On Fri, 31 Aug 2007 12:00:31 +0200, clamav-users-request wrote
> Today's Topics:
>
>    1. Temporary quarantine file creation failed (Clam user)
>    2. Re: Temporary quarantine file creation failed (Nigel Horne)
>    3. strange problem? (Berindeie Teodor)
>    4. Maintain its own clamAv DB (Urban Loesch)
>    5. Re: Maintain its own clamAv DB (Arnaud Jacques)
>    6. Re: Subject: False Positive about
>       Phishing.Heuristics.Email.SSL-Spoof (Jean-Marc Pigeon)
>    7. Re: Maintain its own clamAv DB (Urban Loesch)
>    8. Re: Script update (Bill Landry)
>    9. Re: 0.91 - high load under solaris ([EMAIL PROTECTED])
>   10. Sourcefire acquires ClamAV (Paul Kosinski)
>   11. Donors (was Re: Sourcefire acquires ClamAV) (David F. Skoll)
>   12. Re: 0.91 - high load under solaris ([EMAIL PROTECTED])
>   13. Re: Donors (was Re: Sourcefire acquires ClamAV) (Beppe Di Maio)
>   14. Re: Donors (was Re: Sourcefire acquires ClamAV) (David F. Skoll)
>   15. Re: 0.91 - high load under solaris ([EMAIL PROTECTED])
>   16. Re: Sourcefire acquires ClamAV (Dennis Peterson)
>   17. Re: 0.91 - high load under solaris (Bill Landry)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 30 Aug 2007 13:49:16 +0200 (METDST)
> From: Clam user <[EMAIL PROTECTED]>
> Subject: [Clamav-users] Temporary quarantine file creation failed
> To: clamav-users@lists.clamav.net
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: TEXT/PLAIN; charset=US-ASCII
>
> Hello,
>
> during high loads, this occurs
> (lack of newline as in the original message) :
>
> --
> Temporary quarantine file /clamav/quarantine/msg.{00810
> creation failed/clamav/quarantine/msg.{00810: File exists
> --
>
> Using ClamAV 0.90.2 on HP-UX 11.11
>
> Has anyone had this problem, if yes - how did you solve it?
>
> Thanks in advance,
> //D
>
> ------------------------------
>
> Message: 2
> Date: Thu, 30 Aug 2007 13:12:53 +0100
> From: Nigel Horne <[EMAIL PROTECTED]>
> Subject: Re: [Clamav-users] Temporary quarantine file creation failed
> To: ClamAV users ML <clamav-users@lists.clamav.net>
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Clam user wrote:
> > Hello,
> >
> > during high loads, this occurs
> > (lack of newline as in the original message) :
> >
> > --
> > Temporary quarantine file /clamav/quarantine/msg.{00810
> > creation failed/clamav/quarantine/msg.{00810: File exists
> > --
> >
> > Using ClamAV 0.90.2 on HP-UX 11.11
> >
> > Has anyone had this problem, if yes - how did you solve it?
>
> This has been discussed before and was found to be a problem with HP-UX.
> You need to get a bug fix from HP.
>
> >
> > Thanks in advance,
> > //D
>
> ------------------------------
>
> Message: 3
> Date: Thu, 30 Aug 2007 15:28:11 +0300 (EEST)
> From: "Berindeie Teodor" <[EMAIL PROTECTED]>
> Subject: [Clamav-users] strange problem?
> To: clamav-users@lists.clamav.net
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain;charset=iso-8859-1
>
> I have in clamd.log:
> Thu Aug 30 15:00:13 2007 -> +++ Started at Thu Aug 30 15:00:13 2007
> Thu Aug 30 15:00:13 2007 -> clamd daemon 0.91.2 (OS: linux-gnu, ARCH: i386, CPU: i686)
> Thu Aug 30 15:00:13 2007 -> Running as user root (UID 0, GID 0)
> Thu Aug 30 15:00:13 2007 -> Log file size limited to 1048576 bytes.
>
> Thu Aug 30 15:00:13 2007 -> Reading databases from /opt/clamav/share/clamav
> Thu Aug 30 15:00:16 2007 -> Loaded 149757 signatures.
>
> and I have in freshclam.log:
> ClamAV update process started at Thu Aug 30 14:21:19 2007
> main.cvd is up to date (version: 44, sigs: 133163, f-level: 20, builder: sven)
> Downloading daily-4108.cdiff [100%]
> daily.inc updated (version: 4108, sigs: 16438, f-level: 21, builder: aeriana)
> Database updated (149601 signatures) from db.ro.clamav.net (IP: 192.129.4.120)
>
> Why that:
> clamd.log
> Loaded 149757 signatures
> and
> freshclam.log
> Loaded 149757 signatures
>
> ------------------------------
>
> Message: 4
> Date: Thu, 30 Aug 2007 14:09:48 +0200
> From: Urban Loesch <[EMAIL PROTECTED]>
> Subject: [Clamav-users] Maintain its own clamAv DB
> To: clamav-users@lists.clamav.net
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Hi,
>
> I'm new to this list.
> I would like to maintain my own virus and phishing database.
>
> Do you know how can I do that? Is there some HOW-TO or something
> else?
>
> I'm using Version 91.2.
>
> Thanks and regards
> Urban Loesch
>
> ------------------------------
>
> Message: 5
> Date: Thu, 30 Aug 2007 16:04:08 +0200
> From: Arnaud Jacques <[EMAIL PROTECTED]>
> Subject: Re: [Clamav-users] Maintain its own clamAv DB
> To: ClamAV users ML <clamav-users@lists.clamav.net>
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hello,
>
> > I would like to maintain my own virus and phishing database.
> > Do you know how can I do that? Is there some HOW-TO or something
> > else?
>
> http://www.clamav.net/doc/latest/signatures.pdf
>
> --
> Best regards,
>
> Arnaud Jacques
> Security Consultant
> SecuriteInfo.com
> http://www.securiteinfo.com
> http://www.securiteinfo.net
>
> ------------------------------
>
> Message: 6
> Date: Thu, 30 Aug 2007 10:41:46 -0400
> From: Jean-Marc Pigeon <[EMAIL PROTECTED]>
> Subject: Re: [Clamav-users] Subject: False Positive about Phishing.Heuristics.Email.SSL-Spoof
> To: Doug Andrews <[EMAIL PROTECTED]>
> Cc: clamav-users@lists.clamav.net
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=UTF-8
>
> On Thu, 2007-08-30 at 15:42 +0200, Doug Andrews wrote:
> > Hi Jean-Marc,
> > I am seeing the same problem - did you manage to resolve this?
> > I'd appreciate any advice you can give.
> > Thanks,
> The only way for us to resolve the problem was
> to remove the CL_DB_PHISHING_URLS
> from the scanning "standard option"
>
> We have our own tool directly calling the clamav lib such
> I can't give you specific beside our own.
>
> Never got reply from the clamav team and
> didn't find anything in 91.2 changelog.
>
> From my standpoint the issue is still open
> (and it is a rather annoying one).
> >
> > Doug
> > Selfcateringhols
> >
> > Author: Jean-Marc Pigeon
> > Date: 2007-07-19 15:142007-07-19 13:14 +200UTC
> > To: ClamAV users ML
> > Subject: [Clamav-users] False Positive about
> > Phishing.Heuristics.Email.SSL-Spoof
> >
> > Hello
> >
> > Got an official E-mail from network solution
> > which was detected as phishing.Heuristics.Email.SSL-Spoof.
> >
> > I know I can set the configuration flag Off, but my concern
> > is more about the Phishing SSL-Spoof detection, either
> > clamav is code is "wrong" or Network solution is "Wrong"
> >
> > Unfortunately I can't provide the e-mail contents (mail
> > was rejected), here are the local logs..
> >
> > 22:52:37 MENID: XXXXXXXXXXXXXX-20785dc642507
> > +00 Clip: [205.178.190.228]/<mrelay2.networksolutions.com>
> > +00 M-From: <[EMAIL PROTECTED]>
> > +00 MRCPT: 250 XXXXXXXXXXXXXXXXXXXXXXX
> > Address Accepted
> > +00 E-From: [EMAIL PROTECTED]
> > +00 Subject: Reset Password Request
> > +00 Message-Id: [EMAIL PROTECTED]
> > +00 VIRUS=<Phishing.Heuristics.Email.SSL-Spoof>
> > +01 Spam-lvl: 0.2
> > +01 MsgInf: size=5912,n_error=0
> > +01 RCPT: Rejected XXXXXXXXXXXXXXXXXXXX
> >
> >
> > Is there somebody else getting the same problem?, will
> > the spoofing detection code "fixed"? (if it can?)
> >
> > Thanks...
> > --
> > See you soon
> > ==========================================================================
> > Jean-Marc Pigeon Internet: [EMAIL PROTECTED]
> > SAFE Inc. Phone: (514) 493-4280
> > Fax: (514) 493-1946
> > Clement, 'a kiss solution' to get rid of SPAM (at last)
> > Clement' Home base <"http://www.clement.safe.ca">
> > ==========================================================================
> --
> See you soon
> ==========================================================================
> Jean-Marc Pigeon Internet: [EMAIL PROTECTED]
> SAFE Inc. Phone: (514) 493-4280
> Fax: (514) 493-1946
> Clement, 'a kiss solution' to get rid of SPAM (at last)
> Clement' Home base <"http://www.clement.safe.ca">
> ==========================================================================
>
> ------------------------------
>
> Message: 7
> Date: Thu, 30 Aug 2007 17:34:05 +0200
> From: Urban Loesch <[EMAIL PROTECTED]>
> Subject: Re: [Clamav-users] Maintain its own clamAv DB
> To: clamav-users@lists.clamav.net
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Thanks
> Urban
>
> Arnaud Jacques wrote:
> > Hello,
> >
> >> I would like to maintain my own virus and phishing database.
> >> Do you know how can I do that? Is there some HOW-TO or something
> >> else?
> >
> > http://www.clamav.net/doc/latest/signatures.pdf
> >
>
> ------------------------------
>
> Message: 8
> Date: Thu, 30 Aug 2007 09:42:15 -0700
> From: Bill Landry <[EMAIL PROTECTED]>
> Subject: Re: [Clamav-users] Script update
> To: ClamAV users ML <clamav-users@lists.clamav.net>
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Arnaud Jacques wrote:
> > Hello Bill,
> >
> >>> ftp.inetmsg.com/pub/unoffical-sigs.sh
>
> Corrected file name: ftp.inetmsg.com/pub/unofficial-sigs.sh
>
> > Great job ! It's working fine !
>
> Thanks!
>
> >>> supports downloads from 4 different signature providers (SaneSecurity,
> >>> MSRBL, SecurityInfo, and Malware Block List).
> > Btw, it is SecuriteInfo.com not SecurityInfo : frenchies here ;)
>
> I should have realized that based on the VX download URL. I'll
> correct this in the next update...
>
> Bill
>
> ------------------------------
>
> Message: 9
> Date: Thu, 30 Aug 2007 12:35:00 -0500
> From: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] 0.91 - high load under solaris
> To: ClamAV users ML <clamav-users@lists.clamav.net>
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> -- Török Edvin said the following on 8/12/07 3:26 PM:
> >
> > It would be more useful if you could get a backtrace of all running threads.
> > Use a debugger (like gdb) to do that.
> > In case of gdb, just attach to the running process, and do a 'thread
> > apply all bt'.
> >
>
> I'm noticing hang issues again with 0.91.2 on Solaris 10 x86. It
> doesn't appear to be associated with a particularly malformed
> message because when it starts hanging, if I restart it, things
> resume normally for a while. The incoming queue clears out.
>
> Just recently I happened to be checking the incoming queue and
> noticed this:
>
> 7F10A960A 15939 Thu Aug 30 10:49:59 [EMAIL PROTECTED]
> (host mf2.utdallas.edu[10.110.20.30] said: 451 4.5.0 Error in
> processing, id=22597-01-42, virus_scan FAILED: virus_scan: ALL VIRUS
> SCANNERS FAILED: ClamAV-clamd av-scanner FAILED: CODE(0x8134730) Too
> many retries to talk to /var/amavis/clamd.sock (timed out) at (eval
> 58) line 310. at (eval 58) line 511.; ClamAV-clamscan av-scanner
> FAILED: /usr/local/bin/clamscan collect_results - reading aborted:
> timed out at /opt/amavisd/amavisd line 2778. at (eval 58) line 511.
> (in reply to end of DATA command))
> [EMAIL PROTECTED]
>
> I tried the gdb bt bit, but doesn't show the stack trace that I'm
> used to seeing:
>
> # gdb /usr/local/sbin/clamd 22426
> GNU gdb 6.5
> Copyright (C) 2006 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and
> you are welcome to change it and/or distribute copies of it under
> certain conditions. Type "show copying" to see the conditions. There
> is absolutely no warranty for GDB. Type "show warranty" for
> details. This GDB was configured as "i386-pc-solaris2.10"...
> Attaching to program `/local/sbin/clamd', process 22426 Retry #1:
> Retry #2: Retry #3: Retry #4: [New LWP 1] 0xfebf0857 in ?? ()
> (gdb) thread apply all bt
>
> Thread 11 (LWP 13):
> #0 0xfebf047b in ?? ()
> #1 0xfebeab3b in ?? ()
> #2 0x00000000 in ?? ()
>
> ....
>
> And a bunch more of that. I know when clam is compiled gcc is
> supplied the -g, so not sure why all the "??".
>
> This gdb session was done in the global zone. Not sure if it'll work
> in the zone where clamd is actually running, but I'll try that next time.
>
> Amos
>
> ------------------------------
>
> Message: 10
> Date: Thu, 30 Aug 2007 15:10:19 -0400
> From: Paul Kosinski <[EMAIL PROTECTED]>
> Subject: [Clamav-users] Sourcefire acquires ClamAV
> To: clamav-users@lists.clamav.net
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=US-ASCII
>
> There is another aspect to the acquisition of ClamAV that seems not
> to have been discussed. What happens to the people who made monetary
> donations to the ClamAV project? (I am not in this group, as I never
> quite got around to it.)
>
> I would imagine that many people who donated to ClamAV did so in the
> hope of ensuring the continued availability of Open Source anti-virus
> technology. Now they have become unwitting investors. Of course, they
> did get a FOSS ClamAV up till now and into the indefinite future, and
> without donations ClamAV might have not survived, so they did get a
> "return on investment". But will they get a monetary ROI? Should they?
>
> I think this may become an issue for all Open Source projects. Will
> people be less willing to donate to them in the future? What might be
> a "code of conduct" for FOSS projects?
>
> BTW, the ClamAV Website *still* has a "donate money" Web page (as of
> 30 Aug 2007).
>
> ------------------------------
>
> Message: 11
> Date: Thu, 30 Aug 2007 16:09:55 -0400
> From: "David F. Skoll" <[EMAIL PROTECTED]>
> Subject: [Clamav-users] Donors (was Re: Sourcefire acquires ClamAV)
> To: ClamAV users ML <clamav-users@lists.clamav.net>
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Paul Kosinski wrote:
>
> > There is another aspect to the acquisition of ClamAV that seems not
> > to have been discussed. What happens to the people who made monetary
> > donations to the ClamAV project? (I am not in this group, as I never
> > quite got around to it.)
>
> My company (Roaring Penguin Software Inc.) made a reasonably large
> donation to the ClamAV development group a while back. I did not expect
> any "ROI" or quid-pro-quo. I also doubt there's any legal responsibility
> on Sourcefire's part related to these donations. It was pretty
> clear that all your donation bought you was a "thank you".
>
> However, I will be quite upset if Sourcefire takes Clam proprietary and/or
> starts charging for timely virus updates, and I will request my money
> back (on moral, not legal, grounds.)
>
> Regards,
>
> David.
>
> ------------------------------
>
> Message: 12
> Date: Thu, 30 Aug 2007 15:40:59 -0500 (CDT)
> From: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] 0.91 - high load under solaris
> To: ClamAV users ML <clamav-users@lists.clamav.net>
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset="x-unknown"
>
> On Thu, 30 Aug 2007, [EMAIL PROTECTED] wrote:
>
> > I'm noticing hang issues again with 0.91.2 on Solaris 10 x86. It doesn't
> > appear to be associated with a particularly malformed message because
> > when it starts hanging, if I restart it, things resume normally for a
> > while. The incoming queue clears out.
>
> Here's some more.
>
> [Switching to Thread 1 (LWP 1)]
> 0xfebf0857 in _so_accept () from /lib/libc.so.1
> (gdb) thread apply all bt
>
> Thread 22 (Thread 39 ):
> #0 0xfebf047b in __lwp_park () from /lib/libc.so.1
> #1 0xfebe9463 in mutex_lock_queue () from /lib/libc.so.1
> #2 0xfebe9cff in slow_lock () from /lib/libc.so.1
> #3 0xfebe9df5 in mutex_lock_impl () from /lib/libc.so.1
> #4 0xfebe9f01 in pthread_mutex_lock () from /lib/libc.so.1
> #5 0xfeb92f1d in malloc () from /lib/libc.so.1
> #6 0xfebb400d in match_re_C () from /lib/libc.so.1
> #7 0xfebb50e2 in match_re_C () from /lib/libc.so.1
> #8 0xfebb5359 in match_re_C () from /lib/libc.so.1
> #9 0xfebb4db2 in match_re_C () from /lib/libc.so.1
> #10 0xfebb50e2 in match_re_C () from /lib/libc.so.1
>
> ... a whole ton of these ...
>
> #237 0xfebb50e2 in match_re_C () from /lib/libc.so.1
> #238 0xfebb4db2 in match_re_C () from /lib/libc.so.1
> #239 0xfebb50e2 in match_re_C () from /lib/libc.so.1
> #240 0xfebb4ba1 in match_re_C () from /lib/libc.so.1
> #241 0xfebb3e2c in __regexec_C () from /lib/libc.so.1
> #242 0xfebb86ec in regexec () from /lib/libc.so.1
> #243 0xfef5600b in isURL (pchk=0x4d, URL=0xfebe9463 "\203?\b\211E?\203? \004u\0053?\211E?j") at phishcheck.c:980
> #244 0xfef56c0d in phishingScan (m=0xd3241b0, dir=0xd15b858 "/var/amavis/clamd/clamav-2aa4fcc017ade96ab716e5d94a6dd92d", ctx=0xfe99d800,
>     hrefs=0xfe99b140) at phishcheck.c:1210
> #245 0xfef1cf11 in checkURLs (mainMessage=0xd3241b0, mctx=0xfe99d000, rc=0xfe99b25c, is_html=1) at mbox.c:3903
> #246 0xfef1eaaa in parseEmailBody (messageIn=0xd3241b0, textIn=0x0, mctx=0xfe99d000, recursion_level=0) at mbox.c:2037
> #247 0xfef20b86 in cli_mbox (dir=0xd15b858 "/var/amavis/clamd/clamav-2aa4fcc017ade96ab716e5d94a6dd92d", desc=0, ctx=0xfe99d800) at mbox.c:1400
> #248 0xfef17d51 in cli_scanmail (desc=35, ctx=0xfe99d800) at scanners.c:1644
> #249 0xfef153fc in cli_magic_scandesc (desc=35, ctx=0xfe99d800) at scanners.c:1973
> #250 0xfef19510 in cl_scandesc (desc=35, virname=0x4d, scanned=0x4d, engine=0xfebe9463, limits=0x4d, options=77) at scanners.c:2114
> #251 0xfef1956e in cl_scanfile (filename=0xd32cc38 "/var/amavis/tmp/amavis-20070830T151955-29751/parts/p002", virname=0xfe99d99c, scanned=0x0,
>     engine=0xac4ba38, limits=0x8047d90, options=9783) at scanners.c:2142
> #252 0x080583b4 in dirscan (dirname=0xfe99db19 "/var/amavis/tmp/amavis-20070830T151955-29751/parts", virname=0xfe99d99c, scanned=0x0,
>     engine=0xac4ba38, limits=0x8047d90, options=9783,
>     copt=0x806f8f8, odesc=34, reclev=0xfe99d998, type=1, multi_pool=0x0)
>     at scanner.c:214
> #253 0x08058886 in scan (filename=0xfe99db19 "/var/amavis/tmp/amavis-20070830T151955-29751/parts", scanned=0x0, engine=0xac4ba38,
>     limits=0x8047d90, options=9783, copt=0x806f8f8, odesc=34,
>     type=1) at scanner.c:359
> #254 0x08056857 in command (desc=34, engine=0xac4ba38, limits=0x8047d90, options=9783, copt=0x806f8f8, timeout=120) at session.c:154
> #255 0x08056f5e in scanner_thread (arg=0xd2e9e38) at server-th.c:105
> #256 0x08056c9e in thrmgr_worker (arg=0xa0b4d18) at thrmgr.c:235
> #257 0xfebf013d in _thr_setup () from /lib/libc.so.1
> #258 0xfebf0420 in L3_doit () from /lib/libc.so.1
> #259 0xfe880000 in ?? ()
> #260 0x00000000 in ?? ()
>
> Thread 21 (Thread 38 (LWP 38)):
> #0 0xfebf047b in __lwp_park () from /lib/libc.so.1
> #1 0xfebe9463 in mutex_lock_queue () from /lib/libc.so.1
> #2 0xfebe9cff in slow_lock () from /lib/libc.so.1
> #3 0xfebe9df5 in mutex_lock_impl () from /lib/libc.so.1
> #4 0xfebe9f01 in pthread_mutex_lock () from /lib/libc.so.1
> #5 0xfeb939f2 in free () from /lib/libc.so.1
> #6 0xfebb586b in match_re_C () from /lib/libc.so.1
> ---Type <return> to continue, or q <return> to quit---
> #7 0xfebb4db2 in match_re_C () from /lib/libc.so.1
> #8 0xfebb50e2 in match_re_C () from /lib/libc.so.1
> #9 0xfebb50e2 in match_re_C () from /lib/libc.so.1
>
> ....
>
> ------------------------------
>
> Message: 13
> Date: Thu, 30 Aug 2007 23:09:11 +0200
> From: "Beppe Di Maio" <[EMAIL PROTECTED]>
> Subject: Re: [Clamav-users] Donors (was Re: Sourcefire acquires ClamAV)
> To: "ClamAV users ML" <clamav-users@lists.clamav.net>
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Reasonably large translates into...?
>
> On 8/30/07, David F. Skoll <[EMAIL PROTECTED]> wrote:
> > Paul Kosinski wrote:
> >
> > > There is another aspect to the acquisition of ClamAV that seems not
> > > to have been discussed. What happens to the people who made monetary
> > > donations to the ClamAV project? (I am not in this group, as I never
> > > quite got around to it.)
> >
> > My company (Roaring Penguin Software Inc.) made a reasonably large
> > donation to the ClamAV development group a while back. I did not expect
> > any "ROI" or quid-pro-quo. I also doubt there's any legal responsibility
> > on Sourcefire's part related to these donations. It was pretty clear that
> > all your donation bought you was a "thank you".
> >
> > However, I will be quite upset if Sourcefire takes Clam proprietary and/or
> > starts charging for timely virus updates, and I will request my money
> > back (on moral, not legal, grounds.)
> >
> > Regards,
> >
> > David.
>
> ------------------------------
>
> Message: 14
> Date: Thu, 30 Aug 2007 17:47:04 -0400
> From: "David F. Skoll" <[EMAIL PROTECTED]>
> Subject: Re: [Clamav-users] Donors (was Re: Sourcefire acquires ClamAV)
> To: ClamAV users ML <clamav-users@lists.clamav.net>
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Beppe Di Maio wrote:
>
> > Reasonably large translates into...?
>
> I believe it was $1000, but I'd have to check to be sure.
>
> --
> David.
>
> ------------------------------
>
> Message: 15
> Date: Thu, 30 Aug 2007 22:13:43 -0500
> From: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] 0.91 - high load under solaris
> To: ClamAV users ML <clamav-users@lists.clamav.net>
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> -- [EMAIL PROTECTED] said the following on 8/30/07 3:40 PM:
> > On Thu, 30 Aug 2007, [EMAIL PROTECTED] wrote:
> >
> >> I'm noticing hang issues again with 0.91.2 on Solaris 10 x86. It doesn't
> >> appear to be associated with a particularly malformed message because
> >> when it starts hanging, if I restart it, things resume normally for a
> >> while. The incoming queue clears out.
> >
> > Here's some more.
> >
> > [Switching to Thread 1 (LWP 1)]
> > 0xfebf0857 in _so_accept () from /lib/libc.so.1
> > (gdb) thread apply all bt
> >
>
> Hmm... previously I had this in the amavisd-new conf file:
>
> @keep_decoded_original_maps = (new_RE(
>   qr'^MAIL$', # retain full original message
>   qr'^MAIL-UNDECIPHERABLE$',
>   qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
> # qr'^Zip archive data', # don't trust Archive::Zip
> ));
>
> It's my understanding that the above was necessary in order to take
> advantage of the SaneSecurity sigs. Well, after the earlier hangs, I
> changed it back to this:
>
> @keep_decoded_original_maps = (new_RE(
> # qr'^MAIL$', # retain full original message
>   qr'^MAIL-UNDECIPHERABLE$',
>   qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
> # qr'^Zip archive data', # don't trust Archive::Zip
> ));
>
> and man the load on clamd has dropped enormously. I saw the remark
> about having the '^MAIL$' line uncommented would be slower, but the
> difference is so wildly extreme. Even when the traffic was rather
> low, before clamd was always at the top in terms of cpu utilization.
> Now it's barely taking any cpu time at all. Naturally the time of
> day is a factor, but we'll see for sure tomorrow.
>
> Amos
>
> ------------------------------
>
> Message: 16
> Date: Thu, 30 Aug 2007 20:22:21 -0700
> From: Dennis Peterson <[EMAIL PROTECTED]>
> Subject: Re: [Clamav-users] Sourcefire acquires ClamAV
> To: ClamAV users ML <clamav-users@lists.clamav.net>
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Paul Kosinski wrote:
> > There is another aspect to the acquisition of ClamAV that seems not
> > to have been discussed. What happens to the people who made monetary
> > donations to the ClamAV project? (I am not in this group, as I never
> > quite got around to it.)
>
> I'm one of those who donated cash and nothing will happen to me. I'm
> fine, thanks for asking.
>
> dp
>
> ------------------------------
>
> Message: 17
> Date: Thu, 30 Aug 2007 20:51:02 -0700
> From: Bill Landry <[EMAIL PROTECTED]>
> Subject: Re: [Clamav-users] 0.91 - high load under solaris
> To: ClamAV users ML <clamav-users@lists.clamav.net>
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=ISO-8859-1
>
> [EMAIL PROTECTED] wrote the following on 8/30/2007 8:13 PM -0800:
> > -- [EMAIL PROTECTED] said the following on 8/30/07 3:40 PM:
> >
> >> On Thu, 30 Aug 2007, [EMAIL PROTECTED] wrote:
> >>
> >>
> >>> I'm noticing hang issues again with 0.91.2 on Solaris 10 x86. It doesn't
> >>> appear to be associated with a particularly malformed message because
> >>> when it starts hanging, if I restart it, things resume normally for a
> >>> while. The incoming queue clears out.
> >>>
> >> Here's some more.
> >>
> >> [Switching to Thread 1 (LWP 1)]
> >> 0xfebf0857 in _so_accept () from /lib/libc.so.1
> >> (gdb) thread apply all bt
> >>
> >>
> >
> > Hmm... previously I had this in the amavisd-new conf file:
> >
> > @keep_decoded_original_maps = (new_RE(
> >   qr'^MAIL$', # retain full original message
> >   qr'^MAIL-UNDECIPHERABLE$',
> >   qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
> > # qr'^Zip archive data', # don't trust Archive::Zip
> > ));
> >
> > It's my understanding that the above was necessary in order to take
> > advantage of the SaneSecurity sigs. Well, after the earlier hangs, I
> > changed it back to this:
> >
> > @keep_decoded_original_maps = (new_RE(
> > # qr'^MAIL$', # retain full original message
> >   qr'^MAIL-UNDECIPHERABLE$',
> >   qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
> > # qr'^Zip archive data', # don't trust Archive::Zip
> > ));
> >
> > and man the load on clamd has dropped enormously. I saw the remark about
> > having the '^MAIL$' line uncommented would be slower, but the difference
> > is so wildly extreme. Even when the traffic was rather low, before clamd
> > was always at the top in terms of cpu utilization. Now it's barely
> > taking any cpu time at all. Naturally the time of day is a factor, but
> > we'll see for sure tomorrow.
> >
> >
>
> Not all SaneSecurity signatures need to see the full message. If I
> recall correctly, it's only the mail file type (designated by :4: in
> the signature) that need to see the headers and body together.
> Anyway, as you had it set above, you were both decoding all of the
> message parts and sending them to the virus scanner(s) individually
> for scanning and then sending the entire message as a whole to the
> scanner(s) for scanning, as well. If you are running amavisd-new
> 2.5.1 or newer, you can always set $bypass_decode_parts=1, which
> will disable all MIME decoding and simply send the entire message to
> the virus scanner(s) for scanning. For more info, see the thread
> starting at:
>
> http://marc.info/?l=amavis-user&m=117985356008613&w=2
>
> I've been running this way for about 3 months now, and have had no
> problems. ClamAV, and many other scanners, do a good job of decoding
> messages on their own.
>
> Bill
>
> ------------------------------
>
> End of clamav-users Digest, Vol 35, Issue 29
> ********************************************
--
Anderson Clei
Network Supervisor
LinkExpress
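An added example, not part of the thread and not ClamAV code: a Python triage script for gdb `thread apply all bt` output like the one in Message 12. It reports which threads are parked on the allocator mutex, how deep the regex recursion runs, and the first frame that carries source information. The sample input is constructed from the frames quoted above; thread 21's last frame, thread 20, `idle_worker` and `example.c` are invented.

```python
import re
from collections import Counter

# Constructed sample shaped like the `thread apply all bt` output in Message 12.
# Frames are abbreviated; thread 21's last frame and all of thread 20 are invented.
SAMPLE_BT = """\
Thread 22 (Thread 39 ):
#0  0xfebf047b in __lwp_park () from /lib/libc.so.1
#4  0xfebe9f01 in pthread_mutex_lock () from /lib/libc.so.1
#5  0xfeb92f1d in malloc () from /lib/libc.so.1
#6  0xfebb400d in match_re_C () from /lib/libc.so.1
... a whole ton of these ...
#240 0xfebb4ba1 in match_re_C () from /lib/libc.so.1
#242 0xfebb86ec in regexec () from /lib/libc.so.1
#243 0xfef5600b in isURL (pchk=0x4d,
    URL=0xfebe9463 "...") at phishcheck.c:980

Thread 21 (Thread 38 (LWP 38)):
#0  0xfebf047b in __lwp_park () from /lib/libc.so.1
#4  0xfebe9f01 in pthread_mutex_lock () from /lib/libc.so.1
#5  0xfeb939f2 in free () from /lib/libc.so.1
#6  0xfebb586b in match_re_C () from /lib/libc.so.1
---Type <return> to continue, or q <return> to quit---
#9  0xfebb50e2 in match_re_C () from /lib/libc.so.1
#243 0xfef5600b in isURL (pchk=0x4d, URL=0x0) at phishcheck.c:980

Thread 20 (Thread 37 (LWP 37)):
#0  0x00000001 in __lwp_park () from /lib/libc.so.1
#2  0x00000003 in idle_worker (arg=0x0) at example.c:10
"""

THREAD_RE = re.compile(r"^Thread (\d+) \(")
FRAME_RE = re.compile(r"^#(\d+)\s+(?:0x[0-9a-fA-F]+ in )?(\S+) \(")
SRC_RE = re.compile(r"\) at (\S+):(\d+)$")
LOCK_FUNCS = {"__lwp_park", "mutex_lock_queue", "slow_lock",
              "mutex_lock_impl", "pthread_mutex_lock"}
ALLOC_FUNCS = {"malloc", "free", "calloc", "realloc"}


def parse_backtrace(text):
    """Return {thread_id: [(frame_no, function, 'file:line' or None), ...]}."""
    raw, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = THREAD_RE.match(line)
        if m:
            current = raw.setdefault(int(m.group(1)), [])
        elif current is None or not line or line.startswith(("---", "...")):
            continue                    # preamble, pager prompt, elision marker
        elif line.startswith("#") or not current:
            current.append(line)
        else:
            current[-1] += " " + line   # wrapped argument list
    return {tid: [split_frame(f) for f in fs if FRAME_RE.match(f)]
            for tid, fs in raw.items()}


def split_frame(frame):
    m, src = FRAME_RE.match(frame), SRC_RE.search(frame)
    where = f"{src.group(1)}:{src.group(2)}" if src else None
    return int(m.group(1)), m.group(2), where


def summarize(frames):
    """Lock wait, deepest recursion and first frame with source for one thread."""
    funcs = [f for _, f, _ in frames]
    i = next((k for k, f in enumerate(funcs) if f not in LOCK_FUNCS), len(funcs))
    blocked = "pthread_mutex_lock" in funcs[:i]
    best, start = (None, 0), 0
    # Depth comes from frame numbers so elided frames count; assumes frames
    # elided between two listed frames of one function are that function too.
    for j in range(1, len(frames) + 1):
        if j == len(frames) or funcs[j] != funcs[start]:
            depth = frames[j - 1][0] - frames[start][0] + 1
            if depth > best[1]:
                best = (funcs[start], depth)
            start = j
    return {"lock_caller": funcs[i] if blocked and i < len(funcs) else None,
            "recursion": best,
            "app_frame": next(((f, s) for _, f, s in frames if s), None)}


def allocator_contention(text):
    """Count threads parked on the allocator mutex, keyed by first frame with source."""
    info = (summarize(f) for f in parse_backtrace(text).values())
    return Counter(s["app_frame"] for s in info
                   if s["lock_caller"] in ALLOC_FUNCS and s["app_frame"])
```

Several threads reporting the same `app_frame` while waiting on `malloc` or `free` means the scanner threads are serialising on the allocator lock from one call site, which fits clamd recovering after a restart rather than failing on one particular message.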