[Clamav-users] upgrade problems, no matter what i try freshclam still reports an outdated install

2005-02-22 Thread peter
Please help
when i perform an upgrade to my clamav i still get an error when i run
freshclam 
ClamAV update process started at Tue Feb 22 20:42:00 2005
WARNING: Your ClamAV installation is OUTDATED - please update
immediately!
WARNING: Local version: 0.80 Recommended version: 0.83
main.cvd is up to date (version: 29, sigs: 29086, f-level: 3,
builder: tomek)
Downloading daily.cvd [*]
daily.cvd updated (version: 720, sigs: 1949, f-level: 4,
builder: tkojm)
WARNING: Your ClamAV installation is OUTDATED - please update
immediately!
WARNING: Current functionality level = 3, required = 4
Database updated (31035 signatures) from db.au.clamav.net
(203.16.234.78).
Clamd successfully notified about the update.

i have tried using yum update clamav and i still get the same result. i
have tried doing a yum remove clamav, deleting all the rpm.save files
and then reinstalling clamav. when i do a yum info clamav i get this 
Gathering header information file(s) from server(s)
Server: Fedora Core 2 - i386 - Base
Server: openswan - Fedora Openswan IPsec packages
Server: Fedora Core 2 - i386 - CrashHat
Finding updated packages
Downloading needed headers
Looking in Available Packages:

Looking in Installed Packages:
Name   : clamav
Arch   : i386
Version: 0.83
Release: 1
Size   : 3.56 MB
Group  : System Environment/Daemons
Repo   : Locally Installed
Summary: An antivirus toolkit for Unix
Description:
Clam AntiVirus is a GPL anti-virus toolkit for UNIX. The main
purpose of this
software is the integration with mail servers (attachment
scanning).
The package provides a flexible and scalable multi-threaded
daemon,
a command line scanner, and a tool for automatic updating via
Internet.
The programs are based on a shared library distributed with
package,
which you can use with your own software.
Most importantly, the virus database is kept up to date .

obviously there is something simple that i am missing as i can't find any
other reference to this problem. does any one have any ideas?

[Clamav-users] clamav-virusdb-xml ?

2005-02-22 Thread Per Jessen
I haven't seen any mails from the XML-list since Feb4 - what's the story?  Was
I accidentally unsubscribed or is the list down?


/Per Jessen, Zürich


___
http://lurker.clamav.net/list/clamav-users.html


RE: [Clamav-users] upgrade problems, no matter what i try freshclam still reports an outdated install

2005-02-22 Thread Mal Herring
 obviously there is something simple that i am missing as i 
 can't find any other reference to this problem. does any one 
 have any ideas?

This has been covered previously on more than one occasion...

Please search the mailing list archives, You will find posts from others
and me included when I was in your same situation.  The answer is simple
- search the archives and you will find the key - if you get really
stuck then do ask another question to the list.

Thanks.


Re: [Clamav-users] clamav-virusdb-xml ?

2005-02-22 Thread Luca Gibelli
Hello Per Jessen,

 I haven't seen any mails from the XML-list since Feb4 - what's the story?  Was
 I accidentally unsubscribed or is the list down?

We sent a message announcing that we were taking down the service. We'll
be providing a new (better, we hope) service by the end of the month[*].


Best regards

[*]: no guarantees, it may take longer, but we'll announce it on the old
clamav-virusdb-xml@ when it's ready.

-- 
Luca Gibelli (luca at clamav.net) - ClamAV, a GPL virus scanner
PGP Key Fingerprint: C782 121E 8C3A 90E3 7A87  D802 6277 8FF4 5EFC 5582
PGP Key Available on: Key Servers || http://www.clamav.net/gpg/luca.gpg

BOFH excuse:
 * hotpop.com went push


[Clamav-users] Request for --whitelist-ip-addr=FILE

2005-02-22 Thread Panagiotis Christias
Hello,

as reported to the list a couple of months ago in some cases (my case
too) emails are relayed from one mail server to another within the
same network/organisation. When all the mail servers run clamav the
emails get scanned more than one time.

It would be handy if clamav-milter had an option like
--whitelist-ip-addr=FILE, which would allow more networks to be
added in the localNets array using an external file.

Regards,
Panagiotis


Re: [Clamav-users] List SPF

2005-02-22 Thread Daniel J McDonald
On Tue, 2005-02-22 at 12:30 +0100, Luca Gibelli wrote:
 Hello Robin Lynn Frank,
 
  Might I respectfully suggest to the administrators of this list that if 
  they use SPF, it would be a good idea to include any alternate servers 
  they might use in the SPF DNS TXT.

 Can you provide a log showing where our setup would be wrong? 

Received: from bolt.electric.ci.austin.tx.us ([10.10.10.3]) by
ohms.austinenergy.com with SMTP (Microsoft Exchange Internet
Mail Service
Version 5.5.2653.13) id 1QMFMD2B; Mon, 21 Feb 2005 09:43:41
-0600
Received: from sa.austinenergy.com ([198.214.232.45]) by
bolt.electric.ci.austin.tx.us via smtpd (for
ohms.electric.ci.austin.tx.us
[162.89.5.22]) with SMTP; Mon, 21 Feb 2005 09:44:59 -0600
Received: from localhost (sa.austinenergy.com [127.0.0.1]) by
sa2.austinenergy.com (Postfix) with ESMTP id A07D9A5 for
[EMAIL PROTECTED]; Mon, 21 Feb 2005 09:44:59 -0600
(CST)
Received: from sa2.austinenergy.com ([127.0.0.1]) by localhost
(sa2.austinenergy.com [127.0.0.1]) (amavisd-new, port 10025)
with LMTP id
20930-01-78 for [EMAIL PROTECTED]; Mon, 21 Feb
2005 09:44:58
-0600 (CST)
Received: from aj.catt.com (aj.catt.com [64.18.103.6]) by
sa2.austinenergy.com (Postfix) with ESMTP id E8DFF41 for
[EMAIL PROTECTED]; Mon, 21 Feb 2005 09:44:58 -0600
(CST)
Received: from aj.catt.com (localhost [127.0.0.1]) by aj.catt.com
(Postfix)
with ESMTP id 8774C15601B; Mon, 21 Feb 2005 10:43:01 -0500 (EST)
Received: from zeus.itg.uiuc.edu (zeus.itg.uiuc.edu [130.126.126.162])
by
aj.catt.com (Postfix) with ESMTP id CB942155FE8 for
clamav-users@lists.clamav.net; Sun, 20 Feb 2005 11:21:23 -0500
(EST)
Received: from zeus.itg.uiuc.edu (localhost.localdomain [127.0.0.1]) by
zeus.itg.uiuc.edu (8.12.11/8.12.11) with ESMTP id j1KGLMMG004993
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256
verify=NO) for
clamav-users@lists.clamav.net; Sun, 20 Feb 2005 10:21:22 -0600
Received: from localhost ([EMAIL PROTECTED]) by zeus.itg.uiuc.edu
(8.12.11/8.12.11/Submit) with ESMTP id j1KGLIWE004985 for
clamav-users@lists.clamav.net; Sun, 20 Feb 2005 10:21:22 -0600
X-Authentication-Warning: zeus.itg.uiuc.edu: menscher owned process
doing
-bs
Date: Sun, 20 Feb 2005 10:21:18 -0600 (CST)
From: Damian Menscher [EMAIL PROTECTED]
X-X-Sender: [EMAIL PROTECTED]
To: ClamAV Users clamav-users@lists.clamav.net
Message-ID: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Subject: ***SPAM*** [Clamav-users] freshclam and milter --internal
notification
X-BeenThere: clamav-users@lists.clamav.net
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: ClamAV users ML clamav-users@lists.clamav.net
List-Id: ClamAV users ML clamav-users.lists.clamav.net
List-Unsubscribe:
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users,
mailto:[EMAIL PROTECTED]
List-Post: mailto:clamav-users@lists.clamav.net
List-Help: mailto:[EMAIL PROTECTED]
List-Subscribe:
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users,
mailto:[EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]
Errors-To: [EMAIL PROTECTED]
X-Virus-Scanned: amavisd-new at austinenergy.com
X-Spam-Status: Yes, hits=4.999 tagged_above=-1 required=4.6
tests=SPF_FAIL,
SPF_HELO_PASS
X-Spam-Score: 4.999
X-Spam-Level: 
X-Spam-Flag: YES
X-Evolution-Source:
imap://aenetad%5cmcdonalddj%
[EMAIL PROTECTED]/



[Clamav-users] false positives

2005-02-22 Thread david thompson
Hi all,
Does clamscan report 'Found' on a virus which other scanners do not detect?
What I mean to ask is, is clam fully reliable?
I scanned a windows fat32 partition yesterday and one 'found' was reported.
I went on to the web to find what 'w32.cih.1003' is.  It's a trojan.  At 
this point I scan the file with f-prot.  Nothing found.

I then download avg - the free windows virus scanner.  install it and 
get the latest definitions.  I scan in windows using avg.  Nothing found.

This is not the first time this has happened.  I scanned a friend's hard 
drive with windowsxp on it, and clamscan found 'lion' coincidentally 
within the same file that a virus was found on my winxp system - 
pagefile.sys.

That's why I am now thinking clamscan may not be working properly.  I am 
using clam 0.83 on slackware 10.

Any ideas
Cheers
David


[Clamav-users] ClamAV not paying attention to conf file.

2005-02-22 Thread Scott Ryan
FC3, Clamav 0.83:

I removed the ScanMail option from the conf file, because I am using 
reformmime in qmail-scanner, but when I start clamav it keeps saying:
Mail files support enabled.

Conf file:

# cat /etc/clamd.conf

# General Config
User clamav
Foreground
LogFile /dev/stderr
LogSyslog
TemporaryDirectory /var/spool/qmailscan
SelfCheck 300

# DB Location
DatabaseDirectory /usr/share/clamav

# Socket Type and Port
TCPSocket 3310
TCPAddr 127.0.0.1

#Thread Stuff
MaxConnectionQueueLength 100
MaxThreads 300
ReadTimeout 60

# Scanning Parameters
StreamMaxLength 20M
MaxDirectoryRecursion 15
FollowDirectorySymlinks
FollowFileSymlinks
ScanPE
DetectBrokenExecutables
ScanOLE2
ScanHTML

# Archive Parameters
ScanArchive
ScanRAR
ArchiveMaxFileSize 10M
ArchiveMaxRecursion 5
ArchiveMaxFiles 100
ArchiveMaxCompressionRatio 200
ArchiveBlockMax

Log file:

2005-02-22 14:32:57.084198500 +++ Started at Tue Feb 22 14:32:57 2005
2005-02-22 14:32:57.084204500 clamd daemon 0.83 (OS: linux-gnu, ARCH: i386, 
CPU: i686)
2005-02-22 14:32:57.084210500 Log file size limited to 1048576 bytes.
2005-02-22 14:32:57.084215500 Running as user root (UID 0, GID 0)
2005-02-22 14:32:57.084221500 Reading databases from /usr/share/clamav
2005-02-22 14:32:58.514747500 Protecting against 31035 viruses.
2005-02-22 14:32:58.523123500 Bound to address 127.0.0.1 on port 3310
2005-02-22 14:32:58.523347500 Setting connection queue length to 100
2005-02-22 14:32:58.523669500 Archive: Archived file size limit set to 
10485760 bytes.
2005-02-22 14:32:58.523784500 Archive: Recursion level limit set to 5.
2005-02-22 14:32:58.523891500 Archive: Files limit set to 100.
2005-02-22 14:32:58.523997500 Archive: Compression ratio limit set to 200.
2005-02-22 14:32:58.524102500 Archive support enabled.
2005-02-22 14:32:58.524205500 Archive: RAR support enabled.
2005-02-22 14:32:58.524316500 Archive: Blocking archives that exceed limits.
2005-02-22 14:32:58.524422500 Portable Executable support enabled.
2005-02-22 14:32:58.524545500 Detection of broken executables enabled.
2005-02-22 14:32:58.524650500 Mail files support enabled.
2005-02-22 14:32:58.524754500 OLE2 support enabled.
2005-02-22 14:32:58.529606500 HTML support enabled.
2005-02-22 14:32:58.540238500 Self checking every 300 seconds

-- 
Scott Ryan
Telkom Internet


Re: [Clamav-users] ClamAV not paying attention to conf file.

2005-02-22 Thread Daniel J McDonald
On Tue, 2005-02-22 at 15:52 +0200, Scott Ryan wrote:
 FC3, Clamav 0.83:
 
 I removed the ScanMail option from the conf file, because I am using 
 reformmime in qmail-scanner, but when I start clamav it keeps saying:
 Mail files support enabled.

# By default clamd uses scan options recommended by libclamav. This option
# disables recommended options and allows you to enable selected ones below.
# DO NOT TOUCH IT unless you know what you are doing.
# Default: disabled
#DisableDefaultScanOptions

-- 
Daniel J McDonald, CCIE # 2495, CNX
Austin Energy

[EMAIL PROTECTED]



Re: [Clamav-users] false positives

2005-02-22 Thread Niek
david thompson wrote:
 That's why I am now thinking clamscan may not be working properly.  I am 
 using clam 0.83 on slackware 10.
 
 Any ideas

Submit false positives via www.clamav.net
And don't over do the punctuation :)

Niek
--


Re: [Clamav-users] false positives

2005-02-22 Thread Trog
On Tue, 2005-02-22 at 15:28 +0100, Niek wrote:
 david thompson wrote:
  That's why I am now thinking clamscan may not be working properly.  I am 
  using clam 0.83 on slackware 10.
  
  Any ideas
 
 Submit false positives via www.clamav.net
 And don't over do the punctuation :)
 

Errr no. Don't submit your pagefile.sys. I suggest you exclude it
from the scan.

-trog





Re: [Clamav-users] List SPF

2005-02-22 Thread Luca Gibelli

Hello Daniel J McDonald,


   Might I respectfully suggest to the administrators of this list that if 
   they use SPF, it would be a good idea to include any alternate servers 
   they might use in the SPF DNS TXT.
 
  Can you provide a log showing where our setup would be wrong? 
 
 aj.catt.com (Postfix) with ESMTP id CB942155FE8 for
 clamav-users@lists.clamav.net; Sun, 20 Feb 2005 11:21:23 -0500
 (EST)

That was an old message sitting in the queue. It doesn't apply to
new messages.


Best regards

-- 
Luca Gibelli (luca at clamav.net) - ClamAV, a GPL virus scanner
PGP Key Fingerprint: C782 121E 8C3A 90E3 7A87  D802 6277 8FF4 5EFC 5582
PGP Key Available on: Key Servers || http://www.clamav.net/gpg/luca.gpg


Re: [Clamav-users] false positives

2005-02-22 Thread Gian Carlo
On Tue, Feb 22, 2005 at 01:47:17PM +, david thompson wrote:
 
 I scanned a windows fat32 partition yesterday and one 'found' was reported.
 
 I went on to the web to find what 'w32.cih.1003' is.  It's a trojan.  At 
 this point I scan the file with f-prot.  Nothing found.
 
 I then download avg - the free windows virus scanner.  install it and 
 get the latest definitions.  I scan in windows using avg.  Nothing found.

When Clamav started blocking Trojan.Downloader.Small-165 at the end of
january, F-prot went on for nearly a week telling the file was ok.
F-prot started recognizing the Bagle variant *AFTER* I uploaded the
attachment.
It may happen, I have NOT lost my good opinion in f-prot.
BTW... Thanks to all clamav-people!
Bye,
gc :-)



Re: [Clamav-users] false positives

2005-02-22 Thread Tomasz Kojm
On Tue, 22 Feb 2005 13:47:17 +
david thompson [EMAIL PROTECTED] wrote:

 I went on to the web to find what 'w32.cih.1003' is.  It's a trojan. 

No, it isn't. It's a file virus using midfile infection method and most
scanners do not clean it properly only changing the entry point and
leaving the virus body untouched.

-- 
   oo. Tomasz Kojm [EMAIL PROTECTED]
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Tue Feb 22 15:44:06 CET 2005




RE: [Clamav-users] Exclude with clamdscan

2005-02-22 Thread Plant, Dean
Tomasz Kojm wrote:
  
  I'm still having problems while trying to run a full scan from root.
  If I scan using 
  
  Clamscan -r / --exclude=/net --exclude=/home
  
  Clamscan seems to traverse down /net/localhost and then
  /net/localhost/net/hostname and then
  /net/localhost/net/hostname/net/loghost excluding each /pathname/file
  that has net in it rather than just hitting /net and moving onto
  another folder. I'm not sure if I am missing something obvious but is
  there a way to only local scan local real file systems from root.   
 
 Does
 
 clamscan -r / --exclude=^/net.* --exclude=^/home.*
 
 work OK?

No. It is correctly excluding the files but the scan never finishes as it
still loops into /net/folder/file then /net/localhost/folder/file then
/net/localhost/net/hostname/folder/file excluding each file it comes across.

I'm not sure if this is just a Solaris problem but it seems that it is
impossible to fully scan the server using clamscan -r / as it always gets
stuck in a long loop when dealing with /net.

Is it possible to completely exclude the /net folder so that when clamscan
hits this directory it does not check the contents of it? 

Dean
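
The behaviour described in this message, where every file under /net is visited and then excluded one by one, comes from filtering names instead of pruning the directory during the walk. The following is an added example, not from the thread or the ClamAV project: it builds the file list with find, pruning whole trees and staying on one file system. The function names and the sample tree are constructed for illustration, and the clamscan `--file-list` option in the comment is assumed to be available in the installed build (it may not be in the 0.83 release discussed here).

```shell
#!/bin/sh
# Added example: build a scan target list that never descends into
# pruned directories (for example an automounter tree such as /net).

# walk KIND ROOT [PRUNE_DIR...]
# Prints entries of KIND (f = files, d = directories) under ROOT.
# Each PRUNE_DIR must be written exactly as find will print it
# (ROOT followed by the sub-path, no trailing slash).
# -xdev keeps find on ROOT's own file system, so mounts are not crossed.
walk() {
    kind=$1
    root=$2
    shift 2
    n=$#
    i=0
    # Rewrite "$@" from "A B" into "-path A -o -path B".
    while [ "$i" -lt "$n" ]; do
        dir=$1
        shift
        if [ "$i" -eq 0 ]; then
            set -- "$@" -path "$dir"
        else
            set -- "$@" -o -path "$dir"
        fi
        i=$((i + 1))
    done
    if [ "$n" -eq 0 ]; then
        find "$root" -xdev -type "$kind" -print
    else
        # -prune stops the descent at the matched directory itself.
        find "$root" -xdev \( "$@" \) -prune -o -type "$kind" -print
    fi
}

# Regular files that should be handed to the scanner.
list_scan_targets() { walk f "$@"; }

# Directories the walk actually enters (to compare traversal cost).
dirs_entered() { walk d "$@"; }

# Constructed sample tree mimicking the nested /net layout in the message.
make_sample_tree() {
    mkdir -p "$1/etc" "$1/var/log" "$1/home/u" "$1/net/localhost/net/hostname"
    : > "$1/etc/passwd"
    : > "$1/var/log/x"
    : > "$1/home/u/doc"
    : > "$1/net/localhost/net/hostname/file"
}

# Usage on a real host (assumes clamscan supports --file-list):
#   list_scan_targets / /net /home > /tmp/scan-targets
#   clamscan --file-list=/tmp/scan-targets
```

On the sample tree, pruning `net` and `home` leaves 4 directories entered instead of 10, and only the two local files are listed.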




[Clamav-users] Clamav Home Page Problem

2005-02-22 Thread Ken Jones
When I go to the address http://www.clamav.net/ the latest version is
still .82. If I click the download link, .83 is available.

This could be a problem for someone not on the mailing list, and just
checking the home page to ensure they have the latest version ...

- Ken


-- 
Ken Jones



Re: [Clamav-users] freshclam and milter --internal notification

2005-02-22 Thread Jim Maul
Damian Menscher wrote:
 [6th try to get this sent out.]

And i've seen this message 6 times already.

 I'm using clamav-milter in the default mode (no --external flag).  As such, I
 see no need to run clamd.  But freshclam doesn't like this very much:
 
 freshclam[26975]: ERROR: Clamd was NOT notified: No socket specified in
 /usr/local/encap/clamav-0.83/etc/clamd.conf
 
 Now, clamav-milter will still see the updates, right?  Since it checks the
 database for changes?  Or should I be doing something differently here, like
 setting the socket in clamd.conf to the milter.sock (rather than the clamd.sock
 it would normally have pointed to)?  If I'm not doing something wrong here,
 then perhaps this freshclam message should be toned down a bit from ERROR to
 Warning, or have a flag to disable it?
 
 Damian Menscher


[Clamav-users] Freshclam and Cron

2005-02-22 Thread Jim . Melin
Freshclam via cron

What sort of update intervals are people using, and can someone show me a
working crontab entry? I've tried calling freshclam like this via a crontab
entry

06 0  * * * /usr/local/bin/freshclam

But it doesn't seem to work. Which means I'm probably missing something
obvious.



Re: [Clamav-users] Clamav Home Page Problem

2005-02-22 Thread Tomasz Kojm
On Tue, 22 Feb 2005 09:38:20 -0600 (CST)
Ken Jones [EMAIL PROTECTED] wrote:

 When I go to the address http://www.clamav.net/ the latest version is
 still .82.

No, it isn't. That's only a news on exploit detection in 0.82.

-- 
   oo. Tomasz Kojm [EMAIL PROTECTED]
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Tue Feb 22 16:53:47 CET 2005




Re: [Clamav-users] Clamav Home Page Problem

2005-02-22 Thread BitFuzzy

 On Tue, 22 Feb 2005 09:38:20 -0600 (CST)
 Ken Jones [EMAIL PROTECTED] wrote:
 
  When I go to the address http://www.clamav.net/ the latest version is
  still .82.

0.83 is listed under stable downloads, as it should be.
I may be wrong here, but I believe 0.83 was more or less just a bug fix, 
which explains why you're not seeing it among the release notifications 
on the website.



Re: [Clamav-users] Freshclam and Cron

2005-02-22 Thread Pierrick PONS
Freshclam is not to use on cron.
 
In freshclam.conf , you have :
# Check for new database 24 times a day
Checks 24

So freshclam daemon will check every hour a day for updates. Freshclam must 
always be running. Just do a 'ps auxwww|grep fresh' to see if freshclam is 
running.

Hope this will help.


Pierrick



Re: [Clamav-users] Clamav Home Page Problem

2005-02-22 Thread Ken Jones

 On Tue, 22 Feb 2005 09:38:20 -0600 (CST)
 Ken Jones [EMAIL PROTECTED] wrote:

 When I go to the address http://www.clamav.net/ the latest version is
 still .82.

 No, it isn't. That's only a news on exploit detection in 0.82.

Ok, I stand corrected ... but it might be nice, as that page also shows
the latest dat revisions, to have a line indicating the latest stable
release version ...

For many, if not all, the releases since .74 they have always made it to
that page.

Just a suggestion :)

- Ken

 --
oo. Tomasz Kojm [EMAIL PROTECTED]
   (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
  \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
//\   /\  Tue Feb 22 16:53:47 CET 2005



-- 
Ken Jones




[Clamav-users] stdin - stdout mail filter

2005-02-22 Thread Craig Green
Philipp Offermann wrote:
 Hi,
 I'm using courier-mta and am looking for a mail filter that does the
 following:

I've never used courier-mta, so don't know much about it.  That said:

 - read mail from stdin
 - scan for viruses
 - modify header of the message accordingly
 - optional: send mail to sender in case of infection
 - optional: remove virus from mail
 - write resulting mail to stdout

Clamassassin is a script which gives a spamassassin-like method of 
operation to ClamAV.  In other words, it reads a file from STDIN, throws 
it to clamd for scanning, and then writes the email to STDOUT with 
headers inserted.  It doesn't do the 'optional' things above, but you do 
say they're optional.

It's designed to make ClamAV scanning easy for procmail users, so it 
needs formail to be present.

We use it as a safety net; most mail is scanned on arrival by 
clamav-milter, but if the milter dies or is reset (or the mail takes a 
certain unusual path through the mail system which happens to bypass the 
primary, milter-equipped servers), mail will get through unscanned.  
Procmail checks for the milter-added headers and, if they're not there, 
passes the message to clamassassin.

 I want to be able to include that program in the .courier file with ||.

I don't know about this.

 If the program or script would integrate spamassassin it would be great.

It's an sh script, so with a bit of coding it would be simple to direct 
its output to spamc.

There's a link to it on the 3rd party software page on the ClamAV website.

Craig.
--
 At the moment I'm using the longtime discontinued blackhole, which does all
 of this except for writing to stdout, it writes directly to the mailbox
 preventing further filtering.
 Does anyone know a program that fulfills my needs?
 Thanks, Philipp


Re: [Clamav-users] Freshclam and Cron

2005-02-22 Thread Per Jessen
On Tue, 22 Feb 2005 09:53:13 -0600, [EMAIL PROTECTED] wrote:

 Freshclam via cron
 
 What sort of update intervals are people using, and can someone show me a
 working crontab entry? I've tried calling freshclam like this via a crontab
 entry
 
 06 0  * * * /usr/local/bin/freshclam


This is mine:

From /etc/cron.d/clamav:

2 * * * *  root /usr/bin/freshclam

/Per Jessen

-- 
http://www.spamchek.ch/freetrial - see for yourself - 30 days free!




[Clamav-users] Re: clamav-virusdb-xml ?

2005-02-22 Thread Per Jessen
Luca Gibelli wrote:

 Hello Per Jessen,
 
 I haven't seen any mails from the XML-list since Feb4 - what's the story?  
 Was
 I accidentally unsubscribed or is the list down?
 
 We sent a message announcing that we were taking down the service. We'll
 be providing a new (better, we hope) service by the end of the month[*].

Thanks, I obviously missed that one.


/Per Jessen, Zürich




[Clamav-users] Disabling ScanArchive ?

2005-02-22 Thread Jason Byrns
Good morning, everybody.
Can anyone advise on disabling archive scanning for ClamAV?  I've 
researched and changed settings, but it doesn't seem to have changed 
anything.  I want to continue scanning mail going through our server, 
but I want to pass all archives without checking inside.  For now.

In /etc/clamd.conf, I uncommented DisableDefaultScanOptions.  Then I 
commented out the ScanArchive option.  For good measure, I also changed 
ArchiveMaxFiles to zero.

After these changes, clamd.log does show RECOMMENDED OPTIONS DISABLED 
and Archive support disabled -- but if I email myself a zip file, 
containing an executable (or other banned filename), it is still 
rejected.  Password protected or not.

I also commented out ArchiveBlockEncrypted.  The instructions emailed to 
you from ClamAV whenever a banned file is encountered tell you to use a 
password-protected zip file.  But even that doesn't work.  Why not?

Is there something I'm missing?  I've looked at all the mailing list 
archives, FAQs, online documentation, and more.  So far, the methods 
used above are what it seemed like you need to do.

Thanks, for any help you can offer!
--
Jason Byrns
System Administrator, MicroLnk
http://www.MicroLnk.com/
402-328-8600 ext. 653


Re: [Clamav-users] Disabling ScanArchive ?

2005-02-22 Thread Trog
On Tue, 2005-02-22 at 11:00 -0600, Jason Byrns wrote:

 After these changes, clamd.log does show RECOMMENDED OPTIONS DISABLED 
 and Archive support disabled -- but if I email myself a zip file, 
 containing an executable (or other banned filename), it is still 
 rejected.  Password protected or not.

'Banned filename'? ClamAV doesn't do banned filenames.

-trog





Re: [Clamav-users] Disabling ScanArchive ?

2005-02-22 Thread Tomasz Kojm
On Tue, 22 Feb 2005 11:00:09 -0600
Jason Byrns [EMAIL PROTECTED] wrote:

 Good morning, everybody.
 
 Can anyone advise on disabling archive scanning for ClamAV?  I've 
 researched and changed settings, but it doesn't seem to have changed 
 anything.  I want to continue scanning mail going through our server, 
 but I want to pass all archives without checking inside.  For now.

It's your decision but disabling archive scanning would be a VERY
irresponsible move. Many worms are sending out themselves archived, just
like the yesterday's Worm.Sober.K.

-- 
   oo. Tomasz Kojm [EMAIL PROTECTED]
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Tue Feb 22 18:17:31 CET 2005




Re: [Clamav-users] Disabling ScanArchive ?

2005-02-22 Thread Brian Morrison
On Tue, 22 Feb 2005 18:22:19 +0100 in
[EMAIL PROTECTED] Tomasz Kojm [EMAIL PROTECTED]
wrote:

 On Tue, 22 Feb 2005 11:00:09 -0600
 Jason Byrns [EMAIL PROTECTED] wrote:
 
  Good morning, everybody.
  
  Can anyone advise on disabling archive scanning for ClamAV?  I've 
  researched and changed settings, but it doesn't seem to have changed
  
  anything.  I want to continue scanning mail going through our
  server,  but I want to pass all archives without checking inside. 
  For now.
 
 It's your decision but disabling archive scanning would be a VERY
 irresponsible move. Many worms are sending out themselves archived, just
 like the yesterday's Worm.Sober.K.
 

I saw something in one of the tech news sites yesterday that stated that
more and more worms are using the RAR format to try to avoid being
scanned. Can someone on the dev team comment on the RAR scanner code in
clamAV please, in terms of whether it is still regarded as having memory
leaks and causing instability? I know it doesn't deal with RAR 3.0
format files but I'm wondering if it might be sensible to enable it, I
just don't want clamd to fall over if I do.

-- 

Brian Morrison

bdm at fenrir dot org dot uk

GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html


Re: [Clamav-users] Disabling ScanArchive ?

2005-02-22 Thread Tomasz Kojm
On Tue, 22 Feb 2005 17:30:42 +
Brian Morrison [EMAIL PROTECTED] wrote:

 code in clamAV please, in terms of whether it is still regarded as
 having memory leaks and causing instability? I know it doesn't deal

You have to test it empirically.

 with RAR 3.0 format files but I'm wondering if it might be sensible to
 enable it, I just don't want clamd to fall over if I do.

Due to license issues with the original RAR3.0 unpacker one of our
developers is working on a new version written from scratch. It's
planned for 0.90.

-- 
   oo. Tomasz Kojm [EMAIL PROTECTED]
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Tue Feb 22 18:39:05 CET 2005




Re: [Clamav-users] Disabling ScanArchive ?

2005-02-22 Thread clamav
At 09:39 AM 2/22/2005, you wrote:
 Due to license issues with the original RAR3.0 unpacker one of our
 developers is working on a new version written from scratch. It's
 planned for 0.90.

two questions: is there a rough timeline for release of 0.90? i.e. - a 
month, six months, a year?

secondly, is there a way to employ unrar checking if one buys an unrar 
license and installs unrar - i couldn't quite see a hook to do that in 
clamd.conf.

Paul Theodoropoulos
http://www.anastrophe.com
http://www.smileglobal.com


Re: [Clamav-users] Disabling ScanArchive ?

2005-02-22 Thread Daniel J McDonald
On Tue, 2005-02-22 at 09:57 -0800, [EMAIL PROTECTED] wrote:
 At 09:39 AM 2/22/2005, you wrote:
 Due to license issues with the original RAR3.0 unpacker one of our
 developers is working on a new version written from scratch. It's
 planned for 0.90.

 secondly, is there a way to employ unrar checking if one buys an unrar 
 license and installs unrar - i couldn't quite see a hook to do that in 
 clamd.conf.

amavis-new does rar unpacking using an external binary, then passes the
unpacked pieces to clamav.



Re: [Clamav-users] Disabling ScanArchive ?

2005-02-22 Thread Jason Byrns
Trog wrote:
 On Tue, 2005-02-22 at 11:00 -0600, Jason Byrns wrote:

 'Banned filename'? ClamAV doesn't do banned filenames.

So that's Amavis blocking banned file names, then?

I have no problems continuing to scan within archives, and I agree 
that's how many viruses are now being distributed.  But I can't even 
send password-protected zip files, if they have any banned file names 
inside.   And the email instructions sent automatically (by Amavis 
and/or ClamAV) say password-protected zip files will get around the 
banned file name.

So my real question is, what if people want to email a file on the 
banned list?  (Y'know, files like *.exe, *.pif, *.bat, *.scr, *.vbs, 
etc)  I see archives still show you the names of files inside, even if 
password protected.

I guess I'd rather not just stop banned files altogether.  It seems 
sensible to block files of these types.  Requiring a password-protected 
zip seemed like a decent way to handle it, to me.  Agreed?

From my /etc/amavisd.conf:

  qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic

Or is this just a question for the Amavis guys instead?  ;)

Thanks for all the quick replies!!
--
Jason Byrns
System Administrator, MicroLnk
http://www.MicroLnk.com/
402-328-8600 ext. 653


Re: [Clamav-users] Disabling ScanArchive ?

2005-02-22 Thread John Jolet
they could always rename the file and include instructions to put the
name back.  bear in mind, that microsoft has started making it difficult
to impossible to get at emails with those kinds of extensions in them
using microsoft's email products.  Some versions require altering a
registry key to enable certain file names, others just require changing
some options.  While I agree, in principle, with the idea of protecting
users from their own stupidity, the historical fact is that the
three-letter extension was ALWAYS a stupid way of telling executables
from non, and the default of hiding those extensions was an even
stupider idea.

the point here, is that even if you get the filenames through the
scanner complex, the email client might block them, making users think
the SCANNER is blocking.

On Tue, 2005-02-22 at 12:09 -0600, Jason Byrns wrote:
 Trog wrote:
  On Tue, 2005-02-22 at 11:00 -0600, Jason Byrns wrote:
  
  'Banned filename'? ClamAV doesn't do banned filenames.
 
 So that's Amavis blocking banned file names, then?
 
 I have no problems continuing to scan within archives, and I agree 
 that's how many viruses are now being distributed.  But I can't even 
 send password-protected zip files, if they have any banned file names 
 inside.   And the email instructions sent automatically (by Amavis 
 and/or ClamAV) say password-protected zip files will get around the 
 banned file name.
 
 So my real question is, what if people want to email a file on the 
 banned list?  (Y'know, files like *.exe, *.pif, *.bat, *.scr, *.vbs, 
 etc)  I see archives still show you the names of files inside, even if 
 password protected.
 
 I guess I'd rather not just stop banned files altogether.  It seems 
 sensible to block files of these types.  Requiring a password-protected 
 zip seemed like a decent way to handle it, to me.  Agreed?
 
  From my /etc/amavisd.conf:
qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic
 
 Or is this just a question for the Amavis guys instead?  ;)
 
 Thanks for all the quick replies!!
 



Re: [Clamav-users] Disabling ScanArchive ?

2005-02-22 Thread Daniel J McDonald
On Tue, 2005-02-22 at 12:09 -0600, Jason Byrns wrote:
 Trog wrote:
  On Tue, 2005-02-22 at 11:00 -0600, Jason Byrns wrote:
  
  'Banned filename'? ClamAV doesn't do banned filenames.
 
 So that's Amavis blocking banned file names, then?
 

Yup.

 I guess I'd rather not just stop banned files altogether.  It seems 
 sensible to block files of these types.  Requiring a password-protected 
 zip seemed like a decent way to handle it, to me.  Agreed?

No.  That means password protected zips can be used for new viruses.  My
solution is to force the vendors to put the files on a password
protected website where my folks can go grab them.  Since we have to
reach out, there is little chance of automatic propagation

Then again I'm paranoid.

 Or is this just a question for the Amavis guys instead?  ;)

Yes.




Re: [Clamav-users] Disabling ScanArchive ?

2005-02-22 Thread Jason Byrns
John Jolet wrote:
 they could always rename the file and include instructions to put the
 name back.

Thanks, but I already tried that!  Unfortunately (or fortunately, not 
sure which) it still sees the file as executable.  In this case, I'm 
guessing it refers to the MIME type or something like that.

For example, I took a file from my Bart's PE directory, and renamed it.
bartpe.exe
...renamed to...
bartpe.xex
Yet it is still blocked.  My rejection notice looks like this:
BANNED CONTENTS ALERT
Our content checker found
banned name: P=p005,L=1,M=multipart/mixed | 
P=p003,L=1/2,M=application/octet-stream,T=exe,T=exe-ms,N=bartpe.xex
in email presumably from you ([EMAIL PROTECTED]),
to the following recipient:
- [EMAIL PROTECTED]

...any other suggestions?  ;)
--
Jason Byrns
System Administrator, MicroLnk
http://www.MicroLnk.com/
402-328-8600 ext. 653
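
The rejection notice in the message above can be read field by field. The following is an added example (not from the thread, and not amavisd-new's own code) that parses the quoted "banned name:" line and reports whether each part is caught by the extension rule quoted earlier from /etc/amavisd.conf or by its content type. It assumes that T= carries the type derived from the file's contents; BANNED_TYPES is a hypothetical type rule, since the thread does not show the one in use, and sniff_short_type() is a simplified stand-in for file(1).

```python
import re

# Name rule quoted in the thread from /etc/amavisd.conf (Perl: qr'...'i).
BANNED_NAME = re.compile(r".\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$", re.IGNORECASE)

# ASSUMPTION: hypothetical content-type rule; the thread does not show
# which type rule is configured on that server.
BANNED_TYPES = {"exe", "exe-ms"}

# The "banned name:" line from the rejection notice, joined onto one line.
NOTICE = (
    "P=p005,L=1,M=multipart/mixed | "
    "P=p003,L=1/2,M=application/octet-stream,T=exe,T=exe-ms,N=bartpe.xex"
)


def parse_notice(line):
    """Return one dict per MIME part; T and N may repeat, so they are lists.

    A field that is not a known KEY=value pair is treated as the rest of
    the preceding file name (a name that itself contains a comma).
    """
    parts = []
    for chunk in line.split("|"):
        part = {"P": None, "L": None, "M": None, "T": [], "N": []}
        last_key = None
        for field in chunk.strip().split(","):
            key, sep, value = field.partition("=")
            if sep and key in part:
                if isinstance(part[key], list):
                    part[key].append(value)
                else:
                    part[key] = value
                last_key = key
            elif last_key == "N":
                part["N"][-1] += "," + field
        parts.append(part)
    return parts


def why_banned(part):
    """List (rule, value) pairs explaining why this part would be refused."""
    reasons = [("name", n) for n in part["N"] if BANNED_NAME.search(n)]
    reasons += [("type", t) for t in part["T"] if t in BANNED_TYPES]
    return reasons


def sniff_short_type(data):
    """Simplified stand-in for file(1): look at the leading magic bytes only."""
    if data[:2] == b"MZ":            # DOS/Windows executable header
        return ["exe", "exe-ms"]
    if data[:4] == b"PK\x03\x04":    # ZIP local file header
        return ["zip"]
    return ["unknown"]


if __name__ == "__main__":
    for part in parse_notice(NOTICE):
        print(part["P"], part["M"], part["N"], why_banned(part) or "not banned")

    # Constructed sample: the same bytes under the original and the new name.
    payload = b"MZ\x90\x00" + b"\x00" * 60
    for name in ("bartpe.exe", "bartpe.xex"):
        part = {"N": [name], "T": sniff_short_type(payload)}
        print(name, why_banned(part))
```

For the notice in the thread the only reasons reported are of kind "type": the renamed file no longer matches the extension rule, but its contents are unchanged.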


Re: [Clamav-users] Disabling ScanArchive ?

2005-02-22 Thread Jason Byrns
Daniel J McDonald wrote:
 No.  That means password protected zips can be used for new viruses.  My
 solution is to force the vendors to put the files on a password
 protected website where my folks can go grab them.  Since we have to
 reach out, there is little chance of automatic propagation

Yeah, that would definitely help defeat propagation.  Too bad there's no
easy way to really defeat social engineering, though.

 Then again I'm paranoid.

Me, too.  I agree that high security is extremely important.
And using a web or FTP site occurred to me.  I tend to think of email as 
a bad choice for sending big files around anyway.  So thanks for 
everyone's input, I think I'm settling on that solution now.

Seems like too many potential problems with removing or lowering the 
level of security on the email server and virus scanner.  So probably 
best to avoid that.

And if I have any more questions about this, I'll stop bothering ClamAV 
people and go looking for Amavis help instead.  ;)

Thanks again!!
--
Jason Byrns
System Administrator, MicroLnk
http://www.MicroLnk.com/
402-328-8600 ext. 653


Re: [Clamav-users] Disabling ScanArchive ?

2005-02-22 Thread Jim Maul
Daniel J McDonald wrote:
 On Tue, 2005-02-22 at 09:57 -0800, [EMAIL PROTECTED] wrote:
  At 09:39 AM 2/22/2005, you wrote:
   Due to license issues with the original RAR3.0 unpacker one of our
   developers is working on a new version written from scratch. It's
   planned for 0.90.

  secondly, is there a way to employ unrar checking if one buys an unrar
  license and installs unrar - i couldn't quite see a hook to do that in
  clamd.conf.

 amavis-new does rar unpacking using an external binary, then passes the
 unpacked pieces to clamav.

As does qmail-scanner and i imagine a handful of other packages.
-Jim


[Clamav-users] Re: Freshclam and Cron

2005-02-22 Thread René Berber
[EMAIL PROTECTED] wrote:
 Freshclam via cron
 What sort of update intervals are people using, and can someone show me a
 working crontab entry? I've tried calling freshclam like this via a crontab
 entry

 06 0  * * * /usr/local/bin/freshclam

 But it doesn't seem to work. Which means I'm probably missing something
 obvious.

I have

# ClamAV
57 12 * * * /usr/bin/freshclam --quiet
and it means run once a day, at 12:57, every day, every month, every 
week day, and (cron) don't send me messages that it ran.

If you have a mail server you should run it more often, your cron line 
says once at 0:06 hours.

In different implementations of cron there is the possibility of using 
several variants, for instance:
57 12/2 * * * /usr/bin/freshclam --quiet
would mean run every 2 hours starting at 12:57, this is for Paul Vixie's 
cron implementation.

In other cron implementations (the one in Solaris for instance) the same 
would have to be written explicitly:
57 12,14,16,18,20,22,0,2,4,6,8,10 * * * /usr/bin/freshclam --quiet

So, read your cron and crontab (usually 2) manuals.
--
René


Re: [Clamav-users] Re: Freshclam and Cron

2005-02-22 Thread Dale Walsh
On Feb 22, 2005, at 14:46, René Berber wrote:
 [EMAIL PROTECTED] wrote:
  Freshclam via cron
  What sort of update intervals are people using, and can someone show me a
  working crontab entry? I've tried calling freshclam like this via a crontab
  entry

  06 0  * * * /usr/local/bin/freshclam

  But it doesn't seem to work. Which means I'm probably missing something
  obvious.

 I have

 # ClamAV
 57 12 * * * /usr/bin/freshclam --quiet
 and it means run once a day, at 12:57, every day, every month, every
 week day, and (cron) don't send me messages that it ran.

 If you have a mail server you should run it more often, your cron line
 says once at 0:06 hours.

 In different implementations of cron there is the possibility of using
 several variants, for instance:
 57 12/2 * * * /usr/bin/freshclam --quiet
 would mean run every 2 hours starting at 12:57, this is for Paul Vixie's
 cron implementation.

 In other cron implementations (the one in Solaris for instance) the same
 would have to be written explicitly:
 57 12,14,16,18,20,22,0,2,4,6,8,10 * * * /usr/bin/freshclam --quiet

 So, read your cron and crontab (usually 2) manuals.
 --
 René

I can't understand why everyone runs this through cron when it doesn't
eat much memory or cpu cycles when run as a daemon?

-- Dale


RE: [Clamav-users] Re: Freshclam and Cron

2005-02-22 Thread Cormack, Ken
 I can't understand why everyone runs this through cron when it doesn't 
 eat much memory or cpu cycles when run as a daemon?

Because with cron, one can vary the minutes-after-the-hour, to have finer
control over when it runs.  Or to have it run more frequently on certain
days than on others... Or Whatever.  I'm sure the scheduling engine used
by cron is far more flexible than the one built into freshclam.

Perhaps I know of a scheduled network outage window.  With cron I can
schedule around that outage window.

It might also be to help document the system for other admins who might not
think to look for application-specific scheduling and whose first instinct
is to look at crontab -l...

I can think of lots of reasons.


RE: [Clamav-users] Re: Freshclam and Cron

2005-02-22 Thread jef moskot
On Tue, 22 Feb 2005, Cormack, Ken wrote:
  I can't understand why everyone runs this through cron when it doesn't
  eat much memory or cpu cycles when run as a daemon?

 I can think of lots of reasons.

The way I look at it, if you need something in cron to periodically check
that the freshclam daemon hasn't died, you might as well just configure
the updates exactly as you'd like them with cron itself.

I'd rather have something in cron anyway, as long as there's no major
benefit to running the daemon.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]


Re: [Clamav-users] false positives

2005-02-22 Thread Tim B
david thompson wrote:
 I then download avg - the free windows virus scanner.  install it and
 get the latest definitions.  I scan in windows using avg.  Nothing found.

 This is not the first time this has happened.  I scanned a friend's hard
 drive with windowsxp on it, and clamscan found 'lion' coincidentally
 within the same file that a virus was found on my winxp system -
 pagefile.sys.

Never scan pagefile.sys, that file is your XP Swap file which gets
random bits of information as programs page out of memory to the hard
drive.


Re: [Clamav-users] ClamAv v0.83 for SuSE 9.2 bin rpm's?

2005-02-22 Thread Johan Barelds
On Tuesday 22 February 2005 07:45, Dörfler Andreas wrote:
 taken from suse ml:

 Yes, we know.

 We will be releasing 0.83 too in some days.

 Ciao, Marcus

 im using suse 9.2 too but i dont wanna wait everytime
 for the rpms so i compile clam from source

 greetings
 andy

Thanks Andy!
I think i will wait for them to release.
I can of course compile but i am the lazy kind of sysadmin i guess:-)

Grz. Johan



 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 Johan Barelds
 Sent: Monday, February 21, 2005 6:37 PM
 To: ClamAV users ML
 Subject: [Clamav-users] ClamAv v0.83 for SuSE 9.2 bin rpm's?
 
 
 Hi all,
 
 Does someone know if or when ClamAv 0.83 for SuSE v9.2 will
 become available? The latest version on their website(
 ftp://ftp.suse.com/pub/projects/clamav)
 is 0.82.
 I seem to recall from earlier discussions in this list that
 SuSE have been
 patching the broken software themselves and therefore not
 upgrading the Clamav
 rpm's?
 
 Thanks for any info!
 
 --
 Kind Regards / Met vriendelijke groet,
 
 Johan Barelds          Good-IT!
 Tel.+31(0)70-3965230   Strijplaan 320
 Mob.+31(0)6-54253750   2285 HZ  Rijswijk(ZH)
 [EMAIL PROTECTED]      http://www.good-it.com

-- 
Kind Regards / Met vriendelijke groet,

Johan Barelds          Good-IT!
Tel.+31(0)70-3965230   Strijplaan 320
Mob.+31(0)6-54253750   2285 HZ  Rijswijk(ZH)
[EMAIL PROTECTED]      http://www.good-it.com


[Clamav-users] Re: Freshclam and Cron

2005-02-22 Thread René Berber
Dale Walsh wrote:
 [snip]
 I can't understand why everyone runs this through cron when it doesn't
 eat much memory or cpu cycles when run as a daemon?

If freshclam fails as a daemon you would not know it.  If it fails as a
cron job, then cron will let you know something is wrong.

Of course freshclam doesn't fail so this is only useful for user errors
(like a bad path or permissions, etc.)

Besides, setting it up as a daemon needs more work, I would add it to 
the init.d/clamd script but that's my choice and is not there to make it 
easy.  Yes, sometimes I'm lazy, adding it to cron takes 10 sec, adding 
it to the script probably takes 30 sec.

Just my opinion.
--
René Berber


Re: [Clamav-users] Re: Freshclam and Cron

2005-02-22 Thread Bob Hutchinson
On Tuesday 22 Feb 2005 23:14, René Berber wrote:
 Dale Walsh wrote:
 [snip]

  I can't understand why everyone runs this through cron when it doesn't
  eat much memory or cpu cycles when run as a daemon?

 If freshclam fails as a daemon you would not know it.  If it fails as a
 cron job, then cron will let you know something is wrong.

That is a good reason, and true too, I have found the freshclam daemon not 
functioning on one occasion, so now I cron it. Another reason is to spread 
the load by setting it to cron at odd times, it must help the clamav server.


 Of course freshclam doesn't fail so this is only useful for user errors
 (like a bad path or permissions, etc.)

 Besides, setting it up as a daemon needs more work, I would add it to
 the init.d/clamd script but that's my choice and is not there to make it
 easy.  Yes, sometimes I'm lazy, adding it to cron takes 10 sec, adding
 it to the script probably takes 30 sec.

 Just my opinion.

-- 
-
Bob Hutchinson
Midwales dot com
-


[Clamav-users] clamd/freshclam/logrotate

2005-02-22 Thread Matthew.van.Eerde
Anyone got logrotate working sensibly with clamd.log and freshclam.log?  I can 
get it to rename the log files, but it seems that clamd and freshclam keep the 
file descriptor open.  The new logs are appending to the .log.1 file rather 
than appending to the newly created .log files.

Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com Software Engineer
perl -emap{y/a-z/l-za-k/;print}shift Jjhi pcdiwtg Ptga wprztg,


Re: [Clamav-users] clamd/freshclam/logrotate

2005-02-22 Thread Ed
Sure, this is how we do it :
/var/log/clamav/clamd.log {
   missingok
   nocompress
   create 640 clamav clamav
   postrotate
   /bin/kill -HUP `cat /var/run/clamav/clamd.pid 2> /dev/null` 2> /dev/null || true
   endscript
}

We run Freshclam as a daemon and do pretty much the same for it.
HTH
--Ed
[EMAIL PROTECTED] wrote:
Anyone got logrotate working sensibly with clamd.log and freshclam.log?  I can 
get it to rename the log files, but it seems that clamd and freshclam keep the 
file descriptor open.  The new logs are appending to the .log.1 file rather 
than appending to the newly created .log files.
Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com Software Engineer
perl -emap{y/a-z/l-za-k/;print}shift Jjhi pcdiwtg Ptga wprztg,

--
__
EAS*Ent.Net - World Class Web Hosting and Email Services
www.easent.net
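
Why the new entries keep landing in clamd.log.1, and why the postrotate HUP in the configuration above fixes it, as an added example (not from the thread and not ClamAV code). ToyDaemon is a hypothetical stand-in for a logging daemon, its reopen() plays the role of the daemon's SIGHUP handler, and the rename-then-create sequence mirrors what logrotate does with the "create" directive.

```python
import os
import tempfile


class ToyDaemon:
    """Hypothetical long-running process that keeps its log file open."""

    def __init__(self, path):
        self.path = path
        self.fh = open(path, "a")

    def log(self, message):
        self.fh.write(message + "\n")
        self.fh.flush()

    def reopen(self):
        """What a SIGHUP handler does: drop the old descriptor, open by name."""
        self.fh.close()
        self.fh = open(self.path, "a")

    def inode(self):
        """Inode behind the descriptor the daemon is writing to right now."""
        return os.fstat(self.fh.fileno()).st_ino


def read_lines(path):
    with open(path) as fh:
        return fh.read().splitlines()


def rotate_demo():
    """Rotate a log under a running writer, first without and then with a reopen."""
    with tempfile.TemporaryDirectory() as workdir:
        live = os.path.join(workdir, "clamd.log")
        rotated = live + ".1"

        daemon = ToyDaemon(live)
        daemon.log("entry 1: before rotation")

        # Rotation step: rename the file, then create a fresh empty one (mode 640).
        os.rename(live, rotated)
        os.close(os.open(live, os.O_CREAT | os.O_WRONLY, 0o640))

        # The descriptor still refers to the renamed inode, not to the name.
        daemon.log("entry 2: after rotation, no HUP")
        follows_rotated = daemon.inode() == os.stat(rotated).st_ino
        live_size_before_hup = os.path.getsize(live)

        # postrotate step: the HUP makes the daemon reopen its log by name.
        daemon.reopen()
        daemon.log("entry 3: after HUP")
        follows_live = daemon.inode() == os.stat(live).st_ino

        result = {
            "follows_rotated_before_hup": follows_rotated,
            "live_size_before_hup": live_size_before_hup,
            "follows_live_after_hup": follows_live,
            "rotated": read_lines(rotated),
            "live": read_lines(live),
        }
        daemon.fh.close()
        return result


if __name__ == "__main__":
    for key, value in rotate_demo().items():
        print(key, "=", value)
```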


Re: [Clamav-users]

2005-02-22 Thread Instituto de Ingenieria Unix
Hello:

  Thanks for the URL, I tested to the server who has clamav and step
all the tests.  But I even have a problem, when send a mail with a
file zip with password (with a virus), clamav does not stop it, and if
send to an account of yahoo, this if it detects it and notifies it. 
The question is, single can be blocked through file clamd.conf
enabling ArchiveBlockEncrypted


On Sat, 19 Feb 2005 02:32:21 +0100, Tomasz Kojm [EMAIL PROTECTED] wrote:
 On Fri, 18 Feb 2005 19:21:01 -0600
 Instituto de Ingenieria Unix [EMAIL PROTECTED] wrote:
 
  I have problems in my server mail, especially  is the antivirus, I
  have suse enterprise 9,0 with postfix+amavisd-new+clamav.
 
  Clamav me this not stopping the post office with virus, that have an
  attached file of format zip which has one password, to that it must
  this?
 
 If you're talking about the test file from www.testvirus.org then you
 can safely ignore it. This is not the only strange test on that site.
 
  Is question of configuration the my antivirus or this incomplete me
  antivirus?
 
 ClamAV successfully stops password protected Bagles and some other
 worms. There's no need (and even possibility) to detect malware in all
 protected files. However, you can block _all_ passworded Zip/RAR
 archives by enabling ArchiveBlockEncrypted in clamd.conf
 (--block-encrypted in clamscan), but this is generally not recommended.
 
 --
oo. Tomasz Kojm [EMAIL PROTECTED]
   (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
  \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
//\   /\  Sat Feb 19 02:29:35 CET 2005
 
 
 
 
 



Re: [Clamav-users]

2005-02-22 Thread Tomasz Kojm
On Tue, 22 Feb 2005 19:16:33 -0600
Instituto de Ingenieria Unix [EMAIL PROTECTED] wrote:

 Hello:
 
   Thanks for the URL, I tested to the server who has clamav and step
 all the tests.  But I even have a problem, when send a mail with a
 file zip with password (with a virus), clamav does not stop it, and if
 send to an account of yahoo, this if it detects it and notifies it. 
 The question is, single can be blocked through file clamd.conf
 enabling ArchiveBlockEncrypted

You've misunderstood my answer. Please ask someone to translate you the
following blocks:

 If you're talking about the test file from www.testvirus.org then you
 can safely ignore it. This is not the only strange test on that site.
[...]
  ClamAV successfully stops password protected Bagles and some other
  worms. There's no need (and even possibility) to detect malware in
  all protected files. However, you can block _all_ passworded Zip/RAR
  archives by enabling ArchiveBlockEncrypted in clamd.conf
  (--block-encrypted in clamscan), but this is generally not
  recommended.

-- 
   oo. Tomasz Kojm [EMAIL PROTECTED]
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Wed Feb 23 02:20:47 CET 2005




[Clamav-users] Re:

2005-02-22 Thread René Berber
Let me try to help, I'll translate to Spanish Tomasz's answer.
Tomasz Kojm wrote:
On Tue, 22 Feb 2005 19:16:33 -0600
Instituto de Ingenieria Unix [EMAIL PROTECTED] wrote:

Hello:
 Thanks for the URL, I tested to the server who has clamav and step
all the tests.  But I even have a problem, when send a mail with a
file zip with password (with a virus), clamav does not stop it, and if
send to an account of yahoo, this if it detects it and notifies it. 
The question is, single can be blocked through file clamd.conf
enabling ArchiveBlockEncrypted

You've misunderstood my answer. Please ask someone to translate you the
following blocks:
[Español]
Has malentendido mi respuesta. Por favor pidele a alguien que te 
tradusca los siguientes párrafos:

If you're talking about the test file from www.testvirus.org then you
can safely ignore it. This is not the only strange test on that site.
[Español]
Si estás hablando acerca del archivo de prueba de www.testvirus.org 
entonces puedes ignorarlo sin problema.  Esa no es la única prueba 
extraña en ese sitio.

[...]
ClamAV successfully stops password protected Bagles and some other
worms. There's no need (and even possibility) to detect malware in
all protected files. However, you can block _all_ passworded Zip/RAR
archives by enabling ArchiveBlockEncrypted in clamd.conf
(--block-encrypted in clamscan), but this is generally not
recommended.
[Español]
ClamAV puede detener Bagles y algunos otros gusanos protejidos por 
password.  No hay la necesidad (ni siquiera la posibilidad) de detectar 
software malicioso en todos los archivos protejidos.  Sin embargo, tu 
puedes bloquear _todos_ los archivos Zip/RAR habilitando 
ArchiveBlockEncrypted en clamd.conf (o parámetro --block-encrypted en 
clamscan), pero esto generalmente no se recomienda.

Hope this helps / Espero que esto sirva de ayuda.
--
René Berber


Re: [Clamav-users] Freshclam and Cfengine

2005-02-22 Thread Jeremy Mates
* [EMAIL PROTECTED] [EMAIL PROTECTED]
 What sort of update intervals are people using, and can someone show
 me a working crontab entry? I've tried calling freshclam like this via
 a crontab entry
 
 06 0  * * * /usr/local/bin/freshclam
 
 But it doesn't seem to work. Which means I'm probably missing
 something obvious.

I run freshclam from CFEngine, which means the updates will
automatically be spread out by the cfengine SplayTime, and wander over
time due to the 11h 59m update period. CFEngine does have a bit of a
learning curve, though.

control:
  darwin|openbsd::
    freshclam = ( /usr/local/bin/freshclam )

  linux::
    freshclam = ( /usr/bin/freshclam )

shellcommands:
  any::
    "${freshclam} --quiet" ifelapsed=719

As a side benefit, supporting new Operating Systems is easy: just set
the path to freshclam in the control section. No fiddling with crontab
entries or cron scripts.

-- 
Jeremy Mates (206) 22 1-4714
Systems AdministratorK 324, Health Sciences Center
http://cfm.gs.washington.edu/Mail Box 357730


Re: [Clamav-users] Freshclam and Cfengine

2005-02-22 Thread Dennis Peterson
Jeremy Mates said:
 * [EMAIL PROTECTED] [EMAIL PROTECTED]
 What sort of update intervals are people using, and can someone show
 me a working crontab entry? I've tried calling freshclam like this via
 a crontab entry

 06 0  * * * /usr/local/bin/freshclam

 But it doesn't seem to work. Which means I'm probably missing
 something obvious.

 I run freshclam from CFEngine, which means the updates will
 automatically be spread out by the cfengine SplayTime, and wander over
 time due to the 11h 59m update period. CFEngine does have a bit of a
 learning curve, though.

It is also a great way to distribute the pattern files across your clamav
farm (for those that run multiple systems) as well as distributing new
versions of the binaries as they become available. I don't know much it
isn't good for, to be honest.

dp



Re: [Clamav-users] ClamAV not paying attention to conf file.

2005-02-22 Thread Scott Ryan
On Tuesday 22 February 2005 16:32, Matt Fretwell shaped the electrons to say:
 DisableDefaultScanOptions
A prime example of rtfm...
thanks.
-- 
Scott Ryan
Telkom Internet


Re: [Clamav-users] EICAR signature update: second attempt

2005-02-22 Thread Damian Menscher
On Fri, 18 Feb 2005, Tomasz Kojm wrote:
 The signature will be updated on Monday (to better meet the official
 specification). All clamdwatch users should upgrade to the latest
 version as soon as possible to avoid problems similar to those from
 2004.

What's the status of this?  I wrote a clmilter_watch program and want to 
ensure it works with the new signature before I release it.  But if you 
changed your minds about changing the signature, I can release now.

Damian Menscher
--
-=#| Physics Grad Student  SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
-=#| [EMAIL PROTECTED] www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
-=#| The above opinions are not necessarily those of my employers. |#=-


Re: [Clamav-users] Re: Freshclam and Cron

2005-02-22 Thread Rob MacGregor
On Wed, 23 Feb 2005 00:49:20 +, Bob Hutchinson
[EMAIL PROTECTED] wrote:
 
 That is a good reason, and true too, I have found the freshclam daemon not
 functioning on one occasion, so now I cron it. Another reason is to spread
 the load by setting it to cron at odd times, it must help the clamav server.

However, with freshclam's DNS support, you're not gaining much as
it'll only connect to the server when either the DNS record is
horribly out of date, or it indicates a new update is available.

-- 
 Please keep list traffic on the list.
Rob MacGregor
  Whoever fights monsters should see to it that in the process he 
doesn't become a monster.  Friedrich Nietzsche


Re: [Clamav-users] Mime - FIXED

2005-02-22 Thread Scott Ryan
On Wednesday 16 February 2005 14:35, Scott Ryan shaped the electrons to say:
 Hi list, I have posted before about an issue with clamd hanging and
 yesterday we finally managed to find out what the underlying problem was.
 We came across an 800k mail that we initially thought was causing clamd to
 hang. The truth in fact was that once we turned on debugging, we noticed
 that clamd was not hanging - just taking an age to scan the mail. This was
 obviously causing us huge problems as this was happening on very busy mail
 servers and in effect causes a DOS.
 We were running 0.83 and downgraded eventually to 0.80 and then we no
 longer experienced the issue.

 What we noticed about this one particular mail was that it had hundreds of
 mime-parts. So it appears to us that there has been a major change in the
 way clamav deals with mime parts since 0.80. So much so that it goes from
 scanning this mail in under a second in 0.80:

 # ls -la 1108491486.1513-1.ophelia.telkomsa.net
 -rw---1 root root   817795 Feb 15 20:35
 1108491486.1513-1.ophelia.telkomsa.net

 # cat 1108491486.1513-1.ophelia.telkomsa.net | clamdscan -
 stream: OK

 --- SCAN SUMMARY ---
 Infected files: 0
 Time: 0.741 sec (0 m 0 s)

 To taking over 4 minutes to scan in 0.83

 Can anyone shed some light on this / offer some advice, as obviously we
 want to keep up with the latest stable version. I can provide the mail if
 anyone wants to examine it further.

My setup is now as follows:

Qmail-scanner with 'reformmime' enabled. Clamd with the ScanMail option 
removed. It looks initially like this will solve our issue of clamd taking an 
age to scan messages that have huge numbers of messages within them.
Tested by sending a few viruses. and they were trapped.

Cheers.
-- 
Scott Ryan
Telkom Internet