Re: [Clamav-users] Virus Definitions update website

2004-10-13 Thread Robert Fleming
--On Wednesday, October 13, 2004 12:52 PM -0500 Jeff Bilder is rumoured to 
have written:

> Hey group,
> Was curious if there is a website that shows a chart of which companies,
> and clam, rate in terms of updating their Virus Definitions.  I need to
> put some documentation together for my director.  Thanks!

Nothing recent, but here are a couple of URLs comparing 'the other guys',
including information on the mydoom outbreak with a message from this list
showing how clamav fared with that one (attached)



Rob
--
Random Tagline:
Endless the world's turn, endless the sun's spinning
Endless the quest;
I turn again, back to my own beginning,
And here, find rest.
--- Begin Message ---
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:clamav-users-
> [EMAIL PROTECTED] On Behalf Of Dinko Ivanov
> Sent: 4. februar 2004 11:57
> To: [EMAIL PROTECTED]
> Subject: [Clamav-users] MyDoom???
> 
> When clamav will  detect MyDoom?
> I hope soon?!
> 

ClamAV was updated 21:23 (+0100) the 26th of January to detect 'Mydoom'.
Since no other av-scanner was able to detect it, the ClamAV team decided
to name it 'Worm.SCO.A' due to its content.

Below is a list compiled by PC-Welt that shows release time by other
av-scanners (time is in +0100).

McAfee (BETA) - 26.01. 22:20 - W32/[EMAIL PROTECTED] 
Symantec (BETA) - 26.01. 23:00 - [EMAIL PROTECTED] 
F-Prot - 26.01. 23:30 - W32/[EMAIL PROTECTED] 
Trend Micro - 26.01. 23:35 - WORM_MIMAIL.R 
Trend (BETA) - 26.01. 23:35 - WORM_MIMAIL.R 
RAV - 27.01. 00:00 - Win32/[EMAIL PROTECTED] 
Norman - 27.01. 00:05 - [EMAIL PROTECTED] 
F-Secure - 27.01. 00:05 - W32/[EMAIL PROTECTED] 
Virusbuster - 27.01. 00:05 - I-Worm.Mydoom.A 
AVG - 27.01. 00:15 - I-Worm/Mydoom 
Avast - 27.01. 00:15 - Win32:Mydoom [Unp] 
Kaspersky - 27.01. 00:30 - I-Worm.Novarg 
AntiVir - 27.01. 00:30 - Worm/MyDoom.A2 
Symantec - 27.01. 01:05 - [EMAIL PROTECTED] 
InoculateIT-CA - 27.01. 01:20 - Win32/Shimg.Worm 
Command - 27.01. 01:20 - W32/[EMAIL PROTECTED] 
A2 - 27.01. 01:30 - Worm.Win32.Mydoom 
Sophos - 27.01. 01:40 - W32/MyDoom-A 
InoculateIT-VET - 27.01. 02:30 - Win32.Mydoom.A 
Esafe - 27.01. 02:50 - Win32.Mydoom.a 
Dr. Web - 27.01. 03:40 - Win32.HLLM.Foo.32768 
Panda (BETA) - 27.01. 04:10 - W32/Mydoom.A.worm 
McAfee - 27.01. 05:00 - W32/[EMAIL PROTECTED] 
Quickheal - 27.01. 05:00 - W32.Novarg 
Bitdefender - 27.01. 05:00 - [EMAIL PROTECTED] 
Panda - 27.01. 05:10 - W32/Mydoom.A.worm 
Ikarus - 27.01. 09:35 - I-Worm.Mydoom

Best regards,
Diego d'Ambra


--- End Message ---
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


[Clamav-users] Re: freshclam: 'Broken or not a CVD file'

2004-10-13 Thread Tim Boyer
On Thu, 14 Oct 2004 01:21:47 +0100, Matt <[EMAIL PROTECTED]> wrote:

>Tim Boyer wrote:
>
>> Downloading daily.cvd [*]
>> ERROR: Verification: Broken or not a CVD file
>> Giving up...
>> 
>> I went to rc4 last night in the hope that it would be fixed, but I'm
>> getting the same error.
>
>
> This is answered in the archives. Can't think of the cause offhand.
>
>Matt

Matt -

The only things I can find in the archive are 'update to .75.1' and to
run as --user=root.  The first is out, obviously, and the second is a)
a bad idea, and b) doesn't work.


-- 
Tim Boyer
[EMAIL PROTECTED]



[Clamav-users] What are the exit codes for clamdscan - and should they be more specific?

2004-10-13 Thread Jason Haar
Hi there
I'm running clamav 0.80rc4 and have just had our Qmail-Scanner system 
spit the dummy on a message because clamdscan was exiting error status 2 
with the message "Bad format or broken data ERROR".

I'm going to guess that the message was corrupt in some way that 
clamdscan didn't like - that's fine - but is that error code 2 the same 
if clamdscan has a corrupt virus DB file as well?

i.e. shouldn't clamav differentiate between reporting error codes for 
internal errors (which are fatal), and external/file errors, which are 
more informational as they are beyond clamav's direct control?

i.e. I'd like to see different exit codes so that Qmail-Scanner can 
differentiate them ;-)

Thanks!
PS: no I can't show you the offending file. It was probably a virus. The 
SMTP client sending it tried 21 times in 7 minutes to resend it and then 
disappeared - I never got a chance to grab a copy. Doesn't sound like a 
valid mail server...

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


Re: [Clamav-users] freshclam: 'Broken or not a CVD file'

2004-10-13 Thread Matt
Tim Boyer wrote:

> Downloading daily.cvd [*]
> ERROR: Verification: Broken or not a CVD file
> Giving up...
> 
> I went to rc4 last night in the hope that it would be fixed, but I'm
> getting the same error.


 This is answered in the archives. Can't think of the cause offhand.

Matt


[Clamav-users] freshclam: 'Broken or not a CVD file'

2004-10-13 Thread Tim Boyer
I installed 0.80rc3, and when I try to run freshclam I get the
following:

freshclam --user=defang
ClamAV update process started at Wed Oct 13 19:08:21 2004
main.cvd is up to date (version: 27, sigs: 23982, f-level: 2, builder: tomek)
Downloading daily.cvd [*]
ERROR: Verification: Broken or not a CVD file
Trying again...
ClamAV update process started at Wed Oct 13 19:08:22 2004
main.cvd is up to date (version: 27, sigs: 23982, f-level: 2, builder: tomek)
Downloading daily.cvd [*]
ERROR: Verification: Broken or not a CVD file
Trying again...
ClamAV update process started at Wed Oct 13 19:08:23 2004
main.cvd is up to date (version: 27, sigs: 23982, f-level: 2, builder: tomek)
Downloading daily.cvd [*]
ERROR: Verification: Broken or not a CVD file
Giving up...

I went to rc4 last night in the hope that it would be fixed, but I'm
getting the same error.  

Thanks much,



-- 
Tim Boyer
[EMAIL PROTECTED]



Re: [Clamav-users] Re: Upgrade to 0.80rc3 breaks Exim malware acl [fixed in exiscan-acl-4.34-21.patch]

2004-10-13 Thread Brian Morrison
On Wed, 13 Oct 2004 22:05:01 +0100 in [EMAIL PROTECTED] Philip
Ross <[EMAIL PROTECTED]> wrote:

>  This fix is in exiscan-acl-4.34-21.patch and later.

That explains it then, I have never used earlier than the -21 patch.

I always build exim from source or from a source rpm myself, the latter
by means of editing the .spec file and doing a rebuild.

-- 

Brian Morrison

bdm at fenrir dot org dot uk

GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html


[Clamav-users] Re: Upgrade to 0.80rc3 breaks Exim malware acl [fixed in exiscan-acl-4.34-21.patch]

2004-10-13 Thread Philip Ross
Philip Ross wrote:
> I've just compared the clamd code between exiscan-acl-4.33-20 and 
> exiscan-acl-4.33-28 and found the following (which looks like it could 
> be the cause of the problem):
(that should have been exiscan-acl-4.43-28 rather than 4.33-28 in the above)
I've now rebuilt my exim-4.33 package with this change and it has fixed 
the problem.

This fix is in exiscan-acl-4.34-21.patch and later.
Phil


Re: [Clamav-users] Re: Upgrade to 0.80rc3 breaks Exim malware acl (still broken in 0.80rc4)

2004-10-13 Thread Brian Morrison
On Wed, 13 Oct 2004 21:10:45 +0100 in [EMAIL PROTECTED] Philip
Ross <[EMAIL PROTECTED]> wrote:

>  I'm running the Exim/Exiscan package that comes with Fedora Core 2 
>  (Exim-4.33 with exiscan-acl-4.33-20).
> 
>  I've just compared the clamd code between exiscan-acl-4.33-20 and 
>  exiscan-acl-4.33-28 and found the following (which looks like it
>  could be the cause of the problem):

Hmm, I think the earliest exiscan-acl I used was 4.34-21. I've used
Clamav of 0.65 and later, but have had 0.70 or later since I changed to
using Exim 4.x, and I'm pretty sure I have never seen this problem.

Hope that is useful information, I'm afraid I don't have any old logs to
look at and can't tell you when the change to exiscan you mention might
have been made, but I expect it is in Tom's changelog.

-- 

Brian Morrison

bdm at fenrir dot org dot uk

GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html


[Clamav-users] Re: Upgrade to 0.80rc3 breaks Exim malware acl (still broken in 0.80rc4)

2004-10-13 Thread Philip Ross
Brian Morrison wrote:
> I'm using Exim 4.43, with exiscan-acl-4.43-28, and all of my incoming
> mail has the added X-Scan-Signature header that Exim adds in there to
> show that the scanning occurred. I have seen no indication that this is
> not happening and I can find nothing in my mail or Exim logs that
> suggests a problem exists. So far I have had no trouble with any of the
> 0.80rc series up to and including rc4.
I'm running the Exim/Exiscan package that comes with Fedora Core 2 
(Exim-4.33 with exiscan-acl-4.33-20).

I've just compared the clamd code between exiscan-acl-4.33-20 and 
exiscan-acl-4.33-28 and found the following (which looks like it could 
be the cause of the problem):

--- exiclam.old 2004-10-13 21:04:43.036454125 +0100
+++ exiclam.new 2004-10-13 21:04:08.433816809 +0100
@@ -87,8 +87,14 @@
 +return DEFER;
 +  }
 +
-+  /* we're done sending, close socket for writing */
-+  shutdown(sock, SHUT_WR);
++  /*
++We're done sending, close socket for writing.
++
++One user reported that clamd 0.70 does not like this any more ...
++
++  */
++
++  /* shutdown(sock, SHUT_WR); */
 +
 +  /* Read the result */
 +  memset(av_buffer, 0, sizeof(av_buffer));
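Review bot: commenting out `shutdown(sock, SHUT_WR);` removes the half-close that clamd misreads, but the replacement comment only records that clamd 0.70 "does not like this any more"; it should state the mechanism so the half-close is not reintroduced later: clamd treats its side of the socket becoming readable while a scan is in progress (which is exactly what the client's FIN produces) as an instruction to abort, so the client must keep its write side open until the reply has been read. Two follow-ups on the same hunk: the `/* Read the result */` loop that follows now has to terminate on clamd closing the connection after its newline-terminated reply rather than on the half-close, which deserves a comment of its own, and the dead `/* shutdown(sock, SHUT_WR); */` line should be deleted rather than left commented out.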
Phil
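To show the failure mode Trog describes and this diff works around, here is an added example in Python (not code from exiscan or clamd): a fake clamd that, while a scan is in progress, polls its client socket and treats it becoming readable (which the peer's FIN after shutdown(SHUT_WR) produces) as an abort, plus an exiscan-style client run both with and without the half-close. The daemon, its reply strings and the scan path are constructed for the example.

```python
import select
import socket
import threading
import time

SCAN_TIME = 0.2           # simulated scan duration in seconds
# Constructed path for the example; any string works.
SCAN_PATH = "/var/spool/exim/scan/EXAMPLE-MESSAGE"


def fake_clamd(server_sock: socket.socket) -> None:
    """Accept one connection and answer one 'SCAN <path>' command.

    While the (simulated) scan runs, the client socket is polled.  If it
    becomes readable before the scan is done, which is exactly what the
    peer's FIN after shutdown(SHUT_WR) produces, the scan is treated as
    aborted, mirroring the clamd behaviour described on the list.
    """
    conn, _ = server_sock.accept()
    with conn:
        cmd = b""
        while not cmd.endswith(b"\n"):
            chunk = conn.recv(1024)
            if not chunk:          # peer went away before finishing the command
                return
            cmd += chunk
        path = cmd.decode().split(" ", 1)[1].strip()
        deadline = time.monotonic() + SCAN_TIME
        aborted = False
        while time.monotonic() < deadline:
            readable, _, _ = select.select([conn], [], [], 0.01)
            if readable:           # extra data or EOF from the client mid-scan
                aborted = True
                break
        # Reply strings are constructed for the example, not clamd's real ones.
        reply = "ERROR: scan aborted by client" if aborted else "OK"
        conn.sendall(f"{path}: {reply}\n".encode())


def exiscan_style_scan(port: int, path: str, half_close: bool) -> str:
    """Send 'SCAN <path>' the way exiscan does and return clamd's reply line.

    half_close=True reproduces exiscan-acl-4.33-20 (shutdown(sock, SHUT_WR)
    right after the command); half_close=False is the 4.34-21 fix, where the
    write side stays open until clamd has answered and closed the connection.
    """
    with socket.create_connection(("127.0.0.1", port)) as s:
        s.sendall(f"SCAN {path}\n".encode())
        if half_close:
            s.shutdown(socket.SHUT_WR)
        reply = b""
        while True:                # read until clamd closes the connection
            chunk = s.recv(4096)
            if not chunk:
                break
            reply += chunk
    return reply.decode().strip()


def run_scan(half_close: bool) -> str:
    """Start a fake clamd on an ephemeral port, run one scan, return the reply."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    worker = threading.Thread(target=fake_clamd, args=(srv,), daemon=True)
    worker.start()
    try:
        return exiscan_style_scan(port, SCAN_PATH, half_close)
    finally:
        worker.join(timeout=2)
        srv.close()


if __name__ == "__main__":
    print("with shutdown(SHUT_WR):   ", run_scan(half_close=True))
    print("without shutdown(SHUT_WR):", run_scan(half_close=False))
```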


[Clamav-users] Re: Upgrade to 0.80rc3 breaks Exim malware acl (still broken in 0.80rc4)

2004-10-13 Thread Philip Ross
Trog wrote:
> I've never used exiscan, but it sounds like a bug in exiscan (or a
> configuration issue).
The issue started occurring (for several people on this list) between 
0.80rc2 and 0.80rc3.

According to others, the change that broke it was 
http://cvs.sourceforge.net/viewcvs.py/clamav/clamav-devel/clamd/others.c?r1=1.17&r2=1.18

> exiscan must be closing its side of the connection to clamd without
> waiting for clamd to finish scanning. This signals to clamd to abort the
> scan. exiscan must not do that.
I've done a tethereal capture (see attached clamdcapture.txt). This does 
show exiscan closing the socket after sending a SCAN request and 
receiving an acknowledgment. From a brief look at the exiscan code 
(http://duncanthrax.net/exiscan-acl/exiscan-acl-4.43-28.patch - search 
for '"clamd" scanner type'), I cannot see why this would be happening.

I'll post to the exiscan list and see if anyone there has any ideas.
Thanks,
Phil
(Attachment clamdcapture.txt: tethereal packet summaries. The 43-byte PSH payload is the command SCAN /var/spool/exim/scan/1CHp5l-0001iN-Ix followed by a newline.)

  0.00     127.0.0.1 -> 127.0.0.1 TCP 6 > 3310 [SYN] Seq=0 Ack=0 Win=32767 Len=0 MSS=16396 TSV=44568512 TSER=0 WS=7
  0.000115 127.0.0.1 -> 127.0.0.1 TCP 3310 > 6 [SYN, ACK] Seq=0 Ack=1 Win=32767 Len=0 MSS=16396 TSV=44568513 TSER=44568512 WS=7
  0.000181 127.0.0.1 -> 127.0.0.1 TCP 6 > 3310 [ACK] Seq=1 Ack=1 Win=32768 Len=0 TSV=44568513 TSER=44568513
  0.000337 127.0.0.1 -> 127.0.0.1 TCP 6 > 3310 [PSH, ACK] Seq=1 Ack=1 Win=32768 [CHECKSUM INCORRECT] Len=43 TSV=44568513 TSER=44568513
  0.000374 127.0.0.1 -> 127.0.0.1 TCP 3310 > 6 [ACK] Seq=1 Ack=44 Win=32768 Len=0 TSV=44568513 TSER=44568513
  0.000458 127.0.0.1 -> 127.0.0.1 TCP 6 > 3310 [FIN, ACK] Seq=44 Ack=1 Win=32768 Len=0 TSV=44568513 TSER=44568513
  0.007107 127.0.0.1 -> 127.0.0.1 TCP 3310 > 6 [FIN, ACK] Seq=1 Ack=45 Win=32768 Len=0 TSV=44568520 TSER=44568513
  0.007244 127.0.0.1 -> 127.0.0.1 TCP 6 > 3310 [ACK] Seq=45 Ack=2 Win=32768 Len=0 TSV=44568520 TSER=44568520

Re: [Clamav-users] Where is my mail going? (newby)

2004-10-13 Thread Dennis Skinner
Greg T. wrote:
> As I understand it, here is the flow:
> fetchmail -> exim -> cyrus
> The clam and spam stuff gets done while exim is processing.
> There are lines of code in the configuration file which tell clam and
> spam what and how to process.
> acl_check_content:
>   # Reject virus infested messages.
>   deny  message = This message contains malware ($malware_name)
>         demime = *
>         malware = */defer_ok
>   deny  message = This message contains malformed MIME ($demime_reason)
>         demime = *
>         condition = ${if
The "glue" in this case is Exiscan which is a patch against Exim.  Since 
you seem unaware of this, I'm guessing you grabbed an RPM with it 
already applied.

You should read both the Exim docs (all of it, esp the part about ACLs) 
and the Exiscan doc.  Running a mail server without understanding how it 
works is a good way to get your site blacklisted.

One of the best reasons to run Exim is the extensive and very 
user-friendly documentation.  Use it.  Grab the pdf or html tarball. 
Take it home and digest it.  Reference it every time you make a change.

--
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com
"Winter is an etching, spring a watercolor, summer an oil painting and 
autumn a mosaic of them all.  - Stanley Horowitz"


Re: [Clamav-users] Where is my mail going? (newby)

2004-10-13 Thread Stephen Gran
On Wed, Oct 13, 2004 at 11:51:14AM -0700, Greg T. said:
> As I understand it, here is the flow:
> 
> fetchmail -> exim -> cyrus

Yes.

> The clam and spam stuff gets done while exim is processing.

Yes.

> There are lines of code in the configuration file which tell clam and
> spam what and how to process.

[snip]

> This is the standard configuration.  I have not modified it.  I'm
> getting mail from my mailbox on my isp.  I want to get the mailserver
> fully functional prior to cutting the cord.

So what do exim's logs say for the lost messages?  What were the lost
messages and how do you know they are missing?  The standard
configuration you are using will 5xx an email if it contains a virus.  I
don't know fetchmail's behavior on receiving a 5xx from the local
machine, but I would think it should drop the message.  Leaving it to be
picked up later just means repeating, when you've already gotten a
permanent failure, but like I said, I don't know what it does.

> > > > Somewhere between Exim and Cyrus, selected emails are
> > > > disappearing.  I don't know what the criterion is for the emails
> > > > coming up missing, so I thought I'd start with ClamAV.  When
> > > > Clam decides an email contains a virus, what does it (Clam) do
> > > > with the email.  Does it put the email somewhere?

As has been stated before, clam does nothing but identify a virus.
Since you are using the standard exim acl setup, this means that exim
will reject any message that clamav identifies as having a virus in it.
The only answer for this is going to be looking in the logfiles for exim
- you will want to start looking for an email you know went missing
(exigrep is good for this) and see what happened to it.
-- 
 --
|  Stephen Gran  | Well, the handwriting is on the floor.  |
|  [EMAIL PROTECTED] | -- Joe E. Lewis |
|  http://www.lobefin.net/~steve | |
 --




Re: [Clamav-users] Where is my mail going? (newby)

2004-10-13 Thread Patrick Boutilier

On 10/13/2004 03:51 PM, Greg T. wrote:
> As I understand it, here is the flow:
> fetchmail -> exim -> cyrus
> The clam and spam stuff gets done while exim is processing.
> There are lines of code in the configuration file which tell clam and
> spam what and how to process.
> acl_check_content:
>   # Reject virus infested messages.
>   deny  message = This message contains malware ($malware_name)
>         demime = *
>         malware = */defer_ok

If a mail has a virus in it Exim will send a 550 SMTP error and not 
accept the mail. (Reject virus infested messages.)




Re: [Clamav-users] Where is my mail going? (newby)

2004-10-13 Thread Greg T.
As I understand it, here is the flow:

fetchmail -> exim -> cyrus

The clam and spam stuff gets done while exim is
processing.

There are lines of code in the configuration file
which tell clam and spam what and how to process.


acl_check_content:

  # Reject virus infested messages.
  deny  message = This message contains malware ($malware_name)
        demime = *
        malware = */defer_ok

  deny  message = This message contains malformed MIME ($demime_reason)
        demime = *
        condition = ${if >{$demime_errorlevel}{2}{1}{0}}

  # Always add X-Spam-Score and X-Spam-Report headers, using SA system-wide settings
  # (user "nobody"), no matter if over threshold or not.
  warn  message = X-Spam-Score: $spam_score ($spam_bar)
        spam = nobody:true
  warn  message = X-Spam-Report: $spam_report
        spam = nobody:true

  # Add X-Spam-Flag if spam is over system-wide threshold
  warn  message = X-Spam-Flag: YES
        spam = nobody

  # Reject spam messages with score over 10, using an extra condition.
  deny  message = This message scored $spam_score points. Congratulations!
        spam = nobody:true
        condition = ${if >{$spam_score_int}{100}{1}{0}}

  # finally accept all the rest
  accept
[snip]

This is the standard configuration.  I have not
modified it.  I'm getting mail from my mailbox on my
isp.  I want to get the mailserver fully functional
prior to cutting the cord.



--- [EMAIL PROTECTED] wrote:

> 
> On Wed, 13 Oct 2004, Greg T. wrote:
> 
> > I guess I don't understand the question.  I hate to sound dense, but
> > could you restate?  Also, be aware that I'm no mail genius.
> > --- [EMAIL PROTECTED] wrote:
> > 
> > > > Somewhere between Exim and Cyrus, selected emails are disappearing.
> > > > I don't know what the criterion is for the emails coming up missing,
> > > > so I thought I'd start with ClamAV.
> > > >  
> > > > When Clam decides an email contains a virus, what does it (Clam) do
> > > > with the email.  Does it put the email somewhere?
> > > >  
> > > 
> > > Clam doesn't touch the email itself, it simply tells the calling program
> > > that it either is or isn't a virus.  What does exim use to send the
> > > message off to be filtered?
> 
> 
> Exim is an MTA (mail transfer agent).  Its job is to take mail in via
> smtp or a local socket and deliver it to the LDA (local delivery agent
> like procmail or vdeliver) so that a user can use an MUA (mail user agent
> like pine, outlook, etc) to read the mail.  The scanner gets placed
> between the MTA and LDA.  What is the "glue" which does the
> scanning/filtering from Exim? MTA<-->Scanner/filter<-->LDA.  I don't use
> exim and this scanning mechanism may be built in.  Generally people use
> software like amavis as the "glue" between the MTA and LDA for
> scanning/filtering viruses.  Either way, Clam doesn't do the mail
> filtering itself, it just says yes it is a virus or no it isn't.
> 
> Does this help answer your question?
> 
> -- 
> Eric Wheeler
> Vice President
> National Security Concepts, Inc.
> PO Box 3567
> Tualatin, OR 97062
> 
> http://www.nsci.us/
> Voice: (503) 293-7656
> Fax:   (503) 885-0770




Re: [Clamav-users] Where is my mail going? (newby)

2004-10-13 Thread Greg T.
From /etc/exim.conf:
[snip]
acl_check_content:

  # Reject virus infested messages.
  deny  message = This message contains malware ($malware_name)
        demime = *
        malware = */defer_ok

  deny  message = This message contains malformed MIME ($demime_reason)
        demime = *
        condition = ${if >{$demime_errorlevel}{2}{1}{0}}

  # Always add X-Spam-Score and X-Spam-Report headers, using SA system-wide settings
  # (user "nobody"), no matter if over threshold or not.
  warn  message = X-Spam-Score: $spam_score ($spam_bar)
        spam = nobody:true
  warn  message = X-Spam-Report: $spam_report
        spam = nobody:true

  # Add X-Spam-Flag if spam is over system-wide threshold
  warn  message = X-Spam-Flag: YES
        spam = nobody

  # Reject spam messages with score over 10, using an extra condition.
  deny  message = This message scored $spam_score points. Congratulations!
        spam = nobody:true
        condition = ${if >{$spam_score_int}{100}{1}{0}}

  # finally accept all the rest
  accept
[snip]

I've included the spamd stuff to be rigorous.

--- Brian Morrison <[EMAIL PROTECTED]> wrote:

> On Tue, 12 Oct 2004 16:40:52 -0700 (PDT) in [EMAIL PROTECTED]
> Greg Traud <[EMAIL PROTECTED]> wrote:
> 
> >  Somewhere between Exim and Cyrus, selected emails are disappearing. 
> >  I don't know what the criterion is for the emails coming up missing,
> >  so I thought I'd start with ClamAV.
> >   
> >  When Clam decides an email contains a virus, what does it (Clam) do
> >  with the email.  Does it put the email somewhere?
> >   
> 
> There are several methods of letting Exim call Clamav and take action
> based on the result. I suspect that the most common is the one I use
> myself, if a virus is found, Exim aborts the smtp transaction and
> rejects the mail.
> 
> What is in your exim.conf file regarding clamav in the ACL section?
> 
> -- 
> 
> Brian Morrison
> 
> bdm at fenrir dot org dot uk
> 
> GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html






Re: [Clamav-users] Where is my mail going? (newby)

2004-10-13 Thread clamav

On Wed, 13 Oct 2004, Greg T. wrote:

> I guess I don't understand the question.  I hate to
> sound dense, but could you restate?  Also, be aware
> that I'm no mail genius.
> --- [EMAIL PROTECTED] wrote:
> 
> > > Somewhere between Exim and Cyrus, selected emails
> > are disappearing.  I don't know what the criterion
> > is for the emails coming up missing, so I thought
> > I'd start with ClamAV.
> > >  
> > > When Clam decides an email contains a virus, what
> > does it (Clam) do with the email.  Does it put the
> > email somewhere?
> > >  
> > 
> > Clam doesn't touch the email itself, it simply tells
> > the calling program 
> > that it either is or isn't a virus.  What does exim
> > use to send the 
> > message off to be filtered?


Exim is an MTA (mail transfer agent).  Its job is to take mail in via
smtp or a local socket and deliver it to the LDA (local delivery agent
like procmail or vdeliver) so that a user can use an MUA (mail user agent
like pine, outlook, etc) to read the mail.  The scanner gets placed
between the MTA and LDA.  What is the "glue" which does the
scanning/filtering from Exim? MTA<-->Scanner/filter<-->LDA.  I don't use
exim and this scanning mechanism may be built in.  Generally people use
software like amavis as the "glue" between the MTA and LDA for
scanning/filtering viruses.  Either way, Clam doesn't do the mail
filtering itself, it just says yes it is a virus or no it isn't.

Does this help answer your question?

-- 
Eric Wheeler
Vice President
National Security Concepts, Inc.
PO Box 3567
Tualatin, OR 97062

http://www.nsci.us/
Voice: (503) 293-7656
Fax:   (503) 885-0770



Re: [Clamav-users] clamd hang in rc4

2004-10-13 Thread clamav
> > > I had the same problem with spamass-milter a while back. What you need 
> > > is a "watchdog" script, something like this...
> > > 
> > 
> > We had a problem similar to this this week, however, the problem wasn't
> > due to a dead/core'd process.  clamdscan actually hung for one reason or
> > another and clamd had to be shot down with a -9.  This took place just
> > after the upgrade to .80rc4 and I attributed it to (possibly) having a rc3
> > clamd running with a rc4 clamdscan.  Perhaps I did not adequately shut
> > down rc3 before the update.  Either way, I assume that clamdscan shouldn't
> > hang if clamd is dead.  I noticed that mail was backed up because the
> > amavis delivery agent (ADA?) hung when it relayed to amavisd.  Eventually
> > the problem was found to be clamdscan hanging and restarting clamd (after
> > a -9) seemed to work.
> > 
> > Is anyone else experiencing similar problems?
> 
> The only known crashing issue with clamd is due to broken versions of
> libz. Either run zlib-1.1.4 or a fixed version of 1.2.1 (which some
> vendors have issued, see CAN-2004-0797)

[EMAIL PROTECTED] ewheeler]$ rpm -qa | grep zlib
zlib1-devel-1.1.3-19.1mdk
zlib1-1.1.3-19.1mdk

According to
http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:033 this
is a patched 1.1.3 which we installed way back in Feb when the advisory
came out. Should I hand-upgrade to 1.1.4 anyway?  Does Clam link statically
or dynamically to libz?

-- 
Eric Wheeler
Vice President
National Security Concepts, Inc.
PO Box 3567
Tualatin, OR 97062

http://www.nsci.us/
Voice: (503) 293-7656
Fax:   (503) 885-0770



Re: [Clamav-users] Strange Behavior

2004-10-13 Thread clamav
> Do you really want to keep all the viruses people send you?





Re: [Clamav-users] Strange Behavior

2004-10-13 Thread Stephen Gran
On Wed, Oct 13, 2004 at 11:47:37AM -0400, Scott Rothgaber said:
> Here are the log entries from the test (trimmed and wrapped)...

Take a look:
i9DFeFAr011069: from=<[EMAIL PROTECTED]>
to=<[EMAIL PROTECTED]>
Milter: data, reject=554 5.7.1 ClamAV-Test-Signature
detected by ClamAV - http://www.clamav.net
i9DFeJeO011072: from=<[EMAIL PROTECTED]>
to=<[EMAIL PROTECTED]>
stat=Sent (2256485 message accepted for delivery)

Do you have recipient notification turned on for the milter?  The
original message was rejected, but the _recipient notification_ was sent
on and scanned by spamd.  If you want recipient notification, but don't
want spamass-milter to scan them, turn off spam scanning of emails from
localhost for the spam milter.  Otherwise, I'd just turn off recipient
notification in clamav milter - it's a waste of time for the most part.
-- 
 --
|  Stephen Gran  | Wanna buy a duck?   |
|  [EMAIL PROTECTED] | |
|  http://www.lobefin.net/~steve | |
 --




[Clamav-users] Virus Definitions update website

2004-10-13 Thread Jeff Bilder
Hey group,

Was curious if there is a website that shows a chart of which companies, and clam, rate 
in terms of updating their Virus Definitions.  I need to put some documentation 
together for my director.  Thanks!

- Jeff



Re: [Clamav-users] Re: R: More log information

2004-10-13 Thread Daniel J McDonald
On Wed, 2004-10-13 at 15:53 +0200, Wolfgang Cernohorsky wrote:
> Cali Federico wrote:
> 
> > I'm using:
> > - postfix
> > - AMaViS-new
> > - ClamAV
> > 
> > Do you know some tools that allow to obtain statistics about viruses detected.

> You can try "amavis-stats"[1] if you like graphs, e.g.
> http://rekudos.net/amavis-stats/node/view/7.

and pflogsumm if you don't want graphs.  I use both.
http://jimsun.linxnet.com/postfix_contrib.html

-- 
Daniel J McDonald, CCIE # 2495, CNX
Austin Energy

[EMAIL PROTECTED]



Re: [Clamav-users] Where is my mail going? (newby)

2004-10-13 Thread Greg T.
I guess I don't understand the question.  I hate to
sound dense, but could you restate?  Also, be aware
that I'm no mail genius.
--- [EMAIL PROTECTED] wrote:

> > Somewhere between Exim and Cyrus, selected emails are disappearing.  I
> > don't know what the criterion is for the emails coming up missing, so I
> > thought I'd start with ClamAV.
> >  
> > When Clam decides an email contains a virus, what does it (Clam) do
> > with the email.  Does it put the email somewhere?
> >  
> 
> Clam doesn't touch the email itself, it simply tells the calling program
> that it either is or isn't a virus.  What does exim use to send the
> message off to be filtered?
> 
> -- 
> Eric Wheeler
> Vice President
> National Security Concepts, Inc.
> PO Box 3567
> Tualatin, OR 97062
> 
> http://www.nsci.us/
> Voice: (503) 293-7656
> Fax:   (503) 885-0770






Re: [Clamav-users] Re: Upgrade to 0.80rc3 breaks Exim malware acl (still broken in 0.80rc4)

2004-10-13 Thread Brian Morrison
On Wed, 13 Oct 2004 17:34:28 +0100 in [EMAIL PROTECTED]
Trog <[EMAIL PROTECTED]> wrote:

>  > Can anyone else confirm that this is still a problem with 0.80rc4?
>  > 
>  > Are the developers aware of this issue? Is there a fix pending?
> 
>  I've never used exiscan, but it sounds like a bug in exiscan (or a
>  configuration issue).
> 
>  exiscan must be closing its side of the connection to clamd without
>  waiting for clamd to finish scanning. This signals to clamd to abort
>  the scan. exiscan must not do that.

I'm using Exim 4.43, with exiscan-acl-4.43-28, and all of my incoming
mail has the added X-Scan-Signature header that Exim adds in there to
show that the scanning occurred. I have seen no indication that this is
not happening and I can find nothing in my mail or Exim logs that
suggests a problem exists. So far I have had no trouble with any of the
0.80rc series up to and including rc4.

It may be due to the way your Exiscan ACLs are configured; does the OP
have any debug information that points to the problem area more
accurately?

-- 

Brian Morrison

bdm at fenrir dot org dot uk

GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html


Re: [Clamav-users] Re: Upgrade to 0.80rc3 breaks Exim malware acl (still broken in 0.80rc4)

2004-10-13 Thread Trog
On Tue, 2004-10-12 at 21:11, Philip Ross wrote:
> Philip Ross wrote:
> > Another change to the HAVE_POLL code in clamd/others.c has now been 
> > checked in to CVS:
> > 
> > http://cvs.sourceforge.net/viewcvs.py/clamav/clamav-devel/clamd/others.c?r1=1.18&r2=1.19
> > 
> > 
> > I haven't yet tried this to see if this fixes the problem.
> 
> I'm now running 0.80rc4 and am still seeing the same problem. This 
> change to others.c hasn't fixed the problem with Exim/exiscan.
> 
> Can anyone else confirm that this is still a problem with 0.80rc4?
> 
> Are the developers aware of this issue? Is there a fix pending?

I've never used exiscan, but it sounds like a bug in exiscan (or a
configuration issue).

exiscan must be closing its side of the connection to clamd without
waiting for clamd to finish scanning. This signals to clamd to abort the
scan. exiscan must not do that.

-trog



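The abort behaviour Trog describes, shown as an added example that is not ClamAV's, exiscan's or Exim's code: a toy clamd stand-in that watches its socket while it "scans" and treats a client hang-up as an abort, beside a client that waits for the verdict line and one that closes early. The SCAN command and `path: verdict` reply are modelled on clamd's text protocol; the path, the verdict string and the scan delay are constructed for the demonstration.

```python
import select
import socket
import threading

# Toy stand-in for clamd (not ClamAV's code): read one command line, "scan"
# for scan_seconds while polling the socket the way clamd's own poll loop
# does, and treat EOF from the client during the scan as "abort".
def fake_clamd(srv, scan_seconds, verdict, outcome):
    cmd = b""
    while not cmd.endswith(b"\n"):
        chunk = srv.recv(4096)
        if not chunk:                      # client vanished before sending a full command
            outcome.append("aborted"); srv.close(); return
        cmd += chunk
    path = cmd.decode().split(" ", 1)[1].strip()
    readable, _, _ = select.select([srv], [], [], scan_seconds)
    if readable and srv.recv(1) == b"":    # readable + EOF: client hung up mid-scan
        outcome.append("aborted")
    else:                                  # scan finished, nobody left early: report
        srv.sendall(f"{path}: {verdict}\n".encode())
        outcome.append("replied")
    srv.close()

def scan_and_wait(cli, path):
    """Correct client: send SCAN, block for the complete reply line, then close."""
    cli.sendall(f"SCAN {path}\n".encode())
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = cli.recv(4096)
        if not chunk:
            raise ConnectionError("clamd closed the connection without a verdict")
        buf += chunk
    cli.close()
    return buf.decode().rstrip("\n").rpartition(": ")[2]   # e.g. "OK" or "... FOUND"

def scan_and_hang_up(cli, path):
    """Buggy client of the kind Trog describes: closes before clamd has answered."""
    cli.sendall(f"SCAN {path}\n".encode())
    cli.close()
    return None

def run(client, path="/tmp/sample.eml", verdict="ClamAV-Test-Signature FOUND", scan_seconds=0.2):
    """Wire a client to the toy clamd over a socketpair; return (clamd outcome, client result).
    The path is never opened; it only travels inside the command line."""
    cli, srv = socket.socketpair()
    outcome = []
    t = threading.Thread(target=fake_clamd, args=(srv, scan_seconds, verdict, outcome))
    t.start()
    result = client(cli, path)
    t.join()
    return outcome[0], result

if __name__ == "__main__":
    print(run(scan_and_wait))      # ('replied', 'ClamAV-Test-Signature FOUND')
    print(run(scan_and_hang_up))   # ('aborted', None)
```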


Re: [Clamav-users] Strange Behavior

2004-10-13 Thread Scott Rothgaber
[EMAIL PROTECTED] wrote:

> Are you using the -outgoing switch in clamav-milter ?

No. I'm going to do another test and post the headers.


Re: [Clamav-users] clamd hang in rc4

2004-10-13 Thread Trog
On Tue, 2004-10-12 at 18:56, [EMAIL PROTECTED] wrote:
> On Tue, 12 Oct 2004, Scott Rothgaber wrote:
> > Doug Hardie wrote:
> > 
> > > have encountered quite a few situations in the last month where clamav 
> > > just stopped working properly and had to be manually restarted.
> > 
> > I had the same problem with spamass-milter a while back. What you need 
> > is a "watchdog" script, something like this...
> > 
> 
> We had a problem similar to this this week, however, the problem wasn't
> due to a dead/core'd process.  clamdscan actually hung for one reason or
> another and clamd had to be shot down with a -9.  This took place just
> after the upgrade to .80rc4 and I attributed it to (possibly) having a rc3
> clamd running with a rc4 clamdscan.  Perhaps I did not adequately shut
> down rc3 before the update.  Either way, I assume that clamdscan shouldn't
> hang if clamd is dead.  I noticed that mail was backed up because the
> amavis delivery agent (ADA?) hung when it relayed to amavisd.  Eventually
> the problem was found to be clamdscan hanging and restarting clamd (after
> a -9) seemed to work.
> 
> Is anyone else experiencing similar problems?

The only known crashing issue with clamd is due to broken versions of
libz. Either run zlib-1.1.4 or a fixed version of 1.2.1 (which some
vendors have issued, see CAN-2004-0797)

-trog





Re: [Clamav-users] Strange Behavior

2004-10-13 Thread Scott Rothgaber
Here are the log entries from the test (trimmed and wrapped)...
sm-mta[11069]: i9DFeFAr011069: from=<[EMAIL PROTECTED]>,
  size=337, class=0, nrcpts=1,
  msgid=<[EMAIL PROTECTED]>, proto=ESMTP,
  daemon=IPv4, relay=neors.cat.cc.md.us [204.153.79.3]
clamd[9893]: stream: ClamAV-Test-Signature FOUND
sm-mta[11069]: i9DFeFAr011069: Milter add: header: X-Virus-Scanned:
  clamd / ClamAV version 0.75.1, clamav-milter version 0.75c\n\ton
  s3.palmetto.tv
sm-mta[11069]: i9DFeFAr011069: Milter add: header: X-Virus-Status:
  Infected
clamav-milter[9895]: i9DFeFAr011069: stream: ClamAV-Test-Signature
  Intercepted virus from <[EMAIL PROTECTED]> to
  <[EMAIL PROTECTED]>
sendmail[11071]: i9DFeJdg011071: from=clamav, size=347, class=0,
  nrcpts=1, msgid=<[EMAIL PROTECTED]>,
  [EMAIL PROTECTED]
sm-mta[11072]: i9DFeJeO011072: from=<[EMAIL PROTECTED]>, size=608,
  class=0, nrcpts=1, msgid=<[EMAIL PROTECTED]>,
  proto=ESMTP, daemon=IPv4, relay=localhost [127.0.0.1]
spamd[9831]: connection from localhost [127.0.0.1] at port 3748
spamd[11074]: processing message
  <[EMAIL PROTECTED]> for root:200.
spamd[11074]: clean message (1.0/5.0) for root:200 in 2.0 seconds, 778
  bytes.
sm-mta[11072]: i9DFeJeO011072: Milter add: header: X-Spam-Flag: NO
sm-mta[11072]: i9DFeJeO011072: Milter add: header: X-Spam-Status:
  Hits=1.0  Required=5.0  Tests=BAYES_01=1  Autolearn=no
sm-mta[11072]: i9DFeJeO011072: Milter add: header: X-Spam-Level: =
sm-mta[11072]: i9DFeJeO011072: Milter add: header:
  X-Spam-Checker-Version: SpamAssassin 2.64 on s3.palmetto.tv
sm-mta[11072]: i9DFeJeO011072: Milter message: body replaced
sendmail[11071]: i9DFeJdg011071: to=<[EMAIL PROTECTED]>,
  ctladdr=clamav (300/300), delay=00:00:02, xdelay=00:00:02,
  mailer=relay, pri=30347, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0,
  stat=Sent (i9DFeJeO011072 Message accepted for delivery)
sm-mta[11069]: i9DFeFAr011069: Milter: data, reject=554 5.7.1
  ClamAV-Test-Signature detected by ClamAV - http://www.clamav.net
sm-mta[11069]: i9DFeFAr011069: to=<[EMAIL PROTECTED]>,
  delay=00:00:05, pri=30337, stat=ClamAV-Test-Signature detected by
  ClamAV - http://www.clamav.net
sm-mta[11076]: STARTTLS=client, relay=mail.saberspace.com.,
  version=TLSv1/SSLv3, verify=FAIL, cipher=DES-CBC3-SHA, bits=168/168
sm-mta[11076]: i9DFeJeO011072: to=<[EMAIL PROTECTED]>,
  ctladdr=<[EMAIL PROTECTED]> (300/300), delay=00:00:03,
  xdelay=00:00:01, mailer=smtp, pri=30608, relay=mail.saberspace.com.
  [63.82.200.42], dsn=2.0.0, stat=Sent (2256485 message accepted for
  delivery)
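To see the two mail flows in those log entries side by side, here is an added Python script (not from the thread) that groups the lines by sendmail queue id and reports whether the infected message was rejected at DATA and whether the clamav-milter notification, handed to the local sendmail, was relayed back through the milters. The sample log is constructed from the entries above with placeholder addresses; treating the `sm-mta` syslog tag as the daemon and `sendmail` as the submission program is an assumption about this host.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the sendmail / clamav-milter / spamd entries in the
# thread; addresses, hosts and the redacted relay= value are placeholders.
SAMPLE_LOG = """\
sm-mta[11069]: i9DFeFAr011069: from=<sender@example.org>, size=337, class=0, nrcpts=1, msgid=<m1@example.org>, proto=ESMTP, daemon=IPv4, relay=mx.example.org [192.0.2.3]
clamd[9893]: stream: ClamAV-Test-Signature FOUND
sm-mta[11069]: i9DFeFAr011069: Milter add: header: X-Virus-Status: Infected
clamav-milter[9895]: i9DFeFAr011069: stream: ClamAV-Test-Signature Intercepted virus from <sender@example.org> to <user@example.com>
sendmail[11071]: i9DFeJdg011071: from=clamav, size=347, class=0, nrcpts=1, msgid=<m2@example.com>, relay=clamav@localhost
sm-mta[11072]: i9DFeJeO011072: from=<clamav@example.com>, size=608, class=0, nrcpts=1, msgid=<m2@example.com>, proto=ESMTP, daemon=IPv4, relay=localhost [127.0.0.1]
sm-mta[11072]: i9DFeJeO011072: Milter add: header: X-Spam-Status: No, hits=1.0 required=5.0
sm-mta[11072]: i9DFeJeO011072: Milter message: body replaced
sendmail[11071]: i9DFeJdg011071: to=<postmaster@example.com>, ctladdr=clamav (300/300), delay=00:00:02, mailer=relay, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (i9DFeJeO011072 Message accepted for delivery)
sm-mta[11069]: i9DFeFAr011069: Milter: data, reject=554 5.7.1 ClamAV-Test-Signature detected by ClamAV - http://www.clamav.net
sm-mta[11069]: i9DFeFAr011069: to=<user@example.com>, delay=00:00:05, pri=30337, stat=ClamAV-Test-Signature detected by ClamAV - http://www.clamav.net
"""

# sendmail queue ids are 14 characters; clamd/spamd lines carry none and are skipped
EVENT = re.compile(r"^(?P<prog>[\w.-]+)\[\d+\]: (?P<qid>[A-Za-z0-9]{14}): (?P<rest>.*)$")
ACCEPTED = re.compile(r"stat=Sent \((?P<child>[A-Za-z0-9]{14}) Message accepted for delivery\)")
SENDER = re.compile(r"from=<?([^>,]*)>?")

def parse(log_text):
    """Group events by queue id. Assumption: the MTA daemon logs as 'sm-mta' and
    the local submission program (submit.cf) logs as 'sendmail' on this host."""
    q = defaultdict(lambda: {"from": None, "local_submit": False, "infected": False,
                             "rejected": False, "milters": False, "child": None})
    for line in log_text.splitlines():
        m = EVENT.match(line)
        if not m:
            continue
        rec, rest = q[m["qid"]], m["rest"]
        sm = SENDER.search(rest)
        if sm:
            rec["from"] = sm.group(1)
            rec["local_submit"] = m["prog"] == "sendmail"
        rec["infected"] |= "X-Virus-Status: Infected" in rest
        rec["rejected"] |= "reject=554" in rest
        rec["milters"] |= rest.startswith("Milter add: header: X-Spam") or rest == "Milter message: body replaced"
        am = ACCEPTED.search(rest)          # local submission relayed into the daemon
        if am:
            rec["child"] = am["child"]
    return dict(q)

def assess(records):
    """One finding per queue id worth a second look."""
    findings = []
    for qid, r in records.items():
        if r["infected"]:
            verdict = "rejected with 554 at DATA (expected)" if r["rejected"] else "NOT rejected, check milter flags"
            findings.append(f"{qid}: infected, {verdict}")
        if r["local_submit"]:
            text = f"{qid}: locally submitted by '{r['from']}' via the submission sendmail"
            child = records.get(r["child"])
            if child and child["milters"]:
                text += f"; relayed as {r['child']} and run through the milters again"
            findings.append(text)
    return findings

if __name__ == "__main__":
    for f in assess(parse(SAMPLE_LOG)):
        print(f)
```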


Re: [Clamav-users] Strange Behavior

2004-10-13 Thread Net . Admin



> Stephen Gran wrote:
> >
> I read the FP as saying that after a virus is found sendmail-submit is
> called which should only happen if a notification is being sent.

This rings a bell. I don't know if this is the same problem or not, but I
remember having the same problem. It occurred on an upgrade. The upgrade
worked but I noticed a new clamav-milter feature :-

 0.70q   22/4/04 No need to parse the received line if --headers is given
                 If -outgoing is given put generated emails in the deferred
                 queue to avoid the milter being called twice at the
                 same time (one on the incoming one on the outgoing)

I liked the idea of this so I used the -outgoing CLS and my sendmail logs
went nuts. I got the same behaviour as you are reporting. Needless to say I
just took the CLS off and I haven't had time to go back and fix whatever is
wrong with my sendmail.

Are you using the -outgoing switch in clamav-milter ?

Jim :-)


Re: [Clamav-users] Strange Behavior

2004-10-13 Thread Joe Maimon

Stephen Gran wrote:

> On Wed, Oct 13, 2004 at 09:38:03AM -0400, Scott Rothgaber said:
> > Stephen Gran wrote:
> >
> > > Well, really, it looks like something sendmail is failing to do.
> >
> > Thanks, Stephen! Here's what I have in .mc (wrapped)...
> > INPUT_MAIL_FILTER(`clmilter',`S=local:/var/run/clamav/clmilter.sock,
> > 	F=,T=S:4m;R:4m')
> > INPUT_MAIL_FILTER(`spamassassin',
> > 	`S=local:/var/run/spamd/spamass-milter.sock, F=,
> > 	T=C:15m;S:4m;R:4m;E:10m')
> > define(`confINPUT_MAIL_FILTERS', `clmilter, spamassassin')
>
> Try ending the lines with dnl's?  Sendmail's m4 makes my ears bleed, but
> it looks like something is definitely going wrong.  Your setup looks
> reasonable, and sendmail should be giving a 5xx in response to a virus
> being found.

I read the FP as saying that after a virus is found sendmail-submit is
called which should only happen if a notification is being sent.



[Clamav-users] Re: R: More log information

2004-10-13 Thread Wolfgang Cernohorsky
Cali Federico wrote:

> I'm using:
> - postfix
> - AMaViS-new
> - ClamAV
> 
> Do you know of some tools that allow obtaining statistics about the viruses detected?
> I know Sawmill, which (according to the software information) is able to analyze the ClamAV log.
> But using the trial version, it seems not to recognize the log format.

You can try "amavis-stats"[1] if you like graphs, e.g.
http://rekudos.net/amavis-stats/node/view/7.

[1] http://rekudos.net/amavis-stats/

HTH,
Wolfgang



Re: [Clamav-users] Strange Behavior

2004-10-13 Thread Stephen Gran
On Wed, Oct 13, 2004 at 09:38:03AM -0400, Scott Rothgaber said:
> Stephen Gran wrote:
> 
> >Well, really, it looks like something sendmail is failing to do.
> 
> Thanks, Stephen! Here's what I have in .mc (wrapped)...
> 
> INPUT_MAIL_FILTER(`clmilter',`S=local:/var/run/clamav/clmilter.sock,
>   F=,T=S:4m;R:4m')
> INPUT_MAIL_FILTER(`spamassassin',
>   `S=local:/var/run/spamd/spamass-milter.sock, F=,
>   T=C:15m;S:4m;R:4m;E:10m')
> define(`confINPUT_MAIL_FILTERS', `clmilter, spamassassin')

Try ending the lines with dnl's?  Sendmail's m4 makes my ears bleed, but
it looks like something is definitely going wrong.  Your setup looks
reasonable, and sendmail should be giving a 5xx in response to a virus
being found.  

Can you send a virus email (eicar or something) through that machine,
and then paste the logs into an email?
-- 
 --
|  Stephen Gran  | Support wildlife -- vote for an orgy.   |
|  [EMAIL PROTECTED] | |
|  http://www.lobefin.net/~steve | |
 --




Re: [Clamav-users] Strange Behavior

2004-10-13 Thread Scott Rothgaber
Stephen Gran wrote:

> Well, really, it looks like something sendmail is failing to do.

Thanks, Stephen! Here's what I have in .mc (wrapped)...

INPUT_MAIL_FILTER(`clmilter',`S=local:/var/run/clamav/clmilter.sock,
F=,T=S:4m;R:4m')
INPUT_MAIL_FILTER(`spamassassin',
`S=local:/var/run/spamd/spamass-milter.sock, F=,
T=C:15m;S:4m;R:4m;E:10m')
define(`confINPUT_MAIL_FILTERS', `clmilter, spamassassin')


R: [Clamav-users] More log information

2004-10-13 Thread Cali Federico
I'm using:
- postfix
- AMaViS-new
- ClamAV

Do you know of some tools that allow obtaining statistics about the viruses detected?
I know Sawmill, which (according to the software information) is able to analyze the ClamAV log.
But using the trial version, it seems not to recognize the log format.

thanks

Federico  


Re: [Clamav-users] Strange Behavior

2004-10-13 Thread Stephen Gran
On Wed, Oct 13, 2004 at 09:26:08AM -0400, Scott Rothgaber said:
> Stephen Gran wrote:
> 
> >Why is clmilter just adding headers and passing the message on, instead
> >of 5xx'ing the virus?
> 
> That's what *I* want to know!  ;-)
> 
> Joe suggested that spamd be told not to scan locally-generated messages. 
> First of all, I didn't see any options that address this in 'man spamd'. 
> Second, I agree with you, Stephen. This looks like something that 
> clmilter is failing to do.

Well, really, it looks like something sendmail is failing to do.  Here
is how I call it in sendmail.mc here:

INPUT_MAIL_FILTER(`clamav', `S=local:/var/run/clamav/clamav-milter.ctl, F=, 
T=S:4m;R:4m')dnl
define(`confINPUT_MAIL_FILTERS', `clamav')

Those two lines may wrap, but it is supposed to be two lines.
-- 
 --
|  Stephen Gran  | A mouse is an elephant built by the |
|  [EMAIL PROTECTED] | Japanese.   |
|  http://www.lobefin.net/~steve | |
 --




Re: [Clamav-users] Strange Behavior

2004-10-13 Thread Scott Rothgaber
Stephen Gran wrote:

> Why is clmilter just adding headers and passing the message on, instead
> of 5xx'ing the virus?

That's what *I* want to know!  ;-)

Joe suggested that spamd be told not to scan locally-generated messages.
First of all, I didn't see any options that address this in 'man spamd'.
Second, I agree with you, Stephen. This looks like something that
clmilter is failing to do.



Re: [Clamav-users] downloading without advertising

2004-10-13 Thread david thompson
Thanks for all your tips, but as it turned out, upon retrying from the 
site, it worked this time.  I had no need to alter any settings on my end.

Cheers
david thompson wrote:

> I would like to download clamav. however using adblock in mozilla
> stops the ability to download.
>
> Are there any other places to download from - other than sourceforge.
> cheers


Re: [Clamav-users] Strange Behavior

2004-10-13 Thread Stephen Gran
On Wed, Oct 13, 2004 at 08:34:56AM -0400, Scott Rothgaber said:
> Good Morning!
> 
> I've built a gateway using sendmail, clamav and spamassassin. After 
> setting the MX records for a test domain to go through this box, the 
> spam is rolling in!  ;-)  Then, I threw a virus at it. The resulting 
> behavior is nothing like what I expected...
> 
> 1) sendmail receives message, calls clamd
> 2) clamd identifies virus
> 3) clmilter adds headers, hands message to sendmail-submit
> 4) sendmail-submit calls spamd
> ...
> 
> Say what?!?!
> 
> In an attempt to get rid of sendmail-submit, I renamed submit.cf and 
> tried again. This time, the message is rejected as it should be but now 
> I get a bunch of bitching from sendmail about the inability to save 
> queue files because of permissions.
> 
> H!!!
> 
> Anyone been down this road before?

Why is clmilter just adding headers and passing the message on, instead
of 5xx'ing the virus?  Do you really want to keep all the viruses people
send you?
-- 
 --
|  Stephen Gran  | About the time we think we can make |
|  [EMAIL PROTECTED] | ends meet, somebody moves the ends.   - |
|  http://www.lobefin.net/~steve | - Herbert Hoover|
 --




Re: [Clamav-users] Strange Behavior

2004-10-13 Thread Joe Maimon

Scott Rothgaber wrote:

> Good Morning!
> I've built a gateway using sendmail, clamav and spamassassin. After
> setting the MX records for a test domain to go through this box, the
> spam is rolling in!  ;-)  Then, I threw a virus at it. The resulting
> behavior is nothing like what I expected...
>
> 1) sendmail receives message, calls clamd
> 2) clamd identifies virus
> 3) clmilter adds headers, hands message to sendmail-submit

^^^
You need to disable spamd scanning locally generated email. It would be
wise to do the same for clamav-milter. Currently this is milter-specific.
(If you don't mind checking out the bleeding edge there is a patch out
there that allows sendmail to control this..milter rulesets...google)

> 4) sendmail-submit calls spamd

Don't go that route.

> ...
> Say what?!?!
> In an attempt to get rid of sendmail-submit, I renamed submit.cf and
> tried again. This time, the message is rejected as it should be but
> now I get a bunch of bitching from sendmail about the inability to
> save queue files because of permissions.
>
> H!!!
> Anyone been down this road before?
> Thanks!
> Scott


[Clamav-users] Strange Behavior

2004-10-13 Thread Scott Rothgaber
Good Morning!
I've built a gateway using sendmail, clamav and spamassassin. After 
setting the MX records for a test domain to go through this box, the 
spam is rolling in!  ;-)  Then, I threw a virus at it. The resulting 
behavior is nothing like what I expected...

1) sendmail receives message, calls clamd
2) clamd identifies virus
3) clmilter adds headers, hands message to sendmail-submit
4) sendmail-submit calls spamd
...
Say what?!?!
In an attempt to get rid of sendmail-submit, I renamed submit.cf and 
tried again. This time, the message is rejected as it should be but now 
I get a bunch of bitching from sendmail about the inability to save 
queue files because of permissions.

H!!!
Anyone been down this road before?
Thanks!
Scott


Re: [Clamav-users] More log information

2004-10-13 Thread Daniel J McDonald
On Wed, 2004-10-13 at 11:49 +0200, Cali Federico wrote:
> Hi all,
> is it possible to have detailed information (such as sender, recipients, virus
> type/name etc.) in the clamd.log when a virus is detected?
> I'd like to know this information in order to produce virus detection statistics.
Clamav by itself doesn't know this information.  I use AMaViS-new, which
does log all of that.

-- 
Daniel J McDonald, CCIE # 2495, CNX
Austin Energy

[EMAIL PROTECTED]



[Clamav-users] More log information

2004-10-13 Thread Cali Federico
Hi all,
is it possible to have detailed information (such as sender, recipients, virus
type/name etc.) in the clamd.log when a virus is detected?
I'd like to know this information in order to produce virus detection statistics.

Thanks in advance

Federico.

  


Re: [Clamav-users] Adding Virus type to the X-Virus-Flag: Yes

2004-10-13 Thread Niek
On 10/12/2004 4:51 PM +0200, marvin wrote:

> Although it logs the virus to the /var/log/clamd.log, I would like it added
> to the header e.g.
> X-Virus-Flag: Yes - Worm.SomeFool.P
> Any ideas how I can achieve this ?
> Marvin

Clamav detects viruses.
Other software does the tagging/reporting/etc. based on clamav findings.

My input to this thread is the following:
Why do you want to add a header to an infected email ?
Wouldn't it be simpler to reject emails which contain a virus ?

Regards,
Niek
--
___
Read about mime:http://www.geoapps.com/nomime.shtml
Read about quoting: http://www.netmeister.org/news/learn2quote.html
Read about disclaimers: http://www.goldmark.org/jeff/stupid-disclaimers