Re: [Clamav-users] Freshclam warning newer version, recommending older version

2006-10-27 Thread Dennis Peterson

ZiGGie wrote:

> # freshclam
> ClamAV update process started at Fri Oct 27 18:15:03 2006
> WARNING: Your ClamAV installation is OUTDATED!
> WARNING: Local version: 0.90RC1.1 Recommended version: 0.88.5
> DON'T PANIC! Read http://www.clamav.net/faq.html
> main.cvd is up to date (version: 40, sigs: 64138, f-level: 8, builder:
> tkojm)
> daily.cvd is up to date (version: 2126, sigs: 10476, f-level: 8, builder:
> sven)


This caught me too a few days ago as it is indicative of a spoiled 
installation. There has been a lot of discussion here about this, and 
while it is harmless, it is annoying. Continue using it and watch for 
new updates and read the change log files.


dp
___
http://lurker.clamav.net/list/clamav-users.html


[Clamav-users] Freshclam warning newer version, recommending older version

2006-10-27 Thread ZiGGie
# freshclam
ClamAV update process started at Fri Oct 27 18:15:03 2006
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.90RC1.1 Recommended version: 0.88.5
DON'T PANIC! Read http://www.clamav.net/faq.html
main.cvd is up to date (version: 40, sigs: 64138, f-level: 8, builder:
tkojm)
daily.cvd is up to date (version: 2126, sigs: 10476, f-level: 8, builder:
sven)





Re: [Clamav-users] Complexity limit on (custom) signatures?

2006-10-27 Thread Dennis Peterson

Kris Deugau wrote:

> From the problems I'm having with supposedly malformed signatures, it
> looks like there's an effective complexity limit;  from the problems in
> *matching* a signature that's finally been found to be acceptable, it
> looks like there's a (lower) limit on what Clam can actually use in
> matching.
>
> Any suggestions on what I might be doing wrong?

Not to change the direction on you, but you might want to take advantage 
of the work Steve Basford is doing at 
http://www.sanesecurity.com/clamav/ for phishing problems, and also look 
at http://www.msrbl.com/site/stats for image and spam solutions. Both 
sites are providing excellent results on systems I'm running. The 
patterns are downloadable and very up to date. I've not had a single 
complaint of false positives, and the number of patterns provided is 
quite large.


Steve has also written a very useable how-to for creating these patterns.

dp


[Clamav-users] Complexity limit on (custom) signatures?

2006-10-27 Thread Kris Deugau
I've been attempting to lighten the load for SpamAssassin a little by
creating signatures for the stock and pill spams that are flooding in
these days.  More specifically, I'm creating signatures for the attached
images in the spams.  (Upgrading SA, to be able to use OCR plugins and
so on, is not really possible, mostly due to system load.)

However, I'm having some odd problems with signatures that, so far as I
can tell, are *legitimate*, if perhaps a bit long.  Here's what I'm
doing to create signatures:

I take a set of images, manually sorted for rough similarity, and run
them through a script that calls sigtool --hex-dump, and picks out a
segment of the data.  (I started with just the first 400 characters of
hex, and pushed it up to 600;  with the current set I'm picking out ~600
characters starting with "2c" from anywhere.)

I further sort the resulting data by hand to find similar data, and then
feed that through another script that splits each line up into octets
and notes which octet has been seen in which position for the entire
data set.  It then constructs what should be a "correct" signature that
will match each line of the input according to the rules for ClamAV
signatures.  (More than 5 different octets at a position get converted
to ??, and finally long segments of ??...  get converted to {nn}.)

However, far too often, ClamAv rejects it as a malformed signature.
Chopping {nn} bits off the end often fixes that issue, but not always;
in some cases I've had to trim further (aa|bb|cc) blocks, along with
trailing {nn} and/or ?? segments that may get "exposed" at the end.

That still doesn't make a good signature for my purposes;  I often have
to trim *further* to get a signature that actually matches on the image
files I started with.  Manually spreading the data out shows it *should*
match fine before I've done any trimming.

From the problems I'm having with supposedly malformed signatures, it
looks like there's an effective complexity limit;  from the problems in
*matching* a signature that's finally been found to be acceptable, it
looks like there's a (lower) limit on what Clam can actually use in
matching.

Any suggestions on what I might be doing wrong?

I can post the scripts and some example signatures if needed.

-kgd
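
The signature-building step described in the post above, as an added example (not Kris Deugau's scripts, which are not shown on this page): it takes equal-length hex dumps and emits a literal, an (aa|bb) alternation, ?? or {n} per position by the rules he states, leaving out the manual sorting and the "2c" segment selection. The sample hex strings, the name `build_sig` and the threshold of three consecutive ?? for a "long" run are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ALT 5  /* from the post: more than 5 octets at a position -> ?? */
#define MIN_RUN 3  /* assumption: a run of >= 3 ?? counts as "long" -> {n} */

/* Constructed sample data (9 octets each), not real image bytes. */
static const char *const SAMPLES[] = {
    "2c0010a0b0c0ffd03b", "2c0020a1b1c1ffd13b", "2c0010a2b2c2ffd23b",
    "2c0020a3b3c3ffd33b", "2c0010a4b4c4ffd43b", "2c0020a5b5c5ffd53b",
};

/* samples: count lowercase hex strings of equal, even length.
 * Writes the signature to out; returns -1 if out could be too small. */
int build_sig(const char *const *samples, size_t count, char *out, size_t sz)
{
    size_t octets = count ? strlen(samples[0]) / 2 : 0, run = 0, len = 0;
    if (sz < 16 * octets + 1) return -1;   /* worst case: (aa|bb|cc|dd|ee) */
    out[0] = '\0';
    for (size_t pos = 0; pos <= octets; pos++) {
        const char *alt[MAX_ALT + 1];
        size_t nalt = 0;
        for (size_t s = 0; pos < octets && s < count && nalt <= MAX_ALT; s++) {
            const char *oct = samples[s] + 2 * pos;
            size_t k = 0;
            while (k < nalt && memcmp(alt[k], oct, 2) != 0) k++;
            if (k == nalt) alt[nalt++] = oct;   /* first time seen here */
        }
        if (pos < octets && nalt > MAX_ALT) { run++; continue; }
        /* literal position or end of data: flush the pending ?? run */
        if (run >= MIN_RUN)
            len += snprintf(out + len, sz - len, "{%zu}", run);
        else
            for (; run; run--) len += snprintf(out + len, sz - len, "??");
        run = 0;
        if (pos == octets) break;
        for (size_t k = 0; k < nalt; k++)
            len += snprintf(out + len, sz - len, "%s%.2s",
                            k ? "|" : (nalt > 1 ? "(" : ""), alt[k]);
        if (nalt > 1) len += snprintf(out + len, sz - len, ")");
    }
    return 0;
}

int main(void)
{
    char sig[256];
    if (build_sig(SAMPLES, 6, sig, sizeof sig) == 0) puts(sig);
    return 0;
}
```

Whether ClamAV accepts a given result is a separate question; the thread does not settle which constructs trigger the malformed-signature error.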


Re: [Clamav-users] Clam misidentifying portfile.dll

2006-10-27 Thread Tomasz Kojm
On Fri, 27 Oct 2006 11:40:57 -0500
"Thomas Raef" <[EMAIL PROTECTED]> wrote:

> I have been running clamwin on some Windows XP systems with Quickbooks
> installed. 

This is not a ClamWin mailing list. Please first verify the problem exists in
ClamAV and then report a false positive via our website.

-- 
   oo. Tomasz Kojm <[EMAIL PROTECTED]>
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Fri Oct 27 19:06:55 CEST 2006


[Clamav-users] Clam misidentifying portfile.dll

2006-10-27 Thread Thomas Raef
I have been running clamwin on some Windows XP systems with Quickbooks 
installed.
 
When I upgraded to the 88.5 version it misidentifies a Quickbooks dll 
(portfile.dll) as an infected file and quarantines it.
 
How do I get this de-listed (unlisted)???
 
Thank you.


Re: [Clamav-users] ClamAV miss Win32/Stration worm

2006-10-27 Thread Tomasz Kojm
On Fri, 27 Oct 2006 12:52:13 -0300
"Facundo Barrera" <[EMAIL PROTECTED]> wrote:

> Hi, I've got ClamAV 0.88.5  running and it's updated well (Today at
> 1:30 am), but it let pass thru this Worm

"Today at 1:30 am" means that your database is pretty much outdated.

-- 
   oo. Tomasz Kojm <[EMAIL PROTECTED]>
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Fri Oct 27 18:30:43 CEST 2006


Re: [Clamav-users] ClamAV miss Win32/Stration worm

2006-10-27 Thread Arnaud Jacques
Hello,

On Friday 27 October 2006 17:52, Facundo Barrera wrote:
> Hi, I've got ClamAV 0.88.5  running and it's updated well (Today at
> 1:30 am), but it let pass thru this Worm

Please, submit the sample :
http://cgi.clamav.net/sendvirus.cgi

-- 
Best regards,

Arnaud Jacques
Security Consultant
SecuriteInfo.com
http://www.securiteinfo.com
http://www.securiteinfo.net


[Clamav-users] ClamAV miss Win32/Stration worm

2006-10-27 Thread Facundo Barrera

Hi, I've got ClamAV 0.88.5  running and it's updated well (Today at
1:30 am), but it let pass thru this Worm

Any ideas??, hopefully NOD32 catch it!

Thanks.

The message contains Unicode characters and has been sent
as a binary attachment.

__ NOD32 1.1841 (20061027) Warning __

Warning: NOD32 antivirus system found the following in the message:
 doc.zip - a variant of Win32/Stration worm - deleted
 doc.zip > ZIP > doc.txt.cmd - a variant of Win32/Stration worm

http://www.eset.com

--
Facundo Agustin Barrera
IT Management.
Buenos Aires - Argentina.


Re: [Clamav-users] clamav-milter problem

2006-10-27 Thread Tomasz Kojm
On Fri, 27 Oct 2006 12:38:09 -0300
Nicholas Anderson <[EMAIL PROTECTED]> wrote:

> I have a login, and I logged in with it, and then it says that I don't
> have permission to access your bug id.

Should work now.

-- 
   oo. Tomasz Kojm <[EMAIL PROTECTED]>
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Fri Oct 27 17:44:30 CEST 2006


Re: [Clamav-users] clamav-milter problem

2006-10-27 Thread Nicholas Anderson
I have a login, and I logged in with it, and then it says that I don't
have permission to access your bug id.
:-P

Nicholas Anderson
Unix Systems Administrator
LPIC-1 Certified
Rede Fiocruz



R. Steven Rainwater wrote:
> On Fri, 2006-10-27 at 07:51, Nicholas Anderson wrote:
>
>>> https://wwws.clamav.net/bugzilla/show_bug.cgi?id=106
>>>
>> I tried accessing this post but I was not able ...
>> :-P
>> You are not authorized to access bug #106
>
> Hmmm...  I get a warning saying the site has a broken security
> certificate but once I click the "accept certificate anyway" button, it
> shows up just fine. I have a clamav bugzilla login though. Maybe you
> have to set up an account first? Try this URL:
>
>  https://wwws.clamav.net/bugzilla/createaccount.cgi
>
> -Steve


Re: [Clamav-users] clamav-milter problem

2006-10-27 Thread R. Steven Rainwater
On Fri, 2006-10-27 at 07:51, Nicholas Anderson wrote:
> > https://wwws.clamav.net/bugzilla/show_bug.cgi?id=106
> >   
> I tried accessing this post but I was not able ...
> :-P
> You are not authorized to access bug #106

Hmmm...  I get a warning saying the site has a broken security
certificate but once I click the "accept certificate anyway" button, it
shows up just fine. I have a clamav bugzilla login though. Maybe you
have to set up an account first? Try this URL:

 https://wwws.clamav.net/bugzilla/createaccount.cgi

-Steve



Re: [Clamav-users] Clamd 0.90RC1.1 version string

2006-10-27 Thread Ovidiu Bivolaru
Hi Robert,

 I have 2 different machines using Gentoo Linux: one with ClamAV 0.88.5
and other with ClamAV 0.99RC1.1.
 The output is: /var/lib/clamav.  clamd -V output was correct, VERSION
answer was not.

 Interesting, that it has started to work :)
# clamd -V
ClamAV 0.90RC1.1/2121/Fri Oct 27 11:42:49 2006
# telnet localhost 3310
VERSION
ClamAV 0.90RC1.1/2121/Fri Oct 27 11:42:49 2006
 
 Why is that? Due to DB updates? Thank you.

Regards,
Ovidiu

Robert Allerstorfer wrote:
> On Thu, 26 Oct 2006, 23:30 GMT+03 Ovidiu Bivolaru wrote:
>
>   
>>  Example:
>>  v. 0.88.5
>>  ClamAV 0.88.5/2108/Thu Oct 26 19:21:59 2006
>>  v. 0.90RC1.1
>>  ClamAV 0.90RC1.1
>> 
>
> I guess your problem is another one. What is the output of
>
> /path_to/clamscan --debug --no-summary --tempdir=/dev/null 2>&1 | sed -e '/Loading databases from/!d' -e 's/.* //'
>
> from both clamscan versions?
>
> regards,
> rob.
>


Re: [Clamav-users] clamav-milter problem

2006-10-27 Thread Nicholas Anderson
R. Steven Rainwater wrote:
> Thanks! I've filed a bug report and included sample error messages from
> my log. It might be a good idea if some of the other people experiencing
> this posted samples of their logs on the bug report too.
>
> https://wwws.clamav.net/bugzilla/show_bug.cgi?id=106
>   
I tried accessing this post but I was not able ...
:-P
You are not authorized to access bug #106




Re: [Clamav-users] Freshclam says 0.90RC1.1 is outdated

2006-10-27 Thread Stephen Gran
On Fri, Oct 27, 2006 at 11:02:59AM +0200, Robert Allerstorfer said:
> On Thu, 26 Oct 2006, 13:23 GMT-04 Jim Maul wrote:
> 
> > Eric Peabody wrote:
> >> # freshclam -v
> (...)
> >> Software version from DNS: 0.88.5 WARNING: Your ClamAV installation
> >> is OUTDATED!  WARNING: Local version: 0.90RC1.1 Recommended
> >> version: 0.88.5
> 
> > Of course it says its outdated, 0.90RC1.1 != 0.88.5
> 
> This should not be "of course", it's in fact a bug.
> 'freshclam/manager.c' has been designed NOT to issue a version
> outdated warning on development (devel) and release candidates (rc)
> versions.
> 
> If ClamAV 0.90RC1.1 would have the version number "0.90rc1.1"
> (lowercase-rc), no warning would appear. Thus, this problem could be
> seen as a bug in the format the version number has been assigned.
> Versioning the next release candidate to "0.90rc2" (as it has been the
> case in the 0.8 releases) will automatically solve this bug.

Another fix might be to change strstr to strcasestr on line 1031 of
freshclam/manager.c, although I think that's a non-standard extension.
-- 
Stephen Gran
[EMAIL PROTECTED]
http://www.lobefin.net/~steve

"The time spent on any item of the agenda [of a finance committee] will be
in inverse proportion to the sum involved." -- C.N. Parkinson




Re: [Clamav-users] Clamd 0.90RC1.1 version string

2006-10-27 Thread Robert Allerstorfer
On Thu, 26 Oct 2006, 23:30 GMT+03 Ovidiu Bivolaru wrote:

>  Example:
>  v. 0.88.5
>  ClamAV 0.88.5/2108/Thu Oct 26 19:21:59 2006
>  v. 0.90RC1.1
>  ClamAV 0.90RC1.1

I guess your problem is another one. What is the output of

/path_to/clamscan --debug --no-summary --tempdir=/dev/null 2>&1 | sed -e '/Loading databases from/!d' -e 's/.* //'

from both clamscan versions?

regards,
rob.



Re: [Clamav-users] Freshclam says 0.90RC1.1 is outdated

2006-10-27 Thread Robert Allerstorfer
On Thu, 26 Oct 2006, 13:23 GMT-04 Jim Maul wrote:

> Eric Peabody wrote:
>> # freshclam -v
(...)
>> Software version from DNS: 0.88.5
>> WARNING: Your ClamAV installation is OUTDATED!
>> WARNING: Local version: 0.90RC1.1 Recommended version: 0.88.5

> Of course it says its outdated, 0.90RC1.1 != 0.88.5

This should not be "of course", it's in fact a bug.
'freshclam/manager.c' has been designed NOT to issue a version
outdated warning on development (devel) and release candidates (rc)
versions.

If ClamAV 0.90RC1.1 would have the version number "0.90rc1.1"
(lowercase-rc), no warning would appear. Thus, this problem could be
seen as a bug in the format the version number has been assigned.
Versioning the next release candidate to "0.90rc2" (as it has been the
case in the 0.8 releases) will automatically solve this bug.

regards,
rob.
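
The behaviour described in this message and in Stephen Gran's reply above, modelled as an added example (this is not the code from freshclam/manager.c): it shows why a case-sensitive substring test lets 0.90RC1.1 fall through to the warning, and gives a portable case-insensitive search because strcasestr is a non-standard extension. The assumption is that the pre-release exemption is a substring test for "devel" and "rc"; the names `warns_outdated`, `is_prerelease` and `ci_strstr` and the version 0.88.4 are constructed for the illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Portable case-insensitive substring search (strcasestr is a non-standard
 * extension). Returns a pointer to the first match, or NULL. */
static const char *ci_strstr(const char *hay, const char *needle)
{
    size_t n = strlen(needle);
    if (n == 0)
        return hay;
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i] &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n)
            return hay;
    }
    return NULL;
}

/* Hypothetical model of the check described in the thread: pre-release
 * builds ("devel", "rc") are exempt from the OUTDATED warning. */
static int is_prerelease(const char *ver, int ignore_case)
{
    if (ignore_case)
        return ci_strstr(ver, "devel") || ci_strstr(ver, "rc");
    return strstr(ver, "devel") || strstr(ver, "rc");
}

/* Returns 1 when the warning would be printed, 0 otherwise. */
int warns_outdated(const char *local, const char *recommended, int ignore_case)
{
    if (is_prerelease(local, ignore_case))
        return 0;
    return strcmp(local, recommended) != 0;
}

int main(void)
{
    const char *rec = "0.88.5";   /* recommended version from the thread */
    /* "0.88.4" is a constructed value; the others appear in the thread */
    const char *locals[] = { "0.90RC1.1", "0.90rc1.1", "0.88.4", "0.88.5" };
    for (size_t i = 0; i < sizeof locals / sizeof locals[0]; i++)
        printf("%-10s strstr:%d case-insensitive:%d\n", locals[i],
               warns_outdated(locals[i], rec, 0),
               warns_outdated(locals[i], rec, 1));
    return 0;
}
```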
