Re: [Clamav-users] clamd dieing again, got some debug information.
On Mon, 2004-06-21 at 18:35, Christopher X. Candreva wrote:
> Segmentation Fault

Please test with current CVS (as of now).

Thanks
-trog
Re: [Clamav-users] [Fwd: memory hog in 0.72 and 0.73]
On Wed, 23 Jun 2004 at 17:40:19 -0300, René Bellora wrote:
> i found the offending email. It's a 134mb email. It contains a 100mb
> file. If i scan the file alone, memory consumption reaches 13mb. If i
> scan the raw email, the memory consumption reaches 360mb. Any

I don't consider a 134 mb email as big ;-) .
I don't even believe that 1 b (1 bit) is divisible into 1 thousand parts
(1 mb means 1 millibit) :-| .

I _do_ consider a 134 MB email as big, though.

--
Tomasz Papszun    SysAdm @ TP S.A. Lodz, Poland  | And it's only
[EMAIL PROTECTED]   http://www.lodz.tpsa.pl/iso/ | ones and zeros.
[EMAIL PROTECTED]   http://www.ClamAV.net/   A GPL virus scanner

---
This SF.Net email sponsored by Black Hat Briefings & Training.
Attend Black Hat Briefings & Training, Las Vegas July 24-29 -
digital self defense, top technical experts, no vendor pitches,
unmatched networking opportunities. Visit www.blackhat.com
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users
Re: [Clamav-users] /etc/cron.daily/freshclam exited with return code 1
On 24.06.2004, at 03:21, Todd Lyons wrote:

> Philipp Ringli wanted us to know:
> > + /usr/bin/freshclam --quiet --datadir=/var/lib/clamav --log=/var/log/clamav/freshclam.log
>
> Run it from the commandline like this:
> /usr/bin/freshclam --datadir=/var/lib/clamav --log=/var/log/clamav/freshclam.log
>
> You can also add --verbose into that line. Here's what it looks like on
> mine:
>
> smtp1 conf # /usr/bin/freshclam --datadir="/var/lib/clamav" \
>   --log="/var/log/clamav/freshclam.log" --log-verbose --verbose \
>   --daemon-notify="/etc/clamav.conf"
> Current working dir is /var/lib/clamav
> Max retries == 3
> ClamAV update process started at Wed Jun 23 18:21:00 2004
> Connected to database.clamav.net (64.69.64.158).
> Reading CVD header (main.cvd): OK
> main.cvd is up to date (version: 23, sigs: 21096, f-level: 2, builder: ddm)
> Connected to database.clamav.net (64.69.64.158).
> Reading CVD header (daily.cvd): OK
> daily.cvd is up to date (version: 367, sigs: 970, f-level: 2, builder: diego)
> Freeing option list...done
> smtp1 conf # vdir -d /var/lib/clamav
> drwxr-xr-x 2 clamav clamav 4096 Jun 23 05:10 /var/lib/clamav
> smtp1 conf # vdir -d /var/log/clamav
> drwxr-xr-x 2 clamav clamav 4096 Jun 16 17:18 /var/log/clamav
>
> Good luck!
> --
> Regards... Todd

todd,

i did that and i get this:

[EMAIL PROTECTED] /]# /usr/bin/freshclam --datadir=/var/lib/clamav --log=/var/log/clamav/freshclam.log --verbose
Current working dir is /var/lib/clamav
ClamAV update process started at Thu Jun 24 11:25:06 2004
Connected to database.clamav.net (212.31.160.239).
Reading CVD header (main.cvd): OK
main.cvd is up to date (version: 23, sigs: 21096, f-level: 2, builder: ddm)
Connected to database.clamav.net (212.31.160.239).
Reading CVD header (daily.cvd): OK
daily.cvd is up to date (version: 367, sigs: 970, f-level: 2, builder: diego)

[EMAIL PROTECTED] /]# vdir -d /var/lib/clamav
drwxr-xr-x 2 clamav clamav 4096 Jun 24 04:02 /var/lib/clamav
[EMAIL PROTECTED] /]# vdir -d /var/log/clamav
drwxr-xr-x 2 clamav clamav 4096 Jun 1 04:02 /var/log/clamav

but i still get email notification from my server:

+ LOG_FILE=/var/log/clamav/freshclam.log
+ '[' '!' -f /var/log/clamav/freshclam.log ']'
+ /usr/bin/freshclam --quiet --datadir=/var/lib/clamav --log=/var/log/clamav/freshclam.log

(no like that because of the set -x)

questions:
1. why am i getting the above email? nothing seems to be wrong, or is there?
2. where could i edit the email address this is sent to?

sorry for the newbish questions...

cheers, phil
Re: [Clamav-users] /etc/cron.daily/freshclam exited with return code 1
On Thu, 24 Jun 2004 at 11:32:15 +0200, Philipp Ringli wrote:
>
> todd,
>
> i did that and i get this:
>
> [EMAIL PROTECTED] /]# /usr/bin/freshclam --datadir=/var/lib/clamav
> --log=/var/log/clamav/freshclam.log --verbose
> Current working dir is /var/lib/clamav
> ClamAV update process started at Thu Jun 24 11:25:06 2004
> Connected to database.clamav.net (212.31.160.239).
> Reading CVD header (main.cvd): OK
> main.cvd is up to date (version: 23, sigs: 21096, f-level: 2, builder:
> ddm)
> Connected to database.clamav.net (212.31.160.239).
> Reading CVD header (daily.cvd): OK
> daily.cvd is up to date (version: 367, sigs: 970, f-level: 2, builder:
> diego)
>
>
> but i still get email notification from my server:
> + LOG_FILE=/var/log/clamav/freshclam.log
> + '[' '!' -f /var/log/clamav/freshclam.log ']'
> + /usr/bin/freshclam --quiet --datadir=/var/lib/clamav
> --log=/var/log/clamav/freshclam.log
> (no like that because of the set -x)
>
> questions:
> 1. why am i getting the above email? nothing seems to be wrong, or is
> there?
> 2. where could i edit the email address this is sent to?
>
> sorry for the newbish questions...
>

Philipp,

Ad 1)
If I understand correctly, you succeeded in getting rid of errors and
warnings like

"Cron <[EMAIL PROTECTED]> nice -n 19 run-parts /etc/cron.daily
run-parts: /etc/cron.daily/freshclam exited with return code 1
error: Ignoring xdm.rpmnew, because of .rpmnew ending"

and

"run-parts: component /etc/cron.daily/.freshclam.swp is not an
executable plain file".

And now you just don't want to get emails about updating database,
right?

So in your /etc/cron/daily/freshclam add redirecting output to /dev/null

Add to the last part of command ">/dev/null" or even ">/dev/null 2>&1"
(but you'd better receive errors when something goes wrong, so use the
first form).
E.g.:

/usr/bin/freshclam \
    --quiet \
    --datadir=/var/lib/clamav \
    --log=$LOG_FILE >/dev/null

Ad 2)
You can try to redirect output to mail to a particular user.
Maybe this will work:

/usr/bin/freshclam \
    --quiet \
    --datadir=/var/lib/clamav \
    --log=$LOG_FILE | mail someuser

Of course remove "set -x" as it was needed only for debugging.

--
Tomasz Papszun    SysAdm @ TP S.A. Lodz, Poland  | And it's only
[EMAIL PROTECTED]   http://www.lodz.tpsa.pl/iso/ | ones and zeros.
[EMAIL PROTECTED]   http://www.ClamAV.net/   A GPL virus scanner
Re: [Clamav-users] clamd dieing again, got some debug information.
On Thu, 24 Jun 2004, Trog wrote:

> On Mon, 2004-06-21 at 18:35, Christopher X. Candreva wrote:
> > Segmentation Fault
> Please test with current CVS (as of now).
> Thanks
> -trog

Before proceeding I have to apologise in advance for this email.
Yesterday I became aware that our nightly virus scan of our main file
server was dying at some point during its scan. I should have caught on
to it earlier but have been really busy and have taken (script) steps to
make sure this sort of thing gets a bigger red flag. The following
problem also involves a confidential Word document (if such a thing
actually exists) so I can't give you the file that caused the problem.

Hopefully however I can make up for these embarrassments by providing
you with all I could find out about the problem.

My first clue (that I noticed) was core files appearing at approx 5:20
in the morning. I tracked it down to the virus scan cron job.

/usr/local/bin/clamscan -r -i /public

The first one started appearing around the start of June 2004. This
corresponded to when I upgraded this particular box to ClamAV 0.72

I nailed it down to one Word 97 doc that was causing the above command
to Seg Fault - Sig 11. I quarantined the file and manually ran the cron
job again, no problems. I also updated my script to flag any failure of
clamscan to provide a report of its final result. I know it's my fault
that I failed to realise the report was missing in the cron email but
hey I'm human and snowed under. It's a matter of survival at the minute.

Recalling a clamd dieing thread on this list I wondered if I had
stumbled upon a similar problem but happening with clamscan. I therefore
checked out a CVS snapshot 20/06/2004 at 11:10 am BST onto my devel-box
(AMD Athlon running Mandrake 9.2 non-stock), built it with debug and
scanned the Word file.

Result - no problem and file was clean.

Then I used the stable build that was actually installed on the machine.
ClamAV-0.71 - Again Result no problem and file was clean.

I then configured stable build 0.73 (which is the version installed on
the file server that had the original problem) with debug and ran that -
Result CORE DUMP

I then did the same for ClamAV-0.72 - Result CORE DUMP

Summary :
    ClamAV-0.71  : Okay
    ClamAV-0.72  : Bug appeared
    ClamAV-0.73  : Bug still in
    clamav-devel : Bug fixed.

Hence the reason for this email. You appear to have fixed the problem
and this is now verified on a file other than the one you were working
on.

Although I should have picked this up earlier and I can't send you the
confidential document that caused the problem I want to help so :-

I hope I can help in some way by sending you the debug output from the
various ClamAV versions involved :-

- ClamAV-0.71

LibClamAV debug: Loading databases from /usr/local/share/clamav
LibClamAV debug: Loading /usr/local/share/clamav/daily.cvd
LibClamAV debug: /usr/local/share/clamav/daily.cvd: CVD file detected
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = 0ed8af09ec51f2b748a47b70004e487b
LibClamAV debug: Decoded signature: 0ed8af09ec51f2b748a47b70004e487b
LibClamAV debug: Digital signature is correct.
LibClamAV debug: in cli_untgz()
LibClamAV debug: Unpacking /home/jim/tmp/clamav-af31046a87829d3c/COPYING
LibClamAV debug: Unpacking /home/jim/tmp/clamav-af31046a87829d3c/viruses.db2
LibClamAV debug: Loading databases from /home/jim/tmp/clamav-af31046a87829d3c
LibClamAV debug: Loading /home/jim/tmp/clamav-af31046a87829d3c/viruses.db2
LibClamAV debug: Initializing trie.
LibClamAV debug: Loading /usr/local/share/clamav/main.cvd
LibClamAV debug: /usr/local/share/clamav/main.cvd: CVD file detected
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = 2afa38b2ececc44e99e396f97e94adef
LibClamAV debug: Decoded signature: 2afa38b2ececc44e99e396f97e94adef
LibClamAV debug: Digital signature is correct.
LibClamAV debug: in cli_untgz()
LibClamAV debug: Unpacking /home/jim/tmp/clamav-c77e9a5b022c1c96/COPYING
LibClamAV debug: Unpacking /home/jim/tmp/clamav-c77e9a5b022c1c96/viruses.db
LibClamAV debug: Loading databases from /home/jim/tmp/clamav-c77e9a5b022c1c96
LibClamAV debug: Loading /home/jim/tmp/clamav-c77e9a5b022c1c96/viruses.db
LibClamAV debug: Recognized OLE2 container file
LibClamAV debug: in cli_scanole2()
LibClamAV debug: in cli_ole2_extract()
LibClamAV debug: Magic: 0xLibClamAV debug: d0LibClamAV debug: cfLibClamAV debug: 11LibClamAV debug: e0LibClamAV debug: a1LibClamAV debug: b1LibClamAV debug: 1aLibClamAV debug: e1LibClamAV debug:
LibClamAV debug: CLSID: {LibClamAV debug: 0 LibClamAV debug: 0 LibClamAV debug: 0 LibClamAV debug: 0 LibClamAV debug: 0 LibClamAV debug: 0 LibClamAV debug: 0 LibClamAV debug: 0 LibClamAV debug: 0 LibClamAV debug: 0 LibClamAV debug: 0 LibClamAV debug: 0 LibClamAV debug: 0 LibClamAV debug: 0 LibClamAV debug: 0 LibClamAV
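
An added example (not from the thread and not ClamAV project code): a cron wrapper for the two problems discussed in the messages above, the freshclam job that mails on every run and the nightly clamscan whose crash went unnoticed in the cron mail. It stays silent for exit statuses listed as acceptable and otherwise prints the captured output with the exit status or signal number, so cron only sends mail when something needs attention. The function name `run_reported` and the lists of acceptable statuses are assumptions; check the return codes in the man pages of the installed version.

```shell
#!/bin/sh
# Added example: quiet-on-success, loud-on-failure wrapper for cron jobs.
#
# run_reported OK_CODES CMD [ARGS...]
#   OK_CODES  space-separated exit statuses that count as success
#             (an assumption per tool; check the installed man page).
#   Runs CMD with stdout and stderr captured. On an acceptable status it
#   prints nothing and returns 0. On anything else it prints a one-line
#   header plus the captured output and returns CMD's status, so cron
#   mails the report.
run_reported() {
    _rr_ok=$1
    shift
    _rr_out=$(mktemp) || return 125

    # "|| status=$?" keeps this safe in scripts that run under "set -e".
    _rr_status=0
    "$@" >"$_rr_out" 2>&1 || _rr_status=$?

    for _rr_code in $_rr_ok; do
        if [ "$_rr_status" -eq "$_rr_code" ]; then
            rm -f "$_rr_out"
            return 0
        fi
    done

    # A status above 128 means the shell saw the command die from a
    # signal: 139 = 128 + 11 (SIGSEGV), the crash described in the thread.
    if [ "$_rr_status" -gt 128 ]; then
        echo "FAILED: $* (killed by signal $((_rr_status - 128)))"
    else
        echo "FAILED: $* (exit status $_rr_status)"
    fi
    cat "$_rr_out"
    rm -f "$_rr_out"
    return "$_rr_status"
}

# Intended use in the cron scripts from the thread (commented out here so
# the example runs on a machine without ClamAV):
#
#   run_reported "0" /usr/bin/freshclam --quiet \
#       --datadir=/var/lib/clamav --log="$LOG_FILE"
#
#   # clamscan exits 1 when a virus is found; leaving 1 out of OK_CODES
#   # means findings are mailed as well as errors and crashes.
#   run_reported "0" /usr/local/bin/clamscan -r -i /public

# Demo with constructed stand-in commands:
run_reported "0 1" sh -c 'echo "daily.cvd is up to date"; exit 1' || true
run_reported "0" sh -c 'echo "constructed scanner error"; exit 2' || true
```

The first demo call prints nothing because status 1 is listed as acceptable; the second prints the failure header followed by the captured output.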
[Clamav-users] no socket mode on SuSE 9.1
Hi,

I've just made a fresh installation of SuSE 9.1 and installed clamav.
I changed the default SuSE clamav.conf to use a local socket but whatever I use clamavd won't start.
Without sockets it works.
SuSE currently distributes version 0.70 which is not the latest. I installed version 0.73 but it fails, too.

Any idea?

Best regards,
Olly
[Clamav-users] Not catching W32.Netsky.P ???
I have ClamAV 0.71 installed on RHES3 and updated to the latest definitions as of 06/24/2004. I don't know the AV signature file version number, but it's protecting against 22076 viruses.

This is integrated as a mail filter using SendMail, SpamAssassin & MIMEDefang and seems to be working correctly as the combination is correctly detecting and handling many infected e-mails.

The problem is that it's not detecting [EMAIL PROTECTED] (name as detected by Symantec Anti Virus). Why?

I would submit a sample, but Symantec AV is deleting the infected attachments as soon as it encounters them.

Thanks for the assistance!

Ken Morley
Re: [Clamav-users] clamav and smtp-vilter: not scan for certain domains
> I am using smtp-vilter-1.1.4 and ClamAV0.73 on OpenBSD-3.5
> Is there any way to customise smtp-vilter or ClamAV
> so mails from certain domain are scanned for virus?
> Or mails from certain domain are NOT scanned for virus?

I don't know about smtp-vilter, but clamav-milter may do this
by --local option with small change to the source.

1. --local IP addresses are hardcoded, so edit this for
   force scan addresses.

2. other IP addresses also scanned by following line

       return SMFIS_CONTINUE;

   therefore change this to

       return SMFIS_ACCEPT;

I like to not scan inbound mail but force scan outbound mail
from our SMTP server. But I don't know it is possible under
MILTER, so I use above --local option instead.

SAITOU Toshihide
Re: [Clamav-users] Not catching W32.Netsky.P ???
Ken Morley wrote:

> I have ClamAV 0.71 installed on RHES3 and updated to the latest
> definitions as of 06/24/2004. I don't know the AV signature file
> version number, but it's protecting against 22076 viruses.
>
> This is integrated as a mail filter using SendMail, SpamAssassin &
> MIMEDefang and seems to be working correctly as the combination is
> correctly detecting and handling many infected e-mails.
>
> The problem is that it's not detecting [EMAIL PROTECTED] (name as
> detected by Symantec Anti Virus). Why?
>
> I would submit a sample, but Symantec AV is deleting the infected
> attachments as soon as it encounters them.
>
> Thanks for the assistance!
>
> Ken Morley

Clamav named netsky somefool.
Be sure to upgrade to newest clamav, 0.71 is a tad old.

Regards,
Niek
[Clamav-users] Help Setup Newbie Please
Hello - Fresh newbie meat here for the first time - Be gentle please...

I'm using procmail to call clamassassin, which calls clamscan. I'm getting X- headers added by clamav, but I'm not detecting the EICAR string in emails. I'm using ClamAV v0.73 obtained and installed via the Debian Sid distro. I have several questions:

1. If I run clamscan from the console in the directory containing the EICAR string, it -IS- properly detected. Why is it not being detected in email? I read somewhere that email scanning has to be enabled in clamav.conf - but I don't even have that file! Why wouldn't I? I did run the config script. In /etc/clamav, I have freshclam.conf, but not clamav.conf, and I don't find it elsewhere on the system.

2. I don't seem to have anything related to clamd - Why? How to run clamd? My system has no knowledge of clamd or clamdscan. Differences between running clamd vs clamscan? I have a low volume machine.

Thanks a bunch - Anxious to get it going! - John
Re: [Clamav-users] Help Setup Newbie Please
> Hello - Fresh newbie meat here for the first time - Be gentle please...
>
> I'm using procmail to call clamassassin, which calls clamscan. I'm
> getting X- headers added by clamav, but I'm not detecting the EICAR
> string in emails. I'm using ClamAV v0.73 obtained and installed via the
> Debian Sid distro. I have several questions:
>
> 1. If I run clamscan from the console in the directory containing the
> EICAR string, it -IS- properly detected. Why is it not being detected
> in email? I read somewhere that email scanning has to be enabled in
> clamav.conf - but I don't even have that file! Whywouldn't I? I did
> run the config script. In /etc/clamav, I have freshclam.conf, but not
> clamav.conf, and I don't find it elsewhere on the system.

clamav.conf is used by clamd for configuration parameters. Try running
clamscan --mbox to get the detection. It _may_ not work because of the
definition of EICAR, which IIRC is fairly strict and has the "virus"
starting at the very beginning of the file. It should work with clamscan
--mbox with EICAR attached, as opposed to being in the body of the message.

> 2. I don't seem to have anything related to clamd - Why? How to run
> clamd? My system has no knowledge of clamd or clamdscan. Differences
> between running clamd vs clamscan? I have a low volume machine.

Clamd is probably not necessary on a low-volume machine, but it allows
faster scanning through local Unix sockets, or for shared scanning via TCP
sockets. You should be ok to run clamscan --mbox; if you notice a slowdown
in mail, look for .deb's with clamd (assuming that, like some distributions,
they have been separately packaged.)

> Thanks a bunch - Anxious to get it going! - John

Good luck!

--Seth
Re: [Clamav-users] Help Setup Newbie Please
Hanford, Seth wrote:

> clamav.conf is used by clamd for configuration parameters. Try running
> clamscan --mbox to get the detection. It _may_ not work because of the
> definition of EICAR, which IIRC is fairly strict and has the "virus"
> starting at the very beginning of the file. It should work with clamscan
> --mbox with EICAR attached, as opposed to being in the body of the message.

Well, clamscan is being called from the Clamassassin script. Are you saying I should call clamscan with the --mbox option in that script?

> > 2. I don't seem to have anything related to clamd - Why? How to run
> > clamd? My system has no knowledge of clamd or clamdscan. Differences
> > between running clamd vs clamscan? I have a low volume machine.
>
> Clamd is probably not necessary on a low-volume machine, but it allows
> faster scanning through local Unix sockets, or for shared scanning via TCP
> sockets. You should be ok to run clamscan --mbox; if you notice a slowdown
> in mail, look for .deb's with clamd (assuming that, like some distributions,
> they have been separately packaged.)

Maybe I should try starting with an original clamav download instead of using apt-get and whatever comes with the Debian dist. Isn't it a problem that I don't even have clamav.conf?? I'll see if I get any other responses/ideas before proceeding. THANKS! - John
Re: [Clamav-users] /etc/cron.daily/freshclam exited with return code 1
Philipp Ringli wanted us to know:

>i did that and i get this:
>
>[EMAIL PROTECTED] /]# /usr/bin/freshclam --datadir=/var/lib/clamav
>--log=/var/log/clamav/freshclam.log --verbose
>Current working dir is /var/lib/clamav

That's good. It means it can access /var/lib/clamav and the files
inside of it.

>ClamAV update process started at Thu Jun 24 11:25:06 2004
>Connected to database.clamav.net (212.31.160.239).
>Reading CVD header (main.cvd): OK
>main.cvd is up to date (version: 23, sigs: 21096, f-level: 2, builder:
>ddm)
>Connected to database.clamav.net (212.31.160.239).
>Reading CVD header (daily.cvd): OK
>daily.cvd is up to date (version: 367, sigs: 970, f-level: 2, builder:
>diego)

The files that it compared seem to be ok.

>[EMAIL PROTECTED] /]# vdir -d /var/lib/clamav
>drwxr-xr-x 2 clamav clamav 4096 Jun 24 04:02 /var/lib/clamav
>[EMAIL PROTECTED] /]# vdir -d /var/log/clamav
>drwxr-xr-x 2 clamav clamav 4096 Jun 1 04:02 /var/log/clamav

Both of those look good. What's in /var/log/clamav/freshclam.log? Is
it possible that it's owned by root:root instead of clamav:clamav?

>+ LOG_FILE=/var/log/clamav/freshclam.log
>+ '[' '!' -f /var/log/clamav/freshclam.log ']'
>+ /usr/bin/freshclam --quiet --datadir=/var/lib/clamav
>--log=/var/log/clamav/freshclam.log
>(no like that because of the set -x)

>questions:
>1. why am i getting the above email? nothing seems to be wrong, or is
>there?
>2. where could i edit the email address this is sent to?

Tomasz answered both of these.

--
Regards... Todd
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. --Benjamin Franklin
Linux kernel 2.6.3-8mdkenterprise 2 users, load average: 0.00, 0.05, 0.05
Re: [Clamav-users] Help Setup Newbie Please
Quoting John Fleming <[EMAIL PROTECTED]>:

> Hanford, Seth wrote:
>
> > clamav.conf is used by clamd for configuration parameters. Try running
> > clamscan --mbox to get the detection. It _may_ not work because of the
> > definition of EICAR, which IIRC is fairly strict and has the "virus"
> > starting at the very beginning of the file. It should work with clamscan
> > --mbox with EICAR attached, as opposed to being in the body of the message.
>
> Well, clamscan is being called from the Clamassassin script. Are you
> saying I should call clamscan with the --mbox option in that script?

I believe that was what he was referring to, yes.

> > > 2. I don't seem to have anything related to clamd - Why? How to run
> > > clamd? My system has no knowledge of clamd or clamdscan. Differences
> > > between running clamd vs clamscan? I have a low volume machine.
> >
> > Clamd is probably not necessary on a low-volume machine, but it allows
> > faster scanning through local Unix sockets, or for shared scanning via TCP
> > sockets. You should be ok to run clamscan --mbox; if you notice a slowdown
> > in mail, look for .deb's with clamd (assuming that, like some distributions,
> > they have been separately packaged.)
>
> Maybe I should try starting with an original clamav download instead of
> using apt-get and whatever comes with the Debian dist. Isn't it a
> problem that I don't even have clamav.conf?? I'll see if I get any
> other responses/ideas before proceeding. THANKS! - John

I am using clamscan on a machine which gets about 500-600 messages/day without any problems. It typically takes about 1-3 seconds to scan each message so this is good for me. Since clamscan does not use clamav.conf, it really isn't a problem that you don't have a clamav.conf.

I suspect apt-get has clamscan and clamd/clamdscan as separate packages and you only got the clamscan one. Since clamscan works when run manually I don't think it is necessary to download the standard dist from clamav. It sounds like more of a configuration problem with clamassassin than anything else. I have never used clamassassin however, so I can't verify this. Perhaps someone with more knowledge of this program can help.

Jim
Re: [Clamav-users] Help Setup Newbie Please
John,

On Thu, 2004-06-24 at 14:18, John Fleming wrote:
> Maybe I should try starting with an original clamav download instead of
> using apt-get and whatever comes with the Debian dist. Isn't it a
> problem that I don't even have clamav.conf?? I'll see if I get any
> other responses/ideas before proceeding. THANKS! - John

Check out people.debian.org/~sgran/.

Cheers,
Mike
Re: [Clamav-users] Scans mail but never finds virus
That discard is another external helper and rule combination that runs after the ClamAV helper that basically takes messages with certain file extensions and moves them to another quarantine folder. It is designed as a safety in case virus checkers miss the file or new virus come out before definitions are updated - the most common virus file types are automatically quarantined. However, that rule runs on a much lower priority than ClamAV on the mail server and only comes into play after the message is deemed safe by ClamAV. In this case (and in all cases now), ClamAV determines ALL messages are safe, even those with virus attached to them.

In my log below, that message was missed by Clam but caught because the virus had a .pif file attachment and the rule determined it suspicious.

Chad

On Jun 21, 2004, at 9:11 PM, [EMAIL PROTECTED] wrote:

> > 15:56:33.49 2 LOCALRULES(chad) [490316] rule(Dangerous Attachment) discarded the message
> > 15:56:33.49 2 ACCOUNT(chad) [490316] delivered
> > 15:56:33.49 2 DEQUEUER [490316] LOCAL(chad) delivered
>
> I have absolutely no idea about the filter you use, but you can see
> from the above lines in your log, it's telling you it deleted the
> message, but still delivers it to your account.
>
> Matt
Re: [Clamav-users] Is this possible? (clamdscan on one server, clamd on another)
On Thursday 24 Jun 2004 21:33, Thomas Jackson wrote:
> Sounds like the perfect job for an email gateway.

That's why I run clamav-milter on one machine and clamd on another. Indeed
clamav-milter can load balance between more than one clamd server.

-Nigel

--
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK. ICQ#20252325
[EMAIL PROTECTED] http://www.bandsman.co.uk
Re: [Clamav-users] Is this possible? (clamdscan on one server, clamd on another)
Sounds like the perfect job for an email gateway.
Re: [Clamav-users] [Fwd: memory hog in 0.72 and 0.73]
On Thu, Jun 24, 2004 at 11:03:18AM +0200, Tomasz Papszun wrote:
> On Wed, 23 Jun 2004 at 17:40:19 -0300, René Bellora wrote:
> > i found the offending email. It's a 134mb email. It contains a 100mb
> > file. If i scan the file alone, memory consumption reaches 13mb. If i
> > scan the raw email, the memory consumption reaches 360mb. Any
>
> ...
> I _do_ consider a 134 MB email as big, though.
>

But clamd should still be able to scan that without needing 3M RAM per 1M
filesize (roughly that what was implied).

Other AVs grow to a max size and then don't get any bigger - I assume they
scan the file using a "window" of some description - to keep resource
requirements down?

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
[Clamav-users] clamscan via stdin
Do you know why this happens? Thanks.

[EMAIL PROTECTED] ~/downloads $ cat message.scr | clamscan -
stdin: Worm.SomeFool.P FOUND

--- SCAN SUMMARY ---
Known viruses: 22079
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.03 MB
I/O buffer size: 131072 bytes
Time: 0.394 sec (0 m 0 s)

[EMAIL PROTECTED] ~/downloads $ zip message.zip message.scr
  adding: message.scr (deflated 4%)

[EMAIL PROTECTED] ~/downloads $ cat message.zip | clamscan -
stdin: OK

--- SCAN SUMMARY ---
Known viruses: 22079
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.02 MB
I/O buffer size: 131072 bytes
Time: 0.348 sec (0 m 0 s)

[EMAIL PROTECTED] ~/downloads $ clamscan message.zip
message.zip: Worm.SomeFool.P FOUND

--- SCAN SUMMARY ---
Known viruses: 22079
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.03 MB
I/O buffer size: 131072 bytes
Time: 0.352 sec (0 m 0 s)
Re: [Clamav-users] no socket mode on SuSE 9.1
Schoenwaelder Oliver wrote:

> Hi,
>
> I've just made a fresh installation of SuSE 9.1 and installed clamav.
> I changed the default SuSE clamav.conf to use a local socket but
> whatever I use clamavd won't start.
> Without sockets it works.
> SuSE currently distributes version 0.70 which is not the latest. I
> installed version 0.73 but it fails, too.

Did you mean install from source? If not, try that. Most likely permission error, or an old (stale) socket. Clamd's log for file or syslog should provide more hints what to do.

You should also be able to use my precompiled linux static binary on http://clamav.or.id . It does not have fancy startup script, installs on /usr/local. Should work on any linux i386.

Regards,

Fajar