Re: [Clamav-users] New virus not getting scanned, but web interface says already detected?
Mitch (WebCob) wrote:
For one thing, the web interface for uploading could be A LOT MORE USEFUL by stating its current clamscan version, what it detects the upload as, selected options/config, and signature database, just allowing easier confirmation of relevant settings. I've downloaded 0.75 and upgraded, ensured my freshclam is running and current, and manually unpacked the zip archive containing the file. Still don't get a positive scan on my end, though. Help? Don't want to post the virus publicly, of course... what now? Thanks.

I'm in the same boat. I just upgraded my workstation to 0.75 (from 0.72) to make sure I had the latest version, ran freshclam to make sure I had the latest definitions (already had daily v423), and it still doesn't detect this new Mydoom variant (not Mydoom.M; I have a sig for that).

Ryan Moore -- Perigee.net Corporation 704-849-8355 (sales) 704-849-8017 (tech) www.perigee.net

--- This SF.Net email is sponsored by BEA Weblogic Workshop FREE Java Enterprise J2EE developer tools! Get your free copy of BEA WebLogic Workshop 8.1 today. http://ads.osdn.com/?ad_id=4721alloc_id=10040op=click ___ Clamav-users mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/clamav-users
Re: [Clamav-users] New variant Bagle not being detected?
Tomasz Papszun wrote:
On Mon, 26 Jul 2004 at 17:28:21 +0100, Mike Brodbelt wrote: The update was on its way. Then:
$ clamscan -m 11582.
11582.: Worm.Mydoom.M FOUND
(11582. is the file submitted by you). We got very many samples of this and, working in a hurry, we had no time to give a long explanation in each response. In fact, the signature has been added, though not exactly from your submission; that's why the note looked that way.

I'm glad to hear it's sorted - I thought that was likely, but the tone of the message was worrying. Can I be a pedant and suggest you change the auto-response system to give a reject reason like "duplicate submission" or something?

I want to take the opportunity to say thank you from the ClamAV Team to all who submit samples to us!

Is there a way I can manually extract a signature to add to my local database, if ClamAV won't do it?

Of course. It's described in signatures.pdf.

Ah - had read that one, but forgotten about it. Thanks, Mike.
Re: [Clamav-users] New variant Bagle not being detected?
On Tue, 2004-07-27 at 10:05, Mike Brodbelt wrote:
I'm glad to hear it's sorted - I thought that was likely, but the tone of the message was worrying. Can I be a pedant and suggest you change the auto-response system to give a reject reason like "duplicate submission" or something?

The submission system is already capable of doing that. However, due to the large number of submissions, I didn't have the hours to spare typing the same thing on countless submissions.

-trog
[Clamav-users] Virus found, not detected by Clamav, can't submit (claimed already recognised but is not)
I found an already older virus mail (February this year) which was recognised by inocucmd and tried to feed it to clamav (0.75, main.cvd 24, daily.cvd 423). It didn't recognise it (I used the --mbox option). However, when I tried to submit it, the page came back saying that it already is recognised. Here's the output of inocucmd (running on my old SuSE 7 system, clamav not installed):

# /usr/local/av/inocucmd -NEX virus-20030403-121256-27560
--./virus-20030403-121256-27560
[./virus-20030403-121256-27560:BlueMountaineCard.pif] was infected by virus [Backdoor/SDBot.Server.Variant]
Total Files Scanned: 2
Total Bytes Scanned: 22189
Total Viruses Found: 1
Total Infected Files Found: 1
Scan Type: Fast
*** End Of Summary ***

And here's the result of clamav 0.75:

# clamscan --mbox virus-20030403-121256-27560
virus-20030403-121256-27560: OK

--- SCAN SUMMARY ---
Known viruses: 22927
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.05 MB
I/O buffer size: 131072 bytes
Time: 0.677 sec (0 m 0 s)

What's going on here? Thanks, Albert

P.S. I managed to create a single .cvd file for it. It works (in clamscan) but it looks like it doesn't work in clamav-milter.
[Clamav-users] Procmailrc settings (for bounce, notify etc)
Hi, I have successfully got ClamAV working after configuring/tweaking everything necessary and it works fine (so far). However, I've changed my mind regarding some settings for virus interception in e-mails and would like some help on the settings in /usr/local/etc/procmailrc. At the moment, all messages containing viruses are deleted 'quietly', i.e. the e-mail gets deleted without either party knowing. I presume the detection is in the logs, but I'd like the message not to be delivered to me, while the sender gets a message saying "your message failed due to virus" etc. etc. Obviously the sender should just get the subject line or something and not the attachment. Postmaster doesn't need to be notified. Here is my file as it stands - what should the settings be instead, and how can I modify the failure notice sent to the original sender?

===
TMPLOGFILE=$LOGFILE
TMPLOGABSTRACT=$LOGABSTRACT
TMPVERBOSE=$VERBOSE
LOGFILE=/var/log/procmail.clamav
LOGABSTRACT=all
VERBOSE=off
NL="
"

:0
CLAMAV=|/usr/local/bin/clamscan --disable-summary --stdout --mbox -

:0
* CLAMAV ?? .*: \/.* FOUND
{
  LOG="Possible virus ${MATCH}${NL}"

  :0 fhw
  | formail -a"X-ClamAV: ${MATCH}"
}

:0E fhw
| formail -a"X-ClamAV: clean"

:0
* ^X-ClamAV: \/.*
* ! MATCH ?? ^^clean^^
/dev/null

LOGFILE=$TMPLOGFILE
LOGABSTRACT=$TMPLOGABSTRACT
VERBOSE=$TMPVERBOSE
==

Thanks, Suril
Re: [Clamav-users] Suggestion: Feature Freeze
On Mon, 2004-07-26 at 21:59, John Madden wrote:
Could we perhaps stop adding features for a few days and get a stable release out? It would really help. I'd like to second that. Those of us depending on clamav to catch stuff can't afford to upgrade in the middle of the day for new signatures to work.

Why not? If you say "because it's a production system and it needs to be tested", then that is a business decision to accept the risk of letting in known viruses. Most people would prefer that updates to the code to catch more viruses are released.

And why don't these new signatures work? Has that interface not yet stabilized?

No. Adding more powerful features to the scanning engine requires changes to the signature format.

-trog
Re: [Clamav-users] Virus found, not detected by Clamav, can't submit (claimed already recognised but is not)
# clamscan --mbox virus-20030403-121256-27560

Forward a copy of the email to me and I'll look into it.

-Nigel -- Nigel Horne. Arranger, Composer, Typesetter. NJH Music, Barnsley, UK. ICQ#20252325 [EMAIL PROTECTED] http://www.bandsman.co.uk
Re: [Clamav-users] Procmailrc settings (for bounce, notify etc)
On Tuesday, 27.07.2004 at 11:32 +0100, Suril Patel wrote:
[...] I presume the detection is in the logs, but I'd like the message not to be delivered to me, while the sender gets a message saying "your message failed due to virus" etc. etc. Obviously the sender should just get the subject line or something and not the attachment. [...]

Don't notify the sender. You'll just be generating unnecessary mail. In the case of most virus-generated emails, which are the ones you are going to be detecting, the sender address will be faked. Therefore, any notification would go to the wrong person in any case. Log the messages by all means, delete them automatically if you wish, but don't notify anyone (except possibly your local system administrator).

Dave. -- Dave Ewart [EMAIL PROTECTED] Computing Manager, Epidemiology Unit, Oxford Cancer Research UK PGP: CC70 1883 BD92 E665 B840 118B 6E94 2CFD 694D E370
Re: [Clamav-users] Procmailrc settings (for bounce, notify etc)
Suril Patel wrote:
I have successfully got ClamAV working after configuring/tweaking everything necessary and it works fine (so far). [...] I presume the detection is in the logs, but I'd like the message not to be delivered to me, while the sender gets a message saying "your message failed due to virus" etc. etc. Obviously the sender should just get the subject line or something and not the attachment. Postmaster doesn't need to be notified.

Actually, neither need the sender be notified, because that address is forged in 99.9% of the current viruses. Unless you want to contribute to the backscatter. Read: http://www.postfix.org/BACKSCATTER_README.html

Here is my file as it stands - what should the settings be instead, and how can I modify the failure notice sent to the original sender?

===
TMPLOGFILE=$LOGFILE
TMPLOGABSTRACT=$LOGABSTRACT
TMPVERBOSE=$VERBOSE
LOGFILE=/var/log/procmail.clamav
LOGABSTRACT=all
VERBOSE=off
NL="
"

:0
CLAMAV=|/usr/local/bin/clamscan --disable-summary --stdout --mbox -

:0
* CLAMAV ?? .*: \/.* FOUND
{
  LOG="Possible virus ${MATCH}${NL}"

  :0 fhw
  | formail -a"X-ClamAV: ${MATCH}"
}

:0E fhw
| formail -a"X-ClamAV: clean"

:0
* ^X-ClamAV: \/.*
* ! MATCH ?? ^^clean^^
/dev/null

Wow, so I just need to forge a mail with a header 'X-ClamAV: clean' to pass your virus blocker. Don't add these things to the header. Just keep the X-ClamAV: ${MATCH} and test for its absence.

And here is a recipe for auto-reply, if you really really want to backscatter innocent people.

# :0 h c
# * !^FROM_DAEMON
# * !^X-Loop: virusnotification
# | (formail -rt -I"Precedence: junk" \
#        -A"X-Loop: virusnotification" ; \
#    cat /your/friendly/message ) | $SENDMAIL -oi -t

-- Paul Bijnens, Xplanation Tel +32 16 397.511 Technologielaan 21 bus 2, B-3001 Leuven, BELGIUM Fax +32 16 397.512 http://www.xplanation.com/ email: [EMAIL PROTECTED]
*** I think I've got the hang of it now: exit, ^D, ^C, ^\, ^Z, ^Q, F6, quit, ZZ, :q, :q!, M-Z, ^X^C, logoff, logout, close, bye, /bye, stop, end, F3, ~., ^]c, +++ ATH, disconnect, halt, abort, hangup, PF4, F20, ^X^X, :D::D, KJOB, F14-f-e, F8-e, kill -1 $$, shutdown, kill -9 1, Alt-F4, Ctrl-Alt-Del, AltGr-NumLock, Stop-A, ... ... Are you sure? ... YES ... Phew ... I'm out ***
Re: [Clamav-users] Procmailrc settings (for bounce, notify etc)
Dave Ewart wrote the following on 07/27/2004 02:47 PM:
Don't notify the sender. You'll just be generating unnecessary mail. In the case of most virus-generated emails, which are the ones you are going to be detecting, the sender address will be faked. Therefore, any notification would go to the wrong person in any case.

You might want to be more accurate than that: worms using mail for propagation usually fake the From header, but when clamav detects a virus using other means of propagation (meaning the From couldn't be faked by the virus), notifying the sender is useful. Amavisd-new is configured to do this by using:

$viruses_that_fake_sender_re = new_RE(
    ...
    qr'Worm'i,   # worms as labeled by ClamAV, Kaspersky, etc
    [qr'^(EICAR|Joke\.|Junk\.)'i => 0],
    [qr'^(WM97|OF97|W95/CIH-|JS/Fort)'i => 0],
);
[Clamav-users] My.Doom.o
I have not submitted any virii (correct word?) before, so please bear with me. I always run the latest stable, currently 0.75, and have not had any virus issues up until now. I am seeing a high number of mails in the below format hitting our mail servers.

Dear user [EMAIL PROTECTED], Your e-mail account has been used to send a large amount of spam messages during this week. Obviously, your computer had been infected by a recent virus and now runs a hidden proxy server. Please follow our instruction in order to keep your computer safe. Best wishes, The domain team.

with a zip file attached containing a pif file. I submitted the zip file only to have the message returned to me advising that it is not a virus, but "Binary fragment. Harmless." Symantec identify these mails as My.Doom.o and I have checked sigtool, which identifies My.Doom.m but not My.Doom.o - My question is, how do I get clamav to identify these files as a virus? Many thanks

-- Scott Ryan, Unix/Linux Systems Engineer, Telkom Internet - SA. Email: [EMAIL PROTECTED] Cell: +27721164832 Work: +27126807835
[Clamav-users] Re: Clam AV 0.75
Rob W wrote:
Hi, I have a couple of questions that I hope you can help me with. Are there going to be official patches or a new release to correct the issues that have been mentioned on this list? I wanted to update but this issue has kept me back. I don't want to use the CVS version on a production machine. I think that it would be nice if there were official patches and/or minor releases like 0.75.1 to correct bugs or other critical issues (like changes needed to catch new viruses that otherwise would require an update to a CVS version) in between new releases. Is http://sourceforge.net/news/?group_id=86638 still going to be updated with news? There isn't any notice of version 0.75 being released (or any other version since 0.70).

I concur. :) I'm still running 0.73 because I've seen reports of viruses slipping through 0.74 and 0.75.

-- Jesse Guardiani, Systems Administrator WingNET Internet Services, P.O. Box 2605 // Cleveland, TN 37320-2605 423-559-LINK (v) 423-559-5145 (f) http://www.wingnet.net
Re: [Clamav-users] Virus found, not detected by Clamav, can't submit (claimed already recognised but is not)
Albert,

On Tue, 2004-07-27 at 06:15, Albert Pauw wrote:
However, when I tried to submit it, the page came back saying that it already is recognised.

We had to move the submission interface to another server (one of mine) and in the process the interface was broken. This was resolved yesterday afternoon/evening (GMT-4). I sincerely apologize for the inconvenience.

Cheers, Mike -- Mike Cathey - [EMAIL PROTECTED] Unix/Networking geek Perl hacker http://www.mikecathey.com/
Re: [Clamav-users] malformed error
On Mon, 26 Jul 2004 15:28:07 -0700 (PDT), Chris mckeever [EMAIL PROTECTED] wrote:

I get this when running qmail-scanner 1.22 and clamscan .75 - command line clamscan works fine, same cl arguments... I have upgraded to .75, I have removed the .cvd files and manually ran freshclam (I am not sure why the error calls virus.db - thinking it is a temp file created). There is at least 150MB of free memory.

LibClamAV Error: readdb(): Malformed pattern line 21327 (file /var/spool/qmailscan/tmp/prupref-mailgate109085904848026536/clamav-08a702a225a402a3/viruses.db).
LibClamAV Error: cli_calloc(): Can't allocate memory (8 bytes).

anyone have any ideas? I switched qmail-scanner over to use clamdscan rather than clamscan - it now finds the virii that were getting through - so - 2 items
1 - anyone have an idea why clamscan itself would die??
2 - is there a way to ensure that clamd doesn't die (or starts itself again if so)

clamscan is dying because you aren't allocating enough memory using the softlimit function. Take a look at the qmail-scanner FAQ. The reason clamdscan is working is because it takes less memory to run than clamscan. I don't have many problems with clamd dying... but you could set up daemontools to monitor it and restart it if it dies.

-Steve -- Steve Lenti | [EMAIL PROTECTED] SELECT * FROM users WHERE clue > 0; 0 rows returned
Re: [Clamav-users] My.Doom.o
On Tue, 2004-07-27 at 16:26, Scott Ryan wrote:
with a zip file attached containing a pif file. I submitted the zip file only to have the message returned to me advising that it is not a virus, but "Binary fragment. Harmless."

If you unpack it and look at the actual content of the attachment you'll see it's not a valid executable, just some rubbish. If you want to attempt to write a signature that matches ALL the possible email messages and broken attachments, then I'm sure the sig team would be happy to receive it.

-trog
RE: [Clamav-users] Virus found, not detected by Clamav, can't submit (claimed already recognised but is not)
Hi. Before you do, I've been told by Tomasz Papszun that there are signatures that won't work for anything other than CVS... so you'd have to try building a CVS version to make it work. I suggested changes to allow us users to know this info when we do an upload to the web form, but haven't had a response from any of the other developers, so I don't know if the idea is generally approved or not. Wouldn't want anyone to waste time researching something that might be as simple as a CVS snapshot build ;-) Try running the snapshot build (perhaps without installing? can that work?) to scan the individual file of interest... then you will know...

m/

-Original Message- From: Nigel Horne, Sent: Tuesday, July 27, 2004 4:50 AM, Subject: Re: [Clamav-users] Virus found, not detected by Clamav, can't submit (claimed already recognised but is not)
# clamscan --mbox virus-20030403-121256-27560
Forward a copy of the email to me and I'll look into it. -Nigel
Re: [Clamav-users] malformed error
--- Steve Lenti [EMAIL PROTECTED] wrote:
clamscan is dying because you aren't allocating enough memory using the softlimit function. Take a look at the qmail-scanner FAQ. The reason clamdscan is working is because it takes less memory to run than clamscan. I don't have many problems with clamd dying... but you could set up daemontools to monitor it and restart it if it dies.

Steve - thanks, I will play with that a bit today. I am sure I boosted the crap out of soft-limit when all this started to happen --- thanks
Re: [Clamav-users] Suggestion: Feature Freeze
Trog wanted us to know:
Could we perhaps stop adding features for a few days and get a stable release out? It would really help. I'd like to second that. Those of us depending on clamav to catch stuff can't afford to upgrade in the middle of the day for new signatures to work.

Why not? If you say "because it's a production system and it needs to be tested", then that is a business decision to accept the risk of letting in known viruses. Most people would prefer that updates to the code to catch more viruses are released.

I agree on both sides. I think the biggest uncertainty with the "use current CVS" directive is that a person could be checking out while one or more developers are making changes. In a 15-minute window, the code could be broken or produce strange results that occurred neither before nor after that window. Perhaps a daily CVS snapshot (or whatever frequency you deem useful but not overloading) made by you would be a good solution. Then we could establish functionality based on date, and it would be quite easy to move forward or backward through the dailies (speaking purely from a sysadmin point of view). It's important to note that I get constant heat from management about using non-release versions of anything, especially on anything as visible to the end user as email. At least with a snapshot release, I can say "The developers say this version should work for production." Food for thought.

-- Regards... Todd
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." --Benjamin Franklin
Linux kernel 2.6.3-8mdkenterprise 1 user, load average: 0.01, 0.02, 0.00
Re: [Clamav-users] My.Doom.o
Scott Ryan wrote:
I have not submitted any virii (correct word?) before, so please bear with me. I always run the latest stable, currently 0.75, and have not had any virus issues up until now. I am seeing a high number of mails in the below format hitting our mail servers. [...] with a zip file attached containing a pif file. I submitted the zip file only to have the message returned to me advising that it is not a virus, but "Binary fragment. Harmless."

Yes, it is a fragment of a virus. It is a dead virus :-)

Symantec identify these mails as My.Doom.o and I have checked sigtool, which identifies My.Doom.m but not My.Doom.o -

You could identify it, but it cannot do any harm anymore.

My question is, how do I get clamav to identify these files as a virus?

-- Paul Bijnens, Xplanation Tel +32 16 397.511 Technologielaan 21 bus 2, B-3001 Leuven, BELGIUM Fax +32 16 397.512 http://www.xplanation.com/ email: [EMAIL PROTECTED]
Re: [Clamav-users] malformed error
On Monday 26 July 2004 05:28 pm, Chris mckeever wrote:
08a702a225a402a3/viruses.db). LibClamAV Error: cli_calloc(): Can't allocate memory (8 bytes).
1 - anyone have an idea why clamscan itself would die??

It can't allocate memory. Please refer to the qmail-scanner FAQ, as this is a VERY VERY VERY VERY VERY (like, at least 20 times a day in #qmail) frequently asked question.

2 - is there a way to ensure that clamd doesn't die (or starts itself again if so)

http://cr.yp.to/daemontools.html
http://smarden.org/runit/

pick one.

-Jeremy -- Jeremy Kitchen ++ Systems Administrator ++ Inter7 Internet Technologies, Inc. [EMAIL PROTECTED] ++ www.inter7.com ++ 866.528.3530 ++ 847.492.0470 int'l kitchen @ #qmail #gentoo on EFnet ++ scriptkitchen.com/qmail
Re: [Clamav-users] Virus found, not detected by Clamav, can't submit (claimed already recognised but is not)
Mitch (WebCob) wrote:
Hi. Before you do, I've been told by Tomasz Papszun that there are signatures that won't work for anything other than CVS... so you'd have to try building a CVS version to make it work.

I've updated my install to the latest CVS snapshot after finding that it wasn't detecting MyDoom.M, which I'm starting to get hit with.

Wouldn't want anyone to waste time researching something that might be as simple as a CVS snapshot build ;-) Try running the snapshot build (perhaps without installing? can that work?) to scan the individual file of interest... then you will know...

You can compile the CVS snapshot and then just do "clamscan -m file" on a raw mail message containing the virus. That's what I tend to do just to make sure it can pick them up, before actually installing the new version onto the live system.

HTH, Mike.
RE: [Clamav-users] Virus found, not detected by Clamav, can'tsubmit (claimed already recognised but is not)
I'd be willing to hack the code to add the information mentioned the other day - care to share the base script (off list is fine by me)? I'd like to make it a little more informative about what was found and how it was found, etc.

thanks m/

-Original Message- From: Mike Cathey, Sent: Tuesday, July 27, 2004 7:13 AM, Subject: Re: [Clamav-users] Virus found, not detected by Clamav, can't submit (claimed already recognised but is not)
We had to move the submission interface to another server (one of mine) and in the process the interface was broken. This was resolved yesterday afternoon/evening (GMT-4). I sincerely apologize for the inconvenience. Cheers, Mike
Re: [Clamav-users] Suggestion: Feature Freeze
> > I'd like to second that. Those of us depending on clamav to catch stuff can't afford to upgrade in the middle of the day for new signatures to work.
>
> Why not? If you say because it's a production system and it needs to be tested, then that is a business decision to accept the risk of letting in known viruses. Most people would prefer that updates to the code to catch more viruses are released.
>
> > And why don't these new signatures work? Has that interface not yet stabilized?
>
> No. Adding more powerful features to the scanning engine requires changes to the signature format.
>
> -trog

Could I add my two penneth on this one? No disrespect to anyone specific, but there seems to be a lot of whingeing of late regarding "it doesn't do this or that", or "it's not catching this virus". Anyone who is dependent upon virii scanning for their business security/stability should never rely wholly upon one method of detection/prevention. If you want to be 100% safe, it isn't going to happen, either with a commercial vendor or otherwise. It's a case of minimising, not obliterating. Perfection doesn't exist.

It's about time someone actually said thanks or well done to the maintainers/writers of Clam, not to keep slating them. Try to achieve this level of speed and communication with a commercial vendor! Personally, I would like to say thanks for a stonkingly good AV scanner. Keep it up chaps.

All the best
Matt
Re: [Clamav-users] My.Doom.o
On Tue, 27 Jul 2004 15:26:30 +, Scott Ryan [EMAIL PROTECTED] wrote:
> I have not submitted any virii (correct word?) before, so please bear with me. I always run latest stable, currently 0.75, and have not had any virus issues up until now. I am seeing a high number of mails in the below format hitting our mail servers.
>
>   Dear user [EMAIL PROTECTED],
>   Your e-mail account has been used to send a large amount of spam messages during this week. Obviously, your computer had been infected by a recent virus and now runs a hidden proxy server. Please follow our instruction in order to keep your computer safe.
>   Best wishes,
>   The domain team.
>
> with a zip file attached containing a pif file. I submitted the zip file only to have the message returned to me advising that it is not a virus, but "Binary fragment. Harmless." Symantec identify these mails as My.Doom.o and I have checked sigtool, which identifies My.Doom.m but not My.Doom.o. My question is, how do I get clamav to identify these files as a virus?

I got a few of these, too. Norton AV with this morning's definitions doesn't flag it as a virus. I have just submitted the .zip file to them for analysis.

--
Steve
Re: [Clamav-users] My.Doom.o
On Tue, 2004-07-27 at 16:26, Scott Ryan wrote:
> I have not submitted any virii (correct word?)

viruses

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
[Clamav-users] upgrade
Hi All,

Just upgraded to 0.75 on OSX 10.3. When checking CLAMAV version to be sure the upgrade was ok I get:

mail:/usr/local/bin root# ./clamscan --version
clamscan / ClamAV version 0.75

But when I forgot the ./, I get this:

mail:/usr/local/bin root# clamscan --version
clamscan / ClamAV version 0.70

Is this normal (difference in version)?

Thnx.
J.
Re: [Clamav-users] Suggestion: Feature Freeze
Todd Lyons wrote:
| Perhaps a daily CVS snapshot (or whatever frequency you deem useful but not overloading) made by you would be a good solution. Then we could establish functionality based on date and it would be quite easy to move forward or backward through the daily's (speaking purely from a sysadmin point of view). It's important to note

Excellent idea. Good thing you checked the website before making this suggestion. :)

http://www.clamav.net/snapshot.html#pagestart

Read the last line. Daily snapshots have been around since I started using it at 0.60 or so

--
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com

When fortune empties her chamber pot on your head, smile and say "We are going to have a summer shower." - Sir John A. Macdonald
Re: [Clamav-users] upgrade
On July 27, 2004 10:54 am, Jona Tallieu wrote:
> Just upgraded to 0.75 on OSX 10.3. When checking CLAMAV version to be sure the upgrade was ok I get:
>
> mail:/usr/local/bin root# ./clamscan --version
> clamscan / ClamAV version 0.75
>
> But when I forgot the ./, I get this:
>
> mail:/usr/local/bin root# clamscan --version
> clamscan / ClamAV version 0.70
>
> Is this normal (difference in version)?

You have two different versions installed. One located in /usr/local/bin, the other somewhere else in your PATH (probably /usr/bin). Try

whereis clamscan

to find where the other one is and remove it.

--
Freddie Cash, CCNT CCLP
Helpdesk / Network Support Tech.
School District 73
(250) 377-HELP [377-4357]
[EMAIL PROTECTED]
Re: [Clamav-users] Virus found, not detected by Clamav, can't submit (claimed already recognised but is not)
Quoting Mike Brodbelt [EMAIL PROTECTED]:
> Mitch (WebCob) wrote:
> > Hi. Before you do, I've been told by Tomasz Papszun that there are signatures that won't work for anything other than CVS... so you'd have to try building a CVS version to make it work.
>
> I've updated my install to the latest CVS snapshot after finding that it wasn't detecting MyDoom.M, which I'm starting to get hit with.

Am I the only one here whose existing installation is catching MyDoom.M?

[EMAIL PROTECTED] clamav]# grep -i mydoom /var/log/clamav/clamd.log
Tue Jul 27 13:32:23 2004 - /var/spool/qmailscan/tmp/external.elih.org109094954247931544/attachment.zip: Worm.Mydoom.M FOUND
Tue Jul 27 13:32:23 2004 - /var/spool/qmailscan/tmp/external.elih.org109094954247931544/orig-external.elih.org109094954247931544: Worm.Mydoom.M FOUND
Tue Jul 27 13:35:54 2004 - /var/spool/qmailscan/tmp/external.elih.org109094975447931691/message.zip: Worm.Mydoom.M FOUND
[EMAIL PROTECTED] clamav]# clamscan -V
clamscan / ClamAV version 0.74

Or am I missing something?

Jim
Re: [Clamav-users] My.Doom.o
On Tue, 2004-07-27 at 13:28, Kevin Spicer wrote:
> On Tue, 2004-07-27 at 16:26, Scott Ryan wrote:
> > I have not submitted any virii (correct word?)
>
> viruses

Yup. http://www.topology.org/lang/virus.html

Cheers,
Mike
Re: [Clamav-users] upgrade
On Tue, 27 Jul 2004, Jona Tallieu wrote:
> Hi All,
>
> Just upgraded to 0.75 on OSX 10.3. When checking CLAMAV version to be sure the upgrade was ok I get:
>
> mail:/usr/local/bin root# ./clamscan --version
> clamscan / ClamAV version 0.75
>
> But when I forgot the ./, I get this:
>
> mail:/usr/local/bin root# clamscan --version
> clamscan / ClamAV version 0.70
>
> Is this normal (difference in version)?

The ./ tells your shell to execute the binary located in your current working directory. Just entering clamscan tells your shell to search your PATH environment for the binary. It appears that you have another, older version of clamav still installed. Try using

which clamscan

to locate the older version. Note that there is more to the package than just this one binary, and it's probably a good idea to get rid of the entire previous installation.

Steve
RE: [Clamav-users] Virus found, not detected by Clamav, can't submit (claimed already recognised but is not)
> Hi. Before you do, I've been told by Tomasz Papszun that there are signatures that won't work for anything other than CVS... so you'd have to try building a CVS version to make it work.
>
> I suggested changes to allow us users to know this info when we do an upload to the webform, but haven't had response from any of the other developers, so don't know if the idea is generally approved or not.
>
> Wouldn't want anyone to waste time researching something that might be as simple as a cvs snapshot build ;-) Try running the snapshot build (perhaps without installing? can that work?) to scan the individual file of interest... then you will know...
>
> m/
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nigel Horne
> Sent: Tuesday, July 27, 2004 4:50 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] Virus found, not detected by Clamav, can't submit (claimed already recognised but is not)
>
> > # clamscan --mbox virus-20030403-121256-27560
>
> Forward a copy of the email to me and I'll look into it.
>
> -Nigel

You have missed the point. I did not mention web interface or signatures because my proposal had nothing to do with that; it was an offer to check that there wasn't a bug in the inbuilt MIME decoder. I have nothing to do with the web interface or signature side, so I don't know why you'd think that my posting did. Anyway it's all academic, the poster sent me a copy and I was able to determine that it wasn't a MIME related problem.

-Nigel
Re: [Clamav-users] upgrade
Quoting Jona Tallieu [EMAIL PROTECTED]:
> Hi All,
>
> Just upgraded to 0.75 on OSX 10.3. When checking CLAMAV version to be sure the upgrade was ok I get:
>
> mail:/usr/local/bin root# ./clamscan --version
> clamscan / ClamAV version 0.75
>
> But when I forgot the ./, I get this:
>
> mail:/usr/local/bin root# clamscan --version
> clamscan / ClamAV version 0.70
>
> Is this normal (difference in version)?

No, this is not normal. It means you have (at least) two versions of clamav installed. When you run ./clamscan it is running the copy in that particular dir. When you just run clamscan it is running the copy in the path (/usr/bin/ or similar). You should get rid of ALL files left over from previous versions of clamav.

Jim
Re: [Clamav-users] Virus found, not detected by Clamav, can't submit (claimed already recognised but is not)
On Tue, 2004-07-27 at 14:06 -0400, Jim Maul wrote:
> Am I the only one here whose existing installation is catching MyDoom.M?
>
> [EMAIL PROTECTED] clamav]# grep -i mydoom /var/log/clamav/clamd.log
> Tue Jul 27 13:32:23 2004 - /var/spool/qmailscan/tmp/external.elih.org109094954247931544/attachment.zip: Worm.Mydoom.M FOUND
> Tue Jul 27 13:32:23 2004 - /var/spool/qmailscan/tmp/external.elih.org109094954247931544/orig-external.elih.org109094954247931544: Worm.Mydoom.M FOUND
> Tue Jul 27 13:35:54 2004 - /var/spool/qmailscan/tmp/external.elih.org109094975447931691/message.zip: Worm.Mydoom.M FOUND
> [EMAIL PROTECTED] clamav]# clamscan -V
> clamscan / ClamAV version 0.74
>
> Or am I missing something?

grep Mydoom\.M clamd.log | wc -l
798

That's since midnight today. So mine seems to be working. I'm using Exiscan for Exim. I upgraded to 0.75 yesterday thinking I must have been missing something, but looking at the logs from 0.72 it was also catching it. I dunno. But you aren't the only one catching it.
[Clamav-users] sigtool output very large
I have an email attachment that uvscan is detecting as:

(When zipped)
Found the W32/[EMAIL PROTECTED] virus !!!

(When unzipped using password in email text)
Found the W32/[EMAIL PROTECTED] virus !!!

Clamscan detects it as:

(When unzipped using password in email text)
gyadu.exe: Worm.Bagle.Gen-1 FOUND

(Original zip file that is password protected)
MoreInfo.zip: OK

If I run sigtool as follows

/home/clamav/bin/sigtool --list-sigs | grep pwd

I get a list of known virus signatures that come in password zip files.

Worm.Tibbo-zippwd
Worm.Bagle.F-zippwd
Worm.Bagle.F-zippwd-2
Worm.Bagle.F-zippwd-3
Worm.Bagle.F-zippwd-4
Worm.Bagle.F-zippwd-5
Worm.Bagle.F-zippwd-6
Worm.Bagle.F-zippwd-7
Worm.Bagle.H-zippwd-1
Worm.Bagle.Gen-zippwd-2
Worm.Bagle.Gen-rarpwd
Trojan.Dropper.Small.HG-zippwd
Worm.Bagle.Gen-zippwd

My basic question is why will clamscan not detect this Bagle, and if it's because the password has changed how can I either update the main.cvd or extract the similar signature and put that into the local.db with the correct password. This is all assuming that the typically used password is stored in the main.cvd.

Thanks
Zack
Re: [Clamav-users] upgrade
> Quoting Jona Tallieu [EMAIL PROTECTED]:
> > Hi All,
> >
> > Just upgraded to 0.75 on OSX 10.3. When checking CLAMAV version to be sure the upgrade was ok I get:
> >
> > mail:/usr/local/bin root# ./clamscan --version
> > clamscan / ClamAV version 0.75
> >
> > But when I forgot the ./, I get this:
> >
> > mail:/usr/local/bin root# clamscan --version
> > clamscan / ClamAV version 0.70
> >
> > Is this normal (difference in version)?
>
> No, this is not normal. It means you have (at least) two versions of clamav installed. When you run ./clamscan it is running the copy in that particular dir. When you just run clamscan it is running the copy in the path (/usr/bin/ or similar). You should get rid of ALL files left over from previous versions of clamav.

Thanks for your reply. I removed the 2 from /usr/bin and relinked them:

#ln /usr/local/bin/clamscan /usr/bin/
#ln /usr/local/bin/freshclam /usr/bin/

Now both have the same version number. Any other place I should check for leftovers from the previous version (previous was 0.70)?

Thnx!
J.
Re: [Clamav-users] sigtool output very large
zbuckholz wrote:
> I have an email attachment that uvscan is detecting as:
>
> (When zipped)
> Found the W32/[EMAIL PROTECTED] virus !!!
>
> (When unzipped using password in email text)
> Found the W32/[EMAIL PROTECTED] virus !!!
>
> Clamscan detects it as:
>
> (When unzipped using password in email text)
> gyadu.exe: Worm.Bagle.Gen-1 FOUND
>
> (Original zip file that is password protected)
> MoreInfo.zip: OK
>
> My basic question is why will clamscan not detect this Bagle, and if it's because the password has changed how can I either update the main.cvd or extract the similar signature and put that into the local.db with the correct password. This is all assuming that the typically used password is stored in the main.cvd.

Clamav needs the original rfc822 message text to detect it as a password protected virus I think. If you're trying to scan the password protected zip file itself, then I don't think it will work.

Ryan Moore
--
Perigee.net Corporation
704-849-8355 (sales)
704-849-8017 (tech)
www.perigee.net
Re: [Clamav-users] upgrade
On Tuesday 27 July 2004 6:54 pm, Jona Tallieu wrote:
> Hi All,
>
> Just upgraded to 0.75 on OSX 10.3. When checking CLAMAV version to be sure the upgrade was ok I get:
>
> mail:/usr/local/bin root# ./clamscan --version
> clamscan / ClamAV version 0.75
>
> But when I forgot the ./, I get this:
>
> mail:/usr/local/bin root# clamscan --version
> clamscan / ClamAV version 0.70
>
> Is this normal (difference in version)?

No - it means you have two versions installed in different places on your system (which is not good). Try

locate clamscan

or

find / -name clamscan

to see where the older version is, if you're not sure about where to remove it from.

Regards,
Antony.
--
What makes you think I know what I'm talking about? I just have more O'Reilly books than most people.
Please reply to the list; please don't CC me.
Re: [Clamav-users] Virus found, not detected by Clamav, can't submit (claimed already recognised but is not)
Quoting [EMAIL PROTECTED]:
> On Tue, 27 Jul 2004 14:06:14 -0400 Jim Maul [EMAIL PROTECTED] wrote:
> > Am I the only one here whose existing installation is catching MyDoom.M?
> >
> > [EMAIL PROTECTED] clamav]# grep -i mydoom /var/log/clamav/clamd.log
> > Tue Jul 27 13:32:23 2004 - /var/spool/qmailscan/tmp/external.elih.org109094954247931544/attachment.zip: Worm.Mydoom.M FOUND
>
> Well, we upgraded to 0.75.. And since last Sunday out of 2171 viruses there've been 64 Mydoom variants. Including Mydoom.M, J, etc..

Indeed, but I am running 0.74 which I thought was unable to catch these.

Jim
Re: [Clamav-users] Virus found, not detected by Clamav, can't submit (claimed already recognised but is not)
On Tue, 27 Jul 2004 14:06:14 -0400 Jim Maul [EMAIL PROTECTED] wrote:
> Am I the only one here whose existing installation is catching MyDoom.M?
>
> [EMAIL PROTECTED] clamav]# grep -i mydoom /var/log/clamav/clamd.log
> Tue Jul 27 13:32:23 2004 - /var/spool/qmailscan/tmp/external.elih.org109094954247931544/attachment.zip: Worm.Mydoom.M FOUND

Well, we upgraded to 0.75.. And since last Sunday out of 2171 viruses there've been 64 Mydoom variants. Including Mydoom.M, J, etc..

--
Best regards,
Kristof
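The "grep -i mydoom" and "grep Mydoom\.M | wc -l" checks in this thread count with one loose pattern, which lumps variants together (or misses them, depending on the pattern). The following is an added example, not from the list or the ClamAV project: it tallies clamd.log detections by exact signature name, optionally for one calendar day, against log lines constructed here in the format the thread shows. The function names and the sample log are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread: tally clamd.log detections by exact
# signature name, so "Worm.Mydoom.M" is counted apart from other variants.
# Log line format as shown in the thread:
#   Tue Jul 27 13:32:23 2004 - /path/to/file: Worm.Mydoom.M FOUND
# Lines that are not detections (SelfCheck etc.) do not end in "FOUND"
# and are skipped.

# sample_log: write a constructed log (not real data) and print its path.
sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Tue Jul 27 13:32:23 2004 - /var/spool/qmailscan/tmp/a/attachment.zip: Worm.Mydoom.M FOUND
Tue Jul 27 13:32:23 2004 - /var/spool/qmailscan/tmp/a/orig-a: Worm.Mydoom.M FOUND
Tue Jul 27 13:35:54 2004 - /var/spool/qmailscan/tmp/b/message.zip: Worm.Mydoom.M FOUND
Tue Jul 27 14:01:10 2004 - /var/spool/qmailscan/tmp/c/gyadu.exe: Worm.Bagle.Gen-1 FOUND
Tue Jul 27 14:05:00 2004 - SelfCheck: Database status OK.
Wed Jul 28 00:12:31 2004 - /var/spool/qmailscan/tmp/d/message.zip: Worm.Mydoom.M FOUND
EOF
    printf '%s\n' "$f"
}

# count_by_signature LOG: "<count> <signature>" per signature, most hits first.
# The signature is the field just before the trailing FOUND, whatever the path.
count_by_signature() {
    awk '$NF == "FOUND" { n[$(NF-1)]++ }
         END { for (s in n) printf "%d %s\n", n[s], s }' "$1" |
        sort -k1,1nr -k2,2
}

# hits_for LOG SIG [MON DAY]: hits for one exact signature name, optionally
# restricted to a calendar day such as "Jul 27" (a "since midnight" count).
hits_for() {
    awk -v sig="$2" -v mon="$3" -v day="$4" '
        $NF == "FOUND" && $(NF-1) == sig &&
            (mon == "" || ($2 == mon && $3 == day)) { c++ }
        END { print c + 0 }' "$1"
}

# Stand-alone use against a real log:
#   count_by_signature /var/log/clamav/clamd.log
#   hits_for /var/log/clamav/clamd.log Worm.Mydoom.M Jul 27
```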
Re: [Clamav-users] sigtool output very large
On Tue, 27 Jul 2004 12:48:55 -0700 zbuckholz [EMAIL PROTECTED] wrote:
> My basic question is why will clamscan not detect this Bagle, and if

I'm sure your version is older than 0.70.

--
Tomasz Kojm [EMAIL PROTECTED]
http://www.ClamAV.net/gpg/tkojm.gpg
0DCA5A08407D5288279DB43454822DC8985A444B
Tue Jul 27 22:55:14 CEST 2004
Re: [Clamav-users] upgrade
On Tue, 2004-07-27 at 21:17 +0100, Antony Stone wrote:
> On Tuesday 27 July 2004 6:54 pm, Jona Tallieu wrote:
> > Just upgraded to 0.75 on OSX 10.3. When checking CLAMAV version to be sure the upgrade was ok I get:
> >
> > mail:/usr/local/bin root# ./clamscan --version
> > clamscan / ClamAV version 0.75
> >
> > But when I forgot the ./, I get this:
> >
> > mail:/usr/local/bin root# clamscan --version
> > clamscan / ClamAV version 0.70
> >
> > Is this normal (difference in version)?
>
> No - it means you have two versions installed in different places on your system (which is not good). Try "locate clamscan" or "find / -name clamscan" to see where the older version is, if you're not sure about where to remove it from.

Even better,

which clamscan

will tell you which clamscan program will run if you just type it without being pathed out.
Re: [Clamav-users] upgrade
On Tue, 2004-07-27 at 12:54, Jona Tallieu wrote:
> Just upgraded to 0.75 on OSX 10.3.
>
> But when I forgot the ./, I get this:
>
> mail:/usr/local/bin root# clamscan --version
> clamscan / ClamAV version 0.70

You probably have 0.70 installed in /usr/local/bin and 0.75 in /usr/bin. You need to remove all of the existing 0.70 before putting 0.75 in production.

--
Daniel J McDonald
[EMAIL PROTECTED]
Austin Energy
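The replies in this thread each suggest one lookup (which, whereis, locate, find) that shows a single copy at a time. The following is an added example, not from the list or the ClamAV project: it walks every PATH entry in lookup order, lists each copy of a named program with the version it reports, and flags the case from the thread where a 0.70 copy sits beside a 0.75 one. It assumes only that the program prints its version on the first line of "--version" output; the function names are made up for the example.

```shell
#!/bin/sh
# Added example, not from the thread: list every copy of a program on PATH
# (in the order the shell searches) with the version each one reports, so a
# stale install, such as a 0.70 clamscan shadowing a new 0.75, is visible.
# Assumes only that the program answers "--version" on its first output line.

# list_in_path NAME: one path per line; the first line is what a bare
# "NAME" on the command line would actually run.
list_in_path() {
    name=$1
    oldifs=$IFS
    IFS=:
    for dir in $PATH; do
        [ -n "$dir" ] || dir=.          # an empty PATH entry means "."
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
        fi
    done
    IFS=$oldifs
}

# versions_in_path NAME: "<path><TAB><first line of NAME --version>" per copy.
versions_in_path() {
    list_in_path "$1" | while IFS= read -r bin; do
        ver=$("$bin" --version 2>/dev/null | head -n 1)
        printf '%s\t%s\n' "$bin" "${ver:-unknown}"
    done
}

# count_distinct_versions NAME: number of different version strings on PATH.
count_distinct_versions() {
    versions_in_path "$1" | cut -f2 | sort -u | wc -l | tr -d ' '
}

# audit_path NAME: print the findings; exit status 1 when more than one
# version is installed (the situation in this thread), 0 otherwise.
audit_path() {
    versions_in_path "$1"
    n=$(count_distinct_versions "$1")
    if [ "$n" -gt 1 ]; then
        printf 'WARNING: %s distinct versions of %s on PATH; remove the old one\n' \
            "$n" "$1" >&2
        return 1
    fi
    return 0
}

# Stand-alone use after an upgrade:
#   audit_path clamscan
#   audit_path freshclam
```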
RE: [Clamav-users] sigtool output very large
I just took your suggestion and tried it and it still does not detect the virus. I have the original text email that I scan like follows:

./clamscan sample.txt

This is a copy of the atomic-time-stamp type file in the Maildir.

I do not know the format of the cvd files. I assume I would need to find the signature that matches the unzipped version and create a new entry just like that but with the password.

Thanks
Zack

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ryan Moore
Sent: Tuesday, July 27, 2004 1:19 PM
To: [EMAIL PROTECTED]
Subject: Re: [Clamav-users] sigtool output very large

zbuckholz wrote:
> I have an email attachment that uvscan is detecting as:
>
> (When zipped)
> Found the W32/[EMAIL PROTECTED] virus !!!
>
> (When unzipped using password in email text)
> Found the W32/[EMAIL PROTECTED] virus !!!
>
> Clamscan detects it as:
>
> (When unzipped using password in email text)
> gyadu.exe: Worm.Bagle.Gen-1 FOUND
>
> (Original zip file that is password protected)
> MoreInfo.zip: OK
>
> My basic question is why will clamscan not detect this Bagle, and if it's because the password has changed how can I either update the main.cvd or extract the similar signature and put that into the local.db with the correct password. This is all assuming that the typically used password is stored in the main.cvd.

Clamav needs the original rfc822 message text to detect it as a password protected virus I think. If you're trying to scan the password protected zip file itself, then I don't think it will work.

Ryan Moore
--
Perigee.net Corporation
704-849-8355 (sales)
704-849-8017 (tech)
www.perigee.net
[Clamav-users] mydoom.m zipped version getting through clamav
The new [EMAIL PROTECTED] zipped versions are getting through my clamav/amavisd-new/spamassassin box. It is stopping and dropping zipped versions of Bagle, but no luck with zipped versions of mydoom.M. Anyone else experiencing this?

Also does anyone know when the .75 release will be available as a deb?

Jim
Re: [Clamav-users] sigtool output very large
zbuckholz wrote:
> I just took your suggestion and tried it and it still does not detect the virus. I have the original text email that I scan like follows:
>
> ./clamscan sample.txt
>
> This is a copy of the atomic-time-stamp type file in the Maildir.
>
> I do not know the format of the cvd files. I assume I would need to find the signature that matches the unzipped version and create a new entry just like that but with the password.
>
> Thanks
> Zack

I probably should have mentioned that if you do that, you'll need to pass the --mbox parameter to clamscan (or if you use clamdscan, you need the Scanmail parameter in the config file). Such as:

clamscan --mbox sample.txt

Also make sure you have a current version of the software and have run freshclam, as the signatures you mentioned seem to be a very small subset of the current signature database. I have 72 bagle related signatures in my 0.75 distro (when I did `sigtool -l | grep -ci bagle`).

Ryan Moore
--
Perigee.net Corporation
704-849-8355 (sales)
704-849-8017 (tech)
www.perigee.net
Re: [Clamav-users] sigtool output very large
On Tue, 27 Jul 2004 16:18:54 -0400 Ryan Moore [EMAIL PROTECTED] wrote:
> Clamav needs the original rfc822 message text to detect it as a password protected virus I think. If you're trying to scan the

No, it doesn't. The Worm.Bagle.Gen-zippwd signature should catch the raw zip file.

--
Tomasz Kojm [EMAIL PROTECTED]
http://www.ClamAV.net/gpg/tkojm.gpg
0DCA5A08407D5288279DB43454822DC8985A444B
Wed Jul 28 00:00:10 CEST 2004
Re: [Clamav-users] sigtool output very large
Hi,

On Tue, Jul 27, 2004 at 02:35:56PM -0700, zbuckholz wrote:
> I just took your suggestion and tried it and it still does not detect the virus. I have the original text email that I scan like follows:
>
> ./clamscan sample.txt
>
> This is a copy of the atomic-time-stamp type file in the Maildir

man clamscan

> I do not know the format of the cvd files, I assume I would need to find the signature that matches the unzipped version and create a new entry just like that but with the password.

http://www.clamav.net/doc/0.72/signatures.pdf

http://www.netmeister.org/news/learn2quote.html

Greetings
Daniel
--
When you come to a fork in the road, take it.
[Clamav-users] Re: Clamav-users digest, Vol 1 #859 - 13 msgs
Hi,

> Good question, ok at the moment my firewall is also acting as router where we share internet access. At the moment I had set up my mail server with clamav and it's working fine. Now the big problem that I have is that some of my users are downloading some stuff from internet which some of them is a virus, now my network is full with viruses. I would like to filter the tcp/ip traffic and block any virus to be downloaded and if possible filter any file which pass-through my router aka firewall.

The link that you were given for the http proxy will accomplish most of this, the only other general source of download being ftp, which I have no idea whether it covers or not. With regards to any other means of ingress/egress, block non-required/essential ports at the firewall. Give your users what they need, not what they think they want.

Matt
Re: [Clamav-users] My.Doom.o
On Tue, 2004-07-27 at 13:28, Kevin Spicer wrote:
> On Tue, 2004-07-27 at 16:26, Scott Ryan wrote:
> > I have not submitted any virii (correct word?)
>
> viruses

> Yup. http://www.topology.org/lang/virus.html
>
> Cheers,
> Mike

I know this is going wildly off topic, but this one could be debatable. According to a Collins English Gem Dictionary (1954 vintage), virus doesn't have a plural listed. So, is it just a recent designation?

Matt
Re: [Clamav-users] mydoom.m zipped version getting through clamav
On Tue, Jul 27, 2004 at 02:48:21PM -0700, Jim said:
> The new [EMAIL PROTECTED] zipped versions are getting through my clamav/amavisd-new/spamassassin box. It is stopping and dropping zipped versions of Bagle, but no luck with zipped versions of mydoom.M. Anyone else experiencing this? I'm getting hundreds of hits for it.

What version are you running?

> Also does anyone know when the .75 release will be available as a deb?

I'm waiting on a patch decision before uploading. Otherwise, it's ready to go.

--
| Stephen Gran                  | Let us be charitable, and call it a |
| [EMAIL PROTECTED]             | misleading feature :-)              |
| http://www.lobefin.net/~steve | -- Larry Wall in [EMAIL PROTECTED]  |

pgpM2SVS9omJD.pgp Description: PGP signature
Re: [Clamav-users] My.Doom.o
----- Original Message -----
From: Matt [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, July 27, 2004 5:52 PM
Subject: Re: [Clamav-users] My.Doom.o

> On Tue, 2004-07-27 at 13:28, Kevin Spicer wrote:
> > On Tue, 2004-07-27 at 16:26, Scott Ryan wrote:
> > > I have not submitted any virii (correct word?)
> > viruses
> >
> > Yup. http://www.topology.org/lang/virus.html
> >
> > Cheers,
> > Mike
>
> I know this is going wildly off topic, but this one could be debatable. According to a Collins English Gem Dictionary (1954 vintage), virus doesn't have a plural listed. So, is it just a recent designation?

It's been viruses in the medical world since the 19th century.

John
[Clamav-users] Calling clamd from an email client
Before I download clamAV, could someone tell me if it is possible to call clamd from an email client using a pipe to shell command filter? I want to use it in conjunction with the Ximian Evolution email client in conjunction with spamassassin.

Lee
--
L. Parker
chief cook, bottle washer and sometime sysadmin
cacaphony.net

signature.asc Description: This is a digitally signed message part
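The pipe-to-shell filter Lee asks about can be a small script that reads the message on stdin, hands it to clamd over its local socket, and writes the message back out with a result header the mail client can filter on. The following is an added example written for this thread, not ClamAV project code and not anything Lee or Evolution ships. It assumes a clamd that speaks the INSTREAM command (ClamAV 0.95 and later; the 0.75 daemon discussed here predates it) and a `LocalSocket` path of `/var/run/clamav/clamd.ctl`, both of which are assumptions to adjust to your `clamd.conf`:

```python
"""Pipe-to-shell mail filter: scan the message on stdin with clamd over its
local Unix socket and prepend an X-Virus-Scanned header to the output.
Added example, not ClamAV code. Assumes clamd >= 0.95 (INSTREAM command)
listening on CLAMD_SOCKET."""
import socket
import struct
import sys

CLAMD_SOCKET = "/var/run/clamav/clamd.ctl"  # assumption: match LocalSocket in clamd.conf
CHUNK = 65536                                # bytes per INSTREAM frame


def instream_frames(data: bytes, chunk: int = CHUNK):
    """Yield the INSTREAM wire framing: 'zINSTREAM\\0', then one or more
    <4-byte big-endian length><bytes> frames, then a zero-length terminator."""
    yield b"zINSTREAM\0"
    for off in range(0, len(data), chunk):
        piece = data[off:off + chunk]
        yield struct.pack("!I", len(piece)) + piece
    yield struct.pack("!I", 0)


def parse_reply(reply: bytes):
    """Map clamd's NUL-terminated reply to (status, detail):
    'stream: OK' -> ('clean', ''); 'stream: <Name> FOUND' -> ('infected', Name);
    anything else (e.g. '... ERROR') -> ('error', full text)."""
    text = reply.rstrip(b"\0").decode("utf-8", "replace").strip()
    if text.endswith(" FOUND"):
        body = text[len("stream: "):] if text.startswith("stream: ") else text
        return "infected", body[:-len(" FOUND")]
    if text.endswith("OK"):
        return "clean", ""
    return "error", text


def scan_bytes(data: bytes, sock_path: str = CLAMD_SOCKET):
    """Stream data to clamd and return parse_reply() of its answer."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(30)
        s.connect(sock_path)
        for frame in instream_frames(data):
            s.sendall(frame)
        reply = b""
        while not reply.endswith(b"\0"):     # clamd terminates z-commands with NUL
            part = s.recv(4096)
            if not part:
                break
            reply += part
    return parse_reply(reply)


def tag_message(raw: bytes, status: str, detail: str) -> bytes:
    """Prepend a header the mail client can match on; headers come first in
    an RFC 822 message, so prepending keeps the message well-formed."""
    if status == "clean":
        value = "clean"
    elif status == "infected":
        value = "infected (%s)" % detail
    else:
        value = "error (%s)" % detail
    return b"X-Virus-Scanned: " + value.encode() + b"\n" + raw


def main() -> int:
    raw = sys.stdin.buffer.read()
    status, detail = scan_bytes(raw)
    sys.stdout.buffer.write(tag_message(raw, status, detail))
    # Non-zero exit on a detection lets a filter rule act on the exit status too.
    return 1 if status == "infected" else 0


if __name__ == "__main__":
    sys.exit(main())
```

A scanner error (socket down, stream size limit exceeded) is deliberately tagged as `error` rather than `clean`, so that a mail rule which quarantines anything not marked clean fails closed when clamd is unavailable.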
[Clamav-users] Does Your Clamd Mem Usage Grow?
Hello List,

Is it normal for clamd mem usage to grow? I'm using 0.75 on this box.

29238 qscand15 0 50452 45M 436 S 0.4 2.2 83:55 1 clamd

There are occasions where it grows to more than 100mb - so I had to install monit to make sure it'll trigger a restart once it exceeds 100mb. I have 0.60 clamav running on another box but the mem usage stays at 13mb.

Thanks! :)
-b.
[Clamav-users] clamd Socket File Error
Running clamav-0.75 on FreeBSD 5.2.1, compiled from source. Everything runs fine, except when I try clamd stop/start or clamd restart. I get the error:

Wed Jul 28 00:56:48 2004 - +++ Started at Wed Jul 28 00:56:48 2004
Wed Jul 28 00:56:48 2004 - clamd daemon 0.75 (OS: freebsd5.2.1, ARCH: i386, CPU: i386)
Wed Jul 28 00:56:48 2004 - Log file size limited to 10485760 bytes.
Wed Jul 28 00:56:48 2004 - Reading databases from /usr/local/clamav/share/clamav
Wed Jul 28 00:56:49 2004 - Protecting against 22932 viruses.
Wed Jul 28 00:56:49 2004 - ERROR: Socket file /var/run/clamd is in use by another process.

I've seen this error mentioned in a couple of places (obviously no solution mentioned), and I've tried setting the following in clamav.conf:

# Remove stale socket after unclean shutdown.
FixStaleSocket

Also checked the permissions, made sure the pid is set, etc. Nothing seems to work short of manually deleting the socket file. Any ideas?

Best Regards,
Darton
Re: [Clamav-users] upgrade
when you specify the ./ it means "here"; when you leave it off, you're selecting the one in the default path ... and it looks like you've got an older version lying around. try:

% which clamscan

odds are the result is NOT in /usr/local/bin

richard

--
On Tuesday, July 27, 2004 7:54 PM +0200 Jona Tallieu [EMAIL PROTECTED] wrote:
> Hi All,
>
> Just upgraded to 0.75 on OSX 10.3. When checking CLAMAV version to be sure the upgrade was ok I get:
>
> mail:/usr/local/bin root# ./clamscan --version
> clamscan / ClamAV version 0.75
>
> But when I forgot the ./, I get this:
>
> mail:/usr/local/bin root# clamscan --version
> clamscan / ClamAV version 0.70
>
> Is this normal (difference in version)?
>
> Thnx.
> J.
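`which clamscan` shows only the first match; the situation in this thread (a 0.70 binary earlier on `PATH` than the freshly built 0.75 in `/usr/local/bin`) is easier to see when every copy is listed in lookup order, together with what each reports for `--version`. The script below is an added example for this thread, not ClamAV code and not something richard or Jona posted. The `clamscan --version` invocation is real; the directory names used in the self-check are a constructed fixture:

```python
"""List every executable named like a command on PATH, in lookup order, so a
leftover older install that shadows a newer one is visible. Added example;
not ClamAV project code."""
import os
import stat
import subprocess
from typing import List, Optional


def find_all(cmd: str, path: Optional[str] = None) -> List[str]:
    """Return all regular, executable files named cmd, in PATH order.
    hits[0] is what a bare 'cmd' actually runs; the rest are shadowed."""
    search = os.environ.get("PATH", "") if path is None else path
    hits = []
    for d in search.split(os.pathsep):
        if not d:
            continue
        cand = os.path.join(d, cmd)
        try:
            st = os.stat(cand)
        except OSError:
            continue
        if stat.S_ISREG(st.st_mode) and os.access(cand, os.X_OK):
            hits.append(cand)
    return hits


def version_of(exe: str) -> str:
    """Run 'exe --version' (clamscan prints e.g. 'ClamAV 0.75') and return
    the first line of output, or an error string."""
    try:
        out = subprocess.run([exe, "--version"], capture_output=True,
                             text=True, timeout=10)
    except (OSError, subprocess.SubprocessError) as e:
        return "error: %s" % e
    text = (out.stdout or out.stderr).strip()
    return text.splitlines()[0] if text else "(no output)"


def shadow_report(cmd: str, path: Optional[str] = None,
                  with_versions: bool = False) -> List[str]:
    """One line per copy found: the first is what runs, the others are shadowed."""
    hits = find_all(cmd, path)
    if not hits:
        return ["%s: not found on PATH" % cmd]
    lines = []
    for i, h in enumerate(hits):
        line = ("RUNS     " if i == 0 else "SHADOWED ") + h
        if with_versions:
            line += "  [%s]" % version_of(h)
        lines.append(line)
    return lines


def self_check() -> dict:
    """Constructed fixture: two temp dirs each holding a fake 'clamscan';
    reports which copy wins under each PATH order."""
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        new_dir = os.path.join(d, "usr_local_bin")   # stands in for /usr/local/bin
        old_dir = os.path.join(d, "usr_bin")         # stands in for the old install
        for sub in (new_dir, old_dir):
            os.mkdir(sub)
            p = os.path.join(sub, "clamscan")
            with open(p, "w") as f:
                f.write("#!/bin/sh\necho fake\n")
            os.chmod(p, 0o755)
        old_first = find_all("clamscan", os.pathsep.join([old_dir, new_dir]))
        new_first = find_all("clamscan", os.pathsep.join([new_dir, old_dir]))
        return {
            "old_first_runs_old": old_first[0] == os.path.join(old_dir, "clamscan"),
            "new_first_runs_new": new_first[0] == os.path.join(new_dir, "clamscan"),
            "both_found": len(old_first) == 2 and len(new_first) == 2,
            "missing": find_all("no-such-cmd", d),
        }


if __name__ == "__main__":
    import sys
    name = sys.argv[1] if len(sys.argv) > 1 else "clamscan"
    print("\n".join(shadow_report(name, with_versions=True)))
```

Run it as `python3 shadow.py clamscan` on the affected box; if the `RUNS` line is not the `/usr/local/bin` copy, either remove the old binary or put `/usr/local/bin` ahead of it in `PATH` for the accounts and cron jobs that invoke the scanner.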
Re: [Clamav-users] clamd Socket File Error
is clamd running as a user that has permission for /var/run? if not, rather than messing /var/run up, try pointing at a 'dedicated' /tmp/clamd instead, with permissions for that user/group ...

richard

--
On Wednesday, July 28, 2004 1:31 AM -0400 Darton Williams [EMAIL PROTECTED] wrote:
> Running clamav-0.75 on FreeBSD 5.2.1, compiled from source. Everything runs fine, except when I try clamd stop/start or clamd restart. I get the error:
>
> Wed Jul 28 00:56:48 2004 - +++ Started at Wed Jul 28 00:56:48 2004
> Wed Jul 28 00:56:48 2004 - clamd daemon 0.75 (OS: freebsd5.2.1, ARCH: i386, CPU: i386)
> Wed Jul 28 00:56:48 2004 - Log file size limited to 10485760 bytes.
> Wed Jul 28 00:56:48 2004 - Reading databases from /usr/local/clamav/share/clamav
> Wed Jul 28 00:56:49 2004 - Protecting against 22932 viruses.
> Wed Jul 28 00:56:49 2004 - ERROR: Socket file /var/run/clamd is in use by another process.
>
> I've seen this error mentioned in a couple of places (obviously no solution mentioned), and I've tried setting the following in clamav.conf:
>
> # Remove stale socket after unclean shutdown.
> FixStaleSocket
>
> Also checked the permissions, made sure the pid is set, etc. Nothing seems to work short of manually deleting the socket file. Any ideas?
>
> Best Regards,
> Darton
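Darton's error and richard's permission hint both come down to one question: is the socket file left in `/var/run/clamd` genuinely owned by a live listener, or is it a leftover from an unclean stop that is safe to remove? A Unix-domain socket file stays on disk after its process dies, so only a `connect()` (plus a look at the pid file) answers that. The following is an added example for this thread, not ClamAV code; the socket path `/var/run/clamd` comes from the log above, the pid file path is an assumption, and the self-check builds its sockets in a temporary directory:

```python
"""Decide whether a clamd LocalSocket file is stale (no listener) or in use
before restarting the daemon, instead of deleting it blindly.
Added example; not ClamAV code."""
import errno
import os
import socket
import stat
from typing import Optional

SOCKET_PATH = "/var/run/clamd"        # from the error in the thread
PID_FILE = "/var/run/clamd.pid"       # assumption: match PidFile in clamav.conf


def socket_state(path: str) -> str:
    """'missing', 'not-a-socket', 'stale', 'in-use' or 'unknown' for path."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return "missing"
    if not stat.S_ISSOCK(st.st_mode):
        return "not-a-socket"          # never unlink something that isn't a socket
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(2)
        try:
            s.connect(path)
        except OSError as e:
            if e.errno in (errno.ECONNREFUSED, errno.ENOENT):
                return "stale"         # file exists, nothing accepts on it
            if e.errno == errno.EACCES:
                return "unknown"       # richard's case: we lack permission to probe
            raise
    return "in-use"


def pid_alive(pidfile: str) -> Optional[bool]:
    """True/False if the pid file names a live/dead process, None if unreadable."""
    try:
        with open(pidfile) as f:
            pid = int(f.read().strip())
    except (OSError, ValueError):
        return None
    try:
        os.kill(pid, 0)                # signal 0: existence check only
    except ProcessLookupError:
        return False
    except PermissionError:
        return True                    # exists, owned by someone else
    return True


def prepare_socket(path: str = SOCKET_PATH, pidfile: Optional[str] = PID_FILE) -> str:
    """Remove the socket only when it is provably stale; explain otherwise."""
    state = socket_state(path)
    if state == "in-use":
        return "refuse: another process is listening on %s" % path
    if state == "not-a-socket":
        return "refuse: %s exists but is not a socket" % path
    if state == "unknown":
        return "refuse: cannot probe %s (permission denied)" % path
    if pidfile and pid_alive(pidfile):
        return "refuse: pid file %s names a live process" % pidfile
    if state == "stale":
        os.unlink(path)
        return "removed stale socket %s" % path
    return "ok: no socket file present"


def self_check() -> dict:
    """Constructed fixture: one bound-then-closed socket (stale), one listening
    socket (in use), one plain file, one missing path."""
    import tempfile
    results = {}
    with tempfile.TemporaryDirectory() as d:
        stale = os.path.join(d, "stale.sock")
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(stale)
        srv.close()                    # the file outlives the listener
        results["stale"] = socket_state(stale)
        live = os.path.join(d, "live.sock")
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(live)
        srv.listen(1)
        results["live"] = socket_state(live)
        plain = os.path.join(d, "plain")
        open(plain, "w").close()
        results["plain"] = socket_state(plain)
        results["missing"] = socket_state(os.path.join(d, "none"))
        results["prepare_stale"] = prepare_socket(stale, pidfile=None)
        results["stale_after"] = socket_state(stale)
        results["prepare_live"] = prepare_socket(live, pidfile=None)
        results["prepare_plain"] = prepare_socket(plain, pidfile=None)
        srv.close()
    return results


if __name__ == "__main__":
    print(prepare_socket())
```

Dropping `prepare_socket()` into the start script before `clamd` is launched gives the same effect as `FixStaleSocket` but with the refusal cases visible; when it reports `permission denied` or `not a socket`, the fix is the ownership of the directory (or richard's dedicated socket directory), not deleting the file.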