#]
#] *********************
#] "$d_SysMaint"'security/virus: clamscan notes.txt'
# www.BillHowell.ca 21Jan2012 initial, 24Dec2020 new file, 04Feb2024 merged
# view in text editor, using constant-width font (eg courier), tabWidth = 3

#48************************************************48
#24************************24
# Table of Contents, generate with :
# $ grep "^#]" "$d_SysMaint"'security/virus: clamscan notes.txt' | sed "s/^#\]/ /"
# *********************
	"$d_SysMaint"'security/virus: clamscan notes.txt'
	ToDos :
	+-----+
	04Feb2024 [clamav, not installed?
	04Feb2024 search "Linux Mint Debian Edition and what is the virus scanner?"
	28Mar2021 script to cut Thunderbird email folders and find text portion with virus
	28Mar2021 clamscan stuck in d_PROJECTS
	24Jan2021 Computer virus scans
	24Dec2020 download virus examples
	01Sep2018 crontab -> freshclam frequency
	30Aug2018 Install clamav (via Software Manager) on LMDE2
	09Jun2017 11:43 freshclam update failures
	31Jan2016 freshclam >7 day out of date
	28Sep2013 Weekly scan :
	09Sep2013 couldn't find clamAV!!
	22Jan2012 ToDos - need script to pick out infected files from a clamscan
	21Jan2012 clamscan options

#24************************24
# Setup etc

freshclam updates are [specified, edited] in the anacron sh :
$ kwrite "/media/bill/PROJECTS/System_maintenance/Linux/cron & anacron daily Howell.txt"
$ sudo
01Sep2018 - freshclam may also be updated via a root crontab? but it's NOT in /etc/crontab

freshclam view log :
$ sudo cat "/var/log/clamav/freshclam.log"

To download a virus sample :
FireFox menu -> Preferences -> Privacy & Security -> Security :
	x Deceptive Content and Dangerous Software Protection
	x Block dangerous and deceptive content (Learn more)
	x Block dangerous downloads
	x Warn you about unwanted and uncommon software
>> temporarily uncheck "Block dangerous downloads" & see what happens
>> OK - works!
DANGEROUS!!! Don't forget to reset FireFox "Block dangerous downloads" when done!!!!

+-----+
Quick notes :

29Mar2021 WEIRD!
Even if clamscan finds viruses in a folder, when the folder is split into text files for each email, no viruses show up!!??!!???!
29Mar2021 folders with "Heuristics.Phishing.Email.SpoofedDomain FOUND" - these are probably OK

+-----+
key infected : "/media/bill/Virus_samples"
/media/bill/Virus_samples/Ikarus viruses/eicar_com.zip: Win.Test.EICAR_HDB-1 FOUND
/media/bill/Virus_samples/Ikarus viruses/eicar.com: Win.Test.EICAR_HDB-1 FOUND
/media/bill/Virus_samples/infected/210328/z_Archive: Email.Phishing.VOF1-6314019-0 FOUND
/media/bill/Virus_samples/infected/210328/Trash: Win.Trojan.Generickd-395 FOUND

#] ToDos :
24Dec2020 download more virus samples
24Dec2020 split email folders to find email with virus

#] +-----+
24************************24
#08********08
#] ??Feb2024

#08********08
#] ??Feb2024

#08********08
#] ??Feb2024

#08********08
#] ??Feb2024

#08********08
#] ??Feb2024

#08********08
#] 04Feb2024 change diff_it() handling of FOUND viruses
change :
	beval 'diff "'"$p_history"'" "'"$p_current"'" --suppress-common-lines | grep "'"^>"'" | sed "'"s/^>\ //"'" | sort -u >"'"$p_temp"'" '
to :
	grep 'FOUND' "$p_log" | sort -u >"$p_current"
>> incomplete - finish next scan
no viruses found? suspicious...

08********08
#] 04Feb2024 [clamav, not installed?
08:57$ man clamscan
No manual entry for clamscan
~
09:55$ man clamav
No manual entry for clamav
~
>> can I still use Software Manager to download?
yes - it WASN'T installed!!??

11:26$ bash "$d_bin""virus - clamscan.sh"
4February2024 11h26m, start of virus - clamscan.sh
+-----+
excludes to avoid HUGE redundancy!!
change to :
	# becho, beval, header and footer are the author's helper functions, defined elsewhere in $d_bin
	clam_it() {
		dScan="$1"
		dExc1="${2:-}"
		dExc2="${3:-}"
		date_ddmmmyyyy_hms=$(date +"%0e%0b%0Y %0kh%0Mm%0Ss")
		becho '+-----+'
		becho "$date_ddmmmyyyy_hms, $dScan"
		# only pass --exclude-dir for non-empty args: a missing arg would otherwise
		# be passed as an empty regex, which matches every directory name
		excl=''
		[ -n "$dExc1" ] && excl="$excl"' --exclude-dir="'"$dExc1"'"'
		[ -n "$dExc2" ] && excl="$excl"' --exclude-dir="'"$dExc2"'"'
		beval 'clamscan >>"'"$p_log"'" -ri --bell'"$excl"' "'"$dScan"'" '
	}

	clam_all() {
		date_ddmmmyyyy_hms=$(date +"%0e%0b%0Y %0kh%0Mm%0Ss")
		header
		#        dScan                         dExc1                dExc2
		clam_it "/home/bill/"                 "/home/bill/web/"    "/home/bill/PROJECTS/"
		clam_it "$d_web"                      "z_Archive/"         "z_Old/"
		clam_it "$d_PROJECTS"                 "z_Archive/"         "z_Old/"
		#clam_it "$d_Midas"
		clam_it "/media/bill/Virus_samples"
		footer
	}

14:45$ bash "$d_bin""virus - clamscan.sh"
04Feb2024 14h45m06s, start of virus - clamscan.sh
+-----+
04Feb2024 14h45m06s, /home/bill/
clamscan >>"/home/bill/web/bin/virus - clamscan log.txt" -ri --bell --exclude-dir="/home/bill/web/" --exclude-dir="/home/bill/PROJECTS/" "/home/bill/"

08********08
#] 04Feb2024 search "Linux Mint Debian Edition and what is the virus scanner?"
still clamav :
https://www.debian.org/doc/manuals/securing-debian-manual/ch08s08.en.html
	Debian currently provide clamav as the only antivirus scanning software in the main official distribution and it also provides multiple interfaces to build gateways with antivirus capabilities for different protocols.
	[56] If you use this last package and are running an official Debian, the database will not be updated with security updates. You should either use clamav-freshclam, clamav-getfiles to generate new clamav-data packages or update from the maintainers location:
		deb http://people.debian.org/~zugschlus/clamav-data/ /
		deb-src http://people.debian.org/~zugschlus/clamav-data/ /
	Debian GNU/Linux currently provides the following tools for building antivirus environments:
	http://www.clamav.net, provided since Debian sarge (3.1 release). Packages are provided both for the virus scanner (clamav) for the scanner daemon (clamav-daemon) and for the data files needed for the scanner.
	Since keeping an antivirus up-to-date is critical for it to work properly there are two different ways to get this data: clamav-freshclam provides a way to update the database through the Internet automatically and clamav-data which provides the data files directly. [56]
	mailscanner an e-mail gateway virus scanner and spam detector. Using sendmail or exim as its basis, it can use more than 17 different virus scanning engines (including clamav).
	libfile-scan-perl which provides File::Scan, a Perl extension for scanning files for viruses. This module can be used to make platform independent virus scanners.
	http://www.sourceforge.net/projects/amavis, provided in the package amavis-ng and available in sarge, which is a mail virus scanner which integrates with different MTA (Exim, Sendmail, Postfix, or Qmail) and supports over 15 virus scanning engines (including clamav, File::Scan and openantivirus).
	http://packages.debian.org/sanitizer, a tool that uses the procmail package, which can scan email attachments for viruses, block attachments based on their filenames, and more.
	http://packages.debian.org/amavis-postfix, a script that provides an interface from a mail transport agent to one or more commercial virus scanners (this package is built with support for the postfix MTA only).
	exiscan, an e-mail virus scanner written in Perl that works with Exim.
	blackhole-qmail a spam filter for Qmail with built-in support for Clamav.

+--+
https://forums.linuxmint.com/viewtopic.php?t=305503
Re: Scan for virus on demand
Post by Pjotr » Sat Nov 16, 2019 5:16 am
	Installing antivirus makes your desktop Linux less secure:
	https://easylinuxtipsproject.blogspot.com/p/security.html
	So I definitely recommend to stick to virustotal. Note that Google-owned virustotal scans with dozens of AV engines simultaneously, so its detection score is the highest by far.
	Tip: 10 things to do after installing Linux Mint 21.3 Virginia
	Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
	Twitter: twitter.com/easylinuxtips
	All in all, horse sense simply makes sense.
	Pjotr
>> Pjotr seems a bit blase : low probability doesn't help if you are already infected?
still - only advice I've seen besides blah-blah

+--+
https://easylinuxtipsproject.blogspot.com/p/security.html
Security in Linux Mint and Ubuntu: an Explanation and Some Tips
Latest update for this article: January 6th, 2024
author: pjotr
	An extremely short summary of the best security practice in Linux Mint is this:
	- Use good passwords.
	- Install updates as soon as they become available.
	- Only install software from the official software sources of Linux Mint and Ubuntu.
	- Don't install antivirus (yes, really!).
	- Don't install Windows emulators like Wine.
	- Enable the firewall.
	- Above all: use your common sense.

	You can turn on the firewall :
	a. Launch a terminal window.
	b. Copy/paste the following command line into the terminal:
		sudo ufw enable
	Press Enter. Type your password when prompted. In Ubuntu this remains entirely invisible, not even dots will show when you type it, that's normal. In Mint this has changed: you'll see asterisks when you type. Press Enter again.
	Uncomplicated Firewall (ufw) has a sensible set of default settings (profile), which are fine for the vast majority of home users. So unless you have special wishes: you're done!
	c. With this command line you can check the current status of the firewall:
		sudo ufw status verbose
	Press Enter.
	When it's enabled, the output should resemble this:
		pjotr@netbook:~$ sudo ufw status verbose
		[sudo] password for pjotr:
		Status: active
		Logging: on (low)
		Default: !!**deny (incoming)**!!, allow (outgoing) disabled (routed)
		New profiles: skip
		pjotr@netbook:~$

08********08
#] 28Mar2021 script to cut Thunderbird email folders and find text portion with virus
mkdir /media/bill/Virus_samples/infected/210328
>> copied infected email folders here

Use QNial!!! I did complex things with IJCNN mass emails
"$d_Qndfs""virus - find email with virus.ndf"

29Mar2021 folders with "Heuristics.Phishing.Email.SpoofedDomain FOUND" these are probably OK
	folder_split_emails (link d_Thunderbird 'Climate.sbd/People.sbd/Dobler, Sacha') (link d_temp 'emails/')
	>> this folder shows two emails in Thunderbird, but only one extracted!
	folder_split_emails probably drops last email? YES! I fixed it
	This looks like an unknown redirection, but it is probably legitimate and no threat.

	folder_split_emails (link d_Thunderbird 'Charity.sbd/John O'Sullivan - PSI') (link d_temp 'emails/')

these should be addressed :
+-----+
/home/bill/Thunderbird/n4caryuo.default/Mail/Local Folders/Purchases.sbd/Books.sbd/Amazon.sbd/z_Archive: Email.Phishing.VOF1-6314019-0 FOUND
	folder_split_emails (link d_Thunderbird 'Purchases.sbd/Books.sbd/Amazon.sbd/z_Archive') (link d_temp 'emails/')
$ clamscan -ri --bell '/home/bill/Thunderbird/n4caryuo.default/Mail/Local Folders/Purchases.sbd/Books.sbd/Amazon.sbd/z_Archive'
/home/bill/Thunderbird/n4caryuo.default/Mail/Local Folders/Purchases.sbd/Books.sbd/Amazon.sbd/z_Archive: Email.Phishing.VOF1-6314019-0 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8516193
Engine version: 0.102.4
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.80 MB
Data read: 8.48 MB (ratio 0.09:1)
Time: 18.822 sec (0 m 18 s)

qnial> folder_split_emails (link d_Thunderbird 'Purchases.sbd/Books.sbd/Amazon.sbd/z_Archive') (link d_temp 'emails/')
>> None found!???!!!???
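A Thunderbird mail folder is a plain mbox file, so the folder_split_emails step above can be done in shell with awk. This is an added example, not the author's QNial routine: it writes every message, including the last one (which the note above says folder_split_emails dropped), keeps the envelope "From " line on each piece, and counts messages so the "original = good + contaminated" check can be made. The sample mbox, its addresses and the scan_pieces helper are constructed here.

```shell
#!/usr/bin/env bash
# Added example (not from the notes): split a Thunderbird mail folder, which is a
# plain mbox file, into one file per message so that each message can be scanned
# on its own. Every message starts with an envelope line "From <sender> <date>";
# body lines that happen to start with "From " are escaped as ">From " in mbox.
set -u
export LC_ALL=C

# count_mbox MBOX -> number of envelope lines, i.e. number of messages in the folder
count_mbox() {
    grep -c '^From ' "$1"
}

# split_mbox MBOX OUTDIR -> writes OUTDIR/00001.eml, 00002.eml, ... and prints how
# many messages were written. Each piece is written as its lines stream through,
# so the last message is never dropped.
split_mbox() {
    mkdir -p "$2" || return 1
    awk -v out="$2" '
        /^From / { if (n) close(file); n++; file = sprintf("%s/%05d.eml", out, n) }
        n        { print > file }     # ">From " body lines do not match /^From /
        END      { if (n) close(file); print n + 0 }
    ' "$1"
}

# scan_pieces OUTDIR -> clamscan over the split messages, reporting infected ones
# only (-i). Not run here; assumes clamscan is installed when you use it.
scan_pieces() {
    clamscan -i --bell "$1"
}

# Constructed three-message sample mbox (addresses use the reserved .invalid TLD)
sample_mbox=$(mktemp)
cat >"$sample_mbox" <<'EOF'
From alice@example.invalid Sun Mar 28 10:00:00 2021
From: alice@example.invalid
Subject: first

body one
>From here on the body quotes an envelope line, escaped per mbox convention

From bob@example.invalid Sun Mar 28 10:05:00 2021
From: bob@example.invalid
Subject: second

body two

From carol@example.invalid Sun Mar 28 10:10:00 2021
From: carol@example.invalid
Subject: third

body three
EOF
```

Run split_mbox on a copy of the folder, never on the live file under Thunderbird's profile while Thunderbird is open.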
+-----+
/home/bill/Thunderbird/n4caryuo.default/Mail/mail.billhowell.ca/Trash: Win.Trojan.Generickd-395 FOUND
	folder_split_emails (link d_Thunderbird '/home/bill/Thunderbird/n4caryuo.default/Mail/mail.billhowell.ca/Trash') (link d_temp 'emails/')
$ clamscan -ri --bell '/media/bill/ramdisk/emails/'

----------- SCAN SUMMARY -----------
Known viruses: 8516193
Engine version: 0.102.4
Scanned directories: 1
Scanned files: 329
Infected files: 0
Data scanned: 21.19 MB
Data read: 7.78 MB (ratio 2.72:1)
Time: 24.989 sec (0 m 24 s)

/media/bill/ramdisk/emails
$ clamscan -ri --bell '/home/bill/Thunderbird/n4caryuo.default/Mail/mail.billhowell.ca/Trash'
/home/bill/Thunderbird/n4caryuo.default/Mail/mail.billhowell.ca/Trash: Win.Trojan.Generickd-395 FOUND
qnial> move_contaminated_emails "$d_temp"'emails/' '"/media/bill/Virus_samples/infected/"'

----------- SCAN SUMMARY -----------
Known viruses: 8516193
Engine version: 0.102.4
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.15 MB
Data read: 4.66 MB (ratio 0.03:1)
Time: 17.234 sec (0 m 17 s)

>> interesting - the virus doesn't show up when the emails are split off into separate text files
Only direct analysis shows it
>> copy folder to VIRUS, then delete

08********08
#] 28Mar2021 clamscan stuck in d_PROJECTS
+-----+
scan...
28March2021 10h36m, /media/bill/Dell2/PROJECTS/
clamscan >>"/media/bill/Dell2/Website - raw/bin/virus - clamscan log.txt" -ri --bell "/media/bill/Dell2/PROJECTS/"
LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
LibClamAV Warning: [Bytecode JIT]: recovered from error
LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
LibClamAV Warning: Bytecode 51 failed to run: CL_ETIMEOUT: Time limit reached
LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
LibClamAV Warning: [Bytecode JIT]: recovered from error
LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
LibClamAV Warning: Bytecode 73 failed to run: CL_ETIMEOUT: Time limit reached
LibClamAV Warning: [Bytecode JIT]: Bytecode run timed out, timeout flag set
LibClamAV Warning: [Bytecode JIT]: recovered from error
LibClamAV Warning: [Bytecode JIT]: JITed code intercepted runtime error!
LibClamAV Warning: Bytecode 73 failed to run: CL_ETIMEOUT: Time limit reached
>> as of 15:58 still stuck there!!! (almost 5.5 hours!)
>> HAH! just as I wrote this 15:59, it went to d_webRaw
search for reasons later...
OK done

+-----+
types
	#
	2	Eicar-Test-Signature FOUND
		1	/media/bill/Virus_samples/Ikarus viruses/eicar_com.zip
		1	/media/bill/Virus_samples/Ikarus viruses/eicar.com
	4	Heuristics.Phishing.Email.SpoofedDomain FOUND
		7	/home/bill/Thunderbird/n4caryuo.default/Mail/Local Folders/Climate.sbd/People.sbd/Dobler, Sacha
		64	/home/bill/Thunderbird/n4caryuo.default/Mail/Local Folders/Charity.sbd/John O'Sullivan - PSI
	1	Email.Phishing.VOF1-6314019-0 FOUND
		1	/home/bill/Thunderbird/n4caryuo.default/Mail/Local Folders/Purchases.sbd/Books.sbd/Amazon.sbd
	1	Win.Trojan.Generickd-395 FOUND
		1	/home/bill/Thunderbird/n4caryuo.default/Mail/mail.billhowell.ca/Trash

Uh Oh! doesn't have any emails showing in my Thunderbird Charity.sbd folder - only in 7_Newsgroups slow? :
	/home/bill/Thunderbird/n4caryuo.default/Mail/Local Folders/Charity.sbd/John O'Sullivan - PSI
>> I might have moved them all?
>> Or did clamscan quarantine the whole folder?
>> check other infected folders : 2/2 still there :
	/media/bill/Virus_samples/Ikarus viruses/
	72.2 kB	Climate.sbd/People.sbd/Dobler, Sacha
	943.5 kB	Purchases.sbd/Books.sbd/Amazon.sbd
	4.9 kB	mail.billhowell.ca/Trash
So other folders are still there. Why not "Charity.sbd/John O'Sullivan - PSI"?
OOPS!
I screwed up, I was looking at "PSI International", not "John O'Sullivan - PSI"
eliminated redundancy

08********08
#] 24Jan2021 Computer virus scans
All viruses are in /home/bill/, mostly 67 viruses in PSI International emails, but also Amazon & virus inventory
ToDo for later - recover & inventory viruses

24January2021 19h36m, /home/bill
clamscan >>"/media/bill/Dell2/PROJECTS/bin/virus - clamscan log.txt" -ri --bell "/home/bill"
/home/bill/Thunderbird/n4caryuo.default/Mail/Local Folders/System_maintenance.sbd/a_Phishing scams: Win.Malware.Upatre-11421 FOUND
/home/bill/Thunderbird/n4caryuo.default/Mail/Local Folders/Purchases.sbd/Books.sbd/Amazon.sbd/z_Archive: Email.Phishing.VOF1-6314019-0 FOUND
/home/bill/Thunderbird/n4caryuo.default/Mail/Local Folders/Charity.sbd/John O'Sullivan - PSI: Heuristics.Phishing.Email.SpoofedDomain FOUND
...
/home/bill/Thunderbird/n4caryuo.default/Mail/mail.billhowell.ca/Trash: Win.Trojan.Generickd-395 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8725473
Engine version: 0.102.4
Scanned directories: 8582
Scanned files: 105888
Infected files: 4
Data scanned: 15073.12 MB
Data read: 14518.76 MB (ratio 1.04:1)
Time: 6187.248 sec (103 m 7 s)
+-----+
24January2021 21h21m, end of virus - clamscan.sh

08********08
#] 24Dec2020 download virus examples
>> I can't download? -clamscan virus protection maybe?
How do I turn off clamav for a short while?
man clamav - nyet
man clamscan
search "Linux clamscan and how do I turn it off?"
search "Linux clamscan and how do I disable it?"
>> Hmmm, can't find that option

FireFox menu -> Preferences -> Privacy & Security -> Security :
	x Deceptive Content and Dangerous Software Protection
	x Block dangerous and deceptive content (Learn more)
	x Block dangerous downloads
	x Warn you about unwanted and uncommon software
>> temporarily uncheck "Block dangerous downloads" & see what happens
>> OK - works!
DANGEROUS!!! Don't forget to reset FireFox "Block dangerous downloads" when done!!!!
+-----+
/media/bill/HOWELL_BASE/virus examples/Ikarus viruses/eicar_com.zip
	The EICAR test virus is not a real virus. It is a DOS program created by the European Institute for Computer Antivirus Research, which only displays the message “EICAR-STANDARD-ANTIVIRUS-TEST-FILE” on the screen and then terminates itself. The aim of test viruses is to test the functions of an anti-malware program or to see how the program behaves when a virus is detected.
	Download the desired test file to your PC. If your network security does not already prevent the download of the file, the local antivirus program should start working when trying to save or execute the file.
	Since the Eicar test virus is the only standardized way to monitor antivirus programs “live” at work without endangering yourself, it is likely that all programs will recognize the file. However, it says nothing about the detection or other protection capabilities of the software. If the file is not detected by your virus scanner, it is advisable to investigate the reason for this, for example to detect possible malfunctions.
	https://www.ikarussecurity.com/wp-content/downloads/eicar_com.zip

+----+
https://zeltser.com/malware-sample-sources/
	Malware researchers frequently seek malware samples to analyze threat techniques and develop defenses.
	In addition to downloading samples from known malicious URLs, researchers can obtain malware samples from the following free sources:
	ANY.RUN: Registration required
	Contagio Malware Dump: Curated, password required
	CAPE Sandbox
	Das Malwerk
	Hatching Triage: Registration required
	Hybrid Analysis: Registration required
	InQuest Malware Samples on GitHub
	KernelMode.info: Registration required
	MalShare: Registration required
	MalwareBazaar
	MalwareSamples Malware-Feed: Curated
	Malware DB
	Objective-See Collection: Mac malware
	PacketTotal: Malware inside downloadable PCAP files
	PhishingKitTracker: Phishing sites source code
	PolySwarm: Registration required
	SNDBOX: Registration required
	SoReL-20M: 10M defanged malware samples (see notes)
	theZoo aka Malware DB
	URLhaus: Links to live sites hosting malware
	VirusBay: Registration required
	VirusShare: Registration required
	VirusSign: Registration required
	Virus and Malware Samples: Includes APT, registration required
	vx-underground
	Yomi: Registration required

+-----+
focus for now on any.run
>> download to : /media/bill/Virus_samples/any.run/
I got kicked out after repeat warnings of large number of downloads (5 per short time frame)

08********08
23Dec2020 Timeout error :
https://security.stackexchange.com/questions/220909/clamav-bytecode-run-timed-out
	Searching for these messages quickly leads to posts like this. Basically: you are scanning huge data and it runs in a timeout while scanning since there was a timeout configured. If you want to extend the timeout you can do on the command line as documented.
	– Steffen Ullrich Nov 9 '19 at 6:21

https://unix.stackexchange.com/questions/193059/warnings-errors-when-running-clamav-clamscan-scanning-3tb-hard-drive
	Here is the new command:
		clamscan -r -i --remove --max-filesize=4000M --max-scansize=4000M --bytecode-timeout=190000 /DATA1
	Note: I also upgraded the servers memory to 8GB, I'm not sure if clamscan loads the file to memory when it's being scanned but one post said that much and if so that is another consideration.
	edited Apr 15 '15 at 0:58, answered Apr 9 '15 at 12:03, somethingSomething

>> WRONG! What happened to old viruses?
OK	/home/bill/Thunderbird/n4caryuo.default/Mail/Local Folders/a_Phishing scams: Win.Malware.Upatre-11421 FOUND
?	/home/bill/Thunderbird/n4caryuo.default/Mail/Local Folders/System_maintenance.sbd/a_Phishing scams: Win.Malware.Upatre-11421 FOUND
T	/home/bill/Thunderbird/n4caryuo.default/Mail/mail.billhowell.ca/Trash: Win.Trojan.Agent-1428649 FOUND
OK	/media/bill/HOWELL_BASE/System_maintenance/viruses quarantined/.tar: Unix.Malware.Agent-1415284 FOUND
F	/media/bill/PROJECTS/System_maintenance/security/viruses quarantined/.tar: Unix.Malware.Agent-1415284 FOUND
	>> I had moved the directory, so the discrepancy is OK
T	/media/bill/HOWELL_BASE/Thunderbird/n4caryuo.default/Mail/mail.billhowell.ca/Trash: Win.Trojan.Agent-1428649 FOUND
T = trash, which would have been deleted
F = found
? = not really found! or I moved?
This leaves unaccounted :
/home/bill/Thunderbird/n4caryuo.default/Mail/Local Folders/Inbox: Win.Malware.Generic-9777076-0 FOUND
/home/bill/Thunderbird/n4caryuo.default/Mail/Local Folders/Purchases.sbd/Amazon.sbd/z_Archive: Email.Phishing.VOF1-6314019-0 FOUND
/media/bill/HOWELL_BASE/Thunderbird/n4caryuo.default/Mail/Local Folders/00_Newsgroups slow.sbd/Principia Scientific.sbd/z_Old: Heuristics.Phishing.Email.SpoofedDomain FOUND
/media/bill/HOWELL_BASE/Thunderbird/n4caryuo.default/Mail/Local Folders/Charity.sbd/John O'Sullivan - PSI: Heuristics.Phishing.Email.SpoofedDomain FOUND
/media/bill/HOWELL_BASE/Thunderbird/n4caryuo.default/Mail/Local Folders/Investments.sbd/MBNA: Heuristics.Phishing.Email.SpoofedDomain FOUND
/media/bill/HOWELL_BASE/Thunderbird/n4caryuo.default/Mail/Local Folders/z_Old/Inbox: Win.Trojan.Agent-1136914 FOUND

This directory was removed :
/media/bill/SWAPPER/Website - raw/Software programming & code/System_maintenance/security/viruses quarantined/.tar: Unix.Malware.Agent-1415284 FOUND

I need a script to save all emails in an infected Thunderbird folder as separate files.
Probably have optrs in my ijcnn mass email coding.

08********08
# /home/bill/System_maintenance/clamscan_infected/clamscan_contaminated_script
# www.BillHowell.ca created 20Oct2013
# work on contaminated file - especially to split up Thunderbird folders to isolate bad email/files
# 1. start with one infected file at a time (should be in $dir_base)
# 2. copy file to $dir_safe (looks weird - but clamscan moves contaminated files, NOT safe ones!)
# 3. IF contaminated file is text (eg EMAIL!), using text editor - split file into MANY parts,
#    saving each part in $dir_safe
# 4. run from terminal as superuser (sudo -i) :
#    # bash /home/bill/System_maintenance/clamscan_infected/clamscan_contaminated_script
# 5. once [phish, virus, trojan horse, worm, etc] found, move contaminated part (or whole file) to IOMEGA_HDD/Viruses etc - Clamscan
# 6. reconstruct original text or email folder if that was the file type (minus infected part, of course)
# Note that Thunderbird and AE extraction plugin DON'T actually delete emails or attachments! - so it's hard to get rid of junk!
# freshclam downloads database to default directory
#
# It's very tricky to delete a folder!!
# A. From within Thunderbird :
#    1. Check only ONE T-Bird email folder at a time!
#    2. Create a sub-folder /Local Folders/a_Clamscan/
#    3. Take note of the number of emails in
#    4. MOVE (not copy!) all good emails from [files_safe, files_toTest_1 or 2] to /Local Folders/a_Clamscan/
#    5. MOVE (not copy!) all bad emails from [files_toTest_1 or 2] to /Local Folders/a_Clamscan/files_infected
#    6. MOVE any subfolders from original to the newly created /Local Folders/a_Clamscan/
#    7. CHECK that the number of emails in... " original = good + contaminated ..."
#    8. DELETE
#    9. Close down Thunderbird!!
# B. From within Dolphin fileManager /home/bill/.thunderbird/n4caryuo.default/Mail/Local Folders/ ... /
#    1. Check that [.msf file, mail files, subdirectories] associated with have been deleted
#       (actually, this appears to be the case normally, but for now a check is warranted until I have more experience)
# C. Back to Thunderbird -
#    1. Start Thunderbird up again
#    2. Move /Local Folders/a_Clamscan/ to its appropriate place in the TBird folders
#    3. Close Thunderbird, then start up again to allow files to be updated
# D. Dolphin fileManager
#    1. Double check .msf & mail files in Dolphin

dir_base="/home/bill/System_maintenance/clamscan_infected/"
dir_safe=$dir_base"files_safe/"
dir_test=$dir_base"files_to_test/"
file_script=$dir_base"clamscan_contaminated_script"
file_log=$dir_base"clamscan_contaminated_log.txt"

echo ""
echo ""
echo "**********************************************************"
echo "$file_script" " -> starting virus location routine, Date = " `date`
echo >>"$file_log" ""
echo >>"$file_log" ""
echo >>"$file_log" "*******************************************************"
echo >>"$file_log" "$file_script" " -> starting virus location, Date = " `date`
echo >>"$file_log" ""

echo ""
echo "cd " "$dir_safe"
echo >>"$file_log" ""
echo >>"$file_log" "cd " "$dir_safe"
# stop here if the safe directory is missing, otherwise clamscan would run in the wrong place
cd "$dir_safe" || exit 1

# don't need freshclam update for this - as will usually follow full clamscan
echo ""
echo "didn't start freshclam... no need for cleanup"
echo >>"$file_log" ""
echo >>"$file_log" "didn't start freshclam... no need for cleanup"
#freshclam >>"$file_log"

# don't need recursion as only $dir_safe itself is checked
# -i : only print infected files; --move : clamscan moves contaminated files (NOT the safe ones) to $dir_test
echo ""
echo "starting... clamscan >>$file_log -iv --bell --phishing-ss=yes --phishing-cloak=yes --move=$dir_test $dir_safe"
echo >>"$file_log" ""
echo >>"$file_log" "starting... clamscan >>$file_log -iv --bell --phishing-ss=yes --phishing-cloak=yes --move=$dir_test $dir_safe"
clamscan >>"$file_log" -iv --bell --phishing-ss=yes --phishing-cloak=yes --move="$dir_test" "$dir_safe"

echo ""
echo "**********************************************************"
echo ""
echo ""

******************************
#] 01Sep2018 crontab -> freshclam frequency
It's dumb to do this every hour - it hasn't even been activated for 1.5 years!!
change to once per day
+-----+
# /media/bill/PROJECTS/System_maintenance/Linux/crontab_howell.txt
# www.BillHowell.ca 30Aug2018
# minute 0 of hour 10, i.e. once per day (with * in the minute field it would run every minute of that hour)
0 10 * * * /usr/local/bin/freshclam --quiet
+-----+
m h d m w
https://www.wikihow.com/Set-up-a-Crontab-File-on-Linux
	m	minute
	h	hour
	d	day of month
	m	month 1-12
	w	weekday 0-7, Sun,Mon, etc (Sunday = 0 = 7)
	It is easy to remember if you think of the way one would say a date: Wednesday, July 29, at 10:30, then reverse the order.
see "/media/bill/PROJECTS/System_maintenance/Linux/cron notes.txt" for procedure to change crontab

***************************
#] 30Aug2018 Install clamav (via Software Manager) on LMDE2
setup using document : /media/bill/PROJECTS/System_maintenance/security/clamAV antivirus doc.pdf
$ sudo freshclam
[sudo] password for bill:
Thu Aug 30 21:01:34 2018 -> ClamAV update process started at Thu Aug 30 21:01:34 2018
Thu Aug 30 21:01:34 2018 -> main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Thu Aug 30 21:01:34 2018 -> daily.cvd is up to date (version: 24888, sigs: 2069774, f-level: 63, builder: neo)
Thu Aug 30 21:01:34 2018 -> bytecode.cvd is up to date (version: 327, sigs: 91, f-level: 63, builder: neo)
+-----+
$ groupadd clamav
groupadd: group 'clamav' already exists
$ clamd
The program 'clamd' is currently not installed. To run 'clamd' please ask your administrator to install the package 'clamav-daemon'
clamd: command not found
I skipped : 3.6 Running unit tests
$ clamd
ERROR: Can't open /var/log/clamav/clamav.log in append mode (check permissions!).
ERROR: Can't initialize the internal logger
>> I had to install (via Software Manager) :
+-----+
Clamav-daemon
Anti-virus utility for unix - scanner daemon
Score:
	Clam AntiVirus is an anti-virus toolkit for Unix. The main purpose of this software is the integration with mail servers (attachment scanning).
	The package provides a flexible and scalable multi-threaded daemon in the clamav-daemon package, a command-line scanner in the clamav package, and a tool for automatic updating via the Internet in the clamav-freshclam package. The programs are based on libclamav, which can be used by other software.
	This package contains the daemon featuring:
	- fast, multi-threaded daemon;
	- easy integration with MTA's;
	- support for on-access scanning;
	- remote scanning;
	- able to be run supervised by daemon.
	Details:
	Version: 0.100.1+dfsg-0+deb8u1
	Size: 266KB to download, 979KB of disk space required
+-----+
$ sudo clamd
Thu Aug 30 22:04:30 2018 -> !LOCAL: Socket file /var/run/clamav/clamd.ctl is in use by another process.

Setup freshclam.log
$ sudo touch /var/log/freshclam.log
~
$ sudo chmod 600 /var/log/freshclam.log
~
$ sudo chown clamav /var/log/freshclam.log
~
>> NUTS!! wrong directory!!!
$ sudo rm /var/log/freshclam.log
$ sudo chmod 600 /var/log/clamav/freshclam.log
~
$ sudo chown clamav /var/log/clamav/freshclam.log
~
>> OK

My conf file : /etc/clamav/[clamd.conf, freshclam.conf]
$ sudo kwrite /etc/clamav/clamd.conf
>> gibberish to me - leave it for now
$ sudo kwrite /etc/clamav/freshclam.conf
UpdateLogFile /var/log/clamav/freshclam.log
>> initial setup had it here, so it's OK

Am I a member of group clamav?
https://www.cyberciti.biz/faq/linux-list-all-members-of-a-group/
	$ grep 'group-name-here' /etc/group
So :
$ grep 'clamavre' /etc/group
clamav:x:133:
>> who the heck is x:133 ??
>> leave for later

search "Linux Mint crontab and where is it?"
https://tecadmin.net/crontab-in-linux-with-20-examples-of-cron-schedule/
	To view crontab entries of current user use the following command.
$ crontab -l
no crontab for bill
$ sudo crontab -l
no crontab for root
man crontab
$ sudo ls /var/spool/cron/crontabs
~
>> none!
https://www.unixmen.com/add-cron-jobs-linux-unix/
good reference - guy knows better what he is talking about, more general, but still half-way

edit new file "/media/bill/PROJECTS/System_maintenance/security/crontab_howell.txt"
+-----+
# /media/bill/PROJECTS/System_maintenance/security/crontab_howell.txt
# www.BillHowell.ca 30Aug2018
49 * * * * /usr/local/bin/freshclam --quiet
+-----+
$ crontab "/media/bill/PROJECTS/System_maintenance/security/crontab_howell.txt"
>> OK, no feedback so must be good?

$ sudo cat /var/log/clamav/freshclam.log
+-----+
[sudo] password for bill:
Thu Aug 30 20:45:04 2018 -> --------------------------------------
Thu Aug 30 20:45:04 2018 -> freshclam daemon 0.100.1 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Thu Aug 30 20:45:04 2018 -> ClamAV update process started at Thu Aug 30 20:45:04 2018
Thu Aug 30 20:46:39 2018 -> Downloading main.cvd [100%]
Thu Aug 30 20:46:48 2018 -> main.cvd updated (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Thu Aug 30 20:47:37 2018 -> Downloading daily.cvd [100%]
Thu Aug 30 20:47:43 2018 -> daily.cvd updated (version: 24888, sigs: 2069774, f-level: 63, builder: neo)
Thu Aug 30 20:47:44 2018 -> Downloading bytecode.cvd [100%]
Thu Aug 30 20:47:45 2018 -> bytecode.cvd updated (version: 327, sigs: 91, f-level: 63, builder: neo)
Thu Aug 30 20:47:50 2018 -> Database updated (6636114 signatures) from db.local.clamav.net (IP: 104.16.185.138)
Thu Aug 30 20:47:50 2018 -> ERROR: NotifyClamd: Can't find or parse configuration file /etc/clamav/clamd.conf
Thu Aug 30 20:47:50 2018 -> --------------------------------------
Thu Aug 30 21:01:34 2018 -> --------------------------------------
Thu Aug 30 21:01:34 2018 -> ClamAV update process started at Thu Aug 30 21:01:34 2018
Thu Aug 30 21:01:34 2018 -> main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Thu Aug 30 21:01:34 2018 -> daily.cvd is up to date (version: 24888, sigs: 2069774, f-level: 63, builder: neo)
Thu Aug 30 21:01:34 2018 -> bytecode.cvd is up to date (version: 327, sigs: 91, f-level: 63, builder: neo)
Thu Aug 30 21:47:50 2018 -> Received signal: wake up
Thu Aug 30 21:47:50 2018 -> ClamAV update process started at Thu Aug 30 21:47:50 2018
Thu Aug 30 21:47:50 2018 -> main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Thu Aug 30 21:47:50 2018 -> daily.cvd is up to date (version: 24888, sigs: 2069774, f-level: 63, builder: neo)
Thu Aug 30 21:47:50 2018 -> bytecode.cvd is up to date (version: 327, sigs: 91, f-level: 63, builder: neo)
Thu Aug 30 21:47:50 2018 -> --------------------------------------
+-----+
>> This has already been running?

Closest mirrors for freshclam updates :
http://www.iana.org/cctld/cctld-whois.htm
goes to : https://www.iana.org/domains/root/db
>> totally incomprehensible!??? leave it for now ... seems to be getting data anyways?
Check tomorrow to see if it is actually working - could run clamscan directly to check.

*******************
#] 09Jun2017 11:43 freshclam update failures
In file "/var/log/clamav/freshclam.log" gives error :
Fri Jun 9 11:25:39 2017 -> Update failed. Your network may be down or none of the mirrors listed in /etc/clamav/freshclam.conf is working. Check http://www.clamav.net/doc/mirrors-faq.html for possible reasons.
>> This might be OK
>> Updates fail when internet connect is off, but others still work when on.
Configuration file "/etc/clamav/freshclam.conf" shows sites :
+-----+
# Automatically created by the clamav-freshclam postinst
# Comments will get lost when you reconfigure the clamav-freshclam package
DatabaseOwner clamav
UpdateLogFile /var/log/clamav/freshclam.log
LogVerbose false
LogSyslog false
LogFacility LOG_LOCAL6
LogFileMaxSize 0
LogRotate true
LogTime true
Foreground false
Debug false
MaxAttempts 5
DatabaseDirectory /var/lib/clamav
DNSDatabaseInfo current.cvd.clamav.net
ConnectTimeout 30
ReceiveTimeout 30
TestDatabases yes
ScriptedUpdates yes
CompressLocalDatabase no
SafeBrowsing false
Bytecode true
# Check for new database 24 times a day
Checks 24
DatabaseMirror db.local.clamav.net
DatabaseMirror database.clamav.net
+-----+

***************
#] 31Jan2016 freshclam >7 day out of date
$ sudo freshclam
ERROR: /var/log/clamav/freshclam.log is locked by another process
ERROR: Problem with internal logger (UpdateLogFile = /var/log/clamav/freshclam.log)

http://askubuntu.com/questions/636851/how-to-stop-automatic-freshclam-execution
How to stop automatic freshclam execution
Terrance edited Jun 16 '15 at 16:44, answered Jun 15 '15 at 21:04
That is the freshclam daemon running that is causing that error message. If you check the log,
tail -10 /var/log/clamav/freshclam.log
you will probably see updates for the freshclam as early as today. As long as you're seeing updates, everything should be fine. If you want to change the intervals to the freshclam daemon, type in the following from a terminal window:
sudo dpkg-reconfigure clamav-freshclam
then step through the setup.

I then checked /var/log/clamav/freshclam.log
>> Has already updated twice today - but only starting 10:15 as earlier auto-updates failed
>> But clamav ran at 08:13

****************************************
#] 28Sep2013 Weekly scan :
run from terminal as superuser (sudo -i) :
# bash /home/bill/bin/clamscan_script

****************************************
#] 09Sep2013 couldn't find clamAV!!
After one hell of a run-around (Synaptic Package manager couldn't find clamAV!! - had to click on "provided packages" or something like that!) used
apt-cache search clamav (NO sudo!)
script file /home/bill/bin/clamscan_script
problems with permissions for freshclam log file /var/log/clamav/freshclam.log - changed group to rw
in Konsole terminal, manually typed :
clamscan >/home/bill/bin/clamscan_output.txt -ri --bell --move=/home/bill/clamscan_infected
i.e. at present the script file doesn't work...
But I found in /home/bill/ 15 worms, trojans, phishing

****************************************
#] 22Jan2012 ToDos - need script to pick out infected files from a clamscan
I need to write a nial (or a system script) program to pick out infected files from a clamscan, add them to a dated logfile, and "quarantine" them (no access, or put in a special directory).
I also need email & download scanning, BEFORE a file gets into my systems!

****************************************
#] 21Jan2012 clamscan options
Options:
-l logfilename specifies the logfile (don't use - useless junk on screen!)
-r recursive into target directory
To scan bill's stuff:
cd /home/bill
clamscan >"/home/bill/System maintenance/ClamAV Virus scans/clamscan_log.txt" -r
To find indications of viruses:
When a virus is found its name is printed between the "filename:" and "FOUND" strings. In case of archives the scanner depends on libclamav and only prints the first virus found within an archive.
See for log files: /var/log/clamav
clamav is run automatically all of the time - 24 times/day!!! (once per hour)
12 weeks of log files (each having all days for the week) are retained.
But the updates seem to have problems finding updates on the web:
Update failed. Your network may be down or none of the mirrors listed in /etc/clamav/freshclam.conf is working. Check http://www.clamav.net/support/mirror-problem for possible reasons.
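An added example (mine, not the clamscan_script from these notes, and not the nial program from the 22Jan2012 ToDo): a POSIX shell version of that ToDo, built on the fact noted under 21Jan2012 that clamscan prints each hit as "<filename>: <signature> FOUND". make_sample_report writes a constructed clamscan report (paths and signature names are made up; the line layout matches real clamscan output, including the SCAN SUMMARY block), list_infected pulls out path and signature, count_infected gives a pass/fail number for a weekly job, and quarantine_infected appends the hits to a dated logfile and moves the files into a quarantine directory. The function names and the log/quarantine paths are my assumptions.

```shell
#!/bin/sh
# Added example, not from the notes: pick infected files out of a clamscan
# report, log them with the date, and move them into a quarantine directory.

# Constructed clamscan output under base directory $2. One hit line is
# deliberately given a path containing ": " to show the split still works.
make_sample_report() {
    base=$2
    cat > "$1" <<EOF
$base/docs/notes.txt: OK
$base/Downloads/eicar.com: Eicar-Test-Signature FOUND
$base/mail/Inbox: spam/attach.zip: Win.Trojan.Agent-12345 FOUND
$base/docs/report.pdf: OK

----------- SCAN SUMMARY -----------
Known viruses: 6636114
Scanned files: 4
Infected files: 2
EOF
}

# Print "<path><TAB><signature>" for every FOUND line in a report.
# The regex anchors on the LAST ": <signature> FOUND" of the line, so a
# path that itself contains ": " is not cut short. OK lines and the
# summary block never match because they do not end in " FOUND".
list_infected() {
    awk '
        match($0, /: [^:]+ FOUND$/) {
            path = substr($0, 1, RSTART - 1)
            sig  = substr($0, RSTART + 2, RLENGTH - 8)   # drop ": " and " FOUND"
            printf "%s\t%s\n", path, sig
        }' "$1"
}

# Number of infected files in a report (0 means a clean scan).
count_infected() {
    list_infected "$1" | wc -l | tr -d ' '
}

# Append "<date><TAB><path><TAB><signature>" to LOGFILE for each hit and move
# the file into QDIR. Like clamscan --move, but the report and a dated
# history of what was moved are kept.
quarantine_infected() {
    report=$1; logfile=$2; qdir=$3
    tab=$(printf '\t')
    mkdir -p "$qdir"
    list_infected "$report" | while IFS=$tab read -r path sig; do
        printf '%s\t%s\t%s\n' "$(date +%Y%m%d)" "$path" "$sig" >> "$logfile"
        if [ -e "$path" ]; then
            mv -- "$path" "$qdir"/
        fi
    done
}
```

For the weekly scan this slots in after clamscan itself: run clamscan with -r and stdout redirected to a report file as in the 21Jan2012 notes, then call quarantine_infected on that report. The quarantine directory should be somewhere clamscan does not rescan every week (or excluded with --exclude-dir), otherwise the same files are reported again on every run.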
To find programs:
whereis clamscan
clamscan: /usr/bin/clamscan /usr/share/man/man1/clamscan.1.gz
whereis freshclam
freshclam: /usr/bin/freshclam /usr/share/man/man1/freshclam.1.gz
To get Nautilus filemanager in "admin" mode:
gksudo nautilus

**************************
# enddoc