[clamav-users] false positive Email.Trojan-393

2014-04-09 Thread Robert Schetterer
Hi, some users reported a false positive with Email.Trojan-393
is this widely known?

Best Regards
MfG Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
___
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/support/ml


Re: [clamav-users] Clam AV Integration with Thunderbird

2017-01-08 Thread Robert Schetterer
On 08.01.2017 at 16:35, A6 wrote:
> Hi i was just wondering if it is possible to integrate ClamAV with
> thunderbird in a way so that any mail & attachments i receive will be
> automatically scanned for viruses?

see

https://addons.mozilla.org/de/thunderbird/addon/clamdrib-lin/?src=search

> 
> ___
> clamav-users mailing list
> clamav-users@lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
> 
> 
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
> 
> http://www.clamav.net/contact.html#ml



Best Regards
MfG Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, Amtsgericht München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein


Re: [clamav-users] Scanning IMAP traffic without user credential storage

2017-07-28 Thread Robert Schetterer
On 26.07.2017 at 11:21, Beeblebrox wrote:
> Hello.
> How can I setup IMAP incoming email scanning via ClamAV on a LAN gateway. 
> Most devices on the LAN are mobiles. I would prefer to not store or configure 
> user email credentials on the gateway and have the auth mechanism work 
> directly from device to main server (ex: gmail).
> 
> Can the scanning be done in-flight, or do I need to use an email proxy for
> this? The only thing I could think of is using a TLS proxy.
> 
> Other Preferences:
> * POP3 is not used (an IMAP-only solution is OK).
> * Support for TLS connection. Preference: query & close (not keep-alive).
> * Handoff to ClamAV, then process message based on scan result.
> * If proxy is required, Transparent, Lightweight, Non-Caching.
> * Platform: FreeBSD 11-Stable with Jailed ClamAV, clamd listening for 
> incoming scan requests.
> 
> Thanks & Regards.
> 

reading this might help

http://www.fim.uni-linz.ac.at/diplomarbeiten/Diplomarbeit_Macskasi.pdf


Best Regards
MfG Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, Amtsgericht München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein

Re: [Clamav-users] Question of clamav/clamav-milter

2009-06-05 Thread Robert Schetterer
Giorgio Bellussi wrote:
> James Kosin wrote:
>> Giorgio Bellussi wrote:
>>> Javier Lopez wrote:
>>>> Hi community,
>>>>
>>>>
>>> man clamav-milter:
>>>
>>> ...
>>> -Q, --quarantine=EMAILADDRESS
>>>   If this e-mail address is given, messages containing a virus  or
>>>   worm are redirected to it.
>>>
>>> ...
>>>
>>> WBR
>>>
>>> G
>>> ___
>> That is from the old clamav-milter man page.
>> Clamav-milter >= 0.95.1
>> has a very slim number of options...
>>
>> James
>>
>>
>>
>> 
>>
>> ___
>> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
>> http://www.clamav.net/support/ml
> 
> I apologize. I forgot to "double check before posting" (R)...
> 
> It seems that beginning from 0.95 this option isn't available anymore.
> A chance we have is to configure milter to "quarantine" the infected
> message (OnInfected Quarantine); in this case sendmail stores the
> quarantined message in its queue but doesn't consider it for delivery. 
> (sendmail op.ps|pdf §2.3.6).
> Postfix freezes the quarantined message in the "hold queue" (postfix 2.6 
> or later).

not true, works also with postfix 2.5.5
and maybe before (not tested)

> 
> WBR
> 
> G
> 
> 


-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Re: [Clamav-users] Question of clamav/clamav-milter

2009-06-05 Thread Robert Schetterer
Giorgio Bellussi wrote:
> Robert Schetterer wrote:
>> Giorgio Bellussi wrote:
>>> James Kosin wrote:
>>>> Giorgio Bellussi wrote:
>>>>> Javier Lopez wrote:
>>>>>> Hi community,
>>>>>>
>>>>>>
>>>>> man clamav-milter:
>>>>>
>>>>> ...
>>>>> -Q, --quarantine=EMAILADDRESS
>>>>>   If this e-mail address is given, messages containing a virus  or
>>>>>   worm are redirected to it.
>>>>>
>>>>> ...
>>>>>
>>>>> WBR
>>>>>
>>>>> G
>>>>> ___
>>>> That is from the old clamav-milter man page.
>>>> Clamav-milter >= 0.95.1
>>>> has a very slim number of options...
>>>>
>>>> James
>>>>
>>>>
>>>>
>>>> 
>>>>
>>> I apologize. I forgot to "double check before posting" (R)...
>>>
>>> It seems that beginning from 0.95 this option isn't available anymore.
>>> A chance we have is to configure milter to "quarantine" the infected
>>> message (OnInfected Quarantine); in this case sendmail stores the
>>> quarantined message in its queue but doesn't consider it for delivery.
>>> (sendmail op.ps|pdf §2.3.6).
>>> Postfix freezes the quarantined message in the "hold queue" (postfix 2.6
>>> or later).
>> not true, works also with postfix 2.5.5
>> and maybe before (not tested)
>>
>>> WBR
>>>
>>> G
>>>
>>>
>>
> I re-apologize (as stated in my previous post). (yes, it's my bad habit)
> I believed what I read here: http://www.postfix.org/MILTER_README.html
> G

there is no failure in
http://www.postfix.org/MILTER_README.html
you misinterpreted it

--snip

Milter error handling

The milter_default_action parameter specifies how Postfix handles Milter
application errors. The default action is to respond with a temporary
error status, so that the client will try again later. Specify "accept"
if you want to receive mail as if the filter does not exist, and
"reject" to reject mail with a permanent status. The "quarantine" action
is like "accept" but freezes the message in the "hold" queue, and is
available with Postfix 2.6 or later.

/etc/postfix/main.cf:
# What to do in case of errors? Specify accept, reject, tempfail,
# or quarantine (Postfix 2.6 or later).
milter_default_action = tempfail



this means the option quarantine
is new with postfix 2.6 with milter_default_action
so this would happen if any milter has a problem by whatever reason

that's not the same as quarantine in clamav-milter, that's the
quarantine function of the clamav-milter itself


> 


-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria
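
The distinction drawn above, as an added example that is not part of the original thread: a small audit that reads a Postfix main.cf and a clamav-milter.conf and reports separately what happens to infected mail (clamav-milter's OnInfected) and what happens when the milter itself fails (Postfix's milter_default_action, clamav-milter's OnFail). The two sample files, the function names and the finding codes are constructed for illustration; OnFail is a clamav-milter.conf option that the thread does not mention.

```python
# Constructed sample files; the socket path and values are illustrative only.
MAIN_CF = """\
# /etc/postfix/main.cf
smtpd_milters = unix:/var/run/clamav/clamav-milter.sock
milter_default_action = accept
"""

MILTER_CONF = """\
# clamav-milter.conf
MilterSocket /var/run/clamav/clamav-milter.sock
OnInfected Quarantine
OnFail Defer
"""


def parse_main_cf(text):
    """Parse 'name = value' lines; indented lines continue the previous value."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last:
            params[last] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if sep:
            last = name.strip()
            params[last] = value.strip()
    return params


def parse_milter_conf(text):
    """Parse clamav-milter.conf 'Option Value' lines into a dict."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            opts[key] = value.strip()
    return opts


def audit(main_cf, milter_conf, postfix_version=(2, 6)):
    """Return (severity, code, detail) findings for the two quarantine paths."""
    pf = parse_main_cf(main_cf)
    cm = parse_milter_conf(milter_conf)
    # Defaults: clamav-milter quarantines infected mail and defers on scan
    # errors; Postfix answers with a temporary error when a milter fails.
    on_infected = cm.get("OnInfected", "Quarantine").lower()
    on_fail = cm.get("OnFail", "Defer").lower()
    default_action = pf.get("milter_default_action", "tempfail").lower()

    # Path 1: the milter scanned the mail and found something. This is the
    # milter's own action and, per the reply above, is not the Postfix 2.6
    # feature.
    findings = [("info", "infected-action",
                 f"clamav-milter decides the fate of infected mail: {on_infected}")]
    if on_infected == "accept":
        findings.append(("high", "infected-accepted",
                         "detected malware is delivered"))
    # Path 2: scanning did not happen at all (milter error or milter down).
    if on_fail == "accept":
        findings.append(("high", "fail-open-milter",
                         "mail is accepted unscanned on scan errors"))
    if default_action == "accept":
        findings.append(("high", "fail-open-postfix",
                         "mail is accepted unscanned when the milter is unavailable"))
    if default_action == "quarantine" and postfix_version < (2, 6):
        findings.append(("error", "quarantine-needs-2.6",
                         "milter_default_action = quarantine requires Postfix 2.6 or later"))
    return findings


if __name__ == "__main__":
    for severity, code, detail in audit(MAIN_CF, MILTER_CONF):
        print(f"{severity:5} {code}: {detail}")
```
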


Re: [Clamav-users] Did Clamd REALLY crash ?

2009-06-05 Thread Robert Schetterer
Dennis Peterson wrote:
> Robert wrote:
> 
>> Would this then cause clamdwatch to assume Clamd had crashed
>> and restart it accordingly ??
>>
>>
>> If I'm way off base here, be merciful
> 
> Change the logic so that clamdwatch alerts only after two or more failures to 
> connect. There's lots of reasons why a single failure can trigger an alert.
> 
> dp

you may use monit to restart clam, works here like a charm

http://mmonit.com/monit/
http://susewiki.org/index.php?title=Monit

i use something like this with monit

/etc/monitrc

#   Clamavd: (virus scan daemon)
#   
check process clamavd with pidfile /var/lib/clamav/clamd.pid
   start program = "/etc/init.d/clamd start"
   stop  program = "/etc/init.d/clamd stop"
#if failed unix /var/run/clamav/clamd.ctl then restart
   if failed host localhost port 3310 then restart
   group virus
   depends clamavd_init
   depends clamavd_bin
check file clamavd_init with path /etc/init.d/clamd
   group virus
check file clamavd_bin with path /usr/sbin/clamd
   group virus

it is also useful with freshclam, postgrey, spamd, several milters

monit can alert you via mail by doing actions, also does logging to
syslog as well as clam should do it, so there should be no problem
to notice about crashes


-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria
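
Dennis Peterson's suggestion of alerting only after two or more failed connects, applied to the same TCP port 3310 check as the monit snippet, as an added example that is not part of the original thread. The Watchdog class and the fake clamd server are constructed so the example runs offline; the probe uses clamd's PING command.

```python
import socket
import socketserver
import threading


def ping_clamd(host="localhost", port=3310, timeout=5.0):
    """Return True only if clamd answers its PING command with PONG."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(b"zPING\0")   # 'z' prefix: NUL-terminated command
            reply = sock.recv(16)
    except OSError:                    # refused, unreachable or timed out
        return False
    return reply.rstrip(b"\0\n") == b"PONG"


class Watchdog:
    """Escalate to a restart only after `threshold` consecutive failures."""

    def __init__(self, probe, threshold=2):
        self.probe = probe
        self.threshold = threshold
        self.failures = 0

    def tick(self):
        """Run one probe and return 'ok', 'warn' or 'restart'."""
        if self.probe():
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures < self.threshold:
            return "warn"              # single miss: log it, do not restart
        self.failures = 0              # give the restarted daemon a clean slate
        return "restart"


class FakeClamd(socketserver.BaseRequestHandler):
    """Constructed stand-in for clamd so the example runs offline."""

    def handle(self):
        if self.request.recv(16) == b"zPING\0":
            self.request.sendall(b"PONG\0")


def demo():
    """Probe a fake clamd while it is up, then twice after it has gone away."""
    server = socketserver.TCPServer(("127.0.0.1", 0), FakeClamd)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    dog = Watchdog(lambda: ping_clamd("127.0.0.1", port, timeout=2.0))
    results = [dog.tick()]             # daemon answering
    server.shutdown()
    server.server_close()
    results += [dog.tick(), dog.tick()]  # two misses in a row
    return results


if __name__ == "__main__":
    print(demo())
```

A probe that gets a TCP connection but no PONG counts as a failure, which catches a clamd that is still listening but no longer answering.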


Re: [Clamav-users] clamav and postfix setup options

2009-06-14 Thread Robert Schetterer
Richard Chapman wrote:
> I am looking for basic setup instructions for scanning incoming postfix 
> 2.3.3. mail with clamav 0.95.1.
> I have checked both faq and archive - but still have basic questions - 
> such as:
> 1) Do I use the clamav-milter or procmail, or both.
> 2) If I use both - how do I invoke the milter with procmail.
> 
> I currently have spamassassin scanning the incoming email via procmail
> - and I assume the clamav setup would be similar. Or is the milter a
> completely different approach?
> 
> Can anyone point me to setup instructions - or other guidance.
> 
> Thanks
> Richard

Hi,
2.3.3 i think was the first version with milter i think
http://www.postfix.org/MILTER_README.html
--snip
Milter protocol version

As Postfix is not built with the Sendmail libmilter library, you may
need to configure the Milter protocol version that Postfix should use.
The default version is 6 (before Postfix 2.6 the default version is 2).

/etc/postfix/main.cf:
# Postfix ≥ 2.6
milter_protocol = 6
# 2.3 ≤ Postfix ≤ 2.5
milter_protocol = 2
--snip

don't know if it's really a good idea to use milter with that version
you should upgrade anyway to recent stable 2.6.2, i used milters from
2.4.x without any problems

if you use clamav milter it's a before queue filter
so need for procmail

you can also use after queue filter with clamd and clamsmtp
( which i would recommend if you don't want to change version )
http://memberwebs.com/stef/software/clamsmtp/
you may chain it with spampd
http://www.worlddesign.com/Content/rd/mta/spampd/spampd.htm

( or use amavis-new )

no need for procmail here too,

procmail is working as lda in most older setups
as/with filter language, you can do clam checks or/and spamassassin
checks there too before deliver in a local mailbox but
this isn't done anymore these days, there are better solutions around,
i only use it for internal low traffic mailservers which do getmail from
outside mailservers

i wouldn't recommend procmail anymore
a better choice is i.e using dovecot lda and sieve


-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria

Re: [Clamav-users] ClamAV update to 0.95.2

2009-06-18 Thread Robert Schetterer
Udo Stifter wrote:
> Hello,
> 
> I am currently using ClamAV 0.95.1 on my PowerMac G4 (933 MHz,
> 1.25 GB SDRAM, Mac OS X 10.4.11).
> For a few days now, freshclam has been reporting the following errors:
> --
> ClamAV update process started at Wed Jun 17 21:45:00 2009
> WARNING: Your ClamAV installation is OUTDATED!
> WARNING: Local version: 0.95.1 Recommended version: 0.95.2
> DON'T PANIC! Read http://www.clamav.net/support/faq
> main.cld is up to date (version: 51, sigs: 545035, f-level: 42,  
> builder: sven)
> Downloading daily-9466.cdiff [100%]
> ERROR: chdir_tmp: Can't create directory ./clamav- 
> f2e7533e176a61f5a916c398ddacf497
> WARNING: Incremental update failed, trying to download daily.cvd
> Downloading daily.cvd [100%]
> daily.cvd updated (version: 9478, sigs: 30118, f-level: 43, builder:  
> ccordes)
> WARNING: Your ClamAV installation is OUTDATED!
> WARNING: Current functionality level = 42, recommended = 43
> DON'T PANIC! Read http://www.clamav.net/support/faq
> Database updated (575153 signatures) from database.clamav.net (IP:  
> 130.59.10.36)
> Clamd successfully notified about the update.
> 
> Unfortunately, the website http://www.clamav.net/support/faq is not
> really helpful for me.
> Who can help me carry out the update on my PowerMac?
> 
> Udo
> 
> 

Hello Udo, there was a problem with one of the signatures,
which should already be fixed; you should write in English here

-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Re: [Clamav-users] clamav-milter with postfix

2009-06-22 Thread Robert Schetterer
Jerry wrote:
> I am about to set up a new installation of Postfix and clamav-milter on
> a FreeBSD-7.2 system. On my present system I have clamsmtp installed. I
> was thinking that clamav-milter might be a better choice.
> 
> Can anyone supply me with a basic template for getting clamav-milter
> working with Postfix? I have the latest version of Postfix-2.6x and
> clamav installed.

no problem here works fine
install and setup you find in postfix clamav examples files and faqs

> 
> also, am I correct in assuming that clamav-milter will only add a
> header to the infected email but not modify the SUBJECT: line?
> 
> Thanks!
> 
question of taste, i reject infected mails with the virus signature name
but you may also quarantine it in the hold queue for human inspection
later



-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Re: [Clamav-users] Feedback on clamav + sanesecurity experience

2010-07-21 Thread Robert Schetterer
On 20.07.2010 20:35, Laurence MOINDROT wrote:
> Hi Everyone,
> 
> We are currently using clamav (0.96.1), spamassassin (3.3.1),
> greylisting (4.2.5) and sendmail (8.14.4) on our mailserver's cluster
> (OS : freeBSD 8.0) at the University of Strasbourg. This antispam and
> antivirus solution was quite sure until last month.
> We've been having intensive phishing issues for one month and we are
> considering using sanesecurity's signatures to improve the situation.
> 
> We would appreciate any feedback on your experience using clamav with
> sanesecurity.

works nice, use sanesecurity lists with low false positives rate
you can choose them within the download script
on their website, i use them with milter
at last you should use all native antispam options in sendmail too
( no idea from sendmail, but i mean such thing like reject unknown
domain in postfix etc)

> 
> Thanks in advance.
> Regards.
> Laurence Moindrot
> -- 
> University of Strasbourg
> IT Service


-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


[Clamav-users] stopping Can't resolve LocalNet hostname unknown

2010-10-22 Thread Robert Schetterer
Hi, can i stop
failure message
Can't resolve LocalNet hostname unknown
without losing other useful debug infos?
-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Re: [clamav-users] ClamAV and Mal/Phish-A

2010-12-11 Thread Robert Schetterer
On 10.12.2010 20:01, TAN BUI wrote:
> 
> We are running ClamAV 96.5 on Slamd64 machines with freshclam
> running every hour to update the virus database; Besides the
> official ClamAV database, we also download those from
> Sanesecurity, SecurityInfo, MalwarePatrol once a day. The
> servers run sendmail 8.14.3 with mimedefang 2.66 calling ClamAV.
> All messages are scanned and delivered if they are virus-free;
> if detected as virus-laden, the messages will be quarantined in
> a specific sub-directory on the same mail servers where we can
> retrieve to examine, if necessary.
> 
> Some users have their mail forwarded to an account on another
> system where Sophos is being used. Since October 28, we have
> been notified by the mail administrator of that system some
> messages forwarded from our mail servers are detected by
> Sophos (running on their mail server) as infected with
> Mal/Phish-A . Unfortunately, we do not have the infected
> messages since they are considered  "clean" by ClamAV on
> our mail servers and their mail server does not keep a copy
> of infected messages.
> 
> We are wondering if anyone else also experiences this kind of
> problem. As ClamAV et al. name viruses differently from Sophos,
> we don't know for sure if ClamAV is detecting Mal/Phish-A .
> 
> Thank you very much for all your help/suggestions.
> 
> Tan Bui
> Concordia University
> Montreal, Quebec
> Canada

i would say this is expected,
different scanners different virus-spam dbs, it will ever happen sometimes
at last forwarding mail isn't a very good idea these days
for several reasons ( spf etc )
if you have good connections to the postmasters of the forward recipient
mail servers talk to them to trust your mails and don't scan them again

in real there will be always such stuff ( false-positive ), for sure it
should be rare as it could be

-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Re: [clamav-users] Clamd - false positives hash

2011-05-30 Thread Robert Schetterer
On 30.05.2011 19:55, cas...@gmail.com wrote:
> Hi,
> 
> Today I got our third PUA.* false positive.
> (PUA.Script.PDF.EmbeddedJS)
> (PUA.OLE.EmbeddedPDF)
> (PUA.OLE.EmbeddedPDF)
> 
> Hashes identified by clamscan --detect-pua --debug are now in our local.ign2.
> 
> E-mail attached files were identified as virus but, when tested with another
> antivirus, nothing was detected.
> 
> Files are confidential, so, we can't share them.
> 
> We are using ClamAV 0.97, with freshclam.
> 
> 
> Are more people getting this behaviour?
> 
> 
> Thank you.
> 
> Best regards,
> 
> Cássio

yes i confirm false positives
with PUA.Script.PDF.EmbeddedJS
i disabled pua
-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Re: [clamav-users] eicar-like phishing test signature?

2011-09-06 Thread Robert Schetterer
On 06.09.2011 11:55, Matus UHLAR - fantomas wrote:
> Hello,
> 
> does clamav include any signature used to test phishing mail?
> 

there is gtube antispam test sig
http://spamassassin.apache.org/gtube/

-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Re: [clamav-users] Phishing and ClamAV

2011-10-20 Thread Robert Schetterer
On 20.10.2011 13:29, Török Edwin wrote:
> On 10/20/2011 01:59 PM, Ivan Ivanov wrote:
>> Hello,
>>   
>> I am newbie with ClamAV and I am trying to improve phishing accuracy on an
>> e-mail server installation.
>> Unfortunately I was not able to understand how to do that in details. Should
>> I use daily.pdb or phishing signatures are included already in another
>> databases?
>> It appears that even after enabling using of phishing signatures in
>> clamd.conf freshclam does not download daily.pdb.
> 
> daily.pdb is included inside daily.cvd already.
> 
> Best regards,
> --Edwin

additionally you may use the sigs from
http://sanesecurity.com/

especially with clamav-milter this helps a lot rejecting phishing and spam
on smtp income level

-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


[clamav-users] ZIP/Bredolab.A!Camelot

2012-07-20 Thread Robert Schetterer
Hi, just was informed that some mails with
ZIP/Bredolab.A!Camelot

slipped through up2date clamav gateway , detected by
Microsoft Forefront

the sender is deutschepost.de
ever

someone an idea to that ?

-- 
Best Regards
MfG Robert Schetterer


Re: [clamav-users] ZIP/Bredolab.A!Camelot

2012-07-20 Thread Robert Schetterer
On 20.07.2012 17:41, Steve Basford wrote:
> 
>> Hi, just was informed that some mails with
>> ZIP/Bredolab.A!Camelot
>>
>> slipped through up2date clamav gateway , detected by
>> Microsoft Forefront
> 
> 
> Hi,
> 
> Did they slip past the Sanesecurity phish.ndb/rogue.hdb ones too?
> 
> Cheers,
> 
> Steve
> Sanesecurity
> 
> 

Hi Steve, yes they did, last update

2012-07-20 11:54 /var/lib/clamav/phish.ndb
2012-07-20 17:55 /var/lib/clamav/rogue.hdb

-- 
Best Regards
MfG Robert Schetterer


Re: [clamav-users] ZIP/Bredolab.A!Camelot

2012-07-20 Thread Robert Schetterer
On 20.07.2012 18:02, Joel Esler wrote:
> On Jul 20, 2012, at 11:22 AM, Robert Schetterer  wrote:
> 
>> Hi, just was informed that some mails with
>> ZIP/Bredolab.A!Camelot
>>
>> slipped through up2date clamav gateway , detected by
>> Microsoft Forefront
>>
>> the sender is deutschepost.de
>> ever
>>
>> someone an idea to that ?
> 
> If you have the files, can you upload them to ClamAV.net and then send the 
> md5s back to the list so we can take a look?

sorry i don't quarantine with milter, and have got no example
from Forefront

perhaps i will hold them until flood goes on

> 
> --
> Joel Esler
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
> 


-- 
Best Regards
MfG Robert Schetterer


Re: [clamav-users] ZIP/Bredolab.A!Camelot

2012-07-20 Thread Robert Schetterer
On 20.07.2012 22:44, Robert Schetterer wrote:
> On 20.07.2012 18:02, Joel Esler wrote:
>> On Jul 20, 2012, at 11:22 AM, Robert Schetterer  
>> wrote:
>>
>>> Hi, just was informed that some mails with
>>> ZIP/Bredolab.A!Camelot
>>>
>>> slipped through up2date clamav gateway , detected by
>>> Microsoft Forefront
>>>
>>> the sender is deutschepost.de
>>> ever
>>>
>>> someone an idea to that ?
>>
>> If you have the files, can you upload them to ClamAV.net and then send the 
>> md5s back to the list so we can take a look?
> 
> sorry i don't quarantine with milter, and have got no example
> from Forefront
> 
> perhaps i will hold them until flood goes on

no more further mails such kind were logged
latest all got rejected by rbls
but i contact the exchange admin to upload a sample here

http://cgi.clamav.net/sendvirus.cgi
> 
>>
>> --
>> Joel Esler
>> Senior Research Engineer, VRT
>> OpenSource Community Manager
>> Sourcefire
>>
> 
> 


-- 
Best Regards
MfG Robert Schetterer


Re: [clamav-users] ZIP/Bredolab.A!Camelot

2012-07-23 Thread Robert Schetterer
On 20.07.2012 22:53, Robert Schetterer wrote:
> On 20.07.2012 22:44, Robert Schetterer wrote:
>> On 20.07.2012 18:02, Joel Esler wrote:
>>> On Jul 20, 2012, at 11:22 AM, Robert Schetterer  
>>> wrote:
>>>
>>>> Hi, just was informed that some mails with
>>>> ZIP/Bredolab.A!Camelot
>>>>
>>>> slipped through up2date clamav gateway , detected by
>>>> Microsoft Forefront
>>>>
>>>> the sender is deutschepost.de
>>>> ever
>>>>
>>>> someone an idea to that ?
>>>
>>> If you have the files, can you upload them to ClamAV.net and then send the 
>>> md5s back to the list so we can take a look?
>>
>> sorry i don't quarantine with milter, and have got no example
>> from Forefront
>>
>> perhaps i will hold them until flood goes on
> 
> no more further mails such kind were logged
> latest all got rejected by rbls
> but i contact the exchange admin to upload a sample here
> 
> http://cgi.clamav.net/sendvirus.cgi
>>
>>>
>>> --
>>> Joel Esler
>>> Senior Research Engineer, VRT
>>> OpenSource Community Manager
>>> Sourcefire
>>>
>>
>>
> 
> 

Hi, it seems it's got detected now
as Suspect.Trojan.Generic.FD-1

-- 
Best Regards
MfG Robert Schetterer


Re: [clamav-users] Is there a way to download old clamAV cvd file from 2007, 2009, 2011 etc.?

2013-02-04 Thread Robert Schetterer
On 04.02.2013 19:52, Kaushik Vaidyanathan wrote:
> Hi
> 
> I was wondering if there is a  way to access clamAV databases (main.cvd and
> daily.cvd) which were released in 2007, 2009 etc..
> 
> Thank you!
> 

i am not sure
just an idea

but check download
dvd/cd  isos

http://old-releases.ubuntu.com/releases/

install it on some vm then install the clam debs
a starting signature data base should be included




Best Regards
MfG Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Executive board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Joerg Heidrich


[Clamav-users] db.de.clamav.net Can't connect

2007-04-11 Thread Robert Schetterer

Hi @ll,
since yesterday i have problems with update mirror
db.de.clamav.net is this a known problem, should i change the mirror?

some grep from mail log


Apr 11 23:53:40 postmailer freshclam[28032]: Trying host db.de.clamav.net
(194.77.146.139)...
Apr 11 23:53:40 postmailer freshclam[28032]: nonblock_connect:
connect(): fd=6 errno=103: Software caused connection abort
Apr 11 23:53:40 postmailer freshclam[28032]: Can't connect to port 80 of
host db.de.clamav.net (IP: 194.77.146.139)
Apr 11 23:53:40 postmailer freshclam[28032]: Ignoring mirror
195.246.234.199 (due to previous errors)
Apr 11 23:53:40 postmailer freshclam[28032]: Trying host
db.de.clamav.net (213.174.32.130)...
Apr 11 23:53:40 postmailer freshclam[28032]: connect_error:
getsockopt(SO_ERROR): fd=6 error=111: Connection refused
Apr 11 23:53:40 postmailer freshclam[28032]: Can't connect to port 80 of
host db.de.clamav.net (IP: 213.174.32.130)
Apr 11 23:53:40 postmailer freshclam[28032]: Trying host
db.de.clamav.net (217.115.136.166)...
Apr 11 23:53:40 postmailer freshclam[28032]: nonblock_connect:
connect(): fd=6 errno=103: Software caused connection abort
Apr 11 23:53:40 postmailer freshclam[28032]: Can't connect to port 80 of
host db.de.clamav.net (IP: 217.115.136.166)
Apr 11 23:53:40 postmailer freshclam[28032]: Ignoring mirror
217.160.141.39 (due to previous errors)
Apr 11 23:53:40 postmailer freshclam[28032]: getpatch: Can't download
daily-3073.cdiff from db.de.clamav.net
Apr 11 23:53:40 postmailer freshclam[28032]: Retrieving
http://db.de.clamav.net/daily-3073.cdiff

- --
Mit freundlichen Gruessen
Best Regards

Robert Schetterer

https://www.schetterer.org
Munich/Bavaria/Germany

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] db.de.clamav.net Can't connect

2007-04-11 Thread Robert Schetterer

jacusy wrote:
> Robert Schetterer wrote:
>> Hi @ll,
>> since yesterday i have problems with update mirror
>> db.de.clamav.net is this a known problem, should i change the mirror?
> For me db.at.clamav.net worked fine, and .de. did not at all.
> 

Jep i see  db.at.clamav.net
works fine
- --
Mit freundlichen Gruessen
Best Regards

Robert Schetterer

https://www.schetterer.org
Munich/Bavaria/Germany



Re: [Clamav-users] Clamdmon.sh

2007-04-12 Thread Robert Schetterer

Xavier Beaudouin wrote:
> Hi !
> 
>> I am amazed at the number of people here that apparently not using
>> SOMETHING to monitor clamd.  Esp. when the developers include a nice
>> script to check and restart clamd.
> 
> Monitoring sensitive service is a normal process in a production
> environment IMHO.
> 
>> I run three different mail servers and quickly found clamdmon and just a
>> bit of PERL programming created a means of being notified of an issue.
>> Yes, you have to have a means of being notified 'out of band'.  But if
>> you are serious about uptime, you need to know promptly when a mail
>> server is not processing email and at that point you can't depend on
>> that email server to tell you it's broken.
> 
> As several administrators I know a general tool like monit can do this job 
> very well and even restart clamd when it is blocked with a biiig mail 
> sometimes.
> 
> There is even examples on monit website to show how to do that.
> 
> /Xavier
> 
hi, it wasn't needed to monitor clamav in the past, you're right
monit does a very good job

-- 
Mit freundlichen Gruessen
Best Regards

Robert Schetterer

https://www.schetterer.org
Munich/Bavaria/Germany

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
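The thread above is about noticing, from outside the mail path, that clamd has died or is blocked on a large message. As an added example (not code from the thread, from clamdmon or from monit), this probe sends clamd's PING command and treats anything other than a timely PONG as down; the retry wrapper and the command-line form are assumptions of this sketch, and it goes slightly beyond the thread by covering both local-socket and TCP listeners.

```python
#!/usr/bin/env python3
"""Liveness probe for clamd, intended to run out of band from the mail server."""
import socket
import sys
import time


def clamd_ping(address, timeout=5.0):
    """Return True only if clamd answers PING with PONG within `timeout` seconds.

    `address` is a filesystem path (LocalSocket) or a (host, port) tuple
    (TCPSocket). A daemon that accepts the connection but never answers,
    e.g. because it is stuck on a huge message, counts as down.
    """
    family = socket.AF_UNIX if isinstance(address, str) else socket.AF_INET
    reply = b""
    try:
        with socket.socket(family, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            sock.connect(address)
            # The "z" prefix selects null-terminated command and reply.
            sock.sendall(b"zPING\0")
            # Read until the terminator; cap the size so a misbehaving
            # peer cannot keep the probe busy.
            while not reply.endswith(b"\0") and len(reply) < 64:
                chunk = sock.recv(64)
                if not chunk:
                    break
                reply += chunk
    except OSError:
        # Connection refused, missing socket file, or timeout.
        return False
    return reply.rstrip(b"\0\r\n") == b"PONG"


def clamd_alive(address, attempts=3, timeout=5.0, pause=1.0):
    """Probe up to `attempts` times so one slow reply does not trigger a restart."""
    for attempt in range(attempts):
        if clamd_ping(address, timeout):
            return True
        if attempt + 1 < attempts:
            time.sleep(pause)
    return False


if __name__ == "__main__":
    # Usage: probe.py /path/to/clamd.sock    or    probe.py HOST PORT
    if len(sys.argv) == 2:
        target = sys.argv[1]
    elif len(sys.argv) == 3:
        target = (sys.argv[1], int(sys.argv[2]))
    else:
        print("usage: probe.py SOCKET_PATH | probe.py HOST PORT")
        sys.exit(0)
    ok = clamd_alive(target)
    print("clamd OK" if ok else "clamd DOWN")
    # A non-zero exit lets the calling monitor alert or restart.
    sys.exit(0 if ok else 2)
```

Run it from a second host or a pager gateway rather than from the mail server it watches, so the alert does not depend on the service being checked.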


[Clamav-users] Phishing.Heuristics.Email.SpoofedDomain

2007-07-13 Thread Robert Schetterer

Hi @ll

can someone explain this virus type

 Phishing.Heuristics.Email.SpoofedDomain

this mail looks good , on a first look,

seems to be amazon promotion, also spf record are fine

-- 
Mit freundlichen Gruessen
Best Regards

Robert Schetterer

https://www.schetterer.org
Germany


Re: [Clamav-users] Phishing.Heuristics.Email.SpoofedDomain

2007-07-13 Thread Robert Schetterer

Török Edvin schrieb:
> On 7/13/07, Robert Schetterer <[EMAIL PROTECTED]> wrote:
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA1
>>
>> Hi @ll
>>
>> can someone explain this virus type
>>
>>  Phishing.Heuristics.Email.SpoofedDomain
> 
> PhishingScanURLs BOOL
>   Scan  URLs  found  in  mails for phishing attempts using
> heuristics. This will classify "Possibly Unwanted" phishing
>   emails as Phishing.Heuristics.Email.*
>   Default: yes
>> this mail looks good , on a first look,
>>
>> seems to be amazon promotion, also spf record are fine
> 
> Sent by amazon, or some 3rdparty?
> 
> Submit it as a false positive at http://cgi.clamav.net/sendvirus.cgi
> 
> --Edwin
> ___
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://lurker.clamav.net/list/clamav-users.html
> 
Hi Edvin,
thx for explain

to me this mail looks good i will submit it to

http://cgi.clamav.net/sendvirus.cgi

perhaps your eyes will see more than mine
-- 
Mit freundlichen Gruessen
Best Regards

Robert Schetterer

https://www.schetterer.org
Germany


Re: [Clamav-users] Phishing.Heuristics.Email.SpoofedDomain

2007-07-13 Thread Robert Schetterer

Török Edvin schrieb:
> On 7/13/07, Robert Schetterer <[EMAIL PROTECTED]> wrote:
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA1
>>
>> Hi @ll
>>
>> can someone explain this virus type
>>
>>  Phishing.Heuristics.Email.SpoofedDomain
> 
> PhishingScanURLs BOOL
>   Scan  URLs  found  in  mails for phishing attempts using
> heuristics. This will classify "Possibly Unwanted" phishing
>   emails as Phishing.Heuristics.Email.*
>   Default: yes
>> this mail looks good , on a first look,
>>
>> seems to be amazon promotion, also spf record are fine
> 
> Sent by amazon, or some 3rdparty?
> 
> Submit it as a false positive at http://cgi.clamav.net/sendvirus.cgi
> 
> --Edwin
> ___
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://lurker.clamav.net/list/clamav-users.html
> 

Submitted it as false positive,
i think the problem results out of using lots of amazon.de urls in the body
but coming from amazon.com servers


-- 
Mit freundlichen Gruessen
Best Regards

Robert Schetterer

https://www.schetterer.org
Germany


[Clamav-users] JS.Downloader-37 what is this

2008-01-17 Thread Robert Schetterer
Hi all,
where can i find a description to JS.Downloader-37
some customer programmer says this is not really a virus
or a security Problem
if it so
is there a way to make clamscan ignore such type of stuff
-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Re: [Clamav-users] JS.Downloader-37 what is this

2008-01-17 Thread Robert Schetterer
aCaB schrieb:
> Robert Schetterer wrote:
>> Hi all,
>> where can i find a description to JS.Downloader-37
>> some customer programmer says this is not really a virus
>> or a security Problem
>> if it so
>> is there a way to make clamscan ignore such type of stuff
> 
> Report the FP here.
> http://cgi.clamav.net/sendvirus.cgi
> Make sure you mark it as False Positive.
> 
> -aCaB
> ___
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://lurker.clamav.net/list/clamav-users.html
thx for the url,
but i am more interested in a description what
JS.Downloader-37 is and why it was mark as a security risk
-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


[Clamav-users] Trojan.Downloader.JS.Agent-1 jquery.js java script lib

2008-04-06 Thread Robert Schetterer
Hi @ll,

since yesterday's update two older files on my sharedweb were marked as virus

Submission-ID: 2142059
Sender: Virus Total
Submission notes: Signature by Michael Cichosz
Added: Trojan.Downloader.JS.Agent-1

these are jquery.js
which is a widely spread java script lib

is there really a security problem with it ?
and where can i find related info
to me it looks like false positive

-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


[Clamav-users] Description Trojan.VB-2953

2008-06-06 Thread Robert Schetterer
Hi @ll,
where kann i find
a description about Trojan.VB-2953

-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Re: [Clamav-users] Description Trojan.VB-2953

2008-06-06 Thread Robert Schetterer
Robert Schetterer schrieb:
> Hi @ll,
> where kann i find
> a description about Trojan.VB-2953
> 
  sorry i slipped into German
should be

  where can i find a description
about Trojan.VB-2953

-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Re: [Clamav-users] Description Trojan.VB-2953

2008-06-06 Thread Robert Schetterer
Ian Eiloart schrieb:
> 
> --On 6 June 2008 11:03:22 +0200 Robert Schetterer <[EMAIL PROTECTED]> 
> wrote:
> 
>> Robert Schetterer schrieb:
>>> Hi @ll,
>>> where kann i find
>>> a description about Trojan.VB-2953
>>>
>>   sorry i slipped into German
>> should be
>>
>>   where can i find a description
>> about Trojan.VB-2953
> 
> We have punctuation in English, and you should say "description of", not 
> "description about" so it should be:
> 
> "Where can I find a description of Trojan.VB-2953?"
> 
> Sorry to be pedantic, but you started it, and I couldn't resist. ;^)
> 
> 
its a pity , that you didn't really answer the question,
if you find any other bugs you may keep it *g


-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Re: [Clamav-users] Description Trojan.VB-2953

2008-06-06 Thread Robert Schetterer
Dennis Peterson schrieb:
> Robert Schetterer wrote:
>> Ian Eiloart schrieb:
>>> --On 6 June 2008 11:03:22 +0200 Robert Schetterer <[EMAIL PROTECTED]> 
>>> wrote:
>>>
>>>> Robert Schetterer schrieb:
>>>>> Hi @ll,
>>>>> where kann i find
>>>>> a description about Trojan.VB-2953
>>>>>
>>>>   sorry i slipped into German
>>>> should be
>>>>
>>>>   where can i find a description
>>>> about Trojan.VB-2953
>>> We have punctuation in English, and you should say "description of", not 
>>> "description about" so it should be:
>>>
>>> "Where can I find a description of Trojan.VB-2953?"
>>>
>>> Sorry to be pedantic, but you started it, and I couldn't resist. ;^)
>>>
>>>
>> its a pitty , that you didnt answer real the question,
>> if you find any other bugs you may keep it *g
>>
>>
> 
> In the directory where your ClamAV databases are:
> 
> $ grep Trojan.VB-2953 *
> 
> daily.cld:23552:399636e1cf123faa9dc0c1c1ed9a4a52:Trojan.VB-2953
> 
> 
> dp
> 
> ___
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://lurker.clamav.net/list/clamav-users.html

i already know this, what i am looking for is a description
of the malware functions in the virus


-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Re: [Clamav-users] Large increase in mail viruses?

2008-08-01 Thread Robert Schetterer
fchan schrieb:
> Hi,
> I don't know if your seeing this also but since Monday July 28, 2008 
> I seen double and more in viruses caught by clamav in my mail server. 
> My daily average has been about 100 viruses for our mail server for 
> the last 8 months but since Monday July 28, 2008 my daily average has 
> increased  from 200 to 300 and still increasing.  The two "popular" 
> viruses on my mail server are Email.Phishing.Bank-42 and   
> Email.PornTeaser-1.
> I'm checking if anyone else seen this increase or they are just have 
> "fun" with my mail server.
> 
> Frank
> ___
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://www.clamav.net/support/ml

its the same here
Email.Phishing.Bank-42
Email.PornTeaser-1
very popular *g

-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Re: [Clamav-users] commit many virus

2008-08-20 Thread Robert Schetterer
Aron schrieb:
> Hi there,
> I would like to commit many virus that clamav cannot discover at this 
> moment,what should I do?
> I've already know the names of them by using other antivirus software.
> 
> Regards,
> Aron Xu
> ___
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://www.clamav.net/support/ml

http://cgi.clamav.net/sendvirus.cgi
should work

-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Re: [Clamav-users] Malware submission / Virustotal

2008-10-26 Thread Robert Schetterer
Karsten Bräckelmann schrieb:
> Recent flood of (German only?) Trojan.Agent malware, partly slipping by
> ClamAV. So I now am submitting samples where I spot 'em...
> 
> By doing so, two questions came up:
> 
> (a) After testing the sample message with Virustotal, should I even
> bother submitting it from clamav.net, too? If memory serves me
> correctly, these samples are being forwarded to the ClamAV sig team
> anyway. Just couldn't find any note on the websites...
> 
> (b) When submitting on clamav.net I opted in for "notify me" and "stay
> anonymous". However, I didn't get any notification about yesterdays
> sample, which already has been added to the sigs. How comes, is this
> broken?
> 
> Thanks in advance for any insight, that might help speed up the process
> and not waste our sig teams time unnecessarily.
> 
>   guenther
> 
> 

Hi Karsten,
just for my interest, i don't see
a significant growth of german malware in mail,
i use clamav-milter with
http://www.sanesecurity.com/clamav/
and i don't know of something slipping through
( investigated the quarantine dir )
on 5 really big mailservers with over a hundred domains ( mostly german )
and over 3000 mailboxes,
after all it would only be evil if real viri bypass
but as its some kind of spam ( phishing etc ) its
checked by spamassassin and marked too in my setups
perhaps you should tune up antispam features in your mailserver
in general to block incoming bots before getting to clamav-antivir stage
that should bring down the malware rate in any case
so where does your info come from ?


-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria

Re: [Clamav-users] Malware submission / Virustotal

2008-10-26 Thread Robert Schetterer
Karsten Bräckelmann schrieb:
> On Sun, 2008-10-26 at 10:22 +0100, Robert Schetterer wrote:
>> Karsten Bräckelmann schrieb:
>>> Recent flood of (German only?) Trojan.Agent malware, partly slipping by
>>> ClamAV. So I now am submitting samples where I spot 'em...
>>>
>>> By doing so, two questions came up:
> 
> [ Yet unanswered sample submission best-practice questions snipped. ]
> 
>> Hi Karsten,
>> just for may interest, i dont see
>> a significant grow of german maleware in mail,
>> i use clamav-milter with
>> http://www.sanesecurity.com/clamav/
>> and i dont know something slipping through
>> ( investigated the quarantaine dir )
>> on 5 realy big mailserver with over hundert domains ( mostly german )
>> an over 3000 mailboxes,
> 
> OK, here's a rough sketch, no hard numbers. Also, please note that I am
> NOT a mail admin with a lot of users. The numbers below represent pretty
> much me, and me only. :)
> 
> This started Fri and seems to have ceased by today already. I received
> like 40 of these a day, with half of them slipping by ClamAV on Fri.
> Usually I don't even get anything near 40 malware mails a *week*. That's
> why I believe the term "flood" is justified.
> 
> (Talking about malware, attached archives containing Windows
> executables, mind you. This does not include the bulk of pestering
> phishes. And yes, I do use the SaneSecurity phish sigs.)
> 
> 
>> after all it would only be evil if real viri bypass
>> but as its some kind of spam ( pishing etc ) its
>> checked from spamassassin and marked too in my setups
>> perhaps you should tune up antispam features in your mailserver
> 
> SpamAssassin is tuned rather well, thanks. :)  In fact, you probably
> should know me from the SA mailing list, Robert. ;)
> 
> And indeed, all of them scored around 15+, none slipped by SA. This
> however is a consequence of using the same botnet. ClamAV still didn't
> recognize the malware.
> 
> 
> I didn't complain. And my post was not about ClamAV not catching them,
> either. I asked about sample submission best-practices and avoiding
> unnecessary workload -- which remains unanswered.
> 
> 
>> in general to block incoming bots before getting to clamav-antivir stage
>> that should raise down the maleware rate in any case
> 
> I don't block at SMTP stage for various reasons. One being, that I need
> the spam corpus.
> 
> Anyway, while this gets slightly off-topic, most of these did hit
> Spamhaus XBL (sic) or at least PBL. That might explain why you didn't
> see them.
> 
> 
>> so where do your info come from ?
> 
> Straight from my mail in-stream. :)  Plus some general knowledge about
> botnets and their specific, identifying patterns, regarding some of the
> statements above.
> 
> 
thats how life plays, everyone has its own spam,
so your personal targetted
i was just wondering about some  new viri/spam flood
which didnt pass to me *g


-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria

Re: [Clamav-users] Sanesecurity.com download disabled

2008-12-11 Thread Robert Schetterer
Steve Basford schrieb:
> Hi All,
> 
> My webhost disabled sanesecurity.com due to high cpu usage, they could
> only give me the following infomation which doesn't mean a lot to me,
> but does this sound high?
> 
> Swap:  4096564k total,   408264k used,  3688300k free,   801468k cached
> 
>  PID USER  PR  NI  VIRT  RES  SHR S %CPU %MEMTIME+  COMMAND
> 713   16   0 000 Z  0.8  0.0   0:00.10 [php] 
> 692   18   0 18416 7376 4660 D  0.7  0.4   0:00.10 /usr/php4/bin/php
> 844   16   0 51184  12m 9736 R  0.7  0.6   0:00.06 /usr/php4/bin/php
> 599   18   0 18416 7364 4664 D  0.6  0.4   0:00.10 /usr/php4/bin/php
> 614   18   0 18416 7308 4632 D  0.6  0.4   0:00.09 /usr/php4/bin/php
> 666   16   0 51184  28m  25m R  0.6  1.4   0:00.09 /usr/php4/bin/php
> 671   16   0 51184  35m  33m R  0.6  1.8   0:00.09 /usr/php4/bin/php
> 673   16   0 51184  36m  33m R  0.6  1.8   0:00.09 /usr/php4/bin/php
> 675   16   0 51184  29m  27m R  0.6  1.5   0:00.08 /usr/php4/bin/php
> 759   18   0 18416 7376 4660 D  0.6  0.4   0:00.09 /usr/php4/bin/php
> 846   16   0 51184  10m 8532 R  0.6  0.5   0:00.05 /usr/php4/bin/php
> 847   16   0 51184  13m  11m R  0.6  0.7   0:00.05
> /usr/php4/bin/php 
>  627 wdmxfam   18   0 49412 4528 3384 D  0.5  0.2   0:00.04
> /usr/php4/bin/php
> 636   18   0 49412 4472 3352 D  0.5  0.2   0:00.04 /usr/php4/bin/php
> 637   18   0 18416 7308 4632 D  0.5  0.4   0:00.09 /usr/php4/bin/php
> 640   18   0 18416 7376 4660 D  0.5  0.4   0:00.09 /usr/php4/bin/php
> 644   18   0 49412 4472 3352 D  0.5  0.2   0:00.04 /usr/php4/bin/php
> 646   18   0 49412 4528 3380 D  0.5  0.2   0:00.04 /usr/php4/bin/php
> 
> As as result, I've had to disable the download URL Rotator script, as I'm
> guessing that's the script that's causing the problem
> (http://www.ljscripts.com/freescripts/)  Can anyone recommend a free URL
> Rotator script other that the above one.
> 
> I'm basically thinking that the problem is because I'm using a shared web
> host package... and should be using a dedicated server host, due to the
> number of users running the url script??
> 
> Sorry this is rushed... currently doing my normal day job :)
> 
> Cheers in advance for any help,
> 
> Steve
> Sanesecurity
> 
> ___
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://www.clamav.net/support/ml

Hi Steve
using loadbalancers, mirrors
dedicated root servers etc should solve your problem
these top messages don't give enough info to analyse what's happening
web server logs would be better
but i think , you have wild running http clients which
proceed in starting lots of new process requests, after all you shouldn't
use php4 anymore, its no longer security supported
and maybe the script you use has known bugs so these are trying hacks
or your site is targeted because sanesecurity.com
gives spammers a hard time
perhaps cheap dns loadbalancing will solve your problem
( if you already have mirrors ) as a workaround
you may also use some loadbalancing software like balance
on a root host to spread to mirrors
what are you doing with the script exactly?
is it only for your website, and not for your clam db ?
I download your antivir db via rsync script three times a day
that works nice
-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Re: [Clamav-users] Sanesecurity Announcement

2008-12-14 Thread Robert Schetterer
Steve Basford schrieb:
> 14/12/08
> 
> Sanesecurity signatures are no longer being updated or distributed due
> to extremely high server resource usage, which appears to be from a
> distributed denial of service attack (DDoS). I've moved server hosts
> twice (which takes time) and both times have resulted in the site being
> suspended.
> 
> As many of you know, I produce the signatures and run the site, in my
> spare time and with Christmas approaching I’m finding my spare time is
> currently limited.
> 
> Hopefully this won’t be the end of the signatures and I’m hoping that
> they may return in the New Year.
> 
> May I take this opportunity to thank everyone who has helped this
> project, either by providing samples, bandwidth, download scripts or
> donating.
> 
> Thanks and sorry to let you all down.
> 
> Steve
> Sanesecurity
> 
> 
> ___
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://www.clamav.net/support/ml

Hi Steve,
mail to me offlist maybe i can help in mirror or something else


-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Re: [Clamav-users] squid + clamd performance pointers anyone

2009-02-10 Thread Robert Schetterer
da...@davidwbrown.name schrieb:
> Hello Steve, I found a .PDF @visolve.com that discusses Squid-cache 
> performance tuning guidelines. I don't have the link :-(. Regards, David.
> 
> Steve Holdoway wrote ..
>> As per title, it works, but it's just so slow... I've got a quad core xeon, 
>> 2GB
>> and loads of disk space available. Can anyone point me to any resources to 
>> help
>> me get the best out of the server - google's not helping ):
>>
>> Cheers,
>>
>> Steve
>> -- 
>> Steve Holdoway 
>> ___
>> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
>> http://www.clamav.net/support/ml
>>
>> 
>>
>> ___
>> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
>> http://www.clamav.net/support/ml

Hi,
realtime proxy virus scanning is heavy by nature,
but your described machine shouldn't have any problems
in cpu etc for hundreds of users
( if it doesn't do any other heavy jobs in parallel )
the real question is what antivirus application
do you use with squid
as there are many
i.e SCAVR HAVP
SquidClamAv, Squidwall
etc
some of them have performance issues
or need detailed config i.e don't scan jpgs etc
i had best results with
http://c-icap.sourceforge.net/
and clam beating others in performance
without special performance tuning for squid
after all related questions should go to the squid mail list


-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Re: [Clamav-users] Blog about the Active Malware Report System

2009-02-22 Thread Robert Schetterer
 and how to do so.
>>
>> All suggestions for future blog entries are welcome - please let me know 
>> any ideas you have.
>>
>> -Nigel
>>
>> -- 
>> Nigel Horne, nigel.ho...@sourcefire.com
>> Director of Product Management (ClamAV), Sourcefire, 
>> http://www.sourcefire.com
>> +1 301 518 7944 or +1 706 705 4022 FAX: +44 870 705 9334 ICQ: 20252325
>>
>> ClamAV is a registered trademark of Sourcefire Inc.
>> ___
>> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
>> http://www.clamav.net/support/ml
>>
>> 
>>
>> ___
>> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
>> http://www.clamav.net/support/ml


-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


[Clamav-users] old milter with 0.95

2009-04-03 Thread Robert Schetterer
Hi, i noticed i have to update to 0.95 because of security issues
but i don't wanna change milters on many mailservers if not needed.
Is there a chance of using old clamav-milter setups ( i.e. with commandline
options ) and clamd 0.95. ( guess i read so in the list )
If yes are there any online faqs about it?

-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Re: [Clamav-users] old milter with 0.95 / test with 0.95 milter gave can't read SMFIC_BODYEOB reply packet header

2009-04-04 Thread Robert Schetterer
aCaB schrieb:
> Robert Schetterer wrote:
>> Hi,i noticed i have to update to 0.95 by security issuses
>> but i dont wanna change milters on many mailsservers if not needed.
>> Is there a chance using old clamav-milter setups ( i. with commandline
>> options ) and clamd 0.95. ( guess i read so in the list )
>> If yes are there any online faqs about it?
> 
> Hi Robert,
> your best option is probably to run clamav-milter from 0.94.2 against a
> 0.95(.1) clamd.
> 
> -acab
> ___
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://www.clamav.net/support/ml

Yes indeed, but how,
i set up clam 0.95 new milter
and tried, seeing eicar is not recognized
tried other virus mail files but now i am seeing
can't read SMFIC_BODYEOB reply packet header
and the milter dies after recognizing it

-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


[Clamav-users] test with 0.95 milter gave can't read SMFIC_BODYEOB reply packet header

2009-04-04 Thread Robert Schetterer
Robert Schetterer schrieb:
> aCaB schrieb:
>> Robert Schetterer wrote:
>>> Hi,i noticed i have to update to 0.95 by security issuses
>>> but i dont wanna change milters on many mailsservers if not needed.
>>> Is there a chance using old clamav-milter setups ( i. with commandline
>>> options ) and clamd 0.95. ( guess i read so in the list )
>>> If yes are there any online faqs about it?
>> Hi Robert,
>> your best option is probably to run clamav-milter from 0.94.2 against a
>> 0.95(.1) clamd.
>>
>> -acab
>> ___
>> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
>> http://www.clamav.net/support/ml
> 
> Yes in deed, but how,
> i setup clam 0.95 new milter
> and tried, seeing eicar is not recoginzied
> tried other virus mail files but now i am seeing
> can't read SMFIC_BODYEOB reply packet header
> and the milter dies after recognizing it
> 

disabling LogInfected Full
seems to fix the crash
hold action in postfix 2.5.5 with quarantine
works, but i think it would be better to store them
in the filesystem as it was an option in the old milter
maybe this can be reenabled as optional in the conf

-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Re: [Clamav-users] clamav-milter 0.95

2009-04-04 Thread Robert Schetterer
Ed Kasky schrieb:
> Any idea when a new release can be expected?  My 0.95 milter install 
> has found nothing since upgrading and was quarantining between 8 and 
> 20 weekly (small company) since my first installation.
> 
> Our stats from the last 5 weeks:
> 
> http://www.wrenkasky.com/cgi-bin/virus/display.pl?number
> 
> Ed
> 
>> Author: Lyubomir Russev <lyubom...@cablebg.net>
>> Date: 2009-04-04 03:242009-04-04 10:24 -700UTC
>> To: ClamAV users ML <clamav-users@lists.clamav.net>
>> Subject: Re: [Clamav-users] clamav-milter 0.95
>> Hi!
>>
>> This is a confirmed bug of 0.95 clamav-milter. Fix to be expected soon:
>>
>> See: 
>> https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1531
>>  
>>
>>
>> Regards,
>> Lyubomir
>> - Original Message -
>> From: "Steffan Henke" <hen...@evendi.de>
>> To: <clamav-users@lists.clamav.net>
>> Sent: Saturday, April 04, 2009 12:49 PM
>> Subject: [Clamav-users] clamav-milter 0.95
>>
>>
>>> I tried to upgrade my previous 0.94 installation and have issues with the
>>> new milter, although I went through the docs, eg. at
>>>
>> http://lurker.clamav.net/message/20081205.152347.a7d7c9ee.en.html
>>  
>>
>>> I installed clamav-0.95-1.el4.rf.src.rpm , removed
>>> /etc/sysconfig/clamav-milter and modified my /etc/clamav-milter.conf.
>>> However, sendmail does not access the milter properly, no matter if I use
>>> local: or inet: mode.
>>> To avoid any permission issues, I use
>>>
>>> MilterSocket inet:7...@127.0.0.1
>>>
>>> in my conf and access that port in my sendmail.mc via
>>> INPUT_MAIL_FILTER(`clamav', `S=inet:7...@127.0.0.1, F=, T=S:4m;R:4m')dnl
>>> - but the Eicar test string isn't detected, all messages pass.
>>> The port is open:
>>> telnet localhost 7357
>>> Trying 127.0.0.1...
>>> Connected to localhost.
>>> Escape character is '^]'.
>>>
>>> and sendmail complains immediately once I shutdown the milter, but no
>>> emails get scanned.
>>> clamd is up and running, both accessible via socket and on port 3310.
>>>
>>> I noticed the announcement that the "old" milter is included in the 0.95
>>> tarball - are there any instructions how to compile that one ? A
>>> configure --enable-milter doesn't build the old milter, only the new one.
> 
> 
> ...
> 
> Randomly Generated Quote (1144 of 1520):
> Talk does not cook rice. -Ancient Proverb
> ___
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://www.clamav.net/support/ml

Hi , what are you trying to say, isn't your milter working ?
Or are you only surprised not to get any viri?
you may test your inst with
http://www.gfi.com/emailsecuritytest/
until eicar is caught

did you try disabling LogInfected Full ?

you can try compiling from cvs version, perhaps your problem is already fixed
http://www.clamav.net/snapshot/clamav-devel-latest.tar.gz

i just finished implementing new milter and it works with postfix 2.5.5


-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Re: [Clamav-users] Safebrowsing db outdated?

2009-04-14 Thread Robert Schetterer
Henrik K schrieb:
> No new version in 3 days, what's up?
> 
> Btw has anyone had actual hits with 0.95.1 (now that it checks plain text
> urls)? No luck here..
> 
> Cheers,
> Henrik
> ___
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://www.clamav.net/support/ml

It was easter holidays? nobody worked ?

-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Re: [Clamav-users] "Virus Infected" Message for recipient

2009-04-29 Thread Robert Schetterer
Hi, you can use
for send a message to i.e postmaster etc

i.e in clamd.conf

# Execute a command when virus is found. In the command string %v will
# be replaced with the virus name.
# Default: no
#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v"

but i agree i also miss functions of the old milter behaviour

Dan Metcalf schrieb:
> I also came across the same issue.  Of course I Reject the messages, but for 
> my own personal domain I like to have the notices of infected email go 
> through to the intended local recipient just to keep track of things.
> 
> James Kosin mentioned the backscatter with faked sender addresses, but we 
> aren't looking to return the email notice to the sender.  I just want to 
> send a notice to the local recipient that the message was not accepted due 
> to a virus.
> 
> Dan
> 
> - Original Message - 
> From: "martinnitram" 
> To: 
> Sent: Wednesday, April 29, 2009 8:39 AM
> Subject: [Clamav-users] "Virus Infected" Message for recipient
> 
> 
>> At clamav 0.94, it can config clamav-milter that send a "Virus Infected"
>> notify email to recipient when a virus scanned. But from 0.95.1, the 
>> milter
>> only had 'Blackhole' option that direct drop the virus email without any
>> user notification like 0.94. Is that had any option for milter at 0.95.1 
>> to
>> do this? Thank.


-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria
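
A handler for the VirusEvent hook quoted in the message above, as an added example (not code from the original post or from the ClamAV project): it mails a notice to a local recipient and strips shell and header metacharacters from the `%v` value before using it. The script path, the `NOTIFY_RCPT` variable and the `sendmail` location are assumptions.

```shell
#!/bin/sh
# Hypothetical VirusEvent handler (added example). Assumed clamd.conf line:
#   VirusEvent /usr/local/bin/virus_notify "%v"
# clamd replaces %v with the virus name in the command string, so the
# argument is treated here as untrusted text.

NOTIFY_RCPT="${NOTIFY_RCPT:-postmaster}"   # assumed local recipient

# Keep only characters found in ordinary signature names; cap the length.
# Dropping newlines also prevents injected mail headers.
sanitize_name() {
    printf '%s' "$1" | tr -cd 'A-Za-z0-9._:/-' | cut -c1-128
}

# Write the complete notification message (headers + body) to stdout.
build_notice() {
    name=$(sanitize_name "$1")
    [ -n "$name" ] || name="unknown"
    printf 'To: %s\n' "$NOTIFY_RCPT"
    printf 'Subject: VIRUS ALERT: %s\n' "$name"
    printf 'Auto-Submitted: auto-generated\n'
    printf '\n'
    printf 'clamd on %s reported signature: %s\n' "$(uname -n)" "$name"
    printf 'This notice goes to a local address only, not to the sender.\n'
}

# Hand the message to the local MTA; -t takes the recipient from the To: header.
send_notice() {
    build_notice "$1" | /usr/sbin/sendmail -t -oi
}

# Send only when executed under the handler's own name, not when sourced.
case "${0##*/}" in
    virus_notify) send_notice "${1:-}" ;;
esac
```
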


Re: [Clamav-users] "Virus Infected" Message for recipient

2009-04-29 Thread Robert Schetterer
Robert Schetterer wrote:
> Hi, you can use
> for send a message to i.e postmaster etc
> 
> i.e in clamd.conf
> 
> # Execute a command when virus is found. In the command string %v will
> # be replaced with the virus name.
> # Default: no
> #VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v"
> 
> but i agree i also miss functions of the old milter behave
> 
> Dan Metcalf wrote:
>> I also came across the same issue.  Of course I Reject the messages, but for 
>> my own personal domain I like to have the notices of infected email go 
>> through to the intended local recipient just to keep track of things.
>>
>> James Kosin mentioned the backscatter with faked sender addresses, but we 
>> aren't looking to return the email notice to the sender.  I just want to 
>> send a notice to the local recipient that the message was not accepted due 
>> to a virus.
>>
>> Dan
>>
>> - Original Message - 
>> From: "martinnitram" 
>> To: 
>> Sent: Wednesday, April 29, 2009 8:39 AM
>> Subject: [Clamav-users] "Virus Infected" Message for recipient
>>
>>
>>> At clamav 0.94, it can config clamav-milter that send a "Virus Infected"
>>> notify email to recipient when a virus scanned. But from 0.95.1, the 
>>> milter
>>> only had 'Blackhole' option that direct drop the virus email without any
>>> user notification like 0.94. Is that had any option for milter at 0.95.1 
>>> to
>>> do this? Thank.

I apologize too for top posting *g


-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Re: [Clamav-users] "Virus Infected" Message for recipient

2009-04-29 Thread Robert Schetterer
Dennis Peterson wrote:
> Robert Schetterer wrote:
> 
>> i apologize too for top posting *g
>>
>>
> 
> And for failure to prune unnecessary parts of the message?
> 
> dp

I like these nonsense education discussions in mailing lists *g

there are as many theories of how to post as people in the world
if you find grammar mistakes keep them *g

-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


[Clamav-users] unclear whitelist syntax clamav-milter an logging ClamAV 0.95.1

2009-04-30 Thread Robert Schetterer
Hi all
I have ClamAV 0.95.1
Whitelist  /etc/clamav-milter-whitelist
in /etc/clamav-milter.conf

in Whitelist  /etc/clamav-milter-whitelist
I have
e.g.
"From:r...@example.server.com"
is this the right syntax? (I think I read it changed)
I don't get any entry that it wasn't scanned in the verbose
clamav-milter.log or clamd.log or mail.log
and headers show example mail from whitelisted was scanned
I think it's my fault with whitelist syntax
can someone enlighten me?
-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Re: [Clamav-users] unclear whitelist syntax clamav-milter an logging ClamAV 0.95.1

2009-04-30 Thread Robert Schetterer
Robert Schetterer wrote:
> Hi all
>  i have ClamAV 0.95.1
> Whitelist  /etc/clamav-milter-whitelist
> in /etc/clamav-milter.conf
> 
> in Whitelist  /etc/clamav-milter-whitelist
> i have
> i.e
> "From:r...@example.server.com"
> is this the right syntax ? ( i think i read it changed)
> i dont get any entry that it wasnt scanned in the verbose
> clamav-milter.log or clamd.log or mail.log
> and headers show example mail from whitelisted was scanned
> i think its my fault with whitelist syntax
> can someone enlight me?

it looks like, if I use nail/mailx for sending,

the from address is

r...@server.domain.de (root)
that's why simple

From:r...@server.domain.de

does not work,
I think I have to use a regex for this
but which? Anyone an idea?


-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Re: [clamav-users] ClamAV Central Management tools

2018-10-16 Thread Robert Schetterer
On 16.10.2018 at 18:36, Mike Pmike wrote:
> Hello.
> We are looking for ClamAV Central Management tools .
> The main thing is to be able to see an overview of the AV status on the
> our Ubuntu hosts so if there are any issues for instance definitions out
> of date or a threat detected, dashboards and real-time/historical
> reporting , centralized deployment of the software and policies.
> Is there any tool available for this?
> Thanks.
> BR,
> Mike

Various monitors should be fine to code for such things,
like monit, munin, xymon, icinga, nagios, zabbix etc.





Best Regards
MfG Robert Schetterer
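
One check of the kind suggested in the reply above, as an added example (not code from the original post or from the ClamAV project): a Nagios-style plugin that reports how old the signature database is. The database directory, the thresholds and the plugin name `check_clamav_db` are assumptions; file modification time is used as a proxy for the last update.

```shell
#!/bin/sh
# Nagios-style check (added example): age of the ClamAV daily database.
# Assumed database directory (Debian/Ubuntu default); override if needed.
CLAMAV_DB_DIR="${CLAMAV_DB_DIR:-/var/lib/clamav}"

# Print the mtime (epoch seconds) of the newest daily.cvd/daily.cld in DIR;
# return non-zero if neither file exists.
newest_db_mtime() {
    newest=""
    for f in "$1"/daily.cvd "$1"/daily.cld; do
        [ -f "$f" ] || continue
        # GNU stat first, BSD stat as fallback
        m=$(stat -c %Y "$f" 2>/dev/null || stat -f %m "$f") || continue
        if [ -z "$newest" ] || [ "$m" -gt "$newest" ]; then newest=$m; fi
    done
    [ -n "$newest" ] && printf '%s\n' "$newest"
}

# check_db_age DIR WARN_HOURS CRIT_HOURS [NOW_EPOCH]
# Returns 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN (Nagios plugin convention).
check_db_age() {
    now=${4:-$(date +%s)}
    mtime=$(newest_db_mtime "$1") || {
        echo "UNKNOWN: no daily database in $1"; return 3; }
    age_h=$(( (now - mtime) / 3600 ))
    if [ "$age_h" -ge "$3" ]; then
        echo "CRITICAL: definitions ${age_h}h old"; return 2
    fi
    if [ "$age_h" -ge "$2" ]; then
        echo "WARNING: definitions ${age_h}h old"; return 1
    fi
    echo "OK: definitions ${age_h}h old"; return 0
}

# Run as a plugin only when executed under the assumed plugin name.
case "${0##*/}" in
    check_clamav_db)
        check_db_age "$CLAMAV_DB_DIR" "${1:-24}" "${2:-48}"; exit $? ;;
esac
```

An old modification time can also mean that no newer database was published, so thresholds should allow for quiet periods upstream.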
