Re: [Clamav-users] Re: Yet another TESTVIRUS.org result !!
[...] Some people complained that ClamAV is not a 'vulnerability/exploit' scanner, but a virus scanner. This makes sense (and helps to avoid code bloat), but if [...]

After blocking the 'com' extension I observed that many of the viruses from testvirus.org had the 'com' extension!! Better I block the 'com' extension itself, at least reducing the load on CLAM :))

Which scanner are you using? qmail-scanner scans viruses FIRST, then blocks extensions based on policy. This change was made between 1.20-rc2 and 1.20-rc3 if I remember correctly.

I'm using Exim mailserver with "exiscan-acl patch revision 14". This will block unwanted attachments first, then scan allowed attachments.. Why scan those attachments which we won't allow!! As I see right now clamav is the only process which is taking most of the CPU usage!! (Compared to other processes on the server, but not a problem.) At least this reduces load on CLAMAV ;)

Better if we don't block these attachments while we are testing CLAMAV :)

-Dilip
--
I was born intelligent education ruined me.

---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of GenToo technologies. Learn everything from fundamentals to system administration. http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users
Re: [Clamav-users] Re: Yet another TESTVIRUS.org result !!
On Mar 26, 2004, at 2:35 PM, Trog wrote:

> On Fri, 2004-03-26 at 18:35, Bart Silverstrim wrote:
>> Hmm...when I just tested it (postfix, clamav, amavisd-new) tests 8, 12, 24, and 25 got through. Am I missing something in my config?
>>
>> How worried should I be about those viruses getting through? :-/
>
> #8 was blocked with current CVS (didn't test other versions)
> #12 is blocked if you tell clamscan to detect password protected files

That (#12) is only in the CVS version as well, no? I've been waiting until the latest version is in the ports tree (FreeBSD 4.9) so I wouldn't end up with a mix of ports and tarballed apps on the server, so latest updates could be taken care of via portupgrade... :-/

> #24 and #25 don't contain any viruses, so it's not surprising they aren't detected.

This was supposed to test a potential infection vector?
[Clamav-users] Rejected messages
I am getting messages rejected. I've been getting a few notifications that messages are not arriving. I get the following messages in my mail log. Note: "sender", "recipient", "myserver" and "mydomain.com.au" are fictitious.

Mar 26 22:59:40 myserver sm-mta[9106]: i2QBvPA0009106: from=<[EMAIL PROTECTED]>, size=1608733, class=0, nrcpts=1, msgid= <[EMAIL PROTECTED]>, proto=ESMTP, daemon=MTA, relay=mail.velocitynet.com.au [203.17.154.98] (may be forged)
Mar 26 22:59:40 myserver sm-mta[9106]: i2QBvPA0009106: Milter: data, reject=451 4.7.1 Please try again later
Mar 26 22:59:40 myserver sm-mta[9106]: i2QBvPA0009106: to=<[EMAIL PROTECTED]>, delay=00:02:13, pri=1638733, stat=Please try again later
Mar 26 23:00:04 myserver sm-mta[9107]: i2QBvPpD009107: from=<[EMAIL PROTECTED]>, size=2496283, class=0, nrcpts=1, msgid= <[EMAIL PROTECTED]>, proto=ESMTP, daemon=MTA, relay=mail.velocitynet.com.au [203.17.154.98] (may be forged)
Mar 26 23:00:04 myserver sm-mta[9107]: i2QBvPpD009107: Milter: data, reject=451 4.7.1 Please try again later

I'm using sendmail-8.12.11, clamav-devel-20040226, clamav-milter version 0.67h and slackware 9.1. I have very light traffic on my server and I doubt that it's so busy that there would be other processes happening that frequently.

Maybe this is something really simple - I'm not a sendmail/clamav guru. Can anybody help?
Re: [Clamav-users] clam not fresh
At 01:11 PM 3/26/2004, you wrote:
> On Thu, 25 Mar 2004 at 21:42:57 -0800, Brian W. Antoine wrote:
>> I just ran freshclam again and instead of downloading viruses.db and then giving me a checksum error it now claims:
>>
>> Connected to clamav.elektrapro.com.
>> Reading md5 sum (viruses.md5): ERROR: md5 sum not found on remote server
>> ERROR: Can't get viruses.md5 sum from clamav.elektrapro.com
>>
>> Obviously somebody's figured out that the checksums were broken and is playing with the files.
>
> I don't want your problem to be ignored, so - though I don't know if somebody was playing with the files or not - I'd like just to be sure that now it's OK. Is it?

Yes, sometime since I wrote my reply last night the problem was corrected and I can once again do a freshclam from elektrapro and get a good reply.
Re: [Clamav-users] Re: Application to generate CLAMAV report
Craig Daters wrote:
> Okay, I discovered that all of the logging is being done in /var/log/maillog as opposed to /var/log/messages, and once I pointed grep to the right file, then all has become well in the universe.

I wouldn't have dared posting about that. ;-)

--
/Peter Bonivart

--Unix lovers do it in the Sun

Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.63 + DCC 1.2.30, ClamAV 0.67 + GMP 4.1.2, MailStats 0.25
Re: [Clamav-users] Freshclam timeout error
On Fri, 26 Mar 2004 at 16:21:10 +, Roger Fishwick wrote:
>
> I've checked the archive at length but I don't think any of the other posts are the same problem.
>
> The error is freshclam won't, error in log is:
> ClamAV update process started at Fri Mar 26 15:01:37 2004
> ERROR: Maximal time (1200 seconds) reached.
>
> I've installed clam from the latest RPMs on a mandrake 9.2 system:
> rpm -qa --last | grep -i clam
> clamav-db-0.70-3mdk Fri 26 Mar 2004 14:58:38 GMT
> clamd-0.70-3mdk Fri 26 Mar 2004 14:05:21 GMT
> clamav-0.70-3mdk Fri 26 Mar 2004 14:05:20 GMT
> libclamav1-0.70-3mdk Fri 26 Mar 2004 14:05:19 GMT
> [...]

A proxy server between?...

--
Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only
[EMAIL PROTECTED] http://www.lodz.tpsa.pl/ | ones and zeros.
[EMAIL PROTECTED] http://www.ClamAV.net/ A GPL virus scanner
Re: [Clamav-users] reject=451 4.7.1 Please try again later
On Fri, 26 Mar 2004, Joe Maimon wrote:
> Nigel Horne wrote:
>> The evidence points to incoming connections taking a long time (minutes) to send the first line of header after establishing a connection, so clamd gives up waiting. Increasing clamd's timeout will help. I have seen 4-5 minutes between an SMTP connection being established and the conversation finally getting around to doing a DATA statement.
>
> Can't be it.
> ThreadTimeout 600
>
> Still happening.

Agree with above: I'm using ThreadTimeout 500 all the time, and this error still happens. (clamav 0.70rc)

Krzysztof Snopek
Re: [Clamav-users] reject=451 4.7.1 Please try again later
Trog wrote:
> On Fri, 2004-03-26 at 17:03, Joe Maimon wrote:
>> # Thread (scanner - single task) will be stopped after this time (seconds).
>> # Default is 180. Value of 0 disables the timeout. SECURITY HINT: Increase the
>> # timeout instead of disabling it.
>> ThreadTimeout 600
>>
>> Still happening.
>>
>> Besides sendmail is only reporting around a (max) 2:00 delay for the rejected 451 emails.
>
> What version of clamav are you using?
>
> ThreadTimeout is not used on anything past 0.68, or CVS for the last couple of months. The default timeout for receiving data on a socket is 1 minute.
>
> -trog

Color me clueless but I just downloaded and installed clamav. (Past week)

Only timeout related thing I have in clamav.conf or man clamav.conf is ThreadTimeout

Guess it's to the source.

Nope, no timeout named options in clamd/config.c other than LogTime and ThreadTimeout

How about this? (I added a zero)

grep CL_DEFAULT_SCANTIMEOU *
defaults.h:#define CL_DEFAULT_SCANTIMEOUT 600

Suggestions?
Fwd: Re: [Clamav-users] Re: Application to generate CLAMAV report
Looks like my previous posting on this topic didn't make it to the list...

-- Forwarded Message --

Subject: Re: [Clamav-users] Re: Application to generate CLAMAV report
Date: Fri, 26 Mar 2004 19:28:14 +
From: Antony Stone <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]

On Friday 26 March 2004 5:39 pm, Craig Daters wrote:
> Let me preface this by stating that I am a newbie with using the commands below, I have only ever used grep to locate simple things, I have not used any of the others...
>
> So how come when I enter the commands below, I get an error that says: "grep: unknown directories method"?

Try starting with the simple grep command, then add each command with its pipe symbol one at a time until something breaks (or, hopefully, it all works).

Note that the grep command here *is* very simple, so it is no different from the sort of thing you have used it for in the past. All the remaining lines are commands which the output is piped to, not a more complicated grep...

> >> grep FOUND /var/log/messages \
> >>
> >> | cut -d ":" -f 5 \
> >> | sed -e "s/\ FOUND//" \
> >> | sort \
> >> | uniq -c \
> >> | sort -r

So, start off with just:

grep FOUND /var/log/messages

This should generate lots of lines of output, but no error.

Assuming that works, add the next command and test again:

grep FOUND /var/log/messages | cut -d ":" -f 5

(or split it as shown above with a "space-backslash" at the end of the first line)

Then add more commands one at a time (you will suddenly get a whole lot less lines once you add the "uniq" command) and hopefully all will become clear...

Regards,

Antony.

--
People who use Microsoft software should be certified.

Please reply to the list; please don't CC me.
Re: [Clamav-users] Re: Application to generate CLAMAV report
On Friday 26 March 2004 8:44 pm, Craig Daters wrote:
>> Craig Daters wrote:
>>> Let me preface this by stating that I am a newbie with using the commands below, I have only ever used grep to locate simple things, I have not used any of the others...
>>>
>>> So how come when I enter the commands below, I get an error that says: "grep: unknown directories method"?
>>
>> I don't know. Please read `man grep` to find out.
>
> Been there, done that. The man page offers no clues...

I suspect you made a typo. The grep part of the command is very short and very simple. The rest is just pipes to other short, simple commands. My money is on making some error with the backslash line continuations...

Regards,

Antony.

--
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing on usenet and in e-mail?

Please reply to the list; please don't CC me.
Re: [Clamav-users] clam not fresh
On Thu, 25 Mar 2004 at 21:42:57 -0800, Brian W. Antoine wrote:
>
> I just ran freshclam again and instead of downloading viruses.db and then giving me a checksum error it now claims:
>
> Connected to clamav.elektrapro.com.
> Reading md5 sum (viruses.md5): ERROR: md5 sum not found on remote server
> ERROR: Can't get viruses.md5 sum from clamav.elektrapro.com
>
> Obviously somebody's figured out that the checksums were broken and is playing with the files.

I don't want your problem to be ignored, so - though I don't know if somebody was playing with the files or not - I'd like just to be sure that now it's OK. Is it?

--
Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only
[EMAIL PROTECTED] http://www.lodz.tpsa.pl/ | ones and zeros.
[EMAIL PROTECTED] http://www.ClamAV.net/ A GPL virus scanner
Re: [Clamav-users] Re: Application to generate CLAMAV report
Okay, I discovered that all of the logging is being done in /var/log/maillog as opposed to /var/log/messages, and once I pointed grep to the right file, then all has become well in the universe.

Thanks again.

> Try starting with the simple grep command, then add each command with its pipe symbol one at a time until something breaks (or, hopefully, it all works).
>
> Note that the grep command here *is* very simple, so it is no different from the sort of thing you have used it for in the past. All the remaining lines are commands which the output is piped to, not a more complicated grep...
>
>> grep FOUND /var/log/messages \
>> | cut -d ":" -f 5 \
>> | sed -e "s/\ FOUND//" \
>> | sort \
>> | uniq -c \
>> | sort -r
>
> So, start off with just:
>
> grep FOUND /var/log/messages
>
> This should generate lots of lines of output, but no error.
>
> Assuming that works, add the next command and test again:
>
> grep FOUND /var/log/messages | cut -d ":" -f 5
>
> (or split it as shown above with a "space-backslash" at the end of the first line)
>
> Then add more commands one at a time (you will suddenly get a whole lot less lines once you add the "uniq" command) and hopefully all will become clear...
>
> Regards,
>
> Antony.

--
--
Craig Daters ([EMAIL PROTECTED])
Systems Administrator
West Press Printing
1663 West Grant Road
Tucson, Arizona 85745-1433

Tel: 520-624-4939
Fax: 520-624-2715

www.westpress.com
--
[Clamav-users] Re: Application to generate CLAMAV report
Been there, done that. The man page offers no clues...

> Craig Daters wrote:
>> Let me preface this by stating that I am a newbie with using the commands below, I have only ever used grep to locate simple things, I have not used any of the others...
>>
>> So how come when I enter the commands below, I get an error that says: "grep: unknown directories method"?
>
> I don't know. Please read `man grep` to find out.
>
> --
> Jesse Guardiani, Systems Administrator
> WingNET Internet Services,
> P.O. Box 2605 // Cleveland, TN 37320-2605
> 423-559-LINK (v) 423-559-5145 (f)
> http://www.wingnet.net

--
--
Craig Daters ([EMAIL PROTECTED])
Systems Administrator
West Press Printing
1663 West Grant Road
Tucson, Arizona 85745-1433

Tel: 520-624-4939
Fax: 520-624-2715

www.westpress.com
--
Re: [Clamav-users] Re: Yet another TESTVIRUS.org result !!
On Fri, 2004-03-26 at 18:35, Bart Silverstrim wrote:
> Hmm...when I just tested it (postfix, clamav, amavisd-new) tests 8, 12, 24, and 25 got through. Am I missing something in my config?
>
> How worried should I be about those viruses getting through? :-/

#8 was blocked with current CVS (didn't test other versions)
#12 is blocked if you tell clamscan to detect password protected files
#24 and #25 don't contain any viruses, so it's not surprising they aren't detected.

-trog
Re: [Clamav-users] OT: Re: Application to generate CLAMAV report
RH9 with Sendmail

What os are you using?

- Original Message Follows -
From: Craig Daters <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: [Clamav-users] Re: Application to generate CLAMAV report
Date: Fri, 26 Mar 2004 10:39:24 -0700

Let me preface this by stating that I am a newbie with using the commands below, I have only ever used grep to locate simple things, I have not used any of the others...

So how come when I enter the commands below, I get an error that says: "grep: unknown directories method"?

>Ralph Angenendt wrote:
>
>[...]
>
>> grep FOUND /var/log/messages \
>> | cut -d ":" -f 5 \
>> | sed -e "s/\ FOUND//" \
>> | sort \
>> | uniq -c \
>> | sort -r
>>
>> This gives us the following output (yes, no percentages, one might hack that into it):
>>
>> 9353 Worm.SomeFool.Gen-1
>> 3647 Worm.SomeFool.P
>> 2312 Worm.SomeFool.Gen-2
>> 912 Worm.Sober.D
>> 521 Worm.Dumaru.A
>> 174 Worm.SomeFool.I
>> 55 Worm.Mydoom.F
>> 53 Worm.Dumaru.K
>> 39 Worm.Dumaru.Y
>> 35 Worm.Bagle.Gen-zippwd
>> 23 Worm.Bagle.Gen-1
>
> [...]

--
--
Craig Daters ([EMAIL PROTECTED])
Systems Administrator
West Press Printing
1663 West Grant Road
Tucson, Arizona 85745-1433

Tel: 520-624-4939
Fax: 520-624-2715

www.westpress.com
--

Kevin W. Gagel
Network Administrator
(250) 561-5848 local 448
(250) 562-2131 local 448
--
The College of New Caledonia, Visit us at http://www.cnc.bc.ca
Virus scanning is done on all incoming and outgoing email.
--

--
--
Craig Daters ([EMAIL PROTECTED])
Systems Administrator
West Press Printing
1663 West Grant Road
Tucson, Arizona 85745-1433

Tel: 520-624-4939
Fax: 520-624-2715

www.westpress.com
--
Re: [Clamav-users] Re: Application to generate CLAMAV report
On Friday 26 March 2004 5:39 pm, Craig Daters wrote:
> Let me preface this by stating that I am a newbie with using the commands below, I have only ever used grep to locate simple things, I have not used any of the others...
>
> So how come when I enter the commands below, I get an error that says: "grep: unknown directories method"?

Try starting with the simple grep command, then add each command with its pipe symbol one at a time until something breaks (or, hopefully, it all works).

Note that the grep command here *is* very simple, so it is no different from the sort of thing you have used it for in the past. All the remaining lines are commands which the output is piped to, not a more complicated grep...

> >> grep FOUND /var/log/messages \
> >> | cut -d ":" -f 5 \
> >> | sed -e "s/\ FOUND//" \
> >> | sort \
> >> | uniq -c \
> >> | sort -r

So, start off with just:

grep FOUND /var/log/messages

This should generate lots of lines of output, but no error.

Assuming that works, add the next command and test again:

grep FOUND /var/log/messages | cut -d ":" -f 5

(or split it as shown above with a "space-backslash" at the end of the first line)

Then add more commands one at a time (you will suddenly get a whole lot less lines once you add the "uniq" command) and hopefully all will become clear...

Regards,

Antony.

--
People who use Microsoft software should be certified.

Please reply to the list; please don't CC me.
Re: [Clamav-users] Segmentation fault in clamav-0.70rc-1
--- Tomasz Kojm <[EMAIL PROTECTED]> wrote:
> It's a good idea to disable archive/mail support when using on-access scanner.

Hello Tomasz,

Disabling archive support means that compressed files will be managed using external decompressors?
[Clamav-users] Re: Application to generate CLAMAV report
Craig Daters wrote:
> Let me preface this by stating that I am a newbie with using the commands below, I have only ever used grep to locate simple things, I have not used any of the others...
>
> So how come when I enter the commands below, I get an error that says: "grep: unknown directories method"?

I don't know. Please read `man grep` to find out.

--
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v) 423-559-5145 (f)
http://www.wingnet.net
Re: [Clamav-users] clamav.conf - user
Björn Ketelaars wrote:
> Hello,
>
> I'm running ClamAV 0.68-1 on an OpenBSD machine (i386, snapshot 190304). When I set 'User _clamd' in clamav.conf and start clamd as root I'm not able to use clamdscan (not able to open file...most probably due to file restrictions). When I replace _clamd with root everything works great. There is just one little thing, I just can't escape the feeling that I'm not supposed to change user to root.
>
> Any suggestions or wise words?
>
> With kind regards,
> Björn

If clamd is running as an unprivileged user, there will be several parts of the file system that it can't scan due to file system permissions (such as /root). For most people this probably isn't a problem since it is integrated with a mail system and permissions just need to be set to where clamd has access to wherever the queue/tmp files are stored. If you don't want to mess with permissions and want to be able to scan various things easily as root, you can use clamscan instead of clamdscan.

--
Ryan Moore
--
Perigee.net Corporation
704-849-8355 (sales)
704-849-8017 (tech)
www.perigee.net
[Clamav-users] Building clamav-milter on 0.70-rc
What's the trick to building and installing milter on 0.70-rc? I've got 0.65 running on this system with milter, so the milter libs for sendmail should be OK.

I get a .o file but clamav-milter is the temporary wrapper script, and an install doesn't seem to build a linked executable anywhere.

This is a redhat 9 system.
--
Mike Nolan
[Clamav-users] clamav.conf - user
Hello,

I'm running ClamAV 0.68-1 on an OpenBSD machine (i386, snapshot 190304). When I set 'User _clamd' in clamav.conf and start clamd as root I'm not able to use clamdscan (not able to open file...most probably due to file restrictions). When I replace _clamd with root everything works great. There is just one little thing, I just can't escape the feeling that I'm not supposed to change user to root.

Any suggestions or wise words?

With kind regards,
Björn
Re: [Clamav-users] Re: Application to generate CLAMAV report
Fri, 26 Mar 2004 at 17:47 GMT Jesse Guardiani <[EMAIL PROTECTED]> wrote
>
> Here's a sample output:
>

And if you mix this output with a cronjob, some sql and jpgraph (http://www.aditus.nu/jpgraph/), you might end up with something like this: https://www.olen.net/modules.php?name=MailStats&show=virus

=;-)

Have a great weekend. Now it's beertime

Ola Thoresen
Re: [Clamav-users] clamd hanging on SunOS 5.8
Many thanks Fajar! I had ScanMail enabled! I thought we needed that.. Darn; I just disabled it now.

thanks a lot,
-turgut
Re: [Clamav-users] Re: Yet another TESTVIRUS.org result !!
On Mar 26, 2004, at 11:10 AM, Jesse Guardiani wrote:
> Dilip M wrote:
>> [...]
>> Only improvement is Test # 12 was detected ? Whereas all other Viruses, ie Test # 19,21,23,25 came through :(
>
> That is exactly what I'm getting with qmail-scanner-1.21 and clamav 0.70-rc (and the CVS version from 2004/03/25).
>
> I think there was a discussion about these last four items a few weeks ago. Some people complained that ClamAV is not a 'vulnerability/exploit' scanner, but a virus scanner. This makes sense (and helps to avoid code bloat), but if this is the consensus then I hope that qmail-scanner will soon address the above 4 items internally, or that someone else will create a program dedicated to this task. Exploit scanning may not belong in ClamAV, but it needs to be addressed somewhere.

Hmm...when I just tested it (postfix, clamav, amavisd-new) tests 8, 12, 24, and 25 got through. Am I missing something in my config?

How worried should I be about those viruses getting through? :-/
[Clamav-users] OT: Re: Application to generate CLAMAV report
What os are you using? - Original Message Follows - From: Craig Daters <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: [Clamav-users] Re: Application to generate CLAMAV report Date: Fri, 26 Mar 2004 10:39:24 -0700 > > Let me preface this by stating that I am a newbie with using the > commands below, I have only ever used grep to locate simple things, I > have not used any of the others... > > So how come when I enter the commands below, I get an error that > says: "grep: unknown directories method"? > > >Ralph Angenendt wrote: > > > >[...] > > > >> grep FOUND /var/log/messages \ > >> | cut -d ":" -f 5 \ > >> | sed -e "s/\ FOUND//" \ > >> | sort \ > >> | uniq -c \ > >> | sort -r > >> > >> This gives us the following output (yes, no percentages, one might hack > >> that into it): > >> > >> 9353 Worm.SomeFool.Gen-1 > >> 3647 Worm.SomeFool.P > >> 2312 Worm.SomeFool.Gen-2 > >> 912 Worm.Sober.D > >> 521 Worm.Dumaru.A > >> 174 Worm.SomeFool.I > >> 55 Worm.Mydoom.F > >> 53 Worm.Dumaru.K > >> 39 Worm.Dumaru.Y > >> 35 Worm.Bagle.Gen-zippwd > >> 23 Worm.Bagle.Gen-1 > > > [...] > > -- > -- > > Craig Daters ([EMAIL PROTECTED]) > Systems Administrator > West Press Printing > 1663 West Grant Road > Tucson, Arizona 85745-1433 > > Tel: 520-624-4939 > Fax: 520-624-2715 > > www.westpress.com > > -- > > > --- > This SF.Net email is sponsored by: IBM Linux Tutorials > Free Linux tutorial presented by Daniel Robbins, President and CEO of > GenToo technologies. Learn everything from fundamentals to system > administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click > ___ > Clamav-users mailing list > [EMAIL PROTECTED] > https://lists.sourceforge.net/lists/listinfo/clamav-users Kevin W. Gagel Network Administrator (250) 561-5848 local 448 (250) 562-2131 local 448 -- The College of New Caledonia, Visit us at http://www.cnc.bc.ca Virus scanning is done on all incoming and outgoing email. 
Re: [Clamav-users] reject=451 4.7.1 Please try again later
On Fri, 2004-03-26 at 17:03, Joe Maimon wrote:
> # Thread (scanner - single task) will be stopped after this time (seconds).
> # Default is 180. Value of 0 disables the timeout. SECURITY HINT: Increase the
> # timeout instead of disabling it.
> ThreadTimeout 600
>
> Still happening.
>
> Besides sendmail is only reporting around a (max) 2:00 delay for the
> rejected 451 emails.

What version of clamav are you using? ThreadTimeout is not used on anything
past 0.68, or CVS for the last couple of months. The default timeout for
receiving data on a socket is 1 minute.

-trog
[Clamav-users] GMX Systematic Comparison
Hello.

GMX released a paper where they were comparing the four biggest e-mail
providers in Germany and how successfully the best-known viruses are caught by
the e-mail software. They were testing the following providers and virus
software:

www.1und1.de (Symantec)
www.gmx.de (Sophos Anti-Virus)
www.web.de (ClamAV)
www.freenet.de (ClamAV)

Now they say that Symantec and Sophos caught 100% of all the viruses, and
ClamAV only got 54%!

I have to say that this test was done in January with ClamAV 0.65 and current
signatures at that time. I am a little disappointed with these results and I am
sure it is not really representative. First, because ClamAV 0.65 didn't have
support to scan OLE2 documents (so no macro viruses were caught).
Unfortunately they didn't say which viruses were not caught by ClamAV, but they
say they were using the January virus list published at www.wildlist.org!

There are 254 viruses on that list with 2 infected files for each virus, which
means the anti-virus software has to find 508 viruses. They added 113 obsolete
wildlist viruses to the test, also with 2 infected files for each virus, which
means 226 files. In total, it should check 734 infected files (these are file,
macro and script viruses). To make the test more difficult, they took some
files from the Windows 2000 and XP installation CDs, which should not be
detected by the anti-virus software. All files sent to the mail server are
6'266 files (57MB).

Now I am curious to know how the current ClamAV is performing. But
unfortunately I can't get any viruses from wildlist.org, so maybe the
developers can check the list at wildlist.org and see if they support all
those viruses there.

What is the reaction of the ClamAV team?

Regards,
Phil.
[Clamav-users] Re: Application to generate CLAMAV report
Let me preface this by stating that I am a newbie with using the commands
below, I have only ever used grep to locate simple things, I have not used any
of the others...

So how come when I enter the commands below, I get an error that says:
"grep: unknown directories method"?

Ralph Angenendt wrote:
[...]
> grep FOUND /var/log/messages \
> | cut -d ":" -f 5 \
> | sed -e "s/\ FOUND//" \
> | sort \
> | uniq -c \
> | sort -r
>
> This gives us the following output (yes, no percentages, one might hack
> that into it):
>
>    9353 Worm.SomeFool.Gen-1
>    3647 Worm.SomeFool.P
>    2312 Worm.SomeFool.Gen-2
>     912 Worm.Sober.D
>     521 Worm.Dumaru.A
>     174 Worm.SomeFool.I
>      55 Worm.Mydoom.F
>      53 Worm.Dumaru.K
>      39 Worm.Dumaru.Y
>      35 Worm.Bagle.Gen-zippwd
>      23 Worm.Bagle.Gen-1
> [...]

--
Craig Daters ([EMAIL PROTECTED])
Systems Administrator
West Press Printing
1663 West Grant Road
Tucson, Arizona 85745-1433

Tel: 520-624-4939
Fax: 520-624-2715

www.westpress.com
[Clamav-users] Re: Segfault on password protected rar?
I think I figured it out. Just read the release notes for .66 (the fix for
this issue). I'm on .70RC and it's working like a champ now.

-Ethan P

Ethan P writes:
> I'm running ClamAV .65 on an RH9 system, with Qmail-Scanner-1.20RC3.
>
> The other day, the following worm slipped through my clamav scanner:
> Worm.Bagle.Gen-rarpwd
>
> At first, I thought it was a new rar file, and tried to submit it. This
> variant had already been input into the database. Figuring that I was just
> out-of-date, I ran freshclam.
>
> I decided to grab the file and run clamscan on it -- just to make sure that
> it's being caught. Upon a regular scan, clamav (clamscan) segfaults. I
> assumed that this is due to the file being password protected -- so I re-ran
> it with the --disable-archive option and sure enough, the worm was found:
>
> [EMAIL PROTECTED] root]# clamscan --disable-archive -i first_part.rar
> first_part.rar: Worm.Bagle.Gen-rarpwd FOUND
>
> --- SCAN SUMMARY ---
> Known viruses: 41298
> Scanned directories: 0
> Scanned files: 1
> Infected files: 1
> Data scanned: 0.02 MB
> I/O buffer size: 131072 bytes
> Time: 0.782 sec (0 m 0 s)
>
> Problem is, when I send this file via email, ClamAV doesn't detect it. I
> assume it's segfaulting each time it scans this file.
>
> What's the best thing I can do at this point? I want ClamAV to open archives
> when possible, but I don't want it to segfault and allow password protected
> archived worms through.
>
> Thanks in advance,
> Ethan Pinkert
[Clamav-users] Re: Re: email structure logging
Mike Cathey wrote:
> Jesse,
>
> On Fri, 2004-03-26 at 10:46, Jesse Guardiani wrote:
>> :) Why not if it can already perform actions on the above
>> items?
>
> Clamav is a virus scanner. Features like that belong in whatever rips
> apart messages for Clamav to scan (amavisd-new in my case).

I thought someone might argue that point, but the fact of the matter is that
ClamAV itself is ripping apart these emails with BinHex and OLE2 all by itself
without the help of some other scanner. I'm pretty sure that TNEF encoded
emails are the only emails that ClamAV needs qmail-scanner's help scanning. I
don't think ClamAV is capable of scanning TNEF emails raw.

So I'll ask again: If we've already added code bloat with the addition of the
ScanMail option, why not add a (perhaps optional) logging statement or two? If
the ClamAV developers are really code purists then they should remove the
ScanMail functionality entirely and let a wrapper program handle BinHex and
MIME emails.

--
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v) 423-559-5145 (f)
http://www.wingnet.net
Re: [Clamav-users] reject=451 4.7.1 Please try again later
Trog wrote:
> On Fri, 2004-03-26 at 15:44, Nigel Horne wrote:
>> The evidence points to incoming connections taking a long time (minutes) to
>> send the first line of header after establishing a connection, so clamd
>> gives up waiting. Increasing clamd's timeout will help. I have seen 4-5
>> minutes between an SMTP connection being established and the conversation
>> finally getting around to doing a DATA statement.
>
> The only reason I can think of for something like this, is that maybe
> sendmail is tar-pitting the connection and deliberately adding a delay.
> Does sendmail have tar-pitting these days?

Not my sendmail. There are milters that do it and sendmail 8.13.0 looks like
it will have some kind of tarpitting.

> Do you have a tcpdump of such a conversation?

Nope. That might be doable.

> -trog
Re: [Clamav-users] Find bagle in Zip files.
On Fri, 2004-03-26 at 13:48, Tomasz Kojm wrote:
>> But AFAIK, Kaspersky AntiVirus can crack a password on zip archive
>> in some special circumstances. I have a program, that can do the
>> same, but Tomasz Kojm is not interested in it.
>
> Right. ClamAV must be transparent in its licensing.

The key issue here is the "in some special circumstances" part. What Kaspersky
did, i.e. tokenize the message text body and use them as possible passwords,
was useful for less than 2 days as a methodology.

-trog
Re: [Clamav-users] reject=451 4.7.1 Please try again later
Nigel Horne wrote:
> The evidence points to incoming connections taking a long time (minutes) to
> send the first line of header after establishing a connection, so clamd
> gives up waiting. Increasing clamd's timeout will help. I have seen 4-5
> minutes between an SMTP connection being established and the conversation
> finally getting around to doing a DATA statement.
>
> -Nigel

Can't be it.

# Thread (scanner - single task) will be stopped after this time (seconds).
# Default is 180. Value of 0 disables the timeout. SECURITY HINT: Increase the
# timeout instead of disabling it.
ThreadTimeout 600

Still happening.

Besides sendmail is only reporting around a (max) 2:00 delay for the rejected
451 emails.

Joe
Re: [Clamav-users] reject=451 4.7.1 Please try again later
On Fri, 2004-03-26 at 15:44, Nigel Horne wrote:
> The evidence points to incoming connections taking a long time (minutes) to
> send the first line of header after establishing a connection, so clamd
> gives up waiting. Increasing clamd's timeout will help. I have seen 4-5
> minutes between an SMTP connection being established and the conversation
> finally getting around to doing a DATA statement.

The only reason I can think of for something like this, is that maybe sendmail
is tar-pitting the connection and deliberately adding a delay. Does sendmail
have tar-pitting these days?

Do you have a tcpdump of such a conversation?

-trog
RE: [Clamav-users] Segfault on password protected rar?
Ethan,

Qmail-Scanner 1.21 has a new option:

--block-password-protected [yes|no]

Defaults to "no". Setting this to "yes" allows you to quarantine any incoming
zip files that are password protected. This is primarily to stop viruses such
as Bagle which arrive within a password-protected zip file.

-Original Message-
From: Ethan P [mailto:[EMAIL PROTECTED]
Sent: Friday, March 26, 2004 7:32 AM
To: [EMAIL PROTECTED]
Subject: [Clamav-users] Segfault on password protected rar?

I'm running ClamAV .65 on an RH9 system, with Qmail-Scanner-1.20RC3.

The other day, the following worm slipped through my clamav scanner:
Worm.Bagle.Gen-rarpwd

At first, I thought it was a new rar file, and tried to submit it. This
variant had already been input into the database. Figuring that I was just
out-of-date, I ran freshclam.

I decided to grab the file and run clamscan on it -- just to make sure that
it's being caught. Upon a regular scan, clamav (clamscan) segfaults. I assumed
that this is due to the file being password protected -- so I re-ran it with
the --disable-archive option and sure enough, the worm was found:

[EMAIL PROTECTED] root]# clamscan --disable-archive -i first_part.rar
first_part.rar: Worm.Bagle.Gen-rarpwd FOUND

--- SCAN SUMMARY ---
Known viruses: 41298
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.02 MB
I/O buffer size: 131072 bytes
Time: 0.782 sec (0 m 0 s)

Problem is, when I send this file via email, ClamAV doesn't detect it. I
assume it's segfaulting each time it scans this file.

What's the best thing I can do at this point? I want ClamAV to open archives
when possible, but I don't want it to segfault and allow password protected
archived worms through.

Thanks in advance,
Ethan Pinkert
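As an added illustration of what a policy like --block-password-protected decides on (example code written for this page, not qmail-scanner's own implementation): a ZIP local file header carries a 16-bit "general purpose bit flag" at offset 6, and bit 0 of it marks the member as encrypted, so the quarantine decision can be made from the header alone, with no extraction and no password guessing. The header bytes below are a constructed fixture; the script assumes a POSIX sh with od(1) and printf(1).

```shell
#!/bin/sh
# Added example (not qmail-scanner's code): decide whether a ZIP attachment
# is password protected without extracting it, by reading bit 0 of the
# general purpose bit flag in the first local file header (offset 6,
# little-endian). Assumes a POSIX sh with od(1) and printf(1).

# Constructed fixture: the first 10 bytes of a ZIP local file header
# (signature 50 4b 03 04, version needed 0x14, flag word, method 8).
# Only the header is needed for the check, so no real archive is built.
make_zip_header() {   # $1 = path, $2 = plain | encrypted
    if [ "$2" = encrypted ]; then flag='\001'; else flag='\000'; fi
    printf "\120\113\003\004\024\000${flag}\000\010\000" > "$1"
}

# Prints one of: encrypted | plain | not-a-zip
zip_first_member_state() {   # $1 = file
    f=$1
    sig=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
    if [ "$sig" != "504b0304" ]; then echo not-a-zip; return 0; fi
    set -- $(od -An -tu1 -j6 -N2 "$f")          # two flag bytes as decimals
    if [ $# -ne 2 ]; then echo not-a-zip; return 0; fi   # truncated header
    if [ $(( ($1 + 256 * $2) & 1 )) -eq 1 ]; then
        echo encrypted
    else
        echo plain
    fi
}

# The policy the option expresses: an encrypted ZIP is quarantined outright
# because the scanner cannot see inside it; anything else goes on to the
# normal scan (where the signature database does its job).
policy_for_attachment() {   # $1 = file; prints quarantine | scan
    case $(zip_first_member_state "$1") in
        encrypted) echo quarantine ;;
        *)         echo scan ;;
    esac
}

# Stand-alone demo over the constructed fixtures.
d=$(mktemp -d)
make_zip_header "$d/plain.zip" plain
make_zip_header "$d/locked.zip" encrypted
for f in "$d/plain.zip" "$d/locked.zip"; do
    echo "$f: $(zip_first_member_state "$f") -> $(policy_for_attachment "$f")"
done
rm -rf "$d"
```

The check reads only the first local header; encryption in ZIP is a per-member property, so a production implementation walks the central directory and treats any encrypted member as grounds for quarantine. Ethan's file is a RAR, a different container with its own header layout, which this function deliberately reports as not-a-zip rather than guessing. A cheap header-level policy check like this runs before the full archive parser, which is exactly the stage the segfault in this thread lives in.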
Re: [Clamav-users] clam not fresh
On Fri, 26 Mar 2004 15:27:23 - "Randal, Phil" <[EMAIL PROTECTED]> wrote:
> I think it is time for you to erase ALL of your clamAV
> files, wherever you have them scattered, and reinstall
> and reconfigure, so you only have one set of .conf files
> and one set of .cvd files, and then reboot.

Reboot ? ClamAV doesn't load any vxd's ;-)

--
   oo.              Tomasz Kojm <[EMAIL PROTECTED]>
  (\/)\.            http://www.ClamAV.net/gpg/tkojm.gpg
     \..._          0DCA5A08407D5288279DB43454822DC8985A444B
       //\ /\       Fri Mar 26 17:37:05 CET 2004
Re: [Clamav-users] Segmentation fault in clamav-0.70rc-1
On Thu, 25 Mar 2004 13:36:00 -0300 (ART) Claudio Alonso <[EMAIL PROTECTED]> wrote:
> I'm using Clamuko with Dazuko 2.0. only on /home and /tmp
> I know Clamuko support isn't very tested, but is it possible for
> Clamuko to generate a clamd segm. fault? Or may it be a different
> problem?

It's a good idea to disable archive/mail support when using on-access scanner.

--
   oo.              Tomasz Kojm <[EMAIL PROTECTED]>
  (\/)\.            http://www.ClamAV.net/gpg/tkojm.gpg
     \..._          0DCA5A08407D5288279DB43454822DC8985A444B
       //\ /\       Fri Mar 26 17:29:59 CET 2004
[Clamav-users] Re: Clamav error
Jesse Guardiani wrote:
[...]
> I see similar symptoms when my clamd (0.70-rc) process chokes on a
> message it doesn't like. The clamd process starts eating between 50%
> and 100% CPU and gobbling up RAM.

Quick note: The CVS version from 2004/03/26 fixes this problem for me.

--
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v) 423-559-5145 (f)
http://www.wingnet.net
[Clamav-users] Freshclam timeout error
Hi,

I've checked the archive at length but I don't think any of the other posts are
the same problem. The error is: freshclam won't; the error in the log is:

ClamAV update process started at Fri Mar 26 15:01:37 2004
ERROR: Maximal time (1200 seconds) reached.

I've installed clam from the latest RPMs on a mandrake 9.2 system:

rpm -qa --last | grep -i clam
clamav-db-0.70-3mdk      Fri 26 Mar 2004 14:58:38 GMT
clamd-0.70-3mdk          Fri 26 Mar 2004 14:05:21 GMT
clamav-0.70-3mdk         Fri 26 Mar 2004 14:05:20 GMT
libclamav1-0.70-3mdk     Fri 26 Mar 2004 14:05:19 GMT

Permissions all look ok:

ls -al /var/lib/clamav/
total 6202
drwxr-xr-x    2 clamav clamav    280 Mar 26 15:59 ./
drwxr-xr-x   18 root   root      496 Mar 25 17:11 ../
srwxrwxrwx    1 clamav clamav      0 Mar 26 15:59 clamd.socket=
-rw-r--r--    1 clamav clamav  41517 Mar 23 16:19 daily.cvd
-rw-r--r--    1 clamav clamav 944351 Mar 23 16:19 main.cvd

If I bring the viruses.db's in by hand clam works fine.

I've straced freshclam (below) and can't see what the problem might be, any
help at this point will be gratefully received.

Roger

cat /tmp/fresh.strace
execve("/usr/bin/freshclam", ["freshclam"], [/* 43 vars */]) = 0
uname({sys="Linux", node="giant12.giantuk.com", ...}) = 0
brk(0) = 0x805e62c
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2ca6b000
open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=38944, ...}) = 0
old_mmap(NULL, 38944, PROT_READ, MAP_PRIVATE, 3, 0) = 0x2ca6c000
close(3) = 0
open("/usr/lib/libclamav.so.1", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\240B\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=118416, ...}) = 0
old_mmap(NULL, 136212, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x2ca76000
old_mmap(0x2ca92000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x1c000) = 0x2ca92000
old_mmap(0x2ca93000, 17428, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x2ca93000
close(3) = 0
open("/lib/libz.so.1", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\340\30"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=55448, ...}) = 0
old_mmap(NULL, 54412, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x2ca98000
old_mmap(0x2caa4000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0xc000) = 0x2caa4000
close(3) = 0
open("/usr/lib/libbz2.so.1", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\20\22\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=62044, ...}) = 0
old_mmap(NULL, 61008, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x2caa6000
old_mmap(0x2cab4000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0xe000) = 0x2cab4000
close(3) = 0
open("/usr/lib/libgmp.so.3", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0`Z\0\000"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=192008, ...}) = 0
old_mmap(NULL, 195100, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x2cab5000
old_mmap(0x2cae4000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x2e000) = 0x2cae4000
close(3) = 0
open("/lib/i686/libpthread.so.0", O_RDONLY) = 3
read(3, "[EMAIL PROTECTED]"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=58516, ...}) = 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2cae5000
old_mmap(NULL, 327200, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x2cae6000
old_mmap(0x2caf3000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0xd000) = 0x2caf3000
old_mmap(0x2caf4000, 269856, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x2caf4000
close(3) = 0
open("/lib/i686/libc.so.6", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\20]\1\000"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1237568, ...}) = 0
old_mmap(NULL, 1242756, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x2cb36000
old_mmap(0x2cc6, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x12a000) = 0x2cc6
old_mmap(0x2cc63000, 9860, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x2cc63000
close(3) = 0
munmap(0x2ca6c000, 38944) = 0
set_thread_area({entry_number:-1 -> -1, base_addr:0x2caf3060, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = -1 ENOSYS (Function not implemented)
modify_ldt(1, {entry_number:0, base_addr:0x2caf3060, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_pre
Re: [Clamav-users] clam not fresh
On Fri, 26 Mar 2004 09:14:08 -0600, Mark Novak <[EMAIL PROTECTED]> wrote:
>> Jim
>>
> My number of signatures is exactly the same as yours. When I grep for
> somefool, I stop at M.
>
> I do still have the old style signatures located in /usr/share/clamav
> from clam-0.65. Tomasz mentioned in an earlier post that this could be
> the problem. I am wondering if I should change the freshclam.conf
> database line from /var/lib/clamav to /usr/share/clamav?
>
> It seems to me that I am updated, as I have the same number of
> signatures as you do, but when I grep it for somefool, maybe it is
> going to the old set in the other directory?
>
> What do you think?
>
> Thanks,
>
> Mark

Hmm... Looking at my system with 0.70RC-1 installed, I find

$ ls -l /var/lib/clamav
total 992
-rw-r--r--  1 clamav clamav  59601 Mar 26 04:17 daily.cvd
-rw-r--r--  1 clamav clamav 944351 Mar 16 13:48 main.cvd
$ locate daily.cvd
/var/lib/clamav/daily.cvd
/usr/local/share/clamav/daily.cvd
$ ls -l /usr/local/share/clamav/
total 976
-rw-r--r--  1 clamav clamav  47654 Mar 19 12:47 daily.cvd
-rw-rw-r--  1 clamav clamav 944351 Mar 19 12:34 main.cvd

So, the updates are going into /var/lib. clamav.conf says

# Path to the database directory.
# Default is the hardcoded directory (mostly /usr/local/share/clamav,
# but it depends on installation options).
#DatabaseDirectory /var/lib/clamav

So, just to be safe, I'm going to uncomment the DatabaseDirectory line, delete
/usr/local/share/clamav/*.cvd, and restart everything.

OK it may have been an artifact of the initial installation, but after changing
clamav.conf, stopping sendmail, clamav-milter, and clamd, deleting
/usr/local/share/clamav, then restarting the 3 services and running freshclam,
it appears everyone is looking at /var/lib/clamav.

--
Steve
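The failure mode in this thread is a configuration mismatch rather than a scanner bug: freshclam writes signatures into one directory while clamd reads another, so clamd keeps running with a stale database and reports a healthy signature count all the while. The following added example (written for this page, not part of the thread and not ClamAV's own tooling) parses the effective DatabaseDirectory from a conf file the way the commented-out line above behaves (a `#DatabaseDirectory` line leaves the compiled-in default in force, and the last uncommented directive wins), compares what clamd and freshclam would each use, and lists stray `*.cvd` copies that nothing updates any more. It assumes a POSIX sh; the directory layout and conf files it builds are constructed fixtures, and the compiled-in default is passed in as an argument rather than detected.

```shell
#!/bin/sh
# Added example (not from the thread, not ClamAV code): find out which
# database directory a clamav.conf / freshclam.conf actually selects and
# report copies of the signature files that live elsewhere. POSIX sh only.

# Effective DatabaseDirectory: last uncommented directive wins; if there is
# none, the compiled-in default ($2) applies, which is what a commented
# "#DatabaseDirectory ..." line leaves in force.
effective_dbdir() {   # $1 = conf file, $2 = compiled-in default
    dir=$(sed -n 's/^[[:space:]]*DatabaseDirectory[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" \
          | tail -n 1)
    if [ -n "$dir" ]; then echo "$dir"; else echo "$2"; fi
}

# Candidate directories that hold *.cvd files but are not the effective one:
# these are the copies nothing updates any more (one per line).
stray_db_dirs() {   # $1 = effective dir, $2.. = candidate dirs
    eff=$1; shift
    for d in "$@"; do
        [ "$d" = "$eff" ] && continue
        for f in "$d"/*.cvd; do
            if [ -e "$f" ]; then echo "$d"; break; fi
        done
    done
    return 0
}

# Does the directory clamd reads agree with the one freshclam writes?
dirs_agree() {   # $1 = clamd conf, $2 = freshclam conf, $3 = default
    [ "$(effective_dbdir "$1" "$3")" = "$(effective_dbdir "$2" "$3")" ]
}

# Constructed fixture mirroring the post: updates landing in var/lib while an
# older copy lingers in usr/local/share, and clamav.conf's directive commented.
make_fixture() {   # $1 = scratch root
    mkdir -p "$1/var/lib/clamav" "$1/usr/local/share/clamav"
    : > "$1/var/lib/clamav/daily.cvd"
    : > "$1/usr/local/share/clamav/daily.cvd"
    printf '# Path to the database directory.\n#DatabaseDirectory %s\n' \
        "$1/var/lib/clamav" > "$1/clamav.conf"
    printf 'DatabaseDirectory %s\n' "$1/var/lib/clamav" > "$1/freshclam.conf"
}

# Stand-alone demo.
root=$(mktemp -d)
make_fixture "$root"
default="$root/usr/local/share/clamav"
echo "clamd reads:      $(effective_dbdir "$root/clamav.conf" "$default")"
echo "freshclam writes: $(effective_dbdir "$root/freshclam.conf" "$default")"
if dirs_agree "$root/clamav.conf" "$root/freshclam.conf" "$default"; then
    echo "consistent"
else
    echo "MISMATCH: clamd will keep scanning with stale signatures"
fi
echo "stray database copies:"
stray_db_dirs "$(effective_dbdir "$root/clamav.conf" "$default")" \
    "$root/var/lib/clamav" "$root/usr/local/share/clamav"
rm -rf "$root"
```

The same function applies to both conf files because they share the directive; on a real host the default passed as the second argument should be whatever `clamconf` or the package reports as the compiled-in path, and any directory the check flags as stray is the one to delete once the two configs agree, which is the fix Steve and Mark arrived at by hand.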
RE: [Clamav-users] Re: email structure logging
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Jesse Guardiani
>
> :) Why not if it can already perform actions on the above
> items?

Code bloat is a Bad Thing. I'd rather have my virus scanner doing exactly what
it's supposed to do - no more.

> I use qmail-scanner currently, which does much of the above,
> but qmail-scanner doesn't recognize BinHex or OLE2. I just
> thought it would be neat for statistics reporting purposes.
>
> Haven't you ever wondered what percentage of the mail going
> through your server is BinHex?

Not really, but there are tools, like MIMEDefang, that can be used to answer
that.

PLEASE - keep list traffic on the list. Email sent directly to me may be
ignored utterly.

--
Rob | What part of "no" was it you didn't understand?
Re: [Clamav-users] clam not fresh [Solved]
All,

> I think it is time for you to erase ALL of your clamAV
> files, wherever you have them scattered, and reinstall
> and reconfigure, so you only have one set of .conf files
> and one set of .cvd files, and then reboot.
> At least then you'll know where to look and/or get meaningful error messages.

I solved the problem by changing the DatabaseDirectory to
/usr/local/share/clamav instead of /var/lib/clamav. I then ran freshclam and it
updated correctly and shows the correct number of somefool signatures. Last, I
deleted the /var/lib/clamav directory that I should never have created.

Thanks for everyone's help!

Thanks,
Mark Novak
Re: [Clamav-users] Segfault on password protected rar?
* Ethan P <[EMAIL PROTECTED]> [20040326 19:15]: wrote:
> I'm running ClamAV .65 on an RH9 system, with Qmail-Scanner-1.20RC3.

Does it still behave the same if you upgrade to a higher version?

cheers
- wash

+--+-+
Odhiambo Washington          . WANANCHI ONLINE LTD (Nairobi, KE)
|                            . 1ere Etage, Loita Hse, Loita St.,
| GSM: (+254) 722 743 223    . # 10286, 00100 NAIROBI
| GSM: (+254) 733 744 121    . (+254) 020 313 985 - 9
+-+--+
"Oh My God! They killed init! You Bastards!" --from a /. post
Re: [Clamav-users] Re: email structure logging
Jesse,

On Fri, 2004-03-26 at 10:46, Jesse Guardiani wrote:
> :) Why not if it can already perform actions on the above
> items?

Clamav is a virus scanner. Features like that belong in whatever rips apart
messages for Clamav to scan (amavisd-new in my case).

However, it sounds like something that would make a nice addition to
amavis-stats. I've been planning on adding RBL stats to amavis-stats for a
while, thanks for reminding me. :)

Cheers,
Mike
[Clamav-users] Re: Application to generate CLAMAV report
Ralph Angenendt wrote:
[...]
> grep FOUND /var/log/messages \
> | cut -d ":" -f 5 \
> | sed -e "s/\ FOUND//" \
> | sort \
> | uniq -c \
> | sort -r
>
> This gives us the following output (yes, no percentages, one might hack
> that into it):
>
>    9353 Worm.SomeFool.Gen-1
>    3647 Worm.SomeFool.P
>    2312 Worm.SomeFool.Gen-2
>     912 Worm.Sober.D
>     521 Worm.Dumaru.A
>     174 Worm.SomeFool.I
>      55 Worm.Mydoom.F
>      53 Worm.Dumaru.K
>      39 Worm.Dumaru.Y
>      35 Worm.Bagle.Gen-zippwd
>      23 Worm.Bagle.Gen-1
> [...]

:) That's interesting. I use something very similar with qmail-scanner on
FreeBSD. And all this time I thought I was being clever. :)

zcat /var/spool/qmailscan/quarantine.log.0.gz \
| awk 'BEGIN { FS = "\t" }{print $5};' \
| sed 's/ - Files.*/ - (ATTACHMENT)/' \
| sort -d | uniq -c | sort -n -r

Here's a sample output:

    490 Worm.SomeFool.P
    382 Worm.SomeFool.Gen-1
    134 JS.Spam.Scramble.A
     54 Worm.SomeFool.I
     31 Worm.SomeFool.Gen-2
     19 Worm.Gibe.F
     18 Disallowed content found in MIME attachment - potential virus
     15 Worm.Klez.H
     14 Encrypted.Zip
     13 Worm.Bagle.N
      8 Disallowed MIME boundary found in attachment - potential virus
      6 Worm.Dumaru.A
      2 Worm.SomeFool.O
      2 Worm.Ganda-A
      2 CIH #2
      1 Worm.SomeFool.F
      1 Worm.BugBear.B
      1 Worm.Bagle.H-zippwd-1
      1 Worm.Bagle.Gen-1
      1 W32.Magistr.B5
      1 W32.Magistr.B
      1 Trojan.URLspoof.gen.2
      1 SCR - (ATTACHMENT)
      1 PIF - (ATTACHMENT)
      1 LNK - (ATTACHMENT)
      1 Exploit.HTML.Bagle.Gen-7-eml
      1 Exploit.HTML.Bagle.Gen-3-eml
      1 Disallowed breakage found in header name - potential virus

--
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v) 423-559-5145 (f)
http://www.wingnet.net
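Ralph's pipeline (quoted above and in Craig's question earlier in this thread) and Jesse's qmail-scanner variant are the same technique: pull the detection name out of each log line, then `sort | uniq -c | sort`. The following is an added example, not code from any of the posts, that wraps the posted pipeline in a function over a constructed sample of clamd syslog lines, so the `-f 5` field choice can be checked against realistic input, and adds a variant that anchors on the FOUND token itself and sorts numerically. It assumes a POSIX sh with grep, cut, sed, sort, uniq and awk. On the "grep: unknown directories method" error Craig reports: that text is GNU grep's complaint about its own `-d` (`--directories`) option, so it means the `-d ":"` meant for cut was passed to grep instead; a typical cause is the backslash-newline continuations not surviving a paste, which leaves `\|` as an escaped, literal pipe argument rather than a pipeline.

```shell
#!/bin/sh
# Added example (not from the list posts): the FOUND-count report above,
# wrapped as functions over a constructed log so it can be run offline.
# Assumes a POSIX sh with grep, cut, sed, sort, uniq and awk on PATH.

# Constructed sample of syslog lines in the shape clamd writes them. With
# two ':' inside the timestamp, one after "clamd[pid]" and one after the
# scanned path, the signature lands in the 5th ':'-separated field, which
# is why the posted pipeline uses "cut -d : -f 5".
make_sample_log() {   # $1 = path to write
    cat > "$1" <<'EOF'
Mar 26 10:01:02 mx1 clamd[1234]: /var/spool/q/1: Worm.SomeFool.Gen-1 FOUND
Mar 26 10:01:05 mx1 clamd[1234]: /var/spool/q/2: Worm.Sober.D FOUND
Mar 26 10:02:11 mx1 clamd[1234]: /var/spool/q/3: Worm.SomeFool.Gen-1 FOUND
Mar 26 10:02:40 mx1 clamd[1234]: SelfCheck: Database status OK.
Mar 26 10:03:01 mx1 clamd[1234]: /var/spool/q/4: Worm.Bagle.Gen-zippwd FOUND
Mar 26 10:03:09 mx1 clamd[1234]: /var/spool/q/5: Worm.SomeFool.Gen-1 FOUND
EOF
}

# Ralph's pipeline exactly as posted, parameterised on the log file.
found_report() {   # $1 = log file
    grep FOUND "$1" \
      | cut -d ":" -f 5 \
      | sed -e "s/\ FOUND//" \
      | sort \
      | uniq -c \
      | sort -r
}

# Hardened variant: locate the signature relative to the FOUND token
# instead of a fixed ':' field, so a path or hostname containing ':'
# cannot shift the field, and sort numerically rather than lexically
# (plain "sort -r" misorders counts once they differ in digit count).
found_report_robust() {   # $1 = log file
    sed -n 's/^.*: \([^:]*\) FOUND$/\1/p' "$1" \
      | sort | uniq -c | sort -rn
}

# Accessors so the report can be checked programmatically.
top_signature() {   # name with the highest count
    found_report_robust "$1" | awk 'NR == 1 { print $2 }'
}
top_count() {       # that name's count
    found_report_robust "$1" | awk 'NR == 1 { print $1 }'
}
distinct_signatures() {
    found_report_robust "$1" | wc -l | tr -d ' '
}

# Stand-alone demo: build the sample and print both reports.
demo_log=$(mktemp)
make_sample_log "$demo_log"
echo "== as posted =="
found_report "$demo_log"
echo "== robust =="
found_report_robust "$demo_log"
rm -f "$demo_log"
```

Jesse's quarantine.log variant needs only the extraction step swapped (his `awk -F '\t' '{print $5}'` in place of the sed), since the counting half is identical; the expected values the report should produce on the constructed sample are three distinct names with Worm.SomeFool.Gen-1 on top at a count of 3.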
RE: [Clamav-users] clam not fresh
Mark Novak Sent: Friday, March 26, 2004 10:14 AM
> It seems to me that I am updated, as I have the same number of
> signatures as you do, but when I grep it for somefool, maybe it is
> going to the old set in the other directory?

This, apparently, is my problem. Read my post from yesterday about how I copied
my CVDs from one folder on top of the ones in another folder. Try that and then
maybe it will work.

I still haven't figured out my problem though since I apparently need to change
the path in clamav before compiling. I barely know what compiling is.

cheers,
Colin

Colin A. Bartlett
Kinetic Web Solutions
www.kineticweb.biz
[Clamav-users] Re: Yet another TESTVIRUS.org result !!
Dilip M wrote:
[...]
>> Only improvement is Test # 12 was detected ?
>>
>> Where as all other Viruses, ie
>> Test # 19,21,23,25
>> came through :(

That is exactly what I'm getting with qmail-scanner-1.21 and clamav0.70-rc
(and the CVS version from 2004/03/25).

I think there was a discussion about these last four items a few weeks ago.
Some people complained that ClamAV is not a 'vulnerability/exploit' scanner,
but a virus scanner. This makes sense (and helps to avoid code bloat), but if
this is the consensus then I hope that qmail-scanner will soon address the
above 4 items internally, or that someone else will create a program dedicated
to this task. Exploit scanning may not belong in ClamAV, but it needs to be
addressed somewhere.

> After blocking 'com' extension i observed that many of viruses from
> testvirus.org had 'com' extension!!
>
> Better i block the 'com' extension itself, at least reducing the load on
> CLAM :))

Which scanner are you using? qmail-scanner scans viruses FIRST, then blocks
extensions based on policy. This change was made between 1.20-rc2 and 1.20-rc3
if I remember correctly.

--
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v) 423-559-5145 (f)
http://www.wingnet.net
RE: [Clamav-users] Segfault on password protected rar?
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Ethan P
> Sent: Friday, March 26, 2004 10:32 AM
> To: [EMAIL PROTECTED]
> Subject: [Clamav-users] Segfault on password protected rar?
>
> I'm running ClamAV .65 on an RH9 system, with Qmail-Scanner-1.20RC3.
>
> The other day, the following worm slipped through my clamav scanner:
> Worm.Bagle.Gen-rarpwd
>
> At first, I thought it was a new rar file, and tried to submit it. This
> variant had already been input into the database. Figuring that I was just
> out-of-date, I ran freshclam.
>
> I decided to grab the file and run clamscan on it -- just to make sure that
> it's being caught. Upon a regular scan, clamav (clamscan) segfaults. I
> assumed that this is due to the file being password protected -- so I re-ran
> it with the --disable-archive option and sure enough, the worm was found:
>
> [EMAIL PROTECTED] root]# clamscan --disable-archive -i first_part.rar
> first_part.rar: Worm.Bagle.Gen-rarpwd FOUND
>
> --- SCAN SUMMARY ---
> Known viruses: 41298
> Scanned directories: 0
> Scanned files: 1
> Infected files: 1
> Data scanned: 0.02 MB
> I/O buffer size: 131072 bytes
> Time: 0.782 sec (0 m 0 s)
>
> Problem is, when I send this file via email, ClamAV doesn't detect it. I
> assume it's segfaulting each time it scans this file.
>
> What's the best thing I can do at this point? I want ClamAV to open
> archives when possible, but I don't want it to segfault and allow password
> protected archived worms through.

I'm not sure why it's segfaulting, but upgrading to 0.70 may fix this problem.

Jim
Re: [Clamav-users] reject=451 4.7.1 Please try again later
The evidence points to incoming connections taking a long time (minutes) to send the first line of header after establishing a connection, so clamd gives up waiting. Increasing clamd's timeout will help. I have seen 4-5 minutes between an SMTP connection being established and the conversation finally getting around to doing a DATA statement.

-Nigel

--
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK. ICQ#20252325
[EMAIL PROTECTED] http://www.bandsman.co.uk
[Clamav-users] Re: email structure logging
Nigel Horne wrote:

> On Thursday 25 Mar 2004 10:05 pm, Jesse Guardiani wrote:
>
>> Is there any way to make clamd log the structure of
>> a message and its attachments? BinHex, MIME, plain-text,
>> ZIP, RAR, BZIP, GZIP, OLE2, etc...?
>
> I don't consider that to be the job of a virus scanner.

:) Why not, if it can already perform actions on the above items?

I use qmail-scanner currently, which does much of the above, but qmail-scanner doesn't recognize BinHex or OLE2. I just thought it would be neat for statistics reporting purposes. Haven't you ever wondered what percentage of the mail going through your server is BinHex?

--
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v) 423-559-5145 (f)
http://www.wingnet.net
RE: [Clamav-users] clam not fresh
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Mark Novak
> Sent: Friday, March 26, 2004 10:14 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] clam not fresh
>
> My number of signatures is exactly the same as yours. When I grep for
> somefool, I stop at M.
>
> I do still have the old style signatures located in /usr/share/clamav
> from clam-0.65. Tomasz mentioned in an earlier post that this could be
> the problem. I am wondering if I should change the freshclam.conf
> database line from /var/lib/clamav to /usr/share/clamav?
>
> It seems to me that I am updated, as I have the same number of
> signatures as you do, but when I grep it for somefool, maybe it is
> going to the old set in the other directory?
>
> What do you think?

I would remove the copy in /usr/share/clamav. If you are using clamscan, then having /var/lib/clamav as the database directory in /etc/clamav.conf doesn't make any difference because clamscan does not listen to this config file. /etc/clamav.conf is for clamDscan only. You can specify the database path on the command line with clamscan using --database=FILE/DIR. However I would just remove the /usr/share copy of the database to prevent future confusion.

Jim
[Clamav-users] Segfault on password protected rar?
I'm running ClamAV .65 on an RH9 system, with Qmail-Scanner-1.20RC3.

The other day, the following worm slipped through my clamav scanner:
Worm.Bagle.Gen-rarpwd

At first, I thought it was a new rar file, and tried to submit it. This variant had already been input into the database. Figuring that I was just out-of-date, I ran freshclam.

I decided to grab the file and run clamscan on it -- just to make sure that it's being caught. Upon a regular scan, clamav (clamscan) segfaults. I assumed that this is due to the file being password protected -- so I re-ran it with the --disable-archive option and sure enough, the worm was found:

[EMAIL PROTECTED] root]# clamscan --disable-archive -i first_part.rar
first_part.rar: Worm.Bagle.Gen-rarpwd FOUND

--- SCAN SUMMARY ---
Known viruses: 41298
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.02 MB
I/O buffer size: 131072 bytes
Time: 0.782 sec (0 m 0 s)

Problem is, when I send this file via email, ClamAV doesn't detect it. I assume it's segfaulting each time it scans this file.

What's the best thing I can do at this point? I want ClamAV to open archives when possible, but I don't want it to segfault and allow password protected archived worms through.

Thanks in advance,
Ethan Pinkert
RE: [Clamav-users] clam not fresh
> I do still have the old style signatures located in
> /usr/share/clamav from clam-0.65. Tomasz mentioned
> in an earlier post that this could be the problem.
> I am wondering if I should change the freshclam.conf
> database line from /var/lib/clamav to /usr/share/clamav?
>
> It seems to me that I am updated, as I have the same
> number of signatures as you do, but when I grep it
> for somefool, maybe it is going to the old set in
> the other directory?
>
> What do you think?

I think it is time for you to erase ALL of your clamAV files, wherever you have them scattered, and reinstall and reconfigure, so you only have one set of .conf files and one set of .cvd files, and then reboot. At least then you'll know where to look and/or get meaningful error messages.

Cheers,
Phil

-
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
Re: [Clamav-users] clam not fresh
Jim,

On Mar 26, 2004, at 8:43 AM, Jim Maul wrote:

>> I did exactly that, deleted the cvd files and re-ran freshclam. I am
>> only showing through SomeFool.M, no O, P or P-dll.
>>
>> Any ideas or tips appreciated.
>>
>> Thanks,
>>
>> Mark
>
> Well, being that this makes no sense, the only thing I can suggest is to
> try another mirror. If you are not specifying one explicitly then you
> should get a different one almost every time you run freshclam so I don't
> know why this would matter, but I am running out of ideas. What is the
> total number of viruses it says for your database? Try this
>
> [EMAIL PROTECTED] jmaul]# sigtool -i /var/lib/clamav/main.cvd
> Build time: 29 Feb 2004 18-19 +0100
> Version: 21
> # of signatures: 20094
> Functionality level: 1
> Builder: tkojm
> MD5: a20b254aa5f6b97dcafc115a63c8af4e
> Digital signature:
> rpzUhP4jcYOSj/tMnkU5zPs3GbJWsdmj2+7Z4BkUGOfN8pS0XnQ2qJY1TF/1P4jeadvBVNoCwJiI
> wamnGtBO8fTnLiMgMXSiy/L1odsalY0iCyRmxzYNqWUoG6Q3CMhEJ8M9c8idT7LBGYHwtKCBv0hH
> hIIrkqS2jh5V0XAxIwh
> Verification OK.
>
> [EMAIL PROTECTED] jmaul]# sigtool -i /var/lib/clamav/daily.cvd
> Build time: 26 Mar 2004 10-20 +0100
> Version: 217
> # of signatures: 615
> Functionality level: 1
> Builder: diego
> MD5: 4c963cdbafb148be77556bf0cc9a
> Digital signature:
> QhYZD+fLArMzj4Eukpl7HCNZVgPw3aNNYyx860Mb2tj8CFXTHNZSM6L0k+pUtLKXa8wFbLjFPQCF
> fnmiE0GiB5zjzT/oyzeFpXhmNH3axBrhQZ/h/qkN/XZgDgX2Dl4g9tv75uzu/XbAtNcbWBl04TPE
> wkbu2Dq1aE5Ml0hlZfh
> Verification OK.
>
> see if the "# of signatures" matches what I have here.
>
> Jim

My number of signatures is exactly the same as yours. When I grep for somefool, I stop at M.

I do still have the old style signatures located in /usr/share/clamav from clam-0.65. Tomasz mentioned in an earlier post that this could be the problem. I am wondering if I should change the freshclam.conf database line from /var/lib/clamav to /usr/share/clamav?

It seems to me that I am updated, as I have the same number of signatures as you do, but when I grep it for somefool, maybe it is going to the old set in the other directory?

What do you think?

Thanks,

Mark

---
[This E-mail scanned for viruses by Declude Virus]
RE: [Clamav-users] clam not fresh
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Mark Novak
> Sent: Thursday, March 25, 2004 5:37 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] clam not fresh
>
> I did exactly that, deleted the cvd files and re-ran freshclam. I am
> only showing through SomeFool.M, no O, P or P-dll.
>
> Any ideas or tips appreciated.
>
> Thanks,
>
> Mark

Well, being that this makes no sense, the only thing I can suggest is to try another mirror. If you are not specifying one explicitly then you should get a different one almost every time you run freshclam so I don't know why this would matter, but I am running out of ideas. What is the total number of viruses it says for your database? Try this

[EMAIL PROTECTED] jmaul]# sigtool -i /var/lib/clamav/main.cvd
Build time: 29 Feb 2004 18-19 +0100
Version: 21
# of signatures: 20094
Functionality level: 1
Builder: tkojm
MD5: a20b254aa5f6b97dcafc115a63c8af4e
Digital signature:
rpzUhP4jcYOSj/tMnkU5zPs3GbJWsdmj2+7Z4BkUGOfN8pS0XnQ2qJY1TF/1P4jeadvBVNoCwJiI
wamnGtBO8fTnLiMgMXSiy/L1odsalY0iCyRmxzYNqWUoG6Q3CMhEJ8M9c8idT7LBGYHwtKCBv0hH
hIIrkqS2jh5V0XAxIwh
Verification OK.

[EMAIL PROTECTED] jmaul]# sigtool -i /var/lib/clamav/daily.cvd
Build time: 26 Mar 2004 10-20 +0100
Version: 217
# of signatures: 615
Functionality level: 1
Builder: diego
MD5: 4c963cdbafb148be77556bf0cc9a
Digital signature:
QhYZD+fLArMzj4Eukpl7HCNZVgPw3aNNYyx860Mb2tj8CFXTHNZSM6L0k+pUtLKXa8wFbLjFPQCF
fnmiE0GiB5zjzT/oyzeFpXhmNH3axBrhQZ/h/qkN/XZgDgX2Dl4g9tv75uzu/XbAtNcbWBl04TPE
wkbu2Dq1aE5Ml0hlZfh
Verification OK.

see if the "# of signatures" matches what I have here.

Jim
Re: [Clamav-users] Find bagle in Zip files.
On Fri, 26 Mar 2004 07:31:58 GMT
Tomasz Klim <[EMAIL PROTECTED]> wrote:

>> clamav to find a virus in a password protected file when f-secure
>> support claims it isnt possible?
>
> Clamav doesn't find viruses in passworded zip archives. Clamav just
> have in its virus database 2 special signatures, that treat _all_
> passworded zip archives as viruses. No matter what they contain.

As Trog already described, that's not true.

> But AFAIK, Kaspersky AntiVirus can crack a password on zip archive
> in some special circumstances. I have a program, that can do the
> same, but Tomasz Kojm is not interested in it.

Right. ClamAV must be transparent in its licensing.

--
   oo.    Tomasz Kojm <[EMAIL PROTECTED]>
  (\/)\.  http://www.ClamAV.net/gpg/tkojm.gpg
   \..._  0DCA5A08407D5288279DB43454822DC8985A444B
   //\ /\ Fri Mar 26 14:11:02 CET 2004
Re: [Clamav-users] Yet another TESTVIRUS.org result !!
> [..]
>> Test # 12,19,21,23,25
>> Is this normal or I need to upgrade ?
>
> Get latest clamav, 0.70rc or even CVS, then enable ScanMail.

Just now I got this CLAMAV installed...

---
# rpm -qa|grep clam
clamav-0.70rc-1
-
ClamAV update process started at Fri Mar 26 15:45:25 2004
main.cvd is up to date (version: 21, sigs: 20094, f-level: 1, builder: tkojm)
daily.cvd is up to date (version: 217, sigs: 615, f-level: 1, builder: diego)
-

Only improvement is Test # 12 was detected ?

Where as all other Viruses, ie
Test # 19,21,23,25
came through :(

After blocking 'com' extension I observed that many of viruses from testvirus.org had 'com' extension!!

Better I block the 'com' extension itself, at least reducing the load on CLAM :))

I think it better to do this as last, after testing Clam is detecting those viruses or not :)

-Dilip

--
I was born intelligent; education ruined me.
[Clamav-users] RE: Clamav error
Jesse Guardiani

uname -na
Linux korn 2.4.23 #2 Fri Dec 26 13:44:13 BRST 2003 i686 unknown
Re: [Clamav-users] Yet another TESTVIRUS.org result !!
On Wed, 24 Mar 2004 10:19:26 -0300, Everton da Silva Marques <[EMAIL PROTECTED]> wrote:

> On Wed, Mar 24, 2004 at 02:33:09PM +0530, Dilip M wrote:
>
>> I'm running "clamav-0.67-1", with Exim 4.30/exiscan-acl patch revision 14.
>> I got these viruses skipped while testing through testvirus.org
>> Test # 12,19,21,23,25
>> Is this normal or I need to upgrade ?
>
> Get latest clamav, 0.70rc or even CVS, then enable ScanMail.

Just now I got this CLAMAV installed...

---
# rpm -qa|grep clam
clamav-0.70rc-1
-
ClamAV update process started at Fri Mar 26 15:45:25 2004
main.cvd is up to date (version: 21, sigs: 20094, f-level: 1, builder: tkojm)
daily.cvd is up to date (version: 217, sigs: 615, f-level: 1, builder: diego)
-

Only improvement is Test # 12 was detected ?

Where as all other Viruses, ie
Test # 19,21,23,25
came through :(

-Dilip
Re: [Clamav-users] conbination with spamassasin
Joe's Web Hosting -- 山田 wrote:

> Exiscan is a patch for the source program of Exim,
> so Exim should be compiled.

Yes.

> However, I am using cPanel also.
> My admin thinks Amavisd-new is better than Exiscan.

No way.

The recommended setup will result in the mail flow
sender -> exim -> amavis -> exim -> mailbox. VERY BAD.
Note the extra hops? It means your exim will process the same mail twice.
Compare it with the exim+exiscan solution:
sender -> exim -> mailbox

> Is there any way to use amavisd-new for realizing the combination
> with SpamAssassin?

Yes, but I can't help you there.
I tried once, but performance-wise it's terrible.
I used instructions from http://www.ijs.si/software/amavisd/README.exim_v4
You add an amavis router, an amavis transport, and a local_interfaces directive.

Anyway, as I said earlier this is the wrong list.
You might get better luck on the exim-users or amavis-users list.

Regards,

Fajar
Re: [Clamav-users] Building Clam-RPM without milter support ?
On Fri, 26 Mar 2004 14:33:46 +0530, Dilip M <[EMAIL PROTECTED]> wrote:

> Hi,
>
> Just downloaded the src RPM "clamav-0.70rc-1.src.rpm"
> I wanted to build RPM without milter support ?

Did

%define _without_milter 1

It's getting built :)
Re: [Clamav-users] Help with clamav-milter.sh
Bryce wrote:

> The startup script "clamav-milter.sh" makes a few calls to init.d. I am on a
> Virtual Private Server so I do not have init.d available to me. All I have
> is rc.d. How can I then get clamav-milter to start when I reboot my server?
>
> Thanks

Write your own simple script and put it in rc.d/

    #!/bin/sh
    echo "Starting clamav-milter. "
    /usr/sbin/clamav-milter $CLAMAV_FLAGS
    #end

Petr
Re: [Clamav-users] Building Clam-RPM without milter support ?
Dilip M wrote:

> Hi,
>
> Just downloaded the src RPM "clamav-0.70rc-1.src.rpm"
> I wanted to build RPM without milter support ?
> What I need to change in SPEC file... Sorry I know very very little abt SPEC file.
>
> Thanks
> -Dilip

Try: 'rpmbuild -ba clamav.spec --without milter'

Petr
[Clamav-users] Building Clam-RPM without milter support ?
Hi,

Just downloaded the src RPM "clamav-0.70rc-1.src.rpm"
I wanted to build RPM without milter support ?
What I need to change in SPEC file... Sorry I know very very little abt SPEC file.

Thanks
-Dilip

--
The brain is a wonderful organ. It gets automounted the moment you get up in the morning and does not go to sleep state until you forcefully umount it !!
Re: [Clamav-users] email structure logging
On Thursday 25 Mar 2004 10:05 pm, Jesse Guardiani wrote:

> Is there any way to make clamd log the structure of
> a message and its attachments? BinHex, MIME, plain-text,
> ZIP, RAR, BZIP, GZIP, OLE2, etc...?

I don't consider that to be the job of a virus scanner.

-Nigel

--
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK. ICQ#20252325
[EMAIL PROTECTED] http://www.bandsman.co.uk
RE: [Clamav-users] Find bagle in Zip files.
> -Original Message-
> From: Fajar A. Nugraha [mailto:[EMAIL PROTECTED]
> Sent: March 26, 2004 09:09
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] Find bagle in Zip files.
>
> Simon Gate wrote:
>
>> Hello.
>>
>> I'm running a smtp server with f-secure and clamav. I have a problem
>> with the f-secure server because it can't find the bagle virus in
>> password protected zip files but clamav does. I e-mailed f-secure
>> support about it and they said to me there isn't any virus scanner today that
>> can find virus in password protected zip files.
>
> true.
>
>> And this answer confuses me because
>> clamav does find the virus in the password protected zip file. And now
>> my question, how is it possible for clamav to find a virus in a
>> password protected file when f-secure support claims it isn't possible?
>
> Because clamav doesn't just scan attachments. It also
> examines the raw email for certain patterns to mark
> archive-encrypted viruses. Something like "password" and then
> followed by an attachment.
>
> If you only feed clamav with attachment (e.g. the encrypted
> zip), it won't be able to find it either.

When I feed my clamav with the attachment of a bagle virus it says Worm.Bagle.Gen-zippwd FOUND. And this is when I have ArchiveDetectEncrypted turned off. I don't know if clamav only detects the early variants of bagle.

> Last, clamav (the latest version) also has an option in
> clamav.conf : ArchiveDetectEncrypted
>
> If you turn this option on, clamav will reject all encrypted
> zips as Encrypted.Zip virus. Also works on encrypted rars.
> Even with that option off (which is the default case), you
> still catch most archive-encrypted viruses (In this case, Bagle).

This might be a good option. I don't think anyone in our organization uses password protected zip files. If they need to protect their files I would suggest something more reliable.

Best Regards
Simon
Re: [Clamav-users] Find bagle in Zip files.
On Fri, 2004-03-26 at 07:31, Tomasz Klim wrote:

>> I'm running a smtp server with f-secure and clamav. I have a problem with
>> the f-secure server because it can't find the bagle virus in password
>> protected zip files but clamav does. I e-mailed f-secure support about it
>> and they said to me there isn't any virus scanner today that can find virus
>> in password protected zip files. And this answer confuses me because
>> clamav does find the virus in the password protected zip file. And now
>> my question, how is it possible for clamav to find a virus in a password
>> protected file when f-secure support claims it isn't possible?
>
> Clamav doesn't find viruses in passworded zip archives. Clamav just
> have in its virus database 2 special signatures, that treat _all_
> passworded zip archives as viruses. No matter what they contain.

That's not entirely accurate, or the complete picture.

Version 0.70-rc has the config option:

ArchiveDetectEncrypted

which will then flag password protected zips and rars as a virus by returning Encrypted.RAR and Encrypted.Zip as the virus name.

In addition to that, there is a generic Bagle.zippwd signature in the signature database that specifically catches Bagle encrypted zip archives by scanning the raw zip file. It is possible to do that due to some unusual characteristics of the zip format used.

-trog
Re: [Clamav-users] Application to generate CLAMAV report
How do I get ClamAV to generate this report?

//Regards Jonas

- Original Message -
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, March 25, 2004 7:35 AM
Subject: [Clamav-users] Application to generate CLAMAV report

Dear all,

I have created a small application that allows the creation of a report based on the email virus report that Clamav sends out. It can generate a report based on the virus name, virus sender and virus recipient. It also has a user interface that allows a user to manipulate the data.

A sample screen is at http://www.geocities.com/synasir/emailavlog.jpg

A sample report is below.

--- VIRUS NAME ---
Virus name                     Count   Share
Worm.SomeFool.Gen-1             1084   47.17%
Worm.SomeFool.P                  771   33.55%
Worm.SomeFool.Gen-2              121    5.27%
Worm.Bagle.Gen-zippwd            103    4.48%
Worm.SCO.A                        67    2.92%
JS.Spam.Scramble.A-mail           48    2.09%
Worm.Mydoom.F                     32    1.39%
Worm.SomeFool.I                   18    0.78%
Trojan.Dropper.C                  16    0.70%
Worm.Bagle.Gen-1                  15    0.65%
Worm.Bagle.P                       6    0.26%
Worm.Klez.H                        5    0.22%
Worm.Bagle.Gen-zippwd-2            3    0.13%
JS.Spam.Scramble.A                 2    0.09%
Worm.Nyxem                         2    0.09%
Exploit.HTML.Bagle.Gen-3-eml       1    0.04%
Exploit.HTML.Bagle.Gen-4-eml       1    0.04%
JS.FortNight.M                     1    0.04%
Worm.Mydoom.G                      1    0.04%

If you are interested, please get it at http://www.geocities.com/synasir/emailavlog.zip (about 2 MB)

This is emailware. If you are using it, please send me an email at [EMAIL PROTECTED]

Don't forget to send me an email if you are using it. Thanks.
Re: [Clamav-users] Find bagle in Zip files.
How do I get ClamAV to search through password protected files? I'm using ClamAV-devel-20030318

//Regards Jonas

- Original Message -
From: "Simon Gate" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, March 26, 2004 8:04 AM
Subject: [Clamav-users] Find bagle in Zip files.

Hello.

I'm running a smtp server with f-secure and clamav. I have a problem with the f-secure server because it can't find the bagle virus in password protected zip files but clamav does. I e-mailed f-secure support about it and they said to me there isn't any virus scanner today that can find virus in password protected zip files. And this answer confuses me because clamav does find the virus in the password protected zip file. And now my question, how is it possible for clamav to find a virus in a password protected file when f-secure support claims it isn't possible?

Best regards
Simon.
Re: [Clamav-users] conbination with spamassasin
Hi.

Exiscan is a patch for the source program of Exim,
so Exim should be compiled.
However, I am using cPanel also.
My admin thinks Amavisd-new is better than Exiscan.

Is there any way to use amavisd-new for realizing the combination
with SpamAssassin?

Many thanks.

> Joe's Web Hosting -- 山田 wrote:
>> Hello.
>>
>> I installed amavis under exim.
>> They communicate with each other.
>> I found SpamAssassin in exim does not work
>> if the router and transport are ON.
>> The problem occurs because
>> exim is regarded as an outer command and
>> exim is executed infinitely many times.
>>
>> Anybody knows how to fix this?
>
> Wrong list, Joe :)
> As an exim user, however, I suggest you discard amavis completely
> and go for exim+exiscan (http://duncanthrax.net/exiscan-acl/)
> It can use clamav and SpamAssassin natively.
>
> Regards,
>
> Fajar
Re: [Clamav-users] Find bagle in Zip files.
Simon Gate wrote:
> Hello. I'm running an SMTP server with F-Secure and ClamAV. I have a problem with the F-Secure server because it can't find the Bagle virus in password protected zip files but ClamAV does. I e-mailed F-Secure support about it and they said to me that there isn't any virus scanner today that can find viruses in password protected zip files.

true.

> And this answer confuses me because ClamAV does find the virus in the password protected zip file. And now my question: how is it possible for ClamAV to find a virus in a password protected file when F-Secure support claims it isn't possible?

Because ClamAV doesn't just scan attachments. It also examines the raw email for certain patterns to mark archive-encrypted viruses, something like "password" followed by an attachment. If you only feed ClamAV the attachment (e.g. the encrypted zip), it won't be able to find it either.

Last, ClamAV (the latest version) also has an option in clamav.conf: ArchiveDetectEncrypted. If you turn this option on, ClamAV will reject all encrypted zips as the Encrypted.Zip virus. It also works on encrypted rars.

Even with that option off (which is the default case), you still catch most archive-encrypted viruses (in this case, Bagle).

Regards,
Fajar
Re: [Clamav-users] Find bagle in Zip files.
> I'm running an SMTP server with F-Secure and ClamAV. I have a problem with the F-Secure server because it can't find the Bagle virus in password protected zip files but ClamAV does. I e-mailed F-Secure support about it and they said to me that there isn't any virus scanner today that can find viruses in password protected zip files. And this answer confuses me because ClamAV does find the virus in the password protected zip file. And now my question: how is it possible for ClamAV to find a virus in a password protected file when F-Secure support claims it isn't possible?

ClamAV doesn't find viruses in passworded zip archives. ClamAV just has in its virus database 2 special signatures that treat _all_ passworded zip archives as viruses, no matter what they contain.

But AFAIK, Kaspersky AntiVirus can crack a password on a zip archive in some special circumstances. I have a program that can do the same, but Tomasz Kojm is not interested in it.

--
Tomasz Klim, [EMAIL PROTECTED]
http://www.euroneto.pl
Phone: +48 61 8433535 Fax: +48 61 8434455
Euronet Sp. z o.o., Dabrowskiego 81/85, 60-529 Poznan, Poland
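The two detection behaviours described in Fajar's and Tomasz Klim's replies above, as an added example that is not ClamAV's own code: a small parser that flags zip entries whose local-header encryption bit is set, and a message scanner that either rejects every encrypted archive outright (the ArchiveDetectEncrypted-style policy) or only flags one when the message text also mentions a password. The verdict names, the sample mail and the archive fragments are constructed for this example and are not ClamAV signature names.

```python
import re
import struct
import zlib
from email import message_from_bytes
from email.message import EmailMessage

LOCAL_SIG = 0x04034B50                      # "PK\x03\x04": zip local file header
LOCAL_HDR = struct.Struct("<IHHHHHIIIHH")   # its 30-byte fixed part
ENCRYPTED_FLAG = 0x0001                     # general-purpose bit 0: entry is encrypted
PASSWORD_HINT = re.compile(r"\bpassword\b", re.IGNORECASE)

def encrypted_zip_entries(data: bytes) -> list:
    # Walk local headers only, so an archive without a central directory still yields a verdict.
    names, pos = [], 0
    while pos + LOCAL_HDR.size <= len(data):
        sig, _, flags, _, _, _, _, csize, _, nlen, xlen = LOCAL_HDR.unpack_from(data, pos)
        if sig != LOCAL_SIG:
            break
        name_start = pos + LOCAL_HDR.size
        if flags & ENCRYPTED_FLAG:
            names.append(data[name_start:name_start + nlen].decode("utf-8", "replace"))
        if flags & 0x0008:   # bit 3: sizes live in a trailing descriptor; stop rather than misparse
            break
        pos = name_start + nlen + xlen + csize
    return names

def make_local_entry(name: bytes, payload: bytes, encrypted: bool) -> bytes:   # constructed input
    hdr = LOCAL_HDR.pack(LOCAL_SIG, 20, ENCRYPTED_FLAG if encrypted else 0, 0, 0, 0,
                         zlib.crc32(payload), len(payload), len(payload), len(name), 0)
    return hdr + name + payload

def build_sample_message(body: str, zipdata: bytes) -> bytes:   # constructed input
    msg = EmailMessage()
    msg.set_content(body)
    msg.add_attachment(zipdata, maintype="application", subtype="zip", filename="photos.zip")
    return msg.as_bytes()

def scan_message(raw: bytes, reject_all_encrypted: bool = False):
    # Verdict name or None; both verdict strings are invented for this example.
    body, encrypted = "", []
    for part in message_from_bytes(raw).walk():
        payload = part.get_payload(decode=True)   # None for multipart containers
        if part.get_content_type() == "text/plain":
            body += payload.decode(part.get_content_charset() or "utf-8", "replace")
        elif payload and encrypted_zip_entries(payload):
            encrypted.append(part.get_filename())
    if encrypted and reject_all_encrypted:        # ArchiveDetectEncrypted-style policy
        return "Encrypted.Zip"
    return "Heuristics.PasswordedZip" if encrypted and PASSWORD_HINT.search(body) else None
```

With the policy switch off, an encrypted archive alone is not flagged; it is the combination of a password hint in the text and an encrypted attachment that triggers the verdict, which is why feeding only the attachment to the scanner finds nothing.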
