Re: [Clamav-users] GDI+ bug exploit Mutations

2004-10-18 Thread Julio Canto
Tomasz Kojm wrote:
  b) VirusTotal's site has a more up to date version of ClamAV, using
  the builds from here (now and again):
  http://www.sosdg.org/clamav-win32/index.php

 I don't think so, it seems they're using ClamWin.

Yes, all AV products in VirusTotal are Windows based, that is why we 
used ClamWin.

--
Regards,
 Julio Canto
 Hispasec Sistemas
 http://www.hispasec.com
 (+34) 902 161 025
 Parque Tecnologico de Andalucia
 Avda Juan Lopez Peñalver, 21
 Málaga, España
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Re: [Clamav-users] GDI+ bug exploit Mutations

2004-10-18 Thread Meni Shapiro


Bogusław Brandys wrote:
Steve Basford wrote:

 Just use http://www.virustotal.com/ - excellent resource for scanning
 suspicious files with multiple engines at once.  As mentioned in the

They did not catch it!!!
http://www.virustotal.com/flash/respuesta_sav/resultado?d5384ab0cdf6100f509aecf95454fe8d:eng
Sincerely,
Meni Shapiro


[Clamav-users] freshclam.pid: Permission denied

2004-10-18 Thread Jona Tallieu (T T n.v.)
Hi all,

I just upgraded from latest stable 0.75.1 to the final 0.80.

Now, when freshclam starts, I get this in the freshclam logfile:

ERROR: Can't save PID to file /var/clamav/freshclam.pid: Permission denied


The option in freshclam.conf has been disabled (default):
#PidFile /var/run/freshclam.pid


Any ideas?

Thnx.


J.


Re: [Clamav-users] freshclam.pid: Permission denied

2004-10-18 Thread Ralf Hildebrandt
* Jona Tallieu (T  T  n.v.) [EMAIL PROTECTED]:
 Hi all,
 
 I just upgraded from latest stable 0.75.1 to the final 0.80.
 
 Now, when freshclam starts, I get this in the freshclam logfile:
 
 ERROR: Can't save PID to file /var/clamav/freshclam.pid: Permission denied
 
 
 The option in freshclam.conf has been disabled (default):
 #PidFile /var/run/freshclam.pid

The default value is being used: /var/run/freshclam.pid != /var/clamav/freshclam.pid !
-- 
Ralf Hildebrandt (i.A. des IT-Zentrum)  [EMAIL PROTECTED]
Charite - Universitätsmedizin Berlin          Tel.  +49 (0)30-450 570-155
Gemeinsame Einrichtung von FU- und HU-Berlin  Fax.  +49 (0)30-8445-4447
IT-Zentrum Standort CBF                       AIM.  ralfpostfix


Re: [Clamav-users] Latest snapshot greatly increases scanning speed

2004-10-18 Thread Trog
On Sun, 2004-10-17 at 05:16, Christopher X. Candreva wrote:
 I posted a week or so ago about problems scanning OLE files, where some 
 files took upwards of 2 minutes to scan.
 
 Tomasz e-mailed me about an update in the latest CVS that addresses this 
 problem. That same file is now scanning in about 2 seconds.
 
 For anyone else having this problem, give the 20041017 snapshot a try. 
 Working great here.

Just for the record, the problem described was nothing to do with the
OLE2 unpacker, but rather a problem in the scanner.

-trog





Re: [Clamav-users] GDI+ bug exploit Mutations

2004-10-18 Thread Brian Morrison
On Mon, 18 Oct 2004 11:22:01 +0200 in
[EMAIL PROTECTED] Tomasz Kojm [EMAIL PROTECTED]
wrote:

For those running 0.80rc4 or 0.80 final, you can catch all jpeg
exploits with the following signature (add it to a local.ndb file
in your database directory):

Exploit.JPEG.Comment.FalsePos:5:0:ffd8ff

Warning: do NOT use this if you're running 0.80rc[123], since it
WILL cause false positives.  Also, do NOT change the name.  The
ClamAV code
   
   Please do not use it. It seems the JPEG exploit verificator is
   still not perfect and may not eliminate all false positive matches.
 
  False alert. It appeared some Japanese camera software creates broken
  pictures.

So that signature *is* safe to use? Or have I read your comment wrongly?

-- 

Brian Morrison

bdm at fenrir dot org dot uk

GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html


Re: [Clamav-users] GDI+ bug exploit Mutations

2004-10-18 Thread Trog
On Mon, 2004-10-18 at 15:40, Brian Morrison wrote:
 On Mon, 18 Oct 2004 11:22:01 +0200 in
 [EMAIL PROTECTED] Tomasz Kojm [EMAIL PROTECTED]
 wrote:
 
 For those running 0.80rc4 or 0.80 final, you can catch all jpeg
 exploits with the following signature (add it to a local.ndb file
 in your database directory):
 
 Exploit.JPEG.Comment.FalsePos:5:0:ffd8ff
 
 Warning: do NOT use this if you're running 0.80rc[123], since it
 WILL cause false positives.  Also, do NOT change the name.  The
 ClamAV code

Please do not use it. It seems the JPEG exploit verificator is
still not perfect and may not eliminate all false positive matches.
  
   False alert. It appeared some Japanese camera software creates broken
   pictures.
 
 So that signature *is* safe to use? Or have I read your comment wrongly?

It should be safe to use with 0.80, but on the other hand, it'll match
*every* JPEG file and process them through the false positive
elimination code, which will impact performance (very slightly).

-trog
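
What Trog describes follows from the three fields after the name: target type 5 (graphics), offset 0, and the body ffd8ff, which is the JPEG start-of-image marker plus the 0xFF that opens the next marker. The Python below is an added example, not part of the message and not ClamAV code; it parses that one line and applies it to constructed header bytes, handling only plain hex bodies with `*` or absolute offsets and taking each file's target type from the caller.

```python
from dataclasses import dataclass
from typing import Optional

# Target-type numbers used in ClamAV's extended (.ndb) signature format.
TARGET_TYPES = {0: "any file", 1: "PE executable", 2: "OLE2", 3: "HTML",
                4: "mail", 5: "graphics"}

# The signature line quoted in the thread.
THREAD_SIGNATURE = "Exploit.JPEG.Comment.FalsePos:5:0:ffd8ff"


@dataclass(frozen=True)
class NdbSignature:
    name: str
    target: int
    offset: Optional[int]  # None stands for "*": the body may appear anywhere
    body: bytes


def parse_ndb(line: str) -> NdbSignature:
    """Parse one 'Name:TargetType:Offset:HexSignature' line."""
    fields = line.strip().split(":")
    if len(fields) < 4:
        raise ValueError("expected Name:TargetType:Offset:HexSignature")
    name, target, offset, hexsig = fields[:4]
    if int(target) not in TARGET_TYPES:
        raise ValueError(f"unknown target type {target}")
    if offset != "*" and not offset.isdigit():
        raise ValueError(f"offset form {offset!r} is not handled in this example")
    try:
        body = bytes.fromhex(hexsig)
    except ValueError:
        raise ValueError("wildcards in the hex body are not handled here") from None
    if not body:
        raise ValueError("empty signature body")
    return NdbSignature(name, int(target),
                        None if offset == "*" else int(offset), body)


def matches(sig: NdbSignature, data: bytes, file_target: int) -> bool:
    """True if sig fires on data, given the type the scanner assigned to the file."""
    if sig.target not in (0, file_target):
        return False                      # signature is for another file type
    if sig.offset is None:
        return sig.body in data           # floating signature
    return data.startswith(sig.body, sig.offset)  # pinned to an absolute offset


# Constructed samples: (target type assigned by the caller, first bytes only).
SAMPLES = {
    "jfif.jpg":    (5, bytes.fromhex("ffd8ffe000104a46494600")),  # SOI + APP0 "JFIF"
    "exif.jpg":    (5, bytes.fromhex("ffd8ffe1001845786966")),    # SOI + APP1 "Exif"
    "comment.jpg": (5, bytes.fromhex("ffd8fffe00044142")),        # SOI + COM segment
    "image.png":   (5, bytes.fromhex("89504e470d0a1a0a")),        # PNG magic
    # Same three bytes, but not at offset 0 (typed as graphics to isolate the offset check).
    "shifted.bin": (5, bytes.fromhex("00000000ffd8ffe0")),
}


def scan(sig_line: str = THREAD_SIGNATURE) -> dict:
    """Apply one signature line to every constructed sample."""
    sig = parse_ndb(sig_line)
    return {name: matches(sig, data, target)
            for name, (target, data) in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in scan().items():
        print(f"{name:12} {'FOUND' if hit else 'OK'}")
```

Every JPEG sample matches regardless of which segment follows the start-of-image marker, so the name-specific false positive elimination step mentioned in the thread is what has to separate real exploits from ordinary pictures.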





[Clamav-users] Re: GDI+ bug exploit Mutations

2004-10-18 Thread Virgo Pärna

 There was this other thread about scanning tar archives so I
tried to test it.

dragon:~/soft/clamav clamscan -V
ClamAV 0.80/534/Mon Oct 18 17:29:28 2004
dragon:~/soft/clamav clamscan -r -i --no-summary clamav-0.80.tar.gz
clamav-0.80.tar.gz: Exploit.JPEG.Comment.E9 FOUND

Strange, let's see what happens when I scan the unpacked clamav directory
(clamav was built in this directory).

dragon:~/soft/clamav clamscan -r -i --no-summary clamav-0.80
clamav-0.80/test/clam.cab: ClamAV-Test-File FOUND
clamav-0.80/test/clam.exe: ClamAV-Test-File FOUND
clamav-0.80/test/clam.rar: ClamAV-Test-File FOUND
clamav-0.80/test/clam.zip: ClamAV-Test-File FOUND
clamav-0.80/test/clam.exe.bz2: ClamAV-Test-File FOUND
clamav-0.80/contrib/clamdwatch/clamdwatch.tar.gz: Eicar-Test-Signature FOUND
clamav-0.80/clamd/server-th.o: Exploit.JPEG.Comment.FA FOUND
clamav-0.80/clamd/.libs/clamd: Exploit.JPEG.Comment.C9 FOUND
clamav-0.80/sigtool/.libs/sigtool: Exploit.JPEG.Comment.C9 FOUND
clamav-0.80/clamscan/manager.o: Exploit.JPEG.Comment.E4 FOUND
clamav-0.80/libclamav/.libs/libclamav.a: Exploit.JPEG.Comment.F6 FOUND
clamav-0.80/libclamav/zzip-err.o: Exploit.JPEG.Comment.F6 FOUND
clamav-0.80/libclamav/zzip-err.lo: Exploit.JPEG.Comment.F6 FOUND
clamav-0.80/libclamav/message.o: Exploit.JPEG.Comment.C7 FOUND
clamav-0.80/libclamav/message.lo: Exploit.JPEG.Comment.C7 FOUND
dragon:~/soft/clamav


-- 
Virgo Pärna 
[EMAIL PROTECTED]



[Clamav-users] RE: freshclam.pid: Permission denied

2004-10-18 Thread Jona Tallieu (T T n.v.)
* Jona Tallieu (T  T  n.v.) Junk at tnt.be:
 Hi all,

 I just upgraded from latest stable 0.75.1 to the final 0.80.

 Now, when freshclam starts, I get this in the freshclam logfile:

 ERROR: Can't save PID to file /var/clamav/freshclam.pid: Permission denied


 The option in freshclam.conf has been disabled (default):
 #PidFile /var/run/freshclam.pid

The default value is being used: /var/run/freshclam.pid !=
/var/clamav/freshclam.pid !


I tried activating the save PID file with the value /var/clamav/freshclam.pid
but I get the same error.

Now also, after a freshclam update, I get the following error

ERROR: Clamd was NOT notified: Can't connect to clamd through
/var/clamav/clamd.sock

So it seems freshclam can not access anything in /var/clamav/.

The permissions for /var/clamav/ are:

drw-r--r--   4 lplp   136 18 Oct 10:49 clamav

And inside are:

-rw-rw  1 root  lp  4 18 Oct 10:39 clamd.pid
srwxrwxrwx  1 root  lp  0 18 Oct 10:39 clamd.sock


Anyone?

Thanks!


J.


Re: [Clamav-users] non detection problem

2004-10-18 Thread Tomasz Kojm
On Mon, 18 Oct 2004 13:42:52 +0200
Meni Shapiro [EMAIL PROTECTED] wrote:

 Hello List,
 
 I just installed the latest stable clamav 0.80.
 My main.db and daily.db are also the latest.
 I run clamav on a debian machine (for test purpose - before installing
 
 it on the main mail server which runs  crux (yet another dist!))
 anyway - back to the problem...
 Installation went good.
 When I test it with the jpeg.zip, which I got from this list earlier 
 today, IT did NOT find anything ?!?
 I tried unzipping (the file contains 2 jpg files) and nothing!
 I tried scanning it online in the mentioned site 
 (http://www.virustotal.com) and most AV software did detect a
 malware Clamav did NOT!

 
 Is that a problem??? or what?

The problem is you haven't even read my yesterday's e-mails in this
case.

 should I go for another AV

Two or more scanners from different vendors are recommended in these
days...

 (I don't want to - but can I trust ClamAV??)

We don't guarantee you anything. See COPYING.

-- 
   oo. Tomasz Kojm [EMAIL PROTECTED]
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Mon Oct 18 15:09:35 CEST 2004




Re: [Clamav-users] RE: freshclam.pid: Permission denied

2004-10-18 Thread Thomas Lamy
Jona Tallieu (T  T n.v.) wrote:
 ERROR: Clamd was NOT notified: Can't connect to clamd through
 /var/clamav/clamd.sock

 So it seems freshclam can not access anything in /var/clamav/.

 The permissions for /var/clamav/ are:

 drw-r--r--   4 lplp   136 18 Oct 10:49 clamav

 And inside are:

 -rw-rw  1 root  lp  4 18 Oct 10:39 clamd.pid
 srwxrwxrwx  1 root  lp  0 18 Oct 10:39 clamd.sock

 Anyone?

 Thanks!

chmod 755 /var/clamav
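
The posted listing shows a socket with mode srwxrwxrwx inside a directory whose mode, drw-r--r--, has no search (x) bit for any class, which is why nothing under /var/clamav could be reached until the chmod. The Python below is an added example, not from the thread or from ClamAV; it walks the directories leading to a file and reports the first one a given identity cannot traverse, using a constructed temporary layout, a plain file standing in for the socket, and hypothetical uid/gid values (4242 and 71).

```python
import os
import shutil
import stat
import tempfile


def can_search(mode, owner, group, uid, gids):
    """Can a process with (uid, gids) traverse a directory with this mode?

    Only the first matching permission class is consulted: owner, then
    group, then other. uid 0 is treated as bypassing the check.
    """
    if uid == 0:
        return True
    if uid == owner:
        return bool(mode & stat.S_IXUSR)
    if group in gids:
        return bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IXOTH)


def first_blocked_dir(path, uid, gids, base="/"):
    """Return the first directory, from base down to path's parent, that the
    identity cannot search, or None if every component is traversable."""
    base = os.path.abspath(base)
    chain = []
    d = os.path.dirname(os.path.abspath(path))
    while True:
        chain.append(d)
        parent = os.path.dirname(d)
        if d == base or parent == d:
            break
        d = parent
    for d in reversed(chain):             # check from the top down
        st = os.stat(d)
        if not can_search(st.st_mode, st.st_uid, st.st_gid, uid, gids):
            return d
    return None


def demo():
    """Rebuild the thread's layout in a temp dir and check it before and
    after the chmod. Returns (blocked dir name at 0644, at 0755)."""
    sandbox = tempfile.mkdtemp()
    spool = os.path.join(sandbox, "clamav")
    os.mkdir(spool)
    sock = os.path.join(spool, "clamd.sock")   # plain file standing in for the socket
    open(sock, "w").close()
    os.chmod(sock, 0o777)                      # world-accessible, as in the listing
    uid, gids = 4242, {4242}                   # hypothetical unprivileged account

    os.chmod(spool, 0o644)                     # drw-r--r-- as posted
    before = first_blocked_dir(sock, uid, gids, base=spool)
    os.chmod(spool, 0o755)                     # the fix given in the reply
    after = first_blocked_dir(sock, uid, gids, base=spool)

    shutil.rmtree(sandbox)
    name = lambda p: os.path.basename(p) if p else None
    return name(before), name(after)


if __name__ == "__main__":
    print(demo())
```

With mode 0644 even the directory's owner fails the check, since the owner class is rw- without x; the permissive mode on the socket itself never comes into play.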


[Clamav-users] disable a particular signature

2004-10-18 Thread Chris Conn
Hello,
Is it possible in clamav to disable a particular signature?  I am using 
0.80rc4 and since this morning (after downloading signature file version 
534) I have been matching a ton of false positives on .jpg and .tif 
files for the JPEG.Comment exploits.

If upgrading to 0.80 release is a requirement, I am currently doing so, 
however in future it could be useful as well.

Thanks,
Chris


Re: [Clamav-users] RE: freshclam.pid: Permission denied

2004-10-18 Thread Tomasz Papszun
On Mon, 18 Oct 2004 at 17:04:52 +0200, Jona Tallieu (T  T  n.v.) wrote:
 * Jona Tallieu (T  T  n.v.) Junk at tnt.be:
  Hi all,
 
  I just upgraded from latest stable 0.75.1 to the final 0.80.
 
  Now, when freshclam starts, I get this in the freshclam logfile:
 
  ERROR: Can't save PID to file /var/clamav/freshclam.pid: Permission denied
 
  The option in freshclam.conf has been disabled (default):
  #PidFile /var/run/freshclam.pid
 
 The default value is being used: /var/run/freshclam.pid !=
 /var/clamav/freshclam.pid !
 
 I tried activating the save PID file with the value /var/clamav/freshclam.pid
 but I get the same error.
 
 Now also, after a freshclam update, I get the following error
 
 ERROR: Clamd was NOT notified: Can't connect to clamd through
 /var/clamav/clamd.sock
 
 So it seems freshclam can not access anything in /var/clamav/.
 
 The permissions for /var/clamav/ are:
 
 drw-r--r--   4 lplp   136 18 Oct 10:49 clamav
 
 And inside are:
 
 -rw-rw  1 root  lp  4 18 Oct 10:39 clamd.pid
 srwxrwxrwx  1 root  lp  0 18 Oct 10:39 clamd.sock
 

Why is /var/clamav (and files there) owned by lp (i.e. print) user
and group??

-- 
 Tomasz Papszun   SysAdm @ TP S.A. Lodz, Poland  | And it's only
 [EMAIL PROTECTED] http://www.lodz.tpsa.pl/iso/ | ones and zeros.
 [EMAIL PROTECTED]   http://www.ClamAV.net/   A GPL virus scanner


Re: [Clamav-users] disable a particular signature

2004-10-18 Thread Tomasz Kojm
On Mon, 18 Oct 2004 11:31:34 -0400
Chris Conn [EMAIL PROTECTED] wrote:

 Hello,
 
 Is it possible in clamav to disable a particular signature?  I am
 using 0.80rc4 and since this morning (after downloading signature file

No, it isn't.

 version 534) I have been matching a ton of false positives on .jpg and
 .tif files for the JPEG.Comment exploits.

Please don't be an egoist. You should report the false positive file on
our website:

http://www.clamav.net/sendvirus.html

to allow us to fix the problem globally.

 If upgrading to 0.80 release is a requirement, I am currently doing
 so, however in future it could be useful as well.

No, it would do more harm than good.

-- 
   oo. Tomasz Kojm [EMAIL PROTECTED]
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Mon Oct 18 17:45:06 CEST 2004




Re: [Clamav-users] Error in latest update to Database

2004-10-18 Thread Daniel J McDonald
On Mon, 2004-10-18 at 18:44 +0200, Graham Dodd wrote:
 On the latest update to the signatures I saw this in the log file

 WARNING: Your ClamAV installation is OUTDATED - please update immediately !
 WARNING: Current functionality level = 2, required = 3 Database updated

 I'm running 0.75.1, so I'm wondering why I have this entry in the log as
 0.80 only got released in the last few days

Because there are a significant number of signatures that require 0.80,
so this is a prompt to get you to upgrade.

-- 
Daniel J McDonald, CCIE # 2495, CNX
Austin Energy

[EMAIL PROTECTED]



Re: [Clamav-users] Error in latest update to Database

2004-10-18 Thread Tomasz Kojm
On Mon, 18 Oct 2004 18:44:56 +0200
Graham Dodd [EMAIL PROTECTED] wrote:

 On the latest update to the signatures I saw this in the log file
 
 ClamAV update process started at Mon Oct 18 18:17:01 2004 main.cvd is
 up to date (version: 27, sigs: 23982, f-level: 2, builder: tomek)
 daily.cvd updated (version: 535, sigs: 1272, f-level: 3, builder:
 trog) WARNING: Your ClamAV installation is OUTDATED - please update
 immediately ! WARNING: Current functionality level = 2, required = 3
 Database updated(25254 signatures) from database.clamav.net
 (195.70.36.141). Clamd successfully notified about the update.
 
 I'm running 0.75.1, so I'm wondering why I have this entry in the log
 as 0.80 only got released in the last few days
 
 Anyone got any ideas ?

The subject of your message is Error in latest update to Database.

What error?! I do see only some warning messages.

-- 
   oo. Tomasz Kojm [EMAIL PROTECTED]
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Mon Oct 18 18:51:42 CEST 2004




Re: [Clamav-users] GDI+ bug exploit Mutations

2004-10-18 Thread Damian Menscher
On Mon, 18 Oct 2004, Trog wrote:
 On Mon, 2004-10-18 at 15:40, Brian Morrison wrote:
  On Mon, 18 Oct 2004 11:22:01 +0200 Tomasz Kojm [EMAIL PROTECTED] wrote:
     For those running 0.80rc4 or 0.80 final, you can catch all jpeg
     exploits with the following signature (add it to a local.ndb file
     in your database directory):

     Exploit.JPEG.Comment.FalsePos:5:0:ffd8ff

     Warning: do NOT use this if you're running 0.80rc[123], since it
     WILL cause false positives.  Also, do NOT change the name.  The
     ClamAV code

    Please do not use it. It seems the JPEG exploit verificator is
    still not perfect and may not eliminate all false positive matches.

   False alert. It appeared some Japanese camera software creates broken
   pictures.

  So that signature *is* safe to use? Or have I read your comment wrongly?

 It should be safe to use with 0.80, but on the other hand, it'll match
 *every* JPEG file and process them through the false positive
 elimination code, which will impact performance (very slightly).

Two questions:

Which Japanese camera software?  Nearly every digital camera is made by 
a Japanese company (Nikon, Canon, etc) so this might be important.

Which signature is safe?  Mine (shown above)?  Or only the slightly more 
restrictive one that you posted?

Oh, and yeah, the signature was designed to force all JPEG files through 
the elimination code, hence the name FalsePos.  ;)

Damian Menscher
--
-=#| Physics Grad Student  SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
-=#| [EMAIL PROTECTED] www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
-=#| The above opinions are not necessarily those of my employers. |#=-


[Clamav-users] Problems Compiling on Solaris X86 Box

2004-10-18 Thread Ken Jones
All,

I have been having problems compiling on a Solaris 8 X86 box since the
release of 80rc series.

Undefined   first referenced
 symbol in file
BZ2_bzRead  scanners.lo
BZ2_bzReadOpen  scanners.lo
BZ2_bzReadClose scanners.lo
ld: fatal: Symbol referencing errors. No output written to
.libs/libclamav.so.1.0.4

I can unzip / untar / configure and compile 75.1 and earlier without
trouble. With the 80 series, the above error occurs. Same environment
settings 

Thanks

-- 
Ken Jones
[EMAIL PROTECTED]




Re: [Clamav-users] Error in latest update to Database

2004-10-18 Thread Niek
On 10/18/2004 6:44 PM +0200, Graham Dodd wrote:
 On the latest update to the signatures I saw this in the log file

 ClamAV update process started at Mon Oct 18 18:17:01 2004 main.cvd is up to
 date (version: 27, sigs: 23982, f-level: 2, builder: tomek) daily.cvd
 updated (version: 535, sigs: 1272, f-level: 3, builder: trog)
 WARNING: Your ClamAV installation is OUTDATED - please update immediately !
 WARNING: Current functionality level = 2, required = 3 Database updated
 (25254 signatures) from database.clamav.net (195.70.36.141).
 Clamd successfully notified about the update.

 I'm running 0.75.1, so I'm wondering why I have this entry in the log as
 0.80 only got released in the last few days

 Anyone got any ideas ?

 Graham

I _think_ because you won't detect a bunch of viruses by not upgrading.
If Symantec/Sophos/etc. would release an engine update,
you'd want that to be installed in order to catch the latest viruses?

Regards,
Niek
--
___
Read about mime:http://www.geoapps.com/nomime.shtml
Read about quoting: http://www.netmeister.org/news/learn2quote.html
Read about disclaimers: http://www.goldmark.org/jeff/stupid-disclaimers


Re: [Clamav-users] freshclam.pid: Permission denied

2004-10-18 Thread Tomasz Kojm
On Mon, 18 Oct 2004 10:48:54 +0200
Jona Tallieu (T  T  n.v.) [EMAIL PROTECTED] wrote:

 Hi all,
 
 I just upgraded from latest stable 0.75.1 to the final 0.80.
 
 Now, when freshclam starts, I get this in the freshclam logfile:
 
 ERROR: Can't save PID to file /var/clamav/freshclam.pid: Permission
 denied
 
 
 The option in freshclam.conf has been disabled (default):
 #PidFile /var/run/freshclam.pid
 
 
 Any ideas?

There's also a command line option - make sure it's not in use.

-- 
   oo. Tomasz Kojm [EMAIL PROTECTED]
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Mon Oct 18 15:52:17 CEST 2004




Re: [Clamav-users] clam.exe not being detected in mail

2004-10-18 Thread Robert Haas
On Sun, 2004-10-17 at 22:49, James Lick wrote:
 (Regarding clam.exe not being detected as an attachment.)
 
 Someone reported this same problem a few days ago to me as a possible 
 clamassassin bug.  I was able to verify the problem with an attachment 
 created with Mozilla 1.7.3 which was passed as OK by ClamAV.  
 extracting the attachment to a file and scanning the clam.exe file and 
 it is detected correctly, so the file didn't get corrupted along the 
 line somewhere.  I hadn't looked into it enough to report the bug yet, 
 but something is definitely wrong in detecting clam.exe as an attachment.

That is the exact issue I am seeing (even to the clamassassin, but I've
ruled that out as being the problem). I thought perhaps there was an
issue with how evolution was attaching the file, so I tried outlookE,
Mozilla, and pine, all with the same results.

A hex dump of the temporary file that clamav created shows that there is
a difference between it and the original. In addition the file sizes are
off by one byte, 545 versus the original 544.

-
[EMAIL PROTECTED] tmp]# hexdump clamexerKsqPN clamexe.mail
[EMAIL PROTECTED] tmp]# hexdump clam.exe  clamexe
[EMAIL PROTECTED] tmp]# diff -Naur clamexe clamexe.mail
--- clamexe 2004-10-18 11:07:47.993537065 -0500
+++ clamexe.mail2004-10-18 11:07:37.026031258 -0500
@@ -28,4 +28,5 @@
 1f0     435b 414c 414d 5d56
 200 1000  1000  0200  0001 
 210        c000
-220
+220 
+221
-

Somewhere a trailing nil (or is it NULL?) byte is being appended.

Again, Thank you for taking the time to read this.
Robert Haas




Re: [Clamav-users] List problem?

2004-10-18 Thread Mike Cathey
On Mon, 2004-10-18 at 13:03, Robin Lynn Frank wrote:
 Mail from the weekend arrived just fine, but this morning, I started
 seeing this in my logs:

The primary mail server had a problem with disk space on /var.  It is
now resolved.

Krisma is the backup server.  Luca controls that host.  It looks like
he's rejecting mail from you because your host's IP doesn't have a PTR.

Cheers,

Mike



Re: [Clamav-users] non detection problem

2004-10-18 Thread Julio Canto
Meni Shapiro wrote:
 Hello List,

 I just installed the latest stable clamav 0.80.
 My main.db and daily.db are also the latest.
 I run clamav on a debian machine (for test purpose - before installing 
 it on the main mail server which runs  crux (yet another dist!))
 anyway - back to the problem...
 Installation went good.
 When I test it with the jpeg.zip, which I got from this list earlier 
 today, IT did NOT find anything ?!?
 I tried unzipping (the file contains 2 jpg files) and nothing!
 I tried scanning it online in the mentioned site 
 (http://www.virustotal.com) and most AV software did detect a malware
 Clamav did NOT!

 Is that a problem??? or what?
 should I go for another AV (I don't want to - but can I trust ClamAV??)

I guess it is a problem of how that 'exploit' is being detected, and the 
different mutations of that jpeg exploiting archives are appearing. I've 
seen that problem of not detecting different 'mutations' of the MS04-028 
vulnerability with other AV products, not only with the version of Clam 
we're using on VirusTotal (in my humble opinion I think it is basically 
a matter of how signature files are made).

--
Regards,
 Julio Canto
 Hispasec Sistemas
 http://www.hispasec.com
 (+34) 902 161 025
 Parque Tecnologico de Andalucia
 Avda Juan Lopez Peñalver, 21
 Málaga, España


Re: [Clamav-users] disable a particular signature

2004-10-18 Thread Chris Conn

  version 534) I have been matching a ton of false positives on .jpg and
  .tif files for the JPEG.Comment exploits.

 Please don't be an egoist. You should report the false positive file on
 our website:

 http://www.clamav.net/sendvirus.html

 to allow us to fix the problem globally.

Hello,

I did not want to be an egoist, I did not want to waste anyone's time 
with a defective installation.  I was using the RPM for 0.80rc4 and 
since upgraded to signatures version 534 my JPEG exploit matching went nuts.

I don't know if it is because I built a 0.80 rpm and installed it or if 
it is because of signature version 535 being released, however it has 
stopped.

So in any case, I don't know what caused this problem however the same 
files were sent through using 0.80-stable and signatures 535 and all is 
well.

Sincerely,
Chris Conn


Re: [Clamav-users] disable a particular signature

2004-10-18 Thread Christopher X. Candreva

 Chris Conn [EMAIL PROTECTED] wrote:

  version 534) I have been matching a ton of false positives on .jpg and
  .tif files for the JPEG.Comment exploits.
 
 Please don't be an egoist. You should report the false positive file on
 our website:

For what it's worth -- as I was gathering documents to submit, the 535 
update came out and all the JPEGs I had that were triggering false positives 
suddenly worked again.

So if you are still having trouble and your database is still at 534, run 
freshclam and get up to 535.

The virus mailing list doesn't seem to have a post yet about 535, but we 
got it here at 12:04 EDT


==
Chris Candreva  -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/


Re: [Clamav-users] Problems Compiling on Solaris X86 Box

2004-10-18 Thread Tomasz Kojm
On Mon, 18 Oct 2004 11:58:18 -0500 (CDT)
Ken Jones [EMAIL PROTECTED] wrote:

 All,
 
 I have been having problems compiling on a Solaris 8 X86 box since the
 release of 80rc series.
 
 Undefined   first referenced
  symbol in file
 BZ2_bzRead  scanners.lo
 BZ2_bzReadOpen  scanners.lo
 BZ2_bzReadClose scanners.lo
 ld: fatal: Symbol referencing errors. No output written to
 .libs/libclamav.so.1.0.4

As a workaround try to configure it with --disable-bzip2

-- 
   oo. Tomasz Kojm [EMAIL PROTECTED]
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Mon Oct 18 19:38:21 CEST 2004




Re: [Clamav-users] List problem?

2004-10-18 Thread Robin Lynn Frank
On Mon, 2004-10-18 at 10:12, Mike Cathey wrote:
 On Mon, 2004-10-18 at 13:03, Robin Lynn Frank wrote:
  Mail from the weekend arrived just fine, but this morning, I started
  seeing this in my logs:
 
 The primary mail server had a problem with disk space on /var.  It is
 now resolved.
 
 Krisma is the backup server.  Luca controls that host.  It looks like
 he's rejecting mail from you because your host's IP doesn't have a PTR.
 
 Cheers,
 
 Mike

Not quite, our server is rejecting mail from his server because of the
lack of reverse dns.
-- 
Robin Lynn Frank - Director of Operations
Paradigm-Omega, LLC - http://paradigm-omega.com

SpamTrap:  @null-route.merseine.nu

We support boycotting overseas outsourcers.




Re: [Clamav-users] disable a particular signature

2004-10-18 Thread Brian Morrison
On Mon, 18 Oct 2004 13:39:12 -0400 in [EMAIL PROTECTED] Chris
Conn [EMAIL PROTECTED] wrote:

  I don't know if it is because I built a 0.80 rpm and installed it or
  if it is because of signature version 535 being released, however it
  has stopped.

Most likely the former I would expect. There were quite a lot of changes
between rc4 and 0.80 final in this area, the CVS changelogs are worth a
read.

-- 

Brian Morrison

bdm at fenrir dot org dot uk

GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html


Re: [Clamav-users] clam.exe not being detected in mail

2004-10-18 Thread Tomasz Kojm
On Mon, 18 Oct 2004 11:43:23 -0500
Robert Haas [EMAIL PROTECTED] wrote:

 On Sun, 2004-10-17 at 22:49, James Lick wrote:
  (Regarding clam.exe not being detected as an attachment.)
  
  Someone reported this same problem a few days ago to me as a
  possible clamassassin bug.  I was able to verify the problem with an
  attachment created with Mozilla 1.7.3 which was passed as OK by
  ClamAV.  extracting the attachment to a file and scanning the
  clam.exe file and it is detected correctly, so the file didn't get
  corrupted along the line somewhere.  I hadn't looked into it enough
  to report the bug yet, but something is definitely wrong in
  detecting clam.exe as an attachment.
 
 That is the exact issue I am seeing (even to the clamassassin, but
 I've ruled that out as being the problem). I thought perhaps there was
 an issue with how evolution was attaching the file, so I tried
 outlookE, Mozilla, and pine, all with the same results.
 
 A hex dump of the temporary file that clamav created shows that there
 is a difference between it and the original. In addition the file
 sizes are off by one byte, 545 versus the original 544.

Please send the problematic mail file (in encrypted zip, pass: virus) to
[EMAIL PROTECTED] Thanks.

-- 
   oo. Tomasz Kojm [EMAIL PROTECTED]
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Mon Oct 18 19:53:08 CEST 2004




[OT] Re: [Clamav-users] List problem?

2004-10-18 Thread Niek
On 10/18/2004 7:49 PM +0200, Robin Lynn Frank wrote:
 Not quite, our server is rejecting mail from his server because of the
 lack of reverse dns.

You probably know this, but you'll lose many emails and it won't stop spam.

Regards,
Niek
--
___
Read about mime:http://www.geoapps.com/nomime.shtml
Read about quoting: http://www.netmeister.org/news/learn2quote.html
Read about disclaimers: http://www.goldmark.org/jeff/stupid-disclaimers


Re: [Clamav-users] List problem?

2004-10-18 Thread Mike Cathey
On Mon, 2004-10-18 at 13:49, Robin Lynn Frank wrote:
 Not quite, our server is rejecting mail from his server because of the
 lack of reverse dns.

Sorry, misread the log.  The primary is functioning properly again. 
I'll get with Luca to make sure that the DNS issue is resolved.

Cheers,

Mike



Re: [OT] Re: [Clamav-users] List problem?

2004-10-18 Thread Christopher X. Candreva
On Mon, 18 Oct 2004, Niek wrote:

 You probably know this, but you'll lose many emails and it won't stop 
 spam.

No but it cuts it off considerably. It's cut the number of spams my account 
receives here from about 100 a day to about 10.


==
Chris Candreva  -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/


Re: [Clamav-users] List problem?

2004-10-18 Thread Robin Lynn Frank
On Mon, 2004-10-18 at 11:03, Mike Cathey wrote:
 On Mon, 2004-10-18 at 13:49, Robin Lynn Frank wrote:
  Not quite, our server is rejecting mail from his server because of the
  lack of reverse dns.
 
 Sorry, misread the log.  The primary is functioning properly again. 
 I'll get with Luca to make sure that the DNS issue is resolved.
 
 Cheers,
 
 Mike

Yes, I noticed I was getting mail again from the list.  thanks for your
help.
-- 
Robin Lynn Frank - Director of Operations
Paradigm-Omega, LLC - http://paradigm-omega.com

SpamTrap:  @null-route.merseine.nu

We support boycotting overseas outsourcers.




Re: [OT] Re: [Clamav-users] List problem?

2004-10-18 Thread Niek
On 10/18/2004 8:03 PM +0200, Christopher X. Candreva wrote:
 No but it cuts it off considerably. It's cut the number of spams my account 
 receives here from about 100 a day to about 10.

Those figures could be right if spammers send Chinese/Korean zombies
after you.
However, in the 'western' world the ratio PTR yes/no is much higher.
Almost all the USA broadband zombies have rdns.
And still loads of legit mail servers have no rdns.
It's a choice you make. I don't do it, because I can stop spam
with other means. But I can't bring back legit emails from
people/companies that won't/can't/etc. have rdns on their mailserver ip.

Regards,
Niek
--
___
Read about mime:http://www.geoapps.com/nomime.shtml
Read about quoting: http://www.netmeister.org/news/learn2quote.html
Read about disclaimers: http://www.goldmark.org/jeff/stupid-disclaimers


[Clamav-users] RE: freshclam.pid: Permission denied

2004-10-18 Thread Jona Tallieu (T T nv)

On Mon, 18 Oct 2004 at 17:04:52 +0200, Jona Tallieu (T  T  n.v.) wrote:
 * Jona Tallieu (T  T  n.v.) Junk at tnt.be:
  Hi all,
 
  I just upgraded from latest stable 0.75.1 to the final 0.80.
 
  Now, when freshclam starts, I get this in the freshclam logfile:
 
  ERROR: Can't save PID to file /var/clamav/freshclam.pid: Permission denied
 
  The option in freshclam.conf has been disabled (default):
  #PidFile /var/run/freshclam.pid
 
 The default value is being used: /var/run/freshclam.pid !=
 /var/clamav/freshclam.pid !

 I tried activating the save PID file with the value /var/clamav/freshclam.pid
 but I get the same error.

 Now also, after a freshclam update, I get following error

 ERROR: Clamd was NOT notified: Can't connect to clamd through
 /var/clamav/clamd.sock

 So it seems freshclam can not access anything in /var/clamav/.

 The permissions for /var/clamav/ are:

 drw-r--r--   4 lp  lp   136 18 Oct 10:49 clamav

 And inside are:

 -rw-rw  1 root  lp  4 18 Oct 10:39 clamd.pid
 srwxrwxrwx  1 root  lp  0 18 Oct 10:39 clamd.sock


Why is /var/clamav (and files there) owned by lp (i.e. print) user
and group??

I don't know why, I just followed the OSX instructions included
with ClamAV:

sudo mkdir /var/clamav 
sudo chown clamav:clamav /var/clamav 
sudo chmod 0644 /var/clamav 


It seems that chmod 755 /var/clamav solved it, I'll double
check when there's a database update...

Thanks!



J.
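
Why the `chmod 0644` from the instructions fails and `chmod 755` works, as an added example that is not part of the original post: on a directory the execute bit means search, and without it even the owner cannot create `freshclam.pid` or reach `clamd.sock`. The uid/gid numbers and function names are constructed for illustration; root bypasses these checks.

```python
"""Model the POSIX permission check on a daemon's runtime directory."""
import stat


def dir_rights(mode, dir_uid, dir_gid, uid, gids):
    """Return the (read, write, search) bits that apply to a non-root process.

    Exactly one class is used: owner if the uid matches, else group if a gid
    matches, else other. There is no fall-through to a more permissive class.
    """
    if uid == dir_uid:
        shift = 6
    elif dir_gid in gids:
        shift = 3
    else:
        shift = 0
    bits = (stat.S_IMODE(mode) >> shift) & 0o7
    return bool(bits & 4), bool(bits & 2), bool(bits & 1)


def runtime_dir_report(mode, dir_uid, dir_gid, uid, gids):
    """What a process can do with entries inside the directory."""
    r, w, x = dir_rights(mode, dir_uid, dir_gid, uid, gids)
    return {
        "list_names": r,             # readdir(): see the file names
        "reach_entries": x,          # open/stat/connect on anything inside
        "create_pid_file": w and x,  # a new entry needs write AND search
    }


# Constructed ids: 82 stands for the clamav user/group, 25 for a mail user.
CLAMAV, MAILUSER = 82, 25

BROKEN = runtime_dir_report(0o644, CLAMAV, CLAMAV, CLAMAV, {CLAMAV})
FIXED = runtime_dir_report(0o755, CLAMAV, CLAMAV, CLAMAV, {CLAMAV})
FIXED_OTHER = runtime_dir_report(0o755, CLAMAV, CLAMAV, MAILUSER, {MAILUSER})

if __name__ == "__main__":
    for label, report in (("0644 owner", BROKEN), ("0755 owner", FIXED),
                          ("0755 other", FIXED_OTHER)):
        print(label, report)
```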



[Clamav-users] Zip AV Bypass Vulnerability

2004-10-18 Thread Steve Basford
Hi All,
Just came across this:
http://www.securiteam.com/securitynews/6E00G2ABFY.html
Bit hard to say if this would impact ClamAV?
Cheers,
Steve


Re: [Clamav-users] Zip AV Bypass Vulnerability

2004-10-18 Thread clamav
On Mon, 18 Oct 2004, Steve Basford wrote:
 Just came across this:
 http://www.securiteam.com/securitynews/6E00G2ABFY.html
 
 Bit hard to say if this would impact ClamAV?

Does clam skip the decompression if the local/global header contain a zero
filesize?  It sounds like from the article that those of us who use
amavis and other progies which actually unzip the files are ok at least on
the email side of things because "[i]t is possible to modify the
uncompressed size of archived files in both the local and global header
without affecting functionality."

Does anyone have a good way to test this?

-- 
Eric Wheeler
Vice President
National Security Concepts, Inc.
PO Box 3567
Tualatin, OR 97062

http://www.nsci.us/
Voice: (503) 293-7656
Fax:   (503) 885-0770
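
One way to check for the mismatch discussed in this thread, as an added example that is not ClamAV code and not part of the original post: instead of trusting the uncompressed-size field in the local or central ("global") header, inflate each entry under a cap and compare. `audit_zip`, `constructed_sample` and the harmless sample archive are constructed for illustration.

```python
"""Flag ZIP entries whose declared uncompressed size disagrees with the data."""
import io
import struct
import zipfile
import zlib

EOCD = struct.Struct("<4s4H2IH")      # end of central directory record (22 bytes)
CDH = struct.Struct("<4s6H3I5H2I")    # central ("global") file header (46 bytes)
LFH = struct.Struct("<4s5H3I2H")      # local file header (30 bytes)
MAX_INFLATE = 16 * 1024 * 1024        # never inflate more than this per entry


def actual_size(method, data):
    """Bytes the entry really expands to, or None if it cannot be measured."""
    if method == 0:                                   # stored
        return len(data)
    if method != 8:                                   # only deflate handled here
        return None
    try:
        out = zlib.decompressobj(-15).decompress(data, MAX_INFLATE + 1)
    except zlib.error:
        return None
    return len(out) if len(out) <= MAX_INFLATE else None


def audit_zip(blob):
    """Return [(entry name, finding)] for sizes that cannot be trusted."""
    end = blob.rfind(b"PK\x05\x06")
    if end < 0:
        raise ValueError("no end-of-central-directory record")
    eocd = EOCD.unpack_from(blob, end)
    count, cd_off = eocd[4], eocd[6]
    findings, pos = [], cd_off
    for _ in range(count):
        (sig, _, _, _, method, _, _, _, csize, c_usize,
         nlen, elen, clen, _, _, _, l_off) = CDH.unpack_from(blob, pos)
        if sig != b"PK\x01\x02":
            raise ValueError("bad central directory entry")
        name = blob[pos + CDH.size:pos + CDH.size + nlen].decode("cp437")
        pos += CDH.size + nlen + elen + clen

        (lsig, _, lflags, _, _, _, _, _, l_usize,
         lnlen, lelen) = LFH.unpack_from(blob, l_off)
        if lsig != b"PK\x03\x04":
            raise ValueError("bad local header for " + name)
        start = l_off + LFH.size + lnlen + lelen
        real = actual_size(method, blob[start:start + csize])
        if real is None:
            findings.append((name, "size not verifiable; scan the data anyway"))
            continue
        if real != c_usize:
            findings.append((name, "central header declares %d bytes, data "
                                   "expands to %d" % (c_usize, real)))
        # With flag bit 3 set, zero sizes in the local header are legitimate
        # (the real values follow the data in a data descriptor).
        if not lflags & 0x08 and real != l_usize:
            findings.append((name, "local header declares %d bytes, data "
                                   "expands to %d" % (l_usize, real)))
    return findings


def constructed_sample(zero_sizes):
    """Constructed test input holding one harmless text entry. With zero_sizes,
    the uncompressed-size field of both headers is overwritten with 0."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("note.txt", b"harmless sample text\n" * 20)
    blob = bytearray(buf.getvalue())
    if zero_sizes:
        cd_off = EOCD.unpack_from(blob, blob.rfind(b"PK\x05\x06"))[6]
        blob[22:26] = bytes(4)                    # local header field
        blob[cd_off + 24:cd_off + 28] = bytes(4)  # central header field
    return bytes(blob)


if __name__ == "__main__":
    for name, finding in audit_zip(constructed_sample(True)):
        print(name, "-", finding)
```

A scanner that applies this rule treats any finding as a reason to decompress and scan the entry regardless of what the headers claim.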



Re: [Clamav-users] freshclam: Chunked Transfer Coding

2004-10-18 Thread Tomasz Kojm
On Tue, 19 Oct 2004 10:21:36 +0900
shivaken [EMAIL PROTECTED] wrote:

 I had a freshclam update problem with that like below.
 
  # freshclam 
  ClamAV update process started at Tue Oct 19 09:35:19 2004
  main.cvd is up to date (version: 27, sigs: 23982, f-level: 2, builder: tomek)
  Connecting via 127.0.0.1
  Reading CVD header (daily.cvd): OK
  Downloading daily.cvd [*]
  ERROR: Verification: Broken or not a CVD file
  Giving up...
 
 I couldn't find the reason for a long time. With wget, I can get CVD
 files properly. Finally I set printf at freshclam/manager.c to see
 receiving data. Then I found the proxy uses chunked transfer coding to
 send data.  Delegate seems to use chunked transfer coding for HTTP/1.1
 client.

Update to 0.80

-- 
   oo. Tomasz Kojm [EMAIL PROTECTED]
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Tue Oct 19 03:24:50 CEST 2004




Re: [Clamav-users] freshclam: Chunked Transfer Coding

2004-10-18 Thread shivaken
That test is with 0.80.

On Tuesday 19 October 2004 10:25, Tomasz Kojm wrote:
 On Tue, 19 Oct 2004 10:21:36 +0900

 shivaken [EMAIL PROTECTED] wrote:
  I had a freshclam update problem with that like below.
 
   # freshclam
   ClamAV update process started at Tue Oct 19 09:35:19 2004
   main.cvd is up to date (version: 27, sigs: 23982, f-level: 2, builder: tomek)
   Connecting via 127.0.0.1
   Reading CVD header (daily.cvd): OK
   Downloading daily.cvd [*]
   ERROR: Verification: Broken or not a CVD file
   Giving up...
 
  I couldn't find the reason for a long time. With wget, I can get CVD
  files properly. Finally I set printf at freshclam/manager.c to see
  receiving data. Then I found the proxy uses chunked transfer coding to
  send data.  Delegate seems to use chunked transfer coding for HTTP/1.1
  client.

 Update to 0.80

-- 
-- shivaken
antshell: Ant command line front end
http://www.antshell.org

Re: [Clamav-users] Zip AV Bypass Vulnerability

2004-10-18 Thread Tomasz Kojm
On Mon, 18 Oct 2004 13:31:41 -0700 (PDT)
[EMAIL PROTECTED] wrote:

 On Mon, 18 Oct 2004, Steve Basford wrote:
  Just came across this:
  http://www.securiteam.com/securitynews/6E00G2ABFY.html
  
  Bit hard to say if this would impact ClamAV?
 
 Does clam skip the decompression if the local/global header contain a
 zero filesize?  It sounds like from the article that those of us who

Yes, it does. Unfortunately.

-- 
   oo. Tomasz Kojm [EMAIL PROTECTED]
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Tue Oct 19 03:27:33 CEST 2004




Re: [Clamav-users] freshclam: Chunked Transfer Coding

2004-10-18 Thread Tomasz Kojm
On Tue, 19 Oct 2004 10:29:20 +0900
shivaken [EMAIL PROTECTED] wrote:

 That test is with 0.80.

Please don't top-post.

Does it work with HTTPProxyServer disabled?

-- 
   oo. Tomasz Kojm [EMAIL PROTECTED]
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Tue Oct 19 03:32:56 CEST 2004




Re: [Clamav-users] freshclam: Chunked Transfer Coding

2004-10-18 Thread shivaken
On Tuesday 19 October 2004 10:33, Tomasz Kojm wrote:
  That test is with 0.80.

 Please don't top-post.

Sorry.

 Does it work with HTTPProxyServer disabled?

What does "it" mean?

My freshclam.conf:
HTTPProxyServer http://127.0.0.1
HTTPProxyPort 8080
HTTPProxyUsername
HTTPProxyPassword

At my test environment.
Without proxy, freshclam works well.
With Delegate (default setting), freshclam doesn't work.
With Delegate (not to use chunked encoding setting), freshclam works well.
With Delegate (default setting), freshclam (use HTTP/1.0) works well.

-- 
-- shivaken
antshell: Ant command line front end
http://www.antshell.org

[Clamav-users] non detection problem

2004-10-18 Thread Meni Shapiro
Hello List,
I just installed the latest stable clamav 0.80.
My main.db and daily.db are also the latest.
I run clamav on a Debian machine (for test purposes - before installing
it on the main mail server, which runs crux (yet another dist!)).
Anyway, back to the problem...
Installation went well.
When I test it with the jpeg.zip, which I got from this list earlier
today, it did NOT find anything?!?
I tried unzipping (the file contains 2 jpg files) and nothing!
I tried scanning it online on the mentioned site
(http://www.virustotal.com) and most AV software did detect malware.
Clamav did NOT!

Is that a problem??? Or what?
Should I go for another AV (I don't want to - but can I trust ClamAV??)
--
Sincerely,
Meni Shapiro
[EMAIL PROTECTED]


[Clamav-users] Error in latest update to Database

2004-10-18 Thread Graham Dodd
On the latest update to the signatures I saw this in the log file

ClamAV update process started at Mon Oct 18 18:17:01 2004
main.cvd is up to date (version: 27, sigs: 23982, f-level: 2, builder: tomek)
daily.cvd updated (version: 535, sigs: 1272, f-level: 3, builder: trog)
WARNING: Your ClamAV installation is OUTDATED - please update immediately !
WARNING: Current functionality level = 2, required = 3
Database updated (25254 signatures) from database.clamav.net (195.70.36.141).
Clamd successfully notified about the update.

I'm running 0.75.1, so I'm wondering why I have this entry in the log as
0.80 only got released in the last few days

Anyone got any ideas ?

Graham

--

Graham K. Dodd
Director of Operations
Falk  Ross GmbH
Tel: 06301 717 0
 





[Clamav-users] List problem?

2004-10-18 Thread Robin Lynn Frank
Mail from the weekend arrived just fine, but this morning, I started
seeing this in my logs:

Oct 18 09:52:38 omega postfix/smtpd[27078]: NOQUEUE: reject: RCPT from
unknown[194.242.226.43]: 550 Client host rejected: cannot find your
hostname, [194.242.226.43]; from=[EMAIL PROTECTED]
to=[EMAIL PROTECTED] proto=ESMTP helo=krisma.oltrelinux.com

Now, I am starting to see some list mail arrive via the sourceforge.net
server.

What's up?
-- 
Robin Lynn Frank - Director of Operations
Paradigm-Omega, LLC - http://paradigm-omega.com

SpamTrap:  @null-route.merseine.nu

We support boycotting overseas outsourcers.




Re: [Clamav-users] Error in latest update to Database

2004-10-18 Thread Jim Maul
Graham Dodd wrote:
 On the latest update to the signatures I saw this in the log file

 ClamAV update process started at Mon Oct 18 18:17:01 2004
 main.cvd is up to date (version: 27, sigs: 23982, f-level: 2, builder: tomek)
 daily.cvd updated (version: 535, sigs: 1272, f-level: 3, builder: trog)
 WARNING: Your ClamAV installation is OUTDATED - please update immediately !
 WARNING: Current functionality level = 2, required = 3
 Database updated (25254 signatures) from database.clamav.net (195.70.36.141).
 Clamd successfully notified about the update.

 I'm running 0.75.1, so I'm wondering why I have this entry in the log as
 0.80 only got released in the last few days

You're seeing this message for the exact reason it says: your clamav
installation is outdated.  Whether .80 was released a year ago or
yesterday is irrelevant, it's still newer than what you're running now.

-Jim


Re: [Clamav-users] List problem?

2004-10-18 Thread Robin Lynn Frank
On Mon, 2004-10-18 at 10:08, Niek wrote:
 On 10/18/2004 7:03 PM +0200, Robin Lynn Frank wrote:
  Mail from the weekend arrived just fine, but this morning, I started
  seeing this in my logs:
  
  Oct 18 09:52:38 omega postfix/smtpd[27078]: NOQUEUE: reject: RCPT from
  unknown[194.242.226.43]: 550 Client host rejected: cannot find your
  hostname, [194.242.226.43]; from=[EMAIL PROTECTED]
  to=[EMAIL PROTECTED] proto=ESMTP helo=krisma.oltrelinux.com
  
  Now, I am starting to see some list mail arrive via the sourceforge.net
  server.
  
  What's up?
 
 Hi,
 
 clamav list moved a month ago.
 new posting-to address is: [EMAIL PROTECTED]
 
 Regards,
 Niek

I am aware of that, but the problem with their server's dns did not
appear until this morning.  Yesterday, they were using a different
server.

Now, the report from dnsreport.com notes:

ERROR: The IP of one or more of your mail server(s) have no reverse DNS
(PTR) entries (if you see Timeout below, it may mean that your DNS
servers did not respond fast enough). RFC1912 2.1 says you should have a
reverse DNS for all your mail servers. It is strongly urged that you
have them, as many mailservers will not accept mail from mailservers
with no reverse DNS entry. You can double-check using the 'Reverse DNS
Lookup' tool at the DNSstuff site. The problem MX records are:
45.30.103.83.in-addr.arpa [No reverse DNS entry (rcode: 3 ancount: 0)]
43.226.242.194.in-addr.arpa [No reverse DNS entry (rcode: 3 ancount: 0)]

and

WARNING: One or more of your mailservers may be claiming to be a host
other than what it really is (the SMTP greeting should be a 3-digit
code, followed by a space or a dash, then the host name). This probably
won't cause any harm, but may be a technical violation of RFC821 4.3
(and RFC2821 4.3.1).
mail2.oltrelinux.com claims to be host karma.oltrelinux.com.
mail.oltrelinux.com claims to be host krisma.oltrelinux.com.
-- 
Robin Lynn Frank - Director of Operations
Paradigm-Omega, LLC - http://paradigm-omega.com

SpamTrap:  @null-route.merseine.nu

We support boycotting overseas outsourcers.




[Clamav-users] freshclam: Chunked Transfer Coding

2004-10-18 Thread shivaken
I had a freshclam update problem with that like below.

 # freshclam 
 ClamAV update process started at Tue Oct 19 09:35:19 2004
 main.cvd is up to date (version: 27, sigs: 23982, f-level: 2, builder: tomek)
 Connecting via 127.0.0.1
 Reading CVD header (daily.cvd): OK
 Downloading daily.cvd [*]
 ERROR: Verification: Broken or not a CVD file
 Giving up...

I couldn't find the reason for a long time. With wget, I can get CVD files
properly. Finally I set printf at freshclam/manager.c to see receiving
data. Then I found the proxy uses chunked transfer coding to send data.
Delegate seems to use chunked transfer coding for HTTP/1.1 client.

I changed the delegate setting not to use chunked transfer coding. Then I
succeeded in running freshclam.

According to RFC 2616,
   All HTTP/1.1 applications that receive entities MUST accept the
   chunked transfer-coding (section 3.6), thus allowing this mechanism
   to be used for messages when the message length cannot be determined
   in advance.

So, please change freshclam to send http request as HTTP/1.0 or implement
accepting chunked transfer-coding.

-- 
-- shivaken
antshell: Ant command line front end
http://www.antshell.org
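
The failure reported above, as an added example that is not freshclam's code and not part of the original post: a client that saves a chunked HTTP/1.1 body as raw bytes writes the chunk-size lines into the file, so the download no longer starts with the expected header. The decoder follows RFC 2616 section 3.6.1; the response bytes and payload are constructed.

```python
"""Decode an HTTP/1.1 chunked body (RFC 2616, section 3.6.1)."""

HEX_DIGITS = b"0123456789abcdefABCDEF"


class ChunkedError(ValueError):
    """Raised when the body does not follow the chunked framing."""


def split_response(raw):
    """Split a raw HTTP response into (lower-cased headers dict, body bytes)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ChunkedError("no end of headers")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = \
            value.strip().decode("latin-1")
    return headers, body


def decode_chunked(body, max_size=64 * 1024 * 1024):
    """Return the entity carried by a chunked body.

    Each chunk is "<hex size>[;extensions]CRLF<data>CRLF"; a zero-size chunk
    ends the body. Trailer headers after the last chunk are ignored.
    """
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ChunkedError("truncated chunk-size line")
        size_field = body[pos:eol].split(b";", 1)[0].strip()
        if not size_field or any(c not in HEX_DIGITS for c in size_field):
            raise ChunkedError("bad chunk size %r" % size_field)
        size = int(size_field, 16)
        pos = eol + 2
        if size == 0:
            return bytes(out)
        if len(out) + size > max_size:
            raise ChunkedError("entity larger than max_size")
        chunk = body[pos:pos + size]
        if len(chunk) != size or body[pos + size:pos + size + 2] != b"\r\n":
            raise ChunkedError("truncated or unterminated chunk")
        out += chunk
        pos += size + 2


def entity_from_response(raw):
    """Body as the application should see it, whatever the transfer coding."""
    headers, body = split_response(raw)
    if "chunked" in headers.get("transfer-encoding", "").lower():
        return decode_chunked(body)
    return body


# Constructed sample: a proxy reply carrying a 29-byte payload in two chunks.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
    b"b\r\nClamAV-VDB:\r\n"
    b"12;ext=1\r\nconstructed-sample\r\n"
    b"0\r\n\r\n"
)

if __name__ == "__main__":
    print("raw body starts with:", split_response(SAMPLE_RESPONSE)[1][:14])
    print("decoded entity:      ", entity_from_response(SAMPLE_RESPONSE))
```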




Re: [Clamav-users] Problems Compiling on Solaris X86 Box

2004-10-18 Thread James Lick
Ken Jones wrote:
 All,

 I have been having problems compiling on a Solaris 8 X86 box since the
 release of 80rc series.

 Undefined                       first referenced
  symbol                             in file
 BZ2_bzRead                          scanners.lo
 BZ2_bzReadOpen                      scanners.lo
 BZ2_bzReadClose                     scanners.lo
 ld: fatal: Symbol referencing errors. No output written to
 .libs/libclamav.so.1.0.4
 

ClamAV 0.80 (and the rc versions) compiles fine for me on Solaris 10 B63 
x86, so it is not a general Solaris x86 problem.

--
James Lick --  -- [EMAIL PROTECTED] -- http://jameslick.com/


Re: [Clamav-users] Problems Compiling on Solaris X86 Box

2004-10-18 Thread Bill Maidment
James Lick wrote:
 Ken Jones wrote:
  All,

  I have been having problems compiling on a Solaris 8 X86 box since the
  release of 80rc series.

  Undefined                       first referenced
   symbol                             in file
  BZ2_bzRead                          scanners.lo
  BZ2_bzReadOpen                      scanners.lo
  BZ2_bzReadClose                     scanners.lo
  ld: fatal: Symbol referencing errors. No output written to
  .libs/libclamav.so.1.0.4

 ClamAV 0.80 (and the rc versions) compiles fine for me on Solaris 10 B63
 x86, so it is not a general Solaris x86 problem.

I'm not sure if this is related, but on a RedHat box I had problems 
compiling .80 until I installed the bzip2-devel rpm.

--
 _/_/_/_/  _/  _/
_/_/  _/  _/  _/
   _/_/_/_/  _/
  _/_/  _/  _/  _/
 _/_/_/_/  _/  _/  _/
Bill Maidment
Maidment Enterprises Pty Ltd
Unless you are named Alfred E. Newman, you may read only the odd 
numbered words (every other word beginning with the first) of the 
message above. If you have violated that, then you hereby owe the sender 
AU$10 for each even numbered word you have read.
Adapted from Stupid Email Disclaimers (see 
http://www.goldmark.org/jeff/stupid-disclaimers/)


[Clamav-users] Outdated Version Question

2004-10-18 Thread Gary Brown
Hi all

Upgraded straight away when I saw the new message

However, below is what is happening now..

ClamAV update process started at Tue Oct 19 12:19:01 2004
WARNING: Your ClamAV installation is OUTDATED - please update immediately !
WARNING: Local version: 0.80rc4, Recommended version: 0.80
main.cvd is up to date (version: 27, sigs: 23982, f-level: 2, builder: tomek)
daily.cvd is up to date (version: 535, sigs: 1272, f-level: 3, builder: trog)
WARNING: Your ClamAV installation is OUTDATED - please update immediately !
WARNING: Current functionality level = 2, required = 3

Question is 0.80rc4 different to 0.80??

Cheers

Gary


Re: [Clamav-users] Outdated Version Question

2004-10-18 Thread Fajar A. Nugraha
Gary Brown wrote:
 Question is 0.80rc4 different to 0.80??

Oh YES! There were some significant changes. Read ChangeLog for details.
If you don't care, you can still use the rc4 as it's only a warning.

Regards,
Fajar


[Clamav-users] Freshclam DNS Warnings

2004-10-18 Thread Bill Maidment
One of my servers is giving these warnings. What causes this and is it 
anything to worry about?

freshclam daemon 0.80 (OS: linux-gnu, ARCH: i386, CPU: i686)
ClamAV update process started at Tue Oct 19 14:39:06 2004
WARNING: DNS record is older than 3 hours.
WARNING: Invalid DNS reply.
main.cvd is up to date (version: 27, sigs: 23982, f-level: 2, builder: tomek)
WARNING: DNS record is older than 3 hours.
WARNING: Invalid DNS reply.
daily.cvd is up to date (version: 535, sigs: 1272, f-level: 3, builder: trog)

--
 _/_/_/_/  _/  _/
_/_/  _/  _/  _/
   _/_/_/_/  _/
  _/_/  _/  _/  _/
 _/_/_/_/  _/  _/  _/
Bill Maidment
Maidment Enterprises Pty Ltd
Unless you are named Alfred E. Newman, you may read only the odd 
numbered words (every other word beginning with the first) of the 
message above. If you have violated that, then you hereby owe the sender 
AU$10 for each even numbered word you have read.
Adapted from Stupid Email Disclaimers (see 
http://www.goldmark.org/jeff/stupid-disclaimers/)


[Clamav-users] [Updated] Clamav 0.80 -stable has been released for OpenBSD

2004-10-18 Thread LOYET Jérôme
Hello to all, 

I've made the port of Clamav 0.80 for OpenBSD. 
You can find it at http://www.fatbsd.com/openbsd/clamav/

Any comments are welcome, ++ Jerome

Here is the official changelog:

-) libclamav
+ Portable Executable analyser (CL_SCAN_PE) featuring:
o UPX decompression (all versions)
o Petite decompression (2.x)
o FSG decompression (1.3, 1.31, 1.33)
o detection of broken executables (CL_SCAN_BLOCKBROKEN)
+ new, memory efficient, pattern matching algorithm (multipattern variant
  of Boyer-Moore) - it's now primary matcher and Aho-Corasick is only used
  for regular expression extended signatures
+ new signature format with advanced target type and offset specification
+ support for MD5 based signatures
+ extended regular expression scanner
+ added support for MS cabinet files
+ added support for CHM files
+ added support for POSIX tar archives
+ scanning inside PowerPoint documents
+ HTML normaliser with support for decoding of MS Script Encoder code
+ great improvements in e-mail scanner (now handles even more worm tricks)
+ new method of mail files detection
+ all e-mail attachments are now scanned (previously only the first ten
  attachments were scanned)
+ added support for scanning URLs in e-mails (CL_SCAN_MAILURL)
+ detection of Worm.Mydoom.M.log
+ updated API (still backward compatible but please consult Section 6 of
  clamdoc.pdf and adapt your software)
+ faster base64 decoding
+ support for GNU tar files
+ updated on-access scanner

-) clamd
+ new directive ScanHTML (enables HTML normalisator and ScrEnc decoder)
+ new directive ScanPE (win32 executable analyser and decompressor)
+ new directive DetectBrokenExecutables (try to detect broken executables
  and mark them as Broken.Executable)
+ new directive MailFollowURLs (try to download and scan files from URLs
  in mails. BE CAREFUL! DO NOT ENABLE IT ON LOADED MAIL SERVERS)
+ new directive ArchiveBlockMax (archives that exceed limits will be
  marked as viruses)
+ clamav.conf was renamed to clamd.conf

-) clamscan
+ mail files are scanned by default, use --no-mail to disable it
+ new option --no-html (disables HTML normalisator)
+ new option --no-pe (disables PE analyser)
+ new option --detect-broken
+ new option --block-max
+ new option --mail-follow-urls (download and scan files from URLs in mails)

-) clamdscan
+ now prints warnings if some activated command line options are only
  supported by clamscan
+ added support for archive scanning in stdin mode

-) clamav-milter
+ improved template file format
+ quarantined file names now contain virus names
+ initial support for SESSION mode of clamd

-) freshclam:
+ new directive DNSDatabaseInfo that enables ultra lightweight version
  verification method through DNS (using TXT records). Based on idea by
  Christopher X. Candreva and enabled by default.
  (see http://www.gossamer-threads.com/lists/clamav/users/11102)
+ new option --no-dns (quick option to disable DNS method without editing
  freshclam.conf)

-) sigtool
+ removed ability of automatic signature generation (use MD5 sums to
  create your own signatures, see signatures.pdf for details)
+ new option --md5
+ new option --html-normalise (saves HTML normalisation and decryption
  results in three html files in current directory)

-) configure:
+ new option --disable-gethostbyname_r (try enabling it if clamav-milter
  compilation fails)
+ new option --disable-dns (try enabling it if freshclam compilation fails)
+ extended regular expression scanner

-) documentation
+ included new Mac OS X installation instructions
+ official documentation rewritten and outdated docs removed


We encourage our users to take advantage of our new mirror structure. In
order to download the database from the closest mirror you should configure
freshclam to use db.XY.clamav.net where XY is your country code (see
http://www.iana.org/cctld/cctld-whois.htm for the full list). Please add the
following lines to freshclam.conf:

DNSDatabaseInfo current.cvd.clamav.net
DatabaseMirror db.XY.clamav.net
DatabaseMirror database.clamav.net

DNSDatabaseInfo enables database and software version verification through
DNS TXT records, and the second database mirror acts as a fallback in case a
connection to the first mirror fails for some reason.


+---+
|   |
| LOYET Jérôme  |
| 4° année Télécom INSA-LYON|
| Responsable informatique EGA  |
| Responsable informatique ALMO |
|   |
| 23 Rue marcel dutartre|
| 69100 VILLEURBANNE|
| 08 71 73 42 00|
| 06 89 48 49 01|
| [EMAIL PROTECTED]  |
|   |