ClamAV Alert about new config version

Upstream has released a testing RPM: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-b86f54cbf1

If you want to try:

yum --enablerepo=epel-testing update clamav-unofficial-sigs

Please report the karma to bodhi!

4 Likes

I hope the problem will be solved soon because I’ve been flooded with alerts all weekend. :face_with_symbols_over_mouth::face_with_symbols_over_mouth::slight_smile:

3 Likes

No more Alert here so far. Seems to work. :sweat_smile:
Edit: manual update. epel-rpm not tested.

Please can the Nethesis team consider having some sort of “status dashboard” for their products.

This problem with ClamAV must be affecting lots of people and has caused some users to install packages that have broken their systems. If Nethesis could have a status page of “current issues” and what’s being done to fix them it might help prevent users damaging their systems.

It seems to me as though the ClamAV issue is due to upstream software, which requires a fix from upstream that will eventually be rolled out to Nethserver. My solution is to “wait for the fix and delete the spam email”.

e.g. this is what my internet provider has for their systems https://aastatus.net/

(Even a simple news feed might be helpful).

Many thanks
Bob

3 Likes

@bobtskutter, don’t get me wrong, but a status page is meant to report incidents that have an impact on the availability of a service.

In this case, there have been no availability issues.
While annoying, we simply have received a lot of emails about a “supposed” non-existent problem, think of that like spam.

I didn’t like that spam, I tried to avoid the issue and find a way to protect us from future mistakes.
The only option that came to my mind needs a lot of resources and I think that we could work together with “upstream” to avoid future problems.

2 Likes

tnx, it seems to work :raised_hands::vulcan_salute:

1 Like

To people who are concerned about stockpiling of useless messages: create a rule to throw them to trash.

1 Like

What commands did you run exactly for this solution?
You say you followed upgrade instructions for 6.1, downloaded files, and copied files into right directories, but I don’t see those instructions there. I ran the following commands as it shows, and I still get the email message;

wget https://raw.githubusercontent.com/extremeshok/clamav-unofficial-sigs/master/clamav-unofficial-sigs.sh -O /usr/local/sbin/clamav-unofficial-sigs.sh && chmod 755 /usr/local/sbin/clamav-unofficial-sigs.sh
wget https://raw.githubusercontent.com/extremeshok/clamav-unofficial-sigs/master/config/master.conf -O /etc/clamav-unofficial-sigs/master.conf
/usr/local/sbin/clamav-unofficial-sigs.sh --force

No Warnings since I did this 2 hours ago, Thank you!

Sorry @flatspin, I’ve marked my post as solution since upstream has the correct fix.

The update should land soon on EPEL.

I think this is the easier way. :wink:

I did:

wget https://raw.githubusercontent.com/extremeshok/clamav-unofficial-sigs/master/clamav-unofficial-sigs.sh
wget https://raw.githubusercontent.com/extremeshok/clamav-unofficial-sigs/master/config/master.conf 
chmod 755 clamav-unofficial-sigs.sh

Then copied clamav-unofficial-sigs.sh to /usr/sbin and master.conf to /etc/clamav-unofficial-sigs.
After that I had to do sh /usr/sbin/clamav-unofficial-sigs.sh --force

1 Like

You’re welcome! :smiley:

1 Like

Hi,

It seems good so far. But this problem after the daily virus scan is the same as yesterday:

Scan Jan 27 12:30:01 2020
Scanned Folder: //var/lib/clamav/rfxn.yara: Php.Exploit.C99-23 FOUND
/var/lib/clamav-unofficial-sigs/dbs-lmd/sigpack.tgz: Php.Exploit.C99-23 FOUND
/var/lib/clamav-unofficial-sigs/dbs-lmd/rfxn.yara: Php.Exploit.C99-23 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 6561649
Engine version: 0.101.5
Scanned directories: 25608
Scanned files: 147292
Infected files: 3
Data scanned: 21736.71 MB
Data read: 16733.96 MB (ratio 1.30:1)
Time: 1975.858 sec (32 m 55 s)

Is that a real virus or a mistake related to the problem?

What can I do to get the system clean?

Regards

Uwe

Sorry @giacomo not working for me and additionally I have an update problem now

failure: repodata/repomd.xml from sb-base: [Errno 256] No more mirrors to try. https://u2.nethserver.com/stable/7.7.1908/base/x86_64/repodata/repomd.xml: [Errno 14] HTTPS Error 403 - Forbidden https://u3.nethserver.com/stable/7.7.1908/base/x86_64/repodata/repomd.xml: [Errno 14] HTTPS Error 403 - Forbidden

any ideas?

The community is aware of epel update issues, but not really when we have tested the upgrade and seen a broken rpm. One recent example, fail2ban was broken by the email notification action, the service was down after the upgrade.

Imagine the number of rpm tests we have to do.

When the update comes from epel-testing, we have 15 days to test and report.

This is not relevant to nethserver, but also valid for any centos/rhel products

1 Like

What is not working for you? The upstream fix? Are you sure you have installed the right RPM?
Other upstream users are reporting that everything has been fixed with the package from epel-testing.

No, I can’t reproduce on a clean machine. Are you sure the subscription is still valid?
Since this is not relevant to this thread, feel free to open a new one or send me a private message if you think that you have problems with a valid subscription.

That’s it, my subscription expired on 21st - sorry, my fault…

No it’s our fault: we should have sent a reminder by mail :frowning:
I hope to have time to implement it during this year!

3 Likes

Hi @all,

Today I received this message again.

Scan Jan 28 12:30:01 2020
Scanned Folder: //var/lib/clamav/rfxn.yara: Php.Exploit.C99-23 FOUND
/var/lib/clamav-unofficial-sigs/dbs-lmd/sigpack.tgz: Php.Exploit.C99-23 FOUND
/var/lib/clamav-unofficial-sigs/dbs-lmd/rfxn.yara: Php.Exploit.C99-23 FOUND

Is that a real virus or not?

Regards

Uwe

No. The filesystem scan should avoid scanning the virus signatures database.

4 Likes
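
An added example, not part of any post in this thread: a shell sketch that triages a clamscan report so that hits on ClamAV's own signature files (the case in the reports above) are separated from hits that need review, and that builds `--exclude-dir` options for the signature directories. The sample report is constructed, the `/var/lib/clamav-backup/upload.php` entry is hypothetical, and how the scheduled NethServer scan assembles its clamscan command line is not shown in the thread, so passing these options to it is an assumption.

```shell
#!/bin/sh
# Added example: separate self-detections on signature databases from other hits.

# Signature database directories, taken from the paths in the quoted reports.
SIG_DIRS='/var/lib/clamav /var/lib/clamav-unofficial-sigs'

# Constructed sample report in clamscan's "<path>: <signature> FOUND" format.
# The clamav-backup line is hypothetical and checks the directory boundary.
sample_report() {
cat <<'EOF'
/var/lib/clamav/rfxn.yara: Php.Exploit.C99-23 FOUND
/var/lib/clamav-unofficial-sigs/dbs-lmd/sigpack.tgz: Php.Exploit.C99-23 FOUND
/var/lib/clamav-unofficial-sigs/dbs-lmd/rfxn.yara: Php.Exploit.C99-23 FOUND
/var/lib/clamav-backup/upload.php: Php.Exploit.C99-23 FOUND
/home/example/notes.txt: OK
EOF
}

# Read a report on stdin; for every FOUND line print
# "signature-db <path>" or "review <path>".
classify_hits() {
    awk -v dirs="$SIG_DIRS" '
        BEGIN { n = split(dirs, d, " ") }
        / FOUND$/ {
            path = $0
            sub(/: [^:]* FOUND$/, "", path)      # strip ": <signature> FOUND"
            label = "review"
            for (i = 1; i <= n; i++)
                # match the directory itself or anything below it, not siblings
                if (path == d[i] || index(path, d[i] "/") == 1)
                    label = "signature-db"
            print label, path
        }'
}

# Print one clamscan --exclude-dir option per signature directory.
# The regex is anchored so /var/lib/clamav-backup is still scanned.
exclude_args() {
    for dir in $SIG_DIRS; do
        printf '%s\n' "--exclude-dir=^${dir}(/|\$)"
    done
}

sample_report | classify_hits
```

Anything labelled `review` is outside the signature directories and should be investigated as a normal detection.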