Re: [Clamav-users] exiscan and clamav
On Tue, May 18, 2004 at 10:00:34PM -0400, Stephen Gran wrote the following:
> On Tue, May 18, 2004 at 07:43:54PM +0100, Miguel Saturnino said:
> > Hi, all,
> >
> > I have clamav running perfectly with Mailscanner but I wanted to use
> > exiscan. The problem is I can't get the configuring right... I don't
> > know what to put in:
>
> grep Socket clamav.conf
>
> will tell you what socket you're actually using, and what socket to put
> in your exim.conf.

What about just using clamscan?

--
AIM: pres CTHULHU  ICQ: 18115568  Yahoo: pagan_prince
Jabber: DarkKnightRadick@(jabber.org|amessage.at)  PGP: 0x642F7BDA
Re: [Clamav-users] exiscan and clamav
On Tue, May 18, 2004 at 07:43:54PM +0100, Miguel Saturnino said:
> Hi, all,
>
> I have clamav running perfectly with Mailscanner but I wanted to use
> exiscan. The problem is I can't get the configuring right... I don't
> know what to put in:

grep Socket clamav.conf

will tell you what socket you're actually using, and what socket to put
in your exim.conf.

--
Stephen Gran | BOFH excuse #311: transient bus protocol violation
[EMAIL PROTECTED] | http://www.lobefin.net/~steve
Re: [Clamav-users] freshclam not restarting clamd
On Tue, May 18, 2004 at 06:12:45PM -0300, Mariano Absatz said:
> Hi,
>
> I'm using clamav library from within MailScanner and I'm not running clamd at
> all.
>
> I run freshclam from within a script called from cron.
>
> Everything is smooth and runs perfectly. However, every time freshclam gets an
> update, it complains that it can't connect to clamd to notify it, which
> generates a message from cron with this message...
>
> ERROR: Clamd was NOT notified: Can't connect to clamd on 127.0.0.1:3310
> connect(): Connection refused
>
> Is there a way to tell freshclam to not try to notify clamd? (I didn't see it
> in 'man freshclam')... 'freshclam --quiet' doesn't help.

Remove NotifyClamd from freshclam.conf?

--
Stephen Gran | Never look a gift horse in the mouth. -- Saint Jerome
[EMAIL PROTECTED] | http://www.lobefin.net/~steve
RE: [Clamav-users] Still trying to get clamdscan working.
>>I've been trying to get clamdscan working for quite some time now. I have
>>installed clamav. clamscan works. Clamdscan fails with:
>>connect(): Connection refused
>>ERROR: Can't connect to clamd.
>>
>
>>Where is your .sock file for clamd?
>>
>>locate sock |grep clam
>>
>>Then
>>
>>grep sock /etc/clamav.conf (or wherever your clamav.conf file is)
>>
>>The two need to agree.
>
>locate sock | grep clam results in no output.
>
>in the config file LocalSocket /tmp/clamd
>
>clamd is up:
>ps -aux | grep clamd
>root       954  0.0  0.0  1348   84 ?        S    May09   0:00 supervise clamd
>gqscanq  24579  0.0  0.1  1632  540 ?        S    14:19   0:00 /usr/local/sbin/clamd
>root     24811  0.0  0.1  3572  628 pts/0    S    14:21   0:00 grep clamd

>Is there a file /tmp/clamd?

Yes, and it's chmod 777 right now because I was trying to figure out why I
was getting permission denied.

Roger

---
This SF.Net email is sponsored by: SourceForge.net Broadband
Sign-up now for SourceForge Broadband and get the fastest
6.0/768 connection for only $19.95/mo for the first 3 months!
http://ads.osdn.com/?ad_id=2562&alloc_id=6184&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users
Re: [Clamav-users] Still trying to get clamdscan working.
On Tue, 18 May 2004 14:21:37 -0700, "Harrell, Roger" <[EMAIL PROTECTED]> wrote:

>>I've been trying to get clamdscan working for quite some time now. I have
>>installed clamav. clamscan works. Clamdscan fails with:
>>connect(): Connection refused
>>ERROR: Can't connect to clamd.

More to check. What do you see in the log when clamd starts? Here's my messages:

May  6 18:45:31 ciscy clamd[2242]: Daemon started.
May  6 18:45:31 ciscy clamd[2242]: Log file size limited to 1048576 bytes.
May  6 18:45:31 ciscy clamd[2242]: Running as user clamav (UID 506, GID 507)
May  6 18:45:31 ciscy clamd[2242]: Setting /tmp as global temporary directory
May  6 18:45:31 ciscy clamd[2242]: Reading databases from /var/lib/clamav
May  6 18:45:32 ciscy clamd[2242]: Protecting against 21437 viruses.
May  6 18:45:33 ciscy clamd[2244]: Unix socket file /var/run/clamav/clamd.sock
May  6 18:45:33 ciscy clamd[2244]: Setting connection queue length to 15
May  6 18:45:33 ciscy clamd[2244]: Archive: Archived file size limit set to 10485760 bytes.
May  6 18:45:33 ciscy clamd[2244]: Archive: Recursion level limit set to 5.
May  6 18:45:33 ciscy clamd[2244]: Archive: Files limit set to 1000.
May  6 18:45:33 ciscy clamd[2244]: Archive: Compression ratio limit set to 200.
May  6 18:45:33 ciscy clamd[2244]: Archive support enabled.
May  6 18:45:33 ciscy clamd[2244]: RAR support disabled.
May  6 18:45:33 ciscy clamd[2244]: Mail files support enabled.
May  6 18:45:33 ciscy clamd[2244]: OLE2 support enabled.
May  6 18:45:33 ciscy clamd[2244]: Self checking every 3600 seconds.
May  6 18:45:33 ciscy clamd: clamd startup succeeded

--
Steve
Re: [Clamav-users] Still trying to get clamdscan working.
On Tue, 18 May 2004 14:21:37 -0700, "Harrell, Roger" <[EMAIL PROTECTED]> wrote:

>>I've been trying to get clamdscan working for quite some time now. I have
>>installed clamav. clamscan works. Clamdscan fails with:
>>connect(): Connection refused
>>ERROR: Can't connect to clamd.
>>
>
>>Where is your .sock file for clamd?
>>
>>locate sock |grep clam
>>
>>Then
>>
>>grep sock /etc/clamav.conf (or wherever your clamav.conf file is)
>>
>>The two need to agree.
>
>locate sock | grep clam results in no output.
>
>in the config file LocalSocket /tmp/clamd
>
>clamd is up:
>ps -aux | grep clamd
>root       954  0.0  0.0  1348   84 ?        S    May09   0:00 supervise clamd
>gqscanq  24579  0.0  0.1  1632  540 ?        S    14:19   0:00 /usr/local/sbin/clamd
>root     24811  0.0  0.1  3572  628 pts/0    S    14:21   0:00 grep clamd

Is there a file /tmp/clamd?

--
Steve
RE: [Clamav-users] Still trying to get clamdscan working.
>I've been trying to get clamdscan working for quite some time now. I have
>installed clamav. clamscan works. Clamdscan fails with:
>connect(): Connection refused
>ERROR: Can't connect to clamd.
>
>Where is your .sock file for clamd?
>
>locate sock |grep clam
>
>Then
>
>grep sock /etc/clamav.conf (or wherever your clamav.conf file is)
>
>The two need to agree.

locate sock | grep clam results in no output.

in the config file LocalSocket /tmp/clamd

clamd is up:
ps -aux | grep clamd
root       954  0.0  0.0  1348   84 ?        S    May09   0:00 supervise clamd
gqscanq  24579  0.0  0.1  1632  540 ?        S    14:19   0:00 /usr/local/sbin/clamd
root     24811  0.0  0.1  3572  628 pts/0    S    14:21   0:00 grep clamd

Roger
[Clamav-users] freshclam not restarting clamd
Hi,

I'm using clamav library from within MailScanner and I'm not running clamd at
all.

I run freshclam from within a script called from cron.

Everything is smooth and runs perfectly. However, every time freshclam gets an
update, it complains that it can't connect to clamd to notify it, which
generates a message from cron with this message...

ERROR: Clamd was NOT notified: Can't connect to clamd on 127.0.0.1:3310
connect(): Connection refused

Is there a way to tell freshclam to not try to notify clamd? (I didn't see it
in 'man freshclam')... 'freshclam --quiet' doesn't help.

TIA.

--
Mariano Absatz
El Baby
--
RAM DISK is not an installation procedure!
Re: [Clamav-users] Still trying to get clamdscan working.
On Tue, 18 May 2004 12:48:01 -0700, "Harrell, Roger" <[EMAIL PROTECTED]> wrote:

>I've been trying to get clamdscan working for quite some time now. I have
>installed clamav. clamscan works. Clamdscan fails with:
>connect(): Connection refused
>ERROR: Can't connect to clamd.
>

Where is your .sock file for clamd?

locate sock |grep clam

Then

grep sock /etc/clamav.conf (or wherever your clamav.conf file is)

The two need to agree.

--
Steve
Re: [Clamav-users] Still trying to get clamdscan working.
On Tuesday, May 18, 2004, 9:48:01 PM, Harrell, Roger wrote:

HR> I've been trying to get clamdscan working for quite some time now. I have
HR> installed clamav. clamscan works. Clamdscan fails with:
HR> connect(): Connection refused
HR> ERROR: Can't connect to clamd.
HR> --- SCAN SUMMARY ---
HR> Infected files: 0
HR> Time: 0.001 sec (0 m 0 s)
HR> I am using a local socket. I can't figure out what the "connection refused"
HR> is, and don't know how to troubleshoot this. Any help or information would
HR> be greatly appreciated.
HR> Roger

Did you make sure that clamd is running? Are there any entries in the logfile?
Some more info please! :-)

--
Best regards,
Christoph  mailto:[EMAIL PROTECTED]
[Clamav-users] Still trying to get clamdscan working.
I've been trying to get clamdscan working for quite some time now. I have
installed clamav. clamscan works. Clamdscan fails with:

connect(): Connection refused
ERROR: Can't connect to clamd.

--- SCAN SUMMARY ---
Infected files: 0
Time: 0.001 sec (0 m 0 s)

I am using a local socket. I can't figure out what the "connection refused"
is, and don't know how to troubleshoot this. Any help or information would
be greatly appreciated.

Roger
Re: [Clamav-users] virus in mail not detected
At 12:23 PM 5/18/04, Jona Tallieu wrote:
> Hi all,
>
> I'm new to CLAMAV, and have installed it on my OSX machine to test out. I
> plan to use it as an extra scanner for our CommuniGatePro mailserver.
>
> I have a message that got thru our current setup and wanted to try if CLAMAV
> would detect the virus. I saved the message as a raw TXT file, which holds
> the binary data of the .zip attachment attached to the email.
>
> If I let CLAMAV scan the raw txt file using the CLI, it does not detect the
> virus. If I first decompress the TXT file, and feed CLAMAV the zip file that
> was attached to the mail message it does detect the virus:
>
> /Users/jona/Desktop/p_message_3897.TXT.zip: Worm.Sober.G FOUND
>
> So it's safe to say that CLAMAV would not have detected it using it as a
> scanner for our mailserver, right? Since it has to detect it inside the mail
> message, correct?
>
> Is this a bug, and if so, is it a known one?

clamscan --mbox doesn't detect the txt file as a mail message, probably due to
the first line in the file:

    From [EMAIL PROTECTED] Tue May 18 13:01:32 2004

which I suppose is added by your local delivery agent, and probably not present
in the mail as originally received. If that single line is removed, clamscan
--mbox correctly detects the virus.

Sounds to me as if clam is working correctly and ready to be used with your
CommuniGatePro.

--
Noel Jones
[Clamav-users] ClamAV not scanning for viruses... Help please
Hi all.

Hoping someone can point me in the right direction with this issue. I have
setup and configured (correctly I thought) ClamAV using cgpav with CommuniGate
Pro on RedHat Enterprise Linux. When sending test emails containing the
eicar.com virus, the messages aren't being scanned at all, from what I can
tell. I have set clamd to run as root. I run the following from a command line:

[EMAIL PROTECTED] var]# clamdscan -l scan.txt CommuniGate
/var/CommuniGate/Accounts/test.macnt/INBOX.mbox: Eicar-Test-Signature FOUND
/var/CommuniGate/eicar.com: Eicar-Test-Signature FOUND

--- SCAN SUMMARY ---
Infected files: 2
Time: 2.560 sec (0 m 2 s)

But if I just send the message and receive it with the test account, the
message is not rejected nor is there any notification of a virus being found in
the message. Here's what's in the /var/log/clamav/clamd.log:

Tue May 18 13:47:32 2004 -> +++ Started at Tue May 18 13:47:32 2004
Tue May 18 13:47:32 2004 -> Log file size limit disabled.
Tue May 18 13:47:32 2004 -> Running as user root (UID 0, GID 0)
Tue May 18 13:47:32 2004 -> Setting /tmp as global temporary directory
Tue May 18 13:47:32 2004 -> Reading databases from /var/lib/clamav
Tue May 18 13:47:32 2004 -> Protecting against 21611 viruses.
Tue May 18 13:47:32 2004 -> Bound to address 127.0.0.1 on port 3310
Tue May 18 13:47:32 2004 -> Setting connection queue length to 30
Tue May 18 13:47:32 2004 -> Archive: Archived file size limit set to 10485760 bytes.
Tue May 18 13:47:32 2004 -> Archive: Recursion level limit set to 5.
Tue May 18 13:47:32 2004 -> Archive: Files limit set to 1000.
Tue May 18 13:47:32 2004 -> Archive: Compression ratio limit set to 200.
Tue May 18 13:47:32 2004 -> Archive support enabled.
Tue May 18 13:47:32 2004 -> RAR support disabled.
Tue May 18 13:47:32 2004 -> Blocking encrypted archives.
Tue May 18 13:47:32 2004 -> Mail files support enabled.
Tue May 18 13:47:32 2004 -> OLE2 support enabled.
Tue May 18 13:47:32 2004 -> Self checking every 600 seconds.
[EMAIL PROTECTED] clamav]#

I'm sure I've probably just overlooked something or have something configured
incorrectly. I can provide further info if needed. Any ideas or help would be
greatly appreciated.

Thanks in advance.

Brian

--
Brian C. Beers, CCNA
Systems Administrator
American Institute of Biological Sciences
Ph: 703.834.0812 x: 102
email: [EMAIL PROTECTED]
[Clamav-users] exiscan and clamav
Hi, all,

I have clamav running perfectly with Mailscanner but I wanted to use exiscan.
The problem is I can't get the configuring right... I don't know what to put
in:

av_scanner =

I've tried

av_scanner = clamd:/tmp/clamd

but exim panic log says:

malware acl condition: clamd: unable to connect to UNIX socket /tmp/clamd (No such file or directory)

av_scanner = clamd:/usr/bin/clamdscan

results in:

malware acl condition: clamd: unable to connect to UNIX socket /usr/bin/clamdscan (Permission denied)

av_scanner = clamd:/usr/sbin/clamd

results in the same error

av_scanner = clamd:127.0.0.1 3310

results in

clamd: connection to 127.0.0.1, port 3310 failed (Bad file descriptor)

av_scanner = clamd:192.168.0.3 3310

results in the same error...

Here's the result of "locate clam":

/etc/proftpd/clamav
/etc/clamav.conf
/usr/bin/clamscan
/usr/bin/freshclam
/usr/bin/clamdscan
/usr/include/clamav.h
/usr/lib/libclamav.so.1.0.3
/usr/lib/libclamav.so.1
/usr/lib/libclamav.so
/usr/lib/libclamav.la
/usr/lib/libclamav.a
/usr/local/bin/freshclam
/usr/local/clamav
/usr/local/clamav/mail
/usr/man/man1/clamscan.1
/usr/man/man1/freshclam.1
/usr/man/man1/clamdscan.1
/usr/man/man1/clamav-milter.1
/usr/man/man5/clamav.conf.5
/usr/man/man8/clamd.8
/usr/sbin/clamd
/usr/share/clamav
/usr/share/clamav/viruses.db
/usr/share/clamav/viruses.db2
/usr/share/clamav/mirrors.txt
/usr/mailscanner/lib/clamav-autoupdate
/usr/mailscanner/lib/clamav-wrapper
/var/log/clam-update.log
/var/spool/mail/clamav

Can anyone give me some hints?

Thanks,

Miguel
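Both the "Still trying to get clamdscan working" thread (LocalSocket /tmp/clamd, "Connection refused", a chmod 777 file at the socket path) and this exiscan thread come down to the same question: which socket is clamd really listening on, is that path actually a socket, and what string does exim's av_scanner need? The script below is an added example, not ClamAV or exiscan code. It reads the LocalSocket / TCPSocket / TCPAddr directives from a clamav.conf, prints the matching av_scanner line in the two forms tried above (clamd:<path> and clamd:<host> <port>), checks that a LocalSocket path exists and is a socket that the current user can open, and sends clamd's PING command, which a live daemon answers with PONG. The sample config and the temporary plain file are constructed for the demonstration.

```python
"""Check where clamd listens (per clamav.conf), derive the exiscan av_scanner
line, and verify the socket is real and answering.  Added example; clamd's
PING/PONG command is real, the sample config and demo file are constructed."""
import os
import socket
import stat
import tempfile


def parse_clamd_conf(text):
    """Return {'local': path} and/or {'tcp': (addr, port)} from clamav.conf text.
    Lines starting with '#' are comments; directive names are matched case-insensitively."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        cfg[key.lower()] = value.strip()
    result = {}
    if "localsocket" in cfg:
        result["local"] = cfg["localsocket"]
    if "tcpsocket" in cfg:
        result["tcp"] = (cfg.get("tcpaddr", "127.0.0.1"), int(cfg["tcpsocket"]))
    return result


def exim_av_scanner(settings):
    """exiscan syntax: 'clamd:<unix socket path>' or 'clamd:<host> <port>'."""
    if "local" in settings:
        return "clamd:%s" % settings["local"]
    if "tcp" in settings:
        return "clamd:%s %d" % settings["tcp"]
    return None


def socket_file_problem(path):
    """Return a reason the LocalSocket path is unusable, or None if it looks fine.
    A plain file sitting at the path is a classic cause of 'Permission denied'
    and 'Connection refused': no chmod will turn it into a socket."""
    try:
        st = os.stat(path)
    except OSError:
        return "%s does not exist: clamd is not running, or listens elsewhere" % path
    if not stat.S_ISSOCK(st.st_mode):
        return "%s exists but is not a socket; remove it and restart clamd" % path
    if not os.access(path, os.R_OK | os.W_OK):
        return "%s is a socket but this user cannot open it (check clamd's User/group)" % path
    return None


def ping_clamd(settings, timeout=3.0):
    """Send PING over the configured socket; True only if clamd answers PONG."""
    try:
        if "local" in settings:
            s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
            s.settimeout(timeout)
            s.connect(settings["local"])
        elif "tcp" in settings:
            s = socket.create_connection(settings["tcp"], timeout=timeout)
        else:
            return False
        try:
            s.sendall(b"PING\n")
            return s.recv(64).strip() == b"PONG"
        finally:
            s.close()
    except (OSError, socket.timeout):
        return False


def diagnose(conf_text):
    """Run all checks on a clamav.conf and return human-readable findings."""
    settings = parse_clamd_conf(conf_text)
    if not settings:
        return ["clamav.conf has neither LocalSocket nor TCPSocket"]
    findings = ["exim.conf should contain: av_scanner = %s" % exim_av_scanner(settings)]
    if "local" in settings:
        problem = socket_file_problem(settings["local"])
        if problem:
            findings.append(problem)
    findings.append("clamd answers PING: %s" % ping_clamd(settings))
    return findings


def demo_plain_file_problem():
    """Create a regular file where a socket is expected and report what the
    check says; reproduces the not-a-socket case without a running clamd."""
    fd, path = tempfile.mkstemp(prefix="clamd-demo-")
    os.close(fd)
    try:
        return socket_file_problem(path)
    finally:
        os.unlink(path)


# Constructed excerpt mirroring the poster's config (LocalSocket /tmp/clamd)
SAMPLE_CONF = "# clamav.conf excerpt\nLogFile /var/log/clamd.log\nLocalSocket /tmp/clamd\n"

if __name__ == "__main__":
    for line in diagnose(SAMPLE_CONF):
        print(line)
    print(demo_plain_file_problem())
```

Run it on the real file (`diagnose(open("/etc/clamav.conf").read())`) as the same user exim runs as; the socket permission check only means something for the user that will actually connect.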
RE: [Clamav-users] Getting virus size from signature file.
> On Tue, 18 May 2004, Antony Stone wrote:
>
> > On Tuesday 18 May 2004 3:39 pm, Samuel Benzaquen wrote:
> >
> > > I'm trying to do a report of how clamav have reduced disk usage by blocking
> > > virus emails.
> >
> > Huh? That seems like a very strange measure of benefit from blocking viruses
> > to me.
>
> Depends on how much disk space you have to burn. We used to filter
> incoming viruses to a mailbox. During an outbreak it wasn't uncommon
> for it to "break" when the mailbox file hit the 2G filesize limit.
> Every virus rejected means less network usage and filer space usage.

Also decreases the downloading time of our clients, meaning that dial-up
clients can be happy again =). When you have 2 million mail accounts, anything
counts. Just yesterday, clamav rejected more than 20 Gb in virus/worm/exploit
mails (> 700.000 mails).

> > > What I need is the virus size. Can I get that from the signature file?
> >
> > No. You might be able to get an idea from some other A-V vendors' websites,
> > but I wouldn't think it's commonly listed information.
> >
> > Anyway, what do you want to measure the size of? The raw binary? A
> > UUencoded MIME attachment? Base64? All these things and more will be very
> > different sizes.
>
> I'd recommend looking at http://vil.nai.com/. They have the size listed
> for each virus. If you're thinking of encoded stuff (base64) then
> multiply by 4/3 and add a couple K for headers. You can use
> http://www.rainingfrogs.co.uk to translate from ClamAV names to NAI
> names. Most of the time there are only a few viruses to worry about, so
> just count the big ones (grep and wc -l are great for this) and multiply
> the sizes. Should only take maybe an hour to get a fairly accurate
> estimate.

I actually did it using the size param from sendmail's log. Joined 'from' lines
with 'FOUND' ones thru mail_id and sum the size values.

> Of course, there's a catch if it was sent to a mailing list, since
> you'll only see one block in your logs, but it actually prevented 10+
> people from getting it saved to their inboxes.

Didn't think about it. Tnx =D

- samuel
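The log-join approach described above (sendmail's from= line carries size= and nrcpts=; the scanner's FOUND line carries the same queue ID) can be scripted directly, which also handles the mailing-list catch: multiply by the recipient count to estimate mailbox space, and count each message once for bandwidth. The script below is an added example, not from the thread or from ClamAV. The sendmail lines are constructed in sendmail's usual syslog layout; the clamav-milter "queue-id: ... Name FOUND" line format is an assumption for the sample, so adjust FOUND_RE to whatever your scanner writes. It goes slightly beyond the post by reporting per-virus totals and by ignoring FOUND lines that never got a matching from= line.

```python
"""Sum bytes kept out of the mail store by ClamAV rejections, joining the
MTA's from= lines with the scanner's FOUND lines through the queue ID.
Added example; log lines are constructed, the milter line format is assumed."""
import re
from collections import defaultdict

# sendmail: "...sendmail[pid]: <qid>: from=<addr>, size=N, class=0, nrcpts=M, ..."
FROM_RE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): from=<[^>]*>, size=(?P<size>\d+),"
    r".*?nrcpts=(?P<nrcpts>\d+)")
# assumed scanner format: "...: <qid>: ... <VirusName> FOUND"
FOUND_RE = re.compile(r": (?P<qid>\w+): .*?(?P<virus>\S+) FOUND")


def parse_log(lines):
    """Return (sizes, found): qid -> (size, nrcpts) and qid -> virus name."""
    sizes, found = {}, {}
    for line in lines:
        m = FROM_RE.search(line)
        if m:
            sizes[m.group("qid")] = (int(m.group("size")), int(m.group("nrcpts")))
            continue
        m = FOUND_RE.search(line)
        if m:
            found[m.group("qid")] = m.group("virus")
    return sizes, found


def blocked_bytes(lines):
    """Per virus: number of messages, bytes on the wire (each message once)
    and bytes of mailbox space (size times recipients, the mailing-list case)."""
    sizes, found = parse_log(lines)
    per_virus = defaultdict(lambda: {"count": 0, "wire": 0, "mailbox": 0})
    for qid, virus in found.items():
        if qid not in sizes:
            continue  # FOUND without a from= line (log rotated, or different MTA): unsizeable
        size, nrcpts = sizes[qid]
        entry = per_virus[virus]
        entry["count"] += 1
        entry["wire"] += size
        entry["mailbox"] += size * nrcpts
    return dict(per_virus)


# Constructed sample log: two infected messages (one to three recipients),
# one clean message, and one FOUND line whose from= line is missing.
SAMPLE_LOG = """\
May 18 10:01:02 mx1 sendmail[12345]: i4IE12ab012345: from=<a@example.invalid>, size=48213, class=0, nrcpts=3, msgid=<1@example.invalid>, proto=ESMTP, daemon=MTA, relay=[10.0.0.5]
May 18 10:01:02 mx1 clamav-milter[777]: i4IE12ab012345: stream: Worm.Sober.G FOUND
May 18 10:02:10 mx1 sendmail[12346]: i4IE2Acd012346: from=<b@example.invalid>, size=1500, class=0, nrcpts=1, msgid=<2@example.invalid>, proto=ESMTP, daemon=MTA, relay=[10.0.0.6]
May 18 10:02:10 mx1 clamav-milter[777]: i4IE2Acd012346: clean
May 18 10:03:00 mx1 sendmail[12347]: i4IE30ef012347: from=<c@example.invalid>, size=30000, class=0, nrcpts=1, msgid=<3@example.invalid>, proto=ESMTP, daemon=MTA, relay=[10.0.0.7]
May 18 10:03:00 mx1 clamav-milter[777]: i4IE30ef012347: stream: Worm.Sober.G FOUND
May 18 10:04:00 mx1 clamav-milter[777]: i4IE40gh012348: stream: Eicar-Test-Signature FOUND
""".splitlines()

if __name__ == "__main__":
    for virus, t in sorted(blocked_bytes(SAMPLE_LOG).items()):
        print("%-22s %3d msgs %9d bytes on the wire %9d bytes of mailbox"
              % (virus, t["count"], t["wire"], t["mailbox"]))
```

For a real run, feed it `open("/var/log/maillog")` instead of SAMPLE_LOG; size= in sendmail's log is the message as received, so no 4/3 base64 correction is needed.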
Re: [Clamav-users] virus in mail not detected
Jona Tallieu wrote the following on 05/18/2004 07:23 PM :
> The raw message is here:
> http://www.escobar.be/stuff/infected_message.txt

Apparently this is the Mac ASCII encoding that confuses clamav. Specifically the
new-line is encoded by a single char. Calling mac2unix on your file before
handing it to clamscan --mbox works here.

--
Lionel Bouton - inet6
Siege social: 51, rue de Verdun - 92158 Suresnes
Acces Bureaux: 33 rue Benoit Malon - 92150 Suresnes, France
Tel. +33 (0) 1 41 44 85 36   Fax +33 (0) 1 46 97 20 10
Inetsys S.A.
[Clamav-users] virus in mail not detected
Hi all,

I'm new to CLAMAV, and have installed it on my OSX machine to test out. I plan
to use it as an extra scanner for our CommuniGatePro mailserver.

I have a message that got thru our current setup and wanted to try if CLAMAV
would detect the virus. I saved the message as a raw TXT file, which holds the
binary data of the .zip attachment attached to the email.

If I let CLAMAV scan the raw txt file using the CLI, it does not detect the
virus. If I first decompress the TXT file, and feed CLAMAV the zip file that
was attached to the mail message it does detect the virus:

/Users/jona/Desktop/p_message_3897.TXT.zip: Worm.Sober.G FOUND

So it's safe to say that CLAMAV would not have detected it using it as a
scanner for our mailserver, right? Since it has to detect it inside the mail
message, correct?

Is this a bug, and if so, is it a known one?

The raw message is here:
http://www.escobar.be/stuff/infected_message.txt

The .zip file that was inside the message is here:
http://www.escobar.be/stuff/p_message_3897.TXT.zip

Thanks for the help!

Regards,
J.
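The two replies in this thread identify two separate reasons a saved message is not recognised by clamscan --mbox: the mbox "From sender date" envelope line a local delivery agent prepends, and Mac-style CR line endings (what mac2unix fixes). Both are things a message saved from a mail client can carry, so a normaliser that handles them before scanning is worth having. The following is an added example, not ClamAV code; the sample message bytes are constructed (CR line endings plus an envelope line) and the base64 is a stub, not real malware.

```python
"""Prepare a saved raw message for clamscan --mbox: normalise CR / CRLF line
endings to LF and drop a leading mbox 'From ' envelope line.  Added example;
the sample message is constructed."""


def normalise_line_endings(data):
    """CRLF -> LF first (so DOS text is not doubled), then bare CR -> LF (old Mac)."""
    data = data.replace(b"\r\n", b"\n")
    return data.replace(b"\r", b"\n")


def strip_mbox_envelope(data):
    """Remove a leading 'From sender date' envelope line, which an mbox-style
    delivery agent adds and which is not part of the message.  A real
    'From:' header has a colon directly after the name and is kept."""
    if data.startswith(b"From "):
        nl = data.find(b"\n")
        return b"" if nl < 0 else data[nl + 1:]
    return data


def looks_like_message(data):
    """Cheap sanity check: the first line must be a 'Name: value' header,
    where the header name contains no whitespace."""
    first = data.split(b"\n", 1)[0]
    name, sep, _ = first.partition(b":")
    return bool(sep) and bool(name.strip()) and b" " not in name.strip()


def prepare_for_clamscan(data):
    """Apply both fixes; the result is what clamscan --mbox should be given."""
    return strip_mbox_envelope(normalise_line_endings(data))


# Constructed sample: Mac (CR-only) line endings and an mbox envelope line.
# "UEsDBAo=" is just the start of a ZIP header, not a payload.
SAMPLE = (b"From user@example.invalid Tue May 18 13:01:32 2004\r"
          b"From: sender@example.invalid\r"
          b"To: victim@example.invalid\r"
          b"Subject: test\r"
          b"Content-Type: application/zip; name=\"p_message.zip\"\r"
          b"Content-Transfer-Encoding: base64\r"
          b"\r"
          b"UEsDBAo=\r")

if __name__ == "__main__":
    fixed = prepare_for_clamscan(SAMPLE)
    print(fixed.decode("ascii"))
    print("looks like a message:", looks_like_message(fixed))
    # Then: write `fixed` to a file and run  clamscan --mbox <file>
```

The check in looks_like_message is deliberately loose; its job is to flag the two failure modes above before a "nothing found" result is taken as a clean bill of health.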
Re: [Clamav-users] Getting virus size from signature file.
On Tue, 18 May 2004, Antony Stone wrote:

> On Tuesday 18 May 2004 3:39 pm, Samuel Benzaquen wrote:
>
> > I'm trying to do a report of how clamav have reduced disk usage by blocking
> > virus emails.
>
> Huh? That seems like a very strange measure of benefit from blocking viruses
> to me.

Depends on how much disk space you have to burn. We used to filter incoming
viruses to a mailbox. During an outbreak it wasn't uncommon for it to "break"
when the mailbox file hit the 2G filesize limit.

> > What I need is the virus size. Can I get that from the signature file?
>
> No. You might be able to get an idea from some other A-V vendors' websites,
> but I wouldn't think it's commonly listed information.
>
> Anyway, what do you want to measure the size of? The raw binary? A
> UUencoded MIME attachment? Base64? All these things and more will be very
> different sizes.

I'd recommend looking at http://vil.nai.com/. They have the size listed for
each virus. If you're thinking of encoded stuff (base64) then multiply by 4/3
and add a couple K for headers. You can use http://www.rainingfrogs.co.uk to
translate from ClamAV names to NAI names. Most of the time there are only a few
viruses to worry about, so just count the big ones (grep and wc -l are great
for this) and multiply the sizes. Should only take maybe an hour to get a
fairly accurate estimate.

Of course, there's a catch if it was sent to a mailing list, since you'll only
see one block in your logs, but it actually prevented 10+ people from getting
it saved to their inboxes.

Damian Menscher
--
Physics Grad Student & SysAdmin @ U Illinois Urbana-Champaign
488 LLP, 1110 W. Green St, Urbana, IL 61801  Ofc:(217)333-0038
<[EMAIL PROTECTED]>  www.uiuc.edu/~menscher/  Fax:(217)333-9819
The above opinions are not necessarily those of my employers:
UIUC CITES Security Group || Beckman Imaging Technology Group
Re: [Clamav-users] Getting virus size from signature file.
On Tuesday 18 May 2004 3:39 pm, Samuel Benzaquen wrote:

> Hi,
>
> I'm trying to do a report of how clamav have reduced disk usage by blocking
> virus emails.

Huh? That seems like a very strange measure of benefit from blocking viruses
to me.

It's a bit like measuring how much less frequently you need to buy shoes as a
benefit of driving a motor car.

> What I need is the virus size. Can I get that from the signature file?

No. You might be able to get an idea from some other A-V vendors' websites,
but I wouldn't think it's commonly listed information.

Anyway, what do you want to measure the size of? The raw binary? A UUencoded
MIME attachment? Base64? All these things and more will be very different
sizes.

Regards,

Antony

--
Abandon hope, all ye who enter here. You'll feel much better about things once
you do.

Please reply to the list; please don't CC me.
Re: [Clamav-users] ClamAV with Exim4 on Debian Sarge
On Tue, May 18, 2004 at 06:23:36PM +0600, Pradeeper wrote:
> On Tue, May 18, 2004 at 05:53:38PM +0600, Pradeeper wrote:
> > Tue May 18 14:27:00 2004 -> Setting connection queue length to 15
> > Tue May 18 14:27:00 2004 -> ERROR: Can't save PID in file
> > /var/run/clamd.pid
>
> I managed to remove this problem by changing the path to /var/run/clamav/clamd.pid
>
> But still it's not scanning mails for viruses...
>
> Any clue?
>
> Pradeeper
> --
>
> Debian GNU/Linux Sarge (kernel 2.2.20-compact)
>
> If time heals all wounds, how come the belly button stays the same?

First, I would advise checking for a stale lockfile and/or permissions issues.
Also, to be certain of your config, check top or ps output. Is clam running?
Then, is your MTA properly piping mail to clam? I recommend starting from your
mail entry point and working your way through the route. If you are clear on
the piping order, you'll find what is broken.

Regards,

--
John Lalla
Santa Barbara, CA
no gates... no windows! running GNU/Linux, free at last!
"Only those who attempt the absurd can achieve the impossible."
"Those who would trade liberty for security deserve neither." - Benjamin Franklin
Re: [Clamav-users] Exim + ClamAV + what?
On Tue, 18 May 2004 16:34:08 +1200, Ray Jackson <[EMAIL PROTECTED]> wrote:

>does the list believe that ClamAV is ready for the mainstream?

For what it's worth, CompuServe is now using ClamAV to scan mail for users of
the "compuserve classic" service.

--
Steve
[Clamav-users] Getting virus size from signature file.
Hi,

I'm trying to do a report of how clamav have reduced disk usage by blocking
virus emails. What I need is the virus size. Can I get that from the signature
file?

Thanks,

-samuel benzaquen
[Clamav-users] Re: Re[2]: clamd dying: reasons
K. Shantanu wrote:
> On Mon, May 17, 2004 at 08:45:26AM -0400, Jesse Guardiani wrote:
>
>> It does if you delete the socket file from your run script. But you need
>> to upgrade to 0.70 anyway, and I imagine that you'll start having
>> problems with clamd hanging as well as dying once you do.
>
> Then why in the world should I upgrade if I will be having same problems?

Check your freshclam logs.

--
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v) 423-559-5145 (f)
http://www.wingnet.net
Re: [Clamav-users] Compiled with '-g'
Sean Matheson wrote:
> Do I simply put --enable-debug in the CFLAGS definition?

If you want to localize the debugging you can add -g to CFLAGS as defined in
the Makefile generated by configure. If you go that route also add -DCL_DEBUG.

Better to use --enable-debug in the initial configure script.
Re: [Clamav-users] Compiled with '-g'
Do I simply put --enable-debug in the CFLAGS definition? Sorry, I am very new
to Linux and its Makefiles.

--
Sean Matheson
Student Programmer
Re: [Clamav-users] ClamAV with Exim4 on Debian Sarge
Hi All

On Tue, May 18, 2004 at 09:51:39PM +0600, Pradeeper wrote:
> It's working now :-))
> Thanks for the tip.

I tested my Virus Wall with http://www.testvirus.org/

According to it my scanner failed to block 4 types of viruses or variants as
follows,

Test #21: Eicar virus within zip file hidden using the "Long MIME Boundary
Vulnerability"

Test #23: Eicar virus within zip file hidden using the "Empty MIME Boundary
Vulnerability"

Test #24: Test for the "Partial (Fragmented) Vulnerability". This does not
include Eicar virus, but your mail server still must block this since it can
break a virus into multiple emails and reassemble it in your inbox.

Test #25: Attachment with a CLSID extension which may hide the real file
extension. This does not include Eicar virus, but your mail server still must
block this since it can hide the true extension of a file.

How can I avoid this? Is there any solution?

Thanks!

Pradeeper
--

Debian GNU/Linux Sarge (kernel 2.2.20-compact)

Down with categorical imperative!
Re: [Clamav-users] Compiled with '-g'
On Tuesday 18 May 2004 9:56 am, Sean Matheson wrote:
> Hello All;
>
> Could anyone please verify for me that freshclam is compiled with the
> '-g' option?

Which version of clamd? What operating system? What compiler? What is your value of the CFLAGS environment variable? What options did you give to 'configure'?

> Thank you;

-Nigel

--
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK. ICQ#20252325
[EMAIL PROTECTED] http://www.bandsman.co.uk
Re: [Clamav-users] Exim + ClamAV + what?
Thanks for the feedback. Apologies if I worded my original email badly. I have the utmost respect for the ClamAV project and what it stands for. I am very keen on deploying ClamAV myself. I have already thrown several new viruses at it and it has blocked them all so far.

As you might expect though I am the technical guy who is trying to convince the suits that ClamAV *isn't* too good to be true! - which is why I need ammunition to get their go-ahead.

With regard to Amavis. The performance figures you mention look very promising. We are looking at deploying 2 x Dual Xeon 2.8Ghz, 2Gb RAM and a NetApp Filer (with NFS mounts) for the mail store.

I will take another look at Exiscan - I thought originally that you couldn't have the opt-in/out ability which we need.

Thanks again,
Ray

Quoting "Fajar A. Nugraha" <[EMAIL PROTECTED]>:

> > We currently use Sophos AV and we have a large number of corporate customers who
> > need some assurance that the level of AV protection we are providing is more than
> > respectable. Can anybody point me at any good documents or pages that I can
> > put in front of our marketing people to reassure them that ClamAV is up to the job?
>
> http://www.clamav.net/whos.html#pagestart
>
> Depends on what you mean by "the level of AV protection we are providing is more than respectable".
> Keep in mind that clamav is still pre-1.0. So, if you want to say "look, I use clamav. It's great, it will never cause any problem, and we get great commercial support" -- you won't be able to. Get a commercial AV product and support. That way, you can blame their salesperson when it fails to catch a particular virus :)
>
> But you can say "Hey, I use clamav. It's still under development, but many people are using it already because it works great. It's open source, so you don't have to worry about license to use it. Sometimes it even recognizes new mail virus faster than other commercial AV vendors"
> Then you can point them to http://www.clamav.net/whos.html#pagestart to see which companies brave enough (and satisfied with it, judging by the fact that they're featured there) to use this pre-1.0 software.
>
> Regards,
>
> Fajar
>
> --
> Please avoid sending me Microsoft Office attachments.
> See http://www.newsforge.com/software/04/03/27/0134204.shtml
Re: [Clamav-users] Compiled with '-g'
passing --enable-debug through the configure script might help

Sean Matheson wrote:
> Scrap that. I found that it was compiled with the '-g' option. But I
> still can't seem to get gdb working with the core file dumped by the
> freshclam seg fault. Back to the drawing board.
>
> --
> Sean Matheson
> Student Programmer
Re: [Clamav-users] ClamAV with Exim4 on Debian Sarge
Hi Fajar

On Tue, May 18, 2004 at 02:38:54PM +0700, Fajar A. Nugraha wrote:

It's working now :-))
Thanks for the tip.

Problem was in my Exim4 configuration. I put it in a wrong place ;-)

> You should look at exim's log first.

Now it displays all the things in the Exim logs as well as in clamd.log.

Regards!
Pradeeper

--
Debian GNU/Linux Sarge (kernel 2.2.20-compact)
No matter what happens, there is always someone who knew it would.
Re: [Clamav-users] Compiled with '-g'
Scrap that. I found that it was compiled with the '-g' option. But I still can't seem to get gdb working with the core file dumped by the freshclam seg fault. Back to the drawing board.

--
Sean Matheson
Student Programmer
[Clamav-users] Compiled with '-g'
Hello All;

Could anyone please verify for me that freshclam is compiled with the '-g' option?

Thank you;

--
Sean Matheson
Student Programmer
Re: [Clamav-users] Exim + ClamAV + what?
--On 18 May 2004 16:34 +1200 Ray Jackson <[EMAIL PROTECTED]> wrote:

> Hi all,
>
> We are building a new mail platform and are looking at using ClamAV for our AV
> platform. Firstly, (and I know this is probably a silly question to ask here),
> does the list believe that ClamAV is ready for the 250,000 email per day and
> performance is very important!
>
> Any feedback/thoughts would be appreciated!
>
> Cheers,
> Ray

I have a customer who runs exim 4 + amavisd + spamAssassin + courier imap on 3 dual 1.13Ghz, 4Gb ram + scsi (160) raid, they handle 2-400,000 mails per 24 hours, I see around 1 missed virus per month (caught on the backend by symantec) and have gone for months with none getting through. The machines hum nicely and are not currently looking close to maximum loading.

At the end of the day you must take your own view on using pre version 1 software on a production system.

Regards,
Roger
Re: [Clamav-users] Exim + ClamAV + what?
> We currently use Sophos AV and we have a large number of corporate customers who
> need some assurance that the level of AV protection we are providing is more than
> respectable. Can anybody point me at any good documents or pages that I can
> put in front of our marketing people to reassure them that ClamAV is up to the job?

http://www.clamav.net/whos.html#pagestart

Depends on what you mean by "the level of AV protection we are providing is more than respectable".
Keep in mind that clamav is still pre-1.0. So, if you want to say "look, I use clamav. It's great, it will never cause any problem, and we get great commercial support" -- you won't be able to. Get a commercial AV product and support. That way, you can blame their salesperson when it fails to catch a particular virus :)

But you can say "Hey, I use clamav. It's still under development, but many people are using it already because it works great. It's open source, so you don't have to worry about license to use it. Sometimes it even recognizes new mail virus faster than other commercial AV vendors"
Then you can point them to http://www.clamav.net/whos.html#pagestart to see which companies brave enough (and satisfied with it, judging by the fact that they're featured there) to use this pre-1.0 software.

Regards,

Fajar

--
Please avoid sending me Microsoft Office attachments.
See http://www.newsforge.com/software/04/03/27/0134204.shtml
Re: [Clamav-users] ClamAV with Exim4 on Debian Sarge
Pradeeper wrote:

> Hi All
>
> I'm implementing a Spam and a Virus wall using Exim4, SA-Exim, SpamAssassin,
> Exiscan-ACL clamav-daemon and clamav on Debian Sarge. This stands before my
> mail server and scans my mails for spam and viruses. Spam blocking is fine,
> but problem is in virus thing.

You should submit this to exiscan-users list.

> My /etc/clamav/clamav.conf is like this,
>
> User clamav

User should be whatever user is running exim (recommended). In my case, user is exim. Don't forget to change permission on clamav's db and log directory.
Another method which MIGHT work (haven't tested it yet) is to make clamav user a member of exim's group.

> ScanMail

You don't need this with exiscan

> ArchiveMaxFileSize 10M

I set it to something lower (1M) to reduce clamd's load.

> In Exim4 config main area (I'm using monolithic config),
>
> av_scanner = clamd:127.0.0.1 3310
>
> And ACL section has,
>
> deny message = This message contain malware ($malware_name)
>      log_message = $sender_host_address tried sending $malware_name
>      demime = *
>      malware = *
>
> Does order matter in Exim ACLs?

Yes, order matters. This ACL should be the first lines in data ACL (not rcpt ACL)

> Everything seems fine, but it's not cleaning my mails? When I see the logs..,
> /var/log/clamav/clamd.log I see only those, no hint about scanning mails :-(

You should look at exim's log first.

Regards,

Fajar

--
Please avoid sending me Microsoft Office attachments.
See http://www.fsf.org/philosophy/no-word-attachments.html
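When clamd.log shows nothing, the first thing to settle is whether the daemon behind `av_scanner = clamd:127.0.0.1 3310` is reachable and answering at all, independently of exim's ACL. The following is an added example, not code from this thread, from ClamAV or from exiscan: a minimal Python client for the clamd TCP protocol that pings the daemon and streams a file to it with the INSTREAM command (the command current clamd releases accept; the 2004-era daemon used the older STREAM command). The request framing and reply parsing are plain functions so they can be checked without a daemon; `scan_bytes()` is the live call and assumes clamd is listening on the host and port from the post.

```python
"""Minimal clamd TCP client (added example, not ClamAV's own client).

INSTREAM framing: the literal 'zINSTREAM\\0', then chunks of
<4-byte big-endian length><bytes>, ended by a zero-length chunk.
Replies are NUL-terminated, e.g. 'stream: OK', 'stream: <sig> FOUND',
'INSTREAM size limit exceeded. ERROR'.
"""
import socket
import struct
import sys

CLAMD_HOST, CLAMD_PORT = "127.0.0.1", 3310  # from av_scanner = clamd:127.0.0.1 3310
CHUNK = 8192                                # assumed chunk size, any value works


def instream_frames(data, chunk=CHUNK):
    """Build the complete zINSTREAM request for `data` as one bytes object."""
    out = [b"zINSTREAM\x00"]
    for i in range(0, len(data), chunk):
        piece = data[i:i + chunk]
        out.append(struct.pack("!I", len(piece)) + piece)
    out.append(struct.pack("!I", 0))        # zero-length chunk ends the stream
    return b"".join(out)


def parse_reply(reply):
    """Map a raw clamd reply to (status, detail).

    status is one of "OK", "FOUND", "ERROR" or "UNKNOWN"; detail is the
    signature name for FOUND, the error text for ERROR, None for OK.
    """
    text = reply.rstrip(b"\x00\r\n").decode("ascii", "replace")
    _, sep, verdict = text.partition(": ")
    if not sep:                              # error replies carry no 'stream: ' prefix
        verdict = text
    if verdict == "OK":
        return ("OK", None)
    if verdict.endswith(" FOUND"):
        return ("FOUND", verdict[:-len(" FOUND")])
    if verdict.endswith(" ERROR"):
        return ("ERROR", verdict[:-len(" ERROR")])
    return ("UNKNOWN", text)


def _read_reply(sock):
    """Read until the NUL terminator that ends a z-prefixed command's reply."""
    reply = b""
    while not reply.endswith(b"\x00"):
        buf = sock.recv(4096)
        if not buf:
            break
        reply += buf
    return reply


def ping(host=CLAMD_HOST, port=CLAMD_PORT, timeout=5.0):
    """True if clamd answers PING with PONG on the configured socket."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"zPING\x00")
        return _read_reply(s).rstrip(b"\x00\r\n") == b"PONG"


def scan_bytes(data, host=CLAMD_HOST, port=CLAMD_PORT, timeout=30.0):
    """Stream `data` to clamd and return parse_reply() of its verdict."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(instream_frames(data))
        return parse_reply(_read_reply(s))


if __name__ == "__main__":
    # Usage: python clamd_check.py <file>   (e.g. the eicar.com test file)
    print("ping:", ping())
    with open(sys.argv[1], "rb") as fh:
        print("scan:", scan_bytes(fh.read()))
```

If `ping()` fails, exim cannot be scanning either and the fix is in clamd.conf (the TCPSocket/TCPAddr or LocalSocket setting must match what av_scanner names); if it succeeds and a FOUND verdict comes back for the test file, clamd is fine and the missing log lines point at the ACL placement Fajar describes above.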
Re: [Clamav-users] Exim + ClamAV + what?
* Ray Jackson <[EMAIL PROTECTED]> [20040518 07:37]: wrote:
> Hi all,
>
> We are building a new mail platform and are looking at using ClamAV for our AV
> platform. Firstly, (and I know this is probably a silly question to ask here),
> does the list believe that ClamAV is ready for the mainstream?

What is mainstream according to you? With due respect, it's solely your own decision on what to use, no? Have you looked at http://www.clamav.net/whos.html#pagestart ??? You may wish to, then ask yourself the same question a second time.

> We currently use Sophos AV and we have a large number of corporate customers who
> need some
> assurance that the level of AV protection we are providing is more than
> respectable. Can anybody point me at any good documents or pages that I can
> put in front of our marketing people to reassure them that ClamAV is up to the
> job?

http://www.clamav.net/whos.html#pagestart

> Secondly, we run the excellent Exim MTA here and are looking at the best way to
> interface with ClamAV. Currently, I have setup a test box using amavis-new
> (amavisd) which in turn talks to clamd. Is this the best way of doing things
> in terms of performance??

The best for Exim is called Exiscan - http://duncanthrax.net/exiscan-acl. That is because it has been made almost an integral part of Exim. It interfaces so nicely you'd think it is part of Exim ;-)

> We don't require Amavis to do anti-spam and since
> our users are opt-in we can't use exiscan or something that blocks viruses at
> the initial delivery stage. I would prefer not to use a Perl-based package
> like Amavis as we process over 250,000 email per day and performance is very
> important!

Well, you can still scan spam in the routers. I do the same thing here using procmail. You only need a

condition = {scan only for these users}

cheers
- wash

+--+-+
Odhiambo Washington . WANANCHI ONLINE LTD (Nairobi, KE) |
. 1ere Etage, Loita Hse, Loita St., | GSM: (+254) 722 743 223 .
# 10286, 00100 NAIROBI | GSM: (+254) 733 744 121 . (+254) 020 313 985 - 9 |
+-+--+
"Oh My God! They killed init! You Bastards!" --from a /. post
Re: [Clamav-users] real time doesn't work ?
- Original Message -
From: "Christoph Cordes" <[EMAIL PROTECTED]>
To: "net" <[EMAIL PROTECTED]>
Sent: Monday, May 17, 2004 9:55 PM
Subject: Re: [Clamav-users] real time doesn't work ?

> On Monday, May 17, 2004, 11:21:55 AM, net wrote:
>
> n> Hello,
> n> clamd is up, and I sent a message with "eicar.com" to my postfix, but Clamav
> n> didn't see it :(
> n> But when I run clamscan the file is matched with the database Signature...
> n> Anyone could give me a reason of this failure ?
> n> thx :)
>
> could you provide some more information please? what version of ClamAV
> do you use, how do you scan mails (amavis maybe?).
>
> --
> Best regards,
> Christoph mailto:[EMAIL PROTECTED]

Sorry, The problem is solved, it was an error in my postfix configuration.

Thx.
N. Et.