RE: [Clamav-users] Re: Clamav-users digest, Vol 1 #839 - 4 msgs
> From: Gavin Aiken [mailto:[EMAIL PROTECTED]]
> The only case I'm worried about is what happens if our primary MX (which is
> my box and had clamav installed) is offline for whatever reason (eg SDSL
> down), and the mail gets routed via our secondary MX machines, which are at
> Easynet and don't do any of this checking.

This is probably more of a concern than you think. There are plenty of viruses out there that will connect to the highest-number MX, rather than the lowest - precisely to get around the most-heavily-armored servers.

[EMAIL PROTECTED] 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com Software Engineer
perl -e"map{y/a-z/l-za-k/;print}shift" "Jjhi pcdiwtg Ptga wprztg,"

---
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_idG21&alloc_id040&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users
RE: [Clamav-users] My.Doom.o
> From: Jim Maul [mailto:[EMAIL PROTECTED]]
> Quoting Shayne Lebrun <[EMAIL PROTECTED]>:
>
> >> I like virii - it sounds important and like something
> >> that can be on the ER equivalent for geeks...
> >
> > Perhaps, but if you were to actually pluralize it using Latin rules, the
> > result would be 'viri.'
>
> Wouldn't that be plural of man?
>
> Jim

Never thought of viri, but it makes sense...

hippopotamus -> hippopotami
radius -> radii (probably where "virii" comes from)
virus -> viri (of course!)

FWIW, Dictionary.com comes down squarely on the side of viruses:

http://dictionary.reference.com/search?q=virus - pl. viruses
http://dictionary.reference.com/search?q=viri - no terms found
http://dictionary.reference.com/search?q=virii - no terms found
http://dictionary.reference.com/search?q=viruses - 3 terms found
RE: [Clamav-users] LocalSocket Error in CLAMAV .75
Silly Billy wrote:
> while executing this command to configure Clamav ...
>
> perl -pi -e "s/^LocalSocket /tmp/clamd/LocalSocket /var/run/clamav/clamd/g" /etc/clamav.conf

You're using slashes as your s/// delimiter and also as your directory separator. Try

perl -pi -e "s(^LocalSocket /tmp/clamd)(LocalSocket /var/run/clamav/clamd)" /etc/clamav.conf

or maybe

perl -pi -e "s/^LocalSocket \/tmp\/clamd/LocalSocket \/var\/run\/clamav\/clamd/" /etc/clamav.conf
RE: [Clamav-users] contrib/init/RedHat suggested patch
Damian Menscher wrote:
> For most mailserver admins, the danger of losing our jobs
> is much greater if we tempfail all incoming mail due to a clamav crash
> than is the danger of losing our jobs due to a couple of viruses leaking
> through.

s/most/some/;

Spoken as one who has never gotten burned by a virus. Many organizations have their strongest anti-virus protection at the perimeter. Once through ClamAV, viruses can spread like wildfire.
RE: [Clamav-users] Downloading clam virus definition files automatically
Rajanikanth P wrote:
> Hello D.J. Fan,
>
> But I have a problem here. Assume that clam updates are published at
> 6:10 PM. I check for new updates at 6:05 so the next time I gonna
> check is at 7:05 it just means that after 55 mins I got the updates.
> And within this 55 minutes thousands and thousands of say ..a worm
> which is in wild arrives to my mailserver and clam does not detect it
> & it passes out what do I do ?

This is where "phone-tree" solutions become interesting - the first person to hear something calls the head of the phone tree. They call five pre-set people. Each of those people calls five more people. Etc., etc.

Get together with five other organizations that use ClamAV. Each of you check at one of :05, :15, ... :55. If any one of you realizes that there's a new version, tell the other four.
RE: [Clamav-users] Downloading clam virus definition files automatically
Matthew van Eerde wrote:
> Rajanikanth P wrote:
> > Hello D.J. Fan,
> >
> > But I have a problem here. Assume that clam updates are published at
> > 6:10 PM. I check for new updates at 6:05 so the next time I gonna
> > check is at 7:05 it just means that after 55 mins I got the updates.
> > And within this 55 minutes thousands and thousands of say ..a worm
> > which is in wild arrives to my mailserver and clam does not detect it
> > & it passes out what do I do ?
>
> Get together with five other organizations that use ClamAV.
> Each of you check at one of :05, :15, ... :55. If any one of
> you realizes that there's a new version, tell the other four.

A more practical solution is to do what I plan to do.

Reject anything that is a *known* virus

Accept but quarantine everything that isn't a known virus, but *looks* like a virus (.exe, .zip, etc.) Have at least a two-hour cooling-off period to give your definitions a chance to catch up to the virus writers - then rescan before you deliver it to the recipient.

Pulling false positives out of quarantine is a pain - but much less of a pain than having to clean up a network-wide infection.
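The cooling-off rescan the post describes, written out as a cron job (an added example, not code from the post or from the ClamAV project). It assumes an MTA-side hook has already parked clean-but-suspicious messages as one file per message under a quarantine directory; the directory names, the two-hour default and the use of clamdscan's exit codes (0 clean, 1 infected, 2 error) are this example's assumptions. The attachment-name test the first stage would use is included so both stages are visible in one place.

```shell
#!/bin/sh
# Added example (not from the list post): second stage of the quarantine scheme.
# An MTA hook (not shown) has parked clean-but-suspicious mail (.exe, .zip, ...)
# as one file per message in QUARANTINE_DIR. This job runs from cron and only
# touches files that have sat there for COOLING_MINUTES, so the rescan sees
# signatures that much newer than the ones the message was first scanned with.
# Directory names and the scanner are assumptions, not ClamAV defaults.

QUARANTINE_DIR="${QUARANTINE_DIR:-/var/spool/quarantine/pending}"
RELEASE_DIR="${RELEASE_DIR:-/var/spool/quarantine/release}"    # MTA delivers from here
INFECTED_DIR="${INFECTED_DIR:-/var/spool/quarantine/infected}"
COOLING_MINUTES="${COOLING_MINUTES:-120}"                       # the post's two hours
SCANNER="${SCANNER:-clamdscan}"                                 # exit 0 clean, 1 infected, 2 error

# risky_name NAME -> true when an attachment name is on the "looks like a
# virus" list from the post (.exe, .zip) plus common kin. Stage-1 criterion.
risky_name() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *.exe|*.zip|*.scr|*.pif|*.com|*.bat|*.vbs) return 0 ;;
        *) return 1 ;;
    esac
}

# cooled_off FILE MINUTES -> true when FILE's mtime is more than MINUTES old
cooled_off() {
    [ -n "$(find "$1" -prune -mmin +"$2" 2>/dev/null)" ]
}

# rescan_quarantine -> rescans every cooled-off file and prints how many were
# released. Scanner errors (exit 2) leave the file in place for the next run
# instead of releasing it.
rescan_quarantine() {
    released=0
    for f in "$QUARANTINE_DIR"/*; do
        [ -f "$f" ] || continue
        cooled_off "$f" "$COOLING_MINUTES" || continue
        rc=0
        "$SCANNER" --no-summary --quiet "$f" || rc=$?
        case $rc in
            0) mv "$f" "$RELEASE_DIR"/ && released=$((released + 1)) ;;
            1) mv "$f" "$INFECTED_DIR"/ ;;
            *) echo "scanner error $rc on $f, will retry next run" >&2 ;;
        esac
    done
    echo "$released"
}

# Run only when invoked as a job, so the file can be sourced for testing.
if [ "${1:-}" = "--run" ]; then
    rescan_quarantine
fi
```

The release directory is the hand-off point: whatever delivers from it must not re-quarantine, or messages loop. Anything the scanner cannot read stays put rather than being released, which is the failure mode to get right when the scanner daemon is down.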
RE: [Clamav-users] freshclam update and the minute of the hour
Damian Menscher wrote:
> It's really not hard to figure out the best time to update. Just write
> down all possible minutes, and cross off those that the average idiot
> would pick. ;)
>
> Damian Menscher

"Average idiot"s don't use freshclam. It takes a very special kind of idiot. ;)

Seriously, things like this are why /dev/random was invented. I suggest:

1) Pick a random number X between 0 and 59. Set up a cron job (described below) to run at X minutes past the hour, every hour.
2) Cron job, when run, does the following:
   A) Pick a random number (different every time) Y between 2 and 57. Sleep Y * 60 seconds.
   B) Run freshclam.

This should balance out the load quite well, if everyone does it.
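The two-level jitter from the post as an installable job (an added example, not code from the post or from ClamAV). Step 1 picks a per-host minute X once, at install time, and writes it into cron; step 2 sleeps a fresh Y*60 seconds on every run and only then calls freshclam. It reads /dev/urandom rather than the /dev/random the post names so the job never blocks on entropy; the job path is an assumption.

```shell
#!/bin/sh
# Added example (not from the list post): per-host minute chosen once at
# install, per-run sleep chosen fresh each hour. FRESHCLAM_JOB is assumed to
# be where this script is installed.

FRESHCLAM_JOB="${FRESHCLAM_JOB:-/usr/local/sbin/freshclam-jittered}"

# random_int LOW HIGH -> an integer in [LOW, HIGH], inclusive
random_int() {
    span=$(($2 - $1 + 1))
    # two random bytes as an unsigned decimal (0..65535); the modulo bias is
    # well under 0.1% for the spans used here
    r=$(od -An -N2 -tu2 /dev/urandom | tr -d ' ')
    echo $(($1 + r % span))
}

# cron_line -> step 1: an /etc/cron.d line firing at a fixed random minute of
# every hour. Generate it once and write it; do not regenerate per run.
cron_line() {
    echo "$(random_int 0 59) * * * * root $FRESHCLAM_JOB --run"
}

# jitter_seconds -> step 2A: Y*60 seconds with Y in [2, 57], new on every run
jitter_seconds() {
    echo $(( $(random_int 2 57) * 60 ))
}

# run_job -> step 2: sleep the jitter, then do a single check (no -d, cron
# provides the hourly cadence)
run_job() {
    sleep "$(jitter_seconds)"
    freshclam --quiet
}

if [ "${1:-}" = "--install" ]; then
    cron_line > /etc/cron.d/freshclam-jittered
elif [ "${1:-}" = "--run" ]; then
    run_job
fi
```

Keeping X fixed and Y varying is what spreads the fleet: the first choice decorrelates hosts from each other, the second decorrelates a single host from its own past runs, so no minute of the hour accumulates a crowd even when many sites adopt the same script.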
RE: [Clamav-users] Scan time limits?
Sean Hafeez wrote:
> I have a 384k line and someone is trying to send me a 100mb pdf. Can I
> set the time line higher or set it to just let the file thru?

:-O

My advice - get a gmail account and have them send it there.
RE: [Clamav-users] ClamAV on a Knoppix disk?
Brad Morgan wrote:
> Does anyone know if ClamAV has been packaged with any of the
> Live Linux CDs?
>
> I've got a Windows PC that keeps rebooting over and over and we suspect a
> virus. It would be nice to have a Live Linux CD with ClamAV that can
> freshclam somehow and then scan the PC harddrive.

Hmmm... if it's an IDE hard drive you could take it out, and put it in another machine as a secondary drive. Then you can scan it without booting to it.
RE: [Clamav-users] Notification E-mail
Steffen Heil wrote:
> Hi
>
>> We have Clam Av installed and running. It is blocking virus e-mails but
>> is not generating any notification.
>
> ... PLEASE only send a notification to the intended user, NOT to the
> author. This would cause a lot of collateral damage.

With one caveat. It is perfectly acceptable to place an explanatory message in an SMTP REJECT message. Something like

EHLO
(hi)
MAIL FROM
(ok)
RCPT TO
(ok)
DATA
(can't accept for delivery, contains the EICAR virus!)

If the mail is being sent by a virus, the virus will usually just give up and go on to the next recipient server on their list. No "you sent a virus" mail is sent to a (usually) innocent third party.

If the virus is a false positive, and is really good mail being sent by a legitimate mail server, the sending mail server will keep the responsibility of generating the undeliverable message.

It would be nice if the SMTP reject message was customizable - say, to include a phone number to call in case of false positives. I didn't see anything in the man pages for 0.75.1 - did I miss it?
RE: [Clamav-users] Notification E-mail
Nigel Horne wrote:
> On Monday 20 Sep 2004 22:45, Jonathan Pitcher wrote:
>> Is it possible to send a message onto the user that they had an
>> e-mail blocked? Or to an admin stating that [EMAIL PROTECTED] had a virus
>> sent to them?
>
> Yes it is, though the first option is not advisable. You can find how
> to by running "man clamav-milter".

It is precisely that manpage to which I was referring in my previous email. Is there a way to customize the SMTP rejection message? This only matters for false positives. But I'd like to provide a phone number for out-of-band conversations about false positives.

If there is no way to do this currently, can I submit this as a feature request for clamav-milter?
[Clamav-users] bug in clamav-milter PID file handling
There seems to be a problem with clamav-milter's --pidfile option. It successfully writes the PID to the file but then it also puts a trailing newline. This makes it unsuitable for the standard

kill `cat /the/pidfile`

trick. As a workaround this seems to work:

kill `head --bytes=-1 /the/pidfile`

but if the bug is fixed the workaround will delete a random process, which is never good.

What's the best way to submit this?
RE: [Clamav-users] bug in clamav-milter PID file handling
Matthew.van.Eerde wrote:
> There seems to be a problem with clamav-milter's --pidfile option.

I retract this. The --pidfile option is fine.
RE: [Clamav-users] bug in clamav-milter PID file handling
Doug Hardie wrote:
> On Sep 24, 2004, at 13:48, <[EMAIL PROTECTED]> wrote:
>
>> Matthew.van.Eerde wrote:
>>> There seems to be a problem with clamav-milter's --pidfile option.
>>
>> I retract this. The --pidfile option is fine.
>
> Line 1408 of clamav-milter.c has
>
> fprintf(fd, "%d\n", (int)getpid());
>
> which will put a \n at the end of the pid value in the pid file.

Yes but I retract my opinion that this is a problem.

kill `cat clamav-milter.pid`

wasn't working, and I wrongly blamed this on the newline. It turned out after experiment that

kill $PID

wasn't working either. But

killall clamav-milter

worked so I'm going with that.
RE: [Clamav-users] clamav-milter + sendmail won't talk to each other
Simon Christian wrote:
> Anyway, could someone please give me some reasons why this error might occur.
>
> Cheers
>
> Simon

There's some confusion here. There need to be TWO sockets. One is for clamd. The other is for clamav-milter. sendmail.mc needs to point to the clamav-milter socket. clamav-milter needs to produce this socket for sendmail, and also know where the clamd socket is.

It works like this:

sendmail -> clamav-milter.sock
clamav-milter -> clamd.sock
clamd scans and passes the result back to clamav-milter
clamav-milter tells sendmail what to do

sendmail.mc should have

INPUT_MAIL_FILTER(`clamav', `S=local:/var/run/clamav/milter.sock, F=T, T=S:4m;R:4m')dnl

/etc/clamav.conf (or clamd.conf for 8.x) should have

LocalSocket /var/run/clamav/clamd.sock

start clamd as

/usr/local/sbin/clamd

start clamav-milter as

/usr/local/sbin/clamav-milter -Cfq /var/run/clamav/milter.sock

FIRST start clamd, SECOND start clamav-milter, FINALLY start sendmail

___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
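A pre-flight check for the two-socket layout described above (an added example, not code from the post or from ClamAV). It reads the LocalSocket line from clamd.conf and the S=local: socket from the INPUT_MAIL_FILTER line in sendmail.mc, and fails when either is missing or when both name the same path, since pointing sendmail at clamd's socket produces exactly the "won't talk to each other" symptom. File locations are passed in as arguments; nothing here is a ClamAV default.

```shell
#!/bin/sh
# Added example (not from the list post): verify that sendmail.mc and
# clamd.conf name two different Unix sockets before starting the chain
# clamd -> clamav-milter -> sendmail.

# clamd_socket CLAMD_CONF -> path from the first LocalSocket line
clamd_socket() {
    awk '$1 == "LocalSocket" { print $2; exit }' "$1"
}

# milter_socket SENDMAIL_MC -> path after S=local: in INPUT_MAIL_FILTER(...)
# (stops at the comma, quote or space that ends the m4 argument)
milter_socket() {
    sed -n "/INPUT_MAIL_FILTER/ s/.*S=local:\([^,' ]*\).*/\1/p" "$1" | head -n 1
}

# check_sockets CLAMD_CONF SENDMAIL_MC -> 0 when both are set and distinct,
# 1 (with a reason on stderr) otherwise
check_sockets() {
    c=$(clamd_socket "$1")
    m=$(milter_socket "$2")
    if [ -z "$c" ]; then
        echo "no LocalSocket line in $1" >&2
        return 1
    fi
    if [ -z "$m" ]; then
        echo "no S=local: milter socket in $2" >&2
        return 1
    fi
    if [ "$c" = "$m" ]; then
        echo "sendmail.mc points at clamd's socket ($c); it must use clamav-milter's" >&2
        return 1
    fi
    echo "clamd socket:         $c"
    echo "clamav-milter socket: $m"
}
```

Run it as `check_sockets /etc/clamd.conf /etc/mail/sendmail.mc` from the init script that starts clamav-milter, and pass the printed milter path to `clamav-milter` so the socket sendmail connects to is the one the milter actually creates.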
RE: [Clamav-users] Adding Virus type to the X-Virus-Flag: Yes
marvin wrote:
> Nigel Horne writes:
>
>> On Tuesday 12 Oct 2004 15:51, marvin wrote:
>>> Although it logs the virus to the /var/log/clamd.log, I would like
>>> it added to the header e.g.
>>>
>>> X-Virus-Flag: Yes - Worm.SomeFool.P
>>>
>>> Any ideas how I can achieve this ?
>>
>> Use the --advisory flag of clamav-milter.
>>
>>> Marvin
>>
>> -Nigel
>
> But I'm not using sendmail.

You're not? Why? ;)

You might find it easier to get help if you provided a little more information about what you ARE using.

Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com Software Engineer
perl -e"map{y/a-z/l-za-k/;print}shift" "Jjhi pcdiwtg Ptga wprztg,"
RE: [Clamav-users] Adding Virus type to the X-Virus-Flag: Yes
marvin wrote:
>>> X-Virus-Flag: Yes - Worm.SomeFool.P
>>>
>>> Any ideas how I can achieve this ?
> Replying to myself.
>
> Aack
>
> The header is inserted by the cgpav.conf program.
>
> Sorry for the faux pas.
>
> OK - But still, how can I add the virus name variable to the header
>
> X-Virus-Flag: Yes

Alas, clamav doesn't add any headers. clamav-milter does (usually... unless you do --noxheader) but you can't tweak the headers unless you patch the clamav-milter source code and rebuild it.

Apparently cgpav adds headers too. Try "man cgpav", "man cgpav.conf", or calling Communigate (I suspect their Pro product is not open source so you probably can't fix it yourself if they don't offer this feature)

I reject any email with a found virus so I don't ever have to add a header with a virus name. I use clamav-milter which does include the virus name in the REJECT message.
RE: [Clamav-users] Adding Virus type to the X-Virus-Flag: Yes
marvin wrote:
> cgpav is open source

Ah! That's a good thing. You might try grep'ing the source for X-Virus-Flag to see where the header is added. If you're lucky it will be simple to add the virus name as well.
RE: [Clamav-users] freshclam problem
Salvatore Basso wrote:
> Hi, I have the following problem with clamav 0.75.1 on fc 2:
>
> [EMAIL PROTECTED] Archive-Zip-1.13]# /usr/local/bin/freshclam -d
> ERROR: Can't open /var/log/freshclam.log in append mode.
> ERROR: Problem with internal logger

Maybe you have another freshclam running? I don't think they can both use the same log.

Also check permissions... as root:

touch /var/log/freshclam.log
chown clamav:clamav /var/log/freshclam.log

Not sure how this works w/logrotate
RE: [Clamav-users] Problems compiling 0.80rc3
Todd Lyons wrote:
> Kevin Old wanted us to know:
>
>> /usr/bin/ld: cannot find -lgssapi_krb5
>> ...
>> The weird part is, I've checked my /etc/ld.so.conf file and it lists:
>> /usr/kerberos/lib
>> /usr/X11R6/lib
>> /usr/lib
>
> That is for runtime. The issue you're having is that it cannot find
> the libgssapi_krb5.so file.
> ...
> It built just fine for me, but mine is in /usr/lib instead of
> /usr/kerberos/lib.

Try

ln -s /usr/kerberos/lib/libgssapi_krb5.so /usr/lib/libgssapi_krb5.so

...
RE: [Clamav-users] JPEG Vulnerability Question
Rodney Green wrote:
> Greetings!
>
> I have just upgraded to the latest version of ClamAV that is said to
> be able to detect the new JPEG vulnerability. I'm using ClamAV with
> MailScanner to scan e-mail. How can I test to see if ClamAV is indeed
> detecting the JPEG exploit?
>
> Thanks,
> Rod

sigtool --list-sigs | grep JPEG
RE: [Clamav-users] Problems compiling 0.80rc3
Kevin Old wrote:
>> Can I just link libgssapi_krb5.so to libgssapi_krb5.so.2 in
>> /usr/kerberos/lib?
>
> I just did this and now during make I get:
>
> /usr/bin/ld: cannot find -lkrb5
>
> Guess that didn't fix it.
>
> Any ideas?
>
> Kevin

What I meant was: for every X in /usr/kerberos/lib, ln -s /usr/kerberos/lib/X /usr/lib/X, i.e.

for X in /usr/kerberos/lib/*; do ln -s "$X" /usr/lib/; done
RE: [Clamav-users] Detection problem?
Sasa Stupar wrote:
> Just forgot to mention that I am running Clamav 0.75.1.
>
> At 20:34 5.10.2004 +0200, you wrote:
>> I am running a clamav-milter with sendmail 8.13.0. I have made a
>> test at www.testvirus.org and two tests passed thru: #24 and #25.
>> In explanation it says that it should detect it but it doesn't. Any
>> comment on that?

24 and 25 don't contain any viruses, so clamav-milter won't detect it. Consider something like MIMEDefang as well as clamav so you can:

Reject message/partial (24)
Reject .{clsid-goes-here} extensions (25)
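The two policy rejects the post hands to a MIME-aware filter, checked directly against a message file (an added example, not code from the post, from ClamAV or from MIMEDefang). Test 24 is a message/partial fragment, so any scanner only ever sees a piece of the real attachment; test 25 is an attachment whose name ends in a {CLSID}, which the Windows shell of the day hid while launching the named component. Neither carries a signature-detectable payload, so this is structure inspection rather than virus detection. It handles plain and quoted name= parameters, including folded header lines; RFC 2231/2047-encoded names are out of scope, and the GUID in the test data is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the list post): reject message/partial and
# {CLSID}-suffixed attachment names by inspecting the raw message headers.
# Operates on a message in RFC 822 form on disk.

# has_message_partial FILE -> true when any Content-Type header declares message/partial
has_message_partial() {
    grep -Eiq '^Content-Type:[[:space:]]*message/partial' "$1"
}

# clsid_attachments FILE -> prints every name=/filename= value that ends in
# .{8-4-4-4-12 hex}. Folded continuation lines are matched like any other
# line because the pattern is not anchored at line start.
clsid_attachments() {
    grep -Eio '(file)?name="?[^";[:space:]]*\.[{][0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}[}]"?' "$1" \
        | sed 's/^[^=]*="\{0,1\}//; s/"$//'
}

# policy_verdict FILE -> prints "REJECT <reason>" and returns 1, or prints
# "ACCEPT" and returns 0. Intended for the MTA's DATA-stage decision.
policy_verdict() {
    if has_message_partial "$1"; then
        echo "REJECT message/partial"
        return 1
    fi
    names=$(clsid_attachments "$1")
    if [ -n "$names" ]; then
        echo "REJECT clsid-extension: $(echo "$names" | sort -u | tr '\n' ' ')"
        return 1
    fi
    echo "ACCEPT"
}
```

The verdict text is what would go into the SMTP reject line, so the sending server (not an innocent third party) carries the bounce, matching the reject-rather-than-notify position taken earlier in this thread.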
RE: [Clamav-users] freshclam
Marcus Habermehl wrote:
> ERROR: Can't open /var/log/freshclam.log in append mode.
> ERROR: Problem with internal logger.
>
> Is there a general problem with my installation of clamav?
>
> Marcus

The user you're running freshclam as doesn't have permissions to make files in /var/log

Here's what I did:

mkdir /var/log/clamav
chown clamav:clamav /var/log/clamav

tell clamd, freshclam, etc. to log to /var/log/clamav/freshclam.log, /var/log/clamav/clamd.log, etc.
[Clamav-users] default --checks for freshclam 0.80
The man freshclam page says that -d requires --checks. If I call

freshclam -d

and don't specify --checks, what happens? Does it revert to the value specified in /etc/freshclam.conf's Checks setting? Or does it just check once when it starts and never check again?

I'm confused as to what the use of the Checks setting is if -d doesn't work with it.
[Clamav-users] RE: update as soon as possible
Mitch (WebCob) wrote:
>> Hi, how do you make ClamAV update virus database as soon as possible
>> when the signature becomes ready?
>>
>> Sam.
>>
> [Mitch (bitblock)]
> Sam. Bad toad! Don't hijack threads.
>
> You can run freshclam - there is no such thing as an instant update - the
> latest version uses DNS records to allow more frequent polling, but it's
> still about 10 minutes from update til when you can download iirc...
>
> That still beats everything else out there though I think.
>
> m/

It does bring up the idea of a "push notification." If you have several mail servers spread out over the world, you could have them check periodically in their respective database.XY.clamav.net domains. If any one of them found an updated definition file, they could scp it to all the other servers. (Or use some other message-based notification.)

Or you could do something totally wild... Perhaps a phone-tree-like system could be developed? Where a central clamav server cluster "calls" five other servers... then each of those five call five other servers, etc, until every interested party has received a call? Servers could be moved closer-to-the-hub based on proven reliability. Each server could also be placed in two different places just in case one phone-tree member is negligent. The system is divided into five branches at the first step... servers should be placed in two different branches, in the rare event of a first-hop caller going down.

Just a wild idea. The DNS thing works great.
RE: [Clamav-users] Config update signature
Salvatore Basso wrote:
> ..why does this happen even if the file 'freshclam' is in
> /etc/cron.daily/ and not in /etc/cron.hourly ??
> I add that I execute freshclam as a daemon (freshclam -d). thanks.

If you run freshclam -d then it only needs to be started ONCE (put it in init.d, for example)

If you run freshclam from /etc/cron.something/ then don't use the -d flag.
RE: [Clamav-users] Config update signature
Salvatore Basso wrote:
> .. and in '/etc/init.d/' there is a file called 'freshclam' (and at
> boot of my machine it starts freshclam). Now in my situation the
> file '/etc/cron.daily/freshclam' is not important? If so, where
> can I modify the update frequency? In what file? thanks.

Please post results of:

cat /etc/init.d/freshclam
cat /etc/cron.daily/freshclam
cat /etc/freshclam.conf
ps -aux | grep clam

Hopefully you're not running a freshclam -d from /etc/cron.daily or you'd be running more and more freshclam processes as days go by.

You set the update frequency in /etc/freshclam.conf as Checks - the update frequency is "(Checks) times per day" for freshclam -d. If you run freshclam via cron.hourly, leave off the -d.
RE: [Clamav-users] Config update signature
Salvatore Basso wrote:
> [EMAIL PROTECTED] wrote:
>
>> Please post results of:
>> cat /etc/init.d/freshclam

boils down to "run freshclam -d"

>> cat /etc/cron.daily/freshclam

boils down to "remove unused files in /var/lib/clamav/"

>> cat /etc/freshclam.conf
> # Number of database checks per day.
> # Default: 12 (every two hours)
> Checks 24

OK, so it checks 24 times a day - once every hour
If you want it to check every 30 minutes, change this to 48
If you want it to check every two hours, change this to 12

>> ps -aux | grep clam

You're fine here

> Hopefully you're not running a freshclam -d from /etc/cron.daily or
> you'd be running more and more freshclam processes as days go by.

OK, this isn't happening, good

> my value is 'Checks 24', but why is the update executed every hour ?

Um, because there are 24 hours in a day
RE: [Clamav-users] Config update signature
Matthew.van.Eerde wrote:
>>> cat /etc/freshclam.conf
>> # Number of database checks per day.
>> # Default: 12 (every two hours)
>> Checks 24
> OK, so it checks 24 times a day - once every hour
> If you want it to check every 30 minutes, change this to 48
> If you want it to check every two hours, change this to 12

Oh, and to have your changes take effect, restart freshclam -d...

/etc/init.d/freshclam restart
RE: [Clamav-users] ClamAV and Exchange mailboxes...
Tim Howell wrote:
> Have any of you thought of what it would take to use Clam to scan mailboxes
> stored on an Exchange server?

Hmmm...

Get a list of mailboxes via LDAP
Connect to each mailbox in turn using Mail::IMAPClient
Walk through all folders in the mailbox
Download each mail item to a temporary file
Scan the file
Accumulate an infection report
RE: [Clamav-users] ClamAV and Exchange mailboxes...
Matt wrote:
> [EMAIL PROTECTED] wrote:
>
>> Tim Howell wrote:
>>> Have any of you thought of what it would take to use Clam to scan
>>> mailboxes stored on an Exchange server?
>>
>> Hmmm...
>> Get a list of mailboxes via LDAP
>> Connect to each mailbox in turn using Mail::IMAPClient
>> Walk through all folders in the mailbox
>> Download each mail item to a temporary file
>> Scan the file
>> Accumulate an infection report
>
> Would running ClamWin on the Exchange server be a possibility?
>
> Matt

Umm... yes... so long as you don't scan the Exchange .edb or .log files. That's a good way to corrupt your information store.

But you could presumably run the above procedure using a Scheduled Task from the server, assuming you installed ClamWin and Perl (and Net::LDAP, Mail::IMAPClient, etc.)
RE: [Clamav-users] ClamAV and Exchange mailboxes...
Samuel Benzaquen wrote:
>>>> Hmmm...
>>>> Get a list of mailboxes via LDAP
>>>> Connect to each mailbox in turn using Mail::IMAPClient
>>>> Walk through
>
> Doesn't that idea force you to have everyone's password to connect
> via the IMAP server?

That would tear it.

Exchange does allow you to declare administrative accounts with complete access to all mailboxes. But I don't know enough about IMAP to know if you can log in to someone else's account this way.

Is there a way in that
1) Allows you to log in to a non-privileged mailbox using a privileged user account
2) Works from Perl?

Possible candidates: IMAP, POP3, MAPI (is there a Mail::MAPI module?), DAV (I use this to keep track of mailbox sizes)...

RE: [Clamav-users] ClamAV should not try to detect phishingandothersocial engineering attacks
Ken Jones wrote:
> I think the thing to remember here is that we are discussing scanning
> of email. If the email is malicious, then having clamav remove it is
> a good thing in my opinion. Spam (uce/ube) that poses no threat to
> the user, and is just an annoyance is what SA should be catching.

ClamAv is marketed as an antivirus tool. I think, as you say, there is a need for a generic anti-malware tool. But don't call it clamav.

RE: [Clamav-users] ClamAV should not try to detect phishing andothersocial engineering attacks
Bart Silverstrim wrote:
> I find it interesting though that I've yet to hear from anyone
> commenting on my proposal to create a filter that will extract and
> convert all emails into pure text, or reformat it so only certain
> things can get through as an attachment with a pure text message so it
> would be "defanged" of scripts, web content, potential scripting
> exploits, etc...I'm honestly beginning to wonder how hard
> that would be to make and whether it may be of use for some sites.

Microsoft SMTP Server allows this via CDO.Message
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cdosys/html/_cdosys_imessage_htmlbody.asp

"When... you set the HTMLBody property, Microsoft Collaboration Data Objects (CDO) automatically sets the TextBody property to the plain text equivalent."

RE: defanging HTML email, was [Clamav-users] ClamAV should not try to detect phishing andothersocial engineering attacks
Peter J. Holzer wrote:
> Otherwise, if it is HTML, filter it through w3m, lynx, or some other
> html to text converter.

This is the dangerous part. If there's going to be any way for a malignant HTML email to overflow a buffer, it's here.

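A worked example of the "defanging" filter Bart proposed and Peter sketched in the two messages above, added here and not taken from the thread or from any ClamAV code: a Python converter that drops script/style content, keeps the visible text, prints each link's real target beside its anchor text, and refuses oversized bodies instead of parsing them. The size cap and the sample message are constructed for the example.

```python
from html.parser import HTMLParser
import re

# Constructed limit: refuse a body this large rather than hand it to the parser.
MAX_INPUT_BYTES = 1 * 1024 * 1024


class TextOnly(HTMLParser):
    """Collects the visible text of an HTML body, drops script/style/head
    content, and appends every link target after its anchor text so the
    reader sees where a link really points."""

    SKIP = {"script", "style", "head", "title"}
    BREAK = {"p", "br", "div", "tr", "li", "h1", "h2", "h3", "h4", "table"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []
        self.skip_depth = 0   # >0 while inside a SKIP element
        self.hrefs = []       # stack of href values for open <a> tags

    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP:
            self.skip_depth += 1
        elif tag in self.BREAK:
            self.parts.append("\n")
        elif tag == "a":
            self.hrefs.append(dict(attrs).get("href"))

    def handle_endtag(self, tag):
        if tag in self.SKIP:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in self.BREAK:
            self.parts.append("\n")
        elif tag == "a" and self.hrefs:
            href = self.hrefs.pop()
            if href:
                self.parts.append(f" [{href}]")

    def handle_data(self, data):
        if not self.skip_depth:
            self.parts.append(data)


def html_to_text(html: str) -> str:
    """Convert an HTML mail body to plain text, or raise ValueError if it
    exceeds MAX_INPUT_BYTES."""
    if len(html.encode("utf-8")) > MAX_INPUT_BYTES:
        raise ValueError("HTML body too large to convert")
    parser = TextOnly()
    parser.feed(html)
    parser.close()
    text = "".join(parser.parts)
    text = re.sub(r"[ \t\r\f\v]+", " ", text)   # collapse runs of spaces
    text = re.sub(r" *\n *", "\n", text)        # trim spaces around line breaks
    text = re.sub(r"\n{3,}", "\n\n", text)      # at most one blank line in a row
    return text.strip()


# Constructed sample: the link text names one site, the href points elsewhere.
SAMPLE_HTML = (
    '<html><head><title>x</title></head><body>'
    '<p>Dear customer,</p>'
    '<p>Log in at <a href="http://login.example.invalid/">'
    'http://www.your-bank.com</a></p>'
    '<script>alert(1)</script></body></html>'
)

if __name__ == "__main__":
    print(html_to_text(SAMPLE_HTML))
```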
RE: [Clamav-users] Virus Tests from www.testvirus.org
Jason Haar wrote:
> However, a lot of sites complained. They actually looked at the logs and
> they didn't like seeing that 44% of their quarantine events were "PIF
> blocked" - they wanted to know WHAT VIRUS IT WAS.

But you have the PIF in quarantine anyway. Couldn't you save CPU by PIF-blocking the attachment, then scanning it later (during off-peak hours, or in a nice process) to find out what virus it was?

RE: [Clamav-users] virus incident response?
John Madden wrote:
> "well, something must be wrong with *your* virus scanner, because the
> one over *here* in *Exchange* caught it."

I think it's inherently a good thing to run multiple virus scanners from different vendors. Sometimes ClamAV will update first, sometimes other vendors will update first. If you scan in series you'll get the best of both worlds.

RE: [Clamav-users] virus incident response?
John Madden wrote:
>> Just stop mail with certain attachments
>> (.bat/.com/.scr/.cpl/.ectect) at the door.
>
> Well of course, and we currently block RAR's because of the license
> issues, but that doesn't help the zip file situation. ...Perhaps
> amavisd can.
>
> John

What we do:

If a zip file is detected as a virus, reject the email.

If a zip file is not detected as a virus, quarantine the attachment and deliver the email, with instructions on how to contact the helpdesk to retrieve the quarantined attachment.

[Clamav-users] clamd/freshclam/logrotate
Anyone got logrotate working sensibly with clamd.log and freshclam.log?

I can get it to rename the log files, but it seems that clamd and freshclam keep the file descriptor open. The new logs are appending to the .log.1 file rather than appending to the newly created .log files.

___
http://lurker.clamav.net/list/clamav-users.html

RE: [Clamav-users] EICAR signature update: second attempt
ahellary wrote:
> i STILL cannot get either version .81 or .82 to detect any virus

Try 0.83?

> its slackware

I've got 0.83 running OK on slackware... but I had to upgrade zlib... do you get any make errors?

RE: [Clamav-users] Re: clamscan and blackhole errors
Keith Patton wrote:
> ahellary wrote:
>> ... on our qmail...
> Look at http://www.mimedefang.org

But MIMEDefang is a sendmail-only milter...

RE: [Clamav-users] Disabling ScanArchive ?
Jason Byrns wrote:
> In my example case, we have a customer who is a programmer. He wants
> to (needs to) send the results of his work to one of his clients.

He should make himself a website and post his work on it, then send clients links to the website.

Oh, and he should sign his work with a certificate and give the clients his public key so they can confirm he was the one who wrote it.

RE: [Clamav-users] Disabling ScanArchive ?
Dennis Peterson wrote:
> Now if we can make people aware of the evils of out-of-office
> auto-responders...

I know! Why isn't there an SMTP code for this?

-> RCPT TO: <[EMAIL PROTECTED]>
<- 2?0 OK, but he's out of the office right now
-> RSET never mind then

RE: [Clamav-users] Worm.Sober.K getting through...
Tim Howell wrote:
> Several of my users have received the virus classified by ClamAV as
> Worm.Sober.K today...
>
> How should I go about tracking this down?

Find a particular infected message and check the logs for errors or warnings around the time the message went through.

RE: [Clamav-users] use of clamav-milter
Dennis Peterson wrote:
> It is frequently most efficient to test for spam content prior to scanning
> for viruses - there is no point in virus scanning a file if it has
> failed a spam content test. That's more than you asked but not bad to
> know.

The reverse is also true. There is no point in spam scanning a file if it has been identified as a virus.

Of the two processes (spam scanning and virus scanning), spam scanning is more resource-intensive (at least the way I do it) - so I virus scan first, and spam-scan second.

RE: [Clamav-users] use of clamav-milter
Todd Lyons wrote:
> Dennis Peterson wanted us to know:
>> But yes, no point in double-damning a message when once will do, and
>> I guess that was my point, and clearly the most efficient method
>> should be first.
>
> When a milter is configured to reject at the SMTP level, it never gets
> to the second milter in the chain. So if clamav-milter detects a
> virus, the CPU intensive content scanning process never sees the
> message (hence much lower load).

Your site policies and your data patterns also come into play. If you get lotsa spam and hardly any viruses it may make sense to spam-scan first anyway.

We reject viruses but accept spam (tagged so users can have a "junk email" folder) so - for us - data patterns don't enter into it.

For the record, we use MIMEDefang + SpamAssassin to spam-scan. Each MIMEDefang thread has its own SpamAssassin object which is quite big. I've been toying with the idea of writing a SpamAssassin::Client module to emulate spamc, but haven't done anything serious with it. I know someone else got a working prototype together.

RE: [Clamav-users] Report Phishing attacks?
Sam wrote:
> On Mon, 21 Mar 2005, McDonald, Dan wrote:
>> They don't think spam, even spam with embedded java script to
>> obscure the nature of the spam, is malware. That was the
>> JS.Scramble pattern that was quite effective at killing off lots of
>> spam, but they chose to remove it, and that's their right.
>> Hopefully someone took the signature and submitted it to the
>> spamassassin crew.
>
> Is there a way to manually add this signature back in (in a way so
> that when new signatures are obtained from freshclam it's not
> over-written)? Probably not, but I thought I'd ask. :)

Sounds like a feature request to me... "can we have a user.cvd file" (in addition to main.cvd and daily.cvd)

RE: [Clamav-users] Report Phishing attacks?
Trog wrote:
> On Mon, 2005-03-21 at 08:49 -0800, [EMAIL PROTECTED] wrote:
>> Sounds like a feature request to me... "can we have a user.cvd file"
>> (in addition to main.cvd and daily.cvd)
>
> The feature's been there for a long time already. Read the
> documentation.

Relevant documentation: http://www.clamav.net/faq.html - #23

Q: I can't wait for you to update the database! I need to use the new signature NOW!

A: No problem, save your own signatures in a text file with .db extension. Put it in the same dir where the .cvd files are located. ClamAV will load it after the official .cvd files. You need not to sign the .db file.

I presume clamd needs to be HUP'd?

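Added example, not ClamAV's own code: a small Python matcher for the plain-text signature file the FAQ above describes (one Name=HexSignature per line), run over a constructed user.db and sample data that includes the EICAR test string. It supports only plain hex bytes and the "??" one-byte wildcard, and skipping "#" lines is this example's convention rather than a statement about what libclamav accepts.

```python
import re

# Constructed user signature file in the legacy plain-text ".db" layout:
# "Name=HexSignature" per line. Hex is generated here so the sample stays
# readable; "#" comment lines are a convenience of this example only.
USER_DB = "\n".join([
    "# constructed user.db - not an official ClamAV database",
    "Eicar-Test-Signature=" + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE".hex(),
    "Constructed.MZ-Header=4d5a????0000",   # "MZ", any two bytes, then 00 00
])

# The standard, harmless EICAR anti-virus test string.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def hex_sig_to_regex(hexsig: str) -> re.Pattern:
    """Compile a hex signature into a bytes regex. Supports plain hex bytes
    and the '??' single-byte wildcard; anything else is rejected."""
    hexsig = hexsig.strip().lower()
    if len(hexsig) % 2:
        raise ValueError(f"odd-length hex signature: {hexsig!r}")
    pieces = []
    for i in range(0, len(hexsig), 2):
        pair = hexsig[i:i + 2]
        if pair == "??":
            pieces.append(b".")                           # any one byte
        elif re.fullmatch(r"[0-9a-f]{2}", pair):
            pieces.append(re.escape(bytes([int(pair, 16)])))
        else:
            raise ValueError(f"unsupported token {pair!r} in {hexsig!r}")
    return re.compile(b"".join(pieces), re.DOTALL)


def load_db(text: str) -> dict:
    """Parse Name=HexSignature lines into {name: compiled_pattern}."""
    sigs = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected Name=HexSignature")
        name, hexsig = line.split("=", 1)
        sigs[name.strip()] = hex_sig_to_regex(hexsig)
    return sigs


def scan_bytes(data: bytes, sigs: dict):
    """Return the name of the first matching signature, or None if clean."""
    for name, pattern in sigs.items():
        if pattern.search(data):
            return name
    return None


if __name__ == "__main__":
    db = load_db(USER_DB)
    for label, blob in [("eicar", EICAR), ("mz", b"MZ\x90\x00\x00\x00"), ("text", b"hello")]:
        print(label, "->", scan_bytes(blob, db))
```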
RE: [Clamav-users] Report Phishing attacks?
BitFuzzy wrote:
> [EMAIL PROTECTED] wrote:
>
> The difference between what's being detected as phishing attempts is
> that they are crafted to make you believe you are at
> http://www.your-bank.com, ebay.com, paypal.com, etc. They are in most
> cases very convincing, thus not only the foolish can fall prey. (I
> know very savvy people who fell for these)
>
> The other forms mentioned do pose the exact same threat, however
> there is a big difference: the victim here was just being gullible.

In my opinion, the difference between
1) a virus
2) a phish, a Nigerian scam, a spyware, an adware, etc.
is that viruses SPREAD - that is, they propagate themselves to others through the infected party.

As such, there are policy decisions against viruses that are appropriate in scenarios where such policies would be inappropriate against mere phishes.

Therefore - in my opinion - ClamAV should limit itself to detecting (and rejecting) threats of the first kind by default. If an option is added to detect and reject threats of the second kind, that can only be a good thing - so long as it is an option.

RE: [Clamav-users] Report Phishing attacks?
Julian Mehnle wrote:
> The way to combat phishing is to employ sender authentication methods
> such as SPF, DomainKeys, and public-key message cryptography.

This is unfortunately debatable. SPF, DomainKeys, cryptography, SenderID, etc. can only work on info in the message. Nothing stops people from registering a domain like onlinebanking.example and then sending out - perfectly legitimately - from [EMAIL PROTECTED]

RE: [Clamav-users] New Virus?
Niek wrote:
> On 3/31/2005 8:58 PM +0100, Jeffrey Kroll wrote:
>> You shouldn't be allowing .exe's anyway ... It's common knowledge that
>> .exe .com .bat .pif .scr
> Headers from your mail:
> X-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0
> X-MS-Has-Attach:
> X-MS-TNEF-Correlator:
> Thread-Topic: [Clamav-users] New Virus?
> Thread-Index: AcU2HfVJlXoUlYzJRuC2osx2VBm8CwABWsIg
>
> Looks like you have reason to deploy security by obscurity.

FWIW recent versions of Outlook block user access to received attachments of the form .exe .com .bat .pif .scr

RE: [Clamav-users] remove scanner serve
Carl Thompson wrote:
> I can only get clamd to open port 3311 as a listening TCP socket.

Default is 3310, no? Why can't you open port 3310? Is there something else already listening?

RE: [Clamav-users] remove scanner serve
Carl Thompson wrote:
> I believe the problem is a hard code issue. The setting --server
> isn't telling clamav-milter to listen on a specified IP for
> connections, it's telling clamav-milter to connect to clamd on the
> specified IP, thus making the INSTALL documentation in error (unless
> I'm seriously confused)
>
> Sendmail must connect to clamav-milter not clamd directly but
> clamav-milter will not listen on a TCP port, it will only connect to
> clamd on a TCP port.
>
> Carl

OH... You're correct, clamav-milter won't listen on a TCP port, only on a local socket. This is a limitation of clamav-milter.

You could probably write a simple daemon to listen on a TCP port and then relay all commands it hears to the socket, and all responses back to the TCP port. But why? Why not have sendmail and clamav-milter on one machine, and tell clamav-milter to communicate with clamd on the other machine?

RE: [Clamav-users] remove scanner serve
Nigel Horne wrote:
> On Thursday 14 Apr 2005 01:12, [EMAIL PROTECTED] wrote:
>
>> You're correct, clamav-milter won't listen on a TCP port, only on a
>> local socket.
>
> Wrong.

*removes foot from mouth*

oops, sorry...

RE: [Clamav-users] Can phishing be considered one kind of spam ?
Brian Morrison wrote:
> When 0.90 is available it will allow you to decide whether to filter
> on different types of content, until then please don't get this list
> going on the "phishing is not spam!" discussion.

Sweet... here are my selections

[x] viruses
[x] phishing
[x] spam
[x] stupid jokes
[x] urban myths
[x] (company) will pay you $ for every person you forward this to
[x] cute puppies
[x] sob stories
...

RE: [Clamav-users] problems after .84 upgrade
rick pim wrote:
>> Mind you I am worried about the mode 777 for clamd.sock, if nothing
>> else that seems like a security breach to me.
>
> true. but it seems to do that itself:
>
> srwxrwxrwx 1 clamav clamav 0 May  3 17:06 clamd.sock

Stop me if I'm wrong but I think that's just the way sockets work.

RE: [Clamav-users] Re: Exit code with password protected zip file
Rick Macdougall wrote:
> René Berber wrote:
>> man clamdscan:
>> [snip]
>> RETURN CODES
>>     0 : No virus found.
>>
>>     1 : Virus(es) found.
>>
>>     2 : An error occured.
>
> Thanks,
>
> One place I didn't look that I should have but still, is a password
> protected zip file considered an error ? I can't really allow scans
> that return a 2 to pass through (well I can but I don't think it's a
> good idea).

It depends on your policy for password-protected archives.

Think of 0/1/2 as No/Yes/Maybe (where Maybe includes the subcases "I can't tell because I can't unencrypt the file" and "I can't tell because I wasn't able to allocate memory" and "I can't tell because...")

You could adopt a policy that "yes, password-protected zip files can be assumed to be viruses" with the following clamd.conf option:

ArchiveBlockEncrypted

RE: [Clamav-users] Re: Exit code with password protected zip file
Rick Macdougall wrote:
> Yes, I understand that but I don't think a 2 should be returned for a
> password protected zip file, 2 can be returned for any error, and a
> password protected zip file should not be an error. It should be 0
> for regular use, or 1 if I enable ArchiveBlockEncrypted, it should
> never be 2.

Matter of opinion. I wish ArchiveBlockEncrypted were the default. Guess it depends on what you use ClamAV for.

I guess an additional ArchiveIgnoreEncrypted (return 0) option would make us both happy.

RE: [Clamav-users] DNS server used for dynamic resolution
[EMAIL PROTECTED] wrote:
> Hi,
>
> I have a couple of hours looking on google and the lists if it has
> been asked and it beats me.
> Is there anywhere I can read about the DNS server software that
> db.local.clamav.net uses? how does it resolve name depending on the IP
> address of the client ?
>
> Thanks,
>
> -Samuel

http://www.squish.net/dnscheck/
look up "db.local.clamav.net" record type "ANY"

ns1.clamav.net  69.61.68.204    BIND: 9.2.5
ns2.clamav.net  207.201.202.73  BIND: 9.2.1
ns3.clamav.net  195.70.36.141   BIND: 9.3.1
ns4.clamav.net  80.69.66.9      BIND: 9.2.3
ns5.clamav.net  213.92.8.2      BIND: 9.3.1

RE: [Clamav-users] 0.85 & 0.81.1 tha same troubles with milter
Jim Maul wrote:
> Matt Fretwell wrote:
>> Just to test, as an ordinary user, run:
>>
>> touch /var/log/test.log
>>
>> Now why does it create the logfile as root?
>>
>
> While i get your point, it is irrelevant because it should not log in
> /var/log/ directly. It should log in /var/log/clamav/
>
> -Jim

Hopefully this will help someone. I got it off the list earlier (sorry, don't remember who sent it to me originally:)

$ cat /etc/logrotate.d/clamav
/var/log/clamav/clamd.log {
    missingok
    nocompress
    create 640 clamav defang
    postrotate
        /bin/kill -HUP `cat /var/run/clamav/clamd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}

/var/log/clamav/freshclam.log {
    missingok
    nocompress
    create 640 clamav defang
    postrotate
        /bin/kill -HUP `cat /var/run/clamav/freshclam.pid 2> /dev/null` 2> /dev/null || true
    endscript
}

I use defang as a generic "mail administration" group, which is why that group gets read access.

RE: [Clamav-users] sober.p and german adverts?
John Jolet wrote:
>> On Tue, 17 May 2005, Matt Fretwell wrote:
>>> [EMAIL PROTECTED] wrote:
>>>> If they do have a rouge spammer on their network, they might wish
>>>> to know about it anyway.
>>>
>>> I assume that should have been rogue. ( Unless spammers have a
>>> predilection for make up :)
>>
>> Hmm. I guess aspell thinks that is a word... and probably some
>> spammers do, rofl.
> It IS a word...just not the one you wanted. swine spellchekers

On that note: http://jobsearch.monster.com/jobsearch.asp?q=manger

[Clamav-users] clamd reload causing mail server to tempfail
Gack! I came in this morning to find this in my clamd.log...

Tue May 17 15:35:10 2005 -> Reading databases from /usr/local/share/clamav
Tue May 17 15:35:10 2005 -> Database correctly reloaded (34417 viruses)
LibClamAV Warning: Not reloading database until idle - waiting for 2 children
LibClamAV Warning: Waiting for 1 children until databae reload
LibClamAV Warning: Not accepting inputs at the moment
LibClamAV Warning: Not accepting inputs at the moment
LibClamAV Warning: Not accepting inputs at the moment
(last line repeats many many times...)
LibClamAV Warning: Not accepting inputs at the moment
LibClamAV Warning: Waiting for 0 children until databae reload
LibClamAV Warning: Accepting inputs again
LibClamAV Warning: Accepting inputs again
LibClamAV Warning: Accepting inputs again
(last line repeats many many times ...)
LibClamAV Warning: Accepting inputs again
Tue May 17 17:13:05 2005 -> SelfCheck: Database status OK.
Tue May 17 17:13:06 2005 -> /tmp/clamav-135326ee7c681aaa/msg.yzNKKB: Worm.SomeFool.P FOUND

Checking the mail log between 3:35 PM and 5:13 PM reveals that all incoming mail was tempfailed during that time (luckily I have another MX which was accepting mail though it is configured identically :-?)

I'm using both clamav-milter and MIMEDefang (which prints directly to clamd.sock)

This behavior is new as of 0.85.1

What could I be doing wrong and how do I fix it?

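As an added example (not part of the post above and not ClamAV code), Python detection logic for the outage just described: it walks clamd.log lines, uses the timestamped clamd entries to bracket the untimestamped run of "Not accepting inputs" warnings, and reports how long the daemon refused work and how many refusals were logged. The sample log is constructed from the excerpt quoted in the post.

```python
from datetime import datetime

# Sample log constructed from the excerpt in the post: the LibClamAV warnings
# carry no timestamp, so only the surrounding clamd entries date the outage.
SAMPLE_LOG = """\
Tue May 17 15:35:10 2005 -> Reading databases from /usr/local/share/clamav
Tue May 17 15:35:10 2005 -> Database correctly reloaded (34417 viruses)
LibClamAV Warning: Not reloading database until idle - waiting for 2 children
LibClamAV Warning: Waiting for 1 children until databae reload
LibClamAV Warning: Not accepting inputs at the moment
LibClamAV Warning: Not accepting inputs at the moment
LibClamAV Warning: Not accepting inputs at the moment
LibClamAV Warning: Not accepting inputs at the moment
LibClamAV Warning: Waiting for 0 children until databae reload
LibClamAV Warning: Accepting inputs again
LibClamAV Warning: Accepting inputs again
Tue May 17 17:13:05 2005 -> SelfCheck: Database status OK.
Tue May 17 17:13:06 2005 -> /tmp/clamav-135326ee7c681aaa/msg.yzNKKB: Worm.SomeFool.P FOUND
"""

TS_FORMAT = "%a %b %d %H:%M:%S %Y"   # clamd's LogTime prefix, e.g. "Tue May 17 15:35:10 2005"
TS_SEP = " -> "
REFUSED = "Not accepting inputs at the moment"
RESUMED = "Accepting inputs again"


def parse_timestamp(line: str):
    """Return the datetime of a 'Day Mon DD HH:MM:SS YYYY -> msg' line, else None."""
    if TS_SEP not in line:
        return None
    stamp = line.split(TS_SEP, 1)[0]
    try:
        return datetime.strptime(stamp, TS_FORMAT)
    except ValueError:
        return None


def find_reload_stalls(lines):
    """Find windows in which clamd refused input around a database reload.

    A window opens at the first REFUSED warning, with 'start' set to the last
    timestamped entry seen before it, and closes at the first timestamped
    entry after a RESUMED warning. 'end' stays None if the log ends mid-window.
    """
    stalls = []
    current = None
    last_ts = None
    for line in lines:
        ts = parse_timestamp(line)
        if ts is not None:
            last_ts = ts
            if current is not None and current["resumed"]:
                current["end"] = ts
                stalls.append(current)
                current = None
            continue
        if REFUSED in line:
            if current is None:
                current = {"start": last_ts, "end": None, "refused": 0, "resumed": False}
            current["refused"] += 1
        elif RESUMED in line and current is not None:
            current["resumed"] = True
    if current is not None:
        stalls.append(current)   # still stalled (or no later timestamp) at end of log
    return stalls


def stall_seconds(stall):
    """Upper bound on the outage length, or None if it cannot be bracketed."""
    if stall["start"] is None or stall["end"] is None:
        return None
    return int((stall["end"] - stall["start"]).total_seconds())


if __name__ == "__main__":
    for s in find_reload_stalls(SAMPLE_LOG.splitlines()):
        print(f"refused {s['refused']} time(s) between {s['start']} and {s['end']}"
              f" (up to {stall_seconds(s)} s of tempfails)")
```

Because the warnings are undated, the reported length is an upper bound on the window between the last and next timestamped entry, not the exact outage.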
RE: [Clamav-users] clamd reload causing mail server to tempfail
Damian Menscher wrote:
> On Wed, 18 May 2005 [EMAIL PROTECTED] wrote:
>> LibClamAV Warning: Not reloading database until idle - waiting for 2
>> children
>
> Could you tell us how you're running clamav-milter? Specifically, I'd
> like to know if you're using --external and your --max-children
> setting. Also, do you often hit the --max-children setting? I
> suspect that the bug occurs when reloading the database when
> max_children is hit, though that hasn't been proven yet. Perhaps
> increasing its value will help?

in /etc/rc.d/rc.clamav:

/usr/local/sbin/clamd
sleep 2
/usr/local/bin/freshclam -d
/usr/local/sbin/clamav-milter -Cfq /var/run/clamav/milter.sock

in /etc/clamd.conf:

LogFile /var/log/clamav/clamd.log
LogTime
LogSyslog
PidFile /var/run/clamav/clamd.pid
LocalSocket /var/run/clamav/clamd.sock
FixStaleSocket
MaxThreads 50
User clamav
ScanMail
ScanHTML
ScanArchive
ArchiveMaxFileSize 100M
ArchiveMaxRecursion 8
ArchiveBlockEncrypted

in /etc/freshclam.conf:

UpdateLogFile /var/log/clamav/freshclam.log
PidFile /var/run/clamav/freshclam.pid
DatabaseOwner clamav
DNSDatabaseInfo current.cvd.clamav.net
DatabaseMirror db.us.clamav.net
DatabaseMirror database.clamav.net
Checks 24
NotifyClamd

RE: [Clamav-users] clamd reload causing mail server to tempfail
Matthew.van.Eerde wrote:
> Damian Menscher wrote:
>> On Wed, 18 May 2005 [EMAIL PROTECTED] wrote:
>>> LibClamAV Warning: Not reloading database until idle - waiting for 2
>>> children
>>
>> Could you tell us how you're running clamav-milter? Specifically,
>> I'd like to know if you're using --external
> /usr/local/sbin/clamav-milter -Cfq /var/run/clamav/milter.sock

Changed this to

/usr/local/sbin/clamav-milter -eCfq /var/run/clamav/milter.sock

Will advise

RE: [Clamav-users] Re:Clam AV allows e-mail fromwww.webmail.us/testvirus through?
Frank Barton wrote:
>> Ken Jones wrote:
>>> On my system, only #24 and #25 make it through ... both of
>>> which don't have a test virus in them :)
> Stefaan wrote:
>> What is stopping #5 & #17 in your configuration ? Is it clamd or
>> something else ? My config : messagewall, clamdmail, clamd, spamd and
>> numbers 5,17, 24 and 25 are getting through :-(
>
> I use mimedefang with clamd, and got 5, 8, 19, 22, and 23 all the way
> through
>
> 25 got through, partially... MIMEDefang stripped off the attachment,
> but the message came through.
>
> any hints on how to firm that up a bit?

I use MIMEDefang with clamd and clamav-milter. All but #24, #25, and #27 were recognized as the EICAR virus and rejected.

#24 was rejected as: MIME type message/partial not accepted here

#25 was let through, but the file was quarantined (I consider this a feature)

#27 was rejected with: virus Exploit.Zip.ModifiedHeaders detected by ClamAV - http://www.clamav.net

RE: [Clamav-users] Re: Virus naming conventions?
René Berber wrote:
> Perhaps your question is more general, not only the clamav database,
> but about a taxonomy for viruses. The way I see it, when a new virus
> is found, the developers or database maintainers try to get the
> detection strings ASAP and would not like to lose time looking up
> rules for naming, which is a very different situation from say a
> biologist classifying a live virus. I think a taxonomy would not be
> welcomed and we can expect all kinds of names (dots, dashes, spaces,
> upper- lower-case, slashes, etc. don't have a meaning).

Perhaps a per-engine taxonomy is natural - indeed it seems to be inevitable!

How about a serial-number kind of taxonomy, then -

clamav.1
clamav.2
clamav.3
...
clamav.48722
...

with friendly-names being attached to the virus, AFTER the developer has submitted into the database? After the dust has settled, there should be plenty of time to agree on what to call each virus.

RE: [Clamav-users] clamdscan vs clamscan - detection
Todd Lyons wrote:
> Odhiambo Washington wanted us to know:
>
>>> Please, set the "Debug" flag in your clamd.conf, rescan the sample,
>>> and send us the logs.
>> I cannot do that on the box where this phenomenon is manifesting
>> itself because it's a production box, processing large volumes of
>> mail. I'll
>
> Very quickly, do these:
> 1) Edit /etc/clamd.conf, uncommenting the Debug option.
> 2) clamscan the file
> 3) Edit /etc/clamd.conf, commenting the Debug option.
>
> The running clamd process will never read the Debug setting since it
> doesn't get restarted. clamscan doesn't use the clamd daemon, so you
> accomplish all that is asked without having to potentially damage the
> flow of mail across your machine.

Or just use clamscan --debug?

RE: [Clamav-users] clamav build for WinNT
.rp wrote:
> Is there a build anywhere that will run under NT4 ?

This is a good place to start looking:
http://www.clamav.net/binary.html#pagestart

RE: [Clamav-users] Question about clamd commands
RoNNY wrote:
> I simply changed my clamd.conf so that clamd now works as a TCP socket
> instead.

Be aware there are security benefits to running as a Unix socket. For example, if (God forbid!) a buffer overflow were ever found in clamd, it would be much harder for a hacker to push through clamd.sock than it would be to connect to a TCP socket.

RE: [Clamav-users] odd problem w/clamd
Odhiambo Washington [EMAIL PROTECTED] wrote:
> * N Fung <[EMAIL PROTECTED]> [20050610 20:45]: wrote:
>> Problems with 0.85.1 seem to be confined to FreeBSD.
>> Anything interesting in /var/log/clamd.log?
>
> Liar!! Liar!!
>
> I run 0.85.1 on FreeBSD 4.11, 5.2.1, 5.3 and 5.4 and in all cases I
> don't have a problem at all. None of my machines is as high-spec
> as his.

Easy, cowboy. When he says that problems are confined to FreeBSD, that does not imply that all FreeBSD installations will have problems.

-- Matthew.van.Eerde (at) hbinc.com
RE: [Clamav-users] odd problem w/clamd
Samuel wrote:
>> From: [EMAIL PROTECTED]
>> and what of a virus zipped into a larger zip file? Since the largest
>> message we'll accept is 100M, then that's what my StreamMaxLength is
>> set at, per the comments in clamd.conf. On the other hand, it would
>> take an awfully determined virus distributor to put their virus in
>> such a large message.
>
> I guess that if you check a 100MB email message which contains
> MIME/archives that have to be converted and unpacked several times
> there could be a disk bottleneck. Maybe you are suffering from I/O
> wait and it fixes when you kill the thread that's analyzing that big
> email.

Mounting /tmp as a tmpfs file system can be a real performance lifesaver for a busy clamd setup.

-- Matthew.van.Eerde (at) hbinc.com
RE: [Clamav-users] How to use clamav-milter?
Stephen Gran wrote:
> On Wed, Jun 15, 2005 at 01:12:36PM -0400, Jim Popovitch said:
>> On Wed, 2005-06-15 at 19:53 +0300, Cevher wrote:
>>> Two questions were related. In other words I said (wanted to say)
>>> "Shall we use clamav-milter with clamd or without clamd?"
>>
>> clamav-milter connects to clamd to determine if an email contains a
>> virus.
>
> Correction:
> clamav-milter _can_ connect to clamd ...
>
> It can also do the work itself. The problem with the OP's question is
> that the answer is site policy dependent. The only answer is "it's up
> to you".

There was (still is?) a bug in recent clamav-milter thread handling that caused it to time out if it did the work itself. I was forced to start it with --external, which passes the work to running clamd daemons.

-- Matthew.van.Eerde (at) hbinc.com
RE: [Clamav-users] ClamAV on Exchange 200x
Patrick Andry wrote:
> Does Exchange 2000 still accept mail for non-existent users, as it
> does for 5.5?

Yes. There's a non-default setting to fix this in Exchange 2003, but in 2000 and before you're stuck with it.
http://support.microsoft.com/kb/823866/#XSLTH3164121123120121120120

-- Matthew.van.Eerde (at) hbinc.com
RE: [Clamav-users] Password protected ZIP's---howto?
Johnny Stork wrote:
> From: Samuel Benzaquen [mailto:[EMAIL PROTECTED]
>> Johnny Stork:
>>> Is there any way to get clamav to handle password protected
>>> zip files? We receive and send many files as pw protected zips and
>>> since deploying clamav, they have all been flagged as viruses?
>>
>> ArchiveBlockEncrypted
>> Mark encrypted archives as viruses
>> (Encrypted.Zip, Encrypted.RAR).
>> Default: disabled
> Thanks kindly, but I guess this means that they pass through without
> being scanned/checked?

ClamAV can't scan encrypted archives, because there's no way to tell it the password. Unless the encrypted archive matches a signature in its encrypted form, there's no virus detection here. It can either uniformly let through, or uniformly block, all encrypted archives.

If you want sophisticated zip file handling, consider MIMEDefang [1] and Archive::Zip

[1] www.mimedefang.com

-- Matthew.van.Eerde (at) hbinc.com
RE: [Clamav-users] ClamAV on Exchange 200x
John Gallagher wrote:
> Depending on your active directory structure it is relatively simple
> to grab the exchange users so your mail relay can make this decision
> before passing the mail on to the exchange server. You may need to
> work on the script a little to pull aliases and mail forward info.
> Check out this link:
>
> http://www-personal.umich.edu/~malth/gaptuning/postfix/
>
> John

Here's a sendmail version:
http://www.mimedefang.org/kwiki/index.cgi?Exchange2Access

Though listed on MIMEDefang's site, it doesn't actually use MIMEDefang - it's a generic Active Directory to sendmail access database script. There's a version for Exchange 2000 and another for Exchange 5.5.

-- Matthew.van.Eerde (at) hbinc.com
RE: [Clamav-users] WARNING: Local version: 0.86 Recommended version:0.85.1
Damian wrote:
> So, if you didn't do it, and none of the other team-members did it,
> then who did? This raises an interesting issue: if an attacker
> figures out how to poison the DNS server, nobody would get updates.

Worse, an attacker could point the records to a server under their own control, with malicious virus definitions. I'll let everyone imagine the worst-case consequences of that.

-- Matthew.van.Eerde (at) hbinc.com
RE: [Clamav-users] WARNING: Local version: 0.86 Recommendedversion:0.85.1
Matthew van Eerde wrote:
> Damian wrote:
>> So, if you didn't do it, and none of the other team-members did it,
>> then who did? This raises an interesting issue: if an attacker
>> figures out how to poison the DNS server, nobody would get updates.
>
> Worse, an attacker could point the records to a server under their
> own control, with malicious virus definitions. I'll let everyone
> imagine the worst-case consequences of that.

Or are the virus definition update packages signed? If so, and freshclam were to check the signature of the package before accepting the update, that would mitigate this concern.

-- Matthew.van.Eerde (at) hbinc.com
RE: [Clamav-users] Libclamav and zip files
Eric Scopinho wrote:
> The problem is that I'm using libclamav directly (not clamd), and I
> don't have the entire zip file. While the file is sent over the
> network, passing through my firewall, I'm catching the packets,
> storing each one and scanning using cl_scandesc from libclamav. Catch
> it?

Since you're scanning it packet-by-packet, you're going to miss some viruses regardless of .zip-ness. In particular, if a virus definition matches a byte sequence that is split across packets, the virus will get through.

Since you can't decompress the .zip file, you won't catch viruses that are only recognized in their uncompressed form. Fortunately, there are some virus patterns to match the .zip'd versions of the files. Unfortunately, viruses that randomize their password are probably unpatternable in their compressed form.

You might be able to do something to the effect of:
1) Recognize the initial packet of the zip file
2) Accumulate all future packets of that stream
3) Put all the packets together to get the complete zip file
4) Decompress the zip file
5) Scan the decompressed contents

-- Matthew.van.Eerde (at) hbinc.com
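The two failure modes above (a pattern split across packets, and a pattern visible only after decompression) and the reassemble-then-decompress approach of steps 1-5, as an added Python example that is not from the original post or from ClamAV: the scanner is a toy substring matcher standing in for cl_scandesc, and the pattern, the "packets" and the zip are all constructed here.

```python
import io
import zipfile

# Constructed demonstration pattern standing in for a ClamAV signature.
# It is NOT a real malware signature; any unique byte string would do.
DEMO_PATTERN = b"DEMO-PATTERN-NOT-REAL-MALWARE-0123456789"
SIGNATURES = {DEMO_PATTERN: "Demo.Pattern.Constructed"}


def scan_bytes(data):
    """Toy stand-in for cl_scandesc: name of the first matching pattern, or None."""
    for pattern, name in SIGNATURES.items():
        if pattern in data:
            return name
    return None


def split_into_packets(stream, size):
    """Chop a byte stream into fixed-size chunks (constructed 'packets', not real TCP)."""
    return [stream[i:i + size] for i in range(0, len(stream), size)]


def scan_per_packet(packets):
    """The original poster's approach: every packet is scanned on its own,
    so a pattern straddling a packet boundary can never match."""
    for pkt in packets:
        hit = scan_bytes(pkt)
        if hit:
            return hit
    return None


def scan_reassembled(packets):
    """Steps 2-5 from the post: accumulate, join, decompress (if zip), scan."""
    stream = b"".join(packets)
    hit = scan_bytes(stream)            # catches patterns split across packets
    if hit:
        return hit
    if stream.startswith(b"PK\x03\x04"):  # zip local file header: unpack and rescan
        with zipfile.ZipFile(io.BytesIO(stream)) as zf:
            for member in zf.infolist():
                hit = scan_bytes(zf.read(member))
                if hit:
                    return hit
    return None


def build_sample_zip(payload, member_name="photo.exe"):
    """Constructed zip with one deflated member holding the payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


def demo():
    """Run both cases and return the results keyed by case."""
    # Case 1: uncompressed stream; 16-byte packets make the 40-byte pattern
    # straddle several packet boundaries.
    plain = b"header " * 3 + DEMO_PATTERN + b" trailer " * 3
    plain_pkts = split_into_packets(plain, 16)
    # Case 2: the same pattern inside a deflated zip member; the compressed
    # bytes do not contain the pattern verbatim, so only decompression finds it.
    zipped = build_sample_zip(DEMO_PATTERN + b"\x00" * 500)
    zip_pkts = split_into_packets(zipped, 16)
    return {
        "plain_per_packet": scan_per_packet(plain_pkts),    # None
        "plain_reassembled": scan_reassembled(plain_pkts),  # found
        "zip_per_packet": scan_per_packet(zip_pkts),        # None
        "zip_reassembled": scan_reassembled(zip_pkts),      # found
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```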
RE: [Clamav-users] Libclamav and zip files
Jason Haar wrote:
> However, I think you'll be out of luck. The only "network virus
> scanners" I know of are big beasts - because they effectively have to
> inline translate packets back to specific protocols (such as
> SMB/CIFS), pull the data content out, then run real AV over the fully
> formed files (or at least some largish data window). How they do that
> inline and manage to drop the session (i.e. killing the virus
> download) is a bit beyond me - I guess they rely on an RSET on the
> last packet being enough to cause the entire transfer to fail?

RSET should be enough. Unless the user is really committed to infecting themselves, and astoundingly resourceful.

-- Matthew.van.Eerde (at) hbinc.com
RE: [Clamav-users] newbie setup question - Solaris 9 + sendmail
Jerry K wrote:
> a) since I am using sendmail, I am making the assumption that
> compiling/using libmilter is the way to go?

I went that way.

> b) if I am using ClamAV as a milter, do I need to run the clamd daemon
> or will sendmail just call libclamav.a/so?

sendmail will NOT call libclamav.a/so. You need a milter. You can use the clamav-milter program included in the distribution, or a third-party milter that calls clamd directly, such as MIMEDefang. I use both.

If you use clamav-milter, you still have two options. You can have clamav-milter do the virus-checking itself, or defer to a running clamd daemon. There have been threading problems in the past with clamav-milter doing its own virus-checking, FYI. If you choose to defer to a running clamd daemon, start clamav-milter with the --external flag.

> c) What is the default behavior when ClamAV receives an email with a
> virus? Does it just delete the whole email? Does it quarantine the
> file and forward the email to the user? Or is there any action,
> other than virus identification when an email arrives with an
> attached virus.

ClamAV just detects viruses. What is done with the virus is up to the calling agent - the milter, in this case. This could include rejecting the email, accepting the email but silently discarding it, and / or sending notification emails to everyone and their mother.

> I did find this line in the clamd.conf file, but I don't know what
> command that I would run when a virus is found
>
> Execute a command when virus is found. In the command string

"shutdown now", for example...

> Also, from my google'ing, I came across this page
>
> http://linux-sxs.org/administration/clamav-milter.html
>
> that indicates that emails with viruses are rejected. Is this the
> only possible action? That's OK if it is, I have just yet to
> run across the documentation that discusses this. Or, I have
> overlooked it.

It's not the only possible action, but it's what I do.

> d) is ClamAV + Sendmail everything I need, once functional? I am
> asking this because several of the links that I came across while
> google'ing mentioned using ClamAV in coordination with another
> product called Amavis.

Depends. I also scan incoming email with SpamAssassin, by way of MIMEDefang's milter.

> Also, roughly half of the user manual is filled with "Third Party
> Products". While some of these have obvious purposes (graphing or log
> file processing), are there any of these necessary for me to get up
> and going in my environment?

No.

> TIA for any pointers or URL's where I can RTFM.

www.mimedefang.com
www.spamassassin.org
www.clamav.net

-- Matthew.van.Eerde (at) hbinc.com
RE: [Clamav-users] clamd PING
Gerard wrote:
> When I issue the command as root:
>
> clamd PING

That doesn't work. PING is not a command-line argument. If you telnet TO THE SOCKET [1], then write "PING\n" to the socket, you should receive "PONG\n" from the socket.

[1] Yes, on some systems you really can telnet to a socket.

-- Matthew.van.Eerde (at) hbinc.com
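The PING/PONG exchange over the socket, as an added Python example that is not part of the original post: clamd_command writes one newline-terminated command to any connected socket (Unix socket such as clamd.sock, or TCP) and reads the newline-terminated reply; the fake_clamd stand-in is constructed here so the exchange runs without ClamAV, and its "UNKNOWN COMMAND" reply to anything other than PING is an assumption about clamd's behaviour.

```python
import socket
import threading


def clamd_command(sock, command, timeout=5.0):
    """Send one clamd command ("PING") terminated by a newline and return the
    reply with its trailing newline stripped.  Works over a connected Unix or
    TCP socket, which is all the protocol needs."""
    sock.settimeout(timeout)
    sock.sendall(command.encode("ascii") + b"\n")
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = sock.recv(4096)
        if not chunk:               # peer closed before finishing the line
            break
        buf += chunk
    return buf.rstrip(b"\n").decode("ascii", "replace")


def clamd_alive(sock):
    """True iff the daemon on the other end answers PING with PONG."""
    return clamd_command(sock, "PING") == "PONG"


def connect_unix(path):
    """Connect to a local clamd socket, e.g. the LocalSocket path from clamd.conf."""
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.connect(path)
    return s


def connect_tcp(host, port):
    """Connect to a clamd listening on TCPSocket/TCPAddr from clamd.conf."""
    return socket.create_connection((host, port))


# --- constructed stand-in for clamd so the exchange can run offline ---
def fake_clamd(server_sock):
    """Reads one line; answers PING with PONG, anything else with
    'UNKNOWN COMMAND' (assumed to mirror clamd; this is not clamd's code)."""
    data = b""
    while not data.endswith(b"\n"):
        chunk = server_sock.recv(4096)
        if not chunk:
            server_sock.close()
            return
        data += chunk
    if data.strip() == b"PING":
        server_sock.sendall(b"PONG\n")
    else:
        server_sock.sendall(b"UNKNOWN COMMAND\n")
    server_sock.close()


def exchange_with_fake_clamd(command="PING"):
    """Run one command against the stand-in over a socketpair; return the reply."""
    client, server = socket.socketpair()
    t = threading.Thread(target=fake_clamd, args=(server,))
    t.start()
    try:
        return clamd_command(client, command)
    finally:
        client.close()
        t.join()


def fake_clamd_alive():
    """clamd_alive() against the stand-in: should be True."""
    client, server = socket.socketpair()
    t = threading.Thread(target=fake_clamd, args=(server,))
    t.start()
    try:
        return clamd_alive(client)
    finally:
        client.close()
        t.join()


if __name__ == "__main__":
    print("PING ->", exchange_with_fake_clamd("PING"))      # PONG
    print("alive:", fake_clamd_alive())                     # True
```

Against a real daemon, replace the socketpair with connect_unix("/path/to/clamd.sock") or connect_tcp(host, port) and call clamd_alive on the result.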
RE: [Clamav-users] Clamd processes and memory
Julio wrote:
> I have set clamav to scan incoming mail, and for efficiency purposes
> I have decided to use the daemon.
...
> d) Using clamscan instead of the daemon will be less efficient?

The daemon should be started at system bootup. It will take care of starting additional daemonic threads as it sees fit.

The drop-in substitute for clamscan is clamdscan - this will talk to clamd for you. clamdscan does require that clamd be running when you call clamdscan.

Another thing to consider is freshclam. You can run freshclam as a daemon (freshclam -d), or periodically through cron (without the -d.) Do not run freshclam -d through cron or you'll be running multiple daemons and eventually bring your machine to its knees.

-- Matthew.van.Eerde (at) hbinc.com
RE: [Clamav-users] uncompressed zip size of Zero
q# wrote:
> On Wed, Jul 27, 2005 at 02:26:06PM -0400, Jim Maul wrote:
>> I believe the OP is referring to a new technique being used by virus
>> writers where the email has a zip attachment which APPEARS to be 0
>> bytes (in the zip header) but when uncompressed, the file is in fact
>> not 0 bytes. There was a recent article about this somewhere but I
>> am unable to find the link ATM.
>
> So, it could be nice if clamav can block those files, but on my
> -devel it doesn't work:
>
> Can I say it's a bug?

If I may suggest, corrupt .zip files (with unreasonable zip header values) should NOT be considered viruses by default. If there is an option to turn this on, fine, but this is pushing the envelope a bit too far for me.

-- Matthew.van.Eerde (at) hbinc.com
RE: [Clamav-users] uncompressed zip size of Zero
q# wrote:
> $ echo 'Zip.Empty:0:*:0:0::0:1:1' > ./local/empty.zmd

Checking the documentation:
http://www.clamav.net/doc/latest/signatures.pdf

This is the "Extended signature format"
Zip.Empty - name of malware
0 - target type: 0 = any file
* - offset: * = any
0 - ?
0 - ?
- ?
0 - ?
1 - ?
1 - ?

Your sig doesn't seem to match the published doc format. What does
sigtool -i ./local/empty.zmd
say?

-- Matthew.van.Eerde (at) hbinc.com
RE: [Clamav-users] uncompressed zip size of Zero
q# wrote:
> Wrong signature format: zmd != ndb

Alright - where's the documentation of the zmd database format?

Does
sigtool --list-sigs | grep "Zip.Empty"
have any output? That should at least verify whether the sig is being loaded.

-- Matthew.van.Eerde (at) hbinc.com
RE: [Clamav-users] AV relay + MX backup question
Leif Neland wrote:
> From: "Roger E. Rustad, Jr." <[EMAIL PROTECTED]>
>
>> I have a ASSP antivirus relay setup
>> (assp.sourceforge.net<http://assp.sourceforge.net>)
>> that's currently filtering spam and viruses for one domain. I'd like
>> for it to do the same for other domains, but would like to make sure
>> if (for whatever reason) the relay is down, mail still gets through.
>
> If you announce your MTA in the MX-records, it will get spammed;
> spammers don't respect MX priorities, as they know that the backup
> MXes often don't have the same level of spam filtering as the
> primary MX.

Yup. In fact, even if you don't announce your MTA in the MX-records, it will get spammed. Any open SMTP server will be portscanned.

> If you can monitor the primary MX, and only open access to the backup
> MX when the primary is down, you might be able to keep the spam down.

There have been people that configured their backup MX to periodically check in with the primary MX and only accept connections when the primary is down.

My personal preference is to load-balance two identical MXes with spam- and virus-filtering on both. That way if a box breaks the mail still flows. The mail must flow.

-- Matthew.van.Eerde (at) hbinc.com
RE: [Clamav-users] Sendmail X and clamav-milter
Thomas Cameron wrote:
>> 2005-08-27 smX-0.0.Beta0.0 has been released. Do you have any plans
>> to adapt clamav-milter for smX?
>
> What is Sendmail X? Enquiring minds want to know!

http://www.sendmail.org/sm-X/

-- Matthew.van.Eerde (at) hbinc.com
RE: [Clamav-users] Performance Tuning Clamd?
Ben Hockenhull wrote:
> Hi there. I'm running clamd, invoked via mimedefang by way of a
> sendmail milter on a FreeBSD 5.x system. Normal operations work
> perfectly, but I run into these situations where I get a massive
> influx of mail (5k messages in short order) and run into problems
> with clamd.

Sendmail has some load-limiting options itself.

> The short story is that mimedefang throws an error saying there's a
> problem running the virus scanner, and mail tempfails. Load on the
> box skyrockets (normally around 4, goes to 40+)

40... wow...

> If I comment out the clamd call in mimedefang, load drops and mail
> flows. I'm looking for performance tuning pointers for clamd. I'm
> already planning to move to a tmpfs based Mimedefang directory in the
> hopes that that will help, but would be interested in any other ideas.

tmpfs for /tmp is a good idea too. I believe clamd uses that for its scanning directory and for unpacking .zip files etc.

> I've searched the archives and looked at the FAQ and didn't seem to
> find anything that specifically addressed performance parameters, but
> would cheerfully accept pointers if I missed something.

Make sure your machine has enough RAM for your load, as disk I/O is a real bottleneck.

Are you doing synchronous syslogging? Try asynchronous (just add a "-" in the right place in syslog.conf).

-- Matthew.van.Eerde (at) hbinc.com
RE: [Clamav-users] --max-children
david wrote:
> "--max-children must be given if --external is not given" ...
> "timeout must be given if --external is not given". ...
> Any clues??

Specify --external?

Here's my personal rc.clamav:

    clamav_start() {
        # clamd: the scanning daemon; all of its options come from /etc/clamd.conf
        if [ -x /usr/local/sbin/clamd ]; then
            echo "Starting clamd: /usr/local/sbin/clamd"
            /usr/local/sbin/clamd
            # give it time to start up and let the socket create itself
            sleep 2
        fi
        # freshclam in daemon mode (-d): keeps the virus definitions current
        if [ -x /usr/local/bin/freshclam ]; then
            echo "Starting freshclam: /usr/local/bin/freshclam -d"
            /usr/local/bin/freshclam -d
        fi
        # clamav-milter with -e (--external): hands scanning to the running clamd
        if [ -x /usr/local/sbin/clamav-milter ]; then
            echo "Starting clamav-milter: /usr/local/sbin/clamav-milter -eCfq /var/run/clamav/milter.sock"
            /usr/local/sbin/clamav-milter -eCfq /var/run/clamav/milter.sock
            # give it time to start up and let the socket create itself
            sleep 2
        fi
    }

Note -e is --external

-- Matthew.van.Eerde (at) hbinc.com
RE: [Clamav-users] --max-children
david thompson wrote:
> [EMAIL PROTECTED] wrote
>> david wrote:
>>> "--max-children must be given if --external is not given" ...
>>> "timeout must be given if --external is not given". ...
>>> Any clues??
>>
>> Specify --external?
>>
>> Here's my personal rc.clamav:
snip
> Thanks for your help. I do have a question or two though.
>
> When you write "here's my personal rc.clamav:" does this mean you are
> running centos? I ask this as I have not seen this file. Also in my
> web searching for an answer I have not come across this file. It
> looks as if it might go into /etc/rc.d. Is this true?

I'm not running centos and I'm not familiar with it. I wrote rc.clamav from scratch with liberal copy/pasting from other startup files. Also there's stuff in the rc.clamav file that I didn't post. Yes, I did put it in /etc/rc.d and if you'd like I can send you a complete listing of the file offlist.

What you should take from the partial listing I sent you though is there are no more than three separate clamav processes that each should have their own startup options...

clamd
freshclam
clamav-milter

However centos works, it should allow you to specify startup options for any or all of these separately.

clamd is the running pool of threads that actually does the work of virus-scanning. So I start it up. All the options are set in /etc/clamd.conf so no command-line arguments are necessary.

freshclam is a command that checks for new virus definitions. I start it up in daemon mode with a -d option. This is only one of many methods for calling freshclam. Some people put it in their cron - if you do this, DON'T specify the -d option. If you start it up in daemon mode, the one process will check, sleep for a while, check again, sleep for a while, check again etc. ad infinitum. If you start it up in normal mode, it will check and exit. freshclam also uses /etc/clamd.conf.

clamav-milter is ironically the hardest of the three even though it doesn't do anything. It's just glue between sendmail and clamd. To be perfectly forthcoming, it doesn't really need clamd. You could run clamav-milter without clamd and have clamav-milter do the scanning itself. If you want it to use clamd to do the scanning, specify --external - if you want it to do the scanning itself, don't use --external. I personally like having a pool of clamd threads available for anyone to use, and I like clamav-milter to use the pre-existing pool rather than forming its own. clamav-milter uses /etc/clamd.conf to a certain extent, but has many other options that can only be specified at the command line. man clamav-milter for the gory details.

-- Matthew.van.Eerde (at) hbinc.com
RE: [Clamav-users] suspicious classification resulting in false postives
Chris Gauch wrote:
> We are currently running ClamAV (0.86.2) in a Linux Sendmail (8.13.4)
> and MIMEDefang (2.53)
> our logs indicate that over 86 attachments have been
> flagged as "suspicious" by ClamAV 0.86.2 over the past couple of
> days. We're beginning to wonder how many of those "suspicious"
> attachments were actually legit Microsoft documents. Any insight or
> investigation into this issue would be greatly appreciated. Thanks.

MIMEDefang has a "suspicious characters in headers" check. This is unrelated to ClamAV.

A frequently-made customization to mimedefang-filter is to change action_discard to action_bounce for suspicious characters. That at least takes care of false positives. YMMV.

-- Matthew.van.Eerde (at) hbinc.com
RE: [Clamav-users] suspicious classification resulting in falsepostives
Jason Englander wrote:
> On Fri, 9 Sep 2005, [EMAIL PROTECTED] wrote:
>
>> MIMEDefang has a "suspicious characters in headers" check. This is
>> unrelated to ClamAV.
>
> ...and if you're using File::Scan
> (http://cpan.perl.org/modules/by-module/File/File-Scan-1.43.tar.gz),
> that also can report things as suspicious.

Bingo...

Fortunately, MIMEDefang allows multiple virus scanners.
Fortunately, MIMEDefang logs virus detections.
Unfortunately, MIMEDefang doesn't include which scanner caught the virus.

-- Matthew.van.Eerde (at) hbinc.com
RE: [Clamav-users] zip files and clamav-milter
Nick Golder wrote:
> I am consistently seeing zip files with the Worm.Bagle.Gen-* payload
> getting through the clamav-milter (clamav-0.87). The milter is at
> least partially working:
> X-Virus-Scanned: ClamAV version 0.87, clamav-milter version 0.87 on
> xxx.xxx.xxx
> X-Virus-Status: Clean

Are you using --external?

How does clamav-milter know when new virus definitions are available? I assume freshclam doesn't notify clamav-milter threads.

-- Matthew.van.Eerde (at) hbinc.com
RE: [Clamav-users] zip files and clamav-milter
Nick Golder wrote:
> On 2005-09-21 09:51 -0700, [EMAIL PROTECTED] wrote:
>> Are you using --external?
>
> Currently I am using LocalSocket. Using --external didn't make a
> difference.

Did you manually scan with clamscan or clamdscan? Try both ways.

> Is clamd, via LocalSocket, being used by clamav-milter if --external
> isn't being used? Right now, freshclam notifies clamd.

clamd is used by clamav-milter iff --external is used. If --external is NOT used, clamav-milter does its own scanning via libclamav. In which case, the question of virus definition update notification becomes important. How/when does clamav-milter find out about virus definition updates?

-- Matthew.van.Eerde (at) hbinc.com
RE: [Clamav-users] clamdscan doesn't recognize virus
Marco wrote (snipped):
> Hello everybody.
> I'm using clam 0.87 with mimedefang.
>
> This is the output from clamdscan:
> /tmp/photo.zip: OK
>
> and this is the output from clamscan:
> photo.zip: Trojan.W32.PWS.Prostor.A FOUND

OK, so MIMEDefang is definitely not at fault here. Hmm...

Is clam 0.87 a fresh install or an upgrade or an uninstall/install? Are you using precisely this release?
http://sourceforge.net/project/showfiles.php?group_id=86638&release_id=356974

-- Matthew.van.Eerde (at) hbinc.com
RE: [Clamav-users] clamav-milter seems unstable with 0.87
R. Steven Rainwater wrote:
> Update. I tried changing -T=0 to --timeout=0 as one person suggested
> but it had no effect. For the moment, I've added a cron job that
> restarts clamav-milter hourly, which is at least keeping the mail
> flowing for now. If I can't come up with a solution shortly though, I
> may need to downgrade back to 0.86.

Have you tried running clamd and using --external on clamav-milter?

-- Matthew.van.Eerde (at) hbinc.com
RE: [Clamav-users] clamav-milter seems unstable with 0.87
R. Steven Rainwater wrote:
> But I guess the big question now is how can I determine for sure if
> it's a specifically formatted email that's causing the clamav crashes
> and, if so, how can I capture one of the emails?

Hmmm... I know there are some "archive" milters out there that make a copy of all incoming mail they scan. Maybe that would be useful... you might install one of these archive milters, making sure it appears before clamav-milter in the list of milters... then when a thread goes haywire, check the last few emails in the archive for fishiness.

-- Matthew.van.Eerde (at) hbinc.com
RE: [Clamav-users] Issues with ClamAV and RedHat Enterprise 2
Damian Menscher wrote:
> On Tue, 27 Sep 2005, Michael Torrie wrote:
>>
>> Also Dag Wieers has packages (fairly up-to-date) of clamav for all
>> the RedHat distros including EL and FC.
>>
>> See http://dag.wieers.com/home-made/apt/packages.php
>
> I would recommend NOT running those RPMs, unless you do heavy
> modification of the configuration. Dag has it set to spam the spoofed
> senders (WHY IS THIS EVEN A VALID OPTION IN CLAMAV?).

Um, does he? By my reading of
http://dag.wieers.com/packages/clamav/clamav.spec
...
%{__cat} <clamav-milter.sysconfig
### Simple config file for clamav-milter, you should
### read the documentation and tweak it as you wish.
...
--noreject
...
he has it set to absorb viruses (don't reject, don't deliver, don't bounce)

-- Matthew.van.Eerde (at) hbinc.com
RE: [Clamav-users] Issues with ClamAV and RedHat Enterprise 2
Damian Menscher wrote:
> On Tue, 27 Sep 2005, [EMAIL PROTECTED] wrote:
>>> Dag has it set to spam the spoofed senders
>>
>> Um, does he? By my reading of
>> http://dag.wieers.com/packages/clamav/clamav.spec
>> ...
>> --noreject
>
> Rather convenient of you to snip THE NEXT LINE:
> -obl local:%{_localstatedir}/clamav/clmilter.socket
>
> Note that the -b is short for --bounce.

Missed that one. So he has both --bounce and --noreject??? LOL

-- Matthew.van.Eerde (at) hbinc.com