# clamav no longer timestamps log entries

## Moriah

My copy of clamav was updated sometime in the recent past to:

```
*  app-antivirus/clamav
      Latest version available: 0.90.3
      Latest version installed: 0.90.3
      Size of files: 12,203 kB
      Homepage:      http://www.clamav.net/
      Description:   Clam Anti-Virus Scanner
      License:       GPL-2
```

and now it no longer timestamps log entries.  Prior to a reboot last Monday, it timestamped log entries, like this:

```
Mon Jul  9 03:00:17 2007 -> /tmp/clamav-7a102f9324489aa7/msg.4dzpSN: OK
Mon Jul  9 03:06:52 2007 -> /tmp/clamav-7a102f9324489aa7/msg.UwQwDc: Email.Phishing.RB-1137 FOUND
Mon Jul  9 03:07:31 2007 -> /tmp/clamav-7a102f9324489aa7/msg.0thWel: OK
Mon Jul  9 03:08:05 2007 -> /tmp/clamav-7a102f9324489aa7/msg.OXn9b8: OK
```

but now the log looks like this:

```
l6D3i0Ah002539: clean message from <a-adambe@academixer.com>
l6D3jS0f002734: clean message from <qpvfduw7e@concordefense.com>
l6D3kXwv002921: clean message from <SBYNPOLJCG@hotmail.com>
l6D3lSnx003039: /tmp/clamav-076b4748afa2883de4e638f9b1f03058/msg.qL17Jn: Email.Phishing.RB-1301 Intercepted virus from <corporateservice.ref53891804135111.cm@nationalcity.com> to rj
l6D3o8iX003508: clean message from <clamav@eli.elilabs.com>
```

My /etc/clamd.conf file looks like this:

```
##
## Example config file for the Clam AV daemon
## Please read the clamd.conf(5) manual before editing this file.
##

# Comment or remove the line below.
# Example

# Uncomment this option to enable logging.
# LogFile must be writable for the user running daemon.
# A full path is required.
# Default: disabled
LogFile /var/log/clamav/clamd.log

# By default the log file is locked for writing - the lock protects against
# running clamd multiple times (if want to run another clamd, please
# copy the configuration file, change the LogFile variable, and run
# the daemon with --config-file option).
# This option disables log file locking.
# Default: no
#LogFileUnlock yes

# Maximum size of the log file.
# Value of 0 disables the limit.
# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
# in bytes just don't use modifiers.
# Default: 1M
#LogFileMaxSize 2M
LogFileMaxSize 200M

# Log time with each message.
# Default: no
LogTime yes

# Also log clean files. Useful in debugging but drastically increases the
# log size.
# Default: no
LogClean yes

# Use system logger (can work together with LogFile).
# Default: no
#LogSyslog yes

# Specify the type of syslog messages - please refer to 'man syslog'
# for facility names.
# Default: LOG_LOCAL6
#LogFacility LOG_MAIL

# Enable verbose logging.
# Default: no
#LogVerbose yes

# This option allows you to save a process identifier of the listening
# daemon (main thread).
# Default: disabled
PidFile /var/run/clamav/clamd.pid

# Optional path to the global temporary directory.
# Default: system specific (usually /tmp or /var/tmp).
#TemporaryDirectory /var/tmp

# Path to the database directory.
# Default: hardcoded (depends on installation options)
#DatabaseDirectory /var/lib/clamav

# The daemon works in a local OR a network mode. Due to security reasons we
# recommend the local mode.

# Path to a local socket file the daemon will listen on.
# Default: disabled (must be specified by a user)
LocalSocket /var/run/clamav/clamd.sock

# Remove stale socket after unclean shutdown.
# Default: no
#FixStaleSocket yes

# TCP port address.
# Default: no
#TCPSocket 3310

# TCP address.
# By default we bind to INADDR_ANY, probably not wise.
# Enable the following to provide some degree of protection
# from the outside world.
# Default: no
#TCPAddr 127.0.0.1

# Maximum length the queue of pending connections may grow to.
# Default: 15
#MaxConnectionQueueLength 30

# Clamd uses FTP-like protocol to receive data from remote clients.
# If you are using clamav-milter to balance load between remote clamd daemons
# on firewall servers you may need to tune the options below.

# Close the connection when the data size limit is exceeded.
# The value should match your MTA's limit for a maximum attachment size.
# Default: 10M
#StreamMaxLength 20M

# Limit port range.
# Default: 1024
#StreamMinPort 30000
# Default: 2048
#StreamMaxPort 32000

# Maximum number of threads running at the same time.
# Default: 10
#MaxThreads 20

# Waiting for data from a client socket will timeout after this time (seconds).
# Value of 0 disables the timeout.
# Default: 120
#ReadTimeout 300

# Waiting for a new job will timeout after this time (seconds).
# Default: 30
#IdleTimeout 60

# Maximum depth directories are scanned at.
# Default: 15
#MaxDirectoryRecursion 20

# Follow directory symlinks.
# Default: no
#FollowDirectorySymlinks yes

# Follow regular file symlinks.
# Default: no
#FollowFileSymlinks yes

# Perform a database check.
# Default: 1800 (30 min)
#SelfCheck 600

# Execute a command when virus is found. In the command string %v will
# be replaced with the virus name.
# Default: no
#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v"

# Run as another user (clamd must be started by root to make this option
# working).
# Default: don't drop privileges
User clamav

# Initialize supplementary group access (clamd must be started by root).
# Default: no
#AllowSupplementaryGroups no

# Stop daemon when libclamav reports out of memory condition.
#ExitOnOOM yes

# Don't fork into background.
# Default: no
#Foreground yes

# Enable debug messages in libclamav.
# Default: no
#Debug yes

# Do not remove temporary files (for debug purposes).
# Default: no
#LeaveTemporaryFiles yes

# In some cases (eg. complex malware, exploits in graphic files, and others),
# ClamAV uses special algorithms to provide accurate detection. This option
# controls the algorithmic detection.
# Default: yes
#AlgorithmicDetection yes

##
## Executable files
##

# PE stands for Portable Executable - it's an executable file format used
# in all 32 and 64-bit versions of Windows operating systems. This option allows
# ClamAV to perform a deeper analysis of executable files and it's also
# required for decompression of popular executable packers such as UPX, FSG,
# and Petite.
# Default: yes
#ScanPE yes

# Executable and Linking Format is a standard format for UN*X executables.
# This option allows you to control the scanning of ELF files.
# Default: yes
#ScanELF yes

# With this option clamav will try to detect broken executables (both PE and
# ELF) and mark them as Broken.Executable.
# Default: no
#DetectBrokenExecutables yes

##
## Documents
##

# This option enables scanning of OLE2 files, such as Microsoft Office
# documents and .msi files.
# Default: yes
#ScanOLE2 yes

# This option enables scanning within PDF files.
# Default: no
#ScanPDF yes

##
## Mail files
##

# Enable internal e-mail scanner.
# Default: yes
#ScanMail yes

# If an email contains URLs ClamAV can download and scan them.
# WARNING: This option may open your system to a DoS attack.
#      Never use it on loaded servers.
# Default: no
#MailFollowURLs no

# Recursion level limit for the mail scanner.
# Default: 64
#MailMaxRecursion 128

# With this option enabled ClamAV will try to detect phishing attempts by using
# signatures.
# Default: yes
#PhishingSignatures yes

# Scan urls found in mails for phishing attempts.
# (available in experimental builds only)
# Default: yes
#PhishingScanURLs yes

# Use phishing detection only for domains listed in the .pdb database. It is
# not recommended to have this option turned off, because scanning of all
# domains may lead to many false positives!
# (available in experimental builds only)
# Default: yes
#PhishingRestrictedScan yes

# Always block SSL mismatches in URLs, even if the URL isn't in the database.
# This can lead to false positives.
# (available in experimental builds only)
#
# Default: no
#PhishingAlwaysBlockSSLMismatch no

# Always block cloaked URLs, even if URL isn't in database.
# This can lead to false positives.
# (available in experimental builds only)
#
# Default: no
#PhishingAlwaysBlockCloak no

##
## HTML
##

# Perform HTML normalisation and decryption of MS Script Encoder code.
# Default: yes
#ScanHTML yes

##
## Archives
##

# ClamAV can scan within archives and compressed files.
# Default: yes
#ScanArchive yes

# The options below protect your system against Denial of Service attacks
# using archive bombs.

# Files in archives larger than this limit won't be scanned.
# Value of 0 disables the limit.
# Default: 10M
#ArchiveMaxFileSize 15M

# Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR
# file, all files within it will also be scanned. This options specifies how
# deeply the process should be continued.
# Value of 0 disables the limit.
# Default: 8
#ArchiveMaxRecursion 10

# Number of files to be scanned within an archive.
# Value of 0 disables the limit.
# Default: 1000
#ArchiveMaxFiles 1500

# If a file in an archive is compressed more than ArchiveMaxCompressionRatio
# times it will be marked as a virus (Oversized.ArchiveType, e.g. Oversized.Zip)
# Value of 0 disables the limit.
# Default: 250
#ArchiveMaxCompressionRatio 300

# Use slower but memory efficient decompression algorithm.
# only affects the bzip2 decompressor.
# Default: no
#ArchiveLimitMemoryUsage yes

# Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).
# Default: no
#ArchiveBlockEncrypted no

# Mark archives as viruses (e.g. RAR.ExceededFileSize, Zip.ExceededFilesLimit)
# if ArchiveMaxFiles, ArchiveMaxFileSize, or ArchiveMaxRecursion limit is
# reached.
# Default: no
#ArchiveBlockMax no

# Enable support for Sensory Networks' NodalCore hardware accelerator.
# Default: no
#NodalCoreAcceleration yes

##
## Clamuko settings
## WARNING: This is experimental software. It is very likely it will hang
##       up your system!!!
##

# Enable Clamuko. Dazuko (/dev/dazuko) must be configured and running.
# Default: no
#ClamukoScanOnAccess yes

# Set access mask for Clamuko.
# Default: no
#ClamukoScanOnOpen yes
#ClamukoScanOnClose yes
#ClamukoScanOnExec yes

# Set the include paths (all files inside them will be scanned). You can have
# multiple ClamukoIncludePath directives but each directory must be added
# in a seperate line.
# Default: disabled
#ClamukoIncludePath /home
#ClamukoIncludePath /students

# Set the exclude paths. All subdirectories are also excluded.
# Default: disabled
#ClamukoExcludePath /home/bofh

# Don't scan files larger than ClamukoMaxFileSize
# Value of 0 disables the limit.
# Default: 5M
#ClamukoMaxFileSize 10M
```

For several years I have been running a cron job that analyzes the clamd log file and produces graphs of bad stuff in the email traffic.  This no longer works because it needs the timestamp.  I can work around a change in the format by hacking the scripts, but I must have the timestamp; I cannot work around its absence.

Does anybody know how to get the timestamps back in the clamav log file?

Thanks!

----------

## magic919

Maybe this bit?

LogTime yes

But you have that....  Maybe you can try the newly released version 0.91 first.

----------

## Moriah

Is that version available as an ebuild through portage yet?  I thought I had the latest version.

----------

## magic919

Yes, it is.  But you'll find it on ~x86.

----------

## Moriah

Looking at the first field of each log line, it appears that these "crypto-strings" are monotonically increasing in lexicographic sort order, which leads me to believe that these strings are somehow related to time -- maybe ticks since the epoch, in some base64 code?  Weird.  Maybe they just blew it and wrote out the ticks raw, but I would have expected some garbagey control characters in there somewhere in that case.  Maybe they just used the wrong format control character?

----------
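An added example, not code from the thread and not ClamAV's or sendmail's own code. The prefixes in the new log lines (`l6D3i0Ah002539` and so on) have the shape of sendmail queue identifiers, which pack a UTC timestamp into base-60 digits, one each for year, month, day, hour, minute and second, followed by a sequence number and the PID; that explains the monotonic ordering Moriah noticed and gives the graphing cron job from the first post a timestamp to work with. The identification of the prefixes as sendmail queue IDs, the base-60 alphabet and the field layout are assumptions about sendmail made here, not something the thread states. The sample log lines are constructed: the queue IDs and the old-format lines are taken from the thread, the mail addresses are replaced with example.com placeholders.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# sendmail's base-60 digit alphabet for queue IDs (assumption: the log prefixes
# are sendmail queue IDs passed through by the milter, not clamd's own output).
QUEUE_ID_CHARS = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwx"

# Old clamd format: "Mon Jul  9 03:00:17 2007 -> /path: VERDICT"
OLD_LINE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) -> (?P<path>\S+): (?P<verdict>.+)$")
# New format: "<queue-id>: clean message from <addr>" or "<queue-id>: /path: SIG Intercepted ..."
NEW_LINE = re.compile(r"^(?P<qid>[0-9A-Za-z]{8}\d{6}): (?P<rest>.+)$")
INTERCEPTED = re.compile(
    r"^(?P<path>\S+): (?P<sig>\S+) Intercepted virus from <(?P<sender>[^>]*)> to (?P<rcpt>.+)$")


def decode_queue_id(qid, window_start=2000):
    """Recover the UTC timestamp encoded in a sendmail-style queue ID.

    Assumed layout: YMDhmsNNpppppp, where Y = (year - 1900) % 60, M = month
    (0-based), D = day, h/m/s = time, each one base-60 digit; NN is a two-digit
    sequence number and pppppp the PID in decimal. The year digit wraps every
    60 years, so window_start selects the 60-year window it is resolved in.
    """
    if len(qid) < 9 or any(c not in QUEUE_ID_CHARS for c in qid[:8]) or not qid[8:].isdigit():
        raise ValueError(f"not a sendmail queue ID: {qid!r}")
    y, mon, day, hour, minute, sec = (QUEUE_ID_CHARS.index(c) for c in qid[:6])
    year = 1900 + y
    while year < window_start:
        year += 60
    return datetime(year, mon + 1, day, hour, minute, sec, tzinfo=timezone.utc)


def parse_line(line):
    """Turn one log line into a record, or None if it is not a scan result.

    The record's "time" comes from the line itself in the old format (local
    time, naive datetime) and from the queue ID in the new one (UTC, aware
    datetime); "detection" is the signature name, or None for a clean message.
    """
    m = OLD_LINE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        verdict = m["verdict"]
        sig = None if verdict == "OK" else (
            verdict[:-len(" FOUND")] if verdict.endswith(" FOUND") else verdict)
        return {"time": ts, "path": m["path"], "detection": sig, "format": "clamd"}
    m = NEW_LINE.match(line)
    if m:
        ts = decode_queue_id(m["qid"])
        rest = m["rest"]
        if rest.startswith("clean message from "):
            return {"time": ts, "queue_id": m["qid"], "detection": None, "format": "milter"}
        i = INTERCEPTED.match(rest)
        if i:
            return {"time": ts, "queue_id": m["qid"], "path": i["path"],
                    "detection": i["sig"], "format": "milter"}
    return None


def detections_per_hour(lines):
    """Count detections per hour: the series a graphing cron job would plot."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["detection"]:
            counts[rec["time"].strftime("%Y-%m-%d %H:00")] += 1
    return dict(counts)


# Constructed sample: old-format lines and queue IDs from the thread, mail
# addresses replaced with example.com placeholders.
SAMPLE_LOG = [
    "Mon Jul  9 03:00:17 2007 -> /tmp/clamav-7a102f9324489aa7/msg.4dzpSN: OK",
    "Mon Jul  9 03:06:52 2007 -> /tmp/clamav-7a102f9324489aa7/msg.UwQwDc: Email.Phishing.RB-1137 FOUND",
    "l6D3i0Ah002539: clean message from <sender@example.com>",
    "l6D3lSnx003039: /tmp/clamav-076b4748afa2883de4e638f9b1f03058/msg.qL17Jn: "
    "Email.Phishing.RB-1301 Intercepted virus from <sender@example.com> to user@example.com",
    "l6D3o8iX003508: clean message from <clamav@example.com>",
    "garbage line that is not a scan result",
]

if __name__ == "__main__":
    for qid in ("l6D3i0Ah002539", "l6D3jS0f002734", "l6D3kXwv002921", "l6D3lSnx003039", "l6D3o8iX003508"):
        print(qid, "->", decode_queue_id(qid).isoformat())
    print(detections_per_hour(SAMPLE_LOG))
```

Decoding the five IDs from the thread gives 03:44:00, 03:45:28, 03:46:33, 03:47:28 and 03:50:08 UTC on 13 July 2007, increasing in step with the lines, which is the behaviour the last post describes. Two caveats for anyone adapting a log-analysis script this way: the queue-ID time is UTC while the old `LogTime` stamps were local time, so a mixed log needs one zone chosen before the series are merged, and the year digit is only unique within a 60-year window, which `window_start` pins down.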

