Oh, and I now realize that this is outside of freshclam's control, being
a sanesecurity signature. I removed the mbl.db and disabled that
cronjob until we sort this out...
On 02/22/2012 12:51 PM, John Madden wrote:
I wasn't able to receive my own post...
freshclam didn't
| sigtool --decode-sigs
That seems illogical. I did this instead:
sigtool --find-sigs MBL_207346 | sigtool --decode-sigs
VIRUS NAME: MBL_207346
DECODED SIGNATURE:
www.
If "www." is truly the signature, well, I think we've found the problem.
On 02/22/2012 10:49 AM, John Madden w
Any ideas here? Anyone else seeing this?
~$ sigtool --list-sigs | grep MBL_207346
MBL_207346
John
--
John Madden / Systems Engineer III
Office of Technology / Ivy Tech Community College of Indiana
Free Software is a matter of liberty, not price. To understand
the concept,
So I assume we're not the only ones getting creamed by this
IKEA/Hallmark/NetSky rebirth, right? No signatures yet, not sure if
there should be...
--
John Madden
Sr. UNIX Systems Engineer
Ivy Tech Community College of Indiana
jmad...@ivytec
rt before and never set it (and indeed,
my other working install doesn't have this set) and I've never seen an
error from freshclam without it set. At any rate, setting this on the
two broken installs fixed the problem.
John
--
John Madden
Sr. UNIX Systems Engineer
Ivy Tech Commun
ns here? Being like 6 days behind on virus definitions is
an uncomfortable feeling. Since the manual wget works, can I build the
database manually somehow until this is otherwise resolved?
John
--
John Madden
Sr. UNIX Systems Engineer
Ivy Tech Community College of Indi
again later)." Is there actually a problem with the mirrors?
John
--
John Madden
Sr. UNIX Systems Engineer
Ivy Tech Community College of Indiana
[EMAIL PROTECTED]
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clama
capitalism, in my opinion.
John
--
John Madden
UNIX Systems Engineer
Ivy Tech Community College of Indiana
[EMAIL PROTECTED]
___
http://lurker.clamav.net/list/clamav-users.html
the higher-cost sysadmins who implement
free/Free
solutions that do. :)
John
--
John Madden
UNIX Systems Engineer
Ivy Tech Community College of Indiana
[EMAIL PROTECTED]
that regard, and
> wholly unsecure.
Right. Which means *your* security policy still must include desktop security
by way of firewalls/virus scanning/proxies/policies/etc. An insecure public
web mail system is irrelevant.
John
--
John Madden
UNIX Systems Engineer
Ivy Tech State Coll
>> Exactly. Whatever numpty would have a web based application sending mail
>> directly, bypassing your smtp,
>
> Yahoo, gmail, etc
(No, their web mail applications work as they're supposed to, sending mail to
their pool of MTA's.)
--
John Madden
UNIX Sys
> Have you considered John Hardin's e-mail Sanitizer?
>
>http://www.impsec.org/email-tools/procmail-security.html
I like the concept, but procmail-based setups don't scale well enough,
IMO, for the sort of mail setup (100k [virtual] accounts) I'm concerned
with.
J
> To handle the zip file situation, get qmail and patch it with Russell
> Nelson's ingenious qmail-smtp-viruscan patch. You will have no more zip
> file 'situation.' See http://www.qmail.org.
(I'm running postfix; I won't run qmail. Thanks for the suggestion t
> Timezone = CET (GMT+1)
>
> ClamAV update process started at Wed Feb 16 23:16:21 2005 main.cvd is up
> to date
Yeah, 6-hour difference, that's consistent with my findings.
John
--
John Madden
UNIX Systems Engineer
Ivy Tech State College
> Just stop mail with certain attachments (.bat/.com/.scr/.cpl/.ectect) at
> the door.
Well of course, and we currently block RAR's because of the license
issues, but that doesn't help the zip file situation. ...Perhaps amavisd
can.
John
--
John Madden
UNIX Systems Enginee
nally see the mailing list update post mentioning this variant:
http://lurker.clamav.net/message/20050217.010300.babe0dce.en.html
John
--
John Madden
UNIX Systems Engineer
Ivy Tech State College
[EMAIL PROTECTED]
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
> Found 0 submissions - Total results (0 pages)
>
> (on both your name and "ivytech")
Uh. 'Guess I can't explain that, unless submissions for already-submitted
virii don't count.
John
--
John Madden
UNIX Systems Engineer
Ivy T
neener-neener 8-year-old voice
tones. :) ) I apologize if I sounded ungrateful, for ClamAV is certainly
a superb product.
John
--
John Madden
UNIX Systems Engineer
Ivy Tech State College
[EMAIL PROTECTED]
r
quota (and thus lose subsequent email), that's a problem that makes
managers want to buy AV licenses.
John
--
John Madden
UNIX Systems Engineer
Ivy Tech State College
[EMAIL PROTECTED]
> Have you submitted any sample for the last two years?
Yes, when appropriate, which I believe has been thrice. (We haven't been
on Clam for that long, though.)
John
--
John Madden
UNIX Systems Engineer
Ivy Tech State College
[EMAIL P
> You haven't submitted anything on our site.
I would've today, had I not been off-site at a conference. Trouble is, by
the time I receive a copy, it's too late. I suppose it's a perception
problem with our users more than anything.
> Actually you're an ego
e's "update" of the
2/16/05 MyDoom variant.
> How often do you run freshclam ?
Every 20 mins.
John
--
John Madden
UNIX Systems Engineer
Ivy Tech State College
[EMAIL PROTECTED]
ng done to get signatures out more quickly, if anything? Or
can anything be done?
Thanks,
John
--
John Madden
UNIX Systems Engineer
Ivy Tech State College
[EMAIL PROTECTED]
> Where is the reference to CrossOver Office???
They must show a different selection of three projects for each
submission? At any rate, despite running nearly 100% OSS in everything I
do, I didn't use any of the three they provided me to choose from.
John
--
John Madden
UNIX
vey questions were built.
I got through a few and stopped answering, figuring my contribution
wouldn't be very... useful...
John
--
John Madden
UNIX Systems Engineer
Ivy Tech State College
[EMAIL PROTECTED]
.AP successfully. I
can't afford to upgrade a production mail server to a -rc...
John
--
John Madden
UNIX Systems Engineer
Ivy Tech State College
[EMAIL PROTECTED]
hint (header?)
through amavisd as to the intended point of delivery (if local) so that
spamassassin, then spawned via amavisd, knows which bayes database to use.
John
--
John Madden
UNIX Systems Engineer
Ivy Tech State College
[EMAIL PROTECTED]
ere seeing a bunch, however, new signatures are catching it.
John
--
John Madden
UNIX Systems Engineer
Ivy Tech State College
[EMAIL PROTECTED]
---
SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media
100pk Sonic DVD-R
able
> release out? It would really help.
I'd like to second that. Those of us depending on clamav to catch stuff
can't afford to upgrade in the middle of the day for new signatures to
work. And why don't these new signatures work? Has that interface not
yet stabilized?
T
I'm getting reports of another bitmap-password zip virus, perhaps
Bagle.AA? Anyone else? I'll submit a sample as soon as I see one...
John
--
John Madden
UNIX Systems Engineer
Ivy Tech State College
[EMAIL PROTECTED]
> Update to ClamAV version 0.70
What are the consequences of not upgrading? I'd have to plan downtime,
etc...
John
--
John Madden
UNIX Systems Engineer
Ivy Tech State College
[EMAIL PROTECTED]
hash{$x} \n";}'
(Note that this is taken from syslog while using amavisd, not clamd's log.)
--
John Madden
UNIX Systems Engineer
Ivy Tech State College
[EMAIL PROTECTED]
gh
other means (i.e., PGP). Perhaps there could be a clamav.conf option to
just discard protected zips?
John
--
John Madden
UNIX Systems Engineer
Ivy Tech State College
[EMAIL PROTECTED]
irus, AFAIK. We've
blocked 20 in the past 10 or so minutes.
Bottom line, what's clamav's current take on this one? Is there some way
we can just drop all protected archives outright?
Thanks,
John
--
John Madden
U