[Clamav-users] Excluding paths ?

2006-04-21 Thread Roman ZARAGOCI

Hi all,

Question of the day: is it possible to exclude a list of directories on 
a clamdscan command?


Thanks for helping me :)
___
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] Progressive scan ?

2006-04-21 Thread Roman ZARAGOCI

Dennis Peterson wrote:
> I run a tripwire-like tool at unpredictable times and use the results
> to scan the differences. It beats anything else I've tried.

It seems to be the right tool to use on my system. Could you send me the 
tripwire-like script you are using? I found several tools and I don't 
know which one to use. Is it a specific package?


Thanks for your answers ;)


> dp


Re: [Clamav-users] Clam-AV Corrupt

2006-04-21 Thread Jim Maul

Fahmi (JN) wrote:

> Dear All.
>
> I had a problem with Clam-AV, see the error below:
> Apr 21 09:52:18 mx1a X-Qmail-Scanner-1.25:
> [mx1a.ha.jetcoms.net114558793049323571] clamscan: corrupt or unknown
> ClamAV scanner error or memory/resource/perms problem - exit status 64
>
> Question:
> What does cause this error ... ???

I'd guess memory/resource/permissions, but that's just me.  It could be 
anything.  Softlimit too low? Permissions of /var/spool/qmailscan 
incorrect? Permissions of clamav related directories not correct?  The 
list goes on and on... you're going to have to track this one down yourself.


-Jim


[Clamav-users] Re: freshclam Error: Problem with internal logger

2006-04-21 Thread Stephen Gran
On Fri, Apr 21, 2006 at 10:45:22AM +0200, Maik Holtkamp said:
> Hi,
>
> I am running a debian sarge box using exim - amavis - clamav, version:
> from the debian-volatile sources.

OK.

> Permissions:

OK.

> The cronjob starting freshclam:

OK.

> but it's the same if I try to start it manually. -v doesn't give
> additional information.
>
> The config:

OK.

> If I comment UpdateLogFile freshclam will work as expected, but
> activating logging again comes up with the same error message given in
> Subject :(.
>
> Any hint greatly appreciated. TIA.

I see nothing unusual in your setup, sadly.  I also see no changes to
the logging code in recent versions - I have diff'ed back to 0.87 or so,
and there is no real change.

Can you run:

su - clamav -s /bin/sh
strace -ff -o strace.out freshclam

And send me the file strace.out?

Thanks,
-- 
Stephen Gran
[EMAIL PROTECTED]
http://www.lobefin.net/~steve

You can do very well in speculation where land or anything to do with
dirt is concerned.




Re: [Clamav-users] problem with cpu and memory consume

2006-04-21 Thread Leonardo Rodrigues Magalhães



Dennis Peterson wrote:

> Eduardo Reitz wrote:
>
>> Hello All,
>>
>> I have ClamAV+Spamassassin+Postfix in a Debian.
>>
>> The problem is that I have a lot of clamscan process and they consume too
>> much cpu and memory of the machine (I have 900M in RAM and 2CPU of 2G).
>
> I'm no expert, but the last thing in the world I'd use for scanning
> email is clamscan. Each time it's called it has to load all the
> pattern files then scan whatever file/directory you've told it to
> scan. If you get 20,000 messages/hour that's a lot of startup costs.
>
> Using clamdscan is more efficient because it uses a running instance
> of clamd and so already has loaded all the patterns. Even more
> efficient is to extract any suspicious attachment to a temp file area
> and call clamd directly via Unix socket or tcp/ip socket, and tell it
> where to find the file(s) to scan. I don't know if this is possible in
> Postfix or not as I gave up on it some weeks ago, but certainly in the
> Sendmail world this is trivial.

How are you calling clamav from postfix? If you're seeing 'a lot 
of clamscan process', then I'll suppose you're NOT using amavisd. And 
then I will strongly recommend that you use it. You can call clamd as 
well as spamassassin from amavisd and can also set a LOT of other 
content filter rules on that. You can also set the max number of 
processes amavisd can run, so it won't kill your machine although it can 
get its usage very high. It's up to you to decide what's high usage and 
what's killing usage.


http://www.ijs.si/software/amavisd/

--


Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

[EMAIL PROTECTED]
My SPAMTRAP, do not email it
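
Added example, not part of the original thread or of ClamAV: a minimal Python client for the approach Dennis Peterson describes above, handing a file path to an already-running clamd over its Unix socket instead of starting clamscan for every message. The socket path (the LocalSocket value in clamd.conf), the function names and the sample replies in the comments are assumptions.

```python
import os
import socket

def parse_reply(reply):
    """Turn one clamd reply line into (path, status, detail)."""
    line = reply.strip("\x00\r\n ")
    if line.endswith(" ERROR"):
        # e.g. "/x: lstat() failed: No such file or directory. ERROR"
        path, _, msg = line[:-len(" ERROR")].partition(": ")
        return path, "error", msg
    path, _, verdict = line.rpartition(": ")
    if verdict == "OK":
        return path, "clean", None
    if verdict.endswith(" FOUND"):
        return path, "infected", verdict[:-len(" FOUND")]
    return path, "error", line

def clamd_scan(socket_path, target, timeout=30.0):
    """Ask a running clamd to scan `target`; clamd itself must be able to read it."""
    if "\n" in target:
        # A newline would terminate the command in the middle of the path.
        raise ValueError("newline in path")
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(socket_path)
        # nSCAN is the newline-delimited form of clamd's SCAN command.
        s.sendall(b"nSCAN " + os.fsencode(target) + b"\n")
        buf = b""
        while not buf.endswith(b"\n"):
            data = s.recv(4096)
            if not data:
                break
            buf += data
    return parse_reply(buf.decode("utf-8", "replace"))

if __name__ == "__main__":
    # Assumed socket path; use the LocalSocket value from your clamd.conf.
    print(clamd_scan("/var/run/clamav/clamd.ctl", "/tmp/extracted/attachment.bin"))
```

The pattern database is loaded once by clamd, so each call costs a socket round trip plus the scan itself.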






[Clamav-users] Can clamscan scan attachments in mails in .dbx or .pst files?

2006-04-21 Thread Fermín Galán Márquez
Hello,

My name is Fermín Galán. I'm a newcomer in the list, so please forgive me if
I ask some stupid questions :)

I'm involved in a forensic analysis of a Windows system. I have extracted
the cracked disk partition and mounted it in the GNU/Linux system where I'm
performing the analysis. One of the steps is to search for viruses and I'm
using clamav to do it.

It seems (manpage) that clamscan is able to search inside .zip and .rar
files, right? However, I would like to know also if the tool is powerful
enough to search inside attachment files in mails that are stored
in .dbx files (.dbx is the mailbox format that Outlook Express uses) and
.pst files (used by Outlook). There are several .dbx and .pst in the system
I'm analysing and I suspect that some of them may contain a virus in a mail
attachment.

Otherwise, is there any workaround? (maybe a tool that extracts attachments in
mails in a .dbx to plain files and then using clamscan on them)

Any information/help is really welcome... Thanks in advance!

(I've searched the list archives regarding this topic, but I didn't find
anything; however, if I'm wrong and this topic has been already treated,
please provide me a URL to the thread or discussion)

Best regards,


Fermín Galán Márquez
CTTC - Centre Tecnològic de Telecomunicacions de Catalunya
Parc Mediterrani de la Tecnologia, Av. del Canal Olímpic s/n, 08860
Castelldefels, Spain
Room 1.02
Tel : +34 93 645 29 12 
Fax : +34 93 645 29 01
Email address: [EMAIL PROTECTED] 



Re: [Clamav-users] Re: Logging not working for scans

2006-04-21 Thread James Brown

Thanks René.

You are 100% correct. I did not know there was clamdscan as well as  
clamscan.


It works perfectly now I am using the correct command.

Thanks.

James.


On 21/04/2006, at 2:02 PM, René Berber wrote:

> James Brown wrote:
>
>> clamd.log records info about shutting down and starting up, but not
>> about scans.
>>
>> I have uncommented LogClean and the log does not change when I run
>> clamscan on a folder with 1 clean file in it. clamscan works - ie it
>> says how many files were scanned, how long it took etc. But the log file
>> does not get touched.
>>
>> I have also set Verbose Logging on to no avail.
>>
>> Ran clamscan on the Test folder, it found 5 infected files, but again,
>> nothing was written to /tmp/clamd.log.
>>
>> ClamAV is version 88.1
>>
>> Permissions on clamd.log are 777.
>>
>> Any suggestions?
>
> Use clamdscan.
>
> The log is updated by clamd which is not used by clamscan.
> --
> René Berber



Re: [Clamav-users] Clam-AV Corrupt

2006-04-21 Thread Vieri Di Paola
There are several reports of clamd 0.88.1 crashing.

Please take a look at these two bug reports:

http://bugs.gentoo.org/show_bug.cgi?id=129702

http://bugs.gentoo.org/show_bug.cgi?id=129810

If you think you only have a permissions problem then
you can also look at:
http://forums.gentoo.org/viewtopic-t-216299-highlight-clamav.html

--- Jim Maul [EMAIL PROTECTED] wrote:

> Fahmi (JN) wrote:
>> Dear All.
>>
>> I had a problem with Clam-AV, see the error below:
>> Apr 21 09:52:18 mx1a X-Qmail-Scanner-1.25:
>> [mx1a.ha.jetcoms.net114558793049323571] clamscan: corrupt or unknown
>> ClamAV scanner error or memory/resource/perms problem - exit status 64
>>
>> Question:
>> What does cause this error ... ???
>
> I'd guess memory/resource/permissions, but that's just me.  It could be
> anything.  Softlimit too low? Permissions of /var/spool/qmailscan
> incorrect? Permissions of clamav related directories not correct?  The
> list goes on and on... you're going to have to track this one down yourself.
>
> -Jim




Re: [Clamav-users] Progressive scan ?

2006-04-21 Thread Dennis Peterson

Roman ZARAGOCI wrote:

> Dennis Peterson wrote:
>> I run a tripwire-like tool at unpredictable times and use the results
>> to scan the differences. It beats anything else I've tried.
>
> It seems to be the right tool to use on my system. Could you send me the
> tripwire-like script you are using? I found several tools and I don't
> know which one to use. Is it a specific package?
>
> Thanks for your answers ;)


It isn't a script - it is Cfengine and is found at cfengine.org. It is 
sufficiently complex that this function is not enough reason to install 
it, but Tripwire will also work and is a simple install. In Solaris 
systems there is the aset tool which does similar things. These are 
basic Unix security tools and are worth running for no other reason, but 
they produce useful output for ClamAV scans.


dp
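
Added example, not Dennis Peterson's Cfengine setup or any tool named in this thread: a small Python version of the idea described above, recording file hashes on one run and handing only new or changed files to the scanner on the next. The function names are assumptions, and so is the choice to feed the result to clamdscan through its --file-list option.

```python
import hashlib
import os

def sha256_file(path, bufsize=1 << 20):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(bufsize), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(root):
    """Return {path: sha256} for every regular file under root (symlinks skipped)."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                state[path] = sha256_file(path)
            except OSError:
                continue  # unreadable or vanished while walking
    return state

def files_to_scan(baseline, current):
    """New files and files whose hash changed; deleted files need no scan."""
    return sorted(p for p, digest in current.items() if baseline.get(p) != digest)

def write_file_list(paths, list_path):
    """One path per line, the input format of clamdscan --file-list=FILE."""
    with open(list_path, "w", encoding="utf-8") as fh:
        fh.writelines(p + "\n" for p in paths)
    return len(paths)
```

Store the baseline where the scanned account cannot write to it, otherwise a changed file can be hidden by editing its recorded hash.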



[Clamav-users] use clamdscan instead of clamscan

2006-04-21 Thread Eduardo Reitz
Hello All,

 

How can vpostmaster use clamdscan instead of clamscan (default) for CLAMAV
antivirus option?

 

Thank you

Eduardo

 

 

 




Re: [Clamav-users] Can clamscan scan attachments in mails in .dbx or .pst files?

2006-04-21 Thread Sander Holthaus
Fermín Galán Márquez wrote:
> Hello,
>
> My name is Fermín Galán. I'm a newcomer in the list, so please
> forgive me if I ask some stupid questions :)
>
> I'm involved in a forensic analysis of a Windows system. I have
> extracted the cracked disk partition and mounted it in the
> GNU/Linux system where I'm performing the analysis. One of the
> steps is to search for viruses and I'm using clamav to do it.
>
> It seems (manpage) that clamscan is able to search inside .zip and
> .rar files, right? However, I would like to know also if the tool
> is powerful enough to search inside attachment files in
> mails that are stored in .dbx files (.dbx is the mailbox format
> that Outlook Express uses) and .pst files (used by Outlook). There
> are several .dbx and .pst in the system I'm analysing and I suspect
> that some of them may contain a virus in a mail attachment.
>
> Otherwise, is there any workaround? (maybe a tool that extracts
> attachments in mails in a .dbx to plain files and then using clamscan
> on them)
>
> Any information/help is really welcome... Thanks in advance!
>
> (I've searched the list archives regarding this topic, but I didn't
> find anything; however, if I'm wrong and this topic has been
> already treated, please provide me a URL to the thread or
> discussion)
>
> Best regards,
>
> Fermín Galán Márquez CTTC - Centre Tecnològic
> de Telecomunicacions de Catalunya Parc Mediterrani de la
> Tecnologia, Av. del Canal Olímpic s/n, 08860 Castelldefels, Spain
> Room 1.02 Tel : +34 93 645 29 12 Fax : +34 93 645 29 01 Email
> address: [EMAIL PROTECTED]


I'm not sure ClamAV is the right tool for you. I doubt that ClamAV
can scan inside pst-files, you need the MAPI-interface for that.
Also, I don't think dbx files are supported either, but it still might
be possible for clam to recognize viruses in them.

I would guess that your best bet is going for a scanner (actually,
scanners if you want to do a thorough job) that has Windows as its
native platform (ClamAV is designed for *nix) and doing it from a
Windows environment (which would allow you to use the MAPI-interface
to scan inside the pst's). But it really depends on what kind of
system and compromise (accidental or professionally targeted) you're
dealing with.

Kind Regards,
Sander Holthaus


RE: [Clamav-users] Can clamscan scan attachments in mails in .dbx or .pst files?

2006-04-21 Thread Fermín Galán Márquez
Dear Sander,

First of all, thank you for your interest! :)

> I'm not sure ClamAV is the right tool for you. I doubt that ClamAV can
> scan inside pst-files, you need the MAPI-interface for that.
> Also, I don't think dbx files are supported either, but it still might be
> possible for clam to recognize viruses in them.

I guess it is possible to scan inside dbx as long as files in dbx are stored
in raw format (actually, I don't know). However, if dbx implements a UNIX
mailbox-like format for attachments (that is, a text transcodification of the
file, like base64) I guess clamavscan wouldn't be able to search for viruses (it
would need to transcode the text encoding of the raw format of the
attached file).

> I would guess that your best bet is going for a scanner (actually,
> scanners if you want to do a thorough job) that has Windows as its native
> platform (ClamAV is designed for *nix) and doing it from a Windows
> environment (which would allow you to use the MAPI-interface to scan
> inside the pst's). But it really depends on what kind of system and
> compromise (accidental or professionally targeted) you're dealing with.

I do forensics for hobby, it isn't a professional target.

You are right, but given that I'm analysing a Windows post-mortem filesystem
from a GNU/Linux environment it is difficult to execute a Windows-native
scanner. Maybe I should change my analysis environment (from GNU/Linux -
Windows :)

However, although I don't know the clamavscan code architecture, from the
clamavscan code point of view, a .dbx should be more or less like a .zip and
.rar: a file (with a given coding) that stores files inside that need to be
analysed.

Maybe a patch could be developed inspired by the .zip/.rar processing code.
I don't know if this is the right place for such discussion (or even if I
would have the time/expertise to develop the patch in the case I get all the
needed information :), but this would require two pieces of information:

- Which is the part of the code that implements the .zip/.rar analysis?
- Documentation about .dbx format (maybe difficult, because Microsoft
doesn't usually document its file formats)

Again, any piece of help/information is welcome!

Best regards,


Fermín Galán Márquez
CTTC - Centre Tecnològic de Telecomunicacions de Catalunya
Parc Mediterrani de la Tecnologia, Av. del Canal Olímpic s/n, 08860
Castelldefels, Spain
Room 1.02
Tel : +34 93 645 29 12 
Fax : +34 93 645 29 01
Email address: [EMAIL PROTECTED] 

PS. I'm focusing on .dbx, not on .pst (it seems to be a more complex file
format, and, actually, the mailbox files that I have in my Windows
filesystem are all .dbx).
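
Added example, not from the thread or from ClamAV: the workaround asked about above (decode mail attachments to plain files, then point the scanner at those), written for messages that have already been exported from the mailbox as RFC 822 text. Reading the .dbx container itself is not covered; the sample message, the marker bytes and the function names are constructed for the illustration.

```python
import email
import hashlib
import os
from email import policy
from email.message import EmailMessage

# Constructed placeholder bytes standing in for "a pattern a scanner looks for".
MARKER = b"CONSTRUCTED-SAMPLE-PATTERN (harmless placeholder bytes)"

def build_sample():
    """Constructed message: one attachment carrying a hostile-looking filename."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    msg.add_attachment(MARKER, maintype="application", subtype="octet-stream",
                       filename="../../outside.exe")
    return msg.as_bytes()

def extract_attachments(raw_message, out_dir):
    """Decode each attachment of one RFC 822 message into out_dir; return the paths."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    os.makedirs(out_dir, exist_ok=True)
    written = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_disposition() != "attachment" and not part.get_filename():
            continue
        data = part.get_payload(decode=True)  # undoes base64 / quoted-printable
        if not data:
            continue
        # Name the file by content hash; the sender-supplied name is never used as a path.
        path = os.path.join(out_dir, hashlib.sha256(data).hexdigest()[:16] + ".bin")
        with open(path, "wb") as fh:
            fh.write(data)
        written.append(path)
    return written
```

In the constructed sample the marker bytes do not occur in the encoded message text, only in the decoded file, which is the situation the message above is concerned with.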



RE: [Clamav-users] Can clamscan scan attachments in mails in .dbx or .pst files?

2006-04-21 Thread clamav

>> I would guess that your best bet is going for a scanner (actually,
>> scanners if you want to do a thorough job) that has Windows as its
>> native platform (ClamAV is designed for *nix) and doing it from a
>> Windows environment (which would allow you to use the MAPI-interface
>> to scan inside the pst's). But it really depends on what kind of
>> system and compromise (accidental or professionally targeted) you're
>> dealing with.
>
> I do forensics for hobby, it isn't a professional target.
>
> You are right, but given that I'm analysing a Windows
> post-mortem filesystem from a GNU/Linux environment it is
> difficult to execute a Windows-native scanner. Maybe I should
> change my analysis environment (from GNU/Linux - Windows :)

Have a look at: 
http://alioth.debian.org/projects/libpst/


MrC

