Clamav not catching sober.ag

wkdwich

Well-Known Member
Apr 11, 2005
I am getting swamped, my clients are getting swamped.. in 4 hours I got almost 40 of these nasty buggers and I don't know where to turn, so here I am..

WHM 10.8.0 cPanel 10.8.1-C29
Fedora i686 - WHM X v3.1.0
VPS
Exim 4.52, Spamassassin & Clamav

SOBER.AG is the only one that seems to be coming through. The host tech tells me that if he does a direct scan it catches the worm, but if left to its normal course it doesn't.

The virus definitions are current:
ClamAV update process started at Wed Nov 30 01:10:53 2005
daily.cvd updated (version: 1198, sigs: 1667, f-level: 6, builder: diego)
Database updated (41292 signatures) from database.clamav.net (IP: 64.186.250.53)

I did some major poking around the Exim forums and many are having the same issue, but none specifically state they are cPanel users, so I am leery of using the one suggestion that worked for one guy on a different strain of the SOBER worm.

> http://lurker.clamav.net/message/20051121.222443.3451b99d.en.html
>
> Can you go read this and tell me if it applies???


This thread suggests:
The key is that "clamscan --detect-broken" is not the default clamd operation
and probably the same goes for the milter.

Fix it by editing /etc/clamd.conf, make sure that the following are set:

DisableDefaultScanOptions {{someone else says NO, do not enable this one}}
DetectBrokenExecutables

The original poster states no change turning either of these on.

The original poster says this suggestion did the trick:
> I would suggest using the following config in your case (it's based on
> the one you have sent here):
>
> LogFileMaxSize 0 {{Default is 1, mine is commented out}}
> LogTime {{commented out}}
> LogClean {{commented out}}
> LogSyslog {{commented out}}
> LogFacility LOG_LOCAL7 {{commented out, default = LOG_LOCAL6}}
> PidFile /var/clamav/clamd.pid {{commented out}}
> TemporaryDirectory /tmp {{commented out}}
> FixStaleSocket {{ACTIVE}}
> TCPSocket 3310 {{commented out}}
> TCPAddr 127.0.0.1 {{commented out}}
> MaxConnectionQueueLength 20 {{commented out default 15}}
> StreamMaxLength 2M {{commented out default 10M}}
> MaxThreads 30 {{commented out, default 10}}
> ReadTimeout 60 {{commented out default 120}}
> MaxDirectoryRecursion 10 {{commented out default 15}}
> SelfCheck 1800 {{commented out default 1800}}
> User clamav {{commented out}}
> ArchiveMaxFileSize 1M {{commented out default 10M}}
> ArchiveMaxRecursion 8 {{commented out default 5}}
> ArchiveMaxFiles 1000 {{commented out default 1000}}
> ArchiveMaxCompressionRatio 250 {{commented out default 250}}
>

Further in the thread:
The problem was that the signature directory of the FreeBSD port has
changed from /usr/local/share/clamav to /var/db/clamav, but I didn't
update the freshclam.conf so freshclam downloaded the sigs to the old
directory which isn't used anymore. I changed the directory in
freshclam.conf and it works now.

[email protected] [/etc]# whereis clamav
clamav: /usr/include/clamav.h /usr/local/clamav /usr/share/clamav

My freshclam.conf:

# Path to the database directory.
# WARNING: It must match clamd.conf's directive!
# Default: hardcoded (depends on installation options)
#DatabaseDirectory /var/lib/clamav

I have had issues in the past with ClamAV out-of-date notices, and the only way I could figure out how to correct and update was to uninstall clamavconnector and reinstall it:
Name: clamavconnector
Author: cPanel Inc.
Installed Version: 0.87-1.3
Version: 0.87-1.3


So the point here is that Clam is working, just not on all 8 cylinders.. Anyone have any suggestions here to help?

thanks
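The mismatch described in the quoted thread (freshclam writing signatures to one directory while clamd reads another, so a "current" database never reaches the daemon even though a direct clamscan works) can be checked from the two config files before reinstalling anything. The following POSIX shell script is an added example; it is not from the original post, from cPanel or from the ClamAV project. It assumes `/var/lib/clamav` as the compiled-in default, taken from the commented-out line in the poster's freshclam.conf (the real default depends on how the package was built), and the sample config files it creates are constructed for the demo, not real files.

```shell
#!/bin/sh
# Added example: verify that clamd and freshclam resolve to the same
# signature directory, and that this directory actually holds the daily
# signature file freshclam reports updating.

# effective_dbdir CONF DEFAULT
# Print the value of the last uncommented DatabaseDirectory line in CONF,
# or DEFAULT when the directive is commented out or absent.
effective_dbdir() {
    val=$(sed -n 's/^[[:space:]]*DatabaseDirectory[[:space:]]\{1,\}\([^[:space:]#]\{1,\}\).*/\1/p' "$1" | tail -n 1)
    if [ -n "$val" ]; then
        printf '%s\n' "$val"
    else
        printf '%s\n' "$2"
    fi
}

# has_daily DIR: succeed if DIR holds daily.cvd or daily.cld
has_daily() {
    [ -f "$1/daily.cvd" ] || [ -f "$1/daily.cld" ]
}

# check_sigs CLAMD_CONF FRESHCLAM_CONF DEFAULT
# Exit status: 0 = both agree and signatures are present,
#              1 = the two configs resolve to different directories,
#              2 = they agree but that directory has no daily signatures.
check_sigs() {
    cdir=$(effective_dbdir "$1" "$3")
    fdir=$(effective_dbdir "$2" "$3")
    if [ "$cdir" != "$fdir" ]; then
        echo "MISMATCH: clamd reads $cdir but freshclam updates $fdir" >&2
        return 1
    fi
    if ! has_daily "$cdir"; then
        echo "NO SIGNATURES: $cdir has no daily.cvd/daily.cld" >&2
        return 2
    fi
    echo "OK: clamd and freshclam both use $cdir"
    return 0
}

# --- constructed sample layout for the demo (not real system files) ---
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
DEFAULT_DIR="$DEMO/var/lib/clamav"          # assumed compiled-in default
STALE_DIR="$DEMO/usr/local/share/clamav"    # old location, as in the thread
mkdir -p "$DEFAULT_DIR" "$STALE_DIR"

# clamd.conf with the directive commented out, like the poster's file
printf '%s\n' '# Path to the database directory.' \
    "#DatabaseDirectory $DEFAULT_DIR" > "$DEMO/clamd.conf"
# freshclam.conf that agrees with clamd
printf '%s\n' "DatabaseDirectory $DEFAULT_DIR" > "$DEMO/freshclam-ok.conf"
# freshclam.conf still pointing at the old directory
printf '%s\n' "DatabaseDirectory $STALE_DIR" > "$DEMO/freshclam-stale.conf"
# freshclam has only ever written signatures into the old directory
: > "$STALE_DIR/daily.cvd"

echo "--- freshclam.conf pointing at the old directory ---"
check_sigs "$DEMO/clamd.conf" "$DEMO/freshclam-stale.conf" "$DEFAULT_DIR" || true
echo "--- configs agree, but no signatures ever landed there ---"
check_sigs "$DEMO/clamd.conf" "$DEMO/freshclam-ok.conf" "$DEFAULT_DIR" || true
```

Run `check_sigs /etc/clamd.conf /etc/freshclam.conf <default>` with the default your build uses; on the poster's box, where `whereis clamav` shows both `/usr/local/clamav` and `/usr/share/clamav`, the interesting question is which of those directories freshclam's "Database updated" line actually wrote to and whether it is the one clamd loads.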