Re: [clamav-users] Error build clamav 0.98
* Константин Белозеров :
> Hello.
>
> Error when building from source anti-virus in the operating system
> GNU/Linux Debian 7.1 Performed make check VG=1. But to no avail.

But which error are you getting?

--
Ralf Hildebrandt
Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.de
Campus Benjamin Franklin
http://www.charite.de
Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk
fon: +49-30-450.570.155
___
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/support/ml
Re: [clamav-users] Error build clamav 0.98
* Константин Белозеров :
> Errors are listed in log file.

Would you mind pasting them here?
Re: [clamav-users] Error build clamav 0.98
* Константин Белозеров :
> ***
> *** clamd did not detect all testfiles correctly!
> ***
>
> SKIP: check5_clamd_vg.sh (exit: 77)
> ===
>
> *** valgrind not found, skipping test

That's no error, it's merely skipping the test since you don't have
valgrind installed
Re: [clamav-users] An FP?
* Gene Heskett :
> Greetings;
>
> The daily system scan is fussing about
> /home/gene/src/linux-3.8.2/Documentation/usb/gadget_multi.txt: MBL_400944.UNOFFICIAL FOUND
> /home/gene/src/linux-3.12.6/Documentation/usb/gadget_multi.txt: MBL_400944.UNOFFICIAL FOUND
> /home/gene/src/linux-3.8.3/Documentation/usb/gadget_multi.txt: MBL_400944.UNOFFICIAL FOUND
> /home/gene/src/linux-3.12.9/Documentation/usb/gadget_multi.txt: MBL_400944.UNOFFICIAL FOUND
> /home/gene/src/linux-3.4.36/Documentation/usb/gadget_multi.txt: MBL_400944.UNOFFICIAL FOUND
> /home/gene/src/linux-3.0.69/Documentation/usb/gadget_multi.txt: MBL_400944.UNOFFICIAL FOUND
> /home/gene/src/linux-3.2.40/Documentation/usb/gadget_multi.txt: MBL_400944.UNOFFICIAL FOUND
>
> But https://virustotal.com thinks otherwise.

It's an UNOFFICIAL pattern, not a core clamav pattern
Re: [clamav-users] An FP?
* Gene Heskett :
> > It's an UNOFFICIAL pattern, not a core clamav pattern
>
> Still, is it not un-needed noise?

It's obviously a FP, but calling it un-needed noise is a bit off. If the
pattern were correct and would find a real virus, is it not un-needed
noise?
Re: [clamav-users] Bad detection rate
* Dennis Peterson :
> The OP brought up several points, none of which were addressed.
>
> 1. Nevertheless, the detection rate of viruses, trojans, etc. is not
> very good. Almost every time I submit a sample file on virustotal.com
> ClamAV can not detect the virus or malware.
>
> 2. Up to now, I never got a notification, although "Notify me" was checked.

Indeed. I also submitted quite a lot of malware and never got a
notification (in years!)

> 3. Why shall we not post more than two sample files per day ?

I also wondered about that.
Re: [clamav-users] Problem with mirrors overnight?
* Matthias Hank :
> Hi,
>
> On Thu, Mar 17, 2016 at 12:49:11PM +, Joel Esler (jesler) wrote:
> > It's possible they are overloaded. We released a new main.cvd and daily
> > late last night.
>
> But why are always the same 3 of 13 German mirrors probed from freshclam?
> All of them are failing since last night on all of our servers.
>
> Probed are:
> 178.63.73.246
> 84.39.110.99
> 88.198.17.100

http://lutz.donnerhacke.de/Blog/ClamAV-aktualisiert-sich-nicht-mehr
Re: [clamav-users] ClamAV® blog: CRDF Joins the ClamAV Signature Partner Program!
* Joel Esler (jesler) :
>
>
> http://blog.clamav.net/2016/07/crdf-joins-clamav-signature-partner.html

Are these signatures already active?
Re: [clamav-users] One final clamd Frage
* Brad Scalio :
> When a clamscan is run from cmdline or via cron is the virus signature
> database checked before scanning commences

It is loaded, thus the long startup time.

> in a fashion that if we aren't using clamdscan then is there a need for
> clamd to run,

No. clamdscan together with clamd eliminated the long startup time.

> does it provide any added features or functionality not already present
> with freshclam + clamscan running on-demand from cronjobs?
Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2
* Hajo Locke :
> Hello,
>
> unfortunately we have some problems with FP Pdf.Exploit.CVE_2016_1091-2
> Customer was testing at virustotal and only clamav is finding a virus.
> Unfortunately I can not do a FP-Report. All PDFs are property of customers
> and not public.

I already did a FP report. It happened with PDFs from "Springer Medical".
Had to disable that signature.

> I hope there are some additional FP-Reports from other people regarding this
> virus to review this signature.

Yep.
Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2
* Al Varnell :
> Has anybody submitted a PDF yet?

Of course.
Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2
* Al Varnell :
>
> On Wed, Nov 30, 2016 at 02:33 AM, Ralf Hildebrandt wrote:
> >
> > * Al Varnell :
> >> Has anybody submitted a PDF yet?
> >
> > Of course.
>
> Hash?

8d62c398679ab6c7b85749eacf7a9a80
Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2
* Ralf Hildebrandt :
> * Al Varnell :
> >
> > On Wed, Nov 30, 2016 at 02:33 AM, Ralf Hildebrandt wrote:
> > >
> > > * Al Varnell :
> > >> Has anybody submitted a PDF yet?
> > >
> > > Of course.
> >
> > Hash?
>
> 8d62c398679ab6c7b85749eacf7a9a80

generated by md5sum
Re: [clamav-users] Porting LibClamAV for Android
* Bengt H. :
> Unsubscribe please

List-Unsubscribe: <http://lists.clamav.net/cgi-bin/mailman/options/clamav-users>,
Re: [clamav-users] Grizzly Steppe
* Andrew McGrath :
> I'm being asked a question by our security team that I am struggling
> to answer. The question is "Does ClamAV detect Grizzly Steppe?".
>
> I've hunted around the archives, support pages and google, but do not
> see any discussion about this, could anyone comment?

They probably mean the exploit code used in operation Grizzly Steppe
(APT 29, APT 28, Cozybear, Fancybear, Sandworm, Sofacy etc.)

https://www.dhs.gov/news/2016/12/30/executive-summary-grizzly-steppe-findings-homeland-security-assistant-secretary
Re: [clamav-users] Win.Exploit.CVE_2016_3301-6210129-0 detected. Could this be a false positive?
* ANANT S ATHAVALE :
> Hi List,
>
> One of the .pptx files which was attached is getting detected as VIRUS:
> Win.Exploit.CVE_2016_3301-6210129-0. As it is an official document it can't
> be uploaded for submission. How to manually verify?

What do you want to verify?
Re: [Clamav-users] clamd DLP(Data Loss Prevention) w/Postfix
* W S :
> Folks,
>
> I have a simple relayer running Postfix and would like to enable ClamAV's
> portion of DLP.
> Does anyone know what I have to modify within main.cf and master.cf?
> I would like to quarantine emails with SSN and CC numbers (just basic ascii
> digits in Subject or Body)

You'd probably need to use amavisd-new

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | http://www.charite.de
Re: [clamav-users] Fwd: Re: AV timeout?
* Török Edwin :
> On 2011-06-29 17:01, Michael Scheidell wrote:
> >
> >
> > On 6/29/11 9:24 AM, Michael Scheidell wrote:
> >> Ok, so not just me.
> >>
> >> I am going to ask Ralf Hildebrandt what version of os he is using.
> >> maybe we can track this down.
> >>
> > so, its not just on amd64, freebsd 7.3.
> > he answered this:
> >
> >> freebsd? amd64? what version of Freebsd?
> >
> > Debian Linux Testing, i386!
> >
> > Can you ask him to attach gdb to it?
> Or to run gcore ?

I'll do it once it happens :)
[clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP
Hi!

I'm trying to disable this signature, since it's giving me FPs for some
XLS files (yes, I already submitted it as FP today):

mail2:/var/lib/clamav# sigtool --find-sigs=BC.Exploit.CVE_2011_3412
[0001114551.cbc BYTECODE] BC.Exploit.CVE_2011_3412.{CVE_2011_3412};Engine:56-255,Target:0;(0&1);0:d0cf11e0a1b11ae1;*:1c000404

mail2:/var/lib/clamav# cat local.ign2
BC.Exploit.CVE_2011_3412.{CVE_2011_3412}
BC.Exploit.CVE_2011_3412
CVE_2011_3412

(I tried 3 different ways of disabling the signature)

I restarted clamd, but still the mails are stopped as infected:

Tue Feb 7 13:33:09 2012 -> /var/amavis/amavis-20120207T133055-06780-qWTSSGIn/parts/p004: BC.Exploit.CVE_2011_3412(6988ecb2df20c8d0a4f43ccdc4008136:1782277) FOUND
Tue Feb 7 13:33:09 2012 -> /var/amavis/amavis-20120207T133055-06780-qWTSSGIn/parts/p002: BC.Exploit.CVE_2011_3412(39fd7b52d5cde9f8599267f1eb0c5aab:1317888) FOUND

What am I doing wrong here? Running clamav 0.97.3
Re: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP
* Alain Zidouemba :
> Ralf,
>
> We got your FP reports and will address them today.

Thanks :)

But the original question remains in case I need to whitelist a signature.
Re: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP
* Bill Maidment :
> > What am I doing wrong here? Running clamav 0.97.3
>
> It's the same story here. We've had to switch off all bytecode rules in
> the conf file. Not ideal.

Sounds like one cannot whitelist a bytecode signature?
Re: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP
* Lyle Giese :
> The format of local.ign is not very intuitive, IMHO.

It's local.ign2 according to the docs.

"Creating signatures for ClamAV"
http://www.clamav.net/doc/latest/signatures.pdf

3.8 Whitelist databases

To whitelist a specific signature from the database you just add its
name into a local file called --> local.ign2 <-- stored inside the
database directory. You can additionally follow the signature name with
the MD5 of the entire database entry for this signature, eg:

Eicar-Test-Signature:bc356bae4c42f19a3de16e333ba3569c

In such a case, the signature will no longer be whitelisted when its
entry in the database gets modified (eg. the signature gets updated to
avoid false alerts).

> INetMsg-SpamDomains-2m.:62019:INetMsg.SpamDomain-2w.onlinehome-server.com
>
> The first entry is the name of the file the definition is in (minus
> the file extension). The second is the line number that the
> definition is on. And the third is the name of the definition.
> These fields are separated by ':' as you can see.

Have you tried that for a bytecode signature?

sigtool --find-sigs=BC.Exploit.CVE_2011_3412

doesn't emit a line number. Fields are not separated with : but with ;
Re: [clamav-users] Unit Testing
* Jan-Pieter Cornet :
> I haven't got any experience with IRIX, but I do wonder: why are you
> using tits for testing purposes? That seems inappropriate.

No, he's using un-tits. Everything but tits. E.g. a canary would be an
un-tit. Like an undead is anything but dead.

PS ;-)
Re: [clamav-users] Cannot disable BC.Exploit.CVE_2011_3412 FP
* Tomasz Kojm :
> On Wed, 8 Feb 2012 11:02:54 +1100 Bill Maidment wrote:
>
> > I have manually patched 0.97.3, re-compiled, re-installed and restarted
> > clamd, but the ign2 file is still being ignored.
> >
> > [root@stiles clamav]# cat /usr/local/share/clamav/local.ign2
> > BC.Exploit.CVE_2011_3412
>
> The entry is not complete. The correct one is:
>
> BC.Exploit.CVE_2011_3412.{CVE_2011_3412}

After applying your fix, correct?
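Added example, not ClamAV's own code and not from this thread: a small checker that reads `sigtool --find-sigs` output and a local.ign2 file in the documented "Name" / "Name:md5" form (section 3.8 quoted above) and reports which ign2 lines actually hit a database entry. It shows why the short name BC.Exploit.CVE_2011_3412 matches nothing while the full entry name does, and how an MD5-pinned line stops applying once the entry changes. Assumptions: the MD5 is taken over the entry text exactly as sigtool prints it, without a trailing newline, and the second sample signature is constructed.

```python
import hashlib
import re

# Constructed sample of `sigtool --find-sigs` output. The first line is the
# bytecode entry quoted in this thread; the second is a made-up entry so the
# sample holds more than one signature.
SIGTOOL_OUTPUT = """\
[0001114551.cbc BYTECODE] BC.Exploit.CVE_2011_3412.{CVE_2011_3412};Engine:56-255,Target:0;(0&1);0:d0cf11e0a1b11ae1;*:1c000404
[daily.ldb LDB] Example.Constructed.Sig-1;Engine:51-255,Target:0;0;deadbeef
"""

# "[<dbfile> <type>] <entry>" as printed by sigtool --find-sigs
FIND_SIGS_RE = re.compile(r"^\[(?P<db>\S+) (?P<kind>\S+)\] (?P<entry>.+)$")


def parse_find_sigs(text):
    """Map signature name -> (database file, full entry) from sigtool output."""
    sigs = {}
    for line in text.splitlines():
        m = FIND_SIGS_RE.match(line.strip())
        if m is None:
            continue
        entry = m.group("entry")
        # Fields of a database entry are ';'-separated; the name is the first one.
        name = entry.split(";", 1)[0]
        sigs[name] = (m.group("db"), entry)
    return sigs


def parse_ign2(text):
    """Map name -> md5 (or None) from local.ign2 lines written as
    'Name' or 'Name:md5', the form described in 'Whitelist databases'."""
    ignored = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, md5 = line.partition(":")
        ignored[name] = md5.strip().lower() or None
    return ignored


def entry_md5(entry):
    """MD5 of a database entry. Assumption: hashed as printed, no newline."""
    return hashlib.md5(entry.encode("utf-8")).hexdigest()


def is_whitelisted(sig_name, sigs, ignored):
    """True if the database entry named sig_name is disabled by local.ign2.

    A line without an MD5 disables the entry unconditionally; a line with an
    MD5 only disables it while the entry is unchanged.
    """
    if sig_name not in ignored or sig_name not in sigs:
        return False
    wanted_md5 = ignored[sig_name]
    if wanted_md5 is None:
        return True
    return entry_md5(sigs[sig_name][1]) == wanted_md5


def report_ign2(ign2_text, sigtool_text):
    """Return {name: status} for every ign2 line: 'active', 'stale' (the MD5
    no longer matches the entry) or 'no such entry' (the line does nothing)."""
    sigs = parse_find_sigs(sigtool_text)
    ignored = parse_ign2(ign2_text)
    report = {}
    for name in ignored:
        if name not in sigs:
            report[name] = "no such entry"
        elif is_whitelisted(name, sigs, ignored):
            report[name] = "active"
        else:
            report[name] = "stale"
    return report


if __name__ == "__main__":
    # The three lines tried in the opening post of this thread.
    ign2 = ("BC.Exploit.CVE_2011_3412.{CVE_2011_3412}\n"
            "BC.Exploit.CVE_2011_3412\n"
            "CVE_2011_3412\n")
    for name, status in report_ign2(ign2, SIGTOOL_OUTPUT).items():
        print(f"{status:14} {name}")
```

Run it against the real `sigtool --find-sigs` output and your own local.ign2 to spot lines that silently match no entry.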
[clamav-users] False positive submission page down (for a few days now)?
Is there an alternative way of submitting FP's?
Re: [clamav-users] False positive submission page down (for a few days now)?
* Török Edwin :
> On 04/19/2012 02:59 PM, Ralf Hildebrandt wrote:
> > Is there an alternative way of submitting FP's?
> >
>
> Are you using this page?
> http://www.clamav.net/lang/en/sendvirus/submit-fp/

Yep.
Re: [clamav-users] False positive submission page down (for a few days now)?
> I just tested and it worked fine for me.
>
> What's exactly the problem on your side?

I keep getting:

Under maintenance. Try again later.
Re: [clamav-users] False positive submission page down (for a few days now)?
* Török Edwin :
> On 04/19/2012 04:10 PM, Ralf Hildebrandt wrote:
> >
> >> I just tested and it worked fine for me.
> >>
> >> What's exactly the problem on your side?
> >
> > I keep getting:
> >
> > Under maintenance. Try again later.
> >
>
> How big is the file that you're trying to upload?

I'm not getting a form, all I get is "Under maintenance. Try again
later." - must be a caching issue somewhere
Re: [clamav-users] False positive submission page down (for a few days now)?
> > How big is the file that you're trying to upload?
>
> I'm not getting a form, all I get is "Under maintenance. Try again
> later." - must be a caching issue somewhere

Varnish (reverse proxy) is giving me this:

$ telnet proxy.charite.de 8080
Trying 141.42.1.205...
Connected to proxy.charite.de.
Escape character is '^]'.
GET http://cgi.clamav.net/sendfp.cgi HTTP/1.0

HTTP/1.0 503 Service Unavailable
Server: Varnish
Content-Type: text/html; charset=utf-8
Retry-After: 5
Content-Length: 284
Accept-Ranges: bytes
Date: Thu, 19 Apr 2012 13:20:02 GMT
X-Varnish: 216808379
Age: 0
X-Cache: MISS from proxy-cvk-1
Via: 1.1 varnish, 1.0 proxy-cvk-1 (squid/3.1.19-20120412-r10444)
Connection: close

Maintenance
Under maintenance. Try again later.
Connection closed by foreign host.
Re: [clamav-users] False positive submission page down (for a few days now)?
> GET http://cgi.clamav.net/sendfp.cgi HTTP/1.0
>
> HTTP/1.0 503 Service Unavailable
> Server: Varnish
> Content-Type: text/html; charset=utf-8
> Retry-After: 5
> Content-Length: 284
> Accept-Ranges: bytes
> Date: Thu, 19 Apr 2012 13:20:02 GMT
> X-Varnish: 216808379
> Age: 0
> X-Cache: MISS from proxy-cvk-1
> Via: 1.1 varnish, 1.0 proxy-cvk-1 (squid/3.1.19-20120412-r10444)
> Connection: close

This happens if I access the site via a proxy. From the proxy machine
itself, I'm getting this:

GET http://cgi.clamav.net/sendfp.cgi HTTP/1.0

HTTP/1.1 200 OK
Server: Apache/2.2.9 (Debian) mod_ssl/2.2.9 OpenSSL/0.9.8g
Vary: Accept-Encoding
Content-Type: text/html; charset=ISO-8859-1
X-Cacheable: VarnishResNoCacheHost
Content-Length: 2495
Accept-Ranges: bytes
Date: Thu, 19 Apr 2012 13:23:34 GMT
X-Varnish: 216809483
Age: 0
Via: 1.1 varnish
Connection: close

... remainder of page sent correctly ...

The FP submission page used to work for us up till now. Hm.
Re: [clamav-users] False positive submission page down (for a few days now)?
* Török Edwin :
> Can you try flushing your varnish cache, and trying again?

It's your varnish cache :) (we don't have any here)

I already restarted my squid servers, no change. It's very odd.
Re: [clamav-users] False positive submission page down (for a few days now)?
* Ralf Hildebrandt :
> * Török Edwin :
> > Can you try flushing your varnish cache, and trying again?
>
> It's your varnish cache :) (we don't have any here)
>
> I already restarted my squid servers, no change. It's very odd.

Now I emptied my cache partitions as well: Still the same.
Re: [clamav-users] False positive submission page down (for a few days now)?
> Does it work if you append a random GET parameter to the URL (like
> ?unused=test).

Nope, still the same. Maybe somebody configured varnish to give my IP
address range (193.175.73.20x) a 503: Service Unavailable?

$ wget -nd -S "http://cgi.clamav.net/sendfp.cgi?unused=test"
--2012-04-19 15:50:26--  http://cgi.clamav.net/sendfp.cgi?unused=test
Resolving proxy.charite.de (proxy.charite.de)... 141.42.1.205
Connecting to proxy.charite.de (proxy.charite.de)|141.42.1.205|:8080... connected.
Proxy request sent, awaiting response...
  HTTP/1.0 503 Service Unavailable
  Server: Varnish
  Content-Type: text/html; charset=utf-8
  Retry-After: 5
  Content-Length: 284
  Accept-Ranges: bytes
  Date: Thu, 19 Apr 2012 13:50:26 GMT
  X-Varnish: 216817722
  Age: 0
  Via: 1.1 varnish
  X-Cache: MISS from proxy-cvk-1
  Connection: keep-alive
2012-04-19 15:50:27 ERROR 503: Service Unavailable.
Re: [clamav-users] False positive submission page down (for a few days now)?
* Luca Gibelli :
> Hello Ralf,
>
> > $ telnet proxy.charite.de 8080
> > Trying 141.42.1.205...
> > Connected to proxy.charite.de.
> > Escape character is '^]'.
> > GET http://cgi.clamav.net/sendfp.cgi HTTP/1.0
>
> we use name based virtual hosting, you must switch to HTTP/1.1 and
> send a Host: header as well
>
> See http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html and
> http://www8.org/w8-papers/5c-protocols/key/key.html
>
> Most likely your proxy is issuing a HTTP/1.0 request upstream?

It's still not working and unfortunately your admin is not willing to
check the logs to see what's being logged for my source IP.
Re: [clamav-users] False positive submission page down
* G.W. Haywood :
> Mr. Hildebrandt, you are being unreasonable.
>
> The problem has been clearly explained to you, and it is your problem
> to solve. You must not expect people who are managing a Web resource
> which may have many thousands of clients to solve problems for every
> individual client. It "does not scale". It cannot be done.
>
> You need to access the Website using HTTP/1.1 not the old HTTP/1.0.

I did that.

> You need to ensure that the client requesting the resources tells the
> host which virtual host it wishes to contact. That is the purpose of
> the "Host:" header.

It does that. Only from a very limited IP address range I'm getting this
"Maintenance" error message. Thus my reasonable request to check the
server's logs.

> If your client does not send the correct headers, the software which
> receives the requests cannot pass them to the right server instance
> because your client has not told it which one it wants to talk to.

It's not a client issue. It depends on my source IP.
Re: [clamav-users] False positive submission page down (for a few days now)?
* Luca Gibelli :
> Most likely your proxy is issuing a HTTP/1.0 request upstream?

Could you PLEASE check the server's logs? We're definitely sending
HTTP/1.1 requests with all the headers, see below:

output from tcpdump:

GET /sendfp.cgi HTTP/1.1
Host: cgi.clamav.net
Pragma: no-cache
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.19 (KHTML, like Gecko) Ubuntu/12.04 Chromium/18.0.1025.168 Chrome/18.0.1025.168 Safari/535.19
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: de,en;q=0.8,en-US;q=0.6
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=165234925.7124351.1326790435.1336028009.1336053668.11; __utmz=165234925.1326790435.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
Via: 1.1 proxy-cbf-1 (squid/3.1.19-20120418-r10444)
X-Forwarded-For: unknown
Cache-Control: max-age=0
Connection: keep-alive

answer:

HTTP/1.1 503 Service Unavailable
Server: Varnish
Content-Type: text/html; charset=utf-8
Retry-After: 5
Content-Length: 284
Accept-Ranges: bytes
Date: Fri, 04 May 2012 10:29:21 GMT
X-Varnish: 221993613
Age: 0
Via: 1.1 varnish
Connection: close
[clamav-users] Solved: False positive submission page down (for a few days now)?
> Could you PLEASE check the server's logs?

I solved it. Your server doesn't like the "X-Forwarded-For: unknown" header!

See http://www.squid-cache.org/Doc/config/forwarded_for/

On our squids it was set to:

forwarded_for off

which results in "X-Forwarded-For: unknown" and a subsequent error page
from varnish. Setting it to "delete", "on" or "truncate" makes the page
http://cgi.clamav.net/sendfp.cgi work again. Only "off" causes the page
to fail.
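As an added illustration (not part of this thread and not squid's or varnish's code), the five forwarded_for modes from the squid documentation linked above modelled as a function, next to the header check that explains why only "off" produced a rejected request. The acceptance rule is an assumption modelled on what the thread observed (a non-address entry is refused), the "on"/"off" chain-appending is my reading of the squid docs, and the addresses are constructed RFC 5737 documentation addresses.

```python
import ipaddress

# Constructed addresses (RFC 5737 documentation ranges), not the ones in the thread.
CLIENT_IP = "192.0.2.10"
EXISTING_CHAIN = "198.51.100.7"   # X-Forwarded-For already present on the incoming request


def apply_forwarded_for(mode, client_ip, existing=None):
    """Model squid's forwarded_for directive.

    Returns the X-Forwarded-For value squid would send upstream, or None when
    the header is removed. 'existing' is the value received from the client.
    Assumption: for "on" and "off" squid appends to an existing chain.
    """
    if mode == "on":            # append the real client address
        return f"{existing}, {client_ip}" if existing else client_ip
    if mode == "off":           # append the literal word "unknown" instead
        return f"{existing}, unknown" if existing else "unknown"
    if mode == "transparent":   # pass whatever the client sent, add nothing
        return existing
    if mode == "delete":        # strip the header entirely
        return None
    if mode == "truncate":      # drop all earlier entries, keep only the client
        return client_ip
    raise ValueError(f"unknown forwarded_for mode: {mode!r}")


def invalid_xff_entries(value):
    """Entries of an X-Forwarded-For value that do not parse as IP addresses."""
    bad = []
    for item in value.split(","):
        item = item.strip()
        try:
            ipaddress.ip_address(item)
        except ValueError:
            bad.append(item)
    return bad


def upstream_accepts(value):
    """Acceptance rule assumed from the thread: no header at all, or a header
    whose entries are all IP addresses. Not based on varnish internals."""
    return value is None or not invalid_xff_entries(value)


def compare_modes(client_ip=CLIENT_IP, existing=EXISTING_CHAIN):
    """Return {mode: (header value sent upstream, accepted?)} for every setting."""
    result = {}
    for mode in ("on", "off", "transparent", "delete", "truncate"):
        value = apply_forwarded_for(mode, client_ip, existing)
        result[mode] = (value, upstream_accepts(value))
    return result


if __name__ == "__main__":
    for mode, (value, ok) in compare_modes().items():
        shown = "(header removed)" if value is None else value
        print(f"forwarded_for {mode:<11} -> X-Forwarded-For: {shown:<30} {'OK' if ok else 'REJECTED'}")
```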
Re: [clamav-users] Major new false positive? BC.Exploit.CVE_2012_0184
* Cedric Knight :
> Hi
>
> I'm seeing BC.Exploit.CVE_2012_0184 hit a wide variety of attachments as
> of 14:40 UTC this afternoon. Will submit a sample the usual way, but
> wanted to warn that it just seems to be quite extensive. (also
> possibly BC.Exploit.CVE_2012_0165).
>
> Anyone else seeing this?

Yes, I'm also seeing a lot of FP's for BC.Exploit.CVE_2012_0184
Re: [clamav-users] Major new false positive? BC.Exploit.CVE_2012_0184
* Joel Esler :
> Please run Freshclam. This has already been cleared up.

Thanks for the heads up. Time to release stuff from the quarantine.

-- 
Ralf Hildebrandt
Re: [Clamav-users] Zip module failure ERROR
* Don Drake <[EMAIL PROTECTED]>:
> I would, but I'm getting the following error in Bugzilla:
>
> You are not authorized to access bug #396.

I wonder why that is -- it's a stupid idea IMHO.

-- 
Ralf Hildebrandt
Re: [Clamav-users] OT: Sanesecurity Sigs: Important News
* Noel Jones <[EMAIL PROTECTED]>:
> The "Example 1" UpdateSaneSecurity.sh appears to use "clamscan -d" to
> test for a valid database before installing them in the live
> directory. Didn't check the others...

Unfortunately I had to rewrite that script until it worked :(

The download URLs for the mirrors are incorrect and for some reason it pukes on the output of Debian's clamd --debug

-- 
Ralf Hildebrandt
Re: [Clamav-users] OT: Sanesecurity Sigs: Important News
* René Berber <[EMAIL PROTECTED]>:
> | Unfortunately I had to rewrite that script until it worked :(
> | The download URLs for the mirrors are incorrect and for some reason it
> | pukes on the output of Debian's clamd --debug
>
> Thanks for both replies.
>
> I'll take that script for a test.

I uploaded my adapted script here:

http://www.arschkrebs.de/postfix/UpdateSaneSecurity.sh

-- 
Ralf Hildebrandt
Re: [Clamav-users] OT: Sanesecurity Sigs: Important News
* Rick Cooper <[EMAIL PROTECTED]>:
> I assume (again) that you meant clamscan --debug causes an issue? What does
> it do exactly that causes an issue?

The output looks like this:

LibClamAV debug: Loading databases from /var/lib/clamav/
LibClamAV debug: Loading databases from /var/lib/clamav//main.inc

(it has a trailing slash)

-- 
Ralf Hildebrandt
Re: [Clamav-users] need help
* Thomas Spuhler <[EMAIL PROTECTED]>:
> I wish Amavis would support clamd.

It does.

> It's in the amavis.conf file but it
> just doesn't use clamd but uses that backup clamscan and this is a
> disaster.

What's in the log? It uses clamd happily here...

-- 
Ralf Hildebrandt
Re: [Clamav-users] need help
* Chuck Swiger <[EMAIL PROTECTED]>:
> Amavisd-new supports clamdscan just fine.

Actually, it uses its own code, which resembles clamdscan.

-- 
Ralf Hildebrandt
Re: [Clamav-users] need help
* Chuck Swiger <[EMAIL PROTECTED]>:
> On Jul 9, 2007, at 12:17 PM, Ralf Hildebrandt wrote:
> >> Amavisd-new supports clamdscan just fine.
> >
> > Actually, it uses its own code, which resembles clamdscan.
>
> You're right-- perhaps I should have said, "it supports accessing
> clamd using the same mechanism that clamdscan uses". :-)

and thus it's subject to the same limitations (e.g. amavisd-new must have the right to access the clamd socket). This is the number one problem of the amavisd-new / clamd combo.

-- 
Ralf Hildebrandt
Re: [Clamav-users] need help
* Dennis Peterson <[EMAIL PROTECTED]>:
> > and thus it's subject to the same limitations (e.g. amavisd-new must
> > have the right to access the clamd socket). This is the number one problem
> > of the amavisd-new / clamd combo.
>
> Why can't you just configure clamd to run as the amavisd user?

Of course you can do that. But you do have to configure something somewhere -- either clamd OR amavisd-new.

-- 
Ralf Hildebrandt
Re: [Clamav-users] outdated version?
* Pavel Urban <[EMAIL PROTECTED]>:
> Hello,
>
> after the last main.cvd update, I'm getting this message in my logs:
>
> Trying again in 5 secs...
> ClamAV update process started at Sat Jul 21 10:57:22 2007
> WARNING: Your ClamAV installation is OUTDATED!
> WARNING: Local version: 0.90.2 Recommended version: 0.91.1
> DON'T PANIC! Read http://www.clamav.net/support/faq
^^ Read it, will you?

-- 
Ralf Hildebrandt
Re: [Clamav-users] Missed Virus
* Jason Bennett <[EMAIL PROTECTED]>:
> Hi everyone,
>
> We're using ClamAV on our mail gateway which is in front of our exchange
> server. It's been running great for a long time and stops thousands of viruses
> per day for us. Lately however our McAfee which is installed on exchange
> itself is picking up this virus:
>
> W32/Zhelatin.gen!eml
>
> It seems our ClamAV is not seeing it. We get a couple hundred of these a day
> and they're all the same virus.
>
> Any ideas?

False positive? By any means, submit it to the team.

-- 
Ralf Hildebrandt
Re: [Clamav-users] Missed Virus
* Ralf Hildebrandt <[EMAIL PROTECTED]>:
> False positive? By any means, submit it to the team.

http://www.clamav.net/sendvirus/
Re: [Clamav-users] WARNING: Suspicious recipient address blocked
* Bas van Rooijen <[EMAIL PROTECTED]>:
> Yes. I'm certain ClamAV is behind it; we're using postfix with ClamAV-milter,
>
> - the message immediately rejected with the same error message,
> - the message is also written to the clamav.log,
> - if you google for the error a short discussion will come up from this
>   list's archive
> - you can check it easily by trying to send a message with a recipient
>   containing | through a clamav server of choice
>
> the error message is exactly 'WARNING: Suspicious recipient address blocked:
> ' followed by the address in question,
> I've tried a number of addresses manually but anything containing | has the
> same problem.

Please do show the logs.

-- 
Ralf Hildebrandt
Re: [Clamav-users] announcing ClamAV 0.94rc1
* G.W. Haywood <[EMAIL PROTECTED]>:
> Hi there,
>
> On Mon, 18 Aug 2008, Luca Gibelli wrote:
>
> > ... release candidate for 0.94.
>
> I started to download it, but when I saw that it was going to be just
> under 20 megabytes I cancelled it.

That's expected.

0.90: 11.575.374
0.91: 13.026.634
0.92: 16.134.725
0.93: 20.247.322

-- 
Ralf Hildebrandt
Re: [Clamav-users] announcing ClamAV 0.94rc1
* Dennis Peterson <[EMAIL PROTECTED]>:
> > My point was that it's ten times as big as it should be
>
> Which begs the question: How big should it be, and why is that size
> better than the one it is?

Size matters not!

-- 
Ralf Hildebrandt
Re: [Clamav-users] DNS server "blocks" database.clamav.net?
* Arancaytar :
> Further investigation showed that the primary DNS server in my settings
> (85.255.112.204) inexplicably resolves database.clamav.net to 127.0.0.1,
> which effectively blocks the domain from being accessed. You can see
> this for yourself by running nslookup database.clamav.net 85.255.112.204:
>
> $ nslookup database.clamav.net 85.255.112.204
> Server: 85.255.112.204
> Address: 85.255.112.204#53

Why don't you ask your ISP?

-- 
Ralf Hildebrandt
Re: [clamav-users] High CPU load during startup/reload of sigs for a long time.
> 1. Does clamd scan memory during startup and/or restart?[1] The
>    problem seems to occur less with less committed memory in the VM.

I'm not authoritative on this, but I doubt it.

> 3. Does ClamAV use more than one CPU core during startup/reload?

Just tried that, I don't see more than 100%, so it's merely using one core.

>    Because if my problem occurs, htop shows a load of more than 100%
>    for the ClamAV process, sometimes up to 500.

Odd.

Dec 28 08:06:12 proxy-cbf-2 clamd[56735]: SelfCheck: Database modification detected. Forcing reload.
Dec 28 08:06:12 proxy-cbf-2 clamd[56735]: Reading databases from /var/lib/clamav ...
Dec 28 08:06:24 proxy-cbf-2 clamd[56735]: Database correctly reloaded (6534998 signatures)

and:

Dec 28 14:07:12 proxy-cbf-2 clamd[56735]: SelfCheck: Database modification detected. Forcing reload.
Dec 28 14:07:12 proxy-cbf-2 clamd[56735]: Reading databases from /var/lib/clamav
Dec 28 14:07:24 proxy-cbf-2 clamd[56735]: Database correctly reloaded (6535004 signatures)

so it takes about 12s on an Intel(R) Xeon(R) CPU E5-2609 v2 @ 2.50GHz on a busy proxy (physical hardware).

> 5. What should be most likely the bottleneck during startup/reload,
>    available time on one CPU core or I/O to read sigs? I don't seem to
>    have any reasonable I/O when the high CPU load occurs.

Maybe it's a memory issue? I've had some machines with low memory which took a long time to reload sigs.

-- 
Ralf Hildebrandt
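A small checker for the reload timing question above, added here as an example that is not from the post or from ClamAV: it pairs clamd's "Reading databases" and "Database correctly reloaded" syslog lines per pid and reports how long each reload took, so slow reloads can be alerted on instead of eyeballed. The sample log embeds the two reloads quoted above plus one constructed slow reload; the year is an assumption, since syslog timestamps carry none.

```python
import re
from datetime import datetime
from typing import Dict, List

# Constructed sample: the two reloads from the post (12 s each) plus one
# constructed 3.5-minute reload so the threshold check has something to flag.
SAMPLE_LOG = """\
Dec 28 08:06:12 proxy-cbf-2 clamd[56735]: SelfCheck: Database modification detected. Forcing reload.
Dec 28 08:06:12 proxy-cbf-2 clamd[56735]: Reading databases from /var/lib/clamav
Dec 28 08:06:24 proxy-cbf-2 clamd[56735]: Database correctly reloaded (6534998 signatures)
Dec 28 14:07:12 proxy-cbf-2 clamd[56735]: SelfCheck: Database modification detected. Forcing reload.
Dec 28 14:07:12 proxy-cbf-2 clamd[56735]: Reading databases from /var/lib/clamav
Dec 28 14:07:24 proxy-cbf-2 clamd[56735]: Database correctly reloaded (6535004 signatures)
Dec 28 20:00:00 proxy-cbf-2 clamd[56735]: Reading databases from /var/lib/clamav
Dec 28 20:03:30 proxy-cbf-2 clamd[56735]: Database correctly reloaded (6535010 signatures)
"""

# classic syslog line: "Mon DD HH:MM:SS host clamd[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) clamd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
START_PREFIX = "Reading databases from "
DONE_RE = re.compile(r"Database correctly reloaded \((?P<sigs>\d+) signatures\)")


def parse_ts(ts: str, year: int) -> datetime:
    # syslog timestamps have no year; the caller supplies one (assumption:
    # the log does not cross a year boundary)
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def reload_durations(lines, year: int = 2017) -> List[Dict]:
    """Pair each 'Reading databases' line with the next 'correctly reloaded'
    line from the same clamd pid; return one record per completed reload."""
    pending: Dict[str, datetime] = {}
    results: List[Dict] = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        when = parse_ts(m.group("ts"), year)
        if msg.startswith(START_PREFIX):
            pending[pid] = when          # a second start without an end overrides
            continue
        done = DONE_RE.search(msg)
        if done and pid in pending:
            started = pending.pop(pid)
            results.append({
                "pid": pid,
                "started": started,
                "seconds": (when - started).total_seconds(),
                "signatures": int(done.group("sigs")),
            })
    return results


def slow_reloads(lines, threshold_s: float = 60.0, year: int = 2017) -> List[Dict]:
    """Reloads that took longer than threshold_s (the threshold is an assumed alert value)."""
    return [r for r in reload_durations(lines, year) if r["seconds"] > threshold_s]


if __name__ == "__main__":
    for r in reload_durations(SAMPLE_LOG.splitlines()):
        print(f"{r['started']} pid {r['pid']}: {r['seconds']:.0f} s, {r['signatures']} signatures")
```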
I used "strace -c -p 2906" and issued a "kill -SIGUSR2 2906" in another window and got these stats for the reload of the signatures:

% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ----------------
 99.67    0.102712         194       529         1 poll
  0.24    0.000248           0      2096           munmap
  0.08    0.000080           0     32141           read
  0.01    0.000010           0      2094           mmap
  0.00    0.000000           0         7           write
  0.00    0.000000           0        37           open
  0.00    0.000000           0        43           close
  0.00    0.000000           0        32           stat
  0.00    0.000000           0        43           fstat
  0.00    0.000000           0       143           lseek
  0.00    0.000000           0         3           mprotect
  0.00    0.000000           0         6           brk
  0.00    0.000000           0         1         1 rt_sigreturn
  0.00    0.000000           0         4         4 ioctl
  0.00    0.000000           0         8         6 access
  0.00    0.000000           0         6           dup
  0.00    0.000000           0       341           recvmsg
  0.00    0.000000           0         1           uname
  0.00    0.000000           0         6           fcntl
  0.00    0.000000           0         6           getdents
  0.00    0.000000           0         2           getcwd
  0.00    0.000000           0       480           futex
  0.00    0.000000           0         1           restart_syscall
------ ----------- ----------- --------- --------- ----------------
100.00    0.103050                 38030        12 total

-- 
Ralf Hildebrandt
Re: [clamav-users] High CPU load during startup/reload of sigs for a long time.
> I used "strace -c -p 2906" and issued a "kill -SIGUSR2 2906" in
> another window and got these stats for the reload of the signatures:

Also did a "ltrace -c -p 2906":

^C% time     seconds  usecs/call     calls      function
------ ----------- ----------- --------- --------------------
 55.85  109.107849      252564       432 pthread_cond_timedwait
  7.34   14.341060       19618       731 poll
  7.27   14.211043        2362      6016 pthread_mutex_lock
  6.30   12.315734    12315734         1 cl_load
  4.69    9.163300        1522      6019 pthread_mutex_unlock
  3.60    7.039098       16034       439 cl_scandesc_callback
  2.94    5.747335     5747335         1 pthread_cond_wait
  1.78    3.480168         660      5268 strncmp
  0.95    1.865339     1865339         1 cl_engine_compile
  0.95    1.854321         791      2344 time
  0.86    1.679799         574      2924 pthread_cond_signal
  0.80    1.564059         508      3075 pthread_once
  0.79    1.551365         503      3080 pthread_getspecific
  0.65    1.260493         478      2634 sigdelset
  0.45    0.877795         609      1441 malloc
  0.43    0.838784         952       881 fcntl
...
------ ----------- ----------- --------- --------------------
100.00  195.366582                 47161 total

-- 
Ralf Hildebrandt
Re: [clamav-users] Anyone notice any issues with clamav 0.99.2 and recent patterns?
* Karl Pielorz :
> This ends up with a lot of wedged mail processes (and we slowly run out of
> fd's as the process table fills up).

Same here on Ubuntu 16.04 with official patterns.

-- 
Ralf Hildebrandt
Re: [clamav-users] URGENT: Clamd is wedged on multiple installations
* Reindl Harald :
> sounds like an issue with the official signatures given that you are not the
> first reporter and that we don't use them and have no problems

Thought so. Must be a recent signature in daily.cvd.

-- 
Ralf Hildebrandt
Re: [clamav-users] URGENT: Clamd is wedged on multiple installations
* Dianne Skoll :
> Hi,
>
> Something went badly wrong with clamd recently; it's stuck with
> hundreds/thousands of open files per process and interrupting mail flow.
>
> When a scanning thread finishes, I see this in the strace output.
> (I ran clamdscan /etc/hosts as a test):
>
> [pid 3707] 02:11:01 sendto(295, "/etc/hosts: OK\n", 15, 0, NULL, 0) = 15
> [pid 3707] 02:11:01 shutdown(295, SHUT_RDWR) = 0
> [pid 3707] 02:11:01 close(295) = 0
> [pid 3707] 02:11:01 futex(0x1933c3c, FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME, 387, {1516950691, 0}, ) = -1 ETIMEDOUT (Connection timed out)
> [pid 3707] 02:11:31 futex(0x1933c10, FUTEX_WAKE_PRIVATE, 1) = 0
> [pid 3707] 02:11:31 madvise(0x7fae6affe000, 8368128, MADV_DONTNEED) = 0
> [pid 3707] 02:11:31 _exit(0) = ?
> [pid 3707] 02:11:31 +++ exited with 0 +++

clamd is leaking file descriptors for temporary files - ls /proc/`pidof clamd`/fd shows a lot of:

lrwx-- 1 root root 64 Jan 26 10:38 993 -> /tmp/clamav-736a3d0d2a944a0a79d465671fb754d5.tmp (deleted)
lrwx-- 1 root root 64 Jan 26 10:38 994 -> /tmp/clamav-59b5548fe87bc9a454486cbe37d5c89b.tmp (deleted)
lrwx-- 1 root root 64 Jan 26 10:38 995 -> /tmp/clamav-0e2983c3f35c37d833ea37c2867a0aba.tmp (deleted)
...

-- 
Ralf Hildebrandt
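A way to measure the leak described above rather than eyeball it, added here as an example (not from the post or from ClamAV): it counts descriptors that still point at deleted /tmp/clamav-*.tmp files, either from a captured "ls -l /proc/<pid>/fd" listing or live via readlink on /proc. The listing below is constructed in that format (the three leaked entries are the ones quoted above, with two ordinary descriptors added); the alert threshold is an arbitrary assumption.

```python
import os
import re
from collections import Counter

# Constructed sample in 'ls -l /proc/<pid>/fd' format: two ordinary
# descriptors plus the three leaked temp files quoted in the post above.
SAMPLE_LISTING = """\
lrwx------ 1 root root 64 Jan 26 10:38 0 -> /dev/null
lrwx------ 1 root root 64 Jan 26 10:38 4 -> socket:[12345]
lrwx------ 1 root root 64 Jan 26 10:38 993 -> /tmp/clamav-736a3d0d2a944a0a79d465671fb754d5.tmp (deleted)
lrwx------ 1 root root 64 Jan 26 10:38 994 -> /tmp/clamav-59b5548fe87bc9a454486cbe37d5c89b.tmp (deleted)
lrwx------ 1 root root 64 Jan 26 10:38 995 -> /tmp/clamav-0e2983c3f35c37d833ea37c2867a0aba.tmp (deleted)
"""

# perms links owner group size month day time fd -> target
LS_LINE_RE = re.compile(
    r"^\S+\s+\d+\s+\S+\s+\S+\s+\d+\s+\S+\s+\d+\s+\S+\s+(?P<fd>\d+) -> (?P<target>.+)$"
)
CLAMAV_TMP_RE = re.compile(r"/clamav-[0-9a-f]+\.tmp$")
DELETED_SUFFIX = " (deleted)"


def classify(target: str) -> str:
    """'leaked' = clamav temp file already unlinked but still open,
    'tmp' = clamav temp file still present on disk, 'other' = anything else."""
    deleted = target.endswith(DELETED_SUFFIX)
    path = target[:-len(DELETED_SUFFIX)] if deleted else target
    if CLAMAV_TMP_RE.search(path):
        return "leaked" if deleted else "tmp"
    return "other"


def count_from_listing(lines) -> Counter:
    """Classify every line of a captured 'ls -l /proc/<pid>/fd' listing."""
    counts = Counter()
    for line in lines:
        m = LS_LINE_RE.match(line)
        if m:
            counts[classify(m.group("target"))] += 1
    return counts


def count_from_proc(pid: int) -> Counter:
    """Live check via readlink on /proc/<pid>/fd (Linux; needs permission on
    the target process). Returns an empty Counter where /proc is absent."""
    counts = Counter()
    fd_dir = f"/proc/{pid}/fd"
    if not os.path.isdir(fd_dir):
        return counts
    for name in os.listdir(fd_dir):
        try:
            counts[classify(os.readlink(os.path.join(fd_dir, name)))] += 1
        except OSError:
            continue  # descriptor closed between listdir and readlink
    return counts


def is_wedged(counts: Counter, threshold: int = 100) -> bool:
    """Assumed alert rule: at least `threshold` leaked temp files is the
    'hundreds/thousands of open files' state described in the thread."""
    return counts["leaked"] >= threshold


def self_check() -> Counter:
    """Run the live check against this very process (expect zero leaked)."""
    return count_from_proc(os.getpid())


if __name__ == "__main__":
    print(count_from_listing(SAMPLE_LISTING.splitlines()))
```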
Re: [clamav-users] URGENT: Clamd is wedged on multiple installations
> Arguably if a bug in the signatures can lead to such massive problems
> then that is in itself a bug in the software, which might be (but
> apparently so far isn't) fixed in a later version.

Amen to that.

-- 
Ralf Hildebrandt
Re: [clamav-users] URGENT: Clamd is wedged on multiple installations
* maxal :
> nobody of clamav/cisco reading this list?

It's 7:45AM on the east coast.

-- 
Ralf Hildebrandt
Re: [clamav-users] URGENT: Clamd is wedged on multiple installations
* lukn :
> As ClamAV/Thalos is owned by Cisco I assume all ClamAV employees are
> located in Silicon Valley area and therefore still enjoying a good
> Californian night's sleep.

Or maybe in Philadelphia.

-- 
Ralf Hildebrandt
Re: [clamav-users] URGENT: Clamd is wedged on multiple installations
* Reindl Harald :
> On 26.01.2018 at 13:40, Ralf Hildebrandt wrote:
> > * maxal :
> > > nobody of clamav/cisco reading this list?
> >
> > It's 7:45AM on the east coast
>
> so what - i don't get how such updates slip through at all - it's not rocket
> science load them on a test-machine and fire up a script that pipes a
> test-corpus against clamd and *read* stderr/stdout/logs for "warning" and
> "error"

If I had to guess: they used the beta for testing, but the release versions (both 0.99.2 and 0.99.3!) fail to operate properly...

-- 
Ralf Hildebrandt
Re: [clamav-users] Announcement missing
* Joel Esler (jesler) :
> You're right. That's my fault. I'll correct that here in a second after I
> read through all the emails in my ClamAV folder.

OK, tomorrow then :)

-- 
Ralf Hildebrandt
[clamav-users] Question regarding SIGUSR2 and clamd
One can send SIGUSR2 to a running clamd instance to reload the signatures. But how can I (from a script) determine if the signatures have been reloaded?

I can of course try "sleep 30" which will suffice in most cases (from my experience) but is there a script based approach apart from trying to parse the logfile?

-- 
Ralf Hildebrandt
Re: [clamav-users] [ext] Re: Question regarding SIGUSR2 and clamd
* Maarten Broekman :
> You might be able to open the socket that clamd is listening on and attempt
> to ping it. I forget if it replies with PONG while it's in the middle of
> reloading. It's been a while since I tried to do that.

Thanks:

# echo PING | socat - /var/run/clamav/clamd.ctl
PONG
# echo RELOAD | socat - /var/run/clamav/clamd.ctl
RELOADING
# echo PING | socat - /var/run/clamav/clamd.ctl
# echo PING | socat - /var/run/clamav/clamd.ctl
PONG

Yeah!

-- 
Ralf Hildebrandt
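The socat exchange above turned into something a script can call, added here as an example that is not from the post or from ClamAV: send RELOAD, then poll PING until PONG comes back, treating an empty reply (what the session above shows mid-reload), a refused connection or a timeout as "still reloading". FakeClamd is a constructed stand-in that reproduces only that PING/RELOAD behaviour so the function can be exercised offline; the socket path, the timeouts and the command form (plain "PING\n", as echo | socat sends it) are assumptions.

```python
import os
import socket
import tempfile
import threading
import time


def clamd_command(sock_path: str, command: str, timeout: float = 5.0) -> str:
    """Send one command to clamd over its Unix socket (plain 'CMD\\n', as
    'echo CMD | socat' does) and return the whole reply, stripped."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(sock_path)
        s.sendall(command.encode() + b"\n")
        chunks = []
        while True:                     # clamd closes the connection after the reply
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace").strip()


def reload_and_wait(sock_path: str, timeout_s: float = 120.0, poll_s: float = 0.5) -> bool:
    """Trigger a signature reload and block until clamd answers PING again.
    Returns True once PONG is seen, False if timeout_s elapses first."""
    reply = clamd_command(sock_path, "RELOAD")
    if reply != "RELOADING":
        raise RuntimeError(f"unexpected reply to RELOAD: {reply!r}")
    deadline = time.monotonic() + timeout_s
    while time.monotonic() < deadline:
        try:
            # mid-reload the session above got an empty reply to PING; a refused
            # connection or a timeout is treated the same way: not ready yet
            if clamd_command(sock_path, "PING", timeout=poll_s * 4) == "PONG":
                return True
        except OSError:
            pass
        time.sleep(poll_s)
    return False


class FakeClamd:
    """Constructed stand-in (not clamd) for offline testing: PONG normally,
    RELOADING on RELOAD, and no reply at all to PING while 'reloading'."""

    def __init__(self, sock_path: str, reload_seconds: float = 1.0):
        self.reload_seconds = reload_seconds
        self.reloading_until = 0.0
        self._srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self._srv.bind(sock_path)
        self._srv.listen(5)
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, _ = self._srv.accept()
            except OSError:
                return                  # listening socket was closed
            with conn:
                cmd = conn.recv(64).strip()
                if cmd == b"RELOAD":
                    self.reloading_until = time.monotonic() + self.reload_seconds
                    conn.sendall(b"RELOADING\n")
                elif cmd == b"PING" and time.monotonic() >= self.reloading_until:
                    conn.sendall(b"PONG\n")
                # otherwise close without answering, like the empty reply above

    def close(self):
        self._srv.close()


def demo(reload_seconds: float = 1.0):
    """Run reload_and_wait against FakeClamd; returns (success, seconds waited)."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "clamd.ctl")   # assumed; the real one is /var/run/clamav/clamd.ctl
    server = FakeClamd(path, reload_seconds)
    try:
        start = time.monotonic()
        ok = reload_and_wait(path, timeout_s=10.0, poll_s=0.1)
        return ok, time.monotonic() - start
    finally:
        server.close()
        os.unlink(path)
        os.rmdir(tmpdir)


if __name__ == "__main__":
    print(demo())
```

Against a real clamd, call reload_and_wait("/var/run/clamav/clamd.ctl") from the script and branch on the boolean; a False return means the reload did not finish within the deadline and deserves a log line rather than a silent continue.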
Re: [clamav-users] [ext] Re: WARNING: Local version: 0.99.4 Recommended version: 0.100.0
* Philip :
> Has this been released yet by the major Distros? I'm using Debian 9 and
> can't get any higher than 0.99.x

Debian has 0.100: https://packages.debian.org/buster/clamav

I used that source package to rebuild for my Ubuntu installations.

-- 
Ralf Hildebrandt
Re: [clamav-users] [ext] Re: Malwarepatrol false positive
* Paul Stead :
> Yet another Malwarepatrol FP:
>
> MBL_14437114 - https://drive.google.com

That's a recurring FP. Happens every week.

-- 
Ralf Hildebrandt
Re: [clamav-users] [ext] MBL_17713260 false positive!
* Alex :
> Another malwarepatrol fp for docs.google.com
>
> # sigtool --find-sigs MBL_17713260 |sigtool --decode-sigs
> VIRUS NAME: MBL_17713260
> TARGET TYPE: ANY FILE
> OFFSET: *
> DECODED SIGNATURE:
> https://docs.google.com
>
> I don't even know what to do anymore. Is it worth it to keep malwarepatrol?

I'm wondering this as well. That stuff pops up every other day.

-- 
Ralf Hildebrandt
Re: [clamav-users] [ext] Re: MBL_17713260 false positive!
* Alex :
> Hi,
>
> Thought I'd follow up with the response from Malwarepatrol:
>
> "The classification of a sample hosted on that domain, according to
> MBL# 17713260 (MD5: 88a1265b2f954a1fb06b6a67f198645e9617007e), is
> backed by 12 anti-virus products. Therefore, this is not a false
> positive.
>
> There is no reason to believe that the Google infrastructure doesn't
> host malware. In case you still don't want or can't block such domain,
> we advise you to whitelist it before applying our block lists."

Fucking idiots.

-- 
Ralf Hildebrandt
Re: [clamav-users] [ext] MBL_17713260 false positive!
* Al Varnell :
> I cannot argue that malware does not show up in Google Docs which is
> wide open to anybody that wants to post there,

Amen to that!

> as I know it has occurred. Not sure how big a problem it has become for
> Google to police. I think it would be better if malwarepatrol were to
> list the specific site where the malware was reportedly found, rather
> than condemning the entire sub-domain.

-- 
Ralf Hildebrandt
Re: [clamav-users] [ext] What kind of mails is clam* checking? Only mails with attachments / mailflow
* Stefan Bauer :
> Dear Users,
>
> my mailflow is the following:
>
> amavis -> 15-av_scanners ->
> ['ClamAV-clamd',
>   \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],
>   qr/\bOK$/m, qr/\bFOUND$/m,
>   qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
>
> What kind of mails are forwarded to clamd for scanning/checking?

Usually ALL mails.

> Or what kind of mails are checked by clam*?

Usually ALL mails.

> Only mails with attachments?

amavis decomposes the mail into its text parts and attachments and usually scans the whole mail "as is" and the text parts and attachments separately.

> As clam* can also do URL checks and stuff, also mails without attachments
> can be infected.

-- 
Ralf Hildebrandt
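How the three regexes in that av_scanners entry classify a CONTSCAN reply, as an added example (not from the post, amavisd-new or ClamAV): the Perl patterns are carried over to Python unchanged and run over constructed replies in clamd's one-line-per-file format. The "Infected Archive" line is constructed only to exercise the negative lookahead; the precedence used here (infected beats clean, anything else is a scanner error) is an assumption about how a caller should treat the result, not a statement about amavisd-new's internals.

```python
import re

# The three qr// patterns from the av_scanners entry above, translated 1:1
# (Perl's /m is re.M; \b, $ and the negative lookahead behave the same).
CLEAN_RE = re.compile(r"\bOK$", re.M)
INFECTED_RE = re.compile(r"\bFOUND$", re.M)
NAME_RE = re.compile(r"^.*?: (?!Infected Archive)(.*) FOUND$", re.M)

# Constructed replies in clamd's CONTSCAN format: one '<path>: <verdict>' line
# per file found below the directory handed to it.
REPLY_CLEAN = (
    "/var/lib/amavis/tmp/amavis-sample/parts/p001: OK\n"
    "/var/lib/amavis/tmp/amavis-sample/parts/p002: OK\n"
)
REPLY_INFECTED = (
    "/var/lib/amavis/tmp/amavis-sample/parts/p001: OK\n"
    "/var/lib/amavis/tmp/amavis-sample/parts/p002: Infected Archive FOUND\n"
    "/var/lib/amavis/tmp/amavis-sample/parts/p003: Eicar-Test-Signature FOUND\n"
)
REPLY_ERROR = (
    "/var/lib/amavis/tmp/amavis-sample/parts/p001: lstat() failed: Permission denied. ERROR\n"
)


def classify_reply(reply: str):
    """Return (verdict, names).

    verdict: 'infected' if any line ends in FOUND (names = what the third
             pattern extracts, which skips the 'Infected Archive' container line),
             'clean' if some line ends in OK and none in FOUND,
             'error' if neither pattern matched (clamd reported ERROR or nothing).
    """
    names = NAME_RE.findall(reply)
    if INFECTED_RE.search(reply):
        return "infected", names
    if CLEAN_RE.search(reply):
        return "clean", names
    return "error", names


if __name__ == "__main__":
    for label, reply in (("clean", REPLY_CLEAN), ("infected", REPLY_INFECTED), ("error", REPLY_ERROR)):
        print(label, "->", classify_reply(reply))
```

Note that one infected part anywhere in the reply makes the whole message infected even though every other line says OK, which is why the FOUND check has to run before the OK check; the third pattern's lazy "^.*?: " also means a path containing ": " would be split at the wrong colon, a non-issue for amavisd-new's own temp paths.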
Re: [Clamav-users] kernel: Out of Memory:Killed process xxxxx (clamd).
* Fajar A. Nugraha <[EMAIL PROTECTED]>:
> Which brings my earlier suggestion. Is there any way to put a
> built-in memory limiter (not external program like softlimit) to
> clamd?

Why add code to clamd when a good unix-like solution already exists?

-- 
Ralf Hildebrandt
Re: [Clamav-users] kernel: Out of Memory:Killed process xxxxx (clamd).
* Fajar A. Nugraha <[EMAIL PROTECTED]>:
> Because softlimit is a hack.

It is not a hack. It is common practice to run programs using least privilege and with limited resources to prevent runaway conditions.

> Because current clamd implementation is not to "die" on
> memory allocation error, but sleep.

It doesn't die, it's being killed by the kernel.

-- 
Ralf Hildebrandt
Re: [Clamav-users] kernel: Out of Memory:Killed process xxxxx (clamd).
* Jason Haar <[EMAIL PROTECTED]>:
> On Wed, Sep 15, 2004 at 09:58:41AM +0200, Ralf Hildebrandt wrote:
> > > Because current clamd implementation is not to "die" on
> > > memory allocation error, but sleep.
> >
> > It doesn't die, it's being killed by the kernel.
>
> No - clamd does a malloc and that fails. Then instead of dying (which would
> be the proper thing to do IMHO), it sleeps a few microsecs and then tries to
> malloc the memory again. Infinite loop occurs...

Ok, THAT's bad - and should be fixed.

> [people running softlimits would almost invariably also be calling clamd
> under a supervise script, so if clamd died, it would be auto-restarted.
> That's the condition we are trying to achieve]

Yep.

-- 
Ralf Hildebrandt
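The setup the thread argues for, a resource limit around the daemon plus a supervise-style restart when it dies, in shell. This is an added example and not code from the thread, from softlimit or from ClamAV: run_limited caps the address space with ulimit -v so that a runaway allocation fails inside the process instead of ending in the kernel's OOM killer, and supervise reruns the command when it exits non-zero. The limit values, the restart budget and the flaky demo command are all constructed for the demo.

```sh
#!/bin/sh
# Added example: cap a daemon's memory with a plain ulimit and restart it
# when it dies, the "unix-like solution" preferred over code in clamd.

# run_limited MAX_KB CMD [ARG...]: run CMD with its address space limited to
# MAX_KB kilobytes. The limit is set in a subshell so only CMD is affected;
# under that cap a malloc() beyond the limit fails instead of pulling the
# whole box into the OOM killer. Fails closed (status 126) if the limit
# cannot be applied; otherwise the exit status is CMD's own.
run_limited() {
    _max_kb=$1; shift
    (
        ulimit -v "$_max_kb" 2>/dev/null ||
            { echo "run_limited: cannot set ulimit -v $_max_kb" >&2; exit 126; }
        exec "$@"
    )
}

# supervise MAX_KB MAX_RESTARTS DELAY CMD [ARG...]: rerun CMD under
# run_limited every time it exits non-zero, at most MAX_RESTARTS times,
# sleeping DELAY seconds between attempts (what a supervise script does
# for a daemon that dies). Prints the number of restarts performed.
supervise() {
    _max_kb=$1; _max_restarts=$2; _delay=$3; shift 3
    _restarts=0
    while ! run_limited "$_max_kb" "$@"; do
        [ "$_restarts" -lt "$_max_restarts" ] || break
        _restarts=$((_restarts + 1))
        sleep "$_delay"
    done
    echo "$_restarts"
}

# Demo: a constructed stand-in for a crashing daemon. It keeps a run
# counter in a temp file, fails on its first two runs and succeeds on the
# third, so supervise reports 2 restarts. 2000000 KB (about 2 GB) is a
# demo value, not a recommendation for clamd.
flaky_demo() {
    _state=$(mktemp)
    supervise 2000000 5 0 sh -c '
        n=$(cat "$1" 2>/dev/null)
        n=$((${n:-0} + 1))
        echo "$n" > "$1"
        [ "$n" -ge 3 ]
    ' flaky "$_state"
    rm -f "$_state"
}

flaky_demo
```

The same subshell trick applies to ulimit -c when a core file is wanted from the next crash, as mentioned later in this thread; it keeps the relaxed limit from leaking into the rest of the system.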
Re: [Clamav-users] kernel: Out of Memory:Killed process xxxxx (clamd).
* Trog <[EMAIL PROTECTED]>:
> > Ok, THAT's bad - and should be fixed.
>
> If it were true it would be. Please point me at some code in clamd that
> does that.

That was not my claim, but the other person's.

-- 
Ralf Hildebrandt
Re: [Clamav-users] kernel: Out of Memory:Killed process xxxxx (clamd).
* Trog <[EMAIL PROTECTED]>:
> > That was not my claim, but the other person's.
>
> I know, I believe I correctly kept the attribution. You merely believed
> it at face value.

Fact: We've been running clamd for a week now, scanning 130.000 mails per week. It has not died on us, nor is it using huge amounts of memory:

  PID USER     PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+ COMMAND
 1509 amavis    9   0 44084  16m  15m S  0.0  1.6  0:14.31 clamd
 1510 amavis    9   0 44084  16m  15m S  0.0  1.6  0:00.30 clamd
 5146 amavis    9   0 44084  16m  15m S  0.0  1.6  1:51.37 clamd
10478 amavis    9   0 44084  16m  15m S  0.0  1.6  0:02.41 clamd

If it would, I'd surely report it properly.

Question: Why do I see 4 clamd processes?

/usr/local/etc/clamav.conf:

LogFile /var/log/clamd.log
LogFileMaxSize 20M
LogTime
LogSyslog
PidFile /var/run/clamd.pid
DataDirectory /var/lib/clamav
LocalSocket /var/amavis/clamd
FixStaleSocket
MaxThreads 30
MaxDirectoryRecursion 15
User amavis
ScanMail
ScanArchive
ArchiveMaxFileSize 10M
ArchiveMaxRecursion 5
ArchiveMaxFiles 1000

-- 
Ralf Hildebrandt
Re: [Clamav-users] Regd. ClamAV Virus protection
* Sandeep Agarwal <[EMAIL PROTECTED]>:
> hello list,
>
> I have recently installed ClamAV on my Linux box, it
> is working fine, but when I tested my mail server
> against virus attach (http://www.testvirus.org/), it
> successfully blocked 21 out of 25 different ways of
> sending virus which indeed is a good result, but was
> unable to block test number 20,23,24 and 25,

How does your mail server interface with clamav?

-- 
Ralf Hildebrandt

---
This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170
Project Admins to receive an Apple iPod Mini FREE for your judgement on
who ports your project to Linux PPC the best. Sponsored by IBM.
Deadline: Sept. 24. Go here: http://sf.net/ppc_contest.php
Re: [Clamav-users] freshclam.pid: Permission denied
* Jona Tallieu (T & T n.v.) <[EMAIL PROTECTED]>:
> Hi all,
>
> I just upgraded from latest stable 0.75.1 to the final 0.80.
>
> Now, when freshclam starts, I get this in the freshclam logfile:
>
> ERROR: Can't save PID to file /var/clamav/freshclam.pid: Permission denied
>
> The option in freshclam.conf has been disabled (default):
> #PidFile /var/run/freshclam.pid

The default value is being used: /var/run/freshclam.pid != /var/clamav/freshclam.pid !

-- 
Ralf Hildebrandt
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] Mail::ClamAV on FC2
* Gerry Doris <[EMAIL PROTECTED]>:
> I have been unable to install the perl module Mail::ClamAV on either of my
> Fedora Core 2 boxes.

Why?

-- 
Ralf Hildebrandt
Re: [Clamav-users] Why use amavis over simscan?
* [EMAIL PROTECTED] <[EMAIL PROTECTED]>:
> I'm setting up some email gateways for small businesses and was wondering
> what program the people on this list would use to combine clam and
> spamassassin for an email gateway.

What is simscan?

-- 
Ralf Hildebrandt
Re: [Clamav-users] Exploit.W32.MS05-002 False Positives
* Francis Stevens <[EMAIL PROTECTED]>:
> Finally worked out how to (correctly) revert to 0.81, had to remove the
> libraries in /usr/local/lib before doing the "make install" for 0.81.
> I'm no longer getting the false positives, just the WARNING message from
> freshclam - which I'm happy to ignore until the other issue is dealt with.
>
> Am I right that the MS05-002 check is built into the clamscan executable
> (libclamav) and is not a true signature?

Same here, what is the fix?

-- 
Ralf Hildebrandt
Re: [Clamav-users] Exploit.W32.MS05-002 False Positives
* Francis Stevens <[EMAIL PROTECTED]>:
> My "fix" was to go back to 0.81. Hopefully the ClamAV team will be able
> to suggest a better one

My point exactly.

-- 
Ralf Hildebrandt
Re: [Clamav-users] Exploit.W32.MS05-002 False Positives
* Trog <[EMAIL PROTECTED]>:
> You can apply the enclosed patch if you want less stringent checking.

Is that in the CVS as well?

-- 
Ralf Hildebrandt
Re: [Clamav-users] Exploit.W32.MS05-002 False Positives
* Francis Stevens <[EMAIL PROTECTED]>:
> All the problem files I've had are Powerpoint and Word files. For the
> Powerpoint files it was a common background image.

Same here!

-- 
Ralf Hildebrandt
Re: [Clamav-users] Long running clamscan processes...
* Tim Howell <[EMAIL PROTECTED]>:
> > This is fixed in the version in CVS, though you may wish to forward
> > the errant message to me to double check (as usual zip with the
> > password 'virus').
>
> I've just installed the CVS tarball on my test server. After make
> install I tried clamscan -r clamav-devel-latest. The scan ran for
> about 15 minutes and then segfaulted. Do you need me to send you any
> additional information RE: the configuration?

Same here, the thing suddenly crashes every now and then...

-- 
Ralf Hildebrandt
___
http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] Long running clamscan processes...
* Tomasz Kojm <[EMAIL PROTECTED]>:
> Such reports are useless to us. We need files to reproduce the problem
> or at least stack backtraces. Send them to [EMAIL PROTECTED]

First I need to find the core file...

-- 
Ralf Hildebrandt
Re: [Clamav-users] Long running clamscan processes...
* Nigel Horne <[EMAIL PROTECTED]>:
> > Same here, the thing suddenly crashes every now and then...
>
> What version of zlib? What is the stacktrace from gdb? Have you sent me
> the errant message as requested? I haven't received it yet.

Like I said, I have yet to find the corefile.

-- 
Ralf Hildebrandt
Re: [Clamav-users] Long running clamscan processes...
* Ralf Hildebrandt <[EMAIL PROTECTED]>:
> * Nigel Horne <[EMAIL PROTECTED]>:
> > > Same here, the thing suddenly crashes every now and then...
> >
> > What version of zlib? What is the stacktrace from gdb? Have you sent me
> > the errant message as requested? I haven't received it yet.
>
> Like I said, I have yet to find the corefile.

I set ulimit -c accordingly and am waiting for the next crash...

-- 
Ralf Hildebrandt
Re: [Clamav-users] Long running clamscan processes...
* Nigel Horne <[EMAIL PROTECTED]>:
> > I set ulimit -c accordingly and am waiting for the next crash...
>
> What version of zlib?

ii  zlib1g       1.2.2-3   compression library - runtime
ii  zlib1g-dev   1.2.2-3   compression library - development

-- 
Ralf Hildebrandt
Re: [Clamav-users] Can phishing be considered one kind of spam ?
> > Can phishing be considered one kind of spam ?
> What is the universe in and where are God's parents?

42

-- 
Ralf Hildebrandt
Re: [Clamav-users] ClamAV -- Squid Cache Integration
* Rob MacGregor <[EMAIL PROTECTED]>:
> Well, there are a number documented on the ClamAV site:
>
> http://www.clamav.net/3rdparty.html#proxy
>
> But, of course, you've already looked there :-)

I checked out several of those and DansGuardian seems to be the most "complete" solution when it comes to virus scanning.

-- 
Ralf Hildebrandt
Re: [Clamav-users] libcrypto.so.4
* David Kandou <[EMAIL PROTECTED]>:
> Dear all,
> When I want to install clamav 0.85 (rpm version) I found that clamav needs
> libcrypto.so.4 installed.
> Can anybody help me how to get libcrypto.so.4 ???

Install the OpenSSL libraries.

-- 
Ralf Hildebrandt
Re: [Clamav-users] oversized.zip problem
* saravanan ganapathy <[EMAIL PROTECTED]>:
> Hi,
>
> I am using clamav-0.84 (Debian Version) with
> Dansguardian. My config looks like as follows
>
> ArchiveMaxRecursion 0
> ArchiveMaxFiles 0
> ArchiveMaxFileSize 0
> ArchiveMaxCompressionRatio 0

Does setting them to 0 really disable the limits?

-- 
Ralf Hildebrandt
Re: [Clamav-users] postfix and clamav
* Shannon Scott <[EMAIL PROTECTED]>:
> Greetings,
> I have been using postfix for a while, and would like to integrate
> clamav for scanning email.
> What is the best and most simple way to achieve this?

amavisd-new

-- 
Ralf Hildebrandt
Re: [Clamav-users] clamav as postfix check_policy_service, not content_filter
* Christopher Cleveland <[EMAIL PROTECTED]>:
> My quick review of the archive/google did not turn up any implementation
> notes for using clamav as a policy rather than content filter.

A policy server never gets to see the CONTENT of a mail, but merely meta information (sender, recipient, client, etc). Thus, clamav cannot work as a policy server, since the virus is in the mail...

Do you by chance mean an smtpd_proxy_filter?

-- 
Ralf Hildebrandt
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] clamav auto scan Linux system
* Wilson Kwok <[EMAIL PROTECTED]>:
> Hi,
>
> Can Clamav auto scan the Linux system directory, and then after scan
> can send the results to email such as root, how can I do that ?

clamscan / | mailx -s Result root

-- 
Ralf Hildebrandt
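A cron-ready expansion of the one-liner above, as an added example that is neither from the post nor one of ClamAV's own scripts: it keeps clamscan's exit status (0 when nothing was found, 1 when a signature matched, 2 when an error occurred) and puts it in the mail subject, so a report with a hit is not lost among the daily all-clean mails. The paths, signature name and summary block in SAMPLE_REPORT are constructed; nothing runs clamscan or mailx until scan_and_mail is called.

```sh
#!/bin/sh
# Added example: a scheduled clamscan whose mail tells root at a glance
# whether anything was found, built on clamscan's exit status.

# Constructed clamscan-style output for the demo; not from a real scan.
SAMPLE_REPORT='/srv/data/report.doc: OK
/srv/data/eicar.com: Eicar-Test-Signature FOUND
/srv/data/locked.db: Can'\''t open file or directory ERROR

----------- SCAN SUMMARY -----------
Known viruses: 1234567
Scanned files: 3
Infected files: 1'

# subject_for RC -> mail subject for clamscan exit status RC
# (0 nothing found, 1 something matched, 2 errors during the scan)
subject_for() {
    case "$1" in
        0) echo "clamscan: clean" ;;
        1) echo "clamscan: INFECTED FILES FOUND" ;;
        2) echo "clamscan: errors during scan" ;;
        *) echo "clamscan: unexpected exit status $1" ;;
    esac
}

# infected_count REPORT -> the number from the "Infected files:" summary
# line, or 0 when the line is absent (e.g. the scan aborted early)
infected_count() {
    _n=$(printf '%s\n' "$1" | sed -n 's/^Infected files: \([0-9][0-9]*\)$/\1/p')
    echo "${_n:-0}"
}

# should_mail RC -> true unless the scan was clean and MAIL_WHEN_CLEAN is
# unset; a daily "all clean" mail is noise most admins stop reading.
should_mail() {
    [ "$1" -ne 0 ] || [ -n "${MAIL_WHEN_CLEAN:-}" ]
}

# scan_and_mail DIR RECIPIENT: scan DIR recursively, mail the report to
# RECIPIENT when warranted, and return clamscan's own status so cron sees
# it too. The exit status of the assignment is that of the command
# substitution, which is what $? captures on the next line.
scan_and_mail() {
    _dir=$1; _to=$2
    _report=$(clamscan -r "$_dir" 2>&1)
    _rc=$?
    if should_mail "$_rc"; then
        {
            printf 'clamscan exit status: %s\n' "$_rc"
            printf 'infected files: %s\n\n' "$(infected_count "$_report")"
            printf '%s\n' "$_report"
        } | mailx -s "$(subject_for "$_rc")" "$_to"
    fi
    return "$_rc"
}

# Demo on the constructed report, as if clamscan had returned 1
printf 'Subject: %s\n' "$(subject_for 1)"
printf 'infected files: %s\n' "$(infected_count "$SAMPLE_REPORT")"
```

Scanning all of / produces a very long list of OK lines; adding clamscan's -i (--infected) option to the invocation restricts the output to the files that matched, which keeps the mailed report readable.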
Re: [Clamav-users] Edit postmaster@ in email
* [EMAIL PROTECTED] <[EMAIL PROTECTED]>:
> Hello all! When clamav catches a virus in an email, I have it set to
> send an email to me and the "from" is from Virus Scanning
> Agent<[EMAIL PROTECTED]>. What I want to do is edit that "from"
> field to say something different. Can someone inform me where I would
> edit the "from" in the email? Thanks in advance

Which program are you using to scan the mail? clamsmtpd? amavisd-new?

-- 
Ralf Hildebrandt
Re: [Clamav-users] Edit postmaster@ in email
* [EMAIL PROTECTED] <[EMAIL PROTECTED]>:
> > Hello all! When clamav catches a virus in an email, I have it set to
> > send an email to me and the "from" is from Virus Scanning
> > Agent<[EMAIL PROTECTED]>. What I want to do is edit that "from"
> > field to say something different. Can someone inform me where I would
> > edit the "from" in the email? Thanks in advance
>
> > Which program are you using to scan the mail? clamsmtpd? amavisd-new?
>
> Sorry about that, I am just using clamd as far as I know.

I don't think so, since that just does the scanning, but doesn't handle mail.

-- 
Ralf Hildebrandt
Re: [Clamav-users] Problems when i start the daemon
* Michael Fernández M. <[EMAIL PROTECTED]>:
> Starting ClamAV daemon: clamdERROR: Problem with internal logger. Please
> check the permissions on the /var/log/clamav/clamav.log file.
> failed!
>
> I do not understand why if the permissions are ok. (i did not touch
> them)

Check if another clamav process is still running...

-- 
Ralf Hildebrandt
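One way to do the check suggested above before restarting clamd, as an added example that is not part of the original message: read the pid from clamd's PidFile and ask the kernel whether that process still exists, which separates a daemon that is genuinely still running from a stale pidfile left behind by a crash. The pidfile names and pid values in the demo are constructed.

```sh
#!/bin/sh
# Added example: tell a live clamd from a stale pidfile before restarting.

# pidfile_status PIDFILE -> prints one of: missing, invalid, running, stale
pidfile_status() {
    _pf=$1
    [ -s "$_pf" ] || { echo missing; return 0; }
    # Keep only the digits, so a trailing newline or stray text does not
    # end up in the kill argument.
    _pid=$(tr -cd '0-9' < "$_pf")
    [ -n "$_pid" ] || { echo invalid; return 0; }
    # kill -0 sends no signal; it only asks whether the process exists.
    # It fails with EPERM for another user's process even though that
    # process is alive, so fall back to /proc where it is available.
    if kill -0 "$_pid" 2>/dev/null || [ -d "/proc/$_pid" ]; then
        echo running
    else
        echo stale
    fi
}

# Demo with constructed pidfiles: our own pid (alive), a pid that cannot be
# in use (long gone), an empty file and a file that does not exist.
demo() {
    _d=$(mktemp -d)
    echo "$$" > "$_d/live.pid"
    echo 999999999 > "$_d/gone.pid"
    : > "$_d/empty.pid"
    for f in live gone empty none; do
        printf '%s: %s\n' "$f" "$(pidfile_status "$_d/$f.pid")"
    done
    rm -rf "$_d"
}

demo
```

A "running" result means the old daemon still holds the log file and the socket, and the new instance's logger error is expected; "stale" means the pidfile can be removed and the daemon started. The same logic serves for a leftover LocalSocket, which clamd's FixStaleSocket option otherwise handles on its own.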