[Clamav-users] clamav-milter, "Please try again later" message.

2004-02-24 Thread Sergey
Hello.

Sometimes I see in maillog:

Feb 25 04:03:59 clamav-milter[7350]: clamfi_header: Received: from 192.168.1.1 ([192.168.1.1]) by mail(WinRoute Pro 4.1) with SMTP; Tue, 24 Feb 2004 21:34:29 +0400
Feb 25 04:03:59 clamav-milter[7350]: clamfi_header: From: XX
Feb 25 04:03:59 clamav-milter[7350]: write failure to clamd
Feb 25 04:03:59 sendmail[7349]: i1OMRXXv007349: Milter: data, reject=451 4.7.1 Please try again later
Feb 25 04:03:59 sendmail[7349]: i1OMRXXv007349: to=, delay=00:02:55, pri=572864, stat=Please try again la

What do you think about adding an "ignore scanning error" option to clamav-milter?
Some servers must deliver mail in any case...

-- 
Regards,
Sergey



---
SF.Net is sponsored by: Speed Start Your Linux Apps Now.
Build and deploy apps & Web services for Linux with
a free DVD software kit from IBM. Click Now!
http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users


Re: [Clamav-users] Multiple viruses in same file.

2004-02-24 Thread cc
Virgo Pärna sighed and wrote:

>   It seems, that currently clamav stops scanning file, when it
> finds that it's infected. But for testing purposes it would be nice,
> if there would be switch to run full db scan - so that the for file

But wouldn't that waste cpu cycles when it has already been confirmed
that the said file is infected?   I mean, if say you were scanning your
system and you find an infected(non-quarantined) file; would you care
which virus(es) infected it?   I for one would immediately delete
it.  In the case of automatic scanning by clamdscan, I would set
mimedefang to delete it as well.   That'd be my gut reaction to
any infected files.

However, with that said, I think it would be interesting to
see the statistics of whether or not such files(infected by
multiple viruses) do pass through the system.

Edmund






Re: [Clamav-users] freshclam error

2004-02-24 Thread Antony Stone
On Wednesday 25 February 2004 12:24 am, Niber wrote:

> Antony Stone wrote:
> > Do you always receive the error from the cron job, or did it just happen
> > one or two times?

> One or two times

I would say that is "normal" then, simply due to synchronisation problems of 
the signatures database on the remote server.   We all get those from time to 
time.

Regards,

Antony.

-- 
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing on usenet and in e-mail?

 Please reply to the list;
   please don't CC me.





Re: [Clamav-users] freshclam error

2004-02-24 Thread Niber
One or two times

Thanks for your help

Niber

Antony Stone wrote:
> Do you always receive the error from the cron job, or did it just happen one
> or two times?
>
> Antony.







Re: [Clamav-users] freshclam error

2004-02-24 Thread Antony Stone
On Tuesday 24 February 2004 8:36 pm, Niber wrote:

> Hello,
>
> I receive this mail from
> Cron <[EMAIL PROTECTED]> /usr/local/bin/freshclam --quiet -l
> /var/log/clam-update.log :
>
> ERROR: Verification: Broken or not a CVD file.
>
> When I manually run freshclam it looks fine
>
> Where is the problem with freshclam ?

Do you always receive the error from the cron job, or did it just happen one 
or two times?

Antony.

-- 
If the human brain were so simple that we could understand it,
we'd be so simple that we couldn't.

 Please reply to the list;
   please don't CC me.





[Clamav-users] freshclam error

2004-02-24 Thread Niber
Hello,

I receive this mail from
Cron <[EMAIL PROTECTED]> /usr/local/bin/freshclam --quiet -l 
/var/log/clam-update.log :

ERROR: Verification: Broken or not a CVD file.
ERROR: Verification: Broken or not a CVD file.
ERROR: Verification: Broken or not a CVD file.
When I manually run freshclam it looks fine :
# freshclam
ClamAV update process started at Tue Feb 24 21:27:57 2004
SECURITY WARNING: NO SUPPORT FOR DIGITAL SIGNATURES
Reading CVD header (main.cvd): OK
main.cvd is up to date (version: 19, sigs: 19987, f-level: 1, builder: ddm)
Reading CVD header (daily.cvd): OK
Downloading daily.cvd [*]
daily.cvd updated (version: 138, sigs: 808, f-level: 1, builder: tomek)
Database updated (20795 signatures) from database.clamav.net (64.18.103.6).
serveur:~#
Where is the problem with freshclam ?

Niber





Re: [Clamav-users] [signatures] How to use self-made signatures ?

2004-02-24 Thread Tomasz Papszun
On Tue, 24 Feb 2004 at 15:46:18 +0100, David Girardey wrote:
> >> I'm testing signatures extraction with a 'home-made' virus : I extract
> >> a piece of a binary file (jpeg file), and put it into a test.virus.db
> 
> TP> No. First you must do a hex dump of the binary fragment. It's described
> TP> in the doc.
> 
> I use the "by hand" method.

Good.

> My steps are :
> use the command od -x to view my jpeg file into hex,
> copy a string of ~50 characters to my .sig,
> add "Name.Virus (Clam)=" in .sig,
> rename in .db
> 
> Is it right ?

Well, it depends on what you do with the 'od -x' output. Its format is
like the following:

000 5a4d 0050 0002  0004 000f  
020 00b8 2004   0040 001a  

while a signature must be formed as a continuous string of hex chars, like
5a4d00520004
etc.

Also, be cautious not to insert any "foreign" chars like newlines, EOFs.

If it still doesn't work, you must be making some mistake :-).

-- 
 Tomasz Papszun   SysAdm @ TP S.A. Lodz, Poland  | And it's only
 [EMAIL PROTECTED]   http://www.lodz.tpsa.pl/   | ones and zeros.
 [EMAIL PROTECTED]   http://www.ClamAV.net/   A GPL virus scanner
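
An added example, not part of the original post or of ClamAV: one way to produce the continuous hex string described above without hand-editing `od` output, using `od -tx1` so the bytes come out in file order. The function names, the `Test.Sample` signature name and the sample bytes are constructed for illustration.

```sh
#!/bin/sh
# Added example: emit a "Name=hexstring" line for a hand-made test signature.

# hex_fragment FILE OFFSET LENGTH
# -An drops the offset column, -v disables "*" folding of repeated lines,
# -tx1 prints single bytes in file order. Plain 'od -x' prints 16-bit words
# in host byte order, so on a little-endian machine the bytes "MZ" (4d 5a)
# appear as 5a4d, and a string pasted from that output has every byte pair
# swapped relative to the file.
hex_fragment() {
    od -An -v -tx1 -j "$2" -N "$3" "$1" | tr -d '[:space:]'
}

# make_db_line NAME FILE OFFSET LENGTH
# Prints NAME=<hex> or fails if the fragment is not clean hex of full length.
make_db_line() {
    hex=$(hex_fragment "$2" "$3" "$4") || return 1
    case $hex in
        ''|*[!0-9a-f]*) echo "unexpected od output" >&2; return 1 ;;
    esac
    # A read that runs past the end of the file yields fewer digits.
    [ "${#hex}" -eq $(( $4 * 2 )) ] || { echo "short read" >&2; return 1; }
    printf '%s=%s\n' "$1" "$hex"
}

# Demo on a constructed 8-byte sample (not a real JPEG or virus).
sample=$(mktemp)
printf 'MZ\220\001\003\004\377\376' > "$sample"
make_db_line 'Test.Sample' "$sample" 0 8
rm -f "$sample"
```

Redirect the printed line into test.virus.db and scan with the `clamscan -d test.virus.db /path/fileforscanning` command given elsewhere in this thread.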




Re: [Clamav-users] Submission to virusbtn.com and AV-test.org?

2004-02-24 Thread Antony Stone
On Tuesday 24 February 2004 1:46 pm, Mitch (WebCob) wrote:

> I was given a pdf of a response time article written by Andreas
> Marx at AV-test.org, but on a side note, she thinks he was unofficially
> stating that Clam AV had only a 56% rate detection of virii in the wild -
> I'd say my experience is better, perhaps this is someone to chat with?

I wonder how long ago this was tested (ClamAV's signatures have really come on 
in the last 6-12 months), and also whether the testing was done with viruses 
which are currently in the wild, or with viruses which have been known to be 
in the wild (ClamAV does much better with current threats than with 
historical curiosities).

Regards,

Antony.

-- 
The difference between theory and practice is that in theory there is no 
difference, whereas in practice there is.

 Please reply to the list;
   please don't CC me.





RE: [Clamav-users] Submission to virusbtn.com and AV-test.org?

2004-02-24 Thread Diego d'Ambra
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:clamav-users-
> [EMAIL PROTECTED] On Behalf Of Mitch (WebCob)
> Sent: 24. februar 2004 14:46
> To: [EMAIL PROTECTED]
> Subject: [Clamav-users] Submission to virusbtn.com and AV-test.org?
> 
> I was given a pdf of a response time article written by Andreas
> Marx at AV-test.org, but on a side note, she thinks he was unofficially
> stating that Clam AV had only a 56% rate detection of virii in the wild -
> I'd say my experience is better, perhaps this is someone to chat with?
> 

We're already in contact with Andreas Marx from AV-Test.org. They're
tracking ClamAV's response time, but currently I'm not allowed to publish
their results :-(

You can read their first test result at
http://www.pcwelt.de/news/viren_bugs/37827/2.html (or
http://www.av-test.org).

Best regards,
Diego d'Ambra




Re[2]: [Clamav-users] [signatures] How to use self-made signatures ?

2004-02-24 Thread David Girardey
Hello Tomasz,

TP> On Tue, 24 Feb 2004 at 11:05:32 +0100, David Girardey wrote:
>> 
>> I'm testing signatures extraction with a 'home-made' virus : I extract
>> a piece of a binary file (jpeg file), and put it into a test.virus.db

TP> No. First you must do a hex dump of the binary fragment. It's described
TP> in the doc.

I use the "by hand" method.

My steps are :
use the command od -x to view my jpeg file into hex,
copy a string of ~50 characters to my .sig,
add "Name.Virus (Clam)=" in .sig,
rename in .db

Is it right ?

>> I use the creating signature manual to take a good string (size
>> between 40 and 200, etc).
>> 
>> I put this test.virus.db into my database directory (with daily.cvd
>> and main.cvd).
>> 
>> I test this signature with this command :
>> 
>> clamscan --mbox /tmp/image.jpg

TP> For testing purposes, quicker is using only that test signature:
TP> clamscan -d test.virus.db /path/fileforscanning

Thanks for your tips !

Regards,
-- 
David Girardey / Agence France Presse  mailto:[EMAIL PROTECTED]





[Clamav-users] Submission to virusbtn.com and AV-test.org?

2004-02-24 Thread Mitch (WebCob)
I was looking for reviews on virus protection quality as well as response
time...

Helen, the editor of virusbtn.com says as far as she knows, Clam AV has
never been submitted for review.

I asked for details on the process, and ask here if there is any reason NOT
to submit to various reviewers - don't want to step on toes, but I figure
the broader range of support we can get for the project, the faster our
response times will be to detecting virii in the wild etc.

I was given a pdf of a response time article written by Andreas
Marx at AV-test.org, but on a side note, she thinks he was unofficially
stating that Clam AV had only a 56% rate detection of virii in the wild -
I'd say my experience is better, perhaps this is someone to chat with?

Don't want to step on toes, so I thought I'd ask before I kept digging.

Thanks!

m/





Re: [Clamav-users] Clamuko?

2004-02-24 Thread Claudio Alonso
> Please don't use it yet - it will be back in the next week.
That's excellent news! Thanks Tomasz!

--Claudio




Re: [Clamav-users] [signatures] How to use self-made signatures ?

2004-02-24 Thread Tomasz Papszun
On Tue, 24 Feb 2004 at 11:05:32 +0100, David Girardey wrote:
> 
> I'm testing signatures extraction with a 'home-made' virus : I extract
> a piece of a binary file (jpeg file), and put it into a test.virus.db

No. First you must do a hex dump of the binary fragment. It's described
in the doc.

> I use the creating signature manual to take a good string (size
> between 40 and 200, etc).
> 
> I put this test.virus.db into my database directory (with daily.cvd
> and main.cvd).
> 
> I test this signature with this command :
> 
> clamscan --mbox /tmp/image.jpg

For testing purposes, quicker is using only that test signature:
clamscan -d test.virus.db /path/fileforscanning

-- 
 Tomasz Papszun   SysAdm @ TP S.A. Lodz, Poland  | And it's only
 [EMAIL PROTECTED]   http://www.lodz.tpsa.pl/   | ones and zeros.
 [EMAIL PROTECTED]   http://www.ClamAV.net/   A GPL virus scanner




[Clamav-users] [signatures] How to use self-made signatures ?

2004-02-24 Thread David Girardey
Hi,

I'm testing signatures extraction with a 'home-made' virus : I extract
a piece of a binary file (jpeg file), and put it into a test.virus.db

I use the creating signature manual to take a good string (size
between 40 and 200, etc).

I put this test.virus.db into my database directory (with daily.cvd
and main.cvd).

I test this signature with this command :

clamscan --mbox /tmp/image.jpg

But clamscan doesn't detect my signature, the file is not infected for
him.

I use clamav 0.67-1.

Any idea someone ?

Regards,
-- 
David Girardey / Agence France Presse   mailto:[EMAIL PROTECTED]





[Clamav-users] Multiple viruses in same file.

2004-02-24 Thread Virgo Pärna
It seems, that currently clamav stops scanning file, when it
finds that it's infected. But for testing purposes it would be nice,
if there would be switch to run full db scan - so that for a file
infected with multiple viruses all of them would be recognized. For
example - I received virus mails that clamav recognized as "CIH #2",
NAV recognised them as Swen.A (Gibe.F in clamav). Which raises another
interesting question - if some new worm like Swen.A is infected with
some old file virus, would it be possible, that it's infected so
badly, that clamav does not recognize it as virus? It probably depends
on the signature. Anyway, I'm glad, that clamav does recognize CIH - it
was quite nasty virus.

-- 
Virgo Pärna 
[EMAIL PROTECTED]


