Re: [Clamav-users] sober.p and german adverts?

2005-05-17 Thread Alan Premselaar
Jef Poskanzer wrote:
..snip...

 And finally, if you want to run a check on the HELO string, I find
 that just rejecting outside connections that claim a HELO of your own
 hostname gets rid of a very high proportion of crapmail.  This
 very simple check is successful enough that I'll probably publish
 a "notme_milter" at some point after spfmilter gets out of beta status.

I already do this with MIMEDefang.  it's proven quite effective.

I don't bother with any of the other checks because they either take too
many resources or have potentially too much collateral damage.

alan
___
http://lurker.clamav.net/list/clamav-users.html
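
Added example (not code from this thread, from MIMEDefang or from any milter named in it): the check described in the message above, rejecting outside connections whose HELO claims to be the receiving host, written as a small Python policy function. The host names, addresses and trusted networks are constructed values; matching address literals as well as host names goes slightly beyond the quoted text.

```python
import ipaddress

# Constructed local identity: names and addresses this server answers to.
MY_NAMES = {"mail.example.org", "example.org"}
MY_ADDRS = {ipaddress.ip_address("192.0.2.25")}

# Constructed list of networks that count as "inside" and are exempt,
# because local hosts may legitimately announce a local name.
TRUSTED_NETS = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("192.0.2.0/24"),
]


def is_outside(client_ip):
    """True when the connecting address is not in any trusted network."""
    addr = ipaddress.ip_address(client_ip)
    return not any(addr in net for net in TRUSTED_NETS)


def helo_claims_us(helo):
    """True when the HELO argument is one of our names or addresses."""
    name = helo.strip().rstrip(".").lower()   # ignore case and a trailing dot
    if name in MY_NAMES:
        return True
    # Address-literal form, e.g. "[192.0.2.25]" or "[IPv6:2001:db8::1]".
    if name.startswith("[") and name.endswith("]"):
        name = name[1:-1]
        if name.startswith("ipv6:"):
            name = name[5:]
    try:
        return ipaddress.ip_address(name) in MY_ADDRS
    except ValueError:
        return False                          # some other host name


def check_helo(client_ip, helo):
    """Return an SMTP rejection string, or None to let the session continue."""
    if is_outside(client_ip) and helo_claims_us(helo):
        return "550 5.7.1 HELO claims to be this host"
    return None


if __name__ == "__main__":
    # Constructed sessions: (connecting address, HELO argument).
    sessions = [
        ("203.0.113.7", "mail.example.org"),
        ("203.0.113.7", "[192.0.2.25]"),
        ("192.0.2.10", "mail.example.org"),
        ("203.0.113.7", "mx.other.example"),
    ]
    for ip, helo in sessions:
        print(ip, helo, "->", check_helo(ip, helo) or "accept")
```

The exemption for trusted networks is what keeps the collateral damage low: only a host that is neither local nor listed can trip the rule.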

[Clamav-users] 0.85 0.81.1 tha same troubles with milter

2005-05-17 Thread Sergey
Hello clamav-users,

   i've just tried to use 0.85 and 0.85.1 instead of my 0.84 but i
   found an error message on starting clamav-milter (Permission
   denied). is there any chance to solve this little problem?


   p.s. sorry about my english...
-- 
Best regards,
 Sergey  mailto:[EMAIL PROTECTED]



Re: [Clamav-users] sober.p and german adverts?

2005-05-17 Thread Dennis Davis
On Mon, 16 May 2005, Todd Lyons wrote:

 From: Todd Lyons [EMAIL PROTECTED]
 To: ClamAV users ML clamav-users@lists.clamav.net
 Date: Mon, 16 May 2005 10:14:26 -0700
 Subject: Re: [Clamav-users] sober.p and german adverts?
 Reply-To: ClamAV users ML clamav-users@lists.clamav.net

...

 Some ISP's don't allow you to relay mail through them if it's not
 for @ispdomain.com.  In that case, you should offer them a value
 add service to relay mail for them and then configure SSL (583) so
 that they don't have that problem.

Make that port 587, mail message submission described in RFC2476.
You may also need to configure a listener on the obsolete SMTPS
port, 465, for the benefit of crippleware clients that require
tls-on-connect.
-- 
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
[EMAIL PROTECTED]   Phone: +44 1225 386101


RE: [Clamav-users] freshclam's daily.cvd messages not showing

2005-05-17 Thread Randal, Phil
[EMAIL PROTECTED] wrote:
 Hello,
 
 I'm running clamav (currently version 0.85) on two separate
 servers and my home notebook and recently noticed odd
 behavior when running freshclam.
 While on one server and my notebook it always both displays
 to the console and logs information about both main.cvd and
 daily.cvd (i.e. whether they were updated or are up to date),
 on the other server it only displays that information about
 main.cvd, though it does log information about both main.cvd
 and daily.cvd to the log and does update daily.cvd when
 appropriate.  For example, here is the output from the first,
 normally operating server:
 
 root ~ # /usr/local/bin/freshclam
 ClamAV update process started at Sun May 15 04:49:38 2005
 main.cvd is up to date (version: 31, sigs: 33079, f-level: 4, builder:
 tkojm)
 daily.cvd is up to date (version: 878, sigs: 1281, f-level: 5,
 builder: ccordes)
 root ~ #
 
 while the other server, running the same version of clamav
 with identical configuration files (as verified by md5sums), displays
 only: 
 
 [EMAIL PROTECTED]:~# /usr/local/bin/freshclam
 ClamAV update process started at Sun May 15 04:50:39 2005
 main.cvd is up to date (version: 31, sigs: 33079, f-level: 4, builder:
 tkojm)
 [EMAIL PROTECTED]:~#
 
 The log files for both, however, are identical (except for times, of
 course): 
 
 [EMAIL PROTECTED]:~# tail -n 4 /var/log/freshclam.log
 --
 ClamAV update process started at Sun May 15 04:50:39 2005
 main.cvd is up to date (version: 31, sigs: 33079, f-level: 4, builder:
 tkojm)
 daily.cvd is up to date (version: 878, sigs: 1281, f-level: 5,
 builder: ccordes)
 
 Both installations were compiled from source using identical
 config options (./configure --sysconfdir=/etc) and with the
 default optimizations.  I did grep -r 'up to date' in the
 source directory and find only four occurrences, all in
 freshclam/manager.c, that consisted of two places where this
 message is first written to stdout then in the immediate next
 line apparently logged, so I am at a loss as to how the
 daily.cvd messages could be logged but not display to the
 console.  I'm no C programmer, though, so perhaps someone who
 is has a better idea as to what's going on here?
 
 The first (normal) server is a linux virtual machine
 running under UML on a box with dual Intel Xeon processors.
 My notebook has a pentium3 processor, and the server where
 freshclam behaves oddly is an old box with an amd k6-3
 processor.  The UML server is running a linux 2.4.26 based
 kernel, while my notebook and the other server currently run linux
 2.6.11-7 kernels.  If you need any other information let me know.
 
 Thanks,
 Zibeli
 

This is fixed in ClamAV 0.85.1

Thanks for the rapid update, team.

Cheers,

Phil


Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK


Re: [Clamav-users] Freshclam fall back to HTTP

2005-05-17 Thread Tomasz Kojm
On Tue, 17 May 2005 12:50:58 +0800
Awie [EMAIL PROTECTED] wrote:

 All,
 
 I cannot run Freshclam in DNS mode, it always fall back to HTTP. Below
 attached the message from my machine;
 
 [EMAIL PROTECTED] root]# freshclam
 ClamAV update process started at Tue May 17 12:43:32 2005
 WARNING: DNS record is older than 3 hours.

[...]

 but why Freshclam cannot run in DNS? What things should I fix?

System time?

-- 
   oo. Tomasz Kojm [EMAIL PROTECTED]
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Tue May 17 12:11:43 CEST 2005




Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter

2005-05-17 Thread Tomasz Kojm
On Tue, 17 May 2005 11:16:54 +0400
Sergey [EMAIL PROTECTED] wrote:

 Hello clamav-users,
 
i've just tried to use 0.85 and 0.85.1 instead of my 0.84 but i
found an error message on starting clamav-milter (Permission
denied). is there any chance to solve this little problem?

I don't believe you've installed 0.85.1 properly.

-- 
   oo. Tomasz Kojm [EMAIL PROTECTED]
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Tue May 17 12:25:49 CEST 2005




Re: [Clamav-users] Freshclam fall back to HTTP

2005-05-17 Thread Guy Van Den Bergh
On Tue, 2005-05-17 at 12:12, Tomasz Kojm wrote:
 On Tue, 17 May 2005 12:50:58 +0800
 Awie [EMAIL PROTECTED] wrote:

  WARNING: DNS record is older than 3 hours.
 
 [...]
 
  but why Freshclam cannot run in DNS? What things should I fix?
 
 System time?

Or maybe your local DNS servers.

I had a similar problem a few weeks ago.
I was using Windows 2000 DNS servers, and they were having trouble
caching the TXT record for ClamAV updates. Restarting the DNS server
services on the Windows machines helped me out.

You can ask your local dns server what it knows about clamav updates
with the command:

dig current.cvd.clamav.net txt

-- 
Guy Van Den Bergh
Netwerkbeheerder

http://www.ha.be 


Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter

2005-05-17 Thread Krištof Petr
Tomasz Kojm wrote:
On Tue, 17 May 2005 11:16:54 +0400
Sergey [EMAIL PROTECTED] wrote:
 

Hello clamav-users,
  i've just tried to use 0.85 and 0.85.1 instead of my 0.84 but i
  found an error message on starting clamav-milter (Permission
  denied). is there any chance to solve this little problem?
   

I don't believe you've installed 0.85.1 properly.
 


Sergey is right. This bug is not fixed.
May 17 12:36:41 server clamd: clamd startup succeeded
May 17 12:36:41 server clamd[27991]: HTML support enabled.
May 17 12:36:41 server clamd[27991]: Self checking every 1800 seconds.
May 17 12:36:54 server clamav-milter: /var/log/clamav/clamd.log: 
Permission denied

Petr


Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter

2005-05-17 Thread Tomasz Kojm
On Tue, 17 May 2005 12:55:36 +0200
Krištof Petr [EMAIL PROTECTED] wrote:

 Sergey is right. This bug is not fixed.
 
 
 May 17 12:36:41 server clamd: clamd startup succeeded
 May 17 12:36:41 server clamd[27991]: HTML support enabled.
 May 17 12:36:41 server clamd[27991]: Self checking every 1800 seconds.
 May 17 12:36:54 server clamav-milter: /var/log/clamav/clamd.log: 
 Permission denied

The original bug was related to /dev/console. The above seems like
a standard permission problem.

-- 
   oo. Tomasz Kojm [EMAIL PROTECTED]
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Tue May 17 12:57:15 CEST 2005




Re[2]: [Clamav-users] 0.85 0.81.1 tha same troubles with milter

2005-05-17 Thread Sergey
Hello Tomasz,

Tuesday, May 17, 2005, 2:58:41 PM, you wrote:

TK On Tue, 17 May 2005 12:55:36 +0200
TK Krištof Petr [EMAIL PROTECTED] wrote:

 Sergey is right. This bug is not fixed.
 
 
 May 17 12:36:41 server clamd: clamd startup succeeded
 May 17 12:36:41 server clamd[27991]: HTML support enabled.
 May 17 12:36:41 server clamd[27991]: Self checking every 1800 seconds.
 May 17 12:36:54 server clamav-milter: /var/log/clamav/clamd.log: 
 Permission denied

TK The original bug was related to /dev/console. The above seems like
TK a standard permission problem.


 no it's not. believe me because i'm not the only one who has such
 problem.

-- 
Best regards,
 Sergeymailto:[EMAIL PROTECTED]



Re[2]: [Clamav-users] 0.85 0.81.1 tha same troubles with milter

2005-05-17 Thread Sergey
Hello Tomasz,

Tuesday, May 17, 2005, 2:27:00 PM, you wrote:

TK On Tue, 17 May 2005 11:16:54 +0400
TK Sergey [EMAIL PROTECTED] wrote:

 Hello clamav-users,
 
i've just tried to use 0.85 and 0.85.1 instead of my 0.84 but i
found an error message on starting clamav-milter (Permission
denied). is there any chance to solve this little problem?

TK I don't believe you've installed 0.85.1 properly.


what do you mean by properly?
 there were no errors while i was installing it.
 i used just the same option that i used for installing 0.84 or there
 is in 0.85 some new extra installation stuff that i missed?
 

-- 
Best regards,
 Sergeymailto:[EMAIL PROTECTED]



Re: Re[2]: [Clamav-users] 0.85 0.81.1 tha same troubles with milter

2005-05-17 Thread Trog
On Tue, 2005-05-17 at 15:10 +0400, Sergey wrote:
 
 what do you mean by properly?
  there were no errors while i was installing it.
  i used just the same option that i used for installing 0.84 or there
  is in 0.85 some new extra installation stuff that i missed?
  

Check the permissions on your log file. They must be accessible by the
user the milter runs as.

-trog





Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter

2005-05-17 Thread Tomasz Kojm
On Tue, 17 May 2005 15:10:12 +0400
Sergey [EMAIL PROTECTED] wrote:

 Hello Tomasz,
 
 Tuesday, May 17, 2005, 2:27:00 PM, you wrote:
 
 TK On Tue, 17 May 2005 11:16:54 +0400
 TK Sergey [EMAIL PROTECTED] wrote:
 
  Hello clamav-users,
  
 i've just tried to use 0.85 and 0.85.1 instead of my 0.84 but i
 found an error message on starting clamav-milter (Permission
 denied). is there any chance to solve this little problem?
 
 TK I don't believe you've installed 0.85.1 properly.
 
 
 what do you mean by properly?
  there were no errors while i was installing it.
  i used just the same option that i used for installing 0.84 or there
  is in 0.85 some new extra installation stuff that i missed?

The only 'essential' information you have provided is that
clamav-milter prints Permission denied on startup so don't expect
constructive help from me.

-- 
   oo. Tomasz Kojm [EMAIL PROTECTED]
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Tue May 17 13:12:51 CEST 2005




Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter

2005-05-17 Thread Krištof Petr
Tomasz Kojm wrote:
On Tue, 17 May 2005 12:55:36 +0200
Krištof Petr [EMAIL PROTECTED] wrote:
 

Sergey is right. This bug is not fixed.
May 17 12:36:41 server clamd: clamd startup succeeded
May 17 12:36:41 server clamd[27991]: HTML support enabled.
May 17 12:36:41 server clamd[27991]: Self checking every 1800 seconds.
May 17 12:36:54 server clamav-milter: /var/log/clamav/clamd.log: 
Permission denied
   

The original bug was related to /dev/console. The above seems like
a standard permission problem.
 

I reported this bug one week before. But once again:

# uname -mpio
i686 i686 i386 GNU/Linux

# clamd -V
ClamAV 0.85.1/882/Tue May 17 08:48:03 2005

# clamav-milter -V
ClamAV version 0.85.1, clamav-milter version 0.85

# ll /var/log
total 42860
drwxr-xr-x  14 root    root     4096 May 17 12:36 .
drwxr-xr-x  23 root    root     4096 Jan  7 14:52 ..
-rw-------   1 root    root    21573 Feb  1 04:02 boot.log.4
drwxr-xr-x   2 clamav  clamav   4096 May 17 13:05 clamav
-rw-r--r--   1 root    root   183414 May 17 13:01 cron

# ll /var/log/clamav/
total 16
drwxr-xr-x   2 clamav clamav 4096 May 17 13:08 .
drwxr-xr-x  14 root   root   4096 May 17 12:36 ..
-rw-r-----   1 clamav clamav  474 May 17 13:05 freshclam.log

# service clamd start
Starting Clam AV daemon:   [  OK  ]

# ll /var/log/clamav/
total 20
drwxr-xr-x   2 clamav clamav 4096 May 17 13:09 .
drwxr-xr-x  14 root   root   4096 May 17 12:36 ..
-rw-r-----   1 root   root   1417 May 17 13:09 clamd.log
-rw-r-----   1 clamav clamav  474 May 17 13:05 freshclam.log

# service clamav-milter start
Starting clamav-milter:    [FAILED]

# tail -f /var/log/messages
May 17 13:13:42 server clamav-milter: /var/log/clamav/clamd.log:
Permission denied

and clamav-milter is not running.

# grep User /etc/clamd.conf
User clamav

My observation is: clamav creates log file with root permission,
so user clamav can't write to log.

Are there some developers who believe that non-privileged user clamav
can write to logfile with bad permissions (0640 root.root clamd.log)?
This assumption is wrong on some unix like OSes, I'm afraid.

Clamav should create log file with same owner as defined in clamd.conf
to work it properly.

Petr


Re[2]: [Clamav-users] 0.85 0.81.1 tha same troubles with milter

2005-05-17 Thread Sergey
Hello Tomasz,

Tuesday, May 17, 2005, 3:17:34 PM, you wrote:

TK On Tue, 17 May 2005 15:10:12 +0400
TK Sergey [EMAIL PROTECTED] wrote:

 Hello Tomasz,
 
 Tuesday, May 17, 2005, 2:27:00 PM, you wrote:
 
 TK On Tue, 17 May 2005 11:16:54 +0400
 TK Sergey [EMAIL PROTECTED] wrote:
 
  Hello clamav-users,
  
 i've just tried to use 0.85 and 0.85.1 instead of my 0.84 but i
 found an error message on starting clamav-milter (Permission
 denied). is there any chance to solve this little problem?
 
 TK I don't believe you've installed 0.85.1 properly.
 
 
 what do you mean by properly?
  there were no errors while i was installing it.
  i used just the same option that i used for installing 0.84 or there
  is in 0.85 some new extra installation stuff that i missed?

TK The only 'essential' information you have provided is that
TK clamav-milter prints Permission denied on startup so don't expect
TK constructive help from me.


1) i use freebsd 4,7
2) clamav is configured with such options as --prefix=/usr/local/clamav
--enable-milter
3) clamd, freshclam and clamav-milter starts by user clamav
4) /usr/local/clamav # ls -l
total 14
drwxr-xr-x  2 root    clamav  512 May 17 15:39 bin
drwxr-xr-x  2 root    clamav  512 May 17 15:31 etc
drwxr-xr-x  2 root    clamav  512 May 17 15:38 include
drwxr-xr-x  3 root    clamav  512 May 17 15:39 lib
drwxr-xr-x  2 root    clamav  512 May 17 15:39 sbin
drwxr-xr-x  3 root    clamav  512 May 17 15:39 share
drwxr-x---  4 clamav  clamav  512 May 17 15:39 var

5) /usr/local/clamav/var # ls -l
total 12
-rw-r-----  1 clamav  clamav   583 May 17 15:40 clamd-update.log
-rw-r-----  1 root    clamav  1265 May 17 15:40 clamd.log
-rw-rw----  1 clamav  clamav     5 May 17 15:39 clamd.pid
srwxrwxrwx  1 clamav  clamav     0 May 17 15:39 clamd.sock
-rw-rw----  1 clamav  clamav     5 May 17 15:39 freshclam.pid
drwx------  4 clamav  clamav   512 May 17 00:45 quarantine
drwxr-xr-x  4 clamav  clamav   512 May 17 15:44 tmp

6)  cat /usr/local/etc/rc.d/clamav.sh
#!/bin/sh
/usr/local/clamav/sbin/clamd
/usr/local/clamav/sbin/clamav-milter -lofU /usr/local/clamav/var/quarantine /usr/local/clamav/var/clmilter.sock -p [EMAIL PROTECTED] --max-children=3
/usr/local/clamav/bin/freshclam -d -c 6 -l /usr/local/clamav/var/clamd-update.log


what do i do wrong?

-- 
Best regards,
 Sergeymailto:[EMAIL PROTECTED]



Re[4]: [Clamav-users] 0.85 0.81.1 tha same troubles with milter

2005-05-17 Thread Sergey
Hello Trog,

Tuesday, May 17, 2005, 3:13:49 PM, you wrote:

T On Tue, 2005-05-17 at 15:10 +0400, Sergey wrote:
 
 what do you mean by properly?
  there were no errors while i was installing it.
  i used just the same option that i used for installing 0.84 or there
  is in 0.85 some new extra installation stuff that i missed?
  

T Check the permissions on your log file. They must be accessible by the
T user the milter runs as.

T -trog


they are accessible

-- 
Best regards,
 Sergeymailto:[EMAIL PROTECTED]



Re: [Clamav-users] sober.p and german adverts?

2005-05-17 Thread Bart Silverstrim
On May 16, 2005, at 5:43 PM, Dennis Peterson wrote:
 Most of the spam I've gotten the last three days is from comcast.net.
 Apparently they allow their customers to send out to port 25. They should
 lock that down so that spam goes out through their own servers so they can
 feel the pain when they are blacklisted for incompetence. If you need to
 run your own stand-alone mail service you should pay the price for the
 privilege.

To me, that price is learning how to do it right.  Price isn't always
monetary.

I wouldn't argue with the idea of having to tell your provider that you 
need your particular connection unfiltered and leave it unfiltered 
because you're setting up the server.

I'm paying for the bandwidth of a connection.  If anything you're 
saving the ISP money in labor to maintain your mail spool, you're 
saving them disk space, and you're saving them liability...because 
you're willing to shoulder the burden yourself.  The price here is 
you're doing the administration, you're sacrificing your disk space, 
and you're sacrificing the ability to complain to them when the disk 
dies and there's not a backup and you don't have 24/7 connection 
reliability, only a reasonable connection.

It's kinda stupid to me that you'd save them some space and time and 
liability and have to pay them for taking away a sliver of a headache, 
if all you want is a connection...and you may even be one of the small 
percentage that if you run the services yourself, you won't be on their 
tech support line.  Seems like that's the biggest cost for ISPs.  For 
people who are willing to learn and put work into maintaining it the 
cost of getting a business class connection is so high 
that...well...they'd have to be a business to get it.  Or at least get 
it and not subsist on bologna and Cheerios for meals.



Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter

2005-05-17 Thread Andrzej Zawadzki
Sergey wrote:
[...]
 -rw-r-----  1 root    clamav  1265 May 17 15:40 clamd.log
  ^^
How clamd (in reality user clamav.clamav) can write to this file??

[...]

-- 
Andrzej Zawadzki


Re: [Clamav-users] Freshclam fall back to HTTP

2005-05-17 Thread Awie
 On Tue, 2005-05-17 at 12:12, Tomasz Kojm wrote:
  On Tue, 17 May 2005 12:50:58 +0800
  Awie [EMAIL PROTECTED] wrote:
 
   WARNING: DNS record is older than 3 hours.
  
  [...]
  
   but why Freshclam cannot run in DNS? What things should I fix?
  
  System time?

System time seems OK. Below the display.

[EMAIL PROTECTED] root]# date
Tue May 17 19:52:57 EDT 2005

Thx  Rgds,

Awie




Re: [Clamav-users] Freshclam fall back to HTTP

2005-05-17 Thread Awie
Hello,

  System time?

 Or maybe your local DNS servers.

 I had a similar problem a few weeks ago.
 I was using Windows 2000 DNS servers, and they were having trouble
 caching the TXT record for ClamAV updates. Restarting the DNS server
 services on the Windows machines helped me out.

 You can ask your local dns server what it knows about clamav updates
 with the command:

 dig current.cvd.clamav.net txt

Below the result of dig in my machine. It seems can reach
current.cvd.clamav.net.

Please advise.

Thx  Rgds,

Awie

===SNIP===

[EMAIL PROTECTED] root]# dig current.cvd.clamav.net txt

; <<>> DiG 9.2.4 <<>> current.cvd.clamav.net txt
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35447
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;current.cvd.clamav.net.        IN      TXT

;; ANSWER SECTION:
current.cvd.clamav.net. 900     IN      TXT     "0.85.1:31:882:1116329341:0"

;; Query time: 1482 msec
;; SERVER: 202.136.64.52#53(202.136.64.52)
;; WHEN: Tue May 17 19:54:59 2005
;; MSG SIZE  rcvd: 79



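
Added example, not part of the original posts and not freshclam's code: parsing the TXT record from the dig output above and applying an age test like the one behind the "DNS record is older than 3 hours" warning. It assumes the fourth field is a Unix timestamp that is compared with the local clock; the wall-clock time is the `date` output posted earlier in this thread, evaluated once as EDT (as displayed) and once at +0800 (the offset on the poster's mail header).

```python
import calendar
from collections import namedtuple

# Threshold taken from the warning text quoted in the thread.
MAX_AGE_SECONDS = 3 * 3600

# engine/main/daily match the versions shown elsewhere in the thread;
# treating the fourth field as a Unix timestamp is an assumption.
DnsInfo = namedtuple("DnsInfo", "engine main daily stamp")


def parse_txt(txt):
    """Split the colon-separated TXT payload into typed fields."""
    fields = txt.strip().strip('"').split(":")
    if len(fields) < 4:
        raise ValueError("expected at least 4 colon-separated fields")
    return DnsInfo(fields[0], int(fields[1]), int(fields[2]), int(fields[3]))


def to_epoch(wall_clock, utc_offset_hours):
    """Convert (Y, M, D, h, m, s) at a given UTC offset to epoch seconds."""
    return calendar.timegm(wall_clock) - int(utc_offset_hours * 3600)


def record_age(info, now_epoch):
    """Seconds between the record's timestamp and the supplied clock."""
    return now_epoch - info.stamp


def is_stale(info, now_epoch):
    """True when the record looks older than the 3 hour limit."""
    return record_age(info, now_epoch) > MAX_AGE_SECONDS


# TXT payload exactly as shown in the dig answer section.
RECORD = parse_txt("0.85.1:31:882:1116329341:0")

# "Tue May 17 19:52:57 EDT 2005" from the date output in the thread.
WALL_CLOCK = (2005, 5, 17, 19, 52, 57)
NOW_AS_EDT = to_epoch(WALL_CLOCK, -4)     # zone as displayed by date
NOW_AS_PLUS8 = to_epoch(WALL_CLOCK, +8)   # same digits read at +0800


def summary():
    """Age in seconds and staleness for both readings of the clock."""
    return {
        "EDT": (record_age(RECORD, NOW_AS_EDT), is_stale(RECORD, NOW_AS_EDT)),
        "+0800": (record_age(RECORD, NOW_AS_PLUS8), is_stale(RECORD, NOW_AS_PLUS8)),
    }


if __name__ == "__main__":
    for zone, (age, stale) in summary().items():
        print(f"{zone:>6}: record age {age:6d} s  stale={stale}")
```

A clock that shows the right digits under the wrong time zone is still hours off in UTC, which is the only thing an epoch comparison sees.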


Re: [Clamav-users] sober.p and german adverts?

2005-05-17 Thread John Jolet
One final point here, I know I, and I'm sure many of you, have seen or come 
into contact with infected exchange servers on static ip addresses.  The 
fact that it's static, or in fact, a business connection, speaks not a thing 
for the competence of the administrator, or the security of the server.  My 
point before was this:  my ip in no way says you should  trust me, I can be 
infected and misconfigured on a static ip as a dynamic one.  Also, I'm being 
penalized for microsoft's inability to engineer and distribute a secure os.  
You have every right to block whatever address ranges you want, and when I 
get the bounce, I'll add you to my transport file for postfix.  All else, 
I'll manage the queue myself.

On Tuesday 17 May 2005 06:48 am, Bart Silverstrim wrote:
 On May 16, 2005, at 5:43 PM, Dennis Peterson wrote:
  Most of the spam I've gotten the last three days is from comcast.net.
  Apparently they allow their customers to send out to port 25. They
  should
  lock that down so that spam goes out through their own servers so they
  can
  feel the pain when they are blacklisted for incompetence. If you need
  to
  run your own stand-alone mail service you should pay the price for the
  privilege.

 To me, that price is learning how to do it right.  Price isn't always
 monetary.

 I wouldn't argue with the idea of having to tell your provider that you
 need your particular connection unfiltered and leave it unfiltered
 because you're setting up the server.

 I'm paying for the bandwidth of a connection.  If anything you're
 saving the ISP money in labor to maintain your mail spool, you're
 saving them disk space, and you're saving them liability...because
 you're willing to shoulder the burden yourself.  The price here is
 you're doing the administration, you're sacrificing your disk space,
 and you're sacrificing the ability to complain to them when the disk
 dies and there's not a backup and you don't have 24/7 connection
 reliability, only a reasonable connection.

 It's kinda stupid to me that you'd save them some space and time and
 liability and have to pay them for taking away a sliver of a headache,
 if all you want is a connection...and you may even be one of the small
 percentage that if you run the services yourself, you won't be on their
 tech support line.  Seems like that's the biggest cost for ISPs.  For
 people who are willing to learn and put work into maintaining it the
 cost of getting a business class connection is so high
 that...well...they'd have to be a business to get it.  Or at least get
 it and not subsist on bologna and Cheerios for meals.


-- 
John Jolet
Technology Solutions
Your On-Demand IT Department
512-762-0729
www.jolet.net
[EMAIL PROTECTED]


Re: Re[4]: [Clamav-users] 0.85 0.81.1 tha same troubles with milter

2005-05-17 Thread Trog
On Tue, 2005-05-17 at 15:44 +0400, Sergey wrote:

 T Check the permissions on your log file. They must be accessible by the
 T user the milter runs as.
 
 T -trog
 
 
 they are accessible
 

No they aren't. Actually look at the file permissions this time.

-trog





Re[2]: [Clamav-users] 0.85 0.81.1 tha same troubles with milter

2005-05-17 Thread Sergey
Hello Krištof,

Tuesday, May 17, 2005, 3:22:21 PM, you wrote:

KP Tomasz Kojm wrote:

On Tue, 17 May 2005 12:55:36 +0200
Krištof Petr [EMAIL PROTECTED] wrote:

  

Sergey is right. This bug is not fixed.


May 17 12:36:41 server clamd: clamd startup succeeded
May 17 12:36:41 server clamd[27991]: HTML support enabled.
May 17 12:36:41 server clamd[27991]: Self checking every 1800 seconds.
May 17 12:36:54 server clamav-milter: /var/log/clamav/clamd.log: 
Permission denied



The original bug was related to /dev/console. The above seems like
a standard permission problem.
  


KP I reported this bug one week before. But once again:

KP # uname -mpio
KP i686 i686 i386 GNU/Linux

KP # clamd -V
KP ClamAV 0.85.1/882/Tue May 17 08:48:03 2005

KP # clamav-milter -V
KP ClamAV version 0.85.1, clamav-milter version 0.85

KP # ll /var/log
KP total 42860
KP drwxr-xr-x  14 root    root     4096 May 17 12:36 .
KP drwxr-xr-x  23 root    root     4096 Jan  7 14:52 ..
KP -rw-------   1 root    root    21573 Feb  1 04:02 boot.log.4
KP drwxr-xr-x   2 clamav  clamav   4096 May 17 13:05 clamav
KP -rw-r--r--   1 root    root   183414 May 17 13:01 cron

KP # ll /var/log/clamav/
KP total 16
KP drwxr-xr-x   2 clamav clamav 4096 May 17 13:08 .
KP drwxr-xr-x  14 root   root   4096 May 17 12:36 ..
KP -rw-r-----   1 clamav clamav  474 May 17 13:05 freshclam.log

KP # service clamd start
KP Starting Clam AV daemon:   [  OK  ]

KP # ll /var/log/clamav/
KP total 20
KP drwxr-xr-x   2 clamav clamav 4096 May 17 13:09 .
KP drwxr-xr-x  14 root   root   4096 May 17 12:36 ..
KP -rw-r-----   1 root   root   1417 May 17 13:09 clamd.log
KP -rw-r-----   1 clamav clamav  474 May 17 13:05 freshclam.log

KP # service clamav-milter start
KP Starting clamav-milter:    [FAILED]

KP # tail -f /var/log/messages
KP May 17 13:13:42 server clamav-milter: /var/log/clamav/clamd.log:
KP Permission denied

KP and clamav-milter is not running.

KP # grep User /etc/clamd.conf
KP User clamav

KP My observation is: clamav creates log file with root permission,
KP so user clamav can't write to log.

KP Are there some developers who believe that non-privileged user clamav
KP can write to logfile with bad permissions (0640 root.root clamd.log)?
KP This assumption is wrong on some unix like OSes, I'm afraid.

KP Clamav should create log file with same owner as defined in clamd.conf
KP to work it properly.

i've just noticed the same thing. clamd.log is made by root. but 0.84
doesn't care about that it works properly.


-- 
Best regards,
 Sergeymailto:[EMAIL PROTECTED]



Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter

2005-05-17 Thread Bill Maidment
Sergey wrote:
Hello Krištof,

KP # grep User /etc/clamd.conf
KP User clamav
Shouldn't the conf files be in /usr/local/etc/ ???
That's how it works for me and my log file is owned by clamav
Cheers
Bill
--
What's the difference between Linux and Windoze?
Linux   - Thousands of programmers are working *WITH*you.
Windoze - Thousands of programmers are working *AGAINST* you.


Re: [Clamav-users] Freshclam fall back to HTTP

2005-05-17 Thread Guy Van Den Bergh
On Tue, 2005-05-17 at 13:53, Awie wrote:

 Below the result of dig in my machine. It seems can reach
 current.cvd.clamav.net.
 
 Please advise.

 ===SNIP===
 
 [EMAIL PROTECTED] root]# dig current.cvd.clamav.net txt
 
 ; <<>> DiG 9.2.4 <<>> current.cvd.clamav.net txt
 ;; global options:  printcmd
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35447
 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
 
 ;; QUESTION SECTION:
 ;current.cvd.clamav.net.        IN      TXT
 
 ;; ANSWER SECTION:
 current.cvd.clamav.net. 900     IN      TXT     "0.85.1:31:882:1116329341:0"
 
 ;; Query time: 1482 msec
 ;; SERVER: 202.136.64.52#53(202.136.64.52)
 ;; WHEN: Tue May 17 19:54:59 2005
 ;; MSG SIZE  rcvd: 79
 

This looks fine to me.
My DNS servers were messing up the expiration time (900 seconds right
here, as it should be...).

In my freshclam.conf, I have a section that says:

# Use DNS to verify virus database version. Freshclam uses DNS TXT records
# to verify database and software versions. We highly recommend enabling
# this option.
# Default: disabled
DNSDatabaseInfo current.cvd.clamav.net

--
What is your configuration?
Does it have a DNSDatabaseInfo directive?
Maybe you're still using a configuration file from a previous version,
from before the DNSDatabaseInfo days?
(just guessing, I have no clue what else could be happening at this
point.)

 
 
-- 
Guy Van Den Bergh
Netwerkbeheerder
Hogeschool Antwerpen

http://www.ha.be 


Re[2]: [Clamav-users] 0.85 0.81.1 tha same troubles with milter

2005-05-17 Thread Christopher X. Candreva
On Tue, 17 May 2005, Sergey wrote:

 i've just noticed the same thing. clamd.log is made by root. but 0.84
 doesn't care about that it works properly.

Yes -- this is what I posted about Sat morning.

Previous to 0.85, clamav-milter didn't care if it couldn't write to its log
file.

Starting with 0.85, it won't run if it can't write to its log file.

Personally I don't think that's a good enough reason to not run, but
evidently people disagree, and I'm not inclined to argue about it further.

I solved the problem here by making clamd.log owned by group clamav and
mode 660

==
Chris Candreva  -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/
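
Added example, not ClamAV code: the write-access question argued in this thread, evaluated for `ls -l` lines like the ones posted. Mode strings are written out in full ten-character form, the last three sample lines are constructed, and it is assumed that the milter user `clamav` belongs only to group `clamav`.

```python
# Index of the write bit in an ls mode string such as "-rw-r-----".
WRITE_BIT = {"owner": 2, "group": 5, "other": 8}


def parse_ls_line(line):
    """Extract mode, owner, group and name from one `ls -l` line."""
    parts = line.split(None, 8)
    if len(parts) < 9 or len(parts[0]) < 10:
        raise ValueError("not an ls -l line: %r" % line)
    return {"mode": parts[0][:10], "owner": parts[2],
            "group": parts[3], "name": parts[8]}


def access_class(entry, user, groups):
    """Pick the single permission class that applies to this user.

    Classes are exclusive: the owner is judged by the owner bits only,
    even when the group bits would grant more.
    """
    if user == entry["owner"]:
        return "owner"
    if entry["group"] in groups:
        return "group"
    return "other"


def can_write(entry, user, groups):
    """True when the user may open the file for writing."""
    if user == "root":
        return True
    return entry["mode"][WRITE_BIT[access_class(entry, user, groups)]] == "w"


def audit(line, user, groups):
    """Classify a log file as 'denied', 'writable' or 'world-writable'."""
    entry = parse_ls_line(line)
    if entry["mode"][WRITE_BIT["other"]] == "w":
        return "world-writable"      # works, but any local user can tamper
    return "writable" if can_write(entry, user, groups) else "denied"


SAMPLES = [
    # From the thread: clamd.log created as root.root, mode 0640.
    "-rw-r-----   1 root   root   1417 May 17 13:09 clamd.log",
    # From the thread: clamd.log as root.clamav, mode 0640 (group read only).
    "-rw-r-----  1 root    clamav  1265 May 17 15:40 clamd.log",
    # Constructed: after the fix in the message above (group clamav, 660).
    "-rw-rw----  1 root    clamav  1265 May 17 15:40 clamd.log",
    # Constructed: "fixing" it with mode 666 instead.
    "-rw-rw-rw-  1 root    root    1265 May 17 15:40 clamd.log",
    # Constructed: owner without write, group with write.
    "-r--rw----  1 clamav  clamav  1265 May 17 15:40 clamd.log",
]


def run_samples(user="clamav", groups=("clamav",)):
    """Audit every sample line for the given user and group set."""
    return [audit(line, user, set(groups)) for line in SAMPLES]


if __name__ == "__main__":
    for line, verdict in zip(SAMPLES, run_samples()):
        print("%-15s %s" % (verdict, line))
```

Group membership in the file's group is not enough on its own: the second sample is in group clamav and is still denied because the group write bit is missing.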


Re: [Clamav-users] sober.p and german adverts?

2005-05-17 Thread Bart Silverstrim
On May 17, 2005, at 2:17 AM, Alan Premselaar wrote:
 Jef Poskanzer wrote:
  ..snip...

  And finally, if you want to run a check on the HELO string, I find
  that just rejecting outside connections that claim a HELO of your own
  hostname gets rid of a very high proportion of crapmail.  This
  very simple check is successful enough that I'll probably publish
  a notme_milter at some point after spfmilter gets out of beta status.

 I already do this with MIMEDefang.  it's proven quite effective.

 I don't bother with any of the other checks because they either take too
 many resources or have potentially too much collateral damage.

What I'd like is a system that takes incoming mail, strips rich 
text/html and reinterprets it into plain text, strips attachments and 
puts them into an ACL-controlled quarantine so users can get to them 
only if they really wanted them (within X days before it's wiped from 
the database and storage area) whether it's a networked fileshare or 
(probably better) a website.  Stick headers in as to probability of 
message being spam so client filtering can work still.

Have DNS lookups on the helo string...not valid, don't take it.  Maybe 
even do a reverse check to see if there's a mail server on the sending 
system...how many systems would break doing a check like that?  Enough 
to be significant?  Build in some tarpitting if the same site keeps 
hitting users on your site that are invalid more than X times when 
checking against your user database.

How much collateral damage would a system like this cause, I wonder?
After yet another day of putting up with all this crap from viruses, 
there's a part of me that wonders what would happen if someone wrote a 
virus that would pull a sober.p infectinfectinfect...sleep...payload 
trick where instead of turning the computer into a spambot would 
instead delete some system files so Windows wouldn't boot again, 
forcing people to STOP CLICKING ON RANDOM ATTACHMENTS and fixing the 
problem systems.  Isn't that the primary trick being used now to spread 
spam and viruses?  People are clicking and running attachments from 
other viruses and are clueless about NOT CLICKING RANDOM ATTACHMENTS?  
Although I already know people abhor the idea and it's definitely not 
the first time that idea's been entertained in some twisted form of 
vigilante online justice.

*sigh*  too much of this stuff makes Johnny a dull boy.  Need more 
sleep.
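
Added example, not part of the original posts: a sketch of the HELO checks discussed in this message, written as plain Python rather than as a milter or MIMEDefang filter. The host names, networks, resolver table, and the choice to reject only on the own-hostname check while merely flagging the others are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample data (assumptions, not from the thread).
MY_NAMES = {"mail.example.org"}
MY_NETS = [ipaddress.ip_network("192.0.2.0/24")]
FAKE_DNS = {"relay.example.net": ["203.0.113.9"]}

LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def fake_resolve(name):
    """Offline stand-in for a DNS lookup; returns a list of addresses."""
    return FAKE_DNS.get(name, [])


def is_fqdn(name):
    labels = name.split(".")
    return len(labels) >= 2 and all(LABEL.match(label) for label in labels)


def check_helo(helo, client_ip, my_names, my_nets, resolve=None):
    """Return (action, reason) for one HELO/EHLO argument.

    Only the check quoted from Jef Poskanzer (an outside client claiming
    our own hostname) rejects. The DNS-based ideas only flag, because the
    thread itself worries about their collateral damage.
    """
    client = ipaddress.ip_address(client_ip)
    internal = any(client in net for net in my_nets)
    name = helo.strip().lower().rstrip(".")

    if not internal and name in my_names:
        return ("reject", "outside client claims our hostname")
    if name.startswith("[") and name.endswith("]"):
        return ("accept", "address literal")
    try:
        ipaddress.ip_address(name)
        return ("flag", "bare IP address without brackets")
    except ValueError:
        pass
    if not is_fqdn(name):
        return ("flag", "not a fully qualified name")
    if resolve is not None and not resolve(name):
        return ("flag", "name does not resolve")
    return ("accept", "ok")


class InvalidRcptTracker:
    """Count invalid recipients per client; tarpit after more than X."""

    def __init__(self, threshold):
        self.threshold = threshold
        self.misses = {}

    def record(self, client_ip, rcpt, valid_users):
        """Return True when this client should now be tarpitted."""
        if rcpt.lower() in valid_users:
            return False
        count = self.misses.get(client_ip, 0) + 1
        self.misses[client_ip] = count
        return count > self.threshold


if __name__ == "__main__":
    for helo, ip in [("mail.example.org", "203.0.113.9"),
                     ("mail.example.org", "192.0.2.10"),
                     ("localhost", "203.0.113.9"),
                     ("nosuch.example.net", "203.0.113.9")]:
        print(helo, ip, check_helo(helo, ip, MY_NAMES, MY_NETS, fake_resolve))
```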



Re: [Clamav-users] sober.p and german adverts?

2005-05-17 Thread Dennis Peterson
Bart Silverstrim said:

 On May 16, 2005, at 5:43 PM, Dennis Peterson wrote:

 Most of the spam I've gotten the last three days is from comcast.net.
 Apparently they allow their customers to send out to port 25. They
 should
 lock that down so that spam goes out through their own servers so they
 can
 feel the pain when they are blacklisted for incompetence. If you need
 to
 run your own stand-alone mail service you should pay the price for the
 privilege.

 To me, that price is learning how to do it right.  Price isn't always
 monetary.

 I wouldn't argue with the idea of having to tell your provider that you
 need your particular connection unfiltered and leave it unfiltered
 because you're setting up the server.


What you are paying for is their trust that you are doing your part
correctly. As an ISP my greatest investment aside from my hardware is my
IP. Anything that puts it at risk puts all at risk. Policy describes I do
all I can to protect that investment so I set the rules. I don't have to
trust my  average customers because I manage the resources. If you come to
me and ask me to loosen my rules I will do that but you have to invest in
my trust in you. By requiring you to have a higher liability I encourage
you to avoid activities that put your investment in jeopardy.

Imagine I am an ISP and you are a customer and you spam the world with
your own machine, drawing attention to my IP block. As is the norm, my IP
is blacklisted and I have to go to the blacklist vendors, hat in hand, to
explain that you, not I, did the dirty deed, and that I've pulled your
account. Personally I would probably find you and kick your ass, but
technically, I could have avoided the problem by requiring you to use my
smtp server and my traffic policies. Now imagine you are one of 25,000
customers I have to deal with. Where do you think I'm going to put my
effort?

It can be argued that true spammers are so profitable they can afford to
throw away any reasonable fees I might impose. It is certainly true, but
what I advocate is not directed at them. I'm just trying to help keep the
99.9% honest people out there from screwing up my business because they
use a POS Windows system that even Bill Gates, Inc. can't keep clean.

But let's get back to anti-virus issues - 0.85.1 is out and appears to
have an interesting issue with permissions and there's an easy solution. I
wonder who will find it first.

dp


Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter

2005-05-17 Thread Dennis Peterson
Bill Maidment said:
 Sergey wrote:
 Hello Krištof,



 KP # grep User /etc/clamd.conf
 KP User clamav


 Shouldn't the conf files be in /usr/local/etc/ ???
 That's how it works for me and my log file is owned by clamav


That is dependent upon who built the binaries and the choices they made
when doing so. If this were standardized there would be fewer instances of
multiple versions of libs, executables, and config files installed on
systems. As a minimum, packagers should describe in their docs where
things go. My guess is most noobies would still not read it, but those who
try to debug the mess they have would have another tool to work with.

The lesson to learn is: know your system and don't trust packagers.

dp




Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter

2005-05-17 Thread Mr Mailing List
Hello,
On 17 May 2005, at 13:17, Tomasz Kojm wrote:
On Tue, 17 May 2005 15:10:12 +0400
Sergey [EMAIL PROTECTED] wrote:

Hello Tomasz,
Tuesday, May 17, 2005, 2:27:00 PM, you wrote:
TK On Tue, 17 May 2005 11:16:54 +0400
TK Sergey [EMAIL PROTECTED] wrote:

Hello clamav-users,
   i've just tried to use 0.85 and 0.85.1 instead of my 0.84 but i
   found an error message on starting clamav-milter (Permission
   denied). is there any chance to solve this little problem?
TK I don't believe you've installed 0.85.1 properly.
what do you mean by properly?
 there were no errors while i was installing it.
 i used just the same option that i used for installing 0.84 or there
 is in 0.85 some new extra installation stuff that i missed?
The only 'essential' information you have provided is that
clamav-milter prints Permission denied on startup so don't expect
constructive help from me.
There appears to be something not quite good happening.
More information, for version v0.85 the following scenario seems  
consistent on my server:

clamd.conf contains:
User clamav
.
LogFile /var/log/clam/clamd.log
Now delete
stop clamd
delete /var/log/clam/clamd.log
start clamd again
Upon restart clamd.log is created, but owned by root.
ls -l /var/log/clam/clamd.log
-rw-r-1 root root 2675 May 17 14:42 /var/log/clam/clamd.log

(Additional information:
ls -ld /var/log/clam/
drwxr-xr-x2 clamav   clamav   4096 May 17 14:42 /var/log/clam/
)

--
   oo. Tomasz Kojm [EMAIL PROTECTED]
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Tue May 17 13:12:51 CEST 2005


[Clamav-users] Clam AV allows e-mail from www.webmail.us/testvirus through?

2005-05-17 Thread Douglas Ward
I have recently installed Clam AV 0.85 and have downloaded the latest updates 
through freshclam.  We are running this software on a new e-mail gateway server 
built with Postfix and Mandrake LE2005.  Please excuse my ignorance as I am 
very new to this product.  My question is that with clamd running as a process 
and freshclam telling me that the latest updates are loaded the test viruses 
sent from webmail.us are being allowed through.  I believe that clamav is 
working as numbers 1-3, 6-12, and 13 were all blocked but the rest of the 27 
files were allowed through.  Am I missing something?  Shouldn't clamav have a 
better detection rate than that?  Should I be restarting the clamd process 
every time freshclam updates?  Everything starts properly with no errors in 
either clamd.log or freshclam.log.  Shouldn't clamav be intercepting all virus 
messages passing through the gateway?  There is no local delivery on this 
server - everything is relayed to four internal mail servers.  I re-read the 
documentation, faq's, and mailing list archives and didn't see much of help.  
Any assistance anyone can provide would be most welcome.

Douglas Ward
Director of Information Technology
NC Methodist Conference
1307 Glenwood Ave.
Raleigh, NC 27605
Work: (919) 832-9560 ext. 227
Fax: (919) 834-7989





Re: [Clamav-users] Freshclam fall back to HTTP

2005-05-17 Thread Awie
 This looks fine to me.
 My DNS servers were messing up the expiration time (900 seconds right
 here, as it should be...).

 In my freshclam.conf, I have a section that says:

 # Use DNS to verify virus database version. Freshclam uses DNS TXT records
 # to verify database and software versions. We highly recommend enabling
 # this option.
 # Default: disabled
 DNSDatabaseInfo current.cvd.clamav.net

I use a new freshclam.conf.

 --
 What is your configuration?
 Does it have a DNSDatabaseInfo directive?
 Maybe you're still using a configuration file from a previous version,
 from before the DNSDatabaseInfo days?

Below attached lines in the file

 (just guessing, I have no clue what else could be happening at this
 point.)

. :(

Thx  Rgds,

Awie

---SNIP---

[EMAIL PROTECTED] src]# cat /usr/local/etc/freshclam.conf
##
## Example config file for freshclam
## Please read the clamav.conf(5) manual before editing this file.
## This file may be optionally merged with clamav.conf.
##


# You can change the default database directory here.
#DatabaseDirectory /var/lib/clamav

# Path to the config file (make sure it has proper permissions)
#UpdateLogFile /var/log/freshclam.log

# Enable verbose logging.
#LogVerbose

# By default when freshclam is started by root it drops privileges and
# switches to the clamav user. You can change this behaviour here.
#DatabaseOwner clamav

# Use DNS to verify virus database version. Freshclam uses DNS TXT records
# to verify database and software versions. With this directive you can change
# the database verification domain.
# Default: enabled, pointing to current.cvd.clamav.net

DNSDatabaseInfo current.cvd.clamav.net

# The main database mirror is database.clamav.net (this is a round-robin
# DNS that points to many mirrors on the world) and in most cases you
# SHOULD NOT change it.
DatabaseMirror db.sg.clamav.net
DatabaseMirror database.clamav.net

# How many attempts to make before giving up.
MaxAttempts 3

# How often check for a new database. We suggest checking for it every
# two hours.
Checks 12

# Proxy settings
#HTTPProxyServer myproxy.com
#HTTPProxyPort 1234
#HTTPProxyUsername myusername
#HTTPProxyPassword mypass

# Send the RELOAD command to clamd.
#NotifyClamd [/optional/config/file/path]

# Run command after database update.
#OnUpdateExecute command

# Run command if database update failed.
#OnErrorExecute command




Re: Re[2]: [Clamav-users] 0.85 0.81.1 tha same troubles with milter

2005-05-17 Thread Dennis Peterson
Christopher X. Candreva said:
 On Tue, 17 May 2005, Sergey wrote:

 i've just noticed the same thing. clamd.log is made by root. but 0.84
 doesn't care about that it works properly.

 Yes -- this is what I posted about Sat morning.

 Previous to 0.85, clamav-milter didn't care if it couldn't write to its
 log file.

 Starting with 0.85, it won't run if it can't write to its log file.

 Personally I don't think that's a good enough reason to not run, but
 evidently people disagree, and I'm not inclined to argue about it further.

 I solved the problem here by making clamd.log owned by group clamav and
 mode 660


You will have solved the problem only if you put this procedure in your
startup scripts and any tools that rotate your logs.

dp




Re: Re[2]: [Clamav-users] 0.85 0.81.1 tha same troubles with milter

2005-05-17 Thread Dennis Peterson
Sergey said:
 Hello Andrzej,

 Tuesday, May 17, 2005, 3:52:31 PM, you wrote:

 AZ Sergey wrote:
 AZ [...]
 -rw-r-  1 rootclamav  1265 May 17 15:40 clamd.log
 AZ   ^^
 AZ How clamd (in realy user clamav.clamav) can write to this file??

 AZ [...]


  i've no idea, but 0.84 does.

 i've just found a solution. if clamd makes clamd.log it's useless to
 change the permissions. so before running clamd and so on i made
 touch clamd.log and then set all the permissions that is needed.
 now it works.


We have a winner! Now if you put that in your startup script and log
rotation tool you'll have the job finished.

dp


Re: Re[2]: [Clamav-users] 0.85 0.81.1 tha same troubles with milter

2005-05-17 Thread Christopher X. Candreva
On Tue, 17 May 2005, Dennis Peterson wrote:

 You will have solved the problem only if you put this procedure in your
 startup scripts and any tools that rotate your logs.

Gee, I wish I had already posted that -- oh wait, I did.



==
Chris Candreva  -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/


Re: [Clamav-users] Freshclam fall back to HTTP

2005-05-17 Thread Guy Van Den Bergh
On Tue, 2005-05-17 at 15:09, Awie wrote:

 I use a new freshclam.conf.
 
  --
  What is your configuration?
  Does it have a DNSDatabaseInfo directive?
  Maybe you're still using a configuration file from a previous version,
  from before the DNSDatabaseInfo days?
 
 Below attached lines in the file

All is looking good as far as I'm concerned.
I would start sniffing on your server (with ethereal) to see what's
happening on the wire. Any experience with that?

-- 
Guy Van Den Bergh
Netwerkbeheerder
Hogeschool Antwerpen

http://www.ha.be 


Re[4]: [Clamav-users] 0.85 0.81.1 tha same troubles with milter

2005-05-17 Thread Sergey
Hello Dennis,

Tuesday, May 17, 2005, 5:11:43 PM, you wrote:

DP Sergey said:
 Hello Andrzej,

 Tuesday, May 17, 2005, 3:52:31 PM, you wrote:

 AZ Sergey wrote:
 AZ [...]
 -rw-r-  1 rootclamav  1265 May 17 15:40 clamd.log
 AZ   ^^
 AZ How clamd (in realy user clamav.clamav) can write to this file??

 AZ [...]


  i've no idea, but 0.84 does.

 i've just found a solution. if clamd makes clamd.log it's useless to
 change the permissions. so before running clamd and so on i made
 touch clamd.log and then set all the permissions that is needed.
 now it works.


DP We have a winner! Now if you put that in your startup script and log
DP rotation tool you'll have the job finished.

why is that? if i'll restart clamd it won't going to change the
permissions of clamd.log. and by the way i don't need any log rotation
because my clamd.log doesn't ever become big or something like that.

-- 
Best regards,
 Sergey  mailto:[EMAIL PROTECTED]



Re: Re[2]: [Clamav-users] 0.85 0.81.1 tha same troubles with milter

2005-05-17 Thread Dennis Peterson
Christopher X. Candreva said:
 On Tue, 17 May 2005, Dennis Peterson wrote:

 You will have solved the problem only if you put this procedure in your
 startup scripts and any tools that rotate your logs.

 Gee, I wish I had already posted that -- oh wait, I did.


Not completely, and not at the point at which I was responding. But good
for you anyway.

dp


Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter

2005-05-17 Thread Bill Maidment
Dennis Peterson wrote:
Bill Maidment said:
Sergey wrote:
Hello Krištof,

KP # grep User /etc/clamd.conf
KP User clamav
Shouldn't the conf files be in /usr/local/etc/ ???
That's how it works for me and my log file is owned by clamav

That is dependent upon who built the binaries and the choices they made
when doing so. If this were standardized there would be fewer instances of
multiple versions of libs, executables, and config files installed on
systems. As a minimum, packagers should describe in their docs where
things go. My guess is most noobies would still not read it, but those who
try to debug the mess they have would have another tool to work with.
Agreed. Interestingly, it made me look at my setup again and, because I 
run Mimedefang, I have User defang in my clamd.conf. clamav belongs to 
group defang and the log file permissions are 0660 clamav.clamav, yet it 
still works on every clamav version including 0.85 and 0.85.1
My brain hurts.

The lesson to learn is: know your system and don't trust packagers.
I build clamav from source using default configure (even though I'm 
running Fedora 3.)

--
What's the difference between Linux and Windoze?
Linux   - Thousands of programmers are working *WITH* you.
Windoze - Thousands of programmers are working *AGAINST* you.


Re: [Clamav-users] Freshclam fall back to HTTP

2005-05-17 Thread Awie
 
  Below attached lines in the file

 All is looking good as far as I'm concerned.
 I would start sniffing on your server (with ethereal) to see what's
 happening on the wire. Any experience with that?


I have never used Ethereal (for Linux) before. However, I will learn how to use
it.

I will inform you when I will be ready. Thanks for your kind help.

Thx  Rgds,

Awie




Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter

2005-05-17 Thread Jim Maul
Sergey wrote:
Hello Dennis,
Tuesday, May 17, 2005, 5:11:43 PM, you wrote:
DP Sergey said:
Hello Andrzej,
Tuesday, May 17, 2005, 3:52:31 PM, you wrote:
AZ Sergey wrote:
AZ [...]
-rw-r-  1 rootclamav  1265 May 17 15:40 clamd.log
AZ   ^^
AZ How clamd (in realy user clamav.clamav) can write to this file??
AZ [...]
i've no idea, but 0.84 does.
i've just found a solution. if clamd makes clamd.log it's useless to
change the permissions. so before running clamd and so on i made
touch clamd.log and then set all the permissions that is needed.
now it works.

DP We have a winner! Now if you put that in your startup script and log
DP rotation tool you'll have the job finished.
why is that? if i'll restart clamd it won't going to change the
permissions of clamd.log. and by the way i don't need any log rotation
because my clamd.log doesn't ever become big or something like that.
Maybe that's because clamav couldn't write to it ;)  Regardless, this is a 
workaround not a solution.  The logfile should not be created with root 
owner to begin with.

-Jim


Re: [Clamav-users] Clam AV allows e-mail from www.webmail.us/testvirus through?

2005-05-17 Thread Trog
On Tue, 2005-05-17 at 09:05 -0400, Douglas Ward wrote:
 I have recently installed Clam AV 0.85 and have downloaded the latest updates 
 through freshclam.
  We are running this software on a new e-mail gateway server built with 
 Postfix and Mandrake LE2005. 
 Please excuse my ignorance as I am very new to this product.  My question is 
 that with clamd running as a process
 and freshclam telling me that the latest updates are loaded the test viruses 
 sent from webmail.us are being
 allowed through.  I believe that clamav is working as numbers 1-3, 6-12, and 
 13 were all blocked but the rest of
 the 27 files were allowed through.  Am I missing something?  Shouldn't clamav 
 have a better detection rate than that? 
 Should I be restarting the clamd process every time freshclam updates?  
 Everything starts properly with no
 errors in either clamd.log or freshclam.log.  Shouldn't clamav be 
 intercepting all virus messages passing
 through the gateway?  There is no local delivery on this server - everything 
 is relayed to four internal
 mail servers.  I re-read the documentation, faq's, and mailing list archives 
 and didn't see much of help.
 Any assistance anyone can provide would be most welcome.

There is something wrong with your configuration. Probably something
related to the way you have plugged clam and postfix together.

-trog





Re: [Clamav-users] Freshclam fall back to HTTP

2005-05-17 Thread Guy Van Den Bergh
On Tue, 2005-05-17 at 15:34, Awie wrote:
 
  All is looking good as far as I'm concerned.
  I would start sniffing on your server (with ethereal) to see what's
  happening on the wire. Any experience with that?
 
 
 I have never used Ethereal (for Linux) before. However, I will learn how to use
 it.

One last hint: use a filter like udp port 53 to see only dns traffic.
Otherwise you will probably get lots and lots of noise.

 
 I will inform you when I will be ready. Thanks for your kind help.

Good luck!

-- 
Guy Van Den Bergh
Netwerkbeheerder
Hogeschool Antwerpen

http://www.ha.be 


Re: Re[4]: [Clamav-users] 0.85 0.81.1 tha same troubles with milter

2005-05-17 Thread Dennis Peterson
Sergey said:
 Hello Dennis,

 Tuesday, May 17, 2005, 5:11:43 PM, you wrote:

 DP Sergey said:
 Hello Andrzej,

 Tuesday, May 17, 2005, 3:52:31 PM, you wrote:

 AZ Sergey wrote:
 AZ [...]
 -rw-r-  1 rootclamav  1265 May 17 15:40 clamd.log
 AZ   ^^
 AZ How clamd (in realy user clamav.clamav) can write to this file??

 AZ [...]


  i've no idea, but 0.84 does.

 i've just found a solution. if clamd makes clamd.log it's useless to
 change the permissions. so before running clamd and so on i made
 touch clamd.log and then set all the permissions that is needed.
 now it works.


 DP We have a winner! Now if you put that in your startup script and log
 DP rotation tool you'll have the job finished.

 why is that? if i'll restart clamd it won't going to change the
 permissions of clamd.log. and by the way i don't need any log rotation
 because my clamd.log doesn't ever become big or something like that.

 --
 Best regards,
  Sergey  mailto:[EMAIL PROTECTED]

Many suggestions are applicable in the general sense and are good
practice. Not all apply specifically to any single environment. You're
lucky to have a low-demand system, Sergey.

dp


[Clamav-users] clamav-milter and key --max-children

2005-05-17 Thread Andrey Nekrasov
Hello,
1. Why does clamav-milter ignore the key --max-children=N? I start it with the 
key --max-children=5, but I receive:

# pstree
init-+-atd
|-bdaemon
|-bdflush
|-bserver
|-clamav-milter---clamav-milter---16*[clamav-milter]

2.
/usr/local/clamav/sbin/clamav-milter -h|grep Maximum
   --max-childen   -m  Maximum number of concurrent scans.
Typing error ?
version clamav 0.85.1
--
Andrey Nekrasov
__
[EMAIL PROTECTED]   | http://www.design.ru


Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter

2005-05-17 Thread Stephen Gran
On Tue, May 17, 2005 at 01:17:34PM +0200, Tomasz Kojm said:
 The only 'essential' information you have provided is that
 clamav-milter prints Permission denied on startup so don't expect
 constructive help from me.

The problem here is that clamav opens/creates the log at
clamd/clamd.c:144, but only drops privileges to the user specified by
the User directive at clamd/clamd.c:235

It would perhaps be better if this privilege drop happened earlier,
before opening the logfile.  I have never noticed this behavior, as the
set up scripts and log rotate scripts I use always touch the logfile and
give it appropriate permissions.

Since the milter never complained about log file permissions until
recently, I guess no one else noticed it either.
-- 
 --
|  Stephen Gran  | Patience is a minor form of despair,|
|  [EMAIL PROTECTED] | disguised as virtue.   -- Ambrose   |
|  http://www.lobefin.net/~steve | Bierce, on qualifiers   |
 --




Re: [Clamav-users] Clam AV allows e-mail from www.webmail.us/testvirus through?

2005-05-17 Thread Ken Jones

 On Tue, 2005-05-17 at 09:05 -0400, Douglas Ward wrote:

 I have recently installed Clam AV 0.85 and have downloaded the latest
 updates through freshclam. We are running this software on a new e-mail
 gateway server built with Postfix and Mandrake LE2005. Please excuse my
 ignorance as I am very new to this product.  My question is that with
 clamd running as a process and freshclam telling me that the latest
 updates are loaded the test viruses sent from webmail.us are being
 allowed through.  I believe that clamav is working as numbers 1-3,
 6-12, and 13 were all blocked but the rest of
 the 27 files were allowed through.  Am I missing something?  Shouldn't
 clamav have a better detection rate than that? Should I be restarting
 the clamd process every time freshclam updates?  Everything starts
 properly with no errors in either clamd.log or freshclam.log.  Shouldn't
 clamav be intercepting all virus messages passing through the gateway?
 There is no local delivery on this server - everything is relayed to
 four internal mail servers.  I re-read the documentation, faq's, and
 mailing list archives and didn't see much of help. Any assistance
 anyone can provide would be most welcome.


On my system, only #24 and #25 make it through ... both of which don't
have a test virus in them :)




-- 
Ken Jones




RE: [Clamav-users] Clam AV allows e-mail from www.webmail.us/testvirus through?

2005-05-17 Thread Douglas Ward
Do you by chance know of any resources that I could look at that would outline 
how to plug the two together?  Thanks!

Douglas Ward
Director of Information Technology
NC Methodist Conference
1307 Glenwood Ave.
Raleigh, NC 27605
Work: (919) 832-9560 ext. 227
Fax: (919) 834-7989



-Original Message-
From: [EMAIL PROTECTED] on behalf of Trog
Sent: Tue 5/17/2005 9:44 AM
To: ClamAV users ML
Subject: Re: [Clamav-users] Clam AV allows e-mail from www.webmail.us/testvirus through?
 
On Tue, 2005-05-17 at 09:05 -0400, Douglas Ward wrote:
 I have recently installed Clam AV 0.85 and have downloaded the latest updates 
 through freshclam.
  We are running this software on a new e-mail gateway server built with 
 Postfix and Mandrake LE2005. 
 Please excuse my ignorance as I am very new to this product.  My question is 
 that with clamd running as a process
 and freshclam telling me that the latest updates are loaded the test viruses 
 sent from webmail.us are being
 allowed through.  I believe that clamav is working as numbers 1-3, 6-12, and 
 13 were all blocked but the rest of
 the 27 files were allowed through.  Am I missing something?  Shouldn't clamav 
 have a better detection rate than that? 
 Should I be restarting the clamd process every time freshclam updates?  
 Everything starts properly with no
 errors in either clamd.log or freshclam.log.  Shouldn't clamav be 
 intercepting all virus messages passing
 through the gateway?  There is no local delivery on this server - everything 
 is relayed to four internal
 mail servers.  I re-read the documentation, faq's, and mailing list archives 
 and didn't see much of help.
 Any assistance anyone can provide would be most welcome.

There is something wrong with your configuration. Probably something
related to the way you have plugged clam and postfix together.

-trog




Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter

2005-05-17 Thread Dennis Peterson
Jim Maul said:




 DP We have a winner! Now if you put that in your startup script and log
 DP rotation tool you'll have the job finished.

 why is that? if i'll restart clamd it won't going to change the
 permissions of clamd.log. and by the way i don't need any log rotation
 because my clamd.log doesn't ever become big or something like that.


 Maybe that's because clamav couldn't write to it ;)  Regardless, this is a
 workaround not a solution.  The logfile should not be created with root
 owner to begin with.

 -Jim

That would be a good trick if the directory it is found in is owned ro by
root. I suppose it could be created by root then chowned to clam_user, but
that too presumes much. To make it entirely turnkey the process should see
if the user-selected log directory is readable by clam_user first, then it
should see if the file already exists (or if a directory of the same name
exists), and if it is writable by clam_user. If everything isn't perfect
it could fail with a warning to the console. Now what to do about your log
rotator? How should clam predict a misconfigured rotator? That seems like
a lot of hand holding.

Call me old fashioned, but this is something I like to deal with myself.
There's still a role for the thinking admin.

dp
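
Added example, not part of the original posts and not ClamAV code: the pre-flight checks listed in this message (log directory reachable, log file present, not a directory, writable by the configured user), applied to the User and LogFile directives quoted earlier in the thread, which matters because of the open-before-privilege-drop ordering Stephen Gran points out. The uid/gid numbers and file modes are constructed, since the listings in the thread are partly garbled.

```python
import os
import stat
from collections import namedtuple

FileMeta = namedtuple("FileMeta", "uid gid mode is_dir")

# Constructed sample: the two directives quoted in the thread.
SAMPLE_CONF = """\
# constructed clamd.conf fragment
User clamav
LogFile /var/log/clam/clamd.log
"""
SAMPLE_USERS = {"clamav": (100, {100})}  # constructed uid and group ids


def parse_conf(text):
    """Parse 'Directive value' lines of a clamd.conf, ignoring comments."""
    conf = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if parts:
            conf[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def allowed(uid, gids, meta, bit):
    """POSIX class check; bit is 4 (read), 2 (write) or 1 (search).

    The first matching class decides: an owner without the bit is refused
    even if the group or others have it.
    """
    if uid == 0:
        return True
    if uid == meta.uid:
        shift = 6
    elif meta.gid in gids:
        shift = 3
    else:
        shift = 0
    return bool(meta.mode & (bit << shift))


def stat_path(path):
    """Real-filesystem lookup; returns None when the path does not exist."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    return FileMeta(st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode),
                    stat.S_ISDIR(st.st_mode))


def lookup_user(name):
    """Real account lookup: uid and the set of group ids of the user."""
    import pwd
    pw = pwd.getpwnam(name)
    return pw.pw_uid, set(os.getgrouplist(name, pw.pw_gid))


def audit_logfile(conf_text, user_lookup=lookup_user, stat_fn=stat_path):
    """Return a short verdict on whether the User can write the LogFile."""
    conf = parse_conf(conf_text)
    user, logfile = conf.get("User"), conf.get("LogFile")
    if not logfile:
        return "no-logfile"
    if not user:
        return "no-user"
    uid, gids = user_lookup(user)
    parent = stat_fn(os.path.dirname(logfile))
    if parent is None or not parent.is_dir or not allowed(uid, gids, parent, 1):
        return "dir-unreachable"
    meta = stat_fn(logfile)
    if meta is None:
        # Per the thread, a root-started clamd then creates it owned by root.
        return "missing"
    if meta.is_dir:
        return "is-directory"
    return "ok" if allowed(uid, gids, meta, 2) else "not-writable"


def demo(log_meta):
    """Run the audit on constructed metadata instead of the real filesystem."""
    table = {"/var/log/clam": FileMeta(100, 100, 0o755, True)}
    if log_meta is not None:
        table["/var/log/clam/clamd.log"] = log_meta
    return audit_logfile(SAMPLE_CONF, lambda n: SAMPLE_USERS[n], table.get)


if __name__ == "__main__":
    print("root:root 0640   ->", demo(FileMeta(0, 0, 0o640, False)))
    print("root:clamav 0640 ->", demo(FileMeta(0, 100, 0o640, False)))
    print("root:clamav 0660 ->", demo(FileMeta(0, 100, 0o660, False)))
    print("log file absent  ->", demo(None))
```

Run from a startup script or after log rotation, calling audit_logfile() with its default lookups inspects the real configuration text and filesystem instead of the constructed table.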


Re: [Clamav-users] sober.p and german adverts?

2005-05-17 Thread Bart Silverstrim
On May 17, 2005, at 8:48 AM, Dennis Peterson wrote:
Bart Silverstrim said:
To me, that price is learning how to do it right.  Price isn't always
monetary.
I wouldn't argue with the idea of having to tell your provider that 
you
need your particular connection unfiltered and leave it unfiltered
because you're setting up the server.

What you are paying for is their trust that you are doing your part
correctly.
I'm not sure of that...maybe that's your relationship with your 
provider, but I know what I was looking for when I bought access :-)

As an ISP my greatest investment aside from my hardware is my
IP. Anything that puts it at risk puts all at risk.
Your intellectual property?  Or do you mean your address?
Policy describes I do
all I can to protect that investment so I set the rules. I don't have 
to
trust my  average customers because I manage the resources.
And vice-versa.  If you want to offload the responsibility and 
liability.  I'm telling you there are people who don't want that, and 
if they're willing to shoulder the burden it should be shifted to them.

Second, as a business, businesses cater to market desires.  If you 
don't want to do that then that's your business.  You probably won't 
lose a huge number of people because of it but there are some that 
would leave if they couldn't find a solution that fits them.  Most 
businesses understand that there's a balance...give customers what they 
want, and they will be your customers instead of your competitor's.  
Other businesses don't really care or don't want to serve that kind of 
market.

If you come to
me and ask me to loosen my rules I will do that but you have to invest 
in
my trust in you. By requiring you to have a higher liability I 
encourage
you to avoid activities that put your investment in jeopardy.
*shrug* fine with me. :-)
Imagine I am an ISP and you are a customer and you spam the world with
your own machine, drawing attention to my IP block. As is the norm, my 
IP
is blacklisted and I have to go to the blacklist vendors, hat in hand, 
to
explain that you, not I, did the dirty deed, and that I've pulled your
account. Personally I would probably find you and kick your ass, but
technically, I could have avoided the problem by requiring you to use 
my
smtp server and my traffic policies.
Ahh...see...there are other things that can draw unwanted attention.  
And while using just your resources may be one way to prevent the 
problem, there are others as well, and it's not a guarantee that you'll 
be entirely protected still.  There are trojans now spamming through 
the legit servers now.

Blocking ports can have oddball side effects...secondary collateral 
damage.  Not always significant, but non-blocking is one less thing to 
worry about.

And why must I trust you?  Is there something else you're doing to the 
email that I don't know about?  After all, you could be subpoenaed into 
handing over copies of my email to other people without my knowledge or 
permission. What if I want to have my email stored on my servers with 
my own resources instead?  Unless you're covering something up, 
perhaps?

So if you're going to shoulder the burden of protecting me from my own 
stupidity to keep yourself looking better and off lists, what else are 
you going to block or monitor?  I mean, RIAA surely must be knocking at 
your door if you have more than a hundred users out there.  So you 
block those ports too?  Monitor for any and all programs that can be 
used for file sharing?  Mandatory website traffic blocking to prevent 
porn from hitting the end user?

Maybe you could require users to only run Linux or OS X, immune to most 
attacks and thus making your network better and safer?  Or probe your 
customer's systems to see that they have the latest updates, and if 
not, cut off access at your router and have them redirected to a site 
that has the latest updates for Windows and not allow access until the 
updates are installed?  There are some colleges that take that 
approach. I wouldn't want the liability of forcing a customer to update 
to the latest service pack and possibly having it keep them from 
booting or wiping some data, but hey, to each their own.

Now imagine you are one of 25,000 customers I have to deal with. Where
do you think I'm going to put my effort?

Serving the customer the service they want? :-)
If I don't want anything other than access, that's all I'm looking for. 
I don't want to pay for blocking, filtering, or storage space on your 
servers.

It can be argued that true spammers are so profitable they can afford
to throw away any reasonable fees I might impose.

Considering that they're A) using zombied Wintel crap to spam and/or B) 
using foreign soil systems to spam, I don't think that's the problem.

It is certainly true, but what I advocate is not directed at them. I'm
just trying to help keep the 99.9% honest people out there from
screwing up my business because they use a POS Windows system that even 

Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter

2005-05-17 Thread Dennis Peterson
Stephen Gran said:
 On Tue, May 17, 2005 at 01:17:34PM +0200, Tomasz Kojm said:
 The only 'essential' information you have provided is that
 clamav-milter prints Permission denied on startup so don't expect
 constructive help from me.

 The problem here is that clamav opens/creates the log at
 clamd/clamd.c:144, but only drops privileges to the user specified by
 the User directive at clamd/clamd.c:235

 It would perhaps be better if this privilege drop happened earlier,
 before opening the logfile.  I have never noticed this behavior, as the
 set up scripts and log rotate scripts I use always touch the logfile and
 give it appropriate permissions.

 Since the milter never complained about log file permissions until
 recently, I guess no one else noticed it either.

I think it would be better if clamd, like syslogd, didn't create the file
at all. End of problem.

dp
___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter

2005-05-17 Thread Jim Maul
Dennis Peterson wrote:
Jim Maul said:


DP We have a winner! Now if you put that in your startup script and log
DP rotation tool you'll have the job finished.
why is that? if i'll restart clamd it isn't going to change the
permissions of clamd.log. and by the way i don't need any log rotation
because my clamd.log doesn't ever become big or something like that.

Maybe that's because clamav couldn't write to it ;)  Regardless, this is a
workaround not a solution.  The logfile should not be created with root
owner to begin with.
-Jim

That would be a good trick if the directory it is found in is owned ro by
root. I suppose it could be created by root then chowned to clam_user, but
that too presumes much. To make it entirely turnkey the process should see
if the user-selected log directory is readable by clam_user first, then it
should see if the file already exists (or if a directory of the same name
exists), and if it is writable by clam_user. If everything isn't perfect
it could fail with a warning to the console. Now what to do about your log
rotator? How should clam predict a misconfigured rotator? That seems like
a lot of hand holding.
Call me old fashioned, but this is something I like to deal with myself.
There's still a roll for the thinking admin.

No, don't get me wrong here, I'm not saying clamav should predict 
anything.  Nor should it have to deal with misconfigured software.  This 
is of course left up to the admin.  However, it seems that it *creates* 
the logfile owned by root.  And that..well..just isn't right.

-Jim
___
http://lurker.clamav.net/list/clamav-users.html
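
The pre-flight checks listed in the quoted text above (log directory accessible to the clam user, a directory of the same name, file writable by that user), written out as an added example; this is not ClamAV code, and the function and enum names are hypothetical. It evaluates plain mode bits for one uid/gid (supplementary groups and ACLs are ignored, an assumption) and additionally refuses symlinks, which the thread does not mention.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum log_check {
    LOG_OK_EXISTS,         /* regular file, writable by the service user */
    LOG_OK_CREATABLE,      /* absent, but the user may create it         */
    LOG_ERR_DIR_MISSING,   /* parent absent or not a directory           */
    LOG_ERR_DIR_NOACCESS,  /* user cannot enter the parent directory     */
    LOG_ERR_IS_DIRECTORY,  /* a directory of the same name exists        */
    LOG_ERR_NOT_REGULAR,   /* symlink, FIFO, device, ...                 */
    LOG_ERR_NOT_WRITABLE   /* file (or directory) lacks write permission */
};

static const char *const log_check_text[] = {
    "ok: log file exists and is writable",
    "ok: log file absent, directory allows creating it",
    "error: log directory missing",
    "error: log directory not accessible to the service user",
    "error: a directory with the log file's name exists",
    "error: log path is not a regular file",
    "error: not writable by the service user"
};

/* Pick the permission class the way the kernel does: owner, else group,
 * else other. want is a mask of 4=r, 2=w, 1=x. */
static int has_perm(const struct stat *st, uid_t uid, gid_t gid, unsigned want)
{
    unsigned bits;
    if (uid == 0) return 1;                    /* root bypasses mode bits */
    if (st->st_uid == uid)      bits = (st->st_mode >> 6) & 7;
    else if (st->st_gid == gid) bits = (st->st_mode >> 3) & 7;
    else                        bits = st->st_mode & 7;
    return (bits & want) == want;
}

/* Copy the parent directory of path into out; -1 if it does not fit. */
static int parent_dir(const char *path, char *out, size_t outlen)
{
    const char *slash = strrchr(path, '/');
    size_t n;
    if (slash == NULL)      { path = "."; n = 1; }
    else if (slash == path) n = 1;             /* "/clamd.log" -> "/" */
    else                    n = (size_t)(slash - path);
    if (n >= outlen) return -1;
    memcpy(out, path, n);
    out[n] = '\0';
    return 0;
}

/* Would a process running as uid/gid be able to log to path? Only the
 * immediate parent directory is examined, not every ancestor. */
enum log_check check_log_target(const char *path, uid_t uid, gid_t gid)
{
    char dir[4096];
    struct stat dst, fst;

    if (parent_dir(path, dir, sizeof dir) != 0) return LOG_ERR_DIR_MISSING;
    if (stat(dir, &dst) != 0 || !S_ISDIR(dst.st_mode)) return LOG_ERR_DIR_MISSING;
    if (!has_perm(&dst, uid, gid, 1)) return LOG_ERR_DIR_NOACCESS;

    if (lstat(path, &fst) != 0) {              /* lstat: do not follow links */
        if (errno != ENOENT) return LOG_ERR_DIR_NOACCESS;
        return has_perm(&dst, uid, gid, 2) ? LOG_OK_CREATABLE
                                           : LOG_ERR_NOT_WRITABLE;
    }
    if (S_ISDIR(fst.st_mode))  return LOG_ERR_IS_DIRECTORY;
    if (!S_ISREG(fst.st_mode)) return LOG_ERR_NOT_REGULAR;
    return has_perm(&fst, uid, gid, 2) ? LOG_OK_EXISTS : LOG_ERR_NOT_WRITABLE;
}

int main(int argc, char **argv)
{
    uid_t uid;
    gid_t gid;
    enum log_check rc;

    if (argc < 2) {
        fprintf(stderr, "usage: %s LOGFILE [UID GID]\n", argv[0]);
        return 2;
    }
    /* Default to the caller's ids; pass the service account's to test it. */
    uid = argc > 3 ? (uid_t)strtoul(argv[2], NULL, 10) : getuid();
    gid = argc > 3 ? (gid_t)strtoul(argv[3], NULL, 10) : getgid();
    rc = check_log_target(argv[1], uid, gid);
    fprintf(stderr, "%s: %s\n", argv[1], log_check_text[rc]);
    return rc <= LOG_OK_CREATABLE ? 0 : 1;
}
```

A log file owned by one account with mode 0600 yields the "not writable" result for any other non-root uid, which is the situation the thread describes after the privilege drop.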


[Clamav-users] AES encrypted zips causing scan error

2005-05-17 Thread Chris Masters
Hi All,

WinZip 9 256 bit AES encrypted zip files cause errors
[tested against 0.85.1]. 

We're calling clam from MIMEDefang and the scan
returns an error.

Other encrypted zip files scan OK. 

Is there any way round this as we have users wanting
to get these files through?

Thanks, Chris

LibClamAV debug: Loading databases from /usr/local/clamav-0.85.1/share/clamav
LibClamAV debug: Loading /usr/local/clamav-0.85.1/share/clamav/main.cvd
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = 97483b1d8189548e820e8a3f4bef787b
LibClamAV debug: Decoded signature: 97483b1d8189548e820e8a3f4bef787b
LibClamAV debug: Digital signature is correct.
LibClamAV debug: in cli_untgz()
LibClamAV debug: Unpacking /tmp/clamav-9ed9a4f6e5fc39f3/COPYING
LibClamAV debug: Unpacking /tmp/clamav-9ed9a4f6e5fc39f3/main.db
LibClamAV debug: Unpacking /tmp/clamav-9ed9a4f6e5fc39f3/main.hdb
LibClamAV debug: Unpacking /tmp/clamav-9ed9a4f6e5fc39f3/main.ndb
LibClamAV debug: Unpacking /tmp/clamav-9ed9a4f6e5fc39f3/main.zmd
LibClamAV debug: Unpacking /tmp/clamav-9ed9a4f6e5fc39f3/main.fp
LibClamAV debug: Loading databases from /tmp/clamav-9ed9a4f6e5fc39f3
LibClamAV debug: Loading /tmp/clamav-9ed9a4f6e5fc39f3/main.db
LibClamAV debug: Initializing main node
LibClamAV debug: Initializing trie
LibClamAV debug: Initializing BM tables
LibClamAV debug: in cli_bm_init()
LibClamAV debug: BM: Number of indexes = 63744
LibClamAV debug: Loading /tmp/clamav-9ed9a4f6e5fc39f3/main.hdb
LibClamAV debug: Initializing md5 list structure
LibClamAV debug: Loading /tmp/clamav-9ed9a4f6e5fc39f3/main.ndb
LibClamAV debug: Loading /tmp/clamav-9ed9a4f6e5fc39f3/main.zmd
LibClamAV debug: Loading /tmp/clamav-9ed9a4f6e5fc39f3/main.fp
LibClamAV debug: Loading /usr/local/clamav-0.85.1/share/clamav/daily.cvd
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = 42269589481f2dbe16f277ce58a5a080
LibClamAV debug: Decoded signature: 42269589481f2dbe16f277ce58a5a080
LibClamAV debug: Digital signature is correct.
LibClamAV debug: in cli_untgz()
LibClamAV debug: Unpacking /tmp/clamav-3181b9a816c26648/COPYING
LibClamAV debug: Unpacking /tmp/clamav-3181b9a816c26648/daily.db
LibClamAV debug: Unpacking /tmp/clamav-3181b9a816c26648/daily.hdb
LibClamAV debug: Unpacking /tmp/clamav-3181b9a816c26648/daily.ndb
LibClamAV debug: Loading databases from /tmp/clamav-3181b9a816c26648
LibClamAV debug: Loading /tmp/clamav-3181b9a816c26648/daily.db
LibClamAV debug: Loading /tmp/clamav-3181b9a816c26648/daily.hdb
LibClamAV debug: Loading /tmp/clamav-3181b9a816c26648/daily.ndb
LibClamAV debug: Recognized ZIP file
LibClamAV debug: in scanzip()
LibClamAV debug: Zip: A File.txt, crc32: 0x0, encrypted: 1, compressed: 4921, normal: 43378, method: 99, ratio: 8 (max: 250)
LibClamAV debug: ZzipLib: Unsupported compression mode (99)
LibClamAV debug: Zip: Can't open file A File.txt
LibClamAV debug: Calculated MD5 checksum: aa70e748d4c68d5a337cca261693bfea
problem.ZIP: Zip module failure
LibClamAV debug: Recognized ZIP file
LibClamAV debug: Calculated MD5 checksum: aa70e748d4c68d5a337cca261693bfea
problem.ZIP: OK

--- SCAN SUMMARY ---
Known viruses: 34399
Engine version: 0.85.1
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.01 MB
Time: 0.804 sec (0 m 0 s)


___
http://lurker.clamav.net/list/clamav-users.html
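
Method 99 in the debug line above is the marker the WinZip AES format stores in the compression-method field; the real compression method and key strength sit in extra field 0x9901. The added example below (not ClamAV code; the names and verdicts are hypothetical) parses a ZIP local file header so that a mail gateway can tell "encrypted, cannot inspect" apart from a genuine archive failure. The sample bytes are constructed from the logged values, with the AE-2, 256-bit and deflate fields assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum zip_verdict { ZIP_SCANNABLE, ZIP_ENC_TRADITIONAL, ZIP_ENC_AES,
                   ZIP_UNKNOWN_METHOD, ZIP_MALFORMED };

struct zip_entry {
    char     name[64];
    uint16_t method;       /* as stored in the header; 99 marks WinZip AES */
    uint16_t real_method;  /* compression actually applied to the data     */
    int      encrypted;    /* general purpose flag, bit 0                  */
    int      aes_bits;     /* 128, 192 or 256; 0 when not AES              */
    int      ae_version;   /* 1 = AE-1, 2 = AE-2; 0 when not AES           */
};

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Parse one local file header (signature PK\3\4) starting at buf. */
enum zip_verdict zip_inspect(const uint8_t *buf, size_t len, struct zip_entry *e)
{
    static const uint8_t sig[4] = { 'P', 'K', 3, 4 };
    size_t name_len, extra_len, off, end, n;

    memset(e, 0, sizeof *e);
    if (len < 30 || memcmp(buf, sig, 4) != 0) return ZIP_MALFORMED;
    e->encrypted = le16(buf + 6) & 1;
    e->method = e->real_method = le16(buf + 8);
    name_len  = le16(buf + 26);
    extra_len = le16(buf + 28);
    if (30 + name_len + extra_len > len) return ZIP_MALFORMED;

    n = name_len < sizeof e->name - 1 ? name_len : sizeof e->name - 1;
    memcpy(e->name, buf + 30, n);              /* memset left it terminated */

    /* Walk the extra field: records of (id:2, size:2, data[size]). */
    off = 30 + name_len;
    end = off + extra_len;
    while (off + 4 <= end) {
        uint16_t id = le16(buf + off), size = le16(buf + off + 2);
        const uint8_t *d = buf + off + 4;
        if (off + 4 + size > end) return ZIP_MALFORMED;
        /* 0x9901: version(2) "AE"(2) strength(1) real method(2) */
        if (e->method == 99 && id == 0x9901 && size >= 7 &&
            d[2] == 'A' && d[3] == 'E' && d[4] >= 1 && d[4] <= 3) {
            e->ae_version  = le16(d);
            e->aes_bits    = 64 + 64 * d[4];   /* 1,2,3 -> 128,192,256 */
            e->real_method = le16(d + 5);
        }
        off += 4 + (size_t)size;
    }

    if (e->method == 99)
        return e->aes_bits ? ZIP_ENC_AES : ZIP_MALFORMED;
    if (e->method != 0 && e->method != 8) return ZIP_UNKNOWN_METHOD;
    return e->encrypted ? ZIP_ENC_TRADITIONAL : ZIP_SCANNABLE;
}

/* Constructed sample: name, crc32 0, encrypted flag, sizes and method 99
 * follow the debug line in the post; the 0x9901 contents are assumed. */
static const uint8_t sample_aes[] = {
    'P','K',3,4,  51,0,  0x01,0x00,  99,0,  0,0,  0,0,
    0,0,0,0,                         /* crc32 0x0        */
    0x39,0x13,0,0,                   /* compressed 4921  */
    0x72,0xA9,0,0,                   /* normal 43378     */
    10,0,  11,0,                     /* name and extra lengths */
    'A',' ','F','i','l','e','.','t','x','t',
    0x01,0x99,  7,0,  2,0,  'A','E',  3,  8,0
};

/* Constructed sample: traditional ZIP encryption over deflate, no extra. */
static const uint8_t sample_trad[] = {
    'P','K',3,4,  20,0,  0x01,0x00,  8,0,  0,0,  0,0,
    0x78,0x56,0x34,0x12,  16,0,0,0,  4,0,0,0,  5,0,  0,0,
    'b','.','t','x','t'
};

int main(void)
{
    static const char *const text[] = { "scannable", "encrypted (traditional)",
        "encrypted (WinZip AES)", "unknown method", "malformed" };
    struct zip_entry e;
    enum zip_verdict v = zip_inspect(sample_aes, sizeof sample_aes, &e);

    printf("%s: %s, method %u, real method %u, AES-%d, AE-%d\n", e.name,
           text[v], e.method, e.real_method, e.aes_bits, e.ae_version);
    v = zip_inspect(sample_trad, sizeof sample_trad, &e);
    printf("%s: %s, method %u\n", e.name, text[v], e.method);
    return 0;
}
```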


Re: [Clamav-users] sober.p and german adverts?

2005-05-17 Thread Damian Menscher
On Tue, 17 May 2005, Bart Silverstrim wrote:
After yet another day of putting up with all this crap from viruses, there's 
a part of me that wonders what would happen if someone wrote a virus that 
would pull a sober.p infectinfectinfect...sleep...payload trick where 
instead of turning the computer into a spambot would instead delete some 
system files so Windows wouldn't boot again, forcing people to STOP CLICKING 
ON RANDOM ATTACHMENTS and fixing the problem systems.  Isn't that the primary 
trick being used now to spread spam and viruses?  People are clicking and 
running attachments from other viruses and are clueless about NOT CLICKING 
RANDOM ATTACHMENTS?  Although I already know people abhor the idea and it's 
definitely not the first time that idea's been entertained in some twisted 
form of vigilante online justice.
Would the person who implements this do me a favor and make the virus 
pretend to be a viagra spam?  If we format the hard drives of people 
that buy from spammers, and the media picks up on it, then everyone will 
be informed of how dangerous spam is.  Nobody will click it anymore, and 
spammer profits will plummet.  This has a very real chance of 
eliminating the spam problem.

Kill two birds with one stone... I like it.
Damian Menscher
--
-=#| Physics Grad Student  SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
-=#| [EMAIL PROTECTED] www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
-=#| The above opinions are not necessarily those of my employers. |#=-
___
http://lurker.clamav.net/list/clamav-users.html


RE: [Clamav-users] Clam AV allows e-mail from www.webmail.us/testvirus through?

2005-05-17 Thread Randal, Phil
Douglas Ward asked:

 Do you by chance know of any resources that I could look at 
 that would outline how to plug the two together?  Thanks!

Have a look at MailScanner (http://www.mailscanner.info).

Cheers,

Phil


Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
___
http://lurker.clamav.net/list/clamav-users.html


[Clamav-users] Re: virus passing through clamav-milter, but not through clamdscan!

2005-05-17 Thread Apostolos Papayanakis
Hi everybody

I first posted this a week ago, but I still have not found a
solution.

Since v0.84, I've been receiving various obviously crafted mails
that contain viruses, but pass through clamav-milter ok. However, when I
save the mail and scan the mbox file with clamdscan (not clamscan)
Worm.Bagz.D is found.

When I submit the contaminated mailbox
(http://users.auth.gr/~apap/spurious-viral-mbox) to www.clamav.net, I get
the expected response clamav already recognizes the content you submitted,
there is no reason to resubmit it. 

It seems that when the crafted mail is sent directly to my mail
server (now sendmail 8.13.4, clamav-milter 0.85, ClamAV 0.85.1/882/Tue May
17 09:48:03 2005), the mail passes through. As I have found out, if it gets
relayed to another mail server with clamav, somehow the virus is then
detected, but if the recipient is local, the viral mail gets through. It
seems that there is something strange in the original headers, that gets
cleared when passing through a mail server.

Here is the raw evidence that a mail that gets detected as viral by
clamdscan, passes through clamav-milter that uses the very same clamd, at
least at the first mail server in the path. Both clamdscan, and the mail
server clamav-milter use the very same clamd.

$ wget -q http://users.auth.gr/~apap/spurious-viral-mbox # Fetch a copy of my viral mail
$ clamdscan spurious-viral-mbox # Check it yourself
/home/apap/spurious-viral-mbox: Worm.Bagz.D FOUND
$ /usr/sbin/sendmail -v [EMAIL PROTECTED] spurious-viral-mbox # Try this if you have sendmail

[EMAIL PROTECTED] Connecting to smtp.ccf.auth.gr via relay...
220 Sendmail ESMTP Server Ready ; Tue, 17 May 2005 16:53:47 +0300 (EEST)
 EHLO helios.ccf.auth.gr
250-olympos.ccf.auth.gr Hello helios.ccf.auth.gr [155.207.1.6], pleased to meet you
 MAIL From:[EMAIL PROTECTED] SIZE=202598 BODY=8BITMIME
250 2.1.0 [EMAIL PROTECTED]... Sender ok
 RCPT To:[EMAIL PROTECTED]
 DATA
250 2.1.5 [EMAIL PROTECTED]... Recipient ok
354 Enter mail, end with . on a line by itself
 .
250 2.0.0 j4HDrlkc007312 Message accepted for delivery
[EMAIL PROTECTED] Sent (j4HDrlkc007312 Message accepted for delivery)
Closing connection to smtp.ccf.auth.gr
 QUIT
221 2.0.0 olympos.ccf.auth.gr closing connection


--
Apostolis Papayanakis
[EMAIL PROTECTED], 2310-998416

On Wed, 11 May 2005, Apostolos Papayanakis wrote:

 Hi everybody,

 I've received more than twenty profoundly viral mails since last night.
 They passed without being stopped, through our sendmail Clamav (ClamAV
 0.84/875/Tue May 10 14:27:59 2005+clamav-milter 0.84e). However if I save
 each of these viral mails in a separate mbox, clamdscan with the same
 definitions can suddenly detect Worm.Bagz.D in them.

 It seems that clamav-milter cannot handle these mails correctly, and
 misses something while communicating (externally) with clamd. I should
 mention that the mbox contains an attachment BASE64 encoded in long lines
 of 2048 bytes(!), a mangled date header and a crafted filename with lots
 of spaces, eg: help.doc .exe

 I cannot submit the viral mbox on www.clamav.net, because it says that
 the virus is already detected.

 Is this a wide-spread problem?

 Apostolis Papayanakis

 p.s. Here follows a part of the mailbox that passes through our mail server=
 ,
 and detected as Worm.Bagz.D from clamdscan:
 ( is added at the start of each line to avoid being detected as broken =
 executable by clamd)
 ---=
 
 From [EMAIL PROTECTED]  Wed May 11 03:02:23 2005
 Received: from 127.0.0.1 ([211.191.198.7])
 by olympos.ccf.auth.gr (8.13.3/8.13.3) with ESMTP id j4B02EsG01374=
 5
 for [EMAIL PROTECTED]; Wed, 11 May 2005 03:02:1=
 5 +0300 (EEST)
 Message-Id: [EMAIL PROTECTED]
 SUBJECT: text
 FROM: [EMAIL PROTECTED]
 TO: [EMAIL PROTECTED]
 DATE: [[ =BC=F6, 11 5 2005 =BF=C0=C0=FC 9:02:24 ]]
 MIME-Version: 1.0
 Content-Type: multipart/mixed; boundary=3Dbound--
 X-Virus-Scanned: ClamAV version 0.84, clamav-milter version 0.84e on antiv=
 irus1.ccf.auth.gr
 X-Virus-Status: Clean
 X-Spam-Checker-Version: SpamAssassin 3.0.2-gr1 (2004-11-16) on
 helios.ccf.auth.gr
 X-Spam-Level: *
 X-Spam-Status: No, score=3D5.7 required=3D7.0 tests=3DBAYES_50,FORGED_HOTM=
 AIL_RCVD2,
 HEAD_ILLEGAL_CHARS,INVALID_DATE,MSGID_FROM_MTA_ID,NO_REAL_NAME,
 RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL autolearn=3Dno version=3D3.0.2=
 -gr1
 Status: R
 Content-Length: 207546
 X-Keywords:
 
 --bound--
 Content-Type: text/plain; charset=3Dus-ascii
 Content-Transfer-Encoding: 7bit
 
 Hello,
 What version of windows you are using?
 This last document I received from you came out weird.
 Please see the attached word file and resend the file to me.
 Many thanks,
 User
 
 --bound--
 Content-Type: application/x-msdownload; name=3Dhelp.doc  =
   .exe
 

Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter

2005-05-17 Thread Dennis Peterson
Jim Maul said:
 Dennis Peterson wrote:


 That would be a good trick if the directory it is found in is owned ro by
 root. I suppose it could be created by root then chowned to clam_user, but
 that too presumes much. To make it entirely turnkey the process should see
 if the user-selected log directory is readable by clam_user first, then it
 should see if the file already exists (or if a directory of the same name
 exists), and if it is writable by clam_user. If everything isn't perfect
 it could fail with a warning to the console. Now what to do about your log
 rotator? How should clam predict a misconfigured rotator? That seems like
 a lot of hand holding.

 Call me old fashioned, but this is something I like to deal with myself.
 There's still a roll for the thinking admin.



 No, don't get me wrong here, I'm not saying clamav should predict
 anything.  Nor should it have to deal with misconfigured software.  This
 is of course left up to the admin.  However, it seems that it *creates*
 the logfile owned by root.  And that..well..just isn't right.

Maybe I should have said doughnut :-) I meant role. I use syslog for the
log files here because I want them available to a common remote logger
server for processing. Ownership is not a problem, and it's one less issue
to deal with. My underlying point is that a take-charge admin would have
no problem dealing with this bug.

dp
___
http://lurker.clamav.net/list/clamav-users.html


[Clamav-users] Problem creating temporary file

2005-05-17 Thread Karl Boyken
I've installed ClamAV 0.83 on an HP-UX 11.11 system.  I'm running clamd, 
and it's communicating with MIMEDefang 2.51 via a socket.  Clamd is not 
able to unpack tar archives or compressed files.  I've set and exported 
the TMPDIR, TMP, and TEMP environment variables in the init script that 
runs clamd; I've explicitly set the TemporaryDirectory setting in 
clamd.conf.  I'm using /var/tmp as the temporary directory, and anyone 
can write to it, and it has about 1.5 Gb free.  I know clamd can write 
to /var/tmp, because it successfully unpacks the initial db stuff there 
on startup.  I've tried running clamd in the foreground with debugging 
turned on, but haven't found anything helpful.  Any suggestions would be 
greatly appreciated.

Karl Boyken
--
Karl Boyken, system administrator 
[EMAIL PROTECTED]
303A MLH, Dept. of Comp. Sci. 
http://www.cs.uiowa.edu/~boyken/
The U. of Iowa, Iowa City, IA  52242   319-335-2730 (voice) 
319-335-3668 (fax)
___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter

2005-05-17 Thread Stephen Gran
On Tue, May 17, 2005 at 07:03:10AM -0700, Dennis Peterson said:
 That would be a good trick if the directory it is found in is owned ro by
 root. I suppose it could be created by root then chowned to clam_user, but
 that too presumes much. To make it entirely turnkey the process should see
 if the user-selected log directory is readable by clam_user first, then it
 should see if the file already exists (or if a directory of the same name
 exists), and if it is writable by clam_user. If everything isn't perfect
 it could fail with a warning to the console. Now what to do about your log
 rotator? How should clam predict a misconfigured rotator? That seems like
 a lot of hand holding.

On Tue, May 17, 2005 at 07:04:56AM -0700, Dennis Peterson said:
 I think it would be better if clamd, like syslogd, didn't create the file
 at all. End of problem.

So you want either all possible checks, or no separable logging?  That
does seem like a rather drastic set of solutions to a trivial to fix
bug.  Moving about 10 lines of code will fix the bug under discussion,
and the rest is the job of the packager/local admin.  I have to say I
have never noticed this bug up until now, because the install scripts
and logrotate scripts I use handle permissions in a way that allows it
to work (pats self on back, and wrenches arm doing so).

5 minutes looking at the code could have avoided several hundred lines
of email, methinks.
-- 
 --
|  Stephen Gran  | A holding company is a thing where you  |
|  [EMAIL PROTECTED] | hand an accomplice the goods while the  |
|  http://www.lobefin.net/~steve | policeman searches you. |
 --


___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] Freshclam fall back to HTTP

2005-05-17 Thread Awie
Hi Guy,

This is the captured text from Ethereal (Text mode)

I open 2 screen console

Screen 1:

[EMAIL PROTECTED] src]# tethereal -F libpcap -f udp
Capturing on eth0
  0.00 202.136.73.3 - 202.136.64.52 DNS Standard query TXT current.cvd.clamav.net
  0.707822 202.136.64.52 - 202.136.73.3 DNS Standard query response TXT
  0.708643 202.136.73.3 - 202.136.64.52 DNS Standard query A db.sg.clamav.net
  2.520258 202.136.64.52 - 202.136.73.3 DNS Standard query response A 203.81.37.58

Screen 2:

[EMAIL PROTECTED] root]# freshclam
ClamAV update process started at Tue May 17 22:39:18 2005
WARNING: DNS record is older than 3 hours.
WARNING: Invalid DNS reply. Falling back to HTTP mode.
Reading CVD header (main.cvd): OK (IMS)
main.cvd is up to date (version: 31, sigs: 33079, f-level: 4, builder: tkojm)
Reading CVD header (daily.cvd): OK
daily.cvd is up to date (version: 882, sigs: 1320, f-level: 5, builder: arnaud)

Please advise.

Thx  Rgds,

Awie

- Original Message - 
From: Guy Van Den Bergh [EMAIL PROTECTED]
To: ClamAV users ML clamav-users@lists.clamav.net
Sent: Tuesday, May 17, 2005 9:46 PM
Subject: Re: [Clamav-users] Freshclam fall back to HTTP


 On Tue, 2005-05-17 at 15:34, Awie wrote:
  
   All is looking good as far as I'm concerned.
   I would start sniffing on your server (with ethereal) to see what's
   happening on the wire. Any experience with that?
  
 
  I never use Ethereal (for Linux) before. However, I will learn how to
  use it.

 One last hint: use a filter like udp port 53 to see only dns traffic.
 Otherwise you will probably get lots and lots of noise.

 
  I will inform you when I will be ready. Thanks for your kind help.

 Good luck!

 -- 
 Guy Van Den Bergh
 Netwerkbeheerder
 Hogeschool Antwerpen

 http://www.ha.be
 ___
 http://lurker.clamav.net/list/clamav-users.html



___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter

2005-05-17 Thread Jim Maul
Dennis Peterson wrote:
Jim Maul said:
Dennis Peterson wrote:

That would be a good trick if the directory it is found in is owned ro by
root. I suppose it could be created by root then chowned to clam_user, but
that too presumes much. To make it entirely turnkey the process should see
if the user-selected log directory is readable by clam_user first, then it
should see if the file already exists (or if a directory of the same name
exists), and if it is writable by clam_user. If everything isn't perfect
it could fail with a warning to the console. Now what to do about your log
rotator? How should clam predict a misconfigured rotator? That seems like
a lot of hand holding.
Call me old fashioned, but this is something I like to deal with myself.
There's still a roll for the thinking admin.

No, don't get me wrong here, I'm not saying clamav should predict
anything.  Nor should it have to deal with misconfigured software.  This
is of course left up to the admin.  However, it seems that it *creates*
the logfile owned by root.  And that..well..just isn't right.

Maybe I should have said doughnut :-) I meant role. I use syslog for the
log files here because I want them available to a common remote logger
server for processing. Ownership is not a problem, and it's one less issue
to deal with. My underlying point is that a take-charge admin would have
no problem dealing with this bug.

Indeed.  I was merely trying to clarify the exact issue that other 
admins were having.  I am not experiencing this problem myself. 
Mainly because I'm still using 0.84 but that's another story ;)

-Jim
___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter

2005-05-17 Thread Dennis Peterson
Stephen Gran said:
 On Tue, May 17, 2005 at 07:03:10AM -0700, Dennis Peterson said:
 That would be a good trick if the directory it is found in is owned ro by
 root. I suppose it could be created by root then chowned to clam_user, but
 that too presumes much. To make it entirely turnkey the process should see
 if the user-selected log directory is readable by clam_user first, then it
 should see if the file already exists (or if a directory of the same name
 exists), and if it is writable by clam_user. If everything isn't perfect
 it could fail with a warning to the console. Now what to do about your log
 rotator? How should clam predict a misconfigured rotator? That seems like
 a lot of hand holding.

 On Tue, May 17, 2005 at 07:04:56AM -0700, Dennis Peterson said:
 I think it would be better if clamd, like syslogd, didn't create the file
 at all. End of problem.

 So you want either all possible checks, or no separable logging?

Where did I say that? With syslog you touch a file and it starts logging.
Simple, effective. It can be the same with clam. No local logging until
you, the admin, create the file and set the needed permissions. We do it
all the time.

  That
 does seem like a rather drastic set of solutions to a trivial to fix
 bug.  Moving about 10 lines of code will fix the bug under discussion,
 and the rest is the job of the packager/local admin.  I have to say I
 have never noticed this bug up until now, because the install scripts
 and logrotate scripts I use handle permissions in a way that allows it
 to work (pats self on back, and wrenches arm doing so).

That level of competence should be the norm - it's not rocket science.


 5 minutes looking at the code could have avoided several hundred lines
 of email, methinks.
 --

I think the coders are trying too hard to support the lower level admins.
That is a thankless job. As thankless as educating them. Threads like this
one do get some of them thinking, though.

dp
___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter

2005-05-17 Thread Erich Titl
Stephen Gran wrote:
...
So you want either all possible checks, or no separable logging?  That
does seem like a rather drastic set of solutions to a trivial to fix
bug.  Moving about 10 lines of code will fix the bug under discussion,

might lead to problems with logging _before_ dropping privileges

and the rest is the job of the packager/local admin.  I have to say I
have never noticed this bug up until now, because the install scripts
and logrotate scripts I use handle permissions in a way that allows it
to work (pats self on back, and wrenches arm doing so).

5 minutes looking at the code could have avoided several hundred lines
of email, methinks.
 

cheers
Erich
___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] Problem creating temporary file

2005-05-17 Thread Kevin W. Gagel
 I've installed ClamAV 0.83 on an HP-UX 11.11 system.  I'm
 running clamd,  and it's communicating with MIMEDefang
 2.51 via a socket.  Clamd is not  able to unpack tar
 archives or compressed files.  I've set and exported  the
 TMPDIR, TMP, and TEMP environment variables in the init
 script that  runs clamd; I've explicitly set the
 TemporaryDirectory setting in  clamd.conf.  I'm using
 /var/tmp as the temporary directory, and anyone  can write
 to it, and it has about 1.5 Gb free.  I know clamd can
 write  to /var/tmp, because it successfully unpacks the
 initial db stuff there  on startup.  I've tried running
 clamd in the foreground with debugging  turned on, but
 haven't found anything helpful.  Any suggestions would be 
 greatly appreciated.
 

I had a similar problem. I had to make clamd run as the same
user as my script. Check what user your MIMEDefang is
running as.

--
Kevin W. Gagel 
Postmaster for
College of New Caledonia
(250) 562-2131 loc. 448
(250) 561-5848 loc. 448
[EMAIL PROTECTED]
http://www.cnc.bc.ca
Anti-Spam info at:
http://avas.cnc.bc.ca


___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter

2005-05-17 Thread Stephen Gran
On Tue, May 17, 2005 at 02:56:14PM +, Erich Titl said:
 Stephen Gran wrote:
 
 ...
 
 So you want either all possible checks, or no separable logging?  That
 does seem like a rather drastic set of solutions to a trivial to fix
 bug.  Moving about 10 lines of code will fix the bug under discussion,
  
 
 might lead to problems with logging _before_ dropping privileges

What, in particular, are you thinking of?  If the first thing clamd does
is drop privileges, there is no logging before dropping privileges.
If the milter tries to log before dropping privileges (say), it will be
running as root and can write to the logfile.  Or am I missing
something?
-- 
 --
|  Stephen Gran  | Time sharing: The use of many people by |
|  [EMAIL PROTECTED] | the computer.   |
|  http://www.lobefin.net/~steve | |
 --


___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] Freshclam fall back to HTTP

2005-05-17 Thread Awie
THANKS A LOT to Tomasz, Guy, Daniel and others.

I decided to use NTP to sync my machine time and it works !!! Freshclam runs
in DNS mode.

My apologies to Tomasz for ignoring his advice to check system time.

Again, thanks a lot.

Thx  Rgds,

Awie

- Original Message - 
From: Daniel J McDonald [EMAIL PROTECTED]
To: ClamAV users ML clamav-users@lists.clamav.net
Sent: Tuesday, May 17, 2005 10:56 PM
Subject: Re: [Clamav-users] Freshclam fall back to HTTP


 On Tue, 2005-05-17 at 22:39 +0800, Awie wrote:
  Hi Guy,
 
  This is the captured text from Ethereal (Text mode)


 
  I open 2 screen console
 
  Screen 1:
 
  [EMAIL PROTECTED] src]# tethereal -F libpcap -f udp

 add -V so we can see the packet details.

 -- 
 Daniel J McDonald, CCIE # 2495, CNX
 Austin Energy

 [EMAIL PROTECTED]

 ___
 http://lurker.clamav.net/list/clamav-users.html



___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] Problem creating temporary file

2005-05-17 Thread Karl Boyken
Thanks.  Both MIMEDefang and clamd are running as the same user, so 
that's not the problem.

I had a similar problem. I had to make clamd run as the same
user as my script. Check what user your MIMEDefang is
running as.
--
Karl Boyken, system administrator 
[EMAIL PROTECTED]
303A MLH, Dept. of Comp. Sci. 
http://www.cs.uiowa.edu/~boyken/
The U. of Iowa, Iowa City, IA  52242   319-335-2730 (voice) 
319-335-3668 (fax)
___
http://lurker.clamav.net/list/clamav-users.html


[Clamav-users] Re: virus passing through clamav-milter, but not through clamdscan!

2005-05-17 Thread Jef Poskanzer
   I first posted this a week ago, but I still have not found a
solution.

   Since v0.84, I've been receiving various obviously crafted mails
that contain viruses, but pass through clamav-milter ok. However, when I
save the mail and scan the mbox file with clamdscan (not clamscan)
Worm.Bagz.D is found.

Yeah.  I too have been posting about this issue for weeks, and have been
almost completely ignored.  I'm happy (sort of) to see that other folks
have the same problem, anyway.

For me it started when I was running version 0.83, on 01May.
I'm still getting 3000 to 5000 of these false negatives per day,
where my usual rate is more like a tenth of that.
---
Jef

 Jef Poskanzer  [EMAIL PROTECTED]  http://www.acme.com/jef/
___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] Re: custom signature files

2005-05-17 Thread Morgan Smith
Jef Poskanzer wrote:

Hey, has anyone made or run across a signature file that matches
all windows executables and all archive formats?  Seems like this
would be fairly easy to create.
---
Jef

 Jef Poskanzer  [EMAIL PROTECTED]  http://www.acme.com/jef/
___
http://lurker.clamav.net/list/clamav-users.html
  

Since not all executables and archives are malicious, ClamAV may not be
the proper tool to use.  If you want to handle all executables and
archives regardless of content, procmail may work well for you. 
Googling for sanitizer may help as well.

-- 
Morgan Smith
Dutro Company
675 North 600 West
Logan, UT 84321
(435) 752-3922 ext.146
(435) 512-3374
[EMAIL PROTECTED]

___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] Re: custom signature files

2005-05-17 Thread Jef Poskanzer
Hey, has anyone made or run across a signature file that matches
all windows executables and all archive formats?  Seems like this
would be fairly easy to create.

Since not all executables and archives are malicious, ClamAV may not be
the proper tool to use.

I think ClamAV would be a fine tool to use for this.  Plus the smaller
and simpler signature file would make it run faster.

I wouldn't expect this to get widespread use, but I suspect I'm far
from the only site out there which never sends or receives any
Windows files or PC executables as email.
---
Jef

 Jef Poskanzer  [EMAIL PROTECTED]  http://www.acme.com/jef/


Re: [Clamav-users] Clam AV allows e-mail from www.webmail.us/testvirus through?

2005-05-17 Thread Daniel J McDonald
On Tue, 2005-05-17 at 09:05 -0400, Douglas Ward wrote:
 I have recently installed Clam AV 0.85 and have downloaded the latest
 updates through freshclam.  We are running this software on a new
 e-mail gateway server built with Postfix and Mandrake LE2005. 

How is postfix calling clamav?  The Mandriva postfix rpm allows for a
content filter at port 10025.   Are you using amavisd-new?  Or are you
using some other sort of milter-like configuration with postfix?

-- 
Daniel J McDonald, CCIE # 2495, CNX
Austin Energy

[EMAIL PROTECTED]



Re: [Clamav-users] Re: virus passing through clamav-milter, but not through clamdscan!

2005-05-17 Thread Nigel Horne
I tried your test and got this, so your end is NOT passing this virus through 
clamav-milter:

The original message was received at Tue, 17 May 2005 16:41:57 +0100
from bandsman.co.uk [127.0.0.1]

   ----- The following addresses had permanent fatal errors -----
[EMAIL PROTECTED]
    (reason: 554 5.7.1 virus Worm.Bagz.D detected by ClamAV - http://www.clamav.net)

   ----- Transcript of session follows -----
... while talking to olympos.ccf.auth.gr.:
>>> DATA
<<< 554 5.7.1 virus Worm.Bagz.D detected by ClamAV - http://www.clamav.net
554 5.0.0 Service unavailable



Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter

2005-05-17 Thread Erich Titl
Stephen Gran wrote:
On Tue, May 17, 2005 at 02:56:14PM +, Erich Titl said:
 

Stephen Gran wrote:
   

...
So you want either all possible checks, or no separable logging?  That
does seem like a rather drastic set of solutions to a trivial to fix
bug.  Moving about 10 lines of code will fix the bug under discussion,
 

might lead to problems with logging _before_ dropping privileges
   

What, in particular, are you thinking of?  If the first thing clamd does
is drop privileges, there is no logging before dropping privileges.
If the milter tries to log before dropping privileges (say), it will be
running as root and can write to the logfile.  Or am I missing
something?
 

You could not log problems while dropping privileges, well basically it 
might go to the (unwatched) console

    /* drop privileges */
#ifndef C_OS2
    if(geteuid() == 0 && (cpt = cfgopt(copt, "User"))) {
        if((user = getpwnam(cpt->strarg)) == NULL) {
            fprintf(stderr, "ERROR: Can't get information about user %s.\n", cpt->strarg);
            logg("!Can't get information about user %s.\n", cpt->strarg);
            exit(1);
        }

cheers
Erich


Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter

2005-05-17 Thread Dennis Peterson
Stephen Gran said:
 On Tue, May 17, 2005 at 07:54:03AM -0700, Dennis Peterson said:
 Stephen Gran said:
  So you want either all possible checks, or no separable logging?

 Where did I say that? With syslog you touch a file and it starts
 logging.  Simple, effective. It can be the same with clam. No local
 logging until you, the admin, create the file and set the needed
 permissions. We do it all the time.

 Of course it's trivial.  As every good admin knows, though, rote tasks
 deserve to be automated.  Since this one is basically already automated
 (the logg() function will create the file if it does not exist), the
 simplest approach would be to change the order of a few events.

That's why I'd manage it in the startup scripts. That way reliability of
the process is owned by me and not subject to the vagaries of the next
version release. It can't hurt.


   That does seem like a rather drastic set of solutions to a trivial
   to fix bug.  Moving about 10 lines of code will fix the bug under
   discussion, and the rest is the job of the packager/local admin.  I
   have to say I have never noticed this bug up until now, because the
   install scripts and logrotate scripts I use handle permissions in a
   way that allows it to work (pats self on back, and wrenches arm
   doing so).

 That level of competence should be the norm - it's not rocket science.

 Er, yes, I think you missed the sarcasm there.  It is fairly
 straightforward.

Just stating the obvious.


  5 minutes looking at the code could have avoided several hundred
  lines of email, methinks.

 I think the coders are trying too hard to support the lower level
 admins.  That is a thankless job. As thankless as educating them.
 Threads like this one do get some of them thinking, though.

 The fact that many people masquerade as admins when they shouldn't is no
 reason to shout down a minor bug.  My point is that there are two
 options - fix it in the place where it happens, so everyone gets the
 benefits, or have everyone do the trivial workarounds.  Which one sounds
 more reasonable to you?  If you answer option b, then it sounds like you
 spend too much time admin'ing the simple things on your machines.


I'm not shouting down the bug - just saying that being a victim of it is
unnecessary. I think it would be fine if they correct it, but... Putting
this process in the startup script is a matter of reliability and
repeatability, not a work-around. I'd do it even if this bug didn't
exist. I'd prefer to think it's being anal, and being anal can be a good
thing.

dp


Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter

2005-05-17 Thread Stephen Gran
On Tue, May 17, 2005 at 03:50:38PM +, Erich Titl said:
 Stephen Gran wrote:
 On Tue, May 17, 2005 at 02:56:14PM +, Erich Titl said:
 might lead to problems with logging _before_ dropping privileges
 
 What, in particular, are you thinking of?  If the first thing clamd does
 is drop privileges, there is no logging before dropping privileges.
 If the milter tries to log before dropping privileges (say), it will be
 running as root and can write to the logfile.  Or am I missing
 something?
 
 You could not log problems while dropping privileges, well basically it 
 might go to the (unwatched) console
 
     /* drop privileges */
 #ifndef C_OS2
     if(geteuid() == 0 && (cpt = cfgopt(copt, "User"))) {
         if((user = getpwnam(cpt->strarg)) == NULL) {
             fprintf(stderr, "ERROR: Can't get information about user %s.\n", cpt->strarg);
             logg("!Can't get information about user %s.\n", cpt->strarg);
             exit(1);
         }

No, the logg() function creates the file if it does not exist.  So, if
the getpwnam fails, the logg() call will still work.  This one logg()
call (well, and the one following this, if it fails) will still create
a root owned log file, but that is basically OK in this scenario, as
the local admin has clearly already goofed the install.
-- 
 --
|  Stephen Gran  | If you do not think about the future,   |
|  [EMAIL PROTECTED] | you cannot have one.   -- John  |
|  http://www.lobefin.net/~steve | Galsworthy  |
 --




Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter

2005-05-17 Thread Dennis Peterson
Erich Titl said:


 You could not log problems while dropping privileges, well basically it
 might go to the (unwatched) console


Because I'm self-described anal, I capture my console to a file with
syslog and it is watched with automation and so is syslog. Here's to anal
admins and self-healing systems everywhere!

dp


Re: [Clamav-users] Re: custom signature files

2005-05-17 Thread Bart Silverstrim
On May 17, 2005, at 11:28 AM, Morgan Smith wrote:
Jef Poskanzer wrote:
Hey, has anyone made or run across a signature file that matches
all windows executables and all archive formats?  Seems like this
would be fairly easy to create.
---
Jef
Jef Poskanzer  [EMAIL PROTECTED]  http://www.acme.com/jef/

Since not all executables and archives are malicious, ClamAV may not be
the proper tool to use.  If you want to handle all executables and
archives regardless of content, procmail may work well for you.
Googling for sanitizer may help as well.
Maybe something like mimedefang?  Haven't used it, but am considering 
it and read good things about it...



Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter

2005-05-17 Thread Matt Fretwell
Sergey wrote:

 KP Clamav should create log file with same owner as defined in
 KP clamd.conf to work it properly.
 
 i've just noticed the same thing. clamd.log is made by root. but 0.84
 doesn't care about that it works properly.


 The response someone posted a few days ago regarding 'software
covering up sloppy administration' springs to mind regarding this.


Matt


Re: [Clamav-users] sober.p and german adverts?

2005-05-17 Thread Matt Fretwell
Bart Silverstrim wrote:

 Maybe even do a reverse check to see if there's a mail server on the
 sending system...how many systems would break doing a check like that?

 The sending server isn't guaranteed to be a MX, so any DNS MX or reverse
connection tests would fail.


Matt 


Re: [Clamav-users] sober.p and german adverts?

2005-05-17 Thread Bart Silverstrim
On May 17, 2005, at 12:17 PM, Matt Fretwell wrote:
Bart Silverstrim wrote:
Maybe even do a reverse check to see if there's a mail server on the
sending system...how many systems would break doing a check like that?
 The sending server isn't guaranteed to be a MX, so any DNS MX or 
reverse
connection tests would fail.
No guarantees in life :-)
No matter what solution is put into place, there's going to be problems 
for some group that they would need to adapt to.  There has to be some 
sensible solution that doesn't involve fifty patches and hacks and 
sub-scanners...



Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter

2005-05-17 Thread Matt Fretwell
Sergey wrote:

 DP We have a winner! Now if you put that in your startup script and log
 DP rotation tool you'll have the job finished.
 
 why is that? if i'll restart clamd it won't going to change the
 permissions of clamd.log. and by the way i don't need any log rotation
 because my clamd.log doesn't ever become big or something like that.


 And the reply above is a perfect example of sloppy administration.


Matt 


Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter

2005-05-17 Thread Matt Fretwell
Jim Maul wrote:

  Call me old fashioned, but this is something I like to deal with
  myself. There's still a role for the thinking admin.
 
 No, dont get me wrong here, im not saying clamav should predict 
 anything.  Nor should it have to deal with misconfigured software.  This
 is of course left up to the admin.  However, it seems that it *creates* 
 the logfile owned by root.  And that..well..just isnt right.


 Just to test, as an ordinary user, run:

touch /var/log/test.log

 Now why does it create the logfile as root?



Matt


Re: [Clamav-users] sober.p and german adverts?

2005-05-17 Thread Kelson
Bart Silverstrim wrote:
On May 17, 2005, at 12:17 PM, Matt Fretwell wrote:
Bart Silverstrim wrote:
Maybe even do a reverse check to see if there's a mail server on the
sending system...how many systems would break doing a check like that?
 The sending server isn't guaranteed to be a MX, so any DNS MX or reverse
connection tests would fail.
No guarantees in life :-)
Actually, having separate servers for incoming and outgoing mail is 
quite common.  That's why people have tried to devise standards like 
RMX, SPF, Caller-Id, Sender-Id, and Domain Keys instead of just making 
the simple MX check you suggest.

And even *those* solutions have problems.
--
Kelson Vibber
SpeedGate Communications www.speed.net


Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter

2005-05-17 Thread Jim Maul
Matt Fretwell wrote:
Jim Maul wrote:

Call me old fashioned, but this is something I like to deal with
myself. There's still a role for the thinking admin.
 

No, dont get me wrong here, im not saying clamav should predict 
anything.  Nor should it have to deal with misconfigured software.  This
is of course left up to the admin.  However, it seems that it *creates* 
the logfile owned by root.  And that..well..just isnt right.

 Just to test, as an ordinary user, run:
touch /var/log/test.log
 Now why does it create the logfile as root?
While i get your point, it is irrelevant because it should not log in 
/var/log/ directly.  It should log in /var/log/clamav/

-Jim


Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter

2005-05-17 Thread Matt Fretwell
Jim Maul wrote:

  touch /var/log/test.log
  
   Now why does it create the logfile as root?

 While i get your point, it is irrelevant because it should not log in 
 /var/log/ directly.  It should log in /var/log/clamav/


 The main point of my point, (I know that sounds weird), is that an admin
who relies upon any piece of software to correctly create and set
permissions on the logfile is asking for trouble. Clam is not alone in
this. This is not a bug in Clam, it is poor admin technique on the part of
the admin. Your logs are vital for a smoothly running system. The admin
should take full control of their logs.


Matt


RE: [Clamav-users] 0.85 0.81.1 tha same troubles with milter

2005-05-17 Thread Matthew.van.Eerde
Jim Maul wrote:
 Matt Fretwell wrote:
  Just to test, as an ordinary user, run:
 
 touch /var/log/test.log
 
  Now why does it create the logfile as root?
 
 
 While i get your point, it is irrelevant because it should not log in
 /var/log/ directly.  It should log in /var/log/clamav/
 
 -Jim

Hopefully this will help someone.  I got it off the list earlier (sorry, don't 
remember who sent it to me originally:)

$ cat /etc/logrotate.d/clamav
/var/log/clamav/clamd.log {
    missingok
    nocompress
    create 640 clamav defang
    postrotate
        /bin/kill -HUP `cat /var/run/clamav/clamd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}

/var/log/clamav/freshclam.log {
    missingok
    nocompress
    create 640 clamav defang
    postrotate
        /bin/kill -HUP `cat /var/run/clamav/freshclam.pid 2> /dev/null` 2> /dev/null || true
    endscript
}

I use defang as a generic mail administration group, which is why that group 
gets read access.

-- 
Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com Software Engineer
perl -emap{y/a-z/l-za-k/;print}shift Jjhi pcdiwtg Ptga wprztg, 


Re: [Clamav-users] sober.p and german adverts?

2005-05-17 Thread Bill Taroli
Matt Fretwell wrote:
Bart Silverstrim wrote:
 

Maybe even do a reverse check to see if there's a mail server on the
sending system...how many systems would break doing a check like that?
   

The sending server isn't guaranteed to be a MX, so any DNS MX or reverse
connection tests would fail.
But that doesn't mean you can't connect to an MX for the sender's domain 
to confirm they exist -- that you could send mail *to* them. This is a 
fairly regular check some mail systems perform. I was amused by one 
recent system that did this against my MX but did it from a host with a 
name that didn't match its IP address, so mine rejected it... haha

Bill


Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter

2005-05-17 Thread Jim Maul
Matt Fretwell wrote:
Jim Maul wrote:

touch /var/log/test.log
Now why does it create the logfile as root?

While i get your point, it is irrelevant because it should not log in 
/var/log/ directly.  It should log in /var/log/clamav/

 The main point of my point, (I know that sounds weird), is that an admin
who relies upon any piece of software to correctly create and set
permissions on the logfile is asking for trouble. Clam is not alone in
this. This is not a bug in Clam, it is poor admin technique on the part of
the admin. Your logs are vital for a smoothly running system. The admin
should take full control of their logs.

And the main point of my point (again with the weirdness) is that yes 
this should be handled by the admin, however it is indeed a (small) bug. 
 While the situation SHOULD never come up, clamav should not attempt to 
create a log file which it can never write to.

-Jim


Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter

2005-05-17 Thread Matt Fretwell
Jim Maul wrote:

   The main point of my point, (I know that sounds weird), is that an
   admin who relies upon any piece of software to correctly create and
   set permissions on the logfile is asking for trouble. Clam is not
   alone in this. This is not a bug in Clam, it is poor admin technique
   on the part of the admin. Your logs are vital for a smoothly running
   system. The admin should take full control of their logs.

 And the main point of my point (again with the weirdness) is that yes 
 this should be handled by the admin, however it is indeed a (small) bug.
 
   While the situation SHOULD never come up, clamav should not attempt to
 create a log file which it can never write to.


 I think we have reached stalemate on this one :)


Matt


Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter

2005-05-17 Thread Jim Maul
Matt Fretwell wrote:
Jim Maul wrote:

The main point of my point, (I know that sounds weird), is that an
admin who relies upon any piece of software to correctly create and
set permissions on the logfile is asking for trouble. Clam is not
alone in this. This is not a bug in Clam, it is poor admin technique
on the part of the admin. Your logs are vital for a smoothly running
system. The admin should take full control of their logs.

And the main point of my point (again with the weirdness) is that yes 
this should be handled by the admin, however it is indeed a (small) bug.

 While the situation SHOULD never come up, clamav should not attempt to
create a log file which it can never write to.

 I think we have reached stalemate on this one :)

Agreed. ;)
-Jim


Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter

2005-05-17 Thread Dennis Peterson
Jim Maul said:
 Matt Fretwell wrote:
 Jim Maul wrote:


Call me old fashioned, but this is something I like to deal with
myself. There's still a role for the thinking admin.



No, dont get me wrong here, im not saying clamav should predict
anything.  Nor should it have to deal with misconfigured software.  This
is of course left up to the admin.  However, it seems that it *creates*
the logfile owned by root.  And that..well..just isnt right.



  Just to test, as an ordinary user, run:

 touch /var/log/test.log

  Now why does it create the logfile as root?


 While i get your point, it is irrelevant because it should not log in
 /var/log/ directly.  It should log in /var/log/clamav/

It will log where ever the clamd.conf file says it will log - permissions
permitting. There is no concept of should.

dp


Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter

2005-05-17 Thread Jim Maul
Dennis Peterson wrote:
Jim Maul said:
Matt Fretwell wrote:
Jim Maul wrote:

Call me old fashioned, but this is something I like to deal with
myself. There's still a role for the thinking admin.


No, dont get me wrong here, im not saying clamav should predict
anything.  Nor should it have to deal with misconfigured software.  This
is of course left up to the admin.  However, it seems that it *creates*
the logfile owned by root.  And that..well..just isnt right.

Just to test, as an ordinary user, run:
touch /var/log/test.log
Now why does it create the logfile as root?
While i get your point, it is irrelevant because it should not log in
/var/log/ directly.  It should log in /var/log/clamav/

It will log where ever the clamd.conf file says it will log - permissions
permitting. There is no concept of should.

To the program itself, no.  If you tell it to log to / it will, however, 
it SHOULDNT.  See what im saying?  To say that clamav *has* to create 
the log file as root because only root can write to /var/log/ is 
irrelevant to the issue.

-Jim


Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter

2005-05-17 Thread Dennis Peterson
Jim Maul said:
 Dennis Peterson wrote:
 Jim Maul said:

Matt Fretwell wrote:

Jim Maul wrote:



Call me old fashioned, but this is something I like to deal with
myself. There's still a role for the thinking admin.



No, dont get me wrong here, im not saying clamav should predict
anything.  Nor should it have to deal with misconfigured software.
 This
is of course left up to the admin.  However, it seems that it
 *creates*
the logfile owned by root.  And that..well..just isnt right.



 Just to test, as an ordinary user, run:

touch /var/log/test.log

 Now why does it create the logfile as root?


While i get your point, it is irrelevant because it should not log in
/var/log/ directly.  It should log in /var/log/clamav/


 It will log where ever the clamd.conf file says it will log -
 permissions
 permitting. There is no concept of should.



 To the program itself, no.  If you tell it to log to / it will, however,
 it SHOULDNT.  See what im saying?  To say that clamav *has* to create
 the log file as root because only root can write to /var/log/ is
 irrelevant to the issue.

While you're out there making up rules can you think of any reason clamd
needs to be started as user root if all you do is scan incoming email? I
can't.

dp


Re: [Clamav-users] Re: virus passing through clamav-milter, but not through clamdscan!

2005-05-17 Thread Jef Poskanzer
I tried your test and got this, so your end is NOT passing this
virus through clamav-milter:

I.e. clamav-milter works for me, therefore it works for you, therefore
you are doing something else wrong.  This may be true but it's far
from proven.  Furthermore, if Apostolos' problem is like mine, then
the false-negatives have ClamAV headers added, showing that they
*do* pass through clamav-milter.  Here are the headers off the
latest of the many thousands of examples in my non-clamav virus
folder:

X-Virus-Scanned: ClamAV 0.84/882/Mon May 16 23:48:03 2005 on gate.acme.com
X-Virus-Status: Clean

Running this file through clamscan or clamdscan shows: Worm.Bagz.E FOUND.
---
Jef

 Jef Poskanzer  [EMAIL PROTECTED]  http://www.acme.com/jef/


Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter

2005-05-17 Thread Jim Maul
Dennis Peterson wrote:
Jim Maul said:
Dennis Peterson wrote:
Jim Maul said:

Matt Fretwell wrote:

Jim Maul wrote:


Call me old fashioned, but this is something I like to deal with
myself. There's still a role for the thinking admin.


No, dont get me wrong here, im not saying clamav should predict
anything.  Nor should it have to deal with misconfigured software.
This
is of course left up to the admin.  However, it seems that it
*creates*
the logfile owned by root.  And that..well..just isnt right.

Just to test, as an ordinary user, run:
touch /var/log/test.log
Now why does it create the logfile as root?
While i get your point, it is irrelevant because it should not log in
/var/log/ directly.  It should log in /var/log/clamav/

It will log where ever the clamd.conf file says it will log -
permissions
permitting. There is no concept of should.

To the program itself, no.  If you tell it to log to / it will, however,
it SHOULDNT.  See what im saying?  To say that clamav *has* to create
the log file as root because only root can write to /var/log/ is
irrelevant to the issue.

While you're out there making up rules can you think of any reason clamd
needs to be started as user root if all you do is scan incoming email? I
can't.

Um, where am i making up rules?  Thanks for the accusation though.
And no, i cant think of why you would want to or have to run clamd as 
root.  I run clamd as user qscand, not root so im not sure what your 
implying here.

Thanks again,
-Jim


Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter

2005-05-17 Thread Dennis Peterson
Jim Maul said:
 Dennis Peterson wrote:


To the program itself, no.  If you tell it to log to / it will, however,
it SHOULDNT.  See what im saying?  To say that clamav *has* to create
the log file as root because only root can write to /var/log/ is
irrelevant to the issue.


 While you're out there making up rules can you think of any reason clamd
 needs to be started as user root if all you do is scan incoming email? I
 can't.



 Um, where am i making up rules?  Thanks for the accusation though.
 And no, i cant think of why you would want to or have to run clamd as
 root.  I run clamd as user qscand, not root so im not sure what your
 implying here.

 Thanks again,

 -Jim

You said it shouldn't log to / and there's no reason it shouldn't if that
is where one wishes it to log. There's lots of reasons why that would be a
bad idea, but it's an admin decision, not an application issue.

Do you start clamd as root or as qscand? My point is there is, or at least
can be no requirement that one start it as root and was trying to
demonstrate additional administrative latitude for the reading public that
isn't already put to sleep by this thread :-) If you su to qscand (in your
case) it should still start and run just fine. It was just an injected
factoid for thought. Many people just light things off as root and go on
their way. It is frequently safer and managerially more convenient to
write root scripts that su to the run-as user first, then fire off the
proc (/usr/bin/su - qscand -c /usr/local/bin/blah_blah_blah). Imagine how
it simplifies file ownerships.

dp ... did I mention I'm anal?




Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter

2005-05-17 Thread Jim Maul
Dennis Peterson wrote:
Jim Maul said:
Dennis Peterson wrote:

To the program itself, no.  If you tell it to log to / it will, however,
it SHOULDNT.  See what im saying?  To say that clamav *has* to create
the log file as root because only root can write to /var/log/ is
irrelevant to the issue.

While you're out there making up rules can you think of any reason clamd
needs to be started as user root if all you do is scan incoming email? I
can't.

Um, where am i making up rules?  Thanks for the accusation though.
And no, i cant think of why you would want to or have to run clamd as
root.  I run clamd as user qscand, not root so im not sure what your
implying here.
Thanks again,
-Jim

You said it shouldn't log to / and there's no reason it shouldn't if that
is where one wishes it to log. There's lots of reasons why that would be a
bad idea, but it's an admin decision, not an application issue.
Do you start clamd as root or as qscand? My point is there is, or at least
can be no requirement that one start it as root and was trying to
demonstrate additional administrative latitude for the reading public that
isn't already put to sleep by this thread :-) If you su to qscand (in your
case) it should still start and run just fine. It was just an injected
factoid for thought. Many people just light things off as root and go on
their way. It is frequently safer and managerially more convenient to
write root scripts that su to the run-as user first, then fire off the
proc (/usr/bin/su - qscand -c /usr/local/bin/blah_blah_blah). Imagine how
it simplifies file ownerships.
dp ... did I mention I'm anal?

Let me attempt to clear up any confusion (and hopefully put this thread 
to rest) by saying that I personally am not having any problems with 
clamav and i am not experiencing the logging issue that actually started 
this thread.  I do and always have run clamav as qscand.  My clamav logs 
are owned by qscand and everything works great.  I simply joined the 
conversation somewhere in the middle because something caught my 
attention.  The fact that clamav creates its log file as root if it 
doesnt already exist.  Why create it at all if you cant write to it? 
Its just silly.

Im anal as well which is why i stated that one should not tell anything 
to log to / or /var/log directly for that matter.  I like to have all 
programs logging in their own directories under /var/log/.  clamav is 
/var/log/clamav/ apache is /var/log/apache/ and so on.  That was the 
basis for my SHOULDNT statement above.



Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter

2005-05-17 Thread Jason Frisvold
On 5/17/05, Dennis Peterson [EMAIL PROTECTED] wrote:
 You said it shouldn't log to / and there's no reason it shouldn't if that
 is where one wishes it to log. There's lots of reasons why that would be a
 bad idea, but it's an admin decision, not an application issue.

It sounds like clam is creating the log files *before* the root
startup process hands over control to the user defined in the config
files.  In 0.84 and prior, it sounds like there was something that
handed off an open filehandle to the defined user, but that filehandle
was opened by root...  I'm not sure if that's possible or not, so
please correct me if I'm wrong..  :)

It seems that the current behaviour is more correct, but still not
completely correct..  I would expect that when clamav starts, all
control should be handed to the defined user immediately and then
files should be created, opened, etc...

It's possible that the current problems are mostly due to pre-existing
logfiles that are already owned by root, as opposed to new
installations.  To be honest, I haven't tried a new install to see if
the files are still created with improper permissions.

 dp ... did I mention I'm anal?

Isn't anal a required attribute for those who are security conscious?  ;)

-- 
Jason 'XenoPhage' Frisvold
[EMAIL PROTECTED]
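Added example (not part of the original thread, and not ClamAV's own code): a C sketch of the ordering argued over above, in which a daemon started as root opens its log on behalf of the run-as user, refuses a log that user could never write to, and only then drops privileges. All function names are hypothetical, and the permission check assumes the run-as user has no supplementary groups beyond its primary gid.

```c
/* Added illustration, not ClamAV source; every function name is hypothetical. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* O_NOFOLLOW, O_CLOEXEC, setgroups(), dprintf() */
#endif
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Can uid:gid (assumed to have no other supplementary groups) write this file?
 * Like the kernel, the first matching class (owner, group, other) decides. */
int mode_allows_write(const struct stat *st, uid_t uid, gid_t gid)
{
    if (uid == 0)
        return 1;                                  /* root ignores mode bits */
    if (st->st_uid == uid)
        return (st->st_mode & S_IWUSR) != 0;
    if (st->st_gid == gid)
        return (st->st_mode & S_IWGRP) != 0;
    return (st->st_mode & S_IWOTH) != 0;
}

/* Open the log for append on behalf of the run-as user, while the process
 * still holds its start-up privileges. A file created here by root is handed
 * to uid:gid at once; a file the run-as user could not write to is rejected,
 * and removed again if this call created it.
 * Returns an fd >= 0, or -1 with errno set. */
int open_log_for(const char *path, uid_t uid, gid_t gid)
{
    struct stat st;
    int flags = O_WRONLY | O_APPEND | O_NOFOLLOW | O_CLOEXEC;
    int created = 1, saved;
    int fd = open(path, flags | O_CREAT | O_EXCL, 0640);

    if (fd < 0 && errno == EEXIST) {               /* pre-existing log file */
        created = 0;
        fd = open(path, flags);
    }
    if (fd < 0)
        return -1;
    if (created && geteuid() == 0 && fchown(fd, uid, gid) < 0)
        goto fail;
    if (fstat(fd, &st) < 0)
        goto fail;
    if (!S_ISREG(st.st_mode) || !mode_allows_write(&st, uid, gid)) {
        errno = EACCES;
        goto fail;
    }
    return fd;
fail:
    saved = errno;
    if (created)
        unlink(path);                  /* do not leave an unusable log behind */
    close(fd);
    errno = saved;
    return -1;
}

/* Drop from root to uid:gid: groups first, then gid, then uid. A non-root
 * caller succeeds only if it already is the requested user. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() != 0) {
        errno = EPERM;
        return geteuid() == uid ? 0 : -1;
    }
    if (setgroups(1, &gid) < 0 || setgid(gid) < 0 || setuid(uid) < 0)
        return -1;
    if (uid != 0 && setuid(0) == 0)    /* a real drop cannot be undone */
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    struct passwd *pw;
    int fd;

    if (argc != 3 || (pw = getpwnam(argv[2])) == NULL) {
        fprintf(stderr, "usage: %s LOGFILE RUN_AS_USER\n", argv[0]);
        return 2;
    }
    if ((fd = open_log_for(argv[1], pw->pw_uid, pw->pw_gid)) < 0) {
        perror(argv[1]);               /* still root: stderr is all we have */
        return 1;
    }
    if (drop_privileges(pw->pw_uid, pw->pw_gid) < 0) {
        dprintf(fd, "cannot drop privileges to %s\n", argv[2]);
        return 1;
    }
    dprintf(fd, "running as uid %ld\n", (long)getuid());
    return close(fd) == 0 ? 0 : 1;
}
```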


Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter

2005-05-17 Thread Brian Morrison
On Tue, 17 May 2005 16:09:01 +0400 in [EMAIL PROTECTED]
Sergey [EMAIL PROTECTED] wrote:

  i've just noticed the same thing. clamd.log is made by root. but 0.84
  doesn't care about that it works properly.

I have the same setup as you, but my log files are owned clamav:clamav,
using an rpm install based on Petr's rpms with the 0.85.1 tarball
specified in the spec file.

-- 

Brian Morrison

bdm at fenrir dot org dot uk

GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html


Re: [Clamav-users] 0.85 0.81.1 tha same troubles with milter

2005-05-17 Thread Dennis Peterson
Jim Maul said:

 Let me attempt to clear up any confusion (and hopefully put this thread
 to rest) by saying that I personally am not having any problems with
 clamav and i am not experiencing the logging issue that actually started
 this thread.  I do and always have run clamav as qscand.  My clamav logs
 are owned by qscand and everything works great.  I simply joined the
 conversation somewhere in the middle because something caught my
 attention.  The fact that clamav creates its log file as root if it
 doesnt already exist.  Why create it at all if you cant write to it?
 Its just silly.

That doesn't happen if you start it as the run-as user. It happens if you
start it as root. That is why I say this bug is not necessarily a bug,
but an administrative issue.


 Im anal as well which is why i stated that one should not tell anything
 to log to / or /var/log directly for that matter.  I like to have all
 programs logging in their own directories under /var/log/.  clamav is
 /var/log/clamav/ apache is /var/log/apache/ and so on.  That was the
 basis for my SHOULDNT statement above.

And it's a good idea. Especially if you don't start clamd as root.

dp

