Re: [Clamav-users] What's this? I can't believe it!
Hi there,

On Sun, 20 Jan 2008 umarzuki mochlis wrote:

> [EMAIL PROTECTED]:~$ sudo clamscan /media/UM4R
> [sudo] password for umarzuki:
> /media/UM4R/g2p3s.exe: OK
> /media/UM4R/t.exe: OK
> /media/UM4R/smw-1.7-setup.exe: OK
> /media/UM4R/autorun.inf: OK
>
> I believe g2p3s.exe, t.exe and autorun.inf are some sort of trojan or
> something but clam doesn't seem to detect it.

My personal policy is to delete all files which have names ending in
".exe", and I suggest that everyone should consider that approach.

--
73,
Ged.

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] What's this? I can't believe it!
On Sun, 20 Jan 2008 11:47:57 + (GMT) "G.W. Haywood" <[EMAIL PROTECTED]> wrote:

[snip]

> My personal policy is to delete all files which have names ending in
> ".exe", and I suggest that everyone should consider that approach.

Why? On a non-Win32 machine, the chance of such a file causing problems
is nil, and on a Win32 machine using such a 'scorched earth' policy would
prove catastrophic. It would seem far wiser to simply refuse such files
from users you are not acquainted with and properly screen such files
from users who are familiar to you.

Just my 2¢.

--
Gerard
[EMAIL PROTECTED]

I am just a nice, clean-cut Mongolian boy.

Yul Brynner, 1956
Re: [Clamav-users] What's this? I can't believe it!
On Sun, 20 Jan 2008 07:25:32 -0500, Gerard wrote:

> On Sun, 20 Jan 2008 11:47:57 + (GMT)
> "G.W. Haywood" <[EMAIL PROTECTED]> wrote:
>
> [snip]
>
>> My personal policy is to delete all files which have names ending in
>> ".exe", and I suggest that everyone should consider that approach.
>
> Why? On a non-Win32 machine, the chance of such a file causing
> problems is nil, and on a Win32 machine using such a 'scorched earth'
> policy would prove catastrophic. It would seem far wiser to simply
> refuse such files from users you are not acquainted with and properly
> screen such files from users who are familiar to you.
>
> Just my 2¢.
>
> --
> Gerard
> [EMAIL PROTECTED]
>
> I am just a nice, clean-cut Mongolian boy.
>
> Yul Brynner, 1956

I prefer a scorched earth to a scorched ass! Especially with a server
that is trying to protect Winoze users from their own stupidity. There
are far too many users who will gladly click on anything if you tell
them to.

The default mimedefang filter flags almost all known executable suffixes
as suspicious. If someone must send an executable file, then ask them to
obfuscate the suffix according to a known plan, e.g. using fyf instead
of exe.

And don't think you can simply zip the file, because mimedefang unzips
before checking the file suffix.

Just my AUD 2c + GST

--
Bill Maidment
Maidment Enterprises Pty Ltd
www.maidment.vu
Off-site consultant to Elgas Ltd
Re: [Clamav-users] What's this? I can't believe it!
umarzuki mochlis wrote:

> I believe g2p3s.exe, t.exe and autorun.inf are some sort of trojan or
> something but clam doesn't seem to detect it.

Hi,

Might be worth submitting the files to the following sites and seeing
what other AV scanners think of them:

http://www.virustotal.com/
http://virusscan.jotti.org/

Plus this site might help tell you what it actually does, when it runs,
under Windows:

http://analysis.seclab.tuwien.ac.at/

Cheers,
Steve
Re: [Clamav-users] What's this? I can't believe it!
[EMAIL PROTECTED] wrote:

> The exe files are Windows' executables (applications). Would they do
> harm to Linux? When I tried to open an exe file I was told no
> application was available.
> What do you have on your pendrive? It seems to be a cross platform
> problem?
> And Michael L Torrie is very right about vendors being afraid of
> lawsuits.

Nobody has actually tested the files to see if they are Windows
executables that I've seen. It is entirely possible they could be Linux
executables. File extensions don't mean much on a Linux system, but it
seems from this thread a great way to pass around Linux viruses is to
tack on a .exe extension and a lot of people will ignore them to their
great peril.

dp
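Dennis's point here (a file's extension says nothing about what it contains) and Bill Maidment's earlier note that mimedefang unzips an archive before checking member suffixes can both be demonstrated in one short checker. The code below is an added example, not code from the list discussion or from any poster or from mimedefang: it classifies a file by its leading bytes rather than its name, reports executable content hiding behind a harmless suffix and harmless content behind an executable suffix, and descends into zip archives so that zipping does not hide a member. The sample files, the in-memory zip, the depth limit and the suffix set are all constructed for the example; the suffix set is an illustrative subset, not mimedefang's actual list.

```python
import io
import os
import zipfile

# Illustrative subset of suffixes a mail filter would treat as executable content
# (constructed for this example; not mimedefang's actual list).
SUSPICIOUS_SUFFIXES = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs"}
EXECUTABLE_KINDS = {"pe/dos executable", "elf executable", "script"}
MAX_ARCHIVE_DEPTH = 3  # stop descending into zips nested deeper than this (assumed limit)


def content_type(data: bytes) -> str:
    """Classify a file by its leading bytes, ignoring its name entirely."""
    if data[:2] == b"MZ":
        return "pe/dos executable"
    if data[:4] == b"\x7fELF":
        return "elf executable"
    if data[:2] == b"#!":
        return "script"
    if data[:4] == b"PK\x03\x04":
        return "zip archive"
    return "other"


def inspect_file(name: str, data: bytes, depth: int = 0) -> list[str]:
    """Return findings for one file; zip members are inspected with the same rules."""
    findings = []
    suffix = os.path.splitext(name)[1].lower()
    kind = content_type(data)
    if kind in EXECUTABLE_KINDS:
        # Executable content regardless of what the name claims (Dennis's point).
        findings.append(f"{name}: executable content ({kind})")
    elif suffix in SUSPICIOUS_SUFFIXES:
        # Executable-looking name on non-executable content: still worth a look,
        # since a mail client may act on the suffix alone.
        findings.append(f"{name}: executable suffix but content is {kind}")
    if kind == "zip archive" and depth < MAX_ARCHIVE_DEPTH:
        # Look inside the archive so zipping does not hide a member (Bill's point).
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                member = f"{name}/{info.filename}"
                findings.extend(inspect_file(member, zf.read(info), depth + 1))
    return findings


def build_sample_zip() -> bytes:
    """Constructed archive: a harmless text file, a PE-headed member and a nested zip."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as izf:
        izf.writestr("update.scr", b"MZ" + b"\x00" * 30)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("readme.txt", "nothing executable here")
        zf.writestr("tool.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("nested.zip", inner.getvalue())
    return outer.getvalue()


def build_samples() -> dict[str, bytes]:
    """Constructed inputs; none is a real program, only the leading bytes matter."""
    return {
        "notes.txt": b"plain text",
        "setup.exe": b"just text behind an executable suffix",
        "photo.jpg": b"\x7fELF\x02\x01\x01" + b"\x00" * 9,  # ELF behind a benign suffix
        "bundle.zip": build_sample_zip(),
    }


def scan_samples() -> list[str]:
    """Run the checker over every constructed sample and collect the findings."""
    return [f for name, data in build_samples().items() for f in inspect_file(name, data)]


if __name__ == "__main__":
    for finding in scan_samples():
        print(finding)
```

Run stand-alone it prints four findings: the text file with an .exe name, the ELF image named like a photo, and the two PE-headed members inside the outer and nested zips. The harmless readme inside the archive produces nothing, which is the behaviour a mail filter wants: act on content, and only then on the suffix.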
[Clamav-users] What's this? I can't believe it!
The exe files are Windows' executables (applications). Would they do harm
to Linux? When I tried to open an exe file I was told no application was
available.

What do you have on your pendrive? It seems to be a cross platform
problem?

And Michael L Torrie is very right about vendors being afraid of
lawsuits.

> Today's Topics:
>
>    1. What's this? I can't believe it! (umarzuki mochlis)
>    2. Re: What's this? I can't believe it! (Brandon Perry)
>    3. Re: What's this? I can't believe it! (Brandon Perry)
>    4. Re: What's this? I can't believe it! (Joe Clements)
>    5. Re: What's this? I can't believe it! (Michael L Torrie)
>
> --
>
> Message: 1
> Date: Sun, 20 Jan 2008 10:35:28 +0800
> From: "umarzuki mochlis" <[EMAIL PROTECTED]>
> Subject: [Clamav-users] What's this? I can't believe it!
> To: clamav-users@lists.clamav.net
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=ISO-8859-1
>
> I tried to scan my pendrive and got this.
>
> [EMAIL PROTECTED]:~$ sudo clamscan /media/UM4R
> [sudo] password for umarzuki:
> /media/UM4R/g2p3s.exe: OK
> /media/UM4R/t.exe: OK
> /media/UM4R/smw-1.7-setup.exe: OK
> /media/UM4R/autorun.inf: OK
>
> I believe g2p3s.exe, t.exe and autorun.inf are some sort of trojan or
> something but clam doesn't seem to detect it.
>
> --
> Get money for each referral >> http://tinyurl.com/2pbj3p
> Beta test website for money >> http://tinyurl.com/28ge49
> Get paid for each click! >> http://tinyurl.com/22th2y
>
> --
>
> Message: 2
> Date: Sat, 19 Jan 2008 20:53:26 -0600
> From: Brandon Perry <[EMAIL PROTECTED]>
> Subject: Re: [Clamav-users] What's this? I can't believe it!
> To: ClamAV users ML
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain
>
> Does Norton/AVG/McAfee detect them? What makes you think they are
> trojans?
>
> On Sun, 2008-01-20 at 10:35 +0800, umarzuki mochlis wrote:
>> I tried to scan my pendrive and got this.
>>
>> [EMAIL PROTECTED]:~$ sudo clamscan /media/UM4R
>> [sudo] password for umarzuki:
>> /media/UM4R/g2p3s.exe: OK
>> /media/UM4R/t.exe: OK
>> /media/UM4R/smw-1.7-setup.exe: OK
>> /media/UM4R/autorun.inf: OK
>>
>> I believe g2p3s.exe, t.exe and autorun.inf are some sort of trojan or
>> something but clam doesn't seem to detect it.
>
> --
>
> Message: 3
> Date: Sat, 19 Jan 2008 21:27:58 -0600
> From: Brandon Perry <[EMAIL PROTECTED]>
> Subject: Re: [Clamav-users] What's this? I can't believe it!
> To: ClamAV users ML
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain
>
> Also, what version are you using? Do you have all the definitions?
>
> On Sun, 2008-01-20 at 10:35 +0800, umarzuki mochlis wrote:
>> I tried to scan my pendrive and got this.
>>
>> [EMAIL PROTECTED]:~$ sudo clamscan /media/UM4R
>> [sudo] password for umarzuki:
>> /media/UM4R/g2p3s.exe: OK
>> /media/UM4R/t.exe: OK
>> /media/UM4R/smw-1.7-setup.exe: OK
>> /media/UM4R/autorun.inf: OK
>>
>> I believe g2p3s.exe, t.exe and autorun.inf are some sort of trojan or
>> something but clam doesn't seem to detect it.
>
> --
>
> Message: 4
> Date: Sun, 20 Jan 2008 04:57:43 +
> From: Joe Clements <[EMAIL PROTECTED]>
> Subject: Re: [Clamav-users] What's this? I can't believe it!
> To: ClamAV users ML
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Brandon Perry wrote:
>> Also, what version are you using? Do you have all the definitions?
>>
>> On Sun, 2008-01-20 at 10:35 +0800, umarzuki mochlis wrote:
>>
>>> I tried to scan my pendrive and got this.
>>>
>>> [EMAIL PROTECTED]:~$ sudo clamscan /media/UM4R
>>> [sudo] password for umarzuki:
>>> /media/UM4R/g2p3s.exe: OK
>>> /media/UM4R/t.exe: OK
>>> /media/UM4R/smw-1.7-setup.exe: OK
>>> /media/UM4R/autorun.inf: OK
>>>
>>> I believe g2p3s.exe, t.exe and autorun.inf are some sort of trojan or
>>> something but clam doesn't seem to detect it.
>
> autorun.inf is the standard windows pre-installation procedure. The
> others do look iffy, BUT they are only iffy if proved. Zip them and send
> them to your anti virus people.
>
> --
>
> Message: 5
> Date: Sat, 19 Jan 2008 23:41:25 -0700
> From: Michael L Torrie <[EMAIL PROTECTED]>
> Subject: Re: [Clamav-users] What's this? I can't believe it!
> To: ClamAV users ML
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=ISO-8859-1
>
> umarzuki mochlis wrote:
>> I tried to scan my pendrive and got this.
>>
>> [EMAIL PROTECTED]:~$ sudo clamscan /media/UM4R
>> [sudo] password for umarzuki:
>> /media/UM4R/g2p3s.exe: OK
>> /media/UM4R/t.
Re: [Clamav-users] What's this? I can't believe it!
On Sun, 20 Jan 2008 15:03:14 -0700 [EMAIL PROTECTED] wrote:

> The exe files are Windows' executables (applications). Would they do
> harm to Linux? When I tried to open an exe file I was told no
> application was available.

[snip]

Well, my mail server runs on Linux, but most of my clients use Outlook
to read their mail. So, what relevance is there to the OS that clamav
runs on???

Steve
Re: [Clamav-users] What's this? I can't believe it!
Dennis Peterson wrote:

> Nobody has actually tested the files to see if they are Windows
> executables that I've seen. It is entirely possible they could be
> Linux executables. File extensions don't mean much on a Linux system
> but it seems from this thread a great way to pass around Linux viruses
> is to tack on a .exe extension and a lot of people will ignore them to
> their great peril.
>
> dp

Well, if you ignore the file I don't see how it's going to run.
Moreover, it's less likely you will write ./Foo.exe as you're already
assuming by the extension that it wouldn't work, so why do it?
Re: [Clamav-users] clamav-users Digest, Vol 40, Issue 19
I don't know if it's the latest or not. I just sudo apt-get install it
from the Ubuntu repo. Kaspersky detected it.

On Jan 20, 2008 7:00 PM, <[EMAIL PROTECTED]> wrote:

> Send clamav-users mailing list submissions to
>    clamav-users@lists.clamav.net
>
> To subscribe or unsubscribe via the World Wide Web, visit
>    http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
> or, via email, send a message with subject or body 'help' to
>    [EMAIL PROTECTED]
>
> You can reach the person managing the list at
>    [EMAIL PROTECTED]
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of clamav-users digest..."
>
> Today's Topics:
>
>    1. What's this? I can't believe it! (umarzuki mochlis)
>    2. Re: What's this? I can't believe it! (Brandon Perry)
>    3. Re: What's this? I can't believe it! (Brandon Perry)
>    4. Re: What's this? I can't believe it! (Joe Clements)
>    5. Re: What's this? I can't believe it! (Michael L Torrie)
>
> --
>
> Message: 1
> Date: Sun, 20 Jan 2008 10:35:28 +0800
> From: "umarzuki mochlis" <[EMAIL PROTECTED]>
> Subject: [Clamav-users] What's this? I can't believe it!
> To: clamav-users@lists.clamav.net
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=ISO-8859-1
>
> I tried to scan my pendrive and got this.
>
> [EMAIL PROTECTED]:~$ sudo clamscan /media/UM4R
> [sudo] password for umarzuki:
> /media/UM4R/g2p3s.exe: OK
> /media/UM4R/t.exe: OK
> /media/UM4R/smw-1.7-setup.exe: OK
> /media/UM4R/autorun.inf: OK
>
> I believe g2p3s.exe, t.exe and autorun.inf are some sort of trojan or
> something but clam doesn't seem to detect it.
>
> --
> Get money for each referral >> http://tinyurl.com/2pbj3p
> Beta test website for money >> http://tinyurl.com/28ge49
> Get paid for each click! >> http://tinyurl.com/22th2y
>
> --
>
> Message: 2
> Date: Sat, 19 Jan 2008 20:53:26 -0600
> From: Brandon Perry <[EMAIL PROTECTED]>
> Subject: Re: [Clamav-users] What's this? I can't believe it!
> To: ClamAV users ML
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain
>
> Does Norton/AVG/McAfee detect them? What makes you think they are
> trojans?
>
> On Sun, 2008-01-20 at 10:35 +0800, umarzuki mochlis wrote:
>> I tried to scan my pendrive and got this.
>>
>> [EMAIL PROTECTED]:~$ sudo clamscan /media/UM4R
>> [sudo] password for umarzuki:
>> /media/UM4R/g2p3s.exe: OK
>> /media/UM4R/t.exe: OK
>> /media/UM4R/smw-1.7-setup.exe: OK
>> /media/UM4R/autorun.inf: OK
>>
>> I believe g2p3s.exe, t.exe and autorun.inf are some sort of trojan or
>> something but clam doesn't seem to detect it.
>
> --
>
> Message: 3
> Date: Sat, 19 Jan 2008 21:27:58 -0600
> From: Brandon Perry <[EMAIL PROTECTED]>
> Subject: Re: [Clamav-users] What's this? I can't believe it!
> To: ClamAV users ML
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain
>
> Also, what version are you using? Do you have all the definitions?
>
> On Sun, 2008-01-20 at 10:35 +0800, umarzuki mochlis wrote:
>> I tried to scan my pendrive and got this.
>>
>> [EMAIL PROTECTED]:~$ sudo clamscan /media/UM4R
>> [sudo] password for umarzuki:
>> /media/UM4R/g2p3s.exe: OK
>> /media/UM4R/t.exe: OK
>> /media/UM4R/smw-1.7-setup.exe: OK
>> /media/UM4R/autorun.inf: OK
>>
>> I believe g2p3s.exe, t.exe and autorun.inf are some sort of trojan or
>> something but clam doesn't seem to detect it.
>
> --
>
> Message: 4
> Date: Sun, 20 Jan 2008 04:57:43 +
> From: Joe Clements <[EMAIL PROTECTED]>
> Subject: Re: [Clamav-users] What's this? I can't believe it!
> To: ClamAV users ML
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Brandon Perry wrote:
>> Also, what version are you using? Do you have all the definitions?
>>
>> On Sun, 2008-01-20 at 10:35 +0800, umarzuki mochlis wrote:
>>
>>> I tried to scan my pendrive and got this.
>>>
>>> [EMAIL PROTECTED]:~$ sudo clamscan /media/UM4R
>>> [sudo] password for umarzuki:
>>> /media/UM4R/g2p3s.exe: OK
>>> /media/UM4R/t.exe: OK
>>> /media/UM4R/smw-1.7-setup.exe: OK
>>> /media/UM4R/autorun.inf: OK
>>>
>>> I believe g2p3s.exe, t.exe and autorun.inf are some sort of trojan or
>>> something but clam doesn't seem to detect it.
>
> autorun.inf is the standard windows pre-installation procedure. The
> others do look iffy, BUT they are only iffy if proved. Zip them and send
> them to your anti virus people.
>
> --
>
> Message: 5
> Date: Sat, 19 Jan 2008 23:41:25 -0700
> From: Michael L Torrie <[EMAIL PROTECTED]>
> Subject: Re: [Clamav-users] What's this? I can't bel
Re: [Clamav-users] What's this? I can't believe it!
Sarocet wrote:

> Dennis Peterson wrote:
>> Nobody has actually tested the files to see if they are Windows
>> executables that I've seen. It is entirely possible they could be
>> Linux executables. File extensions don't mean much on a Linux system
>> but it seems from this thread a great way to pass around Linux viruses
>> is to tack on a .exe extension and a lot of people will ignore them to
>> their great peril.
>>
>> dp
>
> Well, if you ignore the file I don't see how it's going to run.
> Moreover, it's less likely you will write ./Foo.exe as you're already
> assuming by the extension that it wouldn't work, so why do it?

Some of us run mail equipment that sits in front of very large
corporations and it is incumbent upon us to know what we have so we
don't have to make excuses later. And some people, not you or I of
course, are idiots and will do whatever is possible to help blackhats
make a buck.

dp
Re: [Clamav-users] What's this? I can't believe it!
The point raised by Dennis is extremely relevant to this thread. The
exception of course is Linux which runs on the PowerPC or Cell
architecture. Only in that environment would Linux executables have no
effect, as the infecting executables are designed for Linux and Windows
running on Intel compatibles and utilize specific functions, register
processing and calls to the Intel and compatible processor.

Keeping in mind that there are emulators of all kinds, including even a
Linux emulator which functions within Windows, all of them share one
characteristic: they either run on Intel or emulate Intel. All of these
are susceptible to these infections and other malware.

This is a pretty monstrous headache for the current computer system
marketplace which seems to function nearly entirely by relying on one
processor. I can hear the overwhelming sigh from many experts repeating
to themselves regarding this predicament, "I told them... long ago". To
which the only response now is, "Oh well..."

The solution which Bill Maidment recommended earlier in this thread may
be the only reasonable approach for users of Intel systems to implement.
If I was using an Intel system I'd have to agree with him, better safe
"than scorched."

All the best...

On Jan 20, 2008 6:46 PM, Sarocet <[EMAIL PROTECTED]> wrote:

> Dennis Peterson wrote:
>> Nobody has actually tested the files to see if they are Windows
>> executables that I've seen. It is entirely possible they could be
>> Linux executables. File extensions don't mean much on a Linux system
>> but it seems from this thread a great way to pass around Linux viruses
>> is to tack on a .exe extension and a lot of people will ignore them to
>> their great peril.
>>
>> dp
>
> Well, if you ignore the file I don't see how it's going to run.
> Moreover, it's less likely you will write ./Foo.exe as you're already
> assuming by the extension that it wouldn't work, so why do it?
Re: [Clamav-users] clamav-users Digest, Vol 40, Issue 19
Did you do a sudo freshclam? The repos aren't the latest, but that
doesn't hinder the definitions. If you didn't do sudo freshclam, then
you don't have the latest definitions at all.

On Mon, 2008-01-21 at 07:44 +0800, umarzuki mochlis wrote:

> I don't know if it's the latest or not. I just sudo apt-get install it
> from the Ubuntu repo. Kaspersky detected it.
>
> On Jan 20, 2008 7:00 PM, <[EMAIL PROTECTED]> wrote:
>
>> Send clamav-users mailing list submissions to
>>    clamav-users@lists.clamav.net
>>
>> To subscribe or unsubscribe via the World Wide Web, visit
>>    http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>> or, via email, send a message with subject or body 'help' to
>>    [EMAIL PROTECTED]
>>
>> You can reach the person managing the list at
>>    [EMAIL PROTECTED]
>>
>> When replying, please edit your Subject line so it is more specific
>> than "Re: Contents of clamav-users digest..."
>>
>> Today's Topics:
>>
>>    1. What's this? I can't believe it! (umarzuki mochlis)
>>    2. Re: What's this? I can't believe it! (Brandon Perry)
>>    3. Re: What's this? I can't believe it! (Brandon Perry)
>>    4. Re: What's this? I can't believe it! (Joe Clements)
>>    5. Re: What's this? I can't believe it! (Michael L Torrie)
>>
>> --
>>
>> Message: 1
>> Date: Sun, 20 Jan 2008 10:35:28 +0800
>> From: "umarzuki mochlis" <[EMAIL PROTECTED]>
>> Subject: [Clamav-users] What's this? I can't believe it!
>> To: clamav-users@lists.clamav.net
>> Message-ID: <[EMAIL PROTECTED]>
>> Content-Type: text/plain; charset=ISO-8859-1
>>
>> I tried to scan my pendrive and got this.
>>
>> [EMAIL PROTECTED]:~$ sudo clamscan /media/UM4R
>> [sudo] password for umarzuki:
>> /media/UM4R/g2p3s.exe: OK
>> /media/UM4R/t.exe: OK
>> /media/UM4R/smw-1.7-setup.exe: OK
>> /media/UM4R/autorun.inf: OK
>>
>> I believe g2p3s.exe, t.exe and autorun.inf are some sort of trojan or
>> something but clam doesn't seem to detect it.
>>
>> --
>> Get money for each referral >> http://tinyurl.com/2pbj3p
>> Beta test website for money >> http://tinyurl.com/28ge49
>> Get paid for each click! >> http://tinyurl.com/22th2y
>>
>> --
>>
>> Message: 2
>> Date: Sat, 19 Jan 2008 20:53:26 -0600
>> From: Brandon Perry <[EMAIL PROTECTED]>
>> Subject: Re: [Clamav-users] What's this? I can't believe it!
>> To: ClamAV users ML
>> Message-ID: <[EMAIL PROTECTED]>
>> Content-Type: text/plain
>>
>> Does Norton/AVG/McAfee detect them? What makes you think they are
>> trojans?
>>
>> On Sun, 2008-01-20 at 10:35 +0800, umarzuki mochlis wrote:
>>> I tried to scan my pendrive and got this.
>>>
>>> [EMAIL PROTECTED]:~$ sudo clamscan /media/UM4R
>>> [sudo] password for umarzuki:
>>> /media/UM4R/g2p3s.exe: OK
>>> /media/UM4R/t.exe: OK
>>> /media/UM4R/smw-1.7-setup.exe: OK
>>> /media/UM4R/autorun.inf: OK
>>>
>>> I believe g2p3s.exe, t.exe and autorun.inf are some sort of trojan or
>>> something but clam doesn't seem to detect it.
>>
>> --
>>
>> Message: 3
>> Date: Sat, 19 Jan 2008 21:27:58 -0600
>> From: Brandon Perry <[EMAIL PROTECTED]>
>> Subject: Re: [Clamav-users] What's this? I can't believe it!
>> To: ClamAV users ML
>> Message-ID: <[EMAIL PROTECTED]>
>> Content-Type: text/plain
>>
>> Also, what version are you using? Do you have all the definitions?
>>
>> On Sun, 2008-01-20 at 10:35 +0800, umarzuki mochlis wrote:
>>> I tried to scan my pendrive and got this.
>>>
>>> [EMAIL PROTECTED]:~$ sudo clamscan /media/UM4R
>>> [sudo] password for umarzuki:
>>> /media/UM4R/g2p3s.exe: OK
>>> /media/UM4R/t.exe: OK
>>> /media/UM4R/smw-1.7-setup.exe: OK
>>> /media/UM4R/autorun.inf: OK
>>>
>>> I believe g2p3s.exe, t.exe and autorun.inf are some sort of trojan or
>>> something but clam doesn't seem to detect it.
>>
>> --
>>
>> Message: 4
>> Date: Sun, 20 Jan 2008 04:57:43 +
>> From: Joe Clements <[EMAIL PROTECTED]>
>> Subject: Re: [Clamav-users] What's this? I can't believe it!
>> To: ClamAV users ML
>> Message-ID: <[EMAIL PROTECTED]>
>> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>>
>> Brandon Perry wrote:
>>> Also, what version are you using? Do you have all the definitions?
>>>
>>> On Sun, 2008-01-20 at 10:35 +0800, umarzuki mochlis wrote:
>>>
>>>> I tried to scan my pendrive and got this.
>>>>
>>>> [EMAIL PROTECTED]:~$ sudo clamscan /media/UM4R
>>>> [sudo] password for umarzuki:
>>>> /media/UM4R/g2p3s.exe: OK
>>>> /media/UM4R/t.exe: OK
>>>> /media/UM4R/smw-1.7-setup.exe: OK
>>>> /media/UM4R/autorun.inf: OK
>>>>
>>>> I believe g2p3s.exe, t.exe and autorun.inf are some sort of trojan or
>>>> something but clam doesn't seem to detect it.
>>>
>>> _
Re: [Clamav-users] What's this? I can't believe it!
That still seems a bit "over-the-top". Sure, better safe than sorry, but
I wouldn't just blindly delete any exe that I come into contact with
(via email or otherwise). Especially on Linux, you can get archives
zipped into an exe format that are unzipped via unzip -a. That is quite
a common format in the Windows world, and I have seen it a few times
within the Linux world also. Magic numbers can't tell it is an archive,
so you would think it is just a regular binary, but I know for a fact
Dell does many of their drivers in this format.

With the whole Intel thing, even through emulation, this could be a
stretched argument. Sure, there are architecture-independent viruses,
but I haven't heard of a virus that can attack on any platform through
the architecture itself. I am sure that in the future, these will be
common, but I don't think this is something that we should be worrying
about now. Please correct me if I am wrong in saying this as I am not
pretending to know everything about virus infections; this is just from
experience.

On Sun, 2008-01-20 at 19:51 -0500, Derick Centeno wrote:

> The point raised by Dennis is extremely relevant to this thread. The
> exception of course is Linux which runs on the PowerPC or Cell
> architecture. Only in that environment would Linux executables have no
> effect, as the infecting executables are designed for Linux and Windows
> running on Intel compatibles and utilize specific functions, register
> processing and calls to the Intel and compatible processor.
>
> Keeping in mind that there are emulators of all kinds, including even a
> Linux emulator which functions within Windows, all of them share one
> characteristic: they either run on Intel or emulate Intel. All of these
> are susceptible to these infections and other malware.
>
> This is a pretty monstrous headache for the current computer system
> marketplace which seems to function nearly entirely by relying on one
> processor. I can hear the overwhelming sigh from many experts repeating
> to themselves regarding this predicament, "I told them... long ago". To
> which the only response now is, "Oh well..."
>
> The solution which Bill Maidment recommended earlier in this thread may
> be the only reasonable approach for users of Intel systems to
> implement. If I was using an Intel system I'd have to agree with him,
> better safe "than scorched."
>
> All the best...
>
> On Jan 20, 2008 6:46 PM, Sarocet <[EMAIL PROTECTED]> wrote:
>
>> Dennis Peterson wrote:
>>> Nobody has actually tested the files to see if they are Windows
>>> executables that I've seen. It is entirely possible they could be
>>> Linux executables. File extensions don't mean much on a Linux system
>>> but it seems from this thread a great way to pass around Linux
>>> viruses is to tack on a .exe extension and a lot of people will
>>> ignore them to their great peril.
>>>
>>> dp
>>
>> Well, if you ignore the file I don't see how it's going to run.
>> Moreover, it's less likely you will write ./Foo.exe as you're already
>> assuming by the extension that it wouldn't work, so why do it?
[Clamav-users] How to increase freshclam's log file limit
My freshclam.log only shows entries like:

    Log size = 11242653, max = 1048576
    LOGGING DISABLED (Maximal log file size exceeded).

How can I increase the max log file size?

Thanks,
James.
Re: [Clamav-users] How to increase freshclam's log file limit
On Mon, 21 Jan 2008 15:32:59 +1100, James Brown wrote:

> My freshclam.log only shows entries like:
>
> Log size = 11242653, max = 1048576
> LOGGING DISABLED (Maximal log file size exceeded).
>
> How can I increase the max log file size?

Try putting something like this in /etc/logrotate.d/freshclam (or
wherever). This will stop it getting too big.

    /var/log/freshclam.log {
        missingok
        notifempty
        sharedscripts
        postrotate
            /etc/init.d/freshclam restart >/dev/null 2>&1 || true
        endscript
    }

--
Bill Maidment
Maidment Enterprises Pty Ltd
www.maidment.vu
Off-site consultant to Elgas Ltd
Re: [Clamav-users] How to increase freshclam's log file limit
James Brown wrote:

> My freshclam.log only shows entries like:
>
> Log size = 11242653, max = 1048576
> LOGGING DISABLED (Maximal log file size exceeded).
>
> How can I increase the max log file size?

The current build of ClamAV has this in the example freshclam.conf file:

    # Maximum size of the log file.
    # Value of 0 disables the limit.
    # You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
    # and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes).
    # in bytes just don't use modifiers.
    # Default: 1M
    #LogFileMaxSize 2M

The default, as you have discovered, is 1 meg. Edit your version of the
installed freshclam.conf file and make the LogFileMaxSize whatever you
wish.

Or consider using syslog for logging and configure your log rotating
tool to rotate this log appropriately.

dp
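The size rules quoted from the example freshclam.conf above (a commented-out line leaves the 1M default in force, K/k and M/m multipliers, 0 disables the limit) are easy to get wrong by hand, and the thread shows why that matters: the "LOGGING DISABLED" line appears when the log has already outgrown the limit. The parser below is an added example, not ClamAV's code or anything a poster wrote; it reads a freshclam.conf text, works out the effective LogFileMaxSize in bytes, and checks it against a log size such as the 11242653 bytes in James's log line. The sample configuration texts are constructed for the example; that freshclam honours the last LogFileMaxSize directive it sees and disables logging once the file size exceeds the limit are assumptions of this example, not statements from the page.

```python
import re

DEFAULT_LOG_MAX = 1024 * 1024  # the "Default: 1M" from the example freshclam.conf

# Multipliers documented in the example config: bare number = bytes, K/k = 1024, M/m = 1048576
_UNIT_MULTIPLIER = {"": 1, "k": 1024, "m": 1024 * 1024}


def parse_size(value: str) -> int:
    """Convert a LogFileMaxSize value such as '2M', '512k' or '4096' to bytes."""
    match = re.fullmatch(r"(\d+)([KkMm]?)", value.strip())
    if not match:
        raise ValueError(f"bad LogFileMaxSize value: {value!r}")
    number, unit = int(match.group(1)), match.group(2).lower()
    return number * _UNIT_MULTIPLIER[unit]


def effective_log_max(conf_text: str) -> int:
    """Return the limit in bytes that applies for this config text.

    Lines starting with '#' are comments, so '#LogFileMaxSize 2M' changes nothing
    and the default stays in force. A value of 0 means "no limit".
    Assumption for this example: if the directive appears more than once, the last
    occurrence wins.
    """
    limit = DEFAULT_LOG_MAX
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split(None, 1)
        if parts[0] == "LogFileMaxSize" and len(parts) == 2:
            limit = parse_size(parts[1])
    return limit


def logging_would_be_disabled(conf_text: str, current_log_size: int) -> bool:
    """True if a log of the given size exceeds the configured limit (0 = unlimited).

    Assumption for this example: the limit is exceeded when size > limit, matching
    the "Log size = ..., max = ..." wording in the reported log line.
    """
    limit = effective_log_max(conf_text)
    return limit != 0 and current_log_size > limit


# Constructed config texts modelled on the example freshclam.conf excerpt above.
SAMPLE_CONF_DEFAULT = """\
# Maximum size of the log file.
# Value of 0 disables the limit.
# Default: 1M
#LogFileMaxSize 2M
UpdateLogFile /var/log/freshclam.log
"""
SAMPLE_CONF_UNLIMITED = SAMPLE_CONF_DEFAULT + "LogFileMaxSize 0\n"
SAMPLE_CONF_BIGGER = SAMPLE_CONF_DEFAULT + "LogFileMaxSize 20M\n"

REPORTED_LOG_SIZE = 11242653  # the size quoted in James's freshclam.log entry


if __name__ == "__main__":
    for label, conf in (("default", SAMPLE_CONF_DEFAULT),
                        ("unlimited", SAMPLE_CONF_UNLIMITED),
                        ("20M", SAMPLE_CONF_BIGGER)):
        print(label, effective_log_max(conf),
              "disabled" if logging_would_be_disabled(conf, REPORTED_LOG_SIZE) else "ok")
```

With the commented-out directive the effective limit is still 1048576 bytes and an 11242653-byte log trips it, which is exactly the message James saw; uncommenting it with 0 or a value above the current log size is what clears the condition. Note that the checker reads the file you hand it, so if a directive edit seems to have no effect, the first thing to confirm is that the file being edited is the one freshclam actually loads (clamconf, as suggested later in the thread, prints what it read).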
Re: [Clamav-users] How to increase freshclam's log file limit
James Brown wrote:

> Added the above text, but with LogFileMaxSize 0, (without the '#' of
> course!).
>
> ran /usr/local/bin/freshclam
>
> still got a LOGGING DISABLED error in freshclam.log
>
> Thanks Dennis & Bill,

Did you stop and restart freshclam (assuming you run it as a daemon)?

What version of ClamAV?

What do you get when you run clamconf?

dp
Re: [Clamav-users] How to increase freshclam's log file limit
On 21/01/2008, at 4:03 PM, Dennis Peterson wrote:

> James Brown wrote:
>> My freshclam.log only shows entries like:
>>
>> Log size = 11242653, max = 1048576
>> LOGGING DISABLED (Maximal log file size exceeded).
>>
>> How can I increase the max log file size?
>
> The current build of ClamAV has this in the example freshclam.conf
> file:
>
> # Maximum size of the log file.
> # Value of 0 disables the limit.
> # You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
> # and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes).
> # in bytes just don't use modifiers.
> # Default: 1M
> #LogFileMaxSize 2M

I looked for something like this, but I have nothing in the
freshclam.conf file. I could not find any other freshclam.conf files on
my system. (I have the text in clamd.conf).

I'll add that text to freshclam.conf, and then run freshclam again.

Thanks,
James.
Re: [Clamav-users] How to increase freshclam's log file limit
On 21/01/2008, at 4:45 PM, Dennis Peterson wrote:

> James Brown wrote:
>
>> Added the above text, but with LogFileMaxSize 0, (without the '#' of
>> course!).
>>
>> ran /usr/local/bin/freshclam
>>
>> still got a LOGGING DISABLED error in freshclam.log
>>
>> Thanks Dennis & Bill,
>
> Did you stop and restart freshclam (assuming you run it as a daemon)?

I suppose it must run as a daemon, but I can't find it in my list of
running processes. Would it have another name?

> What version of ClamAV?

0.92

> What do you get when you run clamconf?

    clamconf
    /usr/local/etc/clamd.conf: clamd directives
    --
    LogFile = "/var/log/clamd.log"
    LogFileUnlock = no
    LogFileMaxSize = 1048576
    LogTime = yes
    LogClean = no
    LogVerbose = no
    LogSyslog = no
    LogFacility = "LOG_LOCAL6"
    PidFile = "/var/run/clamd.pid"
    TemporaryDirectory not set
    ScanPE = yes
    ScanELF = yes
    DetectBrokenExecutables = no
    ScanMail = yes
    MailFollowURLs = no
    MailMaxRecursion = 64
    PhishingSignatures = yes
    PhishingScanURLs = yes
    PhishingAlwaysBlockCloak = no
    PhishingAlwaysBlockSSLMismatch = no
    PhishingRestrictedScan = yes
    DetectPUA = no
    AlgorithmicDetection = yes
    ScanHTML = yes
    ScanOLE2 = yes
    ScanPDF = yes
    ScanArchive = yes
    ArchiveMaxFileSize = 10485760
    ArchiveMaxRecursion = 8
    ArchiveMaxFiles = 1000
    ArchiveMaxCompressionRatio = 250
    ArchiveLimitMemoryUsage = no
    ArchiveBlockEncrypted = no
    ArchiveBlockMax = no
    DatabaseDirectory = "/usr/local/share/clamav"
    TCPAddr not set
    TCPSocket not set
    LocalSocket = "/tmp/clamd.socket"
    MaxConnectionQueueLength = 15
    StreamMaxLength = 10485760
    StreamMinPort = 1024
    StreamMaxPort = 2048
    MaxThreads = 10
    ReadTimeout = 120
    IdleTimeout = 30
    MaxDirectoryRecursion = 15
    FollowDirectorySymlinks = no
    FollowFileSymlinks = no
    ExitOnOOM = no
    Foreground = no
    Debug = no
    LeaveTemporaryFiles = no
    FixStaleSocket = yes
    User not set
    AllowSupplementaryGroups = no
    SelfCheck = 1800
    VirusEvent not set
    ClamukoScanOnAccess not set
    ClamukoScanOnOpen not set
    ClamukoScanOnClose not set
    ClamukoScanOnExec not set
    ClamukoIncludePath not set
    ClamukoExcludePath not set
    ClamukoMaxFileSize = 5242880
    DevACOnly not set
    DevACDepth not set

    /usr/local/etc/freshclam.conf: freshclam directives
    --
    LogFileMaxSize = 1048576
    LogTime = no
    LogVerbose = no
    LogSyslog = no
    LogFacility = "LOG_LOCAL6"
    PidFile not set
    DatabaseDirectory = "/usr/local/share/clamav"
    Foreground = no
    Debug = no
    AllowSupplementaryGroups = no
    DatabaseOwner = "clamav"
    Checks = 12
    UpdateLogFile = "/var/log/freshclam.log"
    DNSDatabaseInfo = "current.cvd.clamav.net"
    DatabaseMirror = "db.au.clamav.net"
    MaxAttempts = 3
    ScriptedUpdates = yes
    HTTPProxyServer not set
    HTTPProxyPort not set
    HTTPProxyUsername not set
    HTTPProxyPassword not set
    HTTPUserAgent not set
    NotifyClamd = "/usr/local/etc/clamd.conf"
    OnUpdateExecute not set
    OnErrorExecute not set
    OnOutdatedExecute not set
    LocalIPAddress not set
    ConnectTimeout = 30
    ReceiveTimeout = 30

    Engine and signature databases
    --
    Engine version: 0.92 (with experimental code)
    Database directory: /usr/local/share/clamav
    main db: Format: .inc, Version: 45, Build time: Mon Dec 10 02:50:53 2007
    daily db: Format: .cvd, Version: 5505, Build time: Mon Jan 21 10:48:59 2008

Thanks,
James.
Re: [Clamav-users] How to increase freshclam's log file limit
On 21/01/2008, at 4:03 PM, Dennis Peterson wrote:

> James Brown wrote:
>> My freshclam.log only shows entries like:
>>
>> Log size = 11242653, max = 1048576
>> LOGGING DISABLED (Maximal log file size exceeded).
>>
>> How can I increase the max log file size?
>
> The current build of ClamAV has this in the example freshclam.conf
> file:
>
> # Maximum size of the log file.
> # Value of 0 disables the limit.
> # You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
> # and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes).
> # in bytes just don't use modifiers.
> # Default: 1M
> #LogFileMaxSize 2M
>
> The default as you have discovered is 1 meg. Edit your version of
> the installed freshclam.conf file and make the LogFileMaxSize what
> ever you wish.

Added the above text, but with LogFileMaxSize 0, (without the '#' of
course!).

ran /usr/local/bin/freshclam

still got a LOGGING DISABLED error in freshclam.log

Thanks Dennis & Bill,
James.