[Clamav-users] clamdscan problem: Can't access the file ERROR

2004-01-13 Thread ricardo
Hi,

I'm having a problem with clamdscan, this only happens when
running clamdscan and not clamscan.

I'm running clamav-0.65 on suse linux.

I'm running it over a directory which has a couple of virus
files. It works with clamscan, here's the output:

clamscan /dev/shm/tmp/messages/mime/1517/
/dev/shm/tmp/messages/mime/1517//textfile9: Worm.Gibe.F FOUND
/dev/shm/tmp/messages/mime/1517//doubleCR.1: OK
/dev/shm/tmp/messages/mime/1517//qtc.exe: Worm.Gibe.F FOUND
/dev/shm/tmp/messages/mime/1517//textfile8: Empty file.
/dev/shm/tmp/messages/mime/1517//textfile7: OK
/dev/shm/tmp/messages/mime/1517//textfile6: OK
/dev/shm/tmp/messages/mime/1517//textfile5: Empty file.
/dev/shm/tmp/messages/mime/1517//textfile4: OK
/dev/shm/tmp/messages/mime/1517//textfile3: OK
/dev/shm/tmp/messages/mime/1517//textfile2: Empty file.
/dev/shm/tmp/messages/mime/1517//textfile1: Empty file.
/dev/shm/tmp/messages/mime/1517//textfile0: OK

--- SCAN SUMMARY ---
Known viruses: 20101
Scanned directories: 1
Scanned files: 8
Infected files: 2
Data scanned: 0.15 MB
I/O buffer size: 131072 bytes
Time: 8.050 sec (0 m 8 s)


Now here's the clamdscan output:

clamdscan /dev/shm/tmp/messages/mime/1517/
/dev/shm/tmp/messages/mime/1517/: Can't access the file ERROR

--- SCAN SUMMARY ---
Infected files: 0
Time: 0.001 sec (0 m 0 s)

This is happening very consistently... so virus scanning is
failing for me.

Any ideas what this could be?

Thanks
Ricardo





[Clamav-users] worm in zip file

2004-03-05 Thread ricardo
Hi,

Is clamav catching this latest worm that has a password
protected zip file?

I've seen a bunch of these come through and it doesn't seem
like clamdscan has caught it. I don't have one of these
messages around to manually test it.

Thanks
Ricardo





Re: [Clamav-users] worm in zip file

2004-03-05 Thread ricardo
>> Hi,
>> 
>> Is clamav catching this latest worm that has a password
>> protected zip file?

> Yes, it is.

Thank you. Are there multiple versions of this worm? I have seen some come 
into my mailbox and not be detected... but I no longer have the files in 
order to test.

Ricardo




[clamav-users] virus signatures and updates

2003-04-28 Thread ricardo
Hi all,

Currently, how many virus signatures are in the database for clamav? How
often are signatures updated?

I've seen in the list archives that clamav can compare favorably with
other antivirus software, but my concern is, how well is it kept up to
date? When a new virus is discovered, how quickly will it make it into
clamav's database?

Most commercial AV solutions have daily updates of signatures.

Thanks
Ricardo


[clamav-users] is this list alive? ;-)

2003-04-29 Thread ricardo
Hi,

Haven't seen any postings since I signed up, other than my one posting,
and no responses... Is anyone out there?

Ricardo


Re: [clamav-users] is this list alive? ;-)

2003-04-29 Thread ricardo

Hello David.

I see you're out there. ;-)   But do you know the answer to my original
question...?

How many virus signatures does clamav have, how reliable is it, how often 
does its database get updated?

I'm trying to compare it to commercial alternatives.

Ricardo

On Tue, 29 Apr 2003 14:35:30 +0100 David Woolley wrote:

> Hi ricardo,
> 
> 
> 
> -- 
> Best regards,
>  David
> 
> Tuesday, April 29, 2003, 2:26:28 PM, you wrote:
> rac> Hi,
> 
> rac> Haven't seen any postings since I signed up, other than my one
> posting,
> rac> and no responses... Is anyone out there?
> 
> rac> Ricardo
> 
> 
> 
> 


Re: [clamav-users] is this list alive? ;-)

2003-04-29 Thread ricardo

Thank you!

Why is the date listed below more than 5 months old?

Ok... so I guess there's quite a large discrepancy... most commercial AV
have tens of thousands of signatures. For example, RAV has 77000 signatures.

Is there any chance that clamAV will "catch up" anytime soon?

Thanks again.
Ricardo

On Tue, 29 Apr 2003 15:29:03 +0100 Robert Harrison wrote:

> Checking for a new database - started at Sat Nov 30 04:00:00 2002
> viruses.db2 is up to date.
> Database updated (containing in total 7295 signatures).
> 
> 
> 
> 


[clamav-users] clamav snapshots

2003-04-30 Thread ricardo
Hi all,

How stable are the snapshots? Should I go with stable and steer away from 
snapshots?

When is 0.55 due to be released?

Thanks
Ricardo


[clamav-users] clamscan & clamd

2003-04-30 Thread ricardo
Hi again,

Sorry for all the questions, but I'm still trying to get familiar with
how clamav works.

Is clamscan the client portion, which connects to clamd? Or is clamscan a 
scanner by itself that doesn't rely on clamd?

Seems to me clamscan runs fine without clamd running. So I'm guessing
clamscan is self-sufficient and doesn't rely on clamd.

If that's the case, then what is the client program for clamd? Is it
clamuko? I didn't quite understand.

How can I get clamav's statistics, I've seen postings of the number of
viruses scanned historically...

Thanks
Ricardo


Re: [clamav-users] clamscan & clamd

2003-05-01 Thread ricardo

Thank you!

Ok, so that brings me to the question of what would be the advantage of
using clamdscan/clamd versus simply using clamscan.

I ran a simple test to compare the performance.

I ran clamdscan 5 times on the clamscan install directory, got an average 
of 2.22 seconds
Then I ran clamscan 5 times on the same directory, with an average of
1.18 seconds, basically twice as fast!

So should clamdscan+clamd only be used in scenarios where I have a
central clamav server? Because it seems the regular clamscan is much faster.

Ricardo
On Thu, 01 May 2003 10:01:09 +0200 Andreas Schmitz wrote:

> [EMAIL PROTECTED] wrote:
> 
> >If that's the case, then what is the client program for clamd? Is it
> >clamuko? I didn't quite understand.
> >  
> >
> clamdscan is the client program, which needs clamd.
> 
> Best Regards
> -- 
> Andreas Schmitz
> AS-DataService <http://www.as-dataservice.de>
> Kastanienallee 24
> D-54662 Speicher
> 
> Tel.: (0 65 62) 93 05 17
> Fax: (0 65 62) 93 05 18
> Email: [EMAIL PROTECTED] 
> <mailto:[EMAIL PROTECTED]>
> 
> Ust-IdNr.: DE211466407
> Handelsregister: HRA 1869 - Amtsgericht Bitburg
> <http://www.as-dataservice.de>
> 
>  





Re: [clamav-users] clamscan & clamd

2003-05-01 Thread ricardo

You gotta point. So I changed the command to be:

clamscan -r

--- SCAN SUMMARY ---
Known viruses: 7286
Scanned directories: 36
Scanned files: 349
Infected files: 3
Data scanned: 5.94 Mb
I/O buffer size: 131072 bytes
Time: 3.528 sec (0 m 3 s)

clamdscan -r

--- SCAN SUMMARY ---
Infected files: 1
Time: 2.690 sec (0 m 2 s)

Why do they get different results? clamdscan doesn't show the total
files, but only shows 1 infected... while clamscan in this case does take 
longer but finds 3 infected files.



On Thu, 1 May 2003 13:54:28 -0400 "Shayne Lebrun" wrote:

> Did both report having scanned the same files/number of files?
> 


Re: [clamav-users] clamscan & clamd

2003-05-01 Thread ricardo

I'm running both as root...  just to be sure, whether it matters or not,
I did a chown -R clamav on the directory that's being checked, but clamd
is running as root anyway (should it run as clamav?)



On Thu, 1 May 2003 14:20:29 -0400 "Shayne Lebrun" wrote:

> Clamdscan tells clamd to scan; so what user is clamd running as?
> What user
> are *you* running as when you run clamscan manually?


[clamav-users] scanning via procmail or maildrop?

2003-05-03 Thread ricardo
Hi,

How can I use clamav from within a filtering program such as procmail or
maildrop? It seems to me that clamscan only takes a file or directory...

Thanks
Ricardo


[clamav-users] clamav stats and virus types

2003-05-04 Thread ricardo

Hi Ed,

I was wondering how you got the statistics you displayed below, does
clamav keep some cumulative statistics of viruses found?

Also, for any particular file, if clamscan finds a virus, how can I tell
which virus(es) it found?  I can't seem to find how to do that by running 
clamscan. Even in the summary, it will only say how many were found, but
not the actual type.

Thanks
Ricardo

On Tue, 29 Apr 2003 11:46:24 -0400 (EDT) Ed Phillips wrote:

>      2 Joke.CokeGift FOUND
>      2 Joke.Schmilz FOUND
>      2 Kit/VCL FOUND
>      2 TR.IWorm.MTX FOUND
>      2 W2000M/Thus.B.Macro FOUND
>      2 W32/Nimda.eml FOUND
>      2 W97M/VMPCK FOUND
>      2 Worm/Fbound.C FOUND
>      3 W32/Gop FOUND
>      4 CIH #2 FOUND
>      4 ClamAV-Test-Signature FOUND
>      4 Mid/Kakworm-Z FOUND
>      4 VBS.SST-A #3 FOUND
>      4 W32/Joke.HHold FOUND
>      4 W97M/Class.B FOUND
>      4 Worm/BadTrans.B1 FOUND
>      5 W32.FunLove.4099 FOUND
>      6 Joke.SmallPenis FOUND
>      6 W32/Blakan FOUND
>      6 W32/Joke.Jep FOUND
>      8 Oror-fam FOUND
>     10 TR.Sub7.Bonus.Srv FOUND
>     11 WM97/Marker FOUND
>     12 Worm.Yaha-L FOUND
>     12 Yaha.R FOUND
>     14 HTML/Winevar FOUND
>     14 W32/Worm.Winevar FOUND
>     14 WScr.Unsafe.D FOUND
>     15 VBS/Redlof-A FOUND
>     16 TR.Happy99/SKA FOUND
>     18 W32/Goner-A FOUND
>     18 W32/Magistr.B2 FOUND
>     18 W95/Hybris.PI.004 FOUND
>     20 Eicar-Test-Signature FOUND
>     20 V5M.Unstable FOUND
>     20 W32/Magistr.B1 FOUND
>     26 W32/Hybris.C FOUND
>     32 W32/Magistr.B4 FOUND
>     34 VBS.Redlof.Encoded FOUND
>     34 W32/Magistr.B3 FOUND
>     40 W95.Matrix.SCR FOUND
>     40 WM/Thus.B FOUND
>     48 W32/Magistr.B6 FOUND
>     48 W97/Marker FOUND
>     56 VBS.LoveLetter.D FOUND
>     62 W32/Nimda.html FOUND
>     82 Lirva FOUND
>    108 Worm.Ganda-A FOUND
>    138 W32/Magistr.B5 FOUND
>    140 Worm/Gibe.1 FOUND
>    160 W95/Hybris.PI.000 FOUND
>    160 Worm/Lentin.E FOUND
>    166 W95/Hybris.PI.001 FOUND
>    169 Worm/Klez.E FOUND
>    240 W32/Magistr.A FOUND
>    264 W95/Hybris.PI.002 FOUND
>    290 Lirva-B FOUND
>    302 Lirva-C FOUND
>    435 Yaha.P FOUND
>    506 W32/BugBear.A FOUND
>    526 W32/Magistr.B FOUND
>    528 W98/Hybris.E FOUND
>    796 Worm.Gibe.B FOUND
>    829 W32/Brid.Worm FOUND
>   2184 W95/Hybris.PI.003 FOUND
>   3846 Worm.Sobig.A FOUND
>   6536 Exploit.IFrame FOUND
>   9894 W32/Yaha.g.dam FOUND
>  10354 Sircam FOUND
>  10980 Yaha.K FOUND
> 119974 Exploit.IFrame.HTML FOUND
> 182089 Worm/Klez.H FOUND
> 
> Amazingly short list for a University with no firewalls, students and
> staff installing computers and hooking them to the network without any
> security requirements or checks, etc.  Note the major percentage of our
> total virus counts are in the top-ten at the bottom of the list (Yep,
> that's 182,089 copies of Klez.H stripped out of email attachments!).
> 






[clamav-users] Re: clamav stats and virus types

2003-05-05 Thread ricardo

Thanks Ed!

So you use clamd + clamdscan, and information is kept in the clamd log.

Is there any way to know what viruses were found other than having to
look at the clamd log?

Thomasz, is it possible to have clamscan and clamdscan output the name of 
the virus in the scan summary? 

Another question, I see clamscan can use "-" to take a file in STDIN, but 
it seems clamdscan doesn't have that option?

Thanks
Ricardo

On Sun, 4 May 2003 20:52:15 -0400 (EDT) Ed Phillips wrote:

> Hi,
> 
> I got these counts from our clamd log.  Each time it finds a virus, it
> prints a line naming the virus.
> 
> Hope this helps...
> 
>   Ed
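
The per-signature counts Ed describes can be rebuilt from any set of FOUND lines, whether they come from the clamd log or from clamscan/clamdscan output. This is an added example, not part of the thread: the input lines are constructed, the clamd log line shape is an assumption, and `sample_lines` and `tally_found` are names chosen for the example.

```shell
#!/bin/sh
# Added example: count detections per signature from FOUND lines.

# sample_lines: constructed input (not taken from a real log) mixing the
# assumed clamd log shape "timestamp -> file: Name FOUND" with clamscan output.
sample_lines() {
    cat <<'EOF'
Mon May  5 11:45:58 2003 -> /var/spool/scan/work-01/DOCS.DOC.pif: Worm/Klez.H FOUND
Mon May  5 11:46:02 2003 -> /var/spool/scan/work-02/SETUP.DOC.scr: Worm/Klez.H FOUND
/tmp/viruses/cur/1052155096.M598808P5794.mailhost.example:2,S: Sircam FOUND
/tmp/viruses/cur/1052155101.M342071P5820.mailhost.example:2,S: OK
/tmp/viruses/old/cih.exe: CIH #2 FOUND
EOF
}

# tally_found: read scan or log lines on stdin and print "count signature",
# sorted by ascending count and then by name.
tally_found() {
    awk '
    / FOUND$/ {
        line = $0
        sub(/ FOUND$/, "", line)
        # The signature is whatever follows the LAST ": ". Earlier colons
        # belong to the timestamp or the file name (maildir names can carry
        # ":2,S"), and the name itself may contain spaces ("CIH #2").
        n = split(line, part, ": ")
        if (n >= 2) count[part[n]]++
    }
    END { for (sig in count) printf "%d %s\n", count[sig], sig }
    ' | LC_ALL=C sort -k1,1n -k2
}
```

Feeding it a log is `tally_found < /path/to/clamd.log`, where the path is whatever the local clamd configuration writes to.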



[clamav-users] Re: clamav stats and virus types

2003-05-05 Thread ricardo

Does clamav not take apart MIME messages? 

Is something like MIMEDefang necessary with clamav?

Thanks
Ricardo

On Mon, 5 May 2003 11:45:58 -0400 (EDT) Ed Phillips wrote:

> On Mon, 5 May 2003 [EMAIL PROTECTED] wrote:
> 
> > Thanks Ed!
> >
> > So you use clamd + clamdscan, and information is kept in the clamd log.
> 
> Actually, we use clamd + MIMEDefang (which takes apart email messages,
> tells clamd to scan them, then checks the results)...
> 
> > Is there any way to know what viruses were found other than having to
> > look at the clamd log?
> 
> I don't know.  I thought clamscan printed out the same kind of message
> that clamd did... but I don't use clamscan much.
> 
>   Ed


[clamav-users] Re: clamav stats and virus types

2003-05-05 Thread ricardo

Oh, that's great! Good to know that clamscan does MIME processing.

Is anyone aware of known bugs with clamscan's MIME processing?

Thanks for your help, Ed!

Ricardo

On Mon, 5 May 2003 11:58:17 -0400 (EDT) Ed Phillips wrote:

> On Mon, 5 May 2003 [EMAIL PROTECTED] wrote:
> 
> > Does clamav not take apart MIME messages?
> >
> > Is something like MIMEDefang necessary with clamav?
> 
> No.  We use MIMEDefang for many things (taking apart the email is just one
> of those things).  We also use MD for running SpamAssassin scoring on
> email messages.
> 
> ClamAV has features to take apart MIME messages, as far as I know, but
> last I heard, clamd doesn't (only clamscan can do it).  Support for taking
> apart MIME messages in ClamAV is pretty "new", so personally, I'd wait for
> the wrinkles to get ironed out before using it to take apart 100-300,000
> emails a day - but that's probably just my own paranoia. ;-)  MIMEDefang
> has most of its wrinkles already worked out.  (MIME is a terrible thing...
> and MIME-bursting software is notoriously buggy in my experience).
> However, we're pretty happy to let MD do the MIME-bursting and let clamd
> just scan the attachment files.
> 
>   Ed
> 
> Ed Phillips <[EMAIL PROTECTED]> University of Delaware (302) 831-6082
> Systems Programmer III, Network and Systems Services
> finger -l [EMAIL PROTECTED] for PGP public key


[clamav-users] help understanding scan results

2003-05-05 Thread ricardo
Hi,

I have a folder (mbox folder under PINE) in which I've kept a few virus
messages around to help me with scan testing. There are 8 messages in
there. I currently run RAV antivirus on another box, and if I scan that
folder (the mbox file) with ravav I get this:

/home/r.../viruses->(part0001:)->(IFRAME) Infected: HTML/IFrame_Exploit*
/home/r...il/viruses->(part0002:DOCS.DOC.pif) Infected: Win32/[EMAIL PROTECTED]
/home/r...uses->(part0004:Officiants.doc.pif) Infected: Win32/[EMAIL PROTECTED]
/home/r...viruses->(part0006:ME_NUDE.MP3.scr) Infected: Win32/[EMAIL PROTECTED]
/home/r...l/viruses->(part0007:SETUP.DOC.scr) Infected: Win32/[EMAIL PROTECTED]
/home/r...s->(part0008:www.myparty.yahoo.com) Infected: Win32/[EMAIL PROTECTED]
/home/r...s->(part0009:www.myparty.yahoo.com) Infected: Win32/[EMAIL PROTECTED]
/home/r...uses->(part0010:Officiants.doc.pif) Infected: Win32/[EMAIL PROTECTED]
/home/r...11:)->(part0001:Officiants.doc.lnk) Infected: Win32/[EMAIL PROTECTED]

Infected: 9. Different virus bodies: 4.

So in the 8 messages it found 9 viruses.

Then I tested clamav in 2 different ways, one where I ran clamscan on the 
mbox file itself, the other where I forwarded each message individually
to another account, and then later manually ran clamscan on each
individual message (messages stored in maildir format, so ran the files
individually through clamscan).

Here are my results:

# cat /tmp/viruses.mbox |clamscan --mbox -
/tmp/e28834880f1d6b5b/textportionnM5YLG: OK
/tmp/e28834880f1d6b5b/Officiants.doc.pifXdVedm.pif: Sircam FOUND
/tmp/e28834880f1d6b5b/textportionNHL2E1: OK
/tmp/e28834880f1d6b5b/textportionmC146G: OK
/tmp/e28834880f1d6b5b/Officiants.doc.pifmBcbCm.pif: Sircam FOUND
/tmp/e28834880f1d6b5b/Officiants.doc.lnkmeTga2.lnk: Sircam FOUND

--- SCAN SUMMARY ---
Known viruses: 7286
Scanned directories: 1
Scanned files: 6
Infected files: 3
Data scanned: 0.38 Mb
I/O buffer size: 131072 bytes
Time: 1.160 sec (0 m 1 s)

So with --mbox, it only finds 3 of the 9 infected.

With individual file scanning, NO viruses are found... :-(  how can that be?

# clamscan /tmp/viruses 
/tmp/viruses/1052155096.M598808P5794V000AI008325A7_0.server2.americasnet.com,S=41499: OK
/tmp/viruses/1052155101.M342071P5820V000AI008431CD_0.server2.americasnet.com,S=226902: OK
/tmp/viruses/1052155106.M834887P5846V000AI008431D0_0.server2.americasnet.com,S=41502: OK
/tmp/viruses/1052155113.M833382P5872V000AI008431D1_0.server2.americasnet.com,S=41431: OK
/tmp/viruses/1052155122.M751341P5898V000AI008431D2_0.server2.americasnet.com,S=41990: OK
/tmp/viruses/1052155128.M852730P5924V000AI008431D3_0.server2.americasnet.com,S=41981: OK
/tmp/viruses/1052155136.M327169P5950V000AI008431D4_0.server2.americasnet.com,S=226902: OK
/tmp/viruses/1052155143.M329226P5976V000AI008431D5_0.server2.americasnet.com,S=226904: OK

--- SCAN SUMMARY ---
Known viruses: 7286
Scanned directories: 1
Scanned files: 8
Infected files: 0
Data scanned: 0.84 Mb
I/O buffer size: 131072 bytes
Time: 0.729 sec (0 m 0 s)




Re: [clamav-users] help understanding scan results

2003-05-07 Thread ricardo

Hello Tomasz,

On Wed, 7 May 2003 14:28:00 +0200 (CEST) Tomasz Kojm wrote:

> > 
> > So with --mbox, it only finds 3 of the 9 infected.
>  
> Please test the newest version from http://clamav.elektrapro.com/snapshot,
> old code is known to ignore some types of attachments.

Ok, I'll try that out.


> /tmp/viruses/1052155136.M327169P5950V000AI008431D4_0.server2.a
> > mericasnet.com,S=226902: OK
> >
> /tmp/viruses/1052155143.M329226P5976V000AI008431D5_0.server2.a
> > mericasnet.com,S=226904: OK
>  
> What is this ? This is not produced by clamscan.

It just looks confusing. Those are the filenames in the /tmp/viruses
directory, and clamscan was reporting "OK" for each of the files (which
have the very long filenames). These are maildir files produced by the
courier mail server.

Thanks again
Ricardo


Re: [clamav-users] help understanding scan results

2003-05-07 Thread ricardo
On Wed, 7 May 2003 14:28:00 +0200 (CEST) Tomasz Kojm wrote:

> Please test the newest version from http://clamav.elektrapro.com/snapshot,
> old code is known to ignore some types of attachments.
> 

Is the newest version the one from April 3? Is there a newer one somewhere?

Ricardo



Re: [clamav-users] Mime mails

2003-05-23 Thread ricardo

My experience is that it does to some extent. I know, though, that it
doesn't support uuencoded messages, for example (unless I'm doing
something wrong).

The only way I can get it to work well for mime and uuencoded messages is 
to run a program (like ripmime) on the message and then run clamscan on
the mime parts.

If anyone has a better way of doing it, I'd love to hear it.

Ricardo

On Fri, 23 May 2003 17:43:49 +0100 Sean Rima wrote:

> 
> Does clamav (0.54) read understand mime. I am just curious
> 
> Sean
> - -- 
> Q: Because it reverses the logical flow of conversation.
> A: Why is top posting frowned upon?
> 
> Normal Email sean AT tcob1 DOT net  GPG Key Id 7DA70294
>   ICQ: 679813  Jabber: [EMAIL PROTECTED] 
> 


Re: [clamav-users] Mime mails

2003-05-23 Thread ricardo

I don't really have a test suite, I'm assuming ripmime works well.

Anybody have a suite of these kinds of messages to run through?

Ricardo

On Fri, 23 May 2003 21:43:04 +0200 Damjan wrote:

> > The only way I can get it to work well for mime and uuencoded
> messages is 
> > to run a program (like ripmime) on the message and then run clamscan on
> > the mime parts.
> 
> How well does ripmime handle strange/non-standard mime messages like
> those generated by viruses?
> 
> 
> 
> 
> -- 
> Damjan Georgievski
> jabberID: [EMAIL PROTECTED]
> 
> 


[clamav-users] Safebrowsing not working? (newbie alert)

2013-08-26 Thread Ricardo Stella

A really poor attempt at a phishing scam came thru our systems.   The
URL is blocked by Chrome and Firefox as phishing scams (there are no
plugins enabled for anti malware or anything).  Chrome shows the
'Reported Phishing Website Ahead!' for example.

However, running clamscan does not detect it when pointing to a copy of
the email.  I ran with debug and clearly see safebrowsing being loaded
(and it is also updated), but it doesn't seem to trigger a hit.

Any ideas?




[Clamav-users] Are there any open source virus scanners for windows desktop?

2004-01-13 Thread Ricardo Kleemann
Hi,

I use clamav on my linux server...

But of course I want to protect my windows desktop against
viruses and be able to scan my disks. Am I still stuck with
having to pay Norton or whoever else for a windows scanner?

Any open source alternatives?

Thanks
Ricardo




[Clamav-users] DOS ?

2004-02-10 Thread Ricardo Kleemann
Hi,

I saw a couple of messages posted on the list about a DOS
where clamav would die with a badly formatted uuencoded
message.

I'm sorry if I missed the rest of the thread, but I didn't
seem to find any responses to it.

I'm currently running 0.65 very successfully, I'm wondering
if there's a fix out there for the DOS, if there's a need
for me to upgrade. I don't want to upgrade unless I really
need to.

Thanks
Ricardo




[Clamav-users] how to determine failure?

2004-03-31 Thread Ricardo Kleemann
Hi,

I run clamdscan from within a script and wanted to know if
it is possible to detect any problem with clamd when running
clamdscan?

Last night clamd ran into a strange problem, I don't know
what it was, but basically it seemed to be stuck and all
instances of my script were basically "hung". 

Will clamdscan hang forever if for some reason it can't
communicate with clamd?

I didn't have a chance to investigate anymore but all I
noticed is that my kernel (linux) was complaining about
threads, and things only returned to normal after I stopped
and restarted clamd. Maybe clamd was leaking threads (I'm
running 0.65)?

I don't know... but in any case, clamd has been VERY stable
for me, my main concern is to be able to determine when
there's a problem. I was surprised that clamdscan didn't
time out, but rather seemed to be hung? 

Is it possible to ensure that clamdscan times out and
returns some sort of error?

Ricardo
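
One way to make a scripted clamdscan call fail in a detectable way, as an added example that is not from the thread or the ClamAV project. It assumes coreutils `timeout` is installed and relies on clamdscan's documented exit codes (0 clean, 1 virus found, 2 error); `SCANNER`, `SCAN_TIMEOUT`, `scan_verdict` and `filter_exit` are names chosen for the example.

```shell
#!/bin/sh
# Added example: bound a clamdscan call with a deadline and treat every
# outcome other than "clean" or "infected" as a scan failure.
# Assumptions: coreutils timeout(1) is installed; SCANNER and SCAN_TIMEOUT
# are variable names invented for this example.

SCANNER=${SCANNER:-clamdscan}       # client that talks to clamd
SCAN_TIMEOUT=${SCAN_TIMEOUT:-60}    # seconds to wait before giving up

# scan_verdict PATH
# Prints CLEAN, INFECTED, TIMEOUT or ERROR and returns 0, 1, 2 or 3.
scan_verdict() {
    rc=0
    # -k 5: if the client ignores SIGTERM at the deadline, SIGKILL it 5 s later.
    timeout -k 5 "$SCAN_TIMEOUT" "$SCANNER" "$1" >/dev/null 2>&1 || rc=$?
    case $rc in
        0)       echo CLEAN;    return 0 ;;
        1)       echo INFECTED; return 1 ;;
        124|137) echo TIMEOUT;  return 2 ;;  # deadline hit (after TERM / after KILL)
        *)       echo ERROR;    return 3 ;;  # clamdscan exit 2, or the client could not be run
    esac
}

# filter_exit PATH
# Maps the verdict to an exit status for a mail filter script. A scan that
# did not complete is never reported as clean: it returns EX_TEMPFAIL (75)
# so the MTA keeps the message queued and retries later.
filter_exit() {
    verdict=$(scan_verdict "$1") || true
    case $verdict in
        CLEAN)    return 0 ;;
        INFECTED) return 1 ;;
        *)        echo "scan failed ($verdict): $1" >&2
                  return 75 ;;
    esac
}
```

The deadline only bounds the client; a clamd that stays wedged still needs its own monitoring and restart.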




Re: [Clamav-users] how to determine failure?

2004-03-31 Thread Ricardo Kleemann

> > and restarted clamd. Maybe clamd was leaking threads
> > (I'm running 0.65)?
> 
> 0.65 ? Good luck..
> 

Why do you say that? I've been using 0.65 with moderate
traffic for quite some time, last night was the first time I
had problems... I wasn't aware it's considered a bad
release?

Which is the latest stable release? Is it 0.70-rc or 0.68 ?

Ricardo




[Clamav-users] File type problem

2004-04-20 Thread Ricardo Bernardes



Hi

i'm running ClamAV in a RedHat 8 box with Sendmail and MailScanner.

 - i'd like to know how to not scan certain file types for certain users
   eg: don't scan .zip files for user x

 - is it possible for ClamAV to know which .exe are bad and which are good
   eg: flash presentations are good and are .exe

thank you

ricardo


[Clamav-users] .ZIP file scanning

2004-04-21 Thread Ricardo Bernardes
hi

is it possible to stop ClamAV from scanning .zip files?

(RedHat 8; Sendmail; Mailscanner)
thank you





[Clamav-users] installation update require - trouble !

2004-04-26 Thread Ricardo Bernardes


Hi

i got the same message and decided to update
after that i ran freshclam to check the result, but get:

ClamAV update process started at Mon Apr 26 12:32:20 2004
Reading CVD header (main.cvd): OK
main.cvd is up to date (version: 22, sigs: 20229, f-level: 1, builder:
tkojm)
Reading CVD header (daily.cvd): OK
daily.cvd is up to date (version: 281, sigs: 989, f-level: 2, builder:
tkojm)
WARNING: Your ClamAV installation is OUTDATED - please update immediately !
WARNING: Current functionality level = 1, required = 2


after that i went to check if the package was ok with rpm -U
clamav-0.70-1.i386.rpm

and got

warning: clamav-0.70-1.i386.rpm: V3 DSA signature: NOKEY, key ID 6cdf2cc1
package clamav-0.70-1 is already installed


please help

tia
ricardo






Re: [Clamav-users] installation update require - trouble !

2004-04-26 Thread Ricardo Bernardes
yes
i get the same error after freshclam:

[EMAIL PROTECTED] sources]# freshclam
ClamAV update process started at Mon Apr 26 15:07:04 2004
Reading CVD header (main.cvd): OK
main.cvd is up to date (version: 22, sigs: 20229, f-level: 1, builder:
tkojm)
Reading CVD header (daily.cvd): OK
daily.cvd is up to date (version: 282, sigs: 1028, f-level: 2, builder:
ccordes)
WARNING: Your ClamAV installation is OUTDATED - please update immediately !
WARNING: Current functionality level = 1, required = 2

tia
ricardo

- Original Message -
From: "Dave Tiger" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, April 26, 2004 1:59 PM
Subject: RE: [Clamav-users] installation update require - trouble !


Did u restart clamd after install ?

Dave Carrera


EPH Group Ltd.
Professional UK Based Web Hosting
http://www.ephgroup.com
In the UK? Call FREE: 0800 031 9190
Unlimited WebSpace, Unlimited Email Accounts, FREE Telephone Support,
FREE co.uk domain name, FAST FRIENDLY SERVICE, UNIX & Windows accounts


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ricardo
Bernardes
Sent: 26 April 2004 12:44
To: [EMAIL PROTECTED]
Subject: [Clamav-users] installation update require - trouble !




Hi

i got the same message and decided to update
after that i ran freshclam to check the result, but get:

ClamAV update process started at Mon Apr 26 12:32:20 2004 Reading CVD header
(main.cvd): OK main.cvd is up to date (version: 22, sigs: 20229, f-level: 1,
builder:
tkojm)
Reading CVD header (daily.cvd): OK
daily.cvd is up to date (version: 281, sigs: 989, f-level: 2, builder:
tkojm)
WARNING: Your ClamAV installation is OUTDATED - please update immediately !
WARNING: Current functionality level = 1, required = 2


after that i went to check if the package was ok with rpm -U
clamav-0.70-1.i386.rpm

and got

warning: clamav-0.70-1.i386.rpm: V3 DSA signature: NOKEY, key ID 6cdf2cc1
package clamav-0.70-1 is already installed


please help

tia
ricardo






Re: [Clamav-users] installation update require - trouble !

2004-04-26 Thread Ricardo Bernardes
weird

this is the output of "freshclam --version"
freshclam / ClamAV version 0.70-rc

and from "clamd --version" i got
clamd / ClamAV version 0.70-rc


i've installed the new rpm and checked that the package is installed
(with linuxconf : package management)
but it looks like that the older version is still on.

what can i do?

thanks
ricardo




- Original Message - 
From: "Rob" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, April 26, 2004 4:33 PM
Subject: RE: [Clamav-users] installation update require - trouble !


> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf 
> Of Ricardo Bernardes
> 
> yes
> i get the same error after freshclam:
> 
> [EMAIL PROTECTED] sources]# freshclam
> ClamAV update process started at Mon Apr 26 15:07:04 2004
> Reading CVD header (main.cvd): OK
> main.cvd is up to date (version: 22, sigs: 20229, f-level: 1, builder:
> tkojm)
> Reading CVD header (daily.cvd): OK
> daily.cvd is up to date (version: 282, sigs: 1028, f-level: 
> 2, builder:
> ccordes)
> WARNING: Your ClamAV installation is OUTDATED - please update 
> immediately !
> WARNING: Current functionality level = 1, required = 2

What's the output of "freshclam --version"?


PLEASE - keep list traffic on the list.  Email sent directly to me may
be ignored utterly.

-- 
Rob | What part of "no" was it you didn't understand? 




RE: [Clamav-users] installation update require - trouble !

2004-04-26 Thread Ricardo Bernardes
ok
done
thanks a lot
i've solved the problem by deleting all files related to the old rpm,
uninstalling it and then, after
being certain that all files were gone, i've installed the new rpm.
my system kept the path to the old file so i had to copy the new ones
(executables) to these locations
so that commands such as "clamd --version" would work without having to write
the full path

here are the results for:

[EMAIL PROTECTED] sources]# clamd --version
clamd / ClamAV version 0.70
[EMAIL PROTECTED] sources]# freshclam --version
freshclam / ClamAV version 0.70

and

[EMAIL PROTECTED] sources]# freshclam
ClamAV update process started at Mon Apr 26 18:59:34 2004
Reading CVD header (main.cvd): OK
main.cvd is up to date (version: 22, sigs: 20229, f-level: 1, builder:
tkojm)
Reading CVD header (daily.cvd): OK
daily.cvd is up to date (version: 284, sigs: 1031, f-level: 2, builder:
ccordes)


thanks again
ricardo






Re:[Clamav-users] installation update require - trouble !

2004-04-27 Thread Ricardo Bernardes

good advice
done that
thanks
- Original Message -
From: "jjolet" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, April 26, 2004 8:10 PM
Subject: Re: [Clamav-users] installation update require - trouble !


just a word of advice for the future... i'd have put symlinks in the
old locations, not copied executables... that's a good way to end up
with multiple versions down the line.  if you make a symlink, then when
you upgrade in location a, location b now points to the correct
things...

On Monday, April 26, 2004, at 01:02 PM, Ricardo Bernardes wrote:

> ok
> done
> thanks a lot
> i´ve solved the problem by deleting all files related to the old rpm,
> uninstalling it and the, after
> being certain that all file were gone, i've installed the new rpm.
> my system kept the path to the old file so i had to copy the new ones
> (executables) to these location
> so that commands such as "clamd --version" would work without have to
> write
> the full path
>
> here are the results for:
>
> [EMAIL PROTECTED] sources]# clamd --version
> clamd / ClamAV version 0.70
> [EMAIL PROTECTED] sources]# freshclam --version
> freshclam / ClamAV version 0.70
>
> and
>
> [EMAIL PROTECTED] sources]# freshclam
> ClamAV update process started at Mon Apr 26 18:59:34 2004
> Reading CVD header (main.cvd): OK
> main.cvd is up to date (version: 22, sigs: 20229, f-level: 1, builder:
> tkojm)
> Reading CVD header (daily.cvd): OK
> daily.cvd is up to date (version: 284, sigs: 1031, f-level: 2, builder:
> ccordes)
>
>
> thanks again
> ricardo
>
>
>
>


Re: [Clamav-users] Your ClamAV installation is OUTDATED

2004-04-29 Thread Ricardo Bernardes
i've updated my installation and it required no downtime.
it's really a simple process, once you have all dependencies in place
i've used the RPM file

ricardo




>>What are the consequences of not upgrading?  I'd have to plan
>>downtime,







Re: [clamav-users] Mime mails

2003-05-24 Thread Ricardo Kleemann


Whatever that means, uudecoding is not working. I have messages where the
virus is inside a regular text message, in uuencoded content, and clamscan
does not catch it.

This message itself is not a mime message, but a simple example of
clamscan needing the help of a decoder. I know there are other instances
where clamscan will fail properly detecting a virus in mime parts.

I've attached the message with uuencoded text (zipped up).

Ricardo

 On Sat, 24 May 2003, Nigel Horne
wrote:

> uudecoding is handled by libclamav/message.c
>
> -Nigel
>
>


party.virus.gz
Description: Binary data
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: [clamav-users] clamd init script?

2003-06-20 Thread Ricardo Kleemann

Thank you!

- Original Message Follows -
> I got this from the clamav-users previously.
> 
> Ricardo Kleemann wrote:
> 
> >Hi,
> >
> >Does anyone have a linux rc init script for clamd?
> >
> >Thanks
> >Ricardo
> >
> 
> -- 
> Tim Kelly, Director of Development
> Building Engines, Inc.
> 
> Phone: 781-290-5300
> Cell: 508-561-0985
> 
> www.buildingengines.com
> 
> 275 Wyman Street
> Suite 11
> Waltham MA 02451
> [Attachment: clamd]

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




[clamav-users] clamd init script?

2003-06-20 Thread Ricardo Kleemann
Hi,

Does anyone have a linux rc init script for clamd?

Thanks
Ricardo







[Clamav-users] attaching a message file (rfc822) to a message goes by unnoticed

2003-08-21 Thread Ricardo Kleemann
Hi,

In testing clamd, I was able to get a virus through
unnoticed. This is basically due to the fact that clamav
doesn't process mime attachments very well and to make it
work properly, it relies on other programs extracting mime
attachments.

Here's my setup:

1. I have a message file which has the Sircam virus in it.

2. I run a wrapper which uses ripmime to extract any mime
parts into a directory, then I run clamdscan on that
directory. Normally this works fine, because ripmime
extracts the offending virus attachment as a separate file
and clamav then catches the virus.

3. I send myself a message which has the message file as an
attachment. Via pine, what happens is the message file gets
attached as a base64-encoded attachment.

4. My script, which uses ripmime, then runs and extracts the
attachment, which then happens to be just the rfc822 message
file. At this point, clamav does not catch the virus because
that attachment file is the message that has in it the virus
which is another attachment. The only way I can imagine this
working is if somehow there was a recursive extraction, to
the point that eventually the virus file itself got exposed.

So the problem is that typically it works fine just using
ripmime and running clamav on the resulting files.
Unfortunately this is a "recursive" case, and it does not
work.

Does anyone have a suggestion on how to solve this? My
script is getting called from maildrop; it extracts mime
parts into a directory and then runs clamdscan on that
directory. But for this specific scenario, it would only
work if somehow it ran ripmime recursively.

It really would be nice if clamdscan itself were able to
properly handle mime attachments; but I've never been able
to get it to work well with mime attachments. So I'm
dependent on using something like ripmime.

Maybe there's something similar to ripmime, which already
does some sort of recursive extraction?

Thanks for your help.

Ricardo




Re: [Clamav-users] attaching a message file (rfc822) to a message goes by unnoticed

2003-08-22 Thread Ricardo Kleemann

Hi Nigel,

I tried sending you a gzip attachment of the message file,
and it got bounced back with a virus being detected ;-)

So my question is, how do you process the messages? 

What can I be doing different that you can catch the virus,
but my clamdscan won't?

Thanks
Ricardo
- Original Message Follows -
> Some work has been done on this recently. Please send me
> the e-mail and I'll double check it.
> 
> -Nigel
> 
> -- 
> Nigel Horne. Arranger, Composer, Conductor, Typesetter.
> Owner of the brass band group of the Internet.
> ICQ#20252325 [EMAIL PROTECTED]
> http://www.bandsman.co.uk/music.htm




Re: [Clamav-users] attaching a message file (rfc822) to a message goes by unnoticed

2003-08-24 Thread Ricardo Kleemann
Hi Nigel,

I'm running clamd / ClamAV version 20030720

The august snapshot of clamav was hanging on me so I went
down to the July version.

Anyway, I'm going to try and send you a gzip file of a
message which has an embedded virus in it, and see if your
clamd catches that. I know my clamd does not, and when there
are compressed files, something like a ripmime or any other
mime extractor typically will not extract any mime parts
from a compressed file. Which means if those are not caught
by the virus scanner, they can easily go through unnoticed.

I'll send you another email containing the gzip file.

Ricardo

- Original Message Follows -
> On Friday 22 Aug 2003 4:10 pm, Ricardo Kleemann wrote:
> 
> > I tried sending you a gzip attachment of the message
> > file, and it got bounced back with a virus being
> > detected ;-)
> 
> Maybe I am just using a later version. Fixes to the code
> are frequently added to trap new worms/viruses that
> propagate using new methods.
> 
> If my system is trapping it and yours isn't, that means at
> a fix is imminent since I have added code support,
> probably I've just changed some code and the change is
> yet to be published. You just need to be patient (sorry!)
> for the fix to be tested by me, then sent to Tomasz to
> test and incorporate in a snapshot and/or release.
> 
> -Nigel
> 
> -- 
> Nigel Horne. Arranger, Composer, Conductor, Typesetter.
> Owner of the brass band group of the Internet.
> ICQ#20252325 [EMAIL PROTECTED]
> http://www.bandsman.co.uk/music.htm




[Clamav-users] Help with gzip attachments

2003-08-24 Thread Ricardo Kleemann
Hi everyone,

I have my system setup such that it uses ripmime to extract
attachments from messages, then I run clamdscan on the
directory that contains the extracted attachments.

That works quite well in most cases.

However, I cannot get clamd to detect a virus which is
contained in a gzip file. So basically I have a file which
is a email message, that has a virus attachment, and the
file is gzip'ed. That gzip file itself is then attached to
another message. 

So when the message arrives, ripmime extracts the
attachments, including the gzip file, then clamdscan is run
on that. However, clamd does not detect the virus inside the
gzip file, so basically it passes through.

How can this problem be solved? Is there an address I can
send this file so clamd can be debugged or fixed to solve
the problem?

Thanks
Ricardo
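
The recursive extraction that this message and the earlier rfc822-attachment message both ask for, as an added example (not code from ClamAV, ripmime or the posters): every decoded attachment is re-parsed, unpacking gzip and nested messages until only leaf payloads remain, which is what the directory handed to clamdscan would then contain. The function names, the depth and size limits, the file names and the constructed sample message are assumptions; the marker bytes stand in for the infected attachment.

```python
import email
import gzip
import zlib
from email import policy
from email.message import EmailMessage

MAX_DEPTH = 8                    # nesting limit against pathological recursion
MAX_GUNZIP = 16 * 1024 * 1024    # cap on decompressed bytes (decompression bombs)
MARKER = b"CONSTRUCTED-HARMLESS-TEST-PAYLOAD"   # stands in for the infected file
_HEADERS = {"from", "to", "subject", "date", "received",
            "mime-version", "content-type", "message-id"}


def looks_like_message(data):
    """Heuristic: at least two well-known RFC 822 headers at the top."""
    head = email.message_from_bytes(data[:4096])
    return len({k.lower() for k in head.keys()} & _HEADERS) >= 2


def bounded_gunzip(data, limit=MAX_GUNZIP):
    """Decompress gzip data, refusing to produce more than `limit` bytes."""
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)     # 16+ selects gzip framing
    out = d.decompress(data, limit + 1)
    if len(out) > limit:
        raise ValueError("decompressed size over limit")
    return out


def expose(data, name="message", depth=0):
    """Return [(path, bytes)] for every innermost payload a scanner should see."""
    if depth > MAX_DEPTH:
        return [(name + " [depth limit]", data)]    # hand over as-is, flagged
    if data[:2] == b"\x1f\x8b":                     # gzip magic number
        try:
            inner = bounded_gunzip(data)
        except (zlib.error, ValueError):
            return [(name + " [gzip not unpacked]", data)]
        return expose(inner, name + "/gunzip", depth + 1)
    if not looks_like_message(data):
        return [(name, data)]                       # a real leaf
    leaves = []
    msg = email.message_from_bytes(data, policy=policy.default)
    for i, part in enumerate(msg.walk()):
        if part.is_multipart():                     # containers, incl. message/rfc822
            continue
        payload = part.get_payload(decode=True) or b""
        label = "%s/%s" % (name, part.get_filename() or "part%d" % i)
        # Re-examine the decoded bytes: they may be a message or an archive
        # regardless of the Content-Type the sender declared.
        leaves.extend(expose(payload, label, depth + 1))
    return leaves


def single_pass(raw):
    """One MIME decode with no re-parsing of the decoded attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [(p.get_filename() or "body", p.get_payload(decode=True) or b"")
            for p in msg.walk() if not p.is_multipart()]


def build_sample():
    """Constructed test mail: a message attached once as a base64 blob and once gzipped."""
    inner = EmailMessage()
    inner["From"] = "a@example.invalid"
    inner["To"] = "b@example.invalid"
    inner["Subject"] = "inner message"
    inner.set_content("see attachment")
    inner.add_attachment(MARKER, maintype="application",
                         subtype="octet-stream", filename="payload.bin")
    outer = EmailMessage()
    outer["From"] = "b@example.invalid"
    outer["To"] = "c@example.invalid"
    outer["Subject"] = "outer message"
    outer.set_content("forwarded")
    outer.add_attachment(inner.as_bytes(), maintype="application",
                         subtype="octet-stream", filename="forwarded.eml")
    outer.add_attachment(gzip.compress(inner.as_bytes()), maintype="application",
                         subtype="gzip", filename="sample.gz")
    return outer.as_bytes()


if __name__ == "__main__":
    for path, data in expose(build_sample()):
        print(path, len(data), "MARKER" if data == MARKER else "")
```

Writing each returned leaf to its own file in the scan directory gives the scanner the innermost attachment directly, whatever its own MIME and archive support.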




Re: [Clamav-users] Help with gzip attachments

2003-08-25 Thread Ricardo Kleemann

Hello Tomasz,

I do have ScanArchive enabled, and neither clamscan nor
clamdscan catch the virus.

This is an email message file with a virus attachment, that
has been gzip'ed.

If you'd like for me to send it to you, let me know where to
send it.

Thanks
Ricardo

- Original Message Follows -
> On Sat, 23 Aug 2003 21:47:48 -0700
> "Ricardo Kleemann" <[EMAIL PROTECTED]> wrote:
> 
> > Hi everyone,
> > 
> > I have my system setup such that it uses ripmime to
> > extract attachments from messages, then I run clamdscan
> > on the directory that contains the extracted
> > attachments. 
> > That works quite well in most cases.
> > 
> > However, I cannot get clamd to detect a virus which is
> > contained in a gzip file. So basically I have a file
> which
> 
> Please make sure ScanArchive is enabled in clamav.conf.
> Please check the file with clamscan, too.
> 
> Best regards,
> Tomasz Kojm




Re: [Clamav-users] clamav-20030829

2003-08-30 Thread Ricardo Kleemann
Hi Everyone,

This snapshot is MUCH better! :-)

It does catch a virus in a maildir file as well as that same
maildir file gzip'ed.

However, I do have a version which passes straight through.
It should be the same file that I've sent to Nigel and
Thomas (which if I'm not mistaken passed undetected to them
as well)... that file is basically a maildir file that has 2
attachments: 

1. another maildir file which is a text/plain but its
contents are really an rfc822 message
2. The same file as #1, except gzip'ed, so the attachment is
a gzip archive.

Nigel/Thomas, were you able to test this snapshot with the
gzip file I sent you?

Thanks
Ricardo

- Original Message Follows -
> The snapshot doesn't contain the virus databases.
> 
> Fri Aug 29 16:32:59 CEST 2003
> -
>   * clamav-milter: 0.60d: Removed superfluous buffer and unneeded strerror
>     call (Nigel)
>   * libclamav: enabled support for Maildir files (thanks to Tomasz Papszun
>     for samples and to Nigel for making his code so flexible)
>   * libclamav: fixed memory leak (Nigel)
> 
> Wed Aug 27 23:25:52 CEST 2003
> -
>   * libclamav: message.c/h - allow any number of arguments to mime
>     commands (Nigel)
>   * libclamav: mbox - parseMimeHeader() potential memory problem fixed (Nigel)
>   * clamd, clamscan: removed duplicated rndnum() and switched to cl_rndnum()
>   * clamd: new directive FixStaleSocket by Thomas Lamy and Mark Mielke
> 
> Sat Aug 23 21:17:33 CEST 2003
> -
>   * freshclam: fixed --on-error-execute (don't run a command on "no update"
>     event). Fixed by David Woakes.
> 
> Wed Aug 20 02:30:37 CEST 2003
> -
>   * libclamav: mbox - support for "raw" messages (Nigel)
>   * sigtool: fixed a segmentation fault when a signature reaches end
>     of file (thanks to Tomasz Papszun for an example)
> 
> Tue Aug 19 02:33:48 CEST 2003
> -
>   * clamav-milter: 0.60b - support for CC bounces to an e-mail address other
>     than. Now compiles out of the box on FreeBSD 4.x (Nigel)
>   * Various fixes for Tru64 support (5.1a tested) by Hrvoje Habjanic
> 
> Wed Aug 13 16:07:39 CEST 2003
> -
>   * clamav-milter: 0.60a - tidied up message when sender is unknown (Nigel)
>   * libclamav: mbox updates: fixed an assertion error with some mail
>     files (Nigel)
> 
> 
> Best regards,
> Tomasz Kojm




RE: [Clamav-users] Help with gzip attachments

2003-09-15 Thread Ricardo Kleemann

Hi,

- Original Message Follows -
> > Again, sorry for the top-posting. The indication I'm
> > getting from Nigel is that clamav's support for email
> > messages is limited and seems to only be valid for
> mbox-formatted messages, is that a correct description?
> 
> This is true for the moment, but work is being undertaken
> to add support to scan any file and pretend it's a mail
> file.

Does anyone know if this issue has been resolved in any
recent snapshot?

Basically this is the problem with a message which has a .gz
attachment, which is, itself, another message/rfc822 with a
virus attachment.

This is a test file I've sent out to a couple of you that
passes undetected... I'm just trying to see if this issue
has been resolved?

Thanks
Ricardo





Re: [Clamav-users] Help with gzip attachments

2003-09-16 Thread Ricardo Kleemann

Hi Nigel,

> > This is a test file I've sent out to a couple of you
> > that passes undetected... I'm just trying to see if this
> > issue has been resolved?
> 
> Please send me a copy of the test file and I'll double
> check. If this is a file you've already sent me, give me
> an indication which one it is please, and I'll retest.
> 

Yes, I've sent the file, probably twice. :-)  It is called
"virusfile.2.gz", I believe, please let me know if you'd
like me to send it again.

Ricardo




[Clamav-users] detecting Swen vs. Worm.Gibe

2003-10-10 Thread Ricardo Kleemann
Hi all,

I just noticed something strange... I have a virus file that
McAfee VirusScan reports as Swen, and clamd reports as
Worm.Gibe.F

Do those have similar signatures? I wonder why that would
be.

Ricardo




[Clamav-users] broken executable

2004-10-25 Thread Ricardo Campos Passanezi
Hello all.

I've been using clamav with amavisd-new with success.

The only problem so far is when a file gives me "Possibly
broken PE file" when I run 'clamscan --verbose --debug file' but the
file is not marked as "Broken.Executable" as I thought it would be.

In my clamd.conf I have: 
ScanPE
DetectBrokenExecutables

Its version: ClamAV 0.80/549/Sun Oct 24 21:37:38 2004

It was installed via ports in a freebsd box.

Is there anything I'm missing?

-- 
Ricardo Campos Passanezi


[Clamav-users] 100% CPU clamav samba-vscan thunderbird

2006-02-02 Thread Paulo Ricardo Bruck
Hi guys

environment:

Debian Sarge 3.1
samba3.0.14a-3sarge
clamav-daemon  0.88-0volatile
vscan-samba 3.0.6b

When I test w/ eicar w/samba or w/ clamscan it works like a charm, but
when I tried to look at thunderbird mail at [ home] in samba, CPU
increases to 100%.
This problem only occurs when any user tries to read/receive an email.

Any clues about it? Am I asking at the right list?

openantivir list is out..

thanks in advance

-- 
Paulo Ricardo Bruck - consultor





Re :Re: [Clamav-users] 100% CPU clamav samba-vscan thunderbird

2006-02-02 Thread Paulo Ricardo Bruck
On Thu, 2006-02-02 at 12:00 -0500, [EMAIL PROTECTED]
wrote:

> --
> 
> Message: 14
> Date: Thu, 02 Feb 2006 11:37:00 -0500
> From: James Kosin <[EMAIL PROTECTED]>
> Subject: Re: [Clamav-users] 100% CPU  clamav samba-vscan thunderbird
> To: ClamAV users ML 
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=ISO-8859-1
> 
> Paulo Ricardo Bruck wrote:
> > Hi guys
> > 
> > environment:
> > 
> > Debian Sarge 3.1
> > samba3.0.14a-3sarge
> > clamav-daemon  0.88-0volatile
> > vscan-samba 3.0.6b
> > 
> > When I test w/ eicar w/samba or w/ clamscan it works like a charm, but
> > when I tried to look at thunderbird mail at [ home] in samba, CPU
> > increases to 100%.
> > This problem only occurs when any user tries to read/receive an email.
> > 
> > Any clues about it? Am I asking at the right list?
> > 
> > openantivir list is out..
> > 
> > thanks in advance
> 
> Hi,
> 
> This is probably because of your settings for vscan-samba.
> Here are my settings, although you may have to tweak things to get
> performance up.
> 
> You could also try setting one of the 'scan on open' / 'close' flags to
> no to see if that suits your needs.
> 
> - --- in samba-vscan.conf ---
> 
> max file size = 8388608 ; 8M
> 
> - 
> 
> You could also try the 0.40 snapshot for samba-vscan-clamav.  I have a
> copy in my RPM.
> http://support.intcomgrp.com/mirror/fedora-core/beta/src/samba-vscan-clamav-0.4.0-2.fc1.src.rpm
> 
> You probably are using IMAP or a huge inbox, try the max file size limit
> first.
> 
No, only using POP for users, and all mailboxes are under 10Mb.


> Let me know,
> James Kosin
> 


Hi James 


Following your tips, I still have the same problem. Users trying to see
mail with Thunderbird take 100% of CPU.

If it helps, here is my vscan.conf
--
[samba-vscan]
  
  max file size = 10485760
  verbose file logging = yes
  scan on open = no
  scan on close = yes
  deny access on error = yes
  deny access on minor error = no
  send warning message = yes
  infected file action = quarantine
  quarantine directory  = /var/log/virus-quarantine
  quarantine prefix = vir-
  max lru files entries = 100
  lru file entry lifetime = 5
  exclude file types =
  clamd socket name = /var/run/clamav/clamd.ctl
  libclamav max files in archive = 1000
  libclamav max archived file size = 10485760
  libclamav max recursion level = 5
--



-- 
Paulo Ricardo Bruck - consultor





Re: Re: Re :Re: [Clamav-users] 100% CPU clamav samba-vscan thunderbird

2006-02-03 Thread Paulo Ricardo Bruck
Hi guys, Hi James

<<-- Snip -->>
>
> Ok, Lets start again.
>
> (1)  Is the mail being stored on a samba share?  Eg: Thunderbird 
> getting  mail and putting it in mail-boxes that are on the server 
> share.

yes, exactly

Internet-> desktop + Norton Anti-virus ---> samba share ( Linux +
Clamav + Vscan-daemon)

> 
> (2)  Do you get any improvement if you temporarily turn off the
> samba-vscan?  Just trying to see if this is with samba-vscan or the
> Thunderbird client itself.

no improvement...8(

a) with 
max file size = 0 
scan on open = yes
scan on close = yes
exclude file types =

Thunderbird# clamdscan
Thunderbird: OK

--- SCAN SUMMARY ---
Infected files: 0
Time: 116.681 sec (1 m 56 s)

b) with 
max file size = 10485760
scan on open = no
scan on close = yes
exclude file types = text/x-mail

Thunderbird# 
Thunderbird: OK

--- SCAN SUMMARY ---
Infected files: 0
Time: 116.737 sec (1 m 56 s)

All tests above took 100% of CPU .

Thunderbird# du -hs
117M 

Is this normal???

> 
> (3)  Try lowering the max file size option.  samba-vscan does have a
> performance hit associated with it.

see above ...

> 
> (4)  Try excluding the mail-box files from being scanned.  Thunderbird
> like almost all email clients, won't like the mail-box files
> disappearing on them.  Had this problem many times especially with
> outlook.

Inserting  exclude file types = text/x-mail  in vscan-samba.conf makes
clamav run like a charm.


Is this the real option??? I'm not confident about it..


>  You don't need to scan twice; especially if you already have
> clamav-milter installed and running.

Yes, just having Norton on the desktop and ClamAV on Samba gave us peace of
mind, which I'm trying to have again...8))

BTW, sometimes clamav captures a virus that Norton lets pass
through. 8)



Thanks in advance
> 
> Let me know,
> James Kosin

-- 
Paulo Ricardo Bruck - consultor


