Re: [Clamav-users] Issue starting clamd
> As root
>
>     audit2allow -M mypol -i /var/log/audit/audit.log
>     semodule -i mypol.pp
>
> This will go through your audit log and enable everything blocked by
> SELINUX. (It's a good idea to make sure that you want everything
> blocked so far permitted.)
>
> --
>   Steve

Steve,

This opened up a can of never ending newer selinux messages that didn't stop after like 6 updates :)

I was trying to follow the mods suggested in rpmforge list a few months ago but I had troubles compiling and installing the selinux module.

Thanks,
jlc

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] website has virus?
On Jan 4, 2008 9:19 PM, zamri <[EMAIL PROTECTED]> wrote:
> I tried to access certain sites and it has been detected containing virus. I
> use dansguardian s.9.9.2 + clamav 0.92. I remember one right now. If you
> have found one, pls list here so I can check it out for testing.
>
> 1. www.myviper.net

Yes, it has some javascript at the bottom which references the url http://www.flycheburoshki.com/countbanner/, which (I believe) tries to do a WebViewFolderIcon exploit. Lots of obfuscated javascript. Doesn't look good. Could be wrong, though.

Dave M

> zamri
> Linux System Administrator
> Kolej ShahPutra Kuantan
> Pahang Malaysia
> Tel : 609.573.777.7 ext 119
> web : http://muhdzamri.blogspot.com
[Clamav-users] website has virus?
I tried to access certain sites and it has been detected containing virus. I use dansguardian s.9.9.2 + clamav 0.92. I remember one right now. If you have found one, pls list here so I can check it out for testing.

1. www.myviper.net

--
zamri
Linux System Administrator
Kolej ShahPutra Kuantan
Pahang Malaysia
Tel : 609.573.777.7 ext 119
web : http://muhdzamri.blogspot.com
Re: [Clamav-users] VirusEvent Variables
On Fri, 04 Jan 2008 15:07:44 -0500 FM <[EMAIL PROTECTED]> wrote:
> Hello,
> I am using clamAV 0.91.2
>
> I set the VirusEvent to be alerted when we receive virus.
>
> Are there other variables than %v ? like address of the sender,...?

In clamd.conf you can only use %v. If you're calling a shell script with VirusEvent then it can additionally access the filename stored in the environment variable $CLAM_VIRUSEVENT_FILENAME

--
Tomasz Kojm <[EMAIL PROTECTED]>
http://www.ClamAV.net/gpg/tkojm.gpg
0DCA5A08407D5288279DB43454822DC8985A444B
Fri Jan 4 23:44:16 CET 2008
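The reply above says a VirusEvent handler gets exactly two things from clamd: the signature name substituted for `%v` on the command line, and the scanned file's path in `CLAM_VIRUSEVENT_FILENAME` when the handler is an executable. The following handler is an added example (not code from the list or from ClamAV) that uses just those two values and copes with the environment variable being absent. The `clamd.conf` line it assumes, the log path, and the exim spool layout it recognises (taken from the `/var/spool/exim/scan/<id>/<id>.eml` path posted elsewhere in this archive) are assumptions:

```python
#!/usr/bin/env python3
"""Added example VirusEvent handler (not from the list post or from ClamAV).

Assumed clamd.conf line (script path is a placeholder):

    VirusEvent /usr/local/sbin/virus-alert.py "%v"

clamd substitutes %v with the signature name on the command line and, because
the handler is an executable, exports the scanned file's path in the
environment variable CLAM_VIRUSEVENT_FILENAME.
"""
import json
import os
import sys
import time

ALERT_LOG = "/var/log/clamd-virusevent.log"  # placeholder path (assumption)


def exim_message_id(path):
    """Return the exim message id if the file lives in a scan spool laid out
    as /var/spool/exim/scan/<msgid>/<msgid>.eml (assumed layout, taken from the
    path posted in this archive), so the alert can be tied to exim's log.
    Returns None for any other path or when no path was given."""
    if not path:
        return None
    parent = os.path.basename(os.path.dirname(path))
    stem, ext = os.path.splitext(os.path.basename(path))
    return parent if (ext == ".eml" and stem == parent) else None


def build_alert(argv, environ, now=None):
    """Build one structured alert record from the handler's argv and env.

    argv[1] is the %v substitution. The filename only exists in the
    environment when clamd runs an executable, so a missing value is recorded
    as such rather than treated as an error."""
    signature = argv[1] if len(argv) > 1 else "<no %v argument>"
    filename = environ.get("CLAM_VIRUSEVENT_FILENAME")
    return {
        "time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now)),
        "signature": signature,
        "file": filename or "<not provided>",
        # exim may already have unspooled the file by the time we run
        "file_still_present": bool(filename) and os.path.exists(filename),
        "exim_message_id": exim_message_id(filename),
    }


def main(argv=None, environ=None, log_path=ALERT_LOG):
    """Append the record as one JSON line; fall back to stderr if the log is
    not writable (the handler runs as clamd's User, not root)."""
    record = build_alert(sys.argv if argv is None else argv,
                         os.environ if environ is None else environ)
    line = json.dumps(record, sort_keys=True)
    try:
        with open(log_path, "a") as fh:
            fh.write(line + "\n")
    except OSError as exc:
        print(line, file=sys.stderr)
        print("virus-alert: could not write %s: %s" % (log_path, exc), file=sys.stderr)
    return record


if __name__ == "__main__":
    main()
```

Because the handler runs under the `User` configured for clamd, the log file must be writable by that account; the record deliberately notes whether the file still exists, since with an MTA such as exim the spool copy is usually gone before anyone reads the alert.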
Re: [Clamav-users] Malware variants may have hit half-million mark
On Friday, 04 January 2008 at 03:59:10PM, Paul Kosinski wrote:
> Fri 4 Jan 2008
>
> According to today's SecurityFocus.com, there are as many as 500,000
> different versions of malware. Most are not original code, but "mass-
> produced attempts to foil antivirus filters".
>
> And here I thought that ClamAV's 186,092+ signatures was getting out
> of hand!
>
> In the interest of preserving copyright, I refer you to the original
> article at http://www.securityfocus.com/brief/655.

clamav:
  sigtool --list-sigs | wc -l
  213246

f-prot workstation Linux:
  fpscan --virlist | wc -l
  760649

avast v1.0.8 Linux Home Edition:
  avast --viruslist="*" | wc -l
  146310

f-prot detects more than 500.000 :)

Regards.
[Clamav-users] Malware variants may have hit half-million mark
Fri 4 Jan 2008

According to today's SecurityFocus.com, there are as many as 500,000 different versions of malware. Most are not original code, but "mass-produced attempts to foil antivirus filters".

And here I thought that ClamAV's 186,092+ signatures was getting out of hand!

In the interest of preserving copyright, I refer you to the original article at http://www.securityfocus.com/brief/655.
[Clamav-users] VirusEvent Variables
Hello,
I am using clamAV 0.91.2

I set the VirusEvent to be alerted when we receive virus.

Are there other variables than %v ? like address of the sender,...?

Regards,
Re: [Clamav-users] Failure to detect first time
On Fri, 04 Jan 2008 12:23:06 -0500 James Kosin <[EMAIL PROTECTED]> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Phil Chambers wrote:
> > Further testing has resulted in the following strange results:
> >
> > With the above message in the scan spool directory where exim creates the copy
> > of the message for scanning I cd'd to the spool directory and got:
> >
> > clamscan
> > /var/spool/exim/scan/1JAnYa-0006ir-N0/1JAnYa-0006ir-N0.eml:(wraps here)
> > Email.Spam.Gen2111.Sanesecurity.08010217 FOUND
> >
> > --- SCAN SUMMARY ---
> > Known viruses: 197921
> > Engine version: 0.92
> > Scanned directories: 1
> > Scanned files: 1
> > Infected files: 1
> > Data scanned: 0.00 MB
> > Time: 1.736 sec (0 m 1 s)
> >
> > Then:
> >
> > clamdscan
> >
> > --- SCAN SUMMARY ---
> > Infected files: 0
> > Time: 0.002 sec (0 m 0 s)
> >
> > So, clamscan detects the signature but clamdscan does not! Note that some
> > examples of this signature do get detected by clamd.)
> >
> > Phil.
> > ---
> > Phil Chambers ([EMAIL PROTECTED])
> > University of Exeter
>
> I can clear up some of the confusion... clamscan and clamdscan get
> and have different defaults for scanning files.
>
> James

I do not like killing clamd because of the knock-on effect on exim. (You either have to allow messages through unscanned while clamd restarts or messages are rejected. The latter is unkind for MUAs doing message submission.)

However, I killed and restarted clamd and ran the clamscan and clamdscan tests again. This time they gave consistent results.

I would assume that clamd just needed to reload its signatures, but freshclam has caused that several times recently. Indeed, the last logged time was at 16:15 this afternoon, when it loaded 198037 signatures. Following this time I have had the inconsistent clamscan/clamdscan results. The restart reported the same number of signatures being loaded, and there had been no change in the signature files between the two!

I can think of a possible reason for this. Does clamd re-load all signatures or does it just load in new ones? If clamd only loads new signatures and the Sanesig signature I had a problem with had been changed then clamd could have been using the old version, while clamscan would use the latest one.

Phil.
---
Phil Chambers ([EMAIL PROTECTED])
University of Exeter
Re: [Clamav-users] Failure to detect first time
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Phil Chambers wrote:
> Further testing has resulted in the following strange results:
>
> With the above message in the scan spool directory where exim creates the copy
> of the message for scanning I cd'd to the spool directory and got:
>
> clamscan
> /var/spool/exim/scan/1JAnYa-0006ir-N0/1JAnYa-0006ir-N0.eml:(wraps here)
> Email.Spam.Gen2111.Sanesecurity.08010217 FOUND
>
> --- SCAN SUMMARY ---
> Known viruses: 197921
> Engine version: 0.92
> Scanned directories: 1
> Scanned files: 1
> Infected files: 1
> Data scanned: 0.00 MB
> Time: 1.736 sec (0 m 1 s)
>
> Then:
>
> clamdscan
>
> --- SCAN SUMMARY ---
> Infected files: 0
> Time: 0.002 sec (0 m 0 s)
>
> So, clamscan detects the signature but clamdscan does not! Note that some
> examples of this signature do get detected by clamd.)
>
> Phil.
> ---
> Phil Chambers ([EMAIL PROTECTED])
> University of Exeter

I can clear up some of the confusion... clamscan and clamdscan get and have different defaults for scanning files.

James
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHfmtxkNLDmnu1kSkRAqmMAJ9A8Pfszw0TnQWaLd/AWlIA5RHamQCfcJId
ZOpM652iIaGJaKYgCdjo400=
=uMIk
-----END PGP SIGNATURE-----

--
Scanned by ClamAV - http://www.clamav.net
Re: [Clamav-users] Failure to detect first time
On Fri, 04 Jan 2008 17:41:34 +0200 Török Edwin <[EMAIL PROTECTED]> wrote:
> Phil Chambers wrote:
> > clamdscan
> >
> > --- SCAN SUMMARY ---
> > Infected files: 0
> > Time: 0.002 sec (0 m 0 s)
> >
> > So, clamscan detects the signature but clamdscan does not! Note that some
> > examples of this signature do get detected by clamd.)
> >
>
> Clamdscan detects the message here (if I put that signature in a ndb
> file, and tell clamd to load that).
> Check that clamscan and clamdscan use same databases (and post output of
> clamconf).
> Also check that clamd is able to read the file, try sending it an EICAR,
> or some of the files in the test/ directory.
>
> Best regards,
> --Edwin

Note that the clamd logs show that this signature is being detected in some messages, so the signature is in clamd's database.

I put the clam.exe test file in the same directory as my problem spool file and set its permissions and clamdscan found it.

The non-blank, non-comment lines from my clam.conf are:

LogFile /var/log/clamd.log
LogFileMaxSize 20M
LogTime yes
LocalSocket /tmp/clamd
FixStaleSocket yes
TCPAddr 127.0.0.1
MaxThreads 80
User exim
ArchiveMaxCompressionRatio 500
ArchiveBlockEncrypted yes

Phil.
---
Phil Chambers ([EMAIL PROTECTED])
University of Exeter
Re: [Clamav-users] Failure to detect first time
On Fri, 4 Jan 2008 15:26:17 + Rob MacGregor <[EMAIL PROTECTED]> wrote:
> On Jan 4, 2008 3:20 PM, Phil Chambers <[EMAIL PROTECTED]> wrote:
> <---SNIP--->
> > So, clamscan detects the signature but clamdscan does not! Note that some
> > examples of this signature do get detected by clamd.)
>
> File permissions problem (assuming you're not running clamd as root)?
>

No, I checked that. I changed the permissions on the file deliberately to see clamd log the problem, which it did. When I put the permissions back clamd no longer logged a problem.

Phil.
---
Phil Chambers ([EMAIL PROTECTED])
University of Exeter
Re: [Clamav-users] Failure to detect first time
Phil Chambers wrote:
> clamdscan
>
> --- SCAN SUMMARY ---
> Infected files: 0
> Time: 0.002 sec (0 m 0 s)
>
> So, clamscan detects the signature but clamdscan does not! Note that some
> examples of this signature do get detected by clamd.)
>

Clamdscan detects the message here (if I put that signature in a ndb file, and tell clamd to load that).
Check that clamscan and clamdscan use same databases (and post output of clamconf).
Also check that clamd is able to read the file, try sending it an EICAR, or some of the files in the test/ directory.

Best regards,
--Edwin
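Edwin's two checks (is clamd using the same database as clamscan, and can clamd actually read the file) are both answerable over clamd's own socket, which is what clamdscan does behind the scenes. The client below is an added example, not code from the thread or from ClamAV: it sends `VERSION` to read the loaded database version and `SCAN <path>` to have clamd, running as its own user, scan the file, and it distinguishes `OK` from `ERROR` so a permissions problem is not mistaken for a clean result. Assumptions: clamd's plain newline-terminated commands (what 0.92 accepts; newer releases take the same commands with an `n` prefix), the reply shapes `ClamAV <engine>/<db version>/<db date>`, `<path>: <sig> FOUND`, `<path>: OK` and `<path>: <reason> ERROR`, the `/tmp/clamd` LocalSocket from Phil's configuration, and a fake clamd with constructed replies so the block runs offline:

```python
"""Added example, not from the thread or from ClamAV: a minimal clamd socket
client for the two checks suggested above (VERSION and SCAN), plus a fake
clamd so it can be exercised without a running daemon."""
import os
import socket
import tempfile
import threading

CLAMD_SOCKET = "/tmp/clamd"  # LocalSocket from the clamd.conf posted in this thread


def clamd_command(command, sock_path=CLAMD_SOCKET, timeout=30):
    """Send one command; clamd answers and closes, so read until EOF."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(sock_path)
        s.sendall(command.encode() + b"\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace").strip()


def parse_version(reply):
    """'ClamAV 0.92/5363/Fri Jan  4 ...' -> (engine, db_version, db_date).
    A clamd that has not reloaded shows an older db_version than clamscan."""
    prefix = "ClamAV "
    if not reply.startswith(prefix):
        raise ValueError("unexpected VERSION reply: %r" % reply)
    parts = reply[len(prefix):].split("/", 2)
    return (parts[0], parts[1] if len(parts) > 1 else None,
            parts[2] if len(parts) > 2 else None)


def parse_scan(reply):
    """'<path>: <sig> FOUND' -> ('FOUND', sig); '<path>: OK' -> ('OK', None);
    '<path>: <reason> ERROR' -> ('ERROR', reason). ERROR is what an unreadable
    file produces, so it must never be reported as clean."""
    _, _, status = reply.partition(": ")
    if status == "OK":
        return "OK", None
    if status.endswith(" FOUND"):
        return "FOUND", status[:-len(" FOUND")]
    if status.endswith(" ERROR"):
        return "ERROR", status[:-len(" ERROR")]
    raise ValueError("unexpected SCAN reply: %r" % reply)


def check_clamd(sock_path, path):
    """Database version clamd has loaded plus clamd's own verdict on `path`."""
    engine, db_version, _ = parse_version(clamd_command("VERSION", sock_path))
    status, detail = parse_scan(clamd_command("SCAN " + path, sock_path))
    return {"engine": engine, "db_version": db_version, "status": status, "detail": detail}


def _fake_clamd(sock_path, db_version, signatures):
    """Stand-in daemon for offline use: speaks only VERSION and SCAN, and
    flags a file when its bytes contain one of the constructed patterns."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(sock_path)
    srv.listen(1)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                line = conn.makefile("rb").readline().decode().strip()
                if line == "VERSION":
                    reply = "ClamAV 0.92/%s/Fri Jan  4 23:44:16 2008\n" % db_version
                elif line.startswith("SCAN "):
                    path = line[5:]
                    try:
                        with open(path, "rb") as f:
                            body = f.read()
                    except OSError as e:
                        reply = "%s: %s ERROR\n" % (path, e.strerror)
                    else:
                        hit = next((n for n, pat in signatures.items() if pat in body), None)
                        reply = "%s: %s FOUND\n" % (path, hit) if hit else "%s: OK\n" % path
                else:
                    reply = "UNKNOWN COMMAND\n"
                conn.sendall(reply.encode())

    threading.Thread(target=serve, daemon=True).start()
    return srv


def demo():
    """Run the client against the fake clamd: one constructed message carrying
    the thread's test string, and one path clamd cannot read."""
    d = tempfile.mkdtemp()
    sock_path = os.path.join(d, "clamd")
    sample = os.path.join(d, "sample.eml")
    with open(sample, "wb") as f:
        f.write(b"Subject: test\n\nTesting after taking VPXL as a signature\n")
    srv = _fake_clamd(sock_path, "5363",  # constructed db version
                      {"Email.Spam.Gen2111.Sanesecurity.08010217": b"after taking VPXL"})
    try:
        return check_clamd(sock_path, sample), check_clamd(sock_path, os.path.join(d, "missing"))
    finally:
        srv.close()


if __name__ == "__main__":
    print(demo())
```

Against a real daemon, `check_clamd("/tmp/clamd", "/var/spool/exim/scan/<id>/<id>.eml")` run from the same account exim uses gives the clamd-side answer directly; comparing `db_version` with what `clamscan --version` reports is the quickest way to see whether clamd is still serving an older database than the one on disk.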
Re: [Clamav-users] Failure to detect first time
This message has been re-sent because it contained text which may have caused some of you to block it! I have edited the text to prevent this.

On Thu, 3 Jan 2008 18:31:05 + (GMT Standard Time) Phil Chambers <[EMAIL PROTECTED]> wrote:
> Thanks, that was a great help and I have made some progress. I took the name of
> a signature from the log which was not being rejected by exim as it arrived
> from the Internet but was when returning from Exchange and looked it up in
> scam.ndb to get:
>
> Email.Spam.Gen2111.Sanesecurity.08010217:4:*:61667465722074616b696e67205650584c
>
> The hex signature translates to 'aftertakingVPXL'.
>
> I configured a test instance of exim to not clean out the spool file which
> clamd is asked to scan (control = no_mbox_unspool in the 'malware = *' ACL).
>
> I then manually typed SMTP at the test instance of exim using telnet to inject
> the simple message:
>
> From:
> To:
> Subject: test with no_mbox_unspool
>
> Testing aftertakingVPXL as a signature
> test
> .
>
> The message was delivered to my Exchange account. The spool file showed
> what I would expect: the message header and body in a simple mbox-style text
> file. The signature string is in the file just as one would expect. Exim must
> have invoked clamd because 'control = no_mbox_unspool' and 'malware = *' are
> both in the same ACL and exim did not delete the spool file.
>
> Is there any way to get clamd to produce diagnostic information to prove it
> scanned the message in this situation?
>

Further testing has resulted in the following strange results:

With the above message in the scan spool directory where exim creates the copy of the message for scanning I cd'd to the spool directory and got:

clamscan
/var/spool/exim/scan/1JAnYa-0006ir-N0/1JAnYa-0006ir-N0.eml:(wraps here)
Email.Spam.Gen2111.Sanesecurity.08010217 FOUND

--- SCAN SUMMARY ---
Known viruses: 197921
Engine version: 0.92
Scanned directories: 1
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Time: 1.736 sec (0 m 1 s)

Then:

clamdscan

--- SCAN SUMMARY ---
Infected files: 0
Time: 0.002 sec (0 m 0 s)

So, clamscan detects the signature but clamdscan does not! Note that some examples of this signature do get detected by clamd.)

Phil.
---
Phil Chambers ([EMAIL PROTECTED])
University of Exeter
Re: [Clamav-users] Failure to detect first time
On Jan 4, 2008 3:20 PM, Phil Chambers <[EMAIL PROTECTED]> wrote:
<---SNIP--->
> So, clamscan detects the signature but clamdscan does not! Note that some
> examples of this signature do get detected by clamd.)

File permissions problem (assuming you're not running clamd as root)?

--
Please keep list traffic on the list.

Rob MacGregor
Whoever fights monsters should see to it that in the process he doesn't become a monster. Friedrich Nietzsche
Re: [Clamav-users] Failure to detect first time
On Thu, 3 Jan 2008 18:31:05 + (GMT Standard Time) Phil Chambers <[EMAIL PROTECTED]> wrote:
> Thanks, that was a great help and I have made some progress. I took the name of
> a signature from the log which was not being rejected by exim as it arrived
> from the Internet but was when returning from Exchange and looked it up in
> scam.ndb to get:
>
> Email.Spam.Gen2111.Sanesecurity.08010217:4:*:61667465722074616b696e67205650584c
>
> The hex signature translates to 'after taking VPXL'.
>
> I configured a test instance of exim to not clean out the spool file which
> clamd is asked to scan (control = no_mbox_unspool in the 'malware = *' ACL).
>
> I then manually typed SMTP at the test instance of exim using telnet to inject
> the simple message:
>
> From:
> To:
> Subject: test with no_mbox_unspool
>
> Testing after taking VPXL as a signature
> test
> .
>
> The message was delivered to my Exchange account. The spool file showed
> what I would expect: the message header and body in a simple mbox-style text
> file. The signature string is in the file just as one would expect. Exim must
> have invoked clamd because 'control = no_mbox_unspool' and 'malware = *' are
> both in the same ACL and exim did not delete the spool file.
>
> Is there any way to get clamd to produce diagnostic information to prove it
> scanned the message in this situation?
>

Further testing has resulted in the following strange results:

With the above message in the scan spool directory where exim creates the copy of the message for scanning I cd'd to the spool directory and got:

clamscan
/var/spool/exim/scan/1JAnYa-0006ir-N0/1JAnYa-0006ir-N0.eml:(wraps here)
Email.Spam.Gen2111.Sanesecurity.08010217 FOUND

--- SCAN SUMMARY ---
Known viruses: 197921
Engine version: 0.92
Scanned directories: 1
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Time: 1.736 sec (0 m 1 s)

Then:

clamdscan

--- SCAN SUMMARY ---
Infected files: 0
Time: 0.002 sec (0 m 0 s)

So, clamscan detects the signature but clamdscan does not! Note that some examples of this signature do get detected by clamd.)

Phil.
---
Phil Chambers ([EMAIL PROTECTED])
University of Exeter