Re: [Clamav-users] can clamav kill Win32 PE virus?

2007-09-03 Thread [EMAIL PROTECTED]

On Sun, 2 Sep 2007, [EMAIL PROTECTED] wrote:

> Dear all:
> I am a Fedora 7 user running ClamAV to protect my data on my PC
> (though they're extremely rare). However today I ran into problems. My
> girlfriend uses a WinXP system, which became severely infected by
> viruses. Now she is going to make a system clean-up. The plan is:
>
> S1. Copy all her important data to a portable media;
> S2. Re-format her entire file system (thus destroying everything) and
> re-install WinXP;
> S3. While she's doing 2, I scan the portable media using ClamAV on my
> computer, and (possibly) remove the viruses which might have been
> 'backed-up' along with her regular files;
> S4. Copy the (possible) ClamAV-scanned data back to her computer.
>
> The problem is whether Step 3 can be realized. I don't know
> whether ClamAV is able to detect Win32 PE viruses. I'm fairly
> confident that the PE viruses could not infect my system but I'm not
> sure whether I can detect them.
>
> I know the above procedure is rather absurd... However I haven't come
> up with other ideas. The situation is that she will stick to WinXP and
> I cannot afford Win32 antivirus software, and worse, I'm not familiar
> with Windows.
>
> I appreciate your suggestions.
>
> Cong
>
> PS. If you find my English bad, please pardon me --- I'm not a native
> English speaker. Thank you for your patience.
> ___
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://lurker.clamav.net/list/clamav-users.html
>

The Micro$ disk format program doesn't completely nuke a hard drive.
Use your Fedora system and badblocks to nuke her drive to brand new drive 
status.  The Micro$ format program lifts some data off the drive, does 
its formatting thingy and puts the info back down on to the drive. The 8 
megabyte section beyond the Micro$ partition is replaced exactly like it 
was before the re-format.  After you scan and remove the nasty stuff on 
her drive, just copy her critical data back on to her freshly installed 
drive.


Re: [Clamav-users] 0.91 - high load under solaris

2007-09-03 Thread Ian G Batten

On 30 Aug 2007, at 21:40, [EMAIL PROTECTED] wrote:

> On Thu, 30 Aug 2007, [EMAIL PROTECTED] wrote:
>
>> I'm noticing hang issues again with 0.91.2 on Solaris 10 x86. It doesn't
>> appear to be associated with a particularly malformed message because
>> when it starts hanging, if I restart it, things resume normally for a
>> while. The incoming queue clears out.
>
> Here's some more.
>
> [Switching to Thread 1 (LWP 1)]
> 0xfebf0857 in _so_accept () from /lib/libc.so.1
> (gdb) thread apply all bt
>
> Thread 22 (Thread 39):
> #0  0xfebf047b in __lwp_park () from /lib/libc.so.1
> #1  0xfebe9463 in mutex_lock_queue () from /lib/libc.so.1
> #2  0xfebe9cff in slow_lock () from /lib/libc.so.1
> #3  0xfebe9df5 in mutex_lock_impl () from /lib/libc.so.1
> #4  0xfebe9f01 in pthread_mutex_lock () from /lib/libc.so.1
> #5  0xfeb92f1d in malloc () from /lib/libc.so.1
> #6  0xfebb400d in match_re_C () from /lib/libc.so.1
> #7  0xfebb50e2 in match_re_C () from /lib/libc.so.1
> #8  0xfebb5359 in match_re_C () from /lib/libc.so.1

Same problem I saw.  The regexp built by the PhishingScanURLs option  
appears to upset the Solaris regexp library, but not the Linux or OSX  
versions.  I've got a more serious look at the problem on my list of  
jobs to do, but for now I just turned the option off.

ian



Re: [Clamav-users] 0.91 - high load under solaris

2007-09-03 Thread clamav-users


-- Ian G Batten said the following on 9/3/07 10:50 AM:
> On 30 Aug 2007, at 21:40, [EMAIL PROTECTED] wrote:
> 
>> On Thu, 30 Aug 2007, [EMAIL PROTECTED] wrote:
>>
>>> I'm noticing hang issues again with 0.91.2 on Solaris 10 x86. It doesn't
>>> appear to be associated with a particularly malformed message because
>>> when it starts hanging, if I restart it, things resume normally for a
>>> while. The incoming queue clears out.
>> Here's some more.
>>
>> [Switching to Thread 1 (LWP 1)]
>> 0xfebf0857 in _so_accept () from /lib/libc.so.1
>> (gdb) thread apply all bt
>>
>> Thread 22 (Thread 39):
>> #0  0xfebf047b in __lwp_park () from /lib/libc.so.1
>> #1  0xfebe9463 in mutex_lock_queue () from /lib/libc.so.1
>> #2  0xfebe9cff in slow_lock () from /lib/libc.so.1
>> #3  0xfebe9df5 in mutex_lock_impl () from /lib/libc.so.1
>> #4  0xfebe9f01 in pthread_mutex_lock () from /lib/libc.so.1
>> #5  0xfeb92f1d in malloc () from /lib/libc.so.1
>> #6  0xfebb400d in match_re_C () from /lib/libc.so.1
>> #7  0xfebb50e2 in match_re_C () from /lib/libc.so.1
>> #8  0xfebb5359 in match_re_C () from /lib/libc.so.1
> 
> Same problem I saw.  The regexp built by the PhishingScanURLs option  
> appears to upset the Solaris regexp library, but not the Linux or OSX  
> versions.  I've got a more serious look at the problem on my list of  
> jobs to do, but for now I just turned the option off.

I'm not sure why, but when I commented out the qr'^MAIL$' below, the 
problem went away. Hasn't reappeared since. Perhaps that option is only 
called when the full message is scanned? How are you calling clamd?

@keep_decoded_original_maps = (new_RE(
qr'^MAIL$', # retain full original message
qr'^MAIL-UNDECIPHERABLE$',
qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
# qr'^Zip archive data', # don't trust Archive::Zip
));

Since I'm using amavisd-new, as Bill Landry stated I could always try 
$bypass_decode_parts=1 and leave the qr'^MAIL$' thing commented out. The 
downside, though, is that I couldn't do attachment / file type blocking 
using amavisd-new. So for now I have qr'^MAIL$' commented out and things 
seem to be stable.

Amos



Re: [Clamav-users] 0.91 - high load under solaris

2007-09-03 Thread clamav-users
-- Henrik Krohns said the following on 9/3/07 11:02 AM:
> On Mon, Sep 03, 2007 at 04:50:40PM +0100, Ian G Batten wrote:
>> Same problem I saw.  The regexp built by the PhishingScanURLs option  
>> appears to upset the Solaris regexp library, but not the Linux or OSX  
>> versions.  I've got a more serious look at the problem on my list of  
>> jobs to do, but for now I just turned the option off.
> 
> I wonder if it could be fixed by just compiling with (posix)PCRE instead?

Hmmm... like with Postfix. Interesting idea. Might reduce platform 
dependency issues a bit, maybe?

Amos



Re: [Clamav-users] 0.91 - high load under solaris

2007-09-03 Thread Jerry Durand
I just subscribed to this list, this seems like the thread related to 
my problem.  If not, please direct me to it.

I've been seeing Clamd lock up the mail system and sometimes crash 
several times over the last couple of days.

I have a copy of one of the messages that caused this along with the 
crash log here:

http://interstellar.com/temp/amavis-20070903T054236-08542/

OS X Server 10.4.10
Clamd 0.91.2

I'm in the process of moving the mail and web server over to a new 
Linux system, so hopefully this won't follow the move.  Any 
suggestions welcome.

-- 
Jerry Durand, Durand Interstellar, Inc.  www.interstellar.com
tel: +1 408 356-3886, USA toll free: 1 866 356-3886
Skype:  jerrydurand



Re: [Clamav-users] 0.91 - high load under solaris

2007-09-03 Thread Noel Jones
At 05:28 PM 9/3/2007, Jerry Durand wrote:
>I just subscribed to this list, this seems like the thread related to
>my problem.  If not, please direct me to it.
>
>I've been seeing Clamd lock up the mail system and sometimes crash
>several times over the last couple of days.
>
>I have a copy of one of the messages that caused this along with the
>crash log here:
>
>http://interstellar.com/temp/amavis-20070903T054236-08542/
>
>OS X Server 10.4.10
>Clamd 0.91.2
>
>I'm in the process of moving the mail and web server over to a new
>Linux system, so hopefully this won't follow the move.  Any
>suggestions welcome.
>
>--
>Jerry Durand, Durand Interstellar, Inc.  www.interstellar.com
>tel: +1 408 356-3886, USA toll free: 1 866 356-3886
>Skype:  jerrydurand

This isn't directly related to your clamav problem, but you might 
want to configure postfix to reject mail when your own domain name or 
IP is used in the HELO command from unauthenticated clients outside 
your local network.  Such a rule would have rejected this mail.
This is a very safe restriction with 0% false positives (assuming you 
set $mynetworks correctly in postfix).

See the postfix-users list archives for examples, or feel free to ask 
there if you need detailed advice.

-- 
Noel Jones 

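The HELO rule Noel describes, as an added example that is not part of his post and not Postfix's own code: a small Python model of the restriction order Postfix would apply (trusted networks and authenticated clients are permitted first, then a HELO that names the site's own hostname or IP address is rejected), run over a few constructed SMTP sessions. In Postfix itself the same rule is expressed with smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, check_helo_access hash:/etc/postfix/helo_access, where the map lists the site's own names and addresses with a REJECT action; the map path, the example.com names and the 192.0.2.25 address below are assumptions chosen for this example.

```python
"""Model of a Postfix "reject forged HELO" restriction (added example).

Equivalent Postfix configuration (parameter names are real; the map path
and its contents are assumptions for this example):

    smtpd_helo_required = yes
    smtpd_helo_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        check_helo_access hash:/etc/postfix/helo_access

    # /etc/postfix/helo_access  (run `postmap` on it after editing)
    example.com        REJECT forged HELO: that is my hostname
    mail.example.com   REJECT forged HELO: that is my hostname
    192.0.2.25         REJECT forged HELO: that is my IP address
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    client_ip: str
    helo: str
    sasl_authenticated: bool = False


class HeloPolicy:
    def __init__(self, mynetworks, own_names, own_ips):
        self.mynetworks = [ipaddress.ip_network(n) for n in mynetworks]
        # HELO names are case-insensitive and may carry a trailing dot.
        self.own_names = {n.lower().rstrip(".") for n in own_names}
        self.own_ips = {ipaddress.ip_address(i) for i in own_ips}

    def in_mynetworks(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.mynetworks)

    def helo_claims_to_be_us(self, helo):
        h = helo.strip().lower().rstrip(".")
        # Address-literal forms: HELO [192.0.2.25] or HELO [IPv6:2001:db8::1]
        if h.startswith("[") and h.endswith("]"):
            h = h[1:-1]
            if h.startswith("ipv6:"):
                h = h[len("ipv6:"):]
        try:
            return ipaddress.ip_address(h) in self.own_ips
        except ValueError:
            pass  # not an address literal, compare as a hostname
        return h in self.own_names

    def evaluate(self, s):
        # Same order as the restriction list: trusted clients first, so an
        # internal relay or roaming authenticated user announcing our own
        # name is never rejected (this is why $mynetworks must be correct).
        if self.in_mynetworks(s.client_ip):
            return "PERMIT mynetworks"
        if s.sasl_authenticated:
            return "PERMIT sasl_authenticated"
        if self.helo_claims_to_be_us(s.helo):
            return "REJECT forged HELO"
        return "DUNNO"  # leave the decision to later restrictions


# Constructed sample sessions (addresses from the RFC 5737 documentation ranges).
SAMPLE_SESSIONS = [
    Session("198.51.100.7", "mail.example.com"),            # outsider claims our name
    Session("198.51.100.7", "[192.0.2.25]"),                # outsider claims our IP
    Session("10.0.0.5", "mail.example.com"),                # internal relay, trusted
    Session("198.51.100.9", "mail.example.com", True),      # roaming user, authenticated
    Session("203.0.113.4", "smtp.partner.example"),         # unrelated outside sender
]


def run_samples():
    policy = HeloPolicy(
        mynetworks=["127.0.0.0/8", "10.0.0.0/8"],
        own_names=["example.com", "mail.example.com"],
        own_ips=["192.0.2.25"],
    )
    return [(s.client_ip, s.helo, policy.evaluate(s)) for s in SAMPLE_SESSIONS]


if __name__ == "__main__":
    for client_ip, helo, decision in run_samples():
        print(f"{client_ip:15} HELO {helo:25} -> {decision}")
```

The permit rules sit ahead of the access check for the reason Noel gives: the only legitimate clients that announce your own name or address are your own machines and your authenticated users, and both are excused before the map is consulted, so the remaining matches are forgeries.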


Re: [Clamav-users] 0.91 - high load under solaris

2007-09-03 Thread Jerry Durand
On Mon, 2007-09-03 at 22:09 -0500, Noel Jones wrote:

> This isn't directly related to your clamav problem, but you might 
> want to configure postfix to reject mail when your own domain name or 
> IP is used in the HELO command from unauthenticated clients outside 
> your local network.  Such a rule would have rejected this mail.
> This is a very safe restriction with 0% false positive (assuming you 
> set $mynetworks correctly in postfix).
> 

Thanks, not sure how I missed that.  

> See the postfix-users list archives for examples, or feel free to ask 
> there if you need detailed advice.
> 

I already had some other offenders listed, just forgot to add all our
domains.

-- 
Jerry Durand, Durand Interstellar, Inc.
Los Gatos, California, USA, www.interstellar.com
tel: +1.408.356.3886, USA:  866-356-3886, Skype:  jerrydurand



[Clamav-users] GPG, attachments and clamav-milter 0.91.2

2007-09-03 Thread downtime

I am regularly able to elicit this reaction from clamav-milter 0.91.2  
by receiving a small (~150Kb) GPG-encrypted message with an  
attachment from Gmail.  Anybody else seen this?

aurora45% grep "out of memory" /var/log/maillog
Aug 29 22:12:21 aurora sm-mta[2091]: l7U5CKqv002091: SYSERR(root): out of memory: Cannot allocate memory
Aug 29 22:18:33 aurora sm-mta[2167]: l7U5IWul002167: SYSERR(root): out of memory: Cannot allocate memory
Sep  3 22:06:06 aurora sm-mta[56290]: l84564j5056290: SYSERR(root): out of memory: Cannot allocate memory

-peter