* Fajar A. Nugraha <[EMAIL PROTECTED]> [20040315 06:20]: wrote:
> Michael Torrie wrote:
>
> >In another escalation of the arms war, the latest variant of
> >password-encrypted archive virus now distributes itself in an encrypted
> >rar file, and the password is an at
On Sat, 13 Mar 2004 13:48:58 -0700, Michael Torrie <[EMAIL PROTECTED]> wrote:
> password-encrypted archive virus now distributes itself in an encrypted
> rar file, and the password is an attached bitmap to eliminate the
>
How does it create this rar archive? Does this virus use rar
installed
I am trying to run clamscan from a cron job. I have written a bash
script for that, which I attached below. I am sorry it is in German
language and not in Polish.
The batch works fine when I start it from the command line. freshclam
returns 52, because it can't handle the Microsoft NTLM proxy an
Hi,
seems that the clamav Port (0.67-1) has problems with RAR Files (e.g. Bagle.N):
[EMAIL PROTECTED]:/root# /usr/local/bin/clamscan ./first_part.rar
./first_part.rar: RAR module failure.
./first_part.rar: OK
--- SCAN SUMMARY ---
Known viruses: 20477
Scanned directories: 0
Scanne
I'm compiling the latest clam-devel on 3 new boxes right now. I was
planning on using the same configure options from my other RH9 server
that's running clam-devel-20040211. After looking at those configure
options I used with that release I'm left with questions about the
necessity of a
Sorry, thought it was in the e-mail.
RH 9 Linux system running clamv v0.67
[EMAIL PROTECTED] root]# ls -l /dev/urandom
crwxr-xr-x1 root root 1, 9 Mar 9 17:22 /dev/urandom
wget http://heanet.dl.sourceforge.net/sourceforge/clamav/clamav-0.67.tar.gz
-Original Message-
Fr
clamdscan / ClamAV version devel-20040312
FreeBSD 4.9
I'm still seeing clamdscan processes "hang" every now and then. They
eventually exit but only after a VERY long time. 5+ minutes usually. (maybe
on the thread timeout value). I've checked our logs and it almost always
happens when the databas
On Mar 14, 2004, at 10:56 PM, simon dcunha wrote:
Hi,
I have recently installed clamscan and it is working fine, but I do have a
couple of queries and appreciate your help.
1) I need to check when my linux mail server which uses sendmail
receives
any infected mail can i check it with clamav so that it w
On Mon, 2004-03-15 at 14:49, Robert Blayzor wrote:
> Mar 15 07:23:11 mx1-a clamd[5474]: Reading databases from
> /usr/local/share/clamav
> Mar 15 07:30:23 mx1-a clamd[5474]: Database correctly reloaded (20478
> viruses)
It actually took 7 mins to reload the sig database - that is very
strange.
I'm suddenly seeing this:
clamscan Notepad.exe
Notepad.exe: W32.Ladmar.A FOUND
when run against C:\WINDOWS\Notepad.exe on several Win98 workstations.
I don't see any recent updates that involve this virus, but I'm dubious
about whether multiple workstations really are infected with this. A
rec
Helmut Schneider wrote:
> seems that the clamav Port (0.67-1) has problems with RAR Files (e.g.
> Bagle.N):
To avoid misunderstandings, I know the file is pwd, but clamav does not recognize the
virus within the archive (maybe a DB problem)...
Please do not feed my mailbox, Swen already got th
On Mon, Mar 15, 2004 at 10:01:00AM -0600, Keith Murphy wrote :
> I'm suddenly seeing this:
>
> clamscan Notepad.exe
> Notepad.exe: W32.Ladmar.A FOUND
>
> when run against C:\WINDOWS\Notepad.exe on several Win98 workstations.
> I don't see any recent updates that involve this virus, but I'm dubio
On 3/15/04 10:35 AM, "Trog" <[EMAIL PROTECTED]> wrote:
> It actually took 7 mins to reload the sig database - that is very
> strange.
>
> All threads are stopped *before* the "Reading databases ..." message.
> All that happens after that is to reset the database statistics
> structure and reload
We just recently got
a message sent to us that's infected w/the [EMAIL PROTECTED] virus (that's what
norton/symantec calls it). For some reason, clamAV doesn't seem to be
catching this virus. I ran a saved copy of the message thru the online
clamAV @ http://www.gietl.com/test-clamav/ and
I have successfully installed CLAMAV into my machine
into Linux and updated its virus database. For
checking it's efficiency I mounted my windows drive
and performed scanning on it using clamscan.
Surprisingly, I got a virus warning into notepad.exe
it was showing infected by W32.Ladmar.A. However,
the sample anyway? I don't want to waste anyone's time if
this is something that's already being dealt with?
I run 0.67-1 in production but have also tried an mbox scan with
clamav-devel-20040315.
Cheers,
Stuart.
Hi
One of our clients uses a multiple vendor AV solution (clam included) and
has found an interesting scenario. They get sent signature updates and
fixes from NAI which are sent as a non-passworded zip file. The zip file
typically contains a single binary file and a text "readme" type file.
I'm running clamscan / ClamAV version 0.67-1 on FreeBSD 4.9 (clamav
from ports collection), using clamd to scan incoming email for viruses.
I have seen some people on the list say that clamd will stop working
if the maximum logfile size is hit?
Is there anyone using newsyslog to rotate the log
Sorted the problem out - it appears that clamscan will fork new
processes every time it is called by the qmail scanner - I switched to
using clamdscan which uses the clamd daemon.
It has halved the original load to average of 1-3 ...
On Fri, 2004-03-12 at 23:47, Jeremy Kitchen wrote:
> On Fri,
Hi
One of my user (and possibly another) received a mail with an attachment
Document.zip and password in a jpeg file. McAfee detected it as Bagle.N and
ClamAV website site detected it as Worm.Bagle.Gen-zippwd-2 . However, when I ran
clamscan on my Linux mail server with update 185, it doesn't dete
On Mon, 2004-03-15 at 14:06, Ling Ho wrote:
> Anyone has this problem?
Try with --mbox
Cheers,
Mike
---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo techn
On Mon, 15 Mar 2004, Martin A. Brooks wrote:
; Part of the text file is a boilerplate set of instructions on how to make
; an EICAR test file. Clam detects this signature and marks the file as
; being infected. NAI and Norton AV do not.
;
; I'm undecided as to which action is correct and would
Has the Ladmar.A virus been merged as a different virus? The count went
down by 1 and Ladmar was removed. Any ideas?
--
Eric Wheeler
Vice President
National Security Concepts, Inc.
PO Box 3567
Tualatin, OR 97062
http://www.nsci.us/
Voice: (503) 293-7656
Fax: (503) 885-0770
-- For
On Mon, 15 Mar 2004 12:35:17 -0500
"Kevin Hanser" <[EMAIL PROTECTED]> wrote:
> We just recently got a message sent to us that's infected w/the
> [EMAIL PROTECTED] virus (that's what norton/symantec calls it). For
> some reason, clamAV doesn't seem to be catching this virus. I ran a
> saved copy
Been having problems lately. Using clamav-milter on Solaris 9 with version
0.67-1 (whatever the latest release is). It has been working brilliantly
for months. Recently, I started getting a mail.warning message: ClamAv:
Private data not NULL. After this starts, the thread count continues to
gro
Which versions are you seeing this under?
I've tested notepad.exe from 98, ME, and XP Pro and show no virus result for
it.
It is possible that the files are indeed infected.
My suggestion before writing it off as an error on ClamAV's part, is to take
the win machine in question and perform a web
virus fine.
Shall I submit the sample anyway? I don't want to waste anyone's time if
this is something that's already being dealt with?
I run 0.67-1 in production but have also tried an mbox scan with
clamav-devel-20040315.
Cheers,
Stuart.
Please submit the raw message either to me o
From: Ling Ho [mailto:[EMAIL PROTECTED]
>One of my user (and possibly another) received a mail with an attachment
>Document.zip and password in a jpeg file. McAfee detected it as Bagle.N and
>ClamAV website site detected it as Worm.Bagle.Gen-zippwd-2 . However, when
I ran
>clamscan on my Linux mail
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Ling Ho
> Sent: Monday, March 15, 2004 2:06 PM
> To: [EMAIL PROTECTED]
> Subject: [Clamav-users] Bagle.N Virus cannot be detected by local
> clamscan
>
>
> Hi
>
> One of my user (and possibly another)
At 20:02 15/03/2004, you wrote:
Clam's behaviour is incorrect because the Eicar test file page
(http://www.eicar.org/anti_virus_test_file.htm) states:
"Any anti-virus product that supports the test file should detect it in any
file providing that the file starts with the following 68 characters, an
forgive me if this sounds silly.
I completely understand the problem with the password protected archives but
would like to make a suggestion.
Can we take confirmed protected zips and md5sum them and have that sum added
to av database?
Granted I don't really have any idea how the signature system
Found that clamdscan/clamd was able to detect the virus. My amavis-new
setup was using clamscan, not clamd. Now that I changed to clamd, the
virus can be detected properly. I probably need to update the clamscan
myself, not rely on Fedora site.
Sorry for the earlier post.
Thanks
...
ling
Ling H
On Monday 15 March 2004 9:49 pm, redragon wrote:
> I completely understand the problem with the password protected archives
> but would like to make a suggestion.
>
> Can we take confirmed protected zips and md5sum them and have that sum
> added to av database?
They are not the same each time.
A
I'd love to submit the sample :)
I just need some help in doing it, since I'm not sure exactly how to do
it. What I currently have is a MIME-encoded message that has the virus
attachment in it. Do I submit the entire message, or just the
attachment?
If someone could give me a quick submission h
On Mon, 2004-03-15 at 20:20, [EMAIL PROTECTED] wrote:
>
> Has the Ladmar.A virus been merged as a different virus? The count went
> down by 1 and Ladmar was removed. Any ideas?
>
It was temporarily removed due to a false positive. You can keep track
of additions and removals by subscribing to
>If someone could give me a quick submission howto for newbie
>submitters,
>that'd be great :)
Go here:
http://www.nervous.it/~nervous/cgi-bin/sendvirus.cgi
It's really self-explanatory after that.
--J(K)
Hi
Sorry, didn't see this post before I post a reply to my own post.
The --mbox option seems to work for clamscan too.
Thanks Mike.
...
ling
Mike Cathey wrote:
On Mon, 2004-03-15 at 14:06, Ling Ho wrote:
Anyone has this problem?
Try with --mbox
Cheers,
Mike
-
On Mon, 2004-03-15 at 14:20, [EMAIL PROTECTED] wrote:
> Has the Ladmar.A virus been merged as a different virus? The count went
> down by 1 and Ladmar was removed. Any ideas?
It's been picking up false positives.
--
Daniel J McDonald <[EMAIL PROTECTED]>
Austin Energy
---
I was reading about the String module for iptables in Linux Journal over the
weekend and it occurred to me that this could be used for scanning the LAN
for the presence of an infected system.
Does anyone know if such a tool exists? We're seeing *much* higher network
activity lately than in the pas
On Mon, 15 Mar 2004 20:02:49 + (GMT)
Andy Fiddaman <[EMAIL PROTECTED]> wrote:
>
>
> On Mon, 15 Mar 2004, Martin A. Brooks wrote:
> ; Part of the text file is a boilerplate set of instructions on how
> to make; an EICAR test file. Clam detects this signature and marks
> the file as; being i
On Monday 15 March 2004 10:46 pm, Michael St. Laurent wrote:
> I was reading about the String module for iptables in Linux Journal over
> the weekend and it occurred to me that this could be used for scanning the
> LAN for the presence of an infected system.
The String match in netfilter is not th
Denis De Messemacker wrote:
> On Mon, Mar 15, 2004 at 10:01:00AM -0600, Keith Murphy wrote :
> > I'm suddenly seeing this:
> >
> > clamscan Notepad.exe
> > Notepad.exe: W32.Ladmar.A FOUND
(...)
> Please submit this executable in the web submission interface as 'false
> virus'. Then we will proc
On Mon, 2004-03-15 at 15:49, redragon wrote:
> forgive me if this sounds silly.
>
> I completely understand the problem with the password protected archives but
> would like to make a suggestion.
>
> Can we take confirmed protected zips and md5sum them and have that sum added
> to av database?
N
On Mon, 2004-03-15 at 16:49, redragon wrote:
> Granted I don't really have any idea how the signature
> system works cause I just haven't had the time to pry
> into it (one day!!) but is this a possibility for
> detecting the password protected archives?
No. The md5sum of passworded zips would be
Would it be possible for posts to clamav-announce to be cross-posted
here please. I imagine I'm not the only one here that didn't know about
0.68.
Cross posting to the users list seems to be fairly common among other
projects (it makes sense that anyone on the users list is going to want
to know
On Mon, 15 Mar 2004 14:45:27 -0600
Alex S Moore <[EMAIL PROTECTED]> wrote:
> Been having problems lately. Using clamav-milter on Solaris 9 with
> version 0.67-1 (whatever the latest release is). It has been working
> brilliantly for months. Recently, I started getting a mail.warning
> message:
use something like:
acidlab to detect scans,
or nessus/sara to actively scan your network for particular vulnerabilities.
Michael St. Laurent said:
> I was reading about the String module for iptables in Linux Journal over
> the
> weekend and it occurred to me that this could be used for scanning
On Monday 15 March 2004 11:29 pm, Kevin Spicer wrote:
> Would it be possible for posts to clamav-announce to be cross-posted
> here please. I imagine I'm not the only one here that didn't know about
> 0.68.
I'm subscribed on clamav-announce as well as this list, and not only did I not
know abou
Fajar A. Nugraha said:
> An interesting fact on ChangeLog:
>
> Thu Mar 11 21:50:32 CET 2004 (tk)
> -
> * libclamav: rar: added support for encrypted archive (Encrypted.RAR)
> detection
>
To make an obvious statement.
Clamav should add encrypted compre
Tomasz Kojm <[EMAIL PROTECTED]> wrote on 12/03/2004 00:07:01:
> On Thu, 11 Mar 2004 12:49:36 +1100
> Jonathan Trott <[EMAIL PROTECTED]> wrote:
>
> > At the moment, if you put any virus inside an encrypted zip file,
> > clamav reports that there isn't a virus in there, which is a false
> > negat
Ok,
I see now that .68 is out, and .70rc is out as well.
Right now I'm actually relying on the fact that clamscan coredumps on
some rar files and exits with a nice exit code as it crashes which seems
to have prevented some of the passing through of the new rar encrypted
viruses.
Would it poss
Edward W. Ray wrote:
Sorry, thought it was in the e-mail.
RH 9 Linux system running clamv v0.67
[EMAIL PROTECTED] root]# ls -l /dev/urandom
crwxr-xr-x1 root root 1, 9 Mar 9 17:22 /dev/urandom
I can't say much about 0.67, but I know that I'm running the latest CVS
snapshot
Helmut Schneider wrote:
seems that the clamav Port (0.67-1) has problems with RAR Files (e.g.
Bagle.N):
To avoid misunderstandings, I know the file is pwd, but clamav does not recognize the virus within the archive (maybe a DB problem)...
Sometimes the signatures were created using the
Robert Blayzor wrote:
Having to run
freshclam on them all individually would seem like a waste. Suggestions?
Local mirror? Just have one primary freshclam download *.cvd to the root
directory of
your local webserver. Then setup other freshclams to point to that
webserver
(with DatabaseMirror
Alex S Moore wrote:
Help!
Since clamd's log isn't showing any problems, my guess is that it's
clamav-milter or
clamd's ScanMail problem.
clamav FAQ still states *
A rogue mail locks up clamd when scanned and stops it from responding.
What can I do?*
Disable the ScanMail directive in clama
On Mar 8, 2004, at 13:18, Doug Hardie wrote:
After a review of clamd/session.c and the developers forum archives I
know what the cause of my problem is, but not necessarily why. The
version that works (clamd / ClamAV version devel-20040209',
clamav-milter version '0.66m) does not use either po
On Tue, 16 Mar 2004 09:32:37 +0700
"Fajar A. Nugraha" <[EMAIL PROTECTED]> wrote:
> clamav FAQ still states *
>
> A rogue mail locks up clamd when scanned and stops it from responding.
> What can I do?*
>
> Disable the ScanMail directive in clamav.conf. Our internal mail
> scanner is sti
I'm currently using clamav 0.67, and I'm seeing clamav taking a long time
scanning files with mostly 0xFFs.
Normally the time it takes to scan a file is not a problem but once a while we
receive a large mostly white picture, and instead of the usual minute or so
to scan a file, it takes 20+ m
On Mar 15, 2004, at 18:44, Doug Hardie wrote:
On Mar 8, 2004, at 13:18, Doug Hardie wrote:
After a review of clamd/session.c and the developers forum archives
I know what the cause of my problem is, but not necessarily why.
The version that works (clamd / ClamAV version devel-20040209',
clama
* Bart Silverstrim <[EMAIL PROTECTED]> [20040316 01:46]: wrote:
> I'm running clamscan / ClamAV version 0.67-1 on FreeBSD 4.9 (clamav
> from ports collection), using clamd to scan incoming email for viruses.
I also run on FreeBSD 4.9-STABLE, but I have been running CVS code for
ages now. Interes
Hi,
I have these RPMS installed .
# rpm -qa|grep clam
clamav-devel-0.67-1
clamav-0.67-1
Where is the "sock" file ?
I searched the whole system,no where i found socket file for clamav.
-Thanks
-Dilip
--
I was born intelligent education ruined me.
--
* Dilip M <[EMAIL PROTECTED]> [20040316 09:10]: wrote:
> Hi,
>
> I have these RPMS installed .
> # rpm -qa|grep clam
> clamav-devel-0.67-1
> clamav-0.67-1
>
>
> Where is the "sock" file ?
What is a "sock" file?
Do you have a file clamav.conf??
cheers
- wash
+-
On Tue, 16 Mar 2004 09:11:40 +0300, Odhiambo Washington
<[EMAIL PROTECTED]> wrote:
* Dilip M <[EMAIL PROTECTED]> [20040316 09:10]: wrote:
Hi,
I have these RPMS installed .
# rpm -qa|grep clam
clamav-devel-0.67-1
clamav-0.67-1
Where is the "sock" file ?
What is a "sock" file?
Do you have a fi
Dear Sir,
I have checked both points that u mentioned but did not find any of
them. I have conf file in /usr/local/etc/clamav.conf
In this file I have entry
LocalSocket /tmp/clamd
I also check the location of /var/run but did not find folder clamav. It
means installation did not create clamav.soc
On Mon, 15 Mar 2004 10:01:00 -0600
Keith Murphy <[EMAIL PROTECTED]> wrote:
> I'm suddenly seeing this:
>
> clamscan Notepad.exe
> Notepad.exe: W32.Ladmar.A FOUND
Fixed - please run freshclam.
--
oo. Tomasz Kojm <[EMAIL PROTECTED]>
(\/)\. http://www.ClamAV.n
i have:
clamav 0.70 + sendmail 8.12.11 ... both with milter
clamscan detects OK
clamav seems to work:
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 20612
/var/clamd/clamd-milter.sock
unix 2 [ ACC ] STREAM LISTENING
Dilip M wrote:
On Tue, 16 Mar 2004 09:11:40 +0300, Odhiambo Washington
<[EMAIL PROTECTED]> wrote:
I have these RPMS installed .
# rpm -qa|grep clam
clamav-devel-0.67-1
clamav-0.67-1
Where is the "sock" file ?
I'm talking about "socket" file ?
Is there a way to connect to CLAM using socket
* Dilip M <[EMAIL PROTECTED]> [20040316 09:52]: wrote:
> On Tue, 16 Mar 2004 09:11:40 +0300, Odhiambo Washington
> <[EMAIL PROTECTED]> wrote:
>
> >* Dilip M <[EMAIL PROTECTED]> [20040316 09:10]: wrote:
> >>Hi,
> >>
> >>I have these RPMS installed .
> >># rpm -qa|grep clam
> >>clamav-devel-0.6
Muhammad Kashif Muneer wrote:
Dear Sir,
I have checked both points that u mentioned but did not find any of
them. I have conf file in /usr/local/etc/clamav.conf
In this file I have entry
LocalSocket /tmp/clamd
I also check the location of /var/run but did not find folder clamav. It
means installa