Re: [Clamav-users] Correct clamav-milter options to --postmaster-only
On Tuesday 02 Mar 2004 12:58 am, Stevens, John wrote:

> Please post an example of the bounce message, then I can see where it's coming from.
>
> From: MAILER-DAEMON
> To: [EMAIL PROTECTED]
> CC: [EMAIL PROTECTED]
> Subject: Virus intercepted
>
> A message you sent to [EMAIL PROTECTED] contained a virus and has not been delivered.
>
> stream: Worm.Bagle.E FOUND

John,

Unfortunately you've deleted the original message with all your options and I've deleted your original posting so I can't remember what they were. Anyway, this message is created by the -b (--bounce) option, so turn that off.

> John Stevens - MIS Manager, Senior Project Engineer

--
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK. ICQ#20252325
[EMAIL PROTECTED] http://www.bandsman.co.uk

---
SF.Net is sponsored by: Speed Start Your Linux Apps Now. Build and deploy apps Web services for Linux with a free DVD software kit from IBM. Click Now! http://ads.osdn.com/?ad_id=1356alloc_id=3438op=click
___
Clamav-users mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/clamav-users
Re: [Clamav-users] Re: debian-sid package broken
Derrick 'dman' Hudson wrote:

> On Tue, Mar 02, 2004 at 12:00:28PM +0800, Me Its wrote:
> | I am using debian - sid, but I got error when I apt-get upgrade, when
> | it tries to install the new ClamAV
> | What should I do next ?
>
> Look for a related bug report on http://bugs.debian.org. If there is none, report the bug. At any rate, this is a debian packaging issue, not a clamav one.
>
> -D
>
> PS It is a good idea to know this before running unstable. It's a little safer to run testing instead, if you aren't that comfortable with running into such issues at times.

This is a known bug in clamav-base_0.67-5, and 0.67-6 was uploaded last night.

Thomas
Re: [Clamav-users] How to disable notification
On Tuesday 02 Mar 2004 7:04 am, Janis wrote:

> I'd like to know whether is it possible to disable sending of notification to sender of incoming mail about the virus in the e-mail.

man clamav-milter will tell you.

> Janis

-Nigel

--
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK. ICQ#20252325
[EMAIL PROTECTED] http://www.bandsman.co.uk
Re: [Clamav-users] password protected zip file
On Tue, Mar 02, 2004 at 03:07:31PM +0800, kengheng wrote:

> Hi, Can clamav detected those virus that is protected by a password in a zipped file?

No

--
Erik Corry I'd be a Libertarian, if they weren't all a
[EMAIL PROTECTED] bunch of tax-dodging professional whiners. - B. Breathed.
RE: [Clamav-users] password protected zip file
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:clamav-users- [EMAIL PROTECTED] On Behalf Of Erik Corry
> Sent: 2 March 2004 09:10
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] password protected zip file
>
> On Tue, Mar 02, 2004 at 03:07:31PM +0800, kengheng wrote:
>
> Hi, Can clamav detected those virus that is protected by a password in a zipped file?
>
> No

I would say maybe.

It's impossible to detect the encrypted zip file, but a signature was added yesterday that will match e-mails with the Bagle-F or Bagle-H zip attachment (Worm.Bagle.F-zippwd). So you should allow ClamAV also to scan the e-mail.

BTW: I'm currently working on adding a second signature that will detect a variant of these e-mails.

Best regards,
Diego d'Ambra
Re: [Clamav-users] Re: password-protected Worm.Bagle.F
On Mon, 01 Mar 2004 at 21:04:55 -0500, Derrick 'dman' Hudson wrote:

> Is the zip file really encrypted, or is the password just an

Really.

> advisory flag that an unzip tool is supposed to honor? If it's the latter, then clamav could just ignore the password to unpack and scan the archive anyways.

As yesterday Diego d'Ambra added a signature Worm.Bagle.F-zippwd for email messages with password protected variant of Worm.Bagle.F, ClamAV should detect such messages. I mean _messages_. Not zip files themselves.

So please folks, stop submitting encrypted zip files (without a full message) to us as it's quite impossible to create a signature for them.

--
Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only
[EMAIL PROTECTED] http://www.lodz.tpsa.pl/ | ones and zeros.
[EMAIL PROTECTED] http://www.ClamAV.net/ A GPL virus scanner
Re: [Clamav-users] FYI: clamav-devel-20040301 build error on Solaris
On Tue, 02 Mar 2004 12:58:57 +0700 Fajar A. Nugraha [EMAIL PROTECTED] wrote:

> Sure enough, I found these files on source tarball:
> ./clamd/dazukoio.o
> ./clamd/dazukoio_compat12.o
> Deleted these files, and clamav compiles OK.

Fixed, thanks.

--
   oo.       Tomasz Kojm [EMAIL PROTECTED]
  (\/)\.     http://www.ClamAV.net/gpg/tkojm.gpg
     \..._   0DCA5A08407D5288279DB43454822DC8985A444B
     //\ /\  Tue Mar 2 09:27:37 CET 2004
Re: [Clamav-users] password protected zip file
Erik Corry wrote:

> Hi, Can clamav detected those virus that is protected by a password in a zipped file?
>
> No

Generally no, except in the case of Worm.Bagle.F-zippwd (Trend Micro identifies it as Worm.Bagle.F-1). There's another thread about it (password-protected Worm.Bagle.F). See archives.

Regards,
Fajar
Re: [Clamav-users] clamav 0.65 not detecting Worm.Bagle.F
On Tue, 02 Mar 2004 at 15:00:16 +0800, Joey Esquibal wrote:

> [...]
> I have successfully configured MailScanner with ClamAV-0.65. Tested it
> [...]
> Any help of pointers are greatly appreciated.

Please upgrade.

--
Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only
[EMAIL PROTECTED] http://www.lodz.tpsa.pl/ | ones and zeros.
[EMAIL PROTECTED] http://www.ClamAV.net/ A GPL virus scanner
Re: [Clamav-users] Re: password-protected Worm.Bagle.F
On Tue, 02 Mar 2004 at 3:38:32 -0500, jef moskot wrote:

> On Tue, 2 Mar 2004, Tomasz Papszun wrote:
>
> So please folks, stop submitting encrypted zip files (without a full message) to us as it's quite impossible to create a signature for them.
>
> Does this mean you still want samples including the full message?

As usually: only if ClamAV with an up-to-date database isn't detecting an infection in a sample.

In this particular case a sample = a full message sample.

--
Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only
[EMAIL PROTECTED] http://www.lodz.tpsa.pl/ | ones and zeros.
[EMAIL PROTECTED] http://www.ClamAV.net/ A GPL virus scanner
Re: [Clamav-users] Re: password-protected Worm.Bagle.F
On Tue, 2 Mar 2004, Tomasz Papszun wrote:

> As usually: only if ClamAV with an up-to-date database isn't detecting an infection in a sample. In this particular case a sample = a full message sample.

Roger that. Up until a few minutes ago, a few samples had gotten through, but things look good now. My samples don't make it past the online tester (they had an hour ago) and now my local system can ID them as well.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]
Re: [Clamav-users] What is the problem?
Adrian Gurbina (main) wrote:

> ccabbccacaa.zip : D:\Attachments\ccabbccacaa.zip is infected with the [EMAIL PROTECTED] virus
> output from NAV/Symantec
>
> so clamscan don't know any virus related to Beagle? i use the latest update related to the virus database
> how do we fix this problem?

try out http://www.gietl.com/test-clamav/ to see if the working clamav finds the virus. If it does, something in your configuration seems wrong. If it doesn't, submit or make it available online, so we can try it out.

--
Kristof
Re: [Clamav-users] password-protected Worm.Bagle.F
About the password-encrypted zip file viruses, is there any information available on the web about this? I like to instruct my users about this new infection method.

David Jansen
Re: [Clamav-users] password-protected Worm.Bagle.F
David Jansen wrote:

> About the password-encrypted zip file viruses, is there any information available on the web about this?

Try this http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BAGLE.G

Regards,
Fajar
Re: [Clamav-users] What is the problem?
On Tue, 2 Mar 2004, Adrian Gurbina (main) wrote:

> clamscan -V
> clamscan / ClamAV version 0.67
> freshclam -V
> freshclam / ClamAV version 0.67
>
> ccabbccacaa.zip : D:\Attachments\ccabbccacaa.zip is infected with the [EMAIL PROTECTED] virus
> output from NAV/Symantec
>
> clamscan ccabbccacaa.zip
> Known viruses: 20742
> Scanned directories: 0
> Scanned files: 1
> Infected files: 0
> Data scanned: 0.02 MB
> I/O buffer size: 131072 bytes
> Time: 1.208 sec (0 m 1 s)
>
> so clamscan don't know any virus related to Beagle? i use the latest update related to the virus database
> how do we fix this problem?

Judging from the number of known signatures I'd say you don't have the last few updates to the signature db - try running freshclam and then scan the file again. Also, try extracting the zip file and scan the contents, it could be that maybe clam has a problem extracting it.

I've just run freshclam, and with the latest files (main version 21, daily version 153) there is a total of 20352 signatures. You have a total number of 20742 signatures which tells me that your db is a little outdated - the number of signatures went down recently due to a db cleanup where a lot of duplicates were removed.

--
Jesper Juhl [EMAIL PROTECTED]
Systems Administrator, Danmarks Idræts-Forbund / The Danish Sports Federation
Please don't top-post http://www.catb.org/~esr/jargon/html/T/top-post.html
Please send plain text emails only http://www.expita.com/nomime.html
[Clamav-users] clamav stops running
I frequently have to run clamav manually, what makes to stop? Is there a way to re-run it automatically!
AW: [Clamav-users] clamav stops running
> I frequently have to run clamav manually, what makes to stop? Is there a way to re-run it automatically!

Read the ML-History, you will find some restartscripts for clamd. make a cronjob */1 * * * * for it.
Re: AW: [Clamav-users] clamav stops running
Power-Netz (Schwarz) wrote:

> I frequently have to run clamav manually, what makes to stop? Is there a way to re-run it automatically!
>
> Read the ML-History, you will find some restartscripts for clamd. make a cronjob */1 * * * * for it.

I personally run clamd under daemontools as I'm already running daemontools for qmail. Works a treat.

You can find daemontools at http://cr.yp.to/daemontools.html

D
Re: AW: AW: [Clamav-users] clamav stops running
Power-Netz (Schwarz) wrote:

> I personally run clamd under daemontools as I'm already running daemontools for qmail. Works a treat. You can find daemontools at http://cr.yp.to/daemontools.html
>
> That will not help you, because clam will stop working, not crashing.
>
> Works just fine for me - my spamd occasionally dies, but never hangs with the daemon still running.

daemontools is said to work on unix only, what is the alternative in linux?
Re: [Clamav-users] password-protected Worm.Bagle.H
Worm.Bagle.H found in unzipped file. It's impossible to create signature of encrypted zip file.

This new infection method is likely to drive us nuts. This is the password-less workaround I've come up with and your input is appreciated. The unix unzip output looks like so:

$ uvscan -lv virus.zip
Archive: TextDocument.zip
 Length   Method    Size  Ratio    Date    Time    CRC-32    Name
--------  ------  -------  -----   ----    ----    ------    ----
   21150  Stored    21150    0%  03-01-04  19:33  7ac0095f  hifrm.scr
--------          -------   ---                             -------
   21150            21150    0%                             1 file

Fortunately we can get the file crc w/o actually extracting the file. Can zip file crc's count as sigs? A quick/crude perl hack to test for this at the MTA seems to work pretty well:

    # Fork a child that runs unzip; the parent reads its listing from UNZIP.
    if (!open(UNZIP, "-|")) {
        exec("/usr/bin/unzip", '-lv', $file);
    }
    while (<UNZIP>) {
        # Match the CRC-32 column of the listing against the known value.
        if (/7ac0095f/) {
            print "Found the w32nsc/Bagle.H-zip virus !!!\n";
            found_virus();
            last;
        }
    }
    close(UNZIP);

Suggestions? There are really easy ways for the virus writer to circumvent this type of check but until they start utilizing such strategies, is it possible to include the zip's crc into ClamAV's sigs?

Eric Wheeler
Vice President
National Security Concepts, Inc.
PO Box 3567
Tualatin, OR 97062
http://www.nsci.us/
Voice: (503) 293-7656
Fax: (503) 885-0770
AW: AW: AW: [Clamav-users] clamav stops running
> That will not help you, because clam will stop working, not crashing.
>
> Works just fine for me - my spamd occasionally dies, but never hangs with the daemon still running.
>
> daemontools is said to work on unix only, what is the alternative in linux?

supervise .. but, as said, it won't help if the demon stops answering but does not crash at all.

BTW: i thought with the thread version these hangs should stop? Anything new on that topic???
Re: AW: AW: [Clamav-users] clamav stops running
Japhet Samson wrote:

> Power-Netz (Schwarz) wrote:
>
> I personally run clamd under daemontools as I'm already running daemontools for qmail. Works a treat. You can find daemontools at http://cr.yp.to/daemontools.html
>
> That will not help you, because clam will stop working, not crashing.
>
> Works just fine for me - my spamd occasionally dies, but never hangs with the daemon still running.
>
> daemontools is said to work on unix only, what is the alternative in linux?

daemontools works on a variety of *nix's - I personally am using it on Solaris and RedHat.
Re: AW: AW: [Clamav-users] clamav stops running
On Tuesday 02 March 2004 12:17 pm, Japhet Samson wrote:

> Power-Netz (Schwarz) wrote:
>
> I personally run clamd under daemontools as I'm already running daemontools for qmail. Works a treat. You can find daemontools at http://cr.yp.to/daemontools.html
>
> That will not help you, because clam will stop working, not crashing.
>
> Works just fine for me - my spamd occasionally dies, but never hangs with the daemon still running.
>
> daemontools is said to work on unix only, what is the alternative in linux?

I would have thought Linux counts as a form of Unix for this purpose.

I think what the daemontools web page means by "System requirements: daemontools works only under UNIX" is that it won't work under Windows, VMS, MacOS, etc.

Try it under Linux and see.

Regards,
Antony.

--
This is not a rehearsal. This is Real Life.
Please reply to the list; please don't CC me.
Re: AW: AW: AW: [Clamav-users] clamav stops running
Power-Netz (Schwarz) wrote:

> That will not help you, because clam will stop working, not crashing.
>
> Works just fine for me - my spamd occasionally dies, but never hangs with the daemon still running.
>
> daemontools is said to work on unix only, what is the alternative in linux?
>
> supervise .. but, as said, it won't help if the demon stops answering but does not crash at all.

supervise is part of daemontools.
Re: [Clamav-users] password-protected Worm.Bagle.H
On Tue, 02 Mar 2004 at 4:14:52 -0800, [EMAIL PROTECTED] wrote:

> Worm.Bagle.H found in unzipped file. It's impossible to create signature of encrypted zip file.
>
> This new infection method is likely to drive us nuts. This is the password-less workaround I've come up with and your input is appreciated. The unix unzip output looks like so:
> [...]
> 21150 Stored 21150 0% 03-01-04 19:33 7ac0095f hifrm.scr
> [...]
> Fortunately we can get the file crc w/o actually extracting the file.
> [...]

It gives nothing as copies of Worm.Bagle.H (and previous variants also) vary in their contents and even sizes. So checksums are different.

--
Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only
[EMAIL PROTECTED] http://www.lodz.tpsa.pl/ | ones and zeros.
[EMAIL PROTECTED] http://www.ClamAV.net/ A GPL virus scanner
RE: [Clamav-users] password-protected Worm.Bagle.H
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
>
> This new infection method is likely to drive us nuts. This is the password-less workaround I've come up with and your input is appreciated. The unix unzip output looks like so:
>
> $ uvscan -lv virus.zip
> Archive: TextDocument.zip
>  Length   Method    Size  Ratio    Date    Time    CRC-32    Name
> --------  ------  -------  -----   ----    ----    ------    ----
>    21150  Stored    21150    0%  03-01-04  19:33  7ac0095f  hifrm.scr
> --------          -------   ---                             -------
>    21150            21150    0%                             1 file
>
> Fortunately we can get the file crc w/o actually extracting the file. Can zip file crc's count as sigs? A quick/crude perl hack to test for this at the MTA seems to work pretty well:
>
> ---SNIP---
>
> Suggestions? There are really easy ways for the virus writer to circumvent this type of check but until they start utilizing such strategies, is it possible to include the zip's crc into ClamAV's sigs?

I'd say that if you're doing that you want to include the other key information, namely the size and the compression ratio. That way the chances of a collision are minimal (the odds are reasonable that there is another zip file with a single file that has the same CRC, the odds decrease however if you also use the size and compression ratio).

--
PLEASE - keep list traffic on the list. Don't CC or send me mail directly.
Rob MacGregor (BOFH)
Re: AW: AW: AW: [Clamav-users] clamav stops running
Power-Netz (Schwarz) wrote:

> supervise .. but, as said, it won't help if the demon stops answering but does not crash at all.

Try searching archive for posts on clamd monitoring.

A useful link: http://mikecathey.com/code/clamdwatch/

This should check whether clamd is working or not (i.e hung, dead, etc).

Regards,
Fajar
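[Added example, not part of the original thread and not clamdwatch's or ClamAV's own code: a probe that tells a hung clamd apart from a dead one, which is the case a process supervisor alone misses. It assumes clamd listens on a TCP socket and answers its PING command with PONG; check_clamd, fake_clamd and closed_port are hypothetical names, and fake_clamd is a constructed stand-in used only to exercise the probe.]

```python
import socket
import threading


def check_clamd(host, port, timeout=5.0):
    """Probe clamd with PING and classify the result.

    "ok"   : replied PONG within the timeout
    "hung" : connection accepted (or stalled) but no answer in time
    "down" : connection refused or reset, nothing is serving the port
    "bad"  : answered with something other than PONG
    """
    try:
        # The timeout given here also applies to the send and recv below.
        with socket.create_connection((host, port), timeout=timeout) as conn:
            conn.sendall(b"PING\n")
            reply = conn.recv(64)
    except socket.timeout:
        return "hung"
    except OSError:
        return "down"
    return "ok" if reply.strip() == b"PONG" else "bad"


def fake_clamd(responsive):
    """Constructed stand-in for clamd on a free loopback port (demo only).

    responsive=True answers PING with PONG; responsive=False accepts the
    connection and then stays silent, like a daemon that is alive but stuck.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    held = []  # keep silent connections open so the client gets no reply

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listening socket was closed
            if responsive:
                if conn.recv(64).strip() == b"PING":
                    conn.sendall(b"PONG\n")
                conn.close()
            else:
                held.append(conn)

    threading.Thread(target=serve, daemon=True).start()
    return srv


def closed_port():
    """Return a loopback port that nothing is listening on."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()
    return port


if __name__ == "__main__":
    healthy = fake_clamd(responsive=True)
    stuck = fake_clamd(responsive=False)
    for label, port in (("healthy", healthy.getsockname()[1]),
                        ("stuck", stuck.getsockname()[1]),
                        ("dead", closed_port())):
        print(label, check_clamd("127.0.0.1", port, timeout=1.0))
```

Run from cron or a supervisor's check hook, a result of "hung" is the cue to kill and restart the daemon, while "down" means the supervisor should already be restarting it.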
RE: [Clamav-users] password-protected Worm.Bagle.H
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:clamav-users- [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> Sent: 2 March 2004 13:15
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] password-protected Worm.Bagle.H
>
> Suggestions? There are really easy ways for the virus writer to circumvent this type of check but until they start utilizing such strategies, is it possible to include the zip's crc into ClamAV's sigs?

From the (unzipped) samples I've access to they differ in size, so MD5 or other checksums are useless.

Best regards,
Diego d'Ambra
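[Added example, not part of the original thread and not ClamAV code: the CRC idea from this thread carried through in Python. It reads each entry's name, CRC-32, sizes and encryption flag from the zip central directory without a password, builds the CRC-plus-sizes fingerprint suggested above, and shows the limitation raised in the replies: a second copy with different content gets a different fingerprint and can only be reported as encrypted. All function names are hypothetical, and the sample archives are constructed: their headers are patched to carry the "encrypted" flag, the payload is harmless text and is never decrypted.]

```python
import io
import struct
import zipfile

ENCRYPTED = 0x0001  # general-purpose flag bit 0: entry data is encrypted


def list_entries(zip_bytes):
    """Read per-entry metadata from the central directory.

    Name, CRC-32, sizes and flags are stored in clear even when the entry
    data is encrypted, so no password is needed and nothing is extracted.
    """
    entries = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for zi in zf.infolist():
            entries.append({
                "name": zi.filename,
                "crc32": "%08x" % zi.CRC,
                "size": zi.file_size,
                "packed": zi.compress_size,
                "encrypted": bool(zi.flag_bits & ENCRYPTED),
            })
    return entries


def fingerprint(entry):
    """CRC-32 plus both sizes, to make an accidental collision less likely."""
    return (entry["crc32"], entry["size"], entry["packed"])


def scan(zip_bytes, known):
    """Classify each entry against a set of known fingerprints."""
    results = []
    for entry in list_entries(zip_bytes):
        if fingerprint(entry) in known:
            verdict = "known-fingerprint"
        elif entry["encrypted"]:
            verdict = "encrypted-unscannable"  # content cannot be inspected
        else:
            verdict = "scannable"
        results.append((entry["name"], verdict))
    return results


def build_sample(payload, name="sample.scr", encrypted=True):
    """Constructed input: a one-entry stored zip, optionally flagged encrypted.

    Only the flag bits in the headers are patched; the payload stays as is,
    which is enough here because the scanner reads metadata only.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    raw = bytearray(buf.getvalue())
    if encrypted:
        struct.pack_into("<H", raw, 6, ENCRYPTED)        # local file header
        central = raw.rfind(b"PK\x01\x02")
        struct.pack_into("<H", raw, central + 8, ENCRYPTED)  # central directory
    return bytes(raw)


if __name__ == "__main__":
    copy_a = build_sample(b"constructed copy A " * 50)
    copy_b = build_sample(b"constructed copy B, different length " * 50)
    known = {fingerprint(list_entries(copy_a)[0])}
    for label, blob in (("copy A", copy_a), ("copy B", copy_b)):
        print(label, list_entries(blob)[0], scan(blob, known))
```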
AW: AW: AW: AW: [Clamav-users] clamav stops running
> supervise .. but, as said, it won't help if the demon stops answering but does not crash at all.
>
> supervise is part of daemontools.

good to know, i never installed / compiled or viewed daemontools :-)) ( multi admin server )
AW: [Clamav-users] Clamd problem Solaris 8
Hi!

I tried the latest snapshot with size 1kB (20040301) and had a compilation problem on Solaris 8!!

gcc -g -O2 -o .libs/clamd options.o cfgfile.o clamd.o tcpserver.o localserver.o session.o thrmgr.o server-th.o scanner.o others.o clamuko.o dazukoio_compat12.o dazukoio.o tests.o ../clamscan/getopt.o -L/export/home/wolfgang/dev/clamav-devel-20040301/libclamav /export/home/wolfgang/dev/clamav-devel-20040301/libclamav/.libs/libclamav.so -lz -lbz2 /usr/local/lib/libgmp.so -lpthread -lsocket -lnsl -lresolv -R/usr/local/lib
ld: fatal: file dazukoio_compat12.o: wrong ELF machine type: EM_386
ld: fatal: File processing errors. No output written to .libs/clamd
collect2: ld returned 1 exit status
*** Error code 1
make: Fatal error: Command failed for target `clamd'
Current working directory /export/home/wolfgang/dev/clamav-devel-20040301/clamd
*** Error code 1
make: Fatal error: Command failed for target `all-recursive'
Current working directory /export/home/wolfgang/dev/clamav-devel-20040301
*** Error code 1
make: Fatal error: Command failed for target `all'

Is this also a known problem??

Wolfgang

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tomasz Kojm
> Sent: Tuesday, 02 March 2004 09:23
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] Clamd problem Solaris 8
>
> On Tue, 2 Mar 2004 07:51:30 +0100 Clamav [EMAIL PROTECTED] wrote:
>
> Tue Mar 2 02:56:35 2004 - Session 0 stopped due to timeout.
> Tue Mar 2 03:05:02 2004 - +++ Started at Tue Mar 2 03:05:02 2004
>
> Is this a known problem ?
>
> Yes, it is. Please update to the CVS version.
>
> --
>    oo.       Tomasz Kojm [EMAIL PROTECTED]
>   (\/)\.     http://www.ClamAV.net/gpg/tkojm.gpg
>      \..._   0DCA5A08407D5288279DB43454822DC8985A444B
>      //\ /\  Tue Mar 2 09:22:12 CET 2004
[Clamav-users] Wanted
Hello Community,

We suspect that ClamAV is missing a signature against Welchia.B (Nachi.B). If someone has a sample please submit it through http://clamav.sourceforge.net/cgi-bin/sendvirus.cgi

Thanks in advance...

Best regards,
Diego d'Ambra
Re: [Clamav-users] Errors - need some help
On Tue, 2004-03-02 at 13:36, Kevin Barrett wrote:

> ClamAV users;
>
> I could use a bit of direction here. I've just installed clamd from RPM on a RH linux server running EXIM. with the exiscan-acl patch. When I enable an ACL for Scan at DATA time I get the following error in the log files
>
> 2004-02-27 08:59:04 1AwiW8-NF-Lk malware acl condition: clamd: ClamAV returned /var/spool/exim/scan/1AwiW8-NF-Lk: Can't access the file ERROR
>
> The directory is there and owned by exim but there are no files in it.

You need to run clamd as a user with permissions to read the files (which you put in clamav.conf), probably whatever exim runs as.

-trog
Re: AW: [Clamav-users] clamav stops running
On Tuesday 02 Mar 2004 11:40 am, Darren Honeyball [ML] wrote:

> Power-Netz (Schwarz) wrote:
>
> I frequently have to run clamav manually, what makes to stop? Is there a way to re-run it automatically!
>
> Read the ML-History, you will find some restartscripts for clamd. make a cronjob */1 * * * * for it.
>
> I personally run clamd under daemontools as I'm already running daemontools for qmail. Works a treat.

Can clamd be started from xinetd?

> You can find daemontools at http://cr.yp.to/daemontools.html
>
> D

-Nigel

--
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK. ICQ#20252325
[EMAIL PROTECTED] http://www.bandsman.co.uk
Re: [Clamav-users] Errors - need some help
> ClamAV users;
>
> I could use a bit of direction here. I've just installed clamd from RPM on a RH linux server running EXIM. with the exiscan-acl patch. When I enable an ACL for Scan at DATA time I get the following error in the log files
>
> 2004-02-27 08:59:04 1AwiW8-NF-Lk malware acl condition: clamd: ClamAV returned /var/spool/exim/scan/1AwiW8-NF-Lk: Can't access the file ERROR
>
> The directory is there and owned by exim but there are no files in it.
>
> Any help, thoughts?
>
> Kevin

Hi Kevin,

I got this same error and I have ClamAV, AMaViS and sendmail running. I tried various things like changing permissions and stuff. Nothing worked. Another thing I noticed was that this happens only when clam is made to run as clam user and not root user. When it runs as root, no problems at all (but running as root is the problem). Please check if this is true in your case.

I looked into amavis script and hacked its directory creation permissions and now things are working OK even when running as non-root. (The hack is not the best thing to do, but at least temporarily it solved my problem).

I am still waiting for someone to answer my earlier question on this one. If people want me to resubmit my question, I would be happy to do it.

Prakash
Re: [Clamav-users] clamav stops running
On Tue, 2 Mar 2004 15:17:37 +0300 (EAT) Japhet Samson [EMAIL PROTECTED] wrote:

> Power-Netz (Schwarz) wrote:
>
> I personally run clamd under daemontools as I'm already running daemontools for qmail. Works a treat. You can find daemontools at http://cr.yp.to/daemontools.html
>
> That will not help you, because clam will stop working, not crashing.
>
> Works just fine for me - my spamd occasionally dies, but never hangs with the daemon still running.
>
> daemontools is said to work on unix only, what is the alternative in linux?

It works on Linux also.

Phil
[Clamav-users] Re: password-protected Worm.Bagle.F
On Tue, Mar 02, 2004 at 09:37:48AM +0100, Tomasz Papszun wrote:
| On Mon, 01 Mar 2004 at 21:04:55 -0500, Derrick 'dman' Hudson wrote:
| | Is the zip file really encrypted, or is the password just an
| |
| Really.

Oh, ok. I guess zip files can be more secure than I assumed at first.

-D
--
I can do all things through Christ who strengthens me. Philippians 4:13
www: http://dman13.dyndns.org/~dman/ jabber: [EMAIL PROTECTED]
[Clamav-users] database reloading (waiting)
Hi all I run clamd version 0.67 (which is super-stable!) + clam-milter + sendmail 8.12. Suddenly clamd is struggling to load the db and reports the waiting as listed below. Updates happen at 32 minutes past the hour. While clamd was waiting for the db, my smtp service chugged along so slowly that it was reaching time-outs. Fixed by restarting clamd the milter. Any ideas what this is and why it happens?

Tue Mar 2 12:24:15 2004 - Session 0 stopped due to timeout.
Tue Mar 2 12:24:15 2004 - SelfCheck: Database modification detected. Forcing reload.
Tue Mar 2 12:24:15 2004 - SelfCheck: Integrity OK
Tue Mar 2 12:24:15 2004 - Main thread: database reloading (waiting).
Tue Mar 2 12:26:14 2004 - Database reload: some threads must be stopped in the next iteration.
Tue Mar 2 12:26:14 2004 - Session 1 stopped due to timeout.
Tue Mar 2 12:26:16 2004 - Main thread: database reloaded.
Tue Mar 2 12:26:16 2004 - Main thread: database reloading (waiting).
Tue Mar 2 12:26:16 2004 - Accepted connection on port 40940, fd 109
Tue Mar 2 12:28:16 2004 - Main thread: database reloaded.
Tue Mar 2 12:28:16 2004 - Main thread: database reloading (waiting).
Tue Mar 2 12:28:16 2004 - Accepted connection on port 29594, fd 109
Tue Mar 2 12:30:16 2004 - Main thread: database reloaded.
Tue Mar 2 12:30:16 2004 - Main thread: database reloading (waiting).
Tue Mar 2 12:30:16 2004 - Accepted connection on port 41978, fd 109
Tue Mar 2 12:32:17 2004 - Main thread: database reloaded.
Tue Mar 2 12:32:17 2004 - Main thread: database reloading (waiting).
Tue Mar 2 12:32:17 2004 - Accepted connection on port 2455, fd 126
Tue Mar 2 12:34:17 2004 - Main thread: database reloaded.
Tue Mar 2 12:34:17 2004 - Main thread: database reloading (waiting).
Tue Mar 2 12:34:17 2004 - Accepted connection on port 36830, fd 130
Tue Mar 2 12:36:17 2004 - Main thread: database reloaded.
Tue Mar 2 12:36:17 2004 - Main thread: database reloading (waiting).
Tue Mar 2 12:36:17 2004 - Accepted connection on port 16153, fd 137
Tue Mar 2 12:38:18 2004 - Main thread: database reloaded.
Tue Mar 2 12:38:18 2004 - Main thread: database reloading (waiting).
Tue Mar 2 12:38:18 2004 - Accepted connection on port 9453, fd 141
Tue Mar 2 12:40:18 2004 - Main thread: database reloaded.
Tue Mar 2 12:40:18 2004 - Main thread: database reloading (waiting).
Tue Mar 2 12:40:18 2004 - Accepted connection on port 36723, fd 145
Tue Mar 2 12:42:18 2004 - Main thread: database reloaded.
Tue Mar 2 12:42:18 2004 - Main thread: database reloading (waiting).
Tue Mar 2 12:44:19 2004 - Main thread: database reloaded.
Tue Mar 2 12:44:19 2004 - Main thread: database reloading (waiting).
Tue Mar 2 12:46:19 2004 - Main thread: database reloaded.
Tue Mar 2 12:46:19 2004 - Main thread: database reloading (waiting).

Jaap Scholten eNetworks 136 Upper Waterkant Street Cape Town 8001, South Africa
[Clamav-users] German Language
Hi all, i would like to have clamav send its messages in german. where can i edit these text? or anyone done this before? Regards Rudi
RE: [Clamav-users] password-protected Worm.Bagle.H
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Diego d'Ambra Sent: Tuesday, March 02, 2004 4:55 AM To: [EMAIL PROTECTED] Subject: RE: [Clamav-users] password-protected Worm.Bagle.H -Original Message- From: [EMAIL PROTECTED] [mailto:clamav-users- [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: 2. marts 2004 13:15 To: [EMAIL PROTECTED] Subject: Re: [Clamav-users] password-protected Worm.Bagle.H Suggestions? There are really easy ways for the virus writer to circumvent this type of check but until they start utilizing such strategies, is it possible to include the zip's crc into ClamAV's sigs? From the (unzipped) samples I've access to they differ in size, so MD5 or other checksums are useless. Best regards, Diego d'Ambra Seeing how quickly this could get out of hand, and how hard it would be to write code to read the password from the mail - how about a simple option that allows full rejection of password encrypted archives - or optional (based on db lookup) but I'm probably hoping too much there... I run virtual users out of a mysql database - the user emails are in one field - options controlling mail handling are in others ('Y' / 'N' enums). Being able to control this would be ideal, but being able to outright reject them would be an improvement. Another tack on this might be accomplished through procmail / maildrop if unzip will report if archived files are in fact password protected... does anyone know if there is a way to list passworded file besides trying to extract them? Just a few thoughts - as always thank you for the excellent tool m/
Re: [Clamav-users] password-protected Worm.Bagle.H
On Tue, Mar 02, 2004 at 07:38:59AM -0800, Mitch (WebCob) wrote: Seeing how quickly this could get out of hand, and how hard it would be to write code to read the password from the mail - how about a simple option that allows full rejection of password encrypted archives - or optional (based on db lookup) but I'm probably hoping too much there... The question is how much of a problem it really is. Are users really that dumb? What I'm wondering is whether the encrypted version of the virus can be created by the unencrypted version, or whether the encrypted versions of the virus we have seen have all been produced by actual encrypted-zip infections. Anyone know? -- Erik Corry I'd be a Libertarian, if they weren't all a [EMAIL PROTECTED] bunch of tax-dodging professional whiners. - B. Breathed.
Re: [Clamav-users] Re: password-protected Worm.Bagle.F
At 10:04 AM 3/2/2004 +0100, Tomasz Papszun wrote: As usually: only if ClamAV with an up-to-date database isn't detecting an infection in a sample. In this particular case a sample = a full message sample. OK - I am still receiving emails containing a PW-protected zip with this virus. Should I use the Web form to get you the email? Or should I just redirect the message to [EMAIL PROTECTED] ? I know the latter is deprecated so what would be the best way to get you a sample in this case? Thanks in advance. -- B.K. DeLong [EMAIL PROTECTED] +1.617.797.2472 http://ocw.mit.edu Work. http://www.brain-stream.com Play. http://www.the-leaky-cauldron.org Potter. http://www.city-of-doors.com Sigil. http://www.hackerfoundation.org Future. PGP Fingerprint: 38D4 D4D4 5819 8667 DFD5 A62D AF61 15FF 297D 67FE
[Clamav-users] German Language HTML
sry for the html, outlook default :-) again, anyone having locales for clamav? german in special! Regards Rudi
[Clamav-users] virus not detected one but detected on another machine
Hi, I have a strange problem. I have two email servers. Both are Redhat 7.3 and using qmail. I have installed clamav 0.65 from the source on Machine A. Then I installed clamav 0.67 On Machine B I have installed clamav 0.67 the first time. I am using gadoyanvirus 0.2 as the link between qmail and clamav. Machine B detects all the viruses but Machine A does not detect all the viruses. When I send eicar.com, the test virus, both detect it. But when I send some of the new viruses like document_4125.pif only Machine B detects it. I have checked the following.

1. clamav.conf (both are the same)
2. run freshclam (both are up to date)
3. I have increased the softlimit for qmail to 60mb (both have the same value)
4. ftp the virus into the Machine A and did a clamscan and it detected it.
5. send eicar.com both machines detected it.

The only difference I can see is that on machine A I installed clamav 0.65 then installed 0.67. Is there anything else I can do or check? P.V.Anthony
RE: [Clamav-users] password-protected Worm.Bagle.H
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Erik Corry The question is how much of a problem it really is. Are users really that dumb? What I'm wondering is whether the encrypted version of the virus can be created by the unencrypted version, or whether the encrypted versions of the virus we have seen have all been produced by actual encrypted-zip infections. Anyone know? Yes, people really are that dumb. Heck, I talked with somebody earlier today who infected himself with Netsky-D, and this is somebody normally pretty smart... PLEASE - keep list traffic on the list. Email sent directly to me may be ignored utterly. -- Rob | What part of no was it you didn't understand?
[Clamav-users] ClamAV 0.67 memory leak
Anyone seen this...

3843 ? S 0:00 clamd
3846 ? S 0:01 \_ clamd
3847 ? S 0:03 \_ clamd

when i cat the /proc/3843/status file...

Name: clamd
State: S (sleeping)
Tgid: 3843
Pid: 3843
PPid: 1
TracerPid: 0
Uid: 0 0 0 0
Gid: 0 0 0 0
FDSize: 32
Groups: 0
VmSize: 210900 kB
VmLck: 0 kB
VmRSS: 22940 kB
VmData: 209128 kB
VmStk: 16 kB
VmExe: 36 kB
VmLib: 1672 kB
RE: [Clamav-users] Re: password-protected Worm.Bagle.F
-Original Message- From: [EMAIL PROTECTED] [mailto:clamav-users- [EMAIL PROTECTED] On Behalf Of B.K. DeLong Sent: 2. marts 2004 17:06 To: [EMAIL PROTECTED] Subject: Re: [Clamav-users] Re: password-protected Worm.Bagle.F OK - I am still receiving emails containing a PW-protected zip with this virus. Should I use the Web form to get you the email? Or should I just redirect the message to [EMAIL PROTECTED] ? I know the latter is deprecated so what would be the best way to get you a sample in this case? Through http://clamav.sourceforge.net/cgi-bin/sendvirus.cgi Best regards, Diego d'Ambra
Re: [Clamav-users] clamav and netsky.d
Vpopmail Mailinglist wrote: hi Guys.. i there a update for netsky.d ? Clamav detect it for 2 days! Just run freshclam.
Re: [Clamav-users] password-protected Worm.Bagle.H
The question is how much of a problem it really is. Are users really that dumb? What I'm wondering is whether the encrypted version of the virus can be created by the unencrypted version, or whether the encrypted versions of the virus we have seen have all been produced by actual encrypted-zip infections. Anyone know? yes, they are. i've gotten about 10 of those in the last 3 days.
[Clamav-users] Archive Not Working?
The archive for the mailing list seems to have stopped around the 14th of January. Can the admins take a look at that and figure out why? Yay sourceforge! Tom Walsh Network Administrator http://www.ala.net/
[Clamav-users] For those using Procmail - a simple rule to hinder the Bagle-I virus
Maybe OT - but it's a decent interim fix so people can continue sending large(r) Zips. SO - not sure if this is OT or what, but if you use procmail as the delivery agent on your system, this rule below will catch the ZIPs under 250k in size and having 'password:' somewhere in the body. Not perfect, not guaranteed - but it's been working for us. If I knew how large or how small these attachments were, we could obviously adjust the size. And I am sure it can be tweaked - like do these viruses only have the attachment name in the headers and not the body? Would make the rule less prone to hit regular Zips. Places them all in a file in your mail spool folder called: antivirus-bagle.I so you can hunt down any false positives until the Virus Scanner folks can figure out how to handle this one. Good luck guys! Keep up the good work ClamAV, just another one to beat down. Too bad the MailScanner folks could not adjust for size on file name type rules... Jerome

TEMP RULE FOR BAGLE-I
:0 BH
* ^(Content.*(file)?name=.+\.(zip).*$|\
Content-Type:(.*$)+.*(file)?name=.+\.(zip).*$|\
.*\/^.*name=.*\.(zip))
{
  :0
  * 25
  {
    :0 B
    * .*\/(password:)
    {
      LOG=SPAMLOG Antivirus BAGLE-I $MATCH
      :0
      antivirus-bagle.I
    }
  }
}

ePaxsys/FRWS Technical Staff ePaxsys, Inc. http://www.epaxsys.net FRWS: http://www.frws.com Live Text Support: http://www.epaxsys.net/live-help
Re: [Clamav-users] Re: password-protected Worm.Bagle.F
On Tue, 02 Mar 2004 at 11:05:53 -0500, B.K. DeLong wrote: At 10:04 AM 3/2/2004 +0100, Tomasz Papszun wrote: As usually: only if ClamAV with an up-to-date database isn't detecting an infection in a sample. In this particular case a sample = a full message sample. OK - I am still receiving emails containing a PW-protected zip with this virus. Should I use the Web form to get you the email? Or should I just Yes, the WWW form. redirect the message to [EMAIL PROTECTED] ? I know the latter is deprecated so what would be the best way to get you a sample in this case? http://clamav.sourceforge.net/cgi-bin/sendvirus.cgi -- Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only [EMAIL PROTECTED] http://www.lodz.tpsa.pl/ | ones and zeros. [EMAIL PROTECTED] http://www.ClamAV.net/ A GPL virus scanner
Re: [Clamav-users] virus not detected one but detected on another machine
On Tue, 2004-03-02 at 12:21, P.V.Anthony wrote: The only difference I can see is that on machine A I installed clamav 0.65 then installed 0.67. So what part of 0.67 works better and I should install it on machine A are you missing? Is there anything else I can do or check? Check if it is plugged in. -- Russel Oliver [EMAIL PROTECTED] http://www.techsane.com
[Clamav-users] Some more evidence for my last mail ...
Hey there, in my last mail I told that clamscan finds the virus while clamd doesn't. Here's some more evidence for this:

sh-2.04$ /usr/local/clamav-0.67/bin/clamscan ./your_archive.pif
./your_archive.pif: Worm.SomeFool.B-petite FOUND

--- SCAN SUMMARY ---
Known viruses: 20355
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.02 MB
I/O buffer size: 131072 bytes
Time: 0.750 sec (0 m 0 s)

sh-2.04$ /usr/local/clamav-0.67/bin/clamdscan ./your_archive.pif
/var/amavis/./your_archive.pif: OK

--- SCAN SUMMARY ---
Infected files: 0
Time: 0.007 sec (0 m 0 s)

Any ideas? Never got such problems with the previous versions :(. Thomas
[Clamav-users] netsky-d found by clamscan but not by clamd?
hey folks, I'm running clam-av 0.67 in combination with amavisd-new. With nearly never a virus slipping through, thanks to the devs. But recently a lot of viruses started to slip through. Checking it on the same machine, extracting the attachment by hand it is detected by clamscan, so it must be clamd choking on it. amavisd-new extracts the parts too but stores them without the filenames or extension. is there a dependency on the name? or any other thing I could look for? TIA, Thomas
Re: [Clamav-users] password-protected Worm.Bagle.H
On Tue, Mar 02, 2004 at 11:59:19AM -0600, John Jolet wrote: The question is how much of a problem it really is. Are users really that dumb? yes, they are. i've gotten about 10 of those in the last 3 days. That doesn't actually prove that anyone typed in the password and got infected. The version with unencrypted zip file can send the version with encrypted zip file to others. The best defence against it (if it really is a problem) might be blocking encrypted zip files with suspicious filenames in them. You can see that the file contains a .exe .pif, etc. ending without the password. That's probably not a task for clamav though, more like MIMEDefang: http://www.mimedefang.org/ Someone seems to have been giving this some thought: http://lists.roaringpenguin.com/pipermail/mimedefang/2004-March/020563.html -- Erik Corry I'd be a Libertarian, if they weren't all a [EMAIL PROTECTED] bunch of tax-dodging professional whiners. - B. Breathed.
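The check described in the message above, which also answers the earlier question in this thread about spotting password-protected members without extracting them, as an added example (not code from the list or from ClamAV): with traditional ZIP encryption the central directory stays in clear, so member names and the encryption flag can be read without the password. The extension list, the verdict names and the sample archives are assumptions constructed for the illustration.

```python
import io
import struct
import zipfile

# Extensions treated as executable here (an assumption; adjust to local policy).
RISKY_EXTENSIONS = (".exe", ".pif", ".scr", ".com", ".bat", ".cmd")
ENCRYPTED_FLAG = 0x0001  # bit 0 of the ZIP general-purpose bit flag


def inspect_zip(data):
    """Return (encrypted_names, risky_encrypted_names) for a ZIP given as bytes.

    Only the central directory is read, so no password is needed.
    """
    encrypted, risky = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.flag_bits & ENCRYPTED_FLAG:
                encrypted.append(info.filename)
                if info.filename.lower().endswith(RISKY_EXTENSIONS):
                    risky.append(info.filename)
    return encrypted, risky


def verdict(data):
    """Hypothetical policy: reject encrypted executables, hold other encrypted
    archives for review, and leave unencrypted ones to the content scanner."""
    try:
        encrypted, risky = inspect_zip(data)
    except zipfile.BadZipFile:
        return "unreadable"
    if risky:
        return "reject"
    if encrypted:
        return "quarantine"
    return "pass"


def build_sample(names, encrypted):
    """Constructed test input: a stored ZIP whose headers are then patched to
    carry the encryption flag. The payload is placeholder text, not encrypted
    data; only the metadata matters for the check above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name in names:
            zf.writestr(name, b"constructed placeholder bytes")
    raw = bytearray(buf.getvalue())
    if not encrypted:
        return bytes(raw)
    with zipfile.ZipFile(io.BytesIO(bytes(raw))) as zf:
        local_offsets = [info.header_offset for info in zf.infolist()]
    for off in local_offsets:
        raw[off + 6] |= ENCRYPTED_FLAG          # flag field of each local header
    # The end-of-central-directory record is the last 22 bytes (no comment);
    # its final fields are the directory offset (4 bytes) and comment length (2).
    pos = struct.unpack_from("<I", raw, len(raw) - 6)[0]
    for _ in local_offsets:
        assert raw[pos:pos + 4] == b"PK\x01\x02"
        raw[pos + 8] |= ENCRYPTED_FLAG          # flag field of the directory entry
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", raw, pos + 28)
        pos += 46 + name_len + extra_len + comment_len
    return bytes(raw)


if __name__ == "__main__":
    for names, enc in ((["price_list.txt"], False),
                       (["photo.jpg"], True),
                       (["readme.txt", "Document.PIF"], True)):
        print(names, "encrypted" if enc else "plain", "->", verdict(build_sample(names, enc)))
```
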
Re: [Clamav-users] For those using Procmail - a simple rule to hinder the Bagle-I virus
On Tue, 02 Mar 2004 at 11:18:25 -0700, Support ePaxsys/FRWS wrote: Maybe OT - but it's a decent interim fix so people can continue sending large(r) Zips. SO - not sure if this is OT or what, but if you use procmail as the delivery agent on your system, this rule below will catch the ZIPs under 250k in size and having 'password:' somewhere in the body. Not perfect, not guaranteed - but it's been working for us. If I knew how large or how small these attachments were, we could obviously adjust the size. [...] Usually messages with various Bagles are between 20 KB and 35 KB in size. Attachments themselves (decoded) are between 15 KB and 30 KB. -- Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only [EMAIL PROTECTED] http://www.lodz.tpsa.pl/ | ones and zeros. [EMAIL PROTECTED] http://www.ClamAV.net/ A GPL virus scanner
Re: [Clamav-users] Some more evidence for my last mail ...
Thomas, On Tue, 2004-03-02 at 14:09, Thomas Seifert wrote: in my last mail I told that clamscan finds the virus while clamd doesn't. Here's some more evidence for this: Reload clamd and see if that makes a difference. It sounds like freshclam may not be telling clamd to reload the virus databases. Cheers, Mike
Re: [Clamav-users] Some more evidence for my last mail ...
On Tue, 02 Mar 2004 at 20:09:08 +0100, Thomas Seifert wrote: in my last mail I told that clamscan finds the virus while clamd doesn't. Here's some more evidence for this: sh-2.04$ /usr/local/clamav-0.67/bin/clamscan ./your_archive.pif ./your_archive.pif: Worm.SomeFool.B-petite FOUND [...] sh-2.04$ /usr/local/clamav-0.67/bin/clamdscan ./your_archive.pif /var/amavis/./your_archive.pif: OK Only a short note related to clamdscan itself: is your_archive.pif readable by user running clamd? (not you, but clamd). -- Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only [EMAIL PROTECTED] http://www.lodz.tpsa.pl/ | ones and zeros. [EMAIL PROTECTED] http://www.ClamAV.net/ A GPL virus scanner
Re: [Clamav-users] ClamAV 0.67 memory leak
On Tue, 2 Mar 2004 19:39:23 +0200 Nigel Kukard [EMAIL PROTECTED] wrote: Anyone seen this... 3843 ?S 0:00 clamd 3846 ?S 0:01 \_ clamd 3847 ?S 0:03 \_ clamd when i cat the /proc/3843/status file... Please post your clamav.conf. -- oo. Tomasz Kojm [EMAIL PROTECTED] (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg \..._ 0DCA5A08407D5288279DB43454822DC8985A444B //\ /\ Tue Mar 2 21:39:02 CET 2004
RE: [Clamav-users] Correct clamav-milter options to --postmaster-only
-Original Message- From: Nigel Horne [mailto:[EMAIL PROTECTED] Sent: Tuesday, 2 March 2004 6:46 PM To: [EMAIL PROTECTED] Subject: Re: [Clamav-users] Correct clamav-milter options to --postmaster-only On Tuesday 02 Mar 2004 12:58 am, Stevens, John wrote: Please post an example of the bounce message, then I can see where it's coming from. From: MAILER-DAEMON To: [EMAIL PROTECTED] CC: [EMAIL PROTECTED] Subject: Virus intercepted A message you sent to [EMAIL PROTECTED] contained a virus and has not been delivered. stream: Worm.Bagle.E FOUND John, Unfortunately you've deleted the original message with all your options and I've deleted your original posting so I can't remember what they were. Anyway, this message is created by the -b (--bounce) option, so turn that off. John Stevens - MIS Manager, Senior Project Engineer -- Nigel Horne. Arranger, Composer, Typesetter. NJH Music, Barnsley, UK. ICQ#20252325 [EMAIL PROTECTED] http://www.bandsman.co.uk Hi Nigel, Options I am passing are -lob -postmaster-only [EMAIL PROTECTED] /path/to/socket. I do want the postmaster notifications as outlined in the man pages with the offending message ID. I do not want the bounce going back to sender. I am aware I can stop the bounce by turning off the bounce option, but according to my reading of the man page, it must be on for the postmaster to get notifications. Hence I have left it on, but I am only CC'd in a bounce message, and that does not contain the message ID of the offending message. Thanks TUSC Computer Systems - www.tusc.com.au John Stevens - MIS Manager, Senior Project Engineer Mobile: 0419840411 Direct: 03 9840 4428
Re: [Clamav-users] Can somebody help me with this error message?
On Tue, Mar 02, 2004 at 03:13:55PM -0500, Frank DeChellis said: Hi. Exim 4.2 with Exiscan clamav 0.66 on a separate server NetBSd 1.6.2 on both servers The scans are happening but this is the message I receive in my log files

2004-03-02 15:18:38 1AyGLe-mS-J3 H=h207-176-232-131.enertiatech.com (enertia1.enertiatech.com) [207.176.232.131] F=[EMAIL PROTECTED] rejected after DATA: This message contains a virus: ( Can't access the file ERROR) please scan your system.

Clam is running as a separate uid than exim, probably - see what uid exim runs as, then add a 'User $(uid of exim)' statement to clamav.conf -- -- | Stephen Gran | james abuse me. I'm so lame I sent a | | [EMAIL PROTECTED] | bug report to debian-devel- | | http://www.lobefin.net/~steve | changes | --
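An added example (not from the thread or from ClamAV) of the diagnosis suggested above and in Tomasz Papszun's earlier note on clamdscan: resolve the path the way the kernel would for the scanner's account and report the first component that account cannot search or read. It evaluates classic owner/group/other mode bits only (no ACLs), and the demo spool layout, the uids and the function names are constructed for the illustration.

```python
import os
import stat
import tempfile


def allowed(st, uid, gids, want):
    """Classic POSIX check: want is an rwx mask (4 = read, 1 = search/execute).

    Exactly one permission class applies: owner, else group, else other.
    """
    if uid == 0:
        return True  # root is not stopped by read/search mode bits
    if st.st_uid == uid:
        shift = 6
    elif st.st_gid in gids:
        shift = 3
    else:
        shift = 0
    return ((st.st_mode >> shift) & want) == want


def first_blocker(path, uid, gids, base="/"):
    """Return the first component under `base` that (uid, gids) cannot pass,
    or None when the target is reachable and readable for that account."""
    base = os.path.realpath(base)
    target = os.path.realpath(path)
    rel = os.path.relpath(target, base)
    if rel == os.pardir or rel.startswith(os.pardir + os.sep):
        raise ValueError("path is not below base")
    chain = [base]
    if rel != ".":
        for part in rel.split(os.sep):
            chain.append(os.path.join(chain[-1], part))
    for component in chain:
        st = os.stat(component)
        if stat.S_ISDIR(st.st_mode):
            # Intermediate directories need search; a target directory needs
            # read as well so its entries can be listed.
            want = 0o5 if component == chain[-1] else 0o1
        else:
            want = 0o4
        if not allowed(st, uid, gids, want):
            return component
    return None


def build_demo_spool():
    """Constructed layout: base/ (0755) -> scan/ (0700) -> message-1 (0644)."""
    base = os.path.realpath(tempfile.mkdtemp(prefix="spool-demo-"))
    os.chmod(base, 0o755)
    spool = os.path.join(base, "scan")
    os.mkdir(spool)
    os.chmod(spool, 0o700)
    msg = os.path.join(spool, "message-1")
    with open(msg, "wb") as fh:
        fh.write(b"constructed test message\n")
    os.chmod(msg, 0o644)
    return base, spool, msg


if __name__ == "__main__":
    base, spool, msg = build_demo_spool()
    owner = os.stat(spool)
    # Hypothetical scanner account that differs from the spool owner.
    scanner_uid, scanner_gid = owner.st_uid + 1, owner.st_gid + 1
    print("separate uid :", first_blocker(msg, scanner_uid, {scanner_gid}, base))
    # Running the scanner as the spool owner, as the message above suggests.
    print("same uid     :", first_blocker(msg, owner.st_uid, {owner.st_gid}, base))
```

The file itself is world-readable in the demo, yet the scan still fails for the separate uid because the 0700 spool directory cannot be searched, which is why a listing of the file's own permissions can look fine while the daemon reports that it cannot access it.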
[Clamav-users] Re: virus not detected one but detected on another machine
russ wrote: On Tue, 2004-03-02 at 12:21, P.V.Anthony wrote: The only difference I can see is that on machine A I installed clamav 0.65 then installed 0.67. So what part of 0.67 works better and I should install it on machine A are you missing? Is there anything else I can do or check? Check if it is plugged in. Troll Attack! - ignore that. Look in your virus database location and check that the updated signatures are the same. (/var/lib/clamav, /usr/local/clamav, etc. It's defined as DataDirectory in clamav.conf.)
Re: [Clamav-users] Can somebody help me with this error message?
On Tue, 2 Mar 2004, Frank DeChellis wrote: Hi. Exim 4.2 with Exiscan clamav 0.66 on a separate server NetBSd 1.6.2 on both servers The scans are happening but this is the message I receive in my log files

2004-03-02 15:18:38 1AyGLe-mS-J3 H=h207-176-232-131.enertiatech.com (enertia1.enertiatech.com) [207.176.232.131] F=[EMAIL PROTECTED] rejected after DATA: This message contains a virus: ( Can't access the file ERROR) please scan your system.

Any ideas? Maybe try 0.67-1 or a recent CVS version? -- Jesper Juhl [EMAIL PROTECTED] Systems Administrator, Danmarks Idræts-Forbund / The Danish Sports Federation Please don't top-post http://www.catb.org/~esr/jargon/html/T/top-post.html Please send plain text emails only http://www.expita.com/nomime.html
Re: [Clamav-users] For those using Procmail - a simple rule to hinder the Bagle-I virus
At 09:22 PM 3/2/04 +0100, Tomasz Papszun wrote: On Tue, 02 Mar 2004 at 11:18:25 -0700, Support ePaxsys/FRWS wrote: Maybe OT - but it's a decent interim fix so people can continue sending large(r) Zips. SO - not sure if this is OT or what, but if you use procmail as the delivery agent on your system, this rule below will catch the ZIPs under 250k in size and having 'password:' somewhere in the body. Not perfect, not guaranteed - but it's been working for us. If I knew how large or how small these attachments were, we could obviously adjust the size. [...] Usually messages with various Bagles are between 20 KB and 35 KB in size. Attachments themselves (decoded) are between 15 KB and 30 KB. -- Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only [EMAIL PROTECTED] http://www.lodz.tpsa.pl/ | ones and zeros. [EMAIL PROTECTED] http://www.ClamAV.net/ A GPL virus scanner

Thanks Thomas. Adjusted rule for size less than 55k and another password type line. So as not to spam the list: http://www.frws.com/jpp/bagle.rc Enjoy... Jerome ePaxsys/FRWS Technical Staff ePaxsys, Inc. http://www.epaxsys.net FRWS: http://www.frws.com Live Text Support: http://www.epaxsys.net/live-help
Re: [Clamav-users] password-protected Worm.Bagle.H
On my qmail server, qmail-scanner does this job for me. Google for qmail-scanner.

- Original Message -
From: Erik Corry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, March 02, 2004 9:11 PM
Subject: Re: [Clamav-users] password-protected Worm.Bagle.H

On Tue, Mar 02, 2004 at 11:59:19AM -0600, John Jolet wrote:

> > The question is how much of a problem it really is. Are users really that dumb?
>
> yes, they are. i've gotten about 10 of those in the last 3 days.

That doesn't actually prove that anyone typed in the password and got infected. The version with unencrypted zip file can send the version with encrypted zip file to others.

The best defence against it (if it really is a problem) might be blocking encrypted zip files with suspicious filenames in them. You can see that the file contains a .exe .pif, etc. ending without the password. That's probably not a task for clamav though, more like MIMEDefang: http://www.mimedefang.org/

Someone seems to have been giving this some thought: http://lists.roaringpenguin.com/pipermail/mimedefang/2004-March/020563.html

--
Erik Corry           I'd be a Libertarian, if they weren't all a
[EMAIL PROTECTED]    bunch of tax-dodging professional whiners. - B. Breathed.

Re: [Clamav-users] netsky-d found by clamscan but not by clamd?
On Tue, 02 Mar 2004 19:43:40 +0100 Thomas Seifert [EMAIL PROTECTED] wrote:

> filenames or extension. is there a dependency on the name?

No, there isn't.

--
oo. Tomasz Kojm [EMAIL PROTECTED]
(\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
\..._ 0DCA5A08407D5288279DB43454822DC8985A444B
//\ /\ Tue Mar 2 23:24:01 CET 2004

Re: [Clamav-users] Some more evidence for my last mail ...
On Tue, 02 Mar 2004 20:09:08 +0100 Thomas Seifert [EMAIL PROTECTED] wrote:

> Any ideas?

Connect to clamd and send the RELOAD command.

--
oo. Tomasz Kojm [EMAIL PROTECTED]
(\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
\..._ 0DCA5A08407D5288279DB43454822DC8985A444B
//\ /\ Tue Mar 2 23:25:59 CET 2004

[Clamav-users] Clam AV 0.67 e-smith RedHat 7.3 Packages
Hi,

I downloaded the Red Hat package from http://crash.fce.vutbr.cz/crash-hat/1/clamav/. When I try installing it on e-smith 6.0 with Red Hat 7.3, I get the following error:

[EMAIL PROTECTED] src]# rpm -Uvh clamav-0.67-1.i386.rpm
error: failed dependencies:
        libc.so.6(GLIBC_2.3) is needed by clamav-0.67-1
        libwrap.so.0 is needed by clamav-0.67-1
[EMAIL PROTECTED] src]# rpm -Uvh glibc-2.2.5-44.i386.rpm
error: failed dependencies:
        glibc-common = 2.2.5-44 is needed by glibc-2.2.5-44
[EMAIL PROTECTED] src]# rpm -Uvh glibc-common-2.2.5-44.i386.rpm
error: failed dependencies:
        glibc-common = 2.2.5-43 is needed by glibc-2.2.5-43
[EMAIL PROTECTED] src]#

There are so many packages and library files needed to get this working. Is there a single location or implementation guideline? I read the manual but it does not cover the package in detail and does not tell where to find all the needed files.

Thanks for your help in advance,
New Fresh Clam User

Re: [Clamav-users] Some more evidence for my last mail ... - SOLVED
Thomas Seifert wrote:

> On Tue, 02 Mar 2004 15:15:19 -0500 Mike Cathey [EMAIL PROTECTED] wrote:
> > Thomas,
> >
> > On Tue, 2004-03-02 at 14:09, Thomas Seifert wrote:
> > > in my last mail I told that clamscan finds the virus while clamd doesn't. Here's some more evidence for this:
> >
> > Reload clamd and see if that makes a difference. It sounds like freshclam may not be telling clamd to reload the virus databases.
>
> That isn't the problem, sorry. I killed and restarted clamd already a couple of times.
>
> Now I've found the problem, your message led to the point. I used my old clamav.conf which pointed to an old database directory. I didn't realize that freshclam was having its own config-file ... updating the new database directory. So I changed clamav.conf to contain the new database directory too and it worked. The strange thing is ... clamscan used the new dir (its default directory) and didn't use the path given in clamav.conf!?
>
> Thanks a lot, getting back from 0,7s to 0,007s is much better :)
>
> Thomas

Ah ha, guilty of the same, the new compiled version moved the .cvd files from /var/lib/clamav to /usr/local/share/clamav, a different directory. Should fix the problem. Explains why only the new virus passed thru.

Loren

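The failure described in this thread (clamd loading signatures from one directory while freshclam updates another, so only new viruses get through) can be checked mechanically. The following Python is an added example, not ClamAV code: it assumes the DatabaseDirectory directive in both config files and a colon-separated .cvd header with the version in the third field; the function names, the compiled-default argument and the sample databases are constructed for illustration.

```python
import os
import tempfile

CVD_MAGIC = "ClamAV-VDB"  # first header field of a .cvd file (assumed layout)


def effective_dbdir(conf_text, compiled_default):
    """DatabaseDirectory set in a config file, else the compiled-in default."""
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].strip().split(None, 1)
        if len(fields) == 2 and fields[0] == "DatabaseDirectory":
            return os.path.normpath(fields[1].strip())
    return os.path.normpath(compiled_default)


def cvd_version(path):
    """Signature-set version from a .cvd header, or None if missing or unreadable."""
    try:
        with open(path, "rb") as fh:
            header = fh.read(512).decode("ascii", "replace")
    except OSError:
        return None
    fields = header.split(":")
    if len(fields) < 3 or fields[0] != CVD_MAGIC or not fields[2].isdigit():
        return None
    return int(fields[2])


def audit(clamd_conf, freshclam_conf, compiled_default, db_name="daily.cvd"):
    """Compare the directory clamd loads from with the one freshclam updates."""
    scanner_dir = effective_dbdir(clamd_conf, compiled_default)
    updater_dir = effective_dbdir(freshclam_conf, compiled_default)
    scanner_ver = cvd_version(os.path.join(scanner_dir, db_name))
    updater_ver = cvd_version(os.path.join(updater_dir, db_name))
    findings = []
    if scanner_dir != updater_dir:
        findings.append("clamd loads %s but freshclam updates %s"
                        % (scanner_dir, updater_dir))
    if scanner_ver is None:
        findings.append("no readable %s in %s" % (db_name, scanner_dir))
    elif updater_ver is not None and scanner_ver < updater_ver:
        findings.append("clamd's %s is version %d, freshclam's is %d"
                        % (db_name, scanner_ver, updater_ver))
    return {"scanner_dir": scanner_dir, "updater_dir": updater_dir,
            "scanner_version": scanner_ver, "updater_version": updater_ver,
            "findings": findings}


def write_constructed_cvd(dirpath, version):
    """Write a constructed 512-byte header only; not a real signature database."""
    header = "%s:02 Mar 2004 12-00 +0000:%d:100:1:x:x:constructed:0" % (CVD_MAGIC, version)
    with open(os.path.join(dirpath, "daily.cvd"), "wb") as fh:
        fh.write(header.encode("ascii").ljust(512))


if __name__ == "__main__":
    # Constructed stand-ins for the old and new database directories.
    root = tempfile.mkdtemp()
    old_dir = os.path.join(root, "old-db")
    new_dir = os.path.join(root, "new-db")
    os.makedirs(old_dir)
    os.makedirs(new_dir)
    write_constructed_cvd(old_dir, 100)
    write_constructed_cvd(new_dir, 150)
    stale_clamd_conf = "# carried over from the old install\nDatabaseDirectory %s\n" % old_dir
    for line in audit(stale_clamd_conf, "# no DatabaseDirectory set\n", new_dir)["findings"]:
        print(line)
```
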
Re: [Clamav-users] Clam AV 0.67 e-smith RedHat 7.3 Packages
On Tue, Mar 02, 2004 at 02:49:48PM -0800, FreshClam wrote:

> Hi,
>
> I downloaded the Red Hat package from http://crash.fce.vutbr.cz/crash-hat/1/clamav/. When I try installing it on e-smith 6.0 with Red Hat 7.3, I get the following error:
>
> [EMAIL PROTECTED] src]# rpm -Uvh clamav-0.67-1.i386.rpm
> error: failed dependencies:
>         libc.so.6(GLIBC_2.3) is needed by clamav-0.67-1
>         libwrap.so.0 is needed by clamav-0.67-1
> [EMAIL PROTECTED] src]# rpm -Uvh glibc-2.2.5-44.i386.rpm
> error: failed dependencies:
>         glibc-common = 2.2.5-44 is needed by glibc-2.2.5-44
> [EMAIL PROTECTED] src]# rpm -Uvh glibc-common-2.2.5-44.i386.rpm
> error: failed dependencies:
>         glibc-common = 2.2.5-43 is needed by glibc-2.2.5-43
> [EMAIL PROTECTED] src]#
>
> There are so many packages and library files needed to get this working. Is there a single location or implementation guideline. I read the manual but it does not cover the package in detail and does not tell where to find all the needed files.

You might like to read:

http://www.pagefault.org/howto/e-smith-antivirus.shtml
or
http://www.pagefault.org/howto/amavis_clam.shtml

Or try http://contribs.org/modules/pbboard/

--
Damien

Re: [Clamav-users] ClamAV 0.67 memory leak
Nigel Kukard wrote:

> Anyone seen this...
>
> 3843 ?S 0:00 clamd
> 3846 ?S 0:01 \_ clamd
> 3847 ?S 0:03 \_ clamd
>
> when i cat the /proc/3843/status file...
>
> Name: clamd
> State: S (sleeping)
> Tgid: 3843
> Pid:3843
> PPid: 1
> TracerPid: 0
> Uid:0 0 0 0
> Gid:0 0 0 0
> FDSize: 32
> Groups: 0
> VmSize: 210900 kB
> VmLck: 0 kB
> VmRSS: 22940 kB
> VmData: 209128 kB
> VmStk:16 kB
> VmExe:36 kB
> VmLib: 1672 kB

Which version exactly (I guess it's 0.67 release, but better safe...), on which OS/Distribution?

I've not seen huge mem leaks in clam since its 0.65 days, and I tend to check this every now and then with valgrind.

Thomas

Re: [Clamav-users] Can somebody help me with this error message?
They're on separate servers...does that matter? I run exim as exim and clam as clamav.

On Tue, 2 Mar 2004, Stephen Gran wrote:

> Date: Tue, 2 Mar 2004 16:32:30 -0500
> From: Stephen Gran [EMAIL PROTECTED]
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] Can somebody help me with this error message?
>
> On Tue, Mar 02, 2004 at 03:13:55PM -0500, Frank DeChellis said:
> > Hi. Exim 4.2 with Exiscan
> > clamav 0.66 on a separate server
> > NetBSD 1.6.2 on both servers
> >
> > The scans are happening but this is the message I receive in my log files
> >
> > 2004-03-02 15:18:38 1AyGLe-mS-J3 H=h207-176-232-131.enertiatech.com (enertia1.enertiatech.com) [207.176.232.131] F=[EMAIL PROTECTED] rejected after DATA: This message contains a virus: ( Can't access the file ERROR) please scan your system.
>
> Clam is running as a separate uid than exim, probably - see what uid exim runs as, then add a 'User $(uid of exim)' statement to clamav.conf
>
> --
> | Stephen Gran                  | james abuse me. I'm so lame I sent a |
> | [EMAIL PROTECTED]             | bug report to debian-devel-          |
> | http://www.lobefin.net/~steve | changes                              |

Frank DeChellis
Internet Access Worldwide
3 East Main Street
Welland, Ontario, Canada L3B 3W4
905-714-1400 fax 905-732-0524
www.iaw.com

[Clamav-users] Password-protected .zip file viruses
Clearly the virus DB maintainers are inundated with password-protected .zip files with viruses inside.

I think I understand the technical impossibility of making a signature for these - the .zip header is the same, and then the filenames inside are randomized, as is the password, and thus the encrypted body has nothing recognizable - so there isn't anything available to make a signature off of.

We don't want to waste your time submitting these - would it be useful to put a comment on the virus submission page that you just don't want these?

I see that there have been a few rejected, stating that you'd need the *complete* E-mail - are you looking for other characteristics of the complete E-mail message, something not specifically tied to the attachment?

--
Charlie Watts
Brainstorm Internet
970 247-1442 x113
[EMAIL PROTECTED]
http://www.brainstorminternet.net/

[Clamav-users] some little questions
I've 3 little questions but at first I'm sorry because I didn't check the archives. :o)

1. Is it possible to improve the BSD-support? Like on-access-scanning and co?

2. Are there any improvements planned which enable clamAV to clean files? Now it just deletes them.

3. Please don't make a flamewar () but: Why GPL? I think clamAV could also use a more free license like the BSD-license because nobody steals something from clamAV. And the reason is easy: All other commercial scanners detect more virii/worms and they could also clean most files. So why GPL and not BSD-License? I think with the BSD-License clamAV could be more acceptable for more people. Not just all current BSD-OSs (NetBSD, FreeBSD, OpenBSD, MirBSD, MicroBSD...). There are many more people who prefer BSD-licensed code and who are strictly against GPL (such as Plan9 and other OSs).

I hope I see this point as neutrally as I'm able to. But I repeat: There's no reason for the GPL-License. And now I hope I get a precise answer why ClamAV is using the GPL-License and why it can't be under BSD-License. :)

Best regards,
Rembrandt van Rijn

p.s. Tomasz (leader) please check your mails!

Re: [Clamav-users] some little questions
On Wed, 3 Mar 2004, Rembrandt wrote:

[...]

> 2. Are there any improvements planned which enable clamAV to clean files? Now it just deletes them.

I can't speak for anyone but myself, but I don't think that is planned. First of all, some virii may be impossible to clean (some of them destroy the files they infect). Second, some files may be *very* hard to clean since the virii rewrite the binary in order to insert itself and figuring out what the file looked like prior to infection is *not* trivial, so it's a hard problem and to do it requires a lot of time and often specific handling of each individual virus. Third, would you trust a file after it was cleaned? Personally I would not - no matter who cleaned it; clam or some commercial AV vendor doesn't matter, I still wouldn't trust that file. If an infected file is found, the only proper action in my opinion is to delete the file and then restore a known-good copy from original media or backup.

> 3. Please don't make a flamewar () but: Why GPL? I think clamAV could also use a more free license like the BSD-license because nobody steals something from clamAV. And the reason is easy: All other commercial scanners detect more virii/worms and they could also clean most files. So why GPL and not BSD-License? I think with the BSD-License clamAV could be more acceptable for more people. Not just all current BSD-OSs (NetBSD, FreeBSD, OpenBSD, MirBSD, MicroBSD...). There are many more people who prefer BSD-licensed code and who are strictly against GPL (such as Plan9 and other OSs).

Again, I can only answer this from my own personal point of view - I didn't write the original code so I did not decide the license. My /personal/ opinion is that the GPL is a better license than the BSD license since it ensures that modifications are contributed back to the ClamAV community. With a BSD license nothing stops someone from incorporating ClamAV in a commercial product without giving anything back. But, that's just my personal opinion.

Hope that was properly flame-proof ;-)

--
Jesper Juhl [EMAIL PROTECTED]
Systems Administrator, Danmarks Idræts-Forbund / The Danish Sports Federation
Please don't top-post http://www.catb.org/~esr/jargon/html/T/top-post.html
Please send plain text emails only http://www.expita.com/nomime.html

Re: [Clamav-users] Password-protected .zip file viruses
On Tue, 2 Mar 2004, Charlie Watts wrote:

> Clearly the virus DB maintainers are inundated with password-protected .zip files with viruses inside.
>
> I think I understand the technical impossibility of making a signature for these - the .zip header is the same, and then the filenames inside are randomized, as is the password, and thus the encrypted body has nothing recognizable - so there isn't anything available to make a signature off of.

What I'm thinking is; Would it be feasible to add an option to attempt to brute-force-crack the passwords on zip files when scanning them? Yes, it would slow down scanning immensely, and there's *no* way it should ever be a default option, but zip file passwords are /reasonably/ simple to crack, so it is doable (although it takes time)...

I could whip some code together for this if it has any interest at all...

--
Jesper Juhl [EMAIL PROTECTED]
Systems Administrator, Danmarks Idræts-Forbund / The Danish Sports Federation
Please don't top-post http://www.catb.org/~esr/jargon/html/T/top-post.html
Please send plain text emails only http://www.expita.com/nomime.html

Re: [Clamav-users] password-protected Worm.Bagle.H
> It gives nothing as copies of Worm.Bagle.H (and previous variants also) vary in their contents and even sizes. So checksums are different.

We have started to see this as well -- we only caught a few w/ the hard-coded crc hack.

This is not perfect either and it falls in line with one gentleman's procmail filter. Still, this may help some users. We have updated our virus filter to look something like this:

    if ((stat($file))[7] < 10) # filesize
    {
        # Fork a child whose stdout (and stderr) is read through UNZIP
        if (!open(UNZIP, "-|"))
        {
            close(STDERR);
            open(STDERR, ">&STDOUT");
            # Test the archive with an empty password
            exec("/usr/bin/unzip", '-t', '-P', '', $file);
        }
        while (<UNZIP>)
        {
            if (/incorrect password/)
            {
                close(UNZIP);
                print "Found the w32nsc/crypt-zip.gen virus !!!\n";
                found_virus();
            }
        }
        close(UNZIP);
    }

We are /hoping/ that virus .zip's are < 100k. If anyone sends a legitimate message which is an encrypted zip that is < 100k we still quarantine it if the user needs to have a copy and they are notified of the quarantine.

After a few tests, it does not appear that it will mark unpassworded zips falsely since a zip w/o password and a zip w/ a password of '' appear to be equivalent.

Eric Wheeler
Vice President
National Security Concepts, Inc.
PO Box 3567
Tualatin, OR 97062
http://www.nsci.us/
Voice: (503) 293-7656
Fax: (503) 885-0770

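Erik Corry's suggestion earlier in this thread (block encrypted zips whose visible filenames end in .exe, .pif, etc.) and the unzip-based check above both rely on ZIP metadata that is readable without the password. The following Python is an added example, not code from any poster or from ClamAV; the extension list beyond .exe and .pif, the verdict names and the sample archives (built inline, with the encryption flag set by hand) are assumptions.

```python
import io
import os
import struct
import zipfile

# .exe and .pif are named in the thread; the rest of this list is an assumption.
SUSPICIOUS_EXT = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd"}
FLAG_ENCRYPTED = 0x0001  # general-purpose bit 0: entry data is encrypted


def visible_extension(name):
    """Extension as Windows would see it: case-folded, trailing dots/spaces dropped."""
    return os.path.splitext(name.rstrip(" .").lower())[1]


def inspect_zip(data):
    """Classify a ZIP attachment from its central directory only (no decryption)."""
    try:
        entries = zipfile.ZipFile(io.BytesIO(data)).infolist()
    except zipfile.BadZipFile:
        return {"verdict": "unscannable", "encrypted": [], "risky": []}
    encrypted = [e.filename for e in entries if e.flag_bits & FLAG_ENCRYPTED]
    risky = [n for n in encrypted if visible_extension(n) in SUSPICIOUS_EXT]
    if risky:
        verdict = "quarantine"    # encrypted entry with an executable-style name
    elif encrypted:
        verdict = "unscannable"   # site policy decides: deliver, hold or reject
    else:
        verdict = "scan"          # nothing hidden, hand to the normal scanner
    return {"verdict": verdict, "encrypted": encrypted, "risky": risky}


def mark_encrypted(zip_bytes, names):
    """Constructed-sample helper: set bit 0 on the named central-directory entries.

    The payload is not really encrypted; only the flag the check reads is changed.
    """
    buf = bytearray(zip_bytes)
    eocd = buf.rfind(b"PK\x05\x06")                      # end of central directory
    count, = struct.unpack_from("<H", buf, eocd + 10)   # total entries
    pos, = struct.unpack_from("<I", buf, eocd + 16)     # central directory offset
    for _ in range(count):
        flags, = struct.unpack_from("<H", buf, pos + 8)
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", buf, pos + 28)
        name = bytes(buf[pos + 46:pos + 46 + name_len]).decode("ascii")
        if name in names:
            struct.pack_into("<H", buf, pos + 8, flags | FLAG_ENCRYPTED)
        pos += 46 + name_len + extra_len + comment_len
    return bytes(buf)


def build_sample(entries, encrypted=()):
    """Build a small constructed archive in memory from {name: bytes}."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_STORED) as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return mark_encrypted(out.getvalue(), set(encrypted))


if __name__ == "__main__":
    samples = {
        "plain archive": build_sample({"notes.txt": b"hello"}),
        "worm-like": build_sample({"price.doc.PIF": b"constructed"},
                                  encrypted=["price.doc.PIF"]),
        "private data": build_sample({"budget.xls": b"constructed"},
                                     encrypted=["budget.xls"]),
    }
    for label, blob in samples.items():
        print(label, inspect_zip(blob))
```
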
Re: [Clamav-users] Password-protected .zip file viruses
On Wed, 3 Mar 2004 02:54:35 +0100 (CET) [EMAIL PROTECTED] (Jesper Juhl) wrote:

> On Tue, 2 Mar 2004, Charlie Watts wrote:
> > Clearly the virus DB maintainers are inundated with password-protected .zip files with viruses inside.
> >
> > I think I understand the technical impossibility of making a signature for these - the .zip header is the same, and then the filenames inside are randomized, as is the password, and thus the encrypted body has nothing recognizable - so there isn't anything available to make a signature off of.
>
> What I'm thinking is; Would it be feasible to add an option to attempt to brute-force-crack the passwords on zip files when scanning them? Yes, it would slow down scanning immensely, and there's *no* way it should ever be a default option, but zip file passwords are /reasonably/ simple to crack, so it is doable (although it takes time)...
>
> I could whip some code together for this if it has any interest at all...

There are 2 ways to see this fact:

1. The AV is able to clean/scan EACH file correctly, well! But on the other hand what's with ACE, RAR and many others?

2. On the other hand there's my point of view and (sure.. :) ) it's the right point of view: NO! I don't agree! I will stop all work for clamAV and other things! I won't ask old contacts anymore if this feature will be included.

Why?

a) Huge mailservers CAN'T crack each file... there's not enough CPU-Power

b) That's the way the damn GOV-GUYS work, it's not my way... and so I say hard NO because if you break an encryption enabled by a user you could spy his personal data and so on.

And you're wrong! ZIP-PWs aren't easy to crack. The old PW, well.. But GZ use blowfish and I read somewhere that WinZIP will use AES soon.

Rembrandt

Re: [Clamav-users] some little questions
On Wed, 3 Mar 2004 02:50:15 +0100 (CET) [EMAIL PROTECTED] (Jesper Juhl) wrote:

> On Wed, 3 Mar 2004, Rembrandt wrote:
> [...]
> > 2. Are there any improvements planned which enable clamAV to clean files? Now it just deletes them.
>
> I can't speak for anyone but myself, but I don't think that is planned. First of all, some virii may be impossible to clean (some of them destroy the files they infect). Second, some files may be *very* hard to clean since the virii rewrite the binary in order to insert itself and figuring out what the file looked like prior to infection is *not* trivial, so it's a hard problem and to do it requires a lot of time and often specific handling of each individual virus. Third, would you trust a file after it was cleaned? Personally I would not - no matter who cleaned it; clam or some commercial AV vendor doesn't matter, I still wouldn't trust that file. If an infected file is found, the only proper action in my opinion is to delete the file and then restore a known-good copy from original media or backup.

I think you've to watch on both sides of the medal. Yes I would trust cleaned files but why doesn't matter here. The situation you've to think about: What's when all possible backups and copies are infected? I know guys which are working as administrators at a newspaper. They make backups.. yes.. But they make it only for 1 week (because there's too much data). So they're able to restore all files which changed since date X. But what's about a virii which infects the files and waits until a special date? Or what's about logic-bombs? Trust me: I'm able to think about a virii which is more destructive than all others together. So I think such a function is needed.

> > 3. Please don't make a flamewar () but: Why GPL? I think clamAV could also use a more free license like the BSD-license because nobody steals something from clamAV. And the reason is easy: All other commercial scanners detect more virii/worms and they could also clean most files. So why GPL and not BSD-License? I think with the BSD-License clamAV could be more acceptable for more people. Not just all current BSD-OSs (NetBSD, FreeBSD, OpenBSD, MirBSD, MicroBSD...). There are many more people who prefer BSD-licensed code and who are strictly against GPL (such as Plan9 and other OSs).
>
> Again, I can only answer this from my own personal point of view - I didn't write the original code so I did not decide the license. My /personal/ opinion is that the GPL is a better license than the BSD license since it ensures that modifications are contributed back to the ClamAV community. With a BSD license nothing stops someone from incorporating ClamAV in a commercial product without giving anything back. But, that's just my personal opinion.
>
> Hope that was properly flame-proof ;-)

Sorry I don't agree to that. It's not true that ALL people will steal this source. Yes with GPL it's a MUST to contribute something back. But I prefer BSD (it could also be BSD-Like, so that every commercial Product must tell the user that they use code of clamAV). Why? With GPL companies aren't able to cross-license something. That's a huge problem. Take a look to intel and WLAN-support on *NIX. It's damn... the most normal NICs work but mostly the developers haven't any docs. And why? Because Intel fears that someone could steal something (so I understand the situation).

The other point why GPL isn't useful: GPL infects other Licenses. If I write something and put it under BSD-License (could also be another license, like the license from plan9 or something else) I can't use GPL-Licensed patches or improvements. When I include such patches/improvements the whole project goes under GPL.

I think that's the reason why BSDs don't accept clamAV. Yes it's in the ports but it could be std-software which is always on each BSD. And I think there are a lot of developers outside who will help but who won't accept GPL. I personally don't love the GPL and some guys maybe think I hate the GPL. Maybe.. but if I analyse the situation: There's NO need for GPL because nobody will steal something.

It could be more political... If GPL is the digital socialism BSD would be the great communism. :p Ok just 2 cents from a man who read Marx and others. so please ignore this line and the 3 lines before. :-)

Rembrandt

Re: [Clamav-users] password-protected Worm.Bagle.H
On Tue, 2 Mar 2004 18:08:15 -0800 (PST) [EMAIL PROTECTED] wrote:

> > It gives nothing as copies of Worm.Bagle.H (and previous variants also) vary in their contents and even sizes. So checksums are different.
>
> We have started to see this as well -- we only caught a few w/ the hard-coded crc hack.
>
> This is not perfect either and it falls in line with one gentleman's procmail filter. Still, this may help some users. We have updated our virus filter to look something like this:
>
>     if ((stat($file))[7] < 10) # filesize
>     {
>         if (!open(UNZIP, "-|"))
>         {
>             close(STDERR);
>             open(STDERR, ">&STDOUT");
>             exec("/usr/bin/unzip", '-t', '-P', '', $file);
>         }
>         while (<UNZIP>)
>         {
>             if (/incorrect password/)
>             {
>                 close(UNZIP);
>                 print "Found the w32nsc/crypt-zip.gen virus !!!\n";
>                 found_virus();
>             }
>         }
>         close(UNZIP);
>     }
>
> We are /hoping/ that virus .zip's are < 100k. If anyone sends a legitimate message which is an encrypted zip that is < 100k we still quarantine it if the user needs to have a copy and they are notified of the quarantine.
>
> After a few tests, it does not appear that it will mark unpassworded zips falsely since a zip w/o password and a zip w/ a password of '' appear to be equivalent.

I also received such a Mail today from an OpenBSD-Mailinglist (sorry but: Damn WindowsKiddys which are not able to hold their fingers far away from the left mousebutton).

I saw 2 things:

1. An encrypted ZIP
2. A password in the mail

Now I asked myself:

- Does the worm use everytime the same password or does the worm generate new passwords.
- Maybe a skilled user could write a script which looks for a PW in the mail. If a PW is detected the user should get a warning. The archive shouldn't be decrypted.

Rembrandt

Re: [Clamav-users] Password-protected .zip file viruses
On Wed, 3 Mar 2004, Rembrandt wrote:

> On Wed, 3 Mar 2004 02:54:35 +0100 (CET) [EMAIL PROTECTED] (Jesper Juhl) wrote:
> > On Tue, 2 Mar 2004, Charlie Watts wrote:
> > > Clearly the virus DB maintainers are inundated with password-protected .zip files with viruses inside.
> > >
> > > I think I understand the technical impossibility of making a signature for these - the .zip header is the same, and then the filenames inside are randomized, as is the password, and thus the encrypted body has nothing recognizable - so there isn't anything available to make a signature off of.
> >
> > What I'm thinking is; Would it be feasible to add an option to attempt to brute-force-crack the passwords on zip files when scanning them? Yes, it would slow down scanning immensely, and there's *no* way it should ever be a default option, but zip file passwords are /reasonably/ simple to crack, so it is doable (although it takes time)...
> >
> > I could whip some code together for this if it has any interest at all...
>
> There are 2 ways to see this fact:
>
> 1. The AV is able to clean/scan EACH file correctly, well! But on the other hand what's with ACE, RAR and many others?
>
> 2. On the other hand there's my point of view and (sure.. :) ) it's the right point of view: NO! I don't agree! I will stop all work for clamAV and other things! I won't ask old contacts anymore if this feature will be included.

Calm down. I just suggested it as something to optionally do. I know it's not something that is actually reasonable to do on every file, but I thought that it might be useful for some people. It was/is just a suggestion.

> Why?
>
> a) Huge mailservers CAN'T crack each file... there's not enough CPU-Power

agreed.

> b) That's the way the damn GOV-GUYS work, it's not my way... and so I say hard NO because if you break an encryption enabled by a user you could spy his personal data and so on.

Well, mails pass through your mailserver - plenty of ways to spy on personal data if that's what you want to do. I suggested this as a way to scan inside protected archives, not as a way of spying on anyone. Besides, if the data is so sensible, the person who sent it should use encryption strong enough that it can't be broken before the sun goes out... But, that's just my personal opinion...

> And you're wrong! ZIP-PWs aren't easy to crack. The old PW, well..

Well, I was thinking of the old password protection - all I have actual experience with.

> But GZ use blowfish and I read somewhere that WinZIP will use AES soon.

In that case it would take ages ;)

--
Jesper Juhl [EMAIL PROTECTED]
Systems Administrator, Danmarks Idræts-Forbund / The Danish Sports Federation
Please don't top-post http://www.catb.org/~esr/jargon/html/T/top-post.html
Please send plain text emails only http://www.expita.com/nomime.html

[Clamav-users] Problem compiling clamav-milter on Solaris 8
I ran configure --ebable-milter, but the clamav-milter didn't build (nor give any error).

/home/betsys/clamav-devel-20040301/clamav-milter- make clamav-milter
/bin/bash ../libtool --mode=link gcc -g -O2 -o clamav-milter-L../libclamav -lclamav -L/usr/lib/libmilter -L/usr/local/include -lmilter -lpthread -lsocket -lnsl -lresolv
gcc -g -O2 -o .libs/clamav-milter -L/home/betsys/packages/clamav-devel-20040301/libclamav /home/betsys/packages/clamav-devel-20040301/libclamav/.libs/libclamav.so -lz -lbz2 /usr/local/lib/libgmp.so -L/usr/lib/libmilter -L/usr/local/include -lmilter -lpthread -lsocket -lnsl -lresolv -R/usr/local/lib
Undefined                       first referenced
 symbol                             in file
main                                /usr/local/lib/gcc-lib/sparc-sun-solaris2.8/3.3/crt1.o
ld: fatal: Symbol referencing errors. No output written to .libs/clamav-milter
collect2: ld returned 1 exit status
make: *** [clamav-milter] Error 1

Sendmail has previously been rebuilt with milter support, and is currently running with vbs-filter.

Clamd and clamscan build OK and seem to be working ok.

I've installed or updated gcc, gm4, and gmp. Also, following a tip from google, copied the sendmail libmilter include files over to /usr/local/include and thrown that into the link library path. (and did a make clean and reconfigure after upgrading everything)

what next?

thanks
Betsy

Re: [Clamav-users] Can somebody help me with this error message?
On Tue, Mar 02, 2004 at 07:24:36PM -0500, Frank DeChellis DSL said:

> They're on separate servers...does that matter? I run exim as exim and clam as clamav.

Hmm - I had forgotten that. Sorry, kind of a knee jerk reaction. What do the clam logs say? Try turning on LogVerbose and LogClean in clamav.conf to get extra information out of it. You can also run clamd with --foreground and --debug temporarily to see even more info.

--
| Stephen Gran                  | In love, she who gives her portrait |
| [EMAIL PROTECTED]             | promises the original. -- Bruton    |
| http://www.lobefin.net/~steve |                                     |

Re: [Clamav-users] Clamd problem Solaris 8
Alex S Moore wrote:

gcc -g -O2 -o .libs/clamd options.o cfgfile.o clamd.o tcpserver.o localserver.o session.o thrmgr.o

Hi! I tried the latest snapshot with size 1kB (20040301) and had a compilation problem on Solaris 8!! Is this also a known problem??

I posted that problem earlier, and Tomasz replied Fixed, thanks. It's a problem on that particular snapshot only. This morning I built the latest cvs snapshot on Solaris 8, both sparc and x86 and had no problems. That would be a newer snapshot.

It may not be the latest snapshot, Usually I have the most recent binary built from snapshot. Updated daily. http://www.clamav.or.id I don't have stables though.

I still have my own build available.

The more the merrier :)

Regards,
Fajar

Re: [Clamav-users] Clam AV 0.67 e-smith RedHat 7.3 Packages
FreshClam wrote: Red Hat 7.3, I get the following error: [EMAIL PROTECTED] src]# rpm -Uvh clamav-0.67-1.i386.rpm error: failed dependencies: libc.so.6(GLIBC_2.3) is needed by clamav-0.67-1 libwrap.so.0 is needed by clamav-0.67-1 Looks like it was meant for RH 8+, not RH 7.3 there a single location or implementation guideline. Either - look for other clamav RPM source for RH 7.3 - compile yourself (not THAT hard). - get RH 7.3 binaries (tar.gz, not rpm) from http://www.clamav.or.id Regards, Fajar
Re: [Clamav-users] Some more evidence for my last mail ... - SOLVED
Thomas Seifert wrote: clamscan used the new dir (its default directory) and didn't use the path given in clamav.conf!? I believe clamscan doesn't read clamav.conf at all; It uses hard-coded compiled settings. I might be wrong :) Regards, Fajar
RE: [Clamav-users] Password-protected .zip file viruses
My understanding of reliable zip password checking was that you needed two or more files encoded with the same password in the archive to allow a good check... Maybe I'm wrong on that, but still I'd rather a setting that allows me to reject unscannable attachments. Preferably as mentioned before somehow by user - if this was a command line argument ignore unscannable archives vs. reject unscannable archives. m/ -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Jesper Juhl Sent: Tuesday, March 02, 2004 5:55 PM To: [EMAIL PROTECTED] Subject: Re: [Clamav-users] Password-protected .zip file viruses On Tue, 2 Mar 2004, Charlie Watts wrote: Clearly the virus DB maintainers are inundated with password-protected .zip files with viruses inside. I think I understand the technical impossibility of making a signature for these - the .zip header is the same, and then the filenames inside are randomized, as is the password, and thus the encrypted body has nothing recognizable - so there isn't anything available to make a signature off of. What I'm thinking is; Would it be feasible to add an option to attempt to brute-force-crack the passwords on zip files when scanning them? Yes, it would slow down scanning immensely, and there's *no* way it should ever be a default option, but zip file passwords are /reasonably/ simple to crack, so it is doable (although it takes time)... I could whip some code together for this if it has any interest at all... -- Jesper Juhl [EMAIL PROTECTED] Systems Administrator, Danmarks Idræts-Forbund / The Danish Sports Federation Please don't top-post http://www.catb.org/~esr/jargon/html/T/top-post.html Please send plain text emails only http://www.expita.com/nomime.html
[Clamav-users] Clamd will NOT start
Clamd will not start now.. i am using version .67 It was working fine last week... we had a power outage... now when I run /usr/sbin/clamd as root... it goes to next line but nothing is started... Where would I look for errors? I see it has no verbose setting... So i have no clue why it will NOT start I used this configure: ./configure \ --prefix=/usr \ --sysconfdir=/etc \ --datadir=/var/clamav \ --enable-milter Also followed this install http://www.linux-sxs.org/administration/clamav-milter.html It was fine the day I installed it... I am using slackware v9.0. 2.4.22 kernel HELP!!! -Andrew
[Clamav-users] Followup: Problem compiling clamav-milter on Solaris 8
To followup to my own post, I tried dropping back to the stable version 0.67 and saw the same behavior. Exact same error. Am I missing a step somewhere? --- I ran configure --enable-milter, but the clamav-milter didn't build (nor give any error). /home/betsys/clamav-devel-20040301/clamav-milter- make clamav-milter /bin/bash ../libtool --mode=link gcc -g -O2 -o clamav-milter-L../libclamav -lclamav -L/usr/lib/libmilter -L/usr/local/include -lmilter -lpthread -lsocket -lnsl -lresolv gcc -g -O2 -o .libs/clamav-milter -L/home/betsys/packages/clamav-devel-20040301/libclamav /home/betsys/packages/clamav-devel-20040301/libclamav/.libs/libclamav.so -lz -lbz2 /usr/local/lib/libgmp.so -L/usr/lib/libmilter -L/usr/local/include -lmilter -lpthread -lsocket -lnsl -lresolv -R/usr/local/lib Undefined first referenced symbol in file main /usr/local/lib/gcc-lib/sparc-sun-solaris2.8/3.3/crt1.o ld: fatal: Symbol referencing errors. No output written to .libs/clamav-milter collect2: ld returned 1 exit status make: *** [clamav-milter] Error 1 Sendmail has previously been rebuilt with milter support, and is currently running with vbs-filter. Clamd and clamscan build OK and seem to be working ok. I've installed or updated gcc , gm4, and gmp. Also, following a tip from google, copied the sendmail libmilter include files over to /usr/local/include and thrown that into the link library path. (and did a make clean and reconfigure after upgrading everything) what next? thanks Betsy
[Clamav-users] passworded zips slipping thru
For some reason, my system is allowing Worm.Bagle.F-zippwd files through, but can detect them once they've arrived. I haven't had a single capture of one of these passworded files. Example:

clamscan -V
clamscan / ClamAV version 0.67-1

clamscan passworded.sample
passworded.sample: Worm.Bagle.F-zippwd FOUND
--- SCAN SUMMARY ---
Known viruses: 20355
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.02 MB
I/O buffer size: 131072 bytes
Time: 0.425 sec (0 m 0 s)

clamscan --mbox passworded.sample
passworded.sample: Worm.Bagle.F-zippwd FOUND
--- SCAN SUMMARY ---
Known viruses: 20355
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.04 MB
I/O buffer size: 131072 bytes
Time: 0.452 sec (0 m 0 s)

passworded.sample is an mbox file with only the offending message in it. If I forward the message to myself, it gets through, and, of course, it got through in the first place. Even as I type this, it's picking up new incoming viruses, so it doesn't seem to be a database issue. The only weak link I can think of is that I'm using amavis-perl11 (if it ain't broke...), and I suspect not many others are. Here's the clam invocation in the amavis perl script:

---
my $clamscan = "/usr/local/bin/clamscan";
...
#
# Clam AV
#
if ($clamscan ne "") {
    # --one-virus is only for esthetic reasons.
    $output = `$clamscan --stdout -r -w --one-virus $TEMPDIR/parts`;
    $errval = ($? >> 8);
    do_log(2,$output);
    if ($errval != 0) {
        if ($errval == 1) {
            @virusname = ($output =~ /.*: (.+) FOUND/g);
            do_virus($output);
        } else {
            do_log(0,"Virus scanner failure: $clamscan (error code: $errval)");
        }
    }
}
---

I assume this only makes sense if you're reasonably familiar with amavis-perl11. Traffic is light enough that I don't need any daemons running for mail, so I've never seen a need to update before this. It might be easier to set up a new version of amavis, but this one IS set up and it (usually) works, and messing with sendmail is the sort of voodoo I like to avoid if possible.
At any rate, does this make any sense? How can a manual clamscan succeed while the automatic one fails? Is this possibly a question for the amavis mailing list, or do you think something else is going on? Jeffrey Moskot System Administrator [EMAIL PROTECTED]
Re: [Clamav-users] Clamd will NOT start
On Tue, 2004-03-02 at 22:26, Andrew Keuhs wrote: Clamd will not start now.. i am using version .67 It was working fine last week... we had a power outage... now when I run /usr/sbin/clamd as root... it goes to next line but nothing is started... Where would I look for errors? I see it has no verbose setting... So i have no clue why it will NOT start $5 says /tmp/clamd still exists. -Jeremy -- Jeremy Kitchen Systems Administrator [EMAIL PROTECTED] Kitchen @ #qmail on EFNet - Join the party! . Inter7 Internet Technologies, Inc. www.inter7.com 866.528.3530 toll free 847.492.0470 int'l 847.492.0632 fax GNUPG key ID: 93BDD6CE
Re: [Clamav-users] ClamAV 0.67 memory leak
sorry, it's 0.67. seems the VM kills it when it uses up all the RAM, couldn't this be other people's problems as well? I mean I see quite a few people saying clamd just dies? On Wed, Mar 03, 2004 at 12:42:48AM +0100, Thomas Lamy wrote: Nigel Kukard schrieb: Anyone seen this... 3843 ?S 0:00 clamd 3846 ?S 0:01 \_ clamd 3847 ?S 0:03 \_ clamd when i cat the /proc/3843/status file... Name: clamd State: S (sleeping) Tgid: 3843 Pid:3843 PPid: 1 TracerPid: 0 Uid:0 0 0 0 Gid:0 0 0 0 FDSize: 32 Groups: 0 VmSize: 210900 kB VmLck: 0 kB VmRSS: 22940 kB VmData: 209128 kB VmStk:16 kB VmExe:36 kB VmLib: 1672 kB Which version exactly (I guess it's 0.67 release, but better save...), on which OS/Distribution ? I've not seen huge mem leaks in clam since it's 0.65 days, and I tend to check this every now and then with valgrind. Thomas
Re: [Clamav-users] ClamAV 0.67 memory leak
Here is what I see on my system, maybe it's something in the kernel you're using. I'm using 2.6.3 Name: clamd State: S (sleeping) SleepAVG: 0% Tgid: 751 Pid:751 PPid: 1 TracerPid: 0 Uid:0 0 0 0 Gid:0 0 0 0 FDSize: 32 Groups: 0 VmSize:21304 kB VmLck: 0 kB VmRSS: 12032 kB VmData:19336 kB VmStk: 8 kB VmExe:40 kB VmLib: 1840 kB Threads:2 SigPnd: ShdPnd: SigBlk: 7ffbbafc SigIgn: 0004 SigCgt: 80004403 CapInh: CapPrm: feff CapEff: feff
Re: [Clamav-users] RHE and ClamAV
I have clamav (clamd and clamav-milter) running on an RHEL box installed from source. I didn't have any troubles compiling or anything on the RHEL box. Carl - Original Message - From: Galactic To: [EMAIL PROTECTED] Sent: Tuesday, March 02, 2004 9:57 PM Subject: [Clamav-users] RHE and ClamAV Ok, just upgraded my web server and all to RHE and Plesk 7 using qmail from my RH9 box. I had clam on the old box and it was working great, so I go to install it on my RHE box and I don't see it listed as a supported install. Will ClamAV be available for RHE and if so, where can I get an RPM for it please. Thanks in advance, Franklyn Halamka Galactic Zero.
Re: [Clamav-users] password-protected Worm.Bagle.H
On Tue, 2 Mar 2004 17:07:53 +0100 Erik Corry [EMAIL PROTECTED] exclaimed: The question is how much of a problem it really is. Are users really that dumb? What I'm wondering is whether the encrypted version of the virus can be created by the unencrypted version, or whether the encrypted versions of the virus we have seen have all been produced by actual encrypted-zip infections. Anyone know? Well, Given the level of replication I'm seeing on this bug, I'd say the answer is yes. Shawn
Re: [Clamav-users] Clamd will NOT start
NO there isn't... I checked.. - Original Message - From: Jeremy Kitchen [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, March 03, 2004 12:04 AM Subject: Re: [Clamav-users] Clamd will NOT start On Tue, 2004-03-02 at 22:26, Andrew Keuhs wrote: Clamd will not start now.. i am using version .67 It was working fine last week... we had a power outage... now when I run /usr/sbin/clamd as root... it goes to next line but nothing is started... Where would I look for errors? I see it has no verbose setting... So i have no clue why it will NOT start $5 says /tmp/clamd still exists. -Jeremy -- Jeremy Kitchen Systems Administrator [EMAIL PROTECTED] Kitchen @ #qmail on EFNet - Join the party! . Inter7 Internet Technologies, Inc. www.inter7.com 866.528.3530 toll free 847.492.0470 int'l 847.492.0632 fax GNUPG key ID: 93BDD6CE
Re: [Clamav-users] Re: Clamd will NOT start
Already tried that... didn't work... - Original Message - From: roliver [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, March 03, 2004 12:06 AM Subject: [Clamav-users] Re: Clamd will NOT start Andrew Keuhs writes: Clamd will not start now.. i am using version .67 It was working fine last week... we had a power outage That may have corrupted clamd. I used this configure: ./configure \ --prefix=/usr \ --sysconfdir=/etc \ --datadir=/var/clamav \ --enable-milter I suggest you re-install. First run make clean Then install it exactly as you did before. HTH --- Russel Oliver [EMAIL PROTECTED]
RE: [Clamav-users] debian-sid package broken
I thought I was the only one with that problem on a recent upgrade. Easiest way for me was to: % apt-get --purge remove clamav clamav-base clamav-data clamav-freshclam clamav-testfiles libclamav libclamav1 % apt-get install clamav clamav-daemon Jae -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Me Its Sent: Monday, March 01, 2004 8:00 PM To: [EMAIL PROTECTED] Subject: [Clamav-users] debian-sid package broken Importance: High I am using debian - sid, but I got error when I apt-get upgrade, when it tries to install the new ClamAV Setting up clamav-base (0.67-5) ... dirname: too few arguments [snip] What should I do next ?
Re: [Clamav-users] password-protected Worm.Bagle.H
On Tue, 2 Mar 2004, Erik Corry wrote: On Tue, Mar 02, 2004 at 11:59:19AM -0600, John Jolet wrote: The question is how much of a problem it really is. Are users really that dumb? yes, they are. i've gotten about 10 of those in the last 3 days. That doesn't actually prove that anyone typed in the password and got infected. The version with unencrypted zip file can send the version with encrypted zip file to others. The best defence against it (if it really is a problem) might be blocking encrypted zip files with suspicious filenames in them. You can see that the file contains a .exe .pif, etc. ending without the password. That's probably not a task for clamav though, more like MIMEDefang: http://www.mimedefang.org/ Someone seems to have been giving this some thought: http://lists.roaringpenguin.com/pipermail/mimedefang/2004-March/020563.html I think clamav should return a certain value if the zip file is deemed clean because it's encrypted, so that glue programs like amavisd-new can allow people to control when encrypted zips are allowed through. This is a reasonable thing for clamav to do regardless, if you think about it; isn't that essentially an error condition (can't scan zipfile)? It would seem a simple fix for somebody familiar with the code. Developers, any comments? Thanks, Andy --- Andy Dills Xecunet, Inc. www.xecu.net 301-682-9972 ---
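The check described in the message above (seeing a .exe or .pif name inside an encrypted zip without the password) together with a separate "encrypted, could not scan" verdict for glue programs, as an added Python example that is not code from ClamAV, amavis, MIMEDefang or any poster. The extension list, the verdict names and the sample archives are assumptions constructed for illustration.

```python
import io
import os
import struct
import zipfile

# Assumed policy list for this example; extend it to match local rules.
RISKY_EXTENSIONS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd"}
ENCRYPTED_FLAG = 0x1  # bit 0 of the ZIP general-purpose flags


def classify_zip(data: bytes) -> tuple[str, list[str]]:
    """Return (verdict, entry names that triggered it) without any password.

    Traditional ZIP encryption protects file contents only; entry names and
    the per-entry flags stay readable in the central directory.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            entries = archive.infolist()
    except zipfile.BadZipFile:
        return "unreadable", []

    encrypted = [e.filename for e in entries if e.flag_bits & ENCRYPTED_FLAG]
    risky = [
        name for name in encrypted
        # Windows ignores trailing dots and spaces, so strip them first.
        if os.path.splitext(name.rstrip(". ").lower())[1] in RISKY_EXTENSIONS
    ]
    if risky:
        return "encrypted-executable", risky
    if encrypted:
        return "encrypted", encrypted   # unscannable: let policy decide
    return "scannable", []              # hand the archive to the scanner


def build_sample(name: str, encrypted: bool) -> bytes:
    """Construct a tiny test archive; the payload is harmless placeholder text."""
    buf = io.BytesIO()
    info = zipfile.ZipInfo(name, date_time=(2004, 3, 2, 0, 0, 0))
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr(info, b"constructed placeholder bytes")
    raw = bytearray(buf.getvalue())
    if encrypted:
        # Set the encrypted bit in the local header (flags at offset 6) and
        # in the central directory header (flags at offset 8).
        for signature, offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = raw.find(signature)
            (flags,) = struct.unpack_from("<H", raw, pos + offset)
            struct.pack_into("<H", raw, pos + offset, flags | ENCRYPTED_FLAG)
    return bytes(raw)


if __name__ == "__main__":
    for name, enc in (("price_list.exe", True), ("notes.txt", True),
                      ("setup.exe", False)):
        print(name, enc, classify_zip(build_sample(name, enc)))
    print("garbage", classify_zip(b"not a zip"))
```

A mail filter would map the three non-scannable verdicts to reject, quarantine or accept according to site policy, and pass "scannable" archives on to the virus scanner as usual.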