[Clamav-users] Virus propagated via Net Video feeds

2007-10-04 Thread Derick Centeno
Hi All:

I thought someone would be interested in responding to the article 
posted on slashdot.
I have been viewing net videos within OSX and it behaved exactly as the 
report noted as after viewing some net video.  I had recently updated 
clamav with the current db info available.  Is there a way to work this 
out?

Here's the link:

http://it.slashdot.org/it/07/10/02/1614246.shtml

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] VirusEvent Options

2007-10-16 Thread Derick Centeno

Hi Sean:

My own experience with Clamav has been that it clearly identifies the  
location of a virus during a scan.  However if you want to know the  
details of file access (who or what did something unusual and when)  
you may be better off with having both Tripwire and Clamav working on  
your system.

Tripwire is a security system and would handle the details.  Tripwire
would have to become aware of Clamav and its function but once
that's been done your system would be pretty tight as Tripwire
educated you what else needed to be shut down or ports locked so that
your system is secure.  The reporting capacity of OST surpasses that
of Clamav and can provide details (such as you requested) which
Clamav is not designed for, not that I noticed anyway.

Everyone is familiar with the commercial version of Tripwire which is
very useful however as this is also Open Source Tripwire (OST).  OST
and Clamav together could be a very useful combination.

It is here:  http://sourceforge.net/projects/tripwire/

Of course, like any open source project OST can be recompiled to run  
on PowerPC systems such as the Cell.  Here's some more information  
for your consideration:  http://www.tripwire.com/products/enterprise/ost/

On Oct 16, 2007, at 1:11 PM, Sean McGlynn wrote:

> Hello,
>
> I am looking for better information when notified by ClamAV that a  
> virus has been detected.  Thus far I have VirusEvent /bin/echo  
> "VIRUS ALERT: ClamAV found %v." | /bin/mail -s "ClamAV Virus  
> Detection" -r ClamAV [EMAIL PROTECTED], which basically  
> tells me that a particular virus was detected.  It would be far  
> more useful if the notification included where the file resided,  
> and perhaps who was attempting to access the file.
>
> Is there a way to establish and include this information in the virus
> detection notification?
>
> Thank you.


Re: [Clamav-users] Quarantine Infected Files Discovered by Clamuko

2007-10-16 Thread Derick Centeno

Having a script parse the log file is not the problem.  The
documentation addressing the details of Clamav explains clearly that
removing the infected file or files is the difficulty, especially as
the infected files may be key components or data files of email
clients and/or other sensitive applications.

It is never a good idea to have a script do a task which requires
introspective analysis.  In brief, do you really want to destroy an
application you may need, to remove a virus or infection you don't?
As each client or sensitive application implements its task there
cannot be a one task script or method which will work across all
situations without risking damage to the working application.
Unfortunately the people writing the infections know this as well;
there is no way to automate an appropriately intelligent strategy for
every real-world contingency.

However, if one takes time, as careful perhaps as a medical surgeon,
the chance may be good that you can remove the infection and if
necessary reinstall or rebuild the application anew.

On Oct 16, 2007, at 1:43 PM, Sean McGlynn wrote:

> I read in another post that the only way to quarantine an infected  
> file that is discovered during an on access scan (i.e. via Clamuko)  
> is to write a script that would parse the log file for the location
> of the infected file and then move it or delete it as desired.  Is  
> this correct?  If not, what is the appropriate method.  If so, does  
> anyone have a good script already written that will perform this  
> function.
>
> Thank you much.




Re: [Clamav-users] Quarantine Infected Files Discovered by Clamuko

2007-10-16 Thread Derick Centeno

I came across this paper which could be useful.  Here it is:

http://www.fsl.cs.sunysb.edu/docs/avfs-security04/index.html#tthFtNtAAB

On Oct 16, 2007, at 3:10 PM, Sean McGlynn wrote:

> Thank you for your reply.
>
> I appreciate your point, but in our environment the directories  
> being scanned are user directories where only data files are  
> stored.  There is no risk to applications or other running processes.
>
>
> - Original Message ----
> From: Derick Centeno <[EMAIL PROTECTED]>
> To: ClamAV users ML 
> Sent: Tuesday, October 16, 2007 2:39:58 PM
> Subject: Re: [Clamav-users] Quarantine Infected Files Discovered by  
> Clamuko
>
>
> Having a script parse the log file is not the problem.  The
> documentation addressing the details of Clamav explains clearly that
> removing the infected file or files is the difficulty, especially as
> the infected files may be key components or data files of email
> clients and/or other sensitive applications.
>
> It is never a good idea to have a script do a task which requires
> introspective analysis.  In brief, do you really want to destroy an
> application you may need, to remove a virus or infection you don't?
> As each client or sensitive application implements its task there
> cannot be a one task script or method which will work across all
> situations without risking damage to the working application.
> Unfortunately the people writing the infections know this as well;
> there is no way to automate an appropriately intelligent strategy for
> every real-world contingency.
>
> However, if one takes time, as careful perhaps as a medical surgeon,
> the chance may be good that you can remove the infection and if
> necessary reinstall or rebuild the application anew.
>
> On Oct 16, 2007, at 1:43 PM, Sean McGlynn wrote:
>
>> I read in another post that the only way to quarantine an infected
>> file that is discovered during an on access scan (i.e. via Clamuko)
>> is to write a script that would parse the log file for the location
>> of the infected file and then move it or delete it as desired.  Is
>> this correct?  If not, what is the appropriate method.  If so, does
>> anyone have a good script already written that will perform this
>> function.
>>
>> Thank you much.
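The approach discussed in this thread (parse the scanner log for the location of the infected file, then move it), written out as an added example; it is not code from any poster or from ClamAV. The log line shape, the function names and the idea of an allow-list of data directories are assumptions. Files outside the allowed roots are reported and left alone, which covers the concern about application files raised in the reply.

```python
import os
import re
import shutil
import tempfile

# Assumed line shape: optional "<timestamp> -> " and "Clamuko: " prefixes, then
# "<absolute path>: <signature name> FOUND". Adjust to what your log really contains.
FOUND_RE = re.compile(
    r"^(?:[^/].*? -> )?(?:Clamuko: )?(?P<path>/.*): (?P<sig>\S+) FOUND\s*$")


def parse_detections(lines):
    """Yield (path, signature) for each detection line; ignore all other lines."""
    for line in lines:
        m = FOUND_RE.match(line.rstrip("\n"))
        if m:
            yield m.group("path"), m.group("sig")


def is_under(path, roots):
    """True if the symlink-resolved path lies inside one of the resolved roots."""
    real = os.path.realpath(path)
    for root in roots:
        root_real = os.path.realpath(root)
        if os.path.commonpath([real, root_real]) == root_real:
            return True
    return False


def quarantine(lines, allowed_roots, quarantine_dir):
    """Move detected files into quarantine_dir; return (path, signature, action)."""
    os.makedirs(quarantine_dir, mode=0o700, exist_ok=True)
    results, seen = [], set()
    for path, sig in parse_detections(lines):
        if path in seen:                  # on-access scans can log a file repeatedly
            continue
        seen.add(path)
        if not os.path.lexists(path):
            action = "skipped: file no longer exists"
        elif os.path.islink(path) or not os.path.isfile(path):
            action = "skipped: not a regular file"
        elif not is_under(path, allowed_roots):
            # Application and system files are left for a person to look at.
            action = "skipped: outside allowed roots"
        else:
            # mkstemp reserves a unique name, so equal basenames cannot collide.
            fd, dest = tempfile.mkstemp(
                prefix=os.path.basename(path) + ".", dir=quarantine_dir)
            os.close(fd)
            shutil.move(path, dest)       # move, never delete: the step is reversible
            os.chmod(dest, 0o600)
            action = "moved to " + dest
        results.append((path, sig, action))
    return results


def demo():
    """Build a throwaway tree, feed constructed log lines, return the actions taken."""
    base = tempfile.mkdtemp()
    users = os.path.join(base, "home")
    apps = os.path.join(base, "usr", "lib")
    os.makedirs(os.path.join(users, "alice"))
    os.makedirs(apps)
    doc = os.path.join(users, "alice", "report: final.doc")   # ": " inside a name
    lib = os.path.join(apps, "mailclient.db")
    gone = os.path.join(users, "alice", "deleted.zip")        # never created
    for p in (doc, lib):
        with open(p, "w") as fh:
            fh.write("constructed test content\n")
    log = [   # constructed sample lines, not real detections
        "Tue Oct 16 13:43:00 2007 -> Clamuko: %s: Example.Signature-1 FOUND" % doc,
        "Tue Oct 16 13:43:01 2007 -> Clamuko: %s: Example.Signature-1 FOUND" % doc,
        "%s: Example.Signature-2 FOUND" % lib,
        "%s: Example.Signature-3 FOUND" % gone,
        "Tue Oct 16 13:44:00 2007 -> SelfCheck: Database status OK.",
    ]
    results = quarantine(log, [users], os.path.join(base, "quarantine"))
    return results, doc, lib


if __name__ == "__main__":
    for path, sig, action in demo()[0]:
        print(sig, "|", path, "|", action)
```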


[Clamav-users] Md5 verif error

2007-11-01 Thread Derick Centeno

Hi:

I initiated a folder scan to which Clam AV responded:

MD5 verification error

What does that mean and how can I correct it?

Thanks.



Re: [Clamav-users] I need to refute a 'security expert'

2007-11-19 Thread Derick Centeno

Hi Jim:

For OS X the clamav engine works with the interface provided by  
clamXav.  You can take a look at that page here:
http://www.clamxav.com/

Whenever I'm in OS X, I never fail to be amazed at all the windows  
virii, trojans and God knows what attempting to enter via email which  
clamxav consistently stops and warns me of.  As I can set clamxav to  
scan particular folders such as files appearing on my desktop (whether they be
a new flash drive or downloaded file), I don't have to worry if I missed
something because the email clients I use aren't running at the moment.

As much as I appreciate the Mac the real powerhouse doing all the  
real work is BSD Unix.  So not only does Clamav run in OS X, one can  
make the statement that if clamav works under OS X it will also work  
under BSD.

I can also state that I run a rather specialized variant of Linux  
uniquely designed for PowerPC systems known as Yellow Dog Linux.  Clamav runs
fine there too and has done so for years. Here's the neat thing though, as YDL
runs across a very wide family of PowerPC systems, this also means that
whatever can run YDL (and this includes the PS3), can also run clamav.

As appealing as that may be, what is really enticing is the email client Claws
Mail, which upon compilation from source will run very smoothly within YDL.
Beyond that there is a plug-in for Claws Mail which talks to the clamav engine
utilizing, amongst other things, the new anti-phishing technology which was  
recently built into the engine.  This plugin, as well as others, are  
active and fully available within YDL.

Claws Mail does work within Windows, just as clamav does.  In fact,  
if Windows users would retire whatever the email client they have for  
Claws Mail they could be liberated from most of the problems they now  
endure.

The clamav plugin within Claws Mail is standard together with OpenPGP and other
plugins; interested parties can refer here for more details:

http://www.claws-mail.org/

On Fri, 16 Nov 2007 15:18:10 -0600
[EMAIL PROTECTED] wrote:

> 
> 
> [EMAIL PROTECTED] wrote on 11/16/2007 02:52:34 PM:
> 
> > [EMAIL PROTECTED] wrote:
> > > Hello all.
> > >
> > > We've had some consultant make the spurious claim that Clam AV only scans for 'windows viruses' and is really only useful for 'scanning email'.
> > > Despite the fact that I know this to be patently false, is there documentation out there I can slap him with that clearly indicates that the virus
> > > defs are for any platform, Linux, windows, Unix, Mac OS X, etc. ? I can prove that it scans the file system just by sprinkling a few test viri things
> > > out in the file system. Hard to argue with that sort of evidence.
> > >
> > > The rest of it, well, now it's personal.
> > >
> > As much as I like ClamAV and rely on it for scanning mail before it gets
> > to our Exchange server, I wouldn't use it as my primary Windows
> > solution. There are too many hooks necessary to get real-time scanning,
> > internal Exchange scanning, and so on.  The proper thing, in my opinion,
> > is to build a multi-layer defense, using ClamAV on the MX servers
> > checking incoming mail, and then using a different product on the
> > Windows machines. This way, you get two different teams working on
> > malware definitions, two different ways of looking at things, and two
> > different timing cycles to make it more likely one of them will catch
> > whatever's coming in.
> >
> > In our case, we use ClamAV on the MX servers and run Symantec Corporate
> > on the Windows servers, Windows desktops, and the Exchange server.
> >
> > I certainly understand the personal bit.  Isn't it amazing how they'll
> > pay attention to an outsider and discount everything you say?
> 
> I wouldn't even be in this situation, except that Symantec AV for Linux is a
> little too fussy about kernel levels and the like to pass muster.
> 
> We're building a fairly massive vignette/oracle/apache et al environment and
> the Symantec product is kernel level rigid. It's like we will support
> 2.4.16-252. Not 251. Not 253 JUST 251. So we apply maintenance that involves
> the kernel, which we did for some oracle/vignette level set requirements and
> SAV stopped doing on access scanning and all the other stuff we wanted it
> for. Just because the kernel level nudged up slightly.
> 
> So I dusted off my Clam AV setup that I built for Linux on z/Series, created
> a front end, and through some NFS magic, and automount, I scan all the linux
> server file systems from a single point, and let ONE server do all the heavy
> lifting.
> 
> Is it perfect? no. Is it working? Yes.
> 
> 


==

 "If I were not a physicist, I would probably be a musician. I often
think in music. I live my daydreams in mu

Re: [Clamav-users] Unknown Signature

2007-11-19 Thread Derick Centeno

I'm sure that you're aware that you can also switch that function off  
by merely commenting out those lines.

On Nov 19, 2007, at 3:10 PM, Noel Jones wrote:

> Timothy Sumner wrote:
>> Hi Clam Users,
>>
>> Could anyone help me to find out more information about this  
>> signature
>> Phishing.Heuristics.Email.HexURL
>>
>> I can't see it in my /var/lib/clamav anywhere?
>>
>> I switched off Phishing in the clamd.conf and it still didn't  
>> allow the
>> messages through.
>>
>> PhishingSignatures no
>> PhishingScanURLs no
>>
>> Kind regards,
>>
>> Tim
>
> There isn't an actual signature, rather clamav has detected a
> hex-encoded URL that smells rather phishy.
>
> To disable these heuristics based signatures in
> clamd/clamdscan, set
> PhishingScanURLs no
> in clamd.conf and then stop/start clamd.
>
> To disable them in "clamscan", use the command line option
> "--no-phishing-scan-urls"
>
> If you're using a tool other than clamscan or clamdscan, ie.
> something that accesses libclamav directly, check with the
> supplier of that tool.
>
> -- 
> Noel Jones


You should avoid making yourself too clear even in your explanations.
--  Baltasar Gracian, Spanish philosopher 1601-1658




Re: [Clamav-users] Unknown Signature

2007-11-19 Thread Derick Centeno

This is one of those little annoying logic problems one may have come  
across in examining truth tables and like conundrums within a  
philosophy class.  I'll admit to the probability that I could be  
wrong.  I'll explain my thoughts though regarding why I believe I'm  
right.

Each of the two statements does something unique.  One scans for  
signatures, default yes.  The other scans URLs, also default yes.   
Each option is unique and not sequential or parallel or otherwise  
related to one or the other choice.

Following my own reasoning, I comment them out.  I expect that as a  
result that the signatures are not scanned because the option is not  
enabled.  Similarly I also expect that the scans for URLs will not  
take place, as that option is not enabled.

As far as the program is concerned, there is no option because it  
sees none and so these particular options cannot be processed.  In  
other words, for the program, the option doesn't exist.

Again I'm not at all confident on the point, I'm merely attempting to  
reason it through.  Allow me to consider the invocation of scanning  
signatures as the explanation discussing it is more explicit.  It  
states "With this option enabled..."

Again my choice is that this option is commented out.  I don't see a  
mechanism whereby the program can make any decision regarding it  
because it cannot see it.  In my thinking, the program merely moves  
onto another command it can act upon.  As it cannot act on what it  
cannot see, no action by the program can be taken other than passing  
it by.

Just because I don't see a mechanism doesn't mean there isn't one,  
perhaps I'm splitting hairs.  In any case, I'll certainly reconsider  
the point but I'd certainly like to understand the mechanisms  
better.  Currently I don't see the way the source is written as being  
similar to Boolean statements involving EITHER, AND or OR statements;  
in my view, the options to invoke these and other commands are not  
written that way, in my current understanding.

I look forward to learning more, thanks for the opportunity.


On Nov 19, 2007, at 3:21 PM, Dennis Peterson wrote:

> Derick Centeno wrote:
>> I'm sure that you're aware that you can also switch that function off
>> by merely commenting out those lines.
>
> My 0.91.2 sample clamd.conf file says:
>
> # With this option enabled ClamAV will try to detect phishing attempts by using
> # signatures.
> # Default: yes
> #PhishingSignatures yes
>
> # Scan URLs found in mails for phishing attempts using heuristics.
> # Default: yes
> #PhishingScanURLs yes
>
>
> That doesn't agree with your statement.
>
> dp


You should avoid making yourself too clear even in your explanations.
--  Baltasar Gracian, Spanish philosopher 1601-1658



Re: [Clamav-users] I need to refute a 'security expert'

2007-11-19 Thread Derick Centeno

Which is why my primary system is not OS X, but rather Yellow Dog  
Linux (YDL)!

I don't run Parallels or any windows OS within OS X as I always  
understood that as OS X got bigger, running a guest OS would make it  
slower still.
And of course, what you stated is very true; OS X is susceptible to  
infection.  The Mac community has been very fortunate but I'm not  
sure how long that will last.  In any case, it's not my worry as I'll  
eventually be moving on to the Cell anyway where I can continue to
run YDL and explore technical interests which are not possible on  
Intel or other systems.

I believe that no one has to put up with Windows or OS X, if they  
don't wish to.  I'm sure that if the issue was considered thoroughly  
a good amount of work could be switched to open source programs and  
Linux.  Also if more understood that better processing capacity  
within any architecture is possible within Linux perhaps that might  
be a solid argument enabling us to become more efficient and minimize  
waste.

On Nov 19, 2007, at 12:41 PM, Dennis Peterson wrote:

> Gerard wrote:
>>> On November 19, 2007 at 11:43AM Dennis Peterson wrote:
>>
>>> Before the widespread use of Fusion and Parallels in the Mac this  
>>> wasn't too much of
>>> a problem. Virtual machines have now made it more important to  
>>> keep the OS X file
>>> system clean, now. It's just a matter of time before someone  
>>> writes a virus that
>>> allows a Windows virtual machine to screw with the Mac host.
>>
>> Or vice versa.
>>
>>
>
> Guests os's are always at the mercy of the host.
>
> dp


You should avoid making yourself too clear even in your explanations.
--  Baltasar Gracian, Spanish philosopher 1601-1658



Re: [Clamav-users] I need to refute a 'security expert'

2007-11-19 Thread Derick Centeno

Ok... what I don't get is the reference to Solaris and OS X.

On Nov 19, 2007, at 5:06 PM, Dennis Peterson wrote:

> Derick Centeno wrote:
>> Which is why my primary system is not OS X, but rather Yellow Dog
>> Linux (YDL)!
>
> This highlights the big gripe I have with Linux. You can't even  
> talk about it without
> immediately indicating which vendor's Linux. It is the most  
> fragmented open source
> project in history. There is no point in even including Linux in  
> the name. Yellow Dog
> OS says it all. Fedora says it all. Suse says it all. Etc. Limited  
> interoperability,
> significant maintenance differences, and oh lordy don't get me  
> going on KDE/Gnome
> issues :). None of this has anything to do with ClamAV though.
>
> dp .. who is happy with Solaris and OS X for the one butt to kick  
> principle they offer


You should avoid making yourself too clear even in your explanations.
--  Baltasar Gracian, Spanish philosopher 1601-1658



Re: [Clamav-users] Unknown Signature

2007-11-21 Thread Derick Centeno

Thanks Noel.  I've got to do more thinking on your explanation but I wanted to
express appreciation for your time.

On Mon, 19 Nov 2007 16:08:06 -0600
Noel Jones <[EMAIL PROTECTED]> wrote:

> Derick Centeno wrote:
> > This is one of those little annoying logic problems one may have come  
> > across in examining truth tables and like conundrums within a  
> > philosophy class.  I'll admit to the probability that I could be  
> > wrong.  I'll explain my thoughts though regarding why I believe I'm  
> > right.
> > 
> > Each of the two statements does something unique.  One scans for  
> > signatures, default yes.  The other scans URLs, also default yes.   
> > Each option is unique and not sequential or parallel or otherwise  
> > related to one or the other choice.
> > 
> > Following my own reasoning, I comment them out.  I expect that as a  
> > result that the signatures are not scanned because the option is not  
> > enabled.  Similarly I also expect that the scans for URLs will not  
> > take place, as that option is not enabled.
> > 
> 
> Sorry, this isn't a truth table, it's a program configuration 
> file.
> 
> As noted in the documentation, the default value is "yes" [1]. 
>   There is no difference in program behavior between 
> commenting out a value that defaults "yes" and explicitly 
> setting it to "yes" in the config file.
> 
> 
> [1] There is another discussion that the default should be 
> "no", but that doesn't really have any bearing on this 
> particular discussion.  The default is currently "yes", so set 
> it explicitly to "no" in clamd.conf if you don't want this 
> feature enabled.
> 
> 


==

 "If I were not a physicist, I would probably be a musician. I often
think in music. I live my daydreams in music. I see my life in terms of
music. ... I get most joy in life out of music."  

"What Life Means to Einstein: An Interview by George Sylvester
Viereck," for the October 26, 1929 issue of The Saturday Evening Post.
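The point made in the quoted reply above (a commented-out option falls back to its built-in default, so only an explicit "no" disables it), as an added example that is not from the thread and is not ClamAV's own parser. The defaults are the ones the quoted 0.91.2 sample clamd.conf states; the function names and the simple "Name value" line format are assumptions.

```python
import re

# Defaults as stated in the 0.91.2 sample clamd.conf quoted in this thread.
DEFAULTS = {"PhishingSignatures": "yes", "PhishingScanURLs": "yes"}

# An option line, optionally commented out: "[#]Name value".
OPTION_RE = re.compile(r"^\s*(?P<hash>#\s*)?(?P<name>[A-Za-z]+)\s+(?P<value>\S+)\s*$")

# Constructed inputs. COMMENTED reproduces the sample-file fragment quoted above,
# EXPLICIT_NO the two lines from the original question, MIXED one of each.
COMMENTED = """\
# With this option enabled ClamAV will try to detect phishing attempts by using
# signatures.
# Default: yes
#PhishingSignatures yes

# Scan URLs found in mails for phishing attempts using heuristics.
# Default: yes
#PhishingScanURLs yes
"""
EXPLICIT_NO = "PhishingSignatures no\nPhishingScanURLs no\n"
MIXED = "#PhishingSignatures no\nPhishingScanURLs no\n"


def audit(conf_text, defaults=DEFAULTS):
    """Map each tracked option to (effective value, reason)."""
    explicit, commented = {}, set()
    for line in conf_text.splitlines():
        m = OPTION_RE.match(line)
        if not m or m.group("name") not in defaults:
            continue
        if m.group("hash"):
            commented.add(m.group("name"))     # the daemon never sees this line
        else:
            explicit[m.group("name")] = m.group("value").lower()
    report = {}
    for name, default in defaults.items():
        if name in explicit:
            report[name] = (explicit[name], "set explicitly")
        elif name in commented:
            report[name] = (default, "commented out, built-in default applies")
        else:
            report[name] = (default, "absent, built-in default applies")
    return report


def enabled(conf_text):
    """Names of the tracked options that are effectively switched on."""
    return sorted(n for n, (value, _) in audit(conf_text).items() if value == "yes")


if __name__ == "__main__":
    for label, text in (("commented", COMMENTED), ("explicit no", EXPLICIT_NO),
                        ("mixed", MIXED)):
        print(label, "->", enabled(text))
```

Per the same reply, a change to clamd.conf only takes effect after clamd has been stopped and started again.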


Re: [Clamav-users] What's this? I can't believe it!

2008-01-20 Thread Derick Centeno
The point raised by Dennis is extremely relevant to this thread.  The
exception of course is Linux which runs on the PowerPC or Cell
architecture.  Only in that environment would Linux executables have no
effect as the infecting executables are designed for Linux and Windows
running on Intel compatibles and utilize specific functions, register
processing and calls to the Intel and compatible processor.

Keeping in mind that there are emulators of all kinds, including even a
Linux emulator which functions within Windows, all of them share one
characteristic, they either run on Intel or emulate Intel. All of these are
susceptible to these infections and other malware.

This is a pretty monstrous headache for the current computer system
marketplace which seems to function nearly entirely by relying on one
processor.  I can hear the overwhelming sigh from many experts repeating to
themselves regarding this predicament, "I told them... long ago".  To which
the only response now is, "Oh well..."

The solution which Bill Maidment recommended earlier in this thread may be
the only reasonable approach for users of Intel systems to implement.  If I
was using an Intel system I'd have to agree with him, better safe "than
scorched."

All the best...

On Jan 20, 2008 6:46 PM, Sarocet <[EMAIL PROTECTED]> wrote:

> Dennis Peterson wrote:
> > Nobody has actually tested the files to see if they are Windows executables that I've
> > seen. It is entirely possible they could be Linux executables. File extensions don't
> > mean much on a Linux system but it seems from this thread a great way to pass around
> > Linux viruses is to tack on a .exe extension and a lot of people will ignore them to
> > their great peril.
> >
> > dp
> Well, if you ignore the file I don't see how it's going to run.
> Moreover, it's less likely you will write ./Foo.exe as
> you're already assuming by the extension that it wouldn't work, so why
> do it?


Re: [Clamav-users] What's this? I can't believe it!

2008-01-21 Thread Derick Centeno
Happily, Brandon, no one knows everything anymore!  The IT field has
experienced this uncomfortable reality for a growing number of years now,
and most likely it will get worse despite the effort to sell all kinds of
certifications, re-training programs, etc. As far as experience is
concerned, we each can augment our experiences via mailing lists such as
this and other resources which are easily available via the Net or
elsewhere.

Regarding attacking the architecture itself, this is rare but not unheard
of.  The more common approach however is utilizing the design of the
architecture as an assisting tool of the attacking system.  For instance, a
documented flaw within the architecture design or even standard processing
procedure can be utilized, invoked or implemented by the designer of the
virii or malware to his/her purpose.

The real problem however is that the marketplace has become dependent on one
architecture, namely Intel and compatibles.

Years ago, at least there were a variety of different relatively available
architectures within the marketplace which a consumer could use -- PowerPC,
Sun, etc. (Note: As Sun recently announced that it will become a strictly software
company, even that slim option of acquiring Sun hardware will not be a
viable choice much longer). These other architectures provided improvements
upon the Intel design that were very advanced and still remain useful -- if
one knows how to implement these strengths within Linux.  These formerly
available architectures, due to their construction were different enough
that viral and other malware relying upon Intel specific features couldn't
function as intended.

Linux is a phenomenal OS, however given the reality of virii and malware
Linux is further protected if it's on a different architecture, in my
opinion.  Currently the only remaining competing architecture commonly
available within the marketplace is the Cell within the PS3 which will run
Linux.

Yes, there may be people writing malware for different architectures, but
doing so is difficult, also the amount of people it would affect is so small
that the malware designer would really have to be seriously deranged to
invest his/her own time to pursue that path.

Of course, the wisest approach is to be skilled enough to handle anything.
This is mostly a goal, than something actually to be achieved but keeping it
as a continuing challenge is also a strong defense and deterrent.

All the best...

On Jan 20, 2008 10:53 PM, Brandon Perry <[EMAIL PROTECTED]> wrote:

> That still seems a bit "over-the-top". Sure, better safe than sorry, but
> I wouldn't just blindly delete any exe that I come into contact with
> (via email or otherwise). Especially on Linux, you can get archives
> zipped into an exe format that are unzipped via unzip -a. That is quite
> a common format in the Windows world, and I have seen a few times
> within the Linux world also. Magic numbers can't tell it is an archive,
> so you would think it is just a regular binary, but I know for a fact
> Dell does many of their drivers in this format.
>
> With the whole Intel thing, even through emulation, this could be a
> stretched argument. Sure, there are architecture-independent viruses,
> but I haven't heard of a virus that can attack on any platform through
> the architecture itself. I am sure that in the future, these will be
> common, but I don't think this is something that we should be worrying
> about now. Please correct me if I am wrong in saying this as I am not
> pretending to know everything about the virus infections, this is just
> from experience.
>
> On Sun, 2008-01-20 at 19:51 -0500, Derick Centeno wrote:
> > The point raised by Dennis is extremely relevant to this thread.  The
> > exception of course is Linux which runs on the PowerPC or Cell
> > architecture.  Only in that environment would Linux executables have no
> > effect as the infecting executables are designed for Linux and Windows
> > running on Intel compatibles and utilize specific functions, register
> > processing and calls to the Intel and compatible processor.
> >
> > Keeping in mind that there are emulators of all kinds, including even a
> > Linux emulator which functions within Windows, all of them share one
> > characteristic, they either run on Intel or emulate Intel. All of these are
> > susceptible to these infections and other malware.
> >
> > This is a pretty monstrous headache for the current computer system
> > marketplace which seems to function nearly entirely by relying on one
> > processor.  I can hear the overwhelming sigh from many experts repeating to
> > themselves regarding this predicament, "I told them... long ago".  To which
> > the only response now is, "Oh well..."
> >

Re: [Clamav-users] What's this? I can't believe it!

2008-01-23 Thread Derick Centeno
You don't need to use those old programs.  You could access many traditional
Unix editors from within Terminal.  Within Terminal you can access both vi
and vim.  If you are very familiar with Darwin within OS X you can establish
Administrative status such that you can also use sudo within Terminal and
activate the use of vi/vim within Administrative mode which means you can
access and use serious and advanced features of vi/vim which goes way beyond
what Hexedit, Resedit or Apple's programming environment is capable of.  You
need to have a solid understanding of modifying bashrc and vim so that you
can instruct vim to activate advanced features by accessing bashrc first.

If you are truly interested in vim go to http://www.vim.org/ to learn more.
Keep in mind that vim/vi have been qualified as a true Turing system or
program.

Of course should you get into serious programming you may find that OS X
falls short regarding what is possible to do as it is designed to be a
client system.  If you want to get into server programming which vim is
capable of you'll either have to purchase OS X Server (from Apple) or
partition your HD and install Linux.  Linux is both a server and a client
system, and you can program freely for either one within the General Public
License designation.

All the best...


On 1/22/08, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
> In macintosh there are two programs, Hexedit and Resedit, which let you see
> the contents of a file without opening it, Hexedit especially which converts
> the binary into text. I have always used these programmes with suspect files.
> The ones in Windows are named so but do not do what the mac software does.
> Are there any similar programmes in Linux?
> Cheers


Re: [Clamav-users] amavisd-new clamav

2008-01-23 Thread Derick Centeno
Hi Andrea:

Just as a shortcut next with yum do:

yum install "postfix*"

or

yum install "amavisd-new*"

or

yum install "clamav*"

Note: the asterisk does the job of telling yum to find any
permutations/spelling variations which follow after the *.  Doing this saves
some typing and liberates you from using rpm as rpm is invoked from within
yum anyway.  Invoking and installing via rpm again is being redundant to no
purpose especially as yum has self-check and cross-check features which rpm
doesn't know about.  Yum is designed to do the rpm package analyses for you.

Regarding the .conf files, do:

$ whereis clamd.conf

or

# whereis clamd.conf

Simply for your information those files are installed in /etc or elsewhere
(I'm not in my Linux system right now so I can't be specific).  Use whereis
for more info.

All the best...


On 1/23/08, Andrea Bencini <[EMAIL PROTECTED]> wrote:
>
> ...again
> I installed FC8 and then, with command yum, I installed
> yum install postfix
> and
>
> yum install amavisd-new
> It installed amavisd-new-2.5.2-2.fc8 and the dependencies:
> clamav-data-0.92-6.fc8
> clamav-filesystem-0.92-6.fc8
> clamav-lib-0.92-6.fc8
> clamav-server-0.92-6.fc8
> clamav-server-sysv-0.92-6.fc8
>
> Then I installed with rpm
> rpm -ivh clamav-0.92-6.fc8.i386.rpm
>
> Now I am looking for clamd.conf and freshclam.conf, but I can't find
> them.
> What do I have to do? Which rpm package are they in?
> I would like to follow the path of rpm and yum.
>
> Can you help me?
> Thanks
> Andrea


Re: [Clamav-users] clamav rpm package

2008-01-23 Thread Derick Centeno
Buono Serra, Andrea!

One of the other ways clamav is installed is by downloading the source and
compiling it.  As clamav compiles it builds and installs the various .conf
files.  However if you install clamav via yum or rpm chances are the .conf
files will not be installed but will have to be constructed.

As I stated before you can cross-check the facts to determine whether .conf
files have been installed for you by running either:

$ whereis freshclam.conf

or anything else you are searching for.

Now this is the tricky point.  The .conf files are installed with the most
useful commands commented out and are therefore unavailable for execution.
You must un-comment the commands within the .conf files to have them
executed; this is done by removing the # symbol before each line.  Be sure
to read the clamav manual and other documentation regarding activating
various command functions.

Lastly, keep in mind that the higher the version number you are using of
clamav (or anything else) that signifies the most current version of that
program.  Remember that although it's always nice to have the latest version
of something, it is also quite possible that the latest version of a
particular program or package will conflict with the standard or official
release packages of the version of Linux which you happen to have
installed.  The safe way around this challenge as a user of that official
Linux release is to only do installations using yum where yum.conf points to
the official release and update packages for that Linux variant, and you
choose to refrain from using rpm until you become clearer or have better
understanding regarding what packages the version of Linux you use are
constructed and built.

Should you in your research discover that you installed a package using rpm
which you should not have used, then you can extract or remove that package
by doing (for example):

# rpm -e clamav-0.92-33.fc8.i386

As an example suppose the immediately above rpm package is what I want
removed.  After this removal is completed, I'll need to make sure that the
accepted version of clamav for the version of Linux I'm using is properly
installed.  This can mean reinstalling the correct package by using yum,
again I repeat make sure that yum.conf is pointing or directed to the right
rpm packages for the release of the version of Linux you are using.

All the best...

On 1/23/08, Andrea Bencini <[EMAIL PROTECTED]> wrote:
>
> clamav-0.92-6.fc8.i386.rpm  and clamav-0.91.2-3.fc8.i386.rpm packages
> haven't clamd.conf and freshclam.conf files.
> clamav-0.92-33.fc8.i386.rpm package has clamd.conf and freshclam.conf files.
> Why are there these differences?
>
> Thanks
> Andrea
>


Re: [Clamav-users] help, can't compile clamav-0.92 ("gcc bug")

2008-01-27 Thread Derick Centeno

An option which works on Linux and may work within the Terminal is to order or
command the gcc compiler to NOT use compiler optimizations.

Try this:

$ CFLAGS="-O0" ./configure

On Sun, 27 Jan 2008 19:27:38 +0900
"Matthias Schmidt" <[EMAIL PROTECTED]> wrote:

> Am/On Tue, 18 Dec 2007 05:14:40 + schrieb/wrote Robert:
> 
> >
> >On 17 Dec 2007, at 19:15, fchan wrote:
> >
> >> Hi,
> >> I have the same thing happening a my MacBookPro. I get this message  
> >> also:
> >> checking for gcc bug PR28045... configure: error: your compiler has
> >> gcc PR28045 bug, use a different compiler, see
> >> http://gcc.gnu.org/bugzilla/show_bug.cgi?id=28045
> >>
> >> I'm using xcode_2.4.1_8m and I'm downloading xcode_3.0 to hopefully
> >> resolve this issue and hopefully that Apple updated gcc on this newer
> >> xcode. Any other Mac people seen this issue?
> >>
> >> Thank you,
> >> Frank
> >
> >
> >Just got the same error running os x 10.4.11 (ppc).
> >Haven't tried under 10.5 yet...
> >Re-installed clam 0.91.2 and all is well again.
> 
> I have the last version of XCode installed under Leopard.
> Just wanted to install on a 10.5.1 Server 0.92 and get the same error
> after running configure.
> 
> Do I need to install gcc 4.2.2?
> Can that just be downloaded and installed?
> 
> Thanks and all the best
> 
> Matthias
> 


==

 "If I were not a physicist, I would probably be a musician. I often
think in music. I live my daydreams in music. I see my life in terms of
music. ... I get most joy in life out of music."  

"What Life Means to Einstein: An Interview by George Sylvester
Viereck," for the October 26, 1929 issue of The Saturday Evening Post.


Re: [Clamav-users] Problem with clamav on Linux

2008-01-27 Thread Derick Centeno

After clamav has been compiled you've got to read the manual and follow the
instructions for modifying the .conf files so that when various clamav
processes run they'll refer to the functions or commands you activated by
uncommenting the code!  Specifically the command sequence for accessing the
clam log file is controlled by modifying the settings in the .conf files!

Setting the .conf files to function as you'd like is a bit of intricate work so
make sure you understand the manual!

Best of luck!

On Sun, 27 Jan 2008 21:18:37 +0700
"Quỳnh H Nguyễn" <[EMAIL PROTECTED]> wrote:

>  Hello,
> 
> I'm very newbie in Linux, but I learn much to install a complete Linux
> system.
> 
> However, antivirus is one of the most important for a current server. And I
> choose ClamAV to deploy an antivirus for server and mail server too.
> 
> I did following the instruction from clamav.net via "yum install" command.
> It install all things... and I set the service clamd to start automatically
> when system starting.
> 
> clamd service start ok, it show [OK] when system boot. When I check port
> 3310 by command: "sudo lsof -i:3310", there is not any clamd program
> listening at this port. I tried to use command: "service clamd start" and
> it say [OK] too. And the clamd log:
>
> Mon Jan 28 04:21:29 2008 -> +++ Started at Mon Jan 28 04:21:29 2008
> Mon Jan 28 04:21:29 2008 -> clamd daemon 0.92 (OS: linux-gnu, ARCH: i386, CPU: i386)
> Mon Jan 28 04:21:29 2008 -> Running as user clamav (UID 100, GID 101)
> Mon Jan 28 04:21:29 2008 -> Log file size limit disabled.
> Mon Jan 28 04:21:29 2008 -> Reading databases from /var/clamav
> Mon Jan 28 04:21:29 2008 -> ERROR: Unable to open file or directory
>
> I tried again with the command "clamd", and waited for 5 seconds, then used
> "sudo lsof -i:3310" again. I see that there is a clamd listening:
>
> COMMAND  PID   USER   FD   TYPE DEVICE SIZE NODE NAME
> clamd   5142 clamav    5u  IPv4  13550       TCP localhost.localdomain:dyna-access (LISTEN)
>
> So is there any problem? Could you please help me to start the clamd
> service at the boot successfully? Too hard to understand.
> 
> I can not start service by use command: "service clamd start", but the
> service is available by using command: "clamd".
> 
> Thank you very much!


==

 "If I were not a physicist, I would probably be a musician. I often
think in music. I live my daydreams in music. I see my life in terms of
music. ... I get most joy in life out of music."  

"What Life Means to Einstein: An Interview by George Sylvester
Viereck," for the October 26, 1929 issue of The Saturday Evening Post.
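The two replies above (the .conf files arrive with settings commented out, and clamd's log ends at "Reading databases from /var/clamav" with "Unable to open file or directory") describe checks that can be scripted. This is an added example, not part of the thread or of ClamAV: the helper function names, the sample config and the temporary paths are constructed for illustration, while Example, DatabaseDirectory, LogFile, TCPSocket, TCPAddr and LocalSocket are real clamd.conf directives.

```shell
#!/bin/sh
# Added example: audit a clamd.conf for what is active vs. still commented out.

# Print the active lines of config file $1 (comments and blank lines dropped).
active_directives() {
    sed -e 's/[[:space:]]*$//' -e 's/^[[:space:]]*//' -e '/^#/d' -e '/^$/d' "$1"
}

# Print the value of the first active directive named $2 in file $1.
conf_get() {
    active_directives "$1" |
        awk -v k="$2" '$1 == k { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# Report findings for file $1; the return status is the number of blocking ones.
check_conf() {
    conf=$1
    problems=0
    if active_directives "$conf" | grep -qx 'Example'; then
        echo "FAIL: 'Example' line is active; comment it out or remove it"
        problems=$((problems + 1))
    fi
    if [ -z "$(conf_get "$conf" TCPSocket)$(conf_get "$conf" LocalSocket)" ]; then
        echo "FAIL: neither TCPSocket nor LocalSocket is active"
        problems=$((problems + 1))
    fi
    dbdir=$(conf_get "$conf" DatabaseDirectory)
    if [ -z "$dbdir" ]; then
        echo "WARN: DatabaseDirectory not set; the compiled-in default applies"
    elif [ ! -d "$dbdir" ] || [ ! -r "$dbdir" ]; then
        # Run this as the clamd user to test that account's permissions.
        echo "FAIL: DatabaseDirectory '$dbdir' is missing or unreadable"
        problems=$((problems + 1))
    fi
    [ -n "$(conf_get "$conf" LogFile)" ] || echo "WARN: LogFile not set"
    return "$problems"
}

# Write a constructed sample, shaped like a freshly installed config, to $1.
make_sample() {
    cat > "$1" <<'EOF'
# Comment or remove the line below.
Example
#LogFile /tmp/clamd.log
#DatabaseDirectory /var/lib/clamav
#TCPSocket 3310
#TCPAddr 127.0.0.1
EOF
}

tmp=$(mktemp -d)
make_sample "$tmp/clamd.conf"
check_conf "$tmp/clamd.conf" || echo "=> $? blocking problem(s) as installed"
mkdir "$tmp/db"   # stands in for the signature database directory
sed -e 's/^Example/#Example/' -e 's/^#TCP/TCP/' -e 's/^#LogFile/LogFile/' \
    -e "s|^#DatabaseDirectory .*|DatabaseDirectory $tmp/db|" \
    "$tmp/clamd.conf" > "$tmp/fixed.conf"
check_conf "$tmp/fixed.conf" && echo "=> edited copy has no blocking problems"
rm -rf "$tmp"
```

Note that the Example marker is the one line that has to be commented out rather than uncommented; the other settings are activated by removing the leading #.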


Re: [Clamav-users] A small survey about limits (Oversized.Zip and friends)

2008-01-29 Thread Derick Centeno

Hi aCaB:

Since you've clarified your meaning, I can state that I don't use  
those features.

On Jan 29, 2008, at 12:07 PM, aCaB wrote:

> James Kosin wrote:
>> Maybe, put a warning in the email message clarifying that the file  
>> could
>> not be checked by clamav instead of flagging as an 'Oversized.Zip'
>> virus.  This may be more useful for the receiver and sender to  
>> know than
>> to actually cause an annoying DoS prevention.
>
> Hey James,
> Thanks for the feedback.
> Yeh, that the idea behind Oversized and friends.
> But that, of course, requires the clamav output to be postprocessed.
>
> So to tune my question (sorry if i wasn't clear in the first place)...
> Is anybody doing that in real life? That is, do you want us to keep  
> such
> a "feature"?
>
> Thanks,
> -aCaB


Re: [Clamav-users] support for ClamxAV

2008-02-04 Thread Derick Centeno

You can go here:

http://www.clamxav.com/

and sign up for the mailing list from there.

All the best...

On Feb 4, 2008, at 9:30 AM, Jan B wrote:

> I have a Mac. Where do I find support for ClamxAV?
>
> --Jan


Re: [Clamav-users] Multi-OS Scanning

2008-03-22 Thread Derick Centeno
Yes.  It notifies you of the virus's presence and identifies its location.
It leaves you the option to remove it yourself; this protects some email
programs by allowing a person to refine the procedure of removal without
resorting to a brute-force extraction which clamav is capable of.  Clamav's
behavior can be modified according to users'/system administrators' needs.

Within Linux, one has access to modify the settings of the .conf files which
are utilized by different components of clamav (freshclam and clamd).

On Mon, 17 Mar 2008 14:44:34 -0400
Tyler <[EMAIL PROTECTED]> wrote:

> 
> Does ClamAV for Linux detect a Windows or Mac virus?  Is the virus database
> the same no matter what platform the scanner is running on so that viruses
> intended for a system other than the one the scanner is running on will be
> detected?




Re: [Clamav-users] Memory usage for clamd is huge

2008-03-30 Thread Derick Centeno
On Sun, 30 Mar 2008 15:14:38 +0200
Sarocet <[EMAIL PROTECTED]> wrote:

> Dennis Peterson wrote:
> > I think he's suggesting that he'd prefer you not mail him because of 
> > your idiot policy on outgoing virus scanning. I agree with him. I'm sure 
> > I'm not the only one who would blacklist you right now because of your 
> > policy if we knew your outgoing smtp IP.
> >   
> Scanning outgoing email is not something i think such useful and it's a 
> nuisance for its users,
> but how does it deserve for a smtp ban?
> 
> 
> PS: Note that he didn't explicitly say he was scanning outgoing mail.

It's unfortunate that this thread moved quickly to such a heat that the fellow
who initiated it with a basic query decided to quit this list.

I'm in agreement with the other pros who voiced their opinion regarding
enforcement of sensible procedures.  However the better approach with this
individual may have been to ask more details regarding his setup and present a
reasoned alternative to his approach for his consideration -- not threaten him
with a ban.  My own approach would have been to explain why a ban would be
justified should a workable alternative not be employed.

The lost opportunity here was to explain why any person using an unprotected
system is a risk to themselves and others.  There are a lot more people using
systems in all kinds of ways who didn't acquire the knowledge base or skill
set of the pros here and elsewhere.

This venue doesn't have to be a school; it should however be a resource where
persons of any skill level may approach and learn something useful without risk
of being torched, scalded or otherwise impugned.  Tolerance with reasoned
restraint are not weaknesses; it is the first requirement for pros to become
better teachers and better listeners.




Re: [Clamav-users] accept file .exe

2008-04-05 Thread Derick Centeno
On Fri, 4 Apr 2008 16:14:02 -0600
"Instituto de Ingenieria Área de Sistemas Unix/Linux" <[EMAIL PROTECTED]>
wrote:

> hi,
> what i have to make in amavisd.conf
> for accept files .exe?
> thanks

Doing this exposes your system or systems.  There have been several discussions
in this list regarding strategies so that exactly what you propose to do, is
avoided.

===
"If I were not a physicist, I would probably be a musician. I often
think in music. I live my daydreams in music. I see my life in terms of
music. ... I get most joy in life out of music."  

"What Life Means to Einstein: An Interview by George Sylvester
Viereck," for the October 26, 1929 issue of The Saturday Evening Post.

