[Clamav-users] Virus aliases
Hello,

(I am new to the list, but have scanned the archives and have been unable to find a complete answer to this, although it has been brought up once or twice ...)

I'd like to be able to see the alias names for detected viruses. The clamav-virusdb announcements include aliases, but searching the mail archives is a rather haphazard way of matching up viruses with different aliases.

I was originally rather alarmed because, when I first installed ClamAV last week, I did:

> sigtool --list-sigs | grep -i netsky

and got nothing back! My initial response was "Whoa! It's out of date ..."

I use ClamAV and Sophos in series on our mail server and would like to tie up which viruses are actually the same thing ...

There was a message on the archives from about three weeks ago from someone who was planning to maintain a web page listing the aliases, so my questions are:

1. Is this web page live? If so, what's the address?
2. Can the alias details be extracted from the .cvd files? If not currently, is there any way to add this detail?
3. Is searching the archives of clamav-virusdb the only way to find alias names currently?

Cheers,
Dave.

--
Dave Ewart [EMAIL PROTECTED]
Computing Manager, Epidemiology Unit, Oxford Cancer Research UK
PGP: CC70 1883 BD92 E665 B840 118B 6E94 2CFD 694D E370

Clamav-users mailing list: https://lists.sourceforge.net/lists/listinfo/clamav-users
Re: [Clamav-users] Virus aliases
On Thursday, 11.03.2004 at 13:52 +0100, Tomasz Kojm wrote:

> On Thu, 11 Mar 2004 10:15:50 +0000 Dave Ewart <[EMAIL PROTECTED]> wrote:
>
> > 2. Can the alias details be extracted from the .cvd files? If not
> > currently, is there any way to add this detail?
>
> Virus aliases will be supported in signatures in the near future.

Excellent news!

ClamAV is a fabulous project - wish I could find some way to contribute. At the moment, all I'm managing is word-of-mouth praise etc.

Cheers,
Dave.
Re: [Clamav-users] Problem with clamscan .vs. clamdscan
On Tuesday, 27.04.2004 at 09:38 -0400, Jim Maul wrote:

> > > Because clamscan doesn't use clamav.conf!! So many people don't
> > > seem to realize this.
> >
> > Perhaps it should to avoid any confusion!
>
> Perhaps, but this is not my decision.

/etc/clamav.conf -> /etc/clamd.conf ?

Dave.
Re: [Clamav-users] Your ClamAV installation is OUTDATED
On Thursday, 29.04.2004 at 09:17 -0400, Jeff Lanzarotta wrote:

> I'm getting the following error message in my /var/log/freshclam.log
> file on my Mandrake 9.2 system:
>
> WARNING: Your ClamAV installation is OUTDATED - please update immediately !
> WARNING: Current functionality level = 1, required = 2
>
> Can someone tell me what this means or where I could find out why I am
> getting this?
>
> I have versions:
>
> clamscan / ClamAV version 0.70-rc
> freshclam / ClamAV version 0.70-rc

You should upgrade to version 0.70, I believe.

Dave.
Re: [Clamav-users] Your ClamAV installation is OUTDATED
On Thursday, 29.04.2004 at 08:38 -0500, John Madden wrote:

> > Update to ClamAV version 0.70
>
> What are the consequences of not upgrading? I'd have to plan
> downtime,

There shouldn't be any need for (significant) downtime - build the new clam and install. Then restart the clam daemon, which shouldn't take more than a second or two. If you're not using the daemon, then you don't even need to do that.

Dave.
Re: [Clamav-users] Procmailrc settings (for bounce, notify etc)
On Tuesday, 27.07.2004 at 11:32 +0100, Suril Patel wrote:

> [...] I presume the detection is in the logs but I'd like the message
> not to be delivered to me, while the sender gets a message saying
> "your message was failed due to virus etc. etc." Obviously the sender
> should just get the subject line or something and not the attachment.
> [...]

Don't notify the sender.

You'll just be generating unnecessary mail. In the case of most virus-generated emails, which are the ones you are going to be detecting, the sender address will be faked. Therefore, any notification would go to the wrong person in any case.

Log the messages by all means, delete them automatically if you wish, but don't notify anyone (except possibly your local system administrator).

Dave.
Re: [Clamav-users] Procmailrc settings (for bounce, notify etc)
On Tuesday, 27.07.2004 at 15:27 +0200, Lionel Bouton wrote:

> Dave Ewart wrote the following on 07/27/2004 02:47 PM :
>
> > Don't notify the sender.
> >
> > You'll just be generating unnecessary mail. In the case of most
> > virus-generated emails, which are the ones you are going to be
> > detecting, the sender address will be faked. Therefore, any
> > notification would go to the wrong person in any case.
>
> You might want to be more accurate than that : worms using mail for
> propagation usually fake the From header, but when clamav detects a
> virus using other means of propagation (meaning the From couldn't be
> faked by the virus), notifying the sender is useful.
>
> Amavisd-new is configured to do this by using :
>
> $viruses_that_fake_sender_re = new_RE(
>   ...
>   qr'Worm'i, # worms as labeled by ClamAV, Kaspersky, etc
>   [qr'^(EICAR|Joke\.|Junk\.)'i => 0],
>   [qr'^(WM97|OF97|W95/CIH-|JS/Fort)'i => 0],
> );

Interesting.

I have heard of a particular incident where a sysadmin received a "you have sent us a virus" message, replied with the standard "hey, don't you know that most viruses fake headers, this autoreply from you is just adding clutter", only to then be told that, "actually, this *particular* virus does *not* fake the headers and your system really *does* have a virus ..." :-)

Dave.
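An added example, not from the thread and not amavisd-new's own code: the notify-or-not decision from the quoted `$viruses_that_fake_sender_re` rules, reimplemented in Python so it can be tested against sample detection names. Only the rules visible above are kept (the elided `...` entries are omitted), and the fallback for an unmatched name is my own assumption, chosen to follow the thread's advice of not notifying the sender.

```python
import re

# Constructed rule table mirroring the amavisd-new fragment quoted above.
# Rules are tried in order and the first match decides. True means "this
# family forges the sender" (a notification would reach the wrong person);
# False means the From address can be trusted enough to notify.
# The "..." entries of the original list are not reproduced here.
FAKE_SENDER_RULES = [
    (re.compile(r"Worm", re.I), True),                           # worms as labelled by ClamAV, Kaspersky, etc.
    (re.compile(r"^(EICAR|Joke\.|Junk\.)", re.I), False),        # test file, jokes, junk: real sender
    (re.compile(r"^(WM97|OF97|W95/CIH-|JS/Fort)", re.I), False), # macro/file infectors: real sender
]


def sender_is_faked(virus_name: str, default: bool = True) -> bool:
    """Return True when the detection name belongs to a sender-forging family.

    `default` (assumed here, not part of the quoted config) applies when no
    rule matches; True is the conservative choice: unknown family, no notice.
    """
    for pattern, fakes in FAKE_SENDER_RULES:
        if pattern.search(virus_name):
            return fakes
    return default


def notification_targets(virus_name: str, sender: str, admin: str) -> list:
    """Decide who is told about a blocked message.

    The local administrator is always informed; the sender only when the
    detection name is one where the From header could not have been forged.
    """
    targets = [admin]
    if not sender_is_faked(virus_name):
        targets.append(sender)
    return targets
```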
[Clamav-users] Suspected Zip?
Hello ClamAV users,

Using 0.80rc2 ... one local user sent another a zip file containing various text files and an EXE program (compiled application from Delphi, I think). This file was blocked by ClamAV as "Suspected.Zip".

Can someone explain the reasons for this? Is it simply the presence of the EXE file in the Zip archive which triggered this response? The Zip was not password-protected, or encrypted in any other way.

Cheers,
Dave.
Re: [Clamav-users] Suspected Zip?
On Thursday, 30.09.2004 at 11:26 +0100, Trog wrote:

> It means the zip contains either a file with zero length name, or a
> file that's zero bytes in length, or possibly that the unzip failed.

Hmm, yes, the unzip failed. The perl module Archive::Zip (used by AMaViS) failed to unzip this zip file, which was generated using 7-Zip. The zip file unzips correctly using other tools.

Will try to get a newer version of Archive::Zip ...

Thanks for the tip,
Dave.
Re: [Clamav-users] Suspected Zip?
On Thursday, 30.09.2004 at 12:27 +0200, Bogusław Brandys wrote:

> Maybe unsupported zip format ? What unzip.exe says when unzipping ?

That's the problem (see other post in the thread). Thanks for info.

Dave.
Re: [Clamav-users] delay scanning where a new virus occurs
On Tuesday, 09.11.2004 at 11:20 +0100, [EMAIL PROTECTED] wrote:

> i d like to know if it s possible with clamav to delay scanning new emails
> with attachments for 6 hours in case of the discovery of a new virus.
>
> That would be for not being attacked between the time the virus is found
> and the updated signature clamav is there

I suspect a solution to the above would not be a ClamAV solution. You need to configure your MTA to 'hold' large messages for a specified time. I know of no way of doing this, but I imagine it's possible. Once 'released' by the MTA, ClamAV would scan the messages as normal.

Dave.
[Clamav-users] "Mirrors are not fully synchronized."
Freshclam seems to be giving me "ERROR: Mirrors are not fully synchronized. Please try again later." rather a lot in the last few weeks.

Freshclam runs every two hours, i.e. 12 times per day, and maybe two or three per day give the above message.

Is this something that needs to be fixed at my end?

Dave.
Re: [Clamav-users] "Mirrors are not fully synchronized."
On Wednesday, 06.04.2005 at 05:13 -0400, Dale Walsh wrote:

> > Freshclam seems to be giving me "ERROR: Mirrors are not fully
> > synchronized. Please try again later." rather a lot in the last few
> > weeks.
> >
> > Freshclam runs every two hours, i.e. 12 times per day, and maybe two or
> > three per day give the above message.
> >
> > Is this something that needs to be fixed at my end?
>
> I've checked my log going back a few days and this is not in any, I
> think it may be a configuration issue, check it and if you can't figure
> it out post it and perhaps someone can point out the problem to you.

Well, I've not changed my config for ages, and this has only started happening very recently. I suppose it's possible that some upstream DNS issue is causing this?

My freshclam.conf:

    UpdateLogFile /usr/local/share/clamav/clam-update.log
    LogVerbose
    DatabaseMirror database.clamav.net
    MaxAttempts 3
    Checks 2
    NotifyClamd
    DNSDatabaseInfo current.cvd.clamav.net

    # freshclam --version
    ClamAV 0.83/809/Tue Apr 5 19:22:26 2005

Dave.
Re: [Clamav-users] "Mirrors are not fully synchronized."
On Thursday, 07.04.2005 at 00:55, Mark wrote:

> > > Freshclam seems to be giving me "ERROR: Mirrors are not fully
> > > synchronized. Please try again later." rather a lot in the last few
> > > weeks.
>
> Must be me, because I honestly do not see what the fuss is all about:
>
> asarian-host: {root} % cat freshclam.log
> Received signal 14, wake up
> ClamAV update process started at Thu Apr 7 01:38:53 2005
> main.cvd is up to date (version: 30, sigs: 31086, f-level: 4, builder: tkojm)
> ERROR: Mirrors are not fully synchronized. Please try again later.
> Trying again in 5 secs...
> ClamAV update process started at Thu Apr 7 01:38:59 2005
> main.cvd is up to date (version: 30, sigs: 31086, f-level: 4, builder: tkojm)
> daily.cvd updated (version: 810, sigs: 1455, f-level: 4, builder: ccordes)
> Database updated (32541 signatures) from db.nl.clamav.net (IP: 195.85.130.84)
> Clamd successfully notified about the update.
>
> As advertised, freshclam updates 5 seconds later. So, who cares??

Hmm, interesting ... I hadn't noticed that the successful updates happen at the same time. The error I posted is the *only* message (sent to root via email) returned by 'freshclam --quiet' running from cron and I hadn't made the connection between this happening and an update coming through. Will check this out more closely the next time it happens.

By the way, belittling a legitimate problem report with "Don't see what the fuss is about" and "Who cares?" is not actually very helpful, although your log listing *is* helpful. Just because a particular problem might seem benign, that's no reason to ignore it. As was posted, it seems that this error is a symptom of some of the mirrors being unavailable, which *is* a problem, even if client updates are ultimately getting through.

Dave.
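An added example, not from the thread and not part of ClamAV: a small Python analyser for freshclam log lines in the format Mark quoted, which groups the retry attempts of one cron invocation together so that a sync error followed within seconds by a successful update (the benign case Mark describes) is distinguished from an invocation where every attempt hit the error (the case Dave is worried about). The sample log is constructed for the example; the 60-second retry window is an assumption.

```python
import re
from datetime import datetime

# Constructed sample in the format of the freshclam log quoted above (not a real capture):
# one invocation that recovers on its second attempt, then one where all three attempts fail.
SAMPLE_LOG = """\
ClamAV update process started at Thu Apr 7 01:38:53 2005
main.cvd is up to date (version: 30, sigs: 31086, f-level: 4, builder: tkojm)
ERROR: Mirrors are not fully synchronized. Please try again later.
Trying again in 5 secs...
ClamAV update process started at Thu Apr 7 01:38:59 2005
main.cvd is up to date (version: 30, sigs: 31086, f-level: 4, builder: tkojm)
daily.cvd updated (version: 810, sigs: 1455, f-level: 4, builder: ccordes)
Database updated (32541 signatures) from db.nl.clamav.net (IP: 195.85.130.84)
ClamAV update process started at Thu Apr 7 03:38:53 2005
ERROR: Mirrors are not fully synchronized. Please try again later.
Trying again in 5 secs...
ClamAV update process started at Thu Apr 7 03:38:58 2005
ERROR: Mirrors are not fully synchronized. Please try again later.
Trying again in 5 secs...
ClamAV update process started at Thu Apr 7 03:39:03 2005
ERROR: Mirrors are not fully synchronized. Please try again later.
"""

START_RE = re.compile(r"^ClamAV update process started at (.+)$")
SYNC_ERR = "ERROR: Mirrors are not fully synchronized"
SUCCESS_RE = re.compile(r"^Database updated \(|^daily\.cvd is up to date")


def summarise_runs(log_text):
    """Split the log into update attempts; record sync errors and whether each attempt succeeded."""
    runs = []
    for line in log_text.splitlines():
        m = START_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
            runs.append({"started": ts, "errors": 0, "success": False})
        elif runs and line.startswith(SYNC_ERR):
            runs[-1]["errors"] += 1
        elif runs and SUCCESS_RE.match(line):
            runs[-1]["success"] = True
    return runs


def classify_incidents(runs, retry_window=60):
    """Merge attempts within retry_window seconds into one invocation; label it recovered or failed."""
    incidents = []
    for run in runs:
        if incidents and (run["started"] - incidents[-1]["last"]).total_seconds() <= retry_window:
            inc = incidents[-1]  # a retry of the same cron invocation
        else:
            inc = {"first": run["started"], "last": run["started"], "errors": 0, "recovered": False}
            incidents.append(inc)
        inc["last"] = run["started"]
        inc["errors"] += run["errors"]
        inc["recovered"] = inc["recovered"] or run["success"]
    return [(i["first"], i["errors"], "recovered" if i["recovered"] else "failed") for i in incidents]
```

Only the "failed" incidents are worth alerting on; the "recovered" ones are the mirror-lag case and are better counted over time than mailed to root one by one.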