Re: [Clamav-users] No debian woody support anymore?

2010-04-22 Thread Thomas Hochstein
Simon Hobson schrieb:

> OK, how's this then. 9.5.3 (IIRC) came out about the time the notice 
> was published. It costs virtually nothing to add an extra DNS entry, 
> and the release could have had the default server URL changed for 
> Freshclam to fetch updates. it wouldn't even have been a great issue 
> to have a 9.5.4 just for that - and of course the change would be 
> quite prominent in the release notes then as well.

Why didn't you suggest that beforehand?

Why didn't you just DO that if you consider it necessary as it "costs
virtually nothing", neither time nor money?

-thh
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


[Clamav-users] Make check for 0.96 fails on PPC Macintosh running 10.5.8 client

2010-04-22 Thread Larry Stone
I have 0.96 running just fine (I think) on my PPC Macintosh running
Leopard (10.5.8) (after applying the patch for bug 1921). But then after
reading various notes here, realized I should run make check. But it fails
making 'CXXLD not' with an undefined symbol error. I am way out of my league
in understanding what this is trying to tell me.

Make check runs fine for 0.95.3 on the same system and 0.96 make check runs
fine on an Intel Macintosh running Snow Leopard 10.6.3 .

From the second run of make check:
Making check in libltdl
make  check-am
make[2]: Nothing to be done for `check-am'.
Making check in libclamav
make  check-recursive
Making check in c++
make  check-am
make  libllvmbitreader.la libllvmsupport_nodups.la libllvmsupport.la libllvmfullcodegen.la libllvmasmprinter.la libllvmbitwriter.la libllvmasmparser.la libgoogletest.la libllvminterpreter.la count not lli llc llvm-as llvm-dis llvmunittest_ADT llvmunittest_Support llvmunittest_VMCore llvmunittest_ExecutionEngine llvmunittest_JIT FileCheck \
  llvmcheck.sh
make[5]: `libllvmbitreader.la' is up to date.
make[5]: `libllvmsupport_nodups.la' is up to date.
make[5]: `libllvmsupport.la' is up to date.
make[5]: `libllvmfullcodegen.la' is up to date.
make[5]: `libllvmasmprinter.la' is up to date.
make[5]: `libllvmbitwriter.la' is up to date.
make[5]: `libllvmasmparser.la' is up to date.
make[5]: `libgoogletest.la' is up to date.
make[5]: `libllvminterpreter.la' is up to date.
make[5]: `count' is up to date.
  CXXLD  not
Undefined symbols:
  "operator delete(void*)", referenced from:
  llvm::sys::Path::FindLibrary(std::basic_string, std::allocator >&)in libllvmsystem.a(Path.o)
  llvm::sys::Path::getDirectoryContents(std::set, std::allocator >&,
std::basic_string, std::allocator >*) constin
libllvmsystem.a(Path.o)
(... Many, many lines deleted...)
  llvm::sys::Program::FindProgramByName(std::basic_string, std::allocator > const&)in libllvmsystem.a(Program.o)
ld: symbol(s) not found
collect2: ld returned 1 exit status
make[5]: *** [not] Error 1
make[4]: *** [check-am] Error 2
make[3]: *** [check] Error 2
make[2]: *** [check-recursive] Error 1
make[1]: *** [check] Error 2
make: *** [check-recursive] Error 1


-- 
Larry Stone
lston...@stonejongleux.com
http://www.stonejongleux.com/




Re: [Clamav-users] clamav-daemon didn't recognise attached virus

2010-04-22 Thread Steve Basford



Noel Jones wrote:

> Clam must scan the whole email message because (as you know) some 
> signatures only trigger on files that look like a mail message.
> To have both attachment blocking and full email scanning, the mail 
> ends up being scanned twice.  Maybe I'll put in a request for a "don't 
> scan decoded parts" feature ...

I've updated the page here with the new info:

http://www.sanesecurity.com/clamav/problems.htm

In order to get the best out of the Sanesecurity signatures the FULL 
message must be passed to ClamAV, as a lot of the signatures use the From 
header/Subject/other headers and combinations of header/body.

As for performance, I'd agree that not double-scanning would be a good idea.

Cheers,

Steve
Sanesecurity


Re: [Clamav-users] Can't map file into memory - mostly PDFs

2010-04-22 Thread Chuck Swiger
Hi, Jason--

On Apr 22, 2010, at 12:33 PM, Jason Evans wrote:
> The failure mode was trimmed before I was CC'ed, so I'm missing background 
> information.

Thanks for the response.  The bug report here:

  https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1941

...contains the useful details, but the ktrace of the point of failure is:

  61805 clamd CALL  mmap(0,0x9d55d6,PROT_READ,MAP_PRIVATE,0xb,0,0)
  61805 clamd RET   mmap -1 errno 12 Cannot allocate memory
  61805 clamd CALL  write(0x2,0xbf5c850c,0x28)
  61805 clamd GIO   fd 2 wrote 40 bytes
  "LibClamAV Error: cli_pdf: mmap() failed

...which led to mmap()'s documentation:

     [ENOMEM]   MAP_FIXED was specified and the addr argument was not
                available.  MAP_ANON was specified and insufficient
                memory was available.  The system has reached the per-
                process mmap limit specified in the vm.max_proc_mmap
                sysctl.

> However, I doubt the number of map entries is the problem.  See procfs(5) on 
> how to mount the proc filesystem, then look at /proc//maps to see the VM 
> map.  My observation has been that the total number of entries is quite 
> small, even for large applications (shared libraries tend to contribute more 
> entries than malloc does).
> 
> As an aside, jemalloc maps at least 1 MiB at a time, so it doesn't 
> substantially contribute to the number of map entries even if the application 
> somehow causes bad map fragmentation.

Acknowledged.  Hopefully Royce can use this feedback to gather better 
information.

Regards,
-- 
-Chuck



Re: [Clamav-users] clamav-daemon didn't recognise attached virus

2010-04-22 Thread Noel Jones

On 4/22/2010 12:30 PM, aCaB wrote:
> Paul Whelan wrote:
>>> I think your amavis tried to decode the message, and pass only parts of
>>> it to ClamAV.
>>
>> In general then, clamav may only recognise some malware when it is
>> still attached to a mail message and not after it has been
>> separately stored.  Is that correct?
>
> It may or may not, depending on the message and the signature that
> catches it.
> Since clamav internally processes the mail message and all its attachments
> anyway, having this done twice (by amavis and by clamav) is probably
> pointless...
>
> ---acab


For amavisd-new to block attachments by file(1) type, it must 
unpack the mail.


Clam must scan the whole email message because (as you know) 
some signatures only trigger on files that look like a mail 
message.


To have both attachment blocking and full email scanning, the 
mail ends up being scanned twice.  Maybe I'll put in a request 
for a "don't scan decoded parts" feature ...



  -- Noel Jones


Re: [Clamav-users] Can't map file into memory - mostly PDFs

2010-04-22 Thread Chuck Swiger
Hi--

[ CC:ing Jason as the domain expert.  :-) ]

On Apr 22, 2010, at 10:01 AM, Royce Williams wrote:
> 2010/4/8 Török Edwin :
>> On 04/08/2010 11:03 PM, Chuck Swiger wrote:
[ ... ]
>>>> # sysctl vm.max_proc_mmap
>>>> vm.max_proc_mmap: 78951
>>> 
>>> It's the number of mmap() entries which the kernel is willing to make
>>> available per process; what you display should be plenty, unless there is
>>> some kind of problem where mmap()ed files never get munmap()ed.
>> 
>> Actually that's a pretty low number if FreeBSD is using mmap() for malloc()
>> and it is not merging adjacent maps when counting this limit.
>> 
>> 78951 (maps) * 4KB (pagesize) = 308 MB
>> 
>> 308 MB is a pretty low limit for clamd, especially since the database alone
>> is ~100MB.
>> 
>> The maximum maps count on Linux is even lower, and yet everything works:
>> vm.max_map_count = 65530
>> 
>> I guess Linux merges adjacent mmap()s into a single map, and only counts
>> those.  I don't know what FreeBSD does, but if it doesn't merge the maps
>> then that max_proc_mmap limit doesn't make sense.
> 
> For anyone who picks up this thread, it's in Bugzilla here:
> 
> https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1941

There may be some confusion with regard to this matter.  FreeBSD's JE malloc() 
which landed with 7.x doesn't call mmap() for every call to malloc(), or even 
for every page allocated by malloc(), but I believe will call mmap() once per 
run for sizes up to a megabyte at a time:

  http://www.freebsd.org/cgi/cvsweb.cgi/src/lib/libc/stdlib/malloc.c?rev=1.193

I believe it will also try to fall back to using sbrk() to get DSS memory if it 
needs to.  It might be interesting for Royce to try:

   ln -s 'DmP' /etc/malloc.conf

...(or set $MALLOC_OPTIONS in clamd's environment) and see whether disabling 
mmap() allocations entirely in favor of sbrk() helps.  The "P" flag will also 
cause malloc statistics to be generated to stderr, which might also be helpful 
for debugging the issue.

Regards,
-- 
-Chuck



Re: [Clamav-users] clamav-daemon didn't recognise attached virus

2010-04-22 Thread aCaB
Paul Whelan wrote:
>> I think your amavis tried to decode the message, and pass only parts of
>> it to ClamAV.
> 
> In general then, clamav may only recognise some malware when it is 
> still attached to a mail message and not after it has been 
> separately stored.  Is that correct?


It may or may not, depending on the message and the signature that
catches it.
Since clamav internally processes the mail message and all its attachments
anyway, having this done twice (by amavis and by clamav) is probably
pointless...

---acab


Re: [Clamav-users] clamav-daemon didn't recognise attached virus

2010-04-22 Thread Paul Whelan


On 22 Apr 2010 at 12:06, Török Edwin wrote:

> You need to tell amavis to pass the entire message to ClamAV, try:
> $bypass_decode_parts = 1;
> 
> I think your amavis tried to decode the message, and pass only parts of
> it to ClamAV.

In general then, clamav may only recognise some malware when it is 
still attached to a mail message and not after it has been 
separately stored.  Is that correct?

paul




Re: [Clamav-users] Can't map file into memory - mostly PDFs

2010-04-22 Thread Royce Williams
2010/4/8 Török Edwin :
> On 04/08/2010 11:03 PM, Chuck Swiger wrote:
>>>> If you're running FreeBSD 7.x, you should already have gcc-4.2.1 or
>>>> thereabouts with the base OS.  Anyway, even the gcc-3.4.6 version from
>>>> FreeBSD-6.x seems to be doing OK with LLVM/JIT bytecode enabled once I
>>>> removed the two warning options which were not recognized by gcc-3.
>>>>
>>>> With regard to the failure you've described, what is output of "sysctl
>>>> vm.max_proc_mmap"?  It could be the cause of ENOMEM from mmap():
>>>>
>>>>      [ENOMEM]           MAP_FIXED was specified and the addr argument was not
>>>>                         available.  MAP_ANON was specified and insufficient
>>>>                         memory was available.  The system has reached the per-
>>>>                         process mmap limit specified in the vm.max_proc_mmap
>>>>                         sysctl.
>>>
>>> I am not familiar enough with the function of this sysctl to interpret
>>> the results.
>>>
>>> # sysctl vm.max_proc_mmap
>>> vm.max_proc_mmap: 78951
>>
>> It's the number of mmap() entries which the kernel is willing to make
>> available per process; what you display should be plenty, unless there is
>> some kind of problem where mmap()ed files never get munmap()ed.
>>
>
> Actually that's a pretty low number if FreeBSD is using mmap() for malloc()
> and it is not merging adjacent maps when counting this limit.
>
> 78951 (maps) * 4KB (pagesize) = 308 MB
>
> 308 MB is a pretty low limit for clamd, especially since the database alone
> is ~100MB.
>
> The maximum maps count on Linux is even lower, and yet everything works:
> vm.max_map_count = 65530
>
> I guess Linux merges adjacent mmap()s into a single map, and only counts
> those.
> I don't know what FreeBSD does, but if it doesn't merge the maps then that
> max_proc_mmap limit doesn't make sense.

For anyone who picks up this thread, it's in Bugzilla here:

https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1941


Re: [Clamav-users] clamav-daemon didn't recognise attached virus

2010-04-22 Thread Noel Jones

On 4/22/2010 10:51 AM, Thomas Herzog wrote:
> Török Edwin wrote:
>> On 04/22/2010 10:24 AM, Török Edwin wrote:
>>>> lxhv1m02:~# grep ctl /etc/amavis/conf.d/15-av_scanners
>>>> \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],
>>
>> You need to tell amavis to pass the entire message to ClamAV, try:
>> $bypass_decode_parts = 1;
>>
>> I think your amavis tried to decode the message, and pass only parts of
>> it to ClamAV.
>>
>> Best regards,
>> --Edwin
>
> Hello, this solution seems to lever my "banned_filename_re"-filter out.
> Perhaps, there's another solution?

Find the "@keep_decoded_original_maps" section and uncomment 
the line with:

#  qr'^MAIL$', # retain full original message

The side effect of this is that the mail will be virus scanned 
twice; once for the whole message, and again for each decoded 
part.  On my machine clam is fast enough that this doesn't 
make a significant difference in processing time.

  -- Noel Jones

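The two amavis settings discussed in this thread, Edwin's `$bypass_decode_parts = 1` and Noel's uncommented `qr'^MAIL$'` entry in `@keep_decoded_original_maps`, as an added shell example that is not code from the list or from amavisd-new: it writes constructed sample fragments in the shape of amavis conf.d files and reports which of the two (if either) is active, so you can tell whether the full message reaches clamd and whether the banned_filename_re checks on decoded parts are still in play. The config directory path is an argument; the grep-based matching is an assumption and does not model a later conf.d file overriding an earlier one.

```sh
#!/bin/sh
# Added example, not from the thread or from amavisd-new. Assumes amavisd-new
# style Perl config files; matching is by grep, so an assignment split across
# lines, or overridden in a later conf.d file, is not modelled.

# Write three constructed fragments mirroring the states discussed in the
# thread: decoded parts only, $bypass_decode_parts = 1, and qr'^MAIL$' kept.
amavis_sample_configs() {
    dir=$1
    cat > "$dir/10-parts-only" <<'EOF'
# constructed: amavis hands clamd only the decoded parts (the starting point)
$bypass_decode_parts = 0;
#  qr'^MAIL$', # retain full original message
EOF
    cat > "$dir/20-bypass" <<'EOF'
# constructed: Edwin's suggestion; the original message is passed, decoded
# parts are not, so banned_filename_re no longer sees them (Thomas's report)
$bypass_decode_parts = 1;
EOF
    cat > "$dir/30-keepmail" <<'EOF'
# constructed: Noel's suggestion; the full message is kept as one more part
# next to the decoded ones (scanned twice, banned_filename_re still applies)
$bypass_decode_parts = 0;
@keep_decoded_original_maps = (new_RE(
  qr'^MAIL$', # retain full original message
));
EOF
}

# Report the mode for the given config file(s):
#   bypass   - $bypass_decode_parts = 1 is active (wins if both are set)
#   keepmail - an uncommented qr'^MAIL$' entry is active
#   parts    - neither, only decoded parts reach clamd
# A line counts as active when it is not behind a leading '#'.
amavis_clam_mode() {
    if grep -Eq '^[[:space:]]*\$bypass_decode_parts[[:space:]]*=[[:space:]]*1' "$@" 2>/dev/null; then
        echo bypass
    elif grep -Eq '^[[:space:]]*qr.\^MAIL\$.' "$@" 2>/dev/null; then
        echo keepmail
    else
        echo parts
    fi
}

# One-line consequence of each mode for detection, as described in the thread.
amavis_clam_explain() {
    case $1 in
        bypass)   echo "whole message scanned; decoded parts skipped, banned_filename_re bypassed" ;;
        keepmail) echo "whole message and decoded parts scanned (twice); banned_filename_re still applies" ;;
        parts)    echo "decoded parts only; signatures that need the mail headers will not fire" ;;
        *)        echo "unknown mode: $1"; return 1 ;;
    esac
}

# Usage: amavis_clam_audit /etc/amavis/conf.d   (Debian layout is assumed)
amavis_clam_audit() {
    mode=$(amavis_clam_mode "$1"/*)
    echo "$1: $mode: $(amavis_clam_explain "$mode")"
}
```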

Re: [Clamav-users] clamav-daemon didn't recognise attached virus

2010-04-22 Thread Török Edwin
On 04/22/2010 06:51 PM, Thomas Herzog wrote:
> 
> 
> 
> Török Edwin wrote:
>>
>> On 04/22/2010 10:24 AM, Török Edwin wrote:
>>>> lxhv1m02:~# grep ctl /etc/amavis/conf.d/15-av_scanners
>>>> \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],
>>
>> You need to tell amavis to pass the entire message to ClamAV, try:
>> $bypass_decode_parts = 1;
>>
>> I think your amavis tried to decode the message, and pass only parts of
>> it to ClamAV.
>>
>> Best regards,
>> --Edwin
> 
> Hello, this solution seems to lever my "banned_filename_re"-filter out.
> Perhaps, there's another solution?

I don't know, try asking on the Amavis list.

Best regards,
--Edwin

Re: [Clamav-users] clamav-daemon didn't recognise attached virus

2010-04-22 Thread Thomas Herzog



Török Edwin wrote:
> 
> On 04/22/2010 10:24 AM, Török Edwin wrote:
>>> lxhv1m02:~# grep ctl /etc/amavis/conf.d/15-av_scanners
>>> \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],
> 
> You need to tell amavis to pass the entire message to ClamAV, try:
> $bypass_decode_parts = 1;
> 
> I think your amavis tried to decode the message, and pass only parts of
> it to ClamAV.
> 
> Best regards,
> --Edwin

Hello, this solution seems to lever my "banned_filename_re"-filter out.
Perhaps, there's another solution?

Thanks
Thomas


[Clamav-users] PhishingScanURLs FPing too often

2010-04-22 Thread Kris Deugau
I've had reports of several FPs due to PhishingScanURLs recently - is 
there any way it can be made less aggressive rather than just turning it 
off outright?


The messages triggering it so far have been both outgoing and incoming 
mail from our customers:  forwarded copies of legitimate Amazon.ca mail 
and eBay replies on the outgoing side;  a newsletter linking to a bank 
website for a contest of some kind on the incoming side.


Some customers may not want to send the message in question to our 
reporting address due (quite reasonably) to privacy concerns, and it's a 
bit hard to create a .wdb entry when a) I don't have an example URL that 
triggers the test and b) I'm groping in the dark on exactly how to 
correctly format an entry.


-kgd


Re: [Clamav-users] Clubbing a deceased equine

2010-04-22 Thread Jim Preston

Eray Aslan wrote:
> On 22.04.2010 06:20, Dennis Peterson wrote:
>> Suggest at least one way to inform all the users successfully that
>> obsolete software is going to die soon - and don't let it slip past you
>> in your solution that the ClamAV people have no way of knowing who
>> they need to inform. And recall too, this: Filling their logs with
>> warnings didn't work. Posting the notice on the front page of their
>> website didn't work. Running commentary in this list didn't work.
>> Announcing it in their Announcements list didn't work.
>
> Every major software project hits this road block sooner or later and
> solves it in an acceptable way.  This is not rocket science.  I am
> pretty sure some way of versioning support was on the table during the
> decision making process and was rejected.  Knowing the rationale behind
> it would be nice.  I think it was a bad decision but knowing how the
> decision was made (the other side of the argument so to speak) would help.
>
> [...]
>
>> We're left with this: The "problem" affected only those that did not pay
>> adequate attention. There is no cure for that.
>
> Our problem statements differ.  I am against clamav's "right" to turn
> off services on other people's computers which does not say anything on
> sysadmins who may or may not be paying attention.
>
>> So here's a message to everyone that was surprised: PAY ATTENTION
>> because there's going to be a next time!
>
> I hope not.

If you bothered to read this entire thread you would understand that 
ClamAV did no such thing. In a couple of weeks these very same systems 
would have failed when the new signature format went into effect. The 
issue is that without code changes to <0.95 installations the new 
signatures will crash Clamd by design of <0.95 versions. This was built 
into the versions NOT as a method of breaking clamd but as preventing 
loading of what this version considers malformed databases. They are not 
guilty of intentionally turning off services but of not WASTING their money 
to protect users who want to continue to use EOL software.


Jim


Re: [Clamav-users] Way, way, way OT: Re: (no subject)

2010-04-22 Thread Jim Preston

Steve Holdoway wrote:
> On Wed, 2010-04-21 at 22:08 -0700, Dennis Peterson wrote:
>> On 4/21/10 10:06 PM, Eric Rostetter wrote:
>>> Quoting Jim Preston :
>>>> Read what I said. *functional* not security. Like, for example, php is
>>>> at 5.2.6 on lenny, unless you configure it differently. That's the whole
>>>> point of releases.
>>>
>>> There are distros that release functional (feature) upgrades as well
>>> as security/bug upgrades... Just as there are ones that don't.
>>>
>>> Most distros will provide:
>>
>> Show me the contract.
>>
>> dp
>
> This is just going round in circles. The vast majority ( I'm sure! ) of
> non-hobbyist linux users will install debian lenny or ubuntu LTS or
> CentOS 5 on their VPS using a single click ( for example ) for whatever
> reason. It'll be a default install, probably with apt / yum running
> automagically to install security upgrades... minimal maintenance
> effort.
>
> Who's the sysadmin? The one who drew the short straw, usually by asking
> 'who does the backups?' or something similar, and also usually have
> about -10 hours a week available to perform this function. These are the
> people who need looking after, not a career sysadmin like me ( and you
> IIRC Dennis? ) who do keep up to date. We've heard of debian volatile,
> and building from scratch isn't scary at all, but that sort of thing is
> way beyond this majority.
>
> This is what I'm saying. It's a practical appraisal - how it's been
> working for the last 5-10 years - not a legal or academic one. I reckon
> that - another example - a patch to freshclam to convert new to old
> database format would have kept everyone happy ( no functional change
> there: it's just acquiring new sigs ), keeps the effort on the client
> servers, and lenny, etc would have kept on running until end of life.
>
> There will always be edge conditions if you want the exception to prove
> the rule. Personally I'd like to see the masses catered for.
>
> And sure, maybe I'm being clever after the fact, and should have joined
> in. However, after 4 years fighting spam I am just so over it. Sorry ):
>
> Steve

Well Steve, I have to disagree with you. In the case of the VPS users 
(and in reality any remote system where the only human interaction is 
the service provider) I feel it is the responsibility of the 
provider to help their customers. They are providing a service and if 
they do not provide good service users should switch. I ended up doing that 
with a very notorious provider of PS and VPS (was with the company 
before VPS was invented). I will not post the company name as that would 
be Way, way, way OT.


Jim


Re: [Clamav-users] clamscan fails from mimedefang with large third-party databases

2010-04-22 Thread Jason Bertoch

On 2010/04/22 6:23 AM, jef moskot wrote:
>> Try scanning the same file mimedefang scans.
>
> It cleans up after itself, so I'm not sure exactly what's in the working
> directory that causes the trouble.

Try mimedefang's -d switch:

   -d The  -d switch causes mimedefang not to delete the
  temporary spool files it creates for incoming messages.

--
/Jason




Re: [Clamav-users] clamav-daemon didn't recognise attached virus

2010-04-22 Thread Thomas Herzog



Török Edwin wrote:
> 
> On 04/22/2010 10:24 AM, Török Edwin wrote:
>>> lxhv1m02:~# grep ctl /etc/amavis/conf.d/15-av_scanners
>>>\&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],
> 
> You need to tell amavis to pass the entire message to ClamAV, try:
> $bypass_decode_parts = 1;
> 
> I think your amavis tried to decode the message, and pass only parts of
> it to ClamAV.
> 
> Best regards,
> --Edwin

BINGO!

After setting $bypass_decode_parts = 1; the virus was found:
lxhv1m02:/etc/amavis/conf.d# tail -n 2 /var/log/clamav/clamav.log
Thu Apr 22 13:39:02 2010 ->
/var/lib/amavis/tmp/amavis-20100422T133603-19502/parts/p001:
Suspect.Bredozip-zippwd-5 FOUND
Thu Apr 22 13:40:56 2010 ->
/var/lib/amavis/tmp/amavis-20100422T134024-20718/parts/p001:
Suspect.Bredozip-zippwd-5 FOUND

Thank You very much Edwin,
Regards Thomas




Re: [Clamav-users] clamd memory usage (Solved)

2010-04-22 Thread Randal, Phil
Francis Stevens wrote:
> Chris wrote:
>> I've misplaced the original post I made so I can't reply to it,
>> however I'd like to make a note for the archives what the problem is
>> and to thank Steve Basford and Edwin for their help in finding
>> it. Seems like I had both a main.cvd and main.cld. I removed the
>> main.cld file and all is back to the way it should be.
>> 
>> Chris
>> 
> I was interested in this thread and so checked my clam folder on
> seeing this. I've got a main.cld file and no main.cvd have I got a
> problem (everything seems to be working correctly)?  
> 
> FAS

Having one of main.cld or main.cvd is fine, having both is the problem.

Same's true of daily.cld and daily.cvd.

If you have both, delete the .cld file and then run freshclam to make
sure you're up to date.

Cheers,

Phil

-- 
Phil Randal | Networks Engineer
NHS Herefordshire & Herefordshire Council  | Deputy Chief Executive's
Office | I.C.T. Services Division Thorn Office Centre, Rotherwas,
Hereford, HR2 6JT Tel: 01432 260160
email: pran...@herefordshire.gov.uk

Any opinion expressed in this e-mail or any attached files are those of
the individual and not necessarily those of Herefordshire Council. 

This e-mail and any attached files are confidential and intended solely
for the use of the addressee. This communication may contain material
protected by law from being passed on. If you are not the intended
recipient and have received this e-mail in error, you are advised that
any use, dissemination, forwarding, printing or copying of this e-mail
is strictly prohibited. If you have received this e-mail in error
please contact the sender immediately and destroy all copies of it.
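The check Phil describes, as an added shell example that is not code from the thread or from ClamAV: it lists every database present in both its .cvd and .cld form, removes the .cld half of each such pair, and leaves a lone .cld or .cvd alone, since either form on its own is fine. The database directory is an argument; /var/lib/clamav is assumed as the usual default and freshclam is assumed to be on PATH.

```sh
#!/bin/sh
# Added example, not from the thread or from ClamAV. Finds databases that
# exist as both NAME.cvd and NAME.cld in one directory (the state that
# caused the memory problem in this thread) and applies the fix given on the
# list: drop the .cld copy, then run freshclam to get current again.

# Print the base name (e.g. "main") of every database present in both forms.
clamdb_dupes() {
    dir=$1
    for cvd in "$dir"/*.cvd; do
        [ -e "$cvd" ] || continue        # the glob matched nothing
        base=${cvd%.cvd}
        if [ -e "$base.cld" ]; then
            printf '%s\n' "${base##*/}"
        fi
    done
    return 0
}

# Number of duplicated pairs; 0 means the directory is in the expected state.
clamdb_dupe_count() {
    clamdb_dupes "$1" | wc -l | tr -d ' '
}

# Remove the .cld half of each duplicated pair only. A lone .cld (daily.cld
# with no daily.cvd) is left in place, since one form on its own is fine.
clamdb_drop_dup_cld() {
    dir=$1
    clamdb_dupes "$dir" | while read -r base; do
        rm -f -- "$dir/$base.cld"
    done
}

# Usage: clamdb_check_and_fix [/var/lib/clamav]
# Reports, cleans up, and then refreshes the signatures with freshclam
# (assumed to be on PATH and configured for this directory).
clamdb_check_and_fix() {
    dir=${1:-/var/lib/clamav}
    if [ "$(clamdb_dupe_count "$dir")" -eq 0 ]; then
        echo "$dir: no .cvd/.cld duplicates"
        return 0
    fi
    echo "$dir: both .cvd and .cld present for: $(clamdb_dupes "$dir" | tr '\n' ' ')"
    clamdb_drop_dup_cld "$dir"
    freshclam
}
```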


Re: [Clamav-users] clamd memory usage (Solved)

2010-04-22 Thread Francis Stevens

Chris wrote:
> I've misplaced the original post I made so I can't reply to it, however
> I'd like to make a note for the archives what the problem is and to
> thank Steve Basford and Edwin for their help in finding it. Seems
> like I had both a main.cvd and main.cld. I removed the main.cld file and
> all is back to the way it should be.
>
> Chris

I was interested in this thread and so checked my clam folder on seeing 
this. I've got a main.cld file and no main.cvd have I got a problem 
(everything seems to be working correctly)?


FAS




Re: [Clamav-users] clamscan fails from mimedefang with large third-party databases

2010-04-22 Thread jef moskot

On Thu, 22 Apr 2010, Török Edwin wrote:
> You are running out of memory (or rather mmap()s).
> We have a bugreport about this, but we haven't figured how to fix it.
> Increasing the max number of mmaps FreeBSD allows won't fix it :(

Yikes.  Well, at least there's already an open report.

> Try scanning the same file mimedefang scans.

It cleans up after itself, so I'm not sure exactly what's in the working 
directory that causes the trouble.  We quarantine messages, however, and 
command-line scanning all the parts left in the quarantine doesn't produce 
any complaints, other than the infection detection message.


Jeffrey Moskot
System Administrator
j...@math.miami.edu

Re: [Clamav-users] clamscan fails from mimedefang with large third-party databases

2010-04-22 Thread Török Edwin
On 04/22/2010 01:02 PM, jef moskot wrote:
> On Thu, 22 Apr 2010, jef moskot wrote:
>> Things ran smoothly for a little while without the larger databases...
> 
> Hmm, looks like I spoke too soon.  While it did catch bad messages, it
> barfed a little while doing so.
> 
> A couple of examples...
> 
> ===
> libclamav JIT: Allocation failed when allocating new memory in the JIT
> 
> ^[[0;1;31mlibclamav JIT: *** FATAL error encountered during bytecode
> generation
> ^[[0m./Work/INPUTMBOX: Sanesecurity.Junk.9210.UNOFFICIAL FOUND
> ===
> libclamav JIT: Allocation failed when allocating new memory in the JIT
> 
> ^[[0;1;31mlibclamav JIT: *** FATAL error encountered during bytecode
> generation
> ^[[0mLibClamAV Warning: fmap: map allocation failed
> LibClamAV Warning: fmap: map allocation failed

You are running out of memory (or rather mmap()s).
We have a bugreport about this, but we haven't figured how to fix it.
Increasing the max number of mmaps FreeBSD allows won't fix it :(


> LibClamAV Error: CRITICAL: fmap() failed
> LibClamAV Warning: fmap: map allocation failed
> LibClamAV Error: CRITICAL: fmap() failed
> LibClamAV Warning: fmap: map allocation failed
> LibClamAV Error: CRITICAL: fmap() failed
> ./Work/INPUTMBOX: local.sig.939.UNOFFICIAL FOUND
> ===
> 
> clamscanning from the command line doesn't seem to cause this problem.

Try scanning the same file mimedefang scans.

Best regards,
--Edwin


Re: [Clamav-users] clamscan fails from mimedefang with large third-party databases

2010-04-22 Thread Török Edwin
On 04/22/2010 12:47 PM, jef moskot wrote:
> This might be a question for the mimedefang list, but I thought I'd try
> here first in case I'm missing something obviously related to clam.
> 
> I've had 0.95.3 running since it came out with no problems, but 0.96
> returns an error of 2 (which the man explains as "Some error(s)
> occured.") when mimedefang tries to run it with my default config.
> 
> It's using clamscan, which works fine from the command line.  If I go
> into my signature directory and move the largest of the databases away
> (SaneSecurity's "jurlbl.ndb", for example), it works fine.  When I move
> them back, I get the error code 2 again.  I didn't notice if specific
> databases were causing the problem, or if it was only when the total
> size topped a certain number.
> 
> (I've rolled back for the moment and am not in a good position to
> experiment right now, but I can test that later if necessary.)
> 
> I tried to add a "--debug", but I don't know where those messages go
> (yes, I know a question for the mimedefang guys) in that context.

Well, you can add --debug 2>/tmp/clamscan-debug.
That way it'll always go to a place you know (assuming mimedefang allows
the redirection).

--Edwin


Re: [Clamav-users] clamscan fails from mimedefang with large third-party databases

2010-04-22 Thread jef moskot

On Thu, 22 Apr 2010, jef moskot wrote:
> Things ran smoothly for a little while without the larger databases...

Hmm, looks like I spoke too soon.  While it did catch bad messages, it 
barfed a little while doing so.


A couple of examples...

===
libclamav JIT: Allocation failed when allocating new memory in the JIT

^[[0;1;31mlibclamav JIT: *** FATAL error encountered during bytecode generation
^[[0m./Work/INPUTMBOX: Sanesecurity.Junk.9210.UNOFFICIAL FOUND
===
libclamav JIT: Allocation failed when allocating new memory in the JIT

^[[0;1;31mlibclamav JIT: *** FATAL error encountered during bytecode generation
^[[0mLibClamAV Warning: fmap: map allocation failed
LibClamAV Warning: fmap: map allocation failed
LibClamAV Error: CRITICAL: fmap() failed
LibClamAV Warning: fmap: map allocation failed
LibClamAV Error: CRITICAL: fmap() failed
LibClamAV Warning: fmap: map allocation failed
LibClamAV Error: CRITICAL: fmap() failed
./Work/INPUTMBOX: local.sig.939.UNOFFICIAL FOUND
===

clamscanning from the command line doesn't seem to cause this problem. 
Maybe because it's doing something funky decoding mail messages when 
launched from mimedefang, as opposed to regular files sitting in a 
directory?  Scanning mbox files from the command line doesn't seem to 
cause these errors.


Jeffrey Moskot
System Administrator
j...@math.miami.edu
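Edwin's redirection tip and the JIT/fmap allocation failures quoted above, as an added shell example (not code from the thread or from ClamAV): a wrapper that keeps clamscan's --debug output in a known file, maps the exit status documented in clamscan(1) to a word, and greps the captured log for those failure lines. The function names and the CLAMSCAN/DEBUG_LOG variables are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Wraps clamscan so that --debug output
# always lands in a known file ("2>/tmp/clamscan-debug"), maps the exit
# status from clamscan(1) (0 clean, 1 infected, 2 error) to a word, and
# checks the captured log for the allocation failures seen in the thread.
CLAMSCAN="${CLAMSCAN:-clamscan}"              # scanner to run; overridable
DEBUG_LOG="${DEBUG_LOG:-/tmp/clamscan-debug}" # where stderr is collected

# scan_status FILE: prints clean|infected|error, returns clamscan's own code.
scan_status() {
    rc=0
    "$CLAMSCAN" --debug "$1" >/dev/null 2>>"$DEBUG_LOG" || rc=$?
    case $rc in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
    return "$rc"
}

# alloc_failures: exit 0 (and list the lines) when the debug log records the
# JIT or fmap allocation failures quoted in the thread, exit 1 otherwise.
alloc_failures() {
    grep -E 'Allocation failed when allocating new memory in the JIT|fmap: map allocation failed' \
        "$DEBUG_LOG"
}

# Usage: scan_status ./Work/INPUTMBOX; alloc_failures && echo "see $DEBUG_LOG"
```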


Re: [Clamav-users] clamav-daemon didn't recognise attached virus

2010-04-22 Thread Thomas Herzog
Török Edwin wrote:
> 
> On 04/22/2010 10:01 AM, Thomas Herzog wrote:
>> 
>> Amavis seems to be calling the clam daemon, it also finds some other
>> exploits, viruses...
>> /var/log/clamav/clamav.log:
>> Thu Apr 22 08:15:07 2010 -> /tmp/UPS_invoice_4557.zip:
>> Suspect.Bredozip-zippwd-5 FOUND
> 
> BTW attachments are automatically removed on this mailing list.
> 
>> Thu Apr 22 08:23:53 2010 ->
>> /var/lib/amavis/tmp/amavis-20100422T082307-19639/parts/p002:
>> Exploit.HTML.IFrame-8 FOUND
>> Thu Apr 22 08:23:53 2010 ->
>> /var/lib/amavis/tmp/amavis-20100422T082307-19639/parts/p003:
>> Worm.NetSky-14
>> FOUND
>> 
>> Here you can see (UPS_invoice_4557.zip) was recognized with manual
>> scanning.
> 
> Is that the email, or the attachment? I guess it is the attachment.
> Try scanning the email containing that attachment with
> clamscan/clamdscan, and see if it is detected.
> 
>> 
>> lxhv1m02:~# dpkg -l | grep clam
>> ii  clamav0.95.3+dfsg-1~volatile1 anti-virus
>> utility for Unix - command-line i
>> ii  clamav-base   0.95.3+dfsg-1~volatile1 anti-virus
>> utility for Unix - base package
>> ii  clamav-daemon 0.95.3+dfsg-1~volatile1 anti-virus
>> utility for Unix - scanner daemon
>> ii  clamav-freshclam  0.95.3+dfsg-1~volatile1 anti-virus
>> utility for Unix - virus database
>> ii  libclamav60.95.3+dfsg-1~volatile1 anti-virus
>> utility for Unix - library
>> 
>> lxhv1m02:~# ps -eaf| grep clam
>> clamav2926 1  0  2009 ?00:01:49 /usr/bin/freshclam -d
>> --quiet
>> clamav   16517 1  1 Apr21 ?00:12:39 /usr/sbin/clamd
>> root 25902 23655  0 08:58 pts/100:00:00 grep clam
>> 
>> lxhv1m02:~# grep ctl /etc/amavis/conf.d/15-av_scanners
>>\&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],
>> 
>> lxhv1m02:~# grep ctl /etc/clamav/clamd.conf
>> LocalSocket /var/run/clamav/clamd.ctl
>> 
>> Looks good to me...any ideas left?
>> 
>> /Thomas
>> 
>> 
> 

Hi, the attachment should be listed as "logging.TXT" under the following link:
http://old.nabble.com/clamav-daemon-didn%27t-recognise-attached-virus-to28288042.html#a28288042
direct link:
http://old.nabble.com/file/p28288042/logging.TXT

Scanning the msg gives me the same output:

lxhv1m02:~# clamdscan "/tmp/UPS Delivery Problem NR 09045..msg"
WARNING: Ignoring deprecated option ArchiveLimitMemoryUsage at line 12
WARNING: Ignoring deprecated option ArchiveLimitMemoryUsage at line 12
/tmp/UPS Delivery Problem NR 09045..msg: Suspect.Bredozip-zippwd-5 FOUND

--- SCAN SUMMARY ---
Infected files: 1
Time: 0.102 sec (0 m 0 s)
lxhv1m02:~# clamscan "/tmp/UPS Delivery Problem NR 09045..msg"
LibClamAV Warning:
***
LibClamAV Warning: ***  This version of the ClamAV engine is outdated.
***
LibClamAV Warning: *** DON'T PANIC! Read http://www.clamav.net/support/faq
***
LibClamAV Warning:
***
/tmp/UPS Delivery Problem NR 09045..msg: Suspect.Bredozip-zippwd-5 FOUND

--- SCAN SUMMARY ---
Known viruses: 757668
Engine version: 0.95.3
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.06 MB (ratio 0.00:1)
Time: 2.137 sec (0 m 2 s)

lxhv1m02:~# tail /var/log/clamav/clamav.log
Thu Apr 22 08:15:07 2010 -> /tmp/UPS_invoice_4557.zip:
Suspect.Bredozip-zippwd-5 FOUND
Thu Apr 22 08:23:53 2010 ->
/var/lib/amavis/tmp/amavis-20100422T082307-19639/parts/p002:
Exploit.HTML.IFrame-8 FOUND
Thu Apr 22 08:23:53 2010 ->
/var/lib/amavis/tmp/amavis-20100422T082307-19639/parts/p003: Worm.NetSky-14
FOUND
Thu Apr 22 09:13:35 2010 -> SelfCheck: Database status OK.
Thu Apr 22 10:13:35 2010 -> SelfCheck: Database status OK.
Thu Apr 22 10:48:33 2010 -> Reading databases from /var/lib/clamav
Thu Apr 22 10:48:34 2010 -> Database correctly reloaded (757668 signatures)
Thu Apr 22 11:04:45 2010 ->
/var/lib/amavis/tmp/amavis-20100422T110144-19947/parts/p001:
HTML.Phishing.Bank-1272 FOUND
Thu Apr 22 11:13:35 2010 -> SelfCheck: Database status OK.
Thu Apr 22 11:45:19 2010 -> /tmp/UPS Delivery Problem NR 09045..msg:
Suspect.Bredozip-zippwd-5 FOUND

Thanks
Thomas


[Clamav-users] clamscan fails from mimedefang with large third-party databases

2010-04-22 Thread jef moskot
This might be a question for the mimedefang list, but I thought I'd try 
here first in case I'm missing something obviously related to clam.


I've had 0.95.3 running since it came out with no problems, but 0.96 
returns an error of 2 (which the man explains as "Some error(s) occured.") 
when mimedefang tries to run it with my default config.


It's using clamscan, which works fine from the command line.  If I go into 
my signature directory and move the largest of the databases away 
(SaneSecurity's "jurlbl.ndb", for example), it works fine.  When I move 
them back, I get the error code 2 again.  I didn't notice if specific 
databases were causing the problem, or if it was only when the total size 
topped a certain number.


(I've rolled back for the moment and am not in a good position to 
experiment right now, but I can test that later if necessary.)


I tried to add a "--debug", but I don't know where those messages go (yes, 
I know a question for the mimedefang guys) in that context.


But, anyway, do you guys have any clever suggestions?  Before you ask, I 
don't use clamdscan because I've never needed to, and it's been one less 
thing to go wrong, up until now anyway.


I suppose I should note that I got a number of compiler warnings during 
the make (see thread: "0.96 compile warnings on FreeBSD 7.1").  Things ran 
smoothly for a little while without the larger databases, but I'd rather 
not leave the system up without the phish database and such.


Jeffrey Moskot
System Administrator
j...@math.miami.edu


Re: [Clamav-users] clamav-daemon didn't recognise attached virus

2010-04-22 Thread Török Edwin
On 04/22/2010 10:24 AM, Török Edwin wrote:
>> lxhv1m02:~# grep ctl /etc/amavis/conf.d/15-av_scanners
>>\&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],

You need to tell amavis to pass the entire message to ClamAV, try:
$bypass_decode_parts = 1;

I think your amavis tried to decode the message, and pass only parts of
it to ClamAV.

Best regards,
--Edwin
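One way to check this diagnosis against clamd.log, as an added example (not from the thread, amavis or ClamAV): a detection whose path is an amavis parts/pNNN file was scanned as a decoded part, not as the whole message. The sample log is constructed from the lines quoted in this thread; classify_found and count_parts are names chosen here, and the "last ': ' separates path from signature" rule is an assumption about the log format.

```shell
#!/bin/sh
# Added example, not from the thread: classify clamd.log FOUND lines by
# whether clamd was handed a MIME part decoded by amavis or a whole object.
# Assumed log format, as in the thread: "<date> -> <path>: <Signature> FOUND".

# Constructed sample, shaped like the thread's clamav.log excerpt.
SAMPLE_LOG='Thu Apr 22 08:15:07 2010 -> /tmp/UPS_invoice_4557.zip: Suspect.Bredozip-zippwd-5 FOUND
Thu Apr 22 08:23:53 2010 -> /var/lib/amavis/tmp/amavis-20100422T082307-19639/parts/p002: Exploit.HTML.IFrame-8 FOUND
Thu Apr 22 09:13:35 2010 -> SelfCheck: Database status OK.
Thu Apr 22 11:04:45 2010 -> /var/lib/amavis/tmp/amavis-20100422T110144-19947/parts/p001: HTML.Phishing.Bank-1272 FOUND'

# classify_found: stdin = clamd.log; stdout = "<kind> <path> <signature>",
# kind being "part" for an amavis-decoded MIME part and "whole" otherwise.
classify_found() {
    awk '
        / FOUND$/ {
            sub(/^.* -> /, "")          # drop the timestamp prefix
            sub(/ FOUND$/, "")
            n = match($0, /: [^:]*$/)   # last ": " splits path and signature
            path = substr($0, 1, n - 1)
            sig  = substr($0, n + 2)
            kind = (path ~ /\/amavis-[^\/]*\/parts\/p[0-9]+$/) ? "part" : "whole"
            print kind, path, sig
        }'
}

# count_parts: stdin = clamd.log; stdout = "part=N whole=M".
# Mostly "part" means amavis is decoding and sending pieces, which is what
# $bypass_decode_parts = 1 changes.
count_parts() {
    classify_found | awk '{ c[$1]++ }
        END { printf "part=%d whole=%d\n", c["part"] + 0, c["whole"] + 0 }'
}

printf '%s\n' "$SAMPLE_LOG" | classify_found
```

On a live system, feed the real log instead: `count_parts < /var/log/clamav/clamav.log`.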


Re: [Clamav-users] Clubbing a deceased equine

2010-04-22 Thread Simon Hobson

Dennis Peterson wrote:


>> I believe that best practice with this sort of thing is to only issue
>> warnings and not to actually force a potentially harmful change without
>> *express* consent of the user.


> Suggest at least one way to inform all the users successfully that 
> obsolete software is going to die soon - and don't let it slip past 
> you in your solution that the ClamAV people have no way of knowing 
> who they need to inform. And recall too, this: Filling their logs 
> with warnings didn't work. Posting the notice on the front page of 
> their website didn't work. Running commentary in this list didn't 
> work. Announcing it in their Announcements list didn't work.


> You don't know a way, they don't know a way, and I know for a fact 
> it cannot be done


If you start with the pre-requisite that you must stop old versions 
working then you are correct. Remove that pre-requisite and you are 
not.


More than one suggestion has been made of how the team could have 
"just moved on" and left the old versions behind - without having to 
kill them. These suggestions have been rubbished for various (mostly 
false) reasons.


People keep saying it's the user/admin's fault, that the user/admin 
should take all the blame, and that the user/admin should suffer the 
consequences. Fair enough - how's this for a really odd idea - why not 
just stop providing AV updates to the older versions, and let the 
users/admins take the responsibility and consequences if they 
continue to ignore the warnings that updates have stopped working. If 
they ignore "things aren't working" errors then I'd agree with you - 
let them deal with it. I don't agree with the argument that "things 
are not optimal" is a warning to upgrade before things go bang.


--
Simon Hobson


Re: [Clamav-users] clamav-daemon didn't recognise attached virus

2010-04-22 Thread Török Edwin
On 04/22/2010 10:01 AM, Thomas Herzog wrote:
> 
> Amavis seems to be calling the clam daemon, it also finds some other
> exploits, viruses...
> /var/log/clamav/clamav.log:
> Thu Apr 22 08:15:07 2010 -> /tmp/UPS_invoice_4557.zip:
> Suspect.Bredozip-zippwd-5 FOUND

BTW attachments are automatically removed on this mailing list.

> Thu Apr 22 08:23:53 2010 ->
> /var/lib/amavis/tmp/amavis-20100422T082307-19639/parts/p002:
> Exploit.HTML.IFrame-8 FOUND
> Thu Apr 22 08:23:53 2010 ->
> /var/lib/amavis/tmp/amavis-20100422T082307-19639/parts/p003: Worm.NetSky-14
> FOUND
> 
> Here you can see (UPS_invoice_4557.zip) was recognized with manual
> scanning.

Is that the email, or the attachment? I guess it is the attachment.
Try scanning the email containing that attachment with
clamscan/clamdscan, and see if it is detected.

> 
> lxhv1m02:~# dpkg -l | grep clam
> ii  clamav0.95.3+dfsg-1~volatile1 anti-virus
> utility for Unix - command-line i
> ii  clamav-base   0.95.3+dfsg-1~volatile1 anti-virus
> utility for Unix - base package
> ii  clamav-daemon 0.95.3+dfsg-1~volatile1 anti-virus
> utility for Unix - scanner daemon
> ii  clamav-freshclam  0.95.3+dfsg-1~volatile1 anti-virus
> utility for Unix - virus database
> ii  libclamav60.95.3+dfsg-1~volatile1 anti-virus
> utility for Unix - library
> 
> lxhv1m02:~# ps -eaf| grep clam
> clamav2926 1  0  2009 ?00:01:49 /usr/bin/freshclam -d
> --quiet
> clamav   16517 1  1 Apr21 ?00:12:39 /usr/sbin/clamd
> root 25902 23655  0 08:58 pts/100:00:00 grep clam
> 
> lxhv1m02:~# grep ctl /etc/amavis/conf.d/15-av_scanners
>\&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],
> 
> lxhv1m02:~# grep ctl /etc/clamav/clamd.conf
> LocalSocket /var/run/clamav/clamd.ctl
> 
> Looks good to me...any ideas left?
> 
> /Thomas
> 
> 



Re: [Clamav-users] clamav-daemon didn't recognise attached virus

2010-04-22 Thread Thomas Herzog
Rob MacGregor wrote:
> 
> On Thu, Apr 22, 2010 at 07:16, Thomas Herzog 
> wrote:
>>
>> Thanks for your reply, just to get this right.
>> The virus is detected by the binaries clamdscan or clamscan, but not by
>> the
>> daemon called through amavis -> see the attachment of my first post.
> 
> Then you have a problem with the way Amavis is calling ClamAV.  The
> few lines in that log file aren't sufficient to identify the cause of
> the problem.
> 
> Amongst other things, check that you don't have multiple copies of
> ClamAV installed and that Amavis isn't running one while you're
> manually running a different one.
> 
> -- 
>  Please keep list traffic on the list.
> 
> Rob MacGregor
>   Whoever fights monsters should see to it that in the process he
> doesn't become a monster.  Friedrich Nietzsche

Amavis seems to be calling the clam daemon, it also finds some other
exploits, viruses...
/var/log/clamav/clamav.log:
Thu Apr 22 08:15:07 2010 -> /tmp/UPS_invoice_4557.zip:
Suspect.Bredozip-zippwd-5 FOUND
Thu Apr 22 08:23:53 2010 ->
/var/lib/amavis/tmp/amavis-20100422T082307-19639/parts/p002:
Exploit.HTML.IFrame-8 FOUND
Thu Apr 22 08:23:53 2010 ->
/var/lib/amavis/tmp/amavis-20100422T082307-19639/parts/p003: Worm.NetSky-14
FOUND

Here you can see (UPS_invoice_4557.zip) was recognized with manual
scanning.

lxhv1m02:~# dpkg -l | grep clam
ii  clamav0.95.3+dfsg-1~volatile1 anti-virus
utility for Unix - command-line i
ii  clamav-base   0.95.3+dfsg-1~volatile1 anti-virus
utility for Unix - base package
ii  clamav-daemon 0.95.3+dfsg-1~volatile1 anti-virus
utility for Unix - scanner daemon
ii  clamav-freshclam  0.95.3+dfsg-1~volatile1 anti-virus
utility for Unix - virus database
ii  libclamav60.95.3+dfsg-1~volatile1 anti-virus
utility for Unix - library

lxhv1m02:~# ps -eaf| grep clam
clamav2926 1  0  2009 ?00:01:49 /usr/bin/freshclam -d
--quiet
clamav   16517 1  1 Apr21 ?00:12:39 /usr/sbin/clamd
root 25902 23655  0 08:58 pts/100:00:00 grep clam

lxhv1m02:~# grep ctl /etc/amavis/conf.d/15-av_scanners
   \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],

lxhv1m02:~# grep ctl /etc/clamav/clamd.conf
LocalSocket /var/run/clamav/clamd.ctl

Looks good to me...any ideas left?

/Thomas


