Re: [Clamav-users] GDI+ bug exploit Mutations
Tomasz Kojm wrote:
> b) VirusTotal's site has a more up to date version of ClamAV, using the builds from here (now and again): http://www.sosdg.org/clamav-win32/index.php
>
> I don't think so, it seems they're using ClamWin.

Yes, all AV products in VirusTotal are Windows based, that is why we used ClamWin.

--
Regards, Julio Canto
Hispasec Sistemas http://www.hispasec.com (+34) 902 161 025
Parque Tecnologico de Andalucia Avda Juan Lopez Peñalver, 21 Málaga, España
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] GDI+ bug exploit Mutations
Bogusaw Brandys wrote:
> Steve Basford wrote:
> Just use http://www.virustotal.com/ - excellent resource for scanning suspicious files with multiple engines at once. As mentioned in the

They did not catch it!!!
http://www.virustotal.com/flash/respuesta_sav/resultado?d5384ab0cdf6100f509aecf95454fe8d:eng

Sincerely,
Meni Shapiro
[Clamav-users] freshclam.pid: Permission denied
Hi all,

I just upgraded from latest stable 0.75.1 to the final 0.80. Now, when freshclam starts, I get this in the freshclam logfile:

ERROR: Can't save PID to file /var/clamav/freshclam.pid: Permission denied

The option in freshclam.conf has been disabled (default):

#PidFile /var/run/freshclam.pid

Any ideas?

Thnx.
J.
Re: [Clamav-users] freshclam.pid: Permission denied
* Jona Tallieu (T T n.v.) [EMAIL PROTECTED]:
> Hi all, I just upgraded from latest stable 0.75.1 to the final 0.80. Now, when freshclam starts, I get this in the freshclam logfile:
>
> ERROR: Can't save PID to file /var/clamav/freshclam.pid: Permission denied
>
> The option in freshclam.conf has been disabled (default):
>
> #PidFile /var/run/freshclam.pid

The default value is being used: /var/run/freshclam.pid != /var/clamav/freshclam.pid !

--
Ralf Hildebrandt (i.A. des IT-Zentrum) [EMAIL PROTECTED]
Charite - Universitätsmedizin Berlin Tel. +49 (0)30-450 570-155
Gemeinsame Einrichtung von FU- und HU-Berlin Fax. +49 (0)30-8445-4447
IT-Zentrum Standort CBF AIM. ralfpostfix
Re: [Clamav-users] Latest snapshot greatly increases scanning speed
On Sun, 2004-10-17 at 05:16, Christopher X. Candreva wrote:
> I posted a week or so ago about problems scanning OLE files, where some files took upwards of 2 minutes to scan. Tomasz e-mailed me about an update in the latest CVS that addresses this problem. That same file is now scanning in about 2 seconds. For anyone else having this problem, give the 20041017 snapshot a try. Working great here.

Just for the record, the problem described was nothing to do with the OLE2 unpacker, but rather a problem in the scanner.

-trog
Re: [Clamav-users] GDI+ bug exploit Mutations
On Mon, 18 Oct 2004 11:22:01 +0200 in [EMAIL PROTECTED] Tomasz Kojm [EMAIL PROTECTED] wrote:
> For those running 0.80rc4 or 0.80 final, you can catch all jpeg exploits with the following signature (add it to a local.ndb file in your database directory):
>
> Exploit.JPEG.Comment.FalsePos:5:0:ffd8ff
>
> Warning: do NOT use this if you're running 0.80rc[123], since it WILL cause false positives. Also, do NOT change the name. The ClamAV code
>
> Please do not use it. It seems the JPEG exploit verificator is still not perfect and may not eliminate all false positive matches.
>
> False alert. It appeared some Japanese camera software creates broken pictures.

So that signature *is* safe to use? Or have I read your comment wrongly?

--
Brian Morrison bdm at fenrir dot org dot uk
GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html
Re: [Clamav-users] GDI+ bug exploit Mutations
On Mon, 2004-10-18 at 15:40, Brian Morrison wrote:
> On Mon, 18 Oct 2004 11:22:01 +0200 in [EMAIL PROTECTED] Tomasz Kojm [EMAIL PROTECTED] wrote:
> For those running 0.80rc4 or 0.80 final, you can catch all jpeg exploits with the following signature (add it to a local.ndb file in your database directory):
>
> Exploit.JPEG.Comment.FalsePos:5:0:ffd8ff
>
> Warning: do NOT use this if you're running 0.80rc[123], since it WILL cause false positives. Also, do NOT change the name. The ClamAV code
>
> Please do not use it. It seems the JPEG exploit verificator is still not perfect and may not eliminate all false positive matches.
>
> False alert. It appeared some Japanese camera software creates broken pictures.
>
> So that signature *is* safe to use? Or have I read your comment wrongly?

It should be safe to use with 0.80, but on the other hand, it'll match *every* JPEG file and process them through the false positive elimination code, which will impact performance (very slightly).

-trog
[Clamav-users] Re: GDI+ bug exploit Mutations
There was this other thread about scanning tar archives so I tried to test it.

dragon:~/soft/clamav clamscan -V
ClamAV 0.80/534/Mon Oct 18 17:29:28 2004
dragon:~/soft/clamav clamscan -r -i --no-summary clamav-0.80.tar.gz
clamav-0.80.tar.gz: Exploit.JPEG.Comment.E9 FOUND

Strange, let's see what happens when I scan the unpacked clamav directory (clamav was built in this directory).

dragon:~/soft/clamav clamscan -r -i --no-summary clamav-0.80
clamav-0.80/test/clam.cab: ClamAV-Test-File FOUND
clamav-0.80/test/clam.exe: ClamAV-Test-File FOUND
clamav-0.80/test/clam.rar: ClamAV-Test-File FOUND
clamav-0.80/test/clam.zip: ClamAV-Test-File FOUND
clamav-0.80/test/clam.exe.bz2: ClamAV-Test-File FOUND
clamav-0.80/contrib/clamdwatch/clamdwatch.tar.gz: Eicar-Test-Signature FOUND
clamav-0.80/clamd/server-th.o: Exploit.JPEG.Comment.FA FOUND
clamav-0.80/clamd/.libs/clamd: Exploit.JPEG.Comment.C9 FOUND
clamav-0.80/sigtool/.libs/sigtool: Exploit.JPEG.Comment.C9 FOUND
clamav-0.80/clamscan/manager.o: Exploit.JPEG.Comment.E4 FOUND
clamav-0.80/libclamav/.libs/libclamav.a: Exploit.JPEG.Comment.F6 FOUND
clamav-0.80/libclamav/zzip-err.o: Exploit.JPEG.Comment.F6 FOUND
clamav-0.80/libclamav/zzip-err.lo: Exploit.JPEG.Comment.F6 FOUND
clamav-0.80/libclamav/message.o: Exploit.JPEG.Comment.C7 FOUND
clamav-0.80/libclamav/message.lo: Exploit.JPEG.Comment.C7 FOUND
dragon:~/soft/clamav

--
Virgo Pärna [EMAIL PROTECTED]
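Added example, not part of any message in this thread and not ClamAV's code: a sketch of why the thread distinguishes a byte-pattern hit from the "false positive elimination" step. It assumes the publicly documented MS04-028 condition (a JPEG comment segment whose length field is below 2); all function names and sample bytes are constructed for illustration.

```python
import struct

SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
# Markers that stand alone (no length field): TEM, RST0-RST7, SOI.
NO_LENGTH = {0x01, SOI} | set(range(0xD0, 0xD8))


def naive_match(data: bytes) -> bool:
    """Pattern-only check: a COM marker followed by a length of 0 or 1,
    found anywhere in the buffer, regardless of file type or structure."""
    return any(p in data for p in (b"\xff\xfe\x00\x00", b"\xff\xfe\x00\x01"))


def check_jpeg_comment(data: bytes) -> str:
    """Walk the JPEG segment chain from the start of the file.

    Returns 'not-jpeg', 'clean', 'malformed-comment', 'malformed-segment',
    'desync' or 'truncated'. Simplification (assumption of this sketch):
    the walk stops at the first start-of-scan marker, so only header
    segments are inspected.
    """
    if data[:2] != b"\xff\xd8":
        return "not-jpeg"
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            return "desync"            # segment chain does not line up
        while pos < len(data) and data[pos] == 0xFF:
            pos += 1                   # skip the marker prefix and fill bytes
        if pos >= len(data):
            break
        marker = data[pos]
        pos += 1
        if marker == EOI:
            return "clean"
        if marker in NO_LENGTH:
            continue
        if pos + 2 > len(data):
            break
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        if length < 2:
            # The length field counts its own two bytes, so 0 or 1 is invalid.
            return "malformed-comment" if marker == COM else "malformed-segment"
        if marker == SOS:
            return "clean"
        pos += length                  # jump over the payload to the next marker
    return "truncated"


def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample inputs (not real files, no payload beyond the headers).
APP0 = _segment(0xE0, b"JFIF\x00" + bytes(9))
SAMPLES = {
    "clean.jpg": b"\xff\xd8" + APP0 + _segment(COM, b"hello") + b"\xff\xd9",
    "bad-comment.jpg": b"\xff\xd8" + APP0 + b"\xff\xfe\x00\x00" + b"\xff\xd9",
    "pattern-in-payload.jpg": b"\xff\xd8"
    + _segment(0xE1, b"Exif\x00\x00\xff\xfe\x00\x00pad") + b"\xff\xd9",
    "object-file.o": b"\x7fELF" + bytes(12) + b"\xff\xfe\x00\x01" + bytes(8),
}


def triage(samples: dict) -> dict:
    """Map each sample name to (pattern hit, structural verdict)."""
    return {n: (naive_match(d), check_jpeg_comment(d)) for n, d in samples.items()}


if __name__ == "__main__":
    for name, (hit, verdict) in triage(SAMPLES).items():
        print(f"{name:24} pattern_hit={hit!s:5} verdict={verdict}")
```

Only the sample whose comment segment really sits in the marker chain with an invalid length is reported; the pattern alone also fires on the non-JPEG buffer and on bytes inside another segment's payload.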
[Clamav-users] RE: freshclam.pid: Permission denied
* Jona Tallieu (T T n.v.) Junk at tnt.be:
> Hi all, I just upgraded from latest stable 0.75.1 to the final 0.80. Now, when freshclam starts, I get this in the freshclam logfile:
>
> ERROR: Can't save PID to file /var/clamav/freshclam.pid: Permission denied
>
> The option in freshclam.conf has been disabled (default):
>
> #PidFile /var/run/freshclam.pid
>
> The default value is being used: /var/run/freshclam.pid != /var/clamav/freshclam.pid !

I tried activating the save PID file with the value /var/clamav/freshclam.pid but I get the same error.

Now also, after a freshclam update, I get following error

ERROR: Clamd was NOT notified: Can't connect to clamd through /var/clamav/clamd.sock

So it seems freshclam can not access anything in /var/clamav/.

The permissions for /var/clamav/ are:

drw-r--r-- 4 lplp 136 18 Oct 10:49 clamav

And inside are:

-rw-rw 1 root lp 4 18 Oct 10:39 clamd.pid
srwxrwxrwx 1 root lp 0 18 Oct 10:39 clamd.sock

Anyone?

Thanks!
J.
Re: [Clamav-users] non detection problem
On Mon, 18 Oct 2004 13:42:52 +0200 Meni Shapiro [EMAIL PROTECTED] wrote:
> Hello List, I just installed the latest stable clamav 0.80. My main.db and daily.db are also the latest. I run clamav on a debian machine (for test purpose - before installing it on the main mail server which runs crux (yet another dist!)) anyway - back to the problem... Installation went good. When i test it with the jpeg.zip, which i got from this list earlier today, IT did NOT find anything ?!? i tried unziping (the file contains 2 jpg files) and nothing! I tried scanning it online in the mentioned site (http://www.virustotal.com) and most AV software did detect a malware Clamav did NOT! Is that a problem??? or what?

The problem is you haven't even read my yesterday's e-mails in this case.

> should i go for another AV

Two or more scanners from different vendors are recommended in these days...

> (i don't want to - but can i trust ClamAV??)

We don't guarantee you anything. See COPYING.

--
oo. Tomasz Kojm [EMAIL PROTECTED]
(\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
\..._ 0DCA5A08407D5288279DB43454822DC8985A444B
//\ /\ Mon Oct 18 15:09:35 CEST 2004
Re: [Clamav-users] RE: freshclam.pid: Permission denied
Jona Tallieu (T T n.v.) wrote:
> ERROR: Clamd was NOT notified: Can't connect to clamd through /var/clamav/clamd.sock
>
> So it seems freshclam can not access anything in /var/clamav/.
>
> The permissions for /var/clamav/ are:
>
> drw-r--r-- 4 lplp 136 18 Oct 10:49 clamav
>
> And inside are:
>
> -rw-rw 1 root lp 4 18 Oct 10:39 clamd.pid
> srwxrwxrwx 1 root lp 0 18 Oct 10:39 clamd.sock
>
> Anyone? Thanks!

chmod 755 /var/clamav
[Clamav-users] disable a particular signature
Hello,

Is it possible in clamav to disable a particular signature? I am using 0.80rc4 and since this morning (after downloading signature file version 534) I have been matching a ton of false positives on .jpg and .tif files for the JPEG.Comment exploits.

If upgrading to 0.80 release is a requirement, I am currently doing so, however in future it could be useful as well.

Thanks,
Chris
Re: [Clamav-users] RE: freshclam.pid: Permission denied
On Mon, 18 Oct 2004 at 17:04:52 +0200, Jona Tallieu (T T n.v.) wrote:
> * Jona Tallieu (T T n.v.) Junk at tnt.be:
> Hi all, I just upgraded from latest stable 0.75.1 to the final 0.80. Now, when freshclam starts, I get this in the freshclam logfile:
>
> ERROR: Can't save PID to file /var/clamav/freshclam.pid: Permission denied
>
> The option in freshclam.conf has been disabled (default):
>
> #PidFile /var/run/freshclam.pid
>
> The default value is being used: /var/run/freshclam.pid != /var/clamav/freshclam.pid !
>
> I tried activating the save PID file with the value /var/clamav/freshclam.pid but I get the same error.
>
> Now also, after a freshclam update, I get following error
>
> ERROR: Clamd was NOT notified: Can't connect to clamd through /var/clamav/clamd.sock
>
> So it seems freshclam can not access anything in /var/clamav/.
>
> The permissions for /var/clamav/ are:
>
> drw-r--r-- 4 lplp 136 18 Oct 10:49 clamav
>
> And inside are:
>
> -rw-rw 1 root lp 4 18 Oct 10:39 clamd.pid
> srwxrwxrwx 1 root lp 0 18 Oct 10:39 clamd.sock

Why is /var/clamav (and files there) owned by lp (i.e. print) user and group??

--
Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only
[EMAIL PROTECTED] http://www.lodz.tpsa.pl/iso/ | ones and zeros.
[EMAIL PROTECTED] http://www.ClamAV.net/ A GPL virus scanner
Re: [Clamav-users] disable a particular signature
On Mon, 18 Oct 2004 11:31:34 -0400 Chris Conn [EMAIL PROTECTED] wrote:
> Hello, Is it possible in clamav to disable a particular signature? I am using 0.80rc4 and since this morning (after downloading signature file

No, it isn't.

> version 534) I have been matching a ton of false positives on .jpg and .tif files for the JPEG.Comment exploits.

Please don't be an egoist. You should report the false positive file on our website: http://www.clamav.net/sendvirus.html to allow us to fix the problem globally.

> If upgrading to 0.80 release is a requirement, I am currently doing so, however in future it could be useful as well.

No, it would do more harm than good.

--
oo. Tomasz Kojm [EMAIL PROTECTED]
(\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
\..._ 0DCA5A08407D5288279DB43454822DC8985A444B
//\ /\ Mon Oct 18 17:45:06 CEST 2004
Re: [Clamav-users] Error in latest update to Database
On Mon, 2004-10-18 at 18:44 +0200, Graham Dodd wrote:
> On the latest update to the signatures I saw this in the log file
>
> WARNING: Your ClamAV installation is OUTDATED - please update immediately !
> WARNING: Current functionality level = 2, required = 3
> Database updated
>
> I'm running 0.75.1, so I'm wondering why I have this entry in the log as 0.80 only got released in the last few days

Because there are a significant number of signatures that require 0.80, so this is a prompt to get you to upgrade.

--
Daniel J McDonald, CCIE # 2495, CNX
Austin Energy
[EMAIL PROTECTED]
Re: [Clamav-users] Error in latest update to Database
On Mon, 18 Oct 2004 18:44:56 +0200 Graham Dodd [EMAIL PROTECTED] wrote:
> On the latest update to the signatures I saw this in the log file
>
> ClamAV update process started at Mon Oct 18 18:17:01 2004
> main.cvd is up to date (version: 27, sigs: 23982, f-level: 2, builder: tomek)
> daily.cvd updated (version: 535, sigs: 1272, f-level: 3, builder: trog)
> WARNING: Your ClamAV installation is OUTDATED - please update immediately !
> WARNING: Current functionality level = 2, required = 3
> Database updated(25254 signatures) from database.clamav.net (195.70.36.141).
> Clamd successfully notified about the update.
>
> I'm running 0.75.1, so I'm wondering why I have this entry in the log as 0.80 only got released in the last few days
>
> Anyone got any ideas ?

The subject of your message is Error in latest update to Database. What error?! I do see only some warning messages.

--
oo. Tomasz Kojm [EMAIL PROTECTED]
(\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
\..._ 0DCA5A08407D5288279DB43454822DC8985A444B
//\ /\ Mon Oct 18 18:51:42 CEST 2004
Re: [Clamav-users] GDI+ bug exploit Mutations
On Mon, 18 Oct 2004, Trog wrote:
> On Mon, 2004-10-18 at 15:40, Brian Morrison wrote:
> On Mon, 18 Oct 2004 11:22:01 +0200 Tomasz Kojm [EMAIL PROTECTED] wrote:
> For those running 0.80rc4 or 0.80 final, you can catch all jpeg exploits with the following signature (add it to a local.ndb file in your database directory):
>
> Exploit.JPEG.Comment.FalsePos:5:0:ffd8ff
>
> Warning: do NOT use this if you're running 0.80rc[123], since it WILL cause false positives. Also, do NOT change the name. The ClamAV code
>
> Please do not use it. It seems the JPEG exploit verificator is still not perfect and may not eliminate all false positive matches.
>
> False alert. It appeared some Japanese camera software creates broken pictures.
>
> So that signature *is* safe to use? Or have I read your comment wrongly?
>
> It should be safe to use with 0.80, but on the other hand, it'll match *every* JPEG file and process them through the false positive elimination code, which will impact performance (very slightly).

Two questions:

Which Japanese camera software? Nearly every digital camera is made by a Japanese company (Nikon, Canon, etc) so this might be important.

Which signature is safe? Mine (shown above)? Or only the slightly more restrictive one that you posted?

Oh, and yeah, the signature was designed to force all JPEG files through the elimination code, hence the name FalsePos. ;)

Damian Menscher
--
-=#| Physics Grad Student SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
-=#| [EMAIL PROTECTED] www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
-=#| The above opinions are not necessarily those of my employers. |#=-
[Clamav-users] Problems Compiling on Solaris X86 Box
All,

I have been having problems compiling on a Solaris 8 X86 box since the release of 80rc series.

Undefined first referenced
symbol in file
BZ2_bzRead scanners.lo
BZ2_bzReadOpen scanners.lo
BZ2_bzReadClose scanners.lo
ld: fatal: Symbol referencing errors. No output written to .libs/libclamav.so.1.0.4

I can unzip / untar / configure and compile 75.1 and earlier without trouble. With the 80 series, the above error occurs. Same environment settings

Thanks

--
Ken Jones [EMAIL PROTECTED]
Re: [Clamav-users] Error in latest update to Database
On 10/18/2004 6:44 PM +0200, Graham Dodd wrote:
> On the latest update to the signatures I saw this in the log file
>
> ClamAV update process started at Mon Oct 18 18:17:01 2004
> main.cvd is up to date (version: 27, sigs: 23982, f-level: 2, builder: tomek)
> daily.cvd updated (version: 535, sigs: 1272, f-level: 3, builder: trog)
> WARNING: Your ClamAV installation is OUTDATED - please update immediately !
> WARNING: Current functionality level = 2, required = 3
> Database updated (25254 signatures) from database.clamav.net (195.70.36.141).
> Clamd successfully notified about the update.
>
> I'm running 0.75.1, so I'm wondering why I have this entry in the log as 0.80 only got released in the last few days
>
> Anyone got any ideas ?
>
> Graham

I _think_ because you won't detect a bunch of viruses by not upgrading. If symantec/sophos/etc. would release an engine update, you'd want that to be installed in order to catch the latest viruses?

Regards,
Niek

--
___
Read about mime: http://www.geoapps.com/nomime.shtml
Read about quoting: http://www.netmeister.org/news/learn2quote.html
Read about disclaimers: http://www.goldmark.org/jeff/stupid-disclaimers
Re: [Clamav-users] freshclam.pid: Permission denied
On Mon, 18 Oct 2004 10:48:54 +0200 Jona Tallieu (T T n.v.) [EMAIL PROTECTED] wrote:
> Hi all, I just upgraded from latest stable 0.75.1 to the final 0.80. Now, when freshclam starts, I get this in the freshclam logfile:
>
> ERROR: Can't save PID to file /var/clamav/freshclam.pid: Permission denied
>
> The option in freshclam.conf has been disabled (default):
>
> #PidFile /var/run/freshclam.pid
>
> Any ideas?

There's also a command line option - make sure it's not in use.

--
oo. Tomasz Kojm [EMAIL PROTECTED]
(\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
\..._ 0DCA5A08407D5288279DB43454822DC8985A444B
//\ /\ Mon Oct 18 15:52:17 CEST 2004
Re: [Clamav-users] clam.exe not being detected in mail
On Sun, 2004-10-17 at 22:49, James Lick wrote:
> (Regarding clam.exe not being detected as an attachment.)
>
> Someone reported this same problem a few days ago to me as a possible clamassassin bug. I was able to verify the problem with an attachment created with Mozilla 1.7.3 which was passed as OK by ClamAV. extracting the attachment to a file and scanning the clam.exe file and it is detected correctly, so the file didn't get corrupted along the line somewhere. I hadn't looked into it enough to report the bug yet, but something is definitely wrong in detecting clam.exe as an attachment.

That is the exact issue I am seeing (even to the clamassassin, but I've ruled that out as being the problem). I thought perhaps there was an issue with how evolution was attaching the file, so I tried outlookE, Mozilla, and pine, all with the same results.

A hex dump of the temporary file that clamav created shows that there is a difference between it and the original. In addition the file sizes are off by one byte, 545 versus the original 544.

-
[EMAIL PROTECTED] tmp]# hexdump clamexerKsqPN clamexe.mail
[EMAIL PROTECTED] tmp]# hexdump clam.exe clamexe
[EMAIL PROTECTED] tmp]# diff -Naur clamexe clamexe.mail --- clamexe 2004-10-18 11:07:47.993537065 -0500 +++ clamexe.mail2004-10-18 11:07:37.026031258 -0500 @@ -28,4 +28,5 @@ 1f0 435b 414c 414d 5d56 200 1000 1000 0200 0001 210 c000 -220 +220 +221
-

Somewhere a trailing nil (or is it NULL?) byte is being appended.

Again, Thank you for taking the time to read this.

Robert Haas
Re: [Clamav-users] List problem?
On Mon, 2004-10-18 at 13:03, Robin Lynn Frank wrote:
> Mail from the weekend arrived just fine, but this morning, I started seeing this in my logs:

The primary mail server had a problem with disk space on /var. It is now resolved.

Krisma is the backup server. Luca controls that host. It looks like he's rejecting mail from you because your host's IP doesn't have a PTR.

Cheers,
Mike
Re: [Clamav-users] non detection problem
Meni Shapiro wrote:
> Hello List, I just installed the latest stable clamav 0.80. My main.db and daily.db are also the latest. I run clamav on a debian machine (for test purpose - before installing it on the main mail server which runs crux (yet another dist!)) anyway - back to the problem... Installation went good. When i test it with the jpeg.zip, which i got from this list earlier today, IT did NOT find anything ?!? i tried unziping (the file contains 2 jpg files) and nothing! I tried scanning it online in the mentioned site (http://www.virustotal.com) and most AV software did detect a malware Clamav did NOT! Is that a problem??? or what? should i go for another AV (i don't want to - but can i trust ClamAV??)

I guess it is a problem of how that 'exploit' is being detected, and the different mutations of that jpeg exploiting archives are appearing. I've seen that problem of not detecting different 'mutations' of the MS04-028 vulnerability with other AV products, not only with the version of Clam we're using on VirusTotal (in my humble opinion I think it is basically a matter of how signature files are made).

--
Regards, Julio Canto
Hispasec Sistemas http://www.hispasec.com (+34) 902 161 025
Parque Tecnologico de Andalucia Avda Juan Lopez Peñalver, 21 Málaga, España
Re: [Clamav-users] disable a particular signature
> version 534) I have been matching a ton of false positives on .jpg and .tif files for the JPEG.Comment exploits.
>
> Please don't be an egoist. You should report the false positive file on our website: http://www.clamav.net/sendvirus.html to allow us to fix the problem globally.

Hello,

I did not want to be an egoist, I did not want to waste anyone's time with a defective installation. I was using the RPM for 0.80rc4 and since upgraded to signatures version 534 my JPEG exploit matching went nuts.

I don't know if it is because I built a 0.80 rpm and installed it or if it is because of signature version 535 being released, however it has stopped. So in any case, I don't know what caused this problem however the same files were sent through using 0.80-stable and signatures 535 and all is well.

Sincerely,
Chris Conn
Re: [Clamav-users] disable a particular signature
Chris Conn [EMAIL PROTECTED] wrote:
> version 534) I have been matching a ton of false positives on .jpg and .tif files for the JPEG.Comment exploits.
>
> Please don't be an egoist. You should report the false positive file on our website:

For what it's worth -- as I was gathering documents to submit, the 535 update came out and all the JPEGs I had that were triggering false positives suddenly worked again.

So if you are still having trouble and your database is still at 534, run freshclam and get up to 535. The virus mailing list doesn't seem to have a post yet about 535, but we got it here at 12:04 EDT

==
Chris Candreva -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] Problems Compiling on Solaris X86 Box
On Mon, 18 Oct 2004 11:58:18 -0500 (CDT) Ken Jones [EMAIL PROTECTED] wrote:
> All, I have been having problems compiling on a Solaris 8 X86 box since the release of 80rc series.
>
> Undefined first referenced
> symbol in file
> BZ2_bzRead scanners.lo
> BZ2_bzReadOpen scanners.lo
> BZ2_bzReadClose scanners.lo
> ld: fatal: Symbol referencing errors. No output written to .libs/libclamav.so.1.0.4

As a workaround try to configure it with --disable-bzip2

--
oo. Tomasz Kojm [EMAIL PROTECTED]
(\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
\..._ 0DCA5A08407D5288279DB43454822DC8985A444B
//\ /\ Mon Oct 18 19:38:21 CEST 2004
Re: [Clamav-users] List problem?
On Mon, 2004-10-18 at 10:12, Mike Cathey wrote:
> On Mon, 2004-10-18 at 13:03, Robin Lynn Frank wrote:
> Mail from the weekend arrived just fine, but this morning, I started seeing this in my logs:
>
> The primary mail server had a problem with disk space on /var. It is now resolved.
>
> Krisma is the backup server. Luca controls that host. It looks like he's rejecting mail from you because your host's IP doesn't have a PTR.
>
> Cheers, Mike

Not quite, our server is rejecting mail from his server because of the lack of reverse dns.

--
Robin Lynn Frank - Director of Operations
Paradigm-Omega, LLC - http://paradigm-omega.com
SpamTrap: @null-route.merseine.nu
We support boycotting overseas outsourcers.
Re: [Clamav-users] disable a particular signature
On Mon, 18 Oct 2004 13:39:12 -0400 in [EMAIL PROTECTED] Chris Conn [EMAIL PROTECTED] wrote:
> I don't know if it is because I built a 0.80 rpm and installed it or if it is because of signature version 535 being released, however it has stopped.

Most likely the former I would expect. There were quite a lot of changes between rc4 and 0.80 final in this area, the CVS changelogs are worth a read.

--
Brian Morrison bdm at fenrir dot org dot uk
GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html
Re: [Clamav-users] clam.exe not being detected in mail
On Mon, 18 Oct 2004 11:43:23 -0500 Robert Haas [EMAIL PROTECTED] wrote:
> On Sun, 2004-10-17 at 22:49, James Lick wrote:
> (Regarding clam.exe not being detected as an attachment.)
>
> Someone reported this same problem a few days ago to me as a possible clamassassin bug. I was able to verify the problem with an attachment created with Mozilla 1.7.3 which was passed as OK by ClamAV. extracting the attachment to a file and scanning the clam.exe file and it is detected correctly, so the file didn't get corrupted along the line somewhere. I hadn't looked into it enough to report the bug yet, but something is definitely wrong in detecting clam.exe as an attachment.
>
> That is the exact issue I am seeing (even to the clamassassin, but I've ruled that out as being the problem). I thought perhaps there was an issue with how evolution was attaching the file, so I tried outlookE, Mozilla, and pine, all with the same results.
>
> A hex dump of the temporary file that clamav created shows that there is a difference between it and the original. In addition the file sizes are off by one byte, 545 versus the original 544.

Please send the problematic mail file (in encrypted zip, pass: virus) to [EMAIL PROTECTED] Thanks.

--
oo. Tomasz Kojm [EMAIL PROTECTED]
(\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
\..._ 0DCA5A08407D5288279DB43454822DC8985A444B
//\ /\ Mon Oct 18 19:53:08 CEST 2004
[OT] Re: [Clamav-users] List problem?
On 10/18/2004 7:49 PM +0200, Robin Lynn Frank wrote:
> Not quite, our server is rejecting mail from his server because of the lack of reverse dns.

You probably know this, but you'll lose many emails and it won't stop spam.

Regards,
Niek

--
___
Read about mime: http://www.geoapps.com/nomime.shtml
Read about quoting: http://www.netmeister.org/news/learn2quote.html
Read about disclaimers: http://www.goldmark.org/jeff/stupid-disclaimers
Re: [Clamav-users] List problem?
On Mon, 2004-10-18 at 13:49, Robin Lynn Frank wrote:
> Not quite, our server is rejecting mail from his server because of the lack of reverse dns.

Sorry, misread the log. The primary is functioning properly again. I'll get with Luca to make sure that the DNS issue is resolved.

Cheers,
Mike
Re: [OT] Re: [Clamav-users] List problem?
On Mon, 18 Oct 2004, Niek wrote:
> You probably know this, but you'll lose many emails and it won't stop spam.

No but it cuts it off considerably. It's cut the number of spams my account receives here from about 100 a day to about 10.

==
Chris Candreva -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester http://www.westnet.com/
Re: [Clamav-users] List problem?
On Mon, 2004-10-18 at 11:03, Mike Cathey wrote:
> On Mon, 2004-10-18 at 13:49, Robin Lynn Frank wrote:
> Not quite, our server is rejecting mail from his server because of the lack of reverse dns.
>
> Sorry, misread the log. The primary is functioning properly again. I'll get with Luca to make sure that the DNS issue is resolved.
>
> Cheers, Mike

Yes, I noticed I was getting mail again from the list. Thanks for your help.

--
Robin Lynn Frank - Director of Operations
Paradigm-Omega, LLC - http://paradigm-omega.com
SpamTrap: @null-route.merseine.nu
We support boycotting overseas outsourcers.
Re: [OT] Re: [Clamav-users] List problem?
On 10/18/2004 8:03 PM +0200, Christopher X. Candreva wrote:
> No but it cuts it off considerably. It's cut the number of spams my account receives here from about 100 day to about 10.

Those figures could be right if spammers send Chinese/Korean zombies after you. However, in the 'western' world the ratio PTR yes/no is much higher. Almost all the USA broadband zombies have rdns. And still loads of legit mail servers have no rdns.

It's a choice you make. I don't do it, because I can stop spam with other means. But I can't bring back legit emails from people/companies that won't/can't/etc. have rdns on their mailserver ip.

Regards,
Niek

--
___
Read about mime: http://www.geoapps.com/nomime.shtml
Read about quoting: http://www.netmeister.org/news/learn2quote.html
Read about disclaimers: http://www.goldmark.org/jeff/stupid-disclaimers
[Clamav-users] RE: freshclam.pid: Permission denied
> On Mon, 18 Oct 2004 at 17:04:52 +0200, Jona Tallieu (T T n.v.) wrote:
> * Jona Tallieu (T T n.v.) Junk at tnt.be:
> Hi all, I just upgraded from latest stable 0.75.1 to the final 0.80. Now, when freshclam starts, I get this in the freshclam logfile:
>
> ERROR: Can't save PID to file /var/clamav/freshclam.pid: Permission denied
>
> The option in freshclam.conf has been disabled (default):
>
> #PidFile /var/run/freshclam.pid
>
> The default value is being used: /var/run/freshclam.pid != /var/clamav/freshclam.pid !
>
> I tried activating the save PID file with the value /var/clamav/freshclam.pid but I get the same error.
>
> Now also, after a freshclam update, I get following error
>
> ERROR: Clamd was NOT notified: Can't connect to clamd through /var/clamav/clamd.sock
>
> So it seems freshclam can not access anything in /var/clamav/.
>
> The permissions for /var/clamav/ are:
>
> drw-r--r-- 4 lplp 136 18 Oct 10:49 clamav
>
> And inside are:
>
> -rw-rw 1 root lp 4 18 Oct 10:39 clamd.pid
> srwxrwxrwx 1 root lp 0 18 Oct 10:39 clamd.sock
>
> Why is /var/clamav (and files there) owned by lp (i.e. print) user and group??

I don't know why, I just followed the OSX instructions included with ClamAV:

sudo mkdir /var/clamav
sudo chown clamav:clamav /var/clamav
sudo chmod 0644 /var/clamav

It seems that chmod 755 /var/clamav solved it, I'll double check when there's a database update...

Thanks!
J.
[Clamav-users] Zip AV Bypass Vulnerability
Hi All, Just came across this: http://www.securiteam.com/securitynews/6E00G2ABFY.html Bit hard to say if this would impact ClamAV? Cheers, Steve ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] Zip AV Bypass Vulnerability
On Mon, 18 Oct 2004, Steve Basford wrote: Just came across this: http://www.securiteam.com/securitynews/6E00G2ABFY.html Bit hard to say if this would impact ClamAV? Does clam skip the decompression if the local/global header contain a zero filesize? It sounds like from the article that those of us who use amavis and other progies which actually unzip the files are ok at least on the email side of things because [i]t is possible to modify the uncompressed size of archived files in both the local and global header without affecting functionality. Does anyone have a good way to test this? -- Eric Wheeler Vice President National Security Concepts, Inc. PO Box 3567 Tualatin, OR 97062 http://www.nsci.us/ Voice: (503) 293-7656 Fax: (503) 885-0770 ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] freshclam: Chunked Transfer Coding
On Tue, 19 Oct 2004 10:21:36 +0900 shivaken [EMAIL PROTECTED] wrote: I had a freshclam update problem with that like below. # freshclam ClamAV update process started at Tue Oct 19 09:35:19 2004 main.cvd is up to date (version: 27, sigs: 23982, f-level: 2, builder: tomek) Connecting via 127.0.0.1 Reading CVD header (daily.cvd): OK Downloading daily.cvd [*] ERROR: Verification: Broken or not a CVD file Giving up... I couldn't find the reason for a long time. With wget, I can get CVD files properly. Finally I set printf at freshclam/manager.c to see receiving data. Then I found the proxy uses chunked transfer coding to send data. Delegate seems to use chunked transfer coding for HTTP/1.1 client. Update to 0.80 -- Tomasz Kojm [EMAIL PROTECTED] http://www.ClamAV.net/gpg/tkojm.gpg 0DCA5A08407D5288279DB43454822DC8985A444B Tue Oct 19 03:24:50 CEST 2004 ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] freshclam: Chunked Transfer Coding
That test is with 0.80. On Tuesday 19 October 2004 10:25, Tomasz Kojm wrote: On Tue, 19 Oct 2004 10:21:36 +0900 shivaken [EMAIL PROTECTED] wrote: I had a freshclam update problem with that like below. # freshclam ClamAV update process started at Tue Oct 19 09:35:19 2004 main.cvd is up to date (version: 27, sigs: 23982, f-level: 2, builder: tomek) Connecting via 127.0.0.1 Reading CVD header (daily.cvd): OK Downloading daily.cvd [*] ERROR: Verification: Broken or not a CVD file Giving up... I couldn't find the reason for a long time. With wget, I can get CVD files properly. Finally I set printf at freshclam/manager.c to see receiving data. Then I found the proxy uses chunked transfer coding to send data. Delegate seems to use chunked transfer coding for HTTP/1.1 client. Update to 0.80 -- -- shivaken antshell: Ant command line front end http://www.antshell.org ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] Zip AV Bypass Vulnerability
On Mon, 18 Oct 2004 13:31:41 -0700 (PDT) [EMAIL PROTECTED] wrote: On Mon, 18 Oct 2004, Steve Basford wrote: Just came across this: http://www.securiteam.com/securitynews/6E00G2ABFY.html Bit hard to say if this would impact ClamAV? Does clam skip the decompression if the local/global header contain a zero filesize? It sounds like from the article that those of us who Yes, it does. Unfortunately. -- Tomasz Kojm [EMAIL PROTECTED] http://www.ClamAV.net/gpg/tkojm.gpg 0DCA5A08407D5288279DB43454822DC8985A444B Tue Oct 19 03:27:33 CEST 2004 ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
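An added example, not part of the thread and not ClamAV code: one way to check an archive for the condition discussed above is to compare the uncompressed size declared in the local and central ("global") headers with the size the member actually inflates to. The function names, the `note.txt` member and the sample archive are constructed for illustration; only stored and deflated members are handled.

```python
import io
import struct
import zipfile
import zlib

EOCD = struct.Struct("<4sHHHHIIH")          # end of central directory (22 bytes)
CDH = struct.Struct("<4sHHHHHHIIIHHHHHII")  # central ("global") header (46 bytes)
LFH = struct.Struct("<4sHHHHHIIIHH")        # local file header (30 bytes)
MAX_INFLATE = 64 * 1024 * 1024              # cap so one member cannot exhaust memory


def find_central_directory(data):
    """Return (entry count, central directory offset) from the EOCD record."""
    pos = data.rfind(b"PK\x05\x06")
    if pos < 0:
        raise ValueError("no end-of-central-directory record")
    fields = EOCD.unpack_from(data, pos)
    return fields[4], fields[6]


def audit_zip(data):
    """List (name, real size, headers that lie) for members with a wrong declared size."""
    count, pos = find_central_directory(data)
    findings = []
    for _ in range(count):
        c = CDH.unpack_from(data, pos)
        if c[0] != b"PK\x01\x02":
            raise ValueError("bad central directory header")
        flags, method, csize, central_usize = c[3], c[4], c[8], c[9]
        name_len, extra_len, comment_len, lfh_off = c[10], c[11], c[12], c[16]
        name = data[pos + CDH.size:pos + CDH.size + name_len].decode("cp437")
        pos += CDH.size + name_len + extra_len + comment_len

        local = LFH.unpack_from(data, lfh_off)
        if local[0] != b"PK\x03\x04":
            raise ValueError("bad local file header")
        start = lfh_off + LFH.size + local[9] + local[10]
        raw = data[start:start + csize]
        if method == 0:                     # stored
            actual = len(raw)
        elif method == 8:                   # deflate, raw stream
            actual = len(zlib.decompressobj(-15).decompress(raw, MAX_INFLATE))
        else:
            continue                        # other methods are outside this check
        declared = {"central": central_usize}
        if not flags & 0x08:                # with a data descriptor, local sizes are legitimately 0
            declared["local"] = local[8]
        wrong = sorted(k for k, v in declared.items() if v != actual)
        if wrong:
            findings.append((name, actual, wrong))
    return findings


def constructed_sample(zero_sizes):
    """Constructed test input: one benign text member; optionally the uncompressed-size
    field is set to zero in both headers, the condition the advisory describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("note.txt", b"constructed sample text\n" * 40)
    data = bytearray(buf.getvalue())
    if zero_sizes:
        _, cd = find_central_directory(data)
        data[22:26] = b"\0\0\0\0"            # local header (the only member starts at offset 0)
        data[cd + 24:cd + 28] = b"\0\0\0\0"  # central header
    return bytes(data)


if __name__ == "__main__":
    print(audit_zip(constructed_sample(False)))
    print(audit_zip(constructed_sample(True)))
```

A scanner-side policy built on this would treat any reported member as suspicious and inflate it anyway (within the cap) instead of trusting the declared size.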
Re: [Clamav-users] freshclam: Chunked Transfer Coding
On Tue, 19 Oct 2004 10:29:20 +0900 shivaken [EMAIL PROTECTED] wrote: That test is with 0.80. Please don't top-post. Does it work with HTTPProxyServer disabled? -- Tomasz Kojm [EMAIL PROTECTED] http://www.ClamAV.net/gpg/tkojm.gpg 0DCA5A08407D5288279DB43454822DC8985A444B Tue Oct 19 03:32:56 CEST 2004 ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] freshclam: Chunked Transfer Coding
On Tuesday 19 October 2004 10:33, Tomasz Kojm wrote: That test is with 0.80. Please don't top-post. Sorry. Does it work with HTTPProxyServer disabled? What "it" means? My freshclam.conf: HTTPProxyServer http://127.0.0.1 HTTPProxyPort 8080 HTTPProxyUsername HTTPProxyPassword At my test environment. Without proxy, freshclam works well. With Delegate (default setting), freshclam doesn't work. With Delegate (not to use chunked encoding setting), freshclam works well. With Delegate (default setting), freshclam (use HTTP/1.0) works well. -- -- shivaken antshell: Ant command line front end http://www.antshell.org ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
[Clamav-users] non detection problem
Hello List, I just installed the latest stable clamav 0.80. My main.db and daily.db are also the latest. I run clamav on a debian machine (for test purpose - before installing it on the main mail server which runs crux (yet another dist!)) anyway - back to the problem... Installation went good. When I test it with the jpeg.zip, which I got from this list earlier today, IT did NOT find anything ?!? I tried unzipping (the file contains 2 jpg files) and nothing! I tried scanning it online in the mentioned site (http://www.virustotal.com) and most AV software did detect a malware. Clamav did NOT! Is that a problem??? or what? Should I go for another AV (I don't want to - but can I trust ClamAV??) -- Sincerely, Meni Shapiro [EMAIL PROTECTED] ___ Clamav-users mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/clamav-users
[Clamav-users] Error in latest update to Database
On the latest update to the signatures I saw this in the log file ClamAV update process started at Mon Oct 18 18:17:01 2004 main.cvd is up to date (version: 27, sigs: 23982, f-level: 2, builder: tomek) daily.cvd updated (version: 535, sigs: 1272, f-level: 3, builder: trog) WARNING: Your ClamAV installation is OUTDATED - please update immediately ! WARNING: Current functionality level = 2, required = 3 Database updated (25254 signatures) from database.clamav.net (195.70.36.141). Clamd successfully notified about the update. I'm running 0.75.1, so I'm wondering why I have this entry in the log as 0.80 only got released in the last few days Anyone got any ideas ? Graham -- Graham K. Dodd Director of Operations Falk Ross GmbH Tel: 06301 717 0 ___ Clamav-users mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/clamav-users
[Clamav-users] List problem?
Mail from the weekend arrived just fine, but this morning, I started seeing this in my logs: Oct 18 09:52:38 omega postfix/smtpd[27078]: NOQUEUE: reject: RCPT from unknown[194.242.226.43]: 550 Client host rejected: cannot find your hostname, [194.242.226.43]; from=[EMAIL PROTECTED] to=[EMAIL PROTECTED] proto=ESMTP helo=krisma.oltrelinux.com Now, I am starting to see some list mail arrive via the sourceforge.net server. What's up? -- Robin Lynn Frank - Director of Operations Paradigm-Omega, LLC - http://paradigm-omega.com SpamTrap: @null-route.merseine.nu We support boycotting overseas outsourcers.
Re: [Clamav-users] Error in latest update to Database
Graham Dodd wrote: On the latest update to the signatures I saw this in the log file ClamAV update process started at Mon Oct 18 18:17:01 2004 main.cvd is up to date (version: 27, sigs: 23982, f-level: 2, builder: tomek) daily.cvd updated (version: 535, sigs: 1272, f-level: 3, builder: trog) WARNING: Your ClamAV installation is OUTDATED - please update immediately ! WARNING: Current functionality level = 2, required = 3 Database updated (25254 signatures) from database.clamav.net (195.70.36.141). Clamd successfully notified about the update. I'm running 0.75.1, so I'm wondering why I have this entry in the log as 0.80 only got released in the last few days You're seeing this message for the exact reason it says, your clamav installation is outdated. Whether .80 was released a year ago or yesterday is irrelevant, it's still newer than what you're running now. -Jim ___ Clamav-users mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/clamav-users
Re: [Clamav-users] List problem?
On Mon, 2004-10-18 at 10:08, Niek wrote: On 10/18/2004 7:03 PM +0200, Robin Lynn Frank wrote: Mail from the weekend arrived just fine, but this morning, I started seeing this in my logs: Oct 18 09:52:38 omega postfix/smtpd[27078]: NOQUEUE: reject: RCPT from unknown[194.242.226.43]: 550 Client host rejected: cannot find your hostname, [194.242.226.43]; from=[EMAIL PROTECTED] to=[EMAIL PROTECTED] proto=ESMTP helo=krisma.oltrelinux.com Now, I am starting to see some list mail arrive via the sourceforge.net server. What's up? Hi, clamav list moved a month ago. new posting-to address is: [EMAIL PROTECTED] Regards, Niek I am aware of that, but the problem with their server's dns did not appear until this morning. Yesterday, they were using a different server. Now, the report from dnsreport.com notes: ERROR: The IP of one or more of your mail server(s) have no reverse DNS (PTR) entries (if you see Timeout below, it may mean that your DNS servers did not respond fast enough). RFC1912 2.1 says you should have a reverse DNS for all your mail servers. It is strongly urged that you have them, as many mailservers will not accept mail from mailservers with no reverse DNS entry. You can double-check using the 'Reverse DNS Lookup' tool at the DNSstuff site. The problem MX records are: 45.30.103.83.in-addr.arpa [No reverse DNS entry (rcode: 3 ancount: 0)] 43.226.242.194.in-addr.arpa [No reverse DNS entry (rcode: 3 ancount: 0)] and WARNING: One or more of your mailservers may be claiming to be a host other than what it really is (the SMTP greeting should be a 3-digit code, followed by a space or a dash, then the host name). This probably won't cause any harm, but may be a technical violation of RFC821 4.3 (and RFC2821 4.3.1). mail2.oltrelinux.com claims to be host karma.oltrelinux.com. mail.oltrelinux.com claims to be host krisma.oltrelinux.com. 
-- Robin Lynn Frank - Director of Operations Paradigm-Omega, LLC - http://paradigm-omega.com SpamTrap: @null-route.merseine.nu We support boycotting overseas outsourcers.
[Clamav-users] freshclam: Chunked Transfer Coding
I had a freshclam update problem with that like below. # freshclam ClamAV update process started at Tue Oct 19 09:35:19 2004 main.cvd is up to date (version: 27, sigs: 23982, f-level: 2, builder: tomek) Connecting via 127.0.0.1 Reading CVD header (daily.cvd): OK Downloading daily.cvd [*] ERROR: Verification: Broken or not a CVD file Giving up... I couldn't find the reason for a long time. With wget, I can get CVD files properly. Finally I set printf at freshclam/manager.c to see receiving data. Then I found the proxy uses chunked transfer coding to send data. Delegate seems to use chunked transfer coding for HTTP/1.1 client. I changed delegate setting not to use chunked transfer coding. Then I succeeded with freshclam. According to RFC 2616, All HTTP/1.1 applications that receive entities MUST accept the chunked transfer-coding (section 3.6), thus allowing this mechanism to be used for messages when the message length cannot be determined in advance. So, please change freshclam to send http request as HTTP/1.0 or implement accepting chunked transfer-coding. -- -- shivaken antshell: Ant command line front end http://www.antshell.org ___ Clamav-users mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/clamav-users
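An added example, not freshclam's code and not part of the post: a minimal HTTP/1.1 body reader that accepts the chunked transfer-coding, next to the naive read that hands chunk-size lines to the file verifier. The function names, the payload and the response are constructed for illustration.

```python
HEX_DIGITS = b"0123456789abcdefABCDEF"
PAYLOAD = b"constructed database bytes\n" * 10   # stands in for the downloaded file


def decode_chunked(body):
    """Decode an RFC 2616 section 3.6.1 chunked body; raise ValueError if malformed."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk-size line")
        size_field = body[pos:eol].split(b";", 1)[0].strip()   # drop chunk extensions
        if not size_field or any(ch not in HEX_DIGITS for ch in size_field):
            raise ValueError("chunk size is not hexadecimal")
        size = int(size_field, 16)
        pos = eol + 2
        if size == 0:
            break
        chunk = body[pos:pos + size]
        if len(chunk) != size or body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("truncated or malformed chunk")
        out += chunk
        pos += size + 2
    while True:                      # optional trailer headers, then an empty line
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("missing final CRLF")
        if eol == pos:
            return bytes(out)
        pos = eol + 2


def naive_body(response):
    """The failure mode: everything after the headers is taken as the file."""
    return response.partition(b"\r\n\r\n")[2]


def read_body(response):
    """Return the entity body, honouring Transfer-Encoding and Content-Length."""
    head, sep, body = response.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response headers")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        key, _, value = line.partition(b":")
        headers[key.strip().lower()] = value.strip().lower()
    if b"chunked" in headers.get(b"transfer-encoding", b""):
        return decode_chunked(body)
    if b"content-length" in headers:
        return body[:int(headers[b"content-length"])]
    return body                                    # HTTP/1.0 style: body runs to close


def constructed_response(payload, chunk_size):
    """Constructed proxy reply that sends the payload in fixed-size chunks."""
    parts = [b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"]
    for i in range(0, len(payload), chunk_size):
        piece = payload[i:i + chunk_size]
        parts.append(b"%x\r\n" % len(piece) + piece + b"\r\n")
    parts.append(b"0\r\n\r\n")
    return b"".join(parts)


if __name__ == "__main__":
    reply = constructed_response(PAYLOAD, 64)
    print(naive_body(reply)[:12])          # chunk-size line precedes the data
    print(read_body(reply) == PAYLOAD)
```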
Re: [Clamav-users] Problems Compiling on Solaris X86 Box
Ken Jones wrote: All, I have been having problems compiling on a Solaris 8 X86 box since the release of 80rc series. Undefined first referenced symbol in file BZ2_bzRead scanners.lo BZ2_bzReadOpen scanners.lo BZ2_bzReadClose scanners.lo ld: fatal: Symbol referencing errors. No output written to .libs/libclamav.so.1.0.4 ClamAV 0.80 (and the rc versions) compiles fine for me on Solaris 10 B63 x86, so it is not a general Solaris x86 problem. -- James Lick -- -- [EMAIL PROTECTED] -- http://jameslick.com/ ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] Problems Compiling on Solaris X86 Box
James Lick wrote: Ken Jones wrote: All, I have been having problems compiling on a Solaris 8 X86 box since the release of 80rc series. Undefined first referenced symbol in file BZ2_bzRead scanners.lo BZ2_bzReadOpen scanners.lo BZ2_bzReadClose scanners.lo ld: fatal: Symbol referencing errors. No output written to .libs/libclamav.so.1.0.4 ClamAV 0.80 (and the rc versions) compiles fine for me on Solaris 10 B63 x86, so it is not a general Solaris x86 problem. I'm not sure if this is related, but on a RedHat box I had problems compiling .80 until I installed the bzip2-devel rpm. -- Bill Maidment Maidment Enterprises Pty Ltd Unless you are named Alfred E. Newman, you may read only the odd numbered words (every other word beginning with the first) of the message above. If you have violated that, then you hereby owe the sender AU$10 for each even numbered word you have read. Adapted from Stupid Email Disclaimers (see http://www.goldmark.org/jeff/stupid-disclaimers/) ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
[Clamav-users] Outdated Version Question
Hi all Upgraded straight away when I saw the new message However, below is what is happening now.. ClamAV update process started at Tue Oct 19 12:19:01 2004 WARNING: Your ClamAV installation is OUTDATED - please update immediately ! WARNING: Local version: 0.80rc4, Recommended version: 0.80 main.cvd is up to date (version: 27, sigs: 23982, f-level: 2, builder: tomek) daily.cvd is up to date (version: 535, sigs: 1272, f-level: 3, builder: trog) WARNING: Your ClamAV installation is OUTDATED - please update immediately ! WARNING: Current functionality level = 2, required = 3 Question is 0.80rc4 different to 0.80?? Cheers Gary ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] Outdated Version Question
Gary Brown wrote: Question is 0.80rc4 different to 0.80?? Oh YES! There were some significant changes. Read ChangeLog for details. If you don't care, you can still use the rc4 as it's only a warning. Regards, Fajar ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
[Clamav-users] Freshclam DNS Warnings
One of my servers is giving these warnings. What causes this and is it anything to worry about? freshclam daemon 0.80 (OS: linux-gnu, ARCH: i386, CPU: i686) ClamAV update process started at Tue Oct 19 14:39:06 2004 WARNING: DNS record is older than 3 hours. WARNING: Invalid DNS reply. main.cvd is up to date (version: 27, sigs: 23982, f-level: 2, builder: tomek) WARNING: DNS record is older than 3 hours. WARNING: Invalid DNS reply. daily.cvd is up to date (version: 535, sigs: 1272, f-level: 3, builder: trog) -- Bill Maidment Maidment Enterprises Pty Ltd Unless you are named Alfred E. Newman, you may read only the odd numbered words (every other word beginning with the first) of the message above. If you have violated that, then you hereby owe the sender AU$10 for each even numbered word you have read. Adapted from Stupid Email Disclaimers (see http://www.goldmark.org/jeff/stupid-disclaimers/) ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
[Clamav-users] [Updated] Clamav 0.80 -stable has been released for OpenBSD
Hello to all, I've made the port of Clamav 0.80 for OpenBSD. You can find it at http://www.fatbsd.com/openbsd/clamav/ Any comments are welcome, ++ Jerome

Here is the official changelog:

-) libclamav
  + Portable Executable analyser (CL_SCAN_PE) featuring:
    o UPX decompression (all versions)
    o Petite decompression (2.x)
    o FSG decompression (1.3, 1.31, 1.33)
    o detection of broken executables (CL_SCAN_BLOCKBROKEN)
  + new, memory efficient, pattern matching algorithm (multipattern variant of Boyer-Moore) - it's now primary matcher and Aho-Corasick is only used for regular expression extended signatures
  + new signature format with advanced target type and offset specification
  + support for MD5 based signatures
  + extended regular expression scanner
  + added support for MS cabinet files
  + added support for CHM files
  + added support for POSIX tar archives
  + scanning inside PowerPoint documents
  + HTML normaliser with support for decoding of MS Script Encoder code
  + great improvements in e-mail scanner (now handles even more worm tricks)
  + new method of mail files detection
  + all e-mail attachments are now scanned (previously only the first ten attachments were scanned)
  + added support for scanning URLs in e-mails (CL_SCAN_MAILURL)
  + detection of Worm.Mydoom.M.log
  + updated API (still backward compatible but please consult Section 6 of clamdoc.pdf and adapt your software)
  + faster base64 decoding
  + support for GNU tar files
  + updated on-access scanner

-) clamd
  + new directive ScanHTML (enables HTML normalisator and ScrEnc decoder)
  + new directive ScanPE (win32 executable analyser and decompressor)
  + new directive DetectBrokenExecutables (try to detect broken executables and mark them as Broken.Executable)
  + new directive MailFollowURLs (try to download and scan files from URLs in mails. BE CAREFUL! DO NOT ENABLE IT ON LOADED MAIL SERVERS)
  + new directive ArchiveBlockMax (archives that exceed limits will be marked as viruses)
  + clamav.conf was renamed to clamd.conf

-) clamscan
  + mail files are scanned by default, use --no-mail to disable it
  + new option --no-html (disables HTML normalisator)
  + new option --no-pe (disables PE analyser)
  + new option --detect-broken
  + new option --block-max
  + new option --mail-follow-urls (download and scan files from URLs in mails)

-) clamdscan
  + now prints warnings if some activated command line options are only supported by clamscan
  + added support for archive scanning in stdin mode

-) clamav-milter
  + improved template file format
  + quarantined file names now contain virus names
  + initial support for SESSION mode of clamd

-) freshclam:
  + new directive DNSDatabaseInfo that enables ultra lightweight version verification method through DNS (using TXT records). Based on idea by Christopher X. Candreva and enabled by default. (see http://www.gossamer-threads.com/lists/clamav/users/11102)
  + new option --no-dns (quick option to disable DNS method without editing freshclam.conf)

-) sigtool
  + removed ability of automatic signature generation (use MD5 sums to create your own signatures, see signatures.pdf for details)
  + new option --md5
  + new option --html-normalise (saves HTML normalisation and decryption results in three html files in current directory)

-) configure:
  + new option --disable-gethostbyname_r (try enabling it if clamav-milter compilation fails)
  + new option --disable-dns (try enabling it if freshclam compilation fails)
  + extended regular expression scanner

-) documentation
  + included new Mac OS X installation instructions
  + official documentation rewritten and outdated docs removed

We encourage our users to take advantage of our new mirror structure. In order to download the database from the closest mirror you should configure freshclam to use db.XY.clamav.net where XY is your country code (see http://www.iana.org/cctld/cctld-whois.htm for the full list). Please add the following lines to freshclam.conf:

DNSDatabaseInfo current.cvd.clamav.net
DatabaseMirror db.XY.clamav.net
DatabaseMirror database.clamav.net

DNSDatabaseInfo enables database and software version verification through DNS TXT records, and the second database mirror acts as a fallback in case a connection to the first mirror fails for some reason.

+---+ | | | LOYET Jérôme | | 4° année Télécom INSA-LYON| | Responsable informatique EGA | | Responsable informatique ALMO | | | | 23 Rue marcel dutartre| | 69100 VILLEURBANNE| | 08 71 73 42 00| | 06 89 48 49 01| | [EMAIL PROTECTED] | | |