[Clamav-users] clamav-milter (or clamd) occasionally missing viruses?

2004-03-04 Thread Ron Snyder
I've noticed that occasionally clamav-milter (from my perspective) misses
some viruses, although subsequently decoding (base64) the file and then
running clamscan on the .zip does successfully find the virus. My
understanding of the clamav package is that clamav-milter passes the
information to clamd, gets the result from clamd, and then subsequently
passes the result code back to sendmail.

The last time this happened (about two weeks ago), it passed about 30
viruses through (although it still caught the other 90%).  Rebooting the
machine immediately fixed the problem.  This time, it's only passed 2
instances (of SCO.A) through, but still is catching the other 99% of SCO.A.
I'd like to try troubleshooting this problem while the machine is in its
current state, so I can try to figure out if the problem is with the
specific data stream or if the problem is perhaps with the machine (or
clamd/clamav-milter).  (I do have two more lines of defense, so I'm OK with
a degraded state for now.)

Is there any way to easily pass these files to spamass-milter to be checked
again (to see if the problem is randomly occurring)?

Thanks
-ron

I'm running the feb 20 snapshot-- yes, I know I can and should upgrade. If I
can make the problem happen on demand, and then upgrade and have the problem
go away, then I'll be more comfortable.


---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users


RE: [Clamav-users] Occasionally missing viruses

2004-03-05 Thread Ron Snyder
> On Fri, 05 Mar 2004 at 10:57:12 -0800, Dominic Mazzoni wrote:
> > I'm also having the problem that Ron Snyder reported yesterday,
> 
> Ron's problem regarded milter if I saw correctly, so it may be something
> different. Anyway...

I thought it was milter related, but now I'm not sure. It may just be the
way that the milter is designed. The way I captured the samples that got
through was to modify an extension munging script that we have on our MX
gateway, so that any message that had the base64 signature of a zip file got
copied to a special directory. I've then been checking that directory every
so often for zip files that look suspicious.

The three zipped files that got through all came as bounced messages, but
because the bounce message headers don't have proper mime headers, the
base64 encoded virus doesn't properly show up as an attachment. I am
presuming that this is why clamav-milter isn't finding it, as well as the
reason why clamscan --mbox doesn't find it either.  (I know it is actually
Sco.A because if I go through the steps to actually decode it, clamscan does
recognize it.)

So I guess my concerns are resolved, as long as clamav-milter and clamscan
are actually supposed to be ignoring encoded files that don't have proper
mime parts.

-ron



> 
> > where clamscan will mark a file as OK, but if I extract the
> > attachment (just by base64-decoding it, NOT by unzipping it too),
> > then clamscan properly recognizes the virus (in this case, SCO.A).
> > 
> > Actually clamscan seems to be having this problem with every
> > single SCO.A virus I get, though I'm not sure it's limited to
> > just this one.
> > 
> > I saved the email (directly out of my Imap Maildir) as "email",
> > and the zip attachment (containing SCO.A) as "document.zip".
> > Here's what I get with clamscan (version 0.67, after running
> > freshclam):
> > 
> > > clamscan email
> > email: OK
> 
> One _must_ use option --mbox (-m) with clamscan to scan mail files!
> 
> > Any suggestions?  Note that clamscan is successfully finding other
> > viruses in my inbox, but it's missing all of the SCO ones, as
> 
> This is a little strange (I mean: that it finds other viruses without
> --mbox) but some viruses are detectable even without enabling --mbox, so
> it's possible.
> 
> > far as I can tell.  I have over 200 of them saved in a separate
> > directory and clamscan misses all of those.
> 
> Just use --mbox and tell us what happens.
> 
> -- 
>  Tomasz Papszun   SysAdm @ TP S.A. Lodz, Poland  | And it's only
>  [EMAIL PROTECTED]   http://www.lodz.tpsa.pl/   | ones and zeros.
>  [EMAIL PROTECTED]   http://www.ClamAV.net/   A GPL virus scanner
> 
> 

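The capture trick Ron describes above (flag any message whose body carries the base64 signature of a zip file, MIME headers or not) as an added example written for this page; it is not Ron's munging script and not ClamAV code. The bounce message it scans is constructed in the block, and the only assumption is that the message is available as plain text.

```python
import base64
import io
import re
import zipfile

# A ZIP local file header starts with the bytes PK\x03\x04.  Base64-encoding
# any data that begins with those four bytes always produces the prefix
# "UEsDB", so a base64 line starting with it is a cheap tell that a zip
# archive is embedded in the text, whether or not MIME headers describe it.
ZIP_MAGIC = b"PK\x03\x04"
ZIP_B64_PREFIX = "UEsDB"
B64_LINE = re.compile(r"^[A-Za-z0-9+/]{2,76}={0,2}$")


def find_base64_zips(message_text):
    """Scan raw message text (headers and body, no MIME parsing) for runs of
    consecutive base64-looking lines.  A run containing a line that starts
    with ZIP_B64_PREFIX is decoded from that line onward; if the decoded
    bytes really carry the ZIP magic, (line_number, bytes) is recorded."""
    lines = [ln.strip() for ln in message_text.splitlines()]
    found = []
    i = 0
    while i < len(lines):
        if not B64_LINE.match(lines[i]):
            i += 1
            continue
        start = i
        while i < len(lines) and B64_LINE.match(lines[i]):
            i += 1
        run = lines[start:i]
        for j, line in enumerate(run):
            if line.startswith(ZIP_B64_PREFIX):
                try:
                    blob = base64.b64decode("".join(run[j:]), validate=True)
                except ValueError:
                    break          # not a clean encoding; leave it alone
                if blob.startswith(ZIP_MAGIC):
                    found.append((start + j + 1, blob))
                break
    return found


def zip_members(blob):
    """List the member names of a decoded archive without extracting them."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.namelist()


def build_sample_bounce():
    """Constructed test data, not a captured message: a bounce whose body
    carries a base64 zip with no Content-Type/Content-Transfer-Encoding."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("document.txt", "harmless placeholder payload\n")
    b64 = base64.encodebytes(buf.getvalue()).decode("ascii")
    return ("From: MAILER-DAEMON@mx.example.net\n"
            "Subject: Undeliverable mail\n"
            "\n"
            "Your message could not be delivered. Original message follows.\n"
            "\n"
            + b64 +
            "-- \n"
            "mx.example.net\n")


if __name__ == "__main__":
    for lineno, blob in find_base64_zips(build_sample_bounce()):
        print("base64 zip starting at line %d, members: %s"
              % (lineno, zip_members(blob)))
```

The decoded bytes can be handed to clamscan (or clamd) directly, which is the manual step Ron took to confirm the sample was SCO.A; the prefix check is only a triage filter, not a verdict.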



RE: [Clamav-users] FreshClam fail to connect database.clamav.net

2004-03-09 Thread Ron Snyder
Just want to pipe in with another opinion/question-- have there been more A
records added for database.clamav.net recently? Freshclam had been working
just fine for me for several weeks and then just started reporting the same problems
that Seve reported. When I started debugging the problem (using dig) I paid
attention to the "truncated results" notice that dig gave.

This happened because the amount of information was too big to fit in a udp
packet, and tcp dns packets were restricted from going through the firewall.
Once tcp packets were allowed through the firewall, freshclam started
working again.

-ron


> > 
> Had the same yesterday on a fresh install of 0.67-1 - turned out to be
> DNS - edit your /etc/resolv.conf to nameservers that work.  Use host or dig
> to test the nameservers you are resolving from.
> 
> Jaap 
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.611 / Virus Database: 391 - Release Date: 2004/03/03
> 
> 
> 
> 




RE: [Clamav-users] PB: ClamAV works but doesn't detect viruses

2004-03-10 Thread Ron Snyder
> I  have a different issue: ALL the tests from testvirus.org 
> are detected, but my virus log is very slow: I am talking 
> about 1-2 catches per day. Does that mean, that my clamav is 
> not working, or I am in an extremely "safe" area of Internet(-:)?
> 
> I wonder, what others' virus logs look like?

Looks to me like viruses are equal to about 10% of the regularly accepted
email. (The viruses are not counted as "accepted" email.)

[EMAIL PROTECTED] log]# for i in maillog.? ; do echo $i; \
  grep 'clamfi_eom.*FOUND' $i | awk '{print $9}' | sort | uniq -c; \
  echo -n "messages accepted for delivery" ; grep queued $i | wc -l; done
maillog.1
  8 W32.Magistr.A
  1 Worm.Bagle.Gen-1
  6 Worm.Bagle.Gen-zippwd
  1 Worm.Klez.H
 74 Worm.Mydoom.F
 92 Worm.SCO.A
202 Worm.SomeFool.Gen-1
 12 Worm.SomeFool.Gen-2
 35 Worm.SomeFool.I
messages accepted for delivery   4470
maillog.2
 57 W32.Magistr.A
  9 Worm.Bagle.Gen-1
  9 Worm.Bagle.Gen-zippwd
  1 Worm.Klez.H
 59 Worm.Mydoom.F
  1 Worm.Mydoom.I
 96 Worm.SCO.A
  2 Worm.Sober.D
199 Worm.SomeFool.Gen-1
  2 Worm.SomeFool.Gen-2
messages accepted for delivery   4779
maillog.3
  6 Worm.Bagle.Gen-1
 14 Worm.Bagle.Gen-zippwd
  1 Worm.Dumaru.A
  6 Worm.Gibe.F
  1 Worm.Klez.H
 67 Worm.Mydoom.F
130 Worm.SCO.A
120 Worm.SomeFool.Gen-1
  5 Worm.SomeFool.Gen-2
messages accepted for delivery   3268
maillog.4
  4 Worm.Bagle.Gen-1
 10 Worm.Bagle.Gen-zippwd
  1 Worm.BugBear.B
  2 Worm.Dumaru.A
  2 Worm.Gibe.F
 80 Worm.Mydoom.F
 84 Worm.SCO.A
114 Worm.SomeFool.Gen-1
  2 Worm.SomeFool.Gen-2
messages accepted for delivery   3162
maillog.5
  1 Worm.Bagle.A3
  4 Worm.Bagle.Gen-1
  1 Worm.Bagle.Gen-2
 21 Worm.Bagle.Gen-zippwd
  3 Worm.Gibe.F
  2 Worm.Klez.H
 72 Worm.Mydoom.F
 41 Worm.SCO.A
240 Worm.SomeFool.Gen-1
  1 Worm.SomeFool.Gen-2
messages accepted for delivery   4954
maillog.6
 22 Worm.Bagle.F-zippwd-2
 16 Worm.Bagle.Gen-1
  4 Worm.Bagle.Gen-2
  5 Worm.Bagle.Gen-zippwd
  1 Worm.Dumaru.A
  2 Worm.Gibe.F
  2 Worm.Klez.H
 45 Worm.Mydoom.F
104 Worm.SCO.A
332 Worm.SomeFool.Gen-1
  3 Worm.SomeFool.Gen-2
messages accepted for delivery   5924
maillog.7
  1 Worm.Bagle.A3
  2 Worm.Bagle.E
328 Worm.Bagle.F-zippwd-2
  1 Worm.Bagle.F-zippwd-3
 15 Worm.Bagle.Gen-1
  2 Worm.Bagle.Gen-2
 18 Worm.Bagle.J
  2 Worm.Bagle.K
  1 Worm.BugBear.B
  1 Worm.Klez.H
 53 Worm.Mydoom.F
  4 Worm.Mydoom.H
112 Worm.SCO.A
  2 Worm.Sober.C1
  4 Worm.SomeFool
 42 Worm.SomeFool.B
 11 Worm.SomeFool.B.2
173 Worm.SomeFool.D
 62 Worm.SomeFool.Gen-1
 10 Worm.SomeFool.Gen-2
messages accepted for delivery   6210
maillog.8
  2 Worm.Bagle.A3
  9 Worm.Bagle.E
  4 Worm.Bagle.F
  1 Worm.Bagle.F-zippwd
 33 Worm.Bagle.F-zippwd-2
  2 Worm.Gibe.F
 29 Worm.Mydoom.F
106 Worm.SCO.A
  5 Worm.SomeFool
 24 Worm.SomeFool.B
210 Worm.SomeFool.B-petite
 28 Worm.SomeFool.D
messages accepted for delivery   6124

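The same tally as the one-liner above, done in Python over a constructed log excerpt, as an added example (editor's code, not from the post). It pulls the signature name that precedes FOUND and counts lines containing "queued", exactly the two greps Ron uses; the log line layout in SAMPLE_LOGS is an assumption made to match what those greps look for, not a verified clamav-milter or sendmail format.

```python
import re
from collections import Counter

# Constructed log excerpts (assumed layout, not captured lines) shaped the way
# the one-liner above expects: clamav-milter logs "clamfi_eom ... <sig> FOUND"
# per detection and an accepted message leaves a line containing "queued".
SAMPLE_LOGS = {
    "maillog.1": """\
Mar  9 04:02:11 mx1 clamav-milter[2143]: clamfi_eom: /var/tmp/clamav-a1b2c3: Worm.SCO.A FOUND
Mar  9 04:05:40 mx1 sendmail[2150]: i29C5exY002150: to=<bob@example.net>, mailer=local, stat=queued
Mar  9 04:07:02 mx1 clamav-milter[2143]: clamfi_eom: /var/tmp/clamav-d4e5f6: Worm.Mydoom.F FOUND
Mar  9 04:09:15 mx1 sendmail[2151]: i29C9FxY002151: to=<carol@example.net>, mailer=local, stat=queued
Mar  9 04:11:48 mx1 clamav-milter[2143]: clamfi_eom: /var/tmp/clamav-0a1b2c: Worm.SCO.A FOUND
Mar  9 04:12:03 mx1 sendmail[2152]: i29CC3xY002152: to=<dave@example.net>, mailer=local, stat=queued
Mar  9 04:15:30 mx1 sendmail[2153]: i29CFUxY002153: to=<erin@example.net>, mailer=local, stat=queued
Mar  9 04:18:22 mx1 sendmail[2154]: i29CIMxY002154: to=<frank@example.net>, mailer=local, stat=queued
Mar  9 04:20:01 mx1 sendmail[2155]: i29CK1xY002155: to=<gina@example.net>, mailer=local, stat=queued
""",
    "maillog.2": """\
Mar  8 09:30:12 mx1 clamav-milter[2143]: clamfi_eom: /var/tmp/clamav-7e6f5a: Worm.SomeFool.Gen-1 FOUND
Mar  8 09:31:44 mx1 sendmail[1980]: i28HVixY001980: to=<bob@example.net>, mailer=local, stat=queued
Mar  8 09:33:05 mx1 sendmail[1981]: i28HX5xY001981: to=<carol@example.net>, mailer=esmtp, stat=Sent (ok)
Mar  8 09:35:27 mx1 sendmail[1982]: i28HZRxY001982: to=<dave@example.net>, mailer=local, stat=queued
""",
}

# Greedy ".*" followed by whitespace guarantees the capture is the whole
# token immediately before " FOUND" (awk's $9 in the one-liner).
FOUND_RE = re.compile(r"clamfi_eom.*\s(\S+) FOUND")


def summarize_maillog(text):
    """Detections per signature and messages accepted for delivery, using the
    same two filters as the shell version."""
    sigs = Counter()
    accepted = 0
    for line in text.splitlines():
        m = FOUND_RE.search(line)
        if m:
            sigs[m.group(1)] += 1
        elif "queued" in line:
            accepted += 1
    return sigs, accepted


def virus_ratio(sigs, accepted):
    """Detections as a fraction of accepted mail (the "about 10%" figure)."""
    return sum(sigs.values()) / accepted if accepted else 0.0


def report(logs):
    """Per-file summary for a {filename: text} mapping, like the for loop
    over maillog.? above."""
    out = {}
    for name in sorted(logs):
        sigs, accepted = summarize_maillog(logs[name])
        out[name] = {"signatures": dict(sigs), "accepted": accepted,
                     "ratio": virus_ratio(sigs, accepted)}
    return out


if __name__ == "__main__":
    for name, summary in report(SAMPLE_LOGS).items():
        print(name)
        for sig, n in sorted(summary["signatures"].items()):
            print("%4d %s" % (n, sig))
        print("messages accepted for delivery %d (ratio %.2f)"
              % (summary["accepted"], summary["ratio"]))
```

On real logs, point report() at a dict built from the rotated files, and treat the "queued" test as an approximation of accepted mail, as the one-liner does.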



RE: [Clamav-users] Malformed CVD header detected {Scanned}

2004-03-23 Thread Ron Snyder
Jo Mills wrote:
> packets for DNS sometime on Monday afternoon.  I'll sort out some DNS servers
> from our ISP and (yet again!) work around the IT guys.  (Trog helped

As an IT guy myself, I'd like to respectfully suggest that you let your IT
team know that you've noticed a change in behavior and think you have pinned
down the cause.  It may very well be that someone who thought they knew what
they were doing broke something, and they'll put things back the way they
were. (It may also be that they really did know what they were doing, and
that you shouldn't route around them.)

(Of course, maybe you were already planning on doing this...)

Thanks,
-ron




RE: [Clamav-users] Clamav failes to update {Scanned}

2004-03-23 Thread Ron Snyder
DNS answers have been too big for udp packets, so the query gets redone over tcp.
Some firewalls (or fw admins) block tcp dns requests. (Although I would have
expected to see a "server failed" type of message rather than "non-existent
host".)  Something to investigate, anyway.



> -Original Message-
> From: SW [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, March 23, 2004 9:22 PM
> To: Clamav
> Subject: [Clamav-users] Clamav failes to update {Scanned}
> 
> 
> I have clamav antivirus installed but a few days ago, it 
> stopped getting updated because I can't seem to resolve 
> 'database.clamav.net' and I'm not sure what the problem is. 
> It seems I can resolve other sites, including clamav.net but 
> not the database.clamav.net. Can someone help?
> 
> Here is what I get w/ nslookup:
> 
> $ nslookup database.clamav.net
> Server:  ns1.wppi.net
> Address:  68.166.149.45
> 
> *** ns1.wppi.net can't find database.clamav.net: Non-existent 
> host/domain
> 
> But, I can get to clamav.net:
> 
> $ nslookup clamav.net
> Server:  ns1.wppi.net
> Address:  68.166.149.45
> 
> Non-authoritative answer:
> Name:clamav.net
> Address:  66.35.250.210
> 
> 
> 
> 
> 
> -
> WPPi.com|WPPi.Net
> -
>   http://www.wppi.com   |  http://www.wppi.net
> -
> WPPi.com & WPPi.Net MailScanner Signature
> This message has been scanned for viruses
> and dangerous content by WPPi MailScanner,
> and has been found to be clean.
> -
> 
> 
> 




RE: [Clamav-users] Exploit-ObjectData trojan

2004-05-21 Thread Ron Snyder
Here are two different captures of what the thing looks like (including the
'=' at the end of the line). These are appended to "normal" spammy looking
emails.  (I've replaced 'object data' with 'x' so that it doesn't hit
virus filters.)

 



which decode to (respectively)

 http://&#=
119;ww.fatbonusc&#=
97;sino.com/pag^A=
01;.php">

http://www&=
#46;bwpapagoinn.&#=
99;om/page.php" width=3D=
"14" height=3D"14">


Using this handy one-liner that I got from Bob Apthorpe on
spamassassin-users:
  cat sample_spam.txt | spamassassin -d | \
  perl -MHTML::Entities -pe 'decode_entities($_);' | less

I've got plenty of samples, and was trying to figure out how to write a
signature for them, but am in the middle of a firewall emergency.

-ron

> -Original Message-
> From: Kevin W. Gagel [mailto:[EMAIL PROTECTED] 
> Sent: Friday, May 21, 2004 8:16 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] Exploit-ObjectData trojan
> 
> 
> Not only does ClamAV seem to miss it but so does uvscan. I have ClamAV and
> uvscan both scan email here. My Virscan Enterprise 7.1 catches these all the
> time. I just haven't had time to investigate fully.
> 
> 
> - Original Message Follows -
> From: "Jona Tallieu" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: [Clamav-users] Exploit-ObjectData trojan
> Date: Fri, 21 May 2004 11:15:50 +0200
> > 
> > Hi all,
> > 
> > It seems Clam does not detect following trojan, which our McAfee
> > engine did detect:
> > 
> > Exploit-ObjectData trojan
> > 
> > http://vil.nai.com/vil/content/v_100715.htm
> > 
> > Is this normal?
> > 
> > 
> > Thnx.
> > 
> > J.
> > 
> > 
> 
> 
> Kevin W. Gagel
> Network Administrator
> (250) 561-5848 local 448
> (250) 562-2131 local 448
> 
> --
> The College of New Caledonia, Visit us at http://www.cnc.bc.ca
> Virus scanning is done on all incoming and outgoing email.
> --
> 
> 




[Clamav-users] Suspicious?

2004-05-24 Thread Ron Snyder
I've been getting some persistent emails that I thought were just spams, but
out of curiosity I decided to wget some of the links from the spam. After a
redirect or two, this is the html that was retrieved:

http://www.linemovie.com/line/user2/msxml20.cab#version=1,0,0,1";
VIEWASTEXT width=0 height=0>







I'm not up on all of the exploits for the browsers, but I'm suspicious of
this because it looks to me like it's trying to hide at the top left of the
screen.  I've downloaded the .cab file and clamav doesn't see anything wrong
with it. Google doesn't find any answers about the clsid string in use.  

Ideas?  Should I seek counseling for being too paranoid, or is this actually
an unknown threat?

Thanks,
-ron

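An added example (editor's code, not from either post) covering the two things Ron ran into in this thread and in the Exploit-ObjectData thread above: peeling the quoted-printable and HTML-entity layers off a captured tag so the real URL is visible for signature work, and flagging object/iframe/embed tags sized to 0x0 or 1x1 like the one in the retrieved page. The sample markup is constructed with reserved .invalid hostnames in place of the real sites.

```python
import html
import quopri
import re

# Constructed samples (placeholder hosts, not the captured spam): the same two
# obfuscation layers as the captures in the Exploit-ObjectData thread, quoted-
# printable soft line breaks ("=" at end of line, "=3D" for "=") that split
# HTML numeric entities (&#119; is "w") so the URL never appears literally.
SAMPLE_QP_HTML = (
    '<object data=3D"http://&#=\n'
    '119;ww.placeholder-a.invalid/pag&#=\n'
    '101;.php" width=3D"1" height=3D"1">=\n'
    '</object>\n'
    '<iframe src=3D"http://placeholder-b.invalid/x.html" width=3D"0" height=3D=\n'
    '"0"></iframe>\n'
    '<a href=3D"http://www.placeholder-c.invalid/unsub">unsubscribe</a>\n'
)


def deobfuscate(raw):
    """Strip the layers in order: quoted-printable first (it rejoins the
    soft-wrapped lines and turns =3D back into '='), then HTML entities."""
    text = quopri.decodestring(raw.encode("latin-1")).decode("latin-1")
    return html.unescape(text)


TAG_RE = re.compile(r"<(object|iframe|embed|img|a)\b([^>]*)>", re.I)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")


def parse_tags(decoded):
    """Yield (tag, {attr: value}) for each tag of interest, in order."""
    for m in TAG_RE.finditer(decoded):
        attrs = {a.group(1).lower(): (a.group(2) or a.group(3) or a.group(4) or "")
                 for a in ATTR_RE.finditer(m.group(2))}
        yield m.group(1).lower(), attrs


def remote_urls(decoded):
    """Every http(s) URL a tag would fetch, the raw material for a signature."""
    urls = []
    for _, attrs in parse_tags(decoded):
        for key in ("data", "src", "href"):
            value = attrs.get(key, "")
            if value.lower().startswith(("http://", "https://")):
                urls.append(value)
    return urls


def _tiny(value):
    try:
        return int(value) <= 1
    except (TypeError, ValueError):
        return False


def hidden_loaders(decoded):
    """object/iframe/embed tags sized 0x0 or 1x1: remote content pulled in
    where the reader is never meant to see it."""
    out = []
    for tag, attrs in parse_tags(decoded):
        if tag in ("object", "iframe", "embed") and \
           _tiny(attrs.get("width")) and _tiny(attrs.get("height")):
            out.append((tag, attrs.get("data") or attrs.get("src") or ""))
    return out


if __name__ == "__main__":
    decoded = deobfuscate(SAMPLE_QP_HTML)
    print(decoded)
    print("fetches:", remote_urls(decoded))
    print("hidden loaders:", hidden_loaders(decoded))
```

Run deobfuscate() on the body before writing a signature; a pattern written against the raw quoted-printable text breaks as soon as the spammer moves the soft line break by one character, while the decoded URL or tag is what the mail client actually acts on.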



RE: [Clamav-users] Re: Suspicious?

2004-05-25 Thread Ron Snyder
> I've found a few bits of spy/adware that everything missed. You can download
> a trial at www.norman.com .
> 
> I should say that I don't have any connection with this company except as an
> end user.
> 
> Below is a example of what it reports.
> 
> Cheers,
> Patrick
> 
> ALARM:
> Virus infected:
> Virus name: 'W32/Downloader' [ General information ]

Patrick, thanks for checking that file (I presume it was the cab file you
checked), and confirming my suspicions.  The sand box does sound like a
handy tool, and the mention of it got me to wondering what other tools exist
for checking to see what a virus tries to do to a system. (That's a general
question to the list.)

(I couldn't find any way to download the Sand Box from Norman-- is it only
available as part of the AV, or am I just looking in the wrong places?  All
I could see is Norman talking about the Sand Box, but nothing about how to
get it.)

Thanks again for scanning the file-- you didn't say if you'd submitted it to
clamav, so I submitted it this morning (#3622).

An interesting (to me!) data point-- after several weeks of receiving the
email that led me to the .cab file, it stopped yesterday (the day after I
mention what I'd found on the list), and I'm now receiving a new email
format.  I believe it's the same type of attack, but haven't found the
payload yet.

-ron




RE: [Clamav-users] Re: Re: Suspicious?

2004-05-26 Thread Ron Snyder
> Sorry for the confusion. Sandbox is part of Norman's AV product, and not a
> separate product.

Ah, OK.  I'll take a look at that then.

> Also I never scanned the cab file yesterday; I just posted a report from an
> earlier infection I had. I did this just to illustrate the type of info you
> get when it finds something suspicious.

OK. I guess there's no way to update a ClamAV submission with new
information.

> from http://www.linemovie.com/link/user2/update/winmsg2k_1.exe
> It may also attempt to get the same file from
> http://www.linkno1.com/link/update/winmsg2k_1.exe
> I tried to get this file from both servers, but it was not there.

Poking around a bit at www.linemovie.com and looking at the source for the
index page (retrieved via wget and viewed with vi), led me to
http://www.abcroot.com/line/user1/update/winmsg2k_1.exe , which also seems
to have a full copy of whatever this thing is.  (Although the winmsg2k*.exe
files retrieved from both sites are different. Possibly just a difference
between the 'user1' and 'user2'.)

> As I said, I only used 'strings' so although the info here is correct, some
> of my conclusions may not be. I would however suggest you check your
> registry and do a search for the mentioned files including winmsg2k_1.exe.

Patrick, thanks again for doing all that you have.  I'm pretty sure my
system is safe, since I've only been looking at this stuff from my linux
mail gateway. :)  I am however concerned about any folks in my network that
may have allowed the original email to get their machine infected because
they don't make use of the spamassassin tags (which has been tagging the
email as spam all along), and also have the preview pane enabled.

Doing a google search on the clsid 65431623-C69F-410E-A392-6360366CAC19
leads me to believe that this virus/worm/whatever has been out there since
the end of March-- there are google usenet hits for Mar 31, 2004 .

For anybody else who is inclined to take a look at this as well--
www.linemovie.com seems to be some kind of central distribution point for
desktops that are trying to infect themselves. On a hunch, I ran wget
against several similar urls, and each url hands out different (but similar)
files. 

http://www.linemovie.com/line/user1/msxml20.cab
http://www.linemovie.com/line/user3/msxml20.cab
http://www.linemovie.com/line/user4/msxml20.cab
http://www.linemovie.com/line/user5/msxml20.cab
http://www.linemovie.com/line/user6/msxml20.cab
http://www.linemovie.com/link/user6/msxml20.cab

-ron

I am now more than ever very interested in putting web proxies in front of
all internet connections, and having clamav w/mod_proxy scan all incoming
web content-- at least this way when I recognize a risk faster than the
commercial scanners do I can create my own signatures.










RE: [Clamav-users] Re: Freshclam not responding

2004-06-01 Thread Ron Snyder
> Following my own question of Tue, 2004-06-01 at 15:05, in which I wrote:
> > I have been using Clamav 0.70 without problem for some time but without
> > warning freshclam recently stopped responding.  No error message except
> > the usual notification that I had no digital signature, which is another
> > problem which I have not solved but am not too concerned about at this
> > stage.  The link just stopped responding.

There were a spate of these a couple of months back when the database
started getting hosted at a lot of places and they all received dns records.
When the udp dns response comes back, it can't all fit in the packet so your
dns resolver is supposed to query again via tcp.  If your firewall has
recently been modified to not allow tcp dns queries, you would probably see
just what you are seeing above.

To narrow down the problem further (and eliminate either dns or clamav), try
doing the dns query from wherever freshclam is running.

-ron




RE: [Clamav-users] Re: Freshclam not responding

2004-06-02 Thread Ron Snyder
> > To narrow down the problem further (and eliminate either dns or clamav), try
> > doing the dns query from wherever freshclam is running.
> 
> I tried disabling my firewall with no effect.
> 
> "host database.clamav.net" attracted:
> "truncated, retrying in TCP mode,
> timed out -no servers could be reached".

This message is telling you that when the resolver tried to do the lookup in
tcp mode (because there was too much information for the udp response),
something got in the way.  There are a lot of "somethings" that could be
causing the problem, but I think you can rule out a problem with clamav at
this point.

If your host is resolving via your own dns server, there may be some
firewalling (or configuration issues) getting in the way of your dns server
being able to do a query via tcp. Are the nameservers listed in
/etc/resolv.conf in your control, or do they belong to your isp?

> Sorry, but I don't understand what a DNS query means.  I am incidentally
> running SuSE 9.1 Pro on a desktop (no network).

If you do a 'dig database.clamav.net' or a 'host database.clamav.net', do
you get useful answers? Something that looks like this (output from dig):

; <<>> DiG 9.2.1 <<>> database.clamav.net
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64172
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 5, ADDITIONAL: 0

;; QUESTION SECTION:
;database.clamav.net.   IN  A

;; ANSWER SECTION:
database.clamav.net.5   IN  CNAME   db.local.clamav.net.
db.local.clamav.net.6907IN  CNAME   db.other.clamav.net.
db.other.clamav.net.5   IN  A   213.73.255.243
db.other.clamav.net.5   IN  A   24.244.193.21
db.other.clamav.net.5   IN  A   64.18.103.6
db.other.clamav.net.5   IN  A   65.75.154.69
db.other.clamav.net.5   IN  A   80.69.67.3
db.other.clamav.net.5   IN  A   129.64.99.170
db.other.clamav.net.5   IN  A   193.1.219.100
db.other.clamav.net.5   IN  A   209.8.40.140
db.other.clamav.net.5   IN  A   209.204.175.217
db.other.clamav.net.5   IN  A   212.31.160.239
db.other.clamav.net.5   IN  A   212.113.16.74

;; AUTHORITY SECTION:
clamav.net. 7200IN  NS  ns3.clamav.net.
clamav.net. 7200IN  NS  ns4.clamav.net.
clamav.net. 7200IN  NS  ns5.clamav.net.
clamav.net. 7200IN  NS  ns1.oltrelinux.com.
clamav.net. 7200IN  NS  ns2.oltrelinux.com.

;; Query time: 195 msec
;; SERVER: 10.68.5.162#53(10.68.5.162)
;; WHEN: Wed Jun  2 14:46:52 2004
;; MSG SIZE  rcvd: 363

* end of dig output ***

freshclam needs the records that have the 'A' in the 4th column-- if you are
not getting those records, it's probably because there's still some kind of
restriction against tcp dns queries.

-ron

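The mechanism behind this reply (and Ron's earlier ones of 2004-03-09, 03-23 and 06-01) in working code, as an added example written for this page rather than anything from the list or from ClamAV: a minimal stub resolver that sends the A query over UDP, reads the TC bit from the header, and repeats the query over TCP with the 2-byte length prefix when the UDP reply was truncated. The response builder is constructed test data reusing addresses from the dig output above; resolve_a() is the only function that touches the network.

```python
import socket
import struct

TC_FLAG = 0x0200            # "truncated" bit in the DNS header flags
RCODE_MASK = 0x000F
QTYPE_A, QCLASS_IN = 1, 1

def build_query(name, qid=0x1234):
    """Encode a recursive (RD=1) query for the A records of `name`."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", QTYPE_A, QCLASS_IN)

def read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:               # two-byte compression pointer
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if jumped else offset)

def parse_response(msg):
    """Header flags plus every A address in the answer section; CNAMEs and
    other record types are stepped over so the offsets stay aligned."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    result = {"id": qid, "truncated": bool(flags & TC_FLAG),
              "rcode": flags & RCODE_MASK, "ancount": an, "addresses": []}
    offset = 12
    for _ in range(qd):                         # skip the question section
        _, offset = read_name(msg, offset)
        offset += 4
    for _ in range(an):
        _, offset = read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == QTYPE_A and rdlen == 4:
            result["addresses"].append(socket.inet_ntoa(msg[offset:offset + 4]))
        offset += rdlen
    return result

def frame_for_tcp(msg):
    """DNS over TCP prefixes each message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf

def resolve_a(name, server, timeout=3.0):
    """Ask over UDP first; if the reply carries TC (the answer did not fit in
    one datagram) repeat the query over TCP port 53, as a stub resolver does.
    A timeout or refusal on the TCP leg is the symptom in this thread:
    something between here and `server` blocks TCP/53.  Network code only."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(query, (server, 53))
        reply = parse_response(udp.recv(4096))
    if not reply["truncated"]:
        return reply
    with socket.create_connection((server, 53), timeout=timeout) as tcp:
        tcp.sendall(frame_for_tcp(query))
        (length,) = struct.unpack("!H", _recv_exact(tcp, 2))
        return parse_response(_recv_exact(tcp, length))

def build_sample_reply(name, addresses, truncated, qid=0x1234):
    """Constructed response (test data, not a capture): the question echoed,
    then one A record per address, each owner name a pointer to offset 12."""
    flags = 0x8180 | (TC_FLAG if truncated else 0)   # QR, RD, RA, NOERROR
    msg = struct.pack("!HHHHHH", qid, flags, 1, len(addresses), 0, 0)
    msg += build_query(name, qid)[12:]
    for addr in addresses:
        msg += b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 5, 4)
        msg += socket.inet_aton(addr)
    return msg

if __name__ == "__main__":
    for tc in (True, False):
        print(parse_response(build_sample_reply("database.clamav.net",
                                                ["213.73.255.243"], tc)))
```

To reproduce the "truncated, retrying in TCP mode, timed out" symptom from the other reply, call resolve_a("database.clamav.net", <nameserver from /etc/resolv.conf>) from the host running freshclam: a truncated UDP reply followed by a socket timeout on the TCP leg points at the firewall or the nameserver, not at clamav.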



RE: [Clamav-users] Re: Freshclam not responding {Scanned}

2004-06-04 Thread Ron Snyder
> Does this tell you anything more?  Others have said that my firewall is
> blocking port 53, but the problem persists when I turn the firewall
> off.  This is strange since SuSE ship Clamav with the OS.  Perhaps I
> should take it up with them.

Who controls the nameserver that is listed in your /etc/resolv.conf? Do you
control it, or does it belong to your ISP? It's certainly possible that the
nameserver isn't configured to allow tcp queries (or responses). 

> In the meantime, is there a command specifically to test the port? And
> if positive to unblock it.  I see no way through the GUI.  

Can you telnet to port 53 of each of your nameservers (listed in
/etc/resolv.conf)?


$ telnet 10.68.5.162 53
Trying 10.68.5.162...
Connected to mydns.example.com (10.68.5.162).
Escape character is '^]'.
^]

telnet> q
Connection closed.


That tells me that there isn't any firewalling or other restrictions on a
tcp connection that dns would be using.  If you get "Connection refused" or
if it just hangs there forever then we've got to dig deeper.

If you are able to connect to port 53 of your nameservers, I would think
that the problem probably lies with your dns servers and that for some
reason they don't have the capability to do tcp queries.

If you can't connect to port 53 like this, verify that your firewall rules
(I'm assuming that your firewall is iptables based on the machine that is
running clamav-- please let us know if that's an incorrect assumption) are
turned off by doing "iptables -L"

it should look something like this:


[EMAIL PROTECTED] root]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source   destination 

Chain FORWARD (policy ACCEPT)
target prot opt source   destination 

Chain OUTPUT (policy ACCEPT)
target prot opt source   destination 

Chain RH-Lokkit-0-50-INPUT (0 references)
target prot opt source   destination 


(Having your firewall rules turned off certainly isn't the preferred method
of operation, which I'm sure you're aware of. It does allow us to isolate
the problem a little quicker however.)

-ron




RE: [Clamav-users] Re: Freshclam not responding {Scanned}

2004-06-07 Thread Ron Snyder
> > Who controls the nameserver that is listed in your /etc/resolv.conf? Do you
> > control it, or does it belong to your ISP? It's certainly possible that the
> > nameserver isn't configured to allow tcp queries (or responses). 
> Sorry, how do I check that?  My name servers as listed are 212.67.96.129 &
> 130.
> 
> > Can you telnet to port 53 of each of your nameservers (listed in
> > /etc/resolv.conf)?
> No. It tries and then hangs.

I'm definitely not the greatest at reading iptables rules, but I didn't see
anything there that looked to me like your firewall rules are blocking
anything.  I'm also going to guess that you don't control the nameservers
listed in your /etc/resolv.conf, and that they belong to your ISP.  I think
that you may need to call the tech support number for your ISP in order to
have them examine their configuration-- it's possible that they are blocking
tcp queries or replies.

I saw some recommendations late last week to put more specific entries into
your freshclam.conf file, so that your machine doesn't have to try the tcp
dns request.  That's a good idea, and should definitely get you up and
running.


-ron




RE: [Clamav-users] ClamAV 0.72 Released

2004-06-07 Thread Ron Snyder
> Yep that was it. So I need to stop freshclam and clamd before logrotate
> and start them after logrotate? What a bore!

Or log to syslog instead of directly to a file?

-ron




RE: [Clamav-users] The dreaded undefined reference to `smfi_opensocket' with clamav-0.86.1 on FreeBSD 5.2.1 and sendmail-8.13.3

2005-06-24 Thread Ron Snyder
> > Ran into this one myself today..
> >
> > cd SENDMAILSRC/libmilter
> > ./Build
> > make install
> >
> > then run make on clamav
> >
> > James
>
> That's the first thing I did when the error popped up. I recognized the
> callback as I had been working on another milter on another box and had
> been studying the API. No joy.

Where is your libmilter.a file getting installed to?  Do you by any chance
have more than one?  It's been a while since I've done much programming, but
it looks to me like you're getting an error at link time so I don't think
the header files are the problem.

Any chance your libmilter.a file isn't actually getting installed where the
linker can find it for clamav-milter?


___
http://lurker.clamav.net/list/clamav-users.html


[Clamav-users] clamav-milter "sort of" ignoring --quarantine-dir

2005-08-26 Thread Ron Snyder
clamav-milter is "sort of" ignoring the quarantine directory because it's
creating the daily directories; I'm just not finding any files in them.

I've got two mail filtering gateways that both have the same versions of
sendmail+clamav+clamav-milter+spamassassin, and as near as I can tell all of
the config files are identical. For some reason, ONE of the scanning
machines isn't leaving the caught viruses in my quarantine directory.

When I started tracking down what was happening, I noticed that the
$QUARANTINE/050826 (for example) directory is getting created, and the mtime
on that directory even changes to when a virus was last caught. The virus
email just isn't in that directory-- it's apparently being left in /var/tmp.

The only difference that I can find between the two machines is that the
machine that is misbehaving has /tmp and /var/tmp on different filesystems,
and the machine that is doing what I want has /tmp and /var/tmp on the same
filesystem.

Has anybody else seen this? It seems to only have started for me with the
most recent upgrade of clamav and clamav-milter.

Working machine:
[EMAIL PROTECTED] ~]# ls -al /etc/sysconfig/clam* /etc/rc.d/init.d/clam*
/etc/clamd.conf /usr/sbin/clamav-milter
-rw-r--r--  1 root root 8156 Jul 25 02:05 /etc/clamd.conf
-rwxr-xr-x  1 root root 1160 May 12  2004 /etc/rc.d/init.d/clamav-milter
-rwxr-xr-x  1 root root 1046 May 12  2004 /etc/rc.d/init.d/clamd
-rw-r--r--  1 root root  308 Aug 26 17:45 /etc/sysconfig/clamav-milter
-rwxr-xr-x  1 root root 29 Jul 25 02:05 /usr/sbin/clamav-milter
[EMAIL PROTECTED] ~]# md5sum /etc/sysconfig/clam* /etc/rc.d/init.d/clam*
/etc/clamd.conf
1cf1ac87554941ee9a383c31a8d6fb58  /etc/sysconfig/clamav-milter
ce00b19718a0df57c88bff097d7e0a84  /etc/rc.d/init.d/clamav-milter
11eae95b40949edffe783e4cbd1ffbbd  /etc/rc.d/init.d/clamd
c97858de2c7305183f337140210d8924  /etc/clamd.conf

Not-working machine:
[EMAIL PROTECTED] caught-viruses]# ls -al /etc/sysconfig/clam*
/etc/rc.d/init.d/clam* /etc/clamd.conf /usr/sbin/clamav-milter; md5sum
/etc/sysconfig/clam* /etc/rc.d/init.d/clam* /etc/clamd.conf 
-rw-r--r--  1 root root 8156 Jul 25 02:05 /etc/clamd.conf
-rwxr-xr-x  1 root root 1160 May 12  2004 /etc/rc.d/init.d/clamav-milter
-rwxr-xr-x  1 root root 1046 May 12  2004 /etc/rc.d/init.d/clamd
-rw-r--r--  1 root root  308 Aug 25 15:11 /etc/sysconfig/clamav-milter
-rwxr-xr-x  1 root root 29 Jul 25 02:05 /usr/sbin/clamav-milter
1cf1ac87554941ee9a383c31a8d6fb58  /etc/sysconfig/clamav-milter
ce00b19718a0df57c88bff097d7e0a84  /etc/rc.d/init.d/clamav-milter
11eae95b40949edffe783e4cbd1ffbbd  /etc/rc.d/init.d/clamd
c97858de2c7305183f337140210d8924  /etc/clamd.conf

[EMAIL PROTECTED] caught-viruses]# clamd --version
ClamAV 0.86.2/1041/Thu Aug 25 20:01:20 2005
[EMAIL PROTECTED] caught-viruses]# clamav-milter --version
ClamAV version 0.86.2, clamav-milter version 0.86

[EMAIL PROTECTED] caught-viruses]# grep -i quarantine /etc/sysconfig/clam*
/etc/rc.d/init.d/clam* /etc/clamd.conf
/etc/sysconfig/clamav-milter:   --quarantine-dir=/tmp/caught-viruses
\

[EMAIL PROTECTED] caught-viruses]#  ls -ld /tmp/caught-viruses/
drwx--  5 clamav root 4096 Aug 26 02:02 /tmp/caught-viruses/
[EMAIL PROTECTED] caught-viruses]# grep clamav /etc/mail/sendmail.cf
Xclmilter, S=local:/var/run/clamav/clamav-milter.sock, F=,T=S:4m;R:4m

The ownership, perms, and sendmail.cf settings are the same on both
machines.  Any ideas as to what else I should be looking at?  As I mentioned
above, the only thing I can find different between the two systems is that
the working machine has /var and /var/tmp on the same filesystem, and the
non-working machine has them on two different filesystems.

Thanks,
-ron
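As an added example (not code from the thread or from ClamAV), and on the assumption that the milter's quarantine step is a plain rename() that cannot cross filesystems: a check for whether the milter's working directory and the quarantine directory share a filesystem, beside a move that handles the cross-filesystem case instead of silently leaving the file behind. The directories, file name and message body are constructed.

```python
import errno
import os
import shutil
import tempfile

def same_filesystem(path_a, path_b):
    """True when both paths report the same device number, i.e. one filesystem."""
    return os.stat(path_a).st_dev == os.stat(path_b).st_dev

def move_to_quarantine(src, quarantine_dir):
    """Move src into quarantine_dir even when the two are on different filesystems.

    os.rename() is atomic but only within one filesystem; across filesystems it
    fails with EXDEV, and a mover that ignores that error creates the dated
    target directory and then leaves the file where it was (assumed cause)."""
    os.makedirs(quarantine_dir, exist_ok=True)
    dst = os.path.join(quarantine_dir, os.path.basename(src))
    try:
        os.rename(src, dst)
    except OSError as exc:
        if exc.errno != errno.EXDEV:
            raise
        shutil.copy2(src, dst)  # cross-device fallback: copy, then drop the original
        os.unlink(src)
    return dst

def demo(work_dir=None, quarantine_root=None):
    """Quarantine a constructed sample message under a dated directory (the
    post's 050826 layout) and report whether it actually moved."""
    work_dir = work_dir or tempfile.mkdtemp(prefix="milter-work-")
    quarantine_root = quarantine_root or tempfile.mkdtemp(prefix="caught-viruses-")
    src = os.path.join(work_dir, "virus-sample.eml")
    with open(src, "w") as fh:
        fh.write("Subject: constructed sample, not a real virus\n")
    dst = move_to_quarantine(src, os.path.join(quarantine_root, "050826"))
    return {"same_fs": same_filesystem(work_dir, quarantine_root),
            "moved": os.path.exists(dst) and not os.path.exists(src)}

if __name__ == "__main__":
    # The post's layout: the milter works under /var/tmp, quarantine lives under /tmp.
    print("/var/tmp and /tmp on one filesystem:", same_filesystem("/var/tmp", "/tmp"))
    print(demo())
```

Running the script on both gateways should print False for the misbehaving one and True for the working one; pass the real work and quarantine directories to `demo()` to exercise the cross-filesystem path.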