[clamav-users] File monitoring

2013-04-25 Thread Frans de Boer
Some years ago the usability of Dazuko ended and it was not further 
maintained because of the promise of "fanotify". Now, several years 
later, ClamAV is still offering support for dysfunctional software and 
no usable substitute for real-time file monitoring.


I understood - from Thomasz - that the maintainer of fanotify does not 
in fact maintain this anymore which means that the software will/must be 
removed from the mainstream kernel in due time.


However, a real-time file monitor with malware scanning capabilities is 
very much appreciated. Does the ClamAV team have any concrete plans in 
that direction?


Regards,
Frans de Boer.
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


[clamav-users] New key?

2013-04-25 Thread Bowie Bailey
ClamAV 0.97.8 is apparently being signed with a new key.  Where can I 
find the new gpg key?


--
Bowie


Re: [clamav-users] New key?

2013-04-25 Thread Nigel Houghton

On Apr 25, 2013, at 11:23 AM, Bowie Bailey  wrote:

> ClamAV 0.97.8 is apparently being signed with a new key.  Where can I find 
> the new gpg key?


 http://pgp.mit.edu:11371/pks/lookup?search=Sourcefire+VRT&op=index

--
Nigel Houghton
Head Mentalist, Time Lord
SF VRT Department of Intelligence Excellence
http://vrt-blog.snort.org/ && http://labs.snort.org/



Re: [clamav-users] New key?

2013-04-25 Thread Bowie Bailey

On 4/25/2013 12:21 PM, Nigel Houghton wrote:
> On Apr 25, 2013, at 11:23 AM, Bowie Bailey  wrote:
>
>> ClamAV 0.97.8 is apparently being signed with a new key.  Where can I find the
>> new gpg key?
>
>  http://pgp.mit.edu:11371/pks/lookup?search=Sourcefire+VRT&op=index


Perfect.  Thank you!

--
Bowie


[clamav-users] Clamav gets Permission denied when scanning for Maia mailguard

2013-04-25 Thread Kim Johansen

Hey,

I am setting up a Maia mailguard system with ClamAV for virus scanning.

I'm getting these in my logfile:
clamav.log
Thu Apr 18 18:13:40 2013 -> WARNING: lstat() failed on: /var/amavisd/tmp/amavis-20130403T221718-26913
Thu Apr 18 18:13:52 2013 -> WARNING: lstat() failed on: /var/amavisd/tmp/amavis-20130418T181352-01899/parts
Thu Apr 18 18:13:53 2013 -> WARNING: lstat() failed on: /var/amavisd/tmp/amavis-20130403T221718-26913
Thu Apr 18 18:15:08 2013 -> WARNING: lstat() failed on: /var/amavisd/tmp/amavis-20130403T221718-26913
Thu Apr 18 18:15:52 2013 -> WARNING: lstat() failed on: /var/amavisd/tmp/amavis-20130403T221718-26913

I have configured ClamAV to run as amavis:
mail ~ $ ps uax |grep amavis
amavis    1292  0.0  4.7 393792 194180 ?  Ssl  18:12   0:00 /usr/sbin/clamd
amavis    1405  0.4  0.0  39848   1904 ?  Ss   18:12   0:01 /usr/bin/freshclam -d --quiet
amavis    1896  0.3  2.0 205400  83232 ?  Ss   18:13   0:01 amavisd (master)
amavis    1899  0.0  2.1 285688  85184 ?  S    18:13   0:00 amavisd (ch1-avail)
amavis    1900  0.0  2.0 206680  81848 ?  S    18:13   0:00 amavisd (virgin child)

And if I run the scan manually with clamdscan it shows the error:
amavis@mail:~$ clamdscan /var/amavisd/tmp/amavis-20130403T221718-26913/
/var/amavisd/tmp/amavis-20130403T221718-26913: lstat() failed: Permission denied. ERROR

--- SCAN SUMMARY ---
Infected files: 0
Total errors: 1
Time: 0.000 sec (0 m 0 s)

But if I run clamscan manually as the amavis user (the same user clamd is 
running as) it works fine:

amavis@mail:~$ clamscan /var/amavisd/tmp/amavis-20130403T221718-26913/
/var/amavisd/tmp/amavis-20130403T221718-26913/email.txt: OK
--- SCAN SUMMARY ---
Known viruses: 2163386
Engine version: 0.97.7
Scanned directories: 1
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 6.011 sec (0 m 6 s)
amavis@mail:~$



Here is the configuration file for ClamAV
mail ~ $ cat /etc/clamav/clamd.conf
#Automatically Generated by clamav-base postinst
#To reconfigure clamd run #dpkg-reconfigure clamav-base
#Please read /usr/share/doc/clamav-base/README.Debian.gz for details
LocalSocket /var/run/clamav/clamd.ctl
FixStaleSocket true
#LocalSocketGroup clamav
LocalSocketGroup amavis
LocalSocketMode 666
# TemporaryDirectory is not set to its default /tmp here to make overriding
# the default with environment variables TMPDIR/TMP/TEMP possible
#User clamav
User amavis
AllowSupplementaryGroups true
ScanMail true
ScanArchive true
ArchiveBlockEncrypted false
MaxDirectoryRecursion 15
FollowDirectorySymlinks false
FollowFileSymlinks false
ReadTimeout 180
MaxThreads 12
MaxConnectionQueueLength 15
LogSyslog false
LogFacility LOG_LOCAL6
LogClean false
LogVerbose false
PidFile /var/run/clamav/clamd.pid
DatabaseDirectory /var/lib/clamav
SelfCheck 3600
Foreground false
Debug false
ScanPE true
ScanOLE2 true
ScanHTML true
DetectBrokenExecutables false
ExitOnOOM false
LeaveTemporaryFiles false
AlgorithmicDetection true
ScanELF true
IdleTimeout 30
PhishingSignatures true
PhishingScanURLs true
PhishingAlwaysBlockSSLMismatch false
PhishingAlwaysBlockCloak false
DetectPUA false
ScanPartialMessages false
HeuristicScanPrecedence false
StructuredDataDetection false
CommandReadTimeout 5
SendBufTimeout 200
MaxQueue 100
ExtendedDetectionInfo true
OLE2BlockMacros false
StreamMaxLength 50M
LogFile /var/log/clamav/clamav.log
LogTime true
LogFileUnlock false
LogFileMaxSize 0
Bytecode true
BytecodeSecurity TrustSigned
BytecodeTimeout 6
OfficialDatabaseOnly false
CrossFilesystems true



Generally, the amavis user has RWX rights on all the folders except for 
the /var folder.


Anyone have any ideas?

--
Kim


Re: [clamav-users] Clamav gets Permission denied when scanning for Maia mailguard

2013-04-25 Thread David Raynor
On Thu, Apr 25, 2013 at 4:41 PM, Kim Johansen  wrote:

> Hey,
>
> I am setting up a Maia mailguard system with ClamAV for virus scanning.
>
> I'm getting these in my logfile:
> clamav.log
> Thu Apr 18 18:13:40 2013 -> WARNING: lstat() failed on: /var/amavisd/tmp/amavis-20130403T221718-26913
> [...]
> And if I run the scan manually with clamdscan it shows the error:
> amavis@mail:~$ clamdscan /var/amavisd/tmp/amavis-20130403T221718-26913/
> /var/amavisd/tmp/amavis-20130403T221718-26913: lstat() failed: Permission denied. ERROR
> [...]
> Anyone have any ideas?
>
> --
> Kim

Kim,

1) Make sure that clamd has been restarted. (And amavisd, for that matter.)
2) Are you running SELinux or AppArmor or something like that?

Dave R.

-- 
---
Dave Raynor
Sourcefire Vulnerability Research Team
dray...@sourcefire.com


Re: [clamav-users] Clamav gets Permission denied when scanning for Maia mailguard

2013-04-25 Thread Kim Johansen

On 2013-04-25 23:14, David Raynor wrote:

> On Thu, Apr 25, 2013 at 4:41 PM, Kim Johansen  wrote:
>
>> [...]
>
> Kim,
>
> 1) Make sure that clamd has been restarted. (And amavisd, for that matter.)
> 2) Are you running SELinux or AppArmor or something like that?
>
> Dave R.


Thanks Dave,

AppArmor is my problem; looks like it is time to sit down and read about it.


Kim
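
Added example, not from this thread and not part of ClamAV or Maia: given that AppArmor turned out to be the cause, this is how one would confirm it from the kernel/audit log and derive the smallest profile addition that lets the confined clamd reach amavis' work directory, instead of switching the profile to complain mode or disabling it. The symptoms match: clamscan run by the same uid works because an unconfined process is bound only by file permissions, while clamd is bound by its profile on top of them, and AppArmor denials surface as EACCES, which clamd reports as "lstat() failed: Permission denied". The profile name /usr/sbin/clamd, the local-override file path and the base directory /var/amavisd/tmp are assumptions about a Debian-style layout; the log lines in SAMPLE_LOG are constructed in AppArmor's audit format with path names mirroring those in Kim's clamav.log.

```shell
#!/bin/sh
# Added example (not from the thread or the ClamAV project).
# Turn AppArmor DENIED events for one profile into the minimal rule lines
# that would allow them, so a confined clamd can be given access to the
# amavis work directory without putting the whole profile into complain mode.
#
# Assumptions (not stated on the page): clamd is confined by a profile named
# /usr/sbin/clamd, and the directory amavis hands to clamd is /var/amavisd/tmp.
# On a real system the lines come from `journalctl -k`, /var/log/kern.log or
# /var/log/audit/audit.log; SAMPLE_LOG below is constructed in that format.

# apparmor_denials PROFILE
# Read log lines on stdin, keep only DENIED events for PROFILE and print
# "path requested_mask" pairs, one per line, de-duplicated. ALLOWED lines
# (complain mode) and other profiles are ignored. Paths containing spaces
# are not handled (read(1) in suggest_rules would split them).
apparmor_denials() {
    grep 'apparmor="DENIED"' | grep "profile=\"$1\"" |
        sed -n 's/.*name="\([^"]*\)".*requested_mask="\([^"]*\)".*/\1 \2/p' |
        LC_ALL=C sort -u
}

# suggest_rules PROFILE BASEDIR
# Print AppArmor rule lines for the denials. Anything under BASEDIR collapses
# to one "BASEDIR/** mask," rule plus read access to BASEDIR itself (amavis
# creates a fresh amavis-<timestamp>-<pid> directory per message, so listing
# individual paths would never converge). Paths outside BASEDIR are printed
# as-is for manual review. Masks are copied from the log and must be reviewed
# before use: a logged "c" (create), for instance, becomes "w" in a rule.
suggest_rules() {
    profile=$1
    base=$2
    apparmor_denials "$profile" | while read -r name mask; do
        case "$name" in
        "$base"/*)
            printf '  %s/ r,\n' "$base"
            printf '  %s/** %s,\n' "$base" "$mask"
            ;;
        *)
            printf '  %s %s,\n' "$name" "$mask"
            ;;
        esac
    done | LC_ALL=C sort -u
}

# Constructed sample: two denials for clamd on paths mirroring the ones in
# Kim's clamav.log, one complain-mode (ALLOWED) line and one denial for a
# different profile, both of which must be ignored.
SAMPLE_LOG='type=1400 audit(1366301620.123:45): apparmor="DENIED" operation="getattr" profile="/usr/sbin/clamd" name="/var/amavisd/tmp/amavis-20130403T221718-26913/" pid=1292 comm="clamd" requested_mask="r" denied_mask="r" fsuid=112 ouid=112
type=1400 audit(1366301632.001:46): apparmor="DENIED" operation="open" profile="/usr/sbin/clamd" name="/var/amavisd/tmp/amavis-20130418T181352-01899/parts/p001" pid=1292 comm="clamd" requested_mask="r" denied_mask="r" fsuid=112 ouid=112
type=1400 audit(1366301640.000:47): apparmor="ALLOWED" operation="open" profile="/usr/sbin/clamd" name="/var/amavisd/tmp/amavis-20130418T181352-01899/parts/p002" pid=1292 comm="clamd" requested_mask="r" denied_mask="r" fsuid=112 ouid=112
type=1400 audit(1366301650.000:48): apparmor="DENIED" operation="open" profile="/usr/sbin/freshclam" name="/etc/clamav/freshclam.conf" pid=1405 comm="freshclam" requested_mask="r" denied_mask="r" fsuid=112 ouid=0'

# Stand-alone run: print the lines that would go into the local profile
# addition (/etc/apparmor.d/local/usr.sbin.clamd on Debian-style layouts),
# to be followed by: apparmor_parser -r /etc/apparmor.d/usr.sbin.clamd
printf '%s\n' "$SAMPLE_LOG" | suggest_rules /usr/sbin/clamd /var/amavisd/tmp
```

Run against the sample it prints `/var/amavisd/tmp/ r,` and `/var/amavisd/tmp/** r,`. Read access is all clamd needs for scanning; if amavis later hands it archives that clamd must unpack, the temporary-file denials will show up in the same log under clamd's TemporaryDirectory and can be added the same way. Check the profile's mode with `aa-status` before and after: the goal is a profile still in enforce mode with one extra rule, not a clamd that runs unconfined.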


Re: [clamav-users] ClamAV 0.97.8 has been released!

2013-04-25 Thread Sergey
On Friday 26 of April 2013 02:08:49 Sergey wrote:
 
> Which public key from http://www.clamav.net/gpg/ should be used ?

Sorry, I found the message about 
http://pgp.mit.edu:11371/pks/lookup?search=Sourcefire+VRT&op=index

-- 
Regards, Sergey


Re: [clamav-users] ClamAV 0.97.8 has been released!

2013-04-25 Thread Sergey
On Tuesday 23 of April 2013 14:12:18 Joel Esler wrote:

> > http://sourceforge.net/projects/clamav/files/clamav/0.97.8/clamav-0.97.8.tar.gz.sig/download
> 
> Sorry about that, I had it right in my post, but when the email went out, it 
> didn't take.

Hm...

$ gpg --verify clamav-0.97.8.tar.gz.sig
gpg: Signature made Thu Apr 18 00:19:53 2013 SAMT using DSA key ID 64221D53
gpg: Can't check signature: public key not found

Which public key from http://www.clamav.net/gpg/ should be used ?

vrt.gpg 13-Jun-2012 21:02   2.5K

gpg: key 15497F03: public key "Sourcefire VRT (Sourcefire VRT GPG Key) " imported

-- 
Regards, Sergey
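
An added example that is not part of the thread and not ClamAV's or the VRT's own tooling, covering the "New key?" question and Sergey's "public key not found" output above. The security point both threads skirt is that once the release-signing key changes, fetching "Sourcefire VRT" from a public keyserver proves nothing: anyone can upload a key with that user ID, and an 8-hex-digit short key ID can be collided, so the key has to be matched by full fingerprint against something already trusted (a fingerprint published on clamav.net, or a certification by the previous VRT key visible in `gpg --check-sigs`) before `gpg --verify` saying "Good signature" means anything. This POSIX shell wrapper pins that fingerprint and reads gpg's machine-readable status lines instead of its human-readable text. The only identifier taken from the page is 64221D53, the key ID gpg reported for the 0.97.8 signature; the fingerprint is an argument you supply, and the 40-digit value in the test is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example (not from the thread or the ClamAV project).
# Verify a ClamAV release tarball against its detached .sig and accept the
# result only if the signing key matches a fingerprint pinned in advance.
# The 0.97.8 tarball was signed with key ID 64221D53 (per the gpg output in
# the thread); a short ID like that identifies nothing securely, so the
# pinned value must be the full 40-hex-digit fingerprint, obtained and
# cross-checked out of band. It is taken as an argument, never guessed here.

# check_gpg_status EXPECTED_FPR
# Reads "gpg --status-fd 1" machine-readable output on stdin. Returns 0 only
# if a VALIDSIG line names EXPECTED_FPR, either as the signing key or as the
# primary key it belongs to. Explains NO_PUBKEY / BADSIG / ERRSIG on stderr.
check_gpg_status() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
    ok=1
    while IFS= read -r line; do
        case "$line" in
        "[GNUPG:] VALIDSIG "*)
            # Fields: [GNUPG:] VALIDSIG <fpr> <date> <sig-ts> <expire-ts>
            #   <ver> <reserved> <pk-algo> <hash-algo> <class> [<primary-fpr>]
            set -- $line
            if [ "$3" = "$expected" ] || [ "${12:-}" = "$expected" ]; then
                ok=0
            else
                echo "signature is valid but made by $3, not the pinned key" >&2
            fi
            ;;
        "[GNUPG:] NO_PUBKEY "*)
            set -- $line
            echo "signed by key $3, which is not in the keyring; fetch it and" >&2
            echo "compare its full fingerprint with the pinned value before importing" >&2
            ;;
        "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*)
            echo "signature did not verify: $line" >&2
            ;;
        esac
    done
    return $ok
}

# verify_release TARBALL SIGFILE EXPECTED_FPR
# --status-fd 1 puts the status lines on stdout; gpg's human-readable
# output goes to stderr and is discarded here.
verify_release() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null | check_gpg_status "$3"
}

# Usage: verify_release.sh clamav-0.97.8.tar.gz clamav-0.97.8.tar.gz.sig <FINGERPRINT>
if [ $# -eq 3 ]; then
    if verify_release "$1" "$2" "$3"; then
        echo "OK: $1 is signed by the pinned key"
    else
        echo "FAILED: do not unpack $1" >&2
        exit 1
    fi
fi
```

To obtain the key in the first place, `gpg --keyserver pgp.mit.edu --recv-keys 64221D53` followed by `gpg --fingerprint 64221D53` gives you a fingerprint to compare; only after it matches the trusted value does it become the third argument to this script. Checking `VALIDSIG` rather than the exit status also catches the case gpg reports as "Good signature" from a key that happens to be in your keyring but is not the one you meant.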