Re: [Clamav-users] RE: Return value "72" from clamd <-> mimedefang.pl SOLVED

2004-11-10 Thread paul
> These are the entries I copied directly from the newly-installed
> startup scripts in /usr/local/etc/rc.d, over to /etc/rc.conf, then
> simply
> executed the startup scripts without so much as a reboot. I must admit,
> though, that when faced with any balky startup script difficulties with
> installations in general, having used FreeBSD since /etc/sysconfig days,
> I'm prone to resorting to a plain-old-fashioned rc.local entry. :)
> 
> If you're having trouble getting things to start, make sure you enable
> every logging and debug knob you can find, then check the logs, after
> your start-up attempt.

I have three of these machines out in a round robin setup, all running
fbsd 5.2.1 and clamav 0.75. I built a 5.3 machine with .80 and threw
it into the mix to see what results I would get, as testing wasn't
telling me anything (debugging and logging).

The only real difference that I saw was that the conf file changed
names and such. However after any sort of real stress hit the machine,
clamd would die and that particular server would reject mail. Needless
to say, he came out of the mix rather quickly. I have been looking for
reasons as to why that could have been happening.

I know what you mean in regard to using rc.local as opposed to the
"newish" startup script method when there seem to be problems. I even
tried a similar method when I was initially troubleshooting the
sporadic death of clamd, but to no good end. I eventually found that
there were all sorts of people having the same issue with multiple
versions of clamav. A little disconcerting that the best solution I
have seen so far is the "cron job/ script to see if the daemon is
running". I was using that as a last gasp effort since I didn't want
to reject mail unnecessarily.

I haven't been on the list very long though, and there's a lot to be
said for 93 days without a glitch ;)

Thx.
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
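As an added example, not from paul's post or the ClamAV project: the "cron job/script to see if the daemon is running" approach he mentions, written as a pidfile check with a restart. The pidfile path and the restart command are placeholder assumptions to adapt to the local rc setup.

```shell
#!/bin/sh
# Added example, not from the list post: a minimal watchdog of the
# "cron job to see if the daemon is running" kind mentioned above.
# Assumptions (placeholders, adjust to the local rc setup): clamd writes
# its PID to $PIDFILE, and $RESTART_CMD restarts it.

PIDFILE=${PIDFILE:-/var/run/clamav/clamd.pid}
RESTART_CMD=${RESTART_CMD:-/usr/local/etc/rc.d/clamav-clamd.sh restart}

# clamd_running PIDFILE -> 0 if the PID recorded in PIDFILE is a live process
clamd_running() {
  pidfile=$1
  [ -r "$pidfile" ] || return 1          # no readable pidfile: not running
  pid=$(tr -cd '0-9' < "$pidfile")       # keep digits only (strips newline)
  [ -n "$pid" ] || return 1
  kill -0 "$pid" 2>/dev/null             # signal 0: existence check, no effect
}

# watchdog PIDFILE RESTART_CMD -> prints "alive", "restarted" or "restart failed"
watchdog() {
  if clamd_running "$1"; then
    echo "alive"
    return 0
  fi
  logger -t clamd-watchdog "clamd not running, restarting" 2>/dev/null || :
  if sh -c "$2"; then
    echo "restarted"
  else
    echo "restart failed"
    return 1
  fi
}

# Run the check only when executed as a script (e.g. from cron),
# not when the file is sourced.
case $(basename "$0") in
  clamd-watchdog.sh) watchdog "$PIDFILE" "$RESTART_CMD" ;;
esac
```

Save it as clamd-watchdog.sh and run it from cron every few minutes as root or as the clamd user: `kill -0` on another user's process fails with EPERM and would be read as "dead". A stale pidfile whose PID has since been reused by an unrelated process still reports "alive", so a PING over the clamd socket is the stronger liveness check where the socket is reachable.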


Re: [Clamav-users] DNS behind a firewall

2004-11-10 Thread Sakshale eQuorian

Peter Bonivart wrote:
> Sakshale eQuorian wrote:
> > I was running 7.0 without any problems.
> > I updated to 8.0, but it appears that the new DNS functions;
> >    DatabaseMirror database.clamav.net
> >    DNSDatabaseInfo current.cvd.clamav.net
> > don't work with the proxy routines.
> > --
> > freshclam daemon 0.80 (OS: solaris2.9, ARCH: sparc, CPU: sparc)
> > ClamAV update process started at Wed Nov 10 13:50:18 2004
> > ERROR: Can't query current.cvd.clamav.net
> > main.cvd is up to date (version: 27, sigs: 23982, f-level: 2, builder: tomek)
> > ERROR: Can't query current.cvd.clamav.net
> > daily.cvd is up to date (version: 584, sigs: 2477, f-level: 3, builder: trog)
> > --
> >
> > I have the following fields defined in the freshclam configuration file:
> > # Proxy settings
> > HTTPProxyServer proxy.example.com
> > HTTPProxyPort 8080
> > HTTPProxyUsername username
> > HTTPProxyPassword password
> > --
> > These worked for getting updates with 7.0;
> > --
> > Received signal 14, wake up
> > ClamAV update process started at Tue Nov  9 20:36:18 2004
> > SECURITY WARNING: NO SUPPORT FOR DIGITAL SIGNATURES
> > main.cvd is up to date (version: 27, sigs: 23982, f-level: 2, builder: tomek)
> > daily.cvd updated (version: 582, sigs: 2467, f-level: 3, builder: ccordes)
> > WARNING: Your ClamAV installation is OUTDATED - please update immediately !
> > WARNING: Current functionality level = 2, required = 3
> > Database updated (26449 signatures) from database.clamav.net.
> > Clamd successfully notified about the update.
> > --
>
> Looks like you're running an older version than you think you are,
> otherwise you shouldn't get:
>
> WARNING: Your ClamAV installation is OUTDATED - please update immediately !

Correct - That was before I updated. I was simply showing that the
proxy updates were working at that time. However, now that I've updated
I get the error listed above;
   ERROR: Can't query current.cvd.clamav.net

> Check for multiple installations at different locations. Did 0.80
> install in a different place than 0.70?
>
> By the way, it's version 0.70 and 0.80, not 7.0 and 8.0.

Gotcha and thanks.


Re: [Clamav-users] RE: Return value "72" from clamd <-> mimedefang.pl SOLVED

2004-11-10 Thread Guy F. Boyd

> -Original Message-
>
> Date: Wed, 10 Nov 2004 10:45:48 -0500
> From: paul <[EMAIL PROTECTED]>
> Subject: Re: [Clamav-users] RE: Return value "72" from clamd <->
>   mimedefang.pl   SOLVED
> To: ClamAV users ML <[EMAIL PROTECTED]>
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=US-ASCII
>
> Just a quick question. When changing to 0.80, did you have to change
> what you used in /etc/rc.conf to start clam? Meaning, anything
> different or more than clamav_clamd_enable="YES"
> clamav_freshclam_enable="YES"
>
> ?

No, looks correct, same entries here.

These are the entries I copied directly from the newly-installed
startup scripts in /usr/local/etc/rc.d, over to /etc/rc.conf, then
simply
executed the startup scripts without so much as a reboot. I must admit,
though, that when faced with any balky startup script difficulties with
installations in general, having used FreeBSD since /etc/sysconfig days,
I'm prone to resorting to a plain-old-fashioned rc.local entry. :)

If you're having trouble getting things to start, make sure you enable
every logging and debug knob you can find, then check the logs, after
your start-up attempt.

Good Luck.


Guy F. Boyd
Director Of Software Engineering And Design
Film Recording Engineer
VTA Technologies INC.
Atlanta, Georgia U.S.A.




Re: [Clamav-users] GMP must be in /usr and not /usr/local

2004-11-10 Thread Rob Chanter
On Wed, Nov 10, 2004 at 04:45:07PM -0600, Alex S Moore wrote:
> On Wed, 2004-11-10 at 14:24 -0800, Sakshale eQuorian wrote:
> > Hi;
> > 
> > Since I wanted to upgrade to 8.0, I decided to install
> > GMP on my solaris box to get rid of the "SECURITY WARNING"
> > that came with version 7.0.
> > 
> > Shouldn't /usr/local/include be included in the path?
> > Especially given that I built clamav to run in /usr/local.
> 
> I would not put anything in /usr.  There are options that you should use
> when building programs, such as CFLAGS, LDFLAGS, LD_OPTIONS, to point to
> other locations, for things like -I, -L, -R respectively.

Specifically, the below 'configure' line works for me on Solaris. There
is no '-lgmp' needed because the configure script picks that up. The
installation prefix and user/group are, obviously, specific to our site.

Also, on Solaris 9 (and 8, I think) make sure you build clam and gmp to
the same ABI. We compiled gmp as 32-bit and clamav with the defaults.

ABI=32 ./configure --prefix=/usr/local/graft/gmp-
make
make install
graft -v -i gmp-

LDFLAGS='-L/usr/local/lib -R/usr/local/lib -lgcc_s' \
 ./configure --prefix=/usr/local/graft/clamav- \
 --with-user=amavisd --with-group=amavisd
make
make install

The man page for ld(1) has all the info you might need. Alternatively,
you could look at crle(1) to define additional system library locations.

(P.S. graft is great for managing clamav installations:
http://www.gormand.com.au/peters/tools/graft/graft.html)

cheers 
rob


Re: [Clamav-users] DNS behind a firewall

2004-11-10 Thread Peter Bonivart
Sakshale eQuorian wrote:
> I was running 7.0 without any problems.
> I updated to 8.0, but it appears that the new DNS functions;
>    DatabaseMirror database.clamav.net
>    DNSDatabaseInfo current.cvd.clamav.net
> don't work with the proxy routines.
> --
> freshclam daemon 0.80 (OS: solaris2.9, ARCH: sparc, CPU: sparc)
> ClamAV update process started at Wed Nov 10 13:50:18 2004
> ERROR: Can't query current.cvd.clamav.net
> main.cvd is up to date (version: 27, sigs: 23982, f-level: 2, builder: tomek)
> ERROR: Can't query current.cvd.clamav.net
> daily.cvd is up to date (version: 584, sigs: 2477, f-level: 3, builder: trog)
> --
> I have the following fields defined in the freshclam configuration file:
> # Proxy settings
> HTTPProxyServer proxy.example.com
> HTTPProxyPort 8080
> HTTPProxyUsername username
> HTTPProxyPassword password
> --
> These worked for getting updates with 7.0;
> --
> Received signal 14, wake up
> ClamAV update process started at Tue Nov  9 20:36:18 2004
> SECURITY WARNING: NO SUPPORT FOR DIGITAL SIGNATURES
> main.cvd is up to date (version: 27, sigs: 23982, f-level: 2, builder: tomek)
> daily.cvd updated (version: 582, sigs: 2467, f-level: 3, builder: ccordes)
> WARNING: Your ClamAV installation is OUTDATED - please update immediately !
> WARNING: Current functionality level = 2, required = 3
> Database updated (26449 signatures) from database.clamav.net.
> Clamd successfully notified about the update.
> --

Looks like you're running an older version than you think you are, 
otherwise you shouldn't get:

WARNING: Your ClamAV installation is OUTDATED - please update immediately !
Check for multiple installations at different locations. Did 0.80 
install in a different place than 0.70?

By the way, it's version 0.70 and 0.80, not 7.0 and 8.0.
--
/Peter Bonivart
--Unix lovers do it in the Sun


Re: [Clamav-users] GMP must be in /usr and not /usr/local

2004-11-10 Thread Alex S Moore
On Wed, 2004-11-10 at 14:24 -0800, Sakshale eQuorian wrote:
> Hi;
> 
> Since I wanted to upgrade to 8.0, I decided to install
> GMP on my solaris box to get rid of the "SECURITY WARNING"
> that came with version 7.0.
> 
> Shouldn't /usr/local/include be included in the path?
> Especially given that I built clamav to run in /usr/local.

I would not put anything in /usr.  There are options that you should use
when building programs, such as CFLAGS, LDFLAGS, LD_OPTIONS, to point to
other locations, for things like -I, -L, -R respectively.

Alex



[Clamav-users] GMP must be in /usr and not /usr/local

2004-11-10 Thread Sakshale eQuorian
Hi;

Since I wanted to upgrade to 8.0, I decided to install
GMP on my solaris box to get rid of the "SECURITY WARNING"
that came with version 7.0.

I normally put all my stuff in /usr/local, keeping /usr
reserved for Sun's stuff.  However, after building and
installing GMP, 'configure' worked, but builds failed
because the compiler could not find gmp.h.

I removed and reinstalled gmp in /usr and everything worked.

Shouldn't /usr/local/include be included in the path?
Especially given that I built clamav to run in /usr/local.

Sakshale



[Clamav-users] DNS behind a firewall

2004-11-10 Thread Sakshale eQuorian
I was running 7.0 without any problems.

I updated to 8.0, but it appears that the new DNS functions;
   DatabaseMirror database.clamav.net
   DNSDatabaseInfo current.cvd.clamav.net
don't work with the proxy routines.

--
freshclam daemon 0.80 (OS: solaris2.9, ARCH: sparc, CPU: sparc)
ClamAV update process started at Wed Nov 10 13:50:18 2004
ERROR: Can't query current.cvd.clamav.net
main.cvd is up to date (version: 27, sigs: 23982, f-level: 2, builder: tomek)
ERROR: Can't query current.cvd.clamav.net
daily.cvd is up to date (version: 584, sigs: 2477, f-level: 3, builder: trog)
--

I have the following fields defined in the freshclam configuration file:

# Proxy settings
HTTPProxyServer proxy.example.com
HTTPProxyPort 8080
HTTPProxyUsername username
HTTPProxyPassword password

--

These worked for getting updates with 7.0;

--
Received signal 14, wake up
ClamAV update process started at Tue Nov  9 20:36:18 2004
SECURITY WARNING: NO SUPPORT FOR DIGITAL SIGNATURES
main.cvd is up to date (version: 27, sigs: 23982, f-level: 2, builder: tomek)
daily.cvd updated (version: 582, sigs: 2467, f-level: 3, builder: ccordes)
WARNING: Your ClamAV installation is OUTDATED - please update immediately !
WARNING: Current functionality level = 2, required = 3
Database updated (26449 signatures) from database.clamav.net.
Clamd successfully notified about the update.
--



Re: [Clamav-users] clamuko - howto scan downloads while save them?

2004-11-10 Thread Alexander Stielau
On Mon, Nov 08, 2004 at 05:32:10PM +0100, Alexander Stielau wrote:
> 
> Is it possible to use something like ClamukoScanOnWrite, or is there a 
> logical mistake on my part?

I asked the dazuko developers, and it is *not* possible at this time
to use ON_CLOSE events with 2.6.x kernels:


So I switched back to 2.4.27, and now I get an ON_CLOSE event from
dazuko/clamuko via clamd in the syslog when I try to cp a test file
from the source distribution to a clamuko-scanned directory, but no
action is taken against it:

zwiebelfisch:/tmp# cp /usr/src/clamav-0.80/test/clam.exe /tmp/
zwiebelfisch:/tmp# ls -la /tmp/clam.exe 
-rw-r--r--  1 root root 544 Nov 10 17:54 /tmp/clam.exe
zwiebelfisch:/tmp# tail -1 /var/log/syslog
Nov 10 17:47:22 zwiebelfisch clamd[26600]: Clamuko: /tmp/clam.exe: ClamAV-Test-File FOUND 

So I get only a logging action on ScanOnClose; with
ScanOnOpen I get 'real' actions.

I need actions (e.g. do not bind the inode to the directory structure
information before the filehandle is unlocked, or something like that)
also for ScanOnClose.


Aleks



RE: [Clamav-users] Bofra?

2004-11-10 Thread Kevin Hanser
> -Original Message-
> On Tue, 9 Nov 2004 14:54:05 -0500
> "Kevin Hanser" <[EMAIL PROTECTED]> wrote:
> 
> > I read a security blurb from Watchguard today that mentions a new
> > virus dubbed Bofra.A.  I looked thru the mailing list and haven't seen
> > any mention of it yet...  Does ClamAV catch this one yet?
> 
> -> clamav-virusdb archives
> 
> -- 
>oo. Tomasz Kojm <[EMAIL PROTECTED]>

Thanx!  I didn't even realize that mailing list existed!  Subscribed now
:)

k


Re: [Clamav-users] RE: Return value "72" from clamd <-> mimedefang.pl SOLVED

2004-11-10 Thread paul
Just a quick question. When changing to 0.80, did you have to change
what you used in /etc/rc.conf to start clam? Meaning, anything
different or more than clamav_clamd_enable="YES"
clamav_freshclam_enable="YES"

?




On Wed, 10 Nov 2004 09:20:52 -0500 (EST), gfb <[EMAIL PROTECTED]> wrote:
> >Date: Tue, 9 Nov 2004 22:47:01 -0500 (EST)
> >From: gfb <[EMAIL PROTECTED]>
> >Subject: [Clamav-users] Return value "72" from clamd <-> mimedefang.pl
> >   [help?]
> >To: [EMAIL PROTECTED]
> >Message-ID: <[EMAIL PROTECTED]>
> >
> >Tue Nov  9 22:03:30 EST 2004
> >
> >Hello,
> >
> >I am looking for some assistance in tracking down a failure of clamd
> >after an upgrade to ClamAV 0.80/582/. Interactively, clamscan and clamd
> >appear to function normally and correctly but when called from 
> >MIMEDefang-filter
> >(mimedefang.pl) , clamd returns an error code (72) that I have been unable 
> >to find
> 
> Follow up to myself, and thanks to all of those who would have helped had my
> night's sleep not clarified things. Answer:
> 
> a. Add lots of debug yourself , but watch out for Heisenberg. :)
> 
> b. Make sure that either the user that clamd runs as (clamav) has write 
> permission
> on the files/directories he has to scan AND/OR
> 
> c. Make sure that if you change the user clamd runs as (mailnull for instance)
> to get scanning permission on MIMEDefang directories , that THAT user can 
> write
> to the UNIX socket that clamd is listening on.
> 
> d. NEVER *completely* trust automatic upgrade scripts (FreeBSD Portupgrade) 
> and
> 
> e. If it's almost quitting time, back away from the mail server slowly. When 
> the
> nice Clamav guys  say UPGRADE NOW they don't necessarily mean Right This 
> Minute. :)
> 
> -Guy Boyd
> VTA Technologies / VTA INC.
> Atlanta Georgia  USA
> 


[Clamav-users] RE: Return value "72" from clamd <-> mimedefang.pl SOLVED

2004-11-10 Thread gfb
>Date: Tue, 9 Nov 2004 22:47:01 -0500 (EST)
>From: gfb <[EMAIL PROTECTED]>
>Subject: [Clamav-users] Return value "72" from clamd <-> mimedefang.pl
>   [help?]
>To: [EMAIL PROTECTED]
>Message-ID: <[EMAIL PROTECTED]>
>
>Tue Nov  9 22:03:30 EST 2004
>
>Hello,
>
>I am looking for some assistance in tracking down a failure of clamd
>after an upgrade to ClamAV 0.80/582/. Interactively, clamscan and clamd
>appear to function normally and correctly but when called from 
>MIMEDefang-filter
>(mimedefang.pl) , clamd returns an error code (72) that I have been unable to 
>find

Follow up to myself, and thanks to all of those who would have helped had my
night's sleep not clarified things. Answer: 

a. Add lots of debug yourself , but watch out for Heisenberg. :)

b. Make sure that either the user that clamd runs as (clamav) has write 
permission 
on the files/directories he has to scan AND/OR

c. Make sure that if you change the user clamd runs as (mailnull for instance)
to get scanning permission on MIMEDefang directories , that THAT user can write
to the UNIX socket that clamd is listening on.   

d. NEVER *completely* trust automatic upgrade scripts (FreeBSD Portupgrade) and

e. If it's almost quitting time, back away from the mail server slowly. When the 
nice Clamav guys  say UPGRADE NOW they don't necessarily mean Right This 
Minute. :)


-Guy Boyd
VTA Technologies / VTA INC.
Atlanta Georgia  USA
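As an added example, not part of Guy's post or of ClamAV itself: a shell check for items b and c above, that the account clamd runs as can write both the directory it has to scan and the UNIX socket it listens on. The user name, socket path and spool directory are placeholder assumptions; the check reads only the classic mode bits (root bypasses them and ACLs are not considered), so it flags the permission mismatch the post describes without needing to switch users.

```shell
#!/bin/sh
# Added example, not from the list post: verifies items b and c above.
# Placeholders (override via environment): the clamd user, the clamd
# UNIX socket and the MIMEDefang directory clamd has to scan.

CLAMD_USER=${CLAMD_USER:-clamav}
CLAMD_SOCKET=${CLAMD_SOCKET:-/var/run/clamav/clamd.sock}
SCAN_DIR=${SCAN_DIR:-/var/spool/MIMEDefang}

# ls_field PATH N -> field N of 'ls -ld' (1=mode, 3=owner, 4=group); portable
ls_field() { ls -ld "$1" | awk -v n="$2" '{print $n}'; }

# user_in_group USER GROUP -> 0 if USER's primary or supplementary groups include GROUP
user_in_group() { id -Gn "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"; }

# writable_by USER PATH -> 0 if the mode bits grant USER write access to PATH
writable_by() {
  user=$1; path=$2
  [ -e "$path" ] || return 1          # missing socket/directory: cannot write
  mode=$(ls_field "$path" 1)          # e.g. srw-rw---- or drwxr-x---
  if [ "$(ls_field "$path" 3)" = "$user" ]; then
    pos=3                             # owner write bit
  elif user_in_group "$user" "$(ls_field "$path" 4)"; then
    pos=6                             # group write bit
  else
    pos=9                             # other write bit
  fi
  [ "$(printf '%s' "$mode" | cut -c"$pos")" = "w" ]
}

# check_clamd_access USER SOCKET DIR -> one line per check; 0 only if both pass
check_clamd_access() {
  rc=0
  for p in "$2" "$3"; do
    if writable_by "$1" "$p"; then
      echo "ok: $1 can write $p"
    else
      echo "FAIL: $1 cannot write $p (mode $(ls_field "$p" 1 2>/dev/null))"
      rc=1
    fi
  done
  return $rc
}

# Run the check only when executed as a script, not when sourced.
case $(basename "$0") in
  clamd-access-check.sh) check_clamd_access "$CLAMD_USER" "$CLAMD_SOCKET" "$SCAN_DIR" ;;
esac
```

Run it after any change of the clamd user or of the socket's owner/mode (for instance after a port upgrade has rewritten clamd.conf); a FAIL on the socket with a correct scan directory is exactly the case in item c, where the new user can scan the files but cannot reach the socket.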




Re: [Clamav-users] LibClamAV Warning: Broken PE header detected

2004-11-10 Thread Tomasz Kojm
On Wed, 10 Nov 2004 12:30:55 +0300
George Chelidze <[EMAIL PROTECTED]> wrote:

> I know your team is very busy, but anyway if you are interested in 
> samples I can provide them.

Please don't submit broken samples (they will be rejected by our
submission system anyway).

-- 
   oo. Tomasz Kojm <[EMAIL PROTECTED]>
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Wed Nov 10 11:41:52 CET 2004




Re: [Clamav-users] LibClamAV Warning: Broken PE header detected

2004-11-10 Thread George Chelidze

Tomasz Papszun wrote:
> On Wed, 10 Nov 2004 at 11:47:59 +0300, George Chelidze wrote:
> > Tomasz Kojm wrote:
> > > The way libclamav works in the case of executable files is:
> > > 1. check the file against the signature database and stop scanning if
> > > virus is found
> > > 2. run PE parser (report broken executables; try to guess and unpack
> > > compressed files)
> >
> > One additional question here:
> > I get several messages a day which are marked as broken executables by
> > clamav but as I-Worm.NetSky.o by kav. AFAIK it's an alias to
> > Worm.SomeFool.N. Why doesn't clam detect the known signature and instead
> > fall through to step 2? (Maybe part of the signature is missing because
> > the file is broken?)
>
> I believe so. To be sure, the samples would have to be examined.

I know your team is very busy, but anyway if you are interested in
samples I can provide them.

> > I don't think clamav and kav use signatures which differ a
> > lot, do they?
>
> They surely differ.

Thanks for your time and your great product.
Best Regards,
--
George Chelidze


Re: [Clamav-users] LibClamAV Warning: Broken PE header detected

2004-11-10 Thread Tomasz Papszun
On Wed, 10 Nov 2004 at 11:47:59 +0300, George Chelidze wrote:
> Tomasz Kojm wrote:
> >
> >The way libclamav works in the case of executable files is:
> >
> >1. check the file against the signature database and stop scanning if
> >virus is found
> >
> >2. run PE parser (report broken executables; try to guess and unpack
> >compressed files)
> 
> One additional question here:
> 
> I get several messages a day which are marked as broken executables by 
> clamav but as I-Worm.NetSky.o by kav. AFAIK it's an alias to 
> Worm.SomeFool.N. Why doesn't clam detect the known signature and instead
> fall through to step 2? (Maybe part of the signature is missing because
> the file is broken?) 

I believe so. To be sure, the samples would have to be examined.

> I don't think clamav and kav use signatures which differ a 
> lot, do they?

They surely differ.

-- 
 Tomasz Papszun   SysAdm @ TP S.A. Lodz, Poland  | And it's only
 [EMAIL PROTECTED] http://www.lodz.tpsa.pl/iso/ | ones and zeros.
 [EMAIL PROTECTED]   http://www.ClamAV.net/   A GPL virus scanner


Re: [Clamav-users] LibClamAV Warning: Broken PE header detected

2004-11-10 Thread George Chelidze

Tomasz Kojm wrote:
> On Thu, 4 Nov 2004 11:47:41 +0200 (CAT)
> Jim Holland <[EMAIL PROTECTED]> wrote:
>
> > The attachment is clearly malware (the message looks like a Klez
>
> Clearly? How do you know that? Do you have a code analyser built into
> your eyes?
>
> > virus-free (fortunately it then goes on to block it because of the file
> > name, but that is beside the point).  Is the above report an error
> > with ClamAV, or is the file actually harmless because of the broken PE
> > header?  Would it not be desirable for ClamAV to flag such files as
> > being viruses (even if they are broken)?
>
> The way libclamav works in the case of executable files is:
> 1. check the file against the signature database and stop scanning if
> virus is found
> 2. run PE parser (report broken executables; try to guess and unpack
> compressed files)

One additional question here:
I get several messages a day which are marked as broken executables by 
clamav but as I-Worm.NetSky.o by kav. AFAIK it's an alias to 
Worm.SomeFool.N. Why doesn't clam detect the known signature and instead
fall through to step 2? (Maybe part of the signature is missing because
the file is broken?) I don't think clamav and kav use signatures which
differ a lot, do they?

> So it doesn't reject files without scanning just because they
> seem to be broken.

Thanks in advance.
Best Regards,
--
George Chelidze