Re: [clamav-users] daily dat not compatible with .95.3?
Hello Michael,

the file that is BROKEN is larger:
2447360 Feb 10 16:03 daily.cld
the file that works is smaller:
909036 Feb 10 16:34 daily.cvd

.cvd is compressed, .cld is uncompressed, that's why it's larger.

Best regards

-- 
Luca Gibelli (luca _at_ clamav.net) ClamAV, a GPL anti-virus toolkit
[Tel] +39 0187 1851862 [Fax] +39 0187 1852252 [IM] nervous/jabber.linux.it
PGP key id 5EFC5582 @ any key-server || http://www.clamav.net/gpg/luca.gpg
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
[clamav-users] What happened to 12663 ?
Could someone please give some insight into what happened to the v12663 daily.cld? How long did it take to notice the problem, and how quickly was it fixed?

For us it took down clamd on 15 servers at 00:03 today, and we received the fix 3 hours later... but clamd wasn't restarted before later this morning, leading to huge mailqueues. We should probably look into verifying the db before telling clamd to reload it...

-jf
Re: [clamav-users] What happened to 12663 ?
On Fri, 11 Feb 2011 13:54:02 +0100 Jan-Frode Myklebust janfr...@tanso.net wrote:

> Could someone please give some insight into what happened to the v12663 daily.cld? How long did it take to notice the problem, and how quickly was it fixed?

The database included a signature which was not compatible with ClamAV 0.95.x and older. The problem was fixed after reports sent to this ml. We run backward tests only on the last two release series, right now on 0.97.x and 0.96.x. 0.95.3 is already 16 months old so you should consider upgrading it if you want to avoid this kind of issue.

> For us it took down clamd on 15 servers at 00:03 today, and we received the fix 3 hours later... but clamd wasn't restarted before later this morning, leading to huge mailqueues. We should probably look into verifying the db before telling clamd to reload it...

Upgrading to some recent version is also one of the options. The current version of freshclam has a special option TestDatabases, which is enabled by default and makes sure the new databases can be loaded properly before they get installed in the system.

Regards,

-- 
oo. Tomasz Kojm tk...@clamav.net
(\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
\..._ 0DCA5A08407D5288279DB43454822DC8985A444B
//\ /\ Fri Feb 11 14:05:55 CET 2011
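Added example, not part of the original thread and not ClamAV project code: a manual form of the check discussed above, which stages a downloaded database, asks the local engine to load it, and installs it only if that works. The function name, the `CLAMSCAN` override and the staging layout are assumptions; `clamscan --database=FILE` and its exit codes (0 clean, 1 match, anything else an error) are the tool's own.

```shell
#!/bin/sh
# Added example: install a staged ClamAV database only if the local engine
# can load it. Function name and directory layout are assumptions.

CLAMSCAN="${CLAMSCAN:-clamscan}"   # overridable, e.g. to point at a test stub

# install_if_loadable STAGED_DB LIVE_DIR
# returns 0 = installed, 1 = rejected (live database untouched), 2 = usage error
install_if_loadable() {
    staged="$1"; live_dir="$2"
    [ -f "$staged" ] && [ -d "$live_dir" ] || return 2
    name=$(basename "$staged")

    work=$(mktemp -d) || return 2
    printf 'harmless probe file\n' > "$work/probe.txt"

    # The scan only completes (exit 0 or 1) after the database has been
    # parsed; a database the engine cannot load ends with an error code.
    scan_rc=0
    "$CLAMSCAN" --database="$staged" "$work/probe.txt" >/dev/null 2>&1 || scan_rc=$?
    rm -rf "$work"

    if [ "$scan_rc" -ge 2 ]; then
        echo "rejected $name: scanner exit code $scan_rc" >&2
        return 1
    fi

    # Copy next to the target, then rename. The rename is atomic within one
    # filesystem, so a running clamd never sees a half-written file.
    tmp="$live_dir/.$name.new"
    cp "$staged" "$tmp" && mv "$tmp" "$live_dir/$name"
}
```

Reload clamd only when the function returns 0; a return of 1 leaves the previous database in place and is the event to alert on.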
Re: [clamav-users] What happened to 12663 ?
On 2011 Feb 11, at 13:54 , Jan-Frode Myklebust wrote:

> For us it took down clamd on 15 servers at 00:03 today, and we received the fix 3 hours later... but clamd wasn't restarted before later this morning, leading to huge mailqueues. We should probably look into verifying the db before telling clamd to reload it...

I suggest you instead look at your mail config, verifying that mail keeps on flowing when clamav happens to be down/unresponsive.

Unless you want to err on the safe side, and have a policy in place that says we do not want to receive/send ANY mail when the virus scanning doesn't work. In that case, your system is already working as designed, and tonight's outage was actually helpful, because it prevented mail from getting through that could have been detected by a newer version of the database.

On the other hand, since you haven't updated ClamAV in over a year, leading to (significantly) decreased detection, maybe the scanning of email isn't top priority, and your mail scanning engine needs to fallback to letting mail through on scan errors.

-- 
Jan-Pieter Cornet joh...@xs4all.nl
People are continuously reinventing the flat tyre.
Re: [clamav-users] What happened to 12663 ?
On 2/11/2011 8:31 AM, Jan-Pieter Cornet wrote:

> On the other hand, since you haven't updated ClamAV in over a year, leading to (significantly) decreased detection, maybe the scanning of email isn't top priority, and your mail scanning engine needs to fallback to letting mail through on scan errors.

Forgive me for this but 3-4 days after v0.97 is released, v0.95 is considered obsolete and no longer worth testing databases for. However, I don't see that an announcement went out to this effect. And in fact, when you follow the OUTDATED link in the software it mentions 0.94. If you want to consider 0.95 series EOL please update.

The test database feature seems plenty reason to upgrade without beating us over the head about what slackers we are. For some of us though it means compiling and deploying to production which carries its own overhead that may be more than a need it fixed NOW as management wrings its hands. We disabled freshclam and kept running an older database instead.
Re: [clamav-users] What happened to 12663 ?
On Feb 11, 2011, at 11:56 AM, Vincent Fox wrote:

> On 2/11/2011 8:31 AM, Jan-Pieter Cornet wrote:
>
>> On the other hand, since you haven't updated ClamAV in over a year, leading to (significantly) decreased detection, maybe the scanning of email isn't top priority, and your mail scanning engine needs to fallback to letting mail through on scan errors.
>
> Forgive me for this but 3-4 days after v0.97 is released, v0.95 is considered obsolete and no longer worth testing databases for. However, I don't see that an announcement went out to this effect. And in fact, when you follow the OUTDATED link in the software it mentions 0.94. If you want to consider 0.95 series EOL please update.

You are right. We'll get this updated. However, one of us will try and make an announcement to this fact as well on the ClamAV blog, just to keep everyone up to date with the newest information.

Thanks.

-- 
Joel Esler jesler () sourcefire.com
http://blog.snort.org
http://blog.clamav.net
Re: [clamav-users] What happened to 12663 ?
On 2011-02-11, Jan-Pieter Cornet joh...@xs4all.nl wrote:

> On 2011 Feb 11, at 13:54 , Jan-Frode Myklebust wrote:
>
>> For us it took down clamd on 15 servers at 00:03 today, and we received the fix 3 hours later... but clamd wasn't restarted before later this morning, leading to huge mailqueues. We should probably look into verifying the db before telling clamd to reload it...
>
> I suggest you instead look at your mail config, verifying that mail keeps on flowing when clamav happens to be down/unresponsive.

We fail over to using commandline clamscan, which means it keeps flowing, but apparently too slowly on our most busy servers.

> On the other hand, since you haven't updated ClamAV in over a year, leading to (significantly) decreased detection, maybe the scanning of email isn't top priority, and your mail scanning engine needs to fallback to letting mail through on scan errors.

We have a strong preference to running only RHEL5+EPEL packages, so we're kind of stuck on 0.95.1 until EPEL updates or we move to RHEL6+EPEL which gives us clamav-0.96.1. I expect you will have quite a few users with the same/similar policy...

Oh.. and freshclam said not to PANIC! ;-)

-jf
Re: [clamav-users] What happened to 12663 ?
On 2/11/11 2:17 PM, Jan-Frode Myklebust wrote:

> We fail over to using commandline clamscan, which means it keeps flowing, but apparently too slowly on our most busy servers.

with all the new sigs, sane sigs, google safebrowsing, clamscan cli is mostly useless. (our mail server times out on a per connection basis)

oh, and clamscan also gave an error with the bad daily file.

-- 
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
ISN: 1259*1300
| SECNAP Network Security Corporation
* Certified SNORT Integrator
* 2008-9 Hot Company Award Winner, World Executive Alliance
* Five-Star Partner Program 2009, VARBusiness
* Best in Email Security,2010: Network Products Guide
* King of Spam Filters, SC Magazine 2008
__
This email has been scanned and certified safe by SpammerTrap(r). For Information please see http://www.secnap.com/products/spammertrap/
__
Re: [clamav-users] What happened to 12663 ?
On 2/11/2011 2:17 PM, Jan-Frode Myklebust wrote:

> We have a strong preference to running only RHEL5+EPEL packages, so we're kind of stuck on 0.95.1 until EPEL updates or we move to RHEL6+EPEL which gives us clamav-0.96.1. I expect you will have quite a few users with the same/similar policy...

FWIW, rpmforge has clamav-0.96.5 at the moment. Personally, I would swap repos if epel is going to take over 1.5 years (!) to update an antivirus package.

-- 
Bowie
Re: [clamav-users] What happened to 12663 ?
On 2/11/11 2:59 PM, Bowie Bailey wrote:

> FWIW, rpmforge has clamav-0.96.5 at the moment. Personally, I would swap repos if epel is going to take over 1.5 years (!) to update an antivirus package.

go freebsd! (ok, it's not linux). but 0.97 was in ports 38 mins after clamav released it.

-- 
Michael Scheidell, CTO
Re: [clamav-users] What happened to 12663 ?
On 2/11/2011 2:59 PM, Bowie Bailey wrote:

> On 2/11/2011 2:17 PM, Jan-Frode Myklebust wrote:
>
>> We have a strong preference to running only RHEL5+EPEL packages, so we're kind of stuck on 0.95.1 until EPEL updates or we move to RHEL6+EPEL which gives us clamav-0.96.1. I expect you will have quite a few users with the same/similar policy...
>
> FWIW, rpmforge has clamav-0.96.5 at the moment. Personally, I would swap repos if epel is going to take over 1.5 years (!) to update an antivirus package.

Actually, I misspoke. clamav-0.97 is in rpmforge. I was looking at what was actually installed on my system rather than what was available from the repo.

-- 
Bowie
Re: [clamav-users] What happened to 12663 ?
On 2011 Feb 11, at 17:56 , Vincent Fox wrote:

> On 2/11/2011 8:31 AM, Jan-Pieter Cornet wrote:
>
>> On the other hand, since you haven't updated ClamAV in over a year, leading to (significantly) decreased detection, maybe the scanning of email isn't top priority, and your mail scanning engine needs to fallback to letting mail through on scan errors.
>
> Forgive me for this but 3-4 days after v0.97 is released, v0.95 is considered obsolete and no longer worth testing databases for.

Yes, that sucks. And the clamav team has admitted as much and promised to do something about it. I didn't like that either, I am running 0.95 myself, so clamav stopped functioning. To remedy the situation, I dug into my archive and recovered an older, working, daily.cvd, and installed that on top of the broken one.

The reason I replied is that the OP mentioned that 'mail stopped because of this', somehow implicating it's ClamAV's fault. It isn't. There are a number of reasons that a virus scanner can fail, a bad database is just one of them.

What I wanted to point out is: unless you consider virus scanning more important than the actual flowing of emails, you need to make sure that failures in the virus scanning don't stop your mail from functioning. If scan failures do prevent your mail from being delivered, then right there is your first configuration error: go fix it so you don't depend on the virus scanner to always behave correctly, because it simply won't. There will always be unpredictable circumstances that make your virus scanner crash, so you must be prepared to deal with that.

If that makes you feel uneasy, because it might let unscanned mail through, put a monitoring mechanism in place that alerts you as soon as the virus scanning fails. Or get a second virus scanner, and use them both in parallel (that's what I do - also gives you a nice way to compare performance).

-- 
Jan-Pieter Cornet joh...@xs4all.nl
People are continuously reinventing the flat tyre.
Re: [clamav-users] What happened to 12663 ?
On 02/11/2011 12:59 PM, Bowie Bailey wrote:

> On 2/11/2011 2:17 PM, Jan-Frode Myklebust wrote:
>
>> We have a strong preference to running only RHEL5+EPEL packages, so we're kind of stuck on 0.95.1 until EPEL updates or we move to RHEL6+EPEL which gives us clamav-0.96.1. I expect you will have quite a few users with the same/similar policy...
>
> FWIW, rpmforge has clamav-0.96.5 at the moment. Personally, I would swap repos if epel is going to take over 1.5 years (!) to update an antivirus package.

And if you are paying for support or RHEL5, I would start bitching loudly to RH. It should not take long for a junior engineer to run the system through its paces to validate clamav. Your license and support should be worth something, just MHO.

-- 
Jim Preston