[Clamav-users] 0.95.3 clamav-milter

2009-11-21 Thread Bit Fuzzy

Greetings all,

I've finally upgraded to 0.95.3 from 0.94 and I have a question 
regarding the new clamav-milter due to the lack of information regarding it.


Is the old milter string for sendmail still to be used?

INPUT_MAIL_FILTER(`clamav', `S=local:/var/run/clamav/clmilter.sock, F=, T=S:4m;R:4m;C:30s;E:10m')dnl

define(`confINPUT_MAIL_FILTERS', `clamav')

Or is "define(`confMILTER_MACROS_EOM', `{msg_id}, {mail_addr}, {rcpt_addr}, i')" to be used in its place?


Currently the milter is set to drop infected messages.

The system's maillog records who sent the message and what the 
infection/virus was, but it doesn't record who it was sent to.
Additionally when the clamav-milter.log is used, it does log who the 
message was intended for, but lists the local name rather than the 
address (johnk instead of some_addr...@mydomain.com)


I was wondering if anyone knows of a fix for this.

Ken



___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Re: [Clamav-users] WARNING: Suspicious recipient address blocked

2008-04-14 Thread Bit Fuzzy
Alan Stern wrote:
> There's certainly something wrong here.  The open and close bracket 
> characters ('[' and ']', items 19 and 21) can indeed be part of a valid 
> email address.  For example:  [EMAIL PROTECTED]
>   

There's a difference between "[EMAIL PROTECTED]" which would 
be invalid and [EMAIL PROTECTED] which should be translated via DNS.


Re: [Clamav-users] Memory usage for clamd is huge

2008-03-31 Thread Bit Fuzzy
It may be just me, but I think this topic has been beaten to death  :-\



Re: [Clamav-users] Memory usage for clamd is huge

2008-03-31 Thread Bit Fuzzy
Dennis Peterson wrote:
> And to follow up on the earlier 
> point about Windows systems not being the sole source of spam/virus 
> distribution, 
>   
> Two minutes to hack a Mac and it's now available to generate spam and 
> become a drone to spread malware for other Macs or Windows systems.
>
>   

It wouldn't even necessarily require a compromised system.
All it would take is a user with too much free time on their hands.



Re: [Clamav-users] Memory usage for clamd is huge

2008-03-30 Thread Bit Fuzzy

>>> It's not unthinkable, there actually are places where microsoft software 
>>> is not used.
>>>   
>> Doesn't matter - there's no reason to suspect that all viruses originate 
>> from Windows. Could I have your outgoing smtp IP please?
>> 
>
> Wow - as a long term IT professional I thought I'd heard it all but this 
> takes the cake. In all the past waves of viruses we've seen, they have 
> been analyzed in depth and found to be 100% windows. If you have some 
> evidence to the contrary feel free to share.
>
> A non-windows email virus is the kind of "man bites dog" story that 
> would cause quite the buzz...
>   

Erm, I don't believe that is what he said.

He said, (in relation to not scanning outgoing mail), to think or 
believe that "ALL" viruses "originate" from windows machines/users was 
incorrect.
This assumption would mean that nobody would ever send a virus laden 
message from any OS other than Windows.

He's right of course, the thought alone is dangerous for any 
administrator to entertain.

JMO




Re: [Clamav-users] clamav 90.1 isn't detecting attachments -- partially fixed

2007-03-31 Thread Bit Fuzzy

Matthias Häker wrote:
> Bit Fuzzy wrote:
>> I'm hoping somebody can shed some light on what we're seeing.
>>
>> We've been using ClamAV since version: 85.1 and have had nothing but
>> good things to say about it.
>>
>> That is until we updated to version 90.1
>>
>> Since the update any and all messages containing infected attachments
>> including the provided test files pass through undetected.
>>
>> Running "clamscan -r -l scan.txt clamav-0.90.1" manually works fine.
>> The issue seems to be limited to mail scanning
>>
>> We scan messages through procmail and trashscan
>
> maybe is something like the Problem with clamassassin in the trashcan
> script
>
> have a look at
>
> http://lists.jameslick.com/pipermail/clamassassin-announce/2007-February/30.html
>
> Matthias


Matthias,

Your suggestion was actually more helpful than I first thought.

For those using trashscan (if any besides me) the following strings will 
need to be modified:


Old: --disable-summary  New: --no-summary
Old: --unarj=[path]     New: --arj=[path]
Old: --zoo=[path]       New: --unzoo=[path]

Though MSRBL images are still not being detected

Ken





Re: [Clamav-users] clamav 90.1 isn't detecting attachments

2007-03-31 Thread Bit Fuzzy

Matthias Häker wrote:
> Bit Fuzzy wrote:
>> I'm hoping somebody can shed some light on what we're seeing.
>>
>> We've been using ClamAV since version: 85.1 and have had nothing but
>> good things to say about it.
>>
>> That is until we updated to version 90.1
>>
>> Since the update any and all messages containing infected attachments
>> including the provided test files pass through undetected.
>>
>> Running "clamscan -r -l scan.txt clamav-0.90.1" manually works fine.
>> The issue seems to be limited to mail scanning
>>
>> We scan messages through procmail and trashscan
>
> maybe is something like the Problem with clamassassin in the trashcan
> script
>
> have a look at
>
> http://lists.jameslick.com/pipermail/clamassassin-announce/2007-February/30.html
>
> Matthias


Thanks for the suggestion Matthias.

No, Trashscan didn't use the --mbox switch (or at least my setup doesn't)


Ken



[Clamav-users] clamav 90.1 isn't detecting attachments

2007-03-31 Thread Bit Fuzzy

I'm hoping somebody can shed some light on what we're seeing.

We've been using ClamAV since version: 85.1 and have had nothing but 
good things to say about it.

That is until we updated to version 90.1

Since the update any and all messages containing infected attachments 
including the provided test files pass through undetected.


Running "clamscan -r -l scan.txt clamav-0.90.1" manually works fine.
The issue seems to be limited to mail scanning

We scan messages through procmail and trashscan


Any ideas?






Re: [Clamav-users] Cherishing my ignorance - An appeal to package rs

2006-11-09 Thread Bit Fuzzy

My god!
This topic hasn't been killed yet?!?




Re: [Clamav-users] Re: To ClamAV Developers: donation question

2006-11-08 Thread Bit Fuzzy

> In other words, you are looking for a tax write off.

If so, is that a crime? Or for that matter wrong?
I think not

The truth of the matter is in a business setting (especially in a 
Corporate setting) you "need" to be able to show where funds are going. 
If we don't get a receipt (or at least an itemized invoice), you don't 
get paid. It's that simple.



Re: [Clamav-users] bash script to split mbox file and scan individual messages

2006-08-27 Thread Bit Fuzzy



> the circumstances arose where mail folders are kept
> from a pre-clamav time, or there was an issue with the clamav setup at
> the time, or clamav was not scanning incoming mail but was scanning
> files, etc.  can happen.  happened to me.  from looking at the mailing
> list and the faq, it does happen.

I have to say that while I commend your sharing of a concept/idea, it 
does appear that it's not very viable.
As for the situation, we've been using ClamAV for going on 3 years now, 
and I have never (I repeat never) seen this occur.

Outside of a poor configuration/implementation that is.

> true enough.  best it to catch it inline.  but if not then what.  that
> is what i wanted to help.

If you're looking for redundancy a simple .procmailrc rule via trashscan 
or whatever would be more effective I'd think.
This would verify that messages are clean "before" it gets delivered to 
the recipient's mailbox. (This is what it appears you're trying to address)

> , man.  if pawing thru old mboxes is not your bag,  then delete the
> message and move on.  it may be helpful to someone else

True enough, however, it's best not to need to go "pawing" through old 
mboxes in the first place ;)





Re: [ [Clamav-users] custom signatures not working]

2006-02-28 Thread Bit Fuzzy

- Original Message -
From: "Steve Basford" <[EMAIL PROTECTED]>
To: "ClamAV users ML" 
Sent: Tuesday, February 28, 2006 1:07 PM
Subject: Re: [Fwd: Re: [Clamav-users] custom signatures not working]


> Some example sigs... Note the case of the text
>
> Sig eg 1:
>
>
> Html.Phishing.Pay.Gen017.Sanesecurity.06022800:3:*:646561722070617970616c206d656d626572
>
>
> Note: type 3 is used (HTML) which means the file is normalised
>
> so : 646561722070617970616c206d656d626572 is (dear paypal member)
>
> will match: Dear PayPal Member
> and   : Dear Paypal member
> and   : dear paypal member
> and   : Dear PayPal Members
>
> Sig eg 2:
>
>
> Html.Phishing.Pay.Gen017.Sanesecurity.06022800:0:*:446561722050617950616c204d656d626572
>

Thanks for the help Steve.

Well, I've noticed something that doesn't quite make sense
Sending a message containing only "Dear PayPal Member" does not get flagged

However, a message containing only "Dear PayPal Member" and an attachment (a
simple blank txt file works) and message gets flagged as intended.

In other words, the only time "Dear PayPal Member" gets detected is if
there's an attachment, empty or otherwise
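
As an added illustration (not part of the original thread, and not ClamAV code), the sketch below parses the two `.ndb` lines Steve quotes, decodes their hex bodies, and shows why the case of the pattern matters for a normalised target type. Lower-casing stands in for ClamAV's full HTML normalisation, the function names are hypothetical, and the third signature is constructed for the lint check.

```python
from dataclasses import dataclass
from typing import Optional

# Target types whose content is normalised before matching
# (3 = HTML, 7 = ASCII text). Assumption: lower-casing is the only
# normalisation step modelled in this sketch.
NORMALISED_TARGETS = {3, 7}

# The two signatures quoted in the thread.
SIG_HTML = "Html.Phishing.Pay.Gen017.Sanesecurity.06022800:3:*:646561722070617970616c206d656d626572"
SIG_RAW = "Html.Phishing.Pay.Gen017.Sanesecurity.06022800:0:*:446561722050617950616c204d656d626572"
# Constructed for this example: mixed-case pattern under a normalised target.
SIG_MIXED = "Example.Constructed.MixedCase:3:*:446561722050617950616c204d656d626572"


@dataclass(frozen=True)
class NdbSignature:
    name: str
    target: int     # 0 = any file, 3 = normalised HTML
    offset: str     # "*" = anywhere in the file
    pattern: bytes  # decoded body of the hex signature


def parse_ndb(line: str) -> NdbSignature:
    """Parse 'Name:TargetType:Offset:HexSignature' (plain hex bodies only)."""
    fields = line.strip().split(":")
    if len(fields) < 4:
        raise ValueError("expected Name:TargetType:Offset:HexSignature")
    name, target, offset, hexsig = fields[:4]
    try:
        pattern = bytes.fromhex(hexsig)
    except ValueError:
        # Wildcards such as ?? or {n} are outside the scope of this sketch.
        raise ValueError("only plain hex signature bodies are handled") from None
    return NdbSignature(name, int(target), offset, pattern)


def matches(sig: NdbSignature, content: bytes) -> bool:
    """Substring match, lower-casing the content first for normalised targets."""
    if sig.offset != "*":
        raise NotImplementedError("only the '*' (any) offset is modelled")
    data = content.lower() if sig.target in NORMALISED_TARGETS else content
    return sig.pattern in data


def lint_case(sig: NdbSignature) -> Optional[str]:
    """Flag patterns that cannot match because the target is lower-cased."""
    if sig.target in NORMALISED_TARGETS and sig.pattern != sig.pattern.lower():
        return (f"{sig.name}: uppercase bytes in a type-{sig.target} pattern "
                "never match normalised content")
    return None


def evaluate(sig_line: str, samples) -> dict:
    """Return {sample: matched?} for one signature line."""
    sig = parse_ndb(sig_line)
    return {s: matches(sig, s.encode("ascii")) for s in samples}


# The four body strings listed in the quoted message.
SAMPLES = ["Dear PayPal Member", "Dear Paypal member",
           "dear paypal member", "Dear PayPal Members"]

if __name__ == "__main__":
    for line in (SIG_HTML, SIG_RAW, SIG_MIXED):
        sig = parse_ndb(line)
        print(sig.name, "type", sig.target, "->", sig.pattern)
        print("  ", evaluate(line, SAMPLES))
        print("   lint:", lint_case(sig))
```
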




Re: [Clamav-users] Squirriel Mail clamav scanner

2006-01-09 Thread Bit Fuzzy
  
> There are modules to do imap from other servers, as well as pop...at  
> the user, not server level.  I can very easily see a use for clam  
> scanning at the squirrelmail user level, just as you have the ability  
> to do spamassassin scanning at the user level.

This is true. 



Re: [Clamav-users] Squirriel Mail clamav scanner

2006-01-09 Thread Bit Fuzzy
> i was wondering if anyone knows of a squirriel mail plugin using ClamAV
> to scan e-mails?

IMHO that would be overkill.

Incoming messages will be scanned via ClamAV as should messages being sent.
(depending on configuration)

Squirrelmail does not change how mail is sent or received. It only provides
a web interface to manage mail



Re: [Clamav-users] Maybe a virus Sober.P

2005-05-05 Thread Bit Fuzzy
> 
> "Now, a clever man would put the poison into his own goblet, because he 
> would know that only a great fool would reach for what he was given. I 
> am not a great fool, so I can clearly not choose the wine in front of 
> you. But you must have known I was not a great fool, you would have 
> counted on it, so I can clearly not choose the wine in front of me. "  
> Bonus points if you identify what it's from :-p

Princess Bride..

I don't know which is worse

The fact you posted it, or the fact I responded ;)



Re: [Clamav-users] M$ preparing AV software ?

2005-02-09 Thread Bit Fuzzy

- Original Message -
From: "Thomas Cameron" <[EMAIL PROTECTED]>
To: "ClamAV users ML" 
Sent: Wednesday, February 09, 2005 4:13 PM
Subject: Re: [Clamav-users] M$ preparing AV software ?


> I'm actually viewing it more as a tactic of MS buying and then closing up
> shops that sell Linux products.  Look at what they did with VirtualPC. The
> first release after they bought it you couldn't load Linux in the virtual
> machine.
>
> I'm wondering if that is what they are doing with all the AV purchases
> they've done?
>
> Thomas

Would that be surprising? They're buying up security related companies at a
very quick pace.
Buy a few that offer nothing to linux, and you've got protection from
anti-competitive practices.

Long story short. Windows has been called "a hackers door way into your
computer".
MS AV/Spybot utilities are sure to be labeled "The Express Lane"

Not too much longer all that'll be left for Windows PC's to do is Implode
upon activation



Re: [Clamav-users] clamav as HTTP scanner?

2004-12-16 Thread Bit Fuzzy
> Linux vendors make from their product is in the sale of packaged 
> products or the sale of updates.

Hmm, good point I didn't think of that



Re: [Clamav-users] ClamAV should not try to detectphishingandothersocial engineering attacks

2004-11-15 Thread Bit Fuzzy
I can't believe this one subject can create such a mess.


> ClamAv is marketed as an antivirus tool.  I think, as you say, there is a
> need for a generic anti-malware tool.  But don't call it clamav.

Not detecting phishing attempts, would be like allowing Trojans through as
acceptable attachments.
These aren't Nigerian scams, or Viagra ads, there are emails designed right
down to the linked site to obtain account information.

Let's not forget that the "Phishing", and "Social Engineering" are 'Hacker'
terms for methods of retrieving sensitive information, in
the hopes to gain access to the account or desired target (network).

With that in mind it seems to me these emails should be treated as seriously
as Trojans are treated.

The "phishing" e-mails being detected (by all AV's I might add) should be
kept out of the hands of those who need protecting
(click happy users).

This isn't Spam that by replying or clicking the included link you get added
to a Spam list.

It's the type of emails that come along indicating they're from "Citibank,
Paypal, Ebay, CapitalOne, ETC". You click the link and 'HEY' what do you
know, it looks identical to the site they "thought" they were going to, so
they provide their credit card / account information for verification (like
they'd think to verify the URL in their address bar)

I'm sorry, but I personally know 7 people who fell prey to this practice,
and I've gotten emails from users thanking us for the addition.

Set it up as an option if needed, but as a network administrator, I'd rather
be on the safe side and allow them to view the email held if they desire,
than to find out that because it got through and put a hard working family
in to financial turmoil.


Just my 2 cents.





Re: [Clamav-users] New virus/worm ???

2004-08-09 Thread Bit Fuzzy

- Original Message - 
From: "Michael Brennen" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, August 09, 2004 1:58 PM
Subject: [Clamav-users] New virus/worm ???


> 
> Just in the last few minutes I've started getting hit with several
> copies of a zip packaged exe file from widely varying sources.  The
> names are of the form 'price.*\.zip'.  I've submitted a copy online
> and it was accepted.  Anyone else seeing this?
> 
>-- Michael

Yea, I've gotten at least 22 of them in the past hour from the Mod_SSL lists

If it's not one thing it's another  :/





Re: [Clamav-users] [clamav-users]stats about clamav

2004-07-20 Thread Bit Fuzzy




Nigel Horne wrote:
> On Tuesday 20 Jul 2004 17:23, Bit Fuzzy wrote:
>> The download link seems to have been removed
>
> What download link? There never has been a download link, so I don't
> know why you say it's been removed.
>
> If you're after the software use the e-mail address at the top.
>
> -Nigel


  

Nigel,

> As at http://cgi.bandsman.co.uk/cgi-bin/virus/display.pl?

--- >You'll see a link there
to the script that generated the stats. <---

My apologies, it appears I had misunderstood your statement.

BF






Re: [Clamav-users] [clamav-users]stats about clamav

2004-07-20 Thread Bit Fuzzy
Nigel Horne wrote:
>> I want to generate statistics about clamav : how many
>> requests or mails infected ?
>
> As at http://cgi.bandsman.co.uk/cgi-bin/virus/display.pl? You'll see a link there
> to the script that generated the stats.
> -Nigel

The download link seems to have been removed


Re: [Clamav-users] Ethics Question

2004-06-10 Thread Bit Fuzzy
Damian Menscher wrote:
> On Wed, 9 Jun 2004, Tris Forster wrote:
>
>> With a ridiculous number of Somefools arriving at our server daily I was
>> trying to think of a proactive way to deal with them.
>> One possible solution I came up with was sending winpopups to the
>> offending IP informing them that they are infected (there's a pretty
>> good chance they'll get through as the infected machine is most likely
>> not firewalled).
>> While the aim of doing this may be completely honourable,  sending
>> winpopups to a non-firewalled  machine stinks of spamming and thus I am
>> in two minds about putting it into practice
>
> We recently had our mailserver being repeatedly hit with virus traffic,
> which logs showed was coming mostly from a single IP.  I contacted their
> ISP, and they really didn't care.  So I sent a few popups to them,
> spaced several hours apart (so as not to be a nuisance) and the machine
> stopped its virus traffic in about 2 days.
> Automating this would be nice, but I didn't ever bother.  Hard to
> imagine it breaking anything, though.  And as long as it's sent in
> response to an attack (they punched you first!) and doesn't advertise
> anything, I don't think anyone could complain.
> Damian Menscher


There's really no good way to handle this
We've been sending emails for 2 solid months to Road Runner giving 
everything but the kitchen sink, and they are yet to do anything. (you'd 
think they'd at least contact their user(s) and inform them that their 
systems are infected)  While we have thought about creating a pop up on 
the offending machine, we opted not to due to potential legal issues (It's 
considered a hack and thus could be illegal)

At this point we are looking at 2 options.
1) Block offending IP's as they occur. -- Effective, but could be 
aggravating to potential customers
2) Warn the ISP in question, that if something isn't done soon, you're 
going to post their non-action along with email transcripts to the news 
media, whom have taken the position in the past that ISP's should be 
taking measures to keep the Internet (users) safe. -- Could be effective 
as well as ineffective.

:(   There's no easy way around this issue, so I guess what I'm trying 
to say, if a solution works for you go for it



Re: [Clamav-users] Problems with False Positives for Oversized Zip.

2004-05-11 Thread Bit Fuzzy

- Original Message -
From: "Dave Stocker" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, May 11, 2004 12:30 PM
Subject: [Clamav-users] Problems with False Positives for Oversized Zip.


> Hi All,
>
> We have seen instances where we are sending out zip files which are
> picked up as virus-Oversized Zip.
> Can we disable this particular option without disabling scanning of
> Archives?
> Typical size ~ 15Mb before compression 600Kb after compression.
>
>   Regards,
>
> Dave
>

Is it possible that the contents are infected?

Just tested 2 zip'd files reg size 170MB compressed 43MB which went through
fine.





Re: [Clamav-users] Re: Virus Alias Database

2004-05-11 Thread Bit Fuzzy

- Original Message - 
From: "Kevin Spicer" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, May 11, 2004 3:01 AM
Subject: RE: [Clamav-users] Re: Virus Alias Database


> On Tue, 2004-05-11 at 00:58, Mitch (WebCob) wrote:
> > I'm sure there are many (including myself) that could be convinced to host
> > mirrors once the concept stabilizes...
> >
> > Or alternatively, you could allow download of the db and functions so people
> > wouldn't have to keep hitting your server...
>
> That's the better idea, although ideologically I'm all for open source I
> have no intention of releasing the code that build the database.  That
> is for purely practical reasons, most of it works by crawling the
> anti-virus vendors sites - as such if lots of people started to run it
> there would be significant load on their sites, which not only
> inconsiderate of us but also could lead to them blacklisting our IP's
> and/or changing their page format to make it much harder to parse.

That is a very valid point. However, I don't know if it'll be a problem as
for the most part it does appear
to fall within fair use, providing you keep a link with their
description/alias to obtain additional information.

They'd more than likely view it as a potential opportunity to get new
customers. (free advertising)

I stumbled across a site that had alias definitions cross referenced (clam,
trend, McAfee, etc) but
I can't remember what it was for the life of me.





Re: [Clamav-users] Re: WORM_SWEN.A undetected

2004-04-21 Thread Bit Fuzzy

- Original Message -
From: "Virgo Pärna" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, April 21, 2004 11:00 AM
Subject: [Clamav-users] Re: WORM_SWEN.A undetected


> On Wed, 21 Apr 2004 09:54:35 -0400, Bit Fuzzy <[EMAIL PROTECTED]> wrote:
> > Hmmm, I wonder why mine didn't
> >
>
>  I guess, it's up to standard questions - what version, what does
> the "sigtool --list-sigs | grep -i gibe" show, checking for incorrect
> database path and so on... Having file as example would help:)
>

> what version

clamav-0.67-1

> what does sigtool --list-sigs | grep -i gibe show
Worm.Gibe.1
Worm.Gibe.B
Worm.Gibe.F
Worm.Gibe.F.UPX.2
Worm.Gibe.F.UPX.3
Worm.Gibe.F.UPX
Worm.Gibe.F.dam
Worm.Gibe.F
Gibe.B-upx






Re: [Clamav-users] Re: WORM_SWEN.A undetected

2004-04-21 Thread Bit Fuzzy
Hmmm, I wonder why mine didn't

My server passed it (clamav) but PC running Pc-Cillin caught it

- Original Message -
From: "Virgo Pärna" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, April 21, 2004 3:41 AM
Subject: [Clamav-users] Re: WORM_SWEN.A undetected


> On Tue, 20 Apr 2004 12:00:54 -0400, Bit Fuzzy <[EMAIL PROTECTED]> wrote:
> > It appears ClamAV doesn't detect WORM_SWEN.A
> >
>
>   Yes it does. ClamAV actually detects 9 variants of Gibe virus.
> And for me Somefool is usually blocked by extension, so for my clamav
> Gibe is actually most popular virus.
>
> --
> Virgo Pärna
> [EMAIL PROTECTED]





[Clamav-users] WORM_SWEN.A undetected

2004-04-20 Thread Bit Fuzzy
It appears ClamAV doesn't detect WORM_SWEN.A

I'll try to track down a signature for it, but since my PC Scanner removed
it, it may be a while





Re: [Clamav-users] Virus Names

2004-04-06 Thread Bit Fuzzy
While I can and do understand what Eric was saying, I have to agree with
Erick.

http://www.bitdefender.com/index.php - Bitdefender
http://www.grisoft.com/us/us_index.php - AVG
http://www.pandasoftware.com/home/ - Panda
http://www.symantec.com/ - Norton
http://us.mcafee.com/default.asp - Mcafee
http://www.trendmicro.com - Trendmicro
http://viruslist.com/eng/ -- Virus List

While different, all have 1 thing in common with each other.
CVID's (Common Virus Identifiers), granted some list "netsky" as
worm-i/netsky, or w32/netsky,
but in the end you (the user/administrator) know what was stopped, and thus
have the ability to see
what's being identified and or do research on what the virus/worm did (the
function)

Not complaining.. just expressing my 2 cents ;)

- Original Message - 
From: "Eric Rostetter" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, April 06, 2004 10:58 AM
Subject: Re: [Clamav-users] Virus Names


> Quoting Erick Perez - Vision Media <[EMAIL PROTECTED]>:
>
> > Question:
> > If Worm.SomeFool is Netsky, then why is not labeled as netsky?
>
> Answer:
> If netsky is Worm.SomeFool, then why is it not labeled as Worm.SomeFool?
>
> > Basically that's because the users keep complaining about the virus names
> > that cannot be found anywhere else (like the virus database from TrendMicro).
>
> If they want to use the name TrendMicro uses, then they should use the
> TrendMicro software.
>
> > Thanks,
> > Erick
>
> --
> Eric Rostetter





Re: [Clamav-users] Postmaster bounces and such.

2004-03-21 Thread Bit Fuzzy
This is true

- Original Message - 
From: "jef moskot" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, March 21, 2004 2:21 PM
Subject: Re: [Clamav-users] Postmaster bounces and such.


> On Sun, 21 Mar 2004, Bit Fuzzy wrote:
> > I notify the 'recipient' in the event the email in question was expected
> > (part of a project, family / business correspondence etc).
>
> Again, you can safely dump the message if it's an automatically generated
> worm.  I can see some kind of notification for a Word file with macro
> virus, but if you've got your nine millionth Bagle variant, there's no
> reason to notify an uninvolved third party.
>
> That would be bad.
>
> Jeffrey Moskot
> System Administrator
> [EMAIL PROTECTED]





Re: [Clamav-users] Postmaster bounces and such.

2004-03-21 Thread Bit Fuzzy
Dropping isn't good or bad, however if you're not careful it could come
around and bite you on the back side.

I notify the 'recipient' in the event the email in question was expected
(part of a project, family / business correspondence etc).

Otherwise they could be wondering where their email is, and possibly look at
it as a problem with their hosted service,
which could affect your bottom line.

I know if I was hosted, and the host was making decisions for me regarding
how certain mail was handled
I'd be looking for a new host.

Just my 2 cents

KenC


- Original Message - 
From: "Jim Maul" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, March 21, 2004 11:00 AM
Subject: Re: [Clamav-users] Postmaster bounces and such.


> > When I say bounce I mean reject. We try not to accept them. But
> > sometimes we end up accepting them and they will "bounce" back. If we
> > warn sender we will often be sending messages to people who have been
> > spoofed (it will always go to the sender's email address). If we warn
> > recipient then they will flood us asking for information about email
> > that has been sent to them.
> >
> > Rejection is fairly popular, but it is a game of hot potato. Someone's
> > smtp server has the message and will need to deal with it. It is bad
> > practice to drop messages in the round file and not tell anyone about
> > it.
> >
>
> If the message is created by a virus and spreading a virus, who would you
> like to tell about it?  I don't see why simply dropping it is bad in any
> way.
>
>


[Clamav-users] Updating ClamAv

2004-03-17 Thread Bit Fuzzy
First I'd like to say "GREAT PROGRAM!!!"

I notice in my logs that main.cvd isn't (or hasn't been) updating. Is this
normal?

Also, I'm currently using ClamAV 0.67. Should I upgrade to 0.70 etc. as they
become available, or will the updated functionality be included in my update
process?

Thanks in advance

KenC





Re: [Clamav-users] Great surprise!!! CLAMAV is showing virus into Notepad.exe on Windows 98 CD provided by Microsoft.

2004-03-15 Thread Bit Fuzzy
Which versions are you seeing this under?

I've tested notepad.exe from 98, ME, and XP Pro and show no virus result for
it.

It is possible that the files are indeed infected.

My suggestion, before writing it off as an error on ClamAV's part, is to take
the win machine in question and perform a webscan via Trend Micro, Norton, or
McAfee.

KenC

- Original Message - 
From: "chirag gandhi" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, March 15, 2004 11:01 AM
Subject: [Clamav-users] Great surprise!!! CLAMAV is showing virus into
Notepad.exe on Windows 98 CD provided by Microsoft.


> I have successfully installed CLAMAV on my Linux
> machine and updated its virus database. To
> check its efficiency I mounted my Windows drive
> and scanned it using clamscan.
> Surprisingly, I got a virus warning for notepad.exe;
> it was shown as infected by W32.Ladmar.A. However, I
> already have Norton Corporate Edition with the latest
> updates installed on my Windows. So, I went to
> Windows and checked notepad.exe for viruses using
> Norton. Norton did not show any virus, but CLAMAV is
> showing one in Linux. I also checked for viruses in
> notepad.exe extracted from the Windows .cab file from
> the CD provided by Microsoft. Still CLAMAV is
> showing a virus warning.
>
> On the URL
>
> http://clamav.ozforces.com/database/viruses.db2
>
> virus signature for W32.Ladmar.A is present into
> notepad.exe. So, is the virus present in
> notepad.exe, or does CLAMAV's virus database contain a wrong
> signature?
>
> Thanks,
> Chirag Gandhi


Re: [Clamav-users] Trashscan Question

2004-03-07 Thread Bit Fuzzy
Never mind,

I got it

- Original Message -
From: Bit Fuzzy
To: [EMAIL PROTECTED]
Sent: Sunday, March 07, 2004 10:56 PM
Subject: [Clamav-users] Trashscan Question

> I have a question regarding Trashscan, and I'm hoping
> someone has tried this.
>
> Is it possible for trashscan to provide the name of the
> virus found in the notification email?
>
> I've tried contacting [EMAIL PROTECTED] regarding this issue,
> but the address is invalid.


[Clamav-users] Trashscan Question

2004-03-07 Thread Bit Fuzzy
I have a question regarding Trashscan, and I'm hoping
someone has tried this.

Is it possible for trashscan to provide the name of the
virus found in the notification email?

I've tried contacting [EMAIL PROTECTED] regarding this issue, but
the address is invalid.