Re: [clamav-users] issues with mirror - 194.186.47.19

2017-06-19 Thread Walter H.
On Sat, June 17, 2017 18:23, Paul Kosinski wrote:
> Why do you reject *all* email from ".edu". Doesn't that cut you off
> from lots of useful technological info? (I don't think I *ever* see
> spam from ".edu".)

you are a lucky boy; whenever I get an email from ".edu" it is spam ...



___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] Automated Signature Production

2017-06-19 Thread Joel Esler (jesler)
Al,

I believe this is caused by another issue that we are working to resolve, one 
of our sample indexes is undergoing maintenance.  We use this particular index 
to look up hashes and sizes for sample conviction.  This should be fixed soon.


--
Joel Esler | Talos: Manager | jes...@cisco.com


On Jun 19, 2017, at 10:54 PM, Al Varnell <alvarn...@mac.com> wrote:

> The last time I saw a notification that looked anything close to what is
> normally posted after an automated signature process was daily - 23468 on June
> 12, over a week ago. Most every update since then has been empty or only
> contained a handful of entries.
>
> -Al-
> --
> Al Varnell
> Mountain View, CA


[clamav-users] Automated Signature Production

2017-06-19 Thread Al Varnell
The last time I saw a notification that looked anything close to what is 
normally posted after an automated signature process was daily - 23468 on June 
12, over a week ago. Most every update since then has been empty or only 
contained a handful of entries.

-Al-
-- 
Al Varnell
Mountain View, CA







Re: [clamav-users] Question on GUI notifications of virus detection

2017-06-19 Thread Michael D.

On 06/19/2017 07:49 PM, Bryan C. Everly wrote:
> Hi all,
>
> I am running Arch Linux with ClamAV 0.99.2 on a Thinkpad X1 Carbon
> (Skylake) using xorg and Gnome3.  Anyhow, I have the ScanOnAccess
> stuff configured to where the system will detect any activity on my
> EICAR test file.
>
> My /opt/clamav-utils/clamd-response file is where I'm running into
> trouble.  I'd like to use it to trigger a GUI alert on my screen;

Hi Bryan,

The problem isn't with ClamAV, it's the difference in sessions between a 
daemon and a user.


A user that is logged in is in a shell with lots of environment 
variables set, whereas a daemon is running in a bare-minimum environment.


You probably need to set the variable DBUS_SESSION_BUS_ADDRESS in your 
script as described here:


https://askubuntu.com/questions/298608/notify-send-doesnt-work-from-crontab

Best regards
  Michael


[clamav-users] Question on GUI notifications of virus detection

2017-06-19 Thread Bryan C. Everly
Hi all,

I am running Arch Linux with ClamAV 0.99.2 on a Thinkpad X1 Carbon
(Skylake) using xorg and Gnome3.  Anyhow, I have the ScanOnAccess
stuff configured to where the system will detect any activity on my
EICAR test file.  My configuration is below:

LogFile /var/log/clamav/clamd.log
LogTime yes
PidFile /run/clamav/clamd.pid
TemporaryDirectory /tmp
LocalSocket /var/lib/clamav/clamd.sock
User root
ScanOnAccess yes
OnAccessMountPath /home
OnAccessPrevention yes
OnAccessExtraScanning yes
OnAccessExcludeUID 0
VirusEvent /opt/clamav-utils/clamd-response

My /opt/clamav-utils/clamd-response file is where I'm running into
trouble.  I'd like to use it to trigger a GUI alert on my screen;
however, no matter what I do I cannot seem to get that to work.  If I
run the script by hand (even with sudo) it works like a champ;
however, even though it is being ran (because I see the log activity
and the test file is deleted), I cannot for the life of me get it to
show anything on the screen.  Here's the script:

#!/bin/sh

# The variables have to be exported; plain assignments stay shell-local
# and zenity/notify-send never see DISPLAY or XAUTHORITY.
export DISPLAY=:0.0
export XAUTHORITY=/home/bceverly/.Xauthority
export SHELL=/bin/bash
export PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# Log and remove before showing the dialog: zenity blocks until the
# dialog is dismissed. Quote the filename in case it contains spaces.
echo "$(date) - $CLAM_VIRUSEVENT_VIRUSNAME > $CLAM_VIRUSEVENT_FILENAME" >> /var/log/clamav/infected.log
rm -f -- "$CLAM_VIRUSEVENT_FILENAME"

zenity --error --title="ClamAV Alert" --text "Virus Found $CLAM_VIRUSEVENT_VIRUSNAME.  $CLAM_VIRUSEVENT_FILENAME has been removed"
# notify-send alternative (sudo -u needs a user name; taken here from the
# XAUTHORITY path above):
#sudo -u bceverly DISPLAY=:0.0 /usr/bin/notify-send -u critical "Virus Found $CLAM_VIRUSEVENT_VIRUSNAME" "$CLAM_VIRUSEVENT_FILENAME has been removed"

I've tried it with both zenity and notify-send and get the same
results.  I have a feeling there is some xorg fu that I need to do and
am just too ignorant to pull it off.  Any help would be massively
appreciated!

Thanks,
Bryan
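Bryan's hook above and Michael's diagnosis in his reply (a daemon has an almost empty environment, so the desktop session's DISPLAY, XAUTHORITY and DBUS_SESSION_BUS_ADDRESS have to be supplied) worked through as an added example. This is not code from either poster or from the ClamAV project. It assumes a desktop user name (DESKTOP_USER, defaulting to bceverly as in the XAUTHORITY path above), an X server at :0, and a systemd-logind layout where the user's session bus lives at /run/user/<uid>/bus; the helper names (is_under_mount, format_log_line, run_in_session) are this example's own. Because the hook runs as root and deletes files, it refuses to remove anything outside OnAccessMountPath and squashes newlines in the logged file name so a crafted name cannot forge log entries:

```shell
#!/bin/sh
# Added example, not code from the original posts or from ClamAV: a
# VirusEvent hook that hands the notification to the desktop user's
# session. clamd runs as a daemon with an almost empty environment, so
# DISPLAY, XAUTHORITY and DBUS_SESSION_BUS_ADDRESS are supplied here.
#
# Assumptions (not stated on the page): the desktop user is DESKTOP_USER,
# the X server is :0, and systemd-logind puts the session bus at
# /run/user/<uid>/bus.  Adjust for your machine.

DESKTOP_USER="${DESKTOP_USER:-bceverly}"
MOUNT_PATH="${MOUNT_PATH:-/home}"          # same as OnAccessMountPath
INFECTED_LOG="${INFECTED_LOG:-/var/log/clamav/infected.log}"

# Session bus address for a uid under systemd-logind (assumed layout).
dbus_address_for_uid() {
    printf 'unix:path=/run/user/%s/bus\n' "$1"
}

# Succeed only if path $1 lies inside the monitored tree $2.  The hook
# runs as root and deletes files, so it refuses anything outside
# OnAccessMountPath, including "/home/../etc/passwd"-style paths.
is_under_mount() {
    case "$1" in
        "$2"/*)
            case "/$1/" in
                */../*|*/./*) return 1 ;;
            esac
            return 0 ;;
    esac
    return 1
}

# One log line per event; CR/LF in the virus name or file name are
# squashed so a crafted file name cannot forge extra log entries.
format_log_line() {
    printf '%s - %s > %s' "$1" "$2" "$3" | tr '\r\n' '  '
    printf '\n'
}

# Run a command as the desktop user with the three variables a daemon
# lacks.  runuser(8) is from util-linux; "sudo -u" works the same way.
run_in_session() {
    user="$1"; shift
    uid="$(id -u "$user")"
    home="$(getent passwd "$user" | cut -d: -f6)"
    runuser -u "$user" -- env \
        DISPLAY=:0 \
        XAUTHORITY="$home/.Xauthority" \
        DBUS_SESSION_BUS_ADDRESS="$(dbus_address_for_uid "$uid")" \
        "$@"
}

main() {
    name="$CLAM_VIRUSEVENT_VIRUSNAME"
    file="$CLAM_VIRUSEVENT_FILENAME"

    format_log_line "$(date)" "$name" "$file" >> "$INFECTED_LOG"

    if is_under_mount "$file" "$MOUNT_PATH"; then
        rm -f -- "$file"
        msg="$file has been removed"
    else
        msg="$file is outside $MOUNT_PATH and was left in place"
    fi

    # notify-send returns at once, unlike a zenity dialog, so clamd is
    # not left waiting for someone to click OK.
    run_in_session "$DESKTOP_USER" notify-send -u critical \
        "ClamAV: $name found" "$msg"
}

# Only act when clamd invoked us (it sets the CLAM_VIRUSEVENT_* variables).
if [ -n "${CLAM_VIRUSEVENT_FILENAME:-}" ]; then
    main
fi
```

Point VirusEvent at this file and make it executable. The same three variables are what a cron job needs for notify-send, which is why the askubuntu answer Michael links applies here unchanged.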


Re: [clamav-users] temporary directories left in /var/lib/clamav

2017-06-19 Thread Steven Morgan
Hi,

Any temporary files left by "normal" ClamAV processing are considered to be
a bug. Temporary files may be left if a ClamAV component terminates
ungracefully. Do you have any other logs or know of any other events from
June 3 that may provide additional info about these files left in the temp
directory?

Steve

On Mon, Jun 19, 2017 at 8:01 AM, David Pullman wrote:

> Hi,
>
> We're seeing cases on some servers where tmp directories are possibly being
> left behind in /var/lib/clamav. The following is one example, there are
> some where more than one tmp dir is occurring.
>
> Is this a sign of a failure to clean up after a download? Is there
> something I can check in logs or in configuration regarding this? Or is it
> simply a need to run a clean up process?
>
> Thanks very much!
>
> David
>
> $ ls -alR /var/lib/clamav/clamav-12a37b16fb99966eac0b8cc6f66d5d8c.tmp/
> /var/lib/clamav/clamav-12a37b16fb99966eac0b8cc6f66d5d8c.tmp/:
> total 12
> drwxr-xr-x 3 clamav clamav 4096 Jun 19 11:16 .
> drwxr-xr-x 3 clamav clamav 4096 Jun 19 00:05 ..
> drwxr-xr-x 2 clamav clamav 4096 Jun  3 00:03 clamav-6ef20391b3924221fc3fce4a535e157e.tmp
>
> /var/lib/clamav/clamav-12a37b16fb99966eac0b8cc6f66d5d8c.tmp/clamav-6ef20391b3924221fc3fce4a535e157e.tmp:
> total 145216
> drwxr-xr-x 2 clamav clamav      4096 Jun  3 00:03 .
> drwxr-xr-x 3 clamav clamav      4096 Jun 19 11:16 ..
> -rw-r--r-- 1 clamav clamav     17992 Jun  3 00:03 COPYING
> -rw-r--r-- 1 clamav clamav       557 Jun  3 00:03 daily.cdb
> -rw-r--r-- 1 clamav clamav       424 Jun  3 00:03 daily.cfg
> -rw-r--r-- 1 clamav clamav      6040 Jun  3 00:03 daily.crb
> -rw-r--r-- 1 clamav clamav     26043 Jun  3 00:03 daily.fp
> -rw-r--r-- 1 clamav clamav      9965 Jun  3 00:03 daily.ftm
> -rw-r--r-- 1 clamav clamav  29125847 Jun  3 00:03 daily.hdb
> -rw-r--r-- 1 clamav clamav      3530 Jun  3 00:03 daily.hdu
> -rw-r--r-- 1 clamav clamav 112488731 Jun  3 00:03 daily.hsb
> -rw-r--r-- 1 clamav clamav        89 Jun  3 00:03 daily.hsu
> -rw-r--r-- 1 clamav clamav     36126 Jun  3 00:03 daily.idb
> -rw-r--r-- 1 clamav clamav      5709 Jun  3 00:03 daily.ign
> -rw-r--r-- 1 clamav clamav      4235 Jun  3 00:03 daily.ign2
> -rw-r--r-- 1 clamav clamav      2271 Jun  3 00:03 daily.info
> -rw-r--r-- 1 clamav clamav    849664 Jun  3 00:03 daily.ldb
> -rw-r--r-- 1 clamav clamav    199116 Jun  3 00:03 daily.ldu
> -rw-r--r-- 1 clamav clamav   4847600 Jun  3 00:03 daily.mdb
> -rw-r--r-- 1 clamav clamav     69427 Jun  3 00:03 daily.mdu
> -rw-r--r-- 1 clamav clamav        92 Jun  3 00:03 daily.msb
> -rw-r--r-- 1 clamav clamav        92 Jun  3 00:03 daily.msu
> -rw-r--r-- 1 clamav clamav     97624 Jun  3 00:03 daily.ndb
> -rw-r--r-- 1 clamav clamav    823647 Jun  3 00:03 daily.ndu
> -rw-r--r-- 1 clamav clamav      4094 Jun  3 00:03 daily.pdb
> -rw-r--r-- 1 clamav clamav        87 Jun  3 00:03 daily.sfp
> -rw-r--r-- 1 clamav clamav     10095 Jun  3 00:03 daily.wdb


Re: [clamav-users] issues with mirror - 194.186.47.19

2017-06-19 Thread Paul Kosinski
I agree that there are lots of compromised ".edu" accounts, and that
some students like to cause trouble. But, when I say I never *see* spam
from ".edu" domains, I mean, if there is any, it gets filtered out by
other means, not that my MTA never receives any.

Also, in the past I *have* corresponded with ".edu". For example, I was
using a Stratum 1 NTP server at MIT (it being nearby, and my being an
MIT grad), and had to communicate with the guy running it.

The only TLDs I currently block are some of the weird new ones, like
'accountant', 'bid', 'club', 'cricket', 'date', 'download', 'men',
'stream', 'top' and 'xyz', as I have no evidence that anything *but*
spam ever comes from them.

P.S. I often look at our mail logs (for our tiny domain), and ".edu"
does not stand out at all. As far as IPTABLES logs, I don't remember
seeing probes from IP addresses which PTR-resolve to ".edu", but I
don't do that a lot (and I certainly don't log every dropped SYN).


On Sun, 18 Jun 2017 18:23:32 +0100 (BST)
"G.W. Haywood" wrote:

> Hi there,
> 
> On Sun, 18 Jun 2017, Paul Kosinski wrote:
> > On Fri, 16 Jun 2017 17:22:53 +0100 (BST) "G.W. Haywood" wrote:
> > 
> >> ... We just outright reject all mail from the '.edu' TLD ...
> > 
> > Why do you reject *all* email from ".edu".
> 
> Because all connections we see from .edu are either from compromised
> accounts sending spam or from irresponsible juveniles who think it's
> clever/cool/whatever to try to hack into other people's computers.
> 
> > Doesn't that cut you off from lots of useful technological info?
> 
> Not in the least.  There's a reasonable scientific press, for example.
> 
> > (I don't think I *ever* see spam from ".edu".)
> 
> That seems strange to me.  Generally speaking we have no reason to
> correspond with .edu domains, but even so, apart from hack attempts
> we never see anything else.  Do you actually look for it?  I mean,
> you know, read the logs? :)
> 
> There's an important point here.  Well over 90% of the attacks we see
> are defeated by preventing connections from the sources of the attacks
> simply because they are known sources of attacks.  It's not the only
> technique we use, but even on its own it's more effective, in terms of
> both success rate and processing overhead, than scanning for malicious
> characteristics - which of course we do as well, but only after the
> bulk of the dross has been dropped using a number of other techniques.
> 


[clamav-users] temporary directories left in /var/lib/clamav

2017-06-19 Thread David Pullman
Hi,

We're seeing cases on some servers where tmp directories are possibly being
left behind in /var/lib/clamav. The following is one example, there are
some where more than one tmp dir is occurring.

Is this a sign of a failure to clean up after a download? Is there
something I can check in logs or in configuration regarding this? Or is it
simply a need to run a clean up process?

Thanks very much!

David

$ ls -alR /var/lib/clamav/clamav-12a37b16fb99966eac0b8cc6f66d5d8c.tmp/
/var/lib/clamav/clamav-12a37b16fb99966eac0b8cc6f66d5d8c.tmp/:
total 12
drwxr-xr-x 3 clamav clamav 4096 Jun 19 11:16 .
drwxr-xr-x 3 clamav clamav 4096 Jun 19 00:05 ..
drwxr-xr-x 2 clamav clamav 4096 Jun  3 00:03 clamav-6ef20391b3924221fc3fce4a535e157e.tmp

/var/lib/clamav/clamav-12a37b16fb99966eac0b8cc6f66d5d8c.tmp/clamav-6ef20391b3924221fc3fce4a535e157e.tmp:
total 145216
drwxr-xr-x 2 clamav clamav      4096 Jun  3 00:03 .
drwxr-xr-x 3 clamav clamav      4096 Jun 19 11:16 ..
-rw-r--r-- 1 clamav clamav     17992 Jun  3 00:03 COPYING
-rw-r--r-- 1 clamav clamav       557 Jun  3 00:03 daily.cdb
-rw-r--r-- 1 clamav clamav       424 Jun  3 00:03 daily.cfg
-rw-r--r-- 1 clamav clamav      6040 Jun  3 00:03 daily.crb
-rw-r--r-- 1 clamav clamav     26043 Jun  3 00:03 daily.fp
-rw-r--r-- 1 clamav clamav      9965 Jun  3 00:03 daily.ftm
-rw-r--r-- 1 clamav clamav  29125847 Jun  3 00:03 daily.hdb
-rw-r--r-- 1 clamav clamav      3530 Jun  3 00:03 daily.hdu
-rw-r--r-- 1 clamav clamav 112488731 Jun  3 00:03 daily.hsb
-rw-r--r-- 1 clamav clamav        89 Jun  3 00:03 daily.hsu
-rw-r--r-- 1 clamav clamav     36126 Jun  3 00:03 daily.idb
-rw-r--r-- 1 clamav clamav      5709 Jun  3 00:03 daily.ign
-rw-r--r-- 1 clamav clamav      4235 Jun  3 00:03 daily.ign2
-rw-r--r-- 1 clamav clamav      2271 Jun  3 00:03 daily.info
-rw-r--r-- 1 clamav clamav    849664 Jun  3 00:03 daily.ldb
-rw-r--r-- 1 clamav clamav    199116 Jun  3 00:03 daily.ldu
-rw-r--r-- 1 clamav clamav   4847600 Jun  3 00:03 daily.mdb
-rw-r--r-- 1 clamav clamav     69427 Jun  3 00:03 daily.mdu
-rw-r--r-- 1 clamav clamav        92 Jun  3 00:03 daily.msb
-rw-r--r-- 1 clamav clamav        92 Jun  3 00:03 daily.msu
-rw-r--r-- 1 clamav clamav     97624 Jun  3 00:03 daily.ndb
-rw-r--r-- 1 clamav clamav    823647 Jun  3 00:03 daily.ndu
-rw-r--r-- 1 clamav clamav      4094 Jun  3 00:03 daily.pdb
-rw-r--r-- 1 clamav clamav        87 Jun  3 00:03 daily.sfp
-rw-r--r-- 1 clamav clamav     10095 Jun  3 00:03 daily.wdb
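David asks whether the leftover clamav-*.tmp directories above call for a clean-up process, and Steve's reply says they are left only when a ClamAV component terminates ungracefully. The following is an added example of a safe clean-up, not code from either poster or from the ClamAV project. It assumes the database directory is /var/lib/clamav, that leftover directories are named clamav-<hex>.tmp at the top level of that directory (nested ones go with their parent, as in the listing), that find supports -mindepth/-maxdepth (GNU and BSD do), and that pgrep is available. The function and variable names are this example's own. The two checks that matter: never delete while freshclam is running, since a directory may be mid-download, and only consider directories older than a minimum age, so a directory created by the run that is in progress is not mistaken for a stale one:

```shell
#!/bin/sh
# Added example (not from the original post or the ClamAV project): find
# leftover freshclam download directories in the database directory and
# remove them only when it is safe to do so.  A directory still being
# written by a running freshclam must not be touched, and a directory
# younger than MIN_AGE_DAYS is not treated as stale.
# Assumptions: database dir /var/lib/clamav, temp dirs named
# clamav-<hex>.tmp as in the listing above, find with -mindepth/-maxdepth,
# pgrep from procps.

DBDIR="${DBDIR:-/var/lib/clamav}"
MIN_AGE_DAYS="${MIN_AGE_DAYS:-1}"

# Print top-level clamav-*.tmp directories in $1 not modified for more
# than $2 days, one per line.  Nested .tmp dirs (as in the listing) go
# with their parent, so only the top level is reported.
find_stale_tmpdirs() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -name 'clamav-*.tmp' \
        -mtime +"$2" | sort
}

freshclam_running() {
    pgrep -x freshclam >/dev/null 2>&1
}

# Delete the stale directories, refusing outright while freshclam runs
# (it may be mid-download into one of them).  Returns 2 when it refuses.
remove_stale_tmpdirs() {
    if freshclam_running; then
        echo "freshclam is running; not touching $1" >&2
        return 2
    fi
    find_stale_tmpdirs "$1" "$2" | while IFS= read -r d; do
        # Stay inside $1: the name came from find, but be explicit.
        case "$d" in
            "$1"/clamav-*.tmp) rm -rf -- "$d"; echo "removed $d" ;;
        esac
    done
}

# "sh cleanup.sh --list" reports, "sh cleanup.sh --run" removes.
case "${1:-}" in
    --list) find_stale_tmpdirs "$DBDIR" "$MIN_AGE_DAYS" ;;
    --run)  remove_stale_tmpdirs "$DBDIR" "$MIN_AGE_DAYS" ;;
esac
```

Run it with --list first and compare the reported directories against the freshclam log for the same dates (June 3 in David's case) before using --run; a directory that coincides with a logged crash or kill of freshclam is the bug Steve refers to, and that log excerpt is what the developers asked for.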