Re: [Clamav-users] "Too many open files" Error :-(

2004-03-05 Thread Sergey
On Saturday 06 March 2004 02:08, Nigel Horne wrote:

> > For restore work I need to restart clamd and clamav-milter...
> > Have you any idea ?
> 
> Not unless you let us know the version of clamav-milter (clamav-milter --version)
> and clamd and whether you can reproduce with the latest version from CVS.

Sorry for the missing information.
For the last month I have worked with CVS snapshots only. Last probed on RH 6.2:
ClamAV version devel-20040303, clamav-milter version 0.67j

And I can't reproduce it on a new distribution (so far I have probed
Alt Linux Sisyphus only, but I will probe Red Hat 7.3 and
Trustix 2.0 soon)

-- 
Regards,
Sergey



---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users


Re: [Clamav-users] Re: duh, ignore my last question

2004-03-05 Thread John Jolet
On Friday 05 March 2004 09:30 pm, Starbane wrote:
> Jim Maul wrote:
> > my apologies, it was almost 5pm on a friday and for some reason i asked
> > if sendmail supports maildirs.  musta been a brain fart cause obviously
> > thats not the mta's job.  Feel free to point and laugh.
> >
> > Thanks
> > Jim
>
> Since we're sharing, I recently spent an hour trying to figure out why
> my cron job wasn't running.
>
> Of course, after editing the job and scratching my head watching syslog,
> I eventually DID notice that crond was not running.
>
> Definitely  goes along with having to crack the case on a PC, only to
> discover the reason it wasn't POSTing was the lack of an attached power
> cable.
>
> :)
>
(sigh) it's the little things that make this career worth it, isn't it? :)




[Clamav-users] Re: duh, ignore my last question

2004-03-05 Thread Starbane
Jim Maul wrote:
> my apologies, it was almost 5pm on a friday and for some reason i asked if
> sendmail supports maildirs.  musta been a brain fart cause obviously thats
> not the mta's job.  Feel free to point and laugh.
>
> Thanks
> Jim

Since we're sharing, I recently spent an hour trying to figure out why 
my cron job wasn't running.

Of course, after editing the job and scratching my head watching syslog, 
I eventually DID notice that crond was not running.

Definitely  goes along with having to crack the case on a PC, only to 
discover the reason it wasn't POSTing was the lack of an attached power 
cable.

:)





Re: [Clamav-users] duh, ignore my last question

2004-03-05 Thread redragon
To cheer everyone up (virus can be so depressing sometimes)

*points at Jim and laughs*

Carl

- Original Message -
From: "Jim Maul" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, March 05, 2004 4:44 PM
Subject: [Clamav-users] duh, ignore my last question


> my apologies, it was almost 5pm on a friday and for some reason i asked if
> sendmail supports maildirs.  musta been a brain fart cause obviously thats
> not the mta's job.  Feel free to point and laugh.
>
> Thanks
> Jim
>
>





[Clamav-users] network scanning questions

2004-03-05 Thread Charles Sprickman
Hello,

I'm looking at implementing clamav for a somewhat large userbase.  Due to
that, I need to run multiple clamds on separate machines so as not to eat
all the resources on the main mail server.  Think "spamd/spamc"...

From what I can tell, the client included with clamav does not allow for
this; its network support is limited to telling the remote machine what
files to scan on the remote machine.

I have found this client:

ftp://victor.teaser.fr/pub/lwa/clamd-stream-client/

Is anyone aware of any others?

I also can't find any information on the network protocol in the docs or
the list archives.  I did find some posts stating that it's "difficult to
firewall" because it behaves similar to ftp.  I've also found mention in
the docs that the current STREAM mode stuff is due to be replaced soon.
Is this actively being developed, and if so, where can I find the docs
dealing with that?

Thanks,

Charles




Re: [Clamav-users] worm in zip file

2004-03-05 Thread ricardo
>> Hi,
>> 
>> Is clamav catching this latest worm that has a password
>> protected zip file?

> Yes, it is.

Thank you. Are there multiple versions of this worm? I have seen some come 
into my mailbox and not be detected... but I no longer have the files in 
order to test.

Ricardo




Re: [Clamav-users] Problems with clamd

2004-03-05 Thread Doug Hardie
On Mar 5, 2004, at 02:41, Trog wrote:

> On Fri, 2004-03-05 at 01:15, Doug Hardie wrote:
>
> > I just uncommented the thread timeout the last time I restarted clamd
> > a couple minutes ago so I don't know what effect that will have.
>
> ThreadTimeout isn't used in the current CVS version.
>
> > Here is some more information:  After running with the timeout set to
> > 500, clamd no longer dies.  It chugs along for quite awhile (about 10
> > minutes) at full cpu usage and then returns to normal use.  I don't see
> > anything different in the load between the periods.  However a ktrace
> > of clamd shows a significant difference.  Normally clamd shows nothing
> > much when idle and it shows the messages being received (read) when
> > processing a message.  However, when its running at full cpu
> > utilization, ktrace shows thousands of sequences like:
> >
> >   8313 clamd PSIG  SIGPROF caught handler=0x28116228 mask=0x0 code=0x0
> >   8313 clamd CALL  gettimeofday(0x2815fe4c,0)
> >   8313 clamd RET   gettimeofday 0
> >   8313 clamd CALL  sigprocmask(0x3,0x2815fed8,0)
> >   8313 clamd RET   sigprocmask 0
> >   8313 clamd CALL  sigaltstack(0x2817c000,0)
> >   8313 clamd RET   sigaltstack 0
> >   8313 clamd CALL  poll(0x806f000,0x1,0)
> >   8313 clamd RET   poll 0
> >   8313 clamd CALL  sigreturn(0x808ac64)
> >   8313 clamd RET   sigreturn JUSTRETURN
> >
> > and then there will be one message processed and then back to a few
> > more thousand of those sequences.
>
> This looks entirely broken. Your trace indicates that the last argument
> to poll (the timeout) is zero. The code looked like this
>
> count = poll(poll_data, 1, CL_DEFAULT_SCANTIMEOUT*1000);
>
> i.e. the timeout *can't* be zero unless you changed the value of
> CL_DEFAULT_SCANTIMEOUT or your system is fundamentally broken.
> unless your system is using poll to spin somewhere.
>
> -trog

That was my thought also.  I don't know why its zero.  When clamd is 
only using about 2% of the cpu, the number is on the order of 5 to 10 
seconds.  However, something is very unusual here.  The line of code 
above is not in the version I am using.  I am using the snapshot from 
the morning of 4 Mar.





Re: [Clamav-users] worm in zip file

2004-03-05 Thread Tomasz Kojm
On Fri, 5 Mar 2004 14:37:18 -0800 (PST)
ricardo <[EMAIL PROTECTED]> wrote:

> Hi,
> 
> Is clamav catching this latest worm that has a password
> protected zip file?

Yes, it is.

-- 
   oo. Tomasz Kojm <[EMAIL PROTECTED]>
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Sat Mar  6 00:03:27 CET 2004




Re: [Clamav-users] sendmail devel?

2004-03-05 Thread Erick Ivaan Lopez Carreon
On Fri, 05-03-2004 at 12:20, Eric wrote:
> How do I tell if I have sendmail-devel installed.  the clamav milter tells
> me to ensure that it is there. I know I am using sendmail 8.12.5 but how do
> I know if its devel? which sendmail and which sendmail-devel show nothing.
> 
> 
> Eric

Hello:

If you use debian:

a)apt-cache search sendmail dev

b)dpkg -s package


You need libmilter, and the support for this is only in sendmail 8.12 or
newer.


Regards!!






[Clamav-users] duh, ignore my last question

2004-03-05 Thread Jim Maul
my apologies, it was almost 5pm on a friday and for some reason i asked if
sendmail supports maildirs.  musta been a brain fart cause obviously thats
not the mta's job.  Feel free to point and laugh.

Thanks
Jim




Re: [Clamav-users] sendmail devel?

2004-03-05 Thread Jim Maul
> Some "pop3" services work off the system accounts (/etc/passwd) while
> others
> are database driven and use a "separate" system.  The only thing you need
> to
> make sure is that the pop3 system you're using works on the same level that
> your MTA does.  qpopper, courier, ipop all seem to work off system user
> accounts while other things such as hive work off a database driven mail
> system.
>

I dont know about courier pop, but courier imap works with virtual users
(neither system nor database driven accounts).  But that is together with
vpopmail so...






[Clamav-users] worm in zip file

2004-03-05 Thread ricardo
Hi,

Is clamav catching this latest worm that has a password
protected zip file?

I've seen a bunch of these come through and it doesn't seem
like clamdscan has caught it. I don't have one of these
messages around to manually test it.

Thanks
Ricardo





Re: [Clamav-users] Password-protected .zip file viruses

2004-03-05 Thread Tomasz Kojm
On Fri, 5 Mar 2004 13:31:35 -0800 (PST)
[EMAIL PROTECTED] wrote:

> 
> uvscan is detecting zipped/passworded bagle zip's as 
> Worm.Bagle.Gen-zippwd.  Any ideas as to how they might be doing this?

Please don't top post.

That's not your uvscan but ClamAV detecting the worm.

-- 
   oo. Tomasz Kojm <[EMAIL PROTECTED]>
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Fri Mar  5 23:10:04 CET 2004




Re: [Clamav-users] Occasionally missing viruses

2004-03-05 Thread Nigel Horne
On Friday 05 Mar 2004 9:47 pm, Dominic Mazzoni wrote:
> >> Try running 'clamscan --mbox email'
>
> Actually I should note that this almost completely fixes my
> problem.  Now it's catching 99% of my viruses.  The only
> question now is why it still misses 1 or 2 of them when
> the virus is found when base64-decoding the attachment and
> scanning that.

If you forward copies of the e-mails in which clamAV fails to locate the viruses
that would help. Send them by private e-mail to me.

> Dominic

-Nigel

-- 
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK.  ICQ#20252325
[EMAIL PROTECTED] http://www.bandsman.co.uk





Re: [Clamav-users] sendmail devel?

2004-03-05 Thread redragon
Some "pop3" services work off the system accounts (/etc/passwd) while others
are database driven and use a "separate" system.  The only thing you need to
make sure is that the pop3 system you're using works on the same level that
your MTA does.  qpopper, courier, ipop all seem to work off system user
accounts while other things such as hive work off a database driven mail
system.

Carl

- Original Message -
From: "Hanford, Seth" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, March 05, 2004 2:56 PM
Subject: Re: [Clamav-users] sendmail devel?


> > Why does multiple or single domains matter to the POP3 server?
>
> The only thing I can imagine off the top of my head is user accounts -- if
> you have [EMAIL PROTECTED] and [EMAIL PROTECTED], you need to make sure that
> your POP3 server doesn't think they both necessarily use the same mailbox
> b/c they are both named Joe.  Granted, a lot of other pieces (MTA, MDA,
> etc.) also need to have the exact same idea of who is who.
>
> Seth
>
>
>





Re: [Clamav-users] "Too many open files" Error :-(

2004-03-05 Thread Nigel Horne
On Friday 05 Mar 2004 6:18 pm, Sergey wrote:

> For restore work I need to restart clamd and clamav-milter...
> Have you any idea ?

Not unless you let us know the version of clamav-milter (clamav-milter --version)
and clamd and whether you can reproduce with the latest version from CVS.

-Nigel

-- 
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK.  ICQ#20252325
[EMAIL PROTECTED] http://www.bandsman.co.uk





Re: [Clamav-users] Occasionally missing viruses

2004-03-05 Thread Dominic Mazzoni
> Try running 'clamscan --mbox email'

Actually I should note that this almost completely fixes my
problem.  Now it's catching 99% of my viruses.  The only
question now is why it still misses 1 or 2 of them when
the virus is found when base64-decoding the attachment and
scanning that.

Thanks,
Dominic




Re: [Clamav-users] "Too many open files" Error :-(

2004-03-05 Thread Robert Schmidt
On Fri, 2004-03-05 at 13:18, Sergey wrote:
> Hello.
> 
> I run Clam AV on RedHat 6.2.
> Some time after (about one hour) running clamav-milter is stop scanning with error:

> For restore work I need to restart clamd and clamav-milter...
> Have you any idea ?

What is important is how many file descriptors the user clamav runs as
has. For example number of open files (-n) on a Fedora box defaults to
1024, which may not be enough.

You may want to also probe clamd when it is running to see how many/why
it needs so many files open (command-line examples below).

We have started restarting clamd every 3 hours. This is with 0.67, we
find that to be a reasonable solution.


[EMAIL PROTECTED] etc]# su - clamav -s /bin/bash -c "ulimit -a"
core file size(blocks, -c) 0
data seg size (kbytes, -d) unlimited
file size (blocks, -f) unlimited
max locked memory (kbytes, -l) unlimited
max memory size   (kbytes, -m) unlimited
open files(-n) 1024
pipe size  (512 bytes, -p) 8
stack size(kbytes, -s) 10240
cpu time (seconds, -t) unlimited
max user processes(-u) 7168
virtual memory(kbytes, -v) unlimited

[EMAIL PROTECTED] bin]# lsof -p `ps --no-headers -C clamd -o pid`


-- 
Robert Schmidt -- UNIX Tech Support
[EMAIL PROTECTED]
MC1021 519-888-4567 x6453
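
Added example (not part of the message above and not ClamAV's own tooling): a small POSIX sh check in the spirit of the `ulimit -n` and `lsof -p` commands above, comparing a process's open descriptor count with its soft limit so a leak is visible before "Too many open files" stops scanning. It assumes a Linux `/proc`; the function names and the 80% warning threshold are choices made for this example.

```shell
#!/bin/sh
# Added example: warn before a daemon such as clamd hits its open-files limit.
# Assumes Linux /proc (fd/ and limits); names and threshold are illustrative.

# fd_percent OPEN LIMIT -> prints the integer percentage of the limit in use.
# A non-numeric ("unlimited") or zero limit is reported as 0.
fd_percent() {
    case $2 in
        ''|*[!0-9]*) echo 0; return 0 ;;
    esac
    [ "$2" -gt 0 ] || { echo 0; return 0; }
    echo $(( $1 * 100 / $2 ))
}

# fd_state OPEN LIMIT [WARN_PCT] -> prints OK, WARN or EXHAUSTED.
fd_state() {
    pct=$(fd_percent "$1" "$2")
    warn=${3:-80}
    if [ "$pct" -ge 100 ]; then
        echo EXHAUSTED
    elif [ "$pct" -ge "$warn" ]; then
        echo WARN
    else
        echo OK
    fi
}

# fd_open_count PID -> number of descriptors the process holds right now.
# Reading another user's /proc/PID/fd needs root, as with lsof -p.
fd_open_count() {
    [ -r "/proc/$1/fd" ] || return 1
    ls "/proc/$1/fd" 2>/dev/null | wc -l | tr -d ' '
}

# fd_soft_limit PID -> soft "Max open files" limit of the running process,
# which can differ from what "ulimit -n" shows in a fresh login shell.
fd_soft_limit() {
    [ -r "/proc/$1/limits" ] || return 1
    awk '/^Max open files/ { print $4 }' "/proc/$1/limits"
}

# fd_report NAME -> one line per running process with that command name.
fd_report() {
    for pid in $(ps -C "$1" -o pid= 2>/dev/null); do
        open=$(fd_open_count "$pid") || continue
        limit=$(fd_soft_limit "$pid") || continue
        state=$(fd_state "$open" "$limit")
        echo "$1 pid=$pid open=$open limit=$limit state=$state"
    done
}

# Usage: sh fdcheck.sh clamd   (the script name is a placeholder)
if [ $# -gt 0 ]; then
    fd_report "$1"
fi
```

Run from cron, a WARN line that keeps climbing between runs points to a descriptor leak rather than a limit that is merely too low.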





RE: [Clamav-users] sendmail devel?

2004-03-05 Thread Jim Maul


> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Hanford,
> Seth
> Sent: Friday, March 05, 2004 3:57 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] sendmail devel?
>
>
> > Why does multiple or single domains matter to the POP3 server?
>
> The only thing I can imagine off the top of my head is user accounts -- if
> you have [EMAIL PROTECTED] and [EMAIL PROTECTED], you need to make sure that
> your POP3 server doesn't think they both necessarily use the same mailbox
> b/c they are both named Joe.  Granted, a lot of other pieces (MTA, MDA,
> etc.) also need to have the exact same idea of who is who.
>
> Seth
>
>

Exactly, usually to solve this problem, the username is [EMAIL PROTECTED]
instead of just user.  There are other variations on this too
(user%domain.com ive seen before as well)

Jim





[Clamav-users] clam and pop3 scanner

2004-03-05 Thread Kevin BRown
   So I got the pop3 scanner installed.
redhat 9, clarkconnect firewall.
I did a cp p3scan.conf.sample to p3scan.conf and uncommented lines and 
did light configuration.
But I get this error in "tail /var/log/messages"
Mar  5 13:33:25 compaq p3scan: p3scan[7004]: P3Scan Version 1.0
Mar  5 13:33:25 compaq p3scan: p3scan[7004]: Selected scannertype: basic (file invocation scanner)
Mar  5 13:33:25 compaq p3scan: p3scan[7004]: Listen now on 192.168.1.1:811
Mar  5 13:33:25 compaq p3scan: p3scan[7004]: Changing uid (we are root)
Mar  5 13:33:25 compaq p3scan: p3scan[7004]: Changed UID.GID to 8.12
Mar  5 13:33:25 compaq p3scan: p3scan[7004]: No Regular Expression given!
ames can't be extracted
Mar  5 13:33:25 compaq p3scan: p3scan[7004]: Waiting for connections.
Can anyone tell me what "No Regular Expression" is ?
is it important?
bueller, Bueller ?

Also my p3scan.conf file is set at scanner=/var/lib/clamav
default=basic.
I can run freshclam /home/user no problems and even found a virus last 
week (mp3 file none the less)
Also when I do a rpm -q libpcre it shows nothing, but I have a
rpm -q pcre it shows
rpm pcre-3.9-10 installed.
Is it compatible ??

:-)>
kevin




[Clamav-users] Milter's problem ?

2004-03-05 Thread Sergey
Hello.

I need to correct reply form clamav-milter. I made 
some overpatching and... And I got an inoperative program.
I added some debug messages to different functions and I 
see that clamfi_envfrom is called at an unexpected time:

Mar  6 00:39:12 clamav-milter[31322]: clamfi_helo: centurion
Mar  6 00:39:12 clamav-milter[31322]: clamfi_helo: --1-- (null)
Mar  6 00:39:12 clamav-milter[31322]: clamfi_helo: --2-- (null)
Mar  6 00:39:12 clamav-milter[31322]: clamfi_helo: --3-- ╗>,
Mar  6 00:39:12 clamav-milter[31322]: clamfi_helo: --4-- centurion
Mar  6 00:39:12 clamav-milter[31322]: clamfi_helo: smfi_setpriv ok, privdata = 0x805c638
Mar  6 00:39:13 clamav-milter[31322]: clamfi_envfrom: privdata = 0x805c638
Mar  6 00:39:13 clamav-milter[31322]: clamfi_envfrom: <[EMAIL PROTECTED]>
Mar  6 00:39:13 clamav-milter[31322]: clamfi_envfrom: n_children = 2
Mar  6 00:39:13 clamav-milter[31322]: clamfi_envfrom: continue
Mar  6 00:39:15 clamav-milter[31322]: clamfi_envrcpt: <[EMAIL PROTECTED]>
Mar  6 00:39:16 clamav-milter[31322]: clamfi_header: From: "" <[EMAIL PROTECTED]>
Mar  6 00:39:16 clamav-milter[31322]: clamfi_header: To:
Mar  6 00:39:16 clamav-milter[31322]: clamfi_header: Subject: xx
Mar  6 00:39:16 clamav-milter[31322]: clamfi_header: Date: Sat, 6 Mar 2004 00:39:28 +0400
Mar  6 00:39:16 clamav-milter[31322]: clamfi_header: MIME-Version: 1.0
Mar  6 00:39:16 clamav-milter[31322]: clamfi_header: Content-Type: text/plain;
Mar  6 00:39:16 clamav-milter[31322]: clamfi_header: X-Mailer: Microsoft Office Outlook, Build 11.0.5510
Mar  6 00:39:16 clamav-milter[31322]: clamfi_header: X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1123
Mar  6 00:39:16 clamav-milter[31322]: clamfi_eoh
Mar  6 00:39:16 clamav-milter[31322]: clamfi_envbody: 332 bytes
Mar  6 00:39:16 clamav-milter[31322]: clamfi_eom
Mar  6 00:39:16 clamav-milter[31322]: clamfi_eom: read stream: OK
Mar  6 00:39:16 clamav-milter[31322]: i25KdBI3031318: clean message from <[EMAIL PROTECTED]>
Mar  6 00:39:16 clamav-milter[31322]: clamfi_free called
Mar  6 00:39:16 clamav-milter[31322]: clamfi_free: privdata = 0x805c638
Mar  6 00:39:16 clamav-milter[31322]: clamfi_free: privdata = 0x805c638
Mar  6 00:39:17 clamav-milter[31322]: clamfi_envfrom: privdata = (nil)
Mar  6 00:39:17 clamav-milter[31322]: clamfi_envfrom: <[EMAIL PROTECTED]>
Mar  6 00:39:17 clamav-milter[31322]: clamfi_envfrom: n_children = 2

Why ?... (clamfi_envfrom: privdata = (nil) because private context initialization 
moved from clamfi_envfrom to clamfi_helo).

I make a verification at the beginning of clamfi_envfrom

if(!privdata) {
syslog(LOG_DEBUG, "clamfi_envfrom: privdata is NULL, breake");
return cl_error;
}


but i don't understand...

-- 
Regards,
Sergey





Re: [Clamav-users] Password-protected .zip file viruses

2004-03-05 Thread clamav

uvscan is detecting zipped/passworded bagle zip's as 
Worm.Bagle.Gen-zippwd.  Any ideas as to how they might be doing this?

-Eric

On Wed, 3 Mar 2004, Lucas Albers wrote:

> Tomasz Papszun said:
> >WE ASK USERS TO NOT SUBMIT naked zip files IF their contents is DETECTED
> >as infected by ClamAV AFTER UNZIPPING. It's a utter waste of our time,
> >which results in delays in processing really significant samples!
> 
> Why not add this on the web submittal nag screen?
> 
> 
> Luke Computer Science System Administrator
> Security Administrator,College of Engineering
> Montana State University-Bozeman,Montana
> 
> 
> 

-- 
Eric Wheeler
Vice President
National Security Concepts, Inc.
PO Box 3567
Tualatin, OR 97062

http://www.nsci.us/
Voice: (503) 293-7656
Fax:   (503) 885-0770





RE: [Clamav-users] sendmail devel?

2004-03-05 Thread Jim Maul


> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Jeff
> Ramsey
> Sent: Friday, March 05, 2004 3:47 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] sendmail devel?
>
> And while we're digging up old hatchets that have been buried long ago,
> I use vi over emacs.
>

My workstation has an amd processor instead of intel and i have an nvidia
vid card not ati.

With that said, we should all probably stop this before someone gets hurt.





RE: [Clamav-users] sendmail devel?

2004-03-05 Thread Jim Maul


> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Antony
> Stone
> Sent: Friday, March 05, 2004 3:32 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] sendmail devel?
>
>
> On Friday 05 March 2004 8:22 pm, redragon wrote:
>
> > This could end up being a long drawn out battle.
>
> That is not what I intended to start when I posted my question,
> and I hope it
> doesn't happen.
>
> > I personally prefer
> > sendmail to any other MTA and have no security issues with it.  Like any
> > other piece of software you install it must be maintained.
>
> Agreed.   I personally like sendmail, but that's partly simply
> because I know
> it better than other MTAs.
>
> I simply wanted to know if people were aware of any recent assessments
> comparing the security of sendmail vs. other MTAs, showing that sendmail
> still has problems.   The opinion expressed by Jim, that sendmail is less
> secure than postfix or qmail, suggested to me that he might have
> something to
> support it, and I would be very interested to see that.
>

Well sorry to disappoint, but there is no recent support to my claims.
Indeed i do not wish to start any quarrels with anyone so i hope that does
not happen here.  I was simply basing my claims on the history of the
software.  I do not run sendmail so i can not vouch for its current
security.  Simply put, i do not need all the fancy stuff that sendmail
supports.  Ease of installation/use is the main reason i use qmail.

It all comes down to what YOU need your mta to do.  Neither is better/worse
than any other.  IMHO the problem with sendmail is that when it was
designed, the author had NO idea just how popular it was going to be.  Had
he known, im sure it would have been designed differently.

On a (not so) side note, does sendmail support maildirs?  I tried finding the
answer to this on the website, but no luck.

Jim





Re: [Clamav-users] Occasionally missing viruses

2004-03-05 Thread Tomasz Papszun
On Fri, 05 Mar 2004 at 12:49:45 -0800, Dominic Mazzoni wrote:
> Ryan Moore wrote:
> >
> >Try running 'clamscan --mbox email'
> 
> Oops, I didn't realize that.
> 
> Same problem:
> 
> >clamscan --mbox email
> email: OK

If it's with the current CVS version, you can submit a sample via our
submission WWW interface, describing the problem of course.

-- 
 Tomasz Papszun   SysAdm @ TP S.A. Lodz, Poland  | And it's only
 [EMAIL PROTECTED]   http://www.lodz.tpsa.pl/   | ones and zeros.
 [EMAIL PROTECTED]   http://www.ClamAV.net/   A GPL virus scanner




Re: [Clamav-users] ScanMail destabilizing clamd?

2004-03-05 Thread Tomasz Kojm
On Fri, 5 Mar 2004 16:54:12 -0300
Everton da Silva Marques <[EMAIL PROTECTED]> wrote:

> Is ScanMail known to be unstable?

Yes, it is. It's very hard to parse all those broken messages.

-- 
   oo. Tomasz Kojm <[EMAIL PROTECTED]>
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Fri Mar  5 22:04:00 CET 2004




Re: [Clamav-users] sendmail devel?

2004-03-05 Thread redragon
Agreed, about 99% of it is preference and knowledge of what you use.
Postfix, exim (3 and 4), and sendmail all natively provide auth smtp and tls
as well as most any other feature the average admin uses.

Carl

- Original Message -
From: "John Jolet" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, March 05, 2004 2:42 PM
Subject: Re: [Clamav-users] sendmail devel?


> Antony Stone wrote:
>
> >On Friday 05 March 2004 7:54 pm, Jim Maul wrote:
> >
> >>> On the other hand, remove sendmail and install Postfix instead.
> >>>
> >>Or qmail.  Both are more secure than sendmail.
> >>
> >Is this still true?   I know sendmail had a bad history of security problems
> >in its early days (but then again it has been around for a very long time).
> >
> >What has sendmail's *recent* history of security problems been like?   Where
> >can I see some tests showing postfix or qmail are better?
> >
> >Regards,
> >
> >Antony,
> >
> this is ot, however, we just moved our gateway mail servers from
> sendmail to postfix and saw a tremendous cpu-utilization drop.  Security
> concerns aside, postfix is (in my opinion) a heck of a lot easier to
> manage and configure.
>
>
>





Re: [Clamav-users] Occasionally missing viruses

2004-03-05 Thread Lucas Albers
I was missing some viruses until I upgraded from .65 to .67.
Bounce back zipped viruses were slipping by.
Dominic Mazzoni said:
> Ryan Moore wrote:
>> Dominic Mazzoni wrote:
>>
>>> I'm also having the problem that Ron Snyder reported yesterday,
>>> where clamscan will mark a file as OK, but if I extract the
>>> attachment (just by base64-decoding it, NOT by unzipping it too),
>>> then clamscan properly recognizes the virus (in this case, SCO.A).
>>>
>>
>> Try running 'clamscan --mbox email'
>
> Oops, I didn't realize that.
>
> Same problem:
>
>> clamscan --mbox email
> email: OK
>
> --- SCAN SUMMARY ---
> Known viruses: 20383
> Scanned directories: 0
> Scanned files: 1
> Infected files: 0
> Data scanned: 0.03 MB
> I/O buffer size: 131072 bytes
> Time: 0.626 sec (0 m 0 s)
>
> Thanks for responding.
>
> - Dominic
>
>
>
>
>


-- 
Luke Computer Science System Administrator
Security Administrator,College of Engineering
Montana State University-Bozeman,Montana





Re: [Clamav-users] sendmail devel?

2004-03-05 Thread Hanford, Seth
> Why does multiple or single domains matter to the POP3 server?

The only thing I can imagine off the top of my head is user accounts -- if
you have [EMAIL PROTECTED] and [EMAIL PROTECTED], you need to make sure that
your POP3 server doesn't think they both necessarily use the same mailbox
b/c they are both named Joe.  Granted, a lot of other pieces (MTA, MDA,
etc.) also need to have the exact same idea of who is who.

Seth





Re: [Clamav-users] sendmail devel?

2004-03-05 Thread Hanford, Seth
> what pop3 is good for multiple domains? instead of qpopper

CourierPop3d and CourierImap are both good for multiple domains. (of course,
CourierIMAP is not Pop3, but they are often packaged together, and do not
require the Courier MTA).

--Seth





Re: [Clamav-users] Occasionally missing viruses

2004-03-05 Thread Dominic Mazzoni
Ryan Moore wrote:
> Dominic Mazzoni wrote:
>
>> I'm also having the problem that Ron Snyder reported yesterday,
>> where clamscan will mark a file as OK, but if I extract the
>> attachment (just by base64-decoding it, NOT by unzipping it too),
>> then clamscan properly recognizes the virus (in this case, SCO.A).
>
> Try running 'clamscan --mbox email'

Oops, I didn't realize that.

Same problem:

clamscan --mbox email
email: OK

--- SCAN SUMMARY ---
Known viruses: 20383
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.03 MB
I/O buffer size: 131072 bytes
Time: 0.626 sec (0 m 0 s)

Thanks for responding.

- Dominic





Re: [Clamav-users] sendmail devel?

2004-03-05 Thread Jeff Ramsey
If you already have sendmail configured and working, why switch? I
agree that sendmail has had its share of security holes, but in that
respect, it's like the Windows of MTAs: It was so widely used, it was
picked apart. I believe this made it stronger. I don't believe there is
any more security in another MTA, and if you take the time to learn it,
you'll enjoy its flexibility.

And while we're digging up old hatchets that have been buried long ago, 
I use vi over emacs.

Jeff
On Mar 5, 2004, at 12:32 PM, Antony Stone wrote:
> On Friday 05 March 2004 8:22 pm, redragon wrote:
>
>> This could end up being a long drawn out battle.
>
> That is not what I intended to start when I posted my question, and I hope it
> doesn't happen.
>
>> I personally prefer
>> sendmail to any other MTA and have no security issues with it.  Like any
>> other piece of software you install it must be maintained.
>
> Agreed.   I personally like sendmail, but that's partly simply because I know
> it better than other MTAs.
>
> I simply wanted to know if people were aware of any recent assessments
> comparing the security of sendmail vs. other MTAs, showing that sendmail
> still has problems.   The opinion expressed by Jim, that sendmail is less
> secure than postfix or qmail, suggested to me that he might have something to
> support it, and I would be very interested to see that.
>
> Regards,
>
> Antony.
>
> --
> In science, one tries to tell people
> in such a way as to be understood by everyone
> something that no-one ever knew before.
> In poetry, it is the exact opposite.
>
>  - Paul Dirac
>
>  Please reply to the list;
>    please don't CC me.




Jeff Ramsey
MIS Administrator
Tubafor Mill, Inc.




Re: [Clamav-users] sendmail devel?

2004-03-05 Thread Antony Stone
On Friday 05 March 2004 8:42 pm, Eric wrote:

> what pop3 is good for multiple domains? instead of qpopper

Why does multiple or single domains matter to the POP3 server?

Handling domains is up to the receiving MTA - POP3 just deals with local 
mailboxes.

(Or am I missing something about how other people use POP3?)

Antony.

-- 
Having been asked for a reference for this man,
I can confirm that you will be very lucky indeed if you can get him to work 
for you.

 Please reply to the list;
   please don't CC me.





Re: [Clamav-users] sendmail devel?

2004-03-05 Thread John Jolet
Antony Stone wrote:

> On Friday 05 March 2004 7:54 pm, Jim Maul wrote:
>
>>> On the other hand, remove sendmail and install Postfix instead.
>>
>> Or qmail.  Both are more secure than sendmail.
>
> Is this still true?   I know sendmail had a bad history of security problems
> in its early days (but then again it has been around for a very long time).
>
> What has sendmail's *recent* history of security problems been like?   Where
> can I see some tests showing postfix or qmail are better?
>
> Regards,
>
> Antony,

this is ot, however, we just moved our gateway mail servers from
sendmail to postfix and saw a tremendous cpu-utilization drop.  Security
concerns aside, postfix is (in my opinion) a heck of a lot easier to
manage and configure.



Re: [Clamav-users] sendmail devel?

2004-03-05 Thread Eric
what pop3 is good for multiple domains? instead of qpopper
> >
> > > >  On the other hand, remove sendmail and install Postfix instead.
>






Re: [Clamav-users] sendmail devel?

2004-03-05 Thread Jesper Juhl
On Fri, 5 Mar 2004, Antony Stone wrote:

> On Friday 05 March 2004 7:54 pm, Jim Maul wrote:
>
> > >  On the other hand, remove sendmail and install Postfix instead.
> >
> > Or qmail.  Both are more secure than sendmail.
>
> Is this still true?   I know sendmail had a bad history of security problems
> in its early days (but then again it has been around for a very long time).
>
> What has sendmail's *recent* history of security problems been like?   Where
> can I see some tests showing postfix or qmail are better?
>
Security issues aside, postfix is significantly simpler to setup and
maintain than sendmail and deals just fine with heavy loads. It might be
slightly less flexible, but for 99% of all users I'd say it's more than
flexible enough.


-- 
Jesper Juhl <[EMAIL PROTECTED]>
Systems Administrator, Danmarks Idræts-Forbund / The Danish Sports Federation
Please don't top-post   http://www.catb.org/~esr/jargon/html/T/top-post.html
Please send plain text emails only  http://www.expita.com/nomime.html




Re: [Clamav-users] sendmail devel?

2004-03-05 Thread Antony Stone
On Friday 05 March 2004 8:22 pm, redragon wrote:

> This could end up being a long drawn out battle.

That is not what I intended to start when I posted my question, and I hope it 
doesn't happen.

> I personally prefer
> sendmail to any other MTA and have no security issues with it.  Like any
> other piece of software you install it must be maintained.

Agreed.   I personally like sendmail, but that's partly simply because I know 
it better than other MTAs.

I simply wanted to know if people were aware of any recent assessments 
comparing the security of sendmail vs. other MTAs, showing that sendmail 
still has problems.   The opinion expressed by Jim, that sendmail is less 
secure than postfix or qmail, suggested to me that he might have something to 
support it, and I would be very interested to see that.

Regards,

Antony.

-- 
In science, one tries to tell people
in such a way as to be understood by everyone
something that no-one ever knew before.

In poetry, it is the exact opposite.

 - Paul Dirac

 Please reply to the list;
   please don't CC me.





Re: [Clamav-users] sendmail devel?

2004-03-05 Thread redragon
It really depends on your distro.  I'm going to presume you have Redhat or
similar flavor installed.  If so you can do rpm -qa|grep sendmail and see if
sendmail dev is installed.

Carl

- Original Message -
From: "Eric" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, March 05, 2004 12:20 PM
Subject: [Clamav-users] sendmail devel?


> How do I tell if I have sendmail-devel installed.  the clamav milter tells
> me to ensure that it is there. I know I am using sendmail 8.12.5 but how do
> I know if its devel? which sendmail and which sendmail-devel show nothing.
>
>
> Eric
>
>
>
>





[Clamav-users] clamd crashing on some emails

2004-03-05 Thread Marcus Reid
Hi,

I run clamav on some higher-volume mail servers (scanning
a couple hundred thousand emails a day.) Let me begin by
saying that I've been very impressed at the quality of clamav;
it's fast and integrates well with amavisd-new. Updates seem
to be done well, and it compares favorably with the other
scanners that I evaluated, F-Prot and Grisoft AVG. clamav is
more configurable and flexible.

I initially had trouble with clamd crashing occasionally,
which has been less of a problem since a recent upgrade to
the current version in CVS. It still happens once in a while
though, and the last couple of instances seem to be related
to an encrypted zipfile attachment (not a worm email.) Is
anybody else seeing this?

Sincerely,

Marcus




RE: [Clamav-users] Occasionally missing viruses

2004-03-05 Thread Ron Snyder
> On Fri, 05 Mar 2004 at 10:57:12 -0800, Dominic Mazzoni wrote:
> > I'm also having the problem that Ron Snyder reported yesterday,
> 
> Ron's problem regarded milter if I saw correctly, so it may be something
> different. Anyway...

I thought it was milter related, but now I'm not sure. It may just be the
way that the milter is designed. The way I captured the samples that got
through was to modify an extension munging script that we have on our MX
gateway, so that any message that had the base64 signature of a zip file got
copied to a special directory. I've then been checking that directory every
so often for zip files that look suspicious.

The three zipped files that got through all came as bounced messages, but
because the bounce message headers don't have proper mime headers, the
base64 encoded virus doesn't properly show up as an attachment. I am
presuming that this is why clamav-milter isn't finding it, as well as the
reason why clamscan --mbox doesn't find it either.  (I know it is actually
Sco.A because if I go through the steps to actually decode it, clamscan does
recognize it.)

So I guess my concerns are resolved, as long as clamav-milter and clamscan
are actually supposed to be ignoring encoded files that don't have proper
mime parts.

-ron



> 
> > where clamscan will mark a file as OK, but if I extract the
> > attachment (just by base64-decoding it, NOT by unzipping it too),
> > then clamscan properly recognizes the virus (in this case, SCO.A).
> > 
> > Actually clamscan seems to be having this problem with every
> > single SCO.A virus I get, though I'm not sure it's limited to
> > just this one.
> > 
> > I saved the email (directly out of my Imap Maildir) as "email",
> > and the zip attachment (containing SCO.A) as "document.zip".
> > Here's what I get with clamscan (version 0.67, after running
> > freshclam):
> > 
> > > clamscan email
> > email: OK
> 
> One _must_ use option --mbox (-m) with clamscan to scan mail files!
> 
> > Any suggestions?  Note that clamscan is successfully finding other
> > viruses in my inbox, but it's missing all of the SCO ones, as
> 
> This is a little strange (I mean: that it finds other viruses without
> --mbox) but some viruses are detectable even without enabling 
> --mbox, so
> it's possible.
> 
> > far as I can tell.  I have over 200 of them saved in a separate
> > directory and clamscan misses all of those.
> 
> Just use --mbox and tell us what happens.
> 
> -- 
>  Tomasz Papszun   SysAdm @ TP S.A. Lodz, Poland  | And it's only
>  [EMAIL PROTECTED]   http://www.lodz.tpsa.pl/   | ones and zeros.
>  [EMAIL PROTECTED]   http://www.ClamAV.net/   A GPL virus scanner
> 
> 
> 
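
The following added example, which is not part of the original post or of ClamAV, reproduces the situation described above: a bounce whose body carries a base64-encoded zip without MIME part headers, which a MIME-aware parser reports as having no attachments, and a raw scan for the base64 zip signature that recovers the archive so it can be scanned. The sample message, its addresses and all function names are constructed for illustration.

```python
import base64
import binascii
import email
import io
import re
import zipfile

ZIP_MAGIC = b"PK\x03\x04"
# "PK\x03\x04" always encodes to a base64 string beginning "UEsDB".
B64_ZIP_PREFIX = "UEsDB"
B64_LINE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def mime_attachments(raw):
    """Filenames a MIME-aware parser finds, i.e. what a mail scanner would unpack."""
    msg = email.message_from_string(raw)
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def carve_base64_zips(raw):
    """Find base64 runs that decode to zip data, ignoring MIME structure."""
    found, run = [], []

    def flush():
        if not run:
            return
        joined = "".join(run)
        run.clear()
        joined = joined[: len(joined) - len(joined) % 4]  # tolerate truncation
        try:
            data = base64.b64decode(joined, validate=True)
        except (binascii.Error, ValueError):
            return
        if data.startswith(ZIP_MAGIC):
            found.append(data)

    for line in raw.splitlines():
        text = line.lstrip("> \t").rstrip()  # bounces often quote or indent
        is_b64 = bool(B64_LINE.match(text))
        if run and not is_b64:
            flush()
        if is_b64 and (run or text.startswith(B64_ZIP_PREFIX)):
            run.append(text)
            if text.endswith("="):  # padding marks the end of the encoding
                flush()
    flush()
    return found


def zip_members(data):
    """List member names of a carved zip, or [] if the archive is damaged."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def build_sample_bounce():
    """Constructed bounce: the original part's headers sit in the body text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.txt", "harmless constructed payload\n")
    b64 = base64.encodebytes(buf.getvalue()).decode("ascii")
    return (
        "From: MAILER-DAEMON@mx.example\n"
        "To: user@example.org\n"
        "Subject: Returned mail: see transcript for details\n"
        "\n"
        "   ----- Original message follows -----\n"
        "\n"
        "Content-Type: application/octet-stream; name=\"document.zip\"\n"
        "Content-Transfer-Encoding: base64\n"
        "\n"
        + b64 +
        "\n"
    )


if __name__ == "__main__":
    raw = build_sample_bounce()
    print("MIME attachments:", mime_attachments(raw))
    for blob in carve_base64_zips(raw):
        print("carved zip, %d bytes, members: %s" % (len(blob), zip_members(blob)))
```

Each carved blob can be written to a file and passed to clamscan, which is the manual decode-then-scan step described in the post.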




Re: [Clamav-users] sendmail devel?

2004-03-05 Thread redragon
This could end up being a long drawn out battle.  I personally prefer
sendmail to any other MTA and have no security issues with it.  Like any
other piece of software you install it must be maintained.

Sendmail offers everything I need in the virtual hosting environment that I
offer customers.  It's strong, reliable, easy to maintain, and requires
little of my system resources.  Even on the larger machines with over 500
domains and 1500 email accounts.

Postfix and exim are also excellent MTAs.  I can't however recommend qmail
for its lack of support for later technologies.  If you want TLS or Auth
SMTP I believe qmail requires you to rely on 3rd party software to integrate
that support.

Carl

- Original Message -
From: "Antony Stone" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, March 05, 2004 2:02 PM
Subject: Re: [Clamav-users] sendmail devel?


> On Friday 05 March 2004 7:54 pm, Jim Maul wrote:
>
> > >  On the other hand, remove sendmail and install Postfix instead.
> >
> > Or qmail.  Both are more secure than sendmail.
>
> Is this still true?   I know sendmail had a bad history of security problems
> in its early days (but then again it has been around for a very long time).
>
> What has sendmail's *recent* history of security problems been like?   Where
> can I see some tests showing postfix or qmail are better?
>
> Regards,
>
> Antony,
>
> --
> These clients are often infected by viruses or other malware and need to be
> fixed.  If not, the user at that client needs to be fixed...
>
>  - Henrik Nordstrom, on Squid users' mailing list
>
>  Please reply to the list;
>    please don't CC me.
>
>
>
>





Re: [Clamav-users] sendmail devel?

2004-03-05 Thread Antony Stone
On Friday 05 March 2004 7:54 pm, Jim Maul wrote:

> >  On the other hand, remove sendmail and install Postfix instead.
>
> Or qmail.  Both are more secure than sendmail.

Is this still true?   I know sendmail had a bad history of security problems 
in its early days (but then again it has been around for a very long time).

What has sendmail's *recent* history of security problems been like?   Where 
can I see some tests showing postfix or qmail are better?

Regards,

Antony,

-- 
These clients are often infected by viruses or other malware and need to be 
fixed.  If not, the user at that client needs to be fixed...

 - Henrik Nordstrom, on Squid users' mailing list

 Please reply to the list;
   please don't CC me.





[Clamav-users] ScanMail destabilizing clamd?

2004-03-05 Thread Everton da Silva Marques
Hi,

I'm testing clamd from CVS as of 2004-03-04
under Solaris 7 on Sparc with the following
basic config:

# clamav.conf
LogFile /var/adm/clamav/clamd.log
LogFileMaxSize 10M
LogTime
PidFile /var/adm/clamav/clamd.pid
TCPSocket 3310
TCPAddr 127.0.0.1
StreamSaveToDisk
StreamMaxLength 30M
MaxThreads 10
MaxDirectoryRecursion 15
User clamav
AllowSupplementaryGroups
ScanOLE2
#ScanMail
ScanArchive
ArchiveMaxFileSize 30M
ArchiveMaxRecursion 5
ArchiveMaxFiles 1000
ArchiveMaxCompressionRatio 200
ArchiveDetectEncrypted

clamd seems pretty stable, unless the
ScanMail option is enabled. If I
turn ScanMail on, clamd eventually
goes wild and consumes huge amounts of
CPU cycles indefinitely. My current fix
is to restart clamd.

Is ScanMail known to be unstable?

I'm searching for similar experiences.
Please share your thoughts.

Thanks,
Everton




RE: [Clamav-users] sendmail devel?

2004-03-05 Thread Jim Maul


> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of John
> Vestrum
> Sent: Friday, March 05, 2004 2:05 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] sendmail devel?
>



>  On the other hand, remove sendmail and install Postfix instead.
> Forget rpm, compile from source. Amavisd-new is a nice package to
> tie Postfix
> to ClamAV. 
>
> John

Or qmail.  Both are more secure than sendmail.

just my 0.218698 pesos

Jim





Re: [Clamav-users] Inline scanning on firewall ?

2004-03-05 Thread Fajar A. Nugraha
Tomasz Papszun wrote:

> On Fri, 05 Mar 2004 at  9:26:31 -0800, Kevin BRown wrote:
>
>> just want to set clam to scan for
>> clients who use the gateway to access mail servers on pop or smtp
>> kevin

If by "gateway" you mean clients setting their gateway IP address to
your server/firewall, then
the answer is no. There is no module that integrates clamav
transparently with any type of firewall yet.

> at  http://www.clamav.net/3rdparty.html
> there are mentioned some "proxy" pieces of software for SMTP and POP.

One of them is amavisd-new. But that would require users setting their
SMTP address to your server
instead of the real SMTP server, and changing DNS MX records for your
domain. None of them
will work transparently with firewall.

Regards,

Fajar





Re: [Clamav-users] Occasionally missing viruses

2004-03-05 Thread Tomasz Papszun
On Fri, 05 Mar 2004 at 10:57:12 -0800, Dominic Mazzoni wrote:
> I'm also having the problem that Ron Snyder reported yesterday,

Ron's problem regarded milter if I saw correctly, so it may be something
different. Anyway...

> where clamscan will mark a file as OK, but if I extract the
> attachment (just by base64-decoding it, NOT by unzipping it too),
> then clamscan properly recognizes the virus (in this case, SCO.A).
> 
> Actually clamscan seems to be having this problem with every
> single SCO.A virus I get, though I'm not sure it's limited to
> just this one.
> 
> I saved the email (directly out of my Imap Maildir) as "email",
> and the zip attachment (containing SCO.A) as "document.zip".
> Here's what I get with clamscan (version 0.67, after running
> freshclam):
> 
> > clamscan email
> email: OK

One _must_ use option --mbox (-m) with clamscan to scan mail files!

> Any suggestions?  Note that clamscan is successfully finding other
> viruses in my inbox, but it's missing all of the SCO ones, as

This is a little strange (I mean: that it finds other viruses without
--mbox) but some viruses are detectable even without enabling --mbox, so
it's possible.

> far as I can tell.  I have over 200 of them saved in a separate
> directory and clamscan misses all of those.

Just use --mbox and tell us what happens.

-- 
 Tomasz Papszun   SysAdm @ TP S.A. Lodz, Poland  | And it's only
 [EMAIL PROTECTED]   http://www.lodz.tpsa.pl/   | ones and zeros.
 [EMAIL PROTECTED]   http://www.ClamAV.net/   A GPL virus scanner




Re: [Clamav-users] Occasionally missing viruses

2004-03-05 Thread Ryan Moore


Dominic Mazzoni wrote:
> I'm also having the problem that Ron Snyder reported yesterday,
> where clamscan will mark a file as OK, but if I extract the
> attachment (just by base64-decoding it, NOT by unzipping it too),
> then clamscan properly recognizes the virus (in this case, SCO.A).
>
> Actually clamscan seems to be having this problem with every
> single SCO.A virus I get, though I'm not sure it's limited to
> just this one.
>
> I saved the email (directly out of my Imap Maildir) as "email",
> and the zip attachment (containing SCO.A) as "document.zip".
> Here's what I get with clamscan (version 0.67, after running
> freshclam):
>
> > clamscan email
> email: OK
>
> --- SCAN SUMMARY ---
> Known viruses: 20381
> Scanned directories: 0
> Scanned files: 1
> Infected files: 0
> Data scanned: 0.03 MB
> I/O buffer size: 131072 bytes
> Time: 0.833 sec (0 m 0 s)
>
> > clamscan document.zip
> document.zip: Worm.SCO.A FOUND
>
> --- SCAN SUMMARY ---
> Known viruses: 20381
> Scanned directories: 0
> Scanned files: 1
> Infected files: 1
> Data scanned: 0.02 MB
> I/O buffer size: 131072 bytes
> Time: 0.787 sec (0 m 0 s)
>
> Any suggestions?  Note that clamscan is successfully finding other
> viruses in my inbox, but it's missing all of the SCO ones, as
> far as I can tell.  I have over 200 of them saved in a separate
> directory and clamscan misses all of those.
>
> Thanks,
> Dominic



Try running 'clamscan --mbox email'

Ryan Moore
--
Perigee.net Corporation
704-849-8355 (sales)
704-849-8017 (tech)
www.perigee.net
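
The difference reported in this thread, as an added example (not part of the original messages and not ClamAV code): a byte signature that matches the decoded attachment cannot match the same attachment while it is still base64-encoded inside the saved message, so the message has to be parsed as mail before matching. The marker string, addresses and function names are constructed for the illustration.

```python
import base64
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed, harmless stand-in for a scanner byte signature.
MARKER = b"HARMLESS-TEST-MARKER-0001"


def build_sample_message() -> bytes:
    """Constructed message whose attachment contains MARKER (base64 on the wire)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "rcpt@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attachment.")
    payload = b"PK-constructed-attachment " + MARKER + b" trailing bytes"
    # Binary attachments get Content-Transfer-Encoding: base64 by default.
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename="document.zip")
    return msg.as_bytes()


def scan_raw(data: bytes, signature: bytes) -> bool:
    """Match the signature against the file exactly as stored on disk."""
    return signature in data


def scan_raw_base64(data: bytes, signature: bytes) -> bool:
    """Naive workaround: look for base64(signature) in the raw file.

    Unreliable: the encoding of the signature depends on its offset modulo 3
    inside the attachment, and the encoded text is wrapped across lines.
    """
    return base64.b64encode(signature) in data


def iter_leaf_parts(part, max_depth, depth=0):
    """Yield non-multipart MIME parts, refusing to recurse without bound."""
    if depth > max_depth:
        raise ValueError("MIME nesting deeper than max_depth")
    if part.is_multipart():
        for sub in part.iter_parts():
            yield from iter_leaf_parts(sub, max_depth, depth + 1)
    else:
        yield part


def scan_decoded(data: bytes, signature: bytes, max_depth: int = 8):
    """Parse the message, undo each part's transfer encoding, then match.

    Returns a list of (filename, content_type) for every part that matches.
    """
    msg = message_from_bytes(data, policy=policy.default)
    hits = []
    for part in iter_leaf_parts(msg, max_depth):
        payload = part.get_payload(decode=True) or b""
        if signature in payload:
            hits.append((part.get_filename() or "<body>",
                         part.get_content_type()))
    return hits


if __name__ == "__main__":
    sample = build_sample_message()
    print("raw file match:      ", scan_raw(sample, MARKER))
    print("raw base64 guess:    ", scan_raw_base64(sample, MARKER))
    print("decoded MIME matches:", scan_decoded(sample, MARKER))
```
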




Re: [Clamav-users] sendmail devel?

2004-03-05 Thread John Vestrum
If you are on an rpm based system (Mandrake, Fedora, etc), use:
# rpm -qa | grep -i sendmail
and look for a sendmail-devel package. If it's not there, you need to find 
one that matches your version of sendmail. If sendmail came with your linux 
distribution (assuming you are using linux) then look for the sendmail-devel 
rpm in the same place you got the distro from (your install CDs, ftp server, 
etc). BTW, *-devel rpms only contain the "extra stuff" you need for 
compiling, so don't remove sendmail when you install sendmail-devel.

 On the other hand, remove sendmail and install Postfix instead. 
Forget rpm, compile from source. Amavisd-new is a nice package to tie Postfix 
to ClamAV. 

John

On Friday 05 March 2004 12:20 pm, you wrote:
> How do I tell if I have sendmail-devel installed.  the clamav milter tells
> me to ensure that it is there. I know I am using sendmail 8.12.5 but how do
> I know if its devel? which sendmail and which sendmail-devel show nothing.
>
>
> Eric




[Clamav-users] Occasionally missing viruses

2004-03-05 Thread Dominic Mazzoni
I'm also having the problem that Ron Snyder reported yesterday,
where clamscan will mark a file as OK, but if I extract the
attachment (just by base64-decoding it, NOT by unzipping it too),
then clamscan properly recognizes the virus (in this case, SCO.A).
Actually clamscan seems to be having this problem with every
single SCO.A virus I get, though I'm not sure it's limited to
just this one.
I saved the email (directly out of my Imap Maildir) as "email",
and the zip attachment (containing SCO.A) as "document.zip".
Here's what I get with clamscan (version 0.67, after running
freshclam):
> clamscan email
email: OK
--- SCAN SUMMARY ---
Known viruses: 20381
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.03 MB
I/O buffer size: 131072 bytes
Time: 0.833 sec (0 m 0 s)
> clamscan document.zip
document.zip: Worm.SCO.A FOUND
--- SCAN SUMMARY ---
Known viruses: 20381
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.02 MB
I/O buffer size: 131072 bytes
Time: 0.787 sec (0 m 0 s)
Any suggestions?  Note that clamscan is successfully finding other
viruses in my inbox, but it's missing all of the SCO ones, as
far as I can tell.  I have over 200 of them saved in a separate
directory and clamscan misses all of those.
Thanks,
Dominic






Re: [Clamav-users] Inline scanning on firewall ?

2004-03-05 Thread Tomasz Papszun
On Fri, 05 Mar 2004 at  9:26:31 -0800, Kevin BRown wrote:
> Can I set clam to scan incoming mail messages?
> I use a clarkconnect 2.1 (redhat9) based firewall /gateway for a dsl modem.
> It is not a mail server, just want to set clam to scan for
> clients who use the gateway to access mail servers on pop or smtp
> kevin

I haven't checked exactly but at  http://www.clamav.net/3rdparty.html
there are mentioned some "proxy" pieces of software for SMTP and POP.

-- 
 Tomasz Papszun   SysAdm @ TP S.A. Lodz, Poland  | And it's only
 [EMAIL PROTECTED]   http://www.lodz.tpsa.pl/   | ones and zeros.
 [EMAIL PROTECTED]   http://www.ClamAV.net/   A GPL virus scanner




[Clamav-users] sendmail devel?

2004-03-05 Thread Eric
How do I tell if I have sendmail-devel installed.  the clamav milter tells
me to ensure that it is there. I know I am using sendmail 8.12.5 but how do
I know if its devel? which sendmail and which sendmail-devel show nothing.


Eric





[Clamav-users] "Too many open files" Error :-(

2004-03-05 Thread Sergey
Hello.

I run Clam AV on RedHat 6.2.
After running for some time (about one hour), clamav-milter stops scanning with this error:

2004-03-05 17:50:51 clamav-milter[24815]: clamfi_envfrom: 
2004-03-05 17:50:51 clamav-milter[24812]: clamfi_envfrom: 
2004-03-05 17:50:52 clamav-milter[24825]: clamfi_envfrom: 
2004-03-05 17:50:53 clamav-milter[24808]: clamfi_envfrom: 
2004-03-05 17:50:54 clamav-milter[24845]: clamfi_envfrom: 
2004-03-05 17:50:54 clamav-milter[24832]: clamfi_envfrom: 
2004-03-05 17:50:54 clamav-milter[24822]: clamfi_envfrom: 
2004-03-05 17:50:54 clamav-milter[24851]: clamfi_envfrom: 
2004-03-05 17:50:55 clamav-milter[24856]: clamfi_envfrom: 
2004-03-05 17:50:55 clamav-milter[23628]: ClamAv: accept() returned invalid socket 
(Too many open files), try again
2004-03-05 17:50:55 clamav-milter[24854]: clamfi_envfrom: 
2004-03-05 17:50:56 clamav-milter[23628]: ClamAv: accept() returned invalid socket 
(Too many open files), try again
2004-03-05 17:50:57 clamav-milter[24856]: clamfi_close
2004-03-05 17:50:58 clamav-milter[23628]: ClamAv: accept() returned invalid socket 
(Too many open files), try again
2004-03-05 17:50:58 clamav-milter[24883]: clamfi_envfrom: 
2004-03-05 17:50:58 clamav-milter[24854]: clamfi_close
2004-03-05 17:50:58 clamav-milter[24883]: clamfi_close
2004-03-05 17:50:59 clamav-milter[23628]: ClamAv: accept() returned invalid socket 
(Too many open files), try again
2004-03-05 17:50:59 clamav-milter[6728]: clamfi_close
2004-03-05 17:50:59 clamav-milter[24908]: clamfi_envfrom: 
2004-03-05 17:50:59 clamav-milter[24906]: clamfi_envfrom: 
2004-03-05 17:50:59 clamav-milter[24903]: clamfi_envfrom: 
2004-03-05 17:50:59 clamav-milter[24903]: clamfi_close
2004-03-05 17:51:00 clamav-milter[23628]: ClamAv: accept() returned invalid socket 
(Too many open files), try again
2004-03-05 17:51:00 clamav-milter[24934]: clamfi_envfrom: 
2004-03-05 17:51:00 clamav-milter[24906]: clamfi_close
2004-03-05 17:51:01 clamav-milter[24904]: clamfi_envfrom: 
2004-03-05 17:51:01 clamav-milter[23628]: ClamAv: accept() returned invalid socket 
(Too many open files), try again

The linux kernel (2.2.26) is manually configured:
--limits.h--
#ifndef _LINUX_LIMITS_H
#define _LINUX_LIMITS_H

#define NR_OPEN 4096

#define NGROUPS_MAX       32	/* supplemental group IDs are available */
#define ARG_MAX       131072	/* # bytes of args + environ for exec() */
#define CHILD_MAX        999	/* no limit :-) */
#define OPEN_MAX        2048	/* # open files a process may have */
#define LINK_MAX         127	/* # links a file may have */
#define MAX_CANON        255	/* size of the canonical input queue */
#define MAX_INPUT        255	/* size of the type-ahead buffer */
#define NAME_MAX         255	/* # chars in a file name */
#define PATH_MAX        4095	/* # chars in a path name */
#define PIPE_BUF        4096	/* # bytes in atomic write to a pipe */

#define RTSIG_MAX 32

#endif
-

To restore operation I need to restart clamd and clamav-milter...
Have you any idea ?

-- 
Regards,
Sergey





[Clamav-users] Re: [Clamav-virusdb] Update (daily: 165)

2004-03-05 Thread Derrick 'dman' Hudson
On Fri, Mar 05, 2004 at 08:38:48AM +, Trog wrote:
| On Fri, 2004-03-05 at 08:15, Virgo Pärna wrote:
| > On Fri, 5 Mar 2004 01:55:17 +0100, Tomasz Papszun wrote:
| > > On Thu, 04 Mar 2004 at 19:14:32 -0500, Tim B wrote:
| > >> 
| > >> Does this mean that 0.67 will now detect the the encrypted versions 
| > >> regardless of password?  
| > > 
| > > Yes.
| > 
| >  But it's still usable only with full message scan?
| 
| No, it'll match with just the encrypted zip file.

Nice.  It actually works, too.  (a coworker had a copy he received, so
I tested it with that)

-D

-- 
"He is no fool who gives up what he cannot keep to gain what he cannot lose."
--Jim Elliot
 
www: http://dman13.dyndns.org/~dman/    jabber: [EMAIL PROTECTED]




[Clamav-users] Inline scanning on firewall ?

2004-03-05 Thread Kevin BRown
Can I set clam to scan incoming mail messages?
I use a clarkconnect 2.1 (redhat9) based firewall /gateway for a dsl modem.
It is not a mail server, just want to set clam to scan for
clients who use the gateway to access mail servers on pop or smtp
kevin




Re: [Clamav-users] Trouble Installing ClamAV

2004-03-05 Thread Krištof Petr
Henry Hartley wrote:

> I'm trying to install ClamAV on my Fedora Core 1 server.  I used yum to
> install from the FC repository.  It installed version 0.65.  I noticed that
> on the clamav site that the current release is 0.67 and I found reference to
> Petr Kristof's repository (crash.fce.vutbr.cz) and I added that to my
> yum.conf.
>
> When I try to upgrade (yum upgrade clamav) I am get the following three
> errors:
>
> Errors reported doing trial run
> file /usr/lib/libclamav.so.1.0.3 from install of clamav-0.67-1 conflicts
> with file from package clamav-lib-0.65-0.fdr.5.1
> file /var/lib/clamav/daily.cvd from install of clamav-0.67-1 conflicts with
> file from package clamav-data-0.65-0.fdr.5.1
> file /var/lib/clamav/main.cvd from install of clamav-0.67-1 conflicts with
> file from package clamav-data-0.65-0.fdr.5.1
 

Hello Henry,

it seems you have installed clamav made by a different packager, who
split clamav into several subpackages.

Run 'rpm -qa | grep clam' to see the list of all clamav packages.
Uninstall each of them manually with 'rpm -e package_name'.
Now you can install it from scratch with 'yum update clamav'.

Hope it helps

Petr





[Clamav-users] Core dump backtrace for crash

2004-03-05 Thread Robert Schmidt
We've been having some trouble with 0.67 crashing. I believe it has to
do with a mail loop created between hotmail and a forwarded local user
account.

Right before the crash all memory will be used. Before we started using
ulimits we would get:

Mar  4 14:34:33 minos kernel: Out of Memory: Killed process 21902
(clamd).

We have 1Gb RAM and another Gb of swap so it is pretty hungry.

Every file in the directory listed has the exact same message (there are
16 of them):

Final-Recipient: rfc822;@hotmail.com
Action: failed
Status: 5.2.3
Diagnostic-Code: smtp;552 5.2.3 This message is larger than the current
system limit or the recipient's mailbox is full. Create a shorter
message body or remove attachments and try sending it again.


I'm running the crashhat rpms (recompiled locally) with clamav-milter
and ulimits on the clamav user to prevent it from eating all the RAM
(this happens a lot, I believe related to this crash).

clamav-milter --version:
ClamAV version 0.67, clamav-milter version 0.66n

[EMAIL PROTECTED] profile.d]# su - clamav -s /bin/bash -c "ulimit -a"
core file size(blocks, -c) unlimited
data seg size (kbytes, -d) 20
file size (blocks, -f) unlimited
max locked memory (kbytes, -l) unlimited
max memory size   (kbytes, -m) 20
open files(-n) 5000
pipe size  (512 bytes, -p) 8
stack size(kbytes, -s) 10240
cpu time (seconds, -t) unlimited
max user processes(-u) 7168
virtual memory(kbytes, -v) 20


For those interested in ulimits: We had to make a small modification to
the init script to make it use ulimits. 

change:
daemon /usr/sbin/clamd

to:
daemon --user clamav /usr/sbin/clamd

-- 
Robert Schmidt -- UNIX Tech Support
[EMAIL PROTECTED]
MC1021 519-888-4567 x6453

(gdb) bt
#0  0x008b8c32 in _dl_sysinfo_int80 () from /lib/ld-linux.so.2
#1  0x008f7989 in raise () from /lib/tls/libc.so.6
#2  0x008f9342 in abort () from /lib/tls/libc.so.6
#3  0x008f1338 in __assert_fail () from /lib/tls/libc.so.6
#4  0x003bffc8 in messageToText (m=0xaee63b60) at message.c:1070
#5  0x003bc447 in parseEmailHeaders (m=0x6, rfc821Table=0x97538a8) at mbox.c:403
#6  0x003bd4e0 in parseEmailBody (messageIn=0xaea5a1b8, blobsIn=0x0, nBlobs=0, 
textIn=0x0, dir=0x8d313d0 "/tmp/68c22c5cdec7b0e8",
rfc821Table=0x97538a8, subtypeTable=0x9753928) at mbox.c:958
#7  0x003bd525 in parseEmailBody (messageIn=0xafcc6388, blobsIn=0x0, nBlobs=0, 
textIn=0x0, dir=0x8d313d0 "/tmp/68c22c5cdec7b0e8",
rfc821Table=0x97538a8, subtypeTable=0x9753928) at mbox.c:960
#8  0x003bd525 in parseEmailBody (messageIn=0xb0c2d490, blobsIn=0x0, nBlobs=0, 
textIn=0x0, dir=0x8d313d0 "/tmp/68c22c5cdec7b0e8",
rfc821Table=0x97538a8, subtypeTable=0x9753928) at mbox.c:960
#9  0x003bd525 in parseEmailBody (messageIn=0xb1e8f2d8, blobsIn=0x0, nBlobs=0, 
textIn=0x0, dir=0x8d313d0 "/tmp/68c22c5cdec7b0e8",
rfc821Table=0x97538a8, subtypeTable=0x9753928) at mbox.c:960
#10 0x003bd525 in parseEmailBody (messageIn=0xb30ed508, blobsIn=0x0, nBlobs=0, 
textIn=0x0, dir=0x8d313d0 "/tmp/68c22c5cdec7b0e8",
rfc821Table=0x97538a8, subtypeTable=0x9753928) at mbox.c:960
#11 0x003bd525 in parseEmailBody (messageIn=0xb4047d48, blobsIn=0x0, nBlobs=0, 
textIn=0x0, dir=0x8d313d0 "/tmp/68c22c5cdec7b0e8",
rfc821Table=0x97538a8, subtypeTable=0x9753928) at mbox.c:960
#12 0x003bd525 in parseEmailBody (messageIn=0xb529dc78, blobsIn=0x0, nBlobs=0, 
textIn=0x0, dir=0x8d313d0 "/tmp/68c22c5cdec7b0e8",
rfc821Table=0x97538a8, subtypeTable=0x9753928) at mbox.c:960
#13 0x003bd525 in parseEmailBody (messageIn=0xb64f0dd8, blobsIn=0x0, nBlobs=0, 
textIn=0x0, dir=0x8d313d0 "/tmp/68c22c5cdec7b0e8",
rfc821Table=0x97538a8, subtypeTable=0x9753928) at mbox.c:960
#14 0x003bd525 in parseEmailBody (messageIn=0xb743f440, blobsIn=0x0, nBlobs=0, 
textIn=0x0, dir=0x8d313d0 "/tmp/68c22c5cdec7b0e8",
rfc821Table=0x97538a8, subtypeTable=0x9753928) at mbox.c:960
#15 0x003bd525 in parseEmailBody (messageIn=0xb868cc60, blobsIn=0x0, nBlobs=0, 
textIn=0x0, dir=0x8d313d0 "/tmp/68c22c5cdec7b0e8",
rfc821Table=0x97538a8, subtypeTable=0x9753928) at mbox.c:960
#16 0x003bd525 in parseEmailBody (messageIn=0xb98d5890, blobsIn=0x0, nBlobs=0, 
textIn=0x0, dir=0x8d313d0 "/tmp/68c22c5cdec7b0e8",
rfc821Table=0x97538a8, subtypeTable=0x9753928) at mbox.c:960
#17 0x003bd525 in parseEmailBody (messageIn=0xba819538, blobsIn=0x0, nBlobs=0, 
textIn=0x0, dir=0x8d313d0 "/tmp/68c22c5cdec7b0e8",
rfc821Table=0x97538a8, subtypeTable=0x9753928) at mbox.c:960
#18 0x003bd525 in parseEmailBody (messageIn=0xbdcaefa0, blobsIn=0x0, nBlobs=0, 
textIn=0x0, dir=0x8d313d0 "/tmp/68c22c5cdec7b0e8",
rfc821Table=0x97538a8, subtypeTable=0x9753928) at mbox.c:960
#19 0x003bd525 in parseEmailBody (messageIn=0xa46ba28, blobsIn=0x0, nBlobs=0, 
textIn=0x0, dir=0x8d313d0 "/tmp/68c22c5cdec7b0e8",
rfc821Table=0x97538a8, subtypeTable=0x9753928) at mbox.c:960
#20 0x003bd525 in parseEmailBody (messageIn=0xa019df8, bl

[Clamav-users] Trouble Installing ClamAV

2004-03-05 Thread Henry Hartley

I'm trying to install ClamAV on my Fedora Core 1 server.  I used yum to
install from the FC repository.  It installed version 0.65.  I noticed that
on the clamav site that the current release is 0.67 and I found reference to
Petr Kristof's repository (crash.fce.vutbr.cz) and I added that to my
yum.conf.

When I try to upgrade (yum upgrade clamav) I am get the following three
errors:

Errors reported doing trial run
file /usr/lib/libclamav.so.1.0.3 from install of clamav-0.67-1 conflicts
with file from package clamav-lib-0.65-0.fdr.5.1
file /var/lib/clamav/daily.cvd from install of clamav-0.67-1 conflicts with
file from package clamav-data-0.65-0.fdr.5.1
file /var/lib/clamav/main.cvd from install of clamav-0.67-1 conflicts with
file from package clamav-data-0.65-0.fdr.5.1

I uninstalled clamav (yum remove clamav) and made sure all these files were
gone but still got the errors.  I ran yum clean and deleted the clamav
headers from the cache, I deleted and rebuilt my rpm database and I still
these errors.

Am I just being stupid or what?

-- 
Henry




Re: [Clamav-users] Clam milter attachment scan problem

2004-03-05 Thread Michael Eglit




probably yes... but after restarting now it's working good
waiting for new "trouble"

Tomasz Kojm wrote:

> On Fri, 05 Mar 2004 13:14:12 +0200
> Michael Eglit <[EMAIL PROTECTED]> wrote:
>
> > There is problem with scanning attachment with milter
> >
> > all message with attachment for clam are infected:
> >
> > contained a virus and has not been delivered.
> > 	stream: (null) FOUND
> >
> > mails without attachments are ok ... :(
>
> There must be some problem with clamd. Is the problem reproducible ?

-- 
Best regards,
 Michael Eglit
 C.T.Co, Riga, Latvia
 cell  +371 9109400    mailto:[EMAIL PROTECTED]
 work  +371 7801942





[Clamav-users] Re: ArchiveDetectEncrypted and --detect-encrypted

2004-03-05 Thread Franck
Trog wrote:

> The message you just sent me got stopped:
> VIRUS ALERT: Worm.Bagle.Gen-zippwd

Right.  I'll be upgrading then :o)
Thanks for your time.
--
Regards
/Franck




Re: [Clamav-users] clamd/freshclam logging

2004-03-05 Thread Tomasz Kojm
On Fri, 05 Mar 2004 09:34:55 +0100
Frank Elsner <[EMAIL PROTECTED]> wrote:

> ACK. So I repeat my request for syslog logging support for freshclam.

OK, request accepted :-)

-- 
   oo. Tomasz Kojm <[EMAIL PROTECTED]>
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Fri Mar  5 13:19:44 CET 2004




Re: [Clamav-users] Clam milter attachment scan problem

2004-03-05 Thread Tomasz Kojm
On Fri, 05 Mar 2004 13:14:12 +0200
Michael Eglit <[EMAIL PROTECTED]> wrote:

> There is problem with scanning attachment with milter
> 
> all message with attachment for clam are infected:
> 
> contained a virus and has not been delivered.
>   stream: (null) FOUND
> 
> mails without attachments are ok ... :(

There must be some problem with clamd. Is the problem reproducible ?

-- 
   oo. Tomasz Kojm <[EMAIL PROTECTED]>
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Fri Mar  5 13:18:01 CET 2004




Re: [Clamav-users] Clam milter attachment scan problem

2004-03-05 Thread Michael Eglit




There was a problem with latest version - memory allocation problem ...

and I install latest version from FreeBSD ports

Nigel Horne wrote:

> On Friday 05 Mar 2004 11:14 am, Michael Eglit wrote:
>
> > There is problem with scanning attachment with milter
>
> > ClamAV version 0.65', clamav-milter version '0.60p under FreeBSD 4.9-STABLE
>
> 0.60p is old, what happens when you try an up to date version of the software?
>
> -Nigel

-- 
Best regards,
 Michael Eglit
 C.T.Co, Riga, Latvia
 cell  +371 9109400    mailto:[EMAIL PROTECTED]
 work  +371 7801942





Re: [Clamav-users] Clam milter attachment scan problem

2004-03-05 Thread Nigel Horne
On Friday 05 Mar 2004 11:14 am, Michael Eglit wrote:
> There is problem with scanning attachment with milter

> ClamAV version 0.65', clamav-milter version '0.60p under FreeBSD 4.9-STABLE

0.60p is old, what happens when you try an up to date version of the software?

-Nigel

-- 
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK.  ICQ#20252325
[EMAIL PROTECTED] http://www.bandsman.co.uk





[Clamav-users] GMP installation problem in OS X Server 10.2.8

2004-03-05 Thread Hans Vallden
I tried to follow the instructions at
http://www.mail-archive.com/clamav-users%40lists.sourceforge.net/msg04589.html
to install ClamAV.

When trying to 'make' GMP, I get the following error.

libtool: unrecognized option `--tag=CC'

and GMP fails to install. I have a feeling this problem is caused by an  
outdated version of glibtool (1.4.2) in OS X Server 10.2.8. If so, how  
do I get glibtool 1.5 to install properly under OS X Server 10.2.8?

--
Hans Vallden
Strategiasuunnittelija
Suunnittelutoimisto Kirnauskis Oy
http://www.kirnauskis.fi/
puh. +358 50 517 4318




[Clamav-users] Clam milter attachment scan problem

2004-03-05 Thread Michael Eglit
There is problem with scanning attachment with milter

all message with attachment for clam are infected:

contained a virus and has not been delivered.
stream: (null) FOUND
mails without attachments are ok ... :(

ClamAV version 0.65', clamav-milter version '0.60p under FreeBSD 4.9-STABLE

--
Best regards,
Michael Eglit
C.T.Co, Riga, Latvia
cell  +371 9109400    mailto:[EMAIL PROTECTED]
work  +371 7801942




Re: [Clamav-users] Error with clamav-milter

2004-03-05 Thread Japhet Samson
> Hi there,
>
> I'm trying to get the clamav-milter to work with sendmail.  I've made all
> the required changes to the sendmail.cf file, but when I try to restart
> sendmail, I get the error:
> "sendmail: WARNING: Xclmilter'': local socket name
> /var/clamav/clmilter.sock' missing".
>
> I've verified, and the clmilter.sock file is indeed in the
> /var/clamav/clmilter.sock directory (srwxr-xr-x1 root root
> 0 Mar  3 16:51 clmilter.sock).
>
> Here is some info about the system:
> Redhat 8.0
> Kernel 2.4.18
> Sendmail 8.12.5-7 (though when connecting via telnet, the version is
> 8.12.8/8.12.5)
> ClamAV version 0.67-1
>
> I've compiled ClamAV with the --enable-milter option, and it works fine.
> clamd starts up fine as well, and all tests seem to go through.  One thing I
> noticed is that when I execute "/usr/sbin/clamav-milter -blo
> /var/clamav/clmilter.sock", I get a warning: "/usr/sbin/clamav-milter:
> running as root is not recommended".  However, I can see via "ps" that it is
> running.
>
> Is there something I missed?  Any help is appreciated.
>
> Thanks,
>
> James Barber
> [EMAIL PROTECTED]
>

give the clamav user the ownership;
chown clamav:clamav /var/clamav/clmilter.sock




Re: [Clamav-users] Problems with clamd

2004-03-05 Thread Trog
On Fri, 2004-03-05 at 01:15, Doug Hardie wrote:

> >
> > I just uncommented the thread timeout the last time I restarted clamd 
> > a couple minutes ago so I don't know what effect that will have.

ThreadTimeout isn't used in the current CVS version.

> Here is some more information:  After running with the timeout set to 
> 500, clamd no longer dies.  It chugs along for quite awhile (about 10 
> minutes) at full cpu usage and then returns to normal use.  I don't see 
> anything different in the load between the periods.  However a ktrace 
> of clamd shows a significant difference.  Normally clamd shows nothing 
> much when idle and it shows the messages being received (read) when 
> processing a message.  However, when its running at full cpu 
> utilization, ktrace shows thousands of sequences like:
> 
>8313 clamdPSIG  SIGPROF caught handler=0x28116228 mask=0x0 
> code=0x0
>8313 clamdCALL  gettimeofday(0x2815fe4c,0)
>8313 clamdRET   gettimeofday 0
>8313 clamdCALL  sigprocmask(0x3,0x2815fed8,0)
>8313 clamdRET   sigprocmask 0
>8313 clamdCALL  sigaltstack(0x2817c000,0)
>8313 clamdRET   sigaltstack 0
>8313 clamdCALL  poll(0x806f000,0x1,0)
>8313 clamdRET   poll 0
>8313 clamdCALL  sigreturn(0x808ac64)
>8313 clamdRET   sigreturn JUSTRETURN
> 
> and then there will be one message processed and then back to a few 
> more thousand of those sequences.

This looks entirely broken. Your trace indicates that the last argument
to poll (the timeout) is zero. The code looked like this

count = poll(poll_data, 1, CL_DEFAULT_SCANTIMEOUT*1000);

i.e. the timeout *can't* be zero unless you changed the value of
CL_DEFAULT_SCANTIMEOUT or your system is fundamentally broken.

unless your system is using poll to spin somewhere.

-trog





Re: [Clamav-users] Re: ArchiveDetectEncrypted and --detect-encrypted

2004-03-05 Thread Trog
On Fri, 2004-03-05 at 09:34, Franck wrote:

> Does this mean you want submissions of encrypted zip archives if they
> aren't getting caught?
> 'Cause I'm getting hit by what Symantec identifies as Bagle.J in
> encrypted archives that have slipped by Clam even with the newest
> updates.

The message you just sent me got stopped:

VIRUS ALERT: Worm.Bagle.Gen-zippwd

-trog





Re: [Clamav-users] Re: ArchiveDetectEncrypted and --detect-encrypted

2004-03-05 Thread Trog
On Fri, 2004-03-05 at 09:34, Franck wrote:
> Tomasz Kojm wrote:
> 
> > Submission: n/a
> > Sender: Diego d'Ambra
> > Virus name: Worm.Bagle.Gen-zippwd
> > Notes: Generic signature to detect password-protected Bagle zip files
> > The signature matches encrypted zip files.
> 
> Does this mean you want submissions of encrypted zip archives if they
> aren't getting caught?
> 'Cause I'm getting hit by what Symantec identifies as Bagle.J in
> encrypted archives that have slipped by Clam even with the newest
> updates.
> 

Yes, you can send those to me if you still have them. Preferably as
complete email messages.

Cheers,
-trog





[Clamav-users] Re: ArchiveDetectEncrypted and --detect-encrypted

2004-03-05 Thread Franck
Tomasz Kojm wrote:

> Submission: n/a
> Sender: Diego d'Ambra
> Virus name: Worm.Bagle.Gen-zippwd
> Notes: Generic signature to detect password-protected Bagle zip files
> The signature matches encrypted zip files.

Does this mean you want submissions of encrypted zip archives if they
aren't getting caught?
'Cause I'm getting hit by what Symantec identifies as Bagle.J in
encrypted archives that have slipped by Clam even with the newest
updates.

- Other than that:  Just thanks for keeping our company mail server
safe!  :o)
--
Regards
/Franck




[Clamav-users] Re: [Clamav-virusdb] Update (daily: 165)

2004-03-05 Thread Virgo Pärna
On Fri, 05 Mar 2004 08:38:48 +, Trog <[EMAIL PROTECTED]> wrote:
> 
> No, it'll match with just the encrypted zip file.
> 

 Right, disable-archive seems to do the magic...:)

-- 
Virgo Pärna 
[EMAIL PROTECTED]





Re: [Clamav-users] Re: [Clamav-virusdb] Update (daily: 165)

2004-03-05 Thread Trog
On Fri, 2004-03-05 at 08:15, Virgo Pärna wrote:
> On Fri, 5 Mar 2004 01:55:17 +0100, Tomasz Papszun wrote:
> > On Thu, 04 Mar 2004 at 19:14:32 -0500, Tim B wrote:
> >> 
> >> Does this mean that 0.67 will now detect the the encrypted versions 
> >> regardless of password?  
> > 
> > Yes.
> > 
> 
>  But it's still usable only with full message scan?

No, it'll match with just the encrypted zip file.

-trog





Re: [Clamav-users] clamd/freshclam logging

2004-03-05 Thread Frank Elsner
On Fri, 05 Mar 2004 08:40:25 +0100 Tomasz Kojm wrote:
> On Thu, 04 Mar 2004 22:00:14 +0100
> Frank Elsner <[EMAIL PROTECTED]> wrote:
> 
> > > > > Are you using the same log file for clamd and freshclam ?!
> > > > 
> > > > Yes. 
> > > 
> > > That's a very bad idea.
> > 
> > Tell me why. Clamd and freshclam belong together so the logging of
> > both
> >  should go to one file. 
> 
> Two separate processes shouldn't write to the one file without
> synchronization.

ACK. So I repeat my request for syslog logging support for freshclam.

--Frank Elsner






[Clamav-users] Re: [Clamav-virusdb] Update (daily: 165)

2004-03-05 Thread Virgo Pärna
On Fri, 5 Mar 2004 01:55:17 +0100, Tomasz Papszun wrote:
> On Thu, 04 Mar 2004 at 19:14:32 -0500, Tim B wrote:
>> 
>> Does this mean that 0.67 will now detect the encrypted versions 
>> regardless of password?  
> 
> Yes.
> 

 But it's still usable only with full message scan?

-- 
Virgo Pärna 
[EMAIL PROTECTED]





Re: [Clamav-users] clamd/freshclam logging

2004-03-05 Thread Tomasz Kojm
On Thu, 04 Mar 2004 22:00:14 +0100
Frank Elsner <[EMAIL PROTECTED]> wrote:

> > > > Are you using the same log file for clamd and freshclam ?!
> > > 
> > > Yes. 
> > 
> > That's a very bad idea.
> 
> Tell me why. Clamd and freshclam belong together so the logging of
> both
>  should go to one file. 

Two separate processes shouldn't write to the one file without
synchronization.

-- 
   oo. Tomasz Kojm <[EMAIL PROTECTED]>
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Fri Mar  5 08:39:13 CET 2004


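Added example, not part of the original message and not ClamAV's own code: why two processes appending to one log file need synchronization. Each writer emits a record as two write() calls; without flock() the pieces from the two writers can interleave into damaged lines. The tag strings, the /tmp path and the function names are assumptions made for the illustration.

```c
#define _DEFAULT_SOURCE 1 /* exposes flock() under strict -std= modes */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/file.h>
#include <sys/wait.h>
#include <unistd.h>
#define N_LINES 500 /* records written by each process */

/* One record = two write() calls, as a logger that formats in pieces does. */
static int log_line(int fd, const char *tag, int n, int use_lock) {
    char head[32], tail[32];
    snprintf(head, sizeof head, "%s: ", tag);
    snprintf(tail, sizeof tail, "message %d\n", n);
    if (use_lock && flock(fd, LOCK_EX) != 0) return -1;
    int ok = write(fd, head, strlen(head)) > 0 && write(fd, tail, strlen(tail)) > 0;
    if (use_lock) flock(fd, LOCK_UN);
    return ok ? 0 : -1;
}

/* A record is intact only if it reads exactly "<tag>: message <n>\n". */
static int well_formed(const char *line) {
    int n; char tag[16], end = 0;
    if (sscanf(line, "%15[a-z]: message %d%c", tag, &n, &end) != 3) return 0;
    return end == '\n' && (!strcmp(tag, "clamd") || !strcmp(tag, "freshclam"));
}

/* Two processes append to path; returns damaged-line count, -1 if a writer failed. */
int run_writers(const char *path, int use_lock) {
    const char *tags[2] = { "clamd", "freshclam" }; /* constructed stand-ins */
    char line[128];
    int bad = 0, total = 0;
    unlink(path);
    for (int w = 0; w < 2; w++) {
        if (fork() != 0) continue; /* child below opens the file itself, like a separate daemon */
        int fd = open(path, O_WRONLY | O_CREAT | O_APPEND, 0600), rc = fd < 0;
        for (int i = 0; !rc && i < N_LINES; i++) rc = log_line(fd, tags[w], i, use_lock);
        _exit(rc != 0);
    }
    while (wait(NULL) > 0) {}
    FILE *f = fopen(path, "r");
    for (; f && fgets(line, sizeof line, f); total++) bad += !well_formed(line);
    if (f) fclose(f);
    return total == 2 * N_LINES ? bad : -1; /* a short file means a writer failed */
}

int main(void) {
    printf("no lock: %d damaged\n", run_writers("/tmp/shared_log_demo.log", 0));
    printf("flock:   %d damaged\n", run_writers("/tmp/shared_log_demo.log", 1));
    return 0;
}
```

The unlocked count varies from run to run and can be zero on a lightly loaded host; the flock() run always reports zero because both writers take the same lock around the whole record.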


Re: [Clamav-users] Question about digital signatures on the databases

2004-03-05 Thread Tomasz Kojm
On Thu, 04 Mar 2004 16:53:01 -0700
Shawn Michael <[EMAIL PROTECTED]> wrote:

> I have looked far and wide for the answer to this (docs, comments in 
> source, and the list archives.) and so far I cannot find an answer. 
> The question is what kind of digital signature is used to verify the 

That's a 1024 bit RSA with MD5 as a hash.

-- 
   oo. Tomasz Kojm <[EMAIL PROTECTED]>
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Fri Mar  5 08:41:53 CET 2004




Re: [Clamav-users] apologies to DBLIST

2004-03-05 Thread Tomasz Kojm
On Thu, 04 Mar 2004 19:42:36 -0500
Tim B <[EMAIL PROTECTED]> wrote:

> My most humble apologies.  I accidentally sent a post I meant for 
> clamav-users to clamav-virusdb.

Don't worry - the virusdb@ list only accepts mails from the developers.

-- 
   oo. Tomasz Kojm <[EMAIL PROTECTED]>
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Fri Mar  5 08:27:21 CET 2004

