Re: [Clamav-users] Mailware passes undetected.... is this a failure within my MTA?
On Tue, 16 Jan 2007 08:15:41 +0300
Odhiambo Washington <[EMAIL PROTECTED]> wrote:

> * On 15/01/07 21:12 -0800, Dennis Peterson wrote:
> | Odhiambo Washington wrote:
> | >Hi,
> | >
> | >For some strange reasons, I've seen some malware go past my filters
> | >on several occasions.
> | >One such case is today, where a mail containing two attachments, one
> | >a gif and the other a zip archive, skipped clamd completely and was
> | >delivered to my inbox.
> | >
> | >However, when I extract the attachment from the file and scan it with
> | >clamd, the worm is detected.
> | >
> | >Either this is a failure of the configuration on my MTA, or in the
> | >way clamd analyzes such e-mail. I am running 0.88.7.
> |
> | Do you have any kind of minimum size limit a message must have before it
> | is a candidate for scanning? Many sites don't scan very large messages
> | because they are outside the typical size for spam/viruses. It's a
> | choice that brings some risk but it does make things more efficient.
>
> Yes, I don't subject to scanning any mails whose size exceed 1MB, but
> the mail in question does not meet this criteria.
>
> -Wash

Don't forget that mails are delivered in base 64 (usually??) if they're
binary, and this could exceed the 1MB threshold if they're of any size,
as they're a lot bigger than the final target.

Steve
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
[Clamav-users] Re: ClamAV upgrade
On Tuesday January 16, 2007 at 12:44:15 (AM) Nick wrote:

> Hi?
> I am running a FreeBSD 6.0 and clamav 0.88.2_4. I have done a port upgrade
> intending to upgrade to 0.88.7 but still this is what I get :
>
> # portupgrade -v clamav
> ---> Session started at: Tue, 16 Jan 2007 08:38:20 +0300
> ** No need to upgrade 'clamav-0.88.2_4' (>= clamav-0.88.2_4). (specify -f to force)
> ---> Listing the results (+:done / -:ignored / *:skipped / !:failed)
> - security/clamav (clamav-0.88.2_4)
> ---> Packages processed: 0 done, 1 ignored, 0 skipped and 0 failed
> ---> Session ended at: Tue, 16 Jan 2007 08:38:20 +0300 (consumed 00:00:00)
>
> How do I upgrade to 0.88.7?

Update your ports tree. Use either cvsup or portsnap to accomplish this.
You might then want to use either portupgrade or portmanager to update
all of your programs. Sounds like you might have several out of date ones.

--
Gerard
Re: [Clamav-users] Clamscan error on OS X Server 10.4.8 impossible to execute as root !
Thanks for all these answers !

To be more precise :

1. OS X Server has root user account AKA "System Administrator"
   configured on BSD local files, Local Netinfo DB, and LDAP (as it is
   activated in my case).

2. I am scanning a bunch of files, but I am not scanning it through the
   Network but on the Local System, it just happened to be a shared point.

I am using user root because it is the only one to have full access to
all these files.

Here is what happened when I scan it with regular user clamav :

[superxserv:~] clamav% clamscan -l /var/log/clamscan.log -r -v /Volumes/RAID/Users/ &
[1] 24589
[superxserv:~] clamav% LibClamAV Warning:
LibClamAV Warning: *** This version of the ClamAV engine is outdated. ***
LibClamAV Warning: *** DON'T PANIC! Read http://www.clamav.net/faq.html ***
LibClamAV Warning:
/Volumes/RAID/Users/pac3d1: Can't open directory.
/Volumes/RAID/Users/pac3d2: Can't open directory.
/Volumes/RAID/Users/pac3d3: Can't open directory.
/Volumes/RAID/Users/pac3d4: Can't open directory.
/Volumes/RAID/Users/pacabern: Can't open directory.
/Volumes/RAID/Users/pacaccue: Can't open directory.
/Volumes/RAID/Users/pacafeno: Can't open directory.
/Volumes/RAID/Users/pacagonc: Can't open directory.
/Volumes/RAID/Users/paccchar: Can't open directory.
/Volumes/RAID/Users/paccclod: Can't open directory.
/Volumes/RAID/Users/paccfria: Can't open directory.
/Volumes/RAID/Users/pacclepo: Can't open directory.
/Volumes/RAID/Users/paccmont: Can't open directory.
/Volumes/RAID/Users/pacdlaug: Can't open directory.
/Volumes/RAID/Users/pacdshul: Can't open directory.
/Volumes/RAID/Users/pacelipc: Can't open directory.
/Volumes/RAID/Users/pacfgutk: Can't open directory.
/Volumes/RAID/Users/pacglego: Can't open directory.
/Volumes/RAID/Users/pachlope: Can't open directory.
/Volumes/RAID/Users/pacjchik: Can't open directory.
/Volumes/RAID/Users/pacjmich: Can't open directory.
/Volumes/RAID/Users/pacjozan: Can't open directory.
/Volumes/RAID/Users/pacmfern: Can't open directory.
/Volumes/RAID/Users/pacmlame: Can't open directory.
/Volumes/RAID/Users/pacmtric: Can't open directory.
/Volumes/RAID/Users/pacnaiss: Can't open directory.
/Volumes/RAID/Users/pacnisab: Can't open directory.
/Volumes/RAID/Users/pacnodru: Can't open directory.
/Volumes/RAID/Users/pacplari: Can't open directory.
/Volumes/RAID/Users/pacsconj: Can't open directory.
/Volumes/RAID/Users/pacstage: Can't open directory.

--- SCAN SUMMARY ---
Known viruses: 86882
Engine version: 0.88.5
Scanned directories: 32
Scanned files: 0
Infected files: 0
Data scanned: 0.00 MB
Time: 4.186 sec (0 m 4 s)

And with root you already know what happened !

superxserv:~ root# clamscan -l /var/log/clamscan.log -r -v /Volumes/RAID/Users/ &
[1] 24605
superxserv:~ root# ERROR: Can't get information about user 0

[1]+  Exit 60  clamscan -l /var/log/clamscan.log -r -v /Volumes/RAID/Users/
superxserv:~ root#

???

On 16 Jan 07, at 03:39, Dennis Peterson wrote:

> Stephen Gran wrote:
>> On Mon, Jan 15, 2007 at 05:41:52PM -0800, Dennis Peterson said:
>>> It required a visit to the Makefile to see where the user was being
>>> defined and you're right. I did not know this about clamscan and
>>> don't yet understand the rationale, but it does have an impact on
>>> systems where clamscan is intended to be used but not clamd nor
>>> clamdscan - stand alone systems, in other words. I'll have to tweak
>>> my Cfengine configs some. Does anyone know what this code is
>>> supposed to protect?
>>
>> My impression is that it is for unpacking archives and following
>> symlinks and so forth - it deliberately drops privileges before doing
>> so, so that sensitive files aren't tampered with. Maybe one of the dev
>> team can shed more light on the subject, but that's what a quick
>> glance through the code suggests.
>
> Of course - and perfectly sensible. I had no need to scan any archives
> so didn't make the association. This information allows a workaround
> without hacking the code. Thanks, Stephen.
>
> dp

Gregober ---> PGP ID --> 0x1BA3C2FD
bsd @at@ todoo.biz

"Please consider your environmental responsibility before printing this e-mail"
[Clamav-users] Exclude attach file from Scan
Hi Guys,

I have a problem: I need a way to exclude some attached files from
scanning, because this file is encrypted and clamav identifies it as a
virus.

I am using qmail with qmail-scanner and clamav.

Thanks for all
[Clamav-users] Bypassing clamav-milter
We have a mail server that gets filtered through postini. But for some
reason management has decided to open it up to connections other than
postini. Is there any way that the clamav-milter can be told to only scan
mail that was not relayed through postini? I have searched a good bit and
can't find any information regarding this.

Thanks for any help.

Bryan
Re: [Clamav-users] Bypassing clamav-milter
Bryan Vest wrote:

> We have a mail server that gets filtered through postini. But for some
> reason management has decided to open it up to connections other than
> postini. Is there any way that the clamav-milter can be told to only scan
> mail that was not relayed through postini? I have searched a good bit and
> can't find any information regarding this.
>
> Thanks for any help.
>
> Bryan

The easiest thing I think you could do is just not call clamav-milter if
it comes from a Postini IP.

Steve
[Clamav-users] test av
Hi,

I have used testvirus.org, gfi.com, ... to test my clamav installation,
but these tools are no longer on those web sites. Is there another test
available?

Thanks.

--
Salvatore.
Re: [Clamav-users] Clamscan error on OS X Server 10.4.8 impossible to execute as root !
On Jan 16, 2007, at 3:35 AM, bsd wrote:

> And with root you already know what happened !
>
> superxserv:~ root# clamscan -l /var/log/clamscan.log -r -v /Volumes/RAID/Users/ &
> [1] 24605
> superxserv:~ root# ERROR: Can't get information about user 0
>
> [1]+  Exit 60  clamscan -l /var/log/clamscan.log -r -v /Volumes/RAID/Users/
> superxserv:~ root#
>
> ???

Edit the freshclam.conf and clamd.conf files and uncomment the User or
DatabaseUser entries; these files will be under /etc/spam/clamav if you
are using Apple's default location.

--
-Chuck
Re: [Clamav-users] Mailware passes undetected.... is this a failure within my MTA?
* On 15/01/07 21:23 -0800, Dennis Peterson wrote:
| Odhiambo Washington wrote:
| >* On 15/01/07 21:12 -0800, Dennis Peterson wrote:
| >| Odhiambo Washington wrote:
| >| >Hi,
| >| >
| >| >For some strange reasons, I've seen some malware go past my filters
| >| >on several occasions.
| >| >One such case is today, where a mail containing two attachments, one
| >| >a gif and the other a zip archive, skipped clamd completely and was
| >| >delivered to my inbox.
| >| >
| >| >However, when I extract the attachment from the file and scan it with
| >| >clamd, the worm is detected.
| >| >
| >| >Either this is a failure of the configuration on my MTA, or in the
| >| >way clamd analyzes such e-mail. I am running 0.88.7.
| >|
| >| Do you have any kind of minimum size limit a message must have before it
| >| is a candidate for scanning? Many sites don't scan very large messages
| >| because they are outside the typical size for spam/viruses. It's a
| >| choice that brings some risk but it does make things more efficient.
| >
| >Yes, I don't subject to scanning any mails whose size exceed 1MB, but
| >the mail in question does not meet this criteria.
| >
|
| The next thing to suspect is the process that does the file extraction.
| The one I use logs all the attachments so I can explore the logs for the
| file names and what it did with them. Without that capability I don't
| have any other way to continue the diagnosis were this my problem to solve.
|
| Something you can try though is to send the attachments to your self and
| see if they are discovered. It is possible that your mail reader is more
| forgiving of encoding errors than what ever pulls attachments for your
| mail for scanning. If nothing else it may expose an encoding scheme that
| gets past your scanning system but not your mail reader.

Is anyone using Exim with exiscan in this forum? That is where the
subject is heading, as I can see.

Peterson, what do you use?

-Wash

http://www.netmeister.org/news/learn2quote.html

DISCLAIMER: See http://www.wananchi.com/bms/terms.php

--
Odhiambo Washington <[EMAIL PROTECTED]>
Wananchi Online Ltd. www.wananchi.com
Tel: +254 20 313985-9 +254 20 313922
GSM: +254 722 743223 +254 733 744121

Left to themselves, things tend to go from bad to worse.
Re: [Clamav-users] Clamscan error on OS X Server 10.4.8 impossible to execute as root !
I have done that but it has not changed anything… Unfortunately.

… Should I change the User to "root" instead of clamav ??

On 16 Jan 07, at 18:47, Chuck Swiger wrote:

> On Jan 16, 2007, at 3:35 AM, bsd wrote:
>> And with root you already know what happened !
>>
>> superxserv:~ root# clamscan -l /var/log/clamscan.log -r -v /Volumes/RAID/Users/ &
>> [1] 24605
>> superxserv:~ root# ERROR: Can't get information about user 0
>>
>> [1]+  Exit 60  clamscan -l /var/log/clamscan.log -r -v /Volumes/RAID/Users/
>> superxserv:~ root#
>>
>> ???
>
> Edit the freshclam.conf and clamd.conf files and uncomment the User or
> DatabaseUser entries; these files will be under /etc/spam/clamav if you
> are using Apple's default location.
>
> --
> -Chuck

Gregober ---> PGP ID --> 0x1BA3C2FD
bsd @at@ todoo.biz
Re: [Clamav-users] Mailware passes undetected.... is this a failure within my MTA?
On Tue, 16 Jan 2007 20:58:39 +0300
Odhiambo Washington <[EMAIL PROTECTED]> wrote:

> Is anyone using Exim with exiscan in this forum?

Yes, I do, currently have exim 4.66 running.

I'll give you any help I can, which may not be a great deal in all
honesty but I'm prepared to try.

--
Brian Morrison
bdm at fenrir dot org dot uk

"Arguing with an engineer is like wrestling with a pig in the mud;
after a while you realize you are muddy and the pig is enjoying it."

GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html
[Clamav-users] Re: Mailware passes undetected.... is this a failure within my MTA?
I am not available at the moment.

Jay Lee
Re: [Clamav-users] Re: Mailware passes undetected.... is this a failure within my MTA?
[EMAIL PROTECTED] wrote:
> I am not available at the moment

etc. ;)
[Clamav-users] My Bad, sorry (was: Mailware passes undetected.... is this a failure within my MTA?)
Steve Basford wrote:
> [EMAIL PROTECTED] wrote:
>
>> I am not available at the moment
>>
> etc. ;)

I apologize, I actually am testing the autoreply settings of our mail
client at the moment and only had it set for 3 minutes, a list email
managed to come at exactly that time unfortunately, my bad. I'll use a
junk account from now on. Hmm... the mailbot autoresponder program is
supposed to be intelligent enough to not reply to mailing lists, I'll
need to look into this one more. Again, sorry.

I've added rules to not autoreply when there is a "Precedence: list"
header to our global settings now...

Jay
Re: [Clamav-users] My Bad, sorry
Jay Lee wrote:
> one more. Again, sorry.
>

It's not me you have to worry about... it's the "others" ;)

Good reminder to everyone though :)

Cheers,

Steve
Re: [Clamav-users] My Bad, sorry
Jay Lee wrote:
> Steve Basford wrote:
>> [EMAIL PROTECTED] wrote:
>>
>>> I am not available at the moment
>>>
>> etc. ;)
>>
> I apologize, I actually am testing the autoreply settings of our
> mail client at the moment and only had it set for 3 minutes, a list
> email managed to come at exactly that time unfortunately, my bad.
> I'll use a junk account from now on. Hmm... the mailbot
> autoresponder program is supposed to be intelligent enough to not
> reply to mailing lists, I'll need to look into this one more.
> Again, sorry.
>
> I've added rules to not autoreply when there is a "Precedence:
> list" header to our global settings now...
>
> Jay

I would suggest to look for /^List-Id:/:h too. For some reason, certain
bulk-mailers do set the List-Id header, but not the Precedence-header.
You might also want to make sure that you don't auto-reply to messages
from mailer-daemon@ or noreply@ etc. I accidentally found it responding
to mailer-daemon messages once :-s

Kind regards,

Sander Holthaus
[Clamav-users] the best way to update
Hi,

I am running ubuntu edgy 6.10. I've installed my clamav 0.88.4 using the
apt-get command, but now if I use apt-get update / upgrade I know there
is a new version but I can not upgrade it.

Can I download it from the internet and recompile it?

best regards

heze54
Re: [Clamav-users] Clamscan error on OS X Server 10.4.8 impossible to execute as root !
On Tue, Jan 16, 2007 at 09:47:45AM -0800, Chuck Swiger said:
> Edit the freshclam.conf and clamd.conf files and uncomment the User
> or DatabaseUser entries; these files will be under /etc/spam/clamav
> if you are using Apple's default location.

Please see earlier discussion - this is a compile time setting. Whoever
built these binaries for the OPs system did it with --user=0 or some
other thing. The binaries will need to be recompiled, or he'll need to
find a way to get a user 0 recognized by getpwnam.

--
Stephen Gran | Serving suggestion.
[EMAIL PROTECTED]
http://www.lobefin.net/~steve
Re: [Clamav-users] Mailware passes undetected.... is this a failure within my MTA?
On Tue, Jan 16, 2007 at 08:58:39PM +0300, Odhiambo Washington said:
> Is anyone using Exim with exiscan in this forum? That is where the
> subject is heading, as I can see.
>
> Peterson, what do you use?

Not exim, if I recall correctly. I do, if it helps any.

I suspect you may have /defer_ok tacked on to an acl that uses the
malware directive. I also suspect you'll find failed unpacks in exim's
scan subdirectory, and/or in clamav's temporary directory.

Good hunting,

--
Stephen Gran | As Zeus said to Narcissus, "Watch yourself."
[EMAIL PROTECTED]
http://www.lobefin.net/~steve
Re: [Clamav-users] Clamscan error on OS X Server 10.4.8 impossible to execute as root !
On Jan 16, 2007, at 3:11 PM, Stephen Gran wrote:
> On Tue, Jan 16, 2007 at 09:47:45AM -0800, Chuck Swiger said:
>> Edit the freshclam.conf and clamd.conf files and uncomment the User
>> or DatabaseUser entries; these files will be under /etc/spam/clamav
>> if you are using Apple's default location.
>
> Please see earlier discussion - this is a compile time setting. Whoever
> built these binaries for the OPs system did it with --user=0 or some
> other thing. The binaries will need to be recompiled, or he'll need to
> find a way to get a user 0 recognized by getpwnam.

With due respect, not only I was part of the earlier discussion, I even
quoted the portion of the source code which generates the warning message
the OP was having problems with, and tested that uncommenting the options
I mentioned allowed one to use the vendor-supplied freshclam or clamscan
binaries as the root user:

6# grep DatabaseOwner freshclam.conf
# DatabaseOwner clamav
7# freshclam
ERROR: Can't get information about user 0.
8# emacs freshclam.conf   # uncomment the DatabaseOwner line
9# grep DatabaseOwner freshclam.conf
DatabaseOwner clamav
10# freshclam
ClamAV update process started at Tue Jan 16 18:38:50 2007
SECURITY WARNING: NO SUPPORT FOR DIGITAL SIGNATURES
See the FAQ at http://www.clamav.net/faq.html for an explanation.
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.88.5 Recommended version: 0.88.7
[ ... ]

--
-Chuck
Re: [Clamav-users] Clamscan error on OS X Server 10.4.8 impossible to execute as root !
On Tue, Jan 16, 2007 at 03:40:26PM -0800, Chuck Swiger said:
> On Jan 16, 2007, at 3:11 PM, Stephen Gran wrote:
> >On Tue, Jan 16, 2007 at 09:47:45AM -0800, Chuck Swiger said:
> >>Edit the freshclam.conf and clamd.conf files and uncomment the User
> >>or DatabaseUser entries; these files will be under /etc/spam/clamav
> >>if you are using Apple's default location.
> >
> >Please see earlier discussion - this is a compile time setting. Whoever
> >built these binaries for the OPs system did it with --user=0 or some
> >other thing. The binaries will need to be recompiled, or he'll need to
> >find a way to get a user 0 recognized by getpwnam.
>
> With due respect, not only I was part of the earlier discussion, I
> even quoted the portion of the source code which generates the
> warning message the OP was having problems with, and tested that
> uncommenting the options I mentioned allowed one to use the
> vendor-supplied freshclam or clamscan binaries as the root user:

I am sorry if I came across as harsher than I intended to. I know that
you were part of the earlier discussion and provided valuable insight.

However, your research so far seems to have focused on freshclam rather
than clamscan, which is where I thought the OPs problem lay. clamscan
explicitly exits if getpwnam() returns NULL on a query for the compile
time user. I have not investigated freshclam's behavior, as I assume it
can indeed honor its config file, but I thank you for looking into it
and confirming my hope.

--
Stephen Gran | There is no fool to the old fool. -- John Heywood
[EMAIL PROTECTED]
http://www.lobefin.net/~steve
Re: [Clamav-users] Clamscan error on OS X Server 10.4.8 impossible to execute as root !
On Jan 16, 2007, at 3:52 PM, Stephen Gran wrote:
> I am sorry if I came across as harsher than I intended to. I know that
> you were part of the earlier discussion and provided valuable insight.

No harm done.

> However, your research so far seems to have focused on freshclam rather
> than clamscan, which is where I thought the OPs problem lay. clamscan
> explicitly exits if getpwnam() returns NULL on a query for the compile
> time user. I have not investigated freshclam's behavior, as I assume it
> can indeed honor its config file, but I thank you for looking into it
> and confirming my hope.

In the case of clamscan, we have (from clamscan/manager.c around line 70):

    if(!geteuid()) {
        if((user = getpwnam(UNPUSER)) == NULL) {
            mprintf("@Can't get information about user "UNPUSER"\n");
            exit(60); /* this is critical problem, so we just exit here */
        }
    }

If the euid is 0 (aka root), and you can't look up the pw entry for the
UNPUSER (which ought to be "clamav", but maybe was changed to root), then
bail with the error message the OP mentioned.

I wonder if making sure that whoever it is has a "clamav" user in
LDAP/OpenDirectory would help. Otherwise, considering that the version
which comes with an OS X system is somewhat dated, perhaps it would be
easiest for the OP to simply build the latest version and make sure that
the compiled-in user exists in whatever directory-services they are using.

--
-Chuck
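The lookup quoted above from clamscan/manager.c, carried through to a complete and verified privilege drop. This is an added example, not part of the thread and not ClamAV's code; it goes beyond the quoted snippet by performing the drop itself. The function names, the result codes and the UNPUSER_DEFAULT value are assumptions made for illustration.

```c
/* Added example, not ClamAV source. All names below are hypothetical. */
#define _DEFAULT_SOURCE          /* exposes setgroups() on glibc */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

#define UNPUSER_DEFAULT "clamav" /* stand-in for the compiled-in UNPUSER */

enum drop_result {
    DROP_OK       = 0,   /* now running as the unprivileged account */
    DROP_NOT_ROOT = 1,   /* euid != 0, so there is nothing to drop */
    DROP_NO_USER  = -1,  /* getpwnam() found no account with that name */
    DROP_FAILED   = -2   /* a set*id() call failed or root was retained */
};

/* Resolve the account by NAME, as getpwnam() does. A compiled-in value
 * of "0" is looked up as an account called "0", not as uid 0, which is
 * why the binaries in this thread report "user 0" as unknown. */
int lookup_unpack_user(const char *name, uid_t *uid, gid_t *gid)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL)
        return -1;
    *uid = pw->pw_uid;
    *gid = pw->pw_gid;
    return 0;
}

/* Drop from root to the named account before handling untrusted input
 * such as archives. Refuses to continue if the drop cannot be proven. */
int drop_to_user(const char *name)
{
    uid_t uid;
    gid_t gid;

    if (geteuid() != 0)
        return DROP_NOT_ROOT;
    if (lookup_unpack_user(name, &uid, &gid) != 0)
        return DROP_NO_USER;
    if (uid == 0)
        return DROP_FAILED;      /* "dropping" to root drops nothing */

    /* Order matters: supplementary groups, then gid, then uid. After
     * setuid() succeeds the process can no longer change its groups. */
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return DROP_FAILED;

    /* Verify the drop is permanent: regaining root must now fail. */
    if (setuid(0) == 0 || geteuid() == 0 || getegid() != gid)
        return DROP_FAILED;
    return DROP_OK;
}

int main(int argc, char **argv)
{
    const char *name = argc > 1 ? argv[1] : UNPUSER_DEFAULT;
    int rc = drop_to_user(name);

    switch (rc) {
    case DROP_OK:
        printf("running as %s (uid %ld)\n", name, (long)getuid());
        break;
    case DROP_NOT_ROOT:
        printf("not root, no privileges to drop\n");
        break;
    case DROP_NO_USER:
        fprintf(stderr, "Can't get information about user %s\n", name);
        break;
    default:
        fprintf(stderr, "privilege drop to %s failed\n", name);
        break;
    }
    /* Exit status 60 mirrors the status shown in the thread. */
    return (rc == DROP_OK || rc == DROP_NOT_ROOT) ? 0 : 60;
}
```

Run as root with the account name as the first argument; passing 0 reproduces the failure discussed in the thread on a system with no account literally named "0".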
Re: [Clamav-users] Mailware passes undetected.... is this a failure within my MTA?
Odhiambo Washington wrote:

> Is anyone using Exim with exiscan in this forum? That is where the
> subject is heading, as I can see.
>
> Peterson, what do you use?

J-Chkmail from Jose-Marcio in France. Works great.

dp
Re: [Clamav-users] Clamscan error on OS X Server 10.4.8 impossible to execute as root !
Stephen Gran wrote:
> On Tue, Jan 16, 2007 at 09:47:45AM -0800, Chuck Swiger said:
>> Edit the freshclam.conf and clamd.conf files and uncomment the User
>> or DatabaseUser entries; these files will be under /etc/spam/clamav
>> if you are using Apple's default location.
>
> Please see earlier discussion - this is a compile time setting. Whoever
> built these binaries for the OPs system did it with --user=0 or some
> other thing. The binaries will need to be recompiled, or he'll need to
> find a way to get a user 0 recognized by getpwnam.

To find who the run-as user is that was compiled into the binary, run:

$ strings clamscan |fgrep "get information about user"

dp
[Clamav-users] clamav-milter error question
I've decided to explore clamav-milter. The objective is to have a single
server where all clamAV processes run. Think of it as a virtual AV
appliance (because that is what it is).

The lab environment is a mail server (Solaris 9, Sparc) running sendmail
and another server (Solaris 10, X86) that runs clamd and the milter used
to extract the attachments and submit them to ClamAV. I have substituted
clamav-milter for this function by adding clmilter to sendmail.cf on the
mail server.

I built and have a running copy of milter-clamav and tried the following
command line to start it:

/usr/local/sbin/clamav-milter --external --server=127.0.0.1 \
    --quiet --blacklist=60 --postmaster-only --local \
    -outgoing inet:3311

The mail server can connect to port 3311 on the AV server fine but the
following error shows up in the clamav log:

Jan 16 12:39:11 omak clamav-milter[13345]: [ID 472601 local6.warning] Access Denied for sparky[192.168.1.55]

The av server is omak, and the mail server is sparky. I'm missing
something, obviously. Perhaps this is not a valid architecture?

dp
[Clamav-users] Should I submit...
a very basic perl script which opens a listening socket and a shell? I
found it after a hacker tried to gain entry. The script is nothing
special (far from, 612 bytes) but I doubt people are actually using it
for any legitimate means. BitDefender does recognize the file, but not
any other AV.

Kind Regards,

Sander Holthaus