BUG: ClamAV 0.104.0 does not work
After updating ClamAV to version 0.104.0, hMail stopped communicating with the antivirus program.
"ERROR" 9352 "2021-09-19 00:09:06.565" "Severity: 3 (Medium), Code: HM5406, Source: ClamAVVirusScanner::Scan, Description: Protocol error. Unexpected response: UNKNOWN COMMAND
After returning to version 0.103.3, everything is OK. There is probably a change in the communication protocol in the new version of ClamAV (?)
Re: BUG: ClamAV 0.104.0 does not work
Geez, would you really think
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup
- jimimaseye
- Moderator
- Posts: 10053
- Joined: 2011-09-08 17:48
Re: BUG: ClamAV 0.104.0 does not work
No, I wouldn't. I seriously doubt it.
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829
Re: BUG: ClamAV 0.104.0 does not work
Looks like there were a lot of changes in 0.104. Not surprising there would be errors on the windows side. I looked quickly and saw several windows issues with paths on github and the mailing list.
I would give it some time before upgrading. Better yet, send clamav log entries to the mailing list or post an issue on github. If they don't know about an issue, they won't be able to fix it.
Re: BUG: ClamAV 0.104.0 does not work
Looks like 0.104.0 doesn't need special builds to run as service on Windows
Code: Select all
clamd and freshclam are now available as Windows services. To install and run them, use the --install-service option and net start [name] command.
Special thanks to Gianluigi Tiesi for his original work on this feature.
Re: BUG: ClamAV 0.104.0 does not work
RvdH wrote: ↑2021-09-19 15:23
Looks like 0.104.0 doesn't need special builds to run as service on Windows
Code: Select all
clamd and freshclam are now available as Windows services. To install and run them, use the --install-service option and net start [name] command.
Special thanks to Gianluigi Tiesi for his original work on this feature.

I tried that as the first thing that came to my mind. Unfortunately, the result is the same.
Re: BUG: ClamAV 0.104.0 does not work
The error seems to be triggered here
https://github.com/hmailserver/hmailser ... er.cpp#L71
ClamAV Issues
https://github.com/Cisco-Talos/clamav/issues
Re: BUG: ClamAV 0.104.0 does not work
Changelog says nothing about a breaking change in how clamd should work, except for maybe:
Added the %f format string option to the ClamD VirusEvent feature to insert the file path of the scan target when a virus-event occurs. This supplements the VirusEvent %v option which prints the signature (virus) name. The ClamD VirusEvent feature also provides two environment variables, $CLAM_VIRUSEVENT_FILENAME and $CLAM_VIRUSEVENT_VIRUSNAME for a similar effect.
Re: BUG: ClamAV 0.104.0 does not work
Any solution?
I also get the same "UNKNOWN COMMAND".
ClamAV 0.104.0
Thanks.
Re: BUG: ClamAV 0.104.0 does not work
You should really ask ClamAV people, apparently they have changed something that breaks compatibility
https://github.com/Cisco-Talos/clamav
Re: BUG: ClamAV 0.104.0 does not work
31.01.2022 and clamav 104.2 still SAME ERROR
can someone do a help ?
Re: BUG: ClamAV 0.104.0 does not work
RvdH wrote: ↑2021-10-13 15:36
You should really ask ClamAV people, apparently they have changed something that breaks compatibility
https://github.com/Cisco-Talos/clamav
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
-
- New user
- Posts: 14
- Joined: 2009-12-29 12:34
Re: BUG: ClamAV 0.104.0 does not work
hMailServer is using the command "STREAM" as shown here https://github.com/hmailserver/hmailser ... er.cpp#L64
It was deprecated and has been deleted now. The right command should be "INSTREAM" now, as shown in the manpage: https://manpages.debian.org/testing/cla ... .8.en.html
So hMailServer must be updated here to get this work again.
Re: BUG: ClamAV 0.104.0 does not work
Did you start an issue on hMailServer's github ?
If not, can you please...
-
- New user
- Posts: 14
- Joined: 2009-12-29 12:34
Re: BUG: ClamAV 0.104.0 does not work
Re: BUG: ClamAV 0.104.0 does not work
Question is, will that change break backwards compatibility?
With what version that INSTREAM command was introduced?
Why on earth they decided to delete it? They could just leave STREAM command there as alias for INSTREAM command
-
- New user
- Posts: 14
- Joined: 2009-12-29 12:34
Re: BUG: ClamAV 0.104.0 does not work
I already answered your questions on GitHub: https://github.com/hmailserver/hmailserver/issues/420
We should discuss it there.
For record, this is my answer:
Hello @RvdHout,
it's marked as deprecated since February 11th 2009: https://github.com/Cisco-Talos/clamav/c ... b19bc9dR50
The commands are slightly different: INSTREAM accepts the data on the same communication port, whereas STREAM just sends a new temporary port for the data to send to.
Since the INSTREAM command has been added 2009 too, there is no problem for backward compatibility. So all ClamAV versions since 0.95 should work with INSTREAM.
Re: BUG: ClamAV 0.104.0 does not work
I think there is more to it than just changing STREAM with INSTREAM
Prior 0.104.x clamav reported the PORT to connect to
After that HMS send the STREAM command over port 1483
Code: Select all
PORT 1483
stream: OK
The CLAMAV would reply back with another stream on port 1081:
Code: Select all
PORT 1081
stream: Eicar-Signature FOUND
With this INSTREAM change the whole PORT part seems to be left out, which result in HMS failing with the UNKNOWN COMMAND error
Re: BUG: ClamAV 0.104.0 does not work
lord_dragonus wrote: ↑2022-02-09 11:15
I already answered your questions on GitHub: https://github.com/hmailserver/hmailserver/issues/420
We should discuss it there.
For record, this is my answer:
Hello @RvdHout,
it's marked as deprecated since February 11th 2009: https://github.com/Cisco-Talos/clamav/c ... b19bc9dR50
The commands are slightly different: INSTREAM accepts the data on the same communication port, whereas STREAM just sends a new temporary port for the data to send to.
Since the INSTREAM command has been added 2009 too, there is no problem for backward compatibility. So all ClamAV versions since 0.95 should work with INSTREAM.

Thx, i'm gonna play with this....lets see where it gets me
- jimimaseye
- Moderator
- Posts: 10053
- Joined: 2011-09-08 17:48
Re: BUG: ClamAV 0.104.0 does not work
Also, even though STREAM is "deprecated" since 2009 it still continued to work up to 0.103. So what change was done in v0.104 that wasn't there in 0.103? You say
lord_dragonus wrote: ↑2022-02-08 19:34
It was deprecated and has been deleted now. The right command should be "INSTREAM" now, as shown in the manpage: https://manpages.debian.org/testing/cla ... .8.en.html

The man page quoted still references STREAM as 'deprecated' since 2009 but (as we have identified) it was still being allowed until 0.103 (so deprecated meaning officially unsupported but not removed usually for legacy connectivity). Can I ask where you see documentation or the evidence of it finally being removed in 0.104? (I'm not doubting you, just curious on where the evidence is found. This makes things easier to understand).
-
- New user
- Posts: 14
- Joined: 2009-12-29 12:34
Re: BUG: ClamAV 0.104.0 does not work
jimimaseye wrote: ↑2022-02-09 11:30
[...] Can I ask where you see documentation or the evidence of it finally being removed in 0.104? (I'm not doubting you, just curious on where the evidence is found. This makes things easier to understand).

Sure, it has been deleted February 25th 2021 within this commit: https://github.com/Cisco-Talos/clamav/c ... 246bf6f99a
See the comment of the commit:
[...] Also remove deprecated STREAM command.
Re: BUG: ClamAV 0.104.0 does not work
Quick solution, stick with 0.103.5
I think this whole function has to be rewritten using socket(s) to be able to support 0.104.x
Re: BUG: ClamAV 0.104.0 does not work
I have two versions of ClamAV.pm in my SpamAssassin ./lib/file/scan folder from way back when I was getting it up running and I just noticed I'm using the STREAM version.
NOTE: ClamAV integration in SpamAssassin includes a DIFFERENT ClamAV.pm stored with the ClamAV.cf in the ./etc directory. The ClamAV.pm in the ./lib/file/scan originate from CPAN (presumably).
So I cut out the Perl sub that does the actual STREAM'ing from both versions.
Version 1.95 by unknown at unknown date
Code: Select all
sub streamscan {
    my $self = shift;
    my $data = shift;
    if(@_){ #don't join unless needed [cpan #78769]
        $data = join q{},($data,@_);
    }
    $self->_seterrstr;
    my $conn = $self->_get_connection || return;
    # Command, one <length><data> chunk and a zero-length chunk, all on the same connection
    $self->_send($conn, "nINSTREAM\n");
    $self->_send($conn, pack("N", length($data)));
    $self->_send($conn, $data);
    $self->_send($conn, pack("N", 0));
    chomp(my $r = $conn->getline);
    my @return;
    # Any reply that does not match "... FOUND" is reported as OK
    if($r =~ /stream:\ (.+)\ FOUND/ix){
        @return = ('FOUND', $1);
    } else {
        @return = ('OK');
    }
    $conn->close;
    return @return;
}
ClamAV.pm,v 1.8 2004/09/17 22:07:51 cfaber
Code: Select all
sub streamscan {
    my ($self) = shift;
    my $data = join '', @_;
    $self->_seterrstr;
    my $conn = $self->_get_connection || return;
    $self->_send($conn, "STREAM\n");
    chomp(my $response = $conn->getline);
    my @return;
    # clamd answers STREAM with "PORT <n>"; the data goes over a second connection to that port
    if($response =~ /^PORT (\d+)/){
        if((my $c = $self->_get_tcp_connection($1))){
            $self->_send($c, $data);
            $c->close;
            # The verdict comes back on the original command connection
            chomp(my $r = $conn->getline);
            if($r =~ /stream: (.+) FOUND/i){
                @return = ('FOUND', $1);
            } else {
                @return = ('OK');
            }
        } else {
            $conn->close;
            return;
        }
    }
    $conn->close;
    return @return;
}
SørenR.
Woke is Marxism advancing through Maoist cultural revolution.
-
- New user
- Posts: 14
- Joined: 2009-12-29 12:34
Re: BUG: ClamAV 0.104.0 does not work
It's not necessary to rewrite the whole function. The only thing is that the data has to be sent directly to the main port, instead of opening another port and sending it to this port. And of course, the command has to be changed. Thanks to @SorenR for posting the old and new example. It should help to edit the function quickly.
Sure, the "Quick solution" works, but only until September 14th 2023. It's the EOL date for the 0.103.x version and as of this date it's forbidden to download database updates. (That was my problem with the 0.102.x after January 3rd 2022)
Source: https://docs.clamav.net/faq/faq-eol.htm ... ort-matrix
Re: BUG: ClamAV 0.104.0 does not work
lord_dragonus wrote: ↑2022-02-09 15:43
It's not necessary to rewrite the whole function. The only thing is that the data has to be sent directly to the main port, instead of opening another port and sending it to this port. And of course, the command has to be changed. Thanks to @SorenR for posting the old and new example. It should help to edit the function quickly.
Sure, the "Quick solution" works, but only until September 14th 2023. It's the EOL date for the 0.103.x version and as of this date it's forbidden to download database updates. (That was my problem with the 0.102.x after January 3rd 2022)
Source: https://docs.clamav.net/faq/faq-eol.htm ... ort-matrix

OK, if you think it is that easy i expect your (working!) pull request later today (it is open source you all know, right?)
Re: BUG: ClamAV 0.104.0 does not work
SorenR wrote: ↑2022-02-09 15:22
[...]

Note... pack("N", length($data))
https://perldoc.perl.org/functions/pack
"N" -> An unsigned long (32-bit) in "network" (big-endian) order.
SørenR.
Re: BUG: ClamAV 0.104.0 does not work
SorenR wrote: ↑2022-02-09 17:12
[...]
Note... pack("N", length($data))
https://perldoc.perl.org/functions/pack
"N" -> An unsigned long (32-bit) in "network" (big-endian) order.

What on earth do i have to do with perl code?
Geez, come on... i can post perfectly working C# code, but does that solve anything?
the problem is the wrapper function ClamAVVirusScanner::Scan within HMS, which uses boost and translate that into working c++ for reading the returned data using a single connection
Re: BUG: ClamAV 0.104.0 does not work
RvdH wrote: ↑2022-02-09 17:17
[...]
What on earth do i have to do with perl code?
Geez, come on... i can post perfectly working C# code, but does that solve anything?
the problem is the wrapper function ClamAVVirusScanner::Scan within HMS, which uses boost and translate that into working c++ for reading the returned data using a single connection

You are not the only one reading this forum and you want people to get involved so chill out. I posted the Perl examples to give people a sense of how much needs to be changed.
I personally am struggling to "translate" the Perl pack function to something useable in C++. I think I need to use intrin.h (already used by VC) and probably ... "unsigned long _byteswap_ulong(unsigned long value);" ???
SørenR.
Re: BUG: ClamAV 0.104.0 does not work
But yet you quoted it (and posted the same code once more!) and posted it in a direct response after my message, weird...
Anyway, we have until September 14th 2023 to figure this out, it's gonna be OK by then (i hope)
-
- New user
- Posts: 14
- Joined: 2009-12-29 12:34
Re: BUG: ClamAV 0.104.0 does not work
@SorenR: Thank you very much for the examples and the explanation of the perl code, this will help me!
@RvdH: I don't have a testbed yet, but I will create one next weekend. I will then send you the pull request.
Re: BUG: ClamAV 0.104.0 does not work
Sending Int32 as Big Endian (Network order) ??? Still trying to figure out the Perl pack function ...
INSTREAM
It is mandatory to prefix this command with n or z.
Scan a stream of data. The stream is sent to clamd in chunks, after INSTREAM, on the same socket on which the command was sent. This avoids the overhead of establishing new TCP connections and problems with NAT. The format of the chunk is: '<length><data>' where <length> is the size of the following data in bytes expressed as a 4 byte unsigned integer in network byte order and <data> is the actual chunk. Streaming is terminated by sending a zero-length chunk. Note: do not exceed StreamMaxLength as defined in clamd.conf, otherwise clamd will reply with INSTREAM size limit exceeded and close the connection.
NB. This is C#...
Code: Select all
using System;

public class Example
{
    public static void Main()
    {
        int value = 12345678;
        byte[] bytes = BitConverter.GetBytes(value);
        Console.WriteLine(BitConverter.ToString(bytes));

        if (BitConverter.IsLittleEndian)
            Array.Reverse(bytes);

        Console.WriteLine(BitConverter.ToString(bytes));
        // Call method to send byte stream across machine boundaries.

        // Receive byte stream from beyond machine boundaries.
        Console.WriteLine(BitConverter.ToString(bytes));
        if (BitConverter.IsLittleEndian)
            Array.Reverse(bytes);

        Console.WriteLine(BitConverter.ToString(bytes));
        int result = BitConverter.ToInt32(bytes, 0);
        Console.WriteLine("Original value: {0}", value);
        Console.WriteLine("Returned value: {0}", result);
    }
}
// The example displays the following output on a little-endian system:
//       4E-61-BC-00
//       00-BC-61-4E
//       00-BC-61-4E
//       4E-61-BC-00
//       Original value: 12345678
//       Returned value: 12345678
SørenR.
Re: BUG: ClamAV 0.104.0 does not work
SorenR wrote: ↑2022-02-10 00:20
Sending Int32 as Big Endian (Network order) ??? Still trying to figure out the Perl pack function ...
[...]

Here is a complete clamav client wrapper written in C#
https://github.com/michaelhans/Clamson/ ... #L238-L294
htonl is the equivalent for "network-byte-order" in c++ as it seems
You use either (newline escaped/delimited)
Code: Select all
nINSTREAM\n
or (zero escaped/delimited)
Code: Select all
zINSTREAM\0
workflow:
1. send the INSTREAM command: zINSTREAM\0, or nINSTREAM\n
2. send <length> (big endian, 4 bytes)
3. send the chunk of data corresponding to the above length
4. repeat at 2 as long as you have more blocks to send
5. send a 0-length block to mark end of stream
6. get response
Re: BUG: ClamAV 0.104.0 does not work
RvdH wrote: ↑2022-02-10 09:36
Here is a complete clamav client wrapper written in C#
https://github.com/michaelhans/Clamson/ ... #L238-L294
htonl is the equivalent for "network-byte-order" in c++ as it seems
You use either (newline escaped/delimited)
Code: Select all
nINSTREAM\n
or (zero escaped/delimited)
Code: Select all
zINSTREAM\0
workflow:
1. send the INSTREAM command: zINSTREAM\0, or nINSTREAM\n
2. send <length> (big endian, 4 bytes)
3. send the chunk of data corresponding to the above length
4. repeat at 2 as long as you have more blocks to send
5. send a 0-length block to mark end of stream
6. get response

Hmm... Something's fishy...
ClamAV log:
Code: Select all
Thu Feb 10 12:40:20 2022 -> WARNING: INSTREAM: Size limit reached, (requested: 842019123, max: 26214400)
Thu Feb 10 12:40:20 2022 -> WARNING: INSTREAM: Size limit reached, (requested: 842019123, max: 26214400)
Code: Select all
VirusScanningResult
ClamAVVirusScanner::Scan(const String &hostName, int primaryPort, const String &sFilename)
{
    LOG_DEBUG("Connecting to ClamAV virus scanner...");

    int streamPort = 0;

    TimeoutCalculator calculator;

    SynchronousConnection commandConnection(calculator.Calculate(IniFileSettings::Instance()->GetClamMinTimeout(), IniFileSettings::Instance()->GetClamMaxTimeout()));
    if (!commandConnection.Connect(hostName, primaryPort))
    {
        return VirusScanningResult(_T("ClamAVVirusScanner::Scan"),
            Formatter::Format("Unable to connect to ClamAV server at {0}:{1}.", hostName, primaryPort));
    }

    if (!commandConnection.Write("nINSTREAM\n"))
        return VirusScanningResult("ClamAVVirusScanner::Scan", "Unable to write STREAM command.");

    AnsiString readData;

    // Send the file on the stream socket.
    File oFile;
    if (!oFile.Open(sFilename, File::OTReadOnly))
    {
        String sErrorMsg = Formatter::Format("Could not send file {0} via socket since it does not exist.", sFilename);
        return VirusScanningResult("ClamAVVirusScanner::Scan", sErrorMsg);
    }

    const int STREAM_BLOCK_SIZE = 4096;
    const int maxIterations = 100000;
    for (int i = 0; i < maxIterations; i++)
    {
        std::shared_ptr<ByteBuffer> pBuf = oFile.ReadChunk(STREAM_BLOCK_SIZE);
        if (!pBuf)
            break;

        // Send the request.
        if (!commandConnection.Write(to_string(htonl(sizeof(*pBuf)))))
            return VirusScanningResult("ClamAVVirusScanner::Scan", "Unable to write data to stream port.");
        if (!commandConnection.Write(*pBuf))
            return VirusScanningResult("ClamAVVirusScanner::Scan", "Unable to write data to stream port.");
    }
    if (!commandConnection.Write(to_string(htonl(0))))
        return VirusScanningResult("ClamAVVirusScanner::Scan", "Unable to write data to stream port.");

    if (!commandConnection.ReadUntil("\n", readData))
        return VirusScanningResult("ClamAVVirusScanner::Scan", "Unable to read response (after streaming).");

    readData.TrimRight("\n");

    // Parse the response and see if a virus was reported.
    try
    {
        const regex expression("^stream.*: (.*) FOUND$");
        cmatch what;
        if (regex_match(readData.c_str(), what, expression))
        {
            LOG_DEBUG("Virus detected: " + what[1]);
            return VirusScanningResult(VirusScanningResult::VirusFound, String(what[1]));
        }
        else
        {
            LOG_DEBUG("No virus detected: " + readData);
            return VirusScanningResult(VirusScanningResult::NoVirusFound, Formatter::Format("Result: {0}", readData));
        }
    }
    catch (std::runtime_error &) // regex_match will throw runtime_error if regexp is too complex.
    {
        return VirusScanningResult("ClamAVVirusScanner::Scan", "Unable to parse regular expression.");
    }
}
if (!commandConnection.Write(to_string(htonl(sizeof(*pBuf)))))
SørenR.
Woke is Marxism advancing through Maoist cultural revolution.
Re: BUG: ClamAV 0.104.0 does not work
What if you LOG_DEBUG that value? Just to check if it holds proper values... not behind my PC right now, so cannot check
LOG_DEBUG(Formatter::Format("big endian, 4 bytes: {0}", to_string(htonl(sizeof(*pBuf)))));
Re: BUG: ClamAV 0.104.0 does not work
Chunk size is 4096 (int), 4096 in hex is "0x1000" and Big Endian should be "0x0001" No ??
SørenR.
Re: BUG: ClamAV 0.104.0 does not work
Hmm....
Code: Select all
"DEBUG" 4020 "2022-02-10 13:28:39.698" "Connecting to ClamAV virus scanner..."
"DEBUG" 4020 "2022-02-10 13:28:39.701" "big endian, 4 bytes: {0} 201326592"
"DEBUG" 4020 "2022-02-10 13:28:39.719" "No virus detected: INSTREAM size limit exceeded. ERROR"
"DEBUG" 4020 "2022-02-10 13:28:39.723" "Connecting to ClamAV virus scanner..."
"DEBUG" 4020 "2022-02-10 13:28:39.725" "big endian, 4 bytes: {0} 201326592"
"DEBUG" 4020 "2022-02-10 13:28:39.751" "No virus detected: INSTREAM size limit exceeded. ERROR"
SørenR.
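The debug log above records a clamd error reply as "No virus detected", because the posted parser treats every reply that does not match FOUND as clean. An added example (not code from the thread or from hMailServer; the type and function names are chosen here, and the FOUND line in the test input is constructed) that accepts only an explicit OK as clean:

```cpp
#include <regex>
#include <string>

// Outcome of one clamd INSTREAM reply. Names are chosen for this example.
enum class ScanVerdict { Clean, Infected, ScannerError };

struct ScanReply {
    ScanVerdict verdict;
    std::string detail;  // signature name, or the raw reply on error
};

// Classify a single reply line from clamd.
// Only an explicit "stream: OK" counts as clean. A reply that is neither
// OK nor FOUND (for example "INSTREAM size limit exceeded. ERROR") is
// returned as ScannerError so the caller can defer or reject the message
// instead of delivering it unscanned.
ScanReply ClassifyClamdReply(std::string line) {
    // Strip the line terminator clamd appends ('\n', or '\0' in z-mode).
    while (!line.empty() && (line.back() == '\n' || line.back() == '\r' ||
                             line.back() == '\0'))
        line.pop_back();

    static const std::regex found("^stream.*: (.*) FOUND$");
    static const std::regex clean("^stream.*: OK$");
    std::smatch m;
    if (std::regex_match(line, m, found))
        return {ScanVerdict::Infected, m[1].str()};
    if (std::regex_match(line, clean))
        return {ScanVerdict::Clean, ""};
    return {ScanVerdict::ScannerError, line};
}
```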
Re: BUG: ClamAV 0.104.0 does not work
Would the problem not be to_string()?
Re: BUG: ClamAV 0.104.0 does not work
I think I'm mixing apples and pears...
LOG_DEBUG("size of *pBuf " + to_string(sizeof(pBuf)));
Code: Select all
"DEBUG" 2916 "2022-02-10 13:38:28.703" "size of *pBuf 12"
Code: Select all
const int STREAM_BLOCK_SIZE = 4096;
std::shared_ptr<ByteBuffer> pBuf = oFile.ReadChunk(STREAM_BLOCK_SIZE);
SørenR.
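The 201326592 in the earlier log is 12 byte-swapped (12 × 2^24) and written out as decimal text, so the scanner receives ASCII digits where it expects a 4-byte length. The following added example (not code from the thread or from hMailServer; function names are chosen here, and a little-endian host is assumed) frames a chunk with a raw big-endian length of the data actually read, and shows how a receiver interprets the posted prefix:

```cpp
#include <cstdint>
#include <string>
#include <vector>

// Frame one INSTREAM chunk: a 4-byte length in network byte order (raw
// bytes, not text) followed by exactly that many bytes of data.
std::string FrameChunk(const std::vector<unsigned char>& data) {
    const uint32_t n = static_cast<uint32_t>(data.size());
    std::string frame;
    for (int shift = 24; shift >= 0; shift -= 8)
        frame.push_back(static_cast<char>((n >> shift) & 0xFF));
    frame.append(data.begin(), data.end());
    return frame;
}

// The zero-length chunk that terminates the stream.
std::string FrameEnd() { return std::string(4, '\0'); }

// How a receiver interprets the start of a chunk: the first four bytes
// taken as a big-endian unsigned integer.
uint32_t ParsePrefix(const std::string& wire) {
    uint32_t n = 0;
    for (int i = 0; i < 4; i++)
        n = (n << 8) | static_cast<unsigned char>(wire.at(i));
    return n;
}

// Reproduces the prefix built by to_string(htonl(sizeof(*pBuf))) on a
// little-endian host (assumption): the object size is byte-swapped and
// then written as decimal text instead of four raw bytes.
std::string PostedPrefix(uint32_t objectSize) {
    const uint32_t swapped = ((objectSize & 0x000000FFu) << 24) |
                             ((objectSize & 0x0000FF00u) << 8) |
                             ((objectSize & 0x00FF0000u) >> 8) |
                             ((objectSize & 0xFF000000u) >> 24);
    return std::to_string(swapped);
}
```

With an object size of 12, `PostedPrefix` yields the text `201326592`; its first four characters read as a length of 842019123 bytes, which is consistent with the "INSTREAM size limit exceeded" reply.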
Re: BUG: ClamAV 0.104.0 does not work
I have had the same trouble since upgrading ClamAV to version 0.104.2.0: I get an UNKNOWN RESPOND when I run a test of ClamAV in hMailServer.
So I also upgraded to the latest hMailServer version (5.6. , but still the same trouble.
Finally I went back to my previous ClamAV version (0.102.2.0), which was working well.
But in this version freshclam doesn't work anymore, so the virus signatures are no longer updated.
Did anyone find a solution?
Re: BUG: ClamAV 0.104.0 does not work
I've been running the INSTREAM mod (my version) for almost 1 week now on two servers with 0.103.3. No issues so far.
This weekend I'll be upgrading to 0.104.x 64-bit.
SørenR.
Re: BUG: ClamAV 0.104.0 does not work
SorenR wrote: ↑2022-02-18 22:50
> I've been running the INSTREAM mod (my version) for almost 1 week now on two servers with 0.103.3. No issues so far.
> This weekend I'll be upgrading to 0.104.x 64-bit.
Me too, custom 5.7.x build, the only thing that bothers me is the 1 line difference between 5.6.x and 5.7.x that doesn't compute (you probably know what I am talking about, I adapted your union approach)
Maybe make a PR?
I already stated I won't be making a PR, as the guy requesting it said it was an easy fix... so I'm waiting for his efforts and PR (and as I am still on 103.5 I have no immediate demand for it)
Re: BUG: ClamAV 0.104.0 does not work
the 0.103.5 version works well !
Thanks RvdH !
Re: BUG: ClamAV 0.104.0 does not work
Well, 0.103.5 has now expired and I can't find a 0.103.6, so I tried to switch to ClamAV from https://www.clamav.net/downloads#otherversions (win32 to be exact). I get the UNKNOWN ERROR when I test ClamAV. Has this issue been fixed yet? Just curious if I need to switch up something here.
Re: BUG: ClamAV 0.104.0 does not work
Cyberslog wrote: ↑2022-05-07 18:53
> Well, 0.103.5 has now expired and I can't find a 0.103.6, so I tried to switch to ClamAV from https://www.clamav.net/downloads#otherversions (win32 to be exact). I get the UNKNOWN ERROR when I test ClamAV. Has this issue been fixed yet? Just curious if I need to switch up something here.
https://www.hmailserver.com/forum/viewt ... 38#p237938
SørenR.
Re: BUG: ClamAV 0.104.0 does not work
SorenR wrote: ↑2022-05-07 23:52
> Cyberslog wrote: ↑2022-05-07 18:53
> > Well, 0.103.5 has now expired and I can't find a 0.103.6, so I tried to switch to ClamAV from https://www.clamav.net/downloads#otherversions (win32 to be exact). I get the UNKNOWN ERROR when I test ClamAV. Has this issue been fixed yet? Just curious if I need to switch up something here.
> https://www.hmailserver.com/forum/viewt ... 38#p237938
Excellent work! Thank you!
Re: BUG: ClamAV 0.104.0 does not work
ClamAV people keep pushing out new versions/branches like mushrooms, as of 2022-05-03 we now have 0.103.6, 0.104.3 and the new 0.105.0 to choose from, but a decent change-log is too much to ask, I guess
For vanilla hMailserver 5.6.x you need 0.103.x, for 0.104.x and/or 0.105.x you need this (.46) mod/alternate build
Re: BUG: ClamAV 0.104.0 does not work
RvdH wrote: ↑2022-05-11 20:15
> ClamAV people keep pushing out new versions/branches like mushrooms, as of 2022-05-03 we now have 0.103.6, 0.104.3 and the new 0.105.0 to choose from, but a decent change-log is too much to ask, I guess
> For vanilla hMailserver 5.6.x you need 0.103.x, for 0.104.x and/or 0.105.x you need this (.46) mod/alternate build
Looks like this is as close as can be found: https://github.com/Cisco-Talos/clamav/c ... b36fa70ae9. Also, I noted that v105 is destined to be a 1.0 release! https://github.com/Cisco-Talos/clamav/c ... a4f37109c9
Thanks for your work RvdH!
Re: BUG: ClamAV 0.104.0 does not work
Cyberslog wrote: ↑2022-05-07 18:53
> Well, 0.103.5 has now expired and I can't find a 0.103.6, so I tried to switch to ClamAV from https://www.clamav.net/downloads#otherversions (win32 to be exact). I get the UNKNOWN ERROR when I test ClamAV. Has this issue been fixed yet? Just curious if I need to switch up something here.
0.103.6
https://oss.netfarm.it/clamav/
Re: BUG: ClamAV 0.104.0 does not work
RvdH wrote: ↑2022-06-17 08:53
> Cyberslog wrote: ↑2022-05-07 18:53
> > Well, 0.103.5 has now expired and I can't find a 0.103.6, so I tried to switch to ClamAV from https://www.clamav.net/downloads#otherversions (win32 to be exact). I get the UNKNOWN ERROR when I test ClamAV. Has this issue been fixed yet? Just curious if I need to switch up something here.
> 0.103.6
> https://oss.netfarm.it/clamav/