Re: [Clamav-users] Nude links on www.clamav.org
Can I make a contribution of clamav.org.za? ... or whateva u think is the best. We're an ISP using clamav, and I would also like to make my contribution.

Nigel Kukard (Chief Executive Officer)
Lando Technologies Africa (Pty) Ltd
[EMAIL PROTECTED] www.lando.co.za
Tel: 083 399 5822 Fax: 086 1100036
Hoheisen Park Bellville, Cape Town
National Internet Service Provider

The best language to use is the language that was designed for what you want to use it for - 1997

Disclaimer:
The contents of this message and any attachments are intended solely for the addressee's use and may be legally privileged and/or confidential information. This message may not be retained, distributed, copied or used if you are not the addressee of this message. If this message was sent to you in error, please notify the sender immediately by reply e-mail and then destroy the message and any copies thereof. Opinions, conclusions and other information in this message may be personal to the sender and is not that of Lando Technologies Africa or any of its subsidiaries, associated companies or principals and is therefore not endorsed by any of the Lando groups of companies. Due to e-mail communication being insecure, Lando groups of companies do not guarantee confidentiality, security, accuracy or performance of the e-mail. Any liability for viruses is excluded to the fullest extent.

On Thu, Dec 11, 2003 at 01:11:17PM -0500, Stewart MacLund wrote:
> Mark Mielke said:
> > What about clamav.com, clamav.cc, clamav.ca, clamav.tv, ...?
>
> Stepping up to provide my contribution for a lovely VirusScanner -
>
> clamav.ca is now registered, and I pointed www.clamav.ca and clamav.ca to
> 66.35.250.210 and MX records to mail.oltrelinux.com. and mail.tzone.it.
> with 10 and 20 preference, respectively.
>
> It's pending .ca approval right now, and should be active in the next
> couple of days.
>
> Someone might want to update the mail server to accept the .ca.
>
> As another contribution - if anyone who runs the site would like to open
> up rsync for one or two of my servers for the .ca domain, I'm down with
> that. Email me privately, if you wish, and we'll talk about it.
> Essentially, I'd rsync the website down to two servers here in the great
> white north, and do a double www.clamav.ca record.
>
> Let me know!
>
> Sundie...

Re: [Clamav-users] Solaris 8 Unzipping Issue
I have LOTS of samples, where can I send them to?

On Fri, Jan 23, 2004 at 10:27:56PM +0100, Tomasz Kojm wrote:
> On Thu, 22 Jan 2004 15:40:17 -0600
> Sean Tempesta <[EMAIL PROTECTED]> wrote:
>
> > Basically, the error exim receives from clam is:
> > /var/spool/exim/scan/1AjmNJ-0007VL-Jw/1AjmNJ-0007VL-Jw-0.com: Zip
> > module failure. ERROR
>
> Please send me some sample that causes clamscan to generate this error.
> If this is an issue with all zip files please send me complete info of
> your system (architecture, full output from ./configure, etc.).
>
> Best regards,
> Tomasz Kojm
> --
> oo. [EMAIL PROTECTED] www.ClamAV.net
> (\/)\. http://www.clamav.net/gpg/tkojm.gpg
> \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
> //\ /\Fri Jan 23 21:59:06 CET 2004

[Clamav-users] new virus definition library
How can I add my own virus definition to the clamav library? I've tried to fiddle with CVD def files to no avail, it always wants a signing server.

Could someone please let me know in a step by step manner how to create my own little virus def file so I can block viruses and send the sigs to you guys.

-Nigel Kukard

[Clamav-users] ClamAV 0.67 memory leak
Anyone seen this...

3843 ? S 0:00 clamd
3846 ? S 0:01 \_ clamd
3847 ? S 0:03 \_ clamd

when i cat the /proc/3843/status file...

Name: clamd
State: S (sleeping)
Tgid: 3843
Pid: 3843
PPid: 1
TracerPid: 0
Uid: 0 0 0 0
Gid: 0 0 0 0
FDSize: 32
Groups: 0
VmSize: 210900 kB
VmLck: 0 kB
VmRSS: 22940 kB
VmData: 209128 kB
VmStk: 16 kB
VmExe: 36 kB
VmLib: 1672 kB

Re: [Clamav-users] ClamAV 0.67 memory leak
Sorry, it's 0.67. Seems the VM kills it when it uses up all the RAM, couldn't this be other people's problems as well? I mean I see quite a few people saying clamd just dies?

On Wed, Mar 03, 2004 at 12:42:48AM +0100, Thomas Lamy wrote:
> Nigel Kukard wrote:
>
> >Anyone seen this...
> >
> > 3843 ? S 0:00 clamd
> > 3846 ? S 0:01 \_ clamd
> > 3847 ? S 0:03 \_ clamd
> >
> >when i cat the /proc/3843/status file...
> >
> >Name: clamd
> >State: S (sleeping)
> >Tgid: 3843
> >Pid: 3843
> >PPid: 1
> >TracerPid: 0
> >Uid: 0 0 0 0
> >Gid: 0 0 0 0
> >FDSize: 32
> >Groups: 0
> >VmSize: 210900 kB
> >VmLck: 0 kB
> >VmRSS: 22940 kB
> >VmData: 209128 kB
> >VmStk: 16 kB
> >VmExe: 36 kB
> >VmLib: 1672 kB
> >
> Which version exactly (I guess it's 0.67 release, but better safe...),
> on which OS/Distribution ?
> I've not seen huge mem leaks in clam since its 0.65 days, and I tend to
> check this every now and then with "valgrind".
>
> Thomas

Re: [Clamav-users] ClamAV 0.67 memory leak
> >>Nigel Kukard wrote:
> >>
> >>>Anyone seen this...
> >>>
> >>>3843 ? S 0:00 clamd
> >>>3846 ? S 0:01 \_ clamd
> >>>3847 ? S 0:03 \_ clamd
> >>>
> >>>when i cat the /proc/3843/status file...
> >>>
> >>>Name: clamd
> >>>State: S (sleeping)
> >>>Tgid: 3843
> >>>Pid: 3843
> >>>PPid: 1
> >>>TracerPid: 0
> >>>Uid: 0 0 0 0
> >>>Gid: 0 0 0 0
> >>>FDSize: 32
> >>>Groups: 0
> >>>VmSize: 210900 kB
> >>>VmLck: 0 kB
> >>>VmRSS: 22940 kB
> >>>VmData: 209128 kB
> >>>VmStk: 16 kB
> >>>VmExe: 36 kB
> >>>VmLib: 1672 kB
> >>>
> >>
> >>Which version exactly (I guess it's 0.67 release, but better safe...),
> >>on which OS/Distribution ?
> >>I've not seen huge mem leaks in clam since its 0.65 days, and I tend to
> >>check this every now and then with "valgrind".
> >>
> >>Thomas
> >>
> >Sorry, it's 0.67. Seems the VM kills it when it uses up all the RAM,
> >couldn't this be other people's problems as well? I mean I see quite a few
> >people saying clamd just dies?
> >
> Yes, but that's another issue which is supposed to be finally fixed in
> CVS; a new release candidate should pop up soon.

So it has been fixed?

> Again, which Distro/Version and kernel? Did you compile from source or
> do you use some binary (from where)?

kernel 2.4.24, custom designed distro compiled from source.

-Nigel

Re: [Clamav-users] Re: Simple patch for dealing with password zipfiles
ivs-milter (http://freshmeat.net/projects/ivsmilter/) has had this feature since design date.

On Mon, Mar 08, 2004 at 11:03:55AM -0500, Brett Simpson wrote:
> >>> [EMAIL PROTECTED] 3/4/2004 5:35:34 PM >>>
> > Nope, that won't work. Besides blocking purely based on name we also run
> > 'file' on the attachments and block based on the type of file returned by
> > 'file'. So, a windows executable renamed from foo.exe to foo.txt will
> > still be caught as a banned 'exe' file - blocking only based on the name
> > would be way too primitive.
>
> How did you implement this? I like the idea of checking the file to see if the
> extension matches what is returned by the file command.
>
> Brett

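The content-versus-name check discussed in this thread, as an added example that is not part of the original messages and is not code from ivs-milter or any other project named here. It uses a small hand-written magic-byte table as a stand-in for the file(1) database; the banned lists, function names and the sample header are constructed for illustration.

```python
import os
import struct

# Assumed policy for this example: content types and extensions to refuse.
BANNED_TYPES = {"pe-executable", "dos-executable", "elf-executable"}
BANNED_EXTENSIONS = {".exe", ".com", ".pif", ".scr", ".bat"}


def sniff_type(data: bytes) -> str:
    """Coarse content type from leading magic bytes (stand-in for file(1))."""
    if data[:2] == b"MZ":
        # A PE image stores the offset of its "PE\0\0" header at 0x3C.
        if len(data) >= 0x40:
            (pe_off,) = struct.unpack_from("<I", data, 0x3C)
            if data[pe_off:pe_off + 4] == b"PE\0\0":
                return "pe-executable"
        return "dos-executable"
    if data[:4] == b"\x7fELF":
        return "elf-executable"
    if data[:4] == b"PK\x03\x04":
        return "zip-archive"
    if data and b"\0" not in data:
        try:
            data.decode("utf-8")
            return "text"
        except UnicodeDecodeError:
            pass
    return "unknown"


def check_attachment(filename: str, data: bytes):
    """Return (blocked, reason); the content check runs whatever the name says."""
    ext = os.path.splitext(filename)[1].lower()
    kind = sniff_type(data)
    if kind in BANNED_TYPES:
        return True, f"content is {kind} (named {ext or 'no extension'})"
    if ext in BANNED_EXTENSIONS:
        return True, f"extension {ext} is banned"
    return False, f"{kind} content, extension {ext or 'none'}"


def constructed_pe_stub() -> bytes:
    """Constructed 68-byte header: MZ magic, e_lfanew=0x40, PE signature."""
    return b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0"


if __name__ == "__main__":
    samples = [
        ("foo.exe", constructed_pe_stub()),
        ("foo.txt", constructed_pe_stub()),  # renamed executable
        ("notes.txt", b"hello\n"),
        ("notes.pif", b"hello\n"),           # harmless content, banned name
    ]
    for name, body in samples:
        print(name, check_attachment(name, body))
```
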
Re: [Clamav-users] sendmail devel?
> > > Security issues aside, postfix is significantly simpler to setup and
> > > maintain than sendmail and deals just fine with heavy loads. It might be
> > > slightly less flexible, but for 99% of all users I'd say it's more than
> > > flexible enough.
> >
> > If you know what you're doing with mail, sendmail isn't hard to setup.
> > My sendmail.mc has only 58 non-comment lines, which isn't exactly
> > terrifying.
> >
> I agree, but for the inexperienced admin Postfix is usually simpler.
> Both are nice MTAs.
>

Postfix doesn't implement something like milter, does it? This in my eyes is a serious drawback if you want to run 3rd party opensource plugins which add cool features.

but again... maybe someone can point me in the direction of a plugin api for postfix?

-Nigel

Re: [Clamav-users] URL.Spoof.gen
I third it!

Frank Elsner wrote:
On Wed, 22 Dec 2004 15:13:09 +0300 Odhiambo Washington wrote:
* [EMAIL PROTECTED] <[EMAIL PROTECTED]> [20041222 15:11]: wrote:
thanks for your email
Where is the list moderator?
I second your cry. This address - [EMAIL PROTECTED] - please ban it! Or is it just me getting the crap from it?
You are not alone.
--Frank Elsner
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Re: [clamav-users] klez detection dropped after Iframe rule added.
Most klez infections use the IFrame exploit, so in fact the IFrame Exploit will match before the klez one. What we do is break up the email into all the mime pieces, decode them and scan the individual portions, most of the time clamscan picks up both iframe & klez, iframe being the first mime part of the message... so as I can see being picked up first?

On Fri, 14 Feb 2003 [EMAIL PROTECTED] wrote:
>
> clamd usually catches between 100-160 klez infections per day on e-mail to
> our domain.
> The day the Exploit.IFrame and Exploit.IFrame.HTML rules were added, only
> 64 were caught (our rules update at 11am, and 11pm EST).
> Today, only 26 klez were caught.
>
> I highly doubt all those klez infections magically got cleaned up at the
> same time that these new rules were added.
>
> However, Exploit.IFrame.HTML cause 86 violations today, and if those were
> actually klez, then all the klez crap is likely still getting caught.
>
> I'm just hoping to verify with someone that knows the Exploit.IFrame.HTML
> rule and klez that this is the case (klez still being caught, just
> identified differently).
> And if that is the case, then I'm wondering if there's a way to get the
> klez rule to match first so that these appear to be identified more
> accurately/appropriately.
>
> Thanks in advance,
> --
> Josh I.

--
Nigel Kukard

Re: [clamav-users] klez detection dropped after Iframe rule added.
That is perfectly as it should work :) There are in fact 2 "viruses", one a dangerous exploit and the other a virus in the mails you're scanning. It should pick both up, cause the mail is infected with both.

IFrame exploit is also used with a lot of the NEW NEW viruses, so this protects you if a new one comes out today, which uses the iframe exploit to execute it.

On Fri, 14 Feb 2003, jef moskot wrote:
> On Fri, 14 Feb 2003, Nigel Kukard wrote:
> > most klez infections use the IFrame exploit, so infact the IFrame Exploit
> > will match before the klez one. what we do is break up the email into all
> > the mime peices, decode them and scan the individual portions, most of the
> > time clamscan picks up both iframe & klez, iframe being the first mime part
> > of the message...
>
> That's exactly the sort of thing I've been seeing.
>
> Example:
> /var/log/amavis/amavis-02459327/parts/msg-55339-1.html: Exploit.IFrame.HTML FOUND
> /var/log/amavis/amavis-02459327/parts/msg-55339-2.pif: Worm/Klez.H FOUND
> /var/log/amavis/amavis-02459327/parts/msg-55339-3.txt: OK
>
> I was a little curious about it, but I'm glad to see that that's how it's
> supposed to work.
>
> Jeffrey Moskot
> System Administrator
> [EMAIL PROTECTED]

--
Nigel Kukard

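The per-part scanning described in the two messages above, as an added example that is not part of the original thread and is not ClamAV or amavis code. The signatures, names and sample message are constructed stand-ins; the example shows why a first-match scan of the undecoded message reports only the HTML part's detection, while decoding and scanning each MIME part reports both.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed stand-in signatures (name, byte pattern); not ClamAV signatures.
SIGNATURES = [
    ("Sample.IFrame.HTML", b"<iframe "),
    ("Sample.Worm.A", b"CONSTRUCTED-WORM-BODY"),
]


def first_match(data: bytes):
    """Return the name of the first signature found in data, or None."""
    for name, pattern in SIGNATURES:
        if pattern in data:
            return name
    return None


def build_sample() -> bytes:
    """Constructed message: HTML body, binary attachment, text attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "rcpt@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content(
        '<html><body><iframe src="about:blank"></iframe></body></html>\n',
        subtype="html",
    )
    # Binary attachments are base64-encoded on the wire, so the marker below
    # does not appear literally in the raw message.
    msg.add_attachment(
        b"\x00\x01CONSTRUCTED-WORM-BODY\x02",
        maintype="application",
        subtype="octet-stream",
        filename="setup.pif",
    )
    msg.add_attachment("nothing to see\n", filename="note.txt")
    return msg.as_bytes()


def scan_raw(raw: bytes):
    """Scan the undecoded message and stop at the first hit."""
    return first_match(raw)


def scan_parts(raw: bytes):
    """Decode every leaf MIME part and scan each one separately."""
    msg = message_from_bytes(raw, policy=policy.default)
    leaves = (p for p in msg.walk() if not p.is_multipart())
    results = []
    for index, part in enumerate(leaves, 1):
        payload = part.get_payload(decode=True) or b""
        label = part.get_filename() or f"part-{index}"
        results.append((label, first_match(payload) or "OK"))
    return results


if __name__ == "__main__":
    raw = build_sample()
    print("raw message:", scan_raw(raw))
    for label, verdict in scan_parts(raw):
        print(f"{label}: {verdict}")
```

Counting detections per part rather than per message keeps the worm count visible even when an earlier part of the same mail matches a more generic exploit signature first.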
Re: [clamav-users] Clam Antivirus Performance
Chris,

I totally agree, I actually have a copy of about 15,000 viruses that I got from a friend of mine... most of which clam doesn't detect, the only problem I have is I need an automated way to generate the sigs. Sigtool (I think it's called) isn't that clever at the moment, the second it can grab patterns... I'll be contributing A LOT!

btw, patternFinder is a java prog and our high end server distro doesn't at present support running of this type of app :(

-Nigel

On 1 Apr 2003, Chris van Meerendonk wrote:
> This is not an answer to your question, sorry for that...
> We've created a setup which scans with a commercial scanner and also
> with ClamAV. Whenever our commercial scanner finds a virus that ClamAV
> doesn't recognize we automatically 'contribute' it to ClamAV. This way
> ClamAV hopefully 'learns' the latest viruses in a short time. It would
> be nice if more people could create such a setup since we don't get all
> viruses...
>
> Regards,
>
> Chris
>
> On Tue, 2003-04-01 at 14:10, Magnus Sundberg wrote:
> > Hi,
> > A while ago, I read an article that stated that opensource anti-virus
> > scanners did not catch any of the recent viruses.
> > From scanning the archive this seems to not be true.
> > Does anybody know of any comparisons between Clam anti virus and other
> > commercial solutions?
> > What is your subjective opinion?
> >
> > /Magnus

--
Nigel Kukard

Re: [clamav-users] Clamd with Clamav-Milter, Sendmail 8.12.9 timeout lockup?
There are 2 buffer overrun possibilities which can cause assert()'s to be triggered, which takes down clamav-milter.

I've sent patches through to Nigel Horne concerning this.

You can also try our fork of clamav-milter which is a standalone package... ivs-milter, http://freshmeat.net/projects/ivsmilter

I wouldn't classify it as stable, but it is running in production use at an ISP which processes about 1 million emails a day.

-Nigel Kukard

On Fri, Jul 11, 2003 at 10:34:22AM +0200, Ludek Finstrle wrote:
> > To add to this thread.
> >
> > It seems to hang on quite a few (not all) Session TimeOuts and ALL
> > 'WARNING: ScanStream: Size exceeded' events
>
> I have same problem. I have low traffic and this situation come when
> too e-mails is coming at the same time. BTW isn't it problem on SMP
> machines?
>
> I have RH 7.2, sendmail 8.11.6-25.72, clamav 0.60 and clamav-milter 0.55.
>
> Luf

Re: [clamav-users] Clamd with Clamav-Milter, Sendmail 8.12.9 timeout lockup?
Attached. -Nigel > > There is 2 buffer overrun possibilities which can cause assert()'s to be > > triggered, which takes down clamav-milter. > > > > I've sent patches through to Nigel Horne concerning this. > > I must have missed them. Please resend. > > - -Nigel > diff -c --new-file --recursive clamav-0.60_vanilla/clamav-milter/clamav-milter.c clamav-0.60_milterfixes/clamav-milter/clamav-milter.c *** clamav-0.60_vanilla/clamav-milter/clamav-milter.c Tue May 30 01:17:00 2000 --- clamav-0.60_milterfixes/clamav-milter/clamav-milter.c Thu Jul 10 08:22:20 2003 *** *** 925,933 syslog(LOG_NOTICE, "clean message from %s", privdata->from); } else { char **to; ! char err[1024]; FILE *sendmail; /* * TODO: check that clamd didn't crash (WIFSIGNALED(status)) */ --- 925,935 syslog(LOG_NOTICE, "clean message from %s", privdata->from); } else { char **to; ! char *err; FILE *sendmail; + int i; + /* * TODO: check that clamd didn't crash (WIFSIGNALED(status)) */ *** *** 935,949 syslog(LOG_NOTICE, mess); snprintf(err, sizeof(err), "Intercepted virus from: %s to:", privdata->from); ! ptr = strchr(err, '\0'); ! /* TODO: check for buffer overrun in err[] */ ! for(to = privdata->to; *to; to++) { ! ptr = strrcpy(ptr, " "); ptr = strrcpy(ptr, *to); } - assert(strlen(err) < sizeof(err)); - if(use_syslog) syslog(LOG_NOTICE, err); #ifdefCL_DEBUG --- 937,963 syslog(LOG_NOTICE, mess); snprintf(err, sizeof(err), "Intercepted virus from: %s to:", privdata->from); ! ! /* !* Setup err as a list of recipients !*/ ! i = 1024; ! err = (char *) malloc(i); ! ptr = err; ! ! for (to = privdata->to; *to; to++) { ! /* !* Re-alloc if we run out of buffer space !*/ ! if (ptr + 5 + strlen(*to) >= err + i) { ! i += 1024; ! realloc(err,i); ! } ! 
ptr = strrcpy(ptr, ""); ptr = strrcpy(ptr, *to); + ptr = strrcpy(ptr, "\n"); } if(use_syslog) syslog(LOG_NOTICE, err); #ifdefCL_DEBUG *** *** 978,983 --- 992,998 smfi_setreply(ctx, "550", "5.7.1", "Virus detected by ClamAV - http://clamav.elektrapro.com";); rc = SMFIS_REJECT; + free(err); } clamfi_cleanup(ctx); *** *** 1117,1127 va_list argp; va_start(argp, format); ! vsprintf(output, format, argp); va_end(argp); len = strlen(output); - assert(len <= sizeof(output)); ptr = output; } #ifdefCL_DEBUG --- 1132,1141 va_list argp; va_start(argp, format); ! vsnprintf(output, BUFSIZ, format, argp); va_end(argp); len = strlen(output); ptr = output; } #ifdefCL_DEBUG pgp0.pgp Description: PGP signature
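
Review bot: `char *err;` in the hunk at 925 is declared without an initialiser, while the hunk at 992 adds `free(err)`. Initialise it to NULL at the declaration so the free stays safe on any path that does not reach the `malloc`.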
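
Review bot: `realloc(err,i);` in the hunk at 937 discards its return value, so when the block is moved both `err` and `ptr` keep pointing at freed memory and the next `strrcpy` writes through them. Assign the result, check it for NULL, and recompute `ptr` from its saved offset into the new block. The unchanged `snprintf(err, sizeof(err), ...)` line above now runs before `err = (char *) malloc(i)`, so it writes through an uninitialised pointer with `sizeof(err)` equal to the pointer size, and `ptr = err` would overwrite the "Intercepted virus from" prefix in any case; allocate first, check the `malloc` result, and start `ptr` at the end of the prefix. Since the recipient list ends up in `err`, `syslog(LOG_NOTICE, err)` should also become `syslog(LOG_NOTICE, "%s", err)` so that address text is never treated as a format string.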
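
Review bot: `vsnprintf(output, BUFSIZ, format, argp)` in the hunk at 1132 hard-codes the bound, while the removed assert compared against `sizeof(output)` and the declaration of `output` is not visible here. Use `sizeof(output)` so the limit follows the declaration. The return value is also ignored, so a truncated message is sent on silently; compare it against the buffer size and log or handle the truncation.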