Lots of Virus detection after 6.6.1 Update

Hi he_Agent,

Not sure if this is related but here is the release note of the new AV:

ReadyNAS OS 6: Antivirus Update

Any updates on your end?

Regards,

Hello,

after a reboot and the installation of the update everything worked fine the last few days. No more 5% messages and the daily virus updates were installed correctly.

Thx for your help

Hello again,

after a few days of silence it started again right now. First 20% free and shortly after that 30%. In this time I changed nothing. The Antivirus detection alerts are back again too.

Mon Jan 23 2017 14:11:02    
System: Antivirus scanner found a threat (Heuristics.Broken.Executable) in the file /tmp/clamav-adff1f24c0bbc4e0eeb59c3dda5dffc7.tmp (deleted). Please delete the infected file soon if automatic delete setting is not enabled.
Mon Jan 23 2017 14:10:55    
System: Antivirus scanner found a threat (Heuristics.Broken.Executable) in the file /tmp/clamav-52688c412f91b358b0346de0f90f88a4.tmp (deleted). Please delete the infected file soon if automatic delete setting is not enabled.
Mon Jan 23 2017 14:07:04    
Volume: Less than 30% of volume media's capacity is free. NETGEAR recommends that you add capacity to maintain current performance levels. Continuous protection snapshots will be deleted when volume free space is less than 5%.
Mon Jan 23 2017 11:07:27    
Volume: Less than 20% of volume media's capacity is free. Performance on volume media will degrade if additional capacity is consumed. NETGEAR recommends that you add capacity to avoid performance degradation.
Sun Jan 22 2017 15:39:50    
System: Antivirus scanner definition file was updated to 57.22929.
Sat Jan 21 2017 15:40:51    
System: Antivirus scanner definition file was updated to 57.22923.
Fri Jan 20 2017 15:26:29    
System: Antivirus scanner definition file was updated to 57.22917.

Hi the_Agent,

Could you kindly send your logs.

How do I send all logs to ReadyNAS Community moderators?

Regards,

same here.

Got 1000+ Virus warnings til now... readynas is still sending up to 10 mails per minute.

Di Jan 24 2017 9:39:09	
System: Der Virenschutzscanner hat eine Gefahr ({DetectType}:Swf.Exploit.CVE_2016_4178-1) in der Datei /tmp/clamav-e0916b288087f774c1b281d6a428c3c4.tmp/nocomment.html (deleted) entdeckt. Löschen Sie die Datei, die vom Virus befallen ist.
Di Jan 24 2017 9:39:03	
System: Der Virenschutzscanner hat eine Gefahr ({DetectType}:Swf.Exploit.CVE_2016_4178-1) in der Datei /tmp/clamav-ca67c2e47e03f00044f40393a9c36399.tmp/nocomment.html (deleted) entdeckt. Löschen Sie die Datei, die vom Virus befallen ist.
Di Jan 24 2017 9:38:55	
System: Der Virenschutzscanner hat eine Gefahr ({DetectType}:Swf.Exploit.CVE_2016_4178-1) in der Datei /tmp/clamav-861e3c93068486b3fc7dffbfe7d35ec3.tmp/nocomment.html (deleted) entdeckt. Löschen Sie die Datei, die vom Virus befallen ist.
Di Jan 24 2017 9:38:49	
System: Der Virenschutzscanner hat eine Gefahr ({DetectType}:Swf.Exploit.CVE_2016_4178-1) in der Datei /tmp/clamav-0402e490e3f084f823cdd693f395e736.tmp/nocomment.html (deleted) entdeckt. Löschen Sie die Datei, die vom Virus befallen ist.
Di Jan 24 2017 9:38:43	
System: Der Virenschutzscanner hat eine Gefahr ({DetectType}:Swf.Exploit.CVE_2016_4178-1) in der Datei /tmp/clamav-7cf98f14f3fa9c44ae9b32799c7fa5e9.tmp/nocomment.html (deleted) entdeckt. Löschen Sie die Datei, die vom Virus befallen ist.

Should i deactivate the antivirus-service?

---

@ThiloS wrote:

Should i deactivate the antivirus-service?

---

I would.

I've done it immediately, there is obviously something wrong with it.

Hi the_Agent,

I will be sending your post to our subject matter experts as an inquiry. I will let you know if we get updates.

Regards,

in my case the following procedure helped:

Deactivating the AntiVirus-service.

Restarting the ReadyNas.

Activating the AV-service again. 

Now there are no new warnings about any viruses...?!

Well - at least the machine is running proper again.

Hello ThiloS,

followed your instructions but shortly after the the reactivation of Antivirus, the messages started to come in again:

Thu Jan 26 2017 11:07:45    
System: Antivirus scanner found a threat (Heuristics.Broken.Executable) in the file /tmp/clamav-a9644d6f9858afe8268856743cbb4294.tmp (deleted). Please delete the infected file soon if automatic delete setting is not enabled.
Thu Jan 26 2017 11:07:40    
System: Antivirus scanner found a threat (Heuristics.Broken.Executable) in the file /tmp/clamav-7e4ec20ad581164a2b1db43a68a80a61.tmp (deleted). Please delete the infected file soon if automatic delete setting is not enabled.
Thu Jan 26 2017 8:16:35    
System: Antivirus scanner definition file was updated to 57.22948.
Thu Jan 26 2017 8:14:41    
System: ReadyNASOS background service started.
Thu Jan 26 2017 8:13:19    
System: The system is rebooting.

I believe there is a fix for this coming in the next firmware release.

Hi,

Engineering has identified a cause for the issues reported on the community.  The root cause is that ClamAV uses up the /tmp directory space when scanning files transferred over SAMBA.  The symptom is especially acute in models that have small RAM and low CPU bandwidth.

A possible fix has been identified and is being tested.

There may be other issues.  Engineering is still in the process of investigating.

NETGEAR may release a beta version of the software next week here on the community site.

Thank you for your patience,

Doug

Thanks, I will test the beta as soon as it is out.

I was having trouble disabling the AV scanner for the moment. There is a window of opportunity right after the system is rebooted where disabling the AV appears to work. A subsequent reboot shows the AV still disabled. I did this because the AV appears to be at the heart of a constellation of errors included failed network access to the shares for my users. The system behaves as if it is severly overtasked.

Disabling the AV has thus far alleviated my troubles with the NAS. I will update as soon as it becomes available.

It is worth noting that my SSH was also on and would not disable. Attempting to disable it immediately after the reboot resolved the issues for this service as well and I was able to disable it.

Your reboot will have installed a recent Netgear patch relating to AV I believe (not a full fix sadly)

I am really starting to HATE these netgear boxes... Netgar updates causing much grief & aggervation .... since upgrading the box is so slow & cant access shared drives ... im gonna lose it + i had to turn off thge anti-virus 

First, you disabled the AV and it is still slow?!

I'll agree it is disconcerting running without AV and it was incredibly annoying trying to troubleshoot around my active users. However, at this price point I haven't found anything else that does the job. Not for me anyways - not in the network environment I am embedded in. I have a massive IPS sitting on top of me that I have no control over. I have to work with-in their rules and across several layers of defense. Both ends are designed to treat each other as external networks. It is incredibly annoying but then again I don't have to manage that monster. All I have to do is keep my 2 itty bitty NAS units talking and accessible to the users (and on rare occasions accessible to Netgear admins). I'll take that deal.

I don't have many issues and this is only the second time in years that I've had trouble I couldn't fix in less than an hour. Most people appeared to update with out a problem. Curse our bad luck for being in the minority this time.

---

@douglas_cheung wrote:
NETGEAR may release a beta version of the software next week here on the community site.

---

At this stage we'd be looking at possibly next week now rather than releasing a beta just before the weekend.

Thanks for your patience.

---

@mdgm wrote:

---

@douglas_cheung wrote:
NETGEAR may release a beta version of the software next week here on the community site.

---

At this stage we'd be looking at possibly next week now rather than releasing a beta just before the weekend.

 

---

In my opinion that's a good call.  Friday releases always make me a bit nervous.

the anti-virus feature on these NAS devices is a real hastle...  even with the update, i am afraid to turn it back on!  

Then I will update and let you know how things go. 

Of course, if I am understanding you correctly, your machine was still slow even after disabling the AV. If that is true then your situation seems different than mine so and my success or failure might not be a good measure for you. I suppose it is better than nothing.

Are you sure the AV disabled? With mine it would come back on after the next reboot but I eventually got it to stay off.

I guess I am the odd man out. A Friday update means I have all weekend to get things right again if there are problems with out users getting in the way.

I think Weds. is ideal.  There's two days where development is available for early adopters, and you have some idea by the weekend on where the release stands.

For anyone run into the slowness issue after enabling AntiVirus in 6.6.1, here is a work-around before the beta or official firmware with the fix is available: 

1. Turn on SSH service through the Admin Page and SSH into ReadyNAS
2. Remove or comment out the lines starting with OnAccessExcludePath in file /etc/clamav/clamd.conf, save it.
3. Restart the clamav by running this command: systemctl restart clamav-daemon

Note that this clamd.conf configuration file will be overwritten again if re-enabling Anti-Virus, so above steps need to be re-done in that case.