Re: [Clamav-users] CLAM 0.65 Not Identifying Anything
Adam Williams wrote:
> Both CLAM 0.60 and Solo Antivirus identify the following file as being infected with W97/Marker. But since upgrading to CLAM 0.65, CLAM does not detect the infection; either as a regular file or as a mail attachment via clamav-milter. But the message - X-Virus-Scanned: ClamAV version 'clamd / ClamAV version 0.65', clamav-milter version '0.60p' - gets added to the header of every message. Has anyone else experienced this?

Patrik wrote:
> The maillog tells me
> Dec 1 19:26:45 linux sm-mta[32103]: hB1IQh8D032103: Milter add: header: X-Virus-Scanned: clamdscan / ClamAV version 0.60+BugFixesFromCVS-20030916
> and the header is there:
> X-Virus-Scanned: clamdscan / ClamAV version 0.60+BugFixesFromCVS-20030916
> But it doesn't alert on ClamAV-Test-Signature. The mail is going through.

Do you guys have at least these options enabled in your clamav.conf:

ScanMail
ScanArchive
StreamSaveToDisk

And, just to be sure, restarted clamd?

Thomas

---
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive? Does it
help you create better code? SHARE THE LOVE, and help us help
YOU! Click Here: http://sourceforge.net/donate/
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users
Re: [Clamav-users] Oversized Zip, again ...
On Fri, 28 Nov 2003 18:24:02 +0100 Tomasz Papszun <[EMAIL PROTECTED]> wrote:

> I think that this parameter should be made runtime configurable (in clamav.conf). Not every site compiles Clamav on its own.

You can now set up the limit with ArchiveMaxCompressionRatio in clamav.conf.

Best regards,
Tomasz Kojm
--
[EMAIL PROTECTED] www.ClamAV.net
http://www.clamav.net/gpg/tkojm.gpg
0DCA5A08407D5288279DB43454822DC8985A444B
Mon Dec 1 23:39:02 CET 2003
Re: [Clamav-users] using ClamAV on Windows
Right now, there are no programs to integrate clamav with windows based apps. I've got something in development, but it's still a long ways away.

--
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.sosdg.org
The AHBL - http://www.ahbl.org

----- Original Message -----
From: "G. Jullien" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, December 01, 2003 4:56 PM
Subject: [Clamav-users] using ClamAV on Windows

> Hi,
>
> I tried to use ClamAV on a standalone Win machine.
> I don't know if I can filter incoming and outgoing mail
> What should I install more ?
>
> Is it a good idea to try to use clamAV this way ? Or is this usage not the purpose for ClamAV ?
>
> I had no answer about this before, maybe this time
>
> thanks for your help.
>
> niber
[Clamav-users] using ClamAV on Windows
Hi,

I tried to use ClamAV on a standalone Win machine.
I don't know if I can filter incoming and outgoing mail
What should I install more ?

Is it a good idea to try to use clamAV this way ? Or is this usage not the purpose for ClamAV ?

I had no answer about this before, maybe this time

thanks for your help.

niber
Re: [Clamav-users] ClamAV vs Commercial Products
On Mon, 2003-12-01 at 14:00, Joshua French wrote:

> Hello,
>
> I am trying to find out the difference(s) between ClamAV's virus db and any given commercial product. In the latter, I've noted that they have covered 70-80k viruses, whereas ClamAV has somewhere around 10k in its definitions.
>
> Is this an apples and oranges comparison?

Not really. Maybe Granny-Smiths and Romes, but certainly it is the correct order of magnitude.

The difference is in the aim of the product. ClamAV is focused primarily on e-mail-borne viruses. It specializes in providing signatures for fast-breaking-havoc-producing viruses, and doesn't have a lot of the historical DOS boot sector type viri. For completeness sake, they will eventually be added. As a priority, I hope the viri database administrators will concentrate on late-breaking viri and leave the historical oddities for when they are bored.

> Does ClamAV's 10k not include variants in its numbers, but does in fact cover them?
>
> If anyone can provide some info regarding this, that would be most appreciated.

--
Daniel J McDonald <[EMAIL PROTECTED]>
Austin Energy
Re: [Clamav-users] ClamAV vs Commercial Products
On 01 Dec 2003 14:00 , Joshua French <[EMAIL PROTECTED]> sent:

>Hello,
>
>I am trying to find out the difference(s) between ClamAV's virus db and any given commercial product. In the latter, I've noted that they have covered 70-80k viruses, whereas ClamAV has somewhere around 10k in its definitions.
>
>Is this an apples and oranges comparison? Does ClamAV's 10k not include variants in its numbers, but does in fact cover them?
>

I believe this has been in debate for. CLAMAV has definitions since its inception, and the other products have out-dated and antiquated definitions. Hopefully someone will address this a little more coherently.

Prudential Preferred Properties
www.prupref.com
[Clamav-users] ClamAV vs Commercial Products
Hello,

I am trying to find out the difference(s) between ClamAV's virus db and any given commercial product. In the latter, I've noted that they have covered 70-80k viruses, whereas ClamAV has somewhere around 10k in its definitions.

Is this an apples and oranges comparison? Does ClamAV's 10k not include variants in its numbers, but does in fact cover them?

If anyone can provide some info regarding this, that would be most appreciated.

Thanks,
-Josh

--
Joshua French
Network/Systems Engineer
GMSI
Support: [EMAIL PROTECTED]
Support Site: http://support.gmsi1.com
Re: [Clamav-users] Process based clamd
On Sun, 30 Nov 2003 02:35:48 +0100 (CET) Jakub Jankowski <[EMAIL PROTECTED]> wrote:

> On 2003-11-29, Tomasz Kojm wrote:
>
> >The current CVS code contains a new directive: UseProcesses that will cause clamd to use processes instead of threads. Initial version but seems to work ;) It should be really useful for clamav-milter users.
>
> Looks like clamd refuses to die on `killall clamd' when UseProcesses directive is turned on:

Hmm... it shuts down cleanly under my Linux (2.4.18, workstation) and under Solaris 8 (SPARC).

Best regards,
Tomasz Kojm
--
[EMAIL PROTECTED] www.ClamAV.net
http://www.clamav.net/gpg/tkojm.gpg
0DCA5A08407D5288279DB43454822DC8985A444B
Mon Dec 1 20:52:07 CET 2003
Re: [Clamav-users] Oversized Zip, again ...
On Mon, 1 Dec 2003 11:20:39 GMT Tomasz Klim <[EMAIL PROTECTED]> wrote:

> The right solution is to decompress files block-by-block, and scanning only that block, like it is done for reading and scanning file from a descriptor. But this requires direct integration of unzip and scan code. I know that is possible with zlib (.gz) library. Don't know anything about zzip or any other zip decompressing code.

Hmmm... I don't understand. Could you please describe your idea more precisely ?

Best regards,
Tomasz Kojm
--
[EMAIL PROTECTED] www.ClamAV.net
http://www.clamav.net/gpg/tkojm.gpg
0DCA5A08407D5288279DB43454822DC8985A444B
Mon Dec 1 20:46:59 CET 2003
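
Added example (not part of the thread and not ClamAV code): a sketch of the block-by-block approach from the quoted text above, using Python's zlib on a gzip stream, with a ratio cutoff in the spirit of the ArchiveMaxCompressionRatio setting mentioned elsewhere in this archive. The function names, the 64 KiB block size, the 200:1 default, the 1 MiB floor and the marker signature are assumptions made for the illustration.

```python
import io
import zlib

CHUNK_IN = 4096          # compressed bytes read from the stream per step
BLOCK_OUT = 64 * 1024    # hard cap on decompressed bytes held per step

# Constructed, harmless byte pattern standing in for a real signature.
SAMPLE_SIGNATURES = {"Constructed.Marker": b"CONSTRUCTED-TEST-MARKER"}


class RatioExceeded(Exception):
    """Decompressed/compressed ratio passed the configured limit."""


def make_gzip(parts):
    """Build a gzip stream from byte strings (helper for constructed samples)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, 31)   # wbits=31 selects gzip
    return b"".join(comp.compress(p) for p in parts) + comp.flush()


def scan_gzip_stream(stream, signatures, max_ratio=200, min_out=1 << 20):
    """Inflate `stream` one bounded block at a time and scan each block.

    Returns the name of the first matching signature, or None.
    Raises RatioExceeded once more than `min_out` bytes have been produced
    and output exceeds `max_ratio` times the compressed bytes consumed.
    Memory use stays near BLOCK_OUT no matter how large the archive inflates.
    """
    if not signatures:
        raise ValueError("no signatures loaded")
    inflater = zlib.decompressobj(31)
    # Keep the last (longest pattern - 1) bytes so a pattern split across
    # two blocks is still seen in one window.
    overlap = max(len(p) for p in signatures.values()) - 1
    carry = b""
    pending = b""
    fed = produced = 0
    while not inflater.eof:
        if not pending:
            pending = stream.read(CHUNK_IN)
            if not pending:
                break                      # truncated stream: scanned what exists
            fed += len(pending)
        # max_length bounds the output; leftover input lands in unconsumed_tail.
        block = inflater.decompress(pending, BLOCK_OUT)
        pending = inflater.unconsumed_tail
        produced += len(block)
        consumed = fed - len(pending)
        if produced > min_out and produced > max_ratio * consumed:
            raise RatioExceeded(
                "%d bytes out of %d compressed bytes" % (produced, consumed))
        window = carry + block
        for name, pattern in signatures.items():
            if pattern in window:
                return name
        carry = window[-overlap:] if overlap else b""
    return None


def scan_bytes(data, signatures=SAMPLE_SIGNATURES, **limits):
    """Convenience wrapper for in-memory samples."""
    return scan_gzip_stream(io.BytesIO(data), signatures, **limits)


def ratio_tripped(data, **limits):
    """True when scanning `data` is aborted by the ratio limit."""
    try:
        scan_bytes(data, **limits)
    except RatioExceeded:
        return True
    return False


if __name__ == "__main__":
    marker = SAMPLE_SIGNATURES["Constructed.Marker"]
    # Constructed sample: marker placed across the first 64 KiB block boundary.
    straddling = make_gzip([b"A" * (BLOCK_OUT - 5) + marker + b"B" * 1000])
    # Constructed sample: 32 MiB of zeros, which deflate shrinks by roughly 1000:1.
    oversized = make_gzip([bytes(1 << 20)] * 32)
    print(scan_bytes(straddling))
    print(scan_bytes(make_gzip([b"clean data " * 1000])))
    print(ratio_tripped(oversized))
```

The `min_out` floor keeps small but highly compressible files from tripping the ratio check; the oversized sample is rejected after about 1 MiB of output instead of being inflated in full.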
[Clamav-users] CLAM 0.65 Not Identifying Anything
Both CLAM 0.60 and Solo Antivirus identify the following file as being infected with W97/Marker. But since upgrading to CLAM 0.65, CLAM does not detect the infection; either as a regular file or as a mail attachment via clamav-milter. But the message - X-Virus-Scanned: ClamAV version 'clamd / ClamAV version 0.65', clamav-milter version '0.60p' - gets added to the header of every message. Has anyone else experienced this?

[EMAIL PROTECTED] sbin]# clamscan --database=/var/clamav /home/adam/mod_workorder.doc
/home/adam/mod_workorder.doc: OK

--- SCAN SUMMARY ---
Known viruses: 10575
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.04 MB
I/O buffer size: 131072 bytes
Time: 1.293 sec (0 m 1 s)
[EMAIL PROTECTED] sbin]# ls -l /var/clamav
total 596
srwxr-xr-x    1 root     root            0 Dec  1 13:49 clmilter.socket
-rw-r--r--    1 clamav   clamav      24020 Dec  1 13:47 daily.cvd
-rw-r--r--    1 clamav   clamav     579456 Dec  1 13:46 main.cvd
-rw-rw-r--    1 clamav   clamav         60 Nov 22 00:01 mirrors.txt
[Clamav-users] Re: Re: Problems with clamav-milter + sendmail
See my earlier just posted post :p
I have successfully created a new sendmail.cf, but it seems to be the case clamav-milter doesn't grab mails with virus, though it says in the maillog that clamav adds a header in the mail saying it has been checked.

-Patrik

----- Original Message -----
From: "Richard G. Roberto" <[EMAIL PROTECTED]>
Newsgroups: gmane.comp.security.virus.clamav.user
Sent: Monday, December 01, 2003 7:50 PM
Subject: Re: Re: Problems with clamav-milter + sendmail

> That's a good question. Usually, there is a README file in the "cf" subdirectory of the sendmail configuration (m4) sources that explains this for your platform. I don't know where this is on a debian system. Its in /usr/share/sendmail on FreeBSD. FreeBSD also has makefiles for everything and generating a new cf is as simple as typing make filename.cf, but I really don't know where debian puts theirs.
>
> sendmail.org has some decent instructions on how to do this by hand, but it will still require locating a few bits and pieces on your debian system.
>
> Sorry I couldn't be of more help. You may also want to try the debian-users list for debian specific sendmail help.
>
> rgr
>
> On Mon, 1 Dec 2003 15:18:18 +0100, Patrik wrote
> > Richard,
> >
> > I have not generated a new /etc/mail/sendmail.cf
> > I'm not that familiar with sendmail, how do I generate a new one?
> >
> > Thanks,
> > Patrik
> >
> > ----- Original Message -----
> > From: "Richard G. Roberto" <[EMAIL PROTECTED]>
> > Newsgroups: gmane.comp.security.virus.clamav.user
> > Sent: Monday, December 01, 2003 12:55 AM
> > Subject: Re: Problems with clamav-milter + sendmail
> >
> > Patrick,
> >
> > When you modified the sendmail.mc file, did you then use it to generate a new sendmail.cf file and move it into the right place (not sure where that is on a debian system, but its usually /etc/mail/sendmail.cf) -- then restart sendmail?
> >
> > If so, you should set the log level to something suitably high and make sure syslogd is configured to log the mail facility correctly (usually mail.debug gets sent to its own file, but again, I don't know debian). The following .mc file entries should do the trick (but you can also just modify the .cf directly just to test this):
> >
> > define(`confLOG_LEVEL', `10')
> > define(`confMILTER_LOG_LEVEL', `10')
> >
> > Once this is done, you should see messages from sendmail complaining about why it can't talk to the milter. That should help identify the problem.
> >
> > I hope that helps.
> >
> > rgr
> >
> > On Sun, 30 Nov 2003 10:51:24 +0100, Patrik wrote
> > > First of all, I've checked the other threads about this.
> > > So, running debian and having problems getting clamav-milter to work together with sendmail.
> > > I've done what the documentation said and that is:
> > > Installed debian packages: clamav-base, clamav, clamav-milter, clamav-daemon and the freshclam package (incl libs).
> > > I've run dpkg-reconfigure clamav-daemon to configure it and the clamav.conf looks like this:
> > >
> > > #To reconfigure clamd run #dpkg-reconfigure clamav-daemon
> > > LocalSocket /var/run/clamd.ctl
> > > ScanMail
> > > ScanArchive
> > > StreamSaveToDisk
> > > StreamMaxLength 50M
> > > ArchiveMaxRecursion 5
> > > ArchiveMaxFiles 1000
> > > ArchiveMaxFileSize 10M
> > > ThreadTimeout 180
> > > MaxThreads 5
> > > MaxConnectionQueueLength 15
> > > LogFile /var/log/clamav-daemon.log
> > > LogTime
> > > PidFile /var/run/clamd.pid
> > > DataDirectory /var/lib/clamav/
> > > SelfCheck 3600
> > >
> > > I've added the following to /etc/mail/sendmail.mc:
> > >
> > > INPUT_MAIL_FILTER(`clmilter',`S=local:/var/run/clmilter.clt, F=, T=S:4m;R:4m')dnl
> > > define(`confINPUT_MAIL_FILTERS', `clmilter')
> > >
> > > clamd is started and clamav-milter too with: /usr/sbin/clamav-milter -blo /var/run/clmilter.clt
> > >
> > > Then I've restarted sendmail just as the documentation says but it doesn't work.
> > > The mailheader doesn't say anything about X-Virus-Scanner or nothing, I've tried to send a mail with the clamav-signature virus but nothing.
> > > /var/log/mail.log looks like this after I send a mail:
> > >
> > > Nov 30 10:50:00 linux sm-mta[25088]: AUTH=server, relay=.x.xxx [xxx.xxx.xxx.xxx], authid=web25p1, mech=LOGIN, bits=0
> > > Nov 30 10:50:01 linux sm-mta[25088]: XXXxxXXxx: [EMAIL PROTECTED], size=1137, class=0, nrcpts=1, msgid=<[EMAIL PROTECTED]>, proto=ESMTP, daemon=MTA, relay=xx.. [xxx.xxx.xxx.xxx]
> > > Nov 30 10:50:01 linux sm-mta[25091]: xxxXXx: to=<[EMAIL PROTECTED]>, ctladdr=<[EMAIL PROTECTED]> (1276/106), delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=30434, relay=x.xx. [xxx.xxx.xxx.xxx], dsn=2.0.0, stat=Sent (Ok: queued as E996C4095)
> > >
> > > Well xxx...xxx is of course something else, but it doesn't look like anything went wrong.
> > > What might be the problem?
> > >
> > > Thanks,
> > >
Re: [Clamav-users] Re: Problems with clamav-milter + sendmail
That's a good question. Usually, there is a README file in the "cf" subdirectory of the sendmail configuration (m4) sources that explains this for your platform. I don't know where this is on a debian system. Its in /usr/share/sendmail on FreeBSD. FreeBSD also has makefiles for everything and generating a new cf is as simple as typing make filename.cf, but I really don't know where debian puts theirs.

sendmail.org has some decent instructions on how to do this by hand, but it will still require locating a few bits and pieces on your debian system.

Sorry I couldn't be of more help. You may also want to try the debian-users list for debian specific sendmail help.

rgr

On Mon, 1 Dec 2003 15:18:18 +0100, Patrik wrote
> Richard,
>
> I have not generated a new /etc/mail/sendmail.cf
> I'm not that familiar with sendmail, how do I generate a new one?
>
> Thanks,
> Patrik
>
> ----- Original Message -----
> From: "Richard G. Roberto" <[EMAIL PROTECTED]>
> Newsgroups: gmane.comp.security.virus.clamav.user
> Sent: Monday, December 01, 2003 12:55 AM
> Subject: Re: Problems with clamav-milter + sendmail
>
> Patrick,
>
> When you modified the sendmail.mc file, did you then use it to generate a new sendmail.cf file and move it into the right place (not sure where that is on a debian system, but its usually /etc/mail/sendmail.cf) -- then restart sendmail?
>
> If so, you should set the log level to something suitably high and make sure syslogd is configured to log the mail facility correctly (usually mail.debug gets sent to its own file, but again, I don't know debian). The following .mc file entries should do the trick (but you can also just modify the .cf directly just to test this):
>
> define(`confLOG_LEVEL', `10')
> define(`confMILTER_LOG_LEVEL', `10')
>
> Once this is done, you should see messages from sendmail complaining about why it can't talk to the milter. That should help identify the problem.
>
> I hope that helps.
>
> rgr
>
> On Sun, 30 Nov 2003 10:51:24 +0100, Patrik wrote
> > First of all, I've checked the other threads about this.
> > So, running debian and having problems getting clamav-milter to work together with sendmail.
> > I've done what the documentation said and that is:
> > Installed debian packages: clamav-base, clamav, clamav-milter, clamav-daemon and the freshclam package (incl libs).
> > I've run dpkg-reconfigure clamav-daemon to configure it and the clamav.conf looks like this:
> >
> > #To reconfigure clamd run #dpkg-reconfigure clamav-daemon
> > LocalSocket /var/run/clamd.ctl
> > ScanMail
> > ScanArchive
> > StreamSaveToDisk
> > StreamMaxLength 50M
> > ArchiveMaxRecursion 5
> > ArchiveMaxFiles 1000
> > ArchiveMaxFileSize 10M
> > ThreadTimeout 180
> > MaxThreads 5
> > MaxConnectionQueueLength 15
> > LogFile /var/log/clamav-daemon.log
> > LogTime
> > PidFile /var/run/clamd.pid
> > DataDirectory /var/lib/clamav/
> > SelfCheck 3600
> >
> > I've added the following to /etc/mail/sendmail.mc:
> >
> > INPUT_MAIL_FILTER(`clmilter',`S=local:/var/run/clmilter.clt, F=, T=S:4m;R:4m')dnl
> > define(`confINPUT_MAIL_FILTERS', `clmilter')
> >
> > clamd is started and clamav-milter too with: /usr/sbin/clamav-milter -blo /var/run/clmilter.clt
> >
> > Then I've restarted sendmail just as the documentation says but it doesn't work.
> > The mailheader doesn't say anything about X-Virus-Scanner or nothing, I've tried to send a mail with the clamav-signature virus but nothing.
> > /var/log/mail.log looks like this after I send a mail:
> >
> > Nov 30 10:50:00 linux sm-mta[25088]: AUTH=server, relay=.x.xxx [xxx.xxx.xxx.xxx], authid=web25p1, mech=LOGIN, bits=0
> > Nov 30 10:50:01 linux sm-mta[25088]: XXXxxXXxx: [EMAIL PROTECTED], size=1137, class=0, nrcpts=1, msgid=<[EMAIL PROTECTED]>, proto=ESMTP, daemon=MTA, relay=xx.. [xxx.xxx.xxx.xxx]
> > Nov 30 10:50:01 linux sm-mta[25091]: xxxXXx: to=<[EMAIL PROTECTED]>, ctladdr=<[EMAIL PROTECTED]> (1276/106), delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=30434, relay=x.xx. [xxx.xxx.xxx.xxx], dsn=2.0.0, stat=Sent (Ok: queued as E996C4095)
> >
> > Well xxx...xxx is of course something else, but it doesn't look like anything went wrong.
> > What might be the problem?
> >
> > Thanks,
> > Patrik
>
> --
> Richard G. Roberto
> [EMAIL PROTECTED]
[Clamav-users] Re: Re: Problems with clamav-milter + sendmail
Ah, got it. We're getting closer...
The maillog tells me
Dec 1 19:26:45 linux sm-mta[32103]: hB1IQh8D032103: Milter add: header: X-Virus-Scanned: clamdscan / ClamAV version 0.60+BugFixesFromCVS-20030916
and the header is there:
X-Virus-Scanned: clamdscan / ClamAV version 0.60+BugFixesFromCVS-20030916
But it doesn't alert on ClamAV-Test-Signature. The mail is going through.

Thanks
-Patrik

----- Original Message -----
From: "Jakub Jankowski" <[EMAIL PROTECTED]>
Newsgroups: gmane.comp.security.virus.clamav.user
Sent: Monday, December 01, 2003 6:08 PM
Subject: Re: Re: Problems with clamav-milter + sendmail

> On 2003-12-01, Odhiambo Washington wrote:
>
> >* Patrik <[EMAIL PROTECTED]> [20031201 17:25]: wrote:
> >> Richard,
> >>
> >> I have not generated a new /etc/mail/sendmail.cf
> >> I'm not that familiar with sendmail, how do I generate a new one?
>
> /usr/bin/m4 ../m4/cf.m4 config.mc > sendmail.cf
>
> Read cf/README
>
> >hehee, time to drop Sendmail on the floor and get an easier to use MTA which does not require you to "generate XYZ when you make changes", just a `kill -1 PID` ;-)
>
> FYI: You need *just* `kill -1 PID` for sendmail to reread its configuration file.
>
> >PS: This is personal opinion and may cause a flame war.
>
> And it probably will.
>
> s.
>
> ps. please make your signature follow the netiquette guidelines
>
> --
> Jakub Jankowski
> [url]: s.atn.pl
> [EMAIL PROTECTED] [rlu]: 174516
> [EMAIL PROTECTED] [ekg]: 921514
> "Even in Wonderland it is easier to meet Baba Yaga than Alice"
> Fingerprint: FCBF F03D 9ADB B768 8B92 BB52 0341 9037 A875 942D
[Clamav-users] Re: Zip problems again
Tomasz Kojm writes:

> On Sat, 29 Nov 2003 17:16:07 + [EMAIL PROTECTED] (Sean Rima) wrote:
>
> > I am finding this after updating to today's cvs:
> > 003-11-29 17:13:56 1AQ8fM-00066n-1l malware acl condition: clamd: ClamAV returned /var/spool/exim/scan/1AQ8fM-00066n-1l/1AQ8fM-00066n-1l-1.com: Zip module failure. ERROR
>
> OK, but what about clamd ? Did it hang ? That error only means the zip was broken and that happens...

I thought of this but cannot see why, it is a program that sends out compressed files all day long. The strange thing is that I routed the mail to my other exim which also runs ClamAV, same version and that had no problems :)

Sean
Re: [Clamav-users] Re: Problems with clamav-milter + sendmail
On 2003-12-01, Odhiambo Washington wrote:

>* Patrik <[EMAIL PROTECTED]> [20031201 17:25]: wrote:
>> Richard,
>>
>> I have not generated a new /etc/mail/sendmail.cf
>> I'm not that familiar with sendmail, how do I generate a new one?

/usr/bin/m4 ../m4/cf.m4 config.mc > sendmail.cf

Read cf/README

>hehee, time to drop Sendmail on the floor and get an easier to use MTA which does not require you to "generate XYZ when you make changes", just a `kill -1 PID` ;-)

FYI: You need *just* `kill -1 PID` for sendmail to reread its configuration file.

>PS: This is personal opinion and may cause a flame war.

And it probably will.

s.

ps. please make your signature follow the netiquette guidelines

--
Jakub Jankowski
[url]: s.atn.pl
[EMAIL PROTECTED] [rlu]: 174516
[EMAIL PROTECTED] [ekg]: 921514
"Even in Wonderland it is easier to meet Baba Yaga than Alice"
Fingerprint: FCBF F03D 9ADB B768 8B92 BB52 0341 9037 A875 942D
Re: [Clamav-users] Re: Problems with clamav-milter + sendmail
On Mon, 1 Dec 2003, Patrik wrote:

> I have not generated a new /etc/mail/sendmail.cf.
> I'm not really familiar with sendmail.cf, how do I generate a new one?

Generally, m4 sendmail.cf

==
Chris Candreva -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/
[Clamav-users] Re: Problems with clamav-milter + sendmail
Richard,

I have not generated a new /etc/mail/sendmail.cf.
I'm not really familiar with sendmail.cf, how do I generate a new one?

-Patrik

"Richard G. Roberto" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]

Patrick,

When you modified the sendmail.mc file, did you then use it to generate a new sendmail.cf file and move it into the right place (not sure where that is on a debian system, but its usually /etc/mail/sendmail.cf) -- then restart sendmail?

If so, you should set the log level to something suitably high and make sure syslogd is configured to log the mail facility correctly (usually mail.debug gets sent to its own file, but again, I don't know debian). The following .mc file entries should do the trick (but you can also just modify the .cf directly just to test this):

define(`confLOG_LEVEL', `10')
define(`confMILTER_LOG_LEVEL', `10')

Once this is done, you should see messages from sendmail complaining about why it can't talk to the milter. That should help identify the problem.

I hope that helps.

rgr

On Sun, 30 Nov 2003 10:51:24 +0100, Patrik wrote
> First of all, I've checked the other threads about this.
> So, running debian and having problems getting clamav-milter to work together with sendmail.
> I've done what the documentation said and that is:
> Installed debian packages: clamav-base, clamav, clamav-milter, clamav-daemon and the freshclam package (incl libs).
> I've run dpkg-reconfigure clamav-daemon to configure it and the clamav.conf looks like this:
>
> #To reconfigure clamd run #dpkg-reconfigure clamav-daemon
> LocalSocket /var/run/clamd.ctl
> ScanMail
> ScanArchive
> StreamSaveToDisk
> StreamMaxLength 50M
> ArchiveMaxRecursion 5
> ArchiveMaxFiles 1000
> ArchiveMaxFileSize 10M
> ThreadTimeout 180
> MaxThreads 5
> MaxConnectionQueueLength 15
> LogFile /var/log/clamav-daemon.log
> LogTime
> PidFile /var/run/clamd.pid
> DataDirectory /var/lib/clamav/
> SelfCheck 3600
>
> I've added the following to /etc/mail/sendmail.mc:
>
> INPUT_MAIL_FILTER(`clmilter',`S=local:/var/run/clmilter.clt, F=, T=S:4m;R:4m')dnl
> define(`confINPUT_MAIL_FILTERS', `clmilter')
>
> clamd is started and clamav-milter too with: /usr/sbin/clamav-milter -blo /var/run/clmilter.clt
>
> Then I've restarted sendmail just as the documentation says but it doesn't work.
> The mailheader doesn't say anything about X-Virus-Scanner or nothing, I've tried to send a mail with the clamav-signature virus but nothing.
> /var/log/mail.log looks like this after I send a mail:
>
> Nov 30 10:50:00 linux sm-mta[25088]: AUTH=server, relay=.x.xxx [xxx.xxx.xxx.xxx], authid=web25p1, mech=LOGIN, bits=0
> Nov 30 10:50:01 linux sm-mta[25088]: XXXxxXXxx: [EMAIL PROTECTED], size=1137, class=0, nrcpts=1, msgid=<[EMAIL PROTECTED]>, proto=ESMTP, daemon=MTA, relay=xx.. [xxx.xxx.xxx.xxx]
> Nov 30 10:50:01 linux sm-mta[25091]: xxxXXx: to=<[EMAIL PROTECTED]>, ctladdr=<[EMAIL PROTECTED]> (1276/106), delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=30434, relay=x.xx. [xxx.xxx.xxx.xxx], dsn=2.0.0, stat=Sent (Ok: queued as E996C4095)
>
> Well xxx...xxx is of course something else, but it doesn't look like anything went wrong.
> What might be the problem?
>
> Thanks,
> Patrik

--
Richard G. Roberto
[EMAIL PROTECTED]
Re: [Clamav-users] Re: Problems with clamav-milter + sendmail
* Patrik <[EMAIL PROTECTED]> [20031201 17:25]: wrote:

> Richard,
>
> I have not generated a new /etc/mail/sendmail.cf
> I'm not that familiar with sendmail, how do I generate a new one?

hehee, time to drop Sendmail on the floor and get an easier to use MTA which does not require you to "generate XYZ when you make changes", just a `kill -1 PID` ;-)

PS: This is personal opinion and may cause a flame war.

cheers
- wash

Odhiambo Washington
WANANCHI ONLINE LTD (Nairobi, KE)
1ere Etage, Loita Hse, Loita St., # 10286, 00100 NAIROBI
GSM: (+254) 722 743 223
GSM: (+254) 733 744 121
(+254) 020 313 985 - 9

"Oh My God! They killed init! You Bastards!" --from a /. post
Re: [Clamav-users] Autochecking script for clamd
On Mon, 1 Dec 2003 09:24:06 -0600 "Lynn Duerksen" <[EMAIL PROTECTED]> wrote:

> I don't understand what you are getting at. My bandwidth is not an issue at this time. If you are suggesting that I am wasting the bandwidth and cpu time on the servers I download from, how would checking for updates 4 times a day be any different if done with a

BTW: it's recommended to run freshclam at least 6 times a day.

Best regards,
Tomasz Kojm
--
[EMAIL PROTECTED] www.ClamAV.net
http://www.clamav.net/gpg/tkojm.gpg
0DCA5A08407D5288279DB43454822DC8985A444B
Mon Dec 1 16:32:54 CET 2003
RE: [Clamav-users] Autochecking script for clamd
> > > Well, but why run freshclam all the time?
> > >
> >
> > I suppose that I could have run a cron job. But in dealing
>
> Am I wrong in thinking this way? That:
>
> You are wasting your bandwidth running freshclam (well, at some point the virus db files are up to date so no data is tx-ed to your box) all the time. You are making the database servers use cpu time that could be used for other purposes.
> Nothing personal here though, just a question. ;)

I don't understand what you are getting at. My bandwidth is not an issue at this time. If you are suggesting that I am wasting the bandwidth and cpu time on the servers I download from, how would checking for updates 4 times a day be any different if done with a cron job versus a daemon?
Re: [Clamav-users] Zip problems again
On Sat, 29 Nov 2003 17:16:07 + [EMAIL PROTECTED] (Sean Rima) wrote:
> I am finding this after updating to today's cvs:
> 003-11-29 17:13:56 1AQ8fM-00066n-1l malware acl condition: clamd:
> ClamAV returned
> /var/spool/exim/scan/1AQ8fM-00066n-1l/1AQ8fM-00066n-1l-1.com:
> Zip module failure. ERROR

OK, but what about clamd? Did it hang? That error only means the zip was broken and that happens...

Best regards,
Tomasz Kojm
--
[EMAIL PROTECTED] www.ClamAV.net
http://www.clamav.net/gpg/tkojm.gpg
0DCA5A08407D5288279DB43454822DC8985A444B
Mon Dec 1 15:23:11 CET 2003
Re: [Clamav-users] Running as User amavis
On Tue, 2 Dec 2003 02:09:50 +0800 "Sandy T. Santos" <[EMAIL PROTECTED]> wrote:
> hi,
>
> i've successfully compiled clamav-0.65 on my mandrake 8.2 but
> everytime i start clamd i get this error.
>
> LibClamAV Error: cli_cvdload(): Can't create temporary
> directory /root/tmp/45293e6f36fa5577
> ERROR: Unable to create temporary directory.
>
> here's my clamav.conf
> User amavis
> AllowSupplementaryGroups
> PidFile /var/amavis/clamd.pid
> LocalSocket /var/amavis/clamd
>
> however when i comment the User directive in clamav.conf, clamd starts
> successfully. but i don't want it to run as root.

This is a known problem with Mandrake and will be fixed in the next version. Here's a temporary solution from Martin Sitar:

"The problem is that on Mandrake are default tmp directories at home dirs of users not in /tmp. Clamd is started with root privileges and then is running under clamav user, but keeps old roots TMPDIR setting so clam can't create temporary directory /root/tmp/0c4be0b15cf73f95. Problem is between lines 283-293 in file cvd.c where is variable TMPDIR checked ... I solved this problem under Mandrake by exporting TMPDIR="/tmp" in /etc/init.d/clamd, but I think it should be fixed better way".

Best regards,
Tomasz Kojm
--
[EMAIL PROTECTED] www.ClamAV.net
http://www.clamav.net/gpg/tkojm.gpg
0DCA5A08407D5288279DB43454822DC8985A444B
Mon Dec 1 15:12:34 CET 2003
[Clamav-users] Re: Problems with clamav-milter + sendmail
Richard,

I have not generated a new /etc/mail/sendmail.cf
I'm not that familiar with sendmail, how do I generate a new one?

Thanks,
Patrik

----- Original Message -----
From: "Richard G. Roberto" <[EMAIL PROTECTED]>
Newsgroups: gmane.comp.security.virus.clamav.user
Sent: Monday, December 01, 2003 12:55 AM
Subject: Re: Problems with clamav-milter + sendmail

Patrick,

When you modified the sendmail.mc file, did you then use it to generate a new sendmail.cf file and move it into the right place (not sure where that is on a debian system, but it's usually /etc/mail/sendmail.cf) -- then restart sendmail? If so, you should set the log level to something suitably high and make sure syslogd is configured to log the mail facility correctly (usually mail.debug gets sent to its own file, but again, I don't know debian). The following .mc file entries should do the trick (but you can also just modify the .cf directly just to test this):

define(`confLOG_LEVEL', `10')
define(`confMILTER_LOG_LEVEL', `10')

Once this is done, you should see messages from sendmail complaining about why it can't talk to the milter. That should help identify the problem.

I hope that helps.

rgr

On Sun, 30 Nov 2003 10:51:24 +0100, Patrik wrote
> First of all, I've checked the other threads about this.
> So, running debian and having problems getting clamav-milter to work together with sendmail.
> I've done what the documentation said and that is:
> Installed debian packages: clamav-base, clamav, clamav-milter, clamav-daemon and the freshclam package (incl libs).
> I've run dpkg-reconfigure clamav-daemon to configure it and the clamav.conf looks like this:
>
> #To reconfigure clamd run #dpkg-reconfigure clamav-daemon
> LocalSocket /var/run/clamd.ctl
> ScanMail
> ScanArchive
> StreamSaveToDisk
> StreamMaxLength 50M
> ArchiveMaxRecursion 5
> ArchiveMaxFiles 1000
> ArchiveMaxFileSize 10M
> ThreadTimeout 180
> MaxThreads 5
> MaxConnectionQueueLength 15
> LogFile /var/log/clamav-daemon.log
> LogTime
> PidFile /var/run/clamd.pid
> DataDirectory /var/lib/clamav/
> SelfCheck 3600
>
> I've added the following to /etc/mail/sendmail.mc:
>
> INPUT_MAIL_FILTER(`clmilter',`S=local:/var/run/clmilter.clt, F=, T=S:4m;R:4m')dnl
> define(`confINPUT_MAIL_FILTERS', `clmilter')
>
> clamd is started and clamav-milter too with: /usr/sbin/clamav-milter -blo /var/run/clmilter.clt
>
> Then I've restarted sendmail just as the documentation says but it doesn't work.
> The mailheader doesn't say anything about X-Virus-Scanner or nothing, I've tried to send a mail with the clamav-signature virus but nothing.
> /var/log/mail.log looks like this after I send a mail:
>
> Nov 30 10:50:00 linux sm-mta[25088]: AUTH=server, relay=.x.xxx [xxx.xxx.xxx.xxx], authid=web25p1, mech=LOGIN, bits=0
> Nov 30 10:50:01 linux sm-mta[25088]: XXXxxXXxx: [EMAIL PROTECTED], size=1137, class=0, nrcpts=1, msgid=<[EMAIL PROTECTED]>, proto=ESMTP, daemon=MTA, relay=xx.. [xxx.xxx.xxx.xxx]
> Nov 30 10:50:01 linux sm-mta[25091]: xxxXXx: to=<[EMAIL PROTECTED]>, ctladdr=<[EMAIL PROTECTED]> (1276/106), delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=30434, relay=x.xx. [xxx.xxx.xxx.xxx], dsn=2.0.0, stat=Sent (Ok: queued as E996C4095)
>
> Well xxx...xxx is of course something else, but it doesn't look like anything went wrong.
> What might be the problem?
>
> Thanks,
> Patrik

--
Richard G. Roberto [EMAIL PROTECTED]
Re: [Clamav-users] Oversized Zip, again ...
> On Fri, 28 Nov 2003 at 21:24:43 -0800, Chris Paul wrote:
> > On Fri, 28 Nov 2003 18:24:02 +0100
> > Tomasz Papszun <[EMAIL PROTECTED]> wrote:
> >
> > > I have also seen stopped .doc files compressed with ratio 236.
> > > And .dbf files with ratio 1101. Also, .wav files with ratio 1182.
> > >
> > > Users send quite strange things. So an admin may be forced to set
> > > ZIPOSDET for some big value.
> > >
> > > I think that this parameter should be made runtime configurable (in
> > > clamav.conf). Not every site compiles Clamav on its own.
> >
> > You only get this kind of full disclosure with an Open Source virus
> > scanner. Thanks for that.
> >
> > Now I may have missed something, but I'm wondering what is the harm of
> > setting it to 1500 or to 2000? Just to make sure to catch everything.
> >
>
> Setting it to a very big value would cause catching "mail-bombs" also.
> I.e., it would make you vulnerable to denial of service attacks based on
> sending little .zip files but containing very big files inside (which
> would be uncompressed for scanning, wasting huge amounts of system
> resources).
>
> Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only

The right solution is to decompress files block-by-block, and scanning only that block, like it is done for reading and scanning file from a descriptor. But this requires direct integration of unzip and scan code. I know that is possible with zlib (.gz) library. Don't know anything about zzip or any other zip decompressing code.

--
Tomasz Klim, [EMAIL PROTECTED]
http://www.euroneto.pl
Phone: +48 61 8433535 Fax: +48 61 8434455
Euronet Sp. z o.o., Dabrowskiego 81/85, 60-529 Poznan, Poland
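The block-by-block approach from the message above, shown for a gzip stream with Python's zlib binding, as an added example that is not ClamAV code and not part of the original message: output is produced in bounded blocks, each block is scanned, and decompression stops as soon as a size or ratio cap is exceeded, so a mail-bomb is never fully unpacked. The function names, the signature marker and the default limits are assumptions made for illustration.

```python
import gzip
import zlib


class ArchiveLimitExceeded(Exception):
    """The stream expanded past the configured size or ratio cap."""


def inflate_blocks(data, out_block):
    """Yield the decompressed stream in bounded pieces, never all at once."""
    inflater = zlib.decompressobj(wbits=zlib.MAX_WBITS | 16)  # gzip framing
    buf = data
    while buf and not inflater.eof:
        # max_length caps the output of this call; input that was not
        # consumed yet comes back in unconsumed_tail for the next round.
        yield inflater.decompress(buf, out_block)
        buf = inflater.unconsumed_tail
    yield inflater.flush()  # the few bytes still buffered in zlib, if any


def scan_gzip(data, signatures, max_ratio=250, max_output=10 * 2**20,
              out_block=64 * 1024):
    """Return the name of the first matching signature, or None."""
    limit = min(max_output, max_ratio * len(data))
    keep = max(len(sig) for sig in signatures.values()) - 1
    produced, tail = 0, b""
    for block in inflate_blocks(data, out_block):
        produced += len(block)
        if produced > limit:  # stop before a bomb is fully unpacked
            raise ArchiveLimitExceeded(f"{produced} bytes out of {len(data)} in")
        window = tail + block  # overlap catches a match split across blocks
        for name, sig in signatures.items():
            if sig in window:
                return name
        tail = window[-keep:] if keep else b""
    return None


if __name__ == "__main__":
    # Constructed sample data: a made-up marker, not a real ClamAV signature.
    sigs = {"Constructed.Test.Marker": b"CONSTRUCTED-MARKER-0001"}
    mail = gzip.compress(b"hello " * 50 + sigs["Constructed.Test.Marker"])
    print(scan_gzip(mail, sigs))
    bomb = gzip.compress(b"\0" * 20_000_000)  # about 20 KB on the wire
    try:
        scan_gzip(bomb, sigs)
    except ArchiveLimitExceeded as exc:
        print("rejected:", exc)
```

A corrupt stream surfaces as `zlib.error`, which a caller would report as a scan error rather than as a clean result.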
[Clamav-users] Re: Problems with clamav-milter + sendmail
I had the same problems. All seems working but clamav-milter doesn't produce output, neither to logs nor to e-mail headers.

I rebuilt the whole Sendmail package with milter enabled. After that all works.

For configuring the Sendmail with milter enabled you must read the instruction in file:

[your source directory of sendmail-8.12.X]/libmilter/README

This README says:

===
NOTE: If you intend to use filters in sendmail, you must compile sendmail with -DMILTER defined. You can do this by adding the following to your devtools/Site/site.config.m4 file:

APPENDDEF(`conf_sendmail_ENVDEF', `-DMILTER')
===

After that configuring you are to rebuild the whole Sendmail package and reinstall it to the system.

M. Khaletsky
Re: [Clamav-users] Oversized Zip, again ...
On Fri, 28 Nov 2003 at 21:24:43 -0800, Chris Paul wrote:
> On Fri, 28 Nov 2003 18:24:02 +0100
> Tomasz Papszun <[EMAIL PROTECTED]> wrote:
>
> > I have also seen stopped .doc files compressed with ratio 236.
> > And .dbf files with ratio 1101. Also, .wav files with ratio 1182.
> >
> > Users send quite strange things. So an admin may be forced to set
> > ZIPOSDET for some big value.
> >
> > I think that this parameter should be made runtime configurable (in
> > clamav.conf). Not every site compiles Clamav on its own.
>
> You only get this kind of full disclosure with an Open Source virus
> scanner. Thanks for that.
>
> Now I may have missed something, but I'm wondering what is the harm of
> setting it to 1500 or to 2000? Just to make sure to catch everything.
>

Setting it to a very big value would cause catching "mail-bombs" also. I.e., it would make you vulnerable to denial of service attacks based on sending little .zip files but containing very big files inside (which would be uncompressed for scanning, wasting huge amounts of system resources).

--
Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only
[EMAIL PROTECTED] http://www.lodz.tpsa.pl/ | ones and zeros.
[EMAIL PROTECTED] http://www.ClamAV.net/ A GPL virus scanner
Re: [Clamav-users] Running as User amavis
* Sandy T. Santos <[EMAIL PROTECTED]> [20031201 10:22]: wrote:
> Wash said:
> >What is the $HOME of your clamav user? /root ???
> >I got such an error once when the owner of that $HOME was different than
> >the "User amavis" directive (in your case).
> >I solved it by
>
> the amavis user has '/var/amavis' as its home directory.
> i also have a clamav user with '/home/clamav' as its home dir.
> both home dirs are owned by their respective users.
>
> this is my configure script.
> ./configure --prefix=/usr/local/clamav --with-user=amavis

how about

./configure --prefix=/usr/local/clamav --disable-clamav --with-user=amavis

cheers
- wash

Odhiambo Washington, WANANCHI ONLINE LTD (Nairobi, KE)
1ere Etage, Loita Hse, Loita St., # 10286, 00100 NAIROBI
GSM: (+254) 722 743 223, GSM: (+254) 733 744 121, (+254) 020 313 985 - 9
"Oh My God! They killed init! You Bastards!" --from a /. post
Re: [Clamav-users] Running as User amavis
Wash said:
>What is the $HOME of your clamav user? /root ???
>I got such an error once when the owner of that $HOME was different than
>the "User amavis" directive (in your case).
>I solved it by

the amavis user has '/var/amavis' as its home directory.
i also have a clamav user with '/home/clamav' as its home dir.
both home dirs are owned by their respective users.

this is my configure script.
./configure --prefix=/usr/local/clamav --with-user=amavis

Sandy T. Santos