On 9/4/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
> Today's Topics:
>
>    1. Re: can clamav kill Win32 PE virus? ([EMAIL PROTECTED])
>    2. Re: 0.91 - high load under solaris (Ian G Batten)
>    3. Re: 0.91 - high load under solaris (Henrik Krohns)
>    4. Re: 0.91 - high load under solaris ([EMAIL PROTECTED])
>    5. Re: 0.91 - high load under solaris ([EMAIL PROTECTED])
>    6. Re: 0.91 - high load under solaris (Jerry Durand)
>    7. Re: 0.91 - high load under solaris (Noel Jones)
>    8. Re: 0.91 - high load under solaris (Jerry Durand)
>    9. GPG, attachments and clamav-milter 0.91.2 ([EMAIL PROTECTED])
>   10. Re: GPG, attachments and clamav-milter 0.91.2 (Nigel Horne)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 3 Sep 2007 08:46:31 -0500 (CDT)
> From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
> Subject: Re: [Clamav-users] can clamav kill Win32 PE virus?
> To: ClamAV users ML <clamav-users@lists.clamav.net>
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
>
>
> On Sun, 2 Sep 2007, [EMAIL PROTECTED] wrote:
>
> > Dear all:
> > I am a Fedora 7 user running ClamAV to protect my data on my PC
> > (though they're extremely rare). However today I ran into problems. My
> > girlfriend uses a WinXP system, which became severely infected by
> > viruses. Now she is going to make a system clean-up. The plan is:
> >
> > S1. Copy all her important data to a portable media;
> > S2. Re-format her entire file system (thus destroying everything) and
> > re-install WinXP;
> > S3. While she's doing 2, I scan the portable media using ClamAV on my
> > computer, and (possibly) remove the viruses which might have been
> > 'backed-up' along with her regular files;
> > S4. Copy the (possible) ClamAV-scanned data back to her computer.
> >
> > The problem is whether Step 3 can be realized. I don't know
> > whether ClamAV is able to detect Win32 PE viruses. I'm fairly
> > confident that the PE viruses could not infect my system but I'm not
> > sure whether I can detect them.
> >
> > I know the above procedure is rather absurd... However I haven't come
> > up with other ideas. The situation is that she will stick to WinXP and
> > I cannot afford a Win32 antivirus software, and worse, I'm not familiar
> > with Windows.
> >
> > I appreciate your suggestions.
> >
> > Cong
> >
> > PS. If you find my English bad, please pardon me --- I'm not a native
> > English speaker. Thank you for your patience.
> > _______________________________________________
> > Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> > http://lurker.clamav.net/list/clamav-users.html
> >
>
> The Micro$ disk format program doesn't completely nuke a hard drive.
> Use your Fedora system and badblocks to nuke her drive to brand new drive
> status.  The Micro$ format program lifts some data off the drive, does
> its formatting thingy and puts the info back down on to the drive. The 8
> megabyte section beyond the Micro$ partition is replaced exactly like it
> was before the re-format.  After you scan and remove the nasty stuff on
> her drive, just copy her critical data back on to her freshly installed
> drive.
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 3 Sep 2007 16:50:40 +0100
> From: Ian G Batten <[EMAIL PROTECTED]>
> Subject: Re: [Clamav-users] 0.91 - high load under solaris
> To: ClamAV users ML <clamav-users@lists.clamav.net>
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
>
>
> On 30 Aug 2007, at 21:40, [EMAIL PROTECTED] wrote:
>
> > On Thu, 30 Aug 2007, [EMAIL PROTECTED] wrote:
> >
> >> I'm noticing hang issues again with 0.91.2 on Solaris 10 x86. It
> >> doesn't
> >> appear to be associated with a particularly malformed message because
> >> when it starts hanging, if I restart it, things resume normally for a
> >> while. The incoming queue clears out.
> >
> > Here's some more.
> >
> > [Switching to Thread 1 (LWP 1)]
> > 0xfebf0857 in _so_accept () from /lib/libc.so.1
> > (gdb) thread apply all bt
> >
> > Thread 22 (Thread 39        ):
> > #0  0xfebf047b in __lwp_park () from /lib/libc.so.1
> > #1  0xfebe9463 in mutex_lock_queue () from /lib/libc.so.1
> > #2  0xfebe9cff in slow_lock () from /lib/libc.so.1
> > #3  0xfebe9df5 in mutex_lock_impl () from /lib/libc.so.1
> > #4  0xfebe9f01 in pthread_mutex_lock () from /lib/libc.so.1
> > #5  0xfeb92f1d in malloc () from /lib/libc.so.1
> > #6  0xfebb400d in match_re_C () from /lib/libc.so.1
> > #7  0xfebb50e2 in match_re_C () from /lib/libc.so.1
> > #8  0xfebb5359 in match_re_C () from /lib/libc.so.1
>
> Same problem I saw.  The regexp built by the PhishingScanURLs option
> appears to upset the Solaris regexp library, but not the Linux or OSX
> versions.  I've got a more serious look at the problem on my list of
> jobs to do, but for now I just turned the option off.
>
> ian
>
>
>
> ------------------------------
>
> Message: 3
> Date: Mon, 3 Sep 2007 19:02:42 +0300
> From: Henrik Krohns <[EMAIL PROTECTED]>
> Subject: Re: [Clamav-users] 0.91 - high load under solaris
> To: clamav-users@lists.clamav.net
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=us-ascii
>
> On Mon, Sep 03, 2007 at 04:50:40PM +0100, Ian G Batten wrote:
> >
> > On 30 Aug 2007, at 21:40, [EMAIL PROTECTED] wrote:
> >
> > > On Thu, 30 Aug 2007, [EMAIL PROTECTED] wrote:
> > >
> > >> I'm noticing hang issues again with 0.91.2 on Solaris 10 x86. It
> > >> doesn't
> > >> appear to be associated with a particularly malformed message because
> > >> when it starts hanging, if I restart it, things resume normally for a
> > >> while. The incoming queue clears out.
> > >
> > > Here's some more.
> > >
> > > [Switching to Thread 1 (LWP 1)]
> > > 0xfebf0857 in _so_accept () from /lib/libc.so.1
> > > (gdb) thread apply all bt
> > >
> > > Thread 22 (Thread 39        ):
> > > #0  0xfebf047b in __lwp_park () from /lib/libc.so.1
> > > #1  0xfebe9463 in mutex_lock_queue () from /lib/libc.so.1
> > > #2  0xfebe9cff in slow_lock () from /lib/libc.so.1
> > > #3  0xfebe9df5 in mutex_lock_impl () from /lib/libc.so.1
> > > #4  0xfebe9f01 in pthread_mutex_lock () from /lib/libc.so.1
> > > #5  0xfeb92f1d in malloc () from /lib/libc.so.1
> > > #6  0xfebb400d in match_re_C () from /lib/libc.so.1
> > > #7  0xfebb50e2 in match_re_C () from /lib/libc.so.1
> > > #8  0xfebb5359 in match_re_C () from /lib/libc.so.1
> >
> > Same problem I saw.  The regexp built by the PhishingScanURLs option
> > appears to upset the Solaris regexp library, but not the Linux or OSX
> > versions.  I've got a more serious look at the problem on my list of
> > jobs to do, but for now I just turned the option off.
>
> I wonder if it could be fixed by just compiling with (posix)PCRE instead?
>
>
>
> ------------------------------
>
> Message: 4
> Date: Mon, 03 Sep 2007 17:08:24 -0500
> From: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] 0.91 - high load under solaris
> To: ClamAV users ML <clamav-users@lists.clamav.net>
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
>
>
> -- Ian G Batten said the following on 9/3/07 10:50 AM:
> > On 30 Aug 2007, at 21:40, [EMAIL PROTECTED] wrote:
> >
> >> On Thu, 30 Aug 2007, [EMAIL PROTECTED] wrote:
> >>
> >>> I'm noticing hang issues again with 0.91.2 on Solaris 10 x86. It
> >>> doesn't
> >>> appear to be associated with a particularly malformed message because
> >>> when it starts hanging, if I restart it, things resume normally for a
> >>> while. The incoming queue clears out.
> >> Here's some more.
> >>
> >> [Switching to Thread 1 (LWP 1)]
> >> 0xfebf0857 in _so_accept () from /lib/libc.so.1
> >> (gdb) thread apply all bt
> >>
> >> Thread 22 (Thread 39        ):
> >> #0  0xfebf047b in __lwp_park () from /lib/libc.so.1
> >> #1  0xfebe9463 in mutex_lock_queue () from /lib/libc.so.1
> >> #2  0xfebe9cff in slow_lock () from /lib/libc.so.1
> >> #3  0xfebe9df5 in mutex_lock_impl () from /lib/libc.so.1
> >> #4  0xfebe9f01 in pthread_mutex_lock () from /lib/libc.so.1
> >> #5  0xfeb92f1d in malloc () from /lib/libc.so.1
> >> #6  0xfebb400d in match_re_C () from /lib/libc.so.1
> >> #7  0xfebb50e2 in match_re_C () from /lib/libc.so.1
> >> #8  0xfebb5359 in match_re_C () from /lib/libc.so.1
> >
> > Same problem I saw.  The regexp built by the PhishingScanURLs option
> > appears to upset the Solaris regexp library, but not the Linux or OSX
> > versions.  I've got a more serious look at the problem on my list of
> > jobs to do, but for now I just turned the option off.
>
> I'm not sure why, but when I commented out the qr'^MAIL$' below, the
> problem went away. Hasn't reappeared since. Perhaps that option is only
> called when the full message is scanned? How are you calling clamd?
>
> @keep_decoded_original_maps = (new_RE(
>     qr'^MAIL$', # retain full original message
>     qr'^MAIL-UNDECIPHERABLE$',
>     qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
> # qr'^Zip archive data',     # don't trust Archive::Zip
> ));
>
> Since I'm using amavisd-new, as Bill Landry stated I could always try
> $bypass_decode_parts=1 and leave the qr'^MAIL$' thing commented out. The
> downside, though, is that I couldn't do attachment / file type blocking
> using amavisd-new. So for now I have qr'^MAIL$' commented out and things
> seem to be stable.
>
> Amos
>
>
>
>
>
> ------------------------------
>
> Message: 5
> Date: Mon, 03 Sep 2007 17:11:22 -0500
> From: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] 0.91 - high load under solaris
> To: ClamAV users ML <clamav-users@lists.clamav.net>
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> -- Henrik Krohns said the following on 9/3/07 11:02 AM:
> > On Mon, Sep 03, 2007 at 04:50:40PM +0100, Ian G Batten wrote:
> >> Same problem I saw.  The regexp built by the PhishingScanURLs option
> >> appears to upset the Solaris regexp library, but not the Linux or OSX
> >> versions.  I've got a more serious look at the problem on my list of
> >> jobs to do, but for now I just turned the option off.
> >
> > I wonder if it could be fixed by just compiling with (posix)PCRE instead?
>
> Hmmm... like with Postfix.... Interesting idea. Might reduce platform
> dependency issues a bit, maybe?
>
> Amos
>
>
>
> ------------------------------
>
> Message: 6
> Date: Mon, 03 Sep 2007 15:28:16 -0700
> From: Jerry Durand <[EMAIL PROTECTED]>
> Subject: Re: [Clamav-users] 0.91 - high load under solaris
> To: ClamAV users ML <clamav-users@lists.clamav.net>
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=us-ascii; format=flowed
>
> I just subscribed to this list, this seems like the thread related to
> my problem.  If not, please direct me to it.
>
> I've been seeing Clamd lock up the mail system and sometimes crash
> several times over the last couple of days.
>
> I have a copy of one of the messages that caused this along with the
> crash log here:
>
> http://interstellar.com/temp/amavis-20070903T054236-08542/
>
> OS X Server 10.4.10
> Clamd 0.91.2
>
> I'm in the process of moving the mail and web server over to a new
> Linux system, so hopefully this won't follow the move.  Any
> suggestions welcome.
>
> --
> Jerry Durand, Durand Interstellar, Inc.  www.interstellar.com
> tel: +1 408 356-3886, USA toll free: 1 866 356-3886
> Skype:  jerrydurand
>
>
>
> ------------------------------
>
> Message: 7
> Date: Mon, 03 Sep 2007 22:09:47 -0500
> From: Noel Jones <[EMAIL PROTECTED]>
> Subject: Re: [Clamav-users] 0.91 - high load under solaris
> To: ClamAV users ML <clamav-users@lists.clamav.net>
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset="us-ascii"; format=flowed
>
> At 05:28 PM 9/3/2007, Jerry Durand wrote:
> >I just subscribed to this list, this seems like the thread related to
> >my problem.  If not, please direct me to it.
> >
> >I've been seeing Clamd lock up the mail system and sometimes crash
> >several times over the last couple of days.
> >
> >I have a copy of one of the messages that caused this along with the
> >crash log here:
> >
> >http://interstellar.com/temp/amavis-20070903T054236-08542/
> >
> >OS X Server 10.4.10
> >Clamd 0.91.2
> >
> >I'm in the process of moving the mail and web server over to a new
> >Linux system, so hopefully this won't follow the move.  Any
> >suggestions welcome.
> >
> >--
> >Jerry Durand, Durand Interstellar, Inc.  www.interstellar.com
> >tel: +1 408 356-3886, USA toll free: 1 866 356-3886
> >Skype:  jerrydurand
>
> This isn't directly related to your clamav problem, but you might
> want to configure postfix to reject mail when your own domain name or
> IP is used in the HELO command from unauthenticated clients outside
> your local network.  Such a rule would have rejected this mail.
> This is a very safe restriction with 0% false positive (assuming you
> set $mynetworks correctly in postfix).
>
> See the postfix-users list archives for examples, or feel free to ask
> there if you need detailed advice.
>
> --
> Noel Jones
>
>
>
> ------------------------------
>
> Message: 8
> Date: Mon, 03 Sep 2007 22:42:06 -0700
> From: Jerry Durand <[EMAIL PROTECTED]>
> Subject: Re: [Clamav-users] 0.91 - high load under solaris
> To: ClamAV users ML <clamav-users@lists.clamav.net>
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain
>
> On Mon, 2007-09-03 at 22:09 -0500, Noel Jones wrote:
>
> > This isn't directly related to your clamav problem, but you might
> > want to configure postfix to reject mail when your own domain name or
> > IP is used in the HELO command from unauthenticated clients outside
> > your local network.  Such a rule would have rejected this mail.
> > This is a very safe restriction with 0% false positive (assuming you
> > set $mynetworks correctly in postfix).
> >
>
> Thanks, not sure how I missed that.
>
> > See the postfix-users list archives for examples, or feel free to ask
> > there if you need detailed advice.
> >
>
> I already had some other offenders listed, just forgot to add all our
> domains.
>
> --
> Jerry Durand, Durand Interstellar, Inc.
> Los Gatos, California, USA, www.interstellar.com
> tel: +1.408.356.3886, USA:  866-356-3886, Skype:  jerrydurand
>
>
>
> ------------------------------
>
> Message: 9
> Date: Mon, 3 Sep 2007 23:20:57 -0700
> From: [EMAIL PROTECTED]
> Subject: [Clamav-users] GPG, attachments and clamav-milter 0.91.2
> To: clamav-users@lists.clamav.net
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
>
>
> I am regularly able to elicit this reaction from clamav-milter 0.91.2
> by receiving a small (~150Kb) GPG-encrypted message with an
> attachment from Gmail.  Anybody else seen this?
>
> aurora45% grep "out of memory" /var/log/maillog
> Aug 29 22:12:21 aurora sm-mta[2091]: l7U5CKqv002091: SYSERR(root):
> out of memory: Cannot allocate memory
> Aug 29 22:18:33 aurora sm-mta[2167]: l7U5IWul002167: SYSERR(root):
> out of memory: Cannot allocate memory
> Sep  3 22:06:06 aurora sm-mta[56290]: l84564j5056290: SYSERR(root):
> out of memory: Cannot allocate memory
>
> -peter
>
>
> ------------------------------
>
> Message: 10
> Date: Tue, 04 Sep 2007 08:16:10 +0100
> From: Nigel Horne <[EMAIL PROTECTED]>
> Subject: Re: [Clamav-users] GPG, attachments and clamav-milter 0.91.2
> To: ClamAV users ML <clamav-users@lists.clamav.net>
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset="iso-8859-1"
>
> [EMAIL PROTECTED] wrote:
> > I am regularly able to elicit this reaction from clamav-milter 0.91.2
> > by receiving a small (~150Kb) GPG-encrypted message with an
> > attachment from Gmail.  Anybody else seen this?
> >
> > aurora45% grep "out of memory" /var/log/maillog
> > Aug 29 22:12:21 aurora sm-mta[2091]: l7U5CKqv002091: SYSERR(root):
> > out of memory: Cannot allocate memory
>
> What operating system?
> Please send me a copy of an email that reproduces the problem.
> >
> > -peter
>
> -Nigel
>
> ------------------------------
>
>
> End of clamav-users Digest, Vol 36, Issue 4
> *******************************************
>



-- 
Cheers,

Hoong Tat
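
The HELO restriction Noel Jones describes in Message 7 of the quoted digest, written out as a Postfix configuration. This is an added example, not configuration posted by anyone in the thread; the domain example.com, the address 192.0.2.10 and the map path /etc/postfix/helo_access are placeholders to be replaced with your own values.

```conf
# ---- /etc/postfix/main.cf ----
# Require a HELO/EHLO so the check below always has a name to evaluate.
smtpd_helo_required = yes

# Order matters: clients in $mynetworks and SASL-authenticated clients are
# accepted first, so only outside, unauthenticated clients reach the map.
# If $mynetworks is too narrow, your own hosts will be rejected; if it is
# too wide, forged HELOs from those ranges are let through.
smtpd_helo_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_helo_access hash:/etc/postfix/helo_access

# ---- /etc/postfix/helo_access ----
# (placeholder path; rebuild after every edit with:
#    postmap /etc/postfix/helo_access)
# Left side: the HELO name as sent by the client.
# Right side: an access(5) action and the text returned to the client.
# List every domain and address the server answers for.
example.com         REJECT HELO uses our own domain name
mail.example.com    REJECT HELO uses our own host name
192.0.2.10          REJECT HELO uses our own IP address
[192.0.2.10]        REJECT HELO uses our own IP address
```

Running "postconf mynetworks smtpd_helo_restrictions" afterwards shows the values Postfix will actually use, which is the quickest way to confirm $mynetworks covers only your own hosts before the rule goes live.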