Re: [Clamav-users] Segmentation Fault in clamav-milter
On Friday 13 Aug 2004 02:51, David Champion wrote:
> To my first glance, libwrap is not reentrant, and could be trouncing the clamav-milter stack(s) across threads.

From the hosts_access man page:

    hosts_access() uses the strtok() library function. This may interfere with other code that relies on strtok().

strtok is *not* thread safe so it looks like you are correct. I will investigate.

-- 
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK.
ICQ#20252325 [EMAIL PROTECTED] http://www.bandsman.co.uk

---
SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media
100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33
Save 50% off Retail on Ink Toner - Free Shipping and Free Gift.
http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users
Re: [Clamav-users] multiple signature for the same virus name in daily.cvd
On 08/13/04 09:37, Fajar A. Nugraha wrote:
> Hi,
> This is really a question for the db maintainer, but I think it wouldn't hurt for normal users to know about this too.
> I'm parsing viruses.db2 (from daily.cvd with sigtool -u) for an application that I'm working on, and I found multiple signatures for several virus names. For example:
>
>     Trojan.Clicker.Small-2 (Clam)=616c7061726164652e636f6d2f6367692f636c69636b3f613d34353730363226733d313426703d316861636b736f722e657865005b4d41494e5d3a20426f7420737461727465642e4465
>     Trojan.Clicker.Small-2 (Clam)=58450043464941554449542e455845005550444154452e455845004e555047524144452e455845004d435550444154452e455845687474703a2f2f706f6c6f626565722e64652f312e6a706700687474703a2f2f7232363236722e64652f312e6a706700687474703a2f2f6b6f6f6c746f6b796f2e72752f312e6a706700687474703a2f2f6d6d61672e72752f312e6a
>
> They are not in adjacent locations, so possibly different maintainers added them. daily.cvd version 450 has 1597 virus signatures, but only 1569 unique names.
> How does clamav handle this? Does a pattern have to match both, or is one of them enough?

One is enough.

> If clamav treats them as different virus signatures, wouldn't it be best to come up with a unique name for each signature?

In some cases multiple lines are required for a single signature. In some other cases a temp name is taken from a similar malware and it's subject to change after better investigation is performed. Last possibility is, as you've guessed, the second db updater added a non-unique name; not a great issue as both signatures are working. Anyway it will be fixed in one of the next updates.

Thanks for pointing it out.

Regards,
acab
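The "one is enough" answer above, as an added example that is not part of the thread or of ClamAV: a small Python reader for the `Name (Clam)=hexpattern` line format of an unpacked viruses.db2, which keeps every pattern that shares a name and reports a name as soon as any one of its patterns is found in the scanned data. The database lines and the scanned buffers are constructed for this demonstration; the matching is a plain substring search, not ClamAV's engine, and the handling of the `(Clam)` suffix and of comment lines is an assumption.

```python
# Added example (not from the original thread): how a name-to-pattern
# database in the "Name (Clam)=hexpattern" line format behaves when one
# virus name carries more than one signature.  The database lines and the
# sample buffers are constructed; matching is a plain substring search.
import binascii
from collections import defaultdict

# Constructed sample database.  "Sample.Clicker-2" deliberately appears
# twice with different patterns, as Trojan.Clicker.Small-2 did in daily.cvd 450.
SAMPLE_DB = """\
Sample.Clicker-2 (Clam)=6367692f636c69636b3f613d
Sample.Dropper-1 (Clam)=5550444154452e455845
Sample.Clicker-2 (Clam)=687474703a2f2f6d6d61672e
"""

def load_db(text):
    """Parse db lines into {name: [pattern bytes, ...]}, keeping every
    pattern that shares a name instead of overwriting earlier ones."""
    db = defaultdict(list)
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):   # comment handling: assumption
            continue
        name, sep, hexpat = line.partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: missing '=' separator")
        name = name.strip()
        if name.endswith(" (Clam)"):            # suffix handling: assumption
            name = name[:-len(" (Clam)")]
        try:
            pattern = binascii.unhexlify(hexpat.strip())
        except binascii.Error as exc:
            raise ValueError(f"line {lineno}: bad hex pattern: {exc}") from exc
        db[name].append(pattern)
    return dict(db)

def db_stats(db):
    """Return (total signatures, unique names): the two numbers the thread
    compares for daily.cvd 450 (1597 signatures vs 1569 names)."""
    return sum(len(p) for p in db.values()), len(db)

def duplicate_names(db):
    """Names that carry more than one signature."""
    return sorted(name for name, pats in db.items() if len(pats) > 1)

def scan(db, data):
    """Sorted names whose patterns occur in data.  A name is reported as
    soon as ANY one of its patterns matches; all of them need not match."""
    return sorted(name for name, pats in db.items()
                  if any(pat in data for pat in pats))

if __name__ == "__main__":
    db = load_db(SAMPLE_DB)
    print("signatures, unique names:", db_stats(db))
    print("names with several signatures:", duplicate_names(db))
    # Constructed buffer that contains only the SECOND Sample.Clicker-2 pattern.
    print("detected:", scan(db, b"GET http://mmag.example/1.jpg HTTP/1.0\r\n"))
```

Because the loader appends rather than overwrites, a duplicated name costs nothing at detection time; only the signature-versus-name counts differ, which is exactly what the parser in the question observed.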
Re: [Clamav-users] Segmentation Fault in clamav-milter
On Friday 13 Aug 2004 02:51, David Champion wrote:
> After working with Nigel to resolve/eliminate other factors, I'm still getting quite similar problems to this on Solaris.
> I think I've narrowed down the problem. Please try rebuilding without libwrap enabled, and let us know what you see.
> To my first glance, libwrap is not reentrant, and could be trouncing the clamav-milter stack(s) across threads.

Please try the latest version from CVS (0.75k)

-- 
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK.
ICQ#20252325 [EMAIL PROTECTED] http://www.bandsman.co.uk
Re: [Clamav-users] daily.db.clamav.or.id : clamav db update via DNS
On Fri, 13 Aug 2004 at 18:17:19 +0700, Fajar A. Nugraha wrote:
> Following the long thread of Idea for more timely virusdb updates, I have put together a basic system of putting daily.cvd in DNS TXT records.
[...]

Though lacking secure digital signing, quite an interesting real solution of the long theoretical discussion!

> (2) Getting release date of a daily.cvd :
>
>     [EMAIL PROTECTED] clamdsndb]# host -t txt added.450.daily.db.clamav.or.id
>     added.450.daily.db.clamav.or.id text 2004081317
>
> 450 is the version, 2004081317 is MMDDHH the daily.cvd was added.

Could the HH be given in GMT time?

Overall, I'm impressed, I must say :-) .

-- 
Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only
[EMAIL PROTECTED] http://www.lodz.tpsa.pl/iso/ | ones and zeros.
[EMAIL PROTECTED] http://www.ClamAV.net/ A GPL virus scanner
Re: [Clamav-users] SomeFool.P/Q occasionally passing through
Hello all,

We are having the same problem, we are using Clamav at our perimeter, then it forwards it to another server running Symantec. In the last week, Clamav has caught ~1200 viruses, but two got through. Symantec called it [EMAIL PROTECTED]

According to Symantec's website, "When a file is detected as [EMAIL PROTECTED], this indicates that it is a MIME-encoded file containing the [EMAIL PROTECTED] worm."

I don't know much about MIME encoding. Should Clamav be able to pick this up?

Thanks!
David

On Thu, 12 Aug 2004 21:05:26 +0300 Arthur Kerpician [EMAIL PROTECTED] wrote:
> Arthur Kerpician wrote:
> Todd Lyons wrote:
> Brian Morrison wanted us to know:
>
>     Received: from localhost [127.0.0.1] by backup.ccina.ro with SpamAssassin (2.60 1.212-2003-09-23-exp); Wed, 11 Aug 2004 17:53:00 +0300
>
> This is the last line of Received headers, so it never says exactly what host it came from. It was received on the loopback interface surely?
>
> That's kind of what I'm looking at. Some local webserver running on that machine? A formmail.pl on that machine? It does _not_ seem like it came from the outside. And if you don't tell it to scan locally generated emails, then that would certainly explain why it got through.
>
> Testing another thing today: if I send a virus (email saved from NAV quarantine, which previously passed ClamAV) through SquirrelMail (running on the Linux/ClamAV box) it gets detected by ClamAV!
> So, mails sent from localhost (127.0.0.1) are scanned!
Re: [Clamav-users] Idea for more timely virusdb updates
On Wed, Aug 11, 2004 at 08:34:48PM +0200, Martin Konold wrote:
> The problem with bittorrent is that bittorrent addresses a different problem domain.
>
> clamav pattern update:
> - frequently changing small number of small files distributed from a single point to many
>
> bittorrent:
> - slowly changing high number of potentially very big files distributed from many sources to many destinations.

This isn't correct. You somehow confusingly assume all current bittorrent downloads are related? They are not. Each individual .torrent starts out as a one-to-many distribution. The nice thing about bittorrent is that practically immediately after a third client connects, it becomes a many-to-many transfer, utilising the available upload capacity of all clients.

So each individual torrent you find on those popular websites that list all torrents started as a single-point-to-many distribution. And the number of torrents available there isn't slowly changing; in fact, it's often changing way faster than new virus definitions are released :)

The main difference is that most currently offered torrents comprise many megabytes, while a virus definition file would only be a few kilobytes. But that doesn't invalidate the protocol, certainly not with a high number of downloaders.

If anyone has questions on how the bittorrent protocol works, there is quite a bit of info on the official website: http://www.bitconjurer.org/BitTorrent/ and there's a wiki FAQ: http://wiki.theory.org/index.php/BitTorrentFAQ

-- 
#!perl -wpl # mmfppfmpmmpp mmpffm [EMAIL PROTECTED] $p=3-2*/[^\W\dmpf_]/i;s.[a-z]{$p}.vec($f=join('',$p-1?chr(sub{$_[0]*9+$_[1]*3+ $_[2]}-(map{/p|f/i+/f/i}split//,$)+97):qw(m p f)[map{((ord$)%32-1)/$_%3}(9, 3,1)]),5,1)='`'lt$;$f.eig;# Jan-Pieter Cornet
[Clamav-users] Some help for a newbie regarding configuration files
We run a Cobalt Cube (RedHat 6.5?) for our email server. A 3rd party vendor installed Clam-AV and SpamAssassin for me last year because I am not adept at command line linux. They updated the Clam last week but I am not sure which version they used. I have not been able to connect with the vendor and I need to tweak how Clam is handling HTML emails because it is blocking legitimate emails containing conference registration forms.

The dates on the files in the various directories in home/clamav/ are from June 2, 2004. I cannot find any conf files anywhere that are dated from the day they did the upgrade so I think they just dropped in the default files. I tried to run man but it said there was not an entry for clamav.

My specific questions are:

1. What name should I use after man to get the help file for configuring ClamAv?
2. Where should the currently in effect configuration files be located and which one should I edit to allow forms through, at least from some addresses?
3. Is it possible and how would I state the argument to allow certain senders either by specific address or domain to send us html with forms?
4. How do I retrieve the quarantined emails? I can see the files if I use Putty to navigate to the right directories but I cannot see them using FTP Commander.

Thanks in advance for any help. I did see some related discussions in the archives but the ones I could find did not address my issues directly. I hope you will forgive my ignorance about Linux and ClamAv - I am taking classes and doing lots of reading but I need the specific knowledge NOW. My teachers are going to hit the roof if I don't get this tweaked.

Dana S. Millaway
District Technology Coordinator
Holdingford Public School
320-746-2221 x467
[EMAIL PROTECTED]
Re: [Clamav-users] SomeFool.P/Q occasionally passing through
On Friday 13 Aug 2004 13:59, I wrote:
> Do you have the original e-mail that demonstrates the problem? If so please forward it to me and I'll look at it for you.

Don't forget to zip with the password 'virus'.

-Nigel

-- 
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK.
ICQ#20252325 [EMAIL PROTECTED] http://www.bandsman.co.uk
Re: [Clamav-users] SomeFool.P/Q occasionally passing through
On Friday 13 Aug 2004 13:18, David Williams wrote:
> Hello all,
> We are having the same problem, we are using Clamav at our perimeter, then it forwards it to another server running Symantec. In the last week, Clamav has caught ~1200 viruses, but two got through. Symantec called it [EMAIL PROTECTED]
> According to Symantec's website, "When a file is detected as [EMAIL PROTECTED], this indicates that it is a MIME-encoded file containing the [EMAIL PROTECTED] worm."
> I don't know much about MIME encoding. Should Clamav be able to pick this up?

Do you have the original e-mail that demonstrates the problem? If so please forward it to me and I'll look at it for you.

> Thanks!
> David

-- 
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK.
ICQ#20252325 [EMAIL PROTECTED] http://www.bandsman.co.uk
Re: [Clamav-users] daily.db.clamav.or.id : clamav db update via DNS
On Fri, 13 Aug 2004 14:01:49 +0200 Tomasz Papszun [EMAIL PROTECTED] wrote:
> On Fri, 13 Aug 2004 at 18:17:19 +0700, Fajar A. Nugraha wrote:
> > I have put together a basic system of putting daily.cvd in DNS TXT records.
> [...]
> Though lacking secure digital signing, quite interesting real solution of the long theoretical discussion!

It IS, after all, a basic system :) I could probably add some kind of gpg verification later. Especially if many people decide to use this.

> > (2) Getting release date of a daily.cvd :
> > 450 is the version, 2004081317 is MMDDHH the daily.cvd was added.
> Could the HH be given in GMT time?

Sure. It's changed now. The date should be in GMT for the next daily.cvd update.

> Overall, I'm impressed, I must say :-) .

Thx :)
Re: [Clamav-users] daily.db.clamav.or.id : clamav db update via DNS
At 13:17 13.08.2004, you wrote:
> Hi,
> Following the long thread of Idea for more timely virusdb updates, I have put together a basic system of putting daily.cvd in DNS TXT records. It stores current version of daily.cvd, new signatures, and what time a particular signature was added. Which means the next time clamav come up with a signature sooner than other AV vendors, we'll have a record of it without having to lookup each mail from clamav-db :)
> This is still an early version, so record names might change (or added, or even removed) later. Here's how it work:

Nice, we could actually build a wrapper around freshclam to only fetch when there is a new version ready. I would still prefer to use another protocol to actually pass the virus data, I am not particularly fond of http, but it's simple and proven and, if we could settle on an incremental update method, it would be fairly painless too.

I checked the possibility to build an incremental update

1) get the current ID, I used a saved cvd file daily.foo

    luna:/var/lib/clamav # /usr/local/bin/sigtool -i daily.foo
    Build time: 10 Aug 2004 23-53 +0200
    Version: 448
    # of signatures: 1555
    Functionality level: 2
    Builder: ccordes
    MD5: d87fe8f4a522413be7ee58fb2286aa2e
    Digital signature: 9l9GekAZ+eU5cSKT07lXvLm2WvaHxzDPLm68mXoBFw0coCxkZXn6BsFTrnReEm/KHlSj5FchPiZdMj/DNfHH9uf5oI9z3PKqjZmmjPilGboEyka7Ukx3o1TwwEoi76LxeCUaG6WpuyNkTwLMQRNF1eqWD3l9AsQY8/aRBnUwRUe
    Verification OK.

OK, so it's old. The following needs to be done on the server:

2) unpack the new file using sigtool

    luna:/var/lib/clamav # /usr/local/bin/sigtool -u daily.cvd
    luna:/var/lib/clamav # mv viruses.db2 viruses.451

3) unpack the old file using sigtool

    luna:/var/lib/clamav # /usr/local/bin/sigtool -u daily.foo
    luna:/var/lib/clamav # mv viruses.db2 viruses.448

4) diff the two files

    luna:/var/lib/clamav # diff -U 5 viruses.448 viruses.451 > daily.448to451
    -rw-r--r--  1 root root  18260 2004-08-13 19:23 daily.448to451

Mhhh, still 18K, we better compress it..

    -rw-r--r--  1 root root   8189 2004-08-13 19:23 daily.448to451.gz

OK only 8K to copy across the net now.

back to the client

5) get the diff file somehow and uncompress it ..

    gunzip daily.448to451.gz

6) apply the patch to the old file

    luna:/var/lib/clamav # patch < daily.448to451
    patching file viruses.448
    luna:/var/lib/clamav #

7) rebuild a .CVD file

I have not been able to rebuild the cvd file using sigtool, so this is for someone with more sigtool experience, but the diff of the two files shows that a patch is easily feasible

    -rw-r--r--  1 clamav clamav 1103636 2004-08-10 17:00 main.cvd
    -rw-r--r--  1 root   root    351165 2004-08-13 19:28 viruses.448
    -rw-r--r--  1 root   root    351165 2004-08-13 19:21 viruses.451
    luna:/var/lib/clamav # diff viruses.448 viruses.451
    luna:/var/lib/clamav #

Comments

Erich

THINK
Püntenstrasse 39
8143 Stallikon
mailto:[EMAIL PROTECTED]
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16
Re: [Clamav-users] Some help for a newbie regarding configuration files
On Fri, 13 Aug 2004 07:55:13 -0500 in [EMAIL PROTECTED] Dana Millaway [EMAIL PROTECTED] wrote:
> We run a Cobalt Cube (RedHat 6.5?) for our email server. A 3rd party vendor installed Clam-AV and SpamAssassin for me last year because I am not adept at command line linux. They updated the Clam last week but I am not sure which version they used. I have not been able to connect with the vendor and I need to tweak how Clam is handling HTML emails because it is blocking legitimate emails containing conference registration forms.
> The dates on the files in the various directories in home/clamav/ are from June 2, 2004. I cannot find any conf files anywhere that are dated from the day they did the upgrade so I think they just dropped in the default files. I tried to run man but it said there was not an entry for clamav.
> My specific questions are:
> 1. What name should I use after man to get the help file for configuring ClamAv?

man clamav.conf

> 2. Where should the currently in effect configuration files be located and which one should I edit to allow forms through, at least from some addresses?

/etc is the usual place

> 3. Is it possible and how would I state the argument to allow certain senders either by specific address or domain to send us html with forms?

The problem must be that clam is seeing virus-laden mail, have you checked the logs?

> 4. How do I retrieve the quarantined emails? I can see the files if I use Putty to navigate to the right directories but I cannot see them using FTP Commander.

Permissions on those files perhaps? You may need to be logged in as root.

> Thanks in advance for any help. I did see some related discussions in the archives but the ones I could find did not address my issues directly. I hope you will forgive my ignorance about Linux and ClamAv - I am taking classes and doing lots of reading but I need the specific knowledge NOW. My teachers are going to hit the roof if I don't get this tweaked.

-- 
Brian Morrison
bdm at fenrir dot org dot uk
GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html
Re: [Clamav-users] OpenSource Clamav not ready?
On Wednesday, August 11, 2004 6:29 PM [EDT], Matthew Thomas wrote:
> I was wondering how many clamav users came across this article: http://www.eweek.com/article2/0,1759,1633536,00.asp
> The author says, among other things:
> "Clearly the biggest need these days in an anti-virus system is for scanning e-mail, and here's where ClamAntiVirus scares me. According to the manual, mail support is turned off by default because it 'is still under development and may cause stability problems.' Yikes!...In certain circles ClamAntiVirus is highly respected, but that's at least partially for lack of anything else to respect."
> I haven't had any stability problems myself and was just wondering if users perceive clamav to be as experimental as the author suggests. I know we haven't reached a 1.0 version, yet, but it's all been good for me so far.

So far, I've been using ClamAV with exim/exiscan and it runs flawlessly. Under my Windows port, it runs fairly well, with small glitches here and there. Most of the problems stem from issues with Cygwin (more like issues with Windows not being up to par with the rest of the operating systems out there). However, I do know of at least a dozen smaller ISPs and hosting services which are running my ClamAV For Windows port with various mail apps (MX Guard, etc), and are quite pleased with the results (especially for the cost).

ClamAV has come a long way since it began. I'm sure if people who question its capabilities and such spent as much of their time helping track down bugs and improving it as they do knocking it, things would go even further.

On a side note, I was approached the other day by an unnamed company asking what it would take to bolt on a real time scanner into ClamAV For Windows, so that they could replace all of their big name desktop antivirus apps with something more open and lower costing. The potential for ClamAV is limitless at this point.

-- 
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.sosdg.org
The Abusive Hosts Blocking List
http://www.ahbl.org
Re: [Clamav-users] daily.db.clamav.or.id : clamav db update via DNS
On Fri, 13 Aug 2004 at 19:48:34 +0200, Erich Titl wrote:
[...]
> 7) rebuild a .CVD file
> I have not been able to rebuild the cvd file using sigtool, so this is for someone with more sigtool experience, but the diff of the two files show that a patch is easily feasible

You can't rebuild a .cvd file with sigtool. Only virusdb maintainers can. Cvd files are digitally signed by them. It is on purpose - to make faking database impossible.

-- 
Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only
[EMAIL PROTECTED] http://www.lodz.tpsa.pl/iso/ | ones and zeros.
[EMAIL PROTECTED] http://www.ClamAV.net/ A GPL virus scanner
Re: [Clamav-users] SomeFool.P/Q occasionally passing through
David Williams wanted us to know:
> Hello all,
> We are having the same problem, we are using Clamav at our perimeter, then it forwards it to another server running Symantec. In the last week, Clamav has caught ~1200 viruses, but two got through. Symantec called it [EMAIL PROTECTED]
> According to Symantec's website, "When a file is detected as [EMAIL PROTECTED], this indicates that it is a MIME-encoded file containing the [EMAIL PROTECTED] worm."
> I don't know much about MIME encoding. Should Clamav be able to pick this up?

I wonder. If you hit the max threads and are using the clamav-milter, then it will drop through. Try picking up the max threads in clamav.conf and see if that makes a difference.

-- 
Regards... Todd
We should not be building surveillance technology into standards. Law enforcement was not supposed to be easy. Where it is easy, it's called a police state. -- Jeff Schiller on NANOG
Linux kernel 2.6.3-15mdkenterprise 2 users, load average: 0.15, 0.05, 0.01
Re: [Clamav-users] Worm.Mydoom.M
?? ?? wanted us to know:
> I remove old version of clamav
> install clamav .75.1 from tar.gz

If you emerge sync, you can emerge clamav 0.75.1. It's masked though, so you have to force it:

    ACCEPT_KEYWORDS=~x86 emerge --buildpkg clamav

I always use --buildpkg personally because I have a bank of machines.

-- 
Regards... Todd
They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. --Benjamin Franklin
Linux kernel 2.6.3-15mdkenterprise 2 users, load average: 0.00, 0.01, 0.00
[Clamav-users] clamav-milter children hanging, eating CPU
FreeBSD 4.10
~200 users
ClamAV version devel-20040806
clamav-milter version 0.74a
Sendmail 8.12.11

    clamav-milter --noreject --postmaster-only --local --max-children=10 /var/run/clamav/clmilter.sock

I've already checked the FAQ, searched the archive, and Googled.

Normal system load is low, less than 1.0. Normally, one clamav-milter process is seen in a ps. Clamav-milter doesn't even make the list in top, with mailman and imapd processes bumping it off the screen. However...

In the last two days, I've twice had my system load jump to 10.0 (to the point where sendmail was rejecting incoming connections) due to the max number of clamav-milter children spawning and consuming memory and CPU. If I kill -9 the clamav-milter processes (doesn't respond to a graceful restart request), then restart clamav-milter, it's good to go, and doesn't immediately try to spawn the max number of children. Until the next day.

Any thoughts or pointers, as I hunt for causes to this?

-jg

-- 
Jim Gaynor, SATG - Senior Computer Specialist
UW College of Engineering, Office of the Dean
email: [EMAIL PROTECTED]
Re: [Clamav-users] daily.db.clamav.or.id : clamav db update via DNS
Erich Titl wanted us to know:
> Nice, we could actually build a wrapper around freshclam to only fetch when there is a new version ready.

It already does this.

snip

    12:39:51.553344 IP 10.1.1.240.41996 > 65.77.42.207.80: P 1:145(144) ack 1 win 5840 <nop,nop,timestamp 191254661 149266201>
        0x0000:  4500 00c4 1b41 4000 4006 a6e6 0a01 01f0  [EMAIL PROTECTED]@...
        0x0010:  414d 2acf a40c 0050 0c61 4b7d 9e51 df57  AM*P.aK}.Q.W
        0x0020:  8018 16d0 79c0 0000 0101 080a 0b66 5085  yfP.
        0x0030:  08e5 9f19 4745 5420 2f6d 6169 6e2e 6376  GET./main.cv
        0x0040:  6420 4854 5450 2f31 2e31 0d0a 486f 7374  d.HTTP/1.1..Host
        0x0050:  3a20 6461 7461 6261 7365 2e63 6c61 6d61  :.database.clama
        0x0060:  762e 6e65 740d 0a55 7365 722d 4167 656e  v.net..User-Agen
        0x0070:  743a 2063 6c61 6d61 762f 302e 3735 2e31  t:.clamav/0.75.1
        0x0080:  0d0a 4361 6368 652d 436f 6e74 726f 6c3a  ..Cache-Control:
        0x0090:  206e 6f2d 6361 6368 650d 0a43 6f6e 6e65  .no-cache..Conne
        0x00a0:  6374 696f 6e3a 2063 6c6f 7365 0d0a 5261  ction:.close..Ra
        0x00b0:  6e67 653a 2062 7974 6573 3d30 2d35 3131  nge:.bytes=0-511
        0x00c0:  0d0a 0d0a

snip

    12:39:51.690287 IP 10.1.1.240.41997 > 65.77.42.207.80: P 1:146(145) ack 1 win 5840 <nop,nop,timestamp 191254798 149266215>
        0x0000:  4500 00c5 f890 4000 4006 c995 0a01 01f0  [EMAIL PROTECTED]@...
        0x0010:  414d 2acf a40d 0050 0d14 a843 8cb0 0e1e  AM*P...C
        0x0020:  8018 16d0 d840 0000 0101 080a 0b66 510e  [EMAIL PROTECTED]
        0x0030:  08e5 9f27 4745 5420 2f64 6169 6c79 2e63  ...'GET./daily.c
        0x0040:  7664 2048 5454 502f 312e 310d 0a48 6f73  vd.HTTP/1.1..Hos
        0x0050:  743a 2064 6174 6162 6173 652e 636c 616d  t:.database.clam
        0x0060:  6176 2e6e 6574 0d0a 5573 6572 2d41 6765  av.net..User-Age
        0x0070:  6e74 3a20 636c 616d 6176 2f30 2e37 352e  nt:.clamav/0.75.
        0x0080:  310d 0a43 6163 6865 2d43 6f6e 7472 6f6c  1..Cache-Control
        0x0090:  3a20 6e6f 2d63 6163 6865 0d0a 436f 6e6e  :.no-cache..Conn
        0x00a0:  6563 7469 6f6e 3a20 636c 6f73 650d 0a52  ection:.close..R
        0x00b0:  616e 6765 3a20 6279 7465 733d 302d 3531  ange:.bytes=0-51
        0x00c0:  310d 0a0d 0a                             1

snip

It only retrieves the first 512 bytes of data from each CVD file. Here is what a sample return packet looks like:

    12:39:51.761643 IP 65.77.42.207.80 > 10.1.1.240.41997: P 1:812(811) ack 146 win 57456 <nop,nop,timestamp 149266222 191254798>
        0x0000:  4500 035f d641 4000 3506 f44a 414d 2acf  [EMAIL PROTECTED]
        0x0010:  0a01 01f0 0050 a40d 8cb0 0e1e 0d14 a8d4  .P..
        0x0020:  8018 e070 66da 0000 0101 080a 08e5 9f2e  ...pf...
        0x0030:  0b66 510e 4854 5450 2f31 2e31 2032 3036  .fQ.HTTP/1.1.206
        0x0040:  2050 6172 7469 616c 2043 6f6e 7465 6e74  .Partial.Content
        0x0050:  0d0a 4461 7465 3a20 4672 692c 2031 3320  ..Date:.Fri,.13.
        0x0060:  4175 6720 3230 3034 2032 303a 3035 3a30  Aug.2004.20:05:0
        0x0070:  3220 474d 540d 0a53 6572 7665 723a 2041  2.GMT..Server:.A
        0x0080:  7061 6368 652f 312e 332e 3237 2028 556e  pache/1.3.27.(Un
        0x0090:  6978 290d 0a4c 6173 742d 4d6f 6469 6669  ix)..Last-Modifi
        0x00a0:  6564 3a20 4672 692c 2031 3320 4175 6720  ed:.Fri,.13.Aug.
        0x00b0:  3230 3034 2031 383a 3535 3a32 3720 474d  2004.18:55:27.GM
        0x00c0:  540d 0a45 5461 673a 2022 3232 3265 3232  T..ETag:.222e22
        0x00d0:  2d32 3761 6538 2d34 3131 6430 6539 6622  -27ae8-411d0e9f
        0x00e0:  0d0a 4163 6365 7074 2d52 616e 6765 733a  ..Accept-Ranges:
        0x00f0:  2062 7974 6573 0d0a 436f 6e74 656e 742d  .bytes..Content-
        0x0100:  4c65 6e67 7468 3a20 3531 320d 0a43 6f6e  Length:.512..Con
        0x0110:  7465 6e74 2d52 616e 6765 3a20 6279 7465  tent-Range:.byte
        0x0120:  7320 302d 3531 312f 3136 3235 3336 0d0a  s.0-511/162536..
        0x0130:  436f 6e6e 6563 7469 6f6e 3a20 636c 6f73  Connection:.clos
        0x0140:  650d 0a43 6f6e 7465 6e74 2d54 7970 653a  e..Content-Type:
        0x0150:  2074 6578 742f 706c 6169 6e0d 0a0d 0a43  .text/plainC
        0x0160:  6c61 6d41 562d 5644 423a 3133 2041 7567  lamAV-VDB:13.Aug
        0x0170:  2032 3030 3420 3230 2d35 3520 2b30 3230  .2004.20-55.+020
        0x0180:  303a 3435 323a 3136 3138 3a32 3a31 3362  0:452:1618:2:13b
        0x0190:  3836 3834 3366 3661 6232 6564 3761 6131  86843f6ab2ed7aa1
        0x01a0:  3536 3436 3531 6531 3030 3833 373a 4d38  564651e100837:M8
        0x01b0:  6d45 4938 6f76 7063 794b 3345 5744 7670  mEI8ovpcyK3EWDvp
        0x01c0:  556f 7439 446e 3139 657a 3879 624a 4935  Uot9Dn19ez8ybJI5
        0x01d0:  3935 6f36 7536 5733 6f75 4d41 786b 4859  95o6u6W3ouMAxkHY
        0x01e0:  6a34 4868 4b6a 4252 2f70 5742 7442 4743  j4HhKjBR/pWBtBGC
        0x01f0:  3465 4e64 6874 4644 2b48 644a 7a74 694f
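What the 512-byte ranged reply above is good for, as an added example that is neither the thread's code nor freshclam's: reconstruct the HTTP 206 response from the packet dump's ASCII column, pull the version out of the `ClamAV-VDB:` header and decide whether the full daily.cvd needs fetching. The digital-signature field is cut off in the dump, so its tail is completed with an obvious placeholder and the header block is space-padded to 512 bytes (both constructed). The header layout assumed is `ClamAV-VDB:<build time>:<version>:<signatures>:<functionality level>:<md5>:<dsig>`, which matches the fields `sigtool -i` prints earlier in the thread; anything after the seventh field is ignored.

```python
# Added example (not from the thread or from freshclam): parse the 512-byte
# Range response freshclam asks for and compare the remote CVD version with
# the local one before downloading the whole file.
import re

CVD_HEADER_LEN = 512  # "Range: bytes=0-511" covers exactly the CVD header

# Constructed body: the visible part comes from the dump's ASCII column, the
# dsig tail is a PLACEHOLDER and the space padding is an assumption.
_BODY = (
    b"ClamAV-VDB:13 Aug 2004 20-55 +0200:452:1618:2:"
    b"13b86843f6ab2ed7aa1564651e100837:"
    b"M8mEI8ovpcyK3EWDvpUot9Dn19ez8ybJI595o6u6W3ouMAxkHYj4HhKjBR/pWBtBGC4eNdhtFD+HdJztiO"
    b"PLACEHOLDERRESTOFDSIG"
).ljust(CVD_HEADER_LEN, b" ")

SAMPLE_206 = (
    b"HTTP/1.1 206 Partial Content\r\n"
    b"Date: Fri, 13 Aug 2004 20:05:02 GMT\r\n"
    b"Server: Apache/1.3.27 (Unix)\r\n"
    b"Last-Modified: Fri, 13 Aug 2004 18:55:27 GMT\r\n"
    b"Accept-Ranges: bytes\r\n"
    b"Content-Length: 512\r\n"
    b"Content-Range: bytes 0-511/162536\r\n"
    b"Connection: close\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
) + _BODY

def split_response(raw):
    """Return (status code, {lower-cased header: value}, body bytes)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP response: no header terminator")
    lines = head.split(b"\r\n")
    m = re.match(r"HTTP/1\.[01] (\d{3}) ", lines[0].decode("ascii", "replace"))
    if not m:
        raise ValueError(f"bad status line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), headers, body

def parse_cvd_header(block):
    """Split the colon-separated header; trailing padding is stripped."""
    fields = block.rstrip(b" \0").decode("ascii", "replace").split(":")
    if fields[0] != "ClamAV-VDB" or len(fields) < 7:
        raise ValueError("not a ClamAV-VDB header")
    if not re.fullmatch(r"[0-9a-f]{32}", fields[5]):
        raise ValueError("malformed MD5 field")
    return {"build_time": fields[1], "version": int(fields[2]),
            "signatures": int(fields[3]), "flevel": int(fields[4]),
            "md5": fields[5], "dsig": fields[6]}

def cvd_header_from_response(raw):
    """Return (parsed header, total file size) from a ranged GET reply.
    A 200 (server ignored Range) is tolerated: the header is still the
    first 512 bytes.  Anything else, or a range not starting at 0, is an error."""
    status, headers, body = split_response(raw)
    if status == 206:
        m = re.fullmatch(r"bytes (\d+)-(\d+)/(\d+)", headers.get("content-range", ""))
        if not m or int(m.group(1)) != 0:
            raise ValueError("unexpected Content-Range; header bytes not at offset 0")
        total = int(m.group(3))
    elif status == 200:
        total = int(headers.get("content-length", len(body)))
    else:
        raise ValueError(f"unexpected HTTP status {status}")
    return parse_cvd_header(body[:CVD_HEADER_LEN]), total

def needs_update(local_version, remote_header):
    """Only fetch the full CVD when the remote version is newer."""
    return remote_header["version"] > local_version

if __name__ == "__main__":
    hdr, total = cvd_header_from_response(SAMPLE_206)
    print(hdr["version"], hdr["signatures"], hdr["md5"], total)
    print("update from 448?", needs_update(448, hdr))
```

The version comparison is the cheap part; the MD5 and digital signature carried in the same header are what a client checks once the full file has arrived, which is why the 512-byte probe can be trusted only to decide whether to download, not to decide what to install.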
[Clamav-users] Clamd - reloading of database delayed after freshclam update
Anyone any ideas as to why, when freshclam updates daily.cvd, clamd does not reload the database until the next integrity check time arrives?

I have told freshclam to notify clamd in freshclam.conf and passed the correct config file to clamd to ensure it gets the correct configuration, but still this delay is there.

Any thoughts? I can easily post snippets of config files if that will help.

--
Brian Morrison
bdm at fenrir dot org dot uk
GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html
Re: [Clamav-users] daily.db.clamav.or.id : clamav db update via DNS
At 21:13 13.08.2004, you wrote:
> On Fri, 13 Aug 2004 at 19:48:34 +0200, Erich Titl wrote:
> [...]
>> 7) rebuild a .CVD file
>> I have not been able to rebuild the cvd file using sigtool, so this is for someone with more sigtool experience, but the diff of the two files shows that a patch is easily feasible
>
> You can't rebuild a .cvd file with sigtool. Only virusdb maintainers can. Cvd files are digitally signed by them. It is on purpose - to make faking the database impossible.

Oh, I thought the database was signed and the public key(s) published.

I understand the reason behind this, although a self-contained, automated process might do as well (if incremental update should become an issue). I believe if such a process can verify the md5sum of the input file against a publicly known md5sum of the original input, then to some extent a cvd file could be created locally. The signature would not have the same weight, but creating an identical md5sum for the fake input and/or .cvd file would be quite a challenge.

cheers

Erich

THINK
Püntenstrasse 39
8143 Stallikon
mailto:[EMAIL PROTECTED]
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16
Re: [Clamav-users] Idea for more timely virusdb updates
On Wed, Aug 11, 2004 at 03:07:35PM +0200, Lionel Bouton wrote:
> The ideal setup would be to push updates instead of clients polling them. It would require a separate architecture though (HTTP mirrors can't push things). For some time I have been thinking of a bittorrent approach too. Bittorrent i...

All this should fail for the *majority* of ClamAV sites!!

Push updates implies people have put clam servers out on the Internet so that they are reachable - I don't think so! That's what firewalls were invented for.

Similarly, BitTorrent *requires* raw Internet access in order to operate - again - not a normal situation for an AV server.

DNS for serial numbers plus HTTP for actual data transfer still sounds best to me... All outgoing connections only, all well established (nothing exotic).

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: [Clamav-users] daily.db.clamav.or.id : clamav db update via DNS
On Fri, 13 Aug 2004, Todd Lyons wrote:
> Erich Titl wanted us to know:
>> Nice, we could actually build a wrapper around freshclam to only fetch when there is a new version ready.
>
> It already does this. It only retrieves the first 512 bytes of data from each CVD file. Here is what a sample return packet looks like:

So it does not download each file in its entirety as people have been suggesting. Good to know, and maybe that means we're wasting our time on all these other ideas.

But still, checking DNS for an update means a single UDP packet each way (which might even get cached). Downloading the first 512 bytes requires something like:

  SYN
  SYN-ACK
  ACK
  PUSH (request for data)
  ACK (response with data)
  FIN
  FIN-ACK
  ACK

Plus, the server needs to handle the stateful connection. Seems a lot worse when you look at it this way. ;)

Damian Menscher
--
-=#| Physics Grad Student SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
-=#| [EMAIL PROTECTED] www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
-=#| The above opinions are not necessarily those of my employers. |#=-
Re: [Clamav-users] Some help for a newbie regarding configuration files
Dana Millaway wanted us to know:
> at command line linux. They updated the Clam last week but I am not sure which version they used. I have not been able to connect with the vendor and I need to tweak how Clam is handling HTML emails because it is blocking legitimate emails containing conference registration forms.

Clam shouldn't be blocking emails just because they're html, only if they contain viruses. Chances are that SpamAssassin is what is causing your grief. Look in /var/log/maillog and see if you can get some detail about what's happening there.

--
Regards... Todd
We should not be building surveillance technology into standards. Law enforcement was not supposed to be easy. Where it is easy, it's called a police state. -- Jeff Schiller on NANOG
Linux kernel 2.6.3-15mdkenterprise 2 users, load average: 0.15, 0.04, 0.01
Re: [Clamav-users] daily.db.clamav.or.id : clamav db update via DNS
Damian Menscher wanted us to know:
> Good to know, and maybe that means we're wasting our time on all these other ideas.
>
> But still, checking DNS for an update means a single UDP packet each way (which might even get cached).

Yeah, I can see the simplicity and advantage of such a method.

--
Regards... Todd
We should not be building surveillance technology into standards. Law enforcement was not supposed to be easy. Where it is easy, it's called a police state. -- Jeff Schiller on NANOG
Linux kernel 2.6.3-15mdkenterprise 2 users, load average: 0.03, 0.03, 0.00
Re: [Clamav-users] daily.db.clamav.or.id : clamav db update via DNS
On Fri, 13 Aug 2004 22:04:31 +0200 Erich Titl [EMAIL PROTECTED] wrote:
> become an issue). I believe if such a process can verify the md5sum of the input file against a publicly known md5sum of the original input, then to some extent a cvd file could be created locally. The signature

You don't need to create a .cvd file because both clamd and clamscan can read .db and .db2 files as well.

--
   oo.                      Tomasz Kojm [EMAIL PROTECTED]
  (\/)\.                    http://www.ClamAV.net/gpg/tkojm.gpg
     \..._  0DCA5A08407D5288279DB43454822DC8985A444B
       //\   /\             Fri Aug 13 22:17:17 CEST 2004
Re: [Clamav-users] Idea for more timely virusdb updates
On Sat, 14 Aug 2004 08:02:51 +1200 Jason Haar [EMAIL PROTECTED] wrote:
> DNS for serial numbers plus HTTP for actual data transfer still sounds

New version of freshclam will work in this way. Big thanks to all for the interesting thread!

--
   oo.                      Tomasz Kojm [EMAIL PROTECTED]
  (\/)\.                    http://www.ClamAV.net/gpg/tkojm.gpg
     \..._  0DCA5A08407D5288279DB43454822DC8985A444B
       //\   /\             Fri Aug 13 22:26:46 CEST 2004
Re: [Clamav-users] daily.db.clamav.or.id : clamav db update via DNS
On Friday 13 August 2004 22:05, Damian Menscher wrote:

Hi,

> other ideas. But still, checking DNS for an update means a single UDP packet each way (which might even get cached).

In the proposed use case the DNS info is most probably cached by the next ISP already.

> Downloading the first 512 bytes requires something like:
>
>   SYN
>   SYN-ACK
>   ACK
>   PUSH (request for data)
>   ACK (response with data)
>   FIN
>   FIN-ACK
>   ACK
>
> Plus, the server needs to handle the stateful connection. Seems a lot worse when you look at it this way. ;)

It uses at least 3 orders of magnitude more resources and of course does also not scale that well.

Regards,
-- martin

Dipl.-Phys. Martin Konold
e r f r a k o n
Erlewein, Frank, Konold Partner - Beratende Ingenieure und Physiker
Nobelstrasse 15, 70569 Stuttgart, Germany
fon: 0711 67400963, fax: 0711 67400959
email: [EMAIL PROTECTED]
RE: [Clamav-users] Idea for more timely virusdb updates
>> DNS for serial numbers plus HTTP for actual data transfer still sounds
>
> New version of freshclam will work in this way. Big thanks to all for the interesting thread!

Sounds cool Tomasz! Be interested to hear if this helps reduce the load on the mirrors at all.

Once this is tested, an update to recommended polling times would be appreciated (for anyone not running freshclam as a daemon).

Thanks!

m/
RE: [Clamav-users] Idea for more timely virusdb updates
> Similarly, BitTorrent *requires* raw Internet access in order to operate - again - not a normal situation for an AV server.

Don't know what exactly you meant by raw as opposed to sauteed, broiled, baked or toasted, but BitTorrent does NOT require unfirewalled access. It does require a small port range to be forwarded to it, BUT that port range is not required to be the same on any two hosts. When the host contacts the tracker, it tells the tracker which ports it is listening on so the tracker can distribute load to it.

m/
Re: [Clamav-users] SomeFool.P/Q occasionally passing through
On Friday 13 Aug 2004 8:08 pm, Todd Lyons wrote:
> I wonder. If you hit the max threads and are using the clamav-milter, then it will drop through. Try picking up the max threads in clamav.conf and see if that makes a difference.

Not true.

-Nigel
Re: [Clamav-users] Idea for more timely virusdb updates
On Fri, 13 Aug 2004, Tomasz Kojm wrote:
> New version of freshclam will work in this way. Big thanks to all for the interesting thread!

That's C-a-n-d-r-e-v-a. For the CHANGES file. :-)

-Chris

==
Chris Candreva -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/
Re: [Clamav-users] clamav-milter children hanging, eating CPU
On Fri, Aug 13, 2004 at 12:14:10PM -0700, Jim Gaynor said:
> FreeBSD 4.10
> ~200 users
> ClamAV version devel-20040806
> clamav-milter version 0.74a
> Sendmail 8.12.11
> clamav-milter --noreject --postmaster-only --local --max-children=10 /var/run/clamav/clmilter.sock
>
> I've already checked the FAQ, searched the archive, and Googled.
>
> Normal system load is low, less than 1.0. Normally, one clamav-milter process is seen in a ps. Clamav-milter doesn't even make the list in top, with mailman and imapd processes bumping it off the screen.
>
> However... In the last two days, I've twice had my system load jump to 10.0 (to the point where sendmail was rejecting incoming connections) due to the max number of clamav-milter children spawning and consuming memory and CPU. If I kill -9 the clamav-milter processes (doesn't respond to a graceful restart request), then restart clamav-milter, it's good to go, and doesn't immediately try to spawn the max number of children. Until the next day.
>
> Any thoughts or pointers, as I hunt for causes to this?

Get rid of max-children. Without the argument, clamav-milter spawns as many child processes as it needs. With it, requests from sendmail get stuck waiting for an available child, and the load can easily go through the roof. If the load from unlimited milter processes is too much, try limiting the number of sendmail processes that are allowed at a time. MaxDaemonChildren or something - you'll have to double check, since it's been a little while.

--
| Stephen Gran                  | Why are you so hard to ignore? |
| [EMAIL PROTECTED]             |                                |
| http://www.lobefin.net/~steve |                                |
Re: [Clamav-users] daily.db.clamav.or.id : clamav db update via DNS
Hi

At 21:41 13.08.2004, you wrote:
> Erich Titl wanted us to know:
>> Nice, we could actually build a wrapper around freshclam to only fetch when there is a new version ready.
>
> It already does this.

Yes, but it uses TCP, not hierarchically distributed servers; all this has been discussed lately. DNS is inherently fast and has little load.

cheers

Erich

THINK
Püntenstrasse 39
8143 Stallikon
mailto:[EMAIL PROTECTED]
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16
Re: [Clamav-users] SomeFool.P/Q occasionally passing through
Nigel Horne wanted us to know:
> On Friday 13 Aug 2004 8:08 pm, Todd Lyons wrote:
>> I wonder. If you hit the max threads and are using the clamav-milter, then it will drop through. Try picking up the max threads in clamav.conf and see if that makes a difference.
>
> Not true.

I thought the default setting in the sendmail.mc file resulted in a non temp failure passthrough if the milter stopped responding. No matter, you know much better than I what is happening.

--
Regards... Todd
They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. --Benjamin Franklin
Linux kernel 2.6.3-15mdkenterprise 2 users, load average: 0.01, 0.01, 0.00
Re: [Clamav-users] daily.db.clamav.or.id : clamav db update via DNS
Tomasz Kojm wrote:
> On Fri, 13 Aug 2004 22:04:31 +0200 Erich Titl [EMAIL PROTECTED] wrote:
>> become an issue). I believe if such a process can verify the md5sum of the input file against a publicly known md5sum of the original input, then to some extent a cvd file could be created locally. The signature
>
> You don't need to create a .cvd file because both clamd and clamscan can read .db and .db2 files as well.

Sure, but those are certainly more vulnerable.

cheers

Erich
Re: [Clamav-users] clamav-milter children hanging, eating CPU
Stephen Gran wrote:
> On Fri, Aug 13, 2004 at 12:14:10PM -0700, Jim Gaynor said:
>> clamav-milter --noreject --postmaster-only --local --max-children=10 /var/run/clamav/clmilter.sock
>>
>> In the last two days, I've twice had my system load jump to 10.0 (to the point where sendmail was rejecting incoming connections) due to the max number of clamav-milter children spawning and consuming memory and CPU. If I kill -9 the clamav-milter processes (doesn't respond to a graceful restart request), then restart clamav-milter, it's good to go, and doesn't immediately try to spawn the max number of children.
>
> Get rid of max-children. Without the argument, clamav-milter spawns as many child processes as it needs. With it, requests from sendmail get stuck waiting for an available child, and the load can easily go through the roof. If the load from unlimited milter processes is too much, try limiting the number of sendmail processes that are allowed at a time. MaxDaemonChildren or something - you'll have to double check, since it's been a little while.

It isn't sendmail that's borking this system, tho; it's the multiple high-load high-memory clamav-milter processes. I've checked the sendmail queue when those processes start to hog resources, and only had 32 items in queue one time, 24 another. Heck, right now I have 26, and load is still 1.0.

I'm not saying your approach is wrong, I'm just saying I'm not entirely convinced it's right - spawning off more children doesn't seem the answer when the existing ones appear to have all gone into high-resource-consumption state...

-jg

--
Jim Gaynor, SATG - Senior Computer Specialist
UW College of Engineering, Office of the Dean
email: [EMAIL PROTECTED]
Re: [Clamav-users] Idea for more timely virusdb updates
On Fri, Aug 13, 2004 at 02:22:55PM -0700, Mitch (WebCob) wrote:
> Don't know what exactly you meant by raw as opposed to sauteed, broiled, baked or toasted, but BitTorrent does NOT require unfirewalled access. It does require a small port range to be forwarded to it, BUT that port range is not required to be the same on any two hosts.

Well that means raw :-)

It means the *incoming* ports involved need to be open to the Internet. Creating outgoing SMTP/HTTP/FTP from within a firewalled network doesn't mean you have to open up your firewall for any incoming ports - BitTorrent does require that. That falls into the "must have really good business case - can we put you in a standalone DMZ?" case for most largish companies.

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: [Clamav-users] Freshclam cron interval {Revisado por Antivirus}
On Thu, 12-08-2004 at 18:46, Philip Ershler wrote:
> What do folks think is an appropriate interval for a cron job to run freshclam? Is once an hour reasonable?
> Thanks,
> Phil

This is my line in /etc/crontab:

0 */4 * * * root /usr/local/bin/freshclam 2>/tmp/freshclam.txt; cat \
/tmp/freshclam.txt | mail -s "Actualizacion Antivirus" jgalicia

What it means: every four hours execute freshclam and send me an email with the results.

Regards
Julio Galicia
Re: [Clamav-users] Freshclam cron interval {Revisado por Antivirus}
> This is my line in /etc/crontab:
>
> 0 */4 * * * root /usr/local/bin/freshclam 2>/tmp/freshclam.txt; cat \
> /tmp/freshclam.txt | mail -s "Actualizacion Antivirus" jgalicia
>
> What it means: every four hours execute freshclam and send me an email with the results.

Two comments:

First, do NOT do it *on* the hour. Too many people doing that will kill the mirrors. Pick some random minute to do it instead.

Second, most sensible implementations of cron automatically email any output to the owner of the crontab (ie, root). So you are much better off just giving the --quiet option to freshclam, and it will only annoy you when there are problems, rather than all the time. This assumes, of course, that you are root, and that everyone who is root would want the notifications.

Damian Menscher
--
-=#| Physics Grad Student SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
-=#| [EMAIL PROTECTED] www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
-=#| The above opinions are not necessarily those of my employers. |#=-
Re: [Clamav-users] clamav-milter children hanging, eating CPU
On Fri, Aug 13, 2004 at 04:07:47PM -0700, Jim Gaynor said:
> It isn't sendmail that's borking this system, tho; it's the multiple high-load high-memory clamav-milter processes. I've checked the sendmail queue when those processes start to hog resources, and only had 32 items in queue one time, 24 another. Heck, right now I have 26, and load is still 1.0.
>
> I'm not saying your approach is wrong, I'm just saying I'm not entirely convinced it's right - spawning off more children doesn't seem the answer when the existing ones appear to have all gone into high-resource-consumption state...

No, you're reading me backwards. It is the clamav-milter child threads killing the system. However, adding sendmail processes stuck in a wait state to that only makes it worse. Get rid of the max-children in clamav-milter, and control the overall scene by reducing the number of sendmail - milter processes spawned in sendmail. Doing it in the milter just adds choke to sendmail.

This is what I have found most effective in (fairly) high-load mail systems, meaning 50-100,000 emails a day, where we do both clam and spamassassin scanning. It's better to delay the startup of a new sendmail - clam - whatever process, than to start up the transaction, and keep it waiting around longer because the system is resource starved. YMMV.

--
| Stephen Gran                  | BOFH excuse #221: The mainframe needs |
| [EMAIL PROTECTED]             | to rest. It's getting old, you know.  |
| http://www.lobefin.net/~steve |                                       |