[Clamav-users] Some questions

2004-03-11 Thread Peter van der Does
Hi,

We're evaluating clamav to use with our mail server. So far I'm very
enthusiastic, especially because clamav detects the encrypted zip files and
the speed at which new signatures become available, but unfortunately I'm not
the only one who decides if we're going to use it. Anyway, we're running:
clamd / ClamAV version 0.67
freshclam / ClamAV version 0.67

We only have two small problems. We let freshclam check every hour for
updates and it gets them; the problems with it:

Q1.
We have had problems with the databasemirror set as
database.clamav.net. we got the errors:

From the log:
ERROR: Malformed CVD header detected.
ERROR: Can't read main.cvd header from database.clamav.net (ourproxy)
Trying again...

After setting it to a real mirror everything went fine. But we prefer
to use the database.clamav.net.


Q2.
I just read the UpdateDB mail:
Submission: 1890
Sender: Dirk Mueller
Submitted virus name: WM97/Outblack-A
Virus name: WM97.Outblack.A
Virus name alias: IRC-Worm.Blackput (kaspersky)
Note: Latest CVS version of ClamAV is required to detect 
Note: the macro viruses.
Added: Yes

Does this mean our version of clamav doesn't detect macro viruses at
all? If so what other forms of viruses doesn't it detect?

Thanks for making an awesome program and hopefully one day I can inform
you we're going to use it for real.


---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users


Re: [Clamav-users] Virus scanned by clamav.net but updated db missed it

2004-03-11 Thread Karis Matik
Fajar:

>PS : Has your problem been solved yet?

Unfortunately nope. The problem might be relevant to amavisd-new where it incorrectly 
passes the mail attachment to clamd.
Is there any way to view the content of the vcd file to see if the virus is within the 
definition?

I posted another thread in regards to amavis patch misses the bagle-F-zippwd. Although 
the patch is done, still I can't detect the zip protected virus.

Needs further investigation. Thanks for all your help.

--
Karis

-
This e-mail was sent using a CentralPets WebMail account
Get yours at: http://mail.centralpets.com







Re: [Clamav-users] Logfile

2004-03-11 Thread Odhiambo Washington
* Betsy Schwartz <[EMAIL PROTECTED]> [20040311 22:44]: wrote:
> At 12:41 PM 3/11/2004, John Jolet wrote:
> >why not just run logrotate and have done with it?
> 
> It would help if clamd took a "kill -HUP" and started a new logfile.
> 
I support the original poster. It would be a nice feature if it were
done inside clamav itself, as he argued.


cheers
   - wash 
+--+-+
Odhiambo Washington . WANANCHI ONLINE LTD (Nairobi, KE)  |
  . 1ere Etage, Loita Hse, Loita St.,  |
GSM: (+254) 722 743 223 . # 10286, 00100 NAIROBI |
GSM: (+254) 733 744 121 . (+254) 020 313 985 - 9 |
+-+--+
"Oh My God! They killed init! You Bastards!"  
 --from a /. post




Re: [Clamav-users] --detect-encrypted?

2004-03-11 Thread Odhiambo Washington
* Fajar A. Nugraha <[EMAIL PROTECTED]> [20040311 19:30]: wrote:
> Odhiambo Washington wrote:
> 
> >hehee, I noticed that and added 2 days ago, but just today Tomas
> >(Kojm) wrote to the list with that option again ;)
> >
> > 
> >
> You mean the one with
> "
> 
> But anyway you should check the
> --detect-encrypted option (CVS).
> "
> 
> I assume he meant it as an option for clamscan (as stated in ChangeLog)

Thanks for the clarification. I will be more careful to spare time to
also read the Changelog, besides what I see being discussed ;(.
All along I had thought that it was an option to ./configure.


cheers
   - wash 
+--+-+
Odhiambo Washington . WANANCHI ONLINE LTD (Nairobi, KE)  |
  . 1ere Etage, Loita Hse, Loita St.,  |
GSM: (+254) 722 743 223 . # 10286, 00100 NAIROBI |
GSM: (+254) 733 744 121 . (+254) 020 313 985 - 9 |
+-+--+
"Oh My God! They killed init! You Bastards!"  
 --from a /. post




Re: [Clamav-users] Patch not work for Amavis to scan Bagle zippwd

2004-03-11 Thread Noel Jones
On Fri, Mar 12, 2004 at 12:59:17AM +, Karis Matik wrote:
> 
> Hi Noel,
> Yes, I've put the MAIL$ line in the amavisd.conf. Still, it missed the Info.zip 
> attachment.
> Have you tested with a zipped password protected?
> My initial thinking is (probably) the database isn't read properly. But again, 
> during restart of clamd service, I got good indication that 40,000 something kind of 
> viruses listed in the database from clamd.log.
> 

Yes, mine was and still is detecting the password-protected versions.

You have too many viruses detected, should be something like:
Known viruses: 20447
I would suspect you have old viruses.db and viruses.db2 files lying
around, they should be removed.  But that probably won't solve your
reported problem.  

Recheck your patch or upgrade to the -p8 version announced yesterday.

-- 
Noel Jones




Re: [Clamav-users] new to clamAV ...

2004-03-11 Thread Betsy Schwartz
At 10:04 PM 3/11/2004, kent e. wrote:
> In the step 9 of the above link what does it mean signature? Does it
> mean the file with an extension name of .sig ???
> seems like a success but how to update the virus definition or the db of

The "signature" is the signature of the virus, or the virus definition. I 
guess we call it a signature because it can be used to identify the virus. 
Anyway that's what freshclam is doing, updating the definition database

Betsy Schwartzemail: 
[EMAIL PROTECTED]
Unix Systems Administrator,CRG   voice: 617-495-5947
Harvard Graduate School of Design fax:617-496-5866







Re: [Clamav-users] Re: Logfile

2004-03-11 Thread Betsy Schwartz
When you say clamAV works with logrotate, what command are you issuing to 
get clamav to start using the new file? What I'm seeing is that it doesn't 
respond to SIGHUP but has to be killed and restarted to get it to let go of 
the old filehandle



Betsy Schwartzemail: 
[EMAIL PROTECTED]
Unix Systems Administrator,CRG   voice: 617-495-5947
Harvard Graduate School of Design fax:617-496-5866







[Clamav-users] new to clamAV ...

2004-03-11 Thread kent e.
I just downloaded the version 0.67 and I followed the step-by-step
config in http://linux-sxs.org/administration/clamav.html 

In the step 9 of the above link what does it mean signature? Does it
mean the file with an extension name of .sig ???

seems like a success but how to update the virus definition or the db of
the clamAV

I'm doing the install on a redhat9 and on fedora core1

== 
Thanks in Advance

Kent E.






Re: [Clamav-users] Virus aliases

2004-03-11 Thread jef moskot
On Thu, 11 Mar 2004, Dave Ewart wrote:
> ClamAV is a fabulous project - wish I could find some way to contribute.

Well, there's always: http://clamav.net/donate.php#pagestart

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]




Re: [Clamav-users] Virus scanned by clamav.net but updated db missed it

2004-03-11 Thread Fajar A. Nugraha
Karis Matik wrote:

> What are the *.db* files? What are the *.cvd files? Is the *.db* file just a list which will be compiled into binary file (namely the .cvd files)?

Simply put, the *.cvd is the new format for viruses.db and viruses.db2. 
As the name implied, main.cvd is the main virus signature database 
(rarely updated) and daily.cvd is the database which contains most 
recent virus signatures (frequently updated). *.cvd does not require 
*.md5 files to verify database integrity anymore. It is also smaller 
(less than half in size) compared to *.db. You can test database 
integrity with `sigtool -i daily.cvd` or `sigtool -i main.cvd`.

If you want to add your own virus definition, you can still do it using 
the old *.db format, name it anything-you-want.db, and put it in 
signatures directory. ClamAV will pick it up automatically.

Regards,

Fajar

PS : Has your problem been solved yet?



Re: [Clamav-users] Patch not work for Amavis to scan Bagle zippwd

2004-03-11 Thread Karis Matik
>> Got an attachment contain Bagle-F zippwd with the name: Info.zip. When I test the 
>> attachment, clam still allows the mail to get through. Anyone has similar problem 
>> and solution?
>>
>
>This patch worked fine for me.
>(I've since upgraded to the -p8 release, which also works fine)
>Did you remember to edit amavisd.conf and add MAIL to the
>$keep_decoded_original parameter?  That is required to activate
>this feature.
>
>  $keep_decoded_original_re = new_RE(
>qr'^MAIL$',# retain full original message for virus checking
>qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
>  );
>
>
>--
>Noel Jones
>
>

Hi Noel,
Yes, I've put the MAIL$ line in the amavisd.conf. Still, it missed the Info.zip 
attachment.
Have you tested with a zipped password protected?
My initial thinking is (probably) the database isn't read properly. But again, during 
restart of clamd service, I got good indication that 40,000 something kind of viruses 
listed in the database from clamd.log.


Thank you.

-- Karis




Re: [Clamav-users] Patch not work for Amavis to scan Bagle zippwd

2004-03-11 Thread Noel Jones
On Thu, Mar 11, 2004 at 10:59:40PM +, Karis Matik wrote:
> This is my installed amavis and clamd:
> 
> amavisd-new-0.20030616-10mdk
> clamav-db-0.66-0.20031204.1mdk
> libclamav1-0.66-0.20031204.1mdk
> clamav-0.66-0.20031204.1mdk
> clamdmail-0.15-1mdk
> clamd-0.66-0.20031204.1mdk
> 
> I applied the patch from Mark Martinec (reference: 
> http://marc.theaimsgroup.com/?l=amavis-user&m=10782706748&w=2)
> --
> --- amavisd~Mon Jan  5 02:00:19 2004
> +++ amavisd Tue Mar  2 22:49:15 2004
> @@ -5307,4 +5307,12 @@
> }
> $which_section = "virus_scan";
> +   # special case to preserve complete mail file for inspection
> +   if (lookup('MAIL',$keep_decoded_original_re)) {
> +   # keep the original email.txt by making a hard link
> +   # to it in ./parts/
> +   link("$tempdir/email.txt", "$tempdir/parts/email.txt")
> +   or die "Can't create hard link $tempdir/email.txt: $!";
> +   do_log(4, "providing full original message to scanners");
> +   }
> # some virus scanners behave badly if interrupted,
> # so for now just turn off the timer
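Review bot: the die message on the added link() call names only the source, $tempdir/email.txt, although link() can just as well fail on the target $tempdir/parts/email.txt (for example when it already exists or ./parts/ is missing). Put both paths in the message so a failure in the log points at the right file, and consider whether a failed link should abort the scan through die or be logged while scanning continues on the decoded parts.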
> --
> 
> Got an attachment contain Bagle-F zippwd with the name: Info.zip. When I test the 
> attachment, clam still allows the mail to get through. Anyone has similar problem 
> and solution?
> 

This patch worked fine for me.
(I've since upgraded to the -p8 release, which also works fine)
Did you remember to edit amavisd.conf and add MAIL to the
$keep_decoded_original parameter?  That is required to activate
this feature.

  $keep_decoded_original_re = new_RE(
    qr'^MAIL$',   # retain full original message for virus checking
    qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
  );


-- 
Noel Jones




[Clamav-users] Patch not work for Amavis to scan Bagle zippwd

2004-03-11 Thread Karis Matik
This is my installed amavis and clamd:

amavisd-new-0.20030616-10mdk
clamav-db-0.66-0.20031204.1mdk
libclamav1-0.66-0.20031204.1mdk
clamav-0.66-0.20031204.1mdk
clamdmail-0.15-1mdk
clamd-0.66-0.20031204.1mdk

I applied the patch from Mark Martinec (reference: 
http://marc.theaimsgroup.com/?l=amavis-user&m=10782706748&w=2)
--
--- amavisd~Mon Jan  5 02:00:19 2004
+++ amavisd Tue Mar  2 22:49:15 2004
@@ -5307,4 +5307,12 @@
}
$which_section = "virus_scan";
+   # special case to preserve complete mail file for inspection
+   if (lookup('MAIL',$keep_decoded_original_re)) {
+   # keep the original email.txt by making a hard link
+   # to it in ./parts/
+   link("$tempdir/email.txt", "$tempdir/parts/email.txt")
+   or die "Can't create hard link $tempdir/email.txt: $!";
+   do_log(4, "providing full original message to scanners");
+   }
# some virus scanners behave badly if interrupted,
# so for now just turn off the timer
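Review bot: the added block runs only when lookup('MAIL',$keep_decoded_original_re) matches and nothing is logged when it does not, so with an unchanged configuration the patch applies cleanly, changes nothing and leaves no trace. Add an else branch with a do_log line saying the full original message is not being passed to the scanners, and a comment next to the block that MAIL has to be listed in $keep_decoded_original_re. The existing do_log call is at level 4, so even the enabled case is only visible at that log level.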
--

Got an attachment containing Bagle-F zippwd with the name: Info.zip. When I test the 
attachment, clam still allows the mail to get through. Does anyone have a similar problem and 
a solution?

Thank you.

Regards,
Karis



Re: [Clamav-users] Virus scanned by clamav.net but updated db missed it

2004-03-11 Thread Karis Matik
Thanks to Fajar and Antoni.
One thing I still don't understand is about the viruses.db or viruses.db2.

What are the *.db* files? What are the *.cvd files? Is the *.db* file just a list 
which will be compiled into binary file (namely the .cvd files)?

Fajar mentioned the virus database used is the .cvd. But the name viruses.db implies 
its meaning by itself. Confused.

The reason I ask this question is because when I checked the log file for clamd, I saw 
the update is successful. But only .cvd file timestamp changed, not the *.db* file 
timestamp. Thus, the viruses.db* are not updated.

Sorry for my shallow understanding on clamav.

Cheers,
Karis


>-Original Message-
>From: Fajar A. Nugraha [mailto:[EMAIL PROTECTED]
>Sent: Thursday, March 11, 2004 02:00 PM
>To: [EMAIL PROTECTED]
>Subject: Re: [Clamav-users] Virus scanned by clamav.net but updated db missed it
>
>Karis Matik wrote:
>
>>Thanks for your reply.
>>Several questions:
>>1. which virus database amavis 0.66 uses? viruses.db or viruses.db2 or both?
>>
>>
>Not amavis 0.66. Clamav 0.66.
>Antoni's reply is correct : ClamAV will use any/all files which end in
>.db or .db?
>But since you use 0.66, you don't need to have any *.db*. The default db
>is *.cvd.
>
>See this?
>"
>
>Thu Mar 11 23:15:06 2004 -> Protecting against 40864 viruses.
>
>"
>This is too much. It means clamav is reading the *.cvd and viruses.*.
>Better remove the viruses.*
>since the signatures are the same anyway.
>
>>2. When I do a restart on clamd service, I can't find: Database correctly reloaded 
>>message.
>>
>>
>>
>On restart, you should look for "Protecting against xxx viruses".
>However, during clamd runs it will perform self checks periodically and 
>reload the database as needed,
>producing the "Database correctly reloaded" message.
>On newer versions, freshclam will also notify clamd to reload if a new
>database version is available, producing
>in freshclam.log entries like
>
>"
>Database updated (20432 signatures) from clamav.antispam.or.id
>(202.134.0.71).
>Clamd successfully notified about the update.
>"
>
>You should remove your viruses.*, restart clamd, and try again.
>If that still don't work, try upgrading to latest stable or CVS snapshot
>(I recommend latest snapshot).
>
>Regards,
>
>Fajar
>
>
>



Re: [Clamav-users] Clamdscan hanging when clamd checks/reloads database

2004-03-11 Thread Trog
On Thu, 2004-03-11 at 20:18, Robert Blayzor wrote:
> I didn't get any responses on this, so I'm trying a repost of this:
> 
> Using clamd devel-20040304 on FreeBSD 4.9
> 
> On several occasions now we've noticed that when clamd checks and reloads
> the virus database current clamdscan's hang and then time out.
> 
>

Hmm. Do you have a low level of clamd usage?

Could you try the enclosed patch, and let me know if it helps/doesn't
help?

Cheers,
-trog


--- clamd/thrmgr.c.orig 2004-03-11 21:34:08.0 +
+++ clamd/thrmgr.c  2004-03-11 21:36:28.0 +
@@ -174,13 +174,12 @@
timeout.tv_nsec = 0;
threadpool->thr_idle++;
while (((job_data=work_queue_pop(threadpool->queue)) == NULL)
-   && (threadpool->state != POOL_EXIT)) {
+   && !must_exit) {
/* Sleep, awaiting wakeup */
retval = pthread_cond_timedwait(&(threadpool->pool_cond),
&(threadpool->pool_mutex), &timeout);
-   if (retval == ETIMEDOUT) {
+   if ((retval == ETIMEDOUT) || (threadpool->state == POOL_EXIT)) 
{
must_exit = TRUE;
-   break;
}
}
threadpool->thr_idle--;
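Review bot: in the new while condition, threadpool->state == POOL_EXIT is examined only after pthread_cond_timedwait() returns, so a worker that gets here with an empty queue while the pool is already in POOL_EXIT blocks until it is signalled or the timeout expires before must_exit is set. Testing the state before the first wait, or keeping it in the loop condition next to !must_exit, avoids that delay. With the break removed, the condition also calls work_queue_pop() once more after must_exit has been set, so the code after the loop has to cope with job_data being non-NULL while must_exit is TRUE, otherwise that job is dropped.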


[Clamav-users] Re: Logfile

2004-03-11 Thread Jorge Valdes
>At 12:41 PM 3/11/2004, John Jolet wrote:
>>why not just run logrotate and have done with it?
>
>It would help if clamd took a "kill -HUP" and started a new logfile.
>
>Betsy Schwartz
Depending on traffic, and logging options selected, this can grow fairly 
quickly. If log entries are lost, debugging may not be possible, and 
reporting will be incomplete depending on the amount not logged.

If the program already "knows" it's reached the file size limit, why not 
just start logging to another file?  This can even be limited via 
configuration option, and -HUP would never be required.

Jorge Valdes
NOC Manager
Intercom El Salvador
[EMAIL PROTECTED]
Tel. 503-278-5068
Tel. 503-265-7070
Fax. 503-265-7025





Re: [Clamav-users] clamav hpux make problems

2004-03-11 Thread Jon Fraley
I tried using gcc, but it still failed during "make".  I will try
something else.

Jon

On Thu, 2004-03-11 at 14:14, Richard Nairn wrote:
> I have a HPUX 11.00 machine with GCC, I tried to compile the latest 
> sendmail with milter, and use the clamav-milter with it. I was never able 
> to get the milter library compiled for sendmail, and thus clamav-milter to 
> work.  Did you have any success with that?  My issue is I only have the 
> base compiler for it, not an ANSI compiler so I haven't been able to get 
> both packages compiled. I switched my mail over to an Alpha machine 
> running linux
> 
> 
> 
> On Thu, 11 Mar 2004 21:44:17 +0700, Fajar A. Nugraha <[EMAIL PROTECTED]> 
> wrote:
> 
> > Jon Fraley wrote:
> >
> >> How do I tell it to compile with gcc?
> >>
> >>
> > Step 1 : get gcc package for HPUX (if any exist)
> > Step 2 : execute
> >
> > CC=gcc ./configure
> >
> > instead of just ./configure
> >
> >
> 
> 





[Clamav-users] Clamdscan hanging when clamd checks/reloads database

2004-03-11 Thread Robert Blayzor
I didn't get any responses on this, so I'm trying a repost of this:

Using clamd devel-20040304 on FreeBSD 4.9

On several occasions now we've noticed that when clamd checks and reloads
the virus database current clamdscan's hang and then time out.

This causes some real problems on a process that uses clamdscan as it thinks
clamd is dead and then just bombs out.

Last messages in the clamd.log are:

Tue Mar  9 19:59:40 2004 -> SelfCheck: Database modification detected.
Forcing reload.
Tue Mar  9 19:59:40 2004 -> Reading databases from /usr/local/share/clamav
Tue Mar  9 20:06:54 2004 -> Database correctly reloaded (20426 viruses)
Tue Mar  9 20:06:54 2004 -> /var/tmp/scavs/22217/5/msg-6-2.bin:
Worm.SomeFool.Gen-1 FOUND


When checking clamd manually it appears to be running ok... It just whenever
a database reload happens at the time either a clamdscan is in progress or
one is trying to initiate during a reload, the clamdscan process just
hangs...

Any ideas on how to fix this or if more recent devel code has addressed this
issue?

--
Robert Blayzor, BOFH
INOC, LLC
[EMAIL PROTECTED]
PGP: http://www.inoc.net/~dev/
Key fingerprint = 1E02 DABE F989 BC03 3DF5  0E93 8D02 9D0B CB1A A7B0

Portable:  Survives system reboot.






Re: [Clamav-users] clamav hpux make problems

2004-03-11 Thread Richard Nairn
I have a HPUX 11.00 machine with GCC, I tried to compile the latest 
sendmail with milter, and use the clamav-milter with it. I was never able 
to get the milter library compiled for sendmail, and thus clamav-milter to 
work.  Did you have any success with that?  My issue is I only have the 
base compiler for it, not an ANSI compiler so I haven't been able to get 
both packages compiled. I switched my mail over to an Alpha machine 
running linux



On Thu, 11 Mar 2004 21:44:17 +0700, Fajar A. Nugraha <[EMAIL PROTECTED]> 
wrote:

> Jon Fraley wrote:
>
>> How do I tell it to compile with gcc?
>
> Step 1 : get gcc package for HPUX (if any exist)
> Step 2 : execute
>
> CC=gcc ./configure
>
> instead of just ./configure



--
|   Richard Nairn  Specializing in Linux
| Nairn Consulting Web / Database Solutions
|Calgary, AB
 | [EMAIL PROTECTED]


Re: [Clamav-users] Logfile

2004-03-11 Thread John Jolet
Betsy Schwartz wrote:

> At 12:41 PM 3/11/2004, John Jolet wrote:
>
>> why not just run logrotate and have done with it?
>
> It would help if clamd took a "kill -HUP" and started a new logfile.
>
> Betsy Schwartz
> email: [EMAIL PROTECTED]
> Unix Systems Administrator,CRG   voice: 617-495-5947
> Harvard Graduate School of Design fax: 617-496-5866





hmm, logrotate seems to be working just fine on my fedora box.



Re: [Clamav-users] Virus aliases

2004-03-11 Thread Tomasz Kojm
On Thu, 11 Mar 2004 07:52:44 -0800
"Mitch (WebCob)" <[EMAIL PROTECTED]> wrote:


> Maybe I spoke too soon... if you guys are already working on this great
> - how will aliases be identified and submissions be processed?
> 
> I've heard that the bigger manufacturers often copy the first known
> name - is there a way to get in that peer group?
> 
> Will the system handle multiple aliases in the event it occurs?

The idea is to include aliases in a signature and allow clamscan/clamd
to print them optionally, eg.

clamscan foo
foo: Worm.SomeFool FOUND

clamscan --aliases foo
foo: Worm.SomeFool W32.Netsky FOUND

-- 
   oo. Tomasz Kojm <[EMAIL PROTECTED]>
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Thu Mar 11 19:41:13 CET 2004


pgp0.pgp
Description: PGP signature


Re: [Clamav-users] Using ClamAV with Declude Virus

2004-03-11 Thread Tomasz Kojm
On Thu, 11 Mar 2004 09:18:00 -0700
"Brad Morgan" <[EMAIL PROTECTED]> wrote:

> So as you can see, I'd like Declude to parse the output and capture
> the virus name.  Declude support tells me there's a "standard" format
> for the report output and ClamAV doesn't adhere to the "standard". 
> AVG, F-Prot, F-Secure, Inoculan, McAfee, and Sophos do.  I don't know
> where the "standard" came from yet.

Neither do I.

> If an option were added to clamscan (i.e. --declude) to change the
> output format, could that change be incorporated into the source CVS? 

No, it couldn't. The output is extremely simple to parse (because virus
names don't contain colons), look at the simple example:

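#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
    /* sample clamscan output line; the file name itself contains a colon */
    const char *out = "/some/file/with:colon: VIRUS FOUND\n", *pt;

    /* walk back from the end to the last colon (virus names contain none) */
    for(pt = out + strlen(out) - 1; *pt != ':'; pt--);
    pt += 2;    /* skip the colon and the space that follows it */
    printf("%s", pt);
    return 0;
}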

> It sounds like Scott at Declude knows exactly where to make the change
> and I could probably hack up the
> rest of the necessary patches (it would be my first open source code
> contribution).

Of course you can adapt ClamAV to your needs but those changes won't be
incorporated into the main tree.

-- 
   oo. Tomasz Kojm <[EMAIL PROTECTED]>
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Thu Mar 11 19:28:12 CET 2004
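
Added example (not part of the message above and not ClamAV or Declude code): the same right-to-left idea as a reusable parser that returns the path and the virus name and also handles "OK" lines. The function name, status codes and the last two sample lines are assumptions made for this illustration; the line format is the "<path>: <name> FOUND" shape shown in the thread.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical status codes for this example (not ClamAV's own). */
enum { SCAN_UNPARSED = -1, SCAN_CLEAN = 0, SCAN_INFECTED = 1 };

/* Copy n bytes of src into dst as a C string; fail rather than truncate. */
static int copy_field(char *dst, size_t dstsz, const char *src, size_t n)
{
    if (n + 1 > dstsz)
        return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/*
 * Parse one result line of the form "<path>: <name> FOUND" or "<path>: OK".
 * The path comes from an untrusted attachment name and may itself contain
 * ':' or the word FOUND, so the separator is searched from the right.
 */
int parse_scan_line(const char *line, char *path, size_t pathsz,
                    char *name, size_t namesz)
{
    static const char found[] = " FOUND";
    const size_t flen = sizeof(found) - 1;
    size_t len = strlen(line), i, vlen;
    const char *verdict;

    /* Drop the line terminator. */
    while (len > 0 && (line[len - 1] == '\n' || line[len - 1] == '\r'))
        len--;

    /* i ends up one past the last ':' that is followed by a space. */
    for (i = len; i > 0; i--)
        if (line[i - 1] == ':' && i < len && line[i] == ' ')
            break;
    if (i < 2)                      /* no separator, or empty path */
        return SCAN_UNPARSED;

    verdict = line + i + 1;
    vlen = len - (i + 1);
    if (copy_field(path, pathsz, line, i - 1) != 0 ||
        copy_field(name, namesz, "", 0) != 0)
        return SCAN_UNPARSED;

    if (vlen == 2 && memcmp(verdict, "OK", 2) == 0)
        return SCAN_CLEAN;

    if (vlen > flen && memcmp(verdict + vlen - flen, found, flen) == 0) {
        if (copy_field(name, namesz, verdict, vlen - flen) != 0)
            return SCAN_UNPARSED;
        return SCAN_INFECTED;
    }
    return SCAN_UNPARSED;           /* unknown verdict: do not treat as clean */
}

int main(void)
{
    /* Constructed sample lines; the first two reuse strings from the thread. */
    const char *samples[] = {
        "/some/file/with:colon: VIRUS FOUND\n",
        "foo: Worm.SomeFool FOUND\n",
        "x: Evil FOUND: OK\n",      /* clean file with a misleading name */
        "garbage without separator\n",
    };
    char path[256], name[128];
    size_t k;

    for (k = 0; k < sizeof(samples) / sizeof(samples[0]); k++) {
        int st = parse_scan_line(samples[k], path, sizeof(path),
                                 name, sizeof(name));
        if (st == SCAN_INFECTED)
            printf("INFECTED path=[%s] name=[%s]\n", path, name);
        else if (st == SCAN_CLEAN)
            printf("CLEAN    path=[%s]\n", path);
        else
            printf("UNPARSED %s", samples[k]);
    }
    return 0;
}
```

A caller that gates mail delivery on this should treat SCAN_UNPARSED as "not scanned" rather than as clean.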




Re: [Clamav-users] Logfile

2004-03-11 Thread Tomasz Kojm
On Thu, 11 Mar 2004 10:57:43 -0600
Jorge Valdes <[EMAIL PROTECTED]> wrote:

> Hi,
> I am very happy with clamav, and would like everyone's opinion to the 
> following feature request:
> 
> clamd logs to a file and you can control the size, but when this limit
> is reached, logging stops. When this happens, an entry in the file
> says it has reached the file size limit. Since the program realizes
> this, wouldn't it be better to rename the logfile automatically by
> just adding an extension (like logrotate) and create a new file?

The latest snapshots work properly with logrotate.

-- 
   oo. Tomasz Kojm <[EMAIL PROTECTED]>
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Thu Mar 11 19:03:49 CET 2004




Re: [Clamav-users] Logfile

2004-03-11 Thread Betsy Schwartz
At 12:41 PM 3/11/2004, John Jolet wrote:
> why not just run logrotate and have done with it?

It would help if clamd took a "kill -HUP" and started a new logfile.



Betsy Schwartzemail: 
[EMAIL PROTECTED]
Unix Systems Administrator,CRG   voice: 617-495-5947
Harvard Graduate School of Design fax:617-496-5866







Re: [Clamav-users] Help with New Install clamav-milter

2004-03-11 Thread Krištof Petr
Ed Kasky wrote:

> In what instance would one enable the following?
> # TCP port address.
> #TCPSocket 3310

When you have windows clients for example.

Petr





Re: [Clamav-users] Logfile

2004-03-11 Thread John Jolet
Jorge Valdes wrote:

> Hi,
> I am very happy with clamav, and would like everyone's opinion to the
> following feature request:
>
> clamd logs to a file and you can control the size, but when this limit
> is reached, logging stops. When this happens, an entry in the file
> says it has reached the file size limit. Since the program realizes
> this, wouldn't it be better to rename the logfile automatically by
> just adding an extension (like logrotate) and create a new file?
>
> Jorge Valdes
> NOC Manager
> Intercom El Salvador
> [EMAIL PROTECTED]
> Tel. 503-278-5068
> Tel. 503-265-7070
> Fax. 503-265-7025


why not just run logrotate and have done with it?





Re: [Clamav-users] Help with New Install clamav-milter

2004-03-11 Thread Ed Kasky
At 06:20 AM Thursday, 3/11/2004, Krištof Petr wrote -=>

> > Is this the correct switch to use when loading the daemon?
> > local:/var/run/clamav/clamav.sock
> > (This is also set in clamav.conf)
>
> Beware! In /etc/clamav.conf you are setting socket for communication
> between clamd <-> clamav-milter which is different from socket
> for sendmail <-> clamav-milter.

That fixed it!

Here's what I have now -

- in /etc/clamav.conf:
LocalSocket /var/run/clamav/clamd.sock
- in startup for clamav-milter:
local:/var/run/clamav/clamavmr.sock
- in sendmail.mc:
INPUT_MAIL_FILTER(`clamav', `S=local:/var/run/clamav/clamavmr.sock, F=S, 
T=S:4m;R:4m;E:10m')dnl
define(`confINPUT_MAIL_FILTERS', `clamavmr')dnl

In what instance would one enable the following?
# TCP port address.
#TCPSocket 3310
Thanks a lot for the help in this.

Ed
. . . . . . . .
Living in the now is a gift.  That's why they call it the present.




Re: [Clamav-users] Using ClamAV with Declude Virus

2004-03-11 Thread David Gregg
> On Thursday 11 March 2004 4:18 pm, Brad Morgan wrote:
>
> > > The output format won't change. Please check the 3-rd party software (on
> > > www.clamav.net) for parsing details.
> >
> > Sorry to hear that the output format is frozen in time.
>
> There are too many existing packages which call ClamAV and expect to be able
> to understand the result which comes back.   There's no reason you can't
> write a simple perl script (perhaps awk would do it?) to call ClamAV,
> rearrange the output as you want, and return the new format to your
> application.
>
> > Declude Virus is one product (http://www.declude.com) produced by
> > Computerized Horizons that interfaces with Imail (http://www.ipswitch.com),
> > a popular  (non-exchange) email server for Windows.
>
> ClamAV is (mainly) used on Unix systems - mostly Linux & BSD, therefore
> integration with a Windows mail server seems a minority interest.

ClamAV already works great using Windows.  Our product interfaces with it
without any problems whatsoever.  That's part of the calling program's
responsibility.  For what Scott charges, he should make those changes to his
program if he wants to support ClamAV fully.

>
> > Declude Virus provides the interface hook into the SMTP server, handles
> > mime decoding etc., and then uses your choice of command line virus
> > scanner(s) to do the actual virus check.  If a virus is detected, Declude
> > virus then provides the usual options for dealing with the email.
>
> ClamAV has been made to work under Windows using the Cygwin environment -
> nothing to stop you rewriting the output as described above (or even
> modifying the source to produce a different format given a command-line
> option to be "Declude-compatible"?).

No rewriting/modifying ClamAV is required.  The calling application just
needs to know how to parse the results.

>
> > If an option were added to clamscan (i.e. --declude) to change the output
> > format, could that change be incorporated into the source CVS?  It sounds
> > like Scott at Declude knows exactly where to make the change and I could
> > probably hack up the rest of the necessary patches (it would be my first
> > open source code contribution).
>
> Sounds like an excellent idea (but I'm not on the development team).   Since
> ClamAV is GPL, however, you're free to do any hacks you like; the only
> question is whether they get "officially" adopted or not.


Regards,

David Gregg
dgSoft Internet Services
+1.949.584-1514

---
mxGuard for IMail
Server based spam and virus protection for under $100
Request a free trial at http://www.mxGuard.com/postmaster
---





[Clamav-users] Logfile

2004-03-11 Thread Jorge Valdes
Hi,
I am very happy with clamav, and would like everyone's opinion to the 
following feature request:

clamd logs to a file and you can control the size, but when this limit is 
reached, logging stops. When this happens, an entry in the file says it has 
reached the file size limit. Since the program realizes this, wouldn't it be 
better to rename the logfile automatically by just adding an extension 
(like logrotate) and create a new file?

Jorge Valdes
NOC Manager
Intercom El Salvador
[EMAIL PROTECTED]
Tel. 503-278-5068
Tel. 503-265-7070
Fax. 503-265-7025




Re: [Clamav-users] SomeFool.Gen-1

2004-03-11 Thread Antony Stone
On Thursday 11 March 2004 4:40 pm, [EMAIL PROTECTED] wrote:

> What virus is Worm.SomeFool.Gen-1? Is it a Netsky virus?

Yes, but there isn't a one-to-one correspondence between what the different 
A-V vendors are picking up from different binaries:

ClamAV: all_document.pif contains Worm.SomeFool.Gen-1 
AntiVir: ALERT: [Worm/Netsky.D.Dam worm] all_document.pif
F-Prot: all_document.pif  Infection: W32/[EMAIL PROTECTED]
Inoculan: [all_document.pif] was infected by virus [Win32/Netsky.D.Worm]
Kaspersky: all_document.pif infected: I-Worm.NetSky.d
McAfee: all_document.pif  Found the W32/[EMAIL PROTECTED] virus !!!

also:

ClamAV: object_story.zip contains Worm.SomeFool.Gen-1 
AntiVir: ALERT: [Worm/NetSky.C worm] object_story.zip
F-Prot: object_story.zip->object_story.htm.com  Infection: W32/[EMAIL PROTECTED]
Inoculan: [object_story.zip:object_story.htm.com] was infected by virus [Win32/Netsky.C.Worm]
McAfee: object_story.zip  Found the W32/[EMAIL PROTECTED] virus !!!

Regards,

Antony.

-- 
The idea that Bill Gates appeared like a knight in shining armour to lead all 
customers out of a mire of technological chaos neatly ignores the fact that 
it was he who, by peddling second-rate technology, led them into it in the 
first place.

 - Douglas Adams in The Guardian, 25th August 1995

 Please reply to the list;
   please don't CC me.





[Clamav-users] SomeFool.Gen-1

2004-03-11 Thread elemint
What virus is Worm.SomeFool.Gen-1? Is it a Netsky virus?




Jim





Re: [Clamav-users] Using ClamAV with Declude Virus

2004-03-11 Thread Antony Stone
On Thursday 11 March 2004 4:18 pm, Brad Morgan wrote:

> > The output format won't change. Please check the 3-rd party software (on
> > www.clamav.net) for parsing details.
>
> Sorry to hear that the output format is frozen in time.

There are too many existing packages which call ClamAV and expect to be able 
to understand the result which comes back.   There's no reason you can't 
write a simple perl script (perhaps awk would do it?) to call ClamAV, 
rearrange the output as you want, and return the new format to your 
application.

> Declude Virus is one product (http://www.declude.com) produced by
> Computerized Horizons that interfaces with Imail (http://www.ipswitch.com),
> a popular  (non-exchange) email server for Windows.

ClamAV is (mainly) used on Unix systems - mostly Linux & BSD, therefore 
integration with a Windows mail server seems a minority interest.

> Declude Virus provides the interface hook into the SMTP server, handles
> mime decoding etc., and then uses your choice of command line virus
> scanner(s) to do the actual virus check.  If a virus is detected, Declude
> virus then provides the usual options for dealing with the email.

ClamAV has been made to work under Windows using the Cygwin environment - 
nothing to stop you rewriting the output as described above (or even 
modifying the source to produce a different format given a command-line 
option to be "Declude-compatible"?).

> If an option were added to clamscan (i.e. --declude) to change the output
> format, could that change be incorporated into the source CVS?  It sounds
> like Scott at Declude knows exactly where to make the change and I could
> probably hack up the rest of the necessary patches (it would be my first
> open source code contribution).

Sounds like an excellent idea (but I'm not on the development team).   Since 
ClamAV is GPL, however, you're free to do any hacks you like; the only 
question is whether they get "officially" adopted or not.

Regards,

Antony

-- 
You can spend the whole of your life trying to be popular,
but at the end of the day the size of the crowd at your funeral
will be largely dictated by the weather.

 - Frank Skinner

 Please reply to the list;
   please don't CC me.
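
The right-to-left parse suggested in this thread (Tomasz Kojm's "look for the last colon" and the wrapper Antony Stone describes above), written out as an added example; it is not code from any poster or from ClamAV. It assumes report lines of the form "<path>: <name> FOUND" or "<path>: OK", and the names parse_scan_line, copy_span and scan_status are hypothetical. Unlike a bare backward loop, it stops at the start of the buffer when a line has no separator and refuses to truncate into a short output buffer.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical result codes for this example. */
enum scan_status {
    SCAN_ERROR = -1,    /* an output buffer is too small */
    SCAN_OTHER = 0,     /* banner, summary or other non-verdict line */
    SCAN_CLEAN = 1,     /* "<path>: OK" */
    SCAN_INFECTED = 2   /* "<path>: <virus name> FOUND" */
};

/* Copy n bytes of src into dst as a C string; fail rather than truncate. */
static int copy_span(char *dst, size_t dst_sz, const char *src, size_t n)
{
    if (n + 1 > dst_sz)
        return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/*
 * Split one report line into path and virus name. File names may come from
 * mail attachments and can contain ':' or ": " themselves, so the line is
 * parsed from the right: the verdict is whatever follows the LAST ": ".
 */
static enum scan_status parse_scan_line(const char *line,
                                        char *path, size_t path_sz,
                                        char *virus, size_t virus_sz)
{
    static const char found[] = " FOUND";
    const size_t found_len = sizeof(found) - 1;
    size_t len = strlen(line);
    size_t i, sep, res, res_len;

    if (path_sz > 0) path[0] = '\0';
    if (virus_sz > 0) virus[0] = '\0';

    /* Ignore the line terminator (LF or CRLF). */
    while (len > 0 && (line[len - 1] == '\n' || line[len - 1] == '\r'))
        len--;

    /* Search backwards for ": " without ever indexing before line[0]. */
    sep = len;                          /* len means "no separator" */
    for (i = len; i >= 2; i--) {
        if (line[i - 2] == ':' && line[i - 1] == ' ') {
            sep = i - 2;
            break;
        }
    }
    if (sep == len)
        return SCAN_OTHER;              /* e.g. the summary banner */

    res = sep + 2;                      /* first byte after ": " */
    res_len = len - res;

    if (res_len == 2 && memcmp(line + res, "OK", 2) == 0)
        return copy_span(path, path_sz, line, sep) ? SCAN_ERROR : SCAN_CLEAN;

    /* Require a non-empty name in front of the " FOUND" suffix. */
    if (res_len > found_len &&
        memcmp(line + len - found_len, found, found_len) == 0) {
        if (copy_span(path, path_sz, line, sep) != 0 ||
            copy_span(virus, virus_sz, line + res, res_len - found_len) != 0)
            return SCAN_ERROR;
        return SCAN_INFECTED;
    }
    return SCAN_OTHER;
}

int main(void)
{
    /* Constructed sample lines; the first is the string from the thread. */
    static const char *samples[] = {
        "/some/file/with:colon: VIRUS FOUND\n",
        "/mail/Re: invoice.zip: Worm.SomeFool.Gen-1 FOUND\r\n",
        "/home/user/notes.txt: OK\n",
        "----------- SCAN SUMMARY -----------\n",
        "Infected files: 2\n"
    };
    char path[256], virus[128];
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        enum scan_status st = parse_scan_line(samples[i], path, sizeof(path),
                                              virus, sizeof(virus));
        if (st == SCAN_INFECTED)
            printf("INFECTED  path=[%s] virus=[%s]\n", path, virus);
        else if (st == SCAN_CLEAN)
            printf("CLEAN     path=[%s]\n", path);
        else
            printf("SKIPPED   status=%d\n", (int)st);
    }
    return 0;
}
```

A calling program can treat SCAN_ERROR and SCAN_OTHER on a line it expected to be a verdict as a failed scan rather than as a clean result.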





RE: [Clamav-users] Using ClamAV with Declude Virus

2004-03-11 Thread Brad Morgan
>
> You can look for the last colon...
>
> > the beginning of the -l output.  Can the change Scott suggested be made
> > to the ClamAV source?
> > Does it have to have an option added because the old format is being
> > parsed by
> > other programs?
>
> The output format won't change. Please check the 3-rd party software (on
> www.clamav.net) for parsing details.
>
> BTW: What is "Declude Virus" ?

Sorry to hear that the output format is frozen in time.

Declude Virus is one product (http://www.declude.com) produced by
Computerized Horizons that interfaces with Imail (http://www.ipswitch.com),
a popular  (non-exchange) email server for Windows.

Declude Virus provides the interface hook into the SMTP server, handles mime
decoding etc., and then uses your choice of command line virus scanner(s) to
do the actual virus check.  If a virus is detected, Declude virus then
provides the usual options for dealing with the email.

One of its options is to parse the virus scan output for the name of the
virus that was found and present it as an "environment type" variable for
reporting in logs and in (optional) generated emails to the intended
recipient, sender, local and remote postmasters, etc.

A feature just recently added is the ability to check the virus name against
a database of viruses that are known to forge the from address.  If found in
this database, then the from address is replaced by [forged] and can be used
to limit who gets notified about the infected email.

So as you can see, I'd like Declude to parse the output and capture the
virus name.  Declude support tells me there's a "standard" format for the
report output and ClamAV doesn't adhere to the "standard".  AVG, F-Prot,
F-Secure, Inoculan, McAfee, and Sophos do.  I don't know where the
"standard" came from yet.

If an option were added to clamscan (i.e. --declude) to change the output
format, could that change be incorporated into the source CVS?  It sounds
like Scott at Declude knows exactly where to make the change and I could
probably hack up the rest of the necessary patches (it would be my first
open source code contribution).

Regards,

Brad Morgan





Re: [Clamav-users] ifupdown error

2004-03-11 Thread Rick Weinbender
Odhiambo Washington wrote:

> * Rick Weinbender <[EMAIL PROTECTED]> [20040311 05:11]: wrote:
> > After installing clamav I get the following errors on boot.
> >
> > Configuring network interfaces:  run-parts:  failed to exec
> > /etc/network/if-up.d/clamav-freshclam-ifupdown:  Permission Denied
> > run-parts:  /etc/network/if-up.d/clamav-freshclam-ifupdown  exited with
> > return code 1
> >
> > this error repeats twice.
> > any ideas what might cause this?
>
> First guess:
> chmod 755 /etc/network/if-up.d/clamav*
> Else check the permissions.
> cheers
>- wash

***
Thanks!
That seemed to do it.
-Rick





RE: [Clamav-users] Virus aliases

2004-03-11 Thread Mitch (WebCob)


> -Original Message-
> From: Tomasz Kojm
>
> On Thu, 11 Mar 2004 10:15:50 +
> Dave Ewart <[EMAIL PROTECTED]> wrote:
>
> > 2. Can the alias details be extracted from the .cvd files?  If not
> > currently, is there any way to add this detail?
>
> Virus aliases will be supported in signatures in the near future.
>

Maybe I spoke too soon... if you guys are already working on this great - how
will aliases be identified and submissions be processed?

I've heard that the bigger manufacturers often copy the first known name -
is there a way to get in that peer group?

Will the system handle multiple aliases in the event it occurs?

Will the system identify the "owner" of the alias (like norton / sophos /
etc.)

Thanks!

m/





Re: [Clamav-users] --detect-encrypted?

2004-03-11 Thread Fajar A. Nugraha
Odhiambo Washington wrote:

> hehee, I noticed that and added 2 days ago, but just today Tomas
> (Kojm) wrote to the list with that option again ;)
 

You mean the one with
"
But anyway you should check the
--detect-encrypted option (CVS).
"
I assume he meant it as an option for clamscan (as stated in ChangeLog)

Regards,

Fajar





RE: [Clamav-users] Virus aliases

2004-03-11 Thread Mitch (WebCob)
> No idea how easy this would be to implement but here goes:
>
> As well as the virus signature databases, how about having an alias
> database which would contain a record for each virus, indicating its
> ClamAV name along with those used by the more mainstream AV software
> like Sophos, McAfee etc. Then have the scanning software (clamd etc.)
> accept a commandline switch to indicate your preferred naming. That way,
> if you also use Sophos/McAfee/whatever on internal servers you could get
> ClamAV to report an infection using the same naming as internally.  Of
> course, as the Clam sigs are usually ahead of the rest, the aliases for
> a particular virus would all be set to ClamAV's chosen name. Then, as
> the other vendors get their signatures out the aliases could be updated
> accordingly.
>
> Workable/unworkable/insane idea?
>
> Paul

I like it!

Should be quite simple to implement and very workable - depending on the
will of the powers that be to maintain...

A little more complex idea would be to create a collaborative maintenance
system allowing the users to update and complete the information - a simple
voting system could accept multiple submissions from confirmed contributors
as validation...

With such a database (downloadable like freshclam currently maintains
regular virus db) we could issue warnings that make more sense to users of
bigger name commercial products, and even generate links to their
educational content on the viruses...

The feeling I get is that clam detects the virus - generates the sig and
done... Norton, etc. decode it and see what it does and then publish the
info - when the link between the clam virus and the norton name is made
(for example) a link to that content would let the clam user know what they
found and what potential damage it could or might have already caused.

The developers of clam already have probably got their plates full with clam
issues... I could (as I imagine many others) consider building and hosting
something like this if there was enough support for it - thoughts?

Thanks!

m/





[Clamav-users] ClamAV via ScanMail

2004-03-11 Thread Gerry Maddock
Just a quick thank you to all of you who help with clamav! I use clamav on
my mailserver via MailScanner. (I'm using MailScanner with F-Secure and
ClamAV) Several times ClamAV is the only antivirus that will see viruses via
email. KEEP UP THE GOOD WORK!





Re: [Clamav-users] --detect-encrypted?

2004-03-11 Thread Odhiambo Washington
* Fajar A. Nugraha <[EMAIL PROTECTED]> [20040311 17:49]: wrote:
> Odhiambo Washington wrote:
> 
> >Since this option was mentioned, I have checked out the cvs version
> >but ./configure refuses to accept that option.
> >Even from a cvs checkout I did today ;)
> >
> > 
> >
> It's not ./configure option. It's clamscan option.
> With clamd, it's
> 
> ArchiveDetectEncrypted
> 
> in clamav.conf.


hehee, I noticed that and added 2 days ago, but just today Tomas
(Kojm) wrote to the list with that option again ;)


cheers
   - wash 
+--+-+
Odhiambo Washington . WANANCHI ONLINE LTD (Nairobi, KE)  |
  . 1ere Etage, Loita Hse, Loita St.,  |
GSM: (+254) 722 743 223 . # 10286, 00100 NAIROBI |
GSM: (+254) 733 744 121 . (+254) 020 313 985 - 9 |
+-+--+
"Oh My God! They killed init! You Bastards!"  
 --from a /. post




Re: [Clamav-users] clamav hpux make problems

2004-03-11 Thread Fajar A. Nugraha
Jon Fraley wrote:

> How do I tell it to compile with gcc?

 

Step 1 : get gcc package for HPUX (if any exist)
Step 2 : execute
CC=gcc ./configure

instead of just ./configure



Re: [Clamav-users] Help with New Install clamav-milter

2004-03-11 Thread Ed Kasky
On Thu, 11 Mar 2004, Nigel Horne wrote:

> > Mar 10 17:57:11 clam-milter[5623]: recv failed from clamd getting PORT
> > Mar 10 17:57:11 Milter: from=<[EMAIL PROTECTED]>, reject=451 4.7.1
> > Please try again later
> >
> > I assume it's rejecting because clamd can't get port?
> 
> Is clamd running?

 $ ps -U clamav
   PID TTY          TIME CMD
  1575 ?        00:00:00 clamd
  1578 ?        00:00:00 clamd
  1579 ?        00:00:00 clamd
  1602 ?        00:00:00 clamav-milter
  1605 ?        00:00:00 clamav-milter
  1606 ?        00:00:00 clamav-milter

The log files do not indicate that either has died...

Ed

Randomly generated quote:
The large print giveth, and the small print taketh away. -Tom Waits





Re: [Clamav-users] Help with New Install clamav-milter

2004-03-11 Thread Ed Kasky
On Thu, 11 Mar 2004, Krištof Petr wrote:

> > When I start clamd, it loads just fine and I can use clamdscan just 
> > fine.  However, running clamav-milter through sendmail results in the 
> > following from the maillog: 
> 
> 
> Did you start the clamav-milter daemon? If yes, does it open socket for 
> communication with sendmail?
> What are the file permissions of this socket?
> 
> How did you configure your sendmail.mc?

$ ps -U clamav
  PID TTY          TIME CMD
 1575 ?        00:00:00 clamd
 1578 ?        00:00:00 clamd
 1579 ?        00:00:00 clamd
 1602 ?        00:00:00 clamav-milter
 1605 ?        00:00:00 clamav-milter
 1606 ?        00:00:00 clamav-milter


Is this the correct switch to use when loading the daemon?
local:/var/run/clamav/clamav.sock
(This is also set in clamav.conf)

If it is:
srwxr-xr-x   1 clamav   clamav   0 Mar 10 23:13 /var/run/clamav/clamav.sock

INPUT_MAIL_FILTER(`clamav', `S=local:/var/run/clamav/clamav.sock, 
T=S:4m;R:4m')dnl
define(`confINPUT_MAIL_FILTERS', `clamav')dnl

Ed

Randomly generated quote:
There is so much good in the worst of us and so much bad
in the best of us that it ill behooves us to find fault
with the rest of us. -Mom





Re: [Clamav-users] --detect-encrypted?

2004-03-11 Thread Fajar A. Nugraha
Odhiambo Washington wrote:

> Since this option was mentioned, I have checked out the cvs version
> but ./configure refuses to accept that option.
> Even from a cvs checkout I did today ;)
 

It's not ./configure option. It's clamscan option.
With clamd, it's
ArchiveDetectEncrypted

in clamav.conf.

Regards,

Fajar





Re: [Clamav-users] Virus scanned by clamav.net but updated db missed it

2004-03-11 Thread Fajar A. Nugraha
Karis Matik wrote:

> Thanks for your reply.
> Several questions:
> 1. which virus database amavis 0.66 uses? viruses.db or viruses.db2 or both?
 

Not amavis 0.66. Clamav 0.66.
Antony's reply is correct: ClamAV will use any/all files which end in 
.db or .db?
But since you use 0.66, you don't need to have any *.db*. The default db 
is *.cvd.

See this?
"
Thu Mar 11 23:15:06 2004 -> Protecting against 40864 viruses.

"
This is too much. It means clamav is reading the *.cvd and viruses.*. 
Better remove the viruses.*
since the signatures are the same anyway.

> 2. When I do a restart on clamd service, I can't find: Database correctly reloaded message.

 

On restart, you should look for "Protecting against xxx viruses".
However, during clamd runs it will perform self checks periodically and 
reload the database as needed,
producing the "Database correctly reloaded" message.
On newer versions, freshclam will also notify clamd to reload if a new 
database version is available, producing
in freshclam.log entries like

"
Database updated (20432 signatures) from clamav.antispam.or.id 
(202.134.0.71).
Clamd successfully notified about the update.
"

You should remove your viruses.*, restart clamd, and try again.
If that still doesn't work, try upgrading to latest stable or CVS snapshot 
(I recommend latest snapshot).

Regards,

Fajar



Re: [Clamav-users] clamav hpux make problems

2004-03-11 Thread Jon Fraley
On Wed, 2004-03-10 at 22:15, Fajar A. Nugraha wrote:
> Jon Fraley wrote:
> 
> >I am installing clamav-0.67 on HPUX-11.0.  After ironing out issues with
> >./configure, I now have a problem with make.  After running a while I
> >get the following:  Any ideas on solving this?  
> >
> >/zzip-zip.c' || echo './'`zziplib/zzip-zip.c
> >rm -f .libs/zzip-zip.lo
> >cc -DHAVE_CONFIG_H -I. -I. -I.. -I.. -I./zziplib -g -c
> >zziplib/zzip-zip.c -Wp,-M.deps/zzip-zip.TPlo  +Z -DPIC -o
> >.libs/zzip-zip.lo
> >cpp: "./zziplib/zzip-file.h", line 29: warning 2013: Unknown
> >preprocessing directive.
> >  
> >
> Have you tried gcc yet?
> Or try recent CVS snapshot 
> (http://www.clamav.net/snapshot/clamav-devel-latest.tar.gz).
> It compiles OK with cc on DEC OSF (meaning that particular snapshot 
> doesn't need gcc).
> I haven't tested clamav-0.67 though; I only test daily snapshots.
> 
> Regards,
> 
> Fajar
> 
> 

How do I tell it to compile with gcc?

Jon





Re: [Clamav-users] Virus aliases

2004-03-11 Thread Dave Ewart

On Thursday, 11.03.2004 at 13:52 +0100, Tomasz Kojm wrote:

> On Thu, 11 Mar 2004 10:15:50 + Dave Ewart
> <[EMAIL PROTECTED]> wrote:
> 
> > 2. Can the alias details be extracted from the .cvd files?  If not
> > currently, is there any way to add this detail?
> 
> Virus aliases will be supported in signatures in the near future.

Excellent news!  ClamAV is a fabulous project - wish I could find some
way to contribute.

At the moment, all I'm managing is word-of-mouth praise etc.

Cheers,

Dave.
-- 
Dave Ewart
[EMAIL PROTECTED]
Computing Manager, Epidemiology Unit, Oxford
Cancer Research UK
PGP: CC70 1883 BD92 E665 B840 118B 6E94 2CFD 694D E370





[Clamav-users] --detect-encrypted?

2004-03-11 Thread Odhiambo Washington
Since this option was mentioned, I have checked out the cvs version
but ./configure refuses to accept that option.
Even from a cvs checkout I did today ;)


cheers
   - wash 
+--+-+
Odhiambo Washington . WANANCHI ONLINE LTD (Nairobi, KE)  |
  . 1ere Etage, Loita Hse, Loita St.,  |
GSM: (+254) 722 743 223 . # 10286, 00100 NAIROBI |
GSM: (+254) 733 744 121 . (+254) 020 313 985 - 9 |
+-+--+
"Oh My God! They killed init! You Bastards!"  
 --from a /. post




Re: [Clamav-users] Virus scanned by clamav.net but updated db missed it

2004-03-11 Thread Antony Stone
On Thursday 11 March 2004 12:47 pm, Karis Matik wrote:

> Thanks for your reply.
> Several questions:
> 1. which virus database amavis 0.66 uses? viruses.db or viruses.db2 or
> both?

Both.   In fact ClamAV will use any/all files which end in .db or .db? 
(wildcard) in the appropriate directory.   You can thus easily add your own 
signatures (if you want to) just by putting them in your own file called 
something like mysigs.db, and those will get used alongside the main database 
files, without being overwritten when there's an update.

Regards,

Antony.

-- 
Never write it in Perl if you can do it in Awk.
Never do it in Awk if sed can handle it.
Never use sed when tr can do the job.
Never invoke tr when cat is sufficient.
Avoid using cat whenever possible.

 Please reply to the list;
   please don't CC me.
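
A simplified model of how a `Name=hexsig` line from a `.db` file is read and matched, added here as an illustration; it is not part of the original post and not ClamAV's own matching engine. The first signature line is the one quoted elsewhere in this thread, copied as printed; `Local.Example.Marker`, the function names and the sample byte strings are hypothetical.

```python
import re

# Signature line as printed in this thread (grep output from viruses.db2).
SIG_LINE = ("Worm.Bagle.Gen-zippwd (Clam)="
            "504b03040a000100*504b010214000a000100*504b050601000100")
# Hypothetical local signature, as it might appear in a mysigs.db file.
LOCAL_LINE = "Local.Example.Marker=" + b"EXAMPLE-MARKER".hex()

HEX_RUN = re.compile(r"(?:[0-9a-fA-F]{2})+")


def parse_db_line(line):
    """Split 'Name=hexsig' into (name, [fragment_bytes, ...]).

    '*' separates fragments that must occur in order with any number of
    bytes between them; any other wildcard form is rejected, not guessed.
    """
    name, sep, hexsig = line.strip().partition("=")
    if not (sep and name and hexsig):
        raise ValueError("expected Name=hexsig, got %r" % line)
    parts = hexsig.split("*")
    if not all(HEX_RUN.fullmatch(p) for p in parts):
        raise ValueError("unsupported or malformed pattern for %r" % name)
    return name, [bytes.fromhex(p) for p in parts]


def matches(fragments, data):
    """True if all fragments occur in data, in order, without overlapping."""
    pos = 0
    for frag in fragments:
        hit = data.find(frag, pos)
        if hit < 0:
            return False
        pos = hit + len(frag)
    return True


def load_signatures(lines):
    """Merge lines from several .db files into one name -> fragments map."""
    sigs = {}
    for line in lines:
        if line.strip():
            name, fragments = parse_db_line(line)
            sigs[name] = fragments
    return sigs


def scan(sigs, data):
    """Names of all signatures that match data, sorted."""
    return sorted(n for n, frags in sigs.items() if matches(frags, data))


def constructed_samples():
    """Constructed byte strings for the demo; none is a real archive."""
    _, frags = parse_db_line(SIG_LINE)
    in_order = b"\x00" * 7 + frags[0] + b"name" + frags[1] + b"more" + frags[2]
    reordered = frags[2] + frags[1] + frags[0]
    marked = b"hello EXAMPLE-MARKER world"
    return in_order, reordered, marked


if __name__ == "__main__":
    sigs = load_signatures([SIG_LINE, "", LOCAL_LINE])
    for sample in constructed_samples():
        print(scan(sigs, sample) or "no match")
```

The reordered sample contains the same three fragments but does not match, which is the practical meaning of the `*` separators: order matters, distance does not.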





Re: [Clamav-users] Virus aliases

2004-03-11 Thread Tomasz Kojm
On Thu, 11 Mar 2004 10:15:50 +
Dave Ewart <[EMAIL PROTECTED]> wrote:

> 2. Can the alias details be extracted from the .cvd files?  If not
> currently, is there any way to add this detail?

Virus aliases will be supported in signatures in the near future.

-- 
   oo. Tomasz Kojm <[EMAIL PROTECTED]>
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Thu Mar 11 13:51:55 CET 2004




Re: [Clamav-users] Using ClamAV with Declude Virus

2004-03-11 Thread Tomasz Kojm
On Thu, 11 Mar 2004 17:38:43 +0700
"Fajar A. Nugraha" <[EMAIL PROTECTED]> wrote:

> Tomasz Kojm wrote:
> 
> >BTW: What is "Declude Virus" ?
> >
> >  
> >
> Something like Amavis which only works on Imail
> http://www.declude.com/Virus/index.html

It's very expensive...

-- 
   oo. Tomasz Kojm <[EMAIL PROTECTED]>
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Thu Mar 11 13:53:05 CET 2004




Re: [Clamav-users] Virus scanned by clamav.net but updated db missed it

2004-03-11 Thread Karis Matik
Thanks for your reply.
Several questions:
1. which virus database amavis 0.66 uses? viruses.db or viruses.db2 or both?
2. When I do a restart on clamd service, I can't find: Database correctly reloaded 
message.

Thu Mar 11 23:11:01 2004 -> Signal 15 caught -> exiting.
Thu Mar 11 23:11:01 2004 -> Freeing trie structure.
Thu Mar 11 23:11:01 2004 -> Shutting down the main socket.
Thu Mar 11 23:11:01 2004 -> Closing the main socket.
Thu Mar 11 23:11:01 2004 -> Socket file removed.
Thu Mar 11 23:11:01 2004 -> Pid file removed.
Thu Mar 11 23:11:01 2004 -> Freeing stat structure.
Thu Mar 11 23:11:01 2004 -> Exit level 2, ThreadWatcher termination.
Thu Mar 11 23:11:01 2004 -> --- Stopped at Thu Mar 11 23:11:01 2004
Thu Mar 11 23:15:05 2004 -> +++ Started at Thu Mar 11 23:15:05 2004
Thu Mar 11 23:15:05 2004 -> Log file size limited to 2097152 bytes.
Thu Mar 11 23:15:05 2004 -> Verbose logging activated.
Thu Mar 11 23:15:05 2004 -> Running as user clamav (UID 80, GID 107)
Thu Mar 11 23:15:05 2004 -> Reading databases from /var/lib/clamav
Thu Mar 11 23:15:06 2004 -> Protecting against 40864 viruses.
Thu Mar 11 23:15:06 2004 -> Unix socket file /var/lib/clamav/clamd.socket
Thu Mar 11 23:15:06 2004 -> Setting connection queue length to 15
Thu Mar 11 23:15:06 2004 -> Listening daemon: PID: 2309
Thu Mar 11 23:15:06 2004 -> Maximal number of threads: 64
Thu Mar 11 23:15:06 2004 -> Archive: Archived file size limit set to 10485760 bytes.
Thu Mar 11 23:15:06 2004 -> Archive: Recursion level limit set to 5.
Thu Mar 11 23:15:06 2004 -> Archive: Files limit set to 1000.
Thu Mar 11 23:15:06 2004 -> Archive: Compression ratio limit set to 200.
Thu Mar 11 23:15:06 2004 -> Archive support enabled.
Thu Mar 11 23:15:06 2004 -> RAR support disabled.
Thu Mar 11 23:15:06 2004 -> Mail files support enabled.
Thu Mar 11 23:15:06 2004 -> ThreadWatcher: Started in process 2311
Thu Mar 11 23:15:06 2004 -> Self checking every 3600 seconds.
Thu Mar 11 23:15:06 2004 -> Timeout set to 500 seconds.
Thu Mar 11 23:15:06 2004 -> SelfCheck: Database status OK.
Thu Mar 11 23:15:06 2004 -> SelfCheck: Integrity OK

How do I make it reload the database?

Many thanks.

>-Original Message-
>From: Fajar A. Nugraha [mailto:[EMAIL PROTECTED]
>Sent: Thursday, March 11, 2004 11:42 AM
>To: [EMAIL PROTECTED]
>Subject: Re: [Clamav-users] Virus scanned by clamav.net but updated db missed it
>
>Karis Matik wrote:
>
>>less viruses.db
>>And I looked for Worm.Bagle.Gen-zippwd, I can't get one. 
>>
>You're looking in the wrong place
>bash-2.03# grep Worm.Bagle.Gen-zippwd viruses*
>viruses.db2:Worm.Bagle.Gen-zippwd 
>(Clam)=504b03040a000100*504b010214000a000100*504b050601000100
>
>>Any one can give me a hint what's going on with the update?
>>
>>  
>>
>Assuming you use clamd, check to make sure that the database is reloaded 
>correctly.
>I put clamd logs in a file. Yours might be on syslog.
>There should be something like
>
>Thu Mar 11 05:20:29 2004 -> Reading databases from /usr/local/share/clamav
>Thu Mar 11 05:20:33 2004 -> Database correctly reloaded (20432 viruses)
>
>Upgrading clamav to current stable version or CVS snapshot wouldn't hurt 
>either.
>
>Regards,
>
>Fajar
>
>



Re: [Clamav-users] Virus scanned by clamav.net but updated db missed it

2004-03-11 Thread Fajar A. Nugraha
Karis Matik wrote:

> less viruses.db
> And I looked for Worm.Bagle.Gen-zippwd, I can't get one.

You're looking in the wrong place
bash-2.03# grep Worm.Bagle.Gen-zippwd viruses*
viruses.db2:Worm.Bagle.Gen-zippwd (Clam)=504b03040a000100*504b010214000a000100*504b050601000100

> Any one can give me a hint what's going on with the update?

Assuming you use clamd, check to make sure that the database is reloaded 
correctly.
I put clamd logs in a file. Yours might be on syslog.
There should be something like

Thu Mar 11 05:20:29 2004 -> Reading databases from /usr/local/share/clamav
Thu Mar 11 05:20:33 2004 -> Database correctly reloaded (20432 viruses)

Upgrading clamav to current stable version or CVS snapshot wouldn't hurt 
either.

Regards,

Fajar
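
The log check described in this message, extended to tell a restart from a reload and to compare clamd's loaded count with freshclam's totals; this is an added example, not part of the original posts. The log lines are copied from this thread (the reload lines and the other two logs come from different posters' hosts); the function names are hypothetical.

```python
import re

# Lines copied from the logs quoted in this thread.
FRESHCLAM_LOG = """\
ClamAV update process started at Thu Mar 11 20:01:00 2004
main.cvd is up to date (version: 21, sigs: 20094, f-level: 1, builder: tkojm)
daily.cvd is up to date (version: 176, sigs: 338, f-level: 1, builder: ddm)
"""
CLAMD_RESTART = """\
Thu Mar 11 23:15:05 2004 -> +++ Started at Thu Mar 11 23:15:05 2004
Thu Mar 11 23:15:05 2004 -> Reading databases from /var/lib/clamav
Thu Mar 11 23:15:06 2004 -> Protecting against 40864 viruses.
Thu Mar 11 23:15:06 2004 -> SelfCheck: Database status OK.
"""
CLAMD_RELOAD = """\
Thu Mar 11 05:20:29 2004 -> Reading databases from /usr/local/share/clamav
Thu Mar 11 05:20:33 2004 -> Database correctly reloaded (20432 viruses)
"""

CVD = re.compile(r"^(\w+\.cvd) .*\bsigs: (\d+)")
ENTRY = re.compile(r"^(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) -> (.*)$")
LOADED = re.compile(r"Protecting against (\d+) viruses"
                    r"|Database correctly reloaded \((\d+) viruses\)")


def freshclam_sigs(log):
    """Map each .cvd named in a freshclam log to its latest 'sigs:' count."""
    counts = {}
    for line in log.splitlines():
        m = CVD.match(line)
        if m:
            counts[m.group(1)] = int(m.group(2))
    return counts


def last_load(log):
    """Return (timestamp, kind, count) for the last load event, or None.

    A fresh start logs 'Protecting against N viruses'; only a reload of a
    running daemon logs 'Database correctly reloaded (N viruses)'.
    """
    found = None
    for line in log.splitlines():
        entry = ENTRY.match(line)
        hit = entry and LOADED.search(entry.group(2))
        if hit:
            kind = "startup" if hit.group(1) else "reload"
            found = (entry.group(1), kind, int(hit.group(1) or hit.group(2)))
    return found


def check(freshclam_log, clamd_log):
    """Compare what clamd loaded with the totals freshclam reports."""
    expected = sum(freshclam_sigs(freshclam_log).values())
    load = last_load(clamd_log)
    if load is None:
        return "no load event in clamd log"
    when, kind, count = load
    verdict = "matches" if count == expected else "differs from"
    return "%s at %s: %d signatures, %s freshclam total %d" % (
        kind, when, count, verdict, expected)


if __name__ == "__main__":
    print(check(FRESHCLAM_LOG, CLAMD_RELOAD))
    print(check(FRESHCLAM_LOG, CLAMD_RESTART))
```

On the quoted logs the reload count equals main.cvd plus daily.cvd, while the restart count does not; the script only reports the difference and does not say why.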



[Clamav-users] Virus scanned by clamav.net but updated db missed it

2004-03-11 Thread Karis Matik
Clam Users/Developers:

First of all, I'd like to thank for all your great work with clam AV.
I currently have a mail server with the following specs:
Mandrake 9.2
clamav version 0.66 (installed from mandrake RPM)
spamassassin
amavis
It runs okay, but I found something strange.

Got an email with strange zip attachment. I submit the attachment to clamav.net for 
checking if the database recognizes the virus. The check result is:

File is valid, and was successfully uploaded. clamav scans the file ... 
Clamav-Output:/tmp/phpjPpvQe: Worm.Bagle.Gen-zippwd FOUND
And found something: Worm.Bagle.Gen-zippwd  

Obviously the amavis in my mail server can't pick it up.
I checked the freshclam log, and I found the database has been updated (hourly):

ClamAV update process started at Thu Mar 11 20:01:00 2004
main.cvd is up to date (version: 21, sigs: 20094, f-level: 1, builder: tkojm)
daily.cvd is up to date (version: 176, sigs: 338, f-level: 1, builder: ddm)

As of March 11 2004, my database is recent. But when I do:
less viruses.db
And I looked for Worm.Bagle.Gen-zippwd, I can't get one. I only found: Worm.Bagle.A

The md5sum of my database is: 4e4f1a294d2748ed1ee76b232d2e, which I believe 
up-to-date as of march 11 2004.

Any one can give me a hint what's going on with the update?

Thank you.

Regards,
Karis



Re: [Clamav-users] Using ClamAV with Declude Virus

2004-03-11 Thread Fajar A. Nugraha
Tomasz Kojm wrote:

> BTW: What is "Declude Virus" ?

Something like Amavis which only works on Imail
http://www.declude.com/Virus/index.html




RE: [Clamav-users] Virus aliases

2004-03-11 Thread Paul Walsh
No idea how easy this would be to implement but here goes:

As well as the virus signature databases, how about having an alias
database which would contain a record for each virus, indicating its
ClamAV name along with those used by the more mainstream AV software
like Sophos, McAfee etc. Then have the scanning software (clamd etc.)
accept a commandline switch to indicate your preferred naming. That way,
if you also use Sophos/McAfee/whatever on internal servers you could get
ClamAV to report an infection using the same naming as internally.  Of
course, as the Clam sigs are usually ahead of the rest, the aliases for
a particular virus would all be set to ClamAV's chosen name. Then, as
the other vendors get their signatures out the aliases could be updated
accordingly.

Workable/unworkable/insane idea?

Paul




[Clamav-users] Virus aliases

2004-03-11 Thread Dave Ewart
Hello,

(I am new to the list, but have scanned the archives and have been
unable to find a complete answer to this, although it has been brought
up once or twice ...)

I'd like to be able to see the alias names for detected viruses.  The
clamav-virusdb announcements include aliases, but searching the mail
archives is a rather haphazard way of matching up viruses with different
aliases.

I was originally rather alarmed because, when I first installed ClamAV
last week, I did:

> sigtool --list-sigs | grep -i netsky

and got nothing back!  My initial response was "Whoa!  It's out of date
..."

I use ClamAV and Sophos in series on our mail server and would like to
tie up which viruses are actually the same thing ...

There was a message on the archives from about three weeks ago from
someone who was planning to maintain a web page listing the aliases, so
my questions are:

1. Is this web page live?  If so, what's the address?

2. Can the alias details be extracted from the .cvd files?  If not
currently, is there any way to add this detail?

3. Is searching the archives of clamav-virusdb the only way to find
alias names currently?

Cheers,

Dave.

-- 
Dave Ewart
[EMAIL PROTECTED]
Computing Manager, Epidemiology Unit, Oxford
Cancer Research UK
PGP: CC70 1883 BD92 E665 B840 118B 6E94 2CFD 694D E370





Re: [Clamav-users] Using ClamAV with Declude Virus

2004-03-11 Thread Tomasz Kojm
On Wed, 10 Mar 2004 17:35:57 -0700
"Brad Morgan" <[EMAIL PROTECTED]> wrote:

> > I believe the code that should be changed is in the checkfile( )
> > function in the manager.c file, where there are two references to
> > "%s: %s FOUND\n", which could be changed to "%s: infected with %s\n"
> > or "%s: FOUND%s\n".  That would do the trick.
> >
> >   -Scott
> 
> I can't use the ":" as the delimiter because there's a time stamp at

You can look for the last colon...

> the beginning of the -l output.  Can the change Scott suggested be made
> to the ClamAV source?
> Does it have to have an option added because the old format is being
> parsed by
> other programs?

The output format won't change. Please check the 3-rd party software (on
www.clamav.net) for parsing details.

BTW: What is "Declude Virus" ?

-- 
   oo. Tomasz Kojm <[EMAIL PROTECTED]>
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Thu Mar 11 10:29:40 CET 2004
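
The "last colon" approach from this reply as a small parser; it is an added example, not part of the original message and not code from any third-party tool. The `<path>: <name> FOUND` shape is the format string quoted above; the timestamp prefix (borrowed from the clamd log lines elsewhere in this thread), the paths and the function names are assumptions.

```python
import re

# Constructed sample lines; only the first appears in this thread.
SAMPLE_LINES = [
    "/tmp/phpjPpvQe: Worm.Bagle.Gen-zippwd FOUND",
    "Thu Mar 11 10:29:40 2004 -> /spool/msg.zip: Worm.Bagle.Gen-zippwd FOUND",
    # File name that itself contains ": ".
    "Thu Mar 11 10:29:41 2004 -> /spool/re: hello.eml: WM97.Outblack.A FOUND",
    # Clean file whose name contains " FOUND"; the line still ends in "OK".
    "Thu Mar 11 10:29:42 2004 -> /spool/x: Fake FOUND: OK",
    "Thu Mar 11 10:29:43 2004 -> /spool/clean.txt: OK",
    "Thu Mar 11 10:29:44 2004 -> Reading databases from /var/lib/clamav",
]

# Optional leading timestamp; its own colons must not be used as delimiters.
STAMP = re.compile(r"^\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4} -> ")
SUFFIX = " FOUND"


def parse_found(line):
    """Return (path, signature_name) for a detection line, else None.

    The verdict is read from the end of the line and the name is whatever
    follows the LAST ': ', so colons in the timestamp or in the file name
    cannot shift the fields.
    """
    line = STAMP.sub("", line.rstrip("\r\n"), count=1)
    if not line.endswith(SUFFIX):
        return None
    path, sep, name = line[:-len(SUFFIX)].rpartition(": ")
    if not (sep and path and name):
        return None
    return path, name


def detections(lines):
    """All (path, signature_name) pairs found in an iterable of log lines."""
    return [hit for hit in map(parse_found, lines) if hit]


if __name__ == "__main__":
    for path, name in detections(SAMPLE_LINES):
        print("%-24s %s" % (name, path))
```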





Re: [Clamav-users] freshclam no connect

2004-03-11 Thread Tomasz Kojm
On Wed, 10 Mar 2004 20:33:52 -0600
Chris Lopeman <[EMAIL PROTECTED]> wrote:

> Hi  All,
> 
> I have seen the opposite question posed but not this one.  I get the 
> error about not being able to connect to clamd.  But I am not running 
> clamd.  I don't want to.  I am also not using the  --daemon-notify 
> option.  Yet it appears to always try to notify.  Is there an option
> to make it not notify?  Except for a couple of things I don't
> understand about the product I am quite impressed.
> 
> connect(): Connection refused
> ERROR: Can't connect to clamd.

Which version of clamav ?

-- 
   oo. Tomasz Kojm <[EMAIL PROTECTED]>
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Thu Mar 11 10:22:19 CET 2004




Re: [Clamav-users] password protected zip file

2004-03-11 Thread Tomasz Kojm
On Thu, 11 Mar 2004 12:49:36 +1100
Jonathan Trott <[EMAIL PROTECTED]> wrote:

> At the moment, if you put any virus inside an encrypted zip file, 
> clamav reports that there isn't a virus in there, which is a false 
> negative. Better to report that it couldn't be scanned than there 
> wasn't a virus in there.

No, that's definitely not a false negative. Password protected viruses
are not dangerous (and not interesting to us) as long as they don't
distribute the password. But anyway you should check the
--detect-encrypted option (CVS).

-- 
   oo. Tomasz Kojm <[EMAIL PROTECTED]>
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Thu Mar 11 10:23:45 CET 2004




Re: [Clamav-users] Help with New Install clamav-milter

2004-03-11 Thread Krištof Petr
Ed Kasky wrote:

> #ls -al /var/run/clamav
> drwxr-xr-x2 clamav   clamav   4096 Mar 10 17:52 .
> drwxr-xr-x6 root root 4096 Mar 10 17:57 ..
> srwxr-xr-x1 clamav   clamav  0 Mar 10 17:52 clamav.sock
> -rw-rw1 clamav   clamav  4 Mar 10 17:52 clamd.pid

Looks OK.

> When I start clamd, it loads just fine and I can use clamdscan just 
> fine.  However, running clamav-milter through sendmail results in the 
> following from the maillog: 


Did you start the clamav-milter daemon? If yes, does it open a socket for 
communication with sendmail?
What are the file permissions of this socket?

How did you configure your sendmail.mc?

Petr





Re: [Clamav-users] Help with New Install clamav-milter

2004-03-11 Thread Nigel Horne
On Thursday 11 March 2004 2:21 am, Ed Kasky wrote:

> Mar 10 17:57:11 clam-milter[5623]: recv failed from clamd getting PORT
> Mar 10 17:57:11 Milter: from=<[EMAIL PROTECTED]>, reject=451 4.7.1
> Please try again later
>
> I assume it's rejecting because clamd can't get port?

Is clamd running?

> Ed

-Nigel




Re: [Clamav-users] freshclam no connect

2004-03-11 Thread Krištof Petr
Chris Lopeman wrote:

> Hi  All,
>
> I have seen the opposite question posed but not this one.  I get the 
> error about not being able to connect to clamd.  But I am not running 
> clamd.  I don't want to.  I am also not using the  --daemon-notify 
> option.  Yet it appears to always try to notify.  Is there an option 
> to make it not notify?  Except for a couple of things I don't 
> understand about the product I am quite impressed.
>
> connect(): Connection refused
> ERROR: Can't connect to clamd. 

Set up /etc/freshclam.conf to fit your needs.

Petr


