Re: [Clamav-users] New virus not getting scanned, but web interface says already detected?

2004-07-27 Thread Ryan Moore
Mitch (WebCob) wrote:
For one thing, the web interface for uploading could be A LOT MORE USEFUL by
stating its current clamscan version, what it detects the upload as,
selected options/config, and signature database - just allowing easier
confirmation of relevant settings.
I've downloaded the 0.75, and upgraded, ensured my freshclam is running and
current, and manually unpacked the zip archive containing the file.
Still don't get a positive scan on my end, though.
Help? Don't want to post the virus publicly of course... what now?
Thanks.
I'm in the same boat. I just upgraded my workstation to 0.75 (from 0.72) 
to make sure I had the latest version, ran freshclam to make sure I had 
the latest definitions (already had daily v423), still doesn't detect 
this new mydoom variant (not mydoom.m, have a sig for that).

Ryan Moore
--
Perigee.net Corporation
704-849-8355 (sales)
704-849-8017 (tech)
www.perigee.net

---
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=4721alloc_id=10040op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users


Re: [Clamav-users] New variant Bagle not being detected?

2004-07-27 Thread Mike Brodbelt
Tomasz Papszun wrote:
 On Mon, 26 Jul 2004 at 17:28:21 +0100, Mike Brodbelt wrote:

 The update was on its way. Then:
 $ clamscan -m 11582.
 11582.: Worm.Mydoom.M FOUND
 (11582. is the file submitted by you).
 
 We got very many samples of this and - working in the hurry - we
 had no time to give long explanation in each response.
 In fact, the signature has been added, though not exactly from your
 submission, that's why the note looked that way.

I'm glad to hear it's sorted - I thought that was likely, but the tone
of the message was worrying. Can I be a pedant and suggest you change
the auto-response systems to give a reject reason like duplicate
submission or something.

 I want to take an opportunity and say thank you from the ClamAV Team
 to all who submit samples to us!
 
 
Is there a way I can manually extract a signature to add to my local
database, if ClamAV won't do it?
 
 
 Of course. It's described in signatures.pdf.

Ah - had read that one, but forgotten about it. Thanks,

Mike.





Re: [Clamav-users] New variant Bagle not being detected?

2004-07-27 Thread Trog
On Tue, 2004-07-27 at 10:05, Mike Brodbelt wrote:

 I'm glad to hear it's sorted - I thought that was likely, but the tone
 of the message was worrying. Can I be a pedant and suggest you change
 the auto-response systems to give a reject reason like duplicate
 submission or something.
 

The submission system is already capable of doing that.

However, due to the large number of submissions, I didn't have the hours
to spare typing the same thing on countless submissions.

-trog



signature.asc
Description: This is a digitally signed message part


[Clamav-users] Virus found, not detected by Clamav, can't submit (claimed already recognised but is not)

2004-07-27 Thread Albert Pauw




I found an already older virusmail (February this year) which was
recognised by inocucmd
and tried to feed it to clamav (0.75. main.cvd 24, daily.cvd 423). It
didn't recognise it (I used the --mbox option).

However when I tried to submit it, the page came back saying that it
already is recognised.

Here's the output of inocucmd (running on my old SuSE 7 system, clamav
not installed)

# /usr/local/av/inocucmd -NEX virus-20030403-121256-27560
--./virus-20030403-121256-27560
[./virus-20030403-121256-27560:BlueMountaineCard.pif] was infected by
virus [Backdoor/SDBot.Server.Variant]

Total Files Scanned:2
Total Bytes Scanned:22189
Total Viruses Found:1
Total Infected Files Found: 1
Scan Type:  Fast

*** End Of Summary ***

And here's the result of clamav 0.75:

# clamscan --mbox virus-20030403-121256-27560
virus-20030403-121256-27560: OK

--- SCAN SUMMARY ---
Known viruses: 22927
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.05 MB
I/O buffer size: 131072 bytes
Time: 0.677 sec (0 m 0 s)

What's going on here?

Thanks,

Albert

P.S. I managed to create a single .cvd file for it. It works (in clamscan) but it looks like it doesn't work in clamav-milter.





[Clamav-users] Procmailrc settings (for bounce, notify etc)

2004-07-27 Thread Suril Patel
Hi,

I have successfully got ClamAV working after configuring/tweaking everything
necessary and it works fine (so far).

However, I've changed my mind regarding some settings for virus interception
in e-mails and would like some help on the settings in
/usr/local/etc/procmailrc. At the moment, all messages containing viruses
are deleted 'quietly', i.e. the e-mail gets deleted without either party
knowing. I presume the detection is in the logs but I'd like the message not
to be delivered to me, while the sender gets a message saying your message
was failed due to virus etc. etc. Obviously the sender should just get the
subject line or something and not the attachment. Postmaster doesn't need to
be notified.

Here is my file as it stands - what should the settings be instead and how
can I modify the failure notice sent to the original sender?

===
TMPLOGFILE=$LOGFILE
TMPLOGABSTRACT=$LOGABSTRACT
TMPVERBOSE=$VERBOSE

LOGFILE=/var/log/procmail.clamav
LOGABSTRACT=all
VERBOSE=off
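NL="
"

# Capture the scanner's stdout in the CLAMAV variable
:0
CLAMAV=|/usr/local/bin/clamscan --disable-summary --stdout --mbox -

# On a "FOUND" line, log it and record the signature name in X-ClamAV
:0
* CLAMAV ?? .*: \/.* FOUND
{
  LOG="Possible virus ${MATCH}${NL}"

  :0 fhw
  | formail -a"X-ClamAV: ${MATCH}"
}

# Otherwise mark the message as clean
:0E fhw
| formail -a"X-ClamAV: clean"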

:0
* ^X-ClamAV: \/.*
* ! MATCH ?? ^^clean^^
/dev/null

LOGFILE=$TMPLOGFILE
LOGABSTRACT=$TMPLOGABSTRACT
VERBOSE=$TMPVERBOSE
==

Thanks,

Suril





Re: [Clamav-users] Suggestion: Feature Freeze

2004-07-27 Thread Trog
On Mon, 2004-07-26 at 21:59, John Madden wrote:
  Could we perhaps stop adding features for a few days and get a stable
  release out?  It would really help.
 
 I'd like to second that.  Those of us depending on clamav to catch stuff
 can't afford to upgrade in the middle of the day for new signatures to
 work.

Why not? If you say because it's a production system and it needs to be
tested, then that is a business decision to accept the risk of letting
in known viruses.

Most people would prefer that updates to the code to catch more viruses
are released.

   And why don't these new signatures work?  Has that interface not
 yet stabilized?

No. Adding more powerful features to the scanning engine requires
changes to the signature format.

-trog





Re: [Clamav-users] Virus found, not detected by Clamav, can't submit (claimed already recognised but is not)

2004-07-27 Thread Nigel Horne
 # clamscan --mbox virus-20030403-121256-27560

Forward a copy of the email to me and I'll look into it.

-Nigel

-- 
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK.  ICQ#20252325
[EMAIL PROTECTED] http://www.bandsman.co.uk




Re: [Clamav-users] Procmailrc settings (for bounce, notify etc)

2004-07-27 Thread Dave Ewart
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Tuesday, 27.07.2004 at 11:32 +0100, Suril Patel wrote:

 [...]  I presume the detection is in the logs but I'd like the message
 not to be delivered to me, while the sender gets a message saying
 your message was failed due to virus etc. etc. Obviously the sender
 should just get the subject line or something and not the attachment.
 [...]

Don't notify the sender.

You'll just be generating unnecessary mail.  In the case of most
virus-generated emails, which are the ones you are going to be
detecting, the sender address will be faked.  Therefore, any
notification would go to the wrong person in any case.

Log the messages by all means, delete them automatically if you wish,
but don't notify anyone (except possibly your local system
administrator).

Dave.
- -- 
Dave Ewart
[EMAIL PROTECTED]
Computing Manager, Epidemiology Unit, Oxford
Cancer Research UK
PGP: CC70 1883 BD92 E665 B840 118B 6E94 2CFD 694D E370

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBBk76bpQs/WlN43ARAoDRAKDdFf3oTw2OUbX3i4h2KiQvUg8OSgCgyO6B
fNpBH773gHV9vFZF9EwcJBk=
=uDk0
-END PGP SIGNATURE-




Re: [Clamav-users] Procmailrc settings (for bounce, notify etc)

2004-07-27 Thread Paul Bijnens
Suril Patel wrote:
I have successfully got ClamAV working after configuring/tweaking everything
necessary and it works fine (so far).
However, I've changed my mind regarding some settings for virus interception
in e-mails and would like some help on the settings in
/usr/local/etc/procmailrc. At the moment, all messages containing viruses
are deleted 'quietly', i.e. the e-mail gets deleted without either party
knowing. I presume the detection is in the logs but I'd like the message not
to be delivered to me, while the sender gets a message saying your message
was failed due to virus etc. etc. Obviously the sender should just get the
subject line or something and not the attachment. Postmaster doesn't need to
be notified.
Actually, neither need the sender be notified, because that address
is forged in 99.9% of the current viruses.  Unless you want to
contribute to the backscatter.  Read:
   http://www.postfix.org/BACKSCATTER_README.html

Here is my file as it stands - what should the settings be instead and how
can I modify the failure notice sent to the original sender?
===
TMPLOGFILE=$LOGFILE
TMPLOGABSTRACT=$LOGABSTRACT
TMPVERBOSE=$VERBOSE
LOGFILE=/var/log/procmail.clamav
LOGABSTRACT=all
VERBOSE=off
NL="
"

:0
CLAMAV=|/usr/local/bin/clamscan --disable-summary --stdout --mbox -
:0
* CLAMAV ?? .*: \/.* FOUND
{
  LOG="Possible virus ${MATCH}${NL}"
  :0 fhw
  | formail -a"X-ClamAV: ${MATCH}"
}
:0E fhw
| formail -a"X-ClamAV: clean"
:0
* ^X-ClamAV: \/.*
* ! MATCH ?? ^^clean^^
/dev/null

Wow, so I just need to forge a mail with a header 'X-ClamAV: clean' to 
pass your virusblocker.
Don't add these things to the header.   Just keep the X-ClamAV: $(MATCH)
and test for its absence.

And here is a recipe for auto-reply, if you really really want
to backscatter innocent people.
#
:0 h c
* !^FROM_DAEMON
* !^X-Loop: virusnotification
| (formail -rt -I"Precedence: junk" \
  -A"X-Loop: virusnotification" ; \
  cat /your/friendly/message ) | $SENDMAIL -oi -t
#
--
Paul Bijnens, XplanationTel  +32 16 397.511
Technologielaan 21 bus 2, B-3001 Leuven, BELGIUMFax  +32 16 397.512
http://www.xplanation.com/  email:  [EMAIL PROTECTED]
***
* I think I've got the hang of it now:  exit, ^D, ^C, ^\, ^Z, ^Q, F6, *
* quit,  ZZ, :q, :q!,  M-Z, ^X^C,  logoff, logout, close, bye,  /bye, *
* stop, end, F3, ~., ^]c, +++ ATH, disconnect, halt,  abort,  hangup, *
* PF4, F20, ^X^X, :D::D, KJOB, F14-f-e, F8-e,  kill -1 $$,  shutdown, *
* kill -9 1,  Alt-F4,  Ctrl-Alt-Del,  AltGr-NumLock,  Stop-A,  ...*
* ...  Are you sure?  ...   YES   ...   Phew ...   I'm out  *
***
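
A small Python model of the recipes discussed in this message, added here as an illustration and not code from any poster in the thread: it contrasts the posted logic, which writes the verdict to `X-ClamAV` and then reads it back, with a fail-closed variant that removes any inbound `X-ClamAV` field and adds the header only on detection. The `scan` stand-in, the marker string and the sample messages are constructed; `formail -a` is modelled as appending only when the field is absent.

```python
from email import message_from_string

# Constructed stand-in for a signature hit; no real malware or signature is involved.
MARKER = "CONSTRUCTED-SAMPLE-MARKER"
HEADER = "X-ClamAV"


def scan(raw):
    """Stand-in for `clamscan --stdout --mbox -`: a name on detection, else None."""
    return "Constructed.Sample" if MARKER in raw else None


def formail_a(msg, name, value):
    """Model of `formail -a`: append the field only if no such field exists yet."""
    if msg[name] is None:
        msg[name] = value


def formail_strip(msg, name):
    """Model of `formail -I"Name:"`: delete every existing instance of the field."""
    del msg[name]


def original_recipes(raw):
    """Posted logic: tag with the verdict, then decide by reading the header back."""
    msg = message_from_string(raw)
    verdict = scan(raw)
    # A header that arrived with the mail is "already present", so -a adds nothing.
    formail_a(msg, HEADER, verdict if verdict else "clean")
    # `* ^X-ClamAV: \/.*` picks up the first X-ClamAV line; `^^clean^^` must match it all.
    first = msg[HEADER].strip()
    return "delivered" if first == "clean" else "discarded"


def fail_closed_recipes(raw):
    """Variant: never trust an inbound verdict; header present means discard."""
    msg = message_from_string(raw)
    formail_strip(msg, HEADER)          # drop anything the sender supplied
    verdict = scan(raw)
    if verdict:
        formail_a(msg, HEADER, verdict)  # header exists only when the scanner fired
    return "delivered" if msg[HEADER] is None else "discarded"


def make_message(body, sender_supplied_header=False):
    """Build a constructed sample message (example.org/example.net are placeholders)."""
    headers = [
        "From: sender@example.org",
        "To: user@example.net",
        "Subject: constructed sample",
    ]
    if sender_supplied_header:
        headers.append("X-ClamAV: clean")
    return "\n".join(headers) + "\n\n" + body + "\n"


SAMPLES = {
    "clean": make_message("hello"),
    "detected": make_message("attachment " + MARKER),
    "detected, header supplied by sender": make_message(
        "attachment " + MARKER, sender_supplied_header=True
    ),
    "clean, header supplied by sender": make_message(
        "hello", sender_supplied_header=True
    ),
}


def compare():
    """Return {sample name: (original decision, fail-closed decision)}."""
    return {
        name: (original_recipes(raw), fail_closed_recipes(raw))
        for name, raw in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (old, new) in compare().items():
        print(f"{name:40s} original={old:10s} fail-closed={new}")
```
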



Re: [Clamav-users] Procmailrc settings (for bounce, notify etc)

2004-07-27 Thread Lionel Bouton
Dave Ewart wrote the following on 07/27/2004 02:47 PM :
Don't notify the sender.
You'll just be generating unnecessary mail.  In the case of most
virus-generated emails, which are the ones you are going to be
detecting, the sender address will be faked.  Therefore, any
notification would go to the wrong person in any case.
 

You might want to be more accurate than that : worms using mail for 
propagation usually fake the From header, but when clamav detects a 
virus using other means of propagation (meaning the From couldn't be 
faked by the virus), notifying the sender is useful.

Amavisd-new is configured to do this by using :
$viruses_that_fake_sender_re = new_RE(
...
 qr'Worm'i,  # worms as labeled by ClamAV, Kaspersky, etc
 [qr'^(EICAR|Joke\.|Junk\.)'i => 0],
 [qr'^(WM97|OF97|W95/CIH-|JS/Fort)'i  => 0],
);



[Clamav-users] My.Doom.o

2004-07-27 Thread Scott Ryan
I have not submitted any virii (correct word?) before, so please bear with me.
I always run latest stable, currently 0.75 and have not had any virus issues 
up until now. I am seeing a high number of mails in the below format hitting 
our mail servers.

Dear user [EMAIL PROTECTED],
Your e-mail account has been used to send a large amount of spam messages 
during this week.
Obviously, your computer had been infected by a recent virus and now runs a 
hidden proxy server.
Please follow our instruction in order to keep your computer safe.
Best wishes,
The domain team.

with a zip file attached containing a pif file.

I submitted the zip file only to have the message returned to me advising that 
it is not a virus, but Binary fragment. Harmless.

Symantec identify these mails as My.Doom.o and i have checked sigtool which 
identifies My.Doom.m, but not My.Doom.o - 

My question is, how do i get clamav to identify these files as a virus?

Many thanks

-- 
+-+
(0 Scott Ryan
//\ Unix/Linux Systems Engineer
V_/_Telkom Internet - SA
+-+
Email:  [EMAIL PROTECTED]
Cell:   +27721164832
Work:   +27126807835
+-+




[Clamav-users] Re: Clam AV 0.75

2004-07-27 Thread Jesse Guardiani
Rob W wrote:

 Hi
 
 I have a couple of question that I hope you can help me with.
 
 Are there going to be released official patches or a new release to
 correct the issues that have been mentioned on this list? I wanted to
 update but this issue have kept me back. I don't want to use the
 CVS-version on a production machine. I think that it would be nice if
 there were released official patches and/or minor releases like 0.75.1 to
 correct bugs or other critical issues (like changes needed to catch new
 viruses that otherwise would require update to a cvs-version) in between
 new releases.
 
 Is http://sourceforge.net/news/?group_id=86638 still going to be updated
 with news? There aren't any notice of version 0.75 being released (or any
 other version since 0.70).

I concur. :)

I'm still running 0.73 because I've seen reports of viruses slipping
through 0.74 and 0.75.


-- 
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v)  423-559-5145 (f)
http://www.wingnet.net






Re: [Clamav-users] Virus found, not detected by Clamav, can't submit (claimed already recognised but is not)

2004-07-27 Thread Mike Cathey
Albert,

On Tue, 2004-07-27 at 06:15, Albert Pauw wrote:
 However when I tried to submit it, the page came back
 saying that it already is recognised.

We had to move the submission interface to another server (one of mine)
and in the process, the interface was broken.  This was resolved
yesterday afternoon/evening (GMT-4).  I sincerely apologize for the
inconvenience.

Cheers,

Mike
-- 
Mike Cathey - [EMAIL PROTECTED]
Unix/Networking geek  Perl hacker
http://www.mikecathey.com/





Re: [Clamav-users] malformed error

2004-07-27 Thread Steve Lenti
On Mon, 26 Jul 2004 15:28:07 -0700 (PDT), ©hris mckeever
[EMAIL PROTECTED] wrote:
 --- ©hris mckeever [EMAIL PROTECTED] wrote:
  I get this when running qmail-scanner 1.22 and
  clamscan .75 -
  command line clamscan works fine, same cl
  arguments...
 
  I have upgraded to .75, I have removed the .cvd
  files
  and manually ran freshclam (I am not sure why the
  error calls virus.db - thinking it is a
  temp file created)
 
  There is at least 150MB of free memory
 
 
  LibClamAV Error: readdb(): Malformed pattern line
  21327 (file
 
 /var/spool/qmailscan/tmp/prupref-mailgate109085904848026536/clamav-
 
  08a702a225a402a3/viruses.db).
  LibClamAV Error: cli_calloc(): Can't allocate memory
  (8 bytes).
 
  anyone have any ideas?
 
 I switched qmail-scanner over to use clamdscan rather
 than clamscan - it now finds the virii that were
 getting through -
 
 so - 2 items
 
 1 - anyone have an idea why clamscan itself would
 die??
 2 - is there a way to ensure that clamd doesnt die (or
 starts itself again if so)
 

clamscan is dying because you aren't allocating enough memory using
the softlimit function.  Take a look at the qmail-scanner FAQ.  The
reason clamdscan is working is because it takes less memory to run
than clamscan.

I don't have many problems with clamd dying... but you could set up
daemontools to monitor it and restart if it dies.
-Steve

-- 
Steve Lenti | [EMAIL PROTECTED]

 SELECT * FROM users WHERE clue > 0;
0 rows returned




Re: [Clamav-users] My.Doom.o

2004-07-27 Thread Trog
On Tue, 2004-07-27 at 16:26, Scott Ryan wrote:

 with a zip file attached containing a pif file.
 
 I submitted the zip file only to have the message returned to me advising that 
 it is not a virus, but Binary fragment. Harmless.
 

If you unpack it and look at the actual content of the attachment you'll
see it's not a valid executable, just some rubbish.

If you want to attempt to write a signature that matches ALL the
possible email messages and broken attachments, then I'm sure the sig
team would be happy to receive it.

-trog





RE: [Clamav-users] Virus found, not detected by Clamav, can't submit (claimed already recognised but is not)

2004-07-27 Thread Mitch \(WebCob\)
Hi.

Before you do, I've been told by Tomasz Papszun that there are signatures
that won't work for anything other than CVS... so you'd have to try building
a CVS version to make it work.

I suggested changes to allow us users to know this info when we do an upload
to the webform, but haven't had response from any of the other developers,
so don't know if the idea is generally approved or not.

Wouldn't want anyone to waste time researching something that might be as
simple as a cvs snapshot build ;-)

Try running the snapshot build (perhaps without installing? can that work?)
to scan the individual file of interest... then you will know...

m/

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Nigel
 Horne
 Sent: Tuesday, July 27, 2004 4:50 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [Clamav-users] Virus found, not detected by Clamav, can't
 submit (claimed already recognised but is not)


  # clamscan --mbox virus-20030403-121256-27560

 Forward a copy of the email to me and I'll look into it.

 -Nigel

 --
 Nigel Horne. Arranger, Composer, Typesetter.
 NJH Music, Barnsley, UK.  ICQ#20252325
 [EMAIL PROTECTED] http://www.bandsman.co.uk








Re: [Clamav-users] malformed error

2004-07-27 Thread ©hris
--- Steve Lenti [EMAIL PROTECTED] wrote:

 On Mon, 26 Jul 2004 15:28:07 -0700 (PDT), ©hris
 mckeever
 [EMAIL PROTECTED] wrote:
  --- ©hris mckeever [EMAIL PROTECTED] wrote:
   I get this when running qmail-scanner 1.22 and
   clamscan .75 -
   command line clamscan works fine, same cl
   arguments...
  
   I have upgraded to .75, I have removed the .cvd
   files
   and manually ran freshclam (I am not sure why
 the
   error calls virus.db - thinking it is a
   temp file created)
  
   There is at least 150MB of free memory
  
  
   LibClamAV Error: readdb(): Malformed pattern
 line
   21327 (file
  
 

/var/spool/qmailscan/tmp/prupref-mailgate109085904848026536/clamav-
  
   08a702a225a402a3/viruses.db).
   LibClamAV Error: cli_calloc(): Can't allocate
 memory
   (8 bytes).
  
   anyone have any ideas?
  
  I switched qmail-scanner over to use clamdscan
 rather
  than clamscan - it now finds the virii that were
  getting through -
  
  so - 2 items
  
  1 - anyone have an idea why clamscan itself would
  die??
  2 - is there a way to ensure that clamd doesnt die
 (or
  starts itself again if so)
  
 
 clamscan is dying because you aren't allocating
 enough memory using
 the softlimit function.  Take a look at the
 qmail-scanner FAQ.  The
 reason clamdscan is working is because it takes less
 memory to run
 than clamscan.
 
 I don't have many problems with clamd dying... but
 you could set up
 daemontools to monitor it and restart if it dies.
 -Steve
 

Steve - thanks I will play with that a bit today, I am
sure I boosted the crap out of soft-limit when all
this started to happen --- thanks


 -- 
 Steve Lenti | [EMAIL PROTECTED]
 
  SELECT * FROM users WHERE clue > 0;
 0 rows returned
 
 

 






Re: [Clamav-users] Suggestion: Feature Freeze

2004-07-27 Thread Todd Lyons
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Trog wanted us to know:

  Could we perhaps stop adding features for a few days and get a stable
  release out?  It would really help.
 I'd like to second that.  Those of us depending on clamav to catch stuff
 can't afford to upgrade in the middle of the day for new signatures to
 work.
Why not? If you say because it's a production system and it needs to be
tested, then that is a business decision to accept the risk of letting
in known viruses.
Most people would prefer that updates to the code to catch more viruses
are released.

I agree on both sides.  I think the biggest uncertainty with the use
current CVS directive is that a person could be checking out while one
or more developers are making changes.  In a 15 minute window, the code
could be broken or produce strange results that occurred neither before
nor after that window.  Perhaps a daily CVS snapshot (or whatever
frequency you deem useful but not overloading) made by you would be a
good solution.  Then we could establish functionality based on date and
it would be quite easy to move forward or backward through the dailies
(speaking purely from a sysadmin point of view).  It's important to note
that I get constant heat from management about using non-release
versions of anything, especially on anything as visible to the end user
as email.  At least with a snapshot release, I can say The developers
say this version should work for production.

Food for thought.
- -- 
Regards...  Todd
They that can give up essential liberty to obtain a little temporary 
safety deserve neither liberty nor safety.   --Benjamin Franklin
Linux kernel 2.6.3-8mdkenterprise   1 user,  load average: 0.01, 0.02, 0.00
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBBnHRY2VBGxIDMLwRAveZAJ9/foM9Kc/zpAejEp9y3v3ZTEc7rwCfZl5L
wcvBHJ5sU9N1BUIKalhYOjM=
=MrW0
-END PGP SIGNATURE-




Re: [Clamav-users] My.Doom.o

2004-07-27 Thread Paul Bijnens
Scott Ryan wrote:
I have not submitted any virii (correct word?) before, so please bear with me.
I always run latest stable, currently 0.75 and have not had any virus issues 
up until now. I am seeing a high number of mails in the below format hitting 
our mail servers.


Dear user [EMAIL PROTECTED],
Your e-mail account has been used to send a large amount of spam messages 
during this week.
Obviously, your computer had been infected by a recent virus and now runs a 
hidden proxy server.
Please follow our instruction in order to keep your computer safe.
Best wishes,
The domain team.

with a zip file attached containing a pif file.
I submitted the zip file only to have the message returned to me advising that 
it is not a virus, but Binary fragment. Harmless.
Yes, it is a fragment of a virus.
It is a dead virus :-)

Symantec identify these mails as My.Doom.o and i have checked sigtool which 
identifies My.Doom.m, but not My.Doom.o - 
You could identify it, but it cannot do any harm anymore.

My question is, how do i get clamav to identify these files as a virus?

--
Paul Bijnens, XplanationTel  +32 16 397.511
Technologielaan 21 bus 2, B-3001 Leuven, BELGIUMFax  +32 16 397.512
http://www.xplanation.com/  email:  [EMAIL PROTECTED]
***
* I think I've got the hang of it now:  exit, ^D, ^C, ^\, ^Z, ^Q, F6, *
* quit,  ZZ, :q, :q!,  M-Z, ^X^C,  logoff, logout, close, bye,  /bye, *
* stop, end, F3, ~., ^]c, +++ ATH, disconnect, halt,  abort,  hangup, *
* PF4, F20, ^X^X, :D::D, KJOB, F14-f-e, F8-e,  kill -1 $$,  shutdown, *
* kill -9 1,  Alt-F4,  Ctrl-Alt-Del,  AltGr-NumLock,  Stop-A,  ...*
* ...  Are you sure?  ...   YES   ...   Phew ...   I'm out  *
***



Re: [Clamav-users] malformed error

2004-07-27 Thread Jeremy Kitchen
On Monday 26 July 2004 05:28 pm, ©hris mckeever wrote:
  08a702a225a402a3/viruses.db).
  LibClamAV Error: cli_calloc(): Can't allocate memory
  (8 bytes).

 1 - anyone have an idea why clamscan itself would
 die??

It can't allocate memory.  Please refer to the qmail-scanner FAQ as this is a 
VERY VERY VERY VERY VERY (like, at least 20 times a day in #qmail) frequently 
asked question.

 2 - is there a way to ensure that clamd doesnt die (or
 starts itself again if so)

http://cr.yp.to/daemontools.html
http://smarden.org/runit/

pick one.

-Jeremy

-- 
Jeremy Kitchen ++ Systems Administrator ++ Inter7 Internet Technologies, Inc.
  [EMAIL PROTECTED] ++ www.inter7.com ++ 866.528.3530 ++ 847.492.0470 int'l
kitchen @ #qmail #gentoo on EFnet ++ scriptkitchen.com/qmail





Re: [Clamav-users] Virus found, not detected by Clamav, can't submit (claimed already recognised but is not)

2004-07-27 Thread Mike Brodbelt
Mitch (WebCob) wrote:
 Hi.
 
 Before you do, I've been told by Tomasz Papszun that there are signatures
 that won't work for anything other than CVS... so you'd have to try building
 a CVS version to make it work.

I've updated my install to the latest CVS snapshot after finding that it
wasn't detecting MyDoom.M, which I'm starting to get hit with.

 Wouldn't want anyone to waste time researching something that might be as
 simple as a cvs snapshot build ;-)
 
 Try running the snapshot build (perhaps without installing? can that work?)
 to scan the individual file of interest... then you will know...

You can compile the CVS snapshot and then just do clamscan -m file on
a raw mail message containing the virus. That's what I tend to do just
to make sure it can pick them up, before actually installing the new
version onto the live system.

HTH,

Mike.




RE: [Clamav-users] Virus found, not detected by Clamav, can'tsubmit (claimed already recognised but is not)

2004-07-27 Thread Mitch \(WebCob\)
I'd be willing to hack the code to add the information mentioned the other
day - care to share the base script (off list is fine by me).

I'd like to make it a little more informative what was found and how it was
found etc.

thanks

m/

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Mike
 Cathey
 Sent: Tuesday, July 27, 2004 7:13 AM
 To: Clamav-users
 Subject: Re: [Clamav-users] Virus found, not detected by Clamav,
 can'tsubmit (claimed already recognised but is not)


 Albert,

 On Tue, 2004-07-27 at 06:15, Albert Pauw wrote:
  However when I tried to submit it, the page came back
  saying that it already is recognised.

 We had to move the submission interface to another server (one of mine)
 and in the process, the interface was broken.  This was resolved
 yesterday afternoon/evening (GMT-4).  I sincerely apologize for the
 inconvenience.

 Cheers,

 Mike
 --
 Mike Cathey - [EMAIL PROTECTED]
 Unix/Networking geek  Perl hacker
 http://www.mikecathey.com/





Re: [Clamav-users] Suggestion: Feature Freeze

2004-07-27 Thread Matt

  
  I'd like to second that.  Those of us depending on clamav to catch
  stuff can't afford to upgrade in the middle of the day for new
  signatures to work.
 
 Why not? If you say because it's a production system and it needs to be
 tested, then that is a business decision to accept the risk of letting
 in known viruses.
 
 Most people would prefer that updates to the code to catch more viruses
 are released.
 
And why don't these new signatures work?  Has that interface not
  yet stabilized?
 
 No. Adding more powerful features to the scanning engine requires
 changes to the signature format.
 
 -trog
 

 Could I add my two penneth on this one? No disrespect to anyone specific,
but there seems to be a lot of whingeing of late regarding it doesn't do
this or that, or it's not catching this virus.
 Anyone who is dependent upon virii scanning for their business
security/stability, should never rely wholly upon one method of
detection/prevention. If you want to be 100% safe, it isn't going to
happen, either with a commercial vendor, or otherwise. It's a case of
minimising, not obliterating. Perfection doesn't exist.
 It's about time someone actually said thanks or well done to the
maintainers/writers of Clam, not to keep slating them. Try to achieve this
level of speed and communication with a commercial vendor!
 Personally, I would like to say thanks for a stonkingly good AV scanner.
Keep it up chaps.

All the best

Matt





Re: [Clamav-users] My.Doom.o

2004-07-27 Thread Steven Stern
On Tue, 27 Jul 2004 15:26:30 +, Scott Ryan [EMAIL PROTECTED]
wrote:

I have not submitted any virii (correct word?) before, so please bear with me.
I always run latest stable, currently 0.75 and have not had any virus issues 
up until now. I am seeing a high number of mails in the below format hitting 
our mail servers.

Dear user [EMAIL PROTECTED],
Your e-mail account has been used to send a large amount of spam messages 
during this week.
Obviously, your computer had been infected by a recent virus and now runs a 
hidden proxy server.
Please follow our instruction in order to keep your computer safe.
Best wishes,
The domain team.

with a zip file attached containing a pif file.

I submitted the zip file only to have the message returned to me advising that 
it is not a virus, but Binary fragment. Harmless.

Symantec identify these mails as My.Doom.o and I have checked sigtool which 
identifies My.Doom.m, but not My.Doom.o - 

My question is, how do I get clamav to identify these files as a virus?


I got a few of these, too.  Norton AV with this morning's definitions doesn't
flag it as a virus.  I have just submitted the .zip file to them for analysis.

--
   Steve
   




Re: [Clamav-users] My.Doom.o

2004-07-27 Thread Kevin Spicer
On Tue, 2004-07-27 at 16:26, Scott Ryan wrote:
 I have not submitted any virii (correct word?) 

viruses





BMRB International 
http://www.bmrb.co.uk
+44 (0)20 8566 5000


[Clamav-users] upgrade

2004-07-27 Thread Jona Tallieu
Hi All,

Just upgraded to 0.75 on OSX 10.3.

When checking CLAMAV version to be sure the upgrade was ok I get:

mail:/usr/local/bin root# ./clamscan --version
clamscan / ClamAV version 0.75

But when I forgot the ./, I get this:

mail:/usr/local/bin root# clamscan --version
clamscan / ClamAV version 0.70

Is this normal (difference in version)?


Thnx.

J.




Re: [Clamav-users] Suggestion: Feature Freeze

2004-07-27 Thread Dennis Skinner
Todd Lyons wrote:
| Perhaps a daily CVS snapshot (or whatever
| frequency you deem useful but not overloading) made by you would be a
| good solution.  Then we could establish functionality based on date and
| it would be quite easy to move forward or backward through the daily's
| (speaking purely from a sysadmin point of view).  It's important to note

Excellent idea.  Good thing you checked the website before making this
suggestion.  :)
http://www.clamav.net/snapshot.html#pagestart
Read the last line.
Daily snapshots have been around since I started using it at 0.60 or so
--
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com
When fortune empties her chamber pot on your head, smile and say We are
going to have a summer shower.  -  Sir John A. Macdonald


Re: [Clamav-users] upgrade

2004-07-27 Thread Freddie Cash
On July 27, 2004 10:54 am, Jona Tallieu wrote:
 Just upgraded to 0.75 on OSX 10.3.

 When checking CLAMAV version to be sure the upgrade was ok I get:
 mail:/usr/local/bin root# ./clamscan --version
 clamscan / ClamAV version 0.75

 But when I forgot the ./, I get this:
 mail:/usr/local/bin root# clamscan --version
 clamscan / ClamAV version 0.70

 Is this normal (difference in version)?

You have two different versions installed.  One located 
in /usr/local/bin, the other somewhere else in your PATH 
(probably /usr/bin).  Try whereis clamscan to find where the other 
one is and remove it.

-- 
Freddie Cash, CCNT CCLPHelpdesk / Network Support Tech.
School District 73 (250) 377-HELP [377-4357]
[EMAIL PROTECTED]




Re: [Clamav-users] Virus found, not detected by Clamav, can't submit (claimed already recognised but is not)

2004-07-27 Thread Jim Maul
Quoting Mike Brodbelt [EMAIL PROTECTED]:
Mitch (WebCob) wrote:
Hi.
Before you do, I've been told by Tomasz Papszun that there are signatures
that won't work for anything other than CVS... so you'd have to try building
a CVS version to make it work.
I've updated my install to the latest CVS snapshot after finding that it
wasn't detecting MyDoom.M, which I'm starting to get hit with.
Am I the only one here whose existing installation is catching MyDoom.M?
[EMAIL PROTECTED] clamav]# grep -i mydoom /var/log/clamav/clamd.log
Tue Jul 27 13:32:23 2004 -
/var/spool/qmailscan/tmp/external.elih.org109094954247931544/attachment.zip:
Worm.Mydoom.M FOUND
Tue Jul 27 13:32:23 2004 -
/var/spool/qmailscan/tmp/external.elih.org109094954247931544/orig-external.elih.org109094954247931544:
Worm.Mydoom.M FOUND
Tue Jul 27 13:35:54 2004 -
/var/spool/qmailscan/tmp/external.elih.org109094975447931691/message.zip:
Worm.Mydoom.M FOUND
[EMAIL PROTECTED] clamav]# clamscan -V
clamscan / ClamAV version 0.74
Or am I missing something?
Jim


Re: [Clamav-users] My.Doom.o

2004-07-27 Thread Mike Cathey
On Tue, 2004-07-27 at 13:28, Kevin Spicer wrote:
 On Tue, 2004-07-27 at 16:26, Scott Ryan wrote:
  I have not submitted any virii (correct word?) 
 
 viruses

Yup.  

http://www.topology.org/lang/virus.html
  
Cheers,

Mike





Re: [Clamav-users] upgrade

2004-07-27 Thread steve b
On Tue, 27 Jul 2004, Jona Tallieu wrote:

 Hi All,

 Just upgraded to 0.75 on OSX 10.3.

 When checking CLAMAV version to be sure the upgrade was ok I get:

 mail:/usr/local/bin root# ./clamscan --version
 clamscan / ClamAV version 0.75

 But when I forgot the ./, I get this:

 mail:/usr/local/bin root# clamscan --version
 clamscan / ClamAV version 0.70

 Is this normal (difference in version)?


The ./ tells your shell to execute the binary located in your current
working directory.   Just entering clamscan tells your shell to search
your PATH environment for the binary.  It appears that you have another,
older version of clamav still installed.  Try using which clamscan to
locate the older version.  Note that there is more to the package than
just this one binary, and it's probably a good idea to get rid of the
entire previous installation.

Steve
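
The check the replies above describe, as an added example that is not part of the original thread: list every copy of a ClamAV tool on the search path in lookup order and flag differing versions. The function names, the optional search-path argument and the constructed stand-in binaries are assumptions; /usr/bin as the home of the older copy is the guess made in the thread.

```shell
#!/bin/sh
# Added example: find every copy of a ClamAV tool on a search path and flag
# version mismatches. Function names and the demo tree are assumptions.

# list_on_path NAME [SEARCHPATH]
# Print each executable file called NAME in lookup order (SEARCHPATH defaults
# to $PATH). The body is a subshell so IFS and "set -f" do not leak out.
list_on_path() (
    name=$1
    search=${2-$PATH}
    set -f                          # no globbing while splitting the path
    IFS=:
    for dir in $search; do
        [ -n "$dir" ] || dir=.      # an empty entry means the current directory
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
        fi
    done
)

# version_of BINARY
# Print the version number from a banner such as
# "clamscan / ClamAV version 0.75" (the format shown in the thread).
version_of() {
    "$1" --version 2>/dev/null |
        sed -n 's/.*ClamAV[^0-9]*\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# report_copies NAME [SEARCHPATH]
# Print "VERSION PATH" per copy; the first line is what a bare NAME runs.
# Exit status: 0 = all copies agree, 1 = versions differ, 2 = none found.
report_copies() {
    report=$(list_on_path "$1" "${2-$PATH}" | while IFS= read -r bin; do
        v=$(version_of "$bin")
        printf '%s %s\n' "${v:-unknown}" "$bin"
    done)
    [ -n "$report" ] || return 2
    printf '%s\n' "$report"
    distinct=$(printf '%s\n' "$report" |
        awk '!seen[$1]++ { n++ } END { print n + 0 }')
    [ "$distinct" -eq 1 ]
}

# make_demo_tree DIR
# Constructed stand-ins for the two installs in the thread: an old 0.70 in
# usr/bin and the new 0.75 in usr/local/bin, both under DIR.
make_demo_tree() {
    mkdir -p "$1/usr/bin" "$1/usr/local/bin"
    printf '#!/bin/sh\necho "clamscan / ClamAV version 0.70"\n' \
        >"$1/usr/bin/clamscan"
    printf '#!/bin/sh\necho "clamscan / ClamAV version 0.75"\n' \
        >"$1/usr/local/bin/clamscan"
    chmod +x "$1/usr/bin/clamscan" "$1/usr/local/bin/clamscan"
}

# demo: run the report against the constructed tree, then clean up.
demo() {
    d=$(mktemp -d) || return 1
    make_demo_tree "$d"
    report_copies clamscan "$d/usr/bin:$d/usr/local/bin" && rc=0 || rc=$?
    rm -rf "$d"
    return "$rc"
}

demo || echo "versions differ: a bare 'clamscan' runs the first copy listed"
# On a real host: report_copies clamscan; report_copies freshclam
```

Running the same report for freshclam and the other installed tools covers the point made above that the package is more than one binary.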




RE: [Clamav-users] Virus found, not detected by Clamav, can't submit (claimed already recognised but is not)

2004-07-27 Thread Nigel Horne
 Hi.

 Before you do, I've been told by Tomasz Papszun that there are signatures
 that won't work for anything other than CVS... so you'd have to
 try building
 a CVS version to make it work.

 I suggested changes to allow us users to know this info when we
 do an upload
 to the webform, but haven't had response from any of the other developers,
 so don't know if the idea is generally approved or not.

 Wouldn't want anyone to waste time researching something that might be as
 simple as a cvs snapshot build ;-)

 Try running the snapshot build (perhaps without installing? can
 that work?)
 to scan the individual file of interest... then you will know...

 m/

  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] Behalf Of Nigel
  Horne
  Sent: Tuesday, July 27, 2004 4:50 AM
  To: [EMAIL PROTECTED]
  Subject: Re: [Clamav-users] Virus found, not detected by Clamav, can't
  submit (claimed already recognised but is not)
 
 
   # clamscan --mbox virus-20030403-121256-27560
 
  Forward a copy of the email to me and I'll look into it.
 
  -Nigel

You have missed the point. I did not mention web interface or signatures
because my proposal had nothing to do with that, it was an offer to
check that there wasn't a bug in the inbuilt MIME decoder.

I have nothing to do with the web interface or signature side, so I don't
know why you'd think that my posting did.

Anyway it's all academic, the poster sent me a copy and I was able to
determine that it wasn't a MIME related problem.

-Nigel





Re: [Clamav-users] upgrade

2004-07-27 Thread Jim Maul
Quoting Jona Tallieu [EMAIL PROTECTED]:
Hi All,
Just upgraded to 0.75 on OSX 10.3.
When checking CLAMAV version to be sure the upgrade was ok I get:
mail:/usr/local/bin root# ./clamscan --version
clamscan / ClamAV version 0.75
But when I forgot the ./, I get this:
mail:/usr/local/bin root# clamscan --version
clamscan / ClamAV version 0.70
Is this normal (difference in version)?

No, this is not normal.  It means you have (at least) two versions of clamav
installed.  When you run ./clamscan it is running the copy in that particular
dir.  When you just run clamscan it is running the copy in the path (/usr/bin/
or similar).  You should get rid of ALL files left over from previous versions
of clamav.
Jim


Re: [Clamav-users] Virus found, not detected by Clamav, can't submit (claimed already recognised but is not)

2004-07-27 Thread Chris Meadors
On Tue, 2004-07-27 at 14:06 -0400, Jim Maul wrote:

 Am I the only one here whose existing installation is catching MyDoom.M?
 
 [EMAIL PROTECTED] clamav]# grep -i mydoom /var/log/clamav/clamd.log
 Tue Jul 27 13:32:23 2004 -
 /var/spool/qmailscan/tmp/external.elih.org109094954247931544/attachment.zip:
 Worm.Mydoom.M FOUND
 Tue Jul 27 13:32:23 2004 -
 /var/spool/qmailscan/tmp/external.elih.org109094954247931544/orig-external.elih.org109094954247931544:
 Worm.Mydoom.M FOUND
 Tue Jul 27 13:35:54 2004 -
 /var/spool/qmailscan/tmp/external.elih.org109094975447931691/message.zip:
 Worm.Mydoom.M FOUND
 
 [EMAIL PROTECTED] clamav]# clamscan -V
 clamscan / ClamAV version 0.74
 
 
 Or am i missing something?

grep Mydoom\.M clamd.log | wc -l
798

That's since midnight today.  So mine seems to be working.  I'm using
Exiscan for Exim.  I upgraded to 0.75 yesterday thinking I must have
been missing something, but looking at the logs from 0.72 it was also
catching it.

I dunno.  But you aren't the only one catching it.
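
An added example, not part of the original thread, of counting detections from clamd.log lines like the ones quoted above: it matches the signature name exactly and also counts unique scan directories, since one message can log more than one FOUND line (as with the attachment.zip and orig- entries above). The function names, the `->` separator and every sample log line, including the `Worm.Mydoom.M-2` name, are constructed assumptions.

```shell
#!/bin/sh
# Added example: per-signature tallies from clamd.log. The "->" separator and
# every log line below are constructed for illustration.

sample_log() {
    cat <<'EOF'
Mon Jul 26 23:59:01 2004 -> /var/spool/scan/tmp/msg0/doc.zip: Worm.Mydoom.M FOUND
Tue Jul 27 13:32:23 2004 -> /var/spool/scan/tmp/msg1/attachment.zip: Worm.Mydoom.M FOUND
Tue Jul 27 13:32:23 2004 -> /var/spool/scan/tmp/msg1/orig-msg1: Worm.Mydoom.M FOUND
Tue Jul 27 13:35:54 2004 -> /var/spool/scan/tmp/msg2/message.zip: Worm.Mydoom.M FOUND
Tue Jul 27 14:02:10 2004 -> /var/spool/scan/tmp/msg3/my file.zip: Worm.Bagle.Gen-zippwd FOUND
Tue Jul 27 14:05:00 2004 -> /var/spool/scan/tmp/msg4/a.zip: Worm.Mydoom.M-2 FOUND
Tue Jul 27 14:06:00 2004 -> /var/spool/scan/tmp/msg5/b.txt: OK
Tue Jul 27 14:07:00 2004 -> SelfCheck: Database status OK.
EOF
}

# tally_found [FILE...]
# Print "COUNT SIGNATURE" for every signature that fired, highest count first.
# The signature is the word before the trailing FOUND, so paths that contain
# spaces do not confuse the split. Reads stdin when no FILE is given.
tally_found() {
    awk '
        $NF == "FOUND" { count[$(NF - 1)]++ }
        END { for (s in count) printf "%d %s\n", count[s], s }
    ' "$@" | sort -k1,1nr -k2,2
}

# count_exact SIGNATURE "Mon DD YYYY" [FILE...]
# Print "LINES DIRS": FOUND lines for exactly SIGNATURE on that day, and the
# number of distinct parent directories those lines refer to.
count_exact() {
    sig=$1
    day=$2
    shift 2
    awk -v sig="$sig" -v day="$day" '
        $NF == "FOUND" && $(NF - 1) == sig && ($2 " " $3 " " $5) == day {
            lines++
            path = $0
            sub("^.* -> ", "", path)          # drop the timestamp
            sub(": [^ ]+ FOUND$", "", path)   # drop ": SIGNATURE FOUND"
            sub("/[^/]*$", "", path)          # keep the parent directory
            if (!(path in seen)) { seen[path] = 1; dirs++ }
        }
        END { printf "%d %d\n", lines, dirs }
    ' "$@"
}

# Demo on the constructed lines: a substring grep counts the M-2 line and the
# previous day as well, the exact count does not.
echo "grep -c Mydoom.M:         $(sample_log | grep -c 'Mydoom.M')"
echo "exact, Jul 27 (lines dirs): $(sample_log | count_exact Worm.Mydoom.M 'Jul 27 2004')"
sample_log | tally_found
```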





[Clamav-users] sigtool outout very large

2004-07-27 Thread zbuckholz
I have an email attachment that uvscan is detecting as:

(When zipped)
Found the W32/[EMAIL PROTECTED] virus !!!

(When unzipped using password in email text)
Found the W32/[EMAIL PROTECTED] virus !!!

Clamscan detects it as:

(When unzipped using password in email text)
gyadu.exe: Worm.Bagle.Gen-1 FOUND

(Original zip file that is password protected)
MoreInfo.zip: OK

If I run sigtool as follows

/home/clamav/bin/sigtool --list-sigs | grep pwd

I get a list of known virus signatures that come in password
zip files.

Worm.Tibbo-zippwd
Worm.Bagle.F-zippwd
Worm.Bagle.F-zippwd-2
Worm.Bagle.F-zippwd-3
Worm.Bagle.F-zippwd-4
Worm.Bagle.F-zippwd-5
Worm.Bagle.F-zippwd-6
Worm.Bagle.F-zippwd-7
Worm.Bagle.H-zippwd-1
Worm.Bagle.Gen-zippwd-2
Worm.Bagle.Gen-rarpwd
Trojan.Dropper.Small.HG-zippwd
Worm.Bagle.Gen-zippwd

My basic question is why will clamscan not detect this Bagle, and if
it's because the password has changed how can I either update the main.cvd or
extract the similar signature and put that into the local.db with the correct
password. This is all assuming that the typically used password is stored in
the main.cvd.

Thanks

Zack


Re: [Clamav-users] upgrade

2004-07-27 Thread Jona Tallieu
Quoting Jona Tallieu [EMAIL PROTECTED]:

 Hi All,

 Just upgraded to 0.75 on OSX 10.3.

 When checking CLAMAV version to be sure the upgrade was ok I get:

 mail:/usr/local/bin root# ./clamscan --version
 clamscan / ClamAV version 0.75

 But when I forgot the ./, I get this:

 mail:/usr/local/bin root# clamscan --version
 clamscan / ClamAV version 0.70

 Is this normal (difference in version)?



No, this is not normal.  It means you have (at least) two versions of clamav
installed.  When you run ./clamscan it is running the copy in that particular
dir.  When you just run clamscan it is running the copy in the path (/usr/bin/
or similar).  You should get rid of ALL files left over from previous versions
of clamav.

Thanks for your reply.

I removed the 2 from /usr/bin and relinked them:

#ln /usr/local/bin/clamscan /usr/bin/
#ln /usr/local/bin/freshclam /usr/bin/

Now both have same version number.

Any other place I should check for leftovers from the previous version
(previous was 0.70)?


Thnx!


J.






Re: [Clamav-users] sigtool outout very large

2004-07-27 Thread Ryan Moore
zbuckholz wrote:
I have an email attachment that uvscan is detecting as:
(When zipped)
Found the W32/[EMAIL PROTECTED] virus !!!
(When unzipped using password in email text)
Found the W32/[EMAIL PROTECTED] virus !!!
Clamscan detects it as:
(When unzipped using password in email text)
gyadu.exe: Worm.Bagle.Gen-1 FOUND
(Original zip file that is password protected
MoreInfo.zip: OK
My basic question is why will clamscan not detect this Bagle , and if 
its because the password has changed how can I either update the 
main.cvd or extract the similar signature and put that into the local.db 
with the correct password. This is all assuming that the typically used 
password is stored in the main.cvd.

 
Clamav needs the original rfc822 message text to detect it as a password 
protected virus I think. If you're trying to scan the password protected 
zip file itself, then I don't think it will work.

Ryan Moore
--
Perigee.net Corporation
704-849-8355 (sales)
704-849-8017 (tech)
www.perigee.net


Re: [Clamav-users] upgrade

2004-07-27 Thread Antony Stone
On Tuesday 27 July 2004 6:54 pm, Jona Tallieu wrote:

 Hi All,

 Just upgraded to 0.75 on OSX 10.3.

 When checking CLAMAV version to be sure the upgrade was ok I get:

 mail:/usr/local/bin root# ./clamscan --version
 clamscan / ClamAV version 0.75

 But when I forgot the ./, I get this:

 mail:/usr/local/bin root# clamscan --version
 clamscan / ClamAV version 0.70

 Is this normal (difference in version)?

No - it means you have two versions installed in different places on your 
system (which is not good).

Try locate clamscan or find / -name clamscan to see where the older 
version is, if you're not sure about where to remove it from.

Regards,

Antony.

-- 
What makes you think I know what I'm talking about?
I just have more O'Reilly books than most people.

 Please reply to the list;
   please don't CC me.





Re: [Clamav-users] Virus found, not detected by Clamav, can't submit (claimed already recognised but is not)

2004-07-27 Thread Jim Maul
Quoting [EMAIL PROTECTED]:
On Tue, 27 Jul 2004 14:06:14 -0400
Jim Maul [EMAIL PROTECTED] wrote:
Am I the only one here whose existing installation is catching MyDoom.M?
[EMAIL PROTECTED] clamav]# grep -i mydoom /var/log/clamav/clamd.log
Tue Jul 27 13:32:23 2004 -
/var/spool/qmailscan/tmp/external.elih.org109094954247931544/attachment.zip:
Worm.Mydoom.M FOUND
Well, we upgraded to 0.75.. And since last sunday out of
2171 viruses there've been 64 Mydoom variants. Including
Mydoom.M, J, etc..

Indeed, but I am running 0.74 which I thought was unable to catch these.
Jim


Re: [Clamav-users] Virus found, not detected by Clamav, can't submit (claimed already recognised but is not)

2004-07-27 Thread kristof.hardy
On Tue, 27 Jul 2004 14:06:14 -0400
Jim Maul [EMAIL PROTECTED] wrote:
Am I the only one here whose existing installation is 
catching MyDoom.M?
[EMAIL PROTECTED] clamav]# grep -i mydoom 
/var/log/clamav/clamd.log
Tue Jul 27 13:32:23 2004 -
/var/spool/qmailscan/tmp/external.elih.org109094954247931544/attachment.zip:
Worm.Mydoom.M FOUND
Well, we upgraded to 0.75.. And since last sunday out of 
2171 viruses there've been 64 Mydoom variants. Including 
Mydoom.M, J, etc..

--
Best regards,
Kristof


Re: [Clamav-users] sigtool outout very large

2004-07-27 Thread Tomasz Kojm
On Tue, 27 Jul 2004 12:48:55 -0700
zbuckholz [EMAIL PROTECTED] wrote:

 My basic question is why will clamscan not detect this Bagle , and if

I'm sure your version is older than 0.70.

-- 
   oo. Tomasz Kojm [EMAIL PROTECTED]
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Tue Jul 27 22:55:14 CEST 2004




Re: [Clamav-users] upgrade

2004-07-27 Thread Chris Meadors
On Tue, 2004-07-27 at 21:17 +0100, Antony Stone wrote:
 On Tuesday 27 July 2004 6:54 pm, Jona Tallieu wrote:
 
  Hi All,
 
  Just upgraded to 0.75 on OSX 10.3.
 
  When checking CLAMAV version to be sure the upgrade was ok I get:
 
  mail:/usr/local/bin root# ./clamscan --version
  clamscan / ClamAV version 0.75
 
  But when I forgot the ./, I get this:
 
  mail:/usr/local/bin root# clamscan --version
  clamscan / ClamAV version 0.70
 
  Is this normal (difference in version)?
 
 No - it means you have two versions installed in different places on your 
 system (which is not good).
 
 Try locate clamscan or find / -name clamscan to see where the older 
 version is, if you're not sure about where to remove it from.

Even better, which clamscan will tell you which clamscan program will
run if you just type it without being pathed out.





Re: [Clamav-users] upgrade

2004-07-27 Thread Daniel J McDonald
On Tue, 2004-07-27 at 12:54, Jona Tallieu wrote:
 Just upgraded to 0.75 on OSX 10.3.
 But when I forgot the ./, I get this:
 mail:/usr/local/bin root# clamscan --version
 clamscan / ClamAV version 0.70

You probably have 0.70 installed in /usr/local/bin and 0.75 in /usr/bin

You need to remove all of the existing 0.70 before putting 0.75 in
production.
-- 
Daniel J McDonald [EMAIL PROTECTED]
Austin Energy





RE: [Clamav-users] sigtool outout very large

2004-07-27 Thread zbuckholz
I just took your suggestion and tried it and it still does not detect the
virus. I have the original text email that I scan like follows:
./clamscan sample.txt 
This is a copy of the atomic-time-stamp type file in the Maildir

I do not know the format of the cvd files, I assume I would need to find
The signature that matches the unzipped version and create a new entry
Just like that but with the password.

Thanks
Zack




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ryan Moore
Sent: Tuesday, July 27, 2004 1:19 PM
To: [EMAIL PROTECTED]
Subject: Re: [Clamav-users] sigtool outout very large

zbuckholz wrote:
 I have an email attachment that uvscan is detecting as:
 (When zipped)
 Found the W32/[EMAIL PROTECTED] virus !!!
 
 
 (When unzipped using password in email text)
 
 Found the W32/[EMAIL PROTECTED] virus !!!
 
 
 Clamscan detects it as:
 
 (When unzipped using password in email text)
 
 gyadu.exe: Worm.Bagle.Gen-1 FOUND
 
 
 (Original zip file that is password protected
 
 MoreInfo.zip: OK
 

 My basic question is why will clamscan not detect this Bagle , and if 
 its because the password has changed how can I either update the 
 main.cvd or extract the similar signature and put that into the local.db 
 with the correct password. This is all assuming that the typically used 
 password is stored in the main.cvd.
 
  

Clamav needs the original rfc822 message text to detect it as a password 
protected virus I think. If you're trying to scan the password protected 
zip file itself, then I don't think it will work.

Ryan Moore
--
Perigee.net Corporation
704-849-8355 (sales)
704-849-8017 (tech)
www.perigee.net




[Clamav-users] mydoom.m zipped version getting through clamav

2004-07-27 Thread Jim
The new [EMAIL PROTECTED] zipped versions are getting through my 
clamav/amavisd-new/spamassassin box.

It is stopping and dropping zipped versions of Bagle, but no luck with 
zipped versions of mydoom.M

Anyone else experiencing this?

Also does anyone know when the .75 release will be available as a deb?


Jim






Re: [Clamav-users] sigtool outout very large

2004-07-27 Thread Ryan Moore
zbuckholz wrote:
I just took your suggestion and tried it and it still does not detect the
virus. I have the original text email that I scan like follows:
./clamscan sample.txt 
This is a copy of the atomic-time-stamp type file in the Maildir

I do not know the format of the cvd files, I assume I would need to find
The signature that matches the unzipped version and create a new entry
Just like that but with the password.
Thanks
Zack
I probably should have mentioned, that if you do that, you'll need to 
pass the --mbox parameter to clamscan (or if you use clamdscan, you need 
the Scanmail parameter in the config file). Such as:

clamscan --mbox sample.txt
Also make sure you have a current version of the software and have run 
freshclam, as the signatures you mentioned seem to be a very small 
subset of the current signature database. I have 72 bagle related 
signatures in my 0.75 distro (when I did `sigtool -l | grep -ci bagle`).

Ryan Moore
--
Perigee.net Corporation
704-849-8355 (sales)
704-849-8017 (tech)
www.perigee.net


Re: [Clamav-users] sigtool outout very large

2004-07-27 Thread Tomasz Kojm
On Tue, 27 Jul 2004 16:18:54 -0400
Ryan Moore [EMAIL PROTECTED] wrote:

 Clamav needs the original rfc822 message text to detect it as a
 password protected virus I think. If you're trying to scan the

No, it doesn't. The Worm.Bagle.Gen-zippwd signature should catch the raw
zip file.

-- 
   oo. Tomasz Kojm [EMAIL PROTECTED]
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Wed Jul 28 00:00:10 CEST 2004




Re: [Clamav-users] sigtool outout very large

2004-07-27 Thread Daniel Lord
Hi,

On Tue, Jul 27, 2004 at 02:35:56PM -0700, zbuckholz wrote:
 I just took your suggestion and tried it and it still does not detect the
 virus. I have the original text email that I scan like follows:
 ./clamscan sample.txt 
 This is a copy of the atomic-time-stamp type file in the Maildir

man clamscan

 I do not know the format of the cvd files, I assume I would need to find
 The signature that matches the unzipped version and create a new entry
 Just like that but with the password.

http://www.clamav.net/doc/0.72/signatures.pdf
http://www.netmeister.org/news/learn2quote.html

Greetings Daniel
-- 
When you come to a fork in the road, take it.




[Clamav-users] Re: Clamav-users digest, Vol 1 #859 - 13 msgs

2004-07-27 Thread Matt
 Hi,
 
 Good question, ok at the moment my firewall is also acting as router
 where we share internet access.
 
 At the moment I had set up my mail server with clamav and it's working
 fine.
 
 Now the big problem that I have is that some of my users are downloading
 some stuff from internet which some of them is a virus, now my network
 is full with viruses.
 
 I would like to filter the tcp/ip traffic and block any virus to be
 downloaded and if possible filter any file which pass-through my router
 aka firewall.
 

 The link that you were given for the http proxy will accomplish most of
this, the only other general source of download being ftp, which I have no
idea whether it covers that or not. With regards to any other means of
ingress/egress, block non-required/essential ports at the firewall.
 Give your users what they need, not what they think they want.

Matt 





Re: [Clamav-users] My.Doom.o

2004-07-27 Thread Matt
 On Tue, 2004-07-27 at 13:28, Kevin Spicer wrote:
  On Tue, 2004-07-27 at 16:26, Scott Ryan wrote:
   I have not submitted any virii (correct word?) 
  
  viruses
 
 Yup.  
 
 http://www.topology.org/lang/virus.html
   
 Cheers,
 
 Mike

 I know this is going wildly off topic, but this one could be debatable.
According to a Collins English Gem Dictionary, (1954 vintage), virus
doesn't have a plural listed. So, is it just a recent designation?

Matt





Re: [Clamav-users] mydoom.m zipped version getting through clamav

2004-07-27 Thread Stephen Gran
On Tue, Jul 27, 2004 at 02:48:21PM -0700, Jim said:
 The new [EMAIL PROTECTED] zipped versions are getting through my 
 clamav/amavisd-new/spamassassin box.
 
 It is stopping and dropping zipped versions of Bagle, but no luck with 
 zipped versions of mydoom.M
 
 Anyone else experiencing this?

I'm getting hundreds of hits for it.  What version are you running?

 Also does anyone know when the .75 release will be available as a deb?

I'm waiting on a patch decision before uploading.  Otherwise, it's ready
to go.
-- 
 --
|  Stephen Gran  | Let us be charitable, and call it a |
|  [EMAIL PROTECTED] | misleading feature  :-)  -- |
|  http://www.lobefin.net/~steve | Larry Wall in [EMAIL PROTECTED]  |
 --




Re: [Clamav-users] My.Doom.o

2004-07-27 Thread John Fleming

- Original Message - 
From: Matt [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, July 27, 2004 5:52 PM
Subject: Re: [Clamav-users] My.Doom.o


  On Tue, 2004-07-27 at 13:28, Kevin Spicer wrote:
   On Tue, 2004-07-27 at 16:26, Scott Ryan wrote:
I have not submitted any virii (correct word?) 
   
   viruses
  
  Yup.  
  
  http://www.topology.org/lang/virus.html

  Cheers,
  
  Mike
 
  I know this is going wildly off topic, but this one could be debatable.
 According to a Collins English Gem Dictionary, (1954 vintage), virus
 doesn't have a plural listed. So, is it just a recent designation?

It's been viruses in the medical world since the 19th century.
John






[Clamav-users] Calling clamd form an email client

2004-07-27 Thread L. Clayton Parker
Before I download clamAV, could someone tell me if it is possible to
call clamd from an email client using a pipe to shell command filter?
I want to use it in conjunction with the Ximian Evolution email client in
conjunction with spamassassin.

Lee

-- 
L. Parker
chief cook, bottle washer and sometime sysadmin
cacaphony.net




[Clamav-users] Does Your Clamd Mem Usage Grows?

2004-07-27 Thread Bitz
Hello List,
Is it normal for clamd mem usage to grow? I'm using 0.75 on this box.
29238 qscand15   0 50452  45M   436 S 0.4  2.2  83:55   1 clamd
There are occasions where it grows more than 100mb - so I had to install 
monit to make sure it'll trigger a restart once it exceeds 100mb.

I have 0.60 clamav running on another box but the mem usage stays at 13mb.
Thanks! :)
-b.



[Clamav-users] clamd Socket File Error

2004-07-27 Thread Darton Williams
Running clamav-0.75 on FreeBSD 5.2.1, compiled from source. Everything runs 
fine, except when I try clamd stop/start or clamd restart. I get the 
error: 

Wed Jul 28 00:56:48 2004 - +++ Started at Wed Jul 28 00:56:48 2004
Wed Jul 28 00:56:48 2004 - clamd daemon 0.75 (OS: freebsd5.2.1, ARCH: i386, 
CPU: i386)
Wed Jul 28 00:56:48 2004 - Log file size limited to 10485760 bytes.
Wed Jul 28 00:56:48 2004 - Reading databases from 
/usr/local/clamav/share/clamav
Wed Jul 28 00:56:49 2004 - Protecting against 22932 viruses.
Wed Jul 28 00:56:49 2004 - ERROR: Socket file /var/run/clamd is in use by 
another process. 

I've seen this error mentioned a couple of places (obviously not a solution 
mentioned), and I've tried setting the following in clamav.conf:
# Remove stale socket after unclean shutdown.
FixStaleSocket 

Also checked the permissions, made sure the pid is set, etc. Nothing seems 
to work short of manually deleting the socket file. Any ideas? 

Best Regards,
Darton 




Re: [Clamav-users] upgrade

2004-07-27 Thread OpenMacNews
when you specify the ./ it means here
when you leave it off, you're selecting the one in the default path ... and it looks 
like you've got an older version lying around.
try:
% which clamscan
odds are the result is NOT in /usr/local/bin
richard
-- On Tuesday, July 27, 2004 7:54 PM +0200  Jona Tallieu [EMAIL PROTECTED] wrote:

Hi All,
Just upgraded to 0.75 on OSX 10.3.
When checking CLAMAV version to be sure the upgrade was ok I get:
mail:/usr/local/bin root# ./clamscan --version
clamscan / ClamAV version 0.75
But when I forgot the ./, I get this:
mail:/usr/local/bin root# clamscan --version
clamscan / ClamAV version 0.70
Is this normal (difference in version)?
Thnx.
J.
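
The version mismatch in this thread comes from two copies of clamscan being reachable, with the older one found first on PATH. The following is an added example, not part of the thread and not ClamAV code: it lists every copy of a scanner binary on PATH in lookup order with the version each reports. The function names are hypothetical, and it assumes the binary answers to --version as clamscan does in the messages above.

```python
import os
import subprocess


def find_all_on_path(name, path=None):
    """Return every executable called `name` on PATH, in shell lookup order."""
    path = os.environ.get("PATH", "") if path is None else path
    hits, seen = [], set()
    for directory in path.split(os.pathsep):
        candidate = os.path.join(directory or ".", name)  # empty entry = cwd
        real = os.path.realpath(candidate)
        if real in seen:
            continue  # same file reached through a symlink or repeated entry
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            seen.add(real)
            hits.append(candidate)
    return hits


def reported_version(binary):
    """Run `<binary> --version` and return its first output line."""
    result = subprocess.run([binary, "--version"], capture_output=True,
                            text=True, timeout=10)
    lines = result.stdout.splitlines()
    return lines[0].strip() if lines else ""


def audit(name, path=None):
    """Return ([(path, version), ...], shadowed); shadowed is True when the
    copies on PATH report different versions. The first entry is what runs."""
    found = [(p, reported_version(p)) for p in find_all_on_path(name, path)]
    shadowed = len({version for _, version in found}) > 1
    return found, shadowed


if __name__ == "__main__":
    copies, shadowed = audit("clamscan")
    for index, (location, version) in enumerate(copies):
        marker = "<- runs by default" if index == 0 else "   later on PATH"
        print(f"{location}: {version} {marker}")
    if shadowed:
        print("WARNING: different clamscan versions on PATH")
```

Whatever calls the scanner by bare name (a mail filter, a cron job) gets the first entry, so an upgrade is only effective once that entry reports the new version.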


Re: [Clamav-users] clamd Socket File Error

2004-07-27 Thread OpenMacNews
is clamd running as a user that has permission for the /var/run?
if not, rather than messing /var/run up, try pointing at a 'dedicated' /tmp/clamd 
instead, with permissions for that user/group ...
richard
-- On Wednesday, July 28, 2004 1:31 AM -0400  Darton Williams [EMAIL PROTECTED] 
wrote:

Running clamav-0.75 on FreeBSD 5.2.1, compiled from source. Everything runs fine, except when I try 
clamd stop/start or clamd restart. I get the error:
Wed Jul 28 00:56:48 2004 - +++ Started at Wed Jul 28 00:56:48 2004
Wed Jul 28 00:56:48 2004 - clamd daemon 0.75 (OS: freebsd5.2.1, ARCH: i386, CPU: i386)
Wed Jul 28 00:56:48 2004 - Log file size limited to 10485760 bytes.
Wed Jul 28 00:56:48 2004 - Reading databases from /usr/local/clamav/share/clamav
Wed Jul 28 00:56:49 2004 - Protecting against 22932 viruses.
Wed Jul 28 00:56:49 2004 - ERROR: Socket file /var/run/clamd is in use by another 
process.
I've seen this error mentioned a couple of places (obviously not a solution 
mentioned), and I've tried setting the following in clamav.conf:
# Remove stale socket after unclean shutdown.
FixStaleSocket
Also checked the permissions, made sure the pid is set, etc. Nothing seems to work 
short of manually deleting the socket file. Any ideas?
Best Regards,
Darton
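
Both messages in this thread turn on whether anything is still listening on the socket file before it is deleted by hand. The following is an added example, not part of the thread and not ClamAV's own code: it probes a Unix socket path and removes it only when the connection is refused, which means the file was left behind. The function names are hypothetical, and the demo socket is constructed in a temporary directory rather than /var/run/clamd.

```python
import os
import socket
import stat
import tempfile


def socket_state(path):
    """Classify `path` as 'absent', 'not-a-socket', 'live', 'stale' or 'unknown'."""
    try:
        mode = os.lstat(path).st_mode
    except FileNotFoundError:
        return "absent"
    if not stat.S_ISSOCK(mode):
        return "not-a-socket"  # never unlink a regular file or symlink here
    probe = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    probe.settimeout(2.0)
    try:
        probe.connect(path)
        return "live"          # a process is listening on it
    except ConnectionRefusedError:
        return "stale"         # file left behind, nothing listening
    except FileNotFoundError:
        return "absent"        # removed between lstat() and connect()
    except OSError:
        return "unknown"       # e.g. permission denied or timeout: do not guess
    finally:
        probe.close()


def remove_if_stale(path):
    """Unlink the socket file only when the probe proves nothing is listening."""
    state = socket_state(path)
    if state == "stale":
        os.unlink(path)
    return state


if __name__ == "__main__":
    # Constructed demo: a socket file whose owner closed it without unlinking.
    demo = os.path.join(tempfile.mkdtemp(), "clamd")
    leftover = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    leftover.bind(demo)
    leftover.close()
    print(demo, "->", remove_if_stale(demo), "; exists now:", os.path.exists(demo))
```

A result of "live" means a daemon is still accepting connections on that path, so the process to look at is the one holding the socket, not the file.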