[Clamav-users] Some questions
Hi,

We're evaluating clamav to use with our mail server. So far I'm very enthusiastic, especially because clamav detects the encrypted zip files and the speed new signatures come available but unfortunately I'm not the only one who decides if we're going to use it anyway we're running:

clamd / ClamAV version 0.67
freshclam / ClamAV version 0.67

We only got two small problems, we let freshclam check every hour for updates and it gets them, the problems with it:

Q1. We have had problems with the databasemirror set as database.clamav.net. we got the errors:

From the log:
ERROR: Malformed CVD header detected.
ERROR: Can't read main.cvd header from database.clamav.net (ourproxy)
Trying again...

After setting it to a real mirror everything went fine. But we prefer to use the database.clamav.net.

Q2. I just read the UpdateDB mail:

Submission: 1890
Sender: Dirk Mueller
Submitted virus name: WM97/Outblack-A
Virus name: WM97.Outblack.A
Virus name alias: IRC-Worm.Blackput (kaspersky)
Note: Latest CVS version of ClamAV is required to detect
Note: the macro viruses.
Added: Yes

Does this mean our version of clamav doesn't detect macro viruses at all? If so what other forms of viruses doesn't it detect?

Thanx for making an awesome program and hopefully one day I can inform you we're going to use it for real.

---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of GenToo technologies. Learn everything from fundamentals to system administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users
Re: [Clamav-users] Virus scanned by clamav.net but updated db missed it
Fajar:
>PS : Has your problem solved yet?

Unfortunately nope. The problem might be relevant to amavisd-new where it incorrectly passes the mail attachment to clamd.

Is there any way to view the content of the vcd file to see if the virus is within the definition.

I posted another thread in regards to amavis patch misses the bagle-F-zippwd. Although the patch is done, still I can't detect the zip protected virus. Needs further investigation.

Thanks for all your help.

-- Karis

- This e-mail was sent using a CentralPets WebMail account
Get yours at: http://mail.centralpets.com
Re: [Clamav-users] Logfile
* Betsy Schwartz <[EMAIL PROTECTED]> [20040311 22:44]: wrote:
> At 12:41 PM 3/11/2004, John Jolet wrote:
> >why not just run logrotate and have done with it?
>
> It would help if clamd took a "kill -HUP" and started a new logfile.
>

I support the original poster. It would be a nice feature if it were done inside clamav itself, as he argued.

cheers
- wash

+--+-+
Odhiambo Washington . WANANCHI ONLINE LTD (Nairobi, KE) |
. 1ere Etage, Loita Hse, Loita St., | GSM: (+254) 722 743 223
. # 10286, 00100 NAIROBI | GSM: (+254) 733 744 121
. (+254) 020 313 985 - 9 |
+-+--+
"Oh My God! They killed init! You Bastards!" --from a /. post
Re: [Clamav-users] --detect-encrypted?
* Fajar A. Nugraha <[EMAIL PROTECTED]> [20040311 19:30]: wrote:
> Odhiambo Washington wrote:
>
> >hehee, I noticed that and added 2 days ago, but just today Tomas
> >(Kojm) wrote to the list with that option again ;)
> >
>
> You mean the one with
> "
>
> But anyway you should check the
> --detect-encrypted option (CVS).
> "
>
> I assume he meant it as an option for clamscan (as stated in ChangeLog)

Thanks for the clarification. I will be more careful to spare time to also read the Changelog, besides what I see being discussed ;(. All along I had thought that it was an option to ./configure.

cheers
- wash

+--+-+
Odhiambo Washington . WANANCHI ONLINE LTD (Nairobi, KE) |
. 1ere Etage, Loita Hse, Loita St., | GSM: (+254) 722 743 223
. # 10286, 00100 NAIROBI | GSM: (+254) 733 744 121
. (+254) 020 313 985 - 9 |
+-+--+
"Oh My God! They killed init! You Bastards!" --from a /. post
Re: [Clamav-users] Patch not work for Amavis to scan Bagle zippwd
On Fri, Mar 12, 2004 at 12:59:17AM +, Karis Matik wrote:
>
> Hi Noel,
> Yes, I've put the MAIL$ line in the amavisd.conf. Still, it missed the Info.zip
> attachment.
> Have you tested with a zipped password protected?
> My initial thinking is (probably) the database isn't read properly. But again,
> during restart of clamd service, I got good indication that 40,000 something kind of
> viruses listed in the database from clamd.log.
>

Yes, mine was and still is detecting the password-protected versions.

You have too many viruses detected, should be something like:

Known viruses: 20447

I would suspect you have old viruses.db and viruses.db2 files lying around, they should be removed. But that probably won't solve your reported problem. Recheck your patch or upgrade to the -p8 version announced yesterday.

--
Noel Jones
Re: [Clamav-users] new to clamAV ...
At 10:04 PM 3/11/2004, kent e. wrote:
> In the step 9 of the above link what does it mean signature? Does it means the file with an extension name of .sig ???
> seems like a success but how to update the virus definition or the db of

The "signature" is the signature of the virus, or the virus definition. I guess we call it a signature because it can be used to identify the virus.

Anyway that's what freshclam is doing, updating the definition database

Betsy Schwartz                       email: [EMAIL PROTECTED]
Unix Systems Administrator, CRG      voice: 617-495-5947
Harvard Graduate School of Design    fax: 617-496-5866
Re: [Clamav-users] Re: Logfile
When you say clamAV works with logrotate, what command are you issuing to get clamav to start using the new file?

What I'm seeing is that it doesn't respond to SIGHUP but has to be killed and restarted to get it to let go of the old filehandle

Betsy Schwartz                       email: [EMAIL PROTECTED]
Unix Systems Administrator, CRG      voice: 617-495-5947
Harvard Graduate School of Design    fax: 617-496-5866
[Clamav-users] new to clamAV ...
I just downloaded the version 0.67 and I followed the step-by-step config in http://linux-sxs.org/administration/clamav.html

In the step 9 of the above link what does it mean signature? Does it means the file with an extension name of .sig ???

seems like a success but how to update the virus definition or the db of the clamAV

I'm doing the install on a redhat9 and on fedora core1

Thanks in Advance
Kent E.
Re: [Clamav-users] Virus aliases
On Thu, 11 Mar 2004, Dave Ewart wrote:
> ClamAV is a fabulous project - wish I could find some way to contribute.

Well, there's always: http://clamav.net/donate.php#pagestart

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]
Re: [Clamav-users] Virus scanned by clamav.net but updated db missed it
Karis Matik wrote:
> What are the *.db* files? What are the *.cvd files? Is the *.db* file just a list which will be compiled into binary file (namely the .cvd files)?

Simply put, the *.cvd is the new format for viruses.db and viruses.db2. As the name implied, main.cvd is the main virus signature database (rarely updated) and daily.cvd is the database which contains most recent virus signatures (frequently updated).

*.cvd does not require *.md5 files to verify database integrity anymore. It is also smaller (less than half in size) compared to *.db. You can test database integrity with `sigtool -i daily.cvd` or `sigtool -i main.cvd`.

If you want to add your own virus definition, you can still do it using the old *.db format, name it anything-you-want.db, and put it in signatures directory. ClamAV will pick it up automatically.

Regards,
Fajar

PS : Has your problem solved yet?
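An added example (not part of any post on this list, and not ClamAV's own code) tying together the .cvd description above and the "Malformed CVD header" error quoted in the "Some questions" post. It assumes the documented CVD layout: a 512-byte, colon-separated ASCII header beginning with ClamAV-VDB, whose MD5 field covers the bytes after the header. All sample data is constructed, and the digital signature field is not verified here; that remains the job of `sigtool -i`.

```python
import hashlib

CVD_HEADER_LEN = 512          # assumption: fixed-size header, space padded
CVD_MAGIC = "ClamAV-VDB"
FIELDS = ("magic", "build_time", "version", "signatures",
          "functionality_level", "md5", "dsig", "builder")


def parse_cvd_header(raw: bytes) -> dict:
    """Parse the header of a .cvd file; raise ValueError if it is malformed."""
    if len(raw) < CVD_HEADER_LEN:
        raise ValueError("short read: %d bytes, need %d" % (len(raw), CVD_HEADER_LEN))
    try:
        text = raw[:CVD_HEADER_LEN].decode("ascii")
    except UnicodeDecodeError:
        raise ValueError("header is not ASCII")
    parts = text.rstrip(" \x00\r\n").split(":")
    if parts[0] != CVD_MAGIC:
        # Typical when a proxy hands back an HTML error page instead of the file.
        raise ValueError("bad magic %r" % parts[0][:20])
    if len(parts) < len(FIELDS):
        raise ValueError("only %d of %d header fields present" % (len(parts), len(FIELDS)))
    head = dict(zip(FIELDS, parts))
    for key in ("version", "signatures", "functionality_level"):
        if not head[key].isdigit():
            raise ValueError("field %s is not numeric" % key)
        head[key] = int(head[key])
    md5 = head["md5"].lower()
    if len(md5) != 32 or any(c not in "0123456789abcdef" for c in md5):
        raise ValueError("md5 field is not 32 hex digits")
    head["md5"] = md5
    return head


def diagnose(blob: bytes) -> str:
    """Return 'ok', 'md5 mismatch' or 'malformed header: <reason>' for a whole file."""
    try:
        head = parse_cvd_header(blob)
    except ValueError as exc:
        return "malformed header: %s" % exc
    body_md5 = hashlib.md5(blob[CVD_HEADER_LEN:]).hexdigest()
    return "ok" if body_md5 == head["md5"] else "md5 mismatch"


def make_sample_cvd(body: bytes, sigs: int) -> bytes:
    """Build a constructed, unsigned stand-in for a .cvd file (test data only)."""
    fields = [CVD_MAGIC, "11 Mar 2004 12-00 +0000", "175", str(sigs), "1",
              hashlib.md5(body).hexdigest(),
              "CONSTRUCTED-PLACEHOLDER-NOT-A-SIGNATURE", "example"]
    return ":".join(fields).encode("ascii").ljust(CVD_HEADER_LEN, b" ") + body


if __name__ == "__main__":
    good = make_sample_cvd(b"constructed database body", 20447)
    proxy_page = b"<html><title>Proxy Error</title></html>".ljust(600, b" ")
    for label, blob in (("good", good), ("truncated", good[:-5]),
                        ("proxy page", proxy_page)):
        print(label, "->", diagnose(blob))
```

A download that a proxy replaced with an error page fails at the magic check, while a truncated transfer passes the header parse and fails the MD5 comparison, which is why the two cases show up differently in the logs.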
Re: [Clamav-users] Patch not work for Amavis to scan Bagle zippwd
>> Got an attachment contain Bagle-F zippwd with the name: Info.zip. When I test the
>> attachment, clam still allows the mail to get through. Anyone has similar problem
>> and solution?
>>
>
>This patch worked fine for me.
>(I've since upgraded to the -p8 release, which also works fine)
>Did you remember to edit amavisd.conf and add MAIL to the
>$keep_decoded_original parameter? That is required to activate
>this feature.
>
> $keep_decoded_original_re = new_RE(
>   qr'^MAIL$',   # retain full original message for virus checking
>   qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
> );
>
>
>--
>Noel Jones
>
>

Hi Noel,

Yes, I've put the MAIL$ line in the amavisd.conf. Still, it missed the Info.zip attachment.

Have you tested with a zipped password protected?

My initial thinking is (probably) the database isn't read properly. But again, during restart of clamd service, I got good indication that 40,000 something kind of viruses listed in the database from clamd.log.

Thank you.

-- Karis
Re: [Clamav-users] Patch not work for Amavis to scan Bagle zippwd
On Thu, Mar 11, 2004 at 10:59:40PM +, Karis Matik wrote:
> This is my installed amavis and clamd:
>
> amavisd-new-0.20030616-10mdk
> clamav-db-0.66-0.20031204.1mdk
> libclamav1-0.66-0.20031204.1mdk
> clamav-0.66-0.20031204.1mdk
> clamdmail-0.15-1mdk
> clamd-0.66-0.20031204.1mdk
>
> I applied the patch from Mark Martinec (reference:
> http://marc.theaimsgroup.com/?l=amavis-user&m=10782706748&w=2)
> -- > --- amavisd~Mon Jan 5 02:00:19 2004 > +++ amavisd Tue Mar 2 22:49:15 2004 > @@ -5307,4 +5307,12 @@ > } > $which_section = "virus_scan"; > + # special case to preserve complete mail file for inspection > + if (lookup('MAIL',$keep_decoded_original_re)) { > + # keep the original email.txt by making a hard link > + # to it in ./parts/ > + link("$tempdir/email.txt", "$tempdir/parts/email.txt") > + or die "Can't create hard link $tempdir/email.txt: $!"; > + do_log(4, "providing full original message to scanners"); > + } > # some virus scanners behave badly if interrupted, > # so for now just turn off the timer > --
>
> Got an attachment contain Bagle-F zippwd with the name: Info.zip. When I test the
> attachment, clam still allows the mail to get through. Anyone has similar problem
> and solution?
>

This patch worked fine for me.
(I've since upgraded to the -p8 release, which also works fine)
Did you remember to edit amavisd.conf and add MAIL to the $keep_decoded_original parameter? That is required to activate this feature.

  $keep_decoded_original_re = new_RE(
    qr'^MAIL$',   # retain full original message for virus checking
    qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
  );

--
Noel Jones
[Clamav-users] Patch not work for Amavis to scan Bagle zippwd
This is my installed amavis and clamd:

amavisd-new-0.20030616-10mdk
clamav-db-0.66-0.20031204.1mdk
libclamav1-0.66-0.20031204.1mdk
clamav-0.66-0.20031204.1mdk
clamdmail-0.15-1mdk
clamd-0.66-0.20031204.1mdk

I applied the patch from Mark Martinec (reference: http://marc.theaimsgroup.com/?l=amavis-user&m=10782706748&w=2)

-- --- amavisd~Mon Jan 5 02:00:19 2004 +++ amavisd Tue Mar 2 22:49:15 2004 @@ -5307,4 +5307,12 @@ } $which_section = "virus_scan"; + # special case to preserve complete mail file for inspection + if (lookup('MAIL',$keep_decoded_original_re)) { + # keep the original email.txt by making a hard link + # to it in ./parts/ + link("$tempdir/email.txt", "$tempdir/parts/email.txt") + or die "Can't create hard link $tempdir/email.txt: $!"; + do_log(4, "providing full original message to scanners"); + } # some virus scanners behave badly if interrupted, # so for now just turn off the timer --

Got an attachment contain Bagle-F zippwd with the name: Info.zip. When I test the attachment, clam still allows the mail to get through. Anyone has similar problem and solution?

Thank you.

Regards,
Karis
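Review bot: in the added block, the "or die" after link("$tempdir/email.txt", "$tempdir/parts/email.txt") makes any failure to create the hard link abort processing of the message, and the error text names only $tempdir/email.txt, not the parts/ target that link() was trying to create. Put both paths in the message, and decide explicitly whether a failed link should be fatal or should be reported through do_log while scanning continues on the decoded parts. The new branch also does nothing unless 'MAIL' matches $keep_decoded_original_re, so the change should ship with a note in the amavisd.conf comments saying that the entry has to be added before scanners see the full original message.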
Re: [Clamav-users] Virus scanned by clamav.net but updated db missed it
Thanks to Fajar and Antoni.

One thing I still don't understand is about the viruses.db or viruses.db2. What are the *.db* files? What are the *.cvd files? Is the *.db* file just a list which will be compiled into binary file (namely the .cvd files)?

Fajar mentioned the virus database used is the .cvd. But the name viruses.db implies its meaning by itself. Confused.

The reason I ask this question because when I checked the log file for clamd, I saw the update is successful. But only .cvd file timestamp changed, not the *.db* file timestamp. Thus, the viruses.db* are not updated.

Sorry for my shallow understanding on clamav.

Cheers,
Karis

>-Original Message-
>From: Fajar A. Nugraha [mailto:[EMAIL PROTECTED]
>Sent: Thursday, March 11, 2004 02:00 PM
>To: [EMAIL PROTECTED]
>Subject: Re: [Clamav-users] Virus scanned by clamav.net but updated db missed it
>
>Karis Matik wrote:
>
>>Thanks for your reply.
>>Several questions:
>>1. which virus database amavis 0.66 uses? viruses.db or viruses.db2 or both?
>>
>Not amavis 0.66. Clamav 0.66.
>Antoni's reply is correct : ClamAV will use any/all files which end in
>.db or .db?
>But since you use 0.66, you don't need to have any *.db*. The default db
>is *.cvd.
>
>See this?
>"
>
>Thu Mar 11 23:15:06 2004 -> Protecting against 40864 viruses.
>
>"
>This is too much. It means clamav is reading the *.cvd and viruses.*.
>Better remove the viruses.*
>since the signatures are the same anyway.
>
>>2. When I do a restart on clamd service, I can't find: Database correctly reloaded
>>message.
>>
>On restart, you should look for "Protecting against xxx viruses".
>However, during clamd runs it will perform self checks periodically and
>reload the database as needed,
>producing the "Database correctly reloaded" message.
>On newer versions, freshclam will also notify clamd to reload if a new
>database version is available, producing
>in freshclam.log entries like
>
>"
>Database updated (20432 signatures) from clamav.antispam.or.id
>(202.134.0.71).
>Clamd successfully notified about the update.
>"
>
>You should remove your viruses.*, restart clamd, and try again.
>If that still don't work, try upgrading to latest stable or CVS snapshot
>(I recommend latest snapshot).
>
>Regards,
>
>Fajar
>
Re: [Clamav-users] Clamdscan hanging when clamd checks/reloads database
On Thu, 2004-03-11 at 20:18, Robert Blayzor wrote:
> I didn't get any responses on this, so I'm trying a repost of this:
>
> Using clamd devel-20040304 on FreeBSD 4.9
>
> On several occasions now we've noticed that when clamd checks and reloads
> the virus database current clamdscan's hang and then time out.
>

Hmm. Do you have a low level of clamd usage?

Could you try the enclosed patch, and let me know if it helps/doesn't help?

Cheers,
-trog

--- clamd/thrmgr.c.orig 2004-03-11 21:34:08.0 + +++ clamd/thrmgr.c 2004-03-11 21:36:28.0 + @@ -174,13 +174,12 @@ timeout.tv_nsec = 0; threadpool->thr_idle++; while (((job_data=work_queue_pop(threadpool->queue)) == NULL) - && (threadpool->state != POOL_EXIT)) { + && !must_exit) { /* Sleep, awaiting wakeup */ retval = pthread_cond_timedwait(&(threadpool->pool_cond), &(threadpool->pool_mutex), &timeout); - if (retval == ETIMEDOUT) { + if ((retval == ETIMEDOUT) || (threadpool->state == POOL_EXIT)) { must_exit = TRUE; - break; } } threadpool->thr_idle--;
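Review bot: in the rewritten while condition, work_queue_pop() is evaluated before !must_exit, so with the break removed a worker that has just set must_exit = TRUE can pop a job on the next pass and leave the loop holding both a job and the exit flag. The code after threadpool->thr_idle-- is not in this hunk; it has to run job_data before honouring must_exit, otherwise that job is silently dropped, so please add a comment here stating that this is the intended order. Separately, POOL_EXIT is now tested only after pthread_cond_timedwait() returns, so a worker that reaches the loop with an empty queue after the pool has already been put in POOL_EXIT waits for a wakeup or a full timeout before it notices; keeping the state test in the loop condition as well as in the if would avoid that.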
[Clamav-users] Re: Logfile
>At 12:41 PM 3/11/2004, John Jolet wrote:
>>why not just run logrotate and have done with it?
>
>It would help if clamd took a "kill -HUP" and started a new logfile.
>
>Betsy Schwartz

Depending on traffic, and logging options selected, this can grow fairly quickly. If log entries are lost, debugging may not be possible, and reporting will be incomplete depending on the amount not logged.

If the program already "knows" it's reached the file size limit, why not just start logging to another file? This can even be limited via configuration option, and -HUP would never be required.

Jorge Valdes
NOC Manager
Intercom El Salvador
[EMAIL PROTECTED]
Tel. 503-278-5068
Tel. 503-265-7070
Fax. 503-265-7025
Re: [Clamav-users] clamav hpux make problems
I tried using gcc, but it still failed during "make". I will try something else.

Jon

On Thu, 2004-03-11 at 14:14, Richard Nairn wrote:
> I have a HPUX 11.00 machine with GCC, I tried to compile the latest
> sendmail with milter, and use the clamav-milter with it. I was never able
> to get the milter library compiled for sendmail, and thus clamav-milter to
> work. Did you have any success with that? My issue is I only have the
> base compiler for it, not an ANSI compiler so I haven't been able to get
> both packages compiled. I switched my mail over to an Alpha machine
> running linux
>
> On Thu, 11 Mar 2004 21:44:17 +0700, Fajar A. Nugraha <[EMAIL PROTECTED]>
> wrote:
>
> > Jon Fraley wrote:
> >
> >> How do I tell it to compile with gcc?
> >>
> > Step 1 : get gcc package for HPUX (if any exist)
> > Step 2 : execute
> >
> > CC=gcc ./configure
> >
> > instead of just ./configure
> >
[Clamav-users] Clamdscan hanging when clamd checks/reloads database
I didn't get any responses on this, so I'm trying a repost of this:

Using clamd devel-20040304 on FreeBSD 4.9

On several occasions now we've noticed that when clamd checks and reloads the virus database current clamdscan's hang and then time out. This causes some real problems on a process that uses clamdscan as it thinks clamd is dead and then just bombs out.

Last messages in the clamd.log are:

Tue Mar 9 19:59:40 2004 -> SelfCheck: Database modification detected. Forcing reload.
Tue Mar 9 19:59:40 2004 -> Reading databases from /usr/local/share/clamav
Tue Mar 9 20:06:54 2004 -> Database correctly reloaded (20426 viruses)
Tue Mar 9 20:06:54 2004 -> /var/tmp/scavs/22217/5/msg-6-2.bin: Worm.SomeFool.Gen-1 FOUND

When checking clamd manually it appears to be running ok... It just whenever a database reload happens at the time either a clamdscan is in progress or one is trying to initiate during a reload, the clamdscan process just hangs...

Any ideas on how to fix this or if more recent devel code has addressed this issue?

--
Robert Blayzor, BOFH
INOC, LLC
[EMAIL PROTECTED]
PGP: http://www.inoc.net/~dev/
Key fingerprint = 1E02 DABE F989 BC03 3DF5 0E93 8D02 9D0B CB1A A7B0

Portable: Survives system reboot.
Re: [Clamav-users] clamav hpux make problems
I have a HPUX 11.00 machine with GCC, I tried to compile the latest sendmail with milter, and use the clamav-milter with it. I was never able to get the milter library compiled for sendmail, and thus clamav-milter to work. Did you have any success with that? My issue is I only have the base compiler for it, not an ANSI compiler so I haven't been able to get both packages compiled. I switched my mail over to an Alpha machine running linux

On Thu, 11 Mar 2004 21:44:17 +0700, Fajar A. Nugraha <[EMAIL PROTECTED]> wrote:
> Jon Fraley wrote:
> > How do I tell it to compile with gcc?
>
> Step 1 : get gcc package for HPUX (if any exist)
> Step 2 : execute
>
> CC=gcc ./configure
>
> instead of just ./configure

--
| Richard Nairn        Specializing in Linux
| Nairn Consulting     Web / Database Solutions
| Calgary, AB
| [EMAIL PROTECTED]
Re: [Clamav-users] Logfile
Betsy Schwartz wrote:
> At 12:41 PM 3/11/2004, John Jolet wrote:
> > why not just run logrotate and have done with it?
>
> It would help if clamd took a "kill -HUP" and started a new logfile.
>
> Betsy Schwartz                       email: [EMAIL PROTECTED]
> Unix Systems Administrator, CRG      voice: 617-495-5947
> Harvard Graduate School of Design    fax: 617-496-5866

hmm, logrotate seems to be working just fine on my fedora box.
Re: [Clamav-users] Virus aliases
On Thu, 11 Mar 2004 07:52:44 -0800 "Mitch (WebCob)" <[EMAIL PROTECTED]> wrote:
> Maybe I spoke too soon... if you guys are already working on this great
> - how will aliases be identified and submissions be processed?
>
> I've heard that the bigger manufacturers often copy the first known
> name - is there a way to get in that peer group?
>
> Will the system handle multiple aliases in the event it occurs?

The idea is to include aliases in a signature and allow clamscan/clamd to print them optionally, eg.

clamscan foo
foo: Worm.SomeFool FOUND

clamscan --aliases foo
foo: Worm.SomeFool W32.Netsky FOUND

--
 oo.     Tomasz Kojm <[EMAIL PROTECTED]>
(\/)\.   http://www.ClamAV.net/gpg/tkojm.gpg
 \..._   0DCA5A08407D5288279DB43454822DC8985A444B
 //\ /\  Thu Mar 11 19:41:13 CET 2004
Re: [Clamav-users] Using ClamAV with Declude Virus
On Thu, 11 Mar 2004 09:18:00 -0700 "Brad Morgan" <[EMAIL PROTECTED]> wrote:
> So as you can see, I'd like Declude to parse the output and capture
> the virus name. Declude support tells me there's a "standard" format
> for the report output and ClamAV doesn't adhere to the "standard".
> AVG, F-Prot, F-Secure, Inoculan, McAfee, and Sophos do. I don't know
> where the "standard" came from yet.

Neither do I.

> If an option were added to clamscan (i.e. --declude) to change the
> output format, could that change be incorporated into the source CVS?

No, it couldn't. The output is extremely simple to parse (because virus names don't contain colons), look at the simple example:

    #include <stdio.h>
    #include <string.h>

    int main(int argc, char **argv)
    {
        /* sample clamscan line whose file name itself contains a colon */
        char *out = "/some/file/with:colon: VIRUS FOUND\n", *pt;

        /* walk back from the end of the line to the last colon */
        for(pt = out + strlen(out) - 1; *pt != ':'; pt--);
        pt += 2;            /* skip the colon and the space after it */
        printf("%s", pt);   /* prints "VIRUS FOUND" */

        return 1;
    }

> It sounds like Scott at Declude knows exactly where to make the change
> and I could probably hack up the
> rest of the necessary patches (it would be my first open source code
> contribution).

Of course you can adapt ClamAV to your needs but those changes won't be incorporated into the main tree.

--
 oo.     Tomasz Kojm <[EMAIL PROTECTED]>
(\/)\.   http://www.ClamAV.net/gpg/tkojm.gpg
 \..._   0DCA5A08407D5288279DB43454822DC8985A444B
 //\ /\  Thu Mar 11 19:28:12 CET 2004
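An added example (not from the message above and not part of ClamAV) that generalizes the same right-to-left split to whole result streams, including clamd.log lines of the kind quoted elsewhere in this thread. The sample lines are constructed from formats shown on this page; the "ERROR" verdict suffix is an assumption about clamscan's error lines.

```python
import re

# clamd.log prefixes each entry with a ctime-style stamp and " -> ".
CLAMD_PREFIX = re.compile(
    r"^[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4} -> ")


def parse_result_line(line):
    """Return {'path', 'status', 'virus'} for a scan result line, else None.

    Virus names never contain a colon, so the LAST ': ' in the line separates
    the path from the verdict even when the path contains colons itself.
    """
    line = CLAMD_PREFIX.sub("", line.rstrip("\r\n"), count=1)
    path, sep, verdict = line.rpartition(": ")
    if not sep or not path:
        return None
    if verdict == "OK":
        return {"path": path, "status": "clean", "virus": None}
    if verdict.endswith(" FOUND"):
        name = verdict[:-len(" FOUND")].strip()
        if name:
            return {"path": path, "status": "infected", "virus": name}
        return None
    if verdict.endswith(" ERROR"):          # assumed error-line suffix
        return {"path": path, "status": "error", "virus": None}
    return None                             # summary or log chatter


def infected(lines):
    """Return [(path, virus_name), ...] for every FOUND line in the input."""
    hits = []
    for line in lines:
        result = parse_result_line(line)
        if result and result["status"] == "infected":
            hits.append((result["path"], result["virus"]))
    return hits


# Constructed sample input in the formats quoted in this thread.
SAMPLE = [
    "/some/file/with:colon: Worm.SomeFool FOUND\n",
    "/tmp/re: hello.eml: OK\n",
    "Tue Mar 9 19:59:40 2004 -> SelfCheck: Database modification detected. Forcing reload.\n",
    "Tue Mar 9 20:06:54 2004 -> Database correctly reloaded (20426 viruses)\n",
    "Tue Mar 9 20:06:54 2004 -> /var/tmp/scavs/22217/5/msg-6-2.bin: Worm.SomeFool.Gen-1 FOUND\n",
    "Known viruses: 20447\n",
]

if __name__ == "__main__":
    for path, virus in infected(SAMPLE):
        print("%s\t%s" % (virus, path))
```

A wrapper for a third-party product can call `infected()` on the scanner's output and print the names in whatever layout that product expects, leaving the scanner's own format alone.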
Re: [Clamav-users] Logfile
On Thu, 11 Mar 2004 10:57:43 -0600 Jorge Valdes <[EMAIL PROTECTED]> wrote:
> Hi,
> I am very happy with clamav, and would like everyone's opinion to the
> following feature request:
>
> clamd logs to a file and you can control the size, but when this limit
> is reached, logging stops. When this happens, an entry in the file
> says it has reached the file size limit. Since the program realize
> this, wouldn't it be better to rename the logfile automatically by
> just adding an extention (like logrotate) and create a new file?

The latest snapshots work properly with logrotate.

--
 oo.     Tomasz Kojm <[EMAIL PROTECTED]>
(\/)\.   http://www.ClamAV.net/gpg/tkojm.gpg
 \..._   0DCA5A08407D5288279DB43454822DC8985A444B
 //\ /\  Thu Mar 11 19:03:49 CET 2004
Re: [Clamav-users] Logfile
At 12:41 PM 3/11/2004, John Jolet wrote:
> why not just run logrotate and have done with it?

It would help if clamd took a "kill -HUP" and started a new logfile.

Betsy Schwartz                       email: [EMAIL PROTECTED]
Unix Systems Administrator, CRG      voice: 617-495-5947
Harvard Graduate School of Design    fax: 617-496-5866
Re: [Clamav-users] Help with New Install clamav-milter
Ed Kasky wrote:
> In what instance would one enable the following?
>
> # TCP port address.
> #TCPSocket 3310

When you have windows clients for example.

Petr
Re: [Clamav-users] Logfile
Jorge Valdes wrote:
> Hi,
> I am very happy with clamav, and would like everyone's opinion to the following feature request:
>
> clamd logs to a file and you can control the size, but when this limit is reached, logging stops. When this happens, an entry in the file says it has reached the file size limit. Since the program realize this, wouldn't it be better to rename the logfile automatically by just adding an extention (like logrotate) and create a new file?
>
> Jorge Valdes
> NOC Manager
> Intercom El Salvador
> [EMAIL PROTECTED]
> Tel. 503-278-5068
> Tel. 503-265-7070
> Fax. 503-265-7025

why not just run logrotate and have done with it?
Re: [Clamav-users] Help with New Install clamav-milter
At 06:20 AM Thursday, 3/11/2004, Kritof Petr wrote -=>

> > Is this the correct switch to use when loading the daemon?
> > local:/var/run/clamav/clamav.sock
> > (This is also set in clamav.conf)
>
> Beware! In /etc/clamav.conf you are setting socket for communication between clamd <-> clamav-milter, which is different from socket for sendmail <-> clamav-milter.

That fixed it! Here's what I have now -

- in /etc/clamav.conf:
    LocalSocket /var/run/clamav/clamd.sock
- in startup for clamav-milter:
    local:/var/run/clamav/clamavmr.sock
- in sendmail.mc:
    INPUT_MAIL_FILTER(`clamav', `S=local:/var/run/clamav/clamavmr.sock, F=S, T=S:4m;R:4m;E:10m')dnl
    define(`confINPUT_MAIL_FILTERS', `clamavmr')dnl

In what instance would one enable the following?

    # TCP port address.
    #TCPSocket 3310

Thanks a lot for the help in this.

Ed

. . . . . . . .
Living in the now is a gift. That's why they call it the present.
Re: [Clamav-users] Using ClamAV with Declude Virus
> On Thursday 11 March 2004 4:18 pm, Brad Morgan wrote:
>
> > > The output format won't change. Please check the 3-rd party software (on www.clamav.net) for parsing details.
> >
> > Sorry to hear that the output format is frozen in time.
>
> There are too many existing packages which call ClamAV and expect to be able to understand the result which comes back. There's no reason you can't write a simple perl script (perhaps awk would do it?) to call ClamAV, rearrange the output as you want, and return the new format to your application.
>
> > Declude Virus is one product (http://www.declude.com) produced by Computerized Horizons that interfaces with Imail (http://www.ipswitch.com), a popular (non-exchange) email server for Windows.
>
> ClamAV is (mainly) used on Unix systems - mostly Linux & BSD, therefore integration with a Windows mail server seems a minority interest.

ClamAV already works great using Windows. Our product interfaces with it without any problems whatsoever. That's part of the calling program's responsibility. For what Scott charges, he should make the changes to his program if he wants to support ClamAV fully.

> > Declude Virus provides the interface hook into the SMTP server, handles mime decoding etc., and then uses your choice of command line virus scanner(s) to do the actual virus check. If a virus is detected, Declude virus then provides the usual options for dealing with the email.
>
> ClamAV has been made to work under Windows using the Cygwin environment - nothing to stop you rewriting the output as described above (or even modifying the source to produce a different format given a command-line option to be "Declude-compatible"?).

No rewriting/modifying ClamAV is required. The calling application just needs to know how to parse the results.

> > If an option were added to clamscan (i.e. --declude) to change the output format, could that change be incorporated into the source CVS? It sounds like Scott at Declude knows exactly where to make the change and I could probably hack up the rest of the necessary patches (it would be my first open source code contribution).
>
> Sounds like an excellent idea (but I'm not on the development team). Since ClamAV is GPL, however, you're free to do any hacks you like; the only question is whether they get "officially" adopted or not.

Regards,
David Gregg
dgSoft Internet Services
+1.949.584-1514
---
mxGuard for IMail
Server based spam and virus protection for under $100
Request a free trial at http://www.mxGuard.com/postmaster
[Clamav-users] Logfile
Hi, I am very happy with clamav, and would like everyone's opinion to the following feature request: clamd logs to a file and you can control the size, but when this limit is reached, logging stops. When this happens, an entry in the file says it has reached the file size limit. Since the program realizes this, wouldn't it be better to rename the logfile automatically by just adding an extension (like logrotate) and create a new file?

Jorge Valdes
NOC Manager
Intercom El Salvador
[EMAIL PROTECTED]
Tel. 503-278-5068
Tel. 503-265-7070
Fax. 503-265-7025
Re: [Clamav-users] SomeFool.Gen-1
On Thursday 11 March 2004 4:40 pm, [EMAIL PROTECTED] wrote:

> What virus is Worm.SomeFool.Gen-1? Is it a Netsky virus?

Yes, but there isn't a one-to-one correspondence between what the different A-V vendors are picking up from different binaries:

    ClamAV: all_document.pif contains Worm.SomeFool.Gen-1
    AntiVir: ALERT: [Worm/Netsky.D.Dam worm] all_document.pif
    F-Prot: all_document.pif Infection: W32/[EMAIL PROTECTED]
    Inoculan: [all_document.pif] was infected by virus [Win32/Netsky.D.Worm]
    Kaspersky: all_document.pif infected: I-Worm.NetSky.d
    McAfee: all_document.pif Found the W32/[EMAIL PROTECTED] virus !!!

also:

    ClamAV: object_story.zip contains Worm.SomeFool.Gen-1
    AntiVir: ALERT: [Worm/NetSky.C worm] object_story.zip
    F-Prot: object_story.zip->object_story.htm.com Infection: W32/[EMAIL PROTECTED]
    Inoculan: [object_story.zip:object_story.htm.com] was infected by virus [Win32/Netsky.C.Worm]
    McAfee: object_story.zip Found the W32/[EMAIL PROTECTED] virus !!!

Regards,
Antony.

--
The idea that Bill Gates appeared like a knight in shining armour to lead all customers out of a mire of technological chaos neatly ignores the fact that it was he who, by peddling second-rate technology, led them into it in the first place.
- Douglas Adams in The Guardian, 25th August 1995

Please reply to the list; please don't CC me.
[Clamav-users] SomeFool.Gen-1
What virus is Worm.SomeFool.Gen-1? Is it a Netsky virus?

Jim
Re: [Clamav-users] Using ClamAV with Declude Virus
On Thursday 11 March 2004 4:18 pm, Brad Morgan wrote:

> > The output format won't change. Please check the 3-rd party software (on www.clamav.net) for parsing details.
>
> Sorry to hear that the output format is frozen in time.

There are too many existing packages which call ClamAV and expect to be able to understand the result which comes back. There's no reason you can't write a simple perl script (perhaps awk would do it?) to call ClamAV, rearrange the output as you want, and return the new format to your application.

> Declude Virus is one product (http://www.declude.com) produced by Computerized Horizons that interfaces with Imail (http://www.ipswitch.com), a popular (non-exchange) email server for Windows.

ClamAV is (mainly) used on Unix systems - mostly Linux & BSD, therefore integration with a Windows mail server seems a minority interest.

> Declude Virus provides the interface hook into the SMTP server, handles mime decoding etc., and then uses your choice of command line virus scanner(s) to do the actual virus check. If a virus is detected, Declude virus then provides the usual options for dealing with the email.

ClamAV has been made to work under Windows using the Cygwin environment - nothing to stop you rewriting the output as described above (or even modifying the source to produce a different format given a command-line option to be "Declude-compatible"?).

> If an option were added to clamscan (i.e. --declude) to change the output format, could that change be incorporated into the source CVS? It sounds like Scott at Declude knows exactly where to make the change and I could probably hack up the rest of the necessary patches (it would be my first open source code contribution).

Sounds like an excellent idea (but I'm not on the development team). Since ClamAV is GPL, however, you're free to do any hacks you like; the only question is whether they get "officially" adopted or not.

Regards,
Antony

--
You can spend the whole of your life trying to be popular, but at the end of the day the size of the crowd at your funeral will be largely dictated by the weather.
- Frank Skinner

Please reply to the list; please don't CC me.
RE: [Clamav-users] Using ClamAV with Declude Virus
> > You can look for the last colon...
> > the beginning of the -l output. Can the change Scott suggested be made to the ClamAV source?
> > Does it have to have an option added because the old format is being parsed by other programs?
>
> The output format won't change. Please check the 3-rd party software (on www.clamav.net) for parsing details.
>
> BTW: What is "Declude Virus" ?

Sorry to hear that the output format is frozen in time.

Declude Virus is one product (http://www.declude.com) produced by Computerized Horizons that interfaces with Imail (http://www.ipswitch.com), a popular (non-exchange) email server for Windows.

Declude Virus provides the interface hook into the SMTP server, handles mime decoding etc., and then uses your choice of command line virus scanner(s) to do the actual virus check. If a virus is detected, Declude virus then provides the usual options for dealing with the email.

One of its options is to parse the virus scan output for the name of the virus that was found and present it as an "environment type" variable for reporting in logs and in (optional) generated emails to the intended recipient, sender, local and remote postmasters, etc.

A feature just recently added is the ability to check the virus name against a database of viruses that are known to forge the from address. If found in this database, then the from address is replaced by [forged] and can be used to limit who gets notified about the infected email.

So as you can see, I'd like Declude to parse the output and capture the virus name. Declude support tells me there's a "standard" format for the report output and ClamAV doesn't adhere to the "standard". AVG, F-Prot, F-Secure, Inoculan, McAfee, and Sophos do. I don't know where the "standard" came from yet.

If an option were added to clamscan (i.e. --declude) to change the output format, could that change be incorporated into the source CVS? It sounds like Scott at Declude knows exactly where to make the change and I could probably hack up the rest of the necessary patches (it would be my first open source code contribution).

Regards,
Brad Morgan
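Added example, not part of the thread and not ClamAV or Declude code: a wrapper of the kind suggested in this thread, which splits each clamscan report line at the last colon and re-emits detections in another layout. It assumes clamscan's "<path>: <name> FOUND" and "<path>: OK" report lines; the output template, the paths and the unrecognised sample line are constructed for illustration.

```python
"""Parse clamscan's per-file report and re-emit it in another layout."""
import sys
from typing import List, NamedTuple, Optional, Tuple


class Result(NamedTuple):
    path: str
    status: str      # "FOUND" or "OK"
    signature: str   # signature name for FOUND, "" for OK


# Constructed sample report. The signature names are ones mentioned on this
# page; the paths, the ERROR line and the summary figures are made up.
SAMPLE = """\
/var/spool/scan/all_document.pif: Worm.SomeFool.Gen-1 FOUND
C:/IMail/spool/D1234.SMD: OK
/var/spool/scan/report: final.zip: Worm.Bagle.Gen-zippwd FOUND
/var/spool/scan/locked.bin: Access denied ERROR

----------- SCAN SUMMARY -----------
Known viruses: 20432
Infected files: 2
"""


def parse_line(line: str) -> Optional[Result]:
    """Split at the LAST ': ' so that colons inside the path survive."""
    path, sep, verdict = line.rstrip("\r\n").rpartition(": ")
    if not sep or not path:
        return None
    if verdict == "OK":
        return Result(path, "OK", "")
    if verdict.endswith(" FOUND"):
        name = verdict[: -len(" FOUND")].strip()
        # Signature names contain no spaces; anything else is not a verdict.
        if name and " " not in name:
            return Result(path, "FOUND", name)
    return None


def parse_report(text: str) -> Tuple[List[Result], List[str]]:
    """Return (parsed results, lines that were not understood)."""
    results: List[Result] = []
    unparsed: List[str] = []
    for line in text.splitlines():
        if line.startswith("---") and "SCAN SUMMARY" in line:
            break                      # statistics follow, not file verdicts
        if not line.strip():
            continue
        parsed = parse_line(line)
        if parsed is None:
            unparsed.append(line)
        else:
            results.append(parsed)
    return results, unparsed


def reformat(results: List[Result],
             template: str = "{path}\tinfected by [{signature}]") -> List[str]:
    """Render detections in the caller's layout (hypothetical template)."""
    return [template.format(path=r.path, signature=r.signature)
            for r in results if r.status == "FOUND"]


def overall(results: List[Result], unparsed: List[str]) -> str:
    """Fail closed: a line we could not read is never reported as clean."""
    if any(r.status == "FOUND" for r in results):
        return "infected"
    if unparsed:
        return "error"
    return "clean"


if __name__ == "__main__":
    report = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    found, odd = parse_report(report)
    print("\n".join(reformat(found)))
    print("verdict:", overall(found, odd))
```

The mail gateway should act on the value of overall() rather than on the absence of reformatted lines, so that an unreadable report holds the message instead of passing it.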
Re: [Clamav-users] ifupdown error
Odhiambo Washington wrote:

> * Rick Weinbender <[EMAIL PROTECTED]> [20040311 05:11]: wrote:
> > After installing clamav I get the following errors on boot.
> >
> > Configuring network interfaces: run-parts: failed to exec /etc/network/if-up.d/clamav-freshclam-ifupdown: Permission Denied
> > run-parts: /etc/network/if-up.d/clamav-freshclam-ifupdown exited with return code 1
> >
> > this error repeats twice.
> > any ideas what might cause this?
>
> First guess:
> chmod 755 /etc/network/if-up.d/clamav*
> Else check the permissions.
> cheers
> - wash

***
Thanks! That seemed to do it.
-Rick
RE: [Clamav-users] Virus aliases
> -Original Message-
> From: Tomasz Kojm
>
> On Thu, 11 Mar 2004 10:15:50 + Dave Ewart <[EMAIL PROTECTED]> wrote:
>
> > 2. Can the alias details be extracted from the .cvd files? If not currently, is there any way to add this detail?
>
> Virus aliases will be supported in signatures in the near future.

Maybe I spoke too soon... if you guys are already working on this great - how will aliases be identified and submissions be processed? I've heard that the bigger manufacturers often copy the first known name - is there a way to get in that peer group? Will the system handle multiple aliases in the event it occurs? Will the system identify the "owner" of the alias (like norton / sophos / etc.)

Thanks!
m/
Re: [Clamav-users] --detect-encrypted?
Odhiambo Washington wrote:

> hehee, I noticed that and added 2 days ago, but just today Tomas (Kojm) wrote to the list with that option again ;)

You mean the one with

" But anyway you should check the --detect-encrypted option (CVS). "

I assume he meant it as an option for clamscan (as stated in ChangeLog)

Regards,
Fajar
RE: [Clamav-users] Virus aliases
> No idea how easy this would be to implement but here goes:
>
> As well as the virus signature databases, how about having an alias database which would contain a record for each virus, indicating its ClamAV name along with those used by the more mainstream AV software like Sophos, McAfee etc. Then have the scanning software (clamd etc.) accept a commandline switch to indicate your preferred naming. That way, if you also use Sophos/McAfee/whatever on internal servers you could get ClamAV to report an infection using the same naming as internally. Of course, as the Clam sigs are usually ahead of the rest, the aliases for a particular virus would all be set to ClamAV's chosen name. Then, as the other vendors get their signatures out the aliases could be updated accordingly.
>
> Workable/unworkable/insane idea?
>
> Paul

I like it! Should be quite simple to implement and very workable - depending on the will of the powers that be to maintain...

A little more complex idea would be to create a collaborative maintenance system allowing the users to update and complete the information - a simple voting system could accept multiple submissions from confirmed contributors as validation...

With such a database (downloadable like freshclam currently maintains regular virus db) we could issue warnings that make more sense to users of bigger name commercial products, and even generate links to their educational content on the virii...

The feeling I get is that clam detects the virus - generates the sig and done... Norton, etc. decode it and see what it does and then publish the info - when the link between the clam virus and the norton name is made (for example) a link to that content would let the clam user know what they found and what potential damage it could or might have already caused.

The developers of clam already have probably got their plates full with clam issues... I could (as I imagine many others) consider building and hosting something like this if there was enough support for it - thoughts?

Thanks!
m/
[Clamav-users] ClamAV via ScanMail
Just a quick thank you to all of you who help with clamav! I use clamav on my mailserver via MailScanner. (I'm using MailScanner with F-Secure and ClamAV) Several times ClamAV is the only antivirus that will see viruses via email. KEEP UP THE GOOD WORK!
Re: [Clamav-users] --detect-encrypted?
* Fajar A. Nugraha <[EMAIL PROTECTED]> [20040311 17:49]: wrote:
> Odhiambo Washington wrote:
>
> >Since this option was mentioned, I have checked out the cvs version but ./configure refuses to accept that option.
> >Even from a cvs checkout I did today ;)
>
> It's not ./configure option. It's clamscan option.
> With clamd, it's
>
> ArchiveDetectEncrypted
>
> in clamav.conf.

hehee, I noticed that and added 2 days ago, but just today Tomas (Kojm) wrote to the list with that option again ;)

cheers
- wash

Odhiambo Washington, WANANCHI ONLINE LTD (Nairobi, KE)
1ere Etage, Loita Hse, Loita St., # 10286, 00100 NAIROBI
GSM: (+254) 722 743 223
GSM: (+254) 733 744 121
(+254) 020 313 985 - 9

"Oh My God! They killed init! You Bastards!" --from a /. post
Re: [Clamav-users] clamav hpux make problems
Jon Fraley wrote:

> How do I tell it to compile with gcc?

Step 1 : get gcc package for HPUX (if any exist)
Step 2 : execute

    CC=gcc ./configure

instead of just ./configure
Re: [Clamav-users] Help with New Install clamav-milter
On Thu, 11 Mar 2004, Nigel Horne wrote:

> > Mar 10 17:57:11 clam-milter[5623]: recv failed from clamd getting PORT
> > Mar 10 17:57:11 Milter: from=<[EMAIL PROTECTED]>, reject=451 4.7.1 Please try again later
> >
> > I assume it's rejecting because clamd can't get port?
>
> Is clamd running?

    $ ps -U clamav
      PID TTY          TIME CMD
     1575 ?        00:00:00 clamd
     1578 ?        00:00:00 clamd
     1579 ?        00:00:00 clamd
     1602 ?        00:00:00 clamav-milter
     1605 ?        00:00:00 clamav-milter
     1606 ?        00:00:00 clamav-milter

The log files do not indicate that either has died...

Ed

Randomly generated quote:
The large print giveth, and the small print taketh away. -Tom Waits
Re: [Clamav-users] Help with New Install clamav-milter
On Thu, 11 Mar 2004, Kritof Petr wrote:

> > When I start clamd, it loads just fine and I can use clamdscan just fine. However, running clamav-milter through sendmail results in the following from the maillog:
>
> Did you start clamav-milter daemon? If yes, does it open socket for communication with sendmail?
> What are the file permissions of this socket?
>
> How did you configure your sendmail.mc?

    $ ps -U clamav
      PID TTY          TIME CMD
     1575 ?        00:00:00 clamd
     1578 ?        00:00:00 clamd
     1579 ?        00:00:00 clamd
     1602 ?        00:00:00 clamav-milter
     1605 ?        00:00:00 clamav-milter
     1606 ?        00:00:00 clamav-milter

Is this the correct switch to use when loading the daemon?

    local:/var/run/clamav/clamav.sock

(This is also set in clamav.conf)

If it is:

    srwxr-xr-x 1 clamav clamav 0 Mar 10 23:13 /var/run/clamav/clamav.sock

    INPUT_MAIL_FILTER(`clamav', `S=local:/var/run/clamav/clamav.sock, T=S:4m;R:4m')dnl
    define(`confINPUT_MAIL_FILTERS', `clamav')dnl

Ed

Randomly generated quote:
There is so much good in the worst of us and so much bad in the best of us that it ill behooves us to find fault with the rest of us. -Mom
Re: [Clamav-users] --detect-encrypted?
Odhiambo Washington wrote:

> Since this option was mentioned, I have checked out the cvs version but ./configure refuses to accept that option.
> Even from a cvs checkout I did today ;)

It's not ./configure option. It's clamscan option.
With clamd, it's

    ArchiveDetectEncrypted

in clamav.conf.

Regards,
Fajar
Re: [Clamav-users] Virus scanned by clamav.net but updated db missed it
Karis Matik wrote:

> Thanks for your reply.
> Several questions:
> 1. which virus database amavis 0.66 uses? viruses.db or viruses.db2 or both?

Not amavis 0.66. Clamav 0.66. Antony's reply is correct:

    ClamAV will use any/all files which end in .db or .db?

But since you use 0.66, you don't need to have any *.db*. The default db is *.cvd. See this?

    Thu Mar 11 23:15:06 2004 -> Protecting against 40864 viruses.

This is too much. It means clamav is reading the *.cvd and viruses.*. Better remove the viruses.* since the signatures are the same anyway.

> 2. When I do a restart on clamd service, I can't find: Database correctly reloaded message.

On restart, you should look for "Protecting against xxx viruses". However, during clamd runs it will perform self checks periodically and reload the database as needed, producing the "Database correctly reloaded" message. On newer versions, freshclam will also notify clamd to reload if a new database version is available, producing in freshclam.log entries like

    Database updated (20432 signatures) from clamav.antispam.or.id (202.134.0.71).
    Clamd successfully notified about the update.

You should remove your viruses.*, restart clamd, and try again. If that still doesn't work, try upgrading to latest stable or CVS snapshot (I recommend latest snapshot).

Regards,
Fajar
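Added example, not part of the thread and not ClamAV code: the check described in the reply above, comparing the signature count clamd logged at its last load with the count freshclam reported, and naming old-format viruses.db* files sitting next to the .cvd set. The log lines are the ones quoted in this thread; the directory listing is constructed, and treating the two counts as directly comparable is an assumption taken from the figures in the thread.

```python
"""Check which signature set clamd actually loaded."""
import re
from fnmatch import fnmatch

# clamd.log and freshclam.log lines as quoted in the thread.
CLAMD_LOG = """\
Thu Mar 11 23:15:05 2004 -> +++ Started at Thu Mar 11 23:15:05 2004
Thu Mar 11 23:15:05 2004 -> Reading databases from /var/lib/clamav
Thu Mar 11 23:15:06 2004 -> Protecting against 40864 viruses.
Thu Mar 11 23:15:06 2004 -> SelfCheck: Database status OK.
"""
RELOADED_LOG = """\
Thu Mar 11 05:20:29 2004 -> Reading databases from /usr/local/share/clamav
Thu Mar 11 05:20:33 2004 -> Database correctly reloaded (20432 viruses)
"""
FRESHCLAM_LOG = """\
Database updated (20432 signatures) from clamav.antispam.or.id (202.134.0.71).
Clamd successfully notified about the update.
"""
# Constructed listing of the database directory.
DB_FILES = ["main.cvd", "daily.cvd", "viruses.db", "viruses.db2"]

LINE = re.compile(r"^(?P<ts>.+?) -> (?P<msg>.*)$")
LOADS = (
    ("start", re.compile(r"Protecting against (\d+) viruses")),
    ("reload", re.compile(r"Database correctly reloaded \((\d+) viruses\)")),
)
UPDATED = re.compile(r"Database updated \((\d+) signatures\)")


def load_events(clamd_log):
    """Return (timestamp, 'start'|'reload', count) for every database load."""
    events = []
    for raw in clamd_log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        for kind, pattern in LOADS:
            hit = pattern.search(m.group("msg"))
            if hit:
                events.append((m.group("ts"), kind, int(hit.group(1))))
    return events


def published_count(freshclam_log):
    """Signature count of the most recent freshclam update, or None."""
    counts = UPDATED.findall(freshclam_log)
    return int(counts[-1]) if counts else None


def diagnose(clamd_log, freshclam_log, db_files):
    """List discrepancies between what was published and what clamd loaded."""
    events = load_events(clamd_log)
    if not events:
        return ["clamd log records no database load; scanning state unknown"]
    ts, kind, loaded = events[-1]
    published = published_count(freshclam_log)
    findings = []
    if published is None:
        findings.append("no freshclam update line to compare against")
    elif loaded > published:
        findings.append(f"{ts}: clamd loaded {loaded} signatures ({kind}), "
                        f"freshclam published {published}")
        has_cvd = any(fnmatch(name, "*.cvd") for name in db_files)
        legacy = sorted(n for n in db_files if fnmatch(n, "viruses.db*"))
        if has_cvd and legacy:
            findings.append("old-format files loaded next to the .cvd set: "
                            + ", ".join(legacy))
    elif loaded < published:
        findings.append(f"{ts}: clamd still has {loaded} signatures, "
                        f"freshclam published {published}; reload pending")
    return findings


if __name__ == "__main__":
    for finding in diagnose(CLAMD_LOG, FRESHCLAM_LOG, DB_FILES):
        print(finding)
```

Only viruses.db* is flagged; a locally maintained file such as mysigs.db is left alone because it is meant to be loaded alongside the main databases.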
Re: [Clamav-users] clamav hpux make problems
On Wed, 2004-03-10 at 22:15, Fajar A. Nugraha wrote:
> Jon Fraley wrote:
>
> >I am installing clamav-0.67 on HPUX-11.0. After ironing out issues with ./configure, I now have a problem with make. After running a while I get the following: Any ideas on solving this?
> >
> >/zzip-zip.c' || echo './'`zziplib/zzip-zip.c
> >rm -f .libs/zzip-zip.lo
> >cc -DHAVE_CONFIG_H -I. -I. -I.. -I.. -I./zziplib -g -c zziplib/zzip-zip.c -Wp,-M.deps/zzip-zip.TPlo +Z -DPIC -o .libs/zzip-zip.lo
> >cpp: "./zziplib/zzip-file.h", line 29: warning 2013: Unknown preprocessing directive.
>
> Have you tried gcc yet?
> Or try recent CVS snapshot (http://www.clamav.net/snapshot/clamav-devel-latest.tar.gz).
> It compiles OK with cc on DEC OSF (meaning that particular snapshot don't need gcc).
> I haven't tested clamav-0.67 though; I only test daily snapshots.
>
> Regards,
>
> Fajar

How do I tell it to compile with gcc?

Jon
Re: [Clamav-users] Virus aliases
On Thursday, 11.03.2004 at 13:52 +0100, Tomasz Kojm wrote:

> On Thu, 11 Mar 2004 10:15:50 + Dave Ewart <[EMAIL PROTECTED]> wrote:
>
> > 2. Can the alias details be extracted from the .cvd files? If not currently, is there any way to add this detail?
>
> Virus aliases will be supported in signatures in the near future.

Excellent news!

ClamAV is a fabulous project - wish I could find some way to contribute. At the moment, all I'm managing is word-of-mouth praise etc.

Cheers,
Dave.

--
Dave Ewart
[EMAIL PROTECTED]
Computing Manager, Epidemiology Unit, Oxford
Cancer Research UK
PGP: CC70 1883 BD92 E665 B840 118B 6E94 2CFD 694D E370
[Clamav-users] --detect-encrypted?
Since this option was mentioned, I have checked out the cvs version but ./configure refuses to accept that option.
Even from a cvs checkout I did today ;)

cheers
- wash

Odhiambo Washington, WANANCHI ONLINE LTD (Nairobi, KE)
1ere Etage, Loita Hse, Loita St., # 10286, 00100 NAIROBI
GSM: (+254) 722 743 223
GSM: (+254) 733 744 121
(+254) 020 313 985 - 9

"Oh My God! They killed init! You Bastards!" --from a /. post
Re: [Clamav-users] Virus scanned by clamav.net but updated db missed it
On Thursday 11 March 2004 12:47 pm, Karis Matik wrote:

> Thanks for your reply.
> Several questions:
> 1. which virus database amavis 0.66 uses? viruses.db or viruses.db2 or both?

Both. In fact ClamAV will use any/all files which end in .db or .db? (wildcard) in the appropriate directory.

You can thus easily add your own signatures (if you want to) just by putting them in your own file called something like mysigs.db, and those will get used alongside the main database files, without being overwritten when there's an update.

Regards,
Antony.

--
Never write it in Perl if you can do it in Awk.
Never do it in Awk if sed can handle it.
Never use sed when tr can do the job.
Never invoke tr when cat is sufficient.
Avoid using cat whenever possible.

Please reply to the list; please don't CC me.
Re: [Clamav-users] Virus aliases
On Thu, 11 Mar 2004 10:15:50 + Dave Ewart <[EMAIL PROTECTED]> wrote:

> 2. Can the alias details be extracted from the .cvd files? If not currently, is there any way to add this detail?

Virus aliases will be supported in signatures in the near future.

--
oo. Tomasz Kojm <[EMAIL PROTECTED]>
(\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
\..._ 0DCA5A08407D5288279DB43454822DC8985A444B
//\ /\ Thu Mar 11 13:51:55 CET 2004
Re: [Clamav-users] Using ClamAV with Declude Virus
On Thu, 11 Mar 2004 17:38:43 +0700 "Fajar A. Nugraha" <[EMAIL PROTECTED]> wrote:

> Tomasz Kojm wrote:
>
> >BTW: What is "Declude Virus" ?
>
> Something like Amavis which only works on Imail
> http://www.declude.com/Virus/index.html

It's very expensive...

--
oo. Tomasz Kojm <[EMAIL PROTECTED]>
(\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
\..._ 0DCA5A08407D5288279DB43454822DC8985A444B
//\ /\ Thu Mar 11 13:53:05 CET 2004
Re: [Clamav-users] Virus scanned by clamav.net but updated db missed it
Thanks for your reply. Several questions:

1. Which virus database does amavis 0.66 use? viruses.db or viruses.db2 or both?

2. When I do a restart on the clamd service, I can't find the "Database correctly reloaded" message.

Thu Mar 11 23:11:01 2004 -> Signal 15 caught -> exiting.
Thu Mar 11 23:11:01 2004 -> Freeing trie structure.
Thu Mar 11 23:11:01 2004 -> Shutting down the main socket.
Thu Mar 11 23:11:01 2004 -> Closing the main socket.
Thu Mar 11 23:11:01 2004 -> Socket file removed.
Thu Mar 11 23:11:01 2004 -> Pid file removed.
Thu Mar 11 23:11:01 2004 -> Freeing stat structure.
Thu Mar 11 23:11:01 2004 -> Exit level 2, ThreadWatcher termination.
Thu Mar 11 23:11:01 2004 -> --- Stopped at Thu Mar 11 23:11:01 2004
Thu Mar 11 23:15:05 2004 -> +++ Started at Thu Mar 11 23:15:05 2004
Thu Mar 11 23:15:05 2004 -> Log file size limited to 2097152 bytes.
Thu Mar 11 23:15:05 2004 -> Verbose logging activated.
Thu Mar 11 23:15:05 2004 -> Running as user clamav (UID 80, GID 107)
Thu Mar 11 23:15:05 2004 -> Reading databases from /var/lib/clamav
Thu Mar 11 23:15:06 2004 -> Protecting against 40864 viruses.
Thu Mar 11 23:15:06 2004 -> Unix socket file /var/lib/clamav/clamd.socket
Thu Mar 11 23:15:06 2004 -> Setting connection queue length to 15
Thu Mar 11 23:15:06 2004 -> Listening daemon: PID: 2309
Thu Mar 11 23:15:06 2004 -> Maximal number of threads: 64
Thu Mar 11 23:15:06 2004 -> Archive: Archived file size limit set to 10485760 bytes.
Thu Mar 11 23:15:06 2004 -> Archive: Recursion level limit set to 5.
Thu Mar 11 23:15:06 2004 -> Archive: Files limit set to 1000.
Thu Mar 11 23:15:06 2004 -> Archive: Compression ratio limit set to 200.
Thu Mar 11 23:15:06 2004 -> Archive support enabled.
Thu Mar 11 23:15:06 2004 -> RAR support disabled.
Thu Mar 11 23:15:06 2004 -> Mail files support enabled.
Thu Mar 11 23:15:06 2004 -> ThreadWatcher: Started in process 2311
Thu Mar 11 23:15:06 2004 -> Self checking every 3600 seconds.
Thu Mar 11 23:15:06 2004 -> Timeout set to 500 seconds.
Thu Mar 11 23:15:06 2004 -> SelfCheck: Database status OK.
Thu Mar 11 23:15:06 2004 -> SelfCheck: Integrity OK

How do I make it reload the database?

Many thanks.

>-----Original Message-----
>From: Fajar A. Nugraha [mailto:[EMAIL PROTECTED]
>Sent: Thursday, March 11, 2004 11:42 AM
>To: [EMAIL PROTECTED]
>Subject: Re: [Clamav-users] Virus scanned by clamav.net but updated db missed it
>
>Karis Matik wrote:
>
>>less viruses.db
>>And I looked for Worm.Bagle.Gen-zippwd, I can't get one.
>>
>You're looking in the wrong place
>bash-2.03# grep Worm.Bagle.Gen-zippwd viruses*
>viruses.db2:Worm.Bagle.Gen-zippwd (Clam)=504b03040a000100*504b010214000a000100*504b050601000100
>
>>Any one can give me a hint what's going on with the update?
>>
>Assuming you use clamd, check to make sure that the database is reloaded
>correctly.
>I put clamd logs in a file. Yours might be on syslog.
>There should be something like
>
>Thu Mar 11 05:20:29 2004 -> Reading databases from /usr/local/share/clamav
>Thu Mar 11 05:20:33 2004 -> Database correctly reloaded (20432 viruses)
>
>Upgrading clamav to current stable version or CVS snapshot wouldn't hurt
>either.
>
>Regards,
>
>Fajar
Re: [Clamav-users] Virus scanned by clamav.net but updated db missed it
Karis Matik wrote:

> less viruses.db
> And I looked for Worm.Bagle.Gen-zippwd, I can't get one.

You're looking in the wrong place

bash-2.03# grep Worm.Bagle.Gen-zippwd viruses*
viruses.db2:Worm.Bagle.Gen-zippwd (Clam)=504b03040a000100*504b010214000a000100*504b050601000100

> Any one can give me a hint what's going on with the update?

Assuming you use clamd, check to make sure that the database is reloaded correctly. I put clamd logs in a file. Yours might be on syslog. There should be something like

Thu Mar 11 05:20:29 2004 -> Reading databases from /usr/local/share/clamav
Thu Mar 11 05:20:33 2004 -> Database correctly reloaded (20432 viruses)

Upgrading clamav to current stable version or CVS snapshot wouldn't hurt either.

Regards,

Fajar
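Added example, not part of the thread and not ClamAV's own code: it decodes the viruses.db2 line quoted in the reply above and shows what such a signature keys on. It assumes "*" means "any number of bytes" and handles no other wildcard; the helper names and the sample buffer are constructed for illustration.

```python
# Signature line as quoted from viruses.db2 in the reply above.
SIG_LINE = ("Worm.Bagle.Gen-zippwd (Clam)="
            "504b03040a000100*504b010214000a000100*504b050601000100")


def parse_signature(line):
    """Split 'name=hexsig' and decode each '*'-separated hex fragment."""
    name, sep, hexsig = line.strip().rpartition("=")
    if not sep or not name:
        raise ValueError("expected 'name=hexsig'")
    fragments = [bytes.fromhex(part) for part in hexsig.split("*")]
    if not all(fragments):
        raise ValueError("empty fragment in signature")
    return name, fragments


def matches(fragments, data):
    """True if the fragments occur in order with any bytes between them."""
    pos = 0
    for frag in fragments:
        hit = data.find(frag, pos)
        if hit < 0:
            return False
        pos = hit + len(frag)
    return True


def local_flags(fragment):
    """General-purpose flag word of a ZIP local file header fragment:
    4-byte 'PK\\x03\\x04', 2-byte version needed, then the 2-byte flags."""
    if fragment[:4] != b"PK\x03\x04" or len(fragment) < 8:
        raise ValueError("not a local file header fragment")
    return int.from_bytes(fragment[6:8], "little")


def sample_headers(flags):
    """Constructed sample (not a real archive): only the header bytes the
    signature inspects, with the flag word chosen by the caller."""
    f = flags.to_bytes(2, "little")
    local = b"PK\x03\x04\x0a\x00" + f + b"\x00" * 22 + b"doc.txt"
    central = b"PK\x01\x02\x14\x00\x0a\x00" + f + b"\x00" * 38
    end = b"PK\x05\x06\x01\x00\x01\x00" + b"\x00" * 14
    return local + b"<file data>" + central + end


if __name__ == "__main__":
    name, frags = parse_signature(SIG_LINE)
    print(name, [f.hex() for f in frags])
    print("flags:", hex(local_flags(frags[0])), "bit 0 set = encrypted entry")
    print("flag bit set:  ", matches(frags, sample_headers(0x0001)))
    print("flag bit clear:", matches(frags, sample_headers(0x0000)))
```

The first two fragments include the ZIP general-purpose flag word with bit 0 (entry is encrypted) set, so the signature matches archive header fields, not the contents of the protected file.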
[Clamav-users] Virus scanned by clamav.net but updated db missed it
Clam Users/Developers:

First of all, I'd like to thank you for all your great work with clam AV.

I currently have a mail server with the following specs:

Mandrake 9.2
clamav version 0.66 (installed from mandrake RPM)
spamassassin
amavis

It runs okay, but I found something strange. Got an email with a strange zip attachment. I submitted the attachment to clamav.net to check whether the database recognizes the virus. The check result is:

File is valid, and was successfully uploaded.
clamav scans the file ...
Clamav-Output:/tmp/phpjPpvQe: Worm.Bagle.Gen-zippwd FOUND

And found something: Worm.Bagle.Gen-zippwd

Obviously the amavis in my mail server can't pick it up. I checked the freshclam log, and I found the database has been updated (hourly):

ClamAV update process started at Thu Mar 11 20:01:00 2004
main.cvd is up to date (version: 21, sigs: 20094, f-level: 1, builder: tkojm)
daily.cvd is up to date (version: 176, sigs: 338, f-level: 1, builder: ddm)

As of March 11 2004, my database is recent. But when I do:

less viruses.db

And I looked for Worm.Bagle.Gen-zippwd, I can't get one. I only found:

Worm.Bagle.A

The md5sum of my database is: 4e4f1a294d2748ed1ee76b232d2e, which I believe is up to date as of March 11 2004.

Any one can give me a hint what's going on with the update?

Thank you.

Regards,
Karis
Re: [Clamav-users] Using ClamAV with Declude Virus
Tomasz Kojm wrote:

> BTW: What is "Declude Virus" ?

Something like Amavis which only works on Imail
http://www.declude.com/Virus/index.html
RE: [Clamav-users] Virus aliases
No idea how easy this would be to implement but here goes:

As well as the virus signature databases, how about having an alias database which would contain a record for each virus, indicating its ClamAV name along with those used by the more mainstream AV software like Sophos, McAfee etc. Then have the scanning software (clamd etc.) accept a commandline switch to indicate your preferred naming. That way, if you also use Sophos/McAfee/whatever on internal servers you could get ClamAV to report an infection using the same naming as internally.

Of course, as the Clam sigs are usually ahead of the rest, the aliases for a particular virus would all be set to ClamAV's chosen name. Then, as the other vendors get their signatures out the aliases could be updated accordingly.

Workable/unworkable/insane idea?

Paul
[Clamav-users] Virus aliases
Hello,

(I am new to the list, but have scanned the archives and have been unable to find a complete answer to this, although it has been brought up once or twice ...)

I'd like to be able to see the alias names for detected viruses. The clamav-virusdb announcements include aliases, but searching the mail archives is a rather haphazard way of matching up viruses with different aliases.

I was originally rather alarmed because, when I first installed ClamAV last week, I did:

> sigtool --list-sigs | grep -i netsky

and got nothing back! My initial response was "Whoa! It's out of date ..."

I use ClamAV and Sophos in series on our mail server and would like to tie up which viruses are actually the same thing ...

There was a message on the archives from about three weeks ago from someone who was planning to maintain a web page listing the aliases, so my questions are:

1. Is this web page live? If so, what's the address?

2. Can the alias details be extracted from the .cvd files? If not currently, is there any way to add this detail?

3. Is searching the archives of clamav-virusdb the only way to find alias names currently?

Cheers,

Dave.

--
Dave Ewart [EMAIL PROTECTED]
Computing Manager, Epidemiology Unit, Oxford Cancer Research UK
PGP: CC70 1883 BD92 E665 B840 118B 6E94 2CFD 694D E370
Re: [Clamav-users] Using ClamAV with Declude Virus
On Wed, 10 Mar 2004 17:35:57 -0700
"Brad Morgan" <[EMAIL PROTECTED]> wrote:

> > I believe the code that should be changed is in the checkfile( )
> > function in the manager.c file, where there are two references to
> > "%s: %s FOUND\n", which could be changed to "%s: infected with %s\n"
> > or "%s: FOUND%s\n". That would do the trick.
> >
> > -Scott
>
> I can't use the ":" as the delimiter because there's a time stamp at

You can look for the last colon...

> the beginning of the -l output. Can the change Scott suggested be made
> to the ClamAV source?
> Does it have to have an option added because the old format is being
> parsed by
> other programs?

The output format won't change. Please check the 3-rd party software (on www.clamav.net) for parsing details.

BTW: What is "Declude Virus" ?

--
oo.     Tomasz Kojm <[EMAIL PROTECTED]>
(\/)\.  http://www.ClamAV.net/gpg/tkojm.gpg
\..._   0DCA5A08407D5288279DB43454822DC8985A444B
//\ /\  Thu Mar 11 10:29:40 CET 2004
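Added example, not part of the thread or of ClamAV: one way to apply the "last colon" advice above to the "%s: %s FOUND" report format. The timestamp prefix pattern is an assumption modelled on the clamd log lines quoted elsewhere in this thread, and the sample lines in the block are constructed except where noted.

```python
import re
from typing import NamedTuple, Optional

# Assumed timestamp prefix, modelled on the clamd log lines quoted in this
# thread ("Thu Mar 11 23:15:06 2004 -> ..."); other log formats will differ.
STAMP_RE = re.compile(r"^(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) -> (.*)$")
SUFFIX = " FOUND"


class Detection(NamedTuple):
    timestamp: Optional[str]
    path: str
    virus: str


def parse_found(line: str) -> Optional[Detection]:
    """Parse a '<path>: <virus> FOUND' report; None for any other line."""
    line = line.rstrip("\r\n")
    if not line.endswith(SUFFIX):
        return None
    stamp = None
    m = STAMP_RE.match(line)
    if m:
        stamp, line = m.group(1), m.group(2)
    # Split at the LAST ': ' so colons in the timestamp or path are kept.
    path, sep, virus = line[:-len(SUFFIX)].rpartition(": ")
    if not sep or not path or not virus:
        return None
    return Detection(stamp, path, virus)


# Constructed sample lines; the second is the report quoted in this thread
# without its web-form prefix.
SAMPLES = [
    "Thu Mar 11 23:15:06 2004 -> /var/spool/scan/part:2/msg.zip: "
    "Worm.Bagle.Gen-zippwd FOUND",
    "/tmp/phpjPpvQe: Worm.Bagle.Gen-zippwd FOUND",
    "/tmp/clean.txt: OK",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_found(sample))
```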
Re: [Clamav-users] freshclam no connect
On Wed, 10 Mar 2004 20:33:52 -0600
Chris Lopeman <[EMAIL PROTECTED]> wrote:

> Hi All,
>
> I have seen the opposite question posed but not this one. I get the
> error about not being able to connect to clamd. But I am not running
> clamd. I don't want to. I am also not using the --daemon-notify
> option. Yet it appears to always try to notify. Is there an option
> to make it not notify? Except for a couple of things I don't
> understand about the product I am quite impressed.
>
> connect(): Connection refused
> ERROR: Can't connect to clamd.

Which version of clamav ?

--
oo.     Tomasz Kojm <[EMAIL PROTECTED]>
(\/)\.  http://www.ClamAV.net/gpg/tkojm.gpg
\..._   0DCA5A08407D5288279DB43454822DC8985A444B
//\ /\  Thu Mar 11 10:22:19 CET 2004
Re: [Clamav-users] password protected zip file
On Thu, 11 Mar 2004 12:49:36 +1100
Jonathan Trott <[EMAIL PROTECTED]> wrote:

> At the moment, if you put any virus inside an encrypted zip file,
> clamav reports that there isn't a virus in there, which is a false
> negative. Better to report that it couldn't be scanned than there
> wasn't a virus in there.

No, that's definitely not a false negative. Password protected viruses are not dangerous (and not interesting to us) as long as they don't distribute the password. But anyway you should check the --detect-encrypted option (CVS).

--
oo.     Tomasz Kojm <[EMAIL PROTECTED]>
(\/)\.  http://www.ClamAV.net/gpg/tkojm.gpg
\..._   0DCA5A08407D5288279DB43454822DC8985A444B
//\ /\  Thu Mar 11 10:23:45 CET 2004
Re: [Clamav-users] Help with New Install clamav-milter
Ed Kasky wrote:

> #ls -al /var/run/clamav
> drwxr-xr-x    2 clamav clamav 4096 Mar 10 17:52 .
> drwxr-xr-x    6 root root 4096 Mar 10 17:57 ..
> srwxr-xr-x    1 clamav clamav 0 Mar 10 17:52 clamav.sock
> -rw-rw----    1 clamav clamav 4 Mar 10 17:52 clamd.pid

Looks OK.

> When I start clamd, it loads just fine and I can use clamdscan just fine.
> However, running clamav-milter through sendmail results in the following
> from the maillog:

Did you start the clamav-milter daemon? If yes, does it open a socket for communication with sendmail? What are the file permissions of this socket? How did you configure your sendmail.mc?

Petr
Re: [Clamav-users] Help with New Install clamav-milter
On Thursday 11 March 2004 2:21 am, Ed Kasky wrote:

> Mar 10 17:57:11 clam-milter[5623]: recv failed from clamd getting PORT
> Mar 10 17:57:11 Milter: from=<[EMAIL PROTECTED]>, reject=451 4.7.1
> Please try again later
>
> I assume it's rejecting because clamd can't get port?

Is clamd running?

> Ed

-Nigel
Re: [Clamav-users] freshclam no connect
Chris Lopeman wrote:

> Hi All,
>
> I have seen the opposite question posed but not this one. I get the
> error about not being able to connect to clamd. But I am not running
> clamd. I don't want to. I am also not using the --daemon-notify
> option. Yet it appears to always try to notify. Is there an option
> to make it not notify? Except for a couple of things I don't
> understand about the product I am quite impressed.
>
> connect(): Connection refused
> ERROR: Can't connect to clamd.

Set up /etc/freshclam.conf to fit your needs.

Petr