[Clamav-users] make error
Hi list.

I am using Redhat 8, exim-4.22, SA-2.55 & clamav-0.60.
I have performed configure, make & make install.

When I type clamd, I get the error below:

LibClamAV Error: cl_loaddbdir(): Can't open directory /var/lib/clamav

Any ideas as to what went wrong would be appreciated.

Regards,
Tom Kinghorn

---
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users
RE: [Clamav-users] Permissions denied
When starting clamd, I am getting errors in my /var/log/clamav.log.

+++ Started at Mon Sep 22 07:11:48 2003
Log file size limited to 1048576 bytes.
Running as user qmailq (UID 1006, GID 1003)
Reading databases from /usr/local/share/clamav
Protecting against 7846 viruses.
ERROR: bind() error: Permission denied

I am running clamav as qmailq. Here are the permissions on files:

-rw-r--r--  1 qmailq  qmail   1215 Sep 22 07:11 /var/log/clamd.log
-rw-r--r--  1 qmailq  qmail   5585 Sep 22 07:12 /var/log/freshclam.log
-r-xr-xr-x  1 root    wheel  22132 Sep 21 19:00 /usr/local/bin/clamdscan
-r-xr-xr-x  1 root    wheel  34708 Sep 21 19:00 /usr/local/bin/clamscan
-r-xr-xr-x  1 root    wheel  33548 Sep 21 19:00 /usr/local/sbin/clamd

Am I missing anything?

Thanks!

- Jeff
[Clamav-users] RE: clamd and daemontools
Bastiaan van der Put wrote:

> Hi,
>
> I tried it...
>
> doesn't it : defunct?
>
> [clamd ]
>
> also svc -d doesn't stop clamd?

Please read this thread:

http://news.gmane.org/onethread.php?group=gmane.comp.security.virus.clamav.user&root=%3C689CD4F4-E482-11D7-9771-000393DC8E02%40oakley.nyi.net%3E

For a complete clamd/daemontools install solution.

--
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v) 423-559-5145 (f)
http://www.wingnet.net
[Clamav-users] clamav-devel-20030922
Why is it that clamav-devel-20030922 does not install if there is no viruses.db in /path/to/clamav ?

Isn't it just supposed to create some defaults???

-Wash

--
Odhiambo Washington   <[EMAIL PROTECTED]>  "The box said 'Requires
Wananchi Online Ltd.  www.wananchi.com      Windows 95, NT, or better,'
Tel: +254 2 313985-9  +254 2 313922         so I installed FreeBSD."
GSM: +254 72 743223   +254 733 744121       This sig is McQ!  :-)

I've given up reading books; I find it takes my mind off myself.
RE: [Clamav-users] Permissions denied
At 08:52 22/09/2003 -0500, you wrote:

> ERROR: bind() error: Permission denied

This permission denied error is a result of an attempt to bind to a local or TCP socket. If you're using a Unix Domain Socket, check the LocalSocket entry in your clamav.conf file. You'll need to ensure that the location specified can be written to by the user who is running clamd (in your case qmailq)

Cheers,

Joel

=> Joel Sing | [EMAIL PROTECTED] | 0419 577 603 <=

"I'm not worried about Artificial Intelligence, when they invent Artificial Stupidity, then I'll be scared. I'm sorry Dave, I don't feel like doing that." ~Unknown
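The check described in this reply, as an added example (not ClamAV code): bind() on a Unix domain socket creates the socket file, so the account clamd runs as needs write and search permission on the directory that LocalSocket points into. The sample configuration and socket path are constructed, the UID/GID are the ones from the log in the question, and supplementary groups and ACLs are ignored.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Constructed clamav.conf-style sample; the socket path is an assumption. */
static const char SAMPLE_CONF[] =
    "# constructed sample\n"
    "LogFile /var/log/clamd.log\n"
    "#LocalSocket /tmp/clamd\n"
    "LocalSocket /var/run/clamav/clamd.sock\n"
    "User qmailq\n";

/* Copy the value of the first active (uncommented) LocalSocket line into out.
 * Returns 1 if found, 0 otherwise. */
int find_local_socket(const char *conf, char *out, size_t cap)
{
    const char *p = conf;
    while (*p) {
        size_t len = strcspn(p, "\n");
        const char *end = p + len, *s = p;
        while (s < end && (*s == ' ' || *s == '\t')) s++;
        if ((size_t)(end - s) > 11 && strncmp(s, "LocalSocket", 11) == 0 &&
            (s[11] == ' ' || s[11] == '\t')) {
            const char *v = s + 11;
            size_t n;
            while (v < end && (*v == ' ' || *v == '\t')) v++;
            n = (size_t)(end - v);
            while (n > 0 && (v[n - 1] == ' ' || v[n - 1] == '\t' || v[n - 1] == '\r')) n--;
            if (n == 0 || n >= cap) return 0;
            memcpy(out, v, n);
            out[n] = '\0';
            return 1;
        }
        p = end;
        if (*p == '\n') p++;
    }
    return 0;
}

/* Directory part of a path: "/var/run/x.sock" -> "/var/run", "/x.sock" -> "/". */
void parent_dir(const char *path, char *out, size_t cap)
{
    const char *slash = strrchr(path, '/');
    size_t n;
    if (slash == NULL) { snprintf(out, cap, "."); return; }
    n = (slash == path) ? 1 : (size_t)(slash - path);
    if (n >= cap) n = cap - 1;
    memcpy(out, path, n);
    out[n] = '\0';
}

/* Classic owner/group/other evaluation: creating an entry in a directory
 * needs both write (w) and search (x) permission on it. */
int may_create_entry(mode_t mode, uid_t owner, gid_t group, uid_t uid, gid_t gid)
{
    mode_t need_w, need_x;
    if (uid == 0) return 1;                      /* root bypasses mode bits */
    if (uid == owner)      { need_w = S_IWUSR; need_x = S_IXUSR; }
    else if (gid == group) { need_w = S_IWGRP; need_x = S_IXGRP; }
    else                   { need_w = S_IWOTH; need_x = S_IXOTH; }
    return (mode & need_w) != 0 && (mode & need_x) != 0;
}

/* Directory that must be writable, or NULL if no LocalSocket is configured. */
const char *socket_dir_from_conf(const char *conf)
{
    static char path[512], dir[512];
    if (!find_local_socket(conf, path, sizeof path)) return NULL;
    parent_dir(path, dir, sizeof dir);
    return dir;
}

/* 1 = bind() can create the socket, 0 = permission denied, -1 = cannot tell. */
int check_socket_dir(const char *conf, uid_t uid, gid_t gid)
{
    struct stat st;
    const char *dir = socket_dir_from_conf(conf);
    if (dir == NULL || stat(dir, &st) != 0 || !S_ISDIR(st.st_mode)) return -1;
    return may_create_entry(st.st_mode, st.st_uid, st.st_gid, uid, gid);
}

int main(void)
{
    /* UID 1006 / GID 1003: the qmailq account from the clamd log above. */
    int r = check_socket_dir(SAMPLE_CONF, 1006, 1003);
    printf("socket directory: %s\n", socket_dir_from_conf(SAMPLE_CONF));
    printf("result: %s\n", r == 1 ? "bind() can create the socket"
                         : r == 0 ? "bind() would fail: Permission denied"
                                  : "directory missing or not a directory");
    return 0;
}
```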
RE: [Clamav-users] RE: UPDATE81.exe getting thru
Hmmm, I think you are right. I didn't notice the 0 length file originally, as outlook had blocked the attachment. I can't remember how to make outlook show me these files, so I forwarded the message to another account. Outlook warned me that the attachment might be unsafe and blah blah and I said yes to do it anyway. When the email arrived on the other end it doesn't list the .exe as an attachment. (If I look @ the source, it's still there in the MIME headers).

So it looks like you're right, the attachment is 0 length.

Thx

k

-----Original Message-----
From: Antony Stone [mailto:[EMAIL PROTECTED]
Sent: Saturday, September 20, 2003 12:29
To: [EMAIL PROTECTED]
Subject: Re: [Clamav-users] RE: UPDATE81.exe getting thru

The zero-length attachments on Gibe.F emails I've seen so far have all had .exe extensions, so they get blocked by my server (although for a different reason) just the same as the real ones.
RE: [Clamav-users] Permissions denied
Is it just a directory that the clamd daemon writes to? Or is it a file?

-----Original Message-----
From: Joel Sing [mailto:[EMAIL PROTECTED]
Sent: Monday, September 22, 2003 9:34 AM
To: [EMAIL PROTECTED]
Subject: RE: [Clamav-users] Permissions denied

At 08:52 22/09/2003 -0500, you wrote:

>ERROR: bind() error: Permission denied

This permission denied error is a result of an attempt to bind to a local or TCP socket. If you're using a Unix Domain Socket, check the LocalSocket entry in your clamav.conf file. You'll need to ensure that the location specified can be written to by the user who is running clamd (in your case qmailq)

Cheers,

Joel

=> Joel Sing | [EMAIL PROTECTED] | 0419 577 603 <=

"I'm not worried about Artificial Intelligence, when they invent Artificial Stupidity, then I'll be scared. I'm sorry Dave, I don't feel like doing that." ~Unknown
[Clamav-users] Swen
Hello,

I'm receiving many messages with an attached file saying that is from Microsoft Corporation.

I think it should be the Swen virus.
Should I send these files to someone to analyse it and make the vaccine?

Ronan
Re: [Clamav-users] Clamd and logrotate
Tomasz Kojm wrote:

Clamd doesn't handle SIGHUP signal to reopen log file, so cooperation with logrotate is poor.

This should be easy to fix it, ask Tomasz about it.

Oh Kristof, I completely forgot about it. Will fix it on Friday.

Done. I'm updating CVS right now.

On CVS-20030918 it doesn't working. New file is not created and logging continues to old file.

Petr

Mon Sep 22 08:02:53 2003 -> SelfCheck: Integrity OK
Mon Sep 22 09:02:59 2003 -> SelfCheck: Database status OK.
Mon Sep 22 09:02:59 2003 -> SelfCheck: Integrity OK
Mon Sep 22 09:37:01 2003 -> SIGHUP catched: log file re-opened.
Mon Sep 22 09:37:01 2003 -> ERROR: accept() failed.
Mon Sep 22 10:03:06 2003 -> SelfCheck: Database status OK.
Mon Sep 22 10:03:06 2003 -> SelfCheck: Integrity OK
Mon Sep 22 10:27:33 2003 -> SIGHUP catched: log file re-opened.
Mon Sep 22 10:27:33 2003 -> ERROR: accept() failed.
Mon Sep 22 10:30:44 2003 -> SIGHUP catched: log file re-opened.
Mon Sep 22 10:30:44 2003 -> ERROR: accept() failed.
Mon Sep 22 10:36:57 2003 -> SIGHUP catched: log file re-opened.
Mon Sep 22 10:36:57 2003 -> ERROR: accept() failed.
Mon Sep 22 10:41:52 2003 -> SIGHUP catched: log file re-opened.
Mon Sep 22 10:41:52 2003 -> ERROR: accept() failed.
Mon Sep 22 10:43:16 2003 -> SIGHUP catched: log file re-opened.
Mon Sep 22 10:43:16 2003 -> ERROR: accept() failed.
Mon Sep 22 11:03:12 2003 -> SelfCheck: Database status OK.
Mon Sep 22 11:03:12 2003 -> SelfCheck: Integrity OK
Re: [Clamav-users] Swen
On Mon, 22 Sep 2003 at 13:50:57 -0300, Ronan Lucio wrote:

> Hello,
>
> I'm receiving many messages with an attached file saying
> that is from Microsoft Corporation.
>
> I think it should be the Swen virus.
> Should I send these files to someone to analyse it and
> make the vaccine?
>
> Ronan

Oh, no, please don't do it.

ClamAV has the signature for Swen (it's alias of Gibe.F) for a couple of days yet. Still, users submit samples, which makes a mess :-( .

Folks, please, always make sure that you've got the current database before submitting a sample. When so, and ClamAV doesn't detect a virus in obviously infected file, then submit a sample, not earlier.

--
Tomasz Papszun   SysAdm @ TP S.A. Lodz, Poland  | And it's only
[EMAIL PROTECTED]   http://www.lodz.tpsa.pl/    | ones and zeros.
[Clamav-users] running for qmail
Hi,

Does anyone have an idea if it is possible to use clamav directly from a dot-qmail file or maybe with maildrop (i.e. without using any virus handler)?

Can someone hint on this? I have user level access to the system.

With warm regards,
-Payal

--
For GNU/Linux Success Stories and Articles visit: http://payal.staticky.com
Re: [Clamav-users] appledouble
On Sunday 21 Sep 2003 8:50 pm, Flinn Mueller wrote:

> LibClamAV Warning: Unsupported multipart format `appledouble'

Appledouble is covered by RFC1740. I understand it to be used to transport BinHex files.

> Any plan on supporting this type of format?

I'll have a look into it.

> Regards,
> Flinn

-Nigel

--
Nigel Horne. Arranger, Composer, Conductor, Typesetter.
Owner of the brass band group of the Internet. ICQ#20252325
[EMAIL PROTECTED] http://www.bandsman.co.uk/music.htm
[Clamav-users] clam 20030922 and clamav-milter
Why clam and clamav-milter with newest base don't detect gibe-f virus?

Jacol
Re: [Clamav-users] Swen
Tomasz,

> Oh, no, please don't do it.
>
> ClamAV has the signature for Swen (it's alias of Gibe.F) for a couple of
> days yet.

So, I think it should not be working properly because I received some viruses today morning and the viruses database is updated 2 times a day.

Ronan
Re: [Clamav-users] Swen
On Monday 22 September 2003 5:50 pm, Ronan Lucio wrote:

> Hello,
>
> I'm receiving many messages with an attached file saying
> that is from Microsoft Corporation.
>
> I think it should be the Swen virus.
> Should I send these files to someone to analyse it and
> make the vaccine?

These also appear to be zero length files - no virus present, nothing to analyse.

Antony.

--
Most people have more than the average number of legs.
Re: [Clamav-users] Swen
On Mon, 22 Sep 2003 at 14:43:24 -0300, Ronan Lucio wrote:

> Tomasz,
>
> > Oh, no, please don't do it.
> >
> > ClamAV has the signature for Swen (it's alias of Gibe.F) for a couple of
> > days yet.
>
> So, I think it should not be working properly because I received
> some viruses today morning and the viruses database is updated
> 2 times a day.
>
> Ronan

Just to make sure: please zip it with password "virus" and send it to my address in the sig below.

--
Tomasz Papszun   SysAdm @ TP S.A. Lodz, Poland  | And it's only
[EMAIL PROTECTED]   http://www.lodz.tpsa.pl/    | ones and zeros.
Re: [Clamav-users] Swen
Tomasz,

> Just to make sure: please zip it with password "virus" and send it to my
> address in the sig below.

Sorry, it was my mistake.
As Antony said. The files had 0 Kb of size.

So, it's supposed to not contain virus.

BTW, I don't know why do these files have size 0 Kb, since ClamAV doesn't remove the viruses.

Anyway, It don't be Clam's blame.

Thanks
Ronan
[Clamav-users] Better informations
I also could detect that ClamAV is catching Gibe virus since Sep/19:

2003-09-18 (Exploit.IFrame.Gen) = 17
2003-09-18 (JS.FortNight.2) = 3
2003-09-18 (Joke.Schmilz) = 2
2003-09-18 (Trojan.Dropper.C) = 48
2003-09-18 (W32/Magistr.A) = 1
2003-09-18 (W97M/[EMAIL PROTECTED]) = 1
2003-09-18 (Worm.BugBear.B) = 9
2003-09-18 (Worm.Gibe.F) = 2
2003-09-18 (Worm/Klez.H) = 16
2003-09-19 (Exploit.IFrame.Gen) = 64
2003-09-19 (JS.FortNight.2) = 2
2003-09-19 (JS/Fortnight.B.1) = 1
2003-09-19 (Trojan.Dropper.C) = 32
2003-09-19 (W32/Magistr.B) = 1
2003-09-19 (W32/Magistr.B1) = 1
2003-09-19 (Worm.BugBear.B) = 4
2003-09-19 (Worm.Gibe.F) = 125
2003-09-19 (Worm.Holar-H) = 2
2003-09-19 (Worm.Sobig.F) = 1
2003-09-19 (Worm/Klez.H) = 14
2003-09-20 (Exploit.IFrame.Gen) = 59
2003-09-20 (JS.FortNight.2) = 1
2003-09-20 (JS/Fortnight.B.1) = 5
2003-09-20 (Trojan.Dropper.C) = 6
2003-09-20 (W32/Magistr.B) = 1
2003-09-20 (W95/Hybris.PI.002) = 1
2003-09-20 (Worm.BugBear.B) = 4
2003-09-20 (Worm.Gibe.F) = 113
2003-09-20 (Worm/Klez.H) = 8
2003-09-21 (Exploit.IFrame.Gen) = 52
2003-09-21 (JS.FortNight.2) = 1
2003-09-21 (Trojan.Dropper.C) = 11
2003-09-21 (W97/Marker) = 1
2003-09-21 (Worm.BugBear.B) = 3
2003-09-21 (Worm.Gibe.F) = 106
2003-09-21 (Worm.Sobig.F) = 1
2003-09-21 (Worm/Klez.H) = 7
2003-09-22 (Exploit.IFrame.Gen) = 109
2003-09-22 (JS.FortNight.2) = 1
2003-09-22 (JS/Fortnight.B.1) = 1
2003-09-22 (Trojan.Dropper.C) = 88
2003-09-22 (Worm.BugBear.B) = 2
2003-09-22 (Worm.Gibe.F) = 252
2003-09-22 (Worm/Klez.H) = 9

Regards,
Ronan
[Clamav-users] clamscan chokes on this email
hi!

live virus sample in: http://rana.dyndns.org/mbox.txt

i'm using clamscan version 20030829, and when i do 'clamscan --mbox' on the aforementioned, i get:

clamscan: message.c:739: decodeLine: Assertion `strlen(line) <= 76' failed.
Aborted

it seems that the encoding has one corrupt line (one additional char at the end of one line). Nonetheless, Outlook Express happily delivers an infected executable. Once extracted, the executable is detected by clamscan as Worm.Gibe.F

regards,
René
Re: [Clamav-users] Swen
On Mon, 22 Sep 2003 at 15:13:27 -0300, Ronan Lucio wrote:

> Tomasz,
>
> > Just to make sure: please zip it with password "virus" and send it to my
> > address in the sig below.
>
> Sorry, it was my mistake.
> As Antony said. The files had 0 Kb of size.
>
> So, it's supposed to not contain virus.
>
> BTW, I don't know why do these files have size 0 Kb, since
> ClamAV doesn't remove the viruses.

Some possible reasons are:
- the virus may not work "correctly" and may sometimes send empty attachment,
- these may be remnants (fragments) left by some improperly configured AV scanners which empty (makes size=0) infected attachment but forward the rest of a message. Though I'm not sure of this.

> Anyway, It don't be Clam's blame.

Nice to hear it :-) .

--
Tomasz Papszun   SysAdm @ TP S.A. Lodz, Poland  | And it's only
[EMAIL PROTECTED]   http://www.lodz.tpsa.pl/    | ones and zeros.
[Clamav-users] clamav-devel much more stable
FYI: I am running clamav-devel on our mail gateway for more than three days without a single problem. It finally seems to become a more stable piece of software.

I run it on OpenBSD 3.3 sparc64.

- mb
Re: [Clamav-users] clamscan chokes on this email
On Mon, 2003-09-22 at 19:40, René Bellora wrote:

> hi!
>
> live virus sample in: http://rana.dyndns.org/mbox.txt
>
> i'm using clamscan version 20030829, and when i do 'clamscan --mbox'
> on the aforementioned, i get:
>
> clamscan: message.c:739: decodeLine: Assertion `strlen(line) <= 76' failed.
> Aborted
>
> it seems that the encoding has one corrupt line (one additional char at the end of
> one line). Nonetheless, Outlook
> Express happily delivers an infected executable. Once extracted, the
> executable is detected by clamscan as Worm.Gibe.F

I'm running the same version and

$ clamscan -V
clamscan / ClamAV version 20030829

$ wget http://rana.dyndns.org/mbox.txt
20:38:51 (12.50 KB/s) - `mbox.txt' saved [145294/145294]

$ clamscan mbox.txt
mbox.txt: Exploit.IFrame.Gen FOUND

--- SCAN SUMMARY ---
Known viruses: 9641
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.12 MB
I/O buffer size: 131072 bytes
Time: 0.200 sec (0 m 0 s)

$ clamscan -m mbox.txt
clamscan: message.c:739: decodeLine: Assertion `strlen(line) <= 76' failed.
Aborted

but

$ ./clamav-devel-20030922/clamscan/clamscan -m mbox.txt
LibClamAV Warning: Illegal character <è> in base64 encoding
mbox.txt: Exploit.IFrame.Gen FOUND

--- SCAN SUMMARY ---
Known viruses: 9641
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
I/O buffer size: 131072 bytes
Time: 0.218 sec (0 m 0 s)

$ ./clamav-devel-20030922/clamscan/clamscan mbox.txt mbox.txt
LibClamAV Warning: Illegal character <è> in base64 encoding
mbox.txt: Worm.Gibe.F FOUND

--- SCAN SUMMARY ---
Known viruses: 9641
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.10 MB
I/O buffer size: 131072 bytes
Time: 0.235 sec (0 m 0 s)

so different results using different options and clamscan versions... with the exact same virus database.

Regards,
Miguel Dias

> regards,
> René
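The failure mode reported in this thread, as an added example (not ClamAV's message.c): a base64 line decoder that counts an over-long line and an illegal byte as anomalies and keeps decoding, so the attachment still reaches the signature scan instead of the scanner aborting on input that a mail client accepts. The sample lines are constructed ("TVqQ" decodes to the bytes 4D 5A 90) with one extra 0xE8 byte at the end of a 76-character line; all function and struct names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MIME_MAX_LINE 76   /* encoded line limit from RFC 2045 */

struct b64_state {
    unsigned int acc;      /* bit accumulator */
    int bits;              /* number of pending bits in acc (0, 2 or 4) */
    int done;              /* set once '=' padding has been seen */
    size_t skipped;        /* bytes outside the base64 alphabet that were ignored */
    size_t long_lines;     /* lines longer than MIME_MAX_LINE */
};

struct demo_result {
    int strict_ok;         /* would the asserted precondition have held? */
    long decoded;          /* bytes recovered by the tolerant decoder */
    size_t skipped;
    size_t long_lines;
    int starts_with_mz;    /* decoded data begins 4D 5A 90 */
};

/* 6-bit value of a base64 alphabet character, or -1 if it is not in the alphabet. */
static int b64_value(unsigned char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* The precondition from the assertion in the thread: strlen(line) <= 76. */
int line_within_rfc_limit(const char *line)
{
    return strlen(line) <= MIME_MAX_LINE;
}

/* Decode one encoded line into out. Over-long lines and illegal bytes are
 * recorded in st and skipped rather than treated as fatal. Returns the number
 * of bytes written, or -1 if out is too small. */
long b64_decode_line(struct b64_state *st, const char *line,
                     unsigned char *out, size_t cap)
{
    size_t n = 0, i, len = strcspn(line, "\r\n");

    if (len > MIME_MAX_LINE) st->long_lines++;
    for (i = 0; i < len && !st->done; i++) {
        unsigned char c = (unsigned char)line[i];
        int v;
        if (c == '=') { st->done = 1; break; }   /* padding ends the data */
        v = b64_value(c);
        if (v < 0) {
            if (c != ' ' && c != '\t') st->skipped++;
            continue;
        }
        st->acc = (st->acc << 6) | (unsigned int)v;
        st->bits += 6;
        if (st->bits >= 8) {
            if (n == cap) return -1;
            st->bits -= 8;
            out[n++] = (unsigned char)((st->acc >> st->bits) & 0xFF);
            st->acc &= (1u << st->bits) - 1u;    /* keep only the pending bits */
        }
    }
    return (long)n;
}

/* Build the constructed sample and run both checks over it. */
struct demo_result run_demo(void)
{
    char line1[128];
    unsigned char out[128];
    struct b64_state st = {0, 0, 0, 0, 0};
    struct demo_result r;
    size_t i;
    long a, b;

    for (i = 0; i < 19; i++) memcpy(line1 + 4 * i, "TVqQ", 4);  /* 76 chars */
    line1[76] = (char)0xE8;   /* the one additional, illegal character */
    line1[77] = '\0';

    r.strict_ok = line_within_rfc_limit(line1);
    a = b64_decode_line(&st, line1, out, sizeof out);
    b = b64_decode_line(&st, "TVo=", out + a, sizeof out - (size_t)a);
    r.decoded = a + b;
    r.skipped = st.skipped;
    r.long_lines = st.long_lines;
    r.starts_with_mz = (out[0] == 0x4D && out[1] == 0x5A && out[2] == 0x90);
    return r;
}

int main(void)
{
    struct demo_result r = run_demo();
    printf("strict precondition holds: %d\n", r.strict_ok);
    printf("decoded %ld bytes, %lu illegal byte(s) skipped, %lu over-long line(s)\n",
           r.decoded, (unsigned long)r.skipped, (unsigned long)r.long_lines);
    return 0;
}
```

The anomaly counters are worth logging or scoring in their own right: a malformed encoding that a client still decodes is a signal, not a reason to stop scanning.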
Re: [Clamav-users] clamav-devel much more stable
Just installed clamav-devel-20030922 myself.
Let's hope it's stable at my OpenBSD box as well :)

Wouter

Marc Balmer wrote:

> FYI: I am running clamav-devel on our mail gateway for more than three
> days without a single problem. It finally seems to become a more stable
> piece of software.
>
> I run it on OpenBSD 3.3 sparc64.
>
> - mb
RE: [Clamav-users] running for qmail
::Hi,
::Does anyone have an idea if it is possible to use clamav directly from
::a dot-qmail file or maybe with maildrop (i.e. without using any
::virus handler)?
::
::Can someone hint on this? I have user level access to the system.
::
::With warm regards,
::-Payal

Clamscan has no delivery mechanism so you have to use some type of maildir aware application, such as maildrop (like you mentioned).

I have written a shell script wrapper for clamscan (more specifically clamdscan/clamd) that I call from maildrop... If you want to see the maildrop script message me offline as it isn't 100% relevant to this list.

The wrapper is available at:

http://mail.ala.net/spam/

It is reasonably documented via comments and is highly FBSD specific with regard to file locations, and not terribly secure... I added some chmod and some other things to be somewhat secure... but I am by no means a program security expert.

It works for me, but I have heard from a friend that runs it in a linux environment that it doesn't work for him. I can't comment on the linux portability as I haven't had time to troubleshoot it for him. If you find that it doesn't work in Linux for you and are a hacker... make it work and I will include the changes in the original script.

Feel free to use it.

Tom Walsh
Network Administrator
http://www.ala.net/
[Clamav-users] LogSyslog not working?
Hi folks,

I've got clamd (from clamav-0.60) running fine on a FreeBSD 4.8 system. It's set up to log to a clamd.log file, which works fine. However, after uncommenting LogSyslog in clamav.conf and restarting clamd, I still am not seeing any log messages go to syslog.

Any ideas on why this wouldn't work? What facility/priority should it be using when it starts up or finds a virus?

Thanks.
Re: [Clamav-users] clamav-milter+sendmail-8.12.9
More information about the problem.

When I run the clamd with Debug options (and LogTime), I get this output to logfile. From the timestamps you can see, why I think this is a problem.

Mon Sep 22 10:23:08 2003 -> +++ Started at Mon Sep 22 10:23:08 2003
Mon Sep 22 10:23:08 2003 -> Log file size limited to 1048576 bytes.
Mon Sep 22 10:23:08 2003 -> Verbose logging activated.
Mon Sep 22 10:23:08 2003 -> Running as user clamav (UID 600, GID 600)
Mon Sep 22 10:23:08 2003 -> Reading databases from /opt/wasalab/share/clamav
Mon Sep 22 10:23:08 2003 -> Protecting against 9640 viruses.
Mon Sep 22 10:23:08 2003 -> Unix socket file /var/clamav/clamd.sock
Mon Sep 22 10:23:08 2003 -> Setting connection queue length to 15
Mon Sep 22 10:23:08 2003 -> Listening daemon: PID: 1126
Mon Sep 22 10:23:08 2003 -> Maximal number of threads: 5
Mon Sep 22 10:23:08 2003 -> Archive: Archived file size limit set to 10485760 bytes.
Mon Sep 22 10:23:08 2003 -> Archive: Recursion level limit set to 5.
Mon Sep 22 10:23:08 2003 -> Archive: Files limit set to 1000.
Mon Sep 22 10:23:08 2003 -> Archive support enabled.
Mon Sep 22 10:23:08 2003 -> Mail files support enabled.
Mon Sep 22 10:23:08 2003 -> ThreadWatcher: Started in process 1129
Mon Sep 22 10:23:08 2003 -> Self checking every 3600 seconds.
Mon Sep 22 10:23:09 2003 -> Timeout set to 180 seconds.
Mon Sep 22 10:23:09 2003 -> SelfCheck: Database status OK.
Mon Sep 22 10:23:09 2003 -> SelfCheck: Integrity OK
Mon Sep 22 10:27:02 2003 -> Session 1 stopped due to timeout.
Mon Sep 22 10:30:05 2003 -> Session 2 stopped due to timeout.
Mon Sep 22 10:33:11 2003 -> Session 1 stopped due to timeout.
Mon Sep 22 10:36:16 2003 -> stream: Worm.Gibe.F FOUND
Mon Sep 22 10:38:09 2003 -> Session 1 stopped due to timeout.
Mon Sep 22 10:41:12 2003 -> Session 2 stopped due to timeout.
Mon Sep 22 10:44:22 2003 -> Session 1 stopped due to timeout.
Mon Sep 22 10:47:28 2003 -> Session 0 stopped due to timeout.
Mon Sep 22 10:50:48 2003 -> Session 3 stopped due to timeout.
Mon Sep 22 10:52:16 2003 -> Session 0 stopped due to timeout.

And at this stage, the clamd is not accepting connections, or scanning mails

Currently I have updated to sendmail-8.12.10, because of the things found from previous sendmail. But the problem persists. I am also running spamassassin (and have tried without), which keeps running couple weeks without any problems.

Is there a way to get more debug output from the clamd, other than enabling the Debug -flag in configuration file?

yours,

--
Tommi Rintala   phone: 044-767 7770
WasaLab Oy      web: http://www.wasalab.fi/
PL 365          visiting address: Wolffintie 36 F2
65101 VAASA     65200 VAASA
[Clamav-users] Worm.Gibe.F
I have an updated database, however trashscan failed to detect an exe as the Worm.Gibe.F (which I verified clamav could see it using http://www.gietl.com/test-clamav/ (see below results)

"File is valid, and was successfully uploaded.
clamav scans the file ...
Clamav-Output:
/tmp/phpq0LapZ: Worm.Gibe.F FOUND
And found something: Worm.Gibe.F
Since clamav already recognizes the content you submitted there is no reason to resubmit it."

Also see the attached header info from the infected email... You can see the X-Virus-Scan: header showing the scanner did run. My scanner has detected Gibe.F before as well, which adds to my confusion...

% cat /var/log/clamav.log |grep -i gibe
/home/thrawn/tmp/TrashScan-18891/attach/INSTALLATION26.exe: Worm.Gibe.F FOUND
/home/thrawn/tmp/TrashScan-18935/attach/Update.exe: Worm.Gibe.F FOUND
/home/thrawn/tmp/TrashScan-20309/attach/installer169.exe: Worm.Gibe.F FOUND
/home/thrawn/tmp/TrashScan-25614/attach/Upgrade49.exe: Worm.Gibe.F FOUND
/home/thrawn/tmp/TrashScan-26054/attach/Installation.exe: Worm.Gibe.F FOUND

Ray Slakinski

Begin forwarded message:

From: "MS Internet System" <[EMAIL PROTECTED]>
Date: Mon Sep 22, 2003 3:52:40 PM Canada/Eastern
To: " " <[EMAIL PROTECTED]>
Subject: Message
Return-Path: <[EMAIL PROTECTED]>
Received: from ia-rad.interall.com.br (ia-rad.interall.com.br [200.246.5.21]) by core.sdf1.net (8.12.9/8.12.9) with ESMTP id h8MK9ZMs027865 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO) for <[EMAIL PROTECTED]>; Mon, 22 Sep 2003 16:09:38 -0400
Received: from vohujqiy (server.novacki.com.br [200.246.5.146]) by ia-rad.interall.com.br (8.12.8/8.12.8) with SMTP id h8MJqenL022845; Mon, 22 Sep 2003 16:52:42 -0300
Message-Id: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="huxfevza"
X-Virus-Scan: Scanned by TrashScan v0.08 running on core.sdf1.net
X-Spam-Status: No, hits=3.3 required=6.0 tests=FRIEND_AT_PUBLIC,HTML_50_60,MICROSOFT_EXECUTABLE, MIME_HTML_ONLY,MIME_SUSPECT_NAME,RCVD_IN_OSIRUSOFT_COM version=2.55
X-Spam-Level: ***
X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)
Status:
Re: [Clamav-users] clamav-milter+sendmail-8.12.9
Yes, the clamd is running, but something like this:

clamav   11691 11689  0 Sep17 ?        00:00:00 [clamd ]

--
Tommi Rintala   phone: 044-767 7770
WasaLab Oy      web: http://www.wasalab.fi/
PL 365          visiting address: Wolffintie 36 F2
65101 VAASA     65200 VAASA

On Sat, 20 Sep 2003, Nigel Horne wrote:

> On Friday 19 Sep 2003 6:41 am, Tommi Rintala wrote:
>
> > There is one entry like this (mail.log):
> >
> > Sep 18 04:17:10 mega clamav-milter[14321]: Expected port information from
> > clamd, got 'Session(1): Time out ERROR '
> > Sep 18 04:17:10 mega sm-mta[14312]: h8I1FXBF014312: Milter: from=<>,
> > reject=451 4.7.1 Please try again later
>
> Is clamd still running? I know you said you had no errors from it, but check with
> "ps -el | fgrep clam"
>
> -Nigel
>
> --
> Nigel Horne. Arranger, Composer, Typesetter.
> NJH Music, Barnsley, UK. ICQ#20252325
> [EMAIL PROTECTED] http://www.bandsman.co.uk
Re: [Clamav-users] make error
Hi Tom,

> When I type clamd, I get the error below:
>
> LibClamAV Error: cl_loaddbdir(): Can't open directory /var/lib/clamav
>
> Any ideas as to what went wrong would be appreciated.

It's looking for the virus signature databases (viruses.db and viruses.db2) - does /var/lib/clamav exist? If so, is it accessible to the user whom you're running 'clamd' as?

Additionally, you may have changed the install location either via the '--with-dbdir' option to configure or within the clamav.conf configuration file.

Hope this helps.

Cheers,

Joel

=> Joel Sing | [EMAIL PROTECTED] | 0419 577 603 <=

"I'm not worried about Artificial Intelligence, when they invent Artificial Stupidity, then I'll be scared. I'm sorry Dave, I don't feel like doing that." ~Unknown
[Clamav-users] Re: clamav-devel much more stable
I had issues today using (20030921) on 3.3 i386. Clamd became unresponsive, and I had to kill the process. I also had issues with freshclam crashing, which led to me patching freshclam so that it will run under daemontools. We are promised a stable release by the end of September, so hopefully I can get the port into the tree by 3.5 ;)

Regards,
Flinn

On Monday, September 22, 2003, at 02:59 PM, Marc Balmer wrote:

> FYI: I am running clamav-devel on our mail gateway for more than three
> days without a single problem. It finally seems to become a more stable
> piece of software.
>
> I run it on OpenBSD 3.3 sparc64.
>
> - mb
Re: [Clamav-users] clamd dies
In my next port I will release with variables (CLAMUSER and CLAMGROUP) specifically for users to set. The reason you have to chown a few things is because the install script has _clamd hardcoded into it. This will also change to CLAMUSER and CLAMGROUP.

Regards,
Flinn

On Tuesday, September 16, 2003, at 03:54 PM, Lynn Duerksen wrote:

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tomasz Kojm
Sent: Tuesday, September 16, 2003 10:23 AM
To: [EMAIL PROTECTED]
Subject: Re: [Clamav-users] clamd dies

I have not seen anyone with a solution so far for my Postfix-Spamassassin-Openbsd3.3-Amavisd-new setup. On the latest version freshclam even bombs now. Run the following script from crontab

Freshclam bombs ? Can't believe ;)

Although it does not happen as often as clamd on occasion it does need to be restarted. It had gone 11 days without needing restarting but this morning it needed restarting twice in 1 hour.

I still wonder if it has to do with running amavisd in chroot jail under user amavisd. Is there a guide somewhere for running it in chroot jail. I have gotten all kinds of advice from different sources and I usually have to do some tweaking of each to make it work. I know that the OpenBSD port has the user "_clamd" coded into the port. I modify the Makefile and set it to user amavisd but still have to come back and chown on some files and directories that were set to user "_clamd".

My log of restarts:

-- -- checkclam log grep "restarting" -- --
Sep 4 22:30:01 restarting clamd daemon
Sep 5 09:30:01 restarting clamd daemon
Sep 5 14:30:01 restarting freshclam daemon
Sep 5 15:00:01 restarting freshclam daemon
Sep 5 20:30:01 restarting clamd daemon
Sep 9 22:00:01 restarting clamd daemon
Sep 10 21:30:01 restarting clamd daemon
Sep 11 11:00:01 restarting clamd daemon
Sep 14 21:30:01 restarting clamd daemon
Sep 16 10:00:02 restarting freshclam daemon
Sep 16 10:30:01 restarting freshclam daemon
-- -- end checkclam log -- --

My clamav.conf settings

-- -- clamav.conf -- --
LogFile /var/amavisd/var/log/clamd.log
LogTime
LogVerbose
PidFile /var/run/clamd.pid
DataDirectory /var/amavisd/usr/local/share/clamav
LocalSocket /var/amavisd/clamd.sock
MaxConnectionQueueLength 30
MaxThreads 10
MaxDirectoryRecursion 15
User amavisd
ArchiveMaxFileSize 10M
ArchiveMaxRecursion 5
ArchiveMaxFiles 1000
-- -- end clamav.conf -- --
Re: [Clamav-users] running for qmail
On Mon, 22 Sep 2003 15:26:02 -0500 Tom Walsh wrote:

Hi Tom

[cut]
> I have written a shell script wrapper for clamscan (more specifically
> clamdscan/clamd) that I call from maildrop... If you want to see the
> maildrop script message me offline as it isn't 100% relevant to this
> list.
>
> The wrapper is available at:
>
> http://mail.ala.net/spam/

I get a permission denied error when I try to download from:

http://mail.ala.net/spam/clamscan.sh

--
Anand Buddhdev
http://anand.org

Re: [Clamav-users] Worm.Gibe.F
On Mon, 22 Sep 2003 at 16:28:51 -0400, Ray Slakinski wrote:
>
> I have an updated database, however trashscan failed to detect an exe
> as the Worm.Gibe.F (which I verified clamav could see it using
> http://www.gietl.com/test-clamav/ (see below results)
> [...]

Trashscan's config could be the reason. See a thread started with this message:

From: Mike Silbersack
Subject: [Clamav-users] One reason Gibe.F isn't being detected
Message-ID: <[EMAIL PROTECTED]>
Date: Sat, 20 Sep 2003 00:25:59 -0500 (CDT)

Replacing metamail with uudeview helped the sender.

--
Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only
[EMAIL PROTECTED] http://www.lodz.tpsa.pl/ | ones and zeros.

Re: [Clamav-users] Worm.Gibe.F
Switched to uudeview, let's see how that goes :) It's funny, if I forward the virus to another account clamav gets it... so I hope uudeview is the answer.

Ray

On Monday, September 22, 2003, at 04:48 PM, Tomasz Papszun wrote:

On Mon, 22 Sep 2003 at 16:28:51 -0400, Ray Slakinski wrote:

I have an updated database, however trashscan failed to detect an exe as the Worm.Gibe.F (which I verified clamav could see it using http://www.gietl.com/test-clamav/ (see below results) [...]

Trashscan's config could be the reason. See a thread started with this message:

From: Mike Silbersack
Subject: [Clamav-users] One reason Gibe.F isn't being detected
Message-ID: <[EMAIL PROTECTED]>
Date: Sat, 20 Sep 2003 00:25:59 -0500 (CDT)

Replacing metamail with uudeview helped the sender.

--
Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only
[EMAIL PROTECTED] http://www.lodz.tpsa.pl/ | ones and zeros.

RE: [Clamav-users] running for qmail
::I get a permission denied error when I try to download from:
::
::http://mail.ala.net/spam/clamscan.sh
::

Sorry about that... I copied over the latest version, and of course, didn't alter the permissions... Should be all set.

Tom Walsh

[Clamav-users] Trouble compiling clamav-milter...
Under RedHat 9, after

./configure --sysconfdir=/etc --enable-milter
make clean all

I got:

...
Making all in clamav-milter
make[1]: Entering directory `/usr/local/clamav-0.60/clamav-milter'
make[1]: Nothing to be done for `all'.
make[1]: Leaving directory `/usr/local/clamav-0.60/clamav-milter'
...

The 'all' target doesn't seem right. If I go to the clamav-milter directory and try:

make clamav-milter

I get:

make clamav-milter
/bin/sh ../libtool --mode=link gcc -g -O2 -o clamav-milter -L../libclamav -L/usr/lib/libmilter -lmilter -lpthread
gcc -g -O2 -o clamav-milter -L/usr/local/clamav-0.60/libclamav -L/usr/lib/libmilter -lmilter -lpthread
/usr/lib/gcc-lib/i386-redhat-linux/3.2.2/../../../crt1.o(.text+0x18): In function `_start':
../sysdeps/i386/elf/start.S:77: undefined reference to `main'
collect2: ld returned 1 exit status
make: *** [clamav-milter] Error 1

Any help?

thanx

[Clamav-users] Hello All
Hello

Re: [Clamav-users] running for qmail
On Mon, Sep 22, 2003 at 03:26:02PM -0500, Tom Walsh wrote:
>
> I have written a shell script wrapper for clamscan (more specifically
> clamdscan/clamd) that I call from maildrop... If you want to see the
> maildrop script message me offline as it isn't 100% relevant to this list.

I will check the wrapper NOW :) Can you please mail me the script you are talking about? Thanks a lot and bye.

With warm regards,
-Payal

--
"Visit GNU/Linux Success Stories"
http://payal.staticky.com
Guest-Book Section Updated.

[Clamav-users] Can ClamAV scan inside MIME messages?
When I scan a MIME message using ClamAV, can I just feed the raw message into ClamAV, or do I have to use ripmime first to extract the individual attachments into files first?

I've tested a virus message I received, by scanning first the whole MIME message, then just the attachment. ClamAV detected a virus in both cases, but it detected a *different* virus!

Whole MIME message: Exploit.IFrame.Gen FOUND
Just the attachment: Worm.Gibe.F FOUND

Re: [Clamav-users] Can ClamAV scan inside MIME messages?
On Tuesday, September 23, 2003, at 12:13 AM, Philip Mak wrote:

When I scan a MIME message using ClamAV, can I just feed the raw message into ClamAV, or do I have to use ripmime first to extract the individual attachments into files first?

No you don't have to use ripmime.

I've tested a virus message I received, by scanning first the whole MIME message, then just the attachment. ClamAV detected a virus in both cases, but it detected a *different* virus!

There are actually two viruses in the mail.

Whole MIME message: Exploit.IFrame.Gen FOUND
Just the attachment: Worm.Gibe.F FOUND

Re: [Clamav-users] LogSyslog not working?
* Jim B <[EMAIL PROTECTED]> [20030922 23:37]: wrote:
> Hi folks,
>
> I've got clamd (from clamav-0.60) running fine on a FreeBSD 4.8 system.
> It's set up to log to a clamd.log file, which works fine.
>
> However, after uncommenting LogSyslog in clamav.conf and restarting clamd,
> I still am not seeing any log messages go to syslog.
>
> Any ideas on why this wouldn't work? What facility/priority should it be
> using when it starts up or finds a virus?

You can try this in syslog.conf:

!clamd
*.* /var/log/scanner.log

..and see if that brings up something

Of course you must kill -1 `cat /var/run/syslog.pid`

-Wash

--
Odhiambo Washington <[EMAIL PROTECTED]> "The box said 'Requires
Wananchi Online Ltd. www.wananchi.com Windows 95, NT, or better,'
Tel: +254 2 313985-9 +254 2 313922 so I installed FreeBSD."
GSM: +254 72 743223 +254 733 744121 This sig is McQ! :-)

The assertion that "all men are created equal" was of no practical use in effecting our separation from Great Britain and it was placed in the Declaration not for that, but for future use.
-- Abraham Lincoln

Re: [Clamav-users] Can ClamAV scan inside MIME messages?
On Tue, Sep 23, 2003 at 12:34:41AM -0400, Flinn Mueller wrote:
> On Tuesday, September 23, 2003, at 12:13 AM, Philip Mak wrote:
>
> >When I scan a MIME message using ClamAV, can I just feed the raw
> >message into ClamAV, or do I have to use ripmime first to extract the
> >individual attachments into files first?
>
> No you don't have to use ripmime.

Actually, I just found a message where if I clamscan the whole message, it claims the message is clean, but if I save the attachment file and clamscan that, it finds a virus. So I'm guessing ripmime is needed.

[Clamav-users] Is this a safe use of /tmp?
Is this a safe way to use /tmp? Or is it vulnerable to the local symlink attack where another user on the system predicts the filename I am going to create, and makes a symlink using that name and does nasty things?

TIME=$(/bin/date "+%s")
FILE="/tmp/clamscan.$TIME.$PPID.orig"
DIR="/tmp/clamscan.$TIME.$PPID"
/bin/touch $FILE
/bin/chmod 600 $FILE
/bin/mkdir $DIR
/bin/chmod 700 $DIR

I'm writing a shell script that wraps clamscan for use with maildrop. It's a modification of the one that Tom Walsh posted on Aug 20. His script doesn't address local security concerns since no one has shell accounts on his system, but that's not the case on mine, so I'm trying to fix that.

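The question above, worked through as an added example (not part of the original post and not Tom Walsh's wrapper): the predictable-name pattern is run against a name that already exists as a symlink, next to an mktemp-based alternative. The function names and the sandbox directory that stands in for /tmp are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example. All work happens in a private sandbox directory (constructed
# here) that stands in for /tmp; function names are hypothetical.

mode_of() { ls -ld "$1" | cut -c1-10; }     # e.g. "-rw-------"

# Name built the way the question builds it: epoch seconds plus parent PID.
predicted_name() { printf '%s/clamscan.%s.%s.orig\n' "$1" "$(date +%s)" "$PPID"; }

# Pattern from the question. touch and chmod both follow symlinks, so if the
# name already exists as a link they act on the link's target instead.
predictable_create() { touch "$1" && chmod 600 "$1"; }

# Hardened form: mktemp -d chooses an unpredictable name and creates the
# directory atomically with mode 0700, failing rather than reusing a path.
# The file is then created inside it with noclobber (set -C), which makes
# the redirection fail if the name already exists.
safe_create() {
    d=$(mktemp -d "$1/clamscan.XXXXXXXXXX") || return 1
    ( umask 077; set -C; : > "$d/orig" ) || return 1
    printf '%s\n' "$d"
}

demo() {
    box=$(mktemp -d) || return 1
    victim="$box/victim"; : > "$victim"; chmod 644 "$victim"
    name=$(predicted_name "$box")
    ln -s "$victim" "$name"          # the name is already taken by a symlink
    predictable_create "$name"
    echo "unrelated file is now: $(mode_of "$victim")"
    d=$(safe_create "$box") || return 1
    echo "mktemp dir: $(mode_of "$d")  file: $(mode_of "$d/orig")"
    rm -rf "$box"
}

demo
```

In a wrapper script, check the exit status of mktemp before using the directory and remove it with a trap on EXIT.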
Re: [Clamav-users] clamscan chokes on this email
René Bellora wrote:

hi! live virus sample in: http://rana.dyndns.org/mbox.txt

i'm using clamscan version 20030829, and when i do 'clamscan --mbox' on the aforementioned, i get:

clamscan: message.c:739: decodeLine: Assertion `strlen(line) <= 76' failed.
Aborted

it seems that the encoding has one corrupt line (one additional char at the end of one line). Nonetheless, Outlook Express happily delivers an infected executable. Once extracted, the executable is detected by clamscan as Worm.Gibe.F

Your clamav binary is too old. If you look at the ChangeLog (from a current source tarball, or sf.net ViewCVS), there were some serious fixes made in September. According to Tomasz, there will be a new release in September.

Thomas

Re: [Clamav-users] Can ClamAV scan inside MIME messages?
Philip Mak wrote:

On Tue, Sep 23, 2003 at 12:34:41AM -0400, Flinn Mueller wrote:

On Tuesday, September 23, 2003, at 12:13 AM, Philip Mak wrote:

When I scan a MIME message using ClamAV, can I just feed the raw message into ClamAV, or do I have to use ripmime first to extract the individual attachments into files first?

No you don't have to use ripmime.

Actually, I just found a message where if I clamscan the whole message, it claims the message is clean, but if I save the attachment file and clamscan that, it finds a virus. So I'm guessing ripmime is needed.

No. clam has its own de-MIME code. You have to use the --mbox option in clamscan, or enable the ScanMail switch in your clamav.conf for clamd.

Thomas

--
Thomas Lamy
Engineering & Software Development
Ingolstadt Online GmbH -- Your wireless way onto the Internet