Hi there,

On Wed, 29 Aug 2012, Jonathan Ryshpan wrote:

> ... thank you very much for your time and attention.

Shucks. :)

> I've been getting a vast quantity of spam lately;

Can you give us some numbers?  Did this change suddenly or not?  Is
pacbell.net your only mail service provider?  Are you running any
specialized anti-spam software or do you rely on your provider and
your mail client?  All sorts of things can affect your prominence on
spammers' radar, have you recently joined any (other) mailing lists?

To put things into context, here at this domain at present we normally
see between five and ten thousand attempts to send spam to us per day.
That's been a fairly constant statistic for several years, but at
times in the past the figure has suddenly (in hours) jumped to many
tens of thousands.  The domain has been public for fourteen years and
so every spammer who wants to try his luck has tried it by now, and a
few of them have tried using it in forged messages.  The first couple
of times that happened it took our mail servers down but we've learned
how to cope with that now.

If we did not use a selection of very robust defences then email would
be of no use to us at all because we would not be able to discern the
real messages.  As it happens ClamAV is one of the defences, but as it
is (as you have found) fairly demanding of resources, it is deferred
until late in the mail scanning process when almost all the junk has
already been weeded out by other, less hungry processes.  Even so it
does filter out a useful amount of unwanted mail, primarily through
the use of the third-party databases for scams, phishing etc.  Viruses
are really not an issue for us, and as an anti-virus tool I personally
wouldn't give ClamAV top marks.  My own experience is that ClamAV gives
many more false positives than most of the other virus scanners.  Give
a few files to Jotti's Malware Scan, for example, see how it compares.

> also a message bounce from a server warning me that I had sent a virus.

That's not so good, but the message might just be false.  Can we see it?
Please feel free to contact me privately about it if you wish, although
you might need to work some to get a private message through to me from
your present ISP. :)

> So I want to scan my whole system for viruses, etc.

Not a bad idea under the circumstances, but the vast majority of the
malicious software which you're scanning for does not affect Linux
boxes at all, so you're wasting a large fraction of your processor
cycles and possibly your time by scanning for threats which are not
threats to your system.

It does seem possible, even if it is unlikely, that your system might
have been compromised.  Have you seen any processes running which you
didn't expect to be running?  Any unexplained resource consumption?
Have you seen files changing in your system that you didn't expect to
change?  Have you looked for information about things like rootkits?

If your machine were in fact sending out malicious software I would
expect you to be able to see a larger than normal volume of outgoing
traffic.  Have you tried any means of monitoring the traffic on your
Internet connection?

If you do suspect that the machine is compromised then the responsible
thing to do is disconnect it from the Internet until such time as it
has been properly checked over and confirmed healthy.

> The system is not a server; I run it fairly carefully and don't
> think I have any malware, except for a modest number of messages in
> some very large (too large) mail archives, most of which contain
> attachments which I've probably never opened, and which shouldn't
> have infected anything else except the small number of executables I
> have in ~/bin, since I always run as an ordinary user when reading
> my mail.

Do you have a firewall between the machine and the Internet?  Have you
done anything to harden the machine against attack?  Are you running a
Webserver?  Even though you say the machine is not a server there may
be numerous potentially vulnerable services running on it.

As it is a Linux system, if it has been compromised then I think it is
at least as likely that it was through some insecure process connected
to the Internet as it was through something in your mail.  Having said
that, I haven't seen a compromised Linux box for about a decade.  I only
*ever* saw two, both had the (now infamous) Red Hat ftp vulnerability.

There are always a number of privilege escalation vulnerabilities in
Linux boxes, every week several come through on the security lists
that I'm subscribed to and although the majority are in software that
I would never run (like PHP!), some of them do give cause for concern.
So I'm afraid the fact that you're being sensible about logging in
without root privileges doesn't quite let you off that particular hook.

> Nevertheless a virus scan seems to be in order.  I've run a few so far;
> they have all taken a very long time, mostly because I didn't realize I
> needed to --exclude the "system" directories /proc, /sys, and /dev.  The
> same error has made the results very difficult to interpret.

You could take an editor to the output files, but it might be easier
to just do the scans again. :)

> I'm running using tee because this gives me a very rough idea how
> the scan is coming along; a "#" option to get the same result would
> be better, but (hey!) I didn't write this, and shouldn't complain.
> For long runs like this I like to combine stdout and stderr so as to
> get a very rough idea which stdout lines the stderr lines refer to.

There are ways of doing what you want to do without modifying tools.
I don't know what you mean by a "#" option.  You can almost always
pipe the output of unix command line tools to a file and then 'tail'
the file in some way if you want to see what's been happening.  For
example

tail -f logfile

will show you the last few lines of the file and update the screen as
the logfile grows.  You can stop the tail process, and start another
one, at will.  It won't affect the logfile.  There's also 'less', I
usually use

less -S logfile

and then press F (capital F) to watch the file as it's being written.

You can leave an xterm running in a window with the processes running
in it and do other stuff in other terminals while the scan progresses.
You can run several independent scans at once, and still use the box
for other jobs if you have the horsepower.

--

73,
Ged.
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
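As an added example (not code from the thread, nor from the ClamAV project), the following shell script wraps up the workflow discussed above: build a clamscan command that skips the /proc, /sys and /dev pseudo-filesystems, send everything to one log file so it can be followed with `tail -f`, and pull the hits and the summary back out of that log afterwards. It assumes the real clamscan options `-r`, `--infected` and `--exclude-dir=REGEX`, and the `<path>: <signature> FOUND` and `Infected files: N` lines clamscan prints; the sample log it parses is constructed, with made-up paths and counts.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread: a small wrapper for the
# "scan, log, and watch the log" workflow discussed above. Assumes the real
# clamscan options -r, --infected and --exclude-dir=REGEX, and the
# "<path>: <signature> FOUND" and "Infected files: N" lines clamscan prints.

# Pseudo-filesystems that contain no real files; reading them is what made
# the scans in the thread take so long.
PSEUDO_FS="/proc /sys /dev"

# Print (do not run) the scan command for directory $1, logging to file $2.
# stderr is folded into the log so a later 'tail -f' shows both streams in
# order, which is the effect the tee pipeline in the thread was after.
build_scan_cmd() {
    cmd="clamscan -r --infected"
    for p in $PSEUDO_FS; do
        cmd="$cmd --exclude-dir=^$p"
    done
    echo "$cmd $1 >$2 2>&1"
}

# Print the paths of the files clamscan flagged in log file $1.
list_hits() {
    grep ' FOUND$' "$1" | sed 's/: [^:]* FOUND$//'
}

# Print "found=<number of FOUND lines> reported=<Infected files from the
# summary>"; the two should agree, which is a quick check that the log is
# complete and was not cut off part way through the run.
summarize_scan_log() {
    found=$(grep -c ' FOUND$' "$1" || true)
    reported=$(sed -n 's/^Infected files: //p' "$1")
    echo "found=$found reported=${reported:-?}"
}

# Constructed sample log standing in for a real run (paths, counts and the
# signature name are made up for the example).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
/home/jon/Mail/old-archive.mbox: Eicar-Test-Signature FOUND
/home/jon/bin/stale-helper: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Scanned directories: 12
Scanned files: 4321
Infected files: 2
Time: 95.000 sec (1 m 35 s)
EOF

echo "Run:   $(build_scan_cmd /home/jon /home/jon/scan.log)"
echo "Watch: tail -f /home/jon/scan.log"
echo "Hits in sample log:"
list_hits "$SAMPLE_LOG"
summarize_scan_log "$SAMPLE_LOG"
```

Run the echoed command as an ordinary user in one terminal and `tail -f` the log in another; when it finishes, `list_hits` and `summarize_scan_log` give the same answer as reading the whole log by hand, and a mismatch between the FOUND count and the summary's "Infected files" line is the sign of a run that was interrupted.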