Bug 361921 - [PATCH] Extra unrecognized clamav-milter lines
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: logwatch
Version: 7
Hardware: All Linux
Priority: low, Severity: low
Assigned To: Ivana Varekova
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-11-01 10:56 EDT by Derek Atkins
Modified: 2007-11-30 17:12 EST
Doc Type: Bug Fix
Last Closed: 2007-11-06 09:39:21 EST
Description Derek Atkins 2007-11-01 10:56:30 EDT
Description of problem:

I recently upgraded a server from FC4 to F7 and now I'm getting tons of
unrecognized clamav output lines in my daily log reports.  In particular, I get
lines like:

 **Unmatched Entries**
 /tmp/clamav-9e1f83d4b9b64fbb175a994c03a1c3aa/msg.vNhKS6: Worm.Mydoom.M FOUND 

Version-Release number of selected component (if applicable):

logwatch-7.3.4-6.fc7
clamav-milter-0.91.2-2.fc7

How reproducible:

It happens every day.

Steps to Reproduce:
1. Enable clamav-milter
2. Wait for some worm to hit you
3. Read the logwatch
  
Actual results:

 Infected messages:
    W32.Cuter: 5 Message(s)
    W32.Sality.Q-1: 3 Message(s)
    Worm.Mydoom.M: 114 Message(s)
 
 **Unmatched Entries**
 /tmp/clamav-9e1f83d4b9b64fbb175a994c03a1c3aa/msg.vNhKS6: Worm.Mydoom.M FOUND 
 /tmp/clamav-9e1f83d4b9b64fbb175a994c03a1c3aa/msg.auRBm7: Worm.Mydoom.M FOUND 
 [snip]

Expected results:

no unmatched entries...

Additional info:

This patch (untested at this point; I'll know tomorrow) might fix it:

--- /usr/share/logwatch/scripts/services/clamav-milter~ 2007-04-13 09:51:58.0000
00000 -0400
+++ /usr/share/logwatch/scripts/services/clamav-milter  2007-11-01 10:45:06.0000
00000 -0400
@@ -28,6 +28,8 @@
       $DaemonStop++;
    } elsif (($ThisLine =~ /^Starting/)) {
       $DaemonStart++;
+   } elsif (($ThisLine =~ m#^/tmp/clamav-#)) {
+     # Do not care about this
    } else {
       push @OtherList,$ThisLine;
    }
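Review bot: the new `elsif` branch matches on the `/tmp/clamav-` prefix alone, so every line that starts with that path is silently dropped from `@OtherList`, not only the `... FOUND` scan results shown in the report. Anchoring the tail as well, for example `m#^/tmp/clamav-\S+: .+ FOUND\s*$#`, would keep any other message under that prefix visible in the Unmatched Entries section. The `# Do not care about this` comment should also say why the line can be ignored, and its indentation is one space short of the other branch bodies.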
Comment 1 Ivana Varekova 2007-11-06 05:35:39 EST
Please could you send me a grep from your /var/log/maillog file, where these
logs will be.
Comment 2 Derek Atkins 2007-11-06 08:38:15 EST
Does it come from maillog or /var/log/clamav-milter?  Sure, I can give you a
grep; what exactly do you want me to grep for?
Comment 3 Derek Atkins 2007-11-06 08:42:19 EST
My clamd.milter file has entries like:

/tmp/clamav-b96e0a005b2be94e/msg.vMfLUI: Worm.Mytob.V FOUND
/tmp/clamav-b96e0a005b2be94e/msg.zDn967: Worm.Mytob.V FOUND
LibClamAV Warning: Not reloading database until idle - waiting for 1 children
LibClamAV Warning: Not accepting inputs at the moment
LibClamAV Warning: Not accepting inputs at the moment
LibClamAV Warning: Waiting for 0 children until databae reload

My /var/log/maillog has entries like:

Nov  4 09:27:38 cvs clamav-milter[2865]:
/tmp/clamav-9e1f83d4b9b64fbb175a994c03a1c3aa/msg.NC9OnG: Worm.Mydoom.M FOUND 
Nov  4 09:27:38 cvs clamav-milter[2865]: lA4ERbF4012304:
/tmp/clamav-9e1f83d4b9b64fbb175a994c03a1c3aa/msg.NC9OnG: Worm.Mydoom.M
Intercepted virus from <noreply@gnucash.org> to gnucash-user 
Nov  4 09:27:41 cvs clamav-milter[2865]:
/tmp/clamav-9e1f83d4b9b64fbb175a994c03a1c3aa/msg.sHwz9v: Worm.Mydoom.M FOUND 
Nov  4 09:27:41 cvs clamav-milter[2865]: lA4EReWj012312:
/tmp/clamav-9e1f83d4b9b64fbb175a994c03a1c3aa/msg.sHwz9v: Worm.Mydoom.M
Intercepted virus from <MAILER-DAEMON@lists.gnucash.org> to gnucash-user 
Nov  4 09:31:47 cvs clamav-milter[2865]: Database has changed, loading updated
database 
Nov  4 09:31:51 cvs clamav-milter[2865]: Loaded ClamAV 0.91.2/4672/Sun Nov  4
06:38:42 2007 
Nov  4 09:31:51 cvs clamav-milter[2865]: ClamAV: Protecting against 164207 viruses 
Comment 4 Ivana Varekova 2007-11-06 09:39:21 EST
Thanks. Fixed in logwatch-7.3.6-11.fc9.
