Re: [Clamav-users] Many Javascript false - positives
Dennis Peterson wrote:

> James E. Pratt wrote:
>
>> I can confirm too that Trojan.Downloader.JS.Agent-2 (and 1) hit a load of legitimate sites.
>>
>>> Hello. I ran into this Trojan.Downloader.JS.Agent-2 issue yesterday on our web server. When notified, the webmaster replied with: "these are coming from compressed js files using Dean Edwards' javascript packer [http://dean.edwards.name/packer/], which compresses js and usually reduces the file size by 30-40 percent."
>
> If the principal users of this service are spammers trying to obfuscate their content then I see no reason not to use a tool to block that content. A lesson that has been hard to teach is that when legitimate users create content that is indistinguishable from common spam it will be blocked. That takes into consideration the source - sales and marketing types in any corporation have a particular problem as almost all of what they create could be considered spam by someone. Best effort rules apply. I've never had a manager reverse me on this.

Sorry, but that's completely beside the point.

a) We are not talking about spam filtering here, but about classification as malware.

b) Applying spam blocking rules to web content is quite inappropriate, as websites are actively requested, as opposed to spam, which is forced on the recipient through her mailbox slot.

c) Whether the principal users of Dean Edwards' JavaScript packer are spammers is open to debate, although IMHO it doesn't even matter in the light of a) and b).

Generally speaking, I am quite wary of the increasing tendency of ClamAV to try and detect spam in addition to malware. These two categories need to be treated quite differently for many reasons, among them legal ones. Mixing them up like this makes my life and work more difficult. Please don't do it.

Thanks,
T.

--
Tilman Schmidt
Phoenix Software GmbH
Adolf-Hombitzer-Str. 12
53227 Bonn, Germany
Tel. +49 228 97199 0
Fax +49 228 97199 99
www.phoenixsoftware.de

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
[Clamav-users] Warning in logs
Hi!

First, sorry for my English :(

Since I upgraded ClamAV from 0.91.2 to the stable version (0.92.1) on FreeBSD, I have some warnings in the log (I didn't have these before):

LibClamAV Warning: RFC2231 parameter continuations are not yet handled
LibClamAV Warning: Invalid RFC2231 header: '*=%65%20%4F%72%61%6E%67%65%2E%64%6F%63'
LibClamAV Warning: RFC2231 parameter continuations are not yet handled
LibClamAV Warning: messageArgumentExists: no '=' sign found in MIME header 'filename' (filename*0*=ISO-8859-1''%43%56%20%61%63%71%75%61%6C%69%73%E9%20%4D%6F%64)
LibClamAV Warning: messageArgumentExists: no '=' sign found in MIME header 'file' (filename*0*=ISO-8859-1''%43%56%20%61%63%71%75%61%6C%69%73%E9%20%4D%6F%64)
LibClamAV Warning: messageFindArgument: no '=' sign found in MIME header 'filename' (filename*0*=ISO-8859-1''%43%56%20%61%63%71%75%61%6C%69%73%E9%20%4D%6F%64)
LibClamAV Warning: messageFindArgument: no '=' sign found in MIME header 'name' (name*0*=ISO-8859-1''%43%56%20%61%63%71%75%61%6C%69%73%E9%20%4D%6F%64%E8%6C)

What does this mean? What can I do?

Thanks,
Julien
Re: [Clamav-users] Warning in logs
Keke Man wrote:

> Hi!
>
> First, sorry for my English :(
>
> Since I upgraded ClamAV from 0.91.2 to the stable version (0.92.1) on FreeBSD, I have some warnings in the log (I didn't have these before):
>
> LibClamAV Warning: RFC2231 parameter continuations are not yet handled
> LibClamAV Warning: Invalid RFC2231 header:

See bb #880; those messages are already degraded to debug messages in 0.93rc.

Best regards,
--Edwin
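What the warnings above are about, as an added example that is not code from the list or from ClamAV: the MIME headers in the log use the RFC 2231 extended parameter syntax (filename*0*=charset''percent-encoded-segment, continued in filename*1*, ...), so a parser that looks for a literal "filename=" finds no "=" sign under that name at all. The Python below contrasts such a naive lookup with the standard library's decoder, which reassembles the segments and converts them from the declared charset. The three messages are constructed for this example and only modelled on the log lines; they are not the message that triggered the warnings.

```python
"""Decode RFC 2231 parameter continuations in MIME headers (added example)."""
from email import message_from_string

# Constructed sample, modelled on the warnings above (not the real message
# from the log): the attachment name is split into two percent-encoded
# segments with an explicit ISO-8859-1 charset on the first one. A parser
# that only knows the RFC 2045 form  filename="..."  sees no "filename="
# at all here, only "filename*0*=" and "filename*1*=".
CONTINUATION_SAMPLE = (
    "MIME-Version: 1.0\n"
    "Content-Type: application/msword;\n"
    "\tname*0*=ISO-8859-1''%43%56%20%61%63%71%75%61%6C%69%73%E9;\n"
    "\tname*1*=%20%4D%6F%64%E8%6C%65%2E%64%6F%63\n"
    "Content-Disposition: attachment;\n"
    "\tfilename*0*=ISO-8859-1''%43%56%20%61%63%71%75%61%6C%69%73%E9;\n"
    "\tfilename*1*=%20%4D%6F%64%E8%6C%65%2E%64%6F%63\n"
    "\n"
    "(attachment body omitted)\n"
)

# Constructed: the single-segment extended form, charset but no continuation.
SINGLE_SEGMENT_SAMPLE = (
    "Content-Type: application/octet-stream\n"
    "Content-Disposition: attachment; filename*=UTF-8''r%C3%A9sum%C3%A9.doc\n"
    "\n"
)

# Constructed: plain RFC 2045 parameter, the only form a naive scanner handles.
PLAIN_SAMPLE = (
    "Content-Type: application/octet-stream\n"
    'Content-Disposition: attachment; filename="invoice.doc"\n'
    "\n"
)


def naive_filename(raw_message):
    """Mimic a parser that searches the headers for a literal 'filename='.

    Returns None for RFC 2231 syntax, which is the situation behind the
    "no '=' sign found in MIME header 'filename'" warning: the parameter
    name on the wire is 'filename*0*', so 'filename=' never occurs.
    """
    headers = raw_message.split("\n\n", 1)[0]
    idx = headers.lower().find("filename=")
    if idx < 0:
        return None
    rest = headers[idx + len("filename="):]
    value = rest.split(";", 1)[0].split("\n", 1)[0].strip()
    return value.strip('"')


def rfc2231_filename(raw_message):
    """Decode the attachment name with the stdlib email package.

    email.message.Message.get_filename() reassembles the *0*, *1*, ...
    segments, percent-decodes the extended ones and converts the resulting
    bytes from the declared charset, as RFC 2231 sections 3 and 4 require.
    """
    return message_from_string(raw_message).get_filename()


if __name__ == "__main__":
    for label, sample in (("continuation", CONTINUATION_SAMPLE),
                          ("single segment", SINGLE_SEGMENT_SAMPLE),
                          ("plain", PLAIN_SAMPLE)):
        print(f"{label:15} naive={naive_filename(sample)!r:20} "
              f"rfc2231={rfc2231_filename(sample)!r}")
```

The practical point for a scanner: until the extended syntax is decoded, any rule keyed on the attachment name (extension checks, name-based whitelists) silently does not apply to such messages, so the warning is worth noticing even though the scan itself still runs on the attachment bytes.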
[Clamav-users] Time exceeded scanning msg.
I searched the mailing list for a message that is showing in my mail.err log file.

I did postcat msg | clamscan - and it took a long time to scan it, an hour. What is odd is that the message saved at /var/spool/amavis/tmp/ is 9.8M (du -sh on the dir), but clamscan said it scanned 19M. No viruses found.

I tried setting ArchiveMaxFileSize on /etc/

--
Powered by Outblaze
[Clamav-users] Time exceeded scanning msg. (second try)
I searched the mailing list for a message that is showing in my mail.err log file.

I did postcat msg | clamscan - and it took a long time to scan it, an hour. What is odd is that the message saved at /var/spool/amavis/tmp/ is 9.8M (du -sh on the dir), but clamscan said it scanned 19M. No viruses found.

I tried setting ArchiveMaxFileSize in /etc/clamd.conf to 8M, so this message would be sent without being scanned(?), stopped Postfix, Amavis and Clamd, restarted them, but it didn't work. The message was scanned again, and it stopped with the same message in /var/log/mail.err.

Is there a way to free the message, I mean, let it be sent without being scanned? I want this message to get out of my mailq; how can I do that?

Thanks

--
Powered by Outblaze
[Clamav-users] clamav error
Hello all,

I am new to this list and I have a question for you. I have one mail server with ClamAV; I can send email, but I don't receive mail from the WAN. I see this error:

Clamsmtpd: Can't connect to : /var/run/clamav/clamd.ctl: connection refuse

Help me please. Thanks.

PS: sorry for my bad English.
Re: [Clamav-users] Many Javascript false - positives
Tilman Schmidt wrote:

> Dennis Peterson wrote:
>
>> James E. Pratt wrote:
>>
>>> I can confirm too that Trojan.Downloader.JS.Agent-2 (and 1) hit a load of legitimate sites.
>>>
>>>> Hello. I ran into this Trojan.Downloader.JS.Agent-2 issue yesterday on our web server. When notified, the webmaster replied with: "these are coming from compressed js files using Dean Edwards' javascript packer [http://dean.edwards.name/packer/], which compresses js and usually reduces the file size by 30-40 percent."
>>
>> If the principal users of this service are spammers trying to obfuscate their content then I see no reason not to use a tool to block that content. A lesson that has been hard to teach is that when legitimate users create content that is indistinguishable from common spam it will be blocked. That takes into consideration the source - sales and marketing types in any corporation have a particular problem as almost all of what they create could be considered spam by someone. Best effort rules apply. I've never had a manager reverse me on this.
>
> Sorry, but that's completely beside the point.
>
> a) We are not talking about spam filtering here, but about classification as malware.
>
> b) Applying spam blocking rules to web content is quite inappropriate, as websites are actively requested, as opposed to spam, which is forced on the recipient through her mailbox slot.
>
> c) Whether the principal users of Dean Edwards' JavaScript packer are spammers is open to debate, although IMHO it doesn't even matter in the light of a) and b).
>
> Generally speaking, I am quite wary of the increasing tendency of ClamAV to try and detect spam in addition to malware. These two categories need to be treated quite differently for many reasons, among them legal ones. Mixing them up like this makes my life and work more difficult. Please don't do it.
>
> Thanks,
> T.

We don't disagree on much, here. The last point you make is why I suggested some kind of scoring system.

I've not examined the return codes from clamd, but I suspect it is the same for every kind of match. Code Red would return the same thing as an Ebay scam, and if so then that right there is the problem. It leaves us with no means to evaluate the message further if ClamAV is to be a go/no-go tool. A work-around is to not use ClamAV as a go/no-go tool and evaluate every message further regardless of the presence of a virus. I'd prefer not to do that. I would like to evaluate certain image and scam messages further, though, and of course the way to do that is to disable that kind of filtering in ClamAV. And I'd prefer not to do that, too. I'd like all the tools to contribute to the score of a message and make the go/no-go decision on that score.

If you read Tomasz' interview by the SANS Tech Institute you'll learn that this business of going beyond malware is going to expand. I'm not real crazy about that.

dp
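A way to act on a hit like the one discussed in this thread, as an added example that is not code from the list, from ClamAV, or from Dean Edwards' packer page: a Python unpacker for the eval(function(p,a,c,k,e,d)...) format the packer emits. The point is to triage a Trojan.Downloader.JS.Agent hit on a packed file by what the script does after unpacking, rather than by the packing, which benign and malicious files share. Both packed samples below are constructed by hand for this example, and the indicator list is an illustrative triage heuristic of mine, not ClamAV's signature (the thread does not say what the signature matched).

```python
"""Unpack Dean Edwards' p,a,c,k,e,d JavaScript format (added example)."""
import re

# The literal prologue every packer build emits; its presence is what makes
# packed files look alike whether the payload is benign or not.
PACKER_PROLOGUE = "eval(function(p,a,c,k,e,d)"

# Packer 3.0 boilerplate, reproduced so the constructed samples below are
# syntactically what a packed file contains. Its decoder maps key index c to
# a string of base-a digits: 0-9, a-z, then A-Z when a > 36.
_PACKER_HEADER = (
    r"eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))"
    r"+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};"
    r"if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}"
    r"k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};"
    r"while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}"
    r"return p}"
)

# Constructed by hand for this example (radix = number of keys, as the packer
# does when there are fewer than 62 words). Benign: a greeting function.
BENIGN_PACKED = (
    _PACKER_HEADER
    + r"""('1 2(0){3("4, "+0)}',5,5,'name|function|greet|alert|Hello'.split('|'),0,{}))"""
)

# Constructed: the same format hiding a document.write of an invisible iframe,
# the kind of body a "downloader" verdict is about. Note the escaped quotes.
SUSPICIOUS_PACKED = (
    _PACKER_HEADER
    + r"""('0.1(\'<2 3="4://5.6/7" 8="9:a"></2>\')',11,11,"""
    + r"""'document|write|iframe|src|http|example|com|x|style|display|none'.split('|'),0,{}))"""
)

# Matches the trailing call: }('payload', radix, count, 'w1|w2|...'.split('|')
_WRAPPER_RE = re.compile(
    r"\}\s*\(\s*'(?P<payload>(?:[^'\\]|\\.)*)'\s*,\s*(?P<radix>\d+)\s*,\s*"
    r"(?P<count>\d+)\s*,\s*'(?P<words>(?:[^'\\]|\\.)*)'\.split\('\|'\)",
    re.DOTALL,
)

# Illustrative triage indicators (assumption of this example, not ClamAV's).
INDICATORS = ("document.write", "<iframe", "unescape(", "fromCharCode", "ActiveXObject")


def is_packed(js):
    """True if the text carries the packer prologue."""
    return PACKER_PROLOGUE in js


def _key_index(token, radix):
    """Inverse of the packer's e(c): token -> key index, or None if not a key."""
    value = 0
    for ch in token:
        if "0" <= ch <= "9":
            digit = ord(ch) - 48
        elif "a" <= ch <= "z":
            digit = ord(ch) - 87          # 'a' -> 10
        elif "A" <= ch <= "Z":
            digit = ord(ch) - 29          # 'A' -> 36, mirrors fromCharCode(c+29)
        else:
            return None
        if digit >= radix:
            return None
        value = value * radix + digit
    return value


def unpack(packed):
    """Return the original source, or raise ValueError if not packer output."""
    m = _WRAPPER_RE.search(packed)
    if not m:
        raise ValueError("not p,a,c,k,e,d packer output")
    payload = re.sub(r"\\(['\\])", r"\1", m.group("payload"))  # undo JS \' and \\
    radix = int(m.group("radix"))
    words = m.group("words").split("|")

    def expand(match):
        token = match.group(0)
        idx = _key_index(token, radix)
        if idx is None or idx >= len(words) or not words[idx]:
            return token  # not a key, or a word the packer left in place
        return words[idx]

    # Same token boundary the packer's own decoder uses: \b\w+\b, ASCII only.
    return re.sub(r"\b\w+\b", expand, payload, flags=re.ASCII)


def indicators(source):
    """Which triage indicators occur in (unpacked) source."""
    return [i for i in INDICATORS if i in source]


def triage(js):
    """Score what the script does after unpacking, not the packing itself."""
    body = unpack(js) if is_packed(js) else js
    return {"packed": is_packed(js), "indicators": indicators(body), "source": body}


if __name__ == "__main__":
    for sample in (BENIGN_PACKED, SUSPICIOUS_PACKED):
        print(triage(sample))
```

Running the triage on the two samples gives the distinction the packer hides: both are "packed", but only the second one's unpacked body contains document.write and an iframe. A scoring setup of the kind discussed above would weight those indicators, and the bare fact of packing, separately.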
Re: [Clamav-users] ClamAv-Milter Configuration Troubles
James Kosin wrote:
| Everyone,
|
| I've got clamav-milter using a .sock file and would like to change it to
| use the IP socket address interface to clamd.
| Any ideas on what I have to do? If I just change clamav-milter options
| to use --external and remove the local socket file from the options,
| clamav-milter complains. I want it to use the local machine's IP
| 127.0.0.1 with clamd running. Anyone have a good configuration to
| share? The documentation is a bit sparse in this area.
|
| James

Hey... anyone out there???
Re: [Clamav-users] ClamAv-Milter Configuration Troubles
On Fri, Apr 11, 2008 at 7:00 PM, James Kosin [EMAIL PROTECTED] wrote:

> James Kosin wrote:
> | Everyone,
> |
> | I've got clamav-milter using a .sock file and would like to change it to
> | use the IP socket address interface to clamd.
> | Any ideas on what I have to do? If I just change clamav-milter options
> | to use --external and remove the local socket file from the options,
> | clamav-milter complains. I want it to use the local machine's IP
> | 127.0.0.1 with clamd running. Anyone have a good configuration to
> | share? The documentation is a bit sparse in this area.
> |
> | James
>
> Hey... anyone out there???

A quick read of the clamav-milter man page suggests you missed the --server option:

  --server=HOSTNAME/ADDRESS, -s HOSTNAME/ADDRESS
      IP address or hostname of server(s) running clamd (when using TCPsocket and --external).
      ...

--
Rob MacGregor
Whoever fights monsters should see to it that in the process he doesn't become a monster. Friedrich Nietzsche
[Clamav-users] pdf rar
Hello,

ClamAV 0.92.1 (debian volatile) can't scan pdf files. I get the following error: Files number limit exceeded. My clam.conf is:

ArchiveMaxRecursion 0,
ArchiveMaxFiles 0,
ArchiveMaxFileSize 30M (I'm scanning pdf near 3M)
ArchiveMaxCompressionRatio 500
ArchiveLimitMemoryUsage false

I don't understand what the problem is.

Also, my ClamAV can't scan rar 3 files. I have the unrar non-free version installed, and my File-Roller shows and unpacks rar 3 files. I used the following commands:

$ clamscan
$ clamscan --unrar ./*
$ clamscan --unrar=/usr/bin/unrar ./*

And I get:

LibClamAV Warning: RAR code not compiled-in
/home/shumkar/soft/downloads/rar3_virus/./clam.rar: OK

Then, if I unpack clam.rar with unrar, or with File-Roller:

$ clamscan --unrar=/usr/bin/unrar ./*
/home/shumkar/soft/downloads/rar3_virus/./clam.exe: ClamAV-Test-File FOUND
LibClamAV Warning: RAR code not compiled-in
/home/shumkar/soft/downloads/rar3_virus/./clam.rar: OK

I don't understand... Please explain to me what's wrong.

Regards,
Alex
Re: [Clamav-users] clamav-users Digest, Vol 43, Issue 11
> My clam.conf is:
>
> ArchiveMaxRecursion 0,
> ArchiveMaxFiles 0,
> ArchiveMaxFileSize 30M (I'm scanning pdf near 3M)
> ArchiveMaxCompressionRatio 500
> ArchiveLimitMemoryUsage false

There are no commas after the zeros in my clam.conf; I put them only here, in the message, by error. The real lines from clam.conf are:

ArchiveMaxRecursion 0
ArchiveMaxFiles 0
ArchiveMaxFileSize 30M
ArchiveMaxCompressionRatio 500
ArchiveLimitMemoryUsage false

Regards,
Alex