RE: [Clamav-users] Problems with False Positives for Oversized Zip.

2004-05-11 Thread Samuel Benzaquen
You should check this variable in the clamav.conf file:

# Mark potential archive bombs as viruses (0 disables the limit)
ArchiveMaxCompressionRatio 20

-Samuel

- Original Message -
From: "Dave Stocker" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, May 11, 2004 12:30 PM
Subject: [Clamav-users] Problems with False Positives for Oversized Zip.


> Hi All,
>
> We have seen instances where we are sending out zip files which are
> picked up as virus-Oversized Zip.
> Can we disable this particular option without disabling scanning of
> Archives?
> Typical size ~ 15Mb before compression 600Kb after compression.
>
>   Regards,
>
> Dave
>

Is it possible that the contents are infected?

Just tested 2 zipped files, regular size 170MB, compressed 43MB, which went through
fine.
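Dave's figures (about 15 MB uncompressed to 600 KB compressed) give a ratio of 25, above the limit of 20 quoted above, which is why those archives trip the check, while the 170MB/43MB test files sit near 4 and pass. The following Python is an added example, not ClamAV's code: it mirrors that ratio test using only the zip central directory, and assumes (an assumption of this example) that the ratio is evaluated per archive member.

```python
import io
import os
import zipfile

# Limit from the clamav.conf line quoted above; 0 disables the check.
ARCHIVE_MAX_COMPRESSION_RATIO = 20


def compression_ratio(uncompressed: int, compressed: int) -> float:
    """Uncompressed size divided by compressed size.

    A member that expands from 0 bytes has no meaningful ratio (0.0); a
    non-empty member stored in 0 bytes is treated as infinitely compressed.
    """
    if compressed <= 0:
        return float("inf") if uncompressed > 0 else 0.0
    return uncompressed / compressed


def exceeds_limit(uncompressed: int, compressed: int,
                  limit: int = ARCHIVE_MAX_COMPRESSION_RATIO) -> bool:
    """True when the ratio is above the configured limit (limit 0 disables)."""
    if limit == 0:
        return False
    return compression_ratio(uncompressed, compressed) > limit


def check_archive(zip_bytes: bytes,
                  limit: int = ARCHIVE_MAX_COMPRESSION_RATIO) -> dict:
    """Map each file member to (ratio, flagged), read from the central directory.

    Only metadata is consulted, so nothing is inflated: this is the cheap test
    a scanner can apply before deciding whether to unpack a member at all.
    Note that these sizes come from the archive's own headers, which a crafted
    file can misstate, so a scanner also bounds the bytes it actually inflates.
    """
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ratio = compression_ratio(info.file_size, info.compress_size)
            flagged = exceeds_limit(info.file_size, info.compress_size, limit)
            report[info.filename] = (ratio, flagged)
    return report


def build_sample_zip() -> bytes:
    """Constructed sample archive: one member compresses ~1000:1, one not at all."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("zeros.bin", b"\x00" * (1 << 20))      # 1 MiB of zero bytes
        zf.writestr("random.bin", os.urandom(64 * 1024))   # 64 KiB of noise
    return buf.getvalue()


if __name__ == "__main__":
    print("15 MB -> 600 KB exceeds limit:", exceeds_limit(15_000_000, 600_000))
    for name, (ratio, flagged) in check_archive(build_sample_zip()).items():
        print(f"{name}: ratio {ratio:.1f} {'FLAGGED' if flagged else 'ok'}")
```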



---
This SF.Net email is sponsored by Sleepycat Software
Learn developer strategies Cisco, Motorola, Ericsson & Lucent use to 
deliver higher performing products faster, at low TCO.
http://www.sleepycat.com/telcomwpreg.php?From=osdnemail3
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users




RE: [Clamav-users] clamav-milter[xxx]: ClamAv: thread_create() failed: 11, try again

2004-05-11 Thread Samuel Benzaquen
Hi,

I have to say that the answer to this problem was easier than we thought.
Just by adding the lines:
---
ulimit -s 2048
ulimit -n 10240
---

to the init.d script that starts clamav-milter, now I can have the 1024
threads that glibc 2.2 limits. (RED HAT 7.3)
The first line tells glibc to spawn threads with a 2Mb stack size (the
default was 8Mb), permitting 4 times more threads.
The second line tells glibc to allow 10240 file descriptors opened at the
same time per process (the default was 1024 and that wasn't enough).

I'll post a reply with our experience of these changes running a couple of
days in a production environment.

Regards,

Samuel Benzaquen

Samuel Benzaquen wrote:

>Hello all,
>
>We've installed clamav / clamav-milter on a sendmail server with HIGH
>traffic. It worked well most of the time, but on peak hours (more than 400
>concurrent connections per server and 150K mail per hour) the clamav-milter
>throws these errors on the syslog and slows down the process:
>
>May  7 09:27:41 rs25s8 clamav-milter[6926]: ClamAv: thread_create() failed:
>11, try again
>
>
This is a libmilter error. Specifically it occurs in listener.c when
libmilter tries to spawn a thread to call the appropriate functions from
your milter.

>The CPU never went over 70% (1 Xeon with HT).
>The RAM never went over 80% (1 Gb total + 1,5 Gb SWAP)
>It just can't create the thread!
>
>This is always when it tries to create the 257th concurrent thread of
>clamav-milter. When this happens you can see thru 'ps' near 256 threads of
>clamav-milter (between 250 and 256, never more).
>I'm guessing it is a limit on the kernel/libraries/implementation.
>
>
That would be my guess. Why don't you try testing with a null-milter and
see if you get the same results?

>The system is a RedHat 7.3, kernel 2.4.20-19.7smp compiled by RedHat,
>glibc-2.2.5-43.
>We also tried on a Fedora Core 1, kernel 2.6.4 (downloaded and compiled),
>glibc-2.3.2-101.1.
>
>Any help would be appreciated,
>
>
>
>





RE: [Clamav-users] sendmail-milter-clamav

2004-05-13 Thread Samuel Benzaquen
First, when you show a config file, please omit the comment lines... It
makes the mail big and doesn't give any extra info.

Answering your problem, I think you are lacking one option on the
sendmail.cf file.
We have sendmail(8.12.11) + clamav + clamav-milter and the options we have
on the sendmail.cf are:
---- Code ----
O InputMailFilters=clmilter
Xclmilter, S=local:/var/run/clamav/clmilter.sock,F=, T=C:5s;S:10s;R:30s
---- End ----

I saw that you only included the second one.

Regards,

Samsam

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Iulian
Sent: Thursday, May 13, 2004 06:01 a.m.
To: [EMAIL PROTECTED]
Subject: [Clamav-users] sendmail-milter-clamav


  I'm trying to install CLAMAV on Slack 9.1, with sendmail and
milter.
My installation:
1.

sendmail -d0 | grep MILTER
on my PC: Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS
MILTER MIME7TO8 MIME8TO7

2. User clamav, ...:
group clamav
useradd -g clamav -d /dev/null clamav
mkdir /var/clamav
chown clamav:clamav /var/clamav

3 Install...

./configure \
--prefix=/usr --sysconfdir=/etc --datadir=/var/clamav \
--enable-milter
make
make install

4. Config /etc/clamav.conf


...


5. Update Virus Database
freshclam --quiet --stdout --datadir /var/clamav --log
/var/clamav/clamav.log

6. Test

cd /usr/src/clamav/test
clamscan test1
-the test is OK

7. Sendmail

In sendmail.cf, in section Mail Filters

Xclmilter, S=local:/var/clamav/clmilter.sock,F=, T=S:4m;R:4m

8. Start daemon

clamd
clamav-milter -blo /var/clamav/clmilter.sock
/etc/rc.d/rc.sendmail restart

-my test
ls -l /var/clamav/*sock
srwxrwxrwx  1 clamav clamav 0 May 13 09:17 /var/clamav/clamd.sock
srwx--  1 clamav clamav 0 May 13 09:17 /var/clamav/clmilter.sock


ps -aux|grep cla
clamav 920  0.0 10.2 14300 13020 ?   S09:17   0:00 clamd
clamav 924  0.0  0.6  4368  860 ?S09:17   0:00
clamav-milter -blo /var/clamav/clmilter.sock


9. Mail test(with file test1 , the same as point 6.)

cat test1 | mail -s "Vir" root
and the test mail goes to my mailbox, without any problems!
In my logs, no errors, warnings,... What is wrong?!

Thanks!








RE: [Clamav-users] clamav-milter[xxx]: ClamAv: thread_create() failed: 11, try again

2004-05-13 Thread Samuel Benzaquen
Hi,

As a matter of fact, the configuration I wrote about was correct.
Setting the thread stack to 2Mb solved the problem and let the system create
more than 256 threads of clamav-milter (till the hard limit of glibc).

Regards,

Samuel Benzaquen

>Hi,
>
>I have to say that the answer to this problem was easier than we thought.
>Just by adding the lines:
>---
>ulimit -s 2048
>ulimit -n 10240
>---
>
>I'll post a reply with our experience of this changes running a couple of
>days in production enviroment.
>
>Regards,
>
>Samuel Benzaquen





[Clamav-users] clamav-milter[xxx]: ClamAv: thread_create() failed: 11, try again

2004-05-10 Thread Samuel Benzaquen
Hello all,

We've installed clamav / clamav-milter on a sendmail server with HIGH
traffic. It worked well most of the time, but on peak hours (more than 400
concurrent connections per server and 150K mail per hour) the clamav-milter
throws these errors on the syslog and slows down the process:

May  7 09:27:41 rs25s8 clamav-milter[6926]: ClamAv: thread_create() failed:
11, try again
May  7 09:28:01 rs25s8 clamav-milter[6926]: ClamAv: thread_create() failed:
11, try again
May  7 09:29:58 rs25s8 clamav-milter[6926]: ClamAv: thread_create() failed:
11, try again
May  7 09:29:59 rs25s8 clamav-milter[6926]: ClamAv: thread_create() failed:
11, try again
May  7 09:30:37 rs25s8 clamav-milter[6926]: ClamAv: thread_create() failed:
11, try again

The CPU never went over 70% (1 Xeon with HT).
The RAM never went over 80% (1 Gb total + 1,5 Gb SWAP)
It just can't create the thread!

This is always when it tries to create the 257th concurrent thread of
clamav-milter. When this happens you can see thru 'ps' near 256 threads of
clamav-milter (between 250 and 256, never more).
I'm guessing it is a limit on the kernel/libraries/implementation.

The system is a RedHat 7.3, kernel 2.4.20-19.7smp compiled by RedHat,
glibc-2.2.5-43.
We also tried on a Fedora Core 1, kernel 2.6.4 (downloaded and compiled),
glibc-2.3.2-101.1.

Any help would be appreciated,

Ing. Samuel Benzaquen
CANTV, Gerencia General de la Red
Gerencia de Operaciones Centralizadas de la Red
Gerencia de Soporte de Aplicaciones
Coordinación de Servicios Operativos
NODO Chacao, Piso 1
Tel: (0212) 264-4568
[EMAIL PROTECTED]
[EMAIL PROTECTED]





[Clamav-users] Getting virus size from signature file.

2004-05-18 Thread Samuel Benzaquen
Hi,

I'm trying to do a report of how clamav has reduced disk usage by blocking
virus emails.
What I need is the virus size. Can I get that from the signature file?

Thanks,

-samuel benzaquen





RE: [Clamav-users] Getting virus size from signature file.

2004-05-18 Thread Samuel Benzaquen

> On Tue, 18 May 2004, Antony Stone wrote:
> > On Tuesday 18 May 2004 3:39 pm, Samuel Benzaquen wrote:
> >
> > > I'm trying to do a report of how clamav have reduced disk
> usage by blocking
> > > virus emails.
> >
> > Huh?   That seems like a very strange measure of benefit from
> blocking viruses
> > to me.
>
> Depends on how much disk space you have to burn.  We used to filter
> incoming viruses to a mailbox.  During an outbreak it wasn't uncommon
> for it to "break" when the mailbox file hit the 2G filesize limit.
>

Every virus rejected means less network usage and filer space usage.
Also decreases the downloading time of our clients, meaning that dial-up
clients can be happy again =).
When you have 2 million mail accounts, anything counts.
Just yesterday, clamav rejected more than 20 Gb in virus/worm/exploit mails
(> 700.000 mails).

> > > What I need is the virus size. Can I get that from the signature file?
> >
> > No.   You might be able to get an idea from some other A-V
> vendors' websites,
> > but I wouldn't think it's commonly listed information.
> >
> > Anyway, what do you want to measure the size of?   The raw binary?   A
> > UUencoded MIME attachment?   Base64?   All these things and
> more will be very
> > different sizes.
>
> I'd recommend looking at http://vil.nai.com/.  They have the size listed
> for each virus.  If you're thinking of encoded stuff (base64) then
> multiply by 4/3 and add a couple K for headers.  You can use
> http://www.rainingfrogs.co.uk to translate from ClamAV names to NAI
> names.  Most of the time there are only a few viruses to worry about, so
> just count the big ones (grep and wc -l are great for this) and multiply
> the sizes.  Should only take maybe an hour to get a fairly accurate
> estimate.

I actually did it using the size param from sendmail's log.
Joined 'from' lines with 'FOUND' ones thru mail_id and summed the size values.

> Of course, there's a catch if it was sent to a mailing list, since
> you'll only see one block in your logs, but it actually prevented 10+
> people from getting it saved to their inboxes.
>

Didn't think about it. Tnx =D

- samuel
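The join described above (sendmail's `from=` lines matched to clamav-milter `FOUND` lines on the queue id, summing `size=`), as an added Python example that is not Samuel's script. The log lines are constructed for the example, the clamav-milter line format is an assumption to adapt to your own milter's output, and the mailing-list caveat raised in the thread is handled by also weighting each size by `nrcpts=`.

```python
import re
from collections import Counter

# Constructed sample syslog extract (not from a real server): two infected
# messages with envelope lines, one clean message, and one FOUND line whose
# from= line is missing (rotated away or logged elsewhere).
SAMPLE_LOG = """\
May 18 09:12:01 mx1 sendmail[21001]: i4IDC1aa021001: from=<a@example.net>, size=84512, class=0, nrcpts=1, msgid=<1@example.net>, proto=ESMTP, relay=[192.0.2.10]
May 18 09:12:02 mx1 clamav-milter[21010]: i4IDC1aa021001: stream: Worm.Sample.A FOUND
May 18 09:12:05 mx1 sendmail[21002]: i4IDC5bb021002: from=<b@example.org>, size=2048, class=0, nrcpts=3, msgid=<2@example.org>, proto=ESMTP, relay=[192.0.2.11]
May 18 09:12:09 mx1 sendmail[21003]: i4IDC9cc021003: from=<>, size=120000, class=0, nrcpts=12, msgid=<3@example.com>, proto=ESMTP, relay=[192.0.2.12]
May 18 09:12:10 mx1 clamav-milter[21010]: i4IDC9cc021003: stream: Worm.Sample.B FOUND
May 18 09:12:11 mx1 clamav-milter[21010]: i4IDCBdd021004: stream: Worm.Sample.A FOUND
"""

# sendmail envelope line: queue id, size= and nrcpts= (from=<> covers bounces).
FROM_RE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>[A-Za-z0-9]+): from=<[^>]*>, size=(?P<size>\d+),"
    r".*?\bnrcpts=(?P<nrcpts>\d+)"
)
# clamav-milter line carrying the same queue id and a "<name> FOUND" token.
# Format assumed for this example; adjust to what your milter actually logs.
FOUND_RE = re.compile(
    r"clamav-milter\[\d+\]: (?P<qid>[A-Za-z0-9]+): .*?(?P<name>\S+) FOUND\b"
)


def summarize(log_text: str) -> dict:
    """Join from= lines with FOUND lines on the queue id and total the sizes.

    bytes_rejected counts each blocked message once (what the MTA refused);
    bytes_not_delivered multiplies by nrcpts, since one block to a list or
    multi-recipient message spares every recipient's mailbox.
    """
    envelopes = {}   # qid -> (size, nrcpts)
    found = {}       # qid -> detection name
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if m:
            envelopes[m["qid"]] = (int(m["size"]), int(m["nrcpts"]))
            continue
        m = FOUND_RE.search(line)
        if m:
            found[m["qid"]] = m["name"]

    rejected = not_delivered = 0
    by_name = Counter()
    unmatched = []
    for qid, name in found.items():
        if qid not in envelopes:
            unmatched.append(qid)   # cannot size it without its from= line
            continue
        size, nrcpts = envelopes[qid]
        rejected += size
        not_delivered += size * nrcpts
        by_name[name] += 1
    return {
        "messages": len(found) - len(unmatched),
        "bytes_rejected": rejected,
        "bytes_not_delivered": not_delivered,
        "by_name": dict(by_name),
        "unmatched": unmatched,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```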





[Clamav-users] freshclam: NotifyClamd or not NotifyClamd

2004-05-25 Thread Samuel Benzaquen
Hi all,

We've been running clamd / clamav-milter for some weeks without problems,
but this morning one of the clamd processes hung on freshclam's
notification.

We have 8 RH7.3 Linux servers, running sendmail 8.12.11 + clamd / ClamAV
version 0.70, clamav-milter version 0.70j.

7 out of 8 servers continued working after notification, but one hung
and queued the clamav-milter processes.

Is this a NotifyClamd problem?
Should I disable it and wait for clamd's auto check?


Entries on syslog after clamd being notified:
...
May 25 05:25:43 rs25s9 sendmail[11223]: i4P9P06h011223: Milter (clmilter):
timeout before data read
May 25 05:25:43 rs25s9 sendmail[11223]: i4P9P06h011223: Milter (clmilter):
to error state
...
May 25 05:25:56 rs25s9 clamav-milter[10867]: No data received from clamd in
120 seconds
May 25 05:25:56 rs25s9 clamav-milter[10867]: Expected port information from
clamd, got ''
...

Thanks,

Samuel Benzaquen
-
Don't fix it if it's not broken.
 But if u still want to fix it, call me. I'll break it for u.





RE: [Clamav-users] freshclam: NotifyClamd or not NotifyClamd

2004-05-25 Thread Samuel Benzaquen


> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Trog
> Sent: Tuesday, May 25, 2004 09:28 a.m.
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] freshclam: NotifyClamd or not NotifyClamd
>
>
> On Tue, 2004-05-25 at 13:59, Samuel Benzaquen wrote:
> > Hi all,
> >
> > We've been running clamd / clamav-milter for some weeks without
> problems,
> > but this morning one of the clamd processes hanged up on freshclam's
> > notification.
> >
> > We have 8 RH7.3 Linux servers, running sendmail 8.12.11 + clamd / ClamAV
> > version 0.70, clamav-milter version 0.70j.
> >
> > 7 out of 8 servers continued working after notification, but
> one hanged up
> > and queued the clamav-milter processes.
> >
> > It this a NotifyClamd problem?
> > Should I disable it and wait for clamd's auto check?
>
> Upgrade to 0.71.
>
> It was most likely waiting for a scanning thread to finish, which it has
> to do before it can reload the sig DB. If a scanning thread fails to
> finish, that indicates a bug in the scanner somewhere (which may have
> been fixed already).

Is there any way I can reproduce this problem?
Just to see if the upgrade fixes it.

>
> You should try and recover the file that it has a problem scanning.

How can I do that?
We have no quarantine directory configured.

- samuel





RE: [Clamav-users] Problems with clamd in local network {Scanned}

2004-05-27 Thread Samuel Benzaquen

> [mailto:[EMAIL PROTECTED]] On Behalf Of Jo Mills
> Sent: Thursday, May 27, 2004 07:33 a.m.
>
>
> On Thu, May 27, 2004 at 01:06:01PM +0200, Pippi Langstrumpf wrote:
> > Hi,
> >
> > how can i configure clamd in a local network? has
> > anybody some documentation (more detailed than the the
> > normal clamav docs..)
> >
> > Situation:
> > PC 1: installed clamd, clamav, clamav-base,
> > clamav-daemon, clamav-freshclam, libclamav1
> > --> has internet connection (sometimes)
> >
> > PC2: installed clamav, clamav-base, clamav-freshclam,
> > libclamav1
> > --> just local network
> >
> > PC1: db-update via internet
> > PC2: tries to connect to PC1 for db update with
> > freshclam
> > --> errormessage:
> > ClamAV update process started at Wed May 26 13:59:43
> > 2004
> > ERROR: Can't connect to port 80 of host 10.1.0.6
> > (10.1.0.6)
> > ERROR: Connection with 10.1.0.6 (IP: 10.1.0.6) failed.
> >
> > some help?
> >
> Just a thought, but why do you run freshclam on PC2?  If you ran
> freshclam via cron on PC1, then once PC1 has updated it's database(s)
> OK (check the return codes from Freshclam in the documentation) you
> could, as part of the same cron job, use scp (see SSH documentation if
> you're not familiar with scp) to copy the new database(s) to PC2 (and
> as many other PC's as you wish).
>
> Perhaps you could use NFS to "share" the directory on PC1 with other
> PC's?  I guess it depends a bit on your security considerations and on
> what it is your trying to do.
>
> Jo.
>

If I understand what you're saying, PC2 does NOT run clamd, it uses the
clamd daemon on PC1.
In that case, you don't need freshclam, scp or any other utility.

-Samuel
-
Don't fix it if it's not broken.
But if u still want to fix it, call me. I'll break it for u.





RE: [Clamav-users] freshclam: NotifyClamd or not NotifyClamd

2004-05-31 Thread Samuel Benzaquen


> [mailto:[EMAIL PROTECTED]] On Behalf Of Trog
> Sent: Tuesday, May 25, 2004 11:19 a.m.
>
> On Tue, 2004-05-25 at 15:41, Samuel Benzaquen wrote:
> > > Upgrade to 0.71.
> > >
> > > It was most likely waiting for a scanning thread to finish,
> which it has
> > > to do before it can reload the sig DB. If a scanning thread fails to
> > > finish, that indicates a bug in the scanner somewhere (which may have
> > > been fixed already).
> >
> > Is there any way I can reproduce this problem?
> > Just to see if the upgrade fixes it.
>
> Only if you have positively identified a file that caused it.
>
> >
> > >
> > > You should try and recover the file that it has a problem scanning.
> >
> > How can I do that?
> > We have no quarantine directory configured.
> >
>
> If clamd still has a file descriptor open to a file you can recover it
> through the /proc filesystem (even if it's been deleted).
>
> cat /proc//fd/ > file.msg
>
> -trog
>

Happened again yesterday twice.
Done the cat and recovered both files.

Both files have an attachment with this desc:

--=_NextPart_000_0030_01C444A2.53C581E0
Content-Type: application/mac-binhex40;
name="CoverNB.jpg.hqx"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
filename="CoverNB.jpg.hqx"

(This file must be converted with BinHex 4.0)

..


When I do a clamscan of the file it returns OK immediately, but when I do a
clamdscan it gets stuck.

[EMAIL PROTECTED] (mail-01) /var/tmp
# clamdscan ./tmpf5kXB5B


[EMAIL PROTECTED] (mail-01) /var/tmp
# clamscan ./tmpf5kXB5B
./tmpf5kXB5B: OK

--- SCAN SUMMARY ---
Known viruses: 21755
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.61 MB
I/O buffer size: 131072 bytes
Time: 1.291 sec (0 m 1 s)

[EMAIL PROTECTED] (mail-01) /var/tmp


What should I do?

Thanks,

Samuel Benzaquen





RE: [Clamav-users] Zero bytes vbs & cpl attachment

2004-05-31 Thread Samuel Benzaquen
I've seen zip attachments with no content (the zip file being about 70 bytes long).
The mail looks just like a Netsky worm, but with no content in the zip.

-samuel

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Bad Apple
> Sent: Monday, May 31, 2004 11:52 a.m.
> To: [EMAIL PROTECTED]
> Subject: [Clamav-users] Zero bytes vbs & cpl attachment
> 
> 
> Hi all ,
> 
> I use qmail-ldap + qmail-scanner (v 1.22 ) +
> clamav-0.70 .
> 
> From some time I have been seeing mails which pass
> through the ClamAV ,
> which have a zero bytes attachment of .vbs & .cpl
> extention .
> I have stopped these mails by the content scanning
> rules in Qmail-Scanner
> .Still I was wondering if any body has faced this
> issue . Any help will be
> appreciated .
> 
> Thanx in advance
> BadApple
> 
> 
> 
> 




RE: [Clamav-users] clamd crash triggered by THIS list

2004-06-01 Thread Samuel Benzaquen


> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of christian
> laubscher
> Sent: Tuesday, June 01, 2004 03:28 a.m.
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] clamd crash triggered by THIS list
>
>
> On Tue, Jun 01, 2004 at 01:41:08AM -0500, Damian Menscher wrote:
>
> > May 31 11:36:23 astro clamd[1002]: Segmentation fault :-( Bye..
>
> > So... the message that broke it was sent to this list, specifically the
> > message from Samuel Benzaquen with timestamp:
> > Date: Mon, 31 May 2004 11:16:12 -0400
>
> same happened here.
> 0.70/0.70j, no patch, slack 9.1
>
> --

Sorry about that. =(
For the ones that could not read my mail, I sent the header of an attachment
that contained a BinHex file.
The mail that I received broke my clamd and I was asking the list for help
about it.
I guess just sending the header causes clamd to break.
I'm running the same version of clamav / clamav-milter.

I think that I found a DoS by accident. =P

Hope they fix it soon.

-Samuel Benzaquen





RE: [Clamav-users] Problems with clamd in local network {Scanned}

2004-06-01 Thread Samuel Benzaquen

> [mailto:[EMAIL PROTECTED]] On Behalf Of Pippi
> Langstrumpf
> Sent: Tuesday, June 01, 2004 09:26 a.m.
>
>
> thats what I try to do. But how can I say PC2 to use
> the clamd (or the virus database) of PC1?
>

I'm 'guessing' that if you configure /etc/clamav.conf on PC2:
- Commenting local socket
- Configuring TCPAddr to PC1
clamdscan will read that conf and connect to that clamd daemon.

- extract from /etc/clamav.conf --
# Path to the local socket. The daemon doesn't change the mode of the
# created file (portability reasons). You may want to create it in a directory
# which is only accessible for a user running daemon.
# LocalSocket /tmp/clamd

# TCP port address.
#TCPSocket 3310

# TCP address.
# By default we bind to INADDR_ANY, probably not wise.
# Enable the following to provide some degree of protection
# from the outside world.
#TCPAddr 127.0.0.1
---

Be sure to use clamdscan. clamscan will not try to connect to a clamd
daemon.

-samuel

>
>  --- Samuel Benzaquen <[EMAIL PROTECTED]> wrote: >
> > >
> > [mailto:[EMAIL PROTECTED]]
> > On Behalf Of Jo Mills
> > > Sent: Thursday, May 27, 2004 07:33 a.m.
> > >
> > >
> > > On Thu, May 27, 2004 at 01:06:01PM +0200, Pippi
> > Langstrumpf wrote:
> > > > Hi,
> > > >
> > > > how can i configure clamd in a local network?
> > has
> > > > anybody some documentation (more detailed than
> > the the
> > > > normal clamav docs..)
> > > >
> > > > Situation:
> > > > PC 1: installed clamd, clamav, clamav-base,
> > > > clamav-daemon, clamav-freshclam, libclamav1
> > > > --> has internet connection (sometimes)
> > > >
> > > > PC2: installed clamav, clamav-base,
> > clamav-freshclam,
> > > > libclamav1
> > > > --> just local network
> > > >
> > > > PC1: db-update via internet
> > > > PC2: tries to connect to PC1 for db update with
> > > > freshclam
> > > > --> errormessage:
> > > > ClamAV update process started at Wed May 26
> > 13:59:43
> > > > 2004
> > > > ERROR: Can't connect to port 80 of host 10.1.0.6
> > > > (10.1.0.6)
> > > > ERROR: Connection with 10.1.0.6 (IP: 10.1.0.6)
> > failed.
> > > >
> > > > some help?
> > > >
> > > Just a thought, but why do you run freshclam on
> > PC2?  If you ran
> > > freshclam via cron on PC1, then once PC1 has
> > updated it's database(s)
> > > OK (check the return codes from Freshclam in the
> > documentation) you
> > > could, as part of the same cron job, use scp (see
> > SSH documentation if
> > > you're not familiar with scp) to copy the new
> > database(s) to PC2 (and
> > > as many other PC's as you wish).
> > >
> > > Perhaps you could use NFS to "share" the directory
> > on PC1 with other
> > > PC's?  I guess it depends a bit on your security
> > considerations and on
> > > what it is your trying to do.
> > >
> > > Jo.
> > >
> >
> > If I understand what you're saying, PC2 does NOT run
> > clamd, it uses the
> > clamd daemon on PC1.
> > In that case, you don't need freshclam, scp or any
> > other utility.
> >
> > -Samuel
> > -
> > Don't fix it if it's not broken.
> > But if u still want to fix it, call me. I'll break
> > it for u.
> >





RE: [Clamav-users] Silly question, may be a log file..

2004-06-04 Thread Samuel Benzaquen



Yes... you could see the log file.

Actually, you have to read /etc/clamav.conf to see where it is logging (file or syslog or both).
And you could probably use LogClean just to see if it is scanning at all. REMEMBER TO REMOVE THIS OPTION LATER.

You can also check CPU time/usage on the clamd process.

Or use clamdscan to scan a directory. It uses the clamd daemon.

ClamAV sources come with some test files (not real virus, just a test signature) under the 'test' dir. Try those too.

-samuel

  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED]] On Behalf Of Tunc Eresen
  Sent: Friday, June 04, 2004 10:13 a.m.
  To: [EMAIL PROTECTED]
  Subject: [Clamav-users] Silly question, may be a log file..

  How could I check that Clamav is working?

  Thanks
  Tunc
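A way to check from a client box that a clamd daemon is up, covering both the "is it working" question above and the TCPAddr/TCPSocket remote setup from the "clamd in local network" thread earlier on this page; this is an added Python example, not ClamAV's or clamdscan's code. It assumes clamd's plain newline-terminated PING and VERSION commands; the tiny mock server is constructed so the block runs offline and also shows how a hung daemon (the "No data received from clamd" case earlier on this page) looks from the client side.

```python
import socket
import threading

# Replies the constructed mock gives; a real clamd answers PING with "PONG".
MOCK_REPLIES = {"PING": b"PONG\n", "VERSION": b"ClamAV 0.70 (mock)\n"}


def _serve_one(listener: socket.socket, respond: bool) -> None:
    """Accept one client; answer its command, or hang silently if respond=False."""
    conn, _ = listener.accept()
    listener.close()
    with conn:
        command = conn.recv(1024).decode("ascii", "replace").strip()
        if respond:
            conn.sendall(MOCK_REPLIES.get(command, b"UNKNOWN COMMAND\n"))
        else:
            conn.recv(1024)   # never answer; block until the client gives up


def start_mock_clamd(respond: bool = True) -> int:
    """Start a one-shot mock clamd on 127.0.0.1 and return its TCP port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # port 0: the kernel picks a free port
    listener.listen(1)
    threading.Thread(target=_serve_one, args=(listener, respond),
                     daemon=True).start()
    return listener.getsockname()[1]


def clamd_command(host: str, port: int, command: str, timeout: float = 5.0):
    """Send one newline-terminated command (PING, VERSION) and return the reply.

    Returns None when the daemon is unreachable or stays silent for `timeout`
    seconds, which is how a clamd stuck on a database reload presents itself
    to clamav-milter. Against a real daemon, host/port are the TCPAddr and
    TCPSocket values from its clamav.conf.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(command.encode("ascii") + b"\n")
            chunks = []
            while True:                 # clamd closes after a one-shot reply
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
    except OSError:                     # refused, unreachable or timed out
        return None
    return b"".join(chunks).decode("ascii", "replace").strip()


def clamd_is_alive(host: str, port: int, timeout: float = 5.0) -> bool:
    """True only when clamd answers PING with PONG inside the timeout."""
    return clamd_command(host, port, "PING", timeout) == "PONG"


if __name__ == "__main__":
    print("alive:", clamd_is_alive("127.0.0.1", start_mock_clamd()))
    print("version:", clamd_command("127.0.0.1", start_mock_clamd(), "VERSION"))
    print("hung daemon alive:",
          clamd_is_alive("127.0.0.1", start_mock_clamd(respond=False), timeout=1.0))
```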


[Clamav-users] clamav-milter: Changing reject message

2004-06-07 Thread Samuel Benzaquen
Hello,

I've been looking for a way to change the standard 55x reject message to
something in my own language (Spanish) so my clients can understand it.

I looked over clamav-milter's command line options and can't find it.
From what I looked at in clamav-milter.c, it is forced in the code.

Is there a way of changing it without needing to recompile? I'm using RPMs.
Will it be available for change thru command line / config file?

-Samuel





RE: [Clamav-users] Ethics Question

2004-06-09 Thread Samuel Benzaquen


> Tris Forster
> Sent: Wednesday, June 09, 2004 1:02 PM
>
> While the aim of doing this may be completely honourable,  sending
> winpopups to a non-firewalled  machine stinks of spamming and thus I am
> in two minds about putting it into practice

You are right. That could be even worse than the virus, because you are
sending it on purpose while the infected computer is just a victim.

>
> Any thoughts or experiences with similar situations would be
> appreciated..
>

I think the only way I can think of is reporting the IP to some DNSBLs.
That way you can stop receiving their mails and you leave the cleansing
problem to their ISP.

-Samuel





RE: [Clamav-users] Ethics Question

2004-06-10 Thread Samuel Benzaquen

> > I think the only way I could think is reporting the IP to some DNSBLs.
> > That way you can stop receiving their mails and you leave the cleansing
> > problem to their ISP.
>
> And just hope that the next person to dial in to the ISP who gets
> that IP address
> from DHCP is the same person...
>

Before we used ClamAV to block outgoing messages (and a firewall to prevent
port 25 outgoing from clients to the Internet), we got complete class C
networks blocked very often because just one IP was sending viruses.
As those networks are dial-up, what you say is very likely to happen, but
eventually they will have their whole network blocked and they will have to
do something about it.

If you don't clean your house, your neighbors will complain about the
infestation and will force you to clean it.

-samuel





[Clamav-users] OLE Problem WARNING: not scanned; untested big block size - please report

2004-07-01 Thread Samuel Benzaquen
Hello,

We have clamav 0.72 installed on our servers and found that they segfault on
some attachments.
After some digging on /tmp I found the file:
---
[EMAIL PROTECTED] tmp]# file Seguimiento\ RON\ SANTA\ TERESA\ -\ carta.docKd0l57
Seguimiento RON SANTA TERESA - carta.docKd0l57: Microsoft Office Document
---

Then searching the changelog I found that it was fixed to skip 'probably
corrupt' OLE files, so I tried with 0.74 and the result was:
---
[EMAIL PROTECTED] tmp]# clamscan /var/tmp/Seguimiento\ RON\ SANTA\ TERESA\ -\
carta.docKd0l57
LibClamAV Error: WARNING: not scanned; untested big block size - please
report
/var/tmp/Seguimiento RON SANTA TERESA - carta.docKd0l57: OK
---

It doesn't segfault anymore.
As the message says *please report*, that is what I am doing.
Is this the way to report it ?
Do you need the .doc file ?

Regards,

- Samuel Benzaquen





RE: [Clamav-users] OLE Problem WARNING: not scanned; untested bigblock size - please report

2004-07-07 Thread Samuel Benzaquen
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Trog
> Sent: Friday, July 02, 2004 4:02 AM
>
> On Thu, 2004-07-01 at 15:27, Samuel Benzaquen wrote:
> >
> > Then searching the changelog I found that it was fixed to skip 'probably
> > corrupt' OLE files, so I tried with 0.74 and the result was:
> > ---
> > [EMAIL PROTECTED] tmp]# clamscan /var/tmp/Seguimiento\ RON\ SANTA\
> TERESA\ -\
> > carta.docKd0l57
> > LibClamAV Error: WARNING: not scanned; untested big block size - please
> > report
> > /var/tmp/Seguimiento RON SANTA TERESA - carta.docKd0l57: OK
> > ---
> >
> > It doesn't segfault anymore.
> > As the message says *please report*, that is what I am doing.
> > Is this the way to report it ?
> > Do you need the .doc file ?
>
> If you have the original email message the document was in, please send
> it to me, or send the .doc file if that is all you have.
>

I don't have the original message, just the attachment.
The problem is that I can't send you the file because it contains
confidential information about a client. I've asked the digital security
dept =(.
Nevertheless, if you send me instructions on how to extract the information
you need, I will gladly do it.

Regards,

-Samuel
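One way to answer the "send me instructions on how to extract the information you need" request above without handing over a confidential document: the fields an OLE2 parser keys on live in the fixed 512-byte compound-file header, and the "big block size" in the warning is the sector size, i.e. 2 to the power of the sector shift stored at offset 0x1E. The script below is an added example, not ClamAV's code and not something posted in the thread; the header layout is the published MS-CFB one, the function names are mine, and the sample headers it tests against are constructed in the script (no real document is read except when you pass one on the command line).

```python
"""Print only the header metadata of an OLE2/compound document.

Added example for the thread above; not ClamAV code.  The MS-CFB header
layout is used as published; build_header() fabricates headers for testing.
"""
import struct
import sys

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
HEADER_LEN = 512


def ole2_header_info(data: bytes) -> dict:
    """Decode the fixed compound-file header.

    Only header metadata is returned; no stream content is read, so the
    result is safe to paste into a bug report about a confidential file.
    """
    if len(data) < HEADER_LEN or data[:8] != OLE2_MAGIC:
        raise ValueError("not an OLE2 compound document")
    minor, major, byte_order, sector_shift, mini_shift = struct.unpack_from(
        "<HHHHH", data, 0x18)
    (fat_sectors, dir_start, _txn, mini_cutoff, minifat_start,
     minifat_sectors, difat_start, difat_sectors) = struct.unpack_from(
        "<8I", data, 0x2C)
    return {
        "version": f"{major}.{minor}",
        "little_endian": byte_order == 0xFFFE,
        "sector_size": 1 << sector_shift,        # the "big block size"
        "mini_sector_size": 1 << mini_shift,
        "fat_sectors": fat_sectors,
        "dir_start_sector": dir_start,
        "mini_stream_cutoff": mini_cutoff,
        "minifat_start_sector": minifat_start,
        "minifat_sectors": minifat_sectors,
        "difat_start_sector": difat_start,
        "difat_sectors": difat_sectors,
    }


def is_unusual(info: dict) -> bool:
    """Version 3 files use 512-byte sectors and version 4 files 4096-byte
    ones; anything else is a layout a parser tuned on common documents
    may never have seen, which is what the ClamAV warning is about."""
    expected = {"3": 512, "4": 4096}
    return expected.get(info["version"].split(".")[0]) != info["sector_size"]


def report(data: bytes) -> str:
    """Plain-text summary suitable for a bug report."""
    info = ole2_header_info(data)
    lines = [f"{key}: {value}" for key, value in info.items()]
    lines.append("unusual layout: " + ("yes" if is_unusual(info) else "no"))
    return "\n".join(lines)


def build_header(major: int, sector_shift: int, mini_shift: int = 6) -> bytes:
    """Constructed header for testing; not taken from any real document."""
    hdr = bytearray(HEADER_LEN)
    hdr[0:8] = OLE2_MAGIC
    struct.pack_into("<HHHHH", hdr, 0x18, 0x3E, major, 0xFFFE,
                     sector_shift, mini_shift)
    end_of_chain = 0xFFFFFFFE
    struct.pack_into("<8I", hdr, 0x2C, 1, 1, 0, 4096, end_of_chain, 0,
                     end_of_chain, 0)
    return bytes(hdr)


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:
        print(report(fh.read(HEADER_LEN)))
```

Run it as `python3 ole2hdr.py "Seguimiento ... carta.doc"`; the output contains nothing from the document body, only the sizes and sector numbers the parser needs to reproduce its decision.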





[Clamav-users] i386 precompiled or compiling on i686. Is there a difference in performance?

2004-07-07 Thread Samuel Benzaquen
Hello all,

We have been using dag's i386 rpm and we're wondering if there are some
optimizations done for >i686 processors that would make it worth compiling it
ourselves. (Or asking dag to compile some in i686 ;)

Thanks,

Samuel Benzaquen





RE: [Clamav-users] Idea for more timely virusdb updates

2004-08-11 Thread Samuel Benzaquen
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Dennis
> Peterson
>
>
> Jeremy Kitchen wrote:
> > On Tuesday 10 August 2004 02:41 pm, Damian Menscher wrote:
> > [snip: using a program delivery to process update mailing list mails]
> >
> >>With sendmail, you could add to /etc/aliases something like:
> >>clamav-updates  | sigtool --add
> >
> >
> > that's the ticket.
> >
> >
>
> And a cool little DOS tool. Nothing like a well-known email
> address for a little
> fun having. I imagine the blackhats will slam that rather quickly.
>

The list can have a simple algorithm to filter any 'easy' or mnemonic
email address that's trying to subscribe. That way we can reduce the problem.

Concerning cvd corruption because of malformed patches, I think that the
updater could back up some old states of the sig file in order to have the
possibility to downgrade without downloading sigs again (manually or
something).
In any case, the patch can always have a 'before MD5' and an 'after MD5',
just to be sure.

Another idea to save bandwidth (in a pull fashion) could be to download
instead of:
daily.cvd
something like:
daily.cvd?myver=XXX&MD5=XX

Where _myver_ and _MD5_ are my sigfile's version and its MD5 respectively.
The server could make a patch to the last version in real time and send it,
instead of sending the 'big' file. The realtime patch could be done by cat'ing
all patches needed together or by already having created all the respective
daily_fromN_toCURRENT.cvd patches.
Could also be implemented directly into main.cvd.

Brainstorming is great... as long as I don't have to code the resulting ideas ;)

Thanks to all for these great bits.

-Samuel
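The 'before MD5' / 'after MD5' and keep-old-states-for-downgrade idea from the message above, worked through as an added example in Python. This is not ClamAV's update mechanism and not code from the thread: the patch layout (two checksums plus the lines to append), the class and function names and the sample signature lines are all assumptions made here to show the control flow. MD5 is used only because the thread names it; a real design would use SHA-256 and a signature over the patch, since a checksum carried inside the patch only detects corruption, not a substituted patch.

```python
"""Checksum-verified append-only patching with rollback.

Added example for the thread's brainstorm; the patch format is assumed,
not ClamAV's.  MD5 is kept because the thread talks about MD5.
"""
import hashlib
from dataclasses import dataclass, field
from typing import List


def digest(data: bytes) -> str:
    """Checksum of one database state."""
    return hashlib.md5(data).hexdigest()


@dataclass
class Patch:
    """Assumed layout: checksum of the state it applies to, checksum of
    the state it produces, and the signature lines to append."""
    before_md5: str
    after_md5: str
    appended: bytes


@dataclass
class SigDatabase:
    """In-memory stand-in for daily.cvd plus a short history of old states."""
    current: bytes
    backups: List[bytes] = field(default_factory=list)   # oldest first
    max_backups: int = 3

    def apply(self, patch: Patch) -> bool:
        """Apply only if both checksums match; never leave a half state."""
        if digest(self.current) != patch.before_md5:
            return False          # wrong base version, or already applied
        candidate = self.current + patch.appended
        if digest(candidate) != patch.after_md5:
            return False          # truncated, corrupt or substituted patch
        self.backups.append(self.current)
        del self.backups[:-self.max_backups]   # keep only the newest few
        self.current = candidate
        return True

    def rollback(self) -> bool:
        """Downgrade to the previous saved state without re-downloading."""
        if not self.backups:
            return False
        self.current = self.backups.pop()
        return True


def make_patch(old: bytes, new_lines: bytes) -> Patch:
    """Server side: the patch from version N to N+1."""
    return Patch(digest(old), digest(old + new_lines), new_lines)


def catch_up(db: SigDatabase, patches: List[Patch]) -> int:
    """Client side: apply the chain a 'daily.cvd?myver=N' request would
    return; stops at the first failure and reports how many applied."""
    applied = 0
    for patch in patches:
        if not db.apply(patch):
            break
        applied += 1
    return applied


# Constructed sample data; these are not real ClamAV signatures.
BASE = b"Test.Sig.One=aa\nTest.Sig.Two=bb\n"
```

Because `apply` checks the 'before' checksum first, a chain of patches is self-ordering: a patch for the wrong base is refused rather than appended twice, which is what makes the concatenated-patches idea in the message safe.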





RE: [Clamav-users] contrib/init/RedHat suggested patch

2004-08-17 Thread Samuel Benzaquen

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of
> [EMAIL PROTECTED]
>
>
> Damian Menscher wrote:
> > For most mailserver admins, the danger of losing our jobs
> > is much greater if we tempfail all incoming mail due to a clamav crash
> > than is the danger of losing our jobs due to a couple of viruses leaking
> > through.
>
> s/most/some/;
>
> Spoken as one who has never gotten burned by a virus.  Many
> organizations have their strongest anti-virus protection at the
> perimeter.  Once through ClamAV, viruses can spread like wildfire.
>

True for organizations/companies where you can have a downtime because of
'security reasons'.
But for ISPs, mail has to be _always_ up, no matter if virus/spam blocking
is active or not.

-Samuel





RE: [Clamav-users] JPEG vulnerability

2004-09-17 Thread Samuel Benzaquen
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Daniel
> Lord
>
>
> Those signatures don't catch the poc xploit found at
> http://www.gulftech.org/?node=downloads. But maybe it's better to
> leave this alone till there are real worms etc. to produce good
> signatures. At the moment clamav sigs don't seem good enought to
> catch this. (No support for absolute offsets)
>

I think it is really good for ClamAV's name to be able to catch the worms
even before they are created...
It seems really cool to me.

-Samuel





RE: [Clamav-users] ERROR: JPEG.Comment

2004-09-30 Thread Samuel Benzaquen
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Bart
> Silverstrim
> Sent: Thursday, September 30, 2004 7:50 AM
>
>
> On Sep 30, 2004, at 3:26 AM, Damian Menscher wrote:
>
> > On Wed, 29 Sep 2004 [EMAIL PROTECTED] wrote:
> >> ... It's interesting that viruses are finally starting to implement
> >> what
> >> we were joking about in 1995 at high school...
> >
> > I'm impressed with how far we've come.  Less than a year ago, I could
> > most email viruses with simple procmail scripts.  Now even antivirus
> > products are having difficulty keeping up with the threats.
>
> But for the jpeg threat, as I understand it, patching systems *should*
> fix this so even if a "virus" does get loose on your system (jpeg
> virus), it shouldn't have an effect.  The problem is with the way it's
> interpreted by some libraries in Windows.  Slightly different than
> running an executable (who would have thought a few years ago that
> spreading a virus would be as simple as an anonymous email with a .exe
> attached saying, "This is neat, UsEr!  Run this program!"...AND THEY
> DO!?? AARGH!).

That's what happens to us for trying to make everything so easy =)

> Once all bazillion Windows machines are patched by all the users on the
> planet who know more about their computer than where the on/off switch
> is, this "jpeg virus" threat will be a minor footnote in computer
> history.
>

That's not going to happen. I still get Blaster attempts on my network =@

> You do realize, of course, in several years there's a distinct
> possibility that this will turn into a "minefield" with otherwise
> harmless jpegs (to some platforms) winding up on web pages for viewing.
>   Some people patch, some don't, eventually...*foom*...infected on those
> systems the user never patched.  This will be happening five years from
> now.

Not counting that this is a real virus. A piece of code that could
potentially insert itself into legitimate code/data. There could be one
JPEG that infects all other JPEGs!
This could really be a threat on an unprotected web server.
Imagine a user uploading an image, then the admin just browsing the folder
(with thumbnails or something) and BLUM! All the images on the web server are
infected!

> The only way to really "fix" it is to either A) fix the libraries with
> the problem or B) create a screen program that processes EVERY jpg,
> resaving them in a "stripped" form so the executable code won't exist
> in the new copy, and forward it or present it to the user...this would
> have to be done like some kind of web browser plugin or something of
> that nature.

I think that you can't assume A), so you have to do B).

> At least, those are two ideas I see as possible.  The second one would
> be a real PITA, though.  Both require users to update their systems or
> antivirus programs or spyware programs  Here's another
> thing...what's with spyware and viruses mixing now?  Five years ago
> viruses were viruses, slimy company advertising was slimy company
> advertising.  Now, my Windows antivirus is picking up "trojan" adware
> and viruses and my spybot is searching for Bagle?!?  This is getting
> bloody crazy.  Now that virus vectors are coming through email rather
> than just sharing programs, and are increasingly shifting towards
> infection via web browsing, how long before Clam will need to be run
> with some sort of web proxy plugin via Squid??  But now I'm just
> ranting...
>

As I remember... there IS a plugin for using Clam on Squid =P

This world is not getting any easier... but if it were we would be
unemployed =).

Regards,

-Samuel

___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


RE: [Clamav-users] Comment on TCP option in clamd

2004-11-04 Thread Samuel Benzaquen


> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Andy Fiddaman
> Sent: Thursday, November 04, 2004 6:49 AM
>
>
>
> On Wed, 3 Nov 2004, Jason Haar wrote:
>
> ; Hi there
> ;
> ; I think the TCP option needs some more explicit documentation, as I have
> ; begun seeing RPMs of clamav where the Socket option is
> *disabled* and the
> ; TCP option is *enabled* as the defaults.
> ;
> ; As far as I'm aware, that is *not* a good idea. Not only are there now
> ; network security issues you should attend to, but the TCP
> option IS ALWAYS
> ; SLOWER THAN THE SOCKET MODE (please tell me if I am wrong).
> From what I can
> ; gather, clamdscan has to pipe the entire file/directory to
> clamd over TCP -
> ; whereas it only has to tell clamd where the file/dir is over Sockets.
>
> What we're talking about here in just the control connection
> between clamdscan
> and clamd.  There is actually no functional difference between
> the two modes;
> clamdscan can instruct clamd to scan a named file/directory OR
> ask it to open a
> TCP port over which to accept a file with both control socket options.
>
> There is a slight speed difference in communicating over a unix
> domain socket
> rather than inet domain but, for the amount of data that's actually
> communicated over this, it's extremely slight and insignificant
> against the
> greater overhead of actually doing the scan.
>
> However, I agree with you from the security point - I'd rather that no
> TCP ports were opened by default by installing the RPM.
>

I agree... having clamd listening over TCP *with no restriction over the
network* is vulnerable to a DoS attack, as _any_ client could inject a lot of
scanning on the server. Even more so if it is a home user PC that connects
directly to the Internet...

- SamSam
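The two clamd.conf shapes the messages above are arguing about, side by side, as an added example (not the RPM's shipped config and not anything posted in the thread). The option names are the ones clamd.conf of this era documents; the numeric limits are assumed values to tune per host.

```conf
# --- weak: the packaged default Jason Haar describes ----------------------
# Any host that can reach port 3310 may submit scan jobs (and STREAM data),
# so a single client can keep every scanning thread busy.
TCPSocket 3310
# (no TCPAddr, no LocalSocket)

# --- hardened: what a mail host with the milter on the same box needs -----
# Talk to clamav-milter / clamdscan over a Unix socket; nothing on the wire.
LocalSocket /var/run/clamav/clamd.sock
# If a remote client really must use TCP, bind to loopback (or the mail
# network's own address) instead of every interface.
#TCPSocket 3310
#TCPAddr 127.0.0.1

# Cap what one client can make clamd do (assumed values; tune per host).
MaxThreads 20
MaxConnectionQueueLength 30
StreamMaxLength 10M
MaxDirectoryRecursion 15
ArchiveMaxFileSize 10M
ArchiveMaxRecursion 5
ArchiveMaxFiles 1000
```

The limits only bound the damage per request; the fix for the DoS Samuel describes is not exposing the port at all, so pair this with a host firewall rule that drops 3310/tcp from anything other than the mail hosts that are supposed to use it.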

___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


RE: [Clamav-users] ClamAV and Exchange mailboxes...

2004-11-09 Thread Samuel Benzaquen
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Tim Howell
> Sent: Tuesday, November 09, 2004 3:44 PM
>
>
> [EMAIL PROTECTED] wrote:
> > On Mon, 8 Nov 2004 [EMAIL PROTECTED] wrote:
> >
> >> Tim Howell wrote:
> >>> Have any of you thought of what it would take to use Clam to scan
> >>> mailboxes stored on an Exchange server?
> >>
> >> Hmmm...
> >> Get a list of mailboxes via LDAP
> >> Connect to each mailbox in turn using Mail::IMAPClient Walk through
> >> all folders in the mailbox Download each mail item to a temporary
> >> file Scan the file Accumulate an infection report
> >
> > (next time I read all my mail before responding top-down ;)
> >
> > Tim has a good point and for an exchange-specific application this
> > would probably be more efficient than a popwatch-type implementation.
>
> The IMAP idea was actually Matthew's, but I'm working on an
> implementation now.  I don't know if it will prove useful or not, but a
> couple of quick experiments with my own mailbox make me think that it
> just might work.  =)
>

Doesn't that idea force you to have everyone's password to connect via the
IMAP server?

-SamSam

___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


RE: [Clamav-users] This is how I use ClamAV

2004-12-03 Thread Samuel Benzaquen
9
    45 HTML.Mydoom.email-gen-2
    44 Worm.Nyxem.C
    27 HTML.Phishing.Bank-52
    24 Exploit.HTML.Bagle.Gen-7-eml
    21 Exploit.HTML.Bagle.Gen-4-eml
    20 Worm.Wurmark.A
    19 Yaha.K
    18 HTML.Phishing.Bank-3
    18 Worm.Mydoom.T
    17 Worm.SomeFool.P.2
    16 HTML.Phishing.Bank-22
    13 Worm.Nyxem.D
    13 Worm.SomeFool.F
    12 HTML.Phishing.Bank-37
    10 HTML.Phishing.Bank-12
    10 W95.Dupator.1503
     9 Worm.Mydoom.H
     8 Exploit.HTML.Bagle.Gen-8-eml
     7 Worm.SomeFool.Z-msg-2
     7 Worm.Dumaru.Y
     7 Worm.SomeFool.N
     6 HTML.Phishing.Auction-3
     6 HTML.Phishing.Auction-2
     6 Trojan.Dropper.JS.Mimail.B
     5 Worm.P2P.Darby.Gen
     4 HTML.Phishing.Bank-49
     4 Worm.Bugbear.E-1
     4 HTML.Phishing.Bank-45
     4 Worm.SomeFool.M
     4 HTML.Phishing.Auction-4
     3 HTML.Phishing.Bank-28
     3 Worm.Mabutu.A
     3 Exploit.IFrame.Gen
     3 Worm.Sobig.A
     3 W97M.Pri.A
     3 Oversized.Zip
     2 Worm.Nyxem.B
     2 CIH.2
     2 Worm.MyDoom.H-2
     1 Exploit.HTML.ObjectData
     1 Joke.W32.Amigo
     1 Joke.Xmas
     1 W97M.Aquiles
     1 Joke.CokeGift
     1 Trojan.Dropper.JS.Zerolin-6
     1 Worm.SomeFool.R.2
     1 Trojan.Dropper.JS.Zerolin-7
     1 Worm.P2P.Darby.O
     1 W32.Magistr.B2
     1 Exploit.HTML.Bagle.Gen-1-eml
     1 Worm.Lovgate.R
     1 Worm.SomeFool.K
     1 Dialer.StarDialer-4
     1 Worm.Yaha.G
     1 Worm.Torvil.D
     1 Worm.Sircam
     1 W97M.Marker.C.2
     1 Trojan.Downloader.Small-165
--
330556

You can guess our monthly stats.
We have more than 4 million mails daily, 150 clamav-milter and 26 clamd
threads concurrently per server on peak hour.

Regards,

Samuel Benzaquen

___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


RE: [Clamav-users] RE: Re: This is how I use ClamAV

2004-12-06 Thread Samuel Benzaquen


> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Jeremy
> Kitchen
> Sent: Friday, December 03, 2004 11:51 AM
> To: ClamAV users ML
> Subject: Re: [Clamav-users] RE: Re: This is how I use ClamAV
>
>
> On Friday 03 December 2004 09:44 am, Kiril Todorov wrote:
> > Ian Lewis wrote:
> > > That is very interesting information Samuel. I shall be interested to
> > > compare it to my own data.
> > >
> > > We quarantine our emails just in case there are any which are
> genuine but
> > > holding viruses. Not very likely but you never know.
> > >
> > > Do I understand from what you say that having identified 4 million
> > > viruses you reject them and they go 'back' to the often
> spoofed sender,
> > > still capable of causing trouble?
> >
> > I belive he meant rejected at SMTP level with a permanent error code
> > (5.x.x)
>
> in which case, the only way they would go to an innocent third
> party is if
> they were relayed through another smtp server, and that's Somebody Else's
> Problem, because if that other smtp server had rejected the virus in the
> first place, you wouldn't have had to reject the message yourself.
>
> Any legit emails that get rejected because of infections (false
> positive or
> not) should go back to the original sender without any problems.
>

That's just what I meant =)
I don't like the idea of adding to quarantine 300K viruses daily 'just in
case' and then use the helpdesk to help people recover their messages.

-Samuel

___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


RE: [Clamav-users] Re: This is how I use ClamAV

2004-12-06 Thread Samuel Benzaquen
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Matias Lopez
> Bergero
> Sent: Friday, December 03, 2004 2:40 PM
>
>
> > We use Sendmail 8.13.0 (since 8.12.11) + Clamav-milter + Clamd.
> > No quarantine, no postmaster/sender/recipient notice, just
> reject messages.
> > Centralized freshclam on two servers at different times
> (minutes 23 and 53
> > respectively). OnUpdate it propagates via sftp to the other 9 servers
> > (including the other one that runs freshclam, so it doesn't
> have to update
> > again). OnUpdate & OnError sends a message to postmaster.
> >
> > You can guess our monthly stats.
> > We have more than 4 million mails daily, 150 clamav-milter and 26 clamd
> > threads concurrently per server on peak hour.
>
> Damn,
> That's the kind of things that makes me fell like I'm managing a coffee
> maker :-P
>

Don't feel bad. If my coffee maker went offline... =O N =O I can't
even think about it!
Rather having coffee than mail ;P

-Samuel

___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


RE: [Clamav-users] How does freshclam execute OnUpdateExecute program?

2004-12-15 Thread Samuel Benzaquen
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of C. Bensend
> Sent: Wednesday, December 15, 2004 10:31 AM
> To: [EMAIL PROTECTED]
> Subject: [Clamav-users] How does freshclam execute OnUpdateExecute
> program?
>
>
>
> Hey folks,
>
>I'm working on a new server, and things are running beautifully.  I
> did, however, notice something I thought was a little odd...
>
>I wrote a pair of shell scripts that will email me an alert when
> freshclam updates the database successfully, and also if it fails.  I
> tested, and it worked perfectly.
>
>... Until I set the user (_qscand) that clamd/freshclam run as to
> have a restricted (/sbin/nologin) shell, that is.  Then, I didn't get
> any further alerts.  Just to make sure I wasn't smoking the bad crack,
> I changed the shell back to bash, and I got alerts again.
>
>How does freshclam actually execute this command?  Is there a way
> around this?  I'd rather run that user without a real shell if possible.
> If not, no huge deal, but it would be nice.
>

This is the way I do it:
OnUpdateExecute BASH_ENV=~clamav/.bashrc HOME=~clamav
/usr/local/bin/propagate_bd_clamav.sh | mail [EMAIL PROTECTED] -s "Freshclam
update $HOSTNAME"
OnErrorExecute tail /var/log/clamav/freshclam.log | mail [EMAIL PROTECTED] -s
"Freshclam error $HOSTNAME"

propagate_bd_clamav.sh is a /bin/bash script that propagates the cvds to
other servers via sftp. That way they don't have to download it again. It
prints out its results to stdout, so it gets delivered by mail to
[EMAIL PROTECTED]
User clamav doesn't have a valid shell and I had to add the env variables to
make it work.

Regards,

-Samuel

___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


RE: [Clamav-users] initial configure

2005-01-13 Thread Samuel Benzaquen
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Arkady
> V.Belousov
>
> >> M>  I failed to remember it was a geographically inclined selection :)
> >>  ? How access to free AV databases may/should depend from
> >>  geography?!
> >> Why database.clamav.net resolved to servers, where one doesn't not
> >> contain anonymous access, other protect anonymous by unknown password?
> M>  For load balancing and closer connects.
>
>  "Closer"? How Austrialia close to Japan (where resides ftpmail robot,
> which I use)?
>

The term 'closer' is related to the Internet and Australia is closer to
Japan than the US or something on the other side of the world.

> M> ftp ftp://anonymous:[EMAIL PROTECTED]
> M>   ^username ^password
> M>  The above works fine, tested by myself.
>
> __O\_/_\_/O__
>   open database.clamav.net anonymous anonymous
> Connecting to database.clamav.net
>  220 ProFTPD 1.2.10 Server (thor.raimei.co.jp) [219.106.255.66]
>  ---> USER anonymous
>  331 Password required for anonymous.
>  ---> PASS 
>  530 Login incorrect.
>  Failed to login
> _
>   O/~\ /~\O
>
> Also, where to find ClamAV databases? One server, which answers,
> shows next
> directories (which not looks related to ClamAV):
>

It's been said that the service the ClamAV team is giving is HTTP sites for
update downloads. When a mirror is added it is just a Virtual Domain with
Host Headers. It doesn't need to have its own IP address.
I'm just guessing that those sites happen to respond to FTP requests because,
and just because, they share the same IP with some FTP site the admin of the
site is running, not because it is related to it. That's why there is no
standard about username and password on those FTP sites, nor can you find the
cvd files in their structure.
The official mirrors are giving the updates through *HTTP*. That's *HTTP*, not
any other protocol. You should read the mirror doc
(http://www.clamav.net/doc/mirrors/clamav-mirror-howto.txt)

I've been reading this thread and I think you are not getting the point of
this project.
ClamAV is a virus 'detection' software designed to run on '*nix' for
filtering 'email'.
There are other projects that are on top of ClamAV like ClamWin that can run
it on a Windows machine. Nevertheless, it doesn't have an online access
scanner which I think is the feature you are looking for.

Regards,

-Samuel

___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


RE: [Clamav-users] initial configure

2005-01-14 Thread Samuel Benzaquen
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Arkady
> V.Belousov
>
> SB> I'm just guessing that those sites happen to respond FTP
> request because,
> SB> and just because, they share the same IP with some FTP site
> the admin of the
> [...]
> SB> The official mirrors are giving the updates thru *HTTP*.
> That's *HTTP*, not
> SB> any other protocol.
>
>  What bad with giving read access to bases thru ftp? Especially, this
> requires neither any investment, nor change the program?
>

Just for the record. Anonymous FTP is not free, because you have to have an
IP address for it that cannot be shared with any other anonymous FTP site.
On the other hand, you can have an anonymous HTTP site using Host Headers
just by adding a DNS entry for that IP, and this one can be shared with your
already up and running site without any trouble.

-Samuel

___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


RE: [Clamav-users] ClamAV Install

2005-01-21 Thread Samuel Benzaquen
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Mal Herring
> 
> 
> Hello ClamAV-Users,
> I am running Clam on a Gentoo box, However the latest version is not yet
> in Portage...
> 
> Does anyone know how much of a mission it would be to "un-merge" my
> current .80 version and install the latest from source ?
> 
0.80 is the latest release.
0.81rc1 is just a Release Candidate.
I'm guessing that's why it hasn't been updated on the portage tree.

Regards,

Samuel

___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


RE: [Clamav-users] updateerror

2005-01-31 Thread Samuel Benzaquen

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of jijo
> Sent: Sunday, January 30, 2005 7:05 AM
> To: clamav-users@lists.clamav.net
> Subject: [Clamav-users] updateerror
> 
> 
> I have ClamAV 0.80-2 and I want to update it to clamAV 0.81-2
> I have installed it thrgh the RPM packets when it try to update i 
> am getting
> the error like
> this
> 
> warning: clamav-0.81-2.i386.rpm: V3 DSA signature: NOKEY, key ID 6cdf2cc1
> error: Failed dependencies:
> zlib >= 1.2.1.2 is needed by clamav-0.81-2
> clamav = 70:0.80-2 is needed by (installed) clamav-devel-0.80-2
> clamav = 70:0.80-2 is needed by (installed) clamav-milter-0.80-2
> 

This only tells you that you need to install:
- A new zlib RPM that's 1.2.1.2 or newer.
- And the packages clamav-devel and clamav-milter that depend on clamav.

I suggest you to remove the current installation first.
rpm -e clamav clamav-milter clamav-devel

and then installing the new one.

Regards,

-Samuel
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


RE: [Clamav-users] Failed to delete X-Virus-Status header 1

2005-02-01 Thread Samuel Benzaquen
> 
> At the risk of showing my ignorance...what is a CVS, and how does one go 
> about applying one?
> 

You can never be ignorant if you have the Internet on your hands ;)
You can read some about it here:
http://en.wikipedia.org/wiki/Concurrent_Versions_System

-Samuel
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


RE: [Clamav-users] No announcement of 0.83 on clamav-announce ML

2005-02-16 Thread Samuel Benzaquen
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Hal Goldfarb
> Sent: Tuesday, February 15, 2005 9:41 PM
>
> I am trying to play by the rules, honest.  Can you instruct me on how to
> properly be informed of clamav code updates?   I also think RPM binaries
> should be made available before an official release.  There are
> probably a
> lot of people out there who are not CVS and/or build savvy, but want to
> support you all in your efforts to provide the world with a free and open
> anti-virus tool.
>

I'd rather wait a couple of days for some packager to kindly make the
rpm/ebuild/etc for me and let the development team focus on what they do:
develop!
Asking them to do packages as well will only make the whole process slower
and nobody wants that.

This product is designed for _mail servers_, which means that it will be used by
_sysadmins_ who should know how to unpack/configure/make/make_install. We
here use crash's srpm just for convenience (that is SRPMS =). We compile the
program for our needs, but since we use Fedora, we like it to be all about
RPMs.

If your system is so important that it needs to be upgraded as fast as possible,
you should ask for some paid support (not from the clamav team, but from some
third party). I guess your system is worth it.

-Samuel

___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


RE: [Clamav-users] freshclam question

2005-02-17 Thread Samuel Benzaquen


> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Allan
> Joergensen
> Sent: Thursday, February 17, 2005 9:16 AM
> To: clamav-users@lists.clamav.net
> Subject: [Clamav-users] freshclam question
>
>
> Hi,
>
> in order to insure that the database is always up to date I'm trying to
> use OnErrorExecute/OnUpdateExecute to generate alerts in our monitoring
> system, so far with little luck.
>
> I've tried both OnUpdateExecute logger -t .
> and OOnUpdateExecute /path/to/script none of them seems to work.
>
> I see no obviuos reasons why this isn't working.
>

You have to know that even if you run freshclam with root, it setuid's to
the clamav user.
That said, you have to be sure that that user can log (have homedir and
stuff) and run the script.

In my case I had to add some env vars to run the script. It wasn't easy to
debug. It's a really weird problem.
This is our line on the freshclam file:
OnUpdateExecute BASH_ENV=~clamav/.bashrc HOME=~clamav /some/script.sh | mail
[EMAIL PROTECTED] -s "ClamAV updated $HOSTNAME"
The OnError line was much easier:
OnErrorExecute tail /var/log/clamav/freshclam.log | mail [EMAIL PROTECTED] -s 
"ClamAV
Error $HOSTNAME"

Regards,

Samuel

___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


RE: [Clamav-users] Why did Clam Av Let this in?

2005-03-01 Thread Samuel Benzaquen
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Mark Penkower
> Sent: Tuesday, March 01, 2005 2:30 PM
> To: clamav-users@lists.clamav.net
> Subject: [Clamav-users] Why did Clam Av Let this in?
> 
> Why Did ClamAV let the file get to my mail server in the first 
> place.  Our 
> incoming Mail Server is the same as our outgoing mail server.

My guess is that the signature was added to virusdb between sends.
You can check it on clamav-virusdb mailing list.

-Samuel
___
http://lurker.clamav.net/list/clamav-users.html


[Clamav-users] Sendmail+CLMilter : Not detecting when forwarding virus mail...

2005-03-01 Thread Samuel Benzaquen
It's very strange...

1. I received one of those trojan.small variants this morning and wanted to
see if clamav can catch it now. So, what I did was to forward the mail to
myself and it was just accepted!
When checking the (new incoming copy of) the mail it says X-Virus-Status:
Clean.

2. I copied the .zip to some dir on the mail server and ran clamdscan on it
and it said
/var/tmp/trojan.msg: Trojan.Small-57-5 FOUND

3. I composed a new email message and attached the .zip file and tried to
send it and it was rejected.
4. I forwarded the first message again to myself and again it was ACCEPTED!

The mail client is Outlook 2K.
Clamav 0.81 (I know it's not the latest, but we want to wait for 0.84
because of the embedded MIME fix)
Sendmail 8.13
Linux Fedora Core 2

Does someone know why it is different when I just forward the message to
when I compose a new one ? (same attachment)

Thanks,

-Samuel



RE: [Clamav-users] Funny pathes

2005-03-11 Thread Samuel Benzaquen


> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Rainer
> Zocholl
> Sent: Friday, March 11, 2005 12:36 PM
> To: clamav-users@lists.clamav.net
> Subject: [Clamav-users] Funny pathes
>
>
>
> /tmp/clamav-178c630c01f4f986/usr/share/clamav-testfiles/clam.rar:
> ClamAV-Test-File FOUND
> /tmp/clamav-178c630c01f4f986/usr/share/clamav-testfiles/clam.zip:
> ClamAV-Test-File FOUND
> /tmp/clamav-235ce24142354262/usr/share/classpath/glibj.zip:
> Zip.ExceededFilesLimit FOUND
> /tmp/clamav-fbb1808681386c40/usr/share/classpath/glibj.zip:
> Zip.ExceededFilesLimit FOUND
>

My guess is that those are not *real* paths, but paths inside a tar.gz or
something.
If they were real there would be no reason to copy those files to
/tmp/clamav-*

-Samuel



RE: [Clamav-users] Report Phishing attacks?

2005-03-21 Thread Samuel Benzaquen
>
> Yeah, people here keep telling me that, though they're not exactly
> communicative about why that is.  All I've read is "_I_ don't need what
> you are proposing, so shut up" or just plain "shut up".  Little substance,
> not very helpful, and certainly no reason for me (or anyone!) to stop
> bringing up the issue.
>

I think the problem is simple math: a finite number of devs with finite time.
They have to use it on what they think will be most productive for the
majority of us.
The problem is that if you add another category to what it is supposed to
block, they will spend more time making sigs than they are spending now,
which means that they will spend less time coding new and better features.

I can also say that they don't want to compete against commercial AV vendors,
as I have read here 2^32 times that we should use not _only_ clamav, but a
list of AVs to improve the chances of catching malware.

Just a thought,

-Samuel



RE: [Clamav-users] Will ClamAV always be an open source project ?

2005-04-06 Thread Samuel Benzaquen
> else) other people are free to pick up where they left off and
> continue updating ClamAV.
>
> You could even do this yourself if you wanted to ;)
>
> That's the nice things about Free Software

This is so true. Even if they systematically obliterate the mirrors (and
their devel PCs) I can assure you that someone, somewhere, has a copy of the
source code on their server/PC.
This kind of source code won't disappear easily ;)

-SamSam



RE: [Clamav-users] Virus Volumes

2005-04-14 Thread Samuel Benzaquen
>
> Doug Hardie wrote:
> > I have been running clamav for quite some time now.  For most of that
> > time I was receiving between 1500 and 2000 viruses per day.  However,
> > lately the number is down to about 200 per day.  I don't have any users
> > complaining about receiving viruses so I don't think there is a problem
> > with clamav.  Is the virus volume really decreasing?
> >
>

We've also seen it on our annual graph. I would post the link, but our
graphs require authentication... =(
Viral traffic on our network is now half of what it was in Nov 2004.

We have adopted a policy of blocking the ADSL connection of any of our
clients that is discovered to have a virus. It's a way of preventing the
blacklisting of our networks and controlling the viral activity on the Net.

-SamSam



RE: [Clamav-users] Can phishing be considered one kind of spam ?

2005-04-15 Thread Samuel Benzaquen
> 
> Sweet... here are my selections
> [x] viruses
> [x] phishing
> [x] spam
> [x] stupid jokes
> [x] urban myths
> [x] (company) will pay you $ for every person you forward this to
> [x] cute puppies
> [x] sob stories
> ...
> 
[x] completely useless messages from useful mailing lists

Oh, no! This message would have been rejected =P!

-SamSam


RE: [Clamav-users] benchmarks for a LARGE site?

2005-05-06 Thread Samuel Benzaquen

> [mailto:[EMAIL PROTECTED] Behalf Of Damian
> Menscher
>
> My silly university spent $0.5M on a commercial product to perform spam
> and virus filtering (they have the "if it costs that much, it MUST be
> good" mentality).  And, just after they put it into production, Sober.P
> came out and knocked it flat.  After a couple days with multi-hour email
> delays, people are pretty pissed.  And I smell opportunity
>

It's always nice to learn at universities... some people learn that they
messed up a half-million-dollar decision ;)

We had the same issue here with Exchange and some paid AV. It really didn't
let viruses pass, because when the landslide of viral mail came, the servers
collapsed =)

We set up some Linux/sendmail/clamav servers and we are now the enterprise
MX and smarthost to filter their mail.

> Could someone with a LARGE site (we have about 35,000 users) post what
> hardware they use for ClamAV, and how many messages/day it handles?
> I'd like to suggest they put it on a few PCs and have their relays
> contact the milter via a network socket in a round-robin fashion.  But
> it would be good to hear people's experiences with something on this
> large of a scale before I make the proposal.
>

We have nearly 4M messages and about 600K viral messages per day on four:
 - 2 x Intel(R) Xeon(TM) CPU 2.40GHz (HT) (4 virtual processors)
 - 2GB RAM
These servers don't do delivery; they are just the MXs, filtering incoming
mail and relaying to internal servers.
They have an avg CPU% of 20% and avg/peak load of 1/10.

We also have a similar setup as the smarthost, filtering outgoing mail and
relaying to the world.

-Samuel



[Clamav-users] DNS server used for dynamic resolution

2005-05-11 Thread Samuel Benzaquen
Hi,

I have spent a couple of hours looking on Google and the lists to see if it
has been asked, and it beats me.
Is there anywhere I can read about the DNS server software that
db.local.clamav.net uses? How does it resolve the name depending on the IP
address of the client?

Thanks,

-Samuel



RE: [Clamav-users] DNS server used for dynamic resolution

2005-05-12 Thread Samuel Benzaquen
> -Original Message-
> From: [EMAIL PROTECTED]
>
> [EMAIL PROTECTED] wrote:
> > Hi,
> >
> > I have spent a couple of hours looking on Google and the lists to see
> > if it has been asked, and it beats me.
> > Is there anywhere I can read about the DNS server software that
> > db.local.clamav.net uses? How does it resolve the name depending on the
> > IP address of the client?
> >
> > Thanks,
> >
> > -Samuel
>
> http://www.squish.net/dnscheck/
> look up "db.local.clamav.net" record type "ANY"
>
> ns1.clamav.net   69.61.68.204    BIND: 9.2.5
> ns2.clamav.net   207.201.202.73  BIND: 9.2.1
> ns3.clamav.net   195.70.36.141   BIND: 9.3.1
> ns4.clamav.net   80.69.66.9      BIND: 9.2.3
> ns5.clamav.net   213.92.8.2      BIND: 9.3.1
>
> Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902

I still can't figure out how BIND can know which IP belongs to which
country.
Is there a network list organized by country, or does it do a whois on a
per-query basis?

I know this is not a BIND list, but since clamav uses it... I'm just
curious.

-Samuel



RE: [Clamav-users] Upgrade to 0.85 or wait for 0.86

2005-05-12 Thread Samuel Benzaquen
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Matt Fretwell

>  And yes, I will echo what Tomasz said in this regard. These
> gentleman|lady admins are paid to keep these systems in prime working
> condition, inclusive of updates for new threats or security exploits.
> Period. That is why they are called (I.T|Network) Administrators.
>

You are right. We are paid.
Our time is company money, and if the product needs too much admin time, then
it is not that _gratis_ as we presented it to our bosses in the first place.
And as this is not the only platform we run, it is not that crazy to skip one
or two versions of clamav, if they come too close together, to use that
upgrade time on other platforms/projects.
There is always something that has to be upgraded/updated. What will be the
next thing taken care of will be decided by the priorities of the people
who hold the money.

I'm not saying that the devs should not release a new version fast to fix
some specific bug. I'm just saying that we can't always be on the latest
version.

All that arguing aside, I have to say that this product is great.
We will be evaluating it for desktop (M$) use the moment it has a realtime
scanner, and we are also evaluating the purchase of some of those hw
accelerators for mail scanning when 0.90 comes out.

Thank you guys,

-Samuel



RE: [Clamav-users] DNS server used for dynamic resolution

2005-05-12 Thread Samuel Benzaquen
> > > http://www.squish.net/dnscheck/
> > > look up "db.local.clamav.net" record type "ANY"
> > >
> > > ns1.clamav.net   69.61.68.204    BIND: 9.2.5
> > I still can't figure out how can BIND know which IP belongs to which
> > country.
>
> It's impossible. We just _try_ to do that. Our primary goal is to
> distribute the load among mirrors. The secondary goal is to redirect
> most of the clients (not 100%!) to the nearest mirror.

You tried BIND?
I guess it should be resolving the queries itself.
Forwarding the queries to a dynamic DNS would not work, because it will see
queries coming from the BIND server and not from the client.

> > Is there a network list organized by country or does it do a
> whois on a per
>
> yes
>

Yeah, I found out about GeoIP. Just put the CSV into a MySQL DB and it works
great.

-Samuel
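The "network list organized by country" discussed in this thread is a table of address ranges with a country per range, and a lookup is a binary search over the range starts. The following is an added example, not code from the list post, from ClamAV or from BIND, showing that lookup over a constructed CSV in the old GeoIP "start IP, end IP, country" layout (the ranges and country codes below are made up, not real allocations):

```python
"""Country lookup from a GeoIP-style CSV of IP ranges.

Added example: a table of (first IP, last IP, country) rows searched with
bisect, the same shape of data that a DNS server or a MySQL table would use
to pick a mirror by client address. SAMPLE_CSV is constructed for this
example; the ranges and country codes are not real allocations.
"""
import bisect
import csv
import io
import ipaddress

# Constructed sample in the "start IP, end IP, country code" layout of the
# old GeoIP CSV downloads. Ranges must not overlap.
SAMPLE_CSV = """\
"10.0.0.0","10.0.255.255","AA"
"10.1.0.0","10.1.0.127","BB"
"192.0.2.0","192.0.2.255","CC"
"198.51.100.0","198.51.100.255","DD"
"""


def load_ranges(text):
    """Parse the CSV into parallel lists (starts, ends, countries) sorted by start.

    Integers are used so that bisect can search the starts in O(log n).
    Overlapping ranges are rejected because a lookup would be ambiguous.
    """
    rows = []
    for start, end, cc in csv.reader(io.StringIO(text)):
        lo = int(ipaddress.IPv4Address(start))
        hi = int(ipaddress.IPv4Address(end))
        if hi < lo:
            raise ValueError("range end before start: %s-%s" % (start, end))
        rows.append((lo, hi, cc))
    rows.sort()
    for (_, hi1, _), (lo2, _, _) in zip(rows, rows[1:]):
        if lo2 <= hi1:
            raise ValueError("overlapping ranges in table")
    starts = [r[0] for r in rows]
    ends = [r[1] for r in rows]
    ccs = [r[2] for r in rows]
    return starts, ends, ccs


def lookup(table, ip):
    """Return the country code for ip, or None if no range contains it."""
    starts, ends, ccs = table
    n = int(ipaddress.IPv4Address(ip))
    i = bisect.bisect_right(starts, n) - 1   # last range whose start <= ip
    if i >= 0 and n <= ends[i]:
        return ccs[i]
    return None


TABLE = load_ranges(SAMPLE_CSV)

if __name__ == "__main__":
    for q in ("10.0.12.34", "10.1.0.200", "192.0.2.77", "203.0.113.5"):
        print(q, lookup(TABLE, q))
```

Loading the real CSV is the same call with the file contents; the overlap check matters because a table with overlapping rows silently answers with whichever row sorts first.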



RE: [Clamav-users] database number

2005-05-16 Thread Samuel Benzaquen

Matt Fretwell wrote:

>
> Rainer Zocholl wrote:
>
> > There are two flaws IMHO:
> >  - "Gray" should only be used for *un*important infos, but
> > it is used for important infos and worse main titles(!) too.
>
>  And I thought I rambled on about irrelevant things.

I don't see it as irrelevant as you do. The web page is the face to people
that don't know about the product.
A well presented web page can attract users just like any other quality of
the product.

>
> >  - Important infos should be visible with out scrolling.
> >If you click one item at top, nothing seems to change,
> >because all changes are shown below...
>
>  My, would you like someone to volunteer to press the down button for you?
> For goodness sake, someone has gone to the pain and trouble of designing
> the site, writing the documentation and making it all available, and your
> complaining about colours and having to scroll?
>

Don't go criticizing clamav.net's next volunteer web designer ;)

No, really... Maybe I don't feel what you're talking about because I have a
17" monitor with a resolution of at least 1024x768, but people on 800x600
could have problems noticing that the page actually changed (without the
#pagestart anchor). Maybe a smaller header could do the trick.

-Samuel



RE: [Clamav-users] Sendmail out of memory with clmilter

2005-05-20 Thread Samuel Benzaquen
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Elliot
> Mackenzie
> Sent: Friday, May 20, 2005 9:24 AM
> To: ClamAV users ML
> Subject: [Clamav-users] Sendmail out of memory with clmilter
>
>
> I have run into a problem with sendmail and clmilter.  Specifically, when
> sendmail is instructed to filter mail through clam (clmilter), telnetting
> to sendmail results in an "out of memory, unable to allocate memory"
> exception.  Sendmail itself is working because it works 100% when
> I remove
> clmilter.
>

How many concurrent connections do you have?
There is an issue with milters and the max number of threads on x86. Depending
on your OS version, there is some default value for the thread stack size.
Basically you can have 2^31/StackSize threads per process because of memory
management on Linux. It doesn't matter how much memory they actually use; the
virtual memory space in the process is reserved.

With Fedora's default (8192KB) there is room for about 256 threads. We
reduced the stack size (just for that process) to 2048KB to allow 4
times as many threads.

With `ulimit -s` you can see the size. With `ulimit -s 2048` you can set the
size.

Anyway... I wrote too much and I don't even know if this is your problem =)

-Samuel
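The check a practitioner wants after setting `ulimit -s` in an init script is whether the running daemon actually inherited it. The following is an added example, not from the list post: it parses the "Max stack size" row of /proc/<pid>/limits (the soft limit is what the default thread stack follows) and applies the post's 2^31/StackSize rule of thumb. The 2 GiB address-space figure is the post's and is passed as a parameter; SAMPLE_LIMITS is a constructed copy of the /proc file format with the 8192KB default.

```python
"""Read a process's effective stack limit and the thread ceiling it implies.

Added example. parse_limits() handles the /proc/<pid>/limits layout
(name, soft, hard, units, separated by runs of spaces); thread_ceiling()
is the post's address_space / stack_size estimate. ADDRESS_SPACE_32BIT
is the post's 2^31 figure for 32-bit user space.
"""
import re

ADDRESS_SPACE_32BIT = 2 ** 31

# Constructed sample of /proc/<pid>/limits with the 8192 KB stack default.
SAMPLE_LIMITS = """\
Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max stack size            8388608              unlimited            bytes
Max open files            1024                 4096                 files
"""


def _value(v):
    """'unlimited' becomes None, anything else an int."""
    return None if v == "unlimited" else int(v)


def parse_limits(text):
    """Return {limit name: (soft, hard)} from /proc/<pid>/limits text."""
    out = {}
    for line in text.splitlines()[1:]:          # skip the header row
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) < 3:
            continue
        out[cols[0]] = (_value(cols[1]), _value(cols[2]))
    return out


def stack_soft_limit(text):
    """Soft stack limit in bytes, or None if unlimited."""
    return parse_limits(text)["Max stack size"][0]


def thread_ceiling(stack_bytes, address_space=ADDRESS_SPACE_32BIT):
    """Upper bound on threads whose default stacks fit in address_space."""
    if stack_bytes is None:
        raise ValueError("stack limit is unlimited; glibc then uses an "
                         "architecture default, so the estimate does not apply")
    return address_space // stack_bytes


def process_limits(pid):
    """Live limits of a running process, e.g. the clamav-milter PID."""
    with open("/proc/%d/limits" % pid) as f:
        return parse_limits(f.read())


if __name__ == "__main__":
    import os
    soft = process_limits(os.getpid())["Max stack size"][0]
    print("stack soft limit:", soft)
    if soft is not None:
        print("32-bit thread ceiling:", thread_ceiling(soft))
```

Point process_limits() at the milter's PID rather than the shell's: the shell that started the daemon may show the new limit while the daemon, started by an init script that did not set it, still runs with the old one.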



RE: [Clamav-users] Re: Clamav-milter dies after working ok for somehours

2005-05-25 Thread Samuel Benzaquen

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Damian
> Menscher
>
> At least, that's the theory.  In practice, n_children isn't ever hitting
> 0, so it stays in the !accepting state forever.  For example, in the
> ktrace you posted, n_children dropped from 7 down to 2.  The fact that
> it never reached 0 is the entire problem.  Of course, nobody knows *why*
> it isn't reaching 0.  It might be from a hung scanner thread, or from a
> pthreads race condition, or even a locking issue.
>

Does sendmail reuse milter connections?
Since it does for SMTP sockets, my guess would be that it could be doing it
for milter sockets too.

-Samuel



RE: [Clamav-users] clamd lockup ?

2005-05-27 Thread Samuel Benzaquen


> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Matt Fretwell
> Sent: Friday, May 27, 2005 1:56 PM
> To: ClamAV users ML
> Subject: Re: [Clamav-users] clamd lockup ?
>
>
> Jason Frisvold wrote:
>
> > Hi all,
> >
> > The clamd process on one of my mail servers appears to have locked up
> > earlier today.  I was unable to restart or kill the process.  In fact,
> > I had to do a hard reset to fix the problem.
> >
> > So, Im wondering what steps I can take next time to a) determine why
> > clamd has locked up, b) gather sufficient debugging information for
> > the clamav team, and c) kill and restart the process without the hard
> > reboot.
> >
> > Can anyone give me some pointers?  I understand that there's not a lot
> > of information here.  I'm looking for what to do next time, assuming
> > there is a next time..  :)
>
>
>  If a 'kill -9' will not kill the process, I would say your problem lies
> elsewhere than with Clam. That would be more indicative of a hardware or
> OS problem.
>

If the process is trying some I/O on an unavailable, hard-mounted NFS
filesystem, then the process will not die with 'kill -9'.

Just a thought.

-Samuel



RE: [Clamav-users] ClamAV HW acceleration

2005-06-06 Thread Samuel Benzaquen


> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Timo Schoeler
> Sent: Sunday, June 05, 2005 6:06 PM
> To: ClamAV users ML
> Subject: Re: [Clamav-users] ClamAV HW acceleration
>
>
> furthermore it's a ecological *and* economical thing: for a large ISP,
> deploying two medium Suns (e.g.) with each four AV accels is much better
> than having hundrets of mediocre performing GNU/L*nux (or any other)
> boxens standing around which demand lots of space, generate a lot of
> heat and administration demands, etc.
>

According to them, it can give an 18X boost. Supposing they can achieve a 10X
boost, a $3000 server with a $3000 card could do the job of 10 x $3000
servers. $6000 is always less than $30,000.
And having to upgrade clamav on only 2 servers is nicer too.

> as always, YMMV. a small ISP may want to build a dedicated ClamAV
> machine which gets things to be scanned handed over, a large(r) ISP may
> draw a different picture.
>

That's right: if a single server can cope with your traffic, you don't really
need it. It depends on your needs.

-Samuel

> cheers,
>
> --
> Timo Schoeler | http://macfinity.net/~tis | [EMAIL PROTECTED]



RE: [Clamav-users] Re: Worm.Mytob

2005-06-08 Thread Samuel Benzaquen
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of René Berber
> Sent: Wednesday, June 08, 2005 4:00 PM
> To: clamav-users@lists.clamav.net
> Subject: [Clamav-users] Re: Worm.Mytob
>
>
> Pavel R. Levashov wrote:
>
> > I have a mail server (sendmail on RedHat 7.3) with clamav antivirus
> > (clamd version 0.85.1, clamav-milter version 0.85). Clamd updates its
> > antivirus bases regularly, clamav-milter catches all viruses except one:
> > Worm.Mytob. This virus is transparent for clamav-milter. The surprise is
> > that ClamWin 0.85.1 on Windows XP finds this virus at once. Could you
> > give me a piece of advise what is the reason of such behavior?
> >
> > Below are pieces of log files
> >
> > on RedHat Linux 7.3 from freshclam.log:
> > --
> > Received signal: wake up
> > ClamAV update process started at Wed Jun  8 22:33:09 2005
> > main.cvd is up to date (version: 32, sigs: 34720, f-level: 5, builder:
> > tkojm)
> > daily.cvd is up to date (version: 921, sigs: 753, f-level: 5, builder:
> > diego)
> > --
>
> Are you using clamav-milter with or without clamd?
>
> If you are using it with clamd then you should add (uncomment really)
> NotifyClamd in your freshclam.conf .  This may only solve the
> problem if clamd
> has been running a long time but not refreshing the database
> (since freshclam is
> not telling it to do it).
>

Nevertheless, clamd's SelfCheck would have reloaded the new database if it
was written to the right directory.
You can check the running version by sending the "VERSION" command to clamd's
socket.

You could be omitting some option in clamd's conf.

Is it with all Mytob sigs or some specific sigs?

-Samuel



RE: [Clamav-users] ERROR: Clamuko: Can't register with Dazuko

2005-06-08 Thread Samuel Benzaquen


> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Scott
> Woodford
> Sent: Wednesday, June 08, 2005 3:55 PM
> To: 'ClamAV users ML'
> Subject: RE: [Clamav-users] ERROR: Clamuko: Can't register with Dazuko
>
>
> Tim, not a problem.  Been a long day for me too, so I know how ya feel.
>
> I'd love to just replace that code and use it, but that doesn't
> seem to work
> for me.  All I want is a message box popping up, telling the user that a
> virus was found.  I've even tried "VirusEvent echo %v", which is a pretty
> simple, but that's not working either.  I hate being a newbie.
>

You could use xmessage to show a message in a window on X.

For example:
VirusEvent xmessage Virus found: %v

I have not used xmessage for a long time, so you should read the man page
for more customization.

-Samuel



RE: [Clamav-users] odd problem w/clamd

2005-06-10 Thread Samuel Benzaquen


> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of
> [EMAIL PROTECTED]
> Sent: Friday, June 10, 2005 4:21 PM
> To: ClamAV users ML
> Subject: Re: [Clamav-users] odd problem w/clamd
>
>
> and what of a virus zipped into a larger zip file? Since the largest
> message we'll accept is 100M, then that's what my StreamMaxLength is
> set at, per the comments in clamd.conf. on the other hand, it would
> take an awfully determined virus distributed to put their virus in
> such a large message.
>

I guess that if you check a 100MB email message which contains MIME/archives
that have to be converted and unpacked several times there could be a disk
bottleneck. Maybe you are suffering from I/O wait and it fixes itself when you
kill the thread that's analyzing that big email.

What has been said is that a self-replicating email virus generally comes in
a small email, because a 20MB virus would not fit anywhere =P. Setting
StreamMaxLength to 1MB or 2MB won't let any of these pass.

-Samuel



RE: [Clamav-users] Password protected ZIP's---howto?

2005-06-20 Thread Samuel Benzaquen
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Johnny Stork
> Sent: Monday, June 20, 2005 11:49 AM
> To: clamav-users@lists.clamav.net
> Subject: [Clamav-users] Password protected ZIP's---howto?
> 
> 
>Is there any way to get clamav to handle password protected 
> zip files? We
>receive and send many files as pw protected zips and since deploying
>clamav, they have all been flagged as viruses?
>Thanks
>If there is no way this can be done, what needs to change in the
>clamd.conf to allow them to go through?

Never underestimate the power of the man ;)

man clamd.conf

   ArchiveBlockEncrypted
          Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).
          Default: disabled

Check that option on your config.

-Samuel


RE: [Clamav-users] problem with clamav-0.85.1

2005-06-21 Thread Samuel Benzaquen

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of suneel cumar
> Sent: Monday, June 20, 2005 11:42 PM
> To: clamav-users@lists.clamav.net
> Subject: [Clamav-users] problem with clamav-0.85.1
>
>
> i have upgraded the clamav 0.74 to 0.85.1.
>

ClamAV has changed A LOT since version 0.74.
I suggest that you read and understand your config files completely.
These new config files won't even work if you don't edit them (that's on
purpose).

If you are using some binary distribution, there could be changes to the
default conf.

-Samuel



RE: [Clamav-users] virusDB update issue

2005-07-21 Thread Samuel Benzaquen

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of .rp
> Sent: Wednesday, July 20, 2005 4:40 PM
> To: ClamAV users ML
> Subject: Re: [Clamav-users] virusDB update issue
>
>
>
> > Hi all,
> >
> > I have one question about the virusDB updating. Supposely my clamd is
> > scanning for virus while libclamAV is updating the database. Does it
> > take effect immediately to my current scanning upon the completion of
> > the updating , or does it take effect on the next time I do the virus
> > scan and leave the current scanning with the outdated virus pattern?
> >
> >
> The updated database is not in use until the restart of clamav.
> You should
> see in your logs something allow the lines of 'database read in'
>

Actually it depends on the way you are scanning.

If you are using 'clamscan', it reloads the DB every time you run the
program, so in this case you would have to restart the scan.

If you are using 'clamdscan', clamd reloads the DB every time it does a
"SelfCheck" (configured in /etc/clamd.conf). The threads that are currently
scanning continue to scan with the old DB, but the new ones start scanning
with the updated DB. You don't need to restart clamd. Clamd also reloads the
DB if you tell it to through the RELOAD command.

- Samuel



RE: [Clamav-users] Libclamav and zip files

2005-07-21 Thread Samuel Benzaquen

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Eric Scopinho
>
> Long Question:
> I'm doing some tests with libipq (kind of userspace packet filter).
> I get network packets, write them in small temp files and scan using
> cl_scandesc from libclamav, if a virus is founded, drop the packet. It
> seems to work fine, but the problem happens whem an zipped infected file
> has sent over the net.
> Someone could give any idea how to handle that?
>

Clamd can handle it alone. If ScanArchive is active, it will unpack the file
and scan recursively inside.

-Samuel



RE: [Clamav-users] protection

2005-07-26 Thread Samuel Benzaquen

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Mad Unix
> Sent: Tuesday, July 26, 2005 8:26 AM
> To: ClamAV users ML
> Subject: Re: [Clamav-users] protection
>
>
> okay ... thats for the internet mail server,  and what about a
> Intranet Mail server
> with local use only
>

You can send the infected mail yourself.
Send the EICAR test signature in the body of an email (just the EICAR, no
more text).
Clamav should detect it and reject/discard/tempfail the email.
I'm not attaching the sig here, 'cause it would be rejected =P.
Look at http://eicar.com/anti_virus_test_file.htm somewhere around the
middle. It's the line that starts with X5O!...

-Samuel
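Three things in these replies are one socket conversation with clamd: the "VERSION" check suggested in the Mytob thread, the RELOAD command mentioned in the database-update reply, and an EICAR test without going through the mail path at all. The following is an added example, not code from the list posts or from the ClamAV project. It uses the documented clamd wire protocol (a command prefixed with `z` is NUL-terminated and answered with a NUL-terminated reply; INSTREAM sends the data as chunks of a 4-byte big-endian length plus the bytes, ended by a zero-length chunk; scan replies read `stream: <name> FOUND` or `stream: OK`). The socket path is an assumption and must match LocalSocket in clamd.conf; the EICAR string is assembled from two pieces so the file itself is not flagged on disk.

```python
"""Talk to clamd over its Unix socket: VERSION, RELOAD and an INSTREAM scan.

Added example, not ClamAV's own client. Protocol framing lives in small
pure functions (encode_command, instream_frames, parse_scan_reply) so it
can be checked without a daemon; _talk() does the actual socket exchange.
CLAMD_SOCKET is an assumed path; set it to clamd.conf's LocalSocket.
"""
import socket
import struct

CLAMD_SOCKET = "/var/run/clamav/clamd.sock"   # assumed; match LocalSocket


def eicar_bytes():
    """The 68-byte EICAR test string, joined at runtime from two halves."""
    return b"".join([b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$",
                     b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"])


def encode_command(cmd):
    """'z'-prefixed, NUL-terminated form of a clamd command."""
    return b"z" + cmd.encode("ascii") + b"\0"


def instream_frames(data, chunk=4096):
    """Frame data for INSTREAM: [len][bytes]... then a zero-length chunk."""
    out = []
    for i in range(0, len(data), chunk):
        piece = data[i:i + chunk]
        out.append(struct.pack(">I", len(piece)) + piece)
    out.append(struct.pack(">I", 0))
    return b"".join(out)


def parse_scan_reply(reply):
    """Return (infected, signature_name) from a 'stream: ...' reply."""
    line = reply.rstrip(b"\0\n").decode("ascii", "replace")
    _, _, status = line.partition(": ")
    if status == "OK":
        return False, None
    if status.endswith(" FOUND"):
        return True, status[:-len(" FOUND")]
    # e.g. the ERROR reply clamd gives when StreamMaxLength is exceeded
    raise RuntimeError("unexpected clamd reply: %r" % line)


def _talk(payload, path=CLAMD_SOCKET):
    """Send payload and read until clamd's NUL terminator (or close)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(30)
        s.connect(path)
        s.sendall(payload)
        buf = b""
        while not buf.endswith(b"\0"):
            part = s.recv(4096)
            if not part:
                break
            buf += part
    return buf


def clamd_version(path=CLAMD_SOCKET):
    """Engine and database version the running daemon is using."""
    return _talk(encode_command("VERSION"), path).rstrip(b"\0").decode()


def clamd_reload(path=CLAMD_SOCKET):
    """Ask clamd to reload its databases now instead of at the next SelfCheck."""
    return _talk(encode_command("RELOAD"), path).rstrip(b"\0").decode()


def scan_bytes(data, path=CLAMD_SOCKET):
    """Scan an in-memory buffer through INSTREAM."""
    reply = _talk(encode_command("INSTREAM") + instream_frames(data), path)
    return parse_scan_reply(reply)


if __name__ == "__main__":
    print(clamd_version())
    print(scan_bytes(eicar_bytes()))   # expect infected=True
    print(scan_bytes(b"just text"))    # expect (False, None)
```

Comparing clamd_version() before and after clamd_reload() is the quickest way to confirm the daemon is actually using the databases freshclam just wrote; a buffer larger than StreamMaxLength comes back as an ERROR reply rather than a verdict, which parse_scan_reply surfaces as an exception instead of a silent "clean".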



RE: [Clamav-users] ScanStream: Size limit reached ( max: 10485760)

2005-07-27 Thread Samuel Benzaquen
>
> Hi,
>
> I get this error, and i googled but found nought but source code.
>
> What is the meaning of this error ?
>
>

man clamd.conf

There are several limits that have to be configured according to your needs.
These limits are imposed to avoid scanning files that could overload your
clamd server.

-Samuel
