scan rum freeses on long filenames

Sergey,

Please open a terminal window, and type "clamtk" (no quotes). Then run the scan that is causing problems.

This way, we can see if there are any error messages coming up. If there are, please post them back here.

Thanks,
Dave M

Dear Dave!

Thanks for the reply!

The messages are:

sergey@probook4520s:~> clamtk
*** unhandled exception in callback:
*** couldn't fork: Слишком длинный список аргументов
*** ignoring at /usr/lib/ClamTk/GUI.pm line 553.
sergey@probook4520s:~>

The translation is:
*** couldn't fork: Too long list of arguments

Just for case I attach the mentioned file.

Also, I did a few more tests:
- if I do
su root
clamtk

then GUI interface appears and all scans work properly including "whole computer"
But this is what I expect from ClamTk program - to work automatically, without my manual efforts.

Also, regarding the case I mentioned in initial bug info:
- having seen (on GUI frontend) which directories cause the problem I tried to pack then into .tar archive deleting in such a way the "longest" places
- it gave some result - next scan run stopped on another place... again, if to make it "shorter" it passed too... until the next place...
So, really looks like a too-long-names problem, but the same modules work fine having ClamTk started under root...
But if the problem is with permissions then why it works with "shorter" directories?

Also, signatures are not updating using the ordinary way, so I had to run
su root
clamtk
then configured update schedule, then it works, and GUI sees them even being started under usual user.

Before I used Ubuntu 10.04 LTS on a desktop PC, there ClamTk works perfectly, but I had to use SUSE SLED preinstalled on my laptop because of the hardware drivers that I can't find in .deb. And here doesn't work :(

Best regards,
Sergey Murzin

> Sergey,
>
> Please open a terminal window, and type "clamtk" (no quotes). Then run
> the scan that is causing problems.
>
> This way, we can see if there are any error messages coming up. If
> there are, please post them back here.
>
> Thanks,
> Dave M
>

Sergey,

I'm not sure what to do about this. The message "Argument list too long" is in regards to a kernel limitation. I'm wondering if the kernel used with SUSE SLED is too old, since this is not supposed to be a problem with newer kernels.

One workaround could be for me to rewrite the scanning portion to have ClamAV scan a list of filenames from a file rather than the way it is done now.

I'll keep playing with this and see what happens... Just wanted to post something back.

Thanks,
Dave M

Dear Dave!

First of all I'm quit surprised that you're spending time for this issue
during the weekend. So, thank you for that and respect!

Secondly, some notes regarding SuSE:
- I started with Linux from Ubuntu 10.04 LTS - there ClamTk installes
from standard repository and works perfectly;
- then on my laptop I HAD to use SuSE because one was installed on
factory - due to quit poor support of hardware drivers for Linux I
wasn't able to keep working with Ubuntu here;
- so, I just mirror my linux experience to SuSE using known software for
the purposes I need;
- in particular - even to install Clamtk I had to perform lot of job,
first having installed lot of perl libraries manually (to let rpm
install it) and then had to download one source module and putting it
into needed folder (to let ClamTk run). Again - I did not get any rpm
error messages, but I got system errors like "reference to ...
module...cannot find, line..." and so on.

Now about the issue:
- speaking about me its not a critical problem, at least I can split
scan for different folders, use root privileges to run scan then study
logs under root etc (I wrote you that ClamTk works being started after
su root);
- but if you are interesting rather in making ClamTk more "independent"
from OS version then (after your last message I really believe that)
before rewriting any parts of software I would first ask for another
questions:
Why rpm installs ClamTk package without checking if all needed perl
modules are installed?
...and correspondingly...
"How to check if ClamTk has all needed media for proper work"?
After answering this questions we'd be able to split somehow where are
ClamTk errors, but were are ClamTk installation errors.

Probably I need to send you some apologizes because I did not note
mentioned installation problems before, but, as one of my favorite
humorists sad: I wanna be as clever as my wife "after" :)
However, from my side I'm ready to provide you with any needed
information regarding the issue, spend time for experiments etc, so
please do not hesitate to ask me whatever you need.

finally, the kernel version is 2.6.32.36-0.5-pae

Best regards,
Sergey

> Sergey,
>
> I'm not sure what to do about this. The message "Argument list too
> long" is in regards to a kernel limitation. I'm wondering if the kernel
> used with SUSE SLED is too old, since this is not supposed to be a
> problem with newer kernels.
>
> One workaround could be for me to rewrite the scanning portion to have
> ClamAV scan a list of filenames from a file rather than the way it is
> done now.
>
> I'll keep playing with this and see what happens... Just wanted to post
> something back.
>
> Thanks,
> Dave M
>

Sergey,

The Debian and Ubuntu builds should install properly because they are built either by myself or by the official Debian maintainer (he is the smart one, not me :). My question is: where did you get the rpm for SUSE? If the dependencies are not satisfied, then we need to let the packager know. I do not build the SUSE rpms, but I would be happy to contact the person who did and let them know its dependencies need to be updated. Personally, I build the Fedora and CentOS rpms, as well as some of the Debian/Ubuntu debs, so those should be okay. It sounds to me like the SUSE rpm needs to be updated.

Now as to the other problem... I do not know for sure, but it could be that SUSE is allowing a smaller amount of memory to regular users, but allowing root to have as much as it needs. The kernel version should be recent enough, so that is probably not the problem. Does it have enough memory?

I could probably re-write how the scanning is accomplished... instead of the current method, save a list of the files to be scanned to a file, and then read the file. If I have time today, I will rewrite it and see if that fixes the issue.

respectfully
dave

Dear Dave!

Please excuse me for the delay with the answer.

I guess I have more than enough memory = 3GB minus small part for video (128 I guess).

Now Inform you about the rpm details:

- I tried to use several sources hoping one of them will work, but every one had equal effect - now I cannot say it for sure (which one), but usually my preference is to use this source, because it offers "one click installation"
http://software.opensuse.org/search?q=clamtk&baseproject=SUSE%3ASLE-11%3ASP1&lang=ru&exclude_debug=true

- also, among my browser's logs I found the link to those perl file I used that was missing AFTER rpm reported that all dependencies are satisfied:
http://cpan.uwinnipeg.ca/htdocs/Carp-Clan/Carp/Clan.pm.html

- in general I think that "perl" problem is the most obvious in the case we discuss: SuSE doesn't have Perl as a standard part of the system, but Ubuntu has, so I really think that we face the situation when every problem is not because of ClamTk, not because of Kernel, but because of some problems between Perl and kernel or inside Perl.
To prove the last idea I could say that trying to install screenlets I used in Ubuntu, here in SuSE I got lost among lots of missing things... so to get on-desktop weather forecast I like I finally used another programm - but screenlets also use perl!

Just for case in this respect: clamav version is 0.97-45.1 (i586), is was part of the SuSE installed on the factory.

And one more problem I previously forgot to tell you about (please excuse me once again):
- my Clamtk cannot update the signatures after this process is scheduled in ClamTk
- but being started under root it works!
- after the signatures are updated under root, I can see user's version updated as well
So, its a one more case when the same program gets needed rights in Ubuntu, but doesn't get in SuSE (I say it doing manually - freshclam works only like sudo freshclam)!
(so, my way to solve all problems together is to use:
- ClamTk scheduled under root to perform a whole PC scan and signatures update
- user's interface I use to scan what I need upon necessities
- the disadvantage in such case is to go to root every time I want to check logs
- and my wish for you in this respect is rather to allow ClamTk to use whole set of cron possibilities, but not only daily schedule)

I hope the information I gave to use could help you to clarify the reason of the problem and may be to find some way (hopefully, more or less simple) to fix it.
And you still don't have to hesitate asking me for any assistance :)

Best regards,
Sergey Murzin

> Sergey,
>
> The Debian and Ubuntu builds should install properly because they are
> built either by myself or by the official Debian maintainer (he is the
> smart one, not me :). My question is: where did you get the rpm for
> SUSE? If the dependencies are not satisfied, then we need to let the
> packager know. I do not build the SUSE rpms, but I would be happy to
> contact the person who did and let them know its dependencies need to be
> updated. Personally, I build the Fedora and CentOS rpms, as well as
> some of the Debian/Ubuntu debs, so those should be okay. It sounds to
> me like the SUSE rpm ...

Sergey,

Here are the dependencies of the first clamtk package I saw on the link you provided:
clamav >= 0.88
clamav-db
perl
perl(LWP::UserAgent)
perl(File::Find::Rule)
perl(Date::Calc)
perl(Gtk2)
perl(Locale::gettext)
perl(Net::DNS)
zenity
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(CompressedFileNames) <= 3.0.4-1
/usr/bin/perl
rpmlib(PayloadIsLzma) <= 4.4.2-1

I'm not sure who is maintaining that version, but sending the maintainer this link might help him/her:
http://clamtk.sourceforge.net/clamtk.spec

Regarding the signature updates... can you hit Ctrl-W and tell me which option you have selected? If you have automatic updates scheduled, the updates you run as a user will not be seen. So, if you would like to update signatures yourself, you would need to select "Manual" (Вручную), and then you should see those updates.

respectfully
dave

Dear Dave!

Starting from the 2-nd point (signatures):
I meant that:
- I scheduled update in Automatic mode under user
- several days I checked if ClamTk performs the update - NO (old date in
GUI window)
- but if I did it manually in terminal (sudo freshclam) then I got fresh
signatures and then ClamTk saw them (reported them with fresh dates in
usual GIU window under user)
- so, I understood in a way that ClamTk under user has not enough rights
to start freshclam - THIS WAS the problem I meant
- then I switched update to Manual in ClamTk under user, BUT switched it
to Automatic in ClamTk under root
- so, now I see regularly equally fresh signatures dates in both ClamTk:
user's as well as root's

I didn't get what you wrote properly - this is like it should be or not?

> If you have automatic updates scheduled, the
> updates you run as a user will not be seen.

As for dependencies of the package...
I see quit simple way to check if the problems we discuss are in ClamTk
or not (to avoid you keep on thinking what's wrong in ClamTk especially
if everything is OK there :) ) :

- I could delete ClamTk together with some perl packages and those .pm
file I reported you about

- if you have proper .rpm packages with ClamTk then I would try to
install it and see which dependencies it requres

- either alone or with your help/advice I would install needed Perl
packages (or even better a perl repository from where all of them could
be installed automatically)

The aim is to check if the story with missing perl file will be repeated
or not after rpm will be satisfied with all dependencies (I'm not so
familiar with linux, but I believe that this is wrong if rpm reports OK,
but then something is missing).

If the problem with file will appear then lets fix it "somehow in a
right way", i.e. by installing one more perl package, but not by single
file copying.

And then we could see for sure if ClamTk works properly on SuSE SLED.
If yes - then you (or me - up to you) could report to SuSE about their
"wrong way" to resolve dependencies (I guess regarding perl modules
mostly).
If not - then you'd really have to think about what's wrong with ClamTk.

So, what do you think about?

Best regards,
Sergey

> Sergey,
>
> Here are the dependencies of the first clamtk package I saw on the link you provided:
> clamav >= 0.88
> clamav-db
> perl
> perl(LWP::UserAgent)
> perl(File::Find::Rule)
> perl(Date::Calc)
> perl(Gtk2)
> perl(Locale::gettext)
> perl(Net::DNS)
> zenity
> rpmlib(PayloadFilesHavePrefix) <= 4.0-1
> rpmlib(CompressedFileNames) <= 3.0.4-1
> /usr/bin/perl
> rpmlib(PayloadIsLzma) <= 4.4.2-1
>
> I'm not sure who is maintaining that version, but sending the maintainer this link might help him/her:
> http://clamtk.sourceforge.net/clamtk.spec
>
> Regarding the signature updates... can you hit Ctrl-W and tell me which
> option you have selected? If you have automatic updates scheduled, the
> updates you run as a user will not be seen.

> So, if you would like to
> update signatures yourself, you would need to select "Manual" (Вручную),
> and then you should see those updates.
>
> respectfully
> dave
>

Sergey,

The good news is that I installed openSUSE just to see what would happen when I installed ClamTk. It worked right out of the box. However, I installed 11.4, and not SLED 11.1... I had trouble downloading that one. So there could be differences between the two.

Also, I did reach the maintainer. It turns out it is the same maintainer I spoke to two years ago. :) Anyway, he is going to research this as soon as he can, and maybe he can help us out with the dependencies.

The problem with the AV signatures is this: Just updating signatures requires root privileges. This is not my choice - it is the way ClamAV (and Linux) is. So, by default, the "automatic" signatures is for root to update the signatures. That should happen automatically. For the user to download signatures, we have to store the signatures in his home directory, where he has permissions. ClamTk needs to know where to look for them. It's confusing to me, and I write it... :) I agree with you that things should be easier, and I'm always open for suggestions.

Anyway, hopefully the SUSE maintainer will contact me soon, and maybe we can fix everything. We can always hope.

respectfully
dave

Dear Dave!

I did not get properly why SuSE supports so many versions with single 11
number. I saw on lot of chats that they work quit differently and even
saw some advices like "use 11.1 or 11.2 packages for SLED, but not 11.3
or 11.4". Maybe there some very serious marketing reasons, but it looks
like SuSE and open SuSE are quit different systems.

However, here in Ukraine lot of people rather use Ubuntu, but in the
same time computer dealers sale either Windows7 or SuSE SLED.
SLED really looks like quit professional thing, especially assuming that
most part of users are not programmers, so "Windows-like" or GUI- things
they accept much better. BUT... maybe because of marketing reasons they
made it "as different as possible" to be apart form free OpenSuSE ones.
In this respect I could say that:
- I didn't need to install anything else trying to perform my daily jobs
on PC - everything needed I had already working
- BUT: repositories list was completely empty, so every thing I wanted
to install to investigate (or use the same thing that I like in Ubuntu)
I had to investigate first then add repositories then install, then do
everything again if any problem occurs

So, that means then we'll need to try the result of the maintainer you
mentioned on my PC (your OpenSuSe is not enough :) ). However, I'm ready
to wait then to act in this respect!

As for the signatures:
- I see what you mean
- my opinion is that being a super-programmer I wouldn't need ClamTk at
all, just because everything I need I would configure with ClamAV
- but I'm not a such one, as well as many other users, moreover, me and
they really like obtained from Windows approach - it should be some GUI
tool to check if everything OK, without any efforts and so on. Ii mean a
way when any user could 1) install some program then 2) call to sysadmin
if this program produces error message. That's it!
- in this respect I would think about certain as clear as possible and
as simple as possible instruction regarding how to configure ClamTk in a
way to be like described above (signatures are updates, whole PC is
checked etc). BTW: this is a disadvantage of any program' help I ever
saw: they rather explain how to press buttons than how to get the aims
users need. I'm publisher of B2B guidebooks, so I definitely know how a
practical guidebook should look like and what consist of :)

>From my side (if you share my opinion) I would offer 2 things:
1) help you (from point of view of user who'd then read it) to improve
you help support of ClamTk project
2) then translate it to 2 languages I know: Russian and Ukrainian

BTW: I went to ClamTk translations site and finalized ua- and ru-
translations. In fact UA is a specific case:
- everybody who knows ua knows ru as well
- ca. 50% of people in UA prefer ru for everyday conversation
- so, ua translation is rather question of respect to ua-native part of
society but an obligatory thing to launch UA market
- exactly the same situation is with Byelorussia's language
(This is because 1500 years ago it was single old-russian country with
center in Kiev - Kiev's Russia. Then step by step center moved to Moscow
(that is 850 years old) and Kiev became more ...

Dear Dave!

To add some more info for you to consider I've made the following
experiment:

1) since my last letter to you I got 2 updates for clamtk as well as 1
update for clamav, python and few more things (SUSE update service)
So, I tested our problem again and ... it still exists

Please look at screen-shot named clamtk-suse... to see clamtk window
together with most probable folder that affect the problem (I think that
message in clamtk window doesn't point exactly to the "guilty" one
because of certain delay between what happens and what is described - in
this respect also read similar note to next screen-shot)

2) as far as I installed:
- VirtulBox
- Ubuntu 10-02-2 LTS as VM
- clamtk from standard software manager on Ubuntu
so, I tried how it works there:
- copied my longest folder /home/sergey/Documents/PD..... to Ubuntu with
exactly the same path (same username there)
- started clamtk to see...

The problem is exactly the same:
- being started under user clamtk stops somewhere inside that folder
- being started under root clamtk makes everything properly
The only difference is that:
- SUSE: "sudo clamtk" doesn't work - system says cannot start interface,
but if "su root" then "clamtk" works
- Ubuntu - right opposite: "su root" produces system error message, but
"sudo clamtk" starts clamtk under root (but some why it assume user's
directory as a home one)
Also, I did not copy all other, shorter folders to ubuntu, so in fact:
- SUSE has home directory ca. 100GB
- ubuntu - ca.2GB

FORGOT TO SAY: in all tests I started "Home directory" by mouse clicking
in clamtk window, before that I configured clamtk to perform recursive
scans.

Some extra tests:
1) if I delete longest sub-folder (part of my long folder) to
trash-basket then clamtk stops on trash-basket
2) if I delete it completely then clamtk works properly
3) if I delete everything except it then clamtk again stops on this
sub-folder
(please see 2-nd screen-shot attached - I had to make it 2 times:
- 1-st time the folder clamtl reported about in the window before stop
wasn't the right one - after I deleted everything except it then
everything worked properly
- 2-nd time I left another, longer folder - clamtk stopped on it, so I
opened in nautilus window some of sub-folders with quit long names to
let you see)

So, if you ask me what I think :) :

1) next week I'll try to perform exactly the same experiment on ubuntu
desktop in the office on another desktop PC, not on VM (we work since
Tuesday next week) then will let you know the result - its just to be
sure that "clear, not VM's ubuntu has the same effect"

2) you might "repeat" my long names (for that I gave you screen-shots of
nautilus) to see how clamtk operates with so long names on YOUR system

3) also, it might be a problem with:
- Cyrillic names I use (all my folders "were born" under Windowa XP, but
I never had problems with them neither in XP nor in linux) - Cyrillic
means not only Russian ones, but Ukrainian as well (5 unique letters
that are missing in Russian)
- "lost" XP files like "~$filename" - starting .doc or .xls file MS
Office leaves a copy named in described way, but if any problem occurs
then Windows XP doesn't ...

Sergey,

Well, this is interesting. I created a directory with a very long name with no Cyrillic characters, and everything was fine. Then I created a directory with a large mix of Cyrillic characters and spaces, and then weird stuff started happening... First, it's not scanning all the files in the directory. Second, it's not reporting them as "viruses" even though they are...

I definitely need to investigate this more... please give me some more time. :) I think you are right - something is weird here. I was going to send a screenshot, but I think you know what it looks like already... :)

respectfully
dave

A HA! I figured it out - it is a bad regular expression on my part.

If you want to test it, I can either email a copy to try out, or just do this:

Type "locate GUI.pm" - it should be in /usr/share/perl5/vendor_perl/ClamTk/GUI.pm, but might be different on your system.

As root, open that file with gedit or your favorite text editor. Go to line (approximately) 1073, where it reads:

        if (/(.*?): (.*?) FOUND/) {

and change it to:

        if (/(.*?): ([^:]+) FOUND/) {

And then all is well. Guess I have to work on releasing 4.34 now... it was poor coding on my part.

Anyway, please let me know if that works, or if you would like me to email you a working copy.

respectfully
dave

Dear Dave!

I would like to send you congratulations, but I can't...

I've made what you wrote, but result is the same.

I've double-checked:
- single GUI.pm file in the system is in /usr/share/ClamTk
- please see it attached with the changes made

This is SUSE.

In next couple of hours I'll make all the same on Ubuntu then will let
you know.

Best regards,
Sergey Murzin

> A HA! I figured it out - it is a bad regular expression on my part.
>
> If you want to test it, I can either email a copy to try out, or just do
> this:
>
> Type "locate GUI.pm" - it should be in
> /usr/share/perl5/vendor_perl/ClamTk/GUI.pm, but might be different on
> your system.
>
> As root, open that file with gedit or your favorite text editor. Go to
> line (approximately) 1073, where it reads:
>
> if (/(.*?): (.*?) FOUND/) {
>
> and change it to:
>
> if (/(.*?): ([^:]+) FOUND/) {
>
> And then all is well. Guess I have to work on releasing 4.34 now... it
> was poor coding on my part.
>
> Anyway, please let me know if that works, or if you would like me to
> email you a working copy.
>
> respectfully
> dave
>

Sergey,

Can you check again where the .pm files go? I think on SUSE they should be under /usr/lib/ClamTk.

Can you try (as root) to move the GUI.pm to /usr/lib/ClamTk?

mv GUI.pm /usr/lib/ClamTk/

respectfully
dave

Dear Dave!

Yes, exactly where you wrote - see attached screen-shot.

I wrote you - this is the only copy of GUI.pm in the system (SUSE).

Also. I checked on Ubuntu - same result despite another version of
GUI.pm (needed part of the script is on another place) - see attached
file as well (after the correction).

Best regards,
Sergey

> Sergey,
>
> Can you check again where the .pm files go? I think on SUSE they should
> be under /usr/lib/ClamTk.
>
> Can you try (as root) to move the GUI.pm to /usr/lib/ClamTk?
>
> mv GUI.pm /usr/lib/ClamTk/
>
> respectfully
> dave
>

Dear Dave!

BTW: On Ubuntu I get similar error message in the terminal (your 1-st
reaction for the bug report was to ask me about this message):

sergey@ubuntu:~$ clamtk > /home/sergey/clamtk.log
*** unhandled exception in callback:
*** couldn't fork: Слишком длинный список аргументов
   (too long list of arguments)
*** at /usr/bin/clamtk line 43
*** ignoring at /usr/share/perl5/ClamTk/GUI.pm line 485.

I would recommend you to put attention to:
1) The message wasn't changed after the change of GUI.pm
2) Did you get the same error message when you got error on your system
before the change?

Best regards,
Sergey Murzin

> Sergey,
>
> Can you check again where the .pm files go? I think on SUSE they should
> be under /usr/lib/ClamTk.
>
> Can you try (as root) to move the GUI.pm to /usr/lib/ClamTk?
>
> mv GUI.pm /usr/lib/ClamTk/
>
> respectfully
> dave
>

Sergey,

Hmmm... now I'm confused. :) I'm not sure if there are one or two problems.

That message probably means the scanner does not want so many files at one time. Currently, it is limited to 255, but maybe that is too much. If you're up for experimenting, try this:

Approximately line 990 in GUI.pm, you'll see this:

  if ( scalar(@send) == 255 ) {

Try changing the number "255" to 100 or 155, and then save it and run again.

respectfully
dave

Dear Dave!

BINGO!

Congratulations!

The problem disappeared after change to 100 files (i tried on Ubuntu
because it takes less time - 2GB instead of 100GB on SUSE to scan).

You know, I see some logic in this point:
- 255 files
- 255 - standard length of MS-DOS string type that most part of files
fits into
- but 255*255 = 64K that means that longer file names (if not 1 but
really lot of files with long names) would overflow 64K buffer.
So, if perl uses 64K buffer to get these parameters then... good reason
to get a problem.

So, now the questions are (if the case is really with 64K buffer):
1) how "exclusive" is my case (but maybe there are even worse cases
especially applying linux as a workstations, not like home PCes)?
2) which limit to use depending on the answer for 1-st question?
3) does any way to "measure" the length of data you pass to perl exist?
4) how longer time it will take if to pass 1, 2 or 4 files per time
(unfortunately I don't know the maximum length of file in linux, but I
mean to respect "the worst case")?
These are question not to answer, but to think about :)

In my case so long names are because (these is my thinking regarding
question #1):
- first standard /home/user
- then I need some how to sort my departments: customer service, product
management etc
- (here in the future it should be division by markets)
- then products itself: planned, existing etc
- then product by product itself
- then product parts: basic works, updates
- every part consists of manuscripts, editors work etc
- some product are with CD attached, so complete structure of CD should
be as well - this is 255 character quit often itself
Then what if I'll establish subsidiaries? Another product types?
I worry I'll need to restrict the mentioned parameter to 64 :)

Beat regards,
Sergey Murzin

> Sergey,
>
> Hmmm... now I'm confused. :) I'm not sure if there are one or two
> problems.
>
> That message probably means the scanner does not want so many files at
> one time. Currently, it is limited to 255, but maybe that is too much.
> If you're up for experimenting, try this:
>
> Approximately line 990 in GUI.pm, you'll see this:
>
> if ( scalar(@send) == 255 ) {
>
> Try changing the number "255" to 100 or 155, and then save it and run
> again.
>
> respectfully
> dave
>

Forgot to ask:
- how it worked under root - longer buffer?

regards,SM

Dear Dave!

I've found one more problem, this time you don't need to think about :)

If you'll look again on 2 screen-shots I sent you (suse vs ubuntu) then
please put eye on middle down part of clamtk window - russian messages
are different: "threads detected" vs "viruses found".

I would ask you just to confirm which of them is right (I think ubuntu's
one - "viruses found"). So, then I will able to check ru and ua
translation packages on clamtk translations file. Then you will able to
instruct those who manage the translations to trust to these changes (if
any in fresh translation) - my nick name there - is my native - Sergey
Murzin.

Best regards,
Sergey Murzin

Sergey,

Great! So everything is working?

I don't remember when I changed it - probably several versions ago. I think I didn't like the word "viruses", because there are so many kinds of things like viruses, trojans, exploits, etc... anyway, the new phrase should be "threats found". "Viruses" is too generic.

Speaking of translations, I did add one new line here:
https://translations.launchpad.net/clamtk

The phrase "Scan for viruses..." is actually for the clamtk.desktop file.

See, good news. :)

respectfully
dave

Dear Dave!

So, it works on SUSE as well. Thank you very much! Now I can use it in a
useful way (even without waiting for next update) and you know the way
to fix the bug for the future. Great!

As for the wording threads/viruses:
- I got the point
- then its not needed to change the translations - "threads" are there
- you might think about more info to provide with clamtk to make it even
more useful for the users:

For your consideration I can give you shortly another approach that is
used in Windows anti-virus Kasperskiy:
1) "virus found" is executable file infected by virus (they see
separately body of the file with body of the virus attached), so being
started it will definitely damage another files, crash system, whatever
else. So, their program tries different options:
- repair it automatically
- delete (automatically or if repair is not successful)
2) "thread detected" is an another story: they see signature but cannot
decide what is it: virus or just a script/fragment that looks like a
virus. Quit often it might be macros, .pdf, or another not-executable
file. Correspondingly, program produces warning messages and options
are:
- quarantine
- deletion
- ignorance
BTW: single tread detected by clamtk on my SUSE was exactly .pdf
provided for Win-7 certification utility - on this file it was written
"might be treated as a thread by ...this and this... anti-virus
systems".

However, reason of this info I write to you is:
- let say clamav is for developers or experienced system administrators
- but clamtk as a way to be protected for middle and low level users,
and they will never study any clamav's help/usage/restrictions
- so, for them it would be great to provide more of general-level info
together with advices regarding what to do and how to manage different
cases using clamtk
In another words, don't expect users to be quit experienced regarding
virus protection, but educate them a little bit, then you'll get them
loyal to your program!
Please consider this as a friendly advice of an already loyal user :)

Best regards,
Sergey Murzin

> Sergey,
>
> Great! So everything is working?
>
> I don't remember when I changed it - probably several versions ago. I
> think I didn't like the word "viruses", because there are so many kinds
> of things like viruses, trojans, exploits, etc... anyway, the new phrase
> should be "threats found". "Viruses" is too generic.
>
> Speaking of translations, I did add one new line here:
> https://translations.launchpad.net/clamtk
>
> The phrase "Scan for viruses..." is actually for the clamtk.desktop
> file.
>
> See, good news. :)
>
> respectfully
> dave
>

Dear Dave!

Trying to tune my anti-virus protection I detected quit strange
situation (all data I represent are obtained after all adjustments we've
made, i.e. I analyze logs of successfully finished scans):

1) under root - WHOLE PC - was scanned automatically being scheduled for
daily scans:
- 26 (threads?/viruses?) infected files found (most part of them are
in /home/sergey, i.e. inside the home directory) with exact kind of
virus specified
- in the list only problem files are listed
- all characters are written in a right way (Cyrillic as well)
- however, clamtk window reports "never" regarding infected files ever
found

2) under user(=sergey) - HOME FOLDER - was scanned manually while
testing our adjustments to the module text:
- clamtk reported 0 threads found (despite clamtk under root found 26
problems!!!)
- one can see very long list of files (but not a complete list of
scanned files, just ca.100-200 files) without any data regarding why
they are in the list
- Cyrillic character are not readable

Having written all above I asked myself: so what is the problem:
root/user or background/GIU?
So, I performed 2 more tests:
3) run clamtk under root and tell to scan Folder-Sergey, i.e. home
directory for user. Te result is OK, i.e. no viruses found.
4) open clamtk under user, schedule scan of home directory for +5
minutes after, close clamtk, wait (looking for PC business indicator to
see activities)... - The result is 18 viruses!!! - please see one more
screen attached clamtk-user-background

So, being started in background mode scan finds viruses, but under GIU -
not. I've investigated the difference - on the practice in background
mode clamtk doesn't work at all, cron schedules run of clamscan instead
of. So, that means that clamtk doesn't find viruses?

Maybe there is some logic in what I get, but how to get one to
understand?
Or we face one more bug?

Best regards,
Sergey Murzin

Dear Dave!

To add more data to my previous letter I made similar test on ubuntu:

- being scanned manually as Home directory it did not find any viruses

- then I start as a scheduled task (run line copied from cron in the
terminal):

sergey@ubuntu:~$ clamscan --database=/home/sergey/.clamtk/db
--detect-pua -i -r /home/sergey
--exclude-dir=/home/sergey/.clamtk/viruses --log=
$HOME/.clamtk/history/$(date +%b-%d-%Y).log 2>/dev/null
/home/sergey/.mozilla/firefox/xb1bk5bk.default/Cache/C21F7B3Cd01:
PUA.Script.Packed-2 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 973134
Engine version: 0.96.5
Scanned directories: 406
Scanned files: 3005
Infected files: 1
Data scanned: 716.71 MB
Data read: 634.62 MB (ratio 1.13:1)
Time: 101.003 sec (1 m 41 s)
sergey@ubuntu:~$

In general the same result like on SUSE, but what is strange:
- despite here as well clamscan sees virus while clamtk not
- it found only 1 virus among firefox files while could find those 4
viruses that SUSE reported in /home/sergey/documments - because I putted
this folder as it is to Ubuntu as well (you can see these 4 lines in
last screen-shot from my previous letter)

Best regards,
Sergey Murzin

Sergey,

<quote>
1) "virus found" is executable file infected by virus (they see
separately body of the file with body of the virus attached), so being
started it will definitely damage another files, crash system, whatever
else. So, their program tries different options:
- repair it automatically
- delete (automatically or if repair is not successful)
</quote>
ClamAV does not attempt to repair files, so this is not currently an option. I believe this stems from their belief that a file is probably not trusted once infected.
ClamTk used to have a delete or quarantine automatically function, but this proved dangerous - what if it is a false positive? That's why we let the user decide.

<quote>
2) "thread detected" is an another story: they see signature but cannot decide what is it
</quote>
I think ClamAV does have some heuristics now - these should show up in the window if detected.

I think your main point is that we need some good documentation for users, and I agree. I started writing documentation several times, but never finished. :) Maybe today would be a good day to start that... :)

Sergey,

<quote>
In general the same result like on SUSE, but what is strange:
- despite here as well clamscan sees virus while clamtk not
- it found only 1 virus among firefox files while could find those 4
viruses that SUSE reported
</quote>

I think the differences you are spotting is because ClamTk will often avoid certain directories: mostly typical mail directories (like .thunderbird or .evolution) and sometimes even .mozilla directories. This is because parsing mail is a difficult thing to do. In Linux, mail files are typically just one file. So, if any part of it has a detected "virus" or something AND you quarantine or delete it, you just deleted the whole thing. That would be bad. I talk about this on the FAQ page:
http://clamtk.sourceforge.net/faq.html#inbox

respectfully
dave

Dear Dave!

Thanks for the reply, I got your point.

BUT

The problem is in confusing users (me at least :) )...

I test some folder using ClamTk in manual mode, then I get some result.
OK. If I trust to this result then I schedule ClamTk to perform it
regularly.
But it gives ANOTHER result! So I'm confused! I do believe, whatever
kind of possible results (only viruses / viruses + threads / whatever
else) but they MUST BE EQUAL using the same program!
>From developer's point of view I guess that the point is to use EXACTLY
THE SAME options using clamscan from GUI and from cron.

Another approach is to name different things in a different ways:
- use "GUI"-start of ClamTk to see only viruses and see results
immediately right on Clamtk' window
- use scheduler to launch ANOTHER possibility - standard clamscan's scan
that MIGHT give another result, then don't forget to check it regularly
in log-files
Such approach could add logic to what people see at least and, it would
be perfect, if new help system you started to write again could EXPLAIN
these differences.

Also, it would be perfect to have 2 more possibilities:
- to see some sign right on GUI window if any log-files obtained from
cron-clamscan report about viruses (or a message in system tray for such
a case) - I still believe that "install and forget" is a right approach
for average user, so it should be some reminder/notifier for case of
virus detected under background mode
- it would be beautiful would ClamTk allow different schedules per
different folders: mail, working folders, samba folders, downloads etc -
daily scan is OK; but linux packages, long archives, very long music and
video folders etc - less frequently (1/week, 1/months I think).
Speaking about me (for example): complete test of my laptop takes 2
hours, and my single chance is to restrict the scanning by certain areas
only - so I have to choose: either security or usefulness. And don't
forget that many of scheduled "long scans" on a laptop do not have
chances to be finalized due to mobile style of their owners.

Please don't think I press to you regarding this staff :) I just show
you "another" point of view and hope it might be useful for you.

However, I wish you to come to a quit simple and clear solution. And I
keep my promise to help with editing/translating of new help content
then.

Best regards,
Sergey Murzin

> Sergey,
>
> <quote>
> In general the same result like on SUSE, but what is strange:
> - despite here as well clamscan sees virus while clamtk not
> - it found only 1 virus among firefox files while could find those 4
> viruses that SUSE reported
> </quote>
>
> I think the differences you are spotting is because ClamTk will often avoid certain directories: mostly typical mail directories (like .thunderbird or .evolution) and sometimes even .mozilla directories. This is because parsing mail is a difficult thing to do. In Linux, mail files are typically just one file. So, if any part of it has a detected "virus" or something AND you quarantine or delete it, you just deleted the whole thing. That would be bad. I talk about this on the FAQ page:
> http://clamtk.sourceforge.net/faq.html#inbox
>
> respectfu...

<quote>
I still believe that "install and forget" is a right approach
for average user, so it should be some reminder/notifier for case of
virus detected under background mode
</quote>
I think this is an excellent idea and have been thinking about it over the last few days - probably inspired by your comments. It is possible to do it; maybe we can add it in soon.

<quote>
Please don't think I press to you regarding this staff :)
</quote>
I appreciate any feedback from you and others, whether it is good or bad. :) I can only test things so far, so I rely on inputs to fix things.

Honestly though, I am thinking that after seven years, it is time for someone else to do this. It is probably time for someone good to take it over. Or maybe just drop it altogether, I haven't decided yet.

In the meanwhile, keep the feedback coming. :)

respectfully
dave