[Clamav-users] sf.net CVS repository up to date
Hi Listers,

I just wanted you to know that the sf.net team has manually re-synced the CVS tree for anonymous CVS. It was frozen after a server failure on Sep 10.

Thomas

Original message from sf.net staff:

Comment By: Jacob Moorman (moorman)
Date: 2003-09-18 22:22

Greetings,

The clamav project CVS repository is now properly synchronized and should be accessible via anonymous pserver CVS and ViewCVS. Should you require further assistance from the SourceForge.net team, please add a comment to this request.

Thank you,
Jacob Moorman
Quality of Service Manager, SourceForge.net
Re: [Clamav-users] Email results
At 22:09 18/09/2003, Darryl W. DeLao Jr wrote:
> Anyone know of a way to make clamscan email you when it's done scanning with the results included?

Pipe the results into "mail", viz:

    (cd /; /usr/bin/clamscan --recursive --quarantine /var/clamav/quarantine --infected --stdout --log /var/clamav/log/clamscan.log --tar --tgz | mail -s "[`hostname`] Clam Antivirus Scan Results - `date`" root)

cheers
Brian
--
Brian J Read
www.abandonmicrosoft.co.uk
www.theonlineorganiser.com
www.thepersonalknowledgebase.com
Moderator for Mitel SMEserver Contributions and Howtos: www.contribs.org
+44 1695 723723
[Clamav-users] now what??????
Hi List.

Can anyone point me in the right direction with this error in the mainlog file of exim?

2003-09-19 15:07:51 1A0KzC-FK-Lt malware acl condition: clamd: connection to 127.0.0.1, port 3310 failed (Bad file descriptor)

Perhaps someone else has experienced the same issue.

Thanks in advance.

Regards,
Tom Kinghorn
Re: [Clamav-users] libclamav; segfault in exit(3) after calls to libclamav
* Tomasz Kojm <[EMAIL PROTECTED]> [20030918 19:13]: wrote:
> > I'd suggest clamav-20030720. Try it and see if the same thing happens
> >
> >
> > Any snapshots after that date (CVS) do not compile on FreeBSD 5.1-REL.
> > I have tried to compile them, but they fail like so:
>
> Please grab the latest snapshot (or checkout the repository) because this has
> been already fixed.

Thanks. I have tested the one for 20030919 and seems to compile fine on 4.9-REL. My 5.1-REL box is hosed at the moment so I am not able to test on it till Monday.

-Wash
--
Odhiambo Washington <[EMAIL PROTECTED]>
Wananchi Online Ltd. www.wananchi.com
Tel: +254 2 313985-9 +254 2 313922
GSM: +254 72 743223 +254 733 744121
"The box said 'Requires Windows 95, NT, or better,' so I installed FreeBSD."
This sig is McQ! :-)

Sen. Danforth: "There is nothing on the face of the album which would notify you if the record has pornographic material or material glorifying violence?"
Tipper Gore: "No, there is nothing that would suggest that to me."
Frank Zappa: "I would say that a buzz saw blade between the guy's legs on the album cover is good indication that it's not for little Johnny."
-- The Senate Commerce Committee hearing on rock lyrics, from The Village Voice, 6 Oct 1985
[Clamav-users] UPDATE81.exe getting thru
Is anyone else seeing this happen ?

Dee
--
W.D.McKinney (Dee)        | Affordable E-Mail and Internet Solutions
Alaska Wireless Systems   | for Schools, Libraries, Clinics & Business'
http://www.akwireless.net | Call 1-907-349-4308
[Clamav-users] virusdb list not functioning?
Is the virusdb list functioning? I'm not getting any updates from it.

--
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v) 423-559-5145 (f)
http://www.wingnet.net
[Clamav-users] Re: [Clamav-virusdb] Update
On Friday 19 September 2003 13:06, Diego d'Ambra wrote:
> ClamAV, database updated (17:03 on 19/9/2003 GMT): viruses.db2

[...]

> Submission: 386, 387, 388, 390, 391, 392, 393, 394, 396,
>             397, 398, 399, 400, 401, 402, 403, 404, 405,
>             406, 507, 508
> Sender:     Different senders
> Virus:      Worm.Gibe.F
> Added:      No, already detected

I'm not sure if I'm in that list or not (would be nice to get an email confirmation or something), but Gibe.F worms ARE slipping past my ClamAV 0.60. I have the latest definitions, and they still slip by.

I have tested most of my submissions by using the web based CGI submission tool too:

http://www.gietl.com/test-clamav/

--
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v) 423-559-5145 (f)
http://www.wingnet.net
RE: [Clamav-users] UPDATE81.exe getting thru
Yes, I received a couple of these this morning, one with an attachment called Update53.exe, and another w/an attachment called Install932.exe.

I'm assuming this is the new "Swen" virus I have recently heard about? (http://www.sarc.com/avcenter/venc/data/[EMAIL PROTECTED])

I have a couple of the messages if you need a copy...

k

-----Original Message-----
From: W.D. McKinney [mailto:[EMAIL PROTECTED]
Sent: Friday, September 19, 2003 12:48
To: [EMAIL PROTECTED]
Subject: [Clamav-users] UPDATE81.exe getting thru

Is anyone else seeing this happen ?

Dee
--
W.D.McKinney (Dee)        | Affordable E-Mail and Internet Solutions
Alaska Wireless Systems   | for Schools, Libraries, Clinics & Business'
http://www.akwireless.net | Call 1-907-349-4308
[Clamav-users] testing
testing...

--
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v) 423-559-5145 (f)
http://www.wingnet.net
[Clamav-users] new virus (Sep 18th)
Howdy people,

Do we have a definition for this yet?

http://securityresponse.symantec.com/avcenter/venc/data/[EMAIL PROTECTED]

I started receiving these yesterday at 16:50 EDT, and I have PERSONALLY received 8 different copies since then, 7 of which I forwarded to:

[EMAIL PROTECTED]

--
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v) 423-559-5145 (f)
http://www.wingnet.net
[Clamav-users] RE: UPDATE81.exe getting thru
Kevin Hanser wrote:
> Yes, I received a couple of these this morning, one with an attachment
> called Update53.exe, and another w/an attachment called Install932.exe.
>
> I'm assuming this is the new "Swen" virus I have recently heard about?

Yes, also Gibe-F apparently. But ClamAV's current virus def for Worm.Gibe.F seems to be faulty because it only catches about 50% of my Gibe-F viruses...

--
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v) 423-559-5145 (f)
http://www.wingnet.net
[Clamav-users] Worm.Gibe.F
Hi,

when was the db updated for Worm.Gibe.F? I had it slip through 2 independent servers, one of them updates every hour...

(Note to me: subscribe to clamav-virusdb!)

Thomas
--
Thomas Lamy
Technik & Softwareentwicklung
Ingolstadt Online GmbH -- Ihr drahtloser Weg ins Internet
Re: [Clamav-users] RE: UPDATE81.exe getting thru
On Fri, 2003-09-19 at 13:51, Jesse Guardiani wrote:
> Kevin Hanser wrote:
>
> > Yes, I received a couple of these this morning, one with an attachment
> > called Update53.exe, and another w/an attachment called Install932.exe.
> >
> > I'm assuming this is the new "Swen" virus I have recently heard about?
>
> Yes, also Gibe-F apparently. But ClamAV's current virus def for Worm.Gibe.F
> seems to be faulty because it only catches about 50% of my Gibe-F viruses...

Is there a good way to stop this with clamav ? We like its implementation but this is not cool.

Dee
--
W.D.McKinney (Dee)        | Affordable E-Mail and Internet Solutions
Alaska Wireless Systems   | for Schools, Libraries, Clinics & Business'
http://www.akwireless.net | Call 1-907-349-4308
Re: [Clamav-users] Email results
On Thu, 2003-09-18 at 23:30, Antony Stone wrote:
> On Thursday 18 September 2003 10:58 pm, Kevin Spicer wrote:
> > clamscan ${YOUR_OPTIONS} --stdout | grep -v OK | mail -s "Clamscan results" [EMAIL PROTECTED]
>
> Achieve the same thing by including -i or --infected in ${YOUR_OPTIONS}
>

You know, I thought that there was an option that did that - but couldn't find it in the man page. I thought it was that I had an old version, but I just upgraded to 20030829 and it's still missing. Perhaps someone could add it.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
Re: [Clamav-users] Worm.Gibe.F
Hi,

Thomas Lamy wrote:
> when was the db updated for Worm.Gibe.F? I had it slip through 2
> independent servers, one of them updates every hour...

As far as I know, a couple of days ago. I'm not seeing anything get through here, running 0.60 here.

Actually, that's not true. I did see one slip through, but with a blank attachment, so of course it wasn't detected.

Regards,
Rick
Re: [Clamav-users] RE: UPDATE81.exe getting thru
On Friday 19 September 2003 11:23 pm, W.D. McKinney wrote:
> On Fri, 2003-09-19 at 13:51, Jesse Guardiani wrote:
> > Kevin Hanser wrote:
> > > Yes, I received a couple of these this morning, one with an attachment
> > > called Update53.exe, and another w/an attachment called Install932.exe.
> > >
> > > I'm assuming this is the new "Swen" virus I have recently heard about?
> >
> > Yes, also Gibe-F apparently. But ClamAV's current virus def for
> > Worm.Gibe.F seems to be faulty because it only catches about 50% of my
> > Gibe-F viruses...
>
> Is there a good way to stop this with clamav ? We like its implementation
> but this is not cool.

Please send me an example of a file which ClamAV does not detect so I can compare it against some other antivirus products.

Regards,

Antony.
--
If the human brain were so simple that we could understand it, we'd be so simple that we couldn't.
Re: [Clamav-users] Worm.Gibe.F
On Friday 19 September 2003 7:09 am, Thomas Lamy wrote:
> Hi,
>
> when was the db updated for Worm.Gibe.F? I had it slip through 2
> independent servers, one of them updates every hour...

Yesterday 16:31:55 GMT

Antony.
--
"Note: Windows 98, Windows 98SE and Windows 95 are not affected by [MS Blaster]. However, these products are no longer supported. Users of these products are strongly encouraged to upgrade to later versions." (which are affected by MS Blaster...)
http://www.microsoft.com/security/security_bulletins/ms03-026.asp
Re: [Clamav-users] RE: UPDATE81.exe getting thru
On Friday 19 September 2003 11:23 pm, W.D. McKinney wrote:
> On Fri, 2003-09-19 at 13:51, Jesse Guardiani wrote:
> > Kevin Hanser wrote:
> > > Yes, I received a couple of these this morning, one with an attachment
> > > called Update53.exe, and another w/an attachment called Install932.exe.
> > >
> > > I'm assuming this is the new "Swen" virus I have recently heard about?
> >
> > Yes, also Gibe-F apparently. But ClamAV's current virus def for
> > Worm.Gibe.F seems to be faulty because it only catches about 50% of my
> > Gibe-F viruses...
>
> Is there a good way to stop this with clamav ? We like its implementation
> but this is not cool.

Looks like these are empty files with suspicious filenames. No viral content, hence not detected by ClamAV.

If anyone has a non-zero-length example of Gibe.F (or Swen) which is not detected by ClamAV, please send me a copy.

Regards,

Antony.
--
It's beautiful, man, beautiful. It's enough to make me merely hate BIND rather than loathe it with every fibre of my being.
- David Cantrell
Re: [Clamav-users] Email results
On Friday 19 September 2003 8:11 am, Kevin Spicer wrote:
> On Thu, 2003-09-18 at 23:30, Antony Stone wrote:
> > On Thursday 18 September 2003 10:58 pm, Kevin Spicer wrote:
> > > clamscan ${YOUR_OPTIONS} --stdout | grep -v OK | mail -s "Clamscan results" [EMAIL PROTECTED]
> >
> > Achieve the same thing by including -i or --infected in ${YOUR_OPTIONS}
>
> You know, I thought that there was an option that did that - but
> couldn't find it in the man page.

Try clamscan --help

Antony.
--
I love deadlines. I love the whooshing noise they make as they go by.
- Douglas Noel Adams
Re: [Clamav-users] Worm.Gibe.F
At 06:39 PM 9/19/03 -0400, Rick Macdougall wrote:
> Hi,
>
> Thomas Lamy wrote:
> > when was the db updated for Worm.Gibe.F? I had it slip through 2
> > independent servers, one of them updates every hour...
>
> As far as I know, a couple of days ago. I'm not seeing anything get
> through here, running 0.60 here.
>
> Actually, that's not true. I did see one slip through, but with a blank
> attachment, so of course it wasn't detected.
>
> Regards,
> Rick

Not seen anything slip through here either - we trap all .exe and other executables even with the use of ClamAV and there is nothing in the antivirus folder/mailbox.

Will be watching though!

JPP
ePaxsys Technical Support
ePaxsys, Inc. http://www.epaxsys.net
FRWS: http://www.frws.com
Live Text Support: http://www.epaxsys.net/live-help
RE: [Clamav-users] RE: UPDATE81.exe getting thru
> -----Original Message-----
> From: Jesse Guardiani [mailto:[EMAIL PROTECTED]
> Sent: 19. september 2003 23:51
> To: [EMAIL PROTECTED]
> Subject: [Clamav-users] RE: UPDATE81.exe getting thru
>
> Kevin Hanser wrote:
>
> > Yes, I received a couple of these this morning, one with an attachment
> > called Update53.exe, and another w/an attachment called Install932.exe.
> >
> > I'm assuming this is the new "Swen" virus I have recently heard about?
>
> Yes, also Gibe-F apparently. But ClamAV's current virus def for Worm.Gibe.F
> seems to be faulty because it only catches about 50% of my Gibe-F viruses...
>

There is nothing wrong with the current Worm.Gibe.F signature.

There are currently many e-mail samples that contain no binary attachment (0 byte) - this might be due to some bug in the virus or a virus scanner that is "stripping" the offending part in an infected e-mail passing through it.

Since the binary is completely missing it's difficult to create a signature that will catch the "damaged" versions of Gibe.F.

Best regards,
Diego d'Ambra
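The zero-byte attachment case described in this thread can be separated from real signature misses before anyone blames the database. The following is an added example, not code from the list or from the ClamAV project; the extension list, the verdict names and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Assumption of this example: which extensions count as "executable".
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat"}


def classify_attachments(raw_message: bytes):
    """Return (filename, decoded_size, verdict) for every named MIME part.

    Verdicts (names invented for this example):
      "empty-executable"  executable-looking name but 0 bytes of content, so a
                          content signature has nothing to match
      "scan"              executable-looking name with content: give it to the
                          scanner, and report it if the scanner says clean
      "other"             any other named attachment
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    results = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if not name:
            continue  # message body or unnamed part
        # decode=True undoes base64/quoted-printable so the real size is measured
        payload = part.get_payload(decode=True) or b""
        ext = PurePosixPath(name.lower()).suffix
        if ext not in EXECUTABLE_EXTS:
            verdict = "other"
        elif len(payload) == 0:
            verdict = "empty-executable"
        else:
            verdict = "scan"
        results.append((name, len(payload), verdict))
    return results


def build_constructed_sample() -> bytes:
    """Constructed message: one stripped attachment, one with harmless bytes."""
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content("constructed body text")
    m.add_attachment(b"", maintype="application", subtype="octet-stream",
                     filename="Update53.exe")
    m.add_attachment(b"not a real binary", maintype="application",
                     subtype="octet-stream", filename="Install932.exe")
    m.add_attachment(b"hello", maintype="application", subtype="pdf",
                     filename="notes.pdf")
    return m.as_bytes()


if __name__ == "__main__":
    for name, size, verdict in classify_attachments(build_constructed_sample()):
        print(f"{name:16} {size:4d} bytes  {verdict}")
```

Only parts classified as "scan" that the scanner passes as clean are candidates for a missed-signature report; "empty-executable" parts can still be rejected by a filename policy such as the one JPP describes.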
[Clamav-users] Re: [Clamav-virusdb] email submission for viruses?
On Friday 19 September 2003 3:47 pm, Bennett Todd wrote:
> 2003-09-19T10:07:54 [EMAIL PROTECTED]:
> > NOTE: This is no longer the suggested method for submitting virus
> > samples. Please visit http://clamav.sourceforge.net/cgi-bin/sendvirus.cgi
> > and read the news.
> > This mail address will become inactive very soon, so please STOP using
> > it!
>
> I got this when I emailed a sample to <[EMAIL PROTECTED]>,
> the email address on the above-cited web page.
>
> Is this message bogus?

No, it is not.

> Is the email address changing to something else?

No, it is not.

> Or is email submission about to be eliminated?

Yes, it is.

> If people wanting to submit malware are going to have to fire up a
> web browser that can do file uploads, fill out a form, and send it
> off, it's possible you might get fewer samples.

That's possible, yes - we'll have to see.

> For sure, you won't get any more from me.

How many have you submitted so far (just wondering what level of contribution we might be missing out on)?

Regards,

Antony.
--
You can spend the whole of your life trying to be popular, but at the end of the day the size of the crowd at your funeral will be largely dictated by the weather.
- Frank Skinner
[Clamav-users] clamav-milter+sendmail-8.12.9
Hi!

I have a problem that several (hundred) clamav-milter processes keep on running. They just seem to be left without data. This of course happened overnight.

Is this an issue which is (probably) already known? I have been following this list, but haven't seen anybody else have a problem like this.

Or does this mean that clamd has hung (for some reason)? There is one entry like this (mail.log):

Sep 18 04:17:10 mega clamav-milter[14321]: Expected port information from clamd, got 'Session(1): Time out ERROR '
Sep 18 04:17:10 mega sm-mta[14312]: h8I1FXBF014312: Milter: from=<>, reject=451 4.7.1 Please try again later

I'm using
debian 3.0
clamav-20030829, with milter enabled
sendmail-8.12.9

I get a lot of these errors in mail.log:

Sep 19 08:14:01 mega sm-mta[25878]: h8J5A1BD025878: Milter (clmilter): timeout before data read
Sep 19 08:14:01 mega sm-mta[25878]: h8J5A1BD025878: Milter (clmilter): to error state

I am using this configuration (.mc file):

INPUT_MAIL_FILTER(`clmilter', `S=local:/var/run/clmilter.sock,F=,T=S:4m;R:4m')
define(`confINPUT_MAIL_FILTERS', `clmilter')dnl

I get no error messages from clamd.

--
Tommi Rintala   phone: 044-767 7770
WasaLab Oy      web: http://www.wasalab.fi/
PL 365          visiting address: Wolffintie 36 F2
65101 VAASA     65200 VAASA
Re: [Clamav-users] now what??????
* Thomas Kinghorn <[EMAIL PROTECTED]> [20030919 23:32]: wrote:
> Hi List.
>
> Can anyone point me in the right direction with this error in the mainlog
> file of exim.
>
> 2003-09-19 15:07:51 1A0KzC-FK-Lt malware acl condition: clamd: connection to 127.0.0.1, port 3310 failed (Bad file descriptor)
>

Looks like your clamd died!!!

-Wash
--
Odhiambo Washington <[EMAIL PROTECTED]>
Wananchi Online Ltd. www.wananchi.com
Tel: +254 2 313985-9 +254 2 313922
GSM: +254 72 743223 +254 733 744121
"The box said 'Requires Windows 95, NT, or better,' so I installed FreeBSD."
This sig is McQ! :-)

"Gee, Toto, I don't think we are in Kansas anymore."
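Whether clamd has died (this thread) or is running but hung (the question in the clamav-milter thread above) can be checked directly. The following is an added example, not code from the list or from the ClamAV or exim projects: it pulls the failing endpoint out of exim mainlog lines like the one quoted here and sends clamd's PING command, to which a healthy daemon replies PONG. The function names, status strings and the second sample log line are assumptions of this example.

```python
import re
import socket

# Matches the exim mainlog error quoted in this thread.
CLAMD_FAIL = re.compile(
    r"malware acl condition: clamd: connection to ([^,\s]+), port (\d+) "
    r"failed \((.*)\)"
)


def failed_endpoints(log_lines):
    """Return unique (host, port, reason) tuples found in exim mainlog lines."""
    seen = []
    for line in log_lines:
        m = CLAMD_FAIL.search(line)
        if m:
            item = (m.group(1), int(m.group(2)), m.group(3))
            if item not in seen:
                seen.append(item)
    return seen


def clamd_ping(host="127.0.0.1", port=3310, timeout=5.0):
    """Probe clamd over TCP.

    Returns "up" (replied PONG), "down" (nothing is listening) or
    "unhealthy" (connected, but timed out or sent an unexpected reply).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"PING\n")
            reply = s.recv(64)
    except ConnectionRefusedError:
        return "down"
    except OSError:  # includes socket.timeout and unreachable hosts
        return "unhealthy"
    return "up" if reply.strip() == b"PONG" else "unhealthy"


def triage(log_lines, timeout=5.0):
    """Map every endpoint that exim reported as failing to its current status."""
    return {
        (host, port): clamd_ping(host, port, timeout)
        for host, port, _reason in failed_endpoints(log_lines)
    }


# First line is the one quoted in this thread; the second is constructed.
SAMPLE_LOG = [
    "2003-09-19 15:07:51 1A0KzC-FK-Lt malware acl condition: clamd: "
    "connection to 127.0.0.1, port 3310 failed (Bad file descriptor)",
    "2003-09-19 15:08:02 constructed line with no clamd error",
]

if __name__ == "__main__":
    for endpoint, status in triage(SAMPLE_LOG).items():
        print(endpoint, status)
```

A result of "down" matches the diagnosis given above; "unhealthy" points at a daemon that still accepts connections but no longer answers, which is the state that leaves milter processes waiting until their timeout.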