[Clamav-users] How to disable an option?

2004-11-02 Thread Roman Suzi

Hi,

From the clamd man page it is not clear how to disable options which are
enabled by default. Can somebody tell me how to do it?

I want to disable ScanOLE2. What do I need to put into the config _exactly_?

Thank you!

Sincerely yours, Roman A.Suzi
-- 
 - Petrozavodsk - Karelia - Russia - mailto:[EMAIL PROTECTED] -

___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Re: [Clamav-users] How to disable an option?

2004-11-02 Thread Odhiambo Washington
* Roman Suzi [EMAIL PROTECTED] [20041102 12:37]: wrote:
 
 Hi,
 
 From the clamd man page it is not clear how to disable options which are
 enabled by default. Can somebody tell me how to do it?
 
 I want to disable ScanOLE2. What do I need to put into the config _exactly_?

Uncomment DisableDefaultScanOptions in clamd.conf

ciao


-Wash

http://www.netmeister.org/news/learn2quote.html

--
+==+
|\  _,,,---,,_ | Odhiambo Washington[EMAIL PROTECTED]
Zzz /,`.-'`'-.  ;-;;,_ | Wananchi Online Ltd.   www.wananchi.com
   |,4-  ) )-,_. ,\ (  `'-'| Tel: +254 20 313985-9  +254 20 313922
  '---''(_/--'  `-'\_) | GSM: +254 722 743223   +254 733 744121
+==+
One planet is all you get.


Re: [Clamav-users] TCP and UDP ports used by clamd

2004-11-02 Thread Laurent Wacrenier
On Fri, 29 Oct 15:46:44 2004, René Berber wrote:
 I found this by accident: trying to run TrippLite's PowerAlert, the program
 reported that the port was in use, I checked and clamd was using that TCP
 port.  So I checked some more, with Sysinternals' tcpvcon, to see which ports
 the clamd process was using, and the list is really big.  I didn't expect
 clamd to be using any port (yes, I checked the documentation and FAQ).

Clamd listens on a predefined TCP port and then uses random TCP ports
to exchange the files to check with the client (like FTP). This is not
firewall friendly. You should allow TCP connections from the client to
the server on high ports.


Re: [Clamav-users] cygwin clamscan hangs

2004-11-02 Thread Tomasz Papszun
On Fri, 29 Oct 2004 at 11:51:50 +0200, Bogusław Brandys wrote:
 David Nicol wrote:
 I decided to test cygwin clamscan and it hung after a few hundred files
 
 Going to see if winclam has the same difficulties
 
 
[...]
 What is winclam? I haven't heard about it.

Most probably David meant ClamWin.

-- 
 Tomasz Papszun   SysAdm @ TP S.A. Lodz, Poland  | And it's only
 [EMAIL PROTECTED] http://www.lodz.tpsa.pl/iso/ | ones and zeros.
 [EMAIL PROTECTED]   http://www.ClamAV.net/   A GPL virus scanner


Re: [Clamav-users] please fix your freshclam setup

2004-11-02 Thread Luca Gibelli

Hello Steven Stern,

 1) if you run freshclam from crontab, check that you have an entry like
 the following:
 
 N * * * * /usr/local/bin/freshclam --quiet
[snip]
 Are you OK with this?
 
   12 */2 * * * sleep `expr $RANDOM \% 1800` && /usr/bin/freshclam --quiet
 
 Every other hour, it runs at some random point between 12 after the hour and
 42 after the hour.

Yes, checking every two hours (and a half, worst case) is ok too. 


Best regards

-- 
Luca Gibelli ([EMAIL PROTECTED]) - http://www.ClamAV.net - A GPL virus scanner
PGP Key Fingerprint: C782 121E 8C3A 90E3 7A87  D802 6277 8FF4 5EFC 5582
PGP Key Available on: Key Servers || http://www.clamav.net/gpg/nervoso.gpg


Re: [Clamav-users] please fix your freshclam setup

2004-11-02 Thread Luca Gibelli

Hello,

 I got this instead. Meaning I do not have DNSDatabaseInfo?

if you are running ClamAV 0.80 please edit freshclam.conf (usually
installed under /etc/clamav/ or /usr/local/etc/clamav/) and add the
following line:

DNSDatabaseInfo current.cvd.clamav.net

Then run 

# freshclam -v

from the command line and verify that everything is working properly.
You should see the following lines, among the others:

main.cvd version from DNS: 27
daily.cvd version from DNS: 568

If you are not running ClamAV 0.80, it's time to upgrade :)
If you don't want or can't upgrade ATM, please be sure that your 
freshclam doesn't check for updates more often than once an hour.


Best regards

-- 
Luca Gibelli ([EMAIL PROTECTED]) - http://www.ClamAV.net - A GPL virus scanner
PGP Key Fingerprint: C782 121E 8C3A 90E3 7A87  D802 6277 8FF4 5EFC 5582
PGP Key Available on: Key Servers || http://www.clamav.net/gpg/nervoso.gpg


Re: [Clamav-users] please fix your freshclam setup

2004-11-02 Thread Luca Gibelli

Hello [EMAIL PROTECTED],

 Here is the output from my run a few minutes ago.
 
 Current working dir is /var/www/html/clamav
 Max retries == 3
 ClamAV update process started at Mon Nov  1 14:21:33 2004
 TTL: 880
 main.cvd version from DNS: 27
 Software version from DNS: 0.80
 Connecting via batman.belfast.heartsine.net
 main.cvd is up to date (version: 27, sigs: 23982, f-level: 2, builder:
 tomek)
 TTL: 880
 daily.cvd version from DNS: 566
 Connecting via batman.belfast.heartsine.net
 daily.cvd is up to date (version: 566, sigs: 2093, f-level: 3, builder:
 ccordes)
 Freeing option list...done
 
 Compare this to Filbert's, as you can see that everything was up
 to date yet it still connected even though DNS was consulted.

batman.belfast.heartsine.net is a proxy. If you check the proxy's
logs, you'll see that no connection is made by freshclam.

The debug message printed by freshclam is misleading.


Best regards

-- 
Luca Gibelli ([EMAIL PROTECTED]) - http://www.ClamAV.net - A GPL virus scanner
PGP Key Fingerprint: C782 121E 8C3A 90E3 7A87  D802 6277 8FF4 5EFC 5582
PGP Key Available on: Key Servers || http://www.clamav.net/gpg/nervoso.gpg
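The two replies above describe what freshclam does once DNSDatabaseInfo is set: it reads the versions published in the TXT record, compares them with the local databases, and only downloads what is behind, so an up-to-date installation makes no HTTP connection even though it prints a "Connecting via ..." line. The following is an added example that models that decision; it is not freshclam's own code. It assumes the TXT payload is laid out as "<software version>:<main.cvd version>:<daily.cvd version>:..." (the first three fields match the "version from DNS" output quoted in the thread; any further fields are ignored), and the record and local state it uses are constructed.

```python
from dataclasses import dataclass

# Added example, not freshclam's code.  It models the decision freshclam makes
# after the DNSDatabaseInfo lookup: compare the versions published in the TXT
# record with the local databases and only download what is behind.
# ASSUMPTION: the TXT record layout is "<software>:<main>:<daily>:..."; the
# first three fields match the thread's "version from DNS" output, any further
# fields are ignored here.

DATABASES = ("main", "daily")


@dataclass
class DnsInfo:
    software: str          # newest ClamAV release according to DNS
    versions: dict         # database name -> version published in DNS


def parse_txt_record(txt: str) -> DnsInfo:
    """Split the TXT payload into the pieces the update decision needs."""
    fields = txt.strip().strip('"').split(":")
    if len(fields) < 3:
        raise ValueError(f"unexpected TXT record: {txt!r}")
    try:
        versions = {db: int(v) for db, v in zip(DATABASES, fields[1:3])}
    except ValueError:
        raise ValueError(f"non-numeric database version in TXT record: {txt!r}") from None
    return DnsInfo(software=fields[0], versions=versions)


def version_tuple(version: str) -> tuple:
    """'0.80' -> (0, 80) so that releases compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def plan_update(local: dict, info: DnsInfo, installed_software: str) -> dict:
    """Decide what to fetch.  An empty 'fetch' list means no download request
    is needed at all, which is the case the thread's proxy logs would confirm."""
    fetch = [db for db in DATABASES if local.get(db, 0) < info.versions[db]]
    outdated = version_tuple(installed_software) < version_tuple(info.software)
    return {"fetch": fetch, "software_outdated": outdated}


def report_lines(local: dict, info: DnsInfo) -> list:
    """Build status lines in the style of the freshclam -v output quoted above."""
    lines = []
    for db in DATABASES:
        have, want = local.get(db, 0), info.versions[db]
        lines.append(f"{db}.cvd version from DNS: {want}")
        if have >= want:
            lines.append(f"{db}.cvd is up to date (version: {have})")
        else:
            lines.append(f"{db}.cvd is outdated (local: {have}, DNS: {want})")
    return lines


if __name__ == "__main__":
    # Constructed sample record and constructed local state: main 27 and
    # daily 566 as in the quoted output, with DNS already announcing daily 568.
    info = parse_txt_record("0.80:27:568:1099357221")
    local = {"main": 27, "daily": 566}
    print("\n".join(report_lines(local, info)))
    print(plan_update(local, info, installed_software="0.80"))
```

With the constructed state the plan is to fetch only daily.cvd; once the local daily version is 568 the fetch list is empty, which is the situation the proxy logs in the thread would show as "no connection made".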


[Clamav-users] Exploit-Mime.gen.c detection

2004-11-02 Thread Cali Federico
Hi all,
analyzing the same e-mail with two different antivirus products I get different
results:

-- ClamAv detects Worm.SomeFool.p virus

-- McAfee WebShield detects both W32/[EMAIL PROTECTED] and Exploit-MIME.gen.c 


I know that Worm.SomeFool.p and W32/[EMAIL PROTECTED] are the same, but what about
the Exploit?

Could you explain to me why ClamAv doesn't detect this virus?

Thanks a lot

Federico


Re: [Clamav-users] Clamd process

2004-11-02 Thread Trog
On Tue, 2004-11-02 at 19:39, Henri van Riel wrote:
 Hello all,
 
 I'm new to ClamAV and this list and I have the following `problem`.
 
 I use clamav together with p3scan but that is irrelevant to my
 question. I first start the clamd daemon and then the p3scan daemon.
 Everything starts just fine. But when I use clamdscan to scan a
 directory, for instance, several new instances of clamd are started,
 sometimes up to four new processes/instances. After a while one after
 the other terminates by itself except for one. That means I then have
 2 instances of clamd running as daemon... The second process never
 terminates but everything seems to work just fine. P3scan works and so
 does clamdscan. I'm just wondering why there are two processes...

They aren't processes, they are threads. Clamd spawns new threads to do
the actual work, and when a worker thread has been idle for a while, it
goes away again.

-trog




Re[2]: [Clamav-users] Clamd process

2004-11-02 Thread Henri van Riel
Hello Trog,

Tuesday, November 2, 2004, 8:47:26 PM, you wrote:

 On Tue, 2004-11-02 at 19:39, Henri van Riel wrote:
 I'm just wondering why there are two processes...

 They aren't processes, they are threads. Clamd spawns new threads to do
 the actual work, and when a worker thread has been idle for a while, it
 goes away again.

Yes, I know they are threads but why is there only one when clamd
starts for the first time and one extra thread never ends when clamd
did some scanning? Shouldn't that one disappear after a while too?
It's been there (with the same process ID) for over 24 hours and
because I'm running clamav on a test server it hasn't done anything
for hours...

-- 
Best regards,
 Henrimailto:[EMAIL PROTECTED]



Re: [Clamav-users] Exploit-Mime.gen.c detection

2004-11-02 Thread Joe Maimon

Cali Federico wrote:
Hi all,
analyzing the same e-mail with two different antivirus products I get different
results:
-- ClamAv detects Worm.SomeFool.p virus
-- McAfee WebShield detects both W32/[EMAIL PROTECTED] and Exploit-MIME.gen.c 

I know that Worm.SomeFool.p and W32/[EMAIL PROTECTED] are the same, but what about
the Exploit?
Could you explain to me why ClamAv doesn't detect this virus?
 

I believe clam stops after the first virus found
Thanks a lot
Federico




[Clamav-users] [SA12959] Internet Explorer IFRAME Buffer Overflow Vulnerability (fwd)

2004-11-02 Thread clamav

This just came across the wire and if anyone can find a working exploit to
make a signature for this latest iframe we can jump ahead of new exploits
which are fast coming.  I will continue to look for a working exploit and
post a sig when available.  We are on the edge of a big outbreak and
example code exists on the Internet.  This is labeled Extremely
Critical and everyone knows how well Windows users do their updates.

As best that I can tell, everyone who uses Internet Explorer derived mail 
rendering is vulnerable.  This includes Outlook, Outlook Express and 
Incredimail.  Certainly others exist as well and this will not be a small 
issue.


-- 
Eric Wheeler
Vice President
National Security Concepts, Inc.
PO Box 3567
Tualatin, OR 97062

http://www.nsci.us/
Voice: (503) 293-7656
Fax:   (503) 885-0770


-- Forwarded message --
Date: Tue, 2 Nov 2004 20:56:47 +0100
To: [EMAIL PROTECTED]
From: Secunia Security Advisories [EMAIL PROTECTED]
Subject: [SA12959] Internet Explorer IFRAME Buffer Overflow Vulnerability


--

TITLE:
Internet Explorer IFRAME Buffer Overflow Vulnerability

SECUNIA ADVISORY ID:
SA12959

VERIFY ADVISORY:
http://secunia.com/advisories/12959/

CRITICAL:
Extremely critical

IMPACT:
System access

WHERE:
From remote

SOFTWARE:
Microsoft Internet Explorer 6
http://secunia.com/product/11/

DESCRIPTION:
A vulnerability has been reported in Internet Explorer, which can be
exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error in the handling
of certain attributes in the IFRAME HTML tag. This can be exploited
to cause a buffer overflow via a malicious HTML document containing
overly long strings in the SRC and NAME attributes of the
IFRAME tag.

Successful exploitation allows execution of arbitrary code.

The vulnerability has been confirmed in the following versions:
* Internet Explorer 6.0 on Windows XP SP1 (fully patched).
* Internet Explorer 6.0 on Windows 2000 (fully patched).

NOTE: This advisory has been rated Extremely critical as a working
exploit has been published on public mailing lists.

SOLUTION:
The vulnerability does not affect systems running Windows XP with SP2
installed.

Use another product.

PROVIDED AND/OR DISCOVERED BY:
Discovered by:
ned

Additional research and exploit by:
Berend-Jan Wever

--

About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/


Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

--



RE: [Clamav-users] [SA12959] Internet Explorer IFRAME Buffer Overflow Vulnerability (fwd)

2004-11-02 Thread Minica, Nelson (EDS)
Looks like there is proof of concept code here:

http://felinemenace.org/~nd/crash_ie/ file 2446.html
http://www.securityfocus.com/bid/11515/exploit/

Nelson Minica


RE: [Clamav-users] [SA12959] Internet Explorer IFRAME Buffer Overflow Vulnerability (fwd)

2004-11-02 Thread clamav

On Tue, 2 Nov 2004, Minica, Nelson (EDS) wrote:
 Looks like there is proof of concept code here:
 http://felinemenace.org/~nd/crash_ie/ file 2446.html
 http://www.securityfocus.com/bid/11515/exploit/

From Nelson's file and from another code example of this exploit that I 
found (http://www.k-otik.com/exploits/20041102.InternetExploiter.htm.php), 
the following signature should work if I understand correctly.  This isn't 
perfect and there are many javascripty ways around it, so please add your 
thoughts.


Matches a case-sensitive regex of: IFRAME={256,}

Exploit.IFRAME.foo:*:494652414d453d??{256-}

You can probably all see the problem already.  IfRaMe is not caught by our
sig.  Does this mean 6! (factorial) additional signatures are needed to
match this?  Am I doing this completely wrong somewhere?  Are our virus
sigs quickly becoming a dictionary of regexes for malware? -- 'cause that
could be bad and error-prone.

Your thoughts?
 


-- 
Eric Wheeler
Vice President
National Security Concepts, Inc.
PO Box 3567
Tualatin, OR 97062

http://www.nsci.us/
Voice: (503) 293-7656
Fax:   (503) 885-0770



Re: [Clamav-users] [SA12959] Internet Explorer IFRAME Buffer Overflow Vulnerability (fwd)

2004-11-02 Thread Tomasz Kojm
On Tue, 2 Nov 2004 16:11:30 -0800 (PST)
[EMAIL PROTECTED] wrote:

 Matches a case-sensitive regex of: IFRAME={256,}
 
 Exploit.IFRAME.foo:*:494652414d453d??{256-}

Bad format.

 You can probably all see the problem already.  IfRaMe is not caught by
 our sig.  Does this mean 6! (factorial) additional signatures are
 needed to match this?  Am I doing this completely wrong somewhere? 

http://www.clamav.net/doc/0.80/signatures.pdf
Section 4.1 (Special files: HTML)

 Your thoughts?

Please RTM.

-- 
   oo. Tomasz Kojm [EMAIL PROTECTED]
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Wed Nov  3 01:31:06 CET 2004




Re: [Clamav-users] [SA12959] Internet Explorer IFRAME Buffer Overflow Vulnerability (fwd)

2004-11-02 Thread Tomasz Kojm
On Wed, 3 Nov 2004 01:35:39 +0100
Tomasz Kojm [EMAIL PROTECTED] wrote:

 On Tue, 2 Nov 2004 16:11:30 -0800 (PST)
 [EMAIL PROTECTED] wrote:
 
  Matches a case-sensitive regex of: IFRAME={256,}
  
  Exploit.IFRAME.foo:*:494652414d453d??{256-}
 
 Bad format.
 
  You can probably all see the problem already.  IfRaMe is not caught
  by our sig.  Does this mean 6! (factorial) additional signatures are

Just for the record: the above calculation is also incorrect. There are
2^6 (= 64) possibilities (and not 6! = 720) to write iframe with mixed
upper and lower case letters.

-- 
   oo. Tomasz Kojm [EMAIL PROTECTED]
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Wed Nov  3 01:42:09 CET 2004




Re: [Clamav-users] [SA12959] Internet Explorer IFRAME Buffer Overflow Vulnerability (fwd)

2004-11-02 Thread clamav

On Wed, 3 Nov 2004, Tomasz Kojm wrote:
  Matches a case-sensitive regex of: IFRAME={256,}
  Exploit.IFRAME.foo:*:494652414d453d??{256-}

 Bad format.

Thank you for pointing that out, I greatly appreciate your help.  Perhaps
I misunderstood what the format meant when I posted the message the first
time after only reading the signature documentation once.  Would you be so
kind as to explain how it should properly be formatted based on the
information above?  The documentation explains that the extended format
looks as follows:

MalwareName:TargetType:Offset:HexSignature[:MinEngineFunctionalityLevel]

Did I simply miss a 3 for target type?

  You can probably all see the problem already.  IfRaMe is not caught by
  our sig.  Does this mean 6! (factorial) additional signatures are
  needed to match this?  Am I doing this completely wrong somewhere?

 http://www.clamav.net/doc/0.80/signatures.pdf Section 4.1 (Special
 files: HTML)

As expressed above, I have read all 7 pages of the document before
posting.  Just to be sure, I read it a second time.  If this particular
problem has already been addressed, it is not expressly stated in the
documentation.  Although 4.1 comments that the script.html output is
lower-cased JavaScript, nothing is said about the case-sensitivity of the
nocomment.html output.  Since, after testing, it does appear to lower-case
all of the files (not just script.html as indicated by the documentation),
perhaps the documentation needs updating.

That being stated, does the following take the proper format and is it
sufficient to merge into our database?

Exploit.IFRAME.foo:3:*:96672616d653d??{256-}


  Your thoughts?

 Please RTM.

3rd time is the charm?

-- 
Eric Wheeler
Vice President
National Security Concepts, Inc.
PO Box 3567
Tualatin, OR 97062

http://www.nsci.us/
Voice: (503) 293-7656
Fax:   (503) 885-0770



Re: [Clamav-users] [SA12959] Internet Explorer IFRAME Buffer Overflow Vulnerability (fwd)

2004-11-02 Thread clamav
On Wed, 3 Nov 2004, Tomasz Kojm wrote:
   You can probably all see the problem already.  IfRaMe is not caught
   by our sig.  Does this mean 6! (factorial) additional signatures are
 
 Just for the record: the above calculation is also incorrect. There are
 2^6 (= 64) possibilities (and not 6! = 720) to write iframe with mixed
 upper and lower case letters.

Oops!  You are right, 2^6 not 6! -- End of the day, my head isn't thinking
straight ;)

-- 
Eric Wheeler
Vice President
National Security Concepts, Inc.
PO Box 3567
Tualatin, OR 97062

http://www.nsci.us/
Voice: (503) 293-7656
Fax:   (503) 885-0770

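The signature thread above turns on three points: the extended signature line needs all of Name:Target:Offset:Hex (three fields is "bad format"), a hex body written for target type 3 is matched against the lower-cased HTML output so a single lowercase body replaces the 2^6 = 64 case spellings of "iframe", and the `??` / `{256-}` wildcards express "one arbitrary byte, then at least 256 more". The following added example, which is not ClamAV's engine or any of the posters' code, implements a small matcher for exactly the constructs used in the thread so the behaviour can be tried on constructed input. It assumes HTML normalisation consists only of case folding (Eric's observation; real ClamAV does far more), treats target 0 as "any file, no normalisation", and the sample HTML it scans is constructed.

```python
import re
from dataclasses import dataclass

# Added example, not ClamAV's code.  It covers only the hex-signature
# constructs that appear in the thread: plain hex bytes, ?? (any one byte)
# and {n-} / {-n} / {n-m} / {n} byte-count gaps.  Real ClamAV has more
# wildcards and a far richer HTML normaliser.

TARGET_ANY = 0   # assumption: 0 = any file type, data matched as-is
TARGET_HTML = 3  # target type 3 = normalised HTML, as given in the thread


@dataclass
class Signature:
    name: str
    target: int
    offset: str          # "*" for anywhere, or a decimal byte offset
    body: str
    regex: re.Pattern


def text_to_hex(text: str) -> str:
    """Spell an ASCII string the way a hex body does: two hex digits per byte."""
    return text.encode("ascii").hex()


_TOKEN = re.compile(r"\?\?|\{(\d*)-(\d*)\}|\{(\d+)\}|[0-9a-fA-F]{2}")


def body_to_regex(body: str) -> re.Pattern:
    """Translate a hex-signature body into an equivalent bytes regex.
    Anything the tokenizer cannot consume (including a dangling odd hex digit)
    is reported as malformed instead of being silently skipped."""
    parts, pos = [], 0
    for m in _TOKEN.finditer(body):
        if m.start() != pos:
            break                          # unparseable characters in between
        pos = m.end()
        tok = m.group(0)
        if tok == "??":
            parts.append(b".")             # exactly one arbitrary byte
        elif m.group(3) is not None:
            parts.append(b".{%d}" % int(m.group(3)))       # {n}: exactly n bytes
        elif tok.startswith("{"):
            lo = int(m.group(1) or 0)      # {n-}: at least n, {-n}: at most n, {n-m}
            hi = m.group(2).encode()       # empty upper bound -> unbounded
            parts.append(b".{%d,%s}" % (lo, hi))
        else:
            parts.append(re.escape(bytes.fromhex(tok)))    # one literal byte
    if pos != len(body) or not parts:
        raise ValueError(f"malformed hex body at offset {pos}: {body[pos:]!r}")
    return re.compile(b"".join(parts), re.DOTALL)


def parse_sig_line(line: str) -> Signature:
    """Parse Name:Target:Offset:Hex[:MinFLevel]; any other field count is 'bad format'."""
    fields = line.strip().split(":")
    if len(fields) not in (4, 5):
        raise ValueError(f"bad format: expected 4 or 5 fields, got {len(fields)}")
    name, target, offset, body = fields[:4]
    if not target.isdigit():
        raise ValueError(f"target type must be numeric, got {target!r}")
    if offset != "*" and not offset.isdigit():
        raise ValueError(f"offset must be '*' or a number, got {offset!r}")
    return Signature(name, int(target), offset, body, body_to_regex(body))


def normalise_html(data: bytes) -> bytes:
    """Stand-in for the lower-casing of the HTML output observed in the thread
    (assumption: case folding only)."""
    return data.lower()


def matches(sig: Signature, data: bytes) -> bool:
    """Apply a signature to raw file data, normalising first for HTML targets."""
    if sig.target == TARGET_HTML:
        data = normalise_html(data)
    if sig.offset == "*":
        return sig.regex.search(data) is not None
    return sig.regex.match(data, int(sig.offset)) is not None


def case_variant_count(word: str) -> int:
    """How many spellings a case-sensitive body would have to enumerate (2^letters)."""
    return 2 ** sum(ch.isalpha() for ch in word)


# Constructed samples: a mixed-case tag followed by an over-long value (hit)
# and by a value too short for the {256-} gap (miss).
SAMPLE_HIT = b'<html><IfRaMe=x' + b'A' * 300 + b'></html>'
SAMPLE_MISS = b'<html><IfRaMe=x' + b'A' * 100 + b'></html>'

if __name__ == "__main__":
    sig = parse_sig_line("Exploit.IFRAME.foo:3:*:" + text_to_hex("iframe=") + "??{256-}")
    print(sig.body, matches(sig, SAMPLE_HIT), matches(sig, SAMPLE_MISS))
    print("case variants of 'iframe':", case_variant_count("iframe"))
```

Running it shows the lowercase body matching the mixed-case sample only after normalisation (the same body with target 0 does not), and the short sample failing the 256-byte gap; the three-field line from the first post is rejected by the field-count check before the body is even parsed.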


Re: [Clamav-users] configure failure: libmilter directory not found?

2004-11-02 Thread Dale Walsh
Tom, you've probably tried using Stuffit to extract the archive.
Try tar -xzf sendmail.8.13.1.tar.gz
This should extract it properly.
-- Dale


Re: [Clamav-users] how do you start clamav-milter

2004-11-02 Thread Meni Shapiro

Tom D`Asto wrote:
I'm following the instructions in clamav-0.80/clamav-milter/INSTALL. 

My first problem is that the following file does not exist so I can't 
add the variable CLAMAV_FLAGS:

Add to /etc/sysconfig/clamav-milter
  CLAMAV_FLAGS=local:/var/run/clamav/clmilter.sock
vim /etc/sysconfig/clamav-milter
and add the above line.
The next problem is that I don't know where the script I should have 
received is located...

You should have received a script to put in /etc/init.d with this 
software.

look in the source files...
or try this as a bash script:
vim /etc/init.d/clsmd
[quote]
#!/bin/sh
# Minimal start/stop script; note that it controls clamd itself,
# not clamav-milter.
if [ "$1" = "start" ]; then
    /bin/echo "Starting Clamd:"
    /usr/local/sbin/clamd -c /etc/clamav.conf
elif [ "$1" = "stop" ]; then
    /bin/echo "Stopping Clamd:"
    # -q: quiet if nothing matched, -w: wait until the process has exited
    killall -qw /usr/local/sbin/clamd
else
    echo "usage: $0 start|stop"
    exit 1
fi
[end quote]
Finally, how do I start clamav-milter. The documentation states the 
following command but again the file does not exist:

/usr/local/sbin/clamav-milter -lo /var/run/clmilter.sock
you should have configured the package properly, like:
./configure --prefix=/usr/local/sbin
so the executable would be there...
if you didn't, i guess it would be in /usr/bin
try: find / -name clamav-milter
Sincerely,
Meni Shapiro
Thanks,
Tom

