Re: [Clamav-users] Violation of the GPL ?
On Wednesday, April 07, 2004 10:34 PM [EST], Guillermito <[EMAIL PROTECTED]> wrote:

> Hello to all members of this list.
>
> I was wondering if a company has the right to distribute a scanner
> they probably coded, which uses the ClamAV virus signatures database,
> and provide this package for free - as in free beer - but not under
> the GPL, without source code, and even more, with a home-made licence
> that explicitly forbids any reverse engineering or analysis. In other
> words, a closed software under a non-GPL compliant licence.
>
> This French company sells a generic antivirus, and distributes this
> scanner tool, well hidden on their website, to clean computers before
> installation of their own product. You can find this tool here:
>
> http://www.tegam.fr/download/tools/vdetect.zip
>
> [DISCLAIMER]
>
> There is a conflict of interest here. I am currently sued by this
> company because I published an analysis of their anti-virus product,
> showed a few flaws, and debunked their claim of stopping "100% of
> known and unknown viruses", on my website. The publication of exploits
> to demonstrate my theoretical analysis was labelled as "counterfeiting",
> and I am currently indicted for that in France. More info on my
> website: http://www.guillermito2.net/archives/2004_03_25e.html
> I'm not hiding that if this company actually violates the GPL, it will
> help my own case, by showing who acts in good faith and who does not.
>
> [/DISCLAIMER]

Regardless of what ClamAV is licensed as, is the database being published under the GPL as well? Is it public domain?

We've run into very similar type questions with the AHBL stuff - what are we going to publish our database information as? Our standard license is either GPL or BSD.

Now, there is a difference between the AHBL and the ClamAV database - the AHBL database was pretty much completely constructed by me, and as I own the SOSDG/AHBL, I also own the database, so I can decide alone, or delegate that decision to someone else in my group, on what it will be released as. However, there are a lot more people working on ClamAV and its database than just one group - so who technically owns the ClamAV virus database? That would be the person who could act on something like this.

If this company is found to be in violation of the GPL, let me know, and I'll see if I can put some heat on them. We've had to smack some people up in the past for breaking licenses on software some of our users developed years ago.

--
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.sosdg.org
The Abusive Hosts Blocking List
http://www.ahbl.org

---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of GenToo technologies. Learn everything from fundamentals to system administration. http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users
[Clamav-users] Trouble compiling clamav-latest..
Hi there - I seem to have much trouble compiling last night's snapshot. I checked, and I have automake 1.8 installed, and yet I get this complaint during make:

    (...)
    creating sigtool
    make[2]: Leaving directory `/export/home/turgut/sunos/clamav-devel-20040407/sigtool'
    Making all in database
    make[2]: Entering directory `/export/home/turgut/sunos/clamav-devel-20040407/database'
    cd .. && \
    /bin/bash /usr/users/turgut/sunos/clamav-devel-20040407/missing --run automake-1.6 --gnu database/Makefile
    aclocal.m4:4200: version mismatch. This is Automake 1.6, but aclocal.m4
    aclocal.m4:4200: was generated for Automake 1.6.1. You should recreate
    aclocal.m4:4200: aclocal.m4 with aclocal and run automake again.
    make[2]: *** [Makefile.in] Error 1
    make[2]: Leaving directory `/export/home/turgut/sunos/clamav-devel-20040407/database'
    make[1]: *** [all-recursive] Error 1
    make[1]: Leaving directory `/export/home/turgut/sunos/clamav-devel-20040407'
    make: *** [all] Error 2
    #

Any ideas what to do?

Thanks!
-turgut
Re: [Clamav-users] Re: Some viruses go through
Andrei Bucur wrote:

> Hi, i have the same problem ... some viruses go through... my NAV detect
> some mails with viruses who are detected by clam. When NAV detect a virus
> i save it on my hdd and after that i run clamscan he detect correctly the
> virus
> in the past because some e-mails was rejected "451 - try again later" i use
> clamav-milter with --dont-scan-on-error --- maybe here is the problem.

I've upgraded our ClamAV installation to "clamd / ClamAV version devel-20040407, clamav-milter version 0.70g" and we no longer get the 451 error.

I did have some issues with clamav-milter not being happy with the main clamav.conf file... So I used the command line option to force it to a stripped down version.

> - Original Message -
> From: "René Bellora" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, April 07, 2004 10:27 PM
> Subject: Re: [Clamav-users] Re: Some viruses go through
>
> Tomasz Papszun wrote:
>
> $ clamscan -m av-inet1.txt
> LibClamAV Warning: Multipart MIME message contains no boundary lines
> av-inet1.txt: Worm.SomeFool.P FOUND
>
> $ clamscan -V
> clamscan / ClamAV version devel-20040323
>
> So it _is_ detected.
>
> I'd bet: you've got old version or misconfigured system.
[Clamav-users] Re: Virus Names
Hanford, Seth wrote:

[...]

> Our search really only needs to be one-way, to keep it in scope. There's no
> need to support searching everyone else's names, only Clam's. Everyone's
> talking about NetSky? If you're not receiving SomeFool, then why do you
> care? If you are, look up SomeFool. If you're getting files and Clam
> doesn't detect them, then submit them. They'll be named, and you'll be
> able to search.

I couldn't disagree more. Why shouldn't we support reverse lookups? If aliases are submitted just like we submit virus samples now, then what harm would it do to allow the door to swing both ways?

And the benefit is obvious:

Some windows guy got infected with NetSky? Hmmm... I wonder what Clam calls that? Let's find out...

--
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v) 423-559-5145 (f)
http://www.wingnet.net
Re: [Clamav-users] Re: Some viruses go through
Hi, i have the same problem ... some viruses go through... my NAV detect some mails with viruses who are detected by clam. When NAV detect a virus i save it on my hdd and after that i run clamscan he detect correctly the virus

in the past because some e-mails was rejected "451 - try again later" i use clamav-milter with --dont-scan-on-error --- maybe here is the problem.

- Original Message -
From: "René Bellora" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, April 07, 2004 10:27 PM
Subject: Re: [Clamav-users] Re: Some viruses go through

> Tomasz Papszun wrote:
>
> >$ clamscan -m av-inet1.txt
> >
> >LibClamAV Warning: Multipart MIME message contains no boundary lines
> >av-inet1.txt: Worm.SomeFool.P FOUND
> >
> >$ clamscan -V
> >clamscan / ClamAV version devel-20040323
> >
> >So it _is_ detected.
> >
> >I'd bet: you've got old version or misconfigured system.
>
> i had installed devel-20040320, it didn't detect it. I installed latest
> snapshot (20040407). Now it does detect it, but i'm having problems with
> a few emails that were correctly detected in the past... I'll send a
> couple of them to Nigel
>
> best regards,
> René
[Clamav-users] Violation of the GPL ?
Hello to all members of this list.

I was wondering if a company has the right to distribute a scanner they probably coded, which uses the ClamAV virus signatures database, and provide this package for free - as in free beer - but not under the GPL, without source code, and even more, with a home-made licence that explicitly forbids any reverse engineering or analysis. In other words, a closed software under a non-GPL compliant licence.

This French company sells a generic antivirus, and distributes this scanner tool, well hidden on their website, to clean computers before installation of their own product. You can find this tool here:

http://www.tegam.fr/download/tools/vdetect.zip

[DISCLAIMER]

There is a conflict of interest here. I am currently sued by this company because I published an analysis of their anti-virus product, showed a few flaws, and debunked their claim of stopping "100% of known and unknown viruses", on my website. The publication of exploits to demonstrate my theoretical analysis was labelled as "counterfeiting", and I am currently indicted for that in France. More info on my website: http://www.guillermito2.net/archives/2004_03_25e.html

I'm not hiding that if this company actually violates the GPL, it will help my own case, by showing who acts in good faith and who does not.

[/DISCLAIMER]

--
Guillermito
http://www.guillermito2.net
Re: [Clamav-users] Behaviour of "StreamMaxLength"
1, 2) Both clamd and clamav-milter are built from 0.70RC (stock built from Petr Kristof's RedHat SPEC file).

3) No I don't, I will.

I am seeing the following in clamd.log:

    WARNING: ScanStream: Size exceeded (stopped at 10461493, max: 10485760)

and this in /var/log/messages:

    clamav-milter: ClamAv, mi_rd_cmd: read returned -1: Connection reset by peer

and this in /var/log/maillog:

    SYSERR(root): out of memory: Cannot allocate memory

I am seeing a huge number of the "Cannot allocate memory" messages, many many more than the clamd & clamav-milter messages (which correspond to each other). Although I believe the "Cannot allocate memory" messages are related to this problem.

Many thanks.

Andrew

> Subject: Re: [Clamav-users] Behaviour of "StreamMaxLength"
>
> On Wednesday 07 Apr 2004 7:41 pm, Andrew Chan wrote:
> > I am not sure I understand "StreamMaxLength".
> >
> > I am using clamav-milter (sendmail) and I've set "StreamMaxLength 10M".
>
> 1) What version of clamd (clamscan -V)
> 2) What version of clamav-milter (clamav-milter --version)
> 3) Do you have LogSysLog enabled in clamav.conf, and if so
> are you seeing entries of this form in your syslog?
> Message more than StreamMaxLength (%ld) bytes - not scanned
>
> > Andrew
Re: [Clamav-users] Anyone know where I can find deb's of .70rc
On Wed, Apr 07, 2004 at 01:59:41PM -0500, robert said:

> I am using debian testing and although clam is apt-get able it is .67
> and I really want to use .70rc with the OLE option but I before to not
> have to compile. Has anyone made a build yet?

http://www.lobefin.net/~steve/debian.html is a woody backport. It's an adsl line, so please be gentle, everybody.

If you can wait until this weekend, my hardware problems on my main build machine will be repaired, and new version will appear in sid.

Sorry for the delay, and thanks for the patience,

--
Stephen Gran
[EMAIL PROTECTED]
http://www.lobefin.net/~steve
Just about every computer on the market today runs Unix, except the Mac (and nobody cares about it). -- Bill Joy 6/21/85
Re: [Clamav-users] Clamd protocol
On Wed, 7 Apr 2004 01:57:23 +0200 Przemyslaw Wegrzyn <[EMAIL PROTECTED]> wrote:

> Hi!
>
> I'm about to include clamavis support in our very simple mail scanner.
> My first idea was to use libclamav for that, however my filter will be
> integrated with our mail server in the way that it will be spawned for
> each mail.
>
> For obvious performance reason I'd like to use clamd, but I've found
> that libclamav is actually a full scanner, with no "thin client"
> possibilities.
>
> Thus I have following options:
>
> a) write my own daemon which uses libclamav, and a client for it, all
> using custom protocol (don't write me to use amavisd - we have some
> specific requirements)
>
> b) use clamdscan via forking and pipe
>
> c) write a client for clamd protocol, basing on clamdscan sources
>
> I don't like a) for effort amounts, b) is a bit ugly IMHO, c) depends
> on a protocol that can be a subject to change.
>
> Which solution would you suggest?

For a "very simple mail scanner" the (b) solution seems to be the best IMHO.

--
Tomasz Kojm <[EMAIL PROTECTED]>
http://www.ClamAV.net/gpg/tkojm.gpg
0DCA5A08407D5288279DB43454822DC8985A444B
Thu Apr 8 02:05:53 CEST 2004
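Option (b) from the message above, as an added example that is not code from the thread or from the ClamAV project: a filter spawned per mail pipes the message to clamdscan and turns the exit status and the `<target>: <name> FOUND` line into a mail decision. It assumes the scanner's documented exit codes (0 clean, 1 virus found, anything else an error); `mail_action` and `fail_open` are hypothetical names for the choice, raised elsewhere in this thread, between a temporary failure and passing mail unscanned when the scanner itself fails.

```python
"""Added example: spawn clamdscan per message and map the result to a decision."""
import subprocess
from typing import NamedTuple, Optional, Sequence

# Scanner output quoted elsewhere on this page, reused here as sample input.
SAMPLE_OUTPUT = (
    "LibClamAV Warning: Multipart MIME message contains no boundary lines\n"
    "av-inet1.txt: Worm.SomeFool.P FOUND\n"
)


class Verdict(NamedTuple):
    status: str               # "clean", "infected" or "error"
    signature: Optional[str]  # signature name, when the scanner reported one


def parse_found(output: str) -> Optional[str]:
    """Return the first signature name from '<target>: <name> FOUND' lines."""
    for line in output.splitlines():
        line = line.strip()
        if not line.endswith(" FOUND"):
            continue  # skips 'LibClamAV Warning: ...' and '<target>: OK' lines
        # Split on the last ': ' so a target containing ': ' is not misparsed.
        _target, sep, name = line[: -len(" FOUND")].rpartition(": ")
        if sep and name:
            return name
    return None


def interpret(returncode: int, output: str) -> Verdict:
    """Combine exit status and output; anything ambiguous is an error."""
    signature = parse_found(output)
    if returncode == 1 or signature is not None:
        return Verdict("infected", signature)
    if returncode == 0:
        return Verdict("clean", None)
    # Exit code 2, a signal (negative code) or any other value: not scanned.
    return Verdict("error", None)


def scan_message(message: bytes,
                 cmd: Sequence[str] = ("clamdscan", "--no-summary", "-"),
                 timeout: float = 60.0) -> Verdict:
    """Pipe one message to the scanner on stdin and return its verdict."""
    try:
        proc = subprocess.run(list(cmd), input=message,
                              stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                              timeout=timeout)
    except (OSError, subprocess.TimeoutExpired):
        # Scanner binary missing, not executable, or hung: never "clean".
        return Verdict("error", None)
    return interpret(proc.returncode, proc.stdout.decode("utf-8", "replace"))


def mail_action(verdict: Verdict, fail_open: bool = False) -> str:
    """Map a verdict to 'accept', 'reject' or 'tempfail' (hypothetical names)."""
    if verdict.status == "infected":
        return "reject"
    if verdict.status == "clean":
        return "accept"
    # Scanner failure: tempfail keeps the mail queued at the sender;
    # fail_open delivers it unscanned.
    return "accept" if fail_open else "tempfail"


if __name__ == "__main__":
    v = interpret(1, SAMPLE_OUTPUT)
    print(v, mail_action(v))
```

With `fail_open=False` a broken or missing scanner produces temporary failures rather than unscanned deliveries, so an outage shows up in the sender's queue instead of in users' inboxes.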
Re: [Clamav-users] Just installed
you can check your clamd.log where ever you put that :P

or you can use something like

    warn log_message = {VIRUS?} Found, logged and discarding.
    discard message = something to say..
            malware = *

discard is better than deny i think since deny bounces it.. and who wants even more bounce backs. so exiscan doesn't really use the discard message part...

if you do want to bounce though its easier

    deny message = {VIRUS?} Found virus ($malware_name)
         malware = *

only reason i use {VIRUS?} is cause our webmail application already had a built in filter for this type of subject.. as well as {SPAM?}

if you want to then see how many you got you can just check your exim/spool/log/mainlog if you discard or rejectlog if you deny for {VIRUS?}

    grep {VIRUS?} /your/log/file | wc -l

for a count of em or something like that..

On Thu, 8 Apr 2004 00:16:02 CEST, Ian Armstrong <[EMAIL PROTECTED]> sent:

> I have just installed Clamav with exiscan. How do I know when Clamav has
> found (or rejected) a virus?
>
> Ian Armstrong
> [EMAIL PROTECTED]
> http://www.expressmail.dk
> Brøndshøj 14, Rønne, 3700, Bornholm, Denmark

Msg sent via CWNet - http://www.cwnet.com/
Re: [Clamav-users] Just installed
On Thursday 08 April 2004 4:16 am, Ian Armstrong wrote:

> I have just installed Clamav with exiscan. How do I know when Clamav has
> found (or rejected) a virus?

You could try sending yourself a test virus and see what happens?

http://www.eicar.org/anti_virus_test_file.htm

Regards,

Antony.

--
Having been asked for a reference for this man, I can confirm that you will be very lucky indeed if you can get him to work for you.

Please reply to the list; please don't CC me.
[Clamav-users] Just installed
I have just installed Clamav with exiscan. How do I know when Clamav has found (or rejected) a virus?

Ian Armstrong
[EMAIL PROTECTED]
http://www.expressmail.dk
Brøndshøj 14, Rønne, 3700, Bornholm, Denmark
Re: [Clamav-users] False positives
> > > How/Where do I report false positives?

it's a faq :)

> > Same place you submit uncaught viruses:

> I tried this and got this error message:
> File is valid, and was successfully uploaded. You uploaded more than 500 kbytes.
> This looks wrong. Exiting.

Send it to virus _at_ clamav.net (encrypted with a pass if you like) and I'll try to find the problem.

Thanks

--
Luca 'NERvOus' Gibelli ([EMAIL PROTECTED] || [EMAIL PROTECTED])
Home Page: http://www.nervous.it
BOFH excuse 2815: * Daemons loose in system.
Re: [Clamav-users] Behaviour of "StreamMaxLength"
On Wednesday 07 Apr 2004 7:41 pm, Andrew Chan wrote:

> I am not sure I understand "StreamMaxLength".
>
> I am using clamav-milter (sendmail) and I've set "StreamMaxLength 10M".

1) What version of clamd (clamscan -V)
2) What version of clamav-milter (clamav-milter --version)
3) Do you have LogSysLog enabled in clamav.conf, and if so are you seeing entries of this form in your syslog?

    Message more than StreamMaxLength (%ld) bytes - not scanned

> Andrew

-Nigel

--
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK. ICQ#20252325
[EMAIL PROTECTED] http://www.bandsman.co.uk
[Clamav-users] Clamd protocol
Hi!

I'm about to include clamavis support in our very simple mail scanner. My first idea was to use libclamav for that, however my filter will be integrated with our mail server in the way that it will be spawned for each mail.

For obvious performance reason I'd like to use clamd, but I've found that libclamav is actually a full scanner, with no "thin client" possibilities.

Thus I have following options:

a) write my own daemon which uses libclamav, and a client for it, all using custom protocol (don't write me to use amavisd - we have some specific requirements)

b) use clamdscan via forking and pipe

c) write a client for clamd protocol, basing on clamdscan sources

I don't like a) for effort amounts, b) is a bit ugly IMHO, c) depends on a protocol that can be a subject to change.

Which solution would you suggest?

Best Regards,
Przemyslaw
Re: [Clamav-users] False positives
Kevin W. Gagel wrote:

> How/Where do I report false positives?

The usual http://www.nervous.it/~nervous/cgi-bin/sendvirus.cgi or follow the link from www.clamav.net. There's a flag for false-positive there.

Regards,

Fajar

--
Don't use GIF. Use PNG instead
http://www.gnu.org/philosophy/gif.html
Re: [Clamav-users] Anyone know where I can find deb's of .70rc
robert wrote:

> I am using debian testing and although clam is apt-get able it is .67
> and I really want to use .70rc with the OLE option but I before to not
> have to compile. Has anyone made a build yet?

Binary build of latest daily CVS snapshot is usually available on http://clamav.or.id. It's not .deb, but the static binary .tgz should work on any linux i386. Clamav-milter is included too.

Regards,

Fajars

--
Please avoid sending me Microsoft Office attachments.
See http://www.fsf.org/philosophy/no-word-attachments.html
Re: [Clamav-users] False positives
On Wed, 07 Apr 2004 at 12:12:25 -0700, Kevin W. Gagel wrote:

> How/Where do I report false positives?

Like other samples - at http://clamav.sourceforge.net/cgi-bin/sendvirus.cgi

Don't forget to select the "A false positive" option. Give as many details as possible.

--
Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only
[EMAIL PROTECTED] | ones and zeros.
[EMAIL PROTECTED] http://www.ClamAV.net/ A GPL virus scanner
Re: [Clamav-users] False positives
- Original Message Follows -
From: Damian Menscher <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: [Clamav-users] False positives
Date: Wed, 7 Apr 2004 14:53:47 -0500 (CDT)

> On Wed, 7 Apr 2004, Kevin W. Gagel wrote:
>
> > How/Where do I report false positives?
>
> Same place you submit uncaught viruses:
>
> http://www.nervous.it/~nervous/cgi-bin/sendvirus.cgi
>
> Be sure to check the "false positive" box.

I tried this and got this error message:

    File is valid, and was successfully uploaded. You uploaded more than 500 kbytes.
    This looks wrong. Exiting.

What now?

Kevin W. Gagel
Network Administrator
(250) 561-5848 local 448
(250) 562-2131 local 448
--
The College of New Caledonia, Visit us at http://www.cnc.bc.ca
Virus scanning is done on all incoming and outgoing email.
Re: [Clamav-users] False positives
Hello, Kevin W. Gagel.

On 07.04.2004 23:12 you said the following:

| How/Where do I report false positives?
|
| Kevin W. Gagel
| Network Administrator
| (250) 561-5848 local 448
| (250) 562-2131 local 448

http://www.nervous.it/~nervous/cgi-bin/sendvirus.cgi

Choose value "A false positive!!!" in "The file attached is:" field.

--
Boris B. Zhmurov
mailto: [EMAIL PROTECTED]
"wget http://bb.rbcmail.ru/bb_public_key.pgp -O - | gpg --import"
Re: [Clamav-users] False positives
On Wed, 7 Apr 2004, Kevin W. Gagel wrote:

> How/Where do I report false positives?

Same place you submit uncaught viruses:

http://www.nervous.it/~nervous/cgi-bin/sendvirus.cgi

Be sure to check the "false positive" box.

Damian Menscher

--
-=#| Physics Grad Student & SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| <[EMAIL PROTECTED]> www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
-=#| The above opinions are not necessarily those of my employers: |#=-
-=#| UIUC CITES Security Group || Beckman Imaging Technology Group |#=-
Re: [Clamav-users] Question on SomeFool Virus
On Wed, 7 Apr 2004, Denis De Messemacker wrote:

> However, i do not agree completely with you. I think that every variant
> of a virus should have a signature in the database, even if it is
> already detected by some generic signature.
>
> Why ? Because if we have to remove the generic signature due to some
> false positives, the variant virus will no longer be detected.
>
> So, generic signatures are fine, but I think we should also have signatures
> for a maximum of variants.

I almost agree, except for one point: does having extra (unnecessary) signatures slow it down at all?

Damian Menscher

--
-=#| Physics Grad Student & SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| <[EMAIL PROTECTED]> www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
-=#| The above opinions are not necessarily those of my employers: |#=-
-=#| UIUC CITES Security Group || Beckman Imaging Technology Group |#=-
Re: [Clamav-users] Re: Some viruses go through
Tomasz Papszun wrote:

> $ clamscan -m av-inet1.txt
>
> LibClamAV Warning: Multipart MIME message contains no boundary lines
> av-inet1.txt: Worm.SomeFool.P FOUND
>
> $ clamscan -V
> clamscan / ClamAV version devel-20040323
>
> So it _is_ detected.
>
> I'd bet: you've got old version or misconfigured system.

i had installed devel-20040320, it didn't detect it. I installed latest snapshot (20040407). Now it does detect it, but i'm having problems with a few emails that were correctly detected in the past... I'll send a couple of them to Nigel

best regards,
René
Re: [Clamav-users] Netsky P not being blocked, using 0.70-rc
On Wednesday 07 April 2004 7:59 pm, Jeff Ramsey wrote:

> Do I have to use a CVS version to get this one to be detected? Sophos
> detects it fine on this machine.

No. I'm picking up Worm.SomeFool.P (aka Worm/NetSky.P according to Antivir, W32/[EMAIL PROTECTED] according to F-Prot, W32/[EMAIL PROTECTED] according to McAfee) with a very old version of ClamAV (0.60 running under MailScanner)

Regards,

Antony.

--
The lottery is a tax for people who can't do maths.

Please reply to the list; please don't CC me.
[Clamav-users] False positives
How/Where do I report false positives?

Kevin W. Gagel
Network Administrator
(250) 561-5848 local 448
(250) 562-2131 local 448
--
The College of New Caledonia, Visit us at http://www.cnc.bc.ca
Virus scanning is done on all incoming and outgoing email.
[Clamav-users] Anyone know where I can find deb's of .70rc
I am using debian testing and although clam is apt-get able it is .67 and I really want to use .70rc with the OLE option but I before to not have to compile. Has anyone made a build yet?

Thanks
Robert
[Clamav-users] Netsky P not being blocked, using 0.70-rc
Do I have to use a CVS version to get this one to be detected? Sophos detects it fine on this machine.

-Jeff
Re: [Clamav-users] Spam/Virus stats using mrtg
I, too, would like these scripts if at all possible.

thx,
Howie.

>From: Korchmenuk Nickolay <[EMAIL PROTECTED]>
>Subject: Re: [Clamav-users] Spam/Virus stats using mrtg
>Date: Wed, 7 Apr 2004 10:13:10 +0300
>
>Hi
>On Fri, 02 Apr 2004 20:47:34 -0500
>Rick Macdougall <[EMAIL PROTECTED]> wrote:
> > Or see http://mail.limelyte.net/admin/qsla/
>Is it your script? Can I download this script?
>
>--
> Korchmenuk Nickolay
>07 Apr 2004 10:11:55
[Clamav-users] Behaviour of "StreamMaxLength"
I am not sure I understand "StreamMaxLength". I am using clamav-milter (sendmail) and I've set "StreamMaxLength 10M". My understanding is that it causes a disconnect to clamav-milter when the stream to be scanned gets larger than 10M.

The trouble is apparently sendmail keeps retrying to scan this mail instead of just passing it thru. The directory /var/spool/mqueue ends up having a zillion copies of the orphaned dfxxx files of this mail. And the mail was never delivered.

I do NOT have "F=R" or "F=T" in my sendmail.mc file.

Any insights will be most appreciated.

Andrew
RE: [Clamav-users] Supervised Clamd
>As you can see the multilog file is there, with zero size. The service is
>running, but not doing a thing!
>[EMAIL PROTECTED] init.d]# service clamdctl stat
>/service/clamd: up (pid 1258) 265702 seconds
>/service/clamd/log: up (pid 1259) 265702 seconds
>
>in your case, your clamdctl script must be OK since clamd is running. And
>I'll assume multilog is installed and running. Have you rechecked ownership
>and permissions on the /var/log/clamav *directory* ?
>What happens when you do:
>svc -u /service/clamd/log ??
>Cheers,
>--Micha

Hey Micha,

Thanks for the response. Here is some more output. I do have multilog running fine. My qmail is supervised just fine and so are the log files. Here are the permissions on my /var/log/clamd dir

[EMAIL PROTECTED] electro]# ls -l /var/log/ |grep clamd
drwxr-xr-x 2 qscand qscand 512 Apr 6 14:02 clamd

and when I try your suggestion:

[EMAIL PROTECTED] clamd]# svc -u /service/clamd/log
svc: warning: unable to control /service/clamd/log: supervise not running

I appreciate all the help, I just can't think of why this would not be working.

Thanks!

- Jeff
Re: [Clamav-users] Re: Some viruses go through
On Wed, 07 Apr 2004 at 18:25:25 +0200, Mimmus wrote:

> Here is a mail going through ClamAV undetected:
> http://www.geocities.com/viggiani/...
>
> If I scan it also using www.antivirus.com (Trend) online scan, it is
> detected as WORM.NETSKY.P (Layer2 message.scr)
>

$ clamscan -m av-inet1.txt
LibClamAV Warning: Multipart MIME message contains no boundary lines
av-inet1.txt: Worm.SomeFool.P FOUND

$ clamscan -V
clamscan / ClamAV version devel-20040323

So it _is_ detected.
I'd bet: you've got an old version or a misconfigured system.

--
Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only
[EMAIL PROTECTED] | ones and zeros.
[EMAIL PROTECTED] http://www.ClamAV.net/ A GPL virus scanner
RE: [Clamav-users] Virus Names
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of B. van
> Ouwerkerk
> Sent: Wednesday, April 07, 2004 2:00 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] Virus Names
>
>
> I don't fancy the idea of doing the same job someone else does
> but I could
> do it if no one else does or has dropped the idea.
> This would be a good way for me to do something in return for
> using Clamav.

Me either. I'd certainly be willing to help with something along those lines as well - even if it's only hosting a mirror!

I think the idea makes sense to me, but I keep hearing that the clamav format will support some sort of alias system - just not sure what, or how, or if it is enough information.

I'd IDEALLY like a system that allows us (collaboratively) to map viruses to all commercial products - PARTICULARLY those maintaining virus information databases, and then allow us to create a diff-based distribution of this database - like the clamav datafile, and also a simple lookup page which could use a template, and the database to return cross references / links to information on the virii as documented by other systems.

m/
[Clamav-users] Re: Some viruses go through
Here is a mail going through ClamAV undetected:
http://www.geocities.com/viggiani/av-inet1.txt

If I scan it also using www.antivirus.com (Trend) online scan, it is detected as WORM.NETSKY.P (Layer2 message.scr)

Mimmus

"Antony Stone" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> I would also say that it might help us if you tell us which virus/es are being
> missed in this way, and perhaps provide a link to an email we can download
> which has passed undetected through your system as described, so we can see
> if there's anything strange about it.
RE: [Clamav-users] compiling clamav 0.68
> Hi,
> I am compiling clamav 0.68 on HP-UX 11.00. I am getting following
> error during make.
> I am using GCC 3.0.1.
>
>
> ++
> gcc -g -O2 -o clamscan clamscan.o options.o getopt.o others.o manager.o
> treewalk.o -L/usr/local/lib -L/opt/gmp/lib
> -L/test/down/clamav-0.68/libclamav /usr/local/lib/libclamav.sl -lz
Something strange is going on.
^ This should read libclamav.so.
> -lpthread -Wl,+b -Wl,/usr/local/lib
> /usr/ccs/bin/ld: Unsatisfied symbols:
>cl_mbox (first referenced in manager.o) (code)
>cl_gentemp (first referenced in manager.o) (code)
>cl_debug (first referenced in clamscan.o) (code)
>cl_strerror (first referenced in manager.o) (code)
>cli_strtok (first referenced in manager.o) (code)
> collect2: ld returned 1 exit status
> *** Error exit code 1

>>All those symbols are defined in libclamav.
>>And, while you're compiling, please try 0.70-rc (or, better, the latest
>>CVS snapshot). As usual, the CVS version fixes many bugs...

>
> Thanks in advance.
> PAd
>
>Thomas

>>>Thomas,
>>> I first tried with 0.70-rc, it gave the same error. Then I switched to
>>>0.68. Both versions give the same error.
>>>Thanks
>>>PAd

Thomas,

It worked. I was able to compile 0.70-rc on HP-UX 11.00. I figured out that make was trying use older clamav libraries in /usr/local/lib/libclamav.* (clamav version 0.54). Removed old clamav library from /usr/local/lib and make was successful.

Thanks
PAd
Re: [Clamav-users] Question on SomeFool Virus
On Tue, Apr 06, 2004 at 11:15:15AM +0100, Antony Stone wrote :

> Sound like it's working then :)
>
> > Should I submit this? or just be thankful or both?
>
> No point submitting a virus which ClamAV already detects :) Be thankful the
> team did a better job than Sophos & McAfee again.
>
> Regards,
>
> Antony.
>

Wow, it seems that Diego did a nice job with all those generic signatures.

However, I do not agree completely with you. I think that every variant of a virus should have a signature in the database, even if it is already detected by some generic signature. Why? Because if we have to remove the generic signature due to some false positives, the variant virus will no longer be detected.

So, generic signatures are fine, but I think we should also have signatures for a maximum of variants.

Just my two cents,

/ddm

--
Denis De Messemacker GnuPG Key-ID: 0x02787880
[EMAIL PROTECTED] http://www.e-labs.org
[EMAIL PROTECTED] http://www.ClamAV.net - A GPL virus scanner
RE: [Clamav-users] Virus Names
Stuart Mycock
Sent: Wednesday, April 07, 2004 4:24 AM

> I'd prefer to adopt the approach of letting the Clam team get a def out
> with any name they want and have a non-developer publish basic virus
> info on an area of the Clam site, and on that page you'd just have the
> blurb on "SomeFool.Q" for example, along with a short description (only
> brief, tho, there's plenty of viral analysis on other sites) of the
> virus with an "Also known as: NetSky.Q, SmellyVirus.1, Whatever.Q", etc.

How about a Wiki?

cheers,
Colin

Colin A. Bartlett
Kinetic Web Solutions
www.kineticweb.biz
RE: [Clamav-users] compiling clamav 0.68
> Hi,
> I am compiling clamav 0.68 on HP-UX 11.00. I am getting following
> error during make.
> I am using GCC 3.0.1.
>
>
> ++
> gcc -g -O2 -o clamscan clamscan.o options.o getopt.o others.o manager.o
> treewalk.o -L/usr/local/lib -L/opt/gmp/lib
> -L/test/down/clamav-0.68/libclamav /usr/local/lib/libclamav.sl -lz
Something strange is going on.
^ This should read libclamav.so.
> -lpthread -Wl,+b -Wl,/usr/local/lib
> /usr/ccs/bin/ld: Unsatisfied symbols:
>cl_mbox (first referenced in manager.o) (code)
>cl_gentemp (first referenced in manager.o) (code)
>cl_debug (first referenced in clamscan.o) (code)
>cl_strerror (first referenced in manager.o) (code)
>cli_strtok (first referenced in manager.o) (code)
> collect2: ld returned 1 exit status
> *** Error exit code 1

All those symbols are defined in libclamav.
And, while you're compiling, please try 0.70-rc (or, better, the latest CVS snapshot). As usual, the CVS version fixes many bugs...

>
> Thanks in advance.
> PAd
>
>Thomas

Thomas,

I first tried with 0.70-rc, it gave the same error. Then I switched to 0.68. Both versions give the same error.

Thanks
PAd
Re: [Clamav-users] Virus Names
Eric Rostetter at 2004-04-06 15:37 from [EMAIL PROTECTED] wrote:

>But changing the name after the fact would just confuse people
>more. We can't go merrily along for a week or so until the AV people or
>the media -- and often it is the media who decide -- come up with the most
>popular name, and then rename it. What would that do to any kind of
>tracking people do? What would that do to users (last week I got somefool,
>but now I'm getting a new virus netsky?) It would cause chaos. And much
>more chaos than having multiple names for a single virus.

I agree with this completely. I'd rather do some additional research on the 'Net than have my logs all messed up.
Re: [Clamav-users] Virus Names
On Apr 6, 2004, at 4:31 PM, Eric Rostetter wrote:

Quoting jef moskot <[EMAIL PROTECTED]>:

On Tue, 6 Apr 2004, Eric Rostetter wrote:

But changing the name after the fact would just confuse people more.

I completely disagree. Hardcore Clam users are more likely to understand the reality of the situation and realize that the ClamAV team has to call the viruses SOMETHING. Usually, that's the same name everyone else uses, but sometimes it isn't.

Great for netsky since almost everyone uses it. But what about viruses that have multiple names from the other vendors and the media? For the first week, SCO (clamd) was called novarg by most, until the media took off with mydoom and that became the new name. Should clamav have migrated along from SCO to NOVARG to MYDOOM just because the others came along later and in that order?

That is the name that is popularized by the media after the fact...I think many "larger" AV vendors put the aliases in their virus encyclopedias online, don't they?

There's maybe a small amount of confusion for a couple days, and that's that.

Most viruses don't last for more than a few days anyway, so this only applies to the rare cases (like lately with the virus wars over netsky et al).

Tell that to my web server...I still see hits from blaster...

But we are constantly being asked by casual (or new) users why ClamAV doesn't pick up Netsky

Yes, but the user is just being stupid. They are not getting infected with netsky, so obviously it is picking it up.

Hardly. Sometimes when justifying to the PHBs that ClamAV is just as good, if not better than, other solutions you need to answer the questions the PHBs get when they watch the evening news. It would be helpful if you could point them to a knowledge base article or encyclopedia from Clam saying "it's an alias for virus FooBarsays so right here, added on ya ya ya in database version X...and we're protected because our signature version is Y."

what the heck "SomeFool" is, etc. Many of those

You don't think you'll get that question even if you use the more common name for viruses?

It's not the question, it's enabling users to easily find the answer. The question will still get asked, but seeing that most of the admins running ClamAV are hopefully a little more skilled than the average user, most of the questions should be answered at the local administrator level rather than the Clam team level. If the answer were a simple site lookup of an entry for a virus name that was cross-referenced (or put on a separate server that could be CVS'd or Rsynced for a local copy...)

On top of that, we have our database being freshclammed several times a day. Since most of the Windows viruses are now fully automated, what happens in the hours between a virus getting released and then discovered then added to the database then our server getting refreshed? Not everyone is running freshclam on the mail server...we're using it to scan incoming mail then forward the mail to our internal mail server. That means that if the WindowsDeath virus comes in before our database holds it, it will get to our internal servers...where a "backup scanner" has to catch it. Then we get into the aliases of viruses problem...we get a report of virus WindowFool being in the message. Are we protected now, it was just something that slipped in between updates? Or is it something we need to worry about? Or...? The process becomes more time-consuming to verify than it needs to be. That's just the price to pay for a solution as flexible as ClamAV...

Other than some kind of issue with logging things by virus name, are there any sensible reasons to not use the same name everyone else in the computer community is using?

It adds overhead to a volunteer project. Let the other vendors have their fun renaming things with the proprietary name games.

It would probably be easiest if the Clam group responded by just making an alias encyclopedia, in my opinion...

Also, as I've pointed out, not all the AV vendors agree on the names. It usually isn't clamav against the world (as it appears with netsky). It is more normal that there are 2, 3, or 4 other names for the virus. And you never know which will become the most popular until days or weeks after you name it.

worse are the games where a minor minor variant comes out, they slap a new name on it, and then promote their product as catching x,000 viruses while neglecting to mention that 200 of them are the same virus, only instead of having "screw you" embedded in it it has "screw you!", "No, screw YoU!",...etc. etc. etc.

Oh well. That's my view, anyway...

-Bart
Re: [Clamav-users] Virus Names
On Apr 6, 2004, at 3:23 PM, Diego d'Ambra wrote:

-Original Message-
From: [EMAIL PROTECTED] [mailto:clamav-users- [EMAIL PROTECTED] On Behalf Of jef moskot
Sent: 6. april 2004 19:08
To: [EMAIL PROTECTED]
Subject: Re: [Clamav-users] Virus Names

On Tue, 6 Apr 2004, Eric Rostetter wrote:

If netsky is Worm.SomeFool, then why is it not labeled as Worm.SomeFool?

But when something is this much of a phenomenon, why not just change the name? I know it's been done for other worms in the past.

And that is what we'll (try to) do in the future (if a common name has been established).

With all due respect, this may be a bad idea, if I understand you correctly...you're saying that when a virus is found by the clamav team and it's called foo, then other companies get ahold of it and call it bar, the clam team should call it bar also, correct? This would mean that floating around out there in googleland (and for awhile unupdated databases) would be the name foo. People researching will find extremely short-lived virus names floating around because it is one that was renamed...

I'm sure there's a simple solution and I'm probably just worrying too much over it, but I would still think it would be better to have a wiki or some kind of knowledge base set up where people could put in information on the virus. The ClamAV name, and a list of aliases from other companies, and maybe a breakdown of the behavior/payload/etc. of the virus, when it was added to the clamav database, etc. and just reference it that way. It would mean minimal changes to clamav, a volunteer group (or the whole user community) could contribute separately from the programming team...would that work?

-Bart
Re: [Clamav-users] rarlib question
On Tue, 30 Mar 2004 21:28:18 +0200
Tomasz Kojm <[EMAIL PROTECTED]> wrote:

> On Tue, 30 Mar 2004 15:00:50 +0300
> Korchmenuk Nickolay <[EMAIL PROTECTED]> wrote:
>
> > On Tue, 30 Mar 2004 15:43:24 +0500
> > Sergey <[EMAIL PROTECTED]> wrote:
> >
> > > And more:
> > > "Due to security reasons clamd only scans archives supported by
> > > libclamav and can't use external programs"
> > what about unrar from freebsd ports? could developers include some
> > code from unrarsrc-3.x.xm for rar v3 support?
>
> Unfortunately the license of unrar-3 conflicts with the GPL.

Last question about rar from me: why can clamscan use an external unrar program when clamdscan (clamav-milter) can't? Speed?

--
Korchmenuk Nickolay
07 Apr 2004 12:50:13
RE: [Clamav-users] Supervised Clamd
> -Original Message-
> From: Jeff Bilder [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, April 06, 2004 9:42 PM
> To: [EMAIL PROTECTED]
> Subject: [Clamav-users] Supervised Clamd
>
>
>
> Has anyone gotten Clamd to run with daemontools? I have a
> clamd running supervised, but the log file will not supervise
> correctly. I have /service/clamd/log with:
>
> [EMAIL PROTECTED] spamd]# cd /service/clamd/log/
> [EMAIL PROTECTED] log]# ls -l
> total 4
> -rwxr-xr-x 1 root qmail 101 Apr 6 14:20 run
> drwx-- 2 root qmail 512 Apr 6 14:06 supervise
>
> but when I run clamdctl stat I get:
>
> [EMAIL PROTECTED] log]# clamdctl stat
> /service/clamd: up (pid 1526) 658 seconds
> /service/clamd/log: supervise not running

Works fine for me. I have the /service/clamd directory, the /service/clamd/log directory and the /service/clamd.log.supervise directories all sgid. And in the run scripts I used 'setuidgid qscand' (the user that runs clamd). Like so:

[EMAIL PROTECTED] log]# pwd
/service/clamd/log
[EMAIL PROTECTED] log]# ls -al
total 16
drwxr-sr-x 3 root root 4096 Jan 11 16:38 .
drwxr-sr-x 4 root root 4096 Jan 11 16:38 ..
-rwxr-xr-x 1 root root 104 Jan 11 16:30 run
drwx--S--- 2 root root 4096 Apr 4 14:08 supervise
[EMAIL PROTECTED] log]# cat run
#!/bin/sh
exec /usr/local/bin/setuidgid qscand /usr/local/bin/multilog t s100 n20 /var/log/clamav

HTH,
--Micha

>
> Any ideas? Thanks!
>
> - Jeff
Re: [Clamav-users] Virus Names
At 22:12 06-04-2004 +0200, you wrote:

Diego d'Ambra wrote:

And that is what we'll (try to) do in the future (if a common name has been established).

But that would break statistics. I don't mind if the name is different as long as it can be cross-referenced. Someone was working on a web site with just that but I haven't heard of any news for some time.

I'm curious about the status.. I have been looking at the latest announcements and it should be possible to parse them into a MySQL or PG database. A simple lookup page and a link in the warning to the user should fix it. And a page for a few trusted persons to add any information to viri, or allow any user to do so..

I don't fancy the idea of doing the same job someone else does but I could do it if no one else does or has dropped the idea. This would be a good way for me to do something in return for using Clamav.

B.
Re: [Clamav-users] Virus Names
I'm behind the Clam team in that they focus on getting sigs out before worrying about the name. I don't know if this is a technical limitation of the virus db's (and not sure if this has been mentioned previously, sorry) but what's to stop the name of the virus being changed in the virus db once a 'common' name has been determined?

My problem with doing that is that it requires a developer to update the DB when he could be busy beating the pants off Sophos analysing new wild viruses, and frankly I'd rather live with an AKA and have up-to-the-minute protection than wait a couple of hours until the other AV's have had their little waffle about cool names. ;)

I'd prefer to adopt the approach of letting the Clam team get a def out with any name they want and have a non-developer publish basic virus info on an area of the Clam site, and on that page you'd just have the blurb on "SomeFool.Q" for example, along with a short description (only brief, tho, there's plenty of viral analysis on other sites) of the virus with an "Also known as: NetSky.Q, SmellyVirus.1, Whatever.Q", etc.

I forget now, but someone had posted a brief list of AKA's, perhaps it can be integrated into the Clam website, or a new section created on clamav.net? It would free-up the developers from having to think about common names, it would only take a couple of Clam admins to update it after doing some queries with other AV's, and all you'd need to do is direct your end-users to the virus info page so they can find out for themselves what SomeFool is according to the other AV's.

Stuart.
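The cross-reference idea discussed in this thread, sketched as an added example; it is not part of any list post and not ClamAV code. It keeps per-virus statistics stable by folding other products' names onto the ClamAV name, assuming clamscan's `<path>: <name> FOUND` report line as quoted in the thread; the alias table, vendor labels, function names and sample log are constructed for illustration.

```python
import re
from collections import Counter

# Constructed alias table: ClamAV name -> names other products use.
# Only names quoted in this thread appear; the vendor keys are labels.
ALIASES = {
    "Worm.SomeFool.P": {
        "Antivir": "Worm/NetSky.P",
        "Trend": "WORM.NETSKY.P",
    },
}

# clamscan reports a hit as "<path>: <name> FOUND"; warnings and "OK"
# lines do not end in FOUND and are skipped.
FOUND_RE = re.compile(r"^(?P<path>.+): (?P<name>\S+) FOUND$")


def fold(name):
    """Fold case and separator differences (Worm/NetSky.P vs WORM.NETSKY.P)."""
    return re.sub(r"[^a-z0-9]+", ".", name.lower()).strip(".")


def build_index(aliases):
    """Map every folded spelling, ClamAV's own included, to the ClamAV name."""
    index = {}
    for clam_name, vendor_names in aliases.items():
        for spelling in (clam_name, *vendor_names.values()):
            owner = index.setdefault(fold(spelling), clam_name)
            if owner != clam_name:
                # One alias pointing at two ClamAV names would corrupt stats.
                raise ValueError(f"{spelling!r} maps to both {owner!r} and {clam_name!r}")
    return index


def canonical(name, index):
    """Return the ClamAV name for any known spelling; unknown names pass through."""
    return index.get(fold(name), name)


def detections(lines):
    """Yield (path, reported_name) for each detection line in a scan log."""
    for line in lines:
        match = FOUND_RE.match(line.strip())
        if match:
            yield match.group("path"), match.group("name")


def tally(lines, index):
    """Count detections per canonical name, whichever alias the log used."""
    return Counter(canonical(name, index) for _path, name in detections(lines))


def also_known_as(name, aliases, index):
    """Return (ClamAV name, sorted aliases) for a lookup-page style answer."""
    clam_name = canonical(name, index)
    return clam_name, sorted(aliases.get(clam_name, {}).values())


# Constructed sample log: one real-format warning, three spellings of the
# same worm, one unmapped placeholder name, one clean file.
SAMPLE_LOG = [
    "LibClamAV Warning: Multipart MIME message contains no boundary lines",
    "av-inet1.txt: Worm.SomeFool.P FOUND",
    "backup/msg-0002.eml: Worm/NetSky.P FOUND",
    "backup/msg-0003.eml: WORM.NETSKY.P FOUND",
    "inbox/msg-0004.eml: Example.Unmapped FOUND",
    "inbox/msg-0005.eml: OK",
]

INDEX = build_index(ALIASES)

if __name__ == "__main__":
    for name, count in sorted(tally(SAMPLE_LOG, INDEX).items()):
        print(f"{count:3d}  {name}")
    print(also_known_as("worm/netsky.p", ALIASES, INDEX))
```

Because the table is keyed on the ClamAV name, a later rename by another vendor only adds an alias entry and never rewrites historical counts.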
Re: [Clamav-users] compiling clamav 0.68
Pad Hosmane wrote:

Hi,
I am compiling clamav 0.68 on HP-UX 11.00. I am getting following error during make.
I am using GCC 3.0.1.

++
gcc -g -O2 -o clamscan clamscan.o options.o getopt.o others.o manager.o treewalk.o -L/usr/local/lib -L/opt/gmp/lib -L/test/down/clamav-0.68/libclamav /usr/local/lib/libclamav.sl -lz

Something strange is going on.
^ This should read libclamav.so.

-lpthread -Wl,+b -Wl,/usr/local/lib
/usr/ccs/bin/ld: Unsatisfied symbols:
cl_mbox (first referenced in manager.o) (code)
cl_gentemp (first referenced in manager.o) (code)
cl_debug (first referenced in clamscan.o) (code)
cl_strerror (first referenced in manager.o) (code)
cli_strtok (first referenced in manager.o) (code)
collect2: ld returned 1 exit status
*** Error exit code 1

All those symbols are defined in libclamav.
And, while you're compiling, please try 0.70-rc (or, better, the latest CVS snapshot). As usual, the CVS version fixes many bugs...

Thanks in advance.
PAd

Thomas
Re: [Clamav-users] Spam/Virus stats using mrtg
Hi

On Fri, 02 Apr 2004 20:47:34 -0500
Rick Macdougall <[EMAIL PROTECTED]> wrote:

> Or see http://mail.limelyte.net/admin/qsla/

Is it your script? Can I download this script?

--
Korchmenuk Nickolay
07 Apr 2004 10:11:55