Re: [clamav-users] Basic newbie question

2012-05-04 Thread stagni
On Fri, May 04, 2012 at 07:39:39AM -0700, Mr. Eddie Jackson wrote:

> Is anything happening to the viruses that clamav (and amavis) is finding?
If you set Amavis to quarantine them, look into Amavis' home (in Debian it
is "/var/lib/amavis").

gc :-)

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Re: [clamav-users] Basic newbie question

2012-05-04 Thread Pierre Dehaen
Hi Eddie,

I'm not running debian squeeze but, from your question, I guess you are
using clamav for scanning emails with the help of amavis. So it is not a
question of scanning files and directories on the disk.

In this case (emails), it is probably in the amavis configuration that
you will find your answer: clamav just tells the file is infected and
amavis decides what to do with it and with the email.
Look for instance at the following page:


HTH
Pierre

On 4 May 2012 at 7:39, Mr. Eddie Jackson wrote:

> Please answer this simple basic newbie webmaster question. I have spent hours
> and read the entire clamav manual and it is not answered.
> 
> I simply need to know if clamav deletes or quarantines viruses it finds in a 
> default debian squeeze apache2 general web/mail/db etc server?
> 
> I am seeing lots of viruses, trojans and mail viruses "FOUND" in the logs, 
> but no indication whatsoever that clamav (or amavis) is deleting or 
> quarantining them.
> 
> When I look at /etc/clamav/, both the
> 
> /onerrorexecute.d/  and the 
> 
> /virusevent.d/  sub-directories are empty. 
> 
> Is anything happening to the viruses that clamav (and amavis) is finding?
> 
> Thank you.
> 
> Newbie webmaster who can't afford a real one.





Re: [clamav-users] Basic newbie question

2012-05-04 Thread Bowie Bailey
On 5/4/2012 10:39 AM, Mr. Eddie Jackson wrote:
> Please answer this simple basic newbie webmaster question. I have spent hours
> and read the entire clamav manual and it is not answered.
>
> I simply need to know if clamav deletes or quarantines viruses it finds in a 
> default debian squeeze apache2 general web/mail/db etc server?
>
> I am seeing lots of viruses, trojans and mail viruses "FOUND" in the logs, 
> but no indication whatsoever that clamav (or amavis) is deleting or 
> quarantining them.
>
> When I look at /etc/clamav/, both the
>
> /onerrorexecute.d/  and the 
>
> /virusevent.d/  sub-directories are empty. 
>
> Is anything happening to the viruses that clamav (and amavis) is finding?

ClamAV is simply a scanner.  It reports that a message contains a virus
and that's all.

Amavis is probably what is doing the quarantining or deleting.  You
would need to look at the Amavis settings to see what it is doing.  I
think it quarantines by default, but I'm not sure.

If you are using Amavis, you should see something like this in the log:

May  4 11:24:31 mailserver amavis[10587]: (10587-14) Blocked INFECTED
(Sanesecurity.Spam.11428.Dom.UNOFFICIAL), AM-SOCK
[:::216.117.128.143] [216.117.128.143] 
-> , quarantine: virus-jq6q66j9SEuS, Queue-ID:
0015804D.4FA3F4AE.4564, Message-ID:
<004e01c4288f$3de11c91$f0b803cf@levitra-pro@inacap.cl>, mail_id:
jq6q66j9SEuS, Hits: -, 152 ms

Try asking on the Amavis mailing list.  They should be able to tell you
where all the settings are.

http://lists.amavis.org/cgi-bin/mailman/listinfo/amavis-users

-- 
Bowie
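
An added example, not part of the original post: one way to answer "is anything happening to the viruses" from the Amavis log is to pull the action and quarantine ID out of each INFECTED entry. The sample lines are constructed in the format of the entry quoted above, and treating "Passed INFECTED" as delivered is an assumption of this sketch.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the log entry quoted above
# (host name, addresses, signature names and IDs are made up).
SAMPLE_LOG = """\
May  4 11:24:31 mailserver amavis[10587]: (10587-14) Blocked INFECTED (Example.Sig.One.UNOFFICIAL), [192.0.2.10] <a@example.org> -> <b@example.net>, quarantine: virus-AAAAAAAAAAAA, Queue-ID: 0001, mail_id: AAAAAAAAAAAA, Hits: -, 152 ms
May  4 11:25:02 mailserver amavis[10587]: (10587-15) Passed CLEAN, [192.0.2.11] <c@example.org> -> <b@example.net>, Queue-ID: 0002, mail_id: BBBBBBBBBBBB, Hits: 0.1, 840 ms
May  4 11:26:40 mailserver amavis[10590]: (10590-02) Passed INFECTED (Example.Sig.Two), [192.0.2.12] <d@example.org> -> <b@example.net>, Queue-ID: 0003, mail_id: CCCCCCCCCCCC, Hits: -, 97 ms
May  4 11:27:15 mailserver amavis[10590]: (10590-03) Blocked INFECTED (Example.Sig.One.UNOFFICIAL), [192.0.2.13] <e@example.org> -> <b@example.net>, Queue-ID: 0004, mail_id: DDDDDDDDDDDD, Hits: -, 101 ms
"""

# "<action> INFECTED (<signature>)" as it appears in the quoted entry.
ENTRY = re.compile(r"amavis\[\d+\]: \([\d-]+\) (?P<action>Blocked|Passed) INFECTED"
                   r" \((?P<sig>[^)]*)\)")
QUARANTINE = re.compile(r"quarantine: (?P<q>[^,\s]+)")
MAIL_ID = re.compile(r"mail_id: (?P<id>[^,\s]+)")

def infected_entries(log_text):
    """Return one dict per INFECTED entry; clean mail is skipped."""
    found = []
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue
        q, mid = QUARANTINE.search(line), MAIL_ID.search(line)
        found.append({"action": m["action"], "signature": m["sig"],
                      "quarantine": q["q"] if q else None,
                      "mail_id": mid["id"] if mid else None})
    return found

def summarize(entries):
    """Count what happened to infected mail (assumption: Passed == delivered)."""
    counts = Counter()
    for e in entries:
        if e["action"] == "Passed":
            counts["delivered"] += 1
        elif e["quarantine"]:
            counts["blocked_quarantined"] += 1
        else:
            counts["blocked_not_stored"] += 1
    return dict(counts)

if __name__ == "__main__":
    for entry in infected_entries(SAMPLE_LOG):
        print(entry)
    print(summarize(infected_entries(SAMPLE_LOG)))
```

A nonzero "delivered" or "blocked_not_stored" count is the cue to review the Amavis settings, as suggested above.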


[clamav-users] Basic newbie question

2012-05-04 Thread Mr. Eddie Jackson
Please answer this simple basic newbie webmaster question. I have spent hours
and read the entire clamav manual and it is not answered.

I simply need to know if clamav deletes or quarantines viruses it finds in a 
default debian squeeze apache2 general web/mail/db etc server?

I am seeing lots of viruses, trojans and mail viruses "FOUND" in the logs, but 
no indication whatsoever that clamav (or amavis) is deleting or quarantining 
them.

When I look at /etc/clamav/, both the

/onerrorexecute.d/  and the 

/virusevent.d/  sub-directories are empty. 

Is anything happening to the viruses that clamav (and amavis) is finding?

Thank you.

Newbie webmaster who can't afford a real one.


[clamav-users] Solved: False positive submission page down (for a few days now)?

2012-05-04 Thread Ralf Hildebrandt
> Could you PLEASE check the server's logs?

I solved it. Your server doesn't like the "X-Forwarded-For: unknown" header!
See http://www.squid-cache.org/Doc/config/forwarded_for/

On our squids it was set to:
forwarded_for off
which results in 

"X-Forwarded-For: unknown"

and a subsequent error page from varnish. Setting it to "delete", "on"
or "truncate" makes the page http://cgi.clamav.net/sendfp.cgi work
again. Only "off" causes the page to fail.

-- 
Ralf Hildebrandt   Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.de   Campus Benjamin Franklin
http://www.charite.de  Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155

Re: [clamav-users] False positive submission page down (for a few days now)?

2012-05-04 Thread Ralf Hildebrandt
* Luca Gibelli :

> Most likely your proxy is issuing a HTTP/1.0 request upstream?

Could you PLEASE check the server's logs?

We're definitely sending HTTP/1.1 requests with all the headers, see
below:

output from tcpdump:

GET /sendfp.cgi HTTP/1.1
Host: cgi.clamav.net
Pragma: no-cache
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.19 (KHTML, like Gecko) Ubuntu/12.04 Chromium/18.0.1025.168 Chrome/18.0.1025.168 Safari/535.19
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: de,en;q=0.8,en-US;q=0.6
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=165234925.7124351.1326790435.1336028009.1336053668.11; __utmz=165234925.1326790435.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
Via: 1.1 proxy-cbf-1 (squid/3.1.19-20120418-r10444)
X-Forwarded-For: unknown
Cache-Control: max-age=0
Connection: keep-alive

answer:

HTTP/1.1 503 Service Unavailable
Server: Varnish
Content-Type: text/html; charset=utf-8
Retry-After: 5
Content-Length: 284
Accept-Ranges: bytes
Date: Fri, 04 May 2012 10:29:21 GMT
X-Varnish: 221993613
Age: 0
Via: 1.1 varnish
Connection: close

-- 
Ralf Hildebrandt   Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.de   Campus Benjamin Franklin
http://www.charite.de  Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155

Re: [clamav-users] False positive submission page down

2012-05-04 Thread Ralf Hildebrandt
* G.W. Haywood :

> Mr. Hildebrandt, you are being unreasonable.
> 
> The problem has been clearly explained to you, and it is your problem
> to solve.  You must not expect people who are managing a Web resource
> which may have many thousands of clients to solve problems for every
> individual client.  It "does not scale".  It cannot be done.
> 
> You need to access the Website using HTTP/1.1 not the old HTTP/1.0.

I did that.

> You need to ensure that the client requesting the resources tells the
> host which virtual host it wishes to contact.  That is the purpose of
> the "Host:" header.

It does that.

Only from a very limited IP address range I'm getting this
"Maintenance" error message. Thus my reasonable request to check the
server's logs.

> If your client does not send the correct headers, the software which
> receives the requests cannot pass them to the right server instance
> because your client has not told it which one it wants to talk to.

It's not a client issue. It depends on my source IP.

-- 
Ralf Hildebrandt   Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.de   Campus Benjamin Franklin
http://www.charite.de  Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155

Re: [clamav-users] False positive submission page down

2012-05-04 Thread G.W. Haywood

Hi there,

On Fri, 4 May 2012, Ralf Hildebrandt wrote:

> * Luca Gibelli :
>
> > > $ telnet proxy.charite.de 8080
> > > Trying 141.42.1.205...
> > > Connected to proxy.charite.de.
> > > Escape character is '^]'.
> > > GET http://cgi.clamav.net/sendfp.cgi HTTP/1.0
> >
> > we use name based virtual hosting, you must switch to HTTP/1.1 and
> > send a Host: header as well
> >
> > See http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html and
> > http://www8.org/w8-papers/5c-protocols/key/key.html
> >
> > Most likely your proxy is issuing a HTTP/1.0 request upstream?
>
> It's still not working and unfortunately your admin is not willing to
> check the logs to see what's being logged for my source IP.

Mr. Hildebrandt, you are being unreasonable.

The problem has been clearly explained to you, and it is your problem
to solve.  You must not expect people who are managing a Web resource
which may have many thousands of clients to solve problems for every
individual client.  It "does not scale".  It cannot be done.

You need to access the Website using HTTP/1.1 not the old HTTP/1.0.
You need to ensure that the client requesting the resources tells the
host which virtual host it wishes to contact.  That is the purpose of
the "Host:" header.

If your client does not send the correct headers, the software which
receives the requests cannot pass them to the right server instance
because your client has not told it which one it wants to talk to.

8<
laptop:~$ >>> wget --no-proxy http://cgi.clamav.net/sendfp.cgi
--2012-05-04 11:14:46--  http://cgi.clamav.net/sendfp.cgi
Resolving cgi.clamav.net... 194.109.142.194
Connecting to cgi.clamav.net|194.109.142.194|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2474 (2.4K) [text/html]
Saving to: `sendfp.cgi'

100%[=== ... =>] 2,474   --.-K/s   in 0.005s

2012-05-04 11:14:46 (502 KB/s) - `sendfp.cgi' saved [2474/2474]
8<

--

73,
Ged.