[Clamav-users] Testers needed

2007-11-26 Thread Gerard Seibert
Hi,

I recently did a major rewrite of my 'scamp.sh' script that is available on
Sanesecurity, http://www.sanesecurity.com/clamav/usage.htm. It came to my
attention that the script did not work correctly on some OSs other than
FreeBSD (the one I wrote it on). I have two beta testers, testing the script
on different platforms for me, and it seems to be working as intended.

In an effort to get as much diverse feedback as possible, I am asking if
anyone is interested in testing the beta script for me. You can get a copy of
it at:

ftp.seibercom.net/pub/scamp.sh

The version available on Sanesecurity is NOT the new beta version.

Alternatively, just email me and I will send you a copy. I would appreciate
any feedback that you would like to send. Please include your OS so I can be
sure what flavors the script works correctly under.

The documentation, although sparse, is located at the end of the file. There
are numerous new options now available including the download/installation of
the MSRBL-SPAM-CR.ndb database. Reloading the database and logging are now all
configurable. The script can also locate the PID of clamd automatically if the
auto reload function is activated (on by default). All of the user
configurable options are located at the beginning of the file.

The script only requires 'wget' to operate. It uses 'rsync' to download the
'MSRBL' files, although it will fall back to 'wget' if 'rsync' is not available.

Assuming I do not receive any bug reports, I intend to transfer the script to
Steve by this weekend so he can upload it to his site.

Thanks


-- 
Gerard Seibert
[EMAIL PROTECTED]

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] Phishing feature defaults, naming, and 0.92

2007-11-15 Thread Gerard Seibert
On Thursday November 15, 2007 at 06:18:40 (AM) Ian Eiloart wrote:

[ ... ]

 Oh, but wait. What's going on here? You upgrade ClamAV and your 
 configuration changes? That shouldn't happen at all. Are you using an 
 installer tool that overwrites your deployed configuration? Surely not!

Excellent point. I am using FBSD-6.2, and when clamav is updated, the
configuration file is never overwritten. However, a new 'clamd.conf.sample'
file is created for my perusal.


-- 
Gerard



Re: [Clamav-users] Phishing feature defaults, naming, and 0.92

2007-11-14 Thread Gerard Seibert
On Wednesday November 14, 2007 at 01:01:44 (PM) Török Edwin wrote:

 You can filter based on virus found name, and those containing
 'Heuristics' can go to your special folder.
 Or you can turn the feature entirely off.
 
 [1] http://lurker.clamav.net/message/20071114.165015.e815b938.en.html
 
 P.S.: the performance issues with the phishing feature will be fixed in
 0.92.
 The team apologizes for the delay of 0.92, the reasons are beyond us:
 licensing issues with unrar.


This seems like a well thought out and reasonable solution. You are never going
to please everyone no matter what your final solution is, so this would seem
like a logical compromise.


-- 
Gerard


The very powerful and the very stupid have one thing in common. Instead of
altering their views to fit the facts, they alter the facts to fit their views ...
which can be very uncomfortable if you happen to be one of the facts that
needs altering.

Doctor Who



Re: [Clamav-users] Accurate subjects (was Re: PhishingScanURLs is dreadfully slow/CPU-intensive)

2007-11-12 Thread Gerard Seibert
On Monday November 12, 2007 at 01:29:41 (PM) David F. Skoll wrote:

 A request: When replying to an e-mail, please change the subject if it
 no longer reflects the thread topic.  I've been eagerly awaiting word
 on my complaints about PhishingScanURLs from Clam developers and the
 misleading subjects are giving me false hope that this problem will
 actually be addressed...

That is not going to do a lot of good. The message will still be threaded with
all the other messages in that discussion. A new message should be constructed
to start a new discussion when the subject changes.

Out of curiosity, what is so difficult about setting 'PhishingScanURLs off' in
the 'clamd.conf' file? Since the developers made that feature configurable,
they have in fact addressed the issue.


-- 
Gerard


No matter how rich you become, how famous or powerful, when you die the size
of your funeral will still pretty much depend on the weather. 

Michael Pritchard


Re: [Clamav-users] Accurate subjects (was Re: PhishingScanURLs is dreadfully slow/CPU-intensive)

2007-11-12 Thread Gerard Seibert
On Monday November 12, 2007 at 02:48:51 (PM) David F. Skoll wrote:

[ ... ]

 It's not so difficult, but it leads to support calls (we have a large
 number of clients who are not particularly Linux-savvy and who
 hesitate to edit configuration files.)  We've configured our packages
 to turn off PhishingScanURLs by default, but a lot of people don't use
 our Clam packages.

The solution is simple. All you need do is properly post/advertise that you do
not support user installed software; i.e., software not supplied by you. Many
web providers do that presently. You might also strategically place a FAQ
dealing with ClamAV and its configuration file. Better yet, provide a
pre-configured file that your users could download and install.

 
 I prefer defaults to be sensible.  They also should be such that they
 don't kill performance.

It goes without saying that your preferences will not necessarily be in
agreement with other users. As far as system deterioration, that is totally
system dependent. What slows down your system may very well have no adverse
effect on another user's network.

My own opinion is that the developers are not going to change the default
settings since they are what the majority of users would want enabled by
default.


Just my 2¢.


-- 
Gerard


It has always been the prerogative of children and half-wits to point out that
the emperor has no clothes. However, the half-wit remains a half-wit, and the
emperor remains an emperor.

Neil Gaiman



Re: [Clamav-users] Accurate subjects (was Re: PhishingScanURLs is dreadfully slow/CPU-intensive)

2007-11-12 Thread Gerard Seibert
On Monday November 12, 2007 at 04:22:47 (PM) David F. Skoll wrote:

 Really?  All posters on this thread who gave an opinion wanted
 PhishingScanURLs off by default.  I invite users who want
 PhishingScanURLs to be on by default to come forward; I'll happily go
 with the majority decision.

Count my vote as On by default.


-- 
Gerard



Re: [Clamav-users] freshclam destroys database

2007-04-15 Thread Gerard Seibert
On Sun, 15 Apr 2007 09:20:52 +0200
Thomas [EMAIL PROTECTED] wrote:

 I'm running clamav 0.90 on linux and i've been running freshclam once
 a day. Some days ago the clamd stopped working due to a missing
 database. I found out that it was freshclam that destroyed the
 database. After running freshclam the /var/lib/clamav directory looks
 like this: *.cvd  daily.inc  main.inc  mirrors.dat
 
 What's up with the *.cvd? How is it possible that updating the virus 
 database can destroy everything?
 
 Please help?
 
 B. regards,
 Thomas

That problem has been reported already. I experienced it myself. To
correct it, I shut down clamav and freshclam, deleted the entire
contents of the directory and then restarted clamav and freshclam. That
took care of everything. I am not sure if an official fix has been
released however.

HTH


-- 
Gerard

When among apes, one must play the ape.




Re: [Clamav-users] Clamav-0.90.2 compile Error on FreeBSD 4.8

2007-04-13 Thread Gerard Seibert
On Fri, 13 Apr 2007 21:32:13 +0400
Anton Yuzhaninov [EMAIL PROTECTED] wrote:

 Hello, Matthias.
 
 You wrote on Friday, April 13, 2007, 8:44:34 PM:
 
  i get a compile error on FreeBSD 4.8  
 
   i have 3 production Server running under FreeBSD 4.8  
 
 Try to build it from ports.

I thought that they had stopped supporting 4.x systems? In any case
would it be feasible to update to the 6.2 version?

-- 
Gerard

The way to make a small fortune in the
commodities market is to start with a large fortune.




Re: [Clamav-users] Clamav-0.90.2 compile Error on FreeBSD 4.8

2007-04-13 Thread Gerard Seibert
On Fri, 13 Apr 2007 20:20:15 +0200
Matthias Häker [EMAIL PROTECTED] wrote:

 this is not a option because the server are leased virtual racks in a 
 datacenter
 
 0.90 didn't compile  with a problem with pthread in configure but
 0.90.1 did without any error and is running fine beside dying from
 time to time after a freshclam error which was widely discussed in a
 other thread.

Has anyone considered putting some pressure on whomever you are
leasing from to upgrade? He is leasing obsolete software to you.
Threatening to move to a more modern facility might just light a fire
under his butt. If not, then you still have that same option.

-- 
Gerard

What is irritating about love is that it is a crime that requires
an accomplice.

Charles Baudelaire




Re: [Clamav-users] *.cvd again!

2007-04-12 Thread Gerard Seibert
On Thursday April 12, 2007 at 12:21:32 (PM) James Bourne wrote:

 This brings a question to my mind.
 
 Is there any need for the old .cvd files now that clamd uses the incremental
 files?

I took this approach to the problem (freebsd)

I shut down clamav and freshclam.

Deleted all of the files in /var/db/clamav

Restarted clamav & freshclam

All of the definition files were recreated and I have not had any
problems.

-- 
Gerard


Re: [Clamav-users] freshclam problem

2007-04-09 Thread Gerard Seibert
On Monday April 09, 2007 at 02:43:23 (AM) Julia Ovchinnikova wrote:

 Gerard Seibert wrote:
  On Friday April 06, 2007 at 08:16:27 (AM) Julia Ovchinnikova wrote:
 
  You stated that you are using FreeBSD-6.0 on your PC. I am using version
  6.2 with clamav-devel without any problems. You might have had a bad
  installation. Try updating your ports system, then running:
 
  portmanager security/clamav-devel -p -l
 
 I have latest ports collection for FreeBSD 6.0, but neither ports nor 
 source is OK.
 I saw configure.log  (clamav-devel):
 WARNING:*** GNU MP 2 or newer NOT FOUND - dugital signature support will 
 be disabled!
 
 libgmp4 is installed in my system.
  What can I do  any more?

You failed to state if you tried rebuilding clamav as I described. In
any case, this is probably the wrong list to post this on. Try posting a
new question regarding the missing library on the FreeBSD list. You can
locate a list suitable for your needs here:

http://www.freebsd.org/community/mailinglists.html

Good luck!

-- 
Gerard


Re: [Clamav-users] freshclam problem

2007-04-09 Thread Gerard Seibert
On Monday April 09, 2007 at 02:43:23 (AM) Julia Ovchinnikova wrote:

 Gerard Seibert wrote:
  On Friday April 06, 2007 at 08:16:27 (AM) Julia Ovchinnikova wrote:
 

 
  You stated that you are using FreeBSD-6.0 on your PC. I am using version
  6.2 with clamav-devel without any problems. You might have had a bad
  installation. Try updating your ports system, then running:
 
  portmanager security/clamav-devel -p -l
 

 I have latest ports collection for FreeBSD 6.0, but neither ports nor 
 source is OK.
 I saw configure.log  (clamav-devel):
 WARNING:*** GNU MP 2 or newer NOT FOUND - dugital signature support will 
 be disabled!
 
 libgmp4 is installed in my system.
  What can I do  any more?

You might try this:

pkg_info  libgmp4

See if that shows anything. You could also try to re-install the port. 

cd /usr/ports/math/libgmp4
make install && make clean

Personally, I would use portmanager to install the port and its
dependencies, but that is your call.

-- 
Gerard


[Clamav-users] Re: freshclam problem

2007-04-06 Thread Gerard Seibert
On Friday April 06, 2007 at 04:52:57 (AM) Julia Ovchinnikova wrote:

 I have FreeBSD 6.0+ClamAV 0.90.1+ clamav-devel-latest, but clamav is not 
 checked test virus signature.
 freshclam.log is attached

Attaching files is not an option with this list. You will either have to
post the file someplace where others can view it, or paste an excerpt of
it here.

Ciao

-- 
Gerard

A psychiatrist is a man who goes to a strip club and watches the audience.

Merv Stockwood



[Clamav-users] Re: freshclam problem

2007-04-06 Thread Gerard Seibert
On Friday April 06, 2007 at 08:16:27 (AM) Julia Ovchinnikova wrote:

 I have FreeBSD 6.0+ClamAV 0.90.1+ clamav-devel-latest, but clamav is not 
 checked test virus signature.
 freshclam.log :
 
 Current working dir is /var/db/clamav
 freshclam daemon 0.90.1 (OS: freebsd6.0, ARCH: i386, CPU: i386)
 Max retries == 3
 ClamAV update process started at Fri Apr  6 12:01:32 2007
 SECURITY WARNING: NO SUPPORT FOR DIGITAL SIGNATURES
 See the FAQ at http://www.clamav.net/support/faq for an explanation.
 Querying current.cvd.clamav.net
 TTL: 231
 Software version from DNS: 0.90.1
 main.cvd version from DNS: 42
 main.cvd is up to date (version: 42, sigs: 83951, f-level: 10, builder: 
 tkojm)
 daily.cvd version from DNS: 3027
 daily.inc is up to date (version: 3027, sigs: 22342, f-level: 14, 
 builder: diego)

Did you bother to read this? If so, does it pertain to you?

What does SECURITY WARNING: NO SUPPORT FOR DIGITAL SIGNATURES mean? 
The ClamAV package requires the GMP library to verify the digital
signature of the virus database. When building ClamAV you need the GMP
library and its headers: if you are using Debian just run apt-get
install libgmp3-dev, if you are using an RPM based distribution install
the gmp-devel package. You’ll need to rerun ./configure and recompile
ClamAV. 

You stated that you are using FreeBSD-6.0 on your PC. I am using version
6.2 with clamav-devel without any problems. You might have had a bad
installation. Try updating your ports system, then running:

portmanager security/clamav-devel -p -l

This assumes that you have portmanager installed. If not, you would want
to install it first. See if that corrects your problem.

-- 
Gerard

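The freshclam.log quoted in the message above records an update run made without database signature verification. The following is an added example, not part of the original thread: a shell function that splits such a log into update runs and flags each run that logged the warning. The sample log is constructed from the lines quoted above plus one constructed later run without the warning.

```sh
#!/bin/sh
# Added example: flag freshclam update runs that logged
# "NO SUPPORT FOR DIGITAL SIGNATURES" (freshclam built without GMP).

# audit_freshclam_log FILE
# Prints one line per update run:  <start time>|<UNVERIFIED|ok>|daily=<version>
# "ok" only means the warning was not logged during that run.
# Returns 1 if any run was UNVERIFIED, 0 otherwise.
audit_freshclam_log() {
    awk '
        function emit() {
            if (start == "") return
            printf "%s|%s|daily=%s\n", start, (unsigned ? "UNVERIFIED" : "ok"), (daily == "" ? "?" : daily)
            if (unsigned) bad = 1
        }
        # Each update run begins with this line.
        /ClamAV update process started at / {
            emit()
            start = $0
            sub(/^.*started at /, "", start)
            unsigned = 0
            daily = ""
            next
        }
        /NO SUPPORT FOR DIGITAL SIGNATURES/ { unsigned = 1 }
        # Local daily database version, e.g. "daily.inc is up to date (version: 3027, ..."
        /^daily\.[a-z]+ .*\(version: [0-9]/ {
            daily = $0
            sub(/^.*\(version: /, "", daily)
            sub(/[^0-9].*$/, "", daily)
        }
        END { emit(); exit bad + 0 }
    ' "$1"
}

# Constructed sample log: first run taken from the message above (wrapped
# lines rejoined), second run constructed to show a run without the warning.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
Current working dir is /var/db/clamav
freshclam daemon 0.90.1 (OS: freebsd6.0, ARCH: i386, CPU: i386)
Max retries == 3
ClamAV update process started at Fri Apr  6 12:01:32 2007
SECURITY WARNING: NO SUPPORT FOR DIGITAL SIGNATURES
See the FAQ at http://www.clamav.net/support/faq for an explanation.
main.cvd is up to date (version: 42, sigs: 83951, f-level: 10, builder: tkojm)
daily.inc is up to date (version: 3027, sigs: 22342, f-level: 14, builder: diego)
ClamAV update process started at Sat Apr  7 12:01:32 2007
main.cvd is up to date (version: 42, sigs: 83951, f-level: 10, builder: tkojm)
daily.inc is up to date (version: 3028, sigs: 22390, f-level: 14, builder: diego)
EOF

audit_freshclam_log "$sample" || echo "at least one update run had no signature support" >&2
```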


Re: [Clamav-users] 0.90.1 issues on solaris 5.9

2007-04-04 Thread Gerard Seibert
On Wed, 4 Apr 2007 08:54:34 +0300
Henrik Krohns [EMAIL PROTECTED] wrote:

 On Tue, Apr 03, 2007 at 02:18:00PM -0700, Gary Casterline wrote:
  On Tue, Apr 03, 2007 at 07:36:11PM +0300, Henrik Krohns wrote:  
   On Tue, Apr 03, 2007 at 12:29:07PM -0400, Gerard Seibert wrote:  
On Tue, 3 Apr 2007 11:29:06 -0400
Rick Pim [EMAIL PROTECTED] wrote:
  
 system: 4 CPU Sun E450, solaris 5.9, gcc 3.4.3
 
 before i start: i don't have a copy of gdb on this system, so
 i'm unable to provide a debug log.  

By the way, your version of 'gcc' is rather ancient. You might
want to check out this URL as well:

http://gcc.gnu.org/gcc-4.1/  
   
   Or rather, I would get Sun Studio 11. ;)
 
  
  I've never been able to use a clamd compiled with Sun Studio 11.
  The daemon dies for some reason.  When I compile with gcc 3.4.5 on
  solaris 10 clamd runs and runs (without the --experimental
  configure option.) ClamAV devel-20070322/2967/Fri Mar 30 09:02:40
  2007
  
  Are there any compiler flags that might help Sun Studio 11?  
 
 I just use ./configure CC=cc CFLAGS=-xO3 -xarch=v8plusb. Obviously
 you might need to change/remove the arch-flag.

I use the following:

CFLAGS= -pipe -Os

Works fine here. Of course, this is on a FreeBSD-6.2 system. YMMV. I
have heard of 'O3' causing problems with some applications. It wouldn't
hurt to try with different compiler settings.

Good Luck!


-- 
Gerard

It is so soon that I am done for, I wonder what I was begun for.

Epitaph, Cheltenham Churchyard




Re: [Clamav-users] 0.90.1 issues on solaris 5.9

2007-04-03 Thread Gerard Seibert
On Tue, 3 Apr 2007 11:29:06 -0400
Rick Pim [EMAIL PROTECTED] wrote:

 system: 4 CPU Sun E450, solaris 5.9, gcc 3.4.3
 
 before i start: i don't have a copy of gdb on this system, so i'm
 unable to provide a debug log.

[snip]

Would it be possible to install one?

http://ftp.gnu.org/gnu/gdb

By the way, your version of 'gcc' is rather ancient. You might want to
check out this URL as well:

http://gcc.gnu.org/gcc-4.1/

Good Luck!

-- 
Gerard

Don't be overly suspicious where it's not warranted.




[Clamav-users] Re: clamav 90.1 isn't detecting attachments

2007-03-31 Thread Gerard Seibert
On Saturday March 31, 2007 at 12:25:49 (PM) Bit Fuzzy wrote:

 I'm hoping somebody can shed some light on what we're seeing.
 
 We've been using ClamAV since version: 85.1 and have had nothing but 
 good things to say about it.
 That is until we updated to version 90.1
 
 Since the update any and all messages containing infected attachments 
 including the provided test files pass through undetected.
 
 Running clamscan -r -l scan.txt clamav-0.90.1 manually works fine.
 The issue seems to be limited to mail scanning
 
 We scan messages through procmail and trashscan

Personally, I hate procmail. Do you have the option of using either
your MTA or some other LDA? Then I would recommend something like
'mailscanner' http://www.mailscanner.info/  with perhaps 'amavisd-new'
http://www.ijs.si/software/amavisd/ to handle virus checking.

As a side-bar, folding the LDA/POP/IMAP functions all into one
application (Dovecot http://www.dovecot.org/) reduces system load and
greatly improves performance.

Works just fine on my FreeBSD-6.2 / Postfix / Dovecot / Mailscanner
system.

-- 
Gerard


[Clamav-users] Re: problem during compilling clamav-0.90.1

2007-03-16 Thread Gerard Seibert
On Friday March 16, 2007 at 07:02:33 (AM) sergio wrote:

   I tried to install new clamav on my freebsd-4.8. ./configure with
   enable-experimental was good. but make ends with error code 1.
   Clamav-0.90.1 is not installable on freebsd-4.8,yes?
   Help please.

Versions of FreeBSD <= 5.5 are not supported by FBSD. Would it be
conceivable for you to update your system to version 6.2, the current
version, and then attempt to install clamav again? I think you are only
going to have problems running modern software on an outdated OS version.

-- 
Gerard


[Clamav-users] Re: cannot upgrade to 90.1

2007-03-15 Thread Gerard Seibert
On Thursday March 15, 2007 at 02:25:59 (PM) jean-paul natola wrote:

 I updated my ports and when I install clamav it only brings me to 90_3
 and upon running freshclam- it tells me to upgrade to 90.1

Did you shut down both the clamav and freshclam daemons? Try rebooting
and see if that works.

-- 
Gerard


[Clamav-users] Re: 0.90.1 from ports crashing on FreeBSD 5.4 during selfcheck

2007-03-15 Thread Gerard Seibert
On Thursday March 15, 2007 at 04:09:50 (PM) Rob MacGregor wrote:

 Further testing shows that, for FreeBSD 5.4 at least, the use of -lthr
 (1:1 Threading Library) the result is instability.  The second I added
 that to the configure argument clamd started crashing.
 
 Using the alternative -lpthread doesn't result in crashes.
 
 I'm going to raise a PR with the FreeBSD maintainer (and drop a line
 to freebsd-ports@), but others using (at least) FreeBSD 5.4 may want
 to avoid 0.90.1 from ports until this is resolved.

This problem has not manifested itself on my FreeBSD-6.2 machine. It
might very well be localized to pre-6.0 versions of FBSD. Do you have
the option of updating to the latest version of FBSD?

I assume you are going to use 'send-pr' to report this problem.

-- 
Gerard


Re: [Clamav-users] Re: 0.90.1 from ports crashing on FreeBSD 5.4 TOO LATE

2007-03-15 Thread Gerard Seibert
On Thursday March 15, 2007 at 04:50:05 (PM) jean-paul natola wrote:

 So now that I have already upgraded to 90.1 ( on freebsd 5.4) what can I do to
 get this working?
 
 my clam is crashing constantly -

OK, this is untested, but you can try it anyway.

Do you have 'compat5x-i386-5.4.0.8_7 ' installed? It is in the
'/usr/ports/misc/compat5x' directory. It might alleviate your problem.
You will need to reboot after installing it.

Are you familiar with 'portmanager' at all? If that does not work, you
could try the following.

Assuming you have the 'portupgrade' installed:

All as root.

1) cd /usr/ports/distfiles
2) rm -rdf *
3) portsclean -C -D -L -PP
4) Update your ports tree
5) Install 'portmanager' if it is not installed already
6) portmanager -u -l -p

That should rebuild any ports that are either out of date or have the
wrong dependencies. If you want to really go wild, replace the '-p' flag
with '-f' instead. That will rebuild the entire ports system. Sometimes
that corrects libraries that have become corrupt.

There will be a log file created in /var/log/portmanager.log that will
detail what was updated or corrected.

Reboot and see if that corrects the problem.

Good Luck!

-- 
Gerard


Re: [Clamav-users] again SECURITY WARNING: NO SUPPORT FOR DIGITAL SIGNATURES

2007-03-14 Thread Gerard Seibert
On Wednesday March 14, 2007 at 06:28:20 (AM) Rob MacGregor wrote:

 Well, update the ports tree, uninstall/remove the existing clamav
 install and then install clamav from the ports instead :)

You might want to make sure that you kill all of the running clamav
processes first as a precaution. Also, if you have not already, place
the following in the '/etc/rc.conf' file.

clamav_clamd_enable=YES
clamav_freshclam_enable=YES

Make any changes you require to both the /usr/local/etc/clamd.conf and
freshclam.conf files.

Reboot and you should be good to go.

Ciao!

-- 
Gerard


Re: [Clamav-users] again SECURITY WARNING: NO SUPPORT FOR DIGITAL SIGNATURES

2007-03-14 Thread Gerard Seibert
On Wednesday March 14, 2007 at 08:15:15 (AM) Sergey Shilov wrote:

 
 And now on a theme:
 The problem is visible into logs at a stage of configure.
 Clamav-0.87 finds GMP libraries (libgmp-4.1.4_2), and clamav-0.90.1 does not 
 find

OK, we have ascertained that you are using FreeBSD. Try this, assuming
you have the 'portupgrade' suite installed.

1) If you do not have the latest version of 'portmanager' installed,
install it.

2) cd /usr/ports/distfiles
3) rm -rdf *
4) portsclean -C -D -L -PP
5) Update your ports tree
6) cd /usr/ports/security/clamav-devel
7) make config
8) make config-recursive
9) script -ak ~/pm-update.log portmanager /security/clamav-devel -l -f

I am assuming that you have removed the old version of clamav that was
installed on your system prior to attempting the above. If not, do that
first. You will get a full log of what transpired. Also, check the
/var/log/portmanager.log and see what it has to say. Contact me if this
did not work.

HTH

-- 
Gerard


Re: [Clamav-users] 0.90.1 not finding viruses

2007-03-14 Thread Gerard Seibert
On Wed, 14 Mar 2007 21:12:37 -0400
John Fleming [EMAIL PROTECTED] wrote:

 I just realized to my horror that clamav has not found a virus in any
 email handled by my server since March 5th when I upgraded to clamav
 0.90.1.  The messages are being tagged appropriately, e.g.:
 
 X-Virus-Status: No
 X-Virus-Checker-Version: Luke wa9als.com running clamassassin 1.2.1
 with ClamAV 0.90.1/2839/Wed Mar 14 05:24:32 2007 signatures 42.

Are you sure about that signature number? This is from my clamd.log:

Database correctly reloaded (268167 signatures)

 - And the clamav log is free of errors and indicated that the
 database is updated appropriately and clamd is being notified of
 changes.  Since I usually see viruses daily, I can't believe that
 there have simply been no viruses since March 5th!

It does seem rather strange, doesn't it?

-- 
Gerard

Jacquin's Postulate on Democratic Government:

No man's life, liberty, or property are safe while the
legislature is in session.




Re: [Clamav-users] Upgrade to .90? - Update

2007-03-13 Thread Gerard Seibert
On Mon, 12 Mar 2007 22:00:54 GMT
Mark [EMAIL PROTECTED] wrote:

 In earnest, can't say as I'm very inspired to upgrade (from 0.88.7)
 yet. Ranging from various serious pthread problems to excessive CPU
 usage, to unlinking of pid files, to clamd dying, none of this makes
 me feel inclined much to do the upgrade; 0.90 may well be the
 buggiest public release ever.
 
 Then there's this:
 
 WARNING: Local version: 0.88.7 Recommended version: 0.90.1
 
 So, I upgraded to 0.90_2 (FreeBSD, on a Vmware test machine), and
 freshclam still says:
 
 WARNING: Current functionality level = 13, recommended = 14
 
 Probably because the clamav distro
 (http://www.freebsd.org/cgi/cvsweb.cgi/ports/security/clamav/) is 11
 days old. That's not clamav's fault, of course, but leaves FreeBSD
 users exactly nowhere at the moment.

I am running version:

ClamAV devel-20070228/2830/Tue Mar 13 01:12:22 2007

from port: /usr/ports/security/clamav-devel

I don't have any problems. This is on a FreeBSD-6.2 system.
Perhaps you might want to consider going that route and see what
happens.

-- 
Gerard

... But we've only fondled the surface of that subject.
Virginia Masters




Re: [Clamav-users] How to make ClamAV scan incoming email received by qmail on Plesk

2007-03-11 Thread Gerard Seibert
On Sat, 10 Mar 2007 20:20:37 -0800
Dennis Peterson [EMAIL PROTECTED] wrote:

[...]

 If you checked your outgoing mail I wouldn't have to check it when it 
 gets to my server. The only reason I have to check other people's
 mail at all is because they don't.

Personally, I think you are being slightly naive if you actually
believe that everyone is going to be running an AV scanner on their
outgoing traffic. Doing so, especially on an MTA that is sending out
volumes of redundant traffic is worthless. Besides, I would never assume
that the traffic I received was scanned or scanned successfully.


-- 
Gerard

Normal times may possibly be over forever.




Re: [Clamav-users] ClamAV installation is OUTDATED!

2007-03-05 Thread Gerard Seibert
On Mon, 05 Mar 2007 09:23:33 -0800
Dennis Peterson [EMAIL PROTECTED] wrote:

 I wonder if anyone ever reads the admonishments about top-posting and 
 pruning messages.

They read it, they just choose to ignore it. It is for that reason that
I will usually only reply to a top-poster once and then just ignore
them. Suspiciously enough, these are the same individuals that fail to
RTFM or STFW before asking a simple question. Yes, we have all been
guilty of doing that once in a while; however, some individuals abuse
the privilege.

Just a few useful top-posting links.

http://en.wikipedia.org/wiki/Godwin's_law
http://en.wikipedia.org/wiki/Top-post
http://groups.google.com/support/bin/answer.py?answer=12348&topic=250
http://www.catb.org/~esr/faqs/smart-questions.html
http://www.html-faq.com/etiquette/?toppost
http://www.neverending.org/~ftobin/resources/formatting_email_replies/
http://www.reedmedia.net/misc/mail/using-mailing-list.html
http://www.river.com/users/share/etiquette/
http://www.river.com/users/share/etiquette/trumpetpower-netiquette.html

-- 
Gerard

Ask not what's inside your head, but what your head's inside of.

J. J. Gibson




Re: [Clamav-users] Can't open directory /var/db/clamav/daily.inc

2007-03-01 Thread Gerard Seibert
On Thursday March 01, 2007 at 12:45:20 (PM) John W. Baxter wrote:

 The way our system operates, we learned of the problem well after the 700
 permissions were set up, when I restarted our mail processing system for
 another reason.  (We run two processing systems per machine--handling
 submitted mail and handling incoming-from-the-world mail, each under its own
 user, so 700 is difficult for us.)

You might be able to script something to check the permissions and
change them if they are not what you expected. Probably running it via
CRON would take care of the problem.

Just a thought.

-- 
Gerard
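One way to script the permission check suggested in the message above, as an added example that is not part of the original thread. The mode 750 (access shared through a common group) and the crontab path are assumptions; the database directory is the FreeBSD path mentioned in the subject line.

```sh
#!/bin/sh
# Added example: periodic permission check for the ClamAV database directory.
# Assumptions (not from the thread): mode 750 with a shared group is what both
# mail-processing users need; set WANT_MODE to match your own policy.

# enforce_db_mode DIR MODE
# Resets DIR and its *.inc subdirectories to exactly MODE when they differ.
# Prints the number of directories changed; messages go to stderr, so cron
# mails them to the job owner.
enforce_db_mode() {
    db_dir=$1
    want=$2
    changed=0
    for d in "$db_dir" "$db_dir"/*.inc; do
        # Never follow a symlink: if the database directory is writable by
        # the updater account and this job runs as root, a planted link
        # would redirect chmod to an arbitrary path.
        if [ -L "$d" ]; then
            echo "skipped symlink: $d" >&2
            continue
        fi
        # Also skips the literal pattern when no *.inc entry exists.
        [ -d "$d" ] || continue
        # "-perm MODE" without a prefix matches the exact mode only, so
        # find prints the path just when the current mode is different.
        if [ -n "$(find "$d" -prune ! -perm "$want")" ]; then
            if chmod "$want" "$d"; then
                echo "mode reset to $want: $d" >&2
                changed=$((changed + 1))
            fi
        fi
    done
    echo "$changed"
}

# Stand-alone run. A crontab entry (hypothetical path) could call this file:
#   */10 * * * * /usr/local/sbin/clamav-perms.sh
if [ -d "${CLAMAV_DB_DIR:-/var/db/clamav}" ]; then
    enforce_db_mode "${CLAMAV_DB_DIR:-/var/db/clamav}" "${WANT_MODE:-750}" >/dev/null
fi
```

Running the job as the database owner rather than root removes the symlink risk altogether, since chmod then cannot affect files that account does not own.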


Re: [Clamav-users] Is clamav 0.88.7-1 Vulnerable

2007-02-20 Thread Gerard Seibert
On Tue, 20 Feb 2007 06:51:40 -0800 (PST)
Antonio Storni [EMAIL PROTECTED] wrote:

 I am using this FreeBSD package.
 
 File: clamav-0.88.7_1.tgz 744 KB  12/30/2006
   12:49:00 PM
 
 My question now is:
 Is this clamav Vulnerable?
 
 Thanks for your information.

I am not sure about the vulnerability factor; however, these are the
ports for clamav presently available in the ports system.

Port:   clamav-0.90_2
Path:   /usr/ports/security/clamav
Info:   Command line virus scanner written entirely in C
Maint:  [EMAIL PROTECTED]
B-deps: libgmp-4.2.1_2 libtool-1.5.22_3
R-deps: arc-5.21o_1 arj-3.10.22 lha-1.14i_6 libgmp-4.2.1_2 unzoo-4.4_2
WWW:http://www.clamav.net/

Port:   clamav-devel-20070218
Path:   /usr/ports/security/clamav-devel
Info:   Command line virus scanner written entirely in C
Maint:  [EMAIL PROTECTED]
B-deps: libgmp-4.2.1_2 libtool-1.5.22_3
R-deps: arc-5.21o_1 arj-3.10.22 lha-1.14i_6 libgmp-4.2.1_2 unzoo-4.4_2
WWW:    http://www.clamav.net/

I have the clamav-devel one installed myself and it works fine. You
might want to consider updating.


-- 
Gerard

Elegance and truth are inversely related.

Becker's Razor




Re: [Clamav-users] Auto scan problems

2007-02-18 Thread Gerard Seibert
On Sun, 18 Feb 2007 19:34:24 +1300
Steve Holdoway [EMAIL PROTECTED] wrote:

 Thank you for your informative suggestion. I posted as an example of
 what a correctly set up mail client from someone in New Zealand
 should look like for an argumentative poster, also from godzone, to
 see what theirs should look like. 
 
 I would have expected people with a pathological hatred of top
 posting, even a single line suggesting that the sender examine the
 headers of the post, to be able to follow a mail thread.

If that is all the OP wanted, then the easiest solution would have been
to send himself a message. Why involve others for such a trivial task?

-- 
Gerard




Re: [Clamav-users] Auto scan problems

2007-02-17 Thread Gerard Seibert
On Saturday February 17, 2007 at 04:20:22 (AM) Steve Holdoway wrote:

 OK, I'm in Christchurch. What's my timezone come up as???

Please don't top post. If you don't know what that means, Google for it.

I am assuming you are referring to: Christchurch, New Zealand.

Check out these two URLs, which were the first two I found while doing a
Google search for Christchurch.

http://www.timeanddate.com/worldclock/timezone.html?n=951
http://academickids.com/encyclopedia/n/ne/new_zealand.html

-- 
Gerard


[Clamav-users] Re: ClamAV upgrade

2007-01-16 Thread Gerard Seibert
On Tuesday January 16, 2007 at 12:44:15 (AM) Nick wrote:

 Hi?
 I am running a FreeBSD 6.0 and clamav 0.88.2_4. I have done a port upgrade 
 intending to upgrade to 0.88.7 but still this is what I get :
 
 # portupgrade -v clamav
 ---  Session started at: Tue, 16 Jan 2007 08:38:20 +0300
 ** No need to upgrade 'clamav-0.88.2_4' (= clamav-0.88.2_4). (specify -f to 
 force)
 ---  Listing the results (+:done / -:ignored / *:skipped / !:failed)
 - security/clamav (clamav-0.88.2_4)
 ---  Packages processed: 0 done, 1 ignored, 0 skipped and 0 failed
 ---  Session ended at: Tue, 16 Jan 2007 08:38:20 +0300 (consumed 00:00:00)
 
 How do I upgrade to 0.88.7?

Update your ports tree. Use either cvsup or portsnap to accomplish this.
You might then want to use either portupgrade or portmanager to update
all of your programs. Sounds like you might have several out of date
ones.

-- 
Gerard


Re: [Clamav-users] Re: Why does clam die on a malformed database ?

2006-12-31 Thread Gerard Seibert
On Saturday December 30, 2006 at 07:26:57 (PM) Sander Holthaus wrote:

 The issue is that email never was designed to be used in that
 particular fashion. While it may be fast and almost instant in normal
 circumstances, it was not designed with that in mind. The fact that
 businesses do expect that is something else and it is what usually
 gives people in IT headaches.

Henry Ford never designed the original Model T with electronic
ignition, air conditioning, GPS, etc. Does that mean that those items,
among others, should simply be discarded? Things evolve. Even GUI's were
probably not envisioned by the original PC architects, yet most people
today would not choose to operate their PC's without them.


-- 
Gerard


[Clamav-users] Curl-trouble on for clamav-0.88.7_1

2006-12-16 Thread Gerard Seibert
On Saturday December 16, 2006 at 04:41:39 (AM) Mark wrote:

  -Original Message-
  From: Mark [mailto:[EMAIL PROTECTED] 
  Sent: zaterdag 16 december 2006 10:37
  To: 'ClamAV users ML'
  Subject: RE: [Clamav-users] Re: Curl-trouble on for clamav-0.88.7_1
  
 
   The curl port (/usr/ports/ftp/curl) was updated to 7.16.0 
   about 3 days ago. It sounds like you haven't correctly
   updated your ports tree.
  
  I get my ports directly from:
  
  ftp://ftp.freebsd.org/pub/FreeBSD/ports/ports/ports.tar.gz
  
  That is the official URL (not cvs).
  
  And today it is STILL at curl-7.15.5. Seriously; just redownloaded
  the whole thing.
 
 Come to think of it, isn't there a longstanding tradition of freezing
 the ports for a while, prior to a major OS upgrade? Could be what I'm
 witnessing.

I just updated my ports tree using 'portsnap', and then proceeded to check
for 'curl'. It is listed as 'curl-7.16'. I then proceeded to update it
using 'portmanager'. The update was successful.

I can therefore conclude that 'curl-7.16' is available and will install,
at least on a FreeBSD-6.1 OS.

-- 
Gerard


[Clamav-users] Re: Curl-trouble on for clamav-0.88.7_1

2006-12-15 Thread Gerard Seibert
On Friday December 15, 2006 at 06:49:42 (AM) Mark wrote:

 I'm having trouble with curl on FreeBSD 4.11 and clamav-0.88.7_1:
 
 ===   Compressing manual pages for curl-7.15.5_1
 ===   Running ldconfig
 /sbin/ldconfig -m /usr/local/lib
 ===   Registering installation for curl-7.15.5_1
 readlink: not found
 ===   Returning to build of clamav-0.88.7_1
 Error: shared library curl.4 does not exist
 *** Error code 1
 
 Stop in /usr/ports/security/clamav.
 
 Pretty self-explanatory: there is no curl.4 library. curl-7.15.5_1 creates
 a new /usr/local/lib/libcurl.so.3, but not .4 version.

FreeBSD 4.11 is extremely old. I have never heard of this problem
existing on any FreeBSD 5+ installation. With version 6.2 due out any
day now, perhaps it is time to consider updating.

-- 
Gerard


Re: [Clamav-users] Maybe Oversized.Zip bug in clamav 0.88.7

2006-12-15 Thread Gerard Seibert
On Friday December 15, 2006 at 07:31:52 (AM) Péter Simon wrote:

 Simon Péter írta:
  Hi List,
  
  Yesterday I updated on my server from clamav 0.88.6 to clamav 0.88.7. In 
  daytime ClamAV detected a lot of Oversized.Zip from our partners. It was a 
  little bit strange because they're sending mails as usually earlier. Ok. At 
  first try I changed ArchiveMaxCompressionRatio upto 1000. It didn't help. 
  Oversized.Zip virus detection still worked.
  I made a simple zip archive with zip's default settings (Zip 2.32 (June 
  19th 2006)) and sent to an address to the server. Unfortunately 
  Oversized.Zip still signed.
  I downgraded to clamav 0.88.6.
  The problem resolved. So I think maybe it's a bug of clamav 0.88.7.
  
  Have a nice day: Peter
 
 Seems like is this trouble only my problem?

It would seem rather obvious; however, did you restart the daemon? It
would also help to facilitate securing a satisfactory response if you
would post your entire conf file as well as any pertinent log entries.


-- 
Gerard


[Clamav-users] Forcing clamd to reload its database

2006-12-11 Thread Gerard Seibert
What is the preferred method to force clamd to reload its databases?

-- 
Gerard


Re: [Clamav-users] Forcing clamd to reload its database

2006-12-11 Thread Gerard Seibert
On Monday December 11, 2006 at 10:11:46 (AM) Stephen Gran wrote:

 On Mon, Dec 11, 2006 at 10:06:39AM -0500, Gerard Seibert said:
  What is the preferred method to force clamd to reload its databases?
 
 The simplest is:
 echo RELOAD | nc localhost 3310

OK, I have to admit that I am not familiar with that command. Anyway, it
does not appear to have any effect on clamd. There is no indication in
the clamd.log file that it is in fact rereading the database.

I am running FreeBSD with bash3 as the shell. Also, netstat -a does not
list any port listening on 3310. I do not have the TCP port enabled in
the clamd.conf file.

-- 
Gerard
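
The situation in this exchange, as an added example (not code from the thread or from ClamAV): 'nc localhost 3310' only reaches clamd when 'TCPSocket' is set in clamd.conf, so this POSIX shell sketch reads the config first and sends RELOAD to whichever socket clamd actually listens on. 'LocalSocket', 'TCPSocket' and 'TCPAddr' are clamd.conf options; the function names and the availability of an 'nc' with '-U' (Unix-socket support, as in BSD netcat) are assumptions.

```shell
#!/bin/sh
# Added example: find clamd's listening socket in clamd.conf and send RELOAD.

# conf_value FILE KEY
#   Prints the value of the first uncommented "KEY value" line.
#   Returns non-zero when the key is absent or commented out.
conf_value() {
    awk -v key="$2" '
        $1 == key { print $2; found = 1; exit }
        END       { exit !found }
    ' "$1"
}

# clamd_endpoint CONF
#   Prints "unix:/path/to/socket" or "tcp:host:port".
#   A local socket is preferred when both are configured.
clamd_endpoint() {
    conf=$1
    if sock=$(conf_value "$conf" LocalSocket); then
        echo "unix:$sock"
    elif port=$(conf_value "$conf" TCPSocket); then
        # Without TCPAddr clamd binds every address, so loopback works.
        addr=$(conf_value "$conf" TCPAddr) || addr=127.0.0.1
        echo "tcp:$addr:$port"
    else
        echo "no LocalSocket or TCPSocket enabled in $conf" >&2
        return 1
    fi
}

# clamd_reload CONF
#   Sends RELOAD and succeeds only if clamd answers "RELOADING".
clamd_reload() {
    ep=$(clamd_endpoint "$1") || return 1
    case $ep in
        unix:*)
            reply=$(printf 'RELOAD\n' | nc -U "${ep#unix:}")
            ;;
        tcp:*)
            hostport=${ep#tcp:}
            reply=$(printf 'RELOAD\n' | nc "${hostport%:*}" "${hostport##*:}")
            ;;
    esac
    [ "$reply" = "RELOADING" ]
}

# Run only when given a config path, e.g.:
#   ./clamd-reload.sh /usr/local/etc/clamd.conf   (path is a placeholder)
if [ "$#" -eq 1 ]; then
    clamd_reload "$1"
fi
```

clamd also reloads its databases on SIGUSR2, which needs only the daemon's PID and no socket access.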


Re: [Clamav-users] submit-to-publish time much too long for phishing

2006-12-08 Thread Gerard Seibert
On Friday December 08, 2006 at 12:19:14 (AM) Noel Jones wrote:

 I'm pleased with clamav's detection of phish, but I'm really 
 impressed with Steve Basford's add-on rules for phish and other 
 malicious non-viral email.  I strongly recommend them.
 http://www.sanesecurity.com/clamav/

I heartily concur. In addition, Steve updates his signatures numerous
times daily. Steve also offers two automated updating programs on his
site to make the entire process a breeze.

-- 
Gerard


Re: [Clamav-users] submit-to-publish time much too long for phishing

2006-11-29 Thread Gerard Seibert
On Wednesday November 29, 2006 at 04:17:30 (AM) Nigel Horne wrote:

 On Tue, 2006-11-28 at 15:05 -0500, Gerard Seibert wrote:
  On Tuesday November 28, 2006 at 02:13:29 (PM) Per Jessen wrote:
  
   Quick additional comment - I used to use the very same argument, but
   experience and age have taught me that people are stupid.
  
  I would not say that. Perhaps absent-minded, absorbed, abstracted,
  aimless, amnesic, benighted, bird-brained, blind to, blind, blundering,
  bucolic, careless, caught napping, chance, comatose, country, cretinous,
  cursory, daydreaming, dead to, deaf, deaf to, dense, disregardful,
  distracted, doped , dreamy, easily pleased, forgetful, forgetting, gone,
  gorked, green , haphazard, hasty, heedless, hidebound, home-grown,
  homespun, hot-headed, ignorant, ill-advised, illiterate, imbecilic,
  imperceptive, imprecise, imprudent, inaccurate, inadvertent, inadvisable,
  inattentive, incautious, incognizant, incompetent, inconsiderate,
  inconversant, indiscreet, indiscriminate, inexperienced, injudicious,
  innocent, insensible, insular, involuntary, inward-looking, limited,
  local, mindless, misinformed, mooning, moronic, naive, narrow,
  narrow-minded, neglectful, negligent, nescient, new, newcomer, not
  associated, not cognizant, not smart, novice, numb, oblivious, obtuse,
  offhand, out cold , overlooking, parochial, pastoral, perfunctory, petty,
  preoccupied, rash, reckless, regardless, rude, rural, rustic, sappy,
 
 rural?

Synonyms 1. unsophisticated, rough. In a derogatory sense, it means
provincial, boorish, or crude
 
  sectarian, senseless, shallow, slipshod, small-minded, small-town,
  spaced out, spacey, stoned, strung out, superficial, thick, thoughtless,
  unaccustomed, unacquainted, unaware, unconcerned, unconscious,
  unconsidered, unconversant, uncultivated, uncultured, undesigned,
  undiscerning, undiscriminating, uneducated, unenlightened, unexacting,
  unfamiliar, unfamiliar with, unfussy, uninformed, uninitiated,
  uninstructed, unintellectual, unintended, unintentional, unknowing,
  unknowledgeable, unknown, unlearned, unlettered, unmeant, unmindful,
  unnoticing, unobservant, unperceptive, unplanned, unpolished,
  unpracticed, unread, unrecognizing, unschooled, unseasoned, unselective,
  unskilled, unsuspecting, unused to, unversed, unversed in bigoted,
  unwarned, unwary, unwise green, unwitting, unwitting careless, witless,
  zonked apprenticed or  zonked brash; however,  I believe 'stupid' is too
  harsh.


Re: [Clamav-users] submit-to-publish time much too long for phishing

2006-11-28 Thread Gerard Seibert
On Tuesday November 28, 2006 at 02:13:29 (PM) Per Jessen wrote:

 Quick additional comment - I used to use the very same argument, but
 experience and age have taught me that people are stupid.

I would not say that. Perhaps absent-minded, absorbed, abstracted,
aimless, amnesic, benighted, bird-brained, blind to, blind, blundering,
bucolic, careless, caught napping, chance, comatose, country, cretinous,
cursory, daydreaming, dead to, deaf, deaf to, dense, disregardful,
distracted, doped , dreamy, easily pleased, forgetful, forgetting, gone,
gorked, green , haphazard, hasty, heedless, hidebound, home-grown,
homespun, hot-headed, ignorant, ill-advised, illiterate, imbecilic,
imperceptive, imprecise, imprudent, inaccurate, inadvertent, inadvisable,
inattentive, incautious, incognizant, incompetent, inconsiderate,
inconversant, indiscreet, indiscriminate, inexperienced, injudicious,
innocent, insensible, insular, involuntary, inward-looking, limited,
local, mindless, misinformed, mooning, moronic, naive, narrow,
narrow-minded, neglectful, negligent, nescient, new, newcomer, not
associated, not cognizant, not smart, novice, numb, oblivious, obtuse,
offhand, out cold , overlooking, parochial, pastoral, perfunctory, petty,
preoccupied, rash, reckless, regardless, rude, rural, rustic, sappy,
sectarian, senseless, shallow, slipshod, small-minded, small-town,
spaced out, spacey, stoned, strung out, superficial, thick, thoughtless,
unaccustomed, unacquainted, unaware, unconcerned, unconscious,
unconsidered, unconversant, uncultivated, uncultured, undesigned,
undiscerning, undiscriminating, uneducated, unenlightened, unexacting,
unfamiliar, unfamiliar with, unfussy, uninformed, uninitiated,
uninstructed, unintellectual, unintended, unintentional, unknowing,
unknowledgeable, unknown, unlearned, unlettered, unmeant, unmindful,
unnoticing, unobservant, unperceptive, unplanned, unpolished,
unpracticed, unread, unrecognizing, unschooled, unseasoned, unselective,
unskilled, unsuspecting, unused to, unversed, unversed in bigoted,
unwarned, unwary, unwise green, unwitting, unwitting careless, witless,
zonked apprenticed or  zonked brash; however,  I believe 'stupid' is too
harsh.

-- 
Gerard


[Clamav-users] Re: To ClamAV Developers: donation question

2006-11-08 Thread Gerard Seibert
On Wednesday November 08, 2006 at 11:16:21 (AM) Sergei Lavrov wrote:

 Some of the businesses I know do want to make
 donations. But is ClamAV able to issue invoice ?

In other words, you are looking for a tax write off.

Exactly what is the tax status of 'ClamAV'? I know I could probably look
it up; however, I am just not that motivated at the present time.


-- 
Gerard


 Ah, yes, divorce - from the Latin word meaning to rip out a man's
 genitals through his wallet.

  Robin Williams


Re: [Clamav-users] Complexity limit on (custom) signatures?

2006-10-28 Thread Gerard Seibert
On Friday October 27, 2006 at 08:42:34 (PM) Dennis Peterson wrote:

 Not to change the direction on you, but you might want to take advantage 
 of the work Steve Basford is doing at 
 http://www.sanesecurity.com/clamav/ for phishing problems, and also look 
 at http://www.msrbl.com/site/stats for image and spam solutions. Both 
 sites are providing excellent results on systems I'm running. The 
 patterns are downloadable and very up to date. I've not had a single 
 complaint of false positives, and the number of patterns provided is 
 quite large.
 
 Steve has also written a very useable how-to for creating these patterns.

Steve has done a remarkable job with his 'sig' files. He is constantly
updating them. I know because I use them. They are always catching
'phishing' threats on my PC.

He also has two automated installers for downloading and installing his
signature files. I wrote the 'script' version. There is also a Perl
version available on his site.


-- 
Gerard

 There is nothing wrong with making love with the light on. Just make
 sure the car door is closed.

  George Burns


[Clamav-users] Clamav-milter whitelist

2006-10-26 Thread Gerard Seibert
FreeBSD 6.1
Clamav-milter 0.88.5
Postfix-2.4-20061006

Has anyone gotten the whitelist to work with 'clamav-milter'? I am
assuming that the file syntax is one entry per line. No matter what I
have tried, clamav-milter insists on checking messages even when the
address is in the 'whitelist' as specified. I am beginning to wonder if
perhaps it is a bug.


-- 
Gerard Seibert
[EMAIL PROTECTED]



Re: [Clamav-users] Clamav-milter with Postfix

2006-10-23 Thread Gerard Seibert
On Monday October 23, 2006 at 11:49:47 (AM) Dennis Peterson wrote:

 Gerard Seibert wrote:
  On Sunday October 22, 2006 at 09:49:38 (PM) Dennis Peterson wrote:
  
  Gerard Seibert wrote:
 
  I would rather not use the '--force-scan' option since I am not
  particularly interested in scanning outgoing mail. Perhaps someone has
  an idea how to correct this problem.
  Because you don't scan outgoing mail I have to scan incoming mail from 
  you. My usual response when I read this kind of thing is to just go 
  ahead and blacklist you now rather than later. Please practice safe 
  messaging.
  
  That makes zero sense. Are you implying that if I were to scan an
  outbound message you would eliminate your inbound scan? You do know how
  stupid that sounds I assume.
 
 You clearly don't understand the problem. If everyone scanned their 
 outbound I'd have fewer inbound to scan. I'd still scan them but there 
 would be far less scanning required. Still sound stupid?

Yes, because you are dealing in a real world, not some sort of
idealistic one that you would like to exist. To put it in language you
might better understand, It ain't gonna happen. Furthermore, your
statement is illogical. If you would still pursue a course of scanning
all of mail, in what manner does my or anyone else's use of AV scanning
affect your scanning load? It doesn't affect it at all. Unless you were
going to introduce header checks into your mail system. That would
require even further overhead, plus you would be assuming that the
sender was placing whatever headers you were checking for in his/her/their
mail accurately and not just spoofing the annotation. I personally would
never trust such a scheme.

  Anyway, we send out several times a week flyers to our customers. These
  mailings range from 750 to 2000 messages per run. To scan 2000 identical
  messages is insane, not to mention a total waste of system resources.
  Other than going to the expense of setting up a separate mail server,
  etc. I am looking for a way to circumvent this annoyance.

 Configure your mta to not scan mail from certain addresses at a 
 particular IP. It's a good idea to use a separate IP address for mass 
 mailings so that you don't land your enterprise mailer on a DNSBL. There 
 are people out there that will opt-in to a list but send your UBE to 
 SpamCop anyway.

That would require two IPs which I do not presently own. I would have
to pay my ISP for another one. It would probably also require another
domain name to ensure total separation of business divisions. The time
and money spent for the very slim advantage it might create is simply
not feasible at this point in time. I have dealt with SpamCop before. In
fact, I even have a paid account there. They are aware of our operation
and the double opt-in requirement. If any report did come to them, and
none has in over two years, we are notified first before any action is
taken.

Now Sorbs is a different matter. I do not know how they operate; however,
I have never had a problem with them either. All of our messages carry
full email headers, etc. SORBS, from what I was told, lists
organizations that either do not send full headers or attempt to mangle
or forge them. You might remember that Google was having its GMail
accounts blacklisted because of that garbage.

  We are presently investigating other mail clients to see if they meet
  our requirement.
  
  It might also be noted that presently, at least as far as I can tell,
  clamav-milter does not natively support Postfix. I have to use the
  'sendmail.cf' for instance. It would be nice if the 'clamav' team
  developed an application that worked natively with Postfix.

 PostFix recently adopted the Sendmail milter API. It is an incomplete 
 implementation and there are probably all manner of problems you will 
 find with it. It is a PostFix problem, not a ClamAV problem - PostFix 
 does not own the code you are using for Milter support. Last I looked 
 the API was not published and or was subject to change as required by 
 Sendmail, so using it in PostFix is probably always going to be risky. A 
 parallel to this is to write Excel spreadsheet translators - Microsoft 
 can and has changed the format of the files in the past and this results 
 in broken translators.

That is what I am using, remember. I am fully aware that it does not
work in a manner consistent with Sendmail. I used to run Sendmail with
clamav-milter. It is why I believe that the clamav-milter author(s)
should consider writing a milter that is fully compatible with Postfix.
Postfix is a large player in the field now. It would seem that getting
on board with compatible products would be a logical step. I think
Wietse did a good thing in making Postfix compatible with at least some
of the Sendmail milters that are roaming around out there. He admits he
did not get it fully 100% compatible due to the structural differences
between Postfix and Sendmail. I appreciate his effort.

-- 
Gerard

Re: [Clamav-users] outbound scanning

2006-10-23 Thread Gerard Seibert
On Monday October 23, 2006 at 01:20:54 (PM) Chuck Swiger wrote:

 On Oct 22, 2006, at 10:50 PM, Tom Metro wrote:
 [ ...heated debate aside :-), these questions are interesting... ]
  Is there really much practical value to outbound scanning?
 
 Yes.  I've seen employees download viral mail from some other service  
 (AOL, fastmail.fm, gmail, whatever) to their corporate desktop, get  
 infected, and have their machine start spewing malicious email out.
 
 If you have outbound scanning, you have some hope of containing the  
 problem or at least not sending malicious mail onwards to your clients.
 
 It doesn't stop all potential problems with outbound email from your  
 domain, but together with adding SPF records and using a firewall to  
 block outbound port 25 except from your legitimate mail relay, you  
 can do a lot to keep your domain from contributing to the problem.

If you have on access scanning working properly that will also greatly
lessen any such problem. You stated that you were aware of users
downloading infected material to their work stations. Where the hell is
the AV that is supposed to be protecting those work stations? Seems to me
it might be time to have a long discussion with your SA (I hope it isn't
you) about installing and using reliable AV products on your work
stations. On access scanning would be the minimum requirement here.

  Isn't the vast majority of viruses and spam sent via zombies on  
  unfirewalled
  (outbound) home networks?
 
 Interesting question.  I've gotten about 12000 spammy messages over  
 the past week on one mailserver; about 1000 got through greylisting,  
 consisting of about 5 actual viruses, ~60-odd phishing scams, and  
 about 900 non-malware spams.
 
 Of the senders out of the original 12K, somewhere around half (5100)  
 do not have reverse DNS configured; otherwise, here are sorted lists  
 of the data where we'd gotten at least ten spammy messages from that  
 source:

 http://www.codefab.com/AV/malware_histogram.txt
 http://www.codefab.com/AV/spammers_by_ip.txt
 http://www.codefab.com/AV/spammers_by_hostname.txt

Postfix offers ways to check and prevent that from happening.

  Even if a zombie was inside a corporate
  network, how likely is it to use the SMTP relay that happens to be
  configured in some mail client on the compromised machine?
 
 Using the configured SMTP relay seems to be the most common case; but  
 it's also common for the infected host to send mail out directly.  As  
 you've suggested, egress filtering is a good idea:

The work station should be firewalled off from all but the company mail
server. If it is not, then do it.

  I'd think you'd get far greater benefit by practicing some form of
  egress filtering at the firewall, like rejecting all outbound
  connections with a port 25 destination except from the mail relay (or
  proxy) inside the firewall.
 
  For any small shop that keeps a close eye on their machines and  
  network
  traffic, I'd think the overhead of scanning every outbound message  
  would
  be a waste.

I concur.

 It's not very expensive in terms of CPU resources to scan normal  
 messages, usually.

The key is normal and usually.


-- 
Gerard


Re: [Clamav-users] Clamav-milter with Postfix

2006-10-23 Thread Gerard Seibert
On Sunday October 22, 2006 at 09:49:38 (PM) Dennis Peterson wrote:

 Gerard Seibert wrote:
 
  
  I would rather not use the '--force-scan' option since I am not
  particularly interested in scanning outgoing mail. Perhaps someone has
  an idea how to correct this problem.
 
 Because you don't scan outgoing mail I have to scan incoming mail from 
 you. My usual response when I read this kind of thing is to just go 
 ahead and blacklist you now rather than later. Please practice safe 
 messaging.

That makes zero sense. Are you implying that if I were to scan an
outbound message you would eliminate your inbound scan? You do know how
stupid that sounds I assume.

Anyway, we send out several times a week flyers to our customers. These
mailings range from 750 to 2000 messages per run. To scan 2000 identical
messages is insane, not to mention a total waste of system resources.
Other than going to the expense of setting up a separate mail server,
etc. I am looking for a way to circumvent this annoyance.

We are presently investigating other mail clients to see if they meet
our requirement.

It might also be noted that presently, at least as far as I can tell,
clamav-milter does not natively support Postfix. I have to use the
'sendmail.cf' for instance. It would be nice if the 'clamav' team
developed an application that worked natively with Postfix.


-- 
Gerard


Re: [Clamav-users] Clamav-milter with Postfix

2006-10-23 Thread Gerard Seibert
On Monday October 23, 2006 at 07:01:47 (AM) Christopher X. Candreva wrote:

 
 
 On Mon, Oct 23, 2006 at 05:53:30AM -0400, Gerard Seibert wrote:
 
  Anyway, we send out several times a week flyers to our customers. These
  mailings range from 750 to 2000 messages per run. To scan 2000 identical
  messages is insane, not to mention a total waste of system resources.
  Other than going to the expense of setting up a separate mail server,
  etc. I am looking for a way to circumvent this annoyance.
 
 To answer your original question: You scan outgoing mail for the same reason 
 you scan incoming mail: To see if it has a virus. If you have otherwise 
 restricted the ways your users can send mail (blocked port 25) -- if you 
 even HAVE users -- this will alert you to infections on your network.  I am 
 assuming you want to know about infections on your network.
 
 As someone else pointed out, how you send your bulk mail will effect the next 
 answer: If it is one message with many names, it is only scanned once. If it 
 is individual messages (not as silly as it sounds, for VERP 
 bounce-processing purposes) then you will need to see how to not have those 
 scanned.
 
 IE, clamav-milter can have compiled-in addresses not to scan. If you know 
 that those messages come from one IP only, and that machine won't ever be 
 infected, you can whitelist there. All will depend on what you do.
 
 Personally, with linux free and hardware all over the place I would just set 
 up sendmail/postfix/whatever on a separate machine for bulk mail, so bulk 
 mailings can't ever effect regular mail.
 
The mail is sent using DADA Mail, a discussion mailing list manager
similar to Mailman. Again, yes, VERP is being employed. These are double
opt-in lists, not a SPAM list like some asshole aka 'troll' mentioned in
a reply. BCC is not even an option since these messages are customized
for each individual recipient.

I will investigate the 'white-listing' concept. I had not noticed that
before. Setting up another PC is certainly an option, and one that we
were intending to do sometime after the New Year when we get a new
budget.

-- 
Gerard


[Clamav-users] Clamav-milter with Postfix

2006-10-22 Thread Gerard Seibert
FreeBSD 6.1
Postfix-2.4-20061006
Clamav-milter 0.88.5

I am trying to get clamav-milter working with Postfix. I finally got it
to work, so to speak, but only after using the '-f' (aka '--force-scan')
flag. Without that flag, clamav-milter will only scan outgoing files,
and then only if I use the '--local' or '--outgoing' flags.

/usr/local/etc/postfix/main.cf

 smtpd_milters = unix:/var/log/clamav/clmilter.sock
 non_smtpd_milters = unix:/var/log/clamav/clmilter.sock
 milter_default_action = tempfail

I would rather not use the '--force-scan' option since I am not
particularly interested in scanning outgoing mail. Perhaps someone has
an idea how to correct this problem.


-- 
Gerard

 Friends come and go but enemies accumulate.


[Clamav-users] clamav-milter Postfix-2.4-20061006

2006-10-21 Thread Gerard Seibert
FreeBSD 6.1 STABLE
ClamAV 0.88.5
clamav-milter 0.88.5
Postfix-2.4-20061006


I previously had clamav-milter working on a PC with 'Sendmail' as the
MTA. My new system has 'Postfix' installed. I have no desire to change
this, therefore I would like to know how to get the clamav-milter to
operate with Postfix. I have Googled for suggestions. There seems to be
an abundance of them. What I am looking for is the definitive one; i.e.,
one that actually works.

I did not seem to locate one on the ClamAV site. Is there somewhere else
I can get accurate information regarding this?

Thanks!

-- 

Gerard


Re: [Clamav-users] clamav-milter Postfix-2.4-20061006

2006-10-21 Thread Gerard Seibert
On Saturday 21 October 2006 10:24, Christian Rueger wrote:

 what your problem?
 it so easy

 postfix main.cf:
 smtpd_milters = unix:/clamav/milter

 postfix work in chroot /var/spool/postfix

 clamav-milter fake sendmail.mc:
 INPUT_MAIL_FILTER(`clmilter',`S=unix:/var/spool/postfix/clamav/milter,
 F=, T=S:4m;R:4m')dnl
 define(`confINPUT_MAIL_FILTERS', `clmilter')

 runit run-file:
 umask 007
 exec 2>&1
 exec clamav-milter -A -N -m10 -q \
    --sendmail-cf=/etc/clamav-milter/sendmail.mc \
    -c /etc/clamd/clamd.conf unix:/var/spool/postfix/clamav/milter

 permissions for the directory/files should be:
 ls -la /var/spool/postfix/clamav/
 drwxr-x---   2 _clamav  _postfix  512 Oct 18 10:12 ./
 drwxr-xr-x  19 root     wheel     512 Aug 26 10:46 ../
 srwxrwxrwx   1 _clamav  _postfix    0 Oct 18 10:12 clamd=
 srwxrwx---   1 _clamav  _postfix    0 Oct 18 10:12 milter=

 user _clamav run's clamd, freshclam and clamav-milter
 postfix need write permission to the socket (user _postfix and umask 007
 in run-file)

 this works on openbsd
 read postfix's MILTER_README and clamAV's clamdoc.pdf

All you did was copy this from a site. I have seen it already. I 
understand the postfix 'main.cf' entry. I also stated that I was employing 
FreeBSD. I doubt that the configuration for OpenBSD is compatible.

-- 
Gerard
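
Added example (not part of the original thread, and not ClamAV or Postfix code): a Python check of the ownership and mode rules stated in the quoted reply, namely that the MTA's group needs read/write on the milter socket and that nothing should be open to 'other'. The function names, the `mta_gid` parameter and the temporary sockets built in the demo are assumptions made for illustration.

```python
import os
import socket
import stat

def audit_milter_socket(sock_path, mta_gid):
    """Return findings (strings) for a milter socket and its parent directory.

    mta_gid: numeric gid of the MTA's group (hypothetical parameter; the
    quoted listing uses group _postfix for this role).
    """
    findings = []
    st = os.stat(sock_path)
    mode = stat.S_IMODE(st.st_mode)
    if not stat.S_ISSOCK(st.st_mode):
        findings.append("not a socket")
    if mode & stat.S_IRWXO:
        findings.append("socket open to 'other' (mode %04o)" % mode)
    group_rw = stat.S_IRGRP | stat.S_IWGRP
    if st.st_gid != mta_gid:
        findings.append("socket group is gid %d, expected %d" % (st.st_gid, mta_gid))
    elif (mode & group_rw) != group_rw:
        findings.append("MTA group lacks read/write on socket")

    parent = os.stat(os.path.dirname(os.path.abspath(sock_path)))
    pmode = stat.S_IMODE(parent.st_mode)
    if pmode & stat.S_IWOTH:
        findings.append("directory is world-writable (mode %04o)" % pmode)
    via_group = parent.st_gid == mta_gid and pmode & stat.S_IXGRP
    if not (via_group or pmode & stat.S_IXOTH):
        findings.append("MTA group cannot traverse directory")
    return findings

def make_socket(path, mode):
    """Create a Unix socket file with the given mode (constructed fixture)."""
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.bind(path)
    s.close()
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    import tempfile
    d = tempfile.mkdtemp()
    os.chmod(d, 0o750)                                       # drwxr-x--- as in the listing
    milter = make_socket(os.path.join(d, "milter"), 0o770)   # srwxrwx---
    clamd = make_socket(os.path.join(d, "clamd"), 0o777)     # srwxrwxrwx
    gid = os.stat(milter).st_gid                             # stand-in for _postfix
    for p in (milter, clamd):
        print(p, audit_milter_socket(p, gid) or "ok")
```

Run against the modes in the quoted listing, the `milter` socket passes and the `clamd` socket (srwxrwxrwx) is reported as open to 'other'.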




[Clamav-users] Clamstats

2006-09-25 Thread Gerard Seibert
I installed the clamstats-0.2.pl program because it was listed on this
forum recently. Prior to actually running it, I cleaned out the
clamd.log file.

The program is producing an error message. This is the output of one
such incident.

Script started on Mon Sep 25 18:57:55 2006
Use of uninitialized value in substitution (s///) at ./clamstats.pl line 133.
Use of uninitialized value in concatenation (.) or string at ./clamstats.pl line 163.
Use of uninitialized value in concatenation (.) or string at ./clamstats.pl line 166.
Script done on Mon Sep 25 18:57:55 2006

I had to change the 'clamd_update.log' to 'freshclam.log' in order to
get the script to even run.

I know this is not a Perl forum, but I thought that perhaps someone
might have an idea what is wrong with this script. I downloaded it from:

 http://weblog.infoworld.com/venezia/archives/clamstats.pl

I have a FreeBSD 6.1 STABLE system with Perl 5.8.8 loaded.

If anyone can assist me, I would appreciate it.


-- 
Gerard Seibert
[EMAIL PROTECTED]



Re: [Clamav-users] My trouble with freshclam

2006-09-13 Thread Gerard Seibert
Robert Zilbauer [EMAIL PROTECTED]

 On Wednesday 13 September 2006 05:43, Dennis Peterson wrote:
   Here too, updates stopped on august 16th.
  
   On 6 out of 6 mailservers running clamav, something went very wrong on
   august 16th.
 
  I run freshclam out of cron so would never have had this problem. I see
  failures all the time - 'Mirrors not fully...', etc., but it finally
  gets a fresh pattern.
 
 Ditto. I used to run all of my freshclam procs as daemons. However, a while 
 back I switched all of our machines (mostly Solaris 9 & 10, sparc) running 
 freshclam to use a cron job instead of daemon mode. 
 
 As of 0.88.1 I began seeing a silent death problem in the freshclam daemon 
 (it seemed to die with a SIGPIPE). Mine was a somewhat different issue than 
 the problem reported today as I never had a freshclam process just hang and 
 do nothing. If mine choked, they died completely.
 
 In my experience, freshclam in cron is the way to go. I haven't had any 
 trouble with it whatsoever since I switched.

I am running FreshClam on a FreeBSD 6.1 OS without any problems. I
routinely check the logs twice a week and nothing out of the ordinary is
ever reported.

I try to stay away from CRON whenever possible. There is always the
possibility that I might forget to enable or disable something.
Enabling or disabling in /etc/rc.conf works just fine for me. I just let
it run as a daemon.

Perhaps there is something else wrong on your OS. If this was really a
software bug, then everyone, or at least a large number of users would
be suffering this problem. I see no evidence of that anywhere. Perhaps
an out of date library is screwing things up.

-- 
Gerard Seibert
[EMAIL PROTECTED]


 I went to a Palestinian SEX-SHOP the other day and bought a life-sized
 doll. When I got her home, she blew herself up.



Re: [Clamav-users] clamav scan crashes server

2006-09-06 Thread Gerard Seibert
Dennis Peterson [EMAIL PROTECTED]

 I don't see where there is any ridicule. Are you suggesting Windows 
 people are delicate little flowers that require a gentle touch? That 
 seems a bit of an insult.

Perhaps not totally relevant; however, I have been involved in education
in one way or another for over 40 years. Everybody is ignorant about
something, sometime, somewhere, somehow. Even a genius overlooks the
obvious occasionally.

I have come to the conclusion that it is better to assume the student
knows nothing and let him prove to me he does, than to take the attitude
that he/she already knows the subject. It saves me a lot of aggravation
and him (the student) embarrassment.

All in all, I fail to see what peccadillo the poster made. Even the
simplest problem for some can appear to be pointillistic to others.


-- 
Gerard Seibert
[EMAIL PROTECTED]



Re: [Clamav-users] clamav scan crashes server

2006-09-05 Thread Gerard Seibert
Odhiambo Washington [EMAIL PROTECTED]

[ ... ]

 ;) FreeBSD server home page is www.freebsd.org. If you switch to 
 FreeBSD, I will assist you. Just buy the CDs from bsdmall.com and
 you earn my (our) support.

You can also subscribe to the FreeBSD Support Forum:

 http://lists.freebsd.org/mailman/listinfo/freebsd-questions


-- 
Gerard Seibert
[EMAIL PROTECTED]



[Clamav-users] Clamav Milter + Postfix

2006-08-28 Thread Gerard Seibert
I originally had the 'clamav-milter' working with Sendmail on my system.
I recently switched over to Postfix for numerous reasons.

I have not been able to configure the 'clamav-milter' to work correctly
with Postfix. I have version 2.3.x of Postfix which is supposed to
support Sendmail type milters. Does anyone have this running under Postfix
now? If so, would they be willing to share their configuration with me?

Thanks!


-- 
Gerard Seibert
[EMAIL PROTECTED]



Re: [Clamav-users] bash script to split mbox file and scan individual messages

2006-08-28 Thread Gerard Seibert

On Mon, 28 Aug 2006, jef moskot wrote:


On Sun, 27 Aug 2006, Bit Fuzzy wrote:

As for the situation, we've been using ClamAV for going on 3 years now,
and I have never (I repeat never) seen this occur.


Occasionally there are major virus flare-ups (and often there are phishing
scams and such) that occur before an appropriate signature is in place.
In these instances, it's not unreasonable to try to clean out user inboxes
before they have a chance to do something they shouldn't.

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]


[...]

It seems to me, that if the mail has been in the system for any 
appreciable amount of time, it has been accessed at least once already. If 
it was infected, it would no doubt have been caught by then.


I have never witnessed an instance where I needed to manually scan mail 
after it was received. I agree that there is a possibility that a new or 
improved 'phishing' sig might be available but that hardly justifies the 
effort required to rescan every bit of mail. The days of someone routinely 
replying back to a 'PayPay - Your Account is Disabled' or whatever are in 
serious decline.


--
Gerard Seibert
[EMAIL PROTECTED]


[Clamav-users] Undetected Virus

2006-08-24 Thread Gerard Seibert
I have recently installed the 'clamsmtpd' add on to work with Postfix.
Messages are sent to it and returned to Postfix marked clean. In fact,
everything is marked clean.

I tried using some of the test files available here:

http://www.declude.com/Articles.asp?ID=99

However, they are not being detected. These are two examples of messages
I received:

--=_307115168==_
Content-Type: text/plain; charset=us-ascii; format=flowed

This is a test message that was sent to you because you
(or someone you know) visited our page at 
http://www.declude.com/tools .

This E-mail is designed to trigger mailserver virus scanners,
but WILL NOT do any harm.  It is not a virus.  If you receive
this E-mail, your mail server probably has no virus protection,
so it will pass on viruses to you.  Visit http://www.declude.com
for our Declude Virus solution for IMail servers.

This E-mail contains the Partial (Fragmented) Vulnerability,
which future viruses may use to bypass mailserver virus scanners.
Because of that, any mailserver virus scanner that does not
catch this E-mail WILL almost certainly allow future viruses through.

--=_307115168==_--

And this:

This is a test message that was sent to you because you
(or someone you know) visited our page at 
http://www.declude.com/tools .

This E-mail is designed to trigger mailserver virus scanners,
but WILL NOT do any harm.  It is not a virus.  If you receive
this E-mail, your mail server probably has no virus protection,
so it will pass on viruses to you.  Visit http://www.declude.com
for our Declude Virus solution for IMail servers.

This E-mail contains the Outlook 'Blank Folding' Vulnerability,
which future viruses may use to bypass mailserver virus scanners.
Because of that, any mailserver virus scanner that does not
catch this E-mail WILL almost certainly allow future viruses through.

Is this considered normal? I tried several different tests, and most
were never detected.


-- 
Gerard Seibert
[EMAIL PROTECTED]



Re: [Clamav-users] Scan Signature

2006-08-18 Thread Gerard Seibert

On Fri, 18 Aug 2006, Diego Lorenzo - OJC wrote:


Hello, folks!

I'm needing to mark all incoming and outgoing e-mails with a virus 
scanned message, kinda This e-mail was scanned by Clamav (or Amavis), 
something like that. Is there any flag I can set it?


Are you referring to adding an X-Header to the email, or actually adding a 
disclaimer to the end of the actual message?


--
Gerard Seibert
[EMAIL PROTECTED]

Men say of women what pleases them; women do with men what pleases them.

 DeSegur


Re: [Clamav-users] Automating clamd and freshclam startup

2006-07-26 Thread Gerard Seibert
Kaplan, Andrew H. [EMAIL PROTECTED]

 I want to have clamd and freshclam to automatically start on system boot, and to
 also be running in daemon mode in the background during routine operation. What
 is the best method to accomplishing this? Thanks.

It would really help if you stated what OS you are using. I am familiar
with FreeBSD. If you are using that OS, startup scripts for Clamd and
Freshclam were installed for you. All you need do is activate them in
the /etc/rc.conf file.

Ciao!

-- 
Gerard Seibert
[EMAIL PROTECTED]


I love cooking with wine. Sometimes I even put it in the food.

 Anonymous


[Clamav-users] Whitelisting Addresses and clamav-milter

2006-03-12 Thread Gerard Seibert
I am running FreeBSD 5.4 with the latest version of Clamav installed.

In my /etc/rc.conf file I have the following:

clamav_milter_flags=-P -l -o -m 50 --quarantine-dir=/var/mail/quarantine -T 0

That works fine. However, if I add the following to the line, 
clamav-milter will refuse to start. It gives a permission denied error 
message.

--whitelist-file=/usr/home/ges/Text/whitelist.txt

I have chmod'd the file to 0666 and changed the ownership to Clamav, but 
that does not seem to have helped.

Perhaps someone has a suggestion as to what is causing this problem?

Thanks!


-- 
Gerard Seibert
[EMAIL PROTECTED]

PGP: http://www.seibercom.net/sig/gerard.asc


Re: [Clamav-users] [EMAIL PROTECTED] undetected

2006-01-19 Thread Gerard Seibert
Thomas Hochstein [EMAIL PROTECTED]

 James Miller schrieb:
 
  [EMAIL PROTECTED] is not being picked up by clamav.
 
 It is (and was) here:
 
 | 2006-01-18 09:34:18 [...] H=p54a7c5f6.dip.t-dialin.net (amd2) 
 [84.167.197.246] F=[...] rejected after DATA: This message contains a virus 
 (Worm.VB-8).
 
 Worm.VB-8 is ClamAV's name for [EMAIL PROTECTED], according to the
 advisories I read.
 
 -thh

I believe that, that definition was only added on the 18th. On 2/16 and
2/17 I was being bombarded with that virus. It was getting through my
mail server running ClamAV, but fortunately getting caught on a WinXP
machine running Zone Alarm Suite.

-- 
Gerard Seibert
[EMAIL PROTECTED]



[Clamav-users] Not sure if configured correctly

2006-01-19 Thread Gerard Seibert
I recently installed ClamAV on my FreeBSD 5.4 system. I am running
Sendmail as my MTA.

Clam seems to be working fine except for one small thing.

First, this is the entry I have in my /etc/rc.conf file for Clam.

clamav_clamd_enable=YES   # Enable ClamAV
clamav_freshclam_enable=YES   # Enable auto updater for AV
clamav_milter_enable=YES   # Enable the mail AV scanner
clamav_milter_socket=/var/run/clamav/clmilter.sock   # Clam Milter socket
clamav_milter_flags=--postmaster-only --local --outgoing --max-children=50 --quarantine dir=/var/mail/quarantine --timeout=0   # Clam milter settings

Each directive is on one separate line although it might not look like
it here.

This is a sample of the notices I receive when a virus is detected.

The message k0JAB7nO094434 sent from [EMAIL PROTECTED] to
[EMAIL PROTECTED]
contained HTML.Phishing.Pay-6 and has not been delivered.

The message in question has been quarantined as 
/var/tmp//clamav-48b75ba8e9a0d2da/msg.8LUShP


First, you will notice that there are two // in the path. I do not
understand why. Second, although the directory entry does exist, it is
empty. The file mentioned is present in the
/var/mail/quarantine/060119/k0JAB7nO094434.HTML.Phishing.Pay-6 directory.
However, there does not appear to be anything attached to the file. It
is very simple HTML code.

My question is why is the /var/tmp/* directory being created if it is
empty? Why the double '//' in the path? Also, shouldn't the file with
the virus actually have something attached to it? Most of the time on
WinXP machines anyway, there is a file attachment of some kind, although
I guess that is not a requirement.

I am just curious as to whether I have this whole thing configured
correctly.

Ciao

-- 
Gerard Seibert
[EMAIL PROTECTED]



Re: [Clamav-users] Undetected Virus

2006-01-18 Thread Gerard Seibert
Randal, Phil [EMAIL PROTECTED]

 I submitted a sample yesterday afternoon (GMT) to
 http://cgi.clamav.net/sendvirus.cgi , http://virusscan.jotti.org/ , and
 http://www.virustotal.com/
 
 Cheers,
 
 Phil

Thanks! I have a question though. I created a directory
/var/mail/quarantine in which quarantined email is supposed to go. I
assume that I would send the suspected email message from that directory
for analysis. Is that correct?

Ciao

-- 
Gerard Seibert
[EMAIL PROTECTED]



[Clamav-users] Undetected Virus

2006-01-17 Thread Gerard Seibert
I have the latest version of ClamAV and the signature files installed,
however it fails to detect the Win32.Blackmail.F virus.

My mail is delivered to a FreeBSD server that I run. One of the machines
on the network is a WinXP machine running ZoneAlarm Suite. When this
Windows machine POPs mail from the mail server it detects this virus. It
has happened three times in the past 24 hours. The messages are marked
as clean by ClamAV.

Is this something that I should be reporting to someone?

Thanks!

-- 
Gerard Seibert
[EMAIL PROTECTED]



[Clamav-users] Configuring clamav-milter sendmail

2005-07-26 Thread Gerard Seibert
I am sure that this question has been asked before; however, I am unable
to locate the answer I need.

I am a new user of Clam. I have it installed on a FreeBSD 5.4 machine.
Upon bootup, this message is displayed:

/usr/local/sbin/clamav-milter: socket-addr (local:/var/run/clamav/clamav.sock) doesn't agree with sendmail.cf

I am running a small mail server with Sendmail. Like so many others, I
have virtually no idea how to actually configure Sendmail. What sort of
configuration change should I make in the hostname.mc file to alleviate
this problem?


-- 
Gerard E. Seibert
[EMAIL PROTECTED]



[Clamav-users] clamd PING

2005-07-26 Thread Gerard Seibert
When I issue the command as root:

clamd PING

I receive the following error message:

ERROR: You must select server type (local/tcp).

I assume that I am supposed to change something in the clamd.conf file,
but I am unsure as to what.

-- 
Gerard E. Seibert
[EMAIL PROTECTED]
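
Added example (not part of the original post, and not ClamAV code): PING is a command clamd accepts on its socket and answers with PONG, so the check below reads the socket setting from clamd.conf text and sends PING to it. It assumes the error above means that neither LocalSocket nor TCPSocket is set; the sample configuration, the function names and the stand-in server are constructed for illustration.

```python
import socket
import threading

SAMPLE_CONF = """# constructed sample, not a real clamd.conf
#Example
LogFile /var/log/clamav/clamd.log
#LocalSocket /var/run/clamav/clamd
#TCPSocket 3310
"""

def server_endpoint(conf_text):
    """Return ('local', path), ('tcp', (host, port)) or None if neither is set."""
    opts = {}
    for line in conf_text.splitlines():
        fields = line.split("#", 1)[0].split(None, 1)
        if len(fields) == 2:
            opts.setdefault(fields[0], fields[1].strip())
    if "LocalSocket" in opts:
        return ("local", opts["LocalSocket"])
    if "TCPSocket" in opts:
        # Assumption: clamd is reachable on loopback when TCPAddr is absent.
        return ("tcp", (opts.get("TCPAddr", "127.0.0.1"), int(opts["TCPSocket"])))
    return None

def ping(endpoint, timeout=5.0):
    """Send PING to clamd; True only if the reply is PONG."""
    kind, addr = endpoint
    family = socket.AF_UNIX if kind == "local" else socket.AF_INET
    reply = b""
    with socket.socket(family, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(addr)
        s.sendall(b"PING\n")
        while not reply.endswith(b"\n"):
            chunk = s.recv(64)
            if not chunk:
                break
            reply += chunk
    return reply.strip() == b"PONG"

def fake_clamd(path):
    """Constructed stand-in for clamd: answers one PING with PONG, then exits."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn:
            if conn.recv(64).strip() == b"PING":
                conn.sendall(b"PONG\n")
        srv.close()
    threading.Thread(target=serve, daemon=True).start()

if __name__ == "__main__":
    print(server_endpoint(SAMPLE_CONF))   # sample has both socket lines commented out
```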
