Re: [Clamav-users] Virus Names
At 23:38 05-04-2004 -0500, you wrote:
> Question:
> If Worm.SomeFool is Netsky, then why is it not labeled as netsky?
> Also, is there a way to make an alias in the virus database so my users can
> see netsky instead of Worm.Somefool?
>
> Basically that's because the users keep complaining about the virus names
> that cannot be found anywhere else (like the virus database from TrendMicro).

It would be good if all AV software would use the same names. Still, most commercial AV vendors are using their own naming conventions and so does Clamav.

Somefool at least describes the sender of the virus :)

B.

---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of GenToo technologies. Learn everything from fundamentals to system administration. http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users
Re: [Clamav-users] Virus Names
B. van Ouwerkerk wrote:
> At 23:38 05-04-2004 -0500, you wrote:
> > Question:
> > If Worm.SomeFool is Netsky, then why is it not labeled as netsky?
>
> It would be good if all AV software would use the same names. Still, most
> commercial AV vendors are using their own naming conventions and so does
> Clamav.

Actually, it usually happens that Clamav recognises the virii before the other AV vendors, so no well-known name was available. See the archive for the more detailed answers; this question was already answered here.
[Clamav-users] Re: Don't Understand
Thanks guys.
Now Clamav seems to work.
I'm now trying to use it with Amavisd-new, and when I start amavisd in debug mode and try to send a test email using telnet on 10024, I get an error that tells me it can't access the file in the /var/lib/amavis/tmp directory; ownership of this directory is set to user/group amavis.
Do my clamav user/group have to have read access on this directory? If yes, could you tell me how to set it?
And then, as I think I have to learn more on how to define rights under a Linux system, could you tell me a good tutorial on this?
Thanks before.

Rémi

"Rémi Goyard" <[EMAIL PROTECTED]> wrote in message news: [EMAIL PROTECTED]
> Hi everybody,
>
> I'm trying to install Clamav for mail virus scanning using Postfix
> and Amavisd-new.
> But when I run clamd, there are no errors, but if just after I want to
> verify the execution of the clamav daemon with clamdscan, this returns:
> connect(): Connection refused
> ERROR: Can't connect to clamd.
>
> It seems to mean that clamd is not running, but I don't understand why.
> Can anyone help me please?
> Thanks
>
> Rémi

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.648 / Virus Database: 415 - Release Date: 31/03/2004
Re: [Clamav-users] Virus Names
Fisher <[EMAIL PROTECTED]> writes:
> Actually, it usually happens that Clamav recognises the virii before
> the other AV vendors, so no well-known name was available. See the
> archive for the more detailed answers; this question was already answered
> here.

So maybe, as with celestial objects, there should be agreement that the first AV 'vendor' to publish a detection for a virus should be given the honour of naming it and the other vendors adopt the same name rather than inventing their own (and potentially causing confusion). So if Clamav is first, other vendors should adopt its name and if some other vendor is first then Clamav should use the name that vendor gives it.
Re: [Clamav-users] Virus Names
On Tuesday 06 April 2004 9:48 am, Graham Murray wrote:
> Fisher <[EMAIL PROTECTED]> writes:
> > Actually, it usually happens that Clamav recognises the virii before
> > the other AV vendors, so no well-known name was available. See the
> > archive for the more detailed answers; this question was already answered
> > here.
>
> So maybe, as with celestial objects, there should be agreement that
> the first AV 'vendor' to publish a detection for a virus should be
> given the honour of naming it and the other vendors adopt the same
> name rather than inventing their own (and potentially causing
> confusion).

Celestial objects do not commonly appear and need an agreed name within the urgent timescale of computer viruses :)

Whilst your proposal makes excellent sense, it assumes:

a) cooperation between the commercial A-V vendors and Open Source developers (there is often a blockage in one direction here)
b) that it's easy to tell if the virus one person's given a name to is the same as the virus someone else has just named
c) that the time taken to cooperate over the name is very short compared to the time to get a signature out under the corresponding name

Basically, it comes down to the fact that the commercial A-V vendors don't want to share their new virus samples with the Open Source community, so we have no way of knowing whether the virus we've just named is the same one that they have.

I think the best we'll ever achieve is a cross-reference database.

Regards,

Antony.

--
These clients are often infected by viruses or other malware and need to be fixed. If not, the user at that client needs to be fixed...
- Henrik Nordstrom, on Squid users' mailing list

Please reply to the list; please don't CC me.
[Clamav-users] clamav-0.70-rc make probs
What's up? ./configure is done without errors, but make stops at the beginning (SuSE 8.2, kernel 2.4.20, gcc 3.3 20030226)

...
make all-recursive
make[1]: Entering directory `/src/clamav-0.70-rc'
Making all in libclamav
make[2]: Entering directory `/src/clamav-0.70-rc/libclamav'
source='matcher.c' object='matcher.lo' libtool=yes \
depfile='.deps/matcher.Plo' tmpdepfile='.deps/matcher.TPlo' \
depmode=gcc3 /bin/sh ../depcomp \
/bin/sh ../libtool --mode=compile gcc -DHAVE_CONFIG_H -I. -I. -I.. -I.. -I./zziplib-g -O2 -c -o matcher.lo `test -f 'matcher.c' || echo './'`matcher.c
mkdir .libs
gcc -DHAVE_CONFIG_H -I. -I. -I.. -I.. -I./zziplib -g -O2 -c matcher.c -MT matcher.lo -MD -MP -MF .deps/matcher.TPlo -fPIC -DPIC -o .libs/matcher.lo
In file included from /usr/include/string.h:372,
                 from matcher.c:29:
/usr/include/bits/string.h:1826:9: missing terminating " character
make[2]: *** [matcher.lo] Error 1

Can anyone help? Thanks :)
clamav-0.68-1 is installed and works with complete satisfaction!

Cheers,
Patrick

--
- Environmental Agency of North Rhine-Westphalia / Duesseldorf, Germany
- Postfach 11 11 20, 40511 Düsseldorf
http://www.stua-d.nrw.de
"Text used in this document is made from 100% recycled electrons and magnetic particles."
RE: [Clamav-users] Virus Names
Graham Murray wrote:
> So maybe, as with celestial objects, there should be
> agreement that the first AV 'vendor' to publish a detection
> for a virus should be given the honour of naming it and the
> other vendors adopt the same name rather than inventing their
> own (and potentially causing confusion). So if Clamav is
> first, other vendors should adopt its name and if some other
> vendor is first then Clamav should use the name that vendor gives it.

Viruses are discovered a darned sight more rapidly than celestial objects.

Let's not waste the antivirus folks' time by making them jump through hoops over naming protocols. I'd rather priorities were given to protecting us from the darned things instead of worrying about what the vendors call them.

Phil

Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
[Clamav-users] Question on SomeFool Virus
I have several emails which clamav detects as 'Worm.SomeFool.Gen-2', but neither Sophos nor McAfee will detect the virus. Would this be some new variant that clamav found? From the description, this sig was added to detect possible future variants of the NetSky viruses.

Should I submit this? Or just be thankful, or both?

Vernon
Re: [Clamav-users] Question on SomeFool Virus
On Tuesday 06 April 2004 9:57 am, Vernon A. Fort wrote:
> I have several emails which clamav detects as 'Worm.SomeFool.Gen-2', but
> neither Sophos nor McAfee will detect the virus. Would this be some new
> variant that clamav found? From the description, this sig was added to
> detect possible future variants of the NetSky viruses.

Sounds like it's working then :)

> Should I submit this? Or just be thankful, or both?

No point submitting a virus which ClamAV already detects :)

Be thankful the team did a better job than Sophos & McAfee again.

Regards,

Antony.

--
If you can't find an Open Source solution for it, then it isn't a real problem.

Please reply to the list; please don't CC me.
[Clamav-users] Re: Some viruses go through
Sorry, sorry, sorry.
I had some troubles with subscription AND posting by a newsreader.

I don't think that it is a problem related to a specific virus/message; perhaps it is a fetchmail-related issue.

I download messages from external POP3 accounts of my users using fetchmail and then I relay them to their internal accounts, using Sendmail+ClamAV on the same machine.
When fetchmail tries to relay an infected message, sendmail should answer with '550 5.7.1 Virus detected by ClamAV'. And then?

Thanks again
Mimmus
Re: [Clamav-users] clamav-0.70-rc make probs
Schmidt, Patrick wrote:
> What's up? ./configure is done without errors, but make stops at the
> beginning (SuSE 8.2, kernel 2.4.20, gcc 3.3 20030226) ...

How about the recent CVS snapshot? The last one compiles and installs OK on my Fedora Core 2 test 2. Usually some problems are already fixed in CVS versions.

Regards,

Fajar

--
Don't use GIF. Use PNG instead
http://www.gnu.org/philosophy/gif.html
[Clamav-users] not recognising virus in zip files
I'm having problems with the SomeFool virus and zip files... here's what's happening...

If I upload the zip file to the server and run clamscan or clamdscan on the file it recognises the virus no problem.

If I extract the virus and send it to myself as a mail attachment it recognises the viruses no problem.

BUT... if I send the zip file which contains the virus to myself as a mail attachment, clam doesn't recognise the virus at all and just lets it through.

I have updated to: clamdscan / ClamAV version devel-20040406 but that doesn't seem to have fixed it.

Any ideas?

Regan
Re: [Clamav-users] not recognising virus in zip files
On Tuesday 06 April 2004 11:57 am, Regan Yelcich wrote:
> I'm having problems with the SomeFool virus and zip files... here's
> what's happening...
>
> If I upload the zip file to the server and run clamscan or clamdscan
> on the file it recognises the virus no problem.
>
> If I extract the virus and send it to myself as a mail attachment it
> recognises the viruses no problem.
>
> BUT... if I send the zip file which contains the virus to myself as a
> mail attachment, clam doesn't recognise the virus at all and just
> lets it through.

How are you interfacing your email system to ClamAV (ie: what is unpacking the emails and passing them to ClamAV for analysis)?

Milter? MailScanner? Amavisd? Something else?

Regards,

Antony.

--
Perfection in design is achieved not when there is nothing left to add, but rather when there is nothing left to take away.
- Antoine de Saint-Exupery

Please reply to the list; please don't CC me.
Re: [Clamav-users] Question on SomeFool Virus
Antony Stone wrote:
> On Tuesday 06 April 2004 9:57 am, Vernon A. Fort wrote:
> > I have several emails which clamav detects as 'Worm.SomeFool.Gen-2', but
> > neither Sophos nor McAfee will detect the virus. Would this be some new
> > variant that clamav found? From the description, this sig was added to
> > detect possible future variants of the NetSky viruses.
>
> Sounds like it's working then :)
>
> > Should I submit this? Or just be thankful, or both?
>
> No point submitting a virus which ClamAV already detects :)
>
> Be thankful the team did a better job than Sophos & McAfee again.

I use ClamAV in addition to commercial scanners for exactly this reason - ClamAV does detect new viruses sooner than any other commercial scanner. I was just curious if any of the virus admins wanted a look at the message file. If so, let me know how and where to send.

Vernon
Re: [Clamav-users] Virus Names
On Mon, 5 Apr 2004 23:38:08 -0500 "Erick Perez - Vision Media" <[EMAIL PROTECTED]> wrote:
> Question:
> If Worm.SomeFool is Netsky, then why is it not labeled as netsky?
> Also, is there a way to make an alias in the virus database so my users can
> see netsky instead of Worm.Somefool?

It's time to place an answer to this question into the FAQ.

--
Korchmenuk Nickolay
06 Apr 2004 14:25:24
Re: [Clamav-users] not recognising virus in zip files
Sorry - should have mentioned that! Clam is being called through MIMEDefang 2.36.

Just re-installed clam to version 0.68-1 to see if that changed anything - but it didn't.

Regan
Re: [Clamav-users] clamd exited on signal 6
So this problem is known in 0.70-rc and should have been fixed?

On Mon, 5 Apr 2004, Tomasz Kojm wrote:
> On Mon, 5 Apr 2004 16:25:57 +0200 (MET DST)
> Mipam <[EMAIL PROTECTED]> wrote:
>
> > Hi,
> >
> > I'm facing this problem:
> >
> > kernel: pid 567 (clamd), uid 1006: exited on signal 6
>
> Probably some assertion failed and the process received SIGABRT. Try
> updating to the latest CVS version.
>
> --
>    oo.     Tomasz Kojm <[EMAIL PROTECTED]>
>   (\/)\.   http://www.ClamAV.net/gpg/tkojm.gpg
>      \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
>    //\ /\  Mon Apr 5 22:06:04 CEST 2004
Re: [Clamav-users] Re: Don't Understand
On Tue, 2004-04-06 at 02:45, Rémi Goyard wrote:
> Thanks guys
> Now Clamav seems to work.
> I'm now trying to use it with Amavisd-new

The easiest thing to do is to run amavis-new and clamd under the same user. Since you will upgrade clamav more often than amavis, it's probably easiest to run the amavis daemon as clamav rather than the other way around.

> and when I start amavisd in debug
> mode and try to send a test email using telnet on 10024, I get an error
> that tells me it can't access the file in the /var/lib/amavis/tmp directory;
> ownership of this directory is set to user/group amavis.
> Do my clamav user/group have to have read access on this directory? If yes,
> could you tell me how to set it?
> And then, as I think I have to learn more on how to define rights under a
> Linux system, could you tell me a good tutorial on this?
> Thanks before.

--
Daniel J McDonald <[EMAIL PROTECTED]>
Austin Energy
Re: [Clamav-users] Trojan.Dropper.JS.Mimail.B ?
Thanks. I hadn't looked back nearly that far. Something really odd is going on then. Is it possible all of these folks really are suddenly infected? Something to research...

Tomasz Papszun wrote:
> On Mon, 05 Apr 2004 at 8:54:02 -0500, Keith Murphy wrote:
> > I'm suddenly seeing a buttload of these. When was this added? Can't
> > find it in the daily updates. Most, but not all of these, are in folk's
> > browser caches. McAfee and AVG don't detect them.
>
> There:
>
> From: Denis De Messemacker
> To: [EMAIL PROTECTED]
> Subject: [Clamav-virusdb] Update (daily: 46)
> Date: Sat, 6 Dec 2003 04:57:29 +0100

--
Why waste time learning when ignorance is instantaneous? -- Hobbes
[Clamav-users] Re: Virus Names
Antony Stone wrote:

[...]

> I think the best we'll ever achieve is a cross-reference database.

Yes please.

What needs to be done to get this online? Who needs access to what? Public reference submissions, or core maintainers?

I think we desperately need this functionality.

--
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v) 423-559-5145 (f)
http://www.wingnet.net
Re: [Clamav-users] Virus Names
Quoting Erick Perez - Vision Media <[EMAIL PROTECTED]>:
> Question:
> If Worm.SomeFool is Netsky, then why is it not labeled as netsky?

Answer:
If netsky is Worm.SomeFool, then why is it not labeled as Worm.SomeFool?

> Basically that's because the users keep complaining about the virus names
> that cannot be found anywhere else (like the virus database from TrendMicro).

If they want to use the name TrendMicro uses, then they should use the TrendMicro software.

> Thanks, Erick

--
Eric Rostetter
[Clamav-users] Re: Virus Names
Jesse Guardiani wrote:
> Antony Stone wrote:
>
> [...]
>
>> I think the best we'll ever achieve is a cross-reference database.
>
> Yes please.
>
> What needs to be done to get this online? Who needs access to what?
> Public reference submissions, or core maintainers?
>
> I think we desperately need this functionality.

I also think it would be VERY nice to have the date and time the virus was added included in either the definition database or in this reference database.

Do any other AV vendors include this info in their sig databases? If they DO, then we might be able to import that information into our cross references too.

I think it would also be good to design the database tables (assuming we end up going with a relational database) in such a way that it is efficient to query not only for ClamAV viruses to retrieve what the OTHER guys call it, but also to query the other guys' name and see what ClamAV calls it.

Hmmm... then again, this is starting to sound like a separate project.

--
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v) 423-559-5145 (f)
http://www.wingnet.net
Re: [Clamav-users] Virus Names
Quoting Graham Murray <[EMAIL PROTECTED]>:
> So maybe, as with celestial objects, there should be agreement that
> the first AV 'vendor' to publish a detection for a virus should be
> given the honour of naming it and the other vendors adopt the same
> name rather than inventing their own (and potentially causing
> confusion). So if Clamav is first, other vendors should adopt its
> name and if some other vendor is first then Clamav should use the
> name that vendor gives it.

This is exactly what ClamAV does. Now you just need to get the rest of the AV vendors to follow that rule. Good luck with that!

--
Eric Rostetter
Re: [Clamav-users] Virus Names
On Tuesday 06 April 2004 3:58 pm, Eric Rostetter wrote:
> Quoting Erick Perez - Vision Media <[EMAIL PROTECTED]>:
> > Question:
> > If Worm.SomeFool is Netsky, then why is it not labeled as netsky?
>
> Answer:
> If netsky is Worm.SomeFool, then why is it not labeled as Worm.SomeFool?

Do you call people Eskimos or Inuits? They're still the same people, but looking up one or other in some information resource may provide different results.

> > Basically that's because the users keep complaining about the virus names
> > that cannot be found anywhere else (like the virus database from
> > TrendMicro).
>
> If they want to use the name TrendMicro uses, then they should use the
> TrendMicro software.

No, many people are interested to know more about the viruses which are being detected.

If you do a Google search for "NetSky virus" you get 308,000 results. If you do a Google search for "SomeFool virus" you get 2,080.

Therefore knowing the more common name for a virus is useful to people who use ClamAV.

Regards,

Antony.

--
90% of networking problems are routing problems.
9 of the remaining 10% are routing problems in the other direction.
The remaining 1% might be something else, but check the routing anyway.

Please reply to the list; please don't CC me.
[Clamav-users] Strange syslog messages from clamav-milter
I'm periodically seeing the following syslogd messages:

Apr 6 09:23:37 earth rvard.edu> >n_children = 1 Received: PORT 50143 Connecting to local port 50143 clamfi_abort pthread_cond_broadcast >n_children = 1 Received: PORT 30713 Connecting to local port 30713 clamfi_abort pthread_cond_broadcast >n_children = 1 Received: PORT 1109 Connecting to local port 1109 clamfi_envrcpt: <[EMAIL PROTECTED]> clamfi_header clamfi_header clamfi_header clamfi_header clamfi_header clamfi_header clamfi_header clamfi_header clamfi_header clamfi_header clamfi_header clamfi_eoh clamfi_envbody: 112 bytes clamfi_eom clamfi_eom: read stream: OK pthread_cond_broadcast >n_chi

These were broadcast to all users like this:

Message from [EMAIL PROTECTED] at Mon Apr 5 02:06:31 2004 ...
wind [EMAIL PROTECTED]> >n_children = 1 clamfi_envfrom: <[EMAIL PROTECTED]> >n_children = 1 clamfi_envfrom: <[EMAIL PROTECTED]> >n_children = 1 clamfi_envfrom: <[EMAIL PROTECTED]> >n_children = 2 clamfi_envfrom: <[EMAIL PROTECTED]> >n_children = 1 clamfi_envfrom: <[EMAIL PROTECTED]> >n_children = 1 clamfi_envfrom: <[EMAIL PROTECTED]> >n_children = 1 clamfi_envfrom: <[EMAIL PROTECTED]> >n_children = 1 clamfi_envfrom: <[EMAIL PROTECTED]> >n_children = 1 clamfi_envfrom: <[EMAIL PROTECTED]> >n_children = 1 clamfi_envfrom: <[EMAIL PROTECTED]> >n_children = 1 clamfi_envfrom: <[EMAIL PROTECTED]> >n_children = 1 clamfi_envfrom: <[EMAIL PROTECTED]> >n_children = 1 clamfi_envfrom: <[EMAIL PROTECTED]> >n_children = 1 clamfi_envfrom: <[EMAIL PROTECTED]> >n_children = 1 clamfi_envfrom: <[EMAIL PROTECTED]> >n_children = 1 clamfi_envfrom: <[EMAIL PROTECTED]> >n_children = 1 clamfi_envfrom:

until I commented out the following from syslogd.conf:

#*.emerg*

This happens with versions 0.67 and above. I think it may have started with 0.67, though I'm not sure.

Any help on stopping these would be greatly appreciated.

- Orion

--
Orion Poplawski
System Administrator 303-415-9701 x222
Colorado Research Associates/NWRA FAX: 303-415-9702
3380 Mitchell Lane, Boulder CO 80301
http://www.co-ra.com
Re: [Clamav-users] Virus Names
> > If netsky is Worm.SomeFool, then why is it not labeled as Worm.SomeFool?

Rhetoric aside, this is obviously an itch that needs scratched. Clam does a wonderful job and (as was the case with SomeFool) does it faster than most. Perhaps we might be able to scratch up support for an alias correlation database, planting the seed with Clam.

> No, many people are interested to know more about the viruses which are being
> detected.
>
> If you do a Google search for "NetSky virus" you get 308,000 results. If you
> do a Google search for "SomeFool virus" you get 2,080.
>
> Therefore knowing the more common name for a virus is useful to people who use
> ClamAV.

I think that, for our purposes, we need only search on the Clam name for a virus. All other names are potentially worthless work--AFAIK, the clam DB contains only (or mostly) viruses in the wild. If we had as part of the submission process an additional field noting what name the detecting AV called it (For example, worm.notagoodguy passes through clam, but is picked up by trend as WORM.BADGUY). Any aliases that we come up with could get submitted right alongside such a sample.

Our search really only needs to be one-way, to keep it in scope. There's no need to support searching everyone else's names, only Clam's. Everyone's talking about NetSky? If you're not receiving SomeFool, then why do you care? If you are, look up SomeFool.

If you're getting files and Clam doesn't detect them, then submit them. They'll be named, and you'll be able to search.

--Seth
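The cross-reference table discussed in this thread (the two-way lookup with a date-added field proposed earlier, and the ClamAV-name lookup fed by a "detected as" field at submission time in the message above), sketched as an added example that is not code from any poster or from the ClamAV project. Table, column and function names are hypothetical, `vendor-a` is a placeholder vendor, and the rows and timestamps are constructed.

```python
import sqlite3

# Hypothetical schema (not a ClamAV file format): one row per ClamAV
# signature, one row per (signature, vendor, vendor's name) alias.
# NOCASE makes "Worm.Somefool" and "Worm.SomeFool" the same key.
SCHEMA = """
CREATE TABLE IF NOT EXISTS signature (
    clam_name TEXT COLLATE NOCASE PRIMARY KEY,
    added_utc TEXT NOT NULL               -- when the signature was published
);
CREATE TABLE IF NOT EXISTS alias (
    clam_name   TEXT COLLATE NOCASE NOT NULL REFERENCES signature(clam_name),
    vendor      TEXT COLLATE NOCASE NOT NULL,
    vendor_name TEXT COLLATE NOCASE NOT NULL,
    PRIMARY KEY (clam_name, vendor, vendor_name)  -- index for ClamAV -> others
);
-- Index for the reverse direction: another vendor's name -> ClamAV name(s).
CREATE INDEX IF NOT EXISTS alias_by_vendor_name
    ON alias (vendor_name, clam_name);
"""


def open_db(path=":memory:"):
    conn = sqlite3.connect(path)
    # Without this pragma SQLite does not enforce REFERENCES at all.
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn


def add_signature(conn, clam_name, added_utc):
    conn.execute(
        "INSERT INTO signature (clam_name, added_utc) VALUES (?, ?)",
        (clam_name, added_utc),
    )


def add_alias(conn, clam_name, vendor, vendor_name):
    """Record a submitter's 'detected as' field. Returns True if it was new.

    A repeated submission is ignored; an alias for a signature that does not
    exist raises sqlite3.IntegrityError (OR IGNORE does not cover foreign keys).
    """
    cur = conn.execute(
        "INSERT OR IGNORE INTO alias (clam_name, vendor, vendor_name) "
        "VALUES (?, ?, ?)",
        (clam_name, vendor, vendor_name),
    )
    return cur.rowcount == 1


def aliases_for(conn, clam_name):
    """ClamAV name -> [(vendor, vendor_name), ...]."""
    return conn.execute(
        "SELECT vendor, vendor_name FROM alias "
        "WHERE clam_name = ? ORDER BY vendor, vendor_name",
        (clam_name,),
    ).fetchall()


def clam_names_for(conn, vendor_name):
    """Another vendor's name -> [(clam_name, added_utc), ...].

    One vendor family name can map to several ClamAV signatures, for
    instance a specific signature plus a generic one for future variants.
    """
    return conn.execute(
        "SELECT DISTINCT s.clam_name, s.added_utc "
        "FROM alias a JOIN signature s ON s.clam_name = a.clam_name "
        "WHERE a.vendor_name = ? ORDER BY s.clam_name",
        (vendor_name,),
    ).fetchall()


def build_sample():
    """Constructed sample rows; the timestamps are invented for illustration."""
    conn = open_db()
    add_signature(conn, "Worm.SomeFool", "2004-01-01T00:00:00Z")
    add_signature(conn, "Worm.SomeFool.Gen-2", "2004-01-02T00:00:00Z")
    add_signature(conn, "worm.notagoodguy", "2004-01-03T00:00:00Z")
    add_alias(conn, "Worm.SomeFool", "vendor-a", "Netsky")
    add_alias(conn, "Worm.SomeFool.Gen-2", "vendor-a", "Netsky")
    add_alias(conn, "worm.notagoodguy", "trend", "WORM.BADGUY")
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample()
    print("Worm.Somefool is also known as:", aliases_for(db, "Worm.Somefool"))
    print("netsky is detected by ClamAV as:", clam_names_for(db, "netsky"))
```

The reverse index costs one extra B-tree on `alias`; dropping it gives the one-way design while leaving the forward lookup and the submission path unchanged.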
Re: [Clamav-users] Strange syslog messages from clamav-milter
On Tuesday 06 Apr 2004 4:28 pm, Orion Poplawski wrote:
> I'm periodically seeing the following syslogd messages:
> Any help on stopping these would be greatly appreciated.

Rerun configure without '--enable-debug'.

> - Orion

-- Nigel Horne. Arranger, Composer, Typesetter. NJH Music, Barnsley, UK. ICQ#20252325 [EMAIL PROTECTED] http://www.bandsman.co.uk
[Clamav-users] clamd.ctl file not read in FC1
clamav/d (0.68) installed. When rebooting in FC1 I get FAILED report on read of /var/run/clamav/clamd.ctl though the file appears to exist. Is there some way I can modify or fix that file short of re-installing clamav entirely? Original installation does not seem to be entirely broken as I can run freshclam and clamscan OK (and do, in a script I put in cron.daily).

Question about clamscan: I'm using the move= option but when I run it against an mbox the entire folder is moved when a worm is found (which makes sense as an mbox is just one long file). However, I've tried the --remove option with no success either. Since clamscan has an --mbox option I would think there is some provision for extracting just the "wormy" email but I haven't found it. I'd appreciate advice on this.

Thanks. Karl L
[Clamav-users] undetected virus by clamav
I have 3 viruses found on my harddrive which are not detected by clamav. Other scanners like fprot or McAfee detect the viruses as:

1.ex# Found the MultiDropper-IY trojan !!!
2.ex# Found the W32/Spybot.worm.gen.d virus !!!
3.ex# Found the IRC/Flood.dj trojan !!!

I have scanned the files with the online scanner from clamav. It says:

clamav scans the file ...
Clamav-Output: /tmp/phpeQMyfj: OK
Clamav DID NOT identify your sample as malicious content

I scanned one more time with McAfee and found the 3 viruses. When I try to submit the virus files with the online submit page I get an error message like this:

This virus is already recognized by ClamAV. Be careful when submitting samples and remember to run freshclam!

I have run freshclam and the database is up to date, but the virus has been undetected by clamav for four days.
Re: [Clamav-users] Segmentation fault in clamav-0.70rc-1
> It's a good idea to disable archive/mail support when using on-access
> scanner.

Sorry I didn't answer before, I wasn't available... I disabled archive/mail support and the problem persists. In all the cases the problem occurs exactly when the log rotates. I find the last line of the previous log saying:

SIGHUP caught: re-opening log file.

And the first lines of the new log say:

No stats for Database check - forcing reload
Reading databases from /var/lib/clamav (sometimes this line doesn't appear)
Segmentation fault :-( Bye..

The last time it happened, clamd was up for just 65 minutes. Then the message appears and some filesystems are locked. After that I have to reboot. Any ideas or workarounds?

I'm not using milter, I'm just using clamd 0.70rc-1 and clamuko (with dazuko 2.0 on /home and /tmp) for a workstation with RH9.0 (kernel 2.4.20-30.9). Anyone with a similar configuration? Do you have this problem or is it just my installation? I've installed it several times and the result is always the same. Can I change something in order to avoid the problem in the moment that the log rotates?

Thanks again, --Claudio
Re: [Clamav-users] Trojan.Dropper.JS.Mimail.B ?
Keith G. Murphy wrote: Thanks. I hadn't looked back nearly that far. Something really odd is going on then. Is it possible all of these folks really are suddenly infected? Something to research... It makes more sense now. I'm running Debian stable, and had installed Luca Gibelli's 0.65-1 backport. I had ignored his README, which states very clearly that you need to remove the old-format virus database files. I guess freshclam must use those in preference to the .cvd's. (I wonder why). I found out that a couple of signatures had been removed for that trojan between the date of my old-format files and the latest .cvd's. Upon obtaining, building, and installing the Debian source testing packages on my system, the problem went away. Turns out that the clamav-freshclam package from them deletes the old-format files upon installation. Kudos to Stephen Gran, the Debian maintainer. What still doesn't make sense is why I suddenly started seeing the problem.
Re: [Clamav-users] Virus Names
On Tue, 6 Apr 2004, Eric Rostetter wrote:
> If netsky is Worm.SomeFool, then why is it not labeled as Worm.SomeFool?

While I agree with this in principle, I think for instances where a question like this pops up at least once a week just on this list, it might be worth it to just bite the bullet and go along with the herd.

I understand that when the ClamAV (as it often does) discovers a worm before there's a common name for it, that it's not just inconvenient, it's impossible to choose the name that everyone else will eventually use.

But when something is this much of a phenomenon, why not just change the name? I know it's been done for other worms in the past.

Jeffrey Moskot System Administrator [EMAIL PROTECTED]
Re: [Clamav-users] Virus Names
While I can and do understand what Eric was saying, I have to agree with Erick.

http://www.bitdefender.com/index.php - Bitdefender
http://www.grisoft.com/us/us_index.php - AVG
http://www.pandasoftware.com/home/ - Panda
http://www.symantec.com/ - Norton
http://us.mcafee.com/default.asp - McAfee
http://www.trendmicro.com - Trendmicro
http://viruslist.com/eng/ - Virus List

While different, all have 1 thing in common with each other. CVID's (Common Virus Identifiers), granted some list "netsky" as worm-i/netsky, or w32/netsky, but in the end you (the user/administrator) know what was stopped, and thus have the ability to see what's being identified and or do research on what the virus/worm did (the function)

Not complaining.. just expressing my 2 cents ;)

- Original Message -
From: "Eric Rostetter" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, April 06, 2004 10:58 AM
Subject: Re: [Clamav-users] Virus Names

> Quoting Erick Perez - Vision Media <[EMAIL PROTECTED]>:
>
> > Question:
> > If Worm.SomeFool is Netsky, then why is not labeled as netsky?
>
> Answer:
> If netsky is Worm.SomeFool, then why is it not labeled as Worm.SomeFool?
>
> > Basically that's because the users keep complaining about the virus names
> > that cannot be found anywhere else (like the virus database from TrendMicro).
>
> If they want to use the name TrendMicro uses, then they should use the
> TrendMicro software.
>
> > Thanks,
> > Erick
>
> --
> Eric Rostetter
[Clamav-users] Freshclam no longer checking in.
On my FreeBSD 5.2.1-RELEASE-p4 system, I upgraded to the latest clamd port, when it was released a few days ago. Now, freshclam doesn't check in to look for updates anymore, and only does so if I stop and restart it - at that point it downloads the update, successfully notifies clamd, then just goes comatose again. The only thing logged to freshclam.log is the signal 15 when I stop it, and the db update when I restart it. Any ideas?

I do run both clamd and freshclam as vscan (what amavisd-new runs as). After upgrading clamd, I did make sure (to the best of my knowledge) that directory permissions and ownership were correct.

-ste
Re: [Clamav-users] Virus Names
On Tue, 06 Apr 2004 at 12:17:05 -0400, Hanford, Seth wrote:
>
> If we had as part of the submission process an additional field noting
> what name the detecting AV called it

There is such a field! And if it's too short, you can add more names/details/URLs in the description field (that big area below).

> (For example, worm.notagoodguy passes through clam, but is picked up by
> trend as WORM.BADGUY). Any aliases that we come up with could get submitted
> right alongside such a sample.

We include aliases in our announcements. Unfortunately, while submitting, many people fail to write the name (according to other scanner), though they select that the sample is detected by other scanner and sometimes they even write which scanner (but no virus name).

-- Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only [EMAIL PROTECTED] | ones and zeros. [EMAIL PROTECTED] http://www.ClamAV.net/ A GPL virus scanner
RE: [Clamav-users] Virus Names
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:clamav-users-
> [EMAIL PROTECTED] On Behalf Of jef moskot
> Sent: 6. april 2004 19:08
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] Virus Names
>
> On Tue, 6 Apr 2004, Eric Rostetter wrote:
> > If netsky is Worm.SomeFool, then why is it not labeled as Worm.SomeFool?
>
> But when something is this much of a phenomenon, why not just change the
> name? I know it's been done for other worms in the past.
>

And that is what we'll (try to) do in the future (if a common name has been established).

Best regards,
Diego d'Ambra
Re: [Clamav-users] Virus Names
Quoting Antony Stone <[EMAIL PROTECTED]>:

> On Tuesday 06 April 2004 3:58 pm, Eric Rostetter wrote:
> > Quoting Erick Perez - Vision Media <[EMAIL PROTECTED]>:
> > > Question:
> > > If Worm.SomeFool is Netsky, then why is not labeled as netsky?
> >
> > Answer:
> > If netsky is Worm.SomeFool, then why is it not labeled as Worm.SomeFool?
>
> Do you call people Eskimos or Inuits?

Irrelevant.

> > > Basically that's because the users keep complaining about the virus names
> > > that cannot be found anywhere else (like the virus database from
> > > TrendMicro).
> >
> > If they want to use the name TrendMicro uses, then they should use the
> > TrendMicro software.
>
> No, many people are interested to know more about the viruses which are being
> detected.

So?

> If you do a Google search for "NetSky virus" you get 308,000 results. If you
> do a Google search for "SomeFool virus" you get 2,080.

And 2,080 isn't enough? The first of those 2080 suggests netsky == somefool. The second confirms it. So then you can read more about somefool, or redo the search for netsky. Where's the problem?

> Therefore knowing the more common name for a virus is useful to people who use
> ClamAV.

Yes, it is. But changing the name after the fact would just confuse people more. We can't go merrily along for a week or so until the AV people or the media -- and often it is the media who decide -- come up with the most popular name, and then rename it. What would that do to any kind of tracking people do? What would that do to users (last week I got somefool, but now I'm getting a new virus netsky?) It would cause chaos. And much more chaos than having multiple names for a single virus.

> Regards,
> Antony.

-- Eric Rostetter
[Clamav-users] Supervised Clamd
Has anyone gotten Clamd to run with daemontools? I have a clamd running supervised, but the log file will not supervise correctly. I have /service/clamd/log with:

[EMAIL PROTECTED] spamd]# cd /service/clamd/log/
[EMAIL PROTECTED] log]# ls -l
total 4
-rwxr-xr-x 1 root qmail 101 Apr 6 14:20 run
drwx-- 2 root qmail 512 Apr 6 14:06 supervise

but when I run clamdctl stat I get:

[EMAIL PROTECTED] log]# clamdctl stat
/service/clamd: up (pid 1526) 658 seconds
/service/clamd/log: supervise not running

Any ideas? Thanks!

- Jeff
[Clamav-users] compiling clamav 0.68
Hi, I am compiling clamav 0.68 on HP-UX 11.00. I am getting following error during make. I am using GCC 3.0.1.

++
gcc -g -O2 -o clamscan clamscan.o options.o getopt.o others.o manager.o treewalk.o -L/usr/local/lib -L/opt/gmp/lib -L/test/down/clamav-0.68/libclamav /usr/local/lib/libclamav.sl -lz -lpthread -Wl,+b -Wl,/usr/local/lib
/usr/ccs/bin/ld: Unsatisfied symbols:
cl_mbox (first referenced in manager.o) (code)
cl_gentemp (first referenced in manager.o) (code)
cl_debug (first referenced in clamscan.o) (code)
cl_strerror (first referenced in manager.o) (code)
cli_strtok (first referenced in manager.o) (code)
collect2: ld returned 1 exit status
*** Error exit code 1
Stop.
*** Error exit code 1
Stop.
*** Error exit code 1
++

Any input would be a great help. Thanks in advance.

PAd
Re: [Clamav-users] Virus Names
Diego d'Ambra wrote:
> And that is what we'll (try to) do in the future (if a common name has been established).

But that would break statistics. I don't mind if the name is different as long as it can be cross-referenced. Someone was working on a web site with just that but I haven't heard of any news for some time.

-- /Peter Bonivart --Unix lovers do it in the Sun Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, SpamAssassin 2.63 + DCC 1.2.30, ClamAV 0.67 + GMP 4.1.2, MailStats 0.25
Re: [Clamav-users] Virus Names
On Tue, 6 Apr 2004, Eric Rostetter wrote:
> But changing the name after the fact would just confuse people more.

I completely disagree. Hardcore Clam users are more likely to understand the reality of the situation and realize that the ClamAV team has to call the viruses SOMETHING. Usually, that's the same name everyone else uses, but sometimes it isn't.

There's maybe a small amount of confusion for a couple days, and that's that.

But we are constantly being asked by casual (or new) users why ClamAV doesn't pick up Netsky, what the heck "SomeFool" is, etc. Many of those Google hits are "WTF is SomeFool?". A lot of work could be saved by being more user-friendly.

Seriously, what have we to gain from using an obscure name? OK, so, we have the moral high ground, but that's not really the focus of the product.

Other than some kind of issue with logging things by virus name, are there any sensible reasons to not use the same name everyone else in the computer community is using?

Jeffrey Moskot System Administrator [EMAIL PROTECTED]
Re: [Clamav-users] Virus Names
Quoting jef moskot <[EMAIL PROTECTED]>:

> On Tue, 6 Apr 2004, Eric Rostetter wrote:
> > But changing the name after the fact would just confuse people more.
>
> I completely disagree. Hardcore Clam users are more likely to understand
> the reality of the situation and realize that the ClamAV team has to call
> the viruses SOMETHING. Usually, that's the same name everyone else uses,
> but sometimes it isn't.

Great for netsky since almost everyone uses it. But what about viruses that have multiple names from the other vendors and the media? For the first week, SCO (clamd) was called novarg by most, until the media took off with mydoom and that became the new name. Should clamav have migrated along from SCO to NOVARG to MYDOOM just because the others came along later and in that order?

> There's maybe a small amount of confusion for a couple days, and that's
> that.

Most viruses don't last for more than a few days anyway, so this only applies to the rare cases (like lately with the virus wars over netsky et al).

> But we are constantly being asked by casual (or new) users why ClamAV
> doesn't pick up Netsky

Yes, but the user is just being stupid. They are not getting infected with netsky, so obviously it is picking it up.

> what the heck "SomeFool" is, etc. Many of those

You don't think you'll get that question even if you use the more common name for viruses?

> Google hits are "WTF is SomeFool?". A lot of work could be saved by being
> more user-friendly.

Try looking at them again.

> Seriously, what have we to gain from using an obscure name? OK, so, we
> have the moral high ground, but that's not really the focus of the
> product.

The focus of the product is to stop viruses, not to name them with a popular name.

> Other than some kind of issue with logging things by virus name, are there
> any sensible reasons to not use the same name everyone else in the
> computer community is using?

Only when clamav names it before anyone else. Even then, clamav is willing to rename it if it can be done quickly, before the current name becomes established, in my experience. It is only when there is a large gap between the clamav name and the popular name that they don't rename it.

Also, as I've pointed out, not all the AV vendors agree on the names. It usually isn't clamav against the world (as it appears with netsky). It is more normal that there are 2, 3, or 4 other names for the virus. And you never know which will become the most popular until days or weeks after you name it.

> Jeffrey Moskot System Administrator [EMAIL PROTECTED]

-- Eric Rostetter
Re: [Clamav-users] Virus Names
On Tue, 6 Apr 2004, Eric Rostetter wrote:
> Great for netsky since almost everyone uses it.

Exactly.

> Should clamav have migrated along from SCO to NOVARG to MYDOOM just
> because the others came along later and in that order?

It could easily be taken on a case-by-case basis. But, as even you admit, Netsky/SomeFool is a slam dunk.

> Most viruses don't last for more than a few days anyway, so this only
> applies to the rare cases (like lately with the virus wars over netsky
> et al).

I agree.

> The focus of the product is to stop viruses, not to name them with a
> popular name.

Yes, but this is not best accomplished by calling users "stupid" (even when they are). We don't want to make something available to people and then insult them when they use it in good faith.

The larger issue is that the more people who use anti-virus methods and the more well-informed users we have, the better it is for everyone.

Jeffrey Moskot System Administrator [EMAIL PROTECTED]
[Clamav-users] help configuring 0.70-rc w/gnu mp
hi,

i'm trying to get clamav 0.70-rc installed and have gmp installed in a directory under my home dir (eg. /home/norm/bin/gmp)

when i run

./configure --prefix=/home/norm/bin/clamav --disable-clamav --enable-milter

one of the messages i see is:

checking for mpz_init in -lgmp... no
WARNING: GNU MP 2 or newer NOT FOUND - digital signature support will be disabled !

i'm a configure n00b but I am guessing i need to somehow tell it to look in /home/norm/bin/gmp for the GMP libraries? How do I do this? i'm running RH (/etc/rehat-release says "Red Hat Linux release HAL9000")

thanks in advance,
-norm
RE: [Clamav-users] Virus Names
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:clamav-users-
> [EMAIL PROTECTED] On Behalf Of Peter Bonivart
> Sent: 6. april 2004 22:12
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] Virus Names
>
> Diego d'Ambra wrote:
> > And that is what we'll (try to) do in the future (if a common name has
> > been established).
>
> But that would break statistics. I don't mind if the name is different
> as long as it can be cross-referenced. Someone was working on a web site
> with just that but I haven't heard of any news for some time.
>

Yes, sorry. People calculating statistics will have to create some sort of mapping between old and new name. Currently e-mail with update announcement will contain the needed information.

---snip, sample from daily version 239---
Submission: n/a
Notes: Change of virus name to reflect most common used name.
Old virus name: Worm.VB.C
New virus name: Worm.Sober.F
---snip--

Best regards,
Diego d'Ambra
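The old-to-new name mapping described in the message above, as an added example (not ClamAV code and not part of the original post): it parses rename notices in the quoted announcement layout and folds renamed detections into one counter so statistics survive a rename. Only the Worm.VB.C to Worm.Sober.F notice comes from the message; the Worm.Example.* notices, the log lines, the paths and all function names are constructed for illustration, and the log lines follow clamscan's `<path>: <name> FOUND` report format.

```python
import re
from collections import Counter

# Rename notice fields as quoted in the announcement sample. The pattern
# works whether the two fields sit on separate lines or are run together.
RENAME_RE = re.compile(
    r"Old virus name:\s*(?P<old>\S+)\s+New virus name:\s*(?P<new>\S+)",
    re.IGNORECASE,
)
# clamscan report line: "<path>: <signature name> FOUND"
FOUND_RE = re.compile(r":\s(?P<name>\S+)\sFOUND\s*$")

# Constructed input: the first notice is the one quoted in the message,
# the other two are hypothetical and form a two-step rename chain.
SAMPLE_ANNOUNCEMENTS = """\
Notes: Change of virus name to reflect most common used name.
Old virus name: Worm.VB.C
New virus name: Worm.Sober.F

Old virus name: Worm.Example.A New virus name: Worm.Example.B

Old virus name: Worm.Example.B
New virus name: Worm.Example.C
"""

# Constructed scan log spanning the period before and after the renames.
SAMPLE_LOG = """\
/var/spool/scan/msg-0001: Worm.VB.C FOUND
/var/spool/scan/msg-0002: OK
/var/spool/scan/msg-0003: Worm.Sober.F FOUND
/var/spool/scan/msg-0004: Worm.SomeFool FOUND
/var/spool/scan/msg-0005: worm.vb.c FOUND
/var/spool/scan/msg-0006: Worm.Example.A FOUND
/var/spool/scan/msg-0007: Worm.Example.B FOUND
"""


def parse_renames(announcement_text):
    """Return [(old_name, new_name), ...] for each rename notice found."""
    return [(m.group("old"), m.group("new"))
            for m in RENAME_RE.finditer(announcement_text)]


def build_alias_map(renames):
    """Map each historical name (lower-cased) to its current name.

    Chains such as A -> B -> C are followed to the end so that a log
    written under any earlier name resolves to the latest one.
    """
    direct = {old.lower(): new for old, new in renames}
    resolved = {}
    for old in direct:
        seen = {old}
        current = direct[old]
        while current.lower() in direct:
            if current.lower() in seen:
                raise ValueError(f"rename cycle involving {current!r}")
            seen.add(current.lower())
            current = direct[current.lower()]
        resolved[old] = current
    return resolved


def count_detections(log_lines, alias_map):
    """Count FOUND lines per virus, keyed by the current name."""
    counts = Counter()
    for line in log_lines:
        match = FOUND_RE.search(line)
        if not match:
            continue  # "OK" lines and anything that is not a detection
        name = match.group("name")
        counts[alias_map.get(name.lower(), name)] += 1
    return counts


if __name__ == "__main__":
    aliases = build_alias_map(parse_renames(SAMPLE_ANNOUNCEMENTS))
    totals = count_detections(SAMPLE_LOG.splitlines(), aliases)
    for virus, hits in totals.most_common():
        print(f"{hits:3d}  {virus}")
```

Names that never appear in a rename notice pass through unchanged, so the map only needs the notices collected from the update announcements.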
Re: [Clamav-users] Virus Names
On Tuesday 06 April 2004 9:44 pm, jef moskot wrote:
> > The focus of the product is to stop viruses, not to name them with a
> > popular name.
>
> Yes, but this is not best accomplished by calling users "stupid" (even
> when they are).

That may be true, however it's no excuse for allowing stupid users to continue with their misguided notions, without some attempt at education and correction.

ClamAV is focused on detecting viruses, sure, and you're right that this is not best accomplished by telling stupid users that they're stupid, however it doesn't condone pandering to their preconceived misconceptions about viruses and worms (such as "they should each have only one name") either.

There are many examples of the commercial A-V vendors having different names for the same virus, and ClamAV happens to be showing this characteristic recently simply because the signature development team is doing such a good job (and, it should be noted, without the cooperation of commercial vendors providing the ClamAV team with newly discovered virus samples through their exclusive partnerships).

I do not agree with criticising the product because it is better than its competitors. It cannot be too hard to explain to a clueless user how viruses get named, and hope that at least some proportion of those people might understand that this inevitably leads to different names for the same thing found in different places at about the same time.

And, if that doesn't work, give them a courgette and ask them whether it's a zucchini, give them a football and see if they kick it or carry it, ask them how to pronounce tomato, ask them which side of the road it is correct to drive on, put them on the pavement and see if they want to walk or drive on it, check whether they stop at traffic light or robots, or even ask them to do something momentarily.

Regards, Antony.

-- There's no such thing as bad weather - only the wrong clothes. - Billy Connolly

Please reply to the list; please don't CC me.
Re: [Clamav-users] help configuring 0.70-rc w/gnu mp
On Tue, Apr 06, 2004 at 01:51:29PM -0700, Norman Yee said:
> hi,
>
> i'm trying to get clamav 0.70-rc installed and have gmp installed in a
> directory under my home dir (eg. /home/norm/bin/gmp)
>
> when i run
>
> ./configure --prefix=/home/norm/bin/clamav --disable-clamav --enable-milter
>
> one of the messages i see is:
> checking for mpz_init in -lgmp... no
> WARNING: GNU MP 2 or newer NOT FOUND - digital signature support will be
> disabled !
>
> i'm a configure n00b but I am guessing i need to somehow tell it to look in
> /home/norm/bin/gmp for the GMP libraries? How do I do this? i'm running RH
> (/etc/rehat-release says "Red Hat Linux release HAL9000")
>
> thanks in advance,
> -norm

[EMAIL PROTECTED]:~/Debian/clamav/0.70/clamav-0.70-rc$ ./configure --help
[...]
Some influential environment variables:
LDFLAGS linker flags, e.g. -L if you have libraries in a nonstandard directory

So try:

LDFLAGS=-L/home/norm/bin/gmp ./configure --prefix=/home/norm/bin/clamav --disable-clamav --enable-milter

(all on one line)

HTH,
--
| Stephen Gran                  | He who is good for making excuses is |
| [EMAIL PROTECTED]             | seldom good for anything else.       |
| http://www.lobefin.net/~steve |                                      |
Re: [Clamav-users] Virus Names
On Tue, 6 Apr 2004, Antony Stone wrote:
> There are many examples of the commercial A-V vendors having different
> names for the same virus...

That's true, but when that's the case for an extremely prevalent virus, it's usually noted in the media. Using the well-known naming convention is a much simpler and more logical response to the real world.

At such time as everyone else in the world becomes wise to ClamAV's superior ways, then it would make sense to just use our own word for whatever threat comes along. But in THIS world, it's easier for just about everyone involved (including all the admins who keep dropping in here asking about Netsky and their users) to take the path of least resistance.

> I do not agree with criticising the product because it is better than
> its competitors.

I'm not criticizing it, I'm just trying to be practical. If some admin who has never heard of this mailing list or our political crusade to educate the world about worms is looking into ClamAV (some free product he might be suspicious of on principle, but is checking out because the price is right), checks the database to see if it handles one of his biggest problems and it turns out it's not in the database...then we've lost one potential ClamAV user and done a disservice to the open source community.

> It cannot be too hard to explain to a clueless user how viruses get
> named...

It's not too hard to explain to one user, but this situation is repeated over and over, probably many times a day. It's not hard, but it's unnecessary and we don't gain much by making a pointless stand. Users aren't incapable of understanding the process, but being different for no purpose doesn't make any sense.

Jeffrey Moskot System Administrator [EMAIL PROTECTED]