For the last 2-3 days our mail server has been getting hit by several racist e-mails,
all written in German. First, I thought it is a spam case, but after reading
some of those offending e-mails, I understood that they were coming from the
Sober author (he left some personal comments at the end).
But becaus
Will ClamAV be able to detect this kind of virus?
http://securityresponse.symantec.com/avcenter/venc/data/w64.rugrat.3344.html
Regards,
Phil.
Hello Tomasz.
> What does 'most known' mean ?
Just the famous ones, or as they call it on wildlist.org, the ones which were
submitted more than once...
> At least Symantec has full access to all WildList.org virus
> samples because that "independent" organization was founded,
> among others, by
Hello.
GMX released a paper in which they compared the four biggest e-mail
providers in Germany and how successfully the most known viruses are caught by
the e-mail software.
They were testing the following providers and virus software:
www.1und1.de (Symantec)
www.gmx.de (Sophos Anti-Virus)
www.
Hello Tomasz.
> ClamAV databases updated (04-mar-2004 13:11 GMT): daily.cvd,
> viruses.db2
> version: 165
>
> Submission: n/a
> Sender: Diego d'Ambra
> Virus name: Worm.Bagle.Gen-zippwd
> Notes: Generic signature to detect password-protected Bagle zip files
> Notes: Signature by Trog
> Added: Y
Hello Trog.
> The libpthread thread manager seg faulted. I've never seen that happen
> before. I guess that would be either a bug in libpthread or some very
> bad memory corruption somewhere.
Well, this happened about 2-3 times (before, I was not able to use gdb). But
I am using the current CV
Hello Thomas.
> There was a small bug in main.cvd that affected the latest snapshots.
> I just uploaded a fixed version so please run freshclam.
Thanks for fixing this bug, now the latest CVS is working again. Keep up the
excellent work :) ...
Regards,
Phil.
OK, now I got something for you... but could be that the problem is already
solved in the latest CVS version... just that the latest CVS is not working
for me (see my earlier post about readdb()).
> 3. Wait for a seg fault. Then issue the backtrace command.
That happened right now.
> 4. If may a
Hello Thomas.
> The error message is misleading. Most of the time this is due
> to memory allocation problems (I changed the code but since I
> didn't test it thoroughly it's still not checked in to CVS).
Well, but isn't it strange then, that it is still working with the earlier
version? So I
I am using clamav-devel-20040228 and since then I can't start clamd anymore.
I always get the following error:
LibClamAV Error: readdb(): Malformed pattern line 5526 (file
/tmp/910f9072257e1c88/viruses.db).
I already tried to remove all .cvd files and reload the new ones using
freshclam. But it s
Hello Trog.
> In order to track this problem down, we would need you to do the
> following:
>
> 1. Run clamd in debug mode:
> /usr/local/sbin/clamd --debug
>
> 2. Attach gdb to the running clamd process
> gdb /usr/local/sbin/clamd
> then in gdb, issue the command
> continu
OK, this is the last time I will post about the occurrence of this problem:
Thu Feb 26 23:57:01 2004 -> stream: Worm.SomeFool FOUND
Thu Feb 26 23:57:12 2004 -> Segmentation fault :-( Bye..
Fri Feb 27 00:23:42 2004 -> SelfCheck: Database status OK.
Fri Feb 27 00:37:08 2004 -> ERROR: accept() failed
Hello Jim.
> That is an _incredibly_ high spam score. I've never seen over 30.
If you have a blacklist set up, you will always get a score of 100 plus the
usual scores :) ...
> On a more 'relative to the topic' note, logging like that of spamd
> would be quite nice. :)
Yes, that's what I woul
Hello Trog.
> It's likely that a file it is scanning is causing the
> failure. Would it be possible to isolate which file(s) it is
> scanning at the time?
It doesn't seem to be the e-mail it was scanning, or I can't exactly say
which e-mail it was (unfortunately clamd doesn't show much in the l
Shortly after starting clamd again, it crashed once again with the same
problem: segmentation fault!
Thu Feb 26 09:46:17 2004 -> stream: Trojan.Spybot.gen-1 FOUND
Thu Feb 26 09:46:28 2004 -> Segmentation fault :-( Bye..
Thu Feb 26 10:22:09 2004 -> ERROR: accept() failed
This time I tried to use g
> Which version exactly? On which OS/Distribution? Did you
> compile from source or installed a binary (from where did you get it)?
clamav-devel-20040224
Linux version 2.4.21-166-smp4G ([EMAIL PROTECTED]) (gcc version 3.3.1 (SuSE
Linux)) #1 SMP Fri Dec 19 15:43:30 UTC 2003
I was compiling from t
Unfortunately, clamd crashed this morning at 05:00 (almost exactly at
05:00). I only realized it by accident. This is what the log is showing:
Thu Feb 26 04:58:10 2004 -> stream: Worm.MyDoom.E.UPX FOUND
Thu Feb 26 05:01:21 2004 -> Segmentation fault :-( Bye..
Thu Feb 26 05:11:18 2004 -> SelfCheck
> If you have can put an accurate time on when clamd stopped
> responding, would it correspond to their being a virus DB update?
I don't think so.
> I assume that you do automatic updates and this is signalled
> to clamd (probably via freshclam --daemon-notify).
That's true, I am doing automat
> So, how is clamd behaving with the patch and ThreadTimout=0?
>
> Is it any better?
It is actually better, but unfortunately, there still seems to be a problem
somewhere. Here is what gdb shows me:
GNU gdb 5.3.92
Copyright 2003 Free Software Foundation, Inc.
GDB is free software, covered by the
> So, how is clamd behaving with the patch and ThreadTimout=0?
>
> Is it any better?
Yes, indeed. It hasn't crashed for a day now. I will continue to observe.
Regards,
Phil.
> LinuxThreads are based on processes - the three processes
> are: the main thread of clamd, threadwatcher (from clamd) and
> thread-manager (always spawned by LinuxThreads).
So it is correct to only use gdb with the first process (main thread of
clamd)? Or is it necessary to also include backtr
> Do:
>
> cd /clamav-0.65/clamd
> patch -p0 < /path/to/clamd.timeout.patch
>
> and in clamav.conf set this:
>
> ThreadTimeout 0
Thank you for the patch, I will apply it and re-compile clamd.
I also saw in the log file that whenever clamd crashes, the last line
logged is something like this:
Trog,
I finally managed to get the backtrace you requested... clamd now fails
almost every 6 hours. Here is what I got:
(gdb) bt
#0 0x40093b94 in __pthread_sigsuspend () from /lib/i686/libpthread.so.0
#1 0x400939d8 in __pthread_wait_for_restart_signal () from /lib/i686/libpthread.so.0
#2
> clamd will be linked against libpthread, the command 'ldd
> /usr/local/sbin/clamd' should show this.
The command shows the following output:
libclamav.so.1 => /usr/local/lib/libclamav.so.1 (0x4001a000)
libz.so.1 => /lib/libz.so.1 (0x4003c000)
libbz2.so.1 => /usr/lib/libbz
OK, clamd already crashed once again, and now I was trying to follow your
guide...
> (I'm going to assume your clamd is multithreaded. If not
> just do steps 1-3 followed by the command 'bt').
I think so, how can I tell?
> This may, or may not, provide some useful information.
>
> 1. Use 'ps
> What version are you running?
ClamAV 0.65
> A number of people have reported this issue and it has
> resulted in scripts being written that check the status of
> clamd periodically and restart it.
I heard about that, but I was asking about doing this remotely, since spamd
itself is actually
I would like to know how I can remotely restart the clamd server... or
actually kill all the processes.
It happens that clamd sometimes is not working correctly anymore, but I can
still remotely access it and send commands. I am using clamd (running on
Linux) to scan the mail server (running on Wi
> That depends on how broken it is.
I guess that's the problem with this virus. It is so badly written.
> Beyond a certain amount of loss of the complete virus, there
> isn't enough left to know what it was supposed to be, and besides, if what
> you've got isn't the complete Mimail virus, it s
I found out that ClamAV does not always recognize the Mimail virus,
instead it is reported as "Seriously Broken Zip", which may be correct,
but doesn't really identify the virus itself...
How can this be avoided? I would like to get the virus name instead of
the information about a broken ZIP.
Regar
Would it at least be possible to have a reference or alias to other online
resources (e.g. McAfee's Virus Information Library)?
For example, if I am searching for the virus "Worm.Gibe.F" on the McAfee
Virus Information Library there are no matches found. It would be nice if I
could use the alias t
I am wondering if there exist any descriptions of the viruses found by
ClamAV, similar to those of McAfee/Symantec/...
Many of my customers would like to find out more about the virus they got
and how they could protect themselves, and that's why I want to give them a
link to the virus in the report (whi