Re: [clamav-users] clamav-milter: Failed to create temporary file
"4.7.1 Service unavailable" message to the client.

On 22.08.2014 09:57, Matus UHLAR - fantomas wrote:

This should not be a big issue, since the remote clients can resend in a while. It only makes troubles for end-users.

On 22.08.14 10:22, Urban Loesch wrote:

The milter is only active on my incoming server. No problems with endusers, they are sending through another outgoing server. As I just said in my first post. Not a big problem, but not very nice to see :-)

how many mail per day? I haven't seen this message yet...

none tmpfs 1,0G 0 1,0G 0% /tmp

what's the TemporaryDirectory setting in clamav-milter.conf?

/tmp

But for being secure that the ramdisk isn't the problem I moved it out of it to another temp directory (/var/tmp).

should not make the problem better, maybe even worse (/var/tmp is not on ramdisk and does not get cleaned on boot)

I think the ramdisk is not the problem, because the error comes up also without the ramdisk involved.

precisely.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
WinError #98652: Operation completed successfully.
___
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/support/ml
Re: [clamav-users] false positive sample
On Aug 25, 2014, at 12:56 PM, G.W. Haywood <cla...@jubileegroup.co.uk> wrote:

Hi there,

On Mon, 25 Aug 2014, it was difficult to figure out who wrote:

Good thing I only use Linux now, where the effectiveness of antivirus software isn't too important. I just wish ClamAV developers were more attentive to their product, which they haven't been since Cisco bought Sourcefire.

I’d disagree here. In fact, we’ve only added to the team since the Cisco purchase. ...

There's a distinction between adding to the team and improving it. Seems to me I've been reading the same old complaints here on the ClamAV mailing list for years now.

Please remember that ClamAV is an open source product. Anyone from the community may take the engine we build, write their own signatures for malware and push them out. We’d love it if people push them to us (hence why the community signatures mailing list exists), so the whole community can take advantage of them, heck, we’d love it if Sanesecurity would like to participate with us and push the rules they have out via the official update mechanism, it only serves to help the whole community instead of fragmenting it. We’ll work with anyone to make sure the proper credit is given.

However, despite our many attempts to get people to contribute back to the project they get for free, only a handful of submitters do. We are grateful for each and everyone that uses our software, and even more grateful for those of you that want to give back to the community as a whole, but we’d love it if more did.

Good job I only use ClamAV because of the third party databases like Sanesecurity. And it would *really* help if the people who use this list learn how to write to mailing lists.

I’m not going to be “strict mailing list guy” on here. Despite our repeated attempts, there are people that aren’t going to be able to, nor do they want to do things like inline or bottom post, and you know what? I’m not going to stress over it.

I’m a realist, I know I’m not going to be the mailing list police and get my blood pressure up, over what is really, just a form of communication. I don’t need that undue stress in my life. What am I going to do? Start banning people for top posting? Nope. That used to be a “requirement” on the list, and no one followed it anyway, so I removed it.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos
Re: [clamav-users] false positive sample
On Mon, 25 Aug 2014 13:17:23 +, "Joel Esler (jesler)" wrote:

> We’re currently working on a better way to report false positives, so
> hopefully we’ll see some resolution to the issue soon, but by all means, if
> you have FP reports, please report them via the website and we’ll take a look
> at the issue.
>
> As far as reports of new malware, again, the website is the best place to
> send them, however, for bulk uploads, like the website says, it’s best to
> contact us.
>
> Where did you send emails to us that we missed? Maybe we’re having a server
> problem that I haven’t seen yet and we need to get that fixed.
>

I most likely sent the list of MD5s (actually they were SHA256sums) as an attachment to "azidouemba-AT-sourcefire-D0T-c0m"

I've just sent the attachment to "jesler-AT-cisco-D0T-c0m"

I actually haven't had a false positive in a very long time, but lots of undetected malware which fail VirusTotal scans for all the major brands. Like I said CRDF third-party signatures detect the malware an hour or so after you submit the files. I've been also sending them to ClamAV, no more than 2 per day, using the clamsubmit tool.

--
-Dan Q
Re: [clamav-users] false positive sample
Hi there,

On Mon, 25 Aug 2014, it was difficult to figure out who wrote:

Good thing I only use Linux now, where the effectiveness of antivirus software isn't too important. I just wish ClamAV developers were more attentive to their product, which they haven't been since Cisco bought Sourcefire.

I’d disagree here. In fact, we’ve only added to the team since the Cisco purchase. ...

There's a distinction between adding to the team and improving it. Seems to me I've been reading the same old complaints here on the ClamAV mailing list for years now.

Good job I only use ClamAV because of the third party databases like Sanesecurity.

And it would *really* help if the people who use this list learn how to write to mailing lists.

--
73, Ged.
Re: [clamav-users] false positive sample
On Aug 22, 2014, at 6:44 PM, Daniel Quintiliani <d...@runbox.com> wrote:

On Fri, 22 Aug 2014 18:26:37 -0400, Dan McDaniel <d...@dm3.us> wrote:

I submitted a false positive a while ago -- probably back in May. It hasn't been fixed yet. Should I submit it again?

Also, on the web form when submitting false positives there is a check-box that says "notify me". It would seem to imply that you might get some kind of notification when your sample had been processed, but I have never received any notification for any of the samples I've submitted. What is that check-box for?

I don't know what's going on. It seems that ever since the Cisco buyout the quality of ClamAV has disintegrated really fast.

I am always submitting samples from my email and blog spam to VirusTotal, ClamAV, and CRDF. VirusTotal often shows tons of failures, often more than half of the major antivirus products but never ClamAV, and then I submit to CRDF, who do their own automated VirusTotal scans and mark them as malware right away. ClamAV, however, marks them clean for weeks (unless you use CRDF's signatures) and often they are never marked malware.

In fact, I have a list of MD5s of 600 MB worth of malware from a "game hack" site spammed to my blogs. I sent e-mails to ClamAV saying I had the MD5s and files but received no response. I wound up deleting the files because only two were marked as malware, and by CRDF's signatures, not by ClamAV's. (I still have the MD5s list if anyone wants me to post it on the message board)

Good thing I only use Linux now, where the effectiveness of antivirus software isn't too important. I just wish ClamAV developers were more attentive to their product, which they haven't been since Cisco bought Sourcefire.

I’d disagree here. In fact, we’ve only added to the team since the Cisco purchase.

We’re currently working on a better way to report false positives, so hopefully we’ll see some resolution to the issue soon, but by all means, if you have FP reports, please report them via the website and we’ll take a look at the issue.

As far as reports of new malware, again, the website is the best place to send them, however, for bulk uploads, like the website says, it’s best to contact us.

Where did you send emails to us that we missed? Maybe we’re having a server problem that I haven’t seen yet and we need to get that fixed.

If people would like to contribute their own signatures to the ruleset, we’d be happy to take a look at that as well: http://blog.clamav.net/2014/02/introducing-clamav-community-signatures.html

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos
Re: [clamav-users] false positive sample
On Aug 22, 2014, at 8:24 PM, Dan McDaniel <d...@dm3.us> wrote:

On Fri 22.Aug.14 15:36, Al Varnell wrote:

On Aug 22, 2014, at 3:26 PM, Dan McDaniel <d...@dm3.us> wrote:

I submitted a false positive a while ago -- probably back in May. It hasn't been fixed yet. Should I submit it again?

Providing the MD5 of the submitted file will allow the team to locate it quickly.

md5sum: 04f34a0597ab21ce25f4fc6bc84cc5d4

I see this on the server side and the hash is assigned to an analyst to take a look.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos