[Clamav-users] Load
Hello all,

I have upgraded clamav from 0.55 to 0.67-1 so I can now catch the bagle-passwd worm. It works and it catches the virus, but I have noticed a significant increase in the load on the machine. I am running qmail on a 6cpu Xeon P3 700 with 4Gb RAM. I am also running spam assassin.

Is this load increase normal (from 4-5 average to 9-11 average) or is there something I can do to drop the overhead?

cheers

Scott Ryan
Systems Administrator
Telkom Internet South Africa
Re: [Clamav-users] Load
Sorted the problem out - it appears that clamscan will fork new processes every time it is called by the qmail scanner - I switched to using clamdscan which uses the clamd daemon. It has halved the original load to average of 1-3 ...

On Fri, 2004-03-12 at 23:47, Jeremy Kitchen wrote:
> On Fri, 2004-03-12 at 04:18, Scott Ryan wrote:
> > Hello all, I have upgraded clamav from 0.55 to 0.67-1 so I can now catch the bagle-passwd worm. It works and it catches the virus, but I have noticed a significant increase in the load on the machine. I am running qmail on a 6cpu Xeon P3 700 with 4Gb RAM. I am also running spam assassin.
> >
> > Is this load increase normal (from 4-5 average to 9-11 average) or is there something I can do to drop the overhead?
>
> if you're using qmail-scanner, that's normal. I was doing some load testing on a customer's mail cluster and brought the system load to over 75, yet the system was completely responsive to everything. It was as if the machine was idle. And you are using a far more powerful machine than this was :)
>
> -Jeremy
[Clamav-users] Bagle.Q
I am running 0.67-1 and was looking to get a copy of the virus to test if clamd catches it. Where would I be able to get a copy of it from?

Thanks

Scott Ryan
Telkom Internet South Africa
[Clamav-users] Clamav - Qmail - Ezmlm
I may be posting to the wrong link, but I am just trying to cover all angles:

I am using qmail - qmailscanner - clamav-0.70 and ezmlm. All regular mail is passed to qmailscanner and thus virus scanned. But all mail sent to a mailing list is not. Is there anywhere in Ezmlm that I must configure for it to be parsed through qmail scanner before hitting the queue?

Thanks in advance

Scott Ryan
Re: [Clamav-users] upgrade ClamAV ... again?
I did a similar upgrade and it really pays to remove all clamav binaries and libs and install latest stable - a good piece of advice is to build packages, it makes upgrading to latest stable release all the easier.

On Tuesday 22 June 2004 08:32, Andy K. Suryanto wrote:
> we have our qmail using clamav 0.67 working with spamassassin 2.63 and qmail-scanner-1.20, we plan to upgrade the clamav to 0.70 (or newer) version to become more legit in filtering the 'big bad' virus ... can anyone help me providing hands on upgrading steps?
>
> should I uninstall all the related apps first and then re-install it again one by one? or just working on the clamav part?
>
> help please ... rgds,
> andy

--
Kindest Regards,
Scott Ryan
Unix/Linux Systems Engineer
Telkom Internet - SA
[Clamav-users] My.Doom.o
I have not submitted any virii (correct word?) before, so please bear with me.

I always run latest stable, currently 0.75 and have not had any virus issues up until now. I am seeing a high number of mails in the below format hitting our mail servers.

>Dear user <[EMAIL PROTECTED]>,
>Your e-mail account has been used to send a large amount of spam messages during this week.
>Obviously, your computer had been infected by a recent virus and now runs a hidden proxy server.
>Please follow our instruction in order to keep your computer safe.
>Best wishes,
>The team.

with a zip file attached containing a pif file.

I submitted the zip file only to have the message returned to me advising that it is not a virus, but "Binary fragment. Harmless." Symantec identify these mails as My.Doom.o and I have checked sigtool which identifies My.Doom.m, but not My.Doom.o - My question is, how do I get clamav to identify these files as a virus?

Many thanks

--
Scott Ryan
Unix/Linux Systems Engineer
Telkom Internet - SA
Re: [Clamav-users] My.Doom.o
What about sheep ?

On Wednesday 28 July 2004 09:38, Andrzej Kukula wrote:
> Matt:
> > > On Tue, 2004-07-27 at 13:28, Kevin Spicer wrote:
> > > > On Tue, 2004-07-27 at 16:26, Scott Ryan wrote:
> > > > > I have not submitted any virii (correct word?)
> > > >
> > > > viruses
> > >
> > > Yup.
> > >
> > > http://www.topology.org/lang/virus.html
> > >
> > > Cheers,
> > >
> > > Mike
> >
> > I know this is going wildly off topic, but this one could be debatable. According to a Collin's English Gem Dictionary, (1954 vintage), virus doesn't have a plural listed. So, is it just a recent designation?
> >
> > Matt
>
> Neither Merriam-Webster nor Cambridge list plural form of 'virus'. But there's simple rule to make plurals in English: append 's' to a noun, and if the noun ends in 's', then append 'es'. Or I'm missing something.
>
> Regards,
> Andrzej Kukula

--
Scott Ryan
Unix/Linux Systems Engineer
Telkom Internet - SA
Re: [Clamav-users] error compiling
Upgrade autoconf. I had to do that just now.

On Wednesday 28 July 2004 10:44, zen wrote:
> Hello clamav-users,
>
> i just stumble in to problem here, try to build clamav on FreeBSD 4.10STABLE but receive these error msg:
>
> cd . && /bin/sh /usr/local/src/clamav-devel-20040728/missing --run autoheader
> configure.in:20: error: Autoconf version 2.58 or higher is required
> aclocal.m4:529: AM_INIT_AUTOMAKE is expanded from...
> configure.in:20: the top level
> autoheader: autom4te failed with exit status: 1 at /usr/local/bin/autoheader line 163
> *** Error code 1
>
> can anyone help me with this probs??
>
> TIA

--
Scott Ryan
Unix/Linux Systems Engineer
Telkom Internet - SA
Re: [Clamav-users] mydoom.m zipped version getting through clamav
I am seeing MyDoom.m coming through, but when I run clamscan or clamdscan on the directory where I save the zip, clamav identifies it as MyDoom.m. If I unzip it there is a message.cmd file which is executable and not broken binary rubbish. The worrying thing is, my mail server has identified 450 MyDoom.m viruses since midnight last night. What is going on here? I am running 0.75 latest stable.

On Wednesday 28 July 2004 07:58, Trog wrote:
> On Tue, 2004-07-27 at 22:48, Jim wrote:
> > The new [EMAIL PROTECTED] zipped versions are getting through my clamav/amavisd-new/spamassassin box.
> >
> > It is stopping and dropping zipped versions of Bagle, but no luck with zipped versions of mydoom.M
> >
> > Any one else experiencing this?
>
> The only Mydoom.M I've seen not get detected are in fact just broken binary rubbish that are harmless as they are not executable.
>
> This includes files that are zipped and doubly zipped.
>
> -trog

--
Scott Ryan
Unix/Linux Systems Engineer
Telkom Internet - SA
Re: [Clamav-users] mydoom.m zipped version getting through clamav
I have upgraded to latest snapshot, but I am still seeing zipped My.Doom.m viruses coming through. When I run clamdscan on the zip file that gets through, clamav identifies it as My.Doom.m. Is there something I am missing here?

On Wednesday 28 July 2004 09:18, Mike Brodbelt wrote:
> Trog wrote:
> > On Tue, 2004-07-27 at 22:48, Jim wrote:
> >>The new [EMAIL PROTECTED] zipped versions are getting through my clamav/amavisd-new/spamassassin box.
> >>
> >>It is stopping and dropping zipped versions of Bagle, but no luck with zipped versions of mydoom.M
> >>
> >>Any one else experiencing this?
> >
> > The only Mydoom.M I've seen not get detected are in fact just broken binary rubbish that are harmless as they are not executable.
>
> I had several get through, due to the illegal Base64 encoding issue. Since I upgraded to the 20040727 snapshot (i.e. yesterday), everything seems to have been caught properly. So, if, like me, the OP isn't running recent code, an upgrade is probably in order.
>
> Mike.

--
Scott Ryan
Unix/Linux Systems Engineer
Telkom Internet - SA
Re: [Clamav-users] My.Doom.o
Like 'boxen' ;)

On Wednesday 28 July 2004 15:03, ©hris mckeever wrote:
> > Why you tend to complicate things? Isn't it just 'viruses'?
> >
> > Regards,
> > Andrzej Kukula
>
> I like virii - it sounds important and like something that can be on the ER equivalent for geeks...

--
Scott Ryan
Unix/Linux Systems Engineer
Telkom Internet - SA
Re: [Clamav-users] qmail dot files
On Thursday 29 July 2004 15:59, Jason wrote:
> Hi list,
>
> I have searched far and wide, a rare case where google comes up relatively short. Has anyone attempted to use clam with .qmail or .qmail-default files instead of patching qmail with QMAILQUEUE and using qmail-scanner?
>
> I am looking at doing this work if it has not been done before, if it has or will not work please share your thoughts as to why.
>
> TIA,
> Jason.

I would strongly recommend that you rather implement QMAIL-Scanner. It is easy to set up and works great. We handle in excess of a million mails a day and have no issues with it.

--
Scott Ryan
Unix/Linux Systems Engineer
Telkom Internet - SA
Re: [Clamav-users] script to generate virus statistics
On Monday 02 August 2004 17:15, Julio E. Gonzalez P. wrote:
> I just want to share this bash script to generate virus statistics. I know is not perfect, but do the work.
>
> Hope it helps someone.
>
> Julio.

Here is another. Again, not perfect - but will do a job.

Attachment: virus_stats.pl (Perl program)
[Clamav-users] MyDoom.M Starting to get through
I had an issue with this a while back which was fixed by upgrading to latest devel and then eventually 0.75-1.

I run qmail-scanner which in turn calls clamdscan. If I cat the message and pipe through clamdscan manually, clam reports that the message contains the virus myDoom.m, but it is not being trapped by clamav when invoked by the scanner.

What is strange is: In my virus logs, I do see the virus my.Doom.m being trapped and quite a lot...

The actual attachment is a zipped zip file, and in my clamav.conf I have archiveMaxRecursion set to 5 & ScanMail - but that is not the issue or clam would not have been able to capture the virus when run manually.

Does anyone have any ideas or should I submit this as a bug?

Many thanks

--
Scott Ryan
Unix/Linux Systems Engineer
Telkom Internet - SA
Re: [Clamav-users] MyDoom.M Starting to get through
On Friday 03 September 2004 07:50, ralf bosz wrote:
> Are you using the "--mbox" option when manually scanning the mailfiles?

No because I don't use mbox format. I cat the email message and pipe it through clamdscan. It picks up that it has to scan mail messages from my /etc/clamav.conf

# cat testmail.eml | clamdscan --mbox -
WARNING: Ignoring option -m (--mbox): please edit clamav.conf instead.
stream: Worm.Mydoom.M FOUND

--- SCAN SUMMARY ---
Infected files: 1
Time: 0.023 sec (0 m 0 s)

[EMAIL PROTECTED] root]# cat testmail.eml | clamdscan -
stream: Worm.Mydoom.M FOUND

--- SCAN SUMMARY ---
Infected files: 1
Time: 0.023 sec (0 m 0 s)

I have tried installing latest snapshot and clam still doesn't pick up this particular zip file containing the my.Doom.M virus. I don't think that it is a problem with qmail scanner as I am picking up thousands of mails a day - like I said earlier, I even have records in my logs that clam is catching some my.doom.M viruses.

> On Fri, 3 Sep 2004 07:13:53 +0200, Scott Ryan <[EMAIL PROTECTED]> wrote:
> > I had an issue with this a while back which was fixed by upgrading to latest devel and then eventually 0.75-1.
> > I run qmail-scanner which in turn calls clamdscan. If I cat the message and pipe through clamdscan manually, clam reports that the message contains the virus myDoom.m, but it is not being trapped by clamav when invoked by the scanner.
> >
> > What is strange is: In my virus logs, I do see the virus my.Doom.m being trapped and quite a lot...
> >
> > The actual attachment is a zipped zip file, and in my clamav.conf I have archiveMaxRecursion set to 5 & ScanMail - but that is not the issue or clam would not have been able to capture the virus when run manually.
> >
> > Does anyone have any ideas or should I submit this as a bug?
> >
> > Many thanks
Re: [Clamav-users] MyDoom.M Starting to get through
On Friday 03 September 2004 11:18, Rob MacGregor wrote:
> On Fri, 3 Sep 2004 10:26:49 +0200, Scott Ryan <[EMAIL PROTECTED]> wrote:
> > No because I don't use mbox format. I cat the email message and pipe it through clamdscan. It picks up that it has to scan mail messages from my /etc/clamav.conf
>
> You may want to RTFM:
>
> --mbox Enable scanning of various mail file types (also treat stdin as a mailbox - for backward compatability).
>
> So, the mbox option enables scanning of emails, not simply the mbox format.

Maybe you want to read the mail I sent again. I use clamdscan not clamscan

# man clamdscan
...
Re: [Clamav-users] MyDoom.M Starting to get through
On Friday 03 September 2004 16:42, Chris Meadors wrote:
> On Fri, 2004-09-03 at 11:47 +0200, Scott Ryan wrote:
> > Maybe you want to read the mail I sent again.
> > I use clamdscan not clamscan
> >
> > # man clamdscan
>
> Then do you have the "ScanMail" option set in the clamav.conf file set?

Yes - This option has always been enabled. This is really weird, because clamav does pick up the virus, but only when I invoke it manually. I am 99.99% sure that my config is all ok, as I said, I am picking up myDoom.M viruses - it seems like it is just this one file that is not being trapped.

Would it be possible for someone to check that this mail is trapped by clamav through a mail scanner? I can send it as an email file passwd zipped if it helps.

Much appreciated.
Re: [Clamav-users] MyDoom.M Starting to get through
On Friday 03 September 2004 07:13, Scott Ryan wrote:
> I had an issue with this a while back which was fixed by upgrading to latest devel and then eventually 0.75-1.
> I run qmail-scanner which in turn calls clamdscan. If I cat the message and pipe through clamdscan manually, clam reports that the message contains the virus myDoom.m, but it is not being trapped by clamav when invoked by the scanner.
>
> What is strange is: In my virus logs, I do see the virus my.Doom.m being trapped and quite a lot...
>
> The actual attachment is a zipped zip file, and in my clamav.conf I have archiveMaxRecursion set to 5 & ScanMail - but that is not the issue or clam would not have been able to capture the virus when run manually.

In case anyone else gets the same or similar issue - upgrading the version of qmail-scanner resolved this issue. Don't ask me why or how... I am just glad that it did.
Re: [Clamav-users] Clamav under an SMP environment
4 x Dell 6650s - 4 HT Xeons. It used to be a CPU hog until we started using clamdscan instead of clamscan :S

On Saturday 11 September 2004 11:44, Odhiambo Washington wrote:
> Anyone running ClamAv in an SMP server?
> Any exploits (good news) that you can share about running it under such a system?
> I have an SMP box, and I am running ClamAv devel, but I can see that it's one of the highest CPU hogs ;)
>
> cheers
> - wash
Re: [Clamav-users] MyDoom.M not detected by ClamAV 0.75.1
On Monday 13 September 2004 23:13, Adam Bernstein wrote:
> Howdy. We have a strange problem: We're running the latest stable, 0.75.1, with virus definitions updated via freshclam every hour (the latest log entry shows "version 488". We have a virus that keeps getting through, but it is recognized by your online virus submission scanner as MyDoom.M, so clearly the ClamAV run by that script (a -devel version) detects this virus while the release version apparently doesn't.
>
> Or is it just our installation for some reason? Anyone else seen this problem? Do we have any other recourse than moving to the development version, which we would rather not do, unless it really is very stable?

I have the exact same problem - in my case, it is a zipped zip file called transcript.zip. The online scanner, as pointed out yesterday, is running latest stable and not devel version. The only way I could get clamav to trap the virus was by installing devel version and upgrading qmail-scanner to latest version. Only then was it captured. But I am not running this setup in production yet. The weird thing was that if I piped the email message through clamdscan, then it detected the virus.

Please let me know how you get on here.
Re: [Clamav-users] Getting clamav to log with multilog
On Monday 20 September 2004 21:52, Daniel Alberto Cañas wrote:
> On Sep 20, 2004, at 12:41 PM, Matt Gourley wrote:
> > Niek wrote:
> >> On 9/20/2004 4:32 PM +0200, Matt Gourley wrote:
> >>> Hi all,
> >>>
> >>> I've been trying to get ClamAV to log via multilog so that I can generate reports via mrtg. I followed the instructions here:
> >>>
> >>> http://www.clamav.net/doc/0.75.1/clamd_supervised/clamd-daemontools-guide.txt
> >>
> >> Here are my relevant clamav.conf settings:
> >>
> >> LogFile /dev/stderr
> >> LocalSocket /tmp/clamd
> >> #LogTime
> >> #LogClean
> >> #LogSyslog
> >> #LogVerbose
> >> #LogFileUnlock
> >> #LogFileMaxSize 2M
> >> FixStaleSocket
> >> StreamSaveToDisk
> >> MaxThreads 30
> >> MaxDirectoryRecursion 15
> >> Foreground
> >>
> >> Regards,
> >> Niek Baakman
> >
> > Thanks for your response, Niek.
> >
> > My clamav.conf is setup exactly the same way, however, when I start clamd using clamdctl, clamd exits, supervise restarts it, clamd exits, etc. Logging is "running" but I get this in /var/log/clamd/current:
> >
> > @4000414f05f53a5b23ec server ended; result=0
> > @4000414f05f53a5b3b5c free() copt
> >
> > Any ideas?
> >
> > -Matt
>
> I have version 0.75.
> I had to patch clamd to be able to log to stderr.
>
> Then in the run file redirect stderr to stdout... like this:
> exec /usr/local/bin/setuidgid qscand $path_to_clamd 2>&1

I was wondering though if you could send me the patch - I am also having a similar issue.

Many thanks
[Clamav-users] Unix Socket v TCP Socket
I am investigating the possibility of using a Unix socket as opposed to my current setup of tcp socket bound to 127.0.0.1.

I was just wondering what the clamav users' experience of this setup is. Are there any benefits to Unix over TCP socket in both security and performance?

--
Kind regards,
Scott Ryan
Senior Unix/Linux Engineer
Telkom Internet - South Africa
10:36 Wednesday -- 22/Sep/2004

He who controls the past, controls the future,
He who controls the present, controls the past.
- George Orwell, 1984
Re: [Clamav-users] Unix Socket v TCP Socket
On Wednesday 22 September 2004 12:28, Brian Morrison shaped the electrons to say:
> On Wed, 22 Sep 2004 10:37:31 +0200 in [EMAIL PROTECTED] Scott Ryan <[EMAIL PROTECTED]> wrote:
> > I am investigating the possibility of using a Unix socket as opposed to my current setup of tcp socket bound to 127.0.0.1.
> > I was just wondering what the clamav users' experience of this setup is. Is there any benefits to Unix over TCP socket in both security and performance?
>
> It will definitely help performance on a loaded server, but it will not be very noticeable on a lightly loaded one.
>
> I do this myself, and I don't have a high load. I work on the basis that every little bit of performance is worth having.

Many thanks. I am scanning 1M+ mails a day, so hopefully this should make a big difference for me.

--
Kind regards,
Scott Ryan
Senior Unix/Linux Engineer
Telkom Internet - South Africa
12:44 Wednesday -- 22/Sep/2004
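
For the security half of the Unix-versus-TCP question in this thread, an added example (not code from the posts or from the ClamAV project): a small Python check that reads a clamav.conf and reports how clamd's command socket is exposed. clamd's socket protocol has no authentication, so a loopback TCP listener accepts any local process while a Unix socket can be restricted with file permissions; the function names and sample configs are constructed, and the all-interfaces default for a missing TCPAddr is taken from clamd's documentation.

```python
# Added example: classify how a clamd configuration exposes its command socket.
# Function names and the sample configs are constructed for illustration.
import ipaddress
import os
import stat

SAMPLE_TCP_LOOPBACK = """\
# constructed sample: the TCP setup described in the question
TCPSocket 3310
TCPAddr 127.0.0.1
ScanMail
"""

SAMPLE_TCP_NO_ADDR = """\
# constructed sample: TCPSocket with no TCPAddr line
TCPSocket 3310
"""

SAMPLE_UNIX = """\
# constructed sample: local socket, path as in the clamav.conf quoted on this page
LocalSocket /tmp/clamd
FixStaleSocket
"""


def parse_clamd_conf(text):
    """Parse 'Option [value]' lines; lines starting with '#' are comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        # Options without a value (ScanMail, FixStaleSocket) act as switches.
        opts[parts[0]] = parts[1].strip() if len(parts) > 1 else True
    return opts


def _is_loopback(addr):
    if addr == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # unresolved hostname: treat as network-reachable


def socket_exposure(opts):
    """Return (kind, detail) pairs for every listener the config enables."""
    findings = []
    if "LocalSocket" in opts:
        # Access is governed by filesystem permissions on the socket path.
        findings.append(("unix", opts["LocalSocket"]))
    if "TCPSocket" in opts:
        port = opts["TCPSocket"]
        addr = opts.get("TCPAddr")
        if addr is None:
            # Assumption from clamd's docs: no TCPAddr means INADDR_ANY.
            findings.append(("tcp-all-interfaces", f"*:{port}"))
        elif _is_loopback(addr):
            # Any local user or process can connect; no file permissions apply.
            findings.append(("tcp-loopback", f"{addr}:{port}"))
        else:
            findings.append(("tcp-network", f"{addr}:{port}"))
    return findings


def unix_socket_access(path):
    """Report owner and mode of a Unix socket file.

    On Linux, connecting requires write permission on the socket file, so a
    world-writable socket is as open to local users as a loopback TCP port.
    """
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError(f"{path} is not a socket")
    mode = stat.S_IMODE(st.st_mode)
    return {
        "mode": oct(mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "world_connectable": bool(mode & stat.S_IWOTH),
    }


if __name__ == "__main__":
    for name, conf in [("tcp loopback", SAMPLE_TCP_LOOPBACK),
                       ("tcp, no TCPAddr", SAMPLE_TCP_NO_ADDR),
                       ("unix", SAMPLE_UNIX)]:
        print(name, "->", socket_exposure(parse_clamd_conf(conf)))
```

Run `unix_socket_access()` against the live LocalSocket path to confirm that only the scanner's user or group can connect.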
Re: [Clamav-users] stats
On Wednesday 22 September 2004 15:17, ahellary shaped the electrons to say:
> hi there
>
> I'm keen to start a web based stats page on viruses caught etc ... I seem to remember a thread where one of you guys were developing such a thing can you please advise

I used an application called clamd-stat. It is a group of php scripts that munge the log files and populate rrd databases and another set of scripts to draw the pretty pictures. It was a very simple set of scripts and could easily be ported to perl or bash. I'm sorry that I cannot remember the url.

Kind regards,
Scott Ryan
Senior Unix/Linux Engineer
Telkom Internet - South Africa
08:00 Thursday -- 23/Sep/2004
[Clamav-users] MaxCompressionRatio
I have read the documentation and the man pages, but maybe I'm just a bit slow ... Does this setting determine the number of files that it will scan in an archive or is it the amount of archived files that it will decompress and scan inside an archive? Or maybe I have missed it completely and it means something else.

--
Kind regards,
Scott Ryan, Senior Unix/Linux Engineer, Telkom Internet - South Africa
[Clamav-users] What Just Happened??
I saw on my monitoring application just now that clamav was outdated and that I must update immediately. I was running 0.80rc3, and the moment I got this message I was inundated with users complaining that any jpeg attachment is flagged as a virus / comment 1.

I upgraded to 0.80rc4 and the jpeg problem went away, but I still get the warning telling me to upgrade...

Is there a release I am missing ??

--
Scott Ryan, Senior Unix/Linux Engineer, Telkom Internet - South Africa
[Clamav-users] Exploit.JPEG.Comment.1
ClamAV databases updated (2004.10.19 12:59 +): daily.cvd
version: 540

Submission: n/a
Sender: Trog
Updated: Exploit.JPEG.Comment.1

I don't know about anyone else, but this caused me huge issues... Flagged every jpeg attachment as a virus on 0.80rc3.

Upgraded to 0.80rc4 and problem went away.

--
Scott Ryan, Senior Unix/Linux Engineer, Telkom Internet - South Africa
Re: [Clamav-users] What Just Happened??
On Tuesday 19 October 2004 16:34, Trog shaped the electrons to say:
> On Tue, 2004-10-19 at 15:07, Scott Ryan wrote:
> > I saw on my monitoring application just now that clamav was outdated and
> > that i must update immediately. I was running 0.80rc3, and the moment I
> > got this message i was inundated with users complaining that any jpeg
> > attachment is flagged as a virus / comment 1.
> > I upgraded to 0.80rc4 and the jpeg problem went away, but i still get the
> > warning telling me to upgrade...
> >
> > is there a release i am missing ??
>
> Yes, 0.80
>
> You should leave your cave more often :-)

Or take the bucket off my head ;)

> -trog

--
Scott Ryan, Senior Unix/Linux Engineer, Telkom Internet - South Africa
Re: [Clamav-users] Exploit.JPEG.Comment.1
On Tuesday 19 October 2004 16:38, Tomasz Kojm shaped the electrons to say:
> On Tue, 19 Oct 2004 16:09:54 +0200
> Scott Ryan <[EMAIL PROTECTED]> wrote:
> > ClamAV databases updated (2004.10.19 12:59 +): daily.cvd
> > version: 540
> >
> > Submission: n/a
> > Sender: Trog
> > Updated: Exploit.JPEG.Comment.1
> >
> > I dont know about anyone else, but this caused me huge issues...
> > Flagged every jpeg attachment as a virus on 0.80rc3.
> >
> > Upgraded to 0.80rc4 and problem went away.
>
> To 0.80rc4?!

I will now install 0.80

--
Scott Ryan, Senior Unix/Linux Engineer, Telkom Internet - South Africa
Re: [Clamav-users] Performance Help - 100% cpu usage
On Tuesday 26 October 2004 09:52, Trog shaped the electrons to say:
> On Tue, 2004-10-26 at 03:45, Eric Worthy wrote:
> > This is a vanilla install off qmailrocks.org site.
>
> This may be your problem. I seem to remember they are guilty of doing
> very bad things to the clamav install, like linking clamdscan to
> clamscan.

Why the hell would they want to suggest that?? This would totally limit the ability to scale. Are there any docs suggesting what the 'benefits' are? When I took over here at my current job, qmailscanner was set up to use clamscan instead of clamdscan. We send/receive over a million mails a day and the cpus were sitting at 100% constantly. The first thing I did was to change to clamdscan and cpu usage dropped unbelievably.

--
Scott Ryan, Senior Unix/Linux Engineer, Telkom Internet - South Africa
Re: [Clamav-users] Performance Help - 100% cpu usage
On Tuesday 26 October 2004 16:56, Trog shaped the electrons to say:
> On Tue, 2004-10-26 at 15:01, Jim Maul wrote:
> > Keep in mind while i agree the instructions are a little messed up for
> > the current versions of the software it uses, the instructions are the
> > way they are to correct problems and certain small errors that occurred
> > in older versions of the software. Basically the instructions are
> > outdated in my opinion. I dont believe the reason for the
> > clamscan/clamdscan linking is still a valid reason as well as other
> > "workarounds" that were put in place. The instructions should be
> > updated.
>
> They were updated four days ago, and they are still grossly wrong.
>
> > With that said, the person, yes, only 1 person, who created qmr is
> > obviously busy and this is not his full time job. I think it is great
> > that he has taken this amount of time out of his everyday life to
> > provide this great service for everyone... cut him some slack will ya?
>
> I believe the same problems have been in there for over a year.
>
> > Saying "for no reason other than ignorance and gross stupidity" is quite
> > incorrect and even downright rude.
>
> You don't think it's rude to break other people's software, for which we
> then have to deal with the resulting mess, as witnessed by this thread?
>
> > You have NO idea why he set up the
> > instructions this way and you yourself are making huge assumptions. If
> > you have some constructive criticism here im sure it would be
> > appreciated but your previous comments were IMO not helpful at all.
>
> 1. Install ClamAV as per its documentation, and then don't break it by
> linking clamdscan to clamscan.
>
> 2. If you want to use clamscan rather than clamdscan (for no reason,
> other than to send your CPU load to 100%, as per this thread), configure
> qmail-scanner to do so (it has a configure option for this).

'And the winner is by way of knockout... in the red corner - Trog!'

--
Scott Ryan, Senior Unix/Linux Engineer, Telkom Internet - South Africa
Re: [Clamav-users] Performance Help - 100% cpu usage
On Tuesday 26 October 2004 16:42, [EMAIL PROTECTED] shaped the electrons to say:
> On Mon, 25 Oct 2004, Eric Worthy wrote:
> > Anyone have any advice on what I could be doing wrong or how to improve
> > the performance of the scanning?
>
> We always get a great performance boost in software by adding
> -march=(yourcpuhere) -O2 -fomit-frame-pointer -static to the build lines.
> If you can build static binaries an additional CPU register is available
> for function calls (EDX iirc). If you're a quad p3 xeon, you want
> -march=i686. You might also play with benching -O2 vs -O3. We seem to
> get mixed results depending on the nature of the software. Some perform
> worse at -O3 and except for some weirdness in loop unrolling, I'm not sure
> why O3 would give slower performance. Make sure that this happens for at
> least clam and clamd. (caveat: some optimizations can create instability
> so test it). Clam uses many libraries like libz and rebuilding those
> dependent libraries may help as well (may not matter if statically linked?)
>
> Another point to look at is disk i/o bottle neck. Mail has a tendency to
> write-copy-write-copy-write especially when you have a scanner and an MTA.
> This creation and deletion of spool files makes for a lot of journal
> traffic (ext3/reiser, assuming Linux) to the hard drive. Unfortunately,
> journal traffic is largely synchronous so it can rollback transactions in
> the event of a failure. Filesystem noatime,notail options are your friend
> here.

A good solution here is to have a separate disk preferably on a hardware raid controller for your mail queue (/var/qmail/queue if you use qmail). That coupled with reiserfs with blocksize 4096 hugely increases performance. If you are lucky to have a fibre channel SAN, you can put the queue on there for uber performance!

> You can get some mileage by putting your MTA's temp dir on a shmfs/tmpfs or
> other type of VM filesystem if you're on a different OS to reduce the disk
> i/o cycles. By freeing I/O cycles, the cpus can do more *real* work and
> not wait precious cycles on io time. On a 2.6 kernel, vmstat will tell
> you io-wait time (wa) get a feel for where the bottle neck is.

This can be dangerous. If your mta stores any mail here for whatever reason and the box (again for whatever reason) reboots/dies - you lose all that mail.

> Hope this helps. We're constantly fighting io wait here due to the virus
> spam and message spool/accounting database and currently our bottleneck is
> definitely disk, not cpu (3.2ghz p4-ht).

Same here. We use qmail and find that 128Mb Raid controller for the queue dir increases the I/O immensely. Reiserfs helps as well.

--
Scott Ryan, Senior Unix/Linux Engineer, Telkom Internet - South Africa
Re: [Clamav-users] Performance Help - 100% cpu usage
On Tuesday 26 October 2004 17:57, Jim Maul shaped the electrons to say:
> Scott Ryan wrote:
> > On Tuesday 26 October 2004 09:52, Trog shaped the electrons to say:
> > > On Tue, 2004-10-26 at 03:45, Eric Worthy wrote:
> > > > This is a vanilla install off qmailrocks.org site.
> > >
> > > This may be your problem. I seem to remember they are guilty of doing
> > > very bad things to the clamav install, like linking clamdscan to
> > > clamscan.
> >
> > Why the hell would they want to suggest that?? This would totally limit
> > the ability to scale. Are there any docs suggesting what the 'benefits'
> > are? When I took over here at my current job, qmailscanner was setup to
> > use clamscan instead of clamdscan. We send/receive over a million mails a
> > day and the cpus were sitting at 100% constantly. The first thing i did
> > was to change to clamdscan and cpu usage dropped unbelievably.
>
> First off, the QMR install is for people who are new to this type of
> setup and is NOT meant to be used in a full large volume production
> environment.

I don't dispute that.

> If you are using the QMR setup in this type of environment
> its your own damn fault. The suggested linking of clamdscan to clamscan
> was done to eliminate usage of clamd which at the time (i believe around
> ver 0.6 or so) there were some serious stability issues
> To avoid these issues the site author just suggested the linking. This is why i
> suggested that the instructions are out of date. Yes the site was
> updated recently, but no, this text was not changed.

What are we arguing about here? I just know in my experience that you are seriously shooting yourself in the foot by using clamscan to scan all mails. Trog's suggestion of modifying qmail-scanner (if you really want to create the link) sounds like the sensible solution to those who use QMR.

--
Scott Ryan, Senior Unix/Linux Engineer, Telkom Internet - South Africa
Re: [Clamav-users] Performance Help - 100% cpu usage
On Tuesday 26 October 2004 18:47, Jim Maul shaped the electrons to say:
> Scott Ryan wrote:
> > What are we arguing about here? I just know in my experience that you are
> > seriously shooting yourself in the foot by using clamscan to scan all
> > mails. Trog's suggestion of modifying qmail-scanner (if you really want
> > to create the link) sounds like the sensible solution to those who use
> > QMR.
>
> Im simply arguing the fact that someone has spent a lot of their time to
> help out the community by creating the QMR setup instructions

I don't think that anyone doubts that. As has been mentioned in the thread, documentation is the hardest part of any installation / build process.

> and
> because of some points made in that install this person is being accused
> of being ignorant, stupid and breaking code.

Again, I don't think that anyone thinks that the Author is 'stupid', just that the benefits of using clamdscan over clamscan are orders of magnitude greater. Suggesting to users to replace it is not wise, that's all. If you are in contact with the author maybe it is worth suggesting to him to make the change.

> Thats just flat out wrong.
>
> -Jim

--
Scott Ryan, Senior Unix/Linux Engineer, Telkom Internet - South Africa
[Clamav-users] Clamdscan Runaway Number of Processes
I am having a slight problem which appears to have stemmed from swapping from tcp sockets to unix sockets. Every now and again, and across 5 identical servers, I get a huge number of clamdscan processes, which prevents qmail accepting smtp connections. I made the total random assumption that clamav has a problem tearing down unix sockets under load.

However, I would like to be able to prove this so I am looking for someone to give some pointers as to where to start looking.

I would like to use unix sockets as I understand that there is not as much overhead compared to tcp sockets, but this issue is causing me a bit of a problem.

Any help would be appreciated.

--
Scott Ryan, Senior Unix/Linux Engineer, Telkom Internet - South Africa
Re: [Clamav-users] Clamdscan Runaway Number of Processes
On Wednesday 27 October 2004 21:48, Todd Lyons shaped the electrons to say:
> Scott Ryan wanted us to know:
> > I am having a slight problem which appears to have stemmed from swapping
> > from tcp sockets to unix sockets. Every now and again, and across 5
> > identical servers, i get a huge number of clamdscan processes, which
> > prevents qmail accepting smtp connections. I made the total random
> > assumption that clamav has a problem tearing down unix sockets under
> > load.
> > However, I would like to be able to prove this so I am looking for someone
> > to give some pointer as to where to start looking.
> > I would like to use unix sockets as I understand that there is not as much
> > overhead compared to tcp sockets, but this issue is causing me a bit of
> > problem.
>
> How many threads do you have set in clamd.conf?

Ah. This could very well be the issue. I have threads set to 200, but it could be possible that I have more concurrent local and remote smtp connections. I will try to increase the number of threads to see if this helps any.

--
Scott Ryan, Senior Unix/Linux Engineer, Telkom Internet - South Africa
Re: [Clamav-users] Clamdscan Runaway Number of Processes
On Wednesday 27 October 2004 22:27, Todd Lyons shaped the electrons to say:
> Scott Ryan wanted us to know:
> > > How many threads do you have set in clamd.conf?
> >
> > Ah. This could very well be the issue. I have threads set to 200, but it
> > could be possible that I have more concurrent local and remote smtp
> > connections. I will try to increase the number o threads to see if this
> > helps any.
>
> I have two pretty busy servers and my threads are set at 40. Unless
> you're pushing more than 100K emails a day

1million+ Easily.

> , I don't see the threads
> being the problem. I'd suggest lowering the thread count first to see
> if that makes a difference, either better or worse. That number "200"
> always makes me think "max open file" limits.

I will check that out, although I'm sure that the limits are set to 1024 (default I think with redhat)

--
Scott Ryan, Senior Unix/Linux Engineer, Telkom Internet - South Africa
Re: [Clamav-users] thank you
On Thursday 28 October 2004 16:33, Mike Lambert shaped the electrons to say:
> Thank you, team ClamAV, for your your hard work on the latest release.
> ClamAV 0.80 (FreeBSD 4.9) is by far the most stable and memory efficient
> clamd yet.
>
> *applause*

I will second that... if any of you are ever in South Africa, beers are on me.

--
Scott Ryan, Senior Unix/Linux Engineer, Telkom Internet - South Africa
Re: [Clamav-users] Comment on TCP option in clamd
On Wed, 2004-11-03 at 09:48 +1300, Jason Haar wrote:
> Hi there
>
> I think the TCP option needs some more explicit documentation, as I have
> begun seeing RPMs of clamav where the Socket option is *disabled* and the
> TCP option is *enabled* as the defaults.
>
> As far as I'm aware, that is *not* a good idea. Not only are there now
> network security issues you should attend to, but the TCP option IS ALWAYS
> SLOWER THAN THE SOCKET MODE (please tell me if I am wrong). From what I can
> gather, clamdscan has to pipe the entire file/directory to clamd over TCP -
> whereas it only has to tell clamd where the file/dir is over Sockets.

I changed just recently to use UNIX socket mode a little over a month ago on the basis that TCP was deemed to be slower. Since changing, I have experienced many issues with runaway clamdscan processes and no noticeable performance increase. I process over a million mails a day using clamav with daemontools. I reverted back to tcp socket mode and have not had any issues so far (touch wood).

my 2 cents worth...

> I don't think this difference is spelt out well enough if people are going
> around making RPMs like that :-/
>
> BTW: the RPM in question is clamd-0.80-1.1.fc2.dag - part of
> http://apt.sw.be/fedora/
>
> [I don't use it myself - just suffered the fallout...]
Re: [Clamav-users] Zip module failure
On Mon, 2004-11-22 at 14:54 -0500, Chris Gauch wrote:
> I've had the exact same problems with ZIP MODULE FAILURE ERRORS appearing
> intermittently throughout my clamd.log. The problems also began around that
> same timeframe (approx. 2 weeks ago). I haven't done too much in terms of
> debugging, etc. All I know is that the ZIP MODULE errors are becoming more
> numerous.
>
> The error looks like the following in the clamd.log:
>
> ...Zip module failure ERROR
> Mon Nov 22 13:59:52 2004 -> Client disconnected
>
> I'm running ClamAV 0.80 as well, and have tried to resolve the issue by
> installing a newer version of Archive::Zip, but that did not help.
>
> If anyone has any resolution to this, I'd appreciate any info. Thanks.
>
> - Chris

I am also receiving the same error

Clamav-0.80, ... RHEL3

...Zip module failure ERROR

It also may be worth noting that I get the following errors as well.

.MS CAB module failure ERROR
.omsa.net-2004.11.07.02.00.tar.gz: Input/Output error ERROR
.LibClamAV Error: cli_untar: unknown type flag X
.RAR module failure ERROR

Something to do with unpacking files perhaps?

Cheers.

Scott Ryan
Telkom Internet South Africa
[Clamav-users] clamdscan processes running away
I am using clamdscan (clamav 0.80 - RHEL3) on 5 very intensively used mail servers and generally, I have no issues and it works wonderfully. But however, every now and again, to which there is no random pattern, and across all 5 servers, clamdscan processes go through the roof. All logging stops. Here is current status of one of the machines as it has happened:

[EMAIL PROTECTED] clamd]# ps -ef | grep clam| more
root 3906 3902 0 Nov01 ? 00:00:00 supervise clamd
root 14674 3906 9 Nov18 ? 1-02:54:35 /usr/sbin/clamd
## then I have lots of
qmaild 14794 1 0 Nov29 ? 00:00:00 /usr/bin/clamdscan -r --disable-summary --max-recursion=10 --max-space=10 /var/spool/qmailscan/tmp/ophelia.telkomsa.net110173309447914648

114 of them to be precise.

If I look at the timestamps of the logs:

[EMAIL PROTECTED] clamd]# pwd
/var/log/clamd
[EMAIL PROTECTED] clamd]# ls -al
total 29180
-rwxr--r-- 1 clamav clamav 571978 Nov 29 17:00 current
[EMAIL PROTECTED] clamd]# date
Tue Nov 30 07:41:35 SAST 2004

You can see that there has been nothing in the logs since 5pm yesterday. I would like to be able to supply more information, but I don't seem to have any. Is it worth enabling debug mode (bearing in mind that we are scanning HUGE volumes of mail) ?

Also if I run clamdscan manually on the command line, it hangs; but clamscan works fine.

[EMAIL PROTECTED] clamd]# clamdscan\
[EMAIL PROTECTED] clamd]# clamscan
/var/log/clamd/freshclam.log: OK
/var/log/clamd/lock: Empty file.
/var/log/clamd/state: Empty file.
/var/log/clamd/current: OK
/var/log/clamd/clamav.log: OK
--- SCAN SUMMARY ---
Known viruses: 27913
Scanned directories: 1
Scanned files: 32
Infected files: 0
Data scanned: 74.89 MB
I/O buffer size: 131072 bytes
Time: 26.343 sec (0 m 26 s)

It would appear that something happens to clamd and I would appreciate any pointers or advice for further information if required.

Many Thanks

--
Scott Ryan, Telkom Internet
Re: [Clamav-users] clamdscan processes running away
On Tuesday 30 November 2004 14:14, Trog wrote:
> On Tue, 2004-11-30 at 12:04, Scott Ryan wrote:
> > I am using clamdscan (clamav 0.80 - RHEL3) on 5 very intensively used
> > mail servers and generally, I have no issues and it works wonderfully.
> > But however, every now and again, to which there is no random pattern,
> > and across all 5 servers, clamdscan processes go through the roof. All
> > logging stops. Here is current status of one of the machines as it has
> > happened:
>
> What version of zlib are you using?

[EMAIL PROTECTED] root]# rpm -qa|grep zlib
zlib-1.1.4-8.1

> -trog

--
Scott Ryan, Telkom Internet
Re: [Clamav-users] ClamAv New Install on Qmail-LDAP Question
On Saturday 01 January 2005 05:33, List wrote:
> > Is maildrop needed for the qmail-ldap setup?
>
> You will need maildrop for spamassassin It can be put to filter spams into
> a destinated Maildir. For infected mails, reports are usually sent to
> postmaster mailbox. Most of my mailserver are running qmail + qmail-scanner
> + maildrop + spamassassin + clamav and i had got maildrop to filter spams to
> a .Spam Maildir instead of Inbox.

How did you get maildrop to manage quotas? I have the same setup as you mention above yet I am struggling to get quota working for accounts that are checked for spam. Because qmail-local is not used for the actual delivery of the message, the quota checking function is not achieved.

Sorry if this message is off topic, I sent it just in case anyone else had same/similar issue.

> But i do have one setup, qmail + simscan
> + spamassassin + clamav. Simscan reject spams and virus at smtp level which
> i dont feel there is a need to filter the spams. So maildrop is left out on
> this setup.

--
Scott Ryan, Telkom Internet
Re: [Clamav-users] Zip module failure
On Wednesday 05 January 2005 14:59, Deon de Villiers wrote:
> Hi
>
> We are experiencing this as well.
>
> How stable is the current CVS version? Is it OK to use in a busy
> production environment? (I hope I am not asking a silly question...,
> but I need to get a fix for this asap).

We moved to CVS and then we noticed that the issue disappeared. We have been running CVS for a while now and we have not noticed any stability issues.

> Thanks
> Deon.
>
> Chris Gauch wrote:
> > Nigel,
> >
> > Sure enough the newer CVS and the installation of zlib 1.2.2 solved the
> > issue. Haven't seen a zip module error since then.
> >
> > - Chris
> >
> > ---
> >
> > Try the CVS version. If it still fails then contact me directly by e-mail
> > and I'll try to help.
> >
> > -Nigel
Re: [Clamav-users] Kmail Filters
On Monday 07 February 2005 06:52, Nathaniel Jason Dube shaped the electrons to say:
> I want to set up a filter in Kmail to scan my email for viruses like I have
> spamassassin checking for spam. Can someone tell me how to do that?

What version of Kmail are you running? You should have tools -> antivirus wizard. If not, upgrade kmail. If you can't / don't want to upgrade kmail, then I suggest running one filter (placed at the top of the filter list) to pipe the message through a command based on size (if message < 500k). Set that command to be clamscan (or clamdscan if running clamd). Ensure that this filter is *not* set to stop processing after matching. Then set up a second filter that will check the mail to see if it is a virus or not and then do with it what you please. I'm not sure what it will be tagged with to identify if it has a virus. I am too lazy to 'rtfm' and check the clamscan man page :S

--
Scott Ryan, Telkom Internet
Re: [Clamav-users] Exploit.W32.MS05-002 False Positives
On Wednesday 09 February 2005 15:56, Maxim Britov shaped the electrons to say:
> On Tue, 08 Feb 2005 16:32:41 +
> Francis Stevens <[EMAIL PROTECTED]> wrote:
> > Trog wrote:
> > > BTW, all the "false positives" I've seen so far are also reported as
> > > broken by the showriff utility, which was written specifically to check
> > > these files.
> > >
> > > For example:
> > >
> > > $ showriff virus-2005-02-08-n0009134
> > > Contents of file virus-2005-02-08-n0009134 (18926/0x8926 bytes):
> >
> > All the problem files I've had are Powerpoint and Word files. For the
> > Powerpoint files it was a common background image.
>
> P900\Beyonce Knowles - Crazy In Love (2).wav: Exploit.W32.MS05-002 FOUND
> p900\Evanescence - Bring Me To Life - Daredevil 2 (2).wav: Exploit.W32.MS05-002 FOUND
> p900\robby-feel.wav: Exploit.W32.MS05-002 FOUND

'Stealing Music?' tut tut ;)

--
Scott Ryan, Telkom Internet
Re: [Clamav-users] M$ preparing AV software ?
On Wednesday 09 February 2005 23:22, Ed shaped the electrons to say:
> > > Good management is all about looking forward.
> > > They seem to bet on more horses these days...:-)
> > >
> > > Grz. Johan
> >
> > I'm actually viewing it more as a tactic of MS buying and then closing
> > up shops that sell Linux products. Look at what they did with
> > VirtualPC. The first release after they bought it you couldn't load
> > Linux in the virtual machine.
> >
> > I'm wondering if that is what they are doing with all the AV purchases
> > they've done?
> >
> > Thomas
>
> I thought that when they took out RAV [ GeCAD ] ... They [RAV] were
> supplying a lot of services to IBM which is a very large competitor to
> M$, and were almost totally a Linux / Unix application. It appears this
> level of paranoia may have some basis. I for one don't see M$ changing
> their ways. They've always bought and put out of business their
> competition if they couldn't bully them or force them out some other
> way. They love that monopoly thing.
>
> Go get 'em Bill ! Lets see how many times your anti-virus solution
> crashes when you demo that at a show ;-) Yep I'd trust M$ with the
> security of my network .. sure right ...

As much as a chocolate fireguard...

> --Ed

--
Scott Ryan, Telkom Internet
[Clamav-users] Mime
Hi list,

I have posted before about an issue with clamd hanging and yesterday we finally managed to find out what the underlying problem was. We came across an 800k mail that we initially thought was causing clamd to hang. The truth in fact was that once we turned on debugging, we noticed that clamd was not hanging - just taking an age to scan the mail. This was obviously causing us huge problems as this was happening on very busy mail servers and in effect causes a DOS. We were running 0.83 and downgraded eventually to 0.80 and then we no longer experienced the issue.

What we noticed about this one particular mail was that it had hundreds of mime-parts. So it appears to us that there has been a major change in the way clamav deals with mime parts since 0.80. So much so that it goes from scanning this mail in under a second in 0.80:

# ls -la 1108491486.1513-1.ophelia.telkomsa.net
-rw---1 root root 817795 Feb 15 20:35 1108491486.1513-1.ophelia.telkomsa.net
# cat 1108491486.1513-1.ophelia.telkomsa.net | clamdscan -
stream: OK
--- SCAN SUMMARY ---
Infected files: 0
Time: 0.741 sec (0 m 0 s)

To taking over 4 minutes to scan in 0.83.

Can anyone shed some light on this / offer some advice, as obviously we want to keep up with the latest stable version. I can provide the mail if anyone wants to examine it further.

Many thanks

Scott Ryan
Telkom Internet
Re: [Clamav-users] Mime
On Wednesday 16 February 2005 16:26, Nigel Horne shaped the electrons to say:
> On Wednesday 16 Feb 2005 14:18, Ted Fines wrote:
> > FOUR MINUTES, 13 SECONDS for an 800k email.
>
> Look at the file again. It is NOT an 800k mail. It is over 200 emails
> embedded within each other. By definition the largest message is about 800K
> and the smallest is about 1K give or take, giving an average of 400K (don't
> worry if the maths isn't too accurate). So thats about 200x400K = c.80Mb.
> 0.80 didn't scan it properly and would have let a virus through, 0.83 fixes
> that bug.

My dilemma is now this: we cannot upgrade to any version above 0.80 due to oversized mails potentially causing a DOS. What functionality am I missing out on (in a nutshell) by running 0.80? Are there many viruses that I will not be able to catch?

Is there potentially a workaround for these types of mails?

regards

--
Scott Ryan, Telkom Internet
Re: [Clamav-users] Mime
On Wednesday 16 February 2005 17:34, Nigel Horne shaped the electrons to say:
> On Wednesday 16 Feb 2005 15:15, Scott Ryan wrote:
> > On Wednesday 16 February 2005 16:26, Nigel Horne shaped the electrons to say:
> > > On Wednesday 16 Feb 2005 14:18, Ted Fines wrote:
> > > > FOUR MINUTES, 13 SECONDS for an 800k email.
> > >
> > > Look at the file again. It is NOT an 800k mail. It is over 200 emails
> > > embedded within each other. By definition the largest message is about
> > > 800K and the smallest is about 1K give or take, giving an average of
> > > 400K (don't worry if the maths isn't too accurate). So thats about
> > > 200x400K = c.80Mb. 0.80 didn't scan it properly and would have let a
> > > virus through, 0.83 fixes that bug.
> >
> > My dillema is now this, we cannot upgrade to any version above 0.80 due
> > to oversized mails potentially causing a DOS. What functionality am I
> > missing out on (in a nutshell) by running 0.80?
> > Are there many viruses that I will not be able to catch?
>
> I have seen this in the field, indeed the scans were added as the result of
> a bug report. It's your decision on what to do.

I will just have to allow these types of mails to go unscanned. Four minutes to scan 1 will cause a DOS. Would it be possible to request that some kind of recursion limit be added here like there currently is on zip files? Just a thought...

> > Is there potentially a work around for these types of mails?
> >
> > regards

--
Scott Ryan, Telkom Internet
Re: [Clamav-users] Mime
On Wednesday 16 February 2005 18:43, Tomasz Kojm shaped the electrons to say:
> On Wed, 16 Feb 2005 17:51:28 +0200
>
> Scott Ryan <[EMAIL PROTECTED]> wrote:
> > I will just have to allow these types of mails to go unscanned. Four
> > minutes to scan 1 will cause a DOS.
>
> So increase the number of MaxThreads...

It was at 200 - I will increase to 300 and see what result I get.

> > Would it be possible to request that some kind of recursion limit be
> > added here like there currently is on zip files?
>
> There's already a recursion limit for mail scanning but it's not
> configurable (yet).

What is that limit?

--
Scott Ryan
Telkom Internet
Re: [Clamav-users] Mime
On Thursday 17 February 2005 11:29, Andy Fiddaman shaped the electrons to say:
> On Wed, 16 Feb 2005, [ISO-8859-2] Bogusław Brandys wrote:
>
> ; -BEGIN PGP SIGNED MESSAGE-
> ; Hash: SHA1
> ;
> ; Nigel Horne wrote:
> ; > On Wednesday 16 Feb 2005 14:18, Ted Fines wrote:
> ; >
> ; >
> ; >>FOUR MINUTES, 13 SECONDS for an 800k email.
> ...
> ; > 0.80 didn't scan it properly and would have let a virus through, 0.83 fixes that bug.
> ; Oversized.Mail ? Do we need such new detection or is better solution ?
>
> How about MailMaxMimeDepth and MailBlockMax directives ? Most other
> scanners I've used default to block any message with over 10 levels of
> mime nesting, maybe something like 25 is a good default though.

I even think that 25 is too much...

--
Scott Ryan
Telkom Internet
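The nesting limit discussed in this thread (block a message with more than about 10 levels of MIME nesting), sketched as a check run before a message is handed to the scanner. This is an added example, not part of the original posts and not ClamAV code; the function names, the `max_depth` parameter and the sample messages are assumptions constructed for illustration.

```python
"""Pre-scan MIME nesting check (added illustration, not ClamAV code)."""
from email import message_from_bytes


def build_nested(levels):
    """Construct a sample mail wrapped in `levels` message/rfc822 layers (test data)."""
    raw = b"Subject: level 0\r\nContent-Type: text/plain\r\n\r\ninnermost body\r\n"
    for i in range(1, levels + 1):
        header = b"Subject: level %d\r\nContent-Type: message/rfc822\r\n\r\n" % i
        raw = header + raw
    return raw


def mime_depth(msg, limit):
    """Deepest nesting level in msg; stops walking once `limit` is exceeded."""
    stack = [(msg, 0)]           # explicit stack: no recursion on hostile input
    deepest = 0
    while stack:
        part, depth = stack.pop()
        deepest = max(deepest, depth)
        if deepest > limit:
            return deepest       # early exit bounds the walk per message
        if part.is_multipart():  # true for multipart/* and message/rfc822
            stack.extend((child, depth + 1) for child in part.get_payload())
    return deepest


def check_message(raw, max_depth=10):
    """Return ("accept" | "block", depth). max_depth is a hypothetical policy knob."""
    try:
        msg = message_from_bytes(raw)
    except RecursionError:
        # Extremely deep nesting can exhaust the parser itself: fail closed.
        return ("block", None)
    depth = mime_depth(msg, max_depth)
    return ("block" if depth > max_depth else "accept", depth)


if __name__ == "__main__":
    for levels in (3, 10, 30):
        print(levels, check_message(build_nested(levels)))
```

A message that comes back as "block" can be quarantined or rejected instead of being passed to clamd, so one deeply nested mail cannot tie up a scanner thread for minutes.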
[Clamav-users] ClamAV not paying attention to conf file.
FC3, Clamav 0.83: I removed the ScanMail option from the conf file, because I am using reformime in qmail-scanner, but when I start clamav it keeps saying: Mail files support enabled.

Conf file:

# cat /etc/clamd.conf
# General Config
User clamav
Foreground
LogFile /dev/stderr
LogSyslog
TemporaryDirectory /var/spool/qmailscan
SelfCheck 300

# DB Location
DatabaseDirectory /usr/share/clamav

# Socket Type and Port
TCPSocket 3310
TCPAddr 127.0.0.1

#Thread Stuff
MaxConnectionQueueLength 100
MaxThreads 300
ReadTimeout 60

# Scanning Parameters
StreamMaxLength 20M
MaxDirectoryRecursion 15
FollowDirectorySymlinks
FollowFileSymlinks
ScanPE
DetectBrokenExecutables
ScanOLE2
ScanHTML

# Archive Parameters
ScanArchive
ScanRAR
ArchiveMaxFileSize 10M
ArchiveMaxRecursion 5
ArchiveMaxFiles 100
ArchiveMaxCompressionRatio 200
ArchiveBlockMax

Log file:

2005-02-22 14:32:57.084198500 +++ Started at Tue Feb 22 14:32:57 2005
2005-02-22 14:32:57.084204500 clamd daemon 0.83 (OS: linux-gnu, ARCH: i386, CPU: i686)
2005-02-22 14:32:57.084210500 Log file size limited to 1048576 bytes.
2005-02-22 14:32:57.084215500 Running as user root (UID 0, GID 0)
2005-02-22 14:32:57.084221500 Reading databases from /usr/share/clamav
2005-02-22 14:32:58.514747500 Protecting against 31035 viruses.
2005-02-22 14:32:58.523123500 Bound to address 127.0.0.1 on port 3310
2005-02-22 14:32:58.523347500 Setting connection queue length to 100
2005-02-22 14:32:58.523669500 Archive: Archived file size limit set to 10485760 bytes.
2005-02-22 14:32:58.523784500 Archive: Recursion level limit set to 5.
2005-02-22 14:32:58.523891500 Archive: Files limit set to 100.
2005-02-22 14:32:58.523997500 Archive: Compression ratio limit set to 200.
2005-02-22 14:32:58.524102500 Archive support enabled.
2005-02-22 14:32:58.524205500 Archive: RAR support enabled.
2005-02-22 14:32:58.524316500 Archive: Blocking archives that exceed limits.
2005-02-22 14:32:58.524422500 Portable Executable support enabled.
2005-02-22 14:32:58.524545500 Detection of broken executables enabled.
2005-02-22 14:32:58.524650500 Mail files support enabled.
2005-02-22 14:32:58.524754500 OLE2 support enabled.
2005-02-22 14:32:58.529606500 HTML support enabled.
2005-02-22 14:32:58.540238500 Self checking every 300 seconds

--
Scott Ryan
Telkom Internet
___
http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] ClamAV not paying attention to conf file.
On Tuesday 22 February 2005 16:32, Matt Fretwell shaped the electrons to say:
> DisableDefaultScanOptions

A prime example of rtfm... thanks.

--
Scott Ryan
Telkom Internet
Re: [Clamav-users] Mime - FIXED
On Wednesday 16 February 2005 14:35, Scott Ryan shaped the electrons to say:
> Hi list, I have posted before about an issue with clamd hanging and
> yesterday we finally managed to find out what the underlying problem was.
> We came across an 800k mail that we initially thought was causing clamd to
> hang. The truth in fact was that once we turned on debugging, we noticed
> that clamd was not hanging - just taking an age to scan the mail. This was
> obviously causing us huge problems as this was happening on very busy mail
> servers and in effect causes a DOS.
> We were running 0.83 and downgraded eventually to 0.80 and then we no
> longer experienced the issue.
>
> What we noticed about this one particular mail was that it had hundreds of
> mime-parts. So it appears to us that there has been a major change in the
> way clamav deals with mime parts since 0.80. So much so that it goes from
> scanning this mail in under a second in 0.80:
>
> # ls -la 1108491486.1513-1.ophelia.telkomsa.net
> -rw---1 root root 817795 Feb 15 20:35
> 1108491486.1513-1.ophelia.telkomsa.net
>
> # cat 1108491486.1513-1.ophelia.telkomsa.net | clamdscan -
> stream: OK
>
> --- SCAN SUMMARY ---
> Infected files: 0
> Time: 0.741 sec (0 m 0 s)
>
> To taking over 4 minutes to scan in 0.83
>
> Can anyone shed some light on this / offer some advice, as obviously we
> want to keep up with the latest stable version. I can provide the mail if
> anyone wants to examine it further.

My setup is now as follows:
Qmail-scanner with 'reformime' enabled.
Clamd with the ScanMail option removed.

It looks initially like this will solve our issue of clamd taking an age to scan messages that have huge numbers of messages within them. Tested by sending a few viruses, and they were trapped.

Cheers.
--
Scott Ryan
Telkom Internet
Re: [Clamav-users] Thank You!
On Thursday 24 February 2005 11:29, Yatin Shah (QualiSpace, Sales) shaped the electrons to say:
> Thank You!
>
> Thank you very much for mailing me. I will definitely check your mail and get back to you. Meanwhile, please note:
> >>If you have any support related query, please send an email to
> >> [EMAIL PROTECTED] If you have any new order, please send an email
> >> to [EMAIL PROTECTED] If you have any billing related query, please
> >> send an email to [EMAIL PROTECTED]
>
> Kindly consider the above for your convenience and fast response as I may
> not check your mail at the time when you need it urgent.
>
> Thanks & Regards,
>
> Yatin Shah
>
> Cell: 91 9323182676
> Email: [EMAIL PROTECTED]
>
> ___
> http://lurker.clamav.net/list/clamav-users.html

WTF ?

--
slr.
[Clamav-users] Clam Denial Of Service
[gentoo-announce] [ GLSA 200506-23 ] Clam AntiVirus: Denial of Service Vulnerability

Sorry if this has been discussed before: I do not see anything on the ClamAV website indicating the status of this potential DoS or whether it is rectified or even not applicable. Can anyone shed some light on this concern?

Thanks
--
slr
Re: [Clamav-users] Slow scanning of large Power Point Presentations
This one time, at band camp, Chris Hannam wrote:
> Hi,
> I`m running Clam AV 0.87 and have noticed some poor performance when
> scanning large (20Mb+) Power Point presentations. These scans can take

Of course it will take long to scan files of that size.

> upwards of 3 minutes. I had similar issues with 0.86.1 but upgrading
> has not resolved the problem.
>
> I'm running Clamd with Mimedefang on a 2.4Ghz Xeon 4 processor machine
> with 3Gb of RAM, running Red Hat 8.

I'm not sure about mimedefang, but I found that reformime was very fast. I used to use ripmime, but because of speed issues, I changed to reformime. I also removed the scanMail option from clamd.conf.

>
> Has anyone else experienced issues with .ppt files taking large amounts of
> time?

Set your file limit to something smaller (10Mb, I find is ok). It is extremely unlikely you are going to get any virii that are larger than that.

>
> Chris Hannam
>

--
slr, ISP Systems Specialist
Telkom Internet
#qmail-ldap @ irc.freenode.net
This message has been made from 100% recycled bits.
[Clamav-users] clamd-stream-client
Hi, I am looking at implementing something like this app and was wondering if there are any ppl on the list currently using it. I have set up a clamav server that listens on port 3310 - If I telnet to it, I see the port is open.

$ telnet 192.168.3.197 3310
Trying 192.168.3.197...
Connected to 192.168.3.197.
Escape character is '^]'
UNKNOWN COMMAND

I then installed clamd-stream-client and executed it with the instruction to contact my clamav server (using -d). However I do not see anything happening at all - I enabled libclamav debugging on the server but still nothing. I even used tcpdump to see if there was anything happening, but still nothing.

Any ideas would be greatly appreciated.

--
Regards,
Scott Ryan
Telkom Internet
-
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
-
Re: [Clamav-users] Clamav Uninstall
On Friday 18 August 2006 06:02, Robert wrote with regard to - Re: [Clamav-users] Clamav Uninstall :
> That's my problem !
>
> An 'unnamed colleague' deleted the previous build directory.

May I suggest that you start using some sort of package management tool - like RPM ?

Everything would be a whole lot easier...

--
Regards,
Scott Ryan
ISP Systems Development & Integration Specialist
Telkom Internet
-
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
-
Re: [Clamav-users] Clamav Uninstall
On Friday 18 August 2006 16:19, Jim Maul wrote with regard to - Re: [Clamav-users] Clamav Uninstall :
> Dennis Peterson wrote:
> > Scott Ryan wrote:
> >> On Friday 18 August 2006 06:02, Robert wrote with regard to - Re:
> >>
> >> [Clamav-users] Clamav Uninstall :
> >>> That's my problem !
> >>>
> >>> An 'unnamed colleague' deleted the previous build directory.
> >>
> >> May I suggest that you start using some sort of package management
> >> tool - like RPM ?
> >>
> >> Everything would be a whole lot easier...
> >
> > And lets someone else whose skill set you don't know and whose practices
> > are equally unknown make all manner of decisions about your
> > installation. Thanks, no. This is really very easy stuff to build and
> > manage.
>
> You are already using free software created by 'someone whose skill set
> you don't know and whose practices are equally unknown'. Your argument
> holds no water. Of course the best part is you are free to choose your
> own method.
>
> -Jim
> ___
> http://lurker.clamav.net/list/clamav-users.html

Thanks Jim, you saved me saying pretty much the same thing, but if DP is concerned more with how the package is constructed - That's where the beauty of RPM comes in. Download the SRPM, read what is happening in the SPEC file and if you don't like it, change it and then rebuild the RPM. Amazingly simple... Just make sure you update the changelog ;)

--
Regards,
Scott Ryan
ISP Systems Development & Integration Specialist
Telkom Internet
-
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
-
Re: [Clamav-users] Clamav Uninstall
On Friday 18 August 2006 16:27, Dennis Peterson wrote with regard to - Re: [Clamav-users] Clamav Uninstall :
> Jim Maul wrote:
> > Dennis Peterson wrote:
> >> Scott Ryan wrote:
> >>> On Friday 18 August 2006 06:02, Robert wrote with regard to - Re:
> >>>
> >>> [Clamav-users] Clamav Uninstall :
> >>>> That's my problem !
> >>>>
> >>>> An 'unnamed colleague' deleted the previous build directory.
> >>>
> >>> May I suggest that you start using some sort of package management
> >>> tool - like RPM ?
> >>>
> >>> Everything would be a whole lot easier...
> >>
> >> And lets someone else whose skill set you don't know and whose
> >> practices are equally unknown make all manner of decisions about your
> >> installation. Thanks, no. This is really very easy stuff to build and
> >> manage.
> >
> > You are already using free software created by 'someone whose skill set
> > you don't know and whose practices are equally unknown'. Your argument
> > holds no water. Of course the best part is you are free to choose your
> > own method.
> >
> > -Jim
>
> Nonsense - my repeatability over time because of my documented practices
> is solid and good business. And I'm not dependent upon a packager to
> provide a build for a new bug or feature release, let alone provide a
> consistent and predictable product. I haven't looked, but I have yet to
> see the configuration, options, build, and package parameters/guidelines
> used by any ClamAV packagers. Have you? And if I completely trusted the
> ClamAV team I wouldn't be following these forums :)
>
> dp
> ___
> http://lurker.clamav.net/list/clamav-users.html

Hope I got in here first...

From ClamAV site http://www.clamav.net/binary.html#pagestart :

"SRPMS: http://filelister.linux-kernel.at/?current=/packages/SRPMS/"

It took me 20 seconds...

--
Regards,
Scott Ryan
ISP Systems Development & Integration Specialist
Telkom Internet
-
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
-
Re: [Clamav-users] Clamav Uninstall
On Friday 18 August 2006 16:43, Dennis Peterson wrote with regard to - Re: [Clamav-users] Clamav Uninstall :
> Scott Ryan wrote:
> > On Friday 18 August 2006 16:27, Dennis Peterson wrote with regard to -
> > Re:
> >
> > [Clamav-users] Clamav Uninstall :
> >> Jim Maul wrote:
> >>> Dennis Peterson wrote:
> >>>> Scott Ryan wrote:
> >>>>> On Friday 18 August 2006 06:02, Robert wrote with regard to - Re:
> >>>>>
> >>>>> [Clamav-users] Clamav Uninstall :
> >>>>>> That's my problem !
> >>>>>>
> >>>>>> An 'unnamed colleague' deleted the previous build directory.
> >>>>>
> >>>>> May I suggest that you start using some sort of package management
> >>>>> tool - like RPM ?
> >>>>>
> >>>>> Everything would be a whole lot easier...
> >>>>
> >>>> And lets someone else whose skill set you don't know and whose
> >>>> practices are equally unknown make all manner of decisions about your
> >>>> installation. Thanks, no. This is really very easy stuff to build and
> >>>> manage.
> >>>
> >>> You are already using free software created by 'someone whose skill set
> >>> you don't know and whose practices are equally unknown'. Your argument
> >>> holds no water. Of course the best part is you are free to choose your
> >>> own method.
> >>>
> >>> -Jim
> >>
> >> Nonsense - my repeatability over time because of my documented practices
> >> is solid and good business. And I'm not dependent upon a packager to
> >> provide a build for a new bug or feature release, let alone provide a
> >> consistent and predictable product. I haven't looked, but I have yet to
> >> see the configuration, options, build, and package parameters/guidelines
> >> used by any ClamAV packagers. Have you? And if I completely trusted the
> >> ClamAV team I wouldn't be following these forums :)
> >>
> >> dp
> >> ___
> >> http://lurker.clamav.net/list/clamav-users.html
> >
> > Hope I got in here first...
> >
> > From ClamAV site http://www.clamav.net/binary.html#pagestart :
> >
> > "SRPMS: http://filelister.linux-kernel.at/?current=/packages/SRPMS/"
> >
> > It took me 20 seconds...
>
> I'm still looking for the OS X and Solaris data. Be right back...

Let me help you...

http://www.rpm.org/platforms/osx/
http://www.xernolan.org/rpm/solrpm.html

If you need solaris 9 or 10 packages for RPM, I can give them to you.

>
> dp
> ___
> http://lurker.clamav.net/list/clamav-users.html

--
Regards,
Scott Ryan
ISP Systems Development & Integration Specialist
Telkom Internet
-
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
-