[Clamav-users] clamd leaking

2004-02-26 Thread John Jolet

has anyone noticed any problems with clamd leaking memory?  I've installed the 
rpm from crash-hat and it seems to be chewing up my swap quickly.  I 
uninstalled that and built from source and it does the same thing, just a bit 
slower.  I'll have to restart clamd nightly if i really want it running.

I'm on fedora on an amd duron.


___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users


Re: [Clamav-users] Couple of questions regarding ClamAV

2004-02-26 Thread John Jolet

so you can't use the lmtp transport?
I'll just move ahead down the road i'm going and reevaluate later.
On Thursday 26 February 2004 01:24 pm, Thomas Lamy wrote:
> John Jolet wrote:
> > I have a question about that... is it documented anywhere how to get
> > clamd integrated into postfix?  all i could find was instructions on
> > doing it via amavisd-new, so that's the road i've started down, but I'd
> > prefer to do it natively via clamd, if possible.
>
> AFAIK this is not yet possible. Currently you need to define
> content_filter in postfix, which exchanges messages via any transport
> defined in master.cf. Candidates for that include the "pipe" and "smtp"
> transport (the various amavisd's use smtp), but there's nothing there
> where you can plug clam[d]scan directly.
> Second thing is postfix doesn't yet support content filtering at smtp
> level (e.g. reject virii or spam directly via "550 x" SMTP reply),
> it spools every message to disk before handing it out to a defined
> content_filter. The upcoming Postfix 2.1 will feature smtp level
> scanning, but will still need some interface application.
> I plan to write one, to get rid of amavisd-new in the first place. But
> my time is limited, so I can't promise any release date. I'll post an
> announcement here when it's ready, and hopefully it will also appear in
> clam's contrib/ directory then.
>
> Thomas


Re: [Clamav-users] Couple of questions regarding ClamAV

2004-02-26 Thread John Jolet

I have a question about that... is it documented anywhere how to get clamd 
integrated into postfix?  all i could find was instructions on doing it via 
amavisd-new, so that's the road i've started down, but I'd prefer to do it 
natively via clamd, if possible.

On Thursday 26 February 2004 11:09 am, Tomasz Papszun wrote:
> On Thu, 26 Feb 2004 at 10:30:43 -0500, jef moskot wrote:
> > On Thu, 26 Feb 2004, Jesper Juhl wrote:
> > > clamd has died on me only once...
> >
> > Traffic at my site is still low enough that I am just using clamscan.
> > What happens when clamd dies?  Does mail continue to go through
> > unscanned, or does it start backing up in a queue?  Neither sounds very
> > good...
>
> I can't see your particular setup in this thread so I don't know if you,
> by chance, use amavisd-new.
> If yes, nothing bad happens. "Secondary scanners" are being used then,
> e.g. clamscan. This is less efficient of course when comparing with
> clamav-daemon (clamd), but mail continue to flow _scanned_. A very nice
> solution!


Re: [Clamav-users] Mydoom.F not in my virus defs...

2004-02-26 Thread John Jolet

I bet it does, since yesterday i scanned an email with clamav that our 
"up-to-date" trend micro av on exchange let through :)
i chortled to the exchange admin about it, too.

On Thursday 26 February 2004 11:16 am, Kevin Hanser wrote:
> I've recently been asked if our virus scanner (clamav) detects the
> latest mydoom, Mydoom.F.  I've seen other messages on this and the
> mailscanner list that indicate that it does, but I've been unable to
> confirm it myself yet.
>
> If I do: sigtool --list-sigs | grep -i mydoom
>
> I get:
> Worm.Mydoom.B
> Worm.Mydoom.B-dll
> Worm.Mydoom.E
> Worm.Mydoom.E-unp
> Worm.MyDoom.E.UPX
>
> Is one of those MyDoom variants actually MyDoom.F (or is it called
> something else)?
>
> I checked my maillog, and it looks like my ClamAV is keeping up to date:
> Feb 26 08:01:06 pluto ClamAV-autoupdate[7919]: ClamAV updated
>
> Thanx!
>
> k


Re: [Clamav-users] clamd leaking

2004-02-26 Thread John Jolet

I'm going to watch it for a few days and see if it grows.  might be a leak in 
a shared library on fedora.  I'm not too concerned about issuing a restart 
each night.  This is just a family mail server.

On Thursday 26 February 2004 10:16 am, Ralph Angenendt wrote:
> John Jolet wrote:
> > has anyone noticed any problems with clamd leaking memory?  I've
> > installed the rpm from crash-hat and it seems to be chewing up my swap
> > quickly.  I uninstalled that and built from source and it does the
> > same thing, just a bit slower.
>
> I cannot reproduce that:
>
> vscan  342  0.0  0.9 16624 12600 ?   S    Feb20   0:06 /usr/sbin/clamd
> vscan  355  0.0  0.9 16624 12600 ?   S    Feb20   0:11 /usr/sbin/clamd
> vscan  356  0.0  0.9 16624 12600 ?   S    Feb20   0:09 /usr/sbin/clamd
>
> This is a cvs version from the beginning of February and as you can see
> it is running since February 20th :)
>
> This is on SuSE 7.3, the package has been built by myself.
>
> Ralph


Re: [Clamav-users] clamd leaking

2004-02-26 Thread John Jolet

clamscan / ClamAV version 0.67

On Thursday 26 February 2004 10:21 am, Thomas Lamy wrote:
> John Jolet wrote:
> > has anyone noticed any problems with clamd leaking memory?  I've
> > installed the rpm from crash-hat and it seems to be chewing up my swap
> > quickly.  I uninstalled that and built from source and it does the same
> > thing, just a bit slower.  I'll have to restart clamd nightly if i really
> > want it running.
> >
> > I'm on fedora on an amd duron.
>
> And clamscan --version reports what?


[Clamav-users] clamd leaking

2004-02-27 Thread John Jolet
my bad.  Turns out it's not clamd leaking.  It's kde :)
Got clamd working with postfix via amavisd.  works great (i think, 
haven't been sent a virus yet).



Re: [Clamav-users] clamd leaking

2004-02-27 Thread John Jolet
Hmmm, test #8 got through.  what have i misconfigured?  "Test #8: Eicar 
virus sent using BinHex encoding within a MIME segment "
Jesper Juhl wrote:

On Fri, 27 Feb 2004, John Jolet wrote:

 

my bad.  Turns out it's not clamd leaking.  It's kde :)
Got clamd working with postfix via amavisd.  works great (i think,
haven't been sent a virus yet).
   

The EICAR test virus is good for the purpose of testing an AV solution.
Grab it from here: http://www.eicar.org/anti_virus_test_file.htm then send
those files as attachments to yourself - clam detects it if your setup is
working.
http://www.testvirus.org/ can also be used for this purpose if you are
unable to send yourself email from an external account. On that page you
can select how the file should be attached and to what address to send it.
Great site for testing your setup.
Kind regards,

Jesper Juhl





Re: [Clamav-users] Re: 5 from testvirus.com came through

2004-02-27 Thread John Jolet
Nigel Horne wrote:

On Friday 27 February 2004 10:27 pm, Bryce wrote:
 

Test # 17, 8, 5, 4, and 2 are making it through. I am using version .65.
What can I do to prevent this?
   

Binhex was added in 0.67, so all binhex encoded e-mails will get through
unless you upgrade.
-Nigel

 

I guess that answers my question about test 8 as well.



Re: [Clamav-users] password-protected Worm.Bagle.H

2004-03-02 Thread John Jolet

The question is how much of a problem it really is.  Are users
really that dumb?
What I'm wondering is whether the encrypted version of the
virus can be created by the unencrypted version, or whether the
encrypted versions of the virus we have seen have all been
produced by actual encrypted-zip infections.  Anyone know?
 

yes, they are.  i've gotten about 10 of those in the last 3 days.



Re: [Clamav-users] email report

2004-03-03 Thread John Jolet

On Wednesday 03 March 2004 05:01 pm, Raul Elizondo wrote:
> Hi,
>
> I am using just the clamav, and it does its job not letting viruses pass
> thru.  I tried to install some amavis version, but couldn't make it work on
> redhat 9.  Once i saw that just the clamav stops the viruses, i just left
> it without any other program.
>
I think you missed the question...what mta do you run?  what, exactly is 
calling clamd?  for instance...i run postfix, which sends incoming mail to 
amavisd-new, which calls clamd.  clamd returns status to amavisd, and amavisd 
sends the email notification.  So... what mta... what glue process...




Re: [Clamav-users] Is this a legitimate notice? or generated by a virus?

2004-03-03 Thread John Jolet
On Wednesday 03 March 2004 08:00 pm, Michael Torrie wrote:
> Virus.  See the latest virus notices on AV web sites.  If you uncompress
> the zip file (with the provided password), clamav will detect it.  The
> current discussion on the list has been how to handle this at the
> server, since clamav cannot scan password zip contents at present.
>
> Michael
>
I've been watching all this comment and talking to my windows-based 
co-workers.  All of this is an EXTREMELY compelling argument for 
"defense-in-depth".  Let's none of us think that any server-based av scanning 
is a "silver bullet".  Our trend-micro scanner at work is missing these as 
well.  There's no substitute for inbound scanning combined with on-access 
scanning.




Re: [Clamav-users] Error with clamav-milter

2004-03-04 Thread John Jolet
James Barber wrote:

Hi there,
 
I'm trying to get the clamav-milter to work with sendmail.  I've made 
all the required changes to the sendmail.cf file, but when I try to 
restart sendmail, I get the error:
"sendmail: WARNING: Xclmilter'': local socket name 
/var/clamav/clmilter.sock' missing".
 
I've verified, and the clmilter.sock file is indeed in the 
/var/clamav/clmilter.sock directory (srwxr-xr-x 1 root root 0 Mar  3 16:51 
clmilter.sock).
 
Here is some info about the system:
Redhat 8.0
Kernel 2.4.18
Sendmail 8.12.5-7 (though when connecting via telnet, the version is 
8.12.8/8.12.5)
ClamAV version 0.67-1
 
I've compiled ClamAV with the --enable-milter option, and it works 
fine.  clamd starts up fine as well, and all tests seem to go 
through.  One thing I noticed is that when I execute 
"/usr/sbin/clamav-milter -blo /var/clamav/clmilter.sock", I get a 
warning: "/usr/sbin/clamav-milter: running as root is not 
recommended".  However, I can see via "ps" that it is running.
 
Is there something I missed?  Any help is appreciated.
 
Thanks,
 
James Barber
[EMAIL PROTECTED] 
doesn't sendmail need WRITE access to that socket?  unless you're 
running sendmail as root (not a prime idea), it won't have write access 
to that object.
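
The permission question raised in this reply can be checked mechanically. The following is an added example, not code from the thread, ClamAV or sendmail: it assumes Linux semantics, where connecting to a pathname Unix socket needs write permission on the socket file and search permission on its directory, and it evaluates only classic mode bits (no ACLs, capabilities or SELinux). The function names and the uid/gid values are hypothetical.

```python
import os
import socket
import stat
import tempfile


def _granted(st, uid, gids, want):
    """Owner/group/other check of classic mode bits.

    `want` is a mask in the low three bits (4=r, 2=w, 1=x). uid 0 is
    treated as always allowed, which is why a root-owned 0755 socket is
    usable by a root process and by nobody else.
    """
    if uid == 0:
        return True
    if uid == st.st_uid:
        bits = (st.st_mode >> 6) & 7
    elif st.st_gid in gids:
        bits = (st.st_mode >> 3) & 7
    else:
        bits = st.st_mode & 7
    return bits & want == want


def can_connect(sock_path, uid, gids):
    """Return (ok, reason): may a process with uid/gids connect() here?

    Only the socket and its immediate parent directory are examined.
    """
    st = os.stat(sock_path)
    if not stat.S_ISSOCK(st.st_mode):
        return False, "not a socket"
    parent = os.stat(os.path.dirname(os.path.abspath(sock_path)))
    if not _granted(parent, uid, gids, 1):
        return False, "no search permission on the directory"
    if not _granted(st, uid, gids, 2):
        return False, "no write permission on the socket"
    return True, "ok"


def demo():
    """Bind a throwaway socket and evaluate three permission layouts."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "clmilter.sock")
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(path)
        st = os.stat(path)
        mta_uid = st.st_uid + 1   # constructed: a non-root uid that is not the owner
        mta_gid = st.st_gid + 1   # constructed: a group that does not own the socket

        os.chmod(d, 0o755)
        os.chmod(path, 0o755)     # srwxr-xr-x, the mode shown in the listing above
        results["0755 non-owner"] = can_connect(path, mta_uid, {mta_gid})

        os.chmod(path, 0o660)     # srw-rw----, with the MTA user in the socket's group
        results["0660 in group"] = can_connect(path, mta_uid, {st.st_gid})

        os.chmod(d, 0o700)        # directory closed to everyone but its owner
        results["0660 dir 0700"] = can_connect(path, mta_uid, {st.st_gid})
        srv.close()
    return results


if __name__ == "__main__":
    for layout, (ok, reason) in demo().items():
        print(f"{layout:16} -> {'allowed' if ok else 'denied'} ({reason})")
```

A shared group with mode 0660 on the socket lets the MTA connect without making the socket world-writable or running either side as root.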



Re: [Clamav-users] sendmail devel?

2004-03-05 Thread John Jolet
Antony Stone wrote:

On Friday 05 March 2004 7:54 pm, Jim Maul wrote:

 

 On the other hand, remove sendmail and install Postfix instead.
 

Or qmail.  Both are more secure than sendmail.
   

Is this still true?   I know sendmail had a bad history of security problems 
in its early days (but then again it has been around for a very long time).

What has sendmail's *recent* history of security problems been like?   Where 
can I see some tests showing postfix or qmail are better?

Regards,

Antony,

 

this is ot, however, we just moved our gateway mail servers from 
sendmail to postfix and saw a tremendous cpu-utilization drop.  Security 
concerns aside, postfix is (in my opinion) a heck of a lot easier to 
manage and configure.


Re: [Clamav-users] Re: duh, ignore my last question

2004-03-05 Thread John Jolet
On Friday 05 March 2004 09:30 pm, Starbane wrote:
> Jim Maul wrote:
> > my apologies, it was almost 5pm on a friday and for some reason i asked
> > if sendmail supports maildirs.  musta been a brain fart cause obviously
> > thats not the mta's job.  Feel free to point and laugh.
> >
> > Thanks
> > Jim
>
> Since we're sharing, I recently spent an hour trying to figure out why
> my cron job wasn't running.
>
> Of course, after editing the job and scratching my head watching syslog,
> I eventually DID notice that crond was not running.
>
> Definitely  goes along with having to crack the case on a PC, only to
> discover the reason it wasn't POSTing was the lack of an attached power
> cable.
>
> :)
(sigh) it's the little things that make this career worth it, isn't it? :)




Re: [Clamav-users] Re: Simple patch for dealing with password zip files

2004-03-08 Thread John Jolet
On Monday 08 March 2004 10:51 am, Jesper Juhl wrote:
--snip--
> The first "qr" block checks for double extensions like file.foo.exe and
> ban such files if the last extension is one of vbs|pif|scr|bat|com|exe|dll
> the next two "qr" blocks block files purely based on the last extension.
> The next "qr" block blocks based on the output from file(1), and the last
> "qr" block blocks based on mime type.
--snip--
This brings up an interesting point.  I've never seen a legitimate file on a 
windows box with two or more 3-character extensions.  Would it be a bad 
assumption to make?
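
The question can be tried against filenames. The following is an added example, not code from the thread or from amavisd-new: the first pattern follows the double-extension rule as the quoted text describes it, the second is the broader "two or more 3-character extensions" idea from this reply, and the regular expressions, function names and sample filenames are all constructed here.

```python
import re

# Executable extensions named in the quoted description of the first rule.
EXEC_EXTS = ("vbs", "pif", "scr", "bat", "com", "exe", "dll")

# Rule as described: any extension followed by an executable one.
# Written for this example; it is not amavisd-new's own expression.
DOUBLE_EXEC = re.compile(r"\.[^.]+\.(?:%s)$" % "|".join(EXEC_EXTS), re.IGNORECASE)

# Broader heuristic from the reply: two or more trailing
# three-character extensions, whatever they are.
TWO_SHORT_EXTS = re.compile(r"(?:\.[A-Za-z0-9]{3}){2,}$")


def normalize(name):
    """Drop any path and the trailing dots and spaces that Windows ignores,
    so 'a.doc.exe. ' is judged as 'a.doc.exe'."""
    base = re.split(r"[\\/]", name)[-1]
    return base.rstrip(" .")


def classify(name):
    """Report which of the two checks would fire for an attachment name."""
    base = normalize(name)
    return {
        "double_exec": bool(DOUBLE_EXEC.search(base)),
        "two_short_exts": bool(TWO_SHORT_EXTS.search(base)),
    }


# Constructed sample attachment names, hostile-looking and benign.
SAMPLES = [
    "invoice.doc.pif",
    "photo.jpg.scr ",      # trailing space
    "readme.txt.exe.",     # trailing dot
    "update.html.exe",     # first extension has four characters
    "setup.exe",
    "backup.tar.zip",
    "notes.txt.bak",
    "web.config.bak",
]


def only_broad(names):
    """Names the broad heuristic blocks although the last extension
    is not executable (candidates for false positives)."""
    return [n for n in names
            if classify(n)["two_short_exts"] and not classify(n)["double_exec"]]


def only_exec_rule(names):
    """Names the described rule blocks but the broad heuristic misses."""
    return [n for n in names
            if classify(n)["double_exec"] and not classify(n)["two_short_exts"]]


if __name__ == "__main__":
    for n in SAMPLES:
        print(f"{n!r:22} {classify(n)}")
    print("broad heuristic only:", only_broad(SAMPLES))
    print("described rule only: ", only_exec_rule(SAMPLES))
```

On these samples the broad heuristic also blocks archive and backup names such as `backup.tar.zip`, and it misses `update.html.exe`, which the executable-extension rule catches.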




Re: [Clamav-users] Logfile

2004-03-11 Thread John Jolet
Jorge Valdes wrote:

Hi,
I am very happy with clamav, and would like everyone's opinion to the 
following feature request:

clamd logs to a file and you can control the size, but when this limit 
is reached, logging stops. When this happens, an entry in the file 
says it has reached the file size limit. Since the program realizes 
this, wouldn't it be better to rename the logfile automatically by 
just adding an extension (like logrotate) and create a new file?

Jorge Valdes
NOC Manager
Intercom El Salvador
[EMAIL PROTECTED]
Tel. 503-278-5068
Tel. 503-265-7070
Fax. 503-265-7025


why not just run logrotate and have done with it?





Re: [Clamav-users] Logfile

2004-03-11 Thread John Jolet
Betsy Schwartz wrote:

At 12:41 PM 3/11/2004, John Jolet wrote:

why not just run logrotate and have done with it?


It would help if clamd took a "kill -HUP" and started a new logfile.



Betsy Schwartz                    email: [EMAIL PROTECTED]
Unix Systems Administrator, CRG   voice: 617-495-5947
Harvard Graduate School of Design fax:   617-496-5866





hmm, logrotate seems to be working just fine on my fedora box.



Re: [Clamav-users] Re: Logfile

2004-03-12 Thread John Jolet
On Thursday 11 March 2004 09:48 pm, Betsy Schwartz wrote:
> When you say clamAV works with logrotate, what command are you issuing to
> get clamav to start using the new file? What I'm seeing is that it doesn't
> respond to SIGHUP but has to be killed and restarted to get it to let go of
> the old filehandle
>
>
>
> Betsy Schwartz                    email: [EMAIL PROTECTED]
> Unix Systems Administrator, CRG   voice: 617-495-5947
> Harvard Graduate School of Design fax:   617-496-5866
>
>
>
>
>
#
# Rotate Clam AV daemon log file
#

/var/log/clamav/clamd.log {
missingok
nocompress
copytruncate
#create 640 clamav clamav
#postrotate
#   /bin/kill -HUP `cat /var/run/clamav/clamd.pid 2> /dev/null` 2> /dev/null || true
#endscript
}

as you can see, the kill -HUP line is commented out.  It's being rotated:
-rw-r-----  1 mailscan mailscan 17895 Mar 12 06:11 clamd.log
-rw-r-----  1 mailscan mailscan 25582 Mar  7 04:02 clamd.log.1
-rw-r-----  1 mailscan mailscan 29355 Feb 29 04:02 clamd.log.2
-rw-r--r--  1 mailscan mailscan 16837 Mar 12 04:02 freshclam.log
-rw-r--r--  1 mailscan mailscan  9711 Mar  7 04:02 freshclam.log.1
-rw-r--r--  1 mailscan mailscan  6607 Feb 29 04:02 freshclam.log.2
this is what's being run by logrotate:
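
The two observations in this exchange, that the daemon keeps the old file handle until it is restarted and that the `copytruncate` configuration above rotates the log anyway, can be reproduced with a writer that holds its log open across a rotation. The following is an added example, not code from the thread or from ClamAV or logrotate: the function names are hypothetical, and because the thread does not say whether clamd opens its log in append mode, the example shows both cases.

```python
import os
import shutil
import tempfile


def rotate_by_rename(log_path):
    """Default rotation style: rename the live file, create a new empty one."""
    os.rename(log_path, log_path + ".1")
    open(log_path, "w").close()


def rotate_by_copytruncate(log_path):
    """The copytruncate approach: copy the log, then truncate it in place.

    Anything written between the copy and the truncate is lost; nothing
    writes in that window in this demonstration.
    """
    shutil.copyfile(log_path, log_path + ".1")
    os.truncate(log_path, 0)


def simulate(rotate, append=True, reopen=False):
    """Rotate the log while a writer holds it open.

    append: the writer opened the log with O_APPEND (mode "a").
    reopen: the writer closes and reopens the log after rotation, which
            is what a signal handler for log reopening would do.
    Returns (contents of clamd.log, contents of clamd.log.1).
    """
    with tempfile.TemporaryDirectory() as d:
        log_path = os.path.join(d, "clamd.log")
        writer = open(log_path, "a" if append else "w")
        writer.write("before rotation\n")
        writer.flush()

        rotate(log_path)
        if reopen:
            writer.close()
            writer = open(log_path, "a")

        writer.write("after rotation\n")
        writer.flush()
        writer.close()

        with open(log_path) as f:
            live = f.read()
        with open(log_path + ".1") as f:
            rotated = f.read()
        return live, rotated


if __name__ == "__main__":
    cases = [
        ("rename, handle kept open", rotate_by_rename, {}),
        ("rename, then reopen", rotate_by_rename, {"reopen": True}),
        ("copytruncate, append-mode writer", rotate_by_copytruncate, {}),
        ("copytruncate, non-append writer", rotate_by_copytruncate,
         {"append": False}),
    ]
    for label, rotate, kwargs in cases:
        live, rotated = simulate(rotate, **kwargs)
        print(f"{label}\n  clamd.log   = {live!r}\n  clamd.log.1 = {rotated!r}")
```

With rename-only rotation the new entries keep landing in `clamd.log.1` and the live log stays empty, so anything tailing `clamd.log` sees no scan results. With `copytruncate` and a writer that is not in append mode, the new entry lands at the old offset and the file starts with NUL padding.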




Re: [Clamav-users] clamassassin and procmail config

2004-03-18 Thread John Jolet
pi wrote:

Nigel Horne wrote:

On Thursday 18 Mar 2004 9:45 am, pi wrote:
 

I thought  milter was ONLY for scanmail, I use postfix.
  


Milter is for sendmail.

 

Phil
  


 

Yes, that's what I wanted to say  ;-)

What can I use with postfix?

Phil



i'm using amavisd with postfix.



Re: [Clamav-users] memory leak?

2004-03-21 Thread John Jolet
If anything, i'd say it leaked less...course, i jumped from .65 to .7.

On Sunday 21 March 2004 12:38 pm, Didi Rieder wrote:
> Hi all,
>
> is it possible that there is a memory leak in clamd since version 0.68-1.
> I'm running 0.68-1 on several Solaris 8 an 9 boxes. After starting clamd it
> uses about 14Mb of memory and just 3 days later it's already about 80Mb.
> I didn't notice this behavior in previous versions.
>
> Didi




Re: [Clamav-users] RPM Stability

2004-04-02 Thread John Jolet
On Friday 02 April 2004 04:22 am, WipeOut wrote:
> Hi, is anyone having stability issues with Petr Kristov's RPM's ??
>
> I am running them on Fedora Core 1..
>
> The problem is when I try to use clamscan or clamdscan/clamd with my
> mail server it causes the mail server to crash.. The mail server people
> are telling me it clamav thats crashing..
>
> I am able to run clamscan and clamdscan from a command line on many
> files and it doesn't crash..
>
> The mail server runs stable without calling clamav..
>
> Its when I try to use the two together that something is freaking out..
>
> I can't build a latest version from source because there are no
> compilers on the server.. Which is why I have used the RPM's..
>
> Anyone got any ideas?
>
> Thanks..
I'm running fedora core 1 with those rpms solid as a rock (mostly, some memory 
leaks somewhere, but very minor).  Certainly no mail server instability.  
Which mail server are you running.  I'm running postfix and not having any 
problems.  Of course, the mail server doesn't run clam, amavis does, but 
still...i don't see why tossing a mail at an external daemon should hose up 
the mail daemon, unless clam has a problem and the mail server can't deal 
with not getting a response...which seems silly.




Re: [Clamav-users] One seems to have sneaked by W32.BEAGLE.X

2004-05-16 Thread John Jolet
On Sun, May 16, 2004 at 05:41:11PM -0500, McKeever Chris wrote:
> ---
> Chris McKeever
> If you want to reply directly to me, please use cgmckeever--at--prupref---dot---com
> http://www.prupref.com
> Prudential Preferred Properties
> Chicago and Illinois NorthShore Real Estate Experts
> 
> On Sun, 16 May 2004 13:42 , Eric Becker <[EMAIL PROTECTED]> sent:
> 
> >>Well - in this case it was definitely from outside - and the >proxy I 
> >>wrote and use passes all email, internal or external, >through clam and
> >
> >?spam assassin and a bunch of custom rules... but thanks >:-)
> >
> >Well depending on the virus, it may be sending emails from it's own smtp
> >engine and not touching your server that is scanning your emails.  The
> >virus doesn't care or bother to use any proxy that you may have setup. 
> >It just sends out emails on it's own.  We have qmail with qmail-scanner
> >and clamav on box sitting outside our network that scans all incoming
> >mail and forwards it on to our groupwise server. I'm not sure how you're
> >setup  I.E. if clamav is actually sitting on the mailserver that's
> >storing your users' emails. If it is, then I would assume the email(s)
> >should have been caught.
> >
> >We thought the same thing had happened.  We started getting all kinds of
> >viruses emailed to our users and the "from" field appeared to be from a
> >known customer outside of our network.  Turns out that a laptop user had
> >gotten infected when he took the laptop home and was sending the virus
> >out to our users from within our network when he vpn'd in.   Just
> >because the sender field is from an external email address, doesn't mean
> >it didn't originate internally.  Most return addresses on viruses are
> >spoofed.  
> >
> >If you haven't already done so, I would look at the headers of the
> >emails with the virus. If you notice that the emails never touch the
> >server with clamav, then obviously they were never scanned.  
> 
> 
> Eric - that is exactly what happened here, since the virus has its own SMTP it was 
> just sending directly to the internal mail-server.  since that is 
> just he server, and never sends itself, I blocked all traffic except for the IP of 
> the mail gateway - at least it takes out one piece of the 
> equation if something does 'slip' through
> 
We, in fact, have smtp outbound blocked for ALL but our mail servers, for that very 
reason.  With the notable exception of our network monitoring box and the 3 or 4 
outbound smtp servers, nothing can send mail out without passing through a 
gateway... now if I could only convince them to let us run clam on the gateway


___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users
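
The header check suggested in the quoted advice above, as an added example that is not part of the original thread: it walks the Received lines from the newest down and trusts a line only while it was written by one of your own servers, so a Received line that merely names the scanner does not count as proof of scanning. Host names, addresses and both sample messages are constructed.

```python
import email
import re

# Constructed inventory (hypothetical names and addresses): our own mail
# hosts and the IP each one connects from.
OUR_SERVERS = {
    "gateway.example.net": "192.0.2.10",        # scanning gateway (clamav)
    "groupwise.example.internal": "10.0.0.5",   # internal mail store
}
FINAL_HOST = "groupwise.example.internal"   # where the message was read from
SCANNER_HOST = "gateway.example.net"

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Return the connecting peer IP and the host that wrote this header."""
    flat = " " + " ".join(value.split())        # unfold continuation lines
    head, sep, tail = flat.partition(" by ")
    ip = IP_RE.search(head)
    words = tail.split()
    return {
        "peer_ip": ip.group(1) if ip else None,
        "by": words[0].rstrip(";").lower() if sep and words else None,
    }


def assess(raw, servers=OUR_SERVERS, final_host=FINAL_HOST, scanner=SCANNER_HOST):
    """Decide whether the message provably passed through the scanner."""
    msg = email.message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    ip_to_host = {ip: host for host, ip in servers.items()}
    trusted, expected = [], final_host
    for hop in hops:                            # newest header comes first
        # A line is trusted only if the previous trusted hop says it received
        # the message from the server that claims to have written this line.
        if expected is None or hop["by"] != expected:
            break
        trusted.append(hop)
        expected = ip_to_host.get(hop["peer_ip"])
    return {
        "scanned": any(h["by"] == scanner for h in trusted),
        "entry_peer": trusted[-1]["peer_ip"] if trusted else None,
        "trusted_hops": len(trusted),
        "ignored_hops": len(hops) - len(trusted),
    }


def naive_scanned(raw, scanner=SCANNER_HOST):
    """The tempting shortcut: any Received line that mentions the scanner."""
    msg = email.message_from_string(raw)
    return any(scanner in v for v in msg.get_all("Received", []))


# Constructed sample 1: delivered through the gateway.
VIA_GATEWAY = "\n".join([
    "Received: from gateway.example.net (gateway.example.net [192.0.2.10])",
    "\tby groupwise.example.internal with ESMTP id A1; Thu, 26 Feb 2004 10:00:02 -0600",
    "Received: from mail.customer.example (mail.customer.example [198.51.100.7])",
    "\tby gateway.example.net (qmail) with SMTP id B2; Thu, 26 Feb 2004 10:00:01 -0600",
    "From: someone@customer.example",
    "Subject: invoice",
    "",
    "body",
])

# Constructed sample 2: handed straight to the internal server by a VPN
# client; the second Received line was supplied by the sender.
DIRECT_FROM_VPN = "\n".join([
    "Received: from laptop (unknown [10.8.0.23])",
    "\tby groupwise.example.internal with SMTP id C3; Thu, 26 Feb 2004 10:05:00 -0600",
    "Received: from mail.customer.example (mail.customer.example [198.51.100.7])",
    "\tby gateway.example.net (qmail) with SMTP id D4; Thu, 26 Feb 2004 10:04:59 -0600",
    "From: someone@customer.example",
    "Subject: invoice",
    "",
    "body",
])

if __name__ == "__main__":
    for label, raw in (("via gateway", VIA_GATEWAY), ("direct", DIRECT_FROM_VPN)):
        print(label, assess(raw), "naive:", naive_scanned(raw))
```

The `entry_peer` value is the address that handed the message to your infrastructure, which is the one to trace when the From address points at an outside customer.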


Re: [Clamav-users] Re: Trojan.Baglet?

2004-08-31 Thread John Jolet
I don't believe Symantec updates their definitions more than once a week.  
Certainly not for us poor home users.
you can update all you want, but the file won't change.
On Tuesday 31 August 2004 12:37 pm, henry j. mason wrote:
> J. Frost wrote:
> > Hy Henry,
> >
> > ...
> >
> >> infections, many of which are not detected by our Symantec
> >> NAV Corporate edition (with up to the minute definitions).
> >> i keep submitting files to Symantec, and they keep sending
> >> me back responses that, yes, my file is infected, and with
> >> the latest definitions i'll catch this latest variant.
> >
> > ...
> > Maybe the "automatic update" don't catch the actual definitions
> > (synchronisation takes some days??!)
>
>  you are correct.
>
> > Please try to update from
> > http://securityresponse.symantec.com/avcenter/download.html
>
>  i've done that. catches some, not the others.
>
> > Different to automatic?
>
>   well, yes. they release new definitions every hour.
>   of course, after i submit a new variant, the new
>   definitions catch that particular variant. but it
>   ends up being a game of whack-a-mole, and i have to
>   sit around and wait for them to update their defs
>   anyway...
>
>   this is why i want to know more about the infection
>   mechanism :> i guess it's time to break out the packet
>   sniffer.
>
>   regards,
>   henry
>
>
>
> ___
> Clamav-users mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/clamav-users


___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users


Re: [Clamav-users] Mail filter

2004-10-06 Thread John Jolet
no, but the postfix ones will :)

On Wednesday 06 October 2004 04:47 pm, Evan Pierce wrote:
> Mandrake 10 unfortunately comes with postfix normally so sendmail
> instructions may not work for you.
>
> Evan
>
> ___
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

-- 
John Jolet
Technology Solutions
Your On-Demand IT Department
[EMAIL PROTECTED]
(512)762-0729
www.jolet.net
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-14 Thread John Jolet
On the issue of manually reviewing the mails to submit...isn't this the
purpose of the quarantine directory?  When it detects a phishing malware, 
look at the file in the quarantine directory. 

On Sunday 14 November 2004 8:57 am, Julian Mehnle wrote:
> Matt [EMAIL PROTECTED] wrote:
> > Julian Mehnle wrote:
> > > How can I configure ClamAV not to try to detect phishing and other
> > > social engineering attacks?
> >
> > Why? Your prerogative, obviously, but I am just curious.
>
> For three reasons:
>
>  1. I consider filtering technically harmful messages for my users
> acceptable, but I think filtering social engineering to be censorship.
> I would rather educate my users.
>
>  2. While recognizing technical engineering (viruses, worms, other
> malware) automatically has proven to be feasible, I _generally_ do not
> believe in recognizing social engineering (scams, phishing, etc.)
> automatically.  Technical state of the art is far from doing that
> reliably.  Without machines being able to understand the meaning of
> text, any heuristics can only be a crook.  I am using reputation
> systems (AKA DNS blacklists) instead.
>
>  3. I am using the SpamCop reporting tool[1] to file complaints to ISPs
> about spam (which specifically includes phishing attacks) that I
> receive.  SpamCop requires spam samples to be manually checked for
> spamminess before being reported.  Thus I _do_ want to receive social
> engineering messages and classify them manually in order to report
> them to SpamCop.
>
> Tomasz Kojm [EMAIL PROTECTED] wrote:
> > Julian Mehnle <[EMAIL PROTECTED]> wrote:
> > > How can I configure ClamAV not to try to detect phishing and other
> > > social engineering attacks?
> >
> > Modify your mail scanner to pass "HTML.Phishing.*" through.
>
> Yes, I can do that.  Is there an authoritative hierarchy of signature
> names from which I can see what hierarchy branches ("HTML.Phishing.*",
> etc.) I would have to whitelist?
>
> Besides there's obviously a fundamental difference between technical
> malware and social engineering malware, so there should be a way to
> configure what to detect and what not.
>
> References:
>  1. http://www.spamcop.net/anonsignup.shtml
>
> ___
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

-- 
John Jolet
Your On-Demand IT Department
512-762-0729
[EMAIL PROTECTED]
www.jolet.net
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-14 Thread John Jolet
On Sunday 14 November 2004 9:17 am, Julian Mehnle wrote:
> John Jolet [EMAIL PROTECTED] wrote:
> > On the issue of manually reviewing the mails to submit...isn't this the
> > purpose of the quarantine directory?  When it detects a phishing
> > malware, look at the file in the quarantine directory.
>
> I also don't believe in quarantine directories, which have to be checked
> by admins or users anyway after all.  If I accepted messages and then
> filtered them into a quarantine directory, false positives would get lost
> without the sender being notified.  Instead I outright reject unwanted
> messages during the SMTP transaction, so the sender gets notified.  My
> users can see what messages have been rejected by skimming over a list of
> recently rejected messages once or twice a week (see an example here[1]).
> This practice has proven to work well for me and my users. :-)
>
> References:
>  1. http://julian.io.link-m.de/misc/rejected-messages
>
> ___
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
I would agree with that practice, except in this day and age of spoofed 
addresses and zombies, that bounce is (a) unlikely to be read and (b) 
unlikely even to go to the right place.   I would personally tend to a policy 
of quietly quarantining and cleaning out the directory of files > 30 days or
so...

-- 
John Jolet
Your On-Demand IT Department
512-762-0729
[EMAIL PROTECTED]
www.jolet.net
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-15 Thread John Jolet
I have to laugh and slap my knee here...as all the email I get from friends 
and acquaintances that use hotmail end up sending me pure html...not
multipart mime with a text and html part...JUST html.  Very annoying when
saving the message as text or using mutt.

On Monday 15 November 2004 3:41 pm, [EMAIL PROTECTED] wrote:
> Bart Silverstrim wrote:
> > I find it interesting though that I've yet to hear from anyone
> > commenting on my proposal to create a filter that will extract and
> > convert all emails into pure text, or reformat it so only certain
> > things can get through as an attachment with a pure text message so it
> > would be "defanged" of scripts, web content, potential scripting
> > exploits, etc...I'm honestly beginning to wonder how hard
> > that would be to make and whether it may be of use for some sites.
>
> Microsoft SMTP Server allows this via CDO.Message
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cdosys/html/_cdosys_imessage_htmlbody.asp
>
> "When... you set the HTMLBody property, Microsoft Collaboration Data
> Objects (CDO) automatically sets the TextBody property to the plain text
> equivalent."
>
> Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
> Hispanic Business Inc./HireDiversity.com Software Engineer
> perl -e"map{y/a-z/l-za-k/;print}shift" "Jjhi pcdiwtg Ptga wprztg,"
> ___
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

-- 
John Jolet
Your On-Demand IT Department
512-762-0729
[EMAIL PROTECTED]
www.jolet.net
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks

2004-11-15 Thread John Jolet
yup.  very little email needs to be html.
On Monday 15 November 2004 7:43 pm, Todd Lyons wrote:
> John Jolet wanted us to know:
> >I have to laugh and slap my knee here...as all the email I get from
> > friends and acquaintances that use hotmail end up sending me pure
> > html...not multipart mime with a text and html part...JUST html.  Very
> > annoying when saving the message as text or using mutt.
>
> Fixable in mutt with:
>
> [EMAIL PROTECTED] todd]$ grep "text/html" ~/.mailcap
> text/html; /usr/bin/lynx -dump -force_html -localhost %s; copiousoutput
>
> [EMAIL PROTECTED] todd]$ grep message-hook .muttrc
> message-hook . 'set mime_forward=no'
> message-hook '~h multipart' 'set mime_forward=ask-yes'
>
> But of course that wasn't necessarily what you were complaining about
> (reading it in mutt) as much as the fact that people are sending
> websites in html.

-- 
John Jolet
Your On-Demand IT Department
512-762-0729
[EMAIL PROTECTED]
www.jolet.net
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Re: [Clamav-users] borked database

2004-11-19 Thread John Jolet
I think what happened was it was removed from main, and added to daily.   Just 
a timing issue.
On 11/19/2004 10:26 pm, Damian Menscher wrote:
> On Sat, 20 Nov 2004, Tomasz Papszun wrote:
> > On Fri, 19 Nov 2004 at 20:09:06 -0600, Damian Menscher wrote:
> >> Clamd didn't find the EICAR pattern. Your virus database(s) could be
> >> borked!
> >
> > Eicar-Test-Signature was moved to daily.cvd to let us update it later
> > (because currently it causes FPs with some files), resulting in a short
> > absence.
>
> I'm confused.  If you have to change it, why not change main.cvd once,
> rather than changing main.cvd to remove it then again to put it back?
> Are we expected to check for updates to the daily.cvd more often than
> for updates to main.cvd?
>
> I guess it goes without saying (but I will anyway) that changing things
> in a way that doesn't cause clamdwatch.pl to fail would be greatly
> appreciated.  (Imagine lots of scared little sysadmins trying to figure
> out what to do when they get emails about ClamAV being "borked".  ;)
>
> Damian Menscher

-- 
John Jolet
Your On-Demand IT Department
512-762-0729
[EMAIL PROTECTED]
www.jolet.net

___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Re: [Clamav-users] Clam newbie questions

2004-12-31 Thread John Jolet
it's in /usr/bin on my fc2 system.

Timothy Payne ([EMAIL PROTECTED]) wrote:
>
> On Thu, 2004-12-30 at 22:48 -0600, K. Shantanu wrote:
> > * Timothy Payne <[EMAIL PROTECTED]> [041230 22:34]:
> > > I thought it might be as I saw it in another post spelled wrong.  But I
> > > have tried it both ways with no luck.
> >
> > Try it as,
> > # /usr/local/bin/freshclam
> > or
> > # locate freshclam
> >
> > Shantanu
>
> [EMAIL PROTECTED] ~]$ /usr/local/bin/freshclam
> bash: /usr/local/bin/freshclam: No such file or directory
>
> I'm using Fedora Core 3 and downloaded Clam from the site, did it
> install wrong?
>
> Tim...
> --
>                         _
> ASCII ribbon campaign ( )
>  - against HTML email  X
>                       / \
>
> ___
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>

-- 
John Jolet
Your On-Demand IT Department
512-762-0729
[EMAIL PROTECTED]
www.jolet.net


___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Re: [Clamav-users] announcing ClamMail, a native port of ClamAV for Windows

2005-02-05 Thread John Jolet
Luca Gibelli wrote:
> Dear ClamAV users,
> a native port for Microsoft Windows of Clam AntiVirus has been developed by
> Boguslaw Brandys. The source code can be downloaded at
> http://www.bransoft.com/clamav.html
>
> The first product based on this port is ClamMail
> (http://www.bransoft.com/clammail/clammail.html) a tool that can protect PCs
> running Windows from viruses transferred via mail.
>
> Thanks to its internal architecture, it can work with any mail client
> (Outlook, Thunderbird, Eudora, Pegasus and anything that supports the POP3
> protocol). All you need to do is install it and reconfigure your mail
> client to use ClamMail as a POP3 proxy:
> - change your pop3 server to localhost
> - change your username from "foo" to "foo\mail.myserver.com" where
>   mail.myserver.com is your real pop3 server.
>
> More info is available at
> http://www.bransoft.com/clammail/introduction.html
> You can download the latest version from:
> http://sourceforge.net/project/showfiles.php?group_id=125389
> Here you can subscribe to ClamMail's mailing list:
> http://lists.sourceforge.net/lists/listinfo/clammail-users

any intentions in the future to allow imap, as well as pop3?
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Re: [Clamav-users] problem with clamd

2005-02-15 Thread John Jolet
On Tue, 2005-02-15 at 16:19 +0500, abac wrote:
> hi,
> I installed the clamav-0.82.tar.gz and the webmin module for clamav, the
> installation was successful, but now when i want to open the clamav in
> webmin this is the error:
> WARNING: Please fill in the location of the clamav daemon startup file 
> in the module's configuration (install the clamav daemon package if it 
> isn't already done)
> and when i run the freshclam this is the error:
> ERROR: Please edit the example config file /etc/freshclam.conf.
> ERROR: Please edit the example config file /etc/clamd.conf.
> ERROR: Can't parse the config file /etc/clamd.conf
> plz help me
> ___
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Okay, you sound like you have two (2) problems here.  did you, in fact,
edit the example config file /etc/freshclam.conf and clamd.conf like the
error said?  what are the contents of those two files.

second problem...in the webmin module config, you have to tell it the
config files are at /etc/clamd.conf, etc.

Or  webmin nuked your config files...you DID save a copy before letting
webmin loose on them, right?

___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Re: [Clamav-users] Disabling ScanArchive ?

2005-02-22 Thread John Jolet
they could always rename the file and include instructions to put the
name back.  bear in mind, that microsoft has started making it difficult
to impossible to get at emails with those kinds of extensions in them
using microsoft's email products.  Some versions require altering a
registry key to enable certain file names, others just require changing
some options.  While I agree, in principle, with the idea of protecting
users from their own stupidity, the historical fact is that the
three-letter extension was ALWAYS a stupid way of telling executables
from non, and the default of hiding those extensions was an even
stupider idea.

the point here, is that even if you get the filenames through the
scanner complex, the email client might block them, making users think
the SCANNER is blocking.

On Tue, 2005-02-22 at 12:09 -0600, Jason Byrns wrote:
> Trog wrote:
> > On Tue, 2005-02-22 at 11:00 -0600, Jason Byrns wrote:
> > 
> > 'Banned filename'? ClamAV doesn't do banned filenames.
> 
> So that's Amavis blocking banned file names, then?
> 
> I have no problems continuing to scan within archives, and I agree 
> that's how many viruses are now being distributed.  But I can't even 
> send password-protected zip files, if they have any banned file names 
> inside.   And the email instructions sent automatically (by Amavis 
> and/or ClamAV) say password-protected zip files will get around the 
> banned file name.
> 
> So my real question is, what if people want to email a file on the 
> banned list?  (Y'know, files like *.exe, *.pif, *.bat, *.scr, *.vbs, 
> etc)  I see archives still show you the names of files inside, even if 
> password protected.
> 
> I guess I'd rather not just stop banned files altogether.  It seems 
> sensible to block files of these types.  Requiring a password-protected 
> zip seemed like a decent way to handle it, to me.  Agreed?
> 
>  From my /etc/amavisd.conf:
>qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic
> 
> Or is this just a question for the Amavis guys instead?  ;)
> 
> Thanks for all the quick replies!!
> 

___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] mail delay

2005-04-04 Thread John Jolet
does that socket file exist?  does whatever user clamd is running as
have write access to it?
On Mon, 2005-04-04 at 16:29 +0200, Souza Simbota wrote:
>  
> Hello,
> 
>  
> 
> I have noticed there is a delay in my mail server operations . I tried to
> send a test mail to myself an hour ago but I haven't got it yet. I was
> checking at mail logs and came across the line below:
> 
>  
> 
> Apr  4 10:15:33 glory amavis[29973]: (29973-02) Clam Antivirus-clamd: Can't
> connect to UNIX socket /var/lib/clamav/clamd: Connection refused, retrying
> (3)
> 
>  
> 
> What could be the solutions to this?
> 
>  
> 
> Souza Simbota
> 
> Computer Land 
> 
> P/Bag 281 Blantyre
> 
> Phone: 1672646/ 1672661
> 
>  
> 
> 
> **
> Scanned by eScan Anti-Virus and Content Security Software.
> Visit http://www.mwti.net for more info on eScan and MailScan.
> **
> 
> 
> ___
> http://lurker.clamav.net/list/clamav-users.html

___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] [OT] AIX

2005-05-06 Thread John Jolet
I believe 4.1.5 is the last aix that  will load on those types of machines.
On Friday 06 May 2005 07:03 am, Timo Schoeler wrote:
> Matt Fretwell spake:
> > Matt Fretwell wrote:
> >> If anyone can possibly help out on this one, if you could please mail
> >> me off list.
> >
> >  Slight addendum. The unit is a Motorola RiscPC. Forgot that piece of
> > somewhat required info :)
> >
> >
> > Cheers,
> >
> > Matt
>
> hi,
>
> you probably mean PowerStack, which is a PReP model [1].
>
> i do have such a machine here, but i have no AIX that fits -- i only
> have AIX for G5, unfortunately.
>
> an option would be a cheap RS/6000 machine? mail me if someone wants
> one, i can get those.
>
>
> [1] -- http://en.wikipedia.org/wiki/PReP

-- 
John Jolet
Technology Solutions
Your On-Demand IT Department
512-762-0729
[EMAIL PROTECTED]
www.jolet.net
___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] RE: Qmail Pre Installed Dedicated (1and1) RedHat Server and Plesk

2005-05-12 Thread John Jolet

On Thursday 12 May 2005 06:21, [EMAIL PROTECTED] wrote:
> I would be happy to implement the qmail-scanner tool, but I'm not sure how
> this would or could impact the currently installed qmail system and Plesk. 
> Also, I do not know the impact or if the qmail patch can be applied without
> hurting the pre-installed setup also.  If I knew that qmail was
> pre-installed by default then I would not fear making patches to the
> system.  I just do not want to damage the system and shutdown email by
> implementing something like this.  I know that Spam Assassin works, so
> qmail must have some means of shelling out and checking this.  If I could
> find how or where this was, I could just script ClamAV to also do this.  I
> was not sure if others have had the same or similar problem.
>
> Thanks for the reply.
>
> Quella
This may sound strange, but why not put another box in front of the qmail 
server just running as an smtp relay and virus scanner?  You don't mention 
traffic loads, but if you're not running spamassassin on the bastion box, you 
shouldn't need much of a cpu.
___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread John Jolet
Matt Fretwell wrote:
> Brian Read wrote:
> > > Block all mails from dynamic IP. They are 99,99% spam.
> >
> > No they aren't that "rule" causes quite a few of my customers a
> > headache, as the (linux) mailserver I often install sends the email
> > direct, irrespective of whether their IP is "dynamic" or "static".  Some
> > ISPs charge an arm and a leg for static IPs.
>
> There are reasonable ISP's, (pricewise), with regards to static ranges.
> There is however the fact that whether the IP's are static or dynamic,
> business or domestic class, some ISP's, (mentioning no names), impose
> relay restrictions by the domain part in the *sender* address, if you try
> doing it the 'relay through ISP's mailhost' way. Which does leave the
> choice of having the MTA connect directly to retain the correct domain
> part of the senders mail address. This bumph about people shouldn't be
> allowed to run a direct MTA to MTA setup unless they have static IP's is
> nonsense. One might even say that it is MTA (elitism|snobbery). There are
> plenty of legitimate MTA setups running on dynamic IP's. A lot of the time
> they are configured in a better fashion than the service providers own
> MTA's that most would have them relay through. There really is no
> legitimate reason for blocking dynamic IP ranges at the outset. What
> really does amaze me though, is that these are generally the admins who
> will turn around and say, 'Don't block (variable), you will lose too
> much legitimate mail'. Where is the logic in that? They will allow a
> crappily configured multinational corporation or ISP to connect, yet not
> give dynamics the slightest chance to prove their reliability.
>
> Matt
> ___
> http://lurker.clamav.net/list/clamav-users.html

This email, for instance was sent from a properly configured mta running 
antispam and antivirus scanning in BOTH directions, from a dynamic ip.  
If my wife sends email from her computer, it goes to the isp's mta, 
which does inbound only scanning.  I have several rules in place for 
postfix to force it to use my isp's mta for domains that refuse traffic 
from dynamic or "residential" ip addresses.  The price for a 
non-residential ip from my isp is nearly double that for residential.  
Do I get any added-value service for that?  No, in fact, I lose the 
ability to take faulty equipment directly to the service center for 
replacement, instead of waiting for a service call.  I think more people 
running mtas would take the tack of examining the TRAFFIC, not the IP it 
came from.  That's just laziness.
___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] sober.p and german adverts?

2005-05-16 Thread John Jolet
On Monday 16 May 2005 04:43 pm, Dennis Peterson wrote:
> John Jolet said:
> > Matt Fretwell wrote:
> >
> >
> >
> > This email, for instance was sent from a properly configured mta running
> > antispam and antivirus scanning in BOTH directions, from a dynamic ip.
> > If my wife sends email from her computer, it goes to the isp's mta,
> > which does inbound only scanning.  I have several rules in place for
> > postfix to force it to use my isp's mta for domains that refuse traffic
> > from dynamic or "residential" ip addresses.  The price for a
> > non-residential ip from my isp is nearly double that for residential.
> > Do I get any added-value service for that?  No, in fact, I lose the
> > ability to take faulty equipment directly to the service center for
> > replacement, instead of waiting for a service call.  I think more people
> > running mtas would take the tack of examining the TRAFFIC, not the IP it
> > came from.  That's just laziness.
>
> Most of the spam I've gotten the last three days is from comcast.net.
> Apparently they allow their customers to send out to port 25. They should
> lock that down so that spam goes out through their own servers so they can
> feel the pain when they are blacklisted for incompetence. If you need to
> run your own stand-alone mail service you should pay the price for the
> privilege.
>
> Nobody should send mail directly unless it is filtered outbound. In fact,
> that would be a good blacklist: real-time-morons.org. I'd even toss in
> systems that NDR after the connection is closed as they have no idea at
> that point who the sender is.
>
> dp
>
> ___
That was my point.  My mail IS filtered outbound.  So I should have to pay 
double for the privilege of controlling my own email?  How about this...I 
send an email to a client via my isp's mta.  There's a problem, but I don't 
find out about it for 5 days.  I lose business.  On the other hand, I send 
the email direct, I've got my installation set to notify me of problems after 
minutes, not days.  I can do that because I'm my only customer.  I know 
nearly every email that gets sent out and can be very responsive to problems.  
I should double my fee for that single advantage?  Not sure I buy that.  
That's a microsoft-type business plan.
-- 
John Jolet
Technology Solutions
Your On-Demand IT Department
512-762-0729
www.jolet.net
[EMAIL PROTECTED]
___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] sober.p and german adverts?

2005-05-17 Thread John Jolet
One final point here, I know I, and I'm sure many of you, have seen or come 
into contact with infected exchange servers...on static ip addresses.  The
fact that it's static, or in fact, a business connection, speaks not a thing 
for the competence of the administrator, or the security of the server.  My 
point before was this:  my ip in no way says you should  trust me, I can be 
infected and misconfigured on a static ip as a dynamic one.  Also, I'm being 
penalized for microsoft's inability to engineer and distribute a secure os.  
You have every right to block whatever address ranges you want, and when I 
get the bounce, I'll add you to my transport file for postfix.  All else, 
I'll manage the queue myself.

On Tuesday 17 May 2005 06:48 am, Bart Silverstrim wrote:
> On May 16, 2005, at 5:43 PM, Dennis Peterson wrote:
> > Most of the spam I've gotten the last three days is from comcast.net.
> > Apparently they allow their customers to send out to port 25. They
> > should
> > lock that down so that spam goes out through their own servers so they
> > can
> > feel the pain when they are blacklisted for incompetence. If you need
> > to
> > run your own stand-alone mail service you should pay the price for the
> > privilege.
>
> To me, that price is learning how to do it right.  Price isn't always
> monetary.
>
> I wouldn't argue with the idea of having to tell your provider that you
> need your particular connection unfiltered and leave it unfiltered
> because you're setting up the server.
>
> I'm paying for the bandwidth of a connection.  If anything you're
> saving the ISP money in labor to maintain your mail spool, you're
> saving them disk space, and you're saving them liability...because
> you're willing to shoulder the burden yourself.  The price here is
> you're doing the administration, you're sacrificing your disk space,
> and you're sacrificing the ability to complain to them when the disk
> dies and there's not a backup and you don't have 24/7 connection
> reliability, only a "reasonable" connection.
>
> It's kinda stupid to me that you'd save them some space and time and
> liability and have to pay them for taking away a sliver of a headache,
> if all you want is a connection...and you may even be one of the small
> percentage that if you run the services yourself, you won't be on their
> tech support line.  Seems like that's the biggest "cost" for ISPs.  For
> people who are willing to learn and put work into maintaining it the
> cost of getting a "business class" connection is so high
> that...well...they'd have to be a business to get it.  Or at least get
> it and not subsist on bologna and Cheerios for meals.
>
> ___
> http://lurker.clamav.net/list/clamav-users.html

-- 
John Jolet
Technology Solutions
Your On-Demand IT Department
512-762-0729
www.jolet.net
[EMAIL PROTECTED]
___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] sober.p and german adverts?

2005-05-17 Thread John Jolet
It IS  a word...just not the one you wanted.  swine spellchekers
On Tuesday 17 May 2005 05:12 pm, [EMAIL PROTECTED] wrote:
> On Tue, 17 May 2005, Matt Fretwell wrote:
> > [EMAIL PROTECTED] wrote:
> > > If they do have a rouge spammer on their network, they might wish to
> > > know about it anyway.
> >
> >  I assume that should have been rogue. ( Unless spammers have a
> > predilection for make up :)
>
> Hmm.  I guess aspell thinks that is a word... and probably some spammers
> do, rofl.
>
> ___
> http://lurker.clamav.net/list/clamav-users.html

-- 
John Jolet
Technology Solutions
Your On-Demand IT Department
512-762-0729
www.jolet.net
[EMAIL PROTECTED]
___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] ERROR: Can't initialize the virus database

2005-08-09 Thread John Jolet
who is clam running as?  who owns the directories?
On Tuesday 09 August 2005 07:43 pm, Susemail wrote:
> I have just installed clamav on Suse 9.2 and 9.3 using #:apt-get install
> clamav.
> file:/var/log/apt.log:
> Mon 08 Aug 2005 07:10:33 PM HST;install;clamav;0.86.2-1.1
>
> When I run # clamscan -r -l scan.txt clamav-x.yz I get: ERROR: Can't
> initialize the virus database.
>
> I've checked the faq, mailing list and googled 'ERROR: Can't initialize the
> virus database clamav'; not enough help.
>
> How do I initialize the database?  Where do I find clamav logs and what are
> the logs called?
>
> Thanks,
> Susemail
> _______
> http://lurker.clamav.net/list/clamav-users.html

-- 
John Jolet
Technology Solutions
Your On-Demand IT Department
512-762-0729
www.jolet.net
[EMAIL PROTECTED]
___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] postfix and clamav

2005-12-20 Thread John Jolet


On Dec 20, 2005, at 10:48 AM, Shannon Scott wrote:

> Greetings,
> I have been using postfix for a while, and would like to integrate
> clamav for scanning email.
> What is the best and most simple way to achieve this?
> I have tried mailnees, clamfilter, clapf, and openprotect, but I cannot
> get any of them to work ( very frustrating ).
> Does anyone have any of these methods working?
> Thank you for any pointers or advice.
> Take care.
> S

I'm using amavis-new on both a fedora core 4 and suse 10 boxes.

___
http://lurker.clamav.net/list/clamav-users.html


___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] Spoofing IP Address?

2006-01-04 Thread John Jolet


On Jan 4, 2006, at 11:13 AM, Derek Lamparty wrote:

> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of
> > Tomasz Papszun
> > Sent: Wednesday, January 04, 2006 11:08 AM
> > To: clamav-users@lists.clamav.net
> > Subject: Re: [Clamav-users] Spoofing IP Address?
> >
> > On Wed, 04 Jan 2006 at 10:35:20 -0600, Derek Lamparty wrote:
> > > I am getting hammered by worm.sober.u-3.  What are the characteristics
> > > of this worm?  Can it spoof ip addresses in the mail server logs?  I
> > > was trying to track some of the viruses back to the origination point
> > > (there are a lot of them) to let our members know that they might have
> > > a virus.  I contacted a couple and they said that their networks are clean.
> >
> > Quite likely.
> > The principle is sad nowadays: you can't trust any mail
> > headers beyond your own mailserver's ones.
> >
> > --
> >  Tomasz Papszun   SysAdm @ TP S.A. Lodz, Poland     | And it's only
> >  tomek at lodz.tpsa.pl http://www.lodz.tpsa.pl/iso/ | ones and zeros.
> >  tomek at clamav.net   http://www.ClamAV.net/   A GPL virus scanner
> > ___
> > http://lurker.clamav.net/list/clamav-users.html
>
> I didn't know that was possible.  Huh?  Doesn't that really make RBLs
> pointless?

they always were pointless.  How many times has each of us had to go
to a maintainer of an rbl and explain that we were not, in fact,
spammers.  and face the inevitable...prove it.  g.

> Derek Lamparty



Re: [Clamav-users] Spoofing IP Address?

2006-01-04 Thread John Jolet


On Jan 4, 2006, at 11:29 AM, Steven Spence wrote:


John Jolet wrote:

they always were pointless.  How many times has each of us had to go
to a maintainer of an rbl and explain that we were not, in fact,
spammers.  and face the inevitable...prove it.  g.


They are not at all pointless.  The problem is that some people build
their RBL's based on email headers and not the IP obtained from
the TCP connection.

good point.  can you give me some rbls that are known to use the tcp  
connection address instead of the headers?  Thanks.



___
http://lurker.clamav.net/list/clamav-users.html
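Added example (not part of the thread): the two approaches discussed above side by side, believing the Received headers versus using the peer address your own MTA recorded at the TCP connection, plus the DNSBL query name built from that address. The sample message, the host names, the zone dnsbl.example and the Postfix-style Received format are assumptions constructed for illustration.

```python
import email
import ipaddress
import re

# Constructed sample. Only the top Received line was written by our own MX
# (Postfix-style: "from HELO (rdns [peer-ip]) by host"); everything below it,
# and the HELO string itself, was supplied by the sending side.
RAW = b"""\
Received: from [192.0.2.1] (unknown [198.51.100.23])
\tby mx1.ourisp.example (Postfix) with ESMTP id 4A1B2C3D
\tfor <user@ourisp.example>; Wed, 4 Jan 2006 10:31:02 -0600 (CST)
Received: from pc7 ([192.0.2.77]) by mail.member.example with SMTP;
\tWed, 4 Jan 2006 10:30:58 -0600
Received: from [203.0.113.9] by pc7; Wed, 4 Jan 2006 10:30:55 -0600
From: "Postmaster" <postmaster@member.example>
Subject: Mail delivery failed

body
"""

# Assumed format of our own MTA's Received line; anything else fails closed.
HOP_RE = re.compile(
    r"^from \S+ \((\S+) \[(?:IPv6:)?([0-9A-Fa-f:.]+)\]\) by (\S+)", re.I)


def naive_origin_ip(raw):
    """What a header-based list does: believe the oldest Received line."""
    hops = email.message_from_bytes(raw).get_all("Received", [])
    found = re.findall(r"\[([0-9.]+)\]", hops[-1]) if hops else []
    return found[0] if found else None


def trusted_peer_ip(raw, our_hosts, our_nets=()):
    """Peer address recorded by our own MTA at the TCP connection, or None."""
    nets = [ipaddress.ip_network(n) for n in our_nets]
    for value in email.message_from_bytes(raw).get_all("Received", []):
        m = HOP_RE.match(" ".join(str(value).split()))
        if not m or m.group(3).lower() not in our_hosts:
            return None  # line not written by us: nothing below is trustworthy
        try:
            peer = ipaddress.ip_address(m.group(2))
        except ValueError:
            return None
        if not any(peer in net for net in nets):
            return str(peer)  # first external peer one of our servers saw
    return None


def dnsbl_query_name(ip, zone):
    """Reverse the address (octets or nibbles) and append the list's zone."""
    reverse = ipaddress.ip_address(ip).reverse_pointer.rsplit(".", 2)[0]
    return f"{reverse}.{zone}"


if __name__ == "__main__":
    ip = trusted_peer_ip(RAW, {"mx1.ourisp.example"})
    print(naive_origin_ip(RAW), ip, dnsbl_query_name(ip, "dnsbl.example"))
```

On the sample, the header-based lookup reports the forged 203.0.113.9, while the trusted hop yields 198.51.100.23, the only address here that was not supplied by the sender.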


Re: [Clamav-users] clamav-milter & sendmail: postmaster notification

2006-01-06 Thread John Jolet


On Jan 6, 2006, at 11:46 AM, Chuck Swiger wrote:


Dennis Peterson wrote:

Randal, Phil said:

[ ... ]

I have.  It's very useful when a new virus variant arrives and is
detected by only one of our three virus scanners (or is blocked by
filetype alone).  If it is quarantined I can pull out the quarantined
copy and submit it to virusscan.jotti.org, www.virustotal.com, and the
Antivirus vendors.

I guess I don't understand the need to submit a detected and quarantined
virus to anti-virus vendors.


In other words, you quarantine anything which contains an  
attachment which ends in .exe, .com, .pif, and so forth.  I require  
my users to zip or tarball attachments before they send them.   
Doing so will catch many new viruses before the AV people have  
pushed out updated definitions.




sure, because .zip files never contain viruses.  Not sure what a  
better solution is.  Frankly, most of my clients are seeing spyware  
as a worse threat than day zero viruses.  IE just seems to seek them  
out :)


More specifically, I've found viral messages in the quarantine which
were not recognized by ClamAV when the email went by, although a
day or two later they generally will be.


--
-Chuck


Re: [Clamav-users] Scanning outgoing mail? - was: cpu utilization suddenly over 90% all the time

2006-01-09 Thread John Jolet


On Jan 9, 2006, at 9:08 AM, John Kielkopf wrote:


Dennis Peterson wrote:


Bill Shupp said:


Thanks for the quick response.

Fajar A. Nugraha wrote:


Are you scanning all email?


Not outgoing mail (from our users), but all incoming mail, yes.



Don't you think it a bit rude to require all of us to scan your user's
mail for you?



For those that scan outgoing, how much has your outgoing filter  
actually caught?


I currently do scan outgoing but often wonder if it's worth the  
effort, since it's never caught a single virus.


Mine has never caught a single virus but then again, so what?   
how many need to get out to increase your liability?  Even though  
clamXav on my mac has never caught a virus, I still run it.  Why?   
because once is far too many times to get caught with my pants down.





Re: [Clamav-users] Squirriel Mail clamav scanner

2006-01-09 Thread John Jolet


On Jan 9, 2006, at 9:17 AM, Bit Fuzzy wrote:

i was wondering if anyone knows of a squirrel mail plugin using ClamAV
to scan e-mails?


IMHO that would be overkill.

Incoming messages will be scanned via ClamAV as should messages being sent.
(depending on configuration)

Squirrelmail does not change how mail is sent or received. It only provides
a web interface to manage mail

squirrelmail does not REQUIRE the incoming mail server be the same as  
the one running squirrel, nor even under the control of the user.   
There are modules to do imap from other servers, as well as pop...at  
the user, not server level.  I can very easily see a use for clam  
scanning at the squirrelmail user level, just as you have the ability  
to do spamassassin scanning at the user level.





Re: [Clamav-users] Squirriel Mail clamav scanner

2006-01-09 Thread John Jolet


On Jan 9, 2006, at 1:10 PM, Freddie Cash wrote:


On January 9, 2006 11:06 am, Jeremy Kitchen wrote:

just reject viruses at the front door, and you'll be fine.
'client-side' scanning (squirrelmail IS a client, even though it's run
on a server) is not a 'feature'.  Don't think you should do it that way
just because thunderbird does it.  The only reason thunderbird or kmail
have client-side virus scanning support is because some providers don't
do their own scanning.


Re-read your last sentence, then compare how Thunderbird accesses messages
from a POP server compared to how SquirrelMail accesses messages from a
POP server using the built-in Mail Fetch plugin (that completely
by-passes any and all mail servers at the site using SquirrelMail).
There is no functional difference, so why should one client be allowed to
scan messages while another isn't?

While it's not the most optimal setup, having the option to scan messages
in the mail client should not be frowned upon.  If your mail provider
does not scan your incoming messages, then the mail client is a good
place to scan messages.  After-all, it's the only place *you*, the
recipient, fully control access to the e-mail message.

I guess the point here (and I agree with it) is the concept of
defense in depth.  Even if my server is scanning, why shouldn't my
client go ahead and scan?  just think how hard viruses would have to
work if EVERY process that touched the email scanned it for viruses,
or other assorted malware (as deemed appropriate by the controlling
admin)?  You are right...you shouldn't HAVE to scan at the
client...but then again, you shouldn't HAVE to run an os that allows
the behaviors in which viruses engage... oh, wait, there's only one
that does



Re: [Clamav-users] anti-virus imap scanner

2006-01-11 Thread John Jolet
On Wednesday 11 January 2006 09:01, Eric Cunningham wrote:
> > So then is there an smtp server that is receiving these messages and
> > storing them locally for pickup via imap, and if so, what is the name of
> > that smtp server?
>
> I'm looking to do the same thing.  I've got a Postfix/Cyrus setup
> installed on Debian Etch and debating between ClamSMTP and Amavisd-new
> (or other recommendations?).  I'd like to use spamassassin perhaps with
> SIEVE filters with squirrelmail.  This is for my church so I'd like to
> keep away from source compiles for ease of maintainability.  We have
> approximately 30 IMAP accounts.
>
> Would ClamSMTP be sufficient?  Would Amavisd be overkill?  I found
> several listed on the Postfix website but would be interested in hearing
> what others have used and why.
I'm using postfix/amavis/spamassassin/clam on my home mail server.  Not sure 
what you mean by overkill, but it wasn't difficult to get working, and works 
well.  Running fedora core 4, and I think it was all from rpm (it's been 
running for 3 years now, so kinda hard to remember)
>
> Thanks!
>
> -eric

-- 
John Jolet
Your On-Demand IT Department
512-762-0729
www.jolet.net
[EMAIL PROTECTED]


Re: [Clamav-users] scanning over tcp/ip

2006-01-12 Thread John Jolet
On Thursday 12 January 2006 13:46, Bill Shupp wrote:
> Is clamdscan/clamd scanning supported over TCP/IP?  As far as I could
> tell in the documentation, there is stream support, but it's not ready
> for network connections.  My failed tests support that (clamd was
> looking for the local file, rather than the file getting passed over the
> stream).  It also appears that milter can do it, but that looks like a
> sendmail specific tool from the docs (I use qmail).
I believe it depends on whether you start it up listening to tcp, or a socket, 
right?
>
> If anyone could clarify, that would be great.  I'm looking for a way to
> offload only clamd to another system, similar to how spamc/spamd works.
>
> Thanks,
>
> Bill

-- 
John Jolet
Your On-Demand IT Department
512-762-0729
www.jolet.net
[EMAIL PROTECTED]
___
http://lurker.clamav.net/list/clamav-users.html
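Added example (not from the thread or the ClamAV project): when clamd listens on TCP, a path given to it is opened on the clamd host, which matches the failed test described above; the INSTREAM command of later clamd releases sends the file's bytes over the connection instead. The function names are hypothetical and port 3310 is assumed as the TCPSocket value in clamd.conf.

```python
import socket
import struct

COMMAND = b"zINSTREAM\0"   # leading 'z' means the command is NUL-terminated


def instream_frames(data, chunk_size=8192):
    """Byte strings the client writes: command, length-prefixed chunks, end."""
    frames = [COMMAND]
    for off in range(0, len(data), chunk_size):
        chunk = data[off:off + chunk_size]
        # each chunk is preceded by its length as 4 bytes, network byte order
        frames.append(struct.pack("!I", len(chunk)) + chunk)
    frames.append(struct.pack("!I", 0))   # zero-length chunk ends the stream
    return frames


def decode_instream(wire):
    """The daemon's view: rebuild the payload from what arrived on the socket."""
    if not wire.startswith(COMMAND):
        raise ValueError("not an INSTREAM request")
    pos, payload = len(COMMAND), b""
    while True:
        if pos + 4 > len(wire):
            raise ValueError("truncated length field")
        (size,) = struct.unpack_from("!I", wire, pos)
        pos += 4
        if size == 0:
            return payload
        if pos + size > len(wire):
            raise ValueError("truncated chunk")
        payload += wire[pos:pos + size]
        pos += size


def parse_reply(reply):
    """Map clamd's one-line answer to (status, detail)."""
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    verdict = text.partition(": ")[2]
    if verdict == "OK":
        return ("clean", None)
    if verdict.endswith(" FOUND"):
        return ("infected", verdict[:-len(" FOUND")])
    return ("error", text)   # e.g. the stream exceeded the daemon's size limit


def scan_bytes(data, host, port=3310, timeout=30.0):
    """Send data to a remote clamd and return the parsed verdict."""
    with socket.create_connection((host, port), timeout=timeout) as conn:
        conn.sendall(b"".join(instream_frames(data)))
        reply = b""
        while not reply.endswith(b"\0"):
            part = conn.recv(4096)
            if not part:
                break
            reply += part
    return parse_reply(reply)
```

clamd's TCP listener does no authentication, so bind it with TCPAddr to an interface only the mail hosts can reach and firewall the port.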


Re: [Clamav-users] Is CME officially supported/supporting ClamAV?

2006-02-01 Thread John Jolet


On Feb 1, 2006, at 4:32 AM, Randal, Phil wrote:


Jason Haar wrote:


I've been watching CME (Common Malware Enumerator) starting
to take off over the past few weeks, and I've noticed CME
entries and their corresponding names used by antivirus vendors.

...and ClamAV ain't in there from what I've seen...

Is there no interest in supporting this, or am I just blind?
(the latter is quite possible ;-)

See http://cme.mitre.org/



From the CME FAQ:


"A8. How can my organization and I participate?

An integral component of the CME initiative is broad community participation.
We strongly encourage users of anti-virus products to ask their preferred
vendors to adopt CME identifiers. For anti-virus product vendors, supporting
and participating in the CME initiative is a bold first step in announcing
to your users that you want to help alleviate their confusion and further
protect their systems and networks. Adopting the use of CME identifiers is
a significant first step in establishing a consistent approach by anti-virus
entities that will benefit users and the entire information security
community.



I fail to see how everyone using the same names protects my users any  
more than they already are by my using the best antivirus server-side  
solution out there.  Who cares what you call the virus, when norton  
only releases new signatures on wednesdays.


Contact us at [EMAIL PROTECTED] to discuss how you and your organization can
help this growing anti-virus and information security initiative."

Looks like they expect the ClamAV team to contact them, not the other
way round.

Cheers,

Phil


Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK


Re: [Clamav-users] Is CME officially supported/supporting ClamAV?

2006-02-01 Thread John Jolet


On Feb 1, 2006, at 9:11 AM, Daniel J McDonald wrote:


On Wed, 2006-02-01 at 17:45 +0300, Odhiambo Washington wrote:

* On 01/02/06 07:52 -0600, John Jolet wrote:


I fail to see how everyone using the same names protects my users any
more than they already are by my using the best antivirus server-side
solution out there.  Who cares what you call the virus, when norton
only releases new signatures on wednesdays.



I don't care as well!
Afterall, I can smell a rat on this CME issue, only the smell is still
quite not identifiable!
Some people want to control the Virus business ;)


The only reason that I care is that when there is hew and cry over a
massively destructive virus, I can point at my virus statistics and say
"oh, our AV calls CME-24 'worm.vb9' - we've been blocking it for weeks."
Then I don't have to worry about what name another group might give it,
and the PHB's will leave me alone for a little while longer.

has anyone ever noticed how much EXTRA work we sysadmins do for that
reason alone?  There's a lot of cycles spent, collectively, to prove
to management what we already know.



Re: [Clamav-users] postfix with clamav

2006-02-01 Thread John Jolet


On Feb 1, 2006, at 7:00 PM, Tom Lee wrote:


Hello,

To get postfix work clamav on fedora 4,

I installed  the following packages,

clamav-lib-0.88-1.fc4
clamav-update-0.88-1.fc4
clamav-data-0.88-1.fc4
clamav-0.88-1.fc4
clamav-server-0.88-1.fc4

and

clamsmtp-1.6-1.fc4.mf

However, I have no clue if I need all of those packages and
how to configure clamav to work with postfix?


i'm not sure about those packages...too lazy to check my fc4 box :)
however, i'm using amavis to call clam.  you put amavis in as a  
transport, and uncomment the clam parts of amavis.  amavis also calls  
spamassassin.



any suggestions?

Tom




Re: [Clamav-users] postfix with clamav

2006-02-02 Thread John Jolet

amavis has not been updated for more than one year.
is there a way to have clamav to configure to work with postfix
with the change in  configuration file?

I searched the documentation and cannot find any thing useful.

postfix can't work directly with clam.  however, i hear good things
about a program called "MailScanner".  I'm setting up a gentoo box to
test it.  Don't discount amavis just because it hasn't been updated
in over a year.  it definitely does work.  And it's really not very
hard to get working.



Re: [Clamav-users] Is CME officially supported/supporting ClamAV?

2006-02-02 Thread John Jolet


I've just been asked if we're scanning for tomorrow's outbreak  
alert and still have not found anything official.  I've found in  
the mailing lists that CME-24 is synonymous with worm.vb-8 and  
worm.vb-9 but it took some digging.  I know I for one would  
appreciate it if clamav participated in the CME naming conventions  
as it would save me a lot of time.


I have yet to see so many AV vendors cooperate to this extent  
before. I've scanned several major vendor's websites for cme-24 and  
they all list among their aliases cme-24 in a prominent display.


I don't really see the harm aside from Mitre conspiracies.  Just my  
$.02

tomorrow's outbreak alert?

I don't see any harm either...just no value.  Course, I have to admit  
that I frequently have friction with bosses that task me with things  
that really add no value to the enterprise.  :)



Re: [Clamav-users] postfix with clamav

2006-02-02 Thread John Jolet


On Feb 2, 2006, at 3:23 PM, <[EMAIL PROTECTED]> wrote:


i'm not sure about those packages...too lazy to check my fc4 box :)
however, i'm using amavis to call clam.  you put amavis in as a
transport, and uncomment the clam parts of amavis.  amavis
also calls  spamassassin.




amavis has not been updated for more than one year.
is there a way to have clamav to configure to work with
postfix with the change in  configuration file?
I searched the documentation and cannot find any thing useful.



As at least one other person has mentioned, you want amavisd-new, not amavis
which is essentially defunct.  Amavisd-new is updated as needed, with new
functionality added based on community feedback, and has absolutely first
rate support and an extremely knowledgeable group of folks on the mailing
list.  I highly recommend it, as does the author of The Book of Postfix,
Ralf Hildebrandt.

http://www.ijs.si/software/amavisd/

Amavisd-new also integrates with SpamAssassin, DCC, vipuls-razor, and
others.

I have to say I meant amavis-new when I said amavis.  sorry to be  
unclear.

Give it a shot.

MrC






[Clamav-users] New mac virus

2006-02-17 Thread John Jolet
Does anyone know if clam (running as clamd or clamxav) on mac os X will
catch the "new" virus that's apparently propagating via aim?




Re: [Clamav-users] clamscan delete the entire mailbox

2006-02-23 Thread John Jolet



On 2/23/06 12:56 PM, "Jason Haar" <[EMAIL PROTECTED]> wrote:

> Richard Feldmann wrote:
>> 
>> It might be best to find a scanning system that checks at the smtp level,
>> rather than scanning the mailbox of the user manually. This would delete the
>> virus as it's being transferred while preserving the message, and you
>> wouldn't have the same issue of having the entire mailbox being deleted.
>>   
> That's not standard practice. Most sites not only scan as mail comes in
> via SMTP, but they also scan *nightly* the end mailstores to pick up
> viruses missed at the SMTP level (e.g. Day-Zero viruses)
> 
> Just because a message got delivered doesn't mean it doesn't have a virus...
You scan at smtp, you scan nightly at the mailstore, and you scan at the
desktop...preferably with different brand scanners.  That avoids exposure
during the "day-zero" window.

