Re: [Clamav-users] 64bit RH ES5 Compile Error for Clamav 0.95.3
George R. Kasica wrote:
> I have no idea - I just followed the zlib instructions to run
> ./configure
> make
> make install
> You're getting into things I don't know - I'm no programmer here, please keep this simple, I'm just the system admin.

It sounds like you installed zlib separately instead of using the package that comes with Red Hat. Is that correct?

RHEL's package installs in /usr/lib and /usr/lib64, not in /usr/local/lib. It's also simpler to install. Just run "yum install zlib zlib-devel" and it'll download and install automatically, including any dependencies.

-- 
Kelson Vibber
SpeedGate Communications
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
Re: [Clamav-users] signature names
John Rudd wrote:
> But, without a coherent and explicit name convention, the rules for
> doing so would be so complex as to not be worth the effort in writing
> them. In some cases, it's even ambiguous as to which of the above
> categories a given message falls into.

Or, alternatively, a piece of metadata associated with each signature that indicates its category, which is returned as part of the results.

Advantage: conceptually cleaner than messing with the name.

Disadvantage: need to change calling methods to handle another return field; need to decide on categories; will eventually need to add categories.

-- 
Kelson Vibber
SpeedGate Communications
Re: [Clamav-users] PhishingScanURLs is dreadfully slow/CPU-intensive
Tilman Schmidt wrote:
> Also, OpenOffice on Linux is normally run from a non-privileged user ID,
> heavily limiting the ability of any malicious macro to harm or propagate.

Huh? What difference does running as a non-privileged user make when the method of infection is to spread via *documents*? It doesn't need root access to modify the user's own files.

-- 
Kelson Vibber
SpeedGate Communications
Re: [Clamav-users] Phishing feature defaults, naming, and 0.92
Ian Eiloart wrote:
> Oh, but wait. What's going on here? You upgrade ClamAV and your
> configuration changes? That shouldn't happen at all. Are you using an
> installer tool that overwrites your deployed configuration? Surely not!

If the defaults change, then the effective configuration can change even though the config *file* stays the same.

-- 
Kelson Vibber
SpeedGate Communications
Re: [Clamav-users] Clam bugs/vulns
Mark wrote:
> Well, if the admin had clamav's ~/.bashrc world-writeable, then that would
> indeed be quite an oversight. :)

Someone can correct me if I'm wrong, but I believe the idea here would be to trick *clamav itself* into writing to its ~/.bashrc by setting up a symbolic link in a predictable, world-writable location.

The scenario would be this:

1. Target file is locked down.
2. App with necessary privileges will write data to a predictable location that is *not* locked down.
3. Attacker creates a symlink in that location so that the privileged app will inadvertently overwrite the target file.
4. Attacker can either enjoy the chaos, or attempt to manipulate just what the privileged app will write.

-- 
Kelson Vibber
SpeedGate Communications
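The defensive side of the scenario above, as an added example that is not from the thread and not ClamAV's own code: a writer that creates its output file with O_CREAT|O_EXCL (plus O_NOFOLLOW where the platform has it), so a symlink planted at the predictable path makes the write fail instead of being followed. The target file, the shared directory and the planted link are all constructed in a temporary directory.

```python
import errno
import os
import tempfile


def safe_create(path: str, mode: int = 0o600) -> int:
    """Create `path` as a brand-new regular file and return its descriptor.

    O_CREAT|O_EXCL makes open() fail with EEXIST if *anything* already sits
    at `path`, and that includes a symlink someone planted there, whether or
    not its target exists. O_NOFOLLOW (where available) adds a second line
    of defence against following a link. Nothing is ever truncated through a
    link, so a link aimed at ~/.bashrc cannot redirect the write.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
    flags |= getattr(os, "O_NOFOLLOW", 0)      # absent on Windows
    return os.open(path, flags, mode)


def write_safely(path: str, data: bytes) -> bool:
    """Write `data` to a fresh file at `path`; return False (and write
    nothing anywhere) if the path is already occupied by a file or link."""
    try:
        fd = safe_create(path)
    except OSError as e:
        if e.errno in (errno.EEXIST, errno.ELOOP):
            return False
        raise
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return True


ORIGINAL = b"# original rc file\n"


def demo() -> dict:
    """Constructed scenario: a protected target file, a world-writable shared
    directory, and a symlink planted at the predictable name the privileged
    writer will use. Compares a naive open() with write_safely()."""
    base = tempfile.mkdtemp()
    target = os.path.join(base, "bashrc")           # stands in for ~/.bashrc
    with open(target, "wb") as f:
        f.write(ORIGINAL)
    shared = os.path.join(base, "shared")
    os.mkdir(shared, 0o1777)                        # sticky, world-writable
    predictable = os.path.join(shared, "clamav.out")
    os.symlink(target, predictable)                 # the planted link

    # Naive writer: open(..., "wb") follows the link and truncates the target.
    with open(predictable, "wb") as f:
        f.write(b"content written through the link\n")
    with open(target, "rb") as f:
        naive_clobbered = f.read() != ORIGINAL
    with open(target, "wb") as f:                   # restore for part two
        f.write(ORIGINAL)

    # Hardened writer: refuses because the path is already occupied.
    safe_wrote = write_safely(predictable, b"scan results\n")
    with open(target, "rb") as f:
        target_intact = f.read() == ORIGINAL
    return {"naive_clobbered": naive_clobbered,
            "safe_wrote": safe_wrote,
            "target_intact": target_intact}


def fresh_path_demo() -> tuple:
    """A genuinely new path is accepted; a second write to it is refused."""
    path = os.path.join(tempfile.mkdtemp(), "new.out")
    return write_safely(path, b"first\n"), write_safely(path, b"second\n")


if __name__ == "__main__":
    print(demo())             # {'naive_clobbered': True, 'safe_wrote': False, 'target_intact': True}
    print(fresh_path_demo())  # (True, False)
```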
Re: [Clamav-users] live CD
Robert wrote:
> So, does anyone know of a live CD with an up-to-date version of the scan
> engine?

I don't think Clam is included directly on the Fedora 8 LiveCDs, but Fedora now has a tool for creating custom LiveCDs from the distro: http://fedoraproject.org/wiki/FedoraLiveCD/LiveCDHowTo

You can probably bundle in NTFS drivers from http://rpm.livna.org

-- 
Kelson Vibber
SpeedGate Communications
Re: [Clamav-users] What's this? I can't believe it!
[EMAIL PROTECTED] wrote:
> No, perhaps not. But would you do a wholesale eradication of any/all
> suspicious files you find on your brand new flash drive that were installed
> there by the device manufacturer? I would certainly hope so. The original point of
> this was that the individual found them on their flash drive, and it
> appeared they were set to auto-execute and install upon insertion of the
> device into a Windex machine. Bottom line is, if it's on your removable media
> and you have no idea what it is or how it got there, a modicum of concern is
> called for.

I've missed the earlier posts in this thread, but this makes it sound a lot like the problem encountered in this series of posts: http://isc.sans.org/diary.html?storyid=3817

-- 
Kelson Vibber
SpeedGate Communications
Re: [Clamav-users] false alarm with uploading js from wordpress
aCaB wrote:
> On a side note it's rather curious that wordpress, which advertises
> itself as an OSS project, is actually shipping lamed/obfuscated code.
> Oh well...

For what it's worth, it's someone else's lamed/obfuscated code used under the GPL, and it's available in a clean form as well: http://jquery.com/

The obfuscation, in this case, is a really annoying form of compression. (95 KB for the source code vs. 29 KB for the packed script.)

-- 
Kelson Vibber
SpeedGate Communications
Re: [Clamav-users] PUAs
Ian Eiloart wrote:
> Anyway, can anyone think of a reason why anyone on a University Campus
> would (a) have a need to transfer files in any category below,

Absolutely. A lot of those categories (and examples) cover tools with legit systems administration and/or troubleshooting uses. You just wouldn't want them installed without your knowledge, or disguised as something else, or run by a malicious person/script/etc.

> and (b) not
> have access to alternative means like sftp?

I'm not so sure on that one, but from what I remember in my own University days (late 1990s), the campus network was relatively patchwork and tended to be low on network tools. Though I think even Windows 98 had at least a command-line FTP client, so I'd think anything with working email should at least be able to retrieve a file from an FTP server.

-- 
Kelson Vibber
SpeedGate Communications
Re: [Clamav-users] False positive? PUA.Script.Packed-1
Tony Finch wrote:
> I've advised the user to email links instead of whole pages, but I'm
> wondering why jQuery is classed as a PUA - is this deliberate or is
> it a false positive?

I think "PUA" indicates "Potentially Unwanted (something)" -- basically code or tools that have legitimate uses, but might also be used to sneak something unwanted onto a system. There was a thread a few weeks ago where someone had a whole list of things like VNC clients, port scanners, etc.

-- 
Kelson Vibber
SpeedGate Communications
Re: [Clamav-users] Twitter
I checked out the Twitter feed when it was announced. I didn't find it useful, primarily because I don't feel the need to know when each update hits. That's what I use freshclam for. As far as DB updates go, the only notification I need is when freshclam fails, or when an unusually long time passes *without* an update.

What I would find useful would be notices of new versions of the program itself (there are times when I'm on Twitter but not email, and vice versa), security bulletins, major virus outbreaks, etc. Something that might prompt user or admin action, or would suggest something I should keep an eye out for.

David F. Skoll wrote:
> "host -t txt current.cvd.clamav.net" is as easy as using twitter, and
> more up-to-date besides.

That depends. If you have Twitter up already, say as a desktop app or widget, you don't have to do anything. Much less type out a command with three parameters, or even run a tiny shell script that calls that command. It's like running a feed aggregator that does frequent updates. Push is always easier than pull, once it's set up.

The point here doesn't seem to be, "Set up Twitter so you can follow ClamAV" so much as it's, "If you're on Twitter, here's another channel you can use to follow ClamAV."

Henrik K wrote:
> I can't help thinking that ClamAV staff might have something better to
> do than set up such things. Ok, at least 76 people use it..

It doesn't take that long to set up an automatic process that will post without user intervention, or link an RSS feed to the account. It probably took them less time than it took me to write this email.

> How about a blog with some actual content on developing and stuff, instead
> of these "hip" services?

So blogs are okay now? I thought most techies still considered them to be a newfangled self-important fad not worth the neologism. :-P

Besides, running a blog with, as you say, "actual content" takes a *lot* more time than setting up Twitter. I can say that from experience.

-- 
Kelson Vibber
SpeedGate Communications
Re: [Clamav-users] Chacking clamd
[EMAIL PROTECTED] wrote:
> I use RedHat9
> I've just installed clamav and I've started clamd. How can I check if the daemon is really working? Is there any test virus to send to my email?

See http://www.testvirus.org

-- 
Kelson Vibber
SpeedGate Communications
Re: [Clamav-users] Banned file type is not there!!
Sean Hafeez wrote:
> A banned name (.exe) was found.
>
> BANNED CONTENTS ALERT
>
> Our content checker found banned name: .exe
> ...
> The message has been blocked because it contains a component (as a MIME part or nested within) with declared name or MIME type or contents type violating our access policy.

It says it's banned based on the filename, not based on a virus, so I'd guess it's amavisd-new and not ClamAV.

By any chance does the string ".exe" show up in the middle of the filename (something like Whatever.executives.blah)?

-- 
Kelson Vibber
SpeedGate Communications
Re: [Clamav-users] Clamav and pictures
Vladimir Potapov wrote:
> Every day I have received about 30 emails with pictures which have strange names (for example sevwqwso.gif, iwhfetsn.gif, qfwecqtf.jpg) and nonexistent senders ([EMAIL PROTECTED], [EMAIL PROTECTED]). Clamav doesn't find any viruses in these emails.

Are you sure it's not just spam? A lot of spam uses random nonexistent senders like the ones you describe, and there is an entire class of spam consisting of a single image and no text (to get around text-based filters).

> Can Clamav find viruses in pictures?

AFAIK Clam scans all files or message parts handed to it, so as long as the signature is there, it should find it.

-- 
Kelson Vibber
SpeedGate Communications
Re: [Clamav-users] Notification E-mail
Simple solution to the question of whether to send a notice:

You know what virus was detected. You know whether it's a mass-mailer or something else. (starts with Worm., ends with @mm, a few specific others)

Based on that, you can decide whether to reject it or discard it.

-- 
Kelson Vibber
SpeedGate Communications
Re: [Clamav-users] If you want to post/reply to the list, read this please.
Kelsey Cummings wrote:
> My mail sorting rules are going crazy already!

And I thought I was messing something up.

Mine only look for "clamav" in the List-Id header. (I route clamav-users and clamav-announce to the same folder.) They never blinked. Sometimes it's better not to be *too* specific.

-- 
Kelson Vibber
SpeedGate Communications
Re: [Clamav-users] Updating to clamav 8 from 7.5 on Redhat8
Patrick Boutilier wrote:
> On 11/03/2004 04:25 PM, tester wrote:
>> So now i am thinking that maybe i need to uninstall .75 and then try installing .80 but i do not know how to uninstall .75
>
> rpm -e clamav

Or rather,

rpm -e clamav clamav-db clamd

DAG divides clamav into 4 packages (clamav, clamav-milter, clamav-db, clamd) instead of just the 2 (clamav and clamav-milter) in the default RPM spec. Unfortunately, that means if you upgrade from DAG's package to a home-grown one, you can't just use rpm -Uvh like you would in most situations.

-- 
Kelson Vibber
SpeedGate Communications
Re: [Clamav-users] ClamAV should not try to detect phishing and other social engineering attacks
Bart Silverstrim wrote:
> I find it interesting though that I've yet to hear from anyone commenting on my proposal to create a filter that will extract and convert all emails into pure text, or reformat it so only certain things can get through as an attachment with a pure text message so it would be "defanged" of scripts, web content, potential scripting exploits, etc... I'm honestly beginning to wonder how hard that would be to make and whether it may be of use for some sites. Draconian, yet it would be extremely handy in stopping the maliciousness of viruses or spam tricks... dynamically rewriting all email to a "standard" format.

I believe you can do this with Can-It Pro. http://www.roaringpenguin.com/

They're the authors of MIMEDefang. Can-It is their commercial product, and a much more thorough solution.

-- 
Kelson Vibber
SpeedGate Communications
[Clamav-users] Re: defanging HTML, was ClamAV should not try to detect phishing and other social engineering attacks
Peter J. Holzer wrote:
> I was under the impression that MIMEDefang can do this. But I'm afraid my users wouldn't like it, so I never looked into it closely. That said I think this is very easy to implement:
>
> Check if a mime entity is multipart/alternative with a text part: If it is, replace it with the text part.

I know MD can do this much *very* easily -- there's a built-in function, remove_redundant_html_parts, that you can call in filter_end. All you have to do is uncomment it in the example filter.

> Otherwise, if it is HTML, filter it through w3m, lynx, or some other html to text converter.

This can probably be done using action_external_filter, but you still need to figure out which parts to convert and which to discard, pick a parser (as Matthew pointed out, there can be security concerns here), change the mime type, etc.

-- 
Kelson Vibber
SpeedGate Communications
Re: [Clamav-users] Virus naming
Carnegie, Martin wrote:
> This is the ability to identify mass-mailing viruses based on the name of the virus detected. For example the W32.Beagle (or Bagle) from Symantec shows up as [EMAIL PROTECTED] This means that can then drop any messages with the @mm instead of just removing the attachment and sending on to the client.

Depending on who named the virus first, ClamAV will either use the "@mm" suffix or the "Worm." prefix. It's not 100% consistent, but the information is there.

Because we use more than one virus scanner (with, naturally, different naming schemes), we check for @mm, Worm., and a few specific names to decide how to handle the message. (FWIW, we use MIMEDefang to integrate the scanners and discard/reject/disinfect messages.)

-- 
Kelson Vibber
SpeedGate Communications
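An added example, not from the thread and not MIMEDefang's code, of the name-based policy described here and in the "Notification E-mail" post above: it parses clamd-style result lines, classifies mass-mailers by the "Worm." prefix, the "@mm" suffix or a hand-kept list, and maps each result to an action. The discard-versus-reject mapping, the tempfail on scanner errors, and every sample name other than Worm.Sober.U and XF.Sic.L are assumptions.

```python
import re

# Name patterns the thread describes: depending on who named the virus
# first, ClamAV uses either the "Worm." prefix or the "@mm" suffix for
# mass-mailers. The set stands in for the "few specific names" a site
# keeps by hand; its one entry is a constructed placeholder.
MASS_MAILER_PREFIXES = ("Worm.",)
MASS_MAILER_SUFFIXES = ("@mm", "@MM")
KNOWN_MASS_MAILERS = {"Example.MassMailer-1"}      # hypothetical name

# One result line of clamd/clamdscan output: "<path>: <name> FOUND",
# "<path>: OK", or "<path>: <reason> ERROR" (e.g. "RAR module failure ERROR").
RESULT_LINE = re.compile(
    r"^(?P<path>.*?): (?:(?P<name>\S+) FOUND|OK|(?P<err>.*) ERROR)$"
)


def is_mass_mailer(name: str) -> bool:
    return (name.startswith(MASS_MAILER_PREFIXES)
            or name.endswith(MASS_MAILER_SUFFIXES)
            or name in KNOWN_MASS_MAILERS)


def parse_result(line: str):
    """Return ("clean", None), ("found", name) or ("error", reason)."""
    m = RESULT_LINE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised scanner output: {line!r}")
    if m.group("name"):
        return "found", m.group("name")
    if m.group("err") is not None:
        return "error", m.group("err")
    return "clean", None


def decide(line: str) -> str:
    """Policy (an assumption, not the thread's): a mass-mailer forges its
    sender, so rejecting would only bounce to an innocent third party and
    the message is discarded; other malware is rejected at SMTP time so the
    real sender finds out; a scanner error is deferred (tempfail) rather
    than letting the message through unscanned."""
    status, value = parse_result(line)
    if status == "clean":
        return "accept"
    if status == "error":
        return "tempfail"
    return "discard" if is_mass_mailer(value) else "reject"


# Constructed sample output. Worm.Sober.U and XF.Sic.L appear elsewhere in
# this archive; the other names and the spool path are made up to exercise
# each branch.
SAMPLE = """\
stream: Worm.Sober.U FOUND
stream: XF.Sic.L FOUND
stream: Bagle.AA@mm FOUND
stream: Example.MassMailer-1 FOUND
/var/spool/MIMEDefang/mdefang-1/Work/msg-1.txt: OK
stream: RAR module failure ERROR
"""


def decide_all(text: str = SAMPLE) -> list:
    return [decide(line) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for line, action in zip(SAMPLE.splitlines(), decide_all()):
        print(f"{action:8s} <- {line}")
```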
Re: [Clamav-users] Sendmail Milter
Nigel Horne wrote:
> On Friday 14 Jan 2005 04:30, WES wrote:
>> I have installed and tested ClamAV (.80-2) which starts up clamd and runs without a problem. Also I have installed clamav-milter (.80-2). I included in my sendmail.mc file the suggested:
>>
>> INPUT_MAIL_FILTER(‘clmilter’, ‘S=local:/var/run/clamav/clmilter.sock,F=,T=S:4m;R:4m’)dnl
>> define(‘confINPUT_MAIL_FILTERS’, ‘clmilter’)dnl
>
> Looks to me as though you've used the wrong opening quote character.

And closing quote character. IIRC, it should open with an ASCII backtick (`) and close with a (vertical) ASCII apostrophe (')

-- 
Kelson Vibber
SpeedGate Communications
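An added check, not from the thread, for exactly this mistake: it flags typographic quote characters in sendmail.mc macro calls, verifies each argument is quoted as `...' (bare words are accepted, since m4 does not require quotes around them), and rewrites the quotes to the ASCII characters m4 expects. The two sample lines are the ones from the post.

```python
import re

# Typographic quotes that mail clients and web pages substitute for m4's
# ASCII quote characters when a config line is pasted.
BAD_QUOTES = {
    "\u2018": "`",   # left single quotation mark   -> opening backtick
    "\u2019": "'",   # right single quotation mark  -> closing apostrophe
    "\u201c": "`",   # left double quotation mark
    "\u201d": "'",   # right double quotation mark
}

# A sendmail.mc macro call: NAME(args)dnl
M4_CALL = re.compile(r"^(\w+)\((.*)\)\s*(?:dnl\b.*)?$")
BARE_WORD = re.compile(r"^\w+$")     # m4 accepts these unquoted


def split_args(args: str) -> list:
    """Split macro arguments on commas that are not inside `...' quotes,
    so the commas in S=...,F=,T=... stay with their argument."""
    parts, cur, depth = [], [], 0
    for ch in args:
        if ch == "`":
            depth += 1
        elif ch == "'" and depth:
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts


def check_line(line: str) -> list:
    """Return the problems on one sendmail.mc line (empty list = fine)."""
    problems = []
    for ch in sorted(set(line)):
        if ch in BAD_QUOTES:
            problems.append(f"non-ASCII quote U+{ord(ch):04X}; m4 wants {BAD_QUOTES[ch]}")
    m = M4_CALL.match(line.strip())
    if m and m.group(2).strip():
        for arg in split_args(m.group(2)):
            arg = arg.strip()
            if BARE_WORD.match(arg):
                continue
            if not (arg.startswith("`") and arg.endswith("'")):
                problems.append(f"argument not quoted as `...': {arg}")
    return problems


def fix_line(line: str) -> str:
    """Replace typographic quotes with the ASCII characters m4 expects."""
    return "".join(BAD_QUOTES.get(ch, ch) for ch in line)


# The two lines as they appeared in the post (U+2018/U+2019 quotes).
POSTED = [
    "INPUT_MAIL_FILTER(\u2018clmilter\u2019, \u2018S=local:/var/run/clamav/clmilter.sock,F=,T=S:4m;R:4m\u2019)dnl",
    "define(\u2018confINPUT_MAIL_FILTERS\u2019, \u2018clmilter\u2019)dnl",
]


def report(lines: list = POSTED) -> dict:
    """Problems per line before and after fixing."""
    return {"before": [check_line(l) for l in lines],
            "after": [check_line(fix_line(l)) for l in lines]}


if __name__ == "__main__":
    for line in POSTED:
        for problem in check_line(line):
            print(problem)
        print("fixed:", fix_line(line))
```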
Re: [Clamav-users] Very good (short) Article on New Technique by VirusAuthors
Tomasz Kojm wrote:
>> Is there some licensing issue prohibiting them from unpacking the
>
> A technical issue - the archives are encrypted.

I see it's possible to use unrar as an external tool with clamscan. Is there a way to get clamd to do the same?

We've been seeing a jump in "RAR module failure ERROR" messages over the last few days. (At first I thought something had broken in 0.81, since they started the same day I upgraded.)

-- 
Kelson Vibber
SpeedGate Communications
Re: [Clamav-users] Virus Name
Brian Morrison wrote:
> Well two things come to mind. It isn't ClamAV's job to block spam, only viruses and immediately identifiable deceptions like phishing attacks.

...like a trojan spread by email that, after installing itself, serves as a spam proxy?

> Secondly, the only clue about the path taken is in the mail headers, ClamAV is really a body scanning tool so again it isn't designed to identify the attack approach you mention.

The question didn't seem to be about blocking spam sent using this approach, it seemed to be about blocking distribution of the trojan that would enable it. In other words... "Does anyone know which trojan/virus/etc. does this, and does ClamAV detect it?"

-- 
Kelson Vibber
SpeedGate Communications
Re: [Clamav-users] Tool to upgrade
P.V.Anthony wrote:
> I started with rpm. It is great as a beginner. Like what Dale Walsh said compiling is the best. In fact I started to learn how to compile because of clamav. With anti-virus software things are changing all the time and if you have to wait for an rpm, you will be late. Spend the time to learn how to compile. It is really worth the time. And the best part is that it is not difficult.

Actually, you're better off learning to build your own RPMs if the distribution you're using is RPM-based. You can upgrade without worrying about old files lying around, and rolling back to the previous version is a snap. Plus if you need to replace something that comes with the OS (like Sendmail or Apache) that other packages depend on, you don't have to convince them that yes, the libraries really are there, just not in the RPM database... because they really *are* in the database, and they're the libraries you compiled, with your options, patches and optimizations, built from the newer version your distro isn't willing to package because they prefer backporting fixes to upgrading.

-- 
Kelson Vibber
SpeedGate Communications
Re: [Clamav-users] [CLA-2005:928] Conectiva Security Announcement - clamav
Sam wrote:
> That's odd. I've subscribed to Bugtraq for years, and they are usually right on the spot with announcements like this. .80 hasn't been current for what, two months?

In this case I don't think it's BugTraq that's slow, I think it's Conectiva. The CVE already lists advisories for Gentoo and Mandrake (Jan. 31) and Trustix (Feb. 11).

-- 
Kelson Vibber
SpeedGate Communications
Re: [Clamav-users] possible new virus?
Bart Silverstrim wrote:
> Do I want to remove the hash before DisableDefaultScanOptions in order to get the sections to work?

No. This was discussed yesterday. There are options that are enabled by default, and DisableDefaultOptions wipes those and gives you a clean slate. You don't need it -- or want it! -- if you just want to enable additional features on top of the defaults.

-- 
Kelson Vibber
SpeedGate Communications
Re: [Clamav-users] Yum plus clamav
Sergio fernandez wrote:
> I am not sure if this has been asked in the past but I was wondering if there is a way to get YUM to update/upgrade clamav. Something along the lines of
>
> yum update clamav
>
> I am running FC3 with all the updates and Clamav 0.84
> Cheers

Dag Wieers' APT/Yum repository includes ClamAV, and he usually updates quickly: http://dag.wieers.com/home-made/apt/

-- 
Kelson Vibber
SpeedGate Communications
Re: [Clamav-users] sober.p and german adverts?
Bart Silverstrim wrote:
> On May 17, 2005, at 12:17 PM, Matt Fretwell wrote:
>> Bart Silverstrim wrote:
>>> Maybe even do a reverse check to see if there's a mail server on the sending system... how many systems would break doing a check like that?
>>
>> The sending server isn't guaranteed to be a MX, so any DNS MX or reverse connection tests would fail.
>
> No guarantees in life :-)

Actually, having separate servers for incoming and outgoing mail is quite common. That's why people have tried to devise standards like RMX, SPF, Caller-Id, Sender-Id, and Domain Keys instead of just making the simple MX check you suggest. And even *those* solutions have problems.

-- 
Kelson Vibber
SpeedGate Communications
Re: [Clamav-users] sober.p and german adverts?
Matt Fretwell wrote:
> SAV probes are little less than content free spam. I have firewall rules for offenders who don't cache their SAV results for a reasonable amount of time. We get hammered by these non-stop.

We don't have rules targeting them specifically, but the badly-behaved ones dig their own virtual graves.

You see, we limit the number of concurrent connections a host can make to our mail server. Once they use up all their allotted connections on our primary MX, instead of doing something sensible, like noticing that they're trying to open a zillion simultaneous connections to the same server (all to verify the same forged address), they just drop to the next MX, use up those connections and drop to the next... Eventually they get down to our ultra-low priority decoy MX that we set up to attract spammers, and they land in our tar pit.

-- 
Kelson Vibber
SpeedGate Communications
Re: [Clamav-users] Spam from ClamAv digest lists.
G.W. Haywood wrote:
> I am subscribed to both the users and development digest lists. They are spamming me. Here are the last three clamav-users Digest mails in my ClamAv mailbox:
>
>  141 May 27 [EMAIL PROTECTED] (17K) clamav-users Digest, Vol 8, Issue 111
>  142 May 27 [EMAIL PROTECTED] (16K) clamav-users Digest, Vol 8, Issue 112
>  143 May 27 [EMAIL PROTECTED] (18K) clamav-users Digest, Vol 8, Issue 112
>
> As you can see, there are two volumes which are supposed to be Vol 8 Issue 112 but they are different. If I show you the headers from the last three issues you will see that in fact many of the messages are replicated in all of the last three issues.

All I can say is, you have a strange definition of spam. It sounds to me like a glitch in the digest feature. List admins?

-- 
Kelson Vibber
SpeedGate Communications
Re: [Clamav-users] scanning dll type files
Laurent Wacrenier wrote:
> On Fri 17 jui 09:43:00 2005, Joanna Roman wrote:
>> Can clamav scan dll type files? I don't see the clamav website mention that clamav can scan dll type files.
>
> DLL, as MS Windows dynamic library archives, are not a compressed format and so are not listed with them. Consider it as an ordinary binary file.

To further clarify: Yes, ClamAV can scan DLL files, just as it can scan EXE files. They're ordinary files, so no special process is needed to scan them.

-- 
Kelson Vibber
SpeedGate Communications
Re: [Clamav-users] For those who submitted adware/spyware samples
Niek wrote:
> If you want protection from ad-/spyware, get anti-spyware software.

I don't want to start up another flame war, but I really have to ask this question: Isn't email-borne spyware more in a virus scanner's domain than phishing is?

-- 
Kelson Vibber
SpeedGate Communications
Re: [Clamav-users] Question about Virus definitions
Pedro Silva wrote:
> During the last hours I have received several email containing the W32/Mytob-Fam (Sophos name), which were not caught by Clam. Can someone tell me why Clam is not detecting this virus?

Mytob seems to mutate insanely fast. According to the clamav-virusdb list, Clam seems to be adding several signatures a day for variations of this virus. Presumably Sophos is looking for a more generic signature that catches several variants instead of looking for lots of specific signatures.

-- 
Kelson Vibber
SpeedGate Communications
Re: [Clamav-users] WARNING: Your ClamAV installation is OUTDATED
Frank Sfalanga, Jr. wrote:
> I did have two versions. The original RPM installed to /usr/bin with the config files in /etc. The compiled version installed the binaries in /usr/local/bin and the config files in /usr/local/etc. I'm sure with all the correct ./configure switches I could override this behavior but being a neophyte I was only able to figure out and recompile with:

You're probably better off removing the RPM entirely, rather than writing over its files. It's cleaner that way, and easier to keep track of what version is actually installed.

-- 
Kelson Vibber
SpeedGate Communications
Re: [Clamav-users] Binary packages
Dennis Peterson wrote:
> Just be sure you've completely removed all the pieces of the previous
> ClamAV version - you cannot depend on the package installer to do any of
> this for you.

Isn't that the whole point of a package manager?

> This would include the executables, libraries, man pages,
> docs, config files, header files, init startup files, etc. And shut down
> any running clam processes before you start. I'd also examine the crontabs
> to see if you have any clam processes included there.

With the exceptions of running processes and manually-added crontab entries, I would expect a package manager to take care of *all* of that (and maybe even save a copy of my config files in case I wanted to reinstall). I mean, that's what you get with RPM, and people are always telling me that Debian has *better* package management.

-- 
Kelson Vibber
SpeedGate Communications
Re: [Clamav-users] Binary packages
Kelson wrote:
> Isn't that the whole point of a package manager?

Never mind -- I should have read the original post and realized he was upgrading from a manually-installed ClamAV to a packaged version. Under that circumstance, you *do* need to manually remove everything first before installing the package.

Sorry for wasting a few bits.

-- 
Kelson Vibber
SpeedGate Communications
Re: [Clamav-users] Somebody know where find rpm packages clamav 0.87.1 for Redhat 9 / Redhat 7.3
Dennis Peterson wrote:
> Yep - a fast box can build ClamAV from source in less than 5 minutes. It's really very simple - take the leap and build it from source. It's good for the soul.

Better yet, grab the SRPM of the release you've been using, grab the newer ClamAV source, and build your own RPM. All you have to do is:

- Install the SRPM ("rpm -ivh whatever.src.rpm")
- Put the new ClamAV source in /usr/src/redhat/SOURCES *
- Change the version number in /usr/src/redhat/SPECS/clamav.spec
- Run "rpmbuild -ba clamav.spec"

(Actually, RH 7.3 might be old enough to have the functionality in rpm instead of rpmbuild.)

That way you get the clean install/uninstall/etc. of RPM *plus* you have a current version that doesn't depend on someone else releasing an RPM.

* If you do this as root, it'll go into /usr/src/redhat. If you're going to do this a lot, you'll want to look up how to set up a tree in your home directory so you can build as yourself.

-- 
Kelson Vibber
SpeedGate Communications
Re: [Clamav-users] Worm.Sober.U not being recognized
Pete 'Wolfy' Hanson wrote:
> Running clamscan --detect-broken finds the message, and generates no errors, but clamav-milter does not find the message when it comes in. clamd.log shows:
>
> Nov 21 14:08:18 paz clamav-milter[26450]: [ID 788897 local7.notice] jALM6n0R027652: clean message from <[EMAIL PROTECTED]>

We've been detecting Worm.Sober.U here for a little over 2 hours (with daily.cvd 1182). If clamscan finds it, but clamav-milter doesn't, maybe for some reason clamd didn't load the updated database? Try restarting clamd and/or clamav-milter (I've never used the milter, so I'm not sure what's necessary) and see if that does it.

-- 
Kelson Vibber
SpeedGate Communications
Re: [Clamav-users] XF.Sic.L def is causing tons of false positives
Jan Pieter Cornet wrote:
> Maybe "tons" is slightly exaggerated? Out of approximately 10 million emails today, our logs show one hit for XF.Sic.L, and then another hit when that email was bounced because of the reject we gave.

If their customer is trying repeatedly to send "a bunch" of files that trigger false positives on that rule, then yes, they're going to see "tons" of them -- regardless of the number of hits in anyone else's logs.

-- 
Kelson Vibber
SpeedGate Communications
Re: [Clamav-users] ERROR: You must specify at least one database mirror.
At 05:59 AM 5/12/2004, Marc wrote:
> It could be that freshclam.conf is installed in /usr/local/etc (which is the default for clamav) after installing clamav 0.70 manually.

Also, wherever it is, check the permissions on freshclam.conf and the path leading to it. It should be readable by the user that is calling freshclam.

Kelson Vibber
SpeedGate Communications
Re: [Clamav-users] Recommendation RedHat replacement
At 11:57 AM 5/10/2004, Bora wrote:
> Sorry, this may not be appropriate to post here, but I know many of you are using RH and are figuring out new options as they are no longer offering free downloads for RH 7, 8 and 9.

Actually, you *can* still download older versions of RH from their FTP site. Just pick a mirror and look in the pub/redhat/linux area. But I assume you meant getting updates...

> So the question is, what do you recommend moving to? SuSE, Mandrake? I want to use something similar so I don't have to learn new tools and admin tasks.

We're keeping existing servers on Red Hat for now, and using updates from the Fedora Legacy project - www.fedoralegacy.org . Fedora Legacy intends to keep RHL 7.3 and 9 (and possibly 8) going as long as there is interest, and also to extend the update period of each Fedora Core version beyond its own official end-of-life. Another option for keeping older RHL systems running is the $5/machine/month Progeny Transition Service - http://transition.progeny.com/

As for what to put on new servers, we haven't decided yet here. I've had good experiences with Fedora Core 1 on workstations, but we'll probably avoid using it on servers for now. If you're interested, it's at http://fedora.redhat.com/ . FC1 really is Red Hat 10 renamed, so it has all the same tools you're used to, and most of the third-party packagers building for RHL have started building for Fedora Core as well. Plus it's the only distro you can upgrade a RHL system to without reinstalling.

If you like the way Red Hat works, there are also several RH-based distros you can look at. The only one I've really checked out so far is White Box Enterprise Linux ( www.whiteboxlinux.org ) which is a fork of the GPL'ed code used in RHEL 3 - and since everything in Red Hat is GPL except the name and logos, it's basically the whole thing. (Well, fork isn't the best term, since the intent is to keep it as close as possible to RH without violating trademarks, copyrights, and licenses.)

It uses the same packaging scheme and the same versions of everything, so third-party RPMs built for RHEL 3 should also work on WBEL. I installed it on a test box, and while I haven't done a whole lot with it, I haven't run into any problems with what I have tried.

I hope this helps!

Kelson Vibber
SpeedGate Communications
Re: [Clamav-users] Ethics Question
At 08:19 PM 6/10/2004, Bit Fuzzy wrote:
> At this point we are looking at 2 options.
> 1) Block offending IPs as they occur. -- Effective, but could be aggravating to potential customers

For about a month, we've been adding virus-generating IPs to a local blacklist with a 4-day expiration. It's a compromise, since it's possible for the IP to get reassigned during that time, but it has helped cut down our server load, and we've had two customers discover they were infected when they couldn't send email.

Then there was the one that tried to forward a virus message to an outside consultant asking "Should we be concerned about this?" I forget whether it had come in through another channel or just before freshclam picked up the signature, but they ended up on our blacklist because of the forward. So there are risks to anything.

Kelson Vibber
SpeedGate Communications
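The expiring blacklist described in the reply above, written out as an added example (this is not the poster's code, and the 4-day window, the in-memory store and the injected clock are assumptions made so it can be exercised without waiting four days). An address that sent a virus is listed for a fixed window and then drops off on its own, which is what limits the damage when the IP is reassigned to someone else in the meantime.

```python
"""Expiring IP blacklist: list a host that sent us a virus for a fixed window,
then forget it automatically.  Added example; the store is an in-memory dict
and the clock is injected for testing (both assumptions, not list-poster code)."""
import ipaddress
import time
from typing import Callable, Dict, List

FOUR_DAYS = 4 * 24 * 60 * 60  # seconds; the expiration used in the reply above


class FakeClock:
    """Test clock so expiry can be exercised without real waiting."""

    def __init__(self, start: float) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class ExpiringBlacklist:
    def __init__(self, ttl: float = FOUR_DAYS, clock: Callable[[], float] = time.time) -> None:
        self.ttl = ttl
        self.clock = clock
        self._expiry: Dict[str, float] = {}  # normalised address -> expiry timestamp

    @staticmethod
    def _norm(addr: str) -> str:
        """Canonicalise so case and IPv4-mapped IPv6 forms refer to one entry."""
        ip = ipaddress.ip_address(addr.strip())
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped  # "::ffff:203.0.113.5" is the same host as 203.0.113.5
        return str(ip)

    def add(self, addr: str) -> float:
        """List addr; a repeat offender has its window restarted. Returns expiry time."""
        expiry = self.clock() + self.ttl
        self._expiry[self._norm(addr)] = expiry
        return expiry

    def is_listed(self, addr: str) -> bool:
        """Check at SMTP connect time; unparseable peers can never match."""
        try:
            key = self._norm(addr)
        except ValueError:
            return False
        expiry = self._expiry.get(key)
        if expiry is None:
            return False
        if expiry <= self.clock():
            del self._expiry[key]  # lazily drop an expired entry on lookup
            return False
        return True

    def purge(self) -> int:
        """Drop every expired entry (e.g. from a periodic job); returns how many."""
        now = self.clock()
        stale = [k for k, exp in self._expiry.items() if exp <= now]
        for k in stale:
            del self._expiry[k]
        return len(stale)

    def __len__(self) -> int:
        return len(self._expiry)


def demo() -> List[object]:
    """Constructed timeline: one infected host, checked before, during and after the window."""
    clock = FakeClock(start=1_000_000.0)
    bl = ExpiringBlacklist(clock=clock)
    results: List[object] = []
    results.append(bl.is_listed("203.0.113.5"))          # never seen: not listed
    bl.add("203.0.113.5")                                 # virus received from this host
    results.append(bl.is_listed("::ffff:203.0.113.5"))    # same host, v4-mapped form: listed
    clock.advance(3 * 24 * 3600)
    results.append(bl.is_listed("203.0.113.5"))          # day 3: still inside the window
    clock.advance(1 * 24 * 3600 + 1)
    results.append(bl.is_listed("203.0.113.5"))          # window elapsed: dropped
    results.append(len(bl))                               # nothing left in the table
    return results


if __name__ == "__main__":
    print(demo())
```

In a real milter the `is_listed` check would run at connect time against the peer address and `add` would run when the scanner flags a message; a separate cron-style job calling `purge` keeps the table from growing with hosts that never reconnect.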
Re: [Clamav-users] New virus/worm ???
At 10:58 AM 8/9/2004, Michael Brennen wrote:
> Just in the last few minutes I've started getting hit with several copies of a zip packaged exe file from widely varying sources. The names are of the form 'price.*\.zip'. I've submitted a copy online and it was accepted. Anyone else seeing this?

Tons of 'em. Run freshclam -- update 444 picks it up as Trojan.JS.RunMe.

Kelson Vibber
SpeedGate Communications
Re: [Clamav-users] Downloading clam virus definition files automatically
At 02:13 AM 8/20/2004, Fajar A. Nugraha wrote:
> Nigel Horne wrote:
>> Is it possible to use HEAD to reduce load?
> I believe it already uses RANGE, so traffic wise the load is greatly reduced.

Wouldn't it be more efficient to use Etags and/or If-Modified-Since and let the server issue a "304 Not Modified" response? HTTP has built-in methods to help clients avoid downloading duplicate files. (In theory, the server could issue this response without even opening the file.)

Pardon me if this has been covered in one of the recent threads -- after a while they got so long that I gave up reading them.

Kelson Vibber
SpeedGate Communications
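The conditional-request exchange proposed above, as an added example that is neither freshclam's code nor a mirror's: the client sends back the ETag and Last-Modified of the copy it already has, and the server answers 304 Not Modified from metadata alone when nothing changed, sending a body only for a new version. Both sides run in-process here; the resource name, the ETag format (version and size) and the sample bodies are assumptions.

```python
"""Conditional GET for database updates, simulated in-process.
Added example (not freshclam or mirror code): client keeps ETag/Last-Modified,
server answers 304 from metadata alone when the copy is current."""
from datetime import datetime, timezone
from email.utils import format_datetime, parsedate_to_datetime
from typing import Dict, Optional, Tuple


class Resource:
    """Server-side view of one file (e.g. daily.cvd): metadata plus body."""

    def __init__(self, body: bytes, mtime: datetime, version: int) -> None:
        self.body = body
        self.mtime = mtime.replace(microsecond=0)  # HTTP dates have second resolution
        self.etag = f'"{version}-{len(body)}"'      # assumed strong ETag: changes per publish


def build_request_headers(cache: Optional[dict]) -> Dict[str, str]:
    """Client side: validators for the copy we hold, or nothing on a first download."""
    if not cache:
        return {}
    return {"If-None-Match": cache["etag"], "If-Modified-Since": cache["last_modified"]}


def handle(req: Dict[str, str], res: Resource) -> Tuple[int, Dict[str, str], bytes]:
    """Server side: 304 if the client's validators match, else 200 with the body."""
    headers = {"ETag": res.etag, "Last-Modified": format_datetime(res.mtime, usegmt=True)}
    inm = req.get("If-None-Match")
    if inm is not None:
        # RFC 7232: when If-None-Match is present, If-Modified-Since is ignored.
        tags = [t.strip() for t in inm.split(",")]
        if "*" in tags or res.etag in tags:
            return 304, headers, b""
    elif "If-Modified-Since" in req:
        try:
            since = parsedate_to_datetime(req["If-Modified-Since"])
        except (TypeError, ValueError):
            since = None  # malformed date: ignore the condition and send the body
        if since is not None and res.mtime <= since:
            return 304, headers, b""
    headers["Content-Length"] = str(len(res.body))
    return 200, headers, res.body


def fetch(cache: Optional[dict], res: Resource) -> Tuple[int, Optional[dict]]:
    """One client round trip; returns the status and the (possibly updated) cache."""
    status, headers, body = handle(build_request_headers(cache), res)
    if status == 304:
        return 304, cache  # keep what we have; the server never touched the body
    return 200, {"etag": headers["ETag"], "last_modified": headers["Last-Modified"], "body": body}


def demo() -> dict:
    """Constructed sequence: first download, no change, new version, no change again."""
    t0 = datetime(2004, 8, 20, 6, 10, tzinfo=timezone.utc)
    daily = Resource(b"ClamAV-VDB:daily 444 (constructed sample body)", t0, version=444)
    s1, cache = fetch(None, daily)
    s2, cache = fetch(cache, daily)
    daily = Resource(b"ClamAV-VDB:daily 445 (constructed sample body)", t0.replace(hour=7), version=445)
    s3, cache = fetch(cache, daily)
    s4, cache = fetch(cache, daily)
    return {
        "statuses": [s1, s2, s3, s4],
        "cached_etag": cache["etag"] if cache else None,
        # clients sending only If-Modified-Since: current copy, stale copy, garbage date
        "ims_current": handle({"If-Modified-Since": "Fri, 20 Aug 2004 07:10:00 GMT"}, daily)[0],
        "ims_stale": handle({"If-Modified-Since": "Fri, 20 Aug 2004 06:10:00 GMT"}, daily)[0],
        "ims_garbage": handle({"If-Modified-Since": "yesterday"}, daily)[0],
    }


if __name__ == "__main__":
    print(demo())
```

The point of the ETag path is that the server compares two short strings and never reads the file; a Range request still costs the mirror a file open and a seek even when the client already has everything.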
Re: [Clamav-users] Downloading clam virus definition files automatically
At 03:31 PM 8/20/2004, Rajanikanth P wrote:
> But I have a problem here. Assume that clam updates are published at 6:10 PM. I check for new updates at 6:05, so the next time I'm going to check is at 7:05. It just means that after 55 mins I got the updates. And within these 55 minutes thousands and thousands of, say, a worm which is in the wild arrives at my mail server and clam does not detect it and it passes out. What do I do?

Another possibility: Set up a hard-to-guess email address. Subscribe it to the clamav announce list and nothing else. Don't post it, don't use it. You may even want to set it up to reject anything that doesn't come from the announce list.

Then set up a cron job to check the modification time of the mailbox every few minutes. If it's newer than it was last time, run freshclam.

Sure, you're at the mercy of email traffic speeds, but it'll usually get there in less than the 59-minute worst-case.

Kelson Vibber
SpeedGate Communications
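The cron job sketched above, as an added example (not a ClamAV tool): it compares the mailbox's modification time with the one recorded on the previous run and, when a new message has landed, records the new time and runs the update command. The mailbox and state-file paths and the `freshclam` command line are assumptions; the demo substitutes a no-op command so it runs anywhere.

```python
"""Run the signature update once per new announce-list message.
Added example of the cron-job idea in the reply above; paths and the update
command are assumptions.  Intended to be run every few minutes from cron."""
import os
import subprocess
import sys
import tempfile
from typing import List, Optional, Sequence


def mailbox_changed(mailbox: str, state_file: str) -> bool:
    """True if the mailbox is newer than the mtime stored in state_file (or no state yet)."""
    try:
        current = os.stat(mailbox).st_mtime
    except FileNotFoundError:
        return False  # no mailbox yet: nothing has arrived, nothing to do
    try:
        with open(state_file) as f:
            last = float(f.read().strip() or "0")
    except (FileNotFoundError, ValueError):
        last = 0.0  # first run, or a corrupt state file: treat as changed
    return current > last


def record_mtime(mailbox: str, state_file: str) -> None:
    """Persist the mailbox mtime atomically so a crash mid-write leaves valid state."""
    tmp = state_file + ".tmp"
    with open(tmp, "w") as f:
        f.write(repr(os.stat(mailbox).st_mtime))
    os.replace(tmp, state_file)


def check_and_update(mailbox: str, state_file: str,
                     command: Sequence[str] = ("freshclam",)) -> Optional[int]:
    """Run `command` once per mailbox change; returns its exit status, or None if unchanged.
    The mtime is recorded before running so a persistently failing update is not
    retried every few minutes (the regular hourly freshclam run still covers that)."""
    if not mailbox_changed(mailbox, state_file):
        return None
    record_mtime(mailbox, state_file)
    return subprocess.run(list(command)).returncode


def demo() -> List[Optional[int]]:
    """Constructed mailbox in a temp dir, with a no-op standing in for freshclam."""
    results: List[Optional[int]] = []
    noop = [sys.executable, "-c", "pass"]
    with tempfile.TemporaryDirectory() as d:
        mbox = os.path.join(d, "clamav-announce")
        state = os.path.join(d, "clamav-announce.mtime")
        results.append(check_and_update(mbox, state, noop))  # no mailbox yet -> None
        with open(mbox, "w") as f:
            f.write("From announce (constructed sample message)\n")
        os.utime(mbox, (1_000_000, 1_000_000))               # explicit mtime for the test
        results.append(check_and_update(mbox, state, noop))  # first message -> update ran (0)
        results.append(check_and_update(mbox, state, noop))  # nothing new -> None
        with open(mbox, "a") as f:
            f.write("From announce (constructed sample message 2)\n")
        os.utime(mbox, (1_000_600, 1_000_600))
        results.append(check_and_update(mbox, state, noop))  # new message -> update ran (0)
    return results


if __name__ == "__main__":
    if len(sys.argv) == 3:  # e.g. */5 * * * * /path/to/this.py /var/mail/announce /var/lib/announce.mtime
        rc = check_and_update(sys.argv[1], sys.argv[2])
        sys.exit(0 if rc is None else rc)
    print(demo())
```

Delivery time on the mailbox directory is what the check keys on, so a mailbox that gets touched for other reasons (a mail client opening it, a compaction pass) will also trigger a run; that is harmless, since freshclam exits quickly when there is nothing new.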
Re: [Clamav-users] Triggering freshclam with procmail
Harry Phillips wrote:
> I was wondering if it is possible and if it is advisable to trigger freshclam when I receive a message that the daily database has been updated.

I used to do this, but it's no longer necessary now that freshclam can check for updates via a DNS query. You can run it as a daemon, or hourly via cron and not put too much load on the update servers. Linking it to the mailing list no longer provides much of an advantage.
Re: [Clamav-users] RE: Report infected mail to the user
Michael wrote:
>> But you do not know the sender. You only know an address that the virus presents as the sender address. And you trust the virus...
> Ok, I see you must have experience. Are there really so many virus senders who specify a fake, real, existing mail address?

YES! All major email viruses do that these days. The virus makes a list of email addresses, whether from an address book, cached web pages, local documents, a Google search, etc. Many viruses just pick two of those addresses at random and use one for the sender and the other for the recipient. Others just pick the recipient and choose a likely admin address for their domain, like [EMAIL PROTECTED], [EMAIL PROTECTED], etc. -- and those often exist.

-- 
Kelson Vibber
SpeedGate Communications
Re: [Clamav-users] RE: Report infected mail to the user
Jan Pieter Cornet wrote:
> I believe it's way easier to do the opposite: list only viruses that do NOT fake the sender. The only ones you'd expect to find in email are things like eicar, joke and macro viruses.

I just check for a small list (Mimail, Sober, etc.), plus anything that starts with "Worm." or contains "@mm". @MM is used by Norton, McAfee and others to indicate a worm that does its own mass mailing. Yeah, the criteria are slightly different -- it's looking for self-mailers and worms rather than specifically self-mailers that forge the sender -- but it does the job here.

-- 
Kelson Vibber
SpeedGate Communications
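The sender-notification rule from the two replies above (do not notify on mass-mailers, which forge the sender; do notify on things like EICAR that were really sent by that address), as an added example rather than ClamAV's or the poster's code. The name list holds only the two families the reply names; the other signature names in the sample data are constructed, and the null-sender check is an addition so a bounce never triggers a notification.

```python
"""Should we notify the apparent sender of an infected message?
Added example of the name-based rule above (not ClamAV code): Worm.* names,
*@mm* names and a short family list are treated as sender-forgers."""
import re
from typing import List, Tuple

KNOWN_FORGERS = ("Mimail", "Sober")  # the "small list" in the reply; extend locally

FORGER_PATTERNS = [
    re.compile(r"^Worm\.", re.IGNORECASE),                     # ClamAV worm names
    re.compile(r"@mm", re.IGNORECASE),                         # Norton/McAfee mass-mailer tag
    re.compile(r"(?:^|\.)(?:%s)(?:\.|$)" % "|".join(KNOWN_FORGERS), re.IGNORECASE),
]


def forges_sender(signature: str) -> bool:
    """True when the detected family is known to put a harvested address in From."""
    sig = signature.strip()
    return any(p.search(sig) for p in FORGER_PATTERNS)


def notify_sender(signature: str, envelope_from: str) -> bool:
    """True only when a notification would plausibly reach whoever sent the file."""
    sender = envelope_from.strip()
    if sender in ("", "<>"):  # null reverse path (a bounce): nobody to tell
        return False
    return not forges_sender(signature)


def demo() -> List[Tuple[str, bool]]:
    """Constructed scan results: (signature, envelope sender) -> notify?"""
    events = [
        ("Worm.Sober.U", "alice@example.com"),          # worm: address was harvested
        ("Eicar-Test-Signature", "bob@example.com"),    # test file: really sent by bob
        ("Sample.Mailer@MM", "carol@example.com"),      # constructed @MM name: forger
        ("Sample.Mimail", "dave@example.com"),          # constructed name in the family list
        ("Trojan.JS.RunMe", "eve@example.com"),         # not a worm: the rule notifies
        ("Worm.Sober.U", "<>"),                         # bounce: no one to notify
    ]
    return [(sig, notify_sender(sig, frm)) for sig, frm in events]


if __name__ == "__main__":
    for sig, decision in demo():
        print(f"{sig:24} notify={decision}")
```

The Trojan.JS.RunMe row shows the limitation the reply concedes: the rule keys on worms and self-mailers, so a trojan that also arrives with a forged sender would still generate a notification unless its family is added to the list.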