[Clamav-users] client-server config
Hello Everyone,

I've installed ClamAV 0.70 and am curious as to how to have a client/server configuration set up. More exactly, how do I tell the clamscan/clamdscan client to connect to a remote host that is running 'clamd'? I have looked at the docs on the site, but do not see anything on this; or perhaps I've missed it. I'll look again, but I would like to hear everyone's opinions and experiences.

Also, I have set the configuration ('/etc/clamav/clamd.conf') to use the following settings on the server side (server running clamd):

# TCP port address.
TCPSocket 3310

# TCP address
TCPAddr 10.10.10.200

Any help or pointing me in the right direction would be appreciated.

Thanks,
~Martin

---
This SF.Net email is sponsored by: Oracle 10g
Get certified on the hottest thing ever to hit the market... Oracle 10g. Take an Oracle 10g class now, and we'll give you the exam FREE.
http://ads.osdn.com/?ad_id=3149&alloc_id=8166&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users
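Whatever client is pointed at that host, what travels over TCP port 3310 is the plain-text clamd protocol, so "which host does clamdscan talk to" comes down to where a socket is opened (clamdscan itself finds the daemon through the TCPSocket/TCPAddr lines of the clamd.conf it reads). The following is an added example, not code from the post or from the ClamAV project: a small Python client that streams a buffer to a remote clamd with the INSTREAM command (available in ClamAV 0.95 and later, not in 0.70) and parses the verdict. The host and port are the TCPAddr/TCPSocket values quoted above; the payload and the sample replies are constructed. clamd performs no authentication on this socket, so a TCPAddr bound to a routable address should be reachable only from the scanning clients (host firewall or network ACL).

```python
import socket
import struct


def instream_frames(data: bytes, chunk_size: int = 2048) -> bytes:
    """Encode *data* as clamd INSTREAM chunks.

    Each chunk is a 4-byte big-endian length followed by that many bytes;
    a zero-length chunk terminates the stream.  The total is subject to the
    daemon's StreamMaxLength setting.
    """
    out = bytearray()
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        out += struct.pack(">I", len(chunk)) + chunk
    out += struct.pack(">I", 0)  # zero-length terminator
    return bytes(out)


def parse_scan_response(raw: bytes):
    """Turn a clamd reply such as b'stream: Eicar-Test-Signature FOUND\\0'
    into (status, detail); status is one of OK, FOUND, ERROR, UNKNOWN."""
    text = raw.rstrip(b"\x00\n").decode("utf-8", "replace")
    # Replies are "<subject>: <verdict>"; the subject may itself contain ": ".
    _, _, verdict = text.rpartition(": ")
    if verdict == "OK":
        return ("OK", None)
    if verdict.endswith(" FOUND"):
        return ("FOUND", verdict[: -len(" FOUND")])
    if verdict.endswith(" ERROR"):
        return ("ERROR", verdict[: -len(" ERROR")])
    return ("UNKNOWN", verdict)


def scan_stream(host: str, port: int, data: bytes, timeout: float = 10.0):
    """Send *data* to a remote clamd over TCP and return the parsed verdict.

    The 'z' prefix asks clamd to NUL-terminate its reply, which gives us an
    unambiguous end-of-message marker to read up to.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"zINSTREAM\x00")
        sock.sendall(instream_frames(data))
        reply = b""
        while not reply.endswith(b"\x00"):
            part = sock.recv(4096)
            if not part:
                break
            reply += part
    return parse_scan_response(reply)


if __name__ == "__main__":
    # Host and port taken from the clamd.conf quoted in the post; adjust to your server.
    # The payload is a constructed, harmless byte string.
    print(scan_stream("10.10.10.200", 3310, b"constructed harmless payload"))
```

The reply parser is separated from the socket code so it can be exercised offline; the same function handles the per-file replies of the SCAN and CONTSCAN commands, whose subject is a path instead of the word "stream".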
[Clamav-users] Clamav-milter and Mailman - user not authenticating?
I am noticing something strange and frustrating when I have clamav-milter enabled in my sendmail installation. First, the vital stats:

Fedora Core 2
Sendmail 8.12.11-4.6
Clam-AV 0.70
Clamav-milter 0.70j
Mailman 2.1.4-4

I do have mailman on this server, though no active lists at the moment. Whenever I have clamav-milter enabled in my sendmail.mc/cf, I get the following in my maillog (below). For some reason, the mailman user seems to be trying to send a message to itself. When I remove the milter from the configuration, I not only cease to see the milter lines in the log (of course) but also the reject line:

May 26 15:50:06 davinci sendmail[30441]: ruleset=trust_auth, [EMAIL PROTECTED], relay=[192.168.1.1], reject=550 5.7.1 <[EMAIL PROTECTED]>... not authenticated

There are no mailman processes running; this seems to happen every 5 minutes. Has anyone seen anything like this, and/or have any suggestions?

-Don

May 26 15:50:01 davinci sendmail[30438]: i4QJo0R3030438: from=mailman, size=1074, class=0, nrcpts=1, msgid=<200405261950 [EMAIL PROTECTED]>, [EMAIL PROTECTED]
May 26 15:50:06 davinci sendmail[30441]: NOQUEUE: connect from [192.168.1.1]
May 26 15:50:06 davinci sendmail[30441]: AUTH: available mech=PLAIN LOGIN DIGEST-MD5 CRAM-MD5 ANONYMOUS, allowed mech=DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
May 26 15:50:06 davinci sendmail[30441]: i4QJo6NG030441: Milter (clmilter): init success to negotiate
May 26 15:50:06 davinci sendmail[30441]: i4QJo6NG030441: Milter: connect to filters
May 26 15:50:06 davinci sendmail[30441]: i4QJo6NG030441: milter=clmilter, action=connect, continue
May 26 15:50:06 davinci sendmail[30441]: i4QJo6NG030441: --- 220 [davinci.the-leveys.us ESMTP MTAname vmta.version; Wed, 26 May 2004 15:50:06 -0400] - All Access Logged - No Unauthorised Access Permitted - Unauthorized access subject to fines, fees, and costs of cleanup - All Rights Reserved, including those not explicitly mentioned
May 26 15:50:06 davinci sendmail[30441]: i4QJo6NG030441: <-- EHLO davinci.the-leveys.us
May 26 15:50:06 davinci sendmail[30441]: i4QJo6NG030441: --- 250-davinci.the-leveys.us Hello [192.168.1.1], pleased to meet you
May 26 15:50:06 davinci sendmail[30441]: i4QJo6NG030441: --- 250-ENHANCEDSTATUSCODES
May 26 15:50:06 davinci sendmail[30441]: i4QJo6NG030441: --- 250-PIPELINING
May 26 15:50:06 davinci sendmail[30441]: i4QJo6NG030441: --- 250-8BITMIME
May 26 15:50:06 davinci sendmail[30441]: i4QJo6NG030441: --- 250-SIZE
May 26 15:50:06 davinci sendmail[30441]: i4QJo6NG030441: --- 250-DSN
May 26 15:50:06 davinci sendmail[30441]: i4QJo6NG030441: --- 250-ETRN
May 26 15:50:06 davinci sendmail[30441]: i4QJo6NG030441: --- 250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
May 26 15:50:06 davinci sendmail[30441]: i4QJo6NG030441: --- 250-DELIVERBY
May 26 15:50:06 davinci sendmail[30441]: i4QJo6NG030441: --- 250 HELP
May 26 15:50:06 davinci sendmail[30441]: i4QJo6NG030441: <-- MAIL From:<[EMAIL PROTECTED]> SIZE=1074 AUTH=ma [EMAIL PROTECTED]
May 26 15:50:06 davinci sendmail[30441]: ruleset=trust_auth, [EMAIL PROTECTED], relay=[192.168.1.1], reject=550 5.7.1 <[EMAIL PROTECTED]>... not authenticated
May 26 15:50:06 davinci sendmail[30441]: i4QJo6NG030441: Milter: senders: <[EMAIL PROTECTED]>
May 26 15:50:06 davinci sendmail[30441]: i4QJo6NG030441: milter=clmilter, action=mail, continue
May 26 15:50:06 davinci sendmail[30441]: i4QJo6NG030441: --- 250 2.1.0 <[EMAIL PROTECTED]>... Sender ok
May 26 15:50:06 davinci sendmail[30441]: i4QJo6NG030441: <-- RCPT To:<[EMAIL PROTECTED]>
May 26 15:50:06 davinci sendmail[30441]: i4QJo6NG030441: Milter: rcpts: <[EMAIL PROTECTED]>
May 26 15:50:06 davinci sendmail[30441]: i4QJo6NG030441: milter=clmilter, action=rcpt, continue
May 26 15:50:06 davinci sendmail[30441]: i4QJo6NG030441: --- 250 2.1.5 <[EMAIL PROTECTED]>... Recipient ok
May 26 15:50:06 davinci sendmail[30441]: i4QJo6NG030441: <-- DATA
May 26 15:50:06 davinci sendmail[30441]: i4QJo6NG030441: --- 354 Enter mail, end with "." on a line by itself
May 26 15:50:06 davinci sendmail[30441]: i4QJo6NG030441: from=<[EMAIL PROTECTED]>, size=1369, class=0, nrcpts=1, msgid=<[EMAIL PROTECTED]>, proto=ESMTP, daemon=MTA, relay=[192.168.1.1]
May 26 15:50:06 davinci sendmail[30441]: i4QJo6NG030441: milter=clmilter, action=header, continue
May 26 15:50:06 davinci last message repeated 9 times
May 26 15:50:06 davinci sendmail[30441]: i4QJo6NG030441: milter=clmilter, action=eoh, continue
May 26 15:50:06 davinci sendmail[30441]: i4QJo6NG030441: milter=clmilter, action=body, continue
May 26 15:50:06 davinci sendmail[30441]: i4QJo6NG030441: Milter add: header: X-Virus-Scanned: clamd / ClamAV version 0.70, clamav-milter version 0.70j
May 26 15:50:06 davinci sendmail[30441]: i4QJo6NG030441: Milter accept: message
May 26 15:50:06 davinci sendmail[30441]: i4QJo6NG030441: --- 250 2.0.0 i4QJo6NG030441 Message accepted for delivery
May 26 15:50:06 davinci sendmail[30438]: i4QJo0R3030438: to=mailman, ctladdr=mailman (41
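As an added example that is not part of the thread, the following Python pulls the "ruleset=..., reject=..." events out of a sendmail maillog and records whether the same sendmail process later logged "Message accepted for delivery". That pairing is what stands out in Don's log: the trust_auth ruleset decides whether to honour the AUTH= parameter given on MAIL FROM, so its 550 does not by itself refuse the message, which is consistent with the accepted-for-delivery line for the same queue id a few lines later. The sample log lines are constructed to mirror the format above, with placeholder addresses and host names; the 14-character queue id is the sendmail 8.12 format seen in the log.

```python
import re

# Constructed sample maillog excerpt modelled on the sendmail output quoted in
# the post. Host names and addresses are placeholders, not the poster's.
SAMPLE_LOG = """\
May 26 15:50:06 mx1 sendmail[30441]: NOQUEUE: connect from [192.168.1.1]
May 26 15:50:06 mx1 sendmail[30441]: i4QJo6NG030441: Milter (clmilter): init success to negotiate
May 26 15:50:06 mx1 sendmail[30441]: i4QJo6NG030441: <-- MAIL From:<mailman@example.invalid> SIZE=1074 AUTH=mailman@example.invalid
May 26 15:50:06 mx1 sendmail[30441]: ruleset=trust_auth, arg1=mailman@example.invalid, relay=[192.168.1.1], reject=550 5.7.1 <mailman@example.invalid>... not authenticated
May 26 15:50:06 mx1 sendmail[30441]: i4QJo6NG030441: milter=clmilter, action=mail, continue
May 26 15:50:06 mx1 last message repeated 9 times
May 26 15:50:06 mx1 sendmail[30441]: i4QJo6NG030441: Milter accept: message
May 26 15:50:06 mx1 sendmail[30441]: i4QJo6NG030441: --- 250 2.0.0 i4QJo6NG030441 Message accepted for delivery
May 26 15:51:10 mx1 sendmail[30502]: i4QJpA7x030502: ruleset=check_rcpt, arg1=<nobody@example.invalid>, relay=[203.0.113.5], reject=550 5.7.1 <nobody@example.invalid>... Relaying denied
"""

# syslog prefix, sendmail pid, optional 14-character queue id, rest of message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sendmail\[(?P<pid>\d+)\]: "
    r"(?:(?P<qid>[A-Za-z0-9]{14}): )?(?P<msg>.*)$"
)

# ruleset rejection as sendmail logs it: ruleset=NAME, args..., relay=..., reject=CODE text
REJECT_RE = re.compile(
    r"ruleset=(?P<ruleset>\w+),.*?relay=(?P<relay>[^,]+),\s*"
    r"reject=(?P<code>\d{3}(?: \d\.\d\.\d)?) (?P<reason>.*)$"
)


def parse_line(line: str):
    """Split one maillog line into its fields, or None for non-sendmail lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["pid"] = int(fields["pid"])
    return fields


def summarize_rejects(log_text: str):
    """Return one record per ruleset rejection, noting whether the same
    sendmail process (pid) went on to accept a message anyway."""
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    accepted_pids = {e["pid"] for e in entries if "Message accepted for delivery" in e["msg"]}
    records = []
    for e in entries:
        m = REJECT_RE.search(e["msg"])
        if not m:
            continue
        records.append({
            "pid": e["pid"],
            "qid": e["qid"],
            "ruleset": m["ruleset"],
            "relay": m["relay"],
            "code": m["code"],
            "reason": m["reason"],
            "message_accepted": e["pid"] in accepted_pids,
        })
    return records


if __name__ == "__main__":
    for rec in summarize_rejects(SAMPLE_LOG):
        print(rec)
```

Correlating on the sendmail pid rather than the queue id matters here because the ruleset line is logged before a queue id exists, exactly as in the log above.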
RE: [Clamav-users] Re: Re: Suspicious?
> Sorry for the confusion. Sandbox is part of Norman's AV product, and not a
> separate product.

Ah, OK. I'll take a look at that then.

> Also I never scanned the cab file yesterday I just posted a report from an
> earlier infection I had. I did this just to illustrate the type of info you
> get when it finds something suspicious.

OK. I guess there's no way to update a ClamAV submission with new information.

> from http://www.linemovie.com/link/user2/update/winmsg2k_1.exe
> It may also attempt to get the same file from
> http://www.linkno1.com/link/update/winmsg2k_1.exe
>
> I tried to get this file from both servers, but it was not there.

Poking around a bit at www.linemovie.com and looking at the source for the index page (retrieved via wget and viewed with vi) led me to http://www.abcroot.com/line/user1/update/winmsg2k_1.exe , which also seems to have a full copy of whatever this thing is. (Although the winmsg2k*.exe files retrieved from both sites are different. Possibly just a difference between 'user1' and 'user2'.)

> As I said, I only used 'strings' so although the info here is correct, some
> of my conclusions may not be. I would however suggest you check your
> registry and do a search for the mentioned files including winmsg2k_1.exe.

Patrick, thanks again for doing all that you have. I'm pretty sure my system is safe, since I've only been looking at this stuff from my linux mail gateway. :)

I am however concerned about any folks in my network that may have allowed the original email to get their machine infected because they don't make use of the spamassassin tags (which has been tagging the email as spam all along), and also have the preview pane enabled.

Doing a google search on the clsid 65431623-C69F-410E-A392-6360366CAC19 leads me to believe that this virus/worm/whatever has been out there since the end of March -- there are google usenet hits for Mar 31, 2004.

For anybody else who is inclined to take a look at this as well -- www.linemovie.com seems to be some kind of central distribution point for desktops that are trying to infect themselves. On a hunch, I ran wget against several similar urls, and each url hands out different (but similar) files.

http://www.linemovie.com/line/user1/msxml20.cab
http://www.linemovie.com/line/user3/msxml20.cab
http://www.linemovie.com/line/user4/msxml20.cab
http://www.linemovie.com/line/user5/msxml20.cab
http://www.linemovie.com/line/user6/msxml20.cab
http://www.linemovie.com/link/user6/msxml20.cab

-ron

I am now more than ever very interested in putting web proxies in front of all internet connections, and having clamav w/mod_proxy scan all incoming web content -- at least this way when I recognize a risk faster than the commercial scanners do I can create my own signatures.
RE: [Clamav-users] Freshclam Oddness?
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
> Sent: Wednesday, May 26, 2004 1:05 PM
> To: [EMAIL PROTECTED]
> Subject: [Clamav-users] Freshclam Oddness?
>
> Ok I have just recently updated from .70RC to .71. However when I run
> freshclam I get the following.
>
> [EMAIL PROTECTED]:/progs/clamav-0.71# freshclam
> ClamAV update process started at Wed May 26 12:40:37 2004
> Reading CVD header (main.cvd): OK
> main.cvd is up to date (version: 23, sigs: 21096, f-level: 2, builder: ddm)
> WARNING: Your ClamAV installation is OUTDATED - please update immediately !
> WARNING: Current functionality level = 1, required = 2
> Reading CVD header (daily.cvd): OK
> daily.cvd is up to date (version: 329, sigs: 598, f-level: 2, builder: tomek)
> WARNING: Your ClamAV installation is OUTDATED - please update immediately !
> WARNING: Current functionality level = 1, required = 2
>
> [EMAIL PROTECTED]:/progs/clamav-0.71# clamd --version
> clamd / ClamAV version 0.71
> [EMAIL PROTECTED]:/progs/clamav-0.71#
>
> [EMAIL PROTECTED]:/progs/clamav-0.71# freshclam --version
> freshclam / ClamAV version 0.71
> [EMAIL PROTECTED]:/progs/clamav-0.71#
>
> So the clamAV is current. I have installed Version .71 on another box and
> it has worked flawlessly. Has anyone ever encountered this?
>
> Justyn

While I haven't seen this myself, I have seen others report this on the list. I believe it was due to old libclamav files lying around somewhere. You may want to search the list (if you have not already) or try to dig around your system for anything clamav that is not up to date.

Jim
[Clamav-users] Freshclam Oddness?
Ok I have just recently updated from .70RC to .71. However when I run freshclam I get the following.

[EMAIL PROTECTED]:/progs/clamav-0.71# freshclam
ClamAV update process started at Wed May 26 12:40:37 2004
Reading CVD header (main.cvd): OK
main.cvd is up to date (version: 23, sigs: 21096, f-level: 2, builder: ddm)
WARNING: Your ClamAV installation is OUTDATED - please update immediately !
WARNING: Current functionality level = 1, required = 2
Reading CVD header (daily.cvd): OK
daily.cvd is up to date (version: 329, sigs: 598, f-level: 2, builder: tomek)
WARNING: Your ClamAV installation is OUTDATED - please update immediately !
WARNING: Current functionality level = 1, required = 2

[EMAIL PROTECTED]:/progs/clamav-0.71# clamd --version
clamd / ClamAV version 0.71
[EMAIL PROTECTED]:/progs/clamav-0.71#

[EMAIL PROTECTED]:/progs/clamav-0.71# freshclam --version
freshclam / ClamAV version 0.71
[EMAIL PROTECTED]:/progs/clamav-0.71#

So the clamAV is current. I have installed Version .71 on another box and it has worked flawlessly. Has anyone ever encountered this?

Justyn
Re: [Clamav-users] blocking attachments
On Tuesday 25 May 2004 11:12 am, Ken Jones wrote:
> Is it possible to configure clamav to block certain
> types of attachments even if they do not have a virus?
>
> Thanks,
> Ken Jones

Thanks for all the input. We are using qmail, qscanq and clamav. We picked qscanq since it is very efficient. Looks like the most logical place for attachment blocking would be in qscanq since it already breaks out attachments (using ripmime).

Thanks again,
Ken Jones
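The policy Ken describes, refusing certain attachment types whether or not the scanner flags them, is a separate decision from the virus verdict and is easiest once the MIME structure has been taken apart. As an added example (not from the thread, qscanq or ripmime), the following Python walks a message with the standard library's email package and reports attachments that violate a deny-list. The deny-list is an assumed site policy, the message is constructed, and the check deliberately looks at the last extension so that a double extension such as Invoice.PDF.exe is caught.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Assumed site policy (not a qscanq or ClamAV setting): extensions refused at
# the gateway regardless of the scan result.
BLOCKED_EXTENSIONS = {
    ".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".cab", ".hta",
}


def normalise_filename(name: str) -> str:
    """Undo the cheap tricks: surrounding whitespace and trailing dots or spaces."""
    return name.strip().rstrip(". ")


def attachment_parts(msg: EmailMessage):
    """Yield (filename, content_type) for every part that is not a body candidate."""
    for part in msg.iter_attachments():
        yield normalise_filename(part.get_filename() or ""), part.get_content_type()


def policy_violations(raw_message: bytes):
    """Return a list of (filename, reason) for attachments the policy refuses."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    violations = []
    for name, ctype in attachment_parts(msg):
        # splitext keeps only the final extension: "Invoice.PDF.exe" -> ".exe"
        ext = os.path.splitext(name)[1].lower()
        if ext in BLOCKED_EXTENSIONS:
            violations.append((name, f"blocked extension {ext}"))
        elif not name and ctype.startswith("application/"):
            # A binary part with no file name gives the recipient nothing to judge by.
            violations.append((name, f"unnamed {ctype} attachment"))
    return violations


def build_sample_message() -> bytes:
    """Constructed sample: one harmless text attachment and one executable
    behind a double extension. Addresses are placeholders."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "constructed sample for the attachment policy"
    msg.set_content("See the attached files.")
    msg.add_attachment("quarterly numbers", filename="report.txt")
    msg.add_attachment(b"MZ\x90\x00\x03", maintype="application",
                       subtype="octet-stream", filename="Invoice.PDF.exe")
    return bytes(msg)


if __name__ == "__main__":
    for name, reason in policy_violations(build_sample_message()):
        print(f"refuse {name!r}: {reason}")
```

Archive members (the .cab in the earlier thread, zip files) would need the same check applied after extraction; a deny-list on the outer file name alone does not see them.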
Re: [Clamav-users] Errors Building snapshots on Redhat 7.3
--On Wednesday, May 26, 2004 8:51 AM -0400 "Michael H. Martel" <[EMAIL PROTECTED]> wrote:

> I'm getting the following error when I try and build the latest snapshot from CVS on Redhat 7.3 .

DOH. Once I upgraded Autoconf and Automake to the latest versions it works fine.

Sorry for wasting bandwidth!

Michael

--
o-
Michael H. Martel              | Vermont State Colleges
[EMAIL PROTECTED]              | Systems Administrator
http://probe.vsc.edu/~michael  | PH:802-241-2544 FX:802-241-3363
[Clamav-users] Errors Building snapshots on Redhat 7.3
Hello!

I'm getting the following error when I try and build the latest snapshot from CVS on Redhat 7.3 .

creating ./config.status
cd . && /bin/sh ./config.status Makefile
Usage: ./config.status [--recheck] [--version] [--help]
make: *** [Makefile] Error 1
[EMAIL PROTECTED] src]#

Releases build just fine, but the snapshots give this error. I'm sure it's something I need to upgrade, since my YellowDog Linux 3.0.1 boxes build fine from snapshots.

Thanks!

Michael

--
o-
Michael H. Martel              | Vermont State Colleges
[EMAIL PROTECTED]              | Systems Administrator
http://probe.vsc.edu/~michael  | PH:802-241-2544 FX:802-241-3363
[Clamav-users] Re: Re: Suspicious?
(Apologies to the group if this arrives twice - Gmane.org seems to be acting up)

Ron,

Sorry for the confusion. Sandbox is part of Norman's AV product, and not a separate product.

Also I never scanned the cab file yesterday, I just posted a report from an earlier infection I had. I did this just to illustrate the type of info you get when it finds something suspicious. Today however I did scan it, and it found nothing :-/

Now that my interest was raised I extracted the cab onto a floppy and on my Linux box ran 'strings' against the dll and ocx.

From the dll I got the following info. It looks like it attempts to install and run an exe called winmsg2k_1.exe from http://www.linemovie.com/link/user2/update/winmsg2k_1.exe
It may also attempt to get the same file from http://www.linkno1.com/link/update/winmsg2k_1.exe

I tried to get this file from both servers, but it was not there.

It also looks as if it changes the computer's registry to something like the following;

HKLM\SOFTWARE\Windows\CurrentVersion\Run
Microsoft Task
mstask20.exe

Other files it mentions are;

services20.exe
msxml20cd.dll
msxml20cc.dll
msvcrt20kb.dll
msvcrt20ka.dll

Doing a google for mstask.exe and services.exe returns plenty of hits - they are ms files. However mstask20.exe and services20.exe return nothing. As the dlls have '20' in them I'd suspect them also.

Both the above mentioned domains are Korea registered with the contact email addresses hotmail and empal accounts. Most registrars won't allow this.

As I said, I only used 'strings' so although the info here is correct, some of my conclusions may not be. I would however suggest you check your registry and do a search for the mentioned files including winmsg2k_1.exe.

Hope this helps

--
Patrick
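Patrick's triage is the classic first pass: pull the printable strings out of the binaries and look for download URLs, autorun registry keys and file names that imitate system binaries. As an added example, not code from the thread, the following Python reproduces that step so it can be repeated on other samples: it extracts ASCII and UTF-16LE strings the way strings(1) does and matches them against the indicators Patrick listed above. The input blob is constructed; its URL is a placeholder (example.invalid), not one of the domains named in the thread, and the indicator list is the set of '20'-suffixed names from his post.

```python
import re

# Printable runs of at least four characters, ASCII and UTF-16LE (the latter is
# common in Windows PE resources and is what plain strings(1) misses).
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")

URL_RE = re.compile(r"https?://[\w.-]+(?:/[\w./%-]*)?", re.I)
# Autorun key; the "Microsoft\" component is optional because the strings in
# the post show the key without it.
RUN_KEY_RE = re.compile(r"SOFTWARE\\(?:Microsoft\\)?Windows\\CurrentVersion\\Run", re.I)
# File names from the post: Microsoft look-alikes with "20" inserted.
SUSPECT_NAMES = {
    "winmsg2k_1.exe", "mstask20.exe", "services20.exe",
    "msxml20cd.dll", "msxml20cc.dll", "msvcrt20kb.dll", "msvcrt20ka.dll",
}

# Constructed sample blob standing in for the extracted dll. The URL is a
# placeholder and the "header" bytes are made up.
SAMPLE_BLOB = b"".join([
    b"MZ\x90\x00\x03\x00\x00\x00\x01\x02\x03",
    b"http://example.invalid/update/winmsg2k_1.exe\x00",
    b"\xff\xfe",
    b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00",
    b"Microsoft Task\x00",
    "mstask20.exe".encode("utf-16le"), b"\x00\x00",
    b"\x7f\x00services20.exe\x00ab\x00",
])


def extract_strings(blob: bytes):
    """Return the printable ASCII and UTF-16LE runs found in *blob*."""
    ascii_strings = [m.group().decode("ascii") for m in ASCII_RUN.finditer(blob)]
    wide_strings = [m.group().decode("utf-16le") for m in WIDE_RUN.finditer(blob)]
    return ascii_strings + wide_strings


def triage(blob: bytes):
    """Match extracted strings against the indicators and summarise the hits."""
    report = {"urls": [], "run_keys": [], "suspect_files": set()}
    for s in extract_strings(blob):
        report["urls"].extend(URL_RE.findall(s))
        if RUN_KEY_RE.search(s):
            report["run_keys"].append(s)
        lowered = s.lower()
        for name in SUSPECT_NAMES:
            if name in lowered:
                report["suspect_files"].add(name)
    report["suspect_files"] = sorted(report["suspect_files"])
    return report


if __name__ == "__main__":
    for key, hits in triage(SAMPLE_BLOB).items():
        print(f"{key}: {hits}")
```

Like Patrick's strings run, this shows what the binary refers to, not what it does; a Run key string in a resource section is a lead to confirm on an infected host, not proof of persistence.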
Re: [Clamav-users] Worm.Hybris.D {Scanned}
On Wed, May 26, 2004 at 01:50:30PM +0200, Ivan Petroff wrote:
> Hi everybody,
>
> when I run clamscan from the System Rescue CD (www.sysresccd.org) on a
> Windows partition, I get a lot of "Worm.Hybris.D FOUND".
> But when I check the "infected files" on http://www.gietl.com/test-clamav/,
> it says they are not infected.
>
> I always update the latest virus definitions before scanning.
>
> Thank you for the ones who can help me.
>
> Ivan
>

Possibly a false positive? See http://www.nervous.it/~nervous/cgi-bin/sendvirus.cgi for how to submit a false positive sample.

Jo.

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
MailScanner thanks transtec Computers for their support.
[Clamav-users] Worm.Hybris.D
Hi everybody,

when I run clamscan from the System Rescue CD (www.sysresccd.org) on a Windows partition, I get a lot of "Worm.Hybris.D FOUND". But when I check the "infected files" on http://www.gietl.com/test-clamav/, it says they are not infected.

I always update the latest virus definitions before scanning.

Thank you for the ones who can help me.

Ivan
[Clamav-users] Problem configuring & building version 0.71 on NetBSD
On a system where clamav 0.70 is installed, I had problems building version 0.70 which failed during link of clamscan and clamd.

Configure as:

export CPPFLAGS=-I/usr/pkg/include
export LDFLAGS=-L/usr/pkg/lib
./configure --prefix=/usr/pkg --enable-milter

I had to modify the link commands to link the new libclam, not the previous version's lib, after comparing to a build on linux. The linux build is done without the --prefix option.

Can this be changed in configure somehow? In other applications on linux I have seen similar problems, so it may have to do with recent configure scripts?

Link commands as generated by configure:

( cd clamscan ; gcc -g -O2 -o clamscan output.o getopt.o memory.o cfgparser.o clamscan.o options.o others.o manager.o treewalk.o -L/usr/pkg/lib -L/usr/home/local/src/clamav-0.71/libclamav /usr/pkg/lib/libclamav.so -lz /usr/pkg/lib/libbz2.so /usr/pkg/lib/libgmp.so /usr/pkg/lib/libpthread.so -Wl,--rpath -Wl,/usr/pkg/lib -Wl,--rpath -Wl,/usr/pkg/lib )

( cd clamd ; gcc -g -O2 -o clamd output.o cfgparser.o getopt.o memory.o options.o clamd.o tcpserver.o localserver.o session.o thrmgr.o server-th.o scanner.o others.o clamuko.o dazukoio_compat12.o dazukoio.o tests.o -L/usr/pkg/lib -L/usr/home/local/src/clamav-0.71/libclamav /usr/pkg/lib/libclamav.so -lz /usr/pkg/lib/libbz2.so /usr/pkg/lib/libgmp.so /usr/pkg/lib/libpthread.so -Wl,--rpath -Wl,/usr/pkg/lib -Wl,--rpath -Wl,/usr/pkg/lib )

Modified link commands:

( cd clamscan ; gcc -g -O2 -o clamscan output.o getopt.o memory.o cfgparser.o clamscan.o options.o others.o manager.o treewalk.o -L/usr/pkg/lib -L/usr/home/local/src/clamav-0.71/libclamav /usr/home/local/src/clamav-0.71/libclamav/.libs/libclamav.so -lz /usr/pkg/lib/libbz2.so /usr/pkg/lib/libgmp.so /usr/pkg/lib/libpthread.so -Wl,--rpath -Wl,/usr/pkg/lib -Wl,--rpath -Wl,/usr/pkg/lib )

( cd clamd ; gcc -g -O2 -o clamd output.o cfgparser.o getopt.o memory.o options.o clamd.o tcpserver.o localserver.o session.o thrmgr.o server-th.o scanner.o others.o clamuko.o dazukoio_compat12.o dazukoio.o tests.o -L/usr/pkg/lib -L/usr/home/local/src/clamav-0.71/libclamav /usr/home/local/src/clamav-0.71/libclamav/.libs/libclamav.so -lz /usr/pkg/lib/libbz2.so /usr/pkg/lib/libgmp.so /usr/pkg/lib/libpthread.so -Wl,--rpath -Wl,/usr/pkg/lib -Wl,--rpath -Wl,/usr/pkg/lib )

--
/jørgen nørgaard
e-mail: [EMAIL PROTECTED] | Phone: +45 2627 3769
http://anneli.dk/~jnp/
 |\      _,,,---,,_
 /,`.-'`'    -.  ;-;;,_
|,4-  ) )-,_. ,\ (  `'-'
'---''(_/--'  `-'\_)