[Clamav-users] Clamav Loops infinitely
We are running SME Server 6.0.1.01 and Clamav 0.83. We have a loop problem after upgrading clamav from 0.82 and 0.83. The problem is that something causes the clamscan program to loop infinitely, taking all the available memory and stopping access to the internet. Something like this was posted by Harald Villemoes back in February and there were little or no replies. Can anybody help us with this issue?

Jeff Parson
Grampians Community Health Centre
STAWELL Vic 3380
PH (03) 5358 3700 Fax (03) 5358 4113
Email [EMAIL PROTECTED]

*** CAUTION - The contents of this email transmission, including attachments, may be privileged and confidential. Any unauthorised use of the contents is expressly prohibited. If you have received this transmission in error, please advise the sender by return email or telephone immediately and destroy all versions.

___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] Bagle-BB.rar
Kiril Todorov wrote:

Hello list, Just a quick warning to the ones still running 0.83. There seems to be a variation of Bagle which is being caught only by the devel versions of clamav 0.84rc1 for example.

Could you please submit a sample to me (in a password protected zip file)? The signatures [Worm.Bagle.BB, Worm.Bagle.BB-rar] work with 0.83 and do match samples I've reviewed so far. What may be missing is a signature for the worm behind yesterday's emails. They don't contain a worm, but a Trojan that downloads a worm, but none of the sites the Trojan tries to pull it from was online (at least none of the ones I tried).

Thanks in advance...

Best regards, Diego d'Ambra
Re: [Fwd: Re: [Clamav-users] fileblobDestroy: file not saved]]
Hi Nigel,

Sorry, I am not an expert in the C language. It may be difficult for me to trace the program. Anyway, by turning DEBUG on, what else do I need to watch out for?

Best Regards
Gene Leung

Nigel Horne wrote:

What is happening is that on this line:

    snprintf(fullname, sizeof(fullname) - 1, "%s/%.*sXX", dir, (int)(sizeof(fullname) - 9 - strlen(dir)), filename);

The XX isn't being appended to the string. This cannot happen and points to a bug outside of my control. Perhaps enabling debugging within clamd will help to see why this is happening.

-Nigel

On Thursday 14 Apr 2005 10:46, Gene Leung wrote:

Hi Nigel, Here are the files:

LibClamAV Error: Can't create temporary file /var/tmp/clamav-a7b7920ff0485a4d/: Invalid argument
LibClamAV Error: fileblobDestroy: file not saved: report to [EMAIL PROTECTED]

[EMAIL PROTECTED] /var/tmp/clamav-a7b7920ff0485a4d]# ls -alt
total 24
drwxrwxrwt 138 root root 12288 Apr 14 17:41 ..
drwx------   2 root root  4096 Apr 14 17:25 .
-rw-------   1 root root   393 Apr 14 17:25 mixedtextportiono0twIg
-rw-------   1 root root  1623 Apr 14 17:25 mixedtextportionpxd3Uy

Should you need more to investigate, please let me know!! Thanks!!

Best Regards
Gene Leung

Original Message
Subject: [Fwd: [Fwd: Re: [Fwd: Re: [Clamav-users] fileblobDestroy: file not saved]]]
Date: Thu, 14 Apr 2005 16:54:59 +0800
From: Gene Leung [EMAIL PROTECTED]
To: [EMAIL PROTECTED]

Hi Nigel, Oh, I am sorry! I think I can get it !! I will send one to you a little bit later !

Best Regards
Gene

Original Message
Subject: [Fwd: Re: [Fwd: Re: [Clamav-users] fileblobDestroy: file not saved]]
Date: Thu, 14 Apr 2005 16:52:27 +0800
From: Gene Leung [EMAIL PROTECTED]
To: [EMAIL PROTECTED]

Hi Nigel, Thank you for the reply! Is there any hint from looking up those temporary directories? Since most of them are ok, only few may have errors.

Best Regards
Gene Leung

/*** Message Sent by you ***/

Yes, sorry I remember you posting that to clamav-users. I can see nothing obvious wrong here than the one I mentioned about an incorrect LocalSocket value which isn't being used in your configuration. In that case, yes, your best bet is to turn on LeaveTemporaryFiles and see if you can track it. Watch out though, you'll soon have a lot of temporary files so you will need to clean them out very often.

-Nigel Horne
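The failure discussed in the thread above, as an added example that is not part of the original messages and is not ClamAV's code. It assumes the template built by the quoted snprintf() is handed to mkstemp(3), which rejects any template that does not end in six X characters with EINVAL ("Invalid argument", the text in the logged error). The function names and the 256-byte buffers are hypothetical; the directory and file-name prefix are taken from the log.

```c
/* Added example, not ClamAV source. Assumption: the temporary-file template
 * is consumed by mkstemp(3). All function names here are hypothetical. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define SUFFIX "XXXXXX"   /* the trailing pattern mkstemp() overwrites */

/* Returns 1 if tmpl ends in the six X's mkstemp() requires, else 0. */
static int has_mkstemp_suffix(const char *tmpl)
{
    size_t len = strlen(tmpl), slen = strlen(SUFFIX);
    return len >= slen && strcmp(tmpl + len - slen, SUFFIX) == 0;
}

/* Build "<dir>/<filename prefix>XXXXXX" in out[outsz]. The filename is
 * shortened so the suffix always fits. Returns 0 on success, -1 if even an
 * empty prefix does not fit or the result is not a valid template. */
static int build_template(char *out, size_t outsz,
                          const char *dir, const char *filename)
{
    /* bytes that must always be present: dir + '/' + suffix + NUL */
    size_t fixed = strlen(dir) + 1 + strlen(SUFFIX) + 1;
    if (fixed > outsz)
        return -1;               /* checked before any unsigned subtraction */

    size_t room = outsz - fixed; /* space left for the filename prefix */
    size_t flen = strlen(filename);
    int prec = (int)(flen < room ? flen : room);

    int n = snprintf(out, outsz, "%s/%.*s" SUFFIX, dir, prec, filename);
    if (n < 0 || (size_t)n >= outsz || !has_mkstemp_suffix(out))
        return -1;               /* truncated or malformed: do not use it */
    return 0;
}

/* Wrapper around build_template() for a buffer of outsz bytes (capped at
 * 256). Returns the template, or NULL if none fits. */
const char *template_for(size_t outsz, const char *dir, const char *filename)
{
    static char buf[256];
    if (outsz > sizeof(buf))
        outsz = sizeof(buf);
    return build_template(buf, outsz, dir, filename) == 0 ? buf : NULL;
}

/* Try to create a file from tmpl. Returns 0 on success (the file is removed
 * again) or the errno reported by mkstemp(). */
int mkstemp_errno(const char *tmpl)
{
    char path[256];
    if (strlen(tmpl) >= sizeof(path))
        return ENAMETOOLONG;
    strcpy(path, tmpl);          /* mkstemp() modifies its argument */

    int fd = mkstemp(path);
    if (fd < 0)
        return errno;
    close(fd);
    unlink(path);
    return 0;
}

int main(void)
{
    /* Directory and prefix as they appear in the log quoted in the thread. */
    const char *dir = "/var/tmp/clamav-a7b7920ff0485a4d";
    const char *t = template_for(64, dir, "mixedtextportion");
    printf("template:            %s\n", t ? t : "(does not fit)");

    /* The path from the error message: no prefix, no X's. */
    printf("mkstemp(\"%s/\"): %s\n", dir,
           strerror(mkstemp_errno("/var/tmp/clamav-a7b7920ff0485a4d/")));

    /* A well-formed template in /tmp (assumed writable). */
    printf("mkstemp(\"/tmp/exampleXXXXXX\"): %s\n",
           strerror(mkstemp_errno("/tmp/exampleXXXXXX")));
    return 0;
}
```

Checking the snprintf() return value and the suffix before calling mkstemp() turns the silent "XX not appended" case into an explicit error at the point where the template is built.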
[Clamav-users] Can phishing be considered one kind of spam ?
Can phishing be considered one kind of spam ?
Re: [Clamav-users] Can phishing be considered one kind of spam ?
On Fri, 2005-04-15 at 06:39 -0700, Joanna Roman wrote: Can phishing be considered one kind of spam ? What is the universe in and where are God's parents?
Re: [Clamav-users] Can phishing be considered one kind of spam ?
Can phishing be considered one kind of spam ? What is the universe in and where are God's parents? 42 -- Ralf Hildebrandt (i.A. des IT-Zentrum) [EMAIL PROTECTED] Charite - Universitätsmedizin BerlinTel. +49 (0)30-450 570-155 Gemeinsame Einrichtung von FU- und HU-BerlinFax. +49 (0)30-450 570-962 IT-Zentrum Standort CBF send no mail to [EMAIL PROTECTED] ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] Can phishing be considered one kind of spam ?
Joanna Roman wrote: Can phishing be considered one kind of spam ? Sure it can! HTH, HAND, daniel ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] Can phishing be considered one kind of spam ?
On Apr 15, 2005, at 9:39 AM, Joanna Roman wrote: Can phishing be considered one kind of spam ? Please no...please please no ___ http://lurker.clamav.net/list/clamav-users.html
[Clamav-users] false hits
Hello all... Question...I recently tried booting up with the Ultimate Boot CD that included INSERT Linux as one of the images. I booted to INSERT, ran freshclam, then proceeded to scan a hard disk on which Windows 98 was installed. I had a number of hits showing up within the Windows/system directory. A subsequent scan with a standalone utility from an AV vendor showed no sign of the viruses in that directory. I was wondering if someone else could reproduce these hits to confirm that I wasn't dreaming this up...I'd submit the false hits, but the system has since been wiped to install NT and I didn't want to try extracting those files from the hard disk and sending them in if other people could get the same results. These appeared to be regular Windows dll's that it was getting hits on... Thanks, -Bart ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] false hits
Bart Silverstrim wrote:

Hello all... Question...I recently tried booting up with the Ultimate Boot CD that included INSERT Linux as one of the images. I booted to INSERT, ran freshclam, then proceeded to scan a hard disk on which Windows 98 was installed. I had a number of hits showing up within the Windows/system directory. A subsequent scan with a standalone utility from an AV vendor showed no sign of the viruses in that directory. I was wondering if someone else could reproduce these hits to confirm that I wasn't dreaming this up...I'd submit the false hits, but the system has since been wiped to install NT and I didn't want to try extracting those files from the hard disk and sending them in if other people could get the same results. These appeared to be regular Windows dll's that it was getting hits on... Thanks, -Bart

It's very common for older viruses to embed themselves inside exe's, dll's, etc etc. I had a case of that quite a while ago, wipe/install was the only solution in sight. It could also be that these are false positives. But without the files in question, it's only a guessing game. As an aside, I've noticed that some AV vendors don't detect _all_ viruses since the beginning of time... So this could also be the case.

-- Thanks, James
[Clamav-users] Yahoo using ClamAV
From a bounce message posted to the SPAM-L mailing list, which I thought people might find interesting (if it hasn't already been mentioned): The original message was received at Fri, 15 Apr 2005 14:10:54 +0100 - The following addresses had permanent fatal errors - xx xx - Transcript of session follows - ... while talking to mrin4.corp.yahoo.com DATA 554 5.7.1 virus HTML.Phishing.Bank-165 detected by ClamAV - http://www.clamav.net Kudos to the ClamAV guys for their excellent work. -- Brian Bruns The Summit Open Source Development Group http://www.sosdg.org / http://www.ahbl.org ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] Can phishing be considered one kind of spam ?
Joanna Roman said: Can phishing be considered one kind of spam ?

Of course. Rather than dither over the categorization of content of messages just think of any unsolicited bulk email as evil and to be destroyed. It helps to get past the problems of how to think about phishing and political prisoners with vast sums of cash, social engineering messages, male potency enhancers for little boyz with nothing but wet dreams, amateur mommys looking for action, etc.

Self-replicating or other active attachments or inclusions that run in primitive operating systems such as Windows can be a part of phishing attempts but are a problem in addition to the intent of the phishing schemes. These two facets of mail content require different policies and tools.

dp
Re: [Clamav-users] Can phishing be considered one kind of spam ?
Bart Silverstrim wrote: Please no...please please no ___ http://lurker.clamav.net/list/clamav-users.html LMAO! That was exactly what I was thinking when I opened the question ;) ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] false hits
Bart Silverstrim wrote: I had a number of hits showing up within the Windows/system directory.

Heh, didn't Norton detect windows as a virus at one time?

A subsequent scan with a standalone utility from an AV vendor showed no sign of the viruses in that directory.

This doesn't necessarily mean anything. What I would do is do an online scan (I highly recommend http://housecall.trendmicro.com). If you are indeed compromised, there's a chance your AV may be as well.
RE: [Clamav-users] remove scanner serve
*** REPLY SEPARATOR *** On 4/14/2005 at 10:24 PM Nigel Horne wrote: Okay this is what i have for clamav-milter on remote server Remote to sendmail? Or remote to clamd? Or both? CLAMAV_FLAGS=-qlm5 --external --server=xxx.xxx.xxx.xxx local:/var/run/clamav/clmilter.sock and I have to run clamd on that server so that clamav uses it externally to scan for virus (if i understand this correctly) I presume by that server you mean the server running clamav-milter and on my primary server i did the same thing and clamav creates local socket and scans thru clamd on remote server. I presume by primary server you mean the server running clamd, though I don't understand what you mean by you did the same thing? Why would you do the same on both machines? Surely one runs clamd and one runs clamav-milter? however if i use INPUT_MAIL_FILTER(`clamav', `S=inet:[EMAIL PROTECTED], F=, T=S:4m;R:4m')dnl (machine name chaned to correct machine of course) By machineb do you mean the same as primary server above? Or the same as that server? I still get socket errors in maillog about attempting to scan and clamd is on the remote socket not clamav-milter on the remote socket. I'm sure i'm doing something simple wrong but I sure can't figure it out. Sorry, but I can't figure out what you're trying to do and what you've tried to set up. The following scenarios are possible: 1) sendmail, clamav-milter and clamd all on one machine 2) sendmail and clamav-milter on one machine, clamd on another machine 3) sendmail on one machine, clamav-milter and clamd on another machine 4) sendmail, clamav-milter and clamd all on separate machines 5) sendmail and clamav-milter on one machine, clamd running on multiple machines load balanced 6) sendmail and clamav-milter on separate machines, clamd running on multiple machines load balanced, which may include the same machines. Please be very specific about what you're trying to achieve. I guess it's either scenario 2 or scenario 3? 
Carl I can get scenario 2 to work without a problem and this is how I did it for some time before .82 (when clamd scanning was integrated into clamav-milter and you no longer needed to run clamd just for clamav-milter) The problem I have is scenario 3. machine a has sendmail on it machine b is a low use box so I would like to run clamav-milter and clamd (if its necessary now) on it and have machine a connect to clamav-milter on machine b. however I am unable to get clamav-milter to listen on a TCP port on machine b Carl ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] remove scanner serve
On Friday 15 Apr 2005 15:58, Nigel Horne wrote: INPUT_MAIL_FILTER(`clamav', `S=inet:[EMAIL PROTECTED], F=, T=S:4m;R:4m')dn (I missed a final l on the cut 'n' paste before the pedantic start winging) INPUT_MAIL_FILTER(`clamav', `S=inet:[EMAIL PROTECTED], F=, T=S:4m;R:4m')dnl On machineb try starting clamav-milter thus (based on the options you gave, and ensure that clamd is running on machineb first): CLAMAV_FLAGS=-qlm5 --external inet:3311 Carl -Nigel -- Nigel Horne. Arranger, Composer, Typesetter. NJH Music, Barnsley, UK. ICQ#20252325 [EMAIL PROTECTED] http://www.bandsman.co.uk ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] Can phishing be considered one kind of spam ?
On Fri, 15 Apr 2005 06:39:02 -0700 (PDT) in [EMAIL PROTECTED] Joanna Roman [EMAIL PROTECTED] wrote: Can phishing be considered one kind of spam ? When 0.90 is available it will allow you to decide whether to filter on different types of content, until then please don't get this list going on the phishing is not spam! discussion. -- Brian Morrison bdm at fenrir dot org dot uk GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html ___ http://lurker.clamav.net/list/clamav-users.html
RE: [Clamav-users] Can phishing be considered one kind of spam ?
Brian Morrison wrote: When 0.90 is available it will allow you to decide whether to filter on different types of content, until then please don't get this list going on the phishing is not spam! discussion. Sweet... here are my selections [x] viruses [x] phishing [x] spam [x] stupid jokes [x] urban myths [x] (company) will pay you $ for every person you forward this to [x] cute puppies [x] sob stories ... Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902 Hispanic Business Inc./HireDiversity.com Software Engineer perl -emap{y/a-z/l-za-k/;print}shift Jjhi pcdiwtg Ptga wprztg, ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] Can phishing be considered one kind of spam ?
Ralf Hildebrandt wrote: Can phishing be considered one kind of spam ? What is the universe in and where are God's parents? 42 So long, and thanks for all the phish. ___ http://lurker.clamav.net/list/clamav-users.html
RE: [Clamav-users] Can phishing be considered one kind of spam ?
Sweet... here are my selections
[x] viruses
[x] phishing
[x] spam
[x] stupid jokes
[x] urban myths
[x] (company) will pay you $ for every person you forward this to
[x] cute puppies
[x] sob stories
...
[x] completely useless messages from useful mailing lists

Oh, no! This message would have been rejected =P!

-SamSam
Re: [Clamav-users] Can phishing be considered one kind of spam ?
On Friday 15 Apr 2005 17:04, alan premselaar wrote: So long, and thanks for all the phish. Very droll -- Nigel Horne. Arranger, Composer, Typesetter. NJH Music, Barnsley, UK. ICQ#20252325 [EMAIL PROTECTED] http://www.bandsman.co.uk ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] remove scanner serve
*** REPLY SEPARATOR *** On 4/15/2005 at 3:58 PM Nigel Horne wrote: On Friday 15 Apr 2005 15:56, Carl Thompson wrote: *** REPLY SEPARATOR *** On 4/14/2005 at 10:24 PM Nigel Horne wrote: Okay this is what i have for clamav-milter on remote server Remote to sendmail? Or remote to clamd? Or both? CLAMAV_FLAGS=-qlm5 --external --server=xxx.xxx.xxx.xxx local:/var/run/clamav/clmilter.sock and I have to run clamd on that server so that clamav uses it externally to scan for virus (if i understand this correctly) I presume by that server you mean the server running clamav-milter and on my primary server i did the same thing and clamav creates local socket and scans thru clamd on remote server. I presume by primary server you mean the server running clamd, though I don't understand what you mean by you did the same thing? Why would you do the same on both machines? Surely one runs clamd and one runs clamav-milter? however if i use INPUT_MAIL_FILTER(`clamav', `S=inet:[EMAIL PROTECTED], F=, T=S:4m;R:4m')dnl (machine name chaned to correct machine of course) By machineb do you mean the same as primary server above? Or the same as that server? I still get socket errors in maillog about attempting to scan and clamd is on the remote socket not clamav-milter on the remote socket. I'm sure i'm doing something simple wrong but I sure can't figure it out. Sorry, but I can't figure out what you're trying to do and what you've tried to set up. The following scenarios are possible: 1) sendmail, clamav-milter and clamd all on one machine 2) sendmail and clamav-milter on one machine, clamd on another machine 3) sendmail on one machine, clamav-milter and clamd on another machine 4) sendmail, clamav-milter and clamd all on separate machines 5) sendmail and clamav-milter on one machine, clamd running on multiple machines load balanced 6) sendmail and clamav-milter on separate machines, clamd running on multiple machines load balanced, which may include the same machines. 
Please be very specific about what you're trying to achieve. I guess it's either scenario 2 or scenario 3? I can get scenario 2 to work without a problem and this is how I did it for some time before .82 (when clamd scanning was integrated into clamav-milter and you no longer needed to run clamd just for clamav-milter) The problem I have is scenario 3. machine a has sendmail on it machine b is a low use box so I would like to run clamav-milter and clamd (if its necessary now) on it and have machine a connect to clamav-milter on machine b. however I am unable to get clamav-milter to listen on a TCP port on machine b Machine a configure looks correct: INPUT_MAIL_FILTER(`clamav', `S=inet:[EMAIL PROTECTED], F=, T=S:4m;R:4m')dn On machineb try starting clamav-milter thus (based on the options you gave, and ensure that clamd is running on machineb first): CLAMAV_FLAGS=-qlm5 --external inet:3311 Carl -Nigel As a final update to this little endeavor this is what I did on the mail server i used INPUT_MAIL_FILTER(`clamav', `S=inet:[EMAIL PROTECTED], F=, T=S:4m;R:4m')dn on the scanning server i did the following CLAMAV_FLAGS=-qlm5 inet:3311 --server xxx.xxx.xxx.xxx I tried it with --external and that worked fine if I had clamd running (as it should be) so I figured i would try it internal and that worked fine. I did however have to specify --server because without it it bound to 3311 of 127.0.0.1 Carl ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] false hits
On Apr 15, 2005, at 10:45 AM, BitFuzzy wrote: Bart Silverstrim wrote: I had a number of hits showing up within the Windows/system directory. Heh, didn't Norton detect windows as a virus at one time? I remember there was something that reported Windows as a virus. I thought it was some old AV that was made for OS/2. The Clam team doesn't have a sense of humor...they refused my offer to send Win.com in for a signature addition :-) A subsequent scan with a standalone utility from an AV vendor showed no sign of the viruses in that directory. This doesn't necessarily mean anything. What I would do is do a online scan (I highly recommend http://housecall.trendmicro.com) If you are indeed compromised, there's a chance your AV may be as well Hope not. It was a standalone bootable utility to scan hard disks for viruses (well, I used the ultimate boot disk to boot to FreeDOS to run the scan). The Clam scan session was also done from a bootable CD with the latest definitions. I do agree with the online scanner, I often use it. This was more of a scanning-an-odd-acting-system that probably had some form of corruption before we formatted and reinstalled an OS. I was just wondering if anyone else had resources to try running the scan via a bootable Linux CD (like the INSERT CD) and scan a Windows system to see if they were getting oddball false hits. I just dismissed the results initially because it seemed from my many lurking sessions (and participation sessions) in the mailing list that Clam was and is primarily a mail scanner aimed at getting mail viruses, not the old school viruses like Brain...perhaps the signatures were just picking up oddball patterns on the drive and misreporting it. I miss the old days when there was a clear delineation among viruses and malware and just plain social engineering hoaxes and whatnot. Today it's just getting easier for administrators to simply label every file that's not approved as unrunnable and do away with AV. 
The best move we've been taking in months is to adopt Deep Freeze on systems. Go ahead and infect it...we reboot, the infection goes away, along with all the chaff and crud that the users have carelessly installed. :-) ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] Can phishing be considered one kind of spam ?
Samuel Benzaquen wrote:

Sweet... here are my selections
[x] viruses
[x] phishing
[x] spam
[x] stupid jokes
[x] urban myths
[x] (company) will pay you $ for every person you forward this to
[x] cute puppies
[x] sob stories
...
[x] completely useless messages from useful mailing lists

Oh, no! This message would have been rejected =P! -SamSam

No, clamav doesn't reject anything ;)

-Jim
RE: [Clamav-users] remove scanner serve
*** REPLY SEPARATOR *** On 4/15/2005 at 3:58 PM Nigel Horne wrote: On Friday 15 Apr 2005 15:56, Carl Thompson wrote: *** REPLY SEPARATOR *** On 4/14/2005 at 10:24 PM Nigel Horne wrote: Okay this is what i have for clamav-milter on remote server Remote to sendmail? Or remote to clamd? Or both? CLAMAV_FLAGS=-qlm5 --external --server=xxx.xxx.xxx.xxx local:/var/run/clamav/clmilter.sock and I have to run clamd on that server so that clamav uses it externally to scan for virus (if i understand this correctly) I presume by that server you mean the server running clamav-milter and on my primary server i did the same thing and clamav creates local socket and scans thru clamd on remote server. I presume by primary server you mean the server running clamd, though I don't understand what you mean by you did the same thing? Why would you do the same on both machines? Surely one runs clamd and one runs clamav-milter? however if i use INPUT_MAIL_FILTER(`clamav', `S=inet:[EMAIL PROTECTED], F=, T=S:4m;R:4m')dnl (machine name chaned to correct machine of course) By machineb do you mean the same as primary server above? Or the same as that server? I still get socket errors in maillog about attempting to scan and clamd is on the remote socket not clamav-milter on the remote socket. I'm sure i'm doing something simple wrong but I sure can't figure it out. Sorry, but I can't figure out what you're trying to do and what you've tried to set up. The following scenarios are possible: 1) sendmail, clamav-milter and clamd all on one machine 2) sendmail and clamav-milter on one machine, clamd on another machine 3) sendmail on one machine, clamav-milter and clamd on another machine 4) sendmail, clamav-milter and clamd all on separate machines 5) sendmail and clamav-milter on one machine, clamd running on multiple machines load balanced 6) sendmail and clamav-milter on separate machines, clamd running on multiple machines load balanced, which may include the same machines. 
Please be very specific about what you're trying to achieve. I guess it's either scenario 2 or scenario 3? I can get scenario 2 to work without a problem and this is how I did it for some time before .82 (when clamd scanning was integrated into clamav-milter and you no longer needed to run clamd just for clamav-milter) The problem I have is scenario 3. machine a has sendmail on it machine b is a low use box so I would like to run clamav-milter and clamd (if its necessary now) on it and have machine a connect to clamav-milter on machine b. however I am unable to get clamav-milter to listen on a TCP port on machine b Machine a configure looks correct: INPUT_MAIL_FILTER(`clamav', `S=inet:[EMAIL PROTECTED], F=, T=S:4m;R:4m')dn On machineb try starting clamav-milter thus (based on the options you gave, and ensure that clamd is running on machineb first): CLAMAV_FLAGS=-qlm5 --external inet:3311 Carl -Nigel As a final update to this little endeavor this is what I did on the mail server i used INPUT_MAIL_FILTER(`clamav', `S=inet:[EMAIL PROTECTED], F=, T=S:4m;R:4m')dn on the scanning server i did the following CLAMAV_FLAGS=-qlm5 inet:3311 --server xxx.xxx.xxx.xxx I tried it with --external and that worked fine if I had clamd running (as it should be) so I figured i would try it internal and that worked fine. I did however have to specify --server because without it it bound to 3311 of 127.0.0.1 Again I need more information here. When you say xxx.xxx.xxx.xxx, what IP address did you use? Furthermore what do you have in your tcpwrappers files (/etc/hosts.allow and /etc/hosts.deny). --server is to do with the link clamav-milter-clamd, where as the inet:3311 is to do with the link sendmail-clamav-milter, so adding --server should have no effect on the incoming as you've stated. I need more information to see what's going on with the bind you mention. Carl -Nigel ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] false hits
On Fri, 15 Apr 2005 09:53:11 -0400 Bart Silverstrim [EMAIL PROTECTED] wrote:

Hello all... Question...I recently tried booting up with the Ultimate Boot CD that included INSERT Linux as one of the images. I booted to INSERT, ran freshclam, then proceeded to scan a hard disk on which Windows 98 was installed. I had a number of hits showing up within the Windows/system directory. A subsequent scan with a standalone utility from an AV vendor showed no sign of the viruses in that directory.

Make sure your INSERT Linux contains the latest stable version of ClamAV (0.83). There were some issues with MS05-002 exploit detection in 0.82.

-- Tomasz Kojm [EMAIL PROTECTED]
http://www.ClamAV.net/gpg/tkojm.gpg 0DCA5A08407D5288279DB43454822DC8985A444B
Fri Apr 15 18:54:23 CEST 2005
Re: [Clamav-users] false hits
Bart Silverstrim wrote: I was just wondering if anyone else had resources to try running the scan via a bootable Linux CD (like the INSERT CD) and scan a Windows system to see if they were getting oddball false hits. I've got Knoppix lying around. Either tonight or tomorrow morning I'll load it, install ClamAV and see what happens. I'd do it today, but for some ungodly reason, today's looking more like a 'Monday Re-Loaded' ___ http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] false hits
On Apr 15, 2005, at 12:54 PM, Tomasz Kojm wrote: On Fri, 15 Apr 2005 09:53:11 -0400 Bart Silverstrim [EMAIL PROTECTED] wrote: Hello all... Question...I recently tried booting up with the Ultimate Boot CD that included INSERT Linux as one of the images. I booted to INSERT, ran freshclam, then proceeded to scan a hard disk on which Windows 98 was installed. I had a number of hits showing up within the Windows/system directory. A subsequent scan with a standalone utility from an AV vendor showed no sign of the viruses in that directory. Make sure your INSERT Linux contains the latest stable version of ClamAV (0.83). There were some issues with MS05-002 exploit detection in 0.82. Good point...I don't know what version it was. It is the default with the latest version of UBCD... ___ http://lurker.clamav.net/list/clamav-users.html
[Clamav-users] Re: Clamav Loops infinitely
Jeff Parson wrote: We are Running SME Server 6.0.1.01 and Clamav 0.83. We have a loop problem after upgrading clamav from 0.82 and 0.83. The problem is, that some thing causes the clamscan program to loop infinitely, taking all the available memory and stopping access to the internet. Some thing like this was posted by Harald Villemoes back in February and there were little or no replies. Can anybody help us with this issue You may be looking at this problem: http://lurker.clamav.net/message/20050228.113055.3e7687b5.en.html the solution has been to install the CVS version until 0.84 comes out. Hope this helps. -- René Berber ___ http://lurker.clamav.net/list/clamav-users.html
[Clamav-users] clamscan and CPU usage
Hello

Please, we have seen this in one of our servers:

qscand 20687 13.4 0.0 19528   936 ? R Apr13 389:37 /usr/local/clamav/bin/clamscan --verbose --debug /var/spool/qmailscan/tmp/servername111342211948731875
qscand  9521 11.4 0.0 34176   960 ? R Apr13 317:33 /usr/local/clamav/bin/clamscan --verbose --debug /var/spool/qmailscan/tmp/servername111342946848732286
qscand 11797 11.3 0.0 34176   956 ? R Apr13 315:33 /usr/local/clamav/bin/clamscan --verbose --debug /var/spool/qmailscan/tmp/servername11134304914878366
qscand 21298 11.2 0.0 34176   956 ? R Apr13 310:13 /usr/local/clamav/bin/clamscan --verbose --debug /var/spool/qmailscan/tmp/servername111343170648718919
qscand  5002 11.1 0.0 34176   956 ? R Apr13 302:58 /usr/local/clamav/bin/clamscan --verbose --debug /var/spool/qmailscan/tmp/servername11134337474871949
qscand 17446  5.8 1.2 34176 26744 ? R Apr14  75:37 /usr/local/clamav/bin/clamscan --verbose --debug /var/spool/qmailscan/tmp/servername111352049348716262
qscand  1449  5.7 1.2 34176 26744 ? R Apr14  72:57 /usr/local/clamav/bin/clamscan --verbose --debug /var/spool/qmailscan/tmp/servername1113521775487767
qscand 16155  5.6 1.2 34176 26744 ? R Apr14  69:28 /usr/local/clamav/bin/clamscan --verbose --debug /var/spool/qmailscan/tmp/servername111352357548715506
qscand 14164  5.4 1.2 34176 26732 ? R Apr14  63:55 /usr/local/clam

As you can see, there are some clamscan processes running for 300 minutes, and so on. Has anyone seen this issue? It is the only server of about 200 that is behaving this way. It was happening with v0.80, but is still happening with 0.84rc1.

RedHat 7.3 very updated
Intel P4
Enough Memory

Any thoughts??

Thanks
Agustín
FuturaHost.Com's Support
Re: [Clamav-users] Re: Clamav Loops infinitely
On Friday 15 Apr 2005 20:31, René Berber wrote: Jeff Parson wrote: We are Running SME Server 6.0.1.01 and Clamav 0.83. We have a loop problem after upgrading clamav from 0.82 and 0.83. The problem is, that some thing causes the clamscan program to loop infinitely, taking all the available memory and stopping access to the internet. Some thing like this was posted by Harald Villemoes back in February and there were little or no replies. Can anybody help us with this issue You may be looking at this problem: http://lurker.clamav.net/message/20050228.113055.3e7687b5.en.html the solution has been to install the CVS version until 0.84 comes out. 0.84 RC1 is already out. ___ http://lurker.clamav.net/list/clamav-users.html
RE: [Clamav-users] remove scanner serve
*** REPLY SEPARATOR *** On 4/15/2005 at 5:49 PM Nigel Horne wrote: *** REPLY SEPARATOR *** On 4/15/2005 at 3:58 PM Nigel Horne wrote: On Friday 15 Apr 2005 15:56, Carl Thompson wrote: *** REPLY SEPARATOR *** On 4/14/2005 at 10:24 PM Nigel Horne wrote: Okay this is what i have for clamav-milter on remote server Remote to sendmail? Or remote to clamd? Or both? CLAMAV_FLAGS=-qlm5 --external --server=xxx.xxx.xxx.xxx local:/var/run/clamav/clmilter.sock and I have to run clamd on that server so that clamav uses it externally to scan for virus (if i understand this correctly) I presume by that server you mean the server running clamav-milter and on my primary server i did the same thing and clamav creates local socket and scans thru clamd on remote server. I presume by primary server you mean the server running clamd, though I don't understand what you mean by you did the same thing? Why would you do the same on both machines? Surely one runs clamd and one runs clamav-milter? however if i use INPUT_MAIL_FILTER(`clamav', `S=inet:[EMAIL PROTECTED], F=, T=S:4m;R:4m')dnl (machine name chaned to correct machine of course) By machineb do you mean the same as primary server above? Or the same as that server? I still get socket errors in maillog about attempting to scan and clamd is on the remote socket not clamav-milter on the remote socket. I'm sure i'm doing something simple wrong but I sure can't figure it out. Sorry, but I can't figure out what you're trying to do and what you've tried to set up. 
The following scenarios are possible:

1) sendmail, clamav-milter and clamd all on one machine
2) sendmail and clamav-milter on one machine, clamd on another machine
3) sendmail on one machine, clamav-milter and clamd on another machine
4) sendmail, clamav-milter and clamd all on separate machines
5) sendmail and clamav-milter on one machine, clamd running on multiple machines load balanced
6) sendmail and clamav-milter on separate machines, clamd running on multiple machines load balanced, which may include the same machines.

Please be very specific about what you're trying to achieve. I guess it's either scenario 2 or scenario 3?

I can get scenario 2 to work without a problem and this is how I did it for some time before .82 (when clamd scanning was integrated into clamav-milter and you no longer needed to run clamd just for clamav-milter)

The problem I have is scenario 3. machine a has sendmail on it. machine b is a low use box so I would like to run clamav-milter and clamd (if it's necessary now) on it and have machine a connect to clamav-milter on machine b. however I am unable to get clamav-milter to listen on a TCP port on machine b

Machine a configure looks correct:

INPUT_MAIL_FILTER(`clamav', `S=inet:[EMAIL PROTECTED], F=, T=S:4m;R:4m')dn

On machineb try starting clamav-milter thus (based on the options you gave, and ensure that clamd is running on machineb first):

CLAMAV_FLAGS=-qlm5 --external inet:3311

Carl

-Nigel

As a final update to this little endeavor this is what I did

on the mail server I used

INPUT_MAIL_FILTER(`clamav', `S=inet:[EMAIL PROTECTED], F=, T=S:4m;R:4m')dn

on the scanning server I did the following

CLAMAV_FLAGS=-qlm5 inet:3311 --server xxx.xxx.xxx.xxx

I tried it with --external and that worked fine if I had clamd running (as it should be) so I figured I would try it internal and that worked fine. I did however have to specify --server because without it it bound to 3311 of 127.0.0.1

Again I need more information here.
When you say xxx.xxx.xxx.xxx, what IP address did you use? Furthermore what do you have in your tcpwrappers files (/etc/hosts.allow and /etc/hosts.deny). --server is to do with the link clamav-milter-clamd, whereas the inet:3311 is to do with the link sendmail-clamav-milter, so adding --server should have no effect on the incoming as you've stated. I need more information to see what's going on with the bind you mention.

Carl

-Nigel

okay this is what I have

server A (sendmail server)

clmilter, S=inet:[EMAIL PROTECTED],F=, T=S:4m;R:4m

server B (clamav-milter server)

CLAMAV_FLAGS=inet:3311 -qlm5

server B (sendmail config no real email accounts but the system usual)

clmilter, S=inet:[EMAIL PROTECTED],F=, T=S:4m;R:4m

The results are that server b sendmail works fine thru the inet connection to server b clamav-milter and scans perfectly fine but server a sendmail doesn't connect or attempt to connect (no errors or anything in logs) to clamav-milter on server b

I can telnet from server a to server b port 3311 and connect without a problem, it is not blocked by iptables or hosts.deny

the domain looks up fine and has same results if I replace its name with an ip address

netstat report from server b on clamav [EMAIL