Hi All,
I'm using ClamAV together with Mercury on a Windows
XP box and v 0.95 works great so far. Now I wanted to upgrade to
0.97.7 but I can't get it working. If I start clamd manually in a
shell, I can see that it is coming up "normal" and the process is
visible in the task manager. The first mail is scanned OK and if it
contains a virus attachment, clamd detects it. So far, so good. But
from that moment on, it stops working and every next call is not
processed anymore. No idea what is going on... I tried to activate
logs but the log does not say much. Is there a way to increase the
log level to get more information?
I tried something else:
I started clamd in one shell window and opened another shell to
connect with telnet and 127.0.0.1 3310 and it gets connected.
Pressing any key, I get UNKNOWN COMMAND and telnet exits. If I
repeat this test, I can key in as much as I like, the UNKNOWN
COMMAND error message does not appear anymore and telnet keeps
running. If I do this with the OK working 0.95 installation, I get
UNKNOWN COMMAND every time and telnet always exits after that.
I think it is something specific to this Windows machine because the
telnet test shows the v0.95 behavior on every other machine I tested
with.
Log output:
Sat Mar 16 23:12:35 2013 -> +++ Started at Sat Mar 16 23:12:35 2013
Sat Mar 16 23:12:35 2013 -> clamd daemon 0.97.7 (OS: win32, ARCH: i386, CPU: i386)
Sat Mar 16 23:12:35 2013 -> Log file size limited to 1048576 bytes.
Sat Mar 16 23:12:35 2013 -> Reading databases from c:\Programme\Tools\ClamAV_0.97.7\data
Sat Mar 16 23:12:35 2013 -> Not loading PUA signatures.
Sat Mar 16 23:12:35 2013 -> Bytecode: Security mode set to "TrustSigned".
Sat Mar 16 23:12:42 2013 -> Loaded 2005376 signatures.
Sat Mar 16 23:12:43 2013 -> TCP: Bound to address 127.0.0.1 on port 3310
Sat Mar 16 23:12:43 2013 -> TCP: Setting connection queue length to 200
Sat Mar 16 23:12:43 2013 -> Limits: Global size limit set to 104857600 bytes.
Sat Mar 16 23:12:43 2013 -> Limits: File size limit set to 26214400 bytes.
Sat Mar 16 23:12:43 2013 -> Limits: Recursion level limit set to 16.
Sat Mar 16 23:12:43 2013 -> Limits: Files limit set to 10000.
Sat Mar 16 23:12:43 2013 -> Archive support enabled.
Sat Mar 16 23:12:43 2013 -> Algorithmic detection enabled.
Sat Mar 16 23:12:43 2013 -> Portable Executable support enabled.
Sat Mar 16 23:12:43 2013 -> ELF support enabled.
Sat Mar 16 23:12:43 2013 -> Detection of broken executables enabled.
Sat Mar 16 23:12:43 2013 -> Mail files support enabled.
Sat Mar 16 23:12:43 2013 -> OLE2 support enabled.
Sat Mar 16 23:12:43 2013 -> PDF support enabled.
Sat Mar 16 23:12:43 2013 -> HTML support enabled.
Sat Mar 16 23:12:43 2013 -> Self checking every 600 seconds.
Sat Mar 16 23:12:43 2013 -> Listening daemon: PID: 532
Sat Mar 16 23:12:43 2013 -> MaxQueue set to: 100
Sat Mar 16 23:13:24 2013 -> instream(127.0.0.1@27033): Exploit.Fnstenv_mov-1 FOUND
Any idea what this could be or how I can track this down?
btw: Turning off Windows Firewall does not make any difference.
Thanks a lot!
Konrad
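Added example (not part of Konrad's post and not ClamAV project code): a small Python probe that reproduces the telnet test above in a controlled way. It connects to clamd on 127.0.0.1:3310, sends PING, VERSION and an INSTREAM scan of the EICAR test string on a fresh connection each time, and repeats that for several rounds with a socket timeout, so a daemon that stops answering after its first detection shows up as an explicit TIMEOUT on a named step instead of a silent hang. The wire format used is the documented clamd protocol ("z"-prefixed, NUL-terminated commands; INSTREAM chunks framed by a 4-byte big-endian length and closed by a zero-length chunk). The host, port, round count and timeout values are assumptions to adjust for the machine under test.

```python
import socket
import struct

# Constructed sample input: the EICAR test string, which ClamAV reports as a
# detection although it is harmless. Split in two literals so the script file
# itself is not flagged when it sits on disk.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")


def instream_frames(data: bytes, chunk_size: int = 4096) -> bytes:
    """Encode an INSTREAM request in clamd's wire format: 'z'-prefixed command,
    NUL terminator, then <4-byte big-endian length><chunk> frames, closed by a
    zero-length frame."""
    out = bytearray(b"zINSTREAM\0")
    for off in range(0, len(data), chunk_size):
        chunk = data[off:off + chunk_size]
        out += struct.pack(">I", len(chunk)) + chunk
    out += struct.pack(">I", 0)
    return bytes(out)


def parse_reply(raw: bytes) -> dict:
    """Classify one clamd reply ('z' replies end in NUL, 'n' replies in LF)."""
    text = raw.rstrip(b"\0\n").decode("utf-8", "replace")
    if text == "PONG":
        return {"status": "PONG", "text": text}
    if text.startswith("ClamAV"):
        return {"status": "VERSION", "text": text}
    if text.endswith(" FOUND"):
        # e.g. 'stream: Eicar-Test-Signature FOUND' -> the signature name
        name = text[:-len(" FOUND")].split(": ", 1)[-1]
        return {"status": "FOUND", "signature": name, "text": text}
    if text.endswith(" OK"):
        return {"status": "OK", "text": text}
    if text.endswith(" ERROR") or text == "UNKNOWN COMMAND":
        return {"status": "ERROR", "text": text}
    return {"status": "OTHER", "text": text}


def clamd_request(payload: bytes, host: str = "127.0.0.1", port: int = 3310,
                  timeout: float = 10.0) -> dict:
    """Send one request on a fresh connection (clamd closes the connection after
    a single non-session command) and read until the NUL-terminated reply
    arrives, the daemon closes the socket, or the timeout fires."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(payload)
            buf = bytearray()
            while not buf.endswith(b"\0"):
                piece = s.recv(4096)
                if not piece:
                    break
                buf += piece
            return parse_reply(bytes(buf))
    except socket.timeout:
        return {"status": "TIMEOUT", "text": f"no reply within {timeout}s"}
    except OSError as e:
        return {"status": "CONNECT_ERROR", "text": str(e)}


def probe(host: str = "127.0.0.1", port: int = 3310, rounds: int = 3,
          timeout: float = 10.0) -> list:
    """Repeat PING / VERSION / INSTREAM to see whether the daemon keeps answering
    after its first detection. Returns (round, step, status, text) tuples and
    stops at the first step that times out or cannot connect."""
    results = []
    for i in range(1, rounds + 1):
        for label, payload in (("PING", b"zPING\0"),
                               ("VERSION", b"zVERSION\0"),
                               ("INSTREAM", instream_frames(EICAR))):
            r = clamd_request(payload, host, port, timeout)
            results.append((i, label, r["status"], r["text"]))
            print(f"round {i} {label:8s} -> {r['status']}: {r['text']}")
            if r["status"] in ("TIMEOUT", "CONNECT_ERROR"):
                return results  # the daemon stopped answering; no point going on
    return results


if __name__ == "__main__":
    probe()
```

Run it against the 0.95 and the 0.97.7 installation in turn and compare where the sequence first diverges; a healthy daemon answers PONG, a version string and "stream: Eicar-Test-Signature FOUND" in every round, and the step at which the 0.97.7 run first reports TIMEOUT (or an unexpected reply) pins down whether the daemon stops accepting connections, stops replying to commands, or only fails on the stream scan.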