Re: [Clamav-users] clamav milter: loading new database
Update to at least 0.83b.

-Nigel

On Friday 11 Mar 2005 07:23, christian laubscher wrote:
> i am running .83, clamav-milter w/o clamd, freshclam on slack 9.1. low load, but persistent flow of incoming messages (a few hundred mails a day, no bad peaks).
>
> normally, shortly after a successful freshclam update, clamav milter logs a 'loading new database' message and the x-virus-scanned line is updated, accordingly.
>
> the 761 update (by freshclam) happened here at 2005-03-10-22.25.59 cet; the update was successful (checked by sigtool -i). but in the hours passed by since, clamav-milter doesn't seem to have seen the new version; no 'loading new database' was logged, and the x-virus-scanned line still reflects the 760 version.
>
> as this is happening for the first time: am i doing something wrong?
> and: how can i 'force' clamav-milter to reload the new database?
>
> tia!

___
http://lurker.clamav.net/list/clamav-users.html
RE: [Clamav-users] Use of ClamAV 0.83 on Red Enterprise Linux 3
> Am I missing anything important?
>
> Thanks in advance...
>
> Edward W. Ray
> CISSP, MCSE 2003+Security, P.E. GCIA, GCIH
> NetSec Design Consulting

I would install postfix and remove sendmail (use apt or yum)

get the apt rpm from dag it will make things much easier.
ftp://rpmfind.net/linux/dag/redhat/el3/en/i386/dag/RPMS/apt-0.5.15cnc6-3.1.el3.dag.i386.rpm

Then install Amavisd, spamassassin, razor from dag

    apt-get update
    apt-cache search amavis
    apt-get install amavisd clamd spamassassin razor

download and compile dcc
http://flakshack.com/anti-spam/wiki/index.php?page=Installing+DCC

You can install most of this from RPMS on DAG using apt and it works without much needing to be done. For detailed configuration help on some of this check out http://www.flakshack.com/anti-spam/wiki/index.php.

Modify postfix:

#vi /etc/postfix/main.cf
Read and uncomment the basic postfix config items (mydomain, mynetworks)
Add the following line:

    content_filter=smtp-amavis:[127.0.0.1]:10024

#vi /etc/postfix/aliases
Set the alias for root.

#vi /etc/postfix/master.cf
#ADD THE FOLLOWING

    smtp-amavis unix - - n - 3 smtp
        -o smtp_data_done_timeout=1200
        -o disable_dns_lookups=yes
    127.0.0.1:10025 inet n - n - - smtpd
        -o content_filter=
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o smtpd_restriction_classes=
        -o smtpd_client_restrictions=
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o mynetworks=127.0.0.0/8
        -o strict_rfc821_envelopes=yes

Restart postfix:

    service postfix restart

Turn on the applications:

    #chkconfig amavisd on
    #chkconfig clamd on
    #chkconfig postfix on

#vi /etc/mail/spamassassin/local.cf

    report_safe 0
    use_bayes 1
    bayes_path /var/amavisd/.spamassassin/bayes
    skip_rbl_checks 0
    use_razor2 1
    use_dcc 1
    use_pyzor 0
    dns_available yes
    header LOCAL_RCVD Received =~ /.*\(\S+\.domain\.com\s+\[.*\]\)/
    describe LOCAL_RCVD Received from local machine
    score LOCAL_RCVD -50

#vi /etc/amavis.conf
Modify how you want to handle spam, virus mail

    $mydomain = 'yourdomain.com';
    $virus_admin = [EMAIL PROTECTED];                # notifications recip.
    $spam_admin = [EMAIL PROTECTED];                 # notifications recip.
    $mailfrom_notify_admin = [EMAIL PROTECTED];      # notifications sender
    $mailfrom_notify_recip = [EMAIL PROTECTED];      # notifications sender
    $mailfrom_notify_spamadmin = [EMAIL PROTECTED];  # notifications sender
    $mailfrom_to_quarantine = '';  # null return path; uses original sender if undef
    $final_virus_destiny = D_DISCARD;
    $final_banned_destiny = D_BOUNCE;
    $final_spam_destiny = D_BOUNCE;
    $final_bad_header_destiny = D_BOUNCE;

Restart everything and test.
Re: [Clamav-users] clamav milter: loading new database
On Fri, Mar 11, 2005 at 09:02:14AM +, Nigel Horne wrote:
> Update to at least 0.83b.

would this be in the nightly snapshots (ie clamav-devel)?
RE: [Clamav-users] clamav milter: loading new database
> > Update to at least 0.83b.
>
> would this be in the nightly snapshots (ie clamav-devel)?

Yes
[Clamav-users] (no subject)
Jordi Escolà Martín
PriceWin Networks (Grupo CD World)
Project Development
C/ Gomis 1 - 08023 Barcelona
Tel. 902 332266 - Fax. 902 113614

This email has been scanned for computer viruses by the SerenaMail service of Pricewin Networks. For more information on how to permanently protect your company against computer viruses and junk mail, visit us at http://www.serenamail.com.
[Clamav-users] Funny pathes
/tmp/clamav-178c630c01f4f986/usr/share/clamav-testfiles/clam.rar: ClamAV-Test-File FOUND
/tmp/clamav-178c630c01f4f986/usr/share/clamav-testfiles/clam.zip: ClamAV-Test-File FOUND
/tmp/clamav-235ce24142354262/usr/share/classpath/glibj.zip: Zip.ExceededFilesLimit FOUND
/tmp/clamav-fbb1808681386c40/usr/share/classpath/glibj.zip: Zip.ExceededFilesLimit FOUND

[17:34:17]yoda:/etc/cron.weekly# ls -ald /usr/share/cla*
drwxr-xr-x 2 root root 4096 Feb 24 18:48 /usr/share/clamav-testfiles

clamav-testfiles is OK, but there is no classpath directory!

#locate glibj.zip
does not find such a file.

??

Rainer
RE: [Clamav-users] Funny pathes
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Rainer Zocholl
Sent: Friday, March 11, 2005 12:36 PM
To: clamav-users@lists.clamav.net
Subject: [Clamav-users] Funny pathes

/tmp/clamav-178c630c01f4f986/usr/share/clamav-testfiles/clam.rar: ClamAV-Test-File FOUND
/tmp/clamav-178c630c01f4f986/usr/share/clamav-testfiles/clam.zip: ClamAV-Test-File FOUND
/tmp/clamav-235ce24142354262/usr/share/classpath/glibj.zip: Zip.ExceededFilesLimit FOUND
/tmp/clamav-fbb1808681386c40/usr/share/classpath/glibj.zip: Zip.ExceededFilesLimit FOUND

My guess is that those are not *real* paths, but paths inside a tar.gz or something. If they were real there would be no reason to copy those files to /tmp/clamav-*

-Samuel
RE: [Clamav-users] Re: clamscan reports a virus Oversized.Zip
> From man clamscan:
>
>   --block-max
>       Mark archives as viruses (e.g. RAR.ExceededFileSize, Zip.ExceededFilesLimit) if max-files, max-space, or max-recursion is reached.
>
>   --max-recursion=#n
>       Set archive recursion level limit. This option protects your system against DoS attacks (default: 8).
>
>   --max-ratio=#n
>       Set maximum archive compression ratio limit. This option protects your system against DoS attacks (default: 250).
>
> So you can use --max-recursion=? and --max-ratio=?; play with the values and see if you can get through.
>
> BTW your zip archive is not typical, it may be a real DoS attempt, for example here's a result with an ordinary (4.4M) zip file using Cygwin's own version of clamav-0.83:

I created the zip file myself so I don't think there's anything wrong with it. It contains some binary files requested by the support people I'm working with on another issue. I'll do some more experiments and see if I can narrow it down any.
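One way to check whether an archive you built yourself would reach the --max-ratio limit quoted above (an added example, not part of the original thread). It assumes the limit is compared against each member's uncompressed/compressed size ratio; the sample archive and its file names are constructed.

```python
import io
import zipfile

MAX_RATIO = 250  # default of --max-ratio quoted from man clamscan above


def member_ratios(zip_bytes):
    """Return {member name: uncompressed/compressed ratio} from the zip directory."""
    ratios = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.compress_size == 0:
                # A member with no compressed data cannot exceed any ratio.
                ratios[info.filename] = 0.0
            else:
                ratios[info.filename] = info.file_size / info.compress_size
    return ratios


def over_limit(zip_bytes, max_ratio=MAX_RATIO):
    """Sorted names of members whose ratio reaches the limit (assumed per-member check)."""
    return sorted(n for n, r in member_ratios(zip_bytes).items() if r >= max_ratio)


def build_sample():
    """Constructed sample: a zero-padded binary, an ordinary file and an empty log."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("support/sparse.bin", b"\x00" * 262144)
        zf.writestr("support/table.bin", bytes(range(256)) * 16)
        zf.writestr("support/empty.log", b"")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample()
    for name, ratio in member_ratios(sample).items():
        state = "over limit" if ratio >= MAX_RATIO else "ok"
        print(f"{name}: ratio {ratio:.1f} ({state})")
```

A legitimate archive can reach the limit when one member is mostly padding, such as a sparse binary or a memory dump, which is the kind of file support staff tend to request.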
[Clamav-users] ClamAV return codes
Hey all,

I'm sure this has probably been asked before, but I wasn't able to find it in the mailing list archives or the documentation - is there a list somewhere, either in the source code or in the docs, or on the web, which lists what each return code that clamscan gives back means?

I've got someone asking about return code 128, and I've never seen it before.

Thanks

--
Brian Bruns
The Summit Open Source Development Group
http://www.sosdg.org / http://www.ahbl.org
[Clamav-users] Re: ClamAV return codes
Brian Bruns wrote:
> I'm sure this has probably been asked before, but I wasn't able to find it in the mailing list archives or the documentation - is there a list somewhere, either in the source code or in the docs, or on the web, which lists what each return code that clamscan gives back means?
>
> I've got someone asking about return code 128, and I've never seen it before.

128 means the program core-dumped. It's not a normal return code, those are documented at the end of man clamscan, it's a stopping/termination reason given by the OS.

Just out of curiosity, in which OS are you seeing this?

--
René Berber
[Clamav-users] Re: ClamAV return codes
Brian Bruns wrote:
> It's Cygwin, so I'll have to diagnose this with my user, since I'm not seeing these problems on my end.

That explains everything: Cygwin version 1.5.13-1 (the latest) changed the way it reports exit codes to Windows.

Inside a Cygwin shell everything is normal (in your case the shell intercepts the 128 and shows a text message which is the usual way under Unix) but for Windows processes things changed, now exit codes are multiplied by 256 and core dumps or other problems are included in the exit code, which (at OS level) is composed of two parts, exit code:reason (that's two bytes, usually reason is 0 so exit code 1 is integer 256, and so on).

I had to change cgFilterMessages (a CommunigatePro filter) when this Cygwin change started. If you use clamdwatch.pl under anything that is not a Cygwin shell you'll have to change the way exit codes are handled (actually you have to change clamdwatch.pl anyway since Cygwin's perl doesn't handle the line that sets the temporary file mod).

--
René
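The two-byte "exit code:reason" status described in the message above, decoded in Python so that a mail filter fails closed when the scanner crashes (an added example, not code from the thread, from clamdwatch.pl or from cgFilterMessages). It assumes the POSIX wait-status layout for the reason byte (bits 0-6 signal number, bit 7 core-dump flag) and clamscan's documented codes 0 (no virus found) and 1 (virus found); the function names and verdict strings are hypothetical.

```python
CORE_FLAG = 0x80    # bit 7 of the reason byte: core dumped (assumed POSIX layout)
SIGNAL_MASK = 0x7F  # bits 0-6 of the reason byte: terminating signal


def decode_status(raw):
    """Split a 16-bit status into (exit_code, signal, core_dumped)."""
    if not 0 <= raw <= 0xFFFF:
        raise ValueError(f"status out of range: {raw!r}")
    exit_code = raw >> 8   # high byte: what the program passed to exit()
    reason = raw & 0xFF    # low byte: why the OS says it stopped
    return exit_code, reason & SIGNAL_MASK, bool(reason & CORE_FLAG)


def naive_verdict(raw):
    """Looks only at the exit-code byte, so a crashed scanner reads as clean."""
    return "clean" if (raw >> 8) == 0 else "infected"


def verdict(raw):
    """Map a raw clamscan status to a filter decision, failing closed."""
    exit_code, signal, core_dumped = decode_status(raw)
    if signal or core_dumped:
        return "tempfail"  # abnormal termination is not a scan result
    if exit_code == 0:
        return "clean"
    if exit_code == 1:
        return "infected"
    return "tempfail"      # any other code is a scanner error


if __name__ == "__main__":
    # Constructed statuses: clean, virus found, the 128 from this thread,
    # a scanner error code, and signal 11 with a core dump.
    for raw in (0, 256, 128, 50 << 8, 0x8B):
        print(raw, decode_status(raw), naive_verdict(raw), verdict(raw))
```

The status 128 from this thread has an exit-code byte of 0, so a handler that only shifts or divides by 256 would deliver the message as clean.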
[Clamav-users] Re: ClamAV return codes
Brian Bruns wrote:
> The issue with return codes in 1.5.13 was fixed in a 1.5.14 snapshot which is what this user is using. I know all about the return code issue, and was ready to fork the Cygwin source code to fix it if they didn't fix it themselves. With the latest snapshots, everything is returning the right codes again

Strange, from Cygwin users' mail list it didn't seem that anything was going to be changed on this issue.

> So, I still have the issue where I need to find out what is causing the dumps in ClamAV. Back to square one. I have no one else reporting this issue currently.

I have the CommuniGate server running with a snapshot from back in January 29, sockets didn't work at all after that date (but that snapshot fixed the problem with all the port connections left open). On my development machine I have the 1.5.13 release with clamav-0.83 both compiled and downloaded from Cygwin, the socket problem was fixed in between. No problems at all with clamav (tested: clamd, freshclam, clamscan, and clamdscan) on both machines, and both use the dynamic library.

The only way to see what is causing the core dump is running clamscan under gdb; a workaround is to install everything you need again.

> Latest cygwin snapshots are here if you need the latest DLL: http://www.cygwin.com/snapshots/

Those are too dangerous, I know, I've used snapshots and they fix something and usually break something else... well it's the same with the stable releases, not much testing is done. The fastest fix is usually to go back to an earlier version of whatever caused the problem (see the install log for a list of what has been changed lately).

If you need a list of packages/versions that do work I can provide it.

Regards.

--
René Berber