Re: [Clamav-users] Question of clamav/clamav-milter

2009-06-04 Thread Daniel J McDonald
On Wed, 2009-06-03 at 16:00 -0500, Javier Lopez wrote:
> Hi community,
> 
> I would like to know if there is a way to send the e-mail messages that 
> were classified by clamav as "Infected Message" to a particular e-mail 
> account  automatically as they are detected.

Yes.  Using amavisd-new, I can create a quarantine action of sending to
a different e-mail address.  Other solutions might apply, depending on
your environment.

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Re: [Clamav-users] SubmitDetectionStats Error

2009-11-23 Thread Daniel J McDonald
On Mon, 2009-11-23 at 12:37 +0100, Luca Gibelli wrote:

> maybe we could just start with a dedicated twitter account
> (clamav_infrastructure or something similar) where I could post updates
> regarding planned downtimes & similar stuff.
> I've seen other projects doing the same. 

I'd be happy to see it in the same twitter feed as the pattern updates.


-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com


Re: [Clamav-users] lstat() failed: Permission denied. ERROR

2009-12-21 Thread Daniel J McDonald
On Mon, 2009-12-21 at 13:02 -0300, Lima Union wrote:
> Hi all! I'm getting the following error message while trying to run clamdscan:
> 
> $ clamdscan eicar.txt
> eicar.txt: lstat() failed: Permission denied. ERROR


clamdscan runs with the permissions of the daemon user.  You probably
want to do something like:
$ cat eicar.txt | clamdscan -



-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com


Re: [Clamav-users] "Cannot prepare for JIT..."

2010-10-18 Thread Daniel J McDonald
On Mon, 2010-10-18 at 14:51 -0400, jef moskot wrote:
> On Mon, 18 Oct 2010, Török Edwin wrote:
> > You can apply this patch (that will be in 0.96.4):
> > http://git.clamav.net/gitweb?p=clamav-devel.git;a=blobdiff_plain;f=libclamav/bytecode_nojit.c;h=66d385d6a2b2f2f6afc4440a53ae87b9cae8c38b;hp=ec961a9d1bc6e3d274e664f9eb9afe4992f7757f;hb=670adde2bc4e4ba2f3b96c6ed551a3c8312693d9;hpb=cfe6b4a2163170ebf062db50c6fde8f818fe8a02
> 
> OK, I must admit that I have no idea what to do with that thing. 

It's a pretty straight-forward patch.  Delete two lines and add three
from one one...
>  I 
> installed git on my (FreeBSD) machine, but it seems massive and 
> complicated.  Presumably, all I want to do is replace some text.

Just grab the patch (use wget or any browser to open it) then apply it to
the source using patch and re-compile.

If you are building your clamav from rpm, then it's pretty easy to add a
patch like this to a specfile...

-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com


Re: [Clamav-users] Zip module failure ERROR

2007-03-08 Thread Daniel J McDonald
On Wed, 2007-03-07 at 20:01 +0200, Török Edvin wrote:
> On 3/7/07, Don Drake <[EMAIL PROTECTED]> wrote:
> > I'm running 0.90.1 and started to get a bunch of these messages when
> > scanning PDF's (usually inside a zip file).
> >
> > I have unzipped the .zip files containing the PDF's, and tried scanning
> > those manually and I get the same error.  I use clamdscan (with 'ScanPDF
> > yes' in my config) and even tried clamscan and I get the same error.
> >
> > It only occurs on certain PDF's, I tried scanning a few other PDF's that I
> > have on my server without errors.
> 
> Are the PDFs corrupted? I.e. can you open them in a PDF reader without errors?

I can open my example in a PDF reader without errors.
> 
> >
> > I have an example PDF, can I send that to a developer off-list?
> 
> Open a bugreport on bugzilla, and attach the example.

attach it to bugid 396, which I opened yesterday for the same cause.

-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] Zip module failure ERROR

2007-03-08 Thread Daniel J McDonald
On Thu, 2007-03-08 at 16:54 +0100, Ralf Hildebrandt wrote:
> * Don Drake <[EMAIL PROTECTED]>:
> 
> > I would, but I'm getting the following error in Bugzilla:
> > 
> > You are not authorized to access bug #396.
> 
> I wonder why that is -- it's a stupid idea IMHO.
> 

I believe all bugs are coded as security issues until they are reviewed
and marked as non-security issues.  I don't have the privilege to flip
the security bit to off to make the bug public (since I am merely a
reporter, not a developer).


Re: [Clamav-users] no virus scanning after manual ClamAV update

2007-03-08 Thread Daniel J McDonald
On Thu, 2007-03-08 at 10:47 +0100, "Sebastian Gäde" wrote:
> Hi!
> 
> I installed Fedora Core 4 including amavisd-new 2.4.2 and ClamAV
> 0.88.7. Everything worked fine, mails sent via postfix were checked by
> ClamAV.
> Since the ClamAV version is outdated, I updated to a newer version
> 0.90.1 (rpms from http://crash.fce.vutbr.cz/crash-hat/4/clamav/) and
> now I have the problem, that the script clamd.amavisd which starts the
> clamd for amavis doesn't run:
> 
> /etc/init.d/clamd.amavisd: line 7: /usr/share/clamav/clamd-wrapper:
> Datei oder Verzeichnis nicht gefunden [file or directory not found]
> 
> So the clamd doesn't start and mails are not checked:
> 
> Mar  8 10:00:06 mailgate amavis[2032]: (02032-04) (!) ClamAV-clamd:
> Can't connect to UNIX socket /var/spool/amavisd/clamd.sock: Datei oder
> Verzeichnis nicht gefunden, retrying (2)
> [...]
> Mar  8 10:00:12 mailgate amavis[2032]: (02032-04) (!!) WARN: all
> primary virus scanners failed, considering backups
> 
> Does anyone know how to fix the startup script and to reconnect
> amavisd and ClamAV?

You need to edit the new /etc/clamd.conf file.  More than likely one of
two things happened:
1.  clamd.conf was properly noted as a configuration file, and there is
a clamd.conf.rpmnew file in the directory with new default settings that
you need to merge with your old clamd.conf file (note that all options
now are binary rather than just an option name, so
"allowsupplementarygroups yes" instead of just
"allowsupplementarygroups").  With the illegal syntax, clamd just won't
run, and the socket won't be created.

2.  clamd.conf was either not noted as a configuration file, or was left
as default, and the new clamd.conf file provided by the RPM puts the
clamd.sock file in a different location.

In either case, cleaning up clamd.conf and restarting clamd will fix
your problem.



> 
> Thanks
> Sebastian 
-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com


Re: [Clamav-users] Freshclam not updating

2007-03-08 Thread Daniel J McDonald
On Thu, 2007-03-08 at 10:41 -0500, Kaplan, Andrew H. wrote:
> Hi there --

> Starting freshclam: ERROR: Parse error at line 44: Option
> AllowSupplementaryGroups requires boolean argument. 
> 
> 
> What change(s) do I need to make to what file(s) in order to correct this
> problem, and ensure that freshclam does update properly? Thanks. 

Instead of
AllowSupplementaryGroups

make it

AllowSupplementaryGroups yes

You will probably need to read through the whole freshclam.conf and
clamd.conf file to make those changes.
-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com
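
The syntax change described in this reply and in the earlier "no virus scanning after manual ClamAV update" reply (0.90 rejects an option name given without an argument), as an added example that is not part of the original posts or of ClamAV. It lists bare options in a clamd.conf or freshclam.conf and prints a corrected copy; the sample config is constructed, and the handling of the `Example` marker line that sample configs ship with is an assumption beyond what the replies cover.

```shell
#!/bin/sh
# Added example (not ClamAV project code): find pre-0.90 style bare options
# in clamd.conf / freshclam.conf and rewrite them with an explicit argument.

# Print "LINE: message" for every directive that has a name but no argument.
flag_bare_options() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        NF == 1 && $1 == "Example" {
            printf "%d: Example marker must be commented out\n", NR; next
        }
        NF == 1 { printf "%d: %s has no argument\n", NR, $1 }
    ' "$1"
}

# Print the file with " yes" appended to bare options. Comments and options
# that already carry an argument pass through unchanged.
fix_bare_options() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }
        NF == 1 && $1 == "Example" { print "#" $1; next }
        NF == 1 { print $1 " yes"; next }
        { print }
    ' "$1"
}

# Constructed sample in the old style (paths and values are illustrative).
write_sample_conf() {
    cat > "$1" <<'EOF'
# clamd.conf carried over from 0.88.x
Example
LogFile /var/log/clamav/clamd.log
LogTime
LocalSocket /var/spool/amavisd/clamd.sock
AllowSupplementaryGroups
ScanPDF yes
EOF
}

demo() {
    conf=$(mktemp) || return 1
    write_sample_conf "$conf"
    echo "Problems found:"
    flag_bare_options "$conf"
    echo "Rewritten file:"
    fix_bare_options "$conf"
    rm -f "$conf"
}
demo
```

Review the rewritten file before installing it, and merge any `.rpmnew` defaults first so the socket path still matches what amavisd expects.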


Re: [Clamav-users] Starting clamd at boot time

2007-03-09 Thread Daniel J McDonald
On Fri, 2007-03-09 at 14:07 +0200, Souza Simbota wrote:
> I followed a guide on how I should start clamd at boot time using the script
> that is in /contrib dir. But when I try to run /etc/init.d/clamd start I get an
> error message:
> 
>  
> 
> Starting clamd: execvp: No such file or directory

Check that /etc/init.d/clamd refers to an image in the same location
that you installed it.  You might have put clamd in /usr/local/sbin, and
the init.d file might be referring to /usr/sbin, as an example.

-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com


Re: [Clamav-users] Upgrade to .90? - Update

2007-03-13 Thread Daniel J McDonald
On Mon, 2007-03-12 at 09:55 -0700, Kevin W. Gagel wrote:
> - Original Message -
> >So, it's been a few days. How is everyone feeling about the new version?
> >I've hesitated to upgrade just yet. I've seen a lot of feedback indicating
> >problems and very little about smooth and great upgrades.
> >
> >What's the general consensus - You can't upgrade fast enough or Stay
> >where you are?
> 
> Well,
> 
> It's been a week or two since I upgraded to .9.0.1 and I have not seen any
> of the problems that were reported in the .9.0 version.

Ditto.  I've been running 0.90.1 for 7 days on Mandriva Corporate Server
Linux, have scanned about 200,000 emails in that time, and only consumed
about 1 and a half hours of CPU. 

clamav    4005     1  0 Mar06 ?        01:29:23 clamd -c /etc/clamd.conf

Aside from the zip error that Nigel claims to have fixed in SVN, this
has been a near flawless upgrade.


> Thank you to all who answered my original email and to the ClamAV crew for
> the hard work you put into this effort.

-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com


RE: [Clamav-users] Re: 0.90.1 freshclam error

2007-03-13 Thread Daniel J McDonald
On Tue, 2007-03-13 at 17:55 +, Robert Isaac wrote:
> >Robert Isaac schrieb:
> >> /etc/cron.daily/freshclam:
> >> 
> >> connect(): Permission denied
> >> 
> >> What did I miss out?
> >
> >Seems as if you have notify-clamd enabled and maybe you have set wrong 
> >permissions/rights on the socket-"file".
> >
> >Sven
> 
> clamd.conf is shown 644 root:root, should it be 644 clamav:clamav?

That's not the problem. /var/lib/clamav/clamd.socket, or wherever you
have put it, is the likely issue.

-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com


Re: [Clamav-users] Problem With Upgrade From 0.88.7

2007-04-12 Thread Daniel J McDonald
On Thu, 2007-04-12 at 16:26 -0500, Jim Goode wrote:
> I am currently running version 0.88.7 on SME 6.0.1-01 (built on Red Hat
> 7.x).
> [EMAIL PROTECTED] tmp]# rpm -qa | grep clam
> clamav-es-libs-0.88.7-es01
> clamav-es-0.88.7-es01
> 
> I downloaded:
> [EMAIL PROTECTED] tmp]# ls -l *.rpm
> -rw-r--r--1 root root   779061 Mar 10 07:35
> clamav-0.90.1-4.rh7.rf.i386.rpm
[...]
> Running:
> [EMAIL PROTECTED] tmp]# rpm -Uvh clamav-db-0.90.1-4.rh7.rf.i386.rpm
> clamav-devel-0.90.1-4.rh7.rf.i386.rpm clamav-0.90.1-4.rh7.rf.i386.rpm
> clamd-0.90.1-4.rh7.rf.i386.rpm
> 
> produces the following output:
> Preparing...###
> [100%]
> file /etc/freshclam.conf from install of clamav-0.90.1-4.rh7.rf conflicts
> with file from package clamav-es-0.88.7-es01
[...]
> 
> Does this mean the upgrade is not capable of taking place?

Not precisely.

>  Do I need to
> uninstall 0.88 before installing 0.90? 

Either that, or grab the SRPM and add a few Obsoletes: lines.

> I've been through all the pages of
> the clamav wiki and most of the archives and haven't discovered any clues to
> this issue. Thanks, in advance, for whatever help you can provide,

Because it is not a clamav issue per se, rather a packaging problem.
You are replacing a package named clamav-es with a package named clamav,
and rpm doesn't realize that they are the same.  The only way it could
know would be using the Obsoletes: tag in the rpm itself, but you can
only fiddle with a specfile in a SRPM...


-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com


Re: [Clamav-users] AV server

2007-04-24 Thread Daniel J McDonald
On Tue, 2007-04-24 at 16:40 -0400, Christopher S Arnold wrote:
> I am following the faq on serving the cvd files from a local server so that 
> each client doesn’t have to download them from the clamav servers? I have 
> edited /etc/clamd.conf to say DatabaseDirectory /srv/www/htdocs/ and 
> also edited the freshclam.conf file to say the same thing. When i try to run 
> freshclam, i get this error:
> ERROR: getfile: Can't create new file ./clamav-somelonghexnumber in 
> /srv/www/htdocs/
> Hint: The database directory must be writable for UID 65 or GID 107
> ERROR: Can't download main.cvd from database.clamav.net
> LibClamAV Error: Database directory: /srv/www/htdocs not locked
> 
> How do i make the folder writable for UID 65 or GID 107? 

$user> sudo chgrp 107 /srv/www/htdocs
$user> sudo chmod g+wx /srv/www/htdocs


> And how do i lock the /srv/www/htdocs/ folder so only clamav
> and its hosts that will be downloading the DB can get to it?

In your vhost config in apache:
 >
 permit from ip.address.of.client
 permit from ip.address.of.anotherclient
 permit from ip.address.of.stillanotherclient
 deny from all



>  Thanks for any help
> 

> Chris
> 
-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com


Re: [Clamav-users] Build rpm of 0.90

2007-05-31 Thread Daniel J McDonald
On Thu, 2007-05-31 at 14:59 +0200, Salvatore wrote:
> + cp -pr AUTHORS BUGS COPYING ChangeLog FAQ INSTALL NEWS README TODO 
> /var/tmp/clamav-0.90.2-root/usr/share/doc/clamav-0.90.2
> cp: impossibile fare stat di `TODO': No such file or directory 

Remove TODO from your list of files in the %doc section and it should do
fine.

While you are at it, upgrade to 0.90.3 ;-)


-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com


[Clamav-users] scan taking too long

2007-08-03 Thread Daniel J McDonald
I've had really good success with clamav for a few  years now, but I've
had a message stuck in my queue for a week:
Aug  3 14:54:08 sa postfix/lmtp[25237]: 9A1381196:
to=<[EMAIL PROTECTED]>, relay=127.0.0.1[127.0.0.1]:10025,
delay=363983, delays=363554/0.02/0/428, dsn=4.5.0, status=deferred (host
127.0.0.1[127.0.0.1] said: 451 4.5.0 Error in processing, id=25448-06,
virus_scan FAILED: virus_scan: ALL VIRUS SCANNERS FAILED: ClamAV-clamd
av-scanner FAILED: CODE(0x804bbac) Exceeded allowed time at (eval 50)
line 309. at (eval 50) line 511.; ClamAV-clamscan av-scanner
FAILED: /usr/bin/clamscan collect_results - reading aborted: timed out
at /usr/sbin/amavisd line 2812. at (eval 50) line 511. (in reply to end
of DATA command))


There are no logs worth mentioning in clamd.log, but here they are for
the same time period:

Fri Aug  3 14:25:57 2007 -> SelfCheck: Database status OK.
Fri Aug  3 14:55:58 2007 -> SelfCheck: Database status OK.
Fri Aug  3 15:09:02 2007
-> /var/lib/amavis/tmp/amavis-20070803T150749-27061/parts/p002:
Worm.Mydoom.AV FOUND
Fri Aug  3 15:25:59 2007 -> SelfCheck: Database status OK.
Fri Aug  3 15:26:51 2007
-> /var/lib/amavis/tmp/amavis-20070803T152640-28273/parts/p001:
HTML.Phishing.Pay-203 FOUND


The message contains a pdf:
[]$ sudo postcat -q 9A1381196 | grep Content-Type:
Content-Type: multipart/mixed;
Content-Type: multipart/alternative;
Content-Type: text/plain;
Content-Type: text/html;
Content-Type: application/pdf;


It appears to be rather large:
[]$ sudo postcat -q 9A1381196 | wc
 118520  118856 9113939

And it takes a long time when run interactively:
[]$ sudo postcat -q 9A1381196 | clamscan -
stdin: OK

--- SCAN SUMMARY ---
Known viruses: 142140
Engine version: 0.91.1
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 25.20 MB
Time: 488.716 sec (8 m 8 s)

from the content, it appears to be marketing anyway, so it's not
critical, but advice on what to do with it would be appreciated.

-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com


Re: [Clamav-users] Non-Windows Malware

2008-12-08 Thread Daniel J McDonald

On Sat, 2008-12-06 at 17:29 -0800, Dennis Peterson wrote:
> Derek Currie wrote:
> > On Dec 6, 2008, at 12/06, 7:26 PM, Dennis Peterson wrote:
> > 
> >> There is
> >> no naming standard.
> > 
> > Again with the misinformation. There is, in fact, a naming standard,

Prove it.

> > and an organization designated to provide those names. Whether an  
> > anti-malware provider chooses to use the official name is up to them.
> > 
> > I'll let you find that standardized naming organization on your own.  
> > Homework.
> > 
> > Sheesh. Must be a low pressure day..
> 
> I have a bad feeling you're referring to CME.

Probably not, there is only one OSX virus listed on CME, CME-4 is known
to clamav as Trojan.Leap.A.  The project has also been dead for two
years.

Now, back on topic.  I'm certain that if I were to submit a copy of the
W.A.N.K worm, that the clamav people would be happy to create a
signature and distribute it, even though there probably hasn't been a
production Vax/VMS system susceptible to it in a decade.  It's not a
lack of desire for OSX malware, merely a lack of samples.  And the
sample submission process is well known - you can submit samples
straight to the clamav project, or to virustotal, or jotti.
-- 
Dan McDonald, CCIE #2495, CISSP# 78281, CNX
www.austinenergy.com


Re: [Clamav-users] test for SafeBrowsing?

2009-03-17 Thread Daniel J McDonald
On Tue, 2009-03-17 at 16:59 +0200, Török Edwin wrote:
> On 2009-03-17 16:57, McDonald, Dan wrote:
> > On Tue, 2009-03-17 at 14:08 +, Steve Basford wrote:
> >   
> >>> Is there a test string I can use to see if the SafeBrowsing code is
> >>> working properly?  I've just set up 0.95RC2 with SafeBrowsing enabled.
> >>> I've sent an EICAR and detected that, and scanned
> >>> the /usr/share/doc/clamav-0.95/test/ directory to find ClamAV-Test-File,
> >>> but I would like to see a SafeBrowsing hit
> >>>   
> >> Does this email work?... (the site in the url is down but still in the 
> >> list)
> >>
> >> http://pastebin.com/m13232c54

> >
> > I replaced the URL with one from the stopbadware.org topten that showed
> > up on http://www.google.com/safebrowsing/diagnostic?site=http://
> > That e-mail was passed through to my mailbox.
> >   
> 
> Try using  for the URL.

Ok, that works:
Tue Mar 17 11:06:48 2009
-> /var/lib/amavis/tmp/amavis-20090317T040537-05454/parts/p002:
Safebrowsing.Suspected-malware_safebrowsing.clamav.net FOUND


> 
> Best regards,
> --Edwin

Re: [Clamav-users] test for SafeBrowsing?

2009-03-30 Thread Daniel J McDonald
On Sat, 2009-03-28 at 17:03 +, Mark wrote:
> -Original Message-
> From: clamav-users-boun...@lists.clamav.net 
> [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of McDonald, Dan
> Sent: donderdag 19 maart 2009 15:14
> To: clamav-users@lists.clamav.net
> Subject: Re: [Clamav-users] test for SafeBrowsing?
> 
> I tried all topsites URLs from http://www.stopbadware.org/home/topsites,
> but I can't get any URL to match. :(

Were you putting the URL's in bare, or enclosing them in  ?

Apparently, clamav has trouble finding bare uris.

I managed to find 3 hits in the wild last week, out of about 181,000
messages.  The messages were all identical

> 
> You'd think someone at Google had the foresight to provide a test-URL.

-- 
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com



Re: [Clamav-users] ClamAV vs Commercial Products

2003-12-01 Thread Daniel J McDonald
On Mon, 2003-12-01 at 14:00, Joshua French wrote:
> Hello,
> 
> I am trying to find out the difference(s) between ClamAV's virus db and
> any given commercial product.  In the latter, I've noted that they have
> covered 70-80k viruses, whereas ClamAV has somewhere around 10k in its
> definitions.
> 
> Is this an apples and oranges comparison? 
Not really.  Maybe Granny-Smiths and Romes, but certainly it is the
correct order of magnitude.

The difference is in the aim of the product.  ClamAV is focused
primarily on e-mail-borne viruses.  It specializes in providing
signatures for fast-breaking-havoc-producing viruses, and doesn't have a
lot of the historical DOS boot sector type viri.  

For completeness sake, they will eventually be added.
As a priority, I hope the viri database administrators will concentrate
on late-breaking viri and leave the historical oddities for when they
are bored.
>  Does ClamAV's 10k not include
> variants in its numbers, but does in fact cover them?
> 
> If anyone can provide some info regarding this, that would be most
> appreciated.

-- 
Daniel J McDonald <[EMAIL PROTECTED]>
Austin Energy



___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users


Re: [Clamav-users] virus FOUND stats

2003-12-16 Thread Daniel J McDonald
On Tue, 2003-12-16 at 07:25, Sancho2k.net Lists wrote:
> Fisher wrote:
> 
> > I use mrtg to record the traffic of the viruses and spam. Have not 
> > tested yet but looks working.
> 
> Do you have scripts you could share?
> 
> For that matter, does anybody?
I use the following  cron job to keep track of viruses caught by Clamav
using amavis-new:
0 12 * * 1-5 grep -o -P 'INFECTED.+?\)' /var/log/mail/info | sort | uniq
-c | /bin/mail -s "`uname -n` weekly virus counts" 

I have not yet written anything to pull those stats into mrtg.

What I'd really like would be the stats that I get from pflogsum tossed
into mrtg.  If anyone has a relatively fast way of doing those sorts of
stats, please let me know.
> 
> DS
> 
> > 
> > Internet Helpdesk wrote:
> > 
> >> Does someone already have a script that tallies up the viri found 
> >> according
> >> to the clamd log file & prints the number found during a time period & 
> >> also
> >> reports the top 5 or top 10 for that time period?
> >>
> >> I'll come up with one myself, if needed of course, but no sense in
> >> re-inventing the wheel, right?
> >>
> >> -Troy
-- 
Daniel J McDonald <[EMAIL PROTECTED]>
Austin Energy
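
The tally asked for earlier in this thread (detections per period plus a top-N list from the clamd log), as an added example that is not part of the original posts. It parses `... -> path: Name FOUND` lines as they appear in clamd.log rather than the amavis mail log used by the cron job above; the sample log lines are constructed, and the function names and the optional period filter are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): count detections in a clamd log and
# list the most frequent signature names.

# top_detections LOG [N] [PERIOD]
#   LOG     clamd log file
#   N       how many names to print (default 10)
#   PERIOD  optional substring of the timestamp, e.g. "Aug  4"
# Output: "COUNT NAME" lines, highest count first, ties sorted by name.
top_detections() {
    log=$1
    n=${2:-10}
    period=${3:-}
    awk -v period="$period" '
        $NF != "FOUND" { next }               # only detection lines
        {
            arrow = index($0, " -> ")         # timestamp ends at the arrow
            if (arrow == 0) next
            if (period != "" && index(substr($0, 1, arrow - 1), period) == 0)
                next
            count[$(NF - 1)]++                # signature name precedes FOUND
        }
        END { for (name in count) print count[name], name }
    ' "$log" | LC_ALL=C sort -k1,1nr -k2,2 | head -n "$n"
}

# total_detections LOG [PERIOD]: number of FOUND lines in the period.
total_detections() {
    top_detections "$1" 1000000 "${2:-}" | awk '{ s += $1 } END { print s + 0 }'
}

# Constructed sample log in the clamd.log format (paths are illustrative).
write_sample_log() {
    cat > "$1" <<'EOF'
Fri Aug  3 14:25:57 2007 -> SelfCheck: Database status OK.
Fri Aug  3 15:09:02 2007 -> /var/lib/amavis/tmp/amavis-A/parts/p002: Worm.Mydoom.AV FOUND
Fri Aug  3 15:26:51 2007 -> /var/lib/amavis/tmp/amavis-B/parts/p001: HTML.Phishing.Pay-203 FOUND
Sat Aug  4 09:10:11 2007 -> /var/lib/amavis/tmp/amavis-C/parts/p002: Worm.Mydoom.AV FOUND
Sat Aug  4 09:12:40 2007 -> /var/lib/amavis/tmp/amavis-D/parts/p003: Worm.Mydoom.AV FOUND
EOF
}

demo() {
    log=$(mktemp) || return 1
    write_sample_log "$log"
    echo "Total detections: $(total_detections "$log")"
    echo "Top 5:"
    top_detections "$log" 5
    rm -f "$log"
}
demo
```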





RE: [Clamav-users] pretty basic question - clamscan vs clamdscan

2004-01-09 Thread Daniel J McDonald
On Fri, 2004-01-09 at 12:18, Jim Maul wrote:
> > On Fri, 9 Jan 2004 [EMAIL PROTECTED] wrote:
> >
> > > i installed clamav via the instructions quite a long time ago.
> > i run it via
> > > qmail-scanner. clamd is running, and messages are scanned by
> > clamscan. so
> > > where does clamdscan come in?? there's very little mention of
> > clamdscan in
> >
> > Use clamdscan instead of clamscan to have mail scanned by clamd.
> >
> 
> The difference between up and down is that one is up and one is down.
> Very profound, and not very helpful.  Why bother answering if the answer
> in no way provides any explanation?

I don't believe the previous responder answered without giving
sufficient information, but try this:  clamd loads the virus database
once and provides back-end support to clamdscan, irrespective of how
many times clamdscan is invoked.  clamscan has to parse the virus
database each time clamscan starts up.

-- 
Daniel J McDonald <[EMAIL PROTECTED]>
Austin Energy





Re: [Clamav-users] type of viruses being added to database

2004-01-12 Thread Daniel J McDonald
On Mon, 2004-01-12 at 12:20, jef moskot wrote:
> On Mon, 12 Jan 2004, Tomasz Papszun wrote:
> > Added are viruses which users submitted to us :-) .  Or found by us.
> 
> Well, yes, obviously, but could you maybe take a recent representative
> update and give us an idea of what the added viruses are like?  Just so
> that we get an approximate feeling of what's going on.

are you on the clamav-virusdb mailing list?  That would let you know
pretty quickly.
Tomasz Kojm sent out an update on Saturday with about 200 old viruses
(main 15)
Denis De Messemacker sent out an update of about 50 newer viri (daily
84)
Diego d'Ambra sent out an update of 5 hot viruses (Dropper.Xombe.A,
Trojan.Xombe.A, HTML_CITIFRAUD.A, and another damaged Swen) (daily 83).


> 
> For example, you mentioned that the newest threats are added the most
> quickly, but I don't know if the last time you added an ancient virus was
> today or six months ago.
> 
> I'm not asking for precise figures, just something a little more concrete
> than "we add old and new viruses".
> 
> Jeffrey Moskot
> System Administrator
> [EMAIL PROTECTED]
> 
> 
-- 
Daniel J McDonald <[EMAIL PROTECTED]>
Austin Energy





Re: [Clamav-users] problem in updating virus db

2004-01-13 Thread Daniel J McDonald
On Tue, 2004-01-13 at 07:41, Abyot Asalefew wrote:
> I have installed gmp-4.1.2 for 32 bit ABI support according to clamav 
> documentation.

You also need libgmp-devel, or whatever the development library package
is called on your distribution (on Mandrake it is libgmp3-devel) . 
After that is installed you have to recompile the freshclam binary.

> 
> 
> - Original Message -
> From: Peter Bonivart <[EMAIL PROTECTED]>
> Date: Monday, January 12, 2004 9:20 pm
> Subject: Re: [Clamav-users] problem in updating virus db
> 
> > I'm just wondering if you have GMP on your machine? It's needed to 
> > verify the signatures of the new database files introduced with 0.65.
> > 
> > /Peter Bonivart

-- 
Daniel J McDonald <[EMAIL PROTECTED]>
Austin Energy





Re: [Clamav-users] Trying to revert to v0.60 because I can't use v0.65

2004-01-13 Thread Daniel J McDonald
On Tue, 2004-01-13 at 12:16, Lloyd Albin wrote:
> . When I
> tried reverting to clamav 0.60 it catches the viruses until you do the
> first freshclam and then it won't catch any viruses using qmail-scanner
> but it will catch them from the shell prompt using clamscan. If I do a
> make install, it then starts catching viruses again. How do I fix this?


Make certain you remove all of the 6.5 freshclam binaries.  They are
installed in a different place now, and your path may be finding the 6.5
one before the 6.0 one.
-- 
Daniel J McDonald, CCIE 2495, CNX
Austin Energy






Re: [Clamav-users] Logrotate won't restart clamd

2004-02-02 Thread Daniel J McDonald
On Mon, 2004-02-02 at 07:27, Tomasz Papszun wrote:
> On Mon, 02 Feb 2004 at 14:03:55 +0100, Krištof Petr wrote:
> > Tomasz Kojm wrote:

> The current logfile is _moved_ to other filename, not removed (deleted).
Initially, yes, but a SIGHUP is done to make the application re-open the
log files.  Then the original log file is compressed, which essentially
deletes the old file.
-- 
Daniel J McDonald, CCIE 2495, CNX
Austin Energy






[Clamav-users] freshclam as non-privileged user?

2004-02-12 Thread Daniel J McDonald
Prior to upgrading to clamav 0.66, I have been running freshclam with
the same unprivileged user that runs clamd.  However, it has stopped
working:
[EMAIL PROTECTED] clamav]$ freshclam
ERROR: LOGGER: Can't open file /var/log/clamav/freshclam.log to write.
ERROR: Problem with internal logger.
[EMAIL PROTECTED] log]$ exit
[EMAIL PROTECTED] clamav]# freshclam
ClamAV update process started at Thu Feb 12 17:07:24 2004
Reading CVD header (main.cvd): OK
main.cvd is up to date (version: 19, sigs: 19987, f-level: 1, builder:
ddm)
Reading CVD header (daily.cvd): OK
Downloading daily.cvd [*]
daily.cvd updated (version: 127, sigs: 688, f-level: 1, builder: tkojm)
Database updated (20675 signatures) from database.clamav.net
(152.66.249.132).
Clamd successfully notified about the update.
[EMAIL PROTECTED] clamav]#

Root has no problem.  Is that limitation by design or accident?
-- 
Daniel J McDonald, CCIE 2495, CNX
Austin Energy






Re: [Clamav-users] freshclam as non-privileged user?

2004-02-13 Thread Daniel J McDonald
On Thu, 2004-02-12 at 18:24, Jim Maul wrote:
> > Prior to upgrading to clamav 0.66, I have been running freshclam with
> > the same unprivileged user that runs clamd.  However, it has stopped
> > working:
> > [EMAIL PROTECTED] clamav]$ freshclam
> > ERROR: LOGGER: Can't open file /var/log/clamav/freshclam.log to write.
> > ERROR: Problem with internal logger.
> >
> 
> does the "unprivileged user" have access to write to /var/log/clamav/ ??
> 

Nope.  It did not have write permission under 0.65 either.
-- 
Daniel J McDonald <[EMAIL PROTECTED]>
Austin Energy





Re: [Clamav-users] freshclam as non-privileged user?

2004-02-13 Thread Daniel J McDonald
On Fri, 2004-02-13 at 08:22, Nigel Horne wrote:
> On Friday 13 Feb 2004 1:58 pm, Daniel J McDonald wrote:
> 
> > > does the "unprivileged user" have access to write to /var/log/clamav/ ??
> >
> > Nope.  It did not have write permission under 0.65 either.
> 
> 0.65 did not correctly drop privileges, so it tended to run as root at many sites.
> This has been fixed in 0.66

Ok.  I'll twiddle Mandrake's MSEC so it won't trample the owner of the
file and allow it to write logs as the non-privileged user.  That
probably needs to be added to the SPEC file for the RPM as well, but I
don't know enough about RPM building to do that.
-- 
Daniel J McDonald <[EMAIL PROTECTED]>
Austin Energy





Re: [Clamav-users] clamav-virusdb dead?

2004-02-19 Thread Daniel J McDonald
On Thu, 2004-02-19 at 10:27, Jesper Juhl wrote:
> Hi,
> 
> I just went to
> http://sourceforge.net/mailarchive/forum.php?forum=clamav-virusdb and
> received the message

> Either your mailing list name was misspelled or your mailing list has not
> been archived yet. If this list has just been created, please retry in 2-4
> hours

Sourceforge's mail lists have been a little flaky lately - I've seen
that on multiple projects.  I am getting updates about new virus
signatures, so I don't think that is the issue.

> 
> 
> Has the list been closed?
> 
> 
> /Jesper Juhl
> 
> 
> 
-- 
Daniel J McDonald <[EMAIL PROTECTED]>
Austin Energy





Re: [Clamav-users] pipechk: [kegger:clamav-virus-list] (fwd)

2004-03-15 Thread Daniel J McDonald
On Mon, 2004-03-15 at 14:20, [EMAIL PROTECTED] wrote:
> Has the Ladmar.A virus been merged as a different virus?  The count went 
> down by 1 and Ladmar was removed.  Any ideas?

It's been picking up false positives.
-- 
Daniel J McDonald <[EMAIL PROTECTED]>
Austin Energy





Re: [Clamav-users] Bagle.N Virus cannot be detected by localclamscan

2004-03-15 Thread Daniel J McDonald
On Mon, 2004-03-15 at 15:49, redragon wrote:
> forgive me if this sounds silly.
> 
> I completely understand the problem with the password protected archives but
> would like to make a suggestion.
> 
> Can we take confirmed protected zips and md5sum them and have that sum added
> to av database?

Nope.  Each zip file is created on the fly and encrypted with a random
password.

-- 
Daniel J McDonald <[EMAIL PROTECTED]>
Austin Energy





[Clamav-users] freshclam and long DNS responses

2004-03-22 Thread Daniel J McDonald
Just a heads up to all of you paranoid folks who don't allow TCP based
DNS queries from your mail servers:  The record for database.clamav.net
is now too big to fit in a UDP response, so you will have to open up tcp
to your DNS servers in order to resolve it and find a mirror for
freshclam to work.
-- 
Daniel J McDonald <[EMAIL PROTECTED]>
Austin Energy





Re: [Clamav-users] Spam/Virus stats using mrtg

2004-04-02 Thread Daniel J McDonald
On Fri, 2004-04-02 at 14:47, Chris Meadors wrote:
> On Fri, 2004-04-02 at 14:33 -0500, John Madden wrote:
> 
> > > #!/bin/sh
> > > VIRCOUNT=`grep -c FOUND /wherever/is/your/clamd.log`
> > 
> > I blend in a little perl to print per-virus totals sorted by name:
> > 
> > grep VIRUS /var/log/messages | perl -e 'while(<>){ $_ =~ /VIRUS:(.*)\)/;
> > $v = $1; $hash{$v}++;} foreach $x (sort(keys(%hash))){ print "$x:
> > $hash{$x} \n";}'
> > 
> > (Note that this is taken from syslog while using amavisd, not clamd's log.)
> 
> Here is one for the clamd.log in just shell, Perl would probably handle
> this a bit better, and not have to run through the file for every virus
> name, but this works for me:
> 
> for VIRUS in $(grep FOUND clamd.log | cut -d ':' -f 4 | cut -d ' ' -f 2 | sort | uniq); do
>   echo -n "$VIRUS: "
>   grep -c "$VIRUS" clamd.log
> done

Seems a tad repetitive:
grep FOUND clamd.log | cut -d \  -f 2 | sort | uniq -c

I'm sure someone could swap the final order for you...

-- 
Daniel J McDonald <[EMAIL PROTECTED]>
Austin Energy
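
Added example, not part of the thread: a single-pass version of the per-virus counts discussed above. It assumes clamd logs detections as "<path>: <signature> FOUND", with or without a leading timestamp; the sample log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): per-signature detection counts
# from a clamd log, in one pass over the file.
# Assumption: detections are logged as "<path>: <signature> FOUND",
# optionally prefixed by "<timestamp> -> ".

# Constructed sample log; paths and timestamps are made up.
sample_log() {
    cat <<'EOF'
Fri Apr  2 14:01:07 2004 -> /tmp/scan/msg-001: Worm.SomeFool.P FOUND
Fri Apr  2 14:02:11 2004 -> /tmp/scan/msg-002: Worm.SomeFool.Q FOUND
/tmp/scan/msg 003 FOUND.eml: Worm.SomeFool.P FOUND
Fri Apr  2 14:05:00 2004 -> SelfCheck: Database status OK.
Fri Apr  2 14:06:40 2004 -> /tmp/scan/a:b.eml: Worm.Bagle.AG FOUND
Fri Apr  2 14:07:02 2004 -> /tmp/scan/msg-004: OK
EOF
}

count_detections() {
    # $1 = log file, or nothing / "-" for standard input.
    # Prints "<count> <signature>", highest count first, ties by name.
    awk '
        # Only lines whose last field is FOUND are detections. The
        # signature is the field before it, wherever the path ends, so
        # spaces or colons in file names do not shift the result.
        NF >= 3 && $NF == "FOUND" { hits[$(NF - 1)]++ }
        END { for (sig in hits) printf "%d %s\n", hits[sig], sig }
    ' "${1:--}" | LC_ALL=C sort -k1,1nr -k2,2
}

# Demo on the constructed log.
sample_log | count_detections
```

Because the signature is taken relative to the end of the line, the same function works on logs written with and without timestamps.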





Re: [Clamav-users] Worm.SomeFool.R - what happened to Q?

2004-04-02 Thread Daniel J McDonald
On Fri, 2004-04-02 at 16:53, B.K. DeLong wrote:
> Did we skip from SomeFool.P to SomeFool.R ? What happened to SomeFool.Q ?

After getting level 1 alerts from Homeland Security on SomeFool.Q, I
received about 6 per day at this electric utility with 1400 mailboxes. 
Meanwhile, SomeFool.P, for which there was no alert, cranked in about
100 per day.  Naturally, clamav caught them all.

-- 
Daniel J McDonald, CCIE 2495, CNX
Austin Energy






Re: [Clamav-users] Re: Don't Understand

2004-04-06 Thread Daniel J McDonald
On Tue, 2004-04-06 at 02:45, Rmi Goyard wrote:
> Thanks guys
> Now Clamav seems to work.
> I'm trying now use it with Amavisd-new 

The easiest thing to do is to run amavis-new and clamd under the same
user.  Since you will upgrade clamav more often than amavis, it's
probably easiest to run the amavis daemon as clamav rather than the
other way around.

> and when i start amavisd in debug
> mode, i try to send a test email using telnet on 10024 i've got an error
> that tell me can't access the file in the /var/lib/amavis/tmp directory,
> ownership of this directory is set to user/group amavis.
> Do my clamav user/group have to have a read access on this directory, if yes
> could you tell me how to set it .
> And then as i think i have to learn more on how to define rights under a
> linux system, could you tell me a good tutorial of this.
> thanks before.

-- 
Daniel J McDonald <[EMAIL PROTECTED]>
Austin Energy





Re: [Clamav-users] clamav.conf

2004-04-09 Thread Daniel J McDonald
On Fri, 2004-04-09 at 06:28, Mike van Vugt wrote:
> Hello,
> 
> Keep getting the message below over and over again. 

Have you edited /etc/clamav/clamav.conf?  Lots of important things there
you need to set up.

> I am new to Linux
> and having a hard time to get this working. I want to uninstall Clamav
> and start over again. Can anyone tell me how to uninstall???

How did you install it the first time?  If you used an RPM - just 
# rpm -e clamav
If you installed from source, then you'll have to hunt down the pieces
and pull them out.

-- 
Daniel J McDonald <[EMAIL PROTECTED]>
Austin Energy





Re: [Clamav-users] Problems after upgraded to 0.70-1 (from 0.70-rc1)

2004-04-19 Thread Daniel J McDonald
On Mon, 2004-04-19 at 10:13, Mimmus wrote:
> I currently use Sendmail+ClamAV+Sendmail Milter.
> I just upgraded to 0.70-1 from 0.70-rc1, using RPM packages, but many
> viruses are going through.
> 
> Is there any basic configuration I'm missing?

Whenever you upgrade clamav, you must immediately run freshclam.
> 
> Thanks
> Mimmus
> 
> 
> 
> 
> 
-- 
Daniel J McDonald <[EMAIL PROTECTED]>
Austin Energy





Re: [Clamav-users] Recommendation RedHat replacement

2004-05-10 Thread Daniel J McDonald
On Mon, 2004-05-10 at 13:57, Bora wrote:
> Sorry, this may not be appropriate to post here, but I know many of you are
> using RH and are figuring new options as they are no longer offering free
> download for RH 7, 8 and 9.
> 
> So the question is do you recommend moving to? SuSE, Mandrake? I want to use
> something similar so I don't have to learn new tools and admin task.

Mandrake is very similar, but be certain to read about MSEC, as it will
surprise you ("but, I *know* I changed the permission on that file, just
1 hour ago...  Oh, MSEC changed it for me...")

You could also go for whitebox linux 
> 
> Thanks,
> BK
> 
> 
> 
-- 
Daniel J McDonald <[EMAIL PROTECTED]>
Austin Energy





Re: [Clamav-users] clamav and postfix

2004-04-29 Thread Daniel J McDonald
On Thu, 2004-04-29 at 12:33, Faustino Benitez wrote:
> Hi:
> 
> I have a question about the setup of clamav and postfix:
> 
> Use two instances of postfix is the only way to integrate clamav with
> postfix?

No, you can run amavis-new and have one instance with two sets of
options.

Or, theoretically, you can run the most recent postfix with the
amavis-agent, which supposedly has milter-like properties.  I'm not
inclined to go that route.

The nice thing about running through postfix twice is that you get to
accept mail with a 250 OK and then toss them in the trash.  Very handy
for both viri and spam.
> 
> Thanks.
> 
> fausto
> 
> 
> 
-- 
Daniel J McDonald <[EMAIL PROTECTED]>
Austin Energy





Re: [Clamav-users] clamav and postfix

2004-04-29 Thread Daniel J McDonald
On Thu, 2004-04-29 at 14:26, jjolet wrote:
> check out amavis-new.  it's what I use.  runs clam and spamassassin on 
> every mail.  Note, this is my home server, VERY low volume.  I'm not 
> sure what load would look like on a heavily loaded system

I do about 20K mails/day through my amavis-new box, about half of which
is SPAM or viral; load average is 0.2

clamd helps a lot.
-- 
Daniel J McDonald <[EMAIL PROTECTED]>
Austin Energy





Re: [Clamav-users] oops....

2004-04-30 Thread Daniel J McDonald
On Fri, 2004-04-30 at 12:21, Ken Goods wrote:
> Should have said I'm running clamav-0.70rc-1.i386.rpm Is there a newer
> version than this?
>  

Yes, clamav-0.70 (not the release candidate) is out.  
-- 
Daniel J McDonald <[EMAIL PROTECTED]>
Austin Energy





Re: [Clamav-users] freshclam without 'net access?

2004-05-03 Thread Daniel J McDonald
On Mon, 2004-05-03 at 15:12, Steve Brorens wrote:
> Some of the boxes I have running ClamAV will be behind behind
> restrictive firewalls. 
> They receive smtp email, and can do DNS calls, but have no http/80
> access to the 
> internet. I *do* have ssh access though from the outside, and could
> schedule a task 
> to ssh in twice daily...
> 
> How would you update the clam db in this case?

Run freshclam on a machine that does have www access from a cron job,
say at 47 minutes past the hour on odd hours. Schedule an rsync with the
filter box at 57 minutes past the hour.  On the hour clamd will check to
see if the .cvd files have changed - just in case freshclam failed to
notify clamd for whatever reason.

sample crontab entries:
47 1-23/2 * * * freshclam --quiet
57 1-23/2 * * * rsync -rtlzqe ssh --delete /var/lib/clamav/*.cvd filter.ip.addr:/var/lib/clamav/

-- 
Daniel J McDonald, CCIE 2495, CNX
Austin Energy






Re: [Clamav-users] Numbers of viruses

2004-05-04 Thread Daniel J McDonald
On Tue, 2004-05-04 at 10:46, Russ Phillips wrote:
> Hi,
> 
> I have a query. Most commercial AV software claims to catch something 
> like 70,000+ viruses. On the other hand, ClamAV claims to catch 20,000+ 
> viruses.
> 
> Why the difference? Is it because McAfee, Sophos et al consider each and 
> every variant to be a different virus, and ClamAV doesn't?
Not often.
>  Or does 
> ClamAV not detect some older viruses? Or something else?

ClamAV has not been focusing on detecting older viruses.  Instead, it is
ideal for detecting late-breaking and fast-spreading
viruses/worms/trojans and what-not.

The clamav team has been making great strides in picking up the older
viruses - they recently released (.07-rc1) an OLE engine to detect macro
viruses, and they added two new signature writers to work on the backlog
of macro-viruses in their library.

I don't think clamav will ever get completely "caught up" with the old,
but they will detect most of the new outbreaks before anyone else.
> 
> I ask because I'm planning to deploy ClamAV at work, and I want to be 
> able to give my boss an honest answer when he asks (as he's bound to) 
> why ClamAV doesn't catch as many viruses as McAfee.
> 

-- 
Daniel J McDonald <[EMAIL PROTECTED]>
Austin Energy





Re: [Clamav-users] not in gzip format

2004-07-02 Thread Daniel J McDonald
On Fri, 2004-07-02 at 08:13, ghooton wrote:
> When I try to install clamav I get the following :
> [EMAIL PROTECTED] ~]$ zcat clamav-0.74.tar.gz | tar xvf -
>  zcat: clamav-0.74.tar.gz: not in gzip format

Some browsers automatically gunzip files when you download them.
-- 
Daniel J McDonald, CCIE 2495, CNX
Austin Energy






Re: [Clamav-users] ClamAV upgrade

2004-07-02 Thread Daniel J McDonald
On Fri, 2004-07-02 at 12:06, Tony Chang wrote:
> I was wondering if there were any particular issues I should be
> concerned with when upgrading clam from 0.65 on FreeBSD 4.8 to 0.74.

Make certain that either the old libraries/binaries are deleted or
overwritten.  Lots of folks have problems because the binaries have
ended up in different parts of the search path and sometimes an old one
pops up instead of the current one.

>   Is
> this a relatively pain free process?  I will be making backups of
> everything, but this will be the first time I've done anything with clam
> in a production environment, so I'd still like any advice anyone is
> willing to provide.

If it were me, I'd do a make uninstall for 0.65 first, then a make
install for 0.74.  Since I've got an RPM based system now, it does that
for me, but when building from source that's the cleanest way to make
certain you don't have any 0.65 flotsam lying about.

Always run freshclam after the upgrade before you start the mail daemon!



-- 
Daniel J McDonald <[EMAIL PROTECTED]>
Austin Energy
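
Added example, not part of the thread: a check for the stale-binary problem described in this message and in the earlier reply about reverting to 0.60, where an old copy earlier in the search path shadows the one just installed. It assumes the programs print a version banner for --version; the program names are the ones mentioned in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): find every copy of a ClamAV
# program on the search path after an upgrade or downgrade.

find_copies() {
    # $1 = program name, $2 = search path (default: $PATH).
    # Prints each executable match, one per line, in lookup order.
    prog=$1
    search=${2:-$PATH}
    old_ifs=$IFS
    IFS=:
    set -f                      # no globbing while splitting the path
    for dir in $search; do
        [ -n "$dir" ] || dir=.  # an empty entry means the current directory
        if [ -f "$dir/$prog" ] && [ -x "$dir/$prog" ]; then
            printf '%s\n' "$dir/$prog"
        fi
    done
    set +f
    IFS=$old_ifs
}

check_program() {
    # Reports each copy with its version banner.
    # Returns 1 when more than one copy is reachable, 0 otherwise.
    copies=$(find_copies "$1" "${2:-$PATH}")
    if [ -z "$copies" ]; then
        printf '%s: not found\n' "$1"
        return 0
    fi
    n=0
    while IFS= read -r copy; do
        n=$((n + 1))
        # Assumption: the program prints its version for --version.
        ver=$("$copy" --version 2>/dev/null </dev/null | head -n 1)
        if [ "$n" -eq 1 ]; then state=active; else state=shadowed; fi
        printf '%-8s %s [%s]\n' "$state" "$copy" "${ver:-version unknown}"
    done <<EOF
$copies
EOF
    [ "$n" -le 1 ]
}

# Check the programs named in the thread against the current $PATH.
for p in freshclam clamscan clamd; do
    check_program "$p" || printf 'WARNING: several copies of %s\n' "$p"
done
```

Run it as the same user, and with the same PATH, that the mail scanner and the freshclam cron job use, since that is the lookup that matters.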





RE: [Clamav-users] ClamAV upgrade

2004-07-06 Thread Daniel J McDonald
On Tue, 2004-07-06 at 12:23, Tony Chang wrote:
> Hey Guys,
> 
> Thanks a lot for all the help.  I'm kind of running into a brain freeze
> here (not enough coffee).  I've deinstalled, and then re-installed
> clamav.  Everything looks fine, the right processes are started.  Is
> there a manual way of testing whether or not clamd and freshclam are
> working?  I'm on a secondary MX, and taking down the primary MX to test
> this isn't feasible.  I just need to verify that freshclam is indeed
> getting new definitions, and clamd is indeed checking files for viruses.

If you built it from source, there are some sample viruses on the test
subdirectory.  And EICAR is pretty easy to find on the web.

> 
> I've tried using mutt, both from command line and interactive mode.
> However, neither of my attempts show up in exim's mainlog, or clamd.log.

Telnet to the box on port 25, like so:
[EMAIL PROTECTED] telnet localhost 25
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
220 mj.obfuscated.com ESMTP
helo mj.obfuscated.com
250 mj.obfuscated.com
mail from: <[EMAIL PROTECTED]>
250 Ok
rcpt to: <[EMAIL PROTECTED]>
250 Ok
data
354 End data with .
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Manual Test
 
$CEl... Your test virus here.
.
250 Ok: queued as B4256187515
quit
221 Bye
Connection closed by foreign host.

Then check your logs.

-- 
Daniel J McDonald <[EMAIL PROTECTED]>
Austin Energy





Re: [Clamav-users] Freshclam - bizarre behaviour

2004-07-12 Thread Daniel J McDonald
On Mon, 2004-07-12 at 15:04, Brian Morrison wrote:
> After a hiccough with connectivity where I needed to change the
> resolv.conf server order and subsequently reverse it, I found that
> freshclam was failing with an error like this:
> 
> ERROR: Connection with clamav.database.net (IP: ???) failed.

The A rr for database.clamav.net is too big to fit in a UDP datagram, so
your DNS server has to allow TCP based queries in order to resolve the
name.

-- 
Daniel J McDonald, CCIE 2495, CNX
Austin Energy






Re: [Clamav-users] Freshclam - bizarre behaviour

2004-07-13 Thread Daniel J McDonald
On Mon, 2004-07-12 at 17:10, Brian Morrison wrote:
> On Mon, 12 Jul 2004 15:59:32 -0500 in
> [EMAIL PROTECTED] Daniel
> J McDonald <[EMAIL PROTECTED]> wrote:
> 
> > On Mon, 2004-07-12 at 15:04, Brian Morrison wrote:
> > > ERROR: Connection with clamav.database.net (IP: ???) failed.
> > The A rr for database.clamav.net is too big to fit in a UDP datagram,
> > so your DNS server has to allow TCP based queries in order to resolve
> > the name.
> Ah right. Well I run bind here, but I don't explicitly tell it to allow
> TCP queries, at least not that I know about :)

No, but you might have to check your firewall rules, both on the DNS
server and externally protecting it...

-- 
Daniel J McDonald, CCIE 2495, CNX
Austin Energy
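
Added example, not part of the thread: a way to confirm the condition described in this reply and in the earlier "freshclam and long DNS responses" post, namely a UDP answer that comes back truncated and a TCP retry that a firewall may be dropping. It uses standard dig options; the function names and the sample dig header are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): detect a DNS answer that was
# truncated over UDP, then confirm the same query works over TCP.

sample_reply() {
    # Constructed dig header; pass "tc" to mark the reply as truncated.
    printf ';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4660\n'
    printf ';; flags: qr %s rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0\n' "${1:-}"
}

reply_truncated() {
    # Reads dig output on stdin; succeeds when the header flags contain "tc".
    awk '
        /^;; flags:/ {
            flags = $0
            sub(/^;; flags:/, "", flags)   # drop the label
            sub(/;.*/, "", flags)          # drop the counters after the flags
            n = split(flags, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "tc") tc = 1
        }
        END { exit (tc ? 0 : 1) }
    '
}

check_name() {
    # $1 = name to resolve, $2 = optional resolver address.
    # Returns 0 when the name resolves (over UDP, or over TCP after a
    # truncated UDP answer), 1 when TCP is needed but fails, 2 without dig.
    command -v dig >/dev/null 2>&1 || { echo "dig not found" >&2; return 2; }
    name=$1
    server=${2:+@$2}
    # +noedns keeps the classic 512-byte UDP limit; +ignore stops dig from
    # retrying over TCP by itself, so the tc flag stays visible.
    if dig $server +notcp +ignore +noedns +time=3 +tries=1 "$name" A | reply_truncated; then
        echo "$name: UDP answer truncated, the resolver must be reachable over TCP/53"
        if [ -n "$(dig $server +tcp +short +time=3 +tries=1 "$name" A)" ]; then
            echo "$name: TCP query answered"
        else
            echo "$name: TCP query failed, check firewall rules for TCP/53"
            return 1
        fi
    else
        echo "$name: UDP answer not truncated"
    fi
}

# Offline demo on the constructed header; on a live host run for example:
#   check_name database.clamav.net
sample_reply tc | reply_truncated && echo "constructed reply: truncated"
```

Run check_name from the mail server itself and again with the resolver's address as the second argument, so that both the host firewall and the rules in front of the DNS server are exercised.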






Re: [Clamav-users] [clamav-users]stats about clamav

2004-07-20 Thread Daniel J McDonald
On Tue, 2004-07-20 at 07:16, deborah malka wrote:


> I want to generate statistics about clamav : how many
> requests or mails infected ? 

I'm using amavis-stats, which dumps that information into a set of
rrd's, and makes very pretty graphs.

-- 
Daniel J McDonald <[EMAIL PROTECTED]>
Austin Energy





Re: [Clamav-users] Worm.Bagle.AG (or something) sending empty zip files?

2004-07-20 Thread Daniel J McDonald
On Tue, 2004-07-20 at 13:31, henry j. mason wrote:
>   greetings clamav.users;
> 
>   i use clamav 0.70-4 on debian 3.0 stable/testing, with
>   amavisd-new-20030616. one of my customers has been complaining
>   of receiving what they claim are Worm.Bagle.AG emails, but
>   when they forward them to me, they contain nothing but an
>   image file with a number in it (the 'zip password', apparently)
>   and an *empty* unencrypted zip file.

Yup.  My boss got a couple of them, then I got one.  It contains the
following:

--eugcyhgbudjduewlztxz
Content-Type: application/octet-stream; name="Doll.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Doll.zip"


--eugcyhgbudjduewlztxz--

clearly not a threat from a zero-length file.

>   clamav has been catching lots of Worm.Bagle.AG, ever since it
>   has appeared on the scene, 

I've only caught a hundred or so,  I've captured about 500 Bagle.AF.2's,
though, in the past 24 hours.

> and this is the first real report
>   i have of anything slipping by it. of course, since the zip
>   files in all cases so far have been actually empty, this does
>   not represent a serious threat, just an annoyance. indeed, i'm
>   not sure how clamav can be expected to block something that
>   does not in fact contain a virus :>

But it looks like a virus, and people get perturbed.  That was the issue
with the SCO.A-DAM worm, but this is much harder to discern, as there is
nothing that can be pulled out as a signature.

I think, in amavis-new-20040701, you can block on combinations of
attachments, so you could ban .bmp files that occur in the same e-mail
as a .zip  But I only know that from glancing through the release notes,
not any practical application or specific details.  I am putting off
playing with amavis-new-20040701 until spamassassin 3.0 is officially
released.

> 
>   has anyone else encountered this? i can easily see a poorly
>   written virus sending out botched copies of itself.

-- 
Daniel J McDonald <[EMAIL PROTECTED]>
Austin Energy





Re: [Clamav-users] libbz2?

2004-07-20 Thread Daniel J McDonald
On Tue, 2004-07-20 at 15:35, A.R.S. KA9QLQ Alvin Koffman wrote:
> Where can I get libbz2? Here's from my attempt
> 
> [EMAIL PROTECTED] Download]# [EMAIL PROTECTED] clam]# rpm -ivh *.rpm
> warning: clamav-0.74-1mdk.i586.rpm: V3 DSA signature: NOKEY, key ID d535d889
> error: Failed dependencies:
> devel(libbz2) is needed by libclamav1-devel-0.74-1mdk
> devel(libgmp) is needed by libclamav1-devel-0.74-1mdk

Why are you installing libclamav1-devel?  Are you linking other packages
to it?  I haven't needed that package yet.

> I went to mdk 10 by the way

you should be able to:
urpmi libbz2-devel libgmp-devel
and it will install automagically.
-- 
Daniel J McDonald, CCIE 2495, CNX
Austin Energy






Re: [Clamav-users] Re: Worm.Bagle.AG (or something) sending empty zip files?

2004-07-20 Thread Daniel J McDonald
On Tue, 2004-07-20 at 16:07, Tomasz Kojm wrote:
> On Tue, 20 Jul 2004 16:23:21 -0400

> You can use this signature (the latest CVS version is required):

Speaking of CVS versions - any idea when the next release of clam will
be forthcoming?  There are quite a few "latest CVS needed" signatures
now.

I'll probably rebuild my mail filters from scratch when spamassassin 3.0
is released (about two weeks to go, based on the wiki notes and the
progress in bugzilla).  If I knew where the clamav release fit into the
picture I might adjust my time frame a bit to take advantage of the next
release.
-- 
Daniel J McDonald, CCIE 2495, CNX
Austin Energy






Re: [Clamav-users] ClamAV update from .70 to .75

2004-07-23 Thread Daniel J McDonald
On Fri, 2004-07-23 at 08:52, Jeffrey Kroll wrote:
> Can someone please assist me in upgrading .70 to .75 on a production
> machine. This is the first time I have ever done this and I want to ‘
> watch ‘ someone upgrade it on my mailserver. 

The cleanest process would be:
unpack the old distribution:
    tar -zxf clamav-0.70.tar.gz
run configure:
    cd clamav-0.70
    ./configure
Unpack the new distribution:
    cd ..
    tar -zxf clamav-0.75.tar.gz
run configure:
    cd clamav-0.75
    ./configure
compile it:
    make
become root
stop qmail
stop qmailscan
uninstall the existing clamav stuff:
    cd ../clamav-0.70
    make uninstall
install the new stuff:
    cd ../clamav-0.75
    make install
restart clamd
run freshclam
start qmailscan
start qmail


There are lots of other variations, but that one will work pretty well.

> 
>  
> 
> It’s a  FreeBSD 5.2.1 with Qmail, Qmailscan, SA, ClamAV
> 
>  
> 
> ~Jeffrey Kroll
-- 
Daniel J McDonald, CCIE 2495, CNX
Austin Energy






Re: [Clamav-users] upgrade

2004-07-27 Thread Daniel J McDonald
On Tue, 2004-07-27 at 12:54, Jona Tallieu wrote:
> Just upgraded to 0.75 on OSX 10.3.
> But when I forgot the ./, I get this:
> mail:/usr/local/bin root# clamscan --version
> clamscan / ClamAV version 0.70

You probably have 0.70 installed in /usr/local/bin and 0.75 in /usr/bin

You need to remove all of the existing 0.70 before putting 0.75 in
production.
-- 
Daniel J McDonald <[EMAIL PROTECTED]>
Austin Energy





RE: [Clamav-users] ClamAV 0.75 assertion failure (reproducible)

2004-07-30 Thread Daniel J McDonald
On Fri, 2004-07-30 at 08:42, Christopher X. Candreva wrote:
> On Fri, 30 Jul 2004, Nigel Horne wrote:
> 
> >  
> > > assert(m->base64chars == 0);
> > 
> > This was fixed in 0.75-1, please update.
> 
> This might be a silly question, but does 0.75-1 have all the fixes
No, just a few critical ones.

>  from CVS ?  (Specifically the Solaris crashing ?)

That one is there:
* libclamav/mbox.c:   Fix crash when debugging on SPARC

-- 
Daniel J McDonald <[EMAIL PROTECTED]>
Austin Energy





Re: [Clamav-users] Mydoom.M

2004-07-30 Thread Daniel J McDonald
On Fri, 2004-07-30 at 14:27, Arthur Kerpician wrote:
> Hi,
> 1. I'm running ClamAV-0.73 on RH9 machine (qmail) and made all the 
> updates,

0.73 doesn't support mangled MIME encoding.  That was added in 0.75. 
You probably want to upgrade to 0.75.1 at this point.

-- 
Daniel J McDonald <[EMAIL PROTECTED]>
Austin Energy





Re: [Clamav-users] script to generate virus statistics

2004-08-02 Thread Daniel J McDonald
On Mon, 2004-08-02 at 10:15, Julio E. Gonzalez P. wrote:
> I just want to share this bash script to generate virus statistics. I 
> know it is not perfect, but it does the work.

Seems a bit extreme...
[EMAIL PROTECTED] mcdonalddj]$ crontab -l
# DO NOT EDIT THIS FILE - edit the master and reinstall.
0 12 * * 1-5 grep -o -P 'INFECTED.+?\)' /var/log/mail/info | sort | uniq -c | /bin/mail -s "`uname -n` weekly virus counts" [EMAIL PROTECTED]

I imagine it could be improved using logtail...  It gives me a heads up
at noon what's going on with viral activity.  I keep much more granular
logs using amavis-stats

-- 
Daniel J McDonald <[EMAIL PROTECTED]>
Austin Energy





Re: [Clamav-users] clamd cannot connect to Unix socket

2004-08-09 Thread Daniel J McDonald
On Mon, 2004-08-09 at 10:50, Jim wrote:
> I am using clamav daemon with amavis and I am getting a lot of these
> error messages in maill.log 
> 
> 
> 
> Aug  9 08:51:12 mail amavis[22421]: (22421-05) Clam Antivirus-clamd:
> Can't connect to UNIX socket /var/run/amavis/clamd.ctl: No such file or
> directory, retrying (3)

Is that what you have in clamd.conf?  If not, you need to change your
amavisd.conf file to match (or clamd.conf and restart clamd - whichever
they need to match)
> 
> 
> What is strange is that that even though these messages are still being
> printed clam is still working and stopping viruses

amavis tries clamdscan, if it fails it tries clamscan.

-- 
Daniel J McDonald <[EMAIL PROTECTED]>
Austin Energy
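
The mismatch suggested in the reply above can be checked mechanically. This is an added example, not part of the original thread or of either project's code: it pulls the clamd socket path out of each config file and compares them. The function names, the sample file contents and the clamd-side path are constructed assumptions; the amavisd-side path is the one from the quoted log line.

```shell
#!/bin/sh
# Added example (not from the original thread): confirm that amavisd and
# clamd are configured with the same UNIX socket path.
# Function names and sample file contents are assumptions.

# clamd_socket FILE -> print the LocalSocket path from a clamd config file.
# Commented-out settings ("#LocalSocket ...") are skipped because their
# first field is not exactly "LocalSocket".
clamd_socket() {
    awk '$1 == "LocalSocket" { print $2; found = 1; exit }
         END { exit !found }' "$1"
}

# amavis_clamd_socket FILE -> print the socket path given in the first
# uncommented CONTSCAN (clamd) scanner entry of an amavisd.conf.
amavis_clamd_socket() {
    as_path=$(grep -v '^[[:space:]]*#' "$1" |
        sed -n 's/.*CONTSCAN[^,]*,[[:space:]]*"\([^"]*\)".*/\1/p' |
        head -n 1)
    [ -n "$as_path" ] || return 1
    printf '%s\n' "$as_path"
}

# sockets_match CLAMD_CONF AMAVISD_CONF
# Returns 0 if both files name the same path, 1 if they differ,
# 2 if either path could not be found.
sockets_match() {
    sm_clamd=$(clamd_socket "$1") || return 2
    sm_amavis=$(amavis_clamd_socket "$2") || return 2
    [ "$sm_clamd" = "$sm_amavis" ]
}

# make_sample_configs DIR -> write two constructed config files that
# reproduce the mismatch behind the "Can't connect to UNIX socket" error.
make_sample_configs() {
    cat > "$1/clamd.conf" <<'EOF'
# constructed sample clamd.conf
#LocalSocket /tmp/clamd
LocalSocket /var/run/clamav/clamd.ctl
EOF
    cat > "$1/amavisd.conf" <<'EOF'
# constructed sample amavisd.conf fragment
# \&ask_daemon, ["CONTSCAN {}\n", "/tmp/old-clamd"],
['Clam Antivirus-clamd',
  \&ask_daemon, ["CONTSCAN {}\n", "/var/run/amavis/clamd.ctl"],
  qr/\bOK$/, qr/\bFOUND$/,
  qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
EOF
}

# Demo on the constructed files.
demo_dir=$(mktemp -d)
make_sample_configs "$demo_dir"
if sockets_match "$demo_dir/clamd.conf" "$demo_dir/amavisd.conf"; then
    echo "socket paths agree"
else
    echo "mismatch: clamd=$(clamd_socket "$demo_dir/clamd.conf")" \
         "amavisd=$(amavis_clamd_socket "$demo_dir/amavisd.conf")"
fi
rm -rf "$demo_dir"
```
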





Re: [Clamav-users] Idea for more timely virusdb updates

2004-08-10 Thread Daniel J McDonald
On Tue, 2004-08-10 at 12:40, Christopher X. Candreva wrote:

> If people can't check for database updates more often than once an hour, 
> then there is a pressing need.
[...]
> If only 1.3% of every update is actually needed, and people only downloaded 
> what they needed, the traffic on the mirrors would drop from 120gig/month to 
> 1.6 gig/month.
> 
> If I am completely off by a factor of 10 -- say only 10% of every update 
> is actually needed, traffic on the mirrors drops from 120gig to 12gig.

That's one of the things that seems to be driving the size of daily.cvd
up - updating main.cvd entails a massive distribution of files to the
world.

Perhaps a tiered approach to the update files, with main.cvd,
monthly.cvd, weekly.cvd, daily.cvd, and hot.cvd

The advantage there is that the really big update could be distributed
very seldom - perhaps only with new code (the code generally has to be
upgraded every few months to deal with a new threat anyway).

If you had overlapping signatures between the files, you could add a
fuzzy-factor into freshclam that it might not bring down the latest
weekly/monthly if the other files overlap completely.  That would
distribute the load on the freshclam servers for the larger updates, and
there would just be the very small daily.cvd (and perhaps hot.cvd)
downloads.

I like the idea of using DNS to signal the change - maybe just for
hot.cvd.  So, whenever a major virus breakout occurs, the new sig would
be added to hot.cvd  and the DNS TXT record changed.  10,000 users
pulling down a 2-3K file is not terribly hard for a server with decent
bandwidth.
-- 
Daniel J McDonald, CCIE 2495, CNX
Austin Energy






Re: [Clamav-users] Where to download latest virus samples

2004-08-11 Thread Daniel J McDonald
On Tue, 2004-08-10 at 19:08, Zoong Pham wrote:
> Where can I download samples of the new virus 

Just create a mail box and give the address to a few clueless friends. 
You should have plenty of viruses in a matter of hours.

> and test my ClamAV?

the eicar signature is best for simple testing. See
http://www.eicar.org/anti_virus_test_file.htm

-- 
Daniel J McDonald <[EMAIL PROTECTED]>
Austin Energy





Re: [Clamav-users] Newbie: Clamav and Sendmail milter config

2004-08-24 Thread Daniel J McDonald
On Tue, 2004-08-24 at 10:04, Randall Perry wrote:
> on 8/24/04 9:59 AM, Dennis Peterson at [EMAIL PROTECTED] wrote:
> 
> > The J-Chkmilter permits disabling scanning based on
> > IP/Net/Domain for such things as trusted servers - we handle a lot of
> > machine generated mail that need not be scanned, for example, and that is
> > mapped out of the filtering process.
> 
> This is a little off topic, but I'm interested in using Spamassassin, but
> would like to limit scanning to users who have opted-in to spam checking. Is
> there a filter that can check mail by username or group association?

Amavis-new.  All manner of tools for differentiating between users by
querying mysql, ldap, or files.  Integrates clamav as well as
spamassassin...
-- 
Daniel J McDonald <[EMAIL PROTECTED]>
Austin Energy





[Clamav-users] LibClamAV Warning: Not all attachments will be scanned

2004-08-31 Thread Daniel J McDonald
Checking my virus quarantine and came across:
$ clamscan --mbox --stdout virus-20040831-*
[...]
virus-20040831-102553-18818-02-12: Worm.Bagle.N FOUND
LibClamAV Warning: Not all attachments will be scanned
LibClamAV Warning: Not all attachments will be scanned
LibClamAV Warning: Not all attachments will be scanned
virus-20040831-102843-20225-01-18: OK
virus-20040831-103636-18818-02-44: Worm.SomeFool.I FOUND
[...]

virus-20040831-102843-20225-01-18 contains a midi file (which is why I
block it) and other fluff - is that the message that is not being
scanned?

The warning messages are sent to stderr instead of stdout  - I normally
grep for the OK messages and manually review them.

Incidentally, I've gotten a number of .chm files lately in a unicode
message.  Clamav hasn't twigged on them, but I ban them with amavis-new
anyway.  Are there any known exploits with .chm files, or is that just
another way to move SPAM around?
-- 
Daniel J McDonald, CCIE 2495, CNX
Austin Energy






Re: [Clamav-users] List Down

2004-08-31 Thread Daniel J McDonald
On Tue, 2004-08-31 at 13:17, Chris Jett wrote:
> Is the list down?  I haven't gotten any list messages since this 
> morning...

No, merely slow.  It only took 4 hours to be delivered to me.  What do
you want?  Back in the bad old days we only got mail once a month, over
a 1200 baud modem, in the snow, uphill both ways!  And you're
complaining about a 4-hour delay?  Young whippersnapper! ;-)
-- 
Daniel J McDonald, CCIE 2495, CNX
Austin Energy






Re: [Clamav-users] List Down

2004-09-02 Thread Daniel J McDonald
On Wed, 2004-09-01 at 16:11, Jeff Wimmer wrote:
> 300 baud telephone cup modem here.then 1200when I got 2400 and the
> screen scrolled by faster than I could read, I KNEW I was in tall cotton
> then.:-)

Right,  I remember complaining about our 300 baud modems in high school,
talking to a PDP-11/70.  The teacher brought out some 110 baud modems
from a closet and threatened us with them...

But we didn't have e-mail then.  The first mail gateway I managed was 
DEC All-IN-1 to Western Union Easylink, over a 1200 baud modem, with a
two to three day turnaround to most of the customers we served. That
would have been in about 1989.

No e-mail viruses back then...  No spam either.  
-- 
Daniel J McDonald, CCIE 2495, CNX
Austin Energy






Re: [Clamav-users] Re: [Clamav-users] configure doesn´t see the gmp library ?

2004-09-07 Thread Daniel J McDonald
On Mon, 2004-09-06 at 13:44, Claudio Adra wrote:

> > -- 
> The package I installed is gmp-4.1.3 from www.swox.com/gmp
> Still not recognizing gmp functions
> (Sorry, it was an error when I wrote "libgmp")

you need the -devel package.  On Mandrake it's called gmp3-devel-4...
the "main" package will have the run-time binaries, but when compiling
your own code you need the -devel packages with source code and headers
so they can be linked into the image.
-- 
Daniel J McDonald, CCIE 2495, CNX
Austin Energy






Re: [Clamav-users] Virii in archived file passing through

2004-09-08 Thread Daniel J McDonald
On Wed, 2004-09-08 at 11:15, Nicolas Aulas wrote:
> I'm running clamav 0.75.1 (up to date) with amavisd-new and virii in
> archived file are not detected as mydoom.o (instruction.zip) or sobig.e
> (document.zip). Strange isn't it ?

What version of amavis-new?

are you using the $bypass_decode_parts feature?  If you are running an
older amavis-new, have you patched it recently?

I'm using clamav 0.75.1, amavis-new 20030616-P8 (with custom patches)
and nothing gets by.  Yes I do plan to upgrade soon - probably when
SpamAssassin 3.0 is officially released (and hopefully clamav 0.80 will
be released around then too!).  I might even put it on Mandrake 10.1
pre-2...

-- 
Daniel J McDonald, CCIE 2495, CNX
Austin Energy






Re: [Clamav-users] Virus Distribution

2004-09-09 Thread Daniel J McDonald
On Wed, 2004-09-08 at 15:52, Doug Hardie wrote:
> Those certainly could be it, but it is unusual compared with the other 
> viruses we see daily.  I wonder if there is more to this one than has 
> been found yet.

I've noticed that Zafi.B is most often spread through backscatter.  So,
perhaps you are seeing spikes when an infected machine hits a
particularly poorly configured spam filter.

-- 
Daniel J McDonald <[EMAIL PROTECTED]>
Austin Energy





Re: [Clamav-users] Re: Clamav-users digest, Vol 1 #974 - 12 msgs

2004-09-09 Thread Daniel J McDonald
On Thu, 2004-09-09 at 03:59, Nicolas Aulas wrote:
> Le 8/09/04 21:37, « [EMAIL PROTECTED] »
> <[EMAIL PROTECTED]> a écrit :

> > What version of amavis-new?
> 
> I'm running amavisd-new 20030616-9.p10 not patched

You might try P10 - Mark was fiddling around with the zip routines at
that time.  I thought P9 was supposed to work just fine, but...

> > are you using the $bypass_decode_parts feature?  If you are running an
> > older amavis-new, have you patched it recently?
> 
> The $bypass_decode_parts feature is commented (so false by default)

Good - that's the way it should be.

-- 
Daniel J McDonald <[EMAIL PROTECTED]>
Austin Energy





Re: [Clamav-users] virus spreading by modssl-users mlist

2004-09-09 Thread Daniel J McDonald
On Thu, 2004-09-09 at 09:33, Maurizio Marini wrote:
> Hi there
> i've already posted this last week:
> this morning i received this very suspicious email:
> 
> >Lovely animals


Yeah, that's Worm.Bagel.AK

-- 
Daniel J McDonald <[EMAIL PROTECTED]>
Austin Energy





Re: [Clamav-users] Memory

2004-09-09 Thread Daniel J McDonald
g execution
> 
> See any operating system documentation about shared libraries for more
> information, such as the ld(1) and ld.so(8) manual pages.
> 
-- 
Daniel J McDonald <[EMAIL PROTECTED]>
Austin Energy





Re: [Clamav-users] Upgrade clamav on Debian and now service creates error when starting

2004-09-09 Thread Daniel J McDonald
On Thu, 2004-09-09 at 13:37, Jim wrote:
> After I upgraded clamav via apt-get I now get an error during restart of
> /etc/init.d/clamav-daemon.
> 
> This is on a debian system and the error created is:
> /etc/init.d/clamav-daemon restart
> Restarting clamav daemon: clamdERROR: Parse error at line 10: Unknown
> option ThreadTimeout.

This item was renamed from ThreadTimeout to ReadTimeout between 0.6x and
0.7x.  Just edit line 10 of /etc/clamav/clamav.conf with:
vi /etc/clamav/clamav.conf
10G2x~:wq

-- 
Daniel J McDonald, CCIE 2495, CNX
Austin Energy






Re: [Clamav-users] Banned file type is not there!!

2004-09-10 Thread Daniel J McDonald
On Thu, 2004-09-09 at 18:52, Sean Hafeez wrote:
> Hi, I have a client trying to send us Premavara files (scheduling
> drawings) however it get bounced with this error. The thing is that
> there is not an .exe file attached

Remember, amavis-new relies on file(1) to determine the file type.

I've been dropping some e-mails that start with the word HURRY, because
file(1) matches that as a human68k executable.

So... extract your message and run file(1) to see what it thinks...

>  and if he zips the file we get the
> same error. 

Yes.  Amavis-new unzips the files and looks at the attachments.


> The message has been quarantined as: 
>/var/amavisd/quarantine/virus-20040909-095702-17085-07 

go grab it and look carefully - you will match some magic-header from
file(1).  You can either tweak magic or change the way amavis-new parses
the output from file(1)


-- 
Daniel J McDonald, CCIE 2495, CNX
Austin Energy






[Clamav-users] Mandrake RPMs?

2004-09-24 Thread Daniel J McDonald
Anyone got a working clamav 0.80rc2 SRPM for Mandrake?  I've worked on
it for a while and haven't been able to get it all correct, and don't
really have the time to re-engineer a wheel...

-- 
Daniel J McDonald, CCIE # 2495, CNX
Austin Energy

[EMAIL PROTECTED]





Re: [Clamav-users] More log information

2004-10-13 Thread Daniel J McDonald
On Wed, 2004-10-13 at 11:49 +0200, Cali Federico wrote:
> Hi all,
> is it possible to have detailed information ( such as sender, recipients,virus 
> type/name etc) 
> in the clamad.log when a virus is detected ?
> I'd like to know this information in order to produce virus detecting statistics.
Clamav by itself doesn't know this information.  I use AMaViS-new, which
does log all of that.

-- 
Daniel J McDonald, CCIE # 2495, CNX
Austin Energy

[EMAIL PROTECTED]

___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Re: [Clamav-users] Re: R: More log information

2004-10-13 Thread Daniel J McDonald
On Wed, 2004-10-13 at 15:53 +0200, Wolfgang Cernohorsky wrote:
> Cali Federico wrote:
> 
> > I'm using:
> > - postfix
> > - AMaViS-new
> > - ClamAV
> > 
> > Do you know some tools that allow to obtain statistics about viruses detected.

> You can try "amavis-stats"[1] if you like graphs, e.g.
> http://rekudos.net/amavis-stats/node/view/7.

and pflogsumm if you don't want graphs.  I use both.
http://jimsun.linxnet.com/postfix_contrib.html

-- 
Daniel J McDonald, CCIE # 2495, CNX
Austin Energy

[EMAIL PROTECTED]



Re: [Clamav-users] Bagle.AP

2004-09-30 Thread Daniel J McDonald
On Thu, 2004-09-30 at 18:37 +0200, Filbert wrote:
> Hi,
> 
> The Bagle.AP (dd 29/09/2004) is only recognized by clamd 0.80rc3 (according to 
> the message from the site below) and not by 0.75.1.

I caught Bagle.AP for three days with 0.75-1 before upgrading to
0.80rc3...




Re: [Clamav-users] Virus count

2004-10-01 Thread Daniel J McDonald
On Fri, 2004-10-01 at 11:36 -0700, [EMAIL PROTECTED] wrote:
> Does anyone know how many viruses we should be catching?  I seem to 
> remember having >40k and now we're at ~25k with 0.80rc3.  Ideas?
> 
> >> Database correctly reloaded (25384 viruses)

This is the correct number.  if you had 40K before, you had old virus
patterns from pre 0.60 days that never were cleaned up.




Re: [Clamav-users] Virus count

2004-10-01 Thread Daniel J McDonald
On Fri, 2004-10-01 at 12:31 -0700, [EMAIL PROTECTED] wrote:
> On Fri, 1 Oct 2004, Ryan Moore wrote:
> > 
> > Yea, same count here. They probably have another file in their database 
> > directory or something.
> > 
> 
> This is what we have.  Should some of 'em be removed?
> 

These two don't belong...  The first one is a temp file that probably
can be deleted, depending on how old it is (more than a day - kill it).
The second is an old-style file that certainly should be.
> ca3a946c1c51338c17424e66095263fa  /var/lib/clamav/clamav-84cd742373f2ac28
> d44c89708c4d00bcc6cacedbd24dbfd6  /var/lib/clamav/viruses.db2
> 
-- 
Daniel J McDonald, CCIE # 2495, CNX
Austin Energy

[EMAIL PROTECTED]



Re: [Clamav-users] Virus count

2004-10-01 Thread Daniel J McDonald
On Fri, 2004-10-01 at 21:53 +0200, Bogusław Brandys wrote:
> Hi,
> 
> 
> Ryan Moore wrote:
> > Dennis Skinner wrote:
> > 
> >> HmmI have 24618
well, I've got 24688.  511 just came out
[EMAIL PROTECTED] root]# freshclam
ClamAV update process started at Fri Oct  1 15:27:09 2004
main.cvd is up to date (version: 27, sigs: 23982, f-level: 2, builder: tomek)
Downloading daily.cvd [*]
daily.cvd updated (version: 511, sigs: 706, f-level: 2, builder: ccordes)
Database updated (24688 signatures) from db.US.clamav.net (67.18.205.218).
Clamd successfully notified about the update.


> 
> However a few days ago I submitted about 1800 malware samples not 
> recognized by ClamAV so expect more additions in spare time of 
> maintainers ;-) (anyway  a lot of Macro viruses was there, what about 
> them ?)

26 of them released in 511...


-- 
Daniel J McDonald, CCIE # 2495, CNX
Austin Energy

[EMAIL PROTECTED]



Re: [Clamav-users] GMP-Devel - Where?

2004-10-04 Thread Daniel J McDonald
On Mon, 2004-10-04 at 15:09 -0400, Scott Rothgaber wrote:
> On Jim's suggestion, I went looking for GMP-Devel. It does not appear to 
> be available anywhere in non-RPM format. I also searched the list 
> archives and didn't see any clear answers. If I built GMP from source, 
> is -devel included? 

Yes, when building from source, the header files are saved so that you
can compile other things with the same library.  The "load the -devel"
answer applies to RPM based Linux distributions.  I don't know what the
solution is for FreeBSD.




Re: [Clamav-users] Mail filter

2004-10-06 Thread Daniel J McDonald
On Wed, 2004-10-06 at 23:31 +0200, xavier mas wrote:
>   Hi list!
> 
>   I just installed Klamav onto my Mandrake 10.0 Community OS, 
Klamav is an on-access scanning tool, not supported by this list.

> and seems (from 
> my newbie viewpoint) it works very well. Although, I'm very much interested 
> in having the mail filter checking out all the incoming e-mail in real time. 

There are many ways to do this, depending on which MTA you use.

> I try with receiving the test files included for testing, but nothing 
> happens. I guess my sendmail  app doesn't have this feature compiled.

you need to install clamav-milter and configure it appropriately to
disinfect mail coming through sendmail.
> 
>   Could someone confirm for me whether I'm wrong or not, and how to solve it?


-- 
Daniel J McDonald, CCIE # 2495, CNX
Austin Energy

[EMAIL PROTECTED]



Re: [Clamav-users] Freshclam Error

2004-10-07 Thread Daniel J McDonald
On Thu, 2004-10-07 at 09:37 -0500, Richard Humphrey wrote:
> Ever since upgrading to 8.0 rc1 I have been getting the following
> error when running freshclam.
> 
> # freshclam
> ClamAV update process started at Thu Oct  7 09:39:32 2004
> ERROR: Can't query current.cvd.clamav.net
> Reading CVD header (main.cvd): OK
> main.cvd is up to date (version: 27, sigs: 23982, f-level: 2, builder: tomek)
> ERROR: Can't query current.cvd.clamav.net
> Reading CVD header (daily.cvd): OK
> daily.cvd is up to date (version: 519, sigs: 859, f-level: 2, builder: trog)
> 
> 
> Any ideas what is going on?

You don't have access to do DNS queries?
[EMAIL PROTECTED] mcdonalddj]$ dig +short current.cvd.clamav.net txt
"0.80rc3:27:519:1097155814"

That tells you:
1.  What the latest released version of clamav code is (0.80rc3)
2.  What the latest release of the main.cvd virus database is (27)
3.  What the latest release of the daily.cvd virus database is (51)
4.  Unix epoch time of the most recent change:
[EMAIL PROTECTED] mcdonalddj]$ perl -e 'print time()-1097155814'
4990
or, about 8 hours ago



Re: [Clamav-users] MaxCompressionRatio

2004-10-08 Thread Daniel J McDonald
On Fri, 2004-10-08 at 17:34 +0200, Scott Ryan wrote:
> Does this setting determine the number of files that it will scan in 
> an archive or is it the amount of archived files that it will decompress and 
> scan inside an archive? 
no.

> Or maybe I have missed it completely and it means something else

The compression ratio is the size of the original file divided by the
size of the compressed file.  So, if you had a 20gigabyte BMP file that
was all the same color blue, you could probably compress that down to
less than 1K, and the compression ratio would be ~ 20 million.  That
makes an attractive way to send mail bombs, but the MaxCompressionRatio
allows you to stop that sort of thing from breaking your filter.

-- 
Daniel J McDonald, CCIE # 2495, CNX
Austin Energy

[EMAIL PROTECTED]



Re: [Clamav-users] Error in latest update to Database

2004-10-18 Thread Daniel J McDonald
On Mon, 2004-10-18 at 18:44 +0200, Graham Dodd wrote:
> On the latest update to the signatures I saw this in the log file

> WARNING: Your ClamAV installation is OUTDATED - please update immediately !
> WARNING: Current functionality level = 2, required = 3 Database updated

> I'm running 0.75.1, so I'm wondering why I have this entry in the log as
> 0.80 only got released in the last few days

Because there are a significant number of signatures that require 0.80,
so this is a prompt to get you to upgrade.

-- 
Daniel J McDonald, CCIE # 2495, CNX
Austin Energy

[EMAIL PROTECTED]



[Clamav-users] OT - embedded message/rfc822 mimeparts in messages on this list

2004-10-19 Thread Daniel J McDonald
Am I the only one who sees several of the posters with embedded:

Content-Type: message/rfc822

that includes embedded text/plain attachments.  Evolution opens them up
with only one extra step, but if I'm stuck with Outlook (or worse, OWA)
you have to open three levels of attachments to read the text of the
e-mail.

Just started when we switched from sourceforge to Luca's mailman server.

If I'm the only one seeing it I'll troubleshoot my amavis-new config to
see if it is doing something bizarre...



Re: [Clamav-users] Old ClamAV workaround

2004-10-25 Thread Daniel J McDonald
On Mon, 2004-10-25 at 08:00 -0400, Bart Silverstrim wrote:
> On Oct 24, 2004, at 3:29 PM, Mark Adams wrote:

> When you only install programs from source, how do you know when 
> upgrading them that there aren't remnants of binaries or libraries 
> scattered around the OS?  

Well designed programs have a "make uninstall" option.  So, you would go
back to the original source, run make uninstall, then make install on
the new source.

>  So when using 
> source compiles, I have this ingrained flinch towards the idea of just 
> running a compile and installing the results then trying to do an 
> upgrade if there's no version control, etc. built into it (which I 
> suppose is why RPM and apt-get and all the other packagers are so 
> popular...supposedly they help prevent conflicts from upgrades)

Right, which is why I've taken to building SRPMs for every package I
install if there is no pre-built one.  It's not terribly difficult, just
time consuming.  For Mandrake users, you can usually snag the SRPM for a
recent version from cooker or plf and update the source for a new
version in just a couple of minutes. For clam 0.80 there were extensive
changes to the config files, so it took me a good week to get all of the
config patches the way I wanted them.





Re: [Clamav-users] Config update signature

2004-10-25 Thread Daniel J McDonald
On Mon, 2004-10-25 at 21:10 +0200, Salvatore Basso wrote:
> Now for schedule update, default is:
> 
> /etc/cron.daily/freshclam
> 
> .. therefore the update is done every day, but if I want to schedule
> update every hour (and not every day) I must move the file freshclam
> from directory /etc/cron.daily/ to /etc/cron.hourly ??

yes, and please add the line:
sleep $[ 900 + $RANDOM % 1800 ]

before the freshclam statement.  That will randomize the time that you
check so that not everyone hits the update servers at the same instant.

-- 
Daniel J McDonald, CCIE # 2495, CNX
Austin Energy

[EMAIL PROTECTED]



Re: [Clamav-users] Upgrade to 0.8 issue

2004-11-05 Thread Daniel J McDonald
On Fri, 2004-11-05 at 08:36 -0700, Carl Horne wrote:
> Hi,
> 
> I have been using exim, exiscan, spamassassin, and clamav for while
> now.  I have done a number of upgrades to each of them including clamav
> to keep up with changes.  I have not been able to get clamav 0.80 to
> work.  The exim error I keep getting is (unable to read from ClamAV
> socket).  I have searched around the internet and found others that have
> had the same problem but I haven't seen a post on a fix.  One of the
> post said that it started with 0.8R3 and R2 was fine.  Anyway can anyone
> help me?  I have reproduced the issue on Linux and Solaris.

Make certain the name of the socket in clamd.conf matches your exim
config file, and that the appropriate permissions are in place.




RE: [Clamav-users] ClamAV should not try to detect phishing andother social engineering attacks

2004-11-15 Thread Daniel J McDonald
On Mon, 2004-11-15 at 08:26 -0500, jef moskot wrote:

> The average admin is most likely very pleased with the ClamAV team's
> decision to block phishing attacks (or at least the incredibly prevalent
> ones).

Yes, absolutely.  The poor **cough cough** exchange 5.5 **cough cough**
servers that I protect are much happier without phishing attacks.  I do
run uribl checking against the PH list to kill off more of them, but
belts and suspenders for malware is my motto.

But then again, I'm such a mean censor that I kill off all of those cute
e-mails with sound-tracks...  Never yet saw an e-mail with a midi
attachment that was business related

> Personally, I don't think much of SpamCop, but I do see that as Julian's
> most compelling argument.  I think that warrants a ClamAV option, but I
> also think it would be ill-advised to use it.

So, Julian should use Amavis-new, add spamcop reporters to the
virus-lover's lookup list, and be done.  I'm sure there is a way to make
the virus-lover's list only hit true on particular virus patterns - at
least there was discussion of that sort of feature on the ML about six
months ago, and there have been three new versions since then

And the rest of us can just watch our statistics go up and grin with
glee.

-- 
Daniel J McDonald, CCIE # 2495, CNX
Austin Energy

[EMAIL PROTECTED]



Re: [Clamav-users] zlib 1.2.2 released

2004-11-15 Thread Daniel J McDonald
On Mon, 2004-11-15 at 13:49 +, Nigel Horne wrote:
> FC3 ships with 1.2.1, and RH have yet to issue an update...

ditto for Mandrake 10.1

I think that might change if the zlib team would update
http://www.gzip.org/zlib which is described as the "canonical URL" ...


-- 
Daniel J McDonald, CCIE # 2495, CNX
Austin Energy

[EMAIL PROTECTED]



RE: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-15 Thread Daniel J McDonald
On Mon, 2004-11-15 at 18:00 +0100, Julian Mehnle wrote: 
> Brian Morrison [EMAIL PROTECTED] wrote:
> > What I am suggesting is that, because you appear to have a requirement
> > that is significantly different from nearly everyone else that has
> > responded in this thread,

> What I don't understand is that no one seems to be willing to discuss my
> proposal of making the signature database modular, i.e. offer social
> engineering attack signatures separately from technical attack ones for
> download and installation.  That would solve my and others' problem
> nicely, and would take _nothing_ away from those who don't care what
> ClamAV detects.

Ah, then we would have all manner of classifications - is it social?  Is
it Adware?  Is it a trojan?  Does it promulgate via IRC?  or ...?

But then the signature writers would have to tag all of the viruses, and
decide which of the 47 classes (or multiple, semi-overlapping classes)
to split them all into, instead of slamming out a sig to catch the
latest mail worm that just killed your network.

And, that would require a new format for the signatures - starting off
by classifying all 28K legacy signatures, creating a new format that
allows people to select the classes they want, going through a 2-month
beta period and probably a one-year "upgrade period" where they have to
maintain two distinct formats...

And the reason for this effort?  So you can report e-mail as spam?
Because you have sophisticated users who like poking fun at phishers?
Doesn't sound like a useful or simple solution to me.  And don't you
think there are other people with unprotected boxes who will get the
phishes and report them?  Or are you the key to the spamcop network, and
without your input the system will collapse?

clamav kills bad things - that's good, and I'd like it to be able to
continue to kill bad things in the same expedient manner that it has in
the past.

-- 
Daniel J McDonald, CCIE # 2495, CNX
Austin Energy

[EMAIL PROTECTED]



[Clamav-users] clamav enabled proxy?

2004-11-18 Thread Daniel J McDonald
Before I go re-inventing the wheel...  Is anyone using clamav on a
web/ftp proxy, and if so, which? 



Re: [Clamav-users] uninstalling issues

2004-11-29 Thread Daniel J McDonald
On Mon, 2004-11-29 at 15:19 -0600, David Green wrote:

> Subject: Cron <[EMAIL PROTECTED]> /usr/local/bin/freshclam --quiet
> --daemon-notify -l /var/log/clam-update.log 
> shell-init: could not get current directory: getcwd: cannot access
> parent directories: Permission denied 
> /bin/sh: line 1: /usr/local/bin/freshclam: No such file or directory 
> 
> But there is nothing in the crontab file related to this.  Any ideas? 

/etc/cron.hourly/freshclam ?


-- 
Daniel J McDonald, CCIE # 2495, CNX
Austin Energy

[EMAIL PROTECTED]



Re: [Clamav-users] NotifyClamd command doesn't work

2004-11-30 Thread Daniel J McDonald
On Tue, 2004-11-30 at 09:13 -0600, Sasa Stupar wrote:
# Send the RELOAD command to clamd.
# Default: disabled
NotifyClamd
# By default it uses the hardcoded configuration file but you can force an
# another one.
#NotifyClamd /config/file/path

Try setting your config file path manually, e.g:

NotifyClamd /etc/clamd.conf

-- 
Daniel J McDonald, CCIE # 2495, CNX
Austin Energy

[EMAIL PROTECTED]



Re: [Clamav-users] Virus Tests from www.testvirus.org

2004-12-02 Thread Daniel J McDonald
On Wed, 2004-12-01 at 20:37 +0100, Gianmarco Giovannelli wrote:
> At 20.17 01/12/2004, you wrote:
>  >Gianmarco Giovannelli wrote:
>  >
>  >> I know, but what if I want to consider them by default undesirable ?
>  >> I think clamav-milter should do the job quite easily.
>  >> If it found such attachment it treats it like a virus name :
>  >> UNAUTHORIZED ATTACH TYPE
>  >> Stop... :-)
>  >
>  >
>  > That is what a content filter is for.
> 
> ok, I know this, I am using noattach right now, that is doing his job quite 
> well.
> I am only trying to understand if it is possible to do with a single 
> program (clamav-milter) the job of two programs (clamav-milter and noattach).

I think that would be a bad feature for clamav.  after all, you might
want to scan a windows directory with the software, not just e-mail, and
some pifs are actually useful.

I kill off that sort of thing using amavis-new.

-- 
Daniel J McDonald, CCIE # 2495, CNX
Austin Energy

[EMAIL PROTECTED]



Re: [Clamav-users] Virus naming

2004-12-17 Thread Daniel J McDonald
On Fri, 2004-12-17 at 10:56 -0700, Carnegie, Martin wrote:
> Hello all,
> 
> Yep another newbie question.
> 
> We are currently looking at switching to Clamav from Symantec SMTP and
> there is one feature that I really like from Symantec that I cannot find
> in Clamav (at least I cannot find).  This is the ability to identify
> mass-mailing viruses based on the name of the virus detected.  For
> example the W32.Beagle (or Bagle) from Symantec shows up as
> [EMAIL PROTECTED]  This means that can then drop any messages with the
> @mm instead of just removing the attachment and sending on to the
> client.

I'd suggest dropping them all.  Other than a few word-macro viruses,
most everything still in the wild spoofs the sender address.

And, because of excessive backscatter, nobody believes anyone else's
virus scanner anyway, so it's best to just bit-bucket them.


-- 
Daniel J McDonald, CCIE # 2495, CNX
Austin Energy

[EMAIL PROTECTED]



Re: [Clamav-users] 3rd attempt to send this!

2004-12-21 Thread Daniel J McDonald
On Tue, 2004-12-21 at 20:36 +, Nigel Horne wrote:
> Please do not send any more messages to [EMAIL PROTECTED] covering
> 
> 1) knowbot
> 2) Unparsed header (1)
> 
> Both of these have been addressed for a long time in CVS.

How stable is CVS these days?  Are we approaching a 0.81?

There was a "can only find it with CVS" virus in Daily 636:

#Submission: 7454-web
#Sender: Tamas Roth
#Submitted virus name: Bagz
#Submission notes: Worm.Bagz.E found using current CVS. Better email
#detection.
#Added: No





Re: [Clamav-users] clamav-milter man page description of --noreject

2004-12-28 Thread Daniel J McDonald
On Tue, 2004-12-28 at 11:32 -0500, Christopher X. Candreva wrote:

> It is not immediately obvious why, if you are NOT generating new bounce 
> e-mails (which no one should be doing), you should also be silently 
> discarding viruses instead of returning a 550/554 error code. 
> 
> It would seem to me that if you aren't generating bounces, you would WANT 
> to return a 550/554 in the SMTP transaction, so any valid senders would know 
> that their mail was not accepted.

That's still back-scatter, just one relay removed.  If Lucy is infected,
and sends mail with Mary's return address through Lucy's usual mail
relay, then when the relay gets a 554 it will send the DSN back to Mary,
often including the virus.  Mary then gets infected and starts sending
mail with Joe's return address

Best to just smile and say "thanks" while you drop it all in the memory
hole.

-- 
Daniel J McDonald, CCIE # 2495, CNX
Austin Energy

[EMAIL PROTECTED]



Re: [Clamav-users] DNS behind a firewall

2004-12-29 Thread Daniel J McDonald
On Wed, 2004-12-29 at 17:09 +0100, Lempin Grégory wrote:
>   
>   
> frehclam -v 

> ERROR: Can't query current.cvd.clamav.net 

> What is the error : ERROR: Can't query current.cvd.clamav.net 
>   
freshclam checks a txt record via DNS as a low-impact way of checking
the most recent version number:

[EMAIL PROTECTED] mcdonalddj]$ dig current.cvd.clamav.net txt

; <<>> DiG 9.3.0 <<>> current.cvd.clamav.net txt
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60317
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;current.cvd.clamav.net.        IN      TXT

;; ANSWER SECTION:
current.cvd.clamav.net. 862 IN  TXT "0.80:28:645:1104334141"

;; Query time: 189 msec
;; WHEN: Wed Dec 29 10:12:35 2004
;; MSG SIZE  rcvd: 133

For some reason, that DNS request is failing from your system.

-- 
Daniel J McDonald, CCIE # 2495, CNX
Austin Energy

[EMAIL PROTECTED]
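
The TXT record discussed in this reply and in the earlier "Freshclam Error" reply, parsed and compared against local database versions. This is an added example, not part of either message and not freshclam's own code; the function and class names are hypothetical, and the sample strings are the ones quoted in the two threads.

```python
import re
from typing import Dict, List, NamedTuple


class CvdInfo(NamedTuple):
    engine: str   # latest released ClamAV version
    main: int     # latest main.cvd version
    daily: int    # latest daily.cvd version
    updated: int  # Unix epoch time of the most recent change


def parse_txt_record(txt: str) -> CvdInfo:
    """Parse the TXT value as dig prints it, e.g. '"0.80:28:645:1104334141"'."""
    fields = txt.strip().strip('"').split(":")
    # Only the four fields explained in the thread are interpreted; anything
    # after them is ignored rather than guessed at.
    if len(fields) < 4 or not fields[0]:
        raise ValueError(f"unexpected TXT record: {txt!r}")
    if not all(f.isdecimal() for f in fields[1:4]):
        raise ValueError(f"non-numeric version or timestamp in: {txt!r}")
    return CvdInfo(fields[0], int(fields[1]), int(fields[2]), int(fields[3]))


_LOCAL = re.compile(
    r"^(main|daily)\.cvd (?:is up to date|updated) \(version: (\d+),", re.M)


def local_versions(freshclam_output: str) -> Dict[str, int]:
    """Pull the locally installed database versions out of freshclam output."""
    return {name: int(ver) for name, ver in _LOCAL.findall(freshclam_output)}


def stale_databases(info: CvdInfo, local: Dict[str, int]) -> List[str]:
    """Names of databases older than what the TXT record advertises."""
    wanted = {"main": info.main, "daily": info.daily}
    # A database missing from the local output counts as stale.
    return sorted(n for n, v in wanted.items() if local.get(n, -1) < v)


def age_seconds(info: CvdInfo, now: int) -> int:
    """Seconds between the record's timestamp and 'now' (both Unix epoch)."""
    return now - info.updated


# freshclam output quoted in the 2004-10-07 thread, DNS errors included.
FRESHCLAM_OUTPUT = """\
ERROR: Can't query current.cvd.clamav.net
Reading CVD header (main.cvd): OK
main.cvd is up to date (version: 27, sigs: 23982, f-level: 2, builder: tomek)
ERROR: Can't query current.cvd.clamav.net
Reading CVD header (daily.cvd): OK
daily.cvd is up to date (version: 519, sigs: 859, f-level: 2, builder: trog)
"""

if __name__ == "__main__":
    info = parse_txt_record('"0.80:28:645:1104334141"')
    print(info, stale_databases(info, local_versions(FRESHCLAM_OUTPUT)))
```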



RE: [Clamav-users] freshclam

2005-01-06 Thread Daniel J McDonald
On Thu, 2005-01-06 at 14:33 +0100, Gwyll Gwyllin wrote:
> But not now ...
> 
> It was a conversion error ... The ? Sign should be a smiley, but it reached
> you in a wrong format ... M$ Outlook rulez :S

Hopefully you have found the problem- an older version of freshclam
in /usr/local/bin or some such in the search path ahead
of /usr/bin/freshclam which probably is the correct version.

-- 
Daniel J McDonald, CCIE # 2495, CNX
Austin Energy

[EMAIL PROTECTED]
