RE: [Clamav-users] Sasser Worm Virus not shown with sigtool
Lynn Duerksen Sent: Wednesday, May 05, 2004 11:26 AM
> Freshclam reports:
>
> RELAY:root>[sbin] freshclam
> ClamAV update process started at Wed May 5 10:07:25 2004
> Reading CVD header (main.cvd): OK
> main.cvd is up to date (version: 22, sigs: 20229, f-level: 1, builder: tkojm)
> Reading CVD header (daily.cvd): OK
> daily.cvd is up to date (version: 303, sigs: 1196, f-level: 2, builder: trog)
>
> However when I run:
>
> sigtool -l | grep -i sasser
>
> I get nothing. Shouldn't Worm.Sasser.A, Worm.Sasser.D and Worm.Sasser.B all
> show up using this?

You probably have 2 versions of the database. Happened to me and many others. Simple to rectify: search for main.cvd on your box. Then find which one is being updated by freshclam. Delete the others and set up symbolic links to the one that's updated by freshclam. I'm sure there are better ways to do this like recompile with the proper path but I couldn't be bothered. Works like a charm for me now.

cheers,
Colin

Colin A. Bartlett
Kinetic Web Solutions
www.kineticweb.biz

---
This SF.Net email is sponsored by Sleepycat Software
Learn developer strategies Cisco, Motorola, Ericsson & Lucent use to deliver higher performing products faster, at low TCO.
http://www.sleepycat.com/telcomwpreg.php?From=osdnemail3
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users
RE: [Clamav-users] Mail taking a *long* time to hit the list
Michael St. Laurent Sent: Monday, May 03, 2004 2:11 PM
> Wow. I posted a message to the list at 9:23 AM (PDT) and as of 11:06 AM
> (PDT) it *still* hasn't posted. I wonder if this one will do any better?

The list has been slow for me too. Welcome to SourceForge. Used to happen all the time on the SpamAssassin list until it moved to Apache. SF is free though so I hesitate to complain. :) But because of it, I always try to CC the person I'm replying to directly.

cheers,
Colin

Colin A. Bartlett
Kinetic Web Solutions
www.kineticweb.biz
RE: [Clamav-users] Re: OT: Just some interesting stats
Jim Maul Sent: Thursday, April 29, 2004 4:10 PM
> I think the wording is a little confusing..I could be wrong but i assume he
> means current when he said last. In the same way that "the last 24 hours"
> means "the current 24 hours", i think "last week" means "current week".

I'm sure Rick didn't want English language criticism when he asked for suggestions but just to weigh in, maybe "past 24 hours", "past week", and "past month" would be best. :)

cheers,
Colin

Colin A. Bartlett
Kinetic Web Solutions
www.kineticweb.biz
RE: [Clamav-users] OT: Just some interesting stats
Rick Macdougall Sent: Thursday, April 29, 2004 12:38 PM
> http://mail.limelyte.net/admin/virus/

NICE! We do something similar. http://www.kineticweb.biz/virusreport.htm

I have a script that parses the log file and reads it into SQL. From there, the rest is easy.

cheers,
Colin

Colin A. Bartlett
Kinetic Web Solutions
www.kineticweb.biz
RE: [Clamav-users] Disabling a Signature
Dexter Ang Sent: Thursday, April 29, 2004 2:02 PM
> ClamAV FAQ #17:
>
> I found a false positive in ClamAV virus database. What shall I do?
>
> Fill the form at http://clamav.sourceforge.net/cgi-bin/sendvirus.cgi Be sure to
> select The file attached is... a false positive.
>
> - anyway, maybe ask the user to zip the html attachment first until
> the false positive is cleared up in the updates.

Thanks. I was going to do just that. However the document has what appears to be some sensitive financial data in it and I hesitated before disseminating it. Can someone confirm that I needn't worry about sending it?

The user can't zip the document up because MailScanner checks files within the zip as any good email scanner should.

cheers,
Colin

Colin A. Bartlett
Kinetic Web Solutions
www.kineticweb.biz
[Clamav-users] Disabling a Signature
Team,

I'm receiving FPs on Trojan.URLspoof.gen from a client that attaches HTML documents to emails. I need to somehow disable this signature so that he can send these emails without getting the attachments stripped. Any way of doing this? Or is it something up to the hook into my MTA (MailScanner)?

For what it's worth I saw an almost identical post to this in the archives but there were no follow-ups.

cheers,
Colin

Colin A. Bartlett
Kinetic Web Solutions
www.kineticweb.biz
RE: [Clamav-users] Netsky P not being blocked, using 0.70-rc
Jeff Ramsey Sent: Friday, April 09, 2004 4:23 PM
> I have done some further testing, and I am blocking Somefool and
> Somefool.B, but I am not blocking variant P.

FWIW, this same thing happened to me when I upgraded from Clam .60 to the latest version. Apparently I installed it in a different place so there were two versions of my daily updates and it wasn't using the new one.

Are you sure your virus signatures are being updated and include the SomeFool.P variant? Run "sigtool --list | grep SomeFool" to see if it's listed.

cheers,
Colin

Colin A. Bartlett
Kinetic Web Solutions
www.kineticweb.biz
RE: [Clamav-users] Virus Names
Stuart Mycock Sent: Wednesday, April 07, 2004 4:24 AM
> I'd prefer to adopt the approach of letting the Clam team get a def out
> with any name they want and have a non-developer publish basic virus
> info on an area of the Clam site, and on that page you'd just have the
> blurb on "SomeFool.Q" for example, along with a short description (only
> brief, tho, there's plenty of viral analysis on other sites) of the
> virus with an "Also known as: NetSky.Q, SmellyVirus.1, Whatever.Q", etc.

How about a Wiki?

cheers,
Colin

Colin A. Bartlett
Kinetic Web Solutions
www.kineticweb.biz
RE: [Clamav-users] Virus DB Update
Vernon A. Fort Sent: Tuesday, March 30, 2004 11:11 AM
> I noticed that virusdb was updated, according to the clamav-virusdb
> list, to daily version 226 but my freshclam is still reporting that 225
> is the latest. Am I missing something?

FYI, my freshclam returns version 227.

cheers,
Colin

Colin A. Bartlett
Kinetic Web Solutions
www.kineticweb.biz
RE: [Clamav-users] clam not fresh
Mark Novak Sent: Friday, March 26, 2004 10:14 AM
> It seems to me that I am updated, as I have the same number of
> signatures as you do, but when I grep it for somefool, maybe it is
> going to the old set in the other directory?

This, apparently, is my problem. Read my post from yesterday about how I copied my CVDs from one folder on top of the ones in another folder. Try that and then maybe it will work.

I still haven't figured out my problem though since I apparently need to change the path in clamav before compiling. I barely know what compiling is.

cheers,
Colin

Colin A. Bartlett
Kinetic Web Solutions
www.kineticweb.biz
RE: [Clamav-users] clam not fresh
Jim Maul Sent: Thursday, March 25, 2004 4:28 PM
> If freshclam insists on saying they
> are up to date, i would try deleting them totally and running freshclam
> again. Maybe that will clear up the problem.

Per Tomasz, I first checked the number of signatures reported by freshclam and it was reporting the correct number.

So per Jim, I deleted both main.cvd and daily.cvd from /var/lib/clamav and ran freshclam again. It downloaded them again as expected. But grepping for SomeFool in the sig list still didn't give me SomeFool.P.

So I searched my system for the CVD files and found a SECOND COPY of them in /usr/local/share/clamav. I checked my /etc/clamav.conf file and it says, as I think it should:

DatabaseDirectory /var/lib/clamav

So for kicks, I copied the CVD files from /var/lib/clamav over top of the ones in /usr/local/share/clamav. That worked! And now when I grep the sig list for SomeFool I _DO_ get .P.

So the question is this: if my clamav.conf says to use /var/lib/clamav, and freshclam is downloading the files to there, then why does clamscan use the files in /usr/local/share/clamav?

Thanks for your help and patience thus far!

cheers,
Colin

Colin A. Bartlett
Kinetic Web Solutions
www.kineticweb.biz
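A small check for the situation in this message (a second copy of the CVDs that clamscan reads while freshclam updates another directory) and for the symlink fix Colin gives in the Sasser reply above. It is an added example, not code from the thread or from the ClamAV project, and it assumes a clamav.conf containing a DatabaseDirectory line plus the filesystem roots to search, both passed on the command line.

```shell
#!/bin/sh
# Added example, not from the thread: find every directory holding a
# ClamAV signature database (main.cvd / daily.cvd) under the given roots
# and report the ones that are not the DatabaseDirectory freshclam is
# configured to update, so clamscan cannot quietly read a stale copy.
# A symlink to the real directory (the fix used in the thread) resolves
# to the same physical path and is therefore not reported.
# Usage: sh cvdcheck.sh /etc/clamav.conf /var/lib /usr/local/share

# Print the DatabaseDirectory value from a clamav.conf (first match wins;
# commented-out lines do not match because their first field starts with #).
db_dir_from_conf() {
    awk '$1 == "DatabaseDirectory" { print $2; exit }' "$1"
}

# Resolve a directory to its physical path, following symlinks.
physical() {
    (cd "$1" 2>/dev/null && pwd -P)
}

# List every directory (one per line) under the roots that holds a CVD.
cvd_dirs() {
    find -L "$@" -type f \( -name main.cvd -o -name daily.cvd \) 2>/dev/null |
        while IFS= read -r f; do dirname "$f"; done | sort -u
}

# freshclam writes downloads as temporary files inside the database
# directory, so the user running it needs write access there; otherwise
# it fails with "Can't open new file ... Permission denied".
db_dir_writable() {
    [ -d "$1" ] && [ -w "$1" ]
}

# Print stale CVD directories, one per line.
# Returns 0 if none, 1 if some were found, 2 on a configuration problem.
find_stale_cvd_dirs() {
    conf=$1; shift
    wanted=$(db_dir_from_conf "$conf")
    [ -n "$wanted" ] || { echo "no DatabaseDirectory in $conf" >&2; return 2; }
    pwanted=$(physical "$wanted") ||
        { echo "DatabaseDirectory $wanted does not exist" >&2; return 2; }
    stale=$(cvd_dirs "$@" | while IFS= read -r d; do
        [ "$(physical "$d")" = "$pwanted" ] || printf '%s\n' "$d"
    done)
    [ -n "$stale" ] || return 0
    printf '%s\n' "$stale"
    return 1
}

# Stand-alone use: first argument is the clamav.conf, the rest are roots.
if [ "$#" -ge 2 ]; then
    find_stale_cvd_dirs "$@"
fi
```

Any directory it prints is one that freshclam never touches, which is exactly the copy that kept SomeFool.P out of the signature list here.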
RE: [Clamav-users] clam not fresh
> Another poster pointed to testvirus.org for testing. I think you'll
> find some methods of delivery more effective than others and that
> clamav will miss some of these.

They're not being detected by clam even when running them right through clamscan on the command prompt. I think it's because SomeFool.P isn't in my sig list even though freshclam says I'm up to date.

> And don't eat bad clams.

I had a bad oyster the other day but never a bad clam.

cheers,
Colin

Colin A. Bartlett
Kinetic Web Solutions
www.kineticweb.biz
[Clamav-users] clam not fresh
Hello All

I've upgraded my ClamAV and I'm no longer getting errors on freshclam. However it doesn't seem to be updated. I noticed some viruses slipping through and ran them through the online scanner. Some were identified as SomeFool.P. I grepped my sigtool -l list for SomeFool and .P isn't listed. But freshclam says main.cvd and daily.cvd are up to date.

Any ideas? Thanks as always.

cheers,
Colin

Colin A. Bartlett
Kinetic Web Solutions
www.kineticweb.biz
RE: [Clamav-users] freshclam debugging help
Tomasz Papszun Sent: Wednesday, March 24, 2004 2:24 PM
> Don't know the particular reason of this error...
> But you really should upgrade your Clamav. You use quite an old version!

Wow, thank you. I really needed an upgrade! All freshclam errors are gone now.

However I still have this one virus that ClamAV still thinks is clean. The online scanner says it's "Worm.SomeFool.P". Even when I take MailScanner out, unzip the file and scan it directly on the command line with clamscan, it still says it's clean. Any ideas why this might happen?

cheers,
Colin

Colin A. Bartlett
Kinetic Web Solutions
www.kineticweb.biz
[Clamav-users] freshclam debugging help
Greetings,

I've been using ClamAV for months without any problems. I use it in conjunction with MailScanner to scan our client's email. However today I noticed a plethora of messages being marked as "clean" but that really did have viruses attached. I posted them to the web-based checker and sure enough the virus database should be catching them. I'm thinking maybe my FreshClam isn't updating. So...

Can someone tell me how to find out what database version I am using? I searched the docs and manpages but couldn't find anything.

And also can someone help me debug the following output from freshclam?

cheers,
Colin

Colin A. Bartlett
Kinetic Web Solutions
www.kineticweb.biz

Current working dir is /usr/local/share/clamav
Checking for a new database - started at Wed Mar 24 13:01:07 2004
Connected to clamav.elektrapro.com.
Reading md5 sum (viruses.md5): OK
viruses.db is up to date.
Reading md5 sum (viruses2.md5): OK
ERROR: Can't open new file ./1c136a7d92ca0d50 to write
open: Permission denied
ERROR: Can't download viruses.db2 from clamav.elektrapro.com
Checking for a new database - started at Wed Mar 24 13:01:08 2004
Connected to clamav.ozforces.com.
Reading md5 sum (viruses.md5): OK
viruses.db is up to date.
Reading md5 sum (viruses2.md5): OK
ERROR: Can't open new file ./2d7ea71a36b0476c to write
open: Permission denied
ERROR: Can't download viruses.db2 from clamav.ozforces.com
Checking for a new database - started at Wed Mar 24 13:01:09 2004
Connected to clamav.essentkabel.com.
Reading md5 sum (viruses.md5): OK
viruses.db is up to date.
Reading md5 sum (viruses2.md5): OK
ERROR: Can't open new file ./90b93c4b1dbdb47b to write
open: Permission denied
ERROR: Can't download viruses.db2 from clamav.essentkabel.com
Checking for a new database - started at Wed Mar 24 13:01:10 2004

At this point, it just hangs.
RE: [Clamav-users] Iframe messages
Stuart Mycock Sent: Wednesday, March 24, 2004 5:03 AM
> What's the consensus about messages with embedded iframe links?
>
> They look like a great potential for viral activity because they
> can be used to auto-download viruses, etc.. The reason I ask is my
> secondary AV caught a couple of messages that got past clam that
> weren't carrying a virus as such but contained iframe code.

I use MailScanner with ClamAV and by default it catches Iframes. I've left it on but the only emails that it has appeared to catch seem to be quasi-legitimate marketing emails. Can't be too important though since no clients have complained.

I would think that scanning for iframes would be better left to something like MailScanner or Amavis rather than Clam.

cheers,
Colin

Colin A. Bartlett
Kinetic Web Solutions
www.kineticweb.biz