Re: [Clamav-users] Leak on Linux 2.4
> >Can clamd be made to exit on memory errors? That way daemontools can just
> >start it from scratch again
> >
> Can't you use clamdwatch.pl with it ?

Sure, but that's only a workaround. We have mailservers that get clamd restarted (via clamdwatch.pl) nearly 10-15 times a day. Every time clamd hangs that has consequences to the mail-flow, and that's a real problem.

Running clamd without softlimit ends in clamd (after some time, some hours, some days or a week, I never found out why) eating up all memory until the servers hook off. So softlimit is a workaround, but not the solution.

These memory leaks may be the only real reason not to deal with clamav, in all other relations this project is nice and fine. It would be very positive to get the code 'de-leaked'. I'm not the C-programmer to work on it, but if it helps our company could make some donations to get clamd more (memory-) stable.

---
SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media 100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33 Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift. http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
___
Clamav-users mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/clamav-users
Re: [Clamav-users] Leak on Linux 2.4
Jason Haar wrote:
> On Tue, Aug 17, 2004 at 12:57:15PM +0100, Brian Morrison wrote:
> > Yes, there's almost no point to having free physical memory on a
> > machine, if it is freed and not claimed by something else the VM will
> > remember the last use and not overwrite or swap unless something else
> > needs to commit memory.
>
> Sorry - but coding that way will just lead to DoS attacks.

[snip]

> I don't mind it using 200M - but I don't know if *sometimes* it needs xxxM. I
> do know I can't have clamd taking 1Gb RAM without my system grinding to a
> halt - and that's why I want to use softlimit to stop that happening.
>
> ...and yet I can't :-(
>
> Can clamd be made to exit on memory errors? That way daemontools can just
> start it from scratch again

Can't you use clamdwatch.pl with it ?

On my setup, I have clamd under softlimit, fghack, and daemontools. I also run clamdwatch.pl every 5 minutes. If clamdwatch fails (out of memory, bad database, or whatever) I kill clamd (kill -9 `ps -ef | grep /usr/local/sbin/clamd | awk '{print $2}'`) and let daemontools start it. It's not elegant, but it works for me.

Regards,

Fajar
Re: [Clamav-users] Leak on Linux 2.4
On Tue, Aug 17, 2004 at 12:57:15PM +0100, Brian Morrison wrote:
> Yes, there's almost no point to having free physical memory on a
> machine, if it is freed and not claimed by something else the VM will
> remember the last use and not overwrite or swap unless something else
> needs to commit memory.

Sorry - but coding that way will just lead to DoS attacks.

This is still (actually I stopped trying after 0.70 came out) an issue with clamd. I like running daemons under softlimit to limit the potential for DoS attacks (i.e. runaway process tries to swallow all RAM on system: softlimit sets max memory to 50M - process hits memory, gets "out of memory" error and exits).

I could never get clamd to run under softlimits. Looks like clamd specifically overrides "out of memory" errors and keeps running ("out of memory"?? Hmm, sleep, try again. "out of memory"?? Hmm, sleep, try again..).

Right now I have a couple of clamd servers running with 60M of RAM - I've seen them sitting at over 200M before. Once they acquire memory, they never let it go.

I don't mind it using 200M - but I don't know if *sometimes* it needs xxxM. I do know I can't have clamd taking 1Gb RAM without my system grinding to a halt - and that's why I want to use softlimit to stop that happening.

...and yet I can't :-(

Can clamd be made to exit on memory errors? That way daemontools can just start it from scratch again

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: [Clamav-users] Error building on FreeBSD 4.10-STABLE (II)
> mbox.c:382: curl/curl.h: No such file or directory

This has been reported and has already been fixed. You need to be patient with sourceforge, there is nothing I can do to speed it up getting to the public server.

Please report bugs to [EMAIL PROTECTED], especially those relating to CVS development releases.

-Nigel
Re: [Clamav-users] Getting signature file versions in PERL
Thanks all for the suggestions. I wasn't aware that the version numbers were in plain obvious sight, but thanks for pointing that out.

--
Robert Blayzor, BOFH
INOC, LLC
[EMAIL PROTECTED]
PGP: http://www.inoc.net/~dev/
Key fingerprint = 1E02 DABE F989 BC03 3DF5 0E93 8D02 9D0B CB1A A7B0

That's a great computer you have there; have you considered how it would work as a BSD machine?
[Clamav-users] Error building on FreeBSD 4.10-STABLE (II)
Hi all and hi rob (FreeBSD clamav port maintainer).

I am using a build box FreeBSD 4.10-STABLE to build a daily clamav binary. For some reason I can't use the FreeBSD port system so I am obliged to build it by hand.

I get the latest daily cvs tarball:

http://www.clamav.net/snapshot/clamav-devel-latest.tar.gz

I am unpacking it and then use the following configure line:

    ./configure --enable-milter --sysconfdir=/usr/local/etc --prefix=/usr/local --with-dbdir=/usr/local/share/clamav --disable-clamav --disable-clamuko --enable-bigstack --disable-dependency-tracking

Then I issue a make and I get after a while:

    gcc -DHAVE_CONFIG_H -I. -I. -I.. -I.. -I./zziplib -I./mspack -g -O2 -c blob.c -fPIC -DPIC -o .libs/blob.lo
    gcc -DHAVE_CONFIG_H -I. -I. -I.. -I.. -I./zziplib -I./mspack -g -O2 -c blob.c -o blob.o >/dev/null 2>&1
    mv -f .libs/blob.lo blob.lo
    /bin/sh ../libtool --mode=compile gcc -DHAVE_CONFIG_H -I. -I. -I.. -I.. -I./zziplib -I./mspack -g -O2 -c -o mbox.lo mbox.c
    rm -f .libs/mbox.lo
    gcc -DHAVE_CONFIG_H -I. -I. -I.. -I.. -I./zziplib -I./mspack -g -O2 -c mbox.c -fPIC -DPIC -o .libs/mbox.lo
    mbox.c:382: curl/curl.h: No such file or directory
    *** Error code 1

I could not find the file curl.h in my system. It seems (because I am on holiday right now with limited Internet access) that the last time I successfully built it is on: 20040806.

I have examined the file: mbox.c and I found the following lines that could cause the problem ...

---> begin <---
#define CHECKURLS /* If an email contains URLs, check them */

#ifdef CHECKURLS
#define LIBCURL /* To build with LIBCURL:
 * LDFLAGS=`curl-config --libs` ./configure ...
 */
#define MAX_URLS 10 /*
 * Maximum number of URLs scanned in a message
 * part
 */
#ifdef LIBCURL
#include <curl/curl.h>
#endif
#endif
--> end <--

Bypass the I go some steps forward but then I get :

    gcc -DSENDMAIL_BIN=\"/usr/sbin/sendmail\" -g -O2 -o .libs/clamav-milter cfgparser.o getopt.o memory.o clamav-milter.o ../libclamav/.libs/libclamav.so -lz -lbz2 -lgmp -lmilter -lc_r -lwrap -Wl,--rpath -Wl,/usr/local/lib
    /usr/lib/libc.so: WARNING! setkey(3) not present in the system!
    /usr/lib/libc.so: warning: this program uses gets(), which is unsafe.
    /usr/lib/libc.so: warning: mktemp() possibly used unsafely; consider using mkstemp()
    /usr/lib/libc.so: WARNING! des_setkey(3) not present in the system!
    /usr/lib/libc.so: WARNING! encrypt(3) not present in the system!
    /usr/lib/libc.so: warning: tmpnam() possibly used unsafely; consider using mkstemp()
    /usr/lib/libc.so: warning: this program uses f_prealloc(), which is not recommended.
    /usr/lib/libc.so: WARNING! des_cipher(3) not present in the system!
    /usr/lib/libc.so: warning: tempnam() possibly used unsafely; consider using mkstemp()
    clamav-milter.o: In function `clamfi_gethostbyname':
    /usr/home/gm-projects/clamav/clamav-devel-latest/clamav-milter/clamav-milter.c:3262: undefined reference to `gethostbyname_r'
    *** Error code 1

    Stop in /usr/home/gm-projects/clamav/clamav-devel-latest/clamav-milter.

I have the following env:

    FreeBSD mckoy.masternet.it 4.10-STABLE FreeBSD 4.10-STABLE #4: Tue Jul 27 19:43:32 CEST 2004 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/FREEBSD i386

    # gcc -v
    Using builtin specs.
    gcc version 2.95.4 20020320 [FreeBSD]

    # pkg_info | grep auto
    autoconf-2.59_2 Automatically configure source code on many Un*x platforms
    automake-1.9 GNU Standards-compliant Makefile generator (version 1.9)

Any tips to get thing working ?

Thanks.

Ciao
Gianmarco
Re: [Clamav-users] Getting signature file versions in PERL
Todd Lyons <[EMAIL PROTECTED]> wrote:
> Robert Blayzor wanted us to know:
>
> >[foo:/usr/local/share/clamav] sigtool -i daily.cvd
> >Version: 459
> >I'm really interested in just getting Version #'s from within a PERL
> >script. Anyone know how I can accomplish this natively without having
> >to rely on system calling sigtool externally?
>
> Well by running strings, I see this:
> smtp1 clamav # strings daily.cvd | head -1
> ClamAV-VDB:17 Aug 2004 14-49
> +0100:459:1653:2:56716b5ea7fb38e049ba3f3657e5ab35:sBj2SGZrCm7xW+p67J+n7
> mbTJqxpgwtoYgGjM0bwhyAooG5yLOXE8aqH7aLfGl25hR6vvPdENjr0Nm5qDWm3/46P6SAn
> xKSgSqZg4d2W5/iItqm24CbRbqavOMJkvggXP9pucFEt3hwxdPTOrnH6oKVYwb7rXk0EekR
> Fl30O8Jd:trog
>
> So I would think that some sort of string search for ClamAV-VDB would
> put you in the right spot to find the version number (in between : marks
> after the +0100 timestamp).
> --
> Regards...Todd

    strings /path/to/daily.cvd | head -1 | tr -s ":" "\n" | sed -e '/[[:alpha:]]/d' | head -1

The above will give you the version number if it's in the same place each time. It's only a quick one, so it may be refinable.

Matt
Re: [Clamav-users] Getting signature file versions in PERL
On 2004-08-18, Robert Blayzor wrote:
> I'm really interested in just getting Version #'s from within a PERL script.

open(FH, "

HTH

--
(0>  Jakub Jankowski    [url]: s.atn.pl   "Even in Wonderland
//\  [EMAIL PROTECTED]  [rlu]: 174516      it is easier to meet
V_/_ [EMAIL PROTECTED]  [ekg]: 921514      Baba Yaga than Alice"
Fingerprint: FCBF F03D 9ADB B768 8B92 BB52 0341 9037 A875 942D
Re: [Clamav-users] Getting signature file versions in PERL
On Wed, Aug 18, 2004 at 11:48:56AM -0400, Robert Blayzor said:
> I know I can do the following with sigtool:
[snip]
> I'm really interested in just getting Version #'s from within a PERL
> script. Anyone know how I can accomplish this natively without having
> to rely on system calling sigtool externally?

You just want the first line of daily.cvd, and the third field of that line. Fields are separated by ':'.

perl:

    use Tie::File;
    # Present the file's lines as the elements of @array
    tie @array, 'Tie::File', '/var/lib/clamav/daily.cvd' or die "Can't open /var/lib/clamav/daily.cvd: $!\n";
    # Split the first line on ':'; the version is the third field
    @first_line = split /:/, $array[0];
    print $first_line[2];

shell:

    head -n 1 /var/lib/clamav/daily.cvd | awk -F ':' '{print $3}'

etc. There's More Than One Way To Do It, though :)

--
| Stephen Gran                  | Cheap things are of no value, valuable |
| [EMAIL PROTECTED]             | things are not cheap.                  |
| http://www.lobefin.net/~steve |                                        |
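The header layout discussed in this thread (colon-separated fields at the start of daily.cvd, version in the third field), as an added shell example that is not part of any poster's message: it reads only the leading header block of the binary file and checks the ClamAV-VDB magic and the numeric fields before returning a value. The 512-byte header length, the function names and the field names are assumptions of this example, and the sample file is constructed; the digital signature is not checked here, that remains the job of sigtool -i.

```shell
#!/bin/sh
# Added example (not from any message in this thread): read one field from
# the header at the start of a ClamAV .cvd file.
# Field order follows the header quoted in the thread:
#   ClamAV-VDB:build time:version:# of signatures:level:MD5:signature:builder
# Assumption: the header is a fixed 512-byte, space-padded block.
CVD_HEADER_LEN=512

# cvd_header FILE: print the header text with the padding removed.
# Only the header block is read and everything outside printable ASCII is
# dropped, so bytes of the binary payload never reach awk or the terminal.
cvd_header() {
    [ -r "$1" ] || { echo "cvd_header: cannot read $1" >&2; return 2; }
    dd if="$1" bs="$CVD_HEADER_LEN" count=1 2>/dev/null |
        LC_ALL=C tr -cd '\040-\176' | sed 's/ *$//'
}

# cvd_field FILE NAME: print one named header field.
# Returns 1 when the file does not start with the ClamAV-VDB magic or a
# numeric field is not numeric, 2 on usage or read errors.
cvd_field() {
    _cvd_hdr=$(cvd_header "$1") || return 2
    case $_cvd_hdr in
        ClamAV-VDB:*) ;;
        *) echo "cvd_field: $1: no ClamAV-VDB magic" >&2; return 1 ;;
    esac
    case $2 in
        build_time) _cvd_n=2 ;;
        version)    _cvd_n=3 ;;
        signatures) _cvd_n=4 ;;
        level)      _cvd_n=5 ;;
        md5)        _cvd_n=6 ;;
        dsig)       _cvd_n=7 ;;
        builder)    _cvd_n=8 ;;
        *) echo "cvd_field: unknown field '$2'" >&2; return 2 ;;
    esac
    _cvd_val=$(printf '%s\n' "$_cvd_hdr" |
        awk -F: -v n="$_cvd_n" '{ print $n }')
    case $2 in
        version|signatures|level)
            # Refuse to hand a caller anything but digits for these fields.
            case $_cvd_val in
                ''|*[!0-9]*)
                    echo "cvd_field: $1: $2 is not numeric" >&2
                    return 1 ;;
            esac ;;
    esac
    printf '%s\n' "$_cvd_val"
}

# make_sample_cvd PATH: write a constructed test file. The header values are
# the ones shown in the thread, except the signature, which is a placeholder;
# the bytes after the header stand in for the compressed payload.
make_sample_cvd() {
    printf '%-512s' 'ClamAV-VDB:17 Aug 2004 14-49 +0100:459:1653:2:56716b5ea7fb38e049ba3f3657e5ab35:CONSTRUCTED-SIGNATURE-PLACEHOLDER:trog' > "$1"
    printf '\037\213\010payload:999:\n' >> "$1"
}

# Demo on the constructed file.
demo_dir=$(mktemp -d)
make_sample_cvd "$demo_dir/daily.cvd"
echo "daily.cvd version: $(cvd_field "$demo_dir/daily.cvd" version)"
rm -rf "$demo_dir"
```

The distinct return codes let a calling script tell "not a database file" apart from "could not read the file".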
[Clamav-users] fyi: MacOSX installation howto
hi,

for those interested, here are my unadorned, somewhat dusty, 'from scratch' install notes for clamav. for me, works great on OSX 10.3.5.

richard

gmp -- GNU Multiple Precision Arithmetic Library

    # http://www.swox.com/gmp/
    DL: ftp://ftp.gnu.org/gnu/gmp/gmp-4.1.3.tar.gz

    gnutar zxf gmp-4.1.3.tar.gz
    cd /usr/ports/gmp-4.1.3
    unsetenv CFLAGS CPPFLAGS CXX CXXFLAGS LDFLAGS LDDLFLAGS LD_PREBIND LC_ALL LANG LINGUAS
    ./configure \
        --prefix=/usr/local \
        --enable-cxx \
        --enable-fft \
        --enable-mpbsd \
        --enable-mpfr \
        --disable-shared \
        --enable-static
    # note: i simply can NOT get the shared libs to build ... working on it
    make
    make install

clamav

    # http://clamav.sourceforge.net
    # http://www.afp548.com/eBBS/viewtopic.php?t=728
    DL:
    cvs -d:pserver:[EMAIL PROTECTED]:/cvsroot/clamav login
    CVS password: (empty)
    cvs -d:pserver:[EMAIL PROTECTED]:/cvsroot/clamav co clamav-devel

    # create dedicated user/group
    # change to make sure that XX & YY are "free" IDs
    niutil -create / /groups/clamav ;\
    niutil -createprop / /groups/clamav gid XX ;\
    niutil -create / /users/clamav ;\
    niutil -createprop / /users/clamav shell /bin/tcsh ;\
    niutil -createprop / /users/clamav realname "Clamav User" ;\
    niutil -createprop / /users/clamav uid XX ;\
    niutil -createprop / /users/clamav gid YY ;\
    niutil -createprop / /users/clamav _shadow_passwd ;\
    passwd clamav
    New password: "XXX"
    Retype new password: "XXX"

    niutil -appendprop / /groups/clamav users clamav
    niutil -appendprop . /groups/clamav users root
    niutil -read . /groups/clamav
    niutil -appendprop . /groups/mail users clamav

    cd /usr/ports/clamav-devel
    unsetenv CFLAGS CPPFLAGS CXX CXXFLAGS LDFLAGS LDDLFLAGS LD_PREBIND LC_ALL LANG LINGUAS ;\
    setenv LDFLAGS "-lgmp"
    ./configure \
        --prefix=/usr/local/clamav \
        --mandir=/usr/local/man \
        --enable-shared \
        --enable-static \
        --with-user=clamav \
        --with-group=clamav
    ranlib /usr/lib/libbz2.a
    make
    rm -rf /usr/local/clamav ;\
    make install

    # setup freshclam log
    touch /var/log/freshclam.log ;\
    chmod 644 /var/log/freshclam.log ;\
    chown clamav:clamav /var/log/freshclam.log

    # setup clamd log
    touch /var/log/clamd.log ;\
    chmod 644 /var/log/clamd.log ;\
    chown clamav:clamav /var/log/clamd.log

    mkdir /var/clamav
    (EDITOR) /var/clamav/clamav.conf

        ## config file for the Clam AV daemon
        ## ref: man clamav.conf
        LogFile /var/log/clamd.log
        # LogFileUnlock
        LogFileMaxSize 2M
        LogTime
        # LogClean
        LogSyslog
        LogVerbose
        PidFile /var/run/clamd.pid
        # Optional path to the global temporary directory.
        # Default is system specific - usually /var/tmp or /tmp.
        #TemporaryDirectory /var/tmp
        DatabaseDirectory /var/clamav_db
        DatabaseMirror clamav.man.olsztyn.pl
        MaxAttempts 3
        LocalSocket /tmp/clamd
        FixStaleSocket
        # TCPSocket 3310
        # TCP address.
        # By default we bind to INADDR_ANY, probably not wise.
        # Enable the following to provide some degree of protection
        # from the outside world.
        #TCPAddr 127.0.0.1
        # TCPAddr 10.0.0.2
        MaxConnectionQueueLength 15
        ## input stream will be saved to disk before scanning
        ## this allows scanning within archives.
        # StreamSaveToDisk
        # Close the connection if this limit is exceeded.
        # StreamMaxLength 10M
        MaxThreads 10
        MaxDirectoryRecursion 15
        FollowDirectorySymlinks
        FollowFileSymlinks
        SelfCheck 3600
        ## Execute a command when virus is found. In the command string %v and %f will
        ## be replaced by the virus name and the infected file name respectively.
        ##
        ## SECURITY WARNING: Make sure the virus event command cannot be exploited,
        ## eg. by using some special file name when %f is used.
        ## Always use a full path to the command.
        ## Never delete/move files with this directive !
        # VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %f: %v"
        User clamav
        # AllowSupplementaryGroups
        ## Don't fork into background. Useful in debugging.
        # Foreground
        ## Enable debug messages in libclamav.
        Debug
        ## Document scanning
        # This option enables scanning of Microsoft Office document macros.
        ScanOLE2
        ## Mail support
        ## Uncomment this option if you are planning to scan mail files.
        ScanMail
        ## Archive support
        ScanArchive
        # ScanRAR
        ArchiveMaxFileSize 10M
        ArchiveMaxRecursion 5
        ArchiveMaxFiles 1000
        # Mark potential archive bombs as viruses (0 disables the limit)
        ArchiveMaxCompressionRatio 200
        # ArchiveLimitMemoryUsage
        # Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).
        #ArchiveDetectEncrypted

    # initialize virusdb
    mkdir /var/clamav_db
    (EDITOR) /var/clamav_db/mirrors.txt
        # us & pol
Re: [Clamav-users] Getting signature file versions in PERL
Robert Blayzor wanted us to know:

>[foo:/usr/local/share/clamav] sigtool -i daily.cvd
>Version: 459
>I'm really interested in just getting Version #'s from within a PERL
>script. Anyone know how I can accomplish this natively without having
>to rely on system calling sigtool externally?

Well by running strings, I see this:

    smtp1 clamav # strings daily.cvd | head -1
    ClamAV-VDB:17 Aug 2004 14-49 +0100:459:1653:2:56716b5ea7fb38e049ba3f3657e5ab35:sBj2SGZrCm7xW+p67J+n7mbTJqxpgwtoYgGjM0bwhyAooG5yLOXE8aqH7aLfGl25hR6vvPdENjr0Nm5qDWm3/46P6SAnxKSgSqZg4d2W5/iItqm24CbRbqavOMJkvggXP9pucFEt3hwxdPTOrnH6oKVYwb7rXk0EekRFl30O8Jd:trog

So I would think that some sort of string search for ClamAV-VDB would put you in the right spot to find the version number (in between : marks after the +0100 timestamp).

--
Regards... Todd
We should not be building surveillance technology into standards. Law enforcement was not supposed to be easy. Where it is easy, it's called a police state. -- Jeff Schiller on NANOG
Linux kernel 2.6.3-15mdkenterprise 2 users, load average: 0.14, 0.07, 0.02
Re: [Clamav-users] clamav and queue files of CGPro
On Wed, 18 Aug 2004 at 16:20:44 +0400, Vladimir Mendelevich wrote:
> You wrote to <[EMAIL PROTECTED]> on Wed, 18 Aug 2004
> 11:58:59 +0200:
>
> TK> The -devel version handles such files.
>
> You are right. It works fine for me now. Any news about incorporating these
> changes in stable?

In the end, a today's "devel" becomes a tomorrow's "stable".

--
Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland   | And it's only
[EMAIL PROTECTED] http://www.lodz.tpsa.pl/iso/ | ones and zeros.
[EMAIL PROTECTED] http://www.ClamAV.net/ A GPL virus scanner
Re: [Clamav-users] Getting signature file versions in PERL
On Wed, 18 Aug 2004 at 11:48:56 -0400, Robert Blayzor wrote:
> I know I can do the following with sigtool:
>
> [foo:/usr/local/share/clamav] sigtool -i daily.cvd
> Build time: 17 Aug 2004 14-49 +0100
> Version: 459
> # of signatures: 1653
> Functionality level: 2
> Builder: trog
> MD5: 56716b5ea7fb38e049ba3f3657e5ab35
> Digital signature:
> sBj2SGZrCm7xW+p67J+n7mbTJqxpgwtoYgGjM0bwhyAooG5yLOXE8aqH7aLfGl25hR6vvPdENjr0Nm5qDWm3/46P6SAnxKSgSqZg4d2W5/iItqm24CbRbqavOMJkvggXP9pucFEt3hwxdPTOrnH6oKVYwb7rXk0EekRFl30O8Jd
> Verification OK.
>
> I'm really interested in just getting Version #'s from within a PERL
> script. Anyone know how I can accomplish this natively without having
> to rely on system calling sigtool externally?
>

I haven't got the perl script handy, but have a look at the beginning of the daily.cvd contents and compare it with the above output. All is visible. Colon is the separator.

         43 6C 61 6D 41 56 2D 56 44 42 3A 31 37 20 41 75  ClamAV-VDB:17 Au
    0010 67 20 32 30 30 34 20 31 34 2D 34 39 20 2B 30 31  g 2004 14-49 +01
    0020 30 30 3A 34 35 39 3A 31 36 35 33 3A 32 3A 35 36  00:459:1653:2:56
    0030 37 31 36 62 35 65 61 37 66 62 33 38 65 30 34 39  716b5ea7fb38e049
    0040 62 61 33 66 33 36 35 37 65 35 61 62 33 35 3A 73  ba3f3657e5ab35:s
    0050 42 6A 32 53 47 5A 72 43 6D 37 78 57 2B 70 36 37  Bj2SGZrCm7xW+p67
    0060 4A 2B 6E 37 6D 62 54 4A 71 78 70 67 77 74 6F 59  J+n7mbTJqxpgwtoY
    0070 67 47 6A 4D 30 62 77 68 79 41 6F 6F 47 35 79 4C  gGjM0bwhyAooG5yL
    0080 4F 58 45 38 61 71 48 37 61 4C 66 47 6C 32 35 68  OXE8aqH7aLfGl25h
    0090 52 36 76 76 50 64 45 4E 6A 72 30 4E 6D 35 71 44  R6vvPdENjr0Nm5qD
    00A0 57 6D 33 2F 34 36 50 36 53 41 6E 78 4B 53 67 53  Wm3/46P6SAnxKSgS
    00B0 71 5A 67 34 64 32 57 35 2F 69 49 74 71 6D 32 34  qZg4d2W5/iItqm24
    00C0 43 62 52 62 71 61 76 4F 4D 4A 6B 76 67 67 58 50  CbRbqavOMJkvggXP
    00D0 39 70 75 63 46 45 74 33 68 77 78 64 50 54 4F 72  9pucFEt3hwxdPTOr
    00E0 6E 48 36 6F 4B 56 59 77 62 37 72 58 6B 30 45 65  nH6oKVYwb7rXk0Ee
    00F0 6B 52 46 6C 33 30 4F 38 4A 64 3A 74 72 6F 67 20  kRFl30O8Jd:trog
    0100 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

--
Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland   | And it's only
[EMAIL PROTECTED] http://www.lodz.tpsa.pl/iso/ | ones and zeros.
[EMAIL PROTECTED] http://www.ClamAV.net/ A GPL virus scanner
Re: [Clamav-users] Freshclam cron interval {Revisado por Antivirus}
On Wed, 18 Aug 2004 at 7:22:35 -0700, Dennis Peterson wrote:
> Tomasz Kojm wrote:
> >
> >You can setup your own (internal) database mirror. Freshclam connects to
> >the httpd (80) port of DatabaseMirror, so you only need to download
> >databases into a root directory of your www server (freshclam
> >--datadir=, or edit DatabaseDirectory in freshclam.conf) and point other
> >freshclams to this server.
> >
>
> Any chance that port could be made configurable? 80 is not an option in my
> environment.
>

At least in case of using proxy:

    HTTPProxyServer STR, HTTPProxyPort NUM
        Use given proxy server and TCP port for database downloads.

freshclam.conf(5)

--
Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland   | And it's only
[EMAIL PROTECTED] http://www.lodz.tpsa.pl/iso/ | ones and zeros.
[EMAIL PROTECTED] http://www.ClamAV.net/ A GPL virus scanner
Re: [Clamav-users] contrib/init/RedHat suggested patch
Christopher X. Candreva said:
> On Tue, 17 Aug 2004, Damian Menscher wrote:
>
>> If user A emails user B and the email doesn't go through in under 2
>> minutes, there will be complaints. Tempfail is just too dangerous.
>> Yes, nothing will be lost. But you have to admit it's pretty bad for
>> email to be down. A few viruses leaking through is minor compared to
>> that. At least, that's how we run our shop. Things may be different
>
> Have to disagree.
>
> With so many of the major providers having multiple-HOUR delays through
> their system as standard, a delay of one queue interval for a single
> message won't be noticed. (Comcast comes to mind)
>

As always, mileage varies. I recently implemented gray listing on a sendmail server farm because of unusually heavy distributed spam runs - just a 10 minute delay caused all kinds of grief. The end users have come to believe that Internet mail should be as quick as inter-office mail. Unrealistic, yes, but as the sys admin I'm outgunned.

My best practices response is a minor delay is far better than allowing viruses to enter the system. The problem, then, is to educate the mail users about the realities of email in the spam age.

BTW, the gray listing worked perfectly and the spam runs were handled cleanly leaving me to believe they were from infected Windows drones. There were no retries.

dp
[Clamav-users] Getting signature file versions in PERL
I know I can do the following with sigtool:

    [foo:/usr/local/share/clamav] sigtool -i daily.cvd
    Build time: 17 Aug 2004 14-49 +0100
    Version: 459
    # of signatures: 1653
    Functionality level: 2
    Builder: trog
    MD5: 56716b5ea7fb38e049ba3f3657e5ab35
    Digital signature: sBj2SGZrCm7xW+p67J+n7mbTJqxpgwtoYgGjM0bwhyAooG5yLOXE8aqH7aLfGl25hR6vvPdENjr0Nm5qDWm3/46P6SAnxKSgSqZg4d2W5/iItqm24CbRbqavOMJkvggXP9pucFEt3hwxdPTOrnH6oKVYwb7rXk0EekRFl30O8Jd
    Verification OK.

I'm really interested in just getting Version #'s from within a PERL script. Anyone know how I can accomplish this natively without having to rely on system calling sigtool externally? Perhaps by using the libclamav directly?

--
Robert Blayzor, BOFH
INOC, LLC
[EMAIL PROTECTED]
PGP: http://www.inoc.net/~dev/
Key fingerprint = 1E02 DABE F989 BC03 3DF5 0E93 8D02 9D0B CB1A A7B0

Meets quality standards: Compiles without errors.
Re: [Clamav-users] Mac OS X installation?
> On Wednesday 18 Aug 2004 11:03, Derek Tom wrote:
>
>> Would very much appreciate some basic info on getting it installed on OS X.
>
> Use the same method as any other system: download the latest tarball (stable
> or development, the choice is yours), run configure with various options then
> 'make install'.
>
> Works fine on MAC OS/X 10.1. I'm not more up to date than that because Apple
> charge me for bug fixes and I don't have that type of spare cash :-(
>
>> Thanks,
>> Derek
>
> -Nigel

You might want to get the Gnu MP library first and do

    ./configure
    make
    make check
    make install

This way clamav/freshclam knows about digital signatures. See the FAQ entry!

Pascal
Re: [Clamav-users] Freshclam cron interval {Revisado por Antivirus}
Tomasz Kojm wrote:
> On Tue, 17 Aug 2004 11:36:30 +0100 (BST) [EMAIL PROTECTED] wrote:
> > If we currently have four servers checking every hour. With a cache, just
> > one update (through both our and clamav's valuable bandwidth)
>
> You can setup your own (internal) database mirror. Freshclam connects to
> the httpd (80) port of DatabaseMirror, so you only need to download
> databases into a root directory of your www server (freshclam
> --datadir=, or edit DatabaseDirectory in freshclam.conf) and point other
> freshclams to this server.

Any chance that port could be made configurable? 80 is not an option in my environment.

dp
Re: [Clamav-users] contrib/init/RedHat suggested patch
On Tue, 17 Aug 2004, Damian Menscher wrote:
> If user A emails user B and the email doesn't go through in under 2
> minutes, there will be complaints. Tempfail is just too dangerous.
> Yes, nothing will be lost. But you have to admit it's pretty bad for
> email to be down. A few viruses leaking through is minor compared to
> that. At least, that's how we run our shop. Things may be different

Have to disagree.

With so many of the major providers having multiple-HOUR delays through their system as standard, a delay of one queue interval for a single message won't be noticed. (Comcast comes to mind)

Further, the damage from a virus getting into your network, if it spreads, can be very expensive in terms of support, cleaning, etc.

The other solution, if mail is that important, is multiple MX servers, each with their own clam-av. One fails, the other should be tried immediately. Odds are slim that BOTH will be down at the same time.

==
Chris Candreva -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/
Re: [Clamav-users] Mac OS X installation?
On Wednesday 18 Aug 2004 11:03, Derek Tom wrote:

> Would very much appreciate some basic info on getting it installed on OS X.

Use the same method as any other system: download the latest tarball (stable or development, the choice is yours), run configure with various options then 'make install'.

Works fine on MAC OS/X 10.1. I'm not more up to date than that because Apple charge me for bug fixes and I don't have that type of spare cash :-(

> Thanks,
> Derek

-Nigel

--
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK. ICQ#20252325
[EMAIL PROTECTED] http://www.bandsman.co.uk
Re: [Clamav-users] Mac OS X installation?
On Aug 18, 2004, at 6:03 AM, Derek Tom wrote:

> Hello,
>
> Mac OS X is listed as a supported platform but beyond that, there's no info on actually getting ClamAV installed on OS X. I looked through the FAQ, binary packages and ports (OS X not even listed), documentation, WikiWiki, and did a quick mailing list archive search but could not find an answer.
>
> Would very much appreciate some basic info on getting it installed on OS X.

Best way I've found is to install Fink and install ClamAV using Fink (Fink Commander). VERY easy to keep updated to the latest ClamAV using Fink (although you do need to keep running freshclam separately...Fink only upgrades ClamAV, not definitions)

-Bart
Re: [Clamav-users] Freshclam cron interval {Revisado por Antivirus}
> How do I (as admin) stop internal clients going outside for updates and
> force them to use my cache. (Once I set it up).

You need a transparent proxy in-line on your network connection (eg just in front of your firewall or router).

G
Re: [Clamav-users] clamav and queue files of CGPro
Hello, Tomasz!
You wrote to <[EMAIL PROTECTED]> on Wed, 18 Aug 2004 11:58:59 +0200:

TK> The -devel version handles such files.

You are right. It works fine for me now.
Any news about incorporating these changes in stable?

Best regards, Vladimir Mendelevich
Network Department, "1C-Rarus"
UIN:9244669 Phone:+7(095)250-6393
[Clamav-users] Bagle.AQ not detected
Hello all,

I have an amavis-clamav(0.75.1)-postfix system installed on a fedora core 1 and it works very well. My "little" problem is about the "price_new.zip" virus (seems to be bagle.aq) that is not detected.

Do you have the same problem?
Re: [Clamav-users] clamav and queue files of CGPro
Hello, Tomasz!
You wrote to <[EMAIL PROTECTED]> on Wed, 18 Aug 2004 11:58:59 +0200:

TK> The -devel version handles such files.

Trying to compile devel. 1st problem - in mbox.c it is written - no curl.h needed anymore. It isn't true. :-)) Now installing curl-devel.

About my problem. Thanks. Will see.

Best regards, Vladimir Mendelevich
Network Department, "1C-Rarus"
UIN:9244669 Phone:+7(095)250-6393
Re: [Clamav-users] clamav and queue files of CGPro
Hello, Tomasz!
You wrote to <[EMAIL PROTECTED]> on Wed, 18 Aug 2004 11:45:11 +0200:

TP> Which version of ClamAV?

0.75.1

TP> Have you tried also the current devel version?

Nop.

TP> Email scanning has been improved significantly in devel.

Ok. Will try it. Thanks.

Best regards, Vladimir Mendelevich
Network Department, "1C-Rarus"
UIN:9244669 Phone:+7(095)250-6393
Re: [Clamav-users] clamav and queue files of CGPro
On Wed, 18 Aug 2004 12:44:47 +0400 "Vladimir Mendelevich" <[EMAIL PROTECTED]> wrote:

> Hello!
>
> I have some strange problem.
>
> I have files from CGPro Queue with viruses. Drweb can find viruses in
> those files. ClamAV can too but with some modications.
>
> Like that.
>
> Original file. CLAMAV cannot find a virus.
> <--->
> P I 18-08-2004 07:12:53 <[EMAIL PROTECTED]>
> S SMTP [212.57.189.194]
> R W 18-08-2004 07:12:53 _FY_ <[EMAIL PROTECTED]>

The -devel version handles such files.

--
   oo.     Tomasz Kojm <[EMAIL PROTECTED]>
  (\/)\.   http://www.ClamAV.net/gpg/tkojm.gpg
     \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\ /\  Wed Aug 18 11:58:13 CEST 2004
[Clamav-users] Mac OS X installation?
Hello,

Mac OS X is listed as a supported platform but beyond that, there's no info on actually getting ClamAV installed on OS X. I looked through the FAQ, binary packages and ports (OS X not even listed), documentation, WikiWiki, and did a quick mailing list archive search but could not find an answer.

Would very much appreciate some basic info on getting it installed on OS X.

Thanks,
Derek
Re: [Clamav-users] clamav and queue files of CGPro
On Wed, 18 Aug 2004 at 12:44:47 +0400, Vladimir Mendelevich wrote:

> I have files from CGPro Queue with viruses. Drweb can find viruses in those
> files. ClamAV can too but with some modifications.
>
> Original file. CLAMAV cannot find a virus.
[...]

Which version of ClamAV?
Have you tried also the current devel version?

Email scanning has been improved significantly in devel.

--
 Tomasz Papszun    SysAdm @ TP S.A. Lodz, Poland  | And it's only
 [EMAIL PROTECTED]  http://www.lodz.tpsa.pl/iso/   | ones and zeros.
 [EMAIL PROTECTED]  http://www.ClamAV.net/   A GPL virus scanner
Re: [Clamav-users] contrib/init/RedHat suggested patch
Damian Menscher wrote:

> On Mon, 16 Aug 2004, Richard A Nelson wrote:
> On Mon, 16 Aug 2004, Todd Lyons wrote:
>
> It shouldn't, however change if a virus is accepted - since sendmail should be tempfailing mail until the milters are functioning.
>
> Incorrect, depending on how you define your milter call for sendmail.
>
> Yes, I guess one can't legislate sanity, can one :( But spamassassin and clamav should default to tempfail ! ...still can't believe that people aren't recommending a safe, by default setup.
>
> We are. ;) For most mailserver admins, the danger of losing our jobs is much greater if we tempfail all incoming mail due to a clamav crash than is the danger of losing our jobs due to a couple of viruses leaking through. Where email is concerned, message delivery is critical. Virus and spam filtering are features.
>
> Damian Menscher

Hear Hear. Precisely right in any service situation I have seen. More important to get email than to get clean email. At least these days, for whatever reasons. Especially when customers may/should have their own line of defense.

Also why limiting sendmail connections/rate limiting or attachment sizes in response to clamav limits is not the way to go, as I have advocated in the past.

I advocate running a second line virus scanner with quarantine and notifying site postmaster/administrator to catch the ones that slip through for whatever reason, and actually keep them around for diagnostics. Amavisd-new works well for this, on sendmail. One can get rid of the ones clamav recognizes by running

#!/bin/bash
# Delete quarantined mails that clamd itself recognizes; keep the rest
# (caught only by the second-line scanner) for diagnostics.
AMAVIS_QDIR="/var/lib/amavis/virusmails"
for mail in "$AMAVIS_QDIR"/*; do
    [ -f "$mail" ] || continue    # skip subdirectories and an empty quarantine
    echo "$mail"
    # clamdscan reads the message from stdin when given "-"
    clamdscan --disable-summary - < "$mail"
    # exit status 1 means a virus was found; 0 is clean, 2 is an error
    if (( $? == 1 )); then
        rm -- "$mail"
    fi
done
Re: [Clamav-users] Leak on Linux 2.4
Nigel Horne wrote:

> People here seem to be under the misunderstanding that free(3) will always reduce the amount of memory used by an application, returning memory back to the operating system.

So it isn't? So the fact that "top" returns VIRT 3 GB but RES only 11M is normal? I'm confused then. Forgive my lack of knowledge here; I'm not used to coding in C.

Regards,
Fajar
Re: [Clamav-users] Clam or clamassassin problem
On Tuesday 17 August 2004 02:22 pm, lnx wrote:

> X-Virus-Status: Failed
> X-Virus-Report: Internal error mktemp MSGTMP failed
> X-Virus-Checker-Version: clamassassin 1.2.1 with clamdscan / ClamAV version
> 0.75.1 signatures 24.457 Status:

It's a clamassassin problem. Whatever directory you're using isn't allowing you to create the file it needs to scan. It dumps the email to a temp file and scans it. Make sure whatever directory you're using allows writing to it.

--
===
Jabber: tradergt@(smelser.org|jabber.org)
Quote: Bards make good cannon fodder.
===
Re: [Clamav-users] Freshclam cron interval {Revisado por Antivirus}
On Tue, 2004-08-17 at 16:40, [EMAIL PROTECTED] wrote:

> so in addition to our servers, there are some 50 client machines all
> querying the clamav databases, probably every hour most likely more often
> if I know M$ lovers.
>
> Making all users aware of the proxy cache will now mean we will only have
> one machine check and download. Everyone else can get it from that server.
>
> How do I (as admin) stop internal clients going outside for updates and
> force them to use my cache. (Once I set it up).

Many ways.

> They have all just installed it themselves when their commercial scanners
> license ran out and I can't really stop them from connecting to my www
> proxy on port 80.

You can stop them connecting to your proxy - it may not make for very happy clients though.

You could:
- Block access to just the database update site
- Set a policy for using clam updates, and apply it.
- Add a DNS authoritative domain on your INTERNAL DNS so updates get directed to your own server.
- Use a redirector on your proxy server.

I'm sure there are other methods.

-trog
RE: [Clamav-users] Re: False positive or problem with zipped exe
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:clamav-users-
> [EMAIL PROTECTED] On Behalf Of Xavier Poinsard
> Sent: 18. august 2004 09:49
> To: [EMAIL PROTECTED]
> Subject: [Clamav-users] Re: False positive or problem with zipped exe
>
> Tomasz Papszun wrote:
> > On Tue, 17 Aug 2004 at 10:44:56 +0200, Xavier Poinsard wrote:
> >
> >>Today, clamav reported that some old files were just infected with
> >>Trojan.Delf.CB-1-enc
> >>I suspect a false positive seems the files weren't modified since
> >>several months.
> >>All the infected files are executables autoextractable.
> >>But if I unzip the files and run clamscan on those files I didn't get
> >>the trojan.
> >>=> May be a bug with internal unzip for executables ?
> >
> >
> > Nobody can answer unless you submit the file.
> >
> > http://clamav.sourceforge.net/cgi-bin/sendvirus.cgi
> >
>
> The page didn't work : my browser says "Document contains no data"
> The other problem is that file size is 2M
>

You're welcome to submit the file directly to me. Please send the sample in a password protected zip file.

Thanks in advance...

Best regards,
Diego d'Ambra
[Clamav-users] clamav and queue files of CGPro
Hello!

I have some strange problem.

I have files from CGPro Queue with viruses. Drweb can find viruses in those files. ClamAV can too but with some modifications.

Like that.

Original file. CLAMAV cannot find a virus.
<--->
P I 18-08-2004 07:12:53 <[EMAIL PROTECTED]>
S SMTP [212.57.189.194]
R W 18-08-2004 07:12:53 _FY_ <[EMAIL PROTECTED]>
Received: from [212.57.189.194] (HELO on-line.ru)
  by on-line.ru (CommuniGate Pro SMTP 4.2)
  with ESMTP id 7700997 for [EMAIL PROTECTED]; Wed, 18 Aug 2004 11:12:53 +0400
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Mail Delivery (failure [EMAIL PROTECTED])
Date: Wed, 18 Aug 2004 13:12:54 +0600
MIME-Version: 1.0
Content-Type: multipart/related;
  type="multipart/alternative";
  boundary="=_NextPart_000_001B_01C0CA80.6B015D10"
X-Priority: 3
X-MSMail-Priority: Normal
Message-ID: <[EMAIL PROTECTED]>

This is a multi-part message in MIME format.

--=_NextPart_000_001B_01C0CA80.6B015D10
Content-Type: multipart/alternative;
  boundary="=_NextPart_001_001C_01C0CA80.6B015D10"

--=_NextPart_001_001C_01C0CA80.6B015D10
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

--=_NextPart_001_001C_01C0CA80.6B015D10
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

If the message will not displayed automatically, follow the link to read the delivered message.
Received message is available at:
cid:[EMAIL PROTECTED] height=3D0 width=3D0>www.on-line.ru/inbox/auto-05185020/read.php?sessionid-13465
cid:[EMAIL PROTECTED] height=3D0 width=3D0>

--=_NextPart_001_001C_01C0CA80.6B015D10--

--=_NextPart_000_001B_01C0CA80.6B015D10
Content-Type: audio/x-wav; name="message.scr"
Content-Transfer-Encoding: base64
Content-ID:<[EMAIL PROTECTED]>

--=_NextPart_000_001B_01C0CA80.6B015D10--
<--->

Modified file. CLAMAV can find virus in file
<--->
Received: from [212.57.189.194] (HELO on-line.ru)
  by on-line.ru (CommuniGate Pro SMTP 4.2)
  with ESMTP id 7700997 for [EMAIL PROTECTED]; Wed, 18 Aug 2004 11:12:53 +0400
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Mail Delivery (failure [EMAIL PROTECTED])
Date: Wed, 18 Aug 2004 13:12:54 +0600
MIME-Version: 1.0
Content-Type: multipart/related;
  type="multipart/alternative";
  boundary="=_NextPart_000_001B_01C0CA80.6B015D10"
X-Priority: 3
X-MSMail-Priority: Normal
Message-ID: <[EMAIL PROTECTED]>

This is a multi-part message in MIME format.

--=_NextPart_000_001B_01C0CA80.6B015D10
Content-Type: multipart/alternative;
  boundary="=_NextPart_001_001C_01C0CA80.6B015D10"

--=_NextPart_001_001C_01C0CA80.6B015D10
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

--=_NextPart_001_001C_01C0CA80.6B015D10
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

If the message will not displayed automatically, follow the link to read the delivered message.
Received message is available at:
cid:[EMAIL PROTECTED] height=3D0 width=3D0>www.on-line.ru/inbox/auto-05185020/read.php?sessionid-13465
cid:[EMAIL PROTECTED] height=3D0 width=3D0>

--=_NextPart_001_001C_01C0CA80.6B015D10--

--=_NextPart_000_001B_01C0CA80.6B015D10
Content-Type: audio/x-wav; name="message.scr"
Content-Transfer-Encoding: base64
Content-ID:<[EMAIL PROTECTED]>

--=_NextPart_000_001B_01C0CA80.6B015D10--
<--->

As you can see, the difference is only the first 4 lines.
<--->
P I 18-08-2004 07:12:53 <[EMAIL PROTECTED]>
S SMTP [212.57.189.194]
R W 18-08-2004 07:12:53 _FY_ <[EMAIL PROTECTED]>
<--->

My suggestions. If something is before "Received: " in email letter - CLAMAV cannot find a virus. Or something like that.

I have tested those files by online checker at http://www.gietl.com/test-clamav/. Same thing. It can find a virus only in modified file.

That header modification is made by CommuniGatePro - MTA from stalker. CGPro uses this header for its own internal needs. It never comes out of the server. But ClamAV checks files when they are inside the queue of the CGPro. So the problem persists.

Best regards, Vladimir Mendelevich
Network Department, "1C-Rarus"
UIN:9244669 Phone:+7(095)250-6393
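The difference described in the post above, as an added example that is not part of the original message and is neither ClamAV nor CommuniGate Pro code: a pre-filter that splits a queue file into its envelope lines and the RFC 822 message, then shows that a MIME parser (Python's `email` package, used here only as a stand-in) sees the `message.scr` attachment only once the envelope is removed. The function names, the 32-line search window and the rule "everything before the first header field is envelope" are assumptions; the sample is constructed.

```python
import re
from email import message_from_bytes

# An RFC 5322 header field line: a field name without spaces, then a colon.
HEADER_LINE = re.compile(rb"^[\x21-\x39\x3b-\x7e]+:")

# Constructed sample modelled on the queue file in the post. Addresses are
# placeholders and the attachment body is harmless text, not malware.
SAMPLE_QUEUE_FILE = b"\n".join([
    b"P I 18-08-2004 07:12:53 <sender@example.com>",
    b"S SMTP [192.0.2.10]",
    b"R W 18-08-2004 07:12:53 _FY_ <rcpt@example.com>",
    b"Received: from [192.0.2.10] (HELO example.com) by example.com",
    b"  with ESMTP id 1; Wed, 18 Aug 2004 11:12:53 +0400",
    b"From: sender@example.com",
    b"To: rcpt@example.com",
    b"Subject: Mail Delivery (failure rcpt@example.com)",
    b"MIME-Version: 1.0",
    b'Content-Type: multipart/related; boundary="outer"',
    b"",
    b"This is a multi-part message in MIME format.",
    b"",
    b"--outer",
    b'Content-Type: text/html; charset="iso-8859-1"',
    b"",
    b"<html><body>placeholder</body></html>",
    b"",
    b"--outer",
    b'Content-Type: audio/x-wav; name="message.scr"',
    b"Content-Transfer-Encoding: base64",
    b"",
    b"Y29uc3RydWN0ZWQgc2FtcGxl",
    b"",
    b"--outer--",
    b"",
])


def split_queue_file(raw, max_envelope_lines=32):
    """Return (envelope_lines, message_bytes) for a queue file.

    Assumption: the envelope is every line before the first header field.
    If no header field appears within the window, the input is returned
    unchanged so that a plain body containing "word:" is never truncated.
    """
    lines = raw.splitlines(keepends=True)
    for i, line in enumerate(lines[:max_envelope_lines + 1]):
        if HEADER_LINE.match(line):
            envelope = [l.rstrip(b"\r\n") for l in lines[:i] if l.strip()]
            return envelope, b"".join(lines[i:])
    return [], raw


def attachment_names(raw):
    """File names a MIME parser can see in the given bytes."""
    msg = message_from_bytes(raw)
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


if __name__ == "__main__":
    envelope, message = split_queue_file(SAMPLE_QUEUE_FILE)
    print("envelope lines:", envelope)
    # With the envelope in place the parser finds no headers at all and
    # treats the whole file as one text body, so no attachment is visible.
    print("as queued:     ", attachment_names(SAMPLE_QUEUE_FILE))
    print("after split:   ", attachment_names(message))
```

The message bytes returned by `split_queue_file` are what would be handed to the scanner; the envelope lines can be kept alongside for logging.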
Re: [Clamav-users] Leak on Linux 2.4
People here seem to be under the misunderstanding that free(3) will always reduce the amount of memory used by an application, returning memory back to the operating system.

-Nigel

--
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK. ICQ#20252325
[EMAIL PROTECTED] http://www.bandsman.co.uk
Re: [Clamav-users] Freshclam cron interval {Revisado por Antivirus}
Is this in the manual/docs ? if so then IAP

I realised after my post that nearly all our clients are using win32 clamav so in addition to our servers, there are some 50 client machines all querying the clamav databases, probably every hour most likely more often if I know M$ lovers.

Making all users aware of the proxy cache will now mean we will only have one machine check and download. Everyone else can get it from that server.

How do I (as admin) stop internal clients going outside for updates and force them to use my cache. (Once I set it up).

They have all just installed it themselves when their commercial scanners license ran out and I can't really stop them from connecting to my www proxy on port 80.

Jim :-)

Dr James Allen
GnuPG key : ftp://ftp.heartsine.co.uk/hst_gpg_public_keys/jim.allen.hst.gpg.asc

> No need for some magic "freshcache". Just run freshclam on one of your
> servers, run a webserver on it (maybe allowing only your machines to
> use it if you want so) and instruct other machines' freshclams to use
> your webserver (DatabaseMirror directive in freshclam.conf) as the
> source for updates.
[Clamav-users] Re: False positive or problem with zipped exe
Tomasz Papszun wrote:

> On Tue, 17 Aug 2004 at 10:44:56 +0200, Xavier Poinsard wrote:
>
>> Today, clamav reported that some old files were just infected with
>> Trojan.Delf.CB-1-enc
>> I suspect a false positive seems the files weren't modified since
>> several months.
>> All the infected files are executables autoextractable.
>> But if I unzip the files and run clamscan on those files I didn't get
>> the trojan.
>> => May be a bug with internal unzip for executables ?
>
> Nobody can answer unless you submit the file.
>
> http://clamav.sourceforge.net/cgi-bin/sendvirus.cgi

The page didn't work : my browser says "Document contains no data"
The other problem is that file size is 2M
[Clamav-users] Another Clam newbie
I hope you can help me; I'm having several problems with ClamAV.

The manual says that clamd responds to the following commands: ping, reload...etc. But how do I send these commands?

I have clamuko running, but how do I know if it has detected a virus? How does it tell me?

Is it possible to make clamuko email me with a virus alert, without having a mail client installed?

Thanks

Chris Rooney
Programmer
Serco Integrated Transport
Re: [Clamav-users] Leak on Linux 2.4
Trog wrote:

> The problem is that clamd is using nearly twice as much memory as it was a minute before...
>
> It uses memory to scan files, especially to scan email messages. An email message could make the memory usage jump.

I agree it would jump up and down of course, maybe increasing over the time when it hits its so-far-limit. But stay at 14M for a day, then jump up to 27M and stay there? Hmm. Clamd has scanned about 100k messages before doing the jump, btw.

Anyway, as long as it doesn't happen again, I can't say much more about this.

lg, daniel
Re: [Clamav-users] clam newbie
On Wed, 2004-08-18 at 07:48, Tomasz Papszun wrote:

> Please, make sure you do NOT send notifications to senders (they are
> almost always spoofed nowadays), maybe except pertaining MS Office
> macros and test signatures (EICAR and ClamAV-Test-Signature).

I completely agree with that, but...

> Also, do NOT send notifications to intended recipients (or they will
> hate you ;-) ).

...that's more subjective. We always send notifications to our internal users (within our company) when they are the intended recipient of a virus, we've never had a complaint about this as far as I know (and we certainly receive plenty!).

Our thinking is that we want our users to know that we are protecting them and understand the scale of the problem. It also reinforces the warning messages we send out when there is a new rapidly spreading message (we warn our users to encourage them to take care when checking webmail etc. and also as a courtesy to those with a PC at home).

It also helps justify some of the file type blocking we do (such as not allowing .exe files) if users can see we are catching infected files of the types we block.

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
Re: [Clamav-users] clam newbie
On Tue, 17 Aug 2004 at 16:06:02 -0400, Kern, Tom wrote:

> [...]
> also, where can i configure clamav to send a notification if when a virus is detected?
>

Please, make sure you do NOT send notifications to senders (they are almost always spoofed nowadays), maybe except pertaining MS Office macros and test signatures (EICAR and ClamAV-Test-Signature).

Also, do NOT send notifications to intended recipients (or they will hate you ;-) ).

--
 Tomasz Papszun    SysAdm @ TP S.A. Lodz, Poland  | And it's only
 [EMAIL PROTECTED]  http://www.lodz.tpsa.pl/iso/   | ones and zeros.
 [EMAIL PROTECTED]  http://www.ClamAV.net/   A GPL virus scanner