Re: [clamav-users] Problem in using /usr/bin/freshclam --quiet -l/var/log/clam-update.log]
Hi Brian,

Thanks :-) I deleted both and voilà, freshclam did the update with issue. Nice.

Dee

On Tue, 2003-06-24 at 15:02, Brian May wrote:
> unlink = delete
>
> make sure you are either root or the owner of the file you wish to remove
>
> Brian
>
> - Original Message -
> From: "W.D. McKinney" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, June 24, 2003 1:21 PM
> Subject: [clamav-users] Problem in using
> /usr/bin/freshclam --quiet -l/var/log/clam-update.log]
>
> Hello,
>
> I am new to clamav but just had this error show up in the last couple
> days. Any idea or directions to 'unlink viruses.db2 file ?
>
> Thanks
>
> -Forwarded Message-
> > From: Cron Daemon <[EMAIL PROTECTED]>
> > To: [EMAIL PROTECTED]
> > Subject: Cron <[EMAIL PROTECTED]>/usr/bin/freshclam --quiet -l
> /var/log/clam-update.log
> > Date: 24 Jun 2003 16:00:46 +
> >
> > ERROR: The checksum of viruses.db2 database isn't ok. Please check it
> yourself or try again.
> >
> webmail:/home/dee# /usr/bin/freshclam -l /var/log/clam-update.log
> Checking for a new database - started at Tue Jun 24 12:14:37 2003
> Current working dir is /var/lib/clamav/
> viruses.db2 not found in the data directory.
> Connected to clamav.elektrapro.com.
> Reading md5 sum (viruses.md5): OK
> viruses.db is up to date.
> Reading md5 sum (viruses2.md5): OK
> Downloading viruses.db2 .. done
> ERROR: Can't unlink viruses.db2 file. Fix the problem and try again.
[clamav-users] Problem in using /usr/bin/freshclam --quiet -l /var/log/clam-update.log]
Hello,

I am new to clamav but just had this error show up in the last couple days. Any idea or directions to 'unlink viruses.db2 file ?

Thanks

-Forwarded Message-
> From: Cron Daemon <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Cron <[EMAIL PROTECTED]>/usr/bin/freshclam --quiet -l
> /var/log/clam-update.log
> Date: 24 Jun 2003 16:00:46 +
>
> ERROR: The checksum of viruses.db2 database isn't ok. Please check it yourself or
> try again.
>
webmail:/home/dee# /usr/bin/freshclam -l /var/log/clam-update.log
Checking for a new database - started at Tue Jun 24 12:14:37 2003
Current working dir is /var/lib/clamav/
viruses.db2 not found in the data directory.
Connected to clamav.elektrapro.com.
Reading md5 sum (viruses.md5): OK
viruses.db is up to date.
Reading md5 sum (viruses2.md5): OK
Downloading viruses.db2 .. done
ERROR: Can't unlink viruses.db2 file. Fix the problem and try again.
[Clamav-users] Set-up Help needed
I have a mail server running qmail 1.03. I also use qmail-scanner and SA with clamav. I noticed that I have not seen any copies of warnings of virus packed e-mails. So a quick check of syslog has :

Aug 4 09:25:34 webmail spamc[1810]: connection attempt to spamd aborted after 3 retries
Aug 4 09:25:46 webmail spamc[1828]: connect() to spamd at 127.0.0.1 failed, retrying (1/3): Connection refused
Aug 4 09:25:47 webmail spamc[1828]: connect() to spamd at 127.0.0.1 failed, retrying (2/3): Connection refused
Aug 4 09:25:48 webmail spamc[1828]: connect() to spamd at 127.0.0.1 failed, retrying (3/3): Connection refused
Aug 4 09:25:49 webmail spamc[1828]: connection attempt to spamd aborted after 3 retries

(Sorry about word wrapping :-(

webmail is the host name and this was a working setup that stopped for some reason, and 1 cup of java doesn't make the elevator hit the top floor.

Any thoughts.

Dee
[Clamav-users] MSBlast
Is the MSBlast worm in clamav db2 yet ?

http://clamav.elektrapro.com/cgi-bin/sendvirus.cgi does not show it ?

Dee
Re: [Clamav-users] MSBlast
Thanks a bunch.

Dee

On Tue, 2003-08-12 at 19:15, Nicholas Chua wrote:
> W.D. McKinney wrote:
> > Is the MSBlast worm in clamav db2 yet ?
> > http://clamav.elektrapro.com/cgi-bin/sendvirus.cgi does not show it ?
>
> If I am not wrong, it is been detected as Worm.Blaster.A
[Clamav-users] message.zip ?
Hi,

One of our customers received a message that had a .zip attachment and looks suspect. Anyone here want to take a look at it ?

Dee

--
W.D.McKinney (Dee)
Alaska Wireless Systems
11310 Lillan Lane, Anchorage, AK 99515-2914
Direct (907)349-4308 -=- http://www.akwireless.net
[Clamav-users] FOO.EXE
Here I am looking at manual.
Using my clamav tools I find.

--- SCAN SUMMARY ---
Known viruses: 9317
Scanned directories: 1
Scanned files: 33
Infected files: 0
Data scanned: 27.98 Mb
I/O buffer size: 131072 bytes
Time: 14.597 sec (0 m 14 s)

webmail:/home/dee# clamscan viri
viri/message.zip: Trojan.Dropper.C FOUND

--- SCAN SUMMARY ---
Known viruses: 9317
Scanned directories: 1
Scanned files: 1
Infected files: 1
Data scanned: 0.02 Mb
I/O buffer size: 131072 bytes
Time: 0.360 sec (0 m 0 s)

Following the Signature Tool section 3.5

sigtool -c "clamscan --stdout" -f message.zip -s "message"
Not detected at 3900, moving backward.
Not detected at 1950, moving backward.
Not detected at 975, moving backward.
Not detected at 487, moving backward.
Not detected at 243, moving backward.
Not detected at 121, moving backward.
Not detected at 60, moving backward.
Not detected at 29, moving backward.
Not detected at 13, moving backward.
Not detected at 5, moving backward.
Not detected at 1, moving backward.
Not detected at 0, moving backward.
Not detected at 0, moving backward.
Starting precise loop
Segmentation fault

This made it past our version of clamav ? clamscan / ClamAV version 0.60

Dee
Re: [Clamav-users] FOO.EXE
Hi,

One of our customers we host e-mail sent it to me from down in AU and it was from [EMAIL PROTECTED] as it made it to her from our server. (Like you said :-) This is the first instance of a known virus making through our system that I know.

Thanks

We run qmail/qmail-scanner/SA/clamav and it has worked excellent. It may have been in a small window of time

On Sat, 2003-08-16 at 08:41, Antony Stone wrote:
> On Saturday 16 August 2003 4:57 pm, W.D. McKinney wrote:
>
> > Here I am looking at manual.
> > Using my clamav tools I find.
> >
> > webmail:/home/dee# clamscan viri
> > viri/message.zip: Trojan.Dropper.C FOUND
>
> Yup - that's the one I thought it would be :)
>
> It's been detected by ClamAV since 1st August.
>
> > This made it past our version of clamav ? clamscan / ClamAV version 0.60
>
> I don't understand. You said it just got detected and identified by your
> version of ClamAV...
>
> Does whatever mail scanning system you use check .zip files for viruses?
> Did it correctly pass this one to ClamAV for checking when it came through?
>
> Antony.
Re: [Clamav-users] a few damaged viri still making it through...
Interesting Daniel.

I see hundreds of e-mails hitting a single account on our server that are passing as normal e-mail through our qmail-scanner/SA/clamav setup. IE.:

Return-Path: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 16021 invoked by uid 1009); 2 Sep 2003 02:24:58 -
Received: from [EMAIL PROTECTED] by webmail by uid 1006 with qmail-scanner-1.16 (clamscan: 0.60. spamassassin: 2.54. Clear:SA:1(5.2/4.0):. Processed in 0.548682 secs); 02 Sep 2003 02:24:58 -
X-Spam-Status: Yes, hits=5.2 required=4.0
Received: from unknown (HELO OFFICE) (24.237.26.143) by 0 with SMTP; 2 Sep 2003 02:24:57 -
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: Re: Wicked screensaver
Date: Mon, 1 Sep 2003 18:25:11 --0800
X-MailScanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="_NextPart_000_06F3D714"
X-Qmail-Scanner-Message-ID: <[EMAIL PROTECTED]>

This is a multipart message in MIME format

--_NextPart_000_06F3D714
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

Please see the attached file for details.
--_NextPart_000_06F3D714--

This is something I wondered about. They are all similar except different from fields.

Dee

On Tue, 2003-09-02 at 10:07, Daniel J McDonald wrote:
> I'm running clamav 0.60 with amavisd-new-20030616-p4/. Clam is catching
> almost all of my sobig.f viri - about 3000 a day still. But I also
> catch two or three others with the same sorts of filenames -
> Your_Application.pif, movie045.pif, etc. I have the mail nicely tucked
> away in my quarantine folder (rfc 822 format), and they appear to be
> DSNs where the mail daemon kindly included the attachment.
>
> Are these files worth tracking down and reporting? and if so, what must
> be done with them so they can have the virus extracted and identified?
[Clamav-users] Latest Virus Threats
I looked at Symantec tonight, as I haven't in awhile. Saw the list at http://securityresponse.symantec.com/avcenter/vinfodb.html#threat_list and I am wondering how many of these are ones that get sent into the good folks adding db to clamav ?

Is Symantec listing more than necessary to keep sales up ?

Dee

--
W.D.McKinney (Dee)        | Affordable E-Mail and Internet Solutions
Alaska Wireless Systems   | for Schools, Libraries, Clinics & Business'
http://www.akwireless.net | Call 1-907-349-4308
[Clamav-users] UPDATE81.exe getting thru
Is anyone else seeing this happen ?

Dee

--
W.D.McKinney (Dee)        | Affordable E-Mail and Internet Solutions
Alaska Wireless Systems   | for Schools, Libraries, Clinics & Business'
http://www.akwireless.net | Call 1-907-349-4308
Re: [Clamav-users] RE: UPDATE81.exe getting thru
On Fri, 2003-09-19 at 13:51, Jesse Guardiani wrote:
> Kevin Hanser wrote:
>
> > Yes, I received a couple of these this morning, one with an attachment
> > called Update53.exe, and another w/an attachment called Install932.exe.
> >
> > I'm assuming this is the new "Swen" virus I have recently heard about?
>
> Yes, also Gibe-F apparently. But ClamAV's current virus def for Worm.Gibe.F
> seems to be faulty because it only catches about 50% of my Gibe-F viruses...

Is there a good way to stop this with clamav ? We like its implementation but this is not cool.

Dee

--
W.D.McKinney (Dee)        | Affordable E-Mail and Internet Solutions
Alaska Wireless Systems   | for Schools, Libraries, Clinics & Business'
http://www.akwireless.net | Call 1-907-349-4308
Re: [Clamav-users] RE: UPDATE81.exe getting thru
We host e-mail for schools, businesses, etc. It's not feasible to enforce blocking .exe's and keep customers. Simple economics.

Support costs are an issue and it's a small trade off in this incident to go blocking the gif route.

Dee

On Sat, 2003-09-20 at 09:16, Thomas Lamy wrote:
> Antony Stone wrote:
> > On Saturday 20 September 2003 4:54 pm, Daniel J McDonald wrote:
> >
> >>On Sat, 2003-09-20 at 10:40, Antony Stone wrote:
> >
> >>>A gif is not a virus, so it should not be detected by an anti-virus
> >>>program.
> >>>
> >>>Anyway, what's the point? Why bother blocking a 'damaged' copy of a
> >>>virus, where 'damaged' actually means 'missing'?
> >>
> >>Do you want to receive 200 of these mails, like I did last night?
> >>
> >>Do you want your clueless users calling you all day asking why they
> >>can't find the patch that Microsoft e-mailed them?
> >
> > Are you suggesting that you allow emails with a .exe attachment to be
> > delivered?
> >
> > I regard that as a sufficient reason to block an email, whether the .exe is a
> > virus or not.
> >
> > The zero-length attachments on Gibe.F emails I've seen so far have all had
> > .exe extensions, so they get blocked by my server (although for a different
> > reason) just the same as the real ones.
> >
> This might work for you, but I for one have to manage an ISP's mail
> server and an AV mail exchanger, where users _want_ to get non-virus
> .exe attachments (either if they have no clue, or aren't willing to
> educate .exe senders. After all, they're paying for hassle-free internet
> and mail access).
> There are other/greater ISPs and portals (IIRC freenet.de,
> sourceforge.net), which also can't completely block .exe's. Maybe Marian
> Eichholz [freenet.de] can shed some light on their policies.
> >
> > I still maintain that a gif is not a virus, and therefore shouldn't be
> > recognised by an antivirus program, however the beauty of Open Source is that
> > you can change it if you want to, so feel free to create your own signature
> > for the gifs if you want, and put them in the ClamAv directory.
> >
> > I don't think such signatures will make it into the general distribution,
> > though.
> It's nearly the same discussion as with damaged sobig.f's with damaged
> attachments. Technical, these mails weren't virii, but crap. Crap which
> may make (not completely) uneducated users (like bosses) say: "Huh, this
> is a virus. I thought we have an email virus scanner? Sysadmin, what
> crappy av software are you using?"
> I thought we came down to that this behaviour, although technically
> correct, may give clamav a bad attitude (which clamav does not deserve).
>
> For this reason, I'm +1 for creating a signature which matches the gif.
> At least temporary.
>
> Thomas

--
W.D.McKinney (Dee)        | Affordable E-Mail and Internet Solutions
Alaska Wireless Systems   | for Schools, Libraries, Clinics & Business'
http://www.akwireless.net | Call 1-907-349-4308
RE: [Clamav-users] RE: UPDATE81.exe getting thru
On Sat, 2003-09-20 at 16:40, Diego d'Ambra wrote:
>
> The current standpoint of the team maintaining the DB is to include
> signatures that also detect damaged viruses. These signatures are often
> used to detect e-mails that somehow "lost" the damaging part. This is to
> prevent users from getting bombarded with e-mails containing only
> nonsense.
>
> The problem with these damaged viruses is that in some cases creating a
> signature will increase the risk of false positives when the "leftovers"
> are minimal.
>
> In the case of Gibe.F it was necessary to collect enough samples to
> understand what was common between them. Because it is uncertain if the
> person behind Gibe.F copied the embedded images from Microsoft, it
> wasn't an option only to use these.
>

Thank you Diego. I appreciate the decision very much.

Dee

> Best regards,
> Diego d'Ambra

--
W.D.McKinney (Dee)        | Affordable E-Mail and Internet Solutions
Alaska Wireless Systems   | for Schools, Libraries, Clinics & Business'
http://www.akwireless.net | Call 1-907-349-4308
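Added example, not part of any message in this archive: the threads above describe mails that ClamAV reports clean because the infected part is gone, either a multipart/mixed message with only a text part (the "Wicked screensaver" sample) or a zero-length .exe attachment (the Gibe.F mails). The heuristic below flags both shapes with Python's standard email module; the sample messages and the names classify, sample and attach are constructed for illustration.

```python
import email
from email import policy

def classify(raw: bytes) -> str:
    """Classify one RFC 822 message: 'stripped', 'empty-attachment' or 'ok'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if msg.get_content_type() != "multipart/mixed":
        return "ok"                      # nothing claims to carry an attachment
    attachments = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_filename() or part.get_content_disposition() == "attachment":
            attachments.append(part.get_payload(decode=True) or b"")
    if not attachments:
        return "stripped"                # multipart/mixed shell, payload part gone
    if any(not data.strip() for data in attachments):
        return "empty-attachment"        # named attachment with zero bytes
    return "ok"

# --- constructed sample messages (not taken from the list archive) ---
def sample(parts: str) -> bytes:
    head = ("From: a@example.invalid\nTo: b@example.invalid\n"
            "MIME-Version: 1.0\n"
            'Content-Type: multipart/mixed; boundary="B"\n\n')
    return (head + parts + "--B--\n").encode("ascii")

TEXT = ("--B\nContent-Type: text/plain\n\n"
        "Please see the attached file for details.\n")

def attach(name: str, b64: str) -> str:
    return ("--B\nContent-Type: application/octet-stream\n"
            "Content-Transfer-Encoding: base64\n"
            f'Content-Disposition: attachment; filename="{name}"\n\n{b64}\n')

STRIPPED = sample(TEXT)                                   # text part only
EMPTY = sample(TEXT + attach("Update53.exe", ""))         # zero-length .exe
NORMAL = sample(TEXT + attach("notes.txt", "aGVsbG8="))   # real attachment

if __name__ == "__main__":
    for label, raw in (("stripped", STRIPPED), ("empty", EMPTY), ("normal", NORMAL)):
        print(label, "->", classify(raw))
```

A check like this belongs after the virus scan in the mail pipeline, as a quarantine or tagging rule for carrier mails that contain no payload for a signature to match.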
[Clamav-users] exit status 2 ?
We had a problem the other day and had to re-compile perl. Now we see this problem :

clam_scanner: corrupt or unknown clamd scanner error or memory/resource/perms problem - exit status 2

Do I need to re-install ClamAV also?

Dee
Re: [Clamav-users] Clamav and FreeBSD 5.1
On Wed, 2003-10-08 at 11:10, Robert Burtelow wrote:
> Hello all,
>
> I've been banging my head against the desk for the past two days trying to figure
> this one out. I'm running FreeBSD 5.1-RELEASE with qmail/qmail-scanner/clamav.
> Whenever messages are sent to the server, I am getting a 451_unable_to_exec_qq error
> message.
>
> On to my main problem. Anytime I try and run clamd from the command line, it seems
> to run but won't show up as a process. So I checked the /var/log/clamav/clamd.log
> file. It gives me the error:
>
> ERROR: Socket file /var/run/clamav/clamd already exists. Please remove it or use
> another one.
>
> If I remove the socket file, I get:
>
> ERROR: bind() error: No such file or directory
>
> I tried changing the Socket directive in /usr/local/etc/clamav.conf to
> /var/run/clamav/clamsocket, and I have the same problems listed above.
>
> I'm running version .60 currently on the server. If anyone would have any
> suggestions I would appreciate some help.
>

Are you running qmail-scanner also by chance ?

--
W.D.McKinney (Dee)        | Affordable E-Mail and Internet Solutions
Alaska Wireless Systems   | for Schools, Libraries, Clinics & Business'
http://www.akwireless.net | Call 1-907-349-4308