Re: [Clamav-users] New variant of password compressed virus

2004-03-15 Thread Odhiambo Washington
* Fajar A. Nugraha <[EMAIL PROTECTED]> [20040315 06:20]: wrote:
> Michael Torrie wrote:
> 
> >In another escalation of the arms war, the latest variant of
> >password-encrypted archive virus now distributes itself in an encrypted
> >rar file, and the password is an attached bitmap to eliminate the
> >possibility of using the password in the body of the message to open the
> >archive in antivirus programs.
> >
> > 
> >
> An interesting fact on ChangeLog:
> 
> Thu Mar 11 21:50:32 CET 2004 (tk)
> -
>  * libclamav: rar: added support for encrypted archive (Encrypted.RAR)
>  detection
> 

Tomasz is really up to this!! Thanks Tomasz (Kojm).


> >At this rate, I give e-mail another year of usefulness.  So much for the
> >usefulness of attachments too.  Thanks a lot spammers and virus
> >writers.  The good news is we'll have to replace SMTP with a better,
> >more robust, and more secure system.


> Changing a well-known system is hard. I've been trying to replace telnet with 
> ssh and ftp with sftp for some time now, for a small community, and still 
> haven't been 100% successful.
> Mainly due to the fact that most users still use M$ Win and it doesn't have 
> builtin clients for ssh or sftp.

Just get them putty.exe for ssh then close the telnet port.
Where you download putty.exe, there are other FREE clients.



cheers
   - wash 
Odhiambo Washington . WANANCHI ONLINE LTD (Nairobi, KE)
                    . 1ere Etage, Loita Hse, Loita St.,
GSM: (+254) 722 743 223 . # 10286, 00100 NAIROBI
GSM: (+254) 733 744 121 . (+254) 020 313 985 - 9
"Oh My God! They killed init! You Bastards!"  
 --from a /. post


---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users


[Clamav-users] Re: New variant of password compressed virus

2004-03-15 Thread Virgo Pärna
On Sat, 13 Mar 2004 13:48:58 -0700, Michael Torrie <[EMAIL PROTECTED]> wrote:
> password-encrypted archive virus now distributes itself in an encrypted
> rar file, and the password is an attached bitmap to eliminate the
> 

How does it create this rar archive? Does this virus use a rar
installed on the infected computer, if there is one, or does it also carry
some rar executable, or does it download rar from the Internet?

-- 
Virgo Pärna 
[EMAIL PROTECTED]





[Clamav-users] Problems with cron job and bash script

2004-03-15 Thread Hayo Schmidt
I am trying to run clamscan from a cron job. I have written a bash 
script for that, which I attached below. I am sorry it is in German 
and not in Polish.

The batch works fine when I start it from the command line. freshclam 
returns 52, because it can't handle the Microsoft NTLM proxy, and 
clamscan returns 0 or 1.

Running as a cron job, both programs return 127 and also there is no 
logging output from the programs. Is this a clamav problem or is the 
script buggy?

I am using clamscan 0.67-1 on a United Linux 1.0.

Hayo Schmidt

---
#!/bin/bash
# An exit status of 127 from bash means "command not found".  cron runs jobs
# with a minimal environment (typically PATH=/usr/bin:/bin), so binaries
# installed elsewhere are not found.  Set PATH explicitly; /usr/local/bin is
# assumed here as the install location of freshclam and clamscan.
export PATH=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin

LOG=/var/log/clam.log
QUARANTINE=/QUARANTINE
MAIL=/usr/bin/mail

echo "ClamScan for viruses..."
echo "Starting scan" >> "$LOG"
date >> "$LOG"
RESULT=0

freshclam -v --log-verbose --log="$LOG"
echo "freshclam returned $?." >> "$LOG"

# Scan one directory tree, report the outcome by mail and in the log, and
# return clamscan's exit status (0 = clean, 1 = virus found, other = error).
scan_dir() {
    dir=$1
    clamscan -i -r --log-verbose --move="$QUARANTINE" --log="$LOG" "$dir"
    rc=$?
    case $rc in
    0)
        echo "$dir is virus-free."
        echo "$dir is virus-free." | "$MAIL" -s "virus-free" root
        echo "$dir is virus-free." >> "$LOG"
        ;;
    1)
        echo "Viruses found in $dir!"
        echo "Viruses found in $dir!" | "$MAIL" -s "VIRUS ALERT" root
        echo "Viruses found in $dir!" >> "$LOG"
        ;;
    *)
        echo "clamscan returned $rc."
        echo "clamscan returned something unexpected ($dir)." | "$MAIL" -s "clamscan aborted with $rc" root
        echo "clamscan returned $rc ($dir)." >> "$LOG"
        ;;
    esac
    return $rc
}

scan_dir /pub
scan_dir /home
# As in the original script, the exit status of the last scan is reported.
RESULT=$?

echo "Finished scanning for viruses. ($RESULT)"
echo "Finished scanning for viruses. ($RESULT)" >> "$LOG"
exit $RESULT




[Clamav-users] OpenBSD clamav Port (0.67-1) RAR Files

2004-03-15 Thread Helmut Schneider
Hi,

It seems that the clamav Port (0.67-1) has problems with RAR Files (e.g. Bagle.N):

[EMAIL PROTECTED]:/root# /usr/local/bin/clamscan ./first_part.rar
./first_part.rar: RAR module failure.
./first_part.rar: OK

--- SCAN SUMMARY ---
Known viruses: 20477
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.04 MB
I/O buffer size: 131072 bytes
Time: 0.822 sec (0 m 0 s)
[EMAIL PROTECTED]:/root# unrar x ./first_part.rar

UNRAR 2.50 freeware  Copyright (c) 1993-99 Eugene Roshal


Extracting from ./first_part.rar

Enter password for ygosdtyp.exe: 21174


ygosdtyp.exe already exists. Overwrite it ?  Yes/No/All/Rename/Quit y

Extracting  ygosdtyp.exe Ok
All OK
[EMAIL PROTECTED]:/root# /usr/local/bin/clamscan ./ygosdtyp.exe
./ygosdtyp.exe: Worm.Bagle.N FOUND

--- SCAN SUMMARY ---
Known viruses: 20477
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.02 MB
I/O buffer size: 131072 bytes
Time: 0.915 sec (0 m 0 s)
[EMAIL PROTECTED]:/root#

Tips?

Thanks, Helmut

--
Please do not feed my mailbox, Swen already got that job


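The ChangeLog entry quoted at the top of this digest (Encrypted.RAR detection) and the password-protected RAR above are the same situation seen from two sides: the scanner cannot open the member, but it can read the header flag that says the member is encrypted, and a container-level verdict is built on that. The following is an added example, not ClamAV's code, that walks ZIP local file headers and RAR 1.5-4.x block headers and reports the encryption flag. The sample archives are constructed inline: they hold harmless text, set only the flag bits (no real encryption or compression), and leave the RAR header CRCs zero, which a real unrar would reject, so they exist only to exercise the parser.

```python
"""Flag password-protected ZIP and RAR archives from their headers.

Added example; not ClamAV code.  Samples are constructed below so the
script runs offline and carries no real malware.
"""
import struct
import zlib

ZIP_LOCAL_SIG = b"PK\x03\x04"
ZIP_FLAG_ENCRYPTED = 0x0001        # general-purpose bit 0 in the local header

RAR_MARKER = b"Rar!\x1a\x07\x00"   # RAR 1.5 - 4.x marker block (RAR5 differs)
RAR_HEAD_MAIN = 0x73
RAR_HEAD_FILE = 0x74
RAR_FLAG_PASSWORD = 0x0004         # file header: member is encrypted
RAR_FLAG_LARGE = 0x0100            # file header: 64-bit size fields follow ATTR
RAR_FLAG_LONG_BLOCK = 0x8000       # block is followed by ADD_SIZE bytes of data

# sig, ver, flags, method, time, date, crc, csize, usize, name len, extra len
ZIP_LOCAL_FMT = "<4sHHHHHIIIHH"
ZIP_LOCAL_LEN = struct.calcsize(ZIP_LOCAL_FMT)   # 30


def zip_encrypted_members(data):
    """Walk ZIP local file headers; return names whose encryption bit is set.
    A member written with a data descriptor (bit 3) has csize 0 here; the
    next header is then located by signature search instead."""
    names, pos = [], 0
    while True:
        pos = data.find(ZIP_LOCAL_SIG, pos)
        if pos < 0 or pos + ZIP_LOCAL_LEN > len(data):
            break
        f = struct.unpack_from(ZIP_LOCAL_FMT, data, pos)
        flags, csize, nlen, xlen = f[2], f[7], f[9], f[10]
        name = data[pos + ZIP_LOCAL_LEN:pos + ZIP_LOCAL_LEN + nlen].decode("cp437", "replace")
        if flags & ZIP_FLAG_ENCRYPTED:
            names.append(name)
        pos += ZIP_LOCAL_LEN + nlen + xlen + csize
    return names


def rar_encrypted_members(data):
    """Walk RAR 1.5-4.x block headers; return names of password-flagged members."""
    if not data.startswith(RAR_MARKER):
        raise ValueError("not a RAR 1.5-4.x archive")
    names, pos = [], len(RAR_MARKER)
    while pos + 7 <= len(data):
        _crc, head_type, head_flags, head_size = struct.unpack_from("<HBHH", data, pos)
        if head_size < 7:
            break                                   # corrupt header: stop, do not spin
        add_size = 0
        if head_flags & RAR_FLAG_LONG_BLOCK:        # ADD_SIZE (= PACK_SIZE for file headers)
            (add_size,) = struct.unpack_from("<I", data, pos + 7)
        if head_type == RAR_HEAD_FILE:
            # fixed part is 32 bytes; NAME_SIZE sits at offset 26, name after ATTR
            (name_size,) = struct.unpack_from("<H", data, pos + 26)
            name_off = pos + 32 + (8 if head_flags & RAR_FLAG_LARGE else 0)
            name = data[name_off:name_off + name_size].decode("cp437", "replace")
            if head_flags & RAR_FLAG_PASSWORD:
                names.append(name)
        pos += head_size + add_size
    return names


def classify(data):
    """Container-level verdict in the style of ClamAV's Encrypted.* names."""
    if data.startswith(RAR_MARKER):
        return "Encrypted.RAR" if rar_encrypted_members(data) else "OK"
    if data.startswith(ZIP_LOCAL_SIG):
        return "Encrypted.Zip" if zip_encrypted_members(data) else "OK"
    return "not an archive"


# --- constructed samples (no real compression or encryption) ---------------

def build_zip(name, payload, encrypted):
    """One stored (method 0) member: local header + data, no central directory."""
    flags = ZIP_FLAG_ENCRYPTED if encrypted else 0
    hdr = struct.pack(ZIP_LOCAL_FMT, ZIP_LOCAL_SIG, 20, flags, 0, 0, 0,
                      zlib.crc32(payload) & 0xFFFFFFFF, len(payload), len(payload), len(name), 0)
    return hdr + name + payload


def build_rar(name, payload, password):
    """Marker, main header, one stored (METHOD 0x30) file header and its data."""
    main = struct.pack("<HBHH", 0, RAR_HEAD_MAIN, 0, 13) + b"\0" * 6
    flags = RAR_FLAG_LONG_BLOCK | (RAR_FLAG_PASSWORD if password else 0)
    file_hdr = struct.pack("<HBHHIIBIIBBHI", 0, RAR_HEAD_FILE, flags, 32 + len(name),
                           len(payload), len(payload), 2, zlib.crc32(payload) & 0xFFFFFFFF,
                           0, 29, 0x30, len(name), 0x20) + name
    return RAR_MARKER + main + file_hdr + payload


if __name__ == "__main__":
    samples = [
        ("plain zip", build_zip(b"notes.txt", b"hello", False)),
        ("password zip", build_zip(b"Document.exe", b"not really MZ", True)),
        ("plain rar", build_rar(b"notes.txt", b"hello", False)),
        ("password rar", build_rar(b"ygosdtyp.exe", b"not really MZ", True)),
    ]
    for label, blob in samples:
        print("%-13s -> %s" % (label, classify(blob)))
```

For real ZIP files the standard library exposes the same bit as `zipfile.ZipInfo.flag_bits & 1`; the hand-written walk above is there to show where the flag lives and how a streaming scanner can reach it without a central directory. Note that a verdict like this says nothing about the member's content, which is exactly the gap the password-in-a-picture trick exploits.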


[Clamav-users] ./configure options

2004-03-15 Thread Justin
I'm compiling the latest clam-devel on 3 new boxes right now.  I was 
planning on using the same configure options from my other RH9 server 
that's running clam-devel-20040211.  After looking at those configure 
options I used with that release I'm left with questions about the 
necessity of a couple of those options:

./configure --prefix=/usr/local --sysconfdir=/etc/clamav
--localstatedir=/var --disable-clamuko CPPFLAGS= LDFLAGS=-L/usr/include/
db4 --no-create --no-recursion

Why have I defined CPPFLAGS and LDFLAGS?  Why am I using --no-create
and --no-recursion?  I don't even remember using those two options (nor do
I know what they do) and I don't recall having to define CPPFLAGS or
LDFLAGS for clam to compile.  My shell history also doesn't show this
configure line.  Any ideas?  Everything preceding CPPFLAGS is what I
usually compile clam with.  This is rather odd.

Thanks
 Justin






RE: [Clamav-users] LibClamAV Error: !Can't open /dev/urandom.

2004-03-15 Thread Edward W. Ray
Sorry, thought it was in the e-mail.

RH 9 Linux system running clamav v0.67

[EMAIL PROTECTED] root]# ls -l /dev/urandom 
crwxr-xr-x1 root root   1,   9 Mar  9 17:22 /dev/urandom 

 wget http://heanet.dl.sourceforge.net/sourceforge/clamav/clamav-0.67.tar.gz

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fajar A.
Nugraha
Sent: Sunday, March 14, 2004 10:00 PM
To: [EMAIL PROTECTED]
Subject: Re: [Clamav-users] LibClamAV Error: !Can't open /dev/urandom.

Edward W. Ray wrote:

>When I started ClamAV I got the following errors:
>
>[EMAIL PROTECTED] tmp]# /etc/init.d/clamd start Starting ClamAV...
>LibClamAV Error: !Can't open /dev/urandom.
>  
>
It would help if you mention:
-   Your OS/version
-   Your clamav version
-   permission of /dev/urandom, and what user you're running clamav as
-   how you get clamav (e.g. rpm, deb, binary .tar.gz, compile from 
source, etc)

Regards,

Fajar







[Clamav-users] clamdscan - Some processes still hanging

2004-03-15 Thread Robert Blayzor
clamdscan / ClamAV version devel-20040312
FreeBSD 4.9

I'm still seeing clamdscan processes "hang" every now and then.  They
eventually exit but only after a VERY long time. 5+ minutes usually. (maybe
on the thread timeout value).  I've checked our logs and it almost always
happens when the database reloads new defs or shortly there after.

It hung shortly after loading the database upon scanning the following
small files...

Mon Mar 15 07:23:13 2004:25444: File: msg-25444-1.txt (375 bytes)
Mon Mar 15 07:23:13 2004:25444: File: msg-25444-2.html (2094 bytes)
Mon Mar 15 07:23:13 2004:25444: File: msg-25444-3.jpg (335896 bytes)


>From our email handler debug:

Mon Mar 15 07:23:13 2004:25444: ClamAV version devel-20040312
Mon Mar 15 07:23:13 2004:25444: Running /usr/local/bin/clamdscan --stdout
Mon Mar 15 07:30:24 2004:25444: Reaper - pid: 25445 exited
Mon Mar 15 07:30:24 2004:25444: Result was  0
Mon Mar 15 07:30:24 2004:25444: Child exiting

As you can see it took almost seven minutes for clamdscan to exit from the
time it was called.

Clip from the clamd syslog when this happened:

Mar 15 07:21:12 mx1-a clamd[5474]: /var/tmp/scavs/5505/0/msg-25408-2.zip:
Worm.SomeFool.Gen-2 FOUND
Mar 15 07:23:11 mx1-a clamd[5474]: SelfCheck: Database modification
detected. Forcing reload.
Mar 15 07:23:11 mx1-a clamd[5474]: Reading databases from
/usr/local/share/clamav
Mar 15 07:30:23 mx1-a clamd[5474]: Database correctly reloaded (20478
viruses) 
Mar 15 08:06:42 mx1-a clamd[5474]: /var/tmp/scavs/25593/0/msg-26623-3.zip:
Encrypted.Zip FOUND


--
Robert Blayzor, BOFH
INOC, LLC
[EMAIL PROTECTED]
PGP: http://www.inoc.net/~dev/
Key fingerprint = 1E02 DABE F989 BC03 3DF5  0E93 8D02 9D0B CB1A A7B0

Please excuse me, I have to circuit an AC line through my head to get this
database working.






Re: [Clamav-users] queries about clamscan

2004-03-15 Thread Jeff Ramsey
On Mar 14, 2004, at 10:56 PM, simon dcunha wrote:

Hi,

I have recently installed clamscan and it is working fine, but I do have a
couple of queries and appreciate your help.
1) I need to check when my Linux mail server which uses sendmail 
receives any infected mail: can I check it with clamav so that it will clean or
delete the email, and if it can be done, HOW??

2) If any local user sends an infected email, can clamav detect it before
sendmail can send it out to the recipient?
Thanks and regards

simon






There are many ways to integrate clamscan with Sendmail. Some of the 
more documented ones are AmavisD & clam-milter. If you use one of these 
interfaces, clamav, or AmavisD is called directly by Sendmail, so the 
message should not be able to be sent to the recipient without being 
scanned. In proof of my point, when I was setting it up, I had a 
permissions problem that would not allow the amavisd user to read the 
message from sendmail, and it did not send messages at all, it just 
queued them. If your mailserver gets backed up, it should queue 
messages until it gets caught up. If this is happening too often, you 
may need an upgrade for your server or another server. If you set up 
freshclam, your virus DB should stay up to date, within a two hour 
window.

Jeff Ramsey
MIS Administrator
Tubafor Mill, Inc.




Re: [Clamav-users] clamdscan - Some processes still hanging

2004-03-15 Thread Trog
On Mon, 2004-03-15 at 14:49, Robert Blayzor wrote:

> Mar 15 07:23:11 mx1-a clamd[5474]: Reading databases from
> /usr/local/share/clamav
> Mar 15 07:30:23 mx1-a clamd[5474]: Database correctly reloaded (20478
> viruses) 

It actually took 7 mins to reload the sig database - that is very
strange.

All threads are stopped *before* the "Reading databases ..." message.
All that happens after that is to reset the database statistics
structure and reload the sig database.

Anything strange in your setup? Like NFS? Odd disk setup? It's running
out of memory/disk/cpu resource?

-trog





[Clamav-users] Ladmar virus?

2004-03-15 Thread Keith Murphy
I'm suddenly seeing this:

clamscan Notepad.exe
Notepad.exe: W32.Ladmar.A FOUND
when run against C:\WINDOWS\Notepad.exe on several Win98 workstations. 
I don't see any recent updates that involve this virus, but I'm dubious 
about whether multiple workstations really are infected with this.  A 
recent McAfee doesn't detect anything either.

Can't find *any* information about this virus on the web.

Thanks for any help.





Re: [Clamav-users] OpenBSD clamav Port (0.67-1) RAR Files

2004-03-15 Thread Helmut Schneider
Helmut Schneider wrote:

> seems that the clamav Port (0.67-1) has problems with RAR Files (e.g.
> Bagle.N): 

To avoid misunderstandings, I know the file is pwd, but clamav does not
recognize the virus within the archive (maybe a DB problem)...

Please do not feed my mailbox, Swen already got that job




Re: [Clamav-users] Ladmar virus?

2004-03-15 Thread Denis De Messemacker
On Mon, Mar 15, 2004 at 10:01:00AM -0600, Keith Murphy wrote :
> I'm suddenly seeing this:
> 
> clamscan Notepad.exe
> Notepad.exe: W32.Ladmar.A FOUND
> 
> when run against C:\WINDOWS\Notepad.exe on several Win98 workstations. 
> I don't see any recent updates that involve this virus, but I'm dubious 
> about whether multiple workstations really are infected with this.  A 
> recent McAfee doesn't detect anything either.
> 
> Can't find *any* information about this virus on the web.
> 
> Thanks for any help.
> 

Please submit this executable in the web submission interface as 'false
virus'. Then we will process it shortly.

Thanks,

/ddm

-- 
Denis De Messemacker
GnuPG Key-ID: 0x02787880
[EMAIL PROTECTED]   http://www.e-labs.org
[EMAIL PROTECTED]   http://www.ClamAV.net - A GPL virus scanner




Re: [Clamav-users] clamdscan - Some processes still hanging

2004-03-15 Thread Robert Blayzor
On 3/15/04 10:35 AM, "Trog" <[EMAIL PROTECTED]> wrote:
 
> It actually took 7 mins to reload the sig database - that is very
> strange.
> 
> All threads are stopped *before* the "Reading databases ..." message.
> All that happens after that is to reset the database statistics
> structure and reload the sig database.
> 
> Anything strange in your setup? Like NFS? Odd disk setup? It's running
> out of memory/disk/cpu resource?

Actually yes.  We have the database on an NFS server.  Neither the box nor
the NFS server is anywhere near capacity.  Plenty of RAM, network speed and
CPU cycles available.  No warning or error messages in any of the kernel
logs and the boxes seem to be performing properly.  I can find no reason why
the process would just take 7 minutes to read the file... Several other
things lightly access the NFS server at that time and don't have any issues.

Are there other problems using NFS?  Should we not have clamd read the
definitions off the NFS directly and maybe look at rsyncing them to the
proper place on local disk?  I can't imagine why we'd need to do this,
especially if you have several other boxes that run clamd.  Having to run
freshclam on them all individually would seem like a waste.  Suggestions?

--
Robert Blayzor, BOFH
INOC, LLC
[EMAIL PROTECTED]
PGP: http://www.inoc.net/~dev/
Key fingerprint = 1E02 DABE F989 BC03 3DF5  0E93 8D02 9D0B CB1A A7B0

A Life? Cool! Where can I download one of those from?






[Clamav-users] W32.Beable@mm!rar getting through?

2004-03-15 Thread Kevin Hanser



We just recently got a message sent to us that's infected with the
[EMAIL PROTECTED] virus (that's what Norton/Symantec calls it).  For some
reason, ClamAV doesn't seem to be catching this virus.  I ran a saved copy
of the message through the online ClamAV at http://www.gietl.com/test-clamav/
and it didn't detect it either.  However, when I scan the saved message file
on my windoze PC using Norton AV, it detects the virus!

Any idea why ClamAV is letting this through?  I've been impressed with the
speed at which the virus DB is kept up to date, so this is a strange anomaly
indeed...

thx!!

k


[Clamav-users] Great surprise!!! CLAMAV is showing virus into Notepad.exe on Windows 98 CD provided by Microsoft.

2004-03-15 Thread chirag gandhi
I have successfully installed CLAMAV on my Linux machine and updated its
virus database. To check its efficiency I mounted my Windows drive and
scanned it using clamscan. Surprisingly, I got a virus warning on
notepad.exe; it was shown as infected by W32.Ladmar.A. However, I already
have Norton Corporate Edition with the latest updates installed on
Windows. So I went to Windows and checked notepad.exe for viruses using
Norton. Norton showed no virus, but CLAMAV shows one on Linux. I also
checked notepad.exe extracted from the Windows .cab file on the CD provided
by Microsoft. CLAMAV still shows a virus warning.

At the URL

http://clamav.ozforces.com/database/viruses.db2

the virus signature for W32.Ladmar.A is present in notepad.exe. So, is
the virus present in notepad.exe, or does CLAMAV's virus database contain
a wrong signature?

Thanks,
Chirag Gandhi


__
Do you Yahoo!?
Yahoo! Mail - More reliable, more storage, less spam
http://mail.yahoo.com




[Clamav-users] MIME problem?

2004-03-15 Thread Stuart Mycock

Hi all,

RAV caught a bounced message sample containing Worm.SomeFool.Gen-2
(Netsky.B) but neither clamd nor 'clamdscan --mbox' could find the infection;
I presume this is an issue with the MIME handling?

When I rip out the attachment manually it detects the virus fine.

Shall I submit the sample anyway? I don't want to waste anyone's time if
this is something that's already being dealt with?

I run 0.67-1 in production but have also tried an mbox scan with
clamav-devel-20040315.

Cheers,

Stuart.





[Clamav-users] Embedded EICAR handling

2004-03-15 Thread Martin A. Brooks
Hi

One of our clients uses a multiple vendor AV solution (clam included) and 
has found an interesting scenario.  They get sent signature updates and 
fixes from NAI which are sent as a non-passworded zip file.  The zip file 
typically contains a single binary file and a text "readme" type file.

Part of the text file is a boilerplate set of instructions on how to make 
an EICAR test file.  Clam detects this signature and marks the file as 
being infected.  NAI and Norton AV do not.

I'm undecided as to which action is correct and would therefore appreciate 
other opinions.

Regards

Martin A. Brooks, Clues Ltd.
http://www.clues.ltd.uk/




[Clamav-users] FreeBSD and log rotation

2004-03-15 Thread Bart Silverstrim
I'm running clamscan / ClamAV version 0.67-1 on FreeBSD 4.9 (clamav 
from ports collection), using clamd to scan incoming email for viruses. 
 I have seen some people on the list say that clamd will stop working 
if the maximum logfile size is hit?

Is there anyone using newsyslog to rotate the logs for clamd, and if so 
what is  your conf file line to do it?  Is there something that has to 
be changed in clamav.conf also?

Thanks,
-Bart




Re: [Clamav-users] Load

2004-03-15 Thread Scott Ryan
Sorted the problem out - it appears that clamscan will fork new
processes every time it is called by the qmail scanner - I switched to
using clamdscan which uses the clamd daemon. 

It has halved the original load to average of 1-3 ...



On Fri, 2004-03-12 at 23:47, Jeremy Kitchen wrote:
> On Fri, 2004-03-12 at 04:18, Scott Ryan wrote:
> > Hello all, I have upgraded clamav from 0.55 to 0.67-1 so I can now catch
> > the bagle-passwd worm. It works and it catches the virus, but I have
> > noticed a significant increase in the load on the machine. I am running
> > qmail on a 6cpu Xeon P3 700 with 4Gb RAM. I am also running spam
> > assassin.
> > 
> > Is this load increase normal (from 4-5 average to 9-11 average) or is
> > there something i can do to drop the overhead?
> 
> if you're using qmail-scanner, that's normal.  I was doing some load
> testing on a customer's mail cluster and brought the system load to over
> 75, yet the system was completely responsive to everything.  It was as
> if the machine was idle.  And you are using a far more powerful machine
> than this was :)
> 
> -Jeremy




[Clamav-users] Bagle.N Virus cannot be detected by local clamscan

2004-03-15 Thread Ling Ho
Hi

One of my users (and possibly another) received a mail with an attachment
Document.zip and the password in a jpeg file. McAfee detected it as Bagle.N and
the ClamAV website detected it as Worm.Bagle.Gen-zippwd-2 . However, when I ran
clamscan on my Linux mail server with update 185, it doesn't detect the mail.
185 is the latest update I have at this point. The clamscan version is 0.65 .

Anyone has this problem?

Thanks
...
ling





Re: [Clamav-users] Bagle.N Virus cannot be detected by local clamscan

2004-03-15 Thread Mike Cathey
On Mon, 2004-03-15 at 14:06, Ling Ho wrote:
> Anyone has this problem?

Try with --mbox

Cheers,

Mike





Re: [Clamav-users] Embedded EICAR handling

2004-03-15 Thread Andy Fiddaman


On Mon, 15 Mar 2004, Martin A. Brooks wrote:
; Part of the text file is a boilerplate  set of instructions on how to make
; an EICAR test file.  Clam detects this signature and marks the file as
; being infected.  NAI and Norton AV do not.
;
; I'm undecided as to which action is correct and would therefore appreciate
; other opinions.

Clam's behaviour is incorrect because the Eicar test file page
(http://www.eicar.org/anti_virus_test_file.htm) states:
"Any anti-virus product that supports the test file should detect it in any
file providing that the file starts with the following 68 characters, and is
exactly 68 bytes long:"

I don't know whether the limitation is in Clam's current database format or
in the current signature.

Andy




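The disagreement in this thread (Clam fires on a readme that quotes the EICAR string; NAI and Norton do not) comes down to whether a scanner matches the string anywhere or applies EICAR's own rule. The following is an added example, not ClamAV's code, that implements both checks side by side and runs them over constructed samples: the genuine test file, the same file with a trailing CRLF, a readme that embeds the string mid-file as in the NAI update, and a clean file. The whitespace tolerance (space, tab, CR, LF, Ctrl-Z, up to 128 bytes total) is taken from the EICAR page's definition of the test file.

```python
"""Strict vs. substring EICAR matching.

Added example; not ClamAV code.  Implements the rule quoted in the thread
(file starts with the 68-byte string and is exactly 68 bytes long, with
trailing whitespace tolerated up to 128 bytes) beside a naive substring
match, and compares them on constructed samples.
"""

# Built from two adjacent literals so this source file does not itself
# contain the contiguous 68-byte signature (which would make it a test file).
EICAR = ("X5O!P%@AP[4\\PZX54(P^)7CC)7}"
         "$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*").encode("ascii")
EICAR_MAX_LEN = 128
EICAR_TRAILER = b" \t\r\n\x1a"      # whitespace the EICAR definition allows after the string


def substring_match(data):
    """Naive rule: the signature occurs somewhere in the file."""
    return EICAR in data


def strict_eicar(data):
    """EICAR's own rule: the file starts with the signature, is at most
    128 bytes long, and everything after the 68 bytes is whitespace."""
    if not data.startswith(EICAR) or len(data) > EICAR_MAX_LEN:
        return False
    return data[len(EICAR):].strip(EICAR_TRAILER) == b""


# Constructed samples: the real test file, the same with CRLF, a readme that
# quotes the string mid-file (the NAI update case), and a clean file.
SAMPLES = {
    "eicar.com": EICAR,
    "eicar_crlf.com": EICAR + b"\r\n",
    "readme.txt": (b"To make a test file, save this line as eicar.com:\n"
                   + EICAR + b"\nThen scan it.\n"),
    "notes.txt": b"nothing to see here\n",
}


def verdicts(samples=SAMPLES):
    """Map file name -> (substring_match, strict_eicar) for each sample."""
    return {name: (substring_match(d), strict_eicar(d)) for name, d in samples.items()}


if __name__ == "__main__":
    for name, (loose, strict) in verdicts().items():
        print("%-15s substring=%-5s strict=%s" % (name, loose, strict))
```

Under the strict rule only the two standalone test files are detected and the readme passes, which is the NAI/Norton behaviour; the substring rule also flags the readme, which is what Clam did here. Which one a scanner should implement is the question the thread raises; the code only makes the two candidate rules explicit.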


[Clamav-users] pipechk: [kegger:clamav-virus-list] (fwd)

2004-03-15 Thread clamav

Has the Ladmar.A virus been merged as a different virus?  The count went 
down by 1 and Ladmar was removed.  Any ideas?

-- 
Eric Wheeler
Vice President
National Security Concepts, Inc.
PO Box 3567
Tualatin, OR 97062

http://www.nsci.us/
Voice: (503) 293-7656
Fax:   (503) 885-0770


-- Forwarded message --
Date: Mon, 15 Mar 2004 12:14:56 -0800 (PST)
To: [EMAIL PROTECTED]
From: root <[EMAIL PROTECTED]>
Subject: pipechk: [kegger:clamav-virus-list]

pipechk v.14 copyright (c) 2001-2002 Eric Wheeler, all rights reserved.
--- diff output of kegger:clamav-virus-list (2 seconds) ---
40447d40446
< W32.Ladmar.A





Re: [Clamav-users] W32.Beable@mm!rar getting through?

2004-03-15 Thread Tomasz Kojm
On Mon, 15 Mar 2004 12:35:17 -0500
"Kevin Hanser" <[EMAIL PROTECTED]> wrote:

> We just recently got a message sent to us that's infected w/the
> [EMAIL PROTECTED] virus (that's what norton/symantec calls it).  For
> some reason, clamAV doesn't seem to be catching this virus.  I ran a
> saved copy of the message thru the online clamAV @
> http://www.gietl.com/test-clamav/ and it didn't detect it either.
> However, when I scan the saved message file on my windoze pc using
> Norton AV, it detects the virus!
>  
> Any idea why ClamAV is letting this through  I've been impressed
> w/the speed @ which the virus DB is kept up to date, so this is a
> strange anomaly indeed...
>  
> thx!!

Consider submitting that sample on our website...

-- 
   oo. Tomasz Kojm <[EMAIL PROTECTED]>
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Mon Mar 15 21:19:10 CET 2004




[Clamav-users] RE: msg-Private data not null

2004-03-15 Thread Alex S Moore
Been having problems lately.  Using clamav-milter on Solaris 9 with version
0.67-1 (whatever the latest release is).  It has been working brilliantly
for months.  Recently, I started getting a mail.warning message: ClamAv:
Private data not NULL.  After this starts, the thread count continues to
grow and I start getting timeouts.

I built the clamav pkg from CVS source a few minutes ago and the same thing
is still occurring.  clamd.log shows no sign of a problem.  Here is the log
from the last startup to see what options I am using:

Mon Mar 15 14:35:54 2004 -> +++ Started at Mon Mar 15 14:35:54 2004
Mon Mar 15 14:35:54 2004 -> Log file size limited to 1048576 bytes.
Mon Mar 15 14:35:54 2004 -> Running as user clamav (UID 111, GID 111)
Mon Mar 15 14:35:54 2004 -> Reading databases from /opt/csw/share/clamav
Mon Mar 15 14:35:56 2004 -> Protecting against 20482 viruses.
Mon Mar 15 14:35:56 2004 -> Unix socket file
/opt/csw/share/clamav/clamd.sock
Mon Mar 15 14:35:56 2004 -> Setting connection queue length to 15
Mon Mar 15 14:35:56 2004 -> Archive: Archived file size limit set to
10485760 bytes.
Mon Mar 15 14:35:56 2004 -> Archive: Recursion level limit set to 5.
Mon Mar 15 14:35:56 2004 -> Archive: Files limit set to 1000.
Mon Mar 15 14:35:56 2004 -> Archive: Compression ratio limit set to 200.
Mon Mar 15 14:35:56 2004 -> Archive support enabled.
Mon Mar 15 14:35:56 2004 -> RAR support disabled.
Mon Mar 15 14:35:56 2004 -> Mail files support enabled.
Mon Mar 15 14:35:56 2004 -> OLE2 support disabled.
Mon Mar 15 14:35:56 2004 -> Self checking every 3600 seconds.


Help?
Alex



Re: [Clamav-users] Great surprise!!! CLAMAV is showing virus into Notepad.exe on Windows 98 CD provided by Microsoft.

2004-03-15 Thread Bit Fuzzy
Which versions are you seeing this under?

I've tested notepad.exe from 98, ME, and XP Pro and show no virus result for
it.

It is possible that the files are indeed infected.

My suggestion, before writing it off as an error on ClamAV's part, is to take
the Win machine in question and perform a web scan via Trend Micro, Norton, or
McAfee.

KenC

- Original Message - 
From: "chirag gandhi" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, March 15, 2004 11:01 AM
Subject: [Clamav-users] Great surprise!!! CLAMAV is showing virus into
Notepad.exe on Windows 98 CD provided by Microsoft.


> I have successfully installed CLAMAV on my Linux
> machine and updated its virus database. To check
> its efficiency I mounted my Windows drive and
> scanned it using clamscan. Surprisingly, I got a
> virus warning on notepad.exe: it was shown as
> infected by W32.Ladmar.A. However, I already have
> Norton Corporate Edition with the latest updates
> installed on my Windows system. So I went to
> Windows and checked notepad.exe for viruses using
> Norton. Norton showed no virus, but CLAMAV does
> on Linux. I also checked notepad.exe extracted from
> the Windows .cab file on the CD provided by
> Microsoft. CLAMAV still shows a virus warning.
>
> On the URL
>
> http://clamav.ozforces.com/database/viruses.db2
>
> the virus signature for W32.Ladmar.A is present in
> notepad.exe. So, is the virus present in
> notepad.exe, or does CLAMAV's virus database contain a wrong
> signature?
>
> Thanks,
> Chirag Gandhi
>
>


Re: [Clamav-users] MIME problem?

2004-03-15 Thread Thomas Lamy
Stuart Mycock schrieb:

Hi all,

RAV caught a bounced message sample containing Worm.SomeFool.Gen-2
(Netsky.B) but neither clamd nor 'clamdscan --mbox' could find the infection;
I presume this is an issue with the MIME handling?
When I rip out the attachment manually it detects the virus fine.

Shall I submit the sample anyway? I don't want to waste anyone's time if
this is something that's already being dealt with?
I run 0.67-1 in production but have also tried an mbox scan with
clamav-devel-20040315.
Cheers,

Stuart.

Please submit the raw message either to me or to Nigel Horne 
([EMAIL PROTECTED]) for examination.

Thank you!

Thomas Lamy


RE: [Clamav-users] Bagle.N Virus cannot be detected by local clam scan

2004-03-15 Thread McDonald, Dan
From: Ling Ho [mailto:[EMAIL PROTECTED]
> One of my users (and possibly another) received a mail with an attachment
> Document.zip and password in a jpeg file. McAfee detected it as Bagle.N and
> the ClamAV website detected it as Worm.Bagle.Gen-zippwd-2. However, when
> I ran clamscan on my Linux mail server with update 185, it doesn't detect
> the mail. 185 is the latest update I have at this point. The clamscan
> version is 0.65.

You need clamav 0.67, and if you are using amavis-new, you have to either
patch it or hack it to scan the "raw" mail file in addition to the parts.



RE: [Clamav-users] Bagle.N Virus cannot be detected by local clamscan

2004-03-15 Thread Jim Maul


> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Ling Ho
> Sent: Monday, March 15, 2004 2:06 PM
> To: [EMAIL PROTECTED]
> Subject: [Clamav-users] Bagle.N Virus cannot be detected by local
> clamscan
> 
> 
> Hi
> 
> One of my users (and possibly another) received a mail with an attachment
> Document.zip and password in a jpeg file. McAfee detected it as Bagle.N and
> the ClamAV website detected it as Worm.Bagle.Gen-zippwd-2. However, when
> I ran clamscan on my Linux mail server with update 185, it doesn't detect
> the mail. 185 is the latest update I have at this point. The clamscan
> version is 0.65.
> 
> 

I believe upgrading to 0.67 will solve this problem.

Jim



Re: [Clamav-users] Embedded EICAR handling

2004-03-15 Thread Martin A. Brooks
At 20:02 15/03/2004, you wrote:
Clam's behaviour is incorrect because the Eicar test file page
(http://www.eicar.org/anti_virus_test_file.htm) states:
"Any anti-virus product that supports the test file should detect it in any
file providing that the file starts with the following 68 characters, and is
exactly 68 bytes long:"
If anyone's interested, I've put a copy of this text file here:

http://www.clues.ltd.uk/nai.txt

Regards

Martin A. Brooks, Clues Ltd.
http://www.clues.ltd.uk/



Re: [Clamav-users] Bagle.N Virus cannot be detected by localclamscan

2004-03-15 Thread redragon
Forgive me if this sounds silly.

I completely understand the problem with the password protected archives but
would like to make a suggestion.

Can we take confirmed protected zips and md5sum them and have that sum added
to av database?

Granted, I don't really have any idea how the signature system works because I
just haven't had the time to pry into it (one day!!), but is this a
possibility for detecting the password protected archives?

Carl

- Original Message -
From: "Mike Cathey" <[EMAIL PROTECTED]>
To: "Clamav-users" <[EMAIL PROTECTED]>
Sent: Monday, March 15, 2004 1:51 PM
Subject: Re: [Clamav-users] Bagle.N Virus cannot be detected by
localclamscan


> On Mon, 2004-03-15 at 14:06, Ling Ho wrote:
> > Anyone has this problem?
>
> Try with --mbox
>
> Cheers,
>
> Mike

Re: [Clamav-users] Bagle.N Virus cannot be detected by local clamscan

2004-03-15 Thread Ling C. Ho
Found that clamdscan/clamd was able to detect the virus. My amavis-new 
setup was using clamscan, not clamd. Now that I changed to clamd, the 
virus can be detected properly. I probably need to update the clamscan 
myself, not rely on Fedora site.
Sorry for the earlier post.

Thanks
...
ling
Ling Ho wrote:

Hi

One of my users (and possibly another) received a mail with an attachment
Document.zip and password in a jpeg file. McAfee detected it as Bagle.N and
the ClamAV website detected it as Worm.Bagle.Gen-zippwd-2. However, when I ran
clamscan on my Linux mail server with update 185, it doesn't detect the mail.
185 is the latest update I have at this point. The clamscan version is 0.65.
Anyone has this problem?

Thanks
...
ling



Re: [Clamav-users] Bagle.N Virus cannot be detected by localclamscan

2004-03-15 Thread Antony Stone
On Monday 15 March 2004 9:49 pm, redragon wrote:

> I completely understand the problem with the password protected archives
> but would like to make a suggestion.
>
> Can we take confirmed protected zips and md5sum them and have that sum
> added to av database?

They are not the same each time.

Antony.

-- 
This email was created using 100% recycled electrons.

 Please reply to the list;
   please don't CC me.




RE: [Clamav-users] W32.Beable@mm!rar getting through?

2004-03-15 Thread Kevin Hanser
I'd love to submit the sample :)

I just need some help in doing it, since I'm not sure exactly how to do
it.  What I currently have is a MIME-encoded message that has the virus
attachment in it.  Do I submit the entire message, or just the
attachment?

If someone could give me a quick submission howto for newbie submitters,
that'd be great :)

Thx

k 

-Original Message-
From: Tomasz Kojm [mailto:[EMAIL PROTECTED] 
Sent: Monday, March 15, 2004 15:22
To: [EMAIL PROTECTED]
Subject: Re: [Clamav-users] [EMAIL PROTECTED] getting through?

On Mon, 15 Mar 2004 12:35:17 -0500
"Kevin Hanser" <[EMAIL PROTECTED]> wrote:

> We just recently got a message sent to us that's infected w/the 
> [EMAIL PROTECTED] virus (that's what norton/symantec calls it).  For 
> some reason, clamAV doesn't seem to be catching this virus.  I ran a 
> saved copy of the message thru the online clamAV @ 
> http://www.gietl.com/test-clamav/ and it didn't detect it either.
> However, when I scan the saved message file on my windoze pc using 
> Norton AV, it detects the virus!
>  
> Any idea why ClamAV is letting this through?  I've been impressed 
> w/the speed @ which the virus DB is kept up to date, so this is a 
> strange anomaly indeed...
>  
> thx!!

Consider submitting that sample on our website...

-- 
   oo. Tomasz Kojm <[EMAIL PROTECTED]>
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Mon Mar 15 21:19:10 CET 2004




Re: [Clamav-users] pipechk: [kegger:clamav-virus-list] (fwd)

2004-03-15 Thread Kevin Spicer
On Mon, 2004-03-15 at 20:20, [EMAIL PROTECTED] wrote:
> 
> Has the Ladmar.A virus been merged as a different virus?  The count went 
> down by 1 and Ladmar was removed.  Any ideas?
> 
It was temporarily removed due to a false positive.  You can keep track
of additions and removals by subscribing to the clamav-virusdb list, or
by checking the archive at
http://news.gmane.org/gmane.comp.security.virus.clamav.virusdb 

(Also in the case of this false positive there was a discussion about it
on this list a few hours ago).




BMRB International 
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_
This message (and any attachment) is intended only for the 
recipient and may contain confidential and/or privileged 
material.  If you have received this in error, please contact the 
sender and delete this message immediately.  Disclosure, copying 
or other action taken in respect of this email or in 
reliance on it is prohibited.  BMRB International Limited 
accepts no liability in relation to any personal emails, or 
content of any email which does not directly relate to our 
business.





RE: [Clamav-users] W32.Beable@mm!rar getting through?

2004-03-15 Thread Jason Balicki

>If someone could give me a quick submission howto for newbie 
>submitters,
>that'd be great :)

Go here:

http://www.nervous.it/~nervous/cgi-bin/sendvirus.cgi

It's really self-explanatory after that.

--J(K)




Re: [Clamav-users] Bagle.N Virus cannot be detected by local clamscan

2004-03-15 Thread Ling C. Ho
Hi

Sorry, I didn't see this post before I posted a reply to my own post.
The --mbox option seems to work for clamscan too.
Thanks Mike.

...
ling
Mike Cathey wrote:

On Mon, 2004-03-15 at 14:06, Ling Ho wrote:
 

Anyone has this problem?
   

Try with --mbox

Cheers,

Mike




Re: [Clamav-users] pipechk: [kegger:clamav-virus-list] (fwd)

2004-03-15 Thread Daniel J McDonald
On Mon, 2004-03-15 at 14:20, [EMAIL PROTECTED] wrote:
> Has the Ladmar.A virus been merged as a different virus?  The count went 
> down by 1 and Ladmar was removed.  Any ideas?

It's been picking up false positives.
-- 
Daniel J McDonald <[EMAIL PROTECTED]>
Austin Energy




[Clamav-users] Scanning LAN for virus activity?

2004-03-15 Thread Michael St. Laurent
I was reading about the String module for iptables in Linux Journal over the
weekend and it occurred to me that this could be used for scanning the LAN
for the presence of an infected system.

Does anyone know if such a tool exists?  We're seeing *much* higher network
activity lately than in the past and it makes me nervous.

-- 
Michael St. Laurent
Hartwell Corporation



Re: [Clamav-users] Embedded EICAR handling

2004-03-15 Thread Tomasz Kojm
On Mon, 15 Mar 2004 20:02:49 + (GMT)
Andy Fiddaman <[EMAIL PROTECTED]> wrote:

> 
> 
> On Mon, 15 Mar 2004, Martin A. Brooks wrote:
> ; Part of the text file is a boilerplate set of instructions on how to make
> ; an EICAR test file.  Clam detects this signature and marks the file as
> ; being infected.  NAI and Norton AV do not.
> ;
> ; I'm undecided as to which action is correct and would therefore appreciate
> ; other opinions.
> 
> Clam's behaviour is incorrect because the Eicar test file page
> (http://www.eicar.org/anti_virus_test_file.htm) states:
> "Any anti-virus product that supports the test file should detect it
> in any file providing that the file starts with the following 68
> characters, and is exactly 68 bytes long:"
> 
> I don't know whether the limitation is in Clam's current database
> format or in the current signature.

Hopefully that will be fixed in 0.80.

-- 
   oo. Tomasz Kojm <[EMAIL PROTECTED]>
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Tue Mar 16 00:00:56 CET 2004




Re: [Clamav-users] Scanning LAN for virus activity?

2004-03-15 Thread Antony Stone
On Monday 15 March 2004 10:46 pm, Michael St. Laurent wrote:

> I was reading about the String module for iptables in Linux Journal over
> the weekend and it occurred to me that this could be used for scanning the
> LAN for the presence of an infected system.

The String match in netfilter is not that great - it has too many limitations 
which cause it to fail to match things you would like (the most obvious of 
which are that it can't match strings split across packet boundaries, and it 
can only match the literal content of packets, so if a packet contains 
compressed data (eg: a gzipped http response) it won't match what you think 
that data represents).

A better starting point for this sort of thing would be Snort, since this is 
designed to deal with packet contents, and raise alerts on the basis of what 
it finds - the String match in netfilter is much more of an add-on to a tool 
which really works at a much lower layer than the application data you're 
interested in.

Regards,

Antony.

-- 
RTFM may be the appropriate reply, but please specify exactly which FM to R.

 Please reply to the list;
   please don't CC me.




Re: [Clamav-users] Ladmar virus?

2004-03-15 Thread Laurent Wacrenier
Denis De Messemacker wrote:
> On Mon, Mar 15, 2004 at 10:01:00AM -0600, Keith Murphy wrote :
> > I'm suddenly seeing this:
> > 
> > clamscan Notepad.exe
> > Notepad.exe: W32.Ladmar.A FOUND

(...)
 
> Please submit this executable in the web submission interface as 'false
> virus'. Then we will process it shortly.

I'm unsure whether Microsoft's Notepad.exe may be copied without breaking
some copyright.




Re: [Clamav-users] Bagle.N Virus cannot be detected by localclamscan

2004-03-15 Thread Daniel J McDonald
On Mon, 2004-03-15 at 15:49, redragon wrote:
> forgive me if this sounds silly.
> 
> I completely understand the problem with the password protected archives but
> would like to make a suggestion.
> 
> Can we take confirmed protected zips and md5sum them and have that sum added
> to av database?

Nope.  Each zip file is created on the fly and encrypted with a random
password.

-- 
Daniel J McDonald <[EMAIL PROTECTED]>
Austin Energy




Re: [Clamav-users] Bagle.N Virus cannot be detected by localclamscan

2004-03-15 Thread Mike Cathey
On Mon, 2004-03-15 at 16:49, redragon wrote:
> Granted, I don't really have any idea how the signature
> system works because I just haven't had the time to pry
> into it (one day!!), but is this a possibility for
> detecting the password protected archives?

No.  The md5sum of passworded zips would be different for
every password that was used.

Cheers,

Mike




[Clamav-users] FAO. List admins -- clamav-announce

2004-03-15 Thread Kevin Spicer

Would it be possible for posts to clamav-announce to be cross-posted
here please.  I imagine I'm not the only one here that didn't know about
0.68.

Cross posting to the users list seems to be fairly common among other
projects (it makes sense that anyone on the users list is going to want
to know about new releases).







Re: [Clamav-users] RE: msg-Private data not null

2004-03-15 Thread Alex S Moore
On Mon, 15 Mar 2004 14:45:27 -0600
Alex S Moore <[EMAIL PROTECTED]> wrote:

> Been having problems lately.  Using clamav-milter on Solaris 9 with
> version 0.67-1 (whatever the latest release is).  It has been working
> brilliantly for months.  Recently, I started getting a mail.warning
> message: ClamAv: Private data not NULL.  After this starts, the thread
> count continues to grow and I start getting timeouts.

I have not seen anything like this.  Now I am getting messages like:
Mar 15 17:13:57 mcsun1 clamav-milter[22196]: [ID 801443 mail.notice] hit
max-children limit (118 >= 2): waiting for some to exit

The only times that I have had this message, it was legit and the numbers
were like (4 >= 2), not (118 >= 2) and it straightened out when the load
decreased.  My mail arrives from POP3 accounts using fetchmail every 10
minutes or so.  The volume is only 450 - 500 messages a day.

I know of no changes that I made that could have this effect.  In fact, this
server rarely changes.

Help! Alex



Re: [Clamav-users] Scanning LAN for virus activity?

2004-03-15 Thread Lucas Albers
Use something like:
acidlab to detect scans,
or nessus/sara to actively scan your network for particular vulnerabilities.

Michael St. Laurent said:
> I was reading about the String module for iptables in Linux Journal over
> the
> weekend and it occurred to me that this could be used for scanning the LAN
> for the presence of an infected system.
>
> Does anyone know if such a tool exists?  We're seeing *much* higher
> network
> activity lately than in the past and it makes me nervous.
>
> --
> Michael St. Laurent
> Hartwell Corporation
>
>


-- 
Luke Computer Science System Administrator
Security Administrator,College of Engineering
Montana State University-Bozeman,Montana




Re: [Clamav-users] FAO. List admins -- clamav-announce

2004-03-15 Thread Antony Stone
On Monday 15 March 2004 11:29 pm, Kevin Spicer wrote:

> Would it be possible for posts to clamav-announce to be cross-posted
> here please.  I imagine I'm not the only one here that didn't know about
> 0.68.

I'm subscribed on clamav-announce as well as this list, and not only did I not 
know about 0.68, but I didn't know about 0.70 either, which I've just found 
after going to the website after seeing Kevin's posting...

> Cross posting to the users list seems to be fairly common among other
> projects (it makes sense that anyone on the users list is going to want
> to know about new releases).

I agree.   What are the current stable / development versions please?

Antony.

-- 
Wanted: telepath.   You know where to apply.

 Please reply to the list;
   please don't CC me.




Re: [Clamav-users] New varient of password compressed virus

2004-03-15 Thread Lucas Albers
Fajar A. Nugraha said:
> An interesting fact on ChangeLog:
>
> Thu Mar 11 21:50:32 CET 2004 (tk)
> -
>   * libclamav: rar: added support for encrypted archive (Encrypted.RAR)
>  detection
>

To make an obvious statement.
Clamav should add encrypted compression detection support for all formats
it supports.
As we will see more variants...
-- 
Luke Computer Science System Administrator
Security Administrator,College of Engineering
Montana State University-Bozeman,Montana




Re: [Clamav-users] password protected zip file

2004-03-15 Thread Jonathan Trott
Tomasz Kojm <[EMAIL PROTECTED]> wrote on 12/03/2004 00:07:01:

> On Thu, 11 Mar 2004 12:49:36 +1100
> Jonathan Trott <[EMAIL PROTECTED]> wrote:
> 
> > At the moment, if you put any virus inside an encrypted zip file, 
> > clamav reports that there isn't a virus in there, which is a false 
> > negative. Better to report that it couldn't be scanned than there 
> > wasn't a virus in there.
> 
> No, that's definitely not a false negative. Password protected viruses
> are not dangerous (and not interesting to us) as long as they don't
> distribute the password. But anyway you should check the
> --detect-encrypted option (CVS).

How can you determine that the password is being distributed with the 
message? How about the situation where a malicious hacker is trying to 
introduce a trojan into the network via email that contains a password 
protected zip file with the trojan inside? There wouldn't be a "password 
in the email" signature for that situation and clamav would have passed it 
as clean! Clamav should (as I assume the CVS option now does) report that 
the file could not be scanned, and let who/whatever has called clamav 
process the file as it sees fit. Do anything but report it as a clean 
file.
Thanks,
JT




[Clamav-users] Password Protected files and options..

2004-03-15 Thread Tim B
Ok,

I see now that .68 is out, and .70rc is out as well.

Right now I'm actually relying on the fact that clamscan coredumps on 
some rar files and exits with a nice exit code as it crashes, which seems 
to have prevented some of the new rar-encrypted viruses from passing 
through.

Would it be possible to get a special exit code if clamscan finds an 
encrypted or corrupt archive file for the next release?  Possibly .71?

So it would be something like this:
0 - Clean
1 - Virus Found
2 - Unscannable or password protected archive
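
The three-way status proposed here, and the point made earlier in the "password protected zip file" thread that an archive which cannot be opened must never be reported as clean, can both be implemented without any decryptor, because ZIP and RAR record encryption in their headers: bit 0 of a ZIP entry's general-purpose flag, and the LHD_PASSWORD (0x0004) / MHD_PASSWORD (0x0080) flags of RAR 2.x/3.x file and main headers. What follows is an added example written for this page, not ClamAV code: the two byte arrays are constructed samples (one stored entry named a.txt, no real malware), and the function and constant names are the example's own.

```c
/* Added example, not ClamAV code: header-only detection of password-protected
 * ZIP and RAR 2.x/3.x archives, mapped to the three-way exit status proposed
 * in this thread. Format constants are from the public ZIP and RAR 3 layouts. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { SCAN_CLEAN = 0, SCAN_VIRUS = 1, SCAN_UNSCANNABLE = 2 }; /* proposed clamscan codes */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* ZIP: find the end-of-central-directory record (it may be followed by a comment
 * of up to 64 KiB), then walk the central directory. Bit 0 of an entry's
 * general-purpose flag means the entry is encrypted.
 * Returns 1 if any entry is encrypted, 0 if none, -1 if not a usable ZIP. */
int zip_has_encrypted_entry(const uint8_t *buf, size_t len)
{
    size_t eocd, off;
    uint16_t i, n;
    if (len < 22) return -1;
    eocd = len - 22;
    while (memcmp(buf + eocd, "PK\x05\x06", 4) != 0) {
        if (eocd == 0 || len - eocd > 22 + 0xFFFF) return -1;
        eocd--;
    }
    n = rd16(buf + eocd + 10);               /* total entries */
    off = rd32(buf + eocd + 16);             /* central directory offset */
    for (i = 0; i < n; i++) {
        if (off > len || len - off < 46 || memcmp(buf + off, "PK\x01\x02", 4) != 0) return -1;
        if (rd16(buf + off + 8) & 0x0001) return 1;
        off += 46 + rd16(buf + off + 28) + rd16(buf + off + 30) + rd16(buf + off + 32);
    }
    return 0;
}

const uint8_t RAR_SIG[7] = { 'R', 'a', 'r', '!', 0x1a, 0x07, 0x00 };

/* RAR 2.x/3.x: walk the block chain (7-byte base header: CRC, type, flags, size).
 * MHD_PASSWORD (0x0080) on the main header (0x73) means the headers themselves
 * are encrypted; LHD_PASSWORD (0x0004) on a file header (0x74) means that file's
 * data is. LONG_BLOCK (0x8000) means a data area of ADD_SIZE/PACK_SIZE bytes
 * follows the header. Returns 1 encrypted, 0 not, -1 not a usable RAR. */
int rar_is_encrypted(const uint8_t *buf, size_t len)
{
    uint64_t off = 7;
    if (len < 7 || memcmp(buf, RAR_SIG, 7) != 0) return -1;
    while (off + 7 <= len) {
        const uint8_t *p = buf + off;
        uint8_t type = p[2];
        uint16_t flags = rd16(p + 3);
        uint64_t size = rd16(p + 5);
        if (size < 7) return -1;             /* corrupt header: would otherwise loop forever */
        if (flags & 0x8000) {
            if (off + 11 > len) return -1;
            size += rd32(p + 7);
            if (type == 0x74 && (flags & 0x0100) && off + 36 <= len)
                size += (uint64_t)rd32(p + 32) << 32;   /* LHD_LARGE: high 32 bits of PACK_SIZE */
        }
        if (type == 0x73 && (flags & 0x0080)) return 1;
        if (type == 0x74 && (flags & 0x0004)) return 1;
        if (type == 0x7b) break;             /* end-of-archive block */
        off += size;
    }
    return 0;
}

/* Map the header checks to the proposed exit codes. SCAN_VIRUS is the signature
 * scan's verdict; this only decides whether such a scan is possible at all. */
int classify_archive(const uint8_t *buf, size_t len)
{
    int r;
    if (len >= 4 && memcmp(buf, "PK\x03\x04", 4) == 0) r = zip_has_encrypted_entry(buf, len);
    else if (len >= 7 && memcmp(buf, RAR_SIG, 7) == 0) r = rar_is_encrypted(buf, len);
    else return SCAN_CLEAN;                  /* not an archive handled here: scan as a plain file */
    return r == 0 ? SCAN_CLEAN : SCAN_UNSCANNABLE;   /* encrypted or corrupt: never report "clean" */
}

/* Constructed samples (not real malware). ZIP: one stored entry "a.txt" holding
 * "hi"; local header at 0, central directory at 37, EOCD at 88; CRCs left zero. */
const uint8_t SAMPLE_ZIP[110] = {
    'P','K',3,4, 0x14,0, 0,0, 0,0, 0,0, 0x21,0, 0,0,0,0, 2,0,0,0, 2,0,0,0, 5,0, 0,0,
    'a','.','t','x','t', 'h','i',
    'P','K',1,2, 0x14,0, 0x14,0, 0,0, 0,0, 0,0, 0x21,0, 0,0,0,0, 2,0,0,0, 2,0,0,0,
    5,0, 0,0, 0,0, 0,0, 0,0, 0,0,0,0, 0,0,0,0, 'a','.','t','x','t',
    'P','K',5,6, 0,0, 0,0, 1,0, 1,0, 51,0,0,0, 37,0,0,0, 0,0 };
/* RAR 3: main header at 7, file header for "a.txt" at 20 with LONG_BLOCK|LHD_PASSWORD
 * (flag bytes at offset 23), 2 bytes of "packed" data, then the end-of-archive block. */
const uint8_t SAMPLE_RAR[66] = {
    'R','a','r','!',0x1a,0x07,0x00,
    0,0, 0x73, 0,0, 13,0, 0,0, 0,0,0,0,
    0,0, 0x74, 0x04,0x80, 37,0, 2,0,0,0, 2,0,0,0, 2, 0,0,0,0, 0,0,0,0, 29, 0x30, 5,0, 0x20,0,0,0,
    'a','.','t','x','t', 0xAA,0xBB,
    0,0, 0x7b, 0,0, 7,0 };

/* Exit status for a copy of the sample with the encryption flags set or cleared. */
int demo_exit_status(int rar, int encrypted)
{
    uint8_t buf[128];
    size_t n = rar ? sizeof SAMPLE_RAR : sizeof SAMPLE_ZIP;
    memcpy(buf, rar ? SAMPLE_RAR : SAMPLE_ZIP, n);
    if (rar && !encrypted) buf[23] &= 0xFB;               /* clear LHD_PASSWORD */
    if (!rar && encrypted) { buf[6] |= 1; buf[45] |= 1; } /* local + central flag bit 0 */
    return classify_archive(buf, n);
}

int main(void)
{
    printf("zip: plain=%d encrypted=%d   rar: plain=%d encrypted=%d\n",
           demo_exit_status(0, 0), demo_exit_status(0, 1),
           demo_exit_status(1, 0), demo_exit_status(1, 1));
    return 0;
}
```

The point of the `size < 7` and bounds checks is the same one Tim makes about the coredump: a truncated or deliberately corrupt header must fail closed (status 2), not crash the scanner and not fall through to "clean". A RAR whose headers are themselves encrypted (MHD_PASSWORD) is caught at the main header, before any file entry is visible.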




Re: [Clamav-users] LibClamAV Error: !Can't open /dev/urandom.

2004-03-15 Thread Fajar A. Nugraha
Edward W. Ray wrote:

Sorry, thought it was in the e-mail.

RH 9 Linux system running clamav v0.67

[EMAIL PROTECTED] root]# ls -l /dev/urandom 
crwxr-xr-x  1 root root  1,   9 Mar  9 17:22 /dev/urandom 


I can't say much about 0.67, but I know that I'm running the latest CVS 
snapshot version on Fedora Core 1 and it works great.
Try RPM packages. If that doesn't work, try 
http://www.clamav.net/snapshot/clamav-devel-latest.tar.gz.
Many problems were fixed in CVS. Perhaps this is one of them.

In case it matters (which it shouldn't), my /dev/urandom is
crw-r--r--  1 root root  1,   9 Mar 15 16:48 /dev/urandom
Regards,

Fajar



Re: [Clamav-users] OpenBSD clamav Port (0.67-1) RAR Files

2004-03-15 Thread Fajar A. Nugraha
Helmut Schneider wrote:

seems that the clamav Port (0.67-1) has problems with RAR Files (e.g.
Bagle.N): 

To avoid misunderstandings, I know the file is pwd, but clamav does not recognize the virus within the archive (maybe a DB problem)...


Sometimes the signatures were created using the complete mail, so 
clamscan won't recognize the attachment alone but it will recognize
the complete mail.

If you use clamscan, you can work around RAR errors using
   --unrar[=FULLPATH]   Enable support for .rar files
But since the RARs are password-protected, it's useless.
My suggestion is try feeding the complete virus mail to clamscan 
(instead of just the attachment), and see if it works.

Regards,

Fajar



Re: [Clamav-users] clamdscan - Some processes still hanging

2004-03-15 Thread Fajar A. Nugraha
Robert Blayzor wrote:

Having to run
freshclam on them all individually would seem like a waste.  Suggestions?
 

Local mirror? Just have one primary freshclam download *.cvd to the root 
directory of your local webserver. Then set up the other freshclams to point 
to that webserver (with the DatabaseMirror directive). To reduce lag, you 
could set up the secondary freshclams to check your local mirror more often 
(e.g. once every 30 minutes).

Regards,

Fajar
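
An added example of the two-tier layout just described, written for this page rather than taken from the freshclam.conf that ClamAV ships; the hostname and directories are assumptions. The primary fetches straight into the web server's document root so main.cvd and daily.cvd are served unchanged; every other host points DatabaseMirror at that server. Checks counts checks per day, so 48 is one every 30 minutes.

```conf
# primary: freshclam.conf on the one host that may reach the public mirrors.
# DatabaseDirectory is the web server's document root (assumed path), so the
# *.cvd files are served as-is from http://clamav-mirror.example.internal/
DatabaseDirectory /var/www/html/clamav
DatabaseMirror database.clamav.net
Checks 12

# every other host: freshclam.conf
# fetch from the internal mirror only, and poll it every 30 minutes (48/day)
DatabaseDirectory /usr/local/share/clamav
DatabaseMirror clamav-mirror.example.internal
Checks 48
MaxAttempts 3
```

Only the primary needs outbound HTTP; the rest talk to the internal server. Because freshclam checks the digital signature embedded in each CVD before installing it, a tampered or compromised internal mirror can withhold updates but cannot feed the other hosts a forged database.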



Re: [Clamav-users] RE: msg-Private data not null

2004-03-15 Thread Fajar A. Nugraha
Alex S Moore wrote:

Help! 

Since clamd's log isn't showing any problems, my guess is that it's a
clamav-milter or clamd ScanMail problem.

The clamav FAQ still states:

"A rogue mail locks up clamd when scanned and stops it from responding. 
What can I do?"

   Disable the ScanMail directive in clamav.conf. Our internal mail
   scanner is still in high development. You'd better rely upon the
   mime handling function of an external program (like qmail-scanner,
   exiscan, etc.) 

So my suggestion is to use another unpacker (or "glue") like amavis or 
mail scanner.

Regards,

Fajar





Re: [Clamav-users] Problems with clamd

2004-03-15 Thread Doug Hardie
On Mar 8, 2004, at 13:18, Doug Hardie wrote:

After a review of clamd/session.c and the developers forum archives I 
know what the cause of my problem is, but not necessarily why.  The 
version that works (clamd / ClamAV version devel-20040209', 
clamav-milter version '0.66m) does not use either poll or select.  At 
least neither is called directly.  All of the later versions use 
select and they fail - when calling poll.  So I suspect that on my 
system select is calling poll.  However, the time field is getting 
set to zero when the source code clearly indicates that it should be 
non-zero.  The time field is reset to a constant after each select 
call.  Recompiling with no optimization does not change the outcome 
so it's not likely to be an overlay either.  I am guessing that 
having quite a number of threads active may be too much for select, 
which may be getting them confused.  However, that's a wild guess.  I 
have no idea how to check that out.

Granted I am only working with one OS type/version, but it appears to 
me that neither poll nor select is required.  The accept seems to 
handle the situation fine by itself.

The above should have included both session.c and scanner.c.
I have been playing with .70rc and have finally found a way to create 
the problems above on a test system.  It's bizarre, but what I do is 
feed all the FreeBSD source to clamdscan and wait until top shows 
virtually no idle time.  Stopping the feed leaves clamd running and 
eating up all the processor.  Then I can run gdb on it.  It shows some 
(but not all) of the threads are hung around line 282 of cl_rndnum in 
others.c.  It is trying to read /dev/urandom and appears to be getting 
back zero bytes (or possibly a -1) and just sits in that loop forever.  
I can't imagine why urandom is failing as it doesn't seem to fail in 
any other application.  Unfortunately, I was not able on the first try 
to figure out how to print out bread.  gdb kept saying it didn't exist.  
I am tempted to insert the statement:

 if (bread <= 0) break;

after the read statement but don't know what side effects that might 
cause.  I'll probably give it a try and see what breaks.





Re: [Clamav-users] RE: msg-Private data not null

2004-03-15 Thread Alex S Moore
On Tue, 16 Mar 2004 09:32:37 +0700
"Fajar A. Nugraha" <[EMAIL PROTECTED]> wrote:

> The clamav FAQ still states:
> 
> "A rogue mail locks up clamd when scanned and stops it from responding. 
> What can I do?"
> 
> Disable the ScanMail directive in clamav.conf. Our internal mail
> scanner is still in high development. You'd better rely upon the
> mime handling function of an external program (like qmail-scanner,
> exiscan, etc.) 
> 
> So my suggestion is use another unpacker (or "glue") like amavis or mail 
> scanner.

Yes, good point.  This is the first time that I have run into this.  I have
MIMEDefang on another box.  MIMEDefang should meet the requirements.

Thanks, Alex




[Clamav-users] clamav very slow when scanning files with mostly 0xff

2004-03-15 Thread James
I'm currently using clamav 0.67, and I'm seeing clamav taking a long time 
scanning files with mostly 0xFFs.  

Normally the time it takes to scan a file is not a problem, but once in a while we 
receive a large, mostly white picture, and instead of the usual minute or so 
to scan a file, it takes 20+ mins to scan it.   This is happening on both 
Linux on Intel and Solaris on SPARC.

Just as a data point, I used clamscan to scan a 1M data file with random data 
and it took 3.6 sec, but a 1M file of all 0xFFs took 21 sec.

Has anyone else seen this problem?  

James





Re: [Clamav-users] Problems with clamd

2004-03-15 Thread Doug Hardie
On Mar 15, 2004, at 18:44, Doug Hardie wrote:

[...]
With that change clamd withstood the barrage of source thrown at it and 
returned eventually to zero CPU utilization.  If it would be of any 
help/interest I could put some form of logging in that check and see 
what the return was.
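
The loop described above, which the `if (bread <= 0) break;` escapes, is the general hazard of treating read(2) as though it always returns the number of bytes asked for: a short read has to be accumulated, EINTR retried, and a 0 (end of file) or -1 (error) handed back to the caller instead of looped on. The following is an added example written for this page, not ClamAV's cl_rndnum(): the function names are the example's own and the pipe used to provoke a short read and then EOF is constructed input. The reader is correct for any descriptor, not only /dev/urandom.

```c
/* Added example, not ClamAV's cl_rndnum(): read from /dev/urandom (or any
 * descriptor) without spinning when read() returns 0 or -1. Short reads are
 * accumulated, EINTR is retried, everything else is reported as failure. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Fill buf[0..len) from fd. Returns 0 on success, -1 on EOF or error. */
int read_random_fd(int fd, unsigned char *buf, size_t len)
{
    size_t got = 0;
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n > 0) { got += (size_t)n; continue; } /* short read: keep going */
        if (n == 0) return -1;                      /* EOF: never from urandom, real for a closed pipe */
        if (errno == EINTR) continue;               /* interrupted by a signal: retry */
        return -1;                                  /* EBADF, EAGAIN, EIO, ...: give up, do not spin */
    }
    return 0;
}

/* Open /dev/urandom, fill, close. Returns 0 on success, -1 on failure. */
int fill_random(unsigned char *buf, size_t len)
{
    int fd = open("/dev/urandom", O_RDONLY);
    int rc;
    if (fd < 0) return -1;
    rc = read_random_fd(fd, buf, len);
    close(fd);
    return rc;
}

/* Constructed input: 8 bytes go into a pipe and the writer closes it. The
 * first request (5 bytes) succeeds; the second (5 bytes) receives 3 and then
 * EOF, which must come back as -1 rather than an endless loop. Returns 1 if
 * both outcomes are as described, else 0. */
int demo_short_read_then_eof(void)
{
    int p[2], first, second;
    unsigned char buf[8];
    if (pipe(p) != 0) return 0;
    if (write(p[1], "01234567", 8) != 8) return 0;
    close(p[1]);
    first = read_random_fd(p[0], buf, 5);
    second = read_random_fd(p[0], buf, 5);
    close(p[0]);
    return first == 0 && second == -1 && memcmp(buf, "567", 3) == 0;
}

/* Two fills from /dev/urandom must both succeed and differ. Returns 1 or 0. */
int demo_urandom(void)
{
    unsigned char a[16], b[16];
    if (fill_random(a, sizeof a) != 0 || fill_random(b, sizeof b) != 0) return 0;
    return memcmp(a, b, sizeof a) != 0;
}

/* A bad descriptor: read() fails with EBADF and the loop must return -1 at once. */
int demo_bad_fd(void)
{
    unsigned char b[4];
    return read_random_fd(-1, b, sizeof b);
}

int main(void)
{
    printf("pipe demo: %s\n", demo_short_read_then_eof() ? "ok" : "FAILED");
    printf("urandom demo: %s\n", demo_urandom() ? "ok" : "FAILED");
    printf("bad fd demo: %s\n", demo_bad_fd() == -1 ? "ok" : "FAILED");
    return 0;
}
```

A caller that gets -1 from this should fail the operation that needed the random bytes (here, a temporary file name), not carry on with an uninitialised buffer. On FreeBSD, arc4random(3) avoids the device read altogether, and on Linux 3.17 and later getrandom(2) does the same.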





Re: [Clamav-users] FreeBSD and log rotation

2004-03-15 Thread Odhiambo Washington
* Bart Silverstrim <[EMAIL PROTECTED]> [20040316 01:46]: wrote:
> I'm running clamscan / ClamAV version 0.67-1 on FreeBSD 4.9 (clamav 
> from ports collection), using clamd to scan incoming email for viruses. 

I also run on FreeBSD 4.9-STABLE, but I have been running CVS code for
ages now. Interestingly, I have only had very very minor problems, so
I am extremely happy with ClamAV.


>  I have seen some people on the list say that clamd will stop working 
> if the maximum logfile size is hit?

Well, that was discussed, but they also gave solutions with the use of
logrotate.


> Is there anyone using newsyslog to rotate the logs for clamd, and if so 
> what is  your conf file line to do it?

BTW, there are new versions on the website, so go for them. There is an
entry in the Changelog from the CVS checkout I just did a few minutes
ago:


Tue Feb 17 17:09:24 GMT 2004 (trog)
---
  * clamd: SIGHUP re-open log file support


With that, I believe you could do the following in newsyslog.conf:

/var/log/clamav/clamd.log exim:mail 640  7 * @T00  Z /var/run/clamd.pid 1

> Is there something that has to be changed in clamav.conf also?

Yes, the PidFile specification must match the one you specify above.
I run clamd as user exim, in group mail. YMMV.

PS: I use daemontools to monitor clamd, and I use other methods to
rotate my log file, so don't blame me if the above approach makes
your box go up in flames ;)



cheers
   - wash 
+--+-+
Odhiambo Washington . WANANCHI ONLINE LTD (Nairobi, KE)  |
  . 1ere Etage, Loita Hse, Loita St.,  |
GSM: (+254) 722 743 223 . # 10286, 00100 NAIROBI |
GSM: (+254) 733 744 121 . (+254) 020 313 985 - 9 |
+-+--+
"Oh My God! They killed init! You Bastards!"  
 --from a /. post




[Clamav-users] Where is the "sock" file

2004-03-15 Thread Dilip M
Hi,

I have these RPMS installed .
# rpm -qa|grep clam
clamav-devel-0.67-1
clamav-0.67-1
Where is the "sock" file?

I searched the whole system; nowhere did I find a socket file for clamav.

-Thanks
-Dilip


--
I was born intelligent; education ruined me.



Re: [Clamav-users] Where is the "sock" file

2004-03-15 Thread Odhiambo Washington
* Dilip M <[EMAIL PROTECTED]> [20040316 09:10]: wrote:
> Hi,
> 
> I have these RPMS installed .
> # rpm -qa|grep clam
> clamav-devel-0.67-1
> clamav-0.67-1
> 
> 
> Where is the "sock" file ?

What is a "sock" file?
Do you have a file clamav.conf??



cheers
   - wash 
+--+-+
Odhiambo Washington . WANANCHI ONLINE LTD (Nairobi, KE)  |
  . 1ere Etage, Loita Hse, Loita St.,  |
GSM: (+254) 722 743 223 . # 10286, 00100 NAIROBI |
GSM: (+254) 733 744 121 . (+254) 020 313 985 - 9 |
+-+--+
"Oh My God! They killed init! You Bastards!"  
 --from a /. post




Re: [Clamav-users] Where is the "sock" file

2004-03-15 Thread Dilip M
On Tue, 16 Mar 2004 09:11:40 +0300, Odhiambo Washington 
<[EMAIL PROTECTED]> wrote:

* Dilip M <[EMAIL PROTECTED]> [20040316 09:10]: wrote:
Hi,

I have these RPMS installed .
# rpm -qa|grep clam
clamav-devel-0.67-1
clamav-0.67-1
Where is the "sock" file ?
What is a "sock" file?
Do you have a file clamav.conf??

I'm talking about the "socket" file.
Is there a way to connect to CLAM using a socket?
--
I was born intelligent; education ruined me.



Re: [Clamav-users] Problem in install ClamAV

2004-03-15 Thread Muhammad Kashif Muneer
Dear Sir,

I have checked both points that you mentioned but did not find any of
them. I have the conf file in /usr/local/etc/clamav.conf.
In this file I have the entry
LocalSocket /tmp/clamd

I also checked the location /var/run but did not find a folder clamav. It
means the installation did not create the clamav.sock file and did not create
a folder in /var/run. 

The socket file is not generated by the installation script. Now what can I
do?

Muhammad Kashif Muneer
Manager M.I.S.
Punjab Beverages Co. (Pvt.) Ltd.


-Original Message-
From: Thomas Carrié [mailto:[EMAIL PROTECTED] 
Sent: Sunday, March 14, 2004 8:56 PM
To: [EMAIL PROTECTED]; Muhammad Kashif Muneer
Subject: Re: [Clamav-users] Problem in install ClamAV

On Sunday 14 March 2004 12:45, Muhammad Kashif Muneer wrote:
> Dear Sir,
>
> I have installed ClamAV on my Redhat Linux 9.0 box. But I got a problem
> installing it as a mail scanner. Clamd is working fine and clamscan is
> also working, but in the startup boot log it displays the error
> Missing socket file

Some checks

Be sure that you have line like this "LocalSocket
/var/run/clamav/clamd.ctl" 
in /etc/clamav.conf and that the folder /var/run/clamav/ exists.

> And the mail scanner did not work. I have installed it by following the
> procedure
> ./configure
> make
> make install
>
> Can anybody tell me what the problem will be
>
> Muhammad Kashif Muneer
> Manager M.I.S.
> Punjab Beverages Co. (Pvt.) Ltd.
>
>
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.567 / Virus Database: 358 - Release Date: 24/01/2004

-- 

Thomas Carrié
GPG identity: 0285ED14

http://www.adullact.org/IMG/pdf/doc-157.pdf
http://www.lebars.org/sec/tcpa-faq.fr.html
http://www.pimientolinux.com/peru2ms/villanueva_to_ms.html
http://petition.eurolinux.org/pr/fr/pr17.html
http://aful.org/publi/articles/gilmore-copy-protection.html



Re: [Clamav-users] Ladmar virus?

2004-03-15 Thread Tomasz Kojm
On Mon, 15 Mar 2004 10:01:00 -0600
Keith Murphy <[EMAIL PROTECTED]> wrote:

> I'm suddenly seeing this:
> 
> clamscan Notepad.exe
> Notepad.exe: W32.Ladmar.A FOUND

Fixed - please run freshclam.

-- 
   oo. Tomasz Kojm <[EMAIL PROTECTED]>
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Mon Mar 15 20:52:00 CET 2004




[Clamav-users] sendmail does not use clamav ?!

2004-03-15 Thread Andrei Bucur
I have:
clamav 0.70 + sendmail 8.12.11 ... both with milter
clamscan detects OK

clamav seems to work:
Proto RefCnt Flags   Type   State I-Node Path
unix  2  [ ACC ] STREAM LISTENING 20612  /var/clamd/clamd-milter.sock
unix  2  [ ACC ] STREAM LISTENING 20318  /var/run/clamd.sock

I added the following lines to sendmail.mc:
INPUT_MAIL_FILTER(`clmilter',`S=local:/var/clamd/clamd-milter.sock, F=, T=S:4m;R:4m')dnl
define(`confINPUT_MAIL_FILTERS', `clmilter')

... generated sendmail.cf and restarted sendmail.
No errors in the log files!

When I test my clamav+sendmail ... NOT WORKING!
Does sendmail not use clamav, or what?

Thanks





Re: [Clamav-users] Where is the "sock" file

2004-03-15 Thread Fajar A. Nugraha
Dilip M wrote:

On Tue, 16 Mar 2004 09:11:40 +0300, Odhiambo Washington 
<[EMAIL PROTECTED]> wrote:

I have these RPMS installed .
# rpm -qa|grep clam
clamav-devel-0.67-1
clamav-0.67-1
Where is the "sock" file ?


I'm talking about the "socket" file.
Is there a way to connect to CLAM using a socket?

Some package maintainers split clamav into several packages. Try looking 
for clamav-clamd or something similar.
If you can't find that, compile yourself from source (it's easy on Linux).
The socket location is configured in /etc/clamav.conf or 
/usr/local/etc/clamav.conf (look for the "LocalSocket" directive).
Don't forget to start clamd.

Regards,

Fajar
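
To answer the "is there a way to connect using a socket" part directly: yes, clamd listens on the Unix socket named by LocalSocket (or a TCP port via TCPSocket), and the stock client for it is clamdscan. The following added example, which is not part of ClamAV, shows the exchange from the client side: connect to the socket, send PING and expect PONG, and classify the one-line replies that SCAN returns so that anything other than an explicit OK is treated as not clean. The default path /tmp/clamd is the LocalSocket value quoted in the "Problem in install ClamAV" thread on this page; the function names are the example's own, and the reply lines exercised in its checks are constructed.

```c
/* Added example, not part of ClamAV or clamdscan: a minimal client for clamd's
 * Unix socket (the path given by LocalSocket in clamav.conf). */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

enum { REPLY_OK = 0, REPLY_FOUND = 1, REPLY_ERROR = 2, REPLY_UNKNOWN = -1 };

static int ends_with(const char *s, size_t n, const char *suf)
{
    size_t m = strlen(suf);
    return n >= m && memcmp(s + n - m, suf, m) == 0;
}

/* Classify one reply line from SCAN/CONTSCAN: "<path>: OK",
 * "<path>: <signature> FOUND" or "<path>: <reason> ERROR". Anything else,
 * including a truncated or empty reply, is REPLY_UNKNOWN and must not be
 * treated as "clean" by the caller. */
int clamd_classify_reply(const char *line)
{
    size_t n = strlen(line);
    while (n > 0 && (line[n - 1] == '\n' || line[n - 1] == '\r')) n--;
    if (ends_with(line, n, ": OK")) return REPLY_OK;
    if (ends_with(line, n, " FOUND")) return REPLY_FOUND;
    if (ends_with(line, n, " ERROR")) return REPLY_ERROR;
    return REPLY_UNKNOWN;
}

/* Connect to the LocalSocket path; returns a descriptor or -1. */
int clamd_connect(const char *sock_path)
{
    struct sockaddr_un sa;
    int fd;
    if (strlen(sock_path) >= sizeof sa.sun_path) return -1;
    memset(&sa, 0, sizeof sa);
    sa.sun_family = AF_UNIX;
    strcpy(sa.sun_path, sock_path);
    fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    if (connect(fd, (struct sockaddr *)&sa, sizeof sa) < 0) { close(fd); return -1; }
    return fd;
}

/* Send one command line and read one newline-terminated reply into buf.
 * Returns 0 on success, -1 if nothing came back. */
int clamd_command(int fd, const char *cmd, char *buf, size_t buflen)
{
    size_t got = 0, clen = strlen(cmd);
    if (write(fd, cmd, clen) != (ssize_t)clen) return -1;
    while (got + 1 < buflen) {
        ssize_t n = read(fd, buf + got, buflen - got - 1);
        if (n <= 0) break;
        got += (size_t)n;
        if (memchr(buf, '\n', got)) break;
    }
    buf[got] = '\0';
    return got > 0 ? 0 : -1;
}

/* PING the daemon: 1 = PONG received, 0 = connected but no PONG, -1 = cannot connect. */
int clamd_ping(const char *sock_path)
{
    char buf[64];
    int fd = clamd_connect(sock_path), rc;
    if (fd < 0) return -1;
    rc = clamd_command(fd, "PING\n", buf, sizeof buf) == 0 && strncmp(buf, "PONG", 4) == 0;
    close(fd);
    return rc;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/tmp/clamd";  /* LocalSocket value from the other thread */
    int r = clamd_ping(path);
    printf("%s: %s\n", path, r == 1 ? "PONG" : r == 0 ? "unexpected reply" : "cannot connect");
    return r == 1 ? 0 : 1;
}
```

Two practical points follow from the exchange. The socket file only exists while clamd is running, and the directory it lives in must exist and be writable by the user clamd runs as, which is why "start clamd" is part of the answer. And a SCAN command names a path that clamd itself opens, so the daemon's user needs read access to the file; when it does not, the reply is an ERROR line, which the classifier above keeps distinct from OK.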



Re: [Clamav-users] Where is the "sock" file

2004-03-15 Thread Odhiambo Washington
* Dilip M <[EMAIL PROTECTED]> [20040316 09:52]: wrote:
> On Tue, 16 Mar 2004 09:11:40 +0300, Odhiambo Washington 
> <[EMAIL PROTECTED]> wrote:
> 
> >* Dilip M <[EMAIL PROTECTED]> [20040316 09:10]: wrote:
> >>Hi,
> >>
> >>I have these RPMS installed .
> >># rpm -qa|grep clam
> >>clamav-devel-0.67-1
> >>clamav-0.67-1
> >>
> >>
> >>Where is the "sock" file ?
> >
> >What is a "sock" file?
> >Do you have a file clamav.conf??
> >
> >
> I'm talking about the "socket" file.
> Is there a way to connect to CLAM using a socket?


Very much! Go slowly and read the installation docs. The answers are
there. That is why I asked you if you even have a file called
clamav.conf. The fact that you are asking this question shows that
you obviously haven't read anything to do with install, or if you
did, you were in a great hurry, which is not good for you in the long
run.
I know soon someone here is gonna tell you to RTM. Badly enough, I
happen to have just done it;(


cheers
   - wash 
+--+-+
Odhiambo Washington . WANANCHI ONLINE LTD (Nairobi, KE)  |
  . 1ere Etage, Loita Hse, Loita St.,  |
GSM: (+254) 722 743 223 . # 10286, 00100 NAIROBI |
GSM: (+254) 733 744 121 . (+254) 020 313 985 - 9 |
+-+--+
"Oh My God! They killed init! You Bastards!"  
 --from a /. post




Re: [Clamav-users] Problem in install ClamAV

2004-03-15 Thread Fajar A. Nugraha
Muhammad Kashif Muneer wrote:

Dear Sir,

I have checked both points that you mentioned but did not find any of
them. I have the conf file in /usr/local/etc/clamav.conf.
In this file I have the entry
LocalSocket /tmp/clamd
I also checked the location /var/run but did not find a folder clamav. It
means the installation did not create the clamav.sock file and did not create
a folder in /var/run. 

 

It seems that you want to use clamav-milter, a program that "glues" clamav
to sendmail.
In that case, try reading

http://clamav.or.id/snapshot/docs/html/node28.html

(the doc pages of www.clamav.net are a little outdated).
You can also find recent documentation in the "docs"
folder of the clamav source.
Also read the INSTALL file in the clamav-milter directory
of the source package.
In short, running ./configure && make && make install is
not enough.
Regards,

Fajar
