[Clamav-users] False positive with Oversized.zip
Since I upgraded to 0.80 I am seeing many false positives for the Oversized.zip virus. I have posted samples at the ClamAV website, but in the meantime is there a way of removing the signatures for this virus from my copy of the database?

FAS
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] False positive with Oversized.zip
If only I'd waited a bit longer... I now find the answer to my own question in the FAQ (should have looked first... a case of engaging the maillist before the brain... sorry). I post the correct answer here in case anyone else is as stupid as me!!

# I get many false positives of Oversized.zip
Whenever a file exceeds ArchiveMaxCompressionRatio (see clamd.conf man page), it's considered a logic bomb and marked as Oversized.zip. Try increasing your ArchiveMaxCompressionRatio setting.

Francis Stevens wrote:
> Since I upgraded to 0.80 I am seeing many false positives for the Oversized.zip virus. I have posted samples at the ClamAV website, but in the meantime is there a way of removing the signatures for this virus from my copy of the database?
>
> FAS
Re: [Clamav-users] False positive with Oversized.zip
I don't feel so stupid now... I've set ArchiveMaxCompressionRatio to 0 to disable the limit and I still get the Oversized.zip FOUND message with clamscan and clamdscan. With clamscan I can use --max-ratio=0 and everything is OK, but I'm actually using amavisd-new so this isn't an option. Anyone know why ArchiveMaxCompressionRatio doesn't work and what I can do about it?

FAS

Francis Stevens wrote:
> If only I'd waited a bit longer... I now find the answer to my own question in the FAQ (should have looked first... a case of engaging the maillist before the brain... sorry). I post the correct answer here in case anyone else is as stupid as me!!
>
> # I get many false positives of Oversized.zip
> Whenever a file exceeds ArchiveMaxCompressionRatio (see clamd.conf man page), it's considered a logic bomb and marked as Oversized.zip. Try increasing your ArchiveMaxCompressionRatio setting.
>
> Francis Stevens wrote:
> > Since I upgraded to 0.80 I am seeing many false positives for the Oversized.zip virus. I have posted samples at the ClamAV website, but in the meantime is there a way of removing the signatures for this virus from my copy of the database?
> >
> > FAS
Re: [Clamav-users] False positive with Oversized.zip
So I'm slightly stupid... I now know that clamscan doesn't seem to read the options in /etc/clamd.conf but clamdscan does (or rather clamd does), but of course you have to restart clamd after changing a value. Obviously must try harder, as they used to say at school.

FAS

Francis Stevens wrote:
> I don't feel so stupid now... I've set ArchiveMaxCompressionRatio to 0 to disable the limit and I still get the Oversized.zip FOUND message with clamscan and clamdscan. With clamscan I can use --max-ratio=0 and everything is OK, but I'm actually using amavisd-new so this isn't an option. Anyone know why ArchiveMaxCompressionRatio doesn't work and what I can do about it?
>
> FAS
>
> Francis Stevens wrote:
> > If only I'd waited a bit longer... I now find the answer to my own question in the FAQ (should have looked first... a case of engaging the maillist before the brain... sorry). I post the correct answer here in case anyone else is as stupid as me!!
> >
> > # I get many false positives of Oversized.zip
> > Whenever a file exceeds ArchiveMaxCompressionRatio (see clamd.conf man page), it's considered a logic bomb and marked as Oversized.zip. Try increasing your ArchiveMaxCompressionRatio setting.
> >
> > Francis Stevens wrote:
> > > Since I upgraded to 0.80 I am seeing many false positives for the Oversized.zip virus. I have posted samples at the ClamAV website, but in the meantime is there a way of removing the signatures for this virus from my copy of the database?
> > >
> > > FAS
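The kind of check the FAQ entry in this thread describes, as an added example (not ClamAV's code and not part of the original posts): each archive member's uncompressed-to-compressed size ratio is compared with a limit, and a limit of 0 switches the check off, which is how `ArchiveMaxCompressionRatio 0` and `--max-ratio=0` are used above. The limit of 250, the function names and the sample archive are assumptions constructed for the illustration.

```python
import io
import os
import zipfile

# Assumed limit for this illustration only; use the value from your own clamd.conf.
MAX_RATIO = 250


def build_sample_archive():
    """Constructed sample: one harmless but very repetitive file, one random blob."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Legitimate data that happens to be extremely repetitive (a padded
        # export, a log of identical lines): deflate shrinks it about 1000:1.
        zf.writestr("export/padded.log", b"0" * 5_000_000)
        # Random bytes barely compress at all, so the ratio stays near 1.
        zf.writestr("export/photo.bin", os.urandom(50_000))
    return buf.getvalue()


def member_ratios(archive):
    """Map member name -> uncompressed/compressed size.

    The sizes are the values declared in the zip headers, so this is a
    pre-extraction check; nothing is decompressed here.
    """
    ratios = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.compress_size == 0:
                continue
            ratios[info.filename] = info.file_size / info.compress_size
    return ratios


def oversized_members(archive, max_ratio):
    """Members a ratio check would report; max_ratio == 0 disables the check."""
    if max_ratio == 0:
        return []
    return [name for name, ratio in member_ratios(archive).items()
            if ratio > max_ratio]


if __name__ == "__main__":
    sample = build_sample_archive()
    for name, ratio in member_ratios(sample).items():
        print(f"{name}: {ratio:.0f}:1")
    for limit in (MAX_RATIO, 2000, 0):
        print(f"limit {limit}: flagged {oversized_members(sample, limit)}")
```

Raising the limit clears the false positive on the padded log while still bounding expansion; setting it to 0 removes the bound altogether.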
Re: [Clamav-users] Odd error
On Mon, 25 Oct 2004 at 0:56:57 -0400, Forrest Aldrich wrote:
> I have ClamAV 0.80 (via FreeBSD ports) installed. I just sent someone a file.tar.gz that had some patches included (along with *.orig files). I saw this in the logs:
>
> Oct 25 00:51:26 forrie MailScanner[4303]: ProcessClamAVOutput: unrecognised line webuserprefs-0.5/ChangeLog. Please contact the authors!
> [...]
> And so I figured I'd send this here to see what the problem might be.

As it was MailScanner that printed it, you should contact the MailScanner's authors, not ClamAV's ones, I think.

--
Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only
[EMAIL PROTECTED] http://www.lodz.tpsa.pl/iso/ | ones and zeros.
[EMAIL PROTECTED] http://www.ClamAV.net/ A GPL virus scanner
[Clamav-users] WARNING: DNS record is older than 3 hours.
Hi there. I just started receiving these messages from freshclam.

freshclam daemon 0.80 (OS: linux-gnu, ARCH: i386, CPU: i386)
ClamAV update process started at Mon Oct 25 13:39:46 2004
WARNING: DNS record is older than 3 hours.
WARNING: Invalid DNS reply.
main.cvd is up to date (version: 27, sigs: 23982, f-level: 2, builder: tomek)
WARNING: DNS record is older than 3 hours.
WARNING: Invalid DNS reply.
daily.cvd is up to date (version: 549, sigs: 1583, f-level: 3, builder: ccordes)

What gives?

--
Tarjei
Re: [Clamav-users] WARNING: DNS record is older than 3 hours.
Tarjei Knapstad wrote:
> Hi there. I just started receiving these messages from freshclam.
>
> freshclam daemon 0.80 (OS: linux-gnu, ARCH: i386, CPU: i386)
> ClamAV update process started at Mon Oct 25 13:39:46 2004
> WARNING: DNS record is older than 3 hours.
> WARNING: Invalid DNS reply.
> main.cvd is up to date (version: 27, sigs: 23982, f-level: 2, builder: tomek)
> WARNING: DNS record is older than 3 hours.
> WARNING: Invalid DNS reply.
> daily.cvd is up to date (version: 549, sigs: 1583, f-level: 3, builder: ccordes)
>
> What gives?

Search the archive.

Matt
Re: [Clamav-users] Old ClamAV workaround
On Oct 24, 2004, at 3:29 PM, Mark Adams wrote:
> Matt wrote:
> > What's the worst that can happen? It fails to compile, and you still need to find a packaged version. You'll be no worse off than you are now.
>
> The worst that can happen? I descend once again into dependency hell and spend hours losing my mind over this. I totally alienate my sense of well being and take up arms on a shooting spree that threatens everyone in a 400 mile circle leaving my children without any parents.
>
> Fortunately, that didn't happen. I snagged a copy of source and it compiled smoothly. It seems to be working just fine for now.

Stupid question (I've got TONS of them :-) ... When you only install programs from source, how do you know when upgrading them that there aren't remnants of binaries or libraries scattered around the OS?

I grew up having to use Windows, so please forgive the question; I had one too many instances of uninstallers getting rid of the program then having old DLL's and older registry entries left behind (and before that, old .ini files). So when using source compiles, I have this ingrained flinch towards the idea of just running a compile and installing the results then trying to do an upgrade if there's no version control, etc. built into it (which I suppose is why RPM and apt-get and all the other packagers are so popular...supposedly they help prevent conflicts from upgrades)

-Bart
Re: [Clamav-users] Old ClamAV workaround
On Mon, 2004-10-25 at 08:00 -0400, Bart Silverstrim wrote:
> On Oct 24, 2004, at 3:29 PM, Mark Adams wrote:
> When you only install programs from source, how do you know when upgrading them that there aren't remnants of binaries or libraries scattered around the OS?

Well designed programs have a make uninstall option. So, you would go back to the original source, run make uninstall, then make install on the new source.

> So when using source compiles, I have this ingrained flinch towards the idea of just running a compile and installing the results then trying to do an upgrade if there's no version control, etc. built into it (which I suppose is why RPM and apt-get and all the other packagers are so popular...supposedly they help prevent conflicts from upgrades)

Right, which is why I've taken to building SRPMs for every package I install if there is no pre-built one. It's not terribly difficult, just time consuming. For Mandrake users, you can usually snag the SRPM for a recent version from cooker or plf and update the source for a new version in just a couple of minutes. For clam 0.80 there were extensive changes to the config files, so it took me a good week to get all of the config patches the way I wanted them.
Re: [Clamav-users] WARNING: DNS record is older than 3 hours.
On Mon, 2004-10-25 at 13:49, Matt wrote:
> Tarjei Knapstad wrote:
> Search the archive.

Argh, I did... :-S Can't believe I missed it - sorry.

--
T
Re: [Clamav-users] Old ClamAV workaround
Daniel J McDonald wrote:
> On Mon, 2004-10-25 at 08:00 -0400, Bart Silverstrim wrote:
> Well designed programs have a make uninstall option. So, you would go back to the original source, run make uninstall, then make install on the new source.

except 'make uninstall' seems to be deprecated on perl modules like MIME-tools, and doesn't actually work.

--
Bill Maidment
Maidment Enterprises Pty Ltd
Re: [Clamav-users] Old ClamAV workaround
Bart Silverstrim wrote:
> On Oct 24, 2004, at 3:29 PM, Mark Adams wrote:
> > Matt wrote:
> > > What's the worst that can happen? It fails to compile, and you still need to find a packaged version. You'll be no worse off than you are now.
> >
> > The worst that can happen? I descend once again into dependency hell and spend hours losing my mind over this. I totally alienate my sense of well being and take up arms on a shooting spree that threatens everyone in a 400 mile circle leaving my children without any parents.
> >
> > Fortunately, that didn't happen. I snagged a copy of source and it compiled smoothly. It seems to be working just fine for now.
>
> Stupid question (I've got TONS of them :-) ... When you only install programs from source, how do you know when upgrading them that there aren't remnants of binaries or libraries scattered around the OS?

My process for installing a new version:

Preserve the previous build for fall-back purposes

1. dl the source for the version of interest
2. read the dox for build changes
3. run a configure/make script (for repeatability - has my chosen options in it)
4. examine the new conf files for interesting entries
5. make backup copies of conf files from previous version
6. stop clamav procs
7. rm -f /usr/local/lib/*clam* (to remove old libraries)
8. make install
9. check again conf files - adjust as needed for new version
10. restart clamav processes

If you run make -n install you will be shown what make would do in an install and where things will be put. This will tell you what you need to remove.

dp
[Clamav-users] broken executable
Hello all. I've been using clamav with amavisd-new with success. The only problem so far is a file which gives me "Possibly broken PE file" when I run 'clamscan --verbose --debug file', but the file is not marked as Broken.Executable as I thought it would be.

In my clamd.conf I have:

ScanPE
DetectBrokenExecutables

Its version: ClamAV 0.80/549/Sun Oct 24 21:37:38 2004

It was installed via ports in a freebsd box. Is there anything I'm missing?

--
Ricardo Campos Passanezi
Re: [Clamav-users] broken executable
On Mon, 25 Oct 2004 10:58:02 -0300 Ricardo Campos Passanezi [EMAIL PROTECTED] wrote:
> Is there anything i'm missing?

--detect-broken

--
Tomasz Kojm [EMAIL PROTECTED]
http://www.ClamAV.net/gpg/tkojm.gpg
0DCA5A08407D5288279DB43454822DC8985A444B
Mon Oct 25 16:00:39 CEST 2004
Re: [Clamav-users] Old ClamAV workaround
Bart Silverstrim wrote:
> On Oct 24, 2004, at 3:29 PM, Mark Adams wrote:
> > Matt wrote:
> > > What's the worst that can happen? It fails to compile, and you still need to find a packaged version. You'll be no worse off than you are now.
> >
> > The worst that can happen? I descend once again into dependency hell and spend hours losing my mind over this. I totally alienate my sense of well being and take up arms on a shooting spree that threatens everyone in a 400 mile circle leaving my children without any parents.
> >
> > Fortunately, that didn't happen. I snagged a copy of source and it compiled smoothly. It seems to be working just fine for now.
>
> Stupid question (I've got TONS of them :-) ... When you only install programs from source, how do you know when upgrading them that there aren't remnants of binaries or libraries scattered around the OS?
>
> I grew up having to use Windows, so please forgive the question; I had one too many instances of uninstallers getting rid of the program then having old DLL's and older registry entries left behind (and before that, old .ini files). So when using source compiles, I have this ingrained flinch towards the idea of just running a compile and installing the results then trying to do an upgrade if there's no version control, etc. built into it (which I suppose is why RPM and apt-get and all the other packagers are so popular...supposedly they help prevent conflicts from upgrades)
>
> -Bart

checkinstall is what you need.
[Clamav-users] Re: rld: Error:
Boguslaw Brandys wrote:
> Tomasz Kojm wrote:
> > On Thu, 21 Oct 2004 14:28:58 -0500 Dale Bohl [EMAIL PROTECTED] wrote:
> > > /home/cheetah/dbohl/proj/hsm/terabyte: OK
> > > /home/cheetah/dbohl/proj/hsm/archiving: OK
> > > /home/cheetah/dbohl/proj/uit/home_links_reasons: OK
> > > LibClamAV Error: Can't create temporary file : No such file or directory
> > > Memory fault(coredump)
> >
> > This problem on IRIX was already reported. We can't help you because we don't have access to this OS. But looking at your e-mail address I'm sure you have some colleagues that can fix it!
>
> I don't have IRIX but it sounds like You should try to check in Your stdio.h (?) value of TMP_MAX. Searching net I found something about max 17576 files generated by tmpname and I think it is also related to tmpfile() under IRIX 6.5 which is used in clamav library.
>
> Look here: http://www.opengroup.org/csq/view.mhtml?norationale=1noreferences=1RID=sgi%2FSE1%2F1
>
> P.S. I had similar problems under Windows.
>
> Regards
> Boguslaw Brandys

I raised the value and rebuilt but the same happens.
Re: [Clamav-users] Re: rld: Error:
Dale Bohl wrote:
> Boguslaw Brandys wrote:
> > Tomasz Kojm wrote:
> > > On Thu, 21 Oct 2004 14:28:58 -0500 Dale Bohl [EMAIL PROTECTED] wrote:
> > > > /home/cheetah/dbohl/proj/hsm/terabyte: OK
> > > > /home/cheetah/dbohl/proj/hsm/archiving: OK
> > > > /home/cheetah/dbohl/proj/uit/home_links_reasons: OK
> > > > LibClamAV Error: Can't create temporary file : No such file or directory
> > > > Memory fault(coredump)
> > >
> > > This problem on IRIX was already reported. We can't help you because we don't have access to this OS. But looking at your e-mail address I'm sure you have some colleagues that can fix it!
> >
> > I don't have IRIX but it sounds like You should try to check in Your stdio.h (?) value of TMP_MAX. Searching net I found something about max 17576 files generated by tmpname and I think it is also related to tmpfile() under IRIX 6.5 which is used in clamav library.
> >
> > Look here: http://www.opengroup.org/csq/view.mhtml?norationale=1noreferences=1RID=sgi%2FSE1%2F1
> >
> > P.S. I had similar problems under Windows.
> >
> > Regards
> > Boguslaw Brandys
>
> I raised the value and rebuilt but the same happens.

Well, if this is TMP_MAX related, Your changes have no effect because the problem lies in the compiler run-time. The only way is to check if compiler runtime patches exist or replace tmpfile with another function (probably self-made).

Regards
Boguslaw Brandys
[Clamav-users] LibClamAV 0.80 upgrade error
Hi, I had recently upgrade from 0.75.1 to 0.80. The upgrade was sucessfull. But i keep getting the below errors. I am running on RedHat 9. Has anyone come across this? /etc/cron.daily/clamscan: '/' will now be scanned for viruses with ClamAV clamscan version Virus Signature Daily Database version (built at ) LibClamAV Warning: Unknown encoding type 8-bit - report to [EMAIL PROTECTED] LibClamAV Warning: Unknown encoding type 8-bit - report to [EMAIL PROTECTED] LibClamAV Warning: Unknown encoding type 8-bit - report to [EMAIL PROTECTED] LibClamAV Warning: Unknown encoding type 8-bit - report to [EMAIL PROTECTED] LibClamAV Warning: Unknown encoding type 8-bit - report to [EMAIL PROTECTED] LibClamAV Warning: Unknown encoding type 8-bit - report to [EMAIL PROTECTED] LibClamAV Warning: Unknown encoding type 8-bit - report to [EMAIL PROTECTED] LibClamAV Warning: Unknown encoding type 8-bit - report to [EMAIL PROTECTED] LibClamAV Warning: Unknown encoding type 8-bit - report to [EMAIL PROTECTED] LibClamAV Warning: Unknown encoding type 8-bit - report to [EMAIL PROTECTED] LibClamAV Warning: Unknown encoding type 8-bit - report to [EMAIL PROTECTED] LibClamAV Warning: Unknown encoding type 8-bit - report to [EMAIL PROTECTED] LibClamAV Warning: Unknown encoding type 8-bit - report to [EMAIL PROTECTED] LibClamAV Warning: Unknown encoding type 8-bit - report to [EMAIL PROTECTED] LibClamAV Warning: Unknown encoding type 8-bit - report to [EMAIL PROTECTED] LibClamAV Warning: Unknown encoding type 8-bit - report to [EMAIL PROTECTED] LibClamAV Warning: Unknown encoding type 8-bit - report to [EMAIL PROTECTED] LibClamAV Warning: Unknown encoding type 8-bit - report to [EMAIL PROTECTED] LibClamAV Warning: Unknown encoding type 8-bit - report to [EMAIL PROTECTED] LibClamAV Warning: Unknown encoding type 8-bit - report to [EMAIL PROTECTED] LibClamAV Warning: Unknown encoding type 8-bit - report to [EMAIL PROTECTED] LibClamAV Warning: Unknown encoding type 8-bit - report to [EMAIL 
PROTECTED] LibClamAV Warning: Unknown encoding type 8-bit - report to [EMAIL PROTECTED] LibClamAV Warning: Unknown encoding type 8-bit - report to [EMAIL PROTECTED] LibClamAV Warning: Unknown encoding type 8-bit - report to [EMAIL PROTECTED] LibClamAV Warning: Unknown encoding type 8-bit - report to [EMAIL PROTECTED] LibClamAV Warning: Unknown encoding type 8-bit - report to [EMAIL PROTECTED] LibClamAV Warning: Unknown encoding type 8-bit - report to [EMAIL PROTECTED] LibClamAV Warning: Unknown encoding type 8-bit - report to [EMAIL PROTECTED] LibClamAV Warning: Unknown encoding type 8-bit - report to [EMAIL PROTECTED] LibClamAV Warning: Unknown encoding type 8-bit - report to [EMAIL PROTECTED] LibClamAV Warning: Unknown encoding type 8-bit - report to [EMAIL PROTECTED] LibClamAV Warning: Partial message received from MUA/MTA - message cannot be scanned LibClamAV Warning: Descriptor[10]: Bad format or broken data LibClamAV Warning: Partial message received from MUA/MTA - message cannot be scanned LibClamAV Warning: Descriptor[10]: Bad format or broken data LibClamAV Warning: Partial message received from MUA/MTA - message cannot be scanned LibClamAV Warning: Descriptor[10]: Bad format or broken data LibClamAV Warning: Partial message received from MUA/MTA - message cannot be scanned LibClamAV Warning: Descriptor[10]: Bad format or broken data LibClamAV Warning: Partial message received from MUA/MTA - message cannot be scanned LibClamAV Warning: Descriptor[10]: Bad format or broken data LibClamAV Warning: Partial message received from MUA/MTA - message cannot be scanned LibClamAV Warning: Descriptor[10]: Bad format or broken data LibClamAV Warning: Unknown encoding type 8-bit - report to [EMAIL PROTECTED] LibClamAV Warning: Unknown encoding type 8-bit - report to [EMAIL PROTECTED] LibClamAV Warning: Unknown encoding type 8-bit - report to [EMAIL PROTECTED] LibClamAV Warning: Unknown encoding type 8-bit - report to [EMAIL PROTECTED] LibClamAV Warning: Unknown MIME 
type: `test', set to Application - report to [EMAIL PROTECTED] LibClamAV Warning: Unknown MIME type: `test', set to Application - report to [EMAIL PROTECTED] LibClamAV Warning: Unknown MIME type: `test', set to Application - report to [EMAIL PROTECTED] LibClamAV Warning: Unknown MIME type: `test', set to Application - report to [EMAIL PROTECTED] LibClamAV Warning: Unknown MIME type: `test', set to Application - report to [EMAIL PROTECTED] LibClamAV Warning: Unknown MIME type: `test', set to Application - report to [EMAIL PROTECTED] LibClamAV Warning: Unknown MIME type: `test', set to Application - report to [EMAIL PROTECTED] LibClamAV Warning: Unknown MIME type: `test', set to Application - report to [EMAIL PROTECTED] LibClamAV Warning: Unknown MIME type: `test', set to Application - report to [EMAIL PROTECTED] LibClamAV Warning: Unknown MIME type: `test', set to Application - report to [EMAIL PROTECTED] LibClamAV Warning: Unknown MIME type: `test', set to Application -
[Clamav-users] Config update signature
Hi, I have installed version 0.80 on fedora core 2 and I have used file .rpm. The installation it's ok and at boot of my machine to start daemon 'clamd' and 'freshclam' correctly.

Now for schedule update, default is: /etc/cron.daily/freshclam .. therefore the update is to do every day, but if I want to schedule update every hour (and not every day) I must move the file freshclam from directory /etc/cron.daily/ to /etc/cron.hourly ??

..sorry for my banal question.

--
Salvatore.
Re: [Clamav-users] Config update signature
On Mon, 2004-10-25 at 21:10 +0200, Salvatore Basso wrote:
> Now for schedule update, default is: /etc/cron.daily/freshclam .. therefore the update is to do every day, but if I want to schedule update every hour (and not every day) I must move the file freshclam from directory /etc/cron.daily/ to /etc/cron.hourly ??

yes, and please add the line:

sleep $[ 900 + $RANDOM % 1800 ]

before the freshclam statement. That will randomize the time that you check so that not everyone hits the update servers at the same instant.

--
Daniel J McDonald, CCIE # 2495, CNX
Austin Energy
[EMAIL PROTECTED]
Re: [Clamav-users] Config update signature
On Mon, 25 Oct 2004 21:10:25 +0200 in [EMAIL PROTECTED] Salvatore Basso [EMAIL PROTECTED] wrote:
> Hi, I have installed version 0.80 on fedora core 2 and I have used file .rpm. The installation it's ok and at boot of my machine to start daemon 'clamd' and 'freshclam' correctly.
>
> Now for schedule update, default is: /etc/cron.daily/freshclam .. therefore the update is to do every day, but if I want to schedule update every hour (and not every day) I must move the file freshclam from directory /etc/cron.daily/ to /etc/cron.hourly ??
>
> ..sorry for my banal question.

No, the Checks parameter in freshclam.conf determines the update frequency for the pattern files.

The /etc/cron.daily/freshclam entry is used to clean up /var/lib/clamav if any files in there have not been accessed in 72 hours. Except for the .cvd files of course, it does a touch on those.

--
Brian Morrison bdm at fenrir dot org dot uk
GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html
Re: [Clamav-users] Config update signature
Salvatore Basso wrote:
> Hi, I have installed version 0.80 on fedora core 2 and I have used file .rpm. The installation it's ok and at boot of my machine to start daemon 'clamd' and 'freshclam' correctly.
>
> Now for schedule update, default is: /etc/cron.daily/freshclam .. therefore the update is to do every day, but if I want to schedule update every hour (and not every day) I must move the file freshclam from directory /etc/cron.daily/ to /etc/cron.hourly ??
>
> ..sorry for my banal question.

First, don't start a new thread by replying to an existing one and changing the subject. You break threading and your email will likely be ignored by anyone not reading that thread. Just start a new message.

Second, that would do what you want, but don't do it. You will hit the clamav server at the top of the hour along with a lot of other people who don't read the docs. It causes the bandwidth utilization on the mirrors to spike at the top of the hour. It may be better if you have set up freshclam to use the new DNS method, but you still shouldn't do it.

You should either run freshclam from your /etc/crontab and set it to run at an oddball time (e.g. 37 mins past the hour) or run it as a daemon. There was a thread a while back about generating a random number in the crontab so that it does not run at the same time every hour. You may want to try that.

For further info:

man freshclam
read archives of this list
read docs on website
man -a crontab

--
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com
Re: [Clamav-users] Config update signature
Salvatore Basso wanted us to know:
> /etc/cron.daily/freshclam .. therefore the update is to do every day, but if I want to schedule update every hour (and not every day) I must move the file freshclam from directory /etc/cron.daily/ to /etc/cron.hourly ??

Yes.

--
Regards... Todd
Re: [Clamav-users] Config update signature
Todd Lyons wrote:
> > .. therefore the update is to do every day, but if I want to schedule update every hour (and not every day) I must move the file freshclam from directory /etc/cron.daily/ to /etc/cron.hourly ??
>
> Yes.

..now my file is in '/etc/cron.daily/' but why the the update is to run every hour ? in the log file:

ClamAV updates process started at Mon Oct 25 20:03:01 2004
main.cvd is up to date (version: 27, sigs: 23982, f-level: 2, builder: tomek)
daily.cvd is up to date (version: 550, sigs: 1607, f-level: 3, builder: trog)
---
Received signal 14, wake up
ClamAV updates process started at Mon Oct 25 21:03:01 2004
main.cvd is up to date (version: 27, sigs: 23982, f-level: 2, builder: tomek)
daily.cvd is up to date (version: 550, sigs: 1607, f-level: 3, builder: trog)
---
Received signal 14, wake up
ClamAV updates process started at Mon Oct 25 22:03:01 2004
main.cvd is up to date (version: 27, sigs: 23982, f-level: 2, builder: tomek)
daily.cvd is up to date (version: 550, sigs: 1607, f-level: 3, builder: trog)

..why this to happen also if the file 'freshclam' is in the /etc/cron.daily/ and not in /etc/cron.hourly ?? I add which I execute freshclam how daemon (freshclam -d).

thanks.
Salvatore.
RE: [Clamav-users] Config update signature
Salvatore Basso wrote:
> ..why this to happen also if the file 'freshclam' is in the /etc/cron.daily/ and not in /etc/cron.hourly ?? I add which I execute freshclam how daemon (freshclam -d). thanks.

If you run freshclam -d then it only needs to be started ONCE (put it in init.rd, for example)

If you run freshclam from /etc/cron.something/ then don't use the -d flag.

Matthew.van.Eerde (at) hbinc.com
Hispanic Business Inc./HireDiversity.com
Software Engineer
Re: [Clamav-users] Config update signature
Brian Morrison wrote:
> No, the Checks parameter in freshclam.conf determines the update frequency for the pattern files.
>
> The /etc/cron.daily/freshclam entry is used to clean up /var/lib/clamav if any files in there have not been accessed in 72 hours. Except for the .cvd files of course, it does a touch on those.

..in the file /etc/freshclam.conf there is write:

# Number of database checks for day
# Default: 12 (every two hours)
Checks 24

this does not make reference to update signature or I mistake ?

thanks.
Salvatore.
Re: [Clamav-users] Config update signature
[EMAIL PROTECTED] wrote:
> If you run freshclam -d then it only needs to be started ONCE (put it in init.rd, for example)
>
> If you run freshclam from /etc/cron.something/ then don't use the -d flag.

.. after installed clamav (with file .rpm) I execute:

#freshclam -d

.. and in '/etc/init.d/' there is a file called 'freshclam' (and at boot of my machine start freshclam), now in the my situation the file '/etc/cron.daily/freshclam' is not important ? if is this where I can modify the update frequency ? in what file ?

thanks.
Salvatore.
RE: [Clamav-users] Config update signature
Salvatore Basso wrote:
> .. and in '/etc/init.d/' there is a file called 'freshclam' (and at boot of my machine start freshclam), now in the my situation the file '/etc/cron.daily/freshclam' is not important ? if is this where I can modify the update frequency ? in what file ? thanks.

Please post results of:

cat /etc/init.d/freshclam
cat /etc/cron.daily/freshclam
cat /etc/freshclam.conf
ps -aux | grep clam

Hopefully you're not running a freshclam -d from /etc/cron.daily or you'd be running more and more freshclam processes as days go by.

You set the update frequency in /etc/freshclam.conf as Checks - the update frequency is (Checks) times per day for freshclam -d. If you run freshclam via cron.hourly, leave off the -d.

Matthew.van.Eerde (at) hbinc.com
Hispanic Business Inc./HireDiversity.com
Software Engineer
Re: [Clamav-users] Config update signature
Dennis Skinner wrote:
> First, don't start a new thread by replying to an existing one and changing the subject. You break threading and your email will likely be ignored by anyone not reading that thread. Just start a new message.

.. sorry for this but I don't find previous thread when there is solution for my problem

> Second, that would do what you want, but don't do it. You will hit the [cut] setup freshclam to use the new DNS method, but you still shouldn't do it.

.. I try answers real for not to give problem

> For further info:
> man freshclam
> read archives of this list
> read docs on website
> man -a crontab

.. I have read documentation but I don't understand how to resolve my problem, sorry for this.

thanks.
Salvatore.
Re: [Clamav-users] Config update signature
[EMAIL PROTECTED] wrote:
> Please post results of: cat /etc/init.d/freshclam

    # Source function library
    . /etc/init.d/functions
    # Get network config
    . /etc/sysconfig/network
    test -f /etc/freshclam.conf || exit 0
    RETVAL=0
    start() {
        echo -n $"Starting freshclam: "
        # Start me up!
        daemon /usr/bin/freshclam -d -p /var/run/clamav/freshclam.pid
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/freshclam
        return $RETVAL
    }
    stop() {
        echo -n $"Stopping freshclam: "
        killproc freshclam
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && rm -f /var/run/clamav/freshclam.pid /var/lock/subsys/freshclam
        return $RETVAL
    }
    restart() {
        stop
        start
    }
    reload() {
        echo -n $"Reloading DB: "
        killproc freshclam -ALRM
        RETVAL=$?
        echo
        return $RETVAL
    }
    case "$1" in
        start) start ;;
        stop) stop ;;
        status) status freshclam ;;
        restart) restart ;;
        condrestart) [ -f /var/lock/subsys/freshclam ] && restart || : ;;
        reload) reload ;;
        *) echo $"Usage: $0 {start|stop|status|restart|condrestart|reload}"
           exit 1
    esac
    exit $?

> cat /etc/cron.daily/freshclam

    /bin/touch -a /var/lib/clamav/*.cvd
    /usr/sbin/tmpwatch 72 /var/lib/clamav

> cat /etc/freshclam.conf

    DatabaseDirectory /var/lib/clamav
    UpdateLogFile /var/log/clamav/freshclam.log
    PidFile /var/run/clamav/freshclam.pid
    DatabaseOwner clamav
    DNSDatabaseInfo current.cvd.clamav.net
    DatabaseMirror database.clamav.net
    # Number of database checks per day.
    # Default: 12 (every two hours)
    Checks 24
    NotifyClamd /etc/clamd.conf

> ps -aux | grep clam

    Warning: bad syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
    clamav 1938 0.0 0.5 8808 5700 ?     S 22:15 0:00 /usr/sbin/clamd
    clamav 1948 0.0 0.1 4824 1236 ?     S 22:15 0:00 /usr/bin/freshclam -d -p /var/run/clamav/freshclam.pid
    root   2711 0.0 0.0 4628  752 pts/3 S 22:40 0:00 man freshclam
    root   2739 0.0 0.0 5216  868 pts/3 S 22:40 0:00 sh -c /usr/bin/bzip2 -c -d /var/cache/man/cat1/freshclam.1.bz2 | /usr/bin/less -is
    root   2832 0.0 0.0 4376  720 pts/2 S 23:03 0:00 grep clam

> Hopefully you're not running a freshclam -d from /etc/cron.daily or you'd be running more and more freshclam processes as days go by.
.. in the /etc/cron.daily there isn't freshclam -d then it's present in /etc/init.d/freshclam
> You set the update frequency in /etc/freshclam.conf as Checks - the update frequency is (Checks) times per day for freshclam -d. If you run freshclam via cron.hourly, leave off the -d.
.. my value is 'Checks 24', but why the update is to execute every hour? thanks.
Salvatore.
RE: [Clamav-users] Config update signature
Salvatore Basso wrote:
> [EMAIL PROTECTED] wrote:
>> Please post results of: cat /etc/init.d/freshclam
boils down to "run freshclam -d"
>> cat /etc/cron.daily/freshclam
boils down to "remove unused files in /var/lib/clamav/"
>> cat /etc/freshclam.conf
> # Number of database checks per day.
> # Default: 12 (every two hours)
> Checks 24
OK, so it checks 24 times a day - once every hour
If you want it to check every 30 minutes, change this to 48
If you want it to check every two hours, change this to 12
>> ps -aux | grep clam
You're fine here
>> Hopefully you're not running a freshclam -d from /etc/cron.daily or you'd be running more and more freshclam processes as days go by.
OK, this isn't happening, good
> my value is 'Checks 24', but why the update is to execute every hour?
Um, because there are 24 hours in a day
Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com Software Engineer
perl -emap{y/a-z/l-za-k/;print}shift Jjhi pcdiwtg Ptga wprztg,
RE: [Clamav-users] Config update signature
Matthew.van.Eerde wrote:
>> cat /etc/freshclam.conf
>> # Number of database checks per day.
>> # Default: 12 (every two hours)
>> Checks 24
> OK, so it checks 24 times a day - once every hour
> If you want it to check every 30 minutes, change this to 48
> If you want it to check every two hours, change this to 12
Oh, and to have your changes take effect, restart freshclam -d...
    /etc/init.rd/freshclam restart
Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com Software Engineer
perl -emap{y/a-z/l-za-k/;print}shift Jjhi pcdiwtg Ptga wprztg,
[Clamav-users] Duplicate attachments
Hello, I am a ClamAV newbie - I just inherited a FreeBSD 4.10 server running postfix and clamav and am trying to figure out a strange issue. I have one user who occasionally gets duplicate attachments with his incoming mail. The only thing consistent about this problem is that the attachments are PDF files. Has anyone seen this problem before? Any help or ideas would be appreciated. Thanks!
- Paul
Re: [Clamav-users] Config update signature
[EMAIL PROTECTED] wrote:
> Um, because there are 24 hours in a day
.. at least on this we are all in agreement :-)
.. ok, now all is clear!! many thanks Matthew and thanks to all for aid!
Salvatore.
Re: [Clamav-users] Config update signature
On Mon, 25 Oct 2004 22:34:33 +0200 in [EMAIL PROTECTED] Salvatore Basso [EMAIL PROTECTED] wrote:
> Brian Morrison wrote
>> No, the Checks parameter in freshclam.conf determines the update frequency for the pattern files. The /etc/cron.daily/freshclam entry is used to clean up /var/lib/clamav if any files in there have not been accessed in 72 hours. Except for the .cvd files of course, it does a touch on those.
> ..in the file /etc/freshclam.conf there is written:
> # Number of database checks for day
> # Default: 12 (every two hours)
> Checks 24
> this does not make reference to update signature or I mistake? thanks.
Yes. That is exactly what this means. Freshclam runs as a daemon, started from /etc/rc.d/init.d/freshclam. It reads /etc/freshclam.conf for its settings. /etc/cron.daily/freshclam is used simply to remove unchanged non .cvd files in the database directory.
--
Brian Morrison bdm at fenrir dot org dot uk GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html
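The scheduling rules worked out in this thread (Checks in freshclam.conf sets the interval for freshclam -d, and cron scripts must not start freshclam -d), as an added shell example that is not part of the original posts. The function names and all sample file contents are constructed for illustration; the default of 12 checks per day is the one stated in the posted freshclam.conf.

```shell
#!/bin/sh
# Added example: audit how freshclam is scheduled. All sample data is constructed.

# Matches a freshclam command line that includes the daemon flag (-d / --daemon).
DAEMON_RE='freshclam([[:space:]]+[^[:space:]]+)*[[:space:]]+(-d|--daemon)([[:space:]]|$)'

# Effective "Checks" value; 12 is the default quoted in the posted freshclam.conf.
checks_per_day() {
    awk '$1 == "Checks" && $2 ~ /^[0-9]+$/ { v = $2 }
         END { print (v == "" ? 12 : v) }' "$1"
}

# Minutes between database checks for a daemonized freshclam.
interval_minutes() {
    c=$(checks_per_day "$1")
    [ "$c" -gt 0 ] || { echo "Checks must be positive" >&2; return 1; }
    echo $((1440 / c))
}

# Succeeds if a cron script starts freshclam in daemon mode, which would
# leave one more long-lived process behind on every cron run.
cron_starts_daemon() {
    grep -v '^[[:space:]]*#' "$1" | grep -Eq "$DAEMON_RE"
}

# Count freshclam daemons in `ps` output on stdin; more than one means duplicates.
count_daemons() { grep -Ec "$DAEMON_RE" || true; }

audit() {  # usage: audit FRESHCLAM_CONF CRON_SCRIPT PS_OUTPUT_FILE
    echo "freshclam -d checks every $(interval_minutes "$1") minutes"
    if cron_starts_daemon "$2"; then echo "WARN: $2 starts freshclam -d"; fi
    n=$(count_daemons < "$3")
    [ "$n" -le 1 ] || echo "WARN: $n freshclam daemons running"
}

make_samples() {  # writes constructed sample files into directory $1
    printf '%s\n' '# Default: 12 (every two hours)' 'Checks 24' > "$1/freshclam.conf"
    printf '%s\n' '/bin/touch -a /var/lib/clamav/*.cvd' \
        '/usr/sbin/tmpwatch 72 /var/lib/clamav' > "$1/cron.ok"
    printf '%s\n' '#!/bin/sh' '/usr/bin/freshclam -d --quiet' > "$1/cron.bad"
    printf '%s\n' 'clamav 1948 /usr/bin/freshclam -d -p /var/run/clamav/freshclam.pid' \
        'clamav 2101 /usr/bin/freshclam -d --quiet' \
        'root 2711 man freshclam' > "$1/ps.txt"
}

d=$(mktemp -d) && make_samples "$d"
audit "$d/freshclam.conf" "$d/cron.bad" "$d/ps.txt"
rm -rf "$d"
```

On a live host, point audit at /etc/freshclam.conf, each script under /etc/cron.*, and a file holding the output of ps.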
Re: [Clamav-users] Duplicate attachments
Paul Porter wrote:
> Hello, I am a ClamAV newbie - I just inherited a FreeBSD 4.10 server running postfix and clamav and am trying to figure out a strange issue. I have one user who occasionally gets duplicate attachments with his incoming mail. The only thing consistent about this problem is that the attachments are PDF files. Has anyone seen this problem before? Any help or ideas would be appreciated.
Filter software?
Matt
Re: [Clamav-users] Duplicate attachments
Sorry, I forgot to mention that we are also using SpamAssassin on this server.
On Mon, 2004-10-25 at 14:45, Matt wrote:
> Paul Porter wrote:
>> Hello, I am a ClamAV newbie - I just inherited a FreeBSD 4.10 server running postfix and clamav and am trying to figure out a strange issue. I have one user who occasionally gets duplicate attachments with his incoming mail. The only thing consistent about this problem is that the attachments are PDF files. Has anyone seen this problem before? Any help or ideas would be appreciated.
> Filter software?
> Matt
Re: [Clamav-users] Duplicate attachments
Paul Porter wrote:
> Sorry, I forgot to mention that we are also using SpamAssassin on this server.
And the filtering software is? Eg: Amavis, ClamSMTP, Inflex.
Matt
Re: [Clamav-users] Duplicate attachments
Amavis. Thanks Matt!
On Mon, 2004-10-25 at 15:49, Matt wrote:
> Paul Porter wrote:
>> Sorry, I forgot to mention that we are also using SpamAssassin on this server.
> And the filtering software is? Eg: Amavis, ClamSMTP, Inflex.
> Matt
[Clamav-users] Performance Help - 100% cpu usage
I built a new 4 cpu/1 gig ram qmail/vpopmail/qmailscanner/clamav mail server. (Four (4) Pentium® III Xeon 700 MHz/ 1 MB Cache) I put it in last Thursday with it running great, then yesterday, about 6pm, the cpu usage went to near 100% with about 800 smtp transfers per hour. This morning about 8am, the cpu is at 100% and we're running about 1400 smtp transfers per hour. It appears that even this box can't keep up with all the scanning that has to take place. Here is top at this hour:
http://t10.net/cpu.jpg
http://t10.net/cpu2.jpg

    Tasks: 118 total, 7 running, 111 sleeping, 0 stopped, 0 zombie
    Cpu0 : 69.2% user, 30.8% system, 0.0% nice, 0.0% idle
    Cpu1 : 75.6% user, 24.4% system, 0.0% nice, 0.0% idle
    Cpu2 : 73.1% user, 26.9% system, 0.0% nice, 0.0% idle
    Cpu3 : 76.3% user, 23.7% system, 0.0% nice, 0.0% idle
    Mem: 1032988k total, 836408k used, 196580k free, 37472k buffers
    Swap: 128480k total, 93060k used, 35420k free, 351288k cached

      PID USER   PR NI  VIRT  RES SHR S %CPU %MEM     TIME+ COMMAND
     1290 qscand 15  0 57368  56m 696 R 50.8  5.6 172:29.51 clamdscan
    25135 qscand 14  0 57368  56m 696 R 50.2  5.6 187:57.60 clamdscan
     4980 qscand 15  0 57368  46m 696 R 50.2  4.6 167:42.45 clamdscan
    30917 qscand 14  0 57368  56m 696 R 49.8  5.6 177:53.10 clamdscan
     8861 qscand 15  0 57368  776 696 R 49.5  0.1 163:36.55 clamdscan
    28183 qscand 14  0 57368  56m 696 R 49.2  5.6 182:21.71 clamdscan

This is a vanilla install off qmailrocks.org site. Debian install 3.0r1. Used apt-get to get my clam packages.

    clamav         0.75.1-4 Antivirus scanner for Unix
    clamav-base    0.75.1-4 Base package for clamav, an anti-virus
    clamav-freshcl 0.75.1-4 Downloads clamav virus databases from the
    libclamav1     0.75.1-4 Virus scanner library

Anyone have any advice on what I could be doing wrong or how to improve the performance of the scanning?
Thanks, Eric
*update* - 8:00pm Monday night - I rebooted and it's all back to normal for now.
Re: [Clamav-users] Performance Help - 100% cpu usage
Eric Worthy wrote:
> I built a new 4 cpu/1 gig ram qmail/vpopmail/qmailscanner/clamav mail server. (Four (4) Pentium® III Xeon 700 MHz/ 1 MB Cache) I put it in last Thursday with it running great, then yesterday, about 6pm, the cpu usage went to near 100% with about 800 smtp transfers per hour. This morning about 8am, the cpu is at 100% and we're running about 1400 smtp transfers per hour.
1400 is kind of low. I use Sparc v120 (single processor UltraSparc II 650 MHz) to handle much higher traffic than that.
> It appears that even this box can't keep up with all the scanning that has to take place. Here is top at this hour:
> This is a vanilla install off qmailrocks.org site. Debian install 3.0r1. Used apt-get to get my clam packages.
> clamav         0.75.1-4 Antivirus scanner for Unix
> clamav-base    0.75.1-4 Base package for clamav, an anti-virus
> clamav-freshcl 0.75.1-4 Downloads clamav virus databases from the
> libclamav1     0.75.1-4 Virus scanner library
0.75.1 is not the latest
> Anyone have any advice on what I could be doing wrong or how to improve the performance of the scanning?
Try 0.80. If it's not in debian's apt list, build it manually from source. If you still have performance issues with 0.80, there are some settings that you can modify later on clamd.conf. I suspect you didn't put limits on some settings (max archive size, etc.) For now, try 0.80 first.
Regards, Fajar