[Copfilter] Copy of quarantined email - *** SPAM *** [6.0/6.0] Re: [Clamav-users] Protection from W32.Sality.U

2007-01-04 Thread [EMAIL PROTECTED]
BG Mahesh wrote:
> hi
>
> I am getting few emails which are passing thru clamav. Norton says the email
> is infected with W32.Sality.U
>
> Is there an update for clamav which can protect me from W32.Sality.U? I am
> using 0.88.7

Have you submitted a sample to www.clamav.net?

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html




[Clamav-users] Strange behaviour on x86_64 (was 'Memory leak on x86_64!?')

2007-01-04 Thread Stephan Brauss
Hi!

As announced, I have done some testing with files containing garbage.
I start a new thread as I want to get away from the vmware image related
discussion.

On my X86_64 SuSE 10.1 system, equipped with 4GB main memory, I have installed
the standard rpm clamav-0.88.7-1.2.x84_64.rpm that can be downloaded from
ftp.suse.com. I have done some testing with 1GB, 2GB and 6GB files created by
use of /dev/urandom. When I scan the files, all seems to run ok until a certain
point. From then on, the resident size clamscan has allocated (on my system
about 26M; the 'RES' column shown by 'top') starts to rise rapidly up to
several GB. It takes several minutes until the resident size starts to rise.
I have appended all commands and their output below.
If you look at the time consumed, you can see that the 6GB file takes 60min,
the 2GB file 18min, and the 1GB file only 6min. I think this is strange. About
3.5G of memory is unused before I run the scans. Please also have a look at
the Data scanned lines: The reported size is twice the size of the file.

Stephan


dd if=/dev/urandom of=file bs=1048576 count=6144
dd if=/dev/urandom of=file2 bs=1048576 count=2048
dd if=/dev/urandom of=file3 bs=1048576 count=1024

ls -la
total 9446432
drwxr-xr-x  2 root root       4096 2007-01-04 10:03 .
drwxr-xr-x 31 root root       4096 2007-01-04 10:23 ..
-rw-r--r--  1 root root 6442450944 2007-01-03 12:17 file
-rw-r--r--  1 root root 2147483648 2007-01-04 09:58 file2
-rw-r--r--  1 root root 1073741824 2007-01-04 10:06 file3

du -h *
6.1G    file
2.1G    file2
1.1G    file3


clamscan --verbose --stdout --no-archive file
Scanning file


--- SCAN SUMMARY ---
Known viruses: 86039
Engine version: 0.88.7
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 12229.56 MB
Time: 3627.437 sec (60 m 27 s)

clamscan --verbose --stdout --no-archive file2
Scanning file2

--- SCAN SUMMARY ---
Known viruses: 86039
Engine version: 0.88.7
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 4076.48 MB
Time: 1113.966 sec (18 m 33 s)

clamscan --verbose --stdout --no-archive file3
Scanning file3

--- SCAN SUMMARY ---
Known viruses: 86039
Engine version: 0.88.7
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 2038.00 MB
Time: 412.843 sec (6 m 52 s)


[Clamav-users] ClamAV version mismatch

2007-01-04 Thread Mathias

Hi. I'm confused. I just upgraded to  0.88.7/2410 but in my email headers I
still get : clamdscan: 0.88.4/2407.

Here's what I get when I manually run the version-parameter on the binaries:

# /usr/local/bin/clamdscan -V
ClamAV 0.88.7/2410/Wed Jan  3 13:58:16 2007

# /usr/local/bin/clamscan -V
ClamAV 0.88.7/2410/Wed Jan  3 13:58:16 2007

# /usr/local/bin/clamav-config --version
0.88.7

# /usr/local/sbin/clamd -V
ClamAV 0.88.7/2410/Wed Jan  3 13:58:16 2007

I can't find any other binaries and I've even restarted the server. The
libraries are the same files as in the compiled source... what am I missing
here? I'm running FreeBSD 5.4 on x86.

Thanks,
Mathias.




Re: [Clamav-users] ClamAV version mismatch

2007-01-04 Thread Rolf E. Sonneveld

Mathias wrote:
> Hi. I'm confused. I just upgraded to  0.88.7/2410 but in my email headers I
> still get : clamdscan: 0.88.4/2407.
>
> Here's what I get when I manually run the version-parameter on the binaries:
>
> # /usr/local/bin/clamdscan -V
> ClamAV 0.88.7/2410/Wed Jan  3 13:58:16 2007
>
> # /usr/local/bin/clamscan -V
> ClamAV 0.88.7/2410/Wed Jan  3 13:58:16 2007
>
> # /usr/local/bin/clamav-config --version
> 0.88.7
>
> # /usr/local/sbin/clamd -V
> ClamAV 0.88.7/2410/Wed Jan  3 13:58:16 2007
>
> I can't find any other binaries and I've even restarted the server. The
> libraries are the same files as in the compiled source... what am I missing
> here? I'm running FreeBSD 5.4 on x86.


What mail server do you run? And how does the mailserver determine the 
clamdscan header?


/rolf



[Clamav-users] Re: ClamAV version mismatch

2007-01-04 Thread Mathias
> What mail server do you run? And how does the mailserver determine the
> clamdscan header?

I'm running qmail with qmailscan 1.25. I guess something has got to be
compiled in there although I thought that qmailscan was just a perlscript
(qmail-scanner-queue.pl). I'll dig into it unless you know right away where
the problem lies?


Thanks,
Mathias. 





Re: [Clamav-users] Re: ClamAV version mismatch

2007-01-04 Thread Rolf E. Sonneveld

Mathias wrote:
>> What mail server do you run? And how does the mailserver determine
>> the clamdscan header?
>
> I'm running qmail with qmailscan 1.25. I guess something has got to be
> compiled in there although I thought that qmailscan was just a
> perlscript (qmail-scanner-queue.pl). I'll dig into it unless you know
> right away where the problem lies?


No, unfortunately not.

/rolf



Re: [Clamav-users] ClamAV version mismatch

2007-01-04 Thread Rob MacGregor

On 1/4/07, Mathias [EMAIL PROTECTED] wrote:
> Hi. I'm confused. I just upgraded to  0.88.7/2410 but in my email headers I
> still get : clamdscan: 0.88.4/2407.


Maybe you've got 0.88.4 somewhere in the path?  What does which
clamscan show and did you install both via the ports, or manually?

--
Please keep list traffic on the list.

Rob MacGregor
 Whoever fights monsters should see to it that in the process he
   doesn't become a monster.  Friedrich Nietzsche


Re: [Clamav-users] Re: ClamAV version mismatch

2007-01-04 Thread Jim Maul

Mathias wrote:
>> What mail server do you run? And how does the mailserver determine the
>> clamdscan header?
>
> I'm running qmail with qmailscan 1.25. I guess something has got to be
> compiled in there although I thought that qmailscan was just a perlscript
> (qmail-scanner-queue.pl). I'll dig into it unless you know right away
> where the problem lies?




The problem is with qmail-scanner.  You must run qmail-scanner-queue.pl 
-z to get it to re-read the version information from your installed 
scanners.  This is all on the qmail-scanner website somewhere.  FWIW, 
this is purely aesthetic, the old version info is stored in 
qmail-scanner-queue-version.txt but it is actually using the newer 
version of clamav you have installed.


-Jim
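
A check for the mismatch described above, as an added example that is not part of the original thread: it parses the two version strings quoted in the thread (the `clamdscan: 0.88.4/2407` header fragment and the `clamdscan -V` line) and reports whether the engine or the database number differs. The function names and the sample header line are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): compare the ClamAV version that
# qmail-scanner stamps into mail headers with what `clamdscan -V` reports.

# "ClamAV 0.88.7/2410/Wed Jan  3 13:58:16 2007" -> "0.88.7/2410"
installed_version() {
    printf '%s\n' "$1" |
        sed -n 's|^ClamAV \([0-9][0-9.]*/[0-9][0-9]*\)/.*|\1|p' | head -n 1
}

# Any header text containing "clamdscan: 0.88.4/2407" -> "0.88.4/2407"
header_version() {
    printf '%s\n' "$1" |
        sed -n 's|.*clamdscan: \([0-9][0-9.]*/[0-9][0-9]*\).*|\1|p' | head -n 1
}

# $1 = header text, $2 = `clamdscan -V` output.
# Prints one verdict; returns 0 on match, 1 on mismatch, 2 if unparsable.
check_header_version() {
    hdr=$(header_version "$1")
    cur=$(installed_version "$2")
    if [ -z "$hdr" ] || [ -z "$cur" ]; then
        echo "unparsed"; return 2
    fi
    # Engine version is the part before the slash, database version after it.
    if [ "${hdr%%/*}" != "${cur%%/*}" ]; then
        echo "engine-stale header=$hdr installed=$cur"; return 1
    fi
    # The cached database number lags after every signature update.
    if [ "${hdr#*/}" != "${cur#*/}" ]; then
        echo "db-stale header=$hdr installed=$cur"; return 1
    fi
    echo "match $cur"
}

# Constructed sample header line; only the "clamdscan: 0.88.4/2407" fragment
# is taken from the thread, the rest of the line is made up for illustration.
SAMPLE_HEADER='X-Example-Scanner: qmail-scanner (clamdscan: 0.88.4/2407. Clear)'
SAMPLE_V='ClamAV 0.88.7/2410/Wed Jan  3 13:58:16 2007'

check_header_version "$SAMPLE_HEADER" "$SAMPLE_V" ||
    echo "headers are stale: re-run qmail-scanner-queue.pl -z"
```

In production, pass the output of `/usr/local/bin/clamdscan -V` as the second argument and a header from a freshly delivered message as the first.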


[Clamav-users] Update / upgrade questions

2007-01-04 Thread Vanco, Don
Hello all -
New user here, couple quick questions.

Background:
I am trying to support a customer under a bit of duress.  I know Linux,
but have not worked with ClamAV directly myself, so am a bit hesitant
because this is an env. that processes 250k emails a day.

I've read over the FAQ, and things seem fairly clear, but I wanted to
ask a couple quick questions to bolster my confidence before I proceed.
Upgrade will be done via remote access.

System:
RHEL 3 Update 8, AS, on 32-bit Intel 2-way server
Running QMail (netqmail 1.05) (I have seen a post in the archives about
running a QMail script to update the scan headers after install/upgrade)

Current ClamAV is 0.88.4/2061 (installed Oct. last year)

Customer uses a cluster filesystem (IBM GPFS) so config data is in
non-standard locations based on shares of this FS.

Questions:
I see the current release is 0.88.7 - is it advisable to upgrade the
base package as opposed to just the scan DB?  I took a look at the
changelog in the latest stable and it looks like there were some
required fixes, so I'm guessing that's a yes.

The FAQ says Uninstall Old; Install New - is there any config data I
should look for in the old build? (I have the log)  Do I need to worry
about losing any config data by uninstalling?  

If it's not obvious, I'm a little concerned about a potential
disruption of service.  So, if there's any other install tidbits
anyone wants to pass on it's appreciated...

TIA
Don




Re: [Clamav-users] Update / upgrade questions

2007-01-04 Thread Jim Maul

Vanco, Don wrote:
> Hello all -
> New user here, couple quick questions.
>
> Background:
> I am trying to support a customer under a bit of duress.  I know Linux,
> but have not worked with ClamAV directly myself, so am a bit hesitant
> because this is an env. that processes 250k emails a day.
>
> I've read over the FAQ, and things seem fairly clear, but I wanted to
> ask a couple quick questions to bolster my confidence before I proceed.
> Upgrade will be done via remote access.
>
> System:
> RHEL 3 Update 8, AS, on 32-bit Intel 2-way server
> Running QMail (netqmail 1.05) (I have seen a post in the archives about
> running a QMail script to update the scan headers after install/upgrade)



Yes, you should run qmail-scanner-queue.pl -z after you have the new
version of clamav installed to pull the new version information and
update the .txt file that holds this info.  Everything will work fine
even if you don't do this, but the headers will have the old version info.


-Jim


[Clamav-users] Re: Re: ClamAV version mismatch

2007-01-04 Thread Mathias
Thanks Jim, that's exactly the information I was looking for. Since I
couldn't find any other binaries than the ones I referred to earlier I was
suspecting it was only something aesthetic. I got to upgrade to
qmailscanner v2.01 as a try-to-solve, so something good came out from the
first upgrade anyway!


Cheers and thanks a lot.
/Mathias


Jim Maul [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> The problem is with qmail-scanner.  You must run qmail-scanner-queue.pl -z
> to get it to re-read the version information from your installed scanners.
> This is all on the qmail-scanner website somewhere.  FWIW, this is purely
> aesthetic, the old version info is stored in
> qmail-scanner-queue-version.txt but it is actually using the newer version
> of clamav you have installed.
>
> -Jim





Re: [Clamav-users] freshclam blacklist?

2007-01-04 Thread kwijibo

Doug Hubbard wrote:
> I am starting to think my systems have been blacklisted for some reason.
> They have all (3) been set up according to the instructions listed on
> the web site, but all are failing to get updates.
>
> How do I
> 1) find out for certain if I am blacklisted? (none of the machines in
> question have lynx or wget on them so that option from the FAQ won't work)


Can you install them?  Both of these are rather small and unintrusive
programs.


Steve


Re: [Clamav-users] freshclam blacklist?

2007-01-04 Thread Sander Holthaus
Doug Hubbard wrote:
> I am starting to think my systems have been blacklisted for some
> reason.
> They have all (3) been set up according to the instructions listed
> on the web site, but all are failing to get updates.
> How do I
> 1) find out for certain if I am blacklisted? (none of the machines
> in question have lynx or wget on them so that option from the FAQ
> won't work)
> 2) get removed from the blacklist if I am on it?
> 3) find out what cause the blacklisting to start with?
>
> Thanks for any help you can provide.

To start with, which tools do you have? What are the error-messages?
Can you ping/traceroute the update hosts? Telnet?

Kind Regards,
Sander Holthaus



Re: [Clamav-users] freshclam blacklist?

2007-01-04 Thread Noel Jones

At 05:08 PM 1/4/2007, you wrote:
> I am starting to think my systems have been blacklisted for some reason.
> They have all (3) been set up according to the instructions listed
> on the web site, but all are failing to get updates.
>
> How do I
> 1) find out for certain if I am blacklisted? (none of the machines
> in question have lynx or wget on them so that option from the FAQ won't work)
> 2) get removed from the blacklist if I am on it?
> 3) find out what cause the blacklisting to start with?
>
> Thanks for any help you can provide.
> --


See if you can make connections to port 80 with telnet...

$ telnet www.yahoo.com 80
Trying 216.109.112.135...
Connected to rc.yahoo.akadns.net.
Escape character is '^]'.
head /  <enter><enter>
<bunch of stuff printed...>

If the connection to yahoo works, try the same with 
database.clamav.net.  If it doesn't, you're blacklisted (too-frequent 
updates? - I don't know).  I think the blacklist entry is 
automatically removed after 24 hours.


If the server doesn't have telnet installed, you will need to install 
some kind of testing tool, might as well install lynx or wget for 
testing, remove later.


--
Noel Jones 
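
The same port-80 comparison for a host that has no telnet, lynx or wget, as an added example that is not part of the original post: it uses bash's `/dev/tcp` pseudo-device and coreutils `timeout`, both assumed to be present. The function names and verdict strings are made up here; the two host names are the ones used in the message above.

```shell
#!/bin/sh
# Added example (not from the thread): HTTP reachability test that needs
# only bash and coreutils `timeout`, no telnet, lynx or wget.

# Send "HEAD / HTTP/1.0" to $1:$2 (port defaults to 80) and print the first
# response line. Runs in a child bash so a failed connect cannot end the
# calling shell; `timeout` bounds the wait when packets are silently dropped.
http_head() {
    timeout "${PROBE_TIMEOUT:-10}" bash -c '
        exec 3<>"/dev/tcp/$1/$2" || exit 1
        printf "HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n" "$1" >&3
        IFS= read -r line <&3 || exit 1
        printf "%s\n" "$line" | tr -d "\r"
    ' _ "$1" "${2:-80}" 2>/dev/null
}

# $1 = status line from the control host, $2 = status line from the update
# host; an empty string means the probe failed.
diagnose() {
    if [ -z "$1" ]; then
        echo "no-outbound-http"     # control failed too: local network/firewall
    elif [ -z "$2" ]; then
        echo "target-unreachable"   # control works, update host does not
    else
        echo "reachable"
    fi
}

# Probe a control host first, then the update host, and print one verdict.
check_update_host() {
    control=$(http_head "${1:-www.yahoo.com}") || true
    target=$(http_head "${2:-database.clamav.net}") || true
    diagnose "$control" "$target"
}

# Touches the network only when asked to.
if [ "${1:-}" = "--run" ]; then
    check_update_host
fi
```

A `target-unreachable` verdict only shows that the update host does not answer from this machine; it does not say why.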




[Clamav-users] About freshclam problem

2007-01-04 Thread Wilson Kwok
After I type freshclam, I want to know what is:

WARNING: DNS record is older than 3 hours.
WARNING: Invalid DNS reply. Falling back to HTTP mode.

Thanks

ClamAV update process started at Fri Jan  5 15:33:03 2007
SECURITY WARNING: NO SUPPORT FOR DIGITAL SIGNATURES
See the FAQ at http://www.clamav.net/faq.html for an explanation.
WARNING: DNS record is older than 3 hours.
WARNING: Invalid DNS reply. Falling back to HTTP mode.
Reading CVD header (main.cvd): OK (IMS)
main.cvd is up to date (version: 41, sigs: 73809, f-level: 10, builder: tkojm)
Reading CVD header (daily.cvd): OK (IMS)
daily.cvd is up to date (version: 2314, sigs: 6689, f-level: 9, builder: ccordes



[Clamav-users] Scan / directory problem

2007-01-04 Thread Wilson Kwok
I used the clamscan command to scan the root / directory, after that I only
have the following results:

[EMAIL PROTECTED] bin]# ./clamscan /
//.autofsck: Empty file

--- SCAN SUMMARY ---
Known viruses: 86055
Engine version: 0.88.7
Scanned directories: 1
Scanned files: 0
Infected files: 0
Data scanned: 0.00 MB
Time: 12.450 sec (0 m 12 s)

Why does it display that only one directory was scanned?

Thanks



[Clamav-users] problems updating using apt

2007-01-04 Thread heze54
hi,

How can I upgrade my clamav installation to the latest version using
apt-get command? Is it possible?


Best regards






Re: [Clamav-users] Scan / directory problem

2007-01-04 Thread Dennis Peterson
 
> I used the clamscan command to scan the root / directory, after that I only
> have the following results:
>
> [EMAIL PROTECTED] bin]# ./clamscan /
> //.autofsck: Empty file
>
> --- SCAN SUMMARY ---
> Known viruses: 86055
> Engine version: 0.88.7
> Scanned directories: 1
> Scanned files: 0
> Infected files: 0
> Data scanned: 0.00 MB
> Time: 12.450 sec (0 m 12 s)
>
> Why does it display that only one directory was scanned?


Try:

./clamscan -rv /

dp