[Clamav-users] Re: password .zips
Thanks. The clamav way is fine w/me. I can also go the amavisd route (glad I updated it a few days ago).

Which version for clamav? I'm at .68-1

[EMAIL PROTECTED] mergy]$ clamscan -V
clamscan / ClamAV version 0.68-1
[EMAIL PROTECTED] mergy]$

jonathan mergy
[EMAIL PROTECTED]

Tomasz Kojm <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
03/18/04 07:08 PM
Please respond to [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
cc:
Subject: Re: [Clamav-users] (newbie on list - don't hit me) -> password .zips

On Fri, 19 Mar 2004 13:57:09 +1100
Jonathan Trott <[EMAIL PROTECTED]> wrote:

> > On Thu, 18 Mar 2004 13:31:41 -0800, "Jonathan Mergy" <[EMAIL PROTECTED]>
> > wrote:
> >
> > I just joined the list and have been using clamav with my
> > postfix/amavisd/spamasassin system for a while now.
> >
> > I read some items in the list archives about the passworded zip
> > problems.
> > What is the status on this and how can I help?
> As long as you are using amavisd-new-20030616-p8 you can add the
> following setting to block all encrypted archives:
>
> $banned_filename_re = new_RE(
>   qr'^UNDECIPHERABLE$',  # is or contains any undecipherable components
> );

No need for that. ClamAV is able to detect encrypted archives created by
Bagle.

-- 
   oo .      Tomasz Kojm <[EMAIL PROTECTED]>
  (\/)\.     http://www.ClamAV.net/gpg/tkojm.gpg
     \..._   0DCA5A08407D5288279DB43454822DC8985A444B
     //\ /\  Fri Mar 19 04:07:47 CET 2004
[Clamav-users] clamd, minor bug with logging
Hello.

I know that clamd has 2 bugs.

I can't say more about the first (I sent some information about it to bugs#clamav.net some days ago and to Nigel Horne today), but first explore the second: some logged messages do not have "\n". Log examples:

Thu Mar 18 18:06:06 2004 -> ERROR: pthread_create failedThu Mar 18 18:06:06 2004 -> ERROR: pthread_create failedThu Mar 18 18:06:06 2004 -> ERROR: pthread_create failed

Tue Mar 16 18:52:25 2004 -> ERROR: accept() failed: Too many open filesTue Mar 16 18:52:25 2004 -> ERROR: accept() failed: Too many open filesTue Mar 16 18:52:25 2004 -> ERROR: accept() failed: Too many open files

-- 
Regards, Sergey

---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration. http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users
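Added example (not part of the original post, and not ClamAV code): a Python sketch that re-splits clamd log records run together by the missing "\n" reported above, then flags resource-exhaustion errors that repeat within the same second. The record layout comes from the log examples in the post; the function names, the burst threshold and the last sample line are assumptions made for illustration.

```python
import re
from collections import Counter

# A clamd record starts with a ctime-style stamp followed by " -> ", e.g.
# "Thu Mar 18 18:06:06 2004 -> ERROR: pthread_create failed".
STAMP = re.compile(
    r"(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) "
    r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) "
    r"[ \d]\d \d{2}:\d{2}:\d{2} \d{4} -> "
)

# The two messages quoted in the post; both mean clamd ran out of a resource.
RESOURCE_ERRORS = (
    "pthread_create failed",
    "accept() failed: Too many open files",
)


def split_records(text):
    """Return (timestamp, message) tuples, one per logical record.

    Records written without a trailing newline are separated on the next
    timestamp. Text with no timestamp in front of it gets timestamp None.
    """
    records = []
    for line in text.splitlines():
        matches = list(STAMP.finditer(line))
        if not matches:
            if line.strip():
                records.append((None, line.strip()))
            continue
        head = line[:matches[0].start()].strip()
        if head:
            records.append((None, head))
        for i, m in enumerate(matches):
            end = matches[i + 1].start() if i + 1 < len(matches) else len(line)
            stamp = m.group(0)[:-4]          # drop the trailing " -> "
            records.append((stamp, line[m.end():end].strip()))
    return records


def resource_error_bursts(records, threshold=3):
    """Map (timestamp, message) -> count for resource errors seen at least
    `threshold` times in the same second (threshold is an assumed default)."""
    counts = Counter(
        (stamp, msg)
        for stamp, msg in records
        if msg.startswith("ERROR: ") and msg[len("ERROR: "):] in RESOURCE_ERRORS
    )
    return {key: n for key, n in counts.items() if n >= threshold}


# First two lines are the run-together examples from the post; the third
# line is constructed to show that a normal record passes through unchanged.
SAMPLE = (
    "Thu Mar 18 18:06:06 2004 -> ERROR: pthread_create failed"
    "Thu Mar 18 18:06:06 2004 -> ERROR: pthread_create failed"
    "Thu Mar 18 18:06:06 2004 -> ERROR: pthread_create failed\n"
    "Tue Mar 16 18:52:25 2004 -> ERROR: accept() failed: Too many open files"
    "Tue Mar 16 18:52:25 2004 -> ERROR: accept() failed: Too many open files"
    "Tue Mar 16 18:52:25 2004 -> ERROR: accept() failed: Too many open files\n"
    "Fri Mar 19 09:00:00 2004 -> SelfCheck: Database status OK.\n"
)

if __name__ == "__main__":
    recs = split_records(SAMPLE)
    for stamp, msg in recs:
        print(stamp, "|", msg)
    for (stamp, msg), n in resource_error_bursts(recs).items():
        print(f"burst x{n} at {stamp}: {msg}")
```

A line-oriented log monitor would count each run-together line once; splitting first keeps the per-second error counts accurate.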
Re: [Clamav-users] pthreads instability?
On Friday 19 March 2004 04:45, Todd Lyons wrote:

> On a stock RedHat 9.0 box (3 boxen load balanced) with updated kernel
> (2.4.20-20.9smp), I have stability problems with clamd.
>
> I'm using sendmail -> clamav-milter -> clamd. Our mail servers accept
> about 50K mail per day (each box), of which about 35K gets rejected by
> spamassassin before it ever reaches clamav. It seems that clamd runs
> between 1-3 hours and then dies with a segfault.

Possibly it's similar to my problem... What is in clamd.log at this time?

In my logs:

Tue Mar 16 18:52:25 2004 -> ERROR: accept() failed: Too many open files

on 2.2 kernel and

Thu Mar 18 18:06:06 2004 -> ERROR: pthread_create failed

on 2.4 kernel

mail traffic is similar too (sometimes it is more than one message per second; middle in day about 100K)

-- 
Regards, Sergey
Re: [Clamav-users] Re: password .zips
I'm using the latest ClamAv from CVS, "2004-03-18".

How do I change so ClamAv either scans or removes password protected zip files?
And is there any solution out for the "RAR module failure"?

- Original Message -
From: Jonathan Mergy
To: [EMAIL PROTECTED]
Sent: Friday, March 19, 2004 8:20 AM
Subject: [Clamav-users] Re: password .zips

Thanks. The clamav way is fine w/me. I can also go the amavisd route (glad I updated it a few days ago).

Which version for clamav? I'm at .68-1

[EMAIL PROTECTED] mergy]$ clamscan -V
clamscan / ClamAV version 0.68-1
[EMAIL PROTECTED] mergy]$

jonathan mergy
[EMAIL PROTECTED]

Tomasz Kojm <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
03/18/04 07:08 PM
Please respond to [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
cc:
Subject: Re: [Clamav-users] (newbie on list - don't hit me) -> password .zips

On Fri, 19 Mar 2004 13:57:09 +1100
Jonathan Trott <[EMAIL PROTECTED]> wrote:

> > On Thu, 18 Mar 2004 13:31:41 -0800, "Jonathan Mergy" <[EMAIL PROTECTED]>
> > wrote:
> >
> > I just joined the list and have been using clamav with my
> > postfix/amavisd/spamasassin system for a while now.
> >
> > I read some items in the list archives about the passworded zip
> > problems.
> > What is the status on this and how can I help?
> As long as you are using amavisd-new-20030616-p8 you can add the
> following setting to block all encrypted archives:
>
> $banned_filename_re = new_RE(
>   qr'^UNDECIPHERABLE$',  # is or contains any undecipherable components
> );

No need for that. ClamAV is able to detect encrypted archives created by
Bagle.

-- 
   oo .      Tomasz Kojm <[EMAIL PROTECTED]>
  (\/)\.     http://www.ClamAV.net/gpg/tkojm.gpg
     \..._   0DCA5A08407D5288279DB43454822DC8985A444B
     //\ /\  Fri Mar 19 04:07:47 CET 2004
Re: [Clamav-users] SFX-RAR files
with 0.68 all ok
thanks

- Original Message -
From: "Thomas Lamy" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, March 18, 2004 11:49 AM
Subject: Re: [Clamav-users] SFX-RAR files

> daniele wrote:
>
> > From: "Michael L Torrie" <[EMAIL PROTECTED]>
> >
> >>On Wed, 2004-03-17 at 06:51, Tomasz Kojm wrote:
> >>
> >>>On Wed, 17 Mar 2004 12:53:43 +0100
> >>>"daniele" <[EMAIL PROTECTED]> wrote:
> >>>
> >>>>I've installed clamav-0.60 and also 0.65 , but when sendmail must send
> >>>>a message with file .exe creates with winrar 3.x, it doesn't permit
> >>>>the operation because founds a trojan.orcamento virus in the
> >>>>archive (not if created with winrar 2.x)
> >>>
> >>>Update your database !
> >>
> > I've upgrade the database...but it doesn't change
> >
>
> Then please submit one of those files on http://www.clamav.net/ and mark
> them as false positive.
>
> Thank you
> Thomas
[Clamav-users] amavis installed, no more mails
Hi,

I try to use amavis with postfix.
1st try, no more mail transmitted to the local mailboxes so I decide to configure

after trying to configure amavis for my domaine (wehowski.com), I can no more start amavis.
here are the messages I receive when I try to start the service.

Starting Mail Virus Scanner (amavisd): Error in config file /etc/amavisd.conf:
Global symbol "@localhost" requires explicit package name at /etc/amavisd.conf line 463.
Global symbol "@domaine" requires explicit package name at /etc/amavisd.conf line 496.
Global symbol "@domaine" requires explicit package name at /etc/amavisd.conf line 497.
Global symbol "@domaine" requires explicit package name at /etc/amavisd.conf line 498.

Here are the lines "I suppose" to be concerned

@local_domains_acl = ( "domaine.pw", 'wehowski.com' ); # $mydomain and its subdomains
$virus_admin = "[EMAIL PROTECTED]"; # line 463
$mailfrom_notify_admin = "[EMAIL PROTECTED]"; # line496
$mailfrom_notify_recip = "[EMAIL PROTECTED]"; # line497
$mailfrom_notify_spamadmin = "[EMAIL PROTECTED]"; # line498

Can someone help?

Phil
RE: [Clamav-users] amavis installed, no more mails
> -Original Message-
> From: pi [mailto:[EMAIL PROTECTED]
> Sent: Friday, March 19, 2004 11:13 AM
> To: [EMAIL PROTECTED]
> Subject: [Clamav-users] amavis installed, no more mails
>
>
> Hi,
>
> I try to use amavis with postfix.
> 1st try, no more mail transmitted to the local mailboxes so I
> decide to configure
>
> after trying to configure amavis for my domaine
> (wehowski.com), I can no more start amavis.
> here are the messages I receive when I try to start the service.
>
>
> Starting Mail Virus Scanner (amavisd): Error in config file /etc/amavisd.conf:
> Global symbol "@localhost" requires explicit package name at /etc/amavisd.conf line 463.

> $virus_admin = "[EMAIL PROTECTED]"; # line 463

You have to escape the "@" in your emailaddress:

$virus_admin = "[EMAIL PROTECTED]"; # line 463
Re: [Clamav-users] SFX-RAR files
On Fri, 19 Mar 2004 11:01:55 +0100
"daniele" <[EMAIL PROTECTED]> wrote:

> with 0.68 all ok
> thanks

Please don't top-post. The only technical problem with your old clamav version was the outdated database.

-- 
   oo.       Tomasz Kojm <[EMAIL PROTECTED]>
  (\/)\.     http://www.ClamAV.net/gpg/tkojm.gpg
     \..._   0DCA5A08407D5288279DB43454822DC8985A444B
     //\ /\  Fri Mar 19 11:38:40 CET 2004
Re: [Clamav-users] clamd, minor bug with logging
On Fri, 19 Mar 2004 13:21:51 +0400
Sergey <[EMAIL PROTECTED]> wrote:

> Hello.
>
> I known what clamd have 2 bugs.
>
> I can't say more about first (I sent some
> information about it to bugs#clamav.net some
> days ago and to Nigel Horne today), but first
> explore second: some logged messages have not
> "\n". Log examples:
>
> Thu Mar 18 18:06:06 2004 -> ERROR: pthread_create failedThu Mar 18
> 18:06:06 2004 -> ERROR: pthread_create failedThu Mar 18 18:06:06 2004
> -> ERROR: pthread_create failed
>
> Tue Mar 16 18:52:25 2004 -> ERROR: accept() failed: Too many open
> filesTue Mar 16 18:52:25 2004 -> ERROR: accept() failed: Too many open
> filesTue Mar 16 18:52:25 2004 -> ERROR: accept() failed: Too many open
> files

Please report all bugs to [EMAIL PROTECTED] and not on the users mailing list.

-- 
   oo.       Tomasz Kojm <[EMAIL PROTECTED]>
  (\/)\.     http://www.ClamAV.net/gpg/tkojm.gpg
     \..._   0DCA5A08407D5288279DB43454822DC8985A444B
     //\ /\  Fri Mar 19 11:48:51 CET 2004
[Clamav-users] reject=451 4.7.1 Please try again later
Hi,

when i receive bigger mails i got the following error:

reject=451 4.7.1 Please try again later

please help !

thank u
Re: [Clamav-users] reject=451 4.7.1 Please try again later
On Fri, 19 Mar 2004, Andrei Bucur wrote:

> when i receive bigger mails i got the folowing error:
>
> reject=451 4.7.1 Please try again later

I can see the same things in my logs. It's sendmail 8.12.10+clamd+clamav-milter v 0.70-rc on Solaris9 (sparc). It happens only for a few sender addresses (always the same), other mail is accepted/rejected properly. And not necessarily for big messages - it happens for small too. After enabling syslog I found lines like below:

-
Mar 19 13:37:36 topaz sendmail[17387]: [ID 801593 mail.info] i2JCZI63017387: from=<...>, size=1970869, class=0, nrcpts=1, msgid=<[EMAIL PROTECTED]>, proto=ESMTP, daemon=MTA-v4, relay= ...
Mar 19 13:37:36 topaz clamav-milter[17382]: [ID 910239 mail.error] write failure to clamd
Mar 19 13:37:36 topaz sendmail[17387]: [ID 801593 mail.info] i2JCZI63017387: Milter: data, reject=451 4.7.1 Please try again later
Mar 19 13:37:36 topaz sendmail[17387]: [ID 801593 mail.info] i2JCZI63017387: to=<>, delay=00:02:17, pri=2000869, stat=Please try again later
-

I've found in clamav-milter.c this "write failure to clamd"; it's in clamfi_send() function, just after calling checkClamd(). It appears like checking if clamd is alive? But it is, next mail from another sender is properly received... Can't understand it, maybe Nigel could explain?

Krzysztof Snopek
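Added example (not part of the original post, and not code from sendmail or ClamAV): a Python sketch that ties each "reject=451 4.7.1" tempfail in syslog to a clamav-milter "write failure to clamd" on the same host within a short window, so scanner failures can be told apart from other tempfails and listed with message size. The line layout follows the Solaris syslog excerpt in the post; the sample lines, addresses, second queue id, function names and the 2-second window are constructed assumptions.

```python
import re
from datetime import datetime

# "Mar 19 13:37:36 topaz sendmail[17387]: [ID 801593 mail.info] <message>"
# The "[ID n facility.level]" tag is Solaris-specific and optional here.
LINE = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[\w-]+)\[\d+\]: (?:\[ID \d+ [\w.]+\] )?(?P<msg>.*)$"
)
QID_MSG = re.compile(r"^(?P<qid>[0-9A-Za-z]{10,}): (?P<rest>.*)$")
SIZE = re.compile(r"\bsize=(\d+)")


def parse(lines, year):
    """Yield (datetime, host, program, message); syslog omits the year."""
    for raw in lines:
        m = LINE.match(raw.strip())
        if m:
            when = datetime.strptime(f"{m['ts']} {year}", "%b %d %H:%M:%S %Y")
            yield when, m["host"], m["prog"], m["msg"]


def classify_tempfails(lines, year=2004, window=2):
    """Return one dict per milter 451 rejection, with the likely cause."""
    events = list(parse(lines, year))
    failures = [
        (when, host) for when, host, prog, msg in events
        if prog == "clamav-milter" and "write failure to clamd" in msg
    ]
    sizes, report = {}, []
    for when, host, prog, msg in events:
        q = QID_MSG.match(msg) if prog == "sendmail" else None
        if not q:
            continue
        qid, rest = q["qid"], q["rest"]
        if rest.startswith("from="):
            s = SIZE.search(rest)
            if s:
                sizes[(host, qid)] = int(s.group(1))
        elif rest.startswith("Milter:") and "reject=451" in rest:
            near = any(
                h == host and abs((when - w).total_seconds()) <= window
                for w, h in failures
            )
            report.append({
                "qid": qid,
                "host": host,
                "size": sizes.get((host, qid)),
                "cause": "clamd write failure" if near else "unknown",
            })
    return report


# Constructed sample modelled on the excerpt above (elided fields filled
# with example.com placeholders; the second message is invented).
SAMPLE = """\
Mar 19 13:37:36 topaz sendmail[17387]: [ID 801593 mail.info] i2JCZI63017387: from=<sender@example.com>, size=1970869, class=0, nrcpts=1, proto=ESMTP, daemon=MTA-v4, relay=mx.example.com
Mar 19 13:37:36 topaz clamav-milter[17382]: [ID 910239 mail.error] write failure to clamd
Mar 19 13:37:36 topaz sendmail[17387]: [ID 801593 mail.info] i2JCZI63017387: Milter: data, reject=451 4.7.1 Please try again later
Mar 19 13:40:02 topaz sendmail[17401]: [ID 801593 mail.info] i2JCe0aa017401: from=<other@example.com>, size=2048, class=0, nrcpts=1, proto=ESMTP, daemon=MTA-v4, relay=mx2.example.com
Mar 19 13:40:03 topaz sendmail[17401]: [ID 801593 mail.info] i2JCe0aa017401: Milter: data, reject=451 4.7.1 Please try again later
""".splitlines()

if __name__ == "__main__":
    for row in classify_tempfails(SAMPLE):
        print(row)
```

Every row with cause "clamd write failure" is a message the milter could not get scanned; those are the messages that would be accepted unscanned if clamav-milter ran with --dont-scan-on-error.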
Re: [Clamav-users] amavis installed, NOW mails
Thanks for your answer.

I already began to receive "infected mails" ;-)
I put them in a special mailbox.
It works perfectly.

At this time, I'd like the recipient to be warned of a quarantined mail.
I tried many things but I never succeeded to except if I also warn the sender. (what I don't want)

Any idea?

Phil

Marcel de Reuver wrote:

> You have to escape the "@" in your emailaddress:
>
> $virus_admin = "[EMAIL PROTECTED]"; # line 463
Re: [Clamav-users] Troubles with recent clamav's
On 3/18/04 5:40 PM, "Doug Hardie" <[EMAIL PROTECTED]> wrote:

> My quick look at the code behind --disable-urandom gave me the
> impression that it only disabled the test for urandom and forced clamd
> to use urandom. Thats why I manually deleted the define. I guess I
> will have to look a bit closer. That would be easier to remember when
> moving to a new version.

From what I read through configure is that when using --disable-urandom it reverts back to using just rand(). Since I did this, our servers have been running 14+ hours without a single hang and all the databases seem to have loaded within a second or two instead of multiple minutes.

I'm hoping that this urandom problem is addressed in the future. I'm not exactly sure of what the problem is and why clamd hangs, disabling /dev/urandom should not be the fix, but rather the workaround.

-- 
Robert Blayzor, BOFH
INOC, LLC
[EMAIL PROTECTED]
PGP: http://www.inoc.net/~dev/
Key fingerprint = 1E02 DABE F989 BC03 3DF5 0E93 8D02 9D0B CB1A A7B0

Design: The activity of preparing for a design review.
Re: [Clamav-users] reject=451 4.7.1 Please try again later
> Mar 19 13:37:36 topaz clamav-milter[17382]: [ID 910239 mail.error] write
> failure to clamd

That reads to me that clamd has gone away

-Nigel

-- 
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK. ICQ#20252325
[EMAIL PROTECTED] http://www.bandsman.co.uk
Re: [Clamav-users] reject=451 4.7.1 Please try again later
On Friday 19 March 2004 16:12, Andrei Bucur wrote:

> when i receive bigger mails i got the folowing error:
>
> reject=451 4.7.1 Please try again later
>
> please help !

I wrote about it 25/02/2004 10:56. I not set purpose to check all mails and I use --dont-scan-on-error

-- 
Regards, Sergey
Re: [Clamav-users] reject=451 4.7.1 Please try again later
no ... it's alive -- that's the BIG problem !

- Original Message -
From: "Nigel Horne" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, March 19, 2004 3:44 PM
Subject: Re: [Clamav-users] reject=451 4.7.1 Please try again later

>
> > Mar 19 13:37:36 topaz clamav-milter[17382]: [ID 910239 mail.error] write
> > failure to clamd
>
> That reads to me that clamd has gone away
>
> -Nigel
>
> --
> Nigel Horne. Arranger, Composer, Typesetter.
> NJH Music, Barnsley, UK. ICQ#20252325
> [EMAIL PROTECTED] http://www.bandsman.co.uk
Re: [Clamav-users] reject=451 4.7.1 Please try again later
yes that's it

thank u Sergey

- Original Message -
From: "Sergey" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, March 19, 2004 3:45 PM
Subject: Re: [Clamav-users] reject=451 4.7.1 Please try again later

> On Friday 19 March 2004 16:12, Andrei Bucur wrote:
>
> > when i receive bigger mails i got the folowing error:
> >
> > reject=451 4.7.1 Please try again later
> >
> > please help !
>
> I write about it 25/02/2004 10:56. I not set purpose to check
> all mails and I use --dont-scan-on-error
>
> --
> Regards,
> Sergey
[Clamav-users] Re: amavis installed, NOW mails
pi wrote:

> At this time, I'd like the recipient to be warned of a quarantined mail.
> I tried many things but I never succeeded to except if I also warn the
> sender. (what I don't want)

I think, today 99,9% of mails with viruses or worms contain no useful information for our recipients, so to warn them is nearly senseless.

just my 2 cents.

Wolfgang
Re: [Clamav-users] reject=451 4.7.1 Please try again later
On Fri, 19 Mar 2004 13:44:02 +
Nigel Horne <[EMAIL PROTECTED]> wrote:

>
> > Mar 19 13:37:36 topaz clamav-milter[17382]: [ID 910239 mail.error]
> > write failure to clamd
>
> That reads to me that clamd has gone away

Try to increase the MaxThreads and MaxConnectionQueueLength values.

-- 
   oo.       Tomasz Kojm <[EMAIL PROTECTED]>
  (\/)\.     http://www.ClamAV.net/gpg/tkojm.gpg
     \..._   0DCA5A08407D5288279DB43454822DC8985A444B
     //\ /\  Fri Mar 19 15:45:19 CET 2004
Re: [Clamav-users] cannot update
Hi

Thanks for your help. However, last night I uninstalled clam, and installed as source. The real problem is that the first time round I had not read the instructions properly..doh!

Anyway the problem is now sorted.

Again thanks for your kind help.

David

Krištof Petr wrote:

> david wrote:
>
> > I installed version clamav-0.67-1 as an rpm. However upon trying to
> > update I get this...
> >
> > ClamAV update process started at Tue Mar 16 18:42:49 2004
> > SECURITY WARNING: NO SUPPORT FOR DIGITAL SIGNATURES
> > Reading CVD header (main.cvd): OK
> > ERROR: Can't open new file ./e456f6640da6112f to write
> > open: Permission denied
>
> Update to version 0.70rc, please. Then edit /etc/freshclam.conf,
> especially the line
>
> DatabaseOwner user_what_running_freshclam
>
> and do 'chown -R user_what_running_freshclam /var/lib/clamav/'
>
> Petr
Re: [Clamav-users] why don't detect
Hi

On Thu, 18 Mar 2004 13:09:13 +
Nigel Horne <[EMAIL PROTECTED]> wrote:

> On Thursday 18 Mar 2004 7:23 am, Korchmenuk Nickolay wrote:
> > I've 11 e-mails like that with SCO.A, Netsky, I-Frame.exploit etc.
> Please send to me, the more samples the better!

You can download samples from
www.nyck.kiev.ua/clamav/
Re: [Clamav-users] reject=451 4.7.1 Please try again later
> Try to increase the MaxThreads and MaxConnectionQueueLength values.

i did:

MaxThreads 25
MaxConnectionQueueLength 30

same error !

- Original Message -
From: "Tomasz Kojm" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, March 19, 2004 4:46 PM
Subject: Re: [Clamav-users] reject=451 4.7.1 Please try again later
Re: [Clamav-users] Re: amavis installed, NOW mails
On Fri 19 Mar 15:41:34 2004, Wolfgang Cernohorsky wrote:

> > At this time, I'd like the recipient to be warned of a quarantined mail.
> > I tried many things but I never succeeded to except if I also warn the
> > sender. (what I don't want)
>
> I think, today 99,9% of mails with viruses or worms contain no usefull
> information for our recipients, so to warn them is nearly senseless.

You're right, but some users reject the idea that their email may be deleted without warning.

If you want to send warning, it's better to notify the recipient than the 99,9% of time innocent sender.

Once the users see how many virus or virus notifications they receive, they quickly ask their admin to drop them all.

So, the best thing to do is to offer three choices: keep the detected virus, send a notification or drop quietly. The notification is be the best default. The users don't receive the virus and they are seeing that the admin take care of their mailboxes :-)
[Clamav-users] Postmaster bounces and such.
We tend to forward the postmaster account off each of our mail servers to other central servers that the admins read it on. If the postmaster account receives a virus (they are fairly popular addresses for spam and virus email) they will try to forward it on. The problem is if that central server is using ClamAV it will bounce the message back to the originating server.

It would be fine if the originating server never got the virus in the first place, but we have to run ClamAV in an "accept on time-out" mode in case the milter has disappeared, so it is quite possible that viruses end up on the machine.

This wouldn't be so bad except that sendmail doesn't like it when postmaster is undeliverable and will stop processing the rest of the mail queue.

Any general ideas? One idea was using "nobodyreturn" in the sendmail PrivacyOptions. Or is there a way (or a plan) to make ClamAV per-user configurable so we can just accept all postmaster mail? We use clamav-milter, I suppose that is a consideration as well. Some other milters could possibly handle it differently...

Thanks all. (and special thanks to Nigel who has been working on a bug to fix a memory consumption issue that will really help us out).

-- 
Robert Schmidt -- UNIX Tech Support
[EMAIL PROTECTED]
MC1021 519-888-4567 x6453
Re: [Clamav-users] why don't detect
Thanks, I'll have a look at them ASAP.

-Nigel

On Friday 19 Mar 2004 3:01 pm, Korchmenuk Nickolay wrote:

> Hi
>
> On Thu, 18 Mar 2004 13:09:13 +
>
> Nigel Horne <[EMAIL PROTECTED]> wrote:
> > On Thursday 18 Mar 2004 7:23 am, Korchmenuk Nickolay wrote:
> > > I've 11 e-mails like that with SCO.A, Netsky, I-Frame.exploit etc.
> >
> > Please send to me, the more samples the better!
>
> You can download samples from
> www.nyck.kiev.ua/clamav/

-- 
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK. ICQ#20252325
[EMAIL PROTECTED] http://www.bandsman.co.uk
Re: [Clamav-users] reject=451 4.7.1 Please try again later
I was seeing those too, they seem to go with a message:

clamav-milter[55529]: write failure to clamd

I added "--dont-scan-on-error" to the clamav-milter args, which stopped the rejections, but obviously doesn't solve the underlying problem.

MaxThreads is 1000 and MaxConnectionQueueLength 100 (it's a busy mail server). I think it has something to do with the particular message, because the same message will fail more than once if deferred by the milter.

I'm running 67l (the latest in the ports collection) on FreeBSD 4.9.

->Spike
Re: [Clamav-users] pthreads instability?
On Fri, 2004-03-19 at 01:41, Sergey wrote:

> > On a stock RedHat 9.0 box (3 boxen load balanced) with updated kernel
> > (2.4.20-20.9smp), I have stability problems with clamd.
> Possible it's similar with my problem... What is in clamd.log at this
> time ?
> I my logs:
> Tue Mar 16 18:52:25 2004 -> ERROR: accept() failed: Too many open files
> on 2.2 kernel and
> Thu Mar 18 18:06:06 2004 -> ERROR: pthread_create failed
> on 2.4 kernel

Mine looked different than that (this was before I enabled verbose logging and it hasn't messed up since). Here's from box #1:

stream: Worm.Mydoom.F FOUND
stream: Worm.Bagle.Gen-1 FOUND
Session 1 stopped due to timeout.
Segmentation fault :-( Bye..

And here's a little later on on the same box:

Session 2 stopped due to timeout.
stream: Worm.Bagle.Gen-1 FOUND
stream: Worm.SomeFool.Gen-2 FOUND
SelfCheck: Database status OK.
Segmentation fault :-( Bye..

Here's from box #3:

Session 2 stopped due to timeout.
Session 0 stopped due to timeout.
Session 3 stopped due to timeout.
Segmentation fault :-( Bye..

And a little later on on the same box:

Session 0 stopped due to timeout.
stream: Worm.SomeFool.Gen-1 FOUND
Session 2 stopped due to timeout.
stream: Worm.SomeFool.Gen-1 FOUND
Segmentation fault :-( Bye..

Since I've started my testing, I've made the logging much more verbose than above and used the LD_ASSUME_KERNEL environment variable setting. The system has been running solidly for 19 hours now. If I was a betting man, I'd say that the environment variable fixed things, but I have to also acknowledge that it never segfaulted while I was debugging with the verbose logging. So technically it could be either one. Like I said though, my money is on the environment variable.

> mail traffic is similar too (sometimes it more one message per second;
> middle in day about 100K)

Here's what my boxen are doing loadwise:

Inbound per day totals:
Mar 18 -> 55284
Delivered, both local and aliases:
Mar 18 -> 7199
Refused by remote systems:
Mar 18 -> 5480
Queued and probably delivered later:
Mar 18 -> 17
Detected and rejected as spam
Mar 18 -> 23498
Detected and rejected as virus
Mar 18 -> 205
Refused/Dropped due to remote system errors:
Mar 18 -> 992

I note that the spam levels dropped tremendously yesterday. I was rejecting about 35K a day. That's because spammers on Wednesday started using accented a e i o and u characters and SpamAssassin doesn't catch those with its current definitions (SA 2.63) which seem to be primarily English only.

Blue skies...
Todd
Re: [Clamav-users] amavis installed, no more mails
On Fri, 2004-03-19 at 02:13, pi wrote:
> $virus_admin = "[EMAIL PROTECTED]"; # line 463

$virus_admin = '[EMAIL PROTECTED]';

> $mailfrom_notify_admin = "[EMAIL PROTECTED]"; # line496
> $mailfrom_notify_recip = "[EMAIL PROTECTED]"; # line497
> $mailfrom_notify_spamadmin = "[EMAIL PROTECTED]"; # line498

$mailfrom_notify_admin = '[EMAIL PROTECTED]'; # line496
$mailfrom_notify_recip = '[EMAIL PROTECTED]'; # line497
$mailfrom_notify_spamadmin = '[EMAIL PROTECTED]'; # line498

@ is used to define an array in perl. Since you have it in double quotes, perl is trying to interpret arrays @localhost and @domaine. Either change it to single quotes as I have shown above or escape the @ by doing \@, as in:

$mailfrom_notify_spamadmin = "[EMAIL PROTECTED]"; # line498

Blue skies... Todd
RE: [Clamav-users] Postmaster bounces and such.
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Robert
> Schmidt
> Sent: Friday, March 19, 2004 11:06 AM
> To: [EMAIL PROTECTED]
> Subject: [Clamav-users] Postmaster bounces and such.
>
>
> We tend to forward the postmaster account off each of our mail
> servers to other central servers that the admins read it on. If the
> postmaster account receives a virus (they are fairly popular addresses
> for spam and virus email) they will try to forward it on. The problem is
> if that central server is using ClamAV it will bounce the message back
> to the originating server.
>

Why are you bouncing mail back to the server?

Jim
Re: [Clamav-users] Re: amavis installed, NOW mails
Okay, so, how do I stop those messages ? I don't know I did the first time :-((

I have the following parameters

$final_virus_destiny = D_DISCARD; # (defaults to D_BOUNCE)
#$warnvirussender = 1; # (defaults to false (undef))

Phil

Wolfgang Cernohorsky wrote:

pi wrote:

At this time, I'd like the recipient to be warned of a quarantined mail. I tried many things but I never succeeded to except if I also warn the sender. (what I don't want)

I think, today 99,9% of mails with viruses or worms contain no useful information for our recipients, so to warn them is nearly senseless.

just my 2 cents.

Wolfgang
[Clamav-users] qmail-scanner 1.21 and ClamAV .67 or .70
I'm trying to get Q/S 1.21 and ClamAV working on FreeBSD 4.9. I get the following errors.

I've verified the permissions on /var/spool/qmailscan, verified the softlimit without success. The clamd process is running when this error comes up. Any help would be appreciated. Note the q/s 1.20 and clam .65 worked fine for months. Just the enhancements for password zip files is reason enough to upgrade.

run /usr/local/bin/clamdscan -r --disable-summary --max-recursion=10 --max-space=100 /var/spool/qmailscan/tmp/mx.adminblogs.com1079
Fri, 19 Mar 2004 12:41:17 -0500:351: --output of clamdscan was:
/var/spool/qmailscan/tmp/mx.adminblogs.com1079718077470351: Can't access the file ERROR

Steve Schofield
[EMAIL PROTECTED]
Re: [Clamav-users] pthreads instability?
On Fri, 2004-03-19 at 17:33, Todd Lyons wrote:
> On Fri, 2004-03-19 at 01:41, Sergey wrote:
>
> > > On a stock RedHat 9.0 box (3 boxen load balanced) with updated kernel
> > > (2.4.20-20.9smp), I have stability problems with clamd.
> > Possible it's similar with my problem... What is in clamd.log at this
> > time ?
> > In my logs:
> > Tue Mar 16 18:52:25 2004 -> ERROR: accept() failed: Too many open files
> > on 2.2 kernel and
> > Thu Mar 18 18:06:06 2004 -> ERROR: pthread_create failed
> > on 2.4 kernel
>
> Mine looked different than that (this was before I enabled verbose
> logging and it hasn't messed up since). Here's from box #1:
> stream: Worm.Mydoom.F FOUND
> stream: Worm.Bagle.Gen-1 FOUND
> Session 1 stopped due to timeout.
> Segmentation fault :-( Bye..
>

update to .70rc or current CVS

-trog
[Clamav-users] memory leak in 0.70-rc
It's in clamd. Compiled and running on RH 7.3. Same behavior is shown on a couple of servers. Right now, RSS is at 366M, it went all the way to 2.9GB on one of my servers before I noticed it. It's being used to scan for viruses via MimeDefang. Is this a known problem?

Config:

ArchiveMaxCompressionRatio 200
ArchiveMaxFiles 1000
ArchiveMaxFileSize 10M
ArchiveMaxRecursion 5
ClamukoIncludePath /home
ClamukoMaxFileSize 1M
ClamukoScanArchive
ClamukoScanOnClose
ClamukoScanOnExec
ClamukoScanOnOpen
FixStaleSocket
Foreground
LocalSocket /opt/clamav/spool/clamd.sock
LogSyslog
MaxConnectionQueueLength 30
MaxDirectoryRecursion 15
MaxThreads 100
ScanArchive
ScanMail
ScanOLE2
SelfCheck 300
User mailnull

configured by ./configure, generated by GNU Autoconf 2.53, with options \"'--with-user=mailnull' '--with-group=mailnull' '--prefix=/opt/clamav-0.70-rc' '--enable-bigstack' '--disable-clamuko'\"

--
Kelsey Cummings - [EMAIL PROTECTED]      sonic.net, inc.
System Administrator                     2260 Apollo Way
707.522.1000 (Voice)                     Santa Rosa, CA 95407
707.547.2199 (Fax)                       http://www.sonic.net/
Fingerprint = D5F9 667F 5D32 7347 0B79 8DB7 2B42 86B6 4E2C 3896
RE: [Clamav-users] qmail-scanner 1.21 and ClamAV .67 or .70
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Steve
> Schofield
> Sent: Friday, March 19, 2004 1:22 PM
> To: [EMAIL PROTECTED]
> Subject: [Clamav-users] qmail-scanner 1.21 and ClamAV .67 or .70
>
>
> I'm trying to get Q/S 1.21 and ClamAV working on FreeBSD 4.9. I get the
> following errors
> I've verified the permissions on /var/spool/qmailscan, verified the
> softlimit without success.
> The clamd process is running when this error comes up. Any help would be
> appreciated. Note the q/s 1.20 and clam .65 worked fine for months. Just
> the enhancements for password zip files is reason enough to upgrade.
>
> run
> /usr/local/bin/clamdscan -r --disable-summary --max-recursion=10
> --max-space
> =100 /var/spool/qmailscan/tmp/mx.adminblogs.com1079
> Fri, 19 Mar 2004 12:41:17 -0500:351: --output of clamdscan was:
> /var/spool/qmailscan/tmp/mx.adminblogs.com1079718077470351: Can't
> access the
> file ERROR
>

Clamd uses /etc/clamav.conf in which there is a setting to specify which user clamd runs as. It may be that clamd is running as clamav and your /var/spool/qmailscan dir is owned by qscand.

Jim
Re: [Clamav-users] pthreads instability?
On Saturday 20 March 2004 00:04, Sergey wrote:
> Fri Mar 19 23:43:44 2004 -> ERROR: ScanStream: Can't write to temporary file.

sorry, "temporary file" is my mistake.

--
Regards, Sergey
Re: [Clamav-users] pthreads instability?
On Friday 19 March 2004 23:12, Trog wrote:
> > > Tue Mar 16 18:52:25 2004 -> ERROR: accept() failed: Too many open files
> > > on 2.2 kernel and
> > > Thu Mar 18 18:06:06 2004 -> ERROR: pthread_create failed
> > > on 2.4 kernel
> update to .70rc or current CVS

Bug present in clamav-devel-20040317 snapshot. clamd/clamav-milter stopped on last 24 hours (clamd log; I add \n manually):

Errors begin about 02:00

  Fri Mar 19 02:32:32 2004 -> ERROR: ScanStream: accept timeout.
  Fri Mar 19 02:32:33 2004 -> ERROR: pthread_create failed
  Fri Mar 19 02:32:33 2004 -> ERROR: ScanStream: accept timeout.
  Fri Mar 19 02:32:34 2004 -> ERROR: pthread_create failed
  Fri Mar 19 02:32:35 2004 -> ERROR: pthread_create failed
  Fri Mar 19 02:33:33 2004 -> ERROR: ScanStream: accept timeout.
  Fri Mar 19 02:33:34 2004 -> ERROR: pthread_create failed
  Fri Mar 19 02:33:34 2004 -> ERROR: pthread_create failed
  Fri Mar 19 02:33:36 2004 -> ERROR: pthread_create failed
  Fri Mar 19 02:33:36 2004 -> SelfCheck: Database status OK.
  Fri Mar 19 02:33:37 2004 -> ERROR: accept() failed: Too many open files
  Fri Mar 19 02:33:37 2004 -> ERROR: accept() failed: Too many open files
  Fri Mar 19 02:33:37 2004 -> ERROR: accept() failed: Too many open files
  Fri Mar 19 02:33:38 2004 -> ERROR: accept() failed: Too many open files

!! NO Segmentation fault in log before.

In 10:15:24 I restart clamav-milter:

  Mar 19 10:15:24 av clamav-milter[28064]: clamd / ClamAV version devel-20040318, clamav-milter version 0.70

and...

  Fri Mar 19 03:24:24 2004 -> ERROR: ScanStream: accept timeout.
  Fri Mar 19 03:24:24 2004 -> ERROR: ScanStream: accept timeout.
  Fri Mar 19 04:02:02 2004 -> SelfCheck: Database modification detected. Forcing reload.
  Fri Mar 19 04:02:02 2004 -> Reading databases from /var/lib/clamav
  Fri Mar 19 04:02:03 2004 -> Database correctly reloaded (20514 viruses)
  Fri Mar 19 10:15:24 2004 -> SelfCheck: Database status OK.
  Fri Mar 19 10:15:25 2004 -> Accepted connection on port 33664, fd 1010
  Fri Mar 19 10:15:26 2004 -> Accepted connection on port 59578, fd 1014
  Fri Mar 19 10:15:27 2004 -> Accepted connection on port 35401, fd 1018
  Fri Mar 19 10:15:27 2004 -> Accepted connection on port 59476, fd 1022
  Fri Mar 19 10:15:27 2004 -> ERROR: accept() failed: Too many open files
  Fri Mar 19 10:15:28 2004 -> stream: Unable to open file or directory. ERROR
  Fri Mar 19 10:15:28 2004 -> Accepted connection on port 15338, fd 1010
  Fri Mar 19 10:15:29 2004 -> Segmentation fault :-( Bye..
  Fri Mar 19 10:15:29 2004 -> ERROR: accept() failed: Too many open files
  Fri Mar 19 10:15:29 2004 -> ERROR: accept() failed: Too many open files
  Fri Mar 19 10:15:30 2004 -> ERROR: accept() failed: Too many open files
  Fri Mar 19 10:15:30 2004 -> ERROR: accept() failed: Too many open files
  Fri Mar 19 10:15:30 2004 -> ERROR: accept() failed: Too many open files
  Fri Mar 19 10:15:31 2004 -> Segmentation fault :-( Bye..
  Fri Mar 19 10:15:31 2004 -> ERROR: accept() failed: Too many open files
  Fri Mar 19 10:15:32 2004 -> ERROR: accept() failed: Too many open files
  Fri Mar 19 10:15:33 2004 -> ERROR: accept() failed: Too many open files

I restart clamd and clamav-milter, while it work... psss... :

  cat clamd.log |grep ERROR
  Fri Mar 19 10:31:06 2004 -> ERROR: ScanStream: accept timeout.
  Fri Mar 19 10:31:07 2004 -> ERROR: ScanStream: accept timeout.
  Fri Mar 19 10:31:07 2004 -> ERROR: ScanStream: accept timeout.
  Fri Mar 19 10:31:07 2004 -> ERROR: ScanStream: accept timeout.
  Fri Mar 19 22:22:45 2004 -> ERROR: ScanStream: accept timeout.
  Fri Mar 19 23:43:44 2004 -> ERROR: ScanStream: Can't write to temporary file.
  Fri Mar 19 23:43:46 2004 -> stream: Unable to create temporary directory. ERROR
  Fri Mar 19 23:43:48 2004 -> ERROR: ScanStream: Can't write to temporary file.
  Fri Mar 19 23:43:48 2004 -> stream: Unable to create temporary directory. ERROR
  Fri Mar 19 23:43:48 2004 -> ERROR: ScanStream: Can't write to temporary file.

--
Regards, Sergey
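An added example, not part of any poster's message and not ClamAV code: a small monitor for the clamd.log format quoted above. It splits records that were written without a trailing newline, counts the failure types seen in this thread, and flags when accepted descriptors climb toward the open-file limit. The limit of 1024 and the margin of 16 are assumptions; the sample is built from lines quoted in the message above, re-joined without newlines.

```python
import re
from collections import Counter
from datetime import datetime

# A clamd record starts with a ctime()-style stamp followed by " -> ".
STAMP = (r"(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) [A-Z][a-z]{2} [ \d]\d "
         r"\d\d:\d\d:\d\d \d{4}")
# Lazy body match up to the next stamp, so run-together records still split.
RECORD = re.compile(rf"({STAMP}) -> (.*?)(?=(?:{STAMP}) -> |\Z)", re.S)
ACCEPTED = re.compile(r"Accepted connection on port \d+, fd (\d+)")

# Assumption: a common default soft limit on open files; compare `ulimit -n`.
ASSUMED_NOFILE = 1024

# Substrings taken from the log lines quoted in this thread.
CATEGORIES = {
    "fd_exhausted": "accept() failed: Too many open files",
    "thread_create_failed": "pthread_create failed",
    "segfault": "Segmentation fault",
    "accept_timeout": "ScanStream: accept timeout",
}


def split_records(raw):
    """Yield (datetime, message) for each record, newline or not."""
    for stamp, msg in RECORD.findall(raw):
        yield datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y"), msg.strip()


def analyze(raw, nofile=ASSUMED_NOFILE, margin=16):
    """Summarise failures and descriptor pressure in a clamd log."""
    counts, first_seen = Counter(), {}
    records, max_fd, near_limit_at = 0, -1, None
    for when, msg in split_records(raw):
        records += 1
        accepted = ACCEPTED.search(msg)
        if accepted:
            fd = int(accepted.group(1))
            max_fd = max(max_fd, fd)
            # First moment a new connection landed close to the limit.
            if near_limit_at is None and fd >= nofile - margin:
                near_limit_at = when
            continue
        for name, needle in CATEGORIES.items():
            if needle in msg:
                counts[name] += 1
                first_seen.setdefault(name, when)
    return {
        "records": records,
        "counts": dict(counts),
        "first_seen": first_seen,
        "max_fd": max_fd,
        "near_limit_at": near_limit_at,
        # High descriptor numbers plus EMFILE errors: the daemon is out of fds.
        "fd_pressure": counts["fd_exhausted"] > 0 and max_fd >= nofile - margin,
    }


# Constructed sample: lines from the message above, joined with no "\n".
SAMPLE = "".join([
    "Fri Mar 19 02:32:33 2004 -> ERROR: pthread_create failed",
    "Fri Mar 19 02:33:37 2004 -> ERROR: accept() failed: Too many open files",
    "Fri Mar 19 10:15:25 2004 -> Accepted connection on port 33664, fd 1010",
    "Fri Mar 19 10:15:26 2004 -> Accepted connection on port 59578, fd 1014",
    "Fri Mar 19 10:15:27 2004 -> Accepted connection on port 35401, fd 1018",
    "Fri Mar 19 10:15:27 2004 -> Accepted connection on port 59476, fd 1022",
    "Fri Mar 19 10:15:27 2004 -> ERROR: accept() failed: Too many open files",
    "Fri Mar 19 10:15:29 2004 -> Segmentation fault :-( Bye..",
    "Fri Mar 19 10:15:29 2004 -> ERROR: accept() failed: Too many open files",
])

if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value}")
```

Run against a live log, `near_limit_at` gives the point at which a restart or a raised limit is needed before the scanner stops accepting mail.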
[Clamav-users] sendmail out of memory after enabling clmilter
Pardon if this has been discussed in the archives. I searched on various keywords with either no luck or too many hits to be useful.

I've installed clam 0.70RC and clam-milter 0.70RC from the RPMs onto a system running Fedora Core 1 with sendmail 8.12.10. clamav runs fine, but when I put the milter into the equation, it disables sendmail:

this is in /var/log/messages

  Mar 19 13:37:19 ciscy clamav-milter: ClamAv, mi_rd_cmd: read returned -1: Connection reset by peer

At the same time in /var/log/maillog

  Mar 19 13:32:07 ciscy sm-msp-queue[17080]: starting daemon (8.12.10): [EMAIL PROTECTED]:00:00
  Mar 19 13:37:19 ciscy sendmail[17107]: i2JJbJF6017107: SYSERR(root): out of memory: Cannot allocate memory

The milter is invoked as (commented out for now)

  dnl #
  dnl # this enables the clamAV mailter
  dnl #
  dnl # INPUT_MAIL_FILTER(`clmilter',`S=local:/var/run/clamav/clmilter.sock,F=, T=S:4m;R:4m')dnl
  dnl # define(`confINPUT_MAIL_FILTERS', `clmilter')

The appropriate processes seem to be running

  # ps -ef |grep clam
  clamav 17615 1 0 14:18 ? 00:00:00 /usr/sbin/clamd
  clamav 17637 1 0 14:18 ? 00:00:00 /usr/sbin/clamav-milter --max-children=10 --force-scan --quiet --dont-log-clean --server=localhost local:/var/run/clamav/clamav-milter.sock

--
Steve
[Clamav-users] clamd and logging to /dev/stdout
Hello all,

I'm trying to set up clamd with multilog. I have followed the post located on http://www.mail-archive.com/[EMAIL PROTECTED]/msg06804.html, but if I set LogFile to /dev/stdout and do a "svc -d /service/clamd ; svc -u /service/clamd" I get a zombie process (Z flag in "ps ax"). If I omit the LogFile (or use LogSyslog) everything works fine.

My clamav.conf looks like this :

LogFile /dev/stdout
LocalSocket /tmp/clamd
TCPAddr 127.0.0.1
StreamSaveToDisk
MaxThreads 20
MaxDirectoryRecursion 15
User qscand
Foreground
ScanMail
ScanArchive
ScanRAR
ArchiveMaxFileSize 10M
ArchiveMaxRecursion 5
ArchiveMaxFiles 1000
ArchiveMaxCompressionRatio 200

I'm using ClamAV version 0.67-1, RH 7.3, kernel 2.6.3. What am I doing wrong?

Thanks in advance and have a nice day,
Andrej.
RE: [Clamav-users] Postmaster bounces and such.
On Fri, 2004-03-19 at 12:51, Jim Maul wrote:
> > We tend to forward the postmaster account off each of our mail
> > servers to other central servers that the admins read it on. If the
> > postmaster account receives a virus (they are fairly popular addresses
> > for spam and virus email) they will try to forward it on. The problem is
> > if that central server is using ClamAV it will bounce the message back
> > to the originating server.
> >
>
> Why are you bouncing mail back to the server?
>

We bounce messages that have viruses. We decided that was the least bad thing to do with mail that has viruses. All notification options have downsides and we thought this was the least bad. What do you do?

--
Robert Schmidt -- UNIX Tech Support
[EMAIL PROTECTED]
MC1021 519-888-4567 x6453
Re: [Clamav-users] Postmaster bounces and such.
On Friday 19 March 2004 21:51, Jim Maul wrote:
> > for spam and virus email) they will try to forward it on. The problem is
> > if that central server is using ClamAV it will bounce the message back
> > to the originating server.
> >
>
> Why are you bouncing mail back to the server?

Because he (for example) have alias:

postmaster: [EMAIL PROTECTED]

for collect mail errors from any servers in one certain mail account.

--
Regards, Sergey
Re: [Clamav-users] Troubles with recent clamav's
On Mar 19, 2004, at 05:17, Robert Blayzor wrote:

On 3/18/04 5:40 PM, "Doug Hardie" <[EMAIL PROTECTED]> wrote:

My quick look at the code behind --disable-urandom gave me the impression that it only disabled the test for urandom and forced clamd to use urandom. That's why I manually deleted the define. I guess I will have to look a bit closer. That would be easier to remember when moving to a new version.

From what I read through configure is that when using --disable-urandom it reverts back to using just rand(). Since I did this, our servers have been running 14+ hours without a single hang and all the databases seem to have loaded with a second or two instead of multiple minutes. I'm hoping that this urandom problem is addressed in the future. I'm not exactly sure of what the problem is and why clamd hangs, disabling /dev/urandom should not be the fix, but rather the workaround.

Well, I went back and rebuilt clamd with --disable-urandom and that's exactly what it does. It comments out the define of C_URANDOM. I don't quite see how it does that yet, but that's not important. It makes clamd stable for me. I agree that not checking for errors in the read statement is incorrect, but the workaround does work.
Re: [Clamav-users] Postmaster bounces and such.
Robert Schmidt wrote:

It would be fine if the originating server never got the virus in the first place, but we have to run ClamAV in an "accept on time-out" mode in case the milter has disappeared, so it is quite possible that viruses end up on the machine.

I don't have any problems with the milter itself crashing, but clamd dies every other day or so it seems, but that problem was worked around by running clamdwatch.pl in a cronjob every minute. I'm not sure how you could check to make sure the milter itself hasn't gone to sleep, but it might be possible

--
Ryan Moore -- Perigee.net Corporation
704-849-8355 (sales) 704-849-8017 (tech)
www.perigee.net
Re: [Clamav-users] Postmaster bounces and such.
On Friday 19 March 2004 9:21 pm, Robert Schmidt wrote:
> We bounce messages that have viruses.

That sounds like a terrible idea.

The number of viruses which do not have forged sender addresses these days is so small that you can ignore them.

If you bounce the rest, you are sending unwanted and irrelevant emails to innocent users who didn't send anything to you, and who will regard your bounce messages basically as spam.

Well, that's my 2p, anyway.

Regards, Antony.

--
Your work is both good and original. Unfortunately the parts that are good aren't original, and the parts that are original aren't good. - Samuel Johnson

Please reply to the list; please don't CC me.
[Clamav-users] sendmail: clmilter.sock is unsafe
I've made some progress. The sendmail out of memory stuff is gone, but now sendmail is complaining that the clmilter.sock is unsafe. I've Googled myself into a tizzy, but can't find a fix.

These errors are in /var/log/maillog.

  Mar 19 15:22:45 ciscy sendmail[18114]: i2JLMjNR018114: Milter (clmilter): local socket name /var/run/clamav/clmilter.sock unsafe
  Mar 19 15:22:45 ciscy sendmail[18114]: i2JLMjNR018114: Milter (clmilter): to error state

This is how the milter is referenced in sendmail.mc

  INPUT_MAIL_FILTER(`clmilter',`S=local:/var/run/clamav/clmilter.sock,F=, T=S:4m;R:4m')dnl
  define(`confINPUT_MAIL_FILTERS', `clmilter')

The milter and daemon seem to be running as expected

  # ps -ef |grep clam
  clamav 17615 1 0 14:18 ? 00:00:00 /usr/sbin/clamd
  clamav 17637 1 0 14:18 ? 00:00:00 /usr/sbin/clamav-milter --max-children=10 --force-scan --quiet --dont-log-clean --server=localhost local:/var/run/clamav/clamav-milter.sock

The milter config file follows:

  [/etc/sysconfig]# more clamav-milter
  CLAMAV_FLAGS="--max-children=10 --force-scan --quiet --dont-log-clean --server=localhost local:/var/run/clamav/clamav-milter.sock"

The directory and run files seem appropriately secured:

  # ls -ld /var/run/clamav/
  drwx-T 2 clamav clamav 4096 Mar 19 14:18 /var/run/clamav/
  # ls -l /var/run/clamav/
  total 4
  srwx-- 1 clamav clamav 0 Mar 19 14:18 clamav-milter.sock
  -rwx-- 1 clamav clamav 5 Mar 19 14:18 clamd.pid
  srwx-- 1 clamav clamav 0 Mar 19 14:18 clamd.sock

I've also tried changing the directory security to

  drwxr--r-- 2 clamav root 4096 Mar 19 15:37 clamav

--
Steve
Re: [Clamav-users] reject=451 4.7.1 Please try again later
On Fri, 19 Mar 2004, Nigel Horne wrote:
>
> > Mar 19 13:37:36 topaz clamav-milter[17382]: [ID 910239 mail.error] write
> > failure to clamd
>
> That reads to me that clamd has gone away

No, it's still alive, as I said, next mails are received properly. Andrei Bucur says the same.

Krzysztof Snopek
Re: [Clamav-users] reject=451 4.7.1 Please try again later
On Fri, 19 Mar 2004, Spike Ilacqua wrote:
> server). I think it has something to do with the particular message,
> because the same message will fail more than once if deferred by the
> milter.

Right, I saw single message from particular address rejected many times, while other mail is accepted without problems.

Krzysztof Snopek
Re: [Clamav-users] Postmaster bounces and such.
On Fri, 19 Mar 2004, Antony Stone wrote:
> If you bounce the rest, you are sending unwanted and irrelevant emails to
> innocent users who didn't send anything to you, and who will regard your
> bounce messages basically as spam.

Worse than that, if the virus is still attached, you're now sending it to someone who might not have otherwise received it. You're helping to spread the infection.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]
Re: [Clamav-users] Postmaster bounces and such.
On Fri, 2004-03-19 at 17:01, jef moskot wrote:
> Worse than that, if the virus is still attached, you're now sending it to
> someone who might not have otherwise received it. You're helping to
> spread the infection.

When I say bounce I mean reject. We try not to accept them. But sometimes we end up accepting them and they will "bounce" back.

If we warn sender we will often be sending messages to people who have been spoofed (it will always go to the sender's email address). If we warn recipient then they will flood us asking for information about email that has been sent to them.

Rejection is fairly popular, but it is a game of hot potato. Someone's smtp server has the message and will need to deal with it. It is bad practice to drop messages in the round file and not tell anyone about it.

--
Robert Schmidt -- UNIX Tech Support
[EMAIL PROTECTED]
MC1021 519-888-4567 x6453
[Clamav-users] sendmail: clmilter.sock is unsafe: I AM AN IDIOT
I am an idiot. The sock file was defined with one name in sendmail.mc and another in the configuration file for the milter itself. I made them the same and sendmail is happy.

so what's supposed to happen when it detects a virus? When I send myself a message with eicar.com attached, this header gets added, but nothing is done:

  X-Virus-Scanned: clamd / ClamAV version 0.70rc, clamav-milter version 0.70

clamav-milter is started with these parms:

  /usr/sbin/clamav-milter -lo --max-children=10 --force-scan --quiet --dont-log-clean --server=localhost local:/var/run/clamav/clamav-milter.sock

--
Steve
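An added example, not part of Steve's message and not sendmail or ClamAV code: a check for the mismatch he describes, comparing the socket named in sendmail.mc with the one passed to clamav-milter in /etc/sysconfig/clamav-milter. The two "before" inputs are copied from his earlier message; the "after" input is constructed, assuming the sendmail.mc side was changed to the milter's name (the post does not say which side was edited).

```python
import os
import re
import shlex
import stat

# m4 quoting: opening backtick, closing single quote.
MC_FILTER = re.compile(r"INPUT_MAIL_FILTER\(`([^']+)',\s*`([^']*)'\)")
SOCKET_PREFIXES = ("local:", "unix:", "inet:", "inet6:")


def bare_path(spec):
    """Filesystem path of a local/unix socket spec, or None for inet ones."""
    for prefix in ("local:", "unix:"):
        if spec.startswith(prefix):
            return spec[len(prefix):]
    return None


def mc_sockets(mc_text):
    """Map filter name -> S= socket spec, skipping dnl-commented lines."""
    sockets = {}
    for line in mc_text.splitlines():
        if line.lstrip().startswith("dnl"):
            continue
        for name, args in MC_FILTER.findall(line):
            spec = re.search(r"(?:^|,)\s*S=([^,]+)", args)
            if spec:
                sockets[name] = spec.group(1).strip()
    return sockets


def milter_socket(sysconfig_text):
    """Socket argument inside CLAMAV_FLAGS="...", or None if absent."""
    flags = re.search(r"^\s*CLAMAV_FLAGS=(.*)$", sysconfig_text, re.M)
    if not flags:
        return None
    for token in shlex.split(flags.group(1)):  # strips the outer quotes
        for arg in token.split():
            if arg.startswith(SOCKET_PREFIXES):
                return arg
    return None


def path_is_socket(path):
    """True only if the path exists and is a Unix-domain socket."""
    try:
        return stat.S_ISSOCK(os.stat(path).st_mode)
    except OSError:
        return False


def compare(mc_text, sysconfig_text, is_socket=path_is_socket):
    """Return a list of human-readable findings; empty means consistent."""
    milter = milter_socket(sysconfig_text)
    if milter is None:
        return ["no socket argument found in CLAMAV_FLAGS"]
    filters = mc_sockets(mc_text)
    if not filters:
        return ["no active INPUT_MAIL_FILTER line in sendmail.mc"]
    findings = []
    for name, spec in filters.items():
        if (bare_path(spec) or spec) != (bare_path(milter) or milter):
            findings.append(f"{name}: sendmail.mc uses {spec} "
                            f"but clamav-milter is given {milter}")
        path = bare_path(spec)
        if path is not None and not is_socket(path):
            findings.append(f"{name}: {path} is not an existing socket")
    return findings


# Copied from the earlier message in this thread.
MC_BEFORE = ("INPUT_MAIL_FILTER(`clmilter',"
             "`S=local:/var/run/clamav/clmilter.sock,F=, T=S:4m;R:4m')dnl\n"
             "define(`confINPUT_MAIL_FILTERS', `clmilter')\n")
SYSCONFIG = ('CLAMAV_FLAGS="--max-children=10 --force-scan --quiet '
             '--dont-log-clean --server=localhost '
             'local:/var/run/clamav/clamav-milter.sock"\n')
# Constructed: the same line after aligning it with the milter's socket name.
MC_AFTER = MC_BEFORE.replace("clmilter.sock", "clamav-milter.sock")

if __name__ == "__main__":
    for finding in compare(MC_BEFORE, SYSCONFIG):
        print(finding)
```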
Re: [Clamav-users] Postmaster bounces and such.
On Fri, 19 Mar 2004, Antony Stone wrote:
> On Friday 19 March 2004 9:21 pm, Robert Schmidt wrote:
>
> > We bounce messages that have viruses.
>
> That sounds like a terrible idea.

Depends on what he meant by "bounce". These days, I find it useful to distinguish between "reject" and "send notification".

> The number of viruses which do not have forged sender addresses these days is
> so small that you can ignore them.
>
> If you bounce the rest, you are sending unwanted and irrelevant emails to
> innocent users who didn't send anything to you, and who will regard your
> bounce messages basically as spam.

I'll readily agree that creating new notification messages is just stupid. Rejecting the message (with a 550 status, for example) is the best thing to do. This leaves it up to the machine sending the virus to generate a bounce. Given that the sender is almost always the infected machine, no bounce will be generated.

This has the (minor) downside that messages that came through a relay first will generate a bounce (from the relay) to an innocent third party. On the other hand, it has the (major) upside that it is robust against false positives, while minimizing the number of bounce messages being passed around.

Damian Menscher
--
-=#| Physics Grad Student & SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| <[EMAIL PROTECTED]> www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
-=#| The above opinions are not necessarily those of my employers: |#=-
-=#| UIUC CITES Security Group || Beckman Imaging Technology Group |#=-
RE: [Clamav-users] Postmaster bounces and such.
> On Fri, 2004-03-19 at 12:51, Jim Maul wrote:
>> > We tend to forward the postmaster account off each of our mail
>> > servers to other central servers that the admins read it on. If the
>> > postmaster account receives a virus (they are fairly popular addresses
>> > for spam and virus email) they will try to forward it on. The problem
>> is
>> > if that central server is using ClamAV it will bounce the message back
>> > to the originating server.
>> >
>>
>> Why are you bouncing mail back to the server?
>>
>
> We bounce messages that have viruses. We decided that was the least bad
> thing to do with mail that has viruses. All notification options have
> downsides and we thought this was the least bad. What do you do?
>

The message gets quarantined and no one is notified. When most virii sent are not from actual people, why even bother bouncing the message?

Jim
Re: [Clamav-users] sendmail: clmilter.sock is unsafe: I AM AN IDIOT
Steven Stern wrote:
> I am an idiot. The sock file was defined with one name in sendmail.mc and
> another in the configuration file for the milter itself. I made them the
> same and sendmail is happy.
>
> So what's supposed to happen when it detects a virus? When I send myself a
> message with eicar.com attached, this header gets added, but nothing is done:
>
> X-Virus-Scanned: clamd / ClamAV version 0.70rc, clamav-milter version 0.70
>
> clamav-milter is started with these parms:
>
> /usr/sbin/clamav-milter -lo --max-children=10 --force-scan --quiet --dont-log-clean --server=localhost local:/var/run/clamav/clamav-milter.sock
>
> --
> Steve

You probably want the -b option to reject the DATA phase of the SMTP session if the milter detects a virus.

- Ryan Moore
--
Perigee.net Corporation
704-849-8355 (sales)
704-849-8017 (tech)
www.perigee.net
[Clamav-users] New version of clamav for windows
Hello all,

It's been a while, but I just uploaded a completely new build of clamav for Windows. It's based off of today's CVS.

http://www.sosdg.org/clamav-win32

I still haven't gotten the DLL version to build or work properly (ie: cygclamav-90.dll thing, or whatever it's called).

This version also includes the latest virusdb, and should be somewhat stable.

--
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.sosdg.org

The Abusive Hosts Blocking List
http://www.ahbl.org
Re: [Clamav-users] reject=451 4.7.1 Please try again later
On Fri, 19 Mar 2004 22:48:05 +0100 (CET) Krzysztof Snopek <[EMAIL PROTECTED]> wrote:

> On Fri, 19 Mar 2004, Nigel Horne wrote:
>
> > > Mar 19 13:37:36 topaz clamav-milter[17382]: [ID 910239 mail.error]
> > > write failure to clamd
> >
> > That reads to me that clamd has gone away
>
> No, it's still alive, as I said, next mails are received properly.
> Andrei Bucur says the same.

We need more details to reproduce the problem - could you please catch some problematic mails?

--
Tomasz Kojm <[EMAIL PROTECTED]>
http://www.ClamAV.net/gpg/tkojm.gpg
0DCA5A08407D5288279DB43454822DC8985A444B
Fri Mar 19 23:57:37 CET 2004
Re: [Clamav-users] Troubles with recent clamav's
On Fri, 19 Mar 2004 13:27:46 -0800 Doug Hardie <[EMAIL PROTECTED]> wrote:

> Well, I went back and rebuilt clamd with --disable-urandom and that's
> exactly what it does. It comments out the define of C_URANDOM. I
> don't quite see how it does that yet, but that's not important. It
> makes clamd stable for me. I agree that not checking for errors in the
> read statement is incorrect, but the workaround does work.

The CVS version no longer supports /dev/urandom:

Sat Mar 20 00:16:26 CET 2004 (tk)
---------------------------------
  * libclamav: cl_gentemp(): do not use /dev/urandom

--
Tomasz Kojm <[EMAIL PROTECTED]>
http://www.ClamAV.net/gpg/tkojm.gpg
0DCA5A08407D5288279DB43454822DC8985A444B
Sat Mar 20 00:18:51 CET 2004
Re: [Clamav-users] sendmail: clmilter.sock is unsafe
On Fri, 19 Mar 2004 18:25:25 -0500 (EST), Pat Masterson <[EMAIL PROTECTED]> wrote:

>Steve, I had the same problem, and do this in my start script:
>rm /var/run/clamav/clmilter.sock
>chmod 777 /var/run/clamav/
>=> start milter here <=
>chmod 755 /var/run/clamav/
>=> start sendmail here <=
>
>And nobody complains. -pat

I finally got it to work:

ls -ld /var/run/clamav
drwxr-xr-x 2 clamav root 4096 Mar 19 16:31 /var/run/clamav

ls -l /var/run/clam*
total 4
srwx-- 1 clamav clamav 0 Mar 19 16:11 clamav-milter.sock
-rw-rw 1 clamav clamav 5 Mar 19 16:31 clamd.pid
srwxrwxrwx 1 clamav clamav 0 Mar 19 16:31 clamd.sock

Sendmail gets all barfy if the directory is group writable. The key was changing the ownership of the directory from root to clamav.

--
Steve
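A check for the two conditions named in the post above (the socket directory's owner, and group or world write bits on it), as an added example that is not part of the original thread. The function name, the `stop_at` parameter and the walk over parent directories are assumptions of this example; the demo runs on a constructed temporary directory instead of /var/run.

```python
import os
import stat


def audit_milter_socket(sock_path, expected_uid, stop_at="/"):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    sock_path = os.path.abspath(sock_path)
    sock_dir = os.path.dirname(sock_path)
    stop_at = os.path.abspath(stop_at)

    # 1. The socket's own directory must be a real directory with the
    #    expected owner (the post fixed this by chown'ing it to clamav).
    st = os.lstat(sock_dir)
    if not stat.S_ISDIR(st.st_mode):
        findings.append(f"{sock_dir}: not a real directory")
    if st.st_uid != expected_uid:
        findings.append(f"{sock_dir}: owned by uid {st.st_uid}, expected {expected_uid}")

    # 2. Write bits on that directory and on its parents below stop_at.
    #    Checking the parents as well is an assumption of this example.
    d = sock_dir
    while d != stop_at and d != os.path.dirname(d):
        mode = os.lstat(d).st_mode
        if mode & stat.S_IWGRP:
            findings.append(f"{d}: group-writable ({stat.filemode(mode)})")
        if mode & stat.S_IWOTH:
            findings.append(f"{d}: world-writable ({stat.filemode(mode)})")
        d = os.path.dirname(d)

    # 3. The socket itself, if the milter has already created it.
    if os.path.lexists(sock_path):
        if not stat.S_ISSOCK(os.lstat(sock_path).st_mode):
            findings.append(f"{sock_path}: exists but is not a socket")
    return findings


if __name__ == "__main__":
    import tempfile
    base = tempfile.mkdtemp()              # constructed stand-in for /var/run
    run_dir = os.path.join(base, "clamav")
    os.mkdir(run_dir)
    sock = os.path.join(run_dir, "clamav-milter.sock")
    for mode in (0o777, 0o775, 0o755):     # 777 and 755 are the modes in the thread
        os.chmod(run_dir, mode)
        print(oct(mode), audit_milter_socket(sock, os.getuid(), base))
```

Run against a live system, pass the real socket path and the uid of the account the milter runs as.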
Re: [Clamav-users] pthreads instability?
On Fri, 2004-03-19 at 12:04, Sergey wrote:

> Fri Mar 19 10:15:31 2004 -> ERROR: accept() failed: Too many open files
> Fri Mar 19 10:15:32 2004 -> ERROR: accept() failed: Too many open files
> Fri Mar 19 10:15:33 2004 -> ERROR: accept() failed: Too many open files

How do your numbers compare to this:

# cat /proc/sys/fs/file-{nr,max}
40503413209708
209708

> Fri Mar 19 23:43:44 2004 -> ERROR: ScanStream: Can't write to temporary file.
> Fri Mar 19 23:43:46 2004 -> stream: Unable to create temporary directory. ERROR
> Fri Mar 19 23:43:48 2004 -> ERROR: ScanStream: Can't write to temporary file.
> Fri Mar 19 23:43:48 2004 -> stream: Unable to create temporary directory. ERROR
> Fri Mar 19 23:43:48 2004 -> ERROR: ScanStream: Can't write to temporary file.

Are you out of hard drive space? (df -h) Maybe out of inodes? (df -i)

Has this box been checked lately to see if it's been rooted?

Blue skies...
Todd
Re: [Clamav-users] Postmaster bounces and such.
On Fri, 19 Mar 2004 16:20:38 -0600 (CST), Damian Menscher <[EMAIL PROTECTED]> wrote:

>
>I'll readily agree that creating new notification messages is just
>stupid. Rejecting the message (with a 550 status, for example) is the
>best thing to do. This leaves it up to the machine sending the virus to
>generate a bounce. Given that the sender is almost always the infected
>machine, no bounce will be generated. This has the (minor) downside
>that messages that came through a relay first will generate a bounce
>(from the relay) to an innocent third party. On the other hand, it has
>the (major) upside that it is robust against false positives, while
>minimizing the number of bounce messages being passed around.
>

How do I set sendmail and/or the milter to reject the message with a 550? Right now, the message just seems to disappear and a message goes into root's mailbox.

--
Steve
Re: [Clamav-users] sendmail: clmilter.sock is unsafe: I AM AN IDIOT
On Fri, 19 Mar 2004 17:51:11 -0500, Ryan Moore <[EMAIL PROTECTED]> wrote:

>
>You probably want the -b option to reject the DATA phase of the SMTP
>session if the milter detects a virus.
>

I added the -b option to clamav-milter. As root, I typed
" cat eircar.com | mail steve -s test "

Sendmail didn't like it. There's got to be more to it, I think.

Mar 19 17:47:32 ciscy sendmail[20091]: i2JNlWJw020091: from=root, size=97, class=0, nrcpts=1, msgid=<[EMAIL PROTECTED]>, [EMAIL PROTECTED]
Mar 19 17:47:32 ciscy sendmail[20093]: i2JNlWSR020093: from=<[EMAIL PROTECTED]>, size=398, class=0, nrcpts=1, msgid=<[EMAIL PROTECTED]>, proto=ESMTP, daemon=MTA, relay=ciscy.sterndata.com [127.0.0.1]
Mar 19 17:47:32 ciscy sendmail[20093]: i2JNlWSR020093: Milter: data, reject=550 5.7.1 Virus detected by ClamAV - http://www.clamav.net

OK, the milter sets the 550 code

Mar 19 17:47:32 ciscy sendmail[20093]: i2JNlWSR020093: to=<[EMAIL PROTECTED]>, delay=00:00:00, pri=30398, stat=Virus detected by ClamAV - http://www.clamav.net
Mar 19 17:47:32 ciscy sendmail[20091]: i2JNlWJw020091: to=steve, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30097, relay=[127.0.0.1] [127.0.0.1], dsn=5.0.0, stat=Service unavailable
Mar 19 17:47:32 ciscy sendmail[20091]: i2JNlWJw020091: i2JNlWJx020091: DSN: Service unavailable
Mar 19 17:47:32 ciscy sendmail[20093]: i2JNlWST020093: from=<>, size=2019, class=0, nrcpts=1, msgid=<[EMAIL PROTECTED]>, proto=ESMTP, daemon=MTA, relay=ciscy.sterndata.com [127.0.0.1]
Mar 19 17:47:32 ciscy sendmail[20093]: i2JNlWST020093: Milter: data, reject=550 5.7.1 Virus detected by ClamAV - http://www.clamav.net
Mar 19 17:47:32 ciscy sendmail[20093]: i2JNlWST020093: to=<[EMAIL PROTECTED]>, delay=00:00:00, pri=32019, stat=Virus detected by ClamAV - http://www.clamav.net
Mar 19 17:47:32 ciscy sendmail[20091]: i2JNlWJx020091: to=root, delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=31121, relay=[127.0.0.1] [127.0.0.1], dsn=5.0.0, stat=Service unavailable
Mar 19 17:47:32 ciscy sendmail[20091]: i2JNlWJx020091: i2JNlWK0020091: return to sender: Service unavailable

but sendmail doesn't know what to do with it

but we can see the virus file continues to get passed around, getting passed through the milter again

Mar 19 17:47:32 ciscy sendmail[20093]: i2JNlWSV020093: from=<>, size=3690, class=0, nrcpts=1, msgid=<[EMAIL PROTECTED]>, proto=ESMTP, daemon=MTA, relay=ciscy.sterndata.com [127.0.0.1]
Mar 19 17:47:32 ciscy sendmail[20093]: i2JNlWSV020093: Milter: data, reject=550 5.7.1 Virus detected by ClamAV - http://www.clamav.net
Mar 19 17:47:32 ciscy sendmail[20093]: i2JNlWSV020093: to=<[EMAIL PROTECTED]>, delay=00:00:00, pri=33690, stat=Virus detected by ClamAV - http://www.clamav.net
Mar 19 17:47:32 ciscy sendmail[20091]: i2JNlWK0020091: to=postmaster, delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=32145, relay=[127.0.0.1] [127.0.0.1], dsn=5.0.0, stat=Service unavailable
Mar 19 17:47:32 ciscy sendmail[20091]: i2JNlWJx020091: Losing ./qfi2JNlWJx020091: savemail panic
Mar 19 17:47:32 ciscy sendmail[20091]: i2JNlWJx020091: SYSERR(root): savemail: cannot save rejected email anywhere

*** and it's gone

--
Steve
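The rejection chain in the log above, traced per queue id, as an added example that is not part of the original post. The sample lines are constructed from the log shown there (same queue ids, trimmed fields, placeholder host and addresses), and the function name and regular expressions are assumptions that cover only those line shapes.

```python
import re

# Constructed sample modelled on the sendmail log quoted in the post above;
# queue ids are the ones shown there, host and addresses are placeholders.
SAMPLE_LOG = """\
Mar 19 17:47:32 mx sendmail[20091]: i2JNlWJw020091: from=root, size=97, nrcpts=1
Mar 19 17:47:32 mx sendmail[20093]: i2JNlWSR020093: from=<root@mx.example>, size=398, nrcpts=1
Mar 19 17:47:32 mx sendmail[20093]: i2JNlWSR020093: Milter: data, reject=550 5.7.1 Virus detected by ClamAV
Mar 19 17:47:32 mx sendmail[20091]: i2JNlWJw020091: to=steve, dsn=5.0.0, stat=Service unavailable
Mar 19 17:47:32 mx sendmail[20091]: i2JNlWJw020091: i2JNlWJx020091: DSN: Service unavailable
Mar 19 17:47:32 mx sendmail[20093]: i2JNlWST020093: from=<>, size=2019, nrcpts=1
Mar 19 17:47:32 mx sendmail[20093]: i2JNlWST020093: Milter: data, reject=550 5.7.1 Virus detected by ClamAV
Mar 19 17:47:32 mx sendmail[20091]: i2JNlWJx020091: i2JNlWK0020091: return to sender: Service unavailable
Mar 19 17:47:32 mx sendmail[20093]: i2JNlWSV020093: from=<>, size=3690, nrcpts=1
Mar 19 17:47:32 mx sendmail[20093]: i2JNlWSV020093: Milter: data, reject=550 5.7.1 Virus detected by ClamAV
Mar 19 17:47:32 mx sendmail[20091]: i2JNlWJx020091: Losing ./qfi2JNlWJx020091: savemail panic
"""

LINE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): (?P<rest>.*)$")
SENDER = re.compile(r"^from=(?P<addr><[^>]*>|[^,]+),")
REJECT = re.compile(r"^Milter: \w+, reject=(?P<code>\d{3}) ")
CHILD = re.compile(r"^(?P<child>\w+): (?:DSN|return to sender|postmaster notify): ")


def analyse(log_text):
    """Group sendmail log lines by queue id and summarise the rejection chain."""
    sender, rejects, child_of, panics = {}, [], {}, []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        qid, rest = m["qid"], m["rest"]
        if (s := SENDER.match(rest)):
            sender[qid] = s["addr"]
        elif (r := REJECT.match(rest)):
            rejects.append((qid, r["code"]))
        elif (c := CHILD.match(rest)):
            child_of[qid] = c["child"]      # parent queue id -> bounce it generated
        elif rest.endswith("savemail panic"):
            panics.append(qid)
    # A milter-rejected message whose sender is <> is itself a bounce: per the
    # post, the bounce still carries the virus and is rejected again.
    bounces = [q for q, _ in rejects if sender.get(q) == "<>"]
    # Follow parent -> child links from each root to list the bounce generations.
    roots = [q for q in child_of if q not in child_of.values()]
    chains = []
    for q in roots:
        chain = [q]
        while chain[-1] in child_of and child_of[chain[-1]] not in chain:
            chain.append(child_of[chain[-1]])
        chains.append(chain)
    return {"rejects": rejects, "rejected_bounces": bounces,
            "dsn_chains": chains, "lost": panics}


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A non-empty `rejected_bounces` list together with an entry in `lost` is the pattern in the post: a locally submitted message is rejected, each bounce is rejected in turn, and sendmail finally drops it.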
Re: [Clamav-users] sendmail: clmilter.sock is unsafe: I AM AN IDIOT
On Fri, 19 Mar 2004 17:55:03 -0600, Steven Stern <[EMAIL PROTECTED]> wrote:

>

It works appropriately if the mail comes from an external server. I'm leaving -b in place and will see how it goes for a while.

--
Steve
Re: [Clamav-users] sendmail: clmilter.sock is unsafe: I AM AN IDIOT
Steven Stern wrote:
> On Fri, 19 Mar 2004 17:55:03 -0600, Steven Stern <[EMAIL PROTECTED]> wrote:
>
> It works appropriately if the mail comes from an external server. I'm
> leaving -b in place and will see how it goes for a while.
>
> --
> Steve

Yeah, that's how we do it here, I wasn't thinking of mail being delivered locally (or how it would handle that). Our sendmail box is just a relay gateway for a few rbls and milters before being passed onto spamassassin/amavisd and a pop3 server.

-- Ryan Moore
--
Perigee.net Corporation
704-849-8355 (sales)
704-849-8017 (tech)
www.perigee.net
Re: [Clamav-users] Postmaster bounces and such.
On Fri, 19 Mar 2004, Robert Schmidt wrote:

> When I say bounce I mean reject.

That's better, but still makes the problem worse. At the very least, you should filter out rejections from worms.

> It is bad practice to drop messages in the round file and not tell
> anyone about it.

Not if the message was not sent out by a human, but by an automatic system designed to cause problems (which get exacerbated by rejections that cause nothing but added traffic and confusion).

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]
Re: [Clamav-users] clamd and logging to /dev/stdout
On Fri, 19 Mar 2004 21:43:03 +0100 Andrej Trobentar <[EMAIL PROTECTED]> wrote:

> Hello all,
>
> I'm trying to set up clamd with multilog. I have followed the post
> located on
> http://www.mail-archive.com/[EMAIL PROTECTED]/msg06804.html,
>
> but if I set LogFile to /dev/stdout and do a "svc -d /service/clamd ;
> svc -u /service/clamd" I get a zombie process (Z flag in "ps ax"). If
> I omit the LogFile (or use LogSyslog) everything works fine. My
> clamav.conf looks like this :

Attached you will find a patch from Alexandre Biancalana which adds support for logging to stdout. It's still waiting for revision and inclusion, but you might like to try it (please let me know if it works).

--
Tomasz Kojm <[EMAIL PROTECTED]>
http://www.ClamAV.net/gpg/tkojm.gpg
0DCA5A08407D5288279DB43454822DC8985A444B
Sat Mar 20 03:08:08 CET 2004

stdout-log.patch Description: Binary data
Re: [Clamav-users] Clamd randomly hanging then eventually continuing
On Wed, 17 Mar 2004 22:49:37 -0500 Robert Blayzor <[EMAIL PROTECTED]> wrote:

> I am running devel snapshot 20040415 on FreeBSD 4.9.
>
> I'm having a problem with clamd, the process randomly hanging on
> either reloading the database and sometimes scanning mbox files. It's
> very strange. When the processes hangs clamd is using 99.9% of the
> CPU (so says top) until it eventually releases and continues several
> minutes later.

Please configure clamav with --disable-urandom or better checkout CVS.

--
Tomasz Kojm <[EMAIL PROTECTED]>
http://www.ClamAV.net/gpg/tkojm.gpg
0DCA5A08407D5288279DB43454822DC8985A444B
Sat Mar 20 03:13:59 CET 2004
Re: [Clamav-users] Owner gets overwritten during installation
On Wed, 17 Mar 2004 15:35:28 +0100 Wolfgang Cernohorsky <[EMAIL PROTECTED]> wrote:

> After updating to v0.70-rc I've noticed, that the owner of the
> database directories (/usr/local/share/clamav on my linux box) changes
> to clamav but clamav runs on my box under user amavisd, so does
> freshclam - this causes permission problems when a new database update
> comes in.

Just run clamav's configure with --with-user=amavisd

--
Tomasz Kojm <[EMAIL PROTECTED]>
http://www.ClamAV.net/gpg/tkojm.gpg
0DCA5A08407D5288279DB43454822DC8985A444B
Sat Mar 20 03:28:15 CET 2004