daemon
## Please read the clamd.conf(5) manual before editing this file.
##


# Comment or remove the line below.
#Example

# Uncomment this option to enable logging.
# LogFile must be writable for the user running daemon.
# A full path is required.
# Default: disabled
LogFile /var/log/clamav/clamd.log

# By default the log file is locked for writing - the lock protects against
# running clamd multiple times (if want to run another clamd, please
# copy the configuration file, change the LogFile variable, and run
# the daemon with --config-file option).
# This option disables log file locking.
# Default: no
#LogFileUnlock yes

# Maximum size of the log file.
# Value of 0 disables the limit.
# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
# in bytes just don't use modifiers.
# Default: 1M
LogFileMaxSize 0

# Log time with each message.
# Default: no
LogTime yes

# Also log clean files. Useful in debugging but drastically increases the
# log size.
# Default: no
#LogClean yes

# Use system logger (can work together with LogFile).
# Default: no
LogSyslog yes

# Specify the type of syslog messages - please refer to 'man syslog'
# for facility names.
# Default: LOG_LOCAL6
#LogFacility LOG_MAIL

# Enable verbose logging.
# Default: no
#LogVerbose yes

# This option allows you to save a process identifier of the listening
# daemon (main thread).
# Default: disabled
PidFile /var/run/clamav/clamd.pid

# Optional path to the global temporary directory.
# Default: system specific (usually /tmp or /var/tmp).
TemporaryDirectory /var/tmp

# Path to the database directory.
# Default: hardcoded (depends on installation options)
DatabaseDirectory /var/clamav

# The daemon works in a local OR a network mode. Due to security reasons we
# recommend the local mode.

# Path to a local socket file the daemon will listen on.
# Default: disabled (must be specified by a user)
LocalSocket /tmp/clamd.socket

# Remove stale socket after unclean shutdown.
# Default: yes
FixStaleSocket yes

# TCP port address.
# Default: no
TCPSocket 3310

# TCP address.
# By default we bind to INADDR_ANY, probably not wise.
# Enable the following to provide some degree of protection
# from the outside world.
# Default: no
TCPAddr 127.0.0.1

# Maximum length the queue of pending connections may grow to.
# Default: 15
MaxConnectionQueueLength 30

# Clamd uses FTP-like protocol to receive data from remote clients.
# If you are using clamav-milter to balance load between remote clamd daemons
# on firewall servers you may need to tune the options below.

# Close the connection when the data size limit is exceeded.
# The value should match your MTA's limit for a maximum attachment size.
# Default: 10M
#StreamMaxLength 20M

# Limit port range.
# Default: 1024
#StreamMinPort 30000
# Default: 2048
#StreamMaxPort 32000

# Maximum number of threads running at the same time.
# Default: 10
MaxThreads 50

# Waiting for data from a client socket will timeout after this time (seconds).
# Value of 0 disables the timeout.
# Default: 120
ReadTimeout 300

# Waiting for a new job will timeout after this time (seconds).
# Default: 30
#IdleTimeout 60

# Maximum depth directories are scanned at.
# Default: 15
#MaxDirectoryRecursion 20

# Follow directory symlinks.
# Default: no
#FollowDirectorySymlinks yes

# Follow regular file symlinks.
# Default: no
#FollowFileSymlinks yes

# Perform a database check.
# Default: 1800 (30 min)
#SelfCheck 600

# Execute a command when virus is found. In the command string %v will
# be replaced with the virus name.
# Default: no
#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v"

# Run as another user (clamd must be started by root for this option to work)
# Default: don't drop privileges
###User clamav

# Initialize supplementary group access (clamd must be started by root).
# Default: no
###AllowSupplementaryGroups yes

# Stop daemon when libclamav reports out of memory condition.
#ExitOnOOM yes

# Don't fork into background.
# Default: no
#Foreground yes

# Enable debug messages in libclamav.
# Default: no
#Debug yes

# Do not remove temporary files (for debug purposes).
# Default: no
#LeaveTemporaryFiles yes

# Detect Possibly Unwanted Applications.
# Default: no
#DetectPUA yes

# In some cases (eg. complex malware, exploits in graphic files, and others),
# ClamAV uses special algorithms to provide accurate detection. This option
# controls the algorithmic detection.
# Default: yes
#AlgorithmicDetection yes


##
## Executable files
##

# PE stands for Portable Executable - it's an executable file format used
# in all 32 and 64-bit versions of Windows operating systems. This option allows
# ClamAV to perform a deeper analysis of executable files and it's also
# required for decompression of popular executable packers such as UPX, FSG,
# and Petite.
# Default: yes
ScanPE yes

# Executable and Linking Format is a standard format for UN*X executables.
# This option allows you to control the scanning of ELF files.
# Default: yes
ScanELF yes

# With this option clamav will try to detect broken executables (both PE and
# ELF) and mark them as Broken.Executable.
# Default: no
DetectBrokenExecutables yes


##
## Documents
##

# This option enables scanning of OLE2 files, such as Microsoft Office
# documents and .msi files.
# Default: yes
ScanOLE2 yes

# This option enables scanning within PDF files.
# Default: no
#ScanPDF yes


##
## Mail files
##

# Enable internal e-mail scanner.
# Default: yes
ScanMail yes

# If an email contains URLs ClamAV can download and scan them.
# WARNING: This option may open your system to a DoS attack.
# Never use it on loaded servers.
# Default: no
#MailFollowURLs no

# Recursion level limit for the mail scanner.
# Default: 64
#MailMaxRecursion 128

# With this option enabled ClamAV will try to detect phishing attempts by using
# signatures.
# Default: yes
#PhishingSignatures yes

# Scan URLs found in mails for phishing attempts using heuristics.
# Default: yes
#PhishingScanURLs yes

# Use phishing detection only for domains listed in the .pdb database. It is
# not recommended to have this option turned off, because scanning of all
# domains may lead to many false positives!
# Default: yes
#PhishingRestrictedScan yes

# Always block SSL mismatches in URLs, even if the URL isn't in the database.
# This can lead to false positives.
#
# Default: no
#PhishingAlwaysBlockSSLMismatch no

# Always block cloaked URLs, even if URL isn't in database.
# This can lead to false positives.
#
# Default: no
#PhishingAlwaysBlockCloak no
 
Old 02-28-2008, 05:07 AM   #2
pwc101
Senior Member
 
Registered: Oct 2005
Location: UK
Distribution: Slackware
Posts: 1,847

Rep: Reputation: 128Reputation: 128
These threads from the clamwin forum seem to suggest that it's just ClamAV being slightly overly cautious.

http://forums.clamwin.com/viewtopic.php?p=3286
particularly http://forums.clamwin.com/viewtopic....ken+executable which includes a response from one of the site admins.
 
Old 02-28-2008, 05:45 AM   #3
adymcc
Member
 
Registered: Dec 2006
Posts: 31

Original Poster
Rep: Reputation: 17
OK thanks pwc101, so this is "normal behaviour" for this type of file but seems strange that the "DetectBrokenExecutables yes" is set by default!

Thank you,
 
Old 02-28-2008, 05:53 AM   #4
pwc101
Senior Member
 
Registered: Oct 2005
Location: UK
Distribution: Slackware
Posts: 1,847

Rep: Reputation: 128Reputation: 128
That might be Red Hat changing the default settings. It seems my compiled version has the DetectBrokenExecutables option commented out by default (admittedly it is slightly outdated (0.91.2)).
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Is clam anti-virus a decent product HGeneAnthony Linux - Software 8 04-29-2006 06:01 PM
LXer: Microsoft Anti-Spyware Deleting Norton Anti-Virus LXer Syndicated Linux News 0 02-13-2006 05:31 AM
Clam Anti-Virus jspaceman Slackware 3 03-28-2005 11:57 AM
Boot virus or Anti-Virus? AVG Free Anti-Virus Software problems SparceMatrix Linux - Security 9 08-02-2004 03:35 PM
Clam Anti-Virus database down? jspaceman Linux - Software 3 03-23-2004 03:53 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Software

All times are GMT -5. The time now is 06:04 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration