Re: [Clamav-users] clamav-milter problem
* Alikhani <[EMAIL PROTECTED]> [20040110 09:47]: wrote:
> Hi all
> I am new that use clamav on my server suse-smp.
> I install clamav.0-65 , when I use this command :
> /usr/local/sbin/clamav-milter -blo /var/run/clmilter.sock
> it says
> You must select server type (local/TCP) in /usr/local/etc/clamav.conf
>
> What must I do ?

"You must select server type (local/TCP) in /usr/local/etc/clamav.conf" ;)

Look at that file and comment out the line that has:

TCPSocket 3310

(My recommendation). YMMV.

cheers
- wash

Odhiambo Washington, WANANCHI ONLINE LTD (Nairobi, KE)
"Oh My God! They killed init! You Bastards!" --from a /. post
Re: [Clamav-users] pretty basic question - clamscan vs clamdscan
At 01:11 PM 1/9/2004, Tomasz Papszun wrote:

> A gigantic difference (as shown in my previous message) is caused by wasting much time for launching the program (clamscan) and loading a database into memory (while clamd has it loaded _already_). But when you scan many files at once, you execute clamscan only once, so supremacy of clamdscan is lesser. Theoretically, with a number of files going to infinity, a duration of clamscan is reaching a duration of clamdscan.
>
> Now you could ask: "But why does clamdscan run longer than clamscan?! I understand that the times can be similar, but clamdscan longer?!". Read on :-) .
>
> > three times as many viruses as clamscan (that's weird in itself, since all
> > the messages in the quarantine were put there by clamscan!)
>
> Not so weird, in fact. First of all we must remember that clamdscan is a clamd client, so unless we use command line options, scanning with clamdscan will use these options which are set in clamav.conf. For instance, you may have set in clamav.conf ScanMail and ScanArchive. Of course using more features requires more time and resources. That's why clamdscan can run longer than clamscan!
>
> And your second question: "Why did clamdscan find 33 viruses, while clamscan found only 11?!". The answer is the same: clamdscan is a clamd client! If you have set ScanMail in clamav.conf, then clamdscan tries harder when searching for viruses. So it can find infections also in email messages, not only in raw binary files!

thanks for your reply - and to the others who posted in this thread as well. i have a much better understanding now of all this. and it sure is great to no longer be faced with throwing even more iron at the problem!

Paul Theodoropoulos
http://www.anastrophe.com

---
This SF.net email is sponsored by: Perforce Software. Perforce is the Fast Software Configuration Management System offering advanced branching capabilities and atomic changes on 50+ platforms. Free Eval!
http://www.perforce.com/perforce/loadprog.html
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users
Re: [Clamav-users] pretty basic question - clamscan vs clamdscan
Haven't there been problems with the stability of clamd for a long time? Are those problems solved now?

I use MailScanner and it sends batches of files to scan so the speed difference is negligible and I don't have to worry about if clamd has stopped.

Anyway, I find that it takes more time for SpamAssassin to check a message than it takes to virus scan it.

/Peter Bonivart

--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.61 + DCC 1.2.21, ClamAV 0.65 + GMP

[EMAIL PROTECTED] wrote:
> thanks for your reply - and to the others who posted in this thread as well. i have a much better understanding now of all this. and it sure is great to no longer be faced with throwing even more iron at the problem!
[Clamav-users] Mimail Virus
I found out that ClamAV does not always recognize the Mimail virus, instead it is reported as "Seriously Broken Zip", which may be correct, but doesn't really identify the virus itself...

How can this be avoided? I would like to get the virus name instead of the information of a broken ZIP?

Regards,
Phil.
Re: [Clamav-users] Mimail Virus
On Saturday 10 January 2004 6:49 pm, Philipp Grosswiler wrote:

> I found out that ClamAV does not always recognize the Mimail virus,
> instead it is reported as "Seriously Broken Zip", which may be correct,
> but doesn't really identify the virus itself...
>
> How can this be avoided? I would like to get the virus name instead of
> the information of a broken ZIP?

That depends on how broken it is. Beyond a certain amount of loss of the complete virus, there isn't enough left to know what it was supposed to be, and besides, if what you've got isn't the complete Mimail virus, it shouldn't be labelled to suggest that it is.

If what you have is a damaged piece of viral code, does it really matter which virus it was before it got damaged?

Antony.

--
Anything that improbable is effectively impossible.
- Murray Gell-Mann, Novel Prizewinner in Physics

Please reply to the list; please don't CC me.
Re: [Clamav-users] pretty basic question - clamscan vs clamdscan
Tomasz Papszun wrote:
> On Fri, 09 Jan 2004 at 12:07:16 -0800, [EMAIL PROTECTED] wrote:
>
> $ clamscan Worm.Yaha.Y.msg
> Worm.Yaha.Y.msg: OK
>
> --- SCAN SUMMARY ---
> Known viruses: 19802
> Scanned directories: 0
> Scanned files: 1
> Infected files: 0
> Data scanned: 0.08 Mb
> I/O buffer size: 131072 bytes
> Time: 0.718 sec (0 m 0 s)
>
> $ clamdscan Worm.Yaha.Y.msg
> /tmp/Worm.Yaha.Y.msg: Worm.Yaha.Y FOUND
>
> --- SCAN SUMMARY ---
> Infected files: 1
> Time: 0.026 sec (0 m 0 s)
>
> As you can see, clamscan didn't find a virus in the mail message, but clamdscan did!

I've been following this thread and I'm trying to get my head around the different options for running clamav with qmail-scanner-queue.pl:

1- Call clamscan for each mail message: The surest method, but slow.
2- Call clamdscan, which needs to have the clamd daemon running: Much faster but clamd dies every so often. So we need the perl script, clamdwatch, contributed by Mike running every minute as a cron job.

Is this a correct summary of what's been discussed?

On the Clamav site, in the clamd_supervised doc page, there's an explanation and scripts for managing clamd with the service mechanism of daemontools. Is this a reasonable alternative to the clamdwatch script running as a cron job?

Thanks,
--Micha
Re: [Clamav-users] Mimail Virus
Philipp Grosswiler wrote:
> I found out that ClamAV does not always recognize the Mimail virus, instead it is reported as "Seriously Broken Zip", which may be correct, but doesn't really identify the virus itself...
>
> How can this be avoided? I would like to get the virus name instead of the information of a broken ZIP?

H. Hope with clamav you'll get ANY (even RANDOM like 'bla-bla-bla') information INSTEAD of virus in ur mail ;)

> Regards,
> Phil.
Re: [Clamav-users] pretty basic question - clamscan vs clamdscan
Micha,

On Sat, 2004-01-10 at 14:04, Micha Silver wrote:
> So we need the perl script,
> clamdwatch, contributed by Mike running every minute as a cron job.

To be honest, I've only had clamd die ~3 times in almost a year of production use. I don't consider this acceptable, but the alternatives I've looked at start at $10k/year and move up from there. I'm assuming the development team will be able to resolve the problem shortly--especially if we can get more debugging info to them.

You probably don't need to run the script every minute, that's just what I'm doing. The side benefit is that you should immediately know if anything ever goes awry with the virus database (since the script actually requests a RAWSCAN of itself and contains the EICAR pattern).

> Is this a reasonable alternative to the clamdwatch script
> running as a cron job?

Good question. It sounds like some of the people having problems with clamd crashing aren't actually seeing the master process die. See the ml archives for more info. If this is the case, then I would think that running clamd under daemon tools wouldn't help them. Can someone verify this?

Don't get me wrong. I like daemontools and run several other daemons under its 'supervision' (mydns, freeradius, dnscache, etc).

Cheers,
Mike
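
Added example, not part of the thread and not Mike's clamdwatch script: a Python probe for the kind of check described above, which asks clamd over its local socket to RAWSCAN a file holding the EICAR test pattern and tells apart a daemon that is gone from one that is still running but not answering. The function names, the status labels and the newline-terminated reply format are assumptions of this example; the socket path and test file are supplied by the operator.

```python
import socket

# Status labels are this example's own, not clamd output.
HEALTHY, DOWN, HUNG, NO_DETECT = "healthy", "down", "hung", "no-detection"


def classify_reply(line):
    """Map one clamd reply line to a status."""
    if not line:
        return DOWN        # peer closed the connection without answering
    if line.endswith(" FOUND"):
        return HEALTHY     # daemon answered and the database matched
    return NO_DETECT       # "OK" or "ERROR" on a file that should be detected


def probe_clamd(sock_path, test_file, timeout=10.0):
    """RAWSCAN a file holding the EICAR test pattern; return (status, detail).

    sock_path is clamd's local socket; test_file must be readable by clamd.
    """
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.settimeout(timeout)  # bounds connect, send and every recv
    try:
        s.connect(sock_path)
        s.sendall(("RAWSCAN %s\n" % test_file).encode())
        reply = b""
        while not reply.endswith(b"\n"):
            chunk = s.recv(4096)
            if not chunk:
                break
            reply += chunk
    except socket.timeout:
        # The socket is there but nothing answers in time: the case a
        # process supervisor cannot see, because the process still exists.
        return HUNG, "no reply within %.1fs" % timeout
    except OSError as exc:
        return DOWN, str(exc)
    finally:
        s.close()
    line = reply.decode(errors="replace").strip()
    return classify_reply(line), line


if __name__ == "__main__":
    import sys
    # Usage (paths are placeholders): probe.py <clamd socket> <eicar file>
    status, detail = probe_clamd(sys.argv[1], sys.argv[2])
    print(status, detail)
    sys.exit(0 if status == HEALTHY else 1)
```

Run from cron, a non-zero exit is the signal to restart clamd or alert; the "no-detection" status is the database check Mike mentions as a side benefit.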
Re: [Clamav-users] pretty basic question - clamscan vs clamdscan
At 11:04 AM 1/10/2004, Micha Silver wrote:
> Tomasz Papszun wrote:
> > On Fri, 09 Jan 2004 at 12:07:16 -0800, [EMAIL PROTECTED] wrote:

please be attentive to attributions. I wrote none of the text in this message, though it is attributed to me above.

> > $ clamscan Worm.Yaha.Y.msg
> > Worm.Yaha.Y.msg: OK
> >
> > --- SCAN SUMMARY ---
> > Known viruses: 19802
> > Scanned directories: 0
> > Scanned files: 1
> > Infected files: 0
> > Data scanned: 0.08 Mb
> > I/O buffer size: 131072 bytes
> > Time: 0.718 sec (0 m 0 s)
> >
> > $ clamdscan Worm.Yaha.Y.msg
> > /tmp/Worm.Yaha.Y.msg: Worm.Yaha.Y FOUND
> >
> > --- SCAN SUMMARY ---
> > Infected files: 1
> > Time: 0.026 sec (0 m 0 s)
> >
> > As you can see, clamscan didn't find a virus in the mail message, but clamdscan did!
>
> I've been following this thread and I'm trying to get my head around the different options for running clamav with qmail-scanner-queue.pl:
>
> 1- Call clamscan for each mail message: The surest method, but slow.
> 2- Call clamdscan, which needs to have the clamd daemon running: Much faster but clamd dies every so often. So we need the perl script, clamdwatch, contributed by Mike running every minute as a cron job.
>
> Is this a correct summary of what's been discussed?
>
> On the Clamav site, in the clamd_supervised doc page, there's an explanation and scripts for managing clamd with the service mechanism of daemontools. Is this a reasonable alternative to the clamdwatch script running as a cron job?
>
> Thanks,
> --Micha

Paul Theodoropoulos
http://www.anastrophe.com
RE: [Clamav-users] Mimail Virus
> That depends on how broken it is.

I guess that's the problem with this virus. It is so badly written.

> Beyond a certain amount of loss of the complete virus, there
> isn't enough left to know what it was supposed to be, and besides, if what
> you've got isn't the complete Mimail virus, it shouldn't be labelled to suggest that it is.
>
> If what you have is a damaged piece of viral code, does it really matter which
> virus it was before it got damaged?

In some cases, yes. I am having a statistics where I would like to know which virus it was instead of "Seriously Broken Zip". I don't think that's a bad thing, but why shouldn't it be possible to have a signature of this damaged virus?

Regards,
Phil.
Re: [Clamav-users] Mimail Virus
On Saturday 10 January 2004 8:48 pm, Philipp Grosswiler wrote:

> > That depends on how broken it is.
>
> I guess that's the problem with this virus. It is so badly written.
>
> > If what you have is a damaged piece of viral code, does it really
> > matter which virus it was before it got damaged?
>
> In some cases, yes. I am having a statistics where I would like to know
> which virus it was instead of "Seriously Broken Zip". I don't think
> that's a bad thing, but why shouldn't it be possible to have a signature of
> this damaged virus?

If you want a signature which will match something specific, you can always create your own - check the clamav sigtool, and remember that clamscan will use any/all the .db and .db? files it finds in /usr/local/share/clamav, so just put your own signature/s into a special file in this directory (I think it uses them in alphabetic order, so name yours to come before "viruses" to make sure your signature gets checked before the generic one).

Antony.

--
The words "e pluribus unum" on the Great Seal of the United States are from a poem by Virgil entitled "Moretum", which is about cheese and garlic salad dressing.

Please reply to the list; please don't CC me.
Re: [Clamav-users] pretty basic question - clamscan vs clamdscan
On Sat, 10 Jan 2004 21:04:50 +0200
Micha Silver <[EMAIL PROTECTED]> wrote:

> faster but clamd dies every so often. So we need the perl script,

Which version of clamd ?

Best regards,
Tomasz Kojm
--
   oo. [EMAIL PROTECTED] www.ClamAV.net
  (\/)\. http://www.clamav.net/gpg/tkojm.gpg
     \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\ /\ Sat Jan 10 23:28:09 CET 2004
RE: [Clamav-users] pretty basic question - clamscan vs clamdscan
> -Original Message-
> From: Tomasz Kojm [mailto:[EMAIL PROTECTED]
> Sent: Sunday, January 11, 2004 12:30 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] pretty basic question - clamscan
> vs clamdscan
>
>
> On Sat, 10 Jan 2004 21:04:50 +0200
> Micha Silver <[EMAIL PROTECTED]> wrote:
>
> > faster but clamd dies every so often. So we need the perl script,
>
> Which version of clamd ?

I have installed 0.65

>
> Best regards,
> Tomasz Kojm
> --
>    oo. [EMAIL PROTECTED] www.ClamAV.net
>   (\/)\. http://www.clamav.net/gpg/tkojm.gpg
>      \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
>    //\ /\Sat Jan 10 23:28:09 CET 2004
>