Re: [Clamav-users] Phishing Questions

[Jim Maul]

Damian Menscher wrote:
On Thu, 27 Jan 2005, Tomasz Kojm wrote:
Phishing IS NOT spam! Is that really so hard to understand?

Phishing IS NOT a virus! Is that really so hard to understand?

Ok, so its not a virus, and its not spam.  So neither product should 
detect it your saying? How about both products detect it, we have 
overlap, and users are happy cause they dont have to deal with this crap 
in their inbox.

-Jim
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

[Clamav-users] Building clamav 0.81 (broken zlib?)

[Jim Maul]

I am building clamav from src rpm from crash-hat.  It build just fine 
but i get the message:

configure: WARNING: ** This ClamAV installation may be linked against
configure: WARNING: ** a broken zlib version. Please DO NOT report any
configure: WARNING: ** stability problems to the ClamAV developers!
I know there were problems with older versions of zlib.  I am using 
zlib-1.2.2.2-1 which according to gzip.org/zlib/ isnt even out yet.  Is 
there a problem using this version of zlib with clamav 0.81?

-Jim
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Re: [Clamav-users] Phishing Questions

[Jim Maul]

Damian Menscher wrote:
On Thu, 27 Jan 2005, Jim Maul wrote:
Is it causing you (or anyone for that matter) a problem by clamav 
catching some phishing attempts as opposed to spamassassin catching 
them?  Whats really the issue here?  You just dont believe clamav is 
the right tool for that job, but is there REALLY a problem?  I doubt it.

Virus signatures typically rely on some binary attachment.  Phishing 
signatures rely on plaintext.  Therefore the probability of a false 
positive goes way up.  For those who drop/reject viruses, this is an 
unacceptable (and unnecessary) risk.

This is probably the best (and possibly only) reason i have heard to not 
detect them.  In a case where some people want the option and others 
dont, perhaps a way to turn off detection of these messages if you so 
choose is the best option.

If my car is broken usually I take it to a mechanic.  But if a friend 
of mine who happens to be a plumber can fix it also, does it really 
matter if I bring it to him instead?  No.

Great analogy.  What if you have two friends, one who happens to be a 
plumber, and one who happens to be a mechanic?  If it's free either way, 
who would you take it to?  Me, I'd take it to the mechanic.  Sure, the 
plumber can probably fix it.  But what if his solution to that fuel-line 
clog is a gallon of Drano?  Is it really worth the risk?
What if the plumber and the mechanic work on it together? ;)
-Jim
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Re: [Clamav-users] Phishing Questions

[Jim Maul]

Damian Menscher wrote:
On Thu, 27 Jan 2005, Trog wrote:
On Thu, 2005-01-27 at 09:25 -0800, Dennis Peterson wrote:
> We do a lot of on-line commerce. We cannot tolerate many false 
positives.
> Phishing exploits are something we deal with through education 
first, and
> filtering second. As phishers become more sophisticated and numerous 
false
> positives will rise leaving education as the final solution. I prefer
> using my filter processes for defending against them as I can fine tune
> them to our needs.

And how many Phishing false positives have you had exactly?

All of them.  ;)
Seriously, that's an unfair question.  When you're deleting people's 
email, how would they find out if there was a false positive?  With 
spam, it's standard practice to review a junk-mail box for false 
positives regularly.  Viruses are treated differently; nobody checks 
them for false positives.  That's why this is such a concern for those 
of us who depend on email.


We quarantine viruses, not delete.  Perhaps you should do the same.  A 
false positive on a virus is also likely, but you dont seem to have any 
problems deleting those.

We run NAV corp on about 200 workstations.  Just this morning i got a 
notification that 98 of them were infected with w32.randex.gen.  Being 
that these machines dont have web access (only email) and this virus is 
not spread through email, i found this highly unlikely.  Turns out 
symantecs newly distributed virus database had a false positive in it. 
Long story short, false positives do happen and you probably shouldnt be 
deleting ANY mail without first looking over it.  I realize that for 
large setups this is not likely possible due to lack of time and a large 
number of messages to review, but how can you honestly say you're 
worried about false positives in phishing attempts but delete virus 
infected mail without even looking back?

-Jim
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Re: [Clamav-users] Strange date in headers

[Jim Maul]

Nigel Horne wrote:
On Friday 28 Jan 2005 15:55, Joe Polk wrote:
Can someone tell me what the Jan 17 stands for in this clip from a header?
This mail came in on the 21st so I assume this is maybe an installation date?
X-Virus-Scanned: ClamAV 0.80/671/Mon Jan 17 09:16:31 2005 clamav-milter
version 0.80j on foo.foo.com 

man clamscan, look for "-V". clamav-milter picks it up from the same place as 
clamscan

Thats interesting.
[EMAIL PROTECTED] clamav]# clamscan -V
ClamAV 0.81/690/Fri Jan 28 07:09:45 2005
I didnt get to work until 9am today.  What happened at 7:09am this morning??
-Jim
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Re: [Clamav-users] Strange date in headers

[Jim Maul]

Tomasz Kojm wrote:
On Fri, 28 Jan 2005 11:17:54 -0500
Jim Maul <[EMAIL PROTECTED]> wrote:

Thats interesting.
[EMAIL PROTECTED] clamav]# clamscan -V
ClamAV 0.81/690/Fri Jan 28 07:09:45 2005
I didnt get to work until 9am today.  What happened at 7:09am this
morning??

Rather a simple puzzle...

Heh. Note to self: engage brain before typing.  Virus db updates.
-Jim
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Re: [Clamav-users] ArchiveMaxFileSize doesn't work

[Jim Maul]

Rémi gauthier wrote:
Le 7 févr. 05, à 19:36, Niek a écrit :
On 2/7/2005 6:51 PM +0100, Rémi gauthier wrote:
clamscan -V
ClamAV 0.81/700/Thu Feb  3 23:33:15 2005
clam
it works fine, but it seem to scan files who are bigger than 
ArchiveMaxFileSize define in /etc/clamav/clamd.conf.
clamd
scan it with clamdscan

i tried first but
clamdscan  --log=/var/log/re-scan.log --move=/home/virus/quarantine /home/
/home//avp/listavp: Unable to open file or directory ERROR
--- SCAN SUMMARY ---
Infected files: 0
Time: 0.002 sec (0 m 0 s)
User is qmailscan in /etc/clamav/clamd.conf


You either need to run clamd as a user who has access to this directory 
or run clamscan with the "--block-max" option.

clamscan does not use clamd.conf so this is not suprising that it doesnt 
listen to it.

check clamscan --help
--block-max  Block archives that exceed limits
-Jim
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Re: [Clamav-users] Deleting temporary files

[Jim Maul]

Jamie Saunders wrote:
Hi all,
I've recently installed clamav along with qmail-scanner on RedHat 9. 
Everything's working fine except that clamav is taking up all disk space 
on '/tmp with it's temporary database update files. As soon as '/tmp' is 
full it cannot download any more updates and spits out an error which 
prevents qmail from delivering any mail. I've currently setup a daily 
cron job to clear out all clamav-* folders on '/tmp', but I'm hoping 
there's a way of changing how clamav handles temporary files in it's 
configuration.  Any help much appreciated.

Sounds like debugging is enabled.
-Jim
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Re: [Clamav-users] Deleting temporary files

[Jim Maul]

Jamie Saunders wrote:
Jim Maul wrote:
Jamie Saunders wrote:
Hi all,
I've recently installed clamav along with qmail-scanner on RedHat 9. 
Everything's working fine except that clamav is taking up all disk 
space on '/tmp with it's temporary database update files. As soon as 
'/tmp' is full it cannot download any more updates and spits out an 
error which prevents qmail from delivering any mail. I've currently 
setup a daily cron job to clear out all clamav-* folders on '/tmp', 
but I'm hoping there's a way of changing how clamav handles temporary 
files in it's configuration.  Any help much appreciated.

Sounds like debugging is enabled.
-Jim
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Debugging is turned off in clamd.conf.  Here is the directory structure 
of one of the clamav folders in /tmp:

clamav-e3b114abc93db32
   |
   --- COPYING (17992)
   |
   --- main.db (3794792)
   | --- main.hdb (136626)
   |
   --- main.ndb (30528)
It looks to me like these are virus database files.  They are all owned 
by the user 'apache' which seems a little strange to me.

Jamie

Virus database files would be owned by the user that freshclam is 
running as.  So unless you are running clamav as 'apache' then i dont 
see how these tmp files could be created by clamav.

The other weird thing is that you should .db and .ndb files.  Clamav 
doesnt use these files by default.  In the more recent versions its 
using .cvd files.

Who is clamav running as?  Did you compile clamav from source or did you 
 use rpm, etc?

-Jim
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Re: [Clamav-users] Deleting temporary files

[Jim Maul]

Jamie Saunders wrote:
I've confirmed that clamav is running as qscand and is accessing the 
normal .cvd database files.  I remembered looking into a module for PHP 
that utilised the clamav api called, surprisingly enough, php-clamav 
.  I'm assuming this module was 
compiled against an older version of clamav which uses the .db files.  
If this is the cause of the mysterious temp files I don't want to simply 
disable the module as it's been used in a webmail PHP script.  However, 
I'm still no nearer to undestanding why these files are appearing in 
/tmp, where they're coming from and why they aren't being removed.

Well that would explain why they are owned by apache.  I tried checking 
out the link to php-clam you posted but the homepage 
(http://software.fotopic.net/) has no mention whatsoever about php-clam 
and there isnt a whole lot of info on the freshmeat page so its 
difficult to find out why this is happening.  Regardless, i dont believe 
its anything related to clamav directly.  Is there a php-clam list 
somewhere?

-Jim
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Re: [Clamav-users] Broken zlib version?

[Jim Maul]

Tarjei Knapstad wrote:
On Wed, 2005-02-16 at 15:11, Trog wrote:
On Wed, 2005-02-16 at 14:57 +0100, Tarjei Knapstad wrote:
On Wed, 2005-02-16 at 08:49, Dennis Peterson wrote:


A simple search in the archive for "zlib 1.2.2" turns this up:
http://lurker.clamav.net/message/20041103.143255.97fa22ec.en.html
It contains the references you are asking for, a link to the *current*
zlib homepage which has 1.2.2 all over it, and the front page then
states this:

Thanks Trog, that clears the haze. 

I thought the list archives were down (the archives link is borked if
you follow the link attached to the bottom of each post on the list).
Googling for zlib took me to the old site and does not show zlib.net in
the first 100 results. (Googling for "zlib 1.2.2" does not show either
in the first 100). Oh well :-S

Exactly, this is retarded.  I had the same problem.  Google for "zlib" 
returns http://www.gzip.org/zlib/ which shows 1.2.1 as current and has 
no mention of another website (namely zlib.net).  It also shows:

Canonical URL: http://www.gzip.org/zlib/
Mirror sites:
http://www.doc.cs.univ-paris8.fr/mirrors/zlib/ (France)
Ok fine..so now i hear zlib.net is the current site.
So over to www.zlib.net which says 1.2.2 is current. Aha! there it is. 
But on zlib.net there is no mention anywhere that www.gzip.org/zlib/ 
should not be used anymore and zlib.net even says:

Canonical URL: http://www.gzip.org/zlib/
Mirror sites:
http://www.zlib.net/ (US)
Which makes no sense at all.  I realize this is not a clamav issue, im 
just trying to point out the source of confusion WRT zlib and clamav.

-Jim
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Re: [Clamav-users] freshclam and milter --internal notification

[Jim Maul]

Damian Menscher wrote:
[6th try to get this sent out.]
And i've seen this messages 6 times already.

I'm using clamav-milter in the default mode (no --external flag).  As 
such, I
see no need to run clamd.  But freshclam doesn't like this very much:

freshclam[26975]: ERROR: Clamd was NOT notified: No socket specified in
/usr/local/encap/clamav-0.83/etc/clamd.conf
Now, clamav-milter will still see the updates, right?  Since it checks the
database for changes?  Or should I be doing something differently here, 
like
setting the socket in clamd.conf to the milter.sock (rather than the 
clamd.sock
it would normally have pointed to)?  If I'm not doing something wrong here,
then perhaps this freshclam message should be toned down a bit from 
ERROR to
Warning, or have a flag to disable it?

Damian Menscher
___
http://lurker.clamav.net/list/clamav-users.html

Re: [Clamav-users] Disabling ScanArchive ?

[Jim Maul]

Daniel J McDonald wrote:
On Tue, 2005-02-22 at 09:57 -0800, [EMAIL PROTECTED] wrote:
At 09:39 AM 2/22/2005, you wrote:
Due to license issues with the original RAR3.0 unpacker one of our
developers is working on a new version written from scratch. It's
planned for 0.90.

secondly, is there a way to employ unrar checking if one buys an unrar 
license and installs unrar - i couldn't quite see a hook to do that in 
clamd.conf.

amavis-new does rar unpacking using an external binary, then passes the
unpacked pieces to clamav.

As does qmail-scanner and i imagine a handful of other packages.
-Jim
___
http://lurker.clamav.net/list/clamav-users.html

[Clamav-users] Testing clamav virus catching ability

[Jim Maul]

I saw on another mailing list someone trying out some test viruses through
email that clamav wasnt catching.  I've tried the tests myself and out of
about 20 tests, i think 4 were caught by my mailserver running clamav with
the newest virus definitions.  Does anyone else have these results?  What
can be done about this?

BTW, the link is
http://www.testvirus.org/?co=

Thanks.

Jim Maul
Eastern Long Island Hospital
631-477-5417

My appologies if this is posted twice.  I accidently posted this message
to the virusdb list the first time.


smime.p7s
Description: S/MIME cryptographic signature

RE: [Clamav-users] pretty basic question - clamscan vs clamdscan

[Jim Maul]

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of
> Christopher X. Candreva
> Sent: Friday, January 09, 2004 1:00 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] pretty basic question - clamscan vs
> clamdscan
>
>
> On Fri, 9 Jan 2004 [EMAIL PROTECTED] wrote:
>
> > i installed clamav via the instructions quite a long time ago.
> i run it via
> > qmail-scanner. clamd is running, and messages are scanned by
> clamscan. so
> > where does clamdscan come in?? there's very little mention of
> clamdscan in
>
> Use clandscan instead of clanscan to have mail scaned by clamd.
>

The difference between up and down is that one is up and one is down.
Very profound, and not very helpful.  Why bother answering if the answer
in no way provides any explanation?

Jim Maul
Eastern Long Island Hospital


smime.p7s
Description: S/MIME cryptographic signature

RE: [Clamav-users] pretty basic question - clamscan vs clamdscan

[Jim Maul]

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Tom Walsh
> Sent: Friday, January 09, 2004 1:44 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [Clamav-users] pretty basic question - clamscan vs
> clamdscan
>
>
> > The difference between up and down is that one is up and one
> > is down. Very profound, and not very helpful.  Why bother
> > answering if the answer in no way provides any explanation?
>
> Why bother responding only to chide the response for its lack of content
> with more banter with similarly lacking substance?

I was attempting to make a point.  I appolgize if my response was just
another example of the exact thing i was bashing.

>
> To answer the question in a more detailed fashion... Clamd listens on a
> socket. Clamdscan is a client interface for talking to that socket.
>
> Clamd's purpose is to avoid the performance hit of forking a new process
> to scan a file or directory.
>

Thank you for a more detailed response.

> Tom Walsh
>
> It is Friday... Can't we all just get along?
>
>

Indeed.  Its been too long a week

Jim Maul
Eastern Long Island Hospital


smime.p7s
Description: S/MIME cryptographic signature

RE: [Clamav-users] pretty basic question - clamscan vs clamdscan

[Jim Maul]

I tried the test mentioned below and noticed my times were almost
identical.  I found the cause of this to be that my clamdscan was
symlinked to clamscan so they were 1 and the same.  Then i recalled a step
from the qmailrocks (www.qmailrocks.org) installation instructions that
says to rename clamdscan -> clamdscan.orig and symlink clamdscan to
clamscan.  This causes qmailscanner to detect clamuko instead of clamscan.

So, now im thinking, why was this done?  Im not sure if anyone here can
answer this, but what is clamuko and why would this be preferred over
clamdscan?

Thanks.
Jim Maul


> A simple comparison (very rough, but shows the idea):
>
> $ time clamscan /etc/services
> /etc/services: OK
>
> --- SCAN SUMMARY ---
> [...]
> Data scanned: 0.01 Mb
> I/O buffer size: 131072 bytes
> Time: 0.721 sec (0 m 0 s)
>
> real0m0.726s
> user0m0.680s
> sys 0m0.040s
>
>
> $ time clamdscan /etc/services
> /etc/services: OK
>
> --- SCAN SUMMARY ---
> Infected files: 0
> Time: 0.008 sec (0 m 0 s)
>
> real0m0.012s
> user0m0.000s
> sys 0m0.000s
>
>
> Depending on which times one compares, one gets:
>
> 0.721/0.008 ~= 90  or:
>
> 0.726/0.012 ~= 60.
>
> You can see the difference! ;-)
>
> --
>


smime.p7s
Description: S/MIME cryptographic signature

RE: [Clamav-users] SCO.a

[Jim Maul]

I am having this problem as well.  I have about 20 emails in my quaratine
which my qmail-scanner blocked because they had .exe or /pif attachments.
We have these attachment types blocked for security reasons.  However it
turns out these attachements all had virii in them.  Some flat out .exe
attachments, some .exe attachments in zip files and some that are using
different types of encoding to fool virus scanners.  I ran clamdscan on my
quarantine folder and NO messages are found to contain the Mydoom/Novarg
virus.  I know for a fact atleast 5 are infected.  I ran freshclam twice
this morning and it got updates both times.

I am running clamd 0.65 and my virus defs are as follows:

ClamAV update process started at Tue Jan 27 09:38:23 2004
main.cvd is up to date (version: 19, sigs: 19987, f-level: 1, builder:
ddm)
daily.cvd updated (version: 108, sigs: 593, f-level: 1, builder: ddm)
Database updated (20580 signatures) from database.clamav.net
(207.201.202.73).

Everything looks good yet Novarg is NOT detected.

Thanks

Jim Maul
Eastern Long Island Hospital
631-477-5417

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Shawn
> Tayler
> Sent: Tuesday, January 27, 2004 9:31 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] SCO.a
>
>
>
>
> Nigel,
>
> I have several examples of this.  Even with older virii.
>
> Would you be interested in them as well?
>
> Shawn
>
> On Tue, 27 Jan 2004 08:52:58 + Nigel Horne <[EMAIL PROTECTED]>
> exclaimed:
>
> > On Tuesday 27 Jan 2004 3:11 am, McKeever Chris wrote:
> >
> > > Any suggestions?  It finds other virii fine when they are still
> > > encoded, maybe the definitions need to be added for its MIME
version?
> >
> > Please forward an *original* copy (hmm, that's a contradiction in
terms)
> > of the e-mail to me at [EMAIL PROTECTED] and I'll look into it.
> >
> > > Chris McKeever
> > > If you want to reply directly to me, please use
> > > cgmckeever--at--prupref---dot---com http://www.prupref.com
> >
> > -Nigel
> >
> > --
> > Nigel Horne. Arranger, Composer, Typesetter.
> > NJH Music, Barnsley, UK.  ICQ#20252325
> > [EMAIL PROTECTED] http://www.bandsman.co.uk
> >
> >
> >
> > ---
> > The SF.Net email is sponsored by EclipseCon 2004
> > Premiere Conference on Open Tools Development and Integration
> > See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
> > http://www.eclipsecon.org/osdn
> > ___
> > Clamav-users mailing list
> > [EMAIL PROTECTED]
> > https://lists.sourceforge.net/lists/listinfo/clamav-users
> >
>
>
> ---
> The SF.Net email is sponsored by EclipseCon 2004
> Premiere Conference on Open Tools Development and Integration
> See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
> http://www.eclipsecon.org/osdn
> ___
> Clamav-users mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/clamav-users
>


smime.p7s
Description: S/MIME cryptographic signature

[Clamav-users] Correction to my last post regarding viruses not found

[Jim Maul]

Sorry to have bothered everyone with my problem here but i have found the
resolution.

using the --mbox flag on the command line with clamdscan correctly
identifies about 95% of all viruses in email in my quarantine directory.

Thanks to all for the hints (changing softlimit and restarting clamd).

Hope this of help to the others that are having similar problems.

Jim Maul
Eastern Long Island Hospital
631-477-5417


smime.p7s
Description: S/MIME cryptographic signature

[Clamav-users] Viruses not detected, Please help.

[Jim Maul]

I hope that there is someone that can help me with this, i have been going
quite crazy trying to figure it out myself.

I am running clamav using the setup from www.qmailrocks.org.

ClamAV 0.65

FreshClam output:
ClamAV update process started at Wed Jan 28 09:59:38 2004
Reading CVD header (main.cvd): OK
main.cvd is up to date (version: 19, sigs: 19987, f-level: 1, builder:
ddm)
Reading CVD header (daily.cvd): OK
daily.cvd is up to date (version: 110, sigs: 596, f-level: 1, builder:
tomek)

I have a /var/spool/qmailscan/quarantine Maildir with about 50 emails in
it all containing attachments of some sort.  Manually looking at them, i
can see that about 40 have the SCO.A/Novarg virus.  However, running
clamdscan (or clamscan for that matter) on this Maildir directory tells me
that there are no infected files.  I have tried restarting clamd as
someone has suggested but that has not helped.

I really dont know what could be causing this.  The only thing i can think
of is at one point on the qmailrocks setup there is a step that says to
rename clamdscan to clamdscan.orig and then copy a new clamdscan into its
place.  What this does is cause qmail-scanner to use clamuko instead of
regular clam. Could this be the problem?  I have tried running the
clamdscan.orig instead but when i do that, i get the following error:
/var/spool/qmailscan/quarantine/new: Can't access the file ERROR

--- SCAN SUMMARY ---
Infected files: 0
Time: 0.000 sec (0 m 0 s)

I have tried everything that i can think of and it has not helped.  Can
anyone offer any ideas or insight into this problem?  A virus scanner
which scans an infected email and tells me its clean is not much help at
all.

Thank you.

Jim Maul
Eastern Long Island Hospital
631-477-5417


smime.p7s
Description: S/MIME cryptographic signature

Re: [Clamav-users] Correction to my last post regarding viruses not found

[Jim Maul]

Actually, it technically is clamscan, but for the installation i used
(www.qmailrocks.org) a step in there says to copy clamscan to clamdscan so
running clamscan and clamdscan effectively means the same thing.  So yes
technically you are correct, but for my setup, my statement is correct as
well.  Not to mention that using the original clamdscan (which is now
clamdscan.orig on my system) gives me an error and will not scan any
files.

[EMAIL PROTECTED] jmaul]# clamdscan.orig
/home/jmaul: Can't access the file ERROR

It does this for ANY file i try to scan.

Thanks for the reply though.

Jim

> Hi all,
>
> I think you should say clamscan with --mbox because I haven't found
> --mbox flag for clamdscan isn't it?
>
> Nevertheless if a similar flag exist flag exist for clamdscan (0.65
> release) I will be very interrested in.
>
> Best regards,
>
>
> Jose THOMAS.
>
>


---
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

RE: [Clamav-users] Clamdscan problem

[Jim Maul]

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Thomas
> Lamy
> Sent: Thursday, January 29, 2004 3:06 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] Clamdscan problem
>
>
> Jose R. Ortiz Ubarri wrote:
>
> > # clamdscan readme.zip
> > /root/readme.zip: Can't access the file ERROR
> >
> > --- SCAN SUMMARY ---
> > Infected files: 0
> > Time: 0.001 sec (0 m 0 s)
> >
> >
> > And everything I try to scan gives me the same ERROR.
> >
> >
> I suspect clamd is not running as root, and an ordinary user doesn't
> have privileges to read that file.
>
> Thomas
>

I have this problem as well.  Thing is, i start the clamd service while i
am root, but clamd is running as my clamav user.  I always thought this
was the correct way to do it.  Isnt clamd running as root a bad idea?

my clamav.conf shows:

# Run as selected user (clamd must be started by root).
# By default it doesn't drop privileges.
User clamav

It was set this way by default, i made no changes.  Is something else
wrong?

Thanks
Jim


smime.p7s
Description: S/MIME cryptographic signature

RE: [Clamav-users] sco.a+clamav+qmailscan

[Jim Maul]

Try the --mbox option on clamscan.  I was having this problem too.

Jim

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of McKeever
> Chris
> Sent: Monday, February 02, 2004 10:42 PM
> To: [EMAIL PROTECTED]
> Subject: [Clamav-users] sco.a+clamav+qmailscan
> 
> 
> I am able to quarantine files based on attachments using 
> qmail-scanner.  However, when they are in the quarantine, 
> clamscan (not clamdscan) is not picking the sco.a virus.  It 
> finds the sco.a when it is just a regular file, it picks up other 
> viruses when they
> are in the quarantine, I am just having an issue with sco..
> 
> Any ideas?
> 
> 
> 
> ---
> Chris McKeever
> If you want to reply directly to me, please use 
> cgmckeever--at--prupref---dot---com
> http://www.prupref.com
> 
> 
> 
> 
>  Prudential Preferred Properties   www.prupref.com  
> 
> 
> 
> ---
> The SF.Net email is sponsored by EclipseCon 2004
> Premiere Conference on Open Tools Development and Integration
> See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
> http://www.eclipsecon.org/osdn
> ___
> Clamav-users mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/clamav-users
> 


---
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

RE: [Clamav-users] MyDoom???

[Jim Maul]

did you try running clamscan with the --mbox option?

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Dinko
> Ivanov
> Sent: Wednesday, February 04, 2004 7:57 AM
> To: [EMAIL PROTECTED]
> Subject: [Clamav-users] MyDoom???
> 
> 
> Well, but i can not detect it with clamscan! Why?
> This my report:
> Known viruses: 20612
> Scanned directories: 1
> Scanned files: 63
> Infected files: 0
> Data scanned: 90.24 MB
> 
> This returned from freshclam:
> 
> ]# freshclam
> ClamAV update process started at Wed Feb  4 15:07:55 2004
> Reading CVD header (main.cvd): OK
> main.cvd is up to date (version: 19, sigs: 19987, f-level: 1, 
> builder: ddm)
> Reading CVD header (daily.cvd): OK
> daily.cvd is up to date (version: 119, sigs: 625, f-level: 1, 
> builder: ddm)
> 
> 
> 
> ---
> The SF.Net email is sponsored by EclipseCon 2004
> Premiere Conference on Open Tools Development and Integration
> See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
> http://www.eclipsecon.org/osdn
> ___
> Clamav-users mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/clamav-users
> 


---
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

[Clamav-users] LibClam error while scanning

[Jim Maul]

When trying to scan some messages in my quarantine directory, i am getting
the following output:

LibClamAV Warning: Ignoring empty field in " charset="

This happens with about 5 out of 800 messages.

Anyone have any ideas what might be causing this?

Thanks.

Jim Maul
Eastern Long Island Hospital
631-477-5417



---
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

RE: [Clamav-users] LibClam error while scanning

[Jim Maul]

> On Wednesday 04 Feb 2004 5:52 pm, Jim Maul wrote:
> > When trying to scan some messages in my quarantine directory, i
> am getting
> > the following output:
> >
> > LibClamAV Warning: Ignoring empty field in " charset="
>
> > Anyone have any ideas what might be causing this?
>
> Virus writers don't honour RFCs (what a surprise!)
>

hehe i thought this was the cause (malformed messages) but i wasnt sure.
Thanks for clarifying.

Jim



---
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

RE: [Clamav-users] Building RPMS from tarball

[Jim Maul]

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Michael
> St. Laurent
> Sent: Thursday, February 12, 2004 12:25 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [Clamav-users] Building RPMS from tarball
>
>
> Tarjei Knapstad  wrote:
> > There's also one in the "Binary packages" page, if you follow the link
> > to Fedora packages. It has binaries, an SRPM and the .spec file for
> > 0.66:
> >
> > http://crash.fce.vutbr.cz/crash-hat/1/clamav/
> >
> > (I've installed these binary packages on our RH 8.0 server without
> > probs.)
>
> Were there any dependency issues to be solved?  The .spec file
> looks like it
> requires the fedora user and group management packages to be installed.
>
>

Dont know about building from the srpms, but using the rpms worked just fine
to upgrade my 0.65 to 0.66.

Jim



---
SF.Net is sponsored by: Speed Start Your Linux Apps Now.
Build and deploy apps & Web services for Linux with
a free DVD software kit from IBM. Click Now!
http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

Re: [Clamav-users] freshclam as non-privileged user?

[Jim Maul]

> Prior to upgrading to clamav 0.66, I have been running freshclam with
> the same unprivileged user that runs clamd.  However, it has stopped
> working:
> [EMAIL PROTECTED] clamav]$ freshclam
> ERROR: LOGGER: Can't open file /var/log/clamav/freshclam.log to write.
> ERROR: Problem with internal logger.
>

does the "unprivileged user" have access to write to /var/log/clamav/ ??

Jim


---
SF.Net is sponsored by: Speed Start Your Linux Apps Now.
Build and deploy apps & Web services for Linux with
a free DVD software kit from IBM. Click Now!
http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

RE: [Clamav-users] freshclam as non-privileged user?

[Jim Maul]

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Daniel J
> McDonald
> Sent: Friday, February 13, 2004 8:59 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] freshclam as non-privileged user?
>
>
> On Thu, 2004-02-12 at 18:24, Jim Maul wrote:
> > > Prior to upgrading to clamav 0.66, I have been running freshclam with
> > > the same unprivileged user that runs clamd.  However, it has stopped
> > > working:
> > > [EMAIL PROTECTED] clamav]$ freshclam
> > > ERROR: LOGGER: Can't open file /var/log/clamav/freshclam.log to write.
> > > ERROR: Problem with internal logger.
> > >
> >
> > does the "unprivileged user" have access to write to /var/log/clamav/ ??
> >
>
> Nope.  It did not have write permission under 0.65 either.
> --

Well i find that quite odd.  I dont see how it would be possible to write to
a directory if the user does not have the access to do so.  Judging by your
prompt, your trying to run freshclam as amavis.  What user do you have
specified in /etc/freshclam.conf?  This user needs to be able to write to
/var/log/clamav/freshclam.conf.  Just change permissions and you should be
set.

Jim



---
SF.Net is sponsored by: Speed Start Your Linux Apps Now.
Build and deploy apps & Web services for Linux with
a free DVD software kit from IBM. Click Now!
http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

Re: [Clamav-users] Re: Virus List

[Jim Maul]

> On Sun, 22 Feb 2004 17:07:06 +0100 (CET), Jesper Juhl <[EMAIL PROTECTED]> wrote:
>>
>> run  "sigtool --list-sigs"
>>
>> note that the name ClamAV uses for a virus is not always the same that
>> some of the other scanners use.
>
> Thanks all.
>
> I've just checked the man page for sigtool, and there is no mention of
> the -l or --list-sigs option. Howerver, it works.
>

sigtool --help

will show it.  For some reason, its not in the man page.


---
SF.Net is sponsored by: Speed Start Your Linux Apps Now.
Build and deploy apps & Web services for Linux with
a free DVD software kit from IBM. Click Now!
http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

[Clamav-users] Re: Multiple viruses in same file.

[Jim Maul]

-Original Message-
From: Virgo Pärna <[EMAIL PROTECTED]>
Sent: Wednesday, 25. Feb 2004 3:01 -0500
To: [EMAIL PROTECTED]
Subject: [Clamav-users] Re: Multiple viruses in same file.

On Wed, 25 Feb 2004 09:32:50 +0800, cc <[EMAIL PROTECTED]> wrote:
> 
> But wouldn't that waste cpu cycles when it has already been confirmed
> that the said file is infected? I mean, if say you were scanning your
> 

Actually, my idea was to have switch to enable it Not to do
it by default, but to have this ability for testing purposes. Like
this CIH, that was detected as Swen.A by NAV. With full db scan clamav
would have been able to show me (probably), that the file is CIH #2
and Gibe.F. I do agree, that it would be useless in real use in
server. Which raises another question - if NAV and clamav detected
virus differently, does this mean, that NAV virus database has newest
viruses first while clamav has newest last? 


Isnt this an issue of AV programs calling viruses by different names and
not actually a file infected with multiple viruses?





---
SF.Net is sponsored by: Speed Start Your Linux Apps Now.
Build and deploy apps & Web services for Linux with
a free DVD software kit from IBM. Click Now!
http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

RE: [Clamav-users] Segmentation Fault (Again)!

[Jim Maul]

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Philipp
> Grosswiler
> Sent: Thursday, February 26, 2004 3:34 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [Clamav-users] Segmentation Fault (Again)!
>
>
> Hello Trog.
>
> > It's likely that a file it is scanning is causing the
> > failure. Would it be possible to isolate which file(s) it is
> > scanning at the time?
>
> It doesn't seem to be the e-mail it was scanning, or I can't exactly say
> which e-mail it was (unfortunately clamd doesn't show much in the logs).
>
> Maybe this should be enhanced in the future, to give more details of the
> connection, like SpamAssassin's spamd is doing:
>
> Feb 26 21:31:11 db spamd[19119]: connection from my.domain.com [127.0.0.1]
> at port 4716
> Feb 26 21:31:11 db spamd[24228]: processing message
> <[EMAIL PROTECTED]> for
> [EMAIL PROTECTED]:65534.
> Feb 26 21:31:12 db spamd[24211]: identified spam (113.6/5.0) for

That is an _incredibly_ high spam score.  I've never seen over 30.

On a more 'relative to the topic' note, logging like that of spamd would be
quite nice. :)

Jim



---
SF.Net is sponsored by: Speed Start Your Linux Apps Now.
Build and deploy apps & Web services for Linux with
a free DVD software kit from IBM. Click Now!
http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

RE: [Clamav-users] clamd leaking

[Jim Maul]

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of John Jolet
> Sent: Friday, February 27, 2004 11:55 AM
> To: clamav list
> Subject: [Clamav-users] clamd leaking
> 
> 
> my bad.  Turns out it's not clamd leaking.  It's kde :)
> Got clamd working with postfix via amavisd.  works great (i think, 
> haven't been sent a virus yet).

clamD, kDei can see the resemblance ;)

Of course it works great.

Jim


---
SF.Net is sponsored by: Speed Start Your Linux Apps Now.
Build and deploy apps & Web services for Linux with
a free DVD software kit from IBM. Click Now!
http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

RE: [Clamav-users] ClamAV 0.67 upgrade from.065 doesn't work

[Jim Maul]

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Marc
> Brooks
> Sent: Friday, February 27, 2004 1:37 PM
> To: '[EMAIL PROTECTED]'
> Subject: [Clamav-users] ClamAV 0.67 upgrade from.065 doesn't work
>
>
> After upgrading from 0.65 to 0.67 on FreeBSD clamav went from finding 100+
> viruses a day to 0 a day..
>
> Any suggestions? The daemon and milter are running.
>

You have run freshclam successfully after upgrading yes?

Jim



---
SF.Net is sponsored by: Speed Start Your Linux Apps Now.
Build and deploy apps & Web services for Linux with
a free DVD software kit from IBM. Click Now!
http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

RE: [Clamav-users] www.testvirus.org Test #17

[Jim Maul]

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Everton da
> Silva Marques
> Sent: Friday, February 27, 2004 3:21 PM
> To: [EMAIL PROTECTED]
> Subject: [Clamav-users] www.testvirus.org Test #17
>
>
> Hi,
>
> Can anyone provide hints on how to make
> clamd to catch test #17 [1] from
> www.testvirus.org?
>
> I'm running 0.67-1 with ScanMail enabled.

I would assume the actual process would vary depending on your setup, but
all i had to do to catch 16 and 17 is install TNEF.  When i rebuilt
qmail-scanner, it detected TNEF and its been working ever since.

Jim



---
SF.Net is sponsored by: Speed Start Your Linux Apps Now.
Build and deploy apps & Web services for Linux with
a free DVD software kit from IBM. Click Now!
http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

Re: [Clamav-users] Re: 5 from testvirus.com came through

[Jim Maul]

> Nigel Horne wrote:
>
>>On Friday 27 February 2004 10:27 pm, Bryce wrote:
>>
>>
>>>Test # 17, 8, 5, 4, and 2 are making it through. I am using version .65.
>>>What can I do to prevent this?
>>>
>>>
>>
>>Binhex was added in 0.67, so all binhex encoded e-mails will get through
>>unless you upgrade.
>>
>>-Nigel
>>
>>
>>
> I guess that answers my question about test 8 as well.
>
>
I am using 0.67 and the binhex ones (5,8) are still getting through. 
Actually, they are the only ones out of 17 that are not stopped.  Are they
any special options that need to be enabled to catch the binhex encoded
emails?

Thanks
Jim


---
SF.Net is sponsored by: Speed Start Your Linux Apps Now.
Build and deploy apps & Web services for Linux with
a free DVD software kit from IBM. Click Now!
http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

RE: [Clamav-users] sendmail devel?

[Jim Maul]

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of John
> Vestrum
> Sent: Friday, March 05, 2004 2:05 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] sendmail devel?
>



>  On the other hand, remove sendmail and install Postfix instead.
> Forget rpm, compile from source. Amavisd-new is a nice package to
> tie Postfix
> to ClamAV. 
>
> John

Or qmail.  Both are more secure than sendmail.

just my 0.218698 pesos

Jim



---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

RE: [Clamav-users] sendmail devel?

[Jim Maul]

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Antony
> Stone
> Sent: Friday, March 05, 2004 3:32 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] sendmail devel?
>
>
> On Friday 05 March 2004 8:22 pm, redragon wrote:
>
> > This could end up being a long drawn out battle.
>
> That is not what I intended to start when I posted my question,
> and I hope it
> doesn't happen.
>
> > I personally prefer
> > sendmail to any other MTA and have no security issues with it.  Like any
> > other piece of software you install it must be maintained.
>
> Agreed.   I personally like sendmail, but that's partly simply
> because I know
> it better than other MTAs.
>
> I simply wanted to know if people were aware of any recent assessments
> comparing the security of sendmail vs. other MTAs, showing that sendmail
> still has problems.   The opinion expressed by Jim, that sendmail is less
> secure than postfix or qmail, suggested to me that he might have
> something to
> support it, and I would be very interested to see that.
>

Well sorry to disappoint, but there is no recent support to my claims.
Indeed i do not wish to start any quarrels with anyone so i hope that does
not happen here.  I was simply basing my claims on the history of the
software.  I do not run sendmail so i can not vouch for its current
security.  Simply put, i do not need all the fancy stuff that sendmail
supports.  Ease of installation/use is the main reason i use qmail.

It all comes down to what YOU need your mta to do.  Neither is better/worse
than any other.  IMHO the problem with sendmail is that when it was
designed, the author had NO idea just how popular it was going to be.  Had
he known, im sure it would have been designed differently.

On a (not so) side not, does sendmail support maildirs?  I tried finding the
answer to this on the website, but no luck.

Jim



---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

RE: [Clamav-users] sendmail devel?

[Jim Maul]

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Jeff
> Ramsey
> Sent: Friday, March 05, 2004 3:47 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] sendmail devel?
>
> And while we're digging up old hatchets that have been buried long ago,
> I use vi over emacs.
>

My workstation has an amd processor instead of intel and i have an nvidia
vid card not ati.

With that said, we should all probably stop this before someone gets hurt.



---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

RE: [Clamav-users] sendmail devel?

[Jim Maul]

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Hanford,
> Seth
> Sent: Friday, March 05, 2004 3:57 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] sendmail devel?
>
>
> > Why does multiple or single domains matter to the POP3 server?
>
> The only thing I can imagine off the top of my head is user accounts -- if
> you have [EMAIL PROTECTED] and [EMAIL PROTECTED], you need to make sure that
> your POP3 server doesn't think they both necessarily use the same mailbox
> b/c they are both named Joe.  Granted, a lot of other pieces (MTA, MDA,
> etc.) also need to have the exact same idea of who is who.
>
> Seth
>
>

Exactly, usually to solve this problem, the username is [EMAIL PROTECTED]
instead of just user.  There are other variations on this too
(user%domain.com ive seen before as well)

Jim



---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

Re: [Clamav-users] sendmail devel?

[Jim Maul]

> Some "pop3" services work of the system accounts (/etc/passwd) while
> others
> are database driven and use a "seperate" system.  The only thing you need
> to
> make sure is that the pop3 system your using works on the same level that
> your MTA does.  qpopper, courier, ipop all seem to work off system user
> accounts while other things such as hive work off a database driven mail
> system.
>

I dont know about courier pop, but courier imap works with virtual users
(neither system nor database driven accounts).  But that is together with
vpopmail so...




---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

[Clamav-users] duh, ignore my last question

[Jim Maul]

my apologies, it was almost 5pm on a friday and for some reason i asked if
sendmail supports maildirs.  musta been a brain fart cause obviously thats
not the mta's job.  Feel free to point and laugh.

Thanks
Jim


---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

RE: [Clamav-users] Re: Simple patch for dealing with password zip files

[Jim Maul]

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of
> Jean-Francois Guilmard
> Sent: Monday, March 08, 2004 1:30 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [Clamav-users] Re: Simple patch for dealing with password
> zip files
>
>
> What about .html   ???
>

He doesnt mean more than 3 character extensions, but more than 1 extension.
like file.html.exe as opposed to just file.html.

Jim



---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

RE: [Clamav-users] Freshclam 0.67 doesn't switch user

[Jim Maul]

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Faejon
> Sent: Monday, March 08, 2004 1:28 PM
> To: [EMAIL PROTECTED]
> Subject: [Clamav-users] Freshclam 0.67 doesn't switch user
> 
> 
> I upgraded from version 0.65 to 0.67 and now my freshclam wont recognize
> the -u or --user switch. It does not give an error it simply ignores the
> command and runs as clamav. This used to work in version 0.65.
> 
> I run my clamd as user avscan so that it ties in with amavisd-new. The
> problem I have is that freshclam then can't use the socket to 
> clamd because
> it's owned by avscan and not clamav.
> 
> 
> 

you probably want to change DatabaseOwner in /etc/freshclam.conf

0.67 uses conf file for freshclam options.

Jim


---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

RE: [Clamav-users] Re: Simple patch for dealing with password zipfiles

[Jim Maul]

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Eric
> Rostetter
> Sent: Monday, March 08, 2004 2:32 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] Re: Simple patch for dealing with password
> zipfiles
> 
> 
> Quoting John Jolet <[EMAIL PROTECTED]>:
> 
> > This brings up an interesting point.  I've never seen a 
> legitimate file on a
> > windows box with two or more 3-character extensions.  Would it be a bad
> > assumption to make?
> 
> Yes.  Because not all machines are windows machines. Because the e-mail
> may just be going through the windows box on its way elsewhere.  Because
> people make mistakes (save their word file as file.doc so it becomes
> file.doc.doc, etc).
>

Windows hiding file extensions for known file types by default is a huge cause of 
multiple file extensions.  I really hate that microsoft has done this.

Jim



---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id70&alloc_id638&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

RE: [Clamav-users] PB: ClamAV works but doesn't detect viruses

[Jim Maul]

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of
> Jean-Francois Guilmard
> Sent: Monday, March 08, 2004 3:08 PM
> To: [EMAIL PROTECTED]
> Subject: [Clamav-users] PB: ClamAV works but doesn't detect viruses
> 
> 
> 
> Hi guys,
> 
> Clamav is on my servers for quite a while, with clamscan: 0.65. 
> spamassassin: 2.61 qmail-scanner-queue 1.16
> 
> I was quite happy about all of that, but I recently figured out 
> that clamv doesnt intercept the viruses I launched the tests from 
> www.testvirus.org and all of them pass through ?
> 

This is not really JUST a clamav issue.  A lot of people start complaining to the 
clamav mailing list when tests from testvirus.org pass through their server.  In 
reality it is only sometimes a clamav issue but usually not.  qmail-scanner needs to 
have access to a mime program to be able to deal with the mime encoded messages 
(reformime), a binhex program to deal with the binhex encoded messages (hexbin), and 
an unzip program to be able to unzip messages.  Make sure you have all these 
installed, recompile qmail-scanner (you may want to get 1.2 from sourceforge) and you 
will notice a decrease in the number of tests that pass through.  Also, check out the 
TNEF package (i forget where) which will stop the microsoft outlook vulnerability 
tests.



> 
> Is there anything wrong ?

Yes, you are running outdated versions of all 3 pieces of software.

Jim



---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id70&alloc_id638&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

RE: [Clamav-users] Re: sendmail devel?

[Jim Maul]

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Stephen
> Gran
> Sent: Tuesday, March 09, 2004 6:25 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] Re: sendmail devel?
>
>
> On Mon, Mar 08, 2004 at 12:43:56PM +, Virgo Pärna said:
> > On Fri, 5 Mar 2004 16:17:45 -0500, Jim Maul <[EMAIL PROTECTED]> wrote:
> > >
> > > On a (not so) side not, does sendmail support maildirs?  I
> tried finding the
> > > answer to this on the website, but no luck.
> > >
> >
> >  IIRC sendmail does not do delivery to mailbox by itself but uses
> > something like procmail/maildrop to do it (there are others to). So
> > question is - does procmail support Maildir (useally sendmail is used
> > with procmail) - and it seems to support it.
>
> Yes:
> DEFAULT=$HOME/Maildir/
>
> Note the trailing slash.  That's all you need for sendmail + Maildir
> with procmail.
>

This thread has stuck around longer than i had hoped and look, im prolonging
it even more.  Besides being a dumb question to ask (sendmail doesnt do
local delivery so how could it support maildir) it wasnt even the question
that i wanted to ask.  What i had initially wanted to know is can
procmail/maildrop support virtual users.  using DEFAULT=$HOME/Maildir is not
going to work when i have 200 users with no home dirs.

Thanks
Jim



---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

RE: [Clamav-users] Please help "ERROR: Parse error at line 142: Unknown option Archive"

[Jim Maul]

-Original Message-
>From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of bryce
>Sent: Tuesday, March 09, 2004 1:31 PM
>To: [EMAIL PROTECTED]
>Subject: [Clamav-users] Please help "ERROR: Parse error at line 142:
Unknown option Archive"
>Here is the error that I am getting. I don't understand why Archive would
not be known
>ERROR: Parse error at line 142: Unknown option Archive.
>ERROR: Can't open/parse the config file /usr/local/etc/clamav.conf

Why shouldnt archive be an unknown option?  There is no option called just
"Archive".  What are you trying to accomplish?


All options with Archive:

## Archive support
ScanArchive
ArchiveMaxFileSize 10M
# Archives are scanned recursively - e.g. if Zip archive contains RAR file,
ArchiveMaxRecursion 5
ArchiveMaxFiles 1000
ArchiveMaxCompressionRatio 200
#ArchiveLimitMemoryUsage
# (This option doesn't depend on ScanArchive, you can have archive support
ClamukoScanArchive


Jim



---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

Re: [Clamav-users] debian/qmail install

[Jim Maul]

> I've just installed clamav 0.67 on stable debian, from a
> debian backport, using "apt-get install clamav".
> (qmail is the MTA)
> The package installs the following 6 modules:
> clamav, clamav-base, clamav-freshclam
> libclamav1, libgmp3, ucf.
> *
> I can successfully use clamscan to scan and detect
> a virus within the file system, but it isn't scanning
> any email.
> *
> From what I've read it seems like Clamav should
> be used in conjuction with another scanner like
> qmail-scanner.  clamav should be installed first.
> *
> Does anyone have any experience with or would
> be willing to point me to documentation for
> clamav, qmail, debian linux?
>
> Thanks,
> -Rick
>

http://www.qmailrocks.org/

It discusses a complete qmail/clamav/spamassassin/qmail-scanner/plus more
installation but you may be able to adapt it for your own needs. 
qmail-scanner is easy to compile on its own, but to do that, you will need
to patch qmail and recompile it as well.

Jim


---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

RE: [Clamav-users] PB: ClamAV works but doesn't detect viruses

[Jim Maul]

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Michael
> Shekman
> Sent: Wednesday, March 10, 2004 9:13 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [Clamav-users] PB: ClamAV works but doesn't detect viruses
> 
> 
> I  have a different issue: ALL the tests from testvirus.org are 
> detected, but my virus log is very slow: I am talking about 1-2 
> catches per day. Does that mean, that my clamav is not working, 
> or I am in an extremely "safe" area of Internet(-:)?
> 
> I wonder, what others' virus logs look like?
> 


My Qmail-Scanner Statistics show:

Qmail-Scanner stopped 1317 viruses since Mon, 23 Feb 2004 10:59:06 

About 70% are Worm.SCO

Jim


---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

RE: [Clamav-users] Bagle.N Virus cannot be detected by local clamscan

[Jim Maul]

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Ling Ho
> Sent: Monday, March 15, 2004 2:06 PM
> To: [EMAIL PROTECTED]
> Subject: [Clamav-users] Bagle.N Virus cannot be detected by local
> clamscan
> 
> 
> Hi
> 
> One of my user (and possibly another) received a mail with an attachment
> Document.zip and password in a jpeg file. McAfee detected it as 
> Bagle.N and
> ClamAV website site detected it as Worm.Bagle.Gen-zippwd-2 . 
> However, when I ran
> clamscan on my Linux mail server with update 185, it doesn't 
> detect the mail.
> 185 is the latest update I have at this point. The clamscan 
> version is 0.65 .
> 

I believe upgrading to 0.67 will solve this problem.

Jim


---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

[Clamav-users] Freshclam died

[Jim Maul]

I am running 0.67-1 from RPM on redhat 9.

I used to run freshclam from cron but since the daemonized 0.67 freshclam
was released i have been using it that way to reduce load on freshclam
servers.  Anyway, this morning i noticed that freshclam wasnt running.
Checking my freshclam.log shows

--
ClamAV update process started at Sun Mar  7 17:31:59 2004
ERROR: Maximal time (1200 seconds) reached.

And that was it.  There hasnt been another entry since and freshclam quit
after it.  I supposed it is acceptable that due to network issues, freshclam
may be unable to update the database, but it definitely should not die
because of it.

Restarting freshclam (service freshclam start) works fine again but does
anyone know why it died to begin with?  I may just go back to the cron
version to prevent this in the future.

Thanks

Jim Maul
Eastern Long Island Hospital
631-477-5417



---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

RE: [Clamav-users] Freshclam died

[Jim Maul]

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Tomasz
> Kojm
> Sent: Tuesday, March 16, 2004 3:03 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] Freshclam died
> 
> 
> On Tue, 16 Mar 2004 11:28:53 -0500
> "Jim Maul" <[EMAIL PROTECTED]> wrote:
> 
> > I am running 0.67-1 from RPM on redhat 9.
> > 
> > I used to run freshclam from cron but since the daemonized 0.67
> > freshclam was released i have been using it that way to reduce load on
> > freshclam servers.  Anyway, this morning i noticed that freshclam
> > wasnt running. Checking my freshclam.log shows
> > 
> > --
> > ClamAV update process started at Sun Mar  7 17:31:59 2004
> > ERROR: Maximal time (1200 seconds) reached.
> > 
> > And that was it.  There hasnt been another entry since and freshclam
> > quit after it.  I supposed it is acceptable that due to network
> > issues, freshclam may be unable to update the database, but it
> > definitely should not die because of it.
> 
> We are aware of it and that should be fixed in the final 0.70 version.
> 

Thanks for the reply.  Patiently waiting

Jim


---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

RE: [Clamav-users] testvirus.org eicar tests failing w/ ClamAV version devel-20040316 on OSX+CGPro

[Jim Maul]

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of
> OpenMacNews
> Sent: Wednesday, March 17, 2004 11:27 AM
> To: ClamAV Users List
> Subject: [Clamav-users] testvirus.org eicar tests failing w/ ClamAV
> version devel-20040316 on OSX+CGPro
>
>
> hi,
>
> ClamAV version devel-20040316, built on OSX 10.3.3, and
> integrated into CommunigatePro 4.1.8, is consistently failing
> to detect the following Eicar tests from www.testvirus.org:
>

I would just like to point out that MOST of these are not problems with
clamav at all.  I can not say how to get clamav to detect these because that
is dependant on how clamav is called and how it integrates with your mta.


> Test #5: Eicar virus sent using BinHex encoding
>
> Test #8: Eicar virus sent using BinHex encoding within a
> MIME segment

Your system must be able to decode binhex attachments before they are passed
to clamav.  I dont believe clamav has an internal binhex decoder.  Being
that most people dont have a decoder themselves, i dont see how this is
really an issue.  symantec on my workstation doesnt even pick these up.

>
> Test #10: Eicar virus embedded within an RFC822 message
>
> Test #15: Eicar string in HTML, to ensure that your mail
> server scans HTML segments
>

This is definitely a fault with whatever program is calling clamav on your
system.  These are both blocked on my system (using qmail and
qmail-scanner).


> Test #22: Eicar virus within zip file hidden using the
> "Empty MIME Boundary Vulnerability"
>

I dont really know what this means but it is let through on my system as
well.  However i am not too worried about it as it was not picked up
symantec on my desktop and someone would need a base64 decoder and some
computer knowledge to be able to extract this attachment.

> Test #23: Test for the "Partial (Fragmented)
> Vulnerability". This does not include Eicar virus, but your mail
> server still must block this since it can break a virus
> into multiple emails and reassemble it in your inbox.
>
> Test #24: Attachment with a CLSID extension which may
> hide the real file extension. This does not include Eicar
> virus, but your mail server still must block this since
> it can hide the true extension of a file.
>

These 2 are not a virus and as such should not be detected by clamav.  They
are both blocked by qmail-scanner however.


> if there's anything further i can provide/check, pls let me know.
>
> richard
>
>

You may have more luck posting this message on a list decicated to whatever
program integrates clamav to your mta.  These are not faults of clamav.

Jim



---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

RE: [Clamav-users] testvirus.org eicar tests failing w/ ClamAV version devel-20040316 on OSX+CGPro

[Jim Maul]

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Thomas
> Lamy
> Sent: Wednesday, March 17, 2004 3:43 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] testvirus.org eicar tests failing w/ ClamAV
> version devel-20040316 on OSX+CGPro
>
>
> Sorry, but IMHO a virus scanner on a Mac that doesn't handle BinHex is a
> piece of scrap.
> Clamav has a BinHex decoder, and it works.
>

Is this enabled by default?  I have been unable to find any way to enable
clamav to decode binhex attachments.  Both binhex attachments from
testvirus.org get through my system so i made the assumption that binhex
support was lacking.

Jim



---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

RE: [Clamav-users] Bagle.Q

[Jim Maul]

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Scott Ryan
> Sent: Thursday, March 18, 2004 9:31 AM
> To: Clam Antivirus List
> Subject: [Clamav-users] Bagle.Q
>
>
> I am running 0.67-1 and was looking to get a copy of the virus to test
> if clamd catches it. where would i be able to get a copy of it from?

i seriously doubt anyone is just going to give it to you.  If you are
running a mail server with any sort of trafic, it should be hitting you on
its own.

Jim



---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

RE: [Clamav-users] clamassassin and procmail config

[Jim Maul]

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of pi
> Sent: Thursday, March 18, 2004 12:38 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] clamassassin and procmail config
>
>
> Ling C. Ho wrote:
>
> >
> >
> > You can also try amavis-new. http://www.ijs.si/software/amavisd
> >
> > ...
> > ling
> >
> It doesn't work, I can't succeed to install it on my RH9.
> If someone can help me
> Thought it was a perl problem tried to install  another  perl version
> but always the same problem.
> Any idea ??
>
> Phil
>
>

If you already installed some of the dependencies then you can try to
override them by using the --nodeps option with rpm.  This may cause
problems down the road but then again, it may not.

Jim



---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

RE: [Clamav-users] Postmaster bounces and such.

[Jim Maul]

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Robert
> Schmidt
> Sent: Friday, March 19, 2004 11:06 AM
> To: [EMAIL PROTECTED]
> Subject: [Clamav-users] Postmaster bounces and such.
> 
> 
> We tend to forward the postmaster account off our each of our mail
> servers to other central servers that the admins read it on. If the
> postmaster account receives a virus (they are fairly popular addresses
> for spam and virus email) they will try to forward it on. The problem is
> if that central server is using ClamAV it will bounce the message back
> to the originating server.
>

Why are you bouncing mail back to the server?

Jim


---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

RE: [Clamav-users] qmail-scanner 1.21 and ClamAV .67 or .70

[Jim Maul]

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Steve
> Schofield
> Sent: Friday, March 19, 2004 1:22 PM
> To: [EMAIL PROTECTED]
> Subject: [Clamav-users] qmail-scanner 1.21 and ClamAV .67 or .70
>
>
> I'm trying to get Q/S 1.21 and ClamAV working on FreeBSD 4.9.  I get the
> following errors
> I've verified the permissions on /var/spool/qmailscan, verified the
> softlimit without success.
> The clamd process is running when this error comes up.  Any help would be
> appreciated. Note the q/s 1.20 and clam .65 worked fine for months.  Just
> the enhancements for password zip files is reason enough to upgrade.
>
> run
> /usr/local/bin/clamdscan -r --disable-summary --max-recursion=10
> --max-space
> =100  /var/spool/qmailscan/tmp/mx.adminblogs.com1079
> Fri, 19 Mar 2004 12:41:17 -0500:351: --output of clamdscan was:
> /var/spool/qmailscan/tmp/mx.adminblogs.com1079718077470351: Can't
> access the
> file ERROR
>

Clamd uses /etc/clamav.conf in which there is a setting to specify which
user clamd runs as.  It may be that clamd is running as clamav and your
/var/spool/qmailscan dir is owned by qscand.

Jim



---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

RE: [Clamav-users] Postmaster bounces and such.

[Jim Maul]

> On Fri, 2004-03-19 at 12:51, Jim Maul wrote:
>> > We tend to forward the postmaster account off our each of our mail
>> > servers to other central servers that the admins read it on. If the
>> > postmaster account receives a virus (they are fairly popular addresses
>> > for spam and virus email) they will try to forward it on. The problem
>> is
>> > if that central server is using ClamAV it will bounce the message back
>> > to the originating server.
>> >
>>
>> Why are you bouncing mail back to the server?
>>
>
> We bounce messages that have viruses. We decided that was the least bad
> thing to do with mail that has viruses. All notification options have
> downsides and we thought this was the least bad. What do you do?
>

The message gets quarantined and no one is notified.  When most virii sent
are not from actual people, why even bother bouncing the message?

Jim


---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

Re: [Clamav-users] Postmaster bounces and such.

[Jim Maul]

> On Fri, 2004-03-19 at 17:01, jef moskot wrote:
>> Worse than that, if the virus is still attached, you're now sending it
>> to
>> someone who might not have otherwise received it.  You're helping to
>> spread the infection.
>
> When I say bounce I mean reject. We try not to accept them. But
> sometimes we end up accepting them and they will "bounce" back. If we
> warn sender we will often be sending messages to people who have been
> spoofed (it will always go to the sender's email address). If we warn
> recipient then they will flood us asking for information about email
> that has been sent to them.
>
> Rejection is fairly popular, but it is a game of hot potato. Someone's
> smtp server has the message and will need to deal with it. It is bad
> practice to drop messages in the round file and not tell anyone about
> it.
>

If the message is created by a virus and spreading a virus, who would you
like to tell about it?  I dont see why simply dropping it is bad in any
way.


---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

Re: [Clamav-users] Postmaster bounces and such.

[Jim Maul]

> On Saturday 20 March 2004 02:32, Jim Maul wrote:
>
>> The message gets quarantined and no one is notified.
>
> Why ? Virus message is not quarantined, it's rejected.
> All it is depend from configuration.
>

because qmail does not "reject anything" at smtp time by default.  Thefore
it gets accepted, scanned, and then quarantined.

Jim


---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

Re: [Clamav-users] Postmaster bounces and such.

[Jim Maul]

> Dropping isn't good or bad, however if you're not careful it could come
> around and bite you on the back side.
>
> I notify the 'recipient' in the event the email in question was expected
> (part of a project, family / business correspondence etc).
>
> Otherwise they could be wondering where their email is, and possibly look
> at
> it as a problem with their hosted service,
> which could affect your bottom line.
>
> I know if I was hosted, and the host was making decisions for me regarding
> how certain mail was handled
> I'd be looking for a new host.
>
> Just my 2 cents
>
> KenC
>

Well the email i am hosting is for a hospital that i work for.  So not
notifying the sender or the recipient works pretty well in our case.  The
users in my case do not have control over their own email and they can not
look for another host :)  It all comes down to the type of hosting
situation that you are in i suppose.

Jim


---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

RE: [Clamav-users] freshclam config

[Jim Maul]

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Guillaume
> Jullien
> Sent: Monday, March 22, 2004 12:35 PM
> To: [EMAIL PROTECTED]
> Subject: [Clamav-users] freshclam config
> 
> 
> Hi,
> 
> When I run
> # freshclam
> 
> I get this error
> 
> Can't change dir to /usr/local/share/clamav
> 
> This directory doesn't exist.
> Working on a Debian, I had compiled this program.
> After a while I did an other installation from a .deb packet
> 
> I think the only thing to do is to tell freshclam to look for some other 
> path but I can't find in which configuration file it is written.
> 
> 

/etc/freshclam.conf ?

Jim


---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

RE: [Clamav-users] database.clamav.net unresolvable ?

[Jim Maul]

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Mark Moshe
> Kushinsky
> Sent: Monday, March 22, 2004 2:19 PM
> To: [EMAIL PROTECTED]
> Subject: [Clamav-users] database.clamav.net unresolvable ?
>
>
> Cannot resolve database.clamav.net using the attbi.com name servers.
>
> Some help please ! Is this a problem with the comcast's DNS servers ? I
> checked verizon.net and speakeasy and they are resolving fine.
>
> Thanks,
> Moshe
>
> $ nslookup
> Note:  nslookup is deprecated and may be removed from future releases.
> Consider using the `dig' or `host' programs instead.  Run nslookup with
> the `-sil[ent]' option to prevent this message from appearing.
> > server ns10.attbi.com
> Default server: ns10.attbi.com
> Address: 63.240.76.19#53
> > database.clamav.net
> ;; Truncated, retrying in TCP mode.
> ;; connection timed out; no servers could be reached
>

Seems to me that you are unable to get TCP dns queries.  the clamav dns
record is too large to fit in a udp query (which is why it says truncating,
retrying in tcp mode).  After that you will see that it times out.  Either
you or your host is blocking tcp dns requests.

My Results:

[EMAIL PROTECTED] etc]# nslookup
Note:  nslookup is deprecated and may be removed from future releases.
Consider using the `dig' or `host' programs instead.  Run nslookup with
the `-sil[ent]' option to prevent this message from appearing.
> database.clamav.net
;; Truncated, retrying in TCP mode.
Server: 167.206.112.3
Address:167.206.112.3#53

Non-authoritative answer:
Name:   database.clamav.net
Address: 152.66.249.132
Name:   database.clamav.net
Address: 193.1.219.100
Name:   database.clamav.net
Address: 193.138.115.108
Name:   database.clamav.net
Address: 193.225.86.3
Name:   database.clamav.net
Address: 195.70.36.141
Name:   database.clamav.net
Address: 196.40.71.226
Name:   database.clamav.net
Address: 200.68.106.39
Name:   database.clamav.net
Address: 202.134.0.71
Name:   database.clamav.net
Address: 207.201.202.73
Name:   database.clamav.net
Address: 209.94.36.5
Name:   database.clamav.net
Address: 209.204.175.217
Name:   database.clamav.net
Address: 212.31.160.239
Name:   database.clamav.net
Address: 212.113.16.74
Name:   database.clamav.net
Address: 24.73.112.74
Name:   database.clamav.net
Address: 62.210.153.201
Name:   database.clamav.net
Address: 62.210.153.202
Name:   database.clamav.net
Address: 64.18.103.6
Name:   database.clamav.net
Address: 64.69.64.158
Name:   database.clamav.net
Address: 64.74.124.90
Name:   database.clamav.net
Address: 80.69.67.3
Name:   database.clamav.net
Address: 129.64.99.170

Jim



---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

RE: [Clamav-users] ClamAV missing 100% of "Worm.SomeFool.Gen-1" on (clamav-users: addressed to exclusive sender for this address) OSX

[Jim Maul]

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of
> OpenMacNews
> Sent: Wednesday, March 24, 2004 3:35 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] ClamAV missing 100% of "Worm.SomeFool.Gen-1"
> on (clamav-users: addressed to exclusive sender for this address) OSX
>
>
> hi,
>
> i've had no problems logged re: freshclam updates ... just in
> case I did a manual update:
>
> ClamAV update process started at Wed Mar 24 12:32:55 2004
> Reading CVD header (main.cvd): OK
> main.cvd is up to date (version: 21, sigs: 20094,
> f-level: 1, builder: tkojm)
> Reading CVD header (daily.cvd): OK
> daily.cvd is up to date (version: 212, sigs: 601,
> f-level: 1, builder: diego)
>
>
> waited a bit, and another "Worm.SomeFool.Gen-1" snuck thru ...
>

Are you running clamscan or clamdscan?  If using clamscan are you using
the --mbox option?

Jim



---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

RE: [Clamav-users] clam not fresh

[Jim Maul]

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Colin A.
> Bartlett
> Sent: Thursday, March 25, 2004 2:47 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [Clamav-users] clam not fresh
>
>
> > Another poster pointed to testvirus.org for testing.  I think you'll
> > find some methods of delivery more effective than others and that
> > clamav will miss some of these.
>
> They're not being detected by clam even when running them right through
> clamscan on the command prompt. I think it's because SomeFool.P
> isn't in my
> sig list even though freshclam says I'm up to date.
>

My server shows the following:

[EMAIL PROTECTED] bin]# sigtool -l |grep -i somefool
Worm.SomeFool
Worm.SomeFool.B
Worm.SomeFool.B.2
Worm.SomeFool.D
Worm.SomeFool.E
Worm.SomeFool.F
Worm.SomeFool.Gen-1
Worm.SomeFool.Gen-2
Worm.SomeFool.Gen-unp
Worm.SomeFool.I
Worm.SomeFool.K
Worm.SomeFool.L
Worm.SomeFool.M
Worm.SomeFool.O
Worm.SomeFool.P
Worm.SomeFool.P-dll

If running the same command on your server does not show the SomeFool.P then
your definitions are NOT up to date.  If freshclam insists on saying they
are up to date, i would try deleting them totally and running freshclam
again.  Maybe that will clear up the problem.

> > And don't eat bad clams.
>
> I had a bad oyster the other day but never a bad clam.

I stay away from seafood altogether...

Jim



---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

RE: [Clamav-users] clam not fresh

[Jim Maul]

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Mark Novak
> Sent: Thursday, March 25, 2004 5:37 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] clam not fresh
>



>
> I did exactly that, deleted the cvd files and re-ran freshclam.  I am
> only showing through SomeFool.M, no O, P or P-dll.
>
> Any ideas or tips appreciated.
>
> Thanks,
>
> Mark


Well, being that this makes no sense, the only thing i can suggest is to try
another mirror.  If you are not specifying one explicitly then you should
get a different one almost every time you run freshclam so i dont know why
this would matter, but i am running out of ideas.  What is the total number
of viruses it says for your database?

Try this

[EMAIL PROTECTED] jmaul]# sigtool -i /var/lib/clamav/main.cvd
Build time: 29 Feb 2004 18-19 +0100
Version: 21
# of signatures: 20094
Functionality level: 1
Builder: tkojm
MD5: a20b254aa5f6b97dcafc115a63c8af4e
Digital signature:
rpzUhP4jcYOSj/tMnkU5zPs3GbJWsdmj2+7Z4BkUGOfN8pS0XnQ2qJY1TF/1P4jeadvBVNoCwJiI
wamnGtBO8fTnLiMgMXSiy/L1odsalY0iCyRmxzYNqWUoG6Q3CMhEJ8M9c8idT7LBGYHwtKCBv0hH
hIIrkqS2jh5V0XAxIwh
Verification OK.

[EMAIL PROTECTED] jmaul]# sigtool -i /var/lib/clamav/daily.cvd
Build time: 26 Mar 2004 10-20 +0100
Version: 217
# of signatures: 615
Functionality level: 1
Builder: diego
MD5: 4c963cdbafb148be77556bf0cc9a
Digital signature:
QhYZD+fLArMzj4Eukpl7HCNZVgPw3aNNYyx860Mb2tj8CFXTHNZSM6L0k+pUtLKXa8wFbLjFPQCF
fnmiE0GiB5zjzT/oyzeFpXhmNH3axBrhQZ/h/qkN/XZgDgX2Dl4g9tv75uzu/XbAtNcbWBl04TPE
wkbu2Dq1aE5Ml0hlZfh
Verification OK.

see if the "# of signatures" matches what i have here.

Jim



---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

RE: [Clamav-users] clam not fresh

[Jim Maul]

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Mark Novak
> Sent: Friday, March 26, 2004 10:14 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] clam not fresh
>
> My number of signatures is exactly the same as yours.  When I grep for
> somefool, I stop at M.
>
> I do still have the old style signatures located in /usr/share/clamav
> from clam-0.65.  Tomasz mentioned in an earlier post that this could be
> the problem.  I am wondering if I should change the freshclam.conf
> database line from /var/lib/clamav to /usr/share/clamav?
>
> It seems to me that I am updated, as I have the same number of
> signatures as you do, but when I grep it for somefool, maybe it is
> going to the old set in the other directory?
>
> What do you think?


I would remove the copy in /usr/share/clamav.  If you are using clamscan,
then having /var/lib/clamav as the database directory in /etc/clamav.conf
doesnt make any difference because clamscan does not listen to this config
file.  /etc/clamav.conf is for clamDscan only.  You can specify the database
path on the command line with clamscan using --database=FILE/DIR.  However i
would just remove the /usr/share copy of the database to prevent future
confusion.

Jim



---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

RE: [Clamav-users] Segfault on password protected rar?

[Jim Maul]

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Ethan P
> Sent: Friday, March 26, 2004 10:32 AM
> To: [EMAIL PROTECTED]
> Subject: [Clamav-users] Segfault on password protected rar?
> 
> 
> I'm running ClamAV .65 on an RH9 system, with Qmail-Scanner-1.20RC3. 
> 
> The other day, the following worm slipped through my clamav scanner:
> Worm.Bagle.Gen-rarpwd 
> 
> At first, I thought it was a new rar file, and tried to submit it.  This 
> variant had already been input into the database.  Figuring that 
> I was just 
> out-of-date, I ran freshclam. 
> 
> I decided to grab the file and run clamscan on it -- just to make 
> sure that 
> it's being caught.  Upon a regular scan, clamav (clamscan) segfaults.  I 
> assumed that this is due to the file being password protected -- 
> so I re-ran 
> it with the --disable-archive option and sure enough, the worm was found: 
> 
> [EMAIL PROTECTED] root]# clamscan --disable-archive -i first_part.rar
> first_part.rar: Worm.Bagle.Gen-rarpwd FOUND 
> 
>  --- SCAN SUMMARY ---
> Known viruses: 41298
> Scanned directories: 0
> Scanned files: 1
> Infected files: 1
> Data scanned: 0.02 MB
> I/O buffer size: 131072 bytes
> Time: 0.782 sec (0 m 0 s) 
> 
> 
> Problem is, when I send this file via email, ClamAV doesn't detect it.  I 
> assume it's segfaulting each time it scans this file. 
> 
> What's the best thing I can do at this point?  I want ClamAV to open 
> archives when possible, but I don't want it to segfault and allow 
> password 
> protected archived worms through. 
> 

Im not sure why its segfaulting, but upgrading to 0.70 may fix this problem.

Jim



---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id70&alloc_id638&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

RE: [Clamav-users] testvirus.org results

[Jim Maul]

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Robert
> Blayzor
> Sent: Wednesday, March 31, 2004 10:35 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] testvirus.org results
>
>
> On 3/31/04 9:51 AM, "Antony Stone" <[EMAIL PROTECTED]> wrote:
>
> > That's because none of those tests contains a virus - not even
> a pretend one
> > such as Eicar.
> >
> > Since there's no virus, ClamAV doesn't have anything to detect.
>
> That may be true for Test #24, but on test 21, 23 and 25 every one that I
> received had attachments with the virus in a zip file format.
> They may not
> appear to have attachments in a lot of mail clients, but they do in broken
> M$ clients. (or so it's said)
>

These tests to not appear as attachments on any of the 50 machines we have
here running various versions of outlook and outlook express.  Symantec AV
does running on the workstations also dont pick anything up.  These tests
are basically harmless from what i have experienced.  Now granted, i dont
know exactly what they are supposed to exploit, but i have been unable to
get them to do anything harmful.

Besides, I hardly think it is up to ClamAV (or any virus scanner for that
matter) to detect something that really ISNT a virus, but COULD be in a
broken M$ email client.

Jim



---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

RE: [Clamav-users] Some viruses go through

[Jim Maul]

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Mimmus
> Sent: Monday, April 05, 2004 10:14 AM
> To: [EMAIL PROTECTED]
> Subject: [Clamav-users] Some viruses go through
>
>
> Hi,
> I'm using Sendmail+ClamAv+ClamAV-milter (latest version in RPM format:
> 0.70rc1) on my primary mailserver (traffic: 5-6000 mail everyday).
> Behaviour is pretty good but sometime some viruses (of previously blocked
> kind) go through (then they are catched by Trend InterScan VirusWall
> antivirus on the firewall...).
> I'm unable to explain this: clamd and clamav-milter are up, all seems OK.
>
> Any suggestion?
>
> Thanks in advance and sorry for my bad english
> Domenico Viggiani
>
>
>

I do not know your answer, but posting the same message to the list twice
within 11 minutes is not a good way to get a response.

Jim



---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

RE: [Clamav-users] Cleaning MBOX files?

[Jim Maul]

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Jack
> London Networks
> Sent: Thursday, April 08, 2004 6:47 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] Cleaning MBOX files?
>
>
> If I use the --remove flag, it removes the whole mailbox file, not just
> the infected message.  Glad I tested on a copy of an infected mailbox
> and not the real thing! :)
>
> I'm looking at the other solutions proposed, but they're going to take
> more work, obviously..and I don't think that it'll be something that
> I can run automatically every night on all the mail folders.
>
> *sigh*
>
> -bob


Thats because the example given (qmail) uses maildir, not mbox.  In the
qmail case it would only remove the infected message.  In the mbox
case...wellyou know what happens.

Jim



>
> Lloyd Albin wrote:
>
> >If you want to scan all mailboxes the following command is what I use to
> >do a manual scan. This example is for qmail with vpopmail.
> >
> >clamscan -r /home/vpopmail/domains --mbox -i --remove
> >
> >If you want to scan an individual domain use
> >
> >clamscan -r /home/vpopmail/domains/sampledomain.com --mbox -i --remove
> >
> >Or if you want to scan an individual account use
> >
> >clamscan -r /home/vpopmail/domains/sampledomain.com/username --mbox -i
> >--remove
> >
> >You must use clamscan because it will not timeout which the clamdscan
> >will.
> >
> >-Lloyd
> >
> >
> >
>
>
>
> ---
> This SF.Net email is sponsored by: IBM Linux Tutorials
> Free Linux tutorial presented by Daniel Robbins, President and CEO of
> GenToo technologies. Learn everything from fundamentals to system
> administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
> ___
> Clamav-users mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/clamav-users
>



---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

RE: [Clamav-users] submitting samples (name instead?)

[Jim Maul]

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Henry
> Harvey
> Sent: Friday, April 09, 2004 10:16 AM
> To: [EMAIL PROTECTED]
> Subject: [Clamav-users] submitting samples (name instead?)
>
>
> Would it be possible to report what
> viruses (names) are not being detected by ClamAV,
> instead of submitting a sample?
>
> We have Symantec Corporate Ed AV running on
> all workstations and it blocks those files
> from even saving to any pc. I have the logs
> which says that
>
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
>
> are still being delivered to workstations.
> Meaning they were not stopped by ClamAV.
>
> A search on the database of ClamAV results
> with nothing with those same variants.
>
> ClamAV works perfectly fine with other
> viruses though, like those "SomeFool" viruses.
>


Being the NetSky _IS_ SomeFool, i wonder what your saying here.  If they are
being blocked, how are they being detected by symantec?

Jim



---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

RE: [Clamav-users] submitting samples (name instead?)

[Jim Maul]

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Niek
> Sent: Friday, April 09, 2004 11:16 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] submitting samples (name instead?)
>
>
> Jim Maul wrote:
>
> >
> >>-Original Message-
> >>From: [EMAIL PROTECTED]
> >>[mailto:[EMAIL PROTECTED] Behalf Of Henry
> >>Harvey
> >>Sent: Friday, April 09, 2004 10:16 AM
> >>To: [EMAIL PROTECTED]
> >>Subject: [Clamav-users] submitting samples (name instead?)
> >>
> >>
> >>Would it be possible to report what
> >>viruses (names) are not being detected by ClamAV,
> >>instead of submitting a sample?
> >>
> >>We have Symantec Corporate Ed AV running on
> >>all workstations and it blocks those files
> >>from even saving to any pc. I have the logs
> >>which says that
> >>
> >>[EMAIL PROTECTED]
> >>[EMAIL PROTECTED]
> >>[EMAIL PROTECTED]
> >>[EMAIL PROTECTED]



> >>ClamAV works perfectly fine with other
> >>viruses though, like those "SomeFool" viruses.
> >>

This is a direct contradiction.

> he said: those virusses are caught by norton on workstations,
> clamav didn't catch them on the mailserver. Given that the workstations
> received them by mail.
>
> Niek Baakman

I understand that.  What i dont understand is that he basically said,
"Somefool is not getting detected by clamav but clamav works fine with other
viruses like somefool".

Jim



---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

RE: [Clamav-users] RPM Files....

[Jim Maul]

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Mike van
> Vugt
> Sent: Tuesday, April 13, 2004 8:16 AM
> To: ClamAV Mail List
> Subject: [Clamav-users] RPM Files
>
>
> Can anyone tell me what goes wrong here  Downloaded the files but
> keep getting errors
>
> Regards,
>
> Mike
>
> # rpm -ivh clamav-0.66-0.20031204.1mdk.i586.rpm
> error: Failed dependencies:
> libclamav1 = 0.66-0.20031204.1mdk is needed by
> clamav-0.66-0.20031204.1mdk
> clamav-db is needed by clamav-0.66-0.20031204.1mdk
> libclamav.so.1 is needed by clamav-0.66-0.20031204.1mdk
> [EMAIL PROTECTED] downloads]# ls
> clamav-0.66-0.20031204.1mdk.i586.rpm
> clamav-db-0.66-0.20031204.1mdk.i586.rpm
> libclamav1-0.66-0.20031204.1mdk.i586.rpm
> [EMAIL PROTECTED] downloads]#
> -

You need to rpm -ivh the dependencies first and then instal the clamav
package.  Just because they are in the same directory as the package you are
trying to install doesnt mean that they will automatically be installed as
well.

Jim



---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

RE: [Clamav-users] Netsky P not being blocked, using 0.70-rc

[Jim Maul]

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Henry
> Harvey
> Sent: Tuesday, April 13, 2004 2:14 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] Netsky P not being blocked, using 0.70-rc
>
>
> I also have the same problem.
> Apparently, I have two locations
> where the updates are stored. ClamAV
> was using /usr/local/share/clamav
> and freshclam was storing updates in
> /var/lib/clamav. So I made clamav.conf
> point to /var/lib/clamav also.
>
> And just to make sure that nothing is using
> /usr/local/share/clamav anymore, I changed
> the directory name to something else.
>
> I restarted clamd, amavisd and all went ok.
> But when I run sigtool --list it tells me
> ERROR: Can't open directory /usr/local/share/clamav
>
> How can I make it point to the new location
> of the database files? And how can I make sure
> that my clamd is now looking at the new location?
>

I would check /etc/clamav.conf and /etc/freshclam.conf and make sure both
files have

DatabaseDirectory /var/lib/clamav

This should be all you need to change.

Jim



---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

RE: [Clamav-users] clamd is not scanning my email.

[Jim Maul]

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of
> [EMAIL PROTECTED]
> Sent: Tuesday, April 13, 2004 3:39 PM
> To: [EMAIL PROTECTED]
> Subject: [Clamav-users] clamd is not scanning my email.
>
>
> I have done everything in the docs and still it just does not
> work.  I am on RH9 so I had to use the rpm version to even get
> clamd to work but there it is in the processes but check the
> maillog and not one mention of scanning the test file.
>
> I am stumped and been at this almost all day so can someone help?
>
> Thanks.
>

We _may_ be able to help you if you provide us with more information.  so
far all we know is you are trying to install some version of clamav on a
redhat 9 machine and it doesnt work.  Could you provide some more
information?

what version of clamav?
what mta?
what _do_ the log files say?

Jim



---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

RE: [Clamav-users] clamav and milter - dedicated mailing list.

[Jim Maul]

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Antony
> Stone
> Sent: Wednesday, April 14, 2004 10:18 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] clamav and milter - dedicated mailing list.
>
>
> On Wednesday 14 April 2004 3:01 pm, Odhiambo Washington wrote:
>
> > May I propose a separate mailing list for milter users? There seems to
> > be alot of discussions about milter (now I even know it's some form of
> > sendmail plugin) that warrants this.
> > Some of us use Exiscan and we find milter quite a 'strange' idea ;-))
> > The list could be named clamav-milter-users.
> > I believe the usage of ClamAv has grown to an extent that this now
> > warranted.
> >
> > Any seconders
>
> Yes, I second this proposal - it should also help to add a clue
> to some of the
> posting we get, where people say "my ClamAV isn't catching viruses in my
> email", and they don't tell us how they've connected the two systems
> together.   At least with a milter list we can assume that part in any
> posting.
>
> I'm all for segregating off items which are likely to be of
> interest to only a
> sub-group of the subscribers to the main ClamAV list, too.
>
> Regards,
>
> Antony.
>

I'll second the second on this one.  I use qmail with qmail-scanner and all
this milter talk is quite strange to me.  I am not interested in it nor can
i be of ANY help with it.

Jim



---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

RE: [Clamav-users] My installation of ClamAV doesn't detect zipped virus

[Jim Maul]

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Oscar A.
> Valdez
> Sent: Wednesday, April 14, 2004 3:09 PM
> To: [EMAIL PROTECTED]
> Subject: [Clamav-users] My installation of ClamAV doesn't detect zipped
> virus
>
>
> I just installed ClamAV, but Worm.SomeFool.P (in a zip file) is getting
> through, although the online scanner at
> http://www.gietl.com/test-clamav/ detects it.
>
> Am I missing something in my configuration?
> --
> Oscar A. Valdez
>
>

most likely you have out of date virus definitions.

Try:

sigtool -l |grep SomeFool

This is my output:

[EMAIL PROTECTED] elih.org]# sigtool -l|grep SomeFool
Worm.SomeFool.Gen-unp
Worm.SomeFool.O
Worm.SomeFool.P
Worm.SomeFool.P-dll
Worm.SomeFool.Q
Worm.SomeFool.N
Worm.SomeFool.R
Worm.SomeFool.Q.2
Worm.SomeFool
Worm.SomeFool.B
Worm.SomeFool.B.2
Worm.SomeFool.D
Worm.SomeFool.E
Worm.SomeFool.F
Worm.SomeFool.Gen-1
Worm.SomeFool.Gen-2
Worm.SomeFool.I
Worm.SomeFool.K
Worm.SomeFool.L
Worm.SomeFool.M


If you do not have the same, then either freshclam is not working correctly
(or not running at all) or freshclam is downloading the virus database to
one location and clamav is looking for it in another location.  I have seen
this problem more and more lately on this list.

Jim



---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

RE: [Clamav-users] revisit question about passworded zips

[Jim Maul]

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Bart
> Silverstrim
> Sent: Thursday, April 15, 2004 9:55 AM
> To: [EMAIL PROTECTED]
> Subject: [Clamav-users] revisit question about passworded zips
>
>
> I've seen this batted back and forth for awhile about the bagle
> variants that use password-protected ZIPs and detecting them; I gleaned
> a bit of ambiguity in the answers because at the time the answer always
> seemed to be "Yes it detects it" (zips or passworded zips?), no it
> doesn't (nothing scans inside zips) , or "yes it does in the latest CVS
> version..."
>
> Sooo my question is that at this point, does clamav have the ability to
> pick up the passworded zip file sent by a specific bagle variant, while
> passing others along undetected?  the testvirus.org password protected
> zip gets through :-( So I wondered if just the bagle virus with the
> passworded zip has a specific signature attached.
>

My understanding of it is that the password protected zip files are detected
by a signatue of the message with the file attached.  Of course the virus
can not be detected by the virus itself because it is in a password
protected zip.  This is why the password protected zip test from
testvirus.org gets through.  There is no signature in the clamav database
for this file.  If you want to block ALL password protected zips you can do
so using the --detect-encrypted parameter. (i believe .070rc+)

So i guess the answer is: yes it detects it, but not by scanning inside the
zip file.

Jim



---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

RE: [Clamav-users] Complete system scan...

[Jim Maul]

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Mike van
> Vugt
> Sent: Thursday, April 15, 2004 11:23 AM
> To: ClamAV Mail List
> Subject: [Clamav-users] Complete system scan...
> 
> 
> Hi,
> 
> What command can I use to scan my compleet system ???
> 

clamscan -r /


(must run as root though)

Jim


---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

RE: [Clamav-users] Complete system scan...

[Jim Maul]

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Mike van
> Vugt
> Sent: Thursday, April 15, 2004 11:23 AM
> To: ClamAV Mail List
> Subject: [Clamav-users] Complete system scan...
> 
> 
> Hi,
> 
> What command can I use to scan my compleet system ???
>

Responding again to the same message...

By the way, "man clamscan" or "clamscan --help" will do wonders.

Jim 


---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

RE: [Clamav-users] Complete system scan...

[Jim Maul]

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Mike van
> Vugt
> Sent: Thursday, April 15, 2004 2:41 PM
> To: ClamAV Mail List
> Subject: RE: [Clamav-users] Complete system scan...
>
>
> On Thu, 2004-04-15 at 19:35, Brad Morgan wrote:
> > >
> > > What command can I use to scan my compleet system ???
> > >
> > If its a *nix system, "find / -name daily.cvd" should work.
> >
> > If its a Windows system, Start, Search, For files & folders...,
> and enter
> > daily.cvd in the appropriate place.  The exact wording and
> location of the
> > search tool depends on which flavor of Windows you are running.
> >
> > If its some other operating system, tell us and hopefully,
> someone on this
> > list can give you directions.
>
> $ more /etc/mandrake-release ; rpm -qa|grep -i kernel
> Mandrake Linux release 10.0 (RC1) for i586
> kernel-2.6.2.3mdk-1-1mdk
>
> Trying both options... could take a while I think...  Nothing happends,
> the only thing I see is a blinking cursor ;-))
>


This will in no way scan your system.  It will however locate where your
virus database definitions are.  There have been many other replies to this
question with the correct answer.  As i stated before "clamscan -r /" will
do it.

Jim



---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

RE: [Clamav-users] clamd segfault

[Jim Maul]

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Bill Pitz
> Sent: Friday, April 16, 2004 12:10 PM
> To: [EMAIL PROTECTED]
> Subject: [Clamav-users] clamd segfault
>
>
> I've had an occasional problem with clamd segfaulting.  The basics of my
> system are as follows:
>
> Red Hat Linux 9 / 2.4.25 kernel
> Sendmail 8.12.11
> clamav-0.68 + clamav-milter
>

If not already stated already, i'll be the first and suggest an upgrade to
the latest cvs.  There have been significant bugfixes since 0.68.

Jim



---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

RE: [Clamav-users] Problems with clamav and qmailscanner

[Jim Maul]

 

  -Original 
  Message-From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED]On Behalf Of 
  Administrador da RedeSent: Friday, April 16, 2004 3:19 
  PMTo: >Subject: [Clamav-users] Problems with clamav 
  and qmailscanner
  I have a qmail system with clamav e qmailscanner. it seems 
  functioning normaly, but I'm having trouble because netsky virus is comin from 
  messages.
   
   
  Some on can help -me? 
   
try 
 
[EMAIL PROTECTED] bin]# sigtool -l|grep 
SomeFool
 
 
if you do 
not get the same output as below:
Worm.SomeFool.Gen-unpWorm.SomeFool.OWorm.SomeFool.PWorm.SomeFool.P-dllWorm.SomeFool.QWorm.SomeFool.NWorm.SomeFool.RWorm.SomeFool.Q.2Exploit.HTML.SomeFool.VWorm.SomeFoolWorm.SomeFool.BWorm.SomeFool.B.2Worm.SomeFool.DWorm.SomeFool.EWorm.SomeFool.FWorm.SomeFool.Gen-1Worm.SomeFool.Gen-2Worm.SomeFool.IWorm.SomeFool.KWorm.SomeFool.LWorm.SomeFool.M  
 
Then you have outdated virus definitions.  Make 
sure freshclam is running and that it is saving the database definitions in the 
same place that clamav is looking for them.
 
If 
your output is the same as above then there most likely is a configuration 
problem.  In this case we would need to know more information about your 
setup.
 
Jim 

RE: [Clamav-users] freshclam PID file .... no where to be found

[Jim Maul]

 

  -Original Message-From: 
  [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED]On Behalf Of 
  [EMAIL PROTECTED]Sent: Friday, April 16, 2004 4:45 
  PMTo: [EMAIL PROTECTED]Subject: 
  [Clamav-users] freshclam PID file  no where to be 
  found
  I have tried: /etc/freshclam.conf PidFile /var/run/pid.file and freshclam -d --config-file=/etc/freshclam.conf 
  --pid=/var/run/pid.file --- But I can't get 
  a freshclam to create a PID file.  Anyone else 
  seen this? 
   
   
   
Does freshclam have permissions to write to 
/var/run?
 
Jim 

RE: [Clamav-users] W32.Netsky.B@mm not removed

[Jim Maul]

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Pad
> Hosmane
> Sent: Monday, April 19, 2004 9:34 AM
> To: [EMAIL PROTECTED]
> Subject: [Clamav-users] [EMAIL PROTECTED] not removed
>
>
> Hi,
>   Clamav is not detecting or cleaning [EMAIL PROTECTED] I am running
> clamav-0.07-rc.
>
> PAd
>

First, clamav does not clean anything.  Second, clamav does not detect
netsky, it detects somefool which is the same thing.

Jim



---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

RE: [Clamav-users] W32.Netsky.B@mm not removed

[Jim Maul]

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Riccardo
> Ghiglianovich
> Sent: Monday, April 19, 2004 12:10 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] [EMAIL PROTECTED] not removed
>
>
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> Il giorno 19/apr/04, alle 16:42, Odhiambo Washington ha scritto:
>
> > * Pad Hosmane <[EMAIL PROTECTED]> [20040419 17:30]: wrote:
> >> Hi,
> >>   Clamav is not detecting or cleaning [EMAIL PROTECTED] I am running
> >> clamav-0.07-rc.
> >
> > Hmm, 'cleaning' is not an option, unless I am behind the news, but
> > detection should work. But I think this virus is called
> > Worm.Somefool.XX
> > (I'm not sure about the XX) by ClamAv.
> > How did you arrive at your conclusion that ClamAv doesn't detect it?
> > Any
> > tests you did?
> >
>
> hi,
> I also have some "NetSky.q.2" not dtected; They are detected by some
> PC Antiviruses
>
> Moreover, Clamav Virus database Search
> http://clamav-du.securesites.net/cgi-bin/clamgrok does not contains
> nothing named Netsky*
>

Thats because (as stated above) clamav does NOT use the name Netsky.  It
uses SomeFool instead.

Jim



---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

RE: [Clamav-users] W32.Netsky.B@mm not removed

[Jim Maul]

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Mitch
> (WebCob)
> Sent: Monday, April 19, 2004 4:01 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [Clamav-users] [EMAIL PROTECTED] not removed
>
>
>
>
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] Behalf Of Jim Maul
> > Sent: Monday, April 19, 2004 11:04 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [Clamav-users] [EMAIL PROTECTED] not removed
> > > hi,
> > > I also have some "NetSky.q.2" not dtected; They are detected by some
> > > PC Antiviruses
> > >
> > > Moreover, Clamav Virus database Search
> > > http://clamav-du.securesites.net/cgi-bin/clamgrok does not contains
> > > nothing named Netsky*
> > >
> >
> > Thats because (as stated above) clamav does NOT use the name Netsky.  It
> > uses SomeFool instead.
> >
> > Jim
>
> Jim - that would address why he doesn't see the sig, NOT why it doens't
> detect. Presumably he is noticing the problem because it got through his
> clam config and hit his pc av software...
>
> He should use the web system to upload a test of the virus and see if it's
> detected online, and if it is, then look at his config, and database to
> check for proper settings and current data.
>

Indeed you are correct.  I had assumed that the reason he was asking about
netsky was because there was no mention of it in the logs files and
searching the online clamav virus database returns nothing for netsky.  If
netsky is being detected on workstations by another av vendor, then there
are indeed configuration and/or virus definition update problems.

Jim



---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

RE: [Clamav-users] Problems detecting Worm.SomeFool.Y

[Jim Maul]

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Andreas
> Haase
> Sent: Tuesday, April 20, 2004 8:42 AM
> To: [EMAIL PROTECTED]
> Subject: [Clamav-users] Problems detecting Worm.SomeFool.Y
>
>
> Hello,
>
> I have several installations of clamav. Versions are 0.67 or 0.70. A
> customer sent an infected file with the virus named in the subject.
>
> Version 0.67 detects the virus correctly, 0.70 doesn't. Comparing the
> amount of known virus, there is a difference of about 75 viruses. Needless
> to say that I updated the signatures several times using freshclam, which
> was successfull (no error messages) but the diff between the installations
> keeps as it is.
>
> I also deleted the signature files and got it completely new.
>
> Is there anything I'm doing wrong? Or how do I get the newest signatures
> that detect this virus?
>

This smells of freshclam downloading the virus definitions to one location
and clamav using a copy in a different location.  Make sure
"DatabaseDirectory" has the same location in both /etc/freshclam.conf and
/etc/clamav.conf.  Mine is DatabaseDirectory /var/lib/clamav

Jim



---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

[Clamav-users] upgrading clamav changes permissions on directories?

[Jim Maul]

I just upgraded my clamav RPMs from 0.70rc to 0.70 (from
http://crash.fce.vutbr.cz/crash-hat/1/clamav/)

Since i am running qmail with qmail-scanner, i run clamav as user qscand and
have to change /var/run/clamav, /var/log/clamav and /var/lib/clamav to be
owned by qscand.  While upgrading to 0.70 i noticed that all three of these
directories have changed back to clamav.clamav.   Would it be possible to
NOT change ownership back to clamav during an upgrade?

Its not that big of a deal, just sorta annoying.

Thanks.

Jim Maul
Eastern Long Island Hospital
631-477-5417


CONFIDENTIALITY STATEMENT: The documents accompanying this transmission may
contain confidential health information that is legally privileged. This
information is intended only for the use of the individual or entity named
above. The authorized recipient of this information is prohibited from
disclosing this information to any other party unless required to do so by
law or regulation and is required to destroy the information after its
stated need has been fulfilled.

If you are not the intended recipient, you are hereby notified that any
disclosure, copying, distribution, or action taken in reliance on the
contents of these documents is strictly prohibited. If you have received
this information in error, please notify the sender immediately and arrange
for the return or destruction of these documents.



---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

RE: [Clamav-users] Problems detecting Worm.SomeFool.Y

[Jim Maul]

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Andreas
> Haase
> Sent: Tuesday, April 20, 2004 2:46 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [Clamav-users] Problems detecting Worm.SomeFool.Y
>
>
> Hello,
>
> > > Version 0.67 detects the virus correctly, 0.70 doesn't. Comparing the
> > > amount of known virus, there is a difference of about 75
> viruses. Needless
> > > to say that I updated the signatures several times using
> freshclam, which
> > > was successfull (no error messages) but the diff between the
> installations
> > > keeps as it is.
> >
> > This smells of freshclam downloading the virus definitions to
> one location
> > and clamav using a copy in a different location.  Make sure
> > "DatabaseDirectory" has the same location in both
> /etc/freshclam.conf and
> > /etc/clamav.conf.  Mine is DatabaseDirectory /var/lib/clamav
>
> mx:/etc/clamav # grep DatabaseDirectory *.conf
> clamav.conf:DatabaseDirectory /var/lib/clamav
> freshclam.conf:DatabaseDirectory /var/lib/clamav
>
> Thanks for your try, but that doesn't seem to be the solution.
>

Have you tried to locate or find *.cvd?  Are there other copies somewhere?
What about:

sigtool -l|grep SomeFool

my output is:

Worm.SomeFool.Gen-unp
Worm.SomeFool.O
Worm.SomeFool.P
Worm.SomeFool.P-dll
Worm.SomeFool.Q
Worm.SomeFool.N
Worm.SomeFool.R
Worm.SomeFool.Q.2
Exploit.HTML.SomeFool.V
Worm.SomeFool.X
Worm.SomeFool.Y
Worm.SomeFool
Worm.SomeFool.B
Worm.SomeFool.B.2
Worm.SomeFool.D
Worm.SomeFool.E
Worm.SomeFool.F
Worm.SomeFool.Gen-1
Worm.SomeFool.Gen-2
Worm.SomeFool.I
Worm.SomeFool.K
Worm.SomeFool.L
Worm.SomeFool.M

Do you have SomeFool.Y listed?

> ClamAV was compiled using the option --sysconfdir=/etc/clamav ... and I
> figured out another interesting "feature". Clamscan doesn't detect the
> worm, but Clamdscan does.
>

have you tried clamscan -m ?


> When I use strace to figure out, where clamscan is looking for the config
> file, there's no appearance of clamav.conf in the output.
>

Thats because clamscan doesnt use clamav.conf  only clamd/clamdscan

That brings up something ive been thinking about recently.  With all the
people asking why doesnt clamscan listen to settings in /etc/clamav.conf
would it be difficult to rename clamav.conf to clamd.conf since only clamd
uses it?  I realize that this wouldnt always be a good idea since according
to freshclam.conf "## This file may be optionally merged with clamav.conf.",
but how many people actually merge the 2 into just clamav.conf?  I think
renaming clamav.conf to clamd.conf would lessen some of the confusion.

Anyone else have any opinions on the topic?

Jim



---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

RE: [Clamav-users] upgrading clamav changes permissions ondirectories?

[Jim Maul]

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Trog
> Sent: Wednesday, April 21, 2004 6:24 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] upgrading clamav changes permissions
> ondirectories?
>
>
> On Wed, 2004-04-21 at 10:58, Dilip M wrote:
> > On Wed, 21 Apr 2004 11:02:02 +0200, Krištof Petr
> <[EMAIL PROTECTED]>
> > wrote:
> >
> > > Jim Maul wrote:
> > >
> > >> I just upgraded my clamav RPMs from 0.70rc to 0.70 (from
> > >> http://crash.fce.vutbr.cz/crash-hat/1/clamav/)
> > >>
> > >> Since i am running qmail with qmail-scanner, i run clamav as user
> > >> qscand and
> > >> have to change /var/run/clamav, /var/log/clamav and
> /var/lib/clamav to
> > >> be
> > >> owned by qscand.  While upgrading to 0.70 i noticed that all
> three of
> > >> these
> > >> directories have changed back to clamav.clamav.   Would it
> be possible
> > >> to
> > >> NOT change ownership back to clamav during an upgrade?
> > >>
> > >> Its not that big of a deal, just sorta annoying.
> > >>
> >
> > Same things happened in my case..!! i'm running clamav as
> mailnull user !
> > So i need to change all clamav owned files to mailnull users :)
>
> then RTFM and tell configure which user you are running clamd as.
>
>

how about you RMFP (Read My F'in Post) and see that im using rpms and there
is no configure.  Thanks.

Jim



---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

RE: [Clamav-users] upgrading clamav changes permissions on directories?

[Jim Maul]

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Kristof
> Petr
> Sent: Wednesday, April 21, 2004 5:02 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] upgrading clamav changes permissions on
> directories?
>
>
> Jim Maul wrote:
>
> >I just upgraded my clamav RPMs from 0.70rc to 0.70 (from
> >http://crash.fce.vutbr.cz/crash-hat/1/clamav/)
> >
> >Since i am running qmail with qmail-scanner, i run clamav as
> user qscand and
> >have to change /var/run/clamav, /var/log/clamav and /var/lib/clamav to be
> >owned by qscand.  While upgrading to 0.70 i noticed that all
> three of these
> >directories have changed back to clamav.clamav.   Would it be possible to
> >NOT change ownership back to clamav during an upgrade?
> >
> >Its not that big of a deal, just sorta annoying.
> >
> >
>
> Hello Jim,
>
> thanks for feedback.
>
> RPM has ability to enforce file/directory permissions and owners. This
> is usualy
> used for security reason on critical directories/files as a protection
> against
> inexperienced admins.
>
> But your request is valid.
>
> I will try to change package behaviour to
> - first instance of package on system will install these directories
> with clamav user
> - all next pieces will respect the actual setting, so if you changed
> owner, your
> setting will be untouched.
>
> Does it meet your needing?
>
> Petr
>

Sounds very good to me.  The only time i see this behavior being a problem
is if someone wants to reinstall the rpm to fix a permission problem.  In
that case i suppose they would have to delete the directories and then
reinstall so even that wouldnt be too bad.

Thanks for the help.

Jim



---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

RE: [Clamav-users] Problems detecting Worm.SomeFool.Y

[Jim Maul]

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Andreas
> Haase
> Sent: Tuesday, April 20, 2004 6:55 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [Clamav-users] Problems detecting Worm.SomeFool.Y
>
>
> Hello,
>
> > Have you tried to locate or find *.cvd?  Are there other copies
> somewhere?
>
> yes, there are also files located in /usr/local/share/clamav/. These could
> be from a former installation. But the new directory is /var/lib/clamav/.
>

Having two copies of the database is just asking for trouble.  I would
remove the ones in /usr/local/share/clamav/ if you are not using them.  This
is almost definitely causing the problem

> > What about:
> >
> > sigtool -l|grep SomeFool
> >
> > [SomeFool list]
> >
> > Do you have SomeFool.Y listed?
>
> No, clamscan seems to use the wrong signature files as I state in an
> earlier mail.
>

I must have missed where you stated this.  Sigtool uses a hardcoded database
directory which is determined at compile time.  You may want to smylink the
old database directory to the new one to attempt to get sigtool to use the
newly freshclam'd virus files.  I dont know if this is the best solution,
but it would probably work.

> > have you tried clamscan -m ?
>
> That makes no sense and no difference ;-) ... The file is not in mbox
> format but the real *.pif containig the virus.
>

Indeed..i was not aware that it was just a pif.


> > Thats because clamscan doesnt use clamav.conf  only clamd/clamdscan
>
> Is there _any_ good reason for that? Why can I configure a alternative
> DatabaseDir for clamd and freshclam, if clamscan isn't using it? Sorry,
> but that seems to be a mistake in concept. Either there has to be a config
> file for clamscan as for the others, or clamscan has to use options out of
> clamav.conf to operate correctly.
>

I guess the reason for this is that clamscan expects all arguments on the
command line.  I honestly dont know as i did not develop clamav.  All i know
is that this is the case...why, im not sure.  This is the exact reason why i
suggested renaming clamav.conf to clamd.conf since clamd is the only program
using it.

> Please tell me if I'm completely wrong, but the actual state is
> unsatisfactory.

Im not sure what you mean by "the actual state"

Jim



---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

Re: [Clamav-users] Problem with clamscan .vs. clamdscan

[Jim Maul]

> On Fri, 2004-04-23 at 08:40, Stephen Gran wrote:
>> use /usr/bin/clamscan --tempdir=/tmp -r -i --block-encrypted bob.zip
>
> Any idea why the config file setting to enable blocking encrypted files
> is not working?
>

Because clamscan doesnt use clamav.conf!!  S many people dont seem to
realize this.

Jim


---
This SF.net email is sponsored by: The Robotic Monkeys at ThinkGeek
For a limited time only, get FREE Ground shipping on all orders of $35
or more. Hurry up and shop folks, this offer expires April 30th!
http://www.thinkgeek.com/freeshipping/?cpg=12297
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

Re: [Clamav-users] clamav and simscan

[Jim Maul]

Jesús Arnáiz wrote:
> I'm compiling simscan 1.3.1 with clamav (at this time I'm using 
> simscan-1.0.1 without problems). Configure says this:
> 
> 
> configure: error: Unable to find your clamav databases, specify 
> --enable-clamavdb-path.
> 
> I see it tries to find daily.cvd file, and I don't have it on 
> /usr/local/share/clamav. I found, these files:
> 
> find /usr/local/share/clamav/
> /usr/local/share/clamav/
> /usr/local/share/clamav/mirrors.dat
> /usr/local/share/clamav/daily.inc
> /usr/local/share/clamav/daily.inc/COPYING
> /usr/local/share/clamav/daily.inc/daily.db
> /usr/local/share/clamav/daily.inc/daily.hdb
> /usr/local/share/clamav/daily.inc/daily.ndb
> /usr/local/share/clamav/daily.inc/daily.zmd
> /usr/local/share/clamav/daily.inc/daily.fp
> /usr/local/share/clamav/daily.inc/daily.mdb
> /usr/local/share/clamav/daily.inc/daily.info
> /usr/local/share/clamav/daily.inc/daily.wdb
> /usr/local/share/clamav/daily.inc/daily.pdb
> /usr/local/share/clamav/daily.inc/daily.cfg
> /usr/local/share/clamav/main.inc
> /usr/local/share/clamav/main.inc/COPYING
> /usr/local/share/clamav/main.inc/main.db
> /usr/local/share/clamav/main.inc/main.hdb
> /usr/local/share/clamav/main.inc/main.ndb
> /usr/local/share/clamav/main.inc/main.zmd
> /usr/local/share/clamav/main.inc/main.fp
> /usr/local/share/clamav/main.inc/main.info
> /usr/local/share/clamav/main.inc/main.mdb
> 
> 
> Is this normal?
> 

Yes its normal.  Simscan has not been updated to use the new format of 
the clamav databases.  This is a simscan problem, not clamav.

Jim

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html

Re: [Clamav-users] Install clamav on CentOS 4.4

[Jim Maul]

Rob MacGregor wrote:
> On 4/18/07, Gustavo Gouvea <[EMAIL PROTECTED]> wrote:
>> Hi there,
>> has anyone instaled clamav on CentOS 4.4 before?? Any tips??? Which version 
>> of Openssl do I need to use? Will I have to do it from the source code? By 
>> now, Ive been using the rpm packages from Petr Kristof.
>>
>> [EMAIL PROTECTED] yum.repos.d]# yum install clamav
>> Setting up Install Process
>> Setting up repositories
>> Reading repository metadata in from local files
>> Parsing package install arguments
>> Resolving Dependencies
>> --> Populating transaction set with selected packages. Please wait.
>> ---> Package clamav.i386 110:0.90.1-1 set to be updated
>> --> Running transaction check
>> --> Processing Dependency: libssl.so.5 for package: clamav
>> --> Processing Dependency: libcrypto.so.5 for package: clamav
>> --> Processing Dependency: libkrb5support.so.0 for package: clamav
>> --> Finished Dependency Resolution
>> Error: Missing Dependency: libssl.so.5 is needed by package clamav
>> Error: Missing Dependency: libcrypto.so.5 is needed by package clamav
>> Error: Missing Dependency: libkrb5support.so.0 is needed by package clamav
>>
>> [EMAIL PROTECTED] yum.repos.d]# find / -name libssl*
>> /lib/libssl.so.4
>> /lib/libssl.so.0.9.7a
>> /usr/lib/libssl.a
>> /usr/lib/thunderbird-1.5.0.5/libssl3.so
>> /usr/lib/libssl.so
>> /usr/lib/firefox-1.5.0.5/libssl3.so
>> /usr/lib/libssl3.so
>>
>> [EMAIL PROTECTED] yum.repos.d]# rpm -qa |grep openssl
>> openssl-devel-0.9.7a-43.14
>> xmlsec1-openssl-1.2.6-3
>> openssl-0.9.7a-43.14
> 
> Well, the most likely response is that you should install from source :)
> 
> Others have already talked about this on the CentOS forums, though the
> general flavour was very hostile.  I suspect you just need to upgrade
> your other packages, particularly openssl and openssl-devel.
> 

Im surprised that no one mentioned the real easy way to solve all this. 
  Download the SRC rpm. then rebuild for your specific environment and 
install built rpms.  quick and easy.

I grab the src rpm from dag or kristof or wherever then do rpmbuild 
--rebuild whatever.src.rpm and your all set.  Since i dont use milter i 
specify -without-milter as well.

This allows you to keep the system updated with rpm without having to 
wait for someone to build it for you for your specific arch.

-Jim

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html

Re: [Clamav-users] RPM 0.90.2 FC4

[Jim Maul]

Steven Stern wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> Dennis Peterson wrote:
>> Steven Stern wrote:
>>
>>> Robert Niepel wrote:
 Hello,

 an anyone tell me where i can get RPM?s for Fedora Core 4?
 Or has anyone have an hotwo to build those rpm from tar.gz?


>>> download the unpack the tar.gz file
>>> In the directory,
>>>
>>> ./configure
>>> make
>>> make install
>>>
>>> Here's how I invoke configure:
>>>
>>> ./configure --enable-milter --prefix=/usr --exec-prefix=/usr \
>>> - --sysconfdir=/etc --with-dbdir=/var/lib/clamav --disable-zlib-vcheck
>> I think this will not create an rpm.
>>
> 
> An RPM isn't needed. This will install the current version of Clam.
> 
> 

You are correct.  However the OP asked for an RPM.  You provided him 
with an irrelevant response which im sure was DPs point.

-Jim
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html