Re: [Clamav-users] Problems upgrading from 0.70rc to 0.75.1
John Twyman wanted us to know:

> I haven't changed my clamav.conf file at all between versions. Its contents
> are:
> LocalSocket /tmp/clamd
> FixStaleSocket
> TCPAddr x.x.x.x

You can't have both a TCP and a unix file socket. Gotta comment one or the other out.

-- 
Regards... Todd
They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. --Benjamin Franklin
Linux kernel 2.6.3-15mdkenterprise 3 users, load average: 0.01, 0.03, 0.00

---
SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media
100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33
Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift.
http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users
Re: [Clamav-users] Idea for more timely virusdb updates
On Monday, August 09, 2004 11:18 PM [EST], Fajar A. Nugraha wrote:

> You know, this isn't so crazy after all. I put arbitrary data on my
> DNS server so that exim can get config data using dnsdb lookup. It's
> cheaper than mysql lookup (Plus, you eliminate single point of failure),
> and you can still update config from a central location instead of
> updating each server config.
>
> The only snag, is that TXT record is limited to a number of bytes (I
> tried putting 4096 bytes on it, it didn't work).
> Now, the question is, can the daily (or hourly) updates fit in a
> single TXT record?
> If it must span multiple records then it will be somewhat complicated
>
> Regards,
>
> Fajar

I'd not recommend putting all the data in TXT records. TXT records can be a max of 255 characters (anything more and you'll have problems with other resolvers and such).

But yeah, the version number in the TXT records would be good, set the TTL to about 30-60 mins, and have the freshclam client query and check the version. I could assist with implementing the necessary server side scripts to make the DNS management part really easy (I do something similar to this all the time, rbldnsd makes stuff like this stupidly simple and quick). Hell, I could even offer the DNSbl servers that the AHBL has to host the zones if need be.

-- 
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.sosdg.org
The Abusive Hosts Blocking List
http://www.ahbl.org
[Clamav-users] QS 1.23 upgrade - procs not dying
linux RH9 2.4.20-31.9
Qmail-Scanner 1.23
clamav 0.75.1

odd problem since upgrading to 1.23, with coincidental update to clamav 0.75

Over the past 3-4 days I've seen clamscan processes hanging around, sucking up resources, never dying, causing high load. I can kill the processes, but after some time I end up in the same boat:

qscand   21954 29.3  0.0 17576   240 ?  R  Aug08 419:37 /usr/local/bin/clamscan -r -m --unzip --unrar --unzoo --lha --disable-summary --max-recursion=10 --max-space=10 /var/spool/qmailscan/tmp/twobar.example.com109201865648221824
qscand   29758 20.5  1.4 17576  7188 ?  R  01:18 259:40 /usr/local/bin/clamscan -r -m --unzip --unrar --unzoo --lha --disable-summary --max-recursion=10 --max-space=10 /var/spool/qmailscan/tmp/twobar.example.com109202866348229710
qscand     940 18.6  3.1 17576 16012 ?  R  02:41 219:42 /usr/local/bin/clamscan -r -m --unzip --unrar --unzoo --lha --disable-summary --max-recursion=10 --max-space=10 /var/spool/qmailscan/tmp/twobar.example.com1092033643482923
qscand    7719 16.4  2.1 17576 11140 ?  R  05:27 166:18 /usr/local/bin/clamscan -r -m --unzip --unrar --unzoo --lha --disable-summary --max-recursion=10 --max-space=10 /var/spool/qmailscan/tmp/twobar.example.com10920436464827686
qscand   10256 15.9  3.1 17576 16360 ?  R  06:34 150:23 /usr/local/bin/clamscan -r -m --unzip --unrar --unzoo --lha --disable-summary --max-recursion=10 --max-space=10 /var/spool/qmailscan/tmp/twobar.example.com109204762448210210
qscand   17328 15.2  3.1 17576 16364 ?  R  09:21 118:35 /usr/local/bin/clamscan -r -m --unzip --unrar --unzoo --lha --disable-summary --max-recursion=10 --max-space=10 /var/spool/qmailscan/tmp/twobar.example.com109205766648217284
qscand   15221 12.9  3.2 17576 16608 ?  R  21:34   5:44 /usr/local/bin/clamscan -r -m --unzip --unrar --unzoo --lha --disable-summary --max-recursion=10 --max-space=10 /var/spool/qmailscan/tmp/twobar.example.com109210165848215092

I notice clamscan options within QS have changed from:

my $clamscan_options="-r --disable-summary --max-recursion=10 --max-space=10";

to:

my $clamscan_options="-r -m --unzip --unrar --unzoo --lha --disable-summary --max-recursion=10 --max-space=10";

but I can run any of the above options from cmd line on the orig. email msg w/o problem.

Anyone seeing similar problems with their QS setup?

--QS LOGS--

Mon, 09 Aug 2004 21:34:18 EDT:15092: +++ starting debugging for process 15092 by uid=2003
Mon, 09 Aug 2004 21:34:18 EDT:15092: setting UID to EUID so subprocesses can access files generated by this script
Mon, 09 Aug 2004 21:34:18 EDT:15092: program name is qmail-scanner-queue.pl, version 1.23
Mon, 09 Aug 2004 21:34:18 EDT:15092: incoming SMTP connection from via SMTP from 205.210.42.52
Mon, 09 Aug 2004 21:34:18 EDT:15092: w_c: mkdir /var/spool/qmailscan/tmp/twobar.example.com109210165848215092
Mon, 09 Aug 2004 21:34:18 EDT:15092: w_c: start dumping incoming msg into /var/spool/qmailscan/working/tmp/twobar.example.com109210165848215092 [0.001631]
Mon, 09 Aug 2004 21:34:18 EDT:15092: c_a_g: found MIME attachment
Mon, 09 Aug 2004 21:34:18 EDT:15092: w_c: primary Content-Type of multipart/mixed found
Mon, 09 Aug 2004 21:34:18 EDT:15092: w_c: found a top-level boundary definition of \-\-\-\-\=_NextPart_000_00E8_01C47C19\.81734BA0
Mon, 09 Aug 2004 21:34:18 EDT:15092: w_c: attachment 1: Content-Type of multipart/related found
Mon, 09 Aug 2004 21:34:18 EDT:15092: w_c: attachment 2: Content-Type of multipart/alternative found
Mon, 09 Aug 2004 21:34:18 EDT:15092: w_c: attachment 3: Content-Type of text/plain found
Mon, 09 Aug 2004 21:34:18 EDT:15092: w_c: attachment 4: Content-Type of text/html found
Mon, 09 Aug 2004 21:34:19 EDT:15092: found C-T attachment filename image001.jpg
Mon, 09 Aug 2004 21:34:19 EDT:15092: w_c: attachment 6: Content-Type of image/jpeg found
Mon, 09 Aug 2004 21:34:19 EDT:15092: found C-T attachment filename image002.jpg
Mon, 09 Aug 2004 21:34:19 EDT:15092: w_c: attachment 7: Content-Type of image/jpeg found
Mon, 09 Aug 2004 21:34:20 EDT:15092: found C-T attachment filename image003.jpg
Mon, 09 Aug 2004 21:34:20 EDT:15092: w_c: attachment 8: Content-Type of image/jpeg found
Mon, 09 Aug 2004 21:34:23 EDT:15092: found C-T attachment filename image004.jpg
Mon, 09 Aug 2004 21:34:23 EDT:15092: w_c: attachment 9: Content-Type of image/jpeg found
Mon, 09 Aug 2004 21:34:24 EDT:15092: found C-T attachment filename image005.jpg
Mon, 09 Aug 2004 21:34:24 EDT:15092: w_c: attachment 10: Content-Type of image/jpeg found
Mon, 09 Aug 2004 21:34:25 EDT:15092: found C-T attachment filename image006.jpg
Mon, 09 Aug 2004 21:34:25 EDT:15092: w_c: attachment 11: Content-Type of image/jpeg found
Mon, 09 Aug 2004 21:34:27 EDT:15092: found C-T attachment filename image007.jpg
Mon, 09 Aug 2004 21:34:27 EDT:15092: w_c: attachment 12: Content-Type of image/jpeg found
Mon,
Re: [Clamav-users] Idea for more timely virusdb updates
Damian Menscher wrote:

> On Mon, 9 Aug 2004, Christopher X. Candreva wrote:
>
>> Suppose there was a DNS entry, say virusdb.clamav.net (or
>> version.virusdb.clamav.net, etc), that returned simply a text record with
>> the current DB version in it.
>
> After seeing a Defcon talk on putting arbitrary data in DNS, though, I
> wonder if we could put the daily updates (gpg signed) into DNS? That
> would take a lot of load off the mirrors (occasional checks for main.cvd
> updates are all that is required). And caching DNS servers would
> distribute the load a bit.

You know, this isn't so crazy after all. I put arbitrary data on my DNS server so that exim can get config data using dnsdb lookup. It's cheaper than mysql lookup (Plus, you eliminate single point of failure), and you can still update config from a central location instead of updating each server config.

The only snag, is that TXT record is limited to a number of bytes (I tried putting 4096 bytes on it, it didn't work).
Now, the question is, can the daily (or hourly) updates fit in a single TXT record?
If it must span multiple records then it will be somewhat complicated

Regards,

Fajar

-- 
http://justreadthis.com/
[Clamav-users] Problems upgrading from 0.70rc to 0.75.1
Hi folks,

I've run into some problems upgrading ClamAV from 0.70rc to the latest version (0.75.1) and was hoping someone on the list might be able to shed some light on the matter. Specifically my problem is with clamav-milter and its inability to talk to the clamd daemon after I upgrade (clamdscan runs just fine).

My upgrade procedure:

1. Kill existing processes (clamd, freshclam, clamav-milter)
2. Kill sendmail
3. Make sure /tmp/clamd and /var/run/clamav/clmilter.sock sockets are non-existent
4. Run make uninstall from the 0.70rc source directory
5. configure --enable-milter;make;make check;make install in the 0.75.1 source directory
6. Start in order:
   clamd
   freshclam -d -c 12 --daemon-notify=/usr/local/etc/clamav.conf
   clamav-milter -dnoP local:/var/run/clamav/clmilter.sock
   sendmail

I haven't changed my clamav.conf file at all between versions. Its contents are:

LogFile /var/log/clamd.log
LogSyslog
PidFile /var/run/clamav/clamd.pid
TemporaryDirectory /var/tmp
LocalSocket /tmp/clamd
FixStaleSocket
TCPAddr x.x.x.x
StreamSaveToDisk
StreamMaxLength 5M
MaxThreads 15
MaxDirectoryRecursion 5
FollowDirectorySymlinks
FollowFileSymlinks
User clamav
ScanMail
ScanArchive
ArchiveMaxFileSize 2M
ArchiveMaxRecursion 3
ArchiveMaxFiles 300
ArchiveMaxCompressionRatio 200

The relevant sendmail config is unchanged (8.12.8):

INPUT_MAIL_FILTER(`clamav', `S=local:/var/run/clamav/clmilter.sock, F=, T=S:4m;R:4m')dnl
define(`confINPUT_MAIL_FILTERS',`clamav')

I'm getting the following errors appear in my mail log:

clamav-milter[8872]: clamd / ClamAV version 0.75.1, clamav-milter version 0.75c
clamav-milter[8880]: Failed to connect to port 34447 given by clamd: PORT 34447
clamav-milter[8880]: No data received from clamd in 120 seconds
clamav-milter[8946]: Failed to connect to port 31045 given by clamd: PORT 31045
clamav-milter[8952]: Failed to connect to port 39433 given by clamd: PORT 39433
clamav-milter[8956]: Failed to connect to port 59518 given by clamd: PORT 59518
clamav-milter[8963]: Failed to connect to port 13792 given by clamd: PORT 13792
clamav-milter[8946]: No data received from clamd in 120 seconds

The machine itself is running Red Hat 8.

I'm stumped...any ideas?

Cheers,
John

john twyman
school of geosciences
university of sydney
w: +61 2 9351 3189
m: +61 401 992 836
e: [EMAIL PROTECTED]
Re: [Clamav-users] Additional logging info.
Stephen Gran wrote:

> As for your actual question, I don't think the milter has access to that
> - it gets the email as a data stream from sendmail, and is relatively
> isolated from the actual connection, AFAIK.

If you feel like patching the milter
http://www.milter.org/milter_api/xxfi_connect.html

Or you could find and retrieve the appropriate macro from sendmail with
http://www.milter.org/milter_api/smfi_getsymval.html

In general this is a good resource for milters
http://www.milter.org/milter_api/
Re: [Clamav-users] Additional logging info.
On Mon, Aug 09, 2004 at 04:10:22PM -0400, Brett Simpson said:

> Is there a way I can configure the following log entry for Clamav-milter to also
> output the origin address? The reason I'm asking is because I'm using a script to go
> through the log file and count all of the big virus senders but it takes forever to
> run since I'm having to loop through my maillog file to find the message id
> "i79K3CfR009900" with the ip address.
>
> So I see this
> Aug 9 16:03:14 ns2b clamav-milter[9851]: i79K3CfR009900: stream:
> Trojan.JS.RunMe
> Intercepted virus from <[EMAIL PROTECTED]> to <[EMAIL PROTECTED]>
>
> But would like to see something similar to this...(if possible)
> Aug 9 16:03:14 ns2b clamav-milter[9851]: i79K3CfR009900: stream:
> Trojan.JS.RunMe
> Intercepted virus from <[EMAIL PROTECTED]> at 4.4.103.77 to <[EMAIL PROTECTED]>

Don't loop - make a more complicated data structure, like a multi level hash (ugly pseudo-code to follow):

    # hash of hashes keyed by the sendmail queue id; inner hashes are
    # filled in as the matching maillog lines are read
    my %hash = (
        i79K3CfR009900 => {
            virus => 'Trojan.JS.RunMe',
            to    => '[EMAIL PROTECTED]',
            from  => '[EMAIL PROTECTED]',
            ip    => '4.4.103.77',
        },
        nextmessageid => { ... },
    );

Just read the file once, fill in the bits as you go, and process the whole thing at the end.

As for your actual question, I don't think the milter has access to that - it gets the email as a data stream from sendmail, and is relatively isolated from the actual connection, AFAIK.

-- 
 | Stephen Gran                  | RMS for President???             |
 | [EMAIL PROTECTED]             | ...or ESR, he wants a new job ;) |
 | http://www.lobefin.net/~steve |                                  |
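The single-pass correlation Stephen describes, written out as an added example (this is not code from the thread or from ClamAV). It keys a dictionary by the sendmail queue id, merges the sendmail `from=` line (whose `relay=` field carries the peer address) with the clamav-milter hit line, and only then counts hits per sending IP. The maillog lines below are constructed for the example; the queue id i79K3CfR009900 and the address 4.4.103.77 are the ones Brett quotes, the other queue ids, hosts and addresses are made up, and the regexes assume the stock sendmail `from=`/`relay=` layout.

```python
"""One-pass maillog correlation: clamav-milter hits joined to the sending IP."""
import re
from collections import Counter

# sendmail envelope-from line; the relay= field ends in "[ip]" (hostname optional)
SENDMAIL_FROM = re.compile(
    r'sendmail\[\d+\]: (?P<qid>\w+): from=<?(?P<env_from>[^>,]*)>?,.*?'
    r'relay=(?:\S+ )?\[(?P<ip>[0-9a-fA-F.:]+)\]'
)
# clamav-milter detection line; the lazy \S+? lets the signature name run
# straight into "Intercepted" as it does in the quoted log line
MILTER_HIT = re.compile(
    r'clamav-milter\[\d+\]: (?P<qid>\w+): stream: (?P<virus>\S+?)\s*'
    r'Intercepted virus from <(?P<from>[^>]*)> to <(?P<to>[^>]*)>'
)

# Constructed sample maillog (not real traffic): two hits from 4.4.103.77,
# one clean message from 10.0.0.5, and one hit with no matching sendmail line.
SAMPLE_MAILLOG = [
    "Aug  9 16:03:12 ns2b sendmail[9849]: i79K3CfR009900: from=<bob@example.net>, "
    "size=4321, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=[4.4.103.77]",
    "Aug  9 16:03:14 ns2b clamav-milter[9851]: i79K3CfR009900: stream: "
    "Trojan.JS.RunMeIntercepted virus from <bob@example.net> to <alice@example.org>",
    "Aug  9 16:05:01 ns2b sendmail[9870]: i79K51xx009920: from=<carol@example.net>, "
    "size=2000, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mail.example.net [4.4.103.77]",
    "Aug  9 16:05:02 ns2b clamav-milter[9851]: i79K51xx009920: stream: "
    "Worm.Bagle.AI Intercepted virus from <carol@example.net> to <alice@example.org>",
    "Aug  9 16:06:00 ns2b sendmail[9880]: i79K6ABC009930: from=<dave@example.com>, "
    "size=500, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=[10.0.0.5]",
    "Aug  9 16:07:00 ns2b clamav-milter[9851]: i79K7DEF009940: stream: "
    "Worm.Bagle.AI Intercepted virus from <eve@example.com> to <alice@example.org>",
]


def parse_maillog(lines):
    """Read the log once and build {queue_id: {ip, env_from, virus, from, to}}.

    Order does not matter: whichever of the two lines arrives first creates
    the record and the other fills in the remaining fields.
    """
    records = {}
    for line in lines:
        m = SENDMAIL_FROM.search(line)
        if m:
            rec = records.setdefault(m.group('qid'), {})
            rec['ip'] = m.group('ip')
            rec['env_from'] = m.group('env_from')
            continue
        m = MILTER_HIT.search(line)
        if m:
            rec = records.setdefault(m.group('qid'), {})
            rec['virus'] = m.group('virus')
            rec['from'] = m.group('from')
            rec['to'] = m.group('to')
    return records


def count_virus_senders(records):
    """Intercepted messages per sending IP; 'unknown' when no sendmail line was seen."""
    counts = Counter()
    for rec in records.values():
        if 'virus' in rec:
            counts[rec.get('ip', 'unknown')] += 1
    return counts


def top_senders(records, n=10):
    """The n busiest virus-sending IPs, most frequent first."""
    return count_virus_senders(records).most_common(n)


if __name__ == "__main__":
    for ip, hits in top_senders(parse_maillog(SAMPLE_MAILLOG)):
        print(f"{hits:6d}  {ip}")
```

Point this at a real maillog by replacing SAMPLE_MAILLOG with the file's lines; the whole file is read exactly once regardless of how many hits it contains. The 'unknown' bucket is worth keeping: a milter line without a matching `from=` line usually means the two records landed in different log files after rotation.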
Re: [Clamav-users] Trojan.JS.RunMe?
On Mon, Aug 09, 2004 at 04:44:23PM -0500, Steven Stern wrote:

> As usual, ClamAV's name came out too soon
> The standard naming seems to

Yes - well done. ClamAV had updates for this virus hours before they started hitting our site. I also want to point out that the two commercial AV systems we also use both didn't get updates out for at least 2-3 hours after ClamAV.

Amazing what a bunch of "volunteers" can do vs a large multi-billion dollar industry :-)

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: [Clamav-users] Trojan.JS.RunMe?
On Mon, 9 Aug 2004 23:34:04 +0100, Matt <[EMAIL PROTECTED]> wrote:

>> As usual, ClamAV's name came out too soon

ironic
adj 1: humorously sarcastic or mocking; "dry humor"; "an ironic remark often conveys an intended meaning obliquely"; "an ironic novel"; "an ironical smile"; "with a wry Scottish wit" [syn: dry, ironical, wry]
2: characterized by often poignant difference or incongruity between what is expected and what actually is; "madness, an ironic fate for such a clear thinker"; "it was ironical that the well-planned scheme failed so completely" [syn: ironical]

-- 
Steve
RE: [Clamav-users] Re: [Clamav-virusdb] Update (daily: 445)
> I have 445 (have had it for 5 hours or so) and it still calls it
> Trojan.JS.RunMe. Am I missing something? I can see in my clamd.log where
> it picked up the changes and reloaded the database, and sigtool -l lists
> both Trojan.JS.RunMe and Worm.Bagle.AI-2 in it.

I'm going to take a guess here... The RunMe is the HTML part... The Worm... is the executable payload... iirc, clam stops scanning when it sees the first match. HTML would be seen before payload, so that could be what you are seeing.

m/
RE: [Clamav-users] Trojan.JS.RunMe?
Ditto. I didn't get one from the "Big Guys" until after 5:00 Eastern, a bit late for my windows users.

-----Original Message-----
From: Scott Call [mailto:[EMAIL PROTECTED]
Sent: Monday, August 09, 2004 7:20 PM
To: [EMAIL PROTECTED]
Subject: Re: [Clamav-users] Trojan.JS.RunMe?

On Mon, 9 Aug 2004, Steven Stern wrote:

>> As usual, ClamAV's name came out too soon
>> The standard naming seems to be

Not to beat a dead horse, but I'd rather have an ill-named signature 3-5 hours before the "big guys" name it, than wait for the name to put in the signature :)
Re: [Clamav-users] Trojan.JS.RunMe?
Scott Call wrote:

> On Mon, 9 Aug 2004, Steven Stern wrote:
>
>> As usual, ClamAV's name came out too soon
>> The standard naming seems to be
>
> Not to beat a dead horse, but I'd rather have an ill-named signature 3-5
> hours before the "big guys" name it, than wait for the name to put in the
> signature :)

I whole heartedly agree!!
Re: [Clamav-users] Re: [Clamav-virusdb] Update (daily: 445)
On Mon, 9 Aug 2004, Todd Lyons wrote:

> ClamAV database updated (2004.08.09 18:34 GMT): daily.cvd, viruses.db2
> Version: 445
> Namechange: Trojan.Runme -> Worm.Bagle.AI-2

I have 445 (have had it for 5 hours or so) and it still calls it Trojan.JS.RunMe. Am I missing something? I can see in my clamd.log where it picked up the changes and reloaded the database, and sigtool -l lists both Trojan.JS.RunMe and Worm.Bagle.AI-2 in it.

Thanks
-S
RE: [Clamav-users] Idea for more timely virusdb updates
What about a deeper mirroring system? Perhaps one that supports notification?

One of the things I like about BIND (not enough to use it, but still an admired concept ;-) is the way zones can be distributed... notification speeds things up if it works, polling creates a failsafe in which a missing notify doesn't cause the world to end...

Hourly polls are a good thing - but if the system worked both ways, the mirror could signal the end clients that it's time to download... those notifies could be sent only to clients that had registered to receive it (an option in freshclam) and would not push the data, but trigger a freshclam pull.

It could provide faster update response and smooth out the spikes in download traffic, and could be used to maintain a larger set of mirrors... without increasing polling frequency... a new "freshclam server" could allow all larger users to easily run their own mirrors for internal distribution...

Just a few ideas...

m/
Re: [Clamav-users] Trojan.JS.RunMe?
On Mon, 9 Aug 2004, Steven Stern wrote:

> As usual, ClamAV's name came out too soon
> The standard naming seems to be

Not to beat a dead horse, but I'd rather have an ill-named signature 3-5 hours before the "big guys" name it, than wait for the name to put in the signature :)
Re: [Clamav-users] Trojan.JS.RunMe?
> As usual, ClamAV's name came out too soon
> The standard naming seems to be

Call me finicky if you will, but seeing as none of the various vendors use the same name, how can Clam's definition be classed as misnaming?

The following, by the way, is Vexira's name for the same thing: TR/RunMe.Dldr.1

Matt
Re: [Clamav-users] Trojan.JS.RunMe?
On Mon, 09 Aug 2004 16:44:23 -0500
Steven Stern <[EMAIL PROTECTED]> wrote:

> On Mon, 9 Aug 2004 11:03:27 -0700 (PDT), Scott Call
> <[EMAIL PROTECTED]> wrote:
>
>> I'm seeing a huge quantity of "Trojan.JS.RunMe" both with 0.75.1 and
>> the latest snapshot. I can't seem to find any information on this
>> signature (nothing in the virusdb list and nothing on google).
>
> As usual, ClamAV's name came out too soon
> The standard naming seems to be
>
> [EMAIL PROTECTED] [Symantec]
> W32/[EMAIL PROTECTED] [McAfee],
> WORM_BAGLE.AC [Trend],
> Win32.Bagle.AG [Computer Associates]

We call it Worm.Bagle.AI, only the HTML part is called Trojan.JS.RunMe.

-- 
   oo    .....         Tomasz Kojm <[EMAIL PROTECTED]>
  (\/)\.........       http://www.ClamAV.net/gpg/tkojm.gpg
     \..........._     0DCA5A08407D5288279DB43454822DC8985A444B
       //\   /\        Tue Aug 10 00:34:08 CEST 2004
Re: [Clamav-users] Trojan.JS.RunMe?
----- Original Message -----
From: "Steven Stern" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, August 09, 2004 4:44 PM
Subject: Re: [Clamav-users] Trojan.JS.RunMe?

> As usual, ClamAV's name came out too soon
> The standard naming seems to be

Came out too soon? Maybe next time we can all wait to catch viruses until Symantec and the others notice the virus. At least clam has been catching it. For all I care the name could be anything. :)
Re: [Clamav-users] Memory Leaks om 0.75.1 & 20040805
Damian Menscher wrote:

> On Mon, 9 Aug 2004, Christopher X. Candreva wrote:
>
>> On Mon, 9 Aug 2004, Christopher X. Candreva wrote:
>>
>>> 0.75.1 Running since Aug 3 is currently using 272 M of RAM, and
>>> 20040805 running since Aug 5 is using 104M. I'm killing and
>>> restarting now to free up some memory.
>>
>> After 3 hours, 0.75.1 is using 45M. 20040805 appears to have just
>> restarted itself within the last hour.
>
> Just a thought, but this probably scales as the number of messages
> processed, rather than the amount of time. Those reporting memory leaks
> might want to give us some idea of their mailserver load.
>
> For bonus points, generate a plot of memory usage vs time. It'd be
> interesting to see if it grows slowly, or if there are occasional large
> jumps (triggered by evil messages, for example).
>
> Damian Menscher

I'm seeing about 60k messages/day with three sendmail servers feeding a single instance of ClamAV. The milter is J-Chkmail running on the same server as ClamAV. I'll look at monitoring growth over time although it takes very little time.

dp
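The measurement Damian asks for, as an added example (not code from the thread or from ClamAV): sample a daemon's resident set size, then decide whether the growth is a steady slope or a series of large steps. `read_rss_kb` reads the VmRSS line of /proc/<pid>/status, which exists on Linux; the analysis functions take `(x, rss_kb)` pairs where `x` can be a timestamp or, following Damian's point that the leak probably scales with messages processed, a running message count. The SAMPLE_STEADY and SAMPLE_JUMPY series are constructed, not measurements from anyone's clamd.

```python
"""Sample clamd RSS and classify its growth as steady or step-wise."""
import sys
import time


def read_rss_kb(pid):
    """Resident set size in kB from /proc/<pid>/status (Linux only)."""
    with open(f"/proc/{pid}/status") as fh:
        for line in fh:
            if line.startswith("VmRSS:"):
                return int(line.split()[1])
    raise RuntimeError(f"no VmRSS line for pid {pid}")


def sample_rss(pid, interval_s, count):
    """Collect (timestamp, rss_kb) pairs at a fixed interval."""
    samples = []
    for _ in range(count):
        samples.append((time.time(), read_rss_kb(pid)))
        time.sleep(interval_s)
    return samples


def growth_rate(samples, per=3600.0):
    """Least-squares slope of rss_kb against x, scaled to kB per `per` units of x.

    per=3600 gives kB/hour when x is a timestamp; per=1000 gives kB per
    thousand messages when x is a message counter.
    """
    n = len(samples)
    if n < 2:
        return 0.0
    mx = sum(x for x, _ in samples) / n
    my = sum(y for _, y in samples) / n
    sxx = sum((x - mx) ** 2 for x, _ in samples)
    if sxx == 0:
        return 0.0
    sxy = sum((x - mx) * (y - my) for x, y in samples)
    return sxy / sxx * per


def find_jumps(samples, min_jump_kb):
    """Sample-to-sample increases of at least min_jump_kb: the 'evil message' pattern."""
    return [(x1, r1 - r0) for (x0, r0), (x1, r1) in zip(samples, samples[1:])
            if r1 - r0 >= min_jump_kb]


def classify(samples, min_jump_kb):
    """'jumps' if step increases account for at least half the total growth,
    'steady' if growth is spread across the samples, 'flat' if no growth."""
    if len(samples) < 2:
        return "flat"
    total = samples[-1][1] - samples[0][1]
    if total <= 0:
        return "flat"
    jumped = sum(delta for _, delta in find_jumps(samples, min_jump_kb))
    return "jumps" if jumped >= total / 2 else "steady"


# Constructed series: one sample every 10 minutes for two hours.
SAMPLE_STEADY = [(600 * i, 45_000 + 600 * i) for i in range(13)]         # +1 kB/s, no steps
SAMPLE_JUMPY = [(600 * i, 45_000 + 50 * i + (30_000 if i >= 7 else 0))   # one 30 MB step
                for i in range(13)]


if __name__ == "__main__":
    # usage: python this_script.py <clamd pid>  (samples every 60 s, ten times)
    live = sample_rss(int(sys.argv[1]), 60, 10)
    print("kB/hour:", round(growth_rate(live)), "jumps:", find_jumps(live, 5_000),
          "pattern:", classify(live, 5_000))
```

The threshold passed to `find_jumps` should sit well above the daemon's normal per-scan churn; 5 MB is a plausible starting point for a process idling around 45 MB, as in the figures quoted above. If the pattern comes out as 'jumps', the timestamps returned are what to line up against the maillog to find the messages that triggered them.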
Re: [Clamav-users] Trojan.JS.RunMe?
On Mon, 09 Aug 2004 16:44:23 -0500 in [EMAIL PROTECTED] Steven Stern <[EMAIL PROTECTED]> wrote:

> As usual, ClamAV's name came out too soon

You mean that the other AV vendors are too slow, surely?

-- 
Brian Morrison
bdm at fenrir dot org dot uk
GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html
Re: [Clamav-users] Trojan.JS.RunMe?
On Aug 9, 2004, at 14:44, Steven Stern wrote:

> On Mon, 9 Aug 2004 11:03:27 -0700 (PDT), Scott Call <[EMAIL PROTECTED]> wrote:
>
>> I'm seeing a huge quantity of "Trojan.JS.RunMe" both with 0.75.1 and the
>> latest snapshot. I can't seem to find any information on this signature
>> (nothing in the virusdb list and nothing on google).
>
> As usual, ClamAV's name came out too soon
> The standard naming seems to be
>
> [EMAIL PROTECTED] [Symantec]
> W32/[EMAIL PROTECTED] [McAfee],
> WORM_BAGLE.AC [Trend],
> Win32.Bagle.AG [Computer Associates]

If that's a standard then by definition there are no standards, so why worry?
[Clamav-users] Re: [Clamav-virusdb] Update (daily: 445)
Christoph Cordes wanted us to know:

> ClamAV database updated (2004.08.09 18:34 GMT): daily.cvd, viruses.db2
> Version: 445
>
> Submission: 5037-web, 5038-web, 5039-web, 5040-web, 5042-web,
> 5049-web, 5050-web, 5051-web, 5052-web, 5053-web, 5054-web, 5055-web,
> 5056-web, 5057-web, 5058-web, 5059-web, 5060-web, 5061-web, 5062-web,
> 5063-web, 5064-web, 5065-web, 5066-web, 5067-web, 5068-web, 5069-web,
> 5070-web
> Virus: Unknown Virus
> Added: Worm.Bagle.AI
> Namechange: Trojan.Runme -> Worm.Bagle.AI-2

Wow, this is something new that I like very very much. You guys on the development end kick butt! Thanks!

-- 
Regards... Todd
We should not be building surveillance technology into standards. Law enforcement was not supposed to be easy. Where it is easy, it's called a police state. -- Jeff Schiller on NANOG
Linux kernel 2.6.3-15mdkenterprise 2 users, load average: 0.06, 0.05, 0.04
Re: [Clamav-users] Idea for more timely virusdb updates
On Mon, Aug 09, 2004 at 05:33:05PM -0400, Chris Meadors wrote:

>> Suppose there was a DNS entry, say virusdb.clamav.net (or
>> version.virusdb.clamav.net, etc), that returned simply a text record with
>> the current DB version in it. Then, it would be possible to check the
>> version with a relatively cheap single UDP packet, rather than a full http
>> check, and people could check for DB updates more often than once an hour
>> without taxing the distribution system.
>
> Then all users would swarm to download the new sig, as soon as that
> serial number incremented, flooding the download server with update
> requests.

Only tracker.clamav.net (can be loadbalanced) should be able to handle a fair number of connections, but daily.cvd.torrent is small enough you could put it in a DNS TXT record :)

(OK, DNS is far from secure, so reliability will be at stake in that case... you might need to cryptographically sign the file).

(1/2 :-)

-- 
#!perl -wpl # mmfppfmpmmpp mmpffm <[EMAIL PROTECTED]>
$p=3-2*/[^\W\dmpf_]/i;s.[a-z]{$p}.vec($f=join('',$p-1?chr(sub{$_[0]*9+$_[1]*3+
$_[2]}->(map{/p|f/i+/f/i}split//,$&)+97):qw(m p f)[map{((ord$&)%32-1)/$_%3}(9,
3,1)]),5,1)='`'lt$&;$f.eig;# Jan-Pieter Cornet
Re: [Clamav-users] Additional logging info.
Brett Simpson wanted us to know:

> Is there a way I can configure the following log entry for Clamav-milter to also
> output the origin address? The reason I'm asking is because I'm using a script to go
> through the log file and count all of the big virus senders but it takes forever to
> run since I'm having to loop through my maillog file to find the message id
> "i79K3CfR009900" with the ip address.
>
> So I see this
> Aug 9 16:03:14 ns2b clamav-milter[9851]: i79K3CfR009900: stream:
> Trojan.JS.RunMe
> Intercepted virus from <[EMAIL PROTECTED]> to <[EMAIL PROTECTED]>
>
> But would like to see something similar to this...(if possible)
> Aug 9 16:03:14 ns2b clamav-milter[9851]: i79K3CfR009900: stream:
> Trojan.JS.RunMe
> Intercepted virus from <[EMAIL PROTECTED]> at 4.4.103.77 to <[EMAIL PROTECTED]>

Does the milter even have access to the IP address? I didn't think that it did.

-- 
Regards... Todd
We should not be building surveillance technology into standards. Law enforcement was not supposed to be easy. Where it is easy, it's called a police state. -- Jeff Schiller on NANOG
Linux kernel 2.6.3-15mdkenterprise 2 users, load average: 0.00, 0.04, 0.05
Re: [Clamav-users] Trojan.JS.RunMe?
On Mon, 9 Aug 2004 11:03:27 -0700 (PDT), Scott Call <[EMAIL PROTECTED]> wrote:
>I'm seeing a huge quantity of "Trojan.JS.RunMe" both with 0.75.1 and the
>latest snapshot. I can't seem to find any information on this signature
>(nothing in the virusdb list and nothing on google).
>

As usual, ClamAV's name came out too soon.

The standard naming seems to be [EMAIL PROTECTED] [Symantec], W32/[EMAIL PROTECTED] [McAfee], WORM_BAGLE.AC [Trend], Win32.Bagle.AG [Computer Associates].

Identifications are now appearing on vendor sites:
http://www.sarc.com/avcenter/venc/data/[EMAIL PROTECTED]

-- 
Steve
Re: [Clamav-users] Idea for more timely virusdb updates
On Mon, 2004-08-09 at 16:55 -0400, Christopher X. Candreva wrote:
> This thread on Trojan.JS.RunMe had me thinking: Hourly virus updates is
> better than any of the commercial virus scanners, but obviously still has
> issues, especially since a bunch of us obviously submitted updates that had
> already been entered. I gather from these posts that the virusdb's actually
> have some form of version number.
>
> Suppose there was a DNS entry, say virusdb.clamav.net (or
> version.virusdb.clamav.net, etc), that returned simply a text record with
> the current DB version in it. Then, it would be possible to check the
> version with a relatively cheap single UDP packet, rather than a full http
> check, and people could check for DB updates more often than once an hour
> without taxing the distribution system.
>
> If nothing else, if this TXT record existed we could hack together some
> shell script to check it and run freshclam as needed.

Then all users would swarm to download the new sig, as soon as that
serial number incremented, flooding the download server with update
requests.
Re: [Clamav-users] Idea for more timely virusdb updates
On Mon, 9 Aug 2004, Christopher X. Candreva wrote:
> This thread on Trojan.JS.RunMe had me thinking: Hourly virus updates is
> better than any of the commercial virus scanners, but obviously still has
> issues, especially since a bunch of us obviously submitted updates that had
> already been entered. I gather from these posts that the virusdb's actually
> have some form of version number.
>
> Suppose there was a DNS entry, say virusdb.clamav.net (or
> version.virusdb.clamav.net, etc), that returned simply a text record with
> the current DB version in it. Then, it would be possible to check the
> version with a relatively cheap single UDP packet, rather than a full http
> check, and people could check for DB updates more often than once an hour
> without taxing the distribution system.

That's a very interesting idea, but I can imagine a few problems:
- we'd have to have a very short time-to-live or it would get stale
- the dns might know about the update before the mirrors all get it
- if everyone finds out about an update within 5 minutes of each other, the
  mirrors might not handle the load

After seeing a Defcon talk on putting arbitrary data in DNS, though, I wonder if we could put the daily updates (gpg signed) into DNS? That would take a lot of load off the mirrors (occasional checks for main.cvd updates are all that is required). And caching DNS servers would distribute the load a bit.

Anyway, just another crazy idea for the developers to consider.

Damian Menscher
-- 
-=#| Physics Grad Student & SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
-=#| <[EMAIL PROTECTED]> www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
-=#| The above opinions are not necessarily those of my employers. |#=-
[Clamav-users] Idea for more timely virusdb updates
This thread on Trojan.JS.RunMe had me thinking: Hourly virus updates is better than any of the commercial virus scanners, but obviously still has issues, especially since a bunch of us obviously submitted updates that had already been entered. I gather from these posts that the virusdb's actually have some form of version number.

Suppose there was a DNS entry, say virusdb.clamav.net (or version.virusdb.clamav.net, etc), that returned simply a text record with the current DB version in it. Then, it would be possible to check the version with a relatively cheap single UDP packet, rather than a full http check, and people could check for DB updates more often than once an hour without taxing the distribution system.

If nothing else, if this TXT record existed we could hack together some shell script to check it and run freshclam as needed.

Just a thought.

==
Chris Candreva -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/
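The shell script sketched in this proposal, as an added example that is not part of the thread: it polls a TXT record for the current daily.cvd version, compares it with the local database and runs freshclam only when needed. The record name is the hypothetical one from the post, the database path is an assumption, and the random delay before downloading is there because of the reply about every client swarming the mirrors the moment the serial changes.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: the TXT record name
# (hypothetical, from the post), the daily.cvd location, and that dig and
# freshclam are installed.
DB_RECORD="version.virusdb.clamav.net"   # hypothetical name from the thread
DAILY_CVD="/var/lib/clamav/daily.cvd"    # assumed database location
MAX_JITTER=300                           # seconds to spread client downloads

# Reduce a raw TXT answer such as '"445"' to a version number. The whole
# answer must be an integer; anything else is rejected so that DNS content
# can only ever reach a command line as a number.
parse_txt_version() {
    v=$(printf '%s' "$1" | tr -d '" \t\n')
    case "$v" in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$v"
}

# Version of the installed daily.cvd, read from the 512-byte text header
# every .cvd starts with (colon-separated; field 3 is the version).
local_daily_version() {
    dd if="$DAILY_CVD" bs=512 count=1 2>/dev/null | cut -d: -f3
}

# True when the remote version is strictly greater than the local one.
version_newer() {
    [ "$1" -gt "$2" ] 2>/dev/null
}

# 0: update needed, 1: already current, 2: could not compare.
needs_update() {
    remote=$(parse_txt_version "$1") || return 2
    case "$2" in ''|*[!0-9]*) return 2 ;; esac
    if version_newer "$remote" "$2"; then return 0; fi
    return 1
}

check_and_update() {
    answer=$(dig +short TXT "$DB_RECORD" 2>/dev/null)
    local_ver=$(local_daily_version)
    rc=0
    needs_update "$answer" "$local_ver" || rc=$?
    case $rc in
        0) # wait 0..MAX_JITTER seconds so clients do not all hit the mirrors at once
           sleep "$(awk -v m="$MAX_JITTER" 'BEGIN { srand(); print int(rand() * m) }')"
           freshclam --quiet ;;
        1) : ;;   # already current, nothing to do
        *) echo "cannot compare versions (remote='$answer', local='$local_ver')" >&2
           return 1 ;;
    esac
}
```

Run check_and_update from cron every few minutes; the TXT lookup is the only thing that happens on most runs.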
[Clamav-users] Additional logging info.
Is there a way I can configure the following log entry for Clamav-milter to also output the origin address? The reason I'm asking is because I'm using a script to go through the log file and count all of the big virus senders but it takes forever to run since I'm having to loop through my maillog file to find the message id "i79K3CfR009900" with the ip address.

So I see this
Aug 9 16:03:14 ns2b clamav-milter[9851]: i79K3CfR009900: stream: Trojan.JS.RunMe
Intercepted virus from <[EMAIL PROTECTED]> to <[EMAIL PROTECTED]>

But would like to see something similar to this...(if possible)
Aug 9 16:03:14 ns2b clamav-milter[9851]: i79K3CfR009900: stream: Trojan.JS.RunMe
Intercepted virus from <[EMAIL PROTECTED]> at 4.4.103.77 to <[EMAIL PROTECTED]>

Thanks,
Brett
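One way to get the count without re-reading the maillog for every hit, as an added example that is not from the thread: sendmail logs the relay IP on its "from=" line under the same queue id that clamav-milter prints, so a single awk pass can join the two. The sample log lines are constructed to follow the formats quoted in the post.

```shell
#!/bin/sh
# Added example, not from the thread: join sendmail's "from=... relay=[ip]"
# lines with clamav-milter's "Intercepted virus" lines on the queue id in a
# single pass over the log. The lines in sample_log are constructed.

# Read a maillog (file arguments or stdin) and print "count ip", most
# frequent source first. Hits whose queue id never got a from= line are
# reported under "unknown" rather than silently dropped.
virus_senders() {
    awk '
        # sendmail envelope line: remember the relay IP for this queue id
        / sendmail\[[0-9]+\]: [A-Za-z0-9]+: from=</ {
            qid = $6; sub(/:$/, "", qid)
            if (match($0, /relay=[^,]*\[[0-9.]+\]/)) {
                s = substr($0, RSTART, RLENGTH)
                sub(/.*\[/, "", s); sub(/\].*/, "", s)
                ip[qid] = s
            }
            next
        }
        # clamav-milter hit: the queue id follows the program name
        / clamav-milter\[[0-9]+\]: / && /Intercepted virus from/ {
            qid = $6; sub(/:$/, "", qid)
            hits[qid]++
        }
        # the two lines may arrive in either order, so join only at the end
        END {
            for (q in hits) {
                src = (q in ip) ? ip[q] : "unknown"
                count[src] += hits[q]
            }
            for (s in count) printf "%d %s\n", count[s], s
        }
    ' "$@" | sort -rn
}

# Constructed sample: two hits relayed from 4.4.103.77, one from 10.0.0.5
# (logged before its from= line), one with no from= line, one clean message.
sample_log() {
    cat <<'EOF'
Aug  9 16:03:10 ns2b sendmail[9850]: i79K3CfR009900: from=<a@example.org>, size=2412, class=0, nrcpts=1, msgid=<1@example.org>, proto=ESMTP, daemon=MTA, relay=[4.4.103.77]
Aug  9 16:03:14 ns2b clamav-milter[9851]: i79K3CfR009900: stream: Trojan.JS.RunMe Intercepted virus from <a@example.org> to <u@example.net>
Aug  9 16:05:02 ns2b sendmail[9853]: i79K5AbC009912: from=<b@example.com>, size=2410, class=0, nrcpts=1, msgid=<2@example.com>, proto=ESMTP, daemon=MTA, relay=host.example.com [4.4.103.77]
Aug  9 16:05:05 ns2b clamav-milter[9851]: i79K5AbC009912: stream: Trojan.JS.RunMe Intercepted virus from <b@example.com> to <u@example.net>
Aug  9 16:07:44 ns2b clamav-milter[9851]: i79K7AbC009930: stream: Trojan.JS.RunMe Intercepted virus from <c@example.com> to <u@example.net>
Aug  9 16:07:45 ns2b sendmail[9855]: i79K7AbC009930: from=<c@example.com>, size=2409, class=0, nrcpts=1, msgid=<3@example.com>, proto=ESMTP, daemon=MTA, relay=[10.0.0.5]
Aug  9 16:08:00 ns2b sendmail[9856]: i79K8AbC009940: from=<d@example.com>, size=100, class=0, nrcpts=1, msgid=<4@example.com>, proto=ESMTP, daemon=MTA, relay=[10.0.0.9]
Aug  9 16:09:31 ns2b clamav-milter[9851]: i79K9ZzZ009950: stream: Trojan.JS.RunMe Intercepted virus from <e@example.com> to <u@example.net>
EOF
}
```

Use as `virus_senders /var/log/maillog` or `sample_log | virus_senders`.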
[Clamav-users] clamd cannot connect to Unix socket
> Aug 9 08:51:12 mail amavis[22421]: (22421-05) Clam Antivirus-clamd: Can't connect to UNIX socket /var/run/amavis/clamd.ctl: No such file or directory, retrying (3)

This may help you:

Configuring ClamAV (clamd) for use with amavisd-new HOWTO
http://www.xmission.com/~jmcrc/clamav-amavisd-new.html
Re: [Clamav-users] New virus/worm ???
----- Original Message -----
From: "Michael Brennen" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, August 09, 2004 1:58 PM
Subject: [Clamav-users] New virus/worm ???

>
> Just in the last few minutes I've started getting hit with several
> copies of a zip packaged exe file from widely varying sources. The
> names are of the form 'price.*\.zip'. I've submitted a copy online
> and it was accepted. Anyone else seeing this?
>
> -- Michael

Yea, I've gotten at least 22 of them in the past hour from the Mod_SSL lists. If it's not one thing it's another :/
Re: [Clamav-users] New virus/worm ???
On Mon, 9 Aug 2004, Tomasz Kojm wrote:
> On Mon, 9 Aug 2004 12:58:52 -0500 (CDT)
> Michael Brennen <[EMAIL PROTECTED]> wrote:
> >
> > Just in the last few minutes I've started getting hit with several
> > copies of a zip packaged exe file from widely varying sources. The
>
> The database has been updated on 17.00 GMT.

Updates are run hourly at *:43; looks like the 13:43 update got it, as Trojan.JS.RunMe is now being caught. Next time I'll run freshclam manually first.

Thanks much.

-- Michael
Re: [Clamav-users] Trojan.JS.RunMe?
On Mon, 9 Aug 2004, Scott Call wrote:
> I'm seeing a huge quantity of "Trojan.JS.RunMe" both with 0.75.1 and the
> latest snapshot. I can't seem to find any information on this signature
> (nothing in the virusdb list and nothing on google).
>
> Any ideas what this is? I'm concerned because I see repeated attempts from

Something very new. We got our first one here at 13:46 EDT, and clam didn't detect it, even after running freshclam. By the time I submitted it to the web site, I was told it was in the database. Run freshclam again, and Clam was filtering it by 13:52 EDT.

This probably isn't the answer you wanted :-) but I had to say just how amazing I think the Clam team is.

==
Chris Candreva -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/
Re: [Clamav-users] New virus/worm ???
Michael Brennen said the following on 8/9/2004 7:58 PM GMT+2:
> Just in the last few minutes I've started getting hit with several
> copies of a zip packaged exe file from widely varying sources. The
> names are of the form 'price.*\.zip'. I've submitted a copy online
> and it was accepted. Anyone else seeing this?
>
> -- Michael

Run freshclam. daily 444 detects the price zip as Trojan.RunMe. The price.exe has some urls inside it, if you wget that 2.jpg you get a Worm.Bagle.AI, which made it into daily 445.

Regards,
Niek Baakman
Re: [Clamav-users] New virus/worm ???
On Mon, Aug 09, 2004 at 12:58:52PM -0500, Michael Brennen said:
>
> Just in the last few minutes I've started getting hit with several
> copies of a zip packaged exe file from widely varying sources. The
> names are of the form 'price.*\.zip'. I've submitted a copy online
> and it was accepted. Anyone else seeing this?

Yes - it contains an executable, price.exe. clam is not currently picking it up as a virus. I was going to submit it, but if you already have, I'll hold off.

-- 
--------------------------------------------------------------------------
| Stephen Gran                  | * knghtbrd can already envision:       |
| [EMAIL PROTECTED]             | "Subject: [INTENT TO PREPARE TO PROPOSE|
| http://www.lobefin.net/~steve | FILING OF BUG REPORT] Typos in the     |
|                               | policy document"                       |
--------------------------------------------------------------------------
Re: [Clamav-users] New virus/worm ???
At 10:58 AM 8/9/2004, Michael Brennen wrote:
> Just in the last few minutes I've started getting hit with several
> copies of a zip packaged exe file from widely varying sources. The
> names are of the form 'price.*\.zip'. I've submitted a copy online
> and it was accepted. Anyone else seeing this?

Tons of 'em. Run freshclam -- update 444 picks it up as Trojan.JS.RunMe.

Kelson Vibber
SpeedGate Communications
Re: [Clamav-users] New virus/worm ???
> Just in the last few minutes I've started getting hit with several
> copies of a zip packaged exe file from widely varying sources. The
> names are of the form 'price.*\.zip'. I've submitted a copy online and
> it was accepted. Anyone else seeing this?

We were seeing a bunch, however, new signatures are catching it.

John
-- 
John Madden
UNIX Systems Engineer
Ivy Tech State College
[EMAIL PROTECTED]
Re: [Clamav-users] New virus/worm ???
On Monday, August 9, 2004, 7:58:52 PM, Michael Brennen wrote:
MB> Just in the last few minutes I've started getting hit with several
MB> copies of a zip packaged exe file from widely varying sources. The
MB> names are of the form 'price.*\.zip'. I've submitted a copy online
MB> and it was accepted. Anyone else seeing this?
MB> -- Michael

Please run freshclam asap.

-- 
Best regards,
Christoph mailto:[EMAIL PROTECTED]

---
This SF.Net email is sponsored by OSTG. Have you noticed the changes on Linux.com, ITManagersJournal and NewsForge in the past few weeks? Now, one more big change to announce. We are now OSTG- Open Source Technology Group. Come see the changes on the new OSTG site. www.ostg.com
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users
Re: [Clamav-users] New virus/worm ???
On Mon, 9 Aug 2004 12:58:52 -0500 (CDT)
Michael Brennen <[EMAIL PROTECTED]> wrote:
>
> Just in the last few minutes I've started getting hit with several
> copies of a zip packaged exe file from widely varying sources. The

The database has been updated on 17.00 GMT.

> names are of the form 'price.*\.zip'. I've submitted a copy online
> and it was accepted. Anyone else seeing this?

Our interface is temporarily broken and doesn't reject those files. Please do not submit them.

-- 
   oo.   Tomasz Kojm <[EMAIL PROTECTED]>
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
   \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\ /\ Mon Aug 9 20:23:15 CEST 2004
Re: [Clamav-users] New virus/worm ???
Yep!

----- Original Message -----
From: "Michael Brennen" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, August 09, 2004 12:58 PM
Subject: [Clamav-users] New virus/worm ???

>
> Just in the last few minutes I've started getting hit with several
> copies of a zip packaged exe file from widely varying sources. The
> names are of the form 'price.*\.zip'. I've submitted a copy online
> and it was accepted. Anyone else seeing this?
>
> -- Michael
[Clamav-users] New virus/worm ???
Just in the last few minutes I've started getting hit with several copies of a zip packaged exe file from widely varying sources. The names are of the form 'price.*\.zip'. I've submitted a copy online and it was accepted. Anyone else seeing this?

-- Michael
[Clamav-users] Trojan.JS.RunMe?
I'm seeing a huge quantity of "Trojan.JS.RunMe" both with 0.75.1 and the latest snapshot. I can't seem to find any information on this signature (nothing in the virusdb list and nothing on google).

Any ideas what this is? I'm concerned because I see repeated attempts from the same address to deliver it to an individual account (as opposed to most viruses that just deliver once and if they fail move on to the next address).

Thanks
-S

Scott Call
Router Geek, ATGi, home of $6.95 Prime Rib
I make the world a better place, I boycott Wal-Mart
VoIP incoming: +1 360-382-1814
Re: [Clamav-users] clamd cannot connect to Unix socket
On Mon, 2004-08-09 at 10:50, Jim wrote:
> I am using clamav deamon with amavis and I am getting a lot of these
> error messages in maill.log
>
>
>
> Aug 9 08:51:12 mail amavis[22421]: (22421-05) Clam Antivirus-clamd:
> Can't connect to UNIX socket /var/run/amavis/clamd.ctl: No such file or
> directory, retrying (3)

Is that what you have in clamd.conf? If not, you need to change your amavisd.conf file to match (or clamd.conf and restart clamd - whichever they need to match)

>
>
> What is strange is that that even though these messages are still being
> printed clam is still working and stopping viruses

amavis tries clamdscan, if it fails it tries clamscan.

-- 
Daniel J McDonald <[EMAIL PROTECTED]>
Austin Energy
Re: [Clamav-users] Memory Leaks om 0.75.1 & 20040805
On Mon, 9 Aug 2004, Christopher X. Candreva wrote:
> On Mon, 9 Aug 2004, Christopher X. Candreva wrote:
>
> > 0.75.1 Running since Aug 3 is currently using 272 M of RAM, and 20040805
> > running since Aug 5 is using 104M.
>
> > I'm killing and restarting now to free up some memory.
>
> After 3 hours, 0.75.1 is using 45M.
>
> 20040805 appears to have just restarted itself within the last hour.

Just a thought, but this probably scales as the number of messages processed, rather than the amount of time. Those reporting memory leaks might want to give us some idea of their mailserver load.

For bonus points, generate a plot of memory usage vs time. It'd be interesting to see if it grows slowly, or if there are occasional large jumps (triggered by evil messages, for example).

Damian Menscher
-- 
-=#| Physics Grad Student & SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
-=#| <[EMAIL PROTECTED]> www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
-=#| The above opinions are not necessarily those of my employers. |#=-
Re: [Clamav-users] clamscan dumps core
I upgraded clamav to 0.75 but that didn't help and although I thought I did this, I upped the softlimit (-m) and now it works. I think the file just grew big enough.

FYI--I got 0.70rc from the FreeBSD ports and it complained that the feature set wasn't high enough?? So I went to 0.75 (not using FreeBSD ports). Putting that here so it is in the archive.

Thanks!

Weldon

If memory serves me right, sometime around 10:06am, Weldon S Godfrey 3 told me:
>
> Hello, I am running qmail-scanner-1.20 with clamscan: 0.65. on a FreeBSD
> 5.2.1-RELEASE system. Everything worked fine until shortly before 2:40EDT
> on 8/5/2004 in which every attachment that is scanned dumps core. I have
> checked every permission, memory size setting I can think of. The only
> thing that clears this up is to remove the daily.cvd file and restart
> clamd. When this happens, viruses that are in the main.cvd are caught
> fine and I stop getting core dumps. Is there something in daily.cvd
> messing up my version of clamav?
>
> Thanks!
>
> Weldon
Re: [Clamav-users] clamd cannot connect to Unix socket
> Aug 9 08:51:12 mail amavis[22421]: (22421-05) Clam Antivirus-clamd:
> Can't connect to UNIX socket /var/run/amavis/clamd.ctl: No such file or
> directory, retrying (3)
>
>
> What is strange is that that even though these messages are still being
> printed clam is still working and stopping viruses

Is clamd still scanning and stopping messages, or is amavis giving up on clamd and calling clamscan to check messages? Depending on how you've got your amavis logging set up, there should be some indications of how amavis is calling ClamAV.

As for the Clam socket, does the clam config point to it? Does the amavis config point to it? Is it owned by the right user? Does it exist? etc...

Cheers,
Matt
Re: [Clamav-users] Memory Leaks om 0.75.1 & 20040805
On Mon, 9 Aug 2004, Christopher X. Candreva wrote:
> 0.75.1 Running since Aug 3 is currently using 272 M of RAM, and 20040805
> running since Aug 5 is using 104M.

> I'm killing and restarting now to free up some memory.

After 3 hours, 0.75.1 is using 45M.

20040805 appears to have just restarted itself within the last hour.

==
Chris Candreva -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/
Re: [Clamav-users] clamd cannot connect to Unix socket
>
> Aug 9 08:51:12 mail amavis[22421]: (22421-05) Clam Antivirus-clamd:
> Can't connect to UNIX socket /var/run/amavis/clamd.ctl: No such file or
> directory, retrying (3)
>

Permissions on socket?

Matt
Re: [Clamav-users] Memory Leaks om 0.75.1 & 20040805
Christopher X. Candreva wrote:
> I'm seeing memory leaks in both clamd 0.75.1 and the 20040805 snap posted
> about last week. This is on Solaris 8 Sparc, compiled under gcc 3.4.0
>
> 0.75.1 Running since Aug 3 is currently using 272 M of RAM, and 20040805
> running since Aug 5 is using 104M. Previous versions were using on the
> order of 20M.
>
> I'm killing and restarting now to free up some memory.
>
> -Chris

I'm running it on Solaris 9 and restart clamd when it exceeds 350 M. Cron runs every 20 minutes to monitor size. I get a couple restarts each day. Either it is broken code or there is a compile option I've missed. This is true for all versions and snapshot builds since .65 when I started using it.

dp
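The 20-minute cron check described in this reply, combined with the memory-versus-time record Damian asked for earlier in the thread, as an added example that is not from the list: each run logs clamd's resident size, restarts it above the 350 M threshold, and a second function finds the largest single jump between samples so slow growth can be told apart from occasional spikes. Pid file, log path and restart command are assumptions; the sample data is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed paths and restart command;
# the numbers in sample_usage are constructed.
PIDFILE=/var/run/clamav/clamd.pid          # assumed
USAGE_LOG=/var/log/clamav/clamd-rss.log    # assumed, written by this script
LIMIT_KB=$((350 * 1024))                   # the 350 M restart threshold from the post

# Resident set size of a pid in KB (ps -o rss= is POSIX).
rss_kb() { ps -o rss= -p "$1" | tr -d ' '; }

# True when a sample (KB) exceeds the limit (KB).
over_limit() { [ "$1" -gt "$2" ] 2>/dev/null; }

# Append "epoch rss_kb" for the running clamd and restart it if too large.
# Meant to run from cron every 20 minutes.
watchdog() {
    pid=$(cat "$PIDFILE" 2>/dev/null) || return 1
    rss=$(rss_kb "$pid")
    [ -n "$rss" ] || return 1
    printf '%s %s\n' "$(date +%s)" "$rss" >> "$USAGE_LOG"
    if over_limit "$rss" "$LIMIT_KB"; then
        echo "clamd pid $pid at ${rss} KB, restarting" >&2
        /etc/init.d/clamd restart   # assumed restart command
    fi
}

# From an "epoch rss_kb" log (file arguments or stdin), print the largest
# increase between two consecutive samples and when it appeared:
# "delta_kb epoch". A flat or shrinking series reports "0 -".
largest_jump() {
    awk 'BEGIN { max = 0; at = "-" }
         NR > 1 { d = $2 - prev; if (d > max) { max = d; at = $1 } }
         { prev = $2 }
         END { if (NR > 1) printf "%d %s\n", max, at }' "$@"
}

# Constructed samples 20 minutes apart: slow growth, then one 100 MB jump.
sample_usage() {
    cat <<'EOF'
1092080000 20480
1092081200 21000
1092082400 21600
1092083600 124000
1092084800 124800
EOF
}
```

The usage log is two columns, so it plots directly with gnuplot or any spreadsheet; `largest_jump "$USAGE_LOG"` points at the sample where a spike started.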
[Clamav-users] clamd cannot connect to Unix socket
I am using clamav daemon with amavis and I am getting a lot of these error messages in maill.log

Aug 9 08:51:12 mail amavis[22421]: (22421-05) Clam Antivirus-clamd: Can't connect to UNIX socket /var/run/amavis/clamd.ctl: No such file or directory, retrying (3)

What is strange is that that even though these messages are still being printed clam is still working and stopping viruses

Jim
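The checklist the replies give for this error (does clamd.conf's LocalSocket match the path in amavisd.conf, does the socket exist, who owns it), scripted as an added example that is not from the thread. Config locations are passed in; the two files written by write_sample_configs are constructed in the shape of the real ones and deliberately disagree, reproducing the situation behind the log line above.

```shell
#!/bin/sh
# Added example, not from the thread: check that clamd and amavisd-new agree
# on the unix socket and that the socket actually exists. Sample configs
# are constructed.

# LocalSocket directive from clamd.conf (commented-out lines do not match).
clamd_socket_path() {
    awk '$1 == "LocalSocket" { print $2; exit }' "$1"
}

# Socket path from amavisd.conf: the quoted string after "CONTSCAN {}\n" in
# the ['ClamAV-clamd', \&ask_daemon, ["CONTSCAN {}\n", "/path"], ...] entry.
amavis_socket_path() {
    awk '/ClamAV-clamd/ { found = 1 }
         found && match($0, /"[^"]*CONTSCAN[^"]*", *"[^"]+"/) {
             s = substr($0, RSTART, RLENGTH)
             sub(/.*, *"/, "", s); sub(/"$/, "", s)
             print s; exit
         }' "$1"
}

# Print one line per finding; return 0 only when nothing is wrong.
# $1 = clamd.conf, $2 = amavisd.conf
check_clamd_socket() {
    rc=0
    cs=$(clamd_socket_path "$1")
    as=$(amavis_socket_path "$2")
    if [ -z "$cs" ]; then
        echo "clamd.conf: no LocalSocket directive (clamd is not listening on a unix socket)"; rc=1
    fi
    if [ -z "$as" ]; then
        echo "amavisd.conf: no ClamAV-clamd socket entry found"; rc=1
    fi
    if [ -n "$cs" ] && [ -n "$as" ] && [ "$cs" != "$as" ]; then
        echo "mismatch: clamd listens on $cs but amavisd connects to $as"; rc=1
    fi
    if [ -n "$cs" ] && [ ! -S "$cs" ]; then
        echo "$cs is missing or not a socket (is clamd running, and may its user write that directory?)"; rc=1
    elif [ -n "$cs" ]; then
        # owner and mode decide whether the amavis user may connect to it
        echo "socket present: $(ls -ld "$cs")"
    fi
    return $rc
}

# Constructed configs: clamd on /var/run/clamav/clamd.ctl, amavisd expecting
# /var/run/amavis/clamd.ctl, i.e. the mismatch behind the error in the post.
write_sample_configs() {
    printf 'LogFile /var/log/clamav/clamd.log\n#LocalSocket /tmp/clamd\nLocalSocket /var/run/clamav/clamd.ctl\n' > "$1/clamd.conf"
    cat > "$1/amavisd.conf" <<'EOF'
@av_scanners = (
  ['ClamAV-clamd',
    \&ask_daemon, ["CONTSCAN {}\n", "/var/run/amavis/clamd.ctl"],
    qr/\bOK$/, qr/\bFOUND$/,
    qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
);
EOF
}
```

On a live system run `check_clamd_socket /etc/clamd.conf /etc/amavisd.conf` (adjust to where your distribution keeps them).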
Re: [Clamav-users] Re: clamscan dumps core
Weldon S Godfrey 3 wrote:
> Hello, I am running qmail-scanner-1.20 with clamscan: 0.65. on a FreeBSD
> 5.2.1-RELEASE system. Everything worked fine until shortly before 2:40EDT
> on 8/5/2004 in which every attachment that is scanned dumps core. I have
> checked every permission, memory size setting I can think of. The only
> thing that clears this up is to remove the daily.cvd file and restart
> clamd. When this happens, viruses that are in the main.cvd are caught
> fine and I stop getting core dumps. Is there something in daily.cvd
> messing up my version of clamav?

The version of ClamAV you are running is very old. Try a more recent version? The current cvd files use a version 2 functionality level which is supported by ClamAV 0.70 and higher. It has been kept backwards compatible until now, but perhaps a rule was added that is no longer compatible?

You should be updating ClamAV fairly often as the newer viruses are not always detected by older versions of ClamAV.

-- 
James Lick -- [EMAIL PROTECTED] -- http://jameslick.com/
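A way to check the functionality level this reply refers to before an engine chokes on a database, as an added example that is not from the thread: every .cvd starts with a 512-byte text header (colon-separated: ClamAV-VDB, build time, version, signature count, required functionality level, MD5, digital signature, builder, build time in seconds), so the level can be read without loading the file. The engine's own level is passed in by the caller (assumed known from its release notes); the sample header is constructed and is not a real release.

```shell
#!/bin/sh
# Added example, not from the thread: read the .cvd header and compare the
# functionality level it requires with the engine's. Sample header is
# constructed; MD5 and signature fields are placeholders.

# Field N of the 512-byte header; NUL or space padding is dropped.
cvd_field() {
    dd if="$1" bs=512 count=1 2>/dev/null | tr -d '\000' | cut -d: -f"$2" | sed 's/[[:space:]]*$//'
}
cvd_version() { cvd_field "$1" 3; }
cvd_sigs()    { cvd_field "$1" 4; }
cvd_flevel()  { cvd_field "$1" 5; }

# 0 if an engine at functionality level $2 can load database $1,
# 1 if the database needs a newer engine, 2 if $1 does not carry a .cvd header.
cvd_loadable() {
    [ "$(cvd_field "$1" 1)" = "ClamAV-VDB" ] || return 2
    need=$(cvd_flevel "$1")
    case "$need" in ''|*[!0-9]*) return 2 ;; esac
    [ "$need" -le "$2" ]
}

# One line per .cvd in a directory, for an engine at level $2.
report() {
    for f in "$1"/*.cvd; do
        rc=0; cvd_loadable "$f" "$2" || rc=$?
        case $rc in
            0) echo "$f: version $(cvd_version "$f"), flevel $(cvd_flevel "$f"), ok" ;;
            1) echo "$f: requires flevel $(cvd_flevel "$f") but engine has $2, upgrade ClamAV" ;;
            *) echo "$f: not a .cvd header" ;;
        esac
    done
}

# Constructed header in the documented layout, padded to 512 bytes.
write_sample_cvd() {
    printf '%-512s' 'ClamAV-VDB:09 Aug 2004 17-00 +0000:445:24318:2:00000000000000000000000000000000:PLACEHOLDER-SIGNATURE:builder:1092070800' > "$1"
}
```

`report /var/lib/clamav 2` would have shown the daily.cvd in the post asking for level 2 while a 0.65 engine sits below it.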
Re: [Clamav-users] Memory Leaks om 0.75.1 & 20040805
Chris

I'm running 0.75.1 on Solaris8 also. My clamd processes are around 15 Meg. I compiled them under gcc 3.3.2.

HTH

Ken McKittrick
ISP Engineer
USADatanet

On Aug 9, 2004, at 9:48 AM, Christopher X. Candreva wrote:
> I'm seeing memory leaks in both clamd 0.75.1 and the 20040805 snap posted
> about last week. This is on Solaris 8 Sparc, compiled under gcc 3.4.0
>
> 0.75.1 Running since Aug 3 is currently using 272 M of RAM, and 20040805
> running since Aug 5 is using 104M. Previous versions were using on the
> order of 20M.
>
> I'm killing and restarting now to free up some memory.
>
> -Chris
>
> ==
> Chris Candreva -- [EMAIL PROTECTED] -- (914) 967-7816
> WestNet Internet Services of Westchester
> http://www.westnet.com/
[Clamav-users] clamscan dumps core
Hello, I am running qmail-scanner-1.20 with clamscan: 0.65. on a FreeBSD 5.2.1-RELEASE system. Everything worked fine until shortly before 2:40EDT on 8/5/2004 in which every attachment that is scanned dumps core. I have checked every permission, memory size setting I can think of. The only thing that clears this up is to remove the daily.cvd file and restart clamd. When this happens, viruses that are in the main.cvd are caught fine and I stop getting core dumps. Is there something in daily.cvd messing up my version of clamav?

Thanks!

Weldon
[Clamav-users] Re: clamscan dumps core
I'm sorry, I meant to put 2:40pm EDT (14:40).

If memory serves me right, sometime around 10:06am, Weldon S Godfrey 3 told me:

> Hello, I am running qmail-scanner-1.20 with clamscan 0.65 on a FreeBSD
> 5.2.1-RELEASE system. Everything worked fine until shortly before 2:40 EDT
> on 8/5/2004, at which point every attachment that is scanned dumps core. I have
> checked every permission and memory size setting I can think of. The only
> thing that clears this up is to remove the daily.cvd file and restart
> clamd. When this happens, viruses that are in the main.cvd are caught
> fine and I stop getting core dumps. Is there something in daily.cvd
> messing up my version of clamav?
>
> Thanks!
>
> Weldon
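As an added check that is not part of this thread: before blaming the scanner binary, confirm that the daily.cvd it loaded is intact and does not demand a functionality level newer than the engine provides. The header layout follows ClamAV's documented CVD format (a 512-byte, colon-separated, space-padded header whose MD5 field covers the tar.gz body that follows); the sample file, its date, builder and signature line are constructed here and are not a real daily.cvd.

```python
import hashlib
import io
import tarfile

HEADER_LEN = 512  # a CVD starts with a 512-byte colon-separated, space-padded header


def parse_cvd_header(data):
    """Fields: ClamAV-VDB:build time:version:sig count:functionality level:
    MD5 of body:digital signature:builder:build time in seconds."""
    raw = data[:HEADER_LEN].decode("ascii", errors="replace").rstrip(" \0")
    fields = raw.split(":")
    if len(fields) < 9 or fields[0] != "ClamAV-VDB":
        raise ValueError("not a ClamAV CVD header")
    return {"build_time": fields[1], "version": int(fields[2]),
            "signatures": int(fields[3]), "flevel": int(fields[4]),
            "md5": fields[5], "dsig": fields[6], "builder": fields[7]}


def check_cvd(data, engine_flevel):
    """Return (ok, reasons): the body must hash to the header's MD5, and the
    required functionality level must not exceed what the running engine has."""
    hdr = parse_cvd_header(data)
    reasons = []
    if hashlib.md5(data[HEADER_LEN:]).hexdigest() != hdr["md5"]:
        reasons.append("body MD5 does not match header")
    if hdr["flevel"] > engine_flevel:
        reasons.append("requires functionality level %d, engine has %d"
                       % (hdr["flevel"], engine_flevel))
    return (not reasons, reasons)


def build_sample_cvd(flevel, corrupt=False):
    """Constructed sample: one made-up .ndb line in a tar.gz body, wrapped in a
    header laid out like sigtool's. Date, builder and signature are invented."""
    sig = b"Sample.Constructed:0:*:0123456789abcdef\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("sample.ndb")
        info.size = len(sig)
        tar.addfile(info, io.BytesIO(sig))
    body = buf.getvalue()
    header = ("ClamAV-VDB:05 Aug 2004 14-40 +0000:1:1:%d:%s:dsig-placeholder"
              ":builder:1091716800" % (flevel, hashlib.md5(body).hexdigest()))
    if corrupt:  # flip one byte of the body after the MD5 was taken
        body = body[:-1] + bytes([body[-1] ^ 0xFF])
    return header.ljust(HEADER_LEN).encode("ascii") + body
```

On a real file, read daily.cvd into `data` and pass the engine's functionality level; a non-empty `reasons` list points at the database rather than the scanner.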
[Clamav-users] Memory Leaks on 0.75.1 & 20040805
I'm seeing memory leaks in both clamd 0.75.1 and the 20040805 snap posted about last week. This is on Solaris 8 Sparc, compiled under gcc 3.4.0.

0.75.1 running since Aug 3 is currently using 272 M of RAM, and 20040805 running since Aug 5 is using 104M. Previous versions were using on the order of 20M.

I'm killing and restarting now to free up some memory.

-Chris

==
Chris Candreva -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/
