Re: [Clamav-users] clamav question
On 2007-05-16 12:50, Alexandros Fragkiadakis wrote:
> hi,
>
> i'm using mailscanner with clamav. Clamav uses its default options for
> filtering the emails so as, executable files (.exe) are not allowed but
> .zip files are allowed.
>
> The problem is that when i zip an executable file into a zip file, the
> email is blocked.
>
> What am i doing wrong?

Drink a coffee first?  Doing your homework?

1. First you posted this to the postfix mailing list, which is wrong (the
   word postfix doesn't even get mentioned in your problem description).

2. Now you posted it again to the clamav mailing list.  Here you claim
   clamav blocks .exe files.  Clamav blocks nothing.  It just scans files,
   including .exe's, for possible viruses.  If there is no virus in an
   exe-file, the file is not marked as dangerous.

> In /etc/Mailscanner/filename.rules.conf:

Ah, a mailscanner question?  So wouldn't the MailScanner mailing list be
more suited for such questions?
(nitpicking: the directory is named "MailScanner" with a capital "S")

> allow   \.zip$   -   -
> deny    \.exe$   Windows/DOS Executable

So, I did a quick google, and found on the first page:

  http://www.configserver.com/techfaq/faqlist.php?catid=5&faqid=25&page=1

which is even more than you asked for.

3. You didn't read the reply that was given on the postfix list either,
   which said to set "Maximum Archive Depth = 0".
   (The above url is a more restrictive way to implement this, taking
   into account the from and/or to.)
-- 
Paul Bijnens, xplanation Technology Services        Tel   +32 16 397.511
Technologielaan 21 bus 2, B-3001 Leuven, BELGIUM    Fax   +32 16 397.512
http://www.xplanation.com/                email:  [EMAIL PROTECTED]
***********************************************************************
* I think I've got the hang of it now:  exit, ^D, ^C, ^\, ^Z, ^Q, ^^, *
* F6, quit, ZZ, :q, :q!, M-Z, ^X^C, logoff, logout, close, bye, /bye, *
* stop, end, F3, ~., ^]c, +++ ATH, disconnect, halt, abort, hangup,   *
* PF4, F20, ^X^X, :D::D, KJOB, F14-f-e, F8-e, kill -1 $$, shutdown,   *
* init 0, kill -9 1, Alt-F4, Ctrl-Alt-Del, AltGr-NumLock, Stop-A, ... *
* ...  "Are you sure?" ...   YES   ...   Phew ...  I'm out            *
***********************************************************************

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
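The mechanism behind point 3, as an added example that is not MailScanner's code: filename rules of the shape quoted above are first-match-wins, and while the archive depth allows it the same rules are applied to the member names inside a zip, which is why a zipped .exe trips the deny rule and why "Maximum Archive Depth = 0" stops it. The rules text and the zip are constructed for the example; case-insensitive matching and "no rule matches means allow" are assumptions about the rule semantics, not facts taken from the thread.

```python
"""Added example (not MailScanner's code): ordered filename rules in the
filename.rules.conf shape, applied to an attachment and, while the archive
depth allows, to the member names inside a zip it carries."""
import io
import re
import zipfile

# Constructed rules in the same shape as the quoted filename.rules.conf:
# action, regex, then free text used in the log / user report.
RULES_TEXT = """\
allow   \\.zip$    -   -
deny    \\.exe$    Windows/DOS Executable
"""


def parse_rules(text):
    """Return [(action, compiled_regex, reason)] in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 2)
        action, pattern = fields[0].lower(), fields[1]
        reason = fields[2] if len(fields) > 2 else ""
        # Assumption: names are matched case-insensitively, so SETUP.EXE is an exe.
        rules.append((action, re.compile(pattern, re.IGNORECASE), reason))
    return rules


def first_match(rules, name):
    """First rule whose regex matches wins; no match at all means allow (assumption)."""
    for action, regex, reason in rules:
        if regex.search(name):
            return action, reason
    return "allow", ""


def check_attachment(rules, name, data, max_depth, depth=0):
    """Verdict for one attachment: ('deny', offending_name, reason) or ('allow', name, '').

    The name itself is checked first.  Then, only while depth < max_depth, the
    data is opened as a zip and every member name is checked the same way
    (recursing into nested zips).  max_depth == 0 therefore never looks inside,
    which is what "Maximum Archive Depth = 0" buys you in the thread above.
    """
    action, reason = first_match(rules, name)
    if action == "deny":
        return ("deny", name, reason)
    if depth < max_depth and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for member in archive.infolist():
                verdict = check_attachment(rules, member.filename, archive.read(member),
                                           max_depth, depth + 1)
                if verdict[0] == "deny":
                    return verdict
    return ("allow", name, "")


def make_zip(members):
    """Build an in-memory zip from {name: bytes}; constructed test input only."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w", zipfile.ZIP_DEFLATED) as archive:
        for member_name, content in members.items():
            archive.writestr(member_name, content)
    return buffer.getvalue()


if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    zipped_exe = make_zip({"setup.exe": b"MZ constructed stand-in, not a real binary"})
    print(check_attachment(rules, "tools.zip", zipped_exe, max_depth=1))  # denied: setup.exe
    print(check_attachment(rules, "tools.zip", zipped_exe, max_depth=0))  # allowed: never unpacked
```

With depth 1 the zip is allowed by name but its member setup.exe hits the deny rule; with depth 0 the archive is never opened and only the outer name is judged, which is the trade-off the reply describes: less blocking, and also no inspection of what the zip carries.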
Re: [Clamav-users] eicar not detected
On 2007-05-21 07:26, Benoit Schmid wrote:
> Good morning,
>
> When I run a clamscan on a folder containing emails with different viruses.
> There is an eicar that is not detected.
>
> Would you know why?

Because the file below is not a mail message.

> The file start after this line:
> t;1179497094
> p;3
> *;4
> u;FILTER_DISCARD
> c;tcp_intranet
> (;TCP|129.194.9.224|25|129.194.16.24|46422
> );SMTP/a
> s;a ([129.194.16.24])
> h;<[EMAIL PROTECTED]>
> m;
> d;20
> *;36
> j;rfc822
> f;[EMAIL PROTECTED]
> @mbox.unige.ch:[EMAIL PROTECTED]
> Boundary_(ID_FlUaFePoptV3h07KbhxMAQ)
> Received: from a ([129.194.16.24])
>  by victor.unige.ch (Sun Java(tm) System Messaging Server 6.3-0.15 (built Feb
>  9 2007)) with ESMTP id <[EMAIL PROTECTED]> for
>  [EMAIL PROTECTED] (ORCPT [EMAIL PROTECTED]); Fri,
>  18 May 2007 16:04:54 +0200 (MEST)
> Date-warning: Date header was inserted by victor.unige.ch
> Date: Fri, 18 May 2007 16:04:53 +0200 (MEST)
> Message-id: <[EMAIL PROTECTED]>
> To: Undisclosed recipients: ;
>
> [EMAIL PROTECTED](P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
> Boundary_(ID_FlUaFePoptV3h07KbhxMAQ)

When extracting the lines between the "\x01\x02Boundary" and saving it in
a file, that file is flagged with EICAR.
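What the reply describes, as an added example that is not part of the original post or of ClamAV: a queue file whose first bytes are envelope lines is not recognised as mail, so no mail parsing happens and an offset-anchored signature never lines up; cut out the part between the boundary lines and the same bytes are scanned as a message. The envelope below is constructed in the shape of the quoted file (addresses are documentation values), the 0x01 0x02 bytes in front of the boundary follow the reply, and the offset-0 signature check is a stand-in for the scanner, not ClamAV's matcher.

```python
"""Added example, not part of the original post: why a message wrapped in a
queue-file envelope is not scanned as mail, and how pulling out the part
between the boundary lines changes that."""
import email
import re

# The public EICAR test string (harmless by design).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed queue file: envelope lines first, then the RFC 822 message
# between two boundary lines that begin with bytes 0x01 0x02.
QUEUE_FILE = (
    b"t;1179497094\n"
    b"p;3\n"
    b"u;FILTER_DISCARD\n"
    b"j;rfc822\n"
    b"\x01\x02Boundary_(ID_constructed)\n"
    b"Received: from a ([192.0.2.10]) by mail.example.net with ESMTP\n"
    b"Date: Fri, 18 May 2007 16:04:53 +0200 (MEST)\n"
    b"To: Undisclosed recipients: ;\n"
    b"\n"
    + EICAR + b"\n"
    b"\x01\x02Boundary_(ID_constructed)\n"
)

BOUNDARY = re.compile(rb"^\x01\x02Boundary_\(ID_[^)]*\)$", re.MULTILINE)
HEADER_LINE = re.compile(rb"^[!-9;-~]+:")   # RFC 5322 field name followed by ':'


def extract_message(queue_bytes):
    """Bytes between the first two boundary lines, or None if they are missing."""
    marks = list(BOUNDARY.finditer(queue_bytes))
    if len(marks) < 2:
        return None
    return queue_bytes[marks[0].end() + 1:marks[1].start()]


def looks_like_mail(data):
    """A mail parser only engages when offset 0 holds a header line;
    an envelope line such as 't;1179497094' is not one."""
    first_line = data.split(b"\n", 1)[0]
    return HEADER_LINE.match(first_line) is not None


def signature_hit(obj):
    """Stand-in for an offset-0 signature: the string must start the scanned
    object, not merely occur somewhere inside a larger file."""
    return obj.startswith(EICAR)


def scan(data):
    """Scan the way a mail-aware scanner would: raw if the data is not mail,
    otherwise each decoded body part on its own."""
    if not looks_like_mail(data):
        return signature_hit(data)
    message = email.message_from_bytes(data)
    for part in message.walk():
        if part.is_multipart():
            continue
        if signature_hit(part.get_payload(decode=True) or b""):
            return True
    return False
```

scan(QUEUE_FILE) is False because the file is treated as an opaque blob whose first bytes are "t;"; scan(extract_message(QUEUE_FILE)) is True because the extracted bytes parse as a message and the body part starts with the test string.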
Re: [Clamav-users] Virus Detection Messages - False positive or real?
On 2008-03-18 10:34, [EMAIL PROTECTED] wrote:
> On a test server after a very long period of not detecting anything CLAM
> AV started reporting that it was seeing:
>
> /clamscan/servers/mudlake/opt/Dave/nmap-4.03.tgz: Trojan.Spy-27244 FOUND
> /clamscan/servers/mudlake/opt/Dave/nmap-4.03/mswin32/winpcap/Packet.dll: Trojan.Spy-27244 FOUND
> /clamscan/servers/mudlake/opt/Dave/nmap-4.03/mswin32/winpcap/WanPacket.dll: Trojan.Spy-27239 FOUND
>
> and:
> [...]
> The files in these directories are unchanged since 2006 so I'm curious if
> this might be a false positive.
[...]

When in doubt, I submit the files to www.virustotal.com and see what
other AV-programs think about the file.
Re: [Clamav-users] my mail server could not ricieve any email from outside
On 2008-05-14 10:03, Phonepaseuth VONGSIPASOM wrote:
> Dear Sir or Madam,
> I have a big problem that my mail server can't receive any email from
> outside "Internet", because the clamav is working very hard. I could see
> from the services by using the top command in the prompt console in
> Linux. It has shown that it took 100% of the CPU. I think my mail server
> has a lot of viruses and the Clamav is trying to clear them. I don't know
> what to do. Please help me to solve this problem.

Are you scanning with "clamscan"? If yes, then use "clamdscan" instead.
Then make sure you are using the latest version as well.
Re: [Clamav-users] Virus Caught that is a false positive
On 2008-06-22 20:34, Philippe Faure wrote:
> ClamAV 0.92.1.
[...]
> While clamscan reports the following:
>
> "camrela_backup/Movies_on_CD_DVD_40_e-version.zip: Oversized.Zip FOUND

The handling of Oversized zip is removed in 0.93 (and replaced by much
more efficient protection against DoS attacks).

And, moreover, the current version is even 0.93.1. Time to upgrade anyway.
Re: [Clamav-users] bzip2 1.0.5 for CentOS
On 2008-09-05 17:11, SM wrote:
> At 01:11 05-09-2008, Tilman Schmidt wrote:
>> But even a manual "yum update" finds nothing to update. I cannot
>> imagine Redhat/CentOS neglecting to provide a patch for that
>
> Why not? :-)
>
> The response was that "this issue can only result in a crash of the
> bunzip2 process, which we do not consider to have any security impact."
>
>> vulnerability, so I am probably doing something wrong. But what?
>
> You are not doing anything wrong. Get a newer version of bzip2.

I believe the situation is this:

Apparently Redhat believes it is not a security bug:

https://bugzilla.redhat.com/show_bug.cgi?id=438118#c6

The crashing of bzip2 itself is not a security bug. But clamav (which is
NOT included in the package list by RedHat) uses bzip2 to unpack an
archive and assert no harmful content is inside. Clamav cannot verify
such an archive in this case. This could be used by a virus maker to
bypass the virus scanner on the mail server.

There exist updated bzip2 packages for FC7 and FC8.

When some Real Paying Customer for Redhat Enterprise logs a bug, and
convinces them it *is* a security bug, then the machinery for backporting
the fix will be started, I guess, resulting in a fixed bzip2 for the RHEL
series (or is this wishful thinking?).
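The bypass described above in code, as an added example that is neither ClamAV's nor bzip2's: a scanner whose unpacker crashes or bails out has not seen the content, and the only safe verdict for that archive is "unscannable", which delivery policy must then treat as a reject. The archives, the size limit and the stand-in signature are constructed; bz2 here is Python's module, not the library ClamAV links against, so this shows the decision logic, not the crash itself.

```python
"""Added example, not from the original post: a scan step that refuses to
turn a decompressor failure into a 'clean' verdict."""
import bz2
import enum


class Verdict(enum.Enum):
    CLEAN = "clean"
    INFECTED = "infected"
    UNSCANNABLE = "unscannable"   # content never seen: error, truncation, bomb


# Constructed stand-in for a signature; ClamAV's own detection is not this.
SIGNATURE = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"


def scan_plain(data):
    """Scan already-unpacked bytes."""
    return Verdict.INFECTED if SIGNATURE in data else Verdict.CLEAN


def scan_bz2(blob, max_output=1 << 20):
    """Decompress a bzip2 stream under a size bound, then scan the output.

    A decompressor error, a stream that does not end where it should, or
    output beyond max_output all yield UNSCANNABLE.  None of them may yield
    CLEAN: an archive the scanner cannot open is exactly what an attacker
    would send to a scanner that fails open.
    """
    decompressor = bz2.BZ2Decompressor()
    try:
        # Ask for one byte more than allowed so a bomb shows up as 'too much'.
        output = decompressor.decompress(blob, max_length=max_output + 1)
    except (OSError, ValueError, EOFError):
        return Verdict.UNSCANNABLE        # invalid or corrupt stream
    if len(output) > max_output:
        return Verdict.UNSCANNABLE        # decompression bomb
    if not decompressor.eof:
        return Verdict.UNSCANNABLE        # truncated stream
    return scan_plain(output)


def deliver(verdict, fail_closed=True):
    """Delivery policy.  fail_closed=False is the bypass the thread describes:
    a crashed unpacker leaves the archive unverified and it sails through."""
    if verdict is Verdict.INFECTED:
        return False
    if verdict is Verdict.UNSCANNABLE:
        return not fail_closed
    return True


if __name__ == "__main__":
    good = bz2.compress(b"just a text file")
    print(scan_bz2(good), deliver(scan_bz2(good)))
    broken = b"XXXX" + good[4:]           # wrecked stream header
    print(scan_bz2(broken), deliver(scan_bz2(broken)), deliver(scan_bz2(broken), fail_closed=False))
```

The three UNSCANNABLE cases are deliberately separate from INFECTED: they should be logged and usually quarantined or rejected with a distinct reason, so that a sudden rise in "unscannable" archives is visible as a possible attack on the unpacker rather than hidden among clean mail.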
Re: [Clamav-users] bzip2 1.0.5 for CentOS
On 2008-09-17 16:34, Clayton Keller wrote:
> Roberto Ullfig wrote:
>> Paul Bijnens wrote:
>>> On 2008-09-05 17:11, SM wrote:
>>>> At 01:11 05-09-2008, Tilman Schmidt wrote:
>>>>> But even a manual "yum update" finds nothing to update. I cannot
>>>>> imagine Redhat/CentOS neglecting to provide a patch for that
>>>> Why not? :-)
>>>>
>>>> The response was that "this issue can only result in a crash of the
>>>> bunzip2 process, which we do not consider to have any security impact."
>>>>
>>>>> vulnerability, so I am probably doing something wrong. But what?
>>>> You are not doing anything wrong. Get a newer version of bzip2.
>>> I believe the situation is this:
>>>
>>> Apparently Redhat believes it is not a security bug:
>>>
>>> https://bugzilla.redhat.com/show_bug.cgi?id=438118#c6
>>>
>>> The crashing of bzip2 itself is not a security bug. But clamav
>>> (which is NOT included in the package list by RedHat) uses bzip2
>>> to unpack an archive and assert no harmful content is inside.
>>> Clamav cannot verify such an archive in this case. This could be
>>> used by a virusmaker to bypass the virusscanner on the mailserver.
>>>
>>> There exist updated bzip2 packages for FC7 and FC8.
>>>
>>> When some Real Paying Customer for Redhat Enterprise logs a bug, and
>>> convinces them it *is* a security bug, then the machinery for
>>> backporting the fix will be started, I guess, resulting in a fixed
>>> bzip2 for the RHEL series (or is this wishful thinking?).
>>
>> Rhetorical question: Why does it have to be a _security_ bug in order
>> for redhat to fix it?
>
> I wanted to ask for those of you using CentOS and ClamAv-0.94 if you've
> had any issues with bunzip2 process crashing or experiencing any issues
> with ClamAV on these systems running the earlier version of bunzip2?
A fixed bzip2 package was released on sep 16:

See comment nr 10:
https://bugzilla.redhat.com/show_bug.cgi?id=438118#c10
https://rhn.redhat.com/errata/RHSA-2008-0893.html
Re: [Clamav-users] Handling of unknown configuration lines (was Re: Stop it!)
On 2008-10-03 22:25, Charles Gregory wrote:
> CONCRETE SUGGESTION FOR CLAMAV DEVELOPERS (and anyone else with
> minimal script writing skills):
>
> CLAMWATCH service.
> Either as cron job, or constantly running monitor daemon.
> - Checks if clamd service is running (if enabled in startup files)
> - Tests clamdscan with simple clean file and EICAR test
> - Tests clamscan with simple clean file and EICAR test
> Failure of any of these conditions results in notification
> via e-mail to frequently monitored admin account.
>
> A "watchdog" would not only detect failed startup, but also any possible
> random failures, including errors I've seen in previous versions where the
> daemon continues to 'run', but returns an error code to clamdscan.

I use this:

http://www.mikecathey.com/code/clamdwatch/

It did save me frequently when I was running mail with clamdscan on a
server having not enough memory (and while the 0.8* clamav releases still
used lots of memory).
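The checks Charles lists, written against clamd's socket protocol as an added example that is neither clamdwatch nor anything shipped with ClamAV: a PING, a clean sample that must come back OK, and the EICAR string that must come back FOUND, with a daemon that answers but no longer detects counted as a failure. It assumes a clamd new enough to accept INSTREAM (0.95 and later; the 0.94 of this thread used the port-based STREAM command) and the socket path is a placeholder; the exchange function is injectable so the logic runs without a daemon.

```python
"""Added example, not from the original post and not clamdwatch: the
watchdog checks from the suggestion above, spoken in clamd's own protocol."""
import socket
import struct

EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
CLEAN_SAMPLE = b"just some text that no signature matches\n"   # constructed

# Placeholder: a path (AF_UNIX) or a ("host", port) tuple (AF_INET).
CLAMD_ADDRESS = "/var/run/clamav/clamd.ctl"


def instream_request(data, chunk_size=8192):
    """Encode a zINSTREAM request: NUL-terminated command, then big-endian
    length-prefixed chunks, closed by a zero-length chunk."""
    parts = [b"zINSTREAM\0"]
    for offset in range(0, len(data), chunk_size):
        piece = data[offset:offset + chunk_size]
        parts.append(struct.pack(">I", len(piece)) + piece)
    parts.append(struct.pack(">I", 0))
    return b"".join(parts)


def parse_reply(reply):
    """clamd answers 'stream: <name> FOUND', 'stream: OK' or '... ERROR'
    (NUL-terminated for z-prefixed commands).  Returns (status, detail)."""
    text = reply.rstrip(b"\0\n").decode("ascii", "replace")
    if text.endswith(" FOUND"):
        return "FOUND", text[len("stream: "):-len(" FOUND")]
    if text.endswith(" OK"):
        return "OK", None
    return "ERROR", text


def transact(request, address=CLAMD_ADDRESS, timeout=30.0):
    """One request/reply exchange with a real clamd over AF_UNIX or TCP."""
    family = socket.AF_UNIX if isinstance(address, str) else socket.AF_INET
    with socket.socket(family, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        sock.connect(address)
        sock.sendall(request)
        reply = b""
        while not reply.endswith(b"\0"):
            piece = sock.recv(4096)
            if not piece:
                break
            reply += piece
    return reply


def run_checks(exchange=transact):
    """The watchdog proper.  Returns a list of failure strings (empty = healthy).
    'exchange' maps request bytes to reply bytes; pass a fake to test offline."""
    failures = []
    try:
        if exchange(b"zPING\0").rstrip(b"\0\n") != b"PONG":
            failures.append("PING: no PONG")
        status, _ = parse_reply(exchange(instream_request(CLEAN_SAMPLE)))
        if status != "OK":
            failures.append("clean sample: expected OK, got %s" % status)
        status, _ = parse_reply(exchange(instream_request(EICAR)))
        if status != "FOUND":
            failures.append("EICAR: expected FOUND, got %s" % status)
    except OSError as exc:
        failures.append("clamd unreachable: %s" % exc)
    return failures


if __name__ == "__main__":
    problems = run_checks()
    print("clamd healthy" if not problems else "\n".join(problems))
```

Run it from cron and mail the non-empty result to the admin account; the EICAR check is the one that catches the "daemon runs but returns errors" case from the suggestion, because a clamd that answers PONG and OK but not FOUND is worse than one that is down.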
[Clamav-users] SubmitDetectionStats fails frequently
Yesterday, I enabled the new feature in clamav 0.94.1 for statistics
gathering. At first, it seems to work, and I get a log message now and
then like:

  SubmitDetectionStats: No new detection records found
  SubmitDetectionStats: Submitted 10 records

But about 1 in 3 times, when freshclam tries to submit them, it reports:

  ERROR: SubmitDetectionStats: Permanent failure

Any idea how to debug and fix this? Or shouldn't we worry?
[Clamav-users] Bug in clamdscan/client.c 0.75
In clamdscan/client.c this was changed in 0.75:

@@ -129,6 +131,15 @@ server.sin_family = AF_INET; server.sin_port = htons(port); +peer_size = sizeof(peer); +if(getpeername(sockd, (struct sockaddr *) &peer, &peer_size) < 0) { + perror("getpeername()"); + mprintf("@Can't get socket peer name.\n"); + return -1; +} + +server.sin_addr.s_addr = peer.sin_addr.s_addr; + if(connect(wsockd, (struct sockaddr *) &server, sizeof(struct sockaddr_in)) < 0) { close(wsockd); perror("connect()");

If I do an strace, this happens here:

$ strace clamdscan - < filetotest
...
write(3, "STREAM", 6) = 6
read(3, "PORT 10005\n", 4096) = 11
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 4
getpeername(3, {sin_family=AF_UNIX, path="/tmp/clamd"}, [13]) = 0
connect(4, {sin_family=AF_INET, sin_port=htons(10005), sin_addr=inet_addr("109.112.47.99")}}, 16)

The program tries to getpeername() to get the ip-number of the remote
site, but this happens to be an AF_UNIX socket, not an AF_INET socket!
Result: garbage in the s_addr field...

Symptoms: clamdscan just waits until timeout on the (hopefully) not
answering host.

___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users
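Review bot: the added block assigns `server.sin_addr.s_addr = peer.sin_addr.s_addr;` without checking what address family getpeername() filled in, and the strace shows the control socket is AF_UNIX (path="/tmp/clamd"), so `peer` actually holds a sockaddr_un and the four bytes read as sin_addr are "mp/c" from that path, which is the 109.112.47.99 in the connect() line. Guard the assignment on the family, for example `if (peer_size >= sizeof(struct sockaddr_in) && peer.sin_family == AF_INET)`, and otherwise leave server.sin_addr as it is set above this hunk; as it stands the getpeername() success check passes for a Unix socket and the error path is never taken, so the only symptom is the long connect() timeout the report describes.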
Re: [Clamav-users] Bug in clamdscan/client.c 0.75
Rob Mangiafico wrote:

+peer_size = sizeof(peer); +if(getpeername(sockd, (struct sockaddr *) &peer, &peer_size) < 0) { + perror("getpeername()"); + mprintf("@Can't get socket peer name.\n"); + return -1; +} + +server.sin_addr.s_addr = peer.sin_addr.s_addr; +

> Commenting out the new code (with + in front) seems to at least get
> things working on my system. Anyone else see any drawbacks to commenting
> this out in 0.75 to get things working with Unix Sockets support for the
> time being? Want to upgrade to 0.75 for the increased virus catching of
> certain viruses.
>
> Rob M.

That's what I did, and it works fine.
(Actually commenting out the last line is enough.)
Re: [Clamav-users] Ok now wha?
A.R.S. KA9QLQ Alvin Koffman wrote:
> I ran this from a terminal and got
>
> [EMAIL PROTECTED] /]# clamscan -ri /home
> /home/ka9qlq/.thunderbird/default/9x8zs2cf.slt/Mail/pop.sbcglobal.yahoo.com/Inbox: Exploit.IFrame.Gen FOUND
> /home/ka9qlq/evolution/local/Inbox/mbox: Worm.Bagle.H-zippwd-1 FOUND
> /home/ka9qlq/.Mail/trash/26: Worm.Bagle.H-zippwd-1 FOUND
>
> --- SCAN SUMMARY ---
> Known viruses: 22853
> Scanned directories: 1442
> Scanned files: 9437
> Infected files: 3
> Data scanned: 5827.12 MB
> I/O buffer size: 131072 bytes
> Time: 11574.769 sec (192 m 54 s)
>
> How do I tell which email they are? Can clam take out the infected
> emails without messing up my inbox?

For the Trash, just empty the Trash, easy eh.

A long time ago, for a completely different problem, I wrote this little
prog to split up a netscape mailbox into separate files named F0, F1, F2,...

##
#!/usr/bin/perl -p
# usage: perl -p thisscript < mailbox   (writes F0, F1, F2, ... in the cwd)
BEGIN {
    $i = "0" unless $i;
    open(STDOUT, ">F$i");     # everything -p prints goes to the current F<i>
}
if (/^From /) {               # Unix/netscape mailbox: a new message starts here
    ++$i;
    open(STDOUT, ">F$i");     # switch output to the next file
    $_ = "" if m/^\.\r?$/;
}
##

Split it up, scan each file, remove the viruses, concatenate again,
remove the index file, and open again with mozilla (or thunderbird).

On the other hand, you do not get infected using Mozilla/thunderbird when
you simply look at the mail (contrary to M$Lookout). With a little
experience, you can recognize such viruses when just looking at them
(attachment around 30-69 Kbytes, exe-type or zip with a known list of
types, subject and/or message body only one or two lines ("hi",
"important" etc.). Then just delete them.

> Thanks
> Alvin
Re: [Clamav-users] Procmailrc settings (for bounce, notify etc)
Suril Patel wrote:
> I have successfully got ClamAV working after configuring/tweaking
> everything necessary and it works fine (so far). However, I've changed my
> mind regarding some settings for virus interception in e-mails and would
> like some help on the settings in /usr/local/etc/procmailrc.
>
> At the moment, all messages containing viruses are deleted 'quietly',
> i.e. the e-mail gets deleted without either party knowing. I presume the
> detection is in the logs but I'd like the message not to be delivered to
> me, while the sender gets a message saying "your message was failed due
> to virus etc. etc." Obviously the sender should just get the subject line
> or something and not the attachment. Postmaster doesn't need to be
> notified.

Actually, neither need the sender be notified, because that address is
forged in 99.9% of the current viruses. Unless you want to contribute to
the backscatter. Read:

http://www.postfix.org/BACKSCATTER_README.html

> Here is my file as it stands - what should the settings be instead and
> how can I modify the failure notice sent to the original sender?
>
> ===
> TMPLOGFILE=$LOGFILE
> TMPLOGABSTRACT=$LOGABSTRACT
> TMPVERBOSE=$VERBOSE
> LOGFILE=/var/log/procmail.clamav
> LOGABSTRACT=all
> VERBOSE=off
> NL="
> "
>
> :0
> CLAMAV=|/usr/local/bin/clamscan --disable-summary --stdout --mbox -
>
> :0
> * CLAMAV ?? .*: \/.* FOUND
> {
>   LOG="Possible virus ${MATCH}${NL}"
>
>   :0 fhw
>   | formail -a"X-ClamAV: ${MATCH}"
> }
>
> :0E fhw
> | formail -a"X-ClamAV: clean"
>
> :0
> * ^X-ClamAV: \/.*
> * ! MATCH ?? ^^clean^^
> /dev/null

Wow, so I just need to forge a mail with a header 'X-ClamAV: clean' to
pass your virus blocker. Don't add these things to the header. Just keep
the X-ClamAV: $(MATCH) and test for its absence.

And here is a recipe for auto-reply, if you really really want to
backscatter innocent people.

#
:0 h c
* !^FROM_DAEMON
* !^X-Loop: virusnotification
| (formail -rt -I"Precedence: junk" \
      -A"X-Loop: virusnotification" ; \
   cat /your/friendly/message ) | $SENDMAIL -oi -t
#
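The header-trust bug in the quoted recipe and the fix from the reply, as an added example that is neither procmail nor ClamAV code: it models formail's semantics (-a appends a header only when none of that name exists, -I replaces or removes all copies) in Python so the forged "X-ClamAV: clean" bypass can be demonstrated offline. The hardened variant does what the reply says (stamp only on detection, test for presence) and additionally strips any sender-supplied X-ClamAV first; the messages and the clamscan stand-in are constructed.

```python
"""Added example, not from the original post: why 'X-ClamAV: clean' in an
incoming message defeats the quoted recipe, and a variant that does not
trust sender-supplied headers."""
import email

EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def clamscan_match(raw):
    """Stand-in for the recipe's match on clamscan output ('... FOUND')."""
    return "Eicar-Test-Signature FOUND" if EICAR in raw else None


def formail_a(msg, name, value):
    """formail -a: append the field unless a header of that name already exists."""
    if msg.get_all(name) is None:
        msg[name] = value


def filter_as_posted(raw):
    """The quoted recipe: stamp X-ClamAV with the match or 'clean', then
    drop anything whose first X-ClamAV header is not exactly 'clean'."""
    msg = email.message_from_bytes(raw)
    found = clamscan_match(raw)
    formail_a(msg, "X-ClamAV", found if found else "clean")
    first = msg.get_all("X-ClamAV")[0]     # procmail's ^X-ClamAV: \/.* sees the first one
    return "discard" if first != "clean" else "deliver"


def filter_hardened(raw):
    """Strip whatever X-ClamAV the sender supplied, add a header only on
    detection, and discard on its presence."""
    msg = email.message_from_bytes(raw)
    del msg["X-ClamAV"]                    # formail -I "X-ClamAV:" : remove all copies
    found = clamscan_match(raw)
    if found:
        msg["X-ClamAV"] = found
    return "discard" if msg.get_all("X-ClamAV") else "deliver"


# Constructed messages.
CLEAN_MAIL = b"From: alice@example.org\nSubject: hello\n\nsee you at 5\n"
INFECTED_MAIL = b"From: worm@example.org\nSubject: important\n\n" + EICAR + b"\n"
# The bypass: the sender supplies the header the recipe trusts, so
# formail -a never adds the FOUND one and the 'clean' test passes.
FORGED_MAIL = (b"From: worm@example.org\nX-ClamAV: clean\nSubject: important\n\n"
               + EICAR + b"\n")

if __name__ == "__main__":
    for label, raw in (("clean", CLEAN_MAIL), ("infected", INFECTED_MAIL), ("forged", FORGED_MAIL)):
        print(label, filter_as_posted(raw), filter_hardened(raw))
```

The general lesson is the one the reply makes: a header added by your own filter is only trustworthy if nothing upstream can have added one with the same name first, so either strip it on entry or make the decision on a variable (the recipe's MATCH) rather than on the header.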
Re: [Clamav-users] My.Doom.o
Scott Ryan wrote:
> I have not submitted any virii (correct word?) before, so please bear
> with me.
>
> I always run latest stable, currently 0.75 and have not had any virus
> issues up until now. I am seeing a high number of mails in the below
> format hitting our mail servers.
>
>   Dear user <[EMAIL PROTECTED]>,
>
>   Your e-mail account has been used to send a large amount of spam
>   messages during this week. Obviously, your computer had been infected
>   by a recent virus and now runs a hidden proxy server.
>
>   Please follow our instruction in order to keep your computer safe.
>
>   Best wishes,
>   The team.
>
> with a zip file attached containing a pif file. I submitted the zip file
> only to have the message returned to me advising that it is not a virus,
> but "Binary fragment. Harmless."

Yes, it is a fragment of a virus. It is a dead virus :-)

> Symantec identify these mails as My.Doom.o and i have checked sigtool
> which identifies My.Doom.m, but not My.Doom.o -

You could identify it, but it cannot do any harm anymore.

> My question is, how do i get clamav to identify these files as a virus?
Re: [Clamav-users] Procmailrc settings (for bounce, notify etc)
Dave Ewart wrote:
> On Tuesday, 27.07.2004 at 15:27 +0200, Lionel Bouton wrote:
>> You might want to be more accurate than that: worms using mail for
>> propagation usually fake the From header, but when clamav detects a
>> virus using other means of propagation (meaning the From couldn't be
>> faked by the virus), notifying the sender is useful.
>>
>> Amavisd-new is configured to do this by using:
>>
>>   $viruses_that_fake_sender_re = new_RE(
>>     ...
>>     qr'Worm'i,   # worms as labeled by ClamAV, Kaspersky, etc
>>     [qr'^(EICAR|Joke\.|Junk\.)'i => 0],
>>     [qr'^(WM97|OF97|W95/CIH-|JS/Fort)'i => 0],
>>   );
>
> Interesting. I have heard of a particular incident where a sysadmin
> received a "you have sent us a virus" message, replied with the standard
> "hey, don't you know that most viruses fake headers, this autoreply from
> you is just adding clutter", only to then be told that, "actually, this
> *particular* virus does *not* fake the headers and your system really
> *does* have a virus ..." :-)

That's why subscribing to lists like this is useful. You learn something
new every day, like the plural of "virus"...

Next time someone tells me that "don't you know that virii fake headers",
I can correct him twice. :-)
Re: [Clamav-users] Calling clamd form an email client
L. Clayton Parker wrote:
> Before I download clamAV, could someone tell me if it is possible to
> call clamd from an email client using a "pipe to shell command" filter?
> I want to use it in conjunction with the Ximian Evolution email client
> in conjunction with spamassassin.

Yes, a single hyphen reads standard input:

  cat file | clamdscan -

You probably need to adjust some other settings in clamav.conf to enable
parsing raw mail messages too; I don't know Evolution enough.
Re: [Clamav-users] Ok now wha?
A.R.S. KA9QLQ Alvin Koffman wrote:
> Hey Paul, would you mind terribly to answer a couple questions about
> your perl script off list? If so email me at [EMAIL PROTECTED], if not
> no prob.

Did you receive my answer? Or is everything solved?
Re: [Clamav-users] Some Mydoom.M found, not all
Jona Tallieu wrote:
> But in the virex logs it shows clamav is not catching all:
>
>     1452225.msg/text.zip Found the W32/[EMAIL PROTECTED] virus !!!
>
> So it seems that clamav 0.75 + latest signature files are not catching all. Any ideas? Thanks!

There are versions of mydoom that contain only a piece of the virus. That variant is dead, and not harmful. Is it one of those?
Re: [Clamav-users] Clamav and pictures
Jeremy Kitchen wrote:
> On a side note, a buddy of mine once showed me a company that "guaranteed" that when a user opened an email from them, it was tracked, when in actuality it was no new fangled technology, it was the same old 1x1 transparent gif image cgi script bullshit :)

See: www.confirm.to
Re: [Clamav-users] Suspected Zip?
Trog wrote:
> It means the zip contains either a file with zero length name, or a file that's zero bytes in length, or possibly that the unzip failed.

A file of zero bytes in length, that's completely normal to me. False positive?
Re: [Clamav-users] How to report viruses (or false positives) larger than 1M?
Jason Haar wrote:
> The "submit sample" Web page appears to have a 1M limit on filesizes it will accept. I have two false positives that are 2 and 4.5M in size and cannot submit them. I have even tried unpacking (actually installing) them to find the file that was at fault - but clamscan cannot discover a virus when it's unpacked (so it must be some random byte-string match that is triggered by the CAB file and not by the content) - so cannot make them any smaller to submit.

I can't judge for you, but I got what I believed a false positive on a 20M pure text file with a name ending in ".script". We already had experience that such a file (program generated) could contain garbage at the end, especially in circumstances such as disk full while processing, or poweroff in the middle. (We even have a program that repairs the files.)

This time however, clamav categorized it as having Somefool.gen. Our other scanner (commercial) did not detect anything. False positive was our first thought.

But further investigation (triggered by the fact that the website has a limit of 1M on submissions :-) ) showed that the last part of the file was indeed a piece of an executable program (UPX encoded). The piece was damaged, and harmless. Probably the reason why our other virusscanner did not find anything.

Thanks to clamav, we found the customer, and indeed, after investigation he was infected by Netsky.B. Seeing the history of problems they had, probably already since April!

Not all false positives are completely false...
Re: [Clamav-users] Research on ClamAV
Thomas Cameron wrote:
> Aw, heck, I finished it. It only took a few minutes and I wouldn't mind a gift certificate to Amazon!

Yes, I did too. Funny thing is that, within an hour I received a Worm.Sober.I virus, which seems to be a backscattered mail from amazon.com (original source 213.22.187.170, with a forged sender "[EMAIL PROTECTED]", which amazon refuses because of the virus content, and sends it back to me!).

Does that mean I missed the $25 gift certificate, and this is the second prize? :-)
Re: [Clamav-users] EROR : "/var/run/clamd.sock: No such file or directory"
ads nat wrote:
> ads nat wrote:
>> /root/clamav-0.80/test: Access denied. ERROR
>> Please guide.
>
> In this situation can you please guide me which directory I should check with clamdscan?

Bad question.

"clamdscan" (note the "d" in the middle) just gives instructions to the background process "clamd" to scan this and that file. In the configuration file "clamd.conf" you have specified that that background process runs as user clamav. That user has no access to files that are only accessible as root. Even if you run "clamdscan" as root, the permissions do not get magically transferred to the "clamd" daemon that will scan the file.

There are two possible solutions:

1. Run "clamscan" (without a "d" in the middle) as root: this does not hand off the real work to a background daemon. The disadvantage is that the initial setup of the process, and reading all the signatures, takes considerable time compared to the scanning itself.

2. Run "clamd" as root instead of as user "clamav" (edit "clamd.conf", and stop/start the daemon). Experienced unix users don't like to run too many programs with root privileges, to lessen damage in case of vulnerabilities in such programs.

> Thanks for support.

0.02$ please.
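The "Access denied" in the reply above is the kernel applying the daemon user's permissions, not clamdscan's. As an added example (not from the post or the ClamAV project), the check below predicts that answer from the mode bits alone: every ancestor directory must grant search permission and the file itself read permission to the daemon's uid or one of its groups. Root's override is deliberately ignored, because a clamd that has dropped to user "clamav" no longer has it; the default user name "clamav" and the temp-file scenario in `demo_permissions` are assumptions of the example.

```python
"""Added example (not from the list post): predict whether the clamd user can
read a file from the mode bits alone, the way the kernel will decide it for
the daemon, before handing the path to clamdscan."""
import os
import pwd
import stat
from typing import Dict, Iterable, Tuple


def _may(st: os.stat_result, uid: int, gids: Iterable[int],
         owner_bit: int, group_bit: int, other_bit: int) -> bool:
    """Classic Unix check: owner class, else group class, else other.
    The root override is deliberately ignored: the point of the post is that
    clamd has dropped to an unprivileged user, so root's rights do not apply."""
    if st.st_uid == uid:
        return bool(st.st_mode & owner_bit)
    if st.st_gid in set(gids):
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)


def readable_as(path: str, uid: int, gids: Iterable[int]) -> Tuple[bool, str]:
    """Return (ok, reason). Every ancestor directory needs search (x)
    permission and the file itself needs read (r) permission."""
    gids = set(gids)
    path = os.path.abspath(path)
    ancestors = []
    d = os.path.dirname(path)
    while True:
        ancestors.append(d)
        parent = os.path.dirname(d)
        if parent == d:
            break
        d = parent
    for d in reversed(ancestors):              # from / down to the parent
        if not _may(os.stat(d), uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            return False, f"no search permission on directory {d}"
    if not _may(os.stat(path), uid, gids, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH):
        return False, f"no read permission on {path}"
    return True, "readable"


def readable_by_user(path: str, user: str = "clamav") -> Tuple[bool, str]:
    """Resolve a user name (assumed default: the daemon user from clamd.conf)
    to its uid and full group list, then run the check."""
    try:
        pw = pwd.getpwnam(user)
    except KeyError:
        return False, f"no such user: {user}"
    gids = os.getgrouplist(user, pw.pw_gid)
    return readable_as(path, pw.pw_uid, gids)


def demo_permissions() -> Dict[str, Tuple[bool, str]]:
    """Constructed scenario: a 0600 file inside a 0700 temp directory, checked
    for its owner and for an unrelated uid with no matching groups."""
    import tempfile
    d = tempfile.mkdtemp(prefix="clamcheck-")
    os.chmod(d, 0o700)
    p = os.path.join(d, "message.eml")
    with open(p, "wb") as fh:
        fh.write(b"Subject: constructed test message\n\nbody\n")
    os.chmod(p, 0o600)
    st = os.stat(p)
    return {"owner": readable_as(p, st.st_uid, {st.st_gid}),
            "other": readable_as(p, st.st_uid + 1, set())}
```

Running `readable_by_user("/root/clamav-0.80/test")` on the poster's box would have returned the directory that stops the daemon, which is the answer to "which directory should I check": the reason string names the first ancestor without search permission rather than just saying no.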
Re: [Clamav-users] Research on ClamAV
Thomas Cameron wrote:
> On Fri, 2004-12-10 at 08:26 +0100, Paul Bijnens wrote:
>> Thomas Cameron wrote:
>>> Aw, heck, I finished it. It only took a few minutes and I wouldn't mind a gift certificate to Amazon!
>>
>> Yes, I did too. Funny thing is that, within an hour I received a Worm.Sober.I virus, which seems to be a backscattered mail from amazon.com (original source 213.22.187.170, with a forged sender "[EMAIL PROTECTED]", which amazon refuses because of the virus content, and sends it back to me!).
>>
>> Does that mean I missed the $25 gift certificate, and this is the second prize? :-)
>
> LOL! On a (slightly) more serious note, I didn't get the gift certificate. Did anyone else?

I just received my gift certificate! Honest people... Yes, they exist.
[Clamav-users] v0.81 suddenly says "ScanStream: accept() failed
Upgraded this morning to 0.81, and suddenly I frequently have the error message "ScanStream: accept() failed" in my logs. I have enabled verbose logging, and notice that *most of the time* all is ok, but frequently there is an accept error:

    Thu Jan 27 16:09:06 2005 -> Accepted connection on port 12586, fd 9
    Thu Jan 27 16:09:07 2005 -> stream: OK
    Thu Jan 27 16:09:20 2005 -> ERROR: ScanStream: accept() failed.
    Thu Jan 27 16:09:42 2005 -> Accepted connection on port 26208, fd 9
    Thu Jan 27 16:09:43 2005 -> stream: OK

Frequently, I mean, 5-10 times per hour there is the error. I've never seen that error when using 0.80 (as far as my log files go back). Also downgrading to 0.80 for almost two hours never showed that error.

The setup appears to be working, because if I mail myself a virus, it is detected. I can't reproduce the error either on demand (save some incoming mail in a backup folder, and let it scan again -- all works fine then).

Anyone seen something similar?
Re: [Clamav-users] Phishing Questions
Damian Menscher wrote:
> Please don't. Phishing attempts do not automatically propagate (by infecting a machine and being re-sent) and therefore are generally one-time events. As such, they can be trivially changed to evade any signature-based filter, which must obviously generate a signature _after_ the release of each phishing email. As a result, blocking of phishing schemes is best left to anti-spam tools such as SpamAssassin. In contrast, once a virus (or other auto-propagating code) is released, the author no longer has control, so signatures can be developed.

I have a lot of those "one-time events" that clamav blocks. On my installation, I see about the same number of phishing mails being blocked by clamav as the somefool virus. It certainly helps my users.
Re: [Clamav-users] v0.81 suddenly says "ScanStream: accept() failed
Trog wrote:
> What software are you using to pass requests/data to clamd?

clamscan-procfilter.pl, a little perl program to be used in procmail, essentially boiling down to

    cat themsg | clamdscan --stdout - > $tempfile

and examining $tempfile for results.
Re: [Clamav-users] "ScanStream: read poll failed" error occurs with 0.81 release
exo dia wrote:
> I am piping e-mail via procmail, I pipe the e-mail to clamdscan through a shell script (no milter or anything being used.) This is the original version of the script I am using: http://www.everysoft.com/clamfilter.pl.txt

I noticed the same, using a similar perl script via procmail. I added, as trog suggested, the following lines to clamd.conf:

    StreamMinPort 1024
    StreamMaxPort 2048

And since then (about 5 hours ago) not seen any error anymore. Before I saw the error 5-10 per hour.
Re: [Clamav-users] "ScanStream: read poll failed" error occurs with 0.81 release
Trog wrote:
> I guess it's a bug in the perl script you two are using, it doesn't handle high port numbers correctly.

That could well be the case, because that system runs perl 5.6.1 (why upgrade production systems when all works fine).

A quick check shows 65235 as highest used port number (with success). But next down, port 60999 was used successfully 8 times, while all the others only once. Maybe a problem in the 61000-~65000 area?

Anyway, the error disappeared indeed.

> -trog
>
> On Thu, 2005-01-27 at 13:25 -0800, exo dia wrote:
>> Thank you Paul, I just made these changes to my clamd.conf, and restarted clamd. Hopefully this will correct (work around?) the problem!
>>
>> What do these settings mean (I haven't dug that far into the source yet)?
>>
>> -ed
>>
>> On Thu, 27 Jan 2005 22:17:26 +0100, Paul Bijnens <[EMAIL PROTECTED]> wrote:
>>> exo dia wrote:
>>>> I am piping e-mail via procmail, I pipe the e-mail to clamdscan through a shell script (no milter or anything being used.) This is the original version of the script I am using: http://www.everysoft.com/clamfilter.pl.txt
>>>
>>> I noticed the same, using a similar perl script via procmail. I added, as trog suggested, the following lines to clamd.conf:
>>>
>>>     StreamMinPort 1024
>>>     StreamMaxPort 2048
>>>
>>> And since then (about 5 hours ago) not seen any error anymore. Before I saw the error 5-10 per hour.
Re: [Clamav-users] "ScanStream: read poll failed" error occurs with 0.81 release
Paul Bijnens wrote:
> Trog wrote:
>> I guess it's a bug in the perl script you two are using, it doesn't handle high port numbers correctly.
>
> That could well be the case, because that system runs perl 5.6.1 (why upgrade production systems when all works fine).
>
> A quick check shows 65235 as highest used port number (with success). But next down, port 60999 was used successfully 8 times, while all the others only once. Maybe a problem in the 61000-~65000 area?

Just finished my coffee. It is not perl, but the OS itself. Just doing:

    nc -vvv -l -p 61000

gives "address already in use", and that up to port 65234. But there is no process really using it. I think that range was used by the NAT module in ipchains.

That machine was planned to be upgraded anyway. (kernel 2.2.19!! currently uptime 583 days, going back to the last powerfail that took longer than our UPS could handle.)

> Anyway, the error disappeared indeed.
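The diagnosis above came from trying `nc -l -p 61000` one port at a time. As an added example (not from the thread or from ClamAV), the probe below does the same for a whole StreamMinPort..StreamMaxPort range by attempting a plain `bind()` on each port and reporting the ones the kernel refuses, which is what clamd's per-stream listener would hit. No SO_REUSEADDR is set, so ports held by another process, reserved by a NAT module as in the post, or lingering in TIME_WAIT all count as busy. The `demo_with_held_port` scenario, which deliberately occupies one ephemeral port, is constructed for the example.

```python
"""Added example (not from the list post): probe which local TCP ports in a
StreamMinPort..StreamMaxPort range can actually be bound, the way the
"nc -l -p 61000" check in the post does one port at a time."""
import socket
from typing import Dict, List


def unbindable_ports(first: int, last: int, host: str = "127.0.0.1") -> List[int]:
    """Try to bind every port in [first, last]; return those that fail.
    No SO_REUSEADDR is set, so sockets lingering in TIME_WAIT count as busy,
    which matches what a fresh listener (such as clamd's stream socket) sees."""
    busy: List[int] = []
    for port in range(first, last + 1):
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            try:
                sock.bind((host, port))
            except OSError:          # EADDRINUSE, EACCES on privileged ports, ...
                busy.append(port)
    return busy


def stream_range_report(first: int, last: int, host: str = "127.0.0.1") -> Dict[str, object]:
    """Summarise how much of a configured stream port range is usable."""
    if not 0 < first <= last <= 65535:
        raise ValueError("port range must satisfy 0 < first <= last <= 65535")
    busy = unbindable_ports(first, last, host)
    total = last - first + 1
    return {"first": first, "last": last, "total": total,
            "busy": busy, "usable": total - len(busy),
            "busy_ratio": len(busy) / total}


def demo_with_held_port() -> Dict[str, object]:
    """Constructed scenario: hold one listening socket on an ephemeral port and
    show that the probe reports exactly that port as unusable."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as held:
        held.bind(("127.0.0.1", 0))
        held.listen(1)
        port = held.getsockname()[1]
        report = stream_range_report(port, port)
        report["held_port"] = port
        report["detected"] = port in report["busy"]
        return report


if __name__ == "__main__":
    # The range the thread ended up configuring in clamd.conf.
    r = stream_range_report(1024, 2048)
    print(f"{r['usable']}/{r['total']} ports usable; first busy ones: {r['busy'][:10]}")
```

A range where a large block of consecutive ports comes back busy while `netstat`/`ss` shows no owning process is the signature of the situation in the post: something below the socket layer (the old ipchains NAT module) has reserved them, and the fix is to move StreamMinPort/StreamMaxPort out of that block or retire the reservation.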
Re: [Clamav-users] Re: ClamAV on Exchange 200x
[EMAIL PROTECTED] wrote:
> I will be away from the office until Monday, June 27. If you need an immediate response, please send your email to [EMAIL PROTECTED]

How about a virus signature matching OoO replies?
Re: [Clamav-users] LibClamAV Error: Can't create temporary file : No such file or directory
[EMAIL PROTECTED] wrote:
> Is there somebody who can explain why I have got this message? My script used in root crontab is:
>
>     su - clamav -c "clamscan -r --tgz=/usr/local/bin/tar --quiet -l logs\/clamav_`date +%y%m%d`.log /"
>
> I don't know how to obtain the file which is the reason of the error message! The whole message is:
>
>     Subject: cron
>
>     ttytype: couldn't open /dev/tty for reading
>     stty: : Not a typewriter

The "su - " above means that the .profile is executed. You probably have the "stty" command in your profile. Make that conditional:

    if [ -t 0 ]; then
        stty ...
    fi

>     LibClamAV Warning:
>     LibClamAV Warning: *** This version of the ClamAV engine is outdated. ***
>     LibClamAV Warning: *** You version is too old to recognize certain virusses. ***
>     LibClamAV Warning: *** DON'T PANIC! Read http://www.clamav.net/faq.html ***
>     LibClamAV Warning:
>     HTTPClient/
>     HTTPClient/doc/
>     HTTPClient/doc/images/
>     HTTPClient/doc/images/redball.gif
>     HTTPClient/SocketTimeout$TimeoutEntry.class
>     HTTPClient/TransferEncodingModule.class
>     HTTPClient/UncompressInputStream.class
>     LibClamAV Error: Can't create temporary file : No such file or directory
>     LibClamAV Error: Can't create temporary file : No such file or directory
>     LibClamAV Error: Can't create temporary file : No such file or directory
>     LibClamAV Error: Can't create temporary file : No such file or directory
>     LibClamAV Error: Can't create temporary file : No such file or directory
>     LibClamAV Error: Can't create temporary file : No such file or directory
>     LibClamAV Error: Can't create temporary file : No such file or directory
>     LibClamAV Error: Can't create temporary file : No such file or directory
>     logout

> ... -l logs\/clamav_`date +%y%m%d`.log /"

Does that directory already exist? Try giving the full path.
Re: [Clamav-users] LibclamAV - Very Slow
On 2006-09-27 14:27, Alexander Hagenah wrote:
> But they are as different speedy, I never expected.

You're loading and unpacking the virus database each time. You see the same difference between "clamscan" and "clamdscan".
Re: [Clamav-users] Scanning Zip Files
On 2006-10-26 12:19, Roger wrote:
> I wonder if there is a way to let clamAV do all the work, i.e when a zip file comes through, it opens the zip files and checks to see whether it has a virus, if not, it lets the message through.
>
> If anyone can help in this regard, that would be most appreciated.

AFAIK, clamAV *does* look inside a zip file, unless you disable that explicitly in the clamd.conf file. See "ScanArchive".
Re: [Clamav-users] Viruses caught
On 2007-03-03 05:52, Dennis Peterson wrote:
> This is an interesting list for what it shows. It is a list from the last 10,000 "viruses" caught here where there were 10 or more of a particular virus caught. Clearly most of them are not viruses at all but image spam and penny stock scams. Might be time to re-word the way the information is reported back to the milter. The message says it's all viruses.

Be careful about using clamav with the MSRBL image-spams database!!

It seems to me like detecting the image spams with clamav signatures is not really an improvement. In fact, it is probably dangerous!

The programs generating these spams make unique images with variations with speckles, lines, color, size, etc making the image signature unique for each mail sent. I still have to catch the first real spam using the MSRBL-Image clamav signatures. I did catch some false positives on the other hand...

From the list below, all of the images caught are actually false positives (which the MSRBL people will have removed by now: they are cleaning up the db removing all too-small images.). You can get the image it refers to on the url: http://store.msrbl.com/ like: http://store.msrbl.com/0-AHL

> It also shows that Steve's lists from Sane Security are continuing to kick some serious butt. Thanks again, Steve!
>
> count  pattern
>  1233  Email.Img.Gen021.Sanesecurity.06126001
>  1182  Email.Img.Gen018.Sanesecurity.06122000
>  1053  Email.Img.Gen016.Sanesecurity.06121201
>   812  Email.Hdr.Sanesecurity.07012400
>   659  Email.Img.Gen001.Sanesecurity.0601
>   283  Html.Img.Gen013.Sanesecurity.06112900
>   197  Email.Stk.Gen298.Sanesecurity.07021504
>   196  Email.Stk.Gen294.Sanesecurity.07021500
>   191  Email.Stk.Gen299.Sanesecurity.07021505
>   180  Email.Stk.Gen297.Sanesecurity.07021503
>   175  Email.Stk.Gen295.Sanesecurity.07021501
>   173  Email.Stk.Gen300.Sanesecurity.07021506
>   169  Email.Stk.Gen296.Sanesecurity.07021502
>   140  Email.Spam.Gen253.Sanesecurity.07022303
>   139  Email.Img.Gen040.Sanesecurity.07010600
>   120  Email.Img.Gen064.Sanesecurity.07022301
>   116  Email.Spam.Gen103.Sanesecurity.07011703
>    89  Email.Img.Gen031.Sanesecurity.07010100
>    51  Email.Stk.Gen301.Sanesecurity.07021507
>    45  Html.Dipl.Gen003.Sanesecurity.07010300
>    39  Worm.Stration.pac
>    36  MSRBL-Images/0-IYC

false positive, see: http://store.msrbl.com/0-IYC

>    35  MSRBL-Images/0-OUI

false positive, see: http://store.msrbl.com/0-OUI

>    35  MSRBL-Images/0-Iwd

false positive, see: http://store.msrbl.com/0-Iwd

>    33  MSRBL-Images/0-O3Y

false positive, see: http://store.msrbl.com/0-O3Y

>    33  Html.Img.Gen037.Sanesecurity.07010501
>    29  Html.Phishing.RockGen11.Sanesecurity.07021701
>    26  Html.Phishing.Rock.Sanesecurity.06080102
>    24  Email.Stk.Gen205.Sanesecurity.07012204
>    24  Email.ImgO.Gen010.Sanesecurity.07022100
>    22  MSRBL-SPAM.BounceBack.2504
>    22  Html.Phishing.Bank.Gen818u.Sanesecurity.06062707
>    18  MSRBL-Images/0-OwI

false positive, see: http://store.msrbl.com/0-OwI

>    18  Email.Stk.Gen193.Sanesecurity.07011706
>    17  MSRBL-Images/0-OO1

false positive, see: http://store.msrbl.com/

>    16  MSRBL-SPAM.Meds.2660
>    16  Html.Phishing.Pay.Gen017.Sanesecurity.06022800
>    15  MSRBL-Images/0-OR9

...find this out for yourself...

>    15  MSRBL-Images/0-IYu
>    15  Email.Hdr.Sanesecurity.07022100
>    14  MSRBL-SPAM.SpamBlowBack.1150
>    14  MSRBL-SPAM.Bounce.URL.914
>    14  Html.Phishing.Pay.Gen001.Sanesecurity.06012700
>    14  Html.Phishing.Azon.Gen034.Sanesecurity.06112900
>    13  MSRBL-Images/0-OSE

This is the first "real image" (the above were mostly spacer gifs used to position the images in web pages), but still a false positive. See: http://store.msrbl.com/0-OSE

>    12  Worm.Somefool.AR
>    12  HTML.Phishing.Bank-362
>    12  ClamAV-Test-File
>    11  Html.Phishing.RockGen6.Sanesecurity.06122300
>    11  Html.Phishing.Rock.Sanesecurity.06050500
>    10  MSRBL-Images/0-Ihq

And another spacer gif... http://store.msrbl.com/0-Ihq

>    10  Html.Img.Gen034.Sanesecurity.07010302

I removed the msrbl-image database from my system, reducing the number of signatures clamav has to watch to one third. And no more false positives either, as a benefit. Now trying to get fuzzy-OCR working instead...

(nevertheless I *do* appreciate the effort from the MSRBL people fighting spam)
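The false-positive triage in this thread (and in the follow-up further down, where a flagged image is identified with `file` as "GIF image data, version 89a, 2 x 1" and opened in gimp to confirm it is a transparent spacer) can be automated. The parser below is an added example, not code from the thread, MSRBL or ClamAV: it walks the GIF header, colour tables, extensions and image descriptors without decoding pixel data, reports the logical screen size, whether a Graphic Control Extension sets the transparency flag, and how many frames there are, and flags anything with only a handful of pixels as spacer-sized. The 2x1 sample is constructed inline (the real 0-IYC image is not reproduced), as is the 200x150 header used for contrast; the four-pixel threshold is an assumption.

```python
"""Added example (not from the list post): read a GIF's header and block
structure to answer the question the thread answers with file(1) and a hex
dump: how big is the image, is it transparent, is it just a spacer?"""
import struct
from typing import Dict


def _skip_subblocks(data: bytes, pos: int) -> int:
    """Skip a chain of length-prefixed data sub-blocks; return the offset after
    the zero-length terminator."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n


def parse_gif(data: bytes) -> Dict[str, object]:
    """Parse the GIF header, colour tables, extensions and image descriptors.
    Pixel data is skipped, not decoded; only the structure is inspected."""
    if len(data) < 13 or data[:3] != b"GIF" or data[3:6] not in (b"87a", b"89a"):
        raise ValueError("not a GIF file")
    version = data[3:6].decode("ascii")
    width, height, packed = struct.unpack("<HHB", data[6:11])
    pos = 13                                   # header (6) + logical screen descriptor (7)
    if packed & 0x80:                          # global colour table present
        pos += 3 * (2 ** ((packed & 0x07) + 1))
    transparent = False
    frames = 0
    while pos < len(data):
        block = data[pos]
        pos += 1
        if block == 0x3B:                      # trailer
            break
        if block == 0x21:                      # extension: label, then sub-blocks
            label = data[pos]
            pos += 1
            # Graphic Control Extension: size 4, packed byte bit 0 = transparency flag
            if label == 0xF9 and pos + 1 < len(data) and data[pos] == 4:
                transparent = transparent or bool(data[pos + 1] & 0x01)
            pos = _skip_subblocks(data, pos)
        elif block == 0x2C:                    # image descriptor
            _, _, _, _, ipacked = struct.unpack("<HHHHB", data[pos:pos + 9])
            pos += 9
            if ipacked & 0x80:                 # local colour table
                pos += 3 * (2 ** ((ipacked & 0x07) + 1))
            pos += 1                           # LZW minimum code size
            pos = _skip_subblocks(data, pos)   # compressed pixel data
            frames += 1
        else:
            raise ValueError(f"unexpected block 0x{block:02x} at offset {pos - 1}")
    return {"version": version, "width": width, "height": height,
            "transparent": transparent, "frames": frames}


def describe(data: bytes) -> str:
    """Same one-liner file(1) prints, e.g. 'GIF image data, version 89a, 2 x 1'."""
    info = parse_gif(data)
    return f"GIF image data, version {info['version']}, {info['width']} x {info['height']}"


def is_spacer(data: bytes, max_pixels: int = 4) -> bool:
    """Spacer/beacon-sized: a handful of pixels, nothing a human could read.
    The threshold of 4 pixels is an assumption of this example."""
    info = parse_gif(data)
    return info["width"] * info["height"] <= max_pixels


# Constructed 2x1 transparent GIF89a, built here to stand in for the 0-IYC
# sample in the thread (which is not reproduced): header, 2-entry global colour
# table, graphic control extension with the transparency flag, one frame.
SPACER_GIF = (
    b"GIF89a" + struct.pack("<HH", 2, 1) + b"\x80\x00\x00"
    + b"\x00\x00\x00\xff\xff\xff"
    + b"\x21\xf9\x04\x01\x00\x00\x00\x00"
    + b"\x2c" + struct.pack("<HHHH", 0, 0, 2, 1) + b"\x00"
    + b"\x02\x02\x44\x01\x00"
    + b"\x3b"
)

# Constructed header of a 200x150 GIF87a with no frames, for contrast.
LARGE_GIF_HEADER = b"GIF87a" + struct.pack("<HH", 200, 150) + b"\x00\x00\x00" + b"\x3b"
```

Run over the images fetched from the store URLs in the list, `describe()` reproduces the `file` output and `is_spacer()` separates the layout gifs from anything worth a human look; note that it only says "too small to be spam", not "harmless", so a hit that is *not* spacer-sized still needs the manual check the thread describes.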
Re: [Clamav-users] Virus Encrypted.Zip
On 2007-03-05 11:21, Weber, Dominik wrote:
> Hello List,
>
> i'm using amavis, spamassassin & clamav.
> It works fine, but it should not block encrypted archives.
> Where can i stop this function ?

By reading the manual and editing the clamd.conf file and setting (actually the default!):

    ArchiveBlockEncrypted no

If it is clamav that is blocking the message, of course.
Re: AW: [Clamav-users] Virus Encrypted.Zip
On 2007-03-05 13:09, Weber, Dominik wrote:
> Sorry but i don't top-posted.
> I've replied to the last message from Trog.

Top-posting != thread hijacking

http://en.wikipedia.org/wiki/Top-post
Re: AW: [Clamav-users] Virus Encrypted.Zip
On 2007-03-05 12:51, Weber, Dominik wrote:
> ArchiveBlockEncrypted
> Mark encrypted archives as viruses (Encrypted.Zip,Encrypted.RAR).
> Default: disabled
>
> This option is not set in my clamd.conf
> But these are the exact messages in the Report: Encrypted.Zip and Encrypted.RAR.
> "ArchiveBlockEncrypted no" is the wrong syntax.
>
>     Starting ClamAV daemon: ERROR: Parse error at line 23: Option ArchiveBlockEncrypted doesn't support arguments (got 'no').

I guess that you found the above error in the clamd.log file? Or do you get the error when running "clamscan"?

Are you 100% sure there is no old clamscan or clamd process laying around? Make sure you're scanning with the same executable as the one you're getting the version info from.

On the other hand, in my config file the "ArchiveBlockEncrypted" parameter is commented out, because it *is* disabled by default.
Re: AW: AW: [Clamav-users] Virus Encrypted.Zip
On 2007-03-05 14:51, Weber, Dominik wrote:
> On 2007-03-05 12:51, Weber, Dominik wrote:

well actually, I wrote that. Seems my thunderbird got messed up, and the message compose scrambled the from-to-and-maybe-some-other headers. Very strange. Anyone seen the problem?

I removed the msf file (usual remedy for a lot of weird problems), and I'm me again now (unless the headers of the mail indicate otherwise).

Sorry.
Re: [Clamav-users] Viruses caught
On 2007-03-05 20:07, Dennis Peterson wrote:
> Paul Bijnens wrote:
>
>> Be careful about using clamav with the MSRBL image-spams database!!
>>
>> It seems to me like detecting the image spams with clamav signatures
>> is not really an improvement. In fact, it is probably dangerous!
>>
>> The programs generating these spams make unique images with
>> variations with speckles, lines, color, size, etc. making the image
>> signature unique for each mail sent. I still have to catch the
>> first real spam using the MSRBL-Image clamav signatures.
>> I did catch some false positives on the other hand...
>
> How did you determine they were false positives? Their website does not
> provide a context so you can't know if what you are seeing is a web
> beacon image or a spacer.

Yes it is a spacer, and not a beacon image.

I downloaded and investigated the image.

E.g. you flagged 36 times the "MSRBL-Images/0-IYC" spam image. You can download the offending image from:

  http://store.msrbl.com/0-IYC

and then you can see it is a:

  0-IYC: GIF image data, version 89a, 2 x 1

I even opened it in gimp, and verified there is no useful information in these 2 pixels, having a transparent color (or what is the term?). I even went as far as hexdumping the file, and verifying it does not contain any spurious information. I couldn't find anything (but I'm not the expert in GIFs -- anybody may correct me). If you can find anything harmful/spammy in it, then please educate me.

> I determine false positives very simply - If neither the sender nor the
> intended recipient communicate with me that a message was
> blocked, it is spam. I've never been contacted because of a message
> blocked using Sanesecurity or MSRBL lists.

Well, my users did contact me on several occasions and asked me to investigate it.

It could become a different thing if the mail was composed of many such tiny images, each carefully positioned, so that the total result would be a spam message. How long before the spammers implement that method? But still, in the above case the 2 transparent pixels should not be triggering such an event. The presence of this particular gif in a mail should not flag it as spam, just as the presence of the letters a,g,i,r,v should not flag a text message as spam.

I leave it up to you to verify the rest of the false positives (in my opinion, they are).

>> I removed the msrbl-image database from my system, reducing the
>> number of signatures clamav has to watch to 1/3rd.
>> And no more false positives either as benefit.
>
> We're having very different experiences.

Indeed.

-- 
Paul Bijnens, xplanation Technology Services
Re: [Clamav-users] Viruses caught
On 2007-03-07 02:16, Dennis Peterson wrote:
> Paul Bijnens wrote:
>> On 2007-03-05 20:07, Dennis Peterson wrote:
>>> Paul Bijnens wrote:
>>>
>>>> Be careful about using clamav with the MSRBL image-spams database!!
>>>>
>>>> It seems to me like detecting the image spams with clamav signatures
>>>> is not really an improvement. In fact, it is probably dangerous!
>>>>
>>>> The programs generating these spams make unique images with
>>>> variations with speckles, lines, color, size, etc. making the image
>>>> signature unique for each mail sent. I still have to catch the
>>>> first real spam using the MSRBL-Image clamav signatures.
>>>> I did catch some false positives on the other hand...
>>> How did you determine they were false positives? Their website does not
>>> provide a context so you can't know if what you are seeing is a web
>>> beacon image or a spacer.
>>
>> Yes it is a spacer, and not a beacon image.
>>
>> I downloaded and investigated the image.
>>
>> E.g. you flagged 36 times the "MSRBL-Images/0-IYC" spam image.
>
> And you still don't know the context. If MSRBL pulled down 3000
> messages, all spam, and they all contained this image which looks for
> all the world like a web beacon to me, then that is a spam indicator.
> Just like certain word couplings are indicators of spam, so too are
> images. The image itself needn't be the spam as in image spam. It needs
> only to be a valid and repeatable indicator. I consider web beacons and
> the messages that contain them to be spam.

OK, so I just sent the decision to the msrbl mailing list, and got this answer:

>> Is this another false positive, or is this a beacon image used by
>> spammers?
>>
>> MSRBL-Images/0-IYC
>
> Hi,
> Thanks for the report, but this was removed from the signature file about 5
> days ago.

So this classifies those "small" images 1x1, 1x2 etc. as false positives by the maintainers themselves.

Leaving these out (yes, all those "too small" images were removed from the signature files now), do you still have some hit on some image, and if yes, which one?

In all the months I had msrbl-Images added to the list of clamav signatures, I did not encounter one single real spam, only 6 false positives. But I'm not running a high traffic mail server. I'm interested in results catching real spam on some more substantial servers.

All the hits you got in the list you gave classify as false positives in my opinion.

-- 
Paul Bijnens, xplanation Technology Services
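Both "Viruses caught" messages above rest on the same manual triage of the 0-IYC signature: run file(1) on the image, see "GIF image data, version 89a, 2 x 1", open it and hexdump it to confirm it is a transparent spacer, and note that the MSRBL maintainers later dropped all such "too small" images. The following is an added example, not code from the thread, from MSRBL or from ClamAV: a Python walker over the GIF block structure (header, colour tables, extensions, image descriptors) that reproduces the file(1) summary, reports whether a transparent colour is declared, and applies a "too small to be content" rule. The sample GIFs are constructed inline to match the reported 2 x 1 shape; they are not the 0-IYC bytes. The 4-pixel threshold in is_spacer is an assumption for illustration, not a value from the thread.

```python
"""Triage a tiny GIF the way the thread does by hand with file(1) and a hexdump.

Added example, not MSRBL's or ClamAV's code: it walks the GIF block structure
(header, colour tables, extensions, image descriptors) without decoding pixel
data, reports version and dimensions, notes a declared transparent colour, and
applies the 'too small to be content' rule the maintainers adopted when they
dropped such signatures.  The sample bytes are constructed here to mirror the
reported '2 x 1' spacer; they are not the 0-IYC file itself.
"""
import struct


def _skip_subblocks(data: bytes, pos: int) -> int:
    """Advance past a chain of length-prefixed sub-blocks ending in a 0 byte."""
    while True:
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n


def parse_gif(data: bytes) -> dict:
    """Return version, dimensions, transparency flag and frame count."""
    if data[:3] != b"GIF" or data[3:6] not in (b"87a", b"89a"):
        raise ValueError("not a GIF87a/89a stream")
    width, height, packed, _bg, _aspect = struct.unpack_from("<HHBBB", data, 6)
    pos = 13
    if packed & 0x80:                       # global colour table: 2^(N+1) RGB entries
        pos += 3 * (2 << (packed & 0x07))
    info = {"version": data[3:6].decode(), "width": width, "height": height,
            "transparent": False, "frames": 0}
    while pos < len(data):
        block = data[pos]
        if block == 0x3B:                   # trailer
            break
        if block == 0x21:                   # extension introducer + label
            label = data[pos + 1]
            pos += 2
            if label == 0xF9 and data[pos + 1] & 0x01:   # graphic control: transparency bit
                info["transparent"] = True
            pos = _skip_subblocks(data, pos)
        elif block == 0x2C:                 # image descriptor
            _, _, _w, _h, ipacked = struct.unpack_from("<HHHHB", data, pos + 1)
            pos += 10
            if ipacked & 0x80:              # local colour table
                pos += 3 * (2 << (ipacked & 0x07))
            pos += 1                        # LZW minimum code size
            pos = _skip_subblocks(data, pos)
            info["frames"] += 1
        else:
            raise ValueError(f"unknown block 0x{block:02x} at offset {pos}")
    return info


def describe(data: bytes) -> str:
    """file(1)-style summary, e.g. 'GIF image data, version 89a, 2 x 1'."""
    info = parse_gif(data)
    text = f"GIF image data, version {info['version']}, {info['width']} x {info['height']}"
    return text + (", transparent" if info["transparent"] else "")


def is_spacer(info: dict, max_pixels: int = 4) -> bool:
    """A handful of (often transparent) pixels cannot be the spam image itself.
    Whether it is a tracking beacon is not decidable from the bytes, which is
    the crux of the disagreement above; either way it makes a poor signature.
    The 4-pixel threshold is an assumption for this example."""
    return info["width"] * info["height"] <= max_pixels


# Constructed sample: GIF89a, 2x1, 2-colour palette, colour 0 declared transparent.
SPACER_2X1 = (
    b"GIF89a"
    + struct.pack("<HHBBB", 2, 1, 0x80, 0, 0)      # logical screen 2x1, global table present
    + b"\x00\x00\x00\xff\xff\xff"                   # palette: black, white
    + b"\x21\xf9\x04\x01\x00\x00\x00\x00"           # GCE: transparent flag, index 0
    + b"\x2c" + struct.pack("<HHHHB", 0, 0, 2, 1, 0)  # image descriptor
    + b"\x02\x02\x04\x0a\x00"                        # LZW: min code 2; clear, 0, 0, EOI
    + b"\x3b"                                        # trailer
)

# Constructed sample: GIF87a, 1x1, no extensions at all.
PIXEL_1X1_87A = (
    b"GIF87a"
    + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)
    + b"\x00\x00\x00\xff\xff\xff"
    + b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)
    + b"\x02\x02\x44\x01\x00"                        # LZW: clear, 0, EOI
    + b"\x3b"
)

if __name__ == "__main__":
    for name, blob in (("spacer", SPACER_2X1), ("pixel", PIXEL_1X1_87A)):
        print(f"{name}: {describe(blob)}; spacer={is_spacer(parse_gif(blob))}")
```

Walking the block structure, rather than trusting the logical screen size alone, is what catches the failure mode the thread worries about: a spam built from many carefully positioned tiny frames would show up here as a large frame count or as image descriptors whose offsets spread across a screen far bigger than the frames themselves, which is a very different object from a single 2 x 1 frame.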