Re: [Clamav-users] Re: SCO.a not being caught at all
Try clamscan rather than clamdscan. I was having a similar problem and it started working when I used clamscan rather than clamdscan. I assumed it was a config issue on my part, but

On Tue, 2004-01-27 at 12:05, Erik Bourget wrote:
> I have no idea how this mail got so messed up, heh. I guess I'll try again.
>
> Hey,
>
> Clam does catch other viruses but is failing to catch this sco.a thing for
> some reason. Does anyone have any insight?
>
> The only two kinds of malware caught this morning are Worm.Gibe.F and
> Exploit.IFrame.Gen, in case that's symptomatic of something.
>
> I'm using clamav 0.65 from the debian packages distributed on the site.
>
> Clamav is being run from a .qmail file as:
> | /usr/bin/clamdscan -; [ $? != 1 ] || exit 99
> | /usr/bin/spamc -d filtercluster1 | /usr/bin/maildrop
>
> freshclam just now updated to:
>
> -rw-r--r--1 clamav clamav 48969 Jan 27 11:31 daily.cvd
> -rw-r--r--1 clamav clamav1037239 Jan 27 11:31 main.cvd
>
> ClamAV update process started at Tue Jan 27 11:29:12 2004
> main.cvd updated (version: 19, sigs: 19987, f-level: 1, builder: ddm)
> daily.cvd updated (version: 108, sigs: 593, f-level: 1, builder: ddm)
> Database updated (20580 signatures) from database.clamav.net (195.70.36.141).
>
> Scanning a saved e-mail that Symantec flags correctly:
>
> # clamdscan - < virus
> stream: OK
>
> clamav.conf file:
> LocalSocket /var/run/clamd.ctl
> ScanArchive
> StreamSaveToDisk
> ArchiveMaxRecursion 5
> ArchiveMaxFiles 1000
> ArchiveMaxFileSize 10M
> ThreadTimeout 180
> MaxThreads 5
> MaxConnectionQueueLength 15
> PidFile /var/run/clamd.pid
> DataDirectory /var/lib/clamav/
> SelfCheck 3600

--
Go to http://www.digium.com/index.php?menu=documentation and look at the "Unofficial Links" section. This section has links to a wide variety of 3rd party Asterisk related pages. My page is the "Asterisk Resource Pages".
BTEL Consulting 504-899-1387 or 850-484-4545 or 877-677-9643
Re: [Clamav-users] Re: SCO.a not being caught at all
Yay! I'm not crazy!

On Wed, 2004-01-28 at 08:23, Dirk Meyer wrote:
> Eric Wieling wrote:
>
> > Try clamscan rather than clamdscan. I was having a similar problem and
> > it started working when I used clamscan rather than clamdscan. I
> > assumed it was a config issue on my part, but
>
> I verified on 3 different systems (cvs 2004-01-20 running)
> clamscan detects, clamdscan not.
>
> When I stop clamd and start it again it works.
>
> Problem:
> after freshclam updates, clamd doesn't catch the new signatures.
>
> Question:
> How can I verify clamd runs with new signatures?
> So this problem can be tracked down?
>
> kind regards Dirk

--
BTEL Consulting 504-899-1387 or 850-484-4545 or 877-677-9643
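One way to answer the question quoted above ("How can I verify clamd runs with new signatures?"), as an added example that is not part of the thread: compare the daily database version freshclam logged with the version the running clamd reports. The function names are hypothetical, the `ClamAV <engine>/<database version>/<date>` reply format is the one current clamd releases give to their VERSION command (an assumption for the 0.65 release discussed here), and the sample reply is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): report whether clamd is still serving
# an older daily database than the one freshclam last installed.

# Newest daily database version in freshclam log text read from stdin.
freshclam_daily_version() {
    sed -n 's/.*daily\.c[lv]d updated (version: \([0-9][0-9]*\),.*/\1/p' | tail -n 1
}

# Database version from a clamd VERSION reply. Assumed reply format:
#   ClamAV <engine version>/<database version>/<database date>
clamd_db_version() {
    printf '%s\n' "$1" | awk -F/ 'NF >= 2 && $2 ~ /^[0-9]+$/ { print $2 }'
}

is_number() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    return 0
}

# Usage: compare_db_versions <installed> <loaded>
# Prints CURRENT, STALE or UNKNOWN (a version is missing or not numeric).
compare_db_versions() {
    if ! is_number "$1" || ! is_number "$2"; then
        echo UNKNOWN
    elif [ "$2" -lt "$1" ]; then
        echo STALE
    else
        echo CURRENT
    fi
}

# freshclam log lines as quoted in the thread.
SAMPLE_LOG='ClamAV update process started at Tue Jan 27 11:29:12 2004
main.cvd updated (version: 19, sigs: 19987, f-level: 1, builder: ddm)
daily.cvd updated (version: 108, sigs: 593, f-level: 1, builder: ddm)'

# Constructed reply from a clamd that has not reloaded since version 107.
SAMPLE_REPLY='ClamAV 0.65/107/Mon Jan 26 11:30:02 2004'

installed=$(printf '%s\n' "$SAMPLE_LOG" | freshclam_daily_version)
loaded=$(clamd_db_version "$SAMPLE_REPLY")
echo "installed=$installed loaded=$loaded: $(compare_db_versions "$installed" "$loaded")"
```

On a live host the second argument would come from the running clamd and the log text from the freshclam log; a STALE result matches the symptom described above, where clamscan detects a sample and clamdscan does not until clamd is restarted.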
[Clamav-users] Potential hack for password protected zip files
In libclamav/scanners.c around line 424 add between the "free(buff);" and the "return ret;":

    if(files == 1) {
        cli_dbgmsg("Zip -> empty zip file!\n");
        *virname = "Empty.Zip";
        ret = CL_VIRUS;
    }

That section of code will now look like this:

        free(buff);
        if(files == 1) {
            cli_dbgmsg("Zip -> empty zip file!\n");
            *virname = "Empty.Zip";
            ret = CL_VIRUS;
        }
        return ret;
    }

It's a horrible little hack, but I'm making the assumption here that an empty zip file is treated as a virus and a password protected zip file will appear to contain no files. The counter "files" seems to be off by one.

--
Eric Wieling
BTEL Consulting
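Review bot: the test "if(files == 1)" encodes the off-by-one in the "files" counter that the message itself points out, so the check changes meaning if the counter is ever corrected: it would then report every archive with exactly one member as "Empty.Zip". Correcting the counter first and testing for zero, or at least commenting why 1 means "no members", would make the intent survive later edits. Two smaller points on the same block: "ret = CL_VIRUS;" overwrites whatever value "ret" already held at that point, so an earlier error code is replaced by a detection, and a genuinely empty archive and a password-protected one are reported under the same name, which makes the resulting log entries hard to triage.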
[Clamav-users] Problem with clamscan .vs. clamdscan
I'm having a problem where clamscan does not detect an encrypted .zip file, but clamdscan does. Does anyone have any suggestions?

[EMAIL PROTECTED] tmp]# /usr/bin/clamdscan --tempdir=/tmp -r -i bob.zip
/tmp/bob.zip: Encrypted.Zip FOUND

--- SCAN SUMMARY ---
Infected files: 1
Time: 0.002 sec (0 m 0 s)
[EMAIL PROTECTED] tmp]# /usr/bin/clamscan --tempdir=/tmp -r -i bob.zip

--- SCAN SUMMARY ---
Known viruses: 21192
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
I/O buffer size: 131072 bytes
Time: 3.306 sec (0 m 3 s)
[EMAIL PROTECTED] tmp]# clamscan --version
clamscan / ClamAV version 0.70
[EMAIL PROTECTED] tmp]# clamdscan --version
clamdscan / ClamAV version 0.70
[EMAIL PROTECTED] tmp]# grep Encr /etc/clam*.conf
/etc/clamav.conf:# Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).
/etc/clamav.conf:ArchiveBlockEncrypted
/etc/clamd.conf:# Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).
/etc/clamd.conf:ArchiveBlockEncrypted
[EMAIL PROTECTED] tmp]# grep Stream /etc/clam*.conf
/etc/clamav.conf:StreamSaveToDisk
/etc/clamav.conf:StreamMaxLength 16M
/etc/clamd.conf:StreamSaveToDisk
/etc/clamd.conf:StreamMaxLength 16M
[EMAIL PROTECTED] tmp]# grep User /etc/clam*.conf
/etc/clamav.conf:User root
/etc/clamd.conf:User root
[EMAIL PROTECTED] tmp]# find / -name "clam*.conf" -print
/etc/clamav.conf
/etc/clamd.conf
[EMAIL PROTECTED] tmp]# whereis clamscan
clamscan: /usr/bin/clamscan /usr/share/man/man1/clamscan.1.bz2
[EMAIL PROTECTED] tmp]# whereis clamdscan
clamdscan: /usr/bin/clamdscan /usr/share/man/man1/clamdscan.1.bz2
[EMAIL PROTECTED] tmp]#

--
Eric Wieling * BTEL Consulting * 504-899-1387 x2111
"In a related story, the IRS has recently ruled that the cost of Windows upgrades can NOT be deducted as a gambling loss."
Re: [Clamav-users] Problem with clamscan .vs. clamdscan
On Fri, 2004-04-23 at 08:40, Stephen Gran wrote:
> use /usr/bin/clamscan --tempdir=/tmp -r -i --block-encrypted bob.zip

Any idea why the config file setting to enable blocking encrypted files is not working?

--Eric

--
Eric Wieling * BTEL Consulting * 504-899-1387 x2111
Re: [Clamav-users] Problem with clamscan .vs. clamdscan
On Fri, 2004-04-23 at 10:47, Stephen Gran wrote:
> On Fri, Apr 23, 2004 at 09:26:04AM -0500, Eric Wieling said:
> > On Fri, 2004-04-23 at 08:40, Stephen Gran wrote:
> > > use /usr/bin/clamscan --tempdir=/tmp -r -i --block-encrypted bob.zip
> >
> > Any idea why the config file setting to enable blocking encrypted files
> > is not working?
>
> Because clamscan doesn't read clamav.conf.

What DOES read clamav.conf?

--Eric

--
Eric Wieling * BTEL Consulting * 504-899-1387 x2111
Re: [Clamav-users] Problem with clamscan .vs. clamdscan
On Fri, 2004-04-23 at 14:40, Stephen Gran wrote:
> > What DOES read clamav.conf?
>
> clamd, clamdscan, and clamav-milter. freshclam also looks at it to find
> out how to notify clamd if you have it set to notify clamd after updates.
> It _is_ in the various docs, you know :)

The RPM I'm using has a clamd.conf, freshclam.conf, and clamav.conf so I must have assumed that the rest of the programs used clamav.conf, and must have assumed that clamdscan and clamscan both read the same config file.

Maybe it's because I use spamassassin and "spamassassin" and "spamc" (the daemon client) try to act the same way and try to be drop-in replacements for each other. I just assumed that clamscan and clamdscan tried to be drop in replacements for each other as well.

--Eric

--
Eric Wieling * BTEL Consulting * 504-899-1387 x2111
RE: [Clamav-users] Sasser Worm Virus not shown with sigtool
It would be nice if clamscan, clamd, freshclam, sigtool, etc printed out the full path of the database files they are using (maybe only if -v is specified?). That would help people track down what's happening.

--Eric

--
Eric Wieling * BTEL Consulting * 504-899-1387 x2111
Re: [Clamav-users] Maybe a virus Sober.P
Dennis Peterson wrote:
> My webmail is configured to use our standard smtp servers for all
> inbound/outbound mail. It really isn't all that difficult.

I think they mean webmail systems that are not on your network and that you don't manage. i.e. Hotmail.