Re: [Clamav-users] Virus not detected on Linux/MacOSX
>> > ./clamscan/.libs/clamscan file.exe
>> > Linux Wally 2.6.18-53.1.6.el5 #1 SMP Wed Jan 23 11:28:47 EST 2008 x86_64 x86_64 x86_64 GNU/Linux
>> > MD5(file.exe)= e7e7dc7981a4089cdcb42d32247dc6e0
>> > ClamAV 0.94/8284/Thu Sep 18 18:54:57 2008
>> > file.exe: OK
>> >
>> > --- SCAN SUMMARY ---
>> > Known viruses: 428321
>> > Engine version: 0.94
>> > Scanned directories: 0
>> > Scanned files: 1
>> > Infected files: 0
>> > Data scanned: 0.00 MB
>> > Time: 0.869 sec (0 m 0 s)

Suggestion:

Change "file.exe: OK" to "file.exe: not scanned - exceeds max-filesize"

Change "Scanned files: 1" to "Scanned files: 0" and add a new count to the summary "Not scanned: 1".

That will show that clamscan is doing exactly what it has been told to do, while protecting the OP from i) forgetting that there is a max-filesize default (as it's been years since he last saw it) and ii) forgetting that files now need to be checked for size before checking them for threats (as ridiculously large files are now considered to be normal data).

Moray.

"To err is human. To purr, feline"
http://members.aol.com/edgwddirk

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
[Clamav-users] Email header parsing
Good morning,

I have local signatures (local.ndb) defined. One of my rules is not always matched because the UA or MTA may generate/modify different headers.

I have defined a match on:

application/zip; name="testdu28.zip"

But emails are sometimes generated with:

...application/zip;
 name="testdu28.zip"

Both headers are identical as far as email is concerned because a line that starts with a space means a continuation of the previous line in an email header.

Unfortunately, from what I have seen clamd does not try to do header concatenation. Is there an option to tell clamd to concatenate headers?

Thanks in advance for your answer.
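The header-folding behaviour the post describes (a continuation line beginning with whitespace belongs to the previous header field) is what makes a literal signature miss. The example below is added here and is not code from the post or from ClamAV; it builds a constructed MIME part header in which the Content-Type parameter is folded, shows that a literal substring match on the raw bytes fails, unfolds the header block as RFC 5322 prescribes (collapsing the folding whitespace to a single space so both spellings compare equal), and matches again. The sample header, the body placeholder and the SIGNATURE constant are assumptions for illustration.

```python
import re

# Constructed sample MIME part header (not from the post): the Content-Type
# parameter is folded onto a continuation line that begins with a tab, which
# is how some MUAs/MTAs emit long header fields.
FOLDED_PART = (
    'Content-Type: application/zip;\r\n'
    '\tname="testdu28.zip"\r\n'
    'Content-Disposition: attachment;\r\n'
    ' filename="testdu28.zip"\r\n'
    '\r\n'
    'UEsDBBQAAAAIAA==\r\n'   # body line (constructed placeholder, not a real zip)
)

# The literal the local.ndb rule in the post is looking for.
SIGNATURE = 'application/zip; name="testdu28.zip"'


def unfold_headers(raw: str) -> str:
    """Return raw with its header section unfolded.

    RFC 5322 section 2.2.3: a header line that begins with SP or HTAB
    continues the previous line, and unfolding removes the line break in
    front of that whitespace. The folding whitespace is also collapsed to a
    single space here so that the folded and unfolded spellings of the same
    field compare equal. Only the header block (up to the first blank line)
    is touched: an indented line in the body is data, not folding.
    """
    head, sep, body = raw.partition('\r\n\r\n')
    unfolded = re.sub(r'\r?\n[ \t]+', ' ', head)
    return unfolded + sep + body


def parse_headers(raw: str) -> dict:
    """Map lower-cased header names to their unfolded values."""
    head = unfold_headers(raw).partition('\r\n\r\n')[0]
    fields = {}
    for line in head.split('\r\n'):
        name, colon, value = line.partition(':')
        if colon:
            fields[name.strip().lower()] = value.strip()
    return fields


def signature_matches(raw: str, signature: str, unfold: bool) -> bool:
    """Literal substring match against the part, with or without unfolding."""
    text = unfold_headers(raw) if unfold else raw
    return signature in text


if __name__ == '__main__':
    print('raw match:     ', signature_matches(FOLDED_PART, SIGNATURE, unfold=False))
    print('unfolded match:', signature_matches(FOLDED_PART, SIGNATURE, unfold=True))
    print(parse_headers(FOLDED_PART))
```

Run as-is the script prints False for the raw match and True after unfolding. The practical consequence for a signature author is that a rule anchored on a multi-parameter header value has to be written for every folding the sender may choose, or be applied to a normalised (unfolded) header; a rule that only matches one spelling fails open for the other.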
[Clamav-users] Unable To Run Freshclam...still
I am still unable to run /usr/bin/freshclam. This happened to me before and then it eventually started working again for a little but now has come back for some reason. I really want to understand and figure this out.

Here is what I get and also nothing appears in the logs from what I can tell:

mail:/var/log/clamav# freshclam
ERROR: Problem with internal logger (UpdateLogFile = /var/log/clamav/freshclam.log).
mail:/var/log/clamav# tail freshclam.log
daily.cld is up to date (version: 8307, sigs: 33389, f-level: 35, builder: ccordes)
--
Received signal: wake up
ClamAV update process started at Mon Sep 22 10:25:48 2008
main.cld is up to date (version: 48, sigs: 399264, f-level: 35, builder: sven)
Downloading daily-8308.cdiff [100%]
daily.cld updated (version: 8308, sigs: 33402, f-level: 35, builder: arnaud)
Database updated (432666 signatures) from db.local.clamav.net (IP: 64.142.100.50)
Clamd successfully notified about the update.
--

As you can see below, my /var/log/clamav directory has proper permissions:

drwxr-xr-x 2 amavis amavis 4096 2008-09-21 06:25 clamav

Then in that directory:

mail:/var/log/clamav# ls -l
total 112
-rw-r- 1 amavis adm 3401 2008-09-22 10:29 clamav.log
-rw-r- 1 amavis adm 23918 2008-09-21 06:25 clamav.log.1
-rw-r- 1 amavis adm 3063 2008-09-14 06:25 clamav.log.2.gz
-rw-r- 1 amavis adm 10196 2008-09-22 10:25 freshclam.log
-rw-r- 1 amavis adm 60461 2008-09-21 06:25 freshclam.log.1
-rw-r- 1 amavis adm 2718 2008-09-14 06:25 freshclam.log.2.gz

Can someone please help me understand and resolve this issue?

--
Carlos Williams
Re: [Clamav-users] Unable To Run Freshclam...still
your logs are owned by amavis?

On Mon, Sep 22, 2008 at 10:08 AM, Carlos Williams <[EMAIL PROTECTED]> wrote:

> I am still unable to run /usr/bin/freshclam. This happened to me
> before and then it eventually started working again for a little but
> now has come back for some reason. I really want to understand and
> figure this out.
>
> Here is what I get and also nothing appears in the logs from what I can
> tell:
>
> mail:/var/log/clamav# freshclam
> ERROR: Problem with internal logger (UpdateLogFile =
> /var/log/clamav/freshclam.log).
> mail:/var/log/clamav# tail freshclam.log
> daily.cld is up to date (version: 8307, sigs: 33389, f-level: 35,
> builder: ccordes)
> --
> Received signal: wake up
> ClamAV update process started at Mon Sep 22 10:25:48 2008
> main.cld is up to date (version: 48, sigs: 399264, f-level: 35, builder:
> sven)
> Downloading daily-8308.cdiff [100%]
> daily.cld updated (version: 8308, sigs: 33402, f-level: 35, builder:
> arnaud)
> Database updated (432666 signatures) from db.local.clamav.net (IP:
> 64.142.100.50)
> Clamd successfully notified about the update.
> --
>
> As you can see below, my /var/log/clamav directory has proper permissions:
>
> drwxr-xr-x 2 amavis amavis 4096 2008-09-21 06:25 clamav
>
> Then in that directory:
>
> mail:/var/log/clamav# ls -l
> total 112
> -rw-r- 1 amavis adm 3401 2008-09-22 10:29 clamav.log
> -rw-r- 1 amavis adm 23918 2008-09-21 06:25 clamav.log.1
> -rw-r- 1 amavis adm 3063 2008-09-14 06:25 clamav.log.2.gz
> -rw-r- 1 amavis adm 10196 2008-09-22 10:25 freshclam.log
> -rw-r- 1 amavis adm 60461 2008-09-21 06:25 freshclam.log.1
> -rw-r- 1 amavis adm 2718 2008-09-14 06:25 freshclam.log.2.gz
>
> Can someone please help me understand and resolve this issue?
>
> --
> Carlos Williams

--
http://www.volatileminds.net
Re: [Clamav-users] Unable To Run Freshclam...still
Brandon Perry wrote:
> your logs are owned by amavis?
>
> On Mon, Sep 22, 2008 at 10:08 AM, Carlos Williams <[EMAIL PROTECTED]> wrote:
>
>> mail:/var/log/clamav# ls -l
>> total 112
>> -rw-r- 1 amavis adm 3401 2008-09-22 10:29 clamav.log
>> -rw-r- 1 amavis adm 23918 2008-09-21 06:25 clamav.log.1
>> -rw-r- 1 amavis adm 3063 2008-09-14 06:25 clamav.log.2.gz
>> -rw-r- 1 amavis adm 10196 2008-09-22 10:25 freshclam.log
>> -rw-r- 1 amavis adm 60461 2008-09-21 06:25 freshclam.log.1
>> -rw-r- 1 amavis adm 2718 2008-09-14 06:25 freshclam.log.2.gz
>>
>> Can someone please help me understand and resolve this issue?

That and amavis is the ONLY user allowed to write to the files (besides the root user).

James
Re: [Clamav-users] Unable To Run Freshclam...still
On Mon, Sep 22, 2008 at 12:06 PM, James Kosin <[EMAIL PROTECTED]> wrote:
> Brandon Perry wrote:
>> your logs are owned by amavis?

I followed this guide for how to configure permissions on Debian for Clamav.

http://www200.pair.com/mecham/spam/clamav-amavisd-new.html

Did I do something wrong or miss something?

> That and amavis is the ONLY user allowed to write to the files (besides
> the root user).

What should the permissions be?
Re: [Clamav-users] Unable To Run Freshclam...still
ClamAV can't write to the logs because they don't have the permissions. You missed this part it looks like:

*The text illustrated above must match the LocalSocket parameter you found in clamd.conf.*

Edit amavisd.conf to match what you found in clamd.conf if it is different. This "clamd.ctl" is the file that is shared between the two programs and the reason we have problems.

Now open up the clamd.conf file again (mine is /etc/clamav/clamd.conf)

Below is illustrated the items in the file we are interested in:

LocalSocket /var/run/clamav/clamd.ctl
User clamav
LogFile /var/log/clamav/clamav.log
PidFile /var/run/clamav/clamd.pid
DatabaseDirectory /var/lib/clamav/

We need to edit this file and change:

User clamav

*to*

User amavis

On Mon, Sep 22, 2008 at 11:53 AM, Carlos Williams <[EMAIL PROTECTED]> wrote:

> On Mon, Sep 22, 2008 at 12:06 PM, James Kosin <[EMAIL PROTECTED]>
> wrote:
> > Brandon Perry wrote:
> >> your logs are owned by amavis?
>
> I followed this guide for how to configure permissions on Debian for
> Clamav.
>
> http://www200.pair.com/mecham/spam/clamav-amavisd-new.html
>
> Did I do something wrong or miss something?
>
> > That and amavis is the ONLY user allowed to write to the files (besides
> > the root user).
>
> What should the permissions be?

--
http://www.volatileminds.net
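The point the replies above make is a plain Unix discretionary-access-control question: the log files are owned by amavis with a mode that gives the adm group read only, so any other unprivileged account that freshclam or clamd happens to run as cannot open the log for writing, which is what "Problem with internal logger" reports. The example below is added here and is not code from the thread or from ClamAV. It parses constructed `ls -l` lines modelled on the ones Carlos posted, evaluates the owner/group/other triplets the way the kernel does, and reports which account can write each log. The mode string (0640), the account names clamav and auditor, and the group memberships are assumptions for illustration; in particular the thread never states which user freshclam runs as.

```python
import stat

# Constructed `ls -l` lines modelled on the thread (the mode is written out
# in full here; 0640 is an assumption consistent with "amavis is the ONLY
# user allowed to write to the files").
LS_LINES = [
    '-rw-r----- 1 amavis adm 10196 2008-09-22 10:25 freshclam.log',
    '-rw-r----- 1 amavis adm  3401 2008-09-22 10:29 clamav.log',
]

# Assumed accounts and their group memberships. "clamav" stands for a
# freshclam/clamd run as a user other than amavis; "auditor" is a made-up
# account that is in the adm group and therefore gets the group bits.
ACCOUNTS = {
    'amavis':  {'amavis'},
    'clamav':  {'clamav'},
    'auditor': {'auditor', 'adm'},
    'root':    {'root'},
}


def parse_ls_line(line):
    """Return (mode_bits, owner, group, name) from one `ls -l` line."""
    mode_str, _links, owner, group, _size, _date, _time, name = line.split(None, 7)
    bits = 0
    for i, ch in enumerate(mode_str[1:10]):   # skip the file-type character
        if ch != '-':
            bits |= 1 << (8 - i)               # rwxrwxrwx -> bits 8..0
    return bits, owner, group, name


def can_write(mode, owner, group, user, user_groups):
    """Classic Unix DAC check: root always may; otherwise exactly one of the
    owner, group or other triplets applies, chosen in that order. Being the
    owner with no write bit is a denial even if the group bits would allow it."""
    if user == 'root':
        return True
    if user == owner:
        return bool(mode & stat.S_IWUSR)
    if group in user_groups:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def diagnose(line, user):
    """Return (file name, writable?) for the log in `line` and account `user`."""
    mode, owner, group, name = parse_ls_line(line)
    return name, can_write(mode, owner, group, user, ACCOUNTS[user])


if __name__ == '__main__':
    for user in ACCOUNTS:
        for line in LS_LINES:
            name, ok = diagnose(line, user)
            verdict = 'can write' if ok else 'cannot write (logger would fail to open it)'
            print(f'{user:8} {name:14} {verdict}')
```

The table the script prints is the check to run mentally before touching config: the account named by `User` in clamd.conf and by `DatabaseOwner` in freshclam.conf must be the owner of its log file (or in a group with the write bit set), otherwise the daemon starts, logs nothing, and the failure is silent until someone runs the tool by hand, as happened here.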
Re: [Clamav-users] How important are file extensions?
Alejandro Pedraza wrote:
>>> Does clamav have a mechanism to find out a file is an archive without
>>> relying on its extension? For example does it know it has to unzip a
>>> zipped file even if its extension was changed to a random one
>>> different than .zip ?
>>>
>> ClamAV doesn't rely on file extensions. It uses magic numbers, special
>> signatures and heuristics to detect file types.
>>
>
> Excellent. Thanks for the fast reply.
>
> -- Alejandro

Somewhat off topic but does someone here know if there's a standard file extension that represents a null program. What I mean is that we rename some attachment suffixes to .txt but this causes some problems with some applications. We'd like to rename the attachments with another suffix, one that will never be used for an application (present or future). Does anyone know if a standard suffix has been created for just this purpose?

--
Roberto Ullfig - [EMAIL PROTECTED]
Re: [Clamav-users] How important are file extensions?
Roberto Ullfig wrote:
> Somewhat off topic but does someone here know if there's a standard file
> extension that represents a null program. What I mean is that we rename
> some attachment suffixes to .txt but this causes some problems with some
> applications. We'd like to rename the attachments with another suffix,
> one that will never be used for an application (present or future). Does
> anyone know if a standard suffix has been created for just this purpose?

Not to my knowledge.

I proposed a MIME-Type and suffix for this, but the RFC editors didn't think it was a good idea. I wanted a type of something like application/binary-blob and a filename extension something like .BLOB with the specification that MUAs and other software MUST NOT offer to do anything with the data except save it to disk.

The RFC editors sympathized with my goals, but did not believe it would be possible to force all the implementers to obey the restriction. Mickey$oft, in particular, likes to associate files with programs based on filenames, MIME types, weird heuristics, black magic, and sacrificed chickens. (I still can't believe businesses actually put up with Windoze cr*p)

Regards,
David.
Re: [Clamav-users] Unable To Run Freshclam...still
On Mon, Sep 22, 2008 at 12:56 PM, Brandon Perry <[EMAIL PROTECTED]> wrote:
> ClamAV can't write to the logs because they don't have the permissions. You
> missed this part it looks like:
> *The text illustrated above must match the LocalSocket parameter you found
> in clamd.conf.*
> Edit amavisd.conf to match what you found in clamd.conf if it is different.
> This "clamd.ctl" is the file that is shared between the two programs and the
> reason we have problems.
> Now open up the clamd.conf file again (mine is /etc/clamav/clamd.conf)
> Below is illustrated the items in the file we are interested in:
>
> LocalSocket /var/run/clamav/clamd.ctl
> User clamav
> LogFile /var/log/clamav/clamav.log
> PidFile /var/run/clamav/clamd.pid
> DatabaseDirectory /var/lib/clamav/
>

Here is what I found in /etc/clamav/clamd.conf

LocalSocket /var/run/clamav/clamd.ctl
User amavis
LogFile /var/log/clamav/clamav.log
PidFile /var/run/clamav/clamd.pid
DatabaseDirectory /var/lib/clamav

*Obviously that file contains much more config data however I assume above is what is relevant to this issue I am having*

> We need to edit this file and change:
> User clamav
> *to*
> User amavis

It already is 'amavis'
Re: [Clamav-users] Unable To Run Freshclam...still
Hmmm, something is very strange here because with no changes made to any config or permissions modified, I am now able to run 'freshclam' without any errors as I was having in my 1st example. All I simply did was 'restart' the daemon running 'freshclam':

mail:/etc# /etc/init.d/clamav-freshclam restart
Stopping ClamAV virus database updater: freshclam.
Starting ClamAV virus database updater: freshclam.
mail:/etc# freshclam
ClamAV update process started at Mon Sep 22 13:13:42 2008
main.cld is up to date (version: 48, sigs: 399264, f-level: 35, builder: sven)
daily.cld is up to date (version: 8308, sigs: 33402, f-level: 35, builder: arnaud)

What do you guys think? Is my system still configured incorrectly? I know it's working now but chances are I will have this problem all over again shortly and I don't know the cause of this. If it was incorrect configuration, I would like to resolve this and understand it. Any help is greatly appreciated. If I need to post anything else to help better understand what is going on.

Thanks all!
Re: [Clamav-users] Unable To Run Freshclam...still
What might be happening is two different apps with two different permissions are writing to the files. When the second app writes to the files, its permissions keep the first app (freshclam) from writing to the logs.

On Mon, Sep 22, 2008 at 12:16 PM, Carlos Williams <[EMAIL PROTECTED]> wrote:

> Hmmm, something is very strange here because with no changes made to
> any config or permissions modified, I am now able to run 'freshclam'
> with out any errors as I was having in my 1st example. All I simply
> did was 'restart' the daemon running 'freshclam':
>
> mail:/etc# /etc/init.d/clamav-freshclam restart
> Stopping ClamAV virus database updater: freshclam.
> Starting ClamAV virus database updater: freshclam.
> mail:/etc# freshclam
> ClamAV update process started at Mon Sep 22 13:13:42 2008
> main.cld is up to date (version: 48, sigs: 399264, f-level: 35, builder:
> sven)
> daily.cld is up to date (version: 8308, sigs: 33402, f-level: 35,
> builder: arnaud)
>
> What do you guys thing? Is my system still configured incorrectly? I
> know its working now but chances are I will have this problem all over
> again shortly and I don't know the cause of this. If it was incorrect
> configuration, I would like to resolve this and understand it. Any
> help is greatly appreciated. If I need to post anything else to help
> better understand what is going on.
>
> Thanks all!

--
http://www.volatileminds.net
Re: [Clamav-users] Unable To Run Freshclam...still
On Mon, Sep 22, 2008 at 1:24 PM, Brandon Perry <[EMAIL PROTECTED]> wrote:
> What might be happening is two different apps with two different permissions
> are writing to the files. when the second app writes to the files, its
> permissions keep the first app (freshclam) from writing to the logs.

So what is the best course of action here? Obviously 'amavis' is the middle man for 'Postfix' and 'Clamav' so I am not sure what I need to do with my current configuration to fix this. Obviously something is not right here, I just am not sure what that is.
Re: [Clamav-users] Unable To Run Freshclam...still
try taking amavis out of the picture and see what happens.

On Mon, Sep 22, 2008 at 12:33 PM, Carlos Williams <[EMAIL PROTECTED]> wrote:

> On Mon, Sep 22, 2008 at 1:24 PM, Brandon Perry
> <[EMAIL PROTECTED]> wrote:
> > What might be happening is two different apps with two different
> permissions
> > are writing to the files. when the second app writes to the files, its
> > permissions keep the first app (freshclam) from writing to the logs.
>
> So what is the best course of action here? Obviously 'amavis' is the
> middle man for 'Postfix' and 'Clamav' so I am not sure what I need to
> do with my current configuration to fix this. Obviously something is
> not right here, I just am not sure what that is.

--
http://www.volatileminds.net
Re: [Clamav-users] Virus not detected on Linux/MacOSX
Quoting fchan <[EMAIL PROTECTED]>:

> Remember not everyone that uses clamav is not an expert so for

They don't have to be an expert, they just have to read and configure the configuration file for their needs.

> someone that is new to clamav thinks that every file that went
> through clamav would be scanned for malware would be incorrect and
> they have a possibility of opening an infected file. I think a

Yes, but they should have read the configuration file, and changed it to meet their needs. If they didn't, well, that is their fault.

> message or warning that a file that was too large passed through
> clamav without being scanned would be nice so one can take
> appropriate action. That is my opinion.

First, it is not too large to pass through clamav, the user decided they didn't want it to pass through, or the user was negligent in configuring it.

Second, I would support such an output only when using the scanner in "debug" mode... Would be very useful when debugging, to see such a message. In normal mode, I see no reason to force this on the author against their will. Even in debug mode, it is up to the author, but I do think it would be useful in debug mode...

--
Eric Rostetter
The Department of Physics
The University of Texas at Austin

Go Longhorns!
Re: [Clamav-users] How important are file extensions?
At 09:59 22-09-2008, Roberto Ullfig wrote:
>Somewhat off topic but does someone here know if there's a standard file
>extension that represents a null program. What I mean is that we rename
>some attachment suffixes to .txt but this causes some problems with some
>applications. We'd like to rename the attachments with another suffix,
>one that will never be used for an application (present or future). Does
>anyone know if a standard suffix has been created for just this purpose?

File associations is a Microsoft concept. There are a few reserved names for devices but no standards for file extensions.

Regards,
-sm
Re: [Clamav-users] How important are file extensions?
On Mon, 22 Sep 2008, SM wrote:

> At 09:59 22-09-2008, Roberto Ullfig wrote:
> >Somewhat off topic but does someone here know if there's a standard file
> >extension that represents a null program.

> File associations is a Microsoft concept. There are a few reserved
> names for devices but no standards for file extensions.

Strictly speaking, most 'standard' file extensions are three or four characters. If you want to be sure you pick something no one else is likely to choose, then just go big: your.filename.nullprogram is quite legal and unambiguous. :)

- Charles