[Clamav-users] clamav-milter 0.85e: /usr/lib/sendmail: not found
Nigel,

As per our previous discussion, I've tried using the snapshot clamav-milter 0.85e (downloaded on May 30, around 14:30UTC). It's running fine so far without the hung processes which I had reported earlier. However, I'm seeing these in /var/log/clamd.log:

Mon May 30 12:19:14 2005 -> /var/tmp/clamav-2f53e01a0cc7fe65/msg.xD8FAc: Worm.Bagle.AG FOUND
/usr/lib/sendmail: not found

Did a 'diff' on the Makefile against the previous version found:

18c18 < # Copyright (C) 2003 - 2005 Tomasz Kojm <[EMAIL PROTECTED]> --- > # Copyright (C) 2003 - 2004 Tomasz Kojm <[EMAIL PROTECTED]> 165a166 > SENDMAIL = @SENDMAIL@ 206d206 < sendmailprog = @sendmailprog@ 225a226 > AM_CFLAGS = -DSENDMAIL_BIN=\"$(SENDMAIL)\"

I am not using the entire snapshot but only taking clamav-milter directory from the snapshot and place it into the 0.85 release distribution. Could that be the problem? I have done a 'make clean', re-ran ./configure before compile but that didn't help.

Thanks.

Cheers,
N.

___ http://lurker.clamav.net/list/clamav-users.html
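Review bot: the sendmail path is wired differently on the two sides of this diff, and that is the part to check first. `sendmailprog = @sendmailprog@` (206d206) exists only on the `<` side, while `SENDMAIL = @SENDMAIL@` (165a166) and `AM_CFLAGS = -DSENDMAIL_BIN=\"$(SENDMAIL)\"` (225a226) exist only on the `>` side. An `@...@` placeholder is filled in by the configure script of the tree being built, so confirm that the configure run in the mixed tree actually substitutes the placeholder this Makefile uses; if it does not, the milter is compiled without a detected sendmail path, which would be consistent with the `/usr/lib/sendmail: not found` line in the log. Building the milter together with the configure script from the same snapshot avoids the mismatch.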
RE: [Clamav-users] Re: Zip files not being scanned
>> Any hints will be very much appreciated!
> Was the zip file encrypted? Doesn't sound like it was since you ran it through the online scanner, but those are potentially the only zip files that can pass through.

Not encrypted, as you expected.

> What version of clamav are you using? or more to the point, does your local installation detect the virus inside the zip file? (e.g. clamscan sample.zip).
> What we're looking at here is if your local virus signatures database is up to date, the online scan showed that the virus is recognized in the current database but perhaps your local one is not updated (hint: freshclam should be executed at least once a day).

ClamAV 0.85.1/898/Sat May 28 15:11:03 2005
freshclam runs hourly (querying db.au.clamav.net)

I think what happened was that the worm went through prior to being updated in the db, so it wasn't detected.

Thanks for your help!

Cheers,
Frode
[Clamav-users] Re: Zip files not being scanned
Frode Egeland wrote:
> Hi all,

Howdy.

> I'm not 100% sure this is the correct list to ask this, but as the problem relates to ClamAV, I hope someone will have the answer for me.
>
> I've got a mail filter server set up, running postfix, amavisd-new, SpamAssassin and ClamAV.
> This morning, it was found that a worm had somehow gotten in through this, by being in a zip file (which a user naturally opened).
>
> I have "ScanArchive" in my clamd.conf and amavisd-new *should* be set up to scan zip files, so I don't know why it would have been missed? I got a sample of the worm, and ClamAV (the online web scan) detected it (inside the zip).
>
> Any hints will be very much appreciated!

Was the zip file encrypted? Doesn't sound like it was since you ran it through the online scanner, but those are potentially the only zip files that can pass through.

What version of clamav are you using? or more to the point, does your local installation detect the virus inside the zip file? (e.g. clamscan sample.zip).

What we're looking at here is if your local virus signatures database is up to date, the online scan showed that the virus is recognized in the current database but perhaps your local one is not updated (hint: freshclam should be executed at least once a day).

HTH
--
René Berber
[Clamav-users] Zip files not being scanned
Hi all,

I'm not 100% sure this is the correct list to ask this, but as the problem relates to ClamAV, I hope someone will have the answer for me.

I've got a mail filter server set up, running postfix, amavisd-new, SpamAssassin and ClamAV. This morning, it was found that a worm had somehow gotten in through this, by being in a zip file (which a user naturally opened).

I have "ScanArchive" in my clamd.conf and amavisd-new *should* be set up to scan zip files, so I don't know why it would have been missed? I got a sample of the worm, and ClamAV (the online web scan) detected it (inside the zip).

Any hints will be very much appreciated!

Cheers,
Frode Egeland
Re: [Clamav-users] freshclam - on error send email
Stephen Gran said:
> On Sun, May 29, 2005 at 03:29:03PM -0700, Dennis Peterson said:
>> Stephen Gran said:
>> And I said in the next post this is not the way I'd do it. And you've spoiled the fun that was sure to come in the OP's next question, so let's get right to the issue at hand.
>
> I am not sure what the point of giving bad advice to someone who clearly has difficulty understanding the ramifications of the bad advice is. I guess giving good advice the first time around would spoil the fun, though.

It was step one of a solution set. That particular point was to indicate the MAILTO env var was not necessarily the best way to achieve the KISS principle. In fact the entire cron entry needed help.

>> The problem of the OP and which has not been addressed by anyone (except me last week) is that many of you people insist on starting or running this stuff as user root. If the OP had created a cronjob for user clamav or whomever the run-as user is the crontab would have truly met the KISS test (another bit of an insult from someone else, eh).
>
> Well, let's see ... ah yes, my packages do set the cron job to run as whichever user owns the DatabaseDirectory (clamav by default). So I guess I am not one of 'you people', so no problem there. If you're not familiar with the KISS principle, and its self-deprecatory connotations, I can't help you there.

And you didn't ask for help and so didn't need it. So far that's two - probably three including Matt.

>> Errors would automatically go to user clamav's inbox and that can and arguably should be aliased to the cognizant administrator. No need for tests or mail or pipes or redirected stdxxx. Simple.
>
> Well then why didn't you offer that solution up front, instead of playing games with the OP? Again, I don't see the point in advising something you are saying is insecure. Do you actually have a good reason for giving advice you think is bad, or do you just like having fun at someone else's expense?

The OP didn't understand the basics. I was developing that just as I did last week when big sig guy got his speedos in a knot.

>> > Those who live in glass houses and so forth. Can we try to keep a civil tongue, at least when you have your foot in your mouth?
>>
>> Can I use your response as an example of civility?
>
> Absolutely.
>
> You gave advice that
> a) didn't do what was expected (generate an email only on errors)
> b) was insecure by your definition
>
> and then you were condescending to the OP, and rude to others who tried to help the OP. If you want me to be rude, I can, but that wasn't it.
>
> That wasn't rude, it was just pointing out the obvious.

The advice I gave was part of a series I'd intended to offer. The entirety of it is complete. The rude part began with the KISS expansion which I didn't provide. And it wasn't even the best KISS example which is why I got interested.

The additional fully qualified path advice is mentoring and it is good advice. In a workgroup (shared) environment you should always ensure all your scripts and crontabs use fully qualified paths or you are at the whim of mistakes others make. It is considered a best practice. If you need additional reading check the startup scripts on your system.

I don't find it rude to mentor people who are in over their heads. After 30 years of doing this it just flows naturally. Offer some info - time to digest - expand it, refine it. There's no way to get there in a single post/brain dump.

Oh - and I was pointing out the obvious.

dp
Re: [Clamav-users] Reporting Phishing Mails?
Jan Pieter Cornet wrote:
> > Looking forward to 0.90, when these debates can finally end.
>
> They can end NOW, for two reasons: first because subject has been beaten to death and then some more already, and second because there's a documented solution NOW, too.

Well, you have just made sure that it will get beaten to death some more. Talk about a red rag to a bull :)

Matt
Re: [Clamav-users] freshclam - on error send email
On Sun, May 29, 2005 at 03:29:03PM -0700, Dennis Peterson said:
> Stephen Gran said:
> And I said in the next post this is not the way I'd do it. And you've spoiled the fun that was sure to come in the OP's next question, so let's get right to the issue at hand.

I am not sure what the point of giving bad advice to someone who clearly has difficulty understanding the ramifications of the bad advice is. I guess giving good advice the first time around would spoil the fun, though.

> The problem of the OP and which has not been addressed by anyone (except me last week) is that many of you people insist on starting or running this stuff as user root. If the OP had created a cronjob for user clamav or whomever the run-as user is the crontab would have truly met the KISS test (another bit of an insult from someone else, eh).

Well, let's see ... ah yes, my packages do set the cron job to run as whichever user owns the DatabaseDirectory (clamav by default). So I guess I am not one of 'you people', so no problem there. If you're not familiar with the KISS principle, and its self-deprecatory connotations, I can't help you there.

> Errors would automatically go to user clamav's inbox and that can and arguably should be aliased to the cognizant administrator. No need for tests or mail or pipes or redirected stdxxx. Simple.

Well then why didn't you offer that solution up front, instead of playing games with the OP? Again, I don't see the point in advising something you are saying is insecure. Do you actually have a good reason for giving advice you think is bad, or do you just like having fun at someone else's expense?

> > Those who live in glass houses and so forth. Can we try to keep a civil tongue, at least when you have your foot in your mouth?
>
> Can I use your response as an example of civility?

Absolutely.

You gave advice that
a) didn't do what was expected (generate an email only on errors)
b) was insecure by your definition

and then you were condescending to the OP, and rude to others who tried to help the OP. If you want me to be rude, I can, but that wasn't it.

That wasn't rude, it was just pointing out the obvious.

Relax, and let's play nice for a while. I am here because I often hear of potential problems with a software suite I use and maintain mentioned first here, and because I get to help off load a little of the work of support off of the people who do the bulk of the work keeping clam going by answering questions. Hopefully you're here for similar reasons, and not just to mock people who are struggling. I'm assuming that you're here because you want to help and be helped.

Take care,
--
| Stephen Gran                  | This must be morning. I never could |
| [EMAIL PROTECTED]             | get the hang of mornings.           |
| http://www.lobefin.net/~steve |                                     |
Re: [Clamav-users] Reporting Phishing Mails?
On Thu, May 26, 2005 at 12:34:03PM -0500, Damian Menscher wrote:
> >some people never learn.
>
> Looking forward to 0.90, when these debates can finally end.

They can end NOW, for two reasons: first because subject has been beaten to death and then some more already, and second because there's a documented solution NOW, too.

If you (just like I do) want to remove certain signatures from the database for whatever reason, then use the OnUpdateExecute feature in freshclam.conf to automatically fix ("grep -v") your database for you.

If you can't figure it out, I'm happy to send you my config as an example. Offlist.

--
#!perl -wpl # mmfppfmpmmpp mmpffm <[EMAIL PROTECTED]>
$p=3-2*/[^\W\dmpf_]/i;s.[a-z]{$p}.vec($f=join('',$p-1?chr(sub{$_[0]*9+$_[1]*3+
$_[2]}->(map{/p|f/i+/f/i}split//,$&)+97):qw(m p f)[map{((ord$&)%32-1)/$_%3}(9,
3,1)]),5,1)='`'lt$&;$f.eig;# Jan-Pieter Cornet
Re: [Clamav-users] freshclam - on error send email
Stephen Gran said:
> On Sun, May 29, 2005 at 01:42:32PM -0700, Dennis Peterson said:
>> You could try a trivial example by creating a cron job that will fail. This can be done by requesting execution of a process that doesn't exist.
>>
>> * * * * * /tmp/junk 2>$1 |/usr/bin/mail -s "this is a test" [EMAIL PROTECTED]
>>
>> If you were to do this professionally you should include the full path to mail as well as your executable. It's a security thing and failure to do so is seen as a rookie mistake. Otherwise it will find the first example of either somewhere in the system path. It can be real embarrassing when somebody has created a script that contains "echo > /etc/passwd" in it and your cron process finds it because you've not used a fully qualified path.
>
> First, you advise someone to receive 4 empty emails an hour, then you redirect stderr to the last match in a regular expression, and then you have a world-writable root $PATH. Then you finish up with comments about 'rookie mistakes' and an insult towards someone trying to help the OP.

And I said in the next post this is not the way I'd do it. And you've spoiled the fun that was sure to come in the OP's next question, so let's get right to the issue at hand.

The problem of the OP and which has not been addressed by anyone (except me last week) is that many of you people insist on starting or running this stuff as user root. If the OP had created a cronjob for user clamav or whomever the run-as user is the crontab would have truly met the KISS test (another bit of an insult from someone else, eh).

Errors would automatically go to user clamav's inbox and that can and arguably should be aliased to the cognizant administrator. No need for tests or mail or pipes or redirected stdxxx. Simple.

> Those who live in glass houses and so forth. Can we try to keep a civil tongue, at least when you have your foot in your mouth?

Can I use your response as an example of civility?

dp
Re: [Clamav-users] freshclam - on error send email
On Sun, May 29, 2005 at 01:42:32PM -0700, Dennis Peterson said:
> You could try a trivial example by creating a cron job that will fail. This can be done by requesting execution of a process that doesn't exist.
>
> * * * * * /tmp/junk 2>$1 |/usr/bin/mail -s "this is a test" [EMAIL PROTECTED]
>
> If you were to do this professionally you should include the full path to mail as well as your executable. It's a security thing and failure to do so is seen as a rookie mistake. Otherwise it will find the first example of either somewhere in the system path. It can be real embarrassing when somebody has created a script that contains "echo > /etc/passwd" in it and your cron process finds it because you've not used a fully qualified path.

First, you advise someone to receive 4 empty emails an hour, then you redirect stderr to the last match in a regular expression, and then you have a world-writable root $PATH. Then you finish up with comments about 'rookie mistakes' and an insult towards someone trying to help the OP.

Those who live in glass houses and so forth. Can we try to keep a civil tongue, at least when you have your foot in your mouth?

--
| Stephen Gran                  | Q. What's the difference                |
| [EMAIL PROTECTED]             | between Batman and Bill Gates?          |
| http://www.lobefin.net/~steve | A. When Batman fought the Penguin, he   |
|                               | won.                                    |
Re: [Clamav-users] freshclam - on error send email
On Sun, May 29, 2005 at 09:15:46PM +0100, Timothy Omer said:
> Thank you all for your help, MAILTO does seem to work. I will try the suggestion above as I can add my own subject.

Good. This is the simplest, unless you are managing a farm of multiple platforms and need a script that works on all of them.

> Not sure what 2>&1 does, is there any way I can create an error to test this? (Obviously I can not disconnect the internet to create an update error, as I would not receive the email :-) )

freshclam --quiet suppresses all of the informational messages that go to stdout. The shell construct 2>&1 redirects stderr into stdout, so that any remaining output from freshclam (in this case, what would normally be the stderr stream, generated by errors or warnings) will go through the pipe into the mail command.

As has been previously noted, though, the '| mail .. ' construct will generate an empty email on every successful run, and an email with content if there is an error. That is not something I would want, but tastes vary.

--
| Stephen Gran                  | Conversation, n.: A vocal competition |
| [EMAIL PROTECTED]             | in which the one who is catching his  |
| http://www.lobefin.net/~steve | breath is called the listener.        |
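The two behaviours argued over in this thread (a `| mail` pipe sends a message on every run, and `||` fires on any non-zero status, including the "nothing to update" case the original poster observed) can both be avoided with a small wrapper; the following is an added example, not code from any poster or from the ClamAV project. The install path, the address, the subject and the `OK_CODES` default are assumptions; which non-zero status freshclam uses for "already up to date" should be checked in freshclam(1) for the installed version.

```shell
#!/bin/sh
# Added example, not code from the list. Hypothetical install path and crontab
# entry, placed in the crontab of the unprivileged account that owns the
# database directory:
#   15 */4 * * * /usr/local/sbin/freshclam-report /usr/local/bin/freshclam --quiet

ADMIN="${ADMIN:-admin@example.invalid}"        # constructed address
SUBJECT="${SUBJECT:-freshclam update failed}"
MAILER="${MAILER:-/usr/bin/mail}"              # absolute path, never a bare "mail"
# Exit statuses that do NOT count as a failure. Treating 1 as "nothing to
# update" is an assumption; confirm it for the installed freshclam.
OK_CODES="${OK_CODES:-0 1}"

# run_and_report CMD [ARG...]
# Silent, status 0, when CMD ends with a status listed in OK_CODES.
# Otherwise prints a report (command, status, captured output) and returns 1.
run_and_report() {
    case "$1" in
        /*) ;;
        *)  printf 'refusing to run "%s": not an absolute path\n' "$1"
            return 1 ;;
    esac
    # 2>&1 points stderr at the same place as stdout, so both are captured.
    # The fixed PATH limits what the job can pick up if it runs bare names.
    out=$(PATH=/usr/bin:/bin "$@" 2>&1) && rc=0 || rc=$?
    case " $OK_CODES " in
        *" $rc "*) return 0 ;;
    esac
    printf 'command: %s\nexit status: %s\noutput:\n%s\n' "$*" "$rc" "$out"
    return 1
}

# mail_on_failure CMD [ARG...]
# Sends exactly one message, and only when run_and_report reports a failure.
mail_on_failure() {
    if report=$(run_and_report "$@"); then
        return 0
    fi
    printf '%s\n' "$report" | "$MAILER" -s "$SUBJECT" "$ADMIN"
    return 1
}

# Called with arguments (as from cron): run them. Sourced: only define functions.
if [ "$#" -gt 0 ]; then
    mail_on_failure "$@"
fi
```

To exercise the failure path without breaking the network connection, pass a program that does not exist (status 127), which is the test suggested elsewhere in the thread.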
RE: [Clamav-users] freshclam - on error send email
Timothy Omer said:
> Thank you all for your help, MAILTO does seem to work. I will try the suggestion above as I can add my own subject.
>
> Not sure what 2>&1 does, is there any way I can create an error to test this? (Obviously I can not disconnect the internet to create an update error, as I would not receive the email :-) )

&1 is a symbolic reference to stdout which is the console or current term. Stderr is "2" so this directs all stderr to the same place as stdout. This is piped to mail. A description should be found in man sh. The need for doing this is to capture the stderr output of freshclam to a pipe to mail otherwise it is sent to the crontab owner by default.

You could try a trivial example by creating a cron job that will fail. This can be done by requesting execution of a process that doesn't exist.

* * * * * /tmp/junk 2>$1 |/usr/bin/mail -s "this is a test" [EMAIL PROTECTED]

If you were to do this professionally you should include the full path to mail as well as your executable. It's a security thing and failure to do so is seen as a rookie mistake. Otherwise it will find the first example of either somewhere in the system path. It can be real embarrassing when somebody has created a script that contains "echo > /etc/passwd" in it and your cron process finds it because you've not used a fully qualified path.

Suggestions like this seem to cause big sig guy to rant about arrogance - just ignore him.

dp
Re: [Clamav-users] freshclam - on error send email
Damian Menscher said:
> On Sun, 29 May 2005, Dennis Peterson wrote:
>> Timothy Omer said:
>>>
>>> 15 */4 * * * /usr/local/bin/freshclam --quiet || mail -s "There has been an error updating ClamAV on the Office Server" [EMAIL PROTECTED] < /var/log/clamav/freshclam.log
>>
>> use:
>> 15 */4 * * * /usr/local/bin/freshclam --quiet 2>&1 | mail -s "There has been an error updating ClamAV on the Office Server" [EMAIL PROTECTED]
>>
>> This should send stderr output to mail and will contain the error message.
>> There is no stdout to capture because of the --quiet parameter.
>>
>> Simpler even than diddling with the MAILTO var.
>
> Uhh, unless I'm missing something obvious, that would send an email every 4 hours, usually with no message body, but containing one when there were errors. Definitely NOT what is desired.
>
> Or perhaps your mail command works differently than mine?

I just cut/pasted his entry - not what I'd do. This also has the advantage of being portable across OS types which is important to some (me).

dp
RE: [Clamav-users] freshclam - on error send email
> Uhh, unless I'm missing something obvious, that would send an email every 4 hours, usually with no message body, but containing one when there were errors. Definitely NOT what is desired.
>
> Or perhaps your mail command works differently than mine?
>
> Damian Menscher

just what I was thinking, that's why I wanted to test it :-)
RE: [Clamav-users] freshclam - on error send email
> use:
> 15 */4 * * * /usr/local/bin/freshclam --quiet 2>&1 | mail -s "There has been an error updating ClamAV on the Office Server" [EMAIL PROTECTED]
>
> This should send stderr output to mail and will contain the error message.
> There is no stdout to capture because of the --quiet parameter.
>
> Simpler even than diddling with the MAILTO var.
>
> dp

Thank you all for your help, MAILTO does seem to work. I will try the suggestion above as I can add my own subject.

Not sure what 2>&1 does, is there any way I can create an error to test this? (Obviously I can not disconnect the internet to create an update error, as I would not receive the email :-) )
Re: [Clamav-users] freshclam - on error send email
On Sun, 29 May 2005, Dennis Peterson wrote:
> Timothy Omer said:
>>
>> 15 */4 * * * /usr/local/bin/freshclam --quiet || mail -s "There has been an error updating ClamAV on the Office Server" [EMAIL PROTECTED] < /var/log/clamav/freshclam.log
>
> use:
> 15 */4 * * * /usr/local/bin/freshclam --quiet 2>&1 | mail -s "There has been an error updating ClamAV on the Office Server" [EMAIL PROTECTED]
>
> This should send stderr output to mail and will contain the error message.
> There is no stdout to capture because of the --quiet parameter.
>
> Simpler even than diddling with the MAILTO var.

Uhh, unless I'm missing something obvious, that would send an email every 4 hours, usually with no message body, but containing one when there were errors. Definitely NOT what is desired.

Or perhaps your mail command works differently than mine?

Damian Menscher
--
-=#| Physics Grad Student & SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
-=#| <[EMAIL PROTECTED]> www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
-=#| The above opinions are not necessarily those of my employers. |#=-
Re: [Clamav-users] freshclam - on error send email
Timothy Omer said:
> Hello everyone,
>
> I have been asking on the forms and trying to solve this problem for a few weeks now - I hope you can help me.
>
> From cron I run freshclam every 4 hours with the following command.
>
> 15 */4 * * * /usr/local/bin/freshclam --quiet || mail -s "There has been an error updating ClamAV on the Office Server" [EMAIL PROTECTED] < /var/log/clamav/freshclam.log

use:
15 */4 * * * /usr/local/bin/freshclam --quiet 2>&1 | mail -s "There has been an error updating ClamAV on the Office Server" [EMAIL PROTECTED]

This should send stderr output to mail and will contain the error message. There is no stdout to capture because of the --quiet parameter.

Simpler even than diddling with the MAILTO var.

dp
Re: [Clamav-users] freshclam - on error send email
On Sun, May 29, 2005 at 01:58:00PM -0500, Damian Menscher said:
> I'm not certain the MAILTO construct will work to send the output of different commands to different users, or if it's set for the entire crontab. (It will probably work, I just haven't tried it personally.)

The following format is valid here:

MAILTO=steve
@reboot /home/steve/bin/foo.sh
MAILTO=root
* * * * * /usr/local/bin/do_something
MAILTO="[EMAIL PROTECTED]"
*/15 * * * * /usr/local/bin/do_something_else

most vixie cron clones _should_ support this, but I am not sure they all do.

--
| Stephen Gran                  | Old soldiers never die. Young ones do. |
| [EMAIL PROTECTED]             |                                        |
| http://www.lobefin.net/~steve |                                        |
RE: [Clamav-users] freshclam - on error send email
On Sun, 29 May 2005, Timothy Omer wrote:
> On Sun, May 29, 2005 at 07:24:46PM +0100, Timothy Omer said:
> > Thank you for your response Damian, I should have been clearer - the email needs to be sent to an external address.
>
> I don't know about your implementation of cron, but mine supports the MAILTO environment variable for exactly this sort of thing.
>
> I don't seem to have MAILTO on my system (CentOS 4).

Yes, you do. It's a variable you set in your crontab, not a command. You can read all about it: man 5 crontab

Alternatively, you could set an alias to point root mail to [EMAIL PROTECTED], which might be useful for other purposes. All depends on what you need.

I'm not certain the MAILTO construct will work to send the output of different commands to different users, or if it's set for the entire crontab. (It will probably work, I just haven't tried it personally.)

Damian Menscher
--
-=#| Physics Grad Student & SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
-=#| <[EMAIL PROTECTED]> www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
-=#| The above opinions are not necessarily those of my employers. |#=-
RE: [Clamav-users] freshclam - on error send email
> On Sun, May 29, 2005 at 07:24:46PM +0100, Timothy Omer said:
> > Thank you for your response Damian, I should have been clearer - the email needs to be sent to an external address.
>
> I don't know about your implementation of cron, but mine supports the MAILTO environment variable for exactly this sort of thing.
>
> Stephen Gran

I don't seem to have MAILTO on my system (CentOS 4).

Tim
Re: [Clamav-users] freshclam - on error send email
On Sun, May 29, 2005 at 07:24:46PM +0100, Timothy Omer said:
> Thank you for your response Damian, I should have been clearer - the email needs to be sent to an external address.

I don't know about your implementation of cron, but mine supports the MAILTO environment variable for exactly this sort of thing.

--
| Stephen Gran                  | BOFH excuse #357: I'd love to help you  |
| [EMAIL PROTECTED]             | -- it's just that the Boss won't let me |
| http://www.lobefin.net/~steve | near the computer.                      |
RE: [Clamav-users] freshclam - on error send email
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Damian Menscher
Sent: 29 May 2005 19:17
To: ClamAV users ML
Subject: Re: [Clamav-users] freshclam - on error send email

On Sun, 29 May 2005, Timothy Omer wrote:
> From cron I run freshclam every 4 hours with the following command.
>
> 15 */4 * * * /usr/local/bin/freshclam --quiet || mail -s "There has been an error updating ClamAV on the Office Server" [EMAIL PROTECTED] < /var/log/clamav/freshclam.log
>
> I'm sure that many of you must have a similar setup, how do you get cron to only send an email when freshclam exits with an error code? Is there a way to check the error code first in cron?

KISS -- Keep It Simple, Stupid

7-59/15 * * * * /usr/local/bin/freshclam --quiet

Cron will automagically email any output to the owner of the crontab. And the --quiet means there won't be any output unless there's an error. There's really no need for additional complexity here

Damian Menscher

Thank you for your response Damian, I should have been clearer - the email needs to be sent to an external address.

Thanks
Tim
Re: [Clamav-users] freshclam - on error send email
On Sun, 29 May 2005, Timothy Omer wrote:
> From cron I run freshclam every 4 hours with the following command.
>
> 15 */4 * * * /usr/local/bin/freshclam --quiet || mail -s "There has been an error updating ClamAV on the Office Server" [EMAIL PROTECTED] < /var/log/clamav/freshclam.log
>
> I'm sure that many of you must have a similar setup, how do you get cron to only send an email when freshclam exits with an error code? Is there a way to check the error code first in cron?

KISS -- Keep It Simple, Stupid

7-59/15 * * * * /usr/local/bin/freshclam --quiet

Cron will automagically email any output to the owner of the crontab. And the --quiet means there won't be any output unless there's an error. There's really no need for additional complexity here

Damian Menscher
--
-=#| Physics Grad Student & SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
-=#| <[EMAIL PROTECTED]> www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
-=#| The above opinions are not necessarily those of my employers. |#=-
[Clamav-users] freshclam - on error send email
Hello everyone,

I have been asking on the forms and trying to solve this problem for a few weeks now - I hope you can help me.

From cron I run freshclam every 4 hours with the following command.

15 */4 * * * /usr/local/bin/freshclam --quiet || mail -s "There has been an error updating ClamAV on the Office Server" [EMAIL PROTECTED] < /var/log/clamav/freshclam.log

...when there is an update I get no email, but when there are no updates I get an email (I take it that freshclam exits with a non 0 exit code and this results in me getting an email).

I'm sure that many of you must have a similar setup, how do you get cron to only send an email when freshclam exits with an error code? Is there a way to check the error code first in cron?

(I have also tried the --on-error-execute command, but I have been unable to get it to successfully send the email, I just get an error that says "-s is an unknown parameter". -s is for the subject of the mail, but freshclam seems to think that it is for itself)

Many thanks,
Tim
Re: [Clamav-users] Re: Spam from ClamAv digest lists.
Hello G.W. Haywood,

> Do you happen to know who this mysterious owner might be?

I'll look into it asap.

Best regards

--
Luca Gibelli (luca at clamav.net) - ClamAV, a GPL virus scanner
PGP Key Fingerprint: C782 121E 8C3A 90E3 7A87 D802 6277 8FF4 5EFC 5582
PGP Key Available on: Key Servers || http://www.clamav.net/gpg/luca.gpg
Re: [Clamav-users] Error on upgrade from .84 to .85
* Rick Weinbender <[EMAIL PROTECTED]> [20050529 20:03]: wrote:
> When I recently upgraded from clamav .84 to .85 I got an error in freshclam.log as follows:
>
> ERROR: Clamd was NOT notified: Can't connect to clamd through /var/run/clamav/clamd.ctl (see log below)
>
> Subsequent freshclam updates have not produced this error.
> Do you think I should be concerned?
>
> Thanks,
> -Rick
>
> clip from freshclam.log below:
> **
> freshclam daemon 0.85.1 (OS: linux-gnu, ARCH: i386, CPU: i386)
> ClamAV update process started at Sun May 29 09:52:43 2005
> main.cvd is up to date (version: 31, sigs: 33079, f-level: 4, builder: tkojm)
> daily.cvd updated (version: 898, sigs: 1782, f-level: 5, builder: ccordes)
> Database updated (34861 signatures) from db.local.clamav.net (IP: 195.92.99.99)
>
> ERROR: Clamd was NOT notified: Can't connect to clamd through /var/run/clamav/clamd.ctl
> --

I am guessing that you upgraded and ran freshclam before you restarted clamd.

-Wash

http://www.netmeister.org/news/learn2quote.html

--
Odhiambo Washington <[EMAIL PROTECTED]>
Wananchi Online Ltd. www.wananchi.com
Tel: +254 20 313985-9 +254 20 313922
GSM: +254 722 743223 +254 733 744121

Whatever is not nailed down is mine. What I can pry loose is not nailed down.
-- Collis P. Huntingdon
[Clamav-users] Error on upgrade from .84 to .85
When I recently upgraded from clamav .84 to .85 I got an error in freshclam.log as follows:

ERROR: Clamd was NOT notified: Can't connect to clamd through /var/run/clamav/clamd.ctl
(see log below)

Subsequent freshclam updates have not produced this error.
Do you think I should be concerned?

Thanks,
-Rick

clip from freshclam.log below:
**
freshclam daemon 0.85.1 (OS: linux-gnu, ARCH: i386, CPU: i386)
ClamAV update process started at Sun May 29 09:52:43 2005
main.cvd is up to date (version: 31, sigs: 33079, f-level: 4, builder: tkojm)
daily.cvd updated (version: 898, sigs: 1782, f-level: 5, builder: ccordes)
Database updated (34861 signatures) from db.local.clamav.net (IP: 195.92.99.99)

ERROR: Clamd was NOT notified: Can't connect to clamd through /var/run/clamav/clamd.ctl
--
Re: [Clamav-users] Memory limit per process hit
Pablo Alsina wrote:

> Hi
>
> We have been having some problems lately with our installation. We are
> using Sendmail+clamav-milter+clamd as our antivirus solution, over a
> RedHat Linux with a 2.4.21 kernel (RH9).

This is somewhat outdated. Might I recommend you use the newer Fedora Cores or switch to an always-current distribution such as Debian Testing?

> We added a sort of tarpitting solution to our sendmail in order to stop
> people from scanning our userbase. What this means is that responses to
> SMTP "rcpt to" get delayed when the envelope user is unknown. The more
> you miss, the more you get delayed (it's exponential). So what happens is
> that some SMTP clients may have to wait up to 15 minutes for a response
> from Sendmail if they miss too many recipients.

I can't help thinking that this is a bad idea as the cost you pay in overhead is far greater than the cost to the attacker. You have all these sendmail processes hanging around and all those milter threads.

To DOS your box, all I have to do is open a few hundred connections to it and try to send email to a few dozen fake users. If that does not do it, I can simply open a few hundred more. Cheap for me, expensive for you.

I would recommend a different approach, using this patch

http://www.jmaimon.com/sendmail/patches/badrcpt_shutdown.v1.81301.patch
http://www.jmaimon.com/sendmail/#badrcptshutdown

This patch terminates connections that have a (configurable) high ratio of bad user attempts. This feature is compatible with sendmail's delaying feature, so you can delay the connection for the first X bad users and shut down the connection after Y bad users.

Use that with sendmail rate-limiting.

In this day and age all MTAs need to implement some kind of rate-limiting, otherwise all it takes is a few aggressive MTAs out there and a joe job to put you out of business.

I have been using this setup for quite some time. Works fine and dandy.
Re: [Clamav-users] Memory limit per process hit
On 27/05/05, Pablo Alsina <[EMAIL PROTECTED]> wrote:
> So what we did was to increment the number of children to an even
> bigger value. But then we started to hit with other problems:
>
> clamav-milter[1932]: ClamAv: thread_create() failed: 12, try again
>
> We did an strace to that process, only to find out that we are running
> out of memory:

I had a similar problem using MIMEdefang rather than clamav-milter. See what default stack size is (ulimit -s). Reducing this in your sendmail init script, e.g. "ulimit -s 2048" can help. Worked for me.

See earlier thread on this one:
http://www.mail-archive.com/clamav-users@lists.sourceforge.net/msg08540.html

And then you might be able to inconvenience 10 spammers instead of 1 before they DoS your mail service. But have fun! :)

des
--
des -- http://frommars.org/
Re: [Clamav-users] clamav-milter 0.85.1 processes not going away
Ok! Having watched this when it happened, I can now confirm that these are the sequence of events for a hung clamav-milter process:

clamav-milter finds virus and logs these in /var/log/maillog:

May 29 17:27:28 idc131 clamav-milter[30450]: j4T8RRO3033496: /var/tmp/clamav-2870772f87caf354/msg.C6YkeV: Worm.SomeFool.Gen-1 Intercepted virus from <[EMAIL PROTECTED]> to
May 29 17:27:28 idc131 sm-mta[33496]: j4T8RRO3033496: Milter add: header: X-Virus-Status: Infected with Worm.SomeFool.Gen-1

But in /var/log/clamd.log it says:

Sun May 29 17:27:28 2005 -> /var/tmp/clamav-2870772f87caf354/msg.C6YkeV: Worm.SomeFool.Gen-1 FOUND
LibClamAV Error: Segmentation fault :-( Bye..

At this time, ps -aux still shows the incoming smtp process, AND the clamav-milter process.

Then 10 minutes later in /var/log/maillog:

May 29 17:37:28 idc131 sm-mta[33496]: j4T8RRO3033496: Milter (clmilter): timeout before data read
May 29 17:37:28 idc131 sm-mta[33496]: j4T8RRO3033496: Milter (clmilter): to error state
May 29 17:37:28 idc131 sm-mta[33496]: j4T8RRO3033496: Milter: data, reject=451 4.3.2 Please try again later
May 29 17:37:28 idc131 sm-mta[33496]: j4T8RRO3033496: to=, delay=00:10:00, pri=54614, stat=Please try again later

At this time, the incoming smtp connection closes but the clamav-milter process remains. Some minutes later, the same smtp server will try again to deliver the infected message (having been told to try again later,) and thus I have yet another hung process.

Currently, I am using these to start clamav-milter:

-HNPCol --external --timeout=60 [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] --pidfile=/var/somewhere local:/path/to/clmilter.sock

on FreeBSD 4.x with sendmail-8.13.3. This is also happening on another FreeBSD 4.x box with sendmail-8.13.4

Thanks in advance for any pointers!

Cheers,
N.
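The sequence reported above can be spotted automatically by joining the two maillog events on the sendmail queue ID. This is an added example, not part of the original post; the sample lines are constructed from the ones quoted there, with placeholder addresses and one made-up clean message.

```shell
#!/bin/sh
# Find messages where clamav-milter intercepted a virus and sendmail later
# logged a milter timeout for the same queue ID (the hang pattern above).

# Constructed sample, modelled on the log lines quoted in the post.
sample_maillog() {
cat <<'EOF'
May 29 17:27:28 idc131 clamav-milter[30450]: j4T8RRO3033496: /var/tmp/clamav-2870772f87caf354/msg.C6YkeV: Worm.SomeFool.Gen-1 Intercepted virus from <sender@example.invalid> to <rcpt@example.invalid>
May 29 17:27:28 idc131 sm-mta[33496]: j4T8RRO3033496: Milter add: header: X-Virus-Status: Infected with Worm.SomeFool.Gen-1
May 29 17:30:02 idc131 sm-mta[33510]: j4T8U1aa033510: Milter add: header: X-Virus-Status: Clean
May 29 17:37:28 idc131 sm-mta[33496]: j4T8RRO3033496: Milter (clmilter): timeout before data read
May 29 17:37:28 idc131 sm-mta[33496]: j4T8RRO3033496: Milter: data, reject=451 4.3.2 Please try again later
EOF
}

# hung_milter_events: reads maillog on stdin and prints one line per match:
#   <queue_id> <time virus was intercepted> <time of milter timeout> <virus>
# Assumes the standard syslog layout: field 5 is "prog[pid]:", field 6 the
# queue ID, and (for the milter line) field 8 the virus name.
hung_milter_events() {
    awk '
        index($5, "clamav-milter[") == 1 && index($0, "Intercepted virus") {
            id = $6; sub(/:$/, "", id)
            found[id] = $3; virus[id] = $8
        }
        index($5, "sm-mta[") == 1 && index($0, "timeout before data read") {
            id = $6; sub(/:$/, "", id)
            if (id in found) print id, found[id], $3, virus[id]
        }
    '
}
```

Run as "hung_milter_events < /var/log/maillog"; a timeout with no earlier interception for that queue ID is not reported, since it does not match the pattern in the post.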