MAJOR - All files detected as {CAV}lstat() #59

Closed
jcarnus opened this issue Sep 19, 2015 · 14 comments

Comments

@jcarnus

jcarnus commented Sep 19, 2015

All in the title

@jcarnus
Author

jcarnus commented Sep 19, 2015

Seems to be linked to #58

maldet(9229): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(9229): {scan} file list completed in 1s, found 45 files...
maldet(9229): {scan} found clamav binary at /usr/bin/clamdscan, using clamav scanner engine...
maldet(9229): {scan} scan of /home/* (45 files) in progress...
maldet(9229): {scan} clamscan returned an error, check /usr/local/maldetect/logs/clamscan_log for more details!
maldet(9229): {scan} processing scan results for hits: 45 hits 0 cleaned
maldet(9229): {scan} scan completed on /home/*: files 45, malware hits 45, cleaned hits 0, time 1s

@jcarnus jcarnus changed the title All files detected as {CAV}lstat() MAJOR - All files detected as {CAV}lstat() Sep 19, 2015
@lgonzalez-silen

I see in the clamd.log

WARNING: lstat() failed on: fileabc

for every file while a maldet -a is going on. I also saw in the shell

maldet(8397): {scan} found clamav binary at /usr/bin/clamdscan, using clamav scanner engine...
maldet(8397): {scan} scan of /home (29137 files) in progress...
maldet(8397): {scan} processing scan results for hits: 1234 hits 0 cleaned

The first time this happened I chickened out and killed the process. Then I reviewed conf.maldet and saw that quarantine_hits=0, which is great, so I'm running it again. Same behavior showing a lot of hits and lstat fails...

@rfxn
Owner

rfxn commented Sep 19, 2015

What OS version? (cat /etc/redhat-release)
What ClamAV version? (clamd -V)
Can you run a quick scan with sh -x (e.g. sh -x maldet -co quarantine_hits=0 -a /some/path > /root/debug.maldet 2>&1 /root/debug.maldet) and send me the debug output?

@jcarnus
Author

jcarnus commented Sep 19, 2015

The issue is that clamdscan cannot scan the file because of an Access Denied error.
The result is that the file is considered a virus because of the access error, and maldet deletes it.
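The distinction this thread turns on, as an added example that is neither maldet's nor ClamAV's own code: only clamdscan lines ending in FOUND are detections, while lstat()/access failures and unsupported-option warnings are scan errors that must be reported rather than quarantined. The sample output is constructed, and the exact wording of the "Access denied" ERROR line is an assumption.

```shell
#!/bin/sh
# Added example, not maldet's own code: classify clamdscan output so that
# scanner errors are never counted as malware hits. clamdscan reports a real
# detection as "<path>: <signature> FOUND"; failures arrive as "WARNING: ..."
# lines or "<path>: <message> ERROR" lines. Counting every output line as a
# hit is what produces results like "{CAV}lstat()" or "{CAV}Access".

# Constructed sample of one clamdscan run: two real detections mixed with
# three failure lines (the ERROR line's wording is assumed).
SAMPLE_OUTPUT='/home/user/a.php: Eicar-Test-Signature FOUND
WARNING: lstat() failed on: /home/user/b.php
/home/user/c.txt: Access denied. ERROR
/home/user/d.sh: Unix.Trojan.Generic-1 FOUND
WARNING: Ignoring unsupported option --max-filesize'

# naive_hits: the buggy view, every non-empty output line is a "hit" (stdin)
naive_hits() {
    grep -c .
}

# real_hits: only lines ending in " FOUND" are detections (stdin)
real_hits() {
    grep -c ' FOUND$'
}

# scan_errors: WARNING/ERROR lines, to be surfaced in the scan log, not
# treated as malware (stdin)
scan_errors() {
    grep -c -E '^WARNING: | ERROR$'
}

# hit_list: print "path: {CAV}signature" for each real detection only, so the
# signature name is taken from a FOUND line and never from an error message
hit_list() {
    sed -n 's/^\(.*\): \(.*\) FOUND$/\1: {CAV}\2/p'
}

printf '%s\n' "$SAMPLE_OUTPUT" | naive_hits   # prints 5: the false-positive count
printf '%s\n' "$SAMPLE_OUTPUT" | real_hits    # prints 2
printf '%s\n' "$SAMPLE_OUTPUT" | scan_errors  # prints 3
printf '%s\n' "$SAMPLE_OUTPUT" | hit_list
```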

@lgonzalez-silen

My scan finished with lots of false positives and one command not found (see below)

CentOS release 6.7 (Final)
ClamAV 0.98.4/20927/Fri Sep 18 12:41:20 2015

maldet(8397): {scan} processing scan results for hits: 15196 hits 0 cleaned
maldet(8397): {scan} scan completed on /home: files 29137, malware hits 15196, cleaned hits 0, time 1702s
maldet(8397): {scan} scan report saved, to view run: maldet --report 150919-0928.8397
maldet(8397): {scan} quarantine is disabled! set quarantine_hits=1 in conf.maldet or to quarantine results run: maldet -q 150919-0928.8397
/usr/local/maldetect/internals/functions: line 1165: -s: command not found
maldet(8397): {alert} sent scan report to root@localhost

@rfxn
Owner

rfxn commented Sep 19, 2015

I need the debug output file from my sample command above, debug.maldet:
sh -x maldet -co quarantine_hits=0 -a /some/path > /root/debug.maldet 2>&1 /root/debug.maldet

@lgonzalez-silen

I ran it and was inspecting/sanitizing. :-)

Where should I send the file?

@rfxn
Owner

rfxn commented Sep 19, 2015

ryan at rfxn.com please

@rfxn
Owner

rfxn commented Sep 19, 2015

An update has been pushed out to resolve this issue. Please run 'maldet -d' to update to the latest release.

Further, if you got bitten by this in any way, you can use the 'maldet -e list' command to review the scan result summary; the scan session id with false positive hits can be restored in its entirety with:
maldet --restore SCANID

Thank you for the feedback!

@rfxn rfxn closed this as completed Sep 19, 2015
@jcarnus
Author

jcarnus commented Sep 19, 2015

Are you sure the update was pushed?

maldet -d changes nothing...

Jérémy

On 19/09/2015 11:41, Ryan MacDonald wrote:

An update has been pushed out to resolve this issue. Please run
'maldet -d' to update to the latest release.

Further, if you got bitten by this in any way, you can use the 'maldet
-e list' command to review scan result summary, the scan session id
with false positive hits can be restored in its entirety with:
maldet --restore SCANID

Thank you for the feedback!


Jérémy Carnus

@captainwasabi

verified, I'm not picking up a new drop either.

@captainwasabi

got a new drop

@lgonzalez-silen

Not getting {CAV}Access hits any longer, thanks!

I still get a bunch of WARNING: lstat() failed on: in the clamd log when the scan runs, but everything seems ok.

@niladam

niladam commented Sep 23, 2015

Any news on this? I'm also being affected by this, however my errors are like this:

Linux Malware Detect v1.5
            (C) 2002-2015, R-fx Networks <proj@rfxn.com>
            (C) 2015, Ryan MacDonald <ryan@rfxn.com>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(968): {scan} signatures loaded: 10822 (8908 MD5 / 1914 HEX / 0 USER)
maldet(968): {scan} building file list for Jupiter-child/, this might take awhile...
maldet(968): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(968): {scan} file list completed in 0s, found 5266 files...
maldet(968): {scan} found clamav binary at /usr/bin/clamdscan, using clamav scanner engine...
maldet(968): {scan} scan of Jupiter-child/ (5266 files) in progress...
maldet(968): {scan} clamscan returned an error, check /usr/local/maldetect/logs/clamscan_log for more details!

maldet(968): {scan} scan completed on Jupiter-child/: files 5266, malware hits 0, cleaned hits 0, time 7s
maldet(968): {scan} scan report saved, to view run: maldet --report 150923-1459.968

And the clamscan says:

Sep 23 15:03:12 whm clamscan start
Sep 23 15:03:12 whm executed: /bin/nice -n 19 /usr/bin/ionice -c2 -n 6 /usr/bin/clamdscan --max-filesize=5M --max-scansize=5M -d /usr/local/maldetect/tmp/.runtime.user.2565.hdb -d /usr/local/maldetect/tmp/.runtime.user.2565.ndb  -r --infected --no-summary -f /usr/local/maldetect/tmp/.find.2565
WARNING: Ignoring unsupported option --max-filesize
WARNING: Ignoring unsupported option --max-scansize
WARNING: Ignoring unsupported option --database (-d)
WARNING: Ignoring unsupported option --database (-d)
WARNING: Ignoring unsupported option --recursive (-r)
Sep 23 15:03:12 whm clamscan end
Sep 23 15:03:12 whm clamscan end

Also, the number of files is very wrong. The number is actually 5 files.
