Re: [Clamav-users] Correct clamav-milter options to --postmaster-only

2004-03-02 Thread Nigel Horne
On Tuesday 02 Mar 2004 12:58 am, Stevens, John wrote:
 Please post an example of the bounce message, then I can see where it's
  coming from.

 From: MAILER-DAEMON
 To: [EMAIL PROTECTED]
 CC: [EMAIL PROTECTED]
 Subject: Virus intercepted
 A message you sent to [EMAIL PROTECTED] contained a virus and has not
 been delivered. stream: Worm.Bagle.E FOUND

John,

Unfortunately you've deleted the original message with all your options and
I've deleted your original posting so I can't remember what they were. Anyway,
this message is created by the -b (--bounce) option, so turn that off.

 John Stevens - MIS Manager, Senior Project Engineer

-- 
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK.  ICQ#20252325
[EMAIL PROTECTED] http://www.bandsman.co.uk



---
SF.Net is sponsored by: Speed Start Your Linux Apps Now.
Build and deploy apps  Web services for Linux with
a free DVD software kit from IBM. Click Now!
http://ads.osdn.com/?ad_id=1356alloc_id=3438op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users


Re: [Clamav-users] Re: debian-sid package broken

2004-03-02 Thread Thomas Lamy
Derrick 'dman' Hudson schrieb:

On Tue, Mar 02, 2004 at 12:00:28PM +0800, Me Its wrote:
| I am using debian - sid, but I got error when I apt-get upgrade, when 
| it tries to install the new ClamAV

| What should I do next ?

Look for a related bug report on http://bugs.debian.org.  If there is
none, report the bug.  At any rate, this is a debian packaging issue,
not a clamav one.
-D

PS  It is a good idea to know this before running unstable.  It's a
little safer to run testing instead, if you aren't that
comfortable with running into such issues at times.

This is a known bug in clamav-base_0.67-5, and 0.67-6 was uploaded last
night.

Thomas



Re: [Clamav-users] How to disable notification

2004-03-02 Thread Nigel Horne
On Tuesday 02 Mar 2004 7:04 am, Janis wrote:

 I'd like to know whether it is possible to disable sending of a notification
 to the sender of incoming mail about a virus in the e-mail.

man clamav-milter will tell you.

 Janis

-Nigel

-- 
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK.  ICQ#20252325
[EMAIL PROTECTED] http://www.bandsman.co.uk





Re: [Clamav-users] password protected zip file

2004-03-02 Thread Erik Corry
On Tue, Mar 02, 2004 at 03:07:31PM +0800, kengheng wrote:
 Hi, can clamav detect those viruses that are protected by a password in a zipped file?

No

-- 
Erik Corry I'd be a Libertarian, if they weren't all a
[EMAIL PROTECTED] bunch of tax-dodging professional whiners.   - B. Breathed.




RE: [Clamav-users] password protected zip file

2004-03-02 Thread Diego d'Ambra
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:clamav-users-
 [EMAIL PROTECTED] On Behalf Of Erik Corry
 Sent: 2. marts 2004 09:10
 To: [EMAIL PROTECTED]
 Subject: Re: [Clamav-users] password protected zip file
 
 On Tue, Mar 02, 2004 at 03:07:31PM +0800, kengheng wrote:
  Hi, can clamav detect those viruses that are protected by a password
  in a zipped file?
 
 No
 

I would say maybe. It's impossible to detect the encrypted zip file,
but a signature was added yesterday that will match e-mails with the
Bagle-F or Bagle-H zip attachment (Worm.Bagle.F-zippwd).

So you should also allow ClamAV to scan the e-mail itself.

BTW: I'm currently working on adding a second signature that will detect
a variant of these e-mails.

Best regards,
Diego d'Ambra


smime.p7s
Description: S/MIME cryptographic signature


Re: [Clamav-users] Re: password-protected Worm.Bagle.F

2004-03-02 Thread Tomasz Papszun
On Mon, 01 Mar 2004 at 21:04:55 -0500, Derrick 'dman' Hudson wrote:
 
 Is the zip file really encrypted, or is the password just an

Really.

 advisory flag that an unzip tool is supposed to honor?  If its the
 latter, then clamav could just ignore the password to unpack and scan
 the archive anyways.

As Diego d'Ambra added a signature Worm.Bagle.F-zippwd yesterday for
e-mail messages carrying the password-protected variant of Worm.Bagle.F,
ClamAV should detect such messages.

I mean _messages_. Not zip files themselves.

So please folks, stop submitting encrypted zip files (without a full
message) to us as it's quite impossible to create a signature for them.

-- 
 Tomasz Papszun   SysAdm @ TP S.A. Lodz, Poland  | And it's only
 [EMAIL PROTECTED]   http://www.lodz.tpsa.pl/   | ones and zeros.
 [EMAIL PROTECTED]   http://www.ClamAV.net/   A GPL virus scanner




Re: [Clamav-users] FYI: clamav-devel-20040301 build error on Solaris

2004-03-02 Thread Tomasz Kojm
On Tue, 02 Mar 2004 12:58:57 +0700
Fajar A. Nugraha [EMAIL PROTECTED] wrote:

 Sure enough, I found these files on source tarball:
 ./clamd/dazukoio.o
 ./clamd/dazukoio_compat12.o
 
 Deleted these files, and clamav compiles OK.

Fixed, thanks.

-- 
   oo. Tomasz Kojm [EMAIL PROTECTED]
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Tue Mar  2 09:27:37 CET 2004


pgp0.pgp
Description: PGP signature


Re: [Clamav-users] password protected zip file

2004-03-02 Thread Fajar A. Nugraha
Erik Corry wrote:

 Hi, can clamav detect those viruses that are protected by a password in a zipped file?

No

 

Generally no, except in the case of Worm.Bagle.F-zippwd (Trend Micro 
identifies it as Worm.Bagle.F-1).
There's another thread about it (password-protected Worm.Bagle.F). See 
archives.

Regards,

Fajar



Re: [Clamav-users] clamav 0.65 not detecting Worm.Bagle.F

2004-03-02 Thread Tomasz Papszun
On Tue, 02 Mar 2004 at 15:00:16 +0800, Joey Esquibal wrote:
[...]
 I have successfully configured MailScanner with ClamAV-0.65. Tested it 
[...]
 Any help or pointers are greatly appreciated.

Please upgrade.

-- 
 Tomasz Papszun   SysAdm @ TP S.A. Lodz, Poland  | And it's only
 [EMAIL PROTECTED]   http://www.lodz.tpsa.pl/   | ones and zeros.
 [EMAIL PROTECTED]   http://www.ClamAV.net/   A GPL virus scanner




Re: [Clamav-users] Re: password-protected Worm.Bagle.F

2004-03-02 Thread Tomasz Papszun
On Tue, 02 Mar 2004 at  3:38:32 -0500, jef moskot wrote:
 On Tue, 2 Mar 2004, Tomasz Papszun wrote:
  So please folks, stop submitting encrypted zip files (without a full
  message) to us as it's quite impossible to create a signature for them.
 
 Does this mean you still want samples including the full message?
 

As usual: only if ClamAV with an up-to-date database isn't detecting
an infection in a sample. In this particular case a sample = a full
message sample.

-- 
 Tomasz Papszun   SysAdm @ TP S.A. Lodz, Poland  | And it's only
 [EMAIL PROTECTED]   http://www.lodz.tpsa.pl/   | ones and zeros.
 [EMAIL PROTECTED]   http://www.ClamAV.net/   A GPL virus scanner




Re: [Clamav-users] Re: password-protected Worm.Bagle.F

2004-03-02 Thread jef moskot
On Tue, 2 Mar 2004, Tomasz Papszun wrote:
 As usual: only if ClamAV with an up-to-date database isn't detecting
 an infection in a sample. In this particular case a sample = a full
 message sample.

Roger that.  Up until a few minutes ago, a few samples had gotten through,
but things look good now.  My samples don't make it past the online tester
(they had an hour ago) and now my local system can ID them as well.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]




Re: [Clamav-users] What is the problem?

2004-03-02 Thread Kristof Hardy
Adrian Gurbina (main) wrote:
 ccabbccacaa.zip  : D:\Attachments\ccabbccacaa.zip is infected with the
 [EMAIL PROTECTED] virus output from NAV/Symantec
 so clamscan dont know any virus related to Beagle?
 i use the latest update related to the virus database
 how do we fix this problem?

Try out http://www.gietl.com/test-clamav/ to see if the working clamav
finds the virus. If it does, something in your configuration seems
wrong. If it doesn't, submit or make it available online, so we can try
it out.

--
Kristof


Re: [Clamav-users] password-protected Worm.Bagle.F

2004-03-02 Thread David Jansen
About the password-encrypted zip file viruses, is there any information
available on the web about this? I'd like to instruct my users about this
new infection method.

David Jansen





Re: [Clamav-users] password-protected Worm.Bagle.F

2004-03-02 Thread Fajar A. Nugraha
David Jansen wrote:

 About the password-encrypted zip file viruses, is there any information
 available on the web about this?

Try this
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BAGLE.G
Regards,

Fajar



Re: [Clamav-users] What is the problem?

2004-03-02 Thread Jesper Juhl
On Tue, 2 Mar 2004, Adrian Gurbina (main) wrote:

 clamscan -V
 clamscan / ClamAV version 0.67

 freshclam -V
 freshclam / ClamAV version 0.67

 ccabbccacaa.zip  : D:\Attachments\ccabbccacaa.zip is infected with the
 [EMAIL PROTECTED] virus output from NAV/Symantec

 clamscan ccabbccacaa.zip

 Known viruses: 20742
 Scanned directories: 0
 Scanned files: 1
 Infected files: 0
 Data scanned: 0.02 MB
 I/O buffer size: 131072 bytes
 Time: 1.208 sec (0 m 1 s)

 so clamscan dont know any virus related to Beagle?
 i use the latest update related to the virus database
 how do we fix this problem?


Judging from the number of known signatures I'd say you don't have the
last few updates to the signature db - try running freshclam and then
scan the file again. Also, try extracting the zip file and scan the
contents, it could be that maybe clam has a problem extracting it.

I've just run freshclam, and with the latest files (main version 21,
daily version 153) there is a total of 20352 signatures. You have a total
number of 20742 signatures which tells me that your db is a little
outdated - the number of signatures went down recently due to a db cleanup
where a lot of duplicates were removed.

-- 
Jesper Juhl [EMAIL PROTECTED]
Systems Administrator, Danmarks Idræts-Forbund / The Danish Sports Federation
Please don't top-posthttp://www.catb.org/~esr/jargon/html/T/top-post.html
Please send plain text emails only  http://www.expita.com/nomime.html




[Clamav-users] clamav stops running

2004-03-02 Thread Japhet Samson
I frequently have to run clamav manually. What makes it stop? Is there a way to re-run
it automatically?




AW: [Clamav-users] clamav stops running

2004-03-02 Thread Power-Netz \(Schwarz\)
 
 I frequently have to run clamav manually. What makes it stop? Is
 there a way to re-run
 it automatically?

Read the ML history; you will find some restart scripts for clamd.
Make a cron job */1 * * * * for it.






Re: AW: [Clamav-users] clamav stops running

2004-03-02 Thread Darren Honeyball [ML]
Power-Netz (Schwarz) wrote:

 I frequently have to run clamav manually. What makes it stop? Is
 there a way to re-run
 it automatically?

 Read the ML history; you will find some restart scripts for clamd.
 Make a cron job */1 * * * * for it.

I personally run clamd under daemontools as I'm already running
daemontools for qmail.  Works a treat.

You can find daemontools at http://cr.yp.to/daemontools.html

D



Re: AW: AW: [Clamav-users] clamav stops running

2004-03-02 Thread Japhet Samson
 Power-Netz (Schwarz) wrote:

I personally run clamd under daemontools as I'm already running
daemontools for qmail.  Works a treat.

You can find daemontools at http://cr.yp.to/daemontools.html


 That will not help you, because clam will stop working, not crashing.

 Works just fine for me - my spamd occasionally dies, but never hangs
 with the daemon still running.


daemontools is said to work on Unix only; what is the alternative on Linux?





Re: [Clamav-users] password-protected Worm.Bagle.H

2004-03-02 Thread clamav

 Worm.Bagle.H found in unzipped file. It's impossible
 to create a signature for an encrypted zip file.

This new infection method is likely to drive us nuts.  This is the
password-less workaround I've come up with and your input is appreciated.  
The unix unzip output looks like so:

   $ uvscan -lv virus.zip
   Archive:  TextDocument.zip
    Length   Method    Size  Ratio   Date   Time   CRC-32    Name
   --------  ------  ------- -----   ----   ----   ------    ----
      21150  Stored    21150   0%  03-01-04 19:33  7ac0095f  hifrm.scr
   --------          -------  ---                            -------
      21150            21150   0%                            1 file

Fortunately we can get the file CRC w/o actually extracting the file.
Can zip file CRCs count as sigs?  A quick/crude perl hack to test for
this at the MTA seems to work pretty well:

  # Fork a child that runs `unzip -lv` on the attachment; the parent reads
  # the listing through the UNZIP filehandle ($file holds the attachment path).
  if (!open(UNZIP, '-|'))
  {
    exec('/usr/bin/unzip', '-lv', $file) or die "exec unzip: $!\n";
  }
  while (<UNZIP>)
  {
    # CRC-32 of hifrm.scr as shown in the listing above
    if (/7ac0095f/)
    {
      close(UNZIP);
      print "Found the w32nsc/Bagle.H-zip virus !!!\n";
      found_virus();   # MTA-side handler, not shown in the post
    }
  }
  close(UNZIP);


Suggestions?  There are really easy ways for the virus writer to 
circumvent this type of check but until they start utilizing such 
strategies, is it possible to include the zip's crc into ClamAV's sigs?


Eric Wheeler
Vice President
National Security Concepts, Inc.
PO Box 3567
Tualatin, OR 97062

http://www.nsci.us/
Voice: (503) 293-7656
Fax:   (503) 885-0770





AW: AW: AW: [Clamav-users] clamav stops running

2004-03-02 Thread Power-Netz \(Schwarz\)

 That will not help you, because clam will stop working, not crashing.
 
  Works just fine for me - my spamd occasionally dies, but never hangs
  with the daemon still running.
 

 daemontools is said to work on Unix only; what is the alternative on Linux?

supervise... but, as said, it won't help if the daemon stops answering but
does not crash at all.

BTW: I thought with the threaded version these hangs should stop? Anything new
on that topic???





Re: AW: AW: [Clamav-users] clamav stops running

2004-03-02 Thread Darren Honeyball [ML]
Japhet Samson wrote:

Power-Netz (Schwarz) wrote:


I personally run clamd under daemontools as I'm already running
daemontools for qmail.  Works a treat.
You can find daemontools at http://cr.yp.to/daemontools.html


That will not help you, because clam will stop working, not crashing.
Works just fine for me - my spamd occasionally dies, but never hangs
with the daemon still running.


 daemontools is said to work on Unix only; what is the alternative on Linux?

daemontools works on a variety of *nix's - I personally am using it on
Solaris and RedHat.



Re: AW: AW: [Clamav-users] clamav stops running

2004-03-02 Thread Antony Stone
On Tuesday 02 March 2004 12:17 pm, Japhet Samson wrote:

  Power-Netz (Schwarz) wrote:
 I personally run clamd under daemontools as I'm already running
 daemontools for qmail.  Works a treat.
 
 You can find daemontools at http://cr.yp.to/daemontools.html
 
  That will not help you, because clam will stop working, not crashing.
 
  Works just fine for me - my spamd occasionally dies, but never hangs
  with the daemon still running.

 daemontools is said to work on Unix only; what is the alternative on Linux?

I would have thought Linux counts as a form of Unix for this purpose.

I think what the daemontools web page means by "System requirements:
daemontools works only under UNIX" is that it won't work under Windows, VMS,
MacOS, etc.

Try it under Linux and see.

Regards,

Antony.

-- 
This is not a rehearsal.
This is Real Life.

 Please reply to the list;
   please don't CC me.





Re: AW: AW: AW: [Clamav-users] clamav stops running

2004-03-02 Thread Darren Honeyball [ML]
Power-Netz (Schwarz) wrote:

That will not help you, because clam will stop working, not crashing.

Works just fine for me - my spamd occasionally dies, but never hangs
with the daemon still running.
 daemontools is said to work on Unix only; what is the alternative on Linux?

 supervise... but, as said, it won't help if the daemon stops answering but
 does not crash at all.

supervise is part of daemontools.





Re: [Clamav-users] password-protected Worm.Bagle.H

2004-03-02 Thread Tomasz Papszun
On Tue, 02 Mar 2004 at  4:14:52 -0800, [EMAIL PROTECTED] wrote:
 
  Worm.Bagle.H found in unzipped file. It's impossible
  to create a signature for an encrypted zip file.
 
 This new infection method is likely to drive us nuts.  This is the
 password-less workaround I've come up with and your input is appreciated.  
 The unix unzip output looks like so:
[...]
   21150  Stored21150   0%  03-01-04 19:33  7ac0095f  hifrm.scr
[...]
 Fortunately we can get the file crc w/o actually extracting the file.  
[...]

It gives nothing as copies of Worm.Bagle.H (and previous variants also)
vary in their contents and even sizes. So checksums are different.

-- 
 Tomasz Papszun   SysAdm @ TP S.A. Lodz, Poland  | And it's only
 [EMAIL PROTECTED]   http://www.lodz.tpsa.pl/   | ones and zeros.
 [EMAIL PROTECTED]   http://www.ClamAV.net/   A GPL virus scanner




RE: [Clamav-users] password-protected Worm.Bagle.H

2004-03-02 Thread Rob MacGregor
 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf 
 
 This new infection method is likely to drive us nuts.  This 
 is the password-less workaround I've come up with and your 
 input is appreciated.  
 The unix unzip output looks like so:
 
    $ uvscan -lv virus.zip
    Archive:  TextDocument.zip
     Length   Method    Size  Ratio   Date   Time   CRC-32    Name
    --------  ------  ------- -----   ----   ----   ------    ----
       21150  Stored    21150   0%  03-01-04 19:33  7ac0095f  hifrm.scr
    --------          -------  ---                            -------
       21150            21150   0%                            1 file
 
 Fortunately we can get the file crc w/o actually extracting 
 the file.  
 Can zip file crc's count as sigs?  A quick/crude perl hack to 
 test for this at the MTA seems to work pretty well:
 
---SNIP--- 
 Suggestions?  There are really easy ways for the virus writer 
 to circumvent this type of check but until they start 
 utilizing such strategies, is it possible to include the 
 zip's crc into ClamAV's sigs?

I'd say that if you're doing that you want to include the other key
information, namely the size and the compression ratio.  That way the
chances of a collision are minimal (the odds are reasonable that there is
another zip file with a single file that has the same CRC, the odds decrease
however if you also use the size and compression ratio).

-- 
  PLEASE - keep list traffic on the list.  Don't CC or send me mail
directly.

 Rob MacGregor (BOFH) 




Re: AW: AW: AW: [Clamav-users] clamav stops running

2004-03-02 Thread Fajar A. Nugraha
Power-Netz (Schwarz) wrote:

 supervise... but, as said, it won't help if the daemon stops answering but
 does not crash at all.

Try searching the archive for posts on clamd monitoring.
A useful link:
http://mikecathey.com/code/clamdwatch/
This should check whether clamd is working or not (i.e. hung, dead, etc.).
Regards,

Fajar
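The hang-versus-crash distinction that runs through this thread, as an added Python example that is not the clamdwatch script linked above nor any code from the thread: a cron-style check that sends clamd's PING command and expects PONG, so it can tell a dead daemon (connection refused, which a supervisor such as daemontools already handles by restarting the exited process) from a hung one (connection accepted, no answer), and restarts in either case. The listener address, the timeout and the restart command are assumptions to be adjusted for the host; FakeClamd is a constructed stand-in so the probe can be exercised offline.

```python
import socket
import subprocess
import threading

# Where clamd listens; an assumption for this example. Match it to the
# TCPSocket/TCPAddr settings of the clamd configuration on the real host.
CLAMD_ADDR = ("127.0.0.1", 3310)
PROBE_TIMEOUT = 5.0   # seconds to wait for PONG before calling the daemon hung


def probe_clamd(addr=CLAMD_ADDR, timeout=PROBE_TIMEOUT):
    """Send clamd's PING command and classify the result:
    'ok'   - answered PONG
    'dead' - nothing accepted the connection (process gone or not listening)
    'hung' - connection accepted but no PONG within the timeout
    A plain process supervisor only sees the 'dead' case; this probe is what
    catches the 'hung' case complained about in the thread."""
    try:
        with socket.create_connection(addr, timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(b"PING\n")
            try:
                reply = s.recv(64)
            except socket.timeout:
                return "hung"
    except OSError:
        return "dead"
    return "ok" if reply.strip() == b"PONG" else "hung"


def watchdog_once(probe, restart, log=print):
    """One pass of the cron job: probe, and restart only when the probe fails.
    Returns (state, restarted) so callers and tests can see what happened."""
    state = probe()
    if state == "ok":
        return state, False
    log(f"clamd is {state}; restarting")
    restart()
    return state, True


class FakeClamd:
    """Constructed stand-in for clamd, used only so the probe can be exercised
    offline. mode 'answer' replies PONG like a healthy daemon; mode 'hang'
    accepts the connection and then stays silent, like a wedged daemon."""

    def __init__(self, mode):
        self.mode = mode
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))        # kernel picks a free port
        self.sock.listen(1)
        self.sock.settimeout(0.2)
        self.addr = self.sock.getsockname()
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, _ = self.sock.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(2.0)
                try:
                    request = conn.recv(64)
                except socket.timeout:
                    continue
                if self.mode == "answer" and request.strip() == b"PING":
                    conn.sendall(b"PONG\n")
                else:
                    self._stop.wait(2.0)            # silence: the hung case

    def close(self):
        self._stop.set()
        self._thread.join()
        self.sock.close()


if __name__ == "__main__":
    def restart():
        # Restart hook for a real host: an assumption, adjust to the local init script.
        subprocess.call(["/etc/init.d/clamd", "restart"])

    print(watchdog_once(probe_clamd, restart))
```

Run from cron every minute, as the thread suggests; because the probe speaks the daemon's own protocol rather than checking for a process, a clamd that is alive but no longer answering is restarted too.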



RE: [Clamav-users] password-protected Worm.Bagle.H

2004-03-02 Thread Diego d'Ambra
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:clamav-users-
 [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
 Sent: 2. marts 2004 13:15
 To: [EMAIL PROTECTED]
 Subject: Re: [Clamav-users] password-protected Worm.Bagle.H
 
 Suggestions?  There are really easy ways for the virus writer to
 circumvent this type of check but until they start utilizing such
 strategies, is it possible to include the zip's crc into ClamAV's
sigs?
 

From the (unzipped) samples I've access to they differ in size, so MD5
or other checksums are useless.

Best regards,
Diego d'Ambra


smime.p7s
Description: S/MIME cryptographic signature
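Eric's CRC idea and the replies to it, as an added Python example that is not code from the thread or from ClamAV: it reads a zip's central directory without extracting or deciphering anything, so it obtains the same name, size, CRC-32 and encrypted flag that `unzip -lv` prints, and matches (CRC-32, size) pairs as Rob suggested. Since Tomasz and Diego point out that copies of the worm differ in size and checksum, it also applies a rule that needs no per-sample checksum at all: an encrypted member with an executable name is flagged on policy. The sample archive, its payload and the extension list are constructed for the example; the 7ac0095f/21150 indicator is taken from the listing posted earlier in the thread.

```python
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"
FLAG_ENCRYPTED = 0x0001            # general-purpose bit 0 = member is enciphered
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat")   # constructed policy list

# Indicator from the thread: CRC-32 and length of hifrm.scr in the posted listing.
THREAD_INDICATOR = (0x7AC0095F, 21150)


def list_entries(data):
    """Walk the central directory of a zip held in memory and return one dict
    per member with its name, sizes, CRC-32 and encrypted flag. No member data
    is inflated or deciphered; everything comes from the headers."""
    eocd_at = data.rfind(EOCD_SIG)
    if eocd_at < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, count, _, cd_offset, _ = struct.unpack_from("<4sHHHHLLH", data, eocd_at)
    entries, pos = [], cd_offset
    for _ in range(count):
        (sig, _, _, flags, method, _, _, crc, csize, usize,
         nlen, xlen, clen, _, _, _, _) = struct.unpack_from("<4sHHHHHHLLLHHHHHLL", data, pos)
        if sig != CENTRAL_SIG:
            raise ValueError("corrupt central directory")
        name = data[pos + 46:pos + 46 + nlen].decode("cp437")
        entries.append({"name": name, "method": method, "size": usize,
                        "compressed": csize, "crc": crc,
                        "ratio": round(100 * (1 - csize / usize)) if usize else 0,
                        "encrypted": bool(flags & FLAG_ENCRYPTED)})
        pos += 46 + nlen + xlen + clen
    return entries


def check_attachment(data, indicators=frozenset([THREAD_INDICATOR])):
    """Return (reason, member name) findings. A (CRC-32, size) match is the
    check Eric proposed with Rob's size refinement; the second rule needs no
    per-sample checksum, which matters because the copies vary in size and CRC:
    an enciphered member with an executable name is refused on policy."""
    findings = []
    for e in list_entries(data):
        if (e["crc"], e["size"]) in indicators:
            findings.append(("indicator-match", e["name"]))
        if e["encrypted"] and e["name"].lower().endswith(EXEC_EXT):
            findings.append(("encrypted-executable", e["name"]))
    return findings


def build_sample(name, payload, encrypted):
    """Constructed test input: a one-member stored zip. With encrypted=True the
    encrypted bit is set in the local and central headers so the archive looks
    password protected to a listing tool; the bytes are not actually enciphered."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    if encrypted:
        # flag field sits at +6 in the local header and +8 in the central header
        for off in (data.find(LOCAL_SIG) + 6, data.find(CENTRAL_SIG) + 8):
            flags = struct.unpack_from("<H", data, off)[0] | FLAG_ENCRYPTED
            struct.pack_into("<H", data, off, flags)
    return bytes(data)


SAMPLE_PAYLOAD = b"MZ constructed sample, not a real program\n" * 50  # constructed
SAMPLE_CRC = zlib.crc32(SAMPLE_PAYLOAD) & 0xFFFFFFFF

if __name__ == "__main__":
    sample = build_sample("hifrm.scr", SAMPLE_PAYLOAD, encrypted=True)
    for e in list_entries(sample):
        print(f'{e["size"]:>8}  {e["ratio"]:>3}%  {e["crc"]:08x}  '
              f'{"enc" if e["encrypted"] else "   "}  {e["name"]}')
    print(check_attachment(sample, {THREAD_INDICATOR, (SAMPLE_CRC, len(SAMPLE_PAYLOAD))}))
```

The CRC-32 in the header is computed over the plaintext before enciphering, which is why a listing tool can show it without the password and why a checksum indicator is trivially evaded by any change to the payload; the policy rule is the part that survives new variants.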


AW: AW: AW: AW: [Clamav-users] clamav stops running

2004-03-02 Thread Power-Netz \(Schwarz\)
 
  supervise... but, as said, it won't help if the daemon stops answering but
  does not crash at all.

 supervise is part of daemontools.

good to know, I never installed/compiled or viewed daemontools :-))
(multi-admin server)






AW: [Clamav-users] Clamd problem Solaris 8

2004-03-02 Thread Clamav
Hi!
I tried the latest snapshot with size > 1kB (20040301) and had a compilation problem
on Solaris 8!!

gcc -g -O2 -o .libs/clamd options.o cfgfile.o clamd.o tcpserver.o localserver.o
session.o thrmgr.o
server-th.o scanner.o others.o clamuko.o dazukoio_compat12.o dazukoio.o tests.o
../clamscan/getopt.o  -L/export/home/wolfgang/dev/clamav-devel-20040301/libclamav
/export/home/wolfgang/dev/clamav-devel-20040301/libclamav/.libs/libclamav.so -lz -lbz2
/usr/local/lib/libgmp.so -lpthread -lsocket -lnsl -lresolv -R/usr/local/lib
ld: fatal: file dazukoio_compat12.o: wrong ELF machine type: EM_386
ld: fatal: File processing errors. No output written to .libs/clamd
collect2: ld returned 1 exit status
*** Error code 1
make: Fatal error: Command failed for target `clamd'
Current working directory /export/home/wolfgang/dev/clamav-devel-20040301/clamd
*** Error code 1
make: Fatal error: Command failed for target `all-recursive'
Current working directory /export/home/wolfgang/dev/clamav-devel-20040301
*** Error code 1
make: Fatal error: Command failed for target `all'

Is this also a known problem??
Wolfgang



 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf
 Of Tomasz Kojm
 Sent: Tuesday, 02 March 2004 09:23
 To: [EMAIL PROTECTED]
 Subject: Re: [Clamav-users] Clamd problem Solaris 8
 
 
 On Tue, 2 Mar 2004 07:51:30 +0100
 Clamav [EMAIL PROTECTED] wrote:
 
   Tue Mar  2 02:56:35 2004 - Session 0 stopped due to timeout.
   Tue Mar  2 03:05:02 2004 - +++ Started at Tue Mar  2 03:05:02 2004
  
  Is this a known problem ?
 
 Yes, it is. Please update to the CVS version.
 
 -- 
oo. Tomasz Kojm [EMAIL PROTECTED]
   (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
  \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
//\   /\  Tue Mar  2 09:22:12 CET 2004
 




[Clamav-users] Wanted

2004-03-02 Thread Diego d'Ambra
Hello Community,

We suspect that ClamAV is missing a signature against Welchia.B
(Nachi.B). If someone has a sample please submit it through
http://clamav.sourceforge.net/cgi-bin/sendvirus.cgi

Thanks in advance...

Best regards,
Diego d'Ambra


smime.p7s
Description: S/MIME cryptographic signature


Re: [Clamav-users] Errors - need some help

2004-03-02 Thread Trog
On Tue, 2004-03-02 at 13:36, Kevin Barrett wrote:
 ClamAV users;
 
 
 I could use a bit of direction here.  I've just installed clamd from RPM on
 a RH linux server running EXIM with the exiscan-acl patch. When I enable
 an ACL for Scan at DATA time I get the following error in the log files:
 2004-02-27 08:59:04 1AwiW8-NF-Lk malware acl condition: clamd: ClamAV
 returned /var/spool/exim/scan/1AwiW8-NF-Lk: Can't access the file ERROR
 
 The directory is there and owned by exim but there are no files in it.
 

You need to run clamd as a user with permissions to read the files
(which you put in clamav.conf), probably whatever exim runs as.

-trog



signature.asc
Description: This is a digitally signed message part


Re: AW: [Clamav-users] clamav stops running

2004-03-02 Thread Nigel Horne
On Tuesday 02 Mar 2004 11:40 am, Darren Honeyball [ML] wrote:
 Power-Netz (Schwarz) wrote:
 I frequently have to run clamav manually. What makes it stop? Is
 there a way to re-run
 it automatically?

  Read the ML history; you will find some restart scripts for clamd.
  Make a cron job */1 * * * * for it.

 I personally run clamd under daemontools as I'm already running
 daemontools for qmail.  Works a treat.

Can clamd be started from xinetd?

 You can find daemontools at http://cr.yp.to/daemontools.html

 D

-Nigel

-- 
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK.  ICQ#20252325
[EMAIL PROTECTED] http://www.bandsman.co.uk





Re: [Clamav-users] Errors - need some help

2004-03-02 Thread Prakash Velayutham

ClamAV users;

I could use a bit of direction here.  I've just installed clamd from RPM 
on a RH linux server running EXIM. with the exiscan-acl patch. When I 
enable an ACL for Scan at DATA time I get the following error in the log files
2004-02-27 08:59:04 1AwiW8-NF-Lk malware acl condition: clamd: ClamAV 
returned /var/spool/exim/scan/1AwiW8-NF-Lk: Can't access the file ERROR

The directory is there and owned by exim but there are no files in it.

Any help, thoughts?

Kevin
Hi Kevin,

I got this same error and I have ClamAV, AMaViS and sendmail running.
I tried various things like changing permissions and stuff. Nothing worked.
Another thing I noticed was that this happens only when clam is made to run 
as clam user and not root user. When it runs as root, no problems at all 
(but running as root is the problem). Please check if this is true in your 
case.
I looked into amavis script and hacked its directory creation permissions 
and now things are working OK even when running as non-root.
(The hack is not the best thing to do, but at least temporarily it solved my 
problem).
I am still waiting for someone to answer my earlier question on this one. 
If people want me to resubmit my question, I would be happy to do it.

Prakash





Re: [Clamav-users] clamav stops running

2004-03-02 Thread Phil Schilling
On Tue, 2 Mar 2004 15:17:37 +0300 (EAT)
Japhet Samson [EMAIL PROTECTED] wrote:

  Power-Netz (Schwarz) wrote:
 
 I personally run clamd under daemontools as I'm already running
 daemontools for qmail.  Works a treat.
 
 You can find daemontools at http://cr.yp.to/daemontools.html
 
 
  That will not help you, because clam will stop working, not crashing.
 
  Works just fine for me - my spamd occasionally dies, but never hangs
  with the daemon still running.
 
 
 daemontools is said to work on unix only, what is the alternative in linux?
 
 
It works on Linux also. 

Phil



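Editor's added example, not code from this thread or from the ClamAV project: the "restart it from cron" idea discussed above, written as a health check rather than a process check. A process check cannot tell a hung clamd from a healthy one; asking the daemon to answer PING with PONG over its socket can, and it also catches the dead-daemon case (connect fails). It assumes clamd listens on a Unix socket (the LocalSocket path in clamav.conf; /var/run/clamav/clamd.sock below is a placeholder) and that the restart command is whatever your init system uses, passed in as a callable. fake_clamd is a test fixture standing in for the daemon so the script can be exercised offline.

```python
import os
import socket
import subprocess
import tempfile
import threading


def clamd_alive(socket_path, timeout=5.0):
    """True if clamd answers PING with PONG on its local socket within
    `timeout` seconds. Covers both failure modes from the thread: a dead
    daemon (connect fails) and a hung one (connects, never answers)."""
    try:
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect(socket_path)
            s.sendall(b"PING\n")
            reply = s.recv(64)
    except OSError:          # connection refused, missing socket file, timeout
        return False
    return reply.strip() == b"PONG"


def ensure_clamd(socket_path, restart, timeout=5.0):
    """Cron-job body: run the health check and call `restart` when it fails.
    `restart` is any callable, e.g. a subprocess.call of your init script
    (assumed path, see __main__). Returns 'ok' or 'restarted'."""
    if clamd_alive(socket_path, timeout):
        return "ok"
    restart()
    return "restarted"


def fake_clamd(answer):
    """Test fixture only, not clamd: listen on a fresh socket in a temp dir,
    serve one connection and reply `answer`. answer=None means accept the
    connection but never reply, which is how a hung daemon behaves.
    Returns the socket path."""
    path = os.path.join(tempfile.mkdtemp(), "clamd.sock")
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(64)                 # the client's PING
            if answer is not None:
                conn.sendall(answer)
            else:
                conn.recv(64)             # block until the client gives up and closes
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return path


if __name__ == "__main__":
    # Assumed paths: adjust to LocalSocket in clamav.conf and to your init system.
    state = ensure_clamd("/var/run/clamav/clamd.sock",
                         restart=lambda: subprocess.call(["/etc/init.d/clamd", "restart"]))
    print("clamd", state)
```

Run it every minute from cron as the root or clamd account; the timeout should be comfortably below the cron interval so two runs never overlap on a daemon that is merely busy reloading its database.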

[Clamav-users] Re: password-protected Worm.Bagle.F

2004-03-02 Thread Derrick 'dman' Hudson
On Tue, Mar 02, 2004 at 09:37:48AM +0100, Tomasz Papszun wrote:
| On Mon, 01 Mar 2004 at 21:04:55 -0500, Derrick 'dman' Hudson wrote:
|  
|  Is the zip file really encrypted, or is the password just an
| 
| Really.

Oh, ok.  I guess zip files can be more secure than I assumed at first.

-D

-- 
I can do all things through Christ who strengthens me.
Philippians 4:13
 
www: http://dman13.dyndns.org/~dman/    jabber: [EMAIL PROTECTED]




[Clamav-users] database reloading (waiting)

2004-03-02 Thread Jaap Scholten
Hi all

I run clamd version 0.67 (which is super-stable!) + clam-milter + sendmail
8.12.

Suddenly clamd is struggling to load the db and reports the waiting as
listed below.
Updates happen at 32 minutes past the hour.  While clamd was waiting for the
db, my smtp service chugged along so slowly that it was reaching time-outs.
Fixed by restarting clamd  the milter.  Any ideas what this is and why it
happens?


Tue Mar  2 12:24:15 2004 - Session 0 stopped due to timeout.
Tue Mar  2 12:24:15 2004 - SelfCheck: Database modification detected.
Forcing reload.
Tue Mar  2 12:24:15 2004 - SelfCheck: Integrity OK
Tue Mar  2 12:24:15 2004 - Main thread: database reloading (waiting).
Tue Mar  2 12:26:14 2004 - Database reload: some threads must be stopped in
the next iteration.
Tue Mar  2 12:26:14 2004 - Session 1 stopped due to timeout.
Tue Mar  2 12:26:16 2004 - Main thread: database reloaded.
Tue Mar  2 12:26:16 2004 - Main thread: database reloading (waiting).
Tue Mar  2 12:26:16 2004 - Accepted connection on port 40940, fd 109
Tue Mar  2 12:28:16 2004 - Main thread: database reloaded.
Tue Mar  2 12:28:16 2004 - Main thread: database reloading (waiting).
Tue Mar  2 12:28:16 2004 - Accepted connection on port 29594, fd 109
Tue Mar  2 12:30:16 2004 - Main thread: database reloaded.
Tue Mar  2 12:30:16 2004 - Main thread: database reloading (waiting).
Tue Mar  2 12:30:16 2004 - Accepted connection on port 41978, fd 109
Tue Mar  2 12:32:17 2004 - Main thread: database reloaded.
Tue Mar  2 12:32:17 2004 - Main thread: database reloading (waiting).
Tue Mar  2 12:32:17 2004 - Accepted connection on port 2455, fd 126
Tue Mar  2 12:34:17 2004 - Main thread: database reloaded.
Tue Mar  2 12:34:17 2004 - Main thread: database reloading (waiting).
Tue Mar  2 12:34:17 2004 - Accepted connection on port 36830, fd 130
Tue Mar  2 12:36:17 2004 - Main thread: database reloaded.
Tue Mar  2 12:36:17 2004 - Main thread: database reloading (waiting).
Tue Mar  2 12:36:17 2004 - Accepted connection on port 16153, fd 137
Tue Mar  2 12:38:18 2004 - Main thread: database reloaded.
Tue Mar  2 12:38:18 2004 - Main thread: database reloading (waiting).
Tue Mar  2 12:38:18 2004 - Accepted connection on port 9453, fd 141
Tue Mar  2 12:40:18 2004 - Main thread: database reloaded.
Tue Mar  2 12:40:18 2004 - Main thread: database reloading (waiting).
Tue Mar  2 12:40:18 2004 - Accepted connection on port 36723, fd 145
Tue Mar  2 12:42:18 2004 - Main thread: database reloaded.
Tue Mar  2 12:42:18 2004 - Main thread: database reloading (waiting).
Tue Mar  2 12:44:19 2004 - Main thread: database reloaded.
Tue Mar  2 12:44:19 2004 - Main thread: database reloading (waiting).
Tue Mar  2 12:46:19 2004 - Main thread: database reloaded.
Tue Mar  2 12:46:19 2004 - Main thread: database reloading (waiting).

Jaap Scholten

eNetworks
136 Upper Waterkant Street
Cape Town 8001, South Africa

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.594 / Virus Database: 377 - Release Date: 2004/02/24






[Clamav-users] German Language

2004-03-02 Thread Rudolf Kliemstein



Hi all,

I would like to have ClamAV send its messages in 
German.
Where can I edit this text?
Or has anyone done this before?

Regards

Rudi


RE: [Clamav-users] password-protected Worm.Bagle.H

2004-03-02 Thread Mitch \(WebCob\)


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Diego
 d'Ambra
 Sent: Tuesday, March 02, 2004 4:55 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [Clamav-users] password-protected Worm.Bagle.H


  -Original Message-
  From: [EMAIL PROTECTED] [mailto:clamav-users-
  [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
  Sent: 2. marts 2004 13:15
  To: [EMAIL PROTECTED]
  Subject: Re: [Clamav-users] password-protected Worm.Bagle.H
 
  Suggestions?  There are really easy ways for the virus writer to
  circumvent this type of check but until they start utilizing such
  strategies, is it possible to include the zip's crc into ClamAV's
 sigs?
 

 From the (unzipped) samples I've access to they differ in size, so MD5
 or other checksums are useless.

 Best regards,
 Diego d'Ambra

Seeing how quickly this could get out of hand, and how hard it would be to
write code to read the password from the mail - how about a simple option
that allows full rejection of password encrypted archives - or optional
(based on db lookup) but I'm probably hoping too much there...

I run virtual users out of a mysql database - the user emails are in one
field - options controlling mail handling are in others ('Y' / 'N' enums).

Being able to control this would be ideal, but being able to outright reject
them would be an improvement.

Another tack on this might be accomplished through procmail / maildrop if
unzip will report if archived files are in fact password protected... does
anyone know if there is a way to list passworded file besides trying to
extract them?

Just a few thoughts - as always thank you for the excellent tool

m/





Re: [Clamav-users] password-protected Worm.Bagle.H

2004-03-02 Thread Erik Corry
On Tue, Mar 02, 2004 at 07:38:59AM -0800, Mitch (WebCob) wrote:
 
 Seeing how quickly this could get out of hand, and how hard it would be to
 write code to read the password from the mail - how about a simple option
 that allows full rejection of password encrypted archives - or optional
 (based on db lookup) but I'm probably hoping too much there...

The question is how much of a problem it really is.  Are users
really that dumb?

What I'm wondering is whether the encrypted version of the
virus can be created by the unencrypted version, or whether the
encrypted versions of the virus we have seen have all been
produced by actual encrypted-zip infections.  Anyone know?

-- 
Erik Corry I'd be a Libertarian, if they weren't all a
[EMAIL PROTECTED] bunch of tax-dodging professional whiners.   - B. Breathed.




Re: [Clamav-users] Re: password-protected Worm.Bagle.F

2004-03-02 Thread B.K. DeLong
At 10:04 AM 3/2/2004 +0100, Tomasz Papszun wrote:
As usually: only if ClamAV with an up-to-date database isn't detecting
an infection in a sample. In this particular case a sample = a full
message sample.
OK  - I am still receiving emails containing a PW-protected zip with this 
virus. Should I use the Web form to get you the email? Or should I just 
redirect the message to [EMAIL PROTECTED] ? I know the latter is deprecated 
so what would be the best way to get you a sample in this case?

Thanks in advance.

--
B.K. DeLong
[EMAIL PROTECTED]
+1.617.797.2472
http://ocw.mit.edu                  Work.
http://www.brain-stream.com         Play.
http://www.the-leaky-cauldron.org   Potter.
http://www.city-of-doors.com        Sigil.
http://www.hackerfoundation.org     Future.
PGP Fingerprint:
38D4 D4D4 5819 8667 DFD5  A62D AF61 15FF 297D 67FE 





[Clamav-users] German Language HTML

2004-03-02 Thread Rudolf Kliemstein
Sorry for the HTML, Outlook default :-)
Again, does anyone have locales for ClamAV? German in particular!

Regards

Rudi




[Clamav-users] virus not detected one but detected on another machine

2004-03-02 Thread P.V.Anthony
Hi,

I have a strange problem.

I have two email servers. Both are Redhat 7.3 and using qmail.

I have installed clamav 0.65 from the source on Machine A. Then I installed
clamav 0.67

On Machine B I have installed clamav 0.67 the first time.

I am using gadoyanvirus 0.2 as the link between qmail and clamav.

Machine B detects all the viruses but Machine A does not detect all the viruses.

When I send eicar.com, the test virus both detects it. But when I send some
of the new viruses like document_4125.pif only Machine B detects it.

I have checked the following.

1. clamav.conf (both are the same)
2. run freshclam (both are up to date)
3. I have increased the softlimit for qmail to 60mb (both have the same
value)
4. ftp the virus into the Machine A and did a clamscan and it detected it.
5. send eicar.com both machines detected it.

The only difference I can see is that on machine A I installed clamav 0.65
then installed 0.67.

Is there anything else I can do or check?

P.V.Anthony






RE: [Clamav-users] password-protected Worm.Bagle.H

2004-03-02 Thread Rob
 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf 
 Of Erik Corry
 
 The question is how much of a problem it really is.  Are users
 really that dumb?
 
 What I'm wondering is whether the encrypted version of the
 virus can be created by the unencrypted version, or whether the
 encrypted versions of the virus we have seen have all been
 produced by actual encrypted-zip infections.  Anyone know?

Yes, people really are that dumb.  Heck, I talked with somebody earlier
today who infected himself with Netsky-D, and this is somebody normally
pretty smart...


PLEASE - keep list traffic on the list.  Email sent directly to me may be
ignored utterly.

-- 
Rob | What part of no was it you didn't understand? 




[Clamav-users] ClamAV 0.67 memory leak

2004-03-02 Thread Nigel Kukard
Anyone seen this...

 3843 ?S  0:00 clamd
 3846 ?S  0:01  \_ clamd
 3847 ?S  0:03  \_ clamd

when i cat the /proc/3843/status file...

Name:   clamd
State:  S (sleeping)
Tgid:   3843
Pid:3843
PPid:   1
TracerPid:  0
Uid:0   0   0   0
Gid:0   0   0   0
FDSize: 32
Groups: 0
VmSize:   210900 kB
VmLck: 0 kB
VmRSS: 22940 kB
VmData:   209128 kB
VmStk:16 kB
VmExe:36 kB
VmLib:  1672 kB






RE: [Clamav-users] Re: password-protected Worm.Bagle.F

2004-03-02 Thread Diego d'Ambra
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:clamav-users-
 [EMAIL PROTECTED] On Behalf Of B.K. DeLong
 Sent: 2. marts 2004 17:06
 To: [EMAIL PROTECTED]
 Subject: Re: [Clamav-users] Re: password-protected Worm.Bagle.F
 
 OK  - I am still receiving emails containing a PW-protected zip with
this
 virus. Should I use the Web form to get you the email? Or should I
just
 redirect the message to [EMAIL PROTECTED] ? I know the latter is
deprecated
 so what would be the best way to get you a sample in this case?
 

Through http://clamav.sourceforge.net/cgi-bin/sendvirus.cgi

Best regards,
Diego d'Ambra




Re: [Clamav-users] clamav and netsky.d

2004-03-02 Thread Cedric Foll
Vpopmail Mailinglist wrote:

hi Guys..
i there a update for netsky.d ?
 

ClamAV has detected it for 2 days!
Just run freshclam.


Re: [Clamav-users] password-protected Worm.Bagle.H

2004-03-02 Thread John Jolet

The question is how much of a problem it really is.  Are users
really that dumb?
What I'm wondering is whether the encrypted version of the
virus can be created by the unencrypted version, or whether the
encrypted versions of the virus we have seen have all been
produced by actual encrypted-zip infections.  Anyone know?
 

yes, they are.  i've gotten about 10 of those in the last 3 days.



[Clamav-users] Archive Not Working?

2004-03-02 Thread Tom Walsh
The archive for the mailing list seems to have stopped around the 14th
of January.

Can the admins take a look at that and figure out why?

Yay sourceforge!

Tom Walsh
Network Administrator
http://www.ala.net/






[Clamav-users] For those using Procmail - a simple rule to hinder the Bagle-I virus

2004-03-02 Thread Support ePaxsys/FRWS
Maybe OT - but it's a decent interim fix so people can continue sending 
large(r) Zips.

SO - not sure if this is OT or what, but if you use procmail as the 
delivery agent on your system, this rule below will catch the ZIPs under 
250k in size and having 'password:' somewhere in the body.
Not perfect, not guaranteed - but it's been working for us. If I knew how 
large or how small these attachments were, we could obviously adjust the 
size. And I am sure it can be tweaked - like do these viruses only have the 
attachment name in the headers and not the body? Would make the rule less 
prone to hit regular Zips.

Places them all in a file in your mail spool folder 
called:  antivirus-bagle.I so you can hunt down any false positives until 
the Virus Scanner folks can figure out how to handle this one. Good luck guys!

Keep up the good work ClamAV, just another one to beat down. Too bad the 
MailScanner folks could not adjust for size on file name type rules...

Jerome

# TEMP RULE FOR BAGLE-I
# Outer rule: headers or body (flags B and H) name a .zip attachment
:0 BH
* ^(Content.*(file)?name=.+\.(zip).*$|\
  Content-Type:(.*$)+.*(file)?name=.+\.(zip).*$|\
  .*\/^.*name=.*\.(zip))
{
  # ... and the message is under 250 kB, as described above
  :0
  * < 250000
  {
    # ... and the body carries the "password:" line these worms use;
    # \/ copies the matched text into $MATCH for the log line
    :0 B
    * .*\/(password:)
    {
      LOG="SPAMLOG Antivirus BAGLE-I $MATCH"
      # file it in antivirus-bagle.I instead of delivering it
      :0
      antivirus-bagle.I
    }
  }
}


ePaxsys/FRWS Technical Staff
ePaxsys, Inc. http://www.epaxsys.net
FRWS: http://www.frws.com
Live Text Support: http://www.epaxsys.net/live-help




Re: [Clamav-users] Re: password-protected Worm.Bagle.F

2004-03-02 Thread Tomasz Papszun
On Tue, 02 Mar 2004 at 11:05:53 -0500, B.K. DeLong wrote:
 At 10:04 AM 3/2/2004 +0100, Tomasz Papszun wrote:
 As usually: only if ClamAV with an up-to-date database isn't detecting
 an infection in a sample. In this particular case a sample = a full
 message sample.
 
 OK  - I am still receiving emails containing a PW-protected zip with this 
 virus. Should I use the Web form to get you the email? Or should I just 

Yes, the WWW form.

 redirect the message to [EMAIL PROTECTED] ? I know the latter is deprecated 
 so what would be the best way to get you a sample in this case?

http://clamav.sourceforge.net/cgi-bin/sendvirus.cgi

-- 
 Tomasz Papszun   SysAdm @ TP S.A. Lodz, Poland  | And it's only
 [EMAIL PROTECTED]   http://www.lodz.tpsa.pl/   | ones and zeros.
 [EMAIL PROTECTED]   http://www.ClamAV.net/   A GPL virus scanner




Re: [Clamav-users] virus not detected one but detected on another machine

2004-03-02 Thread russ
On Tue, 2004-03-02 at 12:21, P.V.Anthony wrote:

 The only diffrence I can see is that on machine A I installed clamav 0.65
 then installed 0.67.

So what part of 0.67 works better and I should install it on machine A
are you missing?
 
 Is there anything else I can do or check?

Check if it is plugged in.

-- 
Russel Oliver
[EMAIL PROTECTED]
http://www.techsane.com





[Clamav-users] Some more evidence for my last mail ...

2004-03-02 Thread Thomas Seifert
Hey there,

in my last mail I told you that clamscan finds the virus while clamd doesn't.
Here's some more evidence for this:
sh-2.04$ /usr/local/clamav-0.67/bin/clamscan ./your_archive.pif
./your_archive.pif: Worm.SomeFool.B-petite FOUND
--- SCAN SUMMARY ---
Known viruses: 20355
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.02 MB
I/O buffer size: 131072 bytes
Time: 0.750 sec (0 m 0 s)
sh-2.04$ /usr/local/clamav-0.67/bin/clamdscan ./your_archive.pif
/var/amavis/./your_archive.pif: OK
--- SCAN SUMMARY ---
Infected files: 0
Time: 0.007 sec (0 m 0 s)
Any ideas?
Never got such problems with the previous versions :(.
Thomas





[Clamav-users] netsky-d found by clamscan but not by clamd?

2004-03-02 Thread Thomas Seifert
hey folks,

I'm running clam-av 0.67 in combination with amavisd-new.
With nearly never a virus slipping through, thanks to the devs.
But recently a lot of viruses started to slip through.
Checking it on the same machine, extracting the attachment by hand
it is detected by clamscan, so it must be clamd choking on it.
amavisd-new extracts the parts too but stores them without the filenames
or extension. is there a dependency on the name?
or any other thing I could look for?

TIA,

Thomas





Re: [Clamav-users] password-protected Worm.Bagle.H

2004-03-02 Thread Erik Corry
On Tue, Mar 02, 2004 at 11:59:19AM -0600, John Jolet wrote:
 
 The question is how much of a problem it really is.  Are users
 really that dumb?

 yes, they are.  i've gotten about 10 of those in the last 3 days.

That doesn't actually prove that anyone typed in the password
and got infected.  The version with unencrypted zip file can
send the version with encrypted zip file to others.

The best defence against it (if it really is a problem) might
be blocking encrypted zip files with suspicious filenames in
them.  You can see that the file contains a .exe .pif, etc.
ending without the password.

That's probably not a task for clamav though, more like MIMEDefang:
http://www.mimedefang.org/

Someone seems to have been giving this some thought:
http://lists.roaringpenguin.com/pipermail/mimedefang/2004-March/020563.html

-- 
Erik Corry I'd be a Libertarian, if they weren't all a
[EMAIL PROTECTED] bunch of tax-dodging professional whiners.   - B. Breathed.



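Editor's added example, not from the thread and not ClamAV code, for two points raised in this discussion: Mitch asked whether password-protected entries can be listed without trying to extract them, and Erik notes that the file names inside an encrypted zip are visible without the password. Both follow from the format itself. Traditional PKZIP encryption scrambles entry contents only; the central directory at the end of the archive, with each entry's name and the general-purpose flag word whose bit 0 marks "encrypted", is stored in the clear. The parser below reads just that directory and flags encrypted entries carrying executable names, which is the Bagle pattern. The sample archive is constructed in code (a harmless zip with the encryption bit set on one entry, not a real worm sample), and the list of suspect extensions is a policy assumption.

```python
import io
import struct
import zipfile

# Extensions a gateway would refuse inside an encrypted archive (policy assumption).
EXEC_SUFFIXES = (".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js")

_EOCD_SIG = b"PK\x05\x06"
_CDH_SIG = b"PK\x01\x02"
_EOCD_FMT = "<4s4HIIH"      # end-of-central-directory record: 22 bytes + comment
_CDH_FMT = "<4s6H3I5H2I"    # central directory file header: 46 bytes + name/extra/comment


def central_directory(data):
    """Yield (header_offset, name, flags, method, compressed_size) for every
    entry listed in the zip's central directory. None of these fields is
    encrypted: traditional PKZIP encryption covers file contents only, so
    names and the flag word are readable without any password."""
    eocd = data.rfind(_EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record: not a zip file")
    (_sig, _disk, _cd_disk, _n_here, n_total,
     _cd_size, cd_offset, _comment_len) = struct.unpack(_EOCD_FMT, data[eocd:eocd + 22])
    pos = cd_offset
    for _ in range(n_total):
        fields = struct.unpack(_CDH_FMT, data[pos:pos + 46])
        if fields[0] != _CDH_SIG:
            raise ValueError("corrupt central directory at offset %d" % pos)
        flags, method, csize = fields[3], fields[4], fields[8]
        name_len, extra_len, comment_len = fields[10], fields[11], fields[12]
        name = data[pos + 46:pos + 46 + name_len].decode("cp437", "replace")
        yield pos, name, flags, method, csize
        pos += 46 + name_len + extra_len + comment_len


def encrypted_entries(data):
    """Names of entries whose general-purpose bit 0 (encrypted) is set."""
    return [name for _off, name, flags, _m, _c in central_directory(data) if flags & 0x0001]


def suspicious_entries(data):
    """Encrypted entries with an executable extension: what a gateway could
    reject outright without knowing the password."""
    return [n for n in encrypted_entries(data) if n.lower().endswith(EXEC_SUFFIXES)]


def build_sample_zip(files, encrypted=()):
    """Constructed test data, not a real sample: write `files` with zipfile,
    then set the encryption bit in the central directory for the names in
    `encrypted`. Contents stay plain; the flag is all a gateway looks at."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    buf = bytearray(out.getvalue())
    for off, name, _f, _m, _c in central_directory(bytes(buf)):
        if name in encrypted:
            buf[off + 8] |= 0x01   # low byte of the little-endian flags field
    return bytes(buf)


if __name__ == "__main__":
    sample = build_sample_zip({"readme.txt": b"constructed sample",
                               "price.exe": b"MZ" + b"\0" * 64}, encrypted=("price.exe",))
    print("encrypted entries:", encrypted_entries(sample))
    print("would reject:", suspicious_entries(sample))
```

Because nothing is decrypted or decompressed, this check is cheap enough to run on every attachment in a milter or procmail recipe, and it is immune to the "we can't read the password out of the mail body" problem. The obvious evasion is an archive nested inside another; the same walk applied recursively to entries that are themselves unencrypted zips closes that gap.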

Re: [Clamav-users] For those using Procmail - a simple rule to hinder the Bagle-I virus

2004-03-02 Thread Tomasz Papszun
On Tue, 02 Mar 2004 at 11:18:25 -0700, Support ePaxsys/FRWS wrote:
 Maybe OT - but its a decent interim fix so people can continue sending 
 large(r) Zips.
 
 SO - not sure if this is OT or what, but if you use procmail as the 
 delivery agent on your system, this rule below will catch the ZIPs under 
 250k in size and having   'password:'  somewhere in the body.
 Not perfect, not guaranteed - but its been working for us. If I knew how 
 large or how small these attachments were, we could obviously adjust the 
 size. [...]

Usually messages with various Bagles are between 20 KB and 35 KB in
size. Attachments themselves (decoded) are between 15 KB and 30 KB.

-- 
 Tomasz Papszun   SysAdm @ TP S.A. Lodz, Poland  | And it's only
 [EMAIL PROTECTED]   http://www.lodz.tpsa.pl/   | ones and zeros.
 [EMAIL PROTECTED]   http://www.ClamAV.net/   A GPL virus scanner




Re: [Clamav-users] Some more evidence for my last mail ...

2004-03-02 Thread Mike Cathey
Thomas,

On Tue, 2004-03-02 at 14:09, Thomas Seifert wrote:
 in my last mail I told you that clamscan finds the virus while clamd doesn't.
 Here's some more evidence for this:

Reload clamd and see if that makes a difference.  It sounds like
freshclam may not be telling clamd to reload the virus databases.

Cheers,

Mike





Re: [Clamav-users] Some more evidence for my last mail ...

2004-03-02 Thread Tomasz Papszun
On Tue, 02 Mar 2004 at 20:09:08 +0100, Thomas Seifert wrote:
 
 in my last mail I told you that clamscan finds the virus while clamd doesn't.
 Here's some more evidence for this:
 
 sh-2.04$ /usr/local/clamav-0.67/bin/clamscan ./your_archive.pif
 ./your_archive.pif: Worm.SomeFool.B-petite FOUND
 
[...]
 sh-2.04$ /usr/local/clamav-0.67/bin/clamdscan ./your_archive.pif
 /var/amavis/./your_archive.pif: OK

Only a short note related to clamdscan itself:

is your_archive.pif readable by user running clamd? (not you, but
clamd).

-- 
 Tomasz Papszun   SysAdm @ TP S.A. Lodz, Poland  | And it's only
 [EMAIL PROTECTED]   http://www.lodz.tpsa.pl/   | ones and zeros.
 [EMAIL PROTECTED]   http://www.ClamAV.net/   A GPL virus scanner




Re: [Clamav-users] ClamAV 0.67 memory leak

2004-03-02 Thread Tomasz Kojm
On Tue, 2 Mar 2004 19:39:23 +0200
Nigel Kukard [EMAIL PROTECTED] wrote:

 Anyone seen this...
 
  3843 ?S  0:00 clamd
  3846 ?S  0:01  \_ clamd
  3847 ?S  0:03  \_ clamd
 
 when i cat the /proc/3843/status file...

Please post your clamav.conf.

-- 
   oo. Tomasz Kojm [EMAIL PROTECTED]
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Tue Mar  2 21:39:02 CET 2004




RE: [Clamav-users] Correct clamav-milter options to --postmaster-only

2004-03-02 Thread Stevens, John
-Original Message-
From: Nigel Horne [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 2 March 2004 6:46 PM
To: [EMAIL PROTECTED]
Subject: Re: [Clamav-users] Correct clamav-milter options to --postmaster-only

On Tuesday 02 Mar 2004 12:58 am, Stevens, John wrote:
 Please post an example of the bounce message, then I can see where it's
  coming from.

 From: MAILER-DAEMON
 To: [EMAIL PROTECTED]
 CC: [EMAIL PROTECTED]
 Subject: Virus intercepted
 A message you sent to [EMAIL PROTECTED] contained a virus and has not
 been delivered. stream: Worm.Bagle.E FOUND

John,

Unfortunately you've deleted the original message with all your options and
I've deleted your original posting so I can't remember what they were. Anyway,
this message is created by the -b (--bounce) option, so turn that off.

 John Stevens - MIS Manager, Senior Project Engineer

--
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK.  ICQ#20252325
[EMAIL PROTECTED] http://www.bandsman.co.uk

 
Hi Nigel,
Options I am passing are -lob -postmaster-only [EMAIL PROTECTED] /path/to/socket.
I do want the postmaster notifications as outlined in the man pages with the offending 
message ID.  I do not want the bounce going back to sender.
I am aware I can stop the bounce by turning off the bounce option, but according to my 
reading of the man page, it must be on for the postmaster to get notifications.  Hence 
I have left it on, but I am only CC'd in a bounce message, and that does not contain 
the message ID of the offending message.
Thanks


TUSC Computer Systems - www.tusc.com.au
John Stevens - MIS Manager, Senior Project Engineer
Mobile: 0419840411
Direct: 03 9840 4428






Re: [Clamav-users] Can somebody help me with this error message?

2004-03-02 Thread Stephen Gran
On Tue, Mar 02, 2004 at 03:13:55PM -0500, Frank DeChellis said:
 Hi.
 
 Exim 4.2 with Exiscan
 clamav 0.66 on a separate server
 NetBSD 1.6.2 on both servers
 
 The scans are happening but this is the message I receive in my log files
 
 2004-03-02 15:18:38 1AyGLe-mS-J3 H=h207-176-232-131.enertiatech.com
 (enertia1.enertiatech.com) [207.176.232.131]
 F=[EMAIL PROTECTED] rejected after DATA: This message contains
 a virus: ( Can't access the file ERROR) please scan your system.

Clam is running as a separate uid from exim, probably - see what uid
exim runs as, then add a 'User $(uid of exim)' statement to clamav.conf

-- 
 --
|  Stephen Gran  | james abuse me.  I'm so lame I sent a |
|  [EMAIL PROTECTED] | bug report to debian-devel- |
|  http://www.lobefin.net/~steve | changes |
 --




[Clamav-users] Re: virus not detected one but detected on another machine

2004-03-02 Thread Starbane
russ wrote:
On Tue, 2004-03-02 at 12:21, P.V.Anthony wrote:


The only difference I can see is that on machine A I installed clamav 0.65
then installed 0.67.


So what part of 0.67 works better and I should install it on machine A
are you missing?
Is there anything else I can do or check?


Check if it is plugged in.

Troll Attack! - ignore that.

Look in your virus database location and check that the updated 
signatures are the same.  (/var/lib/clamav, /usr/local/clamav, etc.; 
it's defined as DataDirectory in clamav.conf.)





Re: [Clamav-users] Can somebody help me with this error message?

2004-03-02 Thread Jesper Juhl
On Tue, 2 Mar 2004, Frank DeChellis wrote:

 Hi.

 Exim 4.2 with Exiscan
 clamav 0.66 on a separate server
 NetBSD 1.6.2 on both servers

 The scans are happening but this is the message I receive in my log files

 2004-03-02 15:18:38 1AyGLe-mS-J3 H=h207-176-232-131.enertiatech.com
 (enertia1.enertiatech.com) [207.176.232.131]
 F=[EMAIL PROTECTED] rejected after DATA: This message contains
 a virus: ( Can't access the file ERROR) please scan your system.

 Any ideas?


Maybe try 0.67-1 or a recent CVS version?


-- 
Jesper Juhl [EMAIL PROTECTED]
Systems Administrator, Danmarks Idræts-Forbund / The Danish Sports Federation
Please don't top-post  http://www.catb.org/~esr/jargon/html/T/top-post.html
Please send plain text emails only  http://www.expita.com/nomime.html




Re: [Clamav-users] For those using Procmail - a simple rule to hinder the Bagle-I virus

2004-03-02 Thread Support ePaxsys/FRWS
At 09:22 PM 3/2/04 +0100, Tomasz Papszun wrote:
On Tue, 02 Mar 2004 at 11:18:25 -0700, Support ePaxsys/FRWS wrote:
 Maybe OT - but it's a decent interim fix so people can continue sending
 large(r) Zips.

 SO - not sure if this is OT or what, but if you use procmail as the
 delivery agent on your system, this rule below will catch the ZIPs under
 250k in size and having   'password:'  somewhere in the body.
 Not perfect, not guaranteed - but it's been working for us. If I knew how
 large or how small these attachments were, we could obviously adjust the
 size. [...]
Usually messages with various Bagles are between 20 KB and 35 KB in
size. Attachments themselves (decoded) are between 15 KB and 30 KB.
--
 Tomasz Papszun   SysAdm @ TP S.A. Lodz, Poland  | And it's only
 [EMAIL PROTECTED]   http://www.lodz.tpsa.pl/   | ones and zeros.
 [EMAIL PROTECTED]   http://www.ClamAV.net/   A GPL virus scanner


Thanks Thomas.

Adjusted rule for size less than 55k and another password type line.

So as not to spam the list: http://www.frws.com/jpp/bagle.rc

Enjoy...

Jerome

ePaxsys/FRWS Technical Staff
ePaxsys, Inc. http://www.epaxsys.net
FRWS: http://www.frws.com
Live Text Support: http://www.epaxsys.net/live-help




Re: [Clamav-users] password-protected Worm.Bagle.H

2004-03-02 Thread Tomas Charvat
On my qmail server qmail-scanner does this job for me.

google for qmail-scanner


- Original Message - 
From: Erik Corry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, March 02, 2004 9:11 PM
Subject: Re: [Clamav-users] password-protected Worm.Bagle.H


 On Tue, Mar 02, 2004 at 11:59:19AM -0600, John Jolet wrote:
 
  The question is how much of a problem it really is.  Are users
  really that dumb?
 
  yes, they are.  i've gotten about 10 of those in the last 3 days.

 That doesn't actually prove that anyone typed in the password
 and got infected.  The version with unencrypted zip file can
 send the version with encrypted zip file to others.

 The best defence against it (if it really is a problem) might
 be blocking encrypted zip files with suspicious filenames in
 them.  You can see that the file contains a .exe .pif, etc.
 ending without the password.

 That's probably not a task for clamav though, more like MIMEDefang:
 http://www.mimedefang.org/

 Someone seems to have been giving this some thought:

http://lists.roaringpenguin.com/pipermail/mimedefang/2004-March/020563.html

 -- 
 Erik Corry I'd be a Libertarian, if they weren't all a
 [EMAIL PROTECTED] bunch of tax-dodging professional whiners.   - B.
Breathed.







Re: [Clamav-users] netsky-d found by clamscan but not by clamd?

2004-03-02 Thread Tomasz Kojm
On Tue, 02 Mar 2004 19:43:40 +0100
Thomas Seifert [EMAIL PROTECTED] wrote:

 filenames or extension. is there a dependency on the name?

No, there isn't.

-- 
   oo. Tomasz Kojm [EMAIL PROTECTED]
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Tue Mar  2 23:24:01 CET 2004




Re: [Clamav-users] Some more evidence for my last mail ...

2004-03-02 Thread Tomasz Kojm
On Tue, 02 Mar 2004 20:09:08 +0100
Thomas Seifert [EMAIL PROTECTED] wrote:

 Any ideas?

Connect to clamd and send the RELOAD command.

-- 
   oo. Tomasz Kojm [EMAIL PROTECTED]
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Tue Mar  2 23:25:59 CET 2004




[Clamav-users] Clam AV 0.67 e-smith RedHat 7.3 Packages

2004-03-02 Thread FreshClam
Hi, I downloaded the Red Hat package from
http://crash.fce.vutbr.cz/crash-hat/1/clamav/. When I try installing it on
e-smith 6.0 with Red Hat 7.3, I get the following error: 

[EMAIL PROTECTED] src]# rpm -Uvh clamav-0.67-1.i386.rpm 
error: failed dependencies:
libc.so.6(GLIBC_2.3)   is needed by clamav-0.67-1
libwrap.so.0   is needed by clamav-0.67-1

[EMAIL PROTECTED] src]# rpm -Uvh glibc-2.2.5-44.i386.rpm 
error: failed dependencies:
glibc-common = 2.2.5-44 is needed by glibc-2.2.5-44
[EMAIL PROTECTED] src]# rpm -Uvh glibc-common-2.2.5-44.i386.rpm 
error: failed dependencies:
glibc-common = 2.2.5-43 is needed by glibc-2.2.5-43
[EMAIL PROTECTED] src]# 

There are so many packages and library files needed to get this working. Is
there a single location or implementation guideline? I read the manual but
it does not cover the package in detail and does not tell where to find all
the needed files. 

Thanks for your help in advance,
New Fresh Clam User





Re: [Clamav-users] Some more evidence for my last mail ... - SOLVED

2004-03-02 Thread Loren Salsgiver


Thomas Seifert wrote:
On Tue, 02 Mar 2004 15:15:19 -0500 Mike Cathey [EMAIL PROTECTED] wrote:


Thomas,

On Tue, 2004-03-02 at 14:09, Thomas Seifert wrote:

in my last mail I said that clamscan finds the virus while clamd doesn't.
Here's some more evidence for this:
Reload clamd and see if that makes a difference.  It sounds like
freshclam may not be telling clamd to reload the virus databases.


That isn't the problem, sorry. I killed and restarted clamd already a couple of times.

Now I've found the problem, your message led to the point.
I used my old clamav.conf which pointed to an old database directory.
I didn't realize that freshclam had its own config file ... updating the new 
database directory.
So I changed clamav.conf to contain the new database directory too and it worked.
The strange thing is ... clamscan used the new dir (its default directory) and didn't use
the path given in clamav.conf!? 

Thanks a lot, getting back from 0,7s to 0,007s is much better :)

Thomas


Ah ha, guilty of the same, the new compiled version moved the .cvd files 
from /var/lib/clamav to /usr/local/share/clamav, a different directory. 
Should fix the problem.  Explains why only the new virus passed through.

Loren

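The mismatch Thomas and Loren ran into (clamd reading an old database directory while freshclam updates a new one, and clamscan using its own compiled-in default regardless of clamav.conf) is easy to check for mechanically. The script below is an added example, not ClamAV's own code: it parses constructed clamav.conf and freshclam.conf fragments and compares clamd's DataDirectory (the directive name given on this page) with freshclam's DatabaseDirectory and with an assumed compiled-in default path. The function names, the sample config contents and the COMPILED_DEFAULT value are assumptions for the example.

```python
"""Spot a clamd / freshclam / clamscan database-directory mismatch.
Added example with constructed config fragments; not ClamAV's own code."""
import os

# Assumed compiled-in default for a from-source build; the thread names
# /usr/local/share/clamav as the new location and /var/lib/clamav as the old.
COMPILED_DEFAULT = "/usr/local/share/clamav"


def parse_clam_conf(text: str) -> dict:
    """Parse the 'Directive value' lines of a clamav.conf-style file.
    The 'Example' line shipped in the stock files marks an unedited
    config, so it is kept so the caller can report it."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key] = value.strip()
    return conf


def database_dirs(clamav_conf: str, freshclam_conf: str) -> dict:
    """Directory each component will actually read or write."""
    scanner = parse_clam_conf(clamav_conf)
    updater = parse_clam_conf(freshclam_conf)
    return {
        "clamd": os.path.normpath(scanner.get("DataDirectory", COMPILED_DEFAULT)),
        "freshclam": os.path.normpath(updater.get("DatabaseDirectory", COMPILED_DEFAULT)),
        # clamscan ignores clamav.conf; it uses the build-time default unless
        # --database is passed, which is what Thomas observed.
        "clamscan": COMPILED_DEFAULT,
        "unedited": [name for name, conf in (("clamav.conf", scanner), ("freshclam.conf", updater))
                     if "Example" in conf],
    }


def mismatches(dirs: dict) -> list:
    """Pairs of components that look at different database directories."""
    names = ["clamd", "freshclam", "clamscan"]
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:] if dirs[a] != dirs[b]]


# Constructed fragments reproducing the thread: an old clamav.conf still
# pointing at /var/lib/clamav while freshclam writes .cvd files to the new
# default directory.
OLD_CLAMAV_CONF = """\
# Comment lines are ignored
LogFile /var/log/clamd.log
DataDirectory /var/lib/clamav/
User clamav
"""

NEW_FRESHCLAM_CONF = """\
DatabaseDirectory /usr/local/share/clamav
UpdateLogFile /var/log/freshclam.log
Checks 12
"""

if __name__ == "__main__":
    dirs = database_dirs(OLD_CLAMAV_CONF, NEW_FRESHCLAM_CONF)
    for a, b in mismatches(dirs):
        print(f"{a} uses {dirs[a]} but {b} uses {dirs[b]}")
    if dirs["unedited"]:
        print("still carrying the stock 'Example' line:", ", ".join(dirs["unedited"]))
```

Run against the constructed fragments it reports that clamd differs from both freshclam and clamscan, which is exactly the state in which freshclam's updates never reach the daemon.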






Re: [Clamav-users] Clam AV 0.67 e-smith RedHat 7.3 Packages

2004-03-02 Thread Damien Curtain
On Tue, Mar 02, 2004 at 02:49:48PM -0800, FreshClam wrote:
 Hi, I downloaded the Red Hat package from
 http://crash.fce.vutbr.cz/crash-hat/1/clamav/. When I try installing it on
 e-smith 6.0 with Red Hat 7.3, I get the following error: 
 
 [EMAIL PROTECTED] src]# rpm -Uvh clamav-0.67-1.i386.rpm 
 error: failed dependencies:
 libc.so.6(GLIBC_2.3)   is needed by clamav-0.67-1
 libwrap.so.0   is needed by clamav-0.67-1
 
 [EMAIL PROTECTED] src]# rpm -Uvh glibc-2.2.5-44.i386.rpm 
 error: failed dependencies:
 glibc-common = 2.2.5-44 is needed by glibc-2.2.5-44
 [EMAIL PROTECTED] src]# rpm -Uvh glibc-common-2.2.5-44.i386.rpm 
 error: failed dependencies:
 glibc-common = 2.2.5-43 is needed by glibc-2.2.5-43
 [EMAIL PROTECTED] src]# 
 
 There are so many packages and library files needed to get this working. Is
 there a single location or implementation guideline. I read the manual but
 it does not cover the package in detail and does not tell where to find all
 the needed files. 

You might like to read:
http://www.pagefault.org/howto/e-smith-antivirus.shtml
or
http://www.pagefault.org/howto/amavis_clam.shtml

Or try http://contribs.org/modules/pbboard/ 
-- 
 Damien




Re: [Clamav-users] ClamAV 0.67 memory leak

2004-03-02 Thread Thomas Lamy
Nigel Kukard schrieb:

Anyone seen this...

 3843 ?S  0:00 clamd
 3846 ?S  0:01  \_ clamd
 3847 ?S  0:03  \_ clamd
when i cat the /proc/3843/status file...

Name:   clamd
State:  S (sleeping)
Tgid:   3843
Pid:3843
PPid:   1
TracerPid:  0
Uid:0   0   0   0
Gid:0   0   0   0
FDSize: 32
Groups: 0
VmSize:   210900 kB
VmLck: 0 kB
VmRSS: 22940 kB
VmData:   209128 kB
VmStk:16 kB
VmExe:36 kB
VmLib:  1672 kB

Which version exactly (I guess it's the 0.67 release, but better safe...), 
on which OS/Distribution?
I've not seen huge mem leaks in clam since its 0.65 days, and I tend to 
check this every now and then with valgrind.

Thomas



Re: [Clamav-users] Can somebody help me with this error message?

2004-03-02 Thread Frank DeChellis DSL
They're on separate servers...does that matter? I run exim as exim and
clam as clamav.


On Tue, 2 Mar 2004, Stephen Gran wrote:

 Date: Tue, 2 Mar 2004 16:32:30 -0500
 From: Stephen Gran [EMAIL PROTECTED]
 Reply-To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Subject: Re: [Clamav-users] Can somebody help me with this error message?

 On Tue, Mar 02, 2004 at 03:13:55PM -0500, Frank DeChellis said:
  Hi.
 
  Exim 4.2 with Exiscan
  clamav 0.66 on a separate server
  NetBSD 1.6.2 on both servers
  
  The scans are happening but this is the message I receive in my log files
 
  2004-03-02 15:18:38 1AyGLe-mS-J3 H=h207-176-232-131.enertiatech.com
  (enertia1.enertiatech.com) [207.176.232.131]
  F=[EMAIL PROTECTED] rejected after DATA: This message contains
  a virus: ( Can't access the file ERROR) please scan your system.

 Clam is running as a separate uid from exim, probably - see what uid
 exim runs as, then add a 'User $(uid of exim)' statement to clamav.conf

 --
  --
 |  Stephen Gran  | james abuse me.  I'm so lame I sent a |
 |  [EMAIL PROTECTED] | bug report to debian-devel- |
 |  http://www.lobefin.net/~steve | changes |
  --


---
Frank DeChellis
Internet Access Worldwide
3 East Main Street, Welland, Ontario, Canada  L3B 3W4
905-714-1400 fax 905-732-0524
www.iaw.com
--




[Clamav-users] Password-protected .zip file viruses

2004-03-02 Thread Charlie Watts
Clearly the virus DB maintainers are inundated with password-protected
.zip files with viruses inside.

I think I understand the technical impossibility of making a signature for
these - the .zip header is the same, and then the filenames inside are
randomized, as is the password, and thus the encrypted body has nothing
recognizable - so there isn't anything available to make a signature off
of.

We don't want to waste your time submitting these - would it be useful to
put a comment on the virus submission page that you just don't want these?


I see that there have been a few rejected, stating that you'd need the
*complete* E-mail - are you looking for other characteristics of the
complete E-mail message, something not specifically tied to the
attachment?

-- 
Charlie Watts
Brainstorm Internet
970 247-1442 x113
[EMAIL PROTECTED]
http://www.brainstorminternet.net/




[Clamav-users] some little questions

2004-03-02 Thread Rembrandt
I've 3 little questions but at first I'm sorry because I didn't check the
archives. :o)

1. 
Is it possible to improve the BSD support? Like on-access scanning and
co?

2.
Are there any improvements planned which enable clamAV to clean files? Now
it just deletes them.

3.
Please don't make a flamewar () but: 

Why GPL?
I think clamAV could also use a more free license like the BSD license
because nobody steals something from clamAV. And the reason is easy: All
other commercial scanners detect more virii/worms and they could also
clean most files. So why GPL and not the BSD license?
I think with the BSD license clamAV could be more acceptable for more
people. Not just all current BSD OSs (NetBSD, FreeBSD, OpenBSD, MirBSD,
MicroBSD...). There are many more people who prefer
BSD-licensed code and who are strictly against GPL (such as Plan9 and other
OSs).

I hope I see this point as neutrally as I'm able to.
But I repeat: There's no reason for the GPL license.

And now I hope I get a precise answer why ClamAV is using the
GPL license and why it can't be under the BSD license. :)



MfG. Rembrandt van Rijn

p.s. Tomasz (leader) please check your mails!




Re: [Clamav-users] some little questions

2004-03-02 Thread Jesper Juhl
On Wed, 3 Mar 2004, Rembrandt wrote:

[...]
 2.
 Are there any improvements planned which enable clamAV to clean files? Now
 it just deletes them.

I can't speak for anyone but myself, but I don't think that is planned.
First of all, some virii may be impossible to clean (some of them destroy
the files they infect).
Second, some files may be *very* hard to clean since the virii rewrite
the binary in order to insert themselves, and figuring out what the file
looked like prior to infection is *not* trivial, so it's a hard problem
and doing it requires a lot of time and often specific handling of
each individual virus.
Third, would you trust a file after it was cleaned? Personally I would
not - no matter who cleaned it; clam or some commercial AV vendor doesn't
matter, I still wouldn't trust that file. If an infected file is found,
the only proper action in my opinion is to delete the file and then
restore a known-good copy from original media or backup.


 3.
 Please don't make a flamewar () but:

 Why GPL?
 I think clamAV could also use a more free license like the BSD license
 because nobody steals something from clamAV. And the reason is easy: All
 other commercial scanners detect more virii/worms and they could also
 clean most files. So why GPL and not the BSD license?
 I think with the BSD license clamAV could be more acceptable for more
 people. Not just all current BSD OSs (NetBSD, FreeBSD, OpenBSD, MirBSD,
 MicroBSD...). There are many more people who prefer
 BSD-licensed code and who are strictly against GPL (such as Plan9 and other
 OSs).

Again, I can only answer this from my own personal point of view - I
didn't write the original code so I did not decide the license.
My /personal/ opinion is that the GPL is a better license than the BSD
license since it ensures that modifications are contributed back to the
ClamAV community. With a BSD license nothing stops someone from
incorporating ClamAV in a commercial product without giving anything back.
But, that's just my personal opinion. Hope that was properly flame-proof
;-)


-- 
Jesper Juhl [EMAIL PROTECTED]
Systems Administrator, Danmarks Idræts-Forbund / The Danish Sports Federation
Please don't top-post  http://www.catb.org/~esr/jargon/html/T/top-post.html
Please send plain text emails only  http://www.expita.com/nomime.html




Re: [Clamav-users] Password-protected .zip file viruses

2004-03-02 Thread Jesper Juhl
On Tue, 2 Mar 2004, Charlie Watts wrote:

 Clearly the virus DB maintainers are inundated with password-protected
 .zip files with viruses inside.

 I think I understand the technical impossibility of making a signature for
 these - the .zip header is the same, and then the filenames inside are
 randomized, as is the password, and thus the encrypted body has nothing
 recognizable - so there isn't anything available to make a signature off
 of.


What I'm thinking is: would it be feasible to add an option to attempt to
brute-force-crack the passwords on zip files when scanning them?
Yes, it would slow down scanning immensely, and there's *no* way it should
ever be a default option, but zip file passwords are /reasonably/ simple to
crack, so it is doable (although it takes time)...

I could whip some code together for this if it has any interest at all...


-- 
Jesper Juhl [EMAIL PROTECTED]
Systems Administrator, Danmarks Idræts-Forbund / The Danish Sports Federation
Please don't top-post  http://www.catb.org/~esr/jargon/html/T/top-post.html
Please send plain text emails only  http://www.expita.com/nomime.html




Re: [Clamav-users] password-protected Worm.Bagle.H

2004-03-02 Thread clamav

 It gives nothing as copies of Worm.Bagle.H (and previous variants also)
 vary in their contents and even sizes. So checksums are different.

We have started to see this as well -- we only caught a few w/ the
hard-coded crc hack.  This is not perfect either and it falls in line with
one gentleman's procmail filter.  Still, this may help some users.  We
have updated our virus filter to look something like this:

  if ((stat($file))[7] < 100000) # filesize: only small zips (< 100k, see below)
  {
    # Fork; the child (open returns 0) runs "unzip -t" with an empty password,
    # with its stderr folded into stdout so the parent sees every message.
    if (!open(UNZIP, "-|"))
    {
      close(STDERR);
      open(STDERR, ">&STDOUT");
      exec("/usr/bin/unzip", '-t', '-P', '', $file);
    }
    # The parent reads unzip's output; an encrypted archive rejects the
    # empty password and reports "incorrect password".
    while (<UNZIP>)
    {
      if (/incorrect password/)
      {
        close(UNZIP);
        print "Found the w32nsc/crypt-zip.gen virus !!!\n";
        found_virus();
      }
    }
    close(UNZIP);
  }

We are /hoping/ that virus .zip's are < 100k.  If anyone sends a legitimate
message which is an encrypted zip that is < 100k we still quarantine it (in 
case the user needs to have a copy) and they are notified of the quarantine.  
After a few tests, it does not appear that it will mark unpassworded zips 
falsely, since a zip w/o password and a zip w/ a password of '' appear to 
be equivalent.


Eric Wheeler
Vice President
National Security Concepts, Inc.
PO Box 3567
Tualatin, OR 97062

http://www.nsci.us/
Voice: (503) 293-7656
Fax:   (503) 885-0770

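The checks proposed in this thread (Eric's "encrypted zip under 100k" test above, the procmail rule keyed on a "password:" body line, Erik Corry's point that the .exe/.pif names inside an encrypted zip are visible without the password, and Rembrandt's note that the archive should be flagged but never decrypted) fit together into one filter. The script below is an added example, not Eric's Perl filter, the procmail rule, or ClamAV code: it reads the encryption flag straight out of the zip's central directory instead of spawning unzip, so nothing is decrypted or extracted, and it evaluates a constructed sample message end to end. The EXECUTABLE_EXTS list, the PASSWORD_LINE pattern, the example.invalid addresses, the function names and the zip contents are all assumptions for the example; the hand-built zip only carries the encryption flag bit, not real encrypted data.

```python
"""Bagle-style mail check: encrypted .zip attachment, small size, executable
names inside, and a 'password:' line in the body.  Added example built from
this thread's suggestions; not ClamAV's code or the list's filters."""
import io
import os
import re
import struct
import zipfile
import zlib
from email import message_from_bytes
from email.message import EmailMessage

MAX_ZIP_SIZE = 100_000                              # the "< 100k" threshold from the thread
EXECUTABLE_EXTS = {".exe", ".pif", ".scr", ".com"}  # assumed list; the thread names .exe and .pif
# Assumed pattern for the body line the procmail rule keys on ("password:").
PASSWORD_LINE = re.compile(r"^\s*(?:pass(?:word)?|pwd)\s*[:=]", re.IGNORECASE | re.MULTILINE)


def build_zip(name: str, payload: bytes, encrypted: bool) -> bytes:
    """Hand-assemble a one-entry, stored (method 0) zip.  The standard library
    cannot write encrypted archives, so the 'encrypted' general-purpose flag
    (bit 0) is set here directly; the payload is a placeholder, since the
    detector never reads entry data."""
    name_b = name.encode("ascii")
    flags = 0x0001 if encrypted else 0x0000
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    body = (b"\x00" * 12 + payload) if encrypted else payload  # 12-byte encryption header slot
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0,
                        crc, len(body), len(payload), len(name_b), 0) + name_b + body
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0, 0, 0,
                          crc, len(body), len(payload), len(name_b), 0, 0, 0, 0, 0, 0) + name_b
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


def inspect_zip(data: bytes) -> dict:
    """Read only the central directory: no decryption, no extraction and no
    external unzip process.  Entry names are visible even when encrypted."""
    report = {"size": len(data), "encrypted": False, "executable_names": [], "bad_zip": False}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x0001:       # bit 0 of the general-purpose flags
                    report["encrypted"] = True
                if os.path.splitext(info.filename)[1].lower() in EXECUTABLE_EXTS:
                    report["executable_names"].append(info.filename)
    except zipfile.BadZipFile:
        report["bad_zip"] = True
    return report


def classify_mail(raw: bytes) -> list:
    """Return the reasons to quarantine the message; an empty list means deliver."""
    msg = message_from_bytes(raw)
    body_has_password = False
    zips = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        payload = part.get_payload(decode=True) or b""
        if part.get_content_type() == "text/plain":
            if PASSWORD_LINE.search(payload.decode("utf-8", errors="replace")):
                body_has_password = True
        elif (part.get_filename() or "").lower().endswith(".zip"):
            zips.append(inspect_zip(payload))
    reasons = []
    for z in zips:
        if not z["encrypted"]:
            continue
        if z["size"] < MAX_ZIP_SIZE:
            reasons.append("encrypted zip under %d bytes" % MAX_ZIP_SIZE)
        if z["executable_names"]:
            reasons.append("encrypted zip with executable names: " + ", ".join(z["executable_names"]))
    if body_has_password and any(z["encrypted"] for z in zips):
        reasons.append("password line in body alongside an encrypted zip")
    return reasons


def make_mail(body: str, zip_bytes: bytes, filename: str = "photo.zip") -> bytes:
    """Constructed sample message with one zip attachment (addresses are placeholders)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Re: Document"
    msg.set_content(body)
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    worm_like = make_mail("For security reasons the attached file is password protected.\npassword: 54321\n",
                          build_zip("photo.exe", b"MZ placeholder", encrypted=True))
    print(classify_mail(worm_like))
    benign = make_mail("Here are the slides.\n", build_zip("slides.txt", b"hello", encrypted=False))
    print(classify_mail(benign))
```

Reading the flag bit gives the same answer as Eric's empty-password test (an unencrypted zip has bit 0 clear, so it is never flagged), without the cost of a fork per attachment, and the name check means a large encrypted archive that misses the size rule can still be caught when it carries a .exe or .pif inside.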




Re: [Clamav-users] Password-protected .zip file viruses

2004-03-02 Thread Rembrandt
On Wed, 3 Mar 2004 02:54:35 +0100 (CET)
[EMAIL PROTECTED] (Jesper Juhl) wrote:

 On Tue, 2 Mar 2004, Charlie Watts wrote:
 
  Clearly the virus DB maintainers are inundated with
  password-protected .zip files with viruses inside.
 
  I think I understand the technical impossibility of making a
  signature for
  these - the .zip header is the same, and then the filenames inside
  are randomized, as is the password, and thus the encrypted body has
  nothing recognizable - so there isn't anything available to make a
  signature off of.
 
 
 What I'm thinking is: would it be feasible to add an option to attempt
 to brute-force-crack the passwords on zip files when scanning them?
 Yes, it would slow down scanning immensely, and there's *no* way it
 should ever be a default option, but zip file passwords are
 /reasonably/ simple to crack, so it is doable (although it takes
 time)...
 
 I could whip some code together for this if it has any interest at
 all...

There are 2 ways to see this fact:

1. The AV is able to clean/scan EACH file correctly, well! But on the
other hand what about ACE, RAR and many others?

2. On the other hand there's my point of view and (sure.. :) ) it's the
right point of view:

NO!
I don't agree!
I will stop all work for clamAV and other things!
I won't ask old contacts anymore if this feature will be included.

Why?
a) Huge mailservers CAN'T crack each file... there's not enough CPU power
b) That's the way the damn GOV-GUYS work, it's not my way... and so I
say a hard NO because if you break an encryption enabled by a user you could
spy on his personal data and so on.

And you're wrong!
ZIP PWs aren't easy to crack. The old PW, well..
But GZ uses blowfish and I read somewhere that WinZIP will use AES soon.


Rembrandt




Re: [Clamav-users] some little questions

2004-03-02 Thread Rembrandt
On Wed, 3 Mar 2004 02:50:15 +0100 (CET)
[EMAIL PROTECTED] (Jesper Juhl) wrote:

 On Wed, 3 Mar 2004, Rembrandt wrote:
 
 [...]
  2.
  Are there any improvements planned which enable clamAV to clean files?
  Now it just deletes them.
 
 I can't speak for anyone but myself, but I don't think that is
 planned. First of all, some virii may be impossible to clean (some of
 them destroy the files they infect).
 Second, some files may be *very* hard to clean since the virii
 rewrite the binary in order to insert themselves, and figuring out what the
 file looked like prior to infection is *not* trivial, so it's a hard
 problem and doing it requires a lot of time and often specific
 handling of each individual virus.
 Third, would you trust a file after it was cleaned? Personally I
 would not - no matter who cleaned it; clam or some commercial AV
 vendor doesn't matter, I still wouldn't trust that file. If an
 infected file is found, the only proper action in my opinion is to
 delete the file and then restore a known-good copy from original media
 or backup.

I think you've to watch both sides of the medal.
Yes, I would trust cleaned files, but why doesn't matter here.
The situation you've to think about: What if all possible backups
and copies are infected?
I know guys who are working as administrators at a newspaper.
They make backups.. yes.. 
But they keep them only for 1 week (because there's too much data).
So they're able to restore all files which changed since date X.
But what about a virus which infects the files and waits until a
special date?
Or what about logic bombs?

Trust me: I'm able to think of a virus which is more destructive than
all the others together. 

So I think such a function is needed.

  3.
  Please don't make a flamewar () but:
 
  Why GPL?
  I think clamAV could also use a more free license like the
  BSD license because nobody steals something from clamAV. And the
  reason is easy: All other commercial scanners detect more
  virii/worms and they could also clean most files. So why GPL and
  not the BSD license? I think with the BSD license clamAV could be more
  acceptable for more people. Not just all current BSD OSs (NetBSD,
  FreeBSD, OpenBSD, MirBSD, MicroBSD...). There are many more people who
  prefer BSD-licensed code and who are strictly against GPL (such as
  Plan9 and other OSs).
 
 Again, I can only answer this from my own personal point of view - I
 didn't write the original code so I did not decide the license.
 My /personal/ opinion is that the GPL is a better license than the
 BSD license since it ensures that modifications are contributed back
 to the ClamAV community. With a BSD license nothing stops someone from
 incorporating ClamAV in a commercial product without giving anything
 back. But, that's just my personal opinion. Hope that was properly
 flame-proof ;-)

Sorry, I don't agree with that.
It's not true that ALL people will steal this source.
Yes, with GPL it's a MUST to contribute something back.
But I prefer BSD (it could also be BSD-like, so that every commercial
product must tell the user that they use code of clamAV). Why?
With GPL companies aren't able to cross-license something.
That's a huge problem. Take a look at Intel and WLAN support on *NIX.
It's damn... most normal NICs work but mostly the developers
haven't any docs. And why? Because Intel fears that someone could steal
something (so I understand the situation).

The other point why GPL isn't useful: GPL infects other licenses.
If I write something and put it under the BSD license (could also be another
license, like the license from Plan9 or something else) I can't use
GPL-licensed patches or improvements. When I include such
patches/improvements the whole project goes under GPL.
I think that's the reason why the BSDs don't accept clamAV.
Yes, it's in the ports but it could be std software which is always on
each BSD. And I think there are a lot of developers outside who will help
but who won't accept GPL.

I personally don't love the GPL and some guys maybe think I hate the
GPL.
Maybe.. but if I analyse the situation: There's NO need for GPL because
nobody will steal something.

It could be more political...
If GPL is the digital socialism BSD would be the great communism. :p
Ok, just 2 cents from a man who read Marx and others.
So please ignore this line and the 3 lines before. :-)


Rembrandt




Re: [Clamav-users] password-protected Worm.Bagle.H

2004-03-02 Thread Rembrandt
On Tue, 2 Mar 2004 18:08:15 -0800 (PST)
[EMAIL PROTECTED] wrote:

 
  It gives nothing as copies of Worm.Bagle.H (and previous variants
  also) vary in their contents and even sizes. So checksums are
  different.
 
 We have started to see this as well -- we only caught a few w/ the
 hard-coded crc hack.  This is not perfect either and it falls in line
 with one gentleman's procmail filter.  Still, this may help some
 users.  We have updated our virus filter to look something like this:
 
    if ((stat($file))[7] < 100000) # filesize
    {
      if (!open(UNZIP, "-|"))
      {
        close(STDERR);
        open(STDERR, ">&STDOUT");
        exec("/usr/bin/unzip", '-t', '-P', '', $file);
      }
      while (<UNZIP>)
      {
        if (/incorrect password/)
        {
          close(UNZIP);
          print "Found the w32nsc/crypt-zip.gen virus !!!\n";
          found_virus();
        }
      }
      close(UNZIP);
    }
  
  We are /hoping/ that virus .zip's are < 100k.  If anyone sends a
  legitimate message which is an encrypted zip that is < 100k we still
  quarantine it (in case the user needs to have a copy) and they are notified of
  the quarantine.  After a few tests, it does not appear that it will
  mark unpassworded zips falsely, since a zip w/o password and a zip w/ a
  password of '' appear to be equivalent.

I also received such a mail today from an OpenBSD mailing list (sorry but:
damn Windows kiddies who are not able to hold their fingers far away from
the left mouse button).
I saw 2 things:

1. An encrypted ZIP
2. A password in the mail

Now I asked myself: 
- Does the worm use the same password every time or does the worm
generate new passwords?
- Maybe a skilled user could write a script which looks for a PW in
the mail. If a PW is detected the user should get a warning.
The archive shouldn't be decrypted.

Rembrandt




Re: [Clamav-users] Password-protected .zip file viruses

2004-03-02 Thread Jesper Juhl
On Wed, 3 Mar 2004, Rembrandt wrote:

 On Wed, 3 Mar 2004 02:54:35 +0100 (CET)
 [EMAIL PROTECTED] (Jesper Juhl) wrote:

  On Tue, 2 Mar 2004, Charlie Watts wrote:
 
   Clearly the virus DB maintainers are inundated with
   password-protected .zip files with viruses inside.
  
   I think I understand the technical impossibility of making a
   signature for these - the .zip header is the same, and then the
   filenames inside are randomized, as is the password, and thus the
   encrypted body has nothing recognizable - so there isn't anything
   available to make a signature off of.
  
 
  What I'm thinking is; Would it be feasible to add an option to attempt
  to brute-force-crack the passwords on zip files when scanning them?
  Yes, it would slow down scanning immensely, and there's *no* way it
  should ever be a default option, but zip file passwords are
  /reasonably/ simple to crack, so it is doable (although it takes
  time)...
 
  I could whip some code together for this if it has any interest at
  all...

 There are 2 ways to see this fact:

 1. The AV is able to clean/scan EACH file correctly, well! But on the
 other hand what's with ACE, RAR and many others?

 2. On the other hand there's my point of view and (sure.. :) ) it's the
 right point of view:

 NO!
 I don't agree!
 I will stop all work for clamAV and other things!
 I won't ask old contacts anymore if this feature will be included.

Calm down. I just suggested it as something to optionally do. I know it's
not something that is actually reasonable to do on every file, but I
thought that it might be useful for some people. It was/is just a
suggestion.


 Why?
 a) Huge mailservers CAN'T crack each file... there's not enough CPU power

agreed.

 b) That's the way the damn GOV-GUYS work, it's not my way... and so I
 say a hard NO 'cause if you break an encryption enabled by a user you could
 spy on his personal data and so on.


Well, mails pass through your mailserver - plenty of ways to spy on
personal data if that's what you want to do. I suggested this as a way to
scan inside protected archives, not as a way of spying on anyone. Besides,
if the data is so sensible, the person who sent it should use encryption
strong enough that it can't be broken before the sun goes out... But,
that's just my personal opinion...


 And you're wrong!
 ZIP-PWs aren't easy to crack. The old PW, well..

Well, I was thinking of the old password protection - all I have actual
experience with.

 But GZ use blowfish and i read somewhere that WinZIP will use AES soon.

In that case it would take ages ;)


-- 
Jesper Juhl [EMAIL PROTECTED]
Systems Administrator, Danmarks Idræts-Forbund / The Danish Sports Federation
Please don't top-posthttp://www.catb.org/~esr/jargon/html/T/top-post.html
Please send plain text emails only  http://www.expita.com/nomime.html


---
SF.Net is sponsored by: Speed Start Your Linux Apps Now.
Build and deploy apps & Web services for Linux with
a free DVD software kit from IBM. Click Now!
http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users


[Clamav-users] Problem compiling clamav-milter on Solaris 8

2004-03-02 Thread Betsy Schwartz
I ran configure --enable-milter, but the clamav-milter didn't build (nor 
give any error).

 /home/betsys/clamav-devel-20040301/clamav-milter- make clamav-milter
/bin/bash ../libtool --mode=link gcc  -g -O2   -o 
clamav-milter-L../libclamav -lclamav -L/usr/lib/libmilter 
-L/usr/local/include -lmilter  -lpthread -lsocket -lnsl -lresolv
gcc -g -O2 -o 
.libs/clamav-milter 
-L/home/betsys/packages/clamav-devel-20040301/libclamav 
/home/betsys/packages/clamav-devel-20040301/libclamav/.libs/libclamav.so 
-lz -lbz2 /usr/local/lib/libgmp.so -L/usr/lib/libmilter 
-L/usr/local/include -lmilter -lpthread -lsocket -lnsl -lresolv 
-R/usr/local/lib
Undefined   first referenced
 symbol in file
main 
/usr/local/lib/gcc-lib/sparc-sun-solaris2.8/3.3/crt1.o
ld: fatal: Symbol referencing errors. No output written to .libs/clamav-milter
collect2: ld returned 1 exit status
make: *** [clamav-milter] Error 1
Sendmail has previously been rebuilt with milter support, and is currently 
running with vbs-filter.
Clamd and clamscan build OK and seem to be working ok.

I've installed or updated gcc , gm4,  and gmp. Also, following a tip from 
google,  copied the sendmail libmilter include files over to 
/usr/local/include and thrown that into the link library path.
(and did a make clean and reconfigure after upgrading everything)

what next?
thanks Betsy




Re: [Clamav-users] Can somebody help me with this error message?

2004-03-02 Thread Stephen Gran
On Tue, Mar 02, 2004 at 07:24:36PM -0500, Frank DeChellis DSL said:
 They're on separate servers...does that matter? I run exim as exim  and
 clam as clamav.

Hmm - I had forgotten that.  Sorry, kind of a knee jerk reaction.  What
do the clam logs say?  Try turning on LogVerbose and LogClean in
clamav.conf to get extra information out of it.  You can also run clamd
with --foreground and --debug temporarily to see even more info.

-- 
 --
|  Stephen Gran  | In love, she who gives her portrait |
|  [EMAIL PROTECTED] | promises the original.   -- Bruton  |
|  http://www.lobefin.net/~steve | |
 --




Re: [Clamav-users] Clamd problem Solaris 8

2004-03-02 Thread Fajar A. Nugraha
Alex S Moore wrote:

gcc -g -O2 -o .libs/clamd options.o cfgfile.o clamd.o tcpserver.o
localserver.o session.o thrmgr.o

Hi!
I tried the latest snapshot with size  1kB (20040301) and had a
compilation problem on Solaris 8!!
Is this also a known problem??

I posted that problem earlier, and Tomasz replied Fixed, thanks.
It's a problem on that particular snapshot only.
This morning I built the latest cvs snapshot on Solaris 8, both sparc and
x86 and had no problems.
 

That would be a newer snapshot.

It
may not be the latest snapshot, 

Usually I have the most recent binary built from snapshot. Updated 
daily. http://www.clamav.or.id
I don't have stables though.

I still have my own build available.

 

The more the merrier :)

Regards,

Fajar



Re: [Clamav-users] Clam AV 0.67 e-smith RedHat 7.3 Packages

2004-03-02 Thread Fajar A. Nugraha
FreshClam wrote:

Red Hat 7.3, I get the following error: 

[EMAIL PROTECTED] src]# rpm -Uvh clamav-0.67-1.i386.rpm 
error: failed dependencies:
   libc.so.6(GLIBC_2.3)   is needed by clamav-0.67-1
   libwrap.so.0   is needed by clamav-0.67-1

 

Looks like it was meant for RH 8+, not RH 7.3

there a single location or implementation guideline. 

Either
-   look for other clamav RPM source for RH 7.3
-   compile yourself (not THAT hard).
-   get RH 7.3 binaries (tar.gz, not rpm) from http://www.clamav.or.id
Regards,

Fajar



Re: [Clamav-users] Some more evidence for my last mail ... - SOLVED

2004-03-02 Thread Fajar A. Nugraha
Thomas Seifert wrote:

clamscan used the new dir (its default directory) and didn't use
the path given in clamav.conf!? 

 

I believe clamscan doesn't read clamav.conf at all; it uses hard-coded 
compiled settings.
I might be wrong :)

Regards,

Fajar



RE: [Clamav-users] Password-protected .zip file viruses

2004-03-02 Thread Mitch (WebCob)
My understanding of reliable zip password checking was that you needed two
or more files encoded with the same password in the archive to allow a good
check...

Maybe I'm wrong on that, but still I'd rather a setting that allows me to
reject unscannable attachments. Preferably as mentioned before somehow by
user - if this was a command line argument ignore unscannable archives vs.
reject unscannable archives.

m/

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Jesper
 Juhl
 Sent: Tuesday, March 02, 2004 5:55 PM
 To: [EMAIL PROTECTED]
 Subject: Re: [Clamav-users] Password-protected .zip file viruses


 On Tue, 2 Mar 2004, Charlie Watts wrote:

  Clearly the virus DB maintainers are inundated with password-protected
  .zip files with viruses inside.
 
  I think I understand the technical impossibility of making a
 signature for
  these - the .zip header is the same, and then the filenames inside are
  randomized, as is the password, and thus the encrypted body has nothing
  recognizable - so there isn't anything available to make a signature off
  of.
 

 What I'm thinking is; Would it be feasible to add an option to attempt to
 brute-force-crack the passwords on zip files when scanning them?
 Yes, it would slow down scanning immensely, and there's *no* way it should
 ever be a default option, but zip file passwords are /reasonably/ simple to
 crack, so it is doable (although it takes time)...

 I could whip some code together for this if it has any interest at all...


 --
 Jesper Juhl [EMAIL PROTECTED]
 Systems Administrator, Danmarks Idræts-Forbund / The Danish
 Sports Federation
 Please don't top-post
 http://www.catb.org/~esr/jargon/html/T/top-post.html
 Please send plain text emails only
 http://www.expita.com/nomime.html








[Clamav-users] Clamd will NOT start

2004-03-02 Thread Andrew Keuhs



Clamd will not start now.. i am using version .67

It was working fine last week... we had a power outage... now when I run
/usr/sbin/clamd as root... it goes to next line but nothing is started...
Where would I look for errors? I see it has no verbose setting... So i have
no clue why it will NOT start

I used this configure:

./configure \
  --prefix=/usr \
  --sysconfdir=/etc \
  --datadir=/var/clamav \
  --enable-milter

Also followed this install http://www.linux-sxs.org/administration/clamav-milter.html

It was fine the day I installed it... I am using slackware v9.0. 2.4.22 kernel

HELP!!! 

-Andrew


[Clamav-users] Followup: Problem compiling clamav-milter on Solaris 8

2004-03-02 Thread Betsy Schwartz
To followup to my own post, I tried dropping back to the stable version 
0.67 and saw the same behavior. Exact same error. Am I missing a step 
somewhere?
---

I ran configure --enable-milter, but the clamav-milter didn't build (nor 
give any error).

 /home/betsys/clamav-devel-20040301/clamav-milter- make clamav-milter
/bin/bash ../libtool --mode=link gcc  -g -O2   -o 
clamav-milter-L../libclamav -lclamav -L/usr/lib/libmilter 
-L/usr/local/include -lmilter  -lpthread -lsocket -lnsl -lresolv
gcc -g -O2 -o 
.libs/clamav-milter 
-L/home/betsys/packages/clamav-devel-20040301/libclamav 
/home/betsys/packages/clamav-devel-20040301/libclamav/.libs/libclamav.so 
-lz -lbz2 /usr/local/lib/libgmp.so -L/usr/lib/libmilter 
-L/usr/local/include -lmilter -lpthread -lsocket -lnsl -lresolv 
-R/usr/local/lib
Undefined   first referenced
 symbol in file
main 
/usr/local/lib/gcc-lib/sparc-sun-solaris2.8/3.3/crt1.o
ld: fatal: Symbol referencing errors. No output written to .libs/clamav-milter
collect2: ld returned 1 exit status
make: *** [clamav-milter] Error 1
Sendmail has previously been rebuilt with milter support, and is currently 
running with vbs-filter.
Clamd and clamscan build OK and seem to be working ok.

I've installed or updated gcc , gm4,  and gmp. Also, following a tip from 
google,  copied the sendmail libmilter include files over to 
/usr/local/include and thrown that into the link library path.
(and did a make clean and reconfigure after upgrading everything)

what next?
thanks Betsy




[Clamav-users] passworded zips slipping thru

2004-03-02 Thread jef moskot
For some reason, my system is allowing Worm.Bagle.F-zippwd files through,
but can detect them once they've arrived.  I haven't had a single capture
of one of these passworded files.

Example:

 clamscan -V
clamscan / ClamAV version 0.67-1

 clamscan passworded.sample
passworded.sample: Worm.Bagle.F-zippwd FOUND

--- SCAN SUMMARY ---
Known viruses: 20355
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.02 MB
I/O buffer size: 131072 bytes
Time: 0.425 sec (0 m 0 s)

 clamscan --mbox passworded.sample
passworded.sample: Worm.Bagle.F-zippwd FOUND

--- SCAN SUMMARY ---
Known viruses: 20355
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.04 MB
I/O buffer size: 131072 bytes
Time: 0.452 sec (0 m 0 s)

passworded.sample is an mbox file with only the offending message in it.
If I forward the message to myself, it gets through, and, of course, it
got through in the first place.

Even as I type this, it's picking up new incoming viruses, so it doesn't
seem to be a database issue.

The only weak link I can think of is that I'm using amavis-perl11 (if it
ain't broke...), and I suspect not many others are.  Here's the clam
invocation in the amavis perl script:

---

my $clamscan = "/usr/local/bin/clamscan";

...

#
# Clam AV
#

if ($clamscan ne "") {
    # --one-virus is only for esthetic reasons.
    $output = `$clamscan --stdout -r -w --one-virus $TEMPDIR/parts`;
    $errval = ($? >> 8);    # clamscan exit status: 0 clean, 1 virus found, anything else an error
    do_log(2, $output);
    if ($errval != 0) {
        if ($errval == 1) {
            @virusname = ($output =~ /.*: (.+) FOUND/g);
            do_virus($output);
        } else {
            do_log(0, "Virus scanner failure: $clamscan (error code: $errval)");
        }
    }
}

---

I assume this only makes sense if you're reasonably familiar with
amavis-perl11.

Traffic is light enough that I don't need any daemons running for mail, so
I've never seen a need to update before this.  It might be easier to set
up a new version of amavis, but this one IS set up and it (usually) works,
and messing with sendmail is the sort of voodoo I like to avoid if
possible.

At any rate, does this make any sense?

How can a manual clamscan succeed while the automatic one fails?

Is this possibly a question for the amavis mailing list, or do you think
something else is going on?

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]




Re: [Clamav-users] Clamd will NOT start

2004-03-02 Thread Jeremy Kitchen
On Tue, 2004-03-02 at 22:26, Andrew Keuhs wrote:
 Clamd will not start now.. i am using version .67
  
 It was working fine last week... we had a power outage... now when I
 run /usr/sbin/clamd as root... it goes to next line but nothing is
 started... Where would I look for errors? I see it has no verbose
 setting... So i have no clue why it will NOT start

$5 says /tmp/clamd still exists.
 
-Jeremy 

-- 
Jeremy Kitchen
Systems Administrator
[EMAIL PROTECTED]
Kitchen @ #qmail on EFNet - Join the party!
.
Inter7 Internet Technologies, Inc.
www.inter7.com
866.528.3530 toll free
847.492.0470 int'l
847.492.0632 fax
GNUPG key ID: 93BDD6CE





Re: [Clamav-users] ClamAV 0.67 memory leak

2004-03-02 Thread Nigel Kukard
sorry, it's 0.67. seems the VM kills it when it uses up all the RAM,
couldn't this be other people's problems as well? I mean i see quite a few
people saying clamd just dies?


On Wed, Mar 03, 2004 at 12:42:48AM +0100, Thomas Lamy wrote:
 Nigel Kukard schrieb:
 
 Anyone seen this...
 
  3843 ?S  0:00 clamd
  3846 ?S  0:01  \_ clamd
  3847 ?S  0:03  \_ clamd
 
 when i cat the /proc/3843/status file...
 
 Name:   clamd
 State:  S (sleeping)
 Tgid:   3843
 Pid:3843
 PPid:   1
 TracerPid:  0
 Uid:0   0   0   0
 Gid:0   0   0   0
 FDSize: 32
 Groups: 0
 VmSize:   210900 kB
 VmLck: 0 kB
 VmRSS: 22940 kB
 VmData:   209128 kB
 VmStk:16 kB
 VmExe:36 kB
 VmLib:  1672 kB
 
 
 Which version exactly (I guess it's 0.67 release, but better save...), 
 on which OS/Distribution ?
 I've not seen huge mem leaks in clam since it's 0.65 days, and I tend to 
 check this every now and then with valgrind.
 
 Thomas
 
 




Re: [Clamav-users] ClamAV 0.67 memory leak

2004-03-02 Thread Jim Gifford
Here is what I see on my system, maybe it's something in the kernel you're
using. I'm using 2.6.3

Name:   clamd
State:  S (sleeping)
SleepAVG:   0%
Tgid:   751
Pid:751
PPid:   1
TracerPid:  0
Uid:0   0   0   0
Gid:0   0   0   0
FDSize: 32
Groups: 0
VmSize:21304 kB
VmLck: 0 kB
VmRSS: 12032 kB
VmData:19336 kB
VmStk: 8 kB
VmExe:40 kB
VmLib:  1840 kB
Threads:2
SigPnd: 
ShdPnd: 
SigBlk: 7ffbbafc
SigIgn: 0004
SigCgt: 80004403
CapInh: 
CapPrm: feff
CapEff: feff





Re: [Clamav-users] RHE and ClamAV

2004-03-02 Thread redragon



I have clamav (clamd and clamav-milter) running on 
an RHEL box installed from source. I didn't have any troubles compiling or 
anything on the RHEL box.

Carl


  - Original Message -
  From: Galactic
  To: [EMAIL PROTECTED]
  Sent: Tuesday, March 02, 2004 9:57 PM
  Subject: [Clamav-users] RHE and ClamAV


  Ok, just upgraded my web server and all to RHE and Plesk 7 using qmail
  from my RH9 box. I had clam on the old box and it was working great, so I
  go to install it on my RHE box and I don’t see it listed as a supported
  install.

  Will ClamAV be available for RHE and if so, where can I get a RPM for it
  please.

  Thanks in advance,

  Franklyn Halamka
  Galactic Zero.


Re: [Clamav-users] password-protected Worm.Bagle.H

2004-03-02 Thread Shawn Tayler
On Tue, 2 Mar 2004 17:07:53 +0100 Erik Corry [EMAIL PROTECTED] exclaimed:

 The question is how much of a problem it really is.  Are users
 really that dumb?
 
 What I'm wondering is whether the encrypted version of the
 virus can be created by the unencrypted version, or whether the
 encrypted versions of the virus we have seen have all been
 produced by actual encrypted-zip infections.  Anyone know?

Well,

Given the level of replication I'm seeing on this bug, I'd say the answer
is yes.

Shawn




Re: [Clamav-users] Clamd will NOT start

2004-03-02 Thread Andrew Keuhs
NO there isn't... I checked..

- Original Message - 
From: Jeremy Kitchen [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, March 03, 2004 12:04 AM
Subject: Re: [Clamav-users] Clamd will NOT start


 On Tue, 2004-03-02 at 22:26, Andrew Keuhs wrote:
  Clamd will not start now.. i am using version .67
   
  It was working fine last week... we had a power outage... now when I
  run /usr/sbin/clamd as root... it goes to next line but nothing is
  started... Where would I look for errors? I see it has no verbose
  setting... So i have no clue why it will NOT start
 
 $5 says /tmp/clamd still exists.
  
 -Jeremy 
 
 -- 
 Jeremy Kitchen
 Systems Administrator
 [EMAIL PROTECTED]
 Kitchen @ #qmail on EFNet - Join the party!
 .
 Inter7 Internet Technologies, Inc.
 www.inter7.com
 866.528.3530 toll free
 847.492.0470 int'l
 847.492.0632 fax
 GNUPG key ID: 93BDD6CE
 
 
 
 
 





Re: [Clamav-users] Re: Clamd will NOT start

2004-03-02 Thread Andrew Keuhs
Already tried that... didn't work...

- Original Message -
From: roliver [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, March 03, 2004 12:06 AM
Subject: [Clamav-users] Re: Clamd will NOT start


 Andrew Keuhs writes:

  Clamd will not start now.. i am using version .67
 
  It was working fine last week... we had a power outage

 That may have corrupted clamd.

  I used this configure:
 
  ./configure \
  --prefix=/usr \
  --sysconfdir=/etc \
  --datadir=/var/clamav \
  --enable-milter

 I suggest you re-install. First run make clean Then install it exactly as
 you did before.

 HTH
  ---

 Russel Oliver
 [EMAIL PROTECTED]










RE: [Clamav-users] debian-sid package broken

2004-03-02 Thread Jae Chang
I thought I was the only one with that problem on a recent upgrade.

Easiest way for me was to:

% apt-get --purge remove clamav clamav-base clamav-data clamav-freshclam
clamav-testfiles libclamav libclamav1
% apt-get install clamav clamav-daemon

Jae

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Me Its
Sent: Monday, March 01, 2004 8:00 PM
To: [EMAIL PROTECTED]
Subject: [Clamav-users] debian-sid package broken
Importance: High


I am using debian - sid, but I got error when I apt-get upgrade, when 
it tries to install the new ClamAV

Setting up clamav-base (0.67-5) ...
dirname: too few arguments

[snip]

What should I do next ?





Re: [Clamav-users] password-protected Worm.Bagle.H

2004-03-02 Thread Andy Dills
On Tue, 2 Mar 2004, Erik Corry wrote:

 On Tue, Mar 02, 2004 at 11:59:19AM -0600, John Jolet wrote:
 
  The question is how much of a problem it really is.  Are users
  really that dumb?
 
  yes, they are.  i've gotten about 10 of those in the last 3 days.

 That doesn't actually prove that anyone typed in the password
 and got infected.  The version with unencrypted zip file can
 send the version with encrypted zip file to others.

 The best defence against it (if it really is a problem) might
 be blocking encrypted zip files with suspicious filenames in
 them.  You can see that the file contains a .exe .pif, etc.
 ending without the password.

 That's probably not a task for clamav though, more like MIMEDefang:
 http://www.mimedefang.org/

 Someone seems to have been giving this some thought:
 http://lists.roaringpenguin.com/pipermail/mimedefang/2004-March/020563.html

I think clamav should return a certain value if the zip file is deemed
clean because it's encrypted, so that glue programs like amavisd-new can
allow people to control when encrypted zips are allowed through. This is a
reasonable thing for clamav to do regardless, if you think about it;
isn't that essentially an error condition (can't scan zipfile)?

It would seem a simple fix for somebody familiar with the code.
Developers, any comments?

Thanks,
Andy

---
Andy Dills
Xecunet, Inc.
www.xecu.net
301-682-9972
---
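The checks this thread keeps circling (Erik Corry's point that entry names are readable without the password, Andy Dills's request for a distinct "encrypted, cannot scan" result for glue programs, and the unzip -t -P '' filter quoted in the Worm.Bagle.H thread), as an added example that is not code from any poster or from ClamAV. It reads the zip central directory directly instead of shelling out to unzip; the sample archives, the SUSPICIOUS_EXT list and all function names are constructed for illustration.

```python
# Added example (not from the thread or from ClamAV): decide how a mail filter
# should treat a zip attachment by reading its central directory. Nothing is
# decrypted; entry names and the "encrypted" flag are stored in clear.
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end-of-central-directory record
CDH_SIG = b"PK\x01\x02"    # central-directory file header
# Payload names the thread mentions (.exe, .pif) plus other executable types;
# an assumed list, to be extended to local policy.
SUSPICIOUS_EXT = (".exe", ".pif", ".scr", ".com", ".bat", ".cmd")


def zip_entries(data):
    """Yield (name, encrypted) for every entry listed in the central directory."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    # After the signature: disk no (2), cd disk (2), entries here (2),
    # total entries (2), cd size (4), cd offset (4), comment length (2).
    n_total, _cd_size, cd_off = struct.unpack_from("<HII", data, eocd + 10)
    pos = cd_off
    for _ in range(n_total):
        if data[pos:pos + 4] != CDH_SIG:
            raise ValueError("corrupt central directory")
        # General-purpose bit flag at offset 8; bit 0 = entry is encrypted
        # (set for traditional PKWARE encryption and for WinZip AES alike).
        (flags,) = struct.unpack_from("<H", data, pos + 8)
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        name = data[pos + 46:pos + 46 + name_len].decode("cp437", "replace")
        yield name, bool(flags & 0x1)
        pos += 46 + name_len + extra_len + comment_len


def classify_attachment(data):
    """Return (verdict, reason): 'scan', 'reject' or 'unscannable'; the last is
    the distinct "encrypted, cannot scan" result asked for above, so the glue
    (amavis, MIMEDefang, ...) applies site policy rather than passing it as clean."""
    try:
        entries = list(zip_entries(data))
    except ValueError as exc:
        return "reject", "malformed zip: %s" % exc
    encrypted = [name for name, enc in entries if enc]
    if not encrypted:
        return "scan", None                       # hand to the AV scanner as usual
    bad = [n for n in encrypted if n.lower().endswith(SUSPICIOUS_EXT)]
    if bad:
        # Names are readable without the password, so this needs no cracking.
        return "reject", "encrypted zip carrying " + ", ".join(bad)
    return "unscannable", "encrypted zip; contents could not be scanned"


def make_sample(names):
    """Build a small constructed zip in memory (sample data, not a real worm)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name in names:
            zf.writestr(name, b"constructed sample content")
    return buf.getvalue()


def mark_encrypted(data):
    """Set flag bit 0 in every local and central header of a constructed zip.
    zipfile cannot write password-protected archives, so the sample is a plain
    archive with patched headers; the classifier reads only those headers."""
    buf = bytearray(data)
    eocd = buf.rfind(EOCD_SIG)
    n_total, _cd_size, cd_off = struct.unpack_from("<HII", buf, eocd + 10)
    pos = cd_off
    for _ in range(n_total):
        (flags,) = struct.unpack_from("<H", buf, pos + 8)
        struct.pack_into("<H", buf, pos + 8, flags | 0x1)
        (local_off,) = struct.unpack_from("<I", buf, pos + 42)   # local header offset
        (lflags,) = struct.unpack_from("<H", buf, local_off + 6)  # local flag word
        struct.pack_into("<H", buf, local_off + 6, lflags | 0x1)
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", buf, pos + 28)
        pos += 46 + name_len + extra_len + comment_len
    return bytes(buf)


if __name__ == "__main__":
    sample = mark_encrypted(make_sample(["photo.pif"]))   # constructed worm-like sample
    print(classify_attachment(sample))
```

In a filter, feed classify_attachment the raw bytes of each zip attachment and treat "unscannable" according to site policy (quarantine, reject, or pass with a warning), never as clean.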



