[Clamav-users] RE: Clamav-users digest, Vol 1 #1033 - 11 msgs

2004-09-29 Thread Damon McMahon
Nigel,
Thanks for your reply, and please accept my apologies for the woeful lack of 
detail in my first post.

Here's how we kick off clamav:
#!/bin/sh
/usr/local/bin/freshclam -d -p /var/clamav/freshclam.pid
/usr/local/sbin/clamd
/usr/local/sbin/clamav-milter --debug -c /etc/clamav.conf -AdNq local:/var/clamav/clmilter.sock

Note that I couldn't get clamav-milter to accept --dubug-level=n despite 
this being documented in the man page and building with

% ./configure --enable-debug
Here are the relevant run-time files:
% ls -al /var/clamav
drwx------   6 clamav  clamav  204 29 Sep 10:58 .
drwxr-xr-x  22 root    wheel   748 29 Sep 09:06 ..
-rw-rw----   1 clamav  clamav    4 29 Sep 10:58 clamd.pid
srwxrwxrwx   1 clamav  clamav    0 29 Sep 10:58 clamd.sock
srwx------   1 clamav  clamav    0 29 Sep 10:58 clmilter.sock
-rw-rw----   1 clamav  clamav    4 29 Sep 10:58 freshclam.pid
Here are my configuration customisations:
% cat /etc/clamav.conf | grep -v '#' | grep -v '^$'
LogSyslog
LogFacility LOG_MAIL
LogVerbose
PidFile /var/clamav/clamd.pid
LocalSocket /var/clamav/clamd.sock
FixStaleSocket
StreamSaveToDisk
StreamMaxLength 10M
MaxThreads 10
MaxDirectoryRecursion 15
User clamav
ScanOLE2
ScanMail
ScanArchive
ArchiveMaxFileSize 10M
ArchiveMaxRecursion 5
ArchiveMaxFiles 1000
ArchiveMaxCompressionRatio 200
ClamukoScanOnOpen
ClamukoScanOnClose
ClamukoScanOnExec
ClamukoIncludePath /home
ClamukoMaxFileSize 1M
ClamukoScanArchive
Here's the relevant snippet from my mail log showing the info you requested:
Sep 29 10:57:31 localhost clamd[9693]: Daemon started.
Sep 29 10:57:31 localhost clamd[9693]: clamd daemon 0.75.1 (OS: darwin7.5.0, ARCH: ppc, CPU: powerpc)
Sep 29 10:57:31 localhost clamd[9693]: Log file size limited to 1048576 bytes.
Sep 29 10:57:31 localhost clamd[9693]: Verbose logging activated.
Sep 29 10:57:31 localhost clamd[9693]: Running as user clamav (UID 30, GID 30)
Sep 29 10:57:31 localhost clamd[9693]: Reading databases from /usr/local/share/clamav
Sep 29 10:57:32 localhost clamd[9693]: Protecting against 24128 viruses.
Sep 29 10:57:33 localhost clamd[9694]: Unix socket file /var/clamav/clamd.sock
Sep 29 10:57:33 localhost clamd[9694]: Setting connection queue length to 15
Sep 29 10:57:33 localhost clamd[9694]: Listening daemon: PID: 9694
Sep 29 10:57:33 localhost clamd[9694]: Archive: Archived file size limit set to 10485760 bytes.
Sep 29 10:57:33 localhost clamd[9694]: Archive: Recursion level limit set to 5.
Sep 29 10:57:33 localhost clamd[9694]: Archive: Files limit set to 1000.
Sep 29 10:57:33 localhost clamd[9694]: Archive: Compression ratio limit set to 200.
Sep 29 10:57:33 localhost clamd[9694]: Archive support enabled.
Sep 29 10:57:33 localhost clamd[9694]: RAR support disabled.
Sep 29 10:57:33 localhost clamd[9694]: Mail files support enabled.
Sep 29 10:57:33 localhost clamd[9694]: OLE2 support enabled.
Sep 29 10:57:33 localhost clamd[9694]: Self checking every 3600 seconds.
Sep 29 10:58:53 localhost clamav-milter[9842]: Starting: clamd / ClamAV version 0.75.1, clamav-milter version 0.75c
Sep 29 10:58:53 localhost clamav-milter[9842]: Started: clamd / ClamAV version 0.75.1, clamav-milter version 0.75c
Sep 29 10:59:11 localhost sendmail[9864]: starting daemon (8.13.1): [EMAIL PROTECTED]:20:00
Sep 29 10:59:11 localhost sendmail[9867]: starting daemon (8.13.1): [EMAIL PROTECTED]:20:00
Sep 29 10:59:15 localhost fetchmail[9886]: starting fetchmail 6.2.5 daemon
Sep 29 11:01:10 localhost fetchmail[9886]: 1 message for [EMAIL PROTECTED] at pop.my.mail.provider.net (773 octets).
Sep 29 11:01:11 localhost fetchmail[9886]: reading message [EMAIL PROTECTED]@pop.my.mail.provider.net:1 of 1 (773 octets)
Sep 29 11:01:11 localhost clamav-milter[9842]: clamfi_close
Sep 29 11:01:11 localhost sendmail[9898]: i8T1VBd6009898: from=[EMAIL PROTECTED], size=866, class=0, nrcpts=1, msgid=[EMAIL PROTECTED], proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]

If you need anything else let me know.
Thanks again,
Damon
Original Message Follows
From: Nigel Horne <[EMAIL PROTECTED]>
Organization: NJH Music (bandsman.co.uk)
To: [EMAIL PROTECTED]
Subject: Re: [Clamav-users] fetchmail & clamav-milter
Date: Tue, 28 Sep 2004 08:12:09 +0100
Reply-To: [EMAIL PROTECTED]
[snip]
Yes, don't use -l, -o or -f. What options are you using? What version of 
clamav-milter?



---
This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
Use IT products in your business? Tell us what you think of them. Give us
Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
http://productguide.itmanagersjournal.com/guidepromo.tmpl
___
Clamav-users mailing list
[EMAIL PROTECTED]
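Damon's startup script has clamd listening on the LocalSocket from the posted clamav.conf (/var/clamav/clamd.sock) and the milter talking to it, and the question in this thread is whether anything is actually being scanned. The quickest way to separate clamd from sendmail and the milter is to speak clamd's socket protocol yourself and feed it the EICAR test string. The following is an added example, not code from the thread or from the ClamAV project: it frames an INSTREAM request and parses the reply. INSTREAM belongs to the protocol of current clamd releases; the 0.75 in this thread predates it and offered the older STREAM command instead, so this is a check for today's clamd rather than a transcript of what Damon could have typed. The socket path is taken from the posted config; the 10M StreamMaxLength there is the ceiling clamd enforces on what you send.

```python
"""Talk to clamd over its Unix socket: PING, VERSION and an INSTREAM scan.

Added example for this thread; not ClamAV project code. The socket path is
the LocalSocket from the posted clamav.conf.
"""
import socket
import struct
from typing import Optional, Tuple

CLAMD_SOCKET = "/var/clamav/clamd.sock"   # LocalSocket in the posted config

# The standard EICAR test string, constructed here from two halves so this
# source file is not itself flagged by a scanner that reads it.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-"
         b"ANTIVIRUS-TEST-FILE!$H+H*")


def build_instream(data: bytes, chunk_size: int = 2048) -> bytes:
    """Frame *data* for the zINSTREAM command.

    The 'z' prefix means the command and the reply are NUL-terminated. The
    body is a sequence of <4-byte big-endian length><bytes> chunks, closed
    by a zero-length chunk; clamd answers only after the terminator. If the
    total exceeds StreamMaxLength it answers with an ERROR reply instead.
    """
    out = [b"zINSTREAM\x00"]
    for pos in range(0, len(data), chunk_size):
        chunk = data[pos:pos + chunk_size]
        out.append(struct.pack(">I", len(chunk)) + chunk)
    out.append(struct.pack(">I", 0))
    return b"".join(out)


def parse_reply(reply: bytes) -> Tuple[str, Optional[str]]:
    """Reduce a clamd reply to (status, detail).

    'PONG' -> ('PONG', None); 'stream: OK' -> ('OK', None);
    'stream: Eicar-Test-Signature FOUND' -> ('FOUND', 'Eicar-Test-Signature');
    'stream: INSTREAM size limit exceeded. ERROR' -> ('ERROR', '...').
    """
    text = reply.rstrip(b"\x00\n").decode("utf-8", "replace")
    if text == "PONG":
        return "PONG", None
    _path, _, verdict = text.partition(": ")
    if verdict == "OK":
        return "OK", None
    for status in ("FOUND", "ERROR"):
        if verdict.endswith(" " + status):
            return status, verdict[: -len(status) - 1]
    return "UNKNOWN", text


def _exchange(payload: bytes, sock_path: str = CLAMD_SOCKET) -> bytes:
    """Send one command and read the NUL-terminated reply."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(30)
        s.connect(sock_path)
        s.sendall(payload)
        buf = b""
        while True:
            part = s.recv(4096)
            if not part or (buf + part).endswith(b"\x00"):
                return buf + part
            buf += part


def ping(sock_path: str = CLAMD_SOCKET) -> bool:
    return parse_reply(_exchange(b"zPING\x00", sock_path))[0] == "PONG"


def scan_bytes(data: bytes, sock_path: str = CLAMD_SOCKET) -> Tuple[str, Optional[str]]:
    return parse_reply(_exchange(build_instream(data), sock_path))


if __name__ == "__main__":
    # On a healthy clamd: True, a version string, then ('FOUND', 'Eicar-Test-Signature').
    print("ping:", ping())
    print("version:", _exchange(b"zVERSION\x00").rstrip(b"\x00").decode())
    print("eicar:", scan_bytes(EICAR))
```

If PING answers but the EICAR scan comes back OK, the database directory is the thing to look at, not the milter; if the connect fails with permission denied, compare the socket's mode and owner in `ls -al /var/clamav` with the user the client runs as.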

Re: [Clamav-users] virus submission problem

2004-09-29 Thread Bogusław Brandys
Hello,
Mitch (WebCob) wrote:
This is not an isolated case.  The virus submission page must be changed
to run the latest RELEASED version of clamav.

Haven't looked in a while, but I think it should:
Display result using latest RELEASE
Display result using latest CVS
Display IDENTITY of the virus
Display config of the online scanner (in case this affects the result)
Indicate time / date of the addition of this sig.
This would eliminate confusion, and all the "it says detected but not what
it is" etc.
I volunteered to look at making changes like this as did a few others iirc,
but for some reason this tool is not open :(
Hopefully if enough people second the motion, the changes can at least be
implemented.
This could be done by writing PHP code to call clamscan or, better, libclamav 
or clamd. Does anyone know how to write a PHP extension?
For clamscan it could be a simple script invoking clamscan to scan a file 
stored in /tmp, but that is quite dangerous.

Regards
Boguslaw Brandys


Re: [Clamav-users] clamv problem with 0.80rc2 and rc3

2004-09-29 Thread Bogusław Brandys
Hello,
Bill Maidment wrote:
I'm getting these errors on multiple machines when trying to scan an 
email with an attachment on 0.80rc2 and upgrading to rc3 didn't help.

Any ideas?
Sep 29 14:27:44 video mimedefang.pl[28480]: i8T4Rc2d028538: Clamd returned error: /var/spool/MIMEDefang/mdefang-i8T4Rc2d028538/Work/msg-28480-2.bz2: Input/Output error
Sep 29 14:27:44 video mimedefang.pl[28480]: Problem running virus scanner: code=999, category=swerr, action=tempfail
Sep 29 14:27:44 video mimedefang.pl[28480]: filter: i8T4Rc2d028538: tempfail=1
Sep 29 14:27:44 video mimedefang[28493]: i8T4Rc2d028538: Tempfailing because filter instructed us to
Sep 29 14:27:44 video sendmail[28538]: i8T4Rc2d028538: Milter: data, reject=451 4.3.0 Problem running virus-scanner
Sep 29 14:27:44 video sendmail[28538]: i8T4Rc2d028538: to=[EMAIL PROTECTED], delay=00:00:05, pri=1758805, stat=Problem running virus-scanner

First check how TMPDIR is set and the permissions on that directory, I 
think (but I may be wrong ;-)

Boguslaw


[Clamav-users] 0.80rc bad format or broken data error - POSIX tar files

2004-09-29 Thread Steve Brown
Hi,
I see that a similar reported problem was fixed (RFC2298 fixes) but I 
have a slightly different problem.

After some debugging, I can see that clamav doesn't seem to be able to 
scan POSIX tar archives (returns Bad format or broken data ERROR) 
while GNU tar archives are fine.

I used 'file' on the archive to determine what was what. Is this a 
ClamAV issue, or an OS issue - Redhat ES 3.0?

If it's been fixed in RC3, then sorry; I cannot compile on this 
platform so am dependent on binary ports and their kind maintainers.

-S


RE: [Clamav-users] RE: Clamav-users digest, Vol 1 #1033 - 11 msgs

2004-09-29 Thread Nigel Horne
 Note that I couldn't get clamav-milter to accept --dubug-level=n despite 
 this being documented in the man page and building with
 
 % ./configure --enable-debug

That should read --debug-level not --dubug-level.

-Nigel





Re: AW: [Clamav-users] virus submission problem

2004-09-29 Thread Trog
On Tue, 2004-09-28 at 21:35, Steffen Heil wrote:
 Hi
 
  I have a serious issue with the current way virus samples are submitted.
 Right now, many viruses, such as the currently-spreading jpeg virus (see
 http://www.easynews.com/virus.txt) are detected by 0.80rc# or by some CVS
 version.  But we can't be expected to run those on production servers.
  Yes, I understand that 0.7x can't do a heuristic check for the jpeg
 exploit.  However, it *can* look for this particular file (get your free
 copy from  http://easynews.com/virus/virus-jpeg.zip), and a signature should
 be released.
  This is not an isolated case.  The virus submission page must be changed
 to run the latest RELEASED version of clamav.
 
 I totally agree.
 It is great to know that some soon-coming version will detect things better
 and can detect generic problems instead of single viruses only.
 However, I somehow have the feeling that right now our servers are under
 attack and we are left alone in the rain.

One of the major advantages of ClamAV over commercial products is that
you are able to add your own signatures. Signatures for the JPEG exploit
for non-80rc versions have been posted to the list.

The only signatures in the new format in the current db are there
because old style signatures would either produce false positives, or
are not possible to create. There are less than 10 of them.

The main advantage of the 0.80 version is the new unpackers and file
type support. As such it is able to spot existing signatures in more
file types. It does not inherently support a huge number of new
signatures.

The ClamAV team have very limited resources, and our time is better
spent creating new signatures for unknown viruses, rather than wading
through old viruses we already have signatures for, just because they
happen to be in some archive type that old versions of clam don't know
about.

 
 Maybe, development could be split into two parts: engine and program host.
 Then updates to the engine (to accomodate new virus signature types) could
 be added, while the program can be developed more slowly.

Are you volunteering to build 'engine' binaries for every platform that
every user would conceivably use ClamAV on in order to support this?

 
 I like clam-av very much, but knowing, that I got a virus that was happily
 detected by McAfee some weeks ago and that I tried to submit to the clamav
 team, is still not detected by my server and may still hit my customers is a
 nightmare.

I've said this before, and I'll say it again. That's a business decision
on your part. You have to weigh up the pros and cons of the options and
make a decision based on those. You can do things to mitigate the
perceived risks of deploying the 0.80rc3 version, like doing internal
testing, having a warm backup of your production system with which to
continually test CVS versions (and supply feedback), re-configuring your
system to use clamscan rather than clamdscan, etc.

Personally, I chucked 15GB of customer email through CVS versions prior
to 0.80rc in order to check its integrity. And continued to do so until
I was happy with the results. As such I have confidence in its
stability.

-trog



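Trog's answer here, and again further down the thread ("You are free to add your own signatures to spot your samples. They almost certainly wouldn't catch any other samples of the same virus though"), is the practical workaround for the submission-page complaint: if you hold the sample, write the signature yourself. The following is an added example, not code from the thread or from the ClamAV project, showing the three line formats involved and a local sanity check that the body signature actually hits the sample. The legacy `.db` format (`Name=hex`) is what the 0.7x releases in this thread read; `.hdb` (MD5 of the whole file) and `.ndb` (target type and offset in front of the hex) are the 0.80-era formats Trog calls "the new format". The sample bytes are constructed for the example and are not malware. Trog's caveat is visible in the output: the hash line changes when a single byte of the sample changes, while a body signature with the volatile bytes masked as `??` still matches a variant.

```python
"""Build ClamAV signature lines for a sample you hold.

Added example for this thread, not ClamAV project code. Formats:
  legacy .db   Name=hex                 (read by the 0.7x releases)
  .hdb         md5:filesize:Name        (hash of the whole file)
  .ndb         Name:Target:Offset:hex   (0.80-era body format)
Body hex may contain '??' (any one byte) and '*' (any run of bytes).
"""
import hashlib
import re
from typing import Iterable


def check_name(name: str) -> str:
    # ':' and '=' are field separators in the database formats.
    if not re.fullmatch(r"[A-Za-z0-9._-]+", name):
        raise ValueError(f"unusable signature name: {name!r}")
    return name


def hdb_line(sample: bytes, name: str) -> str:
    """Whole-file MD5 signature: catches exactly this file and nothing else."""
    return f"{hashlib.md5(sample).hexdigest()}:{len(sample)}:{check_name(name)}"


def hex_body(sample: bytes, offset: int, length: int,
             wildcard: Iterable[int] = ()) -> str:
    """Hex-encode sample[offset:offset+length]; positions listed in *wildcard*
    (relative to offset) become '??' so volatile bytes do not pin the signature."""
    chunk = sample[offset:offset + length]
    if len(chunk) < length:
        raise ValueError("sample too short for the requested window")
    skip = set(wildcard)
    return "".join("??" if i in skip else f"{b:02x}" for i, b in enumerate(chunk))


def db_line(name: str, hexsig: str) -> str:
    return f"{check_name(name)}={hexsig}"


def ndb_line(name: str, hexsig: str, target: int = 0, offset: str = "*") -> str:
    # target 0 = any file type; offset '*' = anywhere in the file.
    return f"{check_name(name)}:{target}:{offset}:{hexsig}"


def hexsig_to_regex(hexsig: str) -> "re.Pattern[bytes]":
    """Translate the '??' / '*' body syntax into a bytes regex for a local check."""
    parts = []
    i = 0
    while i < len(hexsig):
        if hexsig[i] == "*":
            parts.append(b".*?")
            i += 1
        elif hexsig[i:i + 2] == "??":
            parts.append(b".")
            i += 2
        else:
            parts.append(re.escape(bytes([int(hexsig[i:i + 2], 16)])))
            i += 2
    return re.compile(b"".join(parts), re.DOTALL)


def matches(data: bytes, hexsig: str) -> bool:
    return hexsig_to_regex(hexsig).search(data) is not None


def fixed_bytes(hexsig: str) -> int:
    """Literal (non-wildcard) bytes in a body signature; too few means false positives."""
    body = hexsig.replace("*", "")
    return sum(1 for i in range(0, len(body), 2) if body[i:i + 2] != "??")


# Constructed stand-ins for "a sample you hold" (not malware): a fake header,
# four volatile bytes at offsets 4..7 that differ between the two, then text.
SAMPLE = b"MZ\x90\x00" + b"\x12\x34\x56\x78" + b"constructed-sample-not-malware"
SAMPLE_VARIANT = b"MZ\x90\x00" + b"\xde\xad\xbe\xef" + b"constructed-sample-not-malware"

if __name__ == "__main__":
    body = hex_body(SAMPLE, 0, 12, wildcard=range(4, 8))   # mask the volatile bytes
    print(hdb_line(SAMPLE, "Test.Constructed.A"))
    print(hdb_line(SAMPLE_VARIANT, "Test.Constructed.A"))  # different hash, same family
    print(db_line("Test.Constructed.A", body))
    print(ndb_line("Test.Constructed.A", body))
    print("body hits both:", matches(SAMPLE, body) and matches(SAMPLE_VARIANT, body),
          "| literal bytes:", fixed_bytes(body))
```

Put the `.db` line in a file of your own (say `local.db`) and load it alongside the official database; with clamscan that is `clamscan -d local.db -d /usr/local/share/clamav sample`. Keep `fixed_bytes()` well above a handful, and pick the window from code or structure that is stable across samples rather than from a timestamp or a filename, or the signature will fire on unrelated files.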


Re: [Clamav-users] virus submission problem

2004-09-29 Thread Paul Boven
Hi everyone,
Bogusław Brandys wrote:
This is not an isolated case.  The virus submission page must be 
changed to run the latest RELEASED version of clamav.
Seconded. I run an up-to-date release version of ClamAV (0.75), there 
are viruses getting through, but I can't submit them because 0.80rc3 
would have recognised them. And we know clamav 0.75 would be able to 
detect these given specific examples.

Regards, Paul Boven.


Re: [Clamav-users] How to install clamav to my raq4i

2004-09-29 Thread Matt
Askari wrote:

 Yes, my raq4i run linux system. Any links tutorial and file for setup
 clamav on my raq4i ?, where i can found it?.


 Seeing as it would not appear that you have even attempted installation
yet, reading the basic documentation may, (by some weird stroke of
fortune), point you in the right direction.

http://www.clamav.net/doc/

Matt




Re: [Clamav-users] virus submission problem

2004-09-29 Thread Trog
On Wed, 2004-09-29 at 11:21, Paul Boven wrote:
 Hi everyone,
 
 Bogusław Brandys wrote:
 
  This is not an isolated case.  The virus submission page must be 
  changed to run the latest RELEASED version of clamav.
 
 Seconded. I run an up-to-date release version of ClamAV (0.75), there 

The current stable version is 0.75.1

 are viruses getting through, but I can't submit them because 0.80rc3 
 would have recognised them. And we know clamav 0.75 would be able to 
 detect these given specific examples.

Your clairvoyance astounds me.

You are free to add your own signatures to spot your samples. They
almost certainly wouldn't catch any other samples of the same virus
though.

-trog





Re: [Clamav-users] 0.80rc bad format or broken data error - POSIX tar files

2004-09-29 Thread Nigel Horne
On Wednesday 29 Sep 2004 09:28, Steve Brown wrote:

 After some debugging, I can see that clamav doesn't seem to be able to 
 scan POSIX tar archives (returns Bad format or broken data ERROR) 
 while GNU tar archives are fine.

Send me an example, please, and I'll have a look into it.

 I used 'file' on the archive to determine what was what. Is this a 
 ClamAV issue, or an OS issue - Redhat ES 3.0?

 -S

-Nigel

-- 
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK.  ICQ#20252325
[EMAIL PROTECTED] http://www.bandsman.co.uk




[Clamav-users] Virus not detected

2004-09-29 Thread Kareem Mahgoub



Hello list,
I am using clamav version 0.72
qmail 1.3
Qmail-scanner-queue 1.21st
I have a problem and I think it is related to clamav.
There is a virus with the name W32.Netsky.p.dam (according to 
Norton antivirus) not caught by clamav.
Is there something wrong in my setup or is it not yet in 
the database? Although I have got it about 10 days ago or so.
Your feedback will be very much appreciated.
Best Regards,
Kareem Mahgoub


Re: [Clamav-users] 0.80rc bad format or broken data error - POSIX tar files

2004-09-29 Thread Bogusław Brandys
Hi,
Steve Brown wrote:
Hi,
I see that a similar reported problem was fixed (RFC2298 fixes) but I 
have a slightly different problem.

After some debugging, I can see that clamav doesn't seem to be able to 
scan POSIX tar archives (returns Bad format or broken data ERROR) 
while GNU tar archives are fine.

I used 'file' on the archive to determine what was what. Is this a 
ClamAV issue, or an OS issue - Redhat ES 3.0?

If it's been fixed in RC3, then sorry; I cannot compile on this 
platform so am dependent on binary ports and their kind maintainers.

Could you send me an example file which causes this error?
My email : [EMAIL PROTECTED]
I have compiled the CVS version and will check this (however my version is 
the Windows version ;^)

Boguslaw Brandys


Re: [Clamav-users] virus submission problem

2004-09-29 Thread Matt
Paul Boven wrote:

  This is not an isolated case.  The virus submission page must be 
  changed to run the latest RELEASED version of clamav.
 
 Seconded. I run an up-to-date release version of ClamAV (0.75), there 
 are viruses getting through, but I can't submit them because 0.80rc3 
 would have recognised them. And we know clamav 0.75 would be able to 
 detect these given specific examples.


 Why doesn't someone offer to create and host such a page, if it is that
important?

 If I've said it once, I've said it a thousand times, a virus scanner
should be the last line of defence in any given email scanning system.
There are multiple ways to stop most infected emails before they ever even
reach the virus scanner(s). No one should be wholly reliant upon a virus
scanning solution to protect their email integrity. If people are having
problems with infected emails slipping through, your parsing/scanning
scripts are either misconfigured or just useless crap.

 There are a significant number of other methods that will generally
detect an infected email. Approximately 3.8% of infected emails ever
reach the stage where the virus scanners I use get called into action, and
Clam hasn't missed one of those yet. Check for other email exploits before
checking for virii.

( I really should have been a preacher :)

Matt




Re: [Clamav-users] Virus not detected

2004-09-29 Thread Thomas Lamy
Kareem Mahgoub wrote:
Hello list,
I am using clamav version 0.72
qmail 1.3
Qmail-scanner-queue 1.21st
I have a problem and I think it is related to clamav.
There is a virus with the name W32.Netsky.p.dam (according to Norton 
antivirus) not caught by clamav.
Is there something wrong in my setup or is it not yet in the 
database? Although I have got it about 10 days ago or so.
Your feedback will be very much appreciated.
Best Regards,
Kareem Mahgoub
Please upgrade. 0.72 was released on June 3rd, with 1470 lines in the 
ChangeLog since then...




Re: [Clamav-users] virus submission problem

2004-09-29 Thread Trog
On Wed, 2004-09-29 at 12:42, Bill Maidment wrote:
 Trog wrote:
 
  
  The current stable version is 0.75.1
  
  
 
 The stable webpage points me to 0.80rc3 as the latest!!!
 

No it doesn't. It takes you to a page containing a number of links and
information, one such link is to clamav-0.80rc3.tar.gz another such link
is clamav-0.75.1.tar.gz.

The page states this:

Before downloading, you may want to read Release Notes and ChangeLog

The README with 0.80rc3 clearly states it is a release candidate.

-trog





[Clamav-users] Update

2004-09-29 Thread Salvatore Basso
Hi, in my /var/log/clamav/freshclam.log:

freshclam daemon 0.75.1 (OS: linux-gnu, ARCH: i386, CPU: i686)
ClamAV update process started at Wed Sep 29 14:45:30 2004
ERROR: Can't open new file ./clamav-8afb9be871b84532 to write
ERROR: Can't download main.cvd from 147.229.3.16

.. the owner of /var/log/clamav/ is clamav/clamav (user/group), and 
/var/lib/clamav is empty!

Where is my mistake??

thanks.


--

Salvatore.






Re: [Clamav-users] Virus not detected

2004-09-29 Thread Rob MacGregor
- Original Message -
From: Kareem Mahgoub [EMAIL PROTECTED]
 
Hello list, 
I am using clamav version 0.72 

Upgrade to at least 0.75.1, update your signatures and try again.

-- 
Rob MacGregor

Whoever fights monsters should see to it that in the process he 
doesn't become a monster.
   Friedrich Nietzsche




Re: [Clamav-users] 0.80rc bad format or broken data error - POSIX tar files

2004-09-29 Thread Steve Brown
Nigel Horne wrote:
Send me an example, please, and I'll have a look into it.
Sure, I already asked the user to create an example suitable for the 
public domain in advance of my query ;-)

Naturally he's on holiday today, and I'm away from tomorrow for a 
week... When I get back I'll forward it.

Thanks very much for the interest.
-S
--
   Steve Brown
   Unix Systems Manager
Accenture Data Centre, QinetiQ Farnborough
FRN (802) 4416 +44 1252 394416


AW: [Clamav-users] virus submission problem

2004-09-29 Thread Steffen Heil
Hi

 There are a significant amount of other methods that will generally detect
an infected email. Approximately 3.8% of infected emails ever reach the
stage where the virus scanners I use get called into action, and Clam hasn't
missed one of those yet. Check for other email exploits before checking for
virii.

So tell us, our preacher, how do you do that?

For example, I DO have DNS blacklists, HELO string checking, MIME checks,
CLSID extension checks, empty and too-large boundary checks, verify sender
domain and soon some callout checks in front of clamav.
However, some mail should get delivered and those should be checked, right?

Regards,
  Steffen


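Matt's "last line of defence" point and Steffen's list of what sits in front of clamav (MIME checks, CLSID extension checks, empty and too-large boundary checks) describe the same layer: structural checks that reject obviously hostile messages before any signature is consulted. The following is an added example, not code from either poster or from ClamAV, implementing three of those checks with Python's `email` package: a trailing `.{GUID}` CLSID extension (Windows Explorer hides it and opens the file with the registered handler, so the visible name lies), a blocked or double-extension attachment name, and a multipart boundary that is empty or longer than the 70 characters RFC 2046 permits. The extension blocklist is an assumption to tune locally, and the sample message is constructed, not a real capture. HELO, DNSBL and sender-domain checks need the network and are left out.

```python
"""Structural pre-checks on a message before it reaches the virus scanner.

Added example for this thread; not code from any poster or from ClamAV.
"""
import email
import re
from email import policy
from typing import List

# Trailing .{GUID}: Explorer hides it and treats the file as that CLSID's object.
CLSID_EXT = re.compile(
    r"\.\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\s*$", re.IGNORECASE)

# Assumed blocklist for this example; tune to local policy.
BLOCKED_EXT = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "vbe", "js",
               "jse", "wsf", "wsh", "hta", "cpl", "lnk", "reg"}

MAX_BOUNDARY = 70   # RFC 2046 section 5.1.1: boundary is 1 to 70 characters


def check_message(raw: bytes) -> List[str]:
    """Return findings tagged 'boundary:', 'clsid:' or 'extension:' (empty = clean)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if part.is_multipart():
            boundary = part.get_boundary()
            if not boundary:
                findings.append(f"boundary: {ctype} has an empty or missing boundary")
            elif len(boundary) > MAX_BOUNDARY:
                findings.append(f"boundary: {ctype} boundary is {len(boundary)} chars "
                                f"(RFC 2046 allows at most {MAX_BOUNDARY})")
            continue
        name = part.get_filename()
        if not name:
            continue
        if CLSID_EXT.search(name):
            findings.append(f"clsid: attachment {name!r} carries a hidden CLSID extension")
        exts = name.lower().split(".")[1:]
        if exts and exts[-1] in BLOCKED_EXT:
            kind = "double-extension " if len(exts) > 1 else ""
            findings.append(f"extension: attachment {name!r} has {kind}blocked type .{exts[-1]}")
    return findings


def build_sample(boundary: str, filename: str) -> bytes:
    """Constructed two-part message for exercising the checks (not a real capture)."""
    return (
        "From: sender@example.invalid\r\n"
        "To: user@example.invalid\r\n"
        "Subject: constructed test message\r\n"
        "MIME-Version: 1.0\r\n"
        f'Content-Type: multipart/mixed; boundary="{boundary}"\r\n'
        "\r\n"
        f"--{boundary}\r\n"
        "Content-Type: text/plain\r\n"
        "\r\n"
        "see attached\r\n"
        f"--{boundary}\r\n"
        "Content-Type: application/octet-stream\r\n"
        f'Content-Disposition: attachment; filename="{filename}"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        "\r\n"
        "bm90IGEgcmVhbCBwYXlsb2Fk\r\n"          # base64 of "not a real payload"
        f"--{boundary}--\r\n"
    ).encode("ascii")


if __name__ == "__main__":
    cases = [("good-boundary", "notes.txt"),
             ("good-boundary", "report.txt.{00000000-0000-0000-0000-000000000000}"),
             ("good-boundary", "holiday.jpg.scr"),
             ("x" * 75, "notes.txt")]
    for boundary, filename in cases:
        print(filename, "->", check_message(build_sample(boundary, filename)) or ["clean"])
```

Run it at the milter or MIMEDefang stage, before the message is handed to clamd; anything it flags never needs a signature. The placeholder GUID is all zeros on purpose: the check is on the shape of the name, not on which CLSID is registered.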


RE: [Clamav-users] virus submission problem

2004-09-29 Thread Thomas Kinghorn
Lol @ preacher

-Original Message-
From: Matt [mailto:[EMAIL PROTECTED] 
Sent: 29 September 2004 14:45
To: [EMAIL PROTECTED]
Subject: Re: [Clamav-users] virus submission problem

Paul Boven wrote:

  This is not an isolated case.  The virus submission page must be 
  changed to run the latest RELEASED version of clamav.
 
 Seconded. I run an up-to-date release version of ClamAV (0.75), there 
 are viruses getting through, but I can't submit them because 0.80rc3 
 would have recognised them. And we know clamav 0.75 would be able to 
 detect these given specific examples.


 Why doesn't someone offer to create and host such a page, if it is that
important?

 If I've said it once, I've said it a thousand times, a virus scanner
should be the last line of defence in any given email scanning system.
There are multiple ways to stop most infected emails before they ever even
reach the virus scanner(s). No one should be wholly reliant upon a virus
scanning solution to protect their email integrity. If people are having
problems with infected emails slipping through, your parsing/scanning
scripts are either misconfigured or just useless crap.

 There are a significant number of other methods that will generally
detect an infected email. Approximately 3.8% of infected emails ever
reach the stage where the virus scanners I use get called into action, and
Clam hasn't missed one of those yet. Check for other email exploits before
checking for virii.

( I really should have been a preacher :)

Matt




Re: [Clamav-users] ERROR: JPEG.Comment

2004-09-29 Thread Kevin Spicer
On Wed, 2004-09-29 at 05:34, Brandon Knitter wrote:
 I have a few images that seem to be flagged as virii, when they are not.  I'm
 taking an image that is considered fine (no virus), then when I process it
 through convert (ImageMagick) it thinks it has the virus.  I have over 4000
 images I've processed this way, and only 232 of them clamscan thinks have the error.
 
 Version: 0.80rc3
 
 Any advice?  Where do I post something like that?

Were these by any chance taken by an Olympus camera?  I've seen two
false positives using my own signature for this exploit - both of which
were pictures from an Olympus  (run strings on the file and grep for
Oly).




BMRB International 
http://www.bmrb.co.uk
+44 (0)20 8566 5000






Re: [Clamav-users] Update

2004-09-29 Thread Brian Morrison
On Wed, 29 Sep 2004 15:20:50 +0200 in
[EMAIL PROTECTED] Salvatore Basso
[EMAIL PROTECTED] wrote:

  .. the owner of /var/log/clamav/ permission is clamav/clamav
  (user/group), and the /var/lib/clamav is empty !
 
  When I mistake ??

Ownership of /var/lib/clamav? Should be clamav/clamav

Temporary directory world writable?

-- 

Brian Morrison

bdm at fenrir dot org dot uk

GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html




Re: [Clamav-users] freshclam problem

2004-09-29 Thread Ajay Sharma
Salvatore Basso wrote:
Hi, I have the following problem with clamav 0.75.1 on fc 2:
[EMAIL PROTECTED] Archive-Zip-1.13]# /usr/local/bin/freshclam -d
ERROR: Can't open /var/log/freshclam.log in append mode.
ERROR: Problem with internal logger
.. where is my mistake??
Your mistake was not searching google first.  :)
http://www.google.com/search?q=freshclam%20append%20mode
Hint:  freshclam doesn't have permissions to write to the log file.
--Ajay
-
Satyajot (Ajay) Sharma
REVShare Corp
System Administrator


Re: [Clamav-users] Update

2004-09-29 Thread Tomasz Kojm
On Wed, 29 Sep 2004 17:34:06 +0200
Bogusław Brandys [EMAIL PROTECTED] wrote:

 What is the value of TMPDIR variable ? Empty ? I suspect that

Freshclam doesn't use TMPDIR, it only creates files in DatabaseDirectory.

-- 
   oo. Tomasz Kojm [EMAIL PROTECTED]
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Wed Sep 29 18:39:40 CEST 2004


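Salvatore's two errors ("Can't open new file ./clamav-8afb9be871b84532 to write" and, in the other thread, "Can't open /var/log/freshclam.log in append mode") are both permission problems, and Tomasz narrows the first one: freshclam downloads into a temporary file inside DatabaseDirectory, so TMPDIR is irrelevant and that directory must be writable by the DatabaseOwner account. The converse matters too: a database directory that other users can write to lets any local account hand clamd a doctored signature set. The following is an added example, not ClamAV code, that reads the relevant keys from a freshclam.conf and audits the directory and log file against the owner's uid and gid using the mode bits rather than `os.access`, so it gives the answer for the configured user even when run as root. The conf text in the `__main__` block is an assumption echoing the paths in the thread, not Salvatore's actual file; `make_probe_dir` exists only so the checks can be exercised on throwaway directories.

```python
"""Audit the paths freshclam must write.

Added example for this thread, not ClamAV code. freshclam writes its
download into a temporary file in DatabaseDirectory and appends to
UpdateLogFile; both must be writable by DatabaseOwner and the database
directory must not be writable by anyone else.
"""
import os
import pwd
import stat
import tempfile
from typing import Dict, List, Tuple


def parse_freshclam_conf(text: str) -> Dict[str, str]:
    """First value of each 'Key value' line; comments and blank lines skipped."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf.setdefault(key, value.strip())
    return conf


def _can_create_in(st: os.stat_result, uid: int, gid: int) -> bool:
    """Creating a file needs write and search permission on the directory."""
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid == uid and mode & stat.S_IWUSR and mode & stat.S_IXUSR:
        return True
    if st.st_gid == gid and mode & stat.S_IWGRP and mode & stat.S_IXGRP:
        return True
    return bool(mode & stat.S_IWOTH and mode & stat.S_IXOTH)


def audit_dir(path: str, uid: int, gid: int) -> List[str]:
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: does not exist"]
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path}: not a directory"]
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if st.st_uid != uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {uid}")
    if not _can_create_in(st, uid, gid):
        findings.append(f"{path}: uid {uid} cannot create files here (mode {mode:04o})")
    if mode & stat.S_IWOTH:
        findings.append(f"{path}: world-writable (mode {mode:04o}); any local user could replace files")
    return findings


def audit_logfile(path: str, uid: int, gid: int) -> List[str]:
    """Append needs write on the file if it exists, else create rights on its directory."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return audit_dir(os.path.dirname(path) or ".", uid, gid)
    mode = stat.S_IMODE(st.st_mode)
    ok = ((st.st_uid == uid and mode & stat.S_IWUSR)
          or (st.st_gid == gid and mode & stat.S_IWGRP)
          or mode & stat.S_IWOTH)
    return [] if ok else [f"{path}: uid {uid} cannot append (mode {mode:04o})"]


def audit_freshclam(conf_text: str) -> List[str]:
    conf = parse_freshclam_conf(conf_text)
    owner = conf.get("DatabaseOwner", "clamav")
    try:
        pw = pwd.getpwnam(owner)
    except KeyError:
        return [f"DatabaseOwner {owner!r} is not a local account"]
    findings = audit_dir(conf.get("DatabaseDirectory", "/var/lib/clamav"), pw.pw_uid, pw.pw_gid)
    if "UpdateLogFile" in conf:
        findings += audit_logfile(conf["UpdateLogFile"], pw.pw_uid, pw.pw_gid)
    return findings


def make_probe_dir(mode: int) -> str:
    """Throwaway directory with the given mode, for exercising the checks."""
    path = tempfile.mkdtemp(prefix="freshclam-audit-")
    os.chmod(path, mode)
    return path


def own_ids() -> Tuple[int, int]:
    return os.getuid(), os.getgid()


if __name__ == "__main__":
    # Assumed conf echoing the paths in the thread, not Salvatore's real file.
    CONF = ("# example freshclam.conf\n"
            "DatabaseDirectory /var/lib/clamav\n"
            "DatabaseOwner clamav\n"
            "UpdateLogFile /var/log/clamav/freshclam.log\n")
    for finding in audit_freshclam(CONF) or ["no problems found"]:
        print(finding)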


Re: [Clamav-users] fetchmail clamav-milter

2004-09-29 Thread Nigel Horne
Is clamd running? It's difficult to read your mail because you've sent
from Hotmail which annoyingly puts HTML in e-mails, but it looks as
though clamd is running OK. Try to clamdscan (note the d) a file.

Are you running 0.75 or 0.80?

What makes you believe that incoming messages aren't being scanned?

I notice no clamav-milter.pid, if you do ps is clamav-milter still running?

-Nigel

On Wednesday 29 Sep 2004 13:28, Damon McMahon wrote:
 Nigel,
 
 Sorry about that. The problem is that clamav-milter isn't scanning incoming 
 mail. I want to configure it to scan mail that is passed to sendmail from 
 fetchmail (running on the same host) to deliver to local mailboxes, but not 
 scan outgoing mail.
 
 I agree, the documentation implies that leaving off the -o -f and -l 
 switches should achieve this, but for some reason it's just not scanning 
 anything [see the bottom of the mail log below].
 
 I confirm that clamav-milter does indeed scan mail if the -o or -l switch is 
 used. How does clamav-milter determine what is incoming, what is outgoing 
 and what is lan mail (and pardon my ignorance)? Is it my sendmail 
 configuration, perhaps?
 
 Cheers,
 Damon
 
 Original Message Follows
 From: Nigel Horne <[EMAIL PROTECTED]>
 Organization: NJH Music (bandsman.co.uk)
 To: [EMAIL PROTECTED]
 Date: Wed, 29 Sep 2004 08:24:47 +0100
 Subject: [Clamav-users] Re: Clamav-users digest, Vol 1 #1033 - 11 msgs
 Reply-To: [EMAIL PROTECTED]
 
 I can't remember the original problem, you've removed the history from this
 post that would have reminded me!
 
 -Nigel
 
 On Wednesday 29 Sep 2004 02:58, Damon McMahon wrote:
 > Nigel,
 >
 > Thanks for your reply, and please accept my apologies for the woeful
 > lack of detail in my first post.
 >
 > Here's how we kick off clamav:
 >
 > #!/bin/sh
 > /usr/local/bin/freshclam -d -p /var/clamav/freshclam.pid
 > /usr/local/sbin/clamd
 > /usr/local/sbin/clamav-milter --debug -c /etc/clamav.conf -AdNq
 > local:/var/clamav/clmilter.sock
 >
 > Note that I couldn't get clamav-milter to accept --dubug-level=n
 > despite this being documented in the man page and building with
 >
 > % ./configure --enable-debug
 >
 > Here are the relevant run-time files:
 >
 > % ls -al /var/clamav
 > drwx--   6 clamav  clamav  204 29 Sep 10:58 .
 > drwxr-xr-x  22 root    wheel   748 29 Sep 09:06 ..
 > -rw-rw   1 clamav  clamav    4 29 Sep 10:58 clamd.pid
 > srwxrwxrwx   1 clamav  clamav    0 29 Sep 10:58 clamd.sock
 > srwx--   1 clamav  clamav    0 29 Sep 10:58 clmilter.sock
 > -rw-rw   1 clamav  clamav    4 29 Sep 10:58 freshclam.pid
 >
 > Here's my configuration customisations:
 >
 > % cat /etc/clamav.conf | grep -v # | grep -v '^$'
 > LogSyslog
 > LogFacility LOG_MAIL
 > LogVerbose
 > PidFile /var/clamav/clamd.pid
 > LocalSocket /var/clamav/clamd.sock
 > FixStaleSocket
 > StreamSaveToDisk
 > StreamMaxLength 10M
 > MaxThreads 10
 > MaxDirectoryRecursion 15
 > User clamav
 > ScanOLE2
 > ScanMail
 > ScanArchive
 > ArchiveMaxFileSize 10M
 > ArchiveMaxRecursion 5
 > ArchiveMaxFiles 1000
 > ArchiveMaxCompressionRatio 200
 > ClamukoScanOnOpen
 > ClamukoScanOnClose
 > ClamukoScanOnExec
 > ClamukoIncludePath /home
 > ClamukoMaxFileSize 1M
 > ClamukoScanArchive
 >
 > Here's the relevant snippet from my mail log showing the info you
 > requested:
 >
 > Sep 29 10:57:31 localhost clamd[9693]: Daemon started.
 > Sep 29 10:57:31 localhost clamd[9693]: clamd daemon 0.75.1 (OS: darwin7.5.0,
 > ARCH: ppc, CPU: powerpc)
 > Sep 29 10:57:31 localhost clamd[9693]: Log file size limited to 1048576
 > bytes.
 > Sep 29 10:57:31 localhost clamd[9693]: Verbose logging activated.
 > Sep 29 10:57:31 localhost clamd[9693]: Running as user clamav (UID 30, GID
 > 30)
 > Sep 29 10:57:31 localhost clamd[9693]: Reading databases from
 > /usr/local/share/clamav
 > Sep 29 10:57:32 localhost clamd[9693]: Protecting against 24128 viruses.
 > Sep 29 10:57:33 localhost clamd[9694]: Unix socket file
 > /var/clamav/clamd.sock
 > Sep 29 10:57:33 localhost clamd[9694]: Setting connection queue length
 > to 15
 > Sep 29 10:57:33 localhost clamd[9694]: Listening daemon: PID: 9694
 > Sep 29 10:57:33 localhost clamd[9694]: Archive: Archived file size limit
 > set to 10485760 bytes.
 > Sep 29 10:57:33 localhost clamd[9694]: Archive: Recursion level limit
 > set to 5.
 > Sep 29 10:57:33 localhost clamd[9694]: Archive: Files limit set to 1000.
 > Sep 29 10:57:33 localhost clamd[9694]: Archive: Compression ratio limit
 > set to 200.
 > Sep 29 10:57:33 localhost clamd[9694]: Archive support enabled.
 > Sep 29 10:57:33 localhost clamd[9694]: RAR support disabled.
 > Sep 29 10:57:33 localhost clamd[9694]: Mail files support enabled.
 > Sep 29 10:57:33 localhost clamd[9694]: OLE2 support enabled.
 > Sep 29 10:57:33 localhost clamd[9694]: Self checking 


RE: [Clamav-users] How to install clamav to my raq4i

2004-09-29 Thread Ken Goods
Matt scribbled on Wednesday, September 29, 2004 4:02 AM:

 Askari wrote:
 
 Yes, my raq4i run linux system. Any links tutorial and file for setup
 clamav on my raq4i ?, where i can found it?.
 
 
  Seeing as it would not appear that you have even attempted
 installation yet, reading the basic documentation may, (by some weird
 stroke of fortune), point you in the right direction.
 
 http://www.clamav.net/doc/
 
 Matt

I agree totally with Matt. Definitely read everything in the docs before
attempting an install. I would also suggest using MailScanner as a wrapper
for ClamAV (and Spamassassin if desired) as it makes things much easier.
There is a tutorial for the raq4 at http://www.qitc.net/support/mailscanner/
but remember that it is a little dated and you will still need to read the
current docs on all the various pieces to ensure a successful install.
People here, the SA list, and the MS list are more than willing to help as
long as you are willing to do some reading beforehand. FAQs, MAQs and the
INSTALL and README files from the packages would be a great place to start.
AFAIK there is no iron-clad step-by-step tutorial that is kept up to date.
It's been my experience that these programs are constantly evolving to keep
up with the never-ending changes in viruses and spam techniques. New
releases (or release candidates) are being generated constantly and it does
take a willingness to do some reading to keep up. 

I'm using MailScanner, ClamAV, and Spamassassin very successfully here. The
authors and developers deserve much praise for their awesome products and
continued development and support. The least we users can do is to do a
little reading and research before asking basic questions. If you want
something that runs out of the box and where someone will fix it for you if
it breaks, I would suggest a commercial package. There are several out there
that use the same packages I mention above.  

Hope this gets you on the right track.

Ken Goods
Network Administrator
AIA Insurance, Inc.




Re: [Clamav-users] Update

2004-09-29 Thread Chris Conn
Put /var/lib/clamav to owner clamav group clamav.

Salvatore Basso wrote:
Hi, in my /var/log/clamav/freashcleam.log:
freshclam daemon 0.75.1 (OS: linux-gnu, ARCH: i386, CPU: i686)
ClamAV update process started at Wed Sep 29 14:45:30 2004
ERROR: Can't open new file ./clamav-8afb9be871b84532 to write
ERROR: Can't download main.cvd from 147.229.3.16

.. the owner of /var/log/clamav/ permission is clamav/clamav (user/group), and the 
/var/lib/clamav is empty !
Where is my mistake ??
thanks.
--

Salvatore.


---
[This E-mail scanned for viruses by Declude Virus]

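Both permission errors in this digest ("Can't open /var/log/freshclam.log in append mode" in the earlier thread, and "Can't open new file ./clamav-8afb9be871b84532 to write" here) come down to the same question: can the clamav account write where freshclam needs to? The script below is an added example, not ClamAV's own code. It resolves the owner/group/other mode bits for a given uid and group set the way the kernel does, so you can answer that question without becoming the user, and it reproduces both complaints on a constructed temporary layout. The helper `user_ids("clamav")` is what you would call on a real box; the temp-directory scenario in `demo()` stands in for it.

```python
import os
import pwd
import grp
import stat
import tempfile

# Added example, not ClamAV code. Resolves the classic permission bits for a
# given uid and its group set the way the kernel does, so you can ask "could
# the clamav account write here?" without su'ing to it. The scenario in
# demo() is constructed: a log file and database directory owned by someone
# other than the account that needs them.

def can_write(path, uid, gids):
    """True if uid (member of gids) may write path. Directories also need the
    search (x) bit, because creating an entry requires write and search."""
    st = os.stat(path)
    if uid == 0:                       # root bypasses the mode bits
        return True
    need = stat.S_IWOTH
    if stat.S_ISDIR(st.st_mode):
        need |= stat.S_IXOTH
    if st.st_uid == uid:
        shift = 6                      # owner triplet
    elif st.st_gid in gids:
        shift = 3                      # group triplet
    else:
        shift = 0                      # other triplet
    return ((st.st_mode >> shift) & need) == need


def user_ids(username):
    """uid and the full gid set (primary plus supplementary) of an account,
    e.g. user_ids("clamav") on the box being debugged."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid}
    gids.update(g.gr_gid for g in grp.getgrall() if username in g.gr_mem)
    return pw.pw_uid, gids


def freshclam_checks(log_file, db_dir, uid, gids):
    """Reproduce the two complaints from the thread as (code, path) pairs."""
    problems = []
    if os.path.exists(log_file):
        # "Can't open ... in append mode": the write bit on the file itself
        if not can_write(log_file, uid, gids):
            problems.append(("append-log", log_file))
    elif not can_write(os.path.dirname(log_file) or ".", uid, gids):
        problems.append(("create-log", log_file))
    # "Can't open new file ./clamav-xxxx to write": freshclam downloads into a
    # temporary file inside DatabaseDirectory and renames it over the .cvd,
    # so the directory itself must be writable by the clamav user
    if not can_write(db_dir, uid, gids):
        problems.append(("db-dir", db_dir))
    return problems


def demo():
    """Constructed layout in a temp dir. Returns the problem codes before the
    fix, after chown to the running user (standing in for clamav), and after
    the world-writable shortcut."""
    base = tempfile.mkdtemp()
    log = os.path.join(base, "freshclam.log")
    db = os.path.join(base, "clamav")
    os.mkdir(db)
    open(log, "w").close()
    os.chmod(log, 0o644)
    os.chmod(db, 0o755)
    me, my_gids = os.getuid(), {os.getgid()}
    stranger = me + 1                  # an account that owns none of this

    before = [c for c, _ in freshclam_checks(log, db, stranger, set())]
    after_chown = [c for c, _ in freshclam_checks(log, db, me, my_gids)]
    os.chmod(log, 0o666)
    os.chmod(db, 0o777)
    after_chmod = [c for c, _ in freshclam_checks(log, db, stranger, set())]
    return before, after_chown, after_chmod


if __name__ == "__main__":
    print(demo())
```

Both fixes make the errors go away, but they are not equivalent: the chown (as Chris Conn and Brian Morrison suggest) gives only the clamav account write access, whereas a world-writable database directory lets any local account delete or replace the signature files clamd loads. Prefer the ownership fix.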


Re: [Clamav-users] fetchmail clamav-milter

2004-09-29 Thread Nigel Horne
On Wednesday 29 Sep 2004 13:28, Damon McMahon wrote:

 > Sep 29 10:57:31 localhost clamd[9693]: clamd daemon 0.75.1 (OS: darwin7.5.0,

If I'd looked closer I'd have seen that. Duh. You're running 0.75.1 I see. The other
questions are still valid though.

-Nigel

-- 
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK.  ICQ#20252325
[EMAIL PROTECTED] http://www.bandsman.co.uk




Re: [Clamav-users] virus submission problem

2004-09-29 Thread Stephen Gran
On Wed, Sep 29, 2004 at 03:17:08PM +0200, Steffen Heil said:
 Hi
 
  There are a significant amount of other methods that will generally detect
 an infected email. Approximately 3.8% of infected emails ever reach the
 stage where the virus scanners I use get called into action, and Clam hasn't
 missed one of those yet. Check for other email exploits before checking for
 virii.
 
 So tell us, our preacher, how you do that?
 
 For example, I DO have dnsblacklists, helo string checking, mime checks,
 clsid extension checks, empty and too large boundary checks, verify sender
 domain and soon some callout-checks in front of clamav.
 However, some mail should get delivered and those should be checked, right?

I also use greylisting on top of all of the methods you have above, and
clam now catches single digits of viruses/week (granted, this mx only
handles about 800-1000 emails/day, but scale appropriately).  The only
viruses hitting my MX are coming in from forwarding services.  All
direct to MX viruses have stopped.
-- 
 --
|  Stephen Gran  | Tallulah Bankhead barged down the Nile  |
|  [EMAIL PROTECTED] | last night as Cleopatra and sank.   --  |
|  http://www.lobefin.net/~steve | John Mason Brown, drama critic  |
 --




Re: [Clamav-users] clamv problem with 0.80rc2 and rc3

2004-09-29 Thread Bill Maidment
Bogusław Brandys wrote:



First check how TMPDIR is set and the permissions on that directory, I 
think (but I may be wrong ;-)


TMPDIR is not set to anything. What controls that? I've never had any 
problems like this until today.

--
 _/_/_/_/  _/  _/
_/_/  _/  _/  _/
   _/_/_/_/  _/
  _/_/  _/  _/  _/
 _/_/_/_/  _/  _/  _/
Bill Maidment
Maidment Enterprises Pty Ltd
Unless you are named Alfred E. Newman, you may read only the odd 
numbered words (every other word beginning with the first) of the 
message above. If you have violated that, then you hereby owe the sender 
AU$10 for each even numbered word you have read.
Adapted from Stupid Email Disclaimers (see 
http://www.goldmark.org/jeff/stupid-disclaimers/)


RE: [Clamav-users] How to install clamav to my raq4i

2004-09-29 Thread Ken Goods


snip

 
 I agree totally with Matt. Definitely read everything in the
 docs before
 attempting an install. I would also suggest using MailScanner
 as a wrapper
 for ClamAV (and Spamassassin if desired) as it makes things
 much easier.
 There is a tutorial for the raq4 at
 http://www.qitc.net/support/mailscanner/
 but remember that it is a little dated and you will still

snip

Askari,
I should mention that the tutorial I pointed you to suggests using f-prot
for antivirus. While I'm sure f-prot is a great product, I use ClamAV so I
can't personally recommend it. f-prot is free for personal use but there is
a license fee for commercial use. If you were looking for an open source
solution, in the case of this tutorial, ClamAV would be used in place of
f-prot. 

Kind regards,
Ken




Re: [Clamav-users] virus submission problem

2004-09-29 Thread Joe Maimon

Matt wrote:
Steffen Heil wrote:
 

For example, I DO have dnsblacklists, helo string checking, mime checks,
clsid extension checks, empty and to large boundary checks, verify
sender domain and soon some callout-checks in front of clamav.
However, some mail should get delivered and those should be checked,
right?
   


The helo checks, blacklists and other sender/client checks are just
generalisations for any type of junk email. They are not the ones that I
was including in that assessment.
The main types of checks that should be done are regarding the
composition of the emails. For example, the ones you mention above, clsid
and boundary checks, will stop a proportional amount of virus mails from
getting any further. Then there are others, like iframe, executabl
I may be in the minority here but I strenuously object to the banned 
extensions methodology. Especially when implementing outside of the SMTP 
layer.

For a service provider its a hassle for their customers. An internal 
corp. may be able to inflict such abuse on its users, but not an SP.

For that matter, thanks to MS's new Outlook "You can't open this 
attachment if your life depended on it" (except if you hack the registry for 
each and every one, but if you trash your machine you're SOL) security 
misfeature, it is now a pain in the neck to email anything useful to a 
Windows/Outlook user. You send it, you go on your merry way, you (maybe) 
hear back "I can't open it". "Send it again". "What are you talking about?"

Just wait till zips become a banned extension.
What are we going to do when users become accustomed to renaming 
attachments back to the proper form? Make them click an extra ok button?
And for those who say but they wont do that? -- password protected zips?

Aggressive blacklisting is the answer. People who send you viruses 
should get blacklisted semi-automatically.
Now you dont even have to enter the DATA stage when they come knocking 
again.

Joe

 




Re: [Clamav-users] clamav-milter - user notification

2004-09-29 Thread Ken Jones
I guess a better way of putting it is this. Here is a copy of what my
inbox looks like:

With 80RC3:
[EMAIL PROTECTED] 9:00   Virus intercepted 1.5 k
[EMAIL PROTECTED] 9:00   Virus intercepted 1.5 k

With 75.1
[EMAIL PROTECTED] 8:50   Virus intercepted 1.6 k
[EMAIL PROTECTED] 8:50   Virus intercepted 1.6 k

With 75.1, the From address in the in-box showed the apparent sender. I
find this useful as in some cases it *IS* the real sender and they don't
know they have a virus.

As for the -o option, in setting it up, I understood it to scan outgoing
mail as well. The servers I have this installed on are gateways for ALL
smtp mail traffic and if one of my users gets a virus, I wanted it to be
trapped before leaving my network.

- Ken


 On Wednesday 29 Sep 2004 01:46, Ken Jones wrote:
 All,

 I just upgraded from 75.1 to 80rc3. Prior to the upgrade, all viruses were
 quarantined and sent to the user clamav. A notification was sent to the
 original recipient and the postmaster.

 The message sent to postmaster and the original recipient appeared to
 arrive from the original sender, not mailer-daemon, and the subject was
 "Virus intercepted".

 Now, after the upgrade, the message sent to the original recipient and
 postmaster arrive from MAILER-DAEMON.

 how do I fix this, as in some cases, the mail is expected, although
 without virus and knowing the original sender can be useful.

 my clamav-milter startup line is:

 clamav-milter -lo -p [EMAIL PROTECTED] -Q clamav
 /var/run/clamd/clmilter.sock

 It's likely that the messages you want are in the sendmail output queue
 waiting
 to be scanned, you have enabled the -o option after all. Can I ask, why
 have
 you enabled the -o option?

 -Nigel

 --
 Nigel Horne. Arranger, Composer, Typesetter.
 NJH Music, Barnsley, UK.  ICQ#20252325
 [EMAIL PROTECTED] http://www.bandsman.co.uk





-- 
Ken Jones
[EMAIL PROTECTED]
(630) 548-1627 (Home)
(630) 263-3574 (Cell)
https://www.kenandlori.com

Y! : [EMAIL PROTECTED]
MSN: [EMAIL PROTECTED]
AIM: ptownjones
ICQ: 9807841






Re: [Clamav-users] Update

2004-09-29 Thread Salvatore Basso
Hi .. now the owner of /var/lib/clamav is clamav/clamav and that problem is resolved .. but 
I still have a problem:

freshclam daemon 0.75.1 (OS: linux-gnu, ARCH: i386, CPU: i686)
ClamAV update process started at Wed Sep 29 18:45:30 2004
main.cvd updated (version: 27, sigs: 23982, f-level: 2, builder: tomek)
daily.cvd updated (version: 509, sigs: 635, f-level: 2, builder: trog)
Database updated (24617 signatures) from database.clamav.net (62.210.153.202)
ERROR: Clamd was NOT notified: Can't connect to clamd through /tmp/clamd

.. why do I have this error ?? Perhaps, after I configured user/group clamav on 
/var/lib/clamav, it is only necessary to:

#clamd stop
#clamd start

.. is it normal that I don't have the file /etc/clamd.conf ??

.. many thanks !

--

Salvatore.


- Original Message - 
From: Brian Morrison [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, September 29, 2004 5:13 PM
Subject: Re: [Clamav-users] Update


 On Wed, 29 Sep 2004 15:20:50 +0200 in
 [EMAIL PROTECTED] Salvatore Basso
 [EMAIL PROTECTED] wrote:
 
   .. the owner of /var/log/clamav/ permission is clamav/clamav
   (user/group), and the /var/lib/clamav is empty !
  
   Where is my mistake ??
 
 Ownership of /var/lib/clamav? Should be clamav/clamav
 
 Temporary directory world writable?
 
 -- 
 
 Brian Morrison
 
 bdm at fenrir dot org dot uk
 
 GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html
 
 





Virus protection: WAS: [Clamav-users] virus submission problem

2004-09-29 Thread Matt
Joe Maimon wrote:

 I may be in the minority here but I strenuously object to the banned
 extensions methodology. Especialy when implementing outside of the SMTP
 layer.

 For a service provider its a hassle for their customers. An internal 
 corp. may be able to inflict such abuse on its users, but not an SP.


 Thought I would change this to a new thread to stop the thread purists
becoming annoyed ;)

 Must admit, I couldn't agree more on that part. I do, however, block
quite a few attachment types. When was the last time you saw a valid .scr
or .pif in an email :)

 As Stephen Gran mentioned in his reply, greylisting is also very
effective at dissuading the one shot wonder attempts, as they tend to try
once or change the sender address each time, thereby never gaining a valid
triplet, and it only causes a slight delay in mail delivery times.

 That is the point, however, that I am trying to make. There are a
shedload of solutions that can whittle down the amount of virii that
ever reach the filtering/scanning stage of an email system, and once the
remaining few, (few in relative terms), reach the filtering scripts, you
can whittle them down, by various methods, to an even smaller proportion,
before they ever need to be virus scanned. A cascade of various options,
applied in the correct sequence, can make a fairly good barrier to the
virus ingress. Virii evolve, and are created more quickly, and in more
variation, than exploits or workarounds are found for existing software
and access enforcement methods.
 Thereby, filtering on the variables that change at a slower rate of pace,
whether it be by greylisting, extension type, or software vulnerabilities,
will generate a larger blockage rate than allowing the virii to get to a
line of defence which has to be kept constantly up to date to catch the
rapidly evolving nature of the problem.

 Blocking on the constants first, then variations, and then morphs last,
will yield a greater blockage rate.


Matt


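The triplet mechanism Matt and Stephen Gran rely on, written out as an added example (not code from the thread or from any greylisting package): the key is (client IP, envelope sender, envelope recipient); the first attempt for an unknown triplet gets a temporary 4xx, a retry after the minimum delay is accepted and the triplet remembered, and a sender that never retries or forges a fresh address on every attempt never completes a triplet. The exemption list is there for hosts that cannot tolerate the delay, the objection raised later in the thread about customers' robots. All hosts and addresses below are constructed from documentation ranges.

```python
import time

# Added example, not from the thread or any greylisting package. Implements
# the (client IP, envelope sender, envelope recipient) triplet scheme.
# Everything in demo() is constructed: the IPs are documentation ranges.

DEFER = "451 4.7.1 Greylisted, please retry later"
ACCEPT = "250 OK"


class Greylist:
    def __init__(self, min_delay=300, retry_window=4 * 3600,
                 exempt_ips=(), clock=time.time):
        self.min_delay = min_delay        # retries sooner than this stay deferred
        self.retry_window = retry_window  # unfinished triplets expire after this
        self.exempt = set(exempt_ips)     # hosts that cannot tolerate the delay
        self.clock = clock                # injectable for testing
        self.pending = {}                 # triplet -> first-seen time
        self.known = set()                # triplets that completed a retry

    def check(self, client_ip, sender, recipient):
        """Return the SMTP response to give at RCPT TO for this attempt."""
        if client_ip in self.exempt:
            return ACCEPT
        triplet = (client_ip, sender.lower(), recipient.lower())
        if triplet in self.known:
            return ACCEPT
        now = self.clock()
        first = self.pending.get(triplet)
        if first is None or now - first > self.retry_window:
            self.pending[triplet] = now   # new (or expired) triplet
            return DEFER
        if now - first < self.min_delay:
            return DEFER                  # too eager; real MTAs queue and wait
        del self.pending[triplet]
        self.known.add(triplet)
        return ACCEPT


def demo():
    """Three constructed clients against one greylist with a fake clock."""
    clock = [1000.0]
    gl = Greylist(min_delay=300, exempt_ips={"192.0.2.20"},
                  clock=lambda: clock[0])
    # a legitimate MTA: same triplet, retried after its queue interval
    legit = [gl.check("198.51.100.7", "alice@example.org", "bob@example.net")]
    clock[0] += 600
    legit.append(gl.check("198.51.100.7", "alice@example.org", "bob@example.net"))
    legit.append(gl.check("198.51.100.7", "alice@example.org", "bob@example.net"))
    # a worm's direct-to-MX engine: the forged sender changes every attempt,
    # so no triplet is ever seen twice, even after the delay has passed
    worm = [gl.check("203.0.113.9", "user%d@example.com" % i, "bob@example.net")
            for i in range(3)]
    clock[0] += 600
    worm.append(gl.check("203.0.113.9", "user3@example.com", "bob@example.net"))
    # a customer's robot on an exempt host is never delayed
    robot = gl.check("192.0.2.20", "robot@example.com", "bob@example.net")
    return legit, worm, robot
```

Production greylisters usually key on the client's /24 rather than the exact address, because large senders retry from a different host in the same pool, and they auto-whitelist hosts that have passed several times so the delay is paid once per peer rather than once per correspondent pair.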


[Clamav-users] Re: Clamav-users digest, Vol 1 #1033 - 11 msgs

2004-09-29 Thread Nigel Horne
I can't remember the original problem, you've removed the history from this
post that would have reminded me!

-Nigel

On Wednesday 29 Sep 2004 02:58, Damon McMahon wrote:
 Nigel,
 
 Thanks for your reply, and please accept my apologies for the woeful lack of 
 detail in my first post.
 
 Here's how we kick off clamav:
 
 #!/bin/sh
 /usr/local/bin/freshclam -d -p /var/clamav/freshclam.pid
 /usr/local/sbin/clamd
 /usr/local/sbin/clamav-milter --debug -c /etc/clamav.conf -AdNq 
 local:/var/clamav/clmilter.sock
 
 Note that I couldn't get clamav-milter to accept --dubug-level=n despite 
 this being documented in the man page and building with
 
 % ./configure --enable-debug
 
 Here are the relevant run-time files:
 
 % ls -al /var/clamav
 drwx--   6 clamav  clamav  204 29 Sep 10:58 .
 drwxr-xr-x  22 root    wheel   748 29 Sep 09:06 ..
 -rw-rw   1 clamav  clamav    4 29 Sep 10:58 clamd.pid
 srwxrwxrwx   1 clamav  clamav    0 29 Sep 10:58 clamd.sock
 srwx--   1 clamav  clamav    0 29 Sep 10:58 clmilter.sock
 -rw-rw   1 clamav  clamav    4 29 Sep 10:58 freshclam.pid
 
 Here's my configuration customisations:
 
 % cat /etc/clamav.conf | grep -v # | grep -v '^$'
 LogSyslog
 LogFacility LOG_MAIL
 LogVerbose
 PidFile /var/clamav/clamd.pid
 LocalSocket /var/clamav/clamd.sock
 FixStaleSocket
 StreamSaveToDisk
 StreamMaxLength 10M
 MaxThreads 10
 MaxDirectoryRecursion 15
 User clamav
 ScanOLE2
 ScanMail
 ScanArchive
 ArchiveMaxFileSize 10M
 ArchiveMaxRecursion 5
 ArchiveMaxFiles 1000
 ArchiveMaxCompressionRatio 200
 ClamukoScanOnOpen
 ClamukoScanOnClose
 ClamukoScanOnExec
 ClamukoIncludePath /home
 ClamukoMaxFileSize 1M
 ClamukoScanArchive
 
 Here's the relevant snippet from my mail log showing the info you requested:
 
 Sep 29 10:57:31 localhost clamd[9693]: Daemon started.
 Sep 29 10:57:31 localhost clamd[9693]: clamd daemon 0.75.1 (OS: darwin7.5.0, 
 ARCH: ppc, CPU: powerpc)
 Sep 29 10:57:31 localhost clamd[9693]: Log file size limited to 1048576 
 bytes.
 Sep 29 10:57:31 localhost clamd[9693]: Verbose logging activated.
 Sep 29 10:57:31 localhost clamd[9693]: Running as user clamav (UID 30, GID 
 30)
 Sep 29 10:57:31 localhost clamd[9693]: Reading databases from 
 /usr/local/share/clamav
 Sep 29 10:57:32 localhost clamd[9693]: Protecting against 24128 viruses.
 Sep 29 10:57:33 localhost clamd[9694]: Unix socket file 
 /var/clamav/clamd.sock
 Sep 29 10:57:33 localhost clamd[9694]: Setting connection queue length to 15
 Sep 29 10:57:33 localhost clamd[9694]: Listening daemon: PID: 9694
 Sep 29 10:57:33 localhost clamd[9694]: Archive: Archived file size limit set 
 to 10485760 bytes.
 Sep 29 10:57:33 localhost clamd[9694]: Archive: Recursion level limit set to 
 5.
 Sep 29 10:57:33 localhost clamd[9694]: Archive: Files limit set to 1000.
 Sep 29 10:57:33 localhost clamd[9694]: Archive: Compression ratio limit set 
 to 200.
 Sep 29 10:57:33 localhost clamd[9694]: Archive support enabled.
 Sep 29 10:57:33 localhost clamd[9694]: RAR support disabled.
 Sep 29 10:57:33 localhost clamd[9694]: Mail files support enabled.
 Sep 29 10:57:33 localhost clamd[9694]: OLE2 support enabled.
 Sep 29 10:57:33 localhost clamd[9694]: Self checking every 3600 seconds.
 Sep 29 10:58:53 localhost clamav-milter[9842]: Starting: clamd / ClamAV 
 version 0.75.1, clamav-milter version 0.75c
 Sep 29 10:58:53 localhost clamav-milter[9842]: Started: clamd / ClamAV 
 version 0.75.1, clamav-milter version 0.75c
 Sep 29 10:59:11 localhost sendmail[9864]: starting daemon (8.13.1): 
 [EMAIL PROTECTED]:20:00
 Sep 29 10:59:11 localhost sendmail[9867]: starting daemon (8.13.1): 
 [EMAIL PROTECTED]:20:00
 Sep 29 10:59:15 localhost fetchmail[9886]: starting fetchmail 6.2.5 daemon
 Sep 29 11:01:10 localhost fetchmail[9886]: 1 message for [EMAIL PROTECTED] 
 at pop.my.mail.provider.net (773 octets).
 Sep 29 11:01:11 localhost fetchmail[9886]: reading message 
 [EMAIL PROTECTED]@pop.my.mail.provider.net:1 of 1 (773 octets)
 Sep 29 11:01:11 localhost clamav-milter[9842]: clamfi_close
 Sep 29 11:01:11 localhost sendmail[9898]: i8T1VBd6009898: 
 from=[EMAIL PROTECTED], size=866, class=0, nrcpts=1, 
 msgid=[EMAIL PROTECTED], proto=ESMTP, 
 daemon=MTA, relay=localhost [127.0.0.1]
 
 If you need anything else let me know.
 
 Thanks again,
 Damon
 
 Original Message Follows
 From: Nigel Horne <[EMAIL PROTECTED]>
 Organization: NJH Music (bandsman.co.uk)
 To: [EMAIL PROTECTED]
 Subject: Re: [Clamav-users] fetchmail & clamav-milter
 Date: Tue, 28 Sep 2004 08:12:09 +0100
 Reply-To: [EMAIL PROTECTED]
 
 [snip]
 
 Yes, don't use -l, -o or -f. What options are you using? What version of 
 clamav-milter?
 
 

-- 
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK.  ICQ#20252325
[EMAIL PROTECTED] 

Re: [Clamav-users] Update

2004-09-29 Thread Brian Morrison
On Wed, 29 Sep 2004 21:05:54 +0200 in
[EMAIL PROTECTED] Salvatore Basso
[EMAIL PROTECTED] wrote:

  ERROR: Clamd was NOT notified: Can't connect to clamd through
  /tmp/clamd
 
  .. why do I have this error ?? Perhaps, after I configured
  user/group clamav on /var/lib/clamav, it is only necessary to:
 
  #clamd stop
  #clamd start
 
  .. is it normal that I don't have the file /etc/clamd.conf ??
 
  .. many thanks !

It's probably because you need to tell freshclam how to tell clamd that
a new database update has occurred. Then the next time clamd is passed
data it will force a database reload.

Look at the NotifyClamd option, mine is:

NotifyClamd /etc/clamd.conf

-- 

Brian Morrison

bdm at fenrir dot org dot uk

GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html


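What NotifyClamd buys you, as an added example rather than freshclam's own code: the "Can't connect to clamd through /tmp/clamd" error means freshclam tried a socket path clamd was not listening on. Pointing NotifyClamd at clamd's config makes freshclam read the same LocalSocket (or TCPSocket/TCPAddr) clamd uses, then send the RELOAD command so the freshly downloaded main.cvd and daily.cvd are loaded straight away. The block reimplements that in miniature against a stub clamd in a temp directory and then shows the failure mode from the thread. The RELOAD/RELOADING exchange is clamd's real command protocol; the config text and socket paths are constructed.

```python
import os
import socket
import tempfile
import threading

# Added example, not freshclam's code: a minimal version of what the
# NotifyClamd option does. Read clamd's config to learn where clamd listens
# (LocalSocket, or TCPSocket plus TCPAddr), then send RELOAD. The clamd.conf
# text and socket paths below are constructed for the demo.

def clamd_socket_from_conf(conf_text):
    """Return ("unix", path) or ("tcp", (host, port)) from clamd.conf text."""
    opts = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        opts[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    if "LocalSocket" in opts:
        return ("unix", opts["LocalSocket"])
    if "TCPSocket" in opts:
        return ("tcp", (opts.get("TCPAddr", "127.0.0.1"), int(opts["TCPSocket"])))
    raise ValueError("clamd.conf defines neither LocalSocket nor TCPSocket")


def notify_clamd(spec, timeout=5.0):
    """Send RELOAD to clamd and return its one-line reply, or an error string
    in the spirit of freshclam's "Clamd was NOT notified"."""
    kind, addr = spec
    family = socket.AF_UNIX if kind == "unix" else socket.AF_INET
    s = socket.socket(family, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect(addr)
        s.sendall(b"RELOAD\n")
        return s.recv(64).strip().decode("ascii", "replace")
    except OSError as e:
        return "Clamd was NOT notified: can't connect to clamd through %s (%s)" % (addr, e)
    finally:
        s.close()


def _fake_clamd(path, ready):
    """Stand-in for clamd: serves one connection, answers RELOAD with RELOADING."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(1)
    ready.set()
    conn, _ = srv.accept()
    if conn.recv(64).strip() == b"RELOAD":
        conn.sendall(b"RELOADING\n")
    conn.close()
    srv.close()


def demo():
    """Constructed clamd.conf pointing at the stub clamd, then the thread's
    failure mode: a socket path nothing listens on."""
    base = tempfile.mkdtemp()
    sock = os.path.join(base, "clamd.sock")
    conf = "# constructed clamd.conf\nLogSyslog\nLocalSocket %s\nUser clamav\n" % sock
    ready = threading.Event()
    t = threading.Thread(target=_fake_clamd, args=(sock, ready))
    t.start()
    ready.wait()
    good = notify_clamd(clamd_socket_from_conf(conf))
    t.join()
    bad = notify_clamd(("unix", os.path.join(base, "clamd")))
    return good, bad
```

If the reply is anything other than RELOADING, or the connect fails, clamd keeps scanning with the old database until its next SelfCheck, which is exactly the window the update was meant to close.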


AW: [Clamav-users] virus submission problem

2004-09-29 Thread Steffen Heil
Hi

 The main types of checks that should be done are regarding the composition
of the emails. For example, the ones you mention above, clsid and boundary
checks, will stop a proportional amount of virus mails from getting any
further.

Okay... already doing so.

 Then there are others, like iframe, executable extensions, certain aspects
of html content, excessive header line lengths, to name but a few.

I cannot prevent such things. I have no way to tell my customers: you may
not send each other executables or html-files with frames. They would go
somewhere else immediately.

Also greylisting is no option, since it slows down email traffic and some of
my customers use robots, which rely on these mails. For the same reason,
excessive header line lengths need to work.

Altogether, the point is, I may not drop or slow down legitimate mail.
So I simply scan for viri.

Regards,
  Steffen




Re: [Clamav-users] Update

2004-09-29 Thread Matt
Salvatore Basso wrote:

 .. is normal that I haven't file /etc/clamd.conf ??

 You're running 0.75.1. The config file is clamav.conf.

Matt




Re: [Clamav-users] Update

2004-09-29 Thread Salvatore Basso
.. however, I stopped and started clamd and tried /usr/local/bin/freshclam -d again, and in 
freshclam.log it is written:

freshclam daemon 0.75.1 (OS: linux-gnu, ARCH: i386, CPU: i686)
ClamAV update process started at Wed Sep 29 22:29:30 2004
main.cvd updated (version: 27, sigs: 23982, f-level: 2, builder: tomek)
daily.cvd updated (version: 509, sigs: 635, f-level: 2, builder: trog)

.. therefore now everything is OK ??!! Is that right ??
thanks.

--

Salvatore.

- Original Message - 
From: Brian Morrison [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, September 29, 2004 9:19 PM
Subject: Re: [Clamav-users] Update


 On Wed, 29 Sep 2004 21:05:54 +0200 in
 [EMAIL PROTECTED] Salvatore Basso
 [EMAIL PROTECTED] wrote:
 
   ERROR: Clamd was NOT notified: Can't connect to clamd through
   /tmp/clamd
  
   .. why do I have this error ?? Perhaps, after I configured
   user/group clamav on /var/lib/clamav, it is only necessary to:
  
   #clamd stop
   #clamd start
  
   .. is it normal that I don't have the file /etc/clamd.conf ??
  
   .. many thanks !
 
 It's probably because you need to tell freshclam how to tell clamd that
 a new database update has occurred. Then the next time clamd is passed
 data it will force a database reload.
 
 Look at the NotifyClamd option, mine is:
 
 NotifyClamd /etc/clamd.conf
 
 -- 
 
 Brian Morrison
 
 bdm at fenrir dot org dot uk
 
 GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html
 
 
 



Re: Virus protection: WAS: [Clamav-users] virus submission problem

2004-09-29 Thread Matt
Steffen Heil wrote:

 I cannot prevent such things. I have no way to tell my customers: you
 may not send each other executables or html-files with frames. They
 would go somewhere else immediately.

 Just shifted the reply to this thread, Steffen. The iframe exploit you
are already discriminating against, as it is in the Clam database as:

 Exploit.IFrame.Gen

 I never meant to imply that you use draconian methods on any broad areas
of email communication, but as you can see from the above, there are
specific portions of a laden email which can only point to one designated
purpose.

 I disagree, however, with ISPs or companies who use lax restrictions on
email content, just to keep customers or staff happy. At the end of the
day, maintaining a proper, healthy, and most of all, sociable system takes
precedence over people's whims. It is the same in any business. You do your
best to meet your customers' needs, but you never allow customers to
dictate poor practice.

 If you generalise areas, then you are theoretically arguing against AV
interception altogether. The 'html-files with frames' bit above is
generalising. A specific combination is what you protect against, not a
general range.


 For the same reason, excessive header line lengths need to work.

 Long header lines are fine, but when they are above the maximum laid down
in the RFCs? Why should someone send an email which violates the specs
and expect it to be accepted without further ado?

 With regards to greylisting and SAV, and other such components, they
are purely a business or preference decision. They do work, but at an
offset cost. They are an extra line of defence, they are not compulsory.

All the best,

Matt



Re: [Clamav-users] Update

2004-09-29 Thread Brian Morrison
On Wed, 29 Sep 2004 22:30:55 +0200 in
[EMAIL PROTECTED] Salvatore Basso
[EMAIL PROTECTED] wrote:

  .. therefore now is all ok ??!!, it's just ??
  thanks.

Possibly, I've just noticed that your config file for clamd is probably
still called clamav.conf as you are using 0.75.1, so you need:

NotifyClamd /etc/clamav.conf

in freshclam.conf

-- 

Brian Morrison

bdm at fenrir dot org dot uk

GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html




[Clamav-users] ScanMail default differs in milter and clamd

2004-09-29 Thread Damian Menscher
Sorry if this has been reported already; I'm behind on email.
Running 0.80rc3.
[EMAIL PROTECTED] etc]# /etc/init.d/clamav-milter start
Starting clamav-milter: clamav-milter: ScanMail not enabled in 
/usr/local/encap/clamav-0.80rc3/etc/clamd.conf
The .conf file says:
# Enable internal e-mail scanner.
# Default: enabled
#ScanMail
Uncommenting ScanMail fixes things.  Looks like a case of the milter
having different defaults than the daemon.
Damian Menscher
--
-=#| Physics Grad Student  SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
-=#| [EMAIL PROTECTED] www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
-=#| The above opinions are not necessarily those of my employers. |#=-


Re: [Clamav-users] ERROR: JPEG.Comment

2004-09-29 Thread Damian Menscher
On Wed, 29 Sep 2004, Brandon Knitter wrote:
I'm unsure what type of camera originally took the pictures.  But the original
pictures DO NOT show as having a virus.  After I put it through ImageMagick's
convert (I make thumbnails) it then thinks it has the virus.
Now, I'm pretty sure that ImageMagick isn't injecting a virus, as many of the
other thumbnails I make with the same exact binary report no virus.
Could you, and everyone else who has seen a false JPEG.Comment, please 
re-run the scans?  I just discovered something EXTREMELY disturbing:

I just upgraded to 0.80rc3 on a RH9 machine.  As a test of clamav, I 
went into my public_html directory and did a clamscan -r.  It found one 
of my images to contain the virus:

[EMAIL PROTECTED] public_html]# clamscan -r .
./Asia_Pics/New Folder/dsc_0009.jpg: Exploit.JPEG.Comment FOUND
But later scans didn't show a problem with it:
[EMAIL PROTECTED] New Folder]# clamscan dsc_0009.jpg
dsc_0009.jpg: OK
[EMAIL PROTECTED] New Folder]# clamscan -r .
./dsc_0009.jpg: OK
[EMAIL PROTECTED] public_html]# clamscan ./Asia_Pics/New Folder/dsc_0009.jpg
./Asia_Pics/New Folder/dsc_0009.jpg: OK
[EMAIL PROTECTED] public_html]# clamscan -r Asia_Pics/
Asia_Pics//New Folder/dsc_0009.jpg: OK
[EMAIL PROTECTED] public_html]# clamscan -r .
./Asia_Pics/New Folder/dsc_0009.jpg: OK
And no, the file didn't change between scans:
[EMAIL PROTECTED] public_html]# ls -l ./Asia_Pics/New Folder/dsc_0009.jpg
-r-xr-xr-x    1 menscher astro  347067 Jan 10  2004 ./Asia_Pics/New Folder/dsc_0009.jpg
If I had to guess, I'd say clamscan has some uninitialized memory that's 
causing occasional false positives.  If anyone can suggest an 
alternative explanation, or a way I could debug this further, I'd love 
to help.  Problem is, I can't reproduce the false positive anymore.

Damian Menscher
--
-=#| Physics Grad Student  SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
-=#| [EMAIL PROTECTED] www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
-=#| The above opinions are not necessarily those of my employers. |#=-


Re: [Clamav-users] Some good news

2004-09-29 Thread Fajar A. Nugraha
Dennis Peterson wrote:
Since building and installing .80rc2 and then rc3, all the memory leaks
are gone. 

You know, I just noticed that you're right :)
I wouldn't call it memory leaks though, since it may be just high memory usage
(remember the long "kernel: Out of Memory" thread?)
But the point is clamd's memory usage is much lower now compared to what
it was a few weeks ago.

Where I was normally rebooting clamd several times a day when
the size got out of control it now is running for days on end with no
change in size.
 

The not-so-busy server that I have now only uses 9M, and the busiest one
only uses 19M here.

Strangely enough I can't see anything that might point to this change of 
behaviour on Changelog.



Re: [Clamav-users] ERROR: JPEG.Comment

2004-09-29 Thread Tomasz Kojm
On Wed, 29 Sep 2004 10:21:10 -0700
Brandon Knitter [EMAIL PROTECTED] wrote:

 I'm unsure what type of camera originally took the pictures.  But the
 original pictures DO NOT show as having a virus.  After I put it
 through ImageMagick's convert (I make thumbnails) it then thinks it
 has the virus.
 
 Now, I'm pretty sure that ImageMagick isn't injecting a virus, as many
 of the other thumbnails I make with the same exact binary report no
 virus.
 
 I was unaware of the submit feature.  I just sent it in at the submit
 site as a false positive! :)

Thanks. Fixed in CVS.

-- 
   oo. Tomasz Kojm [EMAIL PROTECTED]
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Thu Sep 30 02:28:28 CEST 2004




Re: [Clamav-users] Error building on FreeBSD 4.10-STABLE

2004-09-29 Thread Chris Paul
On or about Wed, 29 Sep 2004 09:09:25 +1000
Gib Gilbertson Jr. [EMAIL PROTECTED] allegedly wrote:

 I just downloaded and tried to make and get the same error message. 
 According to the date of the post below from the archives, I would think 
 this was fixed by now?
 
 I'm running FreeBSD 4.10, trying to install ClamAV-0.80rc3 and getting the 
 following error message...

Well it installed and it runs for me here, but I did get some ugly warnings:

making clamav-0.80rc3 on FreeBSD-4.10-STABLE

curl -lssl -lcrypto -lz -lc_r -Wl,--rpath -Wl,/usr/local/lib
/usr/lib/libc.so: WARNING!  setkey(3) not present in the system!
/usr/lib/libc.so: warning: this program uses gets(), which is unsafe.
/usr/lib/libc.so: warning: mktemp() possibly used unsafely; consider using mkstemp()
/usr/lib/libc.so: WARNING!  des_setkey(3) not present in the system!
/usr/lib/libc.so: WARNING!  encrypt(3) not present in the system!
/usr/lib/libc.so: warning: tmpnam() possibly used unsafely; consider using mkstemp()
/usr/lib/libc.so: warning: this program uses f_prealloc(), which is not recommended.
/usr/lib/libc.so: WARNING!  des_cipher(3) not present in the system!

CP

-- 
Chris Paul   
Sentinare Messaging Solutions
890 Robles Drive, Santa Cruz, CA 95060
web: http://www.sentinare.com
phone: +1 (877) 727-9786




[Clamav-users] Test

2004-09-29 Thread Tomasz Kojm
Please ignore this message.

-- 
   oo. Tomasz Kojm [EMAIL PROTECTED]
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Thu Sep 30 02:31:51 CEST 2004


___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Re: [Clamav-users] Test

2004-09-29 Thread Rick Macdougall

Tomasz Kojm wrote:
Please ignore this message.
Ummm, make me ?
Rick


Re: [Clamav-users] ERROR: JPEG.Comment

2004-09-29 Thread Damian Menscher
On Wed, 29 Sep 2004, Damian Menscher wrote:
I just upgraded to 0.80rc3 on a RH9 machine.  As a test of clamav, I went 
into my public_html directory and did a clamscan -r.  It found one of my 
images to contain the virus:

[EMAIL PROTECTED] public_html]# clamscan -r .
./Asia_Pics/New Folder/dsc_0009.jpg: Exploit.JPEG.Comment FOUND
But later scans didn't show a problem with it:
[EMAIL PROTECTED] New Folder]# clamscan dsc_0009.jpg
dsc_0009.jpg: OK
And no, the file didn't change between scans:
[EMAIL PROTECTED] public_html]# ls -l ./Asia_Pics/New Folder/dsc_0009.jpg
-r-xr-xr-x    1 menscher astro  347067 Jan 10  2004 ./Asia_Pics/New Folder/dsc_0009.jpg

If I had to guess, I'd say clamscan has some uninitialized memory that's 
causing occasional false positives.  If anyone can suggest an alternative 
explanation, or a way I could debug this further, I'd love to help.  Problem 
is, I can't reproduce the false positive anymore.
Ok, I feel dumb.  Turns out the difference was the release of daily 509, 
which eliminated the false positive.  I swear I looked to make sure it 
wasn't a freshclam update that made it disappear, but checking a second 
time shows otherwise.

Sorry for the false alarm.
Damian Menscher
--
-=#| Physics Grad Student  SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
-=#| [EMAIL PROTECTED] www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
-=#| The above opinions are not necessarily those of my employers. |#=-


Re: [Clamav-users] ERROR: JPEG.Comment

2004-09-29 Thread Dennis Peterson
Damian Menscher said:
 On Wed, 29 Sep 2004, Damian Menscher wrote:


 If I had to guess, I'd say clamscan has some uninitialized memory that's
 causing occasional false positives.  If anyone can suggest an
 alternative
 explanation, or a way I could debug this further, I'd love to help.
 Problem
 is, I can't reproduce the false positive anymore.

 Ok, I feel dumb.  Turns out the difference was the release of daily 509,
 which eliminated the false positive.  I swear I looked to make sure it
 wasn't a freshclam update that made it disappear, but checking a second
 time shows otherwise.

 Sorry for the false alarm.

 Damian Menscher

I logged 32 jpeg files flagged as positive on the 27-28th. They stopped as
soon as the new db showed up. I sure hope these patterns are gold cuz I
can't afford fp's on images. Worse, I can't afford undetected positives.

Anyone got a plan for when encrypted zip'd jpeg files start showing up?

dp


Re: [Clamav-users] ERROR: JPEG.Comment

2004-09-29 Thread clamav
On Wed, 29 Sep 2004, Dennis Peterson wrote:
 
 Anyone got a plan for when encrypted zip'd jpeg files start showing up?
 
 dp
 

Either start a password greper/parser which should be able to be updated
to recognize new formats in a non-executable way (regex or something)  
included in the sigs to rip \w+ out of images and html.  If it's a
passworded zip we can forward what we think the password is into the
decompressor.

Could start to make a profile of the zips too and ship 'em in with a
signature.  Remember that you can still read the CRC of the files within
the encrypted zip and the filename would probably follow a strict format
like IMG001.jpg to keep it looking innocent.  Yes, I am almost talking
about bayes virus detection and I think that is where we (the antivirus
industry) will end up in the future otherwise we will never be proactive.

  /me waits for a polymorphic jpeg

 ... It's interesting that viruses are finally starting to implement what
we were joking about in 1995 at high school...


-- 
Eric Wheeler
Vice President
National Security Concepts, Inc.
PO Box 3567
Tualatin, OR 97062

http://www.nsci.us/
Voice: (503) 293-7656
Fax:   (503) 885-0770




Re: [Clamav-users] ML server change

2004-09-29 Thread Mike Cathey
Joe,

On Wed, 2004-09-29 at 23:04, Joe Christy wrote:
 Will clamav-announce and clamav-virusdb be moving as well?

All of the clamav(-*) mailing lists are on lists.clamav.net now.

Cheers,

Mike
