Re: [Clamav-users] freshclam watchdog?

2005-05-03 Thread Dennis Peterson
Matt Fretwell said:
> Dennis Peterson wrote:
>
>> >any ideas? i'm thinking about cobbling together something
>> >in perl to run from a cron job.
>
>
>> Screw the daemon - run it out of cron.
>
>
>  At last, a sensible suggestion :) Cronning it does make the daemon
> hanging pretty much a moot point :)
>

Damn right. Just be sure to use a random time so you don't land in
lockstep with those who don't. You can imagine the load it could impose if
everyone checked for patterns on the hour or regular fraction thereof.

dp
___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] clamd segfaulting as of about thursday

2005-05-03 Thread Matt Fretwell
Mark wrote:

> > If I was your boss, I'd fire you. Admins who wait with an update until
> > a software (especially a mission critical one responsible for e-mail
> > delivery) starts crashing are not worth any money.

> That seems a bit harsh.

 Actually, I was thinking that Tomasz ought to stop being subtle, and tell
us what he really thinks :)


> but still, it is quite sensible, imho, to wait a day or two before
> upgrading major stuff, to avoid these oopses.

 Correct. Several release versions, however, is a tad more than a day or
two, methinks.


Matt


Re: [Clamav-users] freshclam watchdog?

2005-05-03 Thread Matt Fretwell
Dennis Peterson wrote:

> > any ideas? i'm thinking about cobbling together something
> > in perl to run from a cron job.


> Screw the daemon - run it out of cron.


 At last, a sensible suggestion :) Cronning it does make the daemon
hanging pretty much a moot point :)


Matt


Re: [Clamav-users] problems after .84 upgrade

2005-05-03 Thread Tomasz Kojm
On Tue, 3 May 2005 16:24:04 -0700
<[EMAIL PROTECTED]> wrote:

> rick pim wrote:
> >  > Mind you I am
> >  > worried about the mode 777 for clamd.sock, if nothing else that
> >  > seems like a security breach to me.
> > 
> > true. but it seems to do that itself:
> > 
> > srwxrwxrwx   1 clamav   clamav 0 May  3 17:06 clamd.sock=
> 
> Stop me if I'm wrong but I think that's just the way sockets work.

On some systems (eg. Linux) it's possible to change permissions of a
socket file but generally it is not portable.

-- 
   oo. Tomasz Kojm <[EMAIL PROTECTED]>
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Wed May  4 01:50:23 CEST 2005




RE: [Clamav-users] problems after .84 upgrade

2005-05-03 Thread Christopher X. Candreva
On Tue, 3 May 2005 [EMAIL PROTECTED] wrote:

> >  > Mind you I am
> >  > worried about the mode 777 for clamd.sock, if nothing else that
> >  > seems like a security breach to me.
> > 
> > true. but it seems to do that itself:
> > 
> > srwxrwxrwx   1 clamav   clamav 0 May  3 17:06 clamd.sock=
> 
> Stop me if I'm wrong but I think that's just the way sockets work.

Ah -- THAT is why I put the socket in a clamav directory owned by 
clamav.clamav

==
Chris Candreva  -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/


RE: [Clamav-users] problems after .84 upgrade

2005-05-03 Thread Matthew.van.Eerde
rick pim wrote:
>  > Mind you I am
>  > worried about the mode 777 for clamd.sock, if nothing else that
>  > seems like a security breach to me.
> 
> true. but it seems to do that itself:
> 
> srwxrwxrwx   1 clamav   clamav 0 May  3 17:06 clamd.sock=

Stop me if I'm wrong but I think that's just the way sockets work.

Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com Software Engineer
perl -e"map{y/a-z/l-za-k/;print}shift" "Jjhi pcdiwtg Ptga wprztg," 


Re: [Clamav-users] problems after .84 upgrade

2005-05-03 Thread rick pim

> Mind you I am
> worried about the mode 777 for clamd.sock, if nothing else that seems
> like a security breach to me.

true. but it seems to do that itself:

# ls -al /var/clamav/
total 4
drwxr-x---   2 clamav   clamav   512 May  3 17:02 ./
drwxr-xr-x  32 root sys  512 Feb 11 13:21 ../
# /export/home/clamav/sbin/clamd
# ls -al /var/clamav/
total 4
drwxr-x---   2 clamav   clamav   512 May  3 17:06 ./
drwxr-xr-x  32 root sys  512 Feb 11 13:21 ../
srwxrwxrwx   1 clamav   clamav 0 May  3 17:06 clamd.sock=

> You don've have a "clmilter.sock" file, which points to clamav-milter not having been started.

i recognize that -- this was just to illustrate that clamd.sock being
777 was done by clamd itself.
rp


RE: [Clamav-users] problems after .84 upgrade

2005-05-03 Thread Jose Luis Hime
Excuse me for my misunderstanding, but is there any special configuration I
should do to use --external ?

I read the man page for clamav-milter and I have one doubt:


-e, --external
   Usually clamav-milter scans the emails itself without the use  of  an
   external program.  The --external option informs clamav-milter to use
   an external program such as clamd(8)  running  either  on  the  local
   server  or  other  server(s) to perform the scanning.  The setting in
   clamd.conf for LocalSocket or TCPSocket is ignored.


If the setting in clamd.conf for LocalSocket is ignored, how does
clamav-milter discover the program and socket to be used?

May I just add --external to my startup script and clamav-milter will work?

Thank you for your patience,
Jose Hime



Re: [Clamav-users] problems after .84 upgrade

2005-05-03 Thread Christopher X. Candreva
On Tue, 3 May 2005, Nigel Horne wrote:

> > That's true. It is not clear in the docs that --external is faster or more
> > reliable.
> 
> It's more secure, uses less memory and doesn't use IPC so it's faster.

I'm not saying it's more or less anything.  However, since I'm using 
--external and not having a problem, and (some) people using the internal 
scanner are having a problem, this might narrow down where the problem is.

-Chris

==
Chris Candreva  -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/


Re: [Clamav-users] problems after .84 upgrade

2005-05-03 Thread Nigel Horne
On Tuesday 03 May 2005 22:26, Nigel Horne wrote:

> You don've have a

don't

-- 
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK.  ICQ#20252325
[EMAIL PROTECTED] http://www.bandsman.co.uk


Re: [Clamav-users] problems after .84 upgrade

2005-05-03 Thread Nigel Horne
On Tuesday 03 May 2005 22:23, Jose Luis Hime wrote:
> > You might try adding --external. It looks like the people posting about 
> > clamav-milter problems are all not using --external.
> 
> That's true. It is not clear in the docs that --external is faster or more
> reliable.

It's more secure, uses less memory and doesn't use IPC so it's faster.

> I will change my configuration and test it. Thanks for the tip! 
> 
> Jose Hime


-- 
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK.  ICQ#20252325
[EMAIL PROTECTED] http://www.bandsman.co.uk


Re: [Clamav-users] problems after .84 upgrade

2005-05-03 Thread Nigel Horne
On Tuesday 03 May 2005 22:07, rick pim wrote:
> 
>  > None without some information such as options used to start
>  > clamav-milter, clamd.conf, /etc/mail/sendmail.mc etc etc. 
> 
> clamav-milter is started with:
>   clamav-milter -PHl --postmaster=root -m 64 /var/clamav/clmilter.sock
> 
> here's an extract from clamd.conf:
> 
> # grep -v ^# clamd.conf | grep -v '^$'
> LogTime
> LogSyslog
> LogFacility LOG_MAIL
> TemporaryDirectory /export/home/clamav/tmp
> LocalSocket /var/clamav/clamd.sock
> FixStaleSocket
> MaxConnectionQueueLength 32
> StreamMaxLength 20M
> MaxThreads 64
> SelfCheck 3600
> User clamav
> ScanMail
> 
> sendmail.mc extract:
> 
> INPUT_MAIL_FILTER(`clamav', `S=local:/var/clamav/clmilter.sock, 
> F=,T=S:4m;R:4m')dnl
> define(`confINPUT_MAIL_FILTERS', `clamav')
> 
>  > Mind you I am
>  > worried about the mode 777 for clamd.sock, if nothing else that seems
>  > like a security breach to me.
> 
> true. but it seems to do that itself:
> 
> # ls -al /var/clamav/
> total 4
> drwxr-x---   2 clamav   clamav   512 May  3 17:02 ./
> drwxr-xr-x  32 root sys  512 Feb 11 13:21 ../
> # /export/home/clamav/sbin/clamd
> # ls -al /var/clamav/
> total 4
> drwxr-x---   2 clamav   clamav   512 May  3 17:06 ./
> drwxr-xr-x  32 root sys  512 Feb 11 13:21 ../
> srwxrwxrwx   1 clamav   clamav 0 May  3 17:06 clamd.sock=
> 
> rp
> 
> rick pim   [EMAIL PROTECTED]

You don've have a "clmilter.sock" file, which points to clamav-milter not 
having been started.

-- 
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK.  ICQ#20252325
[EMAIL PROTECTED] http://www.bandsman.co.uk


RE: [Clamav-users] problems after .84 upgrade

2005-05-03 Thread Jose Luis Hime
> You might try adding --external. It looks like the people posting about 
> clamav-milter problems are all not using --external.

That's true. It is not clear in the docs that --external is faster or more
reliable. I will change my configuration and test it. Thanks for the tip!

Jose Hime



Re: [Clamav-users] problems after .84 upgrade

2005-05-03 Thread Christopher X. Candreva
On Tue, 3 May 2005, rick pim wrote:

> clamav-milter is started with:
>   clamav-milter -PHl --postmaster=root -m 64 /var/clamav/clmilter.sock

OK, without --external, clamav-milter isn't using clamd, it's 
calling libclamav directly.

You might try adding --external. It looks like the people posting about 
clamav-milter problems are all not using --external.


==
Chris Candreva  -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/


Re: [Clamav-users] freshclam watchdog?

2005-05-03 Thread Dennis Peterson
henry j. mason said:
>   hi clamav-users;

>   any ideas? i'm thinking about cobbling together something
>   in perl to run from a cron job.
>
>   tia
>   henry

Screw the daemon - run it out of cron.

Script: freshclam.sh

#!/bin/bash
# run freshclam at random intervals 3 times/hour

# sleep 0-899 seconds so runs do not line up with other sites' cron jobs
sleep $(( RANDOM % 900 ))

/usr/local/bin/freshclam \
  --quiet \
  --daemon-notify=/usr/local/etc/clamd.conf
exit

Crontab:
0,20,40 * * * * /usr/local/bin/freshclam.sh

dp
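
An added example, not part of any post in this thread: one way to build the cron-run watchdog asked about here, checking freshclam syslog lines in the format quoted elsewhere in this archive. The function names, the two-hour threshold and the sample lines (re-joined from the wrapped log excerpt) are assumptions of the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: freshclam syslog lines in the format quoted in this
# archive, re-joined onto single lines, plus one non-freshclam line.
SAMPLE_LOG = [
    "May  3 12:17:00 smtp freshclam[20408]: main.cvd is up to date (version: 31, sigs: 33079, f-level: 4, builder: tkojm)",
    "May  3 12:17:02 smtp freshclam[20408]: daily.cvd updated (version: 866, sigs: 1070, f-level: 4, builder: arnaud)",
    "May  3 12:17:02 smtp freshclam[20408]: Database updated (34149 signatures) from database.clamav.net (IP: 129.64.99.170)",
    "May  3 12:17:02 smtp freshclam[20408]: ERROR: Clamd was NOT notified: Can't connect to clamd through /var/clamav/clamd.sock",
    "May  3 12:19:03 smtp clamav-milter[8067]: ClamAv: setsockopt() failed (Invalid argument)",
]

LINE_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s\S+\s"
    r"freshclam\[\d+\]:\s(?P<msg>.*)$"
)
# Messages that show the signature check itself completed.
OK_RE = re.compile(r"is up to date|updated \(version:|Database updated")


def parse_stamp(stamp, now):
    """Syslog stamps carry no year: take the latest year that is not in the future."""
    for year in (now.year, now.year - 1):
        try:
            when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        except ValueError:
            continue  # e.g. "Feb 29" paired with a non-leap year
        if when <= now + timedelta(days=1):
            return when
    return None


def check_freshclam(lines, now, max_age=timedelta(hours=2)):
    """Return alert strings; an empty list means freshclam looks healthy."""
    cutoff = now - max_age
    last_ok = None
    alerts = []
    for line in lines:
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # some other program's log line
        when = parse_stamp(match.group("stamp"), now)
        if when is None:
            continue
        msg = match.group("msg")
        if msg.startswith("ERROR:"):
            if when >= cutoff:  # ignore errors older than the window
                alerts.append(f"{when:%b %d %H:%M:%S} {msg}")
        elif OK_RE.search(msg):
            last_ok = when if last_ok is None else max(last_ok, when)
    if last_ok is None:
        alerts.append("no successful freshclam run found in log")
    elif last_ok < cutoff:
        alerts.append(
            f"last successful update check {last_ok:%b %d %H:%M} is older than {max_age}"
        )
    return alerts


if __name__ == "__main__":
    # A cron job would read the real mail log and mail any alerts instead.
    for alert in check_freshclam(SAMPLE_LOG, datetime(2005, 5, 3, 12, 30)):
        print("ALERT:", alert)
```

Run from cron, this catches both a freshclam that has stopped logging and one that updates the database but cannot notify clamd.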


Re: [Clamav-users] problems after .84 upgrade

2005-05-03 Thread Pete 'Wolfy' Hanson
Ah, and here's my startup command:

/usr/local/sbin/clamav-milter --dont-log-clean --headers --local
--pidfile=/var/clamav/clamav-milter.pid --quiet
/var/clamav/clamav-milter.sock

-- 
Pete Hanson

http://www.well.com/user/wolfy
http://www.fotolog.net/wolfy


Re: [Clamav-users] problems after .84 upgrade

2005-05-03 Thread rick pim


 > None without some information such as options used to start
 > clamav-milter, clamd.conf, /etc/mail/sendmail.mc etc etc. 

clamav-milter is started with:
  clamav-milter -PHl --postmaster=root -m 64 /var/clamav/clmilter.sock

here's an extract from clamd.conf:

# grep -v ^# clamd.conf | grep -v '^$'
LogTime
LogSyslog
LogFacility LOG_MAIL
TemporaryDirectory /export/home/clamav/tmp
LocalSocket /var/clamav/clamd.sock
FixStaleSocket
MaxConnectionQueueLength 32
StreamMaxLength 20M
MaxThreads 64
SelfCheck 3600
User clamav
ScanMail

sendmail.mc extract:

INPUT_MAIL_FILTER(`clamav', `S=local:/var/clamav/clmilter.sock, 
F=,T=S:4m;R:4m')dnl
define(`confINPUT_MAIL_FILTERS', `clamav')

 > Mind you I am
 > worried about the mode 777 for clamd.sock, if nothing else that seems
 > like a security breach to me.

true. but it seems to do that itself:

# ls -al /var/clamav/
total 4
drwxr-x---   2 clamav   clamav   512 May  3 17:02 ./
drwxr-xr-x  32 root sys  512 Feb 11 13:21 ../
# /export/home/clamav/sbin/clamd
# ls -al /var/clamav/
total 4
drwxr-x---   2 clamav   clamav   512 May  3 17:06 ./
drwxr-xr-x  32 root sys  512 Feb 11 13:21 ../
srwxrwxrwx   1 clamav   clamav 0 May  3 17:06 clamd.sock=

rp

rick pim   [EMAIL PROTECTED]
information technology services  (613) 533-2242
queen's university, kingston   
---
"The main difference between men and women is that men are lunatics and 
women are idiots."
-- Rebecca West


Re: [Clamav-users] problems after .84 upgrade

2005-05-03 Thread Pete 'Wolfy' Hanson
I'm seeing similar symptoms on Solaris 8 and 6, as I reported in the
"clamd segfaulting as of about thursday" thread. The rest of this
is reposted from that thread:

- Post 1

I am not explicitly using the -B flag, nor do I believe that I need it.
The error is occurring in clamav-milter (I should have been more
explicit) using this in sendmail.mc

INPUT_MAIL_FILTER(`clmilter', `S=local:/var/clamav/clamav-milter.sock,
F=A, T=E:25m; R:90s; S:45s; C:30m')

The milter runs for some period of time - the most recent instance was
about 18 hours - and then it stops responding soon after an update to
the database.  Here's the most recent logging:

May  3 12:17:00 smtp freshclam[20408]: Daemon started.
May  3 12:17:00 smtp freshclam[20408]: ClamAV update process started
at Tue May  3 12:17:00 2005
May  3 12:17:00 smtp freshclam[20408]: main.cvd is up to date
(version: 31, sigs: 33079, f-level: 4, builder: tkojm)
May  3 12:17:02 smtp freshclam[20408]: daily.cvd updated (version:
866, sigs: 1070, f-level: 4, builder: arnaud)
May  3 12:17:02 smtp freshclam[20408]: Database updated (34149
signatures) from database.clamav.net (IP: 129.64.99.170)
May  3 12:17:02 smtp freshclam[20408]: ERROR: Clamd was NOT notified:
Can't connect to clamd through /var/clamav/clamd.sock
May  3 12:17:09 smtp clamav-milter[8067]: j43JG2OX019910:
/tmp/clamav-c7c0b2a04378f618/msg.ZrCyWp: Worm.Sober.P Intercepted
virus from <[EMAIL PROTECTED]> to <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
May  3 12:19:03 smtp clamav-milter[8067]: ClamAv: setsockopt() failed
(Invalid argument)
May  3 12:19:03 smtp last message repeated 23 times

Somehow or other, that -B flag is being set when clamav-milter
restarts following the reload.

- Post 2

FWIW, the problem is happening on both Solaris 2.8 and 2.6 systems (on
the 2.8 system, there are no logged error messages - the milter simply
stops responding, and everything needs to be restarted).  Both systems
are running sendmail 8.13.0

- Back live

Here's my clamd.conf, minus the comments:

LogFileMaxSize 0
LogTime
LogSyslog
LogFacility LOG_LOCAL6
PidFile /var/run/clamd.pid
TemporaryDirectory /tmp
LocalSocket /var/clamav/clamd.sock
FixStaleSocket
TCPAddr 127.0.0.1
MaxConnectionQueueLength 15
StreamMaxLength 8M
MaxThreads 64
ReadTimeout 60
MaxDirectoryRecursion 3
User clamav
ScanOLE2
ScanMail
ScanHTML
ScanArchive
ArchiveMaxFileSize 1M
ArchiveMaxRecursion 2
ArchiveMaxFiles 25
ArchiveMaxCompressionRatio 100

-- 
Pete Hanson

http://www.well.com/user/wolfy
http://www.fotolog.net/wolfy


Re: [Clamav-users] problems after .84 upgrade

2005-05-03 Thread Christopher X. Candreva
On Tue, 3 May 2005, Nigel Horne wrote:

> clamav-milter, clamd.conf, /etc/mail/sendmail.mc etc etc. Mind you I am
> worried about the mode 777 for clamd.sock, if nothing else that seems
> like a security breach to me.

I don't recall the particulars, but I ran into the same problem where 
clamd.sock had to be mode 777. I got around it by putting it inside a clamav 
directory, owned by clamav.clamav and protecting the directory.

I wish I could remember exactly why I had to do this, because I agree it 
sounds ridiculous, but I know this is what I had to do, and it seemed to be 
a Solaris peculiarity.

==
Chris Candreva  -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/
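
An added example, not from any poster: a check for the workaround described above, where a mode 777 socket is kept inside a directory that other users cannot search. It reports the socket's own mode separately because, as noted elsewhere in this thread, socket file permissions are not portable. The names audit_socket, bind_in and demo and the stop_at parameter are hypothetical; the scratch layout is constructed to mirror the listings of /var/clamav.

```python
import os
import socket
import stat
import tempfile


def audit_socket(sock_path, stop_at="/"):
    """Classify who can reach a Unix socket, using mode bits only.

    Returns (verdict, detail). Directories from the socket's parent up to
    stop_at are checked for the search (x) bit for "other" users.
    """
    sock_path = os.path.abspath(sock_path)
    stop_at = os.path.abspath(stop_at)
    st = os.lstat(sock_path)
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError(f"{sock_path} is not a socket")
    directory = os.path.dirname(sock_path)
    while True:
        mode = stat.S_IMODE(os.stat(directory).st_mode)
        if not mode & stat.S_IXOTH:
            # Portable protection: nobody outside owner/group can traverse here.
            return "blocked-by-directory", f"{directory} is mode {mode:04o}"
        parent = os.path.dirname(directory)
        if directory == stop_at or parent == directory:
            break
        directory = parent
    sock_mode = stat.S_IMODE(st.st_mode)
    if sock_mode & stat.S_IWOTH:
        return "open", f"socket is mode {sock_mode:04o} and its path is searchable"
    # Only the socket inode's mode stands in the way; not every OS enforces it.
    return "socket-mode-only", f"socket is mode {sock_mode:04o}, directories are open"


def bind_in(directory, name):
    """Bind a listening socket by relative name to stay under the path length limit."""
    old_cwd = os.getcwd()
    os.chdir(directory)
    try:
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(name)
    finally:
        os.chdir(old_cwd)
    return srv


def demo():
    """Build a scratch copy of the thread's layout and audit three settings."""
    results = {}
    with tempfile.TemporaryDirectory() as top:
        sock_dir = os.path.join(top, "clamav")
        os.mkdir(sock_dir)
        sock_path = os.path.join(sock_dir, "clamd.sock")
        srv = bind_in(sock_dir, "clamd.sock")
        try:
            os.chmod(sock_path, 0o777)  # srwxrwxrwx, as in the listings
            os.chmod(sock_dir, 0o750)   # drwxr-x---, the protected directory
            results["dir 0750, sock 0777"] = audit_socket(sock_path, sock_dir)[0]
            os.chmod(sock_dir, 0o755)   # drwxr-xr-x, as in the earlier listing
            results["dir 0755, sock 0777"] = audit_socket(sock_path, sock_dir)[0]
            os.chmod(sock_path, 0o660)
            results["dir 0755, sock 0660"] = audit_socket(sock_path, sock_dir)[0]
        finally:
            srv.close()
    return results


if __name__ == "__main__":
    for setting, verdict in demo().items():
        print(f"{setting}: {verdict}")
```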


RE: [Clamav-users] problems after .84 upgrade

2005-05-03 Thread Jose Luis Hime
I had the same problem (timeout before data read) and I fixed it by
starting clamav-milter with the option "--max-children=50".

Actually, I was receiving this error even with version .80, but I had
not realized that!

Currently, I use the following command to start the milter:

/usr/local/sbin/clamav-milter \
 --max-children=50 \
 --force-scan \
 --pidfile=/home/clamav/clamav-milter.pid \
 --postmaster-only \
 --headers \
 [EMAIL PROTECTED] \
 local:/home/clamav/clmilter.sock

Best Regards,
Jose Hime



Re: [Clamav-users] problems after .84 upgrade

2005-05-03 Thread Nigel Horne
On Tue, 2005-05-03 at 21:41, rick pim wrote:
> environment: solaris 5.9, sendmail 8.13.2, clamav .84 (w/clamav-milter).
> 
> i upgraded to .84 yesterday with (as far as i could tell) no
> problems. things started afterwards and ran as expected.
> 
> there were problems yesterday afternoon but i restarted things and
> everything looked fine. this afternoon the same thing has happened.
> 
> symptoms:
> 
>  May  3 15:41:30 sennit sendmail[13416]: [ID 801593 mail.error] 
> j43JbUXa013416: Milter (clamav): timeout before data read
> May  3 15:41:30 sennit sendmail[13416]: [ID 801593 mail.info] j43JbUXa013416: 
> Milter (clamav): to error state
> 
> but the corresponding message was apparently delivered.
> 
> later on, the error messages get rather more worrisome:
> 
> May  3 15:47:21 sennit sendmail[14381]: [ID 801593 mail.error] 
> j43JlKch014381: Milter (clamav): error connecting to filter: Connection 
> refused by /var/clamav/clmilter.sock
> May  3 15:47:21 sennit sendmail[14381]: [ID 801593 mail.info] j43JlKch014381: 
> Milter (clamav): to error state
> 
> the socket appears to be present:
> 
> # ll /var/clamav/
> total 4
> drwxr-xr-x   2 clamav   clamav   512 May  2 20:20 ./
> drwxr-xr-x  32 root sys  512 Feb 11 13:21 ../
> srwxrwxrwx   1 clamav   clamav 0 May  2 20:20 clamd.sock=
> srwxr-xr-x   1 clamav   clamav 0 May  2 20:20 clmilter.sock=
> 
> upon restart, things seem to work okay.
> 
> ideas?

None without some information such as options used to start
clamav-milter, clamd.conf, /etc/mail/sendmail.mc etc etc. Mind you I am
worried about the mode 777 for clamd.sock, if nothing else that seems
like a security breach to me.




Re: [Clamav-users] problems after .84 upgrade

2005-05-03 Thread rick pim

 > Not to be obvious, but was clamav-milter running ? (And clamd, if you run 
 > with --external ). 
 > 

meant to include that. yesterday clamav-milter had died. today
it hadn't:

# ps -ef | grep clam
root 19241 21218  0 16:37:14 pts/30:00 grep clam
  clamav 13432 1  0 20:20:17 ?0:00 /export/home/clamav/sbin/clamd
  clamav 13434 1 25 20:20:21 ?   120:52 
/export/home/clamav/sbin/clamav-milter -PHl --postmaster=root -m 64 /var/clamav


 > I'm running Solaris 8 here on Ultrasparc hardware, and haven't seen this.  
 > Are you on Sparc or Intel ?

this is on sparc (an E450).

rp

rick pim   [EMAIL PROTECTED]
information technology services  (613) 533-2242
queen's university, kingston   
---
"Advertising is the rattling of a stick inside a swill bucket."
-- George Orwell


Re: [Clamav-users] problems after .84 upgrade

2005-05-03 Thread Christopher X. Candreva
On Tue, 3 May 2005, rick pim wrote:

> May  3 15:47:21 sennit sendmail[14381]: [ID 801593 mail.error] 
> j43JlKch014381: Milter (clamav): error connecting to filter: Connection 
> refused by /var/clamav/clmilter.sock
> May  3 15:47:21 sennit sendmail[14381]: [ID 801593 mail.info] j43JlKch014381: 
> Milter (clamav): to error state

Not to be obvious, but was clamav-milter running ? (And clamd, if you run 
with --external ). 

I'm running Solaris 8 here on Ultrasparc hardware, and haven't seen this.  
Are you on Sparc or Intel ?


==
Chris Candreva  -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/


[Clamav-users] problems after .84 upgrade

2005-05-03 Thread rick pim

environment: solaris 5.9, sendmail 8.13.2, clamav .84 (w/clamav-milter).

i upgraded to .84 yesterday with (as far as i could tell) no
problems. things started afterwards and ran as expected.

there were problems yesterday afternoon but i restarted things and
everything looked fine. this afternoon the same thing has happened.

symptoms:

 May  3 15:41:30 sennit sendmail[13416]: [ID 801593 mail.error] j43JbUXa013416: 
Milter (clamav): timeout before data read
May  3 15:41:30 sennit sendmail[13416]: [ID 801593 mail.info] j43JbUXa013416: 
Milter (clamav): to error state

but the corresponding message was apparently delivered.

later on, the error messages get rather more worrisome:

May  3 15:47:21 sennit sendmail[14381]: [ID 801593 mail.error] j43JlKch014381: 
Milter (clamav): error connecting to filter: Connection refused by 
/var/clamav/clmilter.sock
May  3 15:47:21 sennit sendmail[14381]: [ID 801593 mail.info] j43JlKch014381: 
Milter (clamav): to error state

the socket appears to be present:

# ll /var/clamav/
total 4
drwxr-xr-x   2 clamav   clamav   512 May  2 20:20 ./
drwxr-xr-x  32 root sys  512 Feb 11 13:21 ../
srwxrwxrwx   1 clamav   clamav 0 May  2 20:20 clamd.sock=
srwxr-xr-x   1 clamav   clamav 0 May  2 20:20 clmilter.sock=

upon restart, things seem to work okay. 


ideas?

rp


Re: [Clamav-users] clamd segfaulting as of about thursday

2005-05-03 Thread Pete 'Wolfy' Hanson
> Somehow or other, that -B flag is being set when clamav-milter
> restarts following the reload.

FWIW, the problem is happening on both Solaris 2.8 and 2.6 systems (on
the 2.8 system, there are no logged error messages - the milter simply
stops responding, and everything needs to be restarted).  Both systems
are running sendmail 8.13.0

-- 
Pete Hanson

http://www.well.com/user/wolfy
http://www.fotolog.net/wolfy


Re: [Clamav-users] clamd segfaulting as of about thursday

2005-05-03 Thread Pete 'Wolfy' Hanson
On 5/2/05, Nigel Horne <[EMAIL PROTECTED]> wrote:
> On Monday 02 May 2005 23:08, Pete 'Wolfy' Hanson wrote:
> > slammed at postmaster each time it crashes.  This was in the logs from
> > the latest crash:
> >
> > May  2 14:22:24 smtp clamav-milter[153]: ClamAv: setsockopt() failed
> > (Invalid argument)
> >
> If that message appears, clamav-milter will fail to start, so it's not
> surprising nothing was logged...
> 
> Review if you need the "-B" flag, and if not then don't use it. If
> you do use the -B flag and this message appears, then check the NIC
> you are telling it to use is correct.

I am not explicitly using the -B flag, nor do I believe that I need it.
The error is occurring in clamav-milter (I should have been more
explicit) using this in sendmail.mc

INPUT_MAIL_FILTER(`clmilter', `S=local:/var/clamav/clamav-milter.sock,
F=A, T=E:25m; R:90s; S:45s; C:30m')

The milter runs for some period of time - the most recent instance was
about 18 hours - and then it stops responding soon after an update to
the database.  Here's the most recent logging:

May  3 12:17:00 smtp freshclam[20408]: Daemon started.
May  3 12:17:00 smtp freshclam[20408]: ClamAV update process started
at Tue May  3 12:17:00 2005
May  3 12:17:00 smtp freshclam[20408]: main.cvd is up to date
(version: 31, sigs: 33079, f-level: 4, builder: tkojm)
May  3 12:17:02 smtp freshclam[20408]: daily.cvd updated (version:
866, sigs: 1070, f-level: 4, builder: arnaud)
May  3 12:17:02 smtp freshclam[20408]: Database updated (34149
signatures) from database.clamav.net (IP: 129.64.99.170)
May  3 12:17:02 smtp freshclam[20408]: ERROR: Clamd was NOT notified:
Can't connect to clamd through /var/clamav/clamd.sock
May  3 12:17:09 smtp clamav-milter[8067]: j43JG2OX019910:
/tmp/clamav-c7c0b2a04378f618/msg.ZrCyWp: Worm.Sober.P Intercepted
virus from <[EMAIL PROTECTED]> to <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
May  3 12:19:03 smtp clamav-milter[8067]: ClamAv: setsockopt() failed
(Invalid argument)
May  3 12:19:03 smtp last message repeated 23 times

Somehow or other, that -B flag is being set when clamav-milter
restarts following the reload.

-- 
Pete Hanson

http://www.well.com/user/wolfy
http://www.fotolog.net/wolfy


Re: [Clamav-users] CLAMD+SIMSCAN+RAR V3 SUPPORT

2005-05-03 Thread Jim Maul
Brian Morrison wrote:
> On Tue, 03 May 2005 18:55:15 +0100 in
> [EMAIL PROTECTED] Trog <[EMAIL PROTECTED]>
> wrote:
> 
> > On Tue, 2005-05-03 at 18:18 +0100, Brian Morrison wrote:
> > > Pretty sure that clamd from 0.84 supports RAR v3 archive scanning.
> > 
> > Only CVS currently supports RAR3 scanning.
> 
> Oh OK, I thought the new RAR code had made it into the released version.
> Sorry!

Honestly, i thought so too..the release announcement was sort of misleading.

- from release announcement -
release 0.84 is available for download.

This version improves detection of JPEG (MS04-028) based exploits,
introduces support for TNEF files and new detection mechanisms. Various
bugfixes (including problems with scanning of digest mail files) and
improvements have been made.

** We encourage users to help testing the development versions, now with **
** rewritten RAR code and support for 3.0 archives!   **
**  http://www.clamav.net/snapshot/  **

The ChangeLog includes:
- end release snippet -

That little bit about encouraging users to help testing the development 
versions is kinda stuck in the middle of the announcement there and 
initially i thought the "rewritten RAR code and support for 3.0 
archives" was referring to the release, but after a second reading, it 
appears they are only referring to the development snapshots.

-Jim


Re: [Clamav-users] CLAMD+SIMSCAN+RAR V3 SUPPORT

2005-05-03 Thread Brian Morrison
On Tue, 03 May 2005 18:55:15 +0100 in
[EMAIL PROTECTED] Trog <[EMAIL PROTECTED]>
wrote:

> On Tue, 2005-05-03 at 18:18 +0100, Brian Morrison wrote:
> > Pretty sure that clamd from 0.84 supports RAR v3 archive scanning.
> 
> Only CVS currently supports RAR3 scanning.
> 

Oh OK, I thought the new RAR code had made it into the released version.
Sorry!

-- 

Brian Morrison

bdm at fenrir dot org dot uk

GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html


Re: [Clamav-users] Virus slip?

2005-05-03 Thread Pete D

--- Pete D <[EMAIL PROTECTED]> wrote:
> I am currently running ClamAV 0.83 with
> clamav-milter
> and just recently received an infected email with a
> zip attachment.  Strange thing is that clamdscan
> does
> not detect the virus while clamscan does.
> 
> # clamdscan error-mail_info.zip
> /tmp/error-mail_info.zip: OK
> 
> --- SCAN SUMMARY ---
> Infected files: 0
> Time: 0.209 sec (0 m 0 s)
> 
> # clamscan error-mail_info.zip
> error-mail_info.zip: Worm.Sober.P FOUND
> 
> --- SCAN SUMMARY ---
> Known viruses: 34188
> Scanned directories: 0
> Scanned files: 1
> Infected files: 1
> Data scanned: 0.05 MB
> I/O buffer size: 131072 bytes
> Time: 1.986 sec (0 m 1 s)
> 
> Any ideas/suggestions?  Also, can anyone suggest a
> good set of flags to use on clamav-milter?  Here is
> what I am currently using:
> 
> MILTER_FLAGS="-H -C -e -l -n -N -o -P -m 10 -U
> /var/spool/virusmails"
> 
> Thanks,
> --Pete

False alarm. I ended up restarting things and now both
clamdscan and clamscan detect the virus properly. 
Weird.




[Clamav-users] Re: clamav-users Digest, Vol 8, Issue 7

2005-05-03 Thread Dwayne Hottinger
I am using version 0.84rc2 with clamassassin 1.22 and haven't had any issues with
it.  It is catching quite a few viruses that symantec hasn't.  I had a very old
version so was forced to update.

ddh

Quoting [EMAIL PROTECTED]:

> Today's Topics:
>
>1. RE: freshclam watchdog? (Bowie Bailey)
>2. RE: clamd segfaulting as of about thursday (Mark)
>3. Re: freshclam watchdog? (Odhiambo Washington)
>
>
> --
>
> Message: 1
> Date: Tue, 3 May 2005 11:37:00 -0400
> From: Bowie Bailey <[EMAIL PROTECTED]>
> Subject: RE: [Clamav-users] freshclam watchdog?
> To: ClamAV users ML 
> Message-ID:
>   <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset="iso-8859-1"
>
> From: henry j. mason [mailto:[EMAIL PROTECTED]
> >
> > i need to know when freshclam fails silently.
> > i know freshclam includes options to alert on errors,
> > but i'd rather have some other process looking at it
> > and making sure it's doing the right thing. has anyone
> > tackled this problem? or is this just too obscure?
>
> [---snip---]
>
> > any ideas? i'm thinking about cobbling together something
> > in perl to run from a cron job.
>
> That would be my choice.  I've never had a problem with freshclam, but if I
> wanted to monitor it, I would probably write a perl script to run once a day
> and notify me if there is no entry for the current day.
>
> You could make it run more frequently, but then you would have to deal with
> timestamp comparisons.
>
> Bowie Bailey
>
>
> --
>
> Message: 2
> Date: Tue, 03 May 2005 15:50:26 GMT
> From: Mark <[EMAIL PROTECTED]>
> Subject: RE: [Clamav-users] clamd segfaulting as of about thursday
> To: "'ClamAV users ML'" 
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset="us-ascii"
>
>
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of
> > Tomasz Kojm
> > Sent: dinsdag 3 mei 2005 14:51
> > To: ClamAV users ML
> > Subject: Re: [Clamav-users] clamd segfaulting as of about thursday
> >
> > On Tue, 03 May 2005 08:23:38 -0400
> > Mike Lambert <[EMAIL PROTECTED]> wrote:
> >
> > > Now that we have reports of spam crashing v0.80, it is time
> > > for me to test v0.84.
> >
> > If I was your boss, I'd fire you. Admins who wait with an update until
> > a software (especially a mission critical one responsible for e-mail
> > delivery) starts crashing are not worth any money.
>
> That seems a bit harsh. Mike makes a good general point about choosing
> pro stability. I myself tend to wait things out a day or two. Recently,
> for instance, qpopper moved from 4.0.5 to 4.0.6 to 4.0.7, all in a few
> days, with the proverbial "Oops! we forgot something!" Naturally, clamav
> is not qpopper, but still, it is quite sensible, imho, to wait a day or
> two before upgrading major stuff, to avoid these oopses.
>
> Having said that, I just upgraded my 0.83 installation to 0.84 (after
> reports on this list over the last few days were favorable). And it was a
> breeze. Took a grand total of less than 5 minutes. ;) In that regard, of
> course, there is really no valid excuse to still be running 0.80,
> methinks.
>
> - Mark
>
> System Administrator Asarian-host.org
>
> ---
> "If you were supposed to understand it,
> we wouldn't call it code." - FedEx
>
>
>
> --
>
> Message: 3
> Date: Tue, 3 May 2005 18:52:26 +0300
> From: Odhiambo Washington <[EMAIL PROTECTED]>
> Subject: Re: [Clamav-users] freshclam watchdog?
> To: clamav-users@lists.clamav.net
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=us-ascii
>
> * Bowie Bailey <[EMAIL PROTECTED]> [20050503 18:38]: wrote:
> > From: henry j. mason [mailto:[EMAIL PROTECTED]
> > >
> > >   i need to know when freshc

Re: [Clamav-users] Virus slip?

2005-05-03 Thread Christopher X. Candreva
On Tue, 3 May 2005, Pete D wrote:

> False alarm. I ended up restarting things and now both
> clamdscan and clamscan detect the virus properly. 
> Weird.

You will still  want to upgrade to 0.84

==
Chris Candreva  -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/


[Clamav-users] Re: CLAMD+SIMSCAN+RAR V3 SUPPORT

2005-05-03 Thread René Berber
Brian Morrison wrote:

>>I have a problem with .RAR files version 3.
>>
>> "RAR module failure ERROR".
>>
>>This error is for the version of .RAR file. Clamd does not support V3.
>>
>>How I solve the problem of scan v3 Rar archives?
>>
>>With Clamscan I have --unrar option, but in Clamd this option is not
>>available.
> 
> Pretty sure that clamd from 0.84 supports RAR v3 archive scanning.

Pretty sure?

$ clamscan -V
ClamAV 0.84/865/Mon May  2 18:16:49 2005
$ unrar l clam-error.rar

UNRAR 3.40 freeware  Copyright (c) 1993-2004 Alexander Roshal

Archive clam-error.rar

 Name Size   Packed Ratio  Date   Time Attr  CRC   Meth Ver
---
 clam.exe  544  295  54% 19-09-04 21:56 -rw-r--r-- EF073CFD m3b 2.9
---
$ clamscan -r /tmp/test
/tmp/test/clam-error.rar: RAR module failure
/tmp/test/clam-error.rar: OK
/tmp/test/clam.cab: ClamAV-Test-File FOUND
/tmp/test/clam.exe: ClamAV-Test-File FOUND
/tmp/test/clam.exe.bz2: ClamAV-Test-File FOUND
/tmp/test/clam.rar: ClamAV-Test-File FOUND
...
Note: the first rar file is version 2.9, the second is version 2.0 .

So it doesn't look like clamscan supports other than version 2.
-- 
René Berber



[Clamav-users] Virus slip?

2005-05-03 Thread Pete D
I am currently running ClamAV 0.83 with clamav-milter
and just recently received an infected email with a
zip attachment.  Strange thing is that clamdscan does
not detect the virus while clamscan does.

# clamdscan error-mail_info.zip
/tmp/error-mail_info.zip: OK

--- SCAN SUMMARY ---
Infected files: 0
Time: 0.209 sec (0 m 0 s)

# clamscan error-mail_info.zip
error-mail_info.zip: Worm.Sober.P FOUND

--- SCAN SUMMARY ---
Known viruses: 34188
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.05 MB
I/O buffer size: 131072 bytes
Time: 1.986 sec (0 m 1 s)

Any ideas/suggestions?  Also, can anyone suggest a
good set of flags to use on clamav-milter?  Here is
what I am currently using:

MILTER_FLAGS="-H -C -e -l -n -N -o -P -m 10 -U
/var/spool/virusmails"

Thanks,
--Pete



Re: [Clamav-users] CLAMD+SIMSCAN+RAR V3 SUPPORT

2005-05-03 Thread q#
On Tue, May 03, 2005 at 06:18:13PM +0100, Brian Morrison wrote:
> On Tue, 3 May 2005 18:58:48 +0200 in
> [EMAIL PROTECTED] "David" <[EMAIL PROTECTED]>
> wrote:
> 
> > I have a problem with .RAR files version 3.
> > 
> >  "RAR module failure ERROR".
> > 
> > This error is for the version of .RAR file. Clamd does not support V3.
> > 
> > How I solve the problem of scan v3 Rar archives?
> > 
> > With Clamscan I have --unrar option, but in Clamd this option is not
> > available.
> 
> 
> Pretty sure that clamd from 0.84 supports RAR v3 archive scanning.

Only CVS supports it currently.

-- 
best regards
q#


Re: [Clamav-users] CLAMD+SIMSCAN+RAR V3 SUPPORT

2005-05-03 Thread Trog
On Tue, 2005-05-03 at 18:18 +0100, Brian Morrison wrote:
> Pretty sure that clamd from 0.84 supports RAR v3 archive scanning.

Only CVS currently supports RAR3 scanning.

-trog





Re: [Clamav-users] CLAMD+SIMSCAN+RAR V3 SUPPORT

2005-05-03 Thread Brian Morrison
On Tue, 3 May 2005 18:58:48 +0200 in
[EMAIL PROTECTED] "David" <[EMAIL PROTECTED]>
wrote:

> I have a problem with .RAR files version 3.
> 
>  "RAR module failure ERROR".
> 
> This error is for the version of .RAR file. Clamd does not support V3.
> 
> How I solve the problem of scan v3 Rar archives?
> 
> With Clamscan I have --unrar option, but in Clamd this option is not
> available.


Pretty sure that clamd from 0.84 supports RAR v3 archive scanning.

-- 

Brian Morrison

bdm at fenrir dot org dot uk

GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html


[Clamav-users] CLAMD+SIMSCAN+RAR V3 SUPPORT

2005-05-03 Thread David


 

Hello,

I have a problem with .RAR files version 3.

 "RAR module failure ERROR".

This error is for the version of .RAR file. Clamd does not support V3.

How I solve the problem of scan v3 Rar archives?

With Clamscan I have --unrar option, but in Clamd this option is not
available.


Thank you,


Please, excuse my poor english.

David R.




Re: [Clamav-users] freshclam watchdog?

2005-05-03 Thread henry j. mason
Odhiambo Washington wrote:
> Why don't people think about the KISS principle?
> freshclam can run in foreground, just like clamd and daemontools were
> written by DJB, no?
> I run clamd via daemontools, and I believe freshclam can also be run
> same way, so no re-invention of wheels.

uh, because daemontools isn't free? i have to build the
package to install on debian. i don't doubt the merits
of DJB's software, however, i do also reserve the right
not to use it.

regards,
henry


RE: [Clamav-users] freshclam watchdog?

2005-05-03 Thread Bowie Bailey
From: Thomas Lamy [mailto:[EMAIL PROTECTED]
> 
> Bowie Bailey wrote:
> > From: Odhiambo Washington [mailto:[EMAIL PROTECTED]
> > >
> > > Why don't people think about the KISS principle?
> > > freshclam can run in foreground, just like clamd and daemontools were
> > > written by DJB, no?
> > > I run clamd via daemontools, and I believe freshclam can also be run
> > > same way, so no re-invention of wheels.
> > 
> > The original problem was that freshclam simply stopped working.
> > Daemontools would have done nothing since the process was still running.
> > 
> > A perl script such as this could also watch for the "OUTDATED" messages
> > to remind you that you need to upgrade.
> > 
> Use logwatch (<http://www.logwatch.org/>). Not only useful for freshclam;
> I found it to be an invaluable tool when one has to admin more than a
> handful of servers. With properly maintained filters, it sends you mail if
> and only if something unusual is in your logfiles.

Logwatch could be used to watch for the "OUTDATED" messages, but, AFAIK,
cannot notify you if an expected message is missing.

Unfortunately, I've never been able to get a good set of filters together
for logwatch.  The results are always way too verbose to be useful.

Bowie


Re: [Clamav-users] freshclam watchdog?

2005-05-03 Thread Thomas Lamy
Bowie Bailey wrote:
> From: Odhiambo Washington [mailto:[EMAIL PROTECTED]
> 
>>* Bowie Bailey <[EMAIL PROTECTED]> [20050503 18:38]: wrote:
>>
>>>From: henry j. mason [mailto:[EMAIL PROTECTED]
>>>
>>>>i need to know when freshclam fails silently.
>>>>i know freshclam includes options to alert on errors,
>>>>but i'd rather have some other process looking at it
>>>>and making sure it's doing the right thing. has anyone
>>>>tackled this problem? or is this just too obscure?
>>>
>>>[---snip---]
>>>
>>>
>>>>any ideas? i'm thinking about cobbling together something
>>>>in perl to run from a cron job.
>>>
>>>That would be my choice.  I've never had a problem with freshclam, but
>>>if I wanted to monitor it, I would probably write a perl script to run
>>>once a day and notify me if there is no entry for the current day.
>>
>>Why don't people think about the KISS principle?
>>freshclam can run in foreground, just like clamd and daemontools were
>>written by DJB, no?
>>I run clamd via daemontools, and I believe freshclam can also be run
>>same way, so no re-invention of wheels.
> 
> The original problem was that freshclam simply stopped working.  Daemontools
> would have done nothing since the process was still running.
> 
> A perl script such as this could also watch for the "OUTDATED" messages to
> remind you that you need to upgrade.
> 
Use logwatch (<http://www.logwatch.org/>). Not only useful for freshclam;
I found it to be an invaluable tool when one has to admin more than a
handful of servers. With properly maintained filters, it sends you mail if
and only if something unusual is in your logfiles.

Thomas


RE: [Clamav-users] freshclam watchdog?

2005-05-03 Thread Bowie Bailey
From: Odhiambo Washington [mailto:[EMAIL PROTECTED]
> 
> * Bowie Bailey <[EMAIL PROTECTED]> [20050503 18:38]: wrote:
> > From: henry j. mason [mailto:[EMAIL PROTECTED]
> > > 
> > >   i need to know when freshclam fails silently.
> > >   i know freshclam includes options to alert on errors,
> > >   but i'd rather have some other process looking at it
> > >   and making sure it's doing the right thing. has anyone
> > >   tackled this problem? or is this just too obscure?
> > 
> > [---snip---]
> > 
> > >   any ideas? i'm thinking about cobbling together something
> > >   in perl to run from a cron job.
> > 
> > That would be my choice.  I've never had a problem with freshclam, but
> > if I wanted to monitor it, I would probably write a perl script to run
> > once a day and notify me if there is no entry for the current day.
> > 
> > You could make it run more frequently, but then you would have to deal
> > with timestamp comparisons.
> 
> Why don't people think about the KISS principle?
> freshclam can run in foreground, just like clamd and daemontools were
> written by DJB, no?
> I run clamd via daemontools, and I believe freshclam can also be run
> same way, so no re-invention of wheels.

The original problem was that freshclam simply stopped working.  Daemontools
would have done nothing since the process was still running.

A perl script such as this could also watch for the "OUTDATED" messages to
remind you that you need to upgrade.

Bowie


Re: [Clamav-users] clamd segfaulting as of about thursday

2005-05-03 Thread Timo Schoeler
>>>Now that we have reports of spam crashing v0.80, it is time
>>>for me to test v0.84.
>>
>>If I was your boss, I'd fire you. Admins who wait with an update until
>>a software (especially a mission critical one responsible for e-mail
>>delivery) starts crashing are not worth any money.
> 
> 
> That seems a bit harsh. Mike makes a good general point about choosing
> pro stability. I myself tend to wait things out a day or two. Recently,
> for instance, qpopper moved from 4.0.5 to 4.0.6 to 4.0.7, all in a few
> days, with the proverbial "Oops! we forgot something!" Naturally, clamav
> is not qpopper, but still, it is quite sensible, imho, to wait a day or
> two before upgrading major stuff, to avoid these oopses.
> 

> - Mark 
>  
> System Administrator Asarian-host.org

the truth surely lies somewhere in between.

although it may be very important (esp. for clamav) to be up-to-date, no
 admin would ever introduce new software (even a new minor version) into
a production environment without thorough testing before doing so.

and guess what? even a not-so-thorough testbed will require some time to
provide results.

just my Pi cents... ;)

-- 
Timo Schoeler | http://macfinity.net/~tis | [EMAIL PROTECTED]
//macfinity -- finest IT services | http://macfinity.net
Key fingerprint = F844 51BE C22C F6BD 1196  90B2 EF68 C851 6E12 2D8A

There are 10 types of people in the world. Those who understand binary
and those who don't.


Re: [Clamav-users] freshclam watchdog?

2005-05-03 Thread Odhiambo Washington
* Bowie Bailey <[EMAIL PROTECTED]> [20050503 18:38]: wrote:
> From: henry j. mason [mailto:[EMAIL PROTECTED]
> > 
> > i need to know when freshclam fails silently.
> > i know freshclam includes options to alert on errors,
> > but i'd rather have some other process looking at it
> > and making sure it's doing the right thing. has anyone
> > tackled this problem? or is this just too obscure?
> 
> [---snip---]
> 
> > any ideas? i'm thinking about cobbling together something
> > in perl to run from a cron job.
> 
> That would be my choice.  I've never had a problem with freshclam, but if I
> wanted to monitor it, I would probably write a perl script to run once a day
> and notify me if there is no entry for the current day.
> 
> You could make it run more frequently, but then you would have to deal with
> timestamp comparisons.

Why don't people think about the KISS principle?
freshclam can run in foreground, just like clamd and daemontools were
written by DJB, no?
I run clamd via daemontools, and I believe freshclam can also be run
same way, so no re-invention of wheels.


-Wash

http://www.netmeister.org/news/learn2quote.html

--
+==+
|\  _,,,---,,_ | Odhiambo Washington<[EMAIL PROTECTED]>
Zzz /,`.-'`'-.  ;-;;,_ | Wananchi Online Ltd.   www.wananchi.com
   |,4-  ) )-,_. ,\ (  `'-'| Tel: +254 20 313985-9  +254 20 313922
  '---''(_/--'  `-'\_) | GSM: +254 722 743223   +254 733 744121
+==+
Information Center, n.:
A room staffed by professional computer people whose job it is
to tell you why you cannot have the information you require.


RE: [Clamav-users] clamd segfaulting as of about thursday

2005-05-03 Thread Mark

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Tomasz Kojm
> Sent: Tuesday 3 May 2005 14:51
> To: ClamAV users ML
> Subject: Re: [Clamav-users] clamd segfaulting as of about thursday
>
> On Tue, 03 May 2005 08:23:38 -0400
> Mike Lambert <[EMAIL PROTECTED]> wrote:
>
> > Now that we have reports of spam crashing v0.80, it is time
> > for me to test v0.84.
>
> If I was your boss, I'd fire you. Admins who wait with an update until
> a software (especially a mission critical one responsible for e-mail
> delivery) starts crashing are not worth any money.

That seems a bit harsh. Mike makes a good general point about choosing
pro stability. I myself tend to wait things out a day or two. Recently,
for instance, qpopper moved from 4.0.5 to 4.0.6 to 4.0.7, all in a few
days, with the proverbial "Oops! we forgot something!" Naturally, clamav
is not qpopper, but still, it is quite sensible, imho, to wait a day or
two before upgrading major stuff, to avoid these oopses.

Having said that, I just upgraded my 0.83 installation to 0.84 (after
reports on this list over the last few days were favorable). And it was a
breeze. Took a grand total of less than 5 minutes. ;) In that regard, of
course, there is really no valid excuse to still be running 0.80,
methinks.

- Mark 
 
System Administrator Asarian-host.org
 
---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx



RE: [Clamav-users] freshclam watchdog?

2005-05-03 Thread Bowie Bailey
From: henry j. mason [mailto:[EMAIL PROTECTED]
> 
>   i need to know when freshclam fails silently.
>   i know freshclam includes options to alert on errors,
>   but i'd rather have some other process looking at it
>   and making sure it's doing the right thing. has anyone
>   tackled this problem? or is this just too obscure?

[---snip---]

>   any ideas? i'm thinking about cobbling together something
>   in perl to run from a cron job.

That would be my choice.  I've never had a problem with freshclam, but if I
wanted to monitor it, I would probably write a perl script to run once a day
and notify me if there is no entry for the current day.

You could make it run more frequently, but then you would have to deal with
timestamp comparisons.

Bowie Bailey
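
The check Bowie Bailey describes in this thread (alert when the log has no recent entry, and also watch for "OUTDATED" messages), written in Python rather than Perl as an added example; it is not code from any list member or from the ClamAV project. It goes beyond the once-a-day case by comparing timestamps, so it can run at any interval; the log layout ("ClamAV update process started at <ctime>"), the function names and the sample lines are assumptions made for the example.

```python
"""Watchdog for a freshclam log, meant to be run from cron.

Assumptions made for this example (not taken from the thread): every update
run starts with "ClamAV update process started at <ctime timestamp>", and an
outdated engine is reported on a line containing the word "OUTDATED".
"""
import re
import sys
from datetime import datetime, timedelta

START_RE = re.compile(r"ClamAV update process started at (.+?)\s*$")
CTIME_FORMAT = "%a %b %d %H:%M:%S %Y"  # day/month names parsed in the C locale

# Constructed sample log, not real freshclam output.
SAMPLE_LOG = [
    "--------------------------------------",
    "ClamAV update process started at Sat Apr 23 04:17:01 2005",
    "daily.cvd updated",
    "--------------------------------------",
    "ClamAV update process started at Sun Apr 24 04:17:02 2005",
    "WARNING: Your ClamAV installation is OUTDATED",
]


def parse_runs(lines):
    """Group log lines into runs: [(start_time, [lines logged by that run])]."""
    runs = []
    for raw in lines:
        line = raw.rstrip("\n")
        match = START_RE.search(line)
        if match:
            # ctime pads single-digit days with an extra space; collapse it.
            stamp = " ".join(match.group(1).split())
            try:
                runs.append((datetime.strptime(stamp, CTIME_FORMAT), []))
            except ValueError:
                pass  # an unreadable timestamp is not accepted as proof of life
        elif runs:
            runs[-1][1].append(line)
    return runs


def check_freshclam_log(lines, now, max_age=timedelta(hours=24)):
    """Return a list of alert strings; an empty list means the log looks healthy."""
    runs = parse_runs(lines)
    if not runs:
        return ["no freshclam update run found in log"]
    alerts = []
    last_start, last_lines = runs[-1]
    age = now - last_start
    if age > max_age:
        # The silent failure from the thread: process alive, nothing logged.
        alerts.append(
            f"last update run started {last_start:%Y-%m-%d %H:%M:%S} "
            f"({age} ago, limit {max_age}); freshclam may have stopped"
        )
    for line in last_lines:
        if "OUTDATED" in line or line.startswith("ERROR:"):
            alerts.append(f"latest run logged: {line.strip()}")
    return alerts


def main(argv):
    if len(argv) != 2:
        print(f"usage: {argv[0]} FRESHCLAM_LOG", file=sys.stderr)
        return 2
    with open(argv[1], errors="replace") as handle:
        alerts = check_freshclam_log(handle, datetime.now())
    for alert in alerts:
        print(alert)  # cron mails any output to the job's owner
    return 1 if alerts else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because the staleness test looks only at the last logged start time, it also fires when the freshclam process is still running but has stopped logging, which a process supervisor would not notice.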


Re: [Clamav-users] freshclam watchdog?

2005-05-03 Thread Tomasz Kojm
On Tue, 03 May 2005 11:05:28 -0400
"henry j. mason" <[EMAIL PROTECTED]> wrote:

>   hi clamav-users;
> 
>   i've been using clamav for a long time now, and love it
>   dearly. however, once in a great while i get burned by
>   outdated definitions. at one point it was just me not
>   paying attention to the freshclam logfiles (i needed to
>   upgrade) but more recently freshclam just failed silently
>   and stopped logging. i actually had to kill -KILL the
>   freshclam process, and restart it. once that was done,
>   it grabbed the latest updates and all was well again.
> 
>   however. i need to know when freshclam fails silently.
>   i know freshclam includes options to alert on errors,
>   but i'd rather have some other process looking at it
>   and making sure it's doing the right thing. has anyone
>   tackled this problem? or is this just too obscure?
> 
>   my systems are:
>   intel celeron 1.1 ghz / 512 mb / ide
>   debian stable/testing with linux 2.6.4
>   clamav/freshclam 0.83-5
>   
>   ultrasparc IIi 440 mhz / 512 mb / scsi
>   debian stable/testing with linux 2.4.18
>   clamav/freshclam 0.83-5
> 
>   other than the hardware and kernel these two systems
>   have identical software configurations.
> 
>   i'm using amavis from debian testing, which is rather
>   ancient but has given me no grief. both these systems
>   failed around the same time (april 24) whereas two other
>   almost identical systems (also an intel and another
>   sparc) kept working perfectly.  
>   
>   any ideas? i'm thinking about cobbling together something

There was a bug (causing random hangs) in freshclam that has been fixed
in 0.84:

Thu Feb 17 16:13:29 CET 2005 (tk)
-
  * freshclam/freshclam.c: do not call logg() in daemon_sighandler()
   (patch by Trog)

-- 
   oo. Tomasz Kojm <[EMAIL PROTECTED]>
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Tue May  3 17:18:03 CEST 2005




Re: [Clamav-users] clamd segfaulting as of about thursday

2005-05-03 Thread Jeremy Kitchen
On Tuesday 03 May 2005 08:23 am, Christopher X. Candreva wrote:
> On Tue, 3 May 2005, Mike Lambert wrote:
> > I meant the most stable before 0.84. Sorry for the confusion.
>
> If you had stability problems on 0.81, 0.82, and 0.83 -- did you post them?
> Sorry if I missed it, but I don't recall seeing anything posted about
> stability problems on those versions.

I saw a couple of threads about MIME parsing time jumping exponentially and a 
lot of our customers have pretty high volume systems and this would have 
caused some serious problems.  0.84 was a very welcome sight, I can assure 
you :)

http://lurker.clamav.net/message/20050216.123538.5a838448.en.html

-Jeremy

-- 
Jeremy Kitchen ++ Systems Administrator ++ Inter7 Internet Technologies, Inc.
[EMAIL PROTECTED] ++ inter7.com ++ 866.528.3530 ++ 815.776.9465 int'l
  kitchen @ #qmail #gentoo on EFnet IRC ++ scriptkitchen.com/qmail
 GnuPG Key ID: 481BF7E2 ++ jabber:[EMAIL PROTECTED]




[Clamav-users] freshclam watchdog?

2005-05-03 Thread henry j. mason
hi clamav-users;

i've been using clamav for a long time now, and love it
dearly. however, once in a great while i get burned by
outdated definitions. at one point it was just me not
paying attention to the freshclam logfiles (i needed to
upgrade) but more recently freshclam just failed silently
and stopped logging. i actually had to kill -KILL the
freshclam process, and restart it. once that was done,
it grabbed the latest updates and all was well again.

however. i need to know when freshclam fails silently.
i know freshclam includes options to alert on errors,
but i'd rather have some other process looking at it
and making sure it's doing the right thing. has anyone
tackled this problem? or is this just too obscure?

my systems are:
intel celeron 1.1 ghz / 512 mb / ide
debian stable/testing with linux 2.6.4
clamav/freshclam 0.83-5

ultrasparc IIi 440 mhz / 512 mb / scsi
debian stable/testing with linux 2.4.18
clamav/freshclam 0.83-5

other than the hardware and kernel these two systems
have identical software configurations.

i'm using amavis from debian testing, which is rather
ancient but has given me no grief. both these systems
failed around the same time (april 24) whereas two other
almost identical systems (also an intel and another
sparc) kept working perfectly.

any ideas? i'm thinking about cobbling together something
in perl to run from a cron job.

tia
henry


[Clamav-users] Re: clamav with postfix

2005-05-03 Thread Raphael Posmyk
ankush grover wrote at Monday, 2 May 2005 11:06:

> a) ... in Postfix to make it run with Postfix.
> 
> b) ...

Check the "Third-party software" section on the clamav web site:

  http://www.clamav.net/3rdparty.html#mta

> c) I ran the clamscan on the FC3 and clamav says there are 8 infected
> files. I don't know how to delete those files. Clamav does not delete
> the infected files by itself.

man clamscan :-) 

Ciao, Raphael



Re: [Clamav-users] clamd segfaulting as of about thursday

2005-05-03 Thread Mike Lambert
Tomasz Kojm wrote:
> On Tue, 03 May 2005 08:23:38 -0400
> Mike Lambert <[EMAIL PROTECTED]> wrote:
>
> > Now that we have reports of spam crashing v0.80, it is time for me to
> > test v0.84.
>
> If I was your boss, I'd fire you. Admins who wait with an update until
> a software (especially a mission critical one responsible for e-mail
> delivery) starts crashing are not worth any money.

Ok, so now that I have managed to anger three members of the development
team (and lose my job), I can see that I have no business posting to
this list. I apologize for wasting everyone's time.

Thank you for making ClamAV.

-Mike


Re: [Clamav-users] clamd segfaulting as of about thursday

2005-05-03 Thread Christopher X. Candreva
On Tue, 3 May 2005, Mike Lambert wrote:

> I meant the most stable before 0.84. Sorry for the confusion.

If you had stability problems on 0.81, 0.82, and 0.83 -- did you post them?
Sorry if I missed it, but I don't recall seeing anything posted about
stability problems on those versions.

Our own upgrades here between those versions had no problems at all.

==
Chris Candreva  -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/


Re: [Clamav-users] clamd segfaulting as of about thursday

2005-05-03 Thread Mike Lambert
Trog wrote:
> On Tue, 2005-05-03 at 08:23 -0400, Mike Lambert wrote:
>
> > The responsible admin will evaluate the pros and cons of _any_ software
> > release and choose what is best for his/her environment. The difficulty
> > with any project in development, including ClamAV, is that "current" and
> > "stable" do not always coincide. Clam v0.80 has been the most stable
> > version to this point, and I, preferring stability over functionality,
> > am running 0.80. If running a stable clamav means letting a few viruses
> > through, then so be it.
>
> Which is why I said, in the bit you snipped, new releases should be
> tested on a test system that reflects your personal environment - and,
> by extension, any problems reported back to the developers.

Ok.

> The problem with running old versions is that they are not supported, so
> when you do run into a problem like the one that started this thread,
> you are on your own, and you'll be told to upgrade to the latest
> version.

This I understand.

> > Now that we have reports of spam crashing v0.80, it is time for me to
> > test v0.84.
>
> How can you say 0.80 is the most stable, when you haven't tested 0.84?

I meant the most stable before 0.84. Sorry for the confusion.

-Mike


Re: [Clamav-users] clamd segfaulting as of about thursday

2005-05-03 Thread Mike Lambert
Nigel Horne wrote:
> On Tuesday 03 May 2005 13:23, Mike Lambert wrote:
> > Now that we have reports of spam crashing v0.80, it is time for me to
> > test v0.84.
>
> Your use of the word "now" makes it sound like this is something new only
> recently discovered.

Nope, just new to me. I read today's posts as though the problem was
something new. My mistake.

> You seem to be ignoring the fact that this was known about, and fixed, some
> time ago.

I did not know. I apologize for wasting your time.

-Mike


Re: [Clamav-users] clamd segfaulting as of about thursday

2005-05-03 Thread Tomasz Kojm
On Tue, 03 May 2005 08:23:38 -0400
Mike Lambert <[EMAIL PROTECTED]> wrote:

> Now that we have reports of spam crashing v0.80, it is time for me to 
> test v0.84.

If I was your boss, I'd fire you. Admins who wait with an update until
a software (especially a mission critical one responsible for e-mail
delivery) starts crashing are not worth any money.

-- 
   oo. Tomasz Kojm <[EMAIL PROTECTED]>
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Tue May  3 14:44:09 CEST 2005




Re: [Clamav-users] clamd segfaulting as of about thursday

2005-05-03 Thread Nigel Horne
On Tuesday 03 May 2005 13:23, Mike Lambert wrote:

> Now that we have reports of spam crashing v0.80, it is time for me to 
> test v0.84.

Your use of the word "now" makes it sound like this is something new only
recently discovered. You seem to be ignoring the fact that this was known
about, and fixed, some time ago.

> -Mike

-- 
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK.  ICQ#20252325
[EMAIL PROTECTED] http://www.bandsman.co.uk


Re: [Clamav-users] clamd segfaulting as of about thursday

2005-05-03 Thread Trog
On Tue, 2005-05-03 at 08:23 -0400, Mike Lambert wrote:

> The responsible admin will evaluate the pros and cons of _any_ software 
> release and choose what is best for his/her environment. The difficulty 
> with any project in development, including ClamAV, is that "current" and 
> "stable" do not always coincide. Clam v0.80 has been the most stable 
> version to this point, and I, preferring stability over functionality, 
> am running 0.80. If running a stable clamav means letting a few viruses 
> through, then so be it.

Which is why I said, in the bit you snipped, new releases should be
tested on a test system that reflects your personal environment - and,
by extension, any problems reported back to the developers.

The problem with running old versions is that they are not supported, so
when you do run into a problem like the one that started this thread,
you are on your own, and you'll be told to upgrade to the latest
version.

> 
> Now that we have reports of spam crashing v0.80, it is time for me to 
> test v0.84.

How can you say 0.80 is the most stable, when you haven't tested 0.84?
Did you test anything after 0.80?

-trog





Re: [Clamav-users] clamd segfaulting as of about thursday

2005-05-03 Thread Mike Lambert
Trog wrote:
> Several. We don't release software updates for our own amusement. A
> responsible system admin should always look to upgrade to the current
> stable version as soon as possible after it is released.

The responsible admin will evaluate the pros and cons of _any_ software
release and choose what is best for his/her environment. The difficulty
with any project in development, including ClamAV, is that "current" and
"stable" do not always coincide. Clam v0.80 has been the most stable
version to this point, and I, preferring stability over functionality,
am running 0.80. If running a stable clamav means letting a few viruses
through, then so be it.

Now that we have reports of spam crashing v0.80, it is time for me to
test v0.84.

-Mike


Re: [Clamav-users] Updating via freshclam without clamd?

2005-05-03 Thread Nigel Horne
On Tuesday 03 May 2005 13:13, Andy Schofield wrote:
> Is there any way of stopping freshclam from trying to notify clamd?

man freshclam.conf

> Andy

-- 
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK.  ICQ#20252325
[EMAIL PROTECTED] http://www.bandsman.co.uk


Re: [Clamav-users] Updating via freshclam without clamd?

2005-05-03 Thread Timo Schoeler
Andy Schofield wrote:
> Hi,
> 
> Is there any way of stopping freshclam from trying to notify clamd?
> 
> I use clamscan occasionally and I don't want to have the clamd daemon
> running. When I run freshclam I always get the error:
> 
> ERROR: Clamd was NOT notified: Can't connect to clamd on 127.0.0.1:3310
> 
> I would like to tell freshclam not to try to reload the daemon and
> thereby suppress this error message. Using the --notify-daemon seems
> only to redirect freshclam from the default location of the clamd.conf
> file and does not seem to do the obvious thing of not notifying the
> daemon if this option is not specified.
> 
> I am using version 0.84 and the rpm compiled binaries for redhat on the
> dag site.
> 
> Thanks for your help
> Andy
> ___
> http://lurker.clamav.net/list/clamav-users.html

hi,

commenting out 'NotifyClamd /var/run/clamd.pid' should be sufficient.

HTH,

-- 
Timo Schoeler | http://macfinity.net/~tis | [EMAIL PROTECTED]
//macfinity -- finest IT services | http://macfinity.net
Key fingerprint = F844 51BE C22C F6BD 1196  90B2 EF68 C851 6E12 2D8A

There are 10 types of people in the world. Those who understand binary
and those who don't.


Re: [Clamav-users] Updating via freshclam without clamd?

2005-05-03 Thread Odhiambo Washington
* Andy Schofield <[EMAIL PROTECTED]> [20050503 15:12]: wrote:
> Hi,
> 
> Is there any way of stopping freshclam from trying to notify clamd?

Yes! Read every line in your freshclam.conf or 
man freshclam.


-Wash

http://www.netmeister.org/news/learn2quote.html

--
+==+
|\  _,,,---,,_ | Odhiambo Washington<[EMAIL PROTECTED]>
Zzz /,`.-'`'-.  ;-;;,_ | Wananchi Online Ltd.   www.wananchi.com
   |,4-  ) )-,_. ,\ (  `'-'| Tel: +254 20 313985-9  +254 20 313922
  '---''(_/--'  `-'\_) | GSM: +254 722 743223   +254 733 744121
+==+
Adolescence, n.:
The stage between puberty and adultery.


[Clamav-users] Updating via freshclam without clamd?

2005-05-03 Thread Andy Schofield
Hi,

Is there any way of stopping freshclam from trying to notify clamd?

I use clamscan occasionally and I don't want to have the clamd daemon
running. When I run freshclam I always get the error:

ERROR: Clamd was NOT notified: Can't connect to clamd on 127.0.0.1:3310

I would like to tell freshclam not to try to reload the daemon and
thereby suppress this error message. Using the --notify-daemon seems
only to redirect freshclam from the default location of the clamd.conf
file and does not seem to do the obvious thing of not notifying the
daemon if this option is not specified.

I am using version 0.84 and the rpm compiled binaries for redhat on the
dag site.

Thanks for your help
Andy


Re: [Clamav-users] virus questions

2005-05-03 Thread Trog
On Fri, 2005-04-29 at 23:55 -0700, Joanna Roman wrote:
> How are viruses like IRC.LXD.A, IRC.Gadez.A encountered
> ? When a user submits a virus, how does the clamav team know
> that they are of IRC types ??? Just curious .

Generally because they are in the form of IRC client software macro
files (mIRC INI files, for example). They then try and send themselves
and/or other virus files to people on IRC channels.

-trog



___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] clamd segfaulting as of about thursday

2005-05-03 Thread Trog
On Mon, 2005-05-02 at 16:19 -0500, Jeremy Kitchen wrote:
> I'm having lots of customers call up saying their clamd is segfaulting.. 
> installations that have been around for many months (0.80) and all of a 
> sudden, later in the week last week.. everyone's been having problems with 
> clamd segfaulting.  Updating to clamav 0.84 seems to have done the trick, but 
> I don't remember seeing any segfault issues on either the -users or -devel 
> lists that had been resolved
> 
> I'm assuming it's some sort of email that is going around right now (either 
> spam or virus) that is causing it to happen, however I cannot pinpoint the 
> actual email :(
> 
> Was there a bug that might be causing this that was fixed since 0.80 was 
> released?

Several. We don't release software updates for our own amusement. A
responsible system admin should always look to upgrade to the current
stable version as soon as possible after it is released.

People who say that their policy doesn't allow it are just making
excuses. Write a new policy. Explain to your boss that he is increasing
the risk of infection by having an outdated policy, and then write the
same to his boss. Set up a test system appropriate for your environment
to perform assurance testing.

Apart from missing potential crash fixes, you are also missing detection
of some viruses by not upgrading:

W32.Magistr.A and B
W32.Parite.A B C and D
some JPEG exploits
some email Worms that use non-standard encoding schemes to by-pass
filters

-trog



___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] clamd segfaulting as of about thursday

2005-05-03 Thread Nigel Horne
On Monday 02 May 2005 23:08, Pete 'Wolfy' Hanson wrote:
> Upgrading didn't seem to help me, though maybe it slowed down the
> crash rate - I just had another crash about an hour ago.  I'm getting
> slammed at postmaster each time it crashes.  This was in the logs from
> the latest crash:
> 
> May  2 14:22:24 smtp clamav-milter[153]: ClamAv: setsockopt() failed
> (Invalid argument)
> 
> Nothing leading up to it and nothing immediately after it out of the
> ordinary, other than a 5 minute break before the crash where nothing
> got logged (mildly unusual, but not completely unprecedented).

If that message appears, clamav-milter will fail to start, so it's not
surprising nothing was logged...

Review if you need the "-B" flag, and if not then don't use it. If
you do use the -B flag and this message appears, then check the NIC
you are telling it to use is correct.

-Nigel


-- 
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK.  ICQ#20252325
[EMAIL PROTECTED] http://www.bandsman.co.uk
___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] /var/tmp/clamav-partial hanging around

2005-05-03 Thread Nigel Horne
On Monday 02 May 2005 18:30, jef moskot wrote:
> If I do the #24 testvirus test ( http://www.webmail.us/testvirus ), the
> mail is delivered properly (which is fine, because there's no virus in
> there), but I also get a little file in /var/tmp/clamav-partial named
> something like partialmsg### that doesn't go away.
>
> Inside the file is the data portion of the mail (I can provide a copy to
> anyone interested).
>
> Is this a minor Clam bug, or is something misconfigured on my side?

> The file and directory appear to be root:wheel.
>
> I've noticed that a similar thing happens (rarely) when large mail files
> are scanned.  Sometimes all the component parts are left undeleted.  Every
> few months, I can go in there and remove a couple directories and
> everything seems fine.
>
> I'm running 0.84, using amavis to pass the mail along to clamscan (not
> using clamd), using sendmail on FreeBSD 4.X.

If you don't want to scan RFC1341 messages, disable PARTIAL_DIR in
mbox.c and recompile.

You can (usually) safely delete files in that directory more than about 24
hours in age.

> Jeffrey Moskot

___
http://lurker.clamav.net/list/clamav-users.html
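
The cleanup suggested in the reply above (removing fragments older than about 24 hours), as an added example that is not part of the original thread or of ClamAV. The function name `prune_partial` is hypothetical, the `partialmsg` prefix and the directory are taken from the question, and a `find` that supports `-maxdepth`, `-mmin` and `-delete` is assumed.

```shell
#!/bin/sh
# Added example: prune stale fragments left in the ClamAV partial-message
# directory. The directory lives under /var/tmp, so the function refuses
# to run through a symlink and only touches regular files in the top level.

# prune_partial [DIR] [MAX_AGE_MINUTES]
#   DIR              defaults to /var/tmp/clamav-partial (path from the thread)
#   MAX_AGE_MINUTES  defaults to 1440 (24 hours, as suggested in the reply)
# Prints each deleted path; returns non-zero on bad input.
prune_partial() {
    dir=${1:-/var/tmp/clamav-partial}
    max_age_min=${2:-1440}

    # A symlinked or missing directory is rejected rather than followed.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "prune_partial: $dir is not a real directory" >&2
        return 1
    fi

    # Only a plain non-negative integer is accepted as the age.
    case $max_age_min in
        ''|*[!0-9]*)
            echo "prune_partial: age must be a number of minutes" >&2
            return 2
            ;;
    esac

    # -type f skips symlinks and subdirectories; -xdev stays on one
    # filesystem; -maxdepth 1 keeps find out of anything nested below.
    find "$dir" -xdev -maxdepth 1 -type f -name 'partialmsg*' \
        -mmin "+$max_age_min" -print -delete
}
```

Run from cron as the user that owns the directory, for example `prune_partial /var/tmp/clamav-partial 1440`.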