RE: [Clamav-users] Sasser Worm Virus not shown with sigtool

2004-05-05 Thread Colin A. Bartlett
Lynn Duerksen Sent: Wednesday, May 05, 2004 11:26 AM

 Freshclam reports:

 RELAY:root[sbin]  freshclam
 ClamAV update process started at Wed May  5 10:07:25 2004
 Reading CVD header (main.cvd): OK
 main.cvd is up to date (version: 22, sigs: 20229, f-level: 1, builder:
 tkojm)
 Reading CVD header (daily.cvd): OK
 daily.cvd is up to date (version: 303, sigs: 1196, f-level: 2, builder:
 trog)
 However when I run:

 sigtool -l | grep -i sasser

 I get nothing.  Shouldn't Worm.Sasser.A, Worm.Sasser.D and Worm.Sasser.B all
 show up using this?

You probably have 2 versions of the database. Happened to me and many
others. Simple to rectify: search for main.cvd on your box. Then find which
one is being updated by freshclam. Delete the others and set up symbolic
links to the one that's updated by freshclam. I'm sure there are better ways
to do this, like recompiling with the proper path, but I couldn't be bothered.
Works like a charm for me now.

cheers,
Colin

Colin A. Bartlett
Kinetic Web Solutions
www.kineticweb.biz



___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users


RE: [Clamav-users] Mail taking a *long* time to hit the list

2004-05-04 Thread Colin A. Bartlett
Michael St. Laurent Sent: Monday, May 03, 2004 2:11 PM

 Wow.  I posted a message to the list at 9:23 AM (PDT) and as of 11:06 AM
 (PDT) it *still* hasn't posted.  I wonder if this one will do any better?

The list has been slow for me too. Welcome to SourceForge. Used to happen
all the time on the SpamAssassin list until it moved to Apache. SF is free
though so I hesitate to complain. :) But because of it, I always try to CC
the person I'm replying to directly.

cheers,
Colin

Colin A. Bartlett
Kinetic Web Solutions
www.kineticweb.biz






RE: [Clamav-users] Disabling a Signature

2004-04-29 Thread Colin A. Bartlett
Dexter Ang Sent: Thursday, April 29, 2004 2:02 PM

 ClamAV FAQ #17:

 I found a false positive in ClamAV virus database. What shall I do?

 Fill the form at
 http://clamav.sourceforge.net/cgi-bin/sendvirus.cgi Be sure to
 select The file attached is... a false positive.

 - anyway, maybe ask the user to zip the html attachment first until
 the false positive is cleared up in the updates.

Thanks. I was going to do just that. However the document has what appears
to be some sensitive financial data in it and I hesitated before
disseminating it. Can someone confirm that I needn't worry about sending it?
The user can't zip the document up because MailScanner checks files within
the zip as any good email scanner should.

cheers,
Colin

Colin A. Bartlett
Kinetic Web Solutions
www.kineticweb.biz





RE: [Clamav-users] Re: OT: Just some interesting stats

2004-04-29 Thread Colin A. Bartlett
Jim Maul Sent: Thursday, April 29, 2004 4:10 PM

 I think the wording is a little confusing... I could be wrong but I assume
 he means current when he said last.  In the same way that the last 24 hours
 means the current 24 hours, I think last week means current week.

I'm sure Rick didn't want English language criticism when he asked for
suggestions but just to weigh in, maybe past 24 hours, past week, and
past month would be best. :)

cheers,
Colin

Colin A. Bartlett
Kinetic Web Solutions
www.kineticweb.biz





RE: [Clamav-users] Netsky P not being blocked, using 0.70-rc

2004-04-10 Thread Colin A. Bartlett
Jeff Ramsey Sent: Friday, April 09, 2004 4:23 PM

 I have done some further testing, and I am blocking Somefool and
 Somefool.B, but I am not blocking variant P.

FWIW, this same thing happened to me when I upgraded from Clam .60 to the
latest version. Apparently I installed it in a different place so there were
two versions of my daily updates and it wasn't using the new one. Are you
sure your virus signatures are being updated and include the SomeFool.P
variant? Run sigtool --list | grep SomeFool to see if it's listed.

cheers,
Colin

Colin A. Bartlett
Kinetic Web Solutions
www.kineticweb.biz





RE: [Clamav-users] Virus Names

2004-04-07 Thread Colin A. Bartlett
Stuart Mycock Sent: Wednesday, April 07, 2004 4:24 AM

 I'd prefer to adopt the approach of letting the Clam team get a def out 
 with any name they want and have a non-developer publish basic virus 
 info on an area of the Clam site, and on that page you'd just have the 
 blurb on SomeFool.Q for example, along with a short description (only 
 brief, tho, there's plenty of viral analysis on other sites) of the 
 virus with an Also known as: NetSky.Q, SmellyVirus.1, Whatever.Q, etc.

How about a Wiki?

cheers,
Colin

Colin A. Bartlett
Kinetic Web Solutions
www.kineticweb.biz 





RE: [Clamav-users] Virus DB Update

2004-03-30 Thread Colin A. Bartlett
Vernon A. Fort Sent: Tuesday, March 30, 2004 11:11 AM

 I noticed that virusdb was updated, according to the clamav-virusdb 
 list, to daily version 226 but my freshclam is still reporting that 225 
 is the latest.  Am I missing something?

FYI, my freshclam returns version 227.

cheers,
Colin

Colin A. Bartlett
Kinetic Web Solutions
www.kineticweb.biz 




RE: [Clamav-users] clam not fresh

2004-03-25 Thread Colin A. Bartlett
 Another poster pointed to testvirus.org for testing.  I think you'll
 find some methods of delivery more effective than others and that
 clamav will miss some of these.

They're not being detected by clam even when running them right through
clamscan on the command prompt. I think it's because SomeFool.P isn't in my
sig list even though freshclam says I'm up to date.

 And don't eat bad clams.

I had a bad oyster the other day but never a bad clam.

cheers,
Colin

Colin A. Bartlett
Kinetic Web Solutions
www.kineticweb.biz





RE: [Clamav-users] clam not fresh

2004-03-25 Thread Colin A. Bartlett
Jim Maul Sent: Thursday, March 25, 2004 4:28 PM

 If freshclam insists on saying they
 are up to date, i would try deleting them totally and running freshclam
 again.  Maybe that will clear up the problem.

Per Tomasz, I first checked the number of signatures reported by freshclam
and it was reporting the correct number. So, per Jim, I deleted both main.cvd
and daily.cvd from /var/lib/clamav and ran freshclam again. It downloaded
them again as expected. But grepping for SomeFool in the sig list still
didn't give me SomeFool.P. So I searched my system for the CVD files and
found a SECOND COPY of them in /usr/local/share/clamav. I checked my
/etc/clamav.conf file and it says, as I think it should:

DatabaseDirectory /var/lib/clamav

So for kicks, I copied the CVD files from /var/lib/clamav over top of the
ones in /usr/local/share/clamav. That worked! And now when I grep the sig
list for SomeFool I _DO_ get .P. So the question is this: if my clamav.conf
says to use /var/lib/clamav, and freshclam is downloading the files to
there, then why does clamscan use the files in /usr/local/share/clamav?

Thanks for your help and patience thus far!

cheers,
Colin

Colin A. Bartlett
Kinetic Web Solutions
www.kineticweb.biz
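Both the symlink fix in the Sasser reply above and the second-copy discovery in this post come down to the same check: find every CVD file on the box and compare its header with the copy freshclam actually updates. The script below is an added example, not code from the thread or from the ClamAV project; it assumes the documented CVD header layout (a 512-byte ASCII header of colon-separated fields beginning with ClamAV-VDB) and builds a constructed temp tree with the two directories named in the thread, a clamav.conf pointing at one of them, and placeholder md5/dsig fields.

```python
import os
import tempfile

HEADER_LEN = 512  # every .cvd file begins with a 512-byte, colon-separated ASCII header

def parse_cvd_header(path):
    """Parse ClamAV-VDB:<date>:<version>:<sigs>:<f-level>:<md5>:<dsig>:<builder>:<stime>."""
    with open(path, "rb") as fh:
        f = fh.read(HEADER_LEN).decode("ascii", "replace").rstrip(" \x00\r\n").split(":")
    if f[0] != "ClamAV-VDB" or len(f) < 8:
        raise ValueError("%s: not a CVD header" % path)
    return {"path": path, "version": int(f[2]), "sigs": int(f[3]), "builder": f[7]}

def configured_db_dir(conf_path):
    """Return the DatabaseDirectory value from clamav.conf, or None if it is not set."""
    with open(conf_path) as fh:
        hits = [p[1] for p in (l.split() for l in fh) if len(p) == 2 and p[0] == "DatabaseDirectory"]
    return hits[0] if hits else None

def audit_cvd_copies(roots, conf_path, name="daily.cvd"):
    """Find every copy of `name` under `roots`; flag copies older than the configured one
    (or older than the newest copy found, if the configured directory holds none)."""
    copies = [parse_cvd_header(os.path.join(d, name))
              for root in roots for d, _, files in os.walk(root) if name in files]
    db_dir = configured_db_dir(conf_path)
    ref = [c for c in copies if db_dir and c["path"] == os.path.join(db_dir, name)]
    ref_version = ref[0]["version"] if ref else max((c["version"] for c in copies), default=0)
    stale = sorted(c["path"] for c in copies if c["version"] < ref_version)
    return {"configured": db_dir, "copies": copies, "stale": stale}

def make_demo_tree(base=None):
    """Constructed sample mirroring the thread: freshclam updates one directory, a stale copy sits in another."""
    base = base or tempfile.mkdtemp()
    def write_cvd(directory, version, sigs):
        os.makedirs(directory, exist_ok=True)
        hdr = "ClamAV-VDB:05 May 2004 09-30 +0000:%d:%d:2:%s:%s:trog:1083749400" % (
            version, sigs, "0" * 32, "dsig-placeholder")  # md5 and dsig fields are placeholders
        with open(os.path.join(directory, "daily.cvd"), "wb") as fh:
            fh.write(hdr.ljust(HEADER_LEN).encode("ascii"))
    updated = os.path.join(base, "var/lib/clamav")        # DatabaseDirectory; written by freshclam
    stray = os.path.join(base, "usr/local/share/clamav")  # second copy that clamscan was really using
    write_cvd(updated, 303, 1196)
    write_cvd(stray, 290, 1100)
    conf = os.path.join(base, "clamav.conf")
    with open(conf, "w") as fh:
        fh.write("DatabaseDirectory %s\n" % updated)
    return base, conf

if __name__ == "__main__":
    base, conf = make_demo_tree()
    print(audit_cvd_copies([base], conf)["stale"])
```

On a real host, run it with roots such as ["/var/lib", "/usr/local/share", "/usr/share"] and the live clamav.conf; every path it lists under "stale" is a candidate for deletion or for a symlink to the configured directory.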





RE: [Clamav-users] Iframe messages

2004-03-24 Thread Colin A. Bartlett
Stuart Mycock Sent: Wednesday, March 24, 2004 5:03 AM

 What’s the consensus about messages with embedded iframe links?

 They look like a great potential for viral activity because they
 can be used to auto-download viruses, etc.. The reason I ask is my
 secondary AV caught a couple of messages that got past clam that
 weren’t carrying a virus as such but contained iframe code.

I use MailScanner with ClamAV and by default it catches Iframes. I've left
it on but the only emails that it has appeared to catch seem to be
quasi-legitimate marketing emails. Can't be too important though since no
clients have complained. I would think that scanning for iframes would be
better left to something like MailScanner or Amavis rather than Clam.

cheers,
Colin

Colin A. Bartlett
Kinetic Web Solutions
www.kineticweb.biz





[Clamav-users] freshclam debugging help

2004-03-24 Thread Colin A. Bartlett
Greetings,
I've been using ClamAV for months without any problems. I use it in
conjunction with MailScanner to scan our client's email. However today I
noticed a plethora of messages being marked as clean but that really did
have viruses attached. I posted them to the web-based checker and sure
enough the virus database should be catching them. I'm thinking maybe my
FreshClam isn't updating. So...

Can someone tell me how to find out what database version I am using? I
searched the docs and manpages but couldn't find anything.

And also can someone help me debug the following output from freshclam?

cheers,
Colin

Colin A. Bartlett
Kinetic Web Solutions
www.kineticweb.biz


Current working dir is /usr/local/share/clamav
Checking for a new database - started at Wed Mar 24 13:01:07 2004
Connected to clamav.elektrapro.com.
Reading md5 sum (viruses.md5): OK
viruses.db is up to date.
Reading md5 sum (viruses2.md5): OK
ERROR: Can't open new file ./1c136a7d92ca0d50 to write
open: Permission denied
ERROR: Can't download viruses.db2 from clamav.elektrapro.com
Checking for a new database - started at Wed Mar 24 13:01:08 2004
Connected to clamav.ozforces.com.
Reading md5 sum (viruses.md5): OK
viruses.db is up to date.
Reading md5 sum (viruses2.md5): OK
ERROR: Can't open new file ./2d7ea71a36b0476c to write
open: Permission denied
ERROR: Can't download viruses.db2 from clamav.ozforces.com
Checking for a new database - started at Wed Mar 24 13:01:09 2004
Connected to clamav.essentkabel.com.
Reading md5 sum (viruses.md5): OK
viruses.db is up to date.
Reading md5 sum (viruses2.md5): OK
ERROR: Can't open new file ./90b93c4b1dbdb47b to write
open: Permission denied
ERROR: Can't download viruses.db2 from clamav.essentkabel.com
Checking for a new database - started at Wed Mar 24 13:01:10 2004

At this point, it just hangs.


